Commit graph

45935 commits

Author SHA1 Message Date
Evan Hunt
05691b53da Merge DNSSEC wildcard tests
Merge the tests for #5966 (F-043) and #5972 (F-045), previously called
dnssec_wildcard_additional and dnssec_replayed_parent_wildcard, into a
single directory with two modules.
2026-06-16 19:07:06 -07:00
Alessio Podda
99377e9fdd Reproducer for #5968 parent RRSIG in additional
Add a new "dnssec_parent_rrsig" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
2026-06-16 19:07:06 -07:00
Alessio Podda
4466bbcb4a Reproducer for #5972 DNS_R_FROMWILDCARD accepted
Add a new "dnssec_wildcard_additional" system test.

Co-Authored-By: Evan Hunt <each@isc.org>
2026-06-16 19:07:06 -07:00
Alessio Podda
1d4d3e09ad Reproducer for #5966 replay parent wildcard
Add a new "dnssec_replayed_parent_wildcard" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
2026-06-16 19:07:06 -07:00
Evan Hunt
6e44151466 add isctest.mark method for ecdsa_deterinistic
This checks support for ECDSA deterministic mode in the cryptography
library.
2026-06-16 19:07:06 -07:00
Matthijs Mekking
f678d03a67 Add isctest.check methods for AA flag
Similar to checking AD flag, add methods to see if the AA flag is
present or absent.
2026-06-16 14:45:49 -07:00
Evan Hunt
7ec85b4bd2 Remove the secondary validator in query.c
Previously, when the additional section of a response was being
populated, if cached data was found with pending trust, it would be
opportunistically validated. The code implementing this validation was
not quite formally correct; rather than fixing it, the code has been
removed; RRsets with pending trust are now omitted from responses.

Fixes: isc-projects/bind9#5966
Fixes: isc-projects/bind9#5968
Fixes: isc-projects/bind9#5972
2026-06-16 10:11:16 -07:00
Vicky Risk
499da939f8 fix: doc: Edit SECURITY.md to remove references to bind-security@isc.org
We no longer want to encourage people to open new issues via email because we are getting too many spammy reports generated by LLM. By requiring people actually login to Gitlab to make their report, they will (hopefully) see our reporting template, and think at least a little bit about whether they are making a well-considered, valid report.

Merge branch 'vicky-main-patch-01884' into 'main'

See merge request isc-projects/bind9!12248
2026-06-16 11:26:01 -04:00
Vicky Risk
ce17ffcb48 Edit SECURITY.md to remove references to bind-security@isc.org 2026-06-16 15:32:52 +02:00
Ondřej Surý
1d6b19549c chg: dev: Use SIEVE for TSIG generated-key LRU
Replace the list-based LRU for TSIG KEYs with SIEVE-based LRU.

Merge branch 'ondrej/use-sieve-for-tsigkey-lru' into 'main'

See merge request isc-projects/bind9!12043
2026-06-16 15:13:30 +02:00
Ondřej Surý
bb353200da
Use SIEVE for TSIG generated-key LRU
The generated-key cache used a strict LRU: every lookup hit promoted
the key to the tail of the list under the write lock, even when the
caller arrived holding only the read lock.  That promotion was both
a lock upgrade and a list reshuffle on the hot path.

Replace the LRU with the SIEVE eviction policy.  Lookups now do a
lock-free atomic mark of the visited bit; eviction work moves to
insertion time, which already holds the write lock.
2026-06-16 14:40:49 +02:00
Ondřej Surý
bfb61e1dbc fix: test: Fix the rpz servfail-until-ready test when zone updates run serially
The rpz servfail-until-ready test assumed a particular policy zone always
finished loading last, which only holds when zone updates run in parallel;
on a single CPU (or with serialized offload) it could fail spuriously. It now
polls until RPZ reports ready instead.

Merge branch 'ondrej/fix-rpz-system-test-on-single-cpu' into 'main'

See merge request isc-projects/bind9!12251
2026-06-16 14:01:33 +02:00
Ondřej Surý
153c9d3509 Poll for RPZ readiness in the servfail-until-ready test
RPZ is ready only once every policy zone has completed its first update,
and the zones do not finish in a fixed order, so whenever the updates
run serially (per-loop offload, or any single-CPU run): 'slow-rpz' zone
can finish before the others and the query still gets SERVFAIL.  Poll
the query until it returns NOERROR instead.

Assisted-by: Claude:claude-opus-4-8
2026-06-16 14:01:13 +02:00
Alessio Podda
074efb5768 fix: dev: Keep RRL ncache fixed name alive
Move the fixed name storage out of the NCACHE branch so the name passed to dns_rrl() remains valid for cached NXDOMAIN responses.

Closes #6029

Merge branch '6029-fixedname-fix' into 'main'

See merge request isc-projects/bind9!12096
2026-06-16 11:01:52 +00:00
Alessio Podda
aa022f7ea2 Keep RRL ncache fixed name alive
Move the fixed name storage out of the NCACHE branch so the name passed to
dns_rrl() remains valid for cached NXDOMAIN responses.
2026-06-16 11:56:59 +02:00
Alessio Podda
c2ebd1f66e Add RRL cached NXDOMAIN system test
Add a Python system test that primes ns2's negative cache, queries the
cached NXDOMAIN through RRL, and verifies named remains responsive.
2026-06-16 11:47:09 +02:00
Nicki Křížek
139b0fc48e new: test: Add AnsInstance as the ans counterpart of NamedInstance
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers.  Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.

Assisted-by: Claude:claude-fable-5

Merge branch 'nicki/pytest-ans-instance' into 'main'

See merge request isc-projects/bind9!12241
2026-06-16 10:28:36 +02:00
Nicki Křížek
630247e845 Use AnsInstance fixture in dispatch test
Replace manual ans.run parsing with the ans4 fixture.

Assisted-by: Claude:claude-fable-5
2026-06-16 09:34:25 +02:00
Nicki Křížek
f6a0c1fd63 Add AnsInstance as the ans counterpart of NamedInstance
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers.  Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.

Assisted-by: Claude:claude-fable-5
2026-06-16 09:34:25 +02:00
Ondřej Surý
72ac4bbdb2 fix: nil: Fix a latent NULL dereference in the DoH client request helper
isc__nm_http_request()'s error path reloaded sock->h2->connect.cstream after client_send() had already detached and freed it on a submit failure, dereferencing NULL. The helper is only used by the DoH unit tests. Guard the cleanup path against the detached stream.

Closes #6160

Merge branch '6160-fix-latent-NULL-dereference-in-http2' into 'main'

See merge request isc-projects/bind9!12247
2026-06-15 20:05:17 +02:00
Ondřej Surý
7df91b7634
Guard against a detached stream in isc__nm_http_request() error path
On a submit failure, client_send() nullifies sock->h2->connect.cstream
and frees the stream before returning the error. The error: label in
isc__nm_http_request() reloaded that pointer and dereferenced it
unconditionally, reading through a NULL stream. The function is only
used by the DoH unit tests -- production DoH client send goes through
isc__nm_http_send()/client_httpsend(), whose submit failure is reported
via the NULL-safe send callback -- so this is a latent defect in the
test helper rather than a reachable named crash.

Skip the read callback when the stream has already been detached and
let the caller report the failure from the error result it receives.

Assisted-by: Claude:claude-opus-4-8
2026-06-15 18:09:37 +02:00
Arаm Sаrgsyаn
50dbab9340 fix: usr: Fix a 'deny-answer-aliases' configuration bypass issue
It was possible to use a maliciously crafted authoritative
zone to make :iscman:`named` resolver synthesize a ``DNAME``
"alias" that should have been rejected by the configured
:any:`deny-answer-aliases` option. This has been fixed.

Closes #5930

Merge branch '5930-deny-answer-aliases-and-cached-dname-buf-fix' into 'main'

See merge request isc-projects/bind9!12044
2026-06-15 11:35:12 +00:00
Aram Sargsyan
45c1d760a8 Fix a 'deny-answer-aliases' bug when using a cached DNAME
When using a cached DNAME to resolve a name, make sure to consult
the denied answers lists, otherwise it is possible to consutruct
a restricted alias by caching a DNAME that is a parent of the
denied alias. See the comments in the tests case from the previous
commit an example.
2026-06-15 09:37:07 +00:00
Aram Sargsyan
1645b09341 Add a new 'deny-answer-aliases' check in 'resolver' system test
This new check exercises an attack against guarantees given by the
'deny-answer-aliases' configuration option by caching a DNAME
that is a parent of the restricted alias, and then "constructing"
the restricted alias from the cache.
2026-06-15 09:37:07 +00:00
Ondřej Surý
2f3c040d19 fix: nil: Remove isc_mem_strndup()
The isc_mem_strndup() function had a single caller, the HTTP/2
request-path handling, which now uses isc_mem_allocate() and strlcpy()
directly.  Remove the function from the libisc API.

Closes #6087

Merge branch '6087-remove-isc_mem_strndup' into 'main'

See merge request isc-projects/bind9!12240
2026-06-12 17:40:20 +02:00
Ondřej Surý
5f068a307f Remove isc_mem_strndup()
The function had a single caller, the HTTP/2 request-path handling in
the network manager, and its semantics (strlen() of the source clamped
to the requested size) amounted to an obscured bounded string copy.
Replace the only use with a plain allocation and strlcpy(), and drop the
function.
2026-06-12 17:40:05 +02:00
Arаm Sаrgsyаn
e0d84f8370 fix: usr: Fix a zone transfer over TLS (XoT) issue when using the opportunistic TLS mode
The :iscman:`named` process, running as secondary DNS server,
configured to transfer a zone from a primary server using an
encrypted XoT transport in opportunistic TLS mode (i.e. without
peer certificate/hostname validation) could terminate unexpectedly
when the TLS ALPN negotiation with primary server was unsuccessful.
This has been fixed.

Closes #5957

Merge branch '5957-xot-xfrin_connect_done-bug-fix' into 'main'

See merge request isc-projects/bind9!12081
2026-06-12 15:36:57 +00:00
Aram Sargsyan
fb27599b58 Fix a bug in xfrin.c:xfrin_connect_done()
When the connect callback's result is ISC_R_SUCCESS and the callback
changes the result because of some condition, the 'xfr' should not
be detached, because it now belongs to the receive callback.

Detach the reference only if the callback's result is non-success.
2026-06-12 14:59:47 +00:00
Aram Sargsyan
6e0d998ff6 Add a check for the "doth" system test
Configure a zone transfer using XoT (with opportunistic TLS) from
a non-DoT port, which does not provide ALPN "dot" (in this case
it will try to connect to a DoH port). This is expected to fail,
but the client should handle the error gracefully and not to crash.
2026-06-12 14:59:47 +00:00
Colin Vidal
684f577458 fix: dev: Fix delegdb dump buffer overflow
A buffer used to dump a DNS name in the delegdb dump flow was using the
wrong size: it was using `DNS_NAME_MAXWIRE` which is the actual max
length of a DNS name on the wire instead of using `DNS_NAME_FORMATSIZE`
which is the maximum length of a textual representation of a DNS name
(which can be way longer than `DNS_NAME_MAXWIRE` if using the master
file escape sequence format) plus 1 (end of string byte). This could
lead to a buffer overflow. This is now fixed.

Closes #6132

Merge branch '6132-delegdb-dump-overflow' into 'main'

See merge request isc-projects/bind9!12195
2026-06-12 16:50:23 +02:00
Colin Vidal
ebd4e26f46 Fix delegdb dump buffer overflow
A buffer used to dump a DNS name in the delegdb dump flow was using the
wrong size: it was using `DNS_NAME_MAXWIRE` which is the actual max
length of a DNS name on the wire instead of using `DNS_NAME_FORMATSIZE`
which is the maximum length of a textual representation of a DNS name
(which can be way longer than `DNS_NAME_MAXWIRE` if using the master
file escape sequence format) plus 1 (end of string byte). This could
lead to a buffer overflow. This is now fixed.
2026-06-12 15:45:22 +02:00
Colin Vidal
7a1a3a0251 Add test for delegdb dump with very long name
Add a delegdb test which dump a database which contains a very long name
(using DNS master file format with escape sequence as defined per RFC
1035). This ensure that the delegdb uses large enough internal buffers
to load the names in DB and generate the dump. If this is not the case,
the test crashes on a build with address sanatizer enabled.
2026-06-12 15:45:22 +02:00
Nicki Křížek
02425ce4b4 new: test: Add a system test cookbook
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.

Assisted-by: Claude:claude-fable-5

Merge branch 'nicki/systest-cookbook' into 'main'

See merge request isc-projects/bind9!12234
2026-06-12 14:37:21 +02:00
Nicki Křížek
e1cd8e5cfa Add a system test cookbook
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.

Assisted-by: Claude:claude-fable-5
2026-06-12 14:31:49 +02:00
Michal Nowak
4957da2e29 new: ci: Enforce AI commit-trailer rules in danger checks
`CONTRIBUTING.md` documents several rules around how AI coding assistants should (and should not) be attributed in commit messages.  Teach `dangerfile.py` to enforce them so that violations are caught at MR time.

Merge branch 'mnowak/danger-ai-trailer-checks' into 'main'

See merge request isc-projects/bind9!11969
2026-06-12 12:02:45 +02:00
Michal Nowak
2cac546d08 Validate Assisted-by trailer format and tool list
CONTRIBUTING.md documents the Assisted-by trailer format as

    Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]

and excludes basic development tools (git, compilers, meson,
ninja, editors, clang-format, black, ruff) from the optional
tool list.

Walk every `Assisted-by:` line in each commit message and emit a
`warn()` when:

  - the line does not match the documented `AGENT:VERSION` shape;
  - the optional tool list contains basic-tool names.

The basic-tool list extends the CONTRIBUTING.md examples with
other formatters, generic linters, and build/test runners
commonly invoked from `.gitlab-ci.yml`.  Specialized analysis
tools (coccinelle, clang-tidy, AFL, Coverity, cppcheck,
valgrind, sanitizers) are intentionally absent so they remain
allowed in the trailer.

Use `warn()` rather than `fail()` because the format is
human-written and overly strict matching would produce false
positives on edge cases.

Assisted-by: Claude:claude-opus-4-7
2026-06-12 11:59:44 +02:00
Michal Nowak
65d082277d Reject Signed-off-by trailers from AI tools in danger check
CONTRIBUTING.md states that AI agents must not add Signed-off-by
tags, since only humans can legally certify the Developer
Certificate of Origin.  Mirror the existing LLM Co-Authored-By
check against the Signed-off-by trailer line so danger fails on
commits that violate the rule.

The shared alternation of known LLM agent names is factored out
into LLM_AGENT_NAMES_RE so adding a new tool only requires one
edit.

Assisted-by: Claude:claude-opus-4-7
2026-06-12 11:59:44 +02:00
Michal Nowak
f5e9dd3dd6 Detect Co-Authored-By trailers and reject AI co-authors
CONTRIBUTING.md states that AI agents must not be listed as
co-authors and that contributors should use the `Assisted-by:`
trailer instead.  Teach `dangerfile.py` to fail merge requests
whose commit messages include a `Co-Authored-By:` trailer naming
a known LLM (Claude, Codex, Mistral, Copilot, Gemini, Cursor,
Devin, Aider, Sourcegraph, CodeWhisperer).

For any other `Co-Authored-By:` trailer, emit an info-level
`message()` that includes the full trailer line so reviewers can
confirm the named co-author is a human contributor and not an
unrecognised AI tool.

Assisted-by: Claude:claude-opus-4-7
2026-06-12 11:05:14 +02:00
Arаm Sаrgsyаn
242d931956 fix: usr: Fix a bug in GeoIP2 string matching
When using GeoIP2 ACLs (see :any:`acl`), :iscman:`named` could
incorrectly match a name using a sub-string instead of the full
name match. This has been fixed.

Closes #6019

Merge branch '6019-geoip2-string-match-buf-fix' into 'main'

See merge request isc-projects/bind9!12092
2026-06-11 14:38:23 +00:00
Aram Sargsyan
8448136b16 Fix 'geoip' ACL matching bug
The geoip2.c:match_string() function can incorrectly return 'true'
when matching strings of different lengths (i.e. it matches a
substring). Return 'false' when the lengths of the matched strings
are different.
2026-06-11 13:28:21 +00:00
Aram Sargsyan
bdf4ab9280 Add a new check for the 'geoip2' system test
Check that an ACL can't be matched by a substring in the
GeoIP database, instead of the full string comparision.
2026-06-11 13:28:21 +00:00
Nicki Křížek
eec23bbe29 chg: nil: Update the system test README for the pytest-native workflow
The README predated the meson migration and most of the pytest runner
features. Document building the test dependencies with meson and drop
the make-based instructions, the Makefile.am registration step, and the
stale -T flag list. Describe the jinja2 templating, bootstrap(), the
conftest fixtures, the pytest marks, and recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5

Merge branch 'nicki/systest-readme-refresh' into 'main'

See merge request isc-projects/bind9!12232
2026-06-11 15:22:49 +02:00
Nicki Křížek
abd37e03d6 Update the system test README for the pytest-native workflow
The README predated the meson migration and most of the pytest runner
features. Document building the test dependencies with meson and drop
the make-based instructions, the Makefile.am registration step, and the
stale -T flag list. Describe the jinja2 templating, bootstrap(), the
conftest fixtures, the pytest marks, and recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5
2026-06-11 15:04:21 +02:00
Arаm Sаrgsyаn
476fdc5365 fix: usr: Fix DNS-over-HTTPS (DoH) quota configuration issue
The :any:`http-listener-clients` and :any:`http-streams-per-connection`
configuration options could be truncated to smaller values (or to ``0``,
which means unlimited) when very big configuration values were used, which
exceeded ``65535``. As a note - it is very unlikely that such big values
are used in production, and the default values for the affected options
are ``300`` and ``100``, correspondingly. This has been fixed.

Closes #6021

Merge branch '6021-doh-quota-type-truncation-fix' into 'main'

See merge request isc-projects/bind9!12085
2026-06-11 11:33:05 +00:00
Aram Sargsyan
281660ecc1 Fix DoH quota global variables type
The 'named_g_http_listener_clients' and 'named_g_http_streams_per_conn'
global variables are defined as 'in_port_t', which is usually 16 bits,
but both the readers and the writers of those variables use 'uint32_t'
as the target/source, which can result in truncation.

Use correct types.
2026-06-11 11:32:26 +00:00
Matthijs Mekking
e62fb7cb1b fix: usr: Ignore updates removing DNSKEY RRset with class ANY
When a Dynamic Update is received that removes the ``DNSKEY`` (or ``CDNSKEY``,
or ``CDS``) RRset, remove all records except the ones that are in use
for signing for the zone.

Closes #6045

Merge branch '6045-dns-update-delete-in-use-dnskey-any' into 'main'

See merge request isc-projects/bind9!12166
2026-06-11 11:27:41 +00:00
Matthijs Mekking
008ad8ade2 ISC_ATTR_UNUSED in favor of UNUSED() 2026-06-11 10:53:56 +00:00
Matthijs Mekking
97b9c9c823 Keep our key on update removing DNSKEY RRset
When a Dynamic Update is received that removes the DNSKEY (or CDNSKEY,
or CDS) RRset, remove all records except the ones that are in use
for signing for the zone (with dnssec-policy).
2026-06-11 10:53:56 +00:00
Matthijs Mekking
3711f3b3c6 Test removing DNSKEY records with class ANY
The update should ignore DNSKEY, CDNSKEY and CDS records
for keys that are used for signing.
2026-06-11 10:53:56 +00:00
Petr Špaček
767dc16481 chg: doc: CVE template suggestions
Suggested changes to the CVE checklist, submitted for your approval (or rejection).  Commits in order of decreasing priority:

* 81bd4025c0e4ac407d5a8c7e0c414e2ed20f543f: Update Zulip link for new bind-incidents channel
* 65caa4912b25058cdeaef35094985424f2b2478f: Explicit sub-steps for assessing -S and EOL
* 1dc0d656edc1f6b5586da3ec1d416e5223c5504a: Clearer separation between CVE and CVSS+CWE steps
* 5ebb9ac33fda59adec6b9019bd211e96edebca49: EVN texts: Clarify what is done, when, and using which tool
* 29a79c21cbfe3477cd706861eeb12b53c98e2091: Use reference links for Earliest Notification and printing-press, to make the table less cumbersome to edit
* fd1b6d98c3cef2f6d212a5988b3726d933c84d27: Add TOC and sections for better (?) navigation
* 803b1d2aff04cf88ab860b42e3463c57fbf17f6d: Remove a few words to make the table narrower
* e68a1c84bd41a769ea8d96b7542cd7c062dd4af1: Clearer links to instructions, at top (bikeshed-y)
* e75b65072fe6eb271667659eac79817da1dd6515: Typo fix to the above

Merge branch 'bscott-cve-quicklist-tweaks' into 'main'

See merge request isc-projects/bind9!12221
2026-06-11 10:51:39 +00:00