Previously, when the additional section of a response was being
populated, if cached data was found with pending trust, it would be
opportunistically validated. The code implementing this validation was
not quite formally correct; rather than fixing it, the code has been
removed; RRsets with pending trust are now omitted from responses.
Fixes: isc-projects/bind9#5966Fixes: isc-projects/bind9#5968Fixes: isc-projects/bind9#5972
(cherry picked from commit 7ec85b4bd2)
The code printing query statistics was ignoring the zone-statistics
option. This has been fixed.
Closes#6164
Backport of MR !12262
Merge branch 'backport-6164-no-per-zone-glue-stats-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12263
We no longer want to encourage people to open new issues via email because we are getting too many spammy reports generated by LLM. By requiring people actually login to Gitlab to make their report, they will (hopefully) see our reporting template, and think at least a little bit about whether they are making a well-considered, valid report.
Backport of MR !12248
Merge branch 'backport-vicky-main-patch-01884-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12254
isc__nm_http_request()'s error path reloaded sock->h2->connect.cstream after client_send() had already detached and freed it on a submit failure, dereferencing NULL. The helper is only used by the DoH unit tests. Guard the cleanup path against the detached stream.
Closes#6160
Backport of MR !12247
Merge branch 'backport-6160-fix-latent-NULL-dereference-in-http2-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12249
On a submit failure, client_send() nullifies sock->h2->connect.cstream
and frees the stream before returning the error. The error: label in
isc__nm_http_request() reloaded that pointer and dereferenced it
unconditionally, reading through a NULL stream. The function is only
used by the DoH unit tests -- production DoH client send goes through
isc__nm_http_send()/client_httpsend(), whose submit failure is reported
via the NULL-safe send callback -- so this is a latent defect in the
test helper rather than a reachable named crash.
Skip the read callback when the stream has already been detached and
let the caller report the failure from the error result it receives.
Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7df91b7634)
It was possible to use a maliciously crafted authoritative
zone to make :iscman:`named` resolver synthesize a ``DNAME``
"alias" that should have been rejected by the configured
:any:`deny-answer-aliases` option. This has been fixed.
Closes#5930
Backport of MR !12044
Merge branch 'backport-5930-deny-answer-aliases-and-cached-dname-buf-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12245
When using a cached DNAME to resolve a name, make sure to consult
the denied answers lists, otherwise it is possible to consutruct
a restricted alias by caching a DNAME that is a parent of the
denied alias. See the comments in the tests case from the previous
commit an example.
(cherry picked from commit 45c1d760a8)
This new check exercises an attack against guarantees given by the
'deny-answer-aliases' configuration option by caching a DNAME
that is a parent of the restricted alias, and then "constructing"
the restricted alias from the cache.
(cherry picked from commit 1645b09341)
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers. Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.
Assisted-by: Claude:claude-fable-5
Backport of MR !12241
Merge branch 'backport-nicki/pytest-ans-instance-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12250
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers. Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.
Assisted-by: Claude:claude-fable-5
(cherry picked from commit f6a0c1fd63)
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.
Assisted-by: Claude:claude-fable-5
Backport of MR !12234
Merge branch 'backport-nicki/systest-cookbook-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12239
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.
Assisted-by: Claude:claude-fable-5
(cherry picked from commit e1cd8e5cfa)
BIND failed to build with OpenSSL 1.0.2u. Add the missing header
file includes.
Merge branch 'aram/openssl-1.0.2-compat-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!11897
The :iscman:`named` process, running as secondary DNS server,
configured to transfer a zone from a primary server using an
encrypted XoT transport in opportunistic TLS mode (i.e. without
peer certificate/hostname validation) could terminate unexpectedly
when the TLS ALPN negotiation with primary server was unsuccessful.
This has been fixed.
Closes#5957
Backport of MR !12081
Merge branch 'backport-5957-xot-xfrin_connect_done-bug-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12242
When the connect callback's result is ISC_R_SUCCESS and the callback
changes the result because of some condition, the 'xfr' should not
be detached, because it now belongs to the receive callback.
Detach the reference only if the callback's result is non-success.
(cherry picked from commit fb27599b58)
Configure a zone transfer using XoT (with opportunistic TLS) from
a non-DoT port, which does not provide ALPN "dot" (in this case
it will try to connect to a DoH port). This is expected to fail,
but the client should handle the error gracefully and not to crash.
(cherry picked from commit 6e0d998ff6)
`CONTRIBUTING.md` documents several rules around how AI coding assistants should (and should not) be attributed in commit messages. Teach `dangerfile.py` to enforce them so that violations are caught at MR time.
Backport of MR !11969
Merge branch 'backport-mnowak/danger-ai-trailer-checks-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12238
CONTRIBUTING.md documents the Assisted-by trailer format as
Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]
and excludes basic development tools (git, compilers, meson,
ninja, editors, clang-format, black, ruff) from the optional
tool list.
Walk every `Assisted-by:` line in each commit message and emit a
`warn()` when:
- the line does not match the documented `AGENT:VERSION` shape;
- the optional tool list contains basic-tool names.
The basic-tool list extends the CONTRIBUTING.md examples with
other formatters, generic linters, and build/test runners
commonly invoked from `.gitlab-ci.yml`. Specialized analysis
tools (coccinelle, clang-tidy, AFL, Coverity, cppcheck,
valgrind, sanitizers) are intentionally absent so they remain
allowed in the trailer.
Use `warn()` rather than `fail()` because the format is
human-written and overly strict matching would produce false
positives on edge cases.
Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 2cac546d08)
CONTRIBUTING.md states that AI agents must not add Signed-off-by
tags, since only humans can legally certify the Developer
Certificate of Origin. Mirror the existing LLM Co-Authored-By
check against the Signed-off-by trailer line so danger fails on
commits that violate the rule.
The shared alternation of known LLM agent names is factored out
into LLM_AGENT_NAMES_RE so adding a new tool only requires one
edit.
Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 65d082277d)
CONTRIBUTING.md states that AI agents must not be listed as
co-authors and that contributors should use the `Assisted-by:`
trailer instead. Teach `dangerfile.py` to fail merge requests
whose commit messages include a `Co-Authored-By:` trailer naming
a known LLM (Claude, Codex, Mistral, Copilot, Gemini, Cursor,
Devin, Aider, Sourcegraph, CodeWhisperer).
For any other `Co-Authored-By:` trailer, emit an info-level
`message()` that includes the full trailer line so reviewers can
confirm the named co-author is a human contributor and not an
unrecognised AI tool.
Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit f5e9dd3dd6)
When using GeoIP2 ACLs (see :any:`acl`), :iscman:`named` could
incorrectly match a name using a sub-string instead of the full
name match. This has been fixed.
Closes#6019
Backport of MR !12092
Merge branch 'backport-6019-geoip2-string-match-buf-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12235
The geoip2.c:match_string() function can incorrectly return 'true'
when matching strings of different lengths (i.e. it matches a
substring). Return 'false' when the lengths of the matched strings
are different.
(cherry picked from commit 8448136b16)
Check that an ACL can't be matched by a substring in the
GeoIP database, instead of the full string comparision.
(cherry picked from commit bdf4ab9280)
When a Dynamic Update is received that removes the ``DNSKEY`` (or ``CDNSKEY``,
or ``CDS``) RRset, remove all records except the ones that are in use
for signing for the zone.
Closes#6045
Backport of MR !12166
Merge branch 'backport-6045-dns-update-delete-in-use-dnskey-any-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12230
When a Dynamic Update is received that removes the DNSKEY (or CDNSKEY,
or CDS) RRset, remove all records except the ones that are in use
for signing for the zone (with dnssec-policy).
(cherry picked from commit 97b9c9c823)
The README predated most of the pytest runner features. Document
building BIND along with the test-only binaries, refresh the stale -T
flag list, and describe the jinja2 templating, bootstrap(), the
conftest fixtures, and the pytest marks; recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.
Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.
Related #3810
Assisted-by: Claude:claude-fable-5
Backport of MR !12232
Merge branch 'backport-nicki/systest-readme-refresh-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12233
The README predated most of the pytest runner features. Document
building BIND along with the test-only binaries, refresh the stale -T
flag list, and describe the jinja2 templating, bootstrap(), the
conftest fixtures, and the pytest marks; recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.
Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.
Related #3810
Assisted-by: Claude:claude-fable-5
(cherry picked from commit abd37e03d6)
The :any:`http-listener-clients` and :any:`http-streams-per-connection`
configuration options could be truncated to smaller values (or to ``0``,
which means unlimited) when very big configuration values were used, which
exceeded ``65535``. As a note - it is very unlikely that such big values
are used in production, and the default values for the affected options
are ``300`` and ``100``, correspondingly. This has been fixed.
Closes#6021
Backport of MR !12085
Merge branch 'backport-6021-doh-quota-type-truncation-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12231
The 'named_g_http_listener_clients' and 'named_g_http_streams_per_conn'
global variables are defined as 'in_port_t', which is usually 16 bits,
but both the readers and the writers of those variables use 'uint32_t'
as the target/source, which can result in truncation.
Use correct types.
(cherry picked from commit 281660ecc1)
Doubling system-test parallelism and removing the `@pytest.mark.flaky` markers exposed a set of timing-sensitive failures across CI. This branch keeps only the fixes for failures that are test-robustness bugs. Other - frequent - failures often guarded by `@pytest.mark.flaky` have their separate MRs already.
Backport of MR !12171
Merge branch 'backport-mnowak/system-test-stability-fixes-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!12227
While a response-policy zone is being (re)loaded it can briefly answer
with no SOA (SERVFAIL/REFUSED), which `dig +short` renders as empty
output. get_sn() aborted the whole tests.sh on the first such miss.
Keep probing for up to ten seconds instead of failing on a single
transient miss.
Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit bb4afd1332)
The shutting-down and success transfers can exceed 30s on slow
instrumented builds.
Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 842a0fa289)