Improve check_auth_nsec3 salt checking

Since we know the salt after checking the NSEC3PARAM, we might as well check the NSEC3 records on the NXDOMAIN response that the salt matches. (cherry picked from commit ba1ffe56e4)
2026-06-10 19:50:00 -04:00 · 2025-09-30 12:33:14 +02:00 · 2025-09-30 12:33:14 +02:00 · 9ee45e9817
commit 9ee45e9817
parent 54fbbc109a
2 changed files with 8 additions and 9 deletions
--- a/bin/tests/system/nsec3/common.py
+++ b/bin/tests/system/nsec3/common.py
@ -66,18 +66,13 @@ def check_auth_nsec(response):
    assert len(rrs) != 0, "no NSEC records found in authority section"


-def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
-    match = f"IN NSEC3 1 {optout} {iterations}"
+def check_auth_nsec3(response, iterations=0, optout=0, salt="-"):
+    match = f"IN NSEC3 1 {optout} {iterations} {salt}"
    rrs = []

    for rrset in response.authority:
        if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3, dns.rdatatype.NONE):
            assert match in rrset.to_text()
-            if saltlen == 0:
-                assert f"{match} -" in rrset.to_text()
-            else:
-                assert not f"{match} -" in rrset.to_text()
-
            rrs.append(rrset)
        assert not rrset.match(
            dns.rdataclass.IN, dns.rdatatype.NSEC, dns.rdatatype.NONE
@ -88,6 +83,7 @@ def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):

 def check_nsec3param(response, match, saltlen):
    rrs = []
+    salt = "-"

    for rrset in response.answer:
        if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3PARAM, dns.rdatatype.NONE):
@ -96,6 +92,7 @@ def check_nsec3param(response, match, saltlen):
                assert f"{match} -" in rrset.to_text()
            else:
                assert not f"{match} -" in rrset.to_text()
+                salt = rrset.to_text().split()[7]

            rrs.append(rrset)
        else:
@ -104,3 +101,5 @@ def check_nsec3param(response, match, saltlen):
            )

    assert len(rrs) != 0
+
+    return salt
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@ -343,12 +343,12 @@ def test_nsec3_case(ns3, params):
    response = isctest.query.tcp(query, ns3.ip)
    assert response.rcode() == dns.rcode.NOERROR

-    check_nsec3param(response, match, saltlen)
+    salt = check_nsec3param(response, match, saltlen)

    query = isctest.query.create(f"nosuchname.{fqdn}", dns.rdatatype.A)
    response = isctest.query.tcp(query, ns3.ip)
    assert response.rcode() == dns.rcode.NXDOMAIN
-    check_auth_nsec3(response, iterations, optout, saltlen)
+    check_auth_nsec3(response, iterations, optout, salt)

    # Extra test for nsec3-change.kasp.
    if zone == "nsec3-change.kasp":