Add a system test that sends TSIG with bad time

Add a system test that sets TSIG fudge to 0, waits three seconds and
then sends signed message to the server.  This tests the path where the
time difference between the client and the server is outside of the TSIG
fudge value.

bin/tests/system/tsig/tests_badtime.py

@@ -0,0 +1,63 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=unused-variable
+
+import socket
+import time
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.message
+import dns.query
+import dns.tsigkeyring
+
+TIMEOUT = 10
+
+
+def create_msg(qname, qtype, edns=-1):
+    msg = dns.message.make_query(qname, qtype, use_edns=edns)
+    return msg
+
+
+def timeout():
+    return time.time() + TIMEOUT
+
+
+def create_socket(host, port):
+    sock = socket.create_connection((host, port), timeout=10)
+    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, True)
+    return sock
+
+
+def test_tsig_badtime(named_port):
+    with create_socket("10.53.0.1", named_port) as sock:
+        msg = create_msg("a.example.", "A")
+
+        keyring = dns.tsigkeyring.from_text(
+            {
+                "sha256": "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=",
+            }
+        )
+
+        msg.use_tsig(keyring, keyname="sha256", fudge=0)
+
+        wire = msg.to_wire()
+        assert len(wire) > 0
+
+        time.sleep(3)
+
+        (sbytes, stime) = dns.query.send_tcp(sock, wire, timeout())
+        with pytest.raises(dns.tsig.PeerBadTime):
+            (response, rtime) = dns.query.receive_tcp(sock, timeout(), keyring=keyring)