Commit 7c6bff3c authored by Michał Kępień, committed by Evan Hunt

Disable SERVFAIL cache for ns5 in the "mkeys" system test

The "check key refreshes are resumed after root servers become
available" check may trigger a false positive for the "mkeys" system
test if the second example/TXT query sent by dig is received by ns5 less
than a second after it receives a REFUSED response to the upstream query
it sends to ns1 in order to resolve the first example/TXT query sent by
dig.  Since that REFUSED response from ns1 causes ns5 to return a
SERVFAIL answer to dig, example/TXT is added to the SERVFAIL cache,
which is enabled by default with a TTL of 1 second.  This in turn may
cause ns5 to return a cached SERVFAIL response to the second example/TXT
query sent by dig, i.e. make ns5 not perform full query processing as
expected by the check.

Since the primary purpose of the check in question is to ensure that key
refreshes are resumed once initially unavailable root servers become
available, the optimal solution appears to be disabling SERVFAIL cache
for ns5 as doing that still allows the check to fulfill its purpose and
it is arguably more prudent than always sleeping for 1 second.
parent ea95d850
Pipeline #11028 passed with stages
in 11 minutes and 35 seconds
......@@ -24,6 +24,7 @@ options {
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
servfail-ttl 0;
key rndc_key {
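Review bot: the `servfail-ttl 0;` line in the options block carries no comment saying why the SERVFAIL cache is switched off for this server, so the reason lives only in the commit message. A short config comment next to it, for example `/* SERVFAIL cache disabled so back-to-back example/TXT queries in the key refresh check both get full query processing */`, would keep it from being removed later as a stray setting. Since the option applies to the whole ns5 instance rather than to that one check, it is also worth confirming that no other check in "mkeys" depends on ns5 returning a cached SERVFAIL.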