From fef505206799c6a7eb95318a54dae8dcd3761f0f Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 19 Feb 2025 12:31:16 +1100
Subject: [PATCH] Check insecure response with missing RRSIG in authority

This scenario should succeed but wasn't due rejection of the
message at the message parsing stage.

(cherry picked from commit 4271d93f00909fad74d694121da970b1a633c495)
---
 bin/tests/system/dnssec/ans10/ans.py   |  6 ++++++
 bin/tests/system/dnssec/ns1/root.db.in |  2 ++
 bin/tests/system/dnssec/tests.sh       | 16 ++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/bin/tests/system/dnssec/ans10/ans.py b/bin/tests/system/dnssec/ans10/ans.py
index dbe49e5e5a..84bf0a2642 100644
--- a/bin/tests/system/dnssec/ans10/ans.py
+++ b/bin/tests/system/dnssec/ans10/ans.py
@@ -38,6 +38,7 @@ def logquery(type, qname):
 # NS gets a unsigned response.
 # DNSKEY get a unsigned NODATA response.
 # A gets a signed response.
+# TXT gets a signed NODATA response without RRSIG.
 # All other types get a unsigned NODATA response.
 ############################################################################
 def create_response(msg):
@@ -72,6 +73,11 @@ def create_response(msg):
         r.answer.append(dns.rrset.from_text(qname, 1, IN, NS, "."))
     elif rrtype == SOA:
         r.answer.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+    elif rrtype == TXT:
+        r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
+        r.authority.append(
+            dns.rrset.from_text(qname, 1, IN, NSEC, qname + " A NS SOA RRSIG NSEC")
+        )
     else:
         r.authority.append(dns.rrset.from_text(qname, 1, IN, SOA, ". . 0 0 0 0 0"))
     r.flags |= dns.flags.AA
diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in
index 52d88ab500..1e7a5c79cf 100644
--- a/bin/tests/system/dnssec/ns1/root.db.in
+++ b/bin/tests/system/dnssec/ns1/root.db.in
@@ -43,3 +43,5 @@ ds-rrsigs-stripped.	NS	ns2.ds-rrsigs-stripped.
 ns2.ds-rrsigs-stripped.	A	10.53.0.2
 inconsistent.		NS	ns2.inconsistent.
 ns2.inconsistent.	A	10.53.0.2
+nsec-rrsigs-stripped.	NS	ns10.nsec-rrsigs-stripped.
+ns10.nsec-rrsigs-stripped.	A	10.53.0.10
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index c022e8afca..2b2ff2fbb6 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4553,5 +4553,21 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "checking that a insecure negative response where there is a NSEC without a RRSIG succeeds ($n)"
+ret=0
+# check server preconditions
+dig_with_opts +notcp @10.53.0.10 nsec-rrsigs-stripped. TXT +dnssec >dig.out.ns10.test$n
+grep "status: NOERROR" dig.out.ns10.test$n >/dev/null || ret=1
+grep "QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1" dig.out.ns10.test$n >/dev/null || ret=1
+grep "IN.RRSIG.NSEC" dig.out.ns10.test$n >/dev/null && ret=1
+# check resolver succeeds
+dig_with_opts @10.53.0.4 nsec-rrsigs-stripped. TXT +dnssec >dig.out.ns4.test$n
+grep "status: NOERROR" dig.out.ns4.test$n >/dev/null || ret=1
+grep "QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1" dig.out.ns4.test$n >/dev/null || ret=1
+grep "IN.RRSIG.NSEC" dig.out.ns4.test$n >/dev/null && ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1