Obsolete dnssec-update-mode

We no longer support 'no-resign' and thus the configuration option
becomes obsolete. Remove the corresponding dnssec system test cases.

bin/tests/system/dnssec/clean.sh

@@ -31,7 +31,6 @@ rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
 rm -f ./named.secroots.test*
-rm -f ./nosign.before
 rm -f ./ns*/*.nta
 rm -f ./ns*/managed-keys.bind ./ns*/managed-keys.bind.jnl ./ns*/*.mkeys*
 rm -f ./ns*/named.lock
@@ -68,7 +67,7 @@ rm -f ./ns3/dnskey-unsupported.example.db
 rm -f ./ns3/dnskey-unsupported.example.db.tmp
 rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
 rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
-rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
+rm -f ./ns3/expiring.example.db
 rm -f ./ns3/future.example.db ./ns3/trusted-future.key
 rm -f ./ns3/inline.example.db.signed
 rm -f ./ns3/kskonly.example.db

bin/tests/system/dnssec/ns3/named.conf.in

@@ -301,13 +301,6 @@ zone "expiring.example" {
 	file "expiring.example.db.signed";
 };
 
-zone "nosign.example" {
-	type primary;
-	allow-update { any; };
-	dnssec-update-mode no-resign;
-	file "nosign.example.db.signed";
-};
-
 zone "upper.example" {
 	type primary;
 	file "upper.example.db.signed";

bin/tests/system/dnssec/ns3/sign.sh

@@ -545,23 +545,6 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone"
 cp "$infile" "$zonefile"
 "$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null
 
-#
-# Zone with signatures about to expire, and dynamic, but configured
-# not to resign with 'auto-resign no;'
-#
-zone="nosign.example."
-infile="nosign.example.db.in"
-zonefile="nosign.example.db"
-signedfile="nosign.example.db.signed"
-kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
-zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
-cp "$infile" "$zonefile"
-"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null
-# preserve a normalized copy of the NS RRSIG for comparison later
-$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \
-        awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \
-        sed 's/[ 	][ 	]*/ /g'> ../nosign.before
-
 #
 # An inline signing zone
 #

bin/tests/system/dnssec/tests.sh

@@ -2969,48 +2969,6 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-echo_i "testing new records are signed with 'no-resign' ($n)"
-ret=0
-(
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add new.nosign.example 300 in txt "hi there"
-echo send
-) | $NSUPDATE
-sleep 1
-dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \
-        > dig.out.ns3.test$n 2>&1
-grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "testing expiring records aren't resigned with 'no-resign' ($n)"
-ret=0
-dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \
-        grep RRSIG | sed 's/[ 	][ 	]*/ /g' > dig.out.ns3.test$n 2>&1
-# the NS RRSIG should not be changed
-diff nosign.before dig.out.ns3.test$n > /dev/null|| ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-echo_i "testing updates fail with no private key ($n)"
-ret=0
-rm -f ns3/Knosign.example.*.private
-(
-echo zone nosign.example
-echo server 10.53.0.3 "$PORT"
-echo update add fail.nosign.example 300 in txt "reject me"
-echo send
-) | $NSUPDATE > /dev/null 2>&1 && ret=1
-dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \
-        > dig.out.ns3.test$n 2>&1
-[ -s dig.out.ns3.test$n ] && ret=1
-n=$((n+1))
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
 echo_i "testing legacy upper case signer name validation ($n)"
 ret=0
 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \