Split up badkey tests into separate modules

If nsX.reconfigure() is used in a way that might affect other tests within the same module, it's best to split up the tests which need the reconfig to a separate module. This ensures the reconfigure() won't interfere with test results in case the tests are executed separately, or in a different order.
2026-05-28 04:34:54 -04:00 · 2025-07-10 15:21:05 +02:00 · 2025-07-10 15:21:05 +02:00 · b7a2061e5f
commit b7a2061e5f
parent e7bd28dbf8
4 changed files with 75 additions and 36 deletions
--- a/bin/tests/system/dnssec/ns9/named.conf.j2
+++ b/bin/tests/system/dnssec/ns9/named.conf.j2
@ -13,6 +13,8 @@

 // NS9

+{% set forward_badkey = forward_badkey | default(False) %}
+
 options {
 	query-source address 10.53.0.9;
 	notify-source 10.53.0.9;
@ -24,7 +26,6 @@ options {
 	recursion yes;
 	dnssec-validation yes;
 	forward only;
-{% set forward_badkey = forward_badkey | default(False) %}
 {% if forward_badkey %}
 	forwarders { 10.53.0.5; };
 {% else %}
--- a/bin/tests/system/dnssec/tests_badkey.py
+++ b/bin/tests/system/dnssec/tests_badkey.py
@ -87,38 +87,3 @@ def test_misconfigured_ta_with_cd(check, qname, qtype, rcode_func):
    res2 = isctest.query.tcp(msg, "10.53.0.4")
    isctest.check.noadflag(res2)
    isctest.check.same_answer(res, res2)
-
-
-def test_revoked_init(servers, templates):
-    # use a revoked key and try to reiniitialize; check for failure
-    ns5 = servers["ns5"]
-    templates.render("ns5/named.conf", {"revoked_key": True})
-    ns5.reconfigure(log=False)
-
-    msg = isctest.query.create(".", "SOA")
-    res = isctest.query.tcp(msg, "10.53.0.5")
-    isctest.check.servfail(res)
-
-
-def test_broken_forwarding(servers, templates):
-    # check forwarder CD behavior (forward server with bad trust anchor)
-    ns5 = servers["ns5"]
-    templates.render("ns5/named.conf", {"broken_key": True})
-    ns5.reconfigure(log=False)
-
-    ns9 = servers["ns9"]
-    templates.render("ns9/named.conf", {"forward_badkey": True})
-    ns9.reconfigure(log=False)
-
-    # confirm invalid trust anchor produces SERVFAIL in resolver
-    msg = isctest.query.create("a.secure.example.", "A")
-    res = isctest.query.tcp(msg, "10.53.0.5")
-    isctest.check.servfail(res)
-
-    # check that lookup involving forwarder succeeds and SERVFAIL was received
-    with ns9.watch_log_from_here() as watcher:
-        msg = isctest.query.create("a.secure.example.", "SOA")
-        res = isctest.query.tcp(msg, "10.53.0.9")
-        isctest.check.noerror(res)
-        assert (res.flags & flags.AD) != 0
-        watcher.wait_for_line("status: SERVFAIL")
--- a/bin/tests/system/dnssec/tests_badkey_broken.py
+++ b/bin/tests/system/dnssec/tests_badkey_broken.py
@ -0,0 +1,45 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from dns import flags
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(servers, templates):
+    ns5 = servers["ns5"]
+    templates.render("ns5/named.conf", {"broken_key": True})
+    ns5.reconfigure(log=False)
+
+    ns9 = servers["ns9"]
+    templates.render("ns9/named.conf", {"forward_badkey": True})
+    ns9.reconfigure(log=False)
+
+
+def test_broken_forwarding(servers):
+    # check forwarder CD behavior (forward server with bad trust anchor)
+    ns9 = servers["ns9"]
+
+    # confirm invalid trust anchor produces SERVFAIL in resolver
+    msg = isctest.query.create("a.secure.example.", "A")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.servfail(res)
+
+    # check that lookup involving forwarder succeeds and SERVFAIL was received
+    with ns9.watch_log_from_here() as watcher:
+        msg = isctest.query.create("a.secure.example.", "SOA")
+        res = isctest.query.tcp(msg, "10.53.0.9")
+        isctest.check.noerror(res)
+        assert (res.flags & flags.AD) != 0
+        watcher.wait_for_line("status: SERVFAIL")
--- a/bin/tests/system/dnssec/tests_badkey_revoked.py
+++ b/bin/tests/system/dnssec/tests_badkey_revoked.py
@ -0,0 +1,28 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import pytest
+
+import isctest
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(servers, templates):
+    ns5 = servers["ns5"]
+    templates.render("ns5/named.conf", {"revoked_key": True})
+    ns5.reconfigure(log=False)
+
+
+def test_revoked_init():
+    # use a revoked key and check for failure when using revoked key
+    msg = isctest.query.create(".", "SOA")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.servfail(res)