From: Evan Hunt Date: Wed, 17 Jun 2026 18:48:42 +0000 (-0700) Subject: update tests_validation.py test for new behavior X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dc2640f87d51b9d02912815420d36201e2af9164;p=thirdparty%2Fbind9.git update tests_validation.py test for new behavior Some of the tests in in dnssec/tests_validation.py worked by iterating through the response message looking for failure conditions, such as excessively high TTL values. In some cases, previous changes caused additional data not to be returned. Since there was nothing to iterate, the tests still "passed". Tests that don't make sense anymore have been removed. Other tests that iterate through responses have been updated with checks to ensure that the responses actually do contain data. --- diff --git a/bin/tests/system/dnssec/ns3/named.conf.j2 b/bin/tests/system/dnssec/ns3/named.conf.j2 index 564a82e4a6d..4e1dc2c5d2b 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.j2 +++ b/bin/tests/system/dnssec/ns3/named.conf.j2 @@ -324,7 +324,6 @@ zone "nsec3chain-test" { zone "expiring.example" { type primary; - allow-update { any; }; file "expiring.example.db.signed"; }; diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py index 781324fed26..c0a786cc6cf 100644 --- a/bin/tests/system/dnssec/tests_validation.py +++ b/bin/tests/system/dnssec/tests_validation.py @@ -630,6 +630,7 @@ def test_negative_validation_optout(): msg = isctest.query.create("delegation.single-nsec3", "A") res = isctest.query.tcp(msg, "10.53.0.2") isctest.check.noerror(res) + isctest.check.has_authority(res) for rrset in res.authority: if ( rrset.rdtype != rdatatype.NSEC3 @@ -642,6 +643,7 @@ def test_negative_validation_optout(): msg = isctest.query.create("nonexist.single-nsec3", "A") res = isctest.query.tcp(msg, "10.53.0.2") isctest.check.nxdomain(res) + isctest.check.has_authority(res) for rrset in res.authority: if ( rrset.rdtype != rdatatype.NSEC3 @@ -654,6 +656,7 @@ def test_negative_validation_optout(): msg = isctest.query.create("single-nsec3", "A") res = isctest.query.tcp(msg, "10.53.0.2") isctest.check.noerror(res) + isctest.check.has_authority(res) for rrset in res.authority: if ( rrset.rdtype != rdatatype.NSEC3 @@ -1129,33 +1132,15 @@ def test_expired_signatures(ns4): res1 = isctest.query.tcp(msg, "10.53.0.4") msg = isctest.query.create("expiring.example", "SOA") res2 = isctest.query.tcp(msg, "10.53.0.4") + isctest.check.noerror(res1) + isctest.check.has_answer(res1) + isctest.check.noerror(res2) + isctest.check.has_answer(res2) for rrset in res1.answer: assert 240 <= rrset.ttl <= 300 for rrset in res2.answer: assert rrset.ttl <= 60 - # test TTL is capped at RRSIG expiry time in the additional section (NS) - ns4.rndc("flush") - msg = isctest.query.create("expiring.example", "NS", cd=True) - res1 = isctest.query.tcp(msg, "10.53.0.4") - msg = isctest.query.create("expiring.example", "NS") - res2 = isctest.query.tcp(msg, "10.53.0.4") - for rrset in res1.additional: - assert 240 <= rrset.ttl <= 300 - for rrset in res2.additional: - assert rrset.ttl <= 60 - - # test TTL is capped at RRSIG expiry time in the additional section (MX) - ns4.rndc("flush") - msg = isctest.query.create("expiring.example", "MX", cd=True) - res1 = isctest.query.tcp(msg, "10.53.0.4") - msg = isctest.query.create("expiring.example", "MX") - res2 = isctest.query.tcp(msg, "10.53.0.4") - for rrset in res1.additional: - assert 240 <= rrset.ttl <= 300 - for rrset in res2.additional: - assert rrset.ttl <= 60 - def test_casing(): # test legacy upper-case signer name validation