Update optout test to reconfig to NSEC

If we change from NSEC3 to NSEC we should not produce a zone with missing NSEC records. The code only considered having seen a record if there was previously a signature present at the owner name. However with opt-out, insecure delegations don't have a RRSIG record. Reconfiguring to NSEC causes all insecure delegations to have a missing NSEC record. Add a DNAME record to the test zone to also cover DNAME delegations.
2025-12-20 00:55:29 +08:00 · 2025-12-09 14:12:08 +01:00
parent 17c5537c26
commit 3679bd4888
5 changed files with 83 additions and 16 deletions
--- a/bin/tests/system/optout/ns2/named.conf.j2
+++ b/bin/tests/system/optout/ns2/named.conf.j2
@@ -11,6 +11,9 @@
 * information regarding copyright ownership.
 */

+{% set reconfiged = reconfiged | default(False) %}
+{% set policy = "optout" if not reconfiged else "nsec" %}
+
 options {
        port @PORT@;
        pid-file "named.pid";
@@ -33,9 +36,22 @@ dnssec-policy "optout" {
 	nsec3param iterations 0 optout yes salt-length 0;
 };

+dnssec-policy "nsec" {
+	keys {
+		csk lifetime unlimited algorithm ecdsa256;
+	};
+};
+
 zone "test" {
 	type primary;
 	file "test.db";
 	dnssec-policy "optout";
 	inline-signing yes;
 };
+
+zone "small.test" {
+	type primary;
+	file "small.test.db";
+	dnssec-policy "@policy@";
+	inline-signing yes;
+};
--- a/bin/tests/system/optout/ns2/small.test.db
+++ b/bin/tests/system/optout/ns2/small.test.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL	3600
+@				IN	SOA	ns2.small.test. hostmaster.small.test. 1 7200 3600 24796800 3600
+				IN	NS	ns2
+
+ns2				IN	A	10.53.0.2
+
+a				IN	A	127.0.0.1
+
+dname				IN	DNAME	branch.example.
+under.dname			IN	TXT	"occluded"
+
+$GENERATE 1-10		child$	IN	NS	ns.example.
+
+child5				IN	DS	7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
--- a/bin/tests/system/optout/ns2/test.db
+++ b/bin/tests/system/optout/ns2/test.db
@@ -17,6 +17,9 @@ ns2				IN	A	10.53.0.2

 a				IN	A	127.0.0.1

+dname				IN	DNAME	branch.example.
+under.dname			IN	TXT	"occluded"
+
 $GENERATE 1-50000	child$	IN	NS	ns.example.

 child303			IN	DS	7250 13 2 A30B3F78B6DDE9A4A9A2AD0C805518B4F49EC62E7D3F4531D33DE697 CDA01CB2
--- a/bin/tests/system/optout/setup.sh
+++ b/bin/tests/system/optout/setup.sh
@@ -1,14 +0,0 @@
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
--- a/bin/tests/system/optout/tests_optout.py
+++ b/bin/tests/system/optout/tests_optout.py
@@ -94,14 +94,51 @@ def verify_zone(zone, transfer):

 def test_optout(ns2):
    zone = "test"
+    expect_nsec3param = True

    # Wait until the provided zone is signed and then verify its DNSSEC data.
    def check_nsec3param():
        response = do_query(ns2, zone, "NSEC3PARAM")
-        return has_nsec3param(zone, response)
+        if expect_nsec3param:
+            return has_nsec3param(zone, response)
+        return not has_nsec3param(zone, response)

    # check zone is fully signed.
-    isctest.run.retry_with_timeout(check_nsec3param, timeout=300)
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
+
+    # check if zone if DNSSEC valid.
+    transfer = do_xfr(ns2, zone)
+    assert verify_zone(zone, transfer)
+
+
+def test_optout_to_nsec(ns2, templates):
+    zone = "small.test"
+    expect_nsec3param = True
+
+    # Wait until the provided zone is signed and then verify its DNSSEC data.
+    def check_nsec3param():
+        response = do_query(ns2, zone, "NSEC3PARAM")
+        if expect_nsec3param:
+            return has_nsec3param(zone, response)
+        return not has_nsec3param(zone, response)
+
+    # check zone is fully signed.
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)
+
+    # check if zone if DNSSEC valid.
+    transfer = do_xfr(ns2, zone)
+    assert verify_zone(zone, transfer)
+
+    # reconfigure to NSEC.
+    data = {
+        "reconfiged": True,
+    }
+    templates.render(f"{ns2.identifier}/named.conf", data)
+    ns2.reconfigure()
+
+    # wait until NSEC3PARAM is removed.
+    expect_nsec3param = False
+    isctest.run.retry_with_timeout(check_nsec3param, timeout=100)

    # check if zone if DNSSEC valid.
    transfer = do_xfr(ns2, zone)