# Issue #16 — signed-zone completeness (missing RRSIG detection)

Codeberg issue: https://codeberg.org/DNS-OARC/validns/issues/16

Fixtures for the check that every authoritative RR set in a signed zone
has a covering RRSIG, and (policy check all-algorithms-signed) covering
RRSIGs for every algorithm in the apex DNSKEY RR set.

From example.sec.zone (RSASHA256):

- example.sec.signed.nsec            — NSEC chain, fully signed (silent).
- example.sec.signed.nsec3           — NSEC3 chain, fully signed (silent).
- example.sec.signed.nsec3optout     — NSEC3 opt-out; the unsigned
  delegation and everything below it must stay silent.
- example.sec.signed.nsec.noleafsig  — RRSIG over leaf A removed
  (expects: leaf.example.sec. A: no covering RRSIG in a signed zone).
- example.sec.signed.nsec.nodssig    — RRSIG over the delegation DS
  removed (expects the DS variant of the same message).
- example.sec.signed.nsec3.nonsec3sig — one NSEC3's RRSIG removed
  (expects the NSEC3 variant of the same message).

The zone deliberately contains: leaf sets, a wildcard, a signed
delegation (synthetic DS), glue below a delegation, glue at a
delegation owner, an occluded record below a delegation (the issue-24
shape), and an unsigned delegation. All of those except the missing-sig
variants must produce zero errors.

From alg2.example.sec.zone (RSASHA256 + ECDSAP256SHA256):

- alg2.example.sec.signed             — signed with both algorithms
  (silent, with and without -p all-algorithms-signed).
- alg2.example.sec.signed.missing-alg — the algorithm-13 RRSIG over
  leaf's A removed. Silent by default; exactly one error under
  -p all-algorithms-signed (and -p all).

To regenerate:

    cd src/t/issues/16-signed-completeness
    ./regenerate.sh

Test-time used by src/t/test.pl: -t1802692800 (2027-02-15 12:00 UTC,
inside the signing window 2027-02-01 .. 2027-03-03). If regenerate.sh
changes the window, update the -t values in test.pl accordingly.
