zonemaster-engine icon indicating copy to clipboard operation
zonemaster-engine copied to clipboard
verified publisher icon zonemaster

Update DNSSEC07 implementation

Open tgreenx opened this issue 2 months ago • 4 comments

Purpose

This PR proposes an update of test case DNSSEC07 implementation.

Context

Test case specification: https://github.com/zonemaster/zonemaster/pull/1425 Test scenarios specification: https://github.com/zonemaster/zonemaster/pull/1432

Changes

  • Update implementation (test case, message tags, profile, DNSSEC module test plan)
  • Update unit tests
  • Update unit test data

How to test this PR

Unit tests are updated and should pass.

tgreenx avatar Oct 30 '25 14:10 tgreenx

From the description of zonemaster/zonemaster#1425:

After this update, DNSSEC07 should still be run first, and then DNSSEC11. If updated DNSSEC07 outputs DS07_NOT_SIGNED then no other test cases, besides DNSSEC11, in DNSSEC module should be run.

I.e. DNSSEC07 and DNSSEC11 should always be run.

Should that be included in the specification? I do not think so, but it should be stated somewhere.

For that purpose with have the "Special procedural requirements" section in the specification, which I followed. But it seems it was not entirely updated correctly then.

tgreenx avatar Nov 04 '25 09:11 tgreenx

Besides that DNSSEC11 should always be run it looks fine. All scenarios pass.

Updated and rebased on top of #1475

tgreenx avatar Nov 04 '25 10:11 tgreenx

Unit test data for t/Test-dnssec.t needs to be re-recorded in order for all unit tests to pass, but that can't be done right now (zut-root.rd.nic.fr is temporarily offline). It will be done at a later time.

tgreenx avatar Nov 04 '25 12:11 tgreenx

Unit test data for t/Test-dnssec.t needs to be re-recorded in order for all unit tests to pass, but that can't be done right now (zut-root.rd.nic.fr is temporarily offline). It will be done at a later time.

I suggest that the failing tests are marked as TODO. What test cases are affected? I could possibly create scenarios for them.

matsduf avatar Nov 04 '25 13:11 matsduf

@matsduf please re-review, unit tests have been re-recorded (the test zones are back online).

tgreenx avatar Nov 13 '25 13:11 tgreenx

It does not look like the tag NOT_SIGNED show up in the output, which seems strange.

It is not strange. It is outputted, but on DEBUG level. If level is set to DEBUG in zonemaster-cli it is outputted.

matsduf avatar Nov 14 '25 08:11 matsduf

The NOT_SIGNED tag should be cleaned away, but it does no harm. The cleaning could also be done later.

Done (removed). I've also rebased and fixed several conflicts. Please re-review

tgreenx avatar Nov 14 '25 09:11 tgreenx