Parse DNSKEY into a dnspython type in isctest.kasp.Key.dnskey

Previously, a DNSKEY string from keyfile was returned. This made the function brittle for further processing, as the string would have to be split up, concatenated, and TTL could be missing, making string indices context-dependent. Parse the DNSKEY rrset into a proper dnspython object and return it. This makes the output more predictable and reliable, as all the neccessary parsing is done by dnspython.
2026-05-23 10:37:43 -04:00 · 2025-10-24 16:47:59 +02:00 · 2025-10-24 16:47:59 +02:00 · 0bf20f8d68
commit 0bf20f8d68
parent 1ede6683cd
2 changed files with 24 additions and 12 deletions
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@ -20,8 +20,12 @@ import time
 from typing import Dict, List, Optional, Tuple, Union

 import dns
+import dns.rdatatype
+import dns.rrset
 import dns.tsig

+import pytest
+
 import isctest.log
 import isctest.query
 import isctest.util
@ -443,12 +447,22 @@ class Key:
                return int(line.split()[1])
        return 0

-    def dnskey(self):
+    @property
+    def dnskey(self) -> dns.rrset.RRset:
+        pytest.importorskip("dns", minversion="2.2.0")  # dns.zonefile.read_rrsets
        with open(self.keyfile, "r", encoding="utf-8") as file:
-            for line in file:
-                if "DNSKEY" in line:
-                    return line.strip()
-        return "undefined"
+            rrsets = dns.zonefile.read_rrsets(
+                file.read(),
+                rdclass=None,  # read rdclass from the file
+                default_ttl=DEFAULT_TTL,  # use this TTL if not present
+            )
+        assert len(rrsets) == 1, f"{self.keyfile} has multiple RRsets"
+        dnskey_rr = rrsets[0]
+        assert len(dnskey_rr) == 1, f"{self.keyfile} has multiple RRs"
+        assert (
+            dnskey_rr.rdtype == dns.rdatatype.DNSKEY
+        ), f"DNSKEY not found in {self.keyfile}"
+        return dnskey_rr

    def is_ksk(self) -> bool:
        return self.get_metadata("KSK") == "yes"
--- a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py
+++ b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py
@ -102,11 +102,10 @@ def test_rollover_multisigner(ns3, alg, size):
    expected2[0].legacy = True  # noqa
    expected = expected + expected2

-    dnskey = newkeys[0].dnskey().split()
-    rdata = " ".join(dnskey[4:])
+    dnskey = newkeys[0].dnskey

    update_msg = dns.update.UpdateMessage(zone)
-    update_msg.add(f"{dnskey[0]}", 3600, "DNSKEY", rdata)
+    update_msg.add(dnskey.name, dnskey.ttl, dnskey[0])
    ns3.nsupdate(update_msg)

    isctest.kasp.check_dnssec_verify(ns3, zone)
@ -118,11 +117,10 @@ def test_rollover_multisigner(ns3, alg, size):
    isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)

    # Remove ZSKs from the other providers for zone.
-    dnskey2 = extkeys[0].dnskey().split()
-    rdata2 = " ".join(dnskey2[4:])
+    dnskey2 = extkeys[0].dnskey
    update_msg = dns.update.UpdateMessage(zone)
-    update_msg.delete(f"{dnskey[0]}", "DNSKEY", rdata)
-    update_msg.delete(f"{dnskey2[0]}", "DNSKEY", rdata2)
+    update_msg.delete(dnskey.name, dnskey[0])
+    update_msg.delete(dnskey2.name, dnskey2[0])
    ns3.nsupdate(update_msg)

    isctest.kasp.check_dnssec_verify(ns3, zone)