Bump dnspython from 2.6.1 to 2.7.0 (#2440)

* Bump dnspython from 2.6.1 to 2.7.0

Bumps [dnspython](https://github.com/rthalley/dnspython) from 2.6.1 to 2.7.0.
- [Release notes](https://github.com/rthalley/dnspython/releases)
- [Changelog](https://github.com/rthalley/dnspython/blob/main/doc/whatsnew.rst)
- [Commits](https://github.com/rthalley/dnspython/compare/v2.6.1...v2.7.0)

---
updated-dependencies:
- dependency-name: dnspython
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update dnspython==2.7.0

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: JonnyWong16 <9099342+JonnyWong16@users.noreply.github.com>

[skip ci]

lib/dns/dnssec.py

@@ -118,6 +118,7 @@ def key_id(key: Union[DNSKEY, CDNSKEY]) -> int:
     """
 
     rdata = key.to_wire()
+    assert rdata is not None  # for mypy
     if key.algorithm == Algorithm.RSAMD5:
         return (rdata[-3] << 8) + rdata[-2]
     else:
@@ -224,7 +225,7 @@ def make_ds(
         if isinstance(algorithm, str):
             algorithm = DSDigest[algorithm.upper()]
     except Exception:
-        raise UnsupportedAlgorithm('unsupported algorithm "%s"' % algorithm)
+        raise UnsupportedAlgorithm(f'unsupported algorithm "{algorithm}"')
     if validating:
         check = policy.ok_to_validate_ds
     else:
@@ -240,14 +241,15 @@ def make_ds(
     elif algorithm == DSDigest.SHA384:
         dshash = hashlib.sha384()
     else:
-        raise UnsupportedAlgorithm('unsupported algorithm "%s"' % algorithm)
+        raise UnsupportedAlgorithm(f'unsupported algorithm "{algorithm}"')
 
     if isinstance(name, str):
         name = dns.name.from_text(name, origin)
     wire = name.canonicalize().to_wire()
-    assert wire is not None
+    kwire = key.to_wire(origin=origin)
+    assert wire is not None and kwire is not None  # for mypy
     dshash.update(wire)
-    dshash.update(key.to_wire(origin=origin))
+    dshash.update(kwire)
     digest = dshash.digest()
 
     dsrdata = struct.pack("!HBB", key_id(key), key.algorithm, algorithm) + digest
@@ -323,6 +325,7 @@ def _get_rrname_rdataset(
 
 
 def _validate_signature(sig: bytes, data: bytes, key: DNSKEY) -> None:
+    # pylint: disable=possibly-used-before-assignment
     public_cls = get_algorithm_cls_from_dnskey(key).public_cls
     try:
         public_key = public_cls.from_dnskey(key)
@@ -387,6 +390,7 @@ def _validate_rrsig(
 
     data = _make_rrsig_signature_data(rrset, rrsig, origin)
 
+    # pylint: disable=possibly-used-before-assignment
     for candidate_key in candidate_keys:
         if not policy.ok_to_validate(candidate_key):
             continue
@@ -484,6 +488,7 @@ def _sign(
     verify: bool = False,
     policy: Optional[Policy] = None,
     origin: Optional[dns.name.Name] = None,
+    deterministic: bool = True,
 ) -> RRSIG:
     """Sign RRset using private key.
 
@@ -523,6 +528,10 @@ def _sign(
     names in the rrset (including its owner name) must be absolute; otherwise the
     specified origin will be used to make names absolute when signing.
 
+    *deterministic*, a ``bool``. If ``True``, the default, use deterministic
+    (reproducible) signatures when supported by the algorithm used for signing.
+    Currently, this only affects ECDSA.
+
     Raises ``DeniedByPolicy`` if the signature is denied by policy.
     """
 
@@ -580,6 +589,7 @@ def _sign(
 
     data = dns.dnssec._make_rrsig_signature_data(rrset, rrsig_template, origin)
 
+    # pylint: disable=possibly-used-before-assignment
     if isinstance(private_key, GenericPrivateKey):
         signing_key = private_key
     else:
@@ -589,7 +599,7 @@ def _sign(
         except UnsupportedAlgorithm:
             raise TypeError("Unsupported key algorithm")
 
-    signature = signing_key.sign(data, verify)
+    signature = signing_key.sign(data, verify, deterministic)
 
     return cast(RRSIG, rrsig_template.replace(signature=signature))
 
@@ -629,7 +639,9 @@ def _make_rrsig_signature_data(
     rrname, rdataset = _get_rrname_rdataset(rrset)
 
     data = b""
-    data += rrsig.to_wire(origin=signer)[:18]
+    wire = rrsig.to_wire(origin=signer)
+    assert wire is not None  # for mypy
+    data += wire[:18]
     data += rrsig.signer.to_digestable(signer)
 
     # Derelativize the name before considering labels.
@@ -686,6 +698,7 @@ def _make_dnskey(
 
     algorithm = Algorithm.make(algorithm)
 
+    # pylint: disable=possibly-used-before-assignment
     if isinstance(public_key, GenericPublicKey):
         return public_key.to_dnskey(flags=flags, protocol=protocol)
     else:
@@ -832,7 +845,7 @@ def make_ds_rdataset(
             if isinstance(algorithm, str):
                 algorithm = DSDigest[algorithm.upper()]
         except Exception:
-            raise UnsupportedAlgorithm('unsupported algorithm "%s"' % algorithm)
+            raise UnsupportedAlgorithm(f'unsupported algorithm "{algorithm}"')
         _algorithms.add(algorithm)
 
     if rdataset.rdtype == dns.rdatatype.CDS:
@@ -950,6 +963,7 @@ def default_rrset_signer(
     lifetime: Optional[int] = None,
     policy: Optional[Policy] = None,
     origin: Optional[dns.name.Name] = None,
+    deterministic: bool = True,
 ) -> None:
     """Default RRset signer"""
 
@@ -975,6 +989,7 @@ def default_rrset_signer(
             signer=signer,
             policy=policy,
             origin=origin,
+            deterministic=deterministic,
         )
         txn.add(rrset.name, rrset.ttl, rrsig)
 
@@ -991,6 +1006,7 @@ def sign_zone(
     nsec3: Optional[NSEC3PARAM] = None,
     rrset_signer: Optional[RRsetSigner] = None,
     policy: Optional[Policy] = None,
+    deterministic: bool = True,
 ) -> None:
     """Sign zone.
 
@@ -1030,6 +1046,10 @@ def sign_zone(
     function requires two arguments: transaction and RRset. If the not specified,
     ``dns.dnssec.default_rrset_signer`` will be used.
 
+    *deterministic*, a ``bool``. If ``True``, the default, use deterministic
+    (reproducible) signatures when supported by the algorithm used for signing.
+    Currently, this only affects ECDSA.
+
     Returns ``None``.
     """
 
@@ -1056,6 +1076,9 @@ def sign_zone(
     else:
         cm = zone.writer()
 
+    if zone.origin is None:
+        raise ValueError("no zone origin")
+
     with cm as _txn:
         if add_dnskey:
             if dnskey_ttl is None:
@@ -1081,6 +1104,7 @@ def sign_zone(
                 lifetime=lifetime,
                 policy=policy,
                 origin=zone.origin,
+                deterministic=deterministic,
             )
             return _sign_zone_nsec(zone, _txn, _rrset_signer)