Skip to content

Fix dnssec test

Matthijs Mekking requested to merge 1413-fix-dnssec-test-v9_16 into v9_16

There is a failure mode which gets triggered on heavily loaded systems. A key change is scheduled in 5 seconds to make ZSK2 inactive and ZSK3 active, but named takes more than 5 seconds to progress from rndc loadkeys to the query check. At this time the SOA RRset is already signed by the new ZSK which is not expected to be active at that point yet.

Split up the checks to test the case where RRsets are signed correctly with the offline KSK (maintained the signature) and the active ZSK. First run, RRsets should be signed with the still active ZSK2, second run RRsets should be signed with the new active ZSK3.

(cherry picked from commit aebb2aaa)

Closes #1413 (closed)

Merge request reports