The OID in the "; alg = ..." comment of a PRIVATEOID key was truncated to sixteen characters.
Closes#6092
Merge branch '6092-fix-PRIVATEOID-output' into 'main'
See merge request isc-projects/bind9!12377
The OID printed in the "; alg = ..." comment of a PRIVATEOID KEY,
DNSKEY, CDNSKEY or RKEY record was truncated to sixteen characters:
1.2.840.113549.1.1.11 came out as 1.2.840.113549.1. Only the comment
was ever affected, never the record itself.
A recursive resolver could crash when it answered a query for a name beneath a
cached DNAME while that same DNAME record was concurrently refreshed or evicted
from the cache.
Closes#6182
Merge branch '6182-qpcache-dname-zonecut-uaf' into 'main'
See merge request isc-projects/bind9!12337
check_dname() cached the DNAME header and its RRSIG in the search block
and dropped the node lock holding only a node reference. Since cache
headers became reference counted and are freed synchronously, and
delegation adds no longer take the tree write lock, a concurrent refresh
or eviction can free the header before setup_delegation() reads it. Take
a reference on the headers in check_dname() and release it once the
lookup finishes.
Some DNSSEC tools and trust-anchor handling could fail when
working with unusually large DNSSEC keys or signatures,
including those used by post-quantum algorithms. These paths
now accept DNSKEY, CDNSKEY, CDS, and RRSIG data up to the DNS
record size limits, so large key material can be parsed, written,
checked, and signed consistently.
Merge branch 'ondrej/dynamic-dnssec-buffers' into 'main'
See merge request isc-projects/bind9!12370
The buffers receiving DNSKEY (and SKR resource record) rdata parsed
from text or wire form were sized by DST_KEY_MAXSIZE (1280 octets),
which is too small for post-quantum public keys. Parse into
DNS_RDATA_MAXLENGTH sized buffers instead, which cannot be exceeded
by construction, and drop the DST_KEY_MAXSIZE and DST_KEY_MAXTEXTSIZE
constants that no longer have any users.
Assisted-by: Claude:claude-fable-5
The buffers receiving the RRSIG rdata built by dns_dnssec_sign() were
fixed-size arrays (1024 or 2048 octets), which is too small for
post-quantum signatures. Use DNS_RDATA_MAXLENGTH sized buffers
instead, which no RRSIG rdata can exceed by construction.
Assisted-by: Claude:claude-fable-5
Post-quantum signature algorithms have public keys that do not fit
into the fixed DST_KEY_MAXSIZE (1280 octets) buffers used when
converting a dst_key to DNSKEY rdata. Use DNS_RDATA_MAXLENGTH sized
buffers instead, which no DNSKEY rdata can exceed by construction.
Assisted-by: Claude:claude-fable-5
If an NSEC record has not yet been validated and is cached with trust
pending, don't use it to synthesize negative responses.
Closes#5872Closes#5887Closes#5977
Merge branch '5977-validate-synth-from-dnssec' into 'main'
See merge request isc-projects/bind9!12281
The #5872 reproducer plants a covering NSEC that is rejected inside the
cache (find_coveringnsec), so it never reaches the trust check on the
exact-match NODATA branch of query_coveringnsec(). This adds a companion
case: an NSEC owned by the victim name itself, injected at pending trust
via a CD=1 query, is returned by the cache as a NODATA proof for the
exact node and must not be used to synthesize a NODATA that would deny
the victim's real A record.
Reuses the f004.test fixture with a victim-owned forged NSEC.
Assisted-by: Claude:claude-fable-5
UTF-8 standard forbid usage of unicode character between the range of
0xD800..0xDFFF (reserved, and used as UTF-16 surrogates, see RFC 3629).
However, `usc_utf8_valid()` was not checking if the encoded unicode
character was in this range, which then would accept invalid UTF-8
strings. This is now fixed.
Closes#6151
Merge branch '6151-utf16-surrogates-detection' into 'main'
See merge request isc-projects/bind9!12345
Add a unit test suite for `isc_utf8_valid()` function. It test the
varioutes encoding lower/upper ranges as well as UTF-16 surrogate
exclusion.
Also add unit tests for `usc_utf8_bom()` function.
UTF-8 standard forbid usage of unicode character between the range of
0xD800..0xDFFF (reserved, and used as UTF-16 surrogates, see RFC 3629).
However, `usc_utf8_valid()` was not checking if the encoded unicode
character was in this range, which then would accept invalid UTF-8
strings. This is now fixed.
Since `188aa43e`, `dns_acl_any()` can't
fail (and thus would always set memory to its target). Removing deadcode
that would detach the ACL if `dns_acl_any()` would return some error
while the ACL would be created and attached.
Merge branch 'colin/remove-acl-detach-deadcode' into 'main'
See merge request isc-projects/bind9!12333
Since `188aa43e48379572ffa758e45333c67214917d39`, `dns_acl_any()` can't
fail (and thus would always set memory to its target). Removing deadcode
that would detach the ACL if `dns_acl_any()` would return some error
while the ACL would be created and attached.
A cache hit only marked the looked-up header as SIEVE-visited, leaving
its related header (the flattened counterpart) a candidate for eviction.
Mark both so related slabheaders age together.
Merge branch 'ondrej/mark-related-header-visited-on-cache-hit' into 'main'
See merge request isc-projects/bind9!12306
A cache hit only marked the looked-up header as SIEVE-visited, leaving
its related header (the flattened counterpart) a candidate for eviction.
Mark both so related slabheaders age together.
The brackets are not included in the host component of the parsed
URL/URI. Change the parser to include the brackets.
Closes#6147
Merge branch '6147-isc_url_parse-ipv6-brackets-fix' into 'main'
See merge request isc-projects/bind9!12266
The isc_url_parse() function failed to check the input buffer's
length and assumed that it can't be bigger than UINT16_MAX, because
both the 'off' and 'len' fields of the 'isc_url_parser_t' structure
are uint16_t.
Add a check to not accept a buffer longer than 8192 octets.
Closes#6150
Merge branch '6150-isc_url_parse-buffer-size-check-fix' into 'main'
See merge request isc-projects/bind9!12252
Cover IPv6 literal hosts (the brackets are stripped from the host, zone
identifiers are kept verbatim), userinfo, explicit ports and case
preservation, plus inputs that isc_url_parse() rejects although a generic
RFC 3986 parser would accept them: a '+' in the scheme, an IPvFuture
literal, and a percent-encoded port. The cases are drawn from the
Addressable URI test suite. The shared table runner is factored out so
both table-driven tests reuse it.
Assisted-by: Claude:claude-opus-4-8
Parse the absolute URIs from RFC 3986 section 5.4 and verify the
component split, and assert the input-length boundary (UINT16_MAX is
accepted, UINT16_MAX + 1 is rejected). isc_url_parse() splits request
targets but does not resolve relative references, so the dot-segments
in path/query/fragment are expected to survive verbatim.
Assisted-by: Claude:claude-opus-4-8
The isc_url_parse() function failed to check the input buffer's
length and assumed that it can't be bigger than UINT16_MAX, because
both the 'off' and 'len' fields of the 'isc_url_parser_t' structure
are uint16_t.
Add a check to not accept a buffer longer than UINT16_MAX.
The 'isc_proxy2_handler_t' structure stores some size values in a
'uint16_t' type, while the maximum size can be bigger, which results
in truncation. Change the affected types to 'size_t'.
Closes#6142
Merge branch '6142-proxyv2-header-length-fix' into 'main'
See merge request isc-projects/bind9!12294
The 'isc_proxy2_handler_t' structure stores some size values in a
'uint16_t' type, while the maximum size can be bigger, which results
in truncation. Change the affected types to 'size_t'.
Update the manual rollover system test with a multi-master setup.
Merge branch 'matthijs-test-dnssec-policy-multimaster' into 'main'
See merge request isc-projects/bind9!11268
Update the manual rollover test case with a multi-master setup. In this
scenario, key files are generated, as well as rollovers are started
on one server (ns3) and key files are copied to the other server (ns4).
Add checks that the begin and end key states are the same.
When determining whether an insecure delegation is legitimate, NSEC3 opt-out records which had not yet passed validation could be used. This has been fixed.
Closes#5970
Merge branch '5970-pending-nsec3' into 'main'
See merge request isc-projects/bind9!12283
DNSSEC validation could fail with SERVFAIL for names covered by a DNAME
at the apex of a signed zone, unless the zone's keys were already validated
in the cache. This regression was introduced by the recent fix for resolver
stalls on CNAME responses to DS queries.
Closes#6176
Merge branch '6176-validator-apex-dname' into 'main'
See merge request isc-projects/bind9!12353
The dnssec system test signs a DNAME-at-apex zone but only ever
queried the apex directly; nothing resolved a name under the DNAME
through the validating resolver, so a validator regression on that
path went unnoticed.
Assisted-by: Claude:claude-fable-5
check_deadlock() aborted any fetch whose name equals the owner of a
chaining rdataset, assuming nothing the validator needs can live at an
alias. That is true for a CNAME, but a DNAME aliases only the names
below its owner: with a DNAME at a zone apex, the DNSKEY signing the
DNAME lives at the owner name itself, so every answer synthesized from
a signed apex DNAME failed validation whenever that key was not
already validated in the cache.
Chaining CNAMEs, including those synthesized from a DNAME, still cover
the self-join case the check was added for.
When a signed zone is served by the same nameserver instance as
its parent, the child's dnssec-signzone has already written
dsset-<child>. into that directory. Don't attempt to copy the dsset if
the destination and source files are the same.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'nicki/serve-signed-child-same-ns' into 'main'
See merge request isc-projects/bind9!12354
When a signed zone is served by the same nameserver instance as
its parent, the child's dnssec-signzone has already written
dsset-<child>. into that directory. Don't attempt to copy the dsset if
the destination and source files are the same.
Assisted-by: Claude:claude-opus-4-8
Add practical tips about specific handler classes. Mention some good
practices and point developers at existing code written in the desired
manner. Document common pitfalls. Suggest preferred approaches for
splitting up complex response handling code.
Merge branch 'michal/update-asyncdnsserver-related-test-cookbook-parts' into 'main'
See merge request isc-projects/bind9!12260
COOKBOOK.md is supposed to be minimal and heavy on examples, so move the
lengthy section about implementing custom ans.py servers from
COOKBOOK.md to README.md.
Add practical tips about specific handler classes. Mention some good
practices and point developers at existing code written in the desired
manner. Document common pitfalls. Suggest preferred approaches for
splitting up complex response handling code.
The Algorithm type, the per-algorithm constants, and the ALL_ALGORITHMS*
lookup tables are general DNSSEC key definitions used across isctest
package and the tests. Move them into a dedicated module to separate
these from the environment-specific setup that remains in
isctest.vars.algorithms.
Assisted-by: Claude:claude-opus-4-8