Tune the performance of oldsigs test

The oldsigs test was checking only for the validity of the A
a.oldsigs.example. resource record and associated DNSSEC signature while
the zone might not have been fully signed yet leading to validation
failures because of bogus signatures on the validation path.

This commit changes the test to test that all old signatures in the
oldsigs.example. zone were replaced and the zone is fully resigned
before running the main check.

(cherry picked from commit 519b0473621310c5a2f19208f3dcc378f705aee1)

diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index f2ae156a2a18e56c774b787e433898ee85e87bc6..f7bc75c89218c45557381ce1c7d83877f4d7d83a 100644 (file)
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -190,6 +190,8 @@ zone "oldsigs.example" {
        allow-update { any; };
        auto-dnssec maintain;
        sig-validity-interval 10 2;
+       sig-signing-nodes 1000;
+       sig-signing-signatures 100;
 };
 
 zone "prepub.example" {

diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 8876bde90284eb867921959489383c18612041a4..6c4a9b54d2a3c79a1615b7ba38742383bdb33e9c 100755 (executable)
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -408,20 +408,26 @@ echo_i "dumping zone files"
 ($RNDCCMD 10.53.0.2 sync 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1
 ($RNDCCMD 10.53.0.3 sync 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1
 
+now="$(TZ=UTC date +%Y%m%d%H%M%S)"
+check_expiry() (
+       $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 > dig.out.test$n
+       nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)"
+       if [ "$nearest_expiration" -le "$now" ]; then
+               echo_i "failed: $nearest_expiration <= $now"
+               return 1
+       fi
+)
+
 echo_i "checking expired signatures were updated ($n)"
-for i in 1 2 3 4 5 6 7 8 9
-do
-       ret=0
-       $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-       $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
-        digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-       grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-       [ $ret = 0 ] && break
-       sleep 1
-done
+retry 10 check_expiry || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+
 # Check jitter distribution.
 echo_i "checking expired signatures were jittered correctly ($n)"
 ret=0