From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 21 Nov 2025 08:47:08 +0000 (+0100)
Subject: Wait until zones are signed before reconfig
X-Git-Tag: v9.21.16~38^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8cfccb9eacac5764fd85e1007886f88875a5232c;p=thirdparty%2Fbind9.git

Wait until zones are signed before reconfig

In order to make the tests run reliable, first make sure the key
managing for all the zones has finished before doing running the
reconfig command.
---

diff --git a/bin/tests/system/nsec3/tests_nsec3_reconfig.py b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
index 666ba320b4f..47cd77ecf2f 100644
--- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py
+++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py
@@ -65,6 +65,13 @@ def bootstrap():
 
 @pytest.fixture(scope="module", autouse=True)
 def after_servers_start(ns3, templates):
+    # First make sure all zones are properly signed. Here we specifically need
+    # to wait until all zones have finished key management before we can
+    # reconfigure the server, because changing the DNSSEC policy relies on
+    # zones having finished applying their initial policy.
+    for zone in ZONES:
+        isctest.kasp.wait_keymgr_done(ns3, zone)
+
     # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
     with_rsasha1 = "RSASHA1_SUPPORTED"
     assert with_rsasha1 in os.environ, f"{with_rsasha1} env variable undefined"