From: Alessio Podda
Date: Fri, 8 May 2026 12:19:38 +0000 (+0200)
Subject: Add system test for private-type RRset delete update
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2d8d77fc0c7f9e5c0ce287a0f0c49661e226aa8;p=thirdparty%2Fbind9.git
Add system test for private-type RRset delete update
Add a Python system test covering an RFC 2136 Delete RRset UPDATE for the zone apex TYPE65534 private signing-state RRset. The test uses a dnssec-policy NSEC3 primary with inline-signing disabled, seeds the apex with an NSEC3PARAM update, then sends the TYPE65534 RRset delete over TCP.
---
diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 b/bin/tests/system/nsec3/ns3/named-fips.conf.j2
index 490f6ec1c7d..783921ba5e1 100644
--- a/bin/tests/system/nsec3/ns3/named-fips.conf.j2
+++ b/bin/tests/system/nsec3/ns3/named-fips.conf.j2
@@ -32,6 +32,16 @@ zone "nsec3-dynamic.kasp" {
 };
 {% endif %}{# nsec3-dynamic.kasp #}
+{% if "nsec3-private-type-delete.kasp" in zones %}
+zone "nsec3-private-type-delete.kasp" {
+ type primary;
+ file "nsec3-private-type-delete.kasp.db";
+ dnssec-policy "nsec3";
+ inline-signing no;
+ allow-update { any; };
+};
+{% endif %}{# nsec3-private-type-delete.kasp #}
+
 {% if "nsec3-other.kasp" in zones %}
 /* This zone uses non-default NSEC3 settings. */
 zone "nsec3-other.kasp" {
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index 03b6b81b0d0..ddc0a5a3c4c 100644
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -26,7 +26,8 @@ setup() {
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
 nsec3-to-optout nsec3-from-optout nsec3-dynamic \
 nsec3-dynamic-change nsec3-dynamic-to-inline \
- nsec3-inline-to-dynamic nsec3-dynamic-update-inline; do
+ nsec3-inline-to-dynamic nsec3-dynamic-update-inline \
+ nsec3-private-type-delete; do
 setup "${zn}.kasp"
 done
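Review bot: The new `nsec3-private-type-delete.kasp` zone block in named-fips.conf.j2 carries no comment, unlike the `nsec3-other.kasp` block right after it, although its two unusual settings are exactly what the new test relies on. I would add `/* Dynamic zone without inline-signing: UPDATEs are applied to the signed zone itself (test_update_delete_private_type_rrset). */` above the `zone` line. The same comment should say that `allow-update { any; };` accepts unauthenticated updates from any source and is only acceptable in this test fixture, so the block is not copied into a real configuration.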
diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index f0dacdc4617..3fa07bdeca7 100644
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@@ -14,6 +14,7 @@ import os
 import dns.rcode
+import dns.rdatatype
 import dns.update
 import pytest
@@ -32,6 +33,7 @@ ZONES = {
 "nsec3-dynamic-update-inline.kasp",
 "nsec3.kasp",
 "nsec3-dynamic.kasp",
+ "nsec3-private-type-delete.kasp",
 "nsec3-change.kasp",
 "nsec3-dynamic-change.kasp",
 "nsec3-dynamic-to-inline.kasp",
@@ -59,6 +61,33 @@ def bootstrap():
 }
+def test_update_delete_private_type_rrset(ns3):
+ zone = "nsec3-private-type-delete.kasp"
+ fqdn = f"{zone}."
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
+ update_msg = dns.update.UpdateMessage(zone)
+ update_msg.add(fqdn, 0, dns.rdatatype.NSEC3PARAM, "1 0 5 ab")
+ response = isctest.query.tcp(
+ update_msg,
+ ns3.ip,
+ attempts=1,
+ expected_rcode=dns.rcode.NOERROR,
+ )
+ isctest.check.noerror(response)
+
+ update_msg = dns.update.UpdateMessage(zone)
+ update_msg.delete(fqdn, dns.rdatatype.from_text("TYPE65534"))
+ response = isctest.query.tcp(
+ update_msg,
+ ns3.ip,
+ attempts=1,
+ expected_rcode=dns.rcode.NOERROR,
+ )
+ isctest.check.noerror(response)
+
+
 @pytest.mark.parametrize(
 "params",
 [
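Review bot: `test_update_delete_private_type_rrset` (third hunk) asserts only that both UPDATEs return NOERROR, so it never checks the zone's state after the TYPE65534 delete or that named keeps answering afterwards. Because that RRset holds the signing state, I would follow the second update with a query such as `isctest.check.noerror(isctest.query.tcp(isctest.query.create(fqdn, "SOA"), ns3.ip))`. I would also assert on the apex TYPE65534 RRset in whichever direction the server is meant to treat the delete, which the hunk does not state. A short docstring naming that expected outcome would tell the next reader what regression this pins. Passing `expected_rcode=dns.rcode.NOERROR` and then calling `isctest.check.noerror(response)` also looks redundant, assuming the helper already enforces the rcode.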