Update optout test to reconfig to NSEC
authorMatthijs Mekking <matthijs@isc.org>
Tue, 9 Dec 2025 13:12:08 +0000 (14:12 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 19 Dec 2025 15:55:18 +0000 (16:55 +0100)
If we change from NSEC3 to NSEC we should not produce a zone with
missing NSEC records.

The code only considered having seen a record if there was previously
a signature present at the owner name. However with opt-out, insecure
delegations don't have a RRSIG record. Reconfiguring to NSEC causes
all insecure delegations to have a missing NSEC record.

Add a DNAME record to the test zone to also cover DNAME delegations.

bin/tests/system/optout/ns2/named.conf.j2
bin/tests/system/optout/ns2/small.test.db [new file with mode: 0644]
bin/tests/system/optout/ns2/test.db
bin/tests/system/optout/setup.sh [deleted file]
bin/tests/system/optout/tests_optout.py

index 4d9aed3ed0242ad8bfdf54b0650749bbd44326ce..6bfe881451e4a90a48eeb57e58f301bd1ede8fa5 100644 (file)
@@ -11,6 +11,9 @@
  * information regarding copyright ownership.
  */
 
+{% set reconfiged = reconfiged | default(False) %}
+{% set policy = "optout" if not reconfiged else "nsec" %}
+
 options {
         port @PORT@;
         pid-file "named.pid";
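Review bot: The `reconfiged` switch added at the top of named.conf.j2 carries no comment saying who sets it or what it changes, so a reader of this file cannot tell that the `small.test` zone further down is meant to flip from the NSEC3 opt-out policy to the NSEC policy when a test re-renders the template with `reconfiged=True`. Suggest a template comment above the two `{% set %}` lines, e.g. `{# reconfiged is passed by tests_optout.py on re-render; it switches zone "small.test" from the NSEC3 opt-out policy to the plain NSEC policy #}` (assuming the test template environment keeps Jinja's default `{# #}` comment delimiters). As a point of style the selection reads more directly as `{% set policy = "nsec" if reconfiged else "optout" %}`, and `reconfigured` is the conventional spelling if the variable name is still open to change.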
@@ -33,9 +36,22 @@ dnssec-policy "optout" {
        nsec3param iterations 0 optout yes salt-length 0;
 };
 
+dnssec-policy "nsec" {
+       keys {
+               csk lifetime unlimited algorithm ecdsa256;
+       };
+};
+
 zone "test" {
        type primary;
        file "test.db";
        dnssec-policy "optout";
        inline-signing yes;
 };
+
+zone "small.test" {
+       type primary;
+       file "small.test.db";
+       dnssec-policy "@policy@";
+       inline-signing yes;
+};
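Review bot: The new `nsec` policy declares its own key (`csk lifetime unlimited algorithm ecdsa256`) while the `optout` policy's keys block lies above this hunk and is not visible here; if the two key definitions differ in algorithm, lifetime or role, switching `small.test` from one policy to the other will also start a key rollover, and the test's NSEC3PARAM-removal check would then run alongside a rollover rather than exercising the chain change on its own. A one-line comment on the `nsec` policy would record that constraint: `// keys must match dnssec-policy "optout" so the reconfig only changes the NSEC chain, not the keys`. The `@policy@` reference is consistent with the `@PORT@` placeholder style already used in this file.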
diff --git a/bin/tests/system/optout/ns2/small.test.db b/bin/tests/system/optout/ns2/small.test.db
new file mode 100644 (file)
index 0000000..9b67ef4
--- /dev/null
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL   3600
+@                              IN      SOA     ns2.small.test. hostmaster.small.test. 1 7200 3600 24796800 3600
+                               IN      NS      ns2
+
+ns2                            IN      A       10.53.0.2
+
+a                              IN      A       127.0.0.1
+
+dname                          IN      DNAME   branch.example.
+under.dname                    IN      TXT     "occluded"
+
+$GENERATE 1-10         child$  IN      NS      ns.example.
+
+child5                         IN      DS      7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
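Review bot: The zone data encodes what the test covers but the file does not say so: `child1`..`child10` are NS-only delegations, `child5` alone also has a DS record, and `under.dname` sits below the DNAME at `dname`. A short comment block before the `$GENERATE` line would make that explicit, e.g. `; child1-child10 are delegations; only child5 has a DS (secure), the rest are insecure and, per the commit description, carry no RRSIG under opt-out` and `; under.dname is occluded by the DNAME at dname`. The DS digest and key tag for `child5` appear identical to the `child303` DS in test.db, so it presumably is not derived from any real child5 key; worth stating in the same comment if that is intentional.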
index d3a930229f108a7884a76d8fd50bf8345bbe27e5..a864d6f1e8edc6f0fd295fcb2b6875a717b4875c 100644 (file)
@@ -17,6 +17,9 @@ ns2                           IN      A       10.53.0.2
 
 a                              IN      A       127.0.0.1
 
+dname                          IN      DNAME   branch.example.
+under.dname                    IN      TXT     "occluded"
+
 $GENERATE 1-50000      child$  IN      NS      ns.example.
 
 child303                       IN      DS      7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
diff --git a/bin/tests/system/optout/setup.sh b/bin/tests/system/optout/setup.sh
deleted file mode 100644 (file)
index bb08b9c..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
index 67628c20e89c9e89db1046a0d30de1b702216cff..3f0df0bb5328387cdf0eee1b164fc3ca083b1da9 100755 (executable)
@@ -94,14 +94,51 @@ def verify_zone(zone, transfer):
 
 def test_optout(ns2):
     zone = "test"
+    expect_nsec3param = True
 
     # Wait until the provided zone is signed and then verify its DNSSEC data.
     def check_nsec3param():
         response = do_query(ns2, zone, "NSEC3PARAM")
-        return has_nsec3param(zone, response)
+        if expect_nsec3param:
+            return has_nsec3param(zone, response)
+        return not has_nsec3param(zone, response)
 
     # check zone is fully signed.
-    isctest.run.retry_with_timeout(check_nsec3param, timeout=300)
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
+
+    # check if zone if DNSSEC valid.
+    transfer = do_xfr(ns2, zone)
+    assert verify_zone(zone, transfer)
+
+
+def test_optout_to_nsec(ns2, templates):
+    zone = "small.test"
+    expect_nsec3param = True
+
+    # Wait until the provided zone is signed and then verify its DNSSEC data.
+    def check_nsec3param():
+        response = do_query(ns2, zone, "NSEC3PARAM")
+        if expect_nsec3param:
+            return has_nsec3param(zone, response)
+        return not has_nsec3param(zone, response)
+
+    # check zone is fully signed.
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
+
+    # check if zone if DNSSEC valid.
+    transfer = do_xfr(ns2, zone)
+    assert verify_zone(zone, transfer)
+
+    # reconfigure to NSEC.
+    data = {
+        "reconfiged": True,
+    }
+    templates.render(f"{ns2.identifier}/named.conf", data)
+    ns2.reconfigure()
+
+    # wait until NSEC3PARAM is removed.
+    expect_nsec3param = False
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
 
     # check if zone if DNSSEC valid.
     transfer = do_xfr(ns2, zone)