Add active truncated DNSKEY test to dnssec_py

Forward-port active truncated DNSKEY test from a812bc52 which has only
been merged to the stable branches.

Assisted-by: Claude:claude-opus-4-8

bin/tests/system/dnssec_py/ns2/zones/truncated-active.selfsigned.db.signed.j2

@@ -0,0 +1,25 @@
+{% raw %}
+$TTL 300
+
+@		IN SOA	mname1. . (
+				1	; serial
+				600	; refresh
+				600	; retry
+				1200	; expire
+				600	; minimum
+				)
+
+@		NS	@
+@		A	10.53.0.2
+
+; The following DNSKEY is too short for the algorithm, but will be
+; accepted by the DNSKEY parser code, which only checks for minimum length.
+@		DNSKEY	257 3 14 fYA=
+
+@		RRSIG	SOA 14 2 86400 20950926153053 20251013153053 33167 @ xxxx5f7U0DiPvKFxpB83mTyqkAO0TfM0 xe4ZMYoJUQEPYdd0GTNkFzI6crsbU0lQ t/V1YOxAt5B+T1ch9n5dhYwt7ZTqluI2 mr6myKMesdPl1zp1hEgkmFpCG3NOXl2Z
+@		RRSIG	NS 14 2 86400 20950926153053 20251013153053 33167 @ xxxxLBPc05g7v/K5UfGuXsHH8xd29eQb 5qWe+Ei4Qn0GlmH0x/VIJiJMZXuxD5S+ VhP7DiX7uKIxi0QS2DOK1aOMXq/2WiUV 2VBmYAoSUilMlJY84I2XbzqD5iz5y+yp
+@		RRSIG	A 14 2 86400 20950926153053 20251013153053 33167 @ xxxx6UguMh8jgdVox2UVURjEsAP0D8o2 mFofnFOd6eYf+49QlWD+GX6x60X/hPVi f2XFsajouCvT/ZSmoXKWad3RC1DLHF/H TdOGMKlT4DfvbeJV+N5N0bgu2Wv3QRdM
+@		RRSIG	DNSKEY 14 2 86400 20950926153053 20251013153053 33167 @ xxxxqayRNsL32Km0c9AjwN0RNktt4iGb 97Dwi0uiHPcM4eVNZR2w68XMUh43+nR1 DA1QE2RqIqt7soEIwi1z4kAczf7W1wrP 7dcbEwjxS9D1CefuNRG1xnj9wGsqKecI
+@		NSEC	a A NS SOA RRSIG NSEC DNSKEY
+@		RRSIG	NSEC 14 2 0 20950926153053 20251013153053 33167 @ xxxx4Y6vqeOJHWEeg0T0OY4z7BdDrTkn BY9Yra8zSjFEGZvIX3irPd81+u5xlA0T 9waJO2Y9W42IMrOeKdQt++QXVHsLhOYn 4NAF6RotHSb4cqv1DXI1PSchMaJ5FWwD
+{% endraw %}

bin/tests/system/dnssec_py/tests_dnskey_truncated_selfsigned.py

@@ -21,25 +21,44 @@ pytestmark = DNSSEC_PY_MARK
 
 
 def bootstrap():
-    zone = Zone("truncated.selfsigned", NS2, signed=True)
+    revoked_zone = Zone("truncated-revoked.selfsigned", NS2, signed=True)
+    active_zone = Zone("truncated-active.selfsigned", NS2, signed=True)
 
-    root = configure_root([zone], signed=False)  # just delegation, TA is added directly
+    # just delegation, the trust anchors are added directly
+    root = configure_root([revoked_zone, active_zone], signed=False)
 
     # The trust anchor key tag must match the revoked truncated self-signed key
     # in the zone (key tag 33167). The flags differ here (257 vs 385) because
     # the revoked bit is not part of the trust anchor, but it is part of the key
     # tag calculation.
-    zone_ta = TrustAnchor("truncated.selfsigned", "static-key", '257 3 14 "fYA="')
+    revoked_ta = TrustAnchor(
+        "truncated-revoked.selfsigned", "static-key", '257 3 14 "fYA="'
+    )
+
+    # The active truncated key is too short for the ECDSA curve but passes the
+    # parser's minimum-length check; trusting it directly exercises the
+    # key-construction failure path.
+    active_ta = TrustAnchor(
+        "truncated-active.selfsigned", "static-key", '257 3 14 "fYA="'
+    )
 
     return {
-        "trust_anchors": [zone_ta],
-        "zones": zones([root, zone]),
+        "trust_anchors": [revoked_ta, active_ta],
+        "zones": zones([root, revoked_zone, active_zone]),
     }
 
 
-def test_truncated_dnskey(ns9):
-    msg = isctest.query.create("a.truncated.selfsigned.", "A")
+def test_truncated_revoked_dnskey(ns9):
+    msg = isctest.query.create("a.truncated-revoked.selfsigned.", "A")
     with ns9.watch_log_from_here() as watcher:
         res = isctest.query.tcp(msg, ns9.ip)
-        watcher.wait_for_line(Re("a.truncated.selfsigned/A.*broken trust chain"))
+        watcher.wait_for_line(
+            Re("a.truncated-revoked.selfsigned/A.*broken trust chain")
+        )
+    isctest.check.servfail(res)
+
+
+def test_truncated_active_dnskey(ns9):
+    msg = isctest.query.create("a.truncated-active.selfsigned.", "A")
+    res = isctest.query.tcp(msg, ns9.ip)
     isctest.check.servfail(res)