Commit graph

44199 commits

Author SHA1 Message Date
Nicki Křížek
613f48ebcb Improve isctest.template dataclasses' defaults
Extend the Nameserver to generate the default IPv4/IPv6 values, add NSX
values for the predefined nameservers (there are 11 of them, as per
bin/tests/system/ifconfig.sh.in max value). Add the missing ns11
fixture.

Extend the Zone to derive the zone filename by default, unless
specified.

Adjust the existing uses of these classes to utilize the simplified
defaults.

(cherry picked from commit fa3a59e70c)
2026-05-28 11:36:55 +02:00
Ondřej Surý
8851b279d0 [9.20] rem: dev: Remove useless PR-Agent jobs
The experiment was a failure, the PR-Agent doesn't send a full context
to the AI Agents and the results are abysmal because of that.

Backport of MR !12119

Merge branch 'backport-ondrej/remove-useless-pr-agent-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12120
2026-05-28 11:28:27 +02:00
Ondřej Surý
5d9f1fd73d
Remove useless PR-Agent jobs
The experiment was a failure, the PR-Agent doesn't send a full context
to the AI Agents and the results are abysmal because of that.

(cherry picked from commit d3dbcd21df)
2026-05-28 11:08:46 +02:00
Ondřej Surý
dd02abde67 [9.20] chg: usr: named could crash on concurrent TKEY DELETE for the same key
On a server configured with tkey-gssapi-keytab (or tkey-gssapi-credential),
an authenticated peer could crash named by sending two TKEY DELETE requests
for the same dynamic key in rapid succession.  This has been fixed.

Closes #6001

Backport of MR !12041

Merge branch 'backport-6001-tsig-tkey-delete-uaf-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12042
2026-05-28 11:05:57 +02:00
Ondřej Surý
5fe9e7f6ed Fix use-after-free in concurrent dns_tsigkey_delete()
Two TSIG-authenticated TKEY DELETE queries for the same dynamic key,
arriving on different worker loops, could each enter
dns_tsigkey_delete() and cause over-decrementing the key refcount.

This has been fixed by making dns_tsigkey_delete() idempotent.

(cherry picked from commit 5c8dcd4419)
2026-05-28 11:05:34 +02:00
Matthijs Mekking
1547447491 [9.20] fix: usr: The resolver now removes other RRsets at the same name when caching a CNAME
When an RRset is in stale cache, and the authoritative server changes the record type to CNAME, the resolver fails to refresh the stale cache. This has been fixed.

Closes #5302

Backport of MR !11758

Merge branch 'backport-5302-serve-stale-cname-to-a-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12040
2026-05-28 08:49:48 +00:00
Matthijs Mekking
0d91c23c10 When caching names, check for CNAME RRsets
Matthijs Mekking authored 2 months ago
CNAME and other record types cannot coexist. DNSSEC records are the
exceptions to this rule.

If the answer contains a name with a CNAME, remove existing RRsets at
the same name from the cache.

If the answer contains a name without a CNAME, remove the CNAME RRset
at the same name from the cache.

(manually picked from commit 69a560fff1)
2026-05-28 09:59:15 +02:00
Matthijs Mekking
a7c93ea3d9 Add serve-stale test case for CNAME to A
Add a serve-stale system test case where the authority changes a
CNAME RRset to A (at cname2.stale.test). The CNAME that is in the
cache is stale and should be refreshed. The target A record (at
a2.stale.test) has a longer TTL and is also still in the cache. The
next query should return the refreshed A RRset to the client.

Then the authority changes back the A RRset to CNAME. The A RRset
has become stale and should be refreshed. The next query should
return the refreshed CNAME RRset plus the already cached
a2.stale.test A record.

This test requires ns1 to allow dynamic updates to stale.test, and
prefetch to be disabled. The latter is to ensure the record is not
prefetched, but only refreshed when stale (and logs the expected
"an attempt to refresh the RRset" messages).

(cherry picked from commit 4ee526cb6d)
2026-05-28 09:59:15 +02:00
Matthijs Mekking
c13e73e0b8 Remove duplicate check in serve-stale test
(cherry picked from commit c95128ed47)
2026-05-28 09:59:15 +02:00
Ondřej Surý
7517e39504 [9.20] fix: usr: Reject RRSIG records covering meta-types
A recursive resolver could accept and cache an RRSIG record whose
Type-Covered field names a meta-type (ANY, AXFR, IXFR, MAILA, MAILB),
even though no real RRset of those types ever exists. Such records
are now rejected by the DNS message parser.

Closes #6002

Backport of MR !12048

Merge branch 'backport-6002-reject-rrsig-covering-meta-types-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12051
2026-05-28 09:52:19 +02:00
Ondřej Surý
faf9fb0b82 Reject malformed RRSIG records
A signature cannot cover a meta-type (NONE, ANY, AXFR, IXFR, MAILB,
MAILA, OPT, TSIG, TKEY); previously such records were cached by the
recursive resolver and collided with negative-cache entries on the
same owner name, corrupting the QP-trie cache.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c28ba9c3c6)
2026-05-28 09:51:27 +02:00
Matthijs Mekking
edc1ef084f [9.20] fix: usr: Fix crash on badly configured secondary signer
A badly configured secondary signer that was missing the 'file' entry caused the server to crash, rather than to reject the configuration. This has been fixed.

Closes #5993

Backport of MR !12045

Merge branch 'backport-5993-fix-bump-in-the-wire-crash-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12112
2026-05-27 14:01:27 +00:00
Matthijs Mekking
3204b12d1a Fix startup crash on bump in the wire signer
A secondary server that is configured as a bump in the wire signer
with inline-signing implicitly enabled via dnssec-policy requires
a 'file' entry.

(cherry picked from commit 77649ea8e2)
2026-05-27 14:39:10 +02:00
Matthijs Mekking
f98638904d Check conf dnssec-policy inline-signing secondary
Add a variant of checking configuration where inline-signing is
enabled on the secondary, requiring the 'file' entry. This time,
inline-signing is implicitly enabled via dnssec-policy.

(cherry picked from commit 43bbfbeb3c)
2026-05-27 14:38:54 +02:00
Michal Nowak
309b501ef0 [9.20] fix: doc: Ignore gitlab.gnome.org links in Sphinx linkcheck
Backport of MR !12109

Merge branch 'backport-mnowak/linkcheck-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12110
2026-05-27 11:42:24 +02:00
Michal Nowak
ad3ac34b2b Ignore gitlab.gnome.org links in Sphinx linkcheck
GNOME GitLab returns HTTP 406 to Sphinx's linkcheck requests, the
same behavior already worked around for gitlab.isc.org.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 2850dc9d71)
2026-05-27 09:21:41 +00:00
Andoni Duarte
f2a5c580ef [9.20] chg: ci: Add rule for stable tags in CI and use it in the update-stable-tag job
Add a rule to match open source stable tags in CI and apply it to the
update-stable-tag job.

Backport of MR !11646

Merge branch 'backport-andoni/show-update-stable-tag-job-in-stable-versions-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12107
2026-05-27 08:32:32 +00:00
Andoni Duarte Pintado
e4ccf36de6 Add rule for the stable tags in CI and use for job update-stable-tag
The update-stable-tag job should only be run for the stable tag, which
is used by Read the Docs to build the docs for the "stable" version.

A new rule called rule_tag_open_source_stable is introduced, in order to
prevent the job from appearing in the pipeline for non-stable versions.
Having this rule in YAML is necessary, because if it were in the script
itself, the job would show up in the pipeline.

Besides, the new rule allows other jobs to be run only for the stable
tag in the future, without modifying their internal logic.

The CI variable STABLE_VERSION contains a regular expression in
Gitlab CI sense[1]: it uses the RE2 syntax[2] and must be enclosed by
slashes (i.e. /.../). It must be updated every time the minor version
is changed: releasing v9.22 will require changing STABLE_VERSION from
"/v9.20/" to "/v9.22/".

The variable is imported from common Gitlab CI YAML in the project
isc-projects/bind9-qa, so as to maintain it in a central place.

[1]: https://docs.gitlab.com/ci/jobs/job_rules/#compare-a-variable-to-a-regular-expression
[2]: https://github.com/google/re2/wiki/Syntax

(cherry picked from commit 38e80f542e)
2026-05-27 08:25:06 +00:00
Andoni Duarte Pintado
918fbcea12 Include common Gitlab CI YAML from isc-projects/bind9-qa
The template file .gitlab-ci-common.yml is to be used across ISC
projects, while it is maintained in the isc-projects/bind9-qa project.

(cherry picked from commit 1c31e6fea9)
2026-05-27 08:25:05 +00:00
Michal Nowak
639946b38c [9.20] chg: ci: Run unit tests with PKCS#11-aware OpenSSL
Closes isc-projects/bind9#4958

Closes isc-projects/bind9#4957

Backport of MR !9543

Merge branch 'backport-mnowak/pkcs11-aware-unit-gcc-ossl3-amd64-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12099
2026-05-26 18:20:14 +02:00
Michal Nowak
e574119a19 Call tzset() after setenv("TZ", ...) in unit tests
POSIX does not require localtime_r() to behave as if tzset() was called,
so the TZ environment change isn't picked up if some library has already
primed libc's tz cache.  Loading pkcs11-provider during OpenSSL init
does exactly that, causing the time and dnstap cmocka tests to format
timestamps in UTC instead of the requested zone.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c14f7881f2)
2026-05-26 17:09:11 +02:00
Michal Nowak
1805817c3c Run unit tests with PKCS#11-aware OpenSSL
(cherry picked from commit 27babd5fa9)
2026-05-26 15:01:38 +00:00
Štěpán Balážik
33cdb6e4bc [9.20] fix: test: Handle large query IDs in xfer/ans5 properly
Previously, the server would crash if it received a query with an ID
close to 65535 in the badmessageid case, as adding 50 to it would not
fit in uint16.

This was an oversight in porting it from Perl to Python in
f9ed3650ac.

Fixes #6025.

Backport of MR !12097

Merge branch 'backport-stepan/fix-xfer-large-qid-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12098
2026-05-26 13:50:38 +00:00
Štěpán Balážik
daa01f2079 Handle large query IDs in xfer/ans5 properly
Previously, the server would crash if it received a query with an ID
close to 65535 in the badmessageid case, as adding 50 to it would not
fit in uint16.

This was an oversight in porting it from Perl to Python in
f9ed3650ac.

(cherry picked from commit e0ef63532f)
2026-05-26 13:49:34 +00:00
Nicki Křížek
04127edcda [9.20] fix: nil: Fix mypy var-annotated error on FEATURE_VARS
Mypy reports 'Need type annotation for "FEATURE_VARS"'; init_features()
populates it with str->str entries.

Assisted-by: Claude:claude-opus-4-7

Backport of MR !12086

Merge branch 'backport-nicki/fix-isctest-vars-mypy-annotation-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12088
2026-05-25 15:57:47 +02:00
Nicki Křížek
e4066a938d Fix mypy var-annotated error on FEATURE_VARS
Mypy reports 'Need type annotation for "FEATURE_VARS"'; init_features()
populates it with str->str entries.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 81c1105125)
2026-05-25 13:03:53 +00:00
Michal Nowak
08aa108415 [9.20] new: ci: Add Debian "trixie" (386)
Backport of MR !12079

Merge branch 'backport-mnowak/add-debian-trixie-386-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12082
2026-05-22 20:22:52 +02:00
Michal Nowak
754ee3158f Tolerate dnspython post-2038 timestamp overflow on 32-bit
dnspython's RRSIG.to_text() converts the signature inception/expiration
fields by calling time.gmtime(), which on 32-bit platforms raises
OverflowError for values past 2038-01-19 (INT32_MAX). Several DNSSEC
test fixtures use far-future expirations: the precomputed RRSIGs in
the dnssec test's rsasha1.example.db.in zone expire in 2093, ans4 of
the chain test hardcodes 2090, and ans10 of the dnssec test uses
2**32-1 (year 2106). Whenever a response carrying such an RRSIG is
formatted with str()/to_text() the overflow propagates out and either
fails the test (when triggered in isctest.query's debug logging) or
kills the asyncserver-based ans* server (when triggered in its
response logger), which in turn cascades into "Failed to stop
servers" teardown errors and SERVFAIL responses for subsequent tests.

Wrap the to_text() calls in isctest/query.py and the str(response)
call in asyncserver's _log_response() with try/except OverflowError,
falling back to a placeholder message. The conversions are only used
for debug logging, so losing the human-readable form there does not
affect what the tests actually validate.

Assisted-by: Claude:claude-opus-4-7

(cherry picked from commit 968ccdeeda)
2026-05-22 16:33:43 +00:00
Michal Nowak
650b88467e Add Debian "trixie" (386)
(cherry picked from commit b076c43b1c)
2026-05-22 16:33:17 +00:00
Andoni Duarte
bee7362e24 fix: doc: Remove 9.21-only release note from May 2026 release notes
Issue #5826 has two different fixes: one released in April 2026 that
applies to 9.20 and 9.18, and another released in May 2026 that applies
to 9.21. The 9.21 release note was mistakenly included in the release
notes for 9.20 and 9.18. This commit removes it.

Merge branch 'andoni/fix-doc-duplicate-note-5826' into 'bind-9.20'

See merge request isc-projects/bind9!12067
2026-05-21 13:52:33 +00:00
Andoni Duarte Pintado
931bc821d8 Remove 9.21-only release note from May 2026 release notes
Issue #5826 has two different fixes: one released in April 2026 that
applies to 9.20 and 9.18, and another released in May 2026 that applies
to 9.21. The 9.21 release note was mistakenly included in the release
notes for 9.20 and 9.18. This commit removes it.
2026-05-21 15:46:42 +02:00
Michał Kępień
86bb27060c [9.20] fix: usr: Clear REDIRECT flag when it isn't needed
When `nxdomain-redirect` is in use, and a recursive query is used to get the redirected answer, a flag is set to distinguish it from a normal recursive response. Previously, that flag was left set afterward, which could trigger an assertion if a normal recursive query was sent later on behalf of the same client: for example, because the `filter-aaaa` plugin was in use.  This has been fixed.

Closes #5936

Backport of MR !12073

Merge branch 'backport-5936-clear-redirect-flag-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12076
2026-05-21 15:11:32 +02:00
Evan Hunt
d1a32c003c
Clear REDIRECT flag when it isn't needed
The NS_QUERYATTR_REDIRECT flag is set when processing a recursive
NXDOMAIN redirection lookup, so that if that lookup also returns
NXDOMAIN we don't end up looping.

Previously, the flag was left active after use, but if the
same client triggered a subsequent recursive lookup (for example,
in the filter-aaaa plugin), then the wrong branch could be reached
in query_resume(), potentially leading to an assertion failure.  This
has been fixed.

(cherry picked from commit 3ff0018308)
2026-05-21 15:04:41 +02:00
Michal Nowak
a59080c053 [9.20] fix: dev: Validate nsec3hash arguments instead of relying on atoi()
The nsec3hash tool parsed its algorithm, flags, and iterations
arguments with atoi(), then range-checked the result. For values
that overflow int during digit-by-digit accumulation, atoi() is
undefined; in practice on musl libc the modular wrap leaves
n == 0, which silently passes the "iterations > 0xffffU" check.
On Alpine Linux this made nsec3hash succeed with iterations
treated as 0 for inputs like 4294967296 (2^32).

The latent bug only surfaced when the recent image rebuild pulled
in Hypothesis 6.152.9 (2026-05-19), which unified the distribution
used for bounded and unbounded integers() strategies. The new
smoother distribution explores the 2^32 boundary on unbounded
ranges like integers(min_value=65536); earlier versions did not
reach there, so test_nsec3hash_too_many_iterations only started
failing on Alpine after the image refresh.

Replace the three atoi() calls with isc_parse_uint8 /
isc_parse_uint16, which uniformly reject overflow, trailing
garbage, leading sign, and non-numeric input across libc
implementations. As a side effect, error messages now include
the offending argument and a specific reason ("out of range" vs
"not a valid number").

Assisted-by: Claude:claude-opus-4-7

Closes #6013

Backport of MR !12062

Merge branch 'backport-6013-nsec3hash-iterations-overflow-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12074
2026-05-21 14:50:13 +02:00
Michal Nowak
bb8321c637 Validate nsec3hash arguments instead of relying on atoi()
The nsec3hash tool parsed its algorithm, flags, and iterations
arguments with atoi(), then range-checked the result. For values
that overflow int during digit-by-digit accumulation, atoi() is
undefined; in practice on musl libc the modular wrap leaves
n == 0, which silently passes the "iterations > 0xffffU" check.
On Alpine Linux this made nsec3hash succeed with iterations
treated as 0 for inputs like 4294967296 (2^32).

The latent bug only surfaced when the recent image rebuild pulled
in Hypothesis 6.152.9 (2026-05-19), which unified the distribution
used for bounded and unbounded integers() strategies. The new
smoother distribution explores the 2^32 boundary on unbounded
ranges like integers(min_value=65536); earlier versions did not
reach there, so test_nsec3hash_too_many_iterations only started
failing on Alpine after the image refresh.

Replace the three atoi() calls with isc_parse_uint8 /
isc_parse_uint16, which uniformly reject overflow, trailing
garbage, leading sign, and non-numeric input across libc
implementations. As a side effect, error messages now include
the offending argument and a specific reason ("out of range" vs
"not a valid number").

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit e13302a6bc)
2026-05-21 11:41:29 +00:00
Michał Kępień
ebe67bf017 [9.20] chg: test: Clean up custom server code in the "resend_loop" system test
Apply assorted cleanups to `bin/tests/system/resend_loop/ans3/ans.py`.

Backport of MR !12063

Merge branch 'backport-michal/resend_loop-test-ans3-cleanup-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12071
2026-05-21 12:42:36 +02:00
Michał Kępień
553c97834a
Follow common naming and coding conventions
Make the handlers defined in bin/tests/system/resend_loop/ans3/ans.py
follow canonical naming conventions used in other system tests.  Keep
all server initialization code in the main() function.

(cherry picked from commit c5a30a7220)
2026-05-21 12:02:20 +02:00
Michał Kępień
0cbf295bca
Turn _get_cookie() into a method
Since the _get_cookie() function is only used by the CookieHandler
class, make the former a method of the latter to keep related logic
close in the source code.

(cherry picked from commit c3839e830c)
2026-05-21 12:02:20 +02:00
Michał Kępień
c42aea399d
Tweak the _get_cookie() method
The "len(cookie.server) == 0" condition is superfluous for the
"resend_loop" system test, so remove it.  Add a return type annotation
to the _get_cookie() function.

(cherry picked from commit 5fa2bd7e53)
2026-05-21 12:02:20 +02:00
Michał Kępień
5a828431f8
Remove workarounds for dnspython < 2.7.0
dnspython 2.7.0 is now required to run the BIND 9 system test suite.
Drop the workarounds for older dnspython versions as they are now
redundant.

(cherry picked from commit c9ceb191e8)
2026-05-21 12:02:20 +02:00
Michał Kępień
ef0502bcc6
Fix flawed response logic for COOKIE-less queries
The "yield" keyword does not cause a function to return.  By design,
get_responses() may yield multiple DNS responses in a single call.  As
currently implemented, CookieHandler.get_responses() sends two responses
to each client query that does not contain a COOKIE option.  Make the
logic in that method consistent with code comments by only sending one
response to every query - either SERVFAIL or BADCOOKIE, never both.

(cherry picked from commit de42425bbd)
2026-05-21 12:02:20 +02:00
Michał Kępień
cfa16e3f24
Drop redundant uses of authoritative=True
The ans3 custom server instance is created with default_aa=True.  Do not
pass the authoritative=True keyword argument to the DnsResponseSend
constructor in CookieHandler.get_responses() as it is redundant.

(cherry picked from commit c61539279d)
2026-05-21 12:02:20 +02:00
Michał Kępień
5b73bbac14
Drop unnecessary qctx.prepare_new_response() call
The ans3 custom server does not have any zones defined, so the responses
passed to its handlers by core isctest.asyncserver code are guaranteed
to be empty.  Remove a call to qctx.prepare_new_response() from
CookieHandler.get_responses() as it is redundant.

(cherry picked from commit 802c03313f)
2026-05-21 12:02:20 +02:00
Michał Kępień
9c24d5a16d
Remove NoErrorHandler
The NoErrorHandler class does not get matched to any query sent by ns4
in the "resend_loop" test.  Remove it as it is redundant.

(cherry picked from commit a296bcf587)
2026-05-21 12:02:20 +02:00
Michał Kępień
c0e52f4ec2
Simplify match criteria for CookieHandler
The CookieHandler class handles all traffic for the "example." domain.
Make it a subclass of DomainHandler to simplify its definition.

(cherry picked from commit ba6eee2b80)
2026-05-21 12:02:20 +02:00
Michał Kępień
7ef692746a
Simplify ./NS query handling
Replace PrimeHandler with a StaticResponseHandler subclass achieving the
same goal.

(cherry picked from commit c0f01b60fd)
2026-05-21 12:02:20 +02:00
Michał Kępień
29a132b5d0 [9.20] chg: ci: Various autorebase improvements
- Rewrite cherry-pick references during autorebases
  - Fix autorebase error reporting
  - Limit post-push pipelines for autorebased branches
  - Only autorebase when there is anything to rebase
  - Conflate missing commit reference notifications
  - Support autorebasing backported security MRs

Backport of MR !12024

Merge branch 'backport-michal/autorebase-improvements-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12069
2026-05-21 11:33:24 +02:00
Michał Kępień
0b63ecd2bb
Support autorebasing backported security MRs
Autorebasing a backported security fix enables convenient refreshing of
cherry-pick references, which makes it trivial for developers to satisfy
Danger rules just before the merge request is merged.  Add a manual CI
job that is only created for backported merge requests targeting
security-* branches.

(cherry picked from commit dd723d93cb)
2026-05-21 11:27:46 +02:00
Michał Kępień
ab2aa2f4cc
Conflate missing commit reference notifications
Instead of creating a separate (potentially lengthy) Danger notification
for every missing commit reference in a backport, produce a single
notification with a list of all unreferenced commit hashes.  This makes
Danger output more concise while retaining all the relevant feedback for
the developer.

(cherry picked from commit 086780dcf0)
2026-05-21 11:27:46 +02:00
Michał Kępień
3265127e6d
Only autorebase when there is anything to rebase
In an optimistic future, security-* branches will become empty, at least
intermittently.  When that happens, there will be nothing left to rebase
on those branches, so when something gets merged into their base
branches, an autorebase will effectively be a fast-forward.  While the
existing autorebase logic would handle such a case perfectly fine, it is
prudent to avoid creating a test pipeline after pushing such a
fast-forward update as the code revision getting pushed will have
already been tested by other pipelines.  However, the push should still
happen as non-empty downstream autorebased branches may exist and those
will still need to be rebased.  Achieve both of these objectives by
checking early whether there is anything to rebase and pushing the
fast-forwarded version of the branch without setting the AUTOREBASE CI
variable if there is not.

(cherry picked from commit 497f771ae3)
2026-05-21 11:27:46 +02:00