Commit graph

45135 commits

Author SHA1 Message Date
Ondřej Surý
8e240bbb5f Fix isc_buffer_init capacity mismatch in DoH data chunk callback
isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated.  This makes the buffer
believe it has more space than actually allocated.  A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.

Pass h2->content_length as the capacity to match the allocation.
2026-03-18 11:39:01 +01:00
Ondřej Surý
929eccdfdc rem: usr: Remove NZF file support in favor of NZD (New Zone Database)
The NZF (New Zone File) backend for storing rndc addzone configurations
has been removed; LMDB-based NZD is now the only storage backend and
LMDB is now a required build dependency.

Existing NZF files are automatically migrated to NZD on startup, so no manual
intervention is required when upgrading.

Merge branch 'ondrej/drop-nzf-support' into 'main'

See merge request isc-projects/bind9!11688
2026-03-18 11:37:31 +01:00
Matthijs Mekking
46e98295bb
Remove LDMB checks from system tests
Now that LMDB is required, there is no need to check if the feature is
enabled in the system tests.
2026-03-18 11:02:33 +01:00
Matthijs Mekking
81dca80877
Update documentation now that LMDB is required
Remove references to viewname.nzf, and no longer use "if LMDB is used".
2026-03-18 11:02:33 +01:00
Ondřej Surý
8ae0828e15
Split NZD functions into a separate compilation unit
Move all LMDB-based new zone database functions from server.c into
nzd.c to reduce the size of server.c and isolate the NZD/LMDB
interface. Rename load_nzf() to nzd_load_nzf() to match the nzd_
namespace.
2026-03-18 11:02:33 +01:00
Ondřej Surý
f203f6e77a
Remove dead NZF writer parameter and simplify newzone locking
Now that NZF write support is gone, remove the unused nzfwriter_t
typedef and nzfwriter parameter from delete_zoneconf().  Remove the
bool locked parameter and simplify the locking in do_modzone() and
rmzone() to unconditional lock/unlock pairs.
2026-03-18 11:02:33 +01:00
Ondřej Surý
7f8b972a3d
Remove NZF support, make LMDB required for new zone storage
Drop the NZF (New Zone File) fallback for persisting runtime zone
configurations, making LMDB (NZD) the only storage backend. This
removes all #ifdef HAVE_LMDB conditionals, the meson 'lmdb' option,
and the NZF-related functions. LMDB is now a mandatory build
dependency.

The named-nzd2nzf tool is now always built.
2026-03-18 11:02:33 +01:00
Ondřej Surý
97e78c6bf4 fix: usr: Fix potential resource during resolver error handling
Under specific error conditions during query processing, resources were not
being properly released, which could eventually lead to unnecessary memory
consumption for the server.  The a potential resource leak in the resolver
has been fixed.

Merge branch 'ondrej/fix-pthread-primitives-usage' into 'main'

See merge request isc-projects/bind9!11658
2026-03-17 16:40:29 +01:00
Ondřej Surý
5dc19a7d92 Add missing isc_rwlock_destroy() for keylist_lock in dnssec-signzone
The keylist_lock rwlock is initialized at startup but never destroyed
on exit, unlike the sibling namelock mutex which is properly cleaned up.
2026-03-17 16:05:11 +01:00
Ondřej Surý
5b1750f15f Fix missing mutex destroy and ede invalidate on fctx_create() error paths
The error cleanup in fctx_create() was missing isc_mutex_destroy() and
dns_ede_invalidate() calls. When error paths (cleanup_nameservers,
cleanup_fcount, cleanup_qmessage, cleanup_adb) were taken after the
mutex and edectx were initialized, the fctx memory was freed without
properly destroying these resources first.
2026-03-17 16:05:11 +01:00
Ondřej Surý
96a22451d7 Fix rwlock type mismatch in delete_ds() error path
The lock is acquired for reading but the error path from
dns_rdata_fromstruct() incorrectly unlocks it as a write lock.
2026-03-17 16:05:11 +01:00
Mark Andrews
106416eb38 fix: dev: Clear errno correctly
Zero errno before calling strtol.

Closes #5773

Merge branch '5773-clear-errno-correctly' into 'main'

See merge request isc-projects/bind9!11625
2026-03-17 11:27:38 +11:00
Mark Andrews
d3ffa1f007 Clear errno before calling strtol
The previous code was incorrectly clearing errno after calling
strtol but before testing the result rather than clearing it and
then calling strtol so that changes to errno can be correctly
determined.
2026-03-17 10:51:37 +11:00
Matthijs Mekking
5932af66c8 fix: nil: Fast fail a validator deadlock
Fail with a specific error code if we detect a deadlock in the validator.

Closes #5769

Merge branch '5769-deadlock-validator' into 'main'

See merge request isc-projects/bind9!11622
2026-03-16 16:46:56 +00:00
Matthijs Mekking
bc1d177cc2 Fast fail a validator deadlock
We return DNS_R_NOVALIDSIG if we detected a deadlock. Then in
'validate_async_done()', this result value is used to check if we
need to fall back to insecure. As part of that we create a new fetch
but that fails because of the detected deadlock. This results in a loop
of deadlock detected, fallback to insecure, deadlock detected, ...

Add a new result value, ISC_R_DEADLOCK, and return this instead when
we have detected a deadlock. This will be treated as a generic error,
as there is no special handling for this result value.
2026-03-16 16:46:51 +00:00
Matthijs Mekking
e0211a727b fix: doc: Fix keytag typos in DNSSEC guide
The key identifiers in the comments did not match those in the
output.

Closes #5785

Merge branch '5785-dnssec-guide-patch' into 'main'

See merge request isc-projects/bind9!11634
2026-03-16 16:11:39 +00:00
Ethan Meng
a2b36d4bcb Fix keytag typos in DNSSEC guide
The key identifiers in the comments did not match those in the
output.
2026-03-16 16:10:45 +00:00
Matthijs Mekking
48de26538c fix: usr: Fix a crash triggered by rndc modzone on zone from configuration file
Calling `rndc modzone` on a zone that was configured in the configuration file caused a crash. This has been fixed.

ISC would like to thank Nathan Reilly for reporting this.

Closes #5800

Merge branch '5800-rndc-modzone-non-dynamic-zone-crash' into 'main'

See merge request isc-projects/bind9!11683
2026-03-16 14:58:25 +00:00
Matthijs Mekking
780872e07e Don't call dns_zone_setadded() on modify
If we are modifiying the zone, the zone must have been added before.
Don't overwrite this value on modifications.

Also it feels cleaner to pass added=false to configure_zone() in
do_modzone().
2026-03-16 15:18:39 +01:00
Matthijs Mekking
71587b0816 Only lock view->newzone.lock if not already locked
Some code paths try to lock an already locked view->newzone.lock.

For example, do_modzone() aqcuires the lock and then calls
delete_zoneconf(), that wants to acquire the same lock.

Add a parameter to delete_zoneconf() that informs the function if the
lock has already been acquired.
2026-03-16 15:18:39 +01:00
Matthijs Mekking
900127c460 Test showzone and modzone on configured zone
Add test cases for 'rndc showzone' and 'rndc modzone' on a zone
that was configured in named.conf. This should not crash.
2026-03-16 15:18:39 +01:00
Ondřej Surý
afe1dc5da0 chg: nil: Cleanup the duplicate logic and comments around add into NSEC tree
After merging the NORMAL, NSEC and NSEC3 tree into single QP tree, there were some comments still speaking about auxiliary NSEC tree. These were cleaned up and the logic when we pass the qp tree (write transaction) to qpzone_addrdataset_inner() was changed to be more obvious that this is needed only when we are adding NSEC records.

Merge branch 'ondrej/additional-cleanups-around-NSEC-namespace' into 'main'

See merge request isc-projects/bind9!11695
2026-03-16 12:17:16 +01:00
Ondřej Surý
6e286beaa6 Cleanup weird syntax defining struct dns_ixfr
The struct dns_ixfr was defined as part of struct dns_xfrin, probably
because at some point it was an anonymous struct and then it was changed
to named struct with typedef at the top.  Move the definition from
struct dns_xfrin into and fold into the typedef ... dns_ixfr_t.
2026-03-16 12:17:06 +01:00
Ondřej Surý
f4b4f030c4 Cleanup the duplicate logic and comments around add into NSEC tree
After merging the NORMAL, NSEC and NSEC3 tree into single QP tree, there
were some comments still speaking about auxiliary NSEC tree.  These were
cleaned up and the logic when we pass the qp tree (write transaction) to
qpzone_addrdataset_inner() was changed to be more obvious that this is
needed only when we are adding NSEC records.
2026-03-16 12:17:06 +01:00
Colin Vidal
ac29faea16 chg: dev: Exclude named.args.j2 and system test README files from license header checks
Exclude named.args.j2 files from license header checks so named.args can
be generated from Jinja templates. Also exclude system test README files
from the license header checks.

Merge branch 'colin/reuse-namedargs' into 'main'

See merge request isc-projects/bind9!11690
2026-03-16 11:36:25 +01:00
Colin Vidal
c77c499254 Excluse system test README files from license header checks
Exclude README* files in system test directories from license header
checks.
2026-03-16 11:28:36 +01:00
Colin Vidal
63290c9e4e Exclude named.args.j2 files from license header checks
Exclude named.args.j2 files from license header checks so named.args can
be generated from Jinja templates.
2026-03-16 11:28:36 +01:00
Ondřej Surý
3df0f7fb9c fix: dev: Fix use-after-free in xfrin_recv_done
Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.

Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object.  Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference.  Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.

Closes #5786

Merge branch '5786-fix-dtrace-after-free' into 'main'

See merge request isc-projects/bind9!11632
2026-03-16 11:06:28 +01:00
Ondřej Surý
e57245ee81
Fix use-after-free in xfrin_recv_done
Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.

Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object.  Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference.  Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.
2026-03-16 11:06:06 +01:00
Arаm Sаrgsyаn
247a2df572 fix: dev: Fix OpenSSL 4 compatibility issue when calling X509_get_subject_name()
Starting from OpenSSL 4 the the X509_get_subject_name() function
returns a 'const' pointer to a name instead of a regular pointer.
Duplicate the name before operating on it, then free it.

Closes #5807

Merge branch '5807-openssl-4-X509_get_subject_name-compat-fix' into 'main'

See merge request isc-projects/bind9!11676
2026-03-16 10:01:32 +00:00
Aram Sargsyan
336c523b79 OpenSSL 4 compatibility fix
Starting from OpenSSL 4 the the X509_get_subject_name() function
returns a 'const' pointer to a name instead of a regular pointer.
Duplicate the name before operating on it, then free it.
2026-03-16 10:01:18 +00:00
Ondřej Surý
6a94864c62 fix: dev: Fix couple of reference counting bugs
Fix missing detach/free on error paths.

Merge branch 'ondrej/fix-reference-counting-errors' into 'main'

See merge request isc-projects/bind9!11666
2026-03-16 10:48:13 +01:00
Ondřej Surý
df1993611b
Fix KASP key leaks on keystore lookup failure
In both cfg_kasp_fromconfig() and cfg_kasp_builtinconfig(), the
newly allocated KASP key was not destroyed when the keystore
lookup failed.
2026-03-14 13:58:32 +01:00
Ondřej Surý
2ab3d7c075
Fix missing server socket detach in TLS accept error path
When TLS creation fails in tlslisten_acceptcb(), tlssock->server
was not detached before detaching tlssock itself.
2026-03-14 13:58:32 +01:00
Ondřej Surý
63d3c1f58a
Simplify checkds_create() to return void
Since memory allocation never fails in BIND 9, checkds_create() cannot
fail.  Change it to return void and use designated initializers,
removing error handling at all call sites.
2026-03-14 13:58:26 +01:00
Ondřej Surý
d7e1013741
Fix cb_args memory leak in ns_query() error path
Initialize cb_args to NULL and free it in the cleanup path so it
is not leaked when the function fails after allocation.
2026-03-14 13:48:08 +01:00
Ondřej Surý
1505cb1c24
Fix TSIG key and transport leaks in zone_notify() error paths
Two 'goto next' paths in zone_notify() skipped detaching the TSIG
key and transport, leaking them on TLS configuration failure and
when the destination address is disabled.
2026-03-14 13:48:08 +01:00
Ondřej Surý
80fae7a4b7
Fix memory leak in ixfr_commit() error path
The 'data' allocation was not freed when reaching the cleanup
label with an error result.
2026-03-14 13:48:08 +01:00
Ondřej Surý
d0165070c7
Fix memory context leak in dns_client_resolve() error path
Use isc_mem_putanddetach() instead of isc_mem_put() to properly
detach the attached memory context stored in resarg->mctx.
2026-03-14 13:47:48 +01:00
Ondřej Surý
5c8d64499e fix: usr: Fix a possible deadlock in RPZ processing
The :iscman:`named` process could hang when processing a
maliciously crafted update for a response policy zone (RPZ).
This has been fixed.

Closes #5775

Merge branch '5775-rpz-del_name-deadlock-fix' into 'main'

See merge request isc-projects/bind9!11659
2026-03-14 13:43:13 +01:00
Aram Sargsyan
4df5b9ac32
Fix a bug in rpz.c:del_name()
When the dns_qp_getname() call returns an error the del_name() function
just returns without cleaning up the trasnaction.

Instead of returning, jump to a new label 'done:' similar to the code
written in the add_nm() function.
2026-03-14 13:01:55 +01:00
Ondřej Surý
40aa5cfe2c chg: nil: Fix INSIST copy-paste error checking RADIX_V4 instead of RADIX_V6
The INSIST in isc_radix_insert() checks node->data[RADIX_V4] and
node->node_num[RADIX_V4] twice due to a copy-paste error, never
verifying the RADIX_V6 fields.

Fix the second pair to check RADIX_V6.

Merge branch 'ondrej/fix-copy-paste-error-checking-RADIX_V4-instead-of-RADIX_V6' into 'main'

See merge request isc-projects/bind9!11664
2026-03-14 11:42:56 +01:00
Ondřej Surý
3f15f2d9e5
Fix INSIST copy-paste error checking RADIX_V4 instead of RADIX_V6
The INSIST in isc_radix_insert() checks node->data[RADIX_V4] and
node->node_num[RADIX_V4] twice due to a copy-paste error, never
verifying the RADIX_V6 fields.

Fix the second pair to check RADIX_V6.
2026-03-14 11:03:31 +01:00
Ondřej Surý
38d0bbd0b8 fix: dev: Fix port validation rejecting valid port 65535
Three port validation checks use >= UINT16_MAX instead of > UINT16_MAX,
incorrectly rejecting port 65535 as out of range.  Port 65535 is a valid
TCP/UDP port number.  Other port checks in the same file already use the
correct > comparison.

Merge branch 'ondrej/fix-port-validation-rejecting-valid-port-65535' into 'main'

See merge request isc-projects/bind9!11665
2026-03-14 11:02:10 +01:00
Ondřej Surý
66ce33603b
Fix port validation rejecting valid port 65535
A few port validation checks use >= UINT16_MAX instead of > UINT16_MAX,
incorrectly rejecting port 65535 as out of range.  Port 65535 is a valid
TCP/UDP port number.  Other port checks in the same file already use the
correct > comparison.
2026-03-14 10:11:55 +01:00
Ondřej Surý
29790af335 fix: dev: Fix memory leak in dns_catz_options_setdefault() for zonedir
When defaults->zonedir is set, opts->zonedir is unconditionally
overwritten without freeing the previous value. This leaks memory
on every catalog zone update when zonedir defaults are configured.

Free the existing opts->zonedir before replacing it.

Merge branch 'ondrej/fix-memory-leak-in-dns_catz_options_setdefault' into 'main'

See merge request isc-projects/bind9!11660
2026-03-14 10:10:37 +01:00
Ondřej Surý
5cd17c8adc
Fix memory leak in dns_catz_options_setdefault() for zonedir
When defaults->zonedir is set, opts->zonedir is unconditionally
overwritten without freeing the previous value. This leaks memory
on every catalog zone update when zonedir defaults are configured.

Free the existing opts->zonedir before replacing it.
2026-03-14 07:57:00 +01:00
Ondřej Surý
da6a85dc63 fix: usr: Fix intermittent named crashes during asynchronous zone operations
Asynchronous zone loading and dumping operations occasionally dispatched tasks
to the wrong internal event loop. This threading violation triggered internal
safety assertions that abruptly terminated named. Strict loop affinity is now
enforced for these tasks, ensuring they execute on their designated threads
and preventing the crashes.

Closes #4882

Merge branch '4882-run-rndc-zone-commands-on-correct-loop' into 'main'

See merge request isc-projects/bind9!11655
2026-03-14 07:45:57 +01:00
Ondřej Surý
e7c550730a
Dispatch async work jobs from the correct loop
Refactor dns_loadctx_t and dns_dumpctx_t to use standard
ISC_REFCOUNT_DECL and ISC_REFCOUNT_IMPL macros, retiring the
redundant manual attach and detach implementations.

Introduce dns_loadctx_enqueue() and dns_dumpctx_enqueue() to
ensure compliance with the new strict loop affinity in
isc_work_enqueue(). If the current loop does not match the
target loop, the enqueue operation is safely bounced to the
correct thread via isc_async_run().
2026-03-14 06:32:54 +01:00
Ondřej Surý
f1311d2d19
Enforce isc_work enqueue loop affinity
Add a REQUIRE(isc_loop() == loop) assertion to isc_work_enqueue()
to strictly enforce that work is enqueued from the loop it is
assigned to. This loudly prohibits cross-thread queue manipulation
before it inevitably turns into a concurrency debugging nightmare.
2026-03-14 06:32:50 +01:00