Skip to content
  • Michał Kępień's avatar
    Disable SERVFAIL cache for ns5 in the "mkeys" system test · 7c6bff3c
    Michał Kępień authored and Evan Hunt's avatar Evan Hunt committed
    The "check key refreshes are resumed after root servers become
    available" check may trigger a false positive for the "mkeys" system
    test if the second example/TXT query sent by dig is received by ns5 less
    than a second after it receives a REFUSED response to the upstream query
    it sends to ns1 in order to resolve the first example/TXT query sent by
    dig.  Since that REFUSED response from ns1 causes ns5 to return a
    SERVFAIL answer to dig, example/TXT is added to the SERVFAIL cache,
    which is enabled by default with a TTL of 1 second.  This in turn may
    cause ns5 to return a cached SERVFAIL response to the second example/TXT
    query sent by dig, i.e. make ns5 not perform full query processing as
    expected by the check.
    
    Since the primary purpose of the check in question is to ensure that key
    refreshes are resumed once initially unavailable root servers become
    available, the optimal solution appears to be disabling SERVFAIL cache
    for ns5 as doing that still allows the check to fulfill its purpose and
    it is arguably more prudent than always sleeping for 1 second.
    7c6bff3c