Wait until zones are signed before reconfig
authorMatthijs Mekking <matthijs@isc.org>
Fri, 21 Nov 2025 08:47:08 +0000 (09:47 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 21 Nov 2025 13:20:58 +0000 (14:20 +0100)
To make the tests run reliably, first make sure that key management
for all the zones has finished before running the reconfig
command.

bin/tests/system/nsec3/tests_nsec3_reconfig.py

index 666ba320b4f75371f7289a47db7d236c42bd5fad..47cd77ecf2fe1a26c86d5aa1426591bb8ae90027 100644 (file)
@@ -65,6 +65,13 @@ def bootstrap():
 
 @pytest.fixture(scope="module", autouse=True)
 def after_servers_start(ns3, templates):
+    # First make sure all zones are properly signed. Here we specifically need
+    # to wait until all zones have finished key management before we can
+    # reconfigure the server, because changing the DNSSEC policy relies on
+    # zones having finished applying their initial policy.
+    for zone in ZONES:
+        isctest.kasp.wait_keymgr_done(ns3, zone)
+
     # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
     with_rsasha1 = "RSASHA1_SUPPORTED"
     assert with_rsasha1 in os.environ, f"{with_rsasha1} env variable undefined"
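Review bot: The new loop waits on every entry of `ZONES` before the `RSASHA1_SUPPORTED` check that follows it. `ZONES` is defined outside this hunk, so this is inferred, but if it includes zones that are only configured when RSASHA1 is available, `wait_keymgr_done` would presumably stall or fail on them in builds without RSASHA1. If that can happen, the loop should skip those zones; otherwise a comment such as `# ZONES lists only zones that are loaded regardless of RSASHA1 support` would record the invariant. The body of after_servers_start continues past the hunk, so it is not possible to tell from here whether the later rsasha1-to-nsec3-wait.kasp check is now partly redundant.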