Update tests to match new nsec3param default
authorMatthijs Mekking <matthijs@isc.org>
Wed, 20 Oct 2021 14:38:37 +0000 (16:38 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Mon, 25 Oct 2021 09:27:23 +0000 (11:27 +0200)
Update the nsec3 system tests to use the new default values. Change
the policy for "nsec3-other" so that we still have a test case for
non-zero salt length.

bin/tests/system/nsec3/ns3/named.conf.in
bin/tests/system/nsec3/tests.sh

index 2241bc87bfac7c00f51664e88ed8478bebeecff5..8bab481c60476f1037c813e8d4e46c15a5d35b6a 100644 (file)
@@ -25,7 +25,7 @@ dnssec-policy "optout" {
 };
 
 dnssec-policy "nsec3-other" {
-       nsec3param iterations 11 optout yes salt-length 0;
+       nsec3param iterations 11 optout yes salt-length 8;
 };
 
 options {
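Review bot: Nothing in the config says that the non-default values in the `nsec3-other` policy are deliberate; only the commit message records that this policy exists to keep a test case for non-zero salt length. A comment above the `nsec3param` line, such as `# Deliberately non-default: keeps coverage for non-zero iterations and salt length.`, would stop a later cleanup from aligning it with the new defaults. It would also make clear that `iterations 11` and `salt-length 8` are test fixtures, not recommended settings.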
index ac3a3c13cd7392d5afcb490ea0d80855aee574a4..03f0ef25d41b0d9d31327dc3e75829204fa82dda 100644 (file)
@@ -159,56 +159,56 @@ dnssec_verify
 
 # Zone: nsec3.kasp.
 set_zone_policy "nsec3.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-dynamic.kasp.
 set_zone_policy "nsec3-dynamic.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-change.kasp.
 set_zone_policy "nsec3-change.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-dynamic-change.kasp.
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-to-optout.kasp.
 set_zone_policy "nsec3-to-optout.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-from-optout.kasp.
 set_zone_policy "nsec3-from-optout.kasp" "optout"
-set_nsec3param "1" "5" "8"
+set_nsec3param "1" "0" "0"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-other.kasp.
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
-set_nsec3param "1" "11" "0"
+set_nsec3param "1" "11" "8"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
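Review bot: The expected default triple `"0" "0" "0"` is repeated as a literal on every `set_nsec3param` call in this hunk and in the later hunks, so the next change of defaults will again touch every call site. Consider defining the defaults once near the top of the script and passing variables instead. A one-line comment on the argument order would also help, e.g. `# set_nsec3param <optout> <iterations> <salt-length>`. That order is inferred from the `nsec3-other` policy (`iterations 11 optout yes salt-length 8`, checked as `"1" "11" "8"`); the helper is defined outside this hunk, so confirm it there.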
@@ -220,42 +220,42 @@ rndc_reconfig ns3 10.53.0.3
 
 # Zone: nsec-to-nsec3.kasp. (reconfigured)
 set_zone_policy "nsec-to-nsec3.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3.kasp. (same)
 set_zone_policy "nsec3.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-dyamic.kasp. (same)
 set_zone_policy "nsec3-dynamic.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-change.kasp. (reconfigured)
 set_zone_policy "nsec3-change.kasp" "nsec3-other"
-set_nsec3param "1" "11" "0"
+set_nsec3param "1" "11" "8"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-dynamic-change.kasp. (reconfigured)
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other"
-set_nsec3param "1" "11" "0"
+set_nsec3param "1" "11" "8"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec"
-set_nsec3param "1" "11" "0"
+set_nsec3param "1" "11" "8"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec
 dnssec_verify
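Review bot: The `nsec3-to-nsec.kasp` block at the end of this hunk sets NSEC3 expectations with `set_nsec3param "1" "11" "8"` and then runs `check_nsec`, for a zone that has just moved to the `nsec` policy. If `check_nsec` does not read those values (its body is outside the hunk), the call has no effect. The values are also misleading, because the zone was on policy `nsec3` before the reconfig, not `nsec3-other`. Either drop the line or add a comment such as `# NSEC3 parameters are not used by check_nsec`. Separately, the context comment `# Zone: nsec3-dyamic.kasp. (same)` misspells the zone name `nsec3-dynamic.kasp`.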
@@ -265,7 +265,7 @@ dnssec_verify
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-to-optout.kasp" "optout"
-#set_nsec3param "1" "5" "8"
+#set_nsec3param "1" "0" "0"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
 #dnssec_verify
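Review bot: The expectation edited here sits inside a commented-out block, so the new values `"1" "0" "0"` are never executed and a test run cannot confirm them. The same holds for the disabled `nsec3-from-optout.kasp` block in the next hunk. Opt-out transitions therefore stay untested under the new defaults. A note next to the [GL #2216] reference, for example `# Disabled: expected values below are unverified; re-check when re-enabling.`, would make that explicit for whoever re-enables these checks.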
@@ -275,14 +275,14 @@ dnssec_verify
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-from-optout.kasp" "nsec3"
-#set_nsec3param "0" "5" "8"
+#set_nsec3param "0" "0" "0"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
 #dnssec_verify
 
 # Zone: nsec3-other.kasp. (same)
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
-set_nsec3param "1" "11" "0"
+set_nsec3param "1" "11" "8"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
@@ -297,7 +297,7 @@ dnssec_verify
 
 # Test NSEC3 and NSEC3PARAM is the same after restart
 set_zone_policy "nsec3.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "check zone ${ZONE} before restart"
 check_nsec3
 dnssec_verify
@@ -317,7 +317,7 @@ status=$((status+ret))
 
 prevsalt="${SALT}"
 set_zone_policy "nsec3.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 SALT="${prevsalt}"
 echo_i "check zone ${ZONE} after restart has salt ${SALT}"
 check_nsec3
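Review bot: With the expected salt length for `nsec3.kasp` now `"0"`, the `prevsalt`/`SALT` restore in this hunk probably no longer proves anything. An empty salt is trivially identical before and after the restart, whereas with the old length of 8 the check showed that a generated salt was kept. This assumes `set_nsec3param` resets `SALT`, which the save-and-restore around it suggests but the hunk does not show. To keep the restart check meaningful, run it and the before-restart check in the previous hunk against a zone with non-zero salt length, e.g. `set_zone_policy "nsec3-other.kasp" "nsec3-other"` with `set_nsec3param "1" "11" "8"`.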
@@ -328,7 +328,7 @@ cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
 rndc_reload ns3 10.53.0.3
 
 set_zone_policy "nsec3-fails-to-load.kasp" "nsec3"
-set_nsec3param "0" "5" "8"
+set_nsec3param "0" "0" "0"
 echo_i "check zone ${ZONE} after reload"
 check_nsec3
 dnssec_verify