Commit graph

43983 commits

Author SHA1 Message Date
Andoni Duarte Pintado
3d508bf12b Add job to assign issues and merge requests to version milestones
After a release is signed (the "sign" job), the "assign-milestones" job
will assign issues and merge requests to the corresponding version
milestones.

(cherry picked from commit ad95cdb9e2)
2026-04-17 09:42:46 +00:00
Andoni Duarte
33f90767c7 [9.20] new: ci: Extend the prepare-release-announcement job to post release links
The prepare-release-announcement job is now extended so that after
creating the announcement MR, it posts a message with links to the newly
released versions to Mattermost.

Backport of MR !11860

Merge branch 'backport-andoni/extend-prepare-release-announcement-with-urls-message-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11869
2026-04-17 08:53:49 +00:00
Andoni Duarte Pintado
bd7a39fb64 Extend the prepare-release-announcement job post release links
The prepare-release-announcement job is now extended so that after
creating the announcement MR, it posts a message with links to the newly
released versions to Mattermost.

(cherry picked from commit a486a38a7f)
2026-04-17 08:52:01 +00:00
Ondřej Surý
3a97d3c583 [9.20] new: doc: Document opt-in 🤖 marker for agent-authored issues and MRs
Add short notes in CONTRIBUTING.md telling automated agents to append
🤖 to the title of issues and merge requests so they can be routed
through the streamlined agent triage/merge process.

Backport of MR !11861

Merge branch 'backport-ondrej/agent-contributing-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11862
2026-04-16 19:10:39 +02:00
Ondřej Surý
f9ccbd95d7 Document opt-in 🤖 marker for agent-authored issues and MRs
Add short notes in CONTRIBUTING.md telling automated agents to append
🤖 to the title of issues and merge requests so they can be routed
through the streamlined agent triage/merge process.

(cherry picked from commit 2ec8d3ce7c)
2026-04-16 19:04:44 +02:00
Ondřej Surý
30b6c25c8b Change the CONTRIBUTING to use Developer's Certificate of Origin 1.1
(cherry picked from commit 845eb2ebbc)
2026-04-16 19:04:36 +02:00
Štěpán Balážik
18e0fe880c [9.20] chg: ci: Test development version of libuv in CI
Recently, a broken version of libuv was released breaking BIND on
several platforms. The offending [commit](https://github.com/libuv/libuv/issues/5030) was on the development branch
for months, but we didn't notice.

In nightly pipelines, build the current 'main' (actually 'v1.x') branch
of libuv and run the unit and system tests against it.

Backport of MR !11647

Merge branch 'backport-stepan/prelease-testing-for-libuv-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11842
2026-04-15 14:49:04 +00:00
Štěpán Balážik
df1bde488c Test development version of libuv in CI
Recently, a broken version of libuv was released breaking BIND on
several platforms. The offending commit [1] was on the development
branch for months, but we didn't notice.

In nightly pipelines, build the current 'main' (actually 'v1.x') branch
of libuv and run the unit and system tests against it.

[1]: https://github.com/libuv/libuv/issues/5030

(cherry picked from commit 23d11de2b4)
2026-04-15 13:42:20 +00:00
Mark Andrews
35d94fffb0 [9.20] fix: usr: Remove unnecessary dns_name_free call
When processing a catalog zone member's primaries definition and
there is a TXT record containing an invalid TSIG key name,
dns_name_free was incorrectly called, triggering an assertion.
This has been fixed.

Closes #5858

Backport of MR !11832

Merge branch 'backport-5858-remove-unnecessary-dns-name-free-call-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11848
2026-04-15 13:53:52 +10:00
Mark Andrews
5daf7102a5 Checking invalid TSIG key name in a catalog zone
(cherry picked from commit 213e59ccf5)
2026-04-15 12:30:22 +10:00
Mark Andrews
35a5e29800 Remove unnecessary dns_name_free call
When processing a catalog zone member's primaries definition and
there is a TXT record containing an invalid TSIG key name,
dns_name_free was incorrectly called, triggering an assertion.
This has been fixed.

(cherry picked from commit 9f411c93c4)
2026-04-15 12:30:22 +10:00
Mark Andrews
de4a9b4fa6 [9.20] fix: usr: Fix zone verification of NSEC3 signed zones
Previously, when computing the compressed bitmap during verification of an NSEC3-signed zone, an undersized buffer was used that resulted in an out-of-bounds write if there were too many active windows in the bitmap. This impacted mirror zones which are NSEC3-signed, `dnssec-signzone` and `dnssec-verifyzone`. This has been fixed.

Closes #5834

Backport of MR !11804

Merge branch 'backport-5834-fix-cbm-size-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11833
2026-04-10 18:08:15 +10:00
Mark Andrews
c9671ebfe6 Checking maximal sized compressed bit map works
Add records that will be at the end of each compressed bitmap less 1
of the NSEC3 record. Zone verification should still work.

(cherry picked from commit e9a58de251)
2026-04-10 17:21:42 +10:00
Mark Andrews
6d38c398c8 Use the correct maximal compressed bit map buffer size
There are up to 256 windows in a NSEC/NSEC3 compressed bit
map of 32 + 2 octets each.

(cherry picked from commit e43e4bd20a)
2026-04-10 06:23:53 +00:00
Michal Nowak
5f6c1d9113 [9.20] new: test: System test requires the h2 module
Backport of MR !11829

Merge branch 'backport-mnowak/require-h2-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11830
2026-04-09 17:55:47 +02:00
Michal Nowak
7d281668d0 System test requires the h2 module
(cherry picked from commit 8b4b1aa6d9)
2026-04-09 15:39:12 +00:00
Michał Kępień
b391abcb2b [9.20] fix: ci: Purge distros token in a separate CI job
The "publish" job runs on a dedicated, locked-down runner that lacks the
Python modules necessary to execute the manage_distros_token.py script.
Instead of deleting the token within the "publish" job, purge it in a
separate job that automatically runs on the "base" image after the
"publish" job succeeds.  Define "rules" for the new job so that the
token is only deleted for security releases, as it should have been
initially.

Backport of MR !11817

Merge branch 'backport-michal/purge-distros-token-in-a-separate-ci-job-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11826
2026-04-09 13:48:45 +02:00
Michał Kępień
3b92df2b76 Purge distros token in a separate CI job
The "publish" job runs on a dedicated, locked-down runner that lacks the
Python modules necessary to execute the manage_distros_token.py script.
Instead of deleting the token within the "publish" job, purge it in a
separate job that automatically runs on the "base" image after the
"publish" job succeeds.  Define "rules" for the new job so that the
token is only deleted for security releases, as it should have been
initially.

(cherry picked from commit 36411e7c84)
2026-04-09 11:25:38 +00:00
Michal Nowak
08709d5f66 [9.20] chg: test: Bump ns6 reconfigure timeout to 30 seconds
Rarely, RNDC fails to reconfigure zones on FreeBSD in the default 10
seconds.

Backport of MR !11820

Merge branch 'backport-mnowak/xfer-bump-reconfigure-timeout-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11821
2026-04-09 06:46:19 +02:00
Michal Nowak
c52838b835 Bump ns6 reconfigure timeout to 30 seconds
Rarely, RNDC fails to reconfigure zones on FreeBSD in the default 10
seconds.

(cherry picked from commit 723c199daa)
2026-04-09 06:46:06 +02:00
Mark Andrews
dcd040dea9 [9.20] fix: doc: nsupdate does not handle zero length RDATA well
Nsupdate does not distinguish between a non-existing RDATA field
and an empty RDATA field when determining which action is desired
when the RDATA field is empty. This only affects a few data types,
like APL, which allow an empty RDATA field.  Document a workaround
of using the '\# 0' form for entering these specific records. e.g.

    # delete the APL RRset
    update delete IN APL
    # delete the APL record with a zero length rdata
    update delete IN APL \# 0

Closes #5835

Backport of MR !11775

Merge branch 'backport-5835-nsupdate-doc-zero-length-rdata-how-to-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11823
2026-04-09 12:07:26 +10:00
Mark Andrews
bc9c2539e3 nsupdate does not handle zero length RDATA well
Nsupdate does not distinguish between a non-existing RDATA field
and an empty RDATA field when determining which action is desired
when the RDATA field is empty. This only affects a few data types,
like APL, which allow an empty RDATA field.  Document a workaround
of using the '\# 0' form for entering these specific records. e.g.

    # delete the APL RRset
    update delete IN APL
    # delete the APL record with a zero length rdata
    update delete IN APL \# 0

(cherry picked from commit f45762a5be)
2026-04-09 00:34:15 +00:00
Michal Nowak
dbfc344e63 fix: test: Fix strstr const inheritance issue in test code
The const property was discarded by a strstr call in test-data.c.
This has been fixed.

Closes #5861

Merge branch '5861-fix-const-inheritance-issue-in-test' into 'bind-9.20'

See merge request isc-projects/bind9!11815
2026-04-08 11:40:42 +02:00
Mark Andrews
5ccfb936ca Fix strstr const inheritance issue in test code
A strstr call discarded the const attribute.  Rework the code
preserving the const attribute.
2026-04-08 08:57:05 +10:00
Mark Andrews
60288be50f [9.20] fix: test: Check exit status of dig and nsupdate in nsupdate system test
Add missing failure checks to six dig and nsupdate invocations in nsupdate system test so that command failures are properly caught instead of silently ignored.

Backport of MR !11811

Merge branch 'backport-marka/check-return-codes-in-nsupdate-test-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11813
2026-04-08 07:58:22 +10:00
Mark Andrews
6982d10993 Check exit status of dig and nsupdate in nsupdate system test
Add missing `|| ret=1` to six dig and nsupdate invocations in
tests.sh so that command failures are properly caught instead
of silently ignored.

(cherry picked from commit 9ba03a1848)
2026-04-07 17:32:53 +00:00
Michal Nowak
9cef150dee [9.20] new: doc: Use ubuntu-24.04 for RTD, bump Python version
Backport of MR !11806

Merge branch 'backport-mnowak/rtd-image-bump-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11809
2026-04-07 17:32:31 +02:00
Michal Nowak
a83db4cc20 Use ubuntu-24.04 for RTD, bump Python version
(cherry picked from commit 3a8e2f7427)
2026-04-07 14:12:20 +00:00
Matthijs Mekking
819df0d19e [9.20] chg: dev: Fix off by one error in dnssec-ksr sign
If the inception time of the signature is exactly equal to the inactive time of the key, add the signature.

Backport of MR !11791

Merge branch 'backport-matthijs-skr-off-by-one-bug-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11795
2026-04-07 08:33:13 +00:00
Matthijs Mekking
eed010c3a5 Also fix off by one error in system test
The system test was also subject to the same off by one bug that also
existed in the code. That is: if the inception time of the signature
is exactly equal to the inactive time of the key, we still have to
expect the signature.

(cherry picked from commit d9b6036e0f)
2026-04-07 08:32:58 +00:00
Matthijs Mekking
14be941e78 Add fast test case
This specific test case triggered a bug where the SKR included bundles
with unsigned DNSKEY RRsets (signatures were omitted because the
inception time was equal to the inactive time of the key).

(cherry picked from commit 784a441e2d)
2026-04-07 08:32:58 +00:00
Matthijs Mekking
ad45cdd383 Fix off by one error in dnssec-ksr sign
If the inception time of the signature is exactly equal to the
inactive time of the key, still include the signature. Otherwise there
may be corner cases where signatures are omitted erroneously.

(cherry picked from commit bc6dad585d)
2026-04-07 08:32:58 +00:00
Matthijs Mekking
6d89bfdf03 [9.20] chg: dev: Revert isdelegation() to return boolean value again
Closes #5838

Backport of MR !11792

Merge branch 'backport-5838-cid-645252-control-flow-issues-deadcode-in-validator-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11802
2026-04-07 08:23:57 +00:00
Matthijs Mekking
f58554d05a Rename isdelegation() to is_insecure_referral()
The name 'isdelegation()' was confusing. This function is not checking
whether this message is a delegation, but whether the denial of
existence proofs in this message is a proof of a referral to an
unsigned zone.

The name 'is_unsecure_referral()' is more appropriate.

(cherry picked from commit e0f09bb374)
2026-04-07 09:44:30 +02:00
Matthijs Mekking
bd852b1f97 Revert isdelegation() to return boolean value again
The isdelegation() was changed to return an isc_result_t because the
idea was to have a separate return value DNS_R_NSEC3ITERRANGE to signal
to the caller we could not verify the proof because of too many
iterations in the NSEC3 record, or perhaps ISC_R_UNEXPECTED for a more
generic cause that verification was not done.

But this would make error handling more fragile and all we care about
is whether we can reliably say the NS bit was not set.

If we can not reliably say so, we have to treat it as an insecure
referral.

Since the answer is either yes or no, we can revert back to returning
a boolean value.

(cherry picked from commit 3ac1bb1c39)
2026-04-07 09:44:19 +02:00
Aram Sargsyan
a48b287d9f [9.20] fix: usr: Fix a possible race condition during zone transfers
The :iscman:`named` process could terminate unexpectedly
when processing an IXFR message during a zone transfer.
This has been fixed.

Closes #5767

Backport of MR !11781

Merge branch 'backport-5767-use-after-free-xfrin_reset-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11799
2026-04-03 13:42:15 +00:00
Nicki Křížek
dcc78517be Rewrite xfer/ans11/ans.py to use AsyncDnsServer
Replace the hand-rolled threaded socket server with the standard
AsyncDnsServer framework used by other ans.py servers in the test suite.

The DNS wire-format message builders (IXFR diff, AXFR, SOA, SERVFAIL)
are retained unchanged since they produce carefully crafted messages
needed to trigger the IXFR->AXFR race condition. The server
infrastructure is replaced:

- Manual TCP/UDP socket management and threading replaced by
  AsyncDnsServer, which handles both protocols, pidfile lifecycle,
  and signal handling.
- Query parsing replaced by the framework's dns.message-based parser;
  query dispatch moved into IxfrRaceHandler.get_responses().
- The axfr_done_event threading.Event replaced by a boolean instance
  variable on IxfrRaceHandler, safe within the single asyncio event
  loop.
- For IXFR over TCP, the handler yields two BytesResponseSend actions
  (msg1 then msg2) so the framework sends both with TCP length prefixes,
  preserving the race-triggering sequence.
- For IXFR over UDP, the TC flag is set on the response to force TCP
  retry.
- Unused encode_name_compressed() and parse_dns_query() removed.

Also fix a timing issue that might result in the initial transfer not
being done by the time the test is executed -- since ns11 is started
after ns6. Ensure the initial transfer has happened before running the
ixfr_race test.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
(cherry picked from commit 187e571f4d)
2026-04-03 12:05:44 +00:00
Aram Sargsyan
913f290e75 Fix a race condition in xfrin_recv_done() when calling xfrin_reset()
When the xfrin_recv_done() function decides to retry the transfer
using AXFR because of a previous error, it calls the xfrin_reset()
function which calls dns_db_closeversion() on 'xfr->ver'. The problem
is that the ixfr processing of a previous message could be still
in process in a worker thread, which then can use freed 'xfr->ver'.

If there is an ongoing worker thread delay the AXFR retry until after
the worker thread has finished its work.

(cherry picked from commit 141ff7bfa7)
2026-04-03 12:05:44 +00:00
Aram Sargsyan
d1537583a7 Add a test to check for IXFR->AXFR race-condition
The test initiates a zone transfer with IXFR, which produces
a big amount of differences and then generates an error. The
secondary should be able to gracefully shutdown the ongoing
IXFR transfer and retry with AXFR without race conditions
between them.

This test checks for an issue (GL#5767) but since a race
condition is usually time-sensitive it might require several
attempts before it reproduces the issue.

(cherry picked from commit 5c248e7d1a)
2026-04-03 12:05:44 +00:00
Ondřej Surý
c830233fb7 [9.20] new: test: Add regression test for NSEC proof after unsigned-to-signed IXFR
Test that a secondary receiving an IXFR transitioning a zone from
unsigned to NSEC-signed returns the correct covering NSEC record
for empty non-terminal names.

Backport of MR !11786

Merge branch 'backport-ondrej/fix-nsec-ixfr-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11797
2026-04-03 07:16:29 +02:00
Ondřej Surý
1be03f3a10 Add regression test for NSEC proof after unsigned-to-signed IXFR
Test that a secondary receiving an IXFR transitioning a zone from
unsigned to NSEC-signed returns the correct covering NSEC record
for empty non-terminal names.

Add isctest.query.wait_for_serial() shared helper for waiting until
a server has a specific SOA serial.

(cherry picked from commit 8a4990d6ff)
2026-04-03 04:34:20 +00:00
Evan Hunt
097c14da45 [9.20] fix: usr: Use the zone file's basename as origin in DNSSEC tools
In `dnssec-signzone` and `dnssec-verify`, when the zone origin is not specified using the `-o` parameter, the default behavior is to try to sign using the zone's file name as the origin. So, for example, `dnssec-signzone -S example.com` will work, so long as the file name matches the zone name.

This now also works if the zone is in a different directory. For example, `dnssec-signzone -S zones/example.com` will set the origin value to `example.com`.

Closes #5678

Backport of MR !11360

Merge branch 'backport-5678-signzone-basename-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11784
2026-04-02 06:48:14 +00:00
Matthijs Mekking
52abfa3e07 Test dnssec tools using zone file basename as origin
Add test cases where dnssec-signzone and dnssec-verify use the
zone file's basename as the origin when '-o' is omitted.

(cherry picked from commit 1251ae896c)
2026-04-01 23:08:14 -07:00
Evan Hunt
96da856018 use the zone file's basename as origin in dnssec tools
In dnssec-signzone and dnssec-verify, if the zone origin is not
specified using the `-o` parameter, the default behavior is to try
to use the zone's file name as the origin. So, for example,
`dnssec-signzone -S example.com` or 'dnssec-verify example.com'
will work, so long as the file name matches the zone name.

This now also works if the zone is in a different directory.
For example, `dnssec-signzone -S zones/example.com` or
'dnssec-verify zones/example.com' will set the origin value
to `example.com`.

(cherry picked from commit b8cb65db93)
2026-04-01 20:48:09 +00:00
Michal Nowak
b370aacc2d Merge tag 'v9.20.22' into bind-9.20
2026-04-01 14:55:45 +00:00
Michal Nowak
e6099075cd Update BIND version for release
2026-03-31 18:31:08 +02:00
Michal Nowak
be696478c7 new: doc: Prepare documentation for BIND 9.20.22
This has been reverted.

Merge branch 'mnowak/prepare-documentation-for-bind-9.20.22' into 'v9.20.22-release'

See merge request isc-private/bind9!972
2026-03-31 18:24:44 +02:00
Michal Nowak
f497fdcbb9 Remove changelog for GL #5747
2026-03-31 18:05:04 +02:00
Nicki Křížek
b04dcddf6c [9.20] chg: nil: License test data files in REUSE.toml
In order to avoid the need to repeat the license header in named.conf
files and zone files, add the paths to REUSE.toml to assign the license.

Backport of MR !11766

Merge branch 'backport-nicki/reuse-cover-configs-and-zones-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11773
2026-03-31 17:57:42 +02:00
Michal Nowak
f27cdfd1c4 Remove release note for GL #5747
This has been reverted.
2026-03-31 17:46:18 +02:00