Only render required zones in config for nsec3 tests

When all zones are configured, regardless of whether the test module actually uses them, it makes debugging the logs needlessly more complicated, as there is a bunch of stuff going on that is completely unrelated to the test. Define a list of tested zones in each test module and only render the named.conf with those zones defined.
2026-05-28 04:34:54 -04:00 · 2025-11-20 18:09:58 +01:00 · 2025-11-20 18:09:58 +01:00 · 66e4146a88
commit 66e4146a88
parent 9ee62467a6
8 changed files with 183 additions and 32 deletions
--- a/bin/tests/system/nsec3/ns2/named.conf.j2
+++ b/bin/tests/system/nsec3/ns2/named.conf.j2
@ -39,8 +39,10 @@ controls {
 	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };

+{% if "nsec3-xfr-inline.kasp" in zones %}
 zone "nsec3-xfr-inline.kasp" {
 	type primary;
 	file "nsec3-xfr-inline.kasp.db";
 	dnssec-policy "nsec3";
 };
+{% endif %}{# nsec3-xfr-inline.kasp #}
--- a/bin/tests/system/nsec3/ns3/named-fips.conf.j2
+++ b/bin/tests/system/nsec3/ns3/named-fips.conf.j2
@ -18,41 +18,52 @@
 {% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %}
 {% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %}

+{% if "nsec-to-nsec3.kasp" in zones %}
 /* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
 zone "nsec-to-nsec3.kasp" {
 	type primary;
 	file "nsec-to-nsec3.kasp.db";
 	dnssec-policy "@nsec_to_nsec3@";
 };
+{% endif %}{# nsec-to-nsec3.kasp #}

+{% if "nsec3.kasp" in zones %}
 /* These zones use the default NSEC3 settings. */
 zone "nsec3.kasp" {
 	type primary;
 	file "nsec3.kasp.db";
 	dnssec-policy "nsec3";
 };
+{% endif %}{# nsec3.kasp #}

+{% if "nsec3-dynamic.kasp" in zones %}
 zone "nsec3-dynamic.kasp" {
 	type primary;
 	file "nsec3-dynamic.kasp.db";
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
+{% endif %}{# nsec3-dynamic.kasp #}

+{% if "nsec3-other.kasp" in zones %}
 /* This zone uses non-default NSEC3 settings. */
 zone "nsec3-other.kasp" {
 	type primary;
 	file "nsec3-other.kasp.db";
 	dnssec-policy "nsec3-other";
 };
+{% endif %}{# nsec3-other.kasp #}

+{% if "nsec3-change.kasp" in zones %}
 /* These zones will be reconfigured to use other NSEC3 settings. */
 zone "nsec3-change.kasp" {
 	type primary;
 	file "nsec3-change.kasp.db";
 	dnssec-policy "@nsec3_change@";
 };
+{% endif %}{# nsec3-change.kasp #}

+{% if "nsec3-dynamic-change.kasp" in zones %}
 zone "nsec3-dynamic-change.kasp" {
 	type primary;
 	file "nsec3-dynamic-change.kasp.db";
@ -60,28 +71,36 @@ zone "nsec3-dynamic-change.kasp" {
 	dnssec-policy "@nsec3_change@";
 	allow-update { any; };
 };
+{% endif %}{# nsec3-dynamic-change.kasp #}

+{% if "nsec3-to-optout.kasp" in zones %}
 /* The zone will be reconfigured to use opt-out. */
 zone "nsec3-to-optout.kasp" {
 	type primary;
 	file "nsec3-to-optout.kasp.db";
 	dnssec-policy "@nsec3_to_optout@";
 };
+{% endif %}{# nsec3-to-optout.kasp #}

+{% if "nsec3-from-optout.kasp" in zones %}
 /* The zone will be reconfigured to disable opt-out. */
 zone "nsec3-from-optout.kasp" {
 	type primary;
 	file "nsec3-from-optout.kasp.db";
 	dnssec-policy "@nsec3_from_optout@";
 };
+{% endif %}{# nsec3-from-optout.kasp #}

+{% if "nsec3-to-nsec.kasp" in zones %}
 /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
 zone "nsec3-to-nsec.kasp" {
 	type primary;
 	file "nsec3-to-nsec.kasp.db";
 	dnssec-policy "@nsec3_to_nsec@";
 };
+{% endif %}{# nsec3-to-nsec.kasp #}

+{% if "nsec3-fails-to-load.kasp" in zones %}
 /*
 * The zone fails to load, this should not prevent shutdown.
 * The zone is fixed after a reconfig.
@ -92,7 +111,9 @@ zone "nsec3-fails-to-load.kasp" {
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
+{% endif %}{# nsec3-fails-to-load.kasp #}

+{% if "nsec3-dynamic-to-inline.kasp" in zones %}
 /* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
 	type primary;
@ -101,9 +122,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
 {% if not reconfiged %}
 	allow-update { any; };
 	inline-signing no;
-{% endif %}
+{% endif %}{# not reconfiged #}
 };
+{% endif %}{# nsec3-dynamic-to-inline.kasp #}

+{% if "nsec3-inline-to-dynamic.kasp" in zones %}
 zone "nsec3-inline-to-dynamic.kasp" {
 	type primary;
 	file "nsec3-inline-to-dynamic.kasp.db";
@ -111,34 +134,11 @@ zone "nsec3-inline-to-dynamic.kasp" {
 {% if reconfiged %}
 	allow-update { any; };
 	inline-signing no;
-{% endif %}
-
+{% endif %}{# reconfiged #}
 };
+{% endif %}{# nsec3-inline-to-dynamic.kasp #}

-{% if not reconfiged %}
-
-/*
- * Test adding a NSEC3 record to an inline-signing dnssec-policy zone.
- */
-zone "nsec3-dynamic-update-inline.kasp" {
-	type primary;
-	file "nsec3-dynamic-update-inline.kasp.db";
-	allow-update { any; };
-	dnssec-policy "nsec";
-};
-
-/*
- * This zone will have an empty nonterminal node added and a node deleted.
- */
-zone "nsec3-xfr-inline.kasp" {
-       type secondary;
-       file "nsec3-xfr-inline.kasp.db";
-       dnssec-policy "nsec";
-       primaries { 10.53.0.2; };
-};
-
-{% else %}
-
+{% if "nsec3-ent.kasp" in zones %}
 /*
 * This zone will have an empty nonterminal node added and a node deleted.
 */
@ -148,5 +148,32 @@ zone "nsec3-ent.kasp" {
 	dnssec-policy "nsec3";
 	inline-signing yes;
 };
+{% endif %}{# nsec3-ent.kasp #}

-{% endif %}
+{% if not reconfiged %}
+
+{% if "nsec3-dynamic-update-inline.kasp" in zones %}
+/*
+ * Test adding a NSEC3 record to an inline-signing dnssec-policy zone.
+ */
+zone "nsec3-dynamic-update-inline.kasp" {
+	type primary;
+	file "nsec3-dynamic-update-inline.kasp.db";
+	allow-update { any; };
+	dnssec-policy "nsec";
+};
+{% endif %}{# nsec3-dynamic-update-inline.kasp #}
+
+{% if "nsec3-xfr-inline.kasp" in zones %}
+/*
+ * This zone will have an empty nonterminal node added and a node deleted.
+ */
+zone "nsec3-xfr-inline.kasp" {
+       type secondary;
+       file "nsec3-xfr-inline.kasp.db";
+       dnssec-policy "nsec";
+       primaries { 10.53.0.2; };
+};
+{% endif %}{# nsec3-xfr-inline.kasp #}
+
+{% endif %}{# not reconfiged #}
--- a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2
+++ b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2
@ -21,6 +21,8 @@ dnssec-policy "rsasha1" {
 	};
 };

+
+{% if "rsasha1-to-nsec3.kasp" in zones %}
 /*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should work despite the incompatible RSAHSHA1 algorithm,
@ -31,7 +33,9 @@ zone "rsasha1-to-nsec3.kasp" {
 	file "rsasha1-to-nsec3.kasp.db";
 	dnssec-policy "@rsasha1_to_nsec3@";
 };
+{% endif %}{# rsasha1-to-nsec3.kasp #}

+{% if "rsasha1-to-nsec3-wait.kasp" in zones %}
 /*
 * This zone starts with NSEC, but will be reconfigured to use NSEC3.
 * This should block because RSASHA1 is not compatible with NSEC3,
@ -42,7 +46,9 @@ zone "rsasha1-to-nsec3-wait.kasp" {
 	file "rsasha1-to-nsec3-wait.kasp.db";
 	dnssec-policy "@rsasha1_to_nsec3@";
 };
+{% endif %}{# rsasha1-to-nsec3-wait.kasp #}

+{% if "nsec3-to-rsasha1.kasp" in zones %}
 /*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
@ -53,7 +59,9 @@ zone "nsec3-to-rsasha1.kasp" {
 	file "nsec3-to-rsasha1.kasp.db";
 	dnssec-policy "@nsec3_to_rsasha1@";
 };
+{% endif %}{# nsec3-to-rsasha1.kasp #}

+{% if "nsec3-to-rsasha1-ds.kasp" in zones %}
 /*
 * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
 * NSEC only algorithm. This should also be fine because we are allowed
@ -65,3 +73,4 @@ zone "nsec3-to-rsasha1-ds.kasp" {
 	file "nsec3-to-rsasha1-ds.kasp.db";
 	dnssec-policy "@nsec3_to_rsasha1@";
 };
+{% endif %}{# nsec3-to-rsasha1-ds.kasp #}
--- a/bin/tests/system/nsec3/tests_nsec3_change.py
+++ b/bin/tests/system/nsec3/tests_nsec3_change.py
@ -31,6 +31,18 @@ from nsec3.common import (
 )


+# include the following zones when rendering named configs
+ZONES = {
+    "nsec3-change.kasp",
+}
+
+
+def bootstrap():
+    return {
+        "zones": ZONES,
+    }
+
+
@pytest.fixture(scope="module", autouse=True)
 def after_servers_start(ns3, templates):

@ -58,8 +70,12 @@ def after_servers_start(ns3, templates):
    # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.

    # Reconfigure.
-    templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
-    templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
+    data = {
+        "reconfiged": True,
+        "zones": ZONES,
+    }
+    templates.render(f"{nsdir}/named-fips.conf", data)
+    templates.render(f"{nsdir}/named-rsasha1.conf", data)

    # Wait for the NSEC3 chain is finished rebuilding.
    messages = [
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@ -11,6 +11,8 @@

 # pylint: disable=redefined-outer-name,unused-import

+import os
+
 import dns.update
 import pytest

@ -27,6 +29,40 @@ from nsec3.common import (
 )


+# include the following zones when rendering named configs
+ZONES = {
+    "nsec-to-nsec3.kasp",
+    "nsec3-xfr-inline.kasp",
+    "nsec3-dynamic-update-inline.kasp",
+    "nsec3.kasp",
+    "nsec3-dynamic.kasp",
+    "nsec3-change.kasp",
+    "nsec3-dynamic-change.kasp",
+    "nsec3-dynamic-to-inline.kasp",
+    "nsec3-inline-to-dynamic.kasp",
+    "nsec3-to-nsec.kasp",
+    "nsec3-to-optout.kasp",
+    "nsec3-from-optout.kasp",
+    "nsec3-other.kasp",
+}
+
+if os.environ["RSASHA1_SUPPORTED"] == "1":
+    ZONES.update(
+        {
+            "rsasha1-to-nsec3.kasp",
+            "rsasha1-to-nsec3-wait.kasp",
+            "nsec3-to-rsasha1.kasp",
+            "nsec3-to-rsasha1-ds.kasp",
+        }
+    )
+
+
+def bootstrap():
+    return {
+        "zones": ZONES,
+    }
+
+
@pytest.mark.parametrize(
    "params",
    [
--- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py
+++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
@ -31,6 +31,38 @@ from nsec3.common import (
 )


+# include the following zones when rendering named configs
+ZONES = {
+    "nsec3-to-nsec.kasp",
+    "nsec-to-nsec3.kasp",
+    "nsec3.kasp",
+    "nsec3-dynamic.kasp",
+    "nsec3-dynamic-change.kasp",
+    "nsec3-dynamic-to-inline.kasp",
+    "nsec3-inline-to-dynamic.kasp",
+    # "nsec3-to-optout.kasp",
+    # "nsec3-from-optout.kasp",
+    "nsec3-other.kasp",
+    "nsec3-ent.kasp",
+}
+
+if os.environ["RSASHA1_SUPPORTED"] == "1":
+    ZONES.update(
+        {
+            "rsasha1-to-nsec3-wait.kasp",
+            "nsec3-to-rsasha1.kasp",
+            "nsec3-to-rsasha1-ds.kasp",
+            "rsasha1-to-nsec3.kasp",
+        }
+    )
+
+
+def bootstrap():
+    return {
+        "zones": ZONES,
+    }
+
+
@pytest.fixture(scope="module", autouse=True)
 def after_servers_start(ns3, templates):
    # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
@ -41,8 +73,12 @@ def after_servers_start(ns3, templates):
        isctest.kasp.check_dnssec_verify(ns3, zone)

    # Reconfigure.
-    templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True})
-    templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True})
+    data = {
+        "reconfiged": True,
+        "zones": ZONES,
+    }
+    templates.render(f"{ns3.identifier}/named-fips.conf", data)
+    templates.render(f"{ns3.identifier}/named-rsasha1.conf", data)
    ns3.reconfigure()


--- a/bin/tests/system/nsec3/tests_nsec3_reload.py
+++ b/bin/tests/system/nsec3/tests_nsec3_reload.py
@ -26,6 +26,18 @@ from nsec3.common import (
 )


+# include the following zones when rendering named configs
+ZONES = {
+    "nsec3-fails-to-load.kasp",
+}
+
+
+def bootstrap():
+    return {
+        "zones": ZONES,
+    }
+
+
 def test_nsec3_case(ns3):
    # Get test parameters.
    params = {
--- a/bin/tests/system/nsec3/tests_nsec3_restart.py
+++ b/bin/tests/system/nsec3/tests_nsec3_restart.py
@ -29,6 +29,19 @@ from nsec3.common import (
 )


+# include the following zones when rendering named configs
+ZONES = {
+    "nsec3.kasp",
+    "nsec3-other.kasp",
+}
+
+
+def bootstrap():
+    return {
+        "zones": ZONES,
+    }
+
+
 def perform_nsec3_tests(server, params):
    # Get test parameters.
    zone = params["zone"]