Separate test into a new directory

The test actually needs just two servers - auth and resolver. The rest
was not needed and made test setup only slower and harder to debug.

bin/tests/system/nsec3-answer/ns1/named.conf.j2

@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS1
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+zone "." {
+	type primary;
+	file "root.db.signed";
+};

bin/tests/system/nsec3-answer/ns1/root.db.in

@@ -0,0 +1,39 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	. . (
+				2025063000	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+
+02hc3em7bdd011a0gms3hkkjt2if5vp8.		A	10.0.0.0
+a.						A	10.0.0.1
+*.a.a.						A	10.0.0.6
+a.a.a.a.					A	10.0.0.3
+b.						A	10.0.0.2
+b.b.b.b.b.b.b.b.b.b.b.b.b.b.b.b.b.b.b.b.b.	A	10.0.0.2
+; cname.						CNAME	cname.a.a.
+d.						A	10.0.0.4
+dname-nowhere.					DNAME	does-not-exist.
+insecure.					NS	a.root-servers.nil.
+ns.insecure.					A	10.53.0.3
+a.root-servers.nil.				A	10.53.0.1
+secure.						NS	a.root-servers.nil.
+secure.						DS	11111 13 255 00
+occluded.secure.				A	0.0.0.0
+*.wild.						A	10.0.0.6
+explicit.wild.					A	192.0.2.66
+z.						A	10.0.0.26

bin/tests/system/nsec3-answer/ns1/sign.sh

@@ -0,0 +1,32 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+set -e
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+echo_i "ns1/sign.sh"
+
+ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
+
+cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
+
+"$SIGNER" -3 - -o "$zone" "$zonefile" 2>&1 >"$zonefile.sign.log"
+
+keyfile_to_initial_ds "$ksk" >managed-keys.conf

bin/tests/system/nsec3-answer/ns2/named.conf.j2

@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// validating resolver
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../../_common/rndc.key";
+
+zone "." {
+	type hint;
+	file "../../_common/root.hint";
+};
+
+include "../ns1/managed-keys.conf";

bin/tests/system/nsec3-answer/setup.sh

@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+(
+  cd ns1
+  $SHELL sign.sh
+)

bin/tests/system/nsec3-answer/tests_nsec3.py

@@ -36,12 +36,12 @@ import isctest.name
 
 from hypothesis import assume, given
 
-SUFFIX = dns.name.from_text("nsec3.example.")
+SUFFIX = dns.name.from_text(".")
-AUTH = "10.53.0.3"
+AUTH = "10.53.0.1"
-RESOLVER = "10.53.0.4"
+RESOLVER = "10.53.0.2"
 TIMEOUT = 5
 ZONE = isctest.name.ZoneAnalyzer.read_path(
-    Path(os.environ["builddir"]) / "dnssec/ns3/nsec3.example.db.in", origin=SUFFIX
+    Path(os.environ["srcdir"]) / "nsec3-answer/ns1/root.db.in", origin=SUFFIX
 )
 
 
@@ -56,7 +56,7 @@ def do_test_query(
 
 
 @pytest.mark.parametrize(
-    "server", [pytest.param(AUTH, id="ns3"), pytest.param(RESOLVER, id="ns4")]
+    "server", [pytest.param(AUTH, id="ns1"), pytest.param(RESOLVER, id="ns2")]
 )
 @given(qname=sampled_from(sorted(ZONE.reachable)))
 def test_nodata(server, qname: dns.name.Name, named_port: int) -> None:
@@ -72,7 +72,7 @@ def assume_nx_and_no_delegation(qname):
     assume(qname not in ZONE.all_existing_names)
 
     # name must not be under a delegation or DNAME:
-    # it would not work with resolver ns4
+    # it would not work with resolver ns2
     assume(
         not isctest.name.is_related_to_any(
             qname,
@@ -83,7 +83,7 @@ def assume_nx_and_no_delegation(qname):
 
 
 @pytest.mark.parametrize(
-    "server", [pytest.param(AUTH, id="ns3"), pytest.param(RESOLVER, id="ns4")]
+    "server", [pytest.param(AUTH, id="ns1"), pytest.param(RESOLVER, id="ns2")]
 )
 @given(qname=dns_names(suffix=SUFFIX))
 def test_nxdomain(server, qname: dns.name.Name, named_port: int) -> None:
@@ -96,7 +96,7 @@ def test_nxdomain(server, qname: dns.name.Name, named_port: int) -> None:
 
 
 @pytest.mark.parametrize(
-    "server", [pytest.param(AUTH, id="ns3"), pytest.param(RESOLVER, id="ns4")]
+    "server", [pytest.param(AUTH, id="ns1"), pytest.param(RESOLVER, id="ns2")]
 )
 @given(qname=dns_names(suffix=ZONE.ents))
 def test_ents(server, qname: dns.name.Name, named_port: int) -> None:
@@ -112,7 +112,7 @@ def test_ents(server, qname: dns.name.Name, named_port: int) -> None:
 
 
 @pytest.mark.parametrize(
-    "server", [pytest.param(AUTH, id="ns3"), pytest.param(RESOLVER, id="ns4")]
+    "server", [pytest.param(AUTH, id="ns1"), pytest.param(RESOLVER, id="ns2")]
 )
 @given(qname=dns_names(suffix=ZONE.reachable_wildcard_parents))
 def test_wildcard_synthesis(server, qname: dns.name.Name, named_port: int) -> None:
@@ -125,7 +125,7 @@ def test_wildcard_synthesis(server, qname: dns.name.Name, named_port: int) -> No
 
 
 @pytest.mark.parametrize(
-    "server", [pytest.param(AUTH, id="ns3"), pytest.param(RESOLVER, id="ns4")]
+    "server", [pytest.param(AUTH, id="ns1"), pytest.param(RESOLVER, id="ns2")]
 )
 @given(qname=dns_names(suffix=ZONE.reachable_wildcard_parents))
 def test_wildcard_nodata(server, qname: dns.name.Name, named_port: int) -> None: