Add some NSEC3 optout tests

Make sure that just changing the optout value recreates the chain.

bin/tests/system/nsec3/ns3/named.conf.in

@@ -20,6 +20,10 @@ dnssec-policy "nsec3" {
 	nsec3param;
 };
 
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
 dnssec-policy "nsec3-other" {
 	nsec3param iterations 11 optout yes salt "deadbeef";
 };
@@ -73,6 +77,20 @@ zone "nsec3-change.kasp" {
 	dnssec-policy "nsec3";
 };
 
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	dnssec-policy "optout";
+};
+
 /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
 zone "nsec3-to-nsec.kasp" {
 	type primary;

bin/tests/system/nsec3/ns3/named2.conf.in

@@ -20,6 +20,10 @@ dnssec-policy "nsec3" {
 	nsec3param;
 };
 
+dnssec-policy "optout" {
+	nsec3param optout yes;
+};
+
 dnssec-policy "nsec3-other" {
 	nsec3param iterations 11 optout yes salt "deadbeef";
 };
@@ -75,6 +79,22 @@ zone "nsec3-change.kasp" {
 	dnssec-policy "nsec3-other";
 };
 
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+	type primary;
+	file "nsec3-to-optout.kasp.db";
+	//dnssec-policy "nsec3";
+	dnssec-policy "optout";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+	type primary;
+	file "nsec3-from-optout.kasp.db";
+	//dnssec-policy "optout";
+	dnssec-policy "nsec3";
+};
+
 /* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
 zone "nsec3-to-nsec.kasp" {
 	type primary;

bin/tests/system/nsec3/ns3/setup.sh

@@ -22,7 +22,8 @@ setup() {
 	cp template.db.in "$zonefile"
 }
 
-for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
+	  nsec3-to-optout nsec3-from-optout
 do
 	setup "${zn}.kasp"
 done

bin/tests/system/nsec3/tests.sh

@@ -184,6 +184,19 @@ echo_i "initial check zone ${ZONE}"
 check_nsec3
 dnssec_verify
 
+# Zone: nsec3-to-optout.kasp.
+set_zone_policy "nsec3-to-optout.kasp" "nsec3"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp.
+set_zone_policy "nsec3-from-optout.kasp" "optout"
+set_nsec3param "1" "5" "-"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-other.kasp.
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
 set_nsec3param "1" "11" "DEADBEEF"
@@ -224,6 +237,20 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec
 dnssec_verify
 
+# Zone: nsec3-to-optout.kasp. (reconfigured)
+set_zone_policy "nsec3-to-optout.kasp" "optout"
+set_nsec3param "1" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
+# Zone: nsec3-from-optout.kasp. (reconfigured)
+set_zone_policy "nsec3-from-optout.kasp" "nsec3"
+set_nsec3param "0" "5" "-"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+dnssec_verify
+
 # Zone: nsec3-other.kasp. (same)
 set_zone_policy "nsec3-other.kasp" "nsec3-other"
 set_nsec3param "1" "11" "DEADBEEF"
@@ -231,7 +258,7 @@ echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 dnssec_verify
 
-# Using rndc signing -nsec3param
+# Using rndc signing -nsec3param (should fail)
 set_zone_policy "nsec3-change.kasp" "nsec3-other"
 echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
 rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
@@ -241,4 +268,3 @@ dnssec_verify
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
-