update tests_validation.py test for new behavior

Some of the tests in in dnssec/tests_validation.py worked by iterating
through the response message looking for failure conditions, such as
excessively high TTL values. In some cases, previous changes caused
additional data not to be returned. Since there was nothing to
iterate, the tests still "passed".

Tests that don't make sense anymore have been removed. Other tests that
iterate through responses have been updated with checks to ensure that
the responses actually do contain data.

diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2
index 564a82e4a6d263d794bd7c1fb03a3e5a036cccf1..4e1dc2c5d2bb258f31a42e17d1e2c80b89ae1e95 100644 (file)
--- a/bin/tests/system/dnssec/ns3/named.conf.j2
+++ b/bin/tests/system/dnssec/ns3/named.conf.j2
@@ -324,7 +324,6 @@ zone "nsec3chain-test" {
 
 zone "expiring.example" {
        type primary;
-       allow-update { any; };
        file "expiring.example.db.signed";
 };
 

diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index 781324fed268661467d31e196419d280e35187a8..c0a786cc6cf74124cde95024e5911ec3ec1c4556 100644 (file)
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -630,6 +630,7 @@ def test_negative_validation_optout():
     msg = isctest.query.create("delegation.single-nsec3", "A")
     res = isctest.query.tcp(msg, "10.53.0.2")
     isctest.check.noerror(res)
+    isctest.check.has_authority(res)
     for rrset in res.authority:
         if (
             rrset.rdtype != rdatatype.NSEC3
@@ -642,6 +643,7 @@ def test_negative_validation_optout():
     msg = isctest.query.create("nonexist.single-nsec3", "A")
     res = isctest.query.tcp(msg, "10.53.0.2")
     isctest.check.nxdomain(res)
+    isctest.check.has_authority(res)
     for rrset in res.authority:
         if (
             rrset.rdtype != rdatatype.NSEC3
@@ -654,6 +656,7 @@ def test_negative_validation_optout():
     msg = isctest.query.create("single-nsec3", "A")
     res = isctest.query.tcp(msg, "10.53.0.2")
     isctest.check.noerror(res)
+    isctest.check.has_authority(res)
     for rrset in res.authority:
         if (
             rrset.rdtype != rdatatype.NSEC3
@@ -1129,33 +1132,15 @@ def test_expired_signatures(ns4):
     res1 = isctest.query.tcp(msg, "10.53.0.4")
     msg = isctest.query.create("expiring.example", "SOA")
     res2 = isctest.query.tcp(msg, "10.53.0.4")
+    isctest.check.noerror(res1)
+    isctest.check.has_answer(res1)
+    isctest.check.noerror(res2)
+    isctest.check.has_answer(res2)
     for rrset in res1.answer:
         assert 240 <= rrset.ttl <= 300
     for rrset in res2.answer:
         assert rrset.ttl <= 60
 
-    # test TTL is capped at RRSIG expiry time in the additional section (NS)
-    ns4.rndc("flush")
-    msg = isctest.query.create("expiring.example", "NS", cd=True)
-    res1 = isctest.query.tcp(msg, "10.53.0.4")
-    msg = isctest.query.create("expiring.example", "NS")
-    res2 = isctest.query.tcp(msg, "10.53.0.4")
-    for rrset in res1.additional:
-        assert 240 <= rrset.ttl <= 300
-    for rrset in res2.additional:
-        assert rrset.ttl <= 60
-
-    # test TTL is capped at RRSIG expiry time in the additional section (MX)
-    ns4.rndc("flush")
-    msg = isctest.query.create("expiring.example", "MX", cd=True)
-    res1 = isctest.query.tcp(msg, "10.53.0.4")
-    msg = isctest.query.create("expiring.example", "MX")
-    res2 = isctest.query.tcp(msg, "10.53.0.4")
-    for rrset in res1.additional:
-        assert 240 <= rrset.ttl <= 300
-    for rrset in res2.additional:
-        assert rrset.ttl <= 60
-
 
 def test_casing():
     # test legacy upper-case signer name validation