Add system test for apex delete-all private rollback

Add a Python system test for an RFC 2136 delete-all-at-name UPDATE at
the zone apex when the apex contains TYPE65534 private signing state.

The test reuses the dnssec-policy NSEC3 primary with inline-signing
disabled, seeds the apex through dynamic update, then sends the apex
ANY/ANY delete-all UPDATE over TCP.

diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index 3fa07bdeca75ed0878c6f3adb0d4429d8d631884..7d82e79ff8b0f8e61a77a4bd89ff85f9000e3247 100644 (file)
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@@ -88,6 +88,33 @@ def test_update_delete_private_type_rrset(ns3):
     isctest.check.noerror(response)
 
 
+def test_update_delete_all_apex_rrsets_with_private_type(ns3):
+    zone = "nsec3-private-type-delete.kasp"
+    fqdn = f"{zone}."
+
+    isctest.kasp.wait_keymgr_done(ns3, zone)
+
+    update_msg = dns.update.UpdateMessage(zone)
+    update_msg.add(fqdn, 0, dns.rdatatype.NSEC3PARAM, "1 0 5 ab")
+    response = isctest.query.tcp(
+        update_msg,
+        ns3.ip,
+        attempts=1,
+        expected_rcode=dns.rcode.NOERROR,
+    )
+    isctest.check.noerror(response)
+
+    update_msg = dns.update.UpdateMessage(zone)
+    update_msg.delete(fqdn)
+    response = isctest.query.tcp(
+        update_msg,
+        ns3.ip,
+        attempts=1,
+        expected_rcode=dns.rcode.NOERROR,
+    )
+    isctest.check.noerror(response)
+
+
 @pytest.mark.parametrize(
     "params",
     [