From: Mark Andrews <marka@isc.org>
Date: Fri, 10 Apr 2026 03:05:31 +0000 (+1000)
Subject: Checking invalid TSIG key name in a catalog zone
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=298e60f877bdf0efe8e8f80c0bce5a22ba35e64e;p=thirdparty%2Fbind9.git

Checking invalid TSIG key name in a catalog zone

(cherry picked from commit 213e59ccf56f4d66cf65f363be4563f2e853d12f)
---

diff --git a/bin/tests/system/catz/ns1/catalog-bad6.example.db b/bin/tests/system/catz/ns1/catalog-bad6.example.db
new file mode 100644
index 00000000000..bc5ca704929
--- /dev/null
+++ b/bin/tests/system/catz/ns1/catalog-bad6.example.db
@@ -0,0 +1,7 @@
+@ 3600 SOA . . 1 86400 3600 86400 3600
+@ 3600 IN NS invalid.
+version IN TXT "2"
+deadbeef.zones IN PTR member.example.
+mykey.primaries.ext.deadbeef.zones IN A 192.0.2.1
+; bad key name label too big
+mykey.primaries.ext.deadbeef.zones IN TXT "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.example.com"
diff --git a/bin/tests/system/catz/ns1/named.conf.in b/bin/tests/system/catz/ns1/named.conf.in
index 1f4ee99337d..89c461e92d1 100644
--- a/bin/tests/system/catz/ns1/named.conf.in
+++ b/bin/tests/system/catz/ns1/named.conf.in
@@ -108,6 +108,16 @@ view "default" {
 		notify explicit;
 	};
 
+	# Bad TSIG key name
+	zone "catalog-bad6.example" {
+		type primary;
+		file "catalog-bad6.example.db";
+		allow-transfer { any; };
+		allow-update { any; };
+		also-notify { 10.53.0.2; };
+		notify explicit;
+	};
+
 	# A catalog zone that requires TLS to be used
 	zone "catalog-tls.example" {
 		type primary;
diff --git a/bin/tests/system/catz/ns2/named1.conf.in b/bin/tests/system/catz/ns2/named1.conf.in
index b13d912ad74..993edcfee49 100644
--- a/bin/tests/system/catz/ns2/named1.conf.in
+++ b/bin/tests/system/catz/ns2/named1.conf.in
@@ -67,6 +67,10 @@ view "default" {
 		zone "catalog-bad4.example"
 			default-masters { 10.53.0.1; }
 			in-memory yes;
+		zone "catalog-bad6.example"
+			default-masters { 10.53.0.1; }
+			min-update-interval 1s
+			in-memory yes;
 	};
 
 	# A faulty dlz configuration to check if named and catz survive a certain class
@@ -155,6 +159,12 @@ view "default" {
 		primaries { 10.53.0.1; };
 	};
 
+	# Bad TSIG key name
+	zone "catalog-bad6.example" {
+		type secondary;
+		file "catalog-bad6.example.db";
+		primaries { 10.53.0.1; };
+	};
 };
 
 view "ch" ch {
diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index 713db3b890d..f8e7fbe5001 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -126,6 +126,12 @@ grep -F "catz: dns_catz_add_zone catalog-bad5.example" ns2/named.run && ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "checking that catalog-bad6.example (invalid TSIG key name) is handled ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: invalid record in catalog zone - mykey.primaries.ext.deadbeef.zones.catalog-bad6.example IN TXT (label too long) - ignoring" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 nextpart ns2/named.run >/dev/null
 
 ##########################################################################