Don't use fixed algorithm names for EDE 1 tests

Add a test for excluding EDE 1 and 2
Add a test where there exist DS with unsupported digests but also digests that the resolver does know about. The EDE 2 (Unsupported DS Digest Type) should not be added. The same test covers the case where there exist a DNSKEY with unsupported algorithm, but also a DNSKEY with a supported algorithm. Similarly, the EDE 1 (Unsupported DNSKEY Algorithm) should not be added.
2025-02-06 15:40:15 +11:00 · 2025-02-06 13:03:40 +11:00 · 2025-02-06 13:03:40 +11:00
13 changed files with 213 additions and 61 deletions
--- a/bin/tests/system/dnssec/ns2/example.db.in
+++ b/bin/tests/system/dnssec/ns2/example.db.in
@@ -102,15 +102,21 @@ ns.dnskey-unknown	A	10.53.0.3
 dnskey-unsupported	NS	ns.dnskey-unsupported
 ns.dnskey-unsupported	A	10.53.0.3

-ds-unsupported	NS	ns.ds-unsupported
+algorithm-disabled	NS	ns.algorithm-disabled
+ns.algorithm-disabled	A	10.53.0.3
+
+ds-unsupported		NS	ns.ds-unsupported
 ns.ds-unsupported	A	10.53.0.3

-digest-alg-unsupported    NS 	ns.digest-alg-unsupported
+digest-alg-unsupported	NS	ns.digest-alg-unsupported
 ns.digest-alg-unsupported A	10.53.0.3

 dnskey-nsec3-unknown	NS	ns.dnskey-nsec3-unknown
 ns.dnskey-nsec3-unknown	A	10.53.0.3

+ede-not-only		NS	ns.ede-not-only
+ns.ede-not-only		A	10.53.0.3
+
 multiple		NS	ns.multiple
 ns.multiple		A	10.53.0.3

--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -59,7 +59,7 @@ zonefile=example.db

 # Get the DS records for the "example." zone.
 for subdomain in digest-alg-unsupported ds-unsupported secure badds \
-  bogus dynamic keyless nsec3 optout \
+  algorithm-disabled bogus dynamic keyless nsec3 optout ede-not-only \
  nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
  kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
  ttlpatch split-dnssec split-smart expired expiring upper lower \
--- a/bin/tests/system/dnssec/ns3/algorithm-disabled.example.db.in
+++ b/bin/tests/system/dnssec/ns3/algorithm-disabled.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+a			A	10.0.0.1
--- a/bin/tests/system/dnssec/ns3/ede-not-only.example.db.in
+++ b/bin/tests/system/dnssec/ns3/ede-not-only.example.db.in
@@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@			IN SOA	mname1. . (
+				2000042407 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns
+ns			A	10.53.0.3
+a			A	10.0.0.1
--- a/bin/tests/system/dnssec/ns3/named.conf.in
+++ b/bin/tests/system/dnssec/ns3/named.conf.in
@@ -207,6 +207,12 @@ zone "ds-unsupported.example" {
 	allow-update { any; };
 };

+zone "algorithm-disabled.example" {
+	type primary;
+	file "algorithm-disabled.example.db.signed";
+	allow-update { any; };
+};
+
 zone "dnskey-unsupported.example" {
 	type primary;
 	file "dnskey-unsupported.example.db.signed";
@@ -223,6 +229,11 @@ zone "dnskey-nsec3-unknown.example" {
 	file "dnskey-nsec3-unknown.example.db.signed";
 };

+zone "ede-not-only.example" {
+	type primary;
+	file "ede-not-only.example.db.signed";
+};
+
 zone "multiple.example" {
 	type primary;
 	file "multiple.example.db.signed";
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -30,7 +30,6 @@ g			A	10.0.0.7
 z			A	10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
 x			CNAME	a
-badalg			A	10.53.0.4

 private			NS	ns.private
 ns.private		A	10.53.0.2
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -298,48 +298,6 @@ awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefil
 DSFILE="dsset-${zone}."
 $DSFROMKEY -A -f ${zonefile}.signed "$zone" >"$DSFILE"

-#
-# A zone which uses an unsupported algorithm for a DNSKEY and an unsupported
-# digest for another DNSKEY
-#
-zone=digest-alg-unsupported.example.
-infile=digest-alg-unsupported.example.db.in
-zonefile=digest-alg-unsupported.example.db
-
-cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
-dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-keyname2=$("$KEYGEN" -q -a ECDSAP384SHA384 -b "$DEFAULT_BITS" -n zone "$zone")
-
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" "$keyname2.key" >"$zonefile"
-
-"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
-cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
-mv "$zonefile".tmp "$zonefile".signed
-
-# override generated DS record file so we can set different digest to each keys
-DSFILE="dsset-${zone}"
-$DSFROMKEY -a SHA-384 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
-$DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
-
-#
-# A zone which is fine by itself (supported algorithm) but that is used
-# to mimic unsupported DS digest (see ns8).
-#
-zone=ds-unsupported.example.
-infile=ds-unsupported.example.db.in
-zonefile=ds-unsupported.example.db
-
-cnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "cnameandkey.$zone")
-dnameandkey=$("$KEYGEN" -T KEY -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n host "dnameandkey.$zone")
-keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
-
-cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" >"$zonefile"
-
-"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
-cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
-mv "$zonefile".tmp "$zonefile".signed
-
 #
 # A zone with a published unsupported DNSKEY algorithm (Reserved).
 # Different from above because this key is not intended for signing.
@@ -355,6 +313,81 @@ cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key >"$zonefile"

 "$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" >/dev/null

+#
+# A zone which uses an unsupported algorithm for a DNSKEY and an unsupported
+# digest for another DNSKEY.
+#
+zone=digest-alg-unsupported.example.
+infile=digest-alg-unsupported.example.db.in
+zonefile=digest-alg-unsupported.example.db
+
+key1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key2=$("$KEYGEN" -f KSK -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+
+# override generated DS record file so we can set different digest to each keys
+DSFILE="dsset-${zone}"
+$DSFROMKEY -a SHA-384 -A -f ${zonefile}.signed "$zone" | head -n 1 >"$DSFILE"
+$DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" | tail -1 >>"$DSFILE"
+
+#
+# A zone which is fine by itself (supported algorithm) but that is used
+# to mimic unsupported DS digest.
+#
+zone=ds-unsupported.example.
+infile=ds-unsupported.example.db.in
+zonefile=ds-unsupported.example.db
+
+ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+
+#
+# A zone that is used to mimic unsupported DNSKEY algorithm.
+#
+zone=algorithm-disabled.example.
+infile=algorithm-disabled.example.db.in
+zonefile=algorithm-disabled.example.db
+
+ksk=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+
+#
+# A zone which uses an unsupported and supported algorithm for DNSKEY,
+# and an unsupported and supported digest for those keys. Since there are
+# available supported digests and algorithms, there should be no DNSSEC related
+# EDE on responses for this zone.
+#
+zone=ede-not-only.example.
+infile=ede-not-only.example.db.in
+zonefile=ede-not-only.example.db
+
+key1=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
+key2=$("$KEYGEN" -f KSK -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zone "$zone")
+cat "$infile" "$key1.key" "$key2.key" >"$zonefile"
+
+"$SIGNER" -z -D -o "$zone" "$zonefile" >/dev/null
+cat "$zonefile" "$zonefile".signed >"$zonefile".tmp
+mv "$zonefile".tmp "$zonefile".signed
+
+# override generated DS record file so we can set multiple digests.
+DSFILE="dsset-${zone}"
+$DSFROMKEY -a SHA-384 -A -f ${zonefile}.signed "$zone" >"$DSFILE"
+$DSFROMKEY -2 -A -f ${zonefile}.signed "$zone" >>"$DSFILE"
+
 #
 # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
 # Algorithm 7 is replaced by 100 in the zone and dsset.
--- a/bin/tests/system/dnssec/ns4/named1.conf.in
+++ b/bin/tests/system/dnssec/ns4/named1.conf.in
@@ -29,10 +29,18 @@ options {
 	nta-recheck 9s;
 	validate-except { corp; };

-	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "digest-alg-unsupported.example." { @DEFAULT_ALGORITHM@; };
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "ede-not-only.example." { @DEFAULT_ALGORITHM@; };
+	disable-ds-digests "ede-not-only.example." { "SHA384"; "SHA-384"; };
+
 	disable-ds-digests "ds-unsupported.example." {"SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
-	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "algorithm-disabled.example." { @DEFAULT_ALGORITHM@; };

 	# Note: We only reference the bind.keys file here to confirm that it
 	# is *not* being used.  It contains the real root key, and we're
--- a/bin/tests/system/dnssec/ns4/named2.conf.in
+++ b/bin/tests/system/dnssec/ns4/named2.conf.in
@@ -25,10 +25,19 @@ options {
 	dnssec-validation auto;
 	bindkeys-file "managed.conf";
 	minimal-responses no;
-	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "digest-alg-unsupported.example." { @DEFAULT_ALGORITHM@; };
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";  };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "ede-not-only.example." { @DEFAULT_ALGORITHM@; };
+	disable-ds-digests "ede-not-only.example." { "SHA384"; "SHA-384";  };
+
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
-	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "algorithm-disabled.example." { @DEFAULT_ALGORITHM@; };
 };

 key rndc_key {
--- a/bin/tests/system/dnssec/ns4/named3.conf.in
+++ b/bin/tests/system/dnssec/ns4/named3.conf.in
@@ -26,10 +26,19 @@ options {
 	bindkeys-file "managed.conf";
 	dnssec-accept-expired yes;
 	minimal-responses no;
-	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "digest-alg-unsupported.example." { @DEFAULT_ALGORITHM@; };
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384";};
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "ede-not-only.example." { @DEFAULT_ALGORITHM@; };
+	disable-ds-digests "ede-not-only.example." { "SHA384"; "SHA-384";};
+
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
-	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "algorithm-disabled.example." { @DEFAULT_ALGORITHM@; };
 };

 key rndc_key {
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -21,10 +21,19 @@ options {
 	pid-file "named.pid";
 	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
-	disable-algorithms "digest-alg-unsupported.example." { ECDSAP384SHA384; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "digest-alg-unsupported.example." { @DEFAULT_ALGORITHM@; };
 	disable-ds-digests "digest-alg-unsupported.example." { "SHA384"; "SHA-384"; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "ede-not-only.example." { @DEFAULT_ALGORITHM@; };
+	disable-ds-digests "ede-not-only.example." { "SHA384"; "SHA-384"; };
+
 	disable-ds-digests "ds-unsupported.example." { "SHA256"; "SHA-256"; "SHA384"; "SHA-384"; };
-	disable-algorithms "badalg.secure.example." { ECDSAP256SHA256; };
+
+	# "example" is signed with the alterative algorithm so use default algorithm here
+	disable-algorithms "algorithm-disabled.example." { @DEFAULT_ALGORITHM@; };
 };

 key rndc_key {
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3703,19 +3703,25 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

-echo_i "checking EDE code 2 for unsupported DS digest ($n)"
+echo_i "checking EDE code 2 for unsupported DS digest (disable-ds-digests) ($n)"
 ret=0
+dig_with_opts @10.53.0.3 a.ds-unsupported.example >dig.out.ns3.test$n || ret=1
 dig_with_opts @10.53.0.4 a.ds-unsupported.example >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
 grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-256 ds-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

-echo_i "checking EDE code 1 for bad alg mnemonic ($n)"
+echo_i "checking EDE code 1 for unsupported algorithm (disabled-algorithms) ($n)"
 ret=0
-dig_with_opts @10.53.0.4 badalg.secure.example >dig.out.ns4.test$n || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP256SHA256 badalg.secure.example/A)" dig.out.ns4.test$n >/dev/null || ret=1
+dig_with_opts @10.53.0.3 a.algorithm-disabled.example >dig.out.ns3.test$n || ret=1
+dig_with_opts @10.53.0.4 a.algorithm-disabled.example >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (${DEFAULT_ALGORITHM} a.algorithm-disabled.example/A)" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -3723,14 +3729,30 @@ status=$((status + ret))

 echo_i "checking both EDE code 1 and 2 for unsupported digest on one DNSKEY and alg on the other ($n)"
 ret=0
+dig_with_opts @10.53.0.3 a.digest-alg-unsupported.example >dig.out.ns3.test$n || ret=1
 dig_with_opts @10.53.0.4 a.digest-alg-unsupported.example >dig.out.ns4.test$n || ret=1
-grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (ECDSAP384SHA384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm): (${DEFAULT_ALGORITHM} digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
 grep "; EDE: 2 (Unsupported DS Digest Type): (SHA-384 digest-alg-unsupported.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+echo_i "checking no EDE code 1 and 2 are added if there are other usable records are available ($n)"
+ret=0
+dig_with_opts @10.53.0.3 a.ede-not-only.example >dig.out.ns3.test$n || ret=1
+dig_with_opts @10.53.0.4 a.ede-not-only.example >dig.out.ns4.test$n || ret=1
+grep "status: NOERROR," dig.out.ns3.test$n >/dev/null || ret=1
+grep "status: NOERROR," dig.out.ns4.test$n >/dev/null || ret=1
+grep "; EDE: 1 (Unsupported DNSKEY Algorithm)" dig.out.ns4.test$n >/dev/null && ret=1
+grep "; EDE: 2 (Unsupported DS Digest Type)" dig.out.ns4.test$n >/dev/null && ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking that unsupported DNSKEY algorithm is in DNSKEY RRset ($n)"
 ret=0
 dig_with_opts +noauth +noadd +nodnssec +adflag @10.53.0.3 dnskey-unsupported-2.example DNSKEY >dig.out.test$n
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -72,10 +72,12 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns2/updatecheck-kskonly.secure.zsk.key",
        "ns3/NSEC",
        "ns3/NSEC3",
+        "ns3/algorithm-disabled.example.db",
        "ns3/auto-nsec.example.db",
        "ns3/auto-nsec3.example.db",
        "ns3/badds.example.db",
        "ns3/bogus.example.db",
+        "ns3/digest-alg-unsupported.example.db",
        "ns3/disabled.managed.db",
        "ns3/disabled.trusted.db",
        "ns3/dname-at-apex-nsec3.example.db",
@@ -86,8 +88,9 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/dnskey-unsupported-2.example.db",
        "ns3/dnskey-unsupported.example.db",
        "ns3/dnskey-unsupported.example.db.tmp",
+        "ns3/ds-unsupported.example.db",
        "ns3/dynamic.example.db",
-        "ns3/digest-alg-unsupported.example.db",
+        "ns3/ede-not-only.example.db",
        "ns3/enabled.managed.db",
        "ns3/enabled.trusted.db",
        "ns3/example.bk",
@@ -137,7 +140,6 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns3/update-nsec3.example.db.signed",
        "ns3/upper.example.db",
        "ns3/upper.example.db.lower",
-        "ns3/ds-unsupported.example.db",
        "ns4/managed.conf",
        "ns4/managed-keys.bind",
        "ns4/named.secroots",