From: Michal Nowak <mnowak@isc.org>
Date: Wed, 14 May 2025 16:04:02 +0000 (+0200)
Subject: Rewrite xfer system test to pytest
X-Git-Tag: v9.21.19~36^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf0df8b7f4c56f7a53ffc3e1dcd2ed76320f2a83;p=thirdparty%2Fbind9.git

Rewrite xfer system test to pytest
---

diff --git a/bin/tests/system/isctest/instance.py b/bin/tests/system/isctest/instance.py
index 5e4d77517ad..129a2a907a7 100644
--- a/bin/tests/system/isctest/instance.py
+++ b/bin/tests/system/isctest/instance.py
@@ -166,6 +166,15 @@ class NamedInstance:
             watcher.wait_for_line("any newly configured zones are now loaded")
         return cmd
 
+    def reload(self, **kwargs) -> CmdResult:
+        """
+        Reload this named `instance` and wait until reload is finished.
+        """
+        with self.watch_log_from_here() as watcher:
+            cmd = self.rndc("reload", **kwargs)
+            watcher.wait_for_line("all zones loaded")
+        return cmd
+
     def stop(self, args: Optional[List[str]] = None) -> None:
         """Stop the instance."""
         args = args or []
diff --git a/bin/tests/system/xfer/axfr-stats.good b/bin/tests/system/xfer/axfr-stats.good
deleted file mode 100644
index 616854e6466..00000000000
--- a/bin/tests/system/xfer/axfr-stats.good
+++ /dev/null
@@ -1,3 +0,0 @@
-messages=16
-records=10003
-bytes=218403
diff --git a/bin/tests/system/xfer/dig1.good b/bin/tests/system/xfer/dig1.good
deleted file mode 100644
index 06f9790d40d..00000000000
--- a/bin/tests/system/xfer/dig1.good
+++ /dev/null
@@ -1,186 +0,0 @@
-example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
-example.		3600	IN	NS	ns2.example.
-example.		3600	IN	NS	ns3.example.
-example.		3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-a01.example.		3600	IN	A	0.0.0.0
-a02.example.		3600	IN	A	255.255.255.255
-a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
-a601.example.		3600	IN	A6	127 ::1 foo.
-a601.example.		3600	IN	A6	128  .
-aaaa01.example.		3600	IN	AAAA	::1
-aaaa02.example.		3600	IN	AAAA	fd92:7065:b8e:ffff::5
-afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
-afsdb02.example.	3600	IN	AFSDB	65535 .
-amtrelay01.example.	3600	IN	AMTRELAY 0 0 0 .
-amtrelay02.example.	3600	IN	AMTRELAY 0 1 0 .
-amtrelay03.example.	3600	IN	AMTRELAY 0 0 1 0.0.0.0
-amtrelay04.example.	3600	IN	AMTRELAY 0 0 2 ::
-amtrelay05.example.	3600	IN	AMTRELAY 0 0 3 example.net.
-amtrelay06.example.	3600	IN	AMTRELAY \# 2 0004
-apl01.example.		3600	IN	APL	!1:10.0.0.1/32 1:10.0.0.0/24
-apl02.example.		3600	IN	APL
-atma01.example.		3600	IN	ATMA	+61200000000
-atma02.example.		3600	IN	ATMA	+61200000000
-atma03.example.		3600	IN	ATMA	1234567890abcdef
-atma04.example.		3600	IN	ATMA	fedcba0987654321
-avc.example.		3600	IN	AVC	"foo:bar"
-brid.example.		3600	IN	BRID	abcd
-caa01.example.		3600	IN	CAA	0 issue "ca.example.net; policy=ev"
-caa02.example.		3600	IN	CAA	128 tbs "Unknown"
-caa03.example.		3600	IN	CAA	128 tbs ""
-cdnskey01.example.	3600	IN	CDNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-cds01.example.		3600	IN	CDS	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
-cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
-cname01.example.	3600	IN	CNAME	cname-target.
-cname02.example.	3600	IN	CNAME	cname-target.example.
-cname03.example.	3600	IN	CNAME	.
-csync01.example.	3600	IN	CSYNC	0 0 A NS AAAA
-csync02.example.	3600	IN	CSYNC	0 0
-dhcid01.example.	3600	IN	DHCID	AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA=
-dhcid02.example.	3600	IN	DHCID	AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdWL3b/NaiUDlW2No=
-dhcid03.example.	3600	IN	DHCID	AAABxLmlskllE0MVjd57zHcWmEH3pCQ6VytcKD//7es/deY=
-dlv.example.		3600	IN	DLV	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
-dname01.example.	3600	IN	DNAME	dname-target.
-dname02.example.	3600	IN	DNAME	dname-target.example.
-dname03.example.	3600	IN	DNAME	.
-doa01.example.		3600	IN	DOA	1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
-doa02.example.		3600	IN	DOA	0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
-ds01.example.		3600	IN	DS	12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13
-ds01.example.		3600	IN	NS	ns42.example.
-ds02.example.		3600	IN	DS	12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
-ds02.example.		3600	IN	NS	ns43.example.
-dsync01.example.	3600	IN	DSYNC	CDS NOTIFY 53 .
-eid01.example.		3600	IN	EID	1289AB
-eui48.example.		3600	IN	EUI48	01-23-45-67-89-ab
-eui64.example.		3600	IN	EUI64	01-23-45-67-89-ab-cd-ef
-gid01.example.		3600	IN	GID	\# 1 03
-gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
-gpos02.example.		3600	IN	GPOS	"" "" ""
-hhit.example.		3600	IN	HHIT	abcd
-hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
-hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
-hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
-hip2.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
-https0.example.		3600	IN	HTTPS	0 example.net.
-https1.example.		3600	IN	HTTPS	1 . port=60
-ipseckey01.example.	3600	IN	IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey02.example.	3600	IN	IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey03.example.	3600	IN	IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey04.example.	3600	IN	IPSECKEY 10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey05.example.	3600	IN	IPSECKEY 10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-isdn01.example.		3600	IN	ISDN	"isdn-address"
-isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
-isdn03.example.		3600	IN	ISDN	"isdn-address"
-isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
-keydata.example.	3600	IN	TYPE65533 \# 0
-keydata.example.	3600	IN	TYPE65533 \# 6 010203040506
-keydata.example.	3600	IN	TYPE65533 \# 18 010203040506010203040506010203040506
-kx01.example.		3600	IN	KX	10 kdc.example.
-kx02.example.		3600	IN	KX	10 .
-l32.example.		3600	IN	L32	10 1.2.3.4
-l64.example.		3600	IN	L64	10 14:4fff:ff20:ee64
-loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-lp.example.		3600	IN	LP	10 example.net.
-mb01.example.		3600	IN	MG	madname.example.
-mb02.example.		3600	IN	MG	.
-mg01.example.		3600	IN	MG	mgmname.example.
-mg02.example.		3600	IN	MG	.
-minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
-minfo02.example.	3600	IN	MINFO	. .
-mr01.example.		3600	IN	MR	mrname.example.
-mr02.example.		3600	IN	MR	.
-mx01.example.		3600	IN	MX	10 mail.example.
-mx02.example.		3600	IN	MX	10 .
-naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
-naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
-nid.example.		3600	IN	NID	10 14:4fff:ff20:ee64
-nimloc01.example.	3600	IN	NIMLOC	1289AB
-ninfo01.example.	3600	IN	NINFO	"foo"
-ninfo02.example.	3600	IN	NINFO	"foo" "bar"
-ninfo03.example.	3600	IN	NINFO	"foo"
-ninfo04.example.	3600	IN	NINFO	"foo" "bar"
-ninfo05.example.	3600	IN	NINFO	"foo bar"
-ninfo06.example.	3600	IN	NINFO	"foo bar"
-ninfo07.example.	3600	IN	NINFO	"foo bar"
-ninfo08.example.	3600	IN	NINFO	"foo\010bar"
-ninfo09.example.	3600	IN	NINFO	"foo\010bar"
-ninfo10.example.	3600	IN	NINFO	"foo bar"
-ninfo11.example.	3600	IN	NINFO	"\"foo\""
-ninfo12.example.	3600	IN	NINFO	"\"foo\""
-ninfo13.example.	3600	IN	NINFO	"foo;"
-ninfo14.example.	3600	IN	NINFO	"foo;"
-ninfo15.example.	3600	IN	NINFO	"bar\\;"
-ns2.example.		3600	IN	A	10.53.0.2
-ns3.example.		3600	IN	A	10.53.0.3
-nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
-nsap-ptr01.example.	3600	IN	NSAP-PTR .
-nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
-nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
-nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
-nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
-nsec03.example.		3600	IN	NSEC	. A
-nsec04.example.		3600	IN	NSEC	. TYPE127
-openpgpkey.example.	3600	IN	OPENPGPKEY AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-ptr01.example.		3600	IN	PTR	example.
-px01.example.		3600	IN	PX	65535 foo. bar.
-px02.example.		3600	IN	PX	65535 . .
-resinfo.example.	3600	IN	RESINFO	"qnamemin" "exterr=15,16,17" "infourl=https://resolver.example.com/guide"
-rkey01.example.		3600	IN	RKEY	0 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
-rp02.example.		3600	IN	RP	. .
-rrsig01.example.	3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
-rt01.example.		3600	IN	RT	0 intermediate-host.example.
-rt02.example.		3600	IN	RT	65535 .
-sink01.example.		3600	IN	SINK	1 0 0
-sink02.example.		3600	IN	SINK	8 0 2 l4ik
-smimea.example.		3600	IN	SMIMEA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
-spf01.example.		3600	IN	SPF	"v=spf1 -all"
-spf02.example.		3600	IN	SPF	"v=spf1" " -all"
-srv01.example.		3600	IN	SRV	0 0 0 .
-srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
-sshfp01.example.	3600	IN	SSHFP	4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83
-sshfp02.example.	3600	IN	SSHFP	1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC
-svcb0.example.		3600	IN	SVCB	0 example.net.
-svcb1.example.		3600	IN	SVCB	1 . port=60
-ta.example.		3600	IN	TA	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
-talink0.example.	3600	IN	TALINK	. talink1.example.
-talink1.example.	3600	IN	TALINK	talink0.example. talink2.example.
-talink2.example.	3600	IN	TALINK	talink2.example. .
-tlsa.example.		3600	IN	TLSA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
-txt01.example.		3600	IN	TXT	"foo"
-txt02.example.		3600	IN	TXT	"foo" "bar"
-txt03.example.		3600	IN	TXT	"foo"
-txt04.example.		3600	IN	TXT	"foo" "bar"
-txt05.example.		3600	IN	TXT	"foo bar"
-txt06.example.		3600	IN	TXT	"foo bar"
-txt07.example.		3600	IN	TXT	"foo bar"
-txt08.example.		3600	IN	TXT	"foo\010bar"
-txt09.example.		3600	IN	TXT	"foo\010bar"
-txt10.example.		3600	IN	TXT	"foo bar"
-txt11.example.		3600	IN	TXT	"\"foo\""
-txt12.example.		3600	IN	TXT	"\"foo\""
-txt13.example.		3600	IN	TXT	"foo;"
-txt14.example.		3600	IN	TXT	"foo;"
-txt15.example.		3600	IN	TXT	"bar\\;"
-uid01.example.		3600	IN	UID	\# 1 02
-uinfo01.example.	3600	IN	UINFO	\# 1 01
-unspec01.example.	3600	IN	UNSPEC	\# 1 04
-uri01.example.		3600	IN	URI	10 20 "https://www.isc.org/"
-uri02.example.		3600	IN	URI	30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/"
-uri03.example.		3600	IN	URI	30 40 ""
-wallet.example.		3600	IN	WALLET	"currency-identifer" "wallet-identifier"
-wallet-multiple.example. 3600	IN	WALLET	"currency-identifer1" "wallet-identifier1"
-wallet-multiple.example. 3600	IN	WALLET	"currency-identifer1" "wallet-identifier2"
-wallet-multiple.example. 3600	IN	WALLET	"currency-identifer2" "wallet-identifier3"
-wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
-wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
-wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
-x2501.example.		3600	IN	X25	"123456789"
-zonemd01.example.	3600	IN	ZONEMD	2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
-zonemd02.example.	3600	IN	ZONEMD	2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27
-8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3	1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
-kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3	1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
-mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3	1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
-example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
diff --git a/bin/tests/system/xfer/dig2.good b/bin/tests/system/xfer/dig2.good
deleted file mode 100644
index 1c1c60e4041..00000000000
--- a/bin/tests/system/xfer/dig2.good
+++ /dev/null
@@ -1,186 +0,0 @@
-example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
-example.		3600	IN	NS	ns2.example.
-example.		3600	IN	NS	ns3.example.
-example.		3600	IN	DNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-a01.example.		3600	IN	A	0.0.0.1
-a02.example.		3600	IN	A	255.255.255.255
-a601.example.		3600	IN	A6	0 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-a601.example.		3600	IN	A6	64 ::ffff:ffff:ffff:ffff foo.
-a601.example.		3600	IN	A6	127 ::1 foo.
-a601.example.		3600	IN	A6	128  .
-aaaa01.example.		3600	IN	AAAA	::1
-aaaa02.example.		3600	IN	AAAA	fd92:7065:b8e:ffff::5
-afsdb01.example.	3600	IN	AFSDB	0 hostname.example.
-afsdb02.example.	3600	IN	AFSDB	65535 .
-amtrelay01.example.	3600	IN	AMTRELAY 0 0 0 .
-amtrelay02.example.	3600	IN	AMTRELAY 0 1 0 .
-amtrelay03.example.	3600	IN	AMTRELAY 0 0 1 0.0.0.1
-amtrelay04.example.	3600	IN	AMTRELAY 0 0 2 ::
-amtrelay05.example.	3600	IN	AMTRELAY 0 0 3 example.net.
-amtrelay06.example.	3600	IN	AMTRELAY \# 2 0004
-apl01.example.		3600	IN	APL	!1:10.0.0.1/32 1:10.0.0.1/24
-apl02.example.		3600	IN	APL
-atma01.example.		3600	IN	ATMA	+61200000000
-atma02.example.		3600	IN	ATMA	+61200000000
-atma03.example.		3600	IN	ATMA	1234567890abcdef
-atma04.example.		3600	IN	ATMA	fedcba0987654321
-avc.example.		3600	IN	AVC	"foo:bar"
-brid.example.		3600	IN	BRID	abcd
-caa01.example.		3600	IN	CAA	0 issue "ca.example.net; policy=ev"
-caa02.example.		3600	IN	CAA	128 tbs "Unknown"
-caa03.example.		3600	IN	CAA	128 tbs ""
-cdnskey01.example.	3600	IN	CDNSKEY	512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-cds01.example.		3600	IN	CDS	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
-cert01.example.		3600	IN	CERT	65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
-cname01.example.	3600	IN	CNAME	cname-target.
-cname02.example.	3600	IN	CNAME	cname-target.example.
-cname03.example.	3600	IN	CNAME	.
-csync01.example.	3600	IN	CSYNC	0 0 A NS AAAA
-csync02.example.	3600	IN	CSYNC	0 0
-dhcid01.example.	3600	IN	DHCID	AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA=
-dhcid02.example.	3600	IN	DHCID	AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQdWL3b/NaiUDlW2No=
-dhcid03.example.	3600	IN	DHCID	AAABxLmlskllE0MVjd57zHcWmEH3pCQ6VytcKD//7es/deY=
-dlv.example.		3600	IN	DLV	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
-dname01.example.	3600	IN	DNAME	dname-target.
-dname02.example.	3600	IN	DNAME	dname-target.example.
-dname03.example.	3600	IN	DNAME	.
-doa01.example.		3600	IN	DOA	1234567890 1234567890 1 "image/gif" R0lGODlhKAAZAOMCAGZmZgBmmf///zOZzMz//5nM/zNmmWbM/5nMzMzMzACZ/////////////////////yH5BAEKAA8ALAAAAAAoABkAAATH8IFJK5U2a4337F5ogRkpnoCJrly7PrCKyh8c3HgAhzT35MDbbtO7/IJIHbGiOiaTxVTpSVWWLqNq1UVyapNS1wd3OAxug0LhnCubcVhsxysQnOt4ATpvvzHlFzl1AwODhWeFAgRpen5/UhheAYMFdUB4SFcpGEGGdQeCAqBBLTuSk30EeXd9pEsAbKGxjHqDSE0Sp6ixN4N1BJmbc7lIhmsBich1awPAjkY1SZR8bJWrz382SGqIBQQFQd4IsUTaX+ceuudPEQA7
-doa02.example.		3600	IN	DOA	0 1 2 "" aHR0cHM6Ly93d3cuaXNjLm9yZy8=
-ds01.example.		3600	IN	NS	ns42.example.
-ds01.example.		3600	IN	DS	12892 5 2 26584835CA80C81C91999F31CFAF2A0E89D4FF1C8FAFD0DDB31A85C7 19277C13
-ds02.example.		3600	IN	NS	ns43.example.
-ds02.example.		3600	IN	DS	12892 5 1 7AA4A3F416C2F2391FB7AB0D434F762CD62D1390
-dsync01.example.	3600	IN	DSYNC	CDS NOTIFY 53 .
-eid01.example.		3600	IN	EID	1289AB
-eui48.example.		3600	IN	EUI48	01-23-45-67-89-ab
-eui64.example.		3600	IN	EUI64	01-23-45-67-89-ab-cd-ef
-gid01.example.		3600	IN	GID	\# 1 03
-gpos01.example.		3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
-gpos02.example.		3600	IN	GPOS	"" "" ""
-hhit.example.		3600	IN	HHIT	abcd
-hinfo01.example.	3600	IN	HINFO	"Generic PC clone" "NetBSD-1.4"
-hinfo02.example.	3600	IN	HINFO	"PC" "NetBSD"
-hip1.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
-hip2.example.		3600	IN	HIP	2 200100107B1A74DF365639CC39F1D578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
-https0.example.		3600	IN	HTTPS	0 example.net.
-https1.example.		3600	IN	HTTPS	1 . port=60
-ipseckey01.example.	3600	IN	IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey02.example.	3600	IN	IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey03.example.	3600	IN	IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey04.example.	3600	IN	IPSECKEY 10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-ipseckey05.example.	3600	IN	IPSECKEY 10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
-isdn01.example.		3600	IN	ISDN	"isdn-address"
-isdn02.example.		3600	IN	ISDN	"isdn-address" "subaddress"
-isdn03.example.		3600	IN	ISDN	"isdn-address"
-isdn04.example.		3600	IN	ISDN	"isdn-address" "subaddress"
-keydata.example.	3600	IN	TYPE65533 \# 0
-keydata.example.	3600	IN	TYPE65533 \# 6 010203040506
-keydata.example.	3600	IN	TYPE65533 \# 18 010203040506010203040506010203040506
-kx01.example.		3600	IN	KX	10 kdc.example.
-kx02.example.		3600	IN	KX	10 .
-l32.example.		3600	IN	L32	10 1.2.3.4
-l64.example.		3600	IN	L64	10 14:4fff:ff20:ee64
-loc01.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-loc02.example.		3600	IN	LOC	60 9 0.000 N 24 39 0.000 E 10.00m 20m 2000m 20m
-lp.example.		3600	IN	LP	10 example.net.
-mb01.example.		3600	IN	MG	madname.example.
-mb02.example.		3600	IN	MG	.
-mg01.example.		3600	IN	MG	mgmname.example.
-mg02.example.		3600	IN	MG	.
-minfo01.example.	3600	IN	MINFO	rmailbx.example. emailbx.example.
-minfo02.example.	3600	IN	MINFO	. .
-mr01.example.		3600	IN	MR	mrname.example.
-mr02.example.		3600	IN	MR	.
-mx01.example.		3600	IN	MX	10 mail.example.
-mx02.example.		3600	IN	MX	10 .
-naptr01.example.	3600	IN	NAPTR	0 0 "" "" "" .
-naptr02.example.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blllbb" foo.
-nid.example.		3600	IN	NID	10 14:4fff:ff20:ee64
-nimloc01.example.	3600	IN	NIMLOC	1289AB
-ninfo01.example.	3600	IN	NINFO	"foo"
-ninfo02.example.	3600	IN	NINFO	"foo" "bar"
-ninfo03.example.	3600	IN	NINFO	"foo"
-ninfo04.example.	3600	IN	NINFO	"foo" "bar"
-ninfo05.example.	3600	IN	NINFO	"foo bar"
-ninfo06.example.	3600	IN	NINFO	"foo bar"
-ninfo07.example.	3600	IN	NINFO	"foo bar"
-ninfo08.example.	3600	IN	NINFO	"foo\010bar"
-ninfo09.example.	3600	IN	NINFO	"foo\010bar"
-ninfo10.example.	3600	IN	NINFO	"foo bar"
-ninfo11.example.	3600	IN	NINFO	"\"foo\""
-ninfo12.example.	3600	IN	NINFO	"\"foo\""
-ninfo13.example.	3600	IN	NINFO	"foo;"
-ninfo14.example.	3600	IN	NINFO	"foo;"
-ninfo15.example.	3600	IN	NINFO	"bar\\;"
-ns2.example.		3600	IN	A	10.53.0.2
-ns3.example.		3600	IN	A	10.53.0.3
-nsap-ptr01.example.	3600	IN	NSAP-PTR foo.
-nsap-ptr01.example.	3600	IN	NSAP-PTR .
-nsap01.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
-nsap02.example.		3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
-nsec01.example.		3600	IN	NSEC	a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
-nsec02.example.		3600	IN	NSEC	. NSAP-PTR NSEC
-nsec03.example.		3600	IN	NSEC	. A
-nsec04.example.		3600	IN	NSEC	. TYPE127
-openpgpkey.example.	3600	IN	OPENPGPKEY AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-ptr01.example.		3600	IN	PTR	example.
-px01.example.		3600	IN	PX	65535 foo. bar.
-px02.example.		3600	IN	PX	65535 . .
-resinfo.example.	3600	IN	RESINFO	"qnamemin" "exterr=15,16,17" "infourl=https://resolver.example.com/guide"
-rkey01.example.		3600	IN	RKEY	0 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2od GWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60z yGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
-rp01.example.		3600	IN	RP	mbox-dname.example. txt-dname.example.
-rp02.example.		3600	IN	RP	. .
-rrsig01.example.	3600	IN	RRSIG	NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6V AuHAoNUz4YoU1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY=
-rt01.example.		3600	IN	RT	0 intermediate-host.example.
-rt02.example.		3600	IN	RT	65535 .
-sink01.example.		3600	IN	SINK	1 0 0
-sink02.example.		3600	IN	SINK	8 0 2 l4ik
-smimea.example.		3600	IN	SMIMEA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
-spf01.example.		3600	IN	SPF	"v=spf1 -all"
-spf02.example.		3600	IN	SPF	"v=spf1" " -all"
-srv01.example.		3600	IN	SRV	0 0 0 .
-srv02.example.		3600	IN	SRV	65535 65535 65535 old-slow-box.example.
-sshfp01.example.	3600	IN	SSHFP	4 2 C76D8329954DA2835751E371544E963EFDA099080D6C58DD2BFD9A31 6E162C83
-sshfp02.example.	3600	IN	SSHFP	1 2 BF29468C83AC58CCF8C85AB7B3BEB054ECF1E38512B8353AB36471FA 88961DCC
-svcb0.example.		3600	IN	SVCB	0 example.net.
-svcb1.example.		3600	IN	SVCB	1 . port=60
-ta.example.		3600	IN	TA	30795 1 1 310D27F4D82C1FC2400704EA9939FE6E1CEAA3B9
-talink0.example.	3600	IN	TALINK	. talink1.example.
-talink1.example.	3600	IN	TALINK	talink0.example. talink2.example.
-talink2.example.	3600	IN	TALINK	talink2.example. .
-tlsa.example.		3600	IN	TLSA	1 1 2 92003BA34942DC74152E2F2C408D29ECA5A520E7F2E06BB944F4DCA3 46BAF63C1B177615D466F6C4B71C216A50292BD58C9EBDD2F74E38FE 51FFD48C43326CBC
-txt01.example.		3600	IN	TXT	"foo"
-txt02.example.		3600	IN	TXT	"foo" "bar"
-txt03.example.		3600	IN	TXT	"foo"
-txt04.example.		3600	IN	TXT	"foo" "bar"
-txt05.example.		3600	IN	TXT	"foo bar"
-txt06.example.		3600	IN	TXT	"foo bar"
-txt07.example.		3600	IN	TXT	"foo bar"
-txt08.example.		3600	IN	TXT	"foo\010bar"
-txt09.example.		3600	IN	TXT	"foo\010bar"
-txt10.example.		3600	IN	TXT	"foo bar"
-txt11.example.		3600	IN	TXT	"\"foo\""
-txt12.example.		3600	IN	TXT	"\"foo\""
-txt13.example.		3600	IN	TXT	"foo;"
-txt14.example.		3600	IN	TXT	"foo;"
-txt15.example.		3600	IN	TXT	"bar\\;"
-uid01.example.		3600	IN	UID	\# 1 02
-uinfo01.example.	3600	IN	UINFO	\# 1 01
-unspec01.example.	3600	IN	UNSPEC	\# 1 04
-uri01.example.		3600	IN	URI	10 20 "https://www.isc.org/"
-uri02.example.		3600	IN	URI	30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/"
-uri03.example.		3600	IN	URI	30 40 ""
-wallet.example.		3600	IN	WALLET	"currency-identifer" "wallet-identifier"
-wallet-multiple.example. 3600	IN	WALLET	"currency-identifer1" "wallet-identifier1"
-wallet-multiple.example. 3600	IN	WALLET	"currency-identifer1" "wallet-identifier2"
-wallet-multiple.example. 3600	IN	WALLET	"currency-identifer2" "wallet-identifier3"
-wks01.example.		3600	IN	WKS	10.0.0.1 6 0 1 2 21 23
-wks02.example.		3600	IN	WKS	10.0.0.1 17 0 1 2 53
-wks03.example.		3600	IN	WKS	10.0.0.2 6 65535
-x2501.example.		3600	IN	X25	"123456789"
-zonemd01.example.	3600	IN	ZONEMD	2019020700 1 1 C220B8A6ED5728A971902F7E3D4FD93ADEEA88B0453C2E8E8C863D46 5AB06CF34EB95B266398C98B59124FA239CB7EEB
-zonemd02.example.	3600	IN	ZONEMD	2019020700 1 2 08CFA1115C7B948C4163A901270395EA226A930CD2CBCF2FA9A5E6EB 85F37C8A4E114D884E66F176EAB121CB02DB7D652E0CC4827E7A3204 F166B47E5613FD27
-8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3	1 0 10 D2CF0294C020CE6C 8FPNS2UCT7FBS643THP2B77PEQ77K6IU A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
-kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3	1 0 10 D2CF0294C020CE6C KD5MN2M20340DGO0BL7NTSB8JP4BSC7E
-mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3	1 0 10 D2CF0294C020CE6C MT38J6VG7S0SN5G17MCUF6IQIKFUAJ05 A AAAA RRSIG
-example.		86400	IN	SOA	ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
diff --git a/bin/tests/system/xfer/knowngood.mapped b/bin/tests/system/xfer/knowngood.mapped
index 5fcd00b5119..276322327be 100644
--- a/bin/tests/system/xfer/knowngood.mapped
+++ b/bin/tests/system/xfer/knowngood.mapped
@@ -1,6 +1,4 @@
-
-; <<>> DiG 9.10.2-P3 <<>> -p 5300 axfr mapped @10.53.0.3
-;; global options: +cmd
+;ANSWER
 mapped.			3600	IN	SOA	. . 0 0 0 2147483647 0
 example.aa.		3600	IN	A	1.2.3.4
 example1.aa.		3600	IN	A	1.2.3.4
@@ -18,9 +16,4 @@ foo.jj.			3600	IN	A	1.2.3.4
 foo.kk.			3600	IN	A	1.2.3.4
 foo.ll.			3600	IN	A	1.2.3.4
 mapped.			3600	IN	NS	.
-mapped.			3600	IN	SOA	. . 0 0 0 2147483647 0
-;; Query time: 4 msec
-;; SERVER: 10.53.0.3#5300(10.53.0.3)
-;; WHEN: Tue Feb 16 14:38:25 EST 2016
-;; XFR size: 18 records (messages 1, bytes 468)
-
+mapped.			3600	IN	SOA	. . 0 0 0 2147483647 0
\ No newline at end of file
diff --git a/bin/tests/system/xfer/ns1/dot-fallback.db.in b/bin/tests/system/xfer/ns1/dot-fallback.db
similarity index 100%
rename from bin/tests/system/xfer/ns1/dot-fallback.db.in
rename to bin/tests/system/xfer/ns1/dot-fallback.db
diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db
similarity index 100%
rename from bin/tests/system/xfer/ns1/ixfr-too-big.db.in
rename to bin/tests/system/xfer/ns1/ixfr-too-big.db
diff --git a/bin/tests/system/xfer/ns1/named.conf.j2 b/bin/tests/system/xfer/ns1/named.conf.j2
index 709187eff6f..f3d099f909a 100644
--- a/bin/tests/system/xfer/ns1/named.conf.j2
+++ b/bin/tests/system/xfer/ns1/named.conf.j2
@@ -36,17 +36,12 @@ zone "." {
 	file "root.db";
 };
 
-zone "secondary" {
-	type primary;
-	allow-transfer { 10.53.0.1; 10.53.0.2; 10.53.0.6; 10.53.0.7; };
-	file "sec.db";
-};
-
-zone "edns-expire" {
+{% if enable_only_axfr_max_idle_time | default(False) %}
+zone "axfr-max-idle-time" {
 	type primary;
-	file "edns-expire.db";
+	file "axfr-max-idle-time.db";
 };
-
+{% else %}
 zone "axfr-min-transfer-rate" {
 	type primary;
 	file "axfr-min-transfer-rate.db";
@@ -57,14 +52,21 @@ zone "axfr-max-transfer-time" {
 	file "axfr-max-transfer-time.db";
 };
 
-zone "axfr-max-idle-time" {
+zone "axfr-rndc-retransfer-force" {
 	type primary;
-	file "axfr-max-idle-time.db";
+	file "axfr-rndc-retransfer-force.db";
 };
 
-zone "axfr-rndc-retransfer-force" {
+{% if enable_some_zones | default(True) %}
+zone "secondary" {
 	type primary;
-	file "axfr-rndc-retransfer-force.db";
+	allow-transfer { 10.53.0.1; 10.53.0.2; 10.53.0.6; 10.53.0.7; };
+	file "sec.db";
+};
+
+zone "edns-expire" {
+	type primary;
+	file "edns-expire.db";
 };
 
 zone "xot-primary-try-next" {
@@ -98,3 +100,5 @@ zone "dot-fallback" {
 	type primary;
 	file "dot-fallback.db";
 };
+{% endif %}
+{% endif %}
\ No newline at end of file
diff --git a/bin/tests/system/xfer/ns2/mapped.db.in b/bin/tests/system/xfer/ns2/mapped.db
similarity index 100%
rename from bin/tests/system/xfer/ns2/mapped.db.in
rename to bin/tests/system/xfer/ns2/mapped.db
diff --git a/bin/tests/system/xfer/ns2/sec.db.in b/bin/tests/system/xfer/ns2/sec.db
similarity index 100%
rename from bin/tests/system/xfer/ns2/sec.db.in
rename to bin/tests/system/xfer/ns2/sec.db
diff --git a/bin/tests/system/xfer/ns4/named.conf.j2 b/bin/tests/system/xfer/ns4/named.conf.j2
index 4f98d4e4df7..07c8f02a62d 100644
--- a/bin/tests/system/xfer/ns4/named.conf.j2
+++ b/bin/tests/system/xfer/ns4/named.conf.j2
@@ -11,6 +11,7 @@
  * information regarding copyright ownership.
  */
 
+{% set ns4_as_secondary_for_nil = ns4_as_secondary_for_nil | default(False) %}
 options {
 	query-source address 10.53.0.4;
 	notify-source 10.53.0.4;
@@ -49,3 +50,11 @@ zone "." {
 	type primary;
 	file "root.db";
 };
+
+{% if ns4_as_secondary_for_nil %}
+zone "nil" {
+    type secondary;
+    file "nil.db";
+    primaries { 10.53.0.5 key tsig_key; };
+};
+{% endif %}
diff --git a/bin/tests/system/xfer/ns4/root.db.in b/bin/tests/system/xfer/ns4/root.db.j2
similarity index 83%
rename from bin/tests/system/xfer/ns4/root.db.in
rename to bin/tests/system/xfer/ns4/root.db.j2
index 29ee0ec45c3..a47fcad1bd1 100644
--- a/bin/tests/system/xfer/ns4/root.db.in
+++ b/bin/tests/system/xfer/ns4/root.db.j2
@@ -9,6 +9,12 @@
 ; See the COPYRIGHT file distributed with this work for additional
 ; information regarding copyright ownership.
 
+{% raw -%}
 @ 0 SOA . . 0 0 0 0 0
 @ 0 NS .
 @ 0 A 10.53.0.4
+{% endraw -%}
+
+{% for i in range(10000) -%}
+x@i@ 0 in a 10.53.0.1
+{% endfor %}
\ No newline at end of file
diff --git a/bin/tests/system/xfer/ns8/.gitignore b/bin/tests/system/xfer/ns8/.gitignore
deleted file mode 100644
index 3eedd36ba1b..00000000000
--- a/bin/tests/system/xfer/ns8/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-/large.db
-/small.db
diff --git a/bin/tests/system/xfer/ns8/large.db.j2 b/bin/tests/system/xfer/ns8/large.db.j2
new file mode 100644
index 00000000000..8c57b054540
--- /dev/null
+++ b/bin/tests/system/xfer/ns8/large.db.j2
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+large IN TYPE45234 \# 48000 {% for i in range(48000) %}@"%02x" | format(i % 256)@{% endfor %}
\ No newline at end of file
diff --git a/bin/tests/system/xfer/ns8/small.db.j2 b/bin/tests/system/xfer/ns8/small.db.j2
new file mode 100644
index 00000000000..2c90a2577a1
--- /dev/null
+++ b/bin/tests/system/xfer/ns8/small.db.j2
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+{% for i in range(4096) %}
+name@i@ 259200 A 1.2.3.4
+name@i@ 259200 TXT "Hello World @i@"
+{%- endfor %}
\ No newline at end of file
diff --git a/bin/tests/system/xfer/response1.good b/bin/tests/system/xfer/response1.good
new file mode 100644
index 00000000000..67d49a53065
--- /dev/null
+++ b/bin/tests/system/xfer/response1.good
@@ -0,0 +1,174 @@
+;ANSWER
+example. 86400 IN SOA ns2.example. hostmaster.example. 1397051952 5 5 1814400 3600
+example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRu niJDBzC7w0aRyzWZriO6i2odGWWQVucZ qKVsENW91IOW4vqudngPZsY3GvQ/xVA8 /7pyFj6b7Esga60zyGW6LFe9r8n6paHr lG5ojqf0BaqHT+8=
+example. 3600 IN NS ns2.example.
+example. 3600 IN NS ns3.example.
+a01.example. 3600 IN A 0.0.0.0
+a02.example. 3600 IN A 255.255.255.255
+a601.example. 3600 IN A6 \# 17 00ffffffffffffffffffffffffffffff ff
+a601.example. 3600 IN A6 \# 14 40ffffffffffffffff03666f6f00
+a601.example. 3600 IN A6 \# 7 7f0103666f6f00
+a601.example. 3600 IN A6 \# 2 8000
+aaaa01.example. 3600 IN AAAA ::1
+aaaa02.example. 3600 IN AAAA fd92:7065:b8e:ffff::5
+afsdb01.example. 3600 IN AFSDB 0 hostname.example.
+afsdb02.example. 3600 IN AFSDB 65535 .
+amtrelay01.example. 3600 IN AMTRELAY 0 0 0 .
+amtrelay02.example. 3600 IN AMTRELAY 0 1 0 .
+amtrelay03.example. 3600 IN AMTRELAY 0 0 1 0.0.0.0
+amtrelay04.example. 3600 IN AMTRELAY 0 0 2 ::
+amtrelay05.example. 3600 IN AMTRELAY 0 0 3 example.net.
+apl01.example. 3600 IN APL !1:10.0.0.1/32 1:10.0.0.0/24
+atma01.example. 3600 IN TYPE34 \# 12 013631323030303030303030
+atma02.example. 3600 IN TYPE34 \# 12 013631323030303030303030
+atma03.example. 3600 IN TYPE34 \# 9 001234567890abcdef
+atma04.example. 3600 IN TYPE34 \# 9 00fedcba0987654321
+avc.example. 3600 IN AVC "foo:bar"
+caa01.example. 3600 IN CAA 0 issue "ca.example.net; policy=ev"
+caa02.example. 3600 IN CAA 128 tbs "Unknown"
+caa03.example. 3600 IN CAA 128 tbs ""
+cdnskey01.example. 3600 IN CDNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRu niJDBzC7w0aRyzWZriO6i2odGWWQVucZ qKVsENW91IOW4vqudngPZsY3GvQ/xVA8 /7pyFj6b7Esga60zyGW6LFe9r8n6paHr lG5ojqf0BaqHT+8=
+cds01.example. 3600 IN CDS 30795 1 1 310d27f4d82c1fc2400704ea9939fe6e1ceaa3b9
+cert01.example. 3600 IN CERT 65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz 45IkskceFGgiWCn/GxHhai6VAuHAoNUz 4YoU1tVfSCSqQYn6//11U6Nld80jEeC8 aTrO+KKmCaY=
+cname01.example. 3600 IN CNAME cname-target.
+cname02.example. 3600 IN CNAME cname-target.example.
+cname03.example. 3600 IN CNAME .
+csync01.example. 3600 IN CSYNC 0 0 A NS AAAA
+csync02.example. 3600 IN CSYNC 0 0
+dhcid01.example. 3600 IN DHCID AAIBY2/AuCccgoJbsaxcQc9TUapptP69 lOjxfNuVAA2kjEA=
+dhcid02.example. 3600 IN DHCID AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQd WL3b/NaiUDlW2No=
+dhcid03.example. 3600 IN DHCID AAABxLmlskllE0MVjd57zHcWmEH3pCQ6 VytcKD//7es/deY=
+dlv.example. 3600 IN DLV 30795 1 1 310d27f4d82c1fc2400704ea9939fe6e1ceaa3b9
+dname01.example. 3600 IN DNAME dname-target.
+dname02.example. 3600 IN DNAME dname-target.example.
+dname03.example. 3600 IN DNAME .
+doa01.example. 3600 IN TYPE259 \# 301 499602d2499602d20109696d6167652f 67696647494638396128001900e30200 666666006699ffffff3399ccccffff99 ccff33669966ccff99cccccccccc0099 ffffffffffffffffffffffffffffffff 21f904010a000f002c00000000280019 000004c7f081492b95366b8df7ec5e68 8119299e8089ae5cbb3eb08aca1f1cdc 78008734f7e4c0db6ed3bbfc82481db1 a23a2693c554e94955962ea36ad54572 6a9352d70777380c6e8342e19c2b9b71 586cc72b109ceb78013a6fbf31e51739 750303838567850204697a7e7f52185e 01830575407848572918418675078202 a0412d3b92937d0479777da44b006ca1 b18c7a83484d12a7a8b137837504999b 73b948866b0189c8756b03c08e463549 947c6c95abcf7f36486a8805040541de 08b144da5fe71ebae74f11003b
+doa02.example. 3600 IN TYPE259 \# 30 0000000000000001020068747470733a 2f2f7777772e6973632e6f72672f
+ds01.example. 3600 IN DS 12892 5 2 26584835ca80c81c91999f31cfaf2a0e89d4ff1c8fafd0ddb31a85c719277c13
+ds01.example. 3600 IN NS ns42.example.
+ds02.example. 3600 IN DS 12892 5 1 7aa4a3f416c2f2391fb7ab0d434f762cd62d1390
+ds02.example. 3600 IN NS ns43.example.
+eid01.example. 3600 IN TYPE31 \# 3 1289ab
+eui48.example. 3600 IN EUI48 01-23-45-67-89-ab
+eui64.example. 3600 IN EUI64 01-23-45-67-89-ab-cd-ef
+gid01.example. 3600 IN TYPE102 \# 1 03
+gpos01.example. 3600 IN GPOS -22.6882 116.8652 250.0
+hinfo01.example. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4"
+hinfo02.example. 3600 IN HINFO "PC" "NetBSD"
+hip1.example. 3600 IN HIP 2 200100107b1a74df365639cc39f1d578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+hip2.example. 3600 IN HIP 2 200100107b1a74df365639cc39f1d578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
+https0.example. 3600 IN HTTPS 0 example.net.
+https1.example. 3600 IN HTTPS 1 . port="60"
+ipseckey01.example. 3600 IN IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey02.example. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey03.example. 3600 IN IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey04.example. 3600 IN IPSECKEY 10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey05.example. 3600 IN IPSECKEY 10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+isdn01.example. 3600 IN ISDN "isdn-address"
+isdn02.example. 3600 IN ISDN "isdn-address" "subaddress"
+isdn03.example. 3600 IN ISDN "isdn-address"
+isdn04.example. 3600 IN ISDN "isdn-address" "subaddress"
+keydata.example. 3600 IN TYPE65533 \# 0
+keydata.example. 3600 IN TYPE65533 \# 6 010203040506
+keydata.example. 3600 IN TYPE65533 \# 18 01020304050601020304050601020304 0506
+kx01.example. 3600 IN KX 10 kdc.example.
+kx02.example. 3600 IN KX 10 .
+l32.example. 3600 IN L32 10 1.2.3.4
+l64.example. 3600 IN L64 10 0014:4fff:ff20:ee64
+loc01.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20.00m 2000.00m 20.00m
+loc02.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20.00m 2000.00m 20.00m
+lp.example. 3600 IN LP 10 example.net.
+mb01.example. 3600 IN MG \# 10 076d61646e616d65c00c
+mb02.example. 3600 IN MG \# 1 00
+mg01.example. 3600 IN MG \# 10 076d676d6e616d65c00c
+mg02.example. 3600 IN MG \# 1 00
+minfo01.example. 3600 IN MINFO \# 20 07726d61696c6278c00c07656d61696c 6278c00c
+minfo02.example. 3600 IN MINFO \# 2 0000
+mr01.example. 3600 IN MR \# 9 066d726e616d65c00c
+mr02.example. 3600 IN MR \# 1 00
+mx01.example. 3600 IN MX 10 mail.example.
+mx02.example. 3600 IN MX 10 .
+naptr01.example. 3600 IN NAPTR 0 0 "" "" "" .
+naptr02.example. 3600 IN NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo.
+nid.example. 3600 IN NID 10 0014:4fff:ff20:ee64
+nimloc01.example. 3600 IN TYPE32 \# 3 1289ab
+ninfo01.example. 3600 IN NINFO "foo"
+ninfo02.example. 3600 IN NINFO "foo" "bar"
+ninfo03.example. 3600 IN NINFO "foo"
+ninfo04.example. 3600 IN NINFO "foo" "bar"
+ninfo05.example. 3600 IN NINFO "foo bar"
+ninfo06.example. 3600 IN NINFO "foo bar"
+ninfo07.example. 3600 IN NINFO "foo bar"
+ninfo08.example. 3600 IN NINFO "foo\010bar"
+ninfo09.example. 3600 IN NINFO "foo\010bar"
+ninfo10.example. 3600 IN NINFO "foo bar"
+ninfo11.example. 3600 IN NINFO "\"foo\""
+ninfo12.example. 3600 IN NINFO "\"foo\""
+ninfo13.example. 3600 IN NINFO "foo;"
+ninfo14.example. 3600 IN NINFO "foo;"
+ninfo15.example. 3600 IN NINFO "bar\\;"
+ns2.example. 3600 IN A 10.53.0.2
+ns3.example. 3600 IN A 10.53.0.3
+nsap-ptr01.example. 3600 IN NSAP-PTR .
+nsap-ptr01.example. 3600 IN NSAP-PTR foo.
+nsap01.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100
+nsap02.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100
+nsec01.example. 3600 IN NSEC a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example. 3600 IN NSEC . NSAP-PTR NSEC
+nsec03.example. 3600 IN NSEC . A
+nsec04.example. 3600 IN NSEC . TYPE127
+openpgpkey.example. 3600 IN OPENPGPKEY AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+ptr01.example. 3600 IN PTR example.
+px01.example. 3600 IN PX 65535 foo. bar.
+px02.example. 3600 IN PX 65535 . .
+rkey01.example. 3600 IN TYPE57 \# 111 0000ff010103050f9ada7330891d588a b4b621586cfc84c63d50646e9e224307 30bbc34691cb3599ae23ba8b6a1d1965 9056e719a8a56c10d5bdd48396e2faae 76780f66c6371af43fc5503cffba7216 3e9bec4b206bad33c865ba2c57bdafc9 faa5a1eb946e688ea7f405aa874fef
+rp01.example. 3600 IN RP mbox-dname.example. txt-dname.example.
+rp02.example. 3600 IN RP . .
+rrsig01.example. 3600 IN RRSIG NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz 45IkskceFGgiWCn/GxHhai6VAuHAoNUz 4YoU1tVfSCSqQYn6//11U6Nld80jEeC8 aTrO+KKmCaY=
+rt01.example. 3600 IN RT 0 intermediate-host.example.
+rt02.example. 3600 IN RT 65535 .
+sink01.example. 3600 IN TYPE40 \# 3 010000
+sink02.example. 3600 IN TYPE40 \# 6 0800029788a4
+smimea.example. 3600 IN SMIMEA 1 1 2 92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c1b177615d466f6c4b71c216a50292bd58c9ebdd2f74e38fe51ffd48c43326cbc
+spf01.example. 3600 IN SPF "v=spf1 -all"
+spf02.example. 3600 IN SPF "v=spf1" " -all"
+srv01.example. 3600 IN SRV 0 0 0 .
+srv02.example. 3600 IN SRV 65535 65535 65535 old-slow-box.example.
+sshfp01.example. 3600 IN SSHFP 4 2 c76d8329954da2835751e371544e963efda099080d6c58dd2bfd9a316e162c83
+sshfp02.example. 3600 IN SSHFP 1 2 bf29468c83ac58ccf8c85ab7b3beb054ecf1e38512b8353ab36471fa88961dcc
+svcb0.example. 3600 IN SVCB 0 example.net.
+svcb1.example. 3600 IN SVCB 1 . port="60"
+ta.example. 3600 IN TA \# 24 784b0101310d27f4d82c1fc2400704ea 9939fe6e1ceaa3b9
+talink0.example. 3600 IN TYPE58 \# 18 000774616c696e6b31076578616d706c 6500
+talink1.example. 3600 IN TYPE58 \# 34 0774616c696e6b30076578616d706c65 000774616c696e6b32076578616d706c 6500
+talink2.example. 3600 IN TYPE58 \# 18 0774616c696e6b32076578616d706c65 0000
+tlsa.example. 3600 IN TLSA 1 1 2 92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c1b177615d466f6c4b71c216a50292bd58c9ebdd2f74e38fe51ffd48c43326cbc
+txt01.example. 3600 IN TXT "foo"
+txt02.example. 3600 IN TXT "foo" "bar"
+txt03.example. 3600 IN TXT "foo"
+txt04.example. 3600 IN TXT "foo" "bar"
+txt05.example. 3600 IN TXT "foo bar"
+txt06.example. 3600 IN TXT "foo bar"
+txt07.example. 3600 IN TXT "foo bar"
+txt08.example. 3600 IN TXT "foo\010bar"
+txt09.example. 3600 IN TXT "foo\010bar"
+txt10.example. 3600 IN TXT "foo bar"
+txt11.example. 3600 IN TXT "\"foo\""
+txt12.example. 3600 IN TXT "\"foo\""
+txt13.example. 3600 IN TXT "foo;"
+txt14.example. 3600 IN TXT "foo;"
+txt15.example. 3600 IN TXT "bar\\;"
+uid01.example. 3600 IN TYPE101 \# 1 02
+uinfo01.example. 3600 IN TYPE100 \# 1 01
+unspec01.example. 3600 IN UNSPEC \# 1 04
+uri01.example. 3600 IN URI 10 20 "https://www.isc.org/"
+uri02.example. 3600 IN URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/"
+wks01.example. 3600 IN WKS 10.0.0.1 6 0 1 2 21 23
+wks02.example. 3600 IN WKS 10.0.0.1 17 0 1 2 53
+wks03.example. 3600 IN WKS 10.0.0.2 6 65535
+x2501.example. 3600 IN X25 "123456789"
+zonemd01.example. 3600 IN ZONEMD 2019020700 1 1 c220b8a6ed5728a971902f7e3d4fd93adeea88b0453c2e8e8c863d465ab06cf34eb95b266398c98b59124fa239cb7eeb
+zonemd02.example. 3600 IN ZONEMD 2019020700 1 2 08cfa1115c7b948c4163a901270395ea226a930cd2cbcf2fa9a5e6eb85f37c8a4e114d884e66f176eab121cb02db7d652e0cc4827e7a3204f166b47e5613fd27
+8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 d2cf0294c020ce6c 8fpns2uct7fbs643thp2b77peq77k6iu A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
+kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 d2cf0294c020ce6c kd5mn2m20340dgo0bl7ntsb8jp4bsc7e
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 d2cf0294c020ce6c mt38j6vg7s0sn5g17mcuf6iqikfuaj05 A AAAA RRSIG
\ No newline at end of file
diff --git a/bin/tests/system/xfer/response2.good b/bin/tests/system/xfer/response2.good
new file mode 100644
index 00000000000..0844e83daf5
--- /dev/null
+++ b/bin/tests/system/xfer/response2.good
@@ -0,0 +1,174 @@
+;ANSWER
+example. 86400 IN SOA ns2.example. hostmaster.example. 1397051953 5 5 1814400 3600
+example. 3600 IN DNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRu niJDBzC7w0aRyzWZriO6i2odGWWQVucZ qKVsENW91IOW4vqudngPZsY3GvQ/xVA8 /7pyFj6b7Esga60zyGW6LFe9r8n6paHr lG5ojqf0BaqHT+8=
+example. 3600 IN NS ns2.example.
+example. 3600 IN NS ns3.example.
+a01.example. 3600 IN A 0.0.0.1
+a02.example. 3600 IN A 255.255.255.255
+a601.example. 3600 IN A6 \# 17 00ffffffffffffffffffffffffffffff ff
+a601.example. 3600 IN A6 \# 14 40ffffffffffffffff03666f6f00
+a601.example. 3600 IN A6 \# 7 7f0103666f6f00
+a601.example. 3600 IN A6 \# 2 8000
+aaaa01.example. 3600 IN AAAA ::1
+aaaa02.example. 3600 IN AAAA fd92:7065:b8e:ffff::5
+afsdb01.example. 3600 IN AFSDB 0 hostname.example.
+afsdb02.example. 3600 IN AFSDB 65535 .
+amtrelay01.example. 3600 IN AMTRELAY 0 0 0 .
+amtrelay02.example. 3600 IN AMTRELAY 0 1 0 .
+amtrelay03.example. 3600 IN AMTRELAY 0 0 1 0.0.0.1
+amtrelay04.example. 3600 IN AMTRELAY 0 0 2 ::
+amtrelay05.example. 3600 IN AMTRELAY 0 0 3 example.net.
+apl01.example. 3600 IN APL !1:10.0.0.1/32 1:10.0.0.0/24
+atma01.example. 3600 IN TYPE34 \# 12 013631323030303030303030
+atma02.example. 3600 IN TYPE34 \# 12 013631323030303030303030
+atma03.example. 3600 IN TYPE34 \# 9 001234567890abcdef
+atma04.example. 3600 IN TYPE34 \# 9 00fedcba0987654321
+avc.example. 3600 IN AVC "foo:bar"
+caa01.example. 3600 IN CAA 0 issue "ca.example.net; policy=ev"
+caa02.example. 3600 IN CAA 128 tbs "Unknown"
+caa03.example. 3600 IN CAA 128 tbs ""
+cdnskey01.example. 3600 IN CDNSKEY 512 255 1 AQMFD5raczCJHViKtLYhWGz8hMY9UGRu niJDBzC7w0aRyzWZriO6i2odGWWQVucZ qKVsENW91IOW4vqudngPZsY3GvQ/xVA8 /7pyFj6b7Esga60zyGW6LFe9r8n6paHr lG5ojqf0BaqHT+8=
+cds01.example. 3600 IN CDS 30795 1 1 310d27f4d82c1fc2400704ea9939fe6e1ceaa3b9
+cert01.example. 3600 IN CERT 65534 65535 PRIVATEOID MxFcby9k/yvedMfQgKzhH5er0Mu/vILz 45IkskceFGgiWCn/GxHhai6VAuHAoNUz 4YoU1tVfSCSqQYn6//11U6Nld80jEeC8 aTrO+KKmCaY=
+cname01.example. 3600 IN CNAME cname-target.
+cname02.example. 3600 IN CNAME cname-target.example.
+cname03.example. 3600 IN CNAME .
+csync01.example. 3600 IN CSYNC 0 0 A NS AAAA
+csync02.example. 3600 IN CSYNC 0 0
+dhcid01.example. 3600 IN DHCID AAIBY2/AuCccgoJbsaxcQc9TUapptP69 lOjxfNuVAA2kjEA=
+dhcid02.example. 3600 IN DHCID AAEBOSD+XR3Os/0LozeXVqcNc7FwCfQd WL3b/NaiUDlW2No=
+dhcid03.example. 3600 IN DHCID AAABxLmlskllE0MVjd57zHcWmEH3pCQ6 VytcKD//7es/deY=
+dlv.example. 3600 IN DLV 30795 1 1 310d27f4d82c1fc2400704ea9939fe6e1ceaa3b9
+dname01.example. 3600 IN DNAME dname-target.
+dname02.example. 3600 IN DNAME dname-target.example.
+dname03.example. 3600 IN DNAME .
+doa01.example. 3600 IN TYPE259 \# 301 499602d2499602d20109696d6167652f 67696647494638396128001900e30200 666666006699ffffff3399ccccffff99 ccff33669966ccff99cccccccccc0099 ffffffffffffffffffffffffffffffff 21f904010a000f002c00000000280019 000004c7f081492b95366b8df7ec5e68 8119299e8089ae5cbb3eb08aca1f1cdc 78008734f7e4c0db6ed3bbfc82481db1 a23a2693c554e94955962ea36ad54572 6a9352d70777380c6e8342e19c2b9b71 586cc72b109ceb78013a6fbf31e51739 750303838567850204697a7e7f52185e 01830575407848572918418675078202 a0412d3b92937d0479777da44b006ca1 b18c7a83484d12a7a8b137837504999b 73b948866b0189c8756b03c08e463549 947c6c95abcf7f36486a8805040541de 08b144da5fe71ebae74f11003b
+doa02.example. 3600 IN TYPE259 \# 30 0000000000000001020068747470733a 2f2f7777772e6973632e6f72672f
+ds01.example. 3600 IN DS 12892 5 2 26584835ca80c81c91999f31cfaf2a0e89d4ff1c8fafd0ddb31a85c719277c13
+ds01.example. 3600 IN NS ns42.example.
+ds02.example. 3600 IN DS 12892 5 1 7aa4a3f416c2f2391fb7ab0d434f762cd62d1390
+ds02.example. 3600 IN NS ns43.example.
+eid01.example. 3600 IN TYPE31 \# 3 1289ab
+eui48.example. 3600 IN EUI48 01-23-45-67-89-ab
+eui64.example. 3600 IN EUI64 01-23-45-67-89-ab-cd-ef
+gid01.example. 3600 IN TYPE102 \# 1 03
+gpos01.example. 3600 IN GPOS -22.6882 116.8652 250.0
+hinfo01.example. 3600 IN HINFO "Generic PC clone" "NetBSD-1.4"
+hinfo02.example. 3600 IN HINFO "PC" "NetBSD"
+hip1.example. 3600 IN HIP 2 200100107b1a74df365639cc39f1d578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+hip2.example. 3600 IN HIP 2 200100107b1a74df365639cc39f1d578 AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D rvs.example.com.
+https0.example. 3600 IN HTTPS 0 example.net.
+https1.example. 3600 IN HTTPS 1 . port="60"
+ipseckey01.example. 3600 IN IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey02.example. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey03.example. 3600 IN IPSECKEY 10 1 2 192.0.2.3 AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey04.example. 3600 IN IPSECKEY 10 3 2 mygateway.example.com. AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+ipseckey05.example. 3600 IN IPSECKEY 10 2 2 2001:db8:0:8002::2000:1 AQNRU3mG7TVTO2BkR47usntb102uFJtu gbo6BSGvgqt4AQ==
+isdn01.example. 3600 IN ISDN "isdn-address"
+isdn02.example. 3600 IN ISDN "isdn-address" "subaddress"
+isdn03.example. 3600 IN ISDN "isdn-address"
+isdn04.example. 3600 IN ISDN "isdn-address" "subaddress"
+keydata.example. 3600 IN TYPE65533 \# 0
+keydata.example. 3600 IN TYPE65533 \# 6 010203040506
+keydata.example. 3600 IN TYPE65533 \# 18 01020304050601020304050601020304 0506
+kx01.example. 3600 IN KX 10 kdc.example.
+kx02.example. 3600 IN KX 10 .
+l32.example. 3600 IN L32 10 1.2.3.4
+l64.example. 3600 IN L64 10 0014:4fff:ff20:ee64
+loc01.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20.00m 2000.00m 20.00m
+loc02.example. 3600 IN LOC 60 9 0.000 N 24 39 0.000 E 10.00m 20.00m 2000.00m 20.00m
+lp.example. 3600 IN LP 10 example.net.
+mb01.example. 3600 IN MG \# 10 076d61646e616d65c00c
+mb02.example. 3600 IN MG \# 1 00
+mg01.example. 3600 IN MG \# 10 076d676d6e616d65c00c
+mg02.example. 3600 IN MG \# 1 00
+minfo01.example. 3600 IN MINFO \# 20 07726d61696c6278c00c07656d61696c 6278c00c
+minfo02.example. 3600 IN MINFO \# 2 0000
+mr01.example. 3600 IN MR \# 9 066d726e616d65c00c
+mr02.example. 3600 IN MR \# 1 00
+mx01.example. 3600 IN MX 10 mail.example.
+mx02.example. 3600 IN MX 10 .
+naptr01.example. 3600 IN NAPTR 0 0 "" "" "" .
+naptr02.example. 3600 IN NAPTR 65535 65535 "blurgh" "blorf" "blllbb" foo.
+nid.example. 3600 IN NID 10 0014:4fff:ff20:ee64
+nimloc01.example. 3600 IN TYPE32 \# 3 1289ab
+ninfo01.example. 3600 IN NINFO "foo"
+ninfo02.example. 3600 IN NINFO "foo" "bar"
+ninfo03.example. 3600 IN NINFO "foo"
+ninfo04.example. 3600 IN NINFO "foo" "bar"
+ninfo05.example. 3600 IN NINFO "foo bar"
+ninfo06.example. 3600 IN NINFO "foo bar"
+ninfo07.example. 3600 IN NINFO "foo bar"
+ninfo08.example. 3600 IN NINFO "foo\010bar"
+ninfo09.example. 3600 IN NINFO "foo\010bar"
+ninfo10.example. 3600 IN NINFO "foo bar"
+ninfo11.example. 3600 IN NINFO "\"foo\""
+ninfo12.example. 3600 IN NINFO "\"foo\""
+ninfo13.example. 3600 IN NINFO "foo;"
+ninfo14.example. 3600 IN NINFO "foo;"
+ninfo15.example. 3600 IN NINFO "bar\\;"
+ns2.example. 3600 IN A 10.53.0.2
+ns3.example. 3600 IN A 10.53.0.3
+nsap-ptr01.example. 3600 IN NSAP-PTR .
+nsap-ptr01.example. 3600 IN NSAP-PTR foo.
+nsap01.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100
+nsap02.example. 3600 IN NSAP 0x47000580005a0000000001e133ffffff00016100
+nsec01.example. 3600 IN NSEC a.secure.nil. NS SOA MX LOC RRSIG NSEC DNSKEY
+nsec02.example. 3600 IN NSEC . NSAP-PTR NSEC
+nsec03.example. 3600 IN NSEC . A
+nsec04.example. 3600 IN NSEC . TYPE127
+openpgpkey.example. 3600 IN OPENPGPKEY AQMFD5raczCJHViKtLYhWGz8hMY9UGRuniJDBzC7w0aRyzWZriO6i2odGWWQVucZqKVsENW91IOW4vqudngPZsY3GvQ/xVA8/7pyFj6b7Esga60zyGW6LFe9r8n6paHrlG5ojqf0BaqHT+8=
+ptr01.example. 3600 IN PTR example.
+px01.example. 3600 IN PX 65535 foo. bar.
+px02.example. 3600 IN PX 65535 . .
+rkey01.example. 3600 IN TYPE57 \# 111 0000ff010103050f9ada7330891d588a b4b621586cfc84c63d50646e9e224307 30bbc34691cb3599ae23ba8b6a1d1965 9056e719a8a56c10d5bdd48396e2faae 76780f66c6371af43fc5503cffba7216 3e9bec4b206bad33c865ba2c57bdafc9 faa5a1eb946e688ea7f405aa874fef
+rp01.example. 3600 IN RP mbox-dname.example. txt-dname.example.
+rp02.example. 3600 IN RP . .
+rrsig01.example. 3600 IN RRSIG NSEC 1 3 3600 20000102030405 19961211100908 2143 foo.nil. MxFcby9k/yvedMfQgKzhH5er0Mu/vILz 45IkskceFGgiWCn/GxHhai6VAuHAoNUz 4YoU1tVfSCSqQYn6//11U6Nld80jEeC8 aTrO+KKmCaY=
+rt01.example. 3600 IN RT 0 intermediate-host.example.
+rt02.example. 3600 IN RT 65535 .
+sink01.example. 3600 IN TYPE40 \# 3 010000
+sink02.example. 3600 IN TYPE40 \# 6 0800029788a4
+smimea.example. 3600 IN SMIMEA 1 1 2 92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c1b177615d466f6c4b71c216a50292bd58c9ebdd2f74e38fe51ffd48c43326cbc
+spf01.example. 3600 IN SPF "v=spf1 -all"
+spf02.example. 3600 IN SPF "v=spf1" " -all"
+srv01.example. 3600 IN SRV 0 0 0 .
+srv02.example. 3600 IN SRV 65535 65535 65535 old-slow-box.example.
+sshfp01.example. 3600 IN SSHFP 4 2 c76d8329954da2835751e371544e963efda099080d6c58dd2bfd9a316e162c83
+sshfp02.example. 3600 IN SSHFP 1 2 bf29468c83ac58ccf8c85ab7b3beb054ecf1e38512b8353ab36471fa88961dcc
+svcb0.example. 3600 IN SVCB 0 example.net.
+svcb1.example. 3600 IN SVCB 1 . port="60"
+ta.example. 3600 IN TA \# 24 784b0101310d27f4d82c1fc2400704ea 9939fe6e1ceaa3b9
+talink0.example. 3600 IN TYPE58 \# 18 000774616c696e6b31076578616d706c 6500
+talink1.example. 3600 IN TYPE58 \# 34 0774616c696e6b30076578616d706c65 000774616c696e6b32076578616d706c 6500
+talink2.example. 3600 IN TYPE58 \# 18 0774616c696e6b32076578616d706c65 0000
+tlsa.example. 3600 IN TLSA 1 1 2 92003ba34942dc74152e2f2c408d29eca5a520e7f2e06bb944f4dca346baf63c1b177615d466f6c4b71c216a50292bd58c9ebdd2f74e38fe51ffd48c43326cbc
+txt01.example. 3600 IN TXT "foo"
+txt02.example. 3600 IN TXT "foo" "bar"
+txt03.example. 3600 IN TXT "foo"
+txt04.example. 3600 IN TXT "foo" "bar"
+txt05.example. 3600 IN TXT "foo bar"
+txt06.example. 3600 IN TXT "foo bar"
+txt07.example. 3600 IN TXT "foo bar"
+txt08.example. 3600 IN TXT "foo\010bar"
+txt09.example. 3600 IN TXT "foo\010bar"
+txt10.example. 3600 IN TXT "foo bar"
+txt11.example. 3600 IN TXT "\"foo\""
+txt12.example. 3600 IN TXT "\"foo\""
+txt13.example. 3600 IN TXT "foo;"
+txt14.example. 3600 IN TXT "foo;"
+txt15.example. 3600 IN TXT "bar\\;"
+uid01.example. 3600 IN TYPE101 \# 1 02
+uinfo01.example. 3600 IN TYPE100 \# 1 01
+unspec01.example. 3600 IN UNSPEC \# 1 04
+uri01.example. 3600 IN URI 10 20 "https://www.isc.org/"
+uri02.example. 3600 IN URI 30 40 "https://www.isc.org/HolyCowThisSureIsAVeryLongURIRecordIDontEvenKnowWhatSomeoneWouldEverWantWithSuchAThingButTheSpecificationRequiresThatWesupportItSoHereWeGoTestingItLaLaLaLaLaLaLaSeriouslyThoughWhyWouldYouEvenConsiderUsingAURIThisLongItSeemsLikeASillyIdeaButEnhWhatAreYouGonnaDo/"
+wks01.example. 3600 IN WKS 10.0.0.1 6 0 1 2 21 23
+wks02.example. 3600 IN WKS 10.0.0.1 17 0 1 2 53
+wks03.example. 3600 IN WKS 10.0.0.2 6 65535
+x2501.example. 3600 IN X25 "123456789"
+zonemd01.example. 3600 IN ZONEMD 2019020700 1 1 c220b8a6ed5728a971902f7e3d4fd93adeea88b0453c2e8e8c863d465ab06cf34eb95b266398c98b59124fa239cb7eeb
+zonemd02.example. 3600 IN ZONEMD 2019020700 1 2 08cfa1115c7b948c4163a901270395ea226a930cd2cbcf2fa9a5e6eb85f37c8a4e114d884e66f176eab121cb02db7d652e0cc4827e7a3204f166b47e5613fd27
+8f1tmio9avcom2k0frp92lgcumak0cad.example. 3600 IN NSEC3 1 0 10 d2cf0294c020ce6c 8fpns2uct7fbs643thp2b77peq77k6iu A NS SOA MX AAAA RRSIG DNSKEY NSEC3PARAM
+kcd3juae64f9c5csl1kif1htaui7un0g.example. 3600 IN NSEC3 1 0 10 d2cf0294c020ce6c kd5mn2m20340dgo0bl7ntsb8jp4bsc7e
+mr5ukvsk1l37btu4q7b1dfevft4hkqdk.example. 3600 IN NSEC3 1 0 10 d2cf0294c020ce6c mt38j6vg7s0sn5g17mcuf6iqikfuaj05 A AAAA RRSIG
diff --git a/bin/tests/system/xfer/dig3.good b/bin/tests/system/xfer/response3.good
similarity index 97%
rename from bin/tests/system/xfer/dig3.good
rename to bin/tests/system/xfer/response3.good
index d58c4216a39..551bec08dd3 100644
--- a/bin/tests/system/xfer/dig3.good
+++ b/bin/tests/system/xfer/response3.good
@@ -1,3 +1,4 @@
+;ANSWER
 dot-fallback.		5	IN	SOA	ns1.dot-fallback. hostmaster.dot-fallback. 1 3600 3600 3600 3600
 dot-fallback.		5	IN	NS	ns1.dot-fallback.
 a01.dot-fallback.	5	IN	A	1.1.1.1
diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh
index f10dac34703..0934347b190 100644
--- a/bin/tests/system/xfer/setup.sh
+++ b/bin/tests/system/xfer/setup.sh
@@ -13,24 +13,33 @@
 
 . ../conf.sh
 
-$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 6 7 >ns1/sec.db
-$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 1 6 7 >ns1/edns-expire.db
-$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 3 >ns2/example.db
-$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 2 3 >ns2/tsigzone.db
-$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 6 3 >ns6/primary.db
-$SHELL ${TOP_SRCDIR}/bin/tests/system/genzone.sh 7 >ns7/primary2.db
+dnspython_genzone() (
+  servers="$@"
+  # Drop unusual RR sets and RR types (AMTRELAY, GPOS, URI, apl02) dnspython
+  # can't handle. For more information see
+  # https://github.com/rthalley/dnspython/issues/1034#issuecomment-1896541899.
+  # - BRID and HHIT are not supported by dnspython at all.
+  # - dnspython v2.8.0 adds support for DSYNC RR type
+  # - dnspython v2.7.0 adds support for RESINFO and WALLET RR types
+  $SHELL "${TOP_SRCDIR}/bin/tests/system/genzone.sh" $servers \
+    | sed \
+      -e '/AMTRELAY.*\# 2 0004/d' \
+      -e '/BRID/d' \
+      -e '/DSYNC/d' \
+      -e '/GPOS.*"" "" ""/d' \
+      -e '/HHIT/d' \
+      -e '/RESINFO/d' \
+      -e '/URI.*30 40 ""/d' \
+      -e '/WALLET/d' \
+      -e '/apl02/d' \
+    | tr "\t" " "
+)
+
+dnspython_genzone 1 6 7 >ns1/sec.db
+dnspython_genzone 1 6 7 >ns1/edns-expire.db
+dnspython_genzone 2 3 >ns2/example.db
+dnspython_genzone 2 3 >ns2/tsigzone.db
+dnspython_genzone 6 3 >ns6/primary.db
+dnspython_genzone 7 >ns7/primary2.db
 
-cp -f ns4/root.db.in ns4/root.db
-$PERL -e 'for ($i=0;$i<10000;$i++){ printf("x%u 0 in a 10.53.0.1\n", $i);}' >>ns4/root.db
-
-cp ns1/dot-fallback.db.in ns1/dot-fallback.db
-
-cp ns2/sec.db.in ns2/sec.db
 touch -t 200101010000 ns2/sec.db
-
-cp ns2/mapped.db.in ns2/mapped.db
-
-$PERL -e 'for ($i=0;$i<4096;$i++){ printf("name%u 259200 A 1.2.3.4\nname%u 259200 TXT \"Hello World %u\"\n", $i, $i, $i);}' >ns8/small.db
-$PERL -e 'printf("large IN TYPE45234 \\# 48000 "); for ($i=0;$i<16*3000;$i++) { printf("%02x", $i % 256); } printf("\n");' >ns8/large.db
-
-cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
deleted file mode 100755
index a77d0b4bc1e..00000000000
--- a/bin/tests/system/xfer/tests.sh
+++ /dev/null
@@ -1,799 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../conf.sh
-
-DIGOPTS="+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd -p ${PORT}"
-RNDCCMD="$RNDC -c ../_common/rndc.conf -p ${CONTROLPORT} -s"
-NS_PARAMS="-m record -c named.conf -d 99 -g -T maxcachesize=2097152"
-
-dig_with_opts() (
-  "$DIG" -p "$PORT" "$@"
-)
-
-status=0
-n=0
-
-n=$((n + 1))
-echo_i "testing basic zone transfer functionality (from primary) ($n)"
-tmp=0
-$DIG $DIGOPTS example. @10.53.0.2 axfr >dig.out.ns2.test$n || tmp=1
-grep "^;" dig.out.ns2.test$n | cat_i
-digcomp dig1.good dig.out.ns2.test$n || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing basic zone transfer functionality (from secondary) ($n)"
-tmp=0
-#
-# Spin to allow the zone to transfer.
-#
-wait_for_xfer() {
-  ZONE=$1
-  SERVER=$2
-  $DIG $DIGOPTS $ZONE @$SERVER axfr >dig.out.test$n || return 1
-  grep "^;" dig.out.test$n >/dev/null && return 1
-  return 0
-}
-retry_quiet 25 wait_for_xfer example. 10.53.0.3 || tmp=1
-grep "^;" dig.out.test$n | cat_i
-digcomp dig1.good dig.out.test$n || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing zone transfer functionality (fallback to DNS after DoT failed) ($n)"
-tmp=0
-retry_quiet 25 wait_for_xfer dot-fallback. 10.53.0.2 || tmp=1
-grep "^;" dig.out.test$n | cat_i
-digcomp dig3.good dig.out.test$n || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing TSIG signed zone transfers ($n)"
-tmp=0
-$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" >dig.out.ns2.test$n || tmp=1
-grep "^;" dig.out.ns2.test$n | cat_i
-
-#
-# Spin to allow the zone to transfer.
-#
-wait_for_xfer_tsig() {
-  $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y "${DEFAULT_HMAC}:tsigzone.:1234abcd8765" >dig.out.ns3.test$n || return 1
-  grep "^;" dig.out.ns3.test$n >/dev/null && return 1
-  return 0
-}
-retry_quiet 25 wait_for_xfer_tsig || tmp=1
-grep "^;" dig.out.ns3.test$n | cat_i
-digcomp dig.out.ns2.test$n dig.out.ns3.test$n || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-echo_i "reload servers for in preparation for ixfr-from-differences tests"
-
-rndc_reload ns1 10.53.0.1
-rndc_reload ns2 10.53.0.2
-rndc_reload ns3 10.53.0.3
-rndc_reload ns6 10.53.0.6
-rndc_reload ns7 10.53.0.7
-
-sleep 2
-
-echo_i "updating primary zones for ixfr-from-differences tests"
-
-$PERL -i -p -e '
-	s/0\.0\.0\.0/0.0.0.1/;
-	s/1397051952/1397051953/
-' ns1/sec.db
-
-rndc_reload ns1 10.53.0.1
-
-$PERL -i -p -e '
-	s/0\.0\.0\.0/0.0.0.1/;
-	s/1397051952/1397051953/
-' ns2/example.db
-
-rndc_reload ns2 10.53.0.2
-
-$PERL -i -p -e '
-	s/0\.0\.0\.0/0.0.0.1/;
-	s/1397051952/1397051953/
-' ns6/primary.db
-
-rndc_reload ns6 10.53.0.6
-
-$PERL -i -p -e '
-	s/0\.0\.0\.0/0.0.0.1/;
-	s/1397051952/1397051953/
-' ns7/primary2.db
-
-rndc_reload ns7 10.53.0.7
-
-sleep 3
-
-n=$((n + 1))
-echo_i "testing zone is dumped after successful transfer ($n)"
-tmp=0
-$DIG $DIGOPTS +noall +answer +multi @10.53.0.2 \
-  secondary. soa >dig.out.ns2.test$n || tmp=1
-grep "1397051952 ; serial" dig.out.ns2.test$n >/dev/null 2>&1 || tmp=1
-grep "1397051952 ; serial" ns2/sec.db >/dev/null 2>&1 || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing ixfr-from-differences yes; ($n)"
-tmp=0
-
-echo_i "wait for reloads..."
-wait_for_reloads() (
-  $DIG $DIGOPTS @10.53.0.6 +noall +answer soa primary >dig.out.soa1.ns6.test$n
-  grep "1397051953" dig.out.soa1.ns6.test$n >/dev/null || return 1
-  $DIG $DIGOPTS @10.53.0.1 +noall +answer soa secondary >dig.out.soa2.ns1.test$n
-  grep "1397051953" dig.out.soa2.ns1.test$n >/dev/null || return 1
-  $DIG $DIGOPTS @10.53.0.2 +noall +answer soa example >dig.out.soa3.ns2.test$n
-  grep "1397051953" dig.out.soa3.ns2.test$n >/dev/null || return 1
-  return 0
-)
-retry_quiet 20 wait_for_reloads || tmp=1
-
-echo_i "wait for transfers..."
-wait_for_transfers() (
-  a=0 b=0 c=0 d=0
-  $DIG $DIGOPTS @10.53.0.3 +noall +answer soa example >dig.out.soa1.ns3.test$n
-  grep "1397051953" dig.out.soa1.ns3.test$n >/dev/null && a=1
-  $DIG $DIGOPTS @10.53.0.3 +noall +answer soa primary >dig.out.soa2.ns3.test$n
-  grep "1397051953" dig.out.soa2.ns3.test$n >/dev/null && b=1
-  $DIG $DIGOPTS @10.53.0.6 +noall +answer soa secondary >dig.out.soa3.ns6.test$n
-  grep "1397051953" dig.out.soa3.ns6.test$n >/dev/null && c=1
-  [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0
-
-  # re-notify if necessary
-  $RNDCCMD 10.53.0.6 notify primary 2>&1 | sed 's/^/ns6 /' | cat_i
-  $RNDCCMD 10.53.0.1 notify secondary 2>&1 | sed 's/^/ns1 /' | cat_i
-  $RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i
-  return 1
-)
-retry_quiet 20 wait_for_transfers || tmp=1
-
-$DIG $DIGOPTS example. \
-  @10.53.0.3 axfr >dig.out.ns3.test$n || tmp=1
-grep "^;" dig.out.ns3.test$n | cat_i
-
-digcomp dig2.good dig.out.ns3.test$n || tmp=1
-
-# ns3 has a journal iff it received an IXFR.
-test -f ns3/example.bk || tmp=1
-test -f ns3/example.bk.jnl || tmp=1
-
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing ixfr-from-differences primary; (primary zone) ($n)"
-tmp=0
-
-$DIG $DIGOPTS primary. \
-  @10.53.0.6 axfr >dig.out.ns6.test$n || tmp=1
-grep "^;" dig.out.ns6.test$n | cat_i
-
-$DIG $DIGOPTS primary. \
-  @10.53.0.3 axfr >dig.out.ns3.test$n || tmp=1
-grep "^;" dig.out.ns3.test$n >/dev/null && cat_i <dig.out.ns3.test$n
-
-digcomp dig.out.ns6.test$n dig.out.ns3.test$n || tmp=1
-
-# ns3 has a journal iff it received an IXFR.
-test -f ns3/primary.bk || tmp=1
-test -f ns3/primary.bk.jnl || tmp=1
-
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing ixfr-from-differences primary; (secondary zone) ($n)"
-tmp=0
-
-$DIG $DIGOPTS secondary. \
-  @10.53.0.6 axfr >dig.out.ns6.test$n || tmp=1
-grep "^;" dig.out.ns6.test$n | cat_i
-
-$DIG $DIGOPTS secondary. \
-  @10.53.0.1 axfr >dig.out.ns1.test$n || tmp=1
-grep "^;" dig.out.ns1.test$n | cat_i
-
-digcomp dig.out.ns6.test$n dig.out.ns1.test$n || tmp=1
-
-# ns6 has a journal iff it received an IXFR.
-test -f ns6/sec.bk || tmp=1
-test -f ns6/sec.bk.jnl && tmp=1
-
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)"
-tmp=0
-
-# ns7 has a journal iff it generates an IXFR.
-test -f ns7/primary2.db || tmp=1
-test -f ns7/primary2.db.jnl && tmp=1
-
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "testing ixfr-from-differences secondary; (secondary zone) ($n)"
-tmp=0
-
-$DIG $DIGOPTS secondary. \
-  @10.53.0.1 axfr >dig.out.ns1.test$n || tmp=1
-grep "^;" dig.out.ns1.test$n | cat_i
-
-$DIG $DIGOPTS secondary. \
-  @10.53.0.7 axfr >dig.out.ns7.test$n || tmp=1
-grep "^;" dig.out.ns7.test$n | cat_i
-
-digcomp dig.out.ns7.test$n dig.out.ns1.test$n || tmp=1
-
-# ns7 has a journal iff it generates an IXFR.
-test -f ns7/sec.bk || tmp=1
-test -f ns7/sec.bk.jnl || tmp=1
-
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "check that a multi-message uncompressable zone transfers ($n)"
-$DIG axfr . -p ${PORT} @10.53.0.4 | grep SOA >axfr.out || tmp=1
-if test $(wc -l <axfr.out) != 2; then
-  echo_i "failed"
-  status=$((status + 1))
-fi
-
-# now we test transfers with assorted TSIG glitches
-DIGCMD="$DIG $DIGOPTS @10.53.0.4"
-
-sendcmd() {
-  send 10.53.0.5 "$EXTRAPORT1"
-}
-
-echo_i "testing that incorrectly signed transfers will fail..."
-n=$((n + 1))
-echo_i "initial correctly-signed transfer should succeed ($n)"
-
-sendcmd <ans5/goodaxfr
-
-# Initially, ns4 is not authoritative for anything.
-# Now that ans is up and running with the right data, we make ns4
-# a secondary for nil.
-
-cat <<EOF >>ns4/named.conf
-zone "nil" {
-	type secondary;
-	file "nil.db";
-	primaries { 10.53.0.5 key tsig_key; };
-};
-EOF
-
-nextpart ns4/named.run >/dev/null
-
-rndc_reload ns4 10.53.0.4
-
-wait_for_soa() (
-  $DIGCMD nil. SOA >dig.out.ns4.test$n
-  grep SOA dig.out.ns4.test$n >/dev/null
-)
-retry_quiet 10 wait_for_soa
-
-nextpart ns4/named.run | grep "Transfer status: success" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'initial AXFR' >/dev/null || {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "handle IXFR NOTIMP ($n)"
-
-sendcmd <ans5/ixfrnotimp
-
-$RNDCCMD 10.53.0.4 refresh nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "zone nil/IN: requesting IXFR from 10.53.0.5" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'IXFR NOTIMP' >/dev/null || {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "unsigned transfer ($n)"
-
-sendcmd <ans5/unsigned
-sleep 1
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'unsigned AXFR' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "bad keydata ($n)"
-
-sendcmd <ans5/badkeydata
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "Transfer status: tsig verify failure" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'bad keydata AXFR' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "partially-signed transfer ($n)"
-
-sendcmd <ans5/partial
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'partially signed AXFR' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "unknown key ($n)"
-
-sendcmd <ans5/unknownkey
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'unknown key AXFR' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "incorrect key ($n)"
-
-sendcmd <ans5/wrongkey
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "bad question section ($n)"
-
-sendcmd <ans5/wrongname
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "question name mismatch" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'wrong question AXFR' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "bad message id ($n)"
-
-sendcmd <ans5/badmessageid
-
-# Uncomment to see AXFR stream with mismatching IDs.
-# $DIG $DIGOPTS @10.53.0.5 -y "${DEFAULT_HMAC}:tsig_key:LSAnCU+Z" nil. AXFR +all
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "Transfer status: unexpected error" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'bad message id' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "mismatched SOA ($n)"
-
-sendcmd <ans5/soamismatch
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "Transfer status: FORMERR" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-$DIGCMD nil. TXT | grep 'SOA mismatch AXFR' >/dev/null && {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "handle EDNS NOTIMP ($n)"
-
-$RNDCCMD 10.53.0.4 null testing EDNS NOTIMP | sed 's/^/ns4 /' | cat_i
-
-sendcmd <ans5/ednsnotimp
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 2
-
-nextpart ns4/named.run | grep "Transfer status: NOTIMP" >/dev/null || {
-  echo_i "failed: expected status was not logged"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "handle EDNS FORMERR ($n)"
-
-$RNDCCMD 10.53.0.4 null testing EDNS FORMERR | sed 's/^/ns4 /' | cat_i
-
-sendcmd <ans5/ednsformerr
-
-$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i
-
-sleep 10
-
-$DIGCMD nil. TXT | grep 'EDNS FORMERR' >/dev/null || {
-  echo_i "failed"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "check that we ask for and got a EDNS EXPIRE response when transfering from a secondary ($n)"
-tmp=0
-msg="zone edns-expire/IN: zone transfer finished: success, expire=1814[0-4][0-9][0-9]"
-grep "$msg" ns7/named.run >/dev/null || tmp=1
-[ "$tmp" -ne 0 ] && echo_i "failed"
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "check that we ask for and get a EDNS EXPIRE response when refreshing ($n)"
-# force a refresh query
-$RNDCCMD 10.53.0.7 refresh edns-expire 2>&1 | sed 's/^/ns7 /' | cat_i
-sleep 10
-
-# there may be multiple log entries so get the last one.
-expire=$(awk '/edns-expire\/IN: got EDNS EXPIRE of/ { x=$8 } END { print x }' ns7/named.run)
-test ${expire:-0} -gt 0 -a ${expire:-0} -lt 1814400 || {
-  echo_i "failed (expire=${expire:-0})"
-  status=$((status + 1))
-}
-
-n=$((n + 1))
-echo_i "test smaller transfer TCP message size ($n)"
-$DIG $DIGOPTS example. @10.53.0.8 axfr \
-  -y "${DEFAULT_HMAC}:key1.:1234abcd8765" >dig.out.msgsize.test$n || status=1
-
-bytes=$(wc -c <dig.out.msgsize.test$n)
-if [ $bytes -ne 459357 ]; then
-  echo_i "failed axfr size check"
-  status=$((status + 1))
-fi
-
-num_messages=$(cat ns8/named.run | grep "sending TCP message of" | wc -l)
-if [ $num_messages -le 300 ]; then
-  echo_i "failed transfer message count check"
-  status=$((status + 1))
-fi
-
-n=$((n + 1))
-echo_i "test mapped zone with out of zone data ($n)"
-tmp=0
-$DIG -p ${PORT} txt mapped @10.53.0.3 >dig.out.1.test$n
-grep "status: NOERROR," dig.out.1.test$n >/dev/null || tmp=1
-stop_server ns3
-start_server --noclean --restart --port ${PORT} ns3
-check_mapped() {
-  $DIG -p ${PORT} txt mapped @10.53.0.3 >dig.out.2.test$n
-  grep "status: NOERROR," dig.out.2.test$n >/dev/null || return 1
-  $DIG -p ${PORT} axfr mapped @10.53.0.3 >dig.out.3.test$n
-  digcomp knowngood.mapped dig.out.3.test$n || return 1
-  return 0
-}
-retry_quiet 10 check_mapped || tmp=1
-[ "$tmp" -ne 0 ] && echo_i "failed"
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "test that a zone with too many records is rejected (AXFR) ($n)"
-tmp=0
-grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "test that a zone with too many records is rejected (IXFR) ($n)"
-tmp=0
-nextpart ns6/named.run >/dev/null
-$NSUPDATE <<EOF
-zone ixfr-too-big
-server 10.53.0.1 ${PORT}
-update add the-31st-record.ixfr-too-big 0 TXT this is it
-send
-EOF
-msg="'ixfr-too-big/IN' from 10.53.0.1#${PORT}: Transfer status: too many records"
-wait_for_log 10 "$msg" ns6/named.run || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "test that a zone with too many diffs (IXFR) is retried with AXFR ($n)"
-tmp=0
-nextpart ns6/named.run >/dev/null
-$NSUPDATE <<EOF
-zone ixfr-too-many-diffs
-server 10.53.0.1 ${PORT}
-update add the-31st-record.ixfr-too-many-diffs 0 TXT too
-update add the-32nd-record.ixfr-too-many-diffs 0 TXT many
-update add the-33rd-record.ixfr-too-many-diffs 0 TXT diffs
-update add the-34th-record.ixfr-too-many-diffs 0 TXT for
-update add the-35th-record.ixfr-too-many-diffs 0 TXT ixfr
-send
-EOF
-msg="'ixfr-too-many-diffs/IN' from 10.53.0.1#${PORT}: Transfer status: success"
-wait_for_log 10 "$msg" ns6/named.run || tmp=1
-msg="'ixfr-too-many-diffs/IN' from 10.53.0.1#${PORT}: too many diffs, retrying with AXFR"
-grep -F "$msg" ns6/named.run >/dev/null || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "checking whether dig calculates AXFR statistics correctly ($n)"
-tmp=0
-# Loop until the secondary server manages to transfer the "xfer-stats" zone so
-# that we can both check dig output and immediately proceed with the next test.
-# Use -b so that we can discern between incoming and outgoing transfers in ns3
-# logs later on.
-wait_for_xfer() (
-  $DIG $DIGOPTS +edns +nocookie +noexpire +stat -b 10.53.0.2 @10.53.0.3 xfer-stats. AXFR >dig.out.ns3.test$n
-  grep "; Transfer failed" dig.out.ns3.test$n >/dev/null || return 0
-  return 1
-)
-if retry_quiet 10 wait_for_xfer; then
-  get_dig_xfer_stats dig.out.ns3.test$n >stats.dig
-  diff axfr-stats.good stats.dig || tmp=1
-else
-  echo_i "timed out waiting for zone transfer"
-fi
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-# Note: in the next two tests, we use ns3 logs for checking both incoming and
-# outgoing transfer statistics as ns3 is both a secondary server (for ns1) and a
-# primary server (for dig queries from the previous test) for "xfer-stats".
-n=$((n + 1))
-echo_i "checking whether named calculates incoming AXFR statistics correctly ($n)"
-tmp=0
-get_named_xfer_stats ns3/named.run 10.53.0.1 xfer-stats "Transfer completed" >stats.incoming
-diff axfr-stats.good stats.incoming || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-n=$((n + 1))
-echo_i "checking whether named calculates outgoing AXFR statistics correctly ($n)"
-tmp=0
-check_xfer_stats() {
-  get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" >stats.outgoing
-  diff axfr-stats.good stats.outgoing >/dev/null
-}
-retry_quiet 10 check_xfer_stats || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-wait_for_message() (
-  nextpartpeek ns6/named.run >wait_for_message.$n
-  grep -F "$1" wait_for_message.$n >/dev/null
-)
-
-nextpart ns6/named.run >/dev/null
-
-n=$((n + 1))
-echo_i "test that named tries the next primary in the list when the first one fails (XoT -> Do53) ($n)"
-tmp=0
-$RNDCCMD 10.53.0.6 retransfer xot-primary-try-next 2>&1 | sed 's/^/ns6 /' | cat_i
-msg="'xot-primary-try-next/IN' from 10.53.0.1#${PORT}: Transfer status: success"
-retry_quiet 60 wait_for_message "$msg" || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-nextpart ns6/named.run >/dev/null
-
-n=$((n + 1))
-echo_i "test that named tries the next primary in the list when the first one is already marked as unreachable (XoT -> Do53) ($n)"
-tmp=0
-$RNDCCMD 10.53.0.6 retransfer xot-primary-try-next 2>&1 | sed 's/^/ns6 /' | cat_i
-msg="'xot-primary-try-next/IN' from 10.53.0.1#${PORT}: Transfer status: success"
-retry_quiet 60 wait_for_message "$msg" || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-# Restart ns1 with -T transferslowly
-stop_server ns1
-cp ns1/named2.conf ns1/named.conf
-start_server --noclean --restart --port ${PORT} ns1 -- "-D xfer-ns1 $NS_PARAMS -T transferinsecs -T transferslowly"
-sleep 1
-
-nextpart ns6/named.run >/dev/null
-
-n=$((n + 1))
-echo_i "test rndc retransfer -force ($n)"
-tmp=0
-$RNDCCMD 10.53.0.6 retransfer axfr-rndc-retransfer-force 2>&1 | sed 's/^/ns6 /' | cat_i
-# Wait for at least one message
-msg="'axfr-rndc-retransfer-force/IN' from 10.53.0.1#${PORT}: received"
-retry_quiet 5 wait_for_message "$msg" || tmp=1
-# Issue a retransfer-force command which should cancel the ongoing transfer and start a new one
-$RNDCCMD 10.53.0.6 retransfer -force axfr-rndc-retransfer-force 2>&1 | sed 's/^/ns6 /' | cat_i
-msg="'axfr-rndc-retransfer-force/IN' from 10.53.0.1#${PORT}: Transfer status: shutting down"
-retry_quiet 5 wait_for_message "$msg" || tmp=1
-# Wait for the new transfer to complete successfully
-msg="'axfr-rndc-retransfer-force/IN' from 10.53.0.1#${PORT}: Transfer status: success"
-retry_quiet 30 wait_for_message "$msg" || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-nextpart ns6/named.run >/dev/null
-
-n=$((n + 1))
-echo_i "test min-transfer-rate-in with 5 seconds timeout ($n)"
-$RNDCCMD 10.53.0.6 retransfer axfr-min-transfer-rate 2>&1 | sed 's/^/ns6 /' | cat_i
-tmp=0
-retry_quiet 10 wait_for_message "minimum transfer rate reached: timed out" || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-nextpart ns6/named.run >/dev/null
-
-n=$((n + 1))
-echo_i "test max-transfer-time-in with 1 second timeout ($n)"
-$RNDCCMD 10.53.0.6 retransfer axfr-max-transfer-time 2>&1 | sed 's/^/ns6 /' | cat_i
-tmp=0
-retry_quiet 10 wait_for_message "maximum transfer time exceeded: timed out" || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-# Restart ns1 with -T transferstuck
-stop_server ns1
-cp ns1/named3.conf ns1/named.conf
-start_server --noclean --restart --port ${PORT} ns1 -- "-D xfer-ns1 $NS_PARAMS -T transferinsecs -T transferstuck"
-sleep 1
-
-nextpart ns6/named.run >/dev/null
-
-n=$((n + 1))
-echo_i "test max-transfer-idle-in with 50 seconds timeout ($n)"
-start=$(date +%s)
-$RNDCCMD 10.53.0.6 retransfer axfr-max-idle-time 2>&1 | sed 's/^/ns6 /' | cat_i
-tmp=0
-retry_quiet 60 wait_for_message "maximum idle time exceeded: timed out" || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-if [ $tmp -eq 0 ]; then
-  now=$(date +%s)
-  diff=$((now - start))
-  # we expect a timeout in 50 seconds
-  test $diff -lt 50 && tmp=1
-  test $diff -ge 59 && tmp=1
-  if test $tmp != 0; then echo_i "unexpected diff value: ${diff}"; fi
-fi
-status=$((status + tmp))
-
-nextpart ns6/named.run >/dev/null
-
-sendcmd() (
-  dig_with_opts "@${1}" "${2}._control." TXT +time=5 +tries=1 +tcp >/dev/null 2>&1
-)
-
-# See #5307#note_558185
-n=$((n + 1))
-echo_i "test reconfiguration when zone transfer is in the middle of a SOA query (part 1) ($n)"
-tmp=0
-# Check that xfr-and-reconfig has been successfully transferred by the secondary.
-grep -F 'zone xfr-and-reconfig/IN: zone transfer finished: success' ns6/named.run 2>&1 >/dev/null || tmp=0
-# Make ans6 receive queries without responding to them.
-sendcmd 10.53.0.9 "disable.send-responses"
-sleep 1
-# Try to reload the zone from an unresponsive primary.
-$RNDCCMD 10.53.0.6 reload xfr-and-reconfig 2>&1 | sed 's/^/ns6 /' | cat_i
-sleep 1
-# Reconfigure named while zone transfer attempt is in progress.
-$RNDCCMD 10.53.0.6 reconfig 2>&1 | sed 's/^/ns6 /' | cat_i
-# Confirm that the ongoing SOA request was canceled, caused by the reconfiguratoin.
-retry_quiet 60 wait_for_message "refresh: request result: operation canceled" || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-nextpart ns6/named.run >/dev/null
-
-n=$((n + 1))
-echo_i "test reconfiguration when zone transfer is in the middle of a SOA query (part 2) ($n)"
-tmp=0
-# Make ans6 receive queries and respond to them.
-sendcmd 10.53.0.9 "enable.send-responses"
-sleep 1
-# Try to reload the zone from the primary.
-$RNDCCMD 10.53.0.6 reload xfr-and-reconfig 2>&1 | sed 's/^/ns6 /' | cat_i
-retry_quiet 60 wait_for_message "zone xfr-and-reconfig/IN: Transfer started." || tmp=1
-if test $tmp != 0; then echo_i "failed"; fi
-status=$((status + tmp))
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/xfer/tests_retransfer_with_force.py b/bin/tests/system/xfer/tests_retransfer_with_force.py
new file mode 100644
index 00000000000..2ecae569334
--- /dev/null
+++ b/bin/tests/system/xfer/tests_retransfer_with_force.py
@@ -0,0 +1,62 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import isctest
+
+
+def bootstrap():
+    isctest.log.info("Restart ns1 with -T transferslowly")
+    with open("ns1/named.args", "w", encoding="utf-8") as argsfile:
+        argsfile.write(
+            "-D xfer-ns1 -m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T transferinsecs -T transferslowly"
+        )
+    return {
+        "enable_some_zones": False,
+    }
+
+
+def test_wait_for_zone_retransfer(named_port, ns6):
+    isctest.log.info("Wait for at least one message")
+    with ns6.watch_log_from_here() as watcher:
+        ns6.rndc("retransfer axfr-rndc-retransfer-force.")
+        watcher.wait_for_line(
+            f"'axfr-rndc-retransfer-force/IN' from 10.53.0.1#{named_port}: received"
+        )
+
+
+def test_cancel_ongoing_retransfer(named_port, ns6):
+    isctest.log.info(
+        "Issue a retransfer-force command which should cancel the ongoing transfer and start a new one."
+    )
+    with ns6.watch_log_from_here(timeout=30) as watcher_transfer_success:
+        with ns6.watch_log_from_here() as watcher_transfer_shutting_down:
+            ns6.rndc("retransfer -force axfr-rndc-retransfer-force.")
+            watcher_transfer_shutting_down.wait_for_line(
+                f"'axfr-rndc-retransfer-force/IN' from 10.53.0.1#{named_port}: Transfer status: shutting down"
+            )
+        isctest.log.info("Wait for the new transfer to complete successfully")
+        watcher_transfer_success.wait_for_line(
+            f"'axfr-rndc-retransfer-force/IN' from 10.53.0.1#{named_port}: Transfer status: success"
+        )
+
+
+def test_min_transfer_rate_in(ns6):
+    isctest.log.info("Test min-transfer-rate-in with 5 seconds timeout")
+    with ns6.watch_log_from_here() as watcher:
+        ns6.rndc("retransfer axfr-min-transfer-rate.")
+        watcher.wait_for_line("minimum transfer rate reached: timed out")
+
+
+def test_max_transfer_time_in(ns6):
+    isctest.log.info("Test max-transfer-time-in with 1 second timeout")
+    with ns6.watch_log_from_here() as watcher:
+        ns6.rndc("retransfer axfr-max-transfer-time.")
+        watcher.wait_for_line("maximum transfer time exceeded: timed out")
diff --git a/bin/tests/system/xfer/tests_retransfer_with_transferstuck.py b/bin/tests/system/xfer/tests_retransfer_with_transferstuck.py
new file mode 100644
index 00000000000..ae24eab7034
--- /dev/null
+++ b/bin/tests/system/xfer/tests_retransfer_with_transferstuck.py
@@ -0,0 +1,38 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import time
+
+import isctest
+
+
+def bootstrap():
+    isctest.log.info("Restart ns1 with -T transferstuck")
+    with open("ns1/named.args", "w", encoding="utf-8") as argsfile:
+        argsfile.write(
+            "-D xfer-ns1 -m record -c named.conf -d 99 -g -T maxcachesize=2097152 -T transferinsecs -T transferstuck"
+        )
+    return {
+        "enable_some_zones": False,
+        "enable_only_axfr_max_idle_time": True,
+    }
+
+
+def test_retransfer_with_transferstuck(ns6):
+    isctest.log.info("Test max-transfer-idle-in with 50 seconds timeout")
+    start_time = time.time()
+    with ns6.watch_log_from_here(timeout=60) as watcher:
+        ns6.rndc("retransfer -force axfr-max-idle-time.")
+        watcher.wait_for_line("maximum idle time exceeded: timed out")
+    end_time = time.time()
+    assert (
+        50 <= (end_time - start_time) < 59
+    ), "max-transfer-idle-in did not wait for the expected time"
diff --git a/bin/tests/system/xfer/tests_sh_xfer.py b/bin/tests/system/xfer/tests_sh_xfer.py
deleted file mode 100644
index d94f90b9811..00000000000
--- a/bin/tests/system/xfer/tests_sh_xfer.py
+++ /dev/null
@@ -1,66 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-import pytest
-
-pytestmark = pytest.mark.extra_artifacts(
-    [
-        "axfr.out",
-        "dig.out.*",
-        "stats.*",
-        "wait_for_message.*",
-        "ans*/ans.run",
-        "ns1/dot-fallback.db",
-        "ns1/edns-expire.db",
-        "ns1/ixfr-too-big.db",
-        "ns1/ixfr-too-big.db.jnl",
-        "ns1/ixfr-too-many-diffs.db.jnl",
-        "ns1/sec.db",
-        "ns2/dot-fallback.db",
-        "ns2/example.db",
-        "ns2/example.db.jnl",
-        "ns2/mapped.db",
-        "ns2/sec.db",
-        "ns2/tsigzone.db",
-        "ns3/example.bk",
-        "ns3/example.bk.jnl",
-        "ns3/mapped.bk",
-        "ns3/primary.bk",
-        "ns3/primary.bk.jnl",
-        "ns3/tsigzone.bk",
-        "ns3/xfer-stats.bk",
-        "ns4/nil.db",
-        "ns4/root.db",
-        "ns6/axfr-max-idle-time.bk",
-        "ns6/axfr-max-transfer-time.bk",
-        "ns6/axfr-min-transfer-rate.bk",
-        "ns6/axfr-rndc-retransfer-force.bk",
-        "ns6/edns-expire.bk",
-        "ns6/ixfr-too-big.bk",
-        "ns6/ixfr-too-big.bk.jnl",
-        "ns6/ixfr-too-many-diffs.bk",
-        "ns6/primary.db",
-        "ns6/primary.db.jnl",
-        "ns6/sec.bk",
-        "ns6/xot-primary-try-next.bk",
-        "ns6/xfr-and-reconfig.bk",
-        "ns7/edns-expire.bk",
-        "ns7/primary2.db",
-        "ns7/sec.bk",
-        "ns7/sec.bk.jnl",
-        "ns8/large.db",
-        "ns8/small.db",
-    ]
-)
-
-
-def test_xfer(run_tests_sh):
-    run_tests_sh()
diff --git a/bin/tests/system/xfer/tests_xfer.py b/bin/tests/system/xfer/tests_xfer.py
new file mode 100644
index 00000000000..d8ae3ec8f86
--- /dev/null
+++ b/bin/tests/system/xfer/tests_xfer.py
@@ -0,0 +1,556 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+import fileinput
+import os
+from re import compile as Re
+import socket
+import time
+
+import pytest
+
+import isctest
+from isctest.util import param
+
+import dns.message
+
+NEW_SOA_SERIAL = 1397051953
+OLD_SOA_SERIAL = 1397051952
+
+
+def sendcmd(cmdfile):
+    host = "10.53.0.5"
+    port = int(isctest.vars.ALL["EXTRAPORT1"])
+    cmdfile = f"ans5/{cmdfile}"
+    assert os.path.exists(cmdfile)
+
+    sock = socket.create_connection((host, port))
+    with open(cmdfile, "r", encoding="utf-8") as f:
+        for line in f:
+            sock.sendall(line.encode())
+    sock.close()
+
+
+@pytest.fixture(scope="module", autouse=True)
+def after_servers_start(templates, ns4):
+    # initial correctly-signed transfer should succeed
+    sendcmd("goodaxfr")
+
+    with ns4.watch_log_from_here() as watcher:
+        templates.render("ns4/named.conf", {"ns4_as_secondary_for_nil": True})
+        ns4.reconfigure()
+        watcher.wait_for_line("Transfer status: success")
+
+    with ns4.watch_log_from_here() as watcher_retransfer_nil_success:
+        ns4.rndc("retransfer nil.")
+        watcher_retransfer_nil_success.wait_for_line("Transfer status: success")
+
+
+def get_response(msg, server_ip, allow_empty_answer=False):
+    res = isctest.query.tcp(msg, server_ip)
+    isctest.check.noerror(res)
+    if not allow_empty_answer:
+        assert len(res.answer) > 0
+    return res
+
+
+def check_rdata_in_txt_record(rdata, should_exist=True):
+    def check_data():
+        qname = "nil."
+        msg = dns.message.make_query(qname, "TXT")
+        res = get_response(msg, "10.53.0.4")
+        rrset = res.get_rrset(
+            dns.message.ANSWER, qname, dns.rdataclass.IN, dns.rdatatype.TXT
+        )
+        found = rdata in rrset.to_text()
+        if found == should_exist:
+            return True
+        status = "not found" if should_exist else "found"
+        assert False, f"TXT rdata '{rdata}' {status} in the response\n{res}"
+
+    isctest.run.retry_with_timeout(check_data, timeout=10)
+
+
+def nsupdate(config):
+    isctest.run.cmd(isctest.vars.ALL["NSUPDATE"], input_text=config.encode("utf-8"))
+
+
+def validate_axfr_from_query_and_file(msg, server_ip, filename):
+    res = get_response(msg, server_ip)
+    with open(filename, "r", encoding="utf-8") as file:
+        expected = dns.message.from_file(file)
+        isctest.check.rrsets_equal(expected.answer, res.answer)
+
+
+def test_zone_transfer_fallback_to_dns_after_dot_failed():
+    msg = dns.message.make_query("dot-fallback.", "AXFR")
+    validate_axfr_from_query_and_file(msg, "10.53.0.2", "response3.good")
+
+
+def test_tsig_signed_zone_transfer():
+    key = dns.tsig.Key(
+        name="tsigzone.",
+        secret="1234abcd8765",
+        algorithm=isctest.vars.ALL["DEFAULT_HMAC"],
+    )
+    msg = dns.message.make_query("tsigzone.", "AXFR")
+    msg.use_tsig(keyring=key)
+    res2 = get_response(msg, "10.53.0.2")
+    res3 = get_response(msg, "10.53.0.3")
+    isctest.check.rrsets_equal(res2.answer, res3.answer)
+
+
+def test_zone_is_dumped_after_transfer(ns1, ns2, ns3, ns6, ns7):
+    def check_soa_serial_with_retry(checked_zones, recovery_function):
+        def get_soa_serial(qname, server_ip, serial):
+            msg = dns.message.make_query(qname, "SOA")
+            res = get_response(msg, server_ip)
+            rrset = res.get_rrset(
+                dns.message.ANSWER, qname, dns.rdataclass.IN, dns.rdatatype.SOA
+            )
+            return rrset[0].serial == serial
+
+        def find_serial_in_responses():
+            serial_found_in_responses = 0
+            for server, zone in checked_zones:
+                if get_soa_serial(zone, server, NEW_SOA_SERIAL):
+                    serial_found_in_responses += 1
+            if serial_found_in_responses == len(checked_zones):
+                return True
+            recovery_function()
+            return False
+
+        isctest.run.retry_with_timeout(
+            find_serial_in_responses,
+            timeout=20,
+            msg=f"SOA serial {NEW_SOA_SERIAL} not found in responses",
+        )
+
+    def validate_axfr_from_query_and_query(msg, server_ip1, server_ip2):
+        res1 = get_response(msg, server_ip1)
+        res2 = get_response(msg, server_ip2)
+        isctest.check.rrsets_equal(res1.answer, res2.answer)
+
+    def rndc_reload(*servers):
+        for server in servers:
+            server.reload()
+
+    isctest.log.info("reload servers for preparation of ixfr-from-differences tests")
+    rndc_reload(ns1, ns2, ns3, ns6, ns7)
+
+    isctest.log.info("basic zone transfer")
+    msg = dns.message.make_query("example.", "AXFR")
+    validate_axfr_from_query_and_file(msg, "10.53.0.2", "response1.good")
+    validate_axfr_from_query_and_file(msg, "10.53.0.3", "response1.good")
+
+    isctest.log.info("update primary zones for ixfr-from-differences tests")
+    for zone_file in [
+        "ns1/sec.db",
+        "ns2/example.db",
+        "ns6/primary.db",
+        "ns7/primary2.db",
+    ]:
+        with fileinput.FileInput(zone_file, inplace=True) as file:
+            for line in file:
+                print(
+                    line.replace(" 0.0.0.0", " 0.0.0.1").replace(
+                        str(OLD_SOA_SERIAL), str(NEW_SOA_SERIAL)
+                    ),
+                    end="",
+                )
+    rndc_reload(ns1, ns2, ns6, ns7)
+
+    qname = "secondary."
+    msg = dns.message.make_query(qname, "SOA")
+    res = get_response(msg, "10.53.0.2")
+    rrset = res.get_rrset(
+        dns.message.ANSWER, qname, dns.rdataclass.IN, dns.rdatatype.SOA
+    )
+    assert (
+        rrset[0].serial == OLD_SOA_SERIAL
+    ), f"SOA serial {OLD_SOA_SERIAL} not found in the response"
+
+    sec_db = isctest.text.TextFile("ns2/sec.db")
+    assert (
+        f"{OLD_SOA_SERIAL} ; serial" in sec_db
+    ), f"{OLD_SOA_SERIAL} not found in ns2/sec.db"
+
+    isctest.log.info("wait for reloads")
+    reloaded_zones = (
+        ("10.53.0.6", "primary."),
+        ("10.53.0.1", "secondary."),
+        ("10.53.0.2", "example."),
+    )
+    check_soa_serial_with_retry(reloaded_zones, lambda: time.sleep(1))
+
+    def notify_some_servers():
+        ns6.rndc("notify primary.")
+        ns1.rndc("notify secondary.")
+        ns2.rndc("notify example.")
+        time.sleep(2)
+
+    isctest.log.info("wait for transfers")
+    transfered_zones = (
+        ("10.53.0.3", "example."),
+        ("10.53.0.3", "primary."),
+        ("10.53.0.6", "secondary."),
+    )
+    check_soa_serial_with_retry(transfered_zones, notify_some_servers)
+
+    msg = dns.message.make_query("example.", "AXFR")
+    validate_axfr_from_query_and_file(msg, "10.53.0.3", "response2.good")
+
+    isctest.log.info("ns3 has a journal iff it received an IXFR.")
+    assert os.path.exists("ns3/example.bk")
+    assert os.path.exists("ns3/example.bk.jnl")
+
+    isctest.log.info("testing ixfr-from-differences primary; (primary zone)")
+    msg = dns.message.make_query("primary.", "AXFR")
+    validate_axfr_from_query_and_query(msg, "10.53.0.6", "10.53.0.3")
+
+    isctest.log.info("ns3 has a journal iff it received an IXFR.")
+    assert os.path.exists("ns3/primary.bk")
+    assert os.path.exists("ns3/primary.bk.jnl")
+
+    isctest.log.info("testing ixfr-from-differences primary; (secondary zone)")
+    msg = dns.message.make_query("secondary.", "AXFR")
+    validate_axfr_from_query_and_query(msg, "10.53.0.6", "10.53.0.1")
+
+    isctest.log.info("ns6 has a journal iff it received an IXFR.")
+    assert os.path.exists("ns6/sec.bk")
+    assert not os.path.exists("ns6/sec.bk.jnl")
+
+    isctest.log.info("testing ixfr-from-differences secondary; (primary zone)")
+
+    isctest.log.info("ns7 has a journal iff it generates an IXFR.")
+    assert os.path.exists("ns7/primary2.db")
+    assert not os.path.exists("ns7/primary2.db.jnl")
+
+    isctest.log.info("testing ixfr-from-differences secondary; (secondary zone)")
+    msg = dns.message.make_query("secondary.", "AXFR")
+    validate_axfr_from_query_and_query(msg, "10.53.0.1", "10.53.0.7")
+
+    isctest.log.info("ns7 has a journal iff it generates an IXFR.")
+    assert os.path.exists("ns7/sec.bk")
+    assert os.path.exists("ns7/sec.bk.jnl")
+
+
+# check that a multi-message uncompressable zone transfers
+def test_multi_message_uncompressable_zone_transfers(named_port):
+    zone = dns.zone.Zone(".")
+    isctest.log.info("Initiate a zone transfer from the server")
+    dns.query.inbound_xfr("10.53.0.4", zone, port=named_port, timeout=10, lifetime=10)
+
+    for name, node in zone.nodes.items():
+        label = name.to_text()
+        fqdn = name.derelativize(zone.origin).to_text()
+
+        for rdataset in node.rdatasets:
+            rtype = dns.rdatatype.to_text(rdataset.rdtype)
+            for rdata in rdataset:
+                if rtype == "A":
+                    # The A records name is either "." or in the format "xN",
+                    # where N is a number between 0 and 9999
+                    assert fqdn == "." or (
+                        label.startswith("x")
+                        and label[1:].isdigit()
+                        and 0 <= int(label[1:]) < 10000
+                    )
+                elif rtype in ("SOA", "NS"):
+                    assert fqdn == "."
+                else:
+                    assert (
+                        False
+                    ), f"Unexpected RRset: {fqdn} {rdataset.ttl} IN {rtype} {rdata}"
+
+
+# Initially, ns4 is not authoritative for anything.
+# Now that ans is up and running with the right data, we make ns4
+# a secondary for nil.
+def test_make_ns4_secondary_for_nil():
+    # now we test transfers with assorted TSIG glitches.
+    # testing that incorrectly signed transfers will fail.
+
+    def wait_for_soa():
+        def _wait_for_soa():
+            qname = "nil."
+            msg = dns.message.make_query(qname, "SOA")
+            res = isctest.query.tcp(msg, "10.53.0.4")
+            rrset = res.get_rrset(
+                dns.message.ANSWER, qname, dns.rdataclass.IN, dns.rdatatype.SOA
+            )
+            return True if rrset else time.sleep(1)
+
+        isctest.run.retry_with_timeout(_wait_for_soa, timeout=10)
+        return True
+
+    sendcmd("goodaxfr")
+    assert wait_for_soa(), "SOA not found in the response"
+    check_rdata_in_txt_record("initial AXFR")
+
+
+def test_handle_ixfr_notimp(ns4):
+    sendcmd("ixfrnotimp")
+    with ns4.watch_log_from_here() as watcher_transfer_success:
+        with ns4.watch_log_from_here() as watcher_requesting_ixfr:
+            ns4.rndc("refresh nil.")
+            watcher_requesting_ixfr.wait_for_line(
+                "zone nil/IN: requesting IXFR from 10.53.0.5"
+            )
+        watcher_transfer_success.wait_for_line("Transfer status: success")
+
+    check_rdata_in_txt_record("IXFR NOTIMP")
+
+
+@pytest.mark.parametrize(
+    "command_file,expected_rdata,named_log_line",
+    [
+        param(
+            "unsigned",
+            "unsigned AXFR",
+            "Transfer status: expected a TSIG or SIG(0)",
+        ),
+        param(
+            "badkeydata",
+            "bad keydata AXFR",
+            "Transfer status: tsig verify failure",
+        ),
+        param(
+            "partial",
+            "partially signed AXFR",
+            "Transfer status: expected a TSIG or SIG(0)",
+        ),
+        param(
+            "unknownkey",
+            "unknown key AXFR",
+            "tsig key 'tsig_key': key name and algorithm do not match",
+        ),
+        param(
+            "wrongkey",
+            "incorrect key AXFR",
+            "tsig key 'tsig_key': key name and algorithm do not match",
+        ),
+        param(
+            "wrongname",
+            "wrong question AXFR",
+            "question name mismatch",
+        ),
+        param(
+            "badmessageid",
+            "bad message id",
+            "Transfer status: unexpected error",
+        ),
+        param(
+            "soamismatch",
+            "SOA mismatch AXFR",
+            "Transfer status: FORMERR",
+        ),
+    ],
+)
+def test_under_signed_transfer(command_file, expected_rdata, named_log_line, ns4):
+    sendcmd(command_file)
+    with ns4.watch_log_from_here() as watcher:
+        ns4.rndc("retransfer nil.")
+        watcher.wait_for_line(named_log_line)
+    check_rdata_in_txt_record(expected_rdata, should_exist=False)
+
+
+def test_handle_edns_notimp(ns4):
+    sendcmd("ednsnotimp")
+    with ns4.watch_log_from_here() as watcher:
+        ns4.rndc("retransfer nil.")
+        watcher.wait_for_line("Transfer status: NOTIMP")
+
+
+def test_handle_edns_formerr(ns4):
+    sendcmd("ednsformerr")
+    with ns4.watch_log_from_here() as watcher:
+        ns4.rndc("retransfer nil.")
+        watcher.wait_for_line("Transfer status: success")
+    check_rdata_in_txt_record("EDNS FORMERR")
+
+
+# check that we asked for and received a EDNS EXPIRE response when transfering from a secondary
+def test_edns_expire_from_secondary(ns7):
+    pattern = Re(
+        "zone edns-expire/IN: zone transfer finished: success, expire=1814[0-4][0-9][0-9]"
+    )
+    with ns7.watch_log_from_start() as watcher:
+        watcher.wait_for_line(pattern)
+
+
+# check that we ask for and get a EDNS EXPIRE response when refreshing
+def test_edns_expire_refresh(ns7):
+    time.sleep(1)
+    with ns7.watch_log_from_here() as watcher:
+        ns7.rndc("refresh edns-expire.")
+        isctest.log.info("make sure the EDNS EXPIRE of 1814400 decreases a slightly")
+        pattern = Re("zone edns-expire/IN: got EDNS EXPIRE of 1814[0-3][0-9][0-9]")
+        watcher.wait_for_line(pattern)
+
+
+# test small transfer TCP message size (transfer-message-size 1024;)
+def test_tcp_message_compression_makes_difference(named_port, ns8):
+    key = dns.tsig.Key(
+        name="key1.",
+        secret="1234abcd8765",
+        algorithm=isctest.vars.ALL["DEFAULT_HMAC"],
+    )
+    msg = dns.message.make_query("example.", "AXFR")
+    msg.use_tsig(keyring=key)
+    zone = dns.zone.Zone("example.")
+    dns.query.inbound_xfr(
+        "10.53.0.8", zone, query=msg, port=named_port, timeout=10, lifetime=10
+    )
+
+    xfr_size = 0
+    for name, node in zone.nodes.items():
+        fqdn = name.derelativize(zone.origin).to_text()
+        for rdataset in node.rdatasets:
+            xfr_size += len(f"{fqdn} {rdataset}")
+    assert xfr_size >= 452172, f"XFR size {xfr_size} seems too small"
+
+    assert len(ns8.log.grep("sending TCP message of")) > 300
+
+
+# test mapped. zone with out zone data
+def test_mapped_zone(named_port, ns3):
+    msg_txt = dns.message.make_query("mapped.", "TXT")
+    get_response(msg_txt, "10.53.0.3", allow_empty_answer=True)
+
+    ns3.stop()
+    ns3.start(["--noclean", "--restart", "--port", str(named_port)])
+
+    get_response(msg_txt, "10.53.0.3", allow_empty_answer=True)
+
+    msg_axfr = dns.message.make_query("mapped.", "AXFR")
+    validate_axfr_from_query_and_file(msg_axfr, "10.53.0.3", "knowngood.mapped")
+
+
+# test that a zone with too many records is rejected (AXFR)
+def test_axfr_too_many_records(ns6):
+    with ns6.watch_log_from_start() as watcher:
+        watcher.wait_for_line(Re("'axfr-too-big/IN'.*: too many records"))
+
+
+# test that a zone with too many records is rejected (IXFR)
+def test_ixfr_too_many_records(named_port, ns6):
+    with ns6.watch_log_from_here(timeout=20) as watcher:
+        nsupdate_config = f"""
+        zone ixfr-too-big
+        server 10.53.0.1 {named_port}
+        update add the-31st-record.ixfr-too-big 0 TXT this is it
+        send
+        """
+        nsupdate(nsupdate_config)
+        watcher.wait_for_line("Transfer status: too many records")
+
+
+# test that a zone with too many diffs (IXFR) is retried with AXFR
+def test_ixfr_too_many_diffs(named_port, ns6):
+    nsupdate_config = f"""
+    zone ixfr-too-many-diffs
+    server 10.53.0.1 {named_port}
+    update add the-31st-record.ixfr-too-many-diffs 0 TXT too
+    update add the-32nd-record.ixfr-too-many-diffs 0 TXT many
+    update add the-33rd-record.ixfr-too-many-diffs 0 TXT diffs
+    update add the-34th-record.ixfr-too-many-diffs 0 TXT for
+    update add the-35th-record.ixfr-too-many-diffs 0 TXT ixfr
+    send
+    """
+    log_sequence = ["too many diffs, retrying with AXFR", "Transfer status: success"]
+    with ns6.watch_log_from_here() as watcher_transfer_status:
+        nsupdate(nsupdate_config)
+        watcher_transfer_status.wait_for_sequence(log_sequence)
+
+
+# checking whether dig calculates AXFR statistics correctly
+def test_dig_and_named_axfr_stats(named_port, ns3):
+    # Use ns3 logs for checking incoming transfer statistics as ns3 is a
+    # secondary server (for ns1) for "xfer-stats".
+    with ns3.watch_log_from_start() as watcher_transfer_completed:
+        pattern_transfer_completed = (
+            "Transfer completed: 16 messages, 10003 records, 218403 bytes"
+        )
+        watcher_transfer_completed.wait_for_line(pattern_transfer_completed)
+
+    # Loop until the secondary server manages to transfer the "xfer-stats" zone so
+    # that we can both check dig output and immediately proceed with the next test.
+    # Use -b so that we can discern between incoming and outgoing transfers in ns3
+    # logs later on.
+    dig_source_port = os.getenv("EXTRAPORT1")
+    dig = isctest.run.isctest.run.EnvCmd("DIG", f"-p {str(named_port)}")
+    output = dig(
+        f"+tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +edns +nocookie +noexpire +stat -b 10.53.0.2#{dig_source_port} @10.53.0.3 xfer-stats. AXFR"
+    ).out
+
+    assert "; Transfer failed" not in output
+    assert ";; XFR size: 10003 records (messages 16, bytes 218403)" in output
+
+    # Use ns3 logs for checking outgoing transfer statistics as ns3 is a
+    # primary server (for dig queries from the previous test) for "xfer-stats".
+    isctest.log.info(
+        "checking whether named calculates outgoing AXFR statistics correctly"
+    )
+    with ns3.watch_log_from_start() as watcher_axfr_ended:
+        pattern_axfr_ended = f"10.53.0.2#{dig_source_port} (xfer-stats): transfer of 'xfer-stats/IN': AXFR ended: 16 messages, 10003 records, 218403 bytes"
+        watcher_axfr_ended.wait_for_line(pattern_axfr_ended)
+
+
+# First, test that named tries the next primary in the list when the first one
+# fails (XoT -> Do53). Then, test that named tries the next primary in the list
+# when the first one is already marked as unreachable (XoT -> Do53).
+def test_xot_primary_try_next(ns6):
+    def retransfer_and_check_log():
+        with ns6.watch_log_from_here(timeout=60) as watcher:
+            ns6.rndc("retransfer xot-primary-try-next.")
+            watcher.wait_for_line("Transfer status: success")
+
+    retransfer_and_check_log()
+    retransfer_and_check_log()
+
+
+# See #5307#note_558185
+def test_reconfiguration_when_zone_transfer_is_in_the_middle_of_soa_query(ns6):
+    isctest.log.info(
+        "Check that xfr-and-reconfig has been successfully transferred by the secondary"
+    )
+    with ns6.watch_log_from_start() as watcher_transfer_completed:
+        watcher_transfer_completed.wait_for_line(
+            "zone xfr-and-reconfig/IN: zone transfer finished: success"
+        )
+
+    isctest.log.info("Make ans6 receive queries without responding to them")
+    msg = dns.message.make_query("disable.send-responses._control.", "TXT")
+    get_response(msg, "10.53.0.9")
+
+    isctest.log.info("Try to reload the zone from an unresponsive primary")
+    ns6.rndc("reload xfr-and-reconfig")
+
+    isctest.log.info("Reconfigure named while zone transfer attempt is in progress")
+    ns6.reconfigure()
+
+    isctest.log.info(
+        "Confirm that the ongoing SOA request was canceled, caused by the reconfiguration"
+    )
+    with ns6.watch_log_from_start() as watcher_transfer_cancelled:
+        watcher_transfer_cancelled.wait_for_line(
+            "refresh: request result: operation canceled"
+        )
+
+    isctest.log.info("Make ans6 receive queries and respond to them")
+    msg = dns.message.make_query("enable.send-responses._control.", "TXT")
+    with ns6.watch_log_from_here() as watcher_transfer_started:
+        get_response(msg, "10.53.0.9")
+        isctest.log.info("Try to reload the zone from the primary")
+        ns6.rndc("reload xfr-and-reconfig")
+        watcher_transfer_started.wait_for_line("Transfer started")