Add kasp test zone with uppercase characters

The test ensures that such zone is signed correctly. In addition, test that the next owner name field of the NSEC record is lowercased.
2026-06-11 07:09:59 -04:00 · 2026-01-09 11:32:43 +01:00 · 2026-01-09 11:32:43 +01:00 · bcb65f52f2
commit bcb65f52f2
parent 24aa490a9b
5 changed files with 83 additions and 6 deletions
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@ -952,6 +952,8 @@ def _check_signatures(
        zrrsig = False
    krrsig = not zrrsig

+    signer = fqdn.lower()
+
    for key in keys:
        if key.external:
            continue
@ -963,7 +965,7 @@ def _check_signatures(
        alg = key.get_dnsalg()
        rtype = dns.rdatatype.to_text(covers)

-        expect = rf"IN RRSIG {rtype} {alg} (\d) (\d+) (\d+) (\d+) {key.tag} {fqdn}"
+        expect = rf"IN RRSIG {rtype} {alg} (\d) (\d+) (\d+) (\d+) {key.tag} {signer}"

        if zrrsig and zsigning:
            has_rrsig = False
@ -1572,17 +1574,18 @@ def keydir_to_keylist(
    """
    if zone is None:
        zone = ""
+    zname = zone.lower()

    all_keys = []
    if keydir is None:
-        regex = rf"(K{zone}\.\+.*\+.*)\.key"
-        for filename in glob.glob(f"K{zone}.+*+*.key"):
+        regex = rf"(K{zname}\.\+.*\+.*)\.key"
+        for filename in glob.glob(f"K{zname}.+*+*.key"):
            match = re.match(regex, filename)
            if match is not None:
                all_keys.append(Key(match.group(1)))
    else:
-        regex = rf"{keydir}/(K{zone}\.\+.*\+.*)\.key"
-        for filename in glob.glob(f"{keydir}/K{zone}.+*+*.key"):
+        regex = rf"{keydir}/(K{zname}\.\+.*\+.*)\.key"
+        for filename in glob.glob(f"{keydir}/K{zname}.+*+*.key"):
            match = re.match(regex, filename)
            if match is not None:
                all_keys.append(Key(match.group(1), keydir))
--- a/bin/tests/system/kasp/ns3/named-fips.conf.j2
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.j2
@ -20,6 +20,13 @@ zone "default.kasp" {
 	dnssec-policy "default";
 };

+/* The UPPER case: a zone with uppercase characters. */
+zone "UPPER.KASP" {
+	type primary;
+	file "upper.kasp.db";
+	dnssec-policy "default";
+};
+
 /* A zone with special characters. */
 zone {% raw %}"i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."{% endraw %} {
        type primary;
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@ -56,12 +56,16 @@ for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
 done

 #
-# Setup special zone
+# Setup special zones
 #
 zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
 echo_i "setting up zone: $zone"
 cp template.db.in "i-am.special.kasp.db"

+zone="UPPER.KASP."
+echo_i "setting up zone: $zone"
+cp upper.kasp.db.in "upper.kasp.db"
+
 #
 # Set up RSASHA1 based zones
 #
--- a/bin/tests/system/kasp/ns3/upper.kasp.db.in
+++ b/bin/tests/system/kasp/ns3/upper.kasp.db.in
@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+UPPER.KASP.	IN	SOA  MNAME1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@ -936,6 +936,42 @@ def test_kasp_default(ns3):
    check_all(ns3, zone, policy, keys, [])


+def test_kasp_uppercase(ns3):
+    # check the zone with uppercase characters is loaded and signed.
+    isctest.log.info("check a zone with upper case characters is signed")
+    zone = "UPPER.KASP"
+    policy = "default"
+
+    isctest.kasp.wait_keymgr_done(ns3, zone)
+
+    # Key properties.
+    # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
+    keyprops = [
+        "csk 0 13 256 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+    ]
+    expected = isctest.kasp.policy_to_properties(ttl=3600, keys=keyprops)
+    keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
+    isctest.kasp.check_dnssec_verify(ns3, zone)
+    isctest.kasp.check_keys(zone, keys, expected)
+    set_keytimes_default_policy(expected[0])
+    isctest.kasp.check_keytimes(keys, expected)
+    check_all(ns3, zone, policy, keys, [])
+
+    fqdn = f"{zone}."
+    query = isctest.query.create(fqdn, dns.rdatatype.NSEC)
+    response = isctest.query.tcp(query, ns3.ip)
+    assert response.rcode() == dns.rcode.NOERROR
+
+    nsec = response.get_rrset(
+        response.answer,
+        dns.name.from_text(fqdn),
+        dns.rdataclass.IN,
+        dns.rdatatype.NSEC,
+    )
+    nextname = nsec[0].next
+    assert str(nextname) == "a.upper.kasp."
+
+
 def test_kasp_dynamic(ns3):
    # Standard dynamic zone.
    isctest.log.info("check dynamic zone is updated and signed after update")