Fix NTA-related races

Changes introduced by commit 6b8e4d6e695fc13b2d2a93437418a047b5adce81
were incomplete as not all time-sensitive checks were updated to match
revised "nta-lifetime" and "nta-recheck" values.  Prevent rare false
positives by updating all NTA-related checks so that they work reliably
with "nta-lifetime 12s;" and "nta-recheck 9s;".  Update comments as well
to prevent confusion.

(cherry picked from commit 9a36a1bba34d178ee65d24d1dd71c7ae7953abf6)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 81865b626e3a712e2a9d79955b15c1ef8b9a91a6..28dff275067b9a9e0de06de8f394b4bffbb68046 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1864,8 +1864,8 @@ echo_i "waiting for NTA rechecks/expirations"
 
 #
 # secure.example and badds.example used default nta-duration
-# (configured as 10s in ns4/named1.conf), but nta recheck interval
-# is configured to 7s, so at t=8 the NTAs for secure.example and
+# (configured as 12s in ns4/named1.conf), but nta recheck interval
+# is configured to 9s, so at t=10 the NTAs for secure.example and
 # fakenode.secure.example should both be lifted, but badds.example
 # should still be going.
 #
@@ -1886,9 +1886,9 @@ status=$((status+ret))
 ret=0
 
 #
-# bogus.example was set to expire in 20s, so at t=11
+# bogus.example was set to expire in 20s, so at t=13
 # it should still be NTA'd, but badds.example used the default
-# lifetime of 10s, so it should revert to SERVFAIL now.
+# lifetime of 12s, so it should revert to SERVFAIL now.
 #
 # shellcheck disable=SC2016
 $PERL -e 'my $delay = '"$start"' + 13 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
@@ -2087,11 +2087,11 @@ else
     exit 1
 fi
 
-# nta-recheck is configured as 7s, so at t=10 the NTAs for
+# nta-recheck is configured as 9s, so at t=12 the NTAs for
 # secure.example. should be lifted as it is not a forced NTA.
-echo_i "waiting till 10s have passed after ns4 was restarted"
+echo_i "waiting till 12s have passed after ns4 was restarted"
 # shellcheck disable=SC2016
-$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
 
 # secure.example. should now return an AD=1 answer (still validates) as
 # the NTA has been lifted.
@@ -2143,11 +2143,11 @@ else
     exit 1
 fi
 
-# nta-recheck is configured as 7s, but even at t=10 the NTAs for
+# nta-recheck is configured as 9s, but even at t=12 the NTAs for
 # secure.example. should not be lifted as it is a forced NTA.
-echo_i "waiting till 10s have passed after ns4 was restarted"
+echo_i "waiting till 12s have passed after ns4 was restarted"
 # shellcheck disable=SC2016
-$PERL -e 'my $delay = '"$start"' + 10 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
+$PERL -e 'my $delay = '"$start"' + 12 - time(); select(undef, undef, undef, $delay) if ($delay > 0);'
 
 # secure.example. should now return an AD=0 answer (non-authenticated)
 # as the NTA is still there.