Commit graph

44220 commits

Author SHA1 Message Date
Ondřej Surý
787faa02a7 [9.20] fix: dev: Refine resolver fetch loop detection
The resolver's fetch loop detection now triggers only when a new
fetch would join an already in-flight fetch that is also one of
its own ancestors, which is the actual loop condition.  Previously
the check ran against the original request before the fetch was
set up.

Backport of MR !12145

Merge branch 'backport-ondrej/improve-resolver-loop-detection-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12146
2026-05-30 05:58:58 +02:00
Ondřej Surý
c479706872
Detect resolver fetch loops only when joining an in-flight fetch
dns_resolver_createfetch() guarded against fetch loops by comparing the
raw request name/type/domain before any fetch context existed. Move the
check after the context is obtained and run it against the context
itself, and only when we joined an already in-flight context
(!new_fctx) that is also an ancestor in the parent chain. That is the
real loop condition: the new fetch would block waiting on a fetch that
is itself waiting on us. A newly created context waits on nothing, so it
proceeds, bounded by the fetch depth limit and the complementary ADB
loop detection.

(cherry picked from commit 0e04671b65)
2026-05-29 21:34:10 +02:00
Michal Nowak
1efa52a3f0 [9.20] fix: test: Fix pytest-xdist loadscope splitting on "::" in params
LoadScopeScheduling._split_scope() uses rsplit("::", 1) to
extract the test file scope from a node ID.  When parametrized
test values contain "::" (IPv6 addresses like "cafe:cafe::cafe"
or "::1"), the split lands inside the parameter instead of at
the .py:: boundary.  This creates spurious scopes that get
assigned to different workers, each triggering a full fixture
setup (starting named instances).

Override _split_scope() in conftest.py to split on ".py::"
which is unambiguous.

Six tests in synthrecord/tests_synthrecord.py are affected.
A verification script is included in util/.

Assisted-by: Claude:claude-opus-4-7

Backport of MR !12103

Merge branch 'backport-mnowak/fix-xdist-loadscope-split-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12137
2026-05-28 18:49:04 +02:00
Michal Nowak
5f7684537f Fix pytest-xdist loadscope splitting on "::" in params
LoadScopeScheduling._split_scope() uses rsplit("::", 1) to
extract the test file scope from a node ID.  When parametrized
test values contain "::" (IPv6 addresses like "cafe:cafe::cafe"
or "::1"), the split lands inside the parameter instead of at
the .py:: boundary.  This creates spurious scopes that get
assigned to different workers, each triggering a full fixture
setup (starting named instances).

Override _split_scope() in conftest.py to split on ".py::"
which is unambiguous.

Six tests in synthrecord/tests_synthrecord.py are affected.
A verification script is included in util/.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 4eb893020e)
2026-05-28 18:06:11 +02:00
Michal Nowak
789ae5a982 [9.20] chg: test: Prioritize the 10 slowest system test scopes
Update PRIORITY_TESTS with the 10 longest-running test
scopes measured from CI (job 7468217).  These get scheduled
first so that with --dist=loadscope they land on separate
workers instead of piling up at the end.

Also fix "serve-stale/" to "serve_stale/" to match the
actual directory name, and add a startup check that fails
if any PRIORITY_TESTS entry does not match an existing
directory.

Assisted-by: Claude:claude-opus-4-7

Backport of MR !12104

Merge branch 'backport-mnowak/prioritize-slow-system-tests-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12134
2026-05-28 17:38:21 +02:00
Michal Nowak
1b49a1fccf Prioritize the 10 slowest system test scopes
Update PRIORITY_TESTS with the 10 longest-running test
scopes measured from CI (job 7468217).  These get scheduled
first so that with --dist=loadscope they land on separate
workers instead of piling up at the end.

Also fix "serve-stale/" to "serve_stale/" to match the
actual directory name, and add a startup check that fails
if any PRIORITY_TESTS entry does not match an existing
directory.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 5e3c0b8463)
2026-05-28 14:55:47 +00:00
Michal Nowak
58c2cf54be [9.20] fix: ci: Drop ccache support from CI
The population of the compile cache is so slow, that a BIND 9 build can
take 20 minutes.

Assisted-by: Claude:claude-opus-4-7

Backport of MR !12127

Merge branch 'backport-mnowak/drop-ccache-support-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12128
2026-05-28 15:46:21 +02:00
Michal Nowak
2f4143ca8f Drop ccache support from CI
The population of the compile cache is so slow, that a BIND 9 build can
take 20 minutes.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit cbc8664567)
2026-05-28 15:46:02 +02:00
Nicki Křížek
8107131521 [9.20] new: test: Add isctest.mark.with_developer pytest mark
Backport of MR !12118

Merge branch 'backport-nicki/systest-with-developer-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12125
2026-05-28 15:32:23 +02:00
Nicki Křížek
11fed60395 Add isctest.mark.with_developer pytest mark
Tests that exercise instrumentation, log output, or other behaviour
that only exists in developer builds (the gcc:almalinux9:amd64 CI job
sets -Ddeveloper=disabled to guard against such accidental coupling)
can now decorate themselves with isctest.mark.with_developer to skip on
non-developer builds.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit f957b63010)
2026-05-28 14:54:37 +02:00
Nicki Křížek
2c11957c70 Add FEATURE_DEVELOPER variable to isctest
System tests can check FEATURE_DEVELOPER in the environment, but the
recommended pattern is the with_developer pytest marker added next.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 950dc9945c)
2026-05-28 14:54:37 +02:00
Nicki Křížek
bb450eed70 Add --enable-developer probe to feature-test
System tests that depend on log output, instrumentation, or other
behaviour only present in developer builds can use this probe to detect
the build configuration at runtime.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 113980d4b0)
2026-05-28 14:54:37 +02:00
Nicki Křížek
b58c9546e3 Define DEVELOPER_MODE in developer-mode builds
So that build-time consumers (e.g. feature-test) can detect developer
mode through a single dedicated symbol rather than proxying through
implementation-detail defines like ISC_MEM_TRACKLINES.

9.20 has no meson build; add the define alongside the other developer
defines on the existing STD_CPPFLAGS line in configure.ac.  Originally
landed on main in commit d9aeee7901 ("Define DEVELOPER_MODE in
developer-mode builds").

Assisted-by: Claude:claude-opus-4-7
2026-05-28 14:54:37 +02:00
Nicki Křížek
c8d86d8160 [9.20] chg: test: Improve pytest jinja2 templates
- Enable rendering ns-specific data in jinja2 templates using the `ns` varible.
- Add common zone/config snippets an `_common` templates.
- Allow jinja2 imports from `_common`.
- Improve the `_common/controls.conf.j2` snippet to render ns-specific IP rather than hardocded one.

Backport of MR !11805

Merge branch 'backport-nicki/pytest-template-improvements-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12116
2026-05-28 14:14:33 +02:00
Nicki Křížek
02de870059 Restrict cross-test jinja2 includes to _common/
The previous loader was a FileSystemLoader rooted at $srcdir, which
allowed any system test to include any other test's templates -- a
wider scope than intended. Every existing cross-test include already
targets _common/, so make that the only path.

ChoiceLoader + PrefixLoader keeps the existing '_common/foo.j2' path
convention working without changes to call sites. The '_common/'
prefix is deliberately kept rather than dropping it by rooting the
FileSystemLoader at _common/ directly:

  - It signals at the include site that the file is a shared
    template, not a sibling of the current test; readers don't need
    to know the loader configuration to understand where the file
    lives.
  - It prevents shadowing: a test-local 'controls.conf.j2' would
    not collide with the shared one, and the unqualified name keeps
    its test-local meaning.
  - It makes the dependency greppable: 'grep -rl _common/'
    identifies every test that consumes shared snippets.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c2c2be9be0)
2026-05-28 11:36:55 +02:00
Nicki Křížek
23ad1bf27b Create common templates for test zones
Add commonly used zone-related data (config snippet and zone file
snippets) as templates which can be reused by filling in different data.

Adjust the isctest.template.Zone to use filepath argument rather than
filename for clarity.

(cherry picked from commit 317cd12779)
2026-05-28 11:36:55 +02:00
Nicki Křížek
cefbed1871 Include controls.conf as jinja2 template
Rather than using named.conf include, render the controls directly into
the config using jinja2 template include.

(cherry picked from commit f4ca352bc8)
2026-05-28 11:36:55 +02:00
Nicki Křížek
ff6a91438c Add _common dir to jinja2 template loader
This allows include of template snippets from _common/ directory.

(cherry picked from commit e34c3252d9)
2026-05-28 11:36:55 +02:00
Nicki Křížek
2cdaaf9d0e Reduce whitespace in jinja2 templates
Omit extra newlines when combining and including templates.

Adjust the xfer/ns8/small.db.j2 so it doesn't trim the endline twice
(as that would join the two subsequent records on the same line).

(cherry picked from commit 4f8e3774bb)
2026-05-28 11:36:55 +02:00
Nicki Křížek
8cda065d49 Allow instantiating template dataclasses in jinja2 templates
In some cases, the template data might need to be set directly in the
jinja2 templates using `{% set %}`. Expose the template dataclasses to
the templates so we can use these existing classes, rather than creating
ad-hoc data containers.

(cherry picked from commit dddb067351)
2026-05-28 11:36:55 +02:00
Nicki Křížek
6e31e36a0e Add a directory-specific nameserver data to templates
If a template is being rendered into a directory that represents a
nameserver (e.g. "ns1"), include a nameserver-specific information in
the data - variable called "ns" which has information about the
nameserver this file belongs to.

Ensure the "ns" variable is only exposed to the template when rendered,
without affecting the environment variables (always work with a copy of
the env_vars).

(cherry picked from commit aa435b2e03)
2026-05-28 11:36:55 +02:00
Nicki Křížek
613f48ebcb Improve isctest.template dataclasses' defaults
Extend the Nameserver to generate the default IPv4/IPv6 values, add NSX
values for the predefined nameservers (there are 11 of them, as per
bin/tests/system/ifconfig.sh.in max value). Add the missing ns11
fixture.

Extend the Zone to derive the zone filename by default, unless
specified.

Adjust the existing uses of these classes to utilize the simplified
defaults.

(cherry picked from commit fa3a59e70c)
2026-05-28 11:36:55 +02:00
Ondřej Surý
8851b279d0 [9.20] rem: dev: Remove useless PR-Agent jobs
The experiment was a failure, the PR-Agent doesn't send a full context
to the AI Agents and the results are abysmal because of that.

Backport of MR !12119

Merge branch 'backport-ondrej/remove-useless-pr-agent-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12120
2026-05-28 11:28:27 +02:00
Ondřej Surý
5d9f1fd73d
Remove useless PR-Agent jobs
The experiment was a failure, the PR-Agent doesn't send a full context
to the AI Agents and the results are abysmal because of that.

(cherry picked from commit d3dbcd21df)
2026-05-28 11:08:46 +02:00
Ondřej Surý
dd02abde67 [9.20] chg: usr: named could crash on concurrent TKEY DELETE for the same key
On a server configured with tkey-gssapi-keytab (or tkey-gssapi-credential),
an authenticated peer could crash named by sending two TKEY DELETE requests
for the same dynamic key in rapid succession.  This has been fixed.

Closes #6001

Backport of MR !12041

Merge branch 'backport-6001-tsig-tkey-delete-uaf-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12042
2026-05-28 11:05:57 +02:00
Ondřej Surý
5fe9e7f6ed Fix use-after-free in concurrent dns_tsigkey_delete()
Two TSIG-authenticated TKEY DELETE queries for the same dynamic key,
arriving on different worker loops, could each enter
dns_tsigkey_delete() and cause over-decrementing the key refcount.

This has been fixed by making dns_tsigkey_delete() idempotent.

(cherry picked from commit 5c8dcd4419)
2026-05-28 11:05:34 +02:00
Matthijs Mekking
1547447491 [9.20] fix: usr: The resolver now removes other RRsets at the same name when caching a CNAME
When an RRset is in stale cache, and the authoritative server changes the record type to CNAME, the resolver fails to refresh the stale cache. This has been fixed.

Closes #5302

Backport of MR !11758

Merge branch 'backport-5302-serve-stale-cname-to-a-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12040
2026-05-28 08:49:48 +00:00
Matthijs Mekking
0d91c23c10 When caching names, check for CNAME RRsets
Matthijs Mekking authored 2 months ago
CNAME and other record types cannot coexist. DNSSEC records are the
exceptions to this rule.

If the answer contains a name with a CNAME, remove existing RRsets at
the same name from the cache.

If the answer contains a name without a CNAME, remove the CNAME RRset
at the same name from the cache.

(manually picked from commit 69a560fff1)
2026-05-28 09:59:15 +02:00
Matthijs Mekking
a7c93ea3d9 Add serve-stale test case for CNAME to A
Add a serve-stale system test case where the authority changes a
CNAME RRset to A (at cname2.stale.test). The CNAME that is in the
cache is stale and should be refreshed. The target A record (at
a2.stale.test) has a longer TTL and is also still in the cache. The
next query should return the refreshed A RRset to the client.

Then the authority changes back the A RRset to CNAME. The A RRset
has become stale and should be refreshed. The next query should
return the refreshed CNAME RRset plus the already cached
a2.stale.test A record.

This test requires ns1 to allow dynamic updates to stale.test, and
prefetch to be disabled. The latter is to ensure the record is not
prefetched, but only refreshed when stale (and logs the expected
"an attempt to refresh the RRset" messages).

(cherry picked from commit 4ee526cb6d)
2026-05-28 09:59:15 +02:00
Matthijs Mekking
c13e73e0b8 Remove duplicate check in serve-stale test
(cherry picked from commit c95128ed47)
2026-05-28 09:59:15 +02:00
Ondřej Surý
7517e39504 [9.20] fix: usr: Reject RRSIG records covering meta-types
A recursive resolver could accept and cache an RRSIG record whose
Type-Covered field names a meta-type (ANY, AXFR, IXFR, MAILA, MAILB),
even though no real RRset of those types ever exists. Such records
are now rejected by the DNS message parser.

Closes #6002

Backport of MR !12048

Merge branch 'backport-6002-reject-rrsig-covering-meta-types-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12051
2026-05-28 09:52:19 +02:00
Ondřej Surý
faf9fb0b82 Reject malformed RRSIG records
A signature cannot cover a meta-type (NONE, ANY, AXFR, IXFR, MAILB,
MAILA, OPT, TSIG, TKEY); previously such records were cached by the
recursive resolver and collided with negative-cache entries on the
same owner name, corrupting the QP-trie cache.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c28ba9c3c6)
2026-05-28 09:51:27 +02:00
Matthijs Mekking
edc1ef084f [9.20] fix: usr: Fix crash on badly configured secondary signer
A badly configured secondary signer that was missing the 'file' entry caused the server to crash, rather than to reject the configuration. This has been fixed.

Closes #5993

Backport of MR !12045

Merge branch 'backport-5993-fix-bump-in-the-wire-crash-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12112
2026-05-27 14:01:27 +00:00
Matthijs Mekking
3204b12d1a Fix startup crash on bump in the wire signer
A secondary server that is configured as a bump in the wire signer
with inline-signing implicitly enabled via dnssec-policy requires
a 'file' entry.

(cherry picked from commit 77649ea8e2)
2026-05-27 14:39:10 +02:00
Matthijs Mekking
f98638904d Check conf dnssec-policy inline-signing secondary
Add a variant of checking configuration where inline-signing is
enabled on the secondary, requiring the 'file' entry. This time,
inline-signing is implicitly enabled via dnssec-policy.

(cherry picked from commit 43bbfbeb3c)
2026-05-27 14:38:54 +02:00
Michal Nowak
309b501ef0 [9.20] fix: doc: Ignore gitlab.gnome.org links in Sphinx linkcheck
Backport of MR !12109

Merge branch 'backport-mnowak/linkcheck-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12110
2026-05-27 11:42:24 +02:00
Michal Nowak
ad3ac34b2b Ignore gitlab.gnome.org links in Sphinx linkcheck
GNOME GitLab returns HTTP 406 to Sphinx's linkcheck requests, the
same behavior already worked around for gitlab.isc.org.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 2850dc9d71)
2026-05-27 09:21:41 +00:00
Andoni Duarte
f2a5c580ef [9.20] chg: ci: Add rule for stable tags in CI and use it in the update-stable-tag job
Add a rule to match open source stable tags in CI and apply it to the
update-stable-tag job.

Backport of MR !11646

Merge branch 'backport-andoni/show-update-stable-tag-job-in-stable-versions-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12107
2026-05-27 08:32:32 +00:00
Andoni Duarte Pintado
e4ccf36de6 Add rule for the stable tags in CI and use for job update-stable-tag
The update-stable-tag job should only be run for the stable tag, which
is used by Read the Docs to build the docs for the "stable" version.

A new rule called rule_tag_open_source_stable is introduced, in order to
prevent the job from appearing in the pipeline for non-stable versions.
Having this rule in YAML is necessary, because if it were in the script
itself, the job would show up in the pipeline.

Besides, the new rule allows other jobs to be run only for the stable
tag in the future, without modifying their internal logic.

The CI variable STABLE_VERSION contains a regular expression in
Gitlab CI sense[1]: it uses the RE2 syntax[2] and must be enclosed by
slashes (i.e. /.../). It must be updated every time the minor version
is changed: releasing v9.22 will require changing STABLE_VERSION from
"/v9.20/" to "/v9.22/".

The variable is imported from common Gitlab CI YAML in the project
isc-projects/bind9-qa, so as to maintain it in a central place.

[1]: https://docs.gitlab.com/ci/jobs/job_rules/#compare-a-variable-to-a-regular-expression
[2]: https://github.com/google/re2/wiki/Syntax

(cherry picked from commit 38e80f542e)
2026-05-27 08:25:06 +00:00
Andoni Duarte Pintado
918fbcea12 Include common Gitlab CI YAML from isc-projects/bind9-qa
The template file .gitlab-ci-common.yml is to be used across ISC
projects, while it is maintained in the isc-projects/bind9-qa project.

(cherry picked from commit 1c31e6fea9)
2026-05-27 08:25:05 +00:00
Michal Nowak
639946b38c [9.20] chg: ci: Run unit tests with PKCS#11-aware OpenSSL
Closes isc-projects/bind9#4958

Closes isc-projects/bind9#4957

Backport of MR !9543

Merge branch 'backport-mnowak/pkcs11-aware-unit-gcc-ossl3-amd64-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12099
2026-05-26 18:20:14 +02:00
Michal Nowak
e574119a19 Call tzset() after setenv("TZ", ...) in unit tests
POSIX does not require localtime_r() to behave as if tzset() was called,
so the TZ environment change isn't picked up if some library has already
primed libc's tz cache.  Loading pkcs11-provider during OpenSSL init
does exactly that, causing the time and dnstap cmocka tests to format
timestamps in UTC instead of the requested zone.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c14f7881f2)
2026-05-26 17:09:11 +02:00
Michal Nowak
1805817c3c Run unit tests with PKCS#11-aware OpenSSL
(cherry picked from commit 27babd5fa9)
2026-05-26 15:01:38 +00:00
Štěpán Balážik
33cdb6e4bc [9.20] fix: test: Handle large query IDs in xfer/ans5 properly
Previously, the server would crash if it received a query with an ID
close to 65535 in the badmessageid case, as adding 50 to it would not
fit in uint16.

This was an oversight in porting it from Perl to Python in
f9ed3650ac.

Fixes #6025.

Backport of MR !12097

Merge branch 'backport-stepan/fix-xfer-large-qid-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12098
2026-05-26 13:50:38 +00:00
Štěpán Balážik
daa01f2079 Handle large query IDs in xfer/ans5 properly
Previously, the server would crash if it received a query with an ID
close to 65535 in the badmessageid case, as adding 50 to it would not
fit in uint16.

This was an oversight in porting it from Perl to Python in
f9ed3650ac.

(cherry picked from commit e0ef63532f)
2026-05-26 13:49:34 +00:00
Nicki Křížek
04127edcda [9.20] fix: nil: Fix mypy var-annotated error on FEATURE_VARS
Mypy reports 'Need type annotation for "FEATURE_VARS"'; init_features()
populates it with str->str entries.

Assisted-by: Claude:claude-opus-4-7

Backport of MR !12086

Merge branch 'backport-nicki/fix-isctest-vars-mypy-annotation-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12088
2026-05-25 15:57:47 +02:00
Nicki Křížek
e4066a938d Fix mypy var-annotated error on FEATURE_VARS
Mypy reports 'Need type annotation for "FEATURE_VARS"'; init_features()
populates it with str->str entries.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 81c1105125)
2026-05-25 13:03:53 +00:00
Michal Nowak
08aa108415 [9.20] new: ci: Add Debian "trixie" (386)
Backport of MR !12079

Merge branch 'backport-mnowak/add-debian-trixie-386-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12082
2026-05-22 20:22:52 +02:00
Michal Nowak
754ee3158f Tolerate dnspython post-2038 timestamp overflow on 32-bit
dnspython's RRSIG.to_text() converts the signature inception/expiration
fields by calling time.gmtime(), which on 32-bit platforms raises
OverflowError for values past 2038-01-19 (INT32_MAX). Several DNSSEC
test fixtures use far-future expirations: the precomputed RRSIGs in
the dnssec test's rsasha1.example.db.in zone expire in 2093, ans4 of
the chain test hardcodes 2090, and ans10 of the dnssec test uses
2**32-1 (year 2106). Whenever a response carrying such an RRSIG is
formatted with str()/to_text() the overflow propagates out and either
fails the test (when triggered in isctest.query's debug logging) or
kills the asyncserver-based ans* server (when triggered in its
response logger), which in turn cascades into "Failed to stop
servers" teardown errors and SERVFAIL responses for subsequent tests.

Wrap the to_text() calls in isctest/query.py and the str(response)
call in asyncserver's _log_response() with try/except OverflowError,
falling back to a placeholder message. The conversions are only used
for debug logging, so losing the human-readable form there does not
affect what the tests actually validate.

Assisted-by: Claude:claude-opus-4-7

(cherry picked from commit 968ccdeeda)
2026-05-22 16:33:43 +00:00
Michal Nowak
650b88467e Add Debian "trixie" (386)
(cherry picked from commit b076c43b1c)
2026-05-22 16:33:17 +00:00