dnssec system test fails intermittently
The failure mode below has been observed 4 times so far:
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3025
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3026
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3048
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/3078
S:dnssec:Tue Mar 6 07:40:18 UTC 2018
T:dnssec:1:A
A:dnssec:System test dnssec
I:dnssec:PORTRANGE:7400 - 7499
I:dnssec:checking that zone transfer worked (1)
I:dnssec:checking AD bit asking for validation (2)
I:dnssec:checking that AD is not set without +adflag or +dnssec (3)
I:dnssec:checking for AD in authoritative answer (4)
I:dnssec:checking positive validation NSEC (5)
I:dnssec:checking postive validation NSEC using dns_client (6)
I:dnssec:checking positive validation NSEC3 (7)
I:dnssec:checking positive validation NSEC3 using dns_client (8)
I:dnssec:checking positive validation OPTOUT (9)
I:dnssec:checking positive validation OPTOUT using dns_client (10)
I:dnssec:checking positive wildcard validation NSEC (11)
I:dnssec:checking positive wildcard validation NSEC using dns_client (12)
I:dnssec:checking positive wildcard answer NSEC3 (13)
I:dnssec:checking positive wildcard answer NSEC3 (14)
I:dnssec:checking positive wildcard validation NSEC3 (15)
I:dnssec:checking positive wildcard validation NSEC3 using dns_client (16)
I:dnssec:checking positive wildcard validation OPTOUT (17)
I:dnssec:checking positive wildcard validation OPTOUT using dns_client (18)
I:dnssec:checking negative validation NXDOMAIN NSEC (19)
I:dnssec:checking negative validation NXDOMAIN NSEC using dns_client (20)
I:dnssec:checking negative validation NXDOMAIN NSEC3 (21)
I:dnssec:checking negative validation NXDOMAIN NSEC3 using dns_client (22)
I:dnssec:checking negative validation NXDOMAIN OPTOUT (23)
I:dnssec:checking negative validation NXDOMAIN OPTOUT using dns_client (24)
I:dnssec:checking negative validation NODATA NSEC (25)
I:dnssec:checking negative validation NODATA OPTOUT using dns_client (26)
I:dnssec:checking negative validation NODATA NSEC3 (27)
I:dnssec:checking negative validation NODATA NSEC3 using dns_client (28)
I:dnssec:checking negative validation NODATA OPTOUT (29)
I:dnssec:checking negative validation NODATA OPTOUT using dns_client (30)
I:dnssec:checking negative wildcard validation NSEC (31)
I:dnssec:checking negative wildcard validation NSEC using dns_client (32)
I:dnssec:checking negative wildcard validation NSEC3 (33)
I:dnssec:checking negative wildcard validation NSEC3 using dns_client (34)
I:dnssec:checking negative wildcard validation OPTOUT (35)
I:dnssec:checking negative wildcard validation OPTOUT using dns_client (36)
I:dnssec:checking 1-server insecurity proof NSEC (37)
I:dnssec:checking 1-server insecurity proof NSEC using dns_client (38)
I:dnssec:checking 1-server insecurity proof NSEC3 (39)
I:dnssec:checking 1-server insecurity proof NSEC3 using dns_client (40)
I:dnssec:checking 1-server insecurity proof OPTOUT (41)
I:dnssec:checking 1-server insecurity proof OPTOUT using dns_client (42)
I:dnssec:checking 1-server negative insecurity proof NSEC (43)
I:dnssec:checking 1-server negative insecurity proof NSEC using dns_client (44)
I:dnssec:checking 1-server negative insecurity proof NSEC3 (45)
I:dnssec:checking 1-server negative insecurity proof NSEC3 using dns_client (46)
I:dnssec:checking 1-server negative insecurity proof OPTOUT (47)
I:dnssec:checking 1-server negative insecurity proof OPTOUT using dns_client (48)
I:dnssec:checking 1-server negative insecurity proof with SOA hack NSEC (49)
I:dnssec:checking 1-server negative insecurity proof with SOA hack NSEC3 (50)
I:dnssec:checking 1-server negative insecurity proof with SOA hack OPTOUT (51)
I:dnssec:checking multi-stage positive validation NSEC/NSEC (52)
I:dnssec:checking multi-stage positive validation NSEC/NSEC3 (53)
I:dnssec:checking multi-stage positive validation NSEC/OPTOUT (54)
I:dnssec:checking multi-stage positive validation NSEC3/NSEC (55)
I:dnssec:checking multi-stage positive validation NSEC3/NSEC3 (56)
I:dnssec:checking multi-stage positive validation NSEC3/OPTOUT (57)
I:dnssec:checking multi-stage positive validation OPTOUT/NSEC (58)
I:dnssec:checking multi-stage positive validation OPTOUT/NSEC3 (59)
I:dnssec:checking multi-stage positive validation OPTOUT/OPTOUT (60)
I:dnssec:checking empty NODATA OPTOUT (61)
I:dnssec:checking failed validation (62)
I:dnssec:checking failed validation using dns_client (63)
I:dnssec:checking that validation fails with a misconfigured trusted key (64)
I:dnssec:checking that negative validation fails with a misconfigured trusted key (65)
I:dnssec:checking that insecurity proofs fail with a misconfigured trusted key (66)
I:dnssec:checking that validation fails when key record is missing (67)
I:dnssec:checking that validation fails when key record is missing using dns_client (68)
I:dnssec:checking that validation succeeds when a revoked key is encountered (69)
I:dnssec:checking that validation succeeds when a revoked key is encountered using dns_client (70)
I:dnssec:Checking that a bad CNAME signature is caught after a +CD query (71)
I:dnssec:Checking that a bad DNAME signature is caught after a +CD query (72)
I:dnssec:checking 2-server insecurity proof (73)
I:dnssec:checking 2-server insecurity proof with a negative answer (74)
I:dnssec:checking 2-server insecurity proof with a negative answer and SOA hack (75)
I:dnssec:checking security root query (76)
I:dnssec:checking cd bit on a positive answer (77)
I:dnssec:checking cd bit on a negative answer (78)
I:dnssec:checking positive validation RSASHA256 NSEC (79)
I:dnssec:checking positive validation RSASHA512 NSEC (80)
I:dnssec:checking positive validation with KSK-only DNSKEY signature (81)
I:dnssec:checking cd bit on a query that should fail (82)
I:dnssec:checking cd bit on an insecurity proof (83)
I:dnssec:checking cd bit on a negative insecurity proof (84)
I:dnssec:checking that validation of an ANY query works (85)
I:dnssec:checking that validation of a query returning a CNAME works (86)
I:dnssec:checking that validation of a query returning a DNAME works (87)
I:dnssec:checking that validation of an ANY query returning a CNAME works (88)
I:dnssec:checking that validation of an ANY query returning a DNAME works (89)
I:dnssec:checking that positive validation in a privately secure zone works (90)
I:dnssec:checking that negative validation in a privately secure zone works (91)
I:dnssec:checking that lookups succeed after disabling a algorithm works (92)
I:dnssec:checking privately secure to nxdomain works (93)
I:dnssec:checking privately secure wildcard to nxdomain works (94)
I:dnssec:checking a non-cachable NODATA works (95)
I:dnssec:checking a non-cachable NXDOMAIN works (96)
I:dnssec:checking dnssec-lookaside-validation works (97)
I:dnssec:checking that we can load a rfc2535 signed zone (98)
I:dnssec:checking that we can transfer a rfc2535 signed zone (99)
I:dnssec:checking that we can sign a zone with out-of-zone records (100)
I:dnssec:checking that we can sign a zone (NSEC3) with out-of-zone records (101)
I:dnssec:checking NSEC3 signing with empty nonterminals above a delegation (102)
I:dnssec:checking that dnsssec-signzone updates originalttl on ttl changes (103)
I:dnssec:checking dnssec-signzone keeps valid signatures from removed keys (104)
I:dnssec:checking dnssec-signzone -R purges signatures from removed keys (105)
I:dnssec:checking dnssec-signzone keeps valid signatures from inactive keys (106)
I:dnssec:checking dnssec-signzone -Q purges signatures from inactive keys (107)
I:dnssec:checking dnssec-signzone retains unexpired signatures (108)
I:dnssec:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) (109)
I:dnssec:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) (110)
I:dnssec:checking dnssec-signzone output format (111)
I:dnssec:checking TTLs are capped by dnssec-signzone -M (112)
I:dnssec:checking dnssec-signzone -N date (113)
I:dnssec:checking validated data are not cached longer than originalttl (114)
I:dnssec:checking rndc secroots (115)
I:dnssec:checking RRSIG query from cache (116)
I:dnssec:checking RRSIG query not in cache (117)
I:dnssec:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters (118)
I:dnssec:checking optout NSEC3 referral with only insecure delegations (119)
I:dnssec:checking optout NSEC3 NXDOMAIN with only insecure delegations (120)
I:dnssec:checking optout NSEC3 nodata with only insecure delegations (121)
I:dnssec:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure (122)
I:dnssec:checking positive and negative validation with negative trust anchors (123)
I:dnssec:ns4 Negative trust anchor added: bogus.example/_default, expires 06-Mar-2018 07:43:35.000
I:dnssec:ns4 Negative trust anchor added: badds.example/_default, expires 06-Mar-2018 07:43:27.000
I:dnssec:ns4 Negative trust anchor added: secure.example/_default, expires 06-Mar-2018 07:43:28.000
I:dnssec:ns4 Negative trust anchor added: fakenode.secure.example/_default, expires 06-Mar-2018 07:43:29.000
I:dnssec:ns4 server reload successful
I:dnssec:dumping secroots
I:dnssec:waiting for NTA rechecks/expirations
I:dnssec:testing NTA removals (124)
I:dnssec:ns4 Negative trust anchor added: badds.example/_default, expires 06-Mar-2018 07:43:51.000
I:dnssec:remove non-existent NTA three times
I:dnssec:testing NTA with bogus lifetimes (125)
I:dnssec:check with no nta lifetime specified
I:dnssec:check with bad nta lifetime
I:dnssec:check with too long nta lifetime
I:dnssec:testing NTA persistence across restarts (126)
I:dnssec:ns4 Negative trust anchor added: bogus.example/_default, expires 06-Mar-2018 07:44:12.000
I:dnssec:ns4 Negative trust anchor added: badds.example/_default, expires 06-Mar-2018 07:43:53.000
I:dnssec:killing ns4 with SIGTERM
I:dnssec:waiting till 14s have passed since NTAs were added before restarting ns4
I:dnssec:restarted server ns4
I:dnssec:sleeping for an additional 4 seconds for ns4 to fully startup
I:dnssec:testing loading regular attribute from NTA file (127)
I:dnssec:killing ns4 with SIGTERM
I:dnssec:sleeping for an additional 4 seconds for ns4 to fully shutdown
I:dnssec:restarted server ns4
I:dnssec:waiting till 10s have passed after ns4 was restarted
I:dnssec:failed - NTA persistence: loading regular NTAs failed
I:dnssec:testing loading forced attribute from NTA file (128)
I:dnssec:killing ns4 with SIGTERM
I:dnssec:sleeping for an additional 4 seconds for ns4 to fully shutdown
I:dnssec:restarted server ns4
I:dnssec:waiting till 10s have passed after ns4 was restarted
I:dnssec:testing loading out of bounds lifetime from NTA file (129)
I:dnssec:killing ns4 with SIGTERM
I:dnssec:sleeping for an additional 4 seconds for ns4 to fully shutdown
I:dnssec:restarted server ns4
I:dnssec:sleeping for an additional 4 seconds for ns4 to fully startup
I:dnssec:completed NTA tests
I:dnssec:running DNSSEC update test
I:dnssec:Add a name
I:dnssec:Delete the name
I:dnssec:All update tests successful.
I:dnssec:checking managed key maintenance has not started yet (130)
I:dnssec:switching to automatic root key configuration
I:dnssec:checking managed key maintenance timer has now started (131)
I:dnssec:checking positive validation NSEC (132)
I:dnssec:checking positive validation NSEC3 (133)
I:dnssec:checking positive validation OPTOUT (134)
I:dnssec:checking negative validation (135)
I:dnssec:checking that root DS queries validate (136)
I:dnssec:checking that DS at a RFC 1918 empty zone lookup succeeds (137)
I:dnssec:checking expired signatures remain with "allow-update { none; };" and no keys available (138)
I:dnssec:checking expired signatures do not validate (139)
I:dnssec:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE (140)
I:dnssec:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec (141)
I:dnssec:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec (142)
I:dnssec:checking that signing records have been marked as complete (143)
I:dnssec:check that 'rndc signing' without arguments is handled (144)
I:dnssec:check that 'rndc signing -list' without zone is handled (145)
I:dnssec:check that 'rndc signing -clear' without additional arguments is handled (146)
I:dnssec:check that 'rndc signing -clear all' without zone is handled (147)
I:dnssec:check that 'rndc signing -nsec3param' without additional arguments is handled (148)
I:dnssec:check that 'rndc signing -nsec3param none' without zone is handled (149)
I:dnssec:check that 'rndc signing -nsec3param 1' without additional arguments is handled (150)
I:dnssec:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled (151)
I:dnssec:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled (152)
I:dnssec:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled (153)
I:dnssec:check that 'rndc signing -nsec3param' works with salt (154)
I:dnssec:check that 'rndc signing -nsec3param' works without salt (155)
I:dnssec:check that 'rndc signing -nsec3param' works with 'auto' as salt (156)
I:dnssec:check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt (157)
I:dnssec:check rndc signing -list output (158)
I:dnssec:clear signing records (159)
I:dnssec:checking that a insecure zone beneath a cname resolves (160)
I:dnssec:checking that a secure zone beneath a cname resolves (161)
I:dnssec:checking dnskey query with no data still gets put in cache (162)
I:dnssec:check that a split dnssec dnssec-signzone work (163)
I:dnssec:check that a smart split dnssec dnssec-signzone work (164)
I:dnssec:check that NOTIFY is sent at the end of NSEC3 chain generation (165)
I:dnssec:sleeping ....
I:dnssec:sleeping ....
I:dnssec:check dnssec-dsfromkey from stdin (166)
I:dnssec:check dnssec-dsfromkey error message when keyfile is not found (167)
I:dnssec:testing soon-to-expire RRSIGs without a replacement private key (168)
I:dnssec:testing new records are signed with 'no-resign' (169)
I:dnssec:testing expiring records aren't resigned with 'no-resign' (170)
I:dnssec:testing updates fail with no private key (171)
I:dnssec:testing legacy upper case signer name validation (172)
I:dnssec:testing that we lower case signer name (173)
I:dnssec:testing TTL is capped at RRSIG expiry time (174)
I:dnssec:ns3 zone reload queued
I:dnssec:testing TTL is capped at RRSIG expiry time for records in the additional section (175)
I:dnssec:testing TTL of about to expire RRsets with dnssec-accept-expired yes; (176)
I:dnssec:testing TTL of expired RRsets with dnssec-accept-expired yes; (177)
I:dnssec:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; (178)
I:dnssec:testing DNSKEY lookup via CNAME (179)
I:dnssec:testing KEY lookup at CNAME (present) (180)
I:dnssec:testing KEY lookup at CNAME (not present) (181)
I:dnssec:testing DNSKEY lookup via DNAME (182)
I:dnssec:testing KEY lookup via DNAME (183)
I:dnssec:check that named doesn't loop when all private keys are not available (184)
I:dnssec:check against against missing nearest provable proof (185)
I:dnssec:check that key id are logged when dumping the cache (186)
I:dnssec:check KEYDATA records are printed in human readable form in key zone (187)
I:dnssec:check dig's +nocrypto flag (188)
I:dnssec:check simultaneous inactivation and publishing of dnskeys removes inactive signature (189)
I:dnssec:check that increasing the sig-validity-interval resigning triggers re-signing (190)
I:dnssec:check insecure delegation between static-stub zones (191)
I:dnssec:check the acceptance of seconds as inception and expiration times (192)
I:dnssec:check the correct resigning time is reported in zonestatus (193)
I:dnssec:check that split rrsigs are handled (194)
I:dnssec:check that 'dnssec-keygen -S' works for all supported algorithms (195)
I:dnssec:check that CDS records are signed using KSK by dnssec-signzone (196)
I:dnssec:check that CDS records are not signed using ZSK by dnssec-signzone -x (197)
I:dnssec:checking that positive unknown NSEC3 hash algorithm does validate (198)
I:dnssec:check that CDS records are signed using KSK by with dnssec-auto (199)
I:dnssec:check that a lone non matching CDS record is rejected (200)
I:dnssec:check that CDS records are signed using KSK when added by nsupdate (201)
I:dnssec:check that CDS records are signed only using KSK when added by
I:dnssec:nsupdate when dnssec-dnskey-kskonly is yes (202)
I:dnssec:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate (203)
I:dnssec:check that a non matching CDS record is accepted with a matching CDS record (204)
I:dnssec:checking that negative unknown NSEC3 hash algorithm does not validate (205)
I:dnssec:check that CDNSKEY records are signed using KSK by dnssec-signzone (206)
I:dnssec:check that CDNSKEY records are not signed using ZSK by dnssec-signzone -x (207)
I:dnssec:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate (208)
I:dnssec:check that CDNSKEY records are signed using KSK by with dnssec-auto (209)
I:dnssec:checking that unknown DNSKEY algorithm validates as insecure (210)
I:dnssec:check that a lone non matching CDNSKEY record is rejected (211)
I:dnssec:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure (212)
I:dnssec:check that CDNSKEY records are signed using KSK when added by nsupdate (213)
I:dnssec:check that CDNSKEY records are signed only using KSK when added by
I:dnssec:nsupdate when dnssec-dnskey-kskonly is yes (214)
I:dnssec:checking initialization with a revoked managed key (215)
I:dnssec:check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record (216)
I:dnssec:check that RRSIGs are correctly removed from apex when RRset is removed NSEC (217)
I:dnssec:check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 (218)
I:dnssec:check that a named managed zone that was signed 'in-the-future' is re-signed when loaded (219)
I:dnssec:check that trust-anchor-telemetry queries are logged (220)
I:dnssec:check that _ta-XXXX trust-anchor-telemetry queries are logged (221)
I:dnssec:check that _ta-AAAA trust-anchor-telemetry are not sent when disabled (222)
I:dnssec:check that KEY-TAG trust-anchor-telemetry queries are logged (223)
I:dnssec:check that the view is logged in messages from the validator when using views (224)
I:dnssec:exit status: 1
R:dnssec:FAIL
E:dnssec:Tue Mar 6 07:46:29 UTC 2018Contents of bin/tests/system/dnssec/ from the first 3 jobs listed above are attached.
Edited by Michał Kępień