From 8cfccb9eacac5764fd85e1007886f88875a5232c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 21 Nov 2025 09:47:08 +0100 Subject: [PATCH] Wait until zones are signed before reconfig In order to make the tests run reliable, first make sure the key managing for all the zones has finished before doing running the reconfig command. --- bin/tests/system/nsec3/tests_nsec3_reconfig.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/bin/tests/system/nsec3/tests_nsec3_reconfig.py b/bin/tests/system/nsec3/tests_nsec3_reconfig.py index 666ba320b4..47cd77ecf2 100644 --- a/bin/tests/system/nsec3/tests_nsec3_reconfig.py +++ b/bin/tests/system/nsec3/tests_nsec3_reconfig.py @@ -65,6 +65,13 @@ def bootstrap(): @pytest.fixture(scope="module", autouse=True) def after_servers_start(ns3, templates): + # First make sure all zones are properly signed. Here we specifically need + # to wait until all zones have finished key management before we can + # reconfigure the server, because changing the DNSSEC policy relies on + # zones having finished applying their initial policy. + for zone in ZONES: + isctest.kasp.wait_keymgr_done(ns3, zone) + # Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig. with_rsasha1 = "RSASHA1_SUPPORTED" assert with_rsasha1 in os.environ, f"{with_rsasha1} env variable undefined"