Allow empty CDNSKEY/CDS RRset in ksr system test

When the zone is initially signed, the CDNSKEY/CDS RRset is not immediately published. The DNSKEY and signatures must propagate first. Adjust the test to allow for this case.
2024-09-04 15:54:53 +02:00
parent 680aedb595
commit 708927e03d
2 changed files with 33 additions and 12 deletions
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -431,8 +431,11 @@ def _check_dnskeys(dnskeys, keys, cdnskey=False):
                has_dnskey = True
                break

-        assert has_dnskey
-        numkeys += 1
+        if not cdnskey:
+            assert has_dnskey
+
+        if has_dnskey:
+            numkeys += 1

    return numkeys

@@ -541,17 +544,17 @@ def check_apex(server, zone, ksks, zsks):

    # test cdnskey query
    cdnskeys, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDNSKEY)
-    assert len(cdnskeys) > 0
    check_dnskeys(cdnskeys, ksks, zsks, cdnskey=True)
-    assert len(rrsigs) > 0
-    check_signatures(rrsigs, dns.rdatatype.CDNSKEY, fqdn, ksks, zsks)
+    if len(cdnskeys) > 0:
+        assert len(rrsigs) > 0
+        check_signatures(rrsigs, dns.rdatatype.CDNSKEY, fqdn, ksks, zsks)

    # test cds query
    cds, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDS)
-    assert len(cds) > 0
    check_cds(cds, ksks)
-    assert len(rrsigs) > 0
-    check_signatures(rrsigs, dns.rdatatype.CDS, fqdn, ksks, zsks)
+    if len(cds) > 0:
+        assert len(rrsigs) > 0
+        check_signatures(rrsigs, dns.rdatatype.CDS, fqdn, ksks, zsks)


 def check_subdomain(server, zone, ksks, zsks):
--- a/bin/tests/system/ksr/tests_ksr.py
+++ b/bin/tests/system/ksr/tests_ksr.py
@@ -324,10 +324,17 @@ def check_signedkeyresponse(
            line_no += 1

        # expect cdnskey
+        have_cdnskey = False
        if cdnskey:
            for key in sorted(ksks):
-                published = key.get_timing("Publish")
-                removed = key.get_timing("Delete", must_exist=False)
+                published = key.get_timing("SyncPublish")
+                if between(published, inception, next_bundle):
+                    next_bundle = published
+
+                removed = key.get_timing("SyncDelete", must_exist=False)
+                if between(removed, inception, next_bundle):
+                    next_bundle = removed
+
                if published > inception:
                    continue
                if removed is not None and inception >= removed:
@@ -336,7 +343,9 @@ def check_signedkeyresponse(
                # the cdnskey of this ksk must be in the ksr
                assert key.dnskey_equals(lines[line_no], cdnskey=True)
                line_no += 1
+                have_cdnskey = True

+        if have_cdnskey:
            # expect rrsig(cdnskey)
            for key in sorted(ksks):
                active = key.get_timing("Activate")
@@ -354,10 +363,17 @@ def check_signedkeyresponse(
                line_no += 1

        # expect cds
+        have_cds = False
        if cds != "":
            for key in sorted(ksks):
-                published = key.get_timing("Publish")
-                removed = key.get_timing("Delete", must_exist=False)
+                published = key.get_timing("SyncPublish")
+                if between(published, inception, next_bundle):
+                    next_bundle = published
+
+                removed = key.get_timing("SyncDelete", must_exist=False)
+                if between(removed, inception, next_bundle):
+                    next_bundle = removed
+
                if published > inception:
                    continue
                if removed is not None and inception >= removed:
@@ -368,7 +384,9 @@ def check_signedkeyresponse(
                for alg in expected_cds:
                    assert key.cds_equals(lines[line_no], alg.strip())
                    line_no += 1
+                    have_cds = True

+        if have_cds:
            # expect rrsig(cds)
            for key in sorted(ksks):
                active = key.get_timing("Activate")