Improve check_auth_nsec3 salt checking
authorMatthijs Mekking <matthijs@isc.org>
Tue, 30 Sep 2025 10:33:14 +0000 (12:33 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 21 Nov 2025 12:50:13 +0000 (13:50 +0100)
Since we know the salt after checking the NSEC3PARAM record, we might as well
check that the salt in the NSEC3 records of the NXDOMAIN response matches it.

bin/tests/system/nsec3/common.py
bin/tests/system/nsec3/tests_nsec3_initial.py

index 78c7aabe8f9cafe10e860dd539db77cc68332632..12a176fea5157b3d9538937b5a719e1d47adddac 100644 (file)
@@ -66,18 +66,13 @@ def check_auth_nsec(response):
     assert len(rrs) != 0, "no NSEC records found in authority section"
 
 
-def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
-    match = f"IN NSEC3 1 {optout} {iterations}"
+def check_auth_nsec3(response, iterations=0, optout=0, salt="-"):
+    match = f"IN NSEC3 1 {optout} {iterations} {salt}"
     rrs = []
 
     for rrset in response.authority:
         if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3, dns.rdatatype.NONE):
             assert match in rrset.to_text()
-            if saltlen == 0:
-                assert f"{match} -" in rrset.to_text()
-            else:
-                assert not f"{match} -" in rrset.to_text()
-
             rrs.append(rrset)
         assert not rrset.match(
             dns.rdataclass.IN, dns.rdatatype.NSEC, dns.rdatatype.NONE
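Review bot: The salt comparison on the new `match = f"IN NSEC3 1 {optout} {iterations} {salt}"` line is a substring test, so an expected salt that is only a prefix of the one in the NSEC3 record (expected `AB`, actual `ABCD`) still passes, which is weaker than the explicit `f"{match} -"` check this hunk removes for the empty-salt case. In presentation form the salt field is always followed by the next hashed owner name, so anchoring with a trailing space, `match = f"IN NSEC3 1 {optout} {iterations} {salt} "`, makes the match exact for both the `-` and the hex case. A stricter option is to compare the rdata fields (`flags`, `iterations`, `salt`) of every NSEC3 rdata in the rrset instead of matching text, which also avoids depending on dnspython's hex casing. The body of check_auth_nsec3 continues past the end of this hunk.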
@@ -88,6 +83,7 @@ def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
 
 def check_nsec3param(response, match, saltlen):
     rrs = []
+    salt = "-"
 
     for rrset in response.answer:
         if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3PARAM, dns.rdatatype.NONE):
@@ -96,6 +92,7 @@ def check_nsec3param(response, match, saltlen):
                 assert f"{match} -" in rrset.to_text()
             else:
                 assert not f"{match} -" in rrset.to_text()
+                salt = rrset.to_text().split()[7]
 
             rrs.append(rrset)
         else:
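Review bot: `salt = rrset.to_text().split()[7]` recovers the salt by position in the rrset's presentation text (owner, TTL, class, type, hash algorithm, flags, iterations, salt), which silently yields the wrong field if that layout ever differs or the rrset holds more than one rdata; reading it from the rdata object, `salt = rrset[0].to_text().split()[3]` or the raw `rrset[0].salt` bytes, is less brittle. With the salt now in hand, `saltlen` could also be checked for real rather than only zero versus non-zero: if saltlen is the byte length as in the dnssec-policy `salt-length` option, `assert len(salt) == 2 * saltlen` pins the configured size. Only the first rdata is consulted when several NSEC3PARAM rdatas are present, which is presumably acceptable for these test zones. check_nsec3param's body continues outside this hunk.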
@@ -104,3 +101,5 @@ def check_nsec3param(response, match, saltlen):
             )
 
     assert len(rrs) != 0
+
+    return salt
index 25a30704350c0681b8b7e5746be33e872fcff3bf..6f5cfcdafce4dd5ddc45a8cae2941fd60e0bfa23 100644 (file)
@@ -343,12 +343,12 @@ def test_nsec3_case(ns3, params):
     response = isctest.query.tcp(query, ns3.ip)
     assert response.rcode() == dns.rcode.NOERROR
 
-    check_nsec3param(response, match, saltlen)
+    salt = check_nsec3param(response, match, saltlen)
 
     query = isctest.query.create(f"nosuchname.{fqdn}", dns.rdatatype.A)
     response = isctest.query.tcp(query, ns3.ip)
     assert response.rcode() == dns.rcode.NXDOMAIN
-    check_auth_nsec3(response, iterations, optout, saltlen)
+    check_auth_nsec3(response, iterations, optout, salt)
 
     # Extra test for nsec3-change.kasp.
     if zone == "nsec3-change.kasp":