[master] Improve clarity of keytable unit tests

4799. [cleanup] Improve clarity of keytable unit tests. [RT #46407]
2025-08-30 22:15:20 +00:00 · 2017-10-28 19:59:40 +02:00
parent 8f532a13cb
commit c6c1193e39
2 changed files with 13 additions and 14 deletions
--- a/2
+++ b/2
@@ -1,3 +1,5 @@
+4799.	[cleanup]	Improve clarity of keytable unit tests. [RT #46407]
+
 4798.	[func]		Keys specified in "managed-keys" statements
 			are tagged as "initializing" until they have been
 			updated by a key refresh query. If initialization
--- a/lib/dns/tests/keytable_test.c
+++ b/lib/dns/tests/keytable_test.c
@@ -457,8 +457,7 @@ ATF_TC_BODY(find, tc) {

 	/*
 	 * dns_keytable_find() requires exact name match.  It matches node
-	 * that has a null key, too.  But it doesn't match a negative trust
-	 * anchor.
+	 * that has a null key, too.
 	 */
 	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("example.org"),
 					 &keynode), ISC_R_NOTFOUND);
@@ -471,12 +470,10 @@ ATF_TC_BODY(find, tc) {
 					 &keynode), ISC_R_SUCCESS);
 	ATF_REQUIRE_EQ(dns_keynode_key(keynode), NULL);
 	dns_keytable_detachkeynode(keytable, &keynode);
-	ATF_REQUIRE_EQ(dns_keytable_find(keytable, str2name("insecure.example"),
-					 &keynode), ISC_R_NOTFOUND);

 	/*
 	 * dns_keytable_finddeepestmatch() allows partial match.  Also match
-	 * nodes with a null key or a negative trust anchor.
+	 * nodes with a null key.
 	 */
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
@@ -500,8 +497,7 @@ ATF_TC_BODY(find, tc) {
 	/*
 	 * dns_keytable_findkeynode() requires exact name, algorithm, keytag
 	 * match.  If algorithm or keytag doesn't match, should result in
-	 * PARTIALMATCH.  Same for a node with a null key or a negative trust
-	 * anchor.
+	 * PARTIALMATCH.  Same for a node with a null key.
 	 */
 	ATF_REQUIRE_EQ(dns_keytable_findkeynode(keytable,
 						str2name("example.org"),
@@ -563,19 +559,15 @@ ATF_TC_BODY(issecuredomain, tc) {
 	}

 	/*
-	 * Domains that are an exact or partial match of a negative trust
-	 * anchor are considered insecure.
+	 * If the key table has no entry (not even a null one) for a domain or
+	 * any of its ancestors, that domain is considered insecure.
 	 */
 	ATF_REQUIRE_EQ(dns_keytable_issecuredomain(keytable,
-						   str2name("insecure.example"),
+						   str2name("example.org"),
 						   NULL,
 						   &issecure),
 		       ISC_R_SUCCESS);
 	ATF_REQUIRE_EQ(issecure, ISC_FALSE);
-	ATF_REQUIRE_EQ(dns_keytable_issecuredomain(
-			       keytable, str2name("sub.insecure.example"),
-			       NULL, &issecure), ISC_R_SUCCESS);
-	ATF_REQUIRE_EQ(issecure, ISC_FALSE);

 	destroy_tables();
 	dns_test_end();
@@ -675,6 +667,11 @@ ATF_TC_BODY(nta, tc) {
 	ATF_CHECK(issecure);

 	/* Now check deletion */
+	result = dns_view_issecuredomain(myview, str2name("test.new.example"),
+					 now, ISC_TRUE, &issecure);
+	ATF_CHECK_EQ(result, ISC_R_SUCCESS);
+	ATF_CHECK(issecure);
+
 	result = dns_ntatable_add(ntatable, str2name("new.example"),
 				  ISC_FALSE, now, 3600);
 	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);