From 35a5e29800bc0176bdf259dbca8fd0a141e6a4ab Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 10 Apr 2026 13:07:26 +1000 Subject: [PATCH 1/2] Remove unnecessary dns_name_free call When processing a catalog zone member's primaries definition and there is a TXT record containing an invalid name TSIG key name, dns_name_free was incorrectly called triggering an assertion. This has been fixed. (cherry picked from commit 9f411c93c4d87b8097d39024da5a9da447cddaf7) --- lib/dns/catz.c | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/dns/catz.c b/lib/dns/catz.c index 30b0bc4d4a..2924a13462 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -1467,7 +1467,6 @@ catz_process_primaries(dns_catz_zone_t *catz, dns_ipkeylist_t *ipkl, result = dns_name_fromstring(keyname, keycbuf, dns_rootname, 0, mctx); if (result != ISC_R_SUCCESS) { - dns_name_free(keyname, mctx); isc_mem_put(mctx, keyname, sizeof(*keyname)); return result; } From 5daf7102a5f238bd701bbf134ff95113749ef697 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 10 Apr 2026 13:05:31 +1000 Subject: [PATCH 2/2] Checking invalid TSIG key name in a catalog zone (cherry picked from commit 213e59ccf56f4d66cf65f363be4563f2e853d12f) --- bin/tests/system/catz/ns1/catalog-bad6.example.db | 7 +++++++ bin/tests/system/catz/ns1/named.conf.j2 | 10 ++++++++++ bin/tests/system/catz/ns2/named.conf.j2 | 10 ++++++++++ bin/tests/system/catz/tests.sh | 6 ++++++ 4 files changed, 33 insertions(+) create mode 100644 bin/tests/system/catz/ns1/catalog-bad6.example.db diff --git a/bin/tests/system/catz/ns1/catalog-bad6.example.db b/bin/tests/system/catz/ns1/catalog-bad6.example.db new file mode 100644 index 0000000000..bc5ca70492 --- /dev/null +++ b/bin/tests/system/catz/ns1/catalog-bad6.example.db @@ -0,0 +1,7 @@ +@ 3600 SOA . . 1 86400 3600 86400 3600 +@ 3600 IN NS invalid. +version IN TXT "2" +deadbeef.zones IN PTR member.example. +mykey.primaries.ext.deadbeef.zones IN A 192.0.2.1 +; bad key name label too big +mykey.primaries.ext.deadbeef.zones IN TXT "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.example.com" diff --git a/bin/tests/system/catz/ns1/named.conf.j2 b/bin/tests/system/catz/ns1/named.conf.j2 index dc1e2d93f4..c39db0bddf 100644 --- a/bin/tests/system/catz/ns1/named.conf.j2 +++ b/bin/tests/system/catz/ns1/named.conf.j2 @@ -128,6 +128,16 @@ view "default" { notify explicit; }; + # Bad TSIG key name + zone "catalog-bad6.example" { + type primary; + file "catalog-bad6.example.db"; + allow-transfer { any; }; + allow-update { any; }; + also-notify { 10.53.0.2; }; + notify explicit; + }; + # A catalog zone that requires TLS to be used zone "catalog-tls.example" { type primary; diff --git a/bin/tests/system/catz/ns2/named.conf.j2 b/bin/tests/system/catz/ns2/named.conf.j2 index 57fdde0019..6c18631fb2 100644 --- a/bin/tests/system/catz/ns2/named.conf.j2 +++ b/bin/tests/system/catz/ns2/named.conf.j2 @@ -101,6 +101,10 @@ view "default" { default-masters { 10.53.0.1; } min-update-interval 1s in-memory yes; + zone "catalog-bad6.example" + default-masters { 10.53.0.1; } + min-update-interval 1s + in-memory yes; }; {% if bad_dlz %} @@ -206,6 +210,12 @@ view "default" { primaries { 10.53.0.1; }; }; + # Bad TSIG key name + zone "catalog-bad6.example" { + type secondary; + file "catalog-bad6.example.db"; + primaries { 10.53.0.1; }; + }; }; view "ch" ch { diff --git a/bin/tests/system/catz/tests.sh b/bin/tests/system/catz/tests.sh index 44821209ed..df148f2bde 100644 --- a/bin/tests/system/catz/tests.sh +++ b/bin/tests/system/catz/tests.sh @@ -134,6 +134,12 @@ grep -F "catz: dns_catz_zone_add catalog-bad5.example" ns2/named.run && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) +echo_i "checking that catalog-bad6.example (invalid TSIG key name) is handled ($n)" +ret=0 +wait_for_message ns2/named.run "catz: invalid record in catalog zone - mykey.primaries.ext.deadbeef.zones.catalog-bad6.example IN TXT (label too long) - ignoring" || ret=1 +if [ $ret -ne 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + nextpart ns2/named.run >/dev/null ##########################################################################