From: Aram Sargsyan Date: Fri, 22 May 2026 11:27:54 +0000 (+0000) Subject: Add a check for the "doth" system test X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6e0d998ff640b4600f9053640a0ba6928de2d919;p=thirdparty%2Fbind9.git Add a check for the "doth" system test Configure a zone transfer using XoT (with opportunistic TLS) from a non-DoT port, which does not provide ALPN "dot" (in this case it will try to connect to a DoH port). This is expected to fail, but the client should handle the error gracefully and not to crash.
---
diff --git a/bin/tests/system/doth/ns2/named.conf.j2 b/bin/tests/system/doth/ns2/named.conf.j2
index 69bd7327f53..bb9ee1820d0 100644
--- a/bin/tests/system/doth/ns2/named.conf.j2
+++ b/bin/tests/system/doth/ns2/named.conf.j2
@@ -86,6 +86,15 @@ zone "example3" {
 allow-transfer { any; };
 };
 
+# Trying a XoT transfer of a non-existing zone on an HTTPS port. The error should
+# be handled gracefully when the expected ALPN "dot" is not present, see GL#5957.
+tls tls-opportunistic { };
+zone "example-non-existing" {
+ type secondary;
+ primaries { 10.53.0.1 port @EXTRAPORT3@ tls tls-opportunistic; };
+ file "example-non-existing.db";
+};
+
 # As you can see, the "remote-hostname" is missing, but "ca-file" is
 # specified. As the result, the primaries server certificate will be
 # verified using the IP address instead of hostname. That is fine,
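Review bot: Nothing in this hunk ties the new `example-non-existing` zone to an assertion, so the regression test for GL#5957 may pass vacuously if ns2 never attempts the transfer to `@EXTRAPORT3@` before the test ends. If the test script (not visible here) does not already do so, it should wait for the failed-transfer message for this zone in ns2's log and then confirm that ns2 still answers queries, so the ALPN-mismatch path is known to have been exercised. The comment could also state that the empty `tls tls-opportunistic { };` block is deliberate, e.g. `# Empty tls block: opportunistic TLS, the primary's certificate is not verified.`, so the stanza is not copied into a configuration that needs authenticated XoT.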