From: Matthijs Mekking
Date: Mon, 4 Aug 2025 11:09:12 +0000 (+0200)
Subject: Fix nsec3 system test
X-Git-Tag: v9.21.17~60^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8339be0f82019f6eecb9136ea928788bec0794b;p=thirdparty%2Fbind9.git

Fix nsec3 system test

The nsec3 system test has a couple of cases where the configured policy changes the algorithm, effectively triggering an algorithm rollover. Fix those cases to start in a valid DNSSEC state. Then fix the expected key states, no longer should the old algorithm be removed immediately.
---
diff --git a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2
index 7c47ae2d54e..e05d3410e2e 100644
--- a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2
+++ b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2
@@ -25,7 +25,7 @@ dnssec-policy "rsasha1" {
 {% if "rsasha1-to-nsec3.kasp" in zones %}
 /*
  * This zone starts with NSEC, but will be reconfigured to use NSEC3.
- * This should work despite the incompatible RSAHSHA1 algorithm,
+ * This should work despite the incompatible RSASHA1 algorithm,
  * because the DS is still in hidden state.
  */
 zone "rsasha1-to-nsec3.kasp" {
@@ -51,7 +51,7 @@ zone "rsasha1-to-nsec3-wait.kasp" {
 {% if "nsec3-to-rsasha1.kasp" in zones %}
 /*
  * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
- * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
+ * NSEC only algorithm. This should work despite the incompatible RSASHA1
  * algorithm, because the DS is still in hidden state.
  */
 zone "nsec3-to-rsasha1.kasp" {
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index 5b7053e08da..03b6b81b0d0 100644
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -31,24 +31,23 @@ for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
 done
 
 if [ $RSASHA1_SUPPORTED = 1 ]; then
-  for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \
-    nsec3-to-rsasha1-ds; do
-    setup "${zn}.kasp"
-  done
-
   longago="now-1y"
-  keytimes="-P ${longago} -A ${longago}"
+  keytimes="-P ${longago} -A ${longago} -P sync ${longago}"
   O="omnipresent"
 
-  zone="rsasha1-to-nsec3-wait.kasp"
-  CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2>keygen.out.$zone)
-  echo_i "Created key file $CSK"
-  $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
+  for zn in nsec3-to-rsasha1 nsec3-to-rsasha1-ds; do
+    setup "${zn}.kasp"
+    CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone)
+    $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
+    cat $CSK.key >>$zonefile
+  done
 
-  zone="nsec3-to-rsasha1-ds.kasp"
-  CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2>keygen.out.$zone)
-  echo_i "Created key file $CSK"
-  $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
+  for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait; do
+    setup "${zn}.kasp"
+    CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2>keygen.out.$zone)
+    $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
+    cat $CSK.key >>$zonefile
+  done
 else
   echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported"
 fi
diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index 6ef80343a99..b890bf9cbdc 100644
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
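Review bot: Both new loops drop the `echo_i "Created key file $CSK"` line that the replaced blocks had, so the setup log no longer records which key file was generated for each zone, and a later key-state mismatch in the Python tests is harder to trace back to setup; restoring `echo_i "Created key file $CSK"` after each `$KEYGEN` call keeps that trail. Inside the loops `$zone` and `$zonefile` are read while the loop variable is `zn`, which presumably relies on `setup` assigning both — a one-line comment such as `# setup sets $zone and $zonefile for the current zone` above the first loop would make that dependency visible. The `setup` function itself is outside the hunk, so that assumption should be confirmed there.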
@@ -81,7 +81,7 @@ def bootstrap():
                 "zone": "rsasha1-to-nsec3.kasp",
                 "policy": "rsasha1",
                 "key-properties": [
-                    f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+                    f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
                 ],
             },
             id="rsasha1-to-nsec3.kasp",
@@ -162,7 +162,7 @@ def test_nsec_case(ns3, params):
                 "zone": "nsec3-to-rsasha1.kasp",
                 "policy": "nsec3",
                 "key-properties": [
-                    f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+                    f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
                 ],
             },
             id="nsec3-to-rsasha1.kasp",
diff --git a/bin/tests/system/nsec3/tests_nsec3_reconfig.py b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
index 3b791eba118..26df38cfdd0 100644
--- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py
+++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
@@ -92,6 +92,18 @@ def after_servers_start(ns3, templates):
 @pytest.mark.parametrize(
     "params",
     [
+        pytest.param(
+            {
+                "zone": "rsasha1-to-nsec3.kasp",
+                "policy": "nsec3",
+                "key-properties": [
+                    f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
+                    f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+                ],
+            },
+            id="rsasha1-to-nsec3.kasp",
+            marks=isctest.mark.with_algorithm("RSASHA1"),
+        ),
         pytest.param(
             {
                 "zone": "rsasha1-to-nsec3-wait.kasp",
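Review bot: The added `key-properties` expectation for rsasha1-to-nsec3.kasp encodes a rule the removed one did not — the RSASHA1 CSK moves to `goal:hidden` while its dnskey/krrsig/zrrsig/ds states stay `omnipresent` instead of `unretentive` — but nothing in the test says why, and the same pattern is repeated for the nsec3-to-rsasha1.kasp case in the next hunk. A comment above the list such as `# algorithm rollover: the old CSK keeps its records published until the replacement key is fully introduced` would let a reader distinguish a deliberate expectation from a copy of the initial state. The commit message already gives this reasoning ("no longer should the old algorithm be removed immediately"), so carrying it into the file costs one line. The enclosing parametrize list continues outside the hunk.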
@@ -109,7 +121,7 @@ def after_servers_start(ns3, templates):
                 "zone": "nsec3-to-rsasha1.kasp",
                 "policy": "rsasha1",
                 "key-properties": [
-                    f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden",
+                    f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
                     f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
                 ],
             },
@@ -163,18 +175,6 @@ def test_nsec_case(ns3, params):
             },
             id="nsec-to-nsec3.kasp",
         ),
-        pytest.param(
-            {
-                "zone": "rsasha1-to-nsec3.kasp",
-                "policy": "nsec3",
-                "key-properties": [
-                    f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden",
-                    f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
-                ],
-            },
-            id="rsasha1-to-nsec3.kasp",
-            marks=isctest.mark.with_algorithm("RSASHA1"),
-        ),
         pytest.param(
             {
                 "zone": "nsec3.kasp",