Improve check_auth_nsec3 salt checking
authorMatthijs Mekking <matthijs@isc.org>
Tue, 30 Sep 2025 10:33:14 +0000 (12:33 +0200)
committerMatthijs Mekking (GitLab job 6509612) <matthijs@isc.org>
Fri, 21 Nov 2025 14:17:42 +0000 (14:17 +0000)
Since we know the salt after checking the NSEC3PARAM, we might as well
check that the salt in the NSEC3 records on the NXDOMAIN response matches.

(cherry picked from commit ba1ffe56e4f7ab6a4a7714c6551df9f6e42b87cb)

bin/tests/system/nsec3/common.py
bin/tests/system/nsec3/tests_nsec3_initial.py

index 78c7aabe8f9cafe10e860dd539db77cc68332632..12a176fea5157b3d9538937b5a719e1d47adddac 100644 (file)
@@ -66,18 +66,13 @@ def check_auth_nsec(response):
     assert len(rrs) != 0, "no NSEC records found in authority section"
 
 
-def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
-    match = f"IN NSEC3 1 {optout} {iterations}"
+def check_auth_nsec3(response, iterations=0, optout=0, salt="-"):
+    match = f"IN NSEC3 1 {optout} {iterations} {salt}"
     rrs = []
 
     for rrset in response.authority:
         if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3, dns.rdatatype.NONE):
             assert match in rrset.to_text()
-            if saltlen == 0:
-                assert f"{match} -" in rrset.to_text()
-            else:
-                assert not f"{match} -" in rrset.to_text()
-
             rrs.append(rrset)
         assert not rrset.match(
             dns.rdataclass.IN, dns.rdatatype.NSEC, dns.rdatatype.NONE
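Review bot: The salt check on the `match` line is still a substring test, so an NSEC3 record whose salt merely starts with the expected `salt` (e.g. expected `ab`, record `abcd`) would pass; in presentation format the next-hashed-owner field always follows the salt, so a trailing space pins the token: `match = f"IN NSEC3 1 {optout} {iterations} {salt} "`. The new `salt` parameter also changes the function's contract from a length to a presentation-format token, which deserves a short docstring, e.g. `"""Assert every NSEC3 RRset in the authority section uses the given flags, iterations and salt; salt is the presentation-format token ("-" for none)."""`. check_auth_nsec3's body continues past the end of this hunk.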
@@ -88,6 +83,7 @@ def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
 
 def check_nsec3param(response, match, saltlen):
     rrs = []
+    salt = "-"
 
     for rrset in response.answer:
         if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3PARAM, dns.rdatatype.NONE):
@@ -96,6 +92,7 @@ def check_nsec3param(response, match, saltlen):
                 assert f"{match} -" in rrset.to_text()
             else:
                 assert not f"{match} -" in rrset.to_text()
+                salt = rrset.to_text().split()[7]
 
             rrs.append(rrset)
         else:
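Review bot: `salt = rrset.to_text().split()[7]` depends on the fixed NSEC3PARAM presentation layout and on the RRset holding a single record; a comment naming the fields would make the index self-explanatory: `# <owner> <ttl> IN NSEC3PARAM <alg> <flags> <iterations> <salt>`. If the RRset ever carried more than one NSEC3PARAM record only the first salt would be extracted and returned (the `return salt` is added in the following hunk), which is presumably fine here but worth stating. Now that the salt token is available, the `else` branch could also pin its size rather than only asserting it is not `-`, e.g. `assert len(salt) == 2 * saltlen` if `saltlen` is a byte count as the hex presentation suggests — please confirm the unit before adding it.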
@@ -104,3 +101,5 @@ def check_nsec3param(response, match, saltlen):
             )
 
     assert len(rrs) != 0
+
+    return salt
index 25a30704350c0681b8b7e5746be33e872fcff3bf..6f5cfcdafce4dd5ddc45a8cae2941fd60e0bfa23 100644 (file)
@@ -343,12 +343,12 @@ def test_nsec3_case(ns3, params):
     response = isctest.query.tcp(query, ns3.ip)
     assert response.rcode() == dns.rcode.NOERROR
 
-    check_nsec3param(response, match, saltlen)
+    salt = check_nsec3param(response, match, saltlen)
 
     query = isctest.query.create(f"nosuchname.{fqdn}", dns.rdatatype.A)
     response = isctest.query.tcp(query, ns3.ip)
     assert response.rcode() == dns.rcode.NXDOMAIN
-    check_auth_nsec3(response, iterations, optout, saltlen)
+    check_auth_nsec3(response, iterations, optout, salt)
 
     # Extra test for nsec3-change.kasp.
     if zone == "nsec3-change.kasp":