#5670 test_dnssec.py: AssertionError: DNSKEY should be different
Closed: duplicate 2 years ago Opened 4 years ago by lslebodn.

_________ TestInstallDNSSECLast.test_disable_reenable_signing_replica __________

self = <ipatests.test_integration.test_dnssec.TestInstallDNSSECLast object at 0x7f0c6d2bc290>

    def test_disable_reenable_signing_replica(self):

        dnskey_old = resolve_with_dnssec(self.replicas[0].ip, test_zone_repl,
                                         self.log, rtype="DNSKEY").rrset

        # disable DNSSEC signing of zone on replica
        args = [
            "ipa",
            "dnszone-mod", test_zone_repl,
            "--dnssec", "false",
        ]
        self.master.run_command(args)

        time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS

        # test master
        assert not is_record_signed(
            self.master.ip, test_zone_repl, self.log
        ), "Zone %s is still signed (master)" % test_zone_repl

        # test replica
        assert not is_record_signed(
            self.replicas[0].ip, test_zone_repl, self.log
        ), "DNS zone %s is still signed (replica)" % test_zone_repl

        # reenable DNSSEC signing
        args = [
            "ipa",
            "dnszone-mod", test_zone_repl,
            "--dnssec", "true",
        ]
        self.master.run_command(args)

        time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS

        # test master
        assert wait_until_record_is_signed(
            self.master.ip, test_zone_repl, self.log, timeout=100
        ), "Zone %s is not signed (master)" % test_zone_repl

        # test replica
        assert wait_until_record_is_signed(
            self.replicas[0].ip, test_zone_repl, self.log, timeout=200
        ), "DNS zone %s is not signed (replica)" % test_zone_repl

        dnskey_new = resolve_with_dnssec(self.replicas[0].ip, test_zone_repl,
                                         self.log, rtype="DNSKEY").rrset
>       assert dnskey_old != dnskey_new, "DNSKEY should be different"
E       AssertionError: DNSKEY should be different
E       assert <DNS dnssec-replica.test. IN DNSKEY RRset> != <DNS dnssec-replica.test. IN DNSKEY RRset>

test_integration/test_dnssec.py:236: AssertionError

I can it reproduce very often.


triage comments:

  • well test works, IPA doesn't :)
  • probably related to, or same as: #5348
  • BIND failed to load new keys and still provides the old one for reenabled zone, needs more investigation

Metadata Update from @lslebodn:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

3 years ago

Metadata Update from @fbarreto:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.6.4 (was: FreeIPA 4.5 backlog)
- Issue tagged with: test-failure

2 years ago

Metadata Update from @fbarreto:
- Issue assigned to fbarreto (was: someone)

2 years ago

Metadata Update from @fbarreto:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1914 (was: 0)

2 years ago

master:
f03df5f Adding xfail to failing tests

still needs 4-6

ipa-4-6:
* d8ad644 Adding xfail to failing tests

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.6.5 (was: FreeIPA 4.6.4)

2 years ago

Closing as duplicate of 5348, test is not failing any more in the nightly test suite.

Metadata Update from @frenaud:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

2 years ago

Login to comment on this ticket.

Metadata