From 9fcad11e347cbca621c38830ffc02b5c726f5346 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 29 Jan 2019 18:09:06 +0100
Subject: [PATCH] Weak verification for signed TKEY response

The introduced grep call checks whether there was a response that has an answer and an additional record. There should be only one in the nsupdate output that is for the TKEY response.
---
 bin/tests/system/tsiggss/tests.sh | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
index fbc5ffc30a..5131c18217 100644
--- a/bin/tests/system/tsiggss/tests.sh
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -39,6 +39,12 @@ EOF
 return 1
 }

+ # Weak verification that TKEY response is signed.
+ grep -q "flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1" nsupdate.out${num} || {
+ echo "I:bad tkey response (not tsig signed)"
+ return 1
+ }
+
 out=`$DIG $DIGOPTS -t $type -q $host | egrep "^${host}"`
 lines=`echo "$out" | grep "$digout" | wc -l`
 [ $lines -eq 1 ] || {
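Review bot: The added grep treats a header with `ANSWER: 1` and `ADDITIONAL: 1` as proof of a signature, but it never looks at what the additional record is, so a TKEY reply whose single additional record is not a TSIG would presumably still pass this test. It also scans the whole of `nsupdate.out${num}`, and only the commit message, not the check itself, guarantees that a single header of this shape appears there. If the nsupdate debug output prints the TSIG record, the check should be limited to the TKEY reply and require that record as well; until then the comment should state the limit, e.g. `# Weak check: matches header counts only, does not prove a TSIG record is present.`. The file argument should be quoted as `"nsupdate.out${num}"`, and the enclosing function starts and ends outside this hunk.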