Add system test for private-type RRset delete update

Add a Python system test covering an RFC 2136 Delete RRset UPDATE for
the zone apex TYPE65534 private signing-state RRset.

The test uses a dnssec-policy NSEC3 primary with inline-signing
disabled, seeds the apex with an NSEC3PARAM update, then sends the
TYPE65534 RRset delete over TCP.

diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 b/bin/tests/system/nsec3/ns3/named-fips.conf.j2
index 490f6ec1c7d7b29223ce7b7899d7b1bb6863c37a..783921ba5e13e45c3c2c1006366c08250f38a031 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named-fips.conf.j2
+++ b/bin/tests/system/nsec3/ns3/named-fips.conf.j2
@@ -32,6 +32,16 @@ zone "nsec3-dynamic.kasp" {
 };
 {% endif %}{# nsec3-dynamic.kasp #}
 
+{% if "nsec3-private-type-delete.kasp" in zones %}
+zone "nsec3-private-type-delete.kasp" {
+       type primary;
+       file "nsec3-private-type-delete.kasp.db";
+       dnssec-policy "nsec3";
+       inline-signing no;
+       allow-update { any; };
+};
+{% endif %}{# nsec3-private-type-delete.kasp #}
+
 {% if "nsec3-other.kasp" in zones %}
 /* This zone uses non-default NSEC3 settings. */
 zone "nsec3-other.kasp" {

diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index 03b6b81b0d0f7e34d9105c6b900af88208f3d408..ddc0a5a3c4ca00e7db2d6146fdc2c5c9998c03f4 100644 (file)
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -26,7 +26,8 @@ setup() {
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
   nsec3-to-optout nsec3-from-optout nsec3-dynamic \
   nsec3-dynamic-change nsec3-dynamic-to-inline \
-  nsec3-inline-to-dynamic nsec3-dynamic-update-inline; do
+  nsec3-inline-to-dynamic nsec3-dynamic-update-inline \
+  nsec3-private-type-delete; do
   setup "${zn}.kasp"
 done
 

diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index f0dacdc46176a6c44d117d734eaa2621691dd896..3fa07bdeca75ed0878c6f3adb0d4429d8d631884 100644 (file)
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@@ -14,6 +14,7 @@
 import os
 
 import dns.rcode
+import dns.rdatatype
 import dns.update
 import pytest
 
@@ -32,6 +33,7 @@ ZONES = {
     "nsec3-dynamic-update-inline.kasp",
     "nsec3.kasp",
     "nsec3-dynamic.kasp",
+    "nsec3-private-type-delete.kasp",
     "nsec3-change.kasp",
     "nsec3-dynamic-change.kasp",
     "nsec3-dynamic-to-inline.kasp",
@@ -59,6 +61,33 @@ def bootstrap():
     }
 
 
+def test_update_delete_private_type_rrset(ns3):
+    zone = "nsec3-private-type-delete.kasp"
+    fqdn = f"{zone}."
+
+    isctest.kasp.wait_keymgr_done(ns3, zone)
+
+    update_msg = dns.update.UpdateMessage(zone)
+    update_msg.add(fqdn, 0, dns.rdatatype.NSEC3PARAM, "1 0 5 ab")
+    response = isctest.query.tcp(
+        update_msg,
+        ns3.ip,
+        attempts=1,
+        expected_rcode=dns.rcode.NOERROR,
+    )
+    isctest.check.noerror(response)
+
+    update_msg = dns.update.UpdateMessage(zone)
+    update_msg.delete(fqdn, dns.rdatatype.from_text("TYPE65534"))
+    response = isctest.query.tcp(
+        update_msg,
+        ns3.ip,
+        attempts=1,
+        expected_rcode=dns.rcode.NOERROR,
+    )
+    isctest.check.noerror(response)
+
+
 @pytest.mark.parametrize(
     "params",
     [