Commit graph

44276 commits

Author SHA1 Message Date
Matthijs Mekking
6f70cb7a39 A unified way to verify the zone fetch
There is a lot of similarity when checking the completed fetch is legit.
Create a new function to verify the fetch and to reduce code
duplication.
2025-11-06 10:54:55 +01:00
Matthijs Mekking
94a82c2ecb Count per fetch type
Track fetch counts per type in an array, rather than special named
variables within the zone structure.
2025-11-06 10:54:55 +01:00
Matthijs Mekking
7ac02d4c04 Refactor zone fetch code
There is code duplication between keyfetch and nsfetch, refactor to
allow common code paths to differentiate between them.
2025-11-06 10:54:54 +01:00
Matthijs Mekking
6adfc2348b Export zone functions
Make some zone functions available that we are going to need in the
zonefetch code.
2025-11-06 10:54:54 +01:00
Štěpán Balážik
799fc93619 chg: ci: Run system tests on all platforms on MR that touches system tests
Not doing this has lead to breakage caused by different dnspython
versions on different platforms only discovered in full nightly
pipelines.

Add a triggering rule for MRs changing code in bin/test/system.
Apply this rule to all nightly-only system test jobs.

Merge branch 'stepan/run-all-system-tests-on-system-test-change' into 'main'

See merge request isc-projects/bind9!11214
2025-11-06 09:08:30 +00:00
Štěpán Balážik
8c050fe15c Run system tests on all platforms on MR that touches system tests
Not doing this has lead to breakage caused by different dnspython
versions on different platforms only discovered in full nightly
pipelines.

Add a triggering rule for MRs changing code in bin/test/system.
Apply this rule to all nightly-only system test jobs.
2025-11-06 09:21:40 +01:00
Michal Nowak
037a72e29d chg: doc: Set up version for BIND 9.21.16
Merge branch 'mnowak/set-up-version-for-bind-9.21.16' into 'main'

See merge request isc-projects/bind9!11218
2025-11-05 19:38:15 +01:00
Michal Nowak
26a993a312 Update BIND version to 9.21.16-dev 2025-11-05 19:32:17 +01:00
Colin Vidal
6af8f8ba5e fix: dev: Fix parser test (missing string termination)
Compare only the dumped configuration as the `cfg_printx` does not NULL-terminate the configuration strings.

Merge branch 'colin/fix-parser-test' into 'main'

See merge request isc-projects/bind9!11215
2025-11-05 13:59:23 +01:00
Ondřej Surý
47328cc1f8 Fix parser test (missing string termination)
Parser test could crash because the `dumpb2` buffer hasn't explicit C
NULL string termination after dumping the configuration tree in it.
`cfg_printx` does not doing this by default.

Fix the test by comparing only the strings written with strncmp.
2025-11-05 13:06:38 +01:00
Štěpán Balážik
7f1d36db22 fix: test: Fix NSEC3HASH system test on jammy
a94aab9440 removed importorskip call from
isctest.name on which the functionality of this test relied.

Add an explicit importorskip call to the test.

Merge branch 'stepan/fix-tools-nsec3hash-on-jammy' into 'main'

See merge request isc-projects/bind9!11213
2025-11-05 11:54:23 +00:00
Štěpán Balážik
35923a952e Fix NSEC3HASH system test on jammy
a94aab9440 removed importorskip call from
isctest.name on which the functionality of this test relied.

Add an explicit importorskip call to the test.
2025-11-05 10:51:26 +01:00
Ondřej Surý
7ca069e28f fix: usr: Skip unsupported algorithms when looking for signing key
A mix of supported and unsupported DNSSEC algorithms in the same zone could have caused validation failures. Ignore the DNSSEC keys with unsupported algorithm when looking for the signing keys.

Closes #5622

Merge branch '5622-dont-fail-on-unsupported-algorithms' into 'main'

See merge request isc-projects/bind9!11208
2025-11-04 20:30:08 +01:00
Ondřej Surý
a94a7c1a1e
Skip unsupported algorithms when looking for signing key
When looking for a signing key in select_signing_key(), the result code
indicating unsupported algorithm would abort the search.  Instead, skip
such keys and continue searching for the right key.

Co-Authored-By: Aram Sargsyan <aram@isc.org>
Co-Authored-By: Petr Menšík <pemensik@redhat.com>
2025-11-04 19:53:26 +01:00
Ondřej Surý
488d7bfc75
Add a system test with one good and one bad algorithm
The case where there would be one supported algorithm and one already
unsupported (like RSAMD5 or RSASHA1) was missing.
2025-11-04 19:53:25 +01:00
Ondřej Surý
28926f210e fix: dev: Only unlink from SIEVE LRU if it is still linked
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path.  This could lead to double-unlink
which causes assertion failure.  Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.

Closes #5606

Merge branch '5606-fix-assertion-failure-in-overmem-cleaning' into 'main'

See merge request isc-projects/bind9!11166
2025-11-04 19:53:09 +01:00
Ondřej Surý
0d8dedf73b
Only unlink from SIEVE LRU if it is still linked
Under the overmem conditions, the header could get unlinked from the
SIEVE LRU using a different path.  This could lead to double-unlink
which causes assertion failure.  Add a guard to ISC_SIEVE_UNLINK() to
unlink only still linked headers.
2025-11-04 19:52:45 +01:00
Štěpán Balážik
173868e380 fix: test: Require dnspython>2.0.0 in system tests using asyncserver
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.

Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.

Full removal of pre-2.0.0 `dnspython` support is planned for after 9.18
goes EoL.

Merge branch 'stepan/require-dnspython-2-for-asyncserver' into 'main'

See merge request isc-projects/bind9!11191
2025-11-04 17:14:35 +00:00
Štěpán Balážik
db00ce14c0 Run system tests on AlmaLinux 8 on merge requests in CI
Ensure that system tests don't blow up completely with pre-2.0.0
dnspython.
2025-11-04 16:57:59 +01:00
Štěpán Balážik
072a82a6c5 Require dnspython>2.0.0 in system tests using asyncserver
Maintaining compatibility with pre-2.0.0 dnspython became cumbersome
leading to failure in nightly CI jobs which are the only ones that run
with dnspython this old.

Abort all AsyncServer instances when running with old dnspython. Add an
importor skip for all system tests using isctest.asyncserver.
2025-11-04 16:57:59 +01:00
Štěpán Balážik
a94aab9440 Don't use pytest.importorskip in isctest.name
They can be used outside of test modules (like ans.py custom servers)
which leads to pytest.outcomes.Skipped being raised in weird places and
skipping of tests which don't need dnspython this new.

Remove pytest.importskip from top scope in isctest.name, only run the
check when ZoneAnalyzer is used.
2025-11-04 16:57:59 +01:00
Michał Kępień
496a5e876a new: ci: Add vulnerability-related jobs
Merge branch 'michal/add-vulnerability-related-jobs-to-ci' into 'main'

See merge request isc-projects/bind9!11188
2025-11-04 12:53:46 +01:00
Michał Kępień
83b83bac5a
Add a job preparing post-disclosure notifications
Add a new GitLab CI job that automatically generates post-disclosure
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
2025-11-04 12:51:35 +01:00
Michał Kępień
11e59c96ba
Add a job preparing packager notifications
Add a new GitLab CI job that automatically generates T-1 packager
notifications for BIND 9 security releases based on the metadata for the
current release cycle.
2025-11-04 12:51:35 +01:00
Michał Kępień
f81757bdf3
Add a job preparing security pre-announcements
Add a new GitLab CI job that automatically generates public T-5
pre-announcements for BIND 9 security releases based on the metadata for
the current release cycle.
2025-11-04 12:51:35 +01:00
Michał Kępień
126ed8707e
Add a job preparing EVNs
Add a new GitLab CI job that automatically generates BIND 9 Early
Vulnerability Notifications based on the metadata for the current
release cycle.
2025-11-04 12:51:35 +01:00
Michał Kępień
963bf4e326
Enable overriding the list of security releases
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of security releases in a given release cycle in case
autodetection fails for any reason.
2025-11-04 12:51:35 +01:00
Michał Kępień
bc84907882
Enable overriding the list of fixed CVE IDs
Enable manually providing (via an optional CI variable) Printing Press
jobs with the list of CVE IDs fixed in a given release cycle in case
autodetection fails for any reason.
2025-11-04 12:51:35 +01:00
Michał Kępień
ca7dbdc3c1
Deduplicate definitions of release-related jobs
Extract common YAML keys used by release-related job definitions into
reusable anchors to ensure consistency and limit repetition across
multiple similar jobs.
2025-11-04 12:51:35 +01:00
Michał Kępień
b026651c44
Change the script generating release announcements
Use a different, generic script for preparing release announcements.
2025-11-04 12:51:35 +01:00
Colin Vidal
ac2b36c4bf new: usr: "named-checkconf -b" dumps the built-in configuration
`named-checkconf` now supports the command line switch `-b`,  which prints the default built-in configuration used by `named`.
    
When `-b` is in use, other options are ignored.

Closes #1326

Merge branch '1326-named-checkconf-builtin' into 'main'

See merge request isc-projects/bind9!11177
2025-11-04 10:04:31 +01:00
Colin Vidal
a18cac7917 "named-checkconf -b" dumps built-in config
`named-checkconf` now supports the command line switch `-b`,  which
prints the default built-in configuration used by `named`.

When `-b` is in use, other options are ignored.
2025-11-04 09:26:33 +01:00
Arаm Sаrgsyаn
3ee98de6b6 fix: usr: Prevent assertion failures of dig when server is specified before the -b option
Previously, :iscman:`dig` could exit with an assertion failure when the server was specified before the :option:`dig -b` option. This has been fixed.

Closes #5609

Merge branch '5609-fix-dig-crash-with-at-and-dash-b-on-main' into 'main'

See merge request isc-projects/bind9!11183
2025-11-04 08:00:25 +00:00
Aram Sargsyan
0e8c547e5b Test dig with a IPv4 source address and a IPv4+IPv6 server
Check that dig doesn't exit with an assertion failure when a IPv4
source address is defined after defining a server address which has
both IPv4 and IPv6 addresses (in this case, @localhost).
2025-11-03 19:37:09 +00:00
JINMEI Tatuya
022bf31fab avoid retrying a server if its address is unusable
Previously, if there's no more server to try in force_next,
it attempted to retry the current server similar to a query
timeout case. But, force_next() is called only when the
current server's address is unusable and the query was not
even sent, so recvcount was not incremented, causing an
assertion failure.

We might be able to fix it so the retry doesn't cause a crash,
but it doesn't make sense to retry the server when its address
is known to be unusable. So, simply avoiding the retry would be
the easiest and safest way to prevent the crash.
2025-11-03 19:37:09 +00:00
JINMEI Tatuya
141f68437d make sure current_query is detached before trying next server
Without this, start_udp or start_tcp would trigger an assertion
failure. Detaching it at this point is also consistent with
other failure handling cases, such as in recv_done.
2025-11-03 19:37:09 +00:00
Colin Vidal
4941d33a8a new: usr: Add support for Extended DNS Error 24 (Invalid Data)
Extended DNS Error 24 (Invalid Data) is returned when the server cannot answer data for a zone it is configured for. This occurs typically when an authoritative server does not have loaded the DB of a configured zone, or a secondary server zone is expired.

See RFC 8914 section 4.25.

See #1836

Merge branch 'colin/ede24' into 'main'

See merge request isc-projects/bind9!11169
2025-11-03 18:25:38 +01:00
Colin Vidal
e4851fcdb7 log that a zone is expired after setting the flag
When a (secondary) zone is expired, the log message `<zone> expired` is
printed and the flag `DNS_ZONEFLG_EXPIRED` is set. Change the order by
setting the expired flag first, then printing the log.

This should fixes (rare but persistent) timing-related CI error when the
EDE 24 tests expect the zone to be expired (from the log) and
immediately after request and expect an EDE 24 error. (In some rare
cases, the server was still answering the response).
2025-11-03 17:34:25 +01:00
Colin Vidal
082e1aa834 add tests for EDE 24 support
Add system test covering EDE 24 being added in the response in both
common cases: when the server has not loaded the DB of a zone and when
the zone has expired (secondary).
2025-11-03 17:34:25 +01:00
Colin Vidal
59f116fbc9 support EDE 24 (Invalid Data)
Extended DNS Error 24 (Invalid Data) is returned when the server cannot
answer data for a zone it is configured for. This occurs typically when
an authoritative server does not have loaded the DB of a configured
zone, or a secondary server zone is expired.

See RFC 8914 section 4.25.
2025-11-03 17:34:25 +01:00
Colin Vidal
90b4f256a7 query_getzonedb can returns DNS_R_EXPIRED
If `query_getzonedb()` finds a zone but the zone is expired it
immediately returns `DNS_R_EXPIRED` and doesn't attempt to get the zone
DB (which would be NULL in this case).

This enable caller to have a more precise reason of why getting the DB
has failed.
2025-11-03 17:34:25 +01:00
Colin Vidal
6883282929 add dns_zone_isexpired API
Introduce the `dns_zone_isexpired()` API which returns `true` when a
secondary, mirror, etc. zone is expired.

This internally use the `DNS_ZONEFLG_EXPIRED` which was already set when
the zone gets expired, but never used.

The flag `DNS_ZONEFLG_EXPIRED` is also now cleared when the expiration
time of the zone is updated and in the future.
2025-11-03 17:34:25 +01:00
Petr Špaček
069bfab5b3 rem: nil: Remove leftover FCTX_ATTR_NEEDEDNS0
Merge branch 'pspacek/remove-dead-NEEDEDNS0' into 'main'

See merge request isc-projects/bind9!11198
2025-11-03 15:25:20 +00:00
Petr Špaček
4e167e5c65 Remove leftover FCTX_ATTR_NEEDEDNS0
This is leftover from commit b6309ed962
which removed support for bitstring labels back in 2002.
2025-11-03 15:24:59 +00:00
Matthijs Mekking
9215ae3c7e fix: dev: Remove unused dns_zone_getnotifyacl() function
Deals with Coverity issues:
- CID 638286: Concurrent data access violations (MISSING_LOCK).
- CID 638287: Concurrent data access violations (MISSING_LOCK).

Merge branch 'matthijs-cid-638286-missing-lock' into 'main'

See merge request isc-projects/bind9!11200
2025-11-03 14:38:12 +00:00
Matthijs Mekking
c9ecc0bd26 Remove unused dns_zone_getnotifyacl() function
CID 638286: Concurrent data access violations (MISSING_LOCK).  This
complains about accessing "zone->notifyctx.notify_acl" without holding
the lock "dns_zone.lock".  Elsewhere, reading this data does have the
lock, so it makes sense that in the getter function this must also be
so.  However, the function is unused so we can just remove it.

CID 638287: Concurrent data access violations (MISSING_LOCK).  This
complains about accessing "zone->locked" without holding the lock
"dns_zone.lock". I think this is a false positive as "dns__zone_lock()"
and "dns__zone_unlock() are wrappers around "LOCK_ZONE()" and
"UNLOCK_ZONE()" and where these macros were used they were only
replaced with the internal zone functions. Moreover, "zone->locked"
is only accessed in these macros (and "TRYLOCK_ZONE()" and
"LOCKED_ZONE()").
2025-11-03 12:45:39 +01:00
Colin Vidal
056a32798c fix: dev: restore reuseport to yes by default on supported platforms
Changes introduced by 72862c2a moved the
default configuration from within `bin/named` to a central place
`bin/includes`.

The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.

As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.

Merge branch 'colin/fix-reuseport-default' into 'main'

See merge request isc-projects/bind9!11180
2025-10-31 15:50:56 +01:00
Colin Vidal
608c56f4ac restore reuseport to yes by default on supported platforms
Changes introduced by 72862c2abc moved the
default configuration from within `bin/named` to a central place
`bin/includes`.

The default configuration is conditioned by several compile-time macro.
While for most of them it's fine because they are defined in the global
`config.h` file included by default to all binaries (by meson), one
specific is not defined here. `HAVE_SO_REUSEPORT_LB` was defined in
`lib/isc/include/isc/netmgr.h` which is of course not included in
`bin/includes/defaultconfig.h`.

As a result, reuseport was disabled for all platform by default, even
the supported ones. This fixes the problem by checking if reuseport is
available on the platform from meson `config.h` generation directly,
which makes `HAVE_SO_REUSEPORT_LB` available everywhere.
2025-10-31 15:11:08 +01:00
Matthijs Mekking
0dd1da7959 chg: dev: Refactor notify code
Move notify code in separate source files in preparation for support of generalized DNS notifications.

Merge branch 'matthijs-refactor-notify-code-2' into 'main'

See merge request isc-projects/bind9!11146
2025-10-31 13:47:19 +00:00
Matthijs Mekking
680becfb33 Move notify functions to notify source files
Move dns_notify_destroy, dns_notify_log, dns_notify_cancel,
dns_notify_queue, dns_notify_isqueued, dns_notify_find_address, and
notify related static functions over to the notify source files.
2025-10-31 13:43:47 +01:00