From bb4afd1332dc8a29b5e9ebd7925dd885758c736b Mon Sep 17 00:00:00 2001
From: Michal Nowak <mnowak@isc.org>
Date: Wed, 3 Jun 2026 16:39:56 +0000
Subject: [PATCH] Retry the SOA serial check in the rpz test

While a response-policy zone is being (re)loaded it can briefly answer
with no SOA (SERVFAIL/REFUSED), which `dig +short` renders as empty
output.  get_sn() aborted the whole tests.sh on the first such miss,
defeating the retry_quiet() loop in ck_soa() that is meant to wait for
the reload to settle.  Return failure instead so the check is retried.

Assisted-by: Claude:claude-opus-4-8
---
 bin/tests/system/rpz/tests.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 2b3598d7af..2172cec705 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -111,8 +111,12 @@ get_sn() {
   $DIG -p "${PORT}" +short +norecurse soa "$1" "@$2" "-b$2" >$DIGNM
   SN=$(awk '{ print $3 }' <$DIGNM)
   [ -n "$SN" ] && return
+  # A policy zone being (re)loaded can briefly answer with no SOA
+  # (SERVFAIL/REFUSED), which +short renders as empty output.  Return
+  # failure rather than aborting so the retry_quiet() in ck_soa() can
+  # probe again instead of dying on a single transient miss.
   echo_i "no serial number from \`dig -p ${PORT} soa $1 @$2\`"
-  exit 1
+  return 1
 }
 
 # check the serial number in an SOA to ensure that a policy zone has
@@ -121,7 +125,7 @@ get_sn() {
 # $2=domain
 # $3=DNS server
 test_soa() {
-  get_sn "$2" "$3"
+  get_sn "$2" "$3" || return 1
   test "$SN" -eq "$1"
 }