From 25690af358716306ff530d9ca0985d4a373e75da Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 27 Mar 2025 19:59:53 -0700
Subject: [PATCH] Fix out-of-tree test

A recent change to the dnssec system test depended on a file
that is only in the source tree, not in the build tree, and was
therefore not available in out-of-tree builds.
---
 bin/tests/system/dnssec/ns1/sign.sh        |  6 ++++++
 bin/tests/system/dnssec/ns4/named5.conf.in | 11 ++++++-----
 bin/tests/system/dnssec/tests_sh_dnssec.py |  1 +
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 63d2c58ff9..90286fb3e6 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -65,3 +65,9 @@ cp managed.conf ../ns4/managed.conf
 #
 
 keyfile_to_key_id "$ksk" >managed.key.id
+
+#
+# Also generate a broken trusted-keys file for the dnssec test.
+#
+broken=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" .)
+keyfile_to_static_ds "$broken" >../ns4/broken.conf
diff --git a/bin/tests/system/dnssec/ns4/named5.conf.in b/bin/tests/system/dnssec/ns4/named5.conf.in
index 16c81264e1..dae14c328b 100644
--- a/bin/tests/system/dnssec/ns4/named5.conf.in
+++ b/bin/tests/system/dnssec/ns4/named5.conf.in
@@ -27,11 +27,12 @@ options {
 
 };
 
-# Note: This is deliberately wrong! The bind.keys file contains
-# the real DNS root key, so it won't work with the local toy
-# root zones used in the tests. This is to test a forwarder
-# talking to a resolver with a misconfigured trust anchor.
-include "../../../../../bind.keys";
+# Note: This contains a deliberately incorrect key,
+# so it won't work with the root zones used in the tests;
+# all signed data should SERVFAIL. This is to test the case
+# of a validating forwarder talking to a resolver that has
+# a misconfigured trust anchor.
+include "broken.conf";
 
 key rndc_key {
 	secret "1234abcd8765";
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index 91a8ba24eb..ac95282452 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -147,6 +147,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns3/upper.example.db",
         "ns3/upper.example.db.lower",
         "ns3/ds-unsupported.example.db",
+        "ns4/broken.conf",
         "ns4/managed.conf",
         "ns4/managed-keys.bind",
         "ns4/named.secroots",