From: Nicki Křížek
Date: Thu, 29 May 2025 12:34:15 +0000 (+0000)
Subject: fix: test: Fix intermittent kasp pytest failures
X-Git-Tag: v9.21.9~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1291bbf74a28a670598218ab011c40efea531227;p=thirdparty%2Fbind9.git

fix: test: Fix intermittent kasp pytest failures

The `pytest` cases check if a zone is signed by looking at the `NSEC`
record at the apex. If that has an RRSIG record, it is considered signed.
But `named` signs zones incrementally (in batches) and so the zone may
still lack some signatures. In other words, the tests may consider a zone
signed while in fact signing is not yet complete, then perform additional
checks such as whether a subdomain is signed with the right key. If this
check happens before the zone is actually fully signed, the check will fail.

Fix this by using `check_dnssec_verify` instead of `check_is_zone_signed`.
We were already doing this check, but we now move it up. This will
transfer the zone and then run `dnssec-verify` on the response. If the
zone is partially signed, the check will fail, and it will retry up to
ten times.

Closes #5303

Merge branch '5303-kasp-pytest-intermittent-test-failures' into 'main'

See merge request isc-projects/bind9!10445
---

1291bbf74a28a670598218ab011c40efea531227