Commit graph

43542 commits

Author SHA1 Message Date
Štěpán Balážik
596cdfb75d Don't overwrite JUnit file generated by pytest in post-processing
When both input and output files are the same, it creates unnecesary
troubles in debugging issues with the JUnit files.

Keep the Pytest-generated file in the artifacts and output the checked
version as a new file.

(cherry picked from commit 1a85a27f54)
2026-01-07 18:26:41 +01:00
Štěpán Balážik
5baddb2c23 Use git_clone_bind9-qa anchor in .system_test_common
This was missed in abecddb13a.

(cherry picked from commit af809329b3)
2026-01-07 18:26:41 +01:00
Štěpán Balážik
ba9b80de32 [9.20] chg: ci: Replace the check_for_junit_xml anchor with a Python script
~~Where applicable, use the more detailed CMocka generated JUnit
reports which include subtest results and timings instead of the
one generated by Meson.~~

Prerequisites:
- bind9-qa!137

~~Closes #5511~~

Partial backport of MR !11100

Merge branch 'backport-5511-cmocka-junit-ouput-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11433
2026-01-07 17:08:50 +00:00
Štěpán Balážik
e2d389b60a Replace check_for_junit_xml anchor with a Python script
This allows checking of multiple files with variable filenames rather
than insisting on harcoded `junit.xml`.

(cherry picked from commit abecddb13a)
2026-01-07 17:29:53 +01:00
Štěpán Balážik
ccc2008d1f Check the validity of cross-version-config-test's XML output
This was overlooked before.

(cherry picked from commit 5528ed7a5b)
2026-01-07 17:20:02 +01:00
Štěpán Balážik
e0aed1db4d Factor the cloning of the QA repo into an anchor
The unusual hyphen in the anchor name is used for symmetry with the
bind9-qa repo and directory name.

(cherry picked from commit c3f5db6dbc)
2026-01-07 17:19:06 +01:00
Nicki Křížek
bb9234c6ce [9.20] chg: dev: Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.

Closes #5699

Backport of MR !11412

Merge branch 'backport-5699-support-cmocka-2.0.0-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11437
2026-01-07 13:09:19 +01:00
Nicki Křížek
0a09df0b7a Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.

(cherry picked from commit 6843a4bd9a)
2026-01-07 11:17:42 +01:00
Michal Nowak
c967fa58c2 [9.20] new: ci: Add FreeBSD 15.0
Backport of MR !11320

Merge branch 'backport-mnowak/freebsd-15.0-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11435
2026-01-06 23:26:23 +01:00
Michal Nowak
e21d1086a8
Disable DoH on FreeBSD 15.0 2026-01-06 22:48:21 +01:00
Michal Nowak
c00d48cf60
Inline FreeBSD jobs from anchors
Although markup extraction to anchors makes FreeBSD jobs cleaner, it
prevents job customization, say, enabling or disabling a build option.

(cherry picked from commit 636a617f66)
2026-01-06 22:48:02 +01:00
Michal Nowak
d77b8be2b1
Add ans10 blackhole server to xfer system test
On FreeBSD 15.0, sending requests to non-existent address produces
unexpected results. Add a blackhole server instead.

(cherry picked from commit b4c0408d81)
2026-01-06 22:47:47 +01:00
Michal Nowak
0a55f28bc8
Add FreeBSD 15.0
(cherry picked from commit 282f87461b)
2026-01-06 22:47:09 +01:00
Nicki Křížek
04b4ff606d [9.20] [CVE-2025-8677] sec: test: Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.

Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.

Closes #5343

Backport of MR !11425

Merge branch 'backport-5343-count-invalid-keys-into-validation-fails-test-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11427
2026-01-05 15:41:19 +01:00
Nicki Křížek
ccfe50a9b1 Test zone with truncated revoked DNSKEY
Ensure that named can handle a situation where the zone is signed with a
truncated, self-signed revoked DNSKEY. The signatures are inevitably
bogus and a SERVFAIL is expected. However, prior to CVE-2025-8677 fix,
this could trigger an assertion failure.

(cherry picked from commit 0ddfa108a7)
2026-01-05 15:02:51 +01:00
Nicki Křížek
024d67eca9 Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.

Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.

(cherry picked from commit 1a2e46d364)
2026-01-05 15:02:51 +01:00
Štěpán Balážik
9e7ad999f4 [9.20] fix: test: Set default_aa on AsyncDnsServer to False by default
In !11179 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.

Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.

This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).

Backport of MR !11419

Merge branch 'backport-stepan/set-asyncdnsserver-dafault-aa-to-false-by-default-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11426
2026-01-05 13:46:17 +00:00
Štěpán Balážik
6e2fbe7081 Set default_aa on AsyncDnsServer to False by default
In 6e684d44 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.

Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.

This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).

(cherry picked from commit dc58c73264)
2026-01-05 13:05:08 +00:00
Ondřej Surý
40e46b5a1d [9.20] fix: nil: Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
                 from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
  141 |         off_t maximum_size;
      |         ^~~~~

This is due to missing include unistd.h, so let's add it on top of
isc/log.h

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>

Backport of MR !11422

Merge branch 'backport-fix/uclibc-off_t-main-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11423
2026-01-05 03:09:11 +01:00
Giulio Benetti
ad25f0c514 Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
                 from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
  141 |         off_t maximum_size;
      |         ^~~~~

This is due to missing include unistd.h, so let's add it on top of
isc/log.h

Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
(cherry picked from commit 0e43f62c12)
2026-01-04 20:47:47 +00:00
Matthijs Mekking
51ad47975a [9.20] fix: test: Fix intermittent test failure in rollover-zsk-prepub
Revert the wait for log change for the rollover-zsk-prepub test.

Closes #5692

Backport of MR !11413

Merge branch 'backport-5692-rollover-zsk-prepub-step3-intermittent-test-fail-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11416
2026-01-02 08:54:36 +00:00
Matthijs Mekking
056d73dd08 Wait for "sending notifies" for step3.zsk-prepub
Commit c17ac42608 changed some tests to
wait for "zone_needdump" messages instead of "sending notifies", because
notifies are rate limited and "zone_needdump" happen on every change.

However, inspecting the logs, the "zone_needdump" changes happen more
than once (likely because the re-signing is done in batches):

    received control channel command 'sign step3.zsk-prepub.manual'
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
    zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
    zone step3.zsk-prepub.manual/IN (signed): sending notifies

This means we are running the rollover step checks too fast in some
test runs.

Revert the wait for log change for the rollover-zsk-prepub test.

(cherry picked from commit 22c02a4df9)
2026-01-02 08:13:31 +00:00
Matthijs Mekking
4bdd934562 [9.20] chg: test: Update rollover system tests with chain of trust
Backport of MR !11309

Merge branch 'backport-matthijs-trust-chain-rollover-system-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11399
2025-12-22 15:25:32 +00:00
Matthijs Mekking
705cfac99f Drop and replace CmdHelper with EnvCmd
A generic helper that calls environment-specified binaries has been added,
drop and replace the introduced CmdHelper for the more generic method.

(cherry picked from commit 594ff0816a)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
ddd532ace0 rollover-zsk-prepub: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.

(cherry picked from commit e172b4ff1a)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
74ed63eb8d rollover-straight2none: From setup.sh to pytest bootstrap
Similar to rollover-going-insecure.

(cherry picked from commit da04c75cec)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
e403f6dc2c rollover-lifetime: Update templates
This test does not require a trust chain. Merely update the template
zone files to not point to the common template.

(cherry picked from commit 0016791c91)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
f814553696 rollover-multisigner: Update templates
This test does not require a trust chain. However, it does have a setup
script. Rewrite the setup shell script to a pytest bootstrap method.

(cherry picked from commit b6c091d113)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
7b92adde63 rollover-ksk-3crowd: From setup.sh to pytest bootstrap
Similar to rollover-ksk-doubleksk.

(cherry picked from commit 4ed35f02b1)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
f8ce10ea24 rollover-ksk-doubleksk: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.

(cherry picked from commit 08236f4bd6)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
40330867b1 rollover-going-insecure: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.

Now we have to fake different lifetimes, so adjust fake_lifetime
to update a single key.

Note that we have changed the setup slightly: We also sign the
step2 zones, but with post validation disabled. This is more
accurate because we need to test that the public keys and signatures
are being removed from the zone.

(cherry picked from commit cc4244f384)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
5c499eb2c5 rollover-enable-dnssec: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM_NUMBER@ in ns3/kasp.conf.j2 to
13 and rename to ns3/kasp.conf.

This test introduces an unsigned delegation, adjust render_and_sign_zone
and configure_tld accordingly.

(cherry picked from commit ef2a824df6)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
b2dab768bf rollover-dynamic2inline: Update templates
This test does not require a trust chain. Merely update the template
zonefile to not point to the common template.

(cherry picked from commit 281f71be60)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
1e7121604e rollover-csk-roll2: From setup.sh to pytest bootstrap
Similar to rollover-csk-roll1.

(cherry picked from commit ef7d617e3f)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
5de11b95e9 rollover-csk-roll1: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/kasp.conf.j2 to
ecdsa256 and rename to ns3/kasp.conf.

Write a python method to set the key predecessor/successor relationship
into the key state files.

(cherry picked from commit 1635bcf1ef)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
b649c41005 rollover-algo-ksk-zsk: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

The RSASHA256 keys are generated with dnssec-keygen, without a policy
provided. Thus we have to fake the lifetime for these keys.

Signing has to be done without the -z option, because the KSK should
not sign all records in case of a KSK/ZSK split. Update the signing
code to allow for extra options when signing with CSK only.

(cherry picked from commit 72d3551355)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
7732f07a63 rollover-algo-csk: From setup.sh to pytest bootstrap
Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2.
Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual.

Since the bootstrapping is done before the templates are rendered
automatically, replace @DEFAULT_ALGORITHM@ in ns3/csk2.conf.j2 to
ecdsa256 and rename to ns3/csk2.conf.

(cherry picked from commit 3a6ed195fa)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
ef1ac155b0 rollover: From setup.sh to pytest bootstrap
Introduce rollover/setup.py for all setup related test code.

Introduce rollover/ns1 and rollover/ns2 to create a chain of trust to
all rollover related test zones. The tld zones in rollover/ns2 contain
a DSYNC record that at a later time will be used for testing Generalized
DNS Notifications.

Write a python version of private_type_record so we can put such
records in the zone via jinja2 templating.

(cherry picked from commit f31514e658)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
72b7c2385d Move ns6 to ns3 in rollover tests
There is no difference, so we are going to make it consistent. This will
make it easier to add a chain of trust for these zones (to be done in
a future commit).

(cherry picked from commit e620b29e35)
2025-12-22 15:25:12 +00:00
Matthijs Mekking
6f2fe873be [9.20] chg: doc: Clarify rndc sign
It was not explicitly clear that ``rndc sign`` replaces signatures of inactive keys and updates signatures that are not so fresh.

Closes #5490

Backport of MR !11396

Merge branch 'backport-5490-clear-rndc-sign-on-error-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11409
2025-12-22 15:12:49 +00:00
Matthijs Mekking
aec7f3586e Clarify rndc sign
It was not explicitly clear that 'rndc sign' replaces signatures of
inactive keys and updates signatures that are not so fresh.

(cherry picked from commit 3f52303ef7)
2025-12-22 14:12:24 +00:00
Michał Kępień
7861d0264c [9.20] [CVE-2025-40778] sec: test: Add various bailiwick-related tests
Closes #5414

Backport of MR !11406

Merge branch 'backport-5414-add-various-bailiwick-related-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11407
2025-12-22 13:42:18 +01:00
Petr Špaček
3fc64f1b5e Test that spoofed DNAME is not accepted via spoofable transport
A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get
unlimited number of tries to spoof the answer.  To limit impact, we
should not be accepting DNAME over insecure transport, like UDP without
cookies etc.

In short, the attacker tries to spoof at least one answer that has the
following form:

    opcode QUERY
    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.test. IN A
    ;ANSWER
    trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
    test. 3600 IN DNAME attacker.net.
    ;AUTHORITY
    ;ADDITIONAL

This has been discovered internally.

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit e223ee7097)
2025-12-22 11:47:26 +00:00
Petr Špaček
6b315c08eb Test that fake child delegation cannot overwrite parent's glue RR
In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    ;AUTHORITY
    trigger$RANDOM.victim. 3600 IN NS ns.victim.
    ;ADDITIONAL
    ns.victim. 3600 IN A 10.53.0.3

This attack was originally reported as "test case 2".

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit b5dc46fe6e)
2025-12-22 11:47:26 +00:00
Petr Špaček
ae0afc1d42 Test that unsolicited NS in positive answer cannot overwrite current NS
Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.

In short, the attacker tries to spoof at least one answer that has the
following form:

    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM.victim. IN TXT
    ;ANSWER
    trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL

This attack was originally reported as "test case 1".

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit 658d2e9f8e)
2025-12-22 11:47:26 +00:00
Petr Špaček
0a00d3c2c9 Test that positive answer cannot overwrite sibling NS RRs
Before the fixes for CVE-2025-40778, a positive answer was allowed to
overwrite sibling NS RRs.  The answer had to be a positive AA=1 answer
with a fake NS along with it.  This combination of conditions avoided
the code path with "unrelated <RRTYPE>" detection logic.

If it were some other answer, named from the main branch would detect
the attempt and log:

    DNS format error from 10.53.0.1#16386 resolving trigger/A for <unknown>: unrelated NS victim in trigger authority section

In short, the attacker tries to spoof at least one answer that has the
following form:

    opcode QUERY
    rcode NOERROR
    flags QR AA
    ;QUESTION
    trigger$RANDOM. IN A
    ;ANSWER
    trigger$RANDOM. 3600 IN A 10.53.0.3
    ;AUTHORITY
    victim. 3600 IN NS ns.attacker.
    ;ADDITIONAL
    ns.attacker. 3600 IN A 10.53.0.3

This attack was originally reported as "test case 1c".

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit 26eed16d61)
2025-12-22 11:47:26 +00:00
Petr Špaček
f5b5a94439 Add a common base for CVE-2025-40778 tests
Add the zone files, configuration, and code that will be reused by all
tests related to CVE-2025-40778.

Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit 607974b1bc)
2025-12-22 11:47:26 +00:00
Michał Kępień
1a4c816344 Add a reusable, bare-bones AsyncDnsServer
Add bin/tests/system/ans.py, a bare-bones DNS server that can be used in
system tests instead of full-blown named instances when a server is only
required to return zone-based data.  Where applicable, this reduces load
on the test host and the amount of generated logs.

(cherry picked from commit 440e510f75)
2025-12-22 11:47:26 +00:00
Mark Andrews
1d0e19c612 [9.20] fix: usr: Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid
A zone that is signed with NSEC3, opt-out enabled, and then reconfigured to use NSEC, causes the zone to be published with missing NSEC records. This has been fixed.

Closes #5679

Backport of MR !11359

Merge branch 'backport-5679-nsec3-optout-to-nsec-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11401
2025-12-22 16:09:08 +11:00
Matthijs Mekking
1b3fb1b966 Refactor code that checks if records are seen
There are three places that do roughly the same. Refactor the code to
a helper function.

(cherry picked from commit ae151a7a76)
2025-12-22 15:31:43 +11:00