Commit graph

256 commits

Author SHA1 Message Date
Ondřej Surý
9771df0aca Disallow configuration of user-defined non-IN class views
Only class IN is allowed for user-defined views; the internally
generated `_bind` view stays in the CH class. Both `named` and the
shared checker in `lib/isccfg/check.c` now reject non-IN views, so a
config can no longer pass `named-checkconf` yet fail to start in
`named`.

Tests, configs, and catalog zones using CH or arbitrary classes
(e.g. `class10`) are removed accordingly.
2026-06-08 17:50:15 +02:00
Evan Hunt
bfb027fecd Disable recursion for non-IN classes
Force recursion off, and set allow-recursion/allow-recursion-on ACLs
to none, for views with a class other than IN. Log a configuration
warning if recursion is explicitly enabled for a non-IN view.

This addresses YWH-PGM40640-74 and YWH-PGM40640-75 by preventing any
attempt at recursive processing in a class-CHAOS view, ensuring that
server addresses used for recursive queries and received in recursive
responses are of the expected format.

Fixes: isc-projects/bind9#5780
Fixes: isc-projects/bind9#5781
2026-05-07 13:32:15 +02:00
Colin Vidal
19a446f00e Remove licensing header check for root.hint[s]
Removing REUSE licensing header check for `root.hint` and `root.hints`
files.

Assisted-by: Claude:claude-opus-4-7
2026-04-28 15:37:10 +01:00
Nicki Křížek
f144db6b68 Remove license headers from test zone files
The removal has been done with the following command:

find bin/tests/system/ -type f -name "*.db*" -exec sed -i '1,10d; 11{/^$/d}' {} +

The following files have been handled manually, since they already
didn't have the license info, or had it in a slightly different format:

bin/tests/system/ssutoctou/ns1/example.db.in
bin/tests/system/checkzone/zones/crashzone.db
bin/tests/system/checkzone/zones/warn.deprecated.cds-sha1.db
bin/tests/system/checkzone/zones/warn.deprecated.digest-sha1.db
bin/tests/system/checkzone/zones/warn.deprecated.ds-alg.db
bin/tests/system/legacy/ns6/edns512.db.signed
2026-03-31 17:57:58 +02:00
Nicki Křížek
d738b907dc Remove license headers from named.conf test files
The removal was done with the following commands:

find bin/tests/system/ -type f -name "*.conf" -exec sed -i '1,12d; 13{/^$/d}' {} +
find bin/tests/system/ -type f -name "*.conf.*" -exec sed -i '1,12d; 13{/^$/d}' {} +
2026-03-31 17:57:58 +02:00
Colin Vidal
d313d9d7e7 resolver tests: set 3MB cache size
The default max-cache-size in the system tests is enforced to 2MB
(from the -T switch). This means the main cache size is 6/8 of it (1/8
being reserved for ADB and 1/8 for the delegation database).

However, the minimal size of the main cache is 2MB, which means
that the main cache size will actually be 2MB anyway when running the system tests.

This was breaking some resolver tests: when the cache was shared and
named reloaded, the previous cache size was, indeed, 2MB whereas the
newly requested size was only 6/8 of it (that happened before the size
was bumped to the minimal value).

Set the max cache size of ns1 in the resolver tests to 3MB, so that even
6/8 of the max cache size is more than the minimum 2MB of the main cache
size, which makes it possible to keep the cache shared between views for
this test between reloads.
2026-03-30 20:41:13 +02:00
Colin Vidal
009fa6173d Simplify resolver delegation expiry test
Remove the dynamic NS update loop from the delegation expiry test.
With the delegation DB, it is sufficient to wait for the delegation
to expire (after 5 seconds) and verify that names below the removed
zone return NXDOMAIN.
2026-03-30 20:41:13 +02:00
Evan Hunt
8d3df06100 Fix tests for parent-centric resolver behavior
In 'additional', pre-cache the A RRset for ns1.rt.example so the
additional-data handling in the cache can be tested; previously this
was cached as part of resolution, but now must be queried explicitly.

In 'cookie', pre-cache an NS to prevent a QMIN query from distorting
log results and causing a test failure.

In 'resolver', increase the expected query count in the timeout test.
2026-03-30 20:41:13 +02:00
Colin Vidal
2130d4fecc remove legacy NS processing limit check
Commit `604d8f0b967563b0ba9dcd4f09559fdd9e21dfbe` introduced, during the
9.19 development cycle, a check to ensure the resolver never attempts to
look up more than 20 NS names. This limit was introduced by
`3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a` as part of CVE-2022-2795.

However, this test relies on the fact that, at the time, the NS names
were processed in a specific order in the nameserver, as this snippet from
the log (from a build on the `604d8f0` branch) running the test illustrates:

```
24-Mar-2026 21:19:46.346 dispatch 0x7fdaa722d200: success, length == 19956, addr = 0x7fdaa0a7c102
24-Mar-2026 21:19:46.346 dispatch 0x7fdaa722d200: got valid DNS message header, /QR 1, id 14328
24-Mar-2026 21:19:46.346 dispatch 0x7fdaa722d200: search for response in bucket 7213: success
24-Mar-2026 21:19:46.354 received packet from 10.53.0.3#5300
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  14328
;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 999, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: baf16b0241efc700
;; QUESTION SECTION:
;large-referral.example.net.	IN	A

;; AUTHORITY SECTION:
;large-referral.example.net. 300	IN	NS	ns1.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns2.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns3.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns4.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns5.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns6.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns7.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns8.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns9.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns10.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns11.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns12.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns13.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns14.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns15.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns16.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns17.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns18.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns19.fake.redirect.com.
;large-referral.example.net. 300	IN	NS	ns20.fake.redirect.com.
```

This is not true anymore, as the NS are in a random order. Moreover,
commit `3c33e7d9370006b1599e3d99c0d5fa6a6dad7979` introduced the
randomization of the selection of the NS names to look up, which makes the
test potentially unreliable, as it now doesn't mean anything to check that
the nameserver does not query `ns21.fake.redirect.com.`, as it could be
the first one, or in any position of the randomized list.

Another test has been added in commit
`c67b52684f11652b07afaa75a917f6f0355dbca6` which tests both the
randomization of the NS names to be looked up, as well as the upper bound
limit of NS name lookups to be done.

For all those reasons, this specific legacy check is now removed.
2026-03-25 01:09:28 +00:00
Štěpán Balážik
ced002c4ab Replace deprecated typing imports
More specific modules (like collections.abc) can now be used.

Generated with: ruff check --extend-select UP035 --fix
2026-02-20 15:17:32 +01:00
Štěpán Balážik
ce9c9a1a9c Replace Union[S, T] with S | T
Generated with: ruff check --extend-select UP007 --fix && black .
2026-02-20 15:17:32 +01:00
Štěpán Balážik
790745da18 Built-in types are now subscriptable
Generated with: ruff check --extend-select UP006 --fix
2026-02-20 15:17:32 +01:00
Štěpán Balážik
ffd5b6ac26 Automatically sort imports in Python code
Generated with: ruff check --extend-select I --fix (with the changes to
pyproject.toml applied).
2026-02-20 15:17:32 +01:00
Štěpán Balážik
407df9599c Run custom servers as Python modules
Use `python -m` for running the custom servers.

This allows the use of relative imports in the server modules and in
turn linting the modules.
2026-02-20 15:17:31 +01:00
Ondřej Surý
0bebf8ee9d Enable minimal ANY answers by default
ANY queries are widely abused by attackers doing reflection attacks as
they return the largest answers.  Enable minimal ANY answers by default
to reduce the attack surface of the DNS servers.
2026-01-28 15:38:18 +01:00
Štěpán Balážik
c336c1feab Fix bugs in 'resolver/ans2' and 'resolver/ans3'
There were multiple typos and omissions regarding query minimization.
2026-01-24 13:04:09 +01:00
Štěpán Balážik
cef851740b Reimplement 'resolver/ans10' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server.
2026-01-24 13:04:09 +01:00
Štěpán Balážik
8f2526a27d Reimplement 'resolver/ans8' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server.
2026-01-24 13:04:09 +01:00
Štěpán Balážik
5004d278e4 Reimplement 'resolver/ans3' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server including
bugs.
2026-01-24 13:04:09 +01:00
Štěpán Balážik
d203a39314 Reimplement 'resolver/ans2' server using AsyncDnsServer
Ensure packet-for-packet compatibility with the old server including
bugs.
2026-01-24 13:04:09 +01:00
Štěpán Balážik
23d9055617 Add common parts of resolver test custom servers
These will be shared by all the ans*/ans.py files.
2026-01-24 13:04:09 +01:00
Nicki Křížek
bb6d7a0fc3 Apply black formatting changes
Generated by black 26.1.0 which got updated in CI.
2026-01-22 09:41:21 +01:00
Nicki Křížek
c46208ffdb Use jinja2 templates in resolver test
- Move ns1/named.conf.j2 to ns1/named2.conf.j2 and adjust the python
  test to render this template.
- Convert remaining .in files to .j2 and handle the multiple configs.
2025-12-09 14:23:17 +01:00
Nicki Křížek
f33e2b6d87 Refactor NamedInstance.rndc() to use EnvCmd() interface
To unify the command handling, utilize EnvCmd() to handle rndc commands:

1. Remove isctest.rndc abstractions. They were intended for an upcoming
   python-only implementation. A couple of years later, it doesn't seem
   to be coming any time soon, so let's stick with the interface that
   makes sense today, i.e. use the same command handling interface
   everywhere.
2. Remove the specialized rndc.log in favor of the generic logging
   already implemented by isctest.run.cmd(). I believe the cause of the
   many rndc(log=False) invocations was that nobody wanted this extra
   file. Yet, logging everything by default makes sense for debugging,
   unless there's a good reason not to. In almost all cases, logging was
   switched to the default (enabled).
3. With the NamedInstance.rndc() call now returning CmdResult rather
   than combined stdout+stderr string, adjust all the invocations to use
   `.out` or `.err` as necessary.
4. Replace some manual rndc invocation and its base argument
   construction with the standardized nsX.rndc() call.
5. In cases where rndc is expected to fail, utilize
   raise_on_exception=False and check the `.rc` from the result, rather
   than handling an exception.
6. In addzone/tests_rndc_deadlock.py, refactor the test slightly to
   avoid using EnvCmd() entirely to avoid spamming the logs. This test
   calls rndc in a loop from multiple threads and such a test case is an
   exception which doesn't warrant changing the `isctest.run.cmd()`
   implementation.
2025-12-08 14:57:47 +01:00
Ondřej Surý
ed460c50b7 Change the QNAME minimization algorithm to follow the standard
In !9155, the QNAME minimization was changed to not leak the query type
to the parent name server.  This violates RFC 9156 Section 3, step (3)
and it is not necessary.  It also breaks some (weird) authoritative DNS
setups, especially when CNAMEs are involved.  Also there is really no
privacy leak with query type.
2025-11-27 16:47:29 +01:00
Ondřej Surý
1b90d2ffdb Reduce the number of outgoing queries
The dns_resolver mode of operation is to resolve all the domains as it
iterates the DNS tree to fill up the cache as quickly as possible.

This commit reduces the number of outgoing queries by reducing the
number of remote fetches started for the nameserver addresses resolution
via dns_adb_createfind() to a smaller number per depth of the recursion
since the delegation point (3 2 1 0) - where 0 means only create fetch
on demand if we don't have any addresses yet.
2025-11-20 13:31:11 +01:00
Colin Vidal
714693742e test that cache is preserved on reconfig failure
A named bug scraps the cache on a second reload after an initial reload
failure. Add a test checking that the cache is preserved between server
reconfigurations/reloads even if one fails at some point (after attempting
to re-use the cache) and the server is reloaded later.
2025-09-17 16:45:51 +02:00
Štěpán Balážik
01d1ad7988 Disable DNSSEC validation instead of enabling it with empty TAs in tests
There are many system tests where we set `dnssec-validation yes;` only
to also set `trust-anchors { };` which effectively disables the
validation.

This commit replaces this convoluted setup with just
`dnssec-validation no;`.
2025-07-06 14:18:10 +00:00
Mark Andrews
480122f988 Check that received ZONEVERSION is logged
2025-03-24 22:16:09 +00:00
Aram Sargsyan
0c7fa8d572 Test resolver statistics when responses time out
Add a test to check that the timed out responses do not skew the
normal responses statistics counters, and that they do update the
timeouts counter.
2025-03-18 16:20:59 +00:00
Mark Andrews
de519cd1c9 Don't leak the original QTYPE to parent zone
When performing QNAME minimization, named now sends an NS
query for the original QNAME, to prevent the parent zone from
receiving the QTYPE.

For example, when looking up example.com/A, we now send NS queries
for both com and example.com before sending the A query to the
servers for example.com.  Previously, an A query for example.com
would have been sent to the servers for com.

Several system tests needed to be adjusted for the new query pattern:

- Some queries in the serve-stale test were sent to the wrong server.
- The synthfromdnssec test could fail due to timing issues; this
  has been addressed by adding a 1-second delay.
- The cookie test could fail due to a change in the count of
  TSIG records received in the "check that missing COOKIE with a
  valid TSIG signed response does not trigger TCP fallback" test case.
- The GL #4652 regression test case in the chain system test depends
  on a particular query order, which no longer occurs when QNAME
  minimization is active. We now disable qname-minimization
  for that test.
2025-03-14 01:01:26 +00:00
Colin Vidal
7f613c207f add system test covering EDE 20
Add system test to cover extended DNS error 20 (Not authoritative).
2025-03-13 11:16:01 +01:00
Mark Andrews
14ab1629b7 Removing now unneeded priming queries
Now that fctx_try is being called when adb returns DNS_ADB_NOMOREADDRESSES,
we don't need these priming queries for the dual-stack-servers test
to succeed.
2025-02-25 23:47:46 +00:00
Andoni Duarte Pintado
3a64b288c1 Merge tag 'v9.21.4'
2025-01-29 17:17:18 +01:00
Colin Vidal
7cb8a028fe add new EDE 22 system tests
This redoes a previously existing EDE 22 system test, as well as adding
another one making sure the timed-out flow detection also works on UDP
when the resolver is contacting the authoritative server (the existing
test was using TCP to contact the authoritative servers).
2025-01-27 11:49:44 +01:00
Aram Sargsyan
5367ccb561 Adjust the resolver-query-timeout test
Since the read timeout now works, the resolver times out at the
dispatch level instead of from the "hung fetch" timer, and so the
EDE value in 'fctx_expired()' is not being set. Remove the expected
EDE value from the test.
2025-01-22 13:40:45 +00:00
Ondřej Surý
e51d4d3b88 Isolate using the -T noaa flag only for part of the resolver test
Instead of running the whole resolver/ns4 server with -T noaa flag,
use it only for the part where it is actually needed.  The -T noaa
could interfere with other parts of the test because the answers don't
have the authoritative-answer bit set, and we could have false
positives (or false negatives) in the test because the authoritative
server doesn't follow the DNS protocol for all the tests in the resolver
system test.
2025-01-14 09:57:54 +00:00
Evan Hunt
f3af8a7dc3 preserve cache across reload when using attach-cache
when the attach-cache option is used in the options block
with an arbitrary name, it causes all views to use the same
cache. however, previously, this could cause the cache to be
deleted and a new cache created every time the server was
reconfigured. this did *not* occur when attach-cache was
used at the view level to refer back to another view's cache.

in this commit we correct the problem by checking for
pre-existing caches during reconfiguration, and moving
them from the old server cache list to the new cache list
before cleaning up and freeing the old cache list.
2024-12-06 12:34:33 -08:00
Colin Vidal
d13e94b930 Add EDE 22 No reachable authority code
Add support for Extended DNS Errors (EDE) error 22: No reachable
authority. This occurs after a timeout delay when the resolver is
trying to query an authority server.
2024-12-04 16:19:30 +01:00
Nicki Křížek
7c259fe254 Replace clean.sh files with extra_artifacts mark
The artifact lists in clean.sh and extra_artifacts might be slightly
different. The list was updated for each test to reflect the current
state.
2024-11-08 10:54:24 +01:00
Mark Andrews
677abded6b Add regression test for [GL #4987]
2024-10-17 11:04:32 +11:00
Mark Andrews
61415432ec Check responselog behaviour
Extends the resolver system test to check whether responses are
logged to the query log in addition to the queries.
2024-09-19 21:44:06 +00:00
alessio
da0e48b611 Remove "port" from source address options
Remove the use of "port" when configuring query-source(-v6),
transfer-source(-v6), notify-source(-v6), parental-source(-v6),
etc. Remove the use of source ports for parental-agents.

Also remove the deprecated options use-{v4,v6}-udp-ports and
avoid-{v4,v6}udp-ports.
2024-09-12 08:15:58 +02:00
Michal Nowak
8e0244d300 Bump max-recursion-queries to 100 in resolver system test
With max-recursion-queries set to 50 the resolver system test was
unstable in the "checking query resolution for a domain with a valid
glueless delegation chain" check as ns1 replied with SERVFAIL.
2024-08-29 14:37:37 +00:00
Evan Hunt
7e3b425dc2 reduce the max-recursion-queries default to 32
the number of iterative queries that can be sent to resolve a
name now defaults to 32 rather than 100.
2024-08-07 13:19:57 -07:00
Evan Hunt
05d78671bb reduce MAX_RESTARTS to 11
the number of steps that can be followed in a CNAME chain
before terminating the lookup has been reduced from 16 to 11.
(this is a hard-coded value, but will be made configurable later.)
2024-08-07 13:00:42 -07:00
Aram Sargsyan
d6a79cce53 Test shorter resolver-query-timeout configuration
Add two new checks which test the shorter than usual
resolver-query-timeout configuration.
2024-08-01 18:30:35 +00:00
Mark Andrews
5843b29f47 resolver system test didn't record all failures
2024-08-01 01:15:42 +00:00
Aram Sargsyan
580f872fe1 Test that a long CNAME chain causes SERVFAIL
Also check that the expected partial answer is returned too.
2024-07-31 10:54:10 +00:00
Ondřej Surý
58f660cf2b Make the resolver qtype ANY test order agnostic
Instead of relying on a specific order of the RR types in the databases
pick the first RR type as returned from the cache.
2024-07-01 12:47:30 +02:00