From a6ca8407ee17d8a93bcd4891e1d28fa20ca5af11 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 1 Oct 2025 14:49:33 +1000
Subject: [PATCH] Check notify with bad notify source address and tsig

named was asserting when the notify source address was not available and TSIG was being used. Check this scenario by adding a nameserver to the zone which is configured to uses a non-existent source address and a blackholed destination address and a TSIG using a server clause for that destination address.

(cherry picked from commit f99d7f421767bf709859f72368e5c0ac6bce2e6a)
---
 bin/tests/system/notify/ns2/named.conf.j2 | 16 ++++++++++++++++
 bin/tests/system/notify/setup.sh | 1 +
 bin/tests/system/notify/tests.sh | 13 +++++++++++++
 bin/tests/system/notify/tests_sh_notify.py | 2 ++
 4 files changed, 32 insertions(+)

diff --git a/bin/tests/system/notify/ns2/named.conf.j2 b/bin/tests/system/notify/ns2/named.conf.j2
index 9d20617b75b..24f0e69f5c4 100644
--- a/bin/tests/system/notify/ns2/named.conf.j2
+++ b/bin/tests/system/notify/ns2/named.conf.j2
@@ -97,3 +97,19 @@ zone x18 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
 zone x19 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
 zone x20 { type primary; file "generic.db"; also-notify { 10.53.0.3; }; };
 zone x21 { type primary; file "x21.db"; allow-update { any; }; also-notify { x21; }; };
+
+key 10.53.0.53 {
+ algorithm hmac-sha256;
+ secret "aaaabbbbccccddddeeeeffffgggghhhhiiii";
+};
+
+server 10.53.0.53 {
+ notify-source 198.51.100.0; // non existant / not configured
+ keys 10.53.0.53;
+};
+
+zone "change-ns" {
+ type primary;
+ file "change-ns.db";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/notify/setup.sh b/bin/tests/system/notify/setup.sh
index 5948652d130..4c8c104be16 100644
--- a/bin/tests/system/notify/setup.sh
+++ b/bin/tests/system/notify/setup.sh
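Review bot: In the ns2/named.conf.j2 hunk the new `server 10.53.0.53` clause carries the whole scenario, yet its only comment is misspelled and does not say why the source address can never be bound. I would write `notify-source 198.51.100.0; // non-existent: TEST-NET-2 (RFC 5737), never configured on the test host`. The commit message also depends on 10.53.0.53 being a blackholed destination, and nothing in this hunk sets that up, so presumably it comes from configuration outside the hunk. A one-line comment above the `server` block naming where that happens would keep the test meaningful if that part is edited later. The `key` secret is a fixed fixture value, which is fine for a system test, but a `// test-only TSIG key` comment on the `key` block would mark it as such for anyone copying the stanza.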
@@ -15,3 +15,4 @@ cp -f ns2/example1.db ns2/example.db cp -f ns2/generic.db ns2/x21.db +cp -f ns2/generic.db ns2/change-ns.db diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh index 1f16ba8d7fd..8201b151369 100644 --- a/bin/tests/system/notify/tests.sh +++ b/bin/tests/system/notify/tests.sh @@ -240,5 +240,18 @@ nextpartreset ns3/named.run wait_for_log 30 'retries exceeded' ns3/named.run || ret=1 test_end +test_start "checking notify with bad notify source address and tsig" +$NSUPDATE <dig.out.test$n || ret=1 +grep "ns2.change-ns." dig.out.test$n >/dev/null || ret=1 +test_end + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/notify/tests_sh_notify.py b/bin/tests/system/notify/tests_sh_notify.py index 74c626b76b9..f4a425533bb 100644 --- a/bin/tests/system/notify/tests_sh_notify.py +++ b/bin/tests/system/notify/tests_sh_notify.py @@ -15,6 +15,8 @@ pytestmark = pytest.mark.extra_artifacts( [ "awk.out.*", "dig.out.*", + "ns2/change-ns.db", + "ns2/change-ns.db.jnl", "ns2/example.db", "ns2/named-tls.conf", "ns2/x21.db*", -- 2.47.3
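Review bot: The readable part of the tests.sh hunk passes or fails on a single query whose answer must contain `ns2.change-ns.`, which shows the update was applied but not that named survived the notify attempt that used to assert. Notifies are queued and go out after the update has returned, so the answer can arrive before the previously failing path runs; part of this hunk is lost in the rendering, so a wait may already be there. If it is not, I would wait on ns2's log before querying, in the style of the preceding test, e.g. `wait_for_log 30 '<notify-failure log text>' ns2/named.run || ret=1` (the message is a placeholder to be taken from named's actual output), and finish with a second query to show the server still answers. The dots in `grep "ns2.change-ns."` are regex wildcards; `grep -F "ns2.change-ns." dig.out.test$n >/dev/null || ret=1` matches the name literally.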