Commit graph

44299 commits

Author SHA1 Message Date
Aram Sargsyan
5f28dfbb64 Fix a bug in xfrin.c:xfrin_connect_done()
When the connect callback's result is ISC_R_SUCCESS and the callback
changes the result because of some condition, the 'xfr' should not
be detached, because it now belongs to the receive callback.

Detach the reference only if the callback's result is non-success.

(cherry picked from commit fb27599b58)
2026-06-12 15:37:29 +00:00
Aram Sargsyan
331231e203 Add a check for the "doth" system test
Configure a zone transfer using XoT (with opportunistic TLS) from
a non-DoT port, which does not provide ALPN "dot" (in this case
it will try to connect to a DoH port). This is expected to fail,
but the client should handle the error gracefully and not to crash.

(cherry picked from commit 6e0d998ff6)
2026-06-12 15:37:29 +00:00
Michal Nowak
904b669f2d [9.20] new: ci: Enforce AI commit-trailer rules in danger checks
`CONTRIBUTING.md` documents several rules around how AI coding assistants should (and should not) be attributed in commit messages.  Teach `dangerfile.py` to enforce them so that violations are caught at MR time.

Backport of MR !11969

Merge branch 'backport-mnowak/danger-ai-trailer-checks-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12238
2026-06-12 12:10:31 +02:00
Michal Nowak
7c1e80603a Validate Assisted-by trailer format and tool list
CONTRIBUTING.md documents the Assisted-by trailer format as

    Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]

and excludes basic development tools (git, compilers, meson,
ninja, editors, clang-format, black, ruff) from the optional
tool list.

Walk every `Assisted-by:` line in each commit message and emit a
`warn()` when:

  - the line does not match the documented `AGENT:VERSION` shape;
  - the optional tool list contains basic-tool names.

The basic-tool list extends the CONTRIBUTING.md examples with
other formatters, generic linters, and build/test runners
commonly invoked from `.gitlab-ci.yml`.  Specialized analysis
tools (coccinelle, clang-tidy, AFL, Coverity, cppcheck,
valgrind, sanitizers) are intentionally absent so they remain
allowed in the trailer.

Use `warn()` rather than `fail()` because the format is
human-written and overly strict matching would produce false
positives on edge cases.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 2cac546d08)
2026-06-12 10:03:12 +00:00
Michal Nowak
760b20df01 Reject Signed-off-by trailers from AI tools in danger check
CONTRIBUTING.md states that AI agents must not add Signed-off-by
tags, since only humans can legally certify the Developer
Certificate of Origin.  Mirror the existing LLM Co-Authored-By
check against the Signed-off-by trailer line so danger fails on
commits that violate the rule.

The shared alternation of known LLM agent names is factored out
into LLM_AGENT_NAMES_RE so adding a new tool only requires one
edit.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 65d082277d)
2026-06-12 10:03:12 +00:00
Michal Nowak
9dbb8a8082 Detect Co-Authored-By trailers and reject AI co-authors
CONTRIBUTING.md states that AI agents must not be listed as
co-authors and that contributors should use the `Assisted-by:`
trailer instead.  Teach `dangerfile.py` to fail merge requests
whose commit messages include a `Co-Authored-By:` trailer naming
a known LLM (Claude, Codex, Mistral, Copilot, Gemini, Cursor,
Devin, Aider, Sourcegraph, CodeWhisperer).

For any other `Co-Authored-By:` trailer, emit an info-level
`message()` that includes the full trailer line so reviewers can
confirm the named co-author is a human contributor and not an
unrecognised AI tool.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit f5e9dd3dd6)
2026-06-12 10:03:12 +00:00
Arаm Sаrgsyаn
f8f5e6a9d7 [9.20] fix: usr: Fix a bug in GeoIP2 string matching
When using GeoIP2 ACLs (see :any:`acl`), :iscman:`named` could
incorrectly match a name using a sub-string instead of the full
name match. This has been fixed.

Closes #6019

Backport of MR !12092

Merge branch 'backport-6019-geoip2-string-match-buf-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12235
2026-06-11 16:17:06 +00:00
Aram Sargsyan
faccdd5479 Fix 'geoip' ACL matching bug
The geoip2.c:match_string() function can incorrectly return 'true'
when matching strings of different lengths (i.e. it matches a
substring). Return 'false' when the lengths of the matched strings
are different.

(cherry picked from commit 8448136b16)
2026-06-11 16:15:45 +00:00
Aram Sargsyan
4fc13d7f62 Add a new check for the 'geoip2' system test
Check that an ACL can't be matched by a substring in the
GeoIP database, instead of the full string comparision.

(cherry picked from commit bdf4ab9280)
2026-06-11 16:15:45 +00:00
Matthijs Mekking
6a533ec622 [9.20] fix: usr: Ignore updates removing DNSKEY RRset with class ANY
When a Dynamic Update is received that removes the ``DNSKEY`` (or ``CDNSKEY``,
or ``CDS``) RRset, remove all records except the ones that are in use
for signing for the zone.

Closes #6045

Backport of MR !12166

Merge branch 'backport-6045-dns-update-delete-in-use-dnskey-any-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12230
2026-06-11 14:42:52 +00:00
Matthijs Mekking
09990f45b7 ISC_ATTR_UNUSED in favor of UNUSED()
(cherry picked from commit 008ad8ade2)
2026-06-11 14:42:41 +00:00
Matthijs Mekking
75c6db2388 Keep our key on update removing DNSKEY RRset
When a Dynamic Update is received that removes the DNSKEY (or CDNSKEY,
or CDS) RRset, remove all records except the ones that are in use
for signing for the zone (with dnssec-policy).

(cherry picked from commit 97b9c9c823)
2026-06-11 14:42:41 +00:00
Matthijs Mekking
2556c40a84 Test removing DNSKEY records with class ANY
The update should ignore DNSKEY, CDNSKEY and CDS records
for keys that are used for signing.

(cherry picked from commit 3711f3b3c6)
2026-06-11 14:42:41 +00:00
Nicki Křížek
f0053656de [9.20] chg: nil: Update the system test README for the pytest-native workflow
The README predated most of the pytest runner features. Document
building BIND along with the test-only binaries, refresh the stale -T
flag list, and describe the jinja2 templating, bootstrap(), the
conftest fixtures, and the pytest marks; recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5

Backport of MR !12232

Merge branch 'backport-nicki/systest-readme-refresh-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12233
2026-06-11 16:06:12 +02:00
Nicki Křížek
83d66e48f3 Update the system test README for the pytest-native workflow
The README predated most of the pytest runner features. Document
building BIND along with the test-only binaries, refresh the stale -T
flag list, and describe the jinja2 templating, bootstrap(), the
conftest fixtures, and the pytest marks; recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5
(cherry picked from commit abd37e03d6)
2026-06-11 15:50:16 +02:00
Arаm Sаrgsyаn
72d538fe26 [9.20] fix: usr: Fix DNS-over-HTTPS (DoH) quota configuration issue
The :any:`http-listener-clients` and :any:`http-streams-per-connection`
configuration options could be truncated to smaller values (or to ``0``,
which means unlimited) when very big configuration values were used, which
exceeded ``65535``. As a note - it is very unlikely that such big values
are used in production, and the default values for the affected options
are ``300`` and ``100``, correspondingly. This has been fixed.

Closes #6021

Backport of MR !12085

Merge branch 'backport-6021-doh-quota-type-truncation-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12231
2026-06-11 12:10:34 +00:00
Aram Sargsyan
cdceadf3f1 Fix DoH quota global variables type
The 'named_g_http_listener_clients' and 'named_g_http_streams_per_conn'
global variables are defined as 'in_port_t', which is usually 16 bits,
but both the readers and the writers of those variables use 'uint32_t'
as the target/source, which can result in truncation.

Use correct types.

(cherry picked from commit 281660ecc1)
2026-06-11 11:33:33 +00:00
Michal Nowak
d8c573f73b [9.20] fix: test: Various system test stability fixes for CI
Doubling system-test parallelism and removing the `@pytest.mark.flaky` markers exposed a set of timing-sensitive failures across CI. This branch keeps only the fixes for failures that are test-robustness bugs. Other - frequent - failures often guarded by `@pytest.mark.flaky` have their separate MRs already.

Backport of MR !12171

Merge branch 'backport-mnowak/system-test-stability-fixes-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12227
2026-06-11 09:47:15 +02:00
Michal Nowak
6efda73ed6 Retry the SOA serial check in the rpz test
While a response-policy zone is being (re)loaded it can briefly answer
with no SOA (SERVFAIL/REFUSED), which `dig +short` renders as empty
output.  get_sn() aborted the whole tests.sh on the first such miss.
Keep probing for up to ten seconds instead of failing on a single
transient miss.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit bb4afd1332)
2026-06-10 21:04:23 +00:00
Michal Nowak
69f9beb2ff Keep probing for the send timeout under load
One shot raced named; keep sending until it closes the connection.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 9fd01e5121)
2026-06-10 20:33:43 +00:00
Michal Nowak
7928ff5062 Give the retransfer-force watchers a 60s timeout
The shutting-down and success transfers can exceed 30s on slow
instrumented builds.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 842a0fa289)
2026-06-10 20:33:43 +00:00
Michal Nowak
e5505dae77 Count distinct destinations in selfpointedglue dnstap checks
Tolerates retransmissions, which would inflate a raw line count.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit aac9cc40a8)
2026-06-10 20:33:43 +00:00
Michal Nowak
61740468c4 Re-fetch traffic counters until they converge
The counters update asynchronously, so a single snapshot can lag.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit f758ffe0aa)
2026-06-10 20:32:45 +00:00
Michal Nowak
4d93bcd5d6 Bump the next-key-event check timeout to 30s
5s was shorter than the inner watch_log timeout, so it got one try.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit e010535597)
2026-06-10 19:49:42 +00:00
Michal Nowak
35787efdcc Retry the key-state check in test_ksr_fast
named updates the state file asynchronously; one read can race it.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit a5a0dedfbc)
2026-06-10 19:49:41 +00:00
Michal Nowak
bd6ca980a1 Retry transient DNS timeouts in retry_with_timeout()
A transient query timeout should retry, not fail the test.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit a7d1207324)
2026-06-10 19:49:41 +00:00
Nicki Křížek
3216dc7bce [9.20] chg: test: Add NSEC3 answer correctness test to dnssec_py
Rewrite nsec3_answer/tests_nsec3.py as dnssec_py/tests_nsec3_answer.py
using the isctest.zone helpers for zone setup. ns1 (auth) and ns2
(resolver) were renumbered to ns2 and ns9 respectively to fit the
existing dnssec_py server infrastructure.

Assisted-by: Claude:claude-opus-4-8

Backport of MR !12209

Merge branch 'backport-nicki/pytest-dnssec-py-nsec3-answer-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12215
2026-06-09 16:28:09 +02:00
Nicki Křížek
1fa65a58d8 Add NSEC3 answer correctness test to dnssec_py
Rewrite nsec3_answer/tests_nsec3.py as dnssec_py/tests_nsec3_answer.py
using the isctest.zone helpers for zone setup. ns1 (auth) and ns2
(resolver) were renumbered to ns2 and ns9 respectively to fit the
existing dnssec_py server infrastructure.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit ca890789cd)
2026-06-09 13:32:15 +00:00
Nicki Křížek
8d9edf7767 [9.20] chg: test: Add malformed ECDSA DNSKEY tests to dnssec_py
Backport of MR !12210

Merge branch 'backport-nicki/pytest-dnssec-py-dnskey-malformed-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12214
2026-06-09 14:10:48 +02:00
Nicki Křížek
d33012d727 Port active truncated DNSKEY test to dnssec_py
The truncated-active DNSKEY test was only added to the stable branches,
conflicting with the backport. Re-add the truncated-active DNSKEY test
which was removed in the last commit.

Assisted-by: Claude:claude-opus-4-8
2026-06-09 13:28:51 +02:00
Nicki Křížek
c141c30040 Add revoked truncated self-signed DNSKEY test to dnssec_py
Port test_truncated_dnskey from dnssec_malformed_dnskey into the shared
dnssec_py fixture harness, completing the migration and deleting the
remaining dnssec_malformed_dnskey files.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 1d6866b0ee)
2026-06-09 13:28:51 +02:00
Nicki Křížek
6e070eaf6a Add malformed ECDSA DNSKEY tests to dnssec_py
Port test_malformed_ecdsa and test_multiple_rrsigs from the standalone
dnssec_malformed_dnskey directory into the shared dnssec_py fixture
harness. The zone is renamed from example. to dnskey-malformed., the
resolver fixture changes from a dedicated ns3 to the shared ns9, and
trust anchors are wired in via bootstrap() rather than per-directory
config files.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit f1026e21bc)
2026-06-09 13:28:51 +02:00
Nicki Křížek
4bd8622682 [9.20] chg: test: Add mixed DS test to dnssec_py
Rewrite dnssec_unsupported_ds/tests_mixed_ds.py as
dnssec_py/tests_mixed_ds.py using the isctest.zone helpers for zone
setup.

The test verifies that a zone whose DS RRset contains only an
unsupported algorithm DS and a bogus DS record is treated as insecure
by a validating resolver, resulting in SERVFAIL for queries to that
zone. The DS set for child.mixed-ds. is deliberately corrupted after
signing to contain a DS record with an unsupported algorithm (12) and
a DS record with an invalid digest, exercising the mixed-DS insecurity
proof path.

Assisted-by: Claude:claude-opus-4-8

Backport of MR !12206

Merge branch 'backport-nicki/pytest-dnssec-py-mixed-ds-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12213
2026-06-09 11:57:19 +02:00
Nicki Křížek
b9a5f63270 Add mixed DS test to dnssec_py
Rewrite dnssec_unsupported_ds/tests_mixed_ds.py as
dnssec_py/tests_mixed_ds.py using the isctest.zone helpers for zone
setup.

The test verifies that a zone whose DS RRset contains only an
unsupported algorithm DS and a bogus DS record is treated as insecure
by a validating resolver, resulting in SERVFAIL for queries to that
zone. The DS set for child.mixed-ds. is deliberately corrupted after
signing to contain a DS record with an unsupported algorithm (12) and
a DS record with an invalid digest, exercising the mixed-DS insecurity
proof path.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit cdafea5f12)
2026-06-09 09:11:19 +00:00
Ondřej Surý
ea91570492 [9.20] fix: usr: Reject unsupported RSA DNSKEY shapes during DNSSEC validation
An authoritative server publishing an RSA DNSKEY with an unusually
large modulus or an exotic public exponent could make each DNSSEC
signature check on a validating recursive resolver noticeably more
expensive than for a normally sized key.  Such DNSKEYs are now
treated as invalid.

Closes #6008

Backport of MR !12054

Merge branch 'backport-6008-reject-oversized-rsa-dnskeys-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12207
2026-06-08 23:02:06 +02:00
Ondřej Surý
78a7f7da4f
Enforce strict RSA DNSKEY shape during DNSSEC validation
A resolver that validated DNSSEC accepted RSA DNSKEYs of any modulus
size up to OpenSSL's compile-time ceiling, and accepted any public
exponent the wire format could carry.  RSA verification cost grows
sharply with the modulus length, so an authoritative server could
publish an oversized DNSKEY to make each signature check on the
resolver many times more expensive than for a normally sized key.

The intended verify-time cap had no effect because the helper it called
returned the public-exponent bit length rather than the modulus bit
length, so the test was always satisfied.  Replace it with an honest
modulus-range check and a stricter exponent check that accepts only odd
exponents in the closed range [3, 2^32 + 1] (covering every Fermat
prime up to F5 and the odd intermediate values seen in deployed keys),
reject anything outside those bounds at every RSA key load path so an
invalid key never reaches the verifier, and keep the same checks at the
verifier as a backstop against future load paths.

(cherry picked from commit 8b2c490811)
2026-06-08 20:54:22 +02:00
Ondřej Surý
350d9737d7 [9.20] fix: nil: Ignore explict memory ordering in lib/isc/rwlock.c
Backport of MR !12211

Merge branch 'backport-ondrej/update-checklibs.out-for-isc_rwlock-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12212
2026-06-08 19:48:11 +02:00
Ondřej Surý
b5f0c3a7a8 Ignore explict memory ordering in lib/isc/rwlock.c
(cherry picked from commit fbe8c85854)
2026-06-08 17:46:32 +00:00
Ondřej Surý
eff9a306d8 [9.20] fix: dev: Fix the memory ordering in the adaptive read-write lock
On hardware with a weak memory model, the internal read-write lock could
briefly admit a reader and a writer at the same time, risking sporadic
crashes or incorrect data. The reader/writer handshake now uses
sequentially consistent ordering so the two can no longer overlap.

Closes #6060

Backport of MR !12162

Merge branch 'backport-6060-rwlock-seq-cst-handshake-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12205
2026-06-08 19:05:16 +02:00
Ondřej Surý
14641573da Use sequentially consistent ordering in the adaptive rwlock handshake
The adaptive isc_rwlock (the modified C-RW-WP variant) synchronizes a
reader against a writer through a store-buffer handshake across two
independent atomic objects: the reader publishes its arrival in
readers_ingress and then reads writers_lock, while the writer publishes
its lock in writers_lock and then reads the reader indicator. With the
acquire/release ordering introduced by the 2021 simplification, neither
side is forced to observe the other's publish store before its own check
load, so on weak-memory targets a reader could see writers_lock unlocked
while the writer sees the indicator empty, and both would enter their
critical sections at once.

Restore the sequentially consistent ordering the original algorithm
specifies on the handshake atomics. The single total order over the
seq_cst operations is what forbids the overlap; targeting individual
fences is both more fragile and, on x86, more expensive. On x86 this
ordering is free (seq_cst loads remain plain loads and the RMWs remain
lock-prefixed); the added cost falls only on the weak-memory targets that
actually need it.

(cherry picked from commit b11bf7a45e)
2026-06-08 15:56:13 +00:00
Michal Nowak
e59aa01691 [9.20] fix: ci: Escape literal dots in branch-name match regexes
The backports and merged-metadata rules used unescaped dots in their
branch-name regexes, causing them to over-match. Escape the dots so the
patterns match the intended version branch names exactly.

Assisted-by: Claude:claude-opus-4-8

Backport of MR !12172

Merge branch 'backport-mnowak/ci-fix-regex-escaping-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12201
2026-06-08 15:40:35 +02:00
Michal Nowak
2a86ab44f4 Escape literal dots in branch-name match regexes
The backports and merged-metadata rules used unescaped dots in their
branch-name regexes, causing them to over-match. Escape the dots so the
patterns match the intended version branch names exactly.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 934cda2a7a)
2026-06-08 13:24:05 +00:00
Michal Nowak
d6a4aa5ce5 [9.20] fix: dev: Preserve the request message across async SIG(0) processing
For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send().  That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).

Copy the request message when entering async mode and reference the
copy, freeing it in ns__client_reset_cb().

Assisted-by: Claude:claude-opus-4-8

Closes #6139

Backport of MR !12189

Merge branch 'backport-6139-dnstap-sig0-request-buffer-uaf-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12200
2026-06-08 15:17:53 +02:00
Michal Nowak
62b971a1d6 Preserve the request buffer across async SIG(0) processing
For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send().  That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).

When the request is offloaded (ns_client_setup_view() returns
DNS_R_WAIT) and dnstap is enabled, copy the request buffer and point
client->inner.buffer at the copy so it survives the asynchronous hop;
free it in ns__client_reset_cb().  When dnstap is disabled there is no
async consumer of the buffer, so detach it from the receive buffer
instead.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit ddfe8a1bdc)
2026-06-08 13:13:27 +00:00
Nicki Křížek
c8ec396581 [9.20] new: test: pytest helpers for dnssec and zone setup
- Create `isctest.zone.Zone` helper for zone setup (including signing).
- Add `ZoneKey` helpers for both dnssec-keygen managed keys and python-based keys.
- Add `dnssec_py` shared test setup for DNSSEC tests.
- Add the first example - refactor `nsec3_delegations` into a `dnssec_py` test module.

Backport of MR !11807

Merge branch 'backport-nicki/pytest-dnssec-py-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12191
2026-06-05 12:00:48 +02:00
Nicki Křížek
aed978cad8 Add ZoneKey helpers for key operations in isctest.zone
Introduce an abstract ZoneKey base class with two concrete
implementations:

- FileZoneKey wraps a dnssec-keygen-managed key file (kasp.Key).
- PythonZoneKey holds a Python-native keypair for dnspython-based
  signing and key operations.

Both share ZoneKey.into_ta() and ZoneKey.is_ksk(). The ZoneKey
abstraction lets Zone.copy_dssets() and Zone.trust_anchors() handle
pure-Python keys without callers needing to know how the key was made.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit e11e2c9032)
2026-06-05 10:44:46 +02:00
Nicki Křížek
5a3d403a0b Add NSEC3 excessive iterations test to dnssec_py
Rewrite nsec3_delegation/tests_excessive_nsec3_iterations.py as
dnssec_py/tests_nsec3_iter_too_many.py using the isctest.zone helpers.

The test is a reproducer for CVE-2026-1519 [GL#5708]. It sets up a
delegation from nsec3-iter-too-many. (ns2) to an unsigned sub zone
(ns3), signing the parent with NSEC3 at 51 iterations. A validating
resolver (ns9) must use NSEC3 to prove the sub zone is insecure; the
excessive iteration count is logged as a warning. The test verifies that
the query still resolves successfully (insecure, not SERVFAIL) despite
the high iteration count.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit fc5116ed91)
2026-06-05 10:44:42 +02:00
Nicki Křížek
676e49546c Add dnssec_py system test directory
Add a new system test directory for DNSSEC tests written in Python,
using the isctest.zone helpers for zone setup rather than shell sign
scripts.

Set up four nameservers:
- ns1: authoritative for the signed root zone
- ns2: authoritative for test zones (primary)
- ns3: authoritative for additional test zones (typically delegations)
- ns9: validating resolver

Zone configuration for ns2 and ns3 is driven by the ``zones`` template
variable via _common/zones.conf.j2, so each test module's bootstrap()
controls which zones those servers load without touching named.conf.

Individual test modules will be added in subsequent commits.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7ff0321ffa)
2026-06-05 10:35:07 +02:00
Nicki Křížek
a80af4d216 Create zone setup helpers in isctest.zone
System tests that set up zones — especially DNSSEC tests — require a
chain of common operations: rendering zone files from templates,
generating keys, signing, and propagating DS records to parent zones.
Implement these as methods on isctest.zone.Zone so individual tests
don't need to repeat the logic in shell or ad-hoc Python.

isctest.zone.Zone is a plain class that holds the zone's data and
accumulated state (delegations, keys) alongside the methods that operate
on it. It is intentionally separate from isctest.template.Zone, which
remains a dumb data container for jinja2 template rendering.

Key design points:
- zone.Zone.name is the text form without trailing dot ("." for root);
  zone.Zone.dname holds the dns.name.Name for DNS-level operations;
  zone.Zone.basename is the filesystem-safe name ("root" for ".").
- filepath_unsigned / filepath_signed are both always available.
  filepath returns the appropriate one based on zone.Zone.signed.
- The zones/ subdirectory is the default (subdir="zones"); old-style
  tests that place zone files directly in the ns workdir can pass
  subdir=None.
- Signing is opt-in via signed=True; configure() auto-detects whether to
  generate keys and sign based on this flag, so the same method handles
  both signed and unsigned zones.
- delegations and keys are mutable list attributes; callers append to
  them before calling configure() rather than threading them through
  every call.

Also:
- Add isctest.template.zones() as a bridge from a list of zone.Zone to a
  {name: template.Zone} dict suitable for use as the ``zones`` template
  variable. template.zones() resolves filepath to the actual zone file
  so templates don't need to know whether a zone is signed.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7853dbac43)
2026-06-05 10:35:07 +02:00
Evan Hunt
416b0817d1 [9.20] fix: dev: Check dns_rdata_fromstruct() return values
In some functions implementing RFC 5011 key maintenance, the
results of `dns_rdata_fromstruct()` were not checked. This has been
fixed.

Closes #5982

Backport of MR !12017

Merge branch 'backport-5982-keyfetch-done-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12183
2026-06-04 17:36:18 +00:00