From 66e4146a88c4de2b0881e29ff269f01f6658d376 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Thu, 20 Nov 2025 18:09:58 +0100 Subject: [PATCH] Only render required zones in config for nsec3 tests When all zones are configured, regardless of whether the test module actually uses them, it makes debugging the logs needlessly more complicated, as there is a bunch of stuff going on that is completely unrelated to the test. Define a list of tested zones in each test module and only render the named.conf with those zones defined. --- bin/tests/system/nsec3/ns2/named.conf.j2 | 2 + bin/tests/system/nsec3/ns3/named-fips.conf.j2 | 83 ++++++++++++------- .../system/nsec3/ns3/named-rsasha1.conf.j2 | 9 ++ bin/tests/system/nsec3/tests_nsec3_change.py | 20 ++++- bin/tests/system/nsec3/tests_nsec3_initial.py | 36 ++++++++ .../system/nsec3/tests_nsec3_reconfig.py | 40 ++++++++- bin/tests/system/nsec3/tests_nsec3_reload.py | 12 +++ bin/tests/system/nsec3/tests_nsec3_restart.py | 13 +++ 8 files changed, 183 insertions(+), 32 deletions(-) diff --git a/bin/tests/system/nsec3/ns2/named.conf.j2 b/bin/tests/system/nsec3/ns2/named.conf.j2 index 924e9d26cb..904abbf81d 100644 --- a/bin/tests/system/nsec3/ns2/named.conf.j2 +++ b/bin/tests/system/nsec3/ns2/named.conf.j2 @@ -39,8 +39,10 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +{% if "nsec3-xfr-inline.kasp" in zones %} zone "nsec3-xfr-inline.kasp" { type primary; file "nsec3-xfr-inline.kasp.db"; dnssec-policy "nsec3"; }; +{% endif %}{# nsec3-xfr-inline.kasp #} diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 b/bin/tests/system/nsec3/ns3/named-fips.conf.j2 index 5029457598..8074646fa6 100644 --- a/bin/tests/system/nsec3/ns3/named-fips.conf.j2 +++ b/bin/tests/system/nsec3/ns3/named-fips.conf.j2 
@@ -18,41 +18,52 @@ {% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %} {% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %} +{% if "nsec-to-nsec3.kasp" in zones %} /* This zone starts with NSEC, but will be reconfigured to use NSEC3. */ zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; dnssec-policy "@nsec_to_nsec3@"; }; +{% endif %}{# nsec-to-nsec3.kasp #} +{% if "nsec3.kasp" in zones %} /* These zones use the default NSEC3 settings. */ zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; dnssec-policy "nsec3"; }; +{% endif %}{# nsec3.kasp #} +{% if "nsec3-dynamic.kasp" in zones %} zone "nsec3-dynamic.kasp" { type primary; file "nsec3-dynamic.kasp.db"; dnssec-policy "nsec3"; allow-update { any; }; }; +{% endif %}{# nsec3-dynamic.kasp #} +{% if "nsec3-other.kasp" in zones %} /* This zone uses non-default NSEC3 settings. */ zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; dnssec-policy "nsec3-other"; }; +{% endif %}{# nsec3-other.kasp #} +{% if "nsec3-change.kasp" in zones %} /* These zones will be reconfigured to use other NSEC3 settings. */ zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; dnssec-policy "@nsec3_change@"; }; +{% endif %}{# nsec3-change.kasp #} +{% if "nsec3-dynamic-change.kasp" in zones %} zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; 
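Review bot: Each guard added to named-fips.conf.j2 repeats the zone name as a string literal (`{% if "nsec-to-nsec3.kasp" in zones %}` and the ones after it, through the later hunks of this file and named-rsasha1.conf.j2), and the test modules spell the same names again in their `ZONES` sets. A misspelling on either side makes the membership test false, so the zone is left out of the rendered config with no error at render time. Nothing in the visible hunks checks that every name in `ZONES` matched a guard; a comment at the top of each template listing the recognised zone names, or an assertion in the render path, would make a mismatch obvious. The templates now also depend on `zones` being passed on every render; whether an undefined `zones` fails or silently renders no zones depends on the Jinja environment settings, which are not visible here.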
@@ -60,28 +71,36 @@ zone "nsec3-dynamic-change.kasp" { dnssec-policy "@nsec3_change@"; allow-update { any; }; }; +{% endif %}{# nsec3-dynamic-change.kasp #} +{% if "nsec3-to-optout.kasp" in zones %} /* The zone will be reconfigured to use opt-out. */ zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; dnssec-policy "@nsec3_to_optout@"; }; +{% endif %}{# nsec3-to-optout.kasp #} +{% if "nsec3-from-optout.kasp" in zones %} /* The zone will be reconfigured to disable opt-out. */ zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; dnssec-policy "@nsec3_from_optout@"; }; +{% endif %}{# nsec3-from-optout.kasp #} +{% if "nsec3-to-nsec.kasp" in zones %} /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */ zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; dnssec-policy "@nsec3_to_nsec@"; }; +{% endif %}{# nsec3-to-nsec.kasp #} +{% if "nsec3-fails-to-load.kasp" in zones %} /* * The zone fails to load, this should not prevent shutdown. * The zone is fixed after a reconfig. @@ -92,7 +111,9 @@ zone "nsec3-fails-to-load.kasp" { dnssec-policy "nsec3"; allow-update { any; }; }; +{% endif %}{# nsec3-fails-to-load.kasp #} +{% if "nsec3-dynamic-to-inline.kasp" in zones %} /* These zones switch from dynamic to inline-signing or vice versa. */ zone "nsec3-dynamic-to-inline.kasp" { type primary; @@ -101,9 +122,11 @@ zone "nsec3-dynamic-to-inline.kasp" { {% if not reconfiged %} allow-update { any; }; inline-signing no; -{% endif %} +{% endif %}{# not reconfiged #} }; +{% endif %}{# nsec3-dynamic-to-inline.kasp #} +{% if "nsec3-inline-to-dynamic.kasp" in zones %} zone "nsec3-inline-to-dynamic.kasp" { type primary; file "nsec3-inline-to-dynamic.kasp.db"; 
@@ -111,34 +134,11 @@ zone "nsec3-inline-to-dynamic.kasp" { {% if reconfiged %} allow-update { any; }; inline-signing no; -{% endif %} - +{% endif %}{# reconfiged #} }; +{% endif %}{# nsec3-inline-to-dynamic.kasp #} -{% if not reconfiged %} - -/* - * Test adding a NSEC3 record to an inline-signing dnssec-policy zone. - */ -zone "nsec3-dynamic-update-inline.kasp" { - type primary; - file "nsec3-dynamic-update-inline.kasp.db"; - allow-update { any; }; - dnssec-policy "nsec"; -}; - -/* - * This zone will have an empty nonterminal node added and a node deleted. - */ -zone "nsec3-xfr-inline.kasp" { - type secondary; - file "nsec3-xfr-inline.kasp.db"; - dnssec-policy "nsec"; - primaries { 10.53.0.2; }; -}; - -{% else %} - +{% if "nsec3-ent.kasp" in zones %} /* * This zone will have an empty nonterminal node added and a node deleted. */ @@ -148,5 +148,32 @@ zone "nsec3-ent.kasp" { dnssec-policy "nsec3"; inline-signing yes; }; +{% endif %}{# nsec3-ent.kasp #} -{% endif %} +{% if not reconfiged %} + +{% if "nsec3-dynamic-update-inline.kasp" in zones %} +/* + * Test adding a NSEC3 record to an inline-signing dnssec-policy zone. + */ +zone "nsec3-dynamic-update-inline.kasp" { + type primary; + file "nsec3-dynamic-update-inline.kasp.db"; + allow-update { any; }; + dnssec-policy "nsec"; +}; +{% endif %}{# nsec3-dynamic-update-inline.kasp #} + +{% if "nsec3-xfr-inline.kasp" in zones %} +/* + * This zone will have an empty nonterminal node added and a node deleted. + */ +zone "nsec3-xfr-inline.kasp" { + type secondary; + file "nsec3-xfr-inline.kasp.db"; + dnssec-policy "nsec"; + primaries { 10.53.0.2; }; +}; +{% endif %}{# nsec3-xfr-inline.kasp #} + +{% endif %}{# not reconfiged #} diff --git a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 index c2cbf485ce..7c47ae2d54 100644 --- a/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 +++ b/bin/tests/system/nsec3/ns3/named-rsasha1.conf.j2 
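Review bot: The `nsec3-ent.kasp` zone is no longer tied to the reconfig step. Before this change it sat in the `{% else %}` branch of `{% if not reconfiged %}` and was rendered only after reconfiguration, while the new `{% if "nsec3-ent.kasp" in zones %}` guard (added in this hunk, with the zone body continuing in the next one) renders it in the initial config as well. tests_nsec3_reconfig.py lists the zone in `ZONES` and returns the same set from `bootstrap()`, so the zone would presumably exist before `ns3.reconfigure()` runs. If the test is meant to cover a zone that is introduced by the reconfig, keep the condition, e.g. `{% if reconfiged and "nsec3-ent.kasp" in zones %}`; if the change is intended, the commit message should say so.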
@@ -21,6 +21,8 @@ dnssec-policy "rsasha1" { }; }; + +{% if "rsasha1-to-nsec3.kasp" in zones %} /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should work despite the incompatible RSAHSHA1 algorithm, @@ -31,7 +33,9 @@ zone "rsasha1-to-nsec3.kasp" { file "rsasha1-to-nsec3.kasp.db"; dnssec-policy "@rsasha1_to_nsec3@"; }; +{% endif %}{# rsasha1-to-nsec3.kasp #} +{% if "rsasha1-to-nsec3-wait.kasp" in zones %} /* * This zone starts with NSEC, but will be reconfigured to use NSEC3. * This should block because RSASHA1 is not compatible with NSEC3, @@ -42,7 +46,9 @@ zone "rsasha1-to-nsec3-wait.kasp" { file "rsasha1-to-nsec3-wait.kasp.db"; dnssec-policy "@rsasha1_to_nsec3@"; }; +{% endif %}{# rsasha1-to-nsec3-wait.kasp #} +{% if "nsec3-to-rsasha1.kasp" in zones %} /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should work despite the incompatible RSAHSHA1 @@ -53,7 +59,9 @@ zone "nsec3-to-rsasha1.kasp" { file "nsec3-to-rsasha1.kasp.db"; dnssec-policy "@nsec3_to_rsasha1@"; }; +{% endif %}{# nsec3-to-rsasha1.kasp #} +{% if "nsec3-to-rsasha1-ds.kasp" in zones %} /* * This zone starts with NSEC3, but will be reconfigured to use NSEC with an * NSEC only algorithm. This should also be fine because we are allowed @@ -65,3 +73,4 @@ zone "nsec3-to-rsasha1-ds.kasp" { file "nsec3-to-rsasha1-ds.kasp.db"; dnssec-policy "@nsec3_to_rsasha1@"; }; +{% endif %}{# nsec3-to-rsasha1-ds.kasp #} diff --git a/bin/tests/system/nsec3/tests_nsec3_change.py b/bin/tests/system/nsec3/tests_nsec3_change.py index 39b3a1cbfe..a65a1789be 100644 --- a/bin/tests/system/nsec3/tests_nsec3_change.py +++ b/bin/tests/system/nsec3/tests_nsec3_change.py 
@@ -31,6 +31,18 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3-change.kasp", +} + + +def bootstrap(): + return { + "zones": ZONES, + } + + @pytest.fixture(scope="module", autouse=True) def after_servers_start(ns3, templates): @@ -58,8 +70,12 @@ def after_servers_start(ns3, templates): # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM. # Reconfigure. - templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True}) - templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True}) + data = { + "reconfiged": True, + "zones": ZONES, + } + templates.render(f"{nsdir}/named-fips.conf", data) + templates.render(f"{nsdir}/named-rsasha1.conf", data) # Wait for the NSEC3 chain is finished rebuilding. messages = [ diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py index a8f52350fe..6ef80343a9 100644 --- a/bin/tests/system/nsec3/tests_nsec3_initial.py +++ b/bin/tests/system/nsec3/tests_nsec3_initial.py @@ -11,6 +11,8 @@ # pylint: disable=redefined-outer-name,unused-import +import os + import dns.update import pytest @@ -27,6 +29,40 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec-to-nsec3.kasp", + "nsec3-xfr-inline.kasp", + "nsec3-dynamic-update-inline.kasp", + "nsec3.kasp", + "nsec3-dynamic.kasp", + "nsec3-change.kasp", + "nsec3-dynamic-change.kasp", + "nsec3-dynamic-to-inline.kasp", + "nsec3-inline-to-dynamic.kasp", + "nsec3-to-nsec.kasp", + "nsec3-to-optout.kasp", + "nsec3-from-optout.kasp", + "nsec3-other.kasp", +} + +if os.environ["RSASHA1_SUPPORTED"] == "1": + ZONES.update( + { + "rsasha1-to-nsec3.kasp", + "rsasha1-to-nsec3-wait.kasp", + "nsec3-to-rsasha1.kasp", + "nsec3-to-rsasha1-ds.kasp", + } + ) + + +def bootstrap(): + return { + "zones": ZONES, + } + + @pytest.mark.parametrize( "params", [ 
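Review bot: `bootstrap()` in tests_nsec3_change.py has no docstring, and nothing in the module says who calls it or how its return value is used; the same undocumented function is added to tests_nsec3_initial.py, tests_nsec3_reconfig.py, tests_nsec3_reload.py and tests_nsec3_restart.py. A one-line docstring such as `"""Return the template data for the initial render of the named configs."""` would help, assuming that is what the test framework does with the result. The comment above `ZONES` could also say that the names must match the `{% if "..." in zones %}` guards in the ns2/ns3 templates. `ZONES` is a mutable module-level set handed out by reference; in the modules that never call `ZONES.update`, a `frozenset` would rule out accidental changes between the initial render and the reconfig render.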
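Review bot: `os.environ["RSASHA1_SUPPORTED"]` in tests_nsec3_initial.py is evaluated at import time, so an unset variable raises `KeyError` during collection instead of producing a skipped or failed test; the same line is added to tests_nsec3_reconfig.py. If the test runner does not guarantee the variable, `if os.environ.get("RSASHA1_SUPPORTED") == "1":` keeps collection working and simply leaves the RSASHA1 zones out. If the runner does guarantee it, a short comment saying where it is set would save the next reader the search.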
diff --git a/bin/tests/system/nsec3/tests_nsec3_reconfig.py b/bin/tests/system/nsec3/tests_nsec3_reconfig.py index 1f7ffec73e..666ba320b4 100644 --- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py +++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py @@ -31,6 +31,38 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3-to-nsec.kasp", + "nsec-to-nsec3.kasp", + "nsec3.kasp", + "nsec3-dynamic.kasp", + "nsec3-dynamic-change.kasp", + "nsec3-dynamic-to-inline.kasp", + "nsec3-inline-to-dynamic.kasp", + # "nsec3-to-optout.kasp", + # "nsec3-from-optout.kasp", + "nsec3-other.kasp", + "nsec3-ent.kasp", +} + +if os.environ["RSASHA1_SUPPORTED"] == "1": + ZONES.update( + { + "rsasha1-to-nsec3-wait.kasp", + "nsec3-to-rsasha1.kasp", + "nsec3-to-rsasha1-ds.kasp", + "rsasha1-to-nsec3.kasp", + } + ) + + +def bootstrap(): + return { + "zones": ZONES, + } + + @pytest.fixture(scope="module", autouse=True) def after_servers_start(ns3, templates): # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig. @@ -41,8 +73,12 @@ def after_servers_start(ns3, templates): isctest.kasp.check_dnssec_verify(ns3, zone) # Reconfigure. - templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True}) - templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True}) + data = { + "reconfiged": True, + "zones": ZONES, + } + templates.render(f"{ns3.identifier}/named-fips.conf", data) + templates.render(f"{ns3.identifier}/named-rsasha1.conf", data) ns3.reconfigure() diff --git a/bin/tests/system/nsec3/tests_nsec3_reload.py b/bin/tests/system/nsec3/tests_nsec3_reload.py index 0e5dd0cfea..b3fb860288 100644 --- a/bin/tests/system/nsec3/tests_nsec3_reload.py +++ b/bin/tests/system/nsec3/tests_nsec3_reload.py 
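Review bot: The two commented-out entries in `ZONES` in tests_nsec3_reconfig.py (`# "nsec3-to-optout.kasp",` and `# "nsec3-from-optout.kasp",`) carry no explanation, so a reader cannot tell whether these zones are deliberately excluded from the reconfig test or were left over from debugging. Either delete the two lines or state the reason, for example `# opt-out zones are not exercised by this module` if that is the case. This hunk also uses `os.environ` without adding `import os`, whereas tests_nsec3_initial.py adds the import in the same commit; the import block lies outside the hunk, so confirm `os` is already imported there.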
@@ -26,6 +26,18 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3-fails-to-load.kasp", +} + + +def bootstrap(): + return { + "zones": ZONES, + } + + def test_nsec3_case(ns3): # Get test parameters. params = { diff --git a/bin/tests/system/nsec3/tests_nsec3_restart.py b/bin/tests/system/nsec3/tests_nsec3_restart.py index cae21f4413..e1e76c4f98 100644 --- a/bin/tests/system/nsec3/tests_nsec3_restart.py +++ b/bin/tests/system/nsec3/tests_nsec3_restart.py @@ -29,6 +29,19 @@ from nsec3.common import ( ) +# include the following zones when rendering named configs +ZONES = { + "nsec3.kasp", + "nsec3-other.kasp", +} + + +def bootstrap(): + return { + "zones": ZONES, + } + + def perform_nsec3_tests(server, params): # Get test parameters. zone = params["zone"]