From 7eed9397e2520b4388ee4cc7172e09bd5d195e16 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 4 May 2026 11:40:57 +0000
Subject: [PATCH 1/2] Add a catz test with a duplicate primaries entry
 (alternative syntax)

This new check ads a catalog member zone with both variants of
the labeled primaries/masters property. This should not cause
any issues.

(cherry picked from commit 4f5f4b77c76eb205a3e270f7c9956289841e8735)
---
 bin/tests/system/catz/tests.sh | 46 ++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh
index df148f2bde..fb1a700eeb 100644
--- a/bin/tests/system/catz/tests.sh
+++ b/bin/tests/system/catz/tests.sh
@@ -2993,6 +2993,52 @@ wait_for_soa @10.53.0.2 dom21.example. dig.out.test$n || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+##########################################################################
+
+nextpart ns2/named.run >/dev/null
+
+echo_i "Testing primaries and masters suboptions together"
+
+n=$((n + 1))
+echo_i "adding domain dom22.example. to primary via RNDC ($n)"
+ret=0
+echo "@ 3600 IN SOA . . 1 3600 3600 3600 3600" >ns1/dom22.example.db
+echo "@ IN NS invalid." >>ns1/dom22.example.db
+echo "@ IN A 192.0.2.1" >>ns1/dom22.example.db
+rndccmd 10.53.0.1 addzone dom22.example. in default '{type primary; file "dom22.example.db"; allow-transfer { key tsig_key; };};' || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "adding dom22.example. with both primaries and masters suboptions ($n)"
+ret=0
+$NSUPDATE -d <<END >>nsupdate.out.test$n 2>&1 || ret=1
+    server 10.53.0.1 ${PORT}
+    update add double.zones.catalog1.example. 3600 IN PTR dom22.example.
+    update add samelabel.primaries.ext.double.zones.catalog1.example. 3600 IN A 10.53.0.1
+    update add samelabel.primaries.ext.double.zones.catalog1.example. 3600 IN TXT "tsig_key"
+    update add samelabel.masters.ext.double.zones.catalog1.example. 3600 IN A 10.53.0.1
+    update add samelabel.masters.ext.double.zones.catalog1.example. 3600 IN TXT "tsig_key"
+    send
+END
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "waiting for secondary to sync up ($n)"
+ret=0
+wait_for_message ns2/named.run "catz: adding zone 'dom22.example' from catalog 'catalog1.example'" \
+  && wait_for_message ns2/named.run "transfer of 'dom22.example/IN/default' from 10.53.0.1#${PORT}: Transfer status: success" || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that dom22.example. is served by secondary ($n)"
+ret=0
+wait_for_soa @10.53.0.2 dom22.example. dig.out.test$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 ##########################################################################
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

From 83cd5b52b5b65bd567a6709988c86ae90e663d3f Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 4 May 2026 11:45:21 +0000
Subject: [PATCH 2/2] Fix a memory leak issue in catz_process_primaries()

Free the old version of the keyname (if it exists) before setting
the new one.

(cherry picked from commit 4576a67a935b59191119e1b3f8f1ebce1521f3c8)
---
 lib/dns/catz.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 2924a13462..37e940b2e9 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -1490,6 +1490,14 @@ catz_process_primaries(dns_catz_zone_t *catz, dns_ipkeylist_t *ipkl,
 
 		if (i < ipkl->count) { /* we have this record already */
 			if (value->type == dns_rdatatype_txt) {
+				if (ipkl->keys[i] != NULL) {
+					if (dns_name_dynamic(ipkl->keys[i])) {
+						dns_name_free(ipkl->keys[i],
+							      mctx);
+					}
+					isc_mem_put(mctx, ipkl->keys[i],
+						    sizeof(*ipkl->keys[i]));
+				}
 				ipkl->keys[i] = keyname;
 			} else { /* A/AAAA */
 				memmove(&ipkl->addrs[i], &sockaddr,