It was discovered in an upcoming academic paper that a xoshiro128**
internal state can be recovered by an external 3rd party, allowing it to
predict UDP ports and DNS IDs in the outgoing queries. This could lead
to an attacker spoofing the DNS answers with great efficiency and
poisoning the DNS cache.
Change the internal random generator to system CSPRNG with buffering to
avoid excessive syscalls.
Thanks Omer Ben Simhon and Amit Klein of Hebrew University of Jerusalem
for responsibly reporting this to us. Very cool research!
(cherry picked from commit cffcab9d5f)
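The fix described above, as an added example that is not BIND's own implementation: a system-CSPRNG source for outgoing UDP source ports and DNS message IDs, buffered so one `os.urandom()` call serves many 16-bit draws. The chunk size and the `uniform()` helper (rejection sampling, which goes beyond the commit text to avoid modulo bias for port ranges that do not divide 2**16) are assumptions of this example.

```python
import os


class BufferedCsprng:
    """Draws 16-bit values from the OS CSPRNG, refilling a byte buffer in chunks
    so that one syscall covers many ports/IDs instead of one syscall per draw."""

    def __init__(self, chunk_size=256):
        # chunk_size is an assumption of this example, not a BIND setting
        self.chunk_size = chunk_size
        self._buf = b""
        self.refills = 0  # number of os.urandom() calls made so far

    def _refill(self):
        self._buf = os.urandom(self.chunk_size)
        self.refills += 1

    def uint16(self):
        """One unpredictable 16-bit value (the shape of a DNS message ID)."""
        if len(self._buf) < 2:
            self._refill()
        value = int.from_bytes(self._buf[:2], "big")
        self._buf = self._buf[2:]
        return value

    def uniform(self, lo, hi):
        """Uniform integer in [lo, hi] by rejection sampling. A plain `uint16() % span`
        would bias the low end of a range such as 1024..65535 that does not divide 2**16."""
        span = hi - lo + 1
        limit = (1 << 16) - ((1 << 16) % span)  # largest multiple of span not above 2**16
        while True:
            r = self.uint16()
            if r < limit:
                return lo + r % span


def draw_ports(rng, count, lo, hi):
    """Pick `count` source ports from [lo, hi] using the buffered CSPRNG."""
    return [rng.uniform(lo, hi) for _ in range(count)]
```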
Previously, several issues could be exploited to poison a DNS cache with
spoofed records for zones which were not DNSSEC-signed or if the
resolver was configured to not do DNSSEC validation. These issues were
assigned CVE-2025-40778 and have now been fixed.
As an additional layer of protection, :iscman:`named` no longer accepts
DNAME records or extraneous NS records in the AUTHORITY section unless
these are received via spoofing-resistant transport (TCP, UDP with DNS
cookies, TSIG, or SIG(0)).
ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
Duan from Tsinghua University for bringing this vulnerability to our
attention.
Backport of !838
Closes isc-projects/bind9#5414
Merge branch '5414-security-check-name-vs-qname-again-9.18' into 'v9.18.40-release'
See merge request isc-private/bind9!852
To prevent spoofed unsigned DNAME responses from being accepted, retry
the response with unsigned DNAMEs over TCP if the response is not TSIG
signed or there isn't a good DNS CLIENT COOKIE.
To prevent test failures, this required adding TCP support to the
ans3 and ans4 servers in the chain system test.
(cherry picked from commit 2e40705c06)
Use the owner name of the NS record as the bailiwick apex name
when determining which additional records to cache, rather than
the name of the delegating zone (or a parent thereof).
(cherry picked from commit a41054e9e6)
To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.
(cherry picked from commit fa153f791f)
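The three cache-acceptance rules described in the commits above (reject unsigned DNAMEs unless the transport is spoofing-resistant, otherwise retry over TCP; require the NS owner name to be an ancestor of the queried name; cache additional records only under the NS owner as the bailiwick apex), as an added model that is not BIND's own code. Transport flags, the tuple record layout and treating the qname itself as its own "ancestor" are assumptions of this example.

```python
def labels(name):
    """Lowercase labels of a DNS name in wire order: 'WWW.Example.com.' -> ['www','example','com']."""
    return [l.lower() for l in name.rstrip(".").split(".") if l]


def is_ancestor_or_self(owner, qname):
    """True when owner equals qname or is one of its ancestors (label-wise, not a string suffix)."""
    o, q = labels(owner), labels(qname)
    return len(o) <= len(q) and q[len(q) - len(o):] == o


def spoofing_resistant(transport):
    """TCP, UDP with a valid DNS COOKIE, TSIG or SIG(0) count as spoofing-resistant (assumed flags)."""
    return any(transport.get(k) for k in ("tcp", "cookie", "tsig", "sig0"))


def cacheable_additional(ns_owner, additional):
    """Additional records are cached only under the NS owner (bailiwick apex),
    never under the delegating zone or a parent of it. additional: [(owner, rrtype)]."""
    return [rr for rr in additional if is_ancestor_or_self(ns_owner, rr[0])]


def evaluate_response(qname, authority, additional, transport):
    """authority/additional: lists of (owner, rrtype, signed). Returns ('retry-tcp', None)
    or ('accept', {'authority': kept authority RRs, 'additional': kept (owner, rrtype) pairs})."""
    resistant = spoofing_resistant(transport)
    kept_auth, ns_owners = [], []
    for owner, rrtype, signed in authority:
        if rrtype == "NS":
            # Bailiwick rule: an NS RRset is usable only if its owner is an ancestor of the qname
            if not is_ancestor_or_self(owner, qname):
                continue
            ns_owners.append(owner)
        elif rrtype == "DNAME" and not signed and not resistant:
            # Unsigned DNAME over a spoofable transport: do not accept, re-ask over TCP instead
            return ("retry-tcp", None)
        kept_auth.append((owner, rrtype, signed))
    kept_add = []
    for ns_owner in ns_owners:
        kept_add.extend(cacheable_additional(ns_owner, [(o, t) for o, t, _ in additional]))
    return ("accept", {"authority": kept_auth, "additional": kept_add})
```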
Previously, if a matching but cryptographically invalid key was encountered during
DNSSEC validation, the key was skipped and not counted
towards validation failures. :iscman:`named` now treats such DNSSEC keys
as hard failures and the DNSSEC validation fails immediately, instead of
continuing with the next DNSKEYs in the RRset.
ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention.
Backport of MR !821
Closes isc-projects/bind9#5343
Merge branch '5343-security-count-invalid-keys-into-validation-fails-9.18' into 'v9.18.40-release'
See merge request isc-private/bind9!843
If a matching but cryptographically invalid key was encountered during
the DNSSEC validation, the key would be just skipped and not counted
towards validation failures. Treat such DNSSEC keys as hard failures
and fail the DNSSEC validation immediately instead of continuing the
DNSSEC validation with the next DNSKEYs in the RRset.
Co-authored-by: Matthijs Mekking <matthijs@isc.org>
(cherry picked from commit f00117a422)
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.
Backport of MR !11039
Merge branch 'backport-andoni/release-announcement-preparation-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11041
In the 'release' stage, create an MR automatically with the
corresponding release announcement. The input for this is taken from
metadata.json in bind9-qa.
(cherry picked from commit 0f75741341)
Add a CI job to merge tags back to the respective base branch in tag pipelines.
Backport of MR !11001
Merge branch 'backport-andoni/add-merge-tag-to-tag-pipeline-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11025
The nsX are utility fixtures which can be used instead of the servers
fixture, which requires longer syntax (i.e. servers["nsX"]).
---
This MR is basically backporting pytest utility fixtures which were introduced to newer branches in !10717. This is a minimal change which only aims to facilitate easier test backports to ~"v9.18" in the future, without changing any of the existing tests.
Merge branch 'nicki/pytest-nsX-fixtures-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11015
There's currently an issue with the shotgun workflow that's being
investigated. Until it's resolved, there's no point in creating the
shotgun jobs as they'll just fail.
Backport of MR !11005
Merge branch 'backport-nicki/ci-temporarily-disable-shotgun-jobs-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11009
There's currently an issue with the shotgun workflow that's being
investigated. Until it's resolved, there's no point in creating the
shotgun jobs as they'll just fail.
(cherry picked from commit 2669463b43)
Trigger selected CI jobs on MR automatically only if there are related
code changes. Otherwise, offer an option to run the jobs manually in
MRs. For other sources, like schedules, tags etc., execute the jobs as
usual.
Backport of MR !10987
Merge branch 'backport-nicki/ci-restrict-rules-changes-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10993
Trigger selected CI jobs on MR automatically only if there are related
code changes. Otherwise, offer an option to run the jobs manually in
MRs. For other sources, like schedules, tags etc., execute the jobs as
usual.
(cherry picked from commit 02c58d9baa)
Use .sh(.in) file extension consistently for shell scripts
to allow more reliable detection of shell scripts based on their file
extension.
(cherry picked from commit 2d690499dd)
When running with TSAN in CI, the test occasionally fails on:
exceeded time limit waiting for literal 'keymgr: purgekeys.kasp done' in ns4/named.run
The line is actually present in the logs, but it takes slightly longer
than 3 seconds to appear. Increase the wait_for_log timeout of the kasp test to 10
seconds to avoid such issues.
---
Example of failure: https://gitlab.isc.org/isc-projects/bind9/-/jobs/6176192
Merge branch 'nicki/kasp-shell-test-increase-log-timeout' into 'bind-9.18'
See merge request isc-projects/bind9!10976
When running with TSAN in CI, the test occasionally fails on:
'exceeded time limit waiting for literal 'keymgr: purgekeys.kasp done'
in ns4/named.run'
The line is actually present in the logs, but it takes slightly longer
than 3 seconds to appear. Increase the wait_for_log timeout of the kasp
test to 10 seconds to avoid such issues.
Sphinx's smartquotes feature was rewriting -- to en-dash, "" to proper
English quotes etc. This was messing up syntax at unpredictable places.
Disable this feature instead of attempting to escape all the places in
the manual.
(cherry picked from commit 66e58d3315)
The new order hopefully reflects likelihood of someone reading from start
to the end:
DNSSEC Guide
Manual Pages
General DNS Reference Information
Release Notes
Changelog
A Brief History of the DNS and BIND
(cherry picked from commit ed0db245be)
The RRSIGs for glue records were not being cached correctly for CD=1 queries. This has been fixed.
Closes #5502
Backport of MR !10938
Merge branch 'backport-5502-fix-missing-rrsig-with-cd-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10957
The code to test whether to store the RRSIGs on DNS_R_UNCHANGED
with CD=1 was failing because the comparison methods of the two
rdataset instances were not compatible. Move the testing into
dns_db_addrdataset(), and request it by setting the DNS_ADD_EQUALOK
option. If the option is set and the old and new rrsets compare
as equal, dns_db_addrdataset() returns ISC_R_SUCCESS instead of
DNS_R_UNCHANGED.
(cherry picked from commit b954a1df43)
Update to REUSE Specification 3.2+ that uses REUSE.toml instead of DEP5
based specification.
Backport of MR !10945
Merge branch 'backport-ondrej/cover-reuse-dep5-to-toml-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10950
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
Closes #5485
Backport of MR !10909
Merge branch 'backport-ondrej/clarify-rrset-order-random-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10936
The randomized order of the records in the rrset is not uniform across
all permutations. Clarify this in the documentation.
(cherry picked from commit 369c8dc388)
Closes #5444
Backport of MR !10795
Merge branch 'backport-5444-add-hhit-and-brid-records-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10933
When an IPv6 rpz prefix entry is entered incorrectly the log
message was just displaying the prefix rather than the full
entry. This has been corrected.
Closes #5491
Backport of MR !10890
Merge branch 'backport-5491-rpz-canonical-warning-displays-zone-entry-incorrectly-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10931
Do not insert a NUL into ip_str too early as the full value
is needed later. Only insert the NUL immediately before
displaying just the prefix string.
(cherry picked from commit 283da99f02)
Mark the :any:`tkey-domain` statement as deprecated since it is only
used by code implementing TKEY Mode 2 (Diffie-Hellman), which was
removed from newer BIND 9 branches.
See #4204
Merge branch '4204-deprecate-tkey-domain' into 'bind-9.18'
See merge request isc-projects/bind9!10783
Mark the "tkey-domain" statement as deprecated since it is only used by
code implementing TKEY Mode 2 (Diffie-Hellman), which was removed from
newer BIND 9 branches.
The :any:`tkey-gssapi-keytab` statement allows GSS-TSIG to be set up in
a simpler and more reliable way than using the
:any:`tkey-gssapi-credential` statement and setting environment
variables (e.g. ``KRB5_KTNAME``). Therefore, the
:any:`tkey-gssapi-credential` statement has been deprecated;
:any:`tkey-gssapi-keytab` should be used instead.
For configurations currently using a combination of both
:any:`tkey-gssapi-keytab` *and* :any:`tkey-gssapi-credential`, the
latter should be dropped and the keytab pointed to by
:any:`tkey-gssapi-keytab` should now only contain the credential
previously specified by :any:`tkey-gssapi-credential`.
See #4204
Backport of MR !10782
Merge branch 'backport-4204-deprecate-tkey-gssapi-credential-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10925
The "tkey-gssapi-keytab" statement enables GSS-TSIG to be set up in a
simpler and more reliable way than using the "tkey-gssapi-credential"
statement and setting environment variables (e.g. KRB5_KTNAME).
Mark the "tkey-gssapi-credential" statement as deprecated to eventually
only have one method for setting up GSS-TSIG in named. Do not mention
"tkey-gssapi-credential" in the section of the ARM on dynamic updates.
(cherry picked from commit 6de435c528)
Clang 20 was spuriously warning about the possibility of passing a NULL file pointer
to `fprintf()`, which uses the 'nonnull' attribute. To silence the warning, the functions
calling `fprintf()` have been marked with the same attribute to assure that NULL can't be
passed to them in the first place.
Closes #5487
Backport of MR !10888
Merge branch 'backport-5487-mark-passed-file-pointer-as-nonnull-in-dnssec-signzone-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!10914