"statschannel" system test setup may fail on slow systems

https://gitlab.isc.org/isc-private/bind9/-/jobs/1465497

S:statschannel:2021-02-04T12:09:33+0000
T:statschannel:1:A
A:statschannel:System test statschannel
I:statschannel:PORTRANGE:12500 - 12599
I:statschannel:setup.sh script failed
R:statschannel:FAIL
E:statschannel:2021-02-04T12:09:40+0000

Based on the job artifacts, it looks like test setup failed in ns2/sign.sh, specifically on line 37, where the manykeys zone is signed:

"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" > "signzone.out.$zone" 2>&1

bin/tests/system/statschannel/ns2/signzone.out.manykeys. contains:

No self-signed KSK DNSKEY found
Fetching manykeys/RSASHA256/51699 (ZSK) from key repository.
Fetching manykeys/ECDSAP256SHA256/19507 (KSK) from key repository.
Fetching manykeys/RSASHA256/24910 (KSK) from key repository.
Fetching manykeys/ECDSAP384SHA384/27336 (ZSK) from key repository.
Fetching manykeys/ECDSAP256SHA256/61056 (ZSK) from key repository.
Fetching manykeys/ECDSAP384SHA384/43460 (KSK) from key repository.
Zone verification failed (failure)

Since the dnssec-signzone invocation includes -e now+1s (signatures are supposed to expire one second after dnssec-signzone startup) and this failure is intermittent, what I believe happened here is that dnssec-signzone ran long enough for at least some of the signatures to already have become expired when zone verification took place.

The simplest solution here seems to be to employ the -P switch for dnssec-signzone, which is something we routinely do in system tests.