Test rndc sign updates the signatures

Add a check to the ZSK rollover test case that ensures the zone is
signed with the successor key only, after a 'rndc sign' is commanded.

diff --git a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
index c8643022e6ef26f6d222582b65f21398c7fa2a5a..e5d842c5358b4cdf81a14180ea5fd20d6e197be1 100644 (file)
--- a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
+++ b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
@@ -222,6 +222,14 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
     }
     isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 
+    # Force full resign and check all signatures have been replaced.
+    with ns3.watch_log_from_here() as watcher:
+        ns3.rndc(f"sign {zone}", log=False)
+        watcher.wait_for_line(f"zone {zone}/IN (signed): sending notifies")
+
+    step["smooth"] = False
+    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+
 
 @pytest.mark.parametrize(
     "tld",