From 9ee45e9817dd7f608ff46e94dcd14fb750b22d41 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 30 Sep 2025 12:33:14 +0200
Subject: [PATCH] Improve check_auth_nsec3 salt checking
Since we know the salt after checking the NSEC3PARAM, we might as well check the NSEC3 records on the NXDOMAIN response that the salt matches.
(cherry picked from commit ba1ffe56e4f7ab6a4a7714c6551df9f6e42b87cb)
---
 bin/tests/system/nsec3/common.py | 13 ++++++-------
 bin/tests/system/nsec3/tests_nsec3_initial.py | 4 ++--
 2 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/bin/tests/system/nsec3/common.py b/bin/tests/system/nsec3/common.py
index 78c7aabe8f..12a176fea5 100644
--- a/bin/tests/system/nsec3/common.py
+++ b/bin/tests/system/nsec3/common.py
@@ -66,18 +66,13 @@ def check_auth_nsec(response):
 assert len(rrs) != 0, "no NSEC records found in authority section"
-def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
- match = f"IN NSEC3 1 {optout} {iterations}"
+def check_auth_nsec3(response, iterations=0, optout=0, salt="-"):
+ match = f"IN NSEC3 1 {optout} {iterations} {salt}"
 rrs = []
 for rrset in response.authority:
 if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3, dns.rdatatype.NONE):
 assert match in rrset.to_text()
- if saltlen == 0:
- assert f"{match} -" in rrset.to_text()
- else:
- assert not f"{match} -" in rrset.to_text()
-
 rrs.append(rrset)
 assert not rrset.match( dns.rdataclass.IN, dns.rdatatype.NSEC, dns.rdatatype.NONE
@@ -88,6 +83,7 @@ def check_auth_nsec3(response, iterations=0, optout=0, saltlen=0):
 def check_nsec3param(response, match, saltlen):
 rrs = []
+ salt = "-"
 for rrset in response.answer:
 if rrset.match(dns.rdataclass.IN, dns.rdatatype.NSEC3PARAM, dns.rdatatype.NONE):
@@ -96,6 +92,7 @@ def check_nsec3param(response, match, saltlen):
 assert f"{match} -" in rrset.to_text()
 else:
 assert not f"{match} -" in rrset.to_text()
+ salt = rrset.to_text().split()[7]
 rrs.append(rrset)
 else: 
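Review bot: The new `match` on the `+    match = f"IN NSEC3 1 {optout} {iterations} {salt}"` line is still applied with a bare substring test (`assert match in rrset.to_text()`), so a salt that is a prefix of the record's real salt (constructed example: expecting `AB`, record has `ABCD`) passes. Appending the salt already closes the analogous hole the old string had on iterations (`1` matching `10`), but the last field is now the salt and it has no terminator; the removed `f"{match} -"` variant only had one for the empty-salt case. Since the NSEC3 presentation text always places the next hashed owner after the salt, adding the field separator finishes the job: `match = f"IN NSEC3 1 {optout} {iterations} {salt} "`. The body of check_auth_nsec3 continues outside the hunk.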
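Review bot: check_nsec3param now produces a value, but its `def check_nsec3param(response, match, saltlen):` line in this hunk still has no docstring, so a caller has to read the whole body to learn that the result is the salt as NSEC3PARAM presentation text. A one-line docstring under the signature would do: `"""Assert the answer holds NSEC3PARAM matching *match*/*saltlen*; return its salt text ("-" when empty)."""`. The `+    salt = "-"` initialiser added here is only replaced in the non-empty branch of a later hunk, which is worth stating in that docstring. The function's loop and return lie in the following hunks.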
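Review bot: `+            salt = rrset.to_text().split()[7]` depends on the fixed layout of the rrset presentation text without saying so, and if the rrset ever held more than one rdata, `to_text()` would span several lines and `[7]` would silently read only the first. A comment on that line makes the index checkable: `# NSEC3PARAM text: <owner> <ttl> IN NSEC3PARAM <alg> <flags> <iters> <salt>`. Because this assignment only runs in the `saltlen != 0` branch and the salt is printed as hex, it is also the natural place to tighten the existing "not `-`" check, presumably `assert len(salt) == 2 * saltlen` if `saltlen` counts octets — confirm against the callers before adding it. The enclosing loop starts in the previous hunk and the function ends in the next one.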
@@ -104,3 +101,5 @@ def check_nsec3param(response, match, saltlen):
 )
 assert len(rrs) != 0
+
+ return salt
diff --git a/bin/tests/system/nsec3/tests_nsec3_initial.py b/bin/tests/system/nsec3/tests_nsec3_initial.py
index 25a3070435..6f5cfcdafc 100644
--- a/bin/tests/system/nsec3/tests_nsec3_initial.py
+++ b/bin/tests/system/nsec3/tests_nsec3_initial.py
@@ -343,12 +343,12 @@ def test_nsec3_case(ns3, params):
 response = isctest.query.tcp(query, ns3.ip)
 assert response.rcode() == dns.rcode.NOERROR
- check_nsec3param(response, match, saltlen)
+ salt = check_nsec3param(response, match, saltlen)
 query = isctest.query.create(f"nosuchname.{fqdn}", dns.rdatatype.A)
 response = isctest.query.tcp(query, ns3.ip)
 assert response.rcode() == dns.rcode.NXDOMAIN
- check_auth_nsec3(response, iterations, optout, saltlen)
+ check_auth_nsec3(response, iterations, optout, salt)
 # Extra test for nsec3-change.kasp.
 if zone == "nsec3-change.kasp":