From: Nicki Křížek Date: Thu, 20 Nov 2025 17:09:58 +0000 (+0100) Subject: Only render required zones in config for nsec3 tests X-Git-Tag: v9.21.16~38^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=66e4146a88c4de2b0881e29ff269f01f6658d376;p=thirdparty%2Fbind9.git Only render required zones in config for nsec3 tests When all zones are configured, regardless of whether the test module actually uses them, it makes debugging the logs needlessly more complicated, as there is a bunch of stuff going on that is completely unrelated to the test. Define a list of tested zones in each test module and only render the named.conf with those zones defined. --- diff --git a/bin/tests/system/nsec3/ns2/named.conf.j2 b/bin/tests/system/nsec3/ns2/named.conf.j2 index 924e9d26cb3..904abbf81d6 100644 --- a/bin/tests/system/nsec3/ns2/named.conf.j2 +++ b/bin/tests/system/nsec3/ns2/named.conf.j2 @@ -39,8 +39,10 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +{% if "nsec3-xfr-inline.kasp" in zones %} zone "nsec3-xfr-inline.kasp" { type primary; file "nsec3-xfr-inline.kasp.db"; dnssec-policy "nsec3"; }; +{% endif %}{# nsec3-xfr-inline.kasp #} diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 b/bin/tests/system/nsec3/ns3/named-fips.conf.j2 index 50294575982..8074646fa68 100644 --- a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 +++ b/bin/tests/system/nsec3/ns3/named-fips.conf.j2 
@@ -18,41 +18,52 @@ {% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %} {% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %} +{% if "nsec-to-nsec3.kasp" in zones %} /* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; dnssec-policy "@nsec_to_nsec3@"; }; +{% endif %}{# nsec-to-nsec3.kasp #} +{% if "nsec3.kasp" in zones %} /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; dnssec-policy "nsec3"; }; +{% endif %}{# nsec3.kasp #} +{% if "nsec3-dynamic.kasp" in zones %} zone "nsec3-dynamic.kasp" { type primary; file "nsec3-dynamic.kasp.db"; dnssec-policy "nsec3"; allow-update { any; }; }; +{% endif %}{# nsec3-dynamic.kasp #} +{% if "nsec3-other.kasp" in zones %} /* This zone uses non-default NSEC3 settings. */ zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; dnssec-policy "nsec3-other"; }; +{% endif %}{# nsec3-other.kasp #} +{% if "nsec3-change.kasp" in zones %} /* These zones will be reconfigured to use other NSEC3 settings. */ zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; dnssec-policy "@nsec3_change@"; }; +{% endif %}{# nsec3-change.kasp #} +{% if "nsec3-dynamic-change.kasp" in zones %} zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; 
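Review bot: Every zone block in this hunk is now gated on a `zones` template variable, but nothing in the template says that the variable is required or what happens when it is missing. How the rendering environment treats an undefined `zones` is not visible here, so a render call that omits it may either fail or quietly produce a config with none of these zones, and a misspelled name in a test module's set drops that zone without any render-time error. A short comment next to the `{% set %}` lines at the top of this hunk would make the contract explicit, for example `{# "zones" is required: only zones named in it are rendered; names must match the zone statements below exactly #}`. The same applies to the `named-rsasha1.conf.j2` and `ns2/named.conf.j2` hunks.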
@@ -60,28 +71,36 @@ zone "nsec3-dynamic-change.kasp" { dnssec-policy "@nsec3_change@"; allow-update { any; }; }; +{% endif %}{# nsec3-dynamic-change.kasp #} +{% if "nsec3-to-optout.kasp" in zones %} /* The zone will be reconfigured to use opt-out. */ zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; dnssec-policy "@nsec3_to_optout@"; }; +{% endif %}{# nsec3-to-optout.kasp #} +{% if "nsec3-from-optout.kasp" in zones %} /* The zone will be reconfigured to disable opt-out. */ zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; dnssec-policy "@nsec3_from_optout@"; }; +{% endif %}{# nsec3-from-optout.kasp #} +{% if "nsec3-to-nsec.kasp" in zones %} /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; dnssec-policy "@nsec3_to_nsec@"; }; +{% endif %}{# nsec3-to-nsec.kasp #} +{% if "nsec3-fails-to-load.kasp" in zones %} /* * The zone fails to load, this should not prevent shutdown. * The zone is fixed after a reconfig. @@ -92,7 +111,9 @@ zone "nsec3-fails-to-load.kasp" { dnssec-policy "nsec3"; allow-update { any; }; }; +{% endif %}{# nsec3-fails-to-load.kasp #} +{% if "nsec3-dynamic-to-inline.kasp" in zones %} /* These zones switch from dynamic to inline-signing or vice versa. */ zone "nsec3-dynamic-to-inline.kasp" { type primary; @@ -101,9 +122,11 @@ zone "nsec3-dynamic-to-inline.kasp" { {% if not reconfiged %} allow-update { any; }; inline-signing no; -{% endif %} +{% endif %}{# not reconfiged #} }; +{% endif %}{# nsec3-dynamic-to-inline.kasp #} +{% if "nsec3-inline-to-dynamic.kasp" in zones %} zone "nsec3-inline-to-dynamic.kasp" { type primary; file "nsec3-inline-to-dynamic.kasp.db"; 
@@ -111,12 +134,25 @@ zone "nsec3-inline-to-dynamic.kasp" { {% if reconfiged %} allow-update { any; }; inline-signing no; -{% endif %} +{% endif %}{# reconfiged #} +}; +{% endif %}{# nsec3-inline-to-dynamic.kasp #} +{% if "nsec3-ent.kasp" in zones %} +/* + * This zone will have an empty nonterminal node added and a node deleted. + */ +zone "nsec3-ent.kasp" { + type primary; + file "nsec3-ent.kasp.db"; + dnssec-policy "nsec3"; + inline-signing yes; }; +{% endif %}{# nsec3-ent.kasp #} {% if not reconfiged %} +{% if "nsec3-dynamic-update-inline.kasp" in zones %} /* * Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */ @@ -126,7 +162,9 @@ zone "nsec3-dynamic-update-inline.kasp" { allow-update { any; }; dnssec-policy "nsec"; }; +{% endif %}{# nsec3-dynamic-update-inline.kasp #} +{% if "nsec3-xfr-inline.kasp" in zones %} /* * This zone will have an empty nonterminal node added and a node deleted. */ @@ -136,17 +174,6 @@ zone "nsec3-xfr-inline.kasp" { dnssec-policy "nsec"; primaries { 10.53.0.2; }; }; +{% endif %}{# nsec3-xfr-inline.kasp #} -{% else %} - -/* - * This zone will have an empty nonterminal node added and a node deleted. - */ -zone "nsec3-ent.kasp" { - type primary; - file "nsec3-ent.kasp.db"; - dnssec-policy "nsec3"; - inline-signing yes; -}; - -{% endif %} +{% endif %}{# not reconfiged #} diff --git a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 index c2cbf485ce3..7c47ae2d54e 100644 --- a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 +++ b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 @@ -21,6 +21,8 @@ dnssec-policy "rsasha1" { }; }; + +{% if "rsasha1-to-nsec3.kasp" in zones %} /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should work despite the incompatible RSAHSHA1 algorithm, 
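Review bot: The `nsec3-ent.kasp` zone added in the `@@ -111,12 +134,25 @@` hunk is no longer tied to `reconfiged`: the old template rendered it only in the `{% else %}` branch that the `@@ -136,17 +174,6 @@` hunk removes, so the zone used to appear only after the reconfig. `tests_nsec3_reconfig.py` lists it in the set returned from `bootstrap()`, so it would presumably now be configured from server start, which may change what the empty-nonterminal test exercises and is not mentioned in the commit message. If the zone is still meant to be introduced by the reconfig, the guard could be `{% if reconfiged and "nsec3-ent.kasp" in zones %}`. If the change is intended, a sentence in the zone's comment saying it is present both before and after the reconfig would help.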
@@ -31,7 +33,9 @@ zone "rsasha1-to-nsec3.kasp" { file "rsasha1-to-nsec3.kasp.db"; dnssec-policy "@rsasha1_to_nsec3@"; }; +{% endif %}{# rsasha1-to-nsec3.kasp #} +{% if "rsasha1-to-nsec3-wait.kasp" in zones %} /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should block because RSASHA1 is not compatible with NSEC3, @@ -42,7 +46,9 @@ zone "rsasha1-to-nsec3-wait.kasp" { file "rsasha1-to-nsec3-wait.kasp.db"; dnssec-policy "@rsasha1_to_nsec3@"; }; +{% endif %}{# rsasha1-to-nsec3-wait.kasp #} +{% if "nsec3-to-rsasha1.kasp" in zones %} /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 @@ -53,7 +59,9 @@ zone "nsec3-to-rsasha1.kasp" { file "nsec3-to-rsasha1.kasp.db"; dnssec-policy "@nsec3_to_rsasha1@"; }; +{% endif %}{# nsec3-to-rsasha1.kasp #} +{% if "nsec3-to-rsasha1-ds.kasp" in zones %} /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should also be fine because we are allowed @@ -65,3 +73,4 @@ zone "nsec3-to-rsasha1-ds.kasp" { file "nsec3-to-rsasha1-ds.kasp.db"; dnssec-policy "@nsec3_to_rsasha1@"; }; +{% endif %}{# nsec3-to-rsasha1-ds.kasp #} diff --git a/bin/tests/system/nsec3/tests_nsec3_change.py b/bin/tests/system/nsec3/tests_nsec3_change.py index 39b3a1cbfe7..a65a1789be2 100644 --- a/bin/tests/system/nsec3/tests_nsec3_change.py +++ b/bin/tests/system/nsec3/tests_nsec3_change.py @@ -31,6 +31,18 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3-change.kasp", +} + + +def bootstrap(): + return { + "zones": ZONES, + } + + @pytest.fixture(scope="module", autouse=True) def after_servers_start(ns3, templates): 
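Review bot: The new `bootstrap()` in `tests_nsec3_change.py` has no docstring, and nothing in the hunk says who calls it or that its keys become template variables for the initial `named.conf` rendering. The same undocumented `ZONES`/`bootstrap()` pair is added in `tests_nsec3_initial.py`, `tests_nsec3_reconfig.py`, `tests_nsec3_reload.py` and `tests_nsec3_restart.py`. A one-line docstring such as `"""Return the template variables for the initial config rendering."""` would do, assuming that is what the hook is for. `ZONES` is also a mutable set shared between `bootstrap()` and the later `templates.render()` data; `frozenset({...})` would rule out accidental mutation in the modules that do not extend it.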
@@ -58,8 +70,12 @@ def after_servers_start(ns3, templates): # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM. # Reconfigure. - templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True}) - templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True}) + data = { + "reconfiged": True, + "zones": ZONES, + } + templates.render(f"{nsdir}/named-fips.conf", data) + templates.render(f"{nsdir}/named-rsasha1.conf", data) # Wait for the NSEC3 chain is finished rebuilding. messages = [ diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py index a8f52350fe1..6ef80343a99 100644 --- a/bin/tests/system/nsec3/tests_nsec3_initial.py +++ b/bin/tests/system/nsec3/tests_nsec3_initial.py @@ -11,6 +11,8 @@ # pylint: disable=redefined-outer-name,unused-import +import os + import dns.update import pytest @@ -27,6 +29,40 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec-to-nsec3.kasp", + "nsec3-xfr-inline.kasp", + "nsec3-dynamic-update-inline.kasp", + "nsec3.kasp", + "nsec3-dynamic.kasp", + "nsec3-change.kasp", + "nsec3-dynamic-change.kasp", + "nsec3-dynamic-to-inline.kasp", + "nsec3-inline-to-dynamic.kasp", + "nsec3-to-nsec.kasp", + "nsec3-to-optout.kasp", + "nsec3-from-optout.kasp", + "nsec3-other.kasp", +} + +if os.environ["RSASHA1_SUPPORTED"] == "1": + ZONES.update( + { + "rsasha1-to-nsec3.kasp", + "rsasha1-to-nsec3-wait.kasp", + "nsec3-to-rsasha1.kasp", + "nsec3-to-rsasha1-ds.kasp", + } + ) + + +def bootstrap(): + return { + "zones": ZONES, + } + + @pytest.mark.parametrize( "params", [ diff --git a/bin/tests/system/nsec3/tests_nsec3_reconfig.py b/bin/tests/system/nsec3/tests_nsec3_reconfig.py index 1f7ffec73e5..666ba320b4f 100644 --- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py +++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py 
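Review bot: `os.environ["RSASHA1_SUPPORTED"]` in the `tests_nsec3_initial.py` hunk is evaluated at import time, so if the variable is not set the module fails with a `KeyError` during collection instead of simply leaving the RSASHA1 zones out. Whether the test runner always exports it is not visible here; if it may be absent, `if os.environ.get("RSASHA1_SUPPORTED") == "1":` keeps the same behaviour when it is set. `tests_nsec3_reconfig.py` adds the identical check, and its hunks do not show an `import os` being added the way this file's first hunk does, so that import should be confirmed there.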
@@ -31,6 +31,38 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3-to-nsec.kasp", + "nsec-to-nsec3.kasp", + "nsec3.kasp", + "nsec3-dynamic.kasp", + "nsec3-dynamic-change.kasp", + "nsec3-dynamic-to-inline.kasp", + "nsec3-inline-to-dynamic.kasp", + # "nsec3-to-optout.kasp", + # "nsec3-from-optout.kasp", + "nsec3-other.kasp", + "nsec3-ent.kasp", +} + +if os.environ["RSASHA1_SUPPORTED"] == "1": + ZONES.update( + { + "rsasha1-to-nsec3-wait.kasp", + "nsec3-to-rsasha1.kasp", + "nsec3-to-rsasha1-ds.kasp", + "rsasha1-to-nsec3.kasp", + } + ) + + +def bootstrap(): + return { + "zones": ZONES, + } + + @pytest.fixture(scope="module", autouse=True) def after_servers_start(ns3, templates): # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig. @@ -41,8 +73,12 @@ def after_servers_start(ns3, templates): isctest.kasp.check_dnssec_verify(ns3, zone) # Reconfigure. - templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True}) - templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True}) + data = { + "reconfiged": True, + "zones": ZONES, + } + templates.render(f"{ns3.identifier}/named-fips.conf", data) + templates.render(f"{ns3.identifier}/named-rsasha1.conf", data) ns3.reconfigure() diff --git a/bin/tests/system/nsec3/tests_nsec3_reload.py b/bin/tests/system/nsec3/tests_nsec3_reload.py index 0e5dd0cfea3..b3fb860288d 100644 --- a/bin/tests/system/nsec3/tests_nsec3_reload.py +++ b/bin/tests/system/nsec3/tests_nsec3_reload.py @@ -26,6 +26,18 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3-fails-to-load.kasp", +} + + +def bootstrap(): + return { + "zones": ZONES, + } + + def test_nsec3_case(ns3): # Get test parameters. params = { diff --git a/bin/tests/system/nsec3/tests_nsec3_restart.py b/bin/tests/system/nsec3/tests_nsec3_restart.py index cae21f4413e..e1e76c4f98a 100644 
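Review bot: The `ZONES` set added to `tests_nsec3_reconfig.py` carries two commented-out entries, `# "nsec3-to-optout.kasp"` and `# "nsec3-from-optout.kasp"`, with no explanation. A reader cannot tell whether these zones are deliberately left out of this module or were disabled while debugging. Either delete the two lines or replace them with a comment that gives the reason, for example `# nsec3-to-optout.kasp and nsec3-from-optout.kasp are not checked in this module` if that is the case.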
--- a/bin/tests/system/nsec3/tests_nsec3_restart.py +++ b/bin/tests/system/nsec3/tests_nsec3_restart.py @@ -29,6 +29,19 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3.kasp", + "nsec3-other.kasp", +} + + +def bootstrap(): + return { + "zones": ZONES, + } + + def perform_nsec3_tests(server, params): # Get test parameters. zone = params["zone"]