The `pytest` cases checks if a zone is signed by looking at the `NSEC` record at the apex. If that has an RRSIG record, it is considered signed. But `named` signs zones incrementally (in batches) and so the zone may still lack some signatures. In other words, the tests may consider a zone signed while in fact signing is not yet complete, then performs additional checks such as is a subdomain signed with the right key. If this check happens before the zone is actually fully
signed, the check will fail.
Fix this by using `check_dnssec_verify` instead of `check_is_zone_signed`. We were already doing this check, but we now move it up. This will transfer the zone and then run `dnssec-verify` on the response. If the zone is partially signed, the check will fail, and it will retry for up to ten times.
Closes #5303
Merge branch '5303-kasp-pytest-intermittent-test-failures' into 'main'
See merge request isc-projects/bind9!10445
projects / thirdparty / bind9.git / commitdiff
