From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 15 Oct 2025 11:26:44 +0000 (+0200)
Subject: test: wait for signed.test's zone DS records to get pushed to the parent zone
X-Git-Tag: v258.2~39
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=163eaa210c243f7fa39338b28e02ac6379f23d6a;p=thirdparty%2Fsystemd.git

test: wait for signed.test's zone DS records to get pushed to the parent zone

It looks like the 4 second sleep might not be enough on some slower
machines (like the ARM GH Actions nodes) which can lead to the DS RRs
propagation to clash with the manual test zone edit, and the
signed.test zone then might end up not properly signed:

TEST-75-RESOLVED.sh[749]: + : '--- ZONE: signed.test (static DNSSEC) ---'
TEST-75-RESOLVED.sh[749]: + run_delv @ns1.unsigned.test signed.test
TEST-75-RESOLVED.sh[749]: + run delv -a /etc/bind.keys @ns1.unsigned.test signed.test
TEST-75-RESOLVED.sh[778]: + delv -a /etc/bind.keys @ns1.unsigned.test signed.test
TEST-75-RESOLVED.sh[779]: + tee /tmp/tmp.2KOIiyrgth
TEST-75-RESOLVED.sh[779]: ;; /etc/bind.keys:1: option 'managed-keys' is deprecated
TEST-75-RESOLVED.sh[779]: ;; validating signed.test/DS: no valid signature found
TEST-75-RESOLVED.sh[779]: ;; validating signed.test/A: no valid signature found
TEST-75-RESOLVED.sh[779]: ; unsigned answer
TEST-75-RESOLVED.sh[779]: signed.test.		86400	IN	A	10.0.0.10
TEST-75-RESOLVED.sh[779]: signed.test.		86400	IN	RRSIG	A 13 2 86400 20251028114356 20251014101356 39330 signed.test. oo3ca8WPusbBPRhzsEKw3bsBBqFtI8i4bckoMVNzt7lY+udGW6PlaSYj OjpQGgY9oglowVM9bteNtwJKHUbvtw==
TEST-75-RESOLVED.sh[749]: + grep -qF '; fully validated' /tmp/tmp.2KOIiyrgth
[FAILED] Failed to start TEST-75-RESOLVED.service - TEST-75-RESOLVED.

Let's explicitly wait for the DS records propagation to finish before we
start editing the test zone to avoid this.

I'm still not completely sure if this is the root cause, but it's the
best shot I currently have, so I'll let the CIs decide.

(cherry picked from commit 92631f1962b1bbd253e5d56a4290ab82805dc43a)
---

diff --git a/test/units/TEST-75-RESOLVED.sh b/test/units/TEST-75-RESOLVED.sh
index 39cd4c717d5..04216ec1426 100755
--- a/test/units/TEST-75-RESOLVED.sh
+++ b/test/units/TEST-75-RESOLVED.sh
@@ -183,8 +183,8 @@ EOF
         chown -R knot:knot /run/knot
     fi
     systemctl start knot
-    # Wait a bit for the keys to propagate
-    sleep 4
+    # Wait for signed.test's zone DS records to get pushed to the parent zone
+    timeout 30s bash -xec 'until knotc zone-read test. signed.test. ds | grep -E "signed\.test\. [0-9]+ DS"; do sleep 2; done'
 
     systemctl status resolved-dummy-server
     networkctl status