See https://bind-build.isc.org/#bind9_v9_9_sub Test Failed: dnssec S:dnssec:Sun Jan 8 19:58:05 PST 2017 T:dnssec:1:A A:System test dnssec I:checking that zone transfer worked (1) I:checking AD bit asking for validation (2) I:checking that AD is not set without +adflag or +dnssec (3) I:checking for AD in authoritative answer (4) I:checking positive validation NSEC (5) I:checking positive validation NSEC3 (6) I:checking positive validation OPTOUT (7) I:checking positive wildcard validation NSEC (8) I:checking positive wildcard answer NSEC3 (9) I:checking positive wildcard answer NSEC3 (10) I:checking positive wildcard validation NSEC3 (11) I:checking positive wildcard validation OPTOUT (12) I:checking negative validation NXDOMAIN NSEC (13) I:checking negative validation NXDOMAIN NSEC3 (14) I:checking negative validation NXDOMAIN OPTOUT (15) I:checking negative validation NODATA NSEC (16) I:checking negative validation NODATA NSEC3 (17) I:checking negative validation NODATA OPTOUT (18) I:checking negative wildcard validation NSEC (19) I:checking negative wildcard validation NSEC3 (20) I:checking negative wildcard validation OPTOUT (21) I:checking 1-server insecurity proof NSEC (22) I:checking 1-server insecurity proof NSEC3 (23) I:checking 1-server insecurity proof OPTOUT (24) I:checking 1-server negative insecurity proof NSEC (25) I:checking 1-server negative insecurity proof NSEC3 (26) I:checking 1-server negative insecurity proof OPTOUT (27) I:checking 1-server negative insecurity proof with SOA hack NSEC (28) I:checking 1-server negative insecurity proof with SOA hack NSEC3 (29) I:checking 1-server negative insecurity proof with SOA hack OPTOUT (30) I:checking multi-stage positive validation NSEC/NSEC (31) I:checking multi-stage positive validation NSEC/NSEC3 (32) I:checking multi-stage positive validation NSEC/OPTOUT (33) I:checking multi-stage positive validation NSEC3/NSEC (34) I:checking multi-stage positive validation NSEC3/NSEC3 (35) I:checking multi-stage positive validation NSEC3/OPTOUT (36) I:checking multi-stage positive validation OPTOUT/NSEC (37) I:checking multi-stage positive validation OPTOUT/NSEC3 (38) I:checking multi-stage positive validation OPTOUT/OPTOUT (39) I:checking empty NODATA OPTOUT (40) I:checking failed validation (41) I:checking that validation fails with a misconfigured trusted key (42) I:checking that negative validation fails with a misconfigured trusted key (43) I:checking that insecurity proofs fail with a misconfigured trusted key (44) I:checking that validation fails when key record is missing (45) I:checking that validation succeeds when a revoked key is encountered (46) I:Checking that a bad CNAME signature is caught after a +CD query (47) I:Checking that a bad DNAME signature is caught after a +CD query (48) I:checking 2-server insecurity proof (49) I:checking 2-server insecurity proof with a negative answer (50) I:checking 2-server insecurity proof with a negative answer and SOA hack (51) I:checking security root query (52) I:checking cd bit on a positive answer (53) I:checking cd bit on a negative answer (54) I:checking positive validation RSASHA256 NSEC (55) I:checking positive validation RSASHA512 NSEC (56) I:checking positive validation with KSK-only DNSKEY signature (57) I:checking cd bit on a query that should fail (58) I:checking cd bit on an insecurity proof (59) I:checking cd bit on a negative insecurity proof (60) I:checking that validation of an ANY query works (61) I:checking that validation of a query returning a CNAME works (62) I:checking that validation of a query returning a DNAME works (63) I:checking that validation of an ANY query returning a CNAME works (64) I:checking that validation of an ANY query returning a DNAME works (65) I:checking that positive validation in a privately secure zone works (66) I:checking that negative validation in a privately secure zone works (67) I:checking that lookups succeed after disabling a algorithm works (68) I:checking privately secure to nxdomain works (69) I:checking privately secure wildcard to nxdomain works (70) I:checking a non-cachable NODATA works (71) I:checking a non-cachable NXDOMAIN works (72) I:checking dnssec-lookaside-validation works (73) I:checking that we can load a rfc2535 signed zone (74) I:checking that we can transfer a rfc2535 signed zone (75) I:checking that we can sign a zone with out-of-zone records (76) I:checking that we can sign a zone (NSEC3) with out-of-zone records (77) I:checking NSEC3 signing with empty nonterminals above a delegation (78) I:checking that dnsssec-signzone updates originalttl on ttl changes (79) I:checking dnssec-signzone keeps valid signatures from removed keys (80) I:checking dnssec-signzone -R purges signatures from removed keys (81) I:checking dnssec-signzone keeps valid signatures from inactive keys (82) I:checking dnssec-signzone -Q purges signatures from inactive keys (83) I:checking dnssec-signzone retains unexpired signatures (84) I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec) (85) I:checking dnssec-signzone purges RRSIGs from formerly-owned glue (nsec3) (86) I:checking dnssec-signzone output format (87) I:checking dnssec-signzone output format (87) I:checking validated data are not cached longer than originalttl (87) I:checking rndc secroots (88) I:checking RRSIG query from cache (89) I:checking RRSIG query not in cache (90) I:checking NSEC3 zone with mismatched NSEC3PARAM / NSEC parameters (91) I:checking optout NSEC3 referral with only insecure delegations (92) I:checking optout NSEC3 NXDOMAIN with only insecure delegations (93) I:checking optout NSEC3 nodata with only insecure delegations (94) I:checking that a zone finishing the transition from RSASHA1 to RSASHA256 validates secure (95) I:checking positive and negative validation with negative trust anchors (96) I:ns4 Negative trust anchor added: bogus.example/_default, expires 08-Jan-2017 19:58:35.000 I:ns4 Negative trust anchor added: badds.example/_default, expires 08-Jan-2017 19:58:25.000 I:ns4 Negative trust anchor added: secure.example/_default, expires 08-Jan-2017 19:58:26.000 I:ns4 Negative trust anchor added: fakenode.secure.example/_default, expires 08-Jan-2017 19:58:26.000 server reload successful I: dumping secroots I: waiting for NTA rechecks/expirations I: testing NTA removals (97) I:ns4 Negative trust anchor added: badds.example/_default, expires 08-Jan-2017 19:58:47.000 I: remove non-existent NTA three times I: testing NTA with bogus lifetimes (98) I:check with no nta lifetime specified I:check with bad nta lifetime I:check with too long nta lifetime I: testing NTA persistence across restarts (99) I:ns4 Negative trust anchor added: bogus.example/_default, expires 08-Jan-2017 19:59:07.000 I:ns4 Negative trust anchor added: badds.example/_default, expires 08-Jan-2017 19:58:47.000 I:killing ns4 with SIGTERM I:waiting till 14s have passed since NTAs were added before restarting ns4 I:restarted server ns4 I:sleeping for an additional 4 seconds for ns4 to fully startup I: testing loading regular attribute from NTA file (100) I:killing ns4 with SIGTERM I:sleeping for an additional 4 seconds for ns4 to fully shutdown I:restarted server ns4 I:waiting till 10s have passed after ns4 was restarted I: testing loading forced attribute from NTA file (101) I:killing ns4 with SIGTERM I:sleeping for an additional 4 seconds for ns4 to fully shutdown I:restarted server ns4 I:waiting till 10s have passed after ns4 was restarted I: testing loading out of bounds lifetime from NTA file (102) I:killing ns4 with SIGTERM I:sleeping for an additional 4 seconds for ns4 to fully shutdown I:restarted server ns4 I:sleeping for an additional 4 seconds for ns4 to fully startup I:completed NTA tests I:running DNSSEC update test I:Add a name I:Delete the name I:All update tests successful. I:checking managed key maintenance has not started yet (103) I:switching to automatic root key configuration I:checking managed key maintenance timer has now started (104) I:checking positive validation NSEC (105) I:checking positive validation NSEC3 (106) I:checking positive validation OPTOUT (107) I:checking negative validation (108) I:checking that root DS queries validate (109) I:checking that DS at a RFC 1918 empty zone lookup succeeds (110) I:checking expired signatures remain with "allow-update { none; };" and no keys available (111) I:checking expired signatures do not validate (112) I:checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE (113) I:checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec (114) I:checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec (115) I:checking that signing records have been marked as complete (116) I:check that 'rndc signing' without arguments is handled (117) I:check that 'rndc signing -list' without zone is handled (118) I:check that 'rndc signing -clear' without additional arguments is handled (119) I:check that 'rndc signing -clear all' without zone is handled (120) I:check that 'rndc signing -nsec3param' without additional arguments is handled (121) I:check that 'rndc signing -nsec3param none' without zone is handled (122) I:check that 'rndc signing -nsec3param 1' without additional arguments is handled (123) I:check that 'rndc signing -nsec3param 1 0' without additional arguments is handled (124) I:check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled (125) I:check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled (126) I:check that 'rndc signing -nsec3param' works with salt (127) I:sleeping .... I:check that 'rndc signing -nsec3param' works without salt (128) I:sleeping .... I:check rndc signing -list output (129) I:clear signing records (130) I:checking that a insecure zone beneath a cname resolves (131) I:checking that a secure zone beneath a cname resolves (132) I:checking dnskey query with no data still gets put in cache (133) I:check that a split dnssec dnssec-signzone work (134) I:check that a smart split dnssec dnssec-signzone work (135) I:check that NOTIFY is sent at the end of NSEC3 chain generation (136) I:sleeping .... I:check dnssec-dsfromkey from stdin (137) I:testing soon-to-expire RRSIGs without a replacement private key (138) I:testing new records are signed with 'no-resign' (139) I:testing expiring records aren't resigned with 'no-resign' (140) I:testing updates fail with no private key (141) I:testing legacy upper case signer name validation (142) I:testing that we lower case signer name (143) I:testing TTL is capped at RRSIG expiry time (144) I:ns3 zone reload queued I:testing TTL is capped at RRSIG expiry time for records in the additional section (145) I:testing TTL of about to expire RRsets with dnssec-accept-expired yes; (146) I:testing TTL of expired RRsets with dnssec-accept-expired yes; (147) I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; (148) I:testing DNSKEY lookup via CNAME (149) I:testing KEY lookup at CNAME (present) (150) I:testing KEY lookup at CNAME (not present) (151) I:testing DNSKEY lookup via DNAME (152) I:testing KEY lookup via DNAME (153) I:check that named doesn't loop when all private keys are not available (154) I:check against against missing nearest provable proof (155) I:check KEYDATA records are printed in human readable form in key zone (156) I:check simultaneous inactivation and publishing of dnskeys removes inactive signature (157) I:check that increasing the sig-validity-interval resigning triggers re-signing I:check insecure delegation between static-stub zones (159) I:check that split rrsigs are handled (160) I:check that 'dnssec-keygen -S' works for all supported algorithms (161) I:check that CDS records are signed using KSK by dnssec-signzone (162) I:Skipping 'dig +sigchase' tests I:checking that positive unknown NSEC3 hash algorithm does validate (164) I:check that CDS records are signed using KSK by with dnssec-auto (165) I:check that a lone non matching CDS record is rejected (166) I:check that CDS records are signed using KSK when added by nsupdate (167) I:checking that positive unknown NSEC3 hash algorithm with OPTOUT does validate (168) I:check that a non matching CDS record is accepted with a matching CDS record (169) I:checking that negative unknown NSEC3 hash algorithm does not validate (170) I:check that CDNSKEY records are signed using KSK by dnssec-signzone (171) I:checking that negative unknown NSEC3 hash algorithm with OPTOUT does not validate (172) I:check that CDNSKEY records are signed using KSK by with dnssec-auto (173) I:checking that unknown DNSKEY algorithm validates as insecure (174) I:check that a lone non matching CDNSKEY record is rejected (175) I:checking that unknown DNSKEY algorithm + unknown NSEC3 has algorithm validates as insecure (176) I:check that CDNSKEY records are signed using KSK when added by nsupdate (177) I:checking initialization with a revoked managed key (178) I:check that a non matching CDNSKEY record is accepted with a matching CDNSKEY record (179) I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC (180) I:failed I:check that RRSIGs are correctly removed from apex when RRset is removed NSEC3 (181) I:failed I:check that a named managed zone that was signed 'in-the-future' is re-signed when loaded (182) I:exit status: 2 R:FAIL E:dnssec:Sun Jan 8 20:00:05 PST 2017