Bail out on failure when starting up

Don't silently hide failures, barf on startup. Also add more integration
tests that should catch some of these things.

4 files changed, 91 insertions, 9 deletions

diff --git a/core/setup/dnssec.go b/core/setup/dnssec.go
index 523f6e659..39f34b66f 100644
--- a/core/setup/dnssec.go
+++ b/core/setup/dnssec.go
@@ -1,7 +1,7 @@
 package setup
 
 import (
-	"path"
+	"strings"
 
 	"github.com/miekg/coredns/middleware"
 	"github.com/miekg/coredns/middleware/dnssec"
@@ -35,8 +35,7 @@ func dnssecParse(c *Controller) ([]string, []*dnssec.DNSKEY, error) {
 			for c.NextBlock() {
 				k, e := keyParse(c)
 				if e != nil {
-					// TODO(miek): Log and drop or something? stop startup?
-					continue
+					return nil, nil, e
 				}
 				keys = append(keys, k...)
 			}
@@ -61,11 +60,13 @@ func keyParse(c *Controller) ([]*dnssec.DNSKEY, error) {
 		if value == "file" {
 			ks := c.RemainingArgs()
 			for _, k := range ks {
-				// Kmiek.nl.+013+26205.key, handle .private or without extension: Kmiek.nl.+013+26205
-				ext := path.Ext(k) // TODO(miek): test things like .key
 				base := k
-				if len(ext) > 0 {
-					base = k[:len(k)-len(ext)]
+				// Kmiek.nl.+013+26205.key, handle .private or without extension: Kmiek.nl.+013+26205
+				if strings.HasSuffix(k, ".key") {
+					base = k[:len(k)-4]
+				}
+				if strings.HasSuffix(k, ".private") {
+					base = k[:len(k)-8]
 				}
 				k, err := dnssec.ParseKeyFile(base+".key", base+".private")
 				if err != nil {
diff --git a/core/setup/file.go b/core/setup/file.go
index b535332a7..a0b90c3ca 100644
--- a/core/setup/file.go
+++ b/core/setup/file.go
@@ -54,7 +54,8 @@ func fileParse(c *Controller) (file.Zones, error) {
 
 			reader, err := os.Open(fileName)
 			if err != nil {
-				continue
+				// bail out
+				return file.Zones{}, err
 			}
 
 			for i, _ := range origins {
@@ -62,6 +63,8 @@ func fileParse(c *Controller) (file.Zones, error) {
 				zone, err := file.Parse(reader, origins[i], fileName)
 				if err == nil {
 					z[origins[i]] = zone
+				} else {
+					return file.Zones{}, err
 				}
 				names = append(names, origins[i])
 			}
diff --git a/middleware/dnssec/dnssec.go b/middleware/dnssec/dnssec.go
index b0a328bee..64359d8c9 100644
--- a/middleware/dnssec/dnssec.go
+++ b/middleware/dnssec/dnssec.go
@@ -74,7 +74,7 @@ func (d Dnssec) Sign(state middleware.State, zone string, now time.Time) *dns.Ms
 	for _, r := range rrSets(req.Extra) {
 		ttl := r[0].Header().Ttl
 		if sigs, err := d.sign(r, zone, ttl, incep, expir); err == nil {
-			req.Extra = append(req.Extra, sigs...)
+			req.Extra = append(sigs, req.Extra...) // prepend to leave OPT alone
 		}
 	}
 	return req
diff --git a/test/middleware_dnssec_test.go b/test/middleware_dnssec_test.go
new file mode 100644
index 000000000..434e7ad56
--- /dev/null
+++ b/test/middleware_dnssec_test.go
@@ -0,0 +1,78 @@
+package test
+
+import (
+	"io/ioutil"
+	"log"
+	"os"
+	"testing"
+
+	"github.com/miekg/coredns/middleware/test"
+
+	"github.com/miekg/dns"
+)
+
+func TestLookupBalanceRewriteCacheDnssec(t *testing.T) {
+	name, rm, err := test.TempFile(t, ".", exampleOrg)
+	if err != nil {
+		t.Fatalf("failed to created zone: %s", err)
+	}
+	defer rm()
+	rm1 := createKeyFile(t)
+	defer rm1()
+
+	corefile := `example.org:0 {
+    file ` + name + `
+    rewrite ANY HINFO
+    dnssec {
+        key file ` + base + `
+    }
+    loadbalance
+}
+`
+	ex, _, udp, err := Server(t, corefile)
+	if err != nil {
+		t.Errorf("Could get server to start: %s", err)
+		return
+	}
+	defer ex.Stop()
+
+	log.SetOutput(ioutil.Discard)
+	c := new(dns.Client)
+	m := new(dns.Msg)
+	m.SetQuestion("example.org.", dns.TypeA)
+	m.SetEdns0(4096, true)
+	res, _, err := c.Exchange(m, udp)
+	if err != nil {
+		t.Fatalf("Could not send query: %s", err)
+	}
+	sig := 0
+	for _, a := range res.Answer {
+		if a.Header().Rrtype == dns.TypeRRSIG {
+			sig++
+		}
+	}
+	if sig == 0 {
+		t.Errorf("expected RRSIGs, got none")
+		t.Logf("%v\n", res)
+	}
+}
+
+func createKeyFile(t *testing.T) func() {
+	ioutil.WriteFile(base+".key",
+		[]byte(`example.org. IN DNSKEY 256 3 13 tDyI0uEIDO4SjhTJh1AVTFBLpKhY3He5BdAlKztewiZ7GecWj94DOodg ovpN73+oJs+UfZ+p9zOSN5usGAlHrw==`),
+		0644)
+	ioutil.WriteFile(base+".private",
+		[]byte(`Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: HPmldSNfrkj/aDdUMFwuk/lgzaC5KIsVEG3uoYvF4pQ=
+Created: 20160426083115
+Publish: 20160426083115
+Activate: 20160426083115`),
+		0644)
+	return func() {
+		os.Remove(base + ".key")
+		os.Remove(base + ".private")
+	}
+}
+
+const base = "Kexample.org.+013+44563"