From 2385aa5d5d30cc8c0a63f55017691f69ccf5324f Mon Sep 17 00:00:00 2001
From: Jan Kadlec <jan.kadlec@nic.cz>
Date: Thu, 9 Oct 2014 16:19:34 +0200
Subject: [PATCH] tests-extra: no_resign: Only allow RRSIGs for SOA and NSEC

---
 tests-extra/tests/dnssec/no_resign/test.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/tests-extra/tests/dnssec/no_resign/test.py b/tests-extra/tests/dnssec/no_resign/test.py
index ab92f27cbe..26d559c5b3 100644
--- a/tests-extra/tests/dnssec/no_resign/test.py
+++ b/tests-extra/tests/dnssec/no_resign/test.py
@@ -13,6 +13,11 @@ def only_nsec_changed(server, zone, serial):
        for rr in msg.answer:
             if rr.rdtype not in [dns.rdatatype.SOA, dns.rdatatype.NSEC, dns.rdatatype.RRSIG]:
                 return False
+            if rr.rdtype == dns.rdatatype.RRSIG:
+                if (not rr.match(rr.name, rr.rdclass, dns.rdatatype.RRSIG, dns.rdatatype.NSEC)) and \
+                   (not rr.match(rr.name, rr.rdclass, dns.rdatatype.RRSIG, dns.rdatatype.SOA)):
+                    # RRSIG covering something else than NSEC or SOA.
+                    return False
    return True
 
 t = Test()
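Review bot: The two `rr.match(...)` calls in the added RRSIG branch pass the RRset's own `rr.name` and `rr.rdclass` back to it, so the only thing they really test is the covered type. Assuming `rr` is a dnspython RRset, as the `rdtype` and `match` usage suggests, the nested condition can be written directly as `if rr.rdtype == dns.rdatatype.RRSIG and rr.covers not in (dns.rdatatype.NSEC, dns.rdatatype.SOA):` followed by `return False`. This also drops the backslash continuation. The comment would be more useful if it stated the invariant being guarded, for example `# A no-resign run must not emit fresh signatures for any RRset other than NSEC and SOA.` The body of `only_nsec_changed` starts outside this hunk, so how `msg` is obtained is not visible here.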
-- 
GitLab