From b91735683ae7d4c5f5fe3a4d84fd99db862be6f5 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Thu, 1 Sep 2016 11:23:35 +0200
Subject: [PATCH] Add test for NTA at level of TA
---
 regression-tests.recursor-dnssec/test_NTA.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/regression-tests.recursor-dnssec/test_NTA.py b/regression-tests.recursor-dnssec/test_NTA.py
index 7f58c5b64..b21d7f6b6 100644
--- a/regression-tests.recursor-dnssec/test_NTA.py
+++ b/regression-tests.recursor-dnssec/test_NTA.py
@@ -5,7 +5,9 @@ class testSimple(RecursorTest):
 _confdir = 'NTA'
 _config_template = """dnssec=validate"""
- _lua_config_file = """addNTA("bogus.example")"""
+ _lua_config_file = """addNTA("bogus.example")
+addNTA('secure.optout.example', 'Should be Insecure, even with DS configured')
+addDS('secure.optout.example', '64215 13 1 b88284d7a8d8605c398e8942262f97b9a5a31787')"""
 def testDirectNTA(self):
 """Ensure a direct query to a bogus name with an NTA is Insecure"""
@@ -29,3 +31,14 @@ class testSimple(RecursorTest):
 self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
 self.assertRcodeEqual(res, dns.rcode.NOERROR)
+
+ def testSecureWithNTAandDS(self):
+ """#4391: when there is a TA *and* NTA configured for a name, the result must be insecure"""
+ msg = dns.message.make_query("node1.secure.optout.example.", dns.rdatatype.A)
+ msg.flags = dns.flags.from_text('AD RD')
+ msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+ res = self.sendUDPQuery(msg)
+
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
-- 
2.40.0
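Review bot: The digest on the added `addDS('secure.optout.example', ...)` line is an unexplained literal, and nothing visible in this patch ties it to the key the test zone is actually signed with. Because the NTA is expected to make the answer Insecure regardless, a DS that no longer matches would not make the new test fail, so the test could silently stop exercising the "valid TA plus NTA" case. I would add a Python comment above `_lua_config_file`, for example `# DS must match the signing key of secure.optout.example in the test zones; regenerate if keys change`. The hunk also only covers `addNTA` declared before `addDS`; whether declaration order matters to the recursor is not visible here.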
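Review bot: In `testSecureWithNTAandDS` the Insecure outcome rests entirely on AD being left out of the `['QR', 'RA', 'RD']` list passed to `assertMessageHasFlags`; the NOERROR check only rules out a Bogus answer. That helper is defined outside this patch, so if it verifies only that the listed flags are present, a Secure (AD-set) response would still pass and the regression for #4391 would go unnoticed. Stating the property directly after the rcode check, e.g. `self.assertFalse(res.flags & dns.flags.AD)` (assuming `RecursorTest` derives from `unittest.TestCase`), keeps the test meaningful whatever the helper does. The preceding test, whose tail is visible as context in this hunk, ends with the same assertion pair and would benefit from the same explicit check.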