From: Alessio Podda <alessio@isc.org>
Date: Fri, 8 May 2026 12:26:04 +0000 (+0200)
Subject: Add system test for apex delete-all private rollback
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad2411ace1d55ee3daab57c83e967b1e51edcaa7;p=thirdparty%2Fbind9.git

Add system test for apex delete-all private rollback

Add a Python system test for an RFC 2136 delete-all-at-name UPDATE at
the zone apex when the apex contains TYPE65534 private signing state.

The test reuses the dnssec-policy NSEC3 primary with inline-signing
disabled, seeds the apex through dynamic update, then sends the apex
ANY/ANY delete-all UPDATE over TCP.
---

diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index 3fa07bdeca7..7d82e79ff8b 100644
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@@ -88,6 +88,33 @@ def test_update_delete_private_type_rrset(ns3):
     isctest.check.noerror(response)
 
 
+def test_update_delete_all_apex_rrsets_with_private_type(ns3):
+    zone = "nsec3-private-type-delete.kasp"
+    fqdn = f"{zone}."
+
+    isctest.kasp.wait_keymgr_done(ns3, zone)
+
+    update_msg = dns.update.UpdateMessage(zone)
+    update_msg.add(fqdn, 0, dns.rdatatype.NSEC3PARAM, "1 0 5 ab")
+    response = isctest.query.tcp(
+        update_msg,
+        ns3.ip,
+        attempts=1,
+        expected_rcode=dns.rcode.NOERROR,
+    )
+    isctest.check.noerror(response)
+
+    update_msg = dns.update.UpdateMessage(zone)
+    update_msg.delete(fqdn)
+    response = isctest.query.tcp(
+        update_msg,
+        ns3.ip,
+        attempts=1,
+        expected_rcode=dns.rcode.NOERROR,
+    )
+    isctest.check.noerror(response)
+
+
 @pytest.mark.parametrize(
     "params",
     [