Change NSEC3 iterations to 0 in system tests

The system tests need to be updated because non-zero iterations are no
longer accepted.

The autosign system test changes its iterations from 1 to 0 in one
test case. This requires the hash to be updated.

The checkconf system test needs to change the iterations in the good
configuration files to 0, and in the bad ones to 1 (any non-zero value
would suffice, but we test the corner case here). Also, the expected
failure message is change, so needs to be adjusted.

The nsec3 system test also needs iteration configuration adjustments.
In addition, the test script no longer needs the ITERATIONS environment
variable.

In the process of updating the system tests, I noticed an error
in the dnssec-policy "nsec3-other", where the salt length in one
configuration file is different than in the other (they need to be
the same). Furthermore, the 'rndc signing -nsec3param' test case
is operated on the zone 'nsec-change.kasp', so is moved so that the
tests on the same zone are grouped together.

diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in
index 83da46459529402a3b30d9dd789c7e030a1b990c..fc5740c84f8451769c3fc5aae49005e3564d11b0 100644 (file)
--- a/bin/tests/system/autosign/ns2/named.conf.in
+++ b/bin/tests/system/autosign/ns2/named.conf.in
@@ -67,7 +67,7 @@ dnssec-policy "optout" {
                zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
        };
 
-       nsec3param iterations 1 optout yes salt-length 0;
+       nsec3param iterations 0 optout yes salt-length 0;
 };
 
 zone "." {

diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 41cbb0b613665d5751501ab3a105976a63286586..61afacf1e49378eaa076fd3f2926aeb3cf3ed020 100755 (executable)
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1269,9 +1269,9 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-echo_i "check removal of ENT NSEC3 records when opt out delegations are removed"
+echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
 zone=optout-with-ent
-hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
+hash=JE76PJ65FUO86UIR594L8P0SNJJ6RMNI
 
 # check that NSEC3 for ENT is present
 echo_i "check ENT NSEC3 is initially present"

diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index fb3fceab0a2f902f66acea8838605fc42433d399..d5da98fc6dbaa3284235404da1dcb87640073fc9 100644 (file)
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -29,7 +29,7 @@ dnssec-policy "test" {
                csk key-directory lifetime unlimited algorithm rsasha256 2048;
        };
        max-zone-ttl 86400;
-       nsec3param iterations 5 optout no salt-length 8;
+       nsec3param iterations 0 optout no salt-length 8;
        parent-ds-ttl 7200;
        parent-propagation-delay PT1H;
        publish-safety PT3600S;

diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf
index 07deb2899374d21ed83244d235ea37b2a2a2b1b8..063c4a9928fa4091bc3519601474b01a0a36b996 100644 (file)
--- a/bin/tests/system/checkconf/good-key-directory.conf
+++ b/bin/tests/system/checkconf/good-key-directory.conf
@@ -17,7 +17,7 @@ dnssec-policy "internet" {
     zsk   key-directory   lifetime P90D        algorithm ecdsa256;
   };
 
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };
 
 dnssec-policy "intranet" {
@@ -25,7 +25,7 @@ dnssec-policy "intranet" {
     ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
     zsk   key-directory   lifetime P30D        algorithm ecdsa256;
   };
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };
 
 dnssec-policy "localhost" {
@@ -33,7 +33,7 @@ dnssec-policy "localhost" {
     ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
     zsk   key-directory   lifetime P30D        algorithm ecdsa256;
   };
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };
 
 options {

diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
index e54df3b3602c9884422917f41c88103fdea7d132..da896a244724833ae0c1bcad35071341ffa83839 100644 (file)
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf
@@ -15,28 +15,28 @@ dnssec-policy "rsasha256" {
        keys {
                csk lifetime P10Y algorithm rsasha256 2048;
        };
-       nsec3param iterations 150;
+       nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha256-bad" {
        keys {
                csk lifetime P10Y algorithm rsasha256 2048;
        };
-       nsec3param iterations 151;
+       nsec3param iterations 1;
 };
 
 dnssec-policy "rsasha512" {
        keys {
                csk lifetime P10Y algorithm rsasha512 4096;
        };
-       nsec3param iterations 150;
+       nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha512-bad" {
        keys {
                csk lifetime P10Y algorithm rsasha512 4096;
        };
-       nsec3param iterations 151;
+       nsec3param iterations 1;
 };
 
 zone "example.net" {

diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
index 8dc710f29c0f82b5dadaaf8d50f2c8ce621ed59f..967c29fc0fd7bfcb04e35f81e6ab634412dae7b8 100644 (file)
--- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
@@ -15,42 +15,42 @@ dnssec-policy "rsasha1" {
        keys {
                csk lifetime P10Y algorithm nsec3rsasha1 1024;
        };
-       nsec3param iterations 150;
+       nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha1-bad" {
        keys {
                csk lifetime P10Y algorithm nsec3rsasha1 1024;
        };
-       nsec3param iterations 151;
+       nsec3param iterations 1;
 };
 
 dnssec-policy "rsasha256" {
        keys {
                csk lifetime P10Y algorithm rsasha256 2048;
        };
-       nsec3param iterations 150;
+       nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha256-bad" {
        keys {
                csk lifetime P10Y algorithm rsasha256 2048;
        };
-       nsec3param iterations 151;
+       nsec3param iterations 1;
 };
 
 dnssec-policy "rsasha512" {
        keys {
                csk lifetime P10Y algorithm rsasha512 4096;
        };
-       nsec3param iterations 150;
+       nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha512-bad" {
        keys {
                csk lifetime P10Y algorithm rsasha512 4096;
        };
-       nsec3param iterations 151;
+       nsec3param iterations 1;
 };
 
 zone "example.net" {

diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 458b1a41ecbce14a5fe3df0e7cdfdb9e7d90daeb..606c8487a394d05fc02cd07745a73780f3f10872 100644 (file)
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -620,7 +620,7 @@ else
   expect=3
 fi
 $CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: nsec3 iterations value 151 out of range" <checkconf.out$n >/dev/null || ret=1
+grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" <checkconf.out$n >/dev/null || ret=1
 lines=$(wc -l <"checkconf.out$n")
 if [ $lines -ne $expect ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi

diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.in b/bin/tests/system/nsec3/ns3/named-fips.conf.in
index 7890d4aa6d11c5ef69115da5b6e49d24505f9ff8..4ed7cc042726cf3cce3d39638afe3ab2c29d3b19 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named-fips.conf.in
@@ -27,7 +27,7 @@ dnssec-policy "optout" {
 };
 
 dnssec-policy "nsec3-other" {
-       nsec3param iterations 11 optout yes salt-length 8;
+       nsec3param iterations 0 optout yes salt-length 8;
 };
 
 options {

diff --git a/bin/tests/system/nsec3/ns3/named2-fips.conf.in b/bin/tests/system/nsec3/ns3/named2-fips.conf.in
index 87e87f2e17879e447a972c956d5ee0ad03ce8722..8b42abbccee4bf4f6c9c9b3283f0f070a1172650 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in
@@ -27,7 +27,7 @@ dnssec-policy "optout" {
 };
 
 dnssec-policy "nsec3-other" {
-       nsec3param iterations 11 optout yes salt-length 0;
+       nsec3param iterations 0 optout yes salt-length 8;
 };
 
 options {

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 5be7fe33d40e0420b9ff3ff0f0232e3ef5e8a5e8..ee49d63f47c465d19975cd00e06d6618323e2e65 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -46,12 +46,10 @@ set_zone_policy() {
   CDS_SHA256="yes"
   CDS_SHA384="no"
 }
-# Set expected NSEC3 parameters: flags ($1), iterations ($2), and
-# salt length ($3).
+# Set expected NSEC3 parameters: flags ($1) and salt length ($2).
 set_nsec3param() {
   FLAGS=$1
-  ITERATIONS=$2
-  SALTLEN=$3
+  SALTLEN=$2
   # Reset salt.
   SALT=""
 }
@@ -102,7 +100,7 @@ set_key_states() {
 # The apex NSEC3PARAM record indicates that it is signed.
 _wait_for_nsec3param() {
   dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1
-  grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
+  grep "${ZONE}\..*IN.*NSEC3PARAM 1 0 0.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
   grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
   return 0
 }
@@ -188,7 +186,7 @@ check_nsec() {
 # Test: check NSEC3 parameters in answers
 _check_nsec3_nsec3param() {
   dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
-  grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1
+  grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*0.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1
 
   if [ -z "$SALT" ]; then
     SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE)
@@ -198,7 +196,7 @@ _check_nsec3_nsec3param() {
 
 _check_nsec3_nxdomain() {
   dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
-  grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
+  grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*0.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
   return 0
 }
 
@@ -206,14 +204,14 @@ check_nsec3() {
   wait_for_zone_is_signed "nsec3"
 
   n=$((n + 1))
-  echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)"
+  echo_i "check that NSEC3PARAM 1 0 0 ${SALT} is published zone ${ZONE} ($n)"
   ret=0
   retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status + ret))
 
   n=$((n + 1))
-  echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)"
+  echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} 0 ${SALT} for zone ${ZONE} ($n)"
   ret=0
   retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
   test "$ret" -eq 0 || echo_i "failed"
@@ -277,21 +275,21 @@ fi
 
 # Zone: nsec3.kasp.
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-dynamic.kasp.
 set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-change.kasp.
 set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
@@ -316,49 +314,49 @@ retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zo
 
 # Zone: nsec3-dynamic-change.kasp.
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-dynamic-to-inline.kasp.
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-inline-to-dynamic.kasp.
 set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-to-optout.kasp.
 set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-from-optout.kasp.
 set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600
-set_nsec3param "1" "0" "0"
+set_nsec3param "1" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-other.kasp.
 set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
@@ -403,7 +401,7 @@ rndc_reconfig ns3 10.53.0.3
 
 # Zone: nsec-to-nsec3.kasp. (reconfigured)
 set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
@@ -431,7 +429,7 @@ if ($SHELL ../testcrypto.sh -q RSASHA1); then
 
   # Zone: nsec3-to-rsasha1.kasp.
   set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600
-  set_nsec3param "1" "0" "0"
+  set_nsec3param "1" "0"
   set_server "ns3" "10.53.0.3"
   set_key_default_values "KEY1"
   set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
@@ -443,7 +441,7 @@ if ($SHELL ../testcrypto.sh -q RSASHA1); then
 
   # Zone: nsec3-to-rsasha1-ds.kasp.
   set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600
-  set_nsec3param "1" "0" "0"
+  set_nsec3param "1" "0"
   set_server "ns3" "10.53.0.3"
   set_key_default_values "KEY1"
   set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
@@ -457,21 +455,21 @@ fi
 
 # Zone: nsec3.kasp. (same)
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-dyamic.kasp. (same)
 set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-change.kasp. (reconfigured)
 set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
@@ -486,30 +484,36 @@ grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" >/dev/null ||
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+# Using rndc signing -nsec3param (should fail)
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+
 # Zone: nsec3-dynamic-change.kasp. (reconfigured)
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-dynamic-to-inline.kasp. (same)
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-inline-to-dynamic.kasp. (same)
 set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec
@@ -519,7 +523,7 @@ check_nsec
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600
-#set_nsec3param "1" "0" "0"
+#set_nsec3param "1" "0"
 #set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
@@ -529,28 +533,21 @@ check_nsec
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600
-#set_nsec3param "0" "0" "0"
+#set_nsec3param "0" "0"
 #set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
 
 # Zone: nsec3-other.kasp. (same)
 set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
-# Using rndc signing -nsec3param (should fail)
-set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
-echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
-rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
-grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail"
-check_nsec3
-
 # Test NSEC3 and NSEC3PARAM is the same after restart
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} before restart"
 check_nsec3
@@ -570,7 +567,7 @@ status=$((status + ret))
 
 prevsalt="${SALT}"
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 SALT="${prevsalt}"
 echo_i "check zone ${ZONE} after restart has salt ${SALT}"
@@ -581,7 +578,7 @@ cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
 rndc_reload ns3 10.53.0.3
 
 set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reload"
 check_nsec3