Parse DNSKEY into a dnspython type in isctest.kasp.Key.dnskey
authorNicki Křížek <nicki@isc.org>
Fri, 24 Oct 2025 14:47:59 +0000 (16:47 +0200)
committerNicki Křížek (GitLab job 6545959) <nicki@isc.org>
Thu, 27 Nov 2025 13:49:51 +0000 (13:49 +0000)
Previously, a DNSKEY string from keyfile was returned. This made the
function brittle for further processing, as the string would have to be
split up, concatenated, and TTL could be missing, making string indices
context-dependent.

Parse the DNSKEY rrset into a proper dnspython object and return it.
This makes the output more predictable and reliable, as all the
necessary parsing is done by dnspython.

(cherry picked from commit 0bf20f8d68705d2b4fa52a0c77a28ec25ab277af)

bin/tests/system/isctest/kasp.py
bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py

index 3728e1e3d2b712b6e0257c6df03788a7ec8e2c1f..e41def525e2f288faf19776227c67f32fb736b51 100644 (file)
@@ -20,8 +20,12 @@ import time
 from typing import Dict, List, Optional, Tuple, Union
 
 import dns
+import dns.rdatatype
+import dns.rrset
 import dns.tsig
 
+import pytest
+
 import isctest.log
 import isctest.query
 import isctest.util
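Review bot: `dns.zonefile` is called by the new `dnskey` property but is not among the imports added here; the visible import block gains only `dns.rdatatype` and `dns.rrset`. With a bare `import dns`, the `dns.zonefile` attribute exists only if some other module has already imported that submodule, so the property could raise AttributeError depending on import order. Adding `import dns.zonefile` after `import dns.tsig` makes the dependency explicit. The rest of the module is outside this hunk, so an import elsewhere in the file cannot be ruled out.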
@@ -435,12 +439,22 @@ class Key:
                 return int(line.split()[1])
         return 0
 
-    def dnskey(self):
+    @property
+    def dnskey(self) -> dns.rrset.RRset:
+        pytest.importorskip("dns", minversion="2.2.0")  # dns.zonefile.read_rrsets
         with open(self.keyfile, "r", encoding="utf-8") as file:
-            for line in file:
-                if "DNSKEY" in line:
-                    return line.strip()
-        return "undefined"
+            rrsets = dns.zonefile.read_rrsets(
+                file.read(),
+                rdclass=None,  # read rdclass from the file
+                default_ttl=DEFAULT_TTL,  # use this TTL if not present
+            )
+        assert len(rrsets) == 1, f"{self.keyfile} has multiple RRsets"
+        dnskey_rr = rrsets[0]
+        assert len(dnskey_rr) == 1, f"{self.keyfile} has multiple RRs"
+        assert (
+            dnskey_rr.rdtype == dns.rdatatype.DNSKEY
+        ), f"DNSKEY not found in {self.keyfile}"
+        return dnskey_rr
 
     def is_ksk(self) -> bool:
         return self.get_metadata("KSK") == "yes"
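Review bot: The first assertion's message is misleading for an empty key file, because `len(rrsets) == 1` also fails when `read_rrsets` returns no RRsets, yet the message says "has multiple RRsets". Reporting the count covers both cases, e.g. `assert len(rrsets) == 1, f"{self.keyfile}: expected 1 RRset, found {len(rrsets)}"`, and the same applies to the RR-count assertion. Because `dnskey` changes from a method returning `str` to a property returning an RRset, any caller outside this diff still written as `key.dnskey()` would now fail with a TypeError. A one-line docstring giving the return type and noting that the test is skipped on dnspython older than 2.2.0 would document that contract. The `Key` class starts and continues outside this hunk.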
index 6b5a624403131bc724bf9e1722fce0dada7997fa..7aad2d98cdf1ccdb6a8766633810aa18bcd5bd90 100644 (file)
@@ -102,11 +102,10 @@ def test_rollover_multisigner(ns3, alg, size):
     expected2[0].legacy = True  # noqa
     expected = expected + expected2
 
-    dnskey = newkeys[0].dnskey().split()
-    rdata = " ".join(dnskey[4:])
+    dnskey = newkeys[0].dnskey
 
     update_msg = dns.update.UpdateMessage(zone)
-    update_msg.add(f"{dnskey[0]}", 3600, "DNSKEY", rdata)
+    update_msg.add(dnskey.name, dnskey.ttl, dnskey[0])
     ns3.nsupdate(update_msg)
 
     isctest.kasp.check_dnssec_verify(ns3, zone)
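Review bot: The TTL passed to `update_msg.add` changes from the literal 3600 to `dnskey.ttl`, which comes from the key file or, when the file has no TTL, from `DEFAULT_TTL` in isctest.kasp. `DEFAULT_TTL` is not visible in this diff; if it differs from 3600, the update is sent with a different TTL than before and may change what later checks observe for the DNSKEY RRset. Either confirm the value matches, or add a comment such as `# TTL comes from the key file, falling back to isctest.kasp.DEFAULT_TTL` so the source of the value is clear. The body of `test_rollover_multisigner` starts and ends outside the hunk.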
@@ -118,11 +117,10 @@ def test_rollover_multisigner(ns3, alg, size):
     isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
 
     # Remove ZSKs from the other providers for zone.
-    dnskey2 = extkeys[0].dnskey().split()
-    rdata2 = " ".join(dnskey2[4:])
+    dnskey2 = extkeys[0].dnskey
     update_msg = dns.update.UpdateMessage(zone)
-    update_msg.delete(f"{dnskey[0]}", "DNSKEY", rdata)
-    update_msg.delete(f"{dnskey2[0]}", "DNSKEY", rdata2)
+    update_msg.delete(dnskey.name, dnskey[0])
+    update_msg.delete(dnskey2.name, dnskey2[0])
     ns3.nsupdate(update_msg)
 
     isctest.kasp.check_dnssec_verify(ns3, zone)