From: Matthijs Mekking Date: Thu, 25 Jun 2020 11:39:24 +0000 (+0200) Subject: Add todo in dnssec system test for [GL #1689] X-Git-Tag: v9.17.3~37^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6345fffe96fb6b71eb1a736e528a811b037288d;p=thirdparty%2Fbind9.git Add todo in dnssec system test for [GL #1689] Add a note why we don't have a test case for the issue. It is tricky to write a good test case for this if our tools are not allowed to create signatures for unsupported algorithms. --- diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 84e4ad627b5..562be711227 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3562,6 +3562,13 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# TODO: test case for GL #1689. +# If we allow the dnssec tools to use deprecated algorithms (such as RSAMD5) +# we could write a test that signs a zone with supported and unsupported +# algorithm, apply a fixed rrset order such that the unsupported algorithm +# precedes the supported one in the DNSKEY RRset, and verify the result still +# validates succesfully. + echo_i "check that a lone non matching CDNSKEY record is rejected ($n)" ret=0 (
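Review bot: the last line of the added TODO comment misspells "successfully" as "succesfully", and its third and fourth lines read "supported and unsupported algorithm" where "a supported and an unsupported algorithm" is meant. The comment also cites GL #1689 without saying what went wrong there. A one-line summary of the symptom would make the TODO understandable without opening the issue tracker; from the test it describes, that symptom appears to be validation failing when an unsupported algorithm precedes a supported one in the DNSKEY RRset.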