Commit graph

44734 commits

Author SHA1 Message Date
Nicki Křížek
320ec03c0d Tweak and reword release notes 2026-01-09 10:55:52 +01:00
Nicki Křížek
6aae2425b3 Move release note for EDE 13 to proper section 2026-01-09 10:55:21 +01:00
Nicki Křížek
7c3cce9e8b Remove release note for GL #5671
This was already fixed in the previous release.
2026-01-09 10:54:54 +01:00
Nicki Křížek
a1acf7f068 Remove release note for GL #5675
It is sufficient to leave this as a changelog entry.
2026-01-09 10:54:35 +01:00
Nicki Křížek
897f275934 Prepare release notes for BIND 9.21.17 2026-01-09 10:54:11 +01:00
Nicki Křížek
1959cfb07c Generate changelog for BIND 9.21.17 2026-01-08 13:28:40 +01:00
Nicki Křížek
7bf83f69a8 [CVE-2025-13878] sec: usr: Fix incorrect length checks for BRID and HHIT records
Malformed BRID and HHIT records could trigger an assertion failure. This has been fixed.

ISC would like to thank Vlatko Kosturjak from Marlink Cyber for bringing
this vulnerability to our attention.

Closes isc-projects/bind9#5616

Merge branch '5616-confidential-brid-hhit-towire' into 'v9.21.17-release'

See merge request isc-private/bind9!876
2026-01-08 12:32:38 +01:00
Mark Andrews
14e299995f Fix incorrect length checks for BRID and HHIT records
Fix incorrect length checks in the towire_*() methods for BRID and HHIT
records to prevent assertion failures when trying to serve short
records.
2026-01-08 10:45:18 +01:00
Nicki Křížek
c49ee7907d chg: dev: Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.

Closes #5699

Merge branch '5699-support-cmocka-2.0.0' into 'main'

See merge request isc-projects/bind9!11412
2026-01-07 11:12:50 +01:00
Nicki Křížek
6843a4bd9a Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.
2026-01-07 10:38:45 +01:00
Evan Hunt
57ee4d1e1c chg: usr: Enforce bounds of multiple configuration options
The configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
boundaries. The configuration (including when using `named-checkconf`)
now fails if those options are set out of range.

Merge branch 'colin/multiple-options-strict-boundaries' into 'main'

See merge request isc-projects/bind9!11248
2026-01-07 07:02:22 +00:00
Colin Vidal
7bf04a9a4c update doc for strict boundaries check
Update documentation, removing the mention of statements being
implicitely "fixed" if they are defined out of range (for
`edns-version`, `edns-udp-size`, `max-udp-size`, `no-cookie-udp-size`
and `padding`) as the ranges are now enforced.
2026-01-07 07:01:59 +00:00
Colin Vidal
588de09145 add strict bound check tests
Add checkconf system test covering the strict boundary checks for
`edns-version`, `edns-udp-size`, `max-udp-size`, `no-cookie-udp-size`
and `padding`.
2026-01-07 07:01:59 +00:00
Colin Vidal
a67487a4ad remove implicit bounds fixes in server config
Now that the configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` have strict boundaries
(configuration failing if they are not respected), remove configuration
loading code which implicitely raises or lowers them.
2026-01-07 07:01:59 +00:00
Colin Vidal
4cf2efc97a small refactor for max-query-restart in check.c
Use the `check_range_uint32()` function in `check.c` to test the
boundaries of `max-query-restart` instead of custom code.
2026-01-07 07:01:59 +00:00
Colin Vidal
fe326a8c2f enforce bounds of multiple configuration options
The configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
boundaries. The configuration (including when using `named-checkconf`)
now fails if those options are out of range.
2026-01-07 07:01:59 +00:00
Michal Nowak
e5496bb41e new: ci: Add FreeBSD 15.0
Merge branch 'mnowak/freebsd-15.0' into 'main'

See merge request isc-projects/bind9!11320
2026-01-06 22:43:52 +01:00
Michal Nowak
636a617f66
Inline FreeBSD jobs from anchors
Although markup extraction to anchors makes FreeBSD jobs cleaner, it
prevents job customization, say, enabling or disabling a build option.
2026-01-06 21:17:48 +01:00
Michal Nowak
b4c0408d81
Add ans10 blackhole server to xfer system test
On FreeBSD 15.0, sending requests to non-existent address produces
unexpected results. Add a blackhole server instead.
2026-01-06 21:17:48 +01:00
Michal Nowak
282f87461b
Add FreeBSD 15.0 2026-01-06 21:17:48 +01:00
Štěpán Balážik
04e55696d6 chg: ci: Don't overwrite JUnit file generated by pytest in post-processing
When both input and output files are the same, it creates unnecesary
troubles in debugging issues with the JUnit files.

Keep the Pytest-generated file in the artifacts and output the checked
version as a new file.

Companion MR: https://gitlab.isc.org/isc-projects/bind9-qa/-/merge_requests/155

Merge branch 'stepan/dont-overwrite-pytest-junit-xml' into 'main'

See merge request isc-projects/bind9!11430
2026-01-06 16:49:16 +00:00
Štěpán Balážik
0f2d0daabc Generate, check the JUnit reports for the doctest job
Pass it to GitLab for display.
2026-01-06 16:54:37 +01:00
Štěpán Balážik
1a85a27f54 Don't overwrite JUnit file generated by pytest in post-processing
When both input and output files are the same, it creates unnecesary
troubles in debugging issues with the JUnit files.

Keep the Pytest-generated file in the artifacts and output the checked
version as a new file.
2026-01-06 15:15:43 +01:00
Štěpán Balážik
af809329b3 Use git_clone_bind9-qa anchor in .system_test_common
This was missed in abecddb13a.
2026-01-06 15:15:17 +01:00
Nicki Křížek
849c17abe5 [CVE-2025-8677] sec: test: Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.

Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.

Closes #5343

Merge branch '5343-count-invalid-keys-into-validation-fails-test' into 'main'

See merge request isc-projects/bind9!11425
2026-01-05 14:45:06 +01:00
Nicki Křížek
0ddfa108a7 Test zone with truncated revoked DNSKEY
Ensure that named can handle a situation where the zone is signed with a
truncated, self-signed revoked DNSKEY. The signatures are inevitably
bogus and a SERVFAIL is expected. However, prior to CVE-2025-8677 fix,
this could trigger an assertion failure.
2026-01-05 14:04:58 +01:00
Nicki Křížek
1a2e46d364 Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.

Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.
2026-01-05 14:04:58 +01:00
Štěpán Balážik
c511314c54 fix: test: Set default_aa on AsyncDnsServer to False by default
In !11179 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.

Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.

This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).

Merge branch 'stepan/set-asyncdnsserver-dafault-aa-to-false-by-default' into 'main'

See merge request isc-projects/bind9!11419
2026-01-05 13:03:11 +00:00
Štěpán Balážik
dc58c73264 Set default_aa on AsyncDnsServer to False by default
In 6e684d44 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.

Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.

This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).
2026-01-05 13:27:57 +01:00
Ondřej Surý
812d069e26 fix: nil: Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
                 from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
  141 |         off_t maximum_size;
      |         ^~~~~

This is due to missing include unistd.h, so let's add it on top of
isc/log.h

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Merge branch 'fix/uclibc-off_t-main' into 'main'

See merge request isc-projects/bind9!11422
2026-01-04 21:46:05 +01:00
Giulio Benetti
0e43f62c12 Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
                 from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
  141 |         off_t maximum_size;
      |         ^~~~~

This is due to missing include unistd.h, so let's add it on top of
isc/log.h

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
2026-01-04 15:14:10 +01:00
Matthijs Mekking
6cbc0fae44 fix: nil: Fix Coverity issue 640332/640331
Merge branch 'matthijs-cid-640332' into 'main'

See merge request isc-projects/bind9!11414
2026-01-02 08:52:49 +00:00
Matthijs Mekking
17f93fff78 Fix Coverity issue 640332/640331
The `notifytype = cfg_obj_asboolean(obj);` was left in place
erroneously in commit 52c940551d.

See https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/11384#note_628991
for background discussion.
2026-01-02 08:12:01 +00:00
Matthijs Mekking
9609bf4536 fix: test: Fix intermittent test failure in rollover-zsk-prepub
Revert the wait for log change for the rollover-zsk-prepub test.

Closes #5692

Merge branch '5692-rollover-zsk-prepub-step3-intermittent-test-fail' into 'main'

See merge request isc-projects/bind9!11413
2026-01-02 08:10:40 +00:00
Matthijs Mekking
22c02a4df9 Wait for "sending notifies" for step3.zsk-prepub
Commit c17ac42608 changed some tests to
wait for "zone_needdump" messages instead of "sending notifies", because
notifies are rate limited and "zone_needdump" happen on every change.

However, inspecting the logs, the "zone_needdump" changes happen more
than once (likely because the re-signing is done in batches):

    received control channel command 'sign step3.zsk-prepub.manual'
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone step3.zsk-prepub.manual/IN (signed): sending notifies

This means we are running the rollover step checks too fast in some
test runs.

Revert the wait for log change for the rollover-zsk-prepub test.
2025-12-31 11:40:42 +01:00
Matthijs Mekking
b47633ed42 chg: nil: change notify-cds to notify-cfg CDS
Change the notify configuration to be more flexible for other types of generalized DNS notifications.

Also allow for notify-cfg SOA.

Merge branch 'matthijs-notify-cfg' into 'main'

See merge request isc-projects/bind9!11384
2025-12-29 09:41:43 +00:00
Matthijs Mekking
52c940551d Change notify-cds option to notify-cfg CDS
Change the notify configuration to be more flexible for other types
of generalized DNS notifications.

Also allow for notify-cfg SOA.
2025-12-29 10:06:16 +01:00
Matthijs Mekking
7fd1eccb6e Change zone set/get options related to notify
Add a type to all dns_zone_(get|set) functions that apply to sending
notifies, so the options can be set and retrieved separately per type.

This affects dns_zone_setnotifydefer, dns_zone_getnotifydefer,
dns_zone_setnotifydelay, dns_zone_getnotifydelay,
dns_zone_setnotifysrc4, and dns_zone_setnotifysrc6.

The functions dns_zone_getnotifysrc4 and dns_zone_getnotifysrc6 are
unused and can be removed.
2025-12-29 09:43:04 +01:00
Matthijs Mekking
2118fa0b62 chg: doc: Clarify rndc sign
It was not explicitly clear that ``rndc sign`` replaces signatures of inactive keys and updates signatures that are not so fresh.

Closes #5490

Merge branch '5490-clear-rndc-sign-on-error' into 'main'

See merge request isc-projects/bind9!11396
2025-12-22 14:09:06 +00:00
Matthijs Mekking
3f52303ef7 Clarify rndc sign
It was not explicitly clear that 'rndc sign' replaces signatures of
inactive keys and updates signatures that are not so fresh.
2025-12-22 13:33:48 +00:00
Michał Kępień
4430632915 [CVE-2025-40778] sec: test: Add various bailiwick-related tests
Closes #5414

Merge branch '5414-add-various-bailiwick-related-tests' into 'main'

See merge request isc-projects/bind9!11406
2025-12-22 12:44:38 +01:00
Petr Špaček
e223ee7097
Test that spoofed DNAME is not accepted via spoofable transport
A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get
unlimited number of tries to spoof the answer.  To limit impact, we
should not be accepting DNAME over insecure transport, like UDP without
cookies etc.

In short, the attacker tries to spoof at least one answer that has the
following form:

    opcode QUERY
    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.test. IN A
    ;ANSWER
    trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
    test. 3600 IN DNAME attacker.net.
    ;AUTHORITY
    ;ADDITIONAL

This has been discovered internally.

Co-authored-by: Michał Kępień <michal@isc.org>
2025-12-22 11:58:39 +01:00
Petr Špaček
b5dc46fe6e
Test that fake child delegation cannot overwrite parent's glue RR
In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    ;AUTHORITY
    trigger$RANDOM.victim. 3600 IN NS ns.victim.
    ;ADDITIONAL
    ns.victim. 3600 IN A 10.53.0.3

This attack was originally reported as "test case 2".

Co-authored-by: Michał Kępień <michal@isc.org>
2025-12-22 11:58:39 +01:00
Petr Špaček
658d2e9f8e
Test that unsolicited NS in positive answer cannot overwrite current NS
Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.

In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL

This attack was originally reported as "test case 1".

Co-authored-by: Michał Kępień <michal@isc.org>
2025-12-22 11:58:39 +01:00
Petr Špaček
26eed16d61
Test that positive answer cannot overwrite sibling NS RRs
Before the fixes for CVE-2025-40778, a positive answer was allowed to
overwrite sibling NS RRs.  The answer had to be a positive AA=1 answer
with a fake NS along with it.  This combination of conditions avoided
the code path with "unrelated <RRTYPE>" detection logic.

If it were some other answer, named from the main branch would detect
the attempt and log:

    DNS format error from 10.53.0.1#16386 resolving trigger/A for <unknown>: unrelated NS victim in trigger authority section

In short, the attacker tries to spoof at least one answer that has the
following form:

    opcode QUERY
    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM. IN A
    ;ANSWER
    trigger$RANDOM. 3600 IN A 10.53.0.3
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL
    ns.attacker. 3600 IN A 10.53.0.3

This attack was originally reported as "test case 1c".

Co-authored-by: Michał Kępień <michal@isc.org>
2025-12-22 11:58:39 +01:00
Petr Špaček
607974b1bc
Add a common base for CVE-2025-40778 tests
Add the zone files, configuration, and code that will be reused by all
tests related to CVE-2025-40778.

Co-authored-by: Michał Kępień <michal@isc.org>
2025-12-22 11:58:39 +01:00
Michał Kępień
440e510f75
Add a reusable, bare-bones AsyncDnsServer
Add bin/tests/system/ans.py, a bare-bones DNS server that can be used in
system tests instead of full-blown named instances when a server is only
required to return zone-based data.  Where applicable, this reduces load
on the test host and the amount of generated logs.
2025-12-22 11:58:39 +01:00
Matthijs Mekking
ab9899455b chg: test: Add isctest.kasp.Key.SettimeOptions
Merge branch 'matthijs-pytest-settime' into 'main'

See merge request isc-projects/bind9!11388
2025-12-22 09:06:14 +00:00
Matthijs Mekking
f6749a432b Add isctest.kasp.SettimeOptions
This Class sets settime parameters and these can be called with key.settime()
that runs dnssec-settime on the given key with the given parameters.
2025-12-22 09:04:46 +00:00
Mark Andrews
ffc02b12c9 fix: nil: "Don't use dns_name_fromstring in dsyncfetch_start"
Closes #5697

Merge branch '5697-don-t-use-dns_name_fromstring-in-dsyncfetch_start' into 'main'

See merge request isc-projects/bind9!11405
2025-12-22 19:55:46 +11:00