summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/nsec3
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
commit3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch)
tree2e1c188dd7b8d7475cd163de9ae02c428343669b /bin/tests/system/nsec3
parentInitial commit. (diff)
downloadbind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz
bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip
Adding upstream version 1:9.18.19.upstream/1%9.18.19upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/nsec3')
-rw-r--r--bin/tests/system/nsec3/clean.sh22
-rw-r--r--bin/tests/system/nsec3/ns2/named.conf.in47
-rw-r--r--bin/tests/system/nsec3/ns2/setup.sh22
-rw-r--r--bin/tests/system/nsec3/ns2/template.db.in28
-rw-r--r--bin/tests/system/nsec3/ns3/named.conf.in218
-rw-r--r--bin/tests/system/nsec3/ns3/named2.conf.in212
-rw-r--r--bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in19
-rw-r--r--bin/tests/system/nsec3/ns3/setup.sh60
-rw-r--r--bin/tests/system/nsec3/ns3/template.db.in27
-rw-r--r--bin/tests/system/nsec3/setup.sh30
-rw-r--r--bin/tests/system/nsec3/tests.sh553
-rw-r--r--bin/tests/system/nsec3/tests_sh_nsec3.py14
12 files changed, 1252 insertions, 0 deletions
diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
new file mode 100644
index 0000000..7ca6829
--- /dev/null
+++ b/bin/tests/system/nsec3/clean.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
+rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
+rm -f ns*/keygen.out.* ns*/settime.out.*
+rm -f created.key-* *.created unused.key-*
diff --git a/bin/tests/system/nsec3/ns2/named.conf.in b/bin/tests/system/nsec3/ns2/named.conf.in
new file mode 100644
index 0000000..f4cc1b0
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/named.conf.in
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS2
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ dnssec-validation no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "nsec3-xfr-inline.kasp" {
+ type primary;
+ file "nsec3-xfr-inline.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
diff --git a/bin/tests/system/nsec3/ns2/setup.sh b/bin/tests/system/nsec3/ns2/setup.sh
new file mode 100644
index 0000000..1cbe02f
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns2/setup.sh"
+
+zone="nsec3-xfr-inline.kasp"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+cp template.db.in "$zonefile"
diff --git a/bin/tests/system/nsec3/ns2/template.db.in b/bin/tests/system/nsec3/ns2/template.db.in
new file mode 100644
index 0000000..8379c37
--- /dev/null
+++ b/bin/tests/system/nsec3/ns2/template.db.in
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns2
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in
new file mode 100644
index 0000000..de09774
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "rsasha1" {
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ };
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 11 optout yes salt-length 8;
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+ type primary;
+ file "nsec-to-nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec";
+};
+
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should work despite the incompatible RSAHSHA1 algorithm,
+ * because the DS is still in hidden state.
+ */
+zone "rsasha1-to-nsec3.kasp" {
+ type primary;
+ file "rsasha1-to-nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "rsasha1";
+};
+
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should block because RSASHA1 is not compatible with NSEC3,
+ * and the DS is published.
+ */
+zone "rsasha1-to-nsec3-wait.kasp" {
+ type primary;
+ file "rsasha1-to-nsec3-wait.kasp.db";
+ inline-signing yes;
+ dnssec-policy "rsasha1";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
+ * algorithm, because the DS is still in hidden state.
+ */
+zone "nsec3-to-rsasha1.kasp" {
+ type primary;
+ file "nsec3-to-rsasha1.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should also be fine because we are allowed
+ * to change to NSEC with any algorithm, then we can also publish the new
+ * DNSKEY and signatures of the RSASHA1 algorithm.
+ */
+zone "nsec3-to-rsasha1-ds.kasp" {
+ type primary;
+ file "nsec3-to-rsasha1-ds.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+ type primary;
+ file "nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+ type primary;
+ file "nsec3-dynamic.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+ type primary;
+ file "nsec3-other.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3-other";
+};
+
+/* These zones will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+ type primary;
+ file "nsec3-change.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+ type primary;
+ file "nsec3-dynamic-change.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+ type primary;
+ file "nsec3-to-optout.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+ type primary;
+ file "nsec3-from-optout.kasp.db";
+ inline-signing yes;
+ dnssec-policy "optout";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+ type primary;
+ file "nsec3-to-nsec.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* The zone fails to load, this should not prevent shutdown. */
+zone "nsec3-fails-to-load.kasp" {
+ type primary;
+ file "nsec3-fails-to-load.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-to-inline.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-update-inline.kasp.db";
+ inline-signing yes;
+ allow-update { any; };
+ dnssec-policy "nsec";
+};
+
+zone "nsec3-xfr-inline.kasp" {
+ type secondary;
+ file "nsec3-xfr-inline.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec";
+ primaries { 10.53.0.2; };
+};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
new file mode 100644
index 0000000..084bba3
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+dnssec-policy "nsec" {
+ // no need to change configuration: if no 'nsec3param' is set,
+ // NSEC will be used;
+};
+
+dnssec-policy "rsasha1" {
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ };
+};
+
+dnssec-policy "nsec3" {
+ nsec3param;
+};
+
+dnssec-policy "optout" {
+ nsec3param optout yes;
+};
+
+dnssec-policy "nsec3-other" {
+ nsec3param iterations 11 optout yes salt-length 0;
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* This zone starts with NSEC, but will be reconfigured to use NSEC3. */
+zone "nsec-to-nsec3.kasp" {
+ type primary;
+ file "nsec-to-nsec3.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec";
+ dnssec-policy "nsec3";
+};
+
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should work despite the incompatible RSAHSHA1 algorithm,
+ * because the DS is still in hidden state.
+ */
+zone "rsasha1-to-nsec3.kasp" {
+ type primary;
+ file "rsasha1-to-nsec3.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "rsasha1";
+ dnssec-policy "nsec3";
+};
+
+/*
+ * This zone starts with NSEC, but will be reconfigured to use NSEC3.
+ * This should block because RSASHA1 is not compatible with NSEC3,
+ * and the DS is published.
+ */
+zone "rsasha1-to-nsec3-wait.kasp" {
+ type primary;
+ file "rsasha1-to-nsec3-wait.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "rsasha1";
+ dnssec-policy "nsec3";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should work despite the incompatible RSAHSHA1
+ * algorithm, because the DS is still in hidden state.
+ */
+zone "nsec3-to-rsasha1.kasp" {
+ type primary;
+ file "nsec3-to-rsasha1.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "rsasha1";
+};
+
+/*
+ * This zone starts with NSEC3, but will be reconfigured to use NSEC with an
+ * NSEC only algorithm. This should also be fine because we are allowed
+ * to change to NSEC with any algorithm, then we can also publish the new
+ * DNSKEY and signatures of the RSASHA1 algorithm.
+ */
+zone "nsec3-to-rsasha1-ds.kasp" {
+ type primary;
+ file "nsec3-to-rsasha1-ds.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "rsasha1";
+};
+
+/* These zones use the default NSEC3 settings. */
+zone "nsec3.kasp" {
+ type primary;
+ file "nsec3.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+zone "nsec3-dynamic.kasp" {
+ type primary;
+ file "nsec3-dynamic.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* This zone uses non-default NSEC3 settings. */
+zone "nsec3-other.kasp" {
+ type primary;
+ file "nsec3-other.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3-other";
+};
+
+/* These zone will be reconfigured to use other NSEC3 settings. */
+zone "nsec3-change.kasp" {
+ type primary;
+ file "nsec3-change.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec3-other";
+};
+
+zone "nsec3-dynamic-change.kasp" {
+ type primary;
+ file "nsec3-dynamic-change.kasp.db";
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec3-other";
+ allow-update { any; };
+};
+
+/* The zone will be reconfigured to use opt-out. */
+zone "nsec3-to-optout.kasp" {
+ type primary;
+ file "nsec3-to-optout.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "optout";
+};
+
+/* The zone will be reconfigured to disable opt-out. */
+zone "nsec3-from-optout.kasp" {
+ type primary;
+ file "nsec3-from-optout.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "optout";
+ dnssec-policy "nsec3";
+};
+
+/* The zone starts with NSEC3, but will be reconfigured to use NSEC. */
+zone "nsec3-to-nsec.kasp" {
+ type primary;
+ file "nsec3-to-nsec.kasp.db";
+ inline-signing yes;
+ //dnssec-policy "nsec3";
+ dnssec-policy "nsec";
+};
+
+/* The zone fails to load, but is fixed after a reload. */
+zone "nsec3-fails-to-load.kasp" {
+ type primary;
+ file "nsec3-fails-to-load.kasp.db";
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+/* These zones switch from dynamic to inline-signing or vice versa. */
+zone "nsec3-dynamic-to-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-to-inline.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing no;
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in
new file mode 100644
index 0000000..77b0d10
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/nsec3-fails-to-load.kasp.db.in
@@ -0,0 +1,19 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ IN SOA kasp. nsec3-fails-to-load.kasp. (
+ 1 ; serial
+ 30 ; refresh (30 seconds)
+ 10 ; retry (10 seconds)
+ 3600000 ; expire (5 weeks 6 days 16 hours)
+ 300 ; minimum (5 minutes)
+ )
+ NS nsec3-fails-to-load.kasp.
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
new file mode 100644
index 0000000..68bc2e4
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -0,0 +1,60 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in "$zonefile"
+}
+
+for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
+ nsec3-to-optout nsec3-from-optout nsec3-dynamic \
+ nsec3-dynamic-change nsec3-dynamic-to-inline \
+ nsec3-inline-to-dynamic nsec3-dynamic-update-inline
+do
+ setup "${zn}.kasp"
+done
+
+if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
+then
+ for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \
+ nsec3-to-rsasha1-ds
+ do
+ setup "${zn}.kasp"
+ done
+
+ longago="now-1y"
+ keytimes="-P ${longago} -A ${longago}"
+ O="omnipresent"
+
+ zone="rsasha1-to-nsec3-wait.kasp"
+ CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2> keygen.out.$zone)
+ echo_i "Created key file $CSK"
+ $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1
+
+ zone="nsec3-to-rsasha1-ds.kasp"
+ CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2> keygen.out.$zone)
+ echo_i "Created key file $CSK"
+ $SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" > settime.out.$zone 2>&1
+else
+ echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported"
+fi
+
+cp nsec3-fails-to-load.kasp.db.in nsec3-fails-to-load.kasp.db
diff --git a/bin/tests/system/nsec3/ns3/template.db.in b/bin/tests/system/nsec3/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh
new file mode 100644
index 0000000..bdd1ae9
--- /dev/null
+++ b/bin/tests/system/nsec3/setup.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns2/named.conf.in ns2/named.conf
+(
+ cd ns2
+ $SHELL setup.sh
+)
+copy_setports ns3/named.conf.in ns3/named.conf
+(
+ cd ns3
+ $SHELL setup.sh
+)
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
new file mode 100644
index 0000000..117bf63
--- /dev/null
+++ b/bin/tests/system/nsec3/tests.sh
@@ -0,0 +1,553 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+# shellcheck source=conf.sh
+. ../conf.sh
+# shellcheck source=kasp.sh
+. ../kasp.sh
+
+# Log errors and increment $ret.
+log_error() {
+ echo_i "error: $1"
+ ret=$((ret+1))
+}
+
+# Call dig with default options.
+dig_with_opts() {
+ $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+}
+
+# Call rndc.
+rndccmd() {
+ "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+}
+
+# Set zone name ($1) and policy ($2) for testing nsec3.
+set_zone_policy() {
+ ZONE=$1
+ POLICY=$2
+ NUM_KEYS=$3
+ DNSKEY_TTL=$4
+}
+# Set expected NSEC3 parameters: flags ($1), iterations ($2), and
+# salt length ($3).
+set_nsec3param() {
+ FLAGS=$1
+ ITERATIONS=$2
+ SALTLEN=$3
+ # Reset salt.
+ SALT=""
+}
+
+# Set expected default dnssec-policy keys values.
+set_key_default_values() {
+ key_clear $1
+
+ set_keyrole $1 "csk"
+ set_keylifetime $1 "0"
+ set_keyalgorithm $1 "13" "ECDSAP256SHA256" "256"
+ set_keysigning $1 "yes"
+ set_zonesigning $1 "yes"
+
+ set_keystate $1 "GOAL" "omnipresent"
+ set_keystate $1 "STATE_DNSKEY" "rumoured"
+ set_keystate $1 "STATE_KRRSIG" "rumoured"
+ set_keystate $1 "STATE_ZRRSIG" "rumoured"
+ set_keystate $1 "STATE_DS" "hidden"
+}
+
+# Set expected rsasha1 dnssec-policy keys values.
+set_key_rsasha1_values() {
+ key_clear $1
+
+ set_keyrole $1 "csk"
+ set_keylifetime $1 "0"
+ set_keyalgorithm $1 "5" "RSASHA1" "2048"
+ set_keysigning $1 "yes"
+ set_zonesigning $1 "yes"
+
+ set_keystate $1 "GOAL" "omnipresent"
+ set_keystate $1 "STATE_DNSKEY" "rumoured"
+ set_keystate $1 "STATE_KRRSIG" "rumoured"
+ set_keystate $1 "STATE_ZRRSIG" "rumoured"
+ set_keystate $1 "STATE_DS" "hidden"
+}
+
+# Update the key states.
+set_key_states() {
+ set_keystate $1 "GOAL" "$2"
+ set_keystate $1 "STATE_DNSKEY" "$3"
+ set_keystate $1 "STATE_KRRSIG" "$4"
+ set_keystate $1 "STATE_ZRRSIG" "$5"
+ set_keystate $1 "STATE_DS" "$6"
+}
+
+# The apex NSEC3PARAM record indicates that it is signed.
+_wait_for_nsec3param() {
+ dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n.wait" || return 1
+ grep "${ZONE}\..*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+ return 0
+}
+# The apex NSEC record indicates that it is signed.
+_wait_for_nsec() {
+ dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC > "dig.out.test$n.wait" || return 1
+ grep "NS SOA" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.test$n.wait" > /dev/null || return 1
+ grep "${ZONE}\..*IN.*NSEC3PARAM" "dig.out.test$n.wait" > /dev/null && return 1
+ return 0
+}
+
+# Wait for the zone to be signed.
+wait_for_zone_is_signed() {
+ n=$((n+1))
+ ret=0
+ echo_i "wait for ${ZONE} to be signed with $1 ($n)"
+
+ if [ "$1" = "nsec3" ]; then
+ retry_quiet 10 _wait_for_nsec3param || log_error "wait for ${ZONE} to be signed failed"
+ else
+ retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed"
+ fi
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test: check DNSSEC verify
+_check_dnssec_verify() {
+ dig_with_opts @$SERVER "${ZONE}" AXFR > "dig.out.test$n.axfr.$ZONE" || return 1
+ $VERIFY -z -o "$ZONE" "dig.out.test$n.axfr.$ZONE" > "verify.out.test$n.$ZONE" 2>&1 || return 1
+ return 0
+}
+
+# Test: check NSEC in answers
+_check_nsec_nsec3param() {
+ dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+ grep "NSEC3PARAM" "dig.out.test$n.nsec3param.$ZONE" > /dev/null && return 1
+ return 0
+}
+
+_check_nsec_nxdomain() {
+ dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+ grep "${ZONE}.*IN.*NSEC.*NS.*SOA.*RRSIG.*NSEC.*DNSKEY" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+ grep "NSEC3" "dig.out.test$n.nxdomain.$ZONE" > /dev/null && return 1
+ return 0
+}
+
+check_nsec() {
+ wait_for_zone_is_signed "nsec"
+
+ n=$((n+1))
+ echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
+ ret=0
+ check_keys
+ retry_quiet 10 _check_apex_dnskey || log_error "bad DNSKEY RRset for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "verify DNSSEC for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check NSEC3PARAM response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec_nsec3param || log_error "unexpected NSEC3PARAM in response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check NXDOMAIN response for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+# Test: check NSEC3 parameters in answers
+_check_nsec3_nsec3param() {
+ dig_with_opts +noquestion @$SERVER "${ZONE}" NSEC3PARAM > "dig.out.test$n.nsec3param.$ZONE" || return 1
+ grep "${ZONE}.*0.*IN.*NSEC3PARAM.*1.*0.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nsec3param.$ZONE" > /dev/null || return 1
+
+ if [ -z "$SALT" ]; then
+ SALT=$(awk '$4 == "NSEC3PARAM" { print $8 }' dig.out.test$n.nsec3param.$ZONE)
+ fi
+ return 0
+}
+
+_check_nsec3_nxdomain() {
+ dig_with_opts @$SERVER "nosuchname.${ZONE}" > "dig.out.test$n.nxdomain.$ZONE" || return 1
+ grep ".*\.${ZONE}.*IN.*NSEC3.*1.${FLAGS}.*${ITERATIONS}.*${SALT}" "dig.out.test$n.nxdomain.$ZONE" > /dev/null || return 1
+ return 0
+}
+
+check_nsec3() {
+ wait_for_zone_is_signed "nsec3"
+
+ n=$((n+1))
+ echo_i "check that NSEC3PARAM 1 0 ${ITERATIONS} is published zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec3_nsec3param || log_error "bad NSEC3PARAM response for ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "check NXDOMAIN response has correct NSEC3 1 ${FLAGS} ${ITERATIONS} ${SALT} for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_nsec3_nxdomain || log_error "bad NXDOMAIN response for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+
+ n=$((n+1))
+ echo_i "verify DNSSEC for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_dnssec_verify || log_error "DNSSEC verify failed for zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Zone: nsec-to-nsec3.kasp.
+set_zone_policy "nsec-to-nsec3.kasp" "nsec" 1 3600
+set_server "ns3" "10.53.0.3"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+if ($SHELL ../testcrypto.sh -q RSASHA1)
+then
+ # Zone: rsasha1-to-nsec3.kasp.
+ set_zone_policy "rsasha1-to-nsec3.kasp" "rsasha1" 1 3600
+ set_server "ns3" "10.53.0.3"
+ set_key_rsasha1_values "KEY1"
+ echo_i "initial check zone ${ZONE}"
+ check_nsec
+
+ # Zone: rsasha1-to-nsec3-wait.kasp.
+ set_zone_policy "rsasha1-to-nsec3-wait.kasp" "rsasha1" 1 3600
+ set_server "ns3" "10.53.0.3"
+ set_key_rsasha1_values "KEY1"
+ set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+ echo_i "initial check zone ${ZONE}"
+ check_nsec
+
+ # Zone: nsec3-to-rsasha1.kasp.
+ set_zone_policy "nsec3-to-rsasha1.kasp" "nsec3" 1 3600
+ set_server "ns3" "10.53.0.3"
+ set_key_rsasha1_values "KEY1"
+ echo_i "initial check zone ${ZONE}"
+ check_nsec3
+
+ # Zone: nsec3-to-rsasha1-ds.kasp.
+ set_zone_policy "nsec3-to-rsasha1-ds.kasp" "nsec3" 1 3600
+ set_server "ns3" "10.53.0.3"
+ set_key_rsasha1_values "KEY1"
+ set_key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+ echo_i "initial check zone ${ZONE}"
+ check_nsec3
+fi
+
+# Zone: nsec3.kasp.
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-dynamic.kasp.
+set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-change.kasp.
+set_zone_policy "nsec3-change.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-dynamic-change.kasp.
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-dynamic-to-inline.kasp.
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-inline-to-dynamic.kasp.
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-to-nsec.kasp.
+set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-to-optout.kasp.
+set_zone_policy "nsec3-to-optout.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-from-optout.kasp.
+set_zone_policy "nsec3-from-optout.kasp" "optout" 1 3600
+set_nsec3param "1" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-other.kasp.
+set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
+set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-xfr-inline.kasp.
+# This is a secondary zone, where the primary is signed with NSEC3 but
+# the dnssec-policy dictates NSEC.
+set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+# Zone: nsec3-dynamic-update-inline.kasp.
+set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec
+
+n=$((n+1))
+echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)"
+ret=0
+$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1
+server 10.53.0.3 ${PORT}
+zone ${ZONE}.
+update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG
+send
+END
+wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1
+check_nsec
+
+# Reconfig named.
+ret=0
+echo_i "reconfig dnssec-policy to trigger nsec3 rollovers"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+# Zone: nsec-to-nsec3.kasp. (reconfigured)
+set_zone_policy "nsec-to-nsec3.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+if ($SHELL ../testcrypto.sh -q RSASHA1)
+then
+ # Zone: rsasha1-to-nsec3.kasp.
+ set_zone_policy "rsasha1-to-nsec3.kasp" "nsec3" 2 3600
+ set_server "ns3" "10.53.0.3"
+ set_key_rsasha1_values "KEY1"
+ set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
+ set_keysigning "KEY1" "no"
+ set_zonesigning "KEY1" "no"
+ set_key_default_values "KEY2"
+ echo_i "check zone ${ZONE} after reconfig"
+ check_nsec3
+
+ # Zone: rsasha1-to-nsec3-wait.kasp.
+ set_zone_policy "rsasha1-to-nsec3-wait.kasp" "nsec3" 2 3600
+ set_server "ns3" "10.53.0.3"
+ set_key_rsasha1_values "KEY1"
+ set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+ set_key_default_values "KEY2"
+ echo_i "check zone ${ZONE} after reconfig"
+ check_nsec
+
+ # Zone: nsec3-to-rsasha1.kasp.
+ set_zone_policy "nsec3-to-rsasha1.kasp" "rsasha1" 2 3600
+ set_nsec3param "1" "0" "0"
+ set_server "ns3" "10.53.0.3"
+ set_key_default_values "KEY1"
+ set_key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
+ set_keysigning "KEY1" "no"
+ set_zonesigning "KEY1" "no"
+ set_key_rsasha1_values "KEY2"
+ echo_i "check zone ${ZONE} after reconfig"
+ check_nsec
+
+ # Zone: nsec3-to-rsasha1-ds.kasp.
+ set_zone_policy "nsec3-to-rsasha1-ds.kasp" "rsasha1" 2 3600
+ set_nsec3param "1" "0" "0"
+ set_server "ns3" "10.53.0.3"
+ set_key_default_values "KEY1"
+ set_key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+ set_key_rsasha1_values "KEY2"
+ echo_i "check zone ${ZONE} after reconfig"
+ check_nsec
+
+ key_clear "KEY1"
+ key_clear "KEY2"
+fi
+
+# Zone: nsec3.kasp. (same)
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Zone: nsec3-dyamic.kasp. (same)
+set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Zone: nsec3-change.kasp. (reconfigured)
+set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
+set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Zone: nsec3-dynamic-change.kasp. (reconfigured)
+set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
+set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Zone: nsec3-dynamic-to-inline.kasp. (same)
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Zone: nsec3-inline-to-dynamic.kasp. (same)
+set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
+# Zone: nsec3-to-nsec.kasp. (reconfigured)
+set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
+set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec
+
+# Zone: nsec3-to-optout.kasp. (reconfigured)
+# DISABLED:
+# There is a bug in the nsec3param building code that thinks when the
+# optout bit is changed, the chain already exists. [GL #2216]
+#set_zone_policy "nsec3-to-optout.kasp" "optout" 1 3600
+#set_nsec3param "1" "0" "0"
+#set_key_default_values "KEY1"
+#echo_i "check zone ${ZONE} after reconfig"
+#check_nsec3
+
+# Zone: nsec3-from-optout.kasp. (reconfigured)
+# DISABLED:
+# There is a bug in the nsec3param building code that thinks when the
+# optout bit is changed, the chain already exists. [GL #2216]
+#set_zone_policy "nsec3-from-optout.kasp" "nsec3" 1 3600
+#set_nsec3param "0" "0" "0"
+#set_key_default_values "KEY1"
+#echo_i "check zone ${ZONE} after reconfig"
+#check_nsec3
+
+# Zone: nsec3-other.kasp. (same)
+set_zone_policy "nsec3-other.kasp" "nsec3-other" 1 3600
+set_nsec3param "1" "11" "8"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
+# Using rndc signing -nsec3param (should fail)
+set_zone_policy "nsec3-change.kasp" "nsec3-other" 1 3600
+echo_i "use rndc signing -nsec3param ${ZONE} to change NSEC3 settings"
+rndccmd $SERVER signing -nsec3param 1 1 12 ffff $ZONE > rndc.signing.test$n.$ZONE || log_error "failed to call rndc signing -nsec3param $ZONE"
+grep "zone uses dnssec-policy, use rndc dnssec command instead" rndc.signing.test$n.$ZONE > /dev/null || log_error "rndc signing -nsec3param should fail"
+check_nsec3
+
+# Test NSEC3 and NSEC3PARAM is the same after restart
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} before restart"
+check_nsec3
+
+# Restart named, NSEC3 should stay the same.
+ret=0
+echo "stop ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ${DIR} || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+ret=0
+echo "start ns3"
+start_server --noclean --restart --port ${PORT} ${DIR}
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+prevsalt="${SALT}"
+set_zone_policy "nsec3.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+SALT="${prevsalt}"
+echo_i "check zone ${ZONE} after restart has salt ${SALT}"
+check_nsec3
+
+# Zone: nsec3-fails-to-load.kasp. (should be fixed after reload)
+cp ns3/template.db.in ns3/nsec3-fails-to-load.kasp.db
+rndc_reload ns3 10.53.0.3
+
+set_zone_policy "nsec3-fails-to-load.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reload"
+check_nsec3
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/nsec3/tests_sh_nsec3.py b/bin/tests/system/nsec3/tests_sh_nsec3.py
new file mode 100644
index 0000000..16df541
--- /dev/null
+++ b/bin/tests/system/nsec3/tests_sh_nsec3.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_nsec3(run_tests_sh):
+ run_tests_sh()