GitLab

The "check key refreshes are resumed after root servers become available" check may trigger a false positive for the "mkeys" system test if the second example/TXT query sent by dig is received by ns5 less than a second after it receives a REFUSED response to the upstream query it sends to ns1 in order to resolve the first example/TXT query sent by dig. Since that REFUSED response from ns1 causes ns5 to return a SERVFAIL answer to dig, example/TXT is added to the SERVFAIL cache, which is enabled by default with a TTL of 1 second. This in turn may cause ns5 to return a cached SERVFAIL response to the second example/TXT query sent by dig, i.e. make ns5 not perform full query processing as expected by the check.

Since the primary purpose of the check in question is to ensure that key refreshes are resumed once initially unavailable root servers become available, the optimal solution appears to be disabling SERVFAIL cache for ns5 as doing that still allows the check to fulfill its purpose and it is arguably more prudent than always sleeping for 1 second.