[9.20] chg: test: Match algorithms when checking signatures

In the ksr system test, the 'test_ksr_twotone' case may fail if there are two keys with the same keytag (but different algorithms), because one key is expected to be signing and the other is not. Switch to regular expression matching and include the algorithm in the search string. Closes #5017 Backport of MR !9701 Merge branch 'backport-5017-unexpected-match-ksr-twotone-again-9.20' into 'bind-9.20' See merge request isc-projects/bind9!9710
2026-05-28 04:34:54 -04:00 · 2024-11-01 14:51:01 +00:00 · 2024-11-01 14:51:01 +00:00 · ba2e8fe5f9
commit ba2e8fe5f9
parent b02f039d3a 9621369524
1 changed files with 11 additions and 7 deletions
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@ -345,37 +345,41 @@ def _check_signatures(signatures, covers, fqdn, keys):
        active = now >= activate
        retired = inactive is not None and inactive <= now
        signing = active and not retired
+        alg = key.get_metadata("Algorithm")
+        rtype = dns.rdatatype.to_text(covers)
+
+        expect = rf"IN RRSIG {rtype} {alg} (\d) (\d+) (\d+) (\d+) {key.tag} {fqdn}"

        if not signing:
            for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None
            continue

        if zrrsig and key.is_zsk():
            has_rrsig = False
            for rrsig in signatures:
-                if f" {key.tag} {fqdn}" in rrsig:
+                if re.search(expect, rrsig) is not None:
                    has_rrsig = True
                    break
-            assert has_rrsig
+            assert has_rrsig, f"Expected signature but not found: {expect}"
            numsigs += 1

        if zrrsig and not key.is_zsk():
            for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None

        if krrsig and key.is_ksk():
            has_rrsig = False
            for rrsig in signatures:
-                if f" {key.tag} {fqdn}" in rrsig:
+                if re.search(expect, rrsig) is not None:
                    has_rrsig = True
                    break
-            assert has_rrsig
+            assert has_rrsig, f"Expected signature but not found: {expect}"
            numsigs += 1

        if krrsig and not key.is_ksk():
            for rrsig in signatures:
-                assert f" {key.tag} {fqdn}" not in rrsig
+                assert re.search(expect, rrsig) is None

    return numsigs