System tests to check named behaviour for unexpected opcodes

This commit adds a set of tests to verify that BIND will not crash
when some opcodes are sent over DoT or DoH, leading to marking network
handle in question as sequential.

bin/tests/system/doth/tests.sh

@@ -9,6 +9,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
+# shellcheck disable=SC1091
 . ../conf.sh
 
 dig_with_tls_opts() {
@@ -218,5 +219,40 @@ grep "ANSWER: 2500" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+test_opcodes() {
+	EXPECT_STATUS="$1"
+	shift
+	for op in "$@";
+	do
+		n=$((n + 1))
+		echo_i "checking unexpected opcode query over DoH for opcode $op ($n)"
+		ret=0
+		dig_with_https_opts +https @10.53.0.1 +opcode="$op" > dig.out.test$n
+		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+		if [ $ret != 0 ]; then echo_i "failed"; fi
+		status=$((status + ret))
+
+		n=$((n + 1))
+		echo_i "checking unexpected opcode query over DoH without encryption for opcode $op ($n)"
+		ret=0
+		dig_with_http_opts +http-plain @10.53.0.1 +opcode="$op" > dig.out.test$n
+		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+		if [ $ret != 0 ]; then echo_i "failed"; fi
+		status=$((status + ret))
+
+		n=$((n + 1))
+		echo_i "checking unexpected opcode query over DoT for opcode $op ($n)"
+		ret=0
+		dig_with_tls_opts +tls @10.53.0.1 +opcode="$op" > dig.out.test$n
+		grep "status: $EXPECT_STATUS" dig.out.test$n > /dev/null || ret=1
+		if [ $ret != 0 ]; then echo_i "failed"; fi
+		status=$((status + ret))
+	done
+}
+
+test_opcodes NOERROR 0
+test_opcodes NOTIMP 1 2 3 6 7 8 9 10 11 12 13 14 15
+test_opcodes FORMERR 4 5
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1