Update kasp based system tests to new output

author Matthijs Mekking <matthijs@isc.org>

Wed, 15 Oct 2025 14:37:15 +0000 (16:37 +0200)

committer Matthijs Mekking <matthijs@isc.org>

Fri, 28 Nov 2025 14:32:17 +0000 (15:32 +0100)
author Matthijs Mekking <matthijs@isc.org>
Wed, 15 Oct 2025 14:37:15 +0000 (16:37 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Fri, 28 Nov 2025 14:32:17 +0000 (15:32 +0100)
diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py

index 486b2063157cb732a1665d48d44528b1221ef244..1a657a26dbbee4898184375240e4cecb6a27d109 100644 (file)
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -486,6 +486,13 @@ class Key:
      def is_zsk(self) -> bool:
          return self.get_metadata("ZSK") == "yes"
  
+    def role(self) -> str:
+        if self.is_ksk() and self.is_zsk():
+            return "CSK"
+        if self.is_ksk():
+            return "KSK"
+        return "ZSK"
+
      @property
      def algorithm(self) -> Algorithm:
          num = int(self.get_metadata("Algorithm"))
@@ -844,25 +851,31 @@ def check_dnssec_verify(server, zone, tsig=None):
      assert verified
  
  
-def check_dnssecstatus(server, zone, keys, policy=None, view=None):
+def check_dnssecstatus(server, zone, keys, policy=None, view=None, verbose=False):
      # Call rndc dnssec -status on 'server' for 'zone'. Expect 'policy' in
      # the output. This is a loose verification, it just tests if the right
      # policy name is returned, and if all expected keys are listed.
      response = ""
+
+    # Verbose output.
+    v = ""
+    if verbose:
+        v = "-v "
+
      if view is None:
-        response = server.rndc(f"dnssec -status {zone}", log=False)
+        response = server.rndc(f"dnssec -status {v}{zone}", log=False)
      else:
-        response = server.rndc(f"dnssec -status {zone} in {view}", log=False)
+        response = server.rndc(f"dnssec -status {v}{zone} in {view}", log=False)
  
      if policy is None:
          assert "Zone does not have dnssec-policy" in response
          return
  
-    assert f"dnssec-policy: {policy}" in response
+    assert f"DNSSEC status for zone '{zone}' using policy '{policy}'" in response
  
      for key in keys:
          if not key.external:
-            assert f"key: {key.tag}" in response
+            assert f"{key.role()} {key.tag}" in response
  
  
  def _check_signatures(
@@ -1250,6 +1263,7 @@ def check_rollover_step(server, config, policy, step):
      check_keytimes_flag = step.get("check-keytimes", True)
      zone_signed = step.get("zone-signed", True)
      manual_mode = step.get("manual-mode", False)
+    verbose = step.get("verbose", False)
  
      isctest.log.info(f"check rollover step {zone}")
  
@@ -1311,7 +1325,7 @@ def check_rollover_step(server, config, policy, step):
      if check_keytimes_flag:
          check_keytimes(keys, expected)
  
-    check_dnssecstatus(server, zone, keys, policy=policy)
+    check_dnssecstatus(server, zone, keys, policy=policy, verbose=verbose)
      check_apex(
          server,
          zone,
diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py

index c494b7a13cb99661e798f1dbbf6bddd372e1a28b..2d6aa4b46e8f9fe3bb4a777baf04cc90ae648473 100644 (file)
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -342,7 +342,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
          pytest.param(
              {
                  "zone": "rsasha1-nsec3.kasp",
-                "policy": "rsasha1",
+                "policy": "rsasha1-nsec3",
                  "config": kasp_config,
                  "key-properties": rsa1_properties(7),
              },
@@ -939,7 +939,7 @@ def test_kasp_dynamic(ns3):
      # Standard dynamic zone.
      isctest.log.info("check dynamic zone is updated and signed after update")
      zone = "dynamic.kasp"
-    policy = "default"
+    policy = "default-dynamic"
  
      isctest.kasp.wait_keymgr_done(ns3, zone)
  
@@ -1005,6 +1005,7 @@ def test_kasp_dynamic(ns3):
  
      # Dynamic, and inline-signing.
      zone = "dynamic-inline-signing.kasp"
+    policy = "default"
  
      isctest.kasp.wait_keymgr_done(ns3, zone)
  
diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py

index 23faab0eae1cfea025520899aa3656bd2486834f..374865b042e6fa0c3465a38f1056efba2c3131fb 100644 (file)
--- a/bin/tests/system/ksr/tests_ksr.py
+++ b/bin/tests/system/ksr/tests_ksr.py
@@ -746,7 +746,9 @@ def test_ksr_common(ns1):
  
      # test zone is correctly signed
      # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, overlapping_zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(
+        ns1, zone, overlapping_zsks, policy=policy, verbose=True
+    )
      # - dnssec_verify
      isctest.kasp.check_dnssec_verify(ns1, zone)
      # - check keys
@@ -818,7 +820,7 @@ def test_ksr_lastbundle(ns1):
  
      # test zone is correctly signed
      # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
      # - dnssec_verify
      isctest.kasp.check_dnssec_verify(ns1, zone)
      # - check keys
@@ -895,7 +897,7 @@ def test_ksr_inthemiddle(ns1):
  
      # test zone is correctly signed
      # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
      # - dnssec_verify
      isctest.kasp.check_dnssec_verify(ns1, zone)
      # - check keys
@@ -1083,7 +1085,7 @@ def test_ksr_unlimited(ns1):
  
      # test zone is correctly signed
      # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
      # - dnssec_verify
      isctest.kasp.check_dnssec_verify(ns1, zone)
      # - check keys
@@ -1192,7 +1194,7 @@ def test_ksr_twotone(ns1):
  
      # test zone is correctly signed
      # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
      # - dnssec_verify
      isctest.kasp.check_dnssec_verify(ns1, zone)
      # - check keys
@@ -1269,7 +1271,7 @@ def test_ksr_kskroll(ns1):
  
      # test zone is correctly signed
      # - check rndc dnssec -status output
-    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy, verbose=True)
      # - dnssec_verify
      isctest.kasp.check_dnssec_verify(ns1, zone)
      # - check keys
diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py

index d8178f623ef7a4d7c86d21c1da6a8e8223b2dc7b..0b96fb7328952552671b11c251571291cc5729e6 100644 (file)
--- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py
+++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py
@@ -27,7 +27,7 @@ from rollover.common import (
  @pytest.mark.parametrize(
      "tld, policy",
      [
-        param("kasp", "csk-algoroll"),
+        param("kasp", "csk-algoroll-kasp"),
          param("manual", "csk-algoroll-manual"),
      ],
  )
diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py

index 8b152b754fec42f127f4b2bc580b5955f45e608c..2fcbd6290af2400d50cad8fa4880267bb3cba919 100644 (file)
--- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py
+++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py
@@ -330,5 +330,7 @@ def test_algoroll_csk_reconfig_step6(tld, ns6, alg, size):
          # keys have an unlimited lifetime.  Fallback to the default
          # loadkeys interval.
          "nextev": TIMEDELTA["PT1H"],
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
diff --git a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py

index 9de15ba2f131970925035c35300258ffa7ba29df..590dc4ec3ca00362dd866b6b1da3cea18f9a220a 100644 (file)
--- a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py
+++ b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py
@@ -319,6 +319,8 @@ def test_algoroll_ksk_zsk_reconfig_step5(tld, ns6, alg, size):
          # platforms by subtracting the number of seconds which passed
          # between key creation and invoking 'rndc reconfig'.
          "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
  
@@ -352,5 +354,7 @@ def test_algoroll_ksk_zsk_reconfig_step6(tld, ns6, alg, size):
          # keys have an unlimited lifetime.  Fallback to the default
          # loadkeys interval.
          "nextev": TIMEDELTA["PT1H"],
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
diff --git a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py

index b9c5861d86e0b74b0ac7c65f16453b162f304140..b4b31df6fde0be51c5cdd61cd0ef5816e9491f09 100644 (file)
--- a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py
+++ b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py
@@ -404,6 +404,8 @@ def test_csk_roll1_step7(tld, alg, size, ns3):
          # This is the Lcsk, minus time passed since the key started signing,
          # minus the prepublication time.
          "nextev": CSK_LIFETIME - IRETZSK - IPUB - KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
  
diff --git a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py

index f63c565fc0bef558e553f2d4da8c62b0b4834587..d18b13fe5d2d50da197ac76089da477be05f7a5a 100644 (file)
--- a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py
+++ b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py
@@ -376,6 +376,8 @@ def test_csk_roll2_step6(tld, alg, size, ns3):
          # Next key event is when the new successor needs to be published.
          # This is the Lcsk, minus time passed since the key was published.
          "nextev": CSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
  
@@ -405,5 +407,7 @@ def test_csk_roll2_step7(tld, alg, size, ns3):
          ],
          "keyrelationships": [0, 1],
          "nextev": None,
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
diff --git a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py

index 9f01fdaca94b4363e5628a759b914f53585acac5..68dc712b0be36a3935f9ef8dc875fad30cda3e93 100644 (file)
--- a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py
+++ b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py
@@ -316,6 +316,8 @@ def test_ksk_doubleksk_step5(tld, alg, size, ns3):
          # Next key event is when the new successor needs to be published.
          # This is the KSK lifetime minus Ipub minus Iret minus time elapsed.
          "nextev": KSK_LIFETIME - KSK_IPUB - KSK_IRET - KSK_KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
  
diff --git a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py

index 702c0f26ad4bed17eaaf893ac4a592f97b6c76aa..30a5104c8b131dbea4f8aedcfe7bff5e4d2f5943 100644 (file)
--- a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
+++ b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
@@ -229,7 +229,7 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
  
      step["smooth"] = False
      step["nextev"] = Iret(CONFIG, smooth=False)
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
  
  
  @pytest.mark.parametrize(
@@ -322,6 +322,8 @@ def test_zsk_prepub_step5(tld, alg, size, ns3):
          # this is the zsk lifetime minus IRET minus IPUB minus time
          # elapsed.
          "nextev": ZSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
+        # Include hidden keys in output.
+        "verbose": True,
      }
      isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
author	Matthijs Mekking <matthijs@isc.org>
	Wed, 15 Oct 2025 14:37:15 +0000 (16:37 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Fri, 28 Nov 2025 14:32:17 +0000 (15:32 +0100)
bin/tests/system/isctest/kasp.py		patch \| blob \| blame \| history
bin/tests/system/kasp/tests_kasp.py		patch \| blob \| blame \| history
bin/tests/system/ksr/tests_ksr.py		patch \| blob \| blame \| history
bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py		patch \| blob \| blame \| history
bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py		patch \| blob \| blame \| history
bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py		patch \| blob \| blame \| history
bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py		patch \| blob \| blame \| history
bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py		patch \| blob \| blame \| history
bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py		patch \| blob \| blame \| history
bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py		patch \| blob \| blame \| history