From: Matthijs Mekking
Date: Fri, 14 Nov 2025 15:31:42 +0000 (+0100)
Subject: Move nsec3-change.kasp test to separate module
X-Git-Tag: v9.21.16~38^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ee62467a6f2789eb0062df4fa41ae68b4e724d8;p=thirdparty%2Fbind9.git
Move nsec3-change.kasp test to separate module
This zone has a specific corner case to be tested during the setup. Move it to a separate module so it is less convoluted.
---
diff --git a/bin/tests/system/nsec3/tests_nsec3_change.py b/bin/tests/system/nsec3/tests_nsec3_change.py
new file mode 100644
index 00000000000..39b3a1cbfe7
--- /dev/null
+++ b/bin/tests/system/nsec3/tests_nsec3_change.py
@@ -0,0 +1,101 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import os
+import shutil
+import time
+
+import dns.update
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import isctest
+import isctest.mark
+from isctest.vars.algorithms import RSASHA1
+from nsec3.common import (
+ ALGORITHM,
+ SIZE,
+ default_config,
+ pytestmark,
+ check_nsec3_case,
+)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def after_servers_start(ns3, templates):
+
+ def check_soa_update():
+ query = isctest.query.create(fqdn, dns.rdatatype.SOA)
+ response = isctest.query.tcp(query, ns3.ip, attempts=1, timeout=2)
+ rrset = response.get_rrset(
+ response.answer,
+ dns.name.from_text(fqdn),
+ dns.rdataclass.IN,
+ dns.rdatatype.SOA,
+ )
+ return rrset[0].minimum == 900
+
+ nsdir = ns3.identifier
+
+ zone = "nsec3-change.kasp"
+ fqdn = f"{zone}."
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
+ shutil.copyfile(f"{nsdir}/template2.db.in", f"{nsdir}/{zone}.db")
+ ns3.rndc(f"reload {zone}")
+
+ isctest.run.retry_with_timeout(check_soa_update, timeout=10)
+ # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
+
+ # Reconfigure.
+ templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
+ templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
+
+ # Wait for the NSEC3 chain is finished rebuilding.
+ messages = [
+ f"zone {zone}/IN (signed): generated salt",
+ f"zone_nsec3chain: zone {zone}/IN (signed): enter",
+ f"add {zone}. 
900 IN NSEC3PARAM 1 0 0",
+ f"zone_needdump: zone {zone}/IN (signed): enter",
+ ]
+ with ns3.watch_log_from_start() as watcher:
+ ns3.reconfigure()
+ watcher.wait_for_sequence(messages)
+
+
+def test_nsec3_case(ns3):
+ # Get test parameters.
+ params = {
+ "zone": "nsec3-change.kasp",
+ "policy": "nsec3",
+ "soa-minimum": 900,
+ "nsec3param": {
+ "optout": 1,
+ "salt-length": 8,
+ },
+ "key-properties": [
+ f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ }
+ zone = params["zone"]
+
+ # First make sure the zone is properly signed.
+ isctest.kasp.wait_keymgr_done(ns3, zone, reconfig=True)
+
+ # Test case.
+ check_nsec3_case(ns3, params)
+
+ # Using rndc signing -nsec3param (should fail)
+ isctest.log.info(f"use rndc signing -nsec3param {zone} to change NSEC3 settings")
+ response = ns3.rndc(f"signing -nsec3param 1 1 12 ffff {zone}")
+ assert "zone uses dnssec-policy, use rndc dnssec command instead" in response
diff --git a/bin/tests/system/nsec3/tests_nsec3_reconfig.py b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
index 3525a264449..1f7ffec73e5 100644
--- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py
+++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
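Review bot: The negative check at the end of test_nsec3_case only asserts that `rndc signing -nsec3param` is refused; it does not confirm that the refused command left the zone's NSEC3 parameters untouched, so a regression in which named prints the error but still applies the change would pass. Re-running the verification after the rndc call, `check_nsec3_case(ns3, params)`, pins that down with the params already in scope. Separately, in check_soa_update `response.get_rrset(...)` returns None when the answer carries no SOA, so `rrset[0].minimum` raises TypeError instead of returning False; whether isctest.run.retry_with_timeout treats an exception as a retryable failure is not visible here, so a guard `if rrset is None: return False` before the comparison is the safer form. The module also keeps `pytest.importorskip("dns", minversion="2.0.0")` after `import dns.update`, which cannot skip anything because the import has already run, and carries imports this file does not use (`time`, `dns.update`, `RSASHA1`) that the pylint disable line hides.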
@@ -33,36 +33,6 @@ from nsec3.common import (
 @pytest.fixture(scope="module", autouse=True)
 def after_servers_start(ns3, templates):
-
- def wait_for_soa_update():
- match = "20 20 1814400 900"
-
- for _ in range(5):
- query = isctest.query.create(fqdn, dns.rdatatype.SOA)
- response = isctest.query.tcp(query, ns3.ip)
- rrset = response.get_rrset(
- response.answer,
- dns.name.from_text(fqdn),
- dns.rdataclass.IN,
- dns.rdatatype.SOA,
- )
- if match in str(rrset[0]):
- return True
-
- return False
-
- nsdir = ns3.identifier
-
- # Extra test for nsec3-change.kasp.
- zone = "nsec3-change.kasp"
- fqdn = f"{zone}."
- isctest.kasp.wait_keymgr_done(ns3, zone)
- shutil.copyfile(f"{nsdir}/template2.db.in", f"{nsdir}/{zone}.db")
- ns3.rndc(f"reload {zone}")
-
- isctest.run.retry_with_timeout(wait_for_soa_update, timeout=5)
- # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
-
 # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
 with_rsasha1 = "RSASHA1_SUPPORTED"
 assert with_rsasha1 in os.environ, f"{with_rsasha1} env variable undefined"
@@ -71,8 +41,8 @@ def after_servers_start(ns3, templates):
 isctest.kasp.check_dnssec_verify(ns3, zone)
 # Reconfigure.
- templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
- templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
+ templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True})
+ templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True})
 ns3.reconfigure()
@@ -182,21 +152,6 @@ def test_nsec_case(ns3, params):
 },
 id="nsec3-dynamic.kasp",
 ),
- pytest.param(
- {
- "zone": "nsec3-change.kasp",
- "policy": "nsec3",
- "soa-minimum": 900,
- "nsec3param": {
- "optout": 1,
- "salt-length": 8,
- },
- "key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
- ],
- },
- id="nsec3-change.kasp",
- ),
 pytest.param(
 {
 "zone": "nsec3-dynamic-change.kasp",
@@ -287,15 +242,6 @@ def test_nsec3_case(ns3, params):
 # Test case.
 check_nsec3_case(ns3, params)
- # Extra test for nsec3-change.kasp.
- if zone == "nsec3-change.kasp":
- # Using rndc signing -nsec3param (should fail)
- isctest.log.info(
- f"use rndc signing -nsec3param {zone} to change NSEC3 settings"
- )
- response = ns3.rndc(f"signing -nsec3param 1 1 12 ffff {zone}")
- assert "zone uses dnssec-policy, use rndc dnssec command instead" in response
-
 def test_nsec3_ent(ns3, templates):
 # Zone: nsec3-ent.kasp (regression test for #5108)