From 33eee6572a3b7ff8f41c25d29b42a9c8399cdfc6 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 16 Apr 2020 16:59:33 +1000 Subject: [PATCH 1/3] Reject AXFR streams where the message id is not consistent. --- CHANGES | 6 +++++- lib/dns/xfrin.c | 8 +------- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 44f01ad9b0..6d6435e2bd 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,9 @@ -5386. [cleanup] Address Coverity warnings in keymgr.c [GL #1737] +5388. [func] Reject AXFR streams where the message id is not + consistent. [GL #1674] +5387. [placeholder] + +5386. [cleanup] Address Coverity warnings in keymgr.c [GL #1737] 5385. [func] Make ISC rwlock implementation the default again. [GL #1753] diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index c5a6d2d351..657ee4a5d4 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -111,7 +111,6 @@ struct dns_xfrin_ctx { dns_name_t name; /*%< Name of zone to transfer */ dns_rdataclass_t rdclass; - bool checkid; dns_messageid_t id; /*% @@ -551,9 +550,6 @@ redo: xfr->ixfr.request_serial, xfr->end_serial); FAIL(DNS_R_UPTODATE); } - if (xfr->reqtype == dns_rdatatype_axfr) { - xfr->checkid = false; - } xfr->state = XFRST_FIRSTDATA; break; @@ -835,7 +831,6 @@ xfrin_create(isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db, isc_task_t *task, dns_name_init(&xfr->name, NULL); xfr->rdclass = rdclass; - xfr->checkid = true; xfr->id = (dns_messageid_t)isc_random16(); xfr->reqtype = reqtype; xfr->dscp = dscp; @@ -1145,7 +1140,6 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) { &xfr->ixfr.request_serial)); } - xfr->checkid = true; xfr->id++; xfr->nmsg = 0; xfr->nrecs = 0; @@ -1289,7 +1283,7 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) { if (result != ISC_R_SUCCESS || msg->rcode != dns_rcode_noerror || msg->opcode != dns_opcode_query || msg->rdclass != xfr->rdclass || - (xfr->checkid && msg->id != xfr->id)) + msg->id != xfr->id) { if (result == ISC_R_SUCCESS && msg->rcode != dns_rcode_noerror) { 
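Review bot: The now-unconditional `msg->id != xfr->id` test in xfrin_recv_done has no comment saying that it applies to every message of the stream, which is the point of removing `checkid`. I would add above the condition: `/* Every message of the transfer must echo the id of our request; this is a consistency check only, TSIG is what authenticates the stream. */`. Primaries that change the id after the first AXFR message will now have their transfers refused, so the CHANGES entry could also state that the earlier AXFR leniency is gone. The function starts before and continues past this hunk, so how the mismatch is reported is not visible here.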
From ac45bde2fa44aae6e2196f8db1c369c3983bb934 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 26 Mar 2020 13:32:14 +1100 Subject: [PATCH 2/3] Convert to using retry_quiet and nextpart --- bin/tests/system/xfer/tests.sh | 193 ++++++++++++++------------------- 1 file changed, 81 insertions(+), 112 deletions(-) diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh index 939c01490e..d0aaca6256 100755 --- a/bin/tests/system/xfer/tests.sh +++ b/bin/tests/system/xfer/tests.sh @@ -21,29 +21,24 @@ n=0 n=$((n+1)) echo_i "testing basic zone transfer functionality (from primary) ($n)" tmp=0 -$DIG $DIGOPTS example. \ - @10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1 +$DIG $DIGOPTS example. @10.53.0.2 axfr > dig.out.ns2.test$n || tmp=1 grep "^;" dig.out.ns2.test$n | cat_i - digcomp dig1.good dig.out.ns2.test$n || tmp=1 - if test $tmp != 0 ; then echo_i "failed"; fi status=$((status+tmp)) n=$((n+1)) echo_i "testing basic zone transfer functionality (from secondary) ($n)" +tmp=0 # # Spin to allow the zone to transfer. # -for i in 1 2 3 4 5 -do - tmp=0 - $DIG $DIGOPTS example. \ - @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 - grep "^;" dig.out.ns3.test$n > /dev/null || break - echo_i "plain zone re-transfer" - sleep 5 -done +wait_for_xfer () { + $DIG $DIGOPTS example. @10.53.0.3 axfr > dig.out.ns3.test$n || return 1 + grep "^;" dig.out.ns3.test$n > /dev/null && return 1 + return 0 +} +retry_quiet 25 wait_for_xfer || tmp=1 grep "^;" dig.out.ns3.test$n | cat_i digcomp dig1.good dig.out.ns3.test$n || tmp=1 if test $tmp != 0 ; then echo_i "failed"; fi 
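Review bot: The helper name `wait_for_xfer` introduced here is defined again with a different body in the hunk at `@@ -464,43 +444,35 @@`, where it polls `xfer-stats.`, so what the name means depends on the position in the script. Distinct names such as `wait_for_example_xfer` and `wait_for_xfer_stats` would avoid that. The helpers in this patch also mix the `name () {` and `name() (` forms; choosing one would make it clear whether `return` and variable assignments are meant to stay inside a subshell.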
@@ -51,25 +46,23 @@ status=$((status+tmp)) n=$((n+1)) echo_i "testing TSIG signed zone transfers ($n)" -$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || status=1 +tmp=0 +$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2.test$n || tmp=1 grep "^;" dig.out.ns2.test$n | cat_i # # Spin to allow the zone to transfer. # -for i in 1 2 3 4 5 -do -tmp=0 - $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || tmp=1 - grep "^;" dig.out.ns3.test$n > /dev/null - if test $? -ne 0 ; then break; fi - echo_i "plain zone re-transfer" - sleep 5 -done -if test $tmp -eq 1 ; then status=1; fi +wait_for_xfer_tsig () { + $DIG $DIGOPTS tsigzone. @10.53.0.3 axfr -y tsigzone.:1234abcd8765 > dig.out.ns3.test$n || return 1 + grep "^;" dig.out.ns3.test$n > /dev/null && return 1 + return 0 +} +retry_quiet 25 wait_for_xfer_tsig || tmp=1 grep "^;" dig.out.ns3.test$n | cat_i - -digcomp dig.out.ns2.test$n dig.out.ns3.test$n || status=1 +digcomp dig.out.ns2.test$n dig.out.ns3.test$n || tmp=1 +if test $tmp != 0 ; then echo_i "failed"; fi +status=$((status+tmp)) echo_i "reload servers for in preparation for ixfr-from-differences tests" @@ -115,6 +108,7 @@ sleep 3 n=$((n+1)) echo_i "testing zone is dumped after successful transfer ($n)" +tmp=0 $DIG $DIGOPTS +noall +answer +multi @10.53.0.2 \ slave. soa > dig.out.ns2.test$n || tmp=1 grep "1397051952 ; serial" dig.out.ns2.test$n > /dev/null 2>&1 || tmp=1 
@@ -126,38 +120,36 @@ n=$((n+1)) echo_i "testing ixfr-from-differences yes; ($n)" tmp=0 -for i in 0 1 2 3 4 5 6 7 8 9 -do - a=0 b=0 c=0 d=0 - echo_i "wait for reloads..." +echo_i "wait for reloads..." +wait_for_reloads() ( $DIG $DIGOPTS @10.53.0.6 +noall +answer soa master > dig.out.soa1.ns6.test$n - grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null && a=1 + grep "1397051953" dig.out.soa1.ns6.test$n > /dev/null || return 1 $DIG $DIGOPTS @10.53.0.1 +noall +answer soa slave > dig.out.soa2.ns1.test$n - grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null && b=1 + grep "1397051953" dig.out.soa2.ns1.test$n > /dev/null || return 1 $DIG $DIGOPTS @10.53.0.2 +noall +answer soa example > dig.out.soa3.ns2.test$n - grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null && c=1 - [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && break - sleep 2 -done + grep "1397051953" dig.out.soa3.ns2.test$n > /dev/null || return 1 + return 0 +) +retry_quiet 20 wait_for_reloads || tmp=1 -for i in 0 1 2 3 4 5 6 7 8 9 -do +echo_i "wait for transfers..." +wait_for_transfers() ( a=0 b=0 c=0 d=0 - echo_i "wait for transfers..." $DIG $DIGOPTS @10.53.0.3 +noall +answer soa example > dig.out.soa1.ns3.test$n grep "1397051953" dig.out.soa1.ns3.test$n > /dev/null && a=1 $DIG $DIGOPTS @10.53.0.3 +noall +answer soa master > dig.out.soa2.ns3.test$n grep "1397051953" dig.out.soa2.ns3.test$n > /dev/null && b=1 $DIG $DIGOPTS @10.53.0.6 +noall +answer soa slave > dig.out.soa3.ns6.test$n grep "1397051953" dig.out.soa3.ns6.test$n > /dev/null && c=1 - [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && break + [ $a -eq 1 -a $b -eq 1 -a $c -eq 1 ] && return 0 # re-notify if necessary $RNDCCMD 10.53.0.6 notify master 2>&1 | sed 's/^/ns6 /' | cat_i $RNDCCMD 10.53.0.1 notify slave 2>&1 | sed 's/^/ns1 /' | cat_i $RNDCCMD 10.53.0.2 notify example 2>&1 | sed 's/^/ns2 /' | cat_i - sleep 2 -done + return 1 +) +retry_quiet 20 wait_for_transfers || tmp=1 $DIG $DIGOPTS example. \ @10.53.0.3 axfr > dig.out.ns3.test$n || tmp=1 
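Review bot: `wait_for_transfers` still initialises `a=0 b=0 c=0 d=0` although `d` is never read, and its final test uses the `-a` operator of `[`, which POSIX marks as obsolescent. `a=0 b=0 c=0` and `[ $a -eq 1 ] && [ $b -eq 1 ] && [ $c -eq 1 ] && return 0` are equivalent. A one-line comment saying that flags are used here, instead of the early returns in `wait_for_reloads`, so that the re-notify runs only after all three queries have been made would help the next reader.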
@@ -260,10 +252,10 @@ DIGCMD="$DIG $DIGOPTS @10.53.0.4" SENDCMD="$PERL ../send.pl 10.53.0.5 $EXTRAPORT1" echo_i "testing that incorrectly signed transfers will fail..." -echo_i "initial correctly-signed transfer should succeed" +n=$((n+1)) +echo_i "initial correctly-signed transfer should succeed ($n)" $SENDCMD < ans5/goodaxfr -sleep 1 # Initially, ns4 is not authoritative for anything. # Now that ans is up and running with the right data, we make ns4 
@@ -277,122 +269,115 @@ zone "nil" { }; EOF -cur=`awk 'END {print NR}' ns4/named.run` +nextpart ns4/named.run >/dev/null rndc_reload ns4 10.53.0.4 -for i in 0 1 2 3 4 5 6 7 8 9 -do +wait_for_soa() ( $DIGCMD nil. SOA > dig.out.ns4.test$n - grep SOA dig.out.ns4.test$n > /dev/null && break - sleep 1 -done + grep SOA dig.out.ns4.test$n > /dev/null +) +retry_quiet 10 wait_for_soa -sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: success" > /dev/null || { +nextpart ns4/named.run | grep "Transfer status: success" > /dev/null || { echo_i "failed: expected status was not logged" status=$((status+1)) } -cur=`awk 'END {print NR}' ns4/named.run` $DIGCMD nil. TXT | grep 'initial AXFR' >/dev/null || { echo_i "failed" status=$((status+1)) } -echo_i "unsigned transfer" +n=$((n+1)) +echo_i "unsigned transfer ($n)" $SENDCMD < ans5/unsigned -sleep 1 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { echo_i "failed: expected status was not logged" status=$((status+1)) } -cur=`awk 'END {print NR}' ns4/named.run` $DIGCMD nil. TXT | grep 'unsigned AXFR' >/dev/null && { echo_i "failed" status=$((status+1)) } -echo_i "bad keydata" +n=$((n+1)) +echo_i "bad keydata ($n)" $SENDCMD < ans5/badkeydata -sleep 1 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: tsig verify failure" > /dev/null || { +nextpart ns4/named.run | grep "Transfer status: tsig verify failure" > /dev/null || { echo_i "failed: expected status was not logged" status=$((status+1)) } -cur=`awk 'END {print NR}' ns4/named.run` $DIGCMD nil. 
TXT | grep 'bad keydata AXFR' >/dev/null && { echo_i "failed" status=$((status+1)) } -echo_i "partially-signed transfer" +n=$((n+1)) +echo_i "partially-signed transfer ($n)" $SENDCMD < ans5/partial -sleep 1 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -sed -n "$cur,\$p" < ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { +nextpart ns4/named.run | grep "Transfer status: expected a TSIG or SIG(0)" > /dev/null || { echo_i "failed: expected status was not logged" status=$((status+1)) } -cur=`awk 'END {print NR}' ns4/named.run` $DIGCMD nil. TXT | grep 'partially signed AXFR' >/dev/null && { echo_i "failed" status=$((status+1)) } -echo_i "unknown key" +n=$((n+1)) +echo_i "unknown key ($n)" $SENDCMD < ans5/unknownkey -sleep 1 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -sed -n "$cur,\$p" < ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { echo_i "failed: expected status was not logged" status=$((status+1)) } -cur=`awk 'END {print NR}' ns4/named.run` $DIGCMD nil. TXT | grep 'unknown key AXFR' >/dev/null && { echo_i "failed" status=$((status+1)) } -echo_i "incorrect key" +n=$((n+1)) +echo_i "incorrect key ($n)" $SENDCMD < ans5/wrongkey -sleep 1 $RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i sleep 2 -sed -n "$cur,\$p" < ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { +nextpart ns4/named.run | grep "tsig key 'tsig_key': key name and algorithm do not match" > /dev/null || { echo_i "failed: expected status was not logged" status=$((status+1)) } -cur=`awk 'END {print NR}' ns4/named.run` $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && { echo_i "failed" 
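Review bot: The negative cases in this hunk still do `sleep 2` followed by a single `nextpart ns4/named.run | grep ...`, so each result depends on named logging the status within two seconds. Because `nextpart` returns only what was appended since the previous call, a line that arrives late is read by the following case instead, and "unsigned transfer" and "partially-signed transfer" both grep for `Transfer status: expected a TSIG or SIG(0)`, so one could satisfy the other. Polling for the message would remove the timing dependency, for example `wait_for_log 10 "Transfer status: tsig verify failure" ns4/named.run || {` in place of the sleep and grep, assuming `wait_for_log` reads the log incrementally as its use after `nextpart` in the hunk at `@@ -464,43 +444,35 @@` suggests. The "bad message id" case added at `@@ -384,6 +384,28 @@` has the same shape.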
@@ -438,19 +423,14 @@ $DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.1.test$n grep "status: NOERROR," dig.out.1.test$n > /dev/null || tmp=1 $PERL $SYSTEMTESTTOP/stop.pl xfer ns3 $PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} xfer ns3 -for try in 0 1 2 3 4 5 6 7 8 9; do - iret=0 - $DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n - grep "status: NOERROR," dig.out.2.test$n > /dev/null || iret=1 - if [ "$iret" -eq 0 ] - then - $DIG -p ${PORT} axfr mapped @10.53.0.3 > dig.out.3.test$n - digcomp knowngood.mapped dig.out.3.test$n || iret=1 - fi - [ "$iret" -eq 0 ] && break - sleep 1 -done -[ "$iret" -eq 0 ] || tmp=1 +check_mapped () { + $DIG -p ${PORT} txt mapped @10.53.0.3 > dig.out.2.test$n + grep "status: NOERROR," dig.out.2.test$n > /dev/null || return 1 + $DIG -p ${PORT} axfr mapped @10.53.0.3 > dig.out.3.test$n + digcomp knowngood.mapped dig.out.3.test$n || return 1 + return 0 +} +retry_quiet 10 check_mapped || tmp=1 [ "$tmp" -ne 0 ] && echo_i "failed" status=$((status+tmp)) 
@@ -464,43 +444,35 @@ status=$((status+tmp)) n=$((n+1)) echo_i "test that a zone with too many records is rejected (IXFR) ($n)" tmp=0 -grep "'ixfr-too-big./IN.*: too many records" ns6/named.run >/dev/null && tmp=1 +nextpart ns6/named.run > /dev/null $NSUPDATE << EOF zone ixfr-too-big server 10.53.0.1 ${PORT} update add the-31st-record.ixfr-too-big 0 TXT this is it send EOF -for i in 1 2 3 4 5 6 7 8 -do - grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null && break - sleep 1 -done -grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 +msg="'ixfr-too-big/IN' from 10.53.0.1#${PORT}: Transfer status: too many records" +wait_for_log 10 "$msg" ns6/named.run || tmp=1 if test $tmp != 0 ; then echo_i "failed"; fi status=$((status+tmp)) n=$((n+1)) echo_i "checking whether dig calculates AXFR statistics correctly ($n)" +tmp=0 # Loop until the secondary server manages to transfer the "xfer-stats" zone so # that we can both check dig output and immediately proceed with the next test. # Use -b so that we can discern between incoming and outgoing transfers in ns3 # logs later on. -tmp=1 -for i in 1 2 3 4 5 6 7 8 9 10; do +wait_for_xfer() ( $DIG $DIGOPTS +noedns +stat -b 10.53.0.2 @10.53.0.3 xfer-stats. AXFR > dig.out.ns3.test$n - if grep "; Transfer failed" dig.out.ns3.test$n > /dev/null; then - sleep 1 - else - tmp=0 - break - fi -done -if [ $tmp -ne 0 ]; then - echo_i "timed out waiting for zone transfer" -else + grep "; Transfer failed" dig.out.ns3.test$n > /dev/null || return 0 + return 1 +) +if retry_quiet 10 wait_for_xfer; then get_dig_xfer_stats dig.out.ns3.test$n > stats.dig diff axfr-stats.good stats.dig || tmp=1 +else + echo_i "timed out waiting for zone transfer" fi if test $tmp != 0 ; then echo_i "failed"; fi status=$((status+tmp)) 
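Review bot: In the dig AXFR statistics test the timeout path no longer fails the test. `tmp` now starts at 0 and the `else` branch only prints "timed out waiting for zone transfer", so `status` is unchanged when `retry_quiet 10 wait_for_xfer` gives up, whereas the old loop started from `tmp=1`. The `else` branch needs `tmp=1` next to the `echo_i`.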
@@ -518,15 +490,12 @@ status=$((status+tmp)) n=$((n+1)) echo_i "checking whether named calculates outgoing AXFR statistics correctly ($n)" -tmp=1 -for i in 0 1 2 3 4 5 6 7 8 9; do +tmp=0 +check_xfer_stats() { get_named_xfer_stats ns3/named.run 10.53.0.2 xfer-stats "AXFR ended" > stats.outgoing - if diff axfr-stats.good stats.outgoing > /dev/null; then - tmp=0 - break - fi - sleep 1 -done + diff axfr-stats.good stats.outgoing > /dev/null +} +retry_quiet 10 check_xfer_stats || tmp=1 if test $tmp != 0 ; then echo_i "failed"; fi status=$((status+tmp)) From ba445afb4fcc172e002b6941712028ded77f5e15 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 19 Mar 2020 12:26:37 +1100 Subject: [PATCH 3/3] Check that bad message id's are caught by named --- bin/tests/system/ans.pl | 12 +++++++++++- bin/tests/system/xfer/ans5/badmessageid | 10 ++++++++++ bin/tests/system/xfer/clean.sh | 26 ++++++++++++------------- bin/tests/system/xfer/tests.sh | 22 +++++++++++++++++++++ util/copyrights | 1 + 5 files changed, 57 insertions(+), 14 deletions(-) create mode 100644 bin/tests/system/xfer/ans5/badmessageid diff --git a/bin/tests/system/ans.pl b/bin/tests/system/ans.pl index d7f9f63cfa..9d77eb4575 100644 --- a/bin/tests/system/ans.pl +++ b/bin/tests/system/ans.pl @@ -62,6 +62,11 @@ # Note that this data will still be sent with any request for # pattern, only this data will be signed. Currently, this is only # done for TCP. +# +# /pattern bad-id / +# /pattern bad-id/ +# +# will add 50 to the message id of the response. use IO::File; @@ -361,7 +366,7 @@ sub handleTCP { my $r; foreach $r (@rules) { my $pattern = $r->{pattern}; - my($dbtype, $key_name, $key_data) = split(/ /,$pattern); + my($dbtype, $key_name, $key_data, $extra) = split(/ /,$pattern); print "[handleTCP] $dbtype, $key_name, $key_data \n"; if ("$qname $qtype" =~ /$dbtype/) { $count_these++; 
@@ -369,6 +374,11 @@ sub handleTCP { foreach $a (@{$r->{answer}}) { $packet->push("answer", $a); } + if(defined($key_name) && $key_name eq "bad-id") { + $packet->header->id(($id+50)%0xffff); + $key_name = $key_data; + $key_data = $extra; + } if (defined($key_name) && defined($key_data)) { my $tsig; # sign the packet diff --git a/bin/tests/system/xfer/ans5/badmessageid b/bin/tests/system/xfer/ans5/badmessageid new file mode 100644 index 0000000000..e0dc04168b --- /dev/null +++ b/bin/tests/system/xfer/ans5/badmessageid @@ -0,0 +1,10 @@ +/SOA tsig_key LSAnCU+Z/ +nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300 +/AXFR tsig_key LSAnCU+Z/ +nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300 +/AXFR bad-id tsig_key LSAnCU+Z/ +nil. 300 NS ns.nil. +nil. 300 TXT "bad message id" +a.nil. 60 A 10.0.0.61 +/AXFR bad-id tsig_key LSAnCU+Z/ +nil. 300 SOA ns.nil. root.nil. 1 300 300 604800 300 diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh index e172922253..f6de806024 100644 --- a/bin/tests/system/xfer/clean.sh +++ b/bin/tests/system/xfer/clean.sh 
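Review bot: `$packet->header->id(($id+50)%0xffff)` reduces modulo 65535 instead of wrapping at 16 bits, so it is not quite the "add 50 to the message id" that the usage comment describes and can never produce 65535. `($id + 50) & 0xffff` is the conventional form. The result still always differs from `$id`, so the test exercises the mismatch either way. `$id` is assigned outside this hunk, so its source is not visible here.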
@@ -13,25 +13,25 @@ # Clean up after zone transfer tests. # -rm -f dig.out.* +rm -f */ans.run +rm -f */named.conf +rm -f */named.memstats +rm -f */named.run +rm -f */named.run.prev rm -f axfr.out -rm -f stats.* -rm -f ns1/slave.db ns2/slave.db +rm -f dig.out.* +rm -f ns*/managed-keys.bind* +rm -f ns*/named.lock rm -f ns1/edns-expire.db +rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl +rm -f ns1/slave.db ns2/slave.db rm -f ns2/example.db ns2/tsigzone.db ns2/example.db.jnl +rm -f ns2/mapped.db rm -f ns3/example.bk ns3/xfer-stats.bk ns3/tsigzone.bk ns3/example.bk.jnl +rm -f ns3/mapped.bk rm -f ns3/master.bk ns3/master.bk.jnl rm -f ns4/*.db ns4/*.jnl rm -f ns6/*.db ns6/*.bk ns6/*.jnl rm -f ns7/*.db ns7/*.bk ns7/*.jnl rm -f ns8/large.db ns8/small.db -rm -f */named.conf -rm -f */named.run -rm -f */named.memstats -rm -f */named.run -rm -f */ans.run -rm -f ns*/named.lock -rm -f ns2/mapped.db -rm -f ns3/mapped.bk -rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl -rm -f ns*/managed-keys.bind* +rm -f stats.* diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh index d0aaca6256..c88de9e679 100755 --- a/bin/tests/system/xfer/tests.sh +++ b/bin/tests/system/xfer/tests.sh @@ -384,6 +384,28 @@ $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && { status=$((status+1)) } +n=$((n+1)) +echo_i "bad message id ($n)" + +$SENDCMD < ans5/badmessageid + +# Uncomment to see AXFR stream with mismatching IDs. +# $DIG $DIGOPTS @10.53.0.5 -y tsig_key:LSAnCU+Z nil. AXFR +all + +$RNDCCMD 10.53.0.4 retransfer nil | sed 's/^/ns4 /' | cat_i + +sleep 2 + +nextpart ns4/named.run | grep "unexpected message id" > /dev/null || { + echo_i "failed: expected status was not logged" + status=$((status+1)) +} + +$DIGCMD nil. TXT | grep 'bad message id' >/dev/null && { + echo_i "failed" + status=$((status+1)) +} + n=$((n+1)) echo_i "check that we ask for and get a EDNS EXPIRE response ($n)" # force a refresh query 
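Review bot: The last check of the new "bad message id" case, `$DIGCMD nil. TXT | grep 'bad message id' >/dev/null && {`, succeeds whenever the string is absent, including when ns4 returns nothing at all, so on its own it does not show that the rejected stream left the zone untouched. Pairing it with a positive assertion on the same dig output would close that gap, for instance that the TXT record from the last accepted transfer is still served, if the zone is expected to survive a refused retransfer. The log check `grep "unexpected message id"` is the assertion that actually ties the failure to the id test, and a short comment saying so would make the intent of the two checks clear.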
diff --git a/util/copyrights b/util/copyrights
index d176a9c783..1297eb8bd3 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1167,6 +1167,7 @@
 ./bin/tests/system/win32/pipequeries.vcxproj.in X 2016,2017,2018,2019,2020
 ./bin/tests/system/win32/pipequeries.vcxproj.user X 2016,2018,2019,2020
 ./bin/tests/system/xfer/ans5/badkeydata X 2011,2018,2019,2020
+./bin/tests/system/xfer/ans5/badmessageid X 2020
 ./bin/tests/system/xfer/ans5/goodaxfr X 2011,2018,2019,2020
 ./bin/tests/system/xfer/ans5/partial X 2011,2018,2019,2020
 ./bin/tests/system/xfer/ans5/unknownkey X 2011,2018,2019,2020