From: Mark Andrews Date: Wed, 1 Oct 2025 04:49:33 +0000 (+1000) Subject: Check notify with bad notify source address and tsig X-Git-Tag: v9.21.19~19^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f99d7f421767bf709859f72368e5c0ac6bce2e6a;p=thirdparty%2Fbind9.git Check notify with bad notify source address and tsig named was asserting when the notify source address was not available and TSIG was being used. Check this scenario by adding a nameserver to the zone which is configured to uses a non-existent source address and a blackholed destination address and a TSIG using a server clause for that destination address.
---
diff --git a/bin/tests/system/notify/ns2/named.conf.j2 b/bin/tests/system/notify/ns2/named.conf.j2
index 6ef327398d9..3fe8caa3907 100644
--- a/bin/tests/system/notify/ns2/named.conf.j2
+++ b/bin/tests/system/notify/ns2/named.conf.j2
@@ -97,3 +97,19 @@ zone x18 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
 zone x19 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
 zone x20 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
 zone x21 { type primary; file "x21.db"; allow-update { any; }; also-notify { x21; }; };
+
+key 10.53.0.53 {
+ algorithm hmac-sha256;
+ secret "aaaabbbbccccddddeeeeffffgggghhhhiiii";
+};
+
+server 10.53.0.53 {
+ notify-source 198.51.100.0; // non existant / not configured
+ keys 10.53.0.53;
+};
+
+zone "change-ns" {
+ type primary;
+ file "change-ns.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/notify/setup.sh b/bin/tests/system/notify/setup.sh
index 5948652d130..4c8c104be16 100644
--- a/bin/tests/system/notify/setup.sh
+++ b/bin/tests/system/notify/setup.sh
@@ -15,3 +15,4 @@ cp -f ns2/example1.db ns2/example.db cp -f ns2/generic.db ns2/x21.db +cp -f ns2/generic.db ns2/change-ns.db
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index 3beb52ae9af..668573bdce4 100644
--- a/bin/tests/system/notify/tests.sh
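Review bot: The `server 10.53.0.53` block in ns2/named.conf.j2 carries the whole regression scenario, but its only comment is `// non existant / not configured`, which is misspelled and does not say why the address can never be bound. I would replace it with `// TEST-NET-2 (RFC 5737): never configured on any interface, so the notify source is unavailable` and add a one-line comment above the `key` clause tying the key, the server clause and the `change-ns` zone to the TSIG-plus-unavailable-source assertion named in the commit message. The key is named after the server address, which reads like a slip at first glance; a short comment saying that is deliberate would save the next reader a check. The commit message also mentions a blackholed destination, which is not set in this hunk, so presumably it lives elsewhere in the template; a pointer to it in the comment would help.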
+++ b/bin/tests/system/notify/tests.sh
@@ -237,5 +237,18 @@ nextpartreset ns3/named.run wait_for_log 30 'retries exceeded' ns3/named.run || ret=1 test_end +test_start "checking notify with bad notify source address and tsig" +$NSUPDATE <dig.out.test$n || ret=1 +grep "ns2.change-ns." dig.out.test$n >/dev/null || ret=1 +test_end + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/notify/tests_sh_notify.py b/bin/tests/system/notify/tests_sh_notify.py
index 74c626b76b9..f4a425533bb 100644
--- a/bin/tests/system/notify/tests_sh_notify.py
+++ b/bin/tests/system/notify/tests_sh_notify.py
@@ -15,6 +15,8 @@ pytestmark = pytest.mark.extra_artifacts(
 [
 "awk.out.*",
 "dig.out.*",
+ "ns2/change-ns.db",
+ "ns2/change-ns.db.jnl",
 "ns2/example.db",
 "ns2/named-tls.conf",
 "ns2/x21.db*",
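Review bot: The only pass condition visible in the new tests.sh test is the `dig`/`grep` pair, which shows ns2 still answers for `change-ns` but not that a notify toward 10.53.0.53 was ever attempted, so the test could pass without reaching the code that used to assert. Part of this hunk (the nsupdate input and the dig command line) is missing from this page, so a wait may already be present; if it is not, I would add a `wait_for_log` on ns2/named.run for the notify attempt before the query is sent. The grep pattern also leaves its dots unescaped, and `grep -F "ns2.change-ns." dig.out.test$n >/dev/null || ret=1` would match the name literally.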