xfer system test passes even if there's a TSIG failure
dig doesn't seem to return an error status if there's a TSIG failure. E.g., apply this patch:
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index ee891b4e36..15f24f6677 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1766,7 +1766,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ptr2 = ptr3;
} else {
#ifndef PK11_MD5_DISABLE
- hmacname = DNS_TSIG_HMACMD5_NAME;
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
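Review bot: with the replaced line, both arms of the #ifndef PK11_MD5_DISABLE / #else block now assign DNS_TSIG_HMACSHA256_NAME, so the conditional no longer selects anything. If this change is only meant to force an algorithm mismatch against the test key for reproduction, say so in a comment and keep it out of the tree. If it is meant to stay, collapse the #ifndef/#else/#endif into a single assignment and document that the default HMAC for a -y key given without an algorithm has changed.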
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
index 91b23b3edb..004bf43ab6 100755
--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@@ -46,7 +46,7 @@ digcomp dig1.good dig.out.ns3 || status=1
n=`expr $n + 1`
echo_i "testing TSIG signed zone transfers"
-$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2 || status=1
+$DIG $DIGOPTS tsigzone. @10.53.0.2 axfr -y tsigzone.:1234abcd8765 > dig.out.ns2 || exit 1
grep "^;" dig.out.ns2 | cat_i
#
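Review bot: the "|| exit 1" on the $DIG axfr line only fires when dig returns a non-zero status, which is exactly what the report says does not happen on a TSIG failure, so this check cannot catch the case on its own. The test should also inspect dig.out.ns2 for the failure (the following line already greps the ";" comment lines out of it) and fail on that. Prefer keeping the "|| status=1" convention used by the digcomp line above over a bare exit, so the remaining checks and the final status report still run.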
and run the xfer system test. See the early failures, but it doesn't exit after the dig failure above.
This was noticed about a year back, but it got missed. The regular passing tests don't exercise the failure.