git.ipfire.org Git - thirdparty/bind9.git/commit

author	Evan Hunt <each@isc.org>
	Mon, 4 Dec 2023 03:35:08 +0000 (19:35 -0800)
committer	Matthijs Mekking <matthijs@isc.org>
	Wed, 6 Mar 2024 09:49:02 +0000 (10:49 +0100)
commit	815f54ec2796fe1ef7f16f0df4e9b351adc071b5
tree	d1ef007ec481a4c8531822f688d7b72302c24239	tree \| snapshot
parent	91a275543391a8412eb859963258304cc6734a8c	commit \| diff

revise test for ENT NSEC3 cleanup

as a side effect of the switch from RBT to QBDB, NSEC3 records
are no longer created for empty non-terminal nodes when the
node only contains insecure delegations in an opt-out range.

such NSEC3 records are optional according to RFC 5155 (and,
for example, they are not created by dnssec-signzone), but they were
previously created by named, as a harmless side effect of the RBT
structure, which contains empty internal nodes that can be reached
by a DB iterator. these nodes are not present in the QPDB, so
NSEC3 records are not created unless they're actually required.

the autosign system test contained a test case (added in commit
ad91a70d as part of GL #4027) that checked whether ENT NSEC3
records were deleted when the delegations under the ENT removed.
this test no longer passes, because the NSEC3's are not created
in the first place, and therefore cannot be removed.

rather than "fix" the QPDB to add unnecessary NSEC3 records, this
commit instead revises the test to check for removal of ENT NSEC3
records when *not* using opt-out.

bin/tests/system/autosign/clean.sh		diff \| blob \| blame \| history
bin/tests/system/autosign/ns2/keygen.sh		diff \| blob \| blame \| history
bin/tests/system/autosign/ns2/named.conf.in		diff \| blob \| blame \| history
bin/tests/system/autosign/ns2/nsec3-with-ent.db.in	[moved from bin/tests/system/autosign/ns2/optout-with-ent.db.in with 100% similarity]	blob \| blame \| history
bin/tests/system/autosign/tests.sh		diff \| blob \| blame \| history