From 13000c28c2e0ab2754f0f37ab8d6edb8249a1370 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 21 Sep 2022 08:20:22 +0000 Subject: [PATCH 1/6] Implement DoT support for nsupdate Implement DNS-over-TLS support for nsupdate. Use DiG's DoT implementation as a model for the newly added features. --- bin/nsupdate/nsupdate.c | 187 ++++++++++++++++++++++++++++---- lib/dns/include/dns/transport.h | 20 +++- lib/dns/transport.c | 32 +++++- 3 files changed, 210 insertions(+), 29 deletions(-)
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index caac7f8489..8444e32f67 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -46,6 +46,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 
@@ -68,6 +69,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 
@@ -120,6 +122,7 @@ static bool memdebugging = false;
 static bool have_ipv4 = false;
 static bool have_ipv6 = false;
 static bool is_dst_up = false;
+static bool use_tls = false;
 static bool usevc = false;
 static bool usegsstsig = false;
 static bool use_win2k_gsstsig = false;
@@ -147,6 +150,14 @@ static dns_tsigkey_t *tsigkey = NULL;
 static dst_key_t *sig0key = NULL;
 static isc_sockaddr_t *servers = NULL;
 static isc_sockaddr_t *primary_servers = NULL;
+static dns_transport_list_t *transport_list = NULL;
+static dns_transport_t *transport = NULL;
+static isc_tlsctx_cache_t *tls_ctx_cache = NULL;
+static char *tls_hostname = NULL;
+static char *tls_client_key_file = NULL;
+static char *tls_client_cert_file = NULL;
+static char *tls_ca_file = NULL;
+static bool tls_always_verify_remote = true;
 static bool default_servers = true;
 static int ns_inuse = 0;
 static int primary_inuse = 0;
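Review bot: The TLS globals added at the end of the `@@ -147,6 +150,14 @@` hunk carry no comment, and `tls_always_verify_remote = true` is the one a reader needs explained: it is the flag that makes peer authentication the default and it is only cleared by `-O` in parse_args(). Suggest `static bool tls_always_verify_remote = true; /* strict TLS by default; -O selects opportunistic TLS */`. A one-line comment above the group could also record that `tls_hostname`, `tls_ca_file`, `tls_client_key_file` and `tls_client_cert_file` are assigned `isc_commandline_argument` directly (they alias argv, they are not copies), since nothing in the series frees them and a future change that duplicates or frees them would need to know.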
@@ -793,6 +804,19 @@ set_source_ports(dns_dispatchmgr_t *manager) {
 isc_portset_destroy(gmctx, &v6portset);
 }
 
+static isc_result_t
+create_name(const char *str, char *namedata, size_t len, dns_name_t *name) {
+ isc_buffer_t namesrc, namebuf;
+
+ dns_name_init(name, NULL);
+ isc_buffer_constinit(&namesrc, str, strlen(str));
+ isc_buffer_add(&namesrc, strlen(str));
+ isc_buffer_init(&namebuf, namedata, len);
+
+ return (dns_name_fromtext(name, &namesrc, dns_rootname,
+ DNS_NAME_DOWNCASE, &namebuf));
+}
+
 static void
 setup_system(void) {
 isc_result_t result;
@@ -800,6 +824,8 @@ setup_system(void) {
 isc_sockaddrlist_t *nslist;
 isc_logconfig_t *logconfig = NULL;
 irs_resconf_t *resconf = NULL;
+ dns_name_t tlsname;
+ char namedata[DNS_NAME_FORMATSIZE + 1];
 
 ddebug("setup_system()");
 
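Review bot: `create_name()` calls `strlen(str)` twice and says nothing about who owns `namedata`: `dns_name_fromtext()` writes the wire form into `namebuf`, so `name` refers into `namedata` and the caller must keep that array alive for as long as `name` is used (setup_system() does so with a stack array that outlives its use in the same function). Suggest hoisting the length, `size_t slen = strlen(str);`, and passing it to both `isc_buffer_constinit()` and `isc_buffer_add()`, plus a header comment such as `/* Parse the text 'str' into 'name' (made absolute via dns_rootname and lowercased), backed by the caller-supplied 'namedata' of 'len' bytes; 'name' is valid only while 'namedata' is. */`. The `DNS_NAME_DOWNCASE` flag is worth that explicit mention because the resulting name is what `dns_transport_new()` is given as the transport's name in the next hunk.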
@@ -936,6 +962,31 @@ setup_system(void) {
 &dispatchv4);
 check_result(result, "dns_dispatch_createudp (v4)");
 }
+ transport_list = dns_transport_list_new(gmctx);
+
+ tls_ctx_cache = isc_tlsctx_cache_new(gmctx);
+
+ if (tls_client_key_file == NULL) {
+ result = create_name("tls-non-auth-client", namedata,
+ sizeof(namedata), &tlsname);
+ check_result(result, "create_name (tls-non-auth-client)");
+ transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS,
+ transport_list);
+ dns_transport_set_tlsname(transport, "tls-non-auth-client");
+ } else {
+ result = create_name("tls-auth-client", namedata,
+ sizeof(namedata), &tlsname);
+ check_result(result, "create_name (tls-auth-client)");
+ transport = dns_transport_new(&tlsname, DNS_TRANSPORT_TLS,
+ transport_list);
+ dns_transport_set_tlsname(transport, "tls-auth-client");
+ dns_transport_set_keyfile(transport, tls_client_key_file);
+ dns_transport_set_certfile(transport, tls_client_cert_file);
+ }
+ dns_transport_set_cafile(transport, tls_ca_file);
+ dns_transport_set_remote_hostname(transport, tls_hostname);
+ dns_transport_set_always_verify_remote(transport,
+ tls_always_verify_remote);
 
 result = dns_requestmgr_create(gmctx, taskmgr, dispatchmgr,
 dispatchv4, dispatchv6, &requestmgr);
@@ -972,7 +1023,7 @@ get_addresses(char *host, in_port_t port, isc_sockaddr_t *sockaddr,
 return (count);
 }
 
-#define PARSE_ARGS_FMT "46C:dDghilL:Mok:p:Pr:R:t:Tu:vVy:"
+#define PARSE_ARGS_FMT "46A:C:dDE:ghH:iK:lL:MoOk:p:Pr:R:St:Tu:vVy:"
 
 static void
 pre_parse_args(int argc, char **argv) {
@@ -1015,7 +1066,9 @@ pre_parse_args(int argc, char **argv) {
 fprintf(stderr, "usage: nsupdate [-CdDi] [-L level] "
 "[-l] [-g | -o | -y keyname:secret "
 "| -k keyfile] [-p port] "
- "[-v] [-V] [-P] [-T] [-4 | -6] "
+ "[ -S [-K tlskeyfile] [-E tlscertfile] "
+ "[-A tlscafile] [-H tlshostname] "
+ "[-O] ] [-v] [-V] [-P] [-T] [-4 | -6] "
 "[filename]\n");
 exit(1);
 
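Review bot: The transport list, the TLS context cache and `transport` itself are created in setup_system() unconditionally, even when none of `-S`/`-K`/`-E`/`-A`/`-H`/`-O` was given and `use_tls` is false, so every plain nsupdate run now builds TLS state it never uses; wrapping the block in `if (use_tls) { ... }` would match the NULL checks that cleanup() already performs on `tls_ctx_cache` and `transport_list`. A comment above `if (tls_client_key_file == NULL)` would help too: the two branches differ only in whether a client key/certificate pair is attached for mutual TLS, and the check added to parse_args() in this commit guarantees that `tls_client_cert_file` is non-NULL here whenever `tls_client_key_file` is. It is also worth noting next to the three trailing setters that `tls_ca_file` and `tls_hostname` may legitimately be NULL, which, with `tls_always_verify_remote` still true, is what selects IP-address verification against the system store according to the transport.h text in this series. setup_system() continues outside the hunk.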
@@ -1087,6 +1140,11 @@ parse_args(int argc, char **argv) {
 fatal("can't find IPv6 networking");
 }
 break;
+ case 'A':
+ use_tls = true;
+ usevc = true;
+ tls_ca_file = isc_commandline_argument;
+ break;
 case 'C':
 resolvconf = isc_commandline_argument;
 break;
@@ -1097,12 +1155,27 @@ parse_args(int argc, char **argv) {
 debugging = true;
 ddebugging = true;
 break;
+ case 'E':
+ use_tls = true;
+ usevc = true;
+ tls_client_cert_file = isc_commandline_argument;
+ break;
+ case 'H':
+ use_tls = true;
+ usevc = true;
+ tls_hostname = isc_commandline_argument;
+ break;
 case 'M':
 break;
 case 'i':
 force_interactive = true;
 interactive = true;
 break;
+ case 'K':
+ use_tls = true;
+ usevc = true;
+ tls_client_key_file = isc_commandline_argument;
+ break;
 case 'l':
 local_only = true;
 break;
@@ -1135,6 +1208,11 @@ parse_args(int argc, char **argv) {
 usegsstsig = true;
 use_win2k_gsstsig = true;
 break;
+ case 'O':
+ use_tls = true;
+ usevc = true;
+ tls_always_verify_remote = false;
+ break;
 case 'p':
 result = isc_parse_uint16(&dnsport,
 isc_commandline_argument, 10);
@@ -1146,6 +1224,10 @@ parse_args(int argc, char **argv) {
 exit(1);
 }
 break;
+ case 'S':
+ use_tls = true;
+ usevc = true;
+ break;
 case 't':
 result = isc_parse_uint32(&timeout,
 isc_commandline_argument, 10);
@@ -1211,6 +1293,24 @@ parse_args(int argc, char **argv) {
 }
 #endif /* HAVE_GSSAPI */
 
+ if (use_tls) {
+ if ((tls_client_key_file == NULL) !=
+ (tls_client_cert_file == NULL)) {
+ fprintf(stderr,
+ "%s: cannot specify the -K option without"
+ "the -E option, and vice versa.\n",
+ argv[0]);
+ exit(1);
+ }
+ if (tls_ca_file != NULL && tls_always_verify_remote == false) {
+ fprintf(stderr,
+ "%s: cannot specify the -A option in "
+ "conjuction with the -O option.\n",
+ argv[0]);
+ exit(1);
+ }
+ }
+
 if (argv[isc_commandline_index] != NULL) {
 if (strcmp(argv[isc_commandline_index], "-") == 0) {
 input = stdin;
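Review bot: The first error message in the new `if (use_tls)` block is missing a space between its two string literals and prints as "...the -K option withoutthe -E option..."; change that line to `"%s: cannot specify the -K option without "`, and fix `conjuction` to `conjunction` in the second message. The second check also looks incomplete: `-A` with `-O` is rejected, but `-H` with `-O` is accepted even though a non-NULL hostname makes dns_transport_get_tlsctx() verify the peer regardless of `always_verify_remote` (see the `if (always_verify_remote || hostname != NULL || ca_file != NULL)` change in lib/dns/transport.c in this commit), so `-O` is silently ignored in that combination. Rejecting `-H` together with `-O` the same way, or stating the precedence in the usage text, would avoid the surprise; whether that combination is meant to be strict is not said in the commit message, so treat this as a question.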
@@ -2448,8 +2548,10 @@ static void
 send_update(dns_name_t *zone, isc_sockaddr_t *primary) {
 isc_result_t result;
 dns_request_t *request = NULL;
- unsigned int options = DNS_REQUESTOPT_CASE;
 isc_sockaddr_t *srcaddr;
+ unsigned int options = DNS_REQUESTOPT_CASE;
+ dns_transport_t *req_transport = NULL;
+ isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
 
 ddebug("send_update()");
 
@@ -2457,7 +2559,12 @@ send_update(dns_name_t *zone, isc_sockaddr_t *primary) {
 
 if (usevc) {
 options |= DNS_REQUESTOPT_TCP;
+ if (use_tls) {
+ req_transport = transport;
+ req_tls_ctx_cache = tls_ctx_cache;
+ }
 }
+
 if (tsigkey == NULL && sig0key != NULL) {
 result = dns_message_setsig0key(updatemsg, sig0key);
 check_result(result, "dns_message_setsig0key");
@@ -2480,10 +2587,10 @@ send_update(dns_name_t *zone, isc_sockaddr_t *primary) {
 updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
 }
 
- result = dns_request_create(requestmgr, updatemsg, srcaddr, primary,
- NULL, NULL, -1, options, tsigkey, timeout,
- udp_timeout, udp_retries, global_task,
- update_completed, NULL, &request);
+ result = dns_request_create(
+ requestmgr, updatemsg, srcaddr, primary, req_transport,
+ req_tls_ctx_cache, -1, options, tsigkey, timeout, udp_timeout,
+ udp_retries, global_task, update_completed, NULL, &request);
 check_result(result, "dns_request_create");
 
 if (debugging) {
@@ -2574,6 +2681,10 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 result = dns_request_getresponse(request, rcvmsg,
 DNS_MESSAGEPARSE_PRESERVEORDER);
 if (result == DNS_R_TSIGERRORSET && servers != NULL) {
+ unsigned int options = DNS_REQUESTOPT_CASE;
+ dns_transport_t *req_transport = NULL;
+ isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
+
 dns_message_detach(&rcvmsg);
 ddebug("Destroying request [%p]", request);
 dns_request_destroy(&request);
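Review bot: The transport-selection logic introduced in send_update() — set `DNS_REQUESTOPT_TCP` when `usevc`, then hand `transport`/`tls_ctx_cache` to dns_request_create() when TLS applies — is written out four times in this commit (here, and in recvsoa(), sendrequest() and send_gssrequest() in the following hunks) with two different conditions: `use_tls` alone here versus `!default_servers && use_tls` in the other three. The difference is presumably deliberate, the update going to the zone's primary while the SOA probes may go to the resolvers from resolv.conf, but nothing in the code says so; a comment in send_update() such as `/* The update itself uses DoT whenever it is enabled; only the SOA probes to the resolv.conf resolvers (default_servers) stay in the clear. */` would record the intent. A static helper would keep the four sites from drifting further; a sketch follows, with send_update() passing `usevc, false`, recvsoa() and sendrequest() passing `usevc, default_servers`, and send_gssrequest() passing `true, default_servers`.
```c
/*
 * Pick the transport for an outgoing request: TCP when 'tcp' is set, and
 * on top of that the DoT transport when TLS is enabled and the request is
 * not going to the resolvers read from resolv.conf.
 */
static void
select_transport(bool tcp, bool to_default_servers, unsigned int *options,
		 dns_transport_t **req_transport,
		 isc_tlsctx_cache_t **req_tls_ctx_cache) {
	*req_transport = NULL;
	*req_tls_ctx_cache = NULL;
	if (!tcp) {
		return;
	}
	*options |= DNS_REQUESTOPT_TCP;
	if (use_tls && !to_default_servers) {
		*req_transport = transport;
		*req_tls_ctx_cache = tls_ctx_cache;
	}
}

/* … unchanged: start of send_update() … */
	select_transport(usevc, false, &options, &req_transport,
			 &req_tls_ctx_cache);
/* … unchanged: SIG(0)/TSIG setup and the dns_request_create() call … */
```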
@@ -2583,6 +2694,14 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 dns_message_renderreset(soaquery);
 ddebug("retrying soa request without TSIG");
 
+ if (usevc) {
+ options |= DNS_REQUESTOPT_TCP;
+ if (!default_servers && use_tls) {
+ req_transport = transport;
+ req_tls_ctx_cache = tls_ctx_cache;
+ }
+ }
+
 if (isc_sockaddr_pf(addr) == AF_INET6) {
 srcaddr = localaddr6;
 } else {
@@ -2590,9 +2709,10 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 }
 
 result = dns_request_create(
- requestmgr, soaquery, srcaddr, addr, NULL, NULL, -1, 0,
- NULL, FIND_TIMEOUT * 20, FIND_TIMEOUT, 3, global_task,
- recvsoa, reqinfo, &request);
+ requestmgr, soaquery, srcaddr, addr, req_transport,
+ req_tls_ctx_cache, -1, options, NULL, FIND_TIMEOUT * 20,
+ FIND_TIMEOUT, 3, global_task, recvsoa, reqinfo,
+ &request);
 check_result(result, "dns_request_create");
 requests++;
 return;
@@ -2797,6 +2917,17 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
 isc_result_t result;
 nsu_requestinfo_t *reqinfo;
 isc_sockaddr_t *srcaddr;
+ unsigned int options = DNS_REQUESTOPT_CASE;
+ dns_transport_t *req_transport = NULL;
+ isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
+
+ if (usevc) {
+ options |= DNS_REQUESTOPT_TCP;
+ if (!default_servers && use_tls) {
+ req_transport = transport;
+ req_tls_ctx_cache = tls_ctx_cache;
+ }
+ }
 
 reqinfo = isc_mem_get(gmctx, sizeof(nsu_requestinfo_t));
 reqinfo->msg = msg;
@@ -2808,10 +2939,11 @@ sendrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
 srcaddr = localaddr4;
 }
 
- result = dns_request_create(
- requestmgr, msg, srcaddr, destaddr, NULL, NULL, -1, 0,
- default_servers ? NULL : tsigkey, FIND_TIMEOUT * 20,
- FIND_TIMEOUT, 3, global_task, recvsoa, reqinfo, request);
+ result = dns_request_create(requestmgr, msg, srcaddr, destaddr,
+ req_transport, req_tls_ctx_cache, -1,
+ options, default_servers ? NULL : tsigkey,
+ FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
+ global_task, recvsoa, reqinfo, request);
 check_result(result, "dns_request_create");
 requests++;
 }
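Review bot: Both dns_request_create() calls in these hunks previously passed `0` as the request options, so the SOA discovery queries went out over UDP even under `-v`; the new code passes `options`, which now carries `DNS_REQUESTOPT_TCP` whenever `usevc` is set, so plain `-v` (and every TLS option, since each of them also sets `usevc`) switches the SOA probes sent to the resolv.conf resolvers to TCP as well. That may well be intended, but it changes non-TLS behaviour and the commit message does not mention it; either keep the TCP bit in recvsoa() and sendrequest() tied to the TLS case, or add a comment above each `if (usevc)` saying that `-v` now applies to the SOA probes too. `DNS_REQUESTOPT_CASE` is newly applied to these queries as well, which is harmless but belongs in the same sentence. recvsoa() and sendrequest() both extend outside their hunks.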
@@ -2991,8 +3123,15 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
 dns_request_t **request, gss_ctx_id_t context) {
 isc_result_t result;
 nsu_gssinfo_t *reqinfo;
- unsigned int options = 0;
 isc_sockaddr_t *srcaddr;
+ unsigned int options = DNS_REQUESTOPT_CASE | DNS_REQUESTOPT_TCP;
+ dns_transport_t *req_transport = NULL;
+ isc_tlsctx_cache_t *req_tls_ctx_cache = NULL;
+
+ if (!default_servers && use_tls) {
+ req_transport = transport;
+ req_tls_ctx_cache = tls_ctx_cache;
+ }
 
 debug("send_gssrequest");
 REQUIRE(destaddr != NULL);
@@ -3002,18 +3141,16 @@ send_gssrequest(isc_sockaddr_t *destaddr, dns_message_t *msg,
 reqinfo->addr = destaddr;
 reqinfo->context = context;
 
- options |= DNS_REQUESTOPT_TCP;
-
 if (isc_sockaddr_pf(destaddr) == AF_INET6) {
 srcaddr = localaddr6;
 } else {
 srcaddr = localaddr4;
 }
 
- result = dns_request_create(requestmgr, msg, srcaddr, destaddr, NULL,
- NULL, -1, options, tsigkey,
- FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
- global_task, recvgss, reqinfo, request);
+ result = dns_request_create(
+ requestmgr, msg, srcaddr, destaddr, req_transport,
+ req_tls_ctx_cache, -1, options, tsigkey, FIND_TIMEOUT * 20,
+ FIND_TIMEOUT, 3, global_task, recvgss, reqinfo, request);
 check_result(result, "dns_request_create");
 if (debugging) {
 show_message(stdout, msg, "Outgoing update query:");
@@ -3271,6 +3408,14 @@ static void
 cleanup(void) {
 ddebug("cleanup()");
 
+ if (tls_ctx_cache != NULL) {
+ isc_tlsctx_cache_detach(&tls_ctx_cache);
+ }
+
+ if (transport_list != NULL) {
+ dns_transport_list_detach(&transport_list);
+ }
+
 LOCK(&answer_lock);
 if (answer != NULL) {
 dns_message_detach(&answer);
diff --git a/lib/dns/include/dns/transport.h b/lib/dns/include/dns/transport.h
index d3df43d6b8..e6499a97e7 100644
--- a/lib/dns/include/dns/transport.h
+++ b/lib/dns/include/dns/transport.h
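Review bot: cleanup() releases `tls_ctx_cache` and `transport_list` but never touches `transport`, the `dns_transport_t *` that setup_system() obtained from dns_transport_new(); whether that handle is owned by the list and freed with it, or is a separate reference the caller must drop, is not visible in this series, so please confirm against the dig code the commit says it models and, if a reference is held here, release it before `dns_transport_list_detach()`. In either case `transport = NULL;` after the list goes away would keep a later caller from dereferencing a dangling pointer. In send_gssrequest() folding `DNS_REQUESTOPT_TCP` into the initialiser and dropping the `options |= DNS_REQUESTOPT_TCP;` line is equivalent, but `DNS_REQUESTOPT_CASE` is new for GSS requests and deserves a word. send_gssrequest() and cleanup() both continue outside their hunks.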
@@ -62,9 +62,13 @@ dns_transport_get_tls_versions(const dns_transport_t *transport);
 bool
 dns_transport_get_prefer_server_ciphers(const dns_transport_t *transport,
 bool *preferp);
+bool
+dns_transport_get_always_verify_remote(dns_transport_t *transport);
 /*%<
 * Getter functions: return the type, cert file, key file, CA file,
- * hostname, HTTP endpoint, or HTTP mode (GET or POST) for 'transport'.
+ * hostname, HTTP endpoint, HTTP mode (GET or POST), ciphers, TLS name,
+ * TLS version, server ciphers preference mode, and always enabling
+ * authentication mode for 'transport'.
 *
 * dns_transport_get_prefer_server_ciphers() returns 'true' is value
 * was set, 'false' otherwise. The actual value is returned via
@@ -80,6 +84,13 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
 * Get the transport's TLS Context and the TLS Client Session Cache associated
 * with it.
 *
+ * When neither the TLS hostname, nor the TLS certificates authorities (CA)
+ * file are set for the 'transport', then Opportunistic TLS (no authentication
+ * of the remote peer) will be used, unless the 'always_verify_remote' mode is
+ * enabled on the 'transport', in which case the remote peer will be
+ * authenticated by its IP address using the system's default certificates
+ * authorities store.
+ *
 * Requires:
 *\li 'transport' is a valid, 'DNS_TRANSPORT_TLS' type transport.
 *\li 'peer' is not NULL.
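Review bot: The new getter `dns_transport_get_always_verify_remote(dns_transport_t *transport)` takes a non-const pointer while the neighbouring getters in this hunk, `dns_transport_get_tls_versions()` and `dns_transport_get_prefer_server_ciphers()`, take `const dns_transport_t *`; the definition in lib/dns/transport.c only reads `transport->tls.always_verify_remote`, so declare it `bool dns_transport_get_always_verify_remote(const dns_transport_t *transport);` here and in the definition. The updated summary comment, "... server ciphers preference mode, and always enabling authentication mode for 'transport'", is hard to parse; "... server ciphers preference, and whether the remote peer is always authenticated (always_verify_remote)" says the same thing plainly and fits both the getter block here and the setter block in the next hunk.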
@@ -113,9 +124,14 @@ dns_transport_set_tls_versions(dns_transport_t *transport,
 void
 dns_transport_set_prefer_server_ciphers(dns_transport_t *transport,
 const bool prefer);
+void
+dns_transport_set_always_verify_remote(dns_transport_t *transport,
+ const bool always_verify_remote);
 /*%<
 * Setter functions: set the type, cert file, key file, CA file,
- * hostname, HTTP endpoint, or HTTP mode (GET or POST) for 'transport'.
+ * hostname, HTTP endpoint, HTTP mode (GET or POST), ciphers, TLS name,
+ * TLS version, server ciphers preference mode, and always enabling
+ * authentication mode for 'transport'.
 *
 * Requires:
 *\li 'transport' is valid.
diff --git a/lib/dns/transport.c b/lib/dns/transport.c
index 8e0a8f6661..33c7ba8afb 100644
--- a/lib/dns/transport.c
+++ b/lib/dns/transport.c
@@ -56,6 +56,7 @@ struct dns_transport {
 char *ciphers;
 uint32_t protocol_versions;
 ternary_t prefer_server_ciphers;
+ bool always_verify_remote;
 } tls;
 struct {
 char *endpoint;
@@ -334,6 +335,25 @@ dns_transport_get_prefer_server_ciphers(const dns_transport_t *transport,
 return false;
 }
 
+void
+dns_transport_set_always_verify_remote(dns_transport_t *transport,
+ const bool always_verify_remote) {
+ REQUIRE(VALID_TRANSPORT(transport));
+ REQUIRE(transport->type == DNS_TRANSPORT_TLS ||
+ transport->type == DNS_TRANSPORT_HTTP);
+
+ transport->tls.always_verify_remote = always_verify_remote;
+}
+
+bool
+dns_transport_get_always_verify_remote(dns_transport_t *transport) {
+ REQUIRE(VALID_TRANSPORT(transport));
+ REQUIRE(transport->type == DNS_TRANSPORT_TLS ||
+ transport->type == DNS_TRANSPORT_HTTP);
+
+ return transport->tls.always_verify_remote;
+}
+
 isc_result_t
 dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
 isc_tlsctx_cache_t *tlsctx_cache, isc_mem_t *mctx,
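Review bot: The new `always_verify_remote` field in `struct dns_transport` has no comment, and nothing in this series sets its initial value for a freshly created transport; if dns_transport_new() zero-fills the structure the default is `false`, i.e. opportunistic TLS unless a hostname or CA file is given, which is what existing callers presumably rely on — please confirm, since a non-zeroing allocation would make every existing TLS transport strict. A field comment would pin the contract down: `bool always_verify_remote; /* authenticate the peer even when no hostname/CA file is set (default: false) */`. The setter and getter REQUIRE a TLS or HTTP transport like their siblings, but the getter's non-const `transport` parameter is the same inconsistency raised on the header.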
@@ -378,6 +398,8 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
 const char *ca_file = dns_transport_get_cafile(transport);
 const char *cert_file = dns_transport_get_certfile(transport);
 const char *key_file = dns_transport_get_keyfile(transport);
+ const bool always_verify_remote =
+ dns_transport_get_always_verify_remote(transport);
 char peer_addr_str[INET6_ADDRSTRLEN] = { 0 };
 isc_netaddr_t peer_netaddr = { 0 };
 bool hostname_ignore_subject;
@@ -406,7 +428,8 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
 prefer_server_ciphers);
 }
 
- if (hostname != NULL || ca_file != NULL) {
+ if (always_verify_remote || hostname != NULL || ca_file != NULL)
+ {
 /*
 * The situation when 'found_store != NULL' while
 * 'found == NULL' may occur as there is a one-to-many
@@ -433,12 +456,9 @@ dns_transport_get_tlsctx(dns_transport_t *transport, const isc_sockaddr_t *peer,
 INSIST(store != NULL);
 if (hostname == NULL) {
 /*
- * If CA bundle file is specified, but
- * hostname is not, then use the peer
- * IP address for validation, just like
- * dig does.
+ * If hostname is not specified, then use the
+ * peer IP address for validation.
 */
- INSIST(ca_file != NULL);
 isc_netaddr_fromsockaddr(&peer_netaddr, peer);
 isc_netaddr_format(&peer_netaddr, peer_addr_str,
 sizeof(peer_addr_str));
From 60f1a73754351cd0b7cc071b2822792eb9bfc88e Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 21 Sep 2022 08:25:52 +0000 Subject: [PATCH 2/6] Fix a typo in doth system test's CA.cfg The comments in CA.cfg file serve as a good tutorial for setting up a simple PKI for a system test. There is a typo in one of the presented commands, which results in openssl not exiting with an error message instead of generating a certificate. Fix the typo. --- bin/tests/system/doth/CA/CA.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
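Review bot: The replaced comment in the `if (hostname == NULL)` branch no longer says what the verification depends on: with `always_verify_remote` set and neither a hostname nor a CA file, the peer is checked by IP address against whatever store `store` resolved to (the system default store, according to the transport.h text in this series), and that check can only succeed if the server certificate carries a matching IP subjectAltName — the test PKI added later in this series issues certificates with `IP Address:10.53.0.1` for that reason. Suggest `/* No hostname to match: verify the peer by its IP address instead. The certificate must carry a matching IP subjectAltName; the trust store is 'ca_file' or, when that is unset, the system default. */`. The removed `INSIST(ca_file != NULL)` was the only assertion that this branch had something to verify against; since the widened condition `if (always_verify_remote || hostname != NULL || ca_file != NULL)` guarantees one of the three, `INSIST(always_verify_remote || ca_file != NULL);` would keep the invariant explicit. dns_transport_get_tlsctx() extends outside the hunk.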
diff --git a/bin/tests/system/doth/CA/CA.cfg b/bin/tests/system/doth/CA/CA.cfg
index 97ea088bbb..dcdff1f136 100644
--- a/bin/tests/system/doth/CA/CA.cfg
+++ b/bin/tests/system/doth/CA/CA.cfg
@@ -5,7 +5,7 @@
 # xxd -l 8 -u -ps /dev/urandom > ./serial
 # 2. Create the new certificate request (e.g. for foo.example.com):
 # openssl req -config ./CA.cfg -new -subj "/CN=foo.example.com" \
-# -addext "subjectAltName=DNS:foo.example.com,IP=X.X.X.X" \
+# -addext "subjectAltName=DNS:foo.example.com,IP:X.X.X.X" \
 # -newkey rsa -keyout ./certs/foo.example.com.key \
 # -out ./certs/foo.example.com.csr
 #
From f2bb80d6ae172f6fd7943bf913d1b0566b5df352 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan Date: Wed, 21 Sep 2022 13:15:50 +0000 Subject: [PATCH 3/6] Extend the nsupdate system test with DoT-related checks Add a simple test PKI based on the existing one in the doth test. Check ephemeral, forward-secrecy, and forward-secrecy-mutual-tls TLS configurations with different scenarios. --- .reuse/dep5 | 5 + bin/tests/system/nsupdate/.gitignore | 5 + bin/tests/system/nsupdate/CA/CA-other.pem | 26 ++ bin/tests/system/nsupdate/CA/CA.cfg | 77 ++++ bin/tests/system/nsupdate/CA/CA.pem | 29 ++ bin/tests/system/nsupdate/CA/README | 2 + .../CA/certs/srv01.client01.example.nil.key | 40 ++ .../CA/certs/srv01.client01.example.nil.pem | 93 +++++ .../srv01.client02-expired.example.nil.key | 40 ++ .../srv01.client02-expired.example.nil.pem | 93 +++++ .../CA/certs/srv01.crt01.example.nil.key | 40 ++ .../CA/certs/srv01.crt01.example.nil.pem | 93 +++++ .../certs/srv01.crt02-expired.example.nil.key | 40 ++ .../certs/srv01.crt02-expired.example.nil.pem | 93 +++++ bin/tests/system/nsupdate/CA/index.txt | 4 + bin/tests/system/nsupdate/CA/index.txt.attr | 1 + .../nsupdate/CA/newcerts/70B9F4EB2FA19598.pem | 93 +++++ .../nsupdate/CA/newcerts/70B9F4EB2FA19599.pem | 93 +++++ .../nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem | 93 +++++ .../nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem | 93 +++++ .../system/nsupdate/CA/private/CA-other.key | 39 ++ bin/tests/system/nsupdate/CA/private/CA.key | 39 ++ bin/tests/system/nsupdate/CA/serial | 1 + bin/tests/system/nsupdate/dhparam3072.pem | 11 + bin/tests/system/nsupdate/ns1/named.conf.in | 34 ++ bin/tests/system/nsupdate/ns10/named.conf.in | 2 + bin/tests/system/nsupdate/tests.sh | 359 ++++++++++++++---- 27 files changed, 1455 insertions(+), 83 deletions(-) create mode 100644 bin/tests/system/nsupdate/.gitignore create mode 100644 bin/tests/system/nsupdate/CA/CA-other.pem create mode 100644 bin/tests/system/nsupdate/CA/CA.cfg create mode 100644 bin/tests/system/nsupdate/CA/CA.pem create mode 100644 bin/tests/system/nsupdate/CA/README 
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key
create mode 100644 bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem
create mode 100644 bin/tests/system/nsupdate/CA/index.txt
create mode 100644 bin/tests/system/nsupdate/CA/index.txt.attr
create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem
create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem
create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem
create mode 100644 bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem
create mode 100644 bin/tests/system/nsupdate/CA/private/CA-other.key
create mode 100644 bin/tests/system/nsupdate/CA/private/CA.key
create mode 100644 bin/tests/system/nsupdate/CA/serial
create mode 100644 bin/tests/system/nsupdate/dhparam3072.pem
diff --git a/.reuse/dep5 b/.reuse/dep5
index d9dec6a5cb..aa3e428416 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -49,6 +49,11 @@ Files: **/*.after*
 bin/tests/system/keepalive/expected
 bin/tests/system/legacy/ns6/edns512.db.signed
 bin/tests/system/legacy/ns7/edns512-notcp.db.signed
+ bin/tests/system/nsupdate/CA/CA.cfg
+ bin/tests/system/nsupdate/CA/README
+ bin/tests/system/nsupdate/CA/index.txt
+ bin/tests/system/nsupdate/CA/index.txt.attr
+ bin/tests/system/nsupdate/CA/serial
 bin/tests/system/nsupdate/commandlist
 bin/tests/system/nsupdate/verylarge.in
 bin/tests/system/org.isc.bind.system.plist
diff --git a/bin/tests/system/nsupdate/.gitignore b/bin/tests/system/nsupdate/.gitignore
new file mode 100644
index 0000000000..df5fe68d5d
--- /dev/null
+++ b/bin/tests/system/nsupdate/.gitignore
@@ -0,0 +1,5 @@
+# temporary files generated by "openssl ca"
+/CA/*.old
+# there is little point in keeping the certificate requests
+# for the issued certificates
+/CA/certs/*.csr
diff --git a/bin/tests/system/nsupdate/CA/CA-other.pem b/bin/tests/system/nsupdate/CA/CA-other.pem
new file mode 100644
index 0000000000..6bdbedacbf
--- /dev/null
+++ b/bin/tests/system/nsupdate/CA/CA-other.pem
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEZTCCAs0CFDYlin3oeYDu16bFItl9tGZz1Ra4MA0GCSqGSIb3DQEBCwUAMG4x +CzAJBgNVBAYTAlVBMRcwFQYDVQQIDA5LaGFya2l2IE9ibGFzdDEQMA4GA1UEBwwH +S2hhcmtpdjEMMAoGA1UECgwDSVNDMSYwJAYDVQQLDB1Tb2Z0d2FyZSBFbmdlbmVl +cmluZyAoQklORCA5KTAgFw0yMjA5MDcyMTIzNTBaGA8yMDUyMDgzMDIxMjM1MFow +bjELMAkGA1UEBhMCVUExFzAVBgNVBAgMDktoYXJraXYgT2JsYXN0MRAwDgYDVQQH +DAdLaGFya2l2MQwwCgYDVQQKDANJU0MxJjAkBgNVBAsMHVNvZnR3YXJlIEVuZ2Vu +ZWVyaW5nIChCSU5EIDkpMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA +10Xj8dH8/XCfUvhdL/S3E10TnrYY8IIDBmU0lkUR5IHwgP9IYVyR/0Mibg79FAs+ +rvuEDifUK+6wvkpj+BXNVZCspo9/u3cl7dqrLH+1SeUs50OeQnbbTrBl0PuNwvzE +kbk7xwLlVDOyRmmvY/EEu7WkitQZgXSAYgttrk62CuJUQUmwUTX5Jxndsjydk/zW +/DiulTsX+zv8kG5NiwpXCfL6QxBoMZNI4fUmDL3bX1XfHaFA+45GT2lHu07xc+cV +eZIRCo0Nk+fIO53lDol8mmR8/5vna27gRnqEUSU7MZAMG6QBXkotnq3rHnrI/ku6 +dCJW4tbWV/ANQ+TG17g2tygzC/smqTuLqavyP9V5cRrdU9awEqwvy8uVbGkTmUZd +tjkGWCcmBSWJvkH3MRJmijS7rDcb8m/g9+xKe79V1c8durGWvcfMRZZhWaoHyhnH +g9+JLUCC3EUCp/1206w5vTXEQNpqi9Z3AZfgboPzJyji4OeYfcQ5eaIZ3OuIpyQz +AgMBAAEwDQYJKoZIhvcNAQELBQADggGBAKdQkmmyUqcE1by7AeHoxkqFgqUeSAlh +flXi5DD+j5+Op2GAUrx84LGy4+heKEwAkV5Cw2c9IMHmDDMnGe/g4FjBS+dTZsTs +JRXXDR7t20eWiBpvO/3IMqVpPq9CAQY1L9PYAVuVM5cwdzsJXdH82z2BZ3Ttg3GX +NPnybxzD/auC051vqEp28Jzbswd4c3VvTmRnYY7rYNNKnLD7812BIp7lnE6s5X2D +y0PPSYdhscTqfJV0+GDF5hUduOFX1xTcPlXaXfyKLLelqtrw40p3ynww9v/J4mwt +FBV+a8gguM7tCZMoV/VJZghObglV/wpokAQchL/pnxL7+U8JklRqaU4DlxyGZ+K4 +QlR5mJe19ZlkgHePk1MbwNZaTXjaOFirYmZzs4YynOp3iBHrW3CYY3kVlrUpKP08 +o101hce32VxkyST6i5W24MU02O/wuPdyQpN+rJjYv32Axsrh/ePkI5qKew9eZ63i +WzNb7BW1LrHrQ/lXoJ3ekRQd10UX3xhk/w== +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/CA.cfg b/bin/tests/system/nsupdate/CA/CA.cfg new file mode 100644 index 0000000000..1a3ed65f67 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/CA.cfg 
@@ -0,0 +1,77 @@
+# See ../../doth/CA/ca.cfg for more information
+
+# certificate authority configuration
+[ca]
+default_ca = CA_default # The default ca section
+
+[CA_default]
+dir = .
+new_certs_dir = $dir/newcerts # new certs dir (must be created)
+certificate = $dir/CA.pem # The CA cert
+private_key = $dir/private/CA.key # CA private key
+
+serial = $dir/serial # serial number file for the next certificate
+ # Update before issuing it:
+ # xxd -l 8 -u -ps /dev/urandom > ./serial
+database = $dir/index.txt # (must be created manually: touch ./index.txt)
+
+default_days = 1 # how long to certify for
+
+#default_crl_days = 30 # the number of days before the
+default_crl_days = 10950 # next CRL is due. That is the
+ # days from now to place in the
+ # CRL nextUpdate field. If CRL
+ # is expired, certificate
+ # verifications will fail even
+ # for otherwise valid
+ # certificates. Clients might
+ # cache the CRL, so the expiry
+ # period should normally be
+ # relatively short (default:
+ # 30) for production CAs.
+
+default_md = sha256 # digest to use
+
+policy = policy_default # default policy
+email_in_dn = no # Don't add the email into cert DN
+
+name_opt = ca_default # Subject name display option
+cert_opt = ca_default # Certificate display option
+
+# We need the following in order to copy Subject Alt Name(s) from a
+# request to the certificate.
+copy_extensions = copy # copy extensions from request
+
+[policy_default]
+countryName = optional
+stateOrProvinceName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# default certificate requests settings
+[req]
+# Options for the `req` tool (`man req`).
+default_bits = 3072 # for RSA only
+distinguished_name = req_default
+string_mask = utf8only
+# SHA-1 is deprecated, so use SHA-256 instead.
+default_md = sha256
+# do not encrypt the private key file
+encrypt_key = no
+
+[req_default]
+# See .
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (e.g., city)
+0.organizationName = Organization Name (e.g., company)
+organizationalUnitName = Organizational Unit Name (e.g. department)
+commonName = Common Name (e.g. server FQDN or YOUR name)
+emailAddress = Email Address
+# defaults
+countryName_default = UA
+stateOrProvinceName_default = Kharkiv Oblast
+localityName_default = Kharkiv
+0.organizationName_default = ISC
+organizationalUnitName_default = Software Engeneering (BIND 9)
diff --git a/bin/tests/system/nsupdate/CA/CA.pem b/bin/tests/system/nsupdate/CA/CA.pem
new file mode 100644
index 0000000000..1f725dbb8a
--- /dev/null
+++ b/bin/tests/system/nsupdate/CA/CA.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIE3TCCA0WgAwIBAgIUeZPKrvbGEBZaRc2jNczlIsJXyPYwDQYJKoZIhvcNAQEL +BQAwfTELMAkGA1UEBhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4G +A1UEBwwHS2hhcmtpdjEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0 +aXVtMRwwGgYDVQQDDBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDEyNDEyNDA1 +NFoYDzIwNTIwMTE3MTI0MDU0WjB9MQswCQYDVQQGEwJVQTEYMBYGA1UECAwPS2hh +cmtpdiBPYmxhc3QnMRAwDgYDVQQHDAdLaGFya2l2MSQwIgYDVQQKDBtJbnRlcm5l +dCBTeXN0ZW1zIENvbnNvcnRpdW0xHDAaBgNVBAMME2NhLnRlc3QuZXhhbXBsZS5j +b20wggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCi6hEegBzpUKbE1NTo +Z7uz7EMUY7TBckkiw/7ydTLKNa8YI4JpBguFvWQsDY0dGFJIoVwyHyNx3seW/LoI +B5zWPZ2xbOvLLceA+t2NZpbc98E7jUOVS123yED+nqlfZjCq9Zt0r/ezwnQtjnFF +ko1mcU4H9Jvg8aIgnU2AxE78zciU9CY8799pFFNThIjbooI8oVbfjbzbpmLzxjA5 +3rDmZBTh+ySTlMa2U2oT4WPjRltZWnJVegRRLpG95GnTbQ1fkJAbj1Iu10XTkCee +wBOqaA1UJem0a6pby5odE414Y7c0ETKcmaJtYENQyO0IJwZWDKtVe5OTIAklakia +eyFTCAw1h5tHCYLaJW/Yu2wlLl5RNQcRZ9+cWXnldTY+TI1iBjfmADjLdKJYUlhX +z7kWJtTi63Sdv6WYcEXxaWpxT+R3e2kaR/R7GOo4gdkWpX1siGlRteHHH2/36CSQ +ZD2etcTUpGW+KDHFR4grnEfL1rt9UgvCjpa4KcssmZtWSSUCAwEAAaNTMFEwHQYD +VR0OBBYEFHyJ6Fzr5R9ySATFj/uSCJz1YCY5MB8GA1UdIwQYMBaAFHyJ6Fzr5R9y +SATFj/uSCJz1YCY5MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGB +AF3y0hvzyZWtmuG1JwIcOcc1aPl1KdRy8bao/5iHYGYYrsdDgcO5/e+y9S/izalc +TdW7SKB5iBOCiE8fBNtToCvGP+fxNxHijpAmTr37G5sWuSo1T1VYFizHWL+df/Ig +TcSvDrEjSnAwaEdNJUWtjoIC4VzNKTLtZf16QIATTzTZa3bfgSetpWS7LhLQbHod +CSGI2QB1LRbqGC+a1Y85QxHv81jWzPWPzXYvnOLrDdQyBMOBcxDzrN4b6zg+5Itz +qGYt+IS71jAH0IhxAyD/U5n1jGJv02BnSq0ynLEOD6gsnZjqAwPbt/PM9pGbtbXO +70Q9rxr+vQc1IISKAEiH3txaEPi10wU98d6LbInJvQrmgHo/ntet8skWNYuxlEzS +wvynuE9KvvQtOTodWt5AePtKrhHdxu527a4CHVp59nYUjKSdMKjvmhMRXM1cNjFE +rA/pyyhozR47w3RzHMJVHw2GJ2B/HeqmxpXr1CmJjoRP38QCR7N+mqiZy85Fq2j2 +8Q== +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/README b/bin/tests/system/nsupdate/CA/README new file mode 100644 index 0000000000..13069ca2f8 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/README 
@@ -0,0 +1,2 @@
+Please take a look at the contents of the CA.cfg file for further
+instructions and configurations options.
diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key
new file mode 100644
index 0000000000..5e3420eda2
--- /dev/null
+++ b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.key
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCrYC6cYeOJxlIr +vOnhBf0YZUIg9lYWQDPSy5/37yJUp8lVcMpS8OKiWDh/EK0rBeARtmkhfy04Vt3V +5PPepzI19zMqUoCut9Z8NXTDDIrDOhhhaHNiWFb/eCVXHHu+mIgh3RyKE6WaUkiY +2T3EKKZ+mxFWfs4Ju1GJiqgbALVzK0GTsWJAMCnq9qPnvPDpngcrrqmgHU3Z+BhN +g0dOaO5XyFUVhjxtHvUx8d7Pwn5rjiJaxXav0AHeq3oDspYzzKAmrt7EvXaFlseI +5Ea8P8ZUyZWDh5xJDTHdxBdSmeRlSZud863OZghX9IO+XofaQloBKm1o0Y042Riu +Xi5UcosBRZav9aPQKV0ii7TUMK8CNsUt6SnrLOpqfiezcPyHHyvEsTqmwum3wm9G +Y7eWLlPYt83D9LVtsvxXSayfmMn+tPV8k0guk9zpGFRjXxij5xKq/jjwc+UXHv5A +ZYGoj2BGwhbyqJ2xG7zOBd43sqiGR72Nkt7g5UKJuOP4sSQIfpkCAwEAAQKCAYEA +i3PT2fsp3cXcvayXID3wSvayzgHF4YtS4FhEDsuvwvVZtsX2TXGo6fQh3Pvj/dtl +DuTBPbmwQWUmVNRewbKKADHsl6bVAdekmCQjpEhDbkOK7VDCe6do+693qyAJbfnO +5Md5Xr5IBoCohIBaa5Gskd97R0gePvsHiYWj730vKc1sKlOwoIzQv1r92yf7Xg7y +xM/3RcwyuojQtdp6nspyEEp7Oe2mpCEJ4x9vcN5SYxEg0X5Xaw83RkuBGRsscHA0 +GN+4eJ59Ld1R9uktLYvUA06ZdoAVZyblE4xxjk2vueE3K2/kT2ooKHVWulGI+PnF +2xYedZsZkgwLbXcEhPXBo3vMTjzRlePh668ULi9B6ntMjWpCSCvGnz142Uwatfq0 +PeasBVgRngu9Wg+smkA4kHnDi7ih3zpLh6sTcOKL7F1cBgvtjgIyzZDp9eJUEfVH +G/89mTCswhqV1WtQ3n9zbYVbSK9vaAxCrfK50pG+IfHXG9EqnrQPzKsRxNsDpN91 +AoHBANeNLQb3gSk6sBg53smh9oFUEwwgAjHY31ZOOInO4X7udXrtRcON6SCkZjaD +6y1N3Orjama6mr+/eHxJeDEbWBB7INOsaqHewoQF8qaOa7HHmCbXcUIlAQFvaE6e +Qd5e+YHLmbYZbkPfntqWmXuSmk7hUxjnPPOv1P9sgv/3b4TJQJ4FEJasKpWgIOAy +3g8UrjtbI3ITSo3SKCei3wvOCzIdnzwgcHY420jU1yU/oDzN07D4K0iODAbasUl1 +ZH5UvwKBwQDLiNual2aCUtjKAoRLnGDtP6LOYV3eXchBrywIj2tNAMlD7TXbjG04 +Le+I9O+azRorvXQ2WBBIYzka1JozK8WTsxkQYRd9AEy2AsQgPlK5hfy3xcGxSscC +vdxSdQQQ/ASKHHbCTKhDhnA2b2fvLhWxZqsbSO4hSmvjXrSUpGrAABFipK9VqS6Y +Sg6uEo1AlTrwsGW66LHpFeG6YQ0uj4sF0x5mzH7R50And30lVg8DjJASdClzOIWJ +WV+3opbgSqcCgcEAvGGJhJkyrJG57LJG3vlJsmWD8AjZYi8joQ3jo6zGrmRBEBnl +6q5PnFORcPuBwapW9IGkL/vN2t6/sf+Tp3c6U80IN3ZsCuPgI/n+w0mdHVZOx0Nq +nGAyrMps4qi08F8YuDL0N42qLG93KZqMsM7DRUTvlsghIOf+wuxW4NWjBO3OJ0xN +3yDAZtv3X3mVUKDGVOGl7MCnW6LbrShOvsZoSnhQ/f9ryiaOnuxEyyz8IafQ5s09 
+Jr/eCu9+GbEbDr2JAoHAXUZg7Z3IupzhAOLaYhROTyvEnrP8YrWz2nY+xcWENQvR +MLH65pyaSQ60IZ2uWND512XBZk5BWAsw1lzsNdsvdpqzN9BnBUAn55mo6+Xj32XK +BSY5t9g/D8CWwasiq+3y3qBgxHaA/kEUF75CcVg7VMtqStzHVLZYbyCtvRkEWu0t +CnnSaH1Z/yyhQaD63sgE9NzCIkAVmG4QvmtPsTDTU14HJrE8xVEnE28tCPlBdCzs +sahOfqE+gU1WEkAOyMctAoHAASVc1KFfBI48tM+cr8vDt1QklVgnKn44DL6HF5tp +iA8/xhB2fHKq6a+xuGxubXo7jo0KbKyYXPFyE5MDrzIDKp0GLUr7WtaunNVMKbKs +B/2YSw+PELoIc5GpiH4lqP5iFYyHKmJighou4oxLcjMlHpRWUERPdxA+L6zggPyJ +56PX2tcezcCZMVm65VpHsX3CqEQyWnFDCt0zclRNFWPKCENsl10emenBZVnxb8fc +smxv7aRpgoWBRa5vinKvOv2T +-----END PRIVATE KEY----- diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem new file mode 100644 index 0000000000..f546d35e7d --- /dev/null +++ b/bin/tests/system/nsupdate/CA/certs/srv01.client01.example.nil.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010842 (0x70b9f4eb2fa1959a) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 8 08:20:17 2022 GMT + Not After : Aug 31 08:20:17 2052 GMT + Subject: CN=srv01.client01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:ab:60:2e:9c:61:e3:89:c6:52:2b:bc:e9:e1:05: + fd:18:65:42:20:f6:56:16:40:33:d2:cb:9f:f7:ef: + 22:54:a7:c9:55:70:ca:52:f0:e2:a2:58:38:7f:10: + ad:2b:05:e0:11:b6:69:21:7f:2d:38:56:dd:d5:e4: + f3:de:a7:32:35:f7:33:2a:52:80:ae:b7:d6:7c:35: + 74:c3:0c:8a:c3:3a:18:61:68:73:62:58:56:ff:78: + 25:57:1c:7b:be:98:88:21:dd:1c:8a:13:a5:9a:52: + 48:98:d9:3d:c4:28:a6:7e:9b:11:56:7e:ce:09:bb: + 51:89:8a:a8:1b:00:b5:73:2b:41:93:b1:62:40:30: + 29:ea:f6:a3:e7:bc:f0:e9:9e:07:2b:ae:a9:a0:1d: + 4d:d9:f8:18:4d:83:47:4e:68:ee:57:c8:55:15:86: + 3c:6d:1e:f5:31:f1:de:cf:c2:7e:6b:8e:22:5a:c5: + 76:af:d0:01:de:ab:7a:03:b2:96:33:cc:a0:26:ae: + de:c4:bd:76:85:96:c7:88:e4:46:bc:3f:c6:54:c9: + 95:83:87:9c:49:0d:31:dd:c4:17:52:99:e4:65:49: + 9b:9d:f3:ad:ce:66:08:57:f4:83:be:5e:87:da:42: + 5a:01:2a:6d:68:d1:8d:38:d9:18:ae:5e:2e:54:72: + 8b:01:45:96:af:f5:a3:d0:29:5d:22:8b:b4:d4:30: + af:02:36:c5:2d:e9:29:eb:2c:ea:6a:7e:27:b3:70: + fc:87:1f:2b:c4:b1:3a:a6:c2:e9:b7:c2:6f:46:63: + b7:96:2e:53:d8:b7:cd:c3:f4:b5:6d:b2:fc:57:49: + ac:9f:98:c9:fe:b4:f5:7c:93:48:2e:93:dc:e9:18: + 54:63:5f:18:a3:e7:12:aa:fe:38:f0:73:e5:17:1e: + fe:40:65:81:a8:8f:60:46:c2:16:f2:a8:9d:b1:1b: + bc:ce:05:de:37:b2:a8:86:47:bd:8d:92:de:e0:e5: + 42:89:b8:e3:f8:b1:24:08:7e:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client01.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f: + 
5c:b3:47:da:bf:fa:9c:b6:de:c0:ef:38:f7:cc:d9:8d:71:ba: + 51:89:e5:48:36:dd:e1:f8:73:9d:92:80:1c:42:30:69:4f:8c: + 19:5d:f7:1d:03:e4:f2:76:e0:58:7b:c2:76:c4:0a:7e:20:69: + 26:6c:3e:cb:31:45:93:1d:07:5f:45:44:8e:5a:fb:87:17:7b: + 4d:5c:bf:37:bd:5e:ba:5c:22:84:bf:26:21:4a:c4:e9:f9:cb: + 73:de:fc:62:04:96:ad:aa:fd:89:09:5c:74:d6:bd:5f:07:17: + ef:9c:3d:ee:b7:dc:08:11:7f:12:66:ab:c4:ff:43:6d:7f:1e: + 01:b6:d1:19:73:53:18:e4:02:b0:7c:9e:99:63:d8:57:dd:07: + 79:fb:83:39:09:de:76:6e:68:b7:87:81:13:b8:26:e5:1c:c9: + a0:23:e5:97:39:ff:93:c7:8d:08:d8:ce:97:34:fc:ad:22:14: + 89:c0:ae:83:7d:0a:3f:cf:a0:9b:b4:6a:5c:b3:6d:5d:3b:88: + ca:1e:9b:99:54:64:57:58:3c:4c:bd:26:ee:11:c3:13:0b:1d: + f5:fd:d9:37:b0:31:72:6f:1d:e8:ba:43:37:46:f7:71:fe:6d: + 4a:30:33:29:c5:7b:37:8b:7e:06:22:89:a4:46:36:f0:fe:c6: + f5:f0:53:04:c0:35:52:78:6e:10:24:3a:d8:bf:7b:13:2f:98: + bc:69:31:41:68:02:5a:c4:f9:11:a2:6b:3f:c8:e0:d4:b3:80: + af:d2:be:fe:28:70:61:18:ed:8a:de:c4:cb:da:c9:60:94:91: + 76:63:69:8c:6e:96:f5:ba:e7:be:1e:1c:c3:84:b1:8d:e8:31: + f7:66:8c:0d:da:a8:78:57:19:fd:a0:8d:fa:9a:7e:51:1c:d1: + d0:84:07:a2:45:40:2d:c4:6b:e9:9f:86:4a:08:20:8f:9c:79: + 97:e3:7f:2a:14:73 +-----BEGIN CERTIFICATE----- +MIIEVTCCAr2gAwIBAgIIcLn06y+hlZowDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwODA4MjAxN1oYDzIwNTIwODMx +MDgyMDE3WjAlMSMwIQYDVQQDDBpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbDCC +AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKtgLpxh44nGUiu86eEF/Rhl +QiD2VhZAM9LLn/fvIlSnyVVwylLw4qJYOH8QrSsF4BG2aSF/LThW3dXk896nMjX3 +MypSgK631nw1dMMMisM6GGFoc2JYVv94JVcce76YiCHdHIoTpZpSSJjZPcQopn6b +EVZ+zgm7UYmKqBsAtXMrQZOxYkAwKer2o+e88OmeByuuqaAdTdn4GE2DR05o7lfI +VRWGPG0e9THx3s/CfmuOIlrFdq/QAd6regOyljPMoCau3sS9doWWx4jkRrw/xlTJ +lYOHnEkNMd3EF1KZ5GVJm53zrc5mCFf0g75eh9pCWgEqbWjRjTjZGK5eLlRyiwFF +lq/1o9ApXSKLtNQwrwI2xS3pKess6mp+J7Nw/IcfK8SxOqbC6bfCb0Zjt5YuU9i3 
+zcP0tW2y/FdJrJ+Yyf609XyTSC6T3OkYVGNfGKPnEqr+OPBz5Rce/kBlgaiPYEbC +FvKonbEbvM4F3jeyqIZHvY2S3uDlQom44/ixJAh+mQIDAQABoy8wLTArBgNVHREE +JDAighpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0B +AQsFAAOCAYEAB5dpURJQauECoLDck3UWxDgPXLNH2r/6nLbewO8498zZjXG6UYnl +SDbd4fhznZKAHEIwaU+MGV33HQPk8nbgWHvCdsQKfiBpJmw+yzFFkx0HX0VEjlr7 +hxd7TVy/N71eulwihL8mIUrE6fnLc978YgSWrar9iQlcdNa9XwcX75w97rfcCBF/ +EmarxP9DbX8eAbbRGXNTGOQCsHyemWPYV90HefuDOQnedm5ot4eBE7gm5RzJoCPl +lzn/k8eNCNjOlzT8rSIUicCug30KP8+gm7RqXLNtXTuIyh6bmVRkV1g8TL0m7hHD +Ewsd9f3ZN7Axcm8d6LpDN0b3cf5tSjAzKcV7N4t+BiKJpEY28P7G9fBTBMA1Unhu +ECQ62L97Ey+YvGkxQWgCWsT5EaJrP8jg1LOAr9K+/ihwYRjtit7Ey9rJYJSRdmNp +jG6W9brnvh4cw4Sxjegx92aMDdqoeFcZ/aCN+pp+URzR0IQHokVALcRr6Z+GSggg +j5x5l+N/KhRz +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key new file mode 100644 index 0000000000..d8f68ac3eb --- /dev/null +++ b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.key 
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/wIBADANBgkqhkiG9w0BAQEFAASCBukwggblAgEAAoIBgQDAEScXJTqthaA7 +WQsiZGN9uwUyNU9o1RkrzUa94rZCjAjPCQ2ozVjZG3fbF4r88FXy4VD0/ZCqSRVd +6ptaR8QvggdGh/YF7xUCpDyh2vxbdTYS9xJQVfi+DH0hkeKS2EE/cf6yF8BoHQm+ +/MQk7O/SXFKpT9ZdMLiraC456YtbxvBkQve4vbKQMiJovDhwLxSuyHxjBNURsgrx +jhMQsjtp9P464vFYViiTwSiqpxnJkRJD+PUdNFg9Mp8RZ9EfU9Tg1Qx4LG84P+GJ +abUJPBL0qe7lL8VHZaaC+up4SDGJEbYjiiftfB1t6KugKd5A9PKbYSLanCIy9z34 +TOE4p+LDr6Rnf5Sk/VIliU30mtY1upgg8UvJpc+sclgqzTtKPukEMeKadDLVUmA0 +rQyFAmVYQXQqV5E0VTapFFtFzCgn1226VaPdnwAEpEPCr1yvhlOm1adJqjHWXpJ9 +Jt2N9IeKm0joJfTHNMrP4/eEGTtDx2q42m5vha+NDPt86sdznJsCAwEAAQKCAYBv +D3wTHiv3+rTUnICbuoDtSx+OENWCQPb1JRYq5tWNVXwie5GycktV/1QnFE4CRNbu +QuuVPqpQTUJVtDtw0N7Yuc+LMUNJ2x3DEUUeMoqKOBS0krm8SnozKvWQW9MwJmxU +S46DXMida20fSvoAgCGM+mWyEcBa0rl2JB/WzP0QbNDEqRSldsuyJctP1Mat2AuV +pciHWVv7h4BcfVL47Jb+hfQcCO6Vrfx4s9DYHRgEPibZtzPFV2dOu97PKcD65HXL +o30hP9xhhy8nT4oFijEQ9rPi0JvOpvB5bJQ42OAznWByR0uL9ZoXopkYDDemzt7t +D5F9X/2iH9dv3GA0AiPCF6DjyVMwbh/NOt8oxS+NMY2RPlzA+r9SZpCcyPFk1hMi +LHzrPU8dwC2GmaMKB3Uw/bA5ufw3IpcbJIZEBJQ5Ttf7zEFcfDo/jidTz3ZOptOT +kSKoCN73AUlmcx8UoKF9JwcpJq63ww8eef+1HLL5Dk0uM4YSKd15gI6477RgfgEC +gcEA48ZpMdz4mz7rO0CMyPfOLdHOcxHuZI4oJg6gJ1IBxCnIB1mhy6xn+NdkS5Mm +/1S6eFuo+DgabXO/A2xSDrJ4Lnlf4H4OjQKCeJdO9JglHjdTzv7TB8Vm/IdGC0Jk +eDRY1lmkSXcdSmGqPVgd2AHpkcTgLyUb+iIWkIspelsaNNQBHJzd4S/x9Pp/ftrg +CpfwGKsmNia3n3m21lkeTLtKVsPuK8CAJnCDaEI22mhV83x6grPxA0GVFZ0VHfCL +qZVhAoHBANfd/oVKWGTiJzlc+aHJAb4XRROQzCL4yi6uspT3h9QN5QiFD7PhgIOg +mES35mpGocN78oc19zhfD4XLNkLbQuMQhpk0D4MjLfUS/IskFoOJWuQbIBPqrMzY +Z93DDkiBno2As1IN7fZ9amw7Thcf8Qt6yVNFjIMcfk63VmC+AnPUj4KCes7IuGDH +SA/LjjiKgMa3g3I5/HVB6q1dyZQggBF3dCJ/V8ecgtdibUfzvvViZ52Hd7XDs1SX +yCas+IE3ewKBwQC/YSFYBRtZjacmFNl1rkitVQCKzMEp+guf1mAYSZ40TQrFqjj4 +obaGbavWmCCHHpDCufkh/jmuRzdyT9wufyPdoJu/Sws8zaQEYNW1S/S8C66+WHvF +psYeXiarJTC3kvwlthIErDGPIrpgap5AtXKjyPC4jAySwXuGHXdPWCaPxqXcfa0s +HRXGSYdAdfUS0ZCpmXw0uZlFRIYsWZrMy/ztJBkE5+yE37p5qlDeeBXnzGo/UaOq 
+obr6+w4YJtmiNmECgcEAsSAPqzEgrM7AnpoCn1S+4EpZvL8wMXXw+DMSh5dAVah9 +COudwdzDxb2tk51OLF/+dderXnTSgOfHZeIjiOI+1PAHcYg9Pj5MhG5q2ITpEE9R +TCBRxuXlmkPrnhRiEO6CudsjyK1zV7D69QoIfoMQF3pN3c0QibiEj3RyJPlkK8T7 +aHxF5ozedVKvd35wGUbUebm02rJny5Mly9FMCQZN74cTvQa+cSSkW7UAtGx1gQWY +vbKdcIC/Eidk7Q867VQnAoHBAKqiugBoItfhuN1GUI5bqIx0ya4DSVECpSFiF8h3 +eK+bO7uG4OBH+qoAmC8EqQNVPtivxpsA2aBvdoUMTYPu/S5cVFXcMkEJ1jX8L8IZ +ImE5LXC+SiZO3G9SyHfj+rgwr66G7NWDVJhZ2t/56s4qEdewwR4Vjm99gVvHHAFP +rrkT9jfHVmozRroL/XAMNITZpJw+vwPMwWOaRncjzyyPp0JWt0h+Wv0+A3SjBIh2 +c+Ctg5Ig6vwr2weVc7s/4jz9Kg== +-----END PRIVATE KEY----- diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem new file mode 100644 index 0000000000..365b493f7e --- /dev/null +++ b/bin/tests/system/nsupdate/CA/certs/srv01.client02-expired.example.nil.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010843 (0x70b9f4eb2fa1959b) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 7 08:14:18 2022 GMT + Not After : Sep 8 08:14:18 2022 GMT + Subject: CN=srv01.client02-expired.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:c0:11:27:17:25:3a:ad:85:a0:3b:59:0b:22:64: + 63:7d:bb:05:32:35:4f:68:d5:19:2b:cd:46:bd:e2: + b6:42:8c:08:cf:09:0d:a8:cd:58:d9:1b:77:db:17: + 8a:fc:f0:55:f2:e1:50:f4:fd:90:aa:49:15:5d:ea: + 9b:5a:47:c4:2f:82:07:46:87:f6:05:ef:15:02:a4: + 3c:a1:da:fc:5b:75:36:12:f7:12:50:55:f8:be:0c: + 7d:21:91:e2:92:d8:41:3f:71:fe:b2:17:c0:68:1d: + 09:be:fc:c4:24:ec:ef:d2:5c:52:a9:4f:d6:5d:30: + b8:ab:68:2e:39:e9:8b:5b:c6:f0:64:42:f7:b8:bd: + b2:90:32:22:68:bc:38:70:2f:14:ae:c8:7c:63:04: + d5:11:b2:0a:f1:8e:13:10:b2:3b:69:f4:fe:3a:e2: + f1:58:56:28:93:c1:28:aa:a7:19:c9:91:12:43:f8: + f5:1d:34:58:3d:32:9f:11:67:d1:1f:53:d4:e0:d5: + 0c:78:2c:6f:38:3f:e1:89:69:b5:09:3c:12:f4:a9: + ee:e5:2f:c5:47:65:a6:82:fa:ea:78:48:31:89:11: + b6:23:8a:27:ed:7c:1d:6d:e8:ab:a0:29:de:40:f4: + f2:9b:61:22:da:9c:22:32:f7:3d:f8:4c:e1:38:a7: + e2:c3:af:a4:67:7f:94:a4:fd:52:25:89:4d:f4:9a: + d6:35:ba:98:20:f1:4b:c9:a5:cf:ac:72:58:2a:cd: + 3b:4a:3e:e9:04:31:e2:9a:74:32:d5:52:60:34:ad: + 0c:85:02:65:58:41:74:2a:57:91:34:55:36:a9:14: + 5b:45:cc:28:27:d7:6d:ba:55:a3:dd:9f:00:04:a4: + 43:c2:af:5c:af:86:53:a6:d5:a7:49:aa:31:d6:5e: + 92:7d:26:dd:8d:f4:87:8a:9b:48:e8:25:f4:c7:34: + ca:cf:e3:f7:84:19:3b:43:c7:6a:b8:da:6e:6f:85: + af:8d:0c:fb:7c:ea:c7:73:9c:9b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4: + 
bd:3f:a3:21:53:90:84:9a:c6:2c:87:b2:16:28:95:07:a3:2a: + c3:33:8f:60:70:3f:26:58:be:ec:a2:6c:44:89:d3:4e:ef:bb: + ce:af:9b:5f:15:06:03:21:74:e3:6f:2a:dc:5c:19:4e:d3:cb: + ba:c3:5f:d8:76:89:59:50:82:69:5f:a1:ac:9f:be:79:e1:22: + 12:37:f9:d3:2e:00:35:03:03:9d:08:24:45:65:7a:e9:72:31: + e1:67:44:32:17:25:dd:b9:72:eb:c6:40:d7:5d:8d:5f:00:48: + 07:09:0d:3c:4c:a1:f1:05:4b:05:9b:2b:5a:21:09:46:f4:17: + 7a:cf:34:87:ad:bf:ef:bd:56:74:d7:1a:8f:07:ce:70:b1:aa: + 4d:82:4f:08:dc:56:27:f9:21:20:b8:06:c7:29:b4:8e:36:82: + b8:43:85:1c:2d:9f:be:2d:b9:9d:40:de:52:55:6a:2e:0b:28: + 33:fc:f8:1b:70:e9:c5:46:50:f3:05:be:8d:ed:99:ec:f1:8c: + 51:8a:1c:4b:95:f4:c4:dd:cd:42:74:bc:6f:66:64:54:b8:c1: + 6e:c8:3d:e9:fe:10:02:61:50:77:38:b9:b0:b8:13:37:8f:0e: + 5b:49:92:3a:9d:9a:60:51:68:99:8a:d5:7e:92:71:7e:fa:db: + 52:37:4d:f9:0d:6c:3b:79:a3:b9:16:b7:95:00:ea:eb:17:54: + e2:50:d7:a5:08:54:58:2c:79:66:01:4b:95:65:ed:b8:81:f7: + 4c:fa:f8:89:37:ad:d9:dc:c9:75:9d:02:3e:e5:92:b3:03:ab: + 70:69:83:f5:6c:a6:27:7e:2e:fc:9d:b2:59:0a:43:ad:3f:55: + 2f:5d:ec:ef:52:f0:3e:be:b5:d6:e2:c3:91:9d:dd:5d:e1:9e: + e6:18:90:0b:6a:85:f8:e3:83:2a:7c:91:c3:52:1c:6d:aa:2b: + 44:b8:6f:2b:af:6e +-----BEGIN CERTIFICATE----- +MIIEYzCCAsugAwIBAgIIcLn06y+hlZswDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNzA4MTQxOFoXDTIyMDkwODA4 +MTQxOFowLTErMCkGA1UEAwwic3J2MDEuY2xpZW50MDItZXhwaXJlZC5leGFtcGxl +Lm5pbDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMARJxclOq2FoDtZ +CyJkY327BTI1T2jVGSvNRr3itkKMCM8JDajNWNkbd9sXivzwVfLhUPT9kKpJFV3q +m1pHxC+CB0aH9gXvFQKkPKHa/Ft1NhL3ElBV+L4MfSGR4pLYQT9x/rIXwGgdCb78 +xCTs79JcUqlP1l0wuKtoLjnpi1vG8GRC97i9spAyImi8OHAvFK7IfGME1RGyCvGO +ExCyO2n0/jri8VhWKJPBKKqnGcmREkP49R00WD0ynxFn0R9T1ODVDHgsbzg/4Ylp +tQk8EvSp7uUvxUdlpoL66nhIMYkRtiOKJ+18HW3oq6Ap3kD08pthItqcIjL3PfhM +4Tin4sOvpGd/lKT9UiWJTfSa1jW6mCDxS8mlz6xyWCrNO0o+6QQx4pp0MtVSYDSt 
+DIUCZVhBdCpXkTRVNqkUW0XMKCfXbbpVo92fAASkQ8KvXK+GU6bVp0mqMdZekn0m +3Y30h4qbSOgl9Mc0ys/j94QZO0PHarjabm+Fr40M+3zqx3OcmwIDAQABozcwNTAz +BgNVHREELDAqgiJzcnYwMS5jbGllbnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQK +NQABMA0GCSqGSIb3DQEBCwUAA4IBgQAY8XwkW9IDsGAOYOYy+adH0eS9P6MhU5CE +msYsh7IWKJUHoyrDM49gcD8mWL7somxEidNO77vOr5tfFQYDIXTjbyrcXBlO08u6 +w1/YdolZUIJpX6Gsn7554SISN/nTLgA1AwOdCCRFZXrpcjHhZ0QyFyXduXLrxkDX +XY1fAEgHCQ08TKHxBUsFmytaIQlG9Bd6zzSHrb/vvVZ01xqPB85wsapNgk8I3FYn ++SEguAbHKbSONoK4Q4UcLZ++LbmdQN5SVWouCygz/PgbcOnFRlDzBb6N7Zns8YxR +ihxLlfTE3c1CdLxvZmRUuMFuyD3p/hACYVB3OLmwuBM3jw5bSZI6nZpgUWiZitV+ +knF++ttSN035DWw7eaO5FreVAOrrF1TiUNelCFRYLHlmAUuVZe24gfdM+viJN63Z +3Ml1nQI+5ZKzA6twaYP1bKYnfi78nbJZCkOtP1UvXezvUvA+vrXW4sORnd1d4Z7m +GJALaoX444MqfJHDUhxtqitEuG8rr24= +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key new file mode 100644 index 0000000000..8a1f5dce5e --- /dev/null +++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.key 
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQC0mmOYBK29qym/ +InBUMN/Ha3dduF4LzQ6gbHQ350t40Zbaypl9krHkGgoetBy+7syVjFIDk4XhQENo +hoa8amJt1grK7k+TLe5r33r23PpEpjmALDh8ic3Zo5ns6CtIbYRBPQ4aH2heF4iP +pdpNHDYmrrR+0v6iWdVnOlbCIWUN3Zdv8OW0HoeulzUN9Juu3Io+KKq4oqvunbLF +kfZxmaWGyzGcBdablBNGqZrJpVVfbMzQhCfisbVzOQh/gC8EJpYMjSmbvl7MOa+i +24KCVwfmskrZPch5bmdh80g3qE+fs8+EtlAIPemF6al2UIDnLG9llcviI0FYOXDn +eCk9wtYgfCuHML2Yh2PtSq257XpLE6E9Yl62dGTvJaPdk0eq0yV+KtcJG1xZUPHU +xpzyZIp8y8xSN1CIS4Q1QFEOoQaiYLaw44/52I5Fd30OfRGSIhUPozeExCXcFLQg +ercWlnLUv01d0qtxQ0S+h0TSuHT3hj/SXd1e5nSr+8yjXaaEgAsCAwEAAQKCAYAG +wzkzeglfbsdTZuC55lKazwVbNwoeewEvNKBtb3W+AmsZqjhxIUsT9X2nhKsG4z45 +41U22RFMS/G6Oj9VUs54umkRDDdilXe2Blo+YCvm4iqJCB7dWvOgUKX03wSv45nu +L3EVvVNVIqB0cItqE8JbVHNhxFjQj3iUMvUIs+Nqz39aK7UON45xFSxhZ2Vk+NEc +Xr11yHGTr8f/6eVGf7BZCcbDxtwwWy0Vmkg3gL9foV1R+YDc1jarJ9mPnKcmCqPH +lW5aT5putR0kO1vO6Rh7YfbHsqw334B9v1yjB4TgaJBKVHz5Z8KTvDFHodMtLqCC +WV61O2h7gh4mQ6lEX5tjArqYdKMuWLAhZ+9AK9sSs4k+/nlvEbqAOCbkx7UmrZoF +QkYfDt2Gjrk7WLwb9CCFIH0a2EEB2Fms1iHBK++S3iA4w0kfbePP0mo4GTsTwA45 +DKDbYByzJzVUvGmowMaaypE548sopQ9K4kQJ9okLV+Gc1V7fjklYIIBmwDgqfIEC +gcEA5Xt0qFjYn4H2gu2xyD0etx83CjKUx0mjwPvdwLg79HMb9P+OTTU+NzsHTa2I +CTEJ1gA4VkqOtKxEBJQarQmJnVL/fiIp88h9fmLBQ48HLefH33S+bF3VWvKOgJeY +uVyyWnhTwHNQv3RsO+DEcjqG3aJ2vdzCnDLBr9ATFV8uzpk1Op0h7QljUbhHv1mS +ip2yQVeuJwtWFixjqEp7BuTluqk/UlGP39PBjgG04Tpw3MkiZNJgk/kSnN+YYOiu +i91rAoHBAMl4/WAaIL5lHiyakHAmE0fwUm+LUKPG1rF22qvqdBFV6OE14/VgTKNP +LfcS7Ulzmt7hM7fbcJ0FYxeyPbbQRjBRsGXFzLU96VgoUxoI/IyFXFY83UJ0s63L +RhZmg4GNvpO0qfOjL4wQtB3N6LPhxpF+pLkkHXSdFkUyocaXGUGOBC+ZEBaCd8Lm +2GlGoi/f+zSl4xSY4crspS7GNG2+jcXh5K/OMdjEb1/tyRYnHf0D89WNmr10EeYG +Pe9alaDv4QKBwDROcYa1yZqB6who2W8Ez216BfejE9pg5JxmTGNTGwda/XJYlbzv +d+Dq6X1BIpLFxLIslqrEj8aKxW4tu+7ZD672bhn3+4v/lOsr41Vc0owaGqrKV2Un +9iumweh5pWwKvvR0HNLu9ebNyKXVU7GduYPnNh2MpicoQpGqYc8rROX+ce2MR2Fa +FHNaB7CL4CUMUMcoDyADK3oeYBDJ+UTXA64KSc6fnKWuBJ4zsWDtCzCn/9jvQug3 
+i5CKPpdIMhDbRQKBwEekz61B/UzXVnCUEjLfR1H4osfpqaZjyerXkhE6UUXs3+Be +Mo8KTJZyTK0kvN62zmbdfG+wCA6+YKuHhayhyaPbGLhIK3Bz8KuZw1tpwK0Tq287 +O48rQs3VkDndAHysdA3AXAM4j2rmcbZ7h3mYGu2YNGll71eNmOLIi4C8MI4AO3rV +mkP25zGWt3RQWtJdes4RA3xKlVh86IyGjRRNg8rPdmwSDeXAjL53J1/KTz6vDiFt +to4SXV8H7zRTaQwO4QKBwBwMU2zjMYXLJq0LAmn3h4h6CVZjPrqzR8PeSd/YM831 +qdH7OvnkadqIdqMOo6BUA9PvUIY/B5c5zSSOJg9gh1PJ3vDLIZY23zkXigh7poBe +YW6/PLvGQJ0Rzyz5pf6uPX8AWkAqTyI1Ox3NdxzirarxWDPznvA2KsVxVF/jxnvr +TD/R5kCQUcxZuInguahGYd1JF3dArYh6NKRPyVO0r73LfVeZ+udlo/+ZMNVGlNNF +v3Tmy/b2gUdEwuKFCxx97g== +-----END PRIVATE KEY----- diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem new file mode 100644 index 0000000000..4a4556c2b0 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt01.example.nil.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010840 (0x70b9f4eb2fa19598) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 7 20:28:03 2022 GMT + Not After : Aug 30 20:28:03 2052 GMT + Subject: CN=srv01.crt01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:b4:9a:63:98:04:ad:bd:ab:29:bf:22:70:54:30: + df:c7:6b:77:5d:b8:5e:0b:cd:0e:a0:6c:74:37:e7: + 4b:78:d1:96:da:ca:99:7d:92:b1:e4:1a:0a:1e:b4: + 1c:be:ee:cc:95:8c:52:03:93:85:e1:40:43:68:86: + 86:bc:6a:62:6d:d6:0a:ca:ee:4f:93:2d:ee:6b:df: + 7a:f6:dc:fa:44:a6:39:80:2c:38:7c:89:cd:d9:a3: + 99:ec:e8:2b:48:6d:84:41:3d:0e:1a:1f:68:5e:17: + 88:8f:a5:da:4d:1c:36:26:ae:b4:7e:d2:fe:a2:59: + d5:67:3a:56:c2:21:65:0d:dd:97:6f:f0:e5:b4:1e: + 87:ae:97:35:0d:f4:9b:ae:dc:8a:3e:28:aa:b8:a2: + ab:ee:9d:b2:c5:91:f6:71:99:a5:86:cb:31:9c:05: + d6:9b:94:13:46:a9:9a:c9:a5:55:5f:6c:cc:d0:84: + 27:e2:b1:b5:73:39:08:7f:80:2f:04:26:96:0c:8d: + 29:9b:be:5e:cc:39:af:a2:db:82:82:57:07:e6:b2: + 4a:d9:3d:c8:79:6e:67:61:f3:48:37:a8:4f:9f:b3: + cf:84:b6:50:08:3d:e9:85:e9:a9:76:50:80:e7:2c: + 6f:65:95:cb:e2:23:41:58:39:70:e7:78:29:3d:c2: + d6:20:7c:2b:87:30:bd:98:87:63:ed:4a:ad:b9:ed: + 7a:4b:13:a1:3d:62:5e:b6:74:64:ef:25:a3:dd:93: + 47:aa:d3:25:7e:2a:d7:09:1b:5c:59:50:f1:d4:c6: + 9c:f2:64:8a:7c:cb:cc:52:37:50:88:4b:84:35:40: + 51:0e:a1:06:a2:60:b6:b0:e3:8f:f9:d8:8e:45:77: + 7d:0e:7d:11:92:22:15:0f:a3:37:84:c4:25:dc:14: + b4:20:7a:b7:16:96:72:d4:bf:4d:5d:d2:ab:71:43: + 44:be:87:44:d2:b8:74:f7:86:3f:d2:5d:dd:5e:e6: + 74:ab:fb:cc:a3:5d:a6:84:80:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt01.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f: + 
7e:44:9a:b1:d4:9c:f9:78:d3:a7:c7:65:f2:d1:48:62:f4:cb: + 2f:20:ea:7c:af:08:cf:db:e2:0f:ab:c0:22:38:16:c5:0c:e5: + c7:6e:34:b1:ed:f6:02:1a:69:c0:09:d1:43:b3:30:77:fc:00: + 07:1b:da:88:97:5b:28:4e:e6:92:ca:00:cc:86:66:a9:a9:0a: + 75:be:74:88:7d:09:52:e7:a9:82:8f:a9:62:5e:b3:19:64:14: + e5:54:9e:6d:9c:98:39:8b:1f:92:92:59:f9:a2:46:75:96:11: + 71:8a:c8:71:05:10:2a:b8:f3:a4:19:db:eb:05:17:0a:dd:98: + 2c:58:54:3a:7f:8c:c2:26:9e:62:ca:04:dd:3c:99:1f:a0:64: + 69:fb:d6:04:c1:0b:8c:62:f6:2d:ea:bc:6c:a9:39:7b:f1:20: + b8:b7:04:3c:a7:65:fa:1f:db:22:e2:5b:8b:91:75:60:be:e1: + 1e:50:13:23:d5:4b:93:87:20:ec:46:6f:5f:94:dc:b1:60:d1: + 79:4b:5e:76:c9:6d:0d:be:a6:9a:6b:67:8b:a7:48:7e:51:b5: + 9b:9d:ec:a6:0c:c1:b3:d9:0b:26:8b:f2:7c:cf:61:d0:a2:a0: + 90:90:18:6b:b4:ca:56:b8:5e:5a:8b:78:71:c4:d1:fc:15:30: + 0a:03:26:74:85:3d:6c:ed:d3:e1:c9:c1:b0:d4:0c:b9:f3:04: + 93:0d:e3:a6:2c:a7:ee:e0:24:0d:dd:37:fc:6b:09:d5:b5:55: + 33:12:82:cf:f2:ba:0f:b0:e2:ce:f7:c0:ac:2c:7f:ab:f9:dd: + 87:b1:9b:95:f2:d7:32:98:dd:4c:b3:28:b7:0d:2b:2f:62:65: + ce:59:fb:95:d4:5f:9d:fd:83:5a:01:3b:5f:48:5f:3c:fa:4b: + 52:91:66:e1:49:8e:cd:09:78:f5:ce:f8:cd:5c:85:3e:ad:bd: + 1c:4e:e0:3f:0a:8b +-----BEGIN CERTIFICATE----- +MIIETzCCAregAwIBAgIIcLn06y+hlZgwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwNzIwMjgwM1oYDzIwNTIwODMw +MjAyODAzWjAiMSAwHgYDVQQDDBdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbDCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALSaY5gErb2rKb8icFQw38drd124 +XgvNDqBsdDfnS3jRltrKmX2SseQaCh60HL7uzJWMUgOTheFAQ2iGhrxqYm3WCsru +T5Mt7mvfevbc+kSmOYAsOHyJzdmjmezoK0hthEE9DhofaF4XiI+l2k0cNiautH7S +/qJZ1Wc6VsIhZQ3dl2/w5bQeh66XNQ30m67cij4oqriiq+6dssWR9nGZpYbLMZwF +1puUE0apmsmlVV9szNCEJ+KxtXM5CH+ALwQmlgyNKZu+Xsw5r6LbgoJXB+ayStk9 +yHluZ2HzSDeoT5+zz4S2UAg96YXpqXZQgOcsb2WVy+IjQVg5cOd4KT3C1iB8K4cw +vZiHY+1KrbnteksToT1iXrZ0ZO8lo92TR6rTJX4q1wkbXFlQ8dTGnPJkinzLzFI3 
+UIhLhDVAUQ6hBqJgtrDjj/nYjkV3fQ59EZIiFQ+jN4TEJdwUtCB6txaWctS/TV3S +q3FDRL6HRNK4dPeGP9Jd3V7mdKv7zKNdpoSACwIDAQABoywwKjAoBgNVHREEITAf +ghdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0BAQsFAAOC +AYEAlBXASvGqFTD3y/75+rpf8BgffkSasdSc+XjTp8dl8tFIYvTLLyDqfK8Iz9vi +D6vAIjgWxQzlx240se32AhppwAnRQ7Mwd/wABxvaiJdbKE7mksoAzIZmqakKdb50 +iH0JUuepgo+pYl6zGWQU5VSebZyYOYsfkpJZ+aJGdZYRcYrIcQUQKrjzpBnb6wUX +Ct2YLFhUOn+MwiaeYsoE3TyZH6BkafvWBMELjGL2Leq8bKk5e/EguLcEPKdl+h/b +IuJbi5F1YL7hHlATI9VLk4cg7EZvX5TcsWDReUtedsltDb6mmmtni6dIflG1m53s +pgzBs9kLJovyfM9h0KKgkJAYa7TKVrheWot4ccTR/BUwCgMmdIU9bO3T4cnBsNQM +ufMEkw3jpiyn7uAkDd03/GsJ1bVVMxKCz/K6D7DizvfArCx/q/ndh7GblfLXMpjd +TLMotw0rL2Jlzln7ldRfnf2DWgE7X0hfPPpLUpFm4UmOzQl49c74zVyFPq29HE7g +PwqL +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key new file mode 100644 index 0000000000..307d26df74 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.key 
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQDsLIgBtYs6dFYN +V7N1/QVYBe2Kq+gpDvFSNC4iYm5BdP94M7T/FXP6zpAQpP7SZhR7C3l71iCI+UEx +FJpJNow4dEvz4lHn5W+9ZTjmnDCAPyRW9mieCXaBW1mBRFafHD9I8JW/YEAp36xC +PcNvhS3DDgi29xIqUQC/z/5srtd93sFy+DIDX8k/St7l+iSQRvBKXwnYk0y/HGFM +0tzbbPivc1u3O3robRy7JiNHh/1QBg/xtYiKqCVpV+NGO9JrUvtaAfaW6SrPE+cW +TP1a9h8Ljfclo2jXFfxcSEkF4oUkcFex2AUkriY6AJtyqEcFxfN8LfJYcjf7wYtP +Qo/dmqxbrm8hYq0pgbmLS2z/YZkPfAnTbQAgLbEMAGyZTJLcDhEt57p7x8ixoxph ++Mwsrxe228w2Av77ZhV3hHDNQiW3FmQorp2MgYWg4FCCqujprFH8K2NEsQi4kNeM +HCOyGwhZhdXdOUT3R15ICDTrLN91Rwi2tuYy7XZ0d849Tf4CsTMCAwEAAQKCAYA+ +B7AtKr6HutiDJp63BZ6qsNvkCSSv7AHMAnJ/i3TD8nPK4WHPgZX1sN070eov3qnQ +a4Ib2XCwKS9LMcsYIaCQj1MHmlDC5IsFpplcUHeYp3zm7k8p+vhKH3ERt548qhGh +GbdrDV+s39eBinFTUBpl2cDGNXxq6t2Ug4+iggWNRL1wcenI4xabbhG/O4Tw9ADW +t8GBRabppw2TPOrPIv7qLhVPueqdM1NRgEHR3tDUfNMhO/nB2UoCMhg6cSniEGf8 +32NDQHI7ajIcETnn9z0tAP67+w5VUYMlP3+VGr8v4UZCL6Qal9Swv4XWPqHjHoIi +q5by4H6HEYeoUPT5hCJjMdXlHrWWUgsX/YdgY4tJJBowMR6rovA7Ypy71FxRnXkP +2iD36jZmDI1mBQ41Yx7P5iM+veRQmBOH/x70Bd9ZbSLlmeTX5dhjAxNShjZxxeUy +QbQGe3JLzdCGzRY9TKFMmLa/qs+Ggqxopdh4AZuHtQpKUej6g9GI9Eo0IIWTKEkC +gcEA+EC1ms0MEIIq/JJrsN4ByEyZXbuNKny/04h8dfkT0lTXk8QihQLke6ZLLOl9 +mwgO9NOHkghtU9wdNXg/dNR2VDevUZCjIlYZT6stjEX7X0oNACJwSeBwEXxn6I94 +umuvJ9hq9WchTnQA4lrIXCETIUxThjm7jfJe9RKzghQkCfGnxzclXg0viqxvm21j +eg0iide23y9xpFd8Qn1oq+hhzcKqHWdkHuDjRJD5gfAEPD7MJ7oT5jR4szQoIUcP +4C+NAoHBAPOLUwAwcY5zUBAZ7oZ8wRgnAFZjHdYYWDr04ahA1DpwPeX67MczdGud +L7hUq3APa3qcj4hrDL2jkF6FkbURhtdguMccb4hBENyYr+qjoTAfYJIZwJ9akQ/j +x8u+5kGsN+ozaKikHFsI2xXHJhbShICL3sIfNeqGFB2onp/dv8WdywTnSf2aXGjf +NFvVJYnaEOGiTM7uIf/F0n8Iae8HSdPZXtDTXNjnLFzzHjvFe1mfyYO55BDkxmr2 +PDnhVkbTvwKBwQCNPwQU16WNnwImQojTUP1ioXKBSjy/d8sM6BMobFdCzNL7WBTr +6QFm+O681vyIQMWBtvjjtbe+hvZ3fbtdFaVdtXEiz1CCMMql8ZcwwICNbuyGrxGE +dxZMXKQiRb9DEhHOcewpRExG/umh4FUvVgI0Z+D99csosEYm2kUYNa1rmvsC9fVk +1cu+8u1tWYfH4cFM/FcoFS5revtQOVpctRMwpxlzMWhdyUaFtJbBv3YpcPFniQ/Z 
+YvFpxLswc+Ysf+ECgcEAhEeMUXH+e6zOM7CiCZIBHykv2bwEHKEkawFO/6AWpZcJ +R7y+loOwHDNIFAqJA1icvAAFRcc/KFGKvIw30+0tHBaAxkT/nzYX/nlAM2Wkywp/ +3Vr3cJY0bDj/7/5D+i+cPyylD9PzQs7QkEeWvJajOV6/Ixjoo/UnP+SyI4rB+of2 +GTe2zHPm9V8mhSqENReoS6Vnqo1VEiNUbYMYZqfCxbou8aWbrIQDaIj0RurAULGl +NlLlOPfJfZc4pwdpYRbpAoHAJ7Vxdfn1ec+8xIpjn6dQzWDQWrOw+4pyi54sPlVb +RUWC9nYDbTwEKkWdQ0FdyJkU7tiYIIFlVNfPAa1lkujIiC5zxe41VJ1598pXPEXn +a6UB1yn2Ay7kmCq7/qOD6IRkAS8TKyzM6Z7nFgglMEPPdzYBkeKP/aWl75el1B4e +mpGz7o6u6kSHXt0UWZ7VT9AspEw0oyHIoaXmYHvpXjGtWghn6MKPMngKIb87Xjvt +bKvcUjDKJOb0BURXpKzS8Rf9 +-----END PRIVATE KEY----- diff --git a/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem new file mode 100644 index 0000000000..3fa0b9ae88 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/certs/srv01.crt02-expired.example.nil.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010841 (0x70b9f4eb2fa19599) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 6 20:34:09 2022 GMT + Not After : Sep 7 20:34:09 2022 GMT + Subject: CN=srv01.crt02-expired.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:ec:2c:88:01:b5:8b:3a:74:56:0d:57:b3:75:fd: + 05:58:05:ed:8a:ab:e8:29:0e:f1:52:34:2e:22:62: + 6e:41:74:ff:78:33:b4:ff:15:73:fa:ce:90:10:a4: + fe:d2:66:14:7b:0b:79:7b:d6:20:88:f9:41:31:14: + 9a:49:36:8c:38:74:4b:f3:e2:51:e7:e5:6f:bd:65: + 38:e6:9c:30:80:3f:24:56:f6:68:9e:09:76:81:5b: + 59:81:44:56:9f:1c:3f:48:f0:95:bf:60:40:29:df: + ac:42:3d:c3:6f:85:2d:c3:0e:08:b6:f7:12:2a:51: + 00:bf:cf:fe:6c:ae:d7:7d:de:c1:72:f8:32:03:5f: + c9:3f:4a:de:e5:fa:24:90:46:f0:4a:5f:09:d8:93: + 4c:bf:1c:61:4c:d2:dc:db:6c:f8:af:73:5b:b7:3b: + 7a:e8:6d:1c:bb:26:23:47:87:fd:50:06:0f:f1:b5: + 88:8a:a8:25:69:57:e3:46:3b:d2:6b:52:fb:5a:01: + f6:96:e9:2a:cf:13:e7:16:4c:fd:5a:f6:1f:0b:8d: + f7:25:a3:68:d7:15:fc:5c:48:49:05:e2:85:24:70: + 57:b1:d8:05:24:ae:26:3a:00:9b:72:a8:47:05:c5: + f3:7c:2d:f2:58:72:37:fb:c1:8b:4f:42:8f:dd:9a: + ac:5b:ae:6f:21:62:ad:29:81:b9:8b:4b:6c:ff:61: + 99:0f:7c:09:d3:6d:00:20:2d:b1:0c:00:6c:99:4c: + 92:dc:0e:11:2d:e7:ba:7b:c7:c8:b1:a3:1a:61:f8: + cc:2c:af:17:b6:db:cc:36:02:fe:fb:66:15:77:84: + 70:cd:42:25:b7:16:64:28:ae:9d:8c:81:85:a0:e0: + 50:82:aa:e8:e9:ac:51:fc:2b:63:44:b1:08:b8:90: + d7:8c:1c:23:b2:1b:08:59:85:d5:dd:39:44:f7:47: + 5e:48:08:34:eb:2c:df:75:47:08:b6:b6:e6:32:ed: + 76:74:77:ce:3d:4d:fe:02:b1:33 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c: + 
b7:00:9e:c4:33:90:fe:d0:b0:18:f3:f2:06:30:54:18:fe:34: + cb:ea:61:4f:9c:23:67:3c:ae:ed:20:df:82:52:ec:59:88:45: + ad:3c:6c:a7:34:24:1c:4d:66:ab:71:3d:59:8c:ef:cd:a0:e2: + 7b:59:2d:43:94:cd:f5:0a:3c:4e:81:24:e8:fd:c6:d0:fd:ad: + 6f:cc:29:5b:67:0b:b7:ee:43:38:a4:91:c2:d9:3b:f8:d6:97: + bc:92:dd:ec:a1:ab:85:35:44:f4:0a:df:ad:8d:8c:52:c3:49: + 7e:39:10:a1:13:43:78:71:e2:92:aa:31:3d:d9:94:15:7f:86: + c8:aa:b4:a1:6d:bf:eb:55:b1:d7:41:6f:c3:7d:88:5e:9c:b7: + b1:4b:0d:a7:17:4f:3e:4a:46:3f:6f:48:27:8c:d0:e5:51:fc: + 42:ba:c5:b9:4f:63:6f:2e:f2:fd:0c:c0:6e:23:b4:59:93:68: + a4:2d:16:ce:f4:7b:3a:45:1d:a0:6e:98:0b:f7:6a:e6:75:0c: + db:56:19:6b:88:f0:7f:6b:08:f8:fc:bb:d1:3f:25:25:1a:6c: + 8e:34:cb:91:18:54:d5:2d:ce:9c:d0:b7:c3:bc:b5:0a:e0:b9: + 73:6f:4d:ad:6b:3c:b6:49:ef:c0:10:13:c7:0a:78:4d:98:7d: + cb:84:a1:29:40:8c:dd:31:7d:ae:c4:f5:25:5d:b9:74:b2:f5: + e2:2b:e0:43:c8:50:61:a3:a8:26:1a:03:ab:1a:24:3b:13:56: + da:0d:ee:ff:2f:bd:d5:77:82:72:63:b8:aa:e1:18:f7:3b:c1: + a1:f8:51:b1:70:b9:25:39:df:a3:41:79:d7:2b:ec:32:f6:cb: + 30:28:d2:1e:f1:b4:e1:80:03:9f:c2:0f:36:85:82:5e:39:ba: + 9e:eb:67:76:42:93:bf:e0:df:64:b2:b5:5f:98:a1:45:3f:4a: + 1f:5c:c5:04:10:f6 +-----BEGIN CERTIFICATE----- +MIIEXTCCAsWgAwIBAgIIcLn06y+hlZkwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNjIwMzQwOVoXDTIyMDkwNzIw +MzQwOVowKjEoMCYGA1UEAwwfc3J2MDEuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5p +bDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOwsiAG1izp0Vg1Xs3X9 +BVgF7Yqr6CkO8VI0LiJibkF0/3gztP8Vc/rOkBCk/tJmFHsLeXvWIIj5QTEUmkk2 +jDh0S/PiUeflb71lOOacMIA/JFb2aJ4JdoFbWYFEVp8cP0jwlb9gQCnfrEI9w2+F +LcMOCLb3EipRAL/P/myu133ewXL4MgNfyT9K3uX6JJBG8EpfCdiTTL8cYUzS3Nts ++K9zW7c7euhtHLsmI0eH/VAGD/G1iIqoJWlX40Y70mtS+1oB9pbpKs8T5xZM/Vr2 +HwuN9yWjaNcV/FxISQXihSRwV7HYBSSuJjoAm3KoRwXF83wt8lhyN/vBi09Cj92a +rFuubyFirSmBuYtLbP9hmQ98CdNtACAtsQwAbJlMktwOES3nunvHyLGjGmH4zCyv 
+F7bbzDYC/vtmFXeEcM1CJbcWZCiunYyBhaDgUIKq6OmsUfwrY0SxCLiQ14wcI7Ib +CFmF1d05RPdHXkgINOss33VHCLa25jLtdnR3zj1N/gKxMwIDAQABozQwMjAwBgNV +HREEKTAngh9zcnYwMS5jcnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQKNQABMA0G +CSqGSIb3DQEBCwUAA4IBgQAqUsTLqS/3K+0EtQPVBlntXHy3AJ7EM5D+0LAY8/IG +MFQY/jTL6mFPnCNnPK7tIN+CUuxZiEWtPGynNCQcTWarcT1ZjO/NoOJ7WS1DlM31 +CjxOgSTo/cbQ/a1vzClbZwu37kM4pJHC2Tv41pe8kt3soauFNUT0Ct+tjYxSw0l+ +ORChE0N4ceKSqjE92ZQVf4bIqrShbb/rVbHXQW/DfYhenLexSw2nF08+SkY/b0gn +jNDlUfxCusW5T2NvLvL9DMBuI7RZk2ikLRbO9Hs6RR2gbpgL92rmdQzbVhlriPB/ +awj4/LvRPyUlGmyONMuRGFTVLc6c0LfDvLUK4Llzb02tazy2Se/AEBPHCnhNmH3L +hKEpQIzdMX2uxPUlXbl0svXiK+BDyFBho6gmGgOrGiQ7E1baDe7/L73Vd4JyY7iq +4Rj3O8Gh+FGxcLklOd+jQXnXK+wy9sswKNIe8bThgAOfwg82hYJeObqe62d2QpO/ +4N9ksrVfmKFFP0ofXMUEEPY= +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/index.txt b/bin/tests/system/nsupdate/CA/index.txt new file mode 100644 index 0000000000..020155fb37 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/index.txt @@ -0,0 +1,4 @@ +V 20520830202803Z 70B9F4EB2FA19598 unknown /CN=srv01.crt01.example.nil +V 220907203409Z 70B9F4EB2FA19599 unknown /CN=srv01.crt02-expired.example.nil +V 20520831082017Z 70B9F4EB2FA1959A unknown /CN=srv01.client01.example.nil +V 220908081418Z 70B9F4EB2FA1959B unknown /CN=srv01.client02-expired.example.nil diff --git a/bin/tests/system/nsupdate/CA/index.txt.attr b/bin/tests/system/nsupdate/CA/index.txt.attr new file mode 100644 index 0000000000..8f7e63a347 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem new file mode 100644 index 0000000000..4a4556c2b0 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19598.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010840 (0x70b9f4eb2fa19598) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 7 20:28:03 2022 GMT + Not After : Aug 30 20:28:03 2052 GMT + Subject: CN=srv01.crt01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:b4:9a:63:98:04:ad:bd:ab:29:bf:22:70:54:30: + df:c7:6b:77:5d:b8:5e:0b:cd:0e:a0:6c:74:37:e7: + 4b:78:d1:96:da:ca:99:7d:92:b1:e4:1a:0a:1e:b4: + 1c:be:ee:cc:95:8c:52:03:93:85:e1:40:43:68:86: + 86:bc:6a:62:6d:d6:0a:ca:ee:4f:93:2d:ee:6b:df: + 7a:f6:dc:fa:44:a6:39:80:2c:38:7c:89:cd:d9:a3: + 99:ec:e8:2b:48:6d:84:41:3d:0e:1a:1f:68:5e:17: + 88:8f:a5:da:4d:1c:36:26:ae:b4:7e:d2:fe:a2:59: + d5:67:3a:56:c2:21:65:0d:dd:97:6f:f0:e5:b4:1e: + 87:ae:97:35:0d:f4:9b:ae:dc:8a:3e:28:aa:b8:a2: + ab:ee:9d:b2:c5:91:f6:71:99:a5:86:cb:31:9c:05: + d6:9b:94:13:46:a9:9a:c9:a5:55:5f:6c:cc:d0:84: + 27:e2:b1:b5:73:39:08:7f:80:2f:04:26:96:0c:8d: + 29:9b:be:5e:cc:39:af:a2:db:82:82:57:07:e6:b2: + 4a:d9:3d:c8:79:6e:67:61:f3:48:37:a8:4f:9f:b3: + cf:84:b6:50:08:3d:e9:85:e9:a9:76:50:80:e7:2c: + 6f:65:95:cb:e2:23:41:58:39:70:e7:78:29:3d:c2: + d6:20:7c:2b:87:30:bd:98:87:63:ed:4a:ad:b9:ed: + 7a:4b:13:a1:3d:62:5e:b6:74:64:ef:25:a3:dd:93: + 47:aa:d3:25:7e:2a:d7:09:1b:5c:59:50:f1:d4:c6: + 9c:f2:64:8a:7c:cb:cc:52:37:50:88:4b:84:35:40: + 51:0e:a1:06:a2:60:b6:b0:e3:8f:f9:d8:8e:45:77: + 7d:0e:7d:11:92:22:15:0f:a3:37:84:c4:25:dc:14: + b4:20:7a:b7:16:96:72:d4:bf:4d:5d:d2:ab:71:43: + 44:be:87:44:d2:b8:74:f7:86:3f:d2:5d:dd:5e:e6: + 74:ab:fb:cc:a3:5d:a6:84:80:0b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt01.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 94:15:c0:4a:f1:aa:15:30:f7:cb:fe:f9:fa:ba:5f:f0:18:1f: + 
7e:44:9a:b1:d4:9c:f9:78:d3:a7:c7:65:f2:d1:48:62:f4:cb: + 2f:20:ea:7c:af:08:cf:db:e2:0f:ab:c0:22:38:16:c5:0c:e5: + c7:6e:34:b1:ed:f6:02:1a:69:c0:09:d1:43:b3:30:77:fc:00: + 07:1b:da:88:97:5b:28:4e:e6:92:ca:00:cc:86:66:a9:a9:0a: + 75:be:74:88:7d:09:52:e7:a9:82:8f:a9:62:5e:b3:19:64:14: + e5:54:9e:6d:9c:98:39:8b:1f:92:92:59:f9:a2:46:75:96:11: + 71:8a:c8:71:05:10:2a:b8:f3:a4:19:db:eb:05:17:0a:dd:98: + 2c:58:54:3a:7f:8c:c2:26:9e:62:ca:04:dd:3c:99:1f:a0:64: + 69:fb:d6:04:c1:0b:8c:62:f6:2d:ea:bc:6c:a9:39:7b:f1:20: + b8:b7:04:3c:a7:65:fa:1f:db:22:e2:5b:8b:91:75:60:be:e1: + 1e:50:13:23:d5:4b:93:87:20:ec:46:6f:5f:94:dc:b1:60:d1: + 79:4b:5e:76:c9:6d:0d:be:a6:9a:6b:67:8b:a7:48:7e:51:b5: + 9b:9d:ec:a6:0c:c1:b3:d9:0b:26:8b:f2:7c:cf:61:d0:a2:a0: + 90:90:18:6b:b4:ca:56:b8:5e:5a:8b:78:71:c4:d1:fc:15:30: + 0a:03:26:74:85:3d:6c:ed:d3:e1:c9:c1:b0:d4:0c:b9:f3:04: + 93:0d:e3:a6:2c:a7:ee:e0:24:0d:dd:37:fc:6b:09:d5:b5:55: + 33:12:82:cf:f2:ba:0f:b0:e2:ce:f7:c0:ac:2c:7f:ab:f9:dd: + 87:b1:9b:95:f2:d7:32:98:dd:4c:b3:28:b7:0d:2b:2f:62:65: + ce:59:fb:95:d4:5f:9d:fd:83:5a:01:3b:5f:48:5f:3c:fa:4b: + 52:91:66:e1:49:8e:cd:09:78:f5:ce:f8:cd:5c:85:3e:ad:bd: + 1c:4e:e0:3f:0a:8b +-----BEGIN CERTIFICATE----- +MIIETzCCAregAwIBAgIIcLn06y+hlZgwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwNzIwMjgwM1oYDzIwNTIwODMw +MjAyODAzWjAiMSAwHgYDVQQDDBdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbDCCAaIw +DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALSaY5gErb2rKb8icFQw38drd124 +XgvNDqBsdDfnS3jRltrKmX2SseQaCh60HL7uzJWMUgOTheFAQ2iGhrxqYm3WCsru +T5Mt7mvfevbc+kSmOYAsOHyJzdmjmezoK0hthEE9DhofaF4XiI+l2k0cNiautH7S +/qJZ1Wc6VsIhZQ3dl2/w5bQeh66XNQ30m67cij4oqriiq+6dssWR9nGZpYbLMZwF +1puUE0apmsmlVV9szNCEJ+KxtXM5CH+ALwQmlgyNKZu+Xsw5r6LbgoJXB+ayStk9 +yHluZ2HzSDeoT5+zz4S2UAg96YXpqXZQgOcsb2WVy+IjQVg5cOd4KT3C1iB8K4cw +vZiHY+1KrbnteksToT1iXrZ0ZO8lo92TR6rTJX4q1wkbXFlQ8dTGnPJkinzLzFI3 
+UIhLhDVAUQ6hBqJgtrDjj/nYjkV3fQ59EZIiFQ+jN4TEJdwUtCB6txaWctS/TV3S +q3FDRL6HRNK4dPeGP9Jd3V7mdKv7zKNdpoSACwIDAQABoywwKjAoBgNVHREEITAf +ghdzcnYwMS5jcnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0BAQsFAAOC +AYEAlBXASvGqFTD3y/75+rpf8BgffkSasdSc+XjTp8dl8tFIYvTLLyDqfK8Iz9vi +D6vAIjgWxQzlx240se32AhppwAnRQ7Mwd/wABxvaiJdbKE7mksoAzIZmqakKdb50 +iH0JUuepgo+pYl6zGWQU5VSebZyYOYsfkpJZ+aJGdZYRcYrIcQUQKrjzpBnb6wUX +Ct2YLFhUOn+MwiaeYsoE3TyZH6BkafvWBMELjGL2Leq8bKk5e/EguLcEPKdl+h/b +IuJbi5F1YL7hHlATI9VLk4cg7EZvX5TcsWDReUtedsltDb6mmmtni6dIflG1m53s +pgzBs9kLJovyfM9h0KKgkJAYa7TKVrheWot4ccTR/BUwCgMmdIU9bO3T4cnBsNQM +ufMEkw3jpiyn7uAkDd03/GsJ1bVVMxKCz/K6D7DizvfArCx/q/ndh7GblfLXMpjd +TLMotw0rL2Jlzln7ldRfnf2DWgE7X0hfPPpLUpFm4UmOzQl49c74zVyFPq29HE7g +PwqL +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem new file mode 100644 index 0000000000..3fa0b9ae88 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA19599.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010841 (0x70b9f4eb2fa19599) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 6 20:34:09 2022 GMT + Not After : Sep 7 20:34:09 2022 GMT + Subject: CN=srv01.crt02-expired.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:ec:2c:88:01:b5:8b:3a:74:56:0d:57:b3:75:fd: + 05:58:05:ed:8a:ab:e8:29:0e:f1:52:34:2e:22:62: + 6e:41:74:ff:78:33:b4:ff:15:73:fa:ce:90:10:a4: + fe:d2:66:14:7b:0b:79:7b:d6:20:88:f9:41:31:14: + 9a:49:36:8c:38:74:4b:f3:e2:51:e7:e5:6f:bd:65: + 38:e6:9c:30:80:3f:24:56:f6:68:9e:09:76:81:5b: + 59:81:44:56:9f:1c:3f:48:f0:95:bf:60:40:29:df: + ac:42:3d:c3:6f:85:2d:c3:0e:08:b6:f7:12:2a:51: + 00:bf:cf:fe:6c:ae:d7:7d:de:c1:72:f8:32:03:5f: + c9:3f:4a:de:e5:fa:24:90:46:f0:4a:5f:09:d8:93: + 4c:bf:1c:61:4c:d2:dc:db:6c:f8:af:73:5b:b7:3b: + 7a:e8:6d:1c:bb:26:23:47:87:fd:50:06:0f:f1:b5: + 88:8a:a8:25:69:57:e3:46:3b:d2:6b:52:fb:5a:01: + f6:96:e9:2a:cf:13:e7:16:4c:fd:5a:f6:1f:0b:8d: + f7:25:a3:68:d7:15:fc:5c:48:49:05:e2:85:24:70: + 57:b1:d8:05:24:ae:26:3a:00:9b:72:a8:47:05:c5: + f3:7c:2d:f2:58:72:37:fb:c1:8b:4f:42:8f:dd:9a: + ac:5b:ae:6f:21:62:ad:29:81:b9:8b:4b:6c:ff:61: + 99:0f:7c:09:d3:6d:00:20:2d:b1:0c:00:6c:99:4c: + 92:dc:0e:11:2d:e7:ba:7b:c7:c8:b1:a3:1a:61:f8: + cc:2c:af:17:b6:db:cc:36:02:fe:fb:66:15:77:84: + 70:cd:42:25:b7:16:64:28:ae:9d:8c:81:85:a0:e0: + 50:82:aa:e8:e9:ac:51:fc:2b:63:44:b1:08:b8:90: + d7:8c:1c:23:b2:1b:08:59:85:d5:dd:39:44:f7:47: + 5e:48:08:34:eb:2c:df:75:47:08:b6:b6:e6:32:ed: + 76:74:77:ce:3d:4d:fe:02:b1:33 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.crt02-expired.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 2a:52:c4:cb:a9:2f:f7:2b:ed:04:b5:03:d5:06:59:ed:5c:7c: + 
b7:00:9e:c4:33:90:fe:d0:b0:18:f3:f2:06:30:54:18:fe:34: + cb:ea:61:4f:9c:23:67:3c:ae:ed:20:df:82:52:ec:59:88:45: + ad:3c:6c:a7:34:24:1c:4d:66:ab:71:3d:59:8c:ef:cd:a0:e2: + 7b:59:2d:43:94:cd:f5:0a:3c:4e:81:24:e8:fd:c6:d0:fd:ad: + 6f:cc:29:5b:67:0b:b7:ee:43:38:a4:91:c2:d9:3b:f8:d6:97: + bc:92:dd:ec:a1:ab:85:35:44:f4:0a:df:ad:8d:8c:52:c3:49: + 7e:39:10:a1:13:43:78:71:e2:92:aa:31:3d:d9:94:15:7f:86: + c8:aa:b4:a1:6d:bf:eb:55:b1:d7:41:6f:c3:7d:88:5e:9c:b7: + b1:4b:0d:a7:17:4f:3e:4a:46:3f:6f:48:27:8c:d0:e5:51:fc: + 42:ba:c5:b9:4f:63:6f:2e:f2:fd:0c:c0:6e:23:b4:59:93:68: + a4:2d:16:ce:f4:7b:3a:45:1d:a0:6e:98:0b:f7:6a:e6:75:0c: + db:56:19:6b:88:f0:7f:6b:08:f8:fc:bb:d1:3f:25:25:1a:6c: + 8e:34:cb:91:18:54:d5:2d:ce:9c:d0:b7:c3:bc:b5:0a:e0:b9: + 73:6f:4d:ad:6b:3c:b6:49:ef:c0:10:13:c7:0a:78:4d:98:7d: + cb:84:a1:29:40:8c:dd:31:7d:ae:c4:f5:25:5d:b9:74:b2:f5: + e2:2b:e0:43:c8:50:61:a3:a8:26:1a:03:ab:1a:24:3b:13:56: + da:0d:ee:ff:2f:bd:d5:77:82:72:63:b8:aa:e1:18:f7:3b:c1: + a1:f8:51:b1:70:b9:25:39:df:a3:41:79:d7:2b:ec:32:f6:cb: + 30:28:d2:1e:f1:b4:e1:80:03:9f:c2:0f:36:85:82:5e:39:ba: + 9e:eb:67:76:42:93:bf:e0:df:64:b2:b5:5f:98:a1:45:3f:4a: + 1f:5c:c5:04:10:f6 +-----BEGIN CERTIFICATE----- +MIIEXTCCAsWgAwIBAgIIcLn06y+hlZkwDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNjIwMzQwOVoXDTIyMDkwNzIw +MzQwOVowKjEoMCYGA1UEAwwfc3J2MDEuY3J0MDItZXhwaXJlZC5leGFtcGxlLm5p +bDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOwsiAG1izp0Vg1Xs3X9 +BVgF7Yqr6CkO8VI0LiJibkF0/3gztP8Vc/rOkBCk/tJmFHsLeXvWIIj5QTEUmkk2 +jDh0S/PiUeflb71lOOacMIA/JFb2aJ4JdoFbWYFEVp8cP0jwlb9gQCnfrEI9w2+F +LcMOCLb3EipRAL/P/myu133ewXL4MgNfyT9K3uX6JJBG8EpfCdiTTL8cYUzS3Nts ++K9zW7c7euhtHLsmI0eH/VAGD/G1iIqoJWlX40Y70mtS+1oB9pbpKs8T5xZM/Vr2 +HwuN9yWjaNcV/FxISQXihSRwV7HYBSSuJjoAm3KoRwXF83wt8lhyN/vBi09Cj92a +rFuubyFirSmBuYtLbP9hmQ98CdNtACAtsQwAbJlMktwOES3nunvHyLGjGmH4zCyv 
+F7bbzDYC/vtmFXeEcM1CJbcWZCiunYyBhaDgUIKq6OmsUfwrY0SxCLiQ14wcI7Ib +CFmF1d05RPdHXkgINOss33VHCLa25jLtdnR3zj1N/gKxMwIDAQABozQwMjAwBgNV +HREEKTAngh9zcnYwMS5jcnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQKNQABMA0G +CSqGSIb3DQEBCwUAA4IBgQAqUsTLqS/3K+0EtQPVBlntXHy3AJ7EM5D+0LAY8/IG +MFQY/jTL6mFPnCNnPK7tIN+CUuxZiEWtPGynNCQcTWarcT1ZjO/NoOJ7WS1DlM31 +CjxOgSTo/cbQ/a1vzClbZwu37kM4pJHC2Tv41pe8kt3soauFNUT0Ct+tjYxSw0l+ +ORChE0N4ceKSqjE92ZQVf4bIqrShbb/rVbHXQW/DfYhenLexSw2nF08+SkY/b0gn +jNDlUfxCusW5T2NvLvL9DMBuI7RZk2ikLRbO9Hs6RR2gbpgL92rmdQzbVhlriPB/ +awj4/LvRPyUlGmyONMuRGFTVLc6c0LfDvLUK4Llzb02tazy2Se/AEBPHCnhNmH3L +hKEpQIzdMX2uxPUlXbl0svXiK+BDyFBho6gmGgOrGiQ7E1baDe7/L73Vd4JyY7iq +4Rj3O8Gh+FGxcLklOd+jQXnXK+wy9sswKNIe8bThgAOfwg82hYJeObqe62d2QpO/ +4N9ksrVfmKFFP0ofXMUEEPY= +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem new file mode 100644 index 0000000000..f546d35e7d --- /dev/null +++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959A.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010842 (0x70b9f4eb2fa1959a) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 8 08:20:17 2022 GMT + Not After : Aug 31 08:20:17 2052 GMT + Subject: CN=srv01.client01.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:ab:60:2e:9c:61:e3:89:c6:52:2b:bc:e9:e1:05: + fd:18:65:42:20:f6:56:16:40:33:d2:cb:9f:f7:ef: + 22:54:a7:c9:55:70:ca:52:f0:e2:a2:58:38:7f:10: + ad:2b:05:e0:11:b6:69:21:7f:2d:38:56:dd:d5:e4: + f3:de:a7:32:35:f7:33:2a:52:80:ae:b7:d6:7c:35: + 74:c3:0c:8a:c3:3a:18:61:68:73:62:58:56:ff:78: + 25:57:1c:7b:be:98:88:21:dd:1c:8a:13:a5:9a:52: + 48:98:d9:3d:c4:28:a6:7e:9b:11:56:7e:ce:09:bb: + 51:89:8a:a8:1b:00:b5:73:2b:41:93:b1:62:40:30: + 29:ea:f6:a3:e7:bc:f0:e9:9e:07:2b:ae:a9:a0:1d: + 4d:d9:f8:18:4d:83:47:4e:68:ee:57:c8:55:15:86: + 3c:6d:1e:f5:31:f1:de:cf:c2:7e:6b:8e:22:5a:c5: + 76:af:d0:01:de:ab:7a:03:b2:96:33:cc:a0:26:ae: + de:c4:bd:76:85:96:c7:88:e4:46:bc:3f:c6:54:c9: + 95:83:87:9c:49:0d:31:dd:c4:17:52:99:e4:65:49: + 9b:9d:f3:ad:ce:66:08:57:f4:83:be:5e:87:da:42: + 5a:01:2a:6d:68:d1:8d:38:d9:18:ae:5e:2e:54:72: + 8b:01:45:96:af:f5:a3:d0:29:5d:22:8b:b4:d4:30: + af:02:36:c5:2d:e9:29:eb:2c:ea:6a:7e:27:b3:70: + fc:87:1f:2b:c4:b1:3a:a6:c2:e9:b7:c2:6f:46:63: + b7:96:2e:53:d8:b7:cd:c3:f4:b5:6d:b2:fc:57:49: + ac:9f:98:c9:fe:b4:f5:7c:93:48:2e:93:dc:e9:18: + 54:63:5f:18:a3:e7:12:aa:fe:38:f0:73:e5:17:1e: + fe:40:65:81:a8:8f:60:46:c2:16:f2:a8:9d:b1:1b: + bc:ce:05:de:37:b2:a8:86:47:bd:8d:92:de:e0:e5: + 42:89:b8:e3:f8:b1:24:08:7e:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client01.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 07:97:69:51:12:50:6a:e1:02:a0:b0:dc:93:75:16:c4:38:0f: + 
5c:b3:47:da:bf:fa:9c:b6:de:c0:ef:38:f7:cc:d9:8d:71:ba: + 51:89:e5:48:36:dd:e1:f8:73:9d:92:80:1c:42:30:69:4f:8c: + 19:5d:f7:1d:03:e4:f2:76:e0:58:7b:c2:76:c4:0a:7e:20:69: + 26:6c:3e:cb:31:45:93:1d:07:5f:45:44:8e:5a:fb:87:17:7b: + 4d:5c:bf:37:bd:5e:ba:5c:22:84:bf:26:21:4a:c4:e9:f9:cb: + 73:de:fc:62:04:96:ad:aa:fd:89:09:5c:74:d6:bd:5f:07:17: + ef:9c:3d:ee:b7:dc:08:11:7f:12:66:ab:c4:ff:43:6d:7f:1e: + 01:b6:d1:19:73:53:18:e4:02:b0:7c:9e:99:63:d8:57:dd:07: + 79:fb:83:39:09:de:76:6e:68:b7:87:81:13:b8:26:e5:1c:c9: + a0:23:e5:97:39:ff:93:c7:8d:08:d8:ce:97:34:fc:ad:22:14: + 89:c0:ae:83:7d:0a:3f:cf:a0:9b:b4:6a:5c:b3:6d:5d:3b:88: + ca:1e:9b:99:54:64:57:58:3c:4c:bd:26:ee:11:c3:13:0b:1d: + f5:fd:d9:37:b0:31:72:6f:1d:e8:ba:43:37:46:f7:71:fe:6d: + 4a:30:33:29:c5:7b:37:8b:7e:06:22:89:a4:46:36:f0:fe:c6: + f5:f0:53:04:c0:35:52:78:6e:10:24:3a:d8:bf:7b:13:2f:98: + bc:69:31:41:68:02:5a:c4:f9:11:a2:6b:3f:c8:e0:d4:b3:80: + af:d2:be:fe:28:70:61:18:ed:8a:de:c4:cb:da:c9:60:94:91: + 76:63:69:8c:6e:96:f5:ba:e7:be:1e:1c:c3:84:b1:8d:e8:31: + f7:66:8c:0d:da:a8:78:57:19:fd:a0:8d:fa:9a:7e:51:1c:d1: + d0:84:07:a2:45:40:2d:c4:6b:e9:9f:86:4a:08:20:8f:9c:79: + 97:e3:7f:2a:14:73 +-----BEGIN CERTIFICATE----- +MIIEVTCCAr2gAwIBAgIIcLn06y+hlZowDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMCAXDTIyMDkwODA4MjAxN1oYDzIwNTIwODMx +MDgyMDE3WjAlMSMwIQYDVQQDDBpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbDCC +AaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKtgLpxh44nGUiu86eEF/Rhl +QiD2VhZAM9LLn/fvIlSnyVVwylLw4qJYOH8QrSsF4BG2aSF/LThW3dXk896nMjX3 +MypSgK631nw1dMMMisM6GGFoc2JYVv94JVcce76YiCHdHIoTpZpSSJjZPcQopn6b +EVZ+zgm7UYmKqBsAtXMrQZOxYkAwKer2o+e88OmeByuuqaAdTdn4GE2DR05o7lfI +VRWGPG0e9THx3s/CfmuOIlrFdq/QAd6regOyljPMoCau3sS9doWWx4jkRrw/xlTJ +lYOHnEkNMd3EF1KZ5GVJm53zrc5mCFf0g75eh9pCWgEqbWjRjTjZGK5eLlRyiwFF +lq/1o9ApXSKLtNQwrwI2xS3pKess6mp+J7Nw/IcfK8SxOqbC6bfCb0Zjt5YuU9i3 
+zcP0tW2y/FdJrJ+Yyf609XyTSC6T3OkYVGNfGKPnEqr+OPBz5Rce/kBlgaiPYEbC +FvKonbEbvM4F3jeyqIZHvY2S3uDlQom44/ixJAh+mQIDAQABoy8wLTArBgNVHREE +JDAighpzcnYwMS5jbGllbnQwMS5leGFtcGxlLm5pbIcECjUAATANBgkqhkiG9w0B +AQsFAAOCAYEAB5dpURJQauECoLDck3UWxDgPXLNH2r/6nLbewO8498zZjXG6UYnl +SDbd4fhznZKAHEIwaU+MGV33HQPk8nbgWHvCdsQKfiBpJmw+yzFFkx0HX0VEjlr7 +hxd7TVy/N71eulwihL8mIUrE6fnLc978YgSWrar9iQlcdNa9XwcX75w97rfcCBF/ +EmarxP9DbX8eAbbRGXNTGOQCsHyemWPYV90HefuDOQnedm5ot4eBE7gm5RzJoCPl +lzn/k8eNCNjOlzT8rSIUicCug30KP8+gm7RqXLNtXTuIyh6bmVRkV1g8TL0m7hHD +Ewsd9f3ZN7Axcm8d6LpDN0b3cf5tSjAzKcV7N4t+BiKJpEY28P7G9fBTBMA1Unhu +ECQ62L97Ey+YvGkxQWgCWsT5EaJrP8jg1LOAr9K+/ihwYRjtit7Ey9rJYJSRdmNp +jG6W9brnvh4cw4Sxjegx92aMDdqoeFcZ/aCN+pp+URzR0IQHokVALcRr6Z+GSggg +j5x5l+N/KhRz +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem new file mode 100644 index 0000000000..365b493f7e --- /dev/null +++ b/bin/tests/system/nsupdate/CA/newcerts/70B9F4EB2FA1959B.pem 
@@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8122792693893010843 (0x70b9f4eb2fa1959b) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=UA, ST=Kharkiv Oblast', L=Kharkiv, O=Internet Systems Consortium, CN=ca.test.example.com + Validity + Not Before: Sep 7 08:14:18 2022 GMT + Not After : Sep 8 08:14:18 2022 GMT + Subject: CN=srv01.client02-expired.example.nil + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (3072 bit) + Modulus: + 00:c0:11:27:17:25:3a:ad:85:a0:3b:59:0b:22:64: + 63:7d:bb:05:32:35:4f:68:d5:19:2b:cd:46:bd:e2: + b6:42:8c:08:cf:09:0d:a8:cd:58:d9:1b:77:db:17: + 8a:fc:f0:55:f2:e1:50:f4:fd:90:aa:49:15:5d:ea: + 9b:5a:47:c4:2f:82:07:46:87:f6:05:ef:15:02:a4: + 3c:a1:da:fc:5b:75:36:12:f7:12:50:55:f8:be:0c: + 7d:21:91:e2:92:d8:41:3f:71:fe:b2:17:c0:68:1d: + 09:be:fc:c4:24:ec:ef:d2:5c:52:a9:4f:d6:5d:30: + b8:ab:68:2e:39:e9:8b:5b:c6:f0:64:42:f7:b8:bd: + b2:90:32:22:68:bc:38:70:2f:14:ae:c8:7c:63:04: + d5:11:b2:0a:f1:8e:13:10:b2:3b:69:f4:fe:3a:e2: + f1:58:56:28:93:c1:28:aa:a7:19:c9:91:12:43:f8: + f5:1d:34:58:3d:32:9f:11:67:d1:1f:53:d4:e0:d5: + 0c:78:2c:6f:38:3f:e1:89:69:b5:09:3c:12:f4:a9: + ee:e5:2f:c5:47:65:a6:82:fa:ea:78:48:31:89:11: + b6:23:8a:27:ed:7c:1d:6d:e8:ab:a0:29:de:40:f4: + f2:9b:61:22:da:9c:22:32:f7:3d:f8:4c:e1:38:a7: + e2:c3:af:a4:67:7f:94:a4:fd:52:25:89:4d:f4:9a: + d6:35:ba:98:20:f1:4b:c9:a5:cf:ac:72:58:2a:cd: + 3b:4a:3e:e9:04:31:e2:9a:74:32:d5:52:60:34:ad: + 0c:85:02:65:58:41:74:2a:57:91:34:55:36:a9:14: + 5b:45:cc:28:27:d7:6d:ba:55:a3:dd:9f:00:04:a4: + 43:c2:af:5c:af:86:53:a6:d5:a7:49:aa:31:d6:5e: + 92:7d:26:dd:8d:f4:87:8a:9b:48:e8:25:f4:c7:34: + ca:cf:e3:f7:84:19:3b:43:c7:6a:b8:da:6e:6f:85: + af:8d:0c:fb:7c:ea:c7:73:9c:9b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:srv01.client02-expired.example.nil, IP Address:10.53.0.1 + Signature Algorithm: sha256WithRSAEncryption + 18:f1:7c:24:5b:d2:03:b0:60:0e:60:e6:32:f9:a7:47:d1:e4: + 
bd:3f:a3:21:53:90:84:9a:c6:2c:87:b2:16:28:95:07:a3:2a: + c3:33:8f:60:70:3f:26:58:be:ec:a2:6c:44:89:d3:4e:ef:bb: + ce:af:9b:5f:15:06:03:21:74:e3:6f:2a:dc:5c:19:4e:d3:cb: + ba:c3:5f:d8:76:89:59:50:82:69:5f:a1:ac:9f:be:79:e1:22: + 12:37:f9:d3:2e:00:35:03:03:9d:08:24:45:65:7a:e9:72:31: + e1:67:44:32:17:25:dd:b9:72:eb:c6:40:d7:5d:8d:5f:00:48: + 07:09:0d:3c:4c:a1:f1:05:4b:05:9b:2b:5a:21:09:46:f4:17: + 7a:cf:34:87:ad:bf:ef:bd:56:74:d7:1a:8f:07:ce:70:b1:aa: + 4d:82:4f:08:dc:56:27:f9:21:20:b8:06:c7:29:b4:8e:36:82: + b8:43:85:1c:2d:9f:be:2d:b9:9d:40:de:52:55:6a:2e:0b:28: + 33:fc:f8:1b:70:e9:c5:46:50:f3:05:be:8d:ed:99:ec:f1:8c: + 51:8a:1c:4b:95:f4:c4:dd:cd:42:74:bc:6f:66:64:54:b8:c1: + 6e:c8:3d:e9:fe:10:02:61:50:77:38:b9:b0:b8:13:37:8f:0e: + 5b:49:92:3a:9d:9a:60:51:68:99:8a:d5:7e:92:71:7e:fa:db: + 52:37:4d:f9:0d:6c:3b:79:a3:b9:16:b7:95:00:ea:eb:17:54: + e2:50:d7:a5:08:54:58:2c:79:66:01:4b:95:65:ed:b8:81:f7: + 4c:fa:f8:89:37:ad:d9:dc:c9:75:9d:02:3e:e5:92:b3:03:ab: + 70:69:83:f5:6c:a6:27:7e:2e:fc:9d:b2:59:0a:43:ad:3f:55: + 2f:5d:ec:ef:52:f0:3e:be:b5:d6:e2:c3:91:9d:dd:5d:e1:9e: + e6:18:90:0b:6a:85:f8:e3:83:2a:7c:91:c3:52:1c:6d:aa:2b: + 44:b8:6f:2b:af:6e +-----BEGIN CERTIFICATE----- +MIIEYzCCAsugAwIBAgIIcLn06y+hlZswDQYJKoZIhvcNAQELBQAwfTELMAkGA1UE +BhMCVUExGDAWBgNVBAgMD0toYXJraXYgT2JsYXN0JzEQMA4GA1UEBwwHS2hhcmtp +djEkMCIGA1UECgwbSW50ZXJuZXQgU3lzdGVtcyBDb25zb3J0aXVtMRwwGgYDVQQD +DBNjYS50ZXN0LmV4YW1wbGUuY29tMB4XDTIyMDkwNzA4MTQxOFoXDTIyMDkwODA4 +MTQxOFowLTErMCkGA1UEAwwic3J2MDEuY2xpZW50MDItZXhwaXJlZC5leGFtcGxl +Lm5pbDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMARJxclOq2FoDtZ +CyJkY327BTI1T2jVGSvNRr3itkKMCM8JDajNWNkbd9sXivzwVfLhUPT9kKpJFV3q +m1pHxC+CB0aH9gXvFQKkPKHa/Ft1NhL3ElBV+L4MfSGR4pLYQT9x/rIXwGgdCb78 +xCTs79JcUqlP1l0wuKtoLjnpi1vG8GRC97i9spAyImi8OHAvFK7IfGME1RGyCvGO +ExCyO2n0/jri8VhWKJPBKKqnGcmREkP49R00WD0ynxFn0R9T1ODVDHgsbzg/4Ylp +tQk8EvSp7uUvxUdlpoL66nhIMYkRtiOKJ+18HW3oq6Ap3kD08pthItqcIjL3PfhM +4Tin4sOvpGd/lKT9UiWJTfSa1jW6mCDxS8mlz6xyWCrNO0o+6QQx4pp0MtVSYDSt 
+DIUCZVhBdCpXkTRVNqkUW0XMKCfXbbpVo92fAASkQ8KvXK+GU6bVp0mqMdZekn0m +3Y30h4qbSOgl9Mc0ys/j94QZO0PHarjabm+Fr40M+3zqx3OcmwIDAQABozcwNTAz +BgNVHREELDAqgiJzcnYwMS5jbGllbnQwMi1leHBpcmVkLmV4YW1wbGUubmlshwQK +NQABMA0GCSqGSIb3DQEBCwUAA4IBgQAY8XwkW9IDsGAOYOYy+adH0eS9P6MhU5CE +msYsh7IWKJUHoyrDM49gcD8mWL7somxEidNO77vOr5tfFQYDIXTjbyrcXBlO08u6 +w1/YdolZUIJpX6Gsn7554SISN/nTLgA1AwOdCCRFZXrpcjHhZ0QyFyXduXLrxkDX +XY1fAEgHCQ08TKHxBUsFmytaIQlG9Bd6zzSHrb/vvVZ01xqPB85wsapNgk8I3FYn ++SEguAbHKbSONoK4Q4UcLZ++LbmdQN5SVWouCygz/PgbcOnFRlDzBb6N7Zns8YxR +ihxLlfTE3c1CdLxvZmRUuMFuyD3p/hACYVB3OLmwuBM3jw5bSZI6nZpgUWiZitV+ +knF++ttSN035DWw7eaO5FreVAOrrF1TiUNelCFRYLHlmAUuVZe24gfdM+viJN63Z +3Ml1nQI+5ZKzA6twaYP1bKYnfi78nbJZCkOtP1UvXezvUvA+vrXW4sORnd1d4Z7m +GJALaoX444MqfJHDUhxtqitEuG8rr24= +-----END CERTIFICATE----- diff --git a/bin/tests/system/nsupdate/CA/private/CA-other.key b/bin/tests/system/nsupdate/CA/private/CA-other.key new file mode 100644 index 0000000000..41818aacd8 --- /dev/null +++ b/bin/tests/system/nsupdate/CA/private/CA-other.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEA10Xj8dH8/XCfUvhdL/S3E10TnrYY8IIDBmU0lkUR5IHwgP9I +YVyR/0Mibg79FAs+rvuEDifUK+6wvkpj+BXNVZCspo9/u3cl7dqrLH+1SeUs50Oe +QnbbTrBl0PuNwvzEkbk7xwLlVDOyRmmvY/EEu7WkitQZgXSAYgttrk62CuJUQUmw +UTX5Jxndsjydk/zW/DiulTsX+zv8kG5NiwpXCfL6QxBoMZNI4fUmDL3bX1XfHaFA ++45GT2lHu07xc+cVeZIRCo0Nk+fIO53lDol8mmR8/5vna27gRnqEUSU7MZAMG6QB +Xkotnq3rHnrI/ku6dCJW4tbWV/ANQ+TG17g2tygzC/smqTuLqavyP9V5cRrdU9aw +Eqwvy8uVbGkTmUZdtjkGWCcmBSWJvkH3MRJmijS7rDcb8m/g9+xKe79V1c8durGW +vcfMRZZhWaoHyhnHg9+JLUCC3EUCp/1206w5vTXEQNpqi9Z3AZfgboPzJyji4OeY +fcQ5eaIZ3OuIpyQzAgMBAAECggGAD+vUWvsr2datgeZqhfR0YdM9czyGhasn7B4q +EH8VPrA5iGDZCpJdHeLqNfeX0hau0SQ69Q0PDRy/J6O61wtNv2lOy5bLXKMIRBor +FMRxNQDlHEmM999wgtZbAWTJbEVjiF+Jw0M8kMiuA7UnSp31uqhJfhcHt+JU6Gtt +9jlOD2oDzzxS9P6n6bNpCRigkuRdRhQvHUxcjrE2EbyGsaTXIR4+Uh1xh1EcT9Hg +uYqFIfzo3nkhpDk2jAL+UiUZiHfrpO6OfqpNQj27jju/35DT+2hgGuS2JApzpi91 +gJSDXwsDQYdP2a2B0y3K0+HwC7/YovAzlXkfes06ebtsiG4Nzl15vnKaTbON0vZO +7jMkedmstKaLGM5PlLW0afls5ahr0dtrhWFs+1QKcv1JahcfeEvggeH9/gtjpunM +MT31VuYbwleWAsRxjGG3OWKLgst4cJXqGTdM21JzBDOP43/ZIaaedl43jJzIgIM5 +b4ae9DrhsTNIboYO20XYdwtn9Q2pAoHBAPLO1xTWfqpCwZU6udtX73jMfpwhGlWW +0jqg9gvxs9Neg4nfYMtiliBS5VT+6oID8YSKOSWXHWFGFkBN5hqfGbu5Nd94rY0J +g6UYgGOAcNfoGOTpI2xljpEWJJfquTFgbajwFg+q3p6mL1zShkzvf6hzqENxbLxy +OvEPkszN6cy16jgEUv5qK9qNf7ISB8Ki3yFSKAfuRlapny3TcRTYkJNZ0y398/sG +E5vqrrYyjUWv5Uwz0mHmZpmZuZuaUJxtlwKBwQDi+BKnIiYYwdJPmCNCykRJB02Z +QZlxtnrrajxZsXHysTopX5HkOQH80VSbH6fj287qX7vV0ux2maFLoszjM0wtfQhE +8fsuKRPfzxR0cFtPFtncCHI5FVT2MOsdz5dZ8BsinCgsVlZ3SrUC9gxPKpVdRd21 +OUC3r+tOPvM0gdfyT560GDLhaH12iOA5KtWnE3FIEpk6y95D1a4E7zu4ZaoI98UU +F8ezSREzF9UzAcdVn8MA3v82nlGQS8iFI9mHicUCgcACWkS1O/rQNYNgqcgBOxHj +7r9PTfbOW36/+K1JolbmtmS54kMy1Uq1F3iHYUzuY5Fkgl5ZYeRz+9TdXKPdICuE +qR+/gZDU7AGtiNY9oJH3VZVgKm4gb7944mkKW8jdlJybZXAhSLuNd/i/gn6woiVv +gWdg9+lgzg6KJWd7uocIZ77UOh5/vpGcNYDGPex7U06sKPqgUQu3bT9Ql1riI9MK +ynUEXhCOHxnzicuVklnSEgk7usjQEAZweI/W1SDw0xMCgcEAm9BQBdsEqlRNDAVW 
+l6CB9lyEIiUNsSnkAr9AxRZzMngGhKauYi3ctnICkifOOzgIOZAVRDpzyQu41lLi +M0thDY1bYvF4TX03vprL4Q/NL2NxloNZ3uRNGmIE1sdPkRermTv4vE9dNrHbyDef +xa1nMswm4yV1z2R+to2yqqZE2H1eZyaBr4rrLrfSroxAdl17lE3oUZvpb0o/F/Yg +Wnu4mkV2T0/v8Z3Ep/3BiC29aYOu/Gcab6WKOvQ7qWMuD8U9AoHBAJslXJMsMZVc +UIaxRbknRMEBRBJW6X6EPbV3zGa+R9e9XRSG7jYSOWB9Yb2AbwjsvF4Qq+8VQq+V +Ksxs7XOuwR202oZFzQDMoVj1LL4Cn60rRWlI+p6Q5SB2DQVo2kulTv1NtvdVR+U0 +ABa0xp5TKi7+jTY/e3CJGiT69sZc7v2VXptoiGytlUl9GVr0SImD1ZJdaJSJCPZX +S+cEzfF6LVnnhlaq4puuv/vKjumNWDymv3zwZOy9D8nn/tMHqLKWSg== +-----END RSA PRIVATE KEY----- diff --git a/bin/tests/system/nsupdate/CA/private/CA.key b/bin/tests/system/nsupdate/CA/private/CA.key new file mode 100644 index 0000000000..2d5419d89a --- /dev/null +++ b/bin/tests/system/nsupdate/CA/private/CA.key 
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAouoRHoAc6VCmxNTU6Ge7s+xDFGO0wXJJIsP+8nUyyjWvGCOC +aQYLhb1kLA2NHRhSSKFcMh8jcd7Hlvy6CAec1j2dsWzryy3HgPrdjWaW3PfBO41D +lUtdt8hA/p6pX2YwqvWbdK/3s8J0LY5xRZKNZnFOB/Sb4PGiIJ1NgMRO/M3IlPQm +PO/faRRTU4SI26KCPKFW342826Zi88YwOd6w5mQU4fskk5TGtlNqE+Fj40ZbWVpy +VXoEUS6RveRp020NX5CQG49SLtdF05AnnsATqmgNVCXptGuqW8uaHRONeGO3NBEy +nJmibWBDUMjtCCcGVgyrVXuTkyAJJWpImnshUwgMNYebRwmC2iVv2LtsJS5eUTUH +EWffnFl55XU2PkyNYgY35gA4y3SiWFJYV8+5FibU4ut0nb+lmHBF8WlqcU/kd3tp +Gkf0exjqOIHZFqV9bIhpUbXhxx9v9+gkkGQ9nrXE1KRlvigxxUeIK5xHy9a7fVIL +wo6WuCnLLJmbVkklAgMBAAECggGBAI5ZV3v/FUQIZK+4CBDKEwizeClotZgR9DWc +bDgOj8KABe5hmKGL1qWVRuH3NUYm6j7sP1LMQnxM3LjhOuupOzE3xYIyWhW+eoQI +r23OJiQNl5ohZNweblUXdTMGD5h8AipfUOY0m4tGbZ0gyXixBTxt5HCvG0UB3VgC +GqZY4Wujo5ADhSXZsqxuRiDDvZGr/YBcuTu87Tg/ulam5ZyrKIcnC9gpSVxqsva9 +DAMy/cSoxUjd7ukhJISK3G3AF3fV4GSslQcJTlyJ2D3+LnqPuHJKYTI4hc46lN3x +E2g24GdSCPYf6SoEPwACXtbavV8TXwQPJrHN+f+0/ePCI4jkYe5NoA3gwVgMb/WB +wFchxzVh3V4e8tPGiG+ofKl81DSAW8VZCJLUIbTEce9oxafPT78WJxdC0wWbh5S8 +V/qN6sW/yWnK3oY9SilWhJGRwKOZ+8xtStaDeCzyCaOqEcWi8ZR0QfC33UozlhdC +SrMKnOXmn/rUuXGrVR56IzIl0M7YAQKBwQDM3GJDdlFuHn6L0syKYdHDS8gXD9ke +s+ochIP6jvkEPcayaEoZGl8s7RT3iztqXod7wLaZdotktxfDAZnJfeuOcVrCu+Bx +HLytnBvV6czMfp3REGgQAJQeusSgtlBCTHHVOsDzIjdnkY3WBa7IiFYWO5wnYrGx +r3ucnwnHaUVDMj1r4YI7mYIpCuYQl6eGyW7mhWewyhVwoQXKbifdrXxjvOigL0Cp +tgsoU9pql3hpphOaYMX6hLOincTfaMxfnCECgcEAy5UXp3dA0OwK+4iDGKr+cUpk +AtGTheiE+8zEVh2KYFLt921mW/QZiB1+xtnkknp3c7u07Ugk8jAEXzCkwMnN5ZCx +LrJ72fC+cLIAbRm6/vMMP8iz83wyttao4qNMeoOBBfE9rEiP+lrugpv282V3ZHYa +IUZWTeugJbckUHTbD3RZQExmQcRVG3m/TzonBfoZ8HoRj/n3d7V2T911cHUhi8Xn +RQIi2m63VofOIep86LgartlKneMWnL0oOPq4RKyFAoHAZUzpDkD4nUJZAx025Yrf +ZfoYNEcy7vq6XmWsuX5vZoiBs4DcezNOMvH9NzdTJxMdXbV61cIHxcK/7j7hZABv +NZ2Z6sdqgaRbLGIQZaPaEJjfwxygyKDwnY1vY6UjZNVWSMFn3hJiYUVZZKakuiao +ow/Q9KzZ/2ot7tG5zTCh/ktekfUOKBiNg2wPPc8wGPeMblMzZflXxrzpFyOHdRev +dcZZJbSX/hO1yrhEPgculNd5xBHsdCegiF4JlwvEW9bhAoHAZQQiy5bx03j8bhkr 
+q6bVQFPAUmG5iL16lxLg7TYVPnyH1bk0DDaQIKk6CeN+dmxML2IZgY/FvWK0GKOj +bIH2J43nTRuFNvwtEvBQI9KbpfvlvRSSriOXaoATJvoObdAoylEM4BrVTk2mgapw +HA/h8Thk+NPU6S8ctPouC7ogJIf/7Va7erC35j0//0kEqgOSsW9wnXdUItMo1LI3 +nsiQD7Hwcp5/utErKcWTM+MNfdA0dUQesT9ILhfyCGvn2TOdAoHBAKldZkDyRcu9 +r9uDF1bhUEnpV2k4hgvTuCvQ3rzyx3WrVT8ChEmePC8Ke5A54ffu/YdbpDLbdf2c +j4n5CQhHbMIZs3P2hB3WqDCImApCfMbXaltfBbaT0j7uLJPMp+2+f/wWYpc3R+bn +HVnaRI2PoXXmG9OjQSQdVZ5gNpkEuemAo3dJOSS6BMqQaSxUynGy7o/a/d4izBjd +B58Fwq3sZI/Xv90Se9+b6ICST3YJ3p0vn8RKzmlCQjLg/xynpCByiw== +-----END RSA PRIVATE KEY----- diff --git a/bin/tests/system/nsupdate/CA/serial b/bin/tests/system/nsupdate/CA/serial new file mode 100644 index 0000000000..0a263a531a --- /dev/null +++ b/bin/tests/system/nsupdate/CA/serial @@ -0,0 +1 @@ +70B9F4EB2FA1959C diff --git a/bin/tests/system/nsupdate/dhparam3072.pem b/bin/tests/system/nsupdate/dhparam3072.pem new file mode 100644 index 0000000000..9c2e0aa42b --- /dev/null +++ b/bin/tests/system/nsupdate/dhparam3072.pem @@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K +3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab +EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os +O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H +0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR +JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp +eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ +vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX +GKz9+uk5eS6jAgEC +-----END DH PARAMETERS----- diff --git a/bin/tests/system/nsupdate/ns1/named.conf.in b/bin/tests/system/nsupdate/ns1/named.conf.in index 36e7b5910a..30c2ff84da 100644 --- a/bin/tests/system/nsupdate/ns1/named.conf.in +++ b/bin/tests/system/nsupdate/ns1/named.conf.in 
@@ -11,14 +11,48 @@
  * information regarding copyright ownership.
  */
 
+tls tls-forward-secrecy {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt01.example.nil.key";
+ cert-file "../CA/certs/srv01.crt01.example.nil.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+tls tls-forward-secrecy-mutual-tls {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt01.example.nil.key";
+ cert-file "../CA/certs/srv01.crt01.example.nil.pem";
+ dhparam-file "../dhparam3072.pem";
+ ca-file "../CA/CA.pem";
+};
+
+tls tls-expired {
+ protocols { TLSv1.2; };
+ ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+ prefer-server-ciphers yes;
+ key-file "../CA/certs/srv01.crt02-expired.example.nil.key";
+ cert-file "../CA/certs/srv01.crt02-expired.example.nil.pem";
+ dhparam-file "../dhparam3072.pem";
+};
+
+
 options {
 query-source address 10.53.0.1 dscp 1;
 notify-source 10.53.0.1 dscp 22;
 transfer-source 10.53.0.1 dscp 3;
 port @PORT@;
+ tls-port @TLSPORT@;
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.1; 127.0.0.1; };
+ listen-on tls ephemeral { 10.53.0.1; };
+ listen-on port @EXTRAPORT1@ tls tls-forward-secrecy { 10.53.0.1; };
+ listen-on port @EXTRAPORT2@ tls tls-forward-secrecy-mutual-tls { 10.53.0.1; };
+ listen-on port @EXTRAPORT3@ tls tls-expired { 10.53.0.1; };
 listen-on-v6 { none; };
 recursion no;
 notify yes;
diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in
index f28c90bded..397501a352 100644
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
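Review bot: The three new `tls` blocks carry no comment saying which client-side scenario each one exists for, so a reader has to cross-reference tests.sh to see why only `tls-forward-secrecy-mutual-tls` has `ca-file` and why `tls-expired` loads `srv01.crt02-expired`. A one-line comment per block would make the intent self-contained, e.g. `// strict TLS: server certificate only, no client certificate requested` above the first, `// mutual TLS: ca-file makes named require and verify a client certificate` above the second, and `// negative test: deliberately serves a certificate past its Not After date` above the third. The `protocols`/`ciphers`/`prefer-server-ciphers`/`dhparam-file` lines are repeated verbatim in all three blocks; a short comment noting that only the key, cert and ca-file lines are meant to differ would make accidental drift between them easier to spot in review.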
@@ -16,9 +16,11 @@ options {
 notify-source 10.53.0.10;
 transfer-source 10.53.0.10;
 port @PORT@;
+ tls-port @TLSPORT@;
 pid-file "named.pid";
 session-keyfile "session.key";
 listen-on { 10.53.0.10; };
+ listen-on tls ephemeral { 10.53.0.10; };
 recursion no;
 notify yes;
 minimal-responses no;
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 3ae78a8c9d..10fde1ecad 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -738,7 +738,7 @@ grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
 n=$((n + 1))
 ret=0
 echo_i "check 'grant' in deny name + grant subdomain ($n)"
-$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1
 key $DEFAULT_HMAC:subkey 1234abcd8765
 server 10.53.0.9 ${PORT}
 zone denyname.example
@@ -752,7 +752,7 @@ grep "added" dig.out.ns9.test$n > /dev/null || ret=1
 n=$((n + 1))
 ret=0
 echo_i "check 'deny' in deny name + grant subdomain ($n)"
-$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+$NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1
 key $DEFAULT_HMAC:subkey 1234abcd8765
 server 10.53.0.9 ${PORT}
 zone denyname.example
@@ -838,6 +838,182 @@ if [ $ret -ne 0 ]; then
 status=1
 fi
 
+n=$((n + 1))
+ret=0
+echo_i "check DoT (opportunistic-tls) ($n)"
+$NSUPDATE -D -S -O -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.1 ${TLSPORT}
+update add dot-non-auth-client-o.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client-o.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.1 ${EXTRAPORT1}
+update add dot-non-auth-client.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-non-auth-client.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (strict-tls) with an implicit hostname (by IP address) ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.1 ${EXTRAPORT1}
+update add dot-fs.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fs.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (strict-tls) with a correct hostname ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.nil -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.1 ${EXTRAPORT1}
+update add dot-fs-h.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (strict-tls) with an incorrect hostname (failure expected) ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -H srv01.crt01.example.bad -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.1 ${EXTRAPORT1}
+update add dot-fs-h-bad.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fs-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (strict-tls) with a wrong authority (failure expected) ($n)"
+$NSUPDATE -D -S -A CA/CA-other.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.1 ${EXTRAPORT1}
+update add dot-fs-auth-bad.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fs-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (mutual-tls) with a valid client certificate ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.1 ${EXTRAPORT2}
+update add dot-fsmt.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (mutual-tls) with a valid client certificate but with an incorrect hostname (failure expected) ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -H srv01.crt01.example.bad -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.1 ${EXTRAPORT2}
+update add dot-fsmt-h-bad.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-h-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (mutual-tls) with a valid client certificate but with a wrong authority (failure expected) ($n)"
+$NSUPDATE -D -S -A CA/CA-other.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/client01.crt01.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.1 ${EXTRAPORT2}
+update add dot-fsmt-auth-bad.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-auth-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (mutual-tls) with an expired client certificate (failure expected) ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client02-expired.example.nil.key -E CA/certs/srv01.client02-expired.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.1 ${EXTRAPORT2}
+update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
+n=$((n + 1))
+ret=0
+echo_i "check DoT (mutual-tls) with a valid client certificate and an expired server certificate (failure expected) ($n)"
+$NSUPDATE -D -S -A CA/CA.pem -K CA/certs/srv01.client01.example.nil.key -E CA/certs/srv01.client01.example.nil.pem -k ns1/ddns.key <nsupdate.out.test$n 2>&1 && ret=1
+server 10.53.0.1 ${EXTRAPORT3}
+update add dot-fsmt-exp-bad.example.nil. 600 A 10.10.10.3
+send
+END
+sleep 2
+$DIG $DIGOPTS +short @10.53.0.1 dot-fsmt-exp-bad.example.nil >dig.out.test$n 2>&1 || ret=1
+grep -F "10.10.10.3" dig.out.test$n >/dev/null 2>&1 && ret=1
+if [ $ret -ne 0 ]; then
+ echo_i "failed"
+ status=1
+fi
+
 n=$((n + 1))
 ret=0
 echo_i "check TSIG key algorithms (nsupdate -k) ($n)"
@@ -1026,7 +1202,7 @@ grep "bad name" nsupdate.out4-$n > /dev/null && ret=1
 n=$((n + 1))
 echo_i "check adding of delegating NS records processing ($n)"
 ret=0
-$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.3 ${PORT}
 zone delegation.test.
 update add child.delegation.test. 3600 NS foo.example.net.
@@ -1041,7 +1217,7 @@ grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
 n=$((n + 1))
 echo_i "check deleting of delegating NS records processing ($n)"
 ret=0
-$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1
+$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 || ret=1
 server 10.53.0.3 ${PORT}
 zone delegation.test.
 update del child.delegation.test. 3600 NS foo.example.net.
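Review bot: Two consecutive new tests carry the identical label `check DoT (strict-tls) with an implicit hostname (by IP address)`, and their nsupdate invocations and ports are the same apart from the record name (`dot-non-auth-client` vs `dot-fs`), so the second looks like a copy that either duplicates the first or lacks the options that would make it a distinct forward-secrecy check; its `echo_i` line should state what it actually exercises. In the mutual-TLS wrong-authority test the client certificate is given as `-E CA/certs/client01.crt01.example.nil.pem`, whereas every other mutual-TLS test in this hunk uses `CA/certs/srv01.client01.example.nil.pem`; because that test expects nsupdate to fail, a misnamed or missing certificate file would let it pass without the CA check ever being exercised, so the path should be aligned with the others. The last two negative tests both add `dot-fsmt-exp-bad.example.nil`, so the expired-server-certificate test cannot distinguish its own leak from the expired-client-certificate test's; giving it its own name (e.g. `dot-fsmt-srv-exp-bad.example.nil`) keeps the two independent. None of the failure-expected tests check why nsupdate failed, so a TLS verification failure is indistinguishable from a connection timeout; grepping `nsupdate.out.test$n` for the TLS error text would make those checks meaningful.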
@@ -1055,13 +1231,13 @@ grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
 n=$((n + 1))
 echo_i "check that adding too many records is blocked ($n)"
 ret=0
-$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
+$NSUPDATE -v << EOF > nsupdate.out.test$n 2>&1 && ret=1
 server 10.53.0.3 ${PORT}
 zone too-big.test.
 update add r1.too-big.test 3600 IN TXT r1.too-big.test
 send
 EOF
-grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
+grep "update failed: SERVFAIL" nsupdate.out.test$n > /dev/null || ret=1
 $DIG $DIGOPTS +tcp @10.53.0.3 r1.too-big.test TXT > dig.out.ns3.test$n
 grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
 grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
@@ -1070,14 +1246,14 @@ grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null ||
 n=$((n + 1))
 ret=0
 echo_i "check whether valid addresses are used for primary failover ($n)"
-$NSUPDATE -t 1 < nsupdate.out-$n 2>&1 && ret=1
+$NSUPDATE -t 1 < nsupdate.out.test$n 2>&1 && ret=1
 server 10.53.0.4 ${PORT}
 zone unreachable.
 update add unreachable. 600 A 192.0.2.1
 send
 END
-grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out-$n > /dev/null 2>&1 || ret=1
-grep "not implemented" nsupdate.out-$n > /dev/null 2>&1 && ret=1
+grep "; Communication with 10.53.0.4#${PORT} failed: timed out" nsupdate.out.test$n > /dev/null 2>&1 || ret=1
+grep "not implemented" nsupdate.out.test$n > /dev/null 2>&1 && ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
 n=$((n + 1))
@@ -1141,39 +1317,39 @@ grep "syntax error" nsupdate.out > /dev/null && ret=1 n=$((n + 1)) ret=0 echo_i "check nsupdate -4 -6 ($n)" -$NSUPDATE -4 -6 < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -4 -6 < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send END -grep "only one of -4 and -6 allowed" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +grep "only one of -4 and -6 allowed" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) ret=0 echo_i "check nsupdate -4 with an IPv6 server address ($n)" -$NSUPDATE -4 < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -4 < nsupdate.out.test$n 2>&1 && ret=1 server fd92:7065:b8e:ffff::2 ${PORT} zone delegation.test. update del child.delegation.test. 3600 NS foo.example.net. update del child.delegation.test. 3600 NS bar.example.net. send END -grep "address family not supported" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +grep "address family not supported" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) ret=0 echo_i "check that TKEY in a update is rejected ($n)" -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} update add tkey.example 0 in tkey invalid.algorithm. 1516055980 1516140801 1 0 16 gRof8D2BFKvl/vrr9Lmnjw== 16 gRof8D2BFKvl/vrr9Lmnjw== send END -grep "UPDATE, status: NOERROR" nsupdate.out-$n > /dev/null 2>&1 || ret=1 -grep "UPDATE, status: FORMERR" nsupdate.out-$n > /dev/null 2>&1 || ret=1 +grep "UPDATE, status: NOERROR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 +grep "UPDATE, status: FORMERR" nsupdate.out.test$n > /dev/null 2>&1 || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) 
@@ -1243,7 +1419,7 @@ grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 nextpart ns3/named.run > /dev/null # specify zone to override the default of adding to parent zone -$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C @@ -1262,7 +1438,7 @@ echo_i "check that CDS with mismatched algorithm to DNSSEC multisigner zone is n $DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 14 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C @@ -1282,7 +1458,7 @@ $DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 nextpart ns3/named.run > /dev/null -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 14 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== 
@@ -1301,7 +1477,7 @@ echo_i "check that CDS to DNSSEC multisigner zone is allowed ($n)" $DIG $DIGOPTS +tcp +norec multisigner.test CDS @10.53.0.3 > dig.out.pre.test$n || ret=1 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDS 14364 13 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C @@ -1316,7 +1492,7 @@ echo_i "check that CDNSKEY to DNSSEC multisigner zone is allowed ($n)" $DIG $DIGOPTS +tcp +norec multisigner.test CDNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1 grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1 grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1 -$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 || ret=1 server 10.53.0.3 ${PORT} zone multisigner.test update add multisigner.test 3600 IN CDNSKEY 257 3 13 d0NQ5PKmDz6P0B1WPMH9/UKRux/toSFwV2nTJYPA1Cx8pB0sJGTXbVhG U+6gye7VCHDhGIn9CjVfb2RJPW7GnQ== @@ -1328,12 +1504,12 @@ retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1 n=$((n + 1)) ret=0 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)" -$NSUPDATE -d < nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -d < nsupdate.out.test$n 2>&1 && ret=1 server 10.53.0.3 ${PORT} zone example update add example 0 in NSEC3PARAM 1 0 151 - END -grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out-$n >/dev/null || ret=1 +grep "NSEC3PARAM has excessive iterations (> 150)" nsupdate.out.test$n >/dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } n=$((n + 1)) 
@@ -1344,13 +1520,13 @@ echo_i "check nsupdate retries with another server on REFUSED response ($n)" # that's what we're testing for. (failure is still expected, however, # because the address lookup for the primary doesn't use the overridden # resolv.conf file). -$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out-$n 2>&1 && ret=1 +$NSUPDATE -D -C resolv.conf -p ${PORT} << EOF > nsupdate.out.test$n 2>&1 && ret=1 zone example update add a 3600 IN A 1.2.3.4 send EOF -grep '10.53.0.1.*REFUSED' nsupdate.out-$n > /dev/null || ret=1 -grep 'Reply from SOA query' nsupdate.out-$n > /dev/null || ret=1 +grep '10.53.0.1.*REFUSED' nsupdate.out.test$n > /dev/null || ret=1 +grep 'Reply from SOA query' nsupdate.out.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } if ! $FEATURETEST --gssapi ; then @@ -1361,7 +1537,7 @@ else echo_i "check krb5-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1379,7 +1555,7 @@ EOF echo_i "check krb5-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1387,7 +1563,7 @@ EOF update add foo.example.com 3600 IN A 10.53.0.7 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 foo.example.com A > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } 
@@ -1397,7 +1573,7 @@ EOF echo_i "check krb5-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1415,7 +1591,7 @@ EOF echo_i "check krb5-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1423,7 +1599,7 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 _xxx._udp.example.com SRV > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1433,7 +1609,7 @@ EOF echo_i "check krb5-subdomain-self-rhs match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1451,7 +1627,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no-match PTR ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1459,7 +1635,7 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 5.3.2.1.in-addr.arpa PTR > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1469,7 +1645,7 @@ EOF echo_i "check krb5-subdomain-self-rhs match SRV ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1487,7 +1663,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no listed types match (SRV & TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1507,7 +1683,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no-match RDATA (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1515,7 +1691,7 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com SRV > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } 
@@ -1525,7 +1701,7 @@ EOF echo_i "check krb5-subdomain-self-rhs no-match TYPE (TXT) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1533,7 +1709,7 @@ EOF update add _yyy.self-srv.example.com 3600 IN TXT a-txt-record send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 _yyy.self-srv.example.com TXT > dig.out.ns7.test$n grep "status: NXDOMAIN" dig.out.ns7.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1546,7 +1722,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1563,7 +1739,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1571,7 +1747,7 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 
@@ -1585,7 +1761,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1602,7 +1778,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1610,7 +1786,7 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 @@ -1624,7 +1800,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1641,7 +1817,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} 
@@ -1649,7 +1825,7 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.srv.self-srv.example.com SRV > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 @@ -1663,7 +1839,7 @@ EOF grep "ANSWER: 1," dig.out.ns7.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1680,7 +1856,7 @@ EOF echo_i "check krb5-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns7/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.7 ${PORT} @@ -1688,7 +1864,7 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.7 many.any.self-srv.example.com SRV > dig.out.ns7.test$n grep "status: NOERROR" dig.out.ns7.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns7.test$n > /dev/null || ret=1 @@ -1699,7 +1875,7 @@ EOF echo_i "check krb5-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} 
@@ -1717,7 +1893,7 @@ EOF echo_i "check krb5-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns8/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.8 ${PORT} @@ -1725,7 +1901,7 @@ EOF update add foo.example.com 3600 IN A 10.53.0.8 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.8 foo.example.com A > dig.out.ns8.test$n grep "status: NXDOMAIN" dig.out.ns8.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1735,7 +1911,7 @@ EOF echo_i "check ms-self match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1753,7 +1929,7 @@ EOF echo_i "check ms-self no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1761,7 +1937,7 @@ EOF update add foo.example.com 3600 IN A 10.53.0.9 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.9 foo.example.com A > dig.out.ns9.test$n grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1771,7 +1947,7 @@ EOF echo_i "check ms-subdomain match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} 
@@ -1789,7 +1965,7 @@ EOF echo_i "check ms-subdomain no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns9/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.9 ${PORT} @@ -1797,7 +1973,7 @@ EOF update add _xxx._udp.example.com 3600 IN SRV 0 0 0 machine.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.9 _xxx._udp.example.com SRV > dig.out.ns9.test$n grep "status: NXDOMAIN" dig.out.ns9.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1807,7 +1983,7 @@ EOF echo_i "check ms-subdomain-self-rhs match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1825,7 +2001,7 @@ EOF echo_i "check ms-subdomain-self-rhs no-match (PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1833,7 +2009,7 @@ EOF update add 5.3.2.1.in-addr.arpa 3600 IN PTR notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 5.3.2.1.in-addr.arpa PTR > dig.out.ns10.test$n grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } 
@@ -1843,7 +2019,7 @@ EOF echo_i "check ms-subdomain-self-rhs match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1861,7 +2037,7 @@ EOF echo_i "check ms-subdomain-self-rhs no-match (SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1869,7 +2045,7 @@ EOF update add _yyy.self-srv.example.com 3600 IN SRV 0 0 0 notme.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 _yyy.self-srv.example.com SRV > dig.out.ns10.test$n grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } @@ -1882,7 +2058,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1899,7 +2075,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -1907,7 +2083,7 @@ EOF update delete many.srv.self-srv.example.com SRV send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.srv.self-srv.example.com SRV > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 @@ -1921,7 +2097,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1938,7 +2114,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1946,7 +2122,7 @@ EOF update delete many.ptr.self-ptr.in-addr.arpa PTR send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.ptr.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 @@ -1960,7 +2136,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} 
@@ -1977,7 +2153,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -1985,7 +2161,7 @@ EOF update delete many.any.self-ptr.in-addr.arpa send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-ptr.in-addr.arpa PTR > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 @@ -1999,7 +2175,7 @@ EOF grep "ANSWER: 1," dig.out.ns10.pre.test$n > /dev/null || ret=1 KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2016,7 +2192,7 @@ EOF echo_i "check ms-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2024,7 +2200,7 @@ EOF update delete many.any.self-srv.example.com send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 many.any.self-srv.example.com SRV > dig.out.ns10.test$n grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 grep "ANSWER: 2," dig.out.ns10.test$n > /dev/null || ret=1 
@@ -2035,7 +2211,7 @@ EOF echo_i "check ms-selfsub match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE -d << EOF > nsupdate.out-$n 2>&1 || ret=1 + $NSUPDATE -d << EOF > nsupdate.out.test$n 2>&1 || ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2053,7 +2229,7 @@ EOF echo_i "check ms-selfsub no-match ($n)" KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" export KRB5CCNAME - $NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1 + $NSUPDATE << EOF > nsupdate.out.test$n 2>&1 && ret=1 gsstsig realm EXAMPLE.COM server 10.53.0.10 ${PORT} @@ -2061,11 +2237,28 @@ EOF update add foo.example.com 3600 IN A 10.53.0.10 send EOF - grep "update failed: REFUSED" nsupdate.out-$n > /dev/null || ret=1 + grep "update failed: REFUSED" nsupdate.out.test$n > /dev/null || ret=1 $DIG $DIGOPTS +tcp @10.53.0.10 foo.example.com A > dig.out.ns10.test$n grep "status: NXDOMAIN" dig.out.ns10.test$n > /dev/null || ret=1 [ $ret = 0 ] || { echo_i "failed"; status=1; } + n=$((n + 1)) + ret=0 + echo_i "check ms-selfsub match using DoT (opportunistic-tls) ($n)" + KRB5CCNAME="FILE:$(pwd)/ns10/machine.ccache" + export KRB5CCNAME + $NSUPDATE -d -S -O << EOF > nsupdate.out.test$n 2>&1 || ret=1 + gsstsig + realm EXAMPLE.COM + server 10.53.0.10 ${TLSPORT} + zone example.com + update add dot.machine.example.com 3600 IN A 10.53.0.10 + send +EOF + $DIG $DIGOPTS +tcp @10.53.0.10 dot.machine.example.com A > dig.out.ns10.test$n + grep "status: NOERROR" dig.out.ns10.test$n > /dev/null || ret=1 + grep "dot.machine.example.com..*A.*10.53.0.10" dig.out.ns10.test$n > /dev/null || ret=1 + [ $ret = 0 ] || { echo_i "failed"; status=1; } fi echo_i "exit status: $status" From bd8299d7b501234263a6aee98049f879b1c700b7 Mon Sep 17 00:00:00 2001 
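Review bot: The new "ms-selfsub match using DoT (opportunistic-tls)" case at the end of the `@@ -2061,11 +2237,28 @@` hunk only shows that a GSS-TSIG update succeeds over the `-S -O` transport; since `-O` disables server certificate verification, it covers none of the peer-authentication behaviour DoT adds, and `nsupdate.out.test$n` is never inspected. Consider a second variant that runs the same update with `-S -A CA/CA.pem` (strict TLS, as the ns1 tests earlier in this file do) if ns10 is provisioned with a CA-issued certificate, or at least a comment such as `# transport-only check: -O skips certificate verification` so nobody reads this as a DoT authentication test. The earlier DoT cases also `sleep 2` before the verifying `$DIG`, while this one queries immediately; if the update is applied asynchronously this may be flaky, though I cannot see from the hunk whether the plain ms-selfsub case also waits. `${TLSPORT}` is presumably exported by the harness the way `${EXTRAPORT3}` is for ns1; worth confirming.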
From: Aram Sargsyan Date: Wed, 21 Sep 2022 15:05:11 +0000 Subject: [PATCH 4/6] Document nsupdate options related to DoT Add documentation for the newly implemented DoT feature of the nsupdate program. --- bin/nsupdate/nsupdate.rst | 48 +++++++++++++++++++++++++++++++++- doc/man/nsupdate.1in | 54 ++++++++++++++++++++++++++++++++++++++- 2 files changed, 100 insertions(+), 2 deletions(-) diff --git a/bin/nsupdate/nsupdate.rst b/bin/nsupdate/nsupdate.rst index 17ab96d421..8ce42b2f66 100644 --- a/bin/nsupdate/nsupdate.rst +++ b/bin/nsupdate/nsupdate.rst @@ -19,7 +19,7 @@ nsupdate - dynamic DNS update utility Synopsis ~~~~~~~~ -:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename] +:program:`nsupdate` [**-d**] [**-D**] [**-i**] [**-L** level] [ [**-g**] | [**-o**] | [**-l**] | [**-y** [hmac:]keyname:secret] | [**-k** keyfile] ] [ [**-S**] [**-K** tlskeyfile] [**-E** tlscertfile] [**-A** tlscafile] [**-H** tlshostname] [-O] ] [**-t** timeout] [**-u** udptimeout] [**-r** udpretries] [**-v**] [**-T**] [**-P**] [**-V**] [ [**-4**] | [**-6**] ] [filename] Description ~~~~~~~~~~~ @@ -71,6 +71,15 @@ Options This option sets use of IPv6 only. +.. option:: -A tlscafile + + This option specifies the file of the certificate authorities (CA) certificates + (in PEM format) in order to verify the remote server TLS certificate when + using DNS-over-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will + override the certificates from the global certificates store, which are + otherwise used by default when :option:`-S` is enabled. This option can not + be used in conjuction with :option:`-O`, and it implies :option:`-S`. + .. option:: -C Overrides the default `resolv.conf` file. This is only intended for testing. 
@@ -84,10 +93,23 @@ Options This option sets extra debug mode. +.. option:: -E tlscertfile + + This option sets the certificate(s) file for authentication for the + DNS-over-TLS (DoT) transport to the remote server. The certificate + chain file is expected to be in PEM format. This option implies :option:`-S`, + and can only be used with :option:`-K`. + .. option:: -g This option enables standard GSS-TSIG mode. +.. option:: -H tlshostname + + This option makes :program:`nsupdate` use the provided hostname during remote + server TLS certificate verification. Otherwise, the DNS server name + is used. This option implies :option:`-S`. + .. option:: -i This option forces interactive mode, even when standard input is not a terminal. @@ -104,6 +126,13 @@ Options key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC-MD5 key. +.. option:: -K tlskeyfile + + This option sets the key file for authenticated encryption for the + DNS-over-TLS (DoT) transport with the remote server. The private key file is + expected to be in PEM format. This option implies :option:`-S`, and can only + be used with :option:`-E`. + .. option:: -l This option sets local-host only mode, which sets the server address to localhost @@ -123,6 +152,14 @@ Options This option enables a non-standards-compliant variant of GSS-TSIG used by Windows 2000. +.. option:: -O + + This option enables Opportunistic TLS. When used, the remote peer's TLS + certificate will not be verified. This option should be used for debugging + purposes only, and it is not recommended to use it in production. This + option can not be used in conjuction with :option:`-A`, and it implies + :option:`-S`. + .. option:: -p port This option sets the port to use for connections to a name server. The default is 
@@ -138,6 +175,15 @@ Options This option sets the number of UDP retries. The default is 3. If zero, only one update request is made. +.. option:: -S + + This option indicates whether to use DNS-over-TLS (DoT) when querying + name servers specified by ``server servername port`` syntax in the input + file, and the primary server discovered through a SOA request. When the + :option:`-K` and :option:`-E` options are used, then the specified TLS + client certificate and private key pair are used for authentication + (Mutual TLS). This option implies :option:`-v`. + .. option:: -t timeout This option sets the maximum time an update request can take before it is aborted. The diff --git a/doc/man/nsupdate.1in b/doc/man/nsupdate.1in index d83bd49ccd..621d1e65e7 100644 --- a/doc/man/nsupdate.1in +++ b/doc/man/nsupdate.1in @@ -32,7 +32,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] nsupdate \- dynamic DNS update utility .SH SYNOPSIS .sp -\fBnsupdate\fP [\fB\-d\fP] [\fB\-D\fP] [\fB\-i\fP] [\fB\-L\fP level] [ [\fB\-g\fP] | [\fB\-o\fP] | [\fB\-l\fP] | [\fB\-y\fP [hmac:]keyname:secret] | [\fB\-k\fP keyfile] ] [\fB\-t\fP timeout] [\fB\-u\fP udptimeout] [\fB\-r\fP udpretries] [\fB\-v\fP] [\fB\-T\fP] [\fB\-P\fP] [\fB\-V\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [filename] +\fBnsupdate\fP [\fB\-d\fP] [\fB\-D\fP] [\fB\-i\fP] [\fB\-L\fP level] [ [\fB\-g\fP] | [\fB\-o\fP] | [\fB\-l\fP] | [\fB\-y\fP [hmac:]keyname:secret] | [\fB\-k\fP keyfile] ] [ [\fB\-S\fP] [\fB\-K\fP tlskeyfile] [\fB\-E\fP tlscertfile] [\fB\-A\fP tlscafile] [\fB\-H\fP tlshostname] [\-O] ] [\fB\-t\fP timeout] [\fB\-u\fP udptimeout] [\fB\-r\fP udpretries] [\fB\-v\fP] [\fB\-T\fP] [\fB\-P\fP] [\fB\-V\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [filename] .SH DESCRIPTION .sp \fBnsupdate\fP is used to submit Dynamic DNS Update requests, as defined in 
@@ -83,6 +83,16 @@ This option sets use of IPv6 only.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-A tlscafile
+This option specifies the file of the certificate authorities (CA) certificates
+(in PEM format) in order to verify the remote server TLS certificate when
+using DNS\-over\-TLS (DoT), to achieve Strict or Mutual TLS. When used, it will
+override the certificates from the global certificates store, which are
+otherwise used by default when \fI\%\-S\fP is enabled. This option can not
+be used in conjuction with \fI\%\-O\fP, and it implies \fI\%\-S\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-C
 Overrides the default \fIresolv.conf\fP file. This is only intended for testing.
 .UNINDENT
@@ -99,11 +109,26 @@ This option sets extra debug mode.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-E tlscertfile
+This option sets the certificate(s) file for authentication for the
+DNS\-over\-TLS (DoT) transport to the remote server. The certificate
+chain file is expected to be in PEM format. This option implies \fI\%\-S\fP,
+and can only be used with \fI\%\-K\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-g
 This option enables standard GSS\-TSIG mode.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-H tlshostname
+This option makes \fBnsupdate\fP use the provided hostname during remote
+server TLS certificate verification. Otherwise, the DNS server name
+is used. This option implies \fI\%\-S\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-i
 This option forces interactive mode, even when standard input is not a terminal.
 .UNINDENT
@@ -122,6 +147,14 @@ the key specified is not an HMAC\-MD5 key.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-K tlskeyfile
+This option sets the key file for authenticated encryption for the
+DNS\-over\-TLS (DoT) transport with the remote server. The private key file is
+expected to be in PEM format. This option implies \fI\%\-S\fP, and can only
+be used with \fI\%\-E\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-l
 This option sets local\-host only mode, which sets the server address to localhost
 (disabling the \fBserver\fP so that the server address cannot be
@@ -144,6 +177,15 @@ used by Windows 2000.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-O
+This option enables Opportunistic TLS. When used, the remote peer\(aqs TLS
+certificate will not be verified. This option should be used for debugging
+purposes only, and it is not recommended to use it in production. This
+option can not be used in conjuction with \fI\%\-A\fP, and it implies
+\fI\%\-S\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-p port
 This option sets the port to use for connections to a name server. The default is
 53.
@@ -162,6 +204,16 @@ request is made.
 .UNINDENT
 .INDENT 0.0
 .TP
+.B \-S
+This option indicates whether to use DNS\-over\-TLS (DoT) when querying
+name servers specified by \fBserver servername port\fP syntax in the input
+file, and the primary server discovered through a SOA request. When the
+\fI\%\-K\fP and \fI\%\-E\fP options are used, then the specified TLS
+client certificate and private key pair are used for authentication
+(Mutual TLS). This option implies \fI\%\-v\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
 .B \-t timeout
 This option sets the maximum time an update request can take before it is aborted. The
 default is 300 seconds. If zero, the timeout is disabled.
From 7ea4e4a1ce8374264beb3224f3f8f2e2c9ea0b16 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 21 Sep 2022 15:11:22 +0000
Subject: [PATCH 5/6] Add a CHANGES note for [GL #1781]
---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGES b/CHANGES index b2f904045f..36dd658a36 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +5979. [func] Implement DoT support for nsupdate. [GL #1781] + 5978. [port] The ability to use pkcs11 via engine_pkcs11 has been restored, by only using deprecated APIs in OpenSSL 3.0.0. BIND needs to be compiled with From 34f06fd2b5fed778ae20af4ba25550d2acec2ae3 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 21 Sep 2022 15:15:26 +0000 Subject: [PATCH 6/6] Add a release note for [GL #1781] --- doc/notes/notes-current.rst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 8748f48718..3385bdd975 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -38,6 +38,8 @@ New Features fully started before starting other services that depend on name resolution. :gl:`#1176` +- The ``nsupdate`` tool now supports DNS-over-TLS (DoT). :gl:`#1781` + Removed Features ~~~~~~~~~~~~~~~~