From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 19 Aug 2025 10:42:35 +0000 (+0200)
Subject: Test rndc sign updates the signatures
X-Git-Tag: v9.21.14~21^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=008d3d2a9c0bb807ce392374bcc63a6f79b9d088;p=thirdparty%2Fbind9.git

Test rndc sign updates the signatures

Add a check to the ZSK rollover test case that ensures the zone is
signed with the successor key only, after a 'rndc sign' is commanded.
---

diff --git a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
index c8643022e6e..e5d842c5358 100644
--- a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
+++ b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
@@ -222,6 +222,14 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
     }
     isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
 
+    # Force full resign and check all signatures have been replaced.
+    with ns3.watch_log_from_here() as watcher:
+        ns3.rndc(f"sign {zone}", log=False)
+        watcher.wait_for_line(f"zone {zone}/IN (signed): sending notifies")
+
+    step["smooth"] = False
+    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+
 
 @pytest.mark.parametrize(
     "tld",