Reproducer for CVE-2026-1519

When a validating resolver processes a delegation from a DNSSEC-signed
zone which uses too many NSEC3 iterations, it should cease the attempt
to validate due to an NSEC3 iteration limit being exceeded and fall back
to insecure.

(cherry picked from commit 9bc14a89f1)

bin/tests/system/nsec3-delegation/ns1/named.conf.j2

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.1;
+	notify-source 10.53.0.1;
+	transfer-source 10.53.0.1;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.1; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../../_common/rndc.key";
+
+zone "." {
+	type primary;
+	file "root.db";
+};

bin/tests/system/nsec3-delegation/ns1/root.db

@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	. . (
+				2025063000	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+
+a.root-servers.nil	A	10.53.0.1
+
+iter-too-many.		NS	ns2.iter-too-many.
+ns2.iter-too-many.	A	10.53.0.2

bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual

@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+{% raw %}
+$TTL 300
+@			IN SOA	ns2.iter-too-many. hostmaster.iter-too-many. (
+				2026020300	; serial
+				20		; refresh (20 seconds)
+				20		; retry (20 seconds)
+				1814400		; expire (3 weeks)
+				3600		; minimum (1 hour)
+)
+
+@	IN	NS	ns2.iter-too-many.
+ns2	IN	A	10.53.0.2
+
+sub	IN	NS	ns2.sub.iter-too-many.
+ns2.sub	IN	A	10.53.0.2
+{% endraw %}
+
+{% for dnskey in dnskeys %}
+@dnskey@
+{% endfor %}

bin/tests/system/nsec3-delegation/ns2/named.conf.j2

@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../../_common/rndc.key";
+
+zone "iter-too-many" {
+	type primary;
+	file "iter-too-many.signed.db";
+};
+
+zone "sub.iter-too-many" {
+	type primary;
+	file "sub.iter-too-many.db";
+};

bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db

@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@			IN SOA	ns2.sub.iter-too-many. hostmaster.sub.iter-too-many. (
+				2026020300	; serial
+				20		; refresh (20 seconds)
+				20		; retry (20 seconds)
+				1814400		; expire (3 weeks)
+				3600		; minimum (1 hour)
+)
+
+@	IN	NS	ns2.sub.iter-too-many.
+ns2	IN	A	10.53.0.2
+
+example	IN	A	127.0.0.1

bin/tests/system/nsec3-delegation/ns3/named.conf.j2

@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion yes;
+	dnssec-validation yes;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../../_common/rndc.key";
+
+zone "." {
+	type hint;
+	file "../../_common/root.hint";
+};
+
+include "trusted.conf";

bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2

@@ -0,0 +1 @@
+../../_common/trusted.conf.j2

bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py

@@ -0,0 +1,61 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from isctest.run import EnvCmd
+
+import isctest
+
+
+def bootstrap():
+    templates = isctest.template.TemplateEngine(".")
+    keygen = EnvCmd("KEYGEN", "-a ECDSA256")
+    signer = EnvCmd("SIGNER")
+
+    isctest.log.info("setup iter-too-many.")
+    zonename = "iter-too-many."
+    ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").out.strip()
+    zsk_name = keygen(f"{zonename}", cwd="ns2").out.strip()
+    ksk = isctest.kasp.Key(ksk_name, keydir="ns2")
+    zsk = isctest.kasp.Key(zsk_name, keydir="ns2")
+    dnskeys = [ksk.dnskey, zsk.dnskey]
+
+    tdata = {
+        "dnskeys": dnskeys,
+    }
+    templates.render(f"ns2/{zonename}db", tdata, template=f"ns2/{zonename}db.j2.manual")
+    signer(
+        f"-P -o {zonename} -f {zonename}signed.db -3 A1B2C3D4 -H too-many -H 51 -S {zonename}db",
+        cwd="ns2",
+    )
+
+    return {
+        "trust_anchors": [
+            ksk.into_ta("static-key"),
+        ],
+    }
+
+
+def test_excessive_nsec3_iterations_delegation(ns3):
+    # reproducer for CVE-2026-1519 [GL#5708]
+    zone = "example.sub.iter-too-many"
+    msg = isctest.query.create(zone, "A")
+    res = isctest.query.tcp(msg, ns3.ip)
+
+    # an insecure response is expected regardless of the NSEC3 iteration limit,
+    # because the sub.iter-too-many. zone is unsigned. the real difference is
+    # in the CPU usage required for generating such response, but that can't be
+    # easily and reliably tested in an automated fashion
+    isctest.check.noerror(res)
+
+    with ns3.watch_log_from_start() as watcher:
+        watcher.wait_for_line(
+            f"validating {zone}/A: validator_callback_ds: too many iterations"
+        )