Change NSEC3 iterations to 0 in system tests

The system tests need to be updated because non-zero iterations are no
longer accepted.

The autosign system test changes its iterations from 1 to 0 in one
test case. This requires the hash to be updated.

The checkconf system test needs to change the iterations in the good
configuration files to 0, and in the bad ones to 1 (any non-zero value
would suffice, but we test the corner case here). Also, the expected
failure message is change, so needs to be adjusted.

The nsec3 system test also needs iteration configuration adjustments.
In addition, the test script no longer needs the ITERATIONS environment
variable.

In the process of updating the system tests, I noticed an error
in the dnssec-policy "nsec3-other", where the salt length in one
configuration file is different than in the other (they need to be
the same). Furthermore, the 'rndc signing -nsec3param' test case
is operated on the zone 'nsec-change.kasp', so is moved so that the
tests on the same zone are grouped together.

bin/tests/system/autosign/ns2/named.conf.in

@@ -67,7 +67,7 @@ dnssec-policy "optout" {
 		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 
-	nsec3param iterations 1 optout yes salt-length 0;
+	nsec3param iterations 0 optout yes salt-length 0;
 };
 
 zone "." {

bin/tests/system/autosign/tests.sh

@@ -1269,9 +1269,9 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
-echo_i "check removal of ENT NSEC3 records when opt out delegations are removed"
+echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)"
 zone=optout-with-ent
-hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL
+hash=JE76PJ65FUO86UIR594L8P0SNJJ6RMNI
 
 # check that NSEC3 for ENT is present
 echo_i "check ENT NSEC3 is initially present"

bin/tests/system/checkconf/good-kasp.conf

@@ -29,7 +29,7 @@ dnssec-policy "test" {
 		csk key-directory lifetime unlimited algorithm rsasha256 2048;
 	};
 	max-zone-ttl 86400;
-	nsec3param iterations 5 optout no salt-length 8;
+	nsec3param iterations 0 optout no salt-length 8;
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;

bin/tests/system/checkconf/good-key-directory.conf

@@ -17,7 +17,7 @@ dnssec-policy "internet" {
     zsk   key-directory   lifetime P90D        algorithm ecdsa256;
   };
 
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };
 
 dnssec-policy "intranet" {
@@ -25,7 +25,7 @@ dnssec-policy "intranet" {
     ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
     zsk   key-directory   lifetime P30D        algorithm ecdsa256;
   };
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };
 
 dnssec-policy "localhost" {
@@ -33,7 +33,7 @@ dnssec-policy "localhost" {
     ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
     zsk   key-directory   lifetime P30D        algorithm ecdsa256;
   };
-  nsec3param iterations 15 optout no salt-length 8;
+  nsec3param iterations 0 optout no salt-length 8;
 };
 
 options {

bin/tests/system/checkconf/kasp-bad-nsec3-iter-fips.conf

@@ -15,28 +15,28 @@ dnssec-policy "rsasha256" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha256-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };
 
 dnssec-policy "rsasha512" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha512-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };
 
 zone "example.net" {

bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf

@@ -15,42 +15,42 @@ dnssec-policy "rsasha1" {
 	keys {
 		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha1-bad" {
 	keys {
 		csk lifetime P10Y algorithm nsec3rsasha1 1024;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };
 
 dnssec-policy "rsasha256" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha256-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha256 2048;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };
 
 dnssec-policy "rsasha512" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 150;
+	nsec3param iterations 0;
 };
 
 dnssec-policy "rsasha512-bad" {
 	keys {
 		csk lifetime P10Y algorithm rsasha512 4096;
 	};
-	nsec3param iterations 151;
+	nsec3param iterations 1;
 };
 
 zone "example.net" {

bin/tests/system/checkconf/tests.sh

@@ -620,7 +620,7 @@ else
   expect=3
 fi
 $CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: nsec3 iterations value 151 out of range" <checkconf.out$n >/dev/null || ret=1
+grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" <checkconf.out$n >/dev/null || ret=1
 lines=$(wc -l <"checkconf.out$n")
 if [ $lines -ne $expect ]; then ret=1; fi
 if [ $ret -ne 0 ]; then echo_i "failed"; fi

bin/tests/system/nsec3/ns3/named-fips.conf.in

@@ -27,7 +27,7 @@ dnssec-policy "optout" {
 };
 
 dnssec-policy "nsec3-other" {
-	nsec3param iterations 11 optout yes salt-length 8;
+	nsec3param iterations 0 optout yes salt-length 8;
 };
 
 options {

bin/tests/system/nsec3/ns3/named2-fips.conf.in

@@ -27,7 +27,7 @@ dnssec-policy "optout" {
 };
 
 dnssec-policy "nsec3-other" {
-	nsec3param iterations 11 optout yes salt-length 0;
+	nsec3param iterations 0 optout yes salt-length 8;
 };
 
 options {

bin/tests/system/nsec3/tests.sh

@@ -46,12 +46,10 @@ set_zone_policy() {
   CDS_SHA256="yes"
   CDS_SHA384="no"
 }
-# Set expected NSEC3 parameters: flags ($1), iterations ($2), and
-# salt length ($3).
+# Set expected NSEC3 parameters: flags ($1) and salt length ($2).
 set_nsec3param() {
   FLAGS=$1
-  ITERATIONS=$2
-  SALTLEN=$3
+  SALTLEN=$2
   # Reset salt.
   SALT=""
 }
@@ -102,7 +100,7 @@ set_key_states() {
 # The apex NSEC3PARAM record indicates that it is signed.
 _wait_for_nsec3param() {
   dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM >"dig.out.test$n.wait" || return 1
-  grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
+  grep "${ZONE}\..*IN.*NSEC3PARAM 1 0 0.*${SALT}" "dig.out.test$n.wait" >/dev/null || return 1
   grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" >/dev/null || return 1
   return 0
 }
@@ -188,7 +186,7 @@ check_nsec() {
 # Test: check NSEC3 parameters in answers
 _check_nsec3_nsec3param() {
   dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM >"dig.out.test$n.nsec3param.$ZONE" || return 1
-  grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1
+  grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*0.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" >/dev/null || return 1
 
   if [ -z "$SALT" ]; then
     SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE)
@@ -198,7 +196,7 @@ _check_nsec3_nsec3param() {
 
 _check_nsec3_nxdomain() {
   dig_with_opts @$SERVER "nosuchname.${ZONE}" >"dig.out.test$n.nxdomain.$ZONE" || return 1
-  grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
+  grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*0.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" >/dev/null || return 1
   return 0
 }
 
@@ -206,14 +204,14 @@ check_nsec3() {
   wait_for_zone_is_signed "nsec3"
 
   n=$((n + 1))
-  echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)"
+  echo_i "check that NSEC3PARAM 1 0 0 ${SALT} is published zone ${ZONE} ($n)"
   ret=0
   retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
   test "$ret" -eq 0 || echo_i "failed"
   status=$((status + ret))
 
   n=$((n + 1))
-  echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)"
+  echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} 0 ${SALT} for zone ${ZONE} ($n)"
   ret=0
   retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
   test "$ret" -eq 0 || echo_i "failed"
@@ -277,21 +275,21 @@ fi
 
 # Zone: nsec3.kasp.
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-dynamic.kasp.
 set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-change.kasp.
 set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
@@ -316,49 +314,49 @@ retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zo
 
 # Zone: nsec3-dynamic-change.kasp.
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-dynamic-to-inline.kasp.
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-inline-to-dynamic.kasp.
 set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-to-optout.kasp.
 set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-from-optout.kasp.
 set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600
-set_nsec3param "1" "0" "0"
+set_nsec3param "1" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-other.kasp.
 set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
@@ -403,7 +401,7 @@ rndc_reconfig ns3 10.53.0.3
 
 # Zone: nsec-to-nsec3.kasp. (reconfigured)
 set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
@@ -431,7 +429,7 @@ if ($SHELL ../testcrypto.sh -q RSASHA1); then
 
   # Zone: nsec3-to-rsasha1.kasp.
   set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600
-  set_nsec3param "1" "0" "0"
+  set_nsec3param "1" "0"
   set_server "ns3" "10.53.0.3"
   set_key_default_values "KEY1"
   set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
@@ -443,7 +441,7 @@ if ($SHELL ../testcrypto.sh -q RSASHA1); then
 
   # Zone: nsec3-to-rsasha1-ds.kasp.
   set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600
-  set_nsec3param "1" "0" "0"
+  set_nsec3param "1" "0"
   set_server "ns3" "10.53.0.3"
   set_key_default_values "KEY1"
   set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
@@ -457,21 +455,21 @@ fi
 
 # Zone: nsec3.kasp. (same)
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-dyamic.kasp. (same)
 set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-change.kasp. (reconfigured)
 set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
@@ -486,30 +484,36 @@ grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" >/dev/null ||
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+# Using rndc signing -nsec3param (should fail)
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+
 # Zone: nsec3-dynamic-change.kasp. (reconfigured)
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-dynamic-to-inline.kasp. (same)
 set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
 # Zone: nsec3-inline-to-dynamic.kasp. (same)
 set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec
@@ -519,7 +523,7 @@ check_nsec
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600
-#set_nsec3param "1" "0" "0"
+#set_nsec3param "1" "0"
 #set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
@@ -529,28 +533,21 @@ check_nsec
 # There is a bug in the nsec3param building code that thinks when the
 # optout bit is changed, the chain already exists. [GL #2216]
 #set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600
-#set_nsec3param "0" "0" "0"
+#set_nsec3param "0" "0"
 #set_key_default_values "KEY1"
 #echo_i "check zone ${ZONE} after reconfig"
 #check_nsec3
 
 # Zone: nsec3-other.kasp. (same)
 set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
-set_nsec3param "1" "11" "8"
+set_nsec3param "1" "8"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
-# Using rndc signing -nsec3param (should fail)
-set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
-echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
-rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE >rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
-grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE >/dev/null || log_error "rndc signing -nsec3param should fail"
-check_nsec3
-
 # Test NSEC3 and NSEC3PARAM is the same after restart
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} before restart"
 check_nsec3
@@ -570,7 +567,7 @@ status=$((status + ret))
 
 prevsalt="${SALT}"
 set_zone_policy "nsec3.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 SALT="${prevsalt}"
 echo_i "check zone ${ZONE} after restart has salt ${SALT}"
@@ -581,7 +578,7 @@ cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
 rndc_reload ns3 10.53.0.3
 
 set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600
-set_nsec3param "0" "0" "0"
+set_nsec3param "0" "0"
 set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reload"
 check_nsec3