Update checkds system test

Make the checkds system test more structured with the many more test
cases to come. Add a README for clarity.

Update the 'has_signed_apex_nsec' helper function so it can take any
domain name regardless of the number of labels.

Change the DNS tree structure such that we have different TLD names
for the various test scenarios, because we need servers that respond
differently to DS queries. Note that this isn't applicable to the
existing "checkds explicit" test cases, but is preparation work for
testing "checkds yes" (automatic parental agents).

Add a trust-anchor to the server that will be querying for parent
NS records.

bin/tests/system/checkds/README

@@ -14,6 +14,7 @@ The test setup for the checkds tests.
 These servers are parent servers:
 - ns2 is a primary authoritative server that serves the parent zone for zones
   configured in ns9.
+- ns3 is a resolver that can be configured as a parental agent.
 - ns4 is the secondary server for ns2.
 - ns5 is a primary authoritative server that serves the parent zone for zones
   configured in ns9, but this one does not publish DS records (to test cases
@@ -24,3 +25,65 @@ These servers are parent servers:
 
 Finally, ns9 is the authoritative server for the various DNSSEC enabled test
 domains.
+
+We need multiple test cases for testing the "checkds" functionality. Basically,
+the behavior of "checkds" is of importance in three cases:
+
+1. Enabling DNSSEC
+2. KSK rollover
+3. Going insecure
+
+All these three cases involve publishing DS records into the parent, and
+withdrawing them. The named instance is responsible for checking that the
+relevant DS records are published or removed from the parent zone. Therefor,
+it needs to know what the parental agents are (the servers that it can send
+the DS queries to).
+
+Then there are two ways of retrieving parental agents, either through explicit
+configuration ("checkds explicit;"), or through discovery ("checkds yes;"). In
+the latter case, the parental agents are retrieved by querying for the parent NS
+RRset.
+
+The third value is "checkds no;", which disables the feature.
+
+Depending on the DS publication status, the DS state of the key needs to be
+updated. In case of DS publication, the "DSPublish" state should be set, only
+if all parental agents have the relevant DS published. In case of DS withdrawal,
+the "DSRemoved" state should be set, only if none of the parental agents have
+the relevant DS in their zone.
+
+Regardless of how parental agents are retrieved, we identify the following test
+cases:
+
+1.	Enabling DNSSEC
+
+1.1.	- With one parental agent
+1.1.1.	  - DS is correctly published in the parent:		DSPublish
+1.1.2.	  - DS is not (yet) published in the parent:		!DSPublish
+1.1.3.	  - The parental agent is badly configured:		!DSPublish
+1.1.4.	  - DS is published, but has bogus signature:		!DSPublish
+
+1.2.	- With multiple parental agents
+1.2.1.	  - DS is correctly published in all parents:		DSPublish
+1.2.2.	  - DS is not (yet) published in some parents:		!DSPublish
+1.2.3.	  - One parental agent is badly configured:		!DSPublish
+1.2.4.	  - DS is completely published, bogus signature:	!DSPublish
+
+2.	Going insecure
+
+2.1.	- With one parental agent
+2.1.1.	  - DS is correctly withdrawn from the parent:		DSRemoved
+2.1.2.	  - DS is (still) published in the parent:		!DSRemoved
+2.1.3.	  - The parental agent is badly configured:		!DSRemoved
+2.1.4.	  - DS is withdrawn, but has bogus signature:		!DSRemoved
+
+2.2.	- With multiple parental agents
+2.2.1.	  - DS is correctly withdrawn from all parents:		DSRemoved
+2.2.2.	  - DS is not (yet) withdrawn from some parents:	!DSRemoved
+2.2.3.	  - One parental agent is badly configured:		!DSRemoved
+2.2.4.	  - DS is removed completely, bogus signature:		!DSRemoved
+
+We deliberately don't test the "KSK Rollover" case in this system test as this
+can be considered as the same as "Enabling DNSSEC" for one key and
+"Going insecure" for another case. In other words, it is covered by the two
+other scenarios (although we might still add the test cases in the future).

bin/tests/system/checkds/clean.sh

@@ -17,6 +17,7 @@ rm -f dig.out*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/*.keyname
 rm -f ns*/dsset-*
 rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile
 rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
@@ -24,4 +25,4 @@ rm -f ns*/managed-keys.bind*
 rm -f ns*/trusted.conf
 rm -f ns*/*.mkeys
 rm -f ns*/zones
-rm -f *.checkds.out
+rm -f ./*.out

bin/tests/system/checkds/ns1/root.db.in

@@ -20,5 +20,49 @@ $TTL 300
 .			NS	a.root-servers.nil.
 a.root-servers.nil.	A	10.53.0.1
 
-checkds.		NS	ns2.checkds.
-ns2.checkds.		A	10.53.0.2
+ns2.			NS	ns2.ns2.
+ns2.ns2.		A	10.53.0.2
+
+ns2-4.			NS	ns2.ns2-4.
+ns2-4.			NS	ns4.ns2-4.
+ns2.ns2-4.		A	10.53.0.2
+ns4.ns2-4.		A	10.53.0.4
+
+ns2-4-5.		NS	ns2.ns2-4-5.
+ns2-4-5.		NS	ns4.ns2-4-5.
+ns2-4-5.		NS	ns5.ns2-4-5.
+ns2.ns2-4-5.		A	10.53.0.2
+ns4.ns2-4-5.		A	10.53.0.4
+ns5.ns2-4-5.		A	10.53.0.5
+
+ns2-4-6.		NS	ns2.ns2-4-6.
+ns2-4-6.		NS	ns4.ns2-4-6.
+ns2-4-6.		NS	ns6.ns2-4-6.
+ns2.ns2-4-6.		A	10.53.0.2
+ns4.ns2-4-6.		A	10.53.0.4
+ns6.ns2-4-6.		A	10.53.0.6
+
+ns2-5-7.		NS	ns2.ns2-5-7.
+ns2-5-7.		NS	ns5.ns2-5-7.
+ns2-5-7.		NS	ns7.ns2-5-7.
+ns2.ns2-5-7.		A	10.53.0.2
+ns5.ns2-5-7.		A	10.53.0.5
+ns7.ns2-5-7.		A	10.53.0.7
+
+ns5.			NS	ns5.ns5.
+ns5.ns5.		A	10.53.0.5
+
+ns5-6-7.		NS	ns5.ns5-6-7.
+ns5-6-7.		NS	ns6.ns5-6-7.
+ns5-6-7.		NS	ns7.ns5-6-7.
+ns5.ns5-6-7.		A	10.53.0.5
+ns6.ns5-6-7.		A	10.53.0.6
+ns7.ns5-6-7.		A	10.53.0.7
+
+ns5-7.			NS	ns5.ns5-7.
+ns5-7.			NS	ns7.ns5-7.
+ns5.ns5-7.		A	10.53.0.5
+ns7.ns5-7.		A	10.53.0.7
+
+ns6.			NS	ns6.ns6.
+ns6.ns6.		A	10.53.0.6

bin/tests/system/checkds/ns1/setup.sh

@@ -22,8 +22,6 @@ zonefile=root.db
 
 echo_i "ns1/setup.sh"
 
-cp "../ns2/dsset-checkds." .
-
 ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cp "$ksk.key" "../ns10/"
@@ -44,3 +42,4 @@ cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
 keyfile_to_static_ds "$ksk" > trusted.conf
 cp trusted.conf ../ns3/trusted.conf
 cp trusted.conf ../ns8/trusted.conf
+cp trusted.conf ../ns9/trusted.conf

bin/tests/system/checkds/ns2/named.conf.in

@@ -39,8 +39,83 @@ zone "." {
 	file "../../common/root.hint";
 };
 
-zone "checkds" {
+zone "ns2" {
 	type primary;
+	allow-update { any; };
 	allow-transfer { 10.53.0.2; 10.53.0.4; };
-	file "checkds.db";
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns2.db";
+};
+
+zone "ns2-4" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns2-5-7.db";
+};
+
+zone "ns5" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns5.db";
+};
+
+zone "ns5-6-7" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns5-7.db";
+};
+
+zone "ns6" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.2; 10.53.0.4; };
+	also-notify { 10.53.0.4; };
+	dnssec-policy default;
+	file "ns6.db";
 };

bin/tests/system/checkds/ns2/ns2-4-5.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns4
+				NS	ns5
+ns2				A	10.53.0.2
+ns4				A	10.53.0.4
+ns5				A	10.53.0.5
+
+$ORIGIN explicit.dspublish.ns2-4-5.
+incomplete			NS	ns9.incomplete
+ns9.imcomplete			A	10.53.0.9

bin/tests/system/checkds/ns2/ns2-4-6.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns4
+				NS	ns6
+ns2				A	10.53.0.2
+ns4				A	10.53.0.4
+ns6				A	10.53.0.6
+
+$ORIGIN explicit.dspublish.ns2-4-6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9

bin/tests/system/checkds/ns2/ns2-4.db.in

@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns4
+ns2				A	10.53.0.2
+ns4				A	10.53.0.4
+
+$ORIGIN explicit.dspublish.ns2-4.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9

bin/tests/system/checkds/ns2/ns2-5-7.db.in

@@ -0,0 +1,30 @@
+	; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns5
+				NS	ns7
+ns2				A	10.53.0.2
+ns5				A	10.53.0.5
+ns7				A	10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns2-5-7.
+incomplete			NS	ns9.incomplete
+ns9.incomplete			A	10.53.0.9

bin/tests/system/checkds/ns2/ns2.db.in

@@ -21,19 +21,14 @@ $TTL 300
 				NS	ns2
 ns2				A	10.53.0.2
 
-dspublished			NS	ns9.dspublished
+$ORIGIN explicit.dspublish.ns2.
+good				NS	ns9.good
 reference			NS	ns9.reference
-missing-dspublished		NS	ns9.missing-dspublished
-bad-dspublished			NS	ns9.bad-dspublished
-multiple-dspublished		NS	ns9.multiple-dspublished
-incomplete-dspublished		NS	ns9.incomplete-dspublished
-bad2-dspublished		NS	ns9.bad2-dspublished
-resolver-dspublished		NS	ns9.resolver-dspublished
+resolver			NS	ns9.resolver
+ns9.good			A	10.53.0.9
+ns9.reference			A	10.53.0.9
+ns9.resolver			A	10.53.0.9
 
-dswithdrawn			NS	ns9.dswithdrawn
-missing-dswithdrawn		NS	ns9.missing-dswithdrawn
-bad-dswithdrawn			NS	ns9.bad-dswithdrawn
-multiple-dswithdrawn		NS	ns9.multiple-dswithdrawn
-incomplete-dswithdrawn		NS	ns9.incomplete-dswithdrawn
-bad2-dswithdrawn		NS	ns9.bad2-dswithdrawn
-resolver-dswithdrawn		NS	ns9.resolver-dswithdrawn
+$ORIGIN explicit.dsremoved.ns2.
+still-there			NS	ns9.still-there
+ns9.still-there			A	10.53.0.9

bin/tests/system/checkds/ns2/ns5-6-7.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns5
+				NS	ns6
+				NS	ns7
+ns5				A	10.53.0.5
+ns6				A	10.53.0.6
+ns7				A	10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-6-7.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9

bin/tests/system/checkds/ns2/ns5-7.db.in

@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns5
+				NS	ns7
+ns5				A	10.53.0.5
+ns7				A	10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-7.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9

bin/tests/system/checkds/ns2/ns5.db.in

@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns5
+ns5				A	10.53.0.5
+
+$ORIGIN explicit.dspublish.ns5.
+not-yet				NS	ns9.not-yet
+ns9.not-yet			A	10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns5.
+good				NS	ns9.good
+resolver			NS	ns9.resolver
+ns9.good			A	10.53.0.9
+ns9.resolver			A	10.53.0.9

bin/tests/system/checkds/ns2/ns6.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns6
+ns6				A	10.53.0.6
+
+$ORIGIN explicit.dspublish.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9

bin/tests/system/checkds/ns2/setup.sh

@@ -16,21 +16,19 @@
 
 echo_i "ns2/setup.sh"
 
-for subdomain in dspublished reference missing-dspublished bad-dspublished \
-		 multiple-dspublished incomplete-dspublished bad2-dspublished \
-		 resolver-dspublished \
-		 dswithdrawn missing-dswithdrawn bad-dswithdrawn \
-		 multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \
-		 resolver-dswithdrawn
+for zn in \
+	ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+	ns5 ns5-6-7 ns5-7 ns6
 do
-	cp "../ns9/dsset-$subdomain.checkds." .
+	zone="${zn}"
+	infile="${zn}.db.infile"
+	zonefile="${zn}.db"
+
+	# The signing key is copied from ns5.
+	CSK=$(cat "${zn}.keyname")
+	cat "${zn}.db.in" "${CSK}.key" > "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+	$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+
+	cp "dsset-${zn}." ../ns1/
 done
-
-zone="checkds"
-infile="checkds.db.infile"
-zonefile="checkds.db"
-
-CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1

bin/tests/system/checkds/ns4/named.conf.in

@@ -34,8 +34,56 @@ controls {
 	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
-zone "checkds" {
+zone "ns2" {
 	type secondary;
-	file "checkds.db";
-        primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns2.db";
+};
+
+zone "ns2-4" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns2-5-7.db";
+};
+
+zone "ns5" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns5.db";
+};
+
+zone "ns5-6-7" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns5-7.db";
+};
+
+zone "ns6" {
+	type secondary;
+	primaries source 10.53.0.4 { 10.53.0.2 port @PORT@; };
+	file "ns6.db";
 };

bin/tests/system/checkds/ns5/named.conf.in

@@ -39,8 +39,83 @@ zone "." {
 	file "../../common/root.hint";
 };
 
-zone "checkds" {
+zone "ns2" {
 	type primary;
+	allow-update { any; };
 	allow-transfer { 10.53.0.5; 10.53.0.7; };
-	file "checkds.db";
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns2.db";
+};
+
+zone "ns2-4" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns2-5-7.db";
+};
+
+zone "ns5" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns5.db";
+};
+
+zone "ns5-6-7" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns5-7.db";
+};
+
+zone "ns6" {
+	type primary;
+	allow-update { any; };
+	allow-transfer { 10.53.0.5; 10.53.0.7; };
+	also-notify { 10.53.0.7; };
+	dnssec-policy default;
+	file "ns6.db";
 };

bin/tests/system/checkds/ns5/ns2-4-5.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns4
+				NS	ns5
+ns2				A	10.53.0.2
+ns4				A	10.53.0.4
+ns5				A	10.53.0.5
+
+$ORIGIN explicit.dspublish.ns2-4-5.
+incomplete			NS	ns9.incomplete
+ns9.imcomplete			A	10.53.0.9

bin/tests/system/checkds/ns5/ns2-4-6.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns4
+				NS	ns6
+ns2				A	10.53.0.2
+ns4				A	10.53.0.4
+ns6				A	10.53.0.6
+
+$ORIGIN explicit.dspublish.ns2-4-6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9

bin/tests/system/checkds/ns5/ns2-4.db.in

@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns4
+ns2				A	10.53.0.2
+ns4				A	10.53.0.4
+
+$ORIGIN explicit.dspublish.ns2-4.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9

bin/tests/system/checkds/ns5/ns2-5-7.db.in

@@ -0,0 +1,30 @@
+	; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+				NS	ns5
+				NS	ns7
+ns2				A	10.53.0.2
+ns5				A	10.53.0.5
+ns7				A	10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns2-5-7.
+incomplete			NS	ns9.incomplete
+ns9.incomplete			A	10.53.0.9

bin/tests/system/checkds/ns5/ns2.db.in

@@ -0,0 +1,34 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns2
+ns2				A	10.53.0.2
+
+$ORIGIN explicit.dspublish.ns2.
+good				NS	ns9.good
+reference			NS	ns9.reference
+resolver			NS	ns9.resolver
+ns9.good			A	10.53.0.9
+ns9.reference			A	10.53.0.9
+ns9.resolver			A	10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns2.
+still-there			NS	ns9.still-there
+ns9.still-there			A	10.53.0.9

bin/tests/system/checkds/ns5/ns5-6-7.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns5
+				NS	ns6
+				NS	ns7
+ns5				A	10.53.0.5
+ns6				A	10.53.0.6
+ns7				A	10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-6-7.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9

bin/tests/system/checkds/ns5/ns5-7.db.in

@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns5
+				NS	ns7
+ns5				A	10.53.0.5
+ns7				A	10.53.0.7
+
+$ORIGIN explicit.dsremoved.ns5-7.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9

bin/tests/system/checkds/ns5/ns5.db.in

@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns5
+ns5				A	10.53.0.5
+
+$ORIGIN explicit.dspublish.ns5.
+not-yet				NS	ns9.not-yet
+ns9.not-yet			A	10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns5.
+good				NS	ns9.good
+resolver			NS	ns9.resolver
+ns9.good			A	10.53.0.9
+ns9.resolver			A	10.53.0.9

bin/tests/system/checkds/ns5/ns6.db.in

@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN	SOA  secondary.example. hostmaster.example. (
+				1       ; serial
+				20      ; refresh (20 seconds)
+				20      ; retry (20 seconds)
+				1814400 ; expire (3 weeks)
+				3600    ; minimum (1 hour)
+				)
+
+				NS	ns6
+ns6				A	10.53.0.6
+
+$ORIGIN explicit.dspublish.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
+
+$ORIGIN explicit.dsremoved.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9

bin/tests/system/checkds/ns5/setup.sh

@@ -16,11 +16,21 @@
 
 echo_i "ns5/setup.sh"
 
-zone="checkds"
-infile="checkds.db.infile"
-zonefile="checkds.db"
+for zn in \
+	ns2 ns2-4 ns2-4-5 ns2-4-6 ns2-5-7 \
+	ns5 ns5-6-7 ns5-7 ns6
+do
+	zone="${zn}"
+	infile="${zn}.db.infile"
+	zonefile="${zn}.db"
 
-CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+	CSK=$($KEYGEN -k default $zone 2> keygen.out.$zone)
+	cat "${zn}.db.in" "${CSK}.key" > "$infile"
+	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+	$SIGNER -S -g -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone 2>&1
+
+	# Copy key to ns2, the other primary.
+	echo "${CSK}" > "../ns2/${zn}.keyname"
+	cp "${CSK}.key" ../ns2/
+	cp "${CSK}.private" ../ns2/
+done

bin/tests/system/checkds/ns5/template.db.in

@@ -1,40 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0.  If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300
-@			IN	SOA  secondary.example. hostmaster.example. (
-				1       ; serial
-				20      ; refresh (20 seconds)
-				20      ; retry (20 seconds)
-				1814400 ; expire (3 weeks)
-				3600    ; minimum (1 hour)
-				)
-
-				NS	ns5
-ns5				A	10.53.0.5
-
-dspublished			NS	ns9.dspublished
-reference			NS	ns9.reference
-missing-dspublished		NS	ns9.missing-dspublished
-bad-dspublished			NS	ns9.bad-dspublished
-multiple-dspublished		NS	ns9.multiple-dspublished
-incomplete-dspublished		NS	ns9.incomplete-dspublished
-bad2-dspublished		NS	ns9.bad2-dspublished
-resolver-dspublished		NS	ns9.resolver-dspublished
-
-dswithdrawn			NS	ns9.dswithdrawn
-missing-dswithdrawn		NS	ns9.missing-dswithdrawn
-bad-dswithdrawn			NS	ns9.bad-dswithdrawn
-multiple-dswithdrawn		NS	ns9.multiple-dswithdrawn
-incomplete-dswithdrawn		NS	ns9.incomplete-dswithdrawn
-bad2-dswithdrawn		NS	ns9.bad2-dswithdrawn
-resolver-dswithdrawn		NS	ns9.resolver-dswithdrawn
-

bin/tests/system/checkds/ns7/named.conf.in

@@ -34,13 +34,56 @@ controls {
 	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
-zone "." {
-        type hint;
-        file "../../common/root.hint";
+zone "ns2" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns2.db";
 };
 
-zone "checkds" {
+zone "ns2-4" {
 	type secondary;
-	file "checkds.db";
-        primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns2-4.db";
+};
+
+zone "ns2-4-5" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns2-4-5.db";
+};
+
+zone "ns2-4-6" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns2-4-6.db";
+};
+
+zone "ns2-5-7" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns2-5-7.db";
+};
+
+zone "ns5" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns5.db";
+};
+
+zone "ns5-6-7" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns5-6-7.db";
+};
+
+zone "ns5-7" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns5-7.db";
+};
+
+zone "ns6" {
+	type secondary;
+	primaries source 10.53.0.7 { 10.53.0.5 port @PORT@; };
+	file "ns6.db";
 };

bin/tests/system/checkds/ns9/named.conf.in

@@ -13,6 +13,8 @@
 
 // NS9
 
+include "trusted.conf";
+
 options {
 	query-source address 10.53.0.9;
 	notify-source 10.53.0.9;
@@ -44,113 +46,31 @@ zone "." {
 };
 
 /*
- * Zone with parental agent configured, due for DS checking.
+ * 1.     Enabling DNSSEC
+ * 1.1    - With one parental agent
+ * 1.1.1. - DS is correctly published in the parent.
  */
-zone "dspublished.checkds" {
+zone "good.explicit.dspublish.ns2" {
 	type primary;
-	file "dspublished.checkds.db";
+	file "good.explicit.dspublish.ns2.db";
 	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents { 10.53.0.2 port @PORT@; };
 };
 
-/*
- * Zone with parental agent configured, due for DS checking.
- * Same as above, but now with a reference to parental-agents.
- */
-zone "reference.checkds" {
+/* Same as above, but now with a reference to parental-agents. */
+zone "reference.explicit.dspublish.ns2" {
 	type primary;
-	file "reference.checkds.db";
+	file "reference.explicit.dspublish.ns2.db";
 	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents { "ns2"; };
 };
 
-/*
- * Zone with parental agent configured, due for DS checking.
- * The parental agent does not have the DS yet.
- */
-zone "missing-dspublished.checkds" {
+/* Same as above, but now with resolver parental agent configured. */
+zone "resolver.explicit.dspublish.ns2" {
 	type primary;
-	file "missing-dspublished.checkds.db";
-	inline-signing yes;
-	dnssec-policy "default";
-	parental-agents {
-		10.53.0.5 port @PORT@; // missing
-	};
-};
-
-
-/*
- * Zone with parental agent configured, due for DS checking.
- * This case, the server is badly configured.
- */
-zone "bad-dspublished.checkds" {
-	type primary;
-	file "bad-dspublished.checkds.db";
-	inline-signing yes;
-	dnssec-policy "default";
-	parental-agents {
-		10.53.0.6 port @PORT@; // bad
-	};
-};
-
-/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- */
-zone "multiple-dspublished.checkds" {
-	type primary;
-	file "multiple-dspublished.checkds.db";
-	inline-signing yes;
-	dnssec-policy "default";
-	parental-agents {
-		10.53.0.2 port @PORT@;
-		10.53.0.4 port @PORT@;
-	};
-};
-
-/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- * This case, one server is still missing the DS.
- */
-zone "incomplete-dspublished.checkds" {
-	type primary;
-	file "incomplete-dspublished.checkds.db";
-	inline-signing yes;
-	dnssec-policy "default";
-	parental-agents {
-		10.53.0.2 port @PORT@;
-		10.53.0.4 port @PORT@;
-		10.53.0.5 port @PORT@; // missing
-	};
-};
-
-
-/*
- * Zone with multiple parental agents configured, due for DS checking.
- * All need to have the DS before the rollover may continue.
- * This case, one server is badly configured.
- */
-zone "bad2-dspublished.checkds" {
-	type primary;
-	file "bad2-dspublished.checkds.db";
-	inline-signing yes;
-	dnssec-policy "default";
-	parental-agents {
-		10.53.0.2 port @PORT@;
-		10.53.0.4 port @PORT@;
-		10.53.0.6 port @PORT@; // bad
-	};
-};
-
-/*
- * Zone with resolver parental agent configured, due for DS checking.
- */
-zone "resolver-dspublished.checkds" {
-	type primary;
-	file "resolver-dspublished.checkds.db";
+	file "resolver.explicit.dspublish.ns2.db";
 	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
@@ -158,84 +78,217 @@ zone "resolver-dspublished.checkds" {
 	};
 };
 
+/*
+ * 1.     Enabling DNSSEC
+ * 1.1    - With one parental agent
+ * 1.1.2. - DS is not (yet) published in the parent.
+ */
+zone "not-yet.explicit.dspublish.ns5" {
+	type primary;
+	file "not-yet.explicit.dspublish.ns5.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.5 port @PORT@; // missing
+	};
+};
+
+/*
+ * 1.     Enabling DNSSEC
+ * 1.1    - With one parental agent
+ * 1.1.3. - The parental agent is badly configured.
+ */
+zone "bad.explicit.dspublish.ns6" {
+	type primary;
+	file "bad.explicit.dspublish.ns6.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.6 port @PORT@; // bad
+	};
+};
+
+/*
+ * 1.     Enabling DNSSEC
+ * 1.1    - With one parental agent
+ * 1.1.4. - DS is published, but has bogus signature
+ */
+// TODO
+
+/*
+ * 1.     Enabling DNSSEC
+ * 1.2    - With multiple parental agent
+ * 1.2.1. - DS is correctly published in all parents.
+ */
+zone "good.explicit.dspublish.ns2-4" {
+	type primary;
+	file "good.explicit.dspublish.ns2-4.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.2 port @PORT@;
+		10.53.0.4 port @PORT@;
+	};
+};
+
+/*
+ * 1.     Enabling DNSSEC
+ * 1.2    - With multiple parental agent
+ * 1.2.2. - DS is not (yet) published in some parents.
+ */
+zone "incomplete.explicit.dspublish.ns2-4-5" {
+	type primary;
+	file "incomplete.explicit.dspublish.ns2-4-5.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.2 port @PORT@;
+		10.53.0.4 port @PORT@;
+		10.53.0.5 port @PORT@; // missing
+	};
+};
+
+/*
+ * 1.     Enabling DNSSEC
+ * 1.2    - With multiple parental agent
+ * 1.2.3. - DS is not (yet) published in some parents.
+ */
+zone "bad.explicit.dspublish.ns2-4-6" {
+	type primary;
+	file "bad.explicit.dspublish.ns2-4-6.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	parental-agents {
+		10.53.0.2 port @PORT@;
+		10.53.0.4 port @PORT@;
+		10.53.0.6 port @PORT@; // bad
+	};
+};
+
+/*
+ * 1.     Enabling DNSSEC
+ * 1.2    - With multiple parental agent
+ * 1.2.4. - DS is completely published, bogus signature.
+ */
+// TODO
+
 // TODO: Other test cases:
-// - Test with bogus response
 // - check with TSIG
 // - check with TLS
 
-
 /*
- * Zones that are going insecure (test DS withdrawn polling).
+ * 2.     Going insecure
+ * 2.1    - With one parental agent
+ * 2.1.1. - DS is correctly withdrawn from the parent.
  */
-zone "dswithdrawn.checkds" {
+zone "good.explicit.dsremoved.ns5" {
 	type primary;
-	file "dswithdrawn.checkds.db";
+	file "good.explicit.dsremoved.ns5.db";
 	inline-signing yes;
 	dnssec-policy "insecure";
 	parental-agents { 10.53.0.5 port @PORT@; };
 };
 
-zone "missing-dswithdrawn.checkds" {
+zone "resolver.explicit.dsremoved.ns5" {
 	type primary;
-	file "missing-dswithdrawn.checkds.db";
-	inline-signing yes;
-	dnssec-policy "insecure";
-	parental-agents {
-		10.53.0.2 port @PORT@; // still published
-	};
-};
-
-zone "bad-dswithdrawn.checkds" {
-	type primary;
-	file "bad-dswithdrawn.checkds.db";
-	inline-signing yes;
-	dnssec-policy "insecure";
-	parental-agents {
-		10.53.0.6 port @PORT@; // bad
-	};
-};
-
-zone "multiple-dswithdrawn.checkds" {
-	type primary;
-	file "multiple-dswithdrawn.checkds.db";
-	inline-signing yes;
-	dnssec-policy "insecure";
-	parental-agents {
-		10.53.0.5 port @PORT@;
-		10.53.0.7 port @PORT@;
-	};
-};
-
-zone "incomplete-dswithdrawn.checkds" {
-	type primary;
-	file "incomplete-dswithdrawn.checkds.db";
-	inline-signing yes;
-	dnssec-policy "insecure";
-	parental-agents {
-		10.53.0.2 port @PORT@; // still published
-		10.53.0.5 port @PORT@;
-		10.53.0.7 port @PORT@;
-	};
-};
-
-zone "bad2-dswithdrawn.checkds" {
-	type primary;
-	file "bad2-dswithdrawn.checkds.db";
-	inline-signing yes;
-	dnssec-policy "insecure";
-	parental-agents {
-		10.53.0.5 port @PORT@;
-		10.53.0.7 port @PORT@;
-		10.53.0.6 port @PORT@; // bad
-	};
-};
-
-zone "resolver-dswithdrawn.checkds" {
-	type primary;
-	file "resolver-dswithdrawn.checkds.db";
+	file "resolver.explicit.dsremoved.ns5.db";
 	inline-signing yes;
 	dnssec-policy "default";
 	parental-agents {
-		10.53.0.8 port @PORT@;
+		10.53.0.3 port @PORT@;
 	};
 };
+
+/*
+ * 2.     Going insecure
+ * 2.1    - With one parental agent
+ * 2.1.2. - DS is (still) published in the parent.
+ */
+zone "still-there.explicit.dsremoved.ns2" {
+	type primary;
+	file "still-there.explicit.dsremoved.ns2.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.2 port @PORT@; // still published
+	};
+};
+
+/*
+ * 2.     Going insecure
+ * 2.1    - With one parental agent
+ * 2.1.3. - The parental agent is badly configured.
+ */
+zone "bad.explicit.dsremoved.ns6" {
+	type primary;
+	file "bad.explicit.dsremoved.ns6.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.6 port @PORT@; // bad
+	};
+};
+
+/*
+ * 2.     Going insecure
+ * 2.1    - With one parental agent
+ * 2.1.4. - DS is withdrawn, but has bogus signature.
+ */
+// TODO
+
+/*
+ * 2.     Going insecure
+ * 2.2.    - With multiple parental agents
+ * 2.2.1.  - DS is correctly withdrawn from all parents.
+ */
+zone "good.explicit.dsremoved.ns5-7" {
+	type primary;
+	file "good.explicit.dsremoved.ns5-7.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.5 port @PORT@;
+		10.53.0.7 port @PORT@;
+	};
+};
+
+/*
+ * 2.     Going insecure
+ * 2.2.    - With multiple parental agents
+ * 2.2.2.  - DS is not (yet) withdrawn from some parents.
+ */
+zone "incomplete.explicit.dsremoved.ns2-5-7" {
+	type primary;
+	file "incomplete.explicit.dsremoved.ns2-5-7.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.2 port @PORT@; // still published
+		10.53.0.5 port @PORT@;
+		10.53.0.7 port @PORT@;
+	};
+};
+
+/*
+ * 2.     Going insecure
+ * 2.2.    - With multiple parental agents
+ * 2.2.3.  - One parental agent is badly configured.
+ */
+zone "bad.explicit.dsremoved.ns5-6-7" {
+	type primary;
+	file "bad.explicit.dsremoved.ns5-6-7.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	parental-agents {
+		10.53.0.5 port @PORT@;
+		10.53.0.7 port @PORT@;
+		10.53.0.6 port @PORT@; // bad
+	};
+};
+
+/*
+ * 2.     Going insecure
+ * 2.2.    - With multiple parental agents
+ * 2.2.4.  - DS is removed completely, bogus signature
+ */
+// TODO

bin/tests/system/checkds/ns9/setup.sh

@@ -33,31 +33,54 @@ T="now-30d"
 Y="now-1y"
 
 # DS Publication.
-for zn in dspublished reference missing-dspublished bad-dspublished \
-	  multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished
+for checkds in explicit
 do
-	setup "${zn}.checkds"
-	cp template.db.in "$zonefile"
-	keytimes="-P $T -P sync $T -A $T"
-	CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
-	$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
-	cat template.db.in "${CSK}.key" > "$infile"
-	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-	cp $infile $zonefile
-	$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+	for zn in \
+		good.${checkds}.dspublish.ns2 \
+		reference.${checkds}.dspublish.ns2 \
+		resolver.${checkds}.dspublish.ns2 \
+		not-yet.${checkds}.dspublish.ns5 \
+		bad.${checkds}.dspublish.ns6 \
+		good.${checkds}.dspublish.ns2-4 \
+		incomplete.${checkds}.dspublish.ns2-4-5 \
+		bad.${checkds}.dspublish.ns2-4-6
+	do
+		setup "${zn}"
+		cp template.db.in "$zonefile"
+		keytimes="-P $T -P sync $T -A $T"
+		CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+		$SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1
+		cat "$zonefile" "${CSK}.key" > "$infile"
+		private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+		cp $infile $zonefile
+		$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+	        cp "dsset-${zone}." ../ns2/
+	done
 done
 
 # DS Withdrawal.
-for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \
-	  incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn
+for checkds in explicit
 do
-	setup "${zn}.checkds"
-	cp template.db.in "$zonefile"
-	keytimes="-P $Y -P sync $Y -A $Y"
-	CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
-	$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
-	cat template.db.in "${CSK}.key" > "$infile"
-	private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-	cp $infile $zonefile
-	$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+	for zn in \
+		good.${checkds}.dsremoved.ns5 \
+		resolver.${checkds}.dsremoved.ns5 \
+		still-there.${checkds}.dsremoved.ns2 \
+		bad.${checkds}.dsremoved.ns6 \
+		good.${checkds}.dsremoved.ns5-7 \
+		incomplete.${checkds}.dsremoved.ns2-5-7 \
+		bad.${checkds}.dsremoved.ns5-6-7
+	do
+		setup "${zn}"
+		cp template.db.in "$zonefile"
+		keytimes="-P $Y -P sync $Y -A $Y"
+		CSK=$($KEYGEN -k default $keytimes $zone 2> keygen.out.$zone)
+		$SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1
+		cat "$zonefile" "${CSK}.key" > "$infile"
+		private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+		cp $infile $zonefile
+		$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
+	        cp "dsset-${zone}." ../ns2/
+	done
 done

bin/tests/system/checkds/tests_checkds.py

@@ -36,9 +36,10 @@ def has_signed_apex_nsec(zone, response):
 
     ttl = 300
     nextname = "a."
+    labelcount = zone.count(".")  # zone is specified as FQDN
     types = "NS SOA RRSIG NSEC DNSKEY"
     match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types)
-    sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl)
+    sig = "{0} {1} IN RRSIG NSEC 13 {2} 300".format(zone, ttl, labelcount)
 
     for rr in response.answer:
         if match in rr.to_text():
@@ -258,107 +259,134 @@ def test_checkds_dspublished(named_port):
     parent.nameservers = ["10.53.0.2"]
     parent.port = named_port
 
-    # DS correctly published in parent.
-    zone_check(server, "dspublished.checkds.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone dspublished.checkds/IN (signed): checkds: DS response from 10.53.0.2",
-    )
-    keystate_check(parent, "dspublished.checkds.", "DSPublish")
+    #
+    # 1.1.1: DS is correctly published in parent.
+    # parental-agents: ns2
+    #
 
-    # DS correctly published in parent (reference to parental-agent).
-    zone_check(server, "reference.checkds.")
+    # The simple case.
+    zone_check(server, "good.explicit.dspublish.ns2.")
     wait_for_log(
         "ns9/named.run",
-        "zone reference.checkds/IN (signed): checkds: DS response from 10.53.0.2",
+        "zone good.explicit.dspublish.ns2/IN (signed): checkds: "
+	"DS response from 10.53.0.2",
     )
-    keystate_check(parent, "reference.checkds.", "DSPublish")
+    keystate_check(parent, "good.explicit.dspublish.ns2.", "DSPublish")
 
-    # DS not published in parent.
-    zone_check(server, "missing-dspublished.checkds.")
+    # Using a reference to parental-agents.
+    zone_check(server, "reference.explicit.dspublish.ns2.")
     wait_for_log(
         "ns9/named.run",
-        "zone missing-dspublished.checkds/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone reference.explicit.dspublish.ns2/IN (signed): "
+	"checkds: DS response from 10.53.0.2",
     )
-    keystate_check(parent, "missing-dspublished.checkds.", "!DSPublish")
+    keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
 
-    # Badly configured parent.
-    zone_check(server, "bad-dspublished.checkds.")
+    # Using a resolver as parental-agent (ns3).
+    zone_check(server, "resolver.explicit.dspublish.ns2.")
     wait_for_log(
         "ns9/named.run",
-        "zone bad-dspublished.checkds/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
-    )
-    keystate_check(parent, "bad-dspublished.checkds.", "!DSPublish")
-
-    # TBD: DS published in parent, but bogus signature.
-
-    # DS correctly published in all parents.
-    zone_check(server, "multiple-dspublished.checkds.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone multiple-dspublished.checkds/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
-    )
-    wait_for_log(
-        "ns9/named.run",
-        "zone multiple-dspublished.checkds/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
-    )
-    keystate_check(parent, "multiple-dspublished.checkds.", "DSPublish")
-
-    # DS published in only one of multiple parents.
-    zone_check(server, "incomplete-dspublished.checkds.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone incomplete-dspublished.checkds/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
-    )
-    wait_for_log(
-        "ns9/named.run",
-        "zone incomplete-dspublished.checkds/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
-    )
-    wait_for_log(
-        "ns9/named.run",
-        "zone incomplete-dspublished.checkds/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
-    )
-    keystate_check(parent, "incomplete-dspublished.checkds.", "!DSPublish")
-
-    # One of the parents is badly configured.
-    zone_check(server, "bad2-dswithdrawn.checkds.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone bad2-dspublished.checkds/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
-    )
-    wait_for_log(
-        "ns9/named.run",
-        "zone bad2-dspublished.checkds/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
-    )
-    wait_for_log(
-        "ns9/named.run",
-        "zone bad2-dspublished.checkds/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
-    )
-    keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish")
-
-    # Check with resolver parental-agent.
-    zone_check(server, "resolver-dspublished.checkds.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone resolver-dspublished.checkds/IN (signed): checkds: "
+        "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: "
         "DS response from 10.53.0.3",
     )
-    keystate_check(parent, "resolver-dspublished.checkds.", "DSPublish")
+    keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish")
 
-    # TBD: DS published in all parents, but one has bogus signature.
+    #
+    # 1.1.2: DS is not published in parent.
+    # parental-agents: ns5
+    #
+    zone_check(server, "not-yet.explicit.dspublish.ns5.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone not-yet.explicit.dspublish.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    keystate_check(parent, "not-yet.explicit.dspublish.ns5.", "!DSPublish")
+
+    #
+    # 1.1.3: The parental agent is badly configured.
+    # parental-agents: ns6
+    #
+    zone_check(server, "bad.explicit.dspublish.ns6.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad.explicit.dspublish.ns6/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6",
+    )
+    keystate_check(parent, "bad.explicit.dspublish.ns6.", "!DSPublish")
+
+    #
+    # 1.1.4: DS is published, but has bogus signature.
+    #
+    # TBD
+
+    #
+    # 1.2.1: DS is correctly published in all parents.
+    # parental-agents: ns2, ns4
+    #
+    zone_check(server, "good.explicit.dspublish.ns2-4.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
+        "DS response from 10.53.0.4",
+    )
+    keystate_check(parent, "good.explicit.dspublish.ns2-4.", "DSPublish")
+
+    #
+    # 1.2.2: DS is not published in some parents.
+    # parental-agents: ns2, ns4, ns5
+    #
+    zone_check(server, "incomplete.explicit.dspublish.ns2-4-5.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
+        "DS response from 10.53.0.4",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5",
+    )
+    keystate_check(parent, "incomplete.explicit.dspublish.ns2-4-5.", "!DSPublish")
+
+    #
+    # 1.2.3: One parental agent is badly configured.
+    # parental-agents: ns2, ns4, ns6
+    #
+    zone_check(server, "bad.explicit.dspublish.ns2-4-6.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
+        "DS response from 10.53.0.2",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
+        "DS response from 10.53.0.4",
+    )
+    wait_for_log(
+        "ns9/named.run",
+        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6",
+    )
+    keystate_check(parent, "bad.explicit.dspublish.ns2-4-6.", "!DSPublish")
+
+    #
+    # 1.2.4: DS is completely published, bogus signature.
+    #
+    # TBD
 
     # TBD: Check with TSIG
-
     # TBD: Check with TLS
 
 
@@ -372,94 +400,120 @@ def test_checkds_dswithdrawn(named_port):
     parent.nameservers = ["10.53.0.2"]
     parent.port = named_port
 
-    # DS correctly published in single parent.
-    zone_check(server, "dswithdrawn.checkds.")
+    #
+    # 2.1.1: DS correctly withdrawn from the parent.
+    # parental-agents: ns5
+    #
+
+    # The simple case.
+    zone_check(server, "good.explicit.dsremoved.ns5.")
     wait_for_log(
         "ns9/named.run",
-        "zone dswithdrawn.checkds/IN (signed): checkds: "
+        "zone good.explicit.dsremoved.ns5/IN (signed): checkds: "
         "empty DS response from 10.53.0.5",
     )
-    keystate_check(parent, "dswithdrawn.checkds.", "DSRemoved")
+    keystate_check(parent, "good.explicit.dsremoved.ns5.", "DSRemoved")
 
-    # DS not withdrawn from parent.
-    zone_check(server, "missing-dswithdrawn.checkds.")
+    # Using a resolver as parental-agent (ns3).
+    zone_check(server, "resolver.explicit.dsremoved.ns5.")
     wait_for_log(
         "ns9/named.run",
-        "zone missing-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.3",
+    )
+    keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved")
+
+    #
+    # 2.1.2: DS is published in the parent.
+    # parental-agents: ns2
+    #
+    zone_check(server, "still-there.explicit.dsremoved.ns2.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone still-there.explicit.dsremoved.ns2/IN (signed): checkds: "
         "DS response from 10.53.0.2",
     )
-    keystate_check(parent, "missing-dswithdrawn.checkds.", "!DSRemoved")
+    keystate_check(parent, "still-there.explicit.dsremoved.ns2.", "!DSRemoved")
 
-    # Badly configured parent.
-    zone_check(server, "bad-dswithdrawn.checkds.")
+    #
+    # 2.1.3: The parental agent is badly configured.
+    # parental-agents: ns6
+    #
+    zone_check(server, "bad.explicit.dsremoved.ns6.")
     wait_for_log(
         "ns9/named.run",
-        "zone bad-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone bad.explicit.dsremoved.ns6/IN (signed): checkds: "
         "bad DS response from 10.53.0.6",
     )
-    keystate_check(parent, "bad-dswithdrawn.checkds.", "!DSRemoved")
+    keystate_check(parent, "bad.explicit.dsremoved.ns6.", "!DSRemoved")
 
-    # TBD: DS published in parent, but bogus signature.
+    #
+    # 2.1.4: DS is withdrawn, but has bogus signature.
+    #
+    # TBD
 
-    # DS correctly withdrawn from all parents.
-    zone_check(server, "multiple-dswithdrawn.checkds.")
+    #
+    # 2.2.1: DS is correctly withdrawn from all parents.
+    # parental-agents: ns5, ns7
+    #
+    zone_check(server, "good.explicit.dsremoved.ns5-7.")
     wait_for_log(
         "ns9/named.run",
-        "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
         "empty DS response from 10.53.0.5",
     )
     wait_for_log(
         "ns9/named.run",
-        "zone multiple-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
         "empty DS response from 10.53.0.7",
     )
-    keystate_check(parent, "multiple-dswithdrawn.checkds.", "DSRemoved")
+    keystate_check(parent, "good.explicit.dsremoved.ns5-7.", "DSRemoved")
 
-    # DS withdrawn from only one of multiple parents.
-    zone_check(server, "incomplete-dswithdrawn.checkds.")
+    #
+    # 2.2.2: DS is not withdrawn from some parents.
+    # parental-agents: ns2, ns5, ns7
+    #
+    zone_check(server, "incomplete.explicit.dsremoved.ns2-5-7.")
     wait_for_log(
         "ns9/named.run",
-        "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
         "DS response from 10.53.0.2",
     )
     wait_for_log(
         "ns9/named.run",
-        "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
         "empty DS response from 10.53.0.5",
     )
     wait_for_log(
         "ns9/named.run",
-        "zone incomplete-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
         "empty DS response from 10.53.0.7",
     )
-    keystate_check(parent, "incomplete-dswithdrawn.checkds.", "!DSRemoved")
+    keystate_check(parent, "incomplete.explicit.dsremoved.ns2-5-7.", "!DSRemoved")
 
-    # One of the parents is badly configured.
-    zone_check(server, "bad2-dswithdrawn.checkds.")
+    #
+    # 2.2.3: One parental agent is badly configured.
+    # parental-agents: ns5, ns6, ns7
+    #
+    zone_check(server, "bad.explicit.dsremoved.ns5-6-7.")
     wait_for_log(
         "ns9/named.run",
-        "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
         "empty DS response from 10.53.0.5",
     )
     wait_for_log(
         "ns9/named.run",
-        "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
         "empty DS response from 10.53.0.7",
     )
     wait_for_log(
         "ns9/named.run",
-        "zone bad2-dswithdrawn.checkds/IN (signed): checkds: "
+        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
         "bad DS response from 10.53.0.6",
     )
-    keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved")
+    keystate_check(parent, "bad.explicit.dsremoved.ns5-6-7.", "!DSRemoved")
 
-    # Check with resolver parental-agent.
-    zone_check(server, "resolver-dswithdrawn.checkds.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone resolver-dswithdrawn.checkds/IN (signed): checkds: "
-        "empty DS response from 10.53.0.8",
-    )
-    keystate_check(parent, "resolver-dswithdrawn.checkds.", "DSRemoved")
-
-    # TBD: DS withdrawn from all parents, but one has bogus signature.
+    #
+    # 2.2.4:: DS is removed completely, bogus signature.
+    #
+    # TBD