From: Matthijs Mekking
Date: Tue, 30 Sep 2025 10:33:14 +0000 (+0200)
Subject: Improve check_auth_nsec3 salt checking
X-Git-Tag: v9.21.16~38^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba1ffe56e4f7ab6a4a7714c6551df9f6e42b87cb;p=thirdparty%2Fbind9.git

Improve check_auth_nsec3 salt checking

Since we know the salt after checking the NSEC3PARAM, we might as well check the NSEC3 records on the NXDOMAIN response that the salt matches.
---
diff --git a/bin/tests/system/nsec3/common.py b/bin/tests/system/nsec3/common.py
index 78c7aabe8f9..12a176fea51 100644
--- a/bin/tests/system/nsec3/common.py
+++ b/bin/tests/system/nsec3/common.py
@@ -66,18 +66,13 @@ def check_auth_nsec(response):
     assert len(rrs) != 0, "no NSEC records found in authority section"
-def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
-    match = f"IN NSEC3 1 {optout} {iterations}"
+def check_auth_nsec3(response, iterations=0, optout=0, salt="-"):
+    match = f"IN NSEC3 1 {optout} {iterations} {salt}"
     rrs = []
     for rrset in response.authority:
         if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3, dns.rdatatype.NONE):
             assert match in rrset.to_text()
-            if saltlen == 0:
-                assert f"{match} -" in rrset.to_text()
-            else:
-                assert not f"{match} -" in rrset.to_text()
-
             rrs.append(rrset)
         assert not rrset.match(
             dns.rdataclass.IN, dns.rdatatype.NSEC, dns.rdatatype.NONE
@@ -88,6 +83,7 @@ def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
 def check_nsec3param(response, match, saltlen):
     rrs = []
+    salt = "-"
     for rrset in response.answer:
         if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3PARAM, dns.rdatatype.NONE):
@@ -96,6 +92,7 @@ def check_nsec3param(response, match, saltlen):
                 assert f"{match} -" in rrset.to_text()
             else:
                 assert not f"{match} -" in rrset.to_text()
+            salt = rrset.to_text().split()[7]
             rrs.append(rrset)
         else:
@@ -104,3 +101,5 @@ def check_nsec3param(response, match, saltlen):
         )
     assert len(rrs) != 0
+
+    return salt
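Review bot: In the first hunk, `assert match in rrset.to_text()` now ends with the salt but has no delimiter after it, so a configured salt that is merely a hex prefix of the salt actually present in the NSEC3 record (for example `ab` against `abcd`) still satisfies the check; the removed code anchored its comparison with a trailing `-`. The NSEC3 presentation format separates the salt from the next hashed owner name with a space, so appending one to the pattern closes the gap: `match = f"IN NSEC3 1 {optout} {iterations} {salt} "`. The body of check_auth_nsec3 continues past the end of the hunk.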
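Review bot: In the third hunk, `salt = rrset.to_text().split()[7]` relies on the exact column layout of the presentation form and on the RRset rendering as a single record; a reader has to count fields to see why 7 is right, so a comment such as `# presentation form is "<owner> <ttl> IN NSEC3PARAM <alg> <flags> <iterations> <salt>"; field 7 is the salt` would help. If the RRset held more than one NSEC3PARAM record, only the first record's salt would be picked up from the text, and the loop appears to overwrite `salt` on each matching RRset so the last one wins; reading the value from the rdata's `salt` field rather than from `to_text()` would avoid both the magic index and the multi-record ambiguity. check_nsec3param's body extends beyond this hunk, and the `"-"` initialised in the second hunk is what callers receive when no record sets it, which coincides with the presentation form of an empty salt.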
diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index 25a30704350..6f5cfcdafce 100644
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@@ -343,12 +343,12 @@ def test_nsec3_case(ns3, params):
     response = isctest.query.tcp(query, ns3.ip)
     assert response.rcode() == dns.rcode.NOERROR
-    check_nsec3param(response, match, saltlen)
+    salt = check_nsec3param(response, match, saltlen)
     query = isctest.query.create(f"nosuchname.{fqdn}", dns.rdatatype.A)
     response = isctest.query.tcp(query, ns3.ip)
     assert response.rcode() == dns.rcode.NXDOMAIN
-    check_auth_nsec3(response, iterations, optout, saltlen)
+    check_auth_nsec3(response, iterations, optout, salt)
     # Extra test for nsec3-change.kasp.
     if zone == "nsec3-change.kasp":