From bdd59dace805a81facc71365212601e01cc6a546 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Thu, 21 Aug 2025 09:47:32 +0200
Subject: [PATCH] Add a test for non-existence of RRSIG in the unsigned zone

This tests that the result is NOERROR and a single SOA record is returned.
---
 bin/tests/system/dnssec/tests_validation.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index 36c743f6a0..88b0a920f1 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -82,6 +82,20 @@ def test_load_transfer(qname, qtype):
 isctest.check.noerror(res1)


+def test_insecure_rrsig():
+ # check that for a rrsig query against a validating resolver where the
+ # authoritative zone is unsigned (insecure delegation), noerror is
+ # returned.
+ msg = isctest.query.create("a.insecure.example", "RRSIG")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.rr_count_eq(res.answer, 0)
+ isctest.check.rr_count_eq(res.authority, 1)
+ isctest.check.rr_count_eq(res.additional, 0)
+ assert str(res.authority[0].name) == "insecure.example."
+ assert res.authority[0].rdtype == rdatatype.SOA
+
+
 def test_insecure_glue():
 # check that for a query against a validating resolver where the
 # authoritative zone is unsigned (insecure delegation), glue is returned
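Review bot: test_insecure_rrsig pins the NODATA shape (empty answer, one SOA in authority) but never checks the AD bit, so a regression in which the validating resolver reports this negative answer from the unsigned zone as authenticated would still pass. Adding `isctest.check.noadflag(res)` right after `isctest.check.noerror(res)` would cover that. The leading comment says only that noerror is returned, while the assertions check more; it could end `# ... NOERROR/NODATA is returned with only the zone's SOA in the authority section.` The hunk uses `rdatatype.SOA` without adding an import, so it presumably relies on an existing `rdatatype` import elsewhere in the file, which is not visible here.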