From 8b71cbd09c33209ff55fc38fa1ea5b01fb7e0cc2 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 30 Aug 2022 10:04:16 +0200
Subject: [PATCH] Update inline system test, zone 'retransfer3.'

The zone 'retransfer3.' tests whether zones that 'rndc signing
-nsec3param' requests are queued even if the zone is not loaded.

The test assumes that if 'rndc signing -list' shows that the zone is
done signing with two keys, and there are no NSEC3 chains pending, the
zone is done handling the '-nsec3param' queued requests. However, it
is possible that the 'rndc signing -list' command is received before
the corresponding privatetype records are added to the zone (the records
that are used to retrieve the signing status with 'rndc signing').

This is what happens in test failure
https://gitlab.isc.org/isc-projects/bind9/-/jobs/2722752.

The 'rndc signing -list retransfer3' is thus an unreliable check.
It is simpler to just remove the check and wait for a certain amount
of time and check whether ns3 has re-signed the zone using NSEC3.
---
 bin/tests/system/inline/tests.sh | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index a8f8860a01..5d2df04add 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -796,22 +796,16 @@ mv ns2/named.conf.new ns2/named.conf
 $RNDCCMD 10.53.0.2 reconfig || ret=1
 # Request ns3 to retransfer the "retransfer3" zone.
 $RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
-# Wait until ns3 finishes building the NSEC3 chain for "retransfer3".  There is
-# no need to immediately set ret=1 if building the NSEC3 chain is not finished
-# within the time limit because the query we will send shortly will detect any
-# problems anyway.
+# Check whether "retransfer3" uses NSEC3 as requested.
 for i in 0 1 2 3 4 5 6 7 8 9
 do
-	$RNDCCMD 10.53.0.3 signing -list retransfer3 > signing.out.test$n.$i 2>&1
-	keys_done=$(grep "Done signing" signing.out.test$n.$i | wc -l)
-	nsec3_pending=$(grep "NSEC3 chain" signing.out.test$n.$i | wc -l)
-	test $keys_done -eq 2 -a $nsec3_pending -eq 0 && break
+	ret=0
+	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i
+	grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+	grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
+	test $ret -eq 0 && break
 	sleep 1
 done
-# Check whether "retransfer3" uses NSEC3 as requested.
-$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n
-grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ret=1
-grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))