]> git.ipfire.org Git - thirdparty/bind9.git/commit
projects / thirdparty / bind9.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e29d87a) | patch
Fix intermittent kasp pytest failures
authorMatthijs Mekking <matthijs@isc.org>
Wed, 7 May 2025 15:17:27 +0000 (17:17 +0200)
committerNicki Křížek <nicki@isc.org>
Thu, 29 May 2025 11:44:56 +0000 (11:44 +0000)
commit7a31fd57e2fbb9b4a4cdf169698425742f407b18
tree29ec637182f9186d64bd61a24a366cfd0a062ba7tree | snapshot
parente29d87a29b68a805386668bf105a21a2bd4fb921commit | diff
Fix intermittent kasp pytest failures

The pytest cases checks if a zone is signed by looking at the NSEC
record at the apex. If that has an RRSIG record, it is considered
signed. But 'named' signs zones incrementally (in batches) and so
the zone may still lack some signatures. In other words, the tests
may consider a zone signed while in fact signing is not yet complete,
then performs additional checks such as is a subdomain signed with the
right key. If this check happens before the zone is actually fully
signed, the check will fail.

Fix this by using 'check_dnssec_verify' instead of
'check_is_zone_signed'. We were already doing this check, but we now
move it up. This will transfer the zone and then run 'dnssec-verify'
on the response. If the zone is partially signed, the check will fail,
and it will retry for up to ten times.
bin/tests/system/isctest/kasp.py diff | blob | blame | history
bin/tests/system/kasp/tests_kasp.py diff | blob | blame | history
bin/tests/system/ksr/tests_ksr.py diff | blob | blame | history
Mirror of https://gitlab.isc.org/isc-projects/bind9.git