-rw-r--r--plugin/dnssec/dnssec.go2
-rw-r--r--plugin/dnssec/dnssec_test.go21
2 files changed, 22 insertions, 1 deletions
diff --git a/plugin/dnssec/dnssec.go b/plugin/dnssec/dnssec.go
index 84de05c86..9a20776fe 100644
--- a/plugin/dnssec/dnssec.go
+++ b/plugin/dnssec/dnssec.go
@@ -49,7 +49,7 @@ func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg
incep, expir := incepExpir(now)
- if mt == response.NameError {
+ if mt == response.NameError || mt == response.NoData {
if req.Ns[0].Header().Rrtype != dns.TypeSOA || len(req.Ns) > 1 {
return req
}
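Review bot: The guard under the widened condition reads `req.Ns[0]` before it looks at `len(req.Ns)`, so with NoData added, any such reply that arrives with an empty authority section would panic in Sign instead of being returned unsigned. The message classifier may only report NameError/NoData when an SOA is present, but that is not visible in this hunk, and on a signing path fed by backend responses the cheap check is worth having. I would reorder it to `if len(req.Ns) != 1 || req.Ns[0].Header().Rrtype != dns.TypeSOA {`, which keeps the existing early return for multi-record authority sections and also covers the empty case. A short comment such as `// NXDOMAIN and NODATA both need a signed SOA plus denial-of-existence record` would explain why the two types share the branch. The body of Sign continues outside the hunk.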
diff --git a/plugin/dnssec/dnssec_test.go b/plugin/dnssec/dnssec_test.go
index 83ce70beb..34c9bf331 100644
--- a/plugin/dnssec/dnssec_test.go
+++ b/plugin/dnssec/dnssec_test.go
@@ -127,6 +127,20 @@ func TestSigningDname(t *testing.T) {
}
}
+func TestSigningEmpty(t *testing.T) {
+ d, rm1, rm2 := newDnssec(t, []string{"miek.nl."})
+ defer rm1()
+ defer rm2()
+
+ m := testEmptyMsg()
+ m.SetQuestion("a.miek.nl.", dns.TypeA)
+ state := request.Request{Req: m}
+ m = d.Sign(state, "miek.nl.", time.Now().UTC())
+ if !section(m.Ns, 2) {
+ t.Errorf("authority section should have 2 sig")
+ }
+}
+
func section(rss []dns.RR, nrSigs int) bool {
i := 0
for _, r := range rss {
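Review bot: TestSigningEmpty asserts only that the authority section carries two RRSIGs, so it would still pass if the wrong RRsets were signed or if the denial-of-existence record for the NODATA answer were missing or malformed. Since this path is what lets a validating resolver trust an empty answer, the test should also check which types the signatures cover (presumably the SOA and the synthesized denial record) by inspecting `TypeCovered` on each `*dns.RRSIG` in `m.Ns`, and that `m.Answer` is still empty. Passing a fixed timestamp instead of `time.Now().UTC()` would also keep the inception/expiration values reproducible. A one-line comment above the test, e.g. `// NODATA: empty answer, SOA in authority; expect signed SOA and signed denial record`, would document the intent.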
@@ -181,6 +195,13 @@ func testMsgDname() *dns.Msg {
}
}
+func testEmptyMsg() *dns.Msg {
+ // don't care about the message header
+ return &dns.Msg{
+ Ns: []dns.RR{test.SOA("miek.nl. 1800 IN SOA ns.miek.nl. dnsmaster.miek.nl. 2017100301 200 100 604800 3600")},
+ }
+}
+
func newDnssec(t *testing.T, zones []string) (Dnssec, func(), func()) {
k, rm1, rm2 := newKey(t)
c := cache.New(defaultCap)