From ab77b3dffa343f88e36d24571dc2b142a65f8f4b Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Fri, 20 Feb 2026 13:48:17 +0000
Subject: [PATCH] Test sending a TKEY query with deletion and unrecognized modes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This new test sends two signed TKEY queries, one in delegation mode and one in an unrecognized mode to check that named correctly processes them.

Co-authored-by: Nicki Křížek
---
 bin/tests/system/tkey/ns1/example.db | 23 ++++++++
 bin/tests/system/tkey/ns1/named.conf.j2 | 35 +++++++++++
 bin/tests/system/tkey/tests_cve_2026_3119.py | 62 ++++++++++++++++++++
 3 files changed, 120 insertions(+)
 create mode 100644 bin/tests/system/tkey/ns1/example.db
 create mode 100644 bin/tests/system/tkey/ns1/named.conf.j2
 create mode 100644 bin/tests/system/tkey/tests_cve_2026_3119.py

diff --git a/bin/tests/system/tkey/ns1/example.db b/bin/tests/system/tkey/ns1/example.db
new file mode 100644
index 0000000000..49c499c3a0
--- /dev/null
+++ b/bin/tests/system/tkey/ns1/example.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+example.nil IN SOA ns1.example.nil. hostmaster.example.nil. (
+ 1 ; serial
+ 2000 ; refresh (2000 seconds)
+ 2000 ; retry (2000 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+example.nil. NS ns1.example.nil.
+ns1.example.nil. A 10.53.0.1
+a.example.nil. A 10.53.0.1
diff --git a/bin/tests/system/tkey/ns1/named.conf.j2 b/bin/tests/system/tkey/ns1/named.conf.j2
new file mode 100644
index 0000000000..4603956744
--- /dev/null
+++ b/bin/tests/system/tkey/ns1/named.conf.j2
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+ notify no;
+};
+
+key "test-key" {
+ algorithm "hmac-sha256";
+ secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
+};
+
+zone "example.nil" {
+ type primary;
+ file "example.db";
+};
diff --git a/bin/tests/system/tkey/tests_cve_2026_3119.py b/bin/tests/system/tkey/tests_cve_2026_3119.py
new file mode 100644
index 0000000000..bbf673d8df
--- /dev/null
+++ b/bin/tests/system/tkey/tests_cve_2026_3119.py
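Review bot: The `secret` of "test-key" in this hunk is copied verbatim into tests_cve_2026_3119.py with nothing tying the two copies together, so a future edit to either side produces a TSIG mismatch that surfaces only as named refusing the query, not as an obvious test failure. A comment on the key statement, `/* must match the keyring in tests_cve_2026_3119.py */`, makes the coupling visible to whoever touches either file. Since the file is presumably rendered as a template (.j2) it could also take the secret from one shared variable, but the comment alone is enough for a fixture of this size.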
@@ -0,0 +1,62 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=unused-variable
+
+import time
+
+import dns.message
+import dns.rdataclass
+import dns.rdatatype
+import dns.rdtypes.ANY.TKEY
+import dns.rrset
+import dns.tsigkeyring
+import pytest
+
+import isctest
+
+pytestmark = pytest.mark.extra_artifacts([])
+
+
+def create_tkey_msg(qname, mode, alg="hmac-sha256"):
+    msg = dns.message.make_query(qname, "TKEY")
+    now = int(time.time())
+    rdata = dns.rdtypes.ANY.TKEY.TKEY(
+        rdclass=dns.rdataclass.ANY,
+        rdtype=dns.rdatatype.TKEY,
+        algorithm=alg,
+        inception=now - 3600,
+        expiration=now + 86400,
+        mode=mode,
+        error=0,
+        key=b"",
+    )
+    rrset = dns.rrset.from_rdata(qname, dns.rdatatype.TKEY, rdata)
+    msg.additional.append(rrset)
+    return msg
+
+
+def test_tkey_cve_2026_3119(ns1):
+    keyring = dns.tsigkeyring.from_text(
+        {
+            "test-key": "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=",
+        }
+    )
+
+    msg_delete = create_tkey_msg("a.example.nil.", 5)
+    msg_delete.use_tsig(keyring, keyname="test-key")
+    isctest.query.tcp(msg_delete, ns1.ip, attempts=1)
+
+    msg_unsupported = create_tkey_msg("a.example.nil.", 99)
+    msg_unsupported.use_tsig(keyring, keyname="test-key")
+    isctest.query.tcp(msg_unsupported, ns1.ip, attempts=1)
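Review bot: Both `isctest.query.tcp()` results in `test_tkey_cve_2026_3119` are discarded, so the test shows only that named survives the two queries, not that the key-deletion and unknown-mode paths were actually reached. That gap matters because `use_tsig()` is called without an `algorithm=` argument: dnspython then signs with its default TSIG algorithm (HMAC-MD5 in the versions I know), while named.conf.j2 declares "test-key" as hmac-sha256, and if the two differ named answers NOTAUTH/BADKEY before any TKEY processing and the test still passes. Pass `algorithm="hmac-sha256"` explicitly, keep the replies and assert at least that the RCODE is not NOTAUTH and, for mode 99, that the TKEY RR carries BADMODE (RFC 2930 §2.5; confirm the section and the error named returns for deleting an unknown key against lib/dns/tkey.c before asserting on the mode-5 reply). The bare `5` and `99` also deserve names so a reader knows what each query targets — mode 5 is key deletion in RFC 2930, not "delegation" as the commit message says. The sketch below assumes `isctest.query.tcp` returns the parsed reply and needs `import dns.rcode` next to the existing imports.
```python
TKEY_MODE_DELETE = 5  # key deletion, RFC 2930 §2.5
TKEY_MODE_UNASSIGNED = 99  # not assigned in the IANA TKEY mode registry


def _signed_tkey(keyring, mode):
    msg = create_tkey_msg("a.example.nil.", mode)
    # must match the `algorithm` of "test-key" in ns1/named.conf.j2
    msg.use_tsig(keyring, keyname="test-key", algorithm="hmac-sha256")
    return msg


def test_tkey_cve_2026_3119(ns1):
    # … unchanged: keyring construction …

    res = isctest.query.tcp(_signed_tkey(keyring, TKEY_MODE_DELETE), ns1.ip, attempts=1)
    # NOTAUTH would mean the TSIG itself was rejected and TKEY code never ran
    assert res.rcode() != dns.rcode.NOTAUTH

    res = isctest.query.tcp(_signed_tkey(keyring, TKEY_MODE_UNASSIGNED), ns1.ip, attempts=1)
    assert res.rcode() != dns.rcode.NOTAUTH
    tkeys = [rrs for rrs in res.answer if rrs.rdtype == dns.rdatatype.TKEY]
    # RFC 2930 §2.5: an unrecognized mode is reported as BADMODE in the TKEY RR
    # (confirm the section named uses against lib/dns/tkey.c)
    assert tkeys and tkeys[0][0].error == dns.rcode.BADMODE
```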