Add NSEC3 excessive iterations test to dnssec_py

Rewrite nsec3_delegation/tests_excessive_nsec3_iterations.py as
dnssec_py/tests_nsec3_iter_too_many.py using the isctest.zone helpers.

The test is a reproducer for CVE-2026-1519 [GL#5708]. It sets up a
delegation from nsec3-iter-too-many. (ns2) to an unsigned sub zone
(ns3), signing the parent with NSEC3 at 51 iterations. A validating
resolver (ns9) must use NSEC3 to prove the sub zone is insecure; the
excessive iteration count is logged as a warning. The test verifies that
the query still resolves successfully (insecure, not SERVFAIL) despite
the high iteration count.

Assisted-by: Claude:claude-opus-4-8

bin/tests/system/dnssec_py/tests_nsec3_iter_too_many.py

@@ -0,0 +1,52 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from re import compile as Re
+
+from dnssec_py.common import DNSSEC_PY_MARK
+from isctest.template import NS2, NS3, zones
+from isctest.zone import Zone, configure_root
+
+import isctest
+
+pytestmark = DNSSEC_PY_MARK
+
+
+def bootstrap():
+    sub = Zone("sub.nsec3-iter-too-many", NS3, signed=False)
+    sub.configure()
+
+    parent = Zone("nsec3-iter-too-many", NS2, signed=True)
+    parent.delegations = [sub]
+    parent.configure(sign_params="-3 A1B2C3D4 -H too-many -H 51")
+
+    root = configure_root([parent])
+
+    return {
+        "trust_anchors": root.trust_anchors(),
+        "zones": zones([root, parent, sub]),
+    }
+
+
+def test_excessive_nsec3_iterations_delegation(ns9):
+    # reproducer for CVE-2026-1519 [GL#5708]
+    zone = "a.sub.nsec3-iter-too-many"
+    msg = isctest.query.create(zone, "A")
+    res = isctest.query.tcp(msg, ns9.ip)
+
+    # an insecure response is expected regardless of the NSEC3 iteration limit,
+    # because the sub.nsec3-iter-too-many. zone is unsigned. the real
+    # difference is in the CPU usage required for generating such response, but
+    # that can't be easily and reliably tested in an automated fashion
+    isctest.check.noerror(res)
+
+    with ns9.watch_log_from_start() as watcher:
+        watcher.wait_for_line(Re(f"validating {zone}/A:.*too many iterations"))

bin/tests/system/nsec3_delegation/ns1/named.conf.j2

@@ -1,22 +0,0 @@
-options {
-	query-source address 10.53.0.1;
-	notify-source 10.53.0.1;
-	transfer-source 10.53.0.1;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.1; };
-	listen-on-v6 { none; };
-	recursion no;
-	dnssec-validation no;
-};
-
-controls {
-	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-include "../../_common/rndc.key";
-
-zone "." {
-	type primary;
-	file "root.db";
-};

bin/tests/system/nsec3_delegation/ns1/root.db

@@ -1,14 +0,0 @@
-$TTL 300
-.			IN SOA	. . (
-				2025063000	; serial
-				600		; refresh
-				600		; retry
-				1200		; expire
-				600		; minimum
-				)
-.			NS	a.root-servers.nil.
-
-a.root-servers.nil	A	10.53.0.1
-
-iter-too-many.		NS	ns2.iter-too-many.
-ns2.iter-too-many.	A	10.53.0.2

bin/tests/system/nsec3_delegation/ns2/iter-too-many.db.j2.manual

@@ -1,20 +0,0 @@
-{% raw %}
-$TTL 300
-@			IN SOA	ns2.iter-too-many. hostmaster.iter-too-many. (
-				2026020300	; serial
-				20		; refresh (20 seconds)
-				20		; retry (20 seconds)
-				1814400		; expire (3 weeks)
-				3600		; minimum (1 hour)
-)
-
-@	IN	NS	ns2.iter-too-many.
-ns2	IN	A	10.53.0.2
-
-sub	IN	NS	ns2.sub.iter-too-many.
-ns2.sub	IN	A	10.53.0.2
-{% endraw %}
-
-{% for dnskey in dnskeys %}
-@dnskey@
-{% endfor %}

bin/tests/system/nsec3_delegation/ns2/named.conf.j2

@@ -1,27 +0,0 @@
-options {
-	query-source address 10.53.0.2;
-	notify-source 10.53.0.2;
-	transfer-source 10.53.0.2;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.2; };
-	listen-on-v6 { none; };
-	recursion no;
-	dnssec-validation no;
-};
-
-controls {
-	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-include "../../_common/rndc.key";
-
-zone "iter-too-many" {
-	type primary;
-	file "iter-too-many.signed.db";
-};
-
-zone "sub.iter-too-many" {
-	type primary;
-	file "sub.iter-too-many.db";
-};

bin/tests/system/nsec3_delegation/ns2/sub.iter-too-many.db

@@ -1,13 +0,0 @@
-$TTL 300
-@			IN SOA	ns2.sub.iter-too-many. hostmaster.sub.iter-too-many. (
-				2026020300	; serial
-				20		; refresh (20 seconds)
-				20		; retry (20 seconds)
-				1814400		; expire (3 weeks)
-				3600		; minimum (1 hour)
-)
-
-@	IN	NS	ns2.sub.iter-too-many.
-ns2	IN	A	10.53.0.2
-
-example	IN	A	127.0.0.1

bin/tests/system/nsec3_delegation/ns3/named.conf.j2

@@ -1,24 +0,0 @@
-options {
-	query-source address 10.53.0.3;
-	notify-source 10.53.0.3;
-	transfer-source 10.53.0.3;
-	port @PORT@;
-	pid-file "named.pid";
-	listen-on { 10.53.0.3; };
-	listen-on-v6 { none; };
-	recursion yes;
-	dnssec-validation yes;
-};
-
-controls {
-	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-include "../../_common/rndc.key";
-
-zone "." {
-	type hint;
-	file "../../_common/root.hint";
-};
-
-include "trusted.conf";

bin/tests/system/nsec3_delegation/ns3/trusted.conf.j2

@@ -1 +0,0 @@
-../../_common/trusted.conf.j2

bin/tests/system/nsec3_delegation/tests_excessive_nsec3_iterations.py

@@ -1,61 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-from isctest.run import EnvCmd
-
-import isctest
-
-
-def bootstrap():
-    templates = isctest.template.TemplateEngine(".")
-    keygen = EnvCmd("KEYGEN", "-a ECDSA256")
-    signer = EnvCmd("SIGNER")
-
-    isctest.log.info("setup iter-too-many.")
-    zonename = "iter-too-many."
-    ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").out.strip()
-    zsk_name = keygen(f"{zonename}", cwd="ns2").out.strip()
-    ksk = isctest.kasp.Key(ksk_name, keydir="ns2")
-    zsk = isctest.kasp.Key(zsk_name, keydir="ns2")
-    dnskeys = [ksk.dnskey, zsk.dnskey]
-
-    tdata = {
-        "dnskeys": dnskeys,
-    }
-    templates.render(f"ns2/{zonename}db", tdata, template=f"ns2/{zonename}db.j2.manual")
-    signer(
-        f"-P -o {zonename} -f {zonename}signed.db -3 A1B2C3D4 -H too-many -H 51 -S {zonename}db",
-        cwd="ns2",
-    )
-
-    return {
-        "trust_anchors": [
-            ksk.into_ta("static-key"),
-        ],
-    }
-
-
-def test_excessive_nsec3_iterations_delegation(ns3):
-    # reproducer for CVE-2026-1519 [GL#5708]
-    zone = "example.sub.iter-too-many"
-    msg = isctest.query.create(zone, "A")
-    res = isctest.query.tcp(msg, ns3.ip)
-
-    # an insecure response is expected regardless of the NSEC3 iteration limit,
-    # because the sub.iter-too-many. zone is unsigned. the real difference is
-    # in the CPU usage required for generating such response, but that can't be
-    # easily and reliably tested in an automated fashion
-    isctest.check.noerror(res)
-
-    with ns3.watch_log_from_start() as watcher:
-        watcher.wait_for_line(
-            f"validating {zone}/A: validator_callback_ds: too many iterations"
-        )