Add test cases for 'checkds yes'

Add the test cases for automatic parental-agents, i.e. when 'checkds' is set to 'yes'. Split out the special cases that use a reference or a resolver as parental-agent so that the common use cases can be tested with the same function.
2025-08-30 22:15:20 +00:00 · 2023-03-28 12:00:56 +02:00
parent 226b6e385e
commit 6bb862d10f
21 changed files with 348 additions and 105 deletions
--- a/bin/tests/system/checkds/ns2/ns2-4-5.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4-5.db.in
@@ -28,3 +28,7 @@ ns5				A	10.53.0.5
 $ORIGIN explicit.dspublish.ns2-4-5.
 incomplete			NS	ns9.incomplete
 ns9.imcomplete			A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-5.
+incomplete			NS	ns9.incomplete
+ns9.imcomplete			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns2-4-6.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4-6.db.in
@@ -28,3 +28,7 @@ ns6				A	10.53.0.6
 $ORIGIN explicit.dspublish.ns2-4-6.
 bad				NS	ns9.bad
 ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4.db.in
@@ -26,3 +26,7 @@ ns4				A	10.53.0.4
 $ORIGIN explicit.dspublish.ns2-4.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns2-5-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-5-7.db.in
@@ -28,3 +28,7 @@ ns7				A	10.53.0.7
 $ORIGIN explicit.dsremoved.ns2-5-7.
 incomplete			NS	ns9.incomplete
 ns9.incomplete			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2-5-7.
+incomplete			NS	ns9.incomplete
+ns9.incomplete			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns2.db.in
+++ b/bin/tests/system/checkds/ns2/ns2.db.in
@@ -29,6 +29,14 @@ ns9.good			A	10.53.0.9
 ns9.reference			A	10.53.0.9
 ns9.resolver			A	10.53.0.9

+$ORIGIN yes.dspublish.ns2.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns2.
 still-there			NS	ns9.still-there
 ns9.still-there			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2.
+still-there			NS	ns9.still-there
+ns9.still-there			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns5-6-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns5-6-7.db.in
@@ -28,3 +28,7 @@ ns7				A	10.53.0.7
 $ORIGIN explicit.dsremoved.ns5-6-7.
 bad				NS	ns9.bad
 ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-6-7.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns5-7.db.in
@@ -26,3 +26,7 @@ ns7				A	10.53.0.7
 $ORIGIN explicit.dsremoved.ns5-7.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-7.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns5.db.in
+++ b/bin/tests/system/checkds/ns2/ns5.db.in
@@ -25,8 +25,18 @@ $ORIGIN explicit.dspublish.ns5.
 not-yet				NS	ns9.not-yet
 ns9.not-yet			A	10.53.0.9

+$ORIGIN yes.dspublish.ns5.
+not-yet				NS	ns9.not-yet
+ns9.not-yet			A	10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns5.
 good				NS	ns9.good
 resolver			NS	ns9.resolver
 ns9.good			A	10.53.0.9
 ns9.resolver			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5.
+good				NS	ns9.good
+resolver			NS	ns9.resolver
+ns9.good			A	10.53.0.9
+ns9.resolver			A	10.53.0.9
--- a/bin/tests/system/checkds/ns2/ns6.db.in
+++ b/bin/tests/system/checkds/ns2/ns6.db.in
@@ -28,3 +28,11 @@ ns9.bad				A	10.53.0.9
 $ORIGIN explicit.dsremoved.ns6.
 bad				NS	ns9.bad
 ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns2-4-5.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4-5.db.in
@@ -28,3 +28,7 @@ ns5				A	10.53.0.5
 $ORIGIN explicit.dspublish.ns2-4-5.
 incomplete			NS	ns9.incomplete
 ns9.imcomplete			A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-5.
+incomplete			NS	ns9.incomplete
+ns9.imcomplete			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns2-4-6.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4-6.db.in
@@ -28,3 +28,7 @@ ns6				A	10.53.0.6
 $ORIGIN explicit.dspublish.ns2-4-6.
 bad				NS	ns9.bad
 ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4.db.in
@@ -26,3 +26,7 @@ ns4				A	10.53.0.4
 $ORIGIN explicit.dspublish.ns2-4.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns2-5-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-5-7.db.in
@@ -28,3 +28,7 @@ ns7				A	10.53.0.7
 $ORIGIN explicit.dsremoved.ns2-5-7.
 incomplete			NS	ns9.incomplete
 ns9.incomplete			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2-5-7.
+incomplete			NS	ns9.incomplete
+ns9.incomplete			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns2.db.in
+++ b/bin/tests/system/checkds/ns5/ns2.db.in
@@ -29,6 +29,14 @@ ns9.good			A	10.53.0.9
 ns9.reference			A	10.53.0.9
 ns9.resolver			A	10.53.0.9

+$ORIGIN yes.dspublish.ns2.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns2.
 still-there			NS	ns9.still-there
 ns9.still-there			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2.
+still-there			NS	ns9.still-there
+ns9.still-there			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns5-6-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns5-6-7.db.in
@@ -28,3 +28,7 @@ ns7				A	10.53.0.7
 $ORIGIN explicit.dsremoved.ns5-6-7.
 bad				NS	ns9.bad
 ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-6-7.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns5-7.db.in
@@ -26,3 +26,7 @@ ns7				A	10.53.0.7
 $ORIGIN explicit.dsremoved.ns5-7.
 good				NS	ns9.good
 ns9.good			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-7.
+good				NS	ns9.good
+ns9.good			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns5.db.in
+++ b/bin/tests/system/checkds/ns5/ns5.db.in
@@ -25,8 +25,18 @@ $ORIGIN explicit.dspublish.ns5.
 not-yet				NS	ns9.not-yet
 ns9.not-yet			A	10.53.0.9

+$ORIGIN yes.dspublish.ns5.
+not-yet				NS	ns9.not-yet
+ns9.not-yet			A	10.53.0.9
+
 $ORIGIN explicit.dsremoved.ns5.
 good				NS	ns9.good
 resolver			NS	ns9.resolver
 ns9.good			A	10.53.0.9
 ns9.resolver			A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5.
+good				NS	ns9.good
+resolver			NS	ns9.resolver
+ns9.good			A	10.53.0.9
+ns9.resolver			A	10.53.0.9
--- a/bin/tests/system/checkds/ns5/ns6.db.in
+++ b/bin/tests/system/checkds/ns5/ns6.db.in
@@ -28,3 +28,11 @@ ns9.bad				A	10.53.0.9
 $ORIGIN explicit.dsremoved.ns6.
 bad				NS	ns9.bad
 ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dspublish.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
+
+$ORIGIN yes.dsremoved.ns6.
+bad				NS	ns9.bad
+ns9.bad				A	10.53.0.9
--- a/bin/tests/system/checkds/ns9/named.conf.in
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -78,6 +78,15 @@ zone "resolver.explicit.dspublish.ns2" {
 	};
 };

+/* Same as above, but now with auto parental agents. */
+zone "good.yes.dspublish.ns2" {
+	type primary;
+	file "good.yes.dspublish.ns2.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds yes;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
@@ -93,6 +102,14 @@ zone "not-yet.explicit.dspublish.ns5" {
 	};
 };

+zone "not-yet.yes.dspublish.ns5" {
+	type primary;
+	file "not-yet.yes.dspublish.ns5.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds yes;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
@@ -108,6 +125,14 @@ zone "bad.explicit.dspublish.ns6" {
 	};
 };

+zone "bad.yes.dspublish.ns6" {
+	type primary;
+	file "bad.yes.dspublish.ns6.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds yes;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.1    - With one parental agent
@@ -131,6 +156,14 @@ zone "good.explicit.dspublish.ns2-4" {
 	};
 };

+zone "good.yes.dspublish.ns2-4" {
+	type primary;
+	file "good.yes.dspublish.ns2-4.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds yes;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agent
@@ -148,6 +181,14 @@ zone "incomplete.explicit.dspublish.ns2-4-5" {
 	};
 };

+zone "incomplete.yes.dspublish.ns2-4-5" {
+	type primary;
+	file "incomplete.yes.dspublish.ns2-4-5.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds yes;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agent
@@ -165,6 +206,14 @@ zone "bad.explicit.dspublish.ns2-4-6" {
 	};
 };

+zone "bad.yes.dspublish.ns2-4-6" {
+	type primary;
+	file "bad.yes.dspublish.ns2-4-6.db";
+	inline-signing yes;
+	dnssec-policy "default";
+	checkds yes;
+};
+
 /*
 * 1.     Enabling DNSSEC
 * 1.2    - With multiple parental agent
@@ -199,6 +248,14 @@ zone "resolver.explicit.dsremoved.ns5" {
 	};
 };

+zone "good.yes.dsremoved.ns5" {
+	type primary;
+	file "good.yes.dsremoved.ns5.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds yes;
+};
+
 /*
 * 2.     Going insecure
 * 2.1    - With one parental agent
@@ -214,6 +271,14 @@ zone "still-there.explicit.dsremoved.ns2" {
 	};
 };

+zone "still-there.yes.dsremoved.ns2" {
+	type primary;
+	file "still-there.yes.dsremoved.ns2.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds yes;
+};
+
 /*
 * 2.     Going insecure
 * 2.1    - With one parental agent
@@ -229,6 +294,14 @@ zone "bad.explicit.dsremoved.ns6" {
 	};
 };

+zone "bad.yes.dsremoved.ns6" {
+	type primary;
+	file "bad.yes.dsremoved.ns6.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds yes;
+};
+
 /*
 * 2.     Going insecure
 * 2.1    - With one parental agent
@@ -252,6 +325,14 @@ zone "good.explicit.dsremoved.ns5-7" {
 	};
 };

+zone "good.yes.dsremoved.ns5-7" {
+	type primary;
+	file "good.yes.dsremoved.ns5-7.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds yes;
+};
+
 /*
 * 2.     Going insecure
 * 2.2.    - With multiple parental agents
@@ -269,6 +350,14 @@ zone "incomplete.explicit.dsremoved.ns2-5-7" {
 	};
 };

+zone "incomplete.yes.dsremoved.ns2-5-7" {
+	type primary;
+	file "incomplete.yes.dsremoved.ns2-5-7.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds yes;
+};
+
 /*
 * 2.     Going insecure
 * 2.2.    - With multiple parental agents
@@ -286,6 +375,14 @@ zone "bad.explicit.dsremoved.ns5-6-7" {
 	};
 };

+zone "bad.yes.dsremoved.ns5-6-7" {
+	type primary;
+	file "bad.yes.dsremoved.ns5-6-7.db";
+	inline-signing yes;
+	dnssec-policy "insecure";
+	checkds yes;
+};
+
 /*
 * 2.     Going insecure
 * 2.2.    - With multiple parental agents
--- a/bin/tests/system/checkds/ns9/setup.sh
+++ b/bin/tests/system/checkds/ns9/setup.sh
@@ -33,7 +33,7 @@ T="now-30d"
 Y="now-1y"

 # DS Publication.
-for checkds in explicit
+for checkds in explicit yes
 do
 	for zn in \
 		good.${checkds}.dspublish.ns2 \
@@ -60,7 +60,7 @@ do
 done

 # DS Withdrawal.
-for checkds in explicit
+for checkds in explicit yes
 do
 	for zn in \
 		good.${checkds}.dsremoved.ns5 \
--- a/bin/tests/system/checkds/tests_checkds.py
+++ b/bin/tests/system/checkds/tests_checkds.py
@@ -249,7 +249,7 @@ def wait_for_log(filename, log):
    assert found


-def test_checkds_dspublished(named_port):
+def checkds_dspublished(named_port, checkds):
    # We create resolver instances that will be used to send queries.
    server = dns.resolver.Resolver()
    server.nameservers = ["10.53.0.9"]
@@ -265,55 +265,44 @@ def test_checkds_dspublished(named_port):
    #

    # The simple case.
-    zone_check(server, "good.explicit.dspublish.ns2.")
+    zone_check(server, "good.{}.dspublish.ns2.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone good.explicit.dspublish.ns2/IN (signed): checkds: "
-	"DS response from 10.53.0.2",
+        "zone good.{}.dspublish.ns2/IN (signed): checkds: "
+	"DS response from 10.53.0.2".format(checkds),
    )
-    keystate_check(parent, "good.explicit.dspublish.ns2.", "DSPublish")
-
-    # Using a reference to parental-agents.
-    zone_check(server, "reference.explicit.dspublish.ns2.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone reference.explicit.dspublish.ns2/IN (signed): "
-	"checkds: DS response from 10.53.0.2",
-    )
-    keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
-
-    # Using a resolver as parental-agent (ns3).
-    zone_check(server, "resolver.explicit.dspublish.ns2.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: "
-        "DS response from 10.53.0.3",
-    )
-    keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish")
+    keystate_check(parent, "good.{}.dspublish.ns2.".format(checkds), "DSPublish")

    #
    # 1.1.2: DS is not published in parent.
    # parental-agents: ns5
    #
-    zone_check(server, "not-yet.explicit.dspublish.ns5.")
+    zone_check(server, "not-yet.{}.dspublish.ns5.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone not-yet.explicit.dspublish.ns5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone not-yet.{}.dspublish.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
    )
-    keystate_check(parent, "not-yet.explicit.dspublish.ns5.", "!DSPublish")
+    keystate_check(parent, "not-yet.{}.dspublish.ns5.".format(checkds), "!DSPublish")

    #
    # 1.1.3: The parental agent is badly configured.
    # parental-agents: ns6
    #
-    zone_check(server, "bad.explicit.dspublish.ns6.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone bad.explicit.dspublish.ns6/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
-    )
-    keystate_check(parent, "bad.explicit.dspublish.ns6.", "!DSPublish")
+    zone_check(server, "bad.{}.dspublish.ns6.".format(checkds))
+    if checkds == "explicit":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dspublish.ns6/IN (signed): checkds: "
+            "bad DS response from 10.53.0.6".format(checkds),
+        )
+    elif checkds == "yes":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dspublish.ns6/IN (signed): checkds: "
+            "error during parental-agents processing".format(checkds),
+        )
+    keystate_check(parent, "bad.{}.dspublish.ns6.".format(checkds), "!DSPublish")

    #
    # 1.1.4: DS is published, but has bogus signature.
@@ -324,62 +313,62 @@ def test_checkds_dspublished(named_port):
    # 1.2.1: DS is correctly published in all parents.
    # parental-agents: ns2, ns4
    #
-    zone_check(server, "good.explicit.dspublish.ns2-4.")
+    zone_check(server, "good.{}.dspublish.ns2-4.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone good.{}.dspublish.ns2-4/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
+        "zone good.{}.dspublish.ns2-4/IN (signed): checkds: "
+        "DS response from 10.53.0.4".format(checkds),
    )
-    keystate_check(parent, "good.explicit.dspublish.ns2-4.", "DSPublish")
+    keystate_check(parent, "good.{}.dspublish.ns2-4.".format(checkds), "DSPublish")

    #
    # 1.2.2: DS is not published in some parents.
    # parental-agents: ns2, ns4, ns5
    #
-    zone_check(server, "incomplete.explicit.dspublish.ns2-4-5.")
+    zone_check(server, "incomplete.{}.dspublish.ns2-4-5.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
+        "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: "
+        "DS response from 10.53.0.4".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
    )
-    keystate_check(parent, "incomplete.explicit.dspublish.ns2-4-5.", "!DSPublish")
+    keystate_check(parent, "incomplete.{}.dspublish.ns2-4-5.".format(checkds), "!DSPublish")

    #
    # 1.2.3: One parental agent is badly configured.
    # parental-agents: ns2, ns4, ns6
    #
-    zone_check(server, "bad.explicit.dspublish.ns2-4-6.")
+    zone_check(server, "bad.{}.dspublish.ns2-4-6.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
+        "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: "
+        "DS response from 10.53.0.4".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
+        "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6".format(checkds),
    )
-    keystate_check(parent, "bad.explicit.dspublish.ns2-4-6.", "!DSPublish")
+    keystate_check(parent, "bad.{}.dspublish.ns2-4-6.".format(checkds), "!DSPublish")

    #
    # 1.2.4: DS is completely published, bogus signature.
@@ -390,7 +379,7 @@ def test_checkds_dspublished(named_port):
    # TBD: Check with TLS


-def test_checkds_dswithdrawn(named_port):
+def checkds_dswithdrawn(named_port, checkds):
    # We create resolver instances that will be used to send queries.
    server = dns.resolver.Resolver()
    server.nameservers = ["10.53.0.9"]
@@ -406,46 +395,44 @@ def test_checkds_dswithdrawn(named_port):
    #

    # The simple case.
-    zone_check(server, "good.explicit.dsremoved.ns5.")
+    zone_check(server, "good.{}.dsremoved.ns5.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone good.explicit.dsremoved.ns5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone good.{}.dsremoved.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
    )
-    keystate_check(parent, "good.explicit.dsremoved.ns5.", "DSRemoved")
-
-    # Using a resolver as parental-agent (ns3).
-    zone_check(server, "resolver.explicit.dsremoved.ns5.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.3",
-    )
-    keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved")
+    keystate_check(parent, "good.{}.dsremoved.ns5.".format(checkds), "DSRemoved")

    #
    # 2.1.2: DS is published in the parent.
    # parental-agents: ns2
    #
-    zone_check(server, "still-there.explicit.dsremoved.ns2.")
+    zone_check(server, "still-there.{}.dsremoved.ns2.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone still-there.explicit.dsremoved.ns2/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone still-there.{}.dsremoved.ns2/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
    )
-    keystate_check(parent, "still-there.explicit.dsremoved.ns2.", "!DSRemoved")
+    keystate_check(parent, "still-there.{}.dsremoved.ns2.".format(checkds), "!DSRemoved")

    #
    # 2.1.3: The parental agent is badly configured.
    # parental-agents: ns6
    #
-    zone_check(server, "bad.explicit.dsremoved.ns6.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns6/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
-    )
-    keystate_check(parent, "bad.explicit.dsremoved.ns6.", "!DSRemoved")
+    zone_check(server, "bad.{}.dsremoved.ns6.".format(checkds))
+    if checkds == "explicit":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dsremoved.ns6/IN (signed): checkds: "
+            "bad DS response from 10.53.0.6".format(checkds),
+        )
+    elif checkds == "yes":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dsremoved.ns6/IN (signed): checkds: "
+            "error during parental-agents processing".format(checkds),
+        )
+    keystate_check(parent, "bad.{}.dsremoved.ns6.".format(checkds), "!DSRemoved")

    #
    # 2.1.4: DS is withdrawn, but has bogus signature.
@@ -456,64 +443,123 @@ def test_checkds_dswithdrawn(named_port):
    # 2.2.1: DS is correctly withdrawn from all parents.
    # parental-agents: ns5, ns7
    #
-    zone_check(server, "good.explicit.dsremoved.ns5-7.")
+    zone_check(server, "good.{}.dsremoved.ns5-7.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone good.{}.dsremoved.ns5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.7",
+        "zone good.{}.dsremoved.ns5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7".format(checkds),
    )
-    keystate_check(parent, "good.explicit.dsremoved.ns5-7.", "DSRemoved")
+    keystate_check(parent, "good.{}.dsremoved.ns5-7.".format(checkds), "DSRemoved")

    #
    # 2.2.2: DS is not withdrawn from some parents.
    # parental-agents: ns2, ns5, ns7
    #
-    zone_check(server, "incomplete.explicit.dsremoved.ns2-5-7.")
+    zone_check(server, "incomplete.{}.dsremoved.ns2-5-7.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.7",
+        "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7".format(checkds),
    )
-    keystate_check(parent, "incomplete.explicit.dsremoved.ns2-5-7.", "!DSRemoved")
+    keystate_check(parent, "incomplete.{}.dsremoved.ns2-5-7.".format(checkds), "!DSRemoved")

    #
    # 2.2.3: One parental agent is badly configured.
    # parental-agents: ns5, ns6, ns7
    #
-    zone_check(server, "bad.explicit.dsremoved.ns5-6-7.")
+    zone_check(server, "bad.{}.dsremoved.ns5-6-7.".format(checkds))
    wait_for_log(
        "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.7",
+        "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7".format(checkds),
    )
    wait_for_log(
        "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
+        "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6".format(checkds),
    )
-    keystate_check(parent, "bad.explicit.dsremoved.ns5-6-7.", "!DSRemoved")
+    keystate_check(parent, "bad.{}.dsremoved.ns5-6-7.".format(checkds), "!DSRemoved")

    #
    # 2.2.4:: DS is removed completely, bogus signature.
    #
    # TBD
+
+
+def test_checkds_reference(named_port):
+    # We create resolver instances that will be used to send queries.
+    server = dns.resolver.Resolver()
+    server.nameservers = ["10.53.0.9"]
+    server.port = named_port
+
+    parent = dns.resolver.Resolver()
+    parent.nameservers = ["10.53.0.2"]
+    parent.port = named_port
+
+    # Using a reference to parental-agents.
+    zone_check(server, "reference.explicit.dspublish.ns2.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone reference.explicit.dspublish.ns2/IN (signed): "
+        "checkds: DS response from 10.53.0.2",
+    )
+    keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
+
+
+def test_checkds_resolver(named_port):
+    # We create resolver instances that will be used to send queries.
+    server = dns.resolver.Resolver()
+    server.nameservers = ["10.53.0.9"]
+    server.port = named_port
+
+    parent = dns.resolver.Resolver()
+    parent.nameservers = ["10.53.0.2"]
+    parent.port = named_port
+
+    # Using a resolver as parental-agent (ns3).
+    zone_check(server, "resolver.explicit.dspublish.ns2.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: "
+        "DS response from 10.53.0.3",
+    )
+    keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish")
+
+    # Using a resolver as parental-agent (ns3).
+    zone_check(server, "resolver.explicit.dsremoved.ns5.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.3",
+    )
+    keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved")
+
+
+def test_checkds_dspublished(named_port):
+    checkds_dspublished(named_port, "explicit")
+    checkds_dspublished(named_port, "yes")
+
+
+def test_checkds_dswithdrawn(named_port):
+    checkds_dswithdrawn(named_port, "explicit")
+    checkds_dswithdrawn(named_port, "yes")