Add additional wait period for algorithm rollover

We may be checking the algorithm steps too fast: the reconfig
command may still be in progress. Make sure the zones are signed
and loaded by digging the NSEC records for these zones.

(cherry picked from commit d16520532f)

bin/tests/system/kasp/clean.sh

@@ -22,4 +22,4 @@ rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
 rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
 rm -f ns*/managed-keys.bind
 rm -f ns*/*.mkeys
-rm -f ns*/zones ns*/*.db.infile
+rm -f ns*/zones* ns*/*.db.infile

bin/tests/system/kasp/ns6/setup.sh

@@ -19,6 +19,7 @@ setup() {
 	echo_i "setting up zone: $zone"
 	zonefile="${zone}.db"
 	infile="${zone}.db.infile"
+	echo "$zone" >> zones.2
 }
 
 private_type_record() {
@@ -46,7 +47,6 @@ U="UNRETENTIVE"
 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.algorithm-roll.kasp
-echo "$zone" >> zones
 KSK=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
 ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
 TactN="now"

bin/tests/system/kasp/tests.sh

@@ -465,6 +465,9 @@ dnssec_verify()
 	status=$((status+ret))
 }
 
+# Default next key event threshold. May be extended by wait periods.
+next_key_event_threshold=100
+
 ###############################################################################
 # Tests                                                                       #
 ###############################################################################
@@ -611,7 +614,6 @@ check_key "KEY1" "$id"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-
 #
 # named
 #
@@ -649,6 +651,8 @@ done
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+next_key_event_threshold=$((next_key_event_threshold+i))
+
 #
 # Zone: default.kasp.
 #
@@ -1632,10 +1636,10 @@ check_next_key_event() {
 	# Get the latest next key event.
 	_time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
 
-	# The next key event time must within 60 seconds of the
+	# The next key event time must within threshold of the
 	# expected time.
-	_expectmin=$((_expect-60))
-	_expectmax=$((_expect+60))
+	_expectmin=$((_expect-next_key_event_threshold))
+	_expectmax=$((_expect+next_key_event_threshold))
 
 	test $_expectmin -le "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})"
 	test $_expectmax -ge "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})"
@@ -2272,6 +2276,34 @@ echo_i "reconfig dnssec-policy to trigger algorithm rollover"
 copy_setports ns6/named2.conf.in ns6/named.conf
 rndc_reconfig ns6 10.53.0.6
 
+#  The NSEC record at the apex of the zone and its RRSIG records are
+#  added as part of the last step in signing a zone.  We wait for the
+#  NSEC records to appear before proceeding with a counter to prevent
+#  infinite loops if there is a error.
+#
+n=$((n+1))
+echo_i "waiting for reconfig signing changes to take effect ($n)"
+i=0
+while [ $i -lt 30 ]
+do
+	ret=0
+	while read -r zone
+	do
+		dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || ret=1
+		grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1
+		grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1
+	done < ns6/zones.2
+
+	i=$((i+1))
+	if [ $ret = 0 ]; then break; fi
+	echo_i "waiting ... ($i)"
+	sleep 1
+done
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+next_key_event_threshold=$((next_key_event_threshold+i))
+
 #
 # Testing KSK/ZSK algorithm rollover.
 #