Allow empty CDNSKEY/CDS RRset in ksr system test

When the zone is initially signed, the CDNSKEY/CDS RRset is not
immediately published. The DNSKEY and signatures must propagate first.
Adjust the test to allow for this case.

(cherry picked from commit 708927e03d152983557b6a2d0d40888e0ccffad5)

bin/tests/system/isctest/kasp.py

@@ -431,8 +431,11 @@ def _check_dnskeys(dnskeys, keys, cdnskey=False):
                 has_dnskey = True
                 break
 
-        assert has_dnskey
-        numkeys += 1
+        if not cdnskey:
+            assert has_dnskey
+
+        if has_dnskey:
+            numkeys += 1
 
     return numkeys
 
@@ -541,17 +544,17 @@ def check_apex(server, zone, ksks, zsks):
 
     # test cdnskey query
     cdnskeys, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDNSKEY)
-    assert len(cdnskeys) > 0
     check_dnskeys(cdnskeys, ksks, zsks, cdnskey=True)
-    assert len(rrsigs) > 0
-    check_signatures(rrsigs, dns.rdatatype.CDNSKEY, fqdn, ksks, zsks)
+    if len(cdnskeys) > 0:
+        assert len(rrsigs) > 0
+        check_signatures(rrsigs, dns.rdatatype.CDNSKEY, fqdn, ksks, zsks)
 
     # test cds query
     cds, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDS)
-    assert len(cds) > 0
     check_cds(cds, ksks)
-    assert len(rrsigs) > 0
-    check_signatures(rrsigs, dns.rdatatype.CDS, fqdn, ksks, zsks)
+    if len(cds) > 0:
+        assert len(rrsigs) > 0
+        check_signatures(rrsigs, dns.rdatatype.CDS, fqdn, ksks, zsks)
 
 
 def check_subdomain(server, zone, ksks, zsks):

bin/tests/system/ksr/tests_ksr.py

@@ -324,10 +324,17 @@ def check_signedkeyresponse(
             line_no += 1
 
         # expect cdnskey
+        have_cdnskey = False
         if cdnskey:
             for key in sorted(ksks):
-                published = key.get_timing("Publish")
-                removed = key.get_timing("Delete", must_exist=False)
+                published = key.get_timing("SyncPublish")
+                if between(published, inception, next_bundle):
+                    next_bundle = published
+
+                removed = key.get_timing("SyncDelete", must_exist=False)
+                if between(removed, inception, next_bundle):
+                    next_bundle = removed
+
                 if published > inception:
                     continue
                 if removed is not None and inception >= removed:
@@ -336,7 +343,9 @@ def check_signedkeyresponse(
                 # the cdnskey of this ksk must be in the ksr
                 assert key.dnskey_equals(lines[line_no], cdnskey=True)
                 line_no += 1
+                have_cdnskey = True
 
+        if have_cdnskey:
             # expect rrsig(cdnskey)
             for key in sorted(ksks):
                 active = key.get_timing("Activate")
@@ -354,10 +363,17 @@ def check_signedkeyresponse(
                 line_no += 1
 
         # expect cds
+        have_cds = False
         if cds != "":
             for key in sorted(ksks):
-                published = key.get_timing("Publish")
-                removed = key.get_timing("Delete", must_exist=False)
+                published = key.get_timing("SyncPublish")
+                if between(published, inception, next_bundle):
+                    next_bundle = published
+
+                removed = key.get_timing("SyncDelete", must_exist=False)
+                if between(removed, inception, next_bundle):
+                    next_bundle = removed
+
                 if published > inception:
                     continue
                 if removed is not None and inception >= removed:
@@ -368,7 +384,9 @@ def check_signedkeyresponse(
                 for alg in expected_cds:
                     assert key.cds_equals(lines[line_no], alg.strip())
                     line_no += 1
+                    have_cds = True
 
+        if have_cds:
             # expect rrsig(cds)
             for key in sorted(ksks):
                 active = key.get_timing("Activate")