Commit graph

44267 commits

Author SHA1 Message Date
Nicki Křížek
4bd8622682 [9.20] chg: test: Add mixed DS test to dnssec_py
Rewrite dnssec_unsupported_ds/tests_mixed_ds.py as
dnssec_py/tests_mixed_ds.py using the isctest.zone helpers for zone
setup.

The test verifies that a zone whose DS RRset contains only an
unsupported algorithm DS and a bogus DS record is treated as insecure
by a validating resolver, resulting in SERVFAIL for queries to that
zone. The DS set for child.mixed-ds. is deliberately corrupted after
signing to contain a DS record with an unsupported algorithm (12) and
a DS record with an invalid digest, exercising the mixed-DS insecurity
proof path.

Assisted-by: Claude:claude-opus-4-8

Backport of MR !12206

Merge branch 'backport-nicki/pytest-dnssec-py-mixed-ds-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12213
2026-06-09 11:57:19 +02:00
Nicki Křížek
b9a5f63270 Add mixed DS test to dnssec_py
Rewrite dnssec_unsupported_ds/tests_mixed_ds.py as
dnssec_py/tests_mixed_ds.py using the isctest.zone helpers for zone
setup.

The test verifies that a zone whose DS RRset contains only an
unsupported algorithm DS and a bogus DS record is treated as insecure
by a validating resolver, resulting in SERVFAIL for queries to that
zone. The DS set for child.mixed-ds. is deliberately corrupted after
signing to contain a DS record with an unsupported algorithm (12) and
a DS record with an invalid digest, exercising the mixed-DS insecurity
proof path.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit cdafea5f12)
2026-06-09 09:11:19 +00:00
Ondřej Surý
ea91570492 [9.20] fix: usr: Reject unsupported RSA DNSKEY shapes during DNSSEC validation
An authoritative server publishing an RSA DNSKEY with an unusually
large modulus or an exotic public exponent could make each DNSSEC
signature check on a validating recursive resolver noticeably more
expensive than for a normally sized key.  Such DNSKEYs are now
treated as invalid.

Closes #6008

Backport of MR !12054

Merge branch 'backport-6008-reject-oversized-rsa-dnskeys-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12207
2026-06-08 23:02:06 +02:00
Ondřej Surý
78a7f7da4f
Enforce strict RSA DNSKEY shape during DNSSEC validation
A resolver that validated DNSSEC accepted RSA DNSKEYs of any modulus
size up to OpenSSL's compile-time ceiling, and accepted any public
exponent the wire format could carry.  RSA verification cost grows
sharply with the modulus length, so an authoritative server could
publish an oversized DNSKEY to make each signature check on the
resolver many times more expensive than for a normally sized key.

The intended verify-time cap had no effect because the helper it called
returned the public-exponent bit length rather than the modulus bit
length, so the test was always satisfied.  Replace it with an honest
modulus-range check and a stricter exponent check that accepts only odd
exponents in the closed range [3, 2^32 + 1] (covering every Fermat
prime up to F5 and the odd intermediate values seen in deployed keys),
reject anything outside those bounds at every RSA key load path so an
invalid key never reaches the verifier, and keep the same checks at the
verifier as a backstop against future load paths.

(cherry picked from commit 8b2c490811)
2026-06-08 20:54:22 +02:00
Ondřej Surý
350d9737d7 [9.20] fix: nil: Ignore explict memory ordering in lib/isc/rwlock.c
Backport of MR !12211

Merge branch 'backport-ondrej/update-checklibs.out-for-isc_rwlock-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12212
2026-06-08 19:48:11 +02:00
Ondřej Surý
b5f0c3a7a8 Ignore explict memory ordering in lib/isc/rwlock.c
(cherry picked from commit fbe8c85854)
2026-06-08 17:46:32 +00:00
Ondřej Surý
eff9a306d8 [9.20] fix: dev: Fix the memory ordering in the adaptive read-write lock
On hardware with a weak memory model, the internal read-write lock could
briefly admit a reader and a writer at the same time, risking sporadic
crashes or incorrect data. The reader/writer handshake now uses
sequentially consistent ordering so the two can no longer overlap.

Closes #6060

Backport of MR !12162

Merge branch 'backport-6060-rwlock-seq-cst-handshake-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12205
2026-06-08 19:05:16 +02:00
Ondřej Surý
14641573da Use sequentially consistent ordering in the adaptive rwlock handshake
The adaptive isc_rwlock (the modified C-RW-WP variant) synchronizes a
reader against a writer through a store-buffer handshake across two
independent atomic objects: the reader publishes its arrival in
readers_ingress and then reads writers_lock, while the writer publishes
its lock in writers_lock and then reads the reader indicator. With the
acquire/release ordering introduced by the 2021 simplification, neither
side is forced to observe the other's publish store before its own check
load, so on weak-memory targets a reader could see writers_lock unlocked
while the writer sees the indicator empty, and both would enter their
critical sections at once.

Restore the sequentially consistent ordering the original algorithm
specifies on the handshake atomics. The single total order over the
seq_cst operations is what forbids the overlap; targeting individual
fences is both more fragile and, on x86, more expensive. On x86 this
ordering is free (seq_cst loads remain plain loads and the RMWs remain
lock-prefixed); the added cost falls only on the weak-memory targets that
actually need it.

(cherry picked from commit b11bf7a45e)
2026-06-08 15:56:13 +00:00
Michal Nowak
e59aa01691 [9.20] fix: ci: Escape literal dots in branch-name match regexes
The backports and merged-metadata rules used unescaped dots in their
branch-name regexes, causing them to over-match. Escape the dots so the
patterns match the intended version branch names exactly.

Assisted-by: Claude:claude-opus-4-8

Backport of MR !12172

Merge branch 'backport-mnowak/ci-fix-regex-escaping-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12201
2026-06-08 15:40:35 +02:00
Michal Nowak
2a86ab44f4 Escape literal dots in branch-name match regexes
The backports and merged-metadata rules used unescaped dots in their
branch-name regexes, causing them to over-match. Escape the dots so the
patterns match the intended version branch names exactly.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 934cda2a7a)
2026-06-08 13:24:05 +00:00
Michal Nowak
d6a4aa5ce5 [9.20] fix: dev: Preserve the request message across async SIG(0) processing
For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send().  That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).

Copy the request message when entering async mode and reference the
copy, freeing it in ns__client_reset_cb().

Assisted-by: Claude:claude-opus-4-8

Closes #6139

Backport of MR !12189

Merge branch 'backport-6139-dnstap-sig0-request-buffer-uaf-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12200
2026-06-08 15:17:53 +02:00
Michal Nowak
62b971a1d6 Preserve the request buffer across async SIG(0) processing
For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send().  That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).

When the request is offloaded (ns_client_setup_view() returns
DNS_R_WAIT) and dnstap is enabled, copy the request buffer and point
client->inner.buffer at the copy so it survives the asynchronous hop;
free it in ns__client_reset_cb().  When dnstap is disabled there is no
async consumer of the buffer, so detach it from the receive buffer
instead.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit ddfe8a1bdc)
2026-06-08 13:13:27 +00:00
Nicki Křížek
c8ec396581 [9.20] new: test: pytest helpers for dnssec and zone setup
- Create `isctest.zone.Zone` helper for zone setup (including signing).
- Add `ZoneKey` helpers for both dnssec-keygen managed keys and python-based keys.
- Add `dnssec_py` shared test setup for DNSSEC tests.
- Add the first example - refactor `nsec3_delegations` into a `dnssec_py` test module.

Backport of MR !11807

Merge branch 'backport-nicki/pytest-dnssec-py-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12191
2026-06-05 12:00:48 +02:00
Nicki Křížek
aed978cad8 Add ZoneKey helpers for key operations in isctest.zone
Introduce an abstract ZoneKey base class with two concrete
implementations:

- FileZoneKey wraps a dnssec-keygen-managed key file (kasp.Key).
- PythonZoneKey holds a Python-native keypair for dnspython-based
  signing and key operations.

Both share ZoneKey.into_ta() and ZoneKey.is_ksk(). The ZoneKey
abstraction lets Zone.copy_dssets() and Zone.trust_anchors() handle
pure-Python keys without callers needing to know how the key was made.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit e11e2c9032)
2026-06-05 10:44:46 +02:00
Nicki Křížek
5a3d403a0b Add NSEC3 excessive iterations test to dnssec_py
Rewrite nsec3_delegation/tests_excessive_nsec3_iterations.py as
dnssec_py/tests_nsec3_iter_too_many.py using the isctest.zone helpers.

The test is a reproducer for CVE-2026-1519 [GL#5708]. It sets up a
delegation from nsec3-iter-too-many. (ns2) to an unsigned sub zone
(ns3), signing the parent with NSEC3 at 51 iterations. A validating
resolver (ns9) must use NSEC3 to prove the sub zone is insecure; the
excessive iteration count is logged as a warning. The test verifies that
the query still resolves successfully (insecure, not SERVFAIL) despite
the high iteration count.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit fc5116ed91)
2026-06-05 10:44:42 +02:00
Nicki Křížek
676e49546c Add dnssec_py system test directory
Add a new system test directory for DNSSEC tests written in Python,
using the isctest.zone helpers for zone setup rather than shell sign
scripts.

Set up four nameservers:
- ns1: authoritative for the signed root zone
- ns2: authoritative for test zones (primary)
- ns3: authoritative for additional test zones (typically delegations)
- ns9: validating resolver

Zone configuration for ns2 and ns3 is driven by the ``zones`` template
variable via _common/zones.conf.j2, so each test module's bootstrap()
controls which zones those servers load without touching named.conf.

Individual test modules will be added in subsequent commits.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7ff0321ffa)
2026-06-05 10:35:07 +02:00
Nicki Křížek
a80af4d216 Create zone setup helpers in isctest.zone
System tests that set up zones — especially DNSSEC tests — require a
chain of common operations: rendering zone files from templates,
generating keys, signing, and propagating DS records to parent zones.
Implement these as methods on isctest.zone.Zone so individual tests
don't need to repeat the logic in shell or ad-hoc Python.

isctest.zone.Zone is a plain class that holds the zone's data and
accumulated state (delegations, keys) alongside the methods that operate
on it. It is intentionally separate from isctest.template.Zone, which
remains a dumb data container for jinja2 template rendering.

Key design points:
- zone.Zone.name is the text form without trailing dot ("." for root);
  zone.Zone.dname holds the dns.name.Name for DNS-level operations;
  zone.Zone.basename is the filesystem-safe name ("root" for ".").
- filepath_unsigned / filepath_signed are both always available.
  filepath returns the appropriate one based on zone.Zone.signed.
- The zones/ subdirectory is the default (subdir="zones"); old-style
  tests that place zone files directly in the ns workdir can pass
  subdir=None.
- Signing is opt-in via signed=True; configure() auto-detects whether to
  generate keys and sign based on this flag, so the same method handles
  both signed and unsigned zones.
- delegations and keys are mutable list attributes; callers append to
  them before calling configure() rather than threading them through
  every call.

Also:
- Add isctest.template.zones() as a bridge from a list of zone.Zone to a
  {name: template.Zone} dict suitable for use as the ``zones`` template
  variable. template.zones() resolves filepath to the actual zone file
  so templates don't need to know whether a zone is signed.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7853dbac43)
2026-06-05 10:35:07 +02:00
Evan Hunt
416b0817d1 [9.20] fix: dev: Check dns_rdata_fromstruct() return values
In some functions implementing RFC 5011 key maintenance, the
results of `dns_rdata_fromstruct()` were not checked. This has been
fixed.

Closes #5982

Backport of MR !12017

Merge branch 'backport-5982-keyfetch-done-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12183
2026-06-04 17:36:18 +00:00
Evan Hunt
849aaacaae Add "warn_unused_result" to attributes.h
A new ISC_ATTR_WARN_UNUSED_RESULT macro now defines
__attribute__((warn_unused_result)) and is used for
dns_rdata_fromstruct().

(cherry picked from commit 07c8c1d242)
2026-06-04 09:49:41 -07:00
Evan Hunt
65a3694f2a Check dns_rdata_fromstruct() return values
The in some functions implementing RFC 5011 key maintenance, the
results of dns_rdata_fromstruct() were not checked. This has been
fixed.

(cherry picked from commit 175d418e28)
2026-06-04 09:46:58 -07:00
Ondřej Surý
746d9bfd3a [9.20] fix: dev: Only update the global tid_count once
Skip updating the `tid_count` value on repeated calls to prevent ThreadSanitizer 'data race'.

Backport of MR !12186

Merge branch 'backport-ondrej/skip-repeated-tid_count-update-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12188
2026-06-04 13:27:52 +02:00
Ondřej Surý
1846bbbc31
Only update the global tid_count once
Normally, the tid_count is initialized only once at the beginning of the
application.  The only exception is the pattern in the unit test where
isc_loopmgr is repeatedly created and torn down and each creation of
isc_loopmgr_t calls isc__tid_initcount() with the previous value.

ThreadSanitizer sees that as write operation on unprotected memory are
reports this as data race even though the value has not really changed.

This has been fixed by skipping the tid_count value update on repeated
calls.

(cherry picked from commit a570e37c06)
2026-06-04 12:50:57 +02:00
Nicki Křížek
a1e824e26e chg: doc: Set up version for BIND 9.20.25
Merge branch 'nicki/set-up-version-for-bind-9.20.25' into 'bind-9.20'

See merge request isc-projects/bind9!12175
2026-06-03 17:15:13 +02:00
Nicki Křížek
3d785a3fee Update BIND version to 9.20.25-dev 2026-06-03 17:09:56 +02:00
Štěpán Balážik
6712048d7e [9.20] chg: test: Move requirement checks to pytest_configure hook
This leads to nicer logging if requirements aren't met.

Backport of MR !11551

Merge branch 'backport-stepan/dont-run-system-tests-without-requirements-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12105
2026-06-02 10:10:48 +00:00
Štěpán Balážik
91a273e9cd Move pytest requirements check to pytest_configure hook
Logging from a pytest hook looks better.

Reorder the check for presence of `featuretest` before `init_vars` to
produce more sensible errors.

(cherry picked from commit b31f058ad0)
2026-06-02 10:08:14 +00:00
Ondřej Surý
95274e9455 [9.20] fix: usr: Fix nxdomain-redirect combined with dns64
When a resolver was configured with both `nxdomain-redirect` and `dns64`
in the same view, an AAAA query for a nonexistent name could abort
`named`. The combination failed whenever the redirect zone held A
records but no AAAA records.  The server now serves the empty AAAA
response from the redirect zone as-is, instead of attempting DNS64
synthesis on top of it.

Closes #5789

Backport of MR !12059

Merge branch 'backport-5789-fix-nxdomain-redirect-dns64-assert-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12123
2026-06-02 09:48:28 +02:00
Ondřej Surý
c3f14d568c Skip DNS64 synthesis when answering a redirected response
redirect2() swaps qctx->db to the redirect zone before
query_nodata() runs. The DNS64 fallback there issues an A lookup
for the original query name, which is out of zone for the
redirect db, and the resulting query_notfound() trips
INSIST(!is_zone). The cached NCACHENXRRSET variant trips a
REQUIRE in dns_rdataset_first() on a disassociated rdataset.
The synth-from-dnssec entry reaches the same fallback via
query_coveringnsec(). Guarding the fallback with
!qctx->redirected leaves the nxdomain-redirect NXRRSET answer to
be served as-is.

(cherry picked from commit 4bfd18d08d)
2026-06-02 09:48:13 +02:00
Ondřej Surý
4fc5d25012 System test for nxdomain-redirect combined with dns64
An AAAA query for a non-existent name into a view that combines
nxdomain-redirect with dns64 used to abort named via the DNS64
fallback in query_nodata(). The new module exercises all three
documented entry paths into query_redirect(): the authoritative
NXDOMAIN path (ns7, tripping INSIST(!is_zone) in
query_notfound()), the recursive NCACHENXRRSET path (ns8,
tripping REQUIRE in dns_rdataset_first() on a disassociated
rdataset), and the synth-from-dnssec path (ns10 validating
against ns9's signed root, with a primer A query so the second
AAAA reaches query_redirect() via query_coveringnsec()). ns9
serves as a neutral upstream so the cached and synthesized
negatives land real NXRRSETs.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 739a067de8)
2026-06-02 09:48:13 +02:00
Michal Nowak
77fe5a3c9a [9.20] fix: test: Remove redundant Python 3.7 skip markers from system tests
Backport of MR !12087

Merge branch 'backport-mnowak/fix-system-test-skips-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12160
2026-06-01 21:17:49 +02:00
Michal Nowak
a17b677ece Remove redundant Python 3.7 skip markers from system tests
The test framework already requires Python 3.10+ (conftest.py raises
RuntimeError if version < 3.10), so skipif(sys.version_info < (3, 7))
can never trigger. Remove the dead markers and now-unused sys imports.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c41f63c82d)
2026-06-01 19:39:22 +02:00
Michal Nowak
09f9889ef6 [9.20] fix: dev: Fix wrong variable in named_server_sync() log message
named_server_sync() logged isc_result_totext(result) but returns
tresult. The loop accumulates errors into tresult, so result only
holds the last iteration's value. If the last view succeeded but an
earlier one failed, the log would incorrectly say "success".

Backport of MR !12090

Merge branch 'backport-mnowak/fix-server-sync-log-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12156
2026-06-01 17:44:44 +02:00
Michal Nowak
84f5610d4f Fix wrong variable in named_server_sync() log message
named_server_sync() logged isc_result_totext(result) but returns
tresult. The loop accumulates errors into tresult, so result only
holds the last iteration's value. If the last view succeeded but an
earlier one failed, the log would incorrectly say "success".

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 1b984b1f11)
2026-06-01 17:43:58 +02:00
Michal Nowak
1ad556d99d [9.20] fix: doc: Fix spelling typos in comments and code
Backport of MR !12089

Merge branch 'backport-mnowak/fix-spelling-typos-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12157
2026-06-01 17:40:55 +02:00
Michal Nowak
e7aab7f7d1 Fix spelling typos in comments and code
Assisted-by: Mistral Vibe:mistral-medium-3.5
Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 36fe37f6b4)
2026-06-01 15:04:31 +00:00
Michal Nowak
ae09ace7d9 [9.20] fix: test: Increase timeout for reload-based kasp signing checks
```
______________________________ test_kasp_default _______________________________
[gw0] freebsd15 -- Python 3.11.15 /usr/local/bin/python3.11
/home/ec2-user/builds/isc-private/bind9/bin/tests/system/kasp/tests_kasp.py:910: in test_kasp_default
    isctest.run.retry_with_timeout(update_is_signed, timeout=5)
/home/ec2-user/builds/isc-private/bind9/bin/tests/system/isctest/run.py:164: in retry_with_timeout
    assert False, msg
E   AssertionError: tests_kasp.test_kasp_default.<locals>.update_is_signed() timed out after 5 s
E   assert False
```

Backport of MR !12151

Merge branch 'backport-mnowak/kasp-default-update-is-signed-timeout-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12155
2026-06-01 16:49:01 +02:00
Michal Nowak
1b2d92be14 Increase timeout for reload-based kasp signing checks
After reloading an inline-signed zone from file, named must re-read it,
detect the deltas and generate RRSIGs before the answer is signed, which
can take longer than 5 seconds on a loaded CI host and cause spurious
update_is_signed() timeouts. Bump these reload-based checks to 10
seconds, matching cb_ixfr_is_signed.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit a2ccc04ae3)
2026-06-01 16:48:32 +02:00
Michal Nowak
840cf8e434 [9.20] fix: test: Bump edns-expire refresh timeout to 30 seconds
Rarely, RNDC fails to refresh the zone on FreeBSD in the default 10
seconds, causing test_edns_expire_refresh to fail with a TimeoutExpired
on the "rndc refresh edns-expire." call.  Give it more time, the same
way the reconfigure timeout was bumped in
test_reconfiguration_when_zone_transfer_is_in_the_middle_of_soa_query.

Assisted-by: Claude:claude-opus-4-8

Backport of MR !12152

Merge branch 'backport-mnowak/bump-edns-expire-refresh-rndc-timeout-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12153
2026-06-01 16:39:05 +02:00
Michal Nowak
4087efac0f Bump edns-expire refresh timeout to 30 seconds
Rarely, RNDC fails to refresh the zone on FreeBSD in the default 10
seconds, causing test_edns_expire_refresh to fail with a TimeoutExpired
on the "rndc refresh edns-expire." call.  Give it more time, the same
way the reconfigure timeout was bumped in
test_reconfiguration_when_zone_transfer_is_in_the_middle_of_soa_query.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit c93d68a36b)
2026-06-01 16:38:48 +02:00
Nicki Křížek
ecc8628acf [9.20] fix: test: Avoid rndc loadkeys race in checkds system test
Address a `checkds` test race condition.

Example failure:

```
________________ test_checkds[incomplete.yes.dspublish.ns2-4-5] ________________
[gw3] linux -- Python 3.13.5 /usr/bin/python3
/builds/isc-projects/bind9/bin/tests/system/checkds/tests_checkds.py:451: in test_checkds
    keystate_check(ns2, params.zone, params.expected_parent_state)
/builds/isc-projects/bind9/bin/tests/system/checkds/tests_checkds.py:183: in keystate_check
    assert val == 0
E   AssertionError: assert '20260528103555 (Thu May 28 10:35:55 2026)' == 0
```

https://gitlab.isc.org/isc-projects/bind9/-/jobs/7497509

Backport of MR !12138

Merge branch 'backport-nicki/fix-checkds-loadkeys-race-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12150
2026-06-01 16:25:32 +02:00
Nicki Křížek
a2a53931de Avoid rndc loadkeys race in checkds system test
The wait loop in test_checkds() called "rndc loadkeys" once per
second while polling ns9.log for expected parental-agent response
lines. Under load (notably the rbt CI job), responses to one query
batch could land after a subsequent loadkeys had already reset the
per-key DSPUBCOUNT counter in lib/dns/zone.c without cancelling the
in-flight requests. Stragglers from the earlier round then bumped the
new round's counter to parentalscnt and BIND finalized DSPublish for
zones where one parental-agent legitimately serves no DS, spuriously
failing the !DSPublish keystate assertion.

Trigger at most one loadkeys per test case and wait passively via
watch_log_from_start() / wait_for_all().  Watching from the start
of the log preserves the original implicit semantics for zones
whose DS state was already finalized by BIND's automatic checkds
polling at zone-load time -- the expected lines are already
present and the watcher returns immediately.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 02b6239489)
2026-06-01 15:48:46 +02:00
Alessio Podda
5d7f241fdf [9.20] fix: dev: Bound memory use during incoming zone transfers
During an incoming zone transfer, an optimization could let
the batch of pending records grow without bound for a large
zone, raising memory usage. It gave no measurable performance
benefit, so it has been removed.

Closes #5958

Backport of MR !12141

Merge branch 'backport-5958-no-name-boundary-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12142
2026-06-01 12:24:57 +00:00
Alessio Podda
2c998e4e00 Remove name boundary optimization
In MR !9740, we introduced an optimization that reduces memory usage
by processing rdatas in batches during AXFR.

The maximum batch size is 128, but the batch size was allowed to grow
beyond that limit if all rdatas in a batch were for the same name, as
that allows a more efficient optimization.

This optimization could theoretically allow the batch size arbitrarily
for a sufficient large zone transfer. Since synthetic tests don't show
any performance improvement from the optimization, this MR removes it.

(cherry picked from commit 7502e73333)
2026-06-01 13:49:55 +02:00
Ondřej Surý
1407f48670 [9.20] chg: usr: Fix a resolver stall on a CNAME response to a DS query
A validating resolver could stall for about twelve seconds and then return
SERVFAIL when an authoritative server answered a DS query with a CNAME. Such
responses are now rejected promptly, so the query fails fast instead of
hanging.

Closes #5878

Backport of MR !11867

Merge branch 'backport-5878-reject-cname-at-dnssec-types-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12147
2026-05-30 08:02:13 +02:00
Ondřej Surý
088d909188
Add a system test for CNAME answers to DNSSEC meta-type queries
Two authoritative zones drive the cases. 'example.' answers DNSKEY,
NSEC, NSEC3 and RRSIG queries with a CNAME: a direct recursive query for
one of these must not crash the resolver, and the validator's own DNSKEY
fetch for a signed name must fail as a broken trust chain and return
SERVFAIL promptly.

'secure.' is served faithfully but answers DS queries with an unsigned
CNAME -- the input that drove the validator's insecurity proof into a
self-join.  The resolver must return SERVFAIL within a couple of seconds
instead of stalling for twelve.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 358c55ffa2)
2026-05-30 06:13:58 +02:00
Ondřej Surý
9f98ac625a
Fail promptly on an RRSIG answer with no usable record
A query for an RRSIG is handled as a subset of ANY, so rctx_answer_any()
filters out records that do not match the queried type. When every
record was filtered out (an answer carrying only unrelated types), the
function still returned success with nothing cached, and the fetch then
waited for a validator that was never started until the backstop fetch
timer fired ~12s later. Treat an all-filtered answer as a broken
response, matching how non-meta types already reject a reply with no
usable record.

(cherry picked from commit 938b58a809)
2026-05-30 06:13:58 +02:00
Ondřej Surý
d8ec05c17f
Detect non-advancing alias chains in the validator
The resolver turned a CNAME response to an RRSIG or NSEC query into
FORMERR inside rctx_answer_cname().  That is redundant -- every caller
already copes with a DNS_R_CNAME or DNS_R_DNAME result -- and it is the
wrong layer, because the resolver cannot tell a legitimate alias from a
broken one.  Drop it; a CNAME for one of these types now flows back as
an ordinary alias.

The case that must be stopped lives in the validator.  While proving an
unsigned CNAME insecure, proveunsecure() fetches the DS for the CNAME's
own name; because fetches are shared, that fetch re-enters and stalls on
the in-flight fetch the validator is waiting for, deadlocking for about
twelve seconds (GL#5878).  Unlike the resolver, the validator knows it
is validating an alias, so check_chaining() now aborts a fetch whose
name matches the chaining rdataset's owner: it cannot advance the chain
and would only self-join.

(cherry picked from commit d0c6219d66)
2026-05-30 06:13:58 +02:00
Ondřej Surý
787faa02a7 [9.20] fix: dev: Refine resolver fetch loop detection
The resolver's fetch loop detection now triggers only when a new
fetch would join an already in-flight fetch that is also one of
its own ancestors, which is the actual loop condition.  Previously
the check ran against the original request before the fetch was
set up.

Backport of MR !12145

Merge branch 'backport-ondrej/improve-resolver-loop-detection-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12146
2026-05-30 05:58:58 +02:00
Ondřej Surý
c479706872
Detect resolver fetch loops only when joining an in-flight fetch
dns_resolver_createfetch() guarded against fetch loops by comparing the
raw request name/type/domain before any fetch context existed. Move the
check after the context is obtained and run it against the context
itself, and only when we joined an already in-flight context
(!new_fctx) that is also an ancestor in the parent chain. That is the
real loop condition: the new fetch would block waiting on a fetch that
is itself waiting on us. A newly created context waits on nothing, so it
proceeds, bounded by the fetch depth limit and the complementary ADB
loop detection.

(cherry picked from commit 0e04671b65)
2026-05-29 21:34:10 +02:00
Michal Nowak
1efa52a3f0 [9.20] fix: test: Fix pytest-xdist loadscope splitting on "::" in params
LoadScopeScheduling._split_scope() uses rsplit("::", 1) to
extract the test file scope from a node ID.  When parametrized
test values contain "::" (IPv6 addresses like "cafe:cafe::cafe"
or "::1"), the split lands inside the parameter instead of at
the .py:: boundary.  This creates spurious scopes that get
assigned to different workers, each triggering a full fixture
setup (starting named instances).

Override _split_scope() in conftest.py to split on ".py::"
which is unambiguous.

Six tests in synthrecord/tests_synthrecord.py are affected.
A verification script is included in util/.

Assisted-by: Claude:claude-opus-4-7

Backport of MR !12103

Merge branch 'backport-mnowak/fix-xdist-loadscope-split-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12137
2026-05-28 18:49:04 +02:00