Allow empty CDNSKEY/CDS RRset in ksr system test

When the zone is initially signed, the CDNSKEY/CDS RRset is not immediately published. The DNSKEY and signatures must propagate first. Adjust the test to allow for this case. (cherry picked from commit 708927e03d152983557b6a2d0d40888e0ccffad5)
2025-08-29 13:38:26 +00:00 · 2024-09-04 15:54:53 +02:00 · 2024-09-04 15:54:53 +02:00 · 2e5a2f4e81
commit 2e5a2f4e81
parent a92fb659d3
2 changed files with 33 additions and 12 deletions
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@ -431,7 +431,10 @@ def _check_dnskeys(dnskeys, keys, cdnskey=False):
                has_dnskey = True
                break

+        if not cdnskey:
            assert has_dnskey
+
+        if has_dnskey:
            numkeys += 1

    return numkeys
@ -541,15 +544,15 @@ def check_apex(server, zone, ksks, zsks):

    # test cdnskey query
    cdnskeys, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDNSKEY)
-    assert len(cdnskeys) > 0
    check_dnskeys(cdnskeys, ksks, zsks, cdnskey=True)
+    if len(cdnskeys) > 0:
        assert len(rrsigs) > 0
        check_signatures(rrsigs, dns.rdatatype.CDNSKEY, fqdn, ksks, zsks)

    # test cds query
    cds, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDS)
-    assert len(cds) > 0
    check_cds(cds, ksks)
+    if len(cds) > 0:
        assert len(rrsigs) > 0
        check_signatures(rrsigs, dns.rdatatype.CDS, fqdn, ksks, zsks)

--- a/bin/tests/system/ksr/tests_ksr.py
+++ b/bin/tests/system/ksr/tests_ksr.py
@ -324,10 +324,17 @@ def check_signedkeyresponse(
            line_no += 1

        # expect cdnskey
+        have_cdnskey = False
        if cdnskey:
            for key in sorted(ksks):
-                published = key.get_timing("Publish")
-                removed = key.get_timing("Delete", must_exist=False)
+                published = key.get_timing("SyncPublish")
+                if between(published, inception, next_bundle):
+                    next_bundle = published
+
+                removed = key.get_timing("SyncDelete", must_exist=False)
+                if between(removed, inception, next_bundle):
+                    next_bundle = removed
+
                if published > inception:
                    continue
                if removed is not None and inception >= removed:
@ -336,7 +343,9 @@ def check_signedkeyresponse(
                # the cdnskey of this ksk must be in the ksr
                assert key.dnskey_equals(lines[line_no], cdnskey=True)
                line_no += 1
+                have_cdnskey = True

+        if have_cdnskey:
            # expect rrsig(cdnskey)
            for key in sorted(ksks):
                active = key.get_timing("Activate")
@ -354,10 +363,17 @@ def check_signedkeyresponse(
                line_no += 1

        # expect cds
+        have_cds = False
        if cds != "":
            for key in sorted(ksks):
-                published = key.get_timing("Publish")
-                removed = key.get_timing("Delete", must_exist=False)
+                published = key.get_timing("SyncPublish")
+                if between(published, inception, next_bundle):
+                    next_bundle = published
+
+                removed = key.get_timing("SyncDelete", must_exist=False)
+                if between(removed, inception, next_bundle):
+                    next_bundle = removed
+
                if published > inception:
                    continue
                if removed is not None and inception >= removed:
@ -368,7 +384,9 @@ def check_signedkeyresponse(
                for alg in expected_cds:
                    assert key.cds_equals(lines[line_no], alg.strip())
                    line_no += 1
+                    have_cds = True

+        if have_cds:
            # expect rrsig(cds)
            for key in sorted(ksks):
                active = key.get_timing("Activate")