Commit graph

45593 commits

Author SHA1 Message Date
Matthijs Mekking
4ee526cb6d Add serve-stale test case for CNAME to A
Add a serve-stale system test case where the authority changes a
CNAME RRset to A (at cname2.stale.test). The CNAME that is in the
cache is stale and should be refreshed. The target A record (at
a2.stale.test) has a longer TTL and is also still in the cache. The
next query should return the refreshed A RRset to the client.

Then the authority changes back the A RRset to CNAME. The A RRset
has become stale and should be refreshed. The next query should
return the refreshed CNAME RRset plus the already cached
a2.stale.test A record.

This test requires ns1 to allow dynamic updates to stale.test, and
prefetch to be disabled. The latter is to ensure the record is not
prefetched, but only refreshed when stale (and logs the expected
"an attempt to refresh the RRset" messages).
2026-05-17 08:42:05 +00:00
Matthijs Mekking
c95128ed47 Remove duplicate check in serve-stale test 2026-05-17 08:42:05 +00:00
Ondřej Surý
abe0369436 fix: nil: More changes to PR-Agent CI job
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
Merge branch 'ondrej/use-claude-opus-4-6' into 'main'

See merge request isc-projects/bind9!12037
2026-05-17 00:04:49 +02:00
Ondřej Surý
ee5e933933
Add both Claude 4.6 and ChatGPT in two separate job pipelines 2026-05-16 22:26:05 +02:00
Ondřej Surý
dae0820f80
Allow failure to not block pipelines for the PR-Agent CI job 2026-05-16 17:53:20 +02:00
Ondřej Surý
99194aec84
Change the PR-Agent configuration to use Claude 4.6 2026-05-16 17:50:42 +02:00
Ondřej Surý
a44b91eae1 fix: nil: Properly use other_checks_jobs template for pr-agent CI job
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
Merge branch 'ondrej/pr-agent-other-check' into 'main'

See merge request isc-projects/bind9!12035
2026-05-16 13:29:30 +02:00
Ondřej Surý
5550fb84ae
Properly use other_checks_jobs template for pr-agent CI job 2026-05-16 13:22:45 +02:00
Ondřej Surý
be727bd5e2 fix: dev: Run PR-Agent only when manually triggered
Merge branch 'ondrej/run-pr-agent-only-manually' into 'main'

See merge request isc-projects/bind9!12033
2026-05-16 12:50:19 +02:00
Ondřej Surý
4257454262
Run PR-Agent only when manually triggered 2026-05-16 12:49:54 +02:00
Ondřej Surý
9755fb6455 new: dev: Enable PR-Agent reviews on merge requests
Adds a CI job that runs PR-Agent against each merge request opened
from the canonical repository, posting an automated review and
code-improvement suggestions as MR comments. The job is gated to
same-project source branches so the OpenAI key and personal access
token are not exposed to fork pipelines.

Merge branch 'ondrej/add-pr-agent' into 'main'

See merge request isc-projects/bind9!12032
2026-05-16 12:30:01 +02:00
Ondřej Surý
07345b25d9
Add PR-Agent job to GitLab CI for merge-request review
Run PR-Agent's `review` and `improve` commands against each merge
request from the canonical repository, posting an automated review
and code-improvement suggestions as MR comments. The rule restricts
the job to MRs whose source project matches CI_PROJECT_PATH so the
OpenAI key and GitLab personal access token are never exposed to
fork pipelines.
2026-05-16 12:14:33 +02:00
Ondřej Surý
fce9f32367 chg: dev: Allow any valid DNS name as a TSIG/RNDC key name
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
The key-generation tools (tsig-keygen, rndc-confgen) now accept any valid DNS name for key names.

Merge branch 'ondrej/allow-all-valid-keynames' into 'main'

See merge request isc-projects/bind9!12029
2026-05-15 11:00:31 +02:00
Ondřej Surý
85f854b076 Allow any valid DNS name as a key name
TSIG key names need to be any valid DNS name so that update-policy
"self" rules work with arbitrary names.  Replace the
alnum+'.'+'-'+'_' charset filter in the key-generation tools with a
dns_name_fromstring() validity check.
2026-05-15 10:14:46 +02:00
Ondřej Surý
c708d694fe chg: dev: Use SipHash-1-3 for hash tables, keep SipHash-2-4 for cookies
SipHash-2-4 was designed as a conservative PRF/MAC with extra rounds
against future attacks.  For hash tables, where outputs are never
exposed, SipHash-1-3 provides sufficient collision resistance with
fewer rounds.  As the SipHash author noted: "I would be very surprised
if SipHash-1-3 introduced weaknesses for hash tables."

DNS cookies continue to use SipHash-2-4 since cookie values are sent
on the wire and must resist online attacks.

Merge branch 'ondrej/siphash-1-3' into 'main'

See merge request isc-projects/bind9!11787
2026-05-15 09:33:09 +02:00
Ondřej Surý
6175577210
Use SipHash-1-3 for hash tables, keep SipHash-2-4 for cookies
SipHash-2-4 was designed as a conservative PRF/MAC with extra rounds
against future attacks.  For hash tables, where outputs are never
exposed, SipHash-1-3 provides sufficient collision resistance with
fewer rounds.  As the SipHash author noted: "I would be very surprised
if SipHash-1-3 introduced weaknesses for hash tables."

DNS cookies continue to use SipHash-2-4 since cookie values are sent
on the wire and must resist online attacks.
2026-05-15 08:15:59 +02:00
Ondřej Surý
62f1672609 fix: test: Fix flaky reclimit test
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
The max-types-per-name cache eviction tests were flaky because two test steps were missing a sleep between queries, causing TTL-based cache verification to fail when both queries completed within the same second.

Merge branch 'ondrej/fix-flaky-reclimit' into 'main'

See merge request isc-projects/bind9!11782
2026-05-15 08:03:16 +02:00
Ondřej Surý
80f04a9ee5
Fix flaky reclimit test by adding missing sleep
The cache verification in steps 11 and 15 checks that the TTL has
decreased from its initial value to confirm the response was served
from cache, but the sleep between the two queries was missing. Both
queries could complete within the same second, leaving the TTL
unchanged and causing the test to incorrectly conclude the entry was
not cached.
2026-05-15 08:02:56 +02:00
Ondřej Surý
c7b53348fc chg: dev: Skip in-domain nameservers that have no glue
A referral that names a nameserver inside the delegated zone but
provides no address for it leaves the resolver unable to reach that
server. named now logs "missing mandatory glue for <name>" at notice
level and skips the nameserver.

Merge branch 'ondrej/dont-store-missing-in-domain-glue-ns' into 'main'

See merge request isc-projects/bind9!11971
2026-05-15 07:48:26 +02:00
Ondřej Surý
28483b3b73
Drop in-domain NS without glue from the delegation set
Pull the dns_message_findname() lookups into cache_delegglue() and
cache_delegglue6() so each helper now owns its glue lookup and returns
the number of addresses cached.  cache_delegns() splits referrals into
two cases: in-domain (the NS name is below the delegation point) and
sibling/in-bailiwick.

An in-domain NS without glue is unresolvable by definition - the
resolver would have to ask the very server it's trying to find.  Log
"missing mandatory glue" at notice level and skip the deleg entirely
rather than leaving an unusable entry in the set.  A new
dns_delegset_freedeleg() undoes a fresh dns_delegset_allocdeleg() so
the rest of the delegation set is preserved.
2026-05-15 07:26:38 +02:00
Ondřej Surý
ef405bfa6d chg: usr: Fall back to TCP on a UDP response with a mismatched query id
BIND used to wait silently for the correct DNS message id on a UDP fetch
even after receiving a response from the expected server with the wrong
id, leaving room for off-path spoofing attempts to keep guessing within
that window.  The resolver now retries the fetch over TCP on the first
such response, and a new MismatchTCP statistics counter tracks how
often the fallback fires.

Closes #5449

Merge branch '5449-immediate-tcp-fallback-on-id-mismatch' into 'main'

See merge request isc-projects/bind9!12023
2026-05-15 06:57:00 +02:00
Ondřej Surý
11bca1051f
Switch UDP fetches to TCP on the first response with a wrong query id
Until now, the dispatcher silently dropped UDP responses from the
expected peer that carried the wrong DNS message id and kept listening
for the correct id to arrive within the read timeout.  An off-path
attacker who knows the destination address and source port of an
outgoing fetch could exploit that quiet retry window to flood the
resolver with guessed responses; with a gigabit link the per-query
success probability grows linearly with the number of guesses that
arrive before the legitimate answer or the timeout.

Treat any such mismatch as a possible spoofing attempt and let the
resolver immediately retry the same query over TCP, the same control
path the truncation handler already uses.

Add a resolver statistics counter - exposed as 'queries retried over TCP
after a response with mismatched query id' in rndc stats and
'MismatchTCP' in the statistics channel

Assisted-by: Claude:claude-opus-4-7
2026-05-14 15:56:18 +02:00
Ondřej Surý
29f0b07e8c fix: dev: Fix data race during rndc dumpdb or zone load
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
'rndc dumpdb' against a server with zones, and async zone load,
had a timing window where the operation's completion could fire
before the server had finished registering the operation,
occasionally leading to a possible crash.  The completion is now
delivered after the registration is in place.

Closes #5952

Merge branch '5952-fix-masterdump-async-ctx-race' into 'main'

See merge request isc-projects/bind9!11991
2026-05-14 08:52:58 +02:00
Ondřej Surý
8ae464d552
Fix data race in async master dump/load context publication
Bouncing the offload itself to the target loop let the after-work
callback fire on the target thread and run the user's done callback
before the calling thread had published *dctxp / *lctxp.  Enqueue on
the calling loop and bounce only the done callback instead, so the
publish is sequenced before the cross-thread hand-off by construction
and cannot be reintroduced by reordering the entry-point body.
2026-05-14 08:51:39 +02:00
Mark Andrews
2091d703ac fix: usr: Disable output escaping in bind9.xsl
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
The statistics charts where not displaying on some browsers.
This has been fixed.

Closes #5990

Merge branch '5990-disable-output-escaping-in-bind9-xsl' into 'main'

See merge request isc-projects/bind9!12018
2026-05-14 12:06:41 +10:00
Mark Andrews
9b6c018425 Disable output escaping in bind9.xsl
The statistics charts where not displaying on some browsers (e.g. Chrome)
due to '>' being escaped as '&gt;'.  Use disable-output-escaping="yes" to
turn this off.
2026-05-14 10:00:21 +10:00
Colin Vidal
b4e8e431eb fix: test: Fix cyclic glues (again)
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
Previous fix `ed90d578b3a98f45eb8bc09966e9c4ab870a156d` uses
`wait_for_line()` by mistake, and the test aims to wait for two log
lines to be printed before continuing.

In principle, `wait_for_all()` should do, but `running` should always be
printed first, so `wait_for_sequence()` seems to be the right fit here.

Merge branch 'colin/fix-cyclic-glues-again' into 'main'

See merge request isc-projects/bind9!12013
2026-05-13 22:31:32 +02:00
Colin Vidal
5655fa9183 Fix cyclic glues (again)
Previous fix `ed90d578b3a98f45eb8bc09966e9c4ab870a156d` uses
`wait_for_line()` by mistake as the test aims to wait for two log lines
to be printed before continuing (and not continuing as soon as one of
them is printed).

Instead, `wait_for_all()` is used since the order between the two
expected log line is not guaranteed.
2026-05-13 22:27:05 +02:00
Michal Nowak
d8e196a76a fix: ci: Don't forward parent yaml variables to stress child pipelines
The global RUNNER_SCRIPT_TIMEOUT: 55m in the parent pipeline was being
forwarded to the stress and tsan:stress child pipelines, where forwarded
yaml variables outrank job-level variables. That caused stress jobs with
BIND_STRESS_TESTS_RUN_TIME >= 60 to be killed at 55 minutes, regardless
of the per-job RUNNER_SCRIPT_TIMEOUT set in the generated child config.

Set forward:yaml_variables: false on both trigger jobs; the generated
configs already declare every variable they need.

Assisted-by: Claude:claude-opus-4-7

Merge branch 'mnowak/fix-stress-test-script-timeout' into 'main'

See merge request isc-projects/bind9!12012
2026-05-13 18:41:42 +02:00
Michal Nowak
73915b73d1 Selectively inherit yaml vars in stress trigger jobs
The parent's global RUNNER_SCRIPT_TIMEOUT: 55m was reaching the stress
and tsan:stress child pipelines via inherited yaml variables, where
inherited values outrank the child's job-level variables. That caused
stress jobs with BIND_STRESS_TESTS_RUN_TIME >= 60 to be killed at 55
minutes, regardless of the per-job RUNNER_SCRIPT_TIMEOUT set in the
generated child config.

Use inherit:variables with a positive list on both trigger jobs:
inherit only CI_REGISTRY_IMAGE so the parent's registry override
(needed for image pulls in the child) flows through, while keeping
RUNNER_SCRIPT_TIMEOUT (and other globals) out of the child pipeline's
variable scope. The per-job RUNNER_SCRIPT_TIMEOUT values set by the
generated child config now take effect.

Assisted-by: Claude:claude-opus-4-7
2026-05-13 17:38:55 +02:00
Michal Nowak
d9e1308363 chg: ci: Set RUNNER_SCRIPT_TIMEOUTs
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
Merge branch 'mnowak/set-script-timeouts' into 'main'

See merge request isc-projects/bind9!11750
2026-05-12 18:04:29 +02:00
Michal Nowak
7928127d8b Get some useful data out of respdiff even in case of a failure
Assisted-by: Claude:claude-opus-4-7
2026-05-12 17:24:15 +02:00
Michal Nowak
4f410ee1e6 Pass -r option to respdiff.sh
Tell respdiff.sh where to find the respdiff Python tools (msgdiff.py,
diffsum.py, ...) so the in-tree copy from bind9-qa is used.

Assisted-by: Claude:claude-opus-4-7
2026-05-12 17:24:15 +02:00
Michal Nowak
e3d2f5ad94 Set RUNNER_SCRIPT_TIMEOUTs
Sometimes jobs can get stuck and be terminated by GitLab, leaving us
without artefacts that could contain useful information about why the
job got stuck.

Assisted-by: Claude:claude-opus-4-7
2026-05-12 17:24:15 +02:00
Colin Vidal
ed90d578b3 fix: test: Fix cyclic_glue system test
The cyclic_glue system test was waiting for `running` log after
an `rndc reload` command, but wasn't waiting for the log saying a
specific zone which changed has been reloaded `zone <zone>/IN: loaded`.

As a result, the test could randomly fails. This is now fixed.

Closes #5953

Merge branch '5953-fix-cyclic-glue-test' into 'main'

See merge request isc-projects/bind9!12003
2026-05-12 16:42:43 +02:00
Colin Vidal
591317efd7 Fix cyclic_glue system test
The cyclic_glue system test was waiting for `running` log after
an `rndc reload` command, but wasn't waiting for the log saying a
specific zone which changed has been reloaded `zone <zone>/IN: loaded`.

As a result, the test could randomly fails. This is now fixed.
2026-05-12 16:42:31 +02:00
Ondřej Surý
8c4e7d533e chg: usr: Cap glue records cached from a referral
named cached every glue record from a referral, retaining far more
than resolution will ever use.  The number of nameservers and
addresses kept per referral is now bounded in the delegation database.

Closes #5701

Merge branch '5701-limit-the-number-of-GLUE-records' into 'main'

See merge request isc-projects/bind9!11970
2026-05-12 16:17:59 +02:00
Ondřej Surý
ea00ea92fb
Cap glue records cached from a referral
The resolver populated the delegation database with every NS RR and
every glue address from a referral, with no aggregate bound.  Resolution
only ever uses the first max-delegation-servers NS owners and a handful
of addresses per NS, so anything beyond that is dead memory.

Stop the NS loop in cache_delegns() at view->max_delegation_servers and
cap each glue rdataset at DELEG_MAX_GLUES_PER_NS (20) addresses, so each
NS owner contributes at most 20 A and 20 AAAA glues.
2026-05-12 16:17:24 +02:00
Michal Nowak
729a145789 new: ci: Add Ubuntu 26.04 Resolute Raccoon
Some checks are pending
CodeQL / Analyze (push) Waiting to run
SonarCloud / Build and analyze (push) Waiting to run
Merge branch 'mnowak/ubuntu-26.04-resolute-raccoon' into 'main'

See merge request isc-projects/bind9!11812
2026-05-11 18:36:17 +02:00
Michal Nowak
9978393c36
Do not run Noble Numbat unit test job in MRs 2026-05-11 17:56:34 +02:00
Michal Nowak
14457ec326
Add Ubuntu 26.04 Resolute Raccoon 2026-05-11 17:56:34 +02:00
Michał Kępień
b986bab60a chg: ci: Add commit link and diff to RPM build job logs
The output of update_rpms.py is terse, making it difficult to verify its
actions.  Add a commit link and "git show" output to the log of every CI
job running the update_rpms.py script in "build" mode to facilitate
double-checking its actions.

Merge branch 'michal/add-commit-link-and-diff-to-rpm-build-job-logs' into 'main'

See merge request isc-projects/bind9!11828
2026-05-11 17:43:55 +02:00
Michał Kępień
6d51073f22
Add commit link and diff to RPM build job logs
The output of update_rpms.py is terse, making it difficult to verify its
actions.  Add a commit link and "git show" output to the log of every CI
job running the update_rpms.py script in "build" mode to facilitate
double-checking its actions.
2026-05-11 17:41:50 +02:00
Michał Kępień
e5bbed78b1 fix: ci: Increase GIT_DEPTH for the "assign-milestones" job
Cloning tags with the default GIT_DEPTH of 1 prevents the milestone
assignment script from identifying any merge requests that are included
in a given release.  Fix by increasing GIT_DEPTH to an arbitrary value
that is high enough for practical purposes.

The GIT_DEPTH CI variable defaults to 1 for all jobs through the
top-level "variables" key.  Explicitly setting it to 1 in job
definitions is unnecessary and may cause confusion.  Remove these
redundant assignments.

Merge branch 'michal/fix-assign-milestones-job' into 'main'

See merge request isc-projects/bind9!11996
2026-05-11 16:23:16 +02:00
Michał Kępień
703ad9a6de
Remove redundant "GIT_DEPTH: 1" assignments
The GIT_DEPTH CI variable defaults to 1 for all jobs through the
top-level "variables" key.  Explicitly setting it to 1 in job
definitions is unnecessary and may cause confusion.  Remove these
redundant assignments.
2026-05-11 16:07:47 +02:00
Michał Kępień
bac4a57759
Increase GIT_DEPTH for the "assign-milestones" job
Cloning tags with the default GIT_DEPTH of 1 prevents the milestone
assignment script from identifying any merge requests that are included
in a given release.  Fix by increasing GIT_DEPTH to an arbitrary value
that is high enough for practical purposes.
2026-05-11 16:07:47 +02:00
Michal Nowak
15854d4a85 new: test: Add isctest.transfer.transfer_message() helper and convert tests
Add a new helper function, `isctest.transfer.transfer_message()`, to
`bin/tests/system/isctest/transfer.py` that generates the log message
produced by `xfrin_log()` in `lib/dns/xfrin.c` for an incoming zone
transfer:

    transfer of '<zone>/IN' from <source_ns>#<port>: <msg>

The explicit use of `port` matches current shell system usage.

Interface
---------
    transfer_message(zone, source_ns, msg, port=None)

-  zone      - zone name without class (e.g. "example.com")
-  source_ns - IP string, or None to wildcard the source address
-  msg       - the transfer-level message
              (e.g. "Transfer status: success")
-  port      - integer source port, or None to wildcard the port number

When both source_ns and port are concrete values a plain str is returned
and `wait_for_line()` treats it as a literal substring match.  Whenever
either is `None` a compiled `re.Pattern` is returned, with the unknown part
replaced by a constrained wildcard:

-  source_ns=None, port=None      -> from .*#[0-9]+:
-  source_ns=None, port=53        -> from .*#53:
-  source_ns="1.2.3.4", port=None -> from 1.2.3.4#[0-9]+:
-  source_ns="1.2.3.4", port=N   -> "from 1.2.3.4#N:"  (plain str)

The port wildcard is [0-9]+ (not .*) because a port is always numeric.

Convert all hard-coded transfer log patterns in the Python system tests
to use transfer_message().

Notable cases:
- `mirror_root_zone`: source_ns=None (live internet, any root server),
  port=53.
- `cipher_suites`: source_ns="10.53.0.1", port=None (each zone transfers
  over a different TLS port).
- `test_under_signed_transfer`: parametrize gains a boolean xfrin_msg
  flag to distinguish messages that go through xfrin_log() from
  lower-level TSIG errors that do not.

Testing
-------
All system tests pass under `pytest -n auto`. The `mirror_root_zone`
live-internet test was also verified separately with
`CI_ENABLE_LIVE_INTERNET_TESTS=1`.

LLM usage
---------
This commit was produced in an interactive session with Claude Code
(Claude Sonnet 4.6), guided step by step by a human reviewer.

Closes #5735

Merge branch '5735-make-transfer-message-formatter' into 'main'

See merge request isc-projects/bind9!11796
2026-05-11 15:34:30 +02:00
Michal Nowak
27ee27d4e3
Add isctest.transfer.transfer_message() helper and convert tests
Add a new helper function, isctest.transfer.transfer_message(), to
bin/tests/system/isctest/transfer.py that generates the log message
produced by xfrin_log() in lib/dns/xfrin.c for an incoming zone
transfer:

    transfer of '<zone>/IN' from <source_ns>#<port>: <msg>

The helper always returns a compiled re.Pattern.  source_ns and port
each accept None to match any source address / port.  msg accepts
either a plain str (regex-escaped automatically) or a compiled
re.Pattern (spliced into the regex as-is), so callers that need regex
syntax in the message part can pass Re(r"...") without having to
wrap the whole result.

source_ns is passed through re.escape() when provided, so dots in
IPv4 addresses (e.g. "10.53.0.1") match a literal dot rather than
any character.

Convert the existing call sites across the system tests to use the
new helper.

Co-Authored-By: Nicki Křížek <nicki@isc.org>
Assisted-by: Claude:claude-sonnet-4-6
Assisted-by: Claude:claude-opus-4-7
2026-05-11 15:31:41 +02:00
Alessio Podda
f65c5b0ab6 chg: dev: Make dns_glue_t private to qpzone
The dns_glue struct currently contains four dns_rdataset structs to hold
the glue. These structs are over 100 bytes each because they need to be
able to hold data for multiple types of databases.

Since the dns_glue_t type is only used by qpzone, we can instead hold pointers
to the vecheaders directly, and only bind the vecheaders to the
rdatasets when adding the glue to the message.

This leads to a 33% memory reduction in some authoritative benchmarks.

Merge branch 'alessio/glue-ozempic' into 'main'

See merge request isc-projects/bind9!11801
2026-05-11 12:52:17 +00:00
Alessio Podda
ffbab8ce23 Clean up comments
A comment was still referencing the rdataset attribute, now it has been
fixed.
2026-05-11 10:28:20 +02:00