Test sending a TKEY query with deletion and unrecognized modes

This new test sends two signed TKEY queries, one in delegation
mode and one in an unrecognized mode to check that named
correctly processes them.

Co-authored-by: Nicki Křížek <nicki@isc.org>

bin/tests/system/tkey/ns1/example.db

@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+example.nil		IN SOA	ns1.example.nil. hostmaster.example.nil. (
+				1	   ; serial
+				2000       ; refresh (2000 seconds)
+				2000       ; retry (2000 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+example.nil.		NS	ns1.example.nil.
+ns1.example.nil.	A	10.53.0.1
+a.example.nil.		A	10.53.0.1

bin/tests/system/tkey/ns1/named.conf.j2

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+	notify no;
+};
+
+key "test-key" {
+	algorithm "hmac-sha256";
+	secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+};
+
+zone "example.nil" {
+	type primary;
+	file "example.db";
+};

bin/tests/system/tkey/tests_cve_2026_3119.py

@@ -0,0 +1,62 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=unused-variable
+
+import time
+
+import dns.message
+import dns.rdataclass
+import dns.rdatatype
+import dns.rdtypes.ANY.TKEY
+import dns.rrset
+import dns.tsigkeyring
+import pytest
+
+import isctest
+
+pytestmark = pytest.mark.extra_artifacts([])
+
+
+def create_tkey_msg(qname, mode, alg="hmac-sha256"):
+    msg = dns.message.make_query(qname, "TKEY")
+    now = int(time.time())
+    rdata = dns.rdtypes.ANY.TKEY.TKEY(
+        rdclass=dns.rdataclass.ANY,
+        rdtype=dns.rdatatype.TKEY,
+        algorithm=alg,
+        inception=now - 3600,
+        expiration=now + 86400,
+        mode=mode,
+        error=0,
+        key=b"",
+    )
+    rrset = dns.rrset.from_rdata(qname, dns.rdatatype.TKEY, rdata)
+    msg.additional.append(rrset)
+    return msg
+
+
+def test_tkey_cve_2026_3119(ns1):
+    keyring = dns.tsigkeyring.from_text(
+        {
+            "test-key": "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=",
+        }
+    )
+
+    msg_delete = create_tkey_msg("a.example.nil.", 5)
+    msg_delete.use_tsig(keyring, keyname="test-key")
+    isctest.query.tcp(msg_delete, ns1.ip, attempts=1)
+
+    msg_unsupported = create_tkey_msg("a.example.nil.", 99)
+    msg_unsupported.use_tsig(keyring, keyname="test-key")
+    isctest.query.tcp(msg_unsupported, ns1.ip, attempts=1)