mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-27 06:10:20 -04:00
The pytest cases check if a zone is signed by looking at the NSEC record at the apex. If that has an RRSIG record, it is considered signed. But 'named' signs zones incrementally (in batches) and so the zone may still lack some signatures. In other words, the tests may consider a zone signed while in fact signing is not yet complete, then perform additional checks such as whether a subdomain is signed with the right key. If this check happens before the zone is actually fully signed, the check will fail. Fix this by using 'check_dnssec_verify' instead of 'check_is_zone_signed'. We were already doing this check, but we now move it up. This will transfer the zone and then run 'dnssec-verify' on the response. If the zone is partially signed, the check will fail, and it will retry up to ten times.
||
|---|---|---|
| .. | ||
| check | ||
| confgen | ||
| delv | ||
| dig | ||
| dnssec | ||
| named | ||
| nsupdate | ||
| plugins | ||
| rndc | ||
| tests | ||
| tools | ||
| Makefile.am | ||