Add kasp test case for root with checkds enabled

Add a test case where the root zone has dnssec-policy configured, with
checkds enabled. This is a silly case because the root does not have
any parent NS records, but it should not crash the server.

The same is true for zones that do not have parent NS records, but
eventually they will hit the same code path.

(cherry picked from commit 9e9af18e4a)

bin/tests/system/kasp/ns1/named.conf.j2

@@ -0,0 +1,21 @@
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+        allow-transfer { any; };
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+	dnssec-policy default;
+	checkds yes;
+};

bin/tests/system/kasp/ns1/root.db.j2

@@ -0,0 +1,10 @@
+$TTL 300
+.			IN SOA	. a.root.servers.nil. (
+				2000042100	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1

bin/tests/system/kasp/ns1/setup.sh

@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns1/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+O="OMNIPRESENT"
+
+zone="."
+echo_i "setting up zone: $zone"
+Tpub="now-30d"
+Tact="now-1d"
+keytimes="-P ${Tpub} -A ${Tact}"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $Tpub -r $O $Tpub -d $H $Tact -z $O $Tpub "$CSK" >settime.out.$zone.1 2>&1
+echo "KSK: yes" >>"${CSK}".state
+echo "ZSK: yes" >>"${CSK}".state

bin/tests/system/kasp/setup.sh

@@ -20,6 +20,10 @@ mkdir keys
 mkdir ns3/keys
 
 # Setup zones
+(
+  cd ns1
+  $SHELL setup.sh
+)
 (
   cd ns2
   $SHELL setup.sh

bin/tests/system/kasp/tests_kasp.py

@@ -80,6 +80,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns*/signer.out.*",
         "ns*/zones",
         "ns*/policies/*.conf",
+        "ns1/managed-keys.*",
         "ns3/legacy-keys.*",
         "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
         "ns4/purgekeys.conf",
@@ -87,6 +88,18 @@ pytestmark = pytest.mark.extra_artifacts(
     ]
 )
 
+default_config = {
+    "dnskey-ttl": timedelta(hours=1),
+    "ds-ttl": timedelta(days=1),
+    "max-zone-ttl": timedelta(days=1),
+    "parent-propagation-delay": timedelta(hours=1),
+    "publish-safety": timedelta(hours=1),
+    "purge-keys": timedelta(days=90),
+    "retire-safety": timedelta(hours=1),
+    "signatures-refresh": timedelta(days=5),
+    "signatures-validity": timedelta(days=14),
+    "zone-propagation-delay": timedelta(minutes=5),
+}
 
 kasp_config = {
     "dnskey-ttl": timedelta(seconds=1234),
@@ -1768,3 +1781,28 @@ def test_kasp_manual_mode(ns3, default_algorithm):
     isctest.kasp.check_keys(zone, keys, expected)
     check_all(ns3, zone, policy, ksks, zsks, manual_mode=True)
     isctest.kasp.check_dnssec_verify(ns3, zone)
+
+
+def test_root_case(ns1):
+    keydir = ns1.identifier
+
+    # Get test parameters.
+    zone = ""
+    policy = "default"
+    ttl = 3600
+
+    isctest.kasp.wait_keymgr_done(ns1, ".")
+
+    # Test case.
+    isctest.log.info(f"check root zone with policy {policy}")
+
+    # First make sure the zone is signed.
+    isctest.kasp.check_dnssec_verify(ns1, zone)
+
+    # Check key properties. DS is expected to go to rumoured, so checkds kicks in.
+    keyprops = [
+        "csk 0 13 256 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured",
+    ]
+    expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=keyprops)
+    keys = isctest.kasp.keydir_to_keylist(zone, keydir)
+    isctest.kasp.check_keys(zone, keys, expected)