Tests: auto-detect upstream DNSSEC state for query-count assertions #2845

Merged: DL6ER merged 2 commits into development from fix/dnssec_tests on Apr 12, 2026

DL6ER (Member) commented Apr 12, 2026

What does this implement/fix?

The pytest API tests assert exact query counts that depend on whether icloud.com and apple-dns.net are DNSSEC-signed. When Apple removed DNSSEC from those zones (April 2026), dnsmasq stopped firing two DNSKEY validation queries during the mask.icloud.com CNAME chain walk, breaking 7 tests on every CI run - including re-runs of previously green commits.

Instead of hardcoding either set of numbers, detect the current DNSSEC state at test startup by querying the local pdns_recursor (port 5555, bypassing FTL to avoid counter pollution) for DS records on both domains. Four module-level constants (TOTAL, FORWARDED, DNSKEY, TOP_DOMAIN) are set accordingly, and the 11 affected assertions now reference these constants.

The bats "Special domain: Record is returned when explicitly allowed" test is preserved unchanged - the hybrid detection makes it safe regardless of upstream DNSSEC posture.


Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repository's development branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions.
  • I signed all my commits. Pi-hole requires signatures to verify authorship.
  • I have read the above and my PR is ready for review.

The pytest API tests assert exact query counts that depend on whether icloud.com and apple-dns.net are DNSSEC-signed.  When Apple removed DNSSEC from those zones (April 2026), dnsmasq stopped firing two DNSKEY validation queries during the mask.icloud.com CNAME chain walk, breaking 7 tests on every CI run - including re-runs of previously green commits.

Instead of hardcoding either set of numbers, detect the current DNSSEC state at test startup by querying the local pdns_recursor (port 5555, bypassing FTL to avoid counter pollution) for DS records on both domains.  Four module-level constants (TOTAL, FORWARDED, DNSKEY, TOP_DOMAIN) are set accordingly, and the 11 affected assertions now reference these constants.

The bats "Special domain: Record is returned when explicitly allowed" test is preserved unchanged - the hybrid detection makes it safe regardless of upstream DNSSEC posture.

Signed-off-by: Dominik <dl6er@dl6er.de>
Copilot AI review requested due to automatic review settings April 12, 2026 05:59
@DL6ER DL6ER requested a review from a team as a code owner April 12, 2026 05:59
@DL6ER DL6ER added the Tests label Apr 12, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Updates the pytest API integration tests to adapt query-count assertions based on whether upstream domains involved in the mask.icloud.com CNAME chain are currently DNSSEC-signed, avoiding CI breakage when upstream DNSSEC posture changes.

Changes:

  • Add upstream DNSSEC detection by querying DS records via the local pdns_recursor on 127.0.0.1:5555.
  • Introduce module-level expected-counter constants (TOTAL, FORWARDED, DNSKEY, TOP_DOMAIN) derived from detection.
  • Replace hardcoded query-count assertions with references to these constants in the affected tests.

Comment thread test/api/test_api.py Outdated
@DL6ER DL6ER merged commit bdaaa2c into development Apr 12, 2026
18 checks passed
@DL6ER DL6ER deleted the fix/dnssec_tests branch April 12, 2026 13:33
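
The detection step described in this pull request (a DS query sent straight to the local pdns_recursor on 127.0.0.1:5555, so FTL's counters are not touched), as an added example that is not the project's test code. The function names, the fixed transaction ID, and the choice to treat an unreachable resolver as "unsigned" are assumptions made for illustration.

```python
import socket
import struct

RESOLVER = ("127.0.0.1", 5555)  # pdns_recursor port named in the PR description
DS = 43                         # DS resource record type (RFC 4034)

def build_ds_query(name, txid=0x1234):
    """Encode a recursive DS/IN query for `name` as a DNS wire message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", DS, 1)

def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name at `pos`."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        if n == 0:            # root label terminates an uncompressed name
            return pos + 1
        pos += 1 + n

def count_ds_answers(msg, txid=0x1234):
    """Count DS records in the answer section; 0 on error, bad ID or bad parse."""
    pos, found = 12, 0
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if rid != txid or not flags & 0x8000 or flags & 0x000F:
            return 0          # wrong ID, not a response, or RCODE != NOERROR
        for _ in range(qd):
            pos = _skip_name(msg, pos) + 4        # QTYPE + QCLASS
        for _ in range(an):
            pos = _skip_name(msg, pos)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            found += rtype == DS                  # CNAME/RRSIG answers do not count
            pos += 10 + rdlen
    except (IndexError, struct.error):
        return 0              # truncated or malformed message
    return found

def ds_present(domain, resolver=RESOLVER, timeout=2.0):
    """True when the resolver returns at least one DS record for `domain`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_ds_query(domain), resolver)
            return count_ds_answers(s.recv(4096)) > 0
        except OSError:       # assumption: unreachable resolver counts as unsigned
            return False
```

A test module would call `ds_present()` once at import time for `icloud.com` and `apple-dns.net` and pick its expected counters from the result.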