Test checkconf NSEC3 and incompatible algorithm
authorMatthijs Mekking <matthijs@isc.org>
Wed, 10 Aug 2022 13:24:21 +0000 (15:24 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 19 Aug 2022 15:00:10 +0000 (17:00 +0200)
The check code for this already exists, but was untested.

bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf [new file with mode: 0644]

diff --git a/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf b/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf
new file mode 100644 (file)
index 0000000..ff25ece
--- /dev/null
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badnsec3alg" {
+       keys {
+               csk lifetime unlimited algorithm rsasha1;
+       };
+       nsec3param iterations 0 optout 0 salt-length 0;
+};
+
+zone "example.net" {
+       type primary;
+       file "example.db";
+       dnssec-policy "badnsec3alg";
+};
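Review bot: Nothing in the new file says why it must be rejected, and the `dnssec-policy "badnsec3alg"` block could fail for reasons other than the one under test. Add a comment above the policy, such as `/* rsasha1 is not an NSEC3-capable algorithm, so it cannot be combined with nsec3param. */`. If the checkconf harness only checks for a non-zero exit on bad-*.conf files (the test script is not visible here), this fixture would also pass on a build where rsasha1 is refused for an unrelated reason, for example a crypto policy that disables SHA-1. That would leave the NSEC3/algorithm compatibility check untested, so the test script should also match the expected diagnostic text.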