Add test for NTA at level of TA

diff --git a/regression-tests.recursor-dnssec/test_NTA.py b/regression-tests.recursor-dnssec/test_NTA.py
index 7f58c5b6458d3d43e43a51d54877c936db8005d4..b21d7f6b6b5d061afb70d735ece09228792277b7 100644 (file)
--- a/regression-tests.recursor-dnssec/test_NTA.py
+++ b/regression-tests.recursor-dnssec/test_NTA.py
@@ -5,7 +5,9 @@ class testSimple(RecursorTest):
     _confdir = 'NTA'
 
     _config_template = """dnssec=validate"""
-    _lua_config_file = """addNTA("bogus.example")"""
+    _lua_config_file = """addNTA("bogus.example")
+addNTA('secure.optout.example', 'Should be Insecure, even with DS configured')
+addDS('secure.optout.example', '64215 13 1 b88284d7a8d8605c398e8942262f97b9a5a31787')"""
 
     def testDirectNTA(self):
         """Ensure a direct query to a bogus name with an NTA is Insecure"""
@@ -29,3 +31,14 @@ class testSimple(RecursorTest):
 
         self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
         self.assertRcodeEqual(res, dns.rcode.NOERROR)
+
+    def testSecureWithNTAandDS(self):
+        """#4391: when there is a TA *and* NTA configured for a name, the result must be insecure"""
+        msg = dns.message.make_query("node1.secure.optout.example.", dns.rdatatype.A)
+        msg.flags = dns.flags.from_text('AD RD')
+        msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+        res = self.sendUDPQuery(msg)
+
+        self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)