[DO NOT MERGE] Add DisableCnameChainValidation to DNS security rule cmdlets

src/DnsResolver/DnsResolver.Autorest/README.md

@@ -71,7 +71,7 @@ commit: 6e8964026a4ed0f55fdb2c55a141fc7d501b94a6
 require:
   - $(this-folder)/../../readme.azure.noprofile.md
 input-file:
-  - $(repo)/specification/dnsresolver/resource-manager/Microsoft.Network/DnsResolver/preview/2025-10-01-preview/openapi.json
+  - $(repo)/specification/dnsresolver/resource-manager/Microsoft.Network/DnsResolver/preview/2026-07-01-preview/openapi.json
 
 module-version: 0.2.9
 title: DnsResolver
@@ -127,14 +127,14 @@ directive:
     set:
       preview-announcement:
         preview-message: "*****************************************************************************************\\r\\n* This cmdlet will undergo a breaking change in Az v16.0.0, to be released in May 2026. *\\r\\n* At least one change applies to this cmdlet.                                                     *\\r\\n* See all possible breaking changes at https://go.microsoft.com/fwlink/?linkid=2333486            *\\r\\n**************************************************************************************************"
-  # Breaking change: ActionBlockResponseCode parameter removed in 2025-10-01-preview
+  # Breaking change: ActionBlockResponseCode parameter removed in 2026-07-01-preview
   - where:
       verb: New|Update
       subject: PolicyDnsSecurityRule
       parameter-name: ActionBlockResponseCode
     set:
       breaking-change:
-        change-description: The parameter 'ActionBlockResponseCode' has been removed. The block response code is no longer configurable in API version 2025-10-01-preview.
+        change-description: The parameter 'ActionBlockResponseCode' has been removed. The block response code is no longer configurable in API version 2026-07-01-preview.
         deprecated-by-version: 2.0.0
         deprecated-by-azversion: 16.0.0
         change-effective-date: 2026/05/01

src/DnsResolver/DnsResolver.Autorest/examples/New-AzDnsResolverPolicyDnsSecurityRule.md

@@ -22,3 +22,16 @@ westus2  sampleSecurityRule       Microsoft.Network/dnsSecurityRules       "0000
 ```
 
 This cmdlet creates a DNS security rule with tag.
+
+### Example 3: Create a DNS security rule with DisableCnameChainValidation
+```powershell
+New-AzDnsResolverPolicyDnsSecurityRule -Name sampleSecurityRule -ResourceGroupName powershell-test-rg -DnsResolverPolicyName samplePolicyName -Location westus2 -DnsSecurityRuleState "Enabled" -ActionType "Block" -Priority 100 -DnsResolverDomainList @{id = "/subscriptions/0e5a46b1-de0b-4ec3-a5d7-dda908b4e076/resourceGroups/powershell-test-rg/providers/Microsoft.Network/dnsResolverDomainLists/exampleDomainListName";} -DisableCnameChainValidation
+```
+
+```output
+Location Name                     Type                                     Etag
+-------- ----                     ----                                     ----
+westus2  sampleSecurityRule       Microsoft.Network/dnsSecurityRules       "00009ad5-0000-0800-0000-604016d10000"
+```
+
+This cmdlet creates a DNS security rule with CNAME chain validation disabled. When set, the resolver will not validate the full CNAME chain against domain lists and will match only on the queried domain name.

src/DnsResolver/DnsResolver.Autorest/examples/Update-AzDnsResolverPolicyDnsSecurityRule.md

@@ -23,3 +23,15 @@ Location Name                                Type
 westus2  psdnssecurityrulename33nmy1fz       Microsoft.Network/dnsSecurityRules       "0000efd6-0000-0800-0000-60401c7c0000"
 ```
 This command updates an existing DNS Security Rules by identity ( removing tag ).
+
+### Example 3: Update DNS Security Rule with DisableCnameChainValidation
+```powershell
+Update-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName powershell-test-rg -DnsResolverPolicyName exampleDnsResolverPolicyName -Name psdnssecurityrulename33nmy1fz -DisableCnameChainValidation
+```
+
+```output
+Location Name                                Type                                     Etag
+-------- ----                                ----                                     ----
+westus2  psdnssecurityrulename33nmy1fz       Microsoft.Network/dnsSecurityRules       "0000f0d6-0000-0800-0000-60401c7d0000"
+```
+This command updates a DNS Security Rule to disable CNAME chain validation. When set, the resolver will not validate the full CNAME chain against domain lists and will match only on the queried domain name.

src/DnsResolver/DnsResolver.Autorest/test/Get-AzDnsResolverPolicyDnsSecurityRule.Tests.ps1

@@ -1,30 +1,61 @@
-$TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzDnsResolverPolicyDnsSecurityRule.Recording.json'
-$currentPath = $PSScriptRoot
-while(-not $mockingPath) { $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File; $currentPath = Split-Path -Path $currentPath -Parent }
-. ($mockingPath | Select-Object -First 1).FullName
+if(($null -eq $TestName) -or ($TestName -contains 'Get-AzDnsResolverPolicyDnsSecurityRule'))
+{
+  $loadEnvPath = Join-Path $PSScriptRoot 'loadEnv.ps1'
+  if (-Not (Test-Path -Path $loadEnvPath)) {
+      $loadEnvPath = Join-Path $PSScriptRoot '..\loadEnv.ps1'
+  }
+  . ($loadEnvPath)
+  $TestRecordingFile = Join-Path $PSScriptRoot 'Get-AzDnsResolverPolicyDnsSecurityRule.Recording.json'
+  $currentPath = $PSScriptRoot
+  while(-not $mockingPath) {
+      $mockingPath = Get-ChildItem -Path $currentPath -Recurse -Include 'HttpPipelineMocking.ps1' -File
+      $currentPath = Split-Path -Path $currentPath -Parent
+  }
+  . ($mockingPath | Select-Object -First 1).FullName
+}
+
+# Load post-merge test helper for routing to Frontend endpoint
+. (Join-Path $PSScriptRoot 'postMergeTestHelper.ps1')
+if ($TestMode -ne 'playback') {
+    $postMergeStep = New-PostMergeTestHttpPipelineStep
+    $existingMock = $PSDefaultParameterValues["*:HttpPipelinePrepend"]
+    $PSDefaultParameterValues["*:HttpPipelinePrepend"] = [Microsoft.Azure.PowerShell.Cmdlets.DnsResolver.Runtime.SendAsyncStep[]]@(
+        [Microsoft.Azure.PowerShell.Cmdlets.DnsResolver.Runtime.SendAsyncStep]$postMergeStep,
+        [Microsoft.Azure.PowerShell.Cmdlets.DnsResolver.Runtime.SendAsyncStep]$existingMock
+    )
+}
 
 Describe 'Get-AzDnsResolverPolicyDnsSecurityRule' {
-    BeforeAll {
-        $subscriptionId = '97db216c-169d-4ea9-9d98-114adba0aa20'; $location = 'westus2'
-        $rgName = "ps-secrule-get-41328"
-        if ($TestMode -ne 'playback') {
-            Select-AzSubscription -SubscriptionId $subscriptionId
-            New-AzResourceGroup -Name $rgName -Location $location
-            New-AzDnsResolverPolicy -Name "policy-secrule-g" -ResourceGroupName $rgName -Location $location
-            New-AzDnsResolverDomainList -Name "domainlist-secrule-g" -ResourceGroupName $rgName -Location $location -Domain @("contoso.com.")
-            $dlId = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Network/dnsResolverDomainLists/domainlist-secrule-g"
-            New-AzDnsResolverPolicyDnsSecurityRule -Name "secrule-get-1" -DnsResolverPolicyName "policy-secrule-g" -ResourceGroupName $rgName -Location $location -DnsSecurityRuleState "Enabled" -ActionType "Block" -Priority 100 -DnsResolverDomainList @(@{id = $dlId})
-        }
-    }
-    AfterAll {
-        if ($TestMode -ne 'playback') { Remove-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue -AsJob | Out-Null }
-    }
-    It 'Get a security rule by name' {
-        $rule = Get-AzDnsResolverPolicyDnsSecurityRule -Name "secrule-get-1" -DnsResolverPolicyName "policy-secrule-g" -ResourceGroupName $rgName
-        $rule.ProvisioningState | Should -Be "Succeeded"
+    It 'Get single DNS security rule by name, expect DNS security rule by name retrieved' {
+        # ARRANGE
+        $dnsResolverPolicyName = "psdnsresolverpolicyforrulename1m0cdag";
+        $dnsSecurityRuleName = "psdnssecurityrulename1m0cdag";
+        $dnsResolverDomainListName = "psdnsresolverdomainlistforrulename1m0cdag";
+        $resourceGroupName = "powershell-test-rg-debug-get";
+        $location = "westus2";
+        $resolverPolicy = New-AzDnsResolverPolicy -Name $dnsResolverPolicyName -ResourceGroupName $resourceGroupName -Location $location
+        $domainList = New-AzDnsResolverDomainList -Name $dnsResolverDomainListName -ResourceGroupName $resourceGroupName -Location $location -Domain @("contoso.com.", "example.com.")
+        $securityRule = New-AzDnsResolverPolicyDnsSecurityRule -Name $dnsSecurityRuleName -DnsResolverPolicyName $dnsResolverPolicyName -ResourceGroupName $resourceGroupName -Location $location -DnsResolverDomainList @{id = $domainList.Id;} -DnsSecurityRuleState "Enabled" -ActionType "Block" -Priority 100
+
+        # ACT - ASSERT
+        {Get-AzDnsResolverPolicyDnsSecurityRule -Name $dnsSecurityRuleName -DnsResolverPolicyName $dnsResolverPolicyName -ResourceGroupName $resourceGroupName} | Should -Not -Throw
     }
-    It 'List security rules in policy' {
-        $rules = Get-AzDnsResolverPolicyDnsSecurityRule -DnsResolverPolicyName "policy-secrule-g" -ResourceGroupName $rgName
-        $rules.Count | Should -BeGreaterThan 0
+
+    It 'List DNS resolver policies in a resource group, expected least number of DNS resolver policies retrieved' {
+        # ARRANGE
+        $dnsResolverPolicyName = "psdnsresolverpolicyforrulename2n1edag";
+        $dnsSecurityRuleName = "psdnssecurityrulename2n1edag";
+        $dnsResolverDomainListName = "psdnsresolverdomainlistforrulename2n1edag";
+        $resourceGroupName = "powershell-test-rg-debug-get";
+        $location = "westus2";
+        $resolverPolicy = New-AzDnsResolverPolicy -Name $dnsResolverPolicyName -ResourceGroupName $resourceGroupName -Location $location
+        $domainList = New-AzDnsResolverDomainList -Name $dnsResolverDomainListName -ResourceGroupName $resourceGroupName -Location $location -Domain @("contoso.com.", "example.com.")
+        $securityRule = New-AzDnsResolverPolicyDnsSecurityRule -Name $dnsSecurityRuleName -DnsResolverPolicyName $dnsResolverPolicyName -ResourceGroupName $resourceGroupName -Location $location -DnsResolverDomainList @{id = $domainList.Id;} -DnsSecurityRuleState "Enabled" -ActionType "Block" -Priority 100
+
+        # ACT
+        $securityRules =  Get-AzDnsResolverPolicyDnsSecurityRule -DnsResolverPolicyName $dnsResolverPolicyName -ResourceGroupName $resourceGroupName
+
+        # ASSERT
+        $securityRules.Count | Should -BeGreaterThan 0
     }
 }