Commit graph

1480 commits

Author SHA1 Message Date
Aram Sargsyan
9adab9e577 Fix memory leak bug during zone shutdown
The dns_update_signaturesinc() updates zone signatures in chunks,
keeping its current state in 'zone->rss_state'. When a zone shuts
down, the signature update process is canceled, and all the data
in the state is not freed.

Create a new dns_update_state_clear() function which can be called
from dns_zone_free() to free the memory.

(cherry picked from commit 5e12906669)
2026-06-22 21:14:02 +00:00
Aram Sargsyan
7398fa2476 Handle zone shutting down case in receive_secure_serial()
When the zone is shutting down jump straight to cleanup, otherwise
an assertion failure is possible, e.g. because zone->loop can be
already NULL.

(cherry picked from commit b56e3cd2ee)
2026-06-22 21:06:58 +00:00
Aram Sargsyan
0b07018e3b Remove the unused link from 'struct rss'
The link is declared but never used. Remove it.

(cherry picked from commit fad2c5b757)
2026-06-22 21:06:49 +00:00
Aram Sargsyan
34b40e9272 Fix a bug in "receive secure serial" processing
When a DNS UPDATE messages is received, the zone_send_secureserial()
function can schedule a new receive_secure_serial() call with a new
'rss' object before a previous one had a chance to be fully processed.
This can cause an assertion failure in receive_secure_serial() with a
new 'rss' object (when the old one was rescheduled because it got
DNS_R_CONTINUE from dns_update_signaturesinc()). In other words:

1. receive_secure_serial() called with rss, sets zone->rss = rss,
   reschedules because of DNS_R_CONTINUE
2. receive_secure_serial() called with rss_new, INSIST fails because
   zone->rss != rss_new), i.e. this was called before the old 'rss'
   was fully processed

Change the code logic by introducing a new 'rss_next' field and making
sure the old 'rss' is complete before starting processing the new
one.

(cherry picked from commit 5118f3bad6)
2026-06-22 21:05:07 +00:00
Aram Sargsyan
7303689183 Remove redundant INSIST
The check is already performed in the INSIST above.

(cherry picked from commit 7d7130f51a)
2026-06-22 20:56:41 +00:00
Matthijs Mekking
dbb0dd5088 Remove CDs/CDNSKEY records on reconfig
When adding to dnssec-policy:

    cdnskey no;
    cds-digest-types { };

and then reconfig the server, named must remove existing CDS and CDNSKEY
records. Note this already worked when adding CDS digest, or setting
'cdnskey yes;', but not when digests were removed from the list, or
when setting 'cdnskey no;'.

(cherry picked from commit 1c4c2cba8b)
2026-06-19 12:39:11 +02:00
Evan Hunt
9eeb8bde5a Check wildcard signer and NOQNAME signer match
A positive wildcard answer, and the NSEC3 proof that the requested
name doesn't exist in the zone, must both be from the same zone.
Otherwise, an NSEC3 from an ancestor zone could be used to interfere
with validation.

We now retrieve the signer name from a wildcard response's signature.
An NSEC3 record cannot be used as a NOQNAME proof for the wildcard
unless it exactly matches the name one level above the NSEC3.

Fixes: isc-projects/bind9#5971

(cherry picked from commit 45c9bd2603)
2026-06-18 10:58:11 -07:00
Matthijs Mekking
75c6db2388 Keep our key on update removing DNSKEY RRset
When a Dynamic Update is received that removes the DNSKEY (or CDNSKEY,
or CDS) RRset, remove all records except the ones that are in use
for signing for the zone (with dnssec-policy).

(cherry picked from commit 97b9c9c823)
2026-06-11 14:42:41 +00:00
Evan Hunt
65a3694f2a Check dns_rdata_fromstruct() return values
The in some functions implementing RFC 5011 key maintenance, the
results of dns_rdata_fromstruct() were not checked. This has been
fixed.

(cherry picked from commit 175d418e28)
2026-06-04 09:46:58 -07:00
Ondřej Surý
f756907f24 Guard parent-NS walk against running off the root
Once the walk reaches the root, splitting one more label off would
trip an internal assertion and abort named.  Stop cleanly with
ISC_R_NOTFOUND so the dispatcher cancels the fetch.  Only reachable
through misconfiguration (root configured as a primary with parental
agents, or a parent zone that NODATAs its own NS).

Assisted-by: Claude:claude-opus-4-7

Manually edited to resolve conflicts.

(cherry picked from commit 141e8110f7)
2026-05-19 15:30:34 +02:00
Ondřej Surý
f907b229d3
Simplify checkds_create() to return void
Since memory allocation never fails in BIND 9, checkds_create() cannot
fail.  Change it to return void and use designated initializers,
removing error handling at all call sites.

(cherry picked from commit 63d3c1f58a)
2026-03-16 11:04:58 +01:00
Ondřej Surý
dc419568d1
Fix cb_args memory leak in ns_query() error path
Initialize cb_args to NULL and free it in the cleanup path so it
is not leaked when the function fails after allocation.

(cherry picked from commit d7e1013741)
2026-03-16 10:50:22 +01:00
Ondřej Surý
109d100495
Fix TSIG key and transport leaks in zone_notify() error paths
Two 'goto next' paths in zone_notify() skipped detaching the TSIG
key and transport, leaking them on TLS configuration failure and
when the destination address is disabled.

(cherry picked from commit 1505cb1c24)
2026-03-16 10:50:22 +01:00
Michal Nowak
82991c7881
Use clang-format-22 to update formatting
(cherry picked from commit 239464f276)
2026-03-04 12:18:27 +01:00
Ondřej Surý
9213c42bc0
Don't retry notify over TCP if it could not successed
Prevent retrying the notify over TCP in case the source address is not
available or the source vs the destination address family mismatch or
when the destination address has been blackholed.  Properly log the
hard notify failures.

(cherry picked from commit 5a5bc6de22)
2026-02-20 10:50:19 +01:00
Aram Sargsyan
0ae305c952 Fix a bug in zone_loaddone()
The zone_loaddone() function disables database notifications for
a catalog zones and response policy zones (RPZ) when loading had
failed. Howerer, the 'result != ISC_R_SUCCESS' check is insufficient,
because the DNS_R_SEENINCLUDE result also indicates success.

Add a second condition for the "if" block.

(cherry picked from commit 31290eccb1)
2026-01-27 12:45:48 +00:00
Matthijs Mekking
1b3fb1b966 Refactor code that checks if records are seen
There are three places that do roughly the same. Refactor the code to
a helper function.

(cherry picked from commit ae151a7a76)
2025-12-22 15:31:43 +11:00
Matthijs Mekking
07a4d63fd9 Add NSEC for opt-out names
When switching from NSEC3 opt-out to NSEC, add NSEC records if we saw an
RR. This corrects a mistake in style cleanups done in commit
308ab1b4a5.

(cherry picked from commit 6f285bff6a)
2025-12-22 15:31:43 +11:00
Matthijs Mekking
d3e74983bb Nit fix removing a newline in the logs
(cherry picked from commit 780e8e8f1c)
2025-12-22 15:31:42 +11:00
Evan Hunt
25c9fb54da standardize CHECK and RETERR macros
previously, there were over 40 separate definitions of CHECK macros, of
which most used "goto cleanup", and the rest "goto failure" or "goto
out". there were another 10 definitions of RETERR, of which most were
identical to CHECK, but some simply returned a result code instead of
jumping to a cleanup label.

this has now been standardized throughout the code base: RETERR is for
returning an error code in the case of an error, and CHECK is for jumping
to a cleanup tag, which is now always called "cleanup". both macros are
defined in isc/util.h.

(cherry picked from commit 52bba5cc34)
2025-12-03 19:17:20 -08:00
Ondřej Surý
5cd69a3dcf
Detect resolution loops between fetches
Maintain the relationship between the parent and child fetch and when
creating a new child fetch, properly check the resolution loops that
would lead to a new fetch would join one of the parent's fetch contexts.

(cherry picked from commit 4d307ac67a)
2025-11-28 09:32:53 +01:00
Matthijs Mekking
34b5030336 Skip private records when syncing secure db
When synchronizing the secure database, we skip DNSSEC records that
BIND 9 maintains with inline-signing. We should also skip private
RDATA type records that are used to track the current state of a
zone-signing process.

(cherry picked from commit 6dcb9ce77f)
2025-11-24 13:23:48 +00:00
Aram Sargsyan
3a1922f464 Fix dnssec-keygen key collision checking for KEY rrtype keys
When generating a new key, dnssec-keygen checks for possible
key ID collisions with existing keys. The dnssec.c:findmatchingkeys()
function, which is supposed to get the list of the existing keys,
fails to do that for the existing KEY rrtype keys (i.e. generated
using 'dnssec-keygen -T KEY') because it doesn't pass down to the
dst_key_fromnamedfile() -> dst_key_read_public() functions the type
of the keys it's interested in. Fix the issue by introducing a new
function parameter which tells in which type of keys the caller is
currently interested in.

(cherry picked from commit 49b7ce9a54)
2025-10-22 12:55:41 +11:00
Matthijs Mekking
c2c6f60928 Minor refactor of dst code
Convert the defines to enums. Initialize the tags more explicitly and
less ugly.

(cherry picked from commit 4a0c829584)
2025-10-01 12:26:40 +00:00
Matthijs Mekking
bd13d0d2af Update the retire interval after full sign
After a full sign we no longer have to need to take the sign delay into
account. Update the timing checks in keymgr_transition_time to determine
the start of the interval: Either the last change, or if SigPublish/
SigDelete is set. The latter case indicates a full sign was done and
so we no longer have to take the sign delay into account.

(cherry picked from commit 489752eb1f)
2025-09-26 14:36:25 +02:00
Matthijs Mekking
76ecde48af Force full sign to generate new signatures
When introducing the kasp logic, a full sign of the zone did not
generate new signatures for the new active keys during a ZSK rollover.

The introduced kasp logic ensured that the rollover is performed
smoothly, as in the signatures are only replaced if the old signature
is close to expiring (depending on the signatures-refresh option).

Fix by maintaining a fullsign boolean value in the signing structure,
that will ensure the RRsets are signed with the correct key, rather
than a similar good key.

In case of a fullsign, we can also remove signatures from inactive
keys.

Remove the unused dns_zone_signwithkey function.

(cherry picked from commit 844bde0c70)
2025-09-26 14:18:57 +02:00
Matthijs Mekking
b022a05cad Detect if keymgr made changes
If so we also want to tickle the apex because DNSKEY/CDNSKEY/CDS
RRsets may need to be re-signed.

Note that this may be overzealous, because if state transitions
happen just because of timing events (RUMOURED -> OMNIPRESENT,
UNRETENTIVE -> HIDDEN) this would have to cause changes in the
zone DNSSEC records.

(cherry picked from commit a0dc0434e5)
2025-08-27 08:16:52 +00:00
Matthijs Mekking
c75cab3f96 Implement manual-mode for kasp
When a key retire, key generation/introduction, or a state transition
to RUMOURED/UNRETENTIVE should happen, instead they are logged.
When those logs look good, you can run 'rndc dnssec -step' to run the
keymgr and apply those steps.

(cherry picked from commit aa49850b5e)
2025-08-27 08:16:52 +00:00
Mark Andrews
77e6b07fae Digest type GOST is also deprecated
(cherry picked from commit 125a232bfb)
2025-07-16 01:42:17 +10:00
Mark Andrews
d03d58a10f Warn about deprecated DNSKEY and DS algorithms / digest types
DNSKEY algorithms RSASHA1 and RSASHA-NSEC3-SHA1 and DS digest type
SHA1 are deprecated.  Log when these are present in primary zone
files and when generating new DNSKEYs, DS and CDS records.

(cherry picked from commit cb6903c55e)
2025-07-16 01:39:58 +10:00
Mark Andrews
53738b0e5e Use clang-format-20 to update formatting
(cherry picked from commit 422b9118e8)
2025-06-25 13:32:08 +10:00
Matthijs Mekking
54a68a4a97 Fix spurious missing key files log messages
This happens because old key is purged by one zone view, then the other
is freaking out about it.

Keys that are unused or being purged should not be taken into account
when verifying key files are available.

The keyring is maintained per zone. So in one zone, a key in the
keyring is being purged. The corresponding key file is removed.

The key maintenance is done for the other zone view. The key in that
keyring is not yet set to purge, but its corresponding key file is
removed. This leads to "some keys are missing" log errors.

We should not check the purge variable at this point, but the
current time and purge-keys duration.

This commit fixes this erroneous logic.

(cherry picked from commit d494698852)
2025-06-19 11:42:04 +02:00
Aram Sargsyan
80a43c9241 Prepare a zone for shutting down when deleting it from a view
After b171cacf4f, a zone object can
remain in the memory for a while, until garbage collection is run.
Setting the DNS_ZONEFLG_EXITING flag should prevent the zone
maintenance function from running while it's in that state.
Otherwise, a secondary zone could initiate a zone transfer after
it had been deleted.

(cherry picked from commit 874ca5ca2f)
2025-05-28 18:30:45 +00:00
Aram Sargsyan
fa974811a9
Emit a ISC_R_CANCELED result instead of ISC_R_SHUTTINGDOWN
When request manager shuts down, it also shuts down all its ongoing
requests. Currently it calls their callback functions with a
ISC_R_SHUTTINGDOWN result code for the request. Since a request
manager can shutdown not only during named shutdown but also during
named reconfiguration, instead of sending ISC_R_SHUTTINGDOWN result
code send a ISC_R_CANCELED code to avoid confusion and errors with
the expectation that a ISC_R_SHUTTINGDOWN result code can only be
received during actual shutdown of named.

All the callback functions which are passed to either the
dns_request_create() or the dns_request_createraw() functions have
been analyzed to confirm that they can process both the
ISC_R_SHUTTINGDOWN and ISC_R_CANCELED result codes. Changes were
made where it was necessary.

(cherry picked from commit f4cd307c6b)
2025-05-28 19:18:19 +02:00
Aram Sargsyan
0d1251a2ec
Add a debug log in zone.c:refresh_callback()
The new debug message logs the request result in the SOA request
callback function.

(cherry picked from commit b07ec4f0b3)
2025-05-28 19:18:19 +02:00
Aram Sargsyan
7b46d898b6
Fix a zone refresh bug in zone.c:refresh_callback()
When the zone.c:refresh_callback() callback function is called during
a SOA request before a zone transfer, it can receive a
ISC_R_SHUTTINGDOWN result for the sent request when named is shutting
down, and in that case it just destroys the request and finishes the
ongoing transfer, without clearing the DNS_ZONEFLG_REFRESH flag of the
zone. This is alright when named is going to shutdown, but currently
the callback can get a ISC_R_SHUTTINGDOWN result also when named is
reconfigured during the ongoibg SOA request. In that case, leaving the
DNS_ZONEFLG_REFRESH flag set results in the zone never being able
to refresh again, because any new attempts will be caneled while
the flag is set. Clear the DNS_ZONEFLG_REFRESH flag on the 'exiting'
error path of the callback function.

(cherry picked from commit 228e441328)
2025-05-28 19:01:33 +02:00
Aram Sargsyan
a90e3b9e6f Implement a new 'notify-defer' configuration option
This new option sets the delay, in seconds, to wait before sending
a set of NOTIFY messages for a zone. Whenever a NOTIFY message is
ready to be sent, sending will be deferred for this duration.

(cherry picked from commit e42d6b4810)
2025-05-16 09:58:48 +00:00
Aram Sargsyan
53c9817b29 Delete the unused dns_zone_getnotifydelete() function
The function is unused, delete it.

(cherry picked from commit 62f66c0be0)
2025-05-15 13:29:13 +00:00
Evan Hunt
080299bf49 Don't check DNS_KEYFLAG_NOAUTH
All DNSKEY keys are able to authenticate. The DNS_KEYTYPE_NOAUTH
(and DNS_KEYTYPE_NOCONF) flags were defined for the KEY rdata type,
and are not applicable to DNSKEY.

Previously, because the DNSKEY implementation was built on top of
KEY, the NOAUTH flag prevented authentication in DNSKEYs as well.
This has been corrected.

(cherry picked from commit 5c21576f82)
2025-03-24 23:52:02 -07:00
Mark Andrews
0f0b143b35 Add missing locks when returning addresses
Add missing locks in dns_zone_getxfrsource4 et al. Addresses CID
468706, 468708, 468741, 468742, 468785 and 468778.

Cleanup dns_zone_setxfrsource4 et al to now return void.

Remove double copies with dns_zone_getprimaryaddr and dns_zone_getsourceaddr.

(cherry picked from commit d0a59277fb)
2025-03-15 06:07:55 +00:00
Aram Sargsyan
0561936272 Fix a bug in get_request_transport_type()
When dns_remote_done() is true, calling dns_remote_curraddr() asserts.
Add a dns_remote_curraddr() check before calling dns_remote_curraddr().

(cherry picked from commit 6cd9e4f67c)
2025-03-05 13:18:09 +00:00
Aram Sargsyan
079a4176bb Fix a bug in dns_zone_getprimaryaddr()
When all the addresses were already iterated over, the
dns_remote_curraddr() function asserts. So before calling it,
dns_zone_getprimaryaddr() now checks the address list using the
dns_remote_done() function. This also means that instead of
returning 'isc_sockaddr_t' it now returns 'isc_result_t' and
writes the primary's address into the provided pointer only when
returning success.

(cherry picked from commit 7293cb0612)
2025-03-03 12:23:23 +00:00
Aram Sargsyan
e6b14365ad Implement the min-transfer-rate-in configuration option
This new option sets a minimum amount of transfer rate for
an incoming zone transfer that will abort a transfer, which
for some network related reasons run very slowly.

(cherry picked from commit 91ea156203)
2025-02-20 11:05:09 +00:00
Artem Boldariev
7b0a5596d6 Fix wrong logging severity in do_nsfetch()
ISC_LOG_WARNING was used while ISC_LOG_DEBUG(3) was implied.

(cherry picked from commit fd3beaba2e)
2025-02-18 10:30:18 +02:00
Ondřej Surý
1ffb67a135 Split and simplify the use of EDE list implementation
Instead of mixing the dns_resolver and dns_validator units directly with
the EDE code, split-out the dns_ede functionality into own separate
compilation unit and hide the implementation details behind abstraction.

Additionally, the EDE codes are directly copied into the ns_client
buffers by passing the EDE context to dns_resolver_createfetch().

This makes the dns_ede implementation simpler to use, although sligtly
more complicated on the inside.

Co-authored-by: Colin Vidal <colin@isc.org>
Co-authored-by: Ondřej Surý <ondrej@isc.org>
(cherry picked from commit 2f8e0edf3b)
2025-01-30 12:37:55 +00:00
Aram Sargsyan
1c6a97055d Don't disable RPZ and CATZ for zones with an $INCLUDE statement
The code in zone_startload() disables RPZ and CATZ for a zone if
dns_master_loadfile() returns anything other than ISC_R_SUCCESS,
which makes sense, but it's an error because zone_startload() can
also return DNS_R_SEENINCLUDE upon success when the zone had an
$INCLUDE statement.

(cherry picked from commit 3d7a9fba3b)
2025-01-08 15:21:28 +00:00
Alessio Podda
1edf405add Optimize memory layout of core structs
Reduce memory footprint by:

 - Reordering struct fields to minimize padding.
 - Using exact-sized atomic types instead of *_least/*_fast variants
 - Downsizing integer fields where possible

Affected structs:

 - dns_name_t
 - dns_slabheader_t
 - dns_rdata_t
 - qpcnode_t
 - qpznode_t

(cherry picked from commit 32c7060bd2)
2024-12-09 09:04:28 +01:00
Ondřej Surý
81d661ffc0
Revert "Attach dnssecsignstats, rcvquerystats, and requeststats"
This reverts commit fb50a71159.

(cherry picked from commit 7a99d1baf8)
2024-12-08 12:03:12 +01:00
Matthijs Mekking
492f79560d Implement global limit for outgoing queries
This global limit is not reset on query restarts and is a hard limit
for any client request.

(cherry picked from commit 16b3bd1cc7)
2024-12-06 06:20:33 +00:00
Mark Andrews
bcf3f8b44d Attach dnssecsignstats, rcvquerystats, and requeststats
In dns_zone_getdnssecsignstats, dns_zone_getrcvquerystats and
dns_zone_getrequeststats attach to the statistics structure.

(cherry picked from commit fb50a71159)
2024-12-06 16:45:52 +11:00