Commit graph

15999 commits

Author SHA1 Message Date
Evan Hunt
6ab9b77f93 Remove the secondary validator in query.c
Previously, when the additional section of a response was being
populated, if cached data was found with pending trust, it would be
opportunistically validated. The code implementing this validation was
not quite formally correct; rather than fixing it, the code has been
removed; RRsets with pending trust are now omitted from responses.

Fixes: isc-projects/bind9#5966
Fixes: isc-projects/bind9#5968
Fixes: isc-projects/bind9#5972

(cherry picked from commit 7ec85b4bd2)
2026-06-17 18:59:47 +00:00
Nicki Křížek (GitLab job 7567435)
5feb254436 Merge tag 'v9.20.24' into bind-9.20 2026-06-17 13:49:58 +00:00
Ondřej Surý
72255dfc36 Guard against a detached stream in isc__nm_http_request() error path
On a submit failure, client_send() nullifies sock->h2->connect.cstream
and frees the stream before returning the error. The error: label in
isc__nm_http_request() reloaded that pointer and dereferenced it
unconditionally, reading through a NULL stream. The function is only
used by the DoH unit tests -- production DoH client send goes through
isc__nm_http_send()/client_httpsend(), whose submit failure is reported
via the NULL-safe send callback -- so this is a latent defect in the
test helper rather than a reachable named crash.

Skip the read callback when the stream has already been detached and
let the caller report the failure from the error result it receives.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7df91b7634)
2026-06-16 15:20:56 +02:00
Aram Sargsyan
6d209d9bd0 Fix a 'deny-answer-aliases' bug when using a cached DNAME
When using a cached DNAME to resolve a name, make sure to consult
the denied answers lists, otherwise it is possible to consutruct
a restricted alias by caching a DNAME that is a parent of the
denied alias. See the comments in the tests case from the previous
commit an example.

(cherry picked from commit 45c1d760a8)
2026-06-16 09:40:32 +00:00
Aram Sargsyan
0f7aa44e87 Fix compatibility with OpenSSL 1.0.2u
BIND failed to build with OpenSSL 1.0.2u. Add the missing header
file includes.
2026-06-12 23:05:13 +00:00
Aram Sargsyan
5f28dfbb64 Fix a bug in xfrin.c:xfrin_connect_done()
When the connect callback's result is ISC_R_SUCCESS and the callback
changes the result because of some condition, the 'xfr' should not
be detached, because it now belongs to the receive callback.

Detach the reference only if the callback's result is non-success.

(cherry picked from commit fb27599b58)
2026-06-12 15:37:29 +00:00
Aram Sargsyan
faccdd5479 Fix 'geoip' ACL matching bug
The geoip2.c:match_string() function can incorrectly return 'true'
when matching strings of different lengths (i.e. it matches a
substring). Return 'false' when the lengths of the matched strings
are different.

(cherry picked from commit 8448136b16)
2026-06-11 16:15:45 +00:00
Matthijs Mekking
09990f45b7 ISC_ATTR_UNUSED in favor of UNUSED()
(cherry picked from commit 008ad8ade2)
2026-06-11 14:42:41 +00:00
Matthijs Mekking
75c6db2388 Keep our key on update removing DNSKEY RRset
When a Dynamic Update is received that removes the DNSKEY (or CDNSKEY,
or CDS) RRset, remove all records except the ones that are in use
for signing for the zone (with dnssec-policy).

(cherry picked from commit 97b9c9c823)
2026-06-11 14:42:41 +00:00
Ondřej Surý
78a7f7da4f
Enforce strict RSA DNSKEY shape during DNSSEC validation
A resolver that validated DNSSEC accepted RSA DNSKEYs of any modulus
size up to OpenSSL's compile-time ceiling, and accepted any public
exponent the wire format could carry.  RSA verification cost grows
sharply with the modulus length, so an authoritative server could
publish an oversized DNSKEY to make each signature check on the
resolver many times more expensive than for a normally sized key.

The intended verify-time cap had no effect because the helper it called
returned the public-exponent bit length rather than the modulus bit
length, so the test was always satisfied.  Replace it with an honest
modulus-range check and a stricter exponent check that accepts only odd
exponents in the closed range [3, 2^32 + 1] (covering every Fermat
prime up to F5 and the odd intermediate values seen in deployed keys),
reject anything outside those bounds at every RSA key load path so an
invalid key never reaches the verifier, and keep the same checks at the
verifier as a backstop against future load paths.

(cherry picked from commit 8b2c490811)
2026-06-08 20:54:22 +02:00
Ondřej Surý
14641573da Use sequentially consistent ordering in the adaptive rwlock handshake
The adaptive isc_rwlock (the modified C-RW-WP variant) synchronizes a
reader against a writer through a store-buffer handshake across two
independent atomic objects: the reader publishes its arrival in
readers_ingress and then reads writers_lock, while the writer publishes
its lock in writers_lock and then reads the reader indicator. With the
acquire/release ordering introduced by the 2021 simplification, neither
side is forced to observe the other's publish store before its own check
load, so on weak-memory targets a reader could see writers_lock unlocked
while the writer sees the indicator empty, and both would enter their
critical sections at once.

Restore the sequentially consistent ordering the original algorithm
specifies on the handshake atomics. The single total order over the
seq_cst operations is what forbids the overlap; targeting individual
fences is both more fragile and, on x86, more expensive. On x86 this
ordering is free (seq_cst loads remain plain loads and the RMWs remain
lock-prefixed); the added cost falls only on the weak-memory targets that
actually need it.

(cherry picked from commit b11bf7a45e)
2026-06-08 15:56:13 +00:00
Michal Nowak
62b971a1d6 Preserve the request buffer across async SIG(0) processing
For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send().  That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).

When the request is offloaded (ns_client_setup_view() returns
DNS_R_WAIT) and dnstap is enabled, copy the request buffer and point
client->inner.buffer at the copy so it survives the asynchronous hop;
free it in ns__client_reset_cb().  When dnstap is disabled there is no
async consumer of the buffer, so detach it from the receive buffer
instead.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit ddfe8a1bdc)
2026-06-08 13:13:27 +00:00
Alessio Podda
a9ba0515b7 Fix DNS64 owner case after DNAME restart
When DNS64 filters a partially excluded AAAA RRset after a DNAME
restart, dns_message_findname() can return an existing message-owned
owner name while qctx->fname is released on the NXRRSET path.

Set owner case from the message-owned name used for attaching the
filtered rdataset, avoiding a stale alias to the released temporary
name.

(cherry picked from commit ade6cdf477)
2026-06-08 10:12:18 +02:00
Evan Hunt
849aaacaae Add "warn_unused_result" to attributes.h
A new ISC_ATTR_WARN_UNUSED_RESULT macro now defines
__attribute__((warn_unused_result)) and is used for
dns_rdata_fromstruct().

(cherry picked from commit 07c8c1d242)
2026-06-04 09:49:41 -07:00
Evan Hunt
65a3694f2a Check dns_rdata_fromstruct() return values
The in some functions implementing RFC 5011 key maintenance, the
results of dns_rdata_fromstruct() were not checked. This has been
fixed.

(cherry picked from commit 175d418e28)
2026-06-04 09:46:58 -07:00
Ondřej Surý
1846bbbc31
Only update the global tid_count once
Normally, the tid_count is initialized only once at the beginning of the
application.  The only exception is the pattern in the unit test where
isc_loopmgr is repeatedly created and torn down and each creation of
isc_loopmgr_t calls isc__tid_initcount() with the previous value.

ThreadSanitizer sees that as write operation on unprotected memory are
reports this as data race even though the value has not really changed.

This has been fixed by skipping the tid_count value update on repeated
calls.

(cherry picked from commit a570e37c06)
2026-06-04 12:50:57 +02:00
Ondřej Surý
c3f14d568c Skip DNS64 synthesis when answering a redirected response
redirect2() swaps qctx->db to the redirect zone before
query_nodata() runs. The DNS64 fallback there issues an A lookup
for the original query name, which is out of zone for the
redirect db, and the resulting query_notfound() trips
INSIST(!is_zone). The cached NCACHENXRRSET variant trips a
REQUIRE in dns_rdataset_first() on a disassociated rdataset.
The synth-from-dnssec entry reaches the same fallback via
query_coveringnsec(). Guarding the fallback with
!qctx->redirected leaves the nxdomain-redirect NXRRSET answer to
be served as-is.

(cherry picked from commit 4bfd18d08d)
2026-06-02 09:48:13 +02:00
Michal Nowak
e7aab7f7d1 Fix spelling typos in comments and code
Assisted-by: Mistral Vibe:mistral-medium-3.5
Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 36fe37f6b4)
2026-06-01 15:04:31 +00:00
Alessio Podda
2c998e4e00 Remove name boundary optimization
In MR !9740, we introduced an optimization that reduces memory usage
by processing rdatas in batches during AXFR.

The maximum batch size is 128, but the batch size was allowed to grow
beyond that limit if all rdatas in a batch were for the same name, as
that allows a more efficient optimization.

This optimization could theoretically allow the batch size arbitrarily
for a sufficient large zone transfer. Since synthetic tests don't show
any performance improvement from the optimization, this MR removes it.

(cherry picked from commit 7502e73333)
2026-06-01 13:49:55 +02:00
Ondřej Surý
9f98ac625a
Fail promptly on an RRSIG answer with no usable record
A query for an RRSIG is handled as a subset of ANY, so rctx_answer_any()
filters out records that do not match the queried type. When every
record was filtered out (an answer carrying only unrelated types), the
function still returned success with nothing cached, and the fetch then
waited for a validator that was never started until the backstop fetch
timer fired ~12s later. Treat an all-filtered answer as a broken
response, matching how non-meta types already reject a reply with no
usable record.

(cherry picked from commit 938b58a809)
2026-05-30 06:13:58 +02:00
Ondřej Surý
d8ec05c17f
Detect non-advancing alias chains in the validator
The resolver turned a CNAME response to an RRSIG or NSEC query into
FORMERR inside rctx_answer_cname().  That is redundant -- every caller
already copes with a DNS_R_CNAME or DNS_R_DNAME result -- and it is the
wrong layer, because the resolver cannot tell a legitimate alias from a
broken one.  Drop it; a CNAME for one of these types now flows back as
an ordinary alias.

The case that must be stopped lives in the validator.  While proving an
unsigned CNAME insecure, proveunsecure() fetches the DS for the CNAME's
own name; because fetches are shared, that fetch re-enters and stalls on
the in-flight fetch the validator is waiting for, deadlocking for about
twelve seconds (GL#5878).  Unlike the resolver, the validator knows it
is validating an alias, so check_chaining() now aborts a fetch whose
name matches the chaining rdataset's owner: it cannot advance the chain
and would only self-join.

(cherry picked from commit d0c6219d66)
2026-05-30 06:13:58 +02:00
Ondřej Surý
c479706872
Detect resolver fetch loops only when joining an in-flight fetch
dns_resolver_createfetch() guarded against fetch loops by comparing the
raw request name/type/domain before any fetch context existed. Move the
check after the context is obtained and run it against the context
itself, and only when we joined an already in-flight context
(!new_fctx) that is also an ancestor in the parent chain. That is the
real loop condition: the new fetch would block waiting on a fetch that
is itself waiting on us. A newly created context waits on nothing, so it
proceeds, bounded by the fetch depth limit and the complementary ADB
loop detection.

(cherry picked from commit 0e04671b65)
2026-05-29 21:34:10 +02:00
Ondřej Surý
5fe9e7f6ed Fix use-after-free in concurrent dns_tsigkey_delete()
Two TSIG-authenticated TKEY DELETE queries for the same dynamic key,
arriving on different worker loops, could each enter
dns_tsigkey_delete() and cause over-decrementing the key refcount.

This has been fixed by making dns_tsigkey_delete() idempotent.

(cherry picked from commit 5c8dcd4419)
2026-05-28 11:05:34 +02:00
Matthijs Mekking
0d91c23c10 When caching names, check for CNAME RRsets
Matthijs Mekking authored 2 months ago
CNAME and other record types cannot coexist. DNSSEC records are the
exceptions to this rule.

If the answer contains a name with a CNAME, remove existing RRsets at
the same name from the cache.

If the answer contains a name without a CNAME, remove the CNAME RRset
at the same name from the cache.

(manually picked from commit 69a560fff1)
2026-05-28 09:59:15 +02:00
Ondřej Surý
faf9fb0b82 Reject malformed RRSIG records
A signature cannot cover a meta-type (NONE, ANY, AXFR, IXFR, MAILB,
MAILA, OPT, TSIG, TKEY); previously such records were cached by the
recursive resolver and collided with negative-cache entries on the
same owner name, corrupting the QP-trie cache.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c28ba9c3c6)
2026-05-28 09:51:27 +02:00
Evan Hunt
d1a32c003c
Clear REDIRECT flag when it isn't needed
The NS_QUERYATTR_REDIRECT flag is set when processing a recursive
NXDOMAIN redirection lookup, so that if that lookup also returns
NXDOMAIN we don't end up looping.

Previously, the flag was left active after use, but if the
same client triggered a subsequent recursive lookup (for example,
in the filter-aaaa plugin), then the wrong branch could be reached
in query_resume(), potentially leading to an assertion failure.  This
has been fixed.

(cherry picked from commit 3ff0018308)
2026-05-21 15:04:41 +02:00
Andoni Duarte
3d293e2a1e Merge tag 'v9.20.23' into bind-9.20 2026-05-20 10:18:28 +00:00
Ondřej Surý
f756907f24 Guard parent-NS walk against running off the root
Once the walk reaches the root, splitting one more label off would
trip an internal assertion and abort named.  Stop cleanly with
ISC_R_NOTFOUND so the dispatcher cancels the fetch.  Only reachable
through misconfiguration (root configured as a primary with parental
agents, or a parent zone that NODATAs its own NS).

Assisted-by: Claude:claude-opus-4-7

Manually edited to resolve conflicts.

(cherry picked from commit 141e8110f7)
2026-05-19 15:30:34 +02:00
Ondřej Surý
6b02ecb3f1
Remove TCP fallback after UDP timeouts
The retry path in resquery_send() that flipped DNS_FETCHOPT_TCP on a
query whose dispatch had already been bound as UDP in fctx_query() had
no effect on the transport actually used, but did leave a stale TCP
bit visible to downstream consumers (dnstap framing, cookie checks,
the AUTHORITY-NS spoofability guard).

The ineffective code has been removed from resquery_send().  The
TCP fallback functionality will be corrected and restored in the
BIND 9.22.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 01523a078a)
2026-05-19 12:26:04 +02:00
Ondřej Surý
38dd0e0ccc Switch UDP fetches to TCP on the first response with a wrong query id
Until now, the dispatcher silently dropped UDP responses from the
expected peer that carried the wrong DNS message id and kept listening
for the correct id to arrive within the read timeout.  An off-path
attacker who knows the destination address and source port of an
outgoing fetch could exploit that quiet retry window to flood the
resolver with guessed responses; with a gigabit link the per-query
success probability grows linearly with the number of guesses that
arrive before the legitimate answer or the timeout.

Treat any such mismatch as a possible spoofing attempt and let the
resolver immediately retry the same query over TCP, the same control
path the truncation handler already uses.

Add a resolver statistics counter - exposed as 'queries retried over TCP
after a response with mismatched query id' in rndc stats and
'MismatchTCP' in the statistics channel

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 11bca1051f)
2026-05-15 08:49:19 +02:00
Ondřej Surý
fbf5ecb5a8 Fix data race in async master dump/load context publication
Bouncing the offload itself to the target loop let the after-work
callback fire on the target thread and run the user's done callback
before the calling thread had published *dctxp / *lctxp.  Enqueue on
the calling loop and bounce only the done callback instead, so the
publish is sequenced before the cross-thread hand-off by construction
and cannot be reintroduced by reordering the entry-point body.

(cherry picked from commit 8ae464d552)
2026-05-14 06:53:23 +00:00
Ondřej Surý
ddf6274ba2
Cap glue records cached from a referral
The resolver marked every NS RR's glue from a referral for caching with
no aggregate bound, so a parent server returning many NS RRs and many
glue addresses per NS could inflate cache memory long beyond what
resolution can ever use.

Truncate each glue rdataset to DELEG_MAX_GLUES_PER_NS (20) A and 20 AAAA
records before marking it for caching.  The NS RRset itself is still
cached in full, bounded by max-records-per-type.
2026-05-12 16:18:40 +02:00
Ondřej Surý
c4d2675f48
Remove the disabled CHECK_FOR_GLUE_IN_ANSWER code
The CHECK_FOR_GLUE_IN_ANSWER macro defaulted to 0 and was never enabled
by the build system, leaving check_answer() and the answer-section glue
scan in rctx_referral() as dead code.  Drop them so the surrounding
referral-cache path is easier to reason about.
2026-05-12 16:18:16 +02:00
Ondřej Surý
005e151c5b
Pass empty string instead of NULL to ns_client_dumpmessage()
The two new call sites added by the CLASS-validation work passed NULL
as the reason, but ns_client_dumpmessage() bails out early on a NULL
reason — so the message dump never happened. The intent was to dump
the message and let the follow-up ns_client_log() carry the reason
text, so pass "" to suppress the prefix without short-circuiting the
dump.

(cherry picked from commit 3401cbd16f44b4ecb8b57dc9d1951037db6d0e32)
2026-05-07 13:09:18 +02:00
Aydın Mercan
637a127f65
Fix use-after-free in DoH write buffer after HTTP/2 send
After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.

(cherry picked from commit 6afc4270e0323a52262802d553dda8233df36d42)
2026-05-07 13:09:18 +02:00
Ondřej Surý
ddd5586a51
Make isc_mem_isovermem() probabilistic
Replace the hysteretic hi_water/lo_water switch with a stochastic
check: always false below lo_water, always true at or above hi_water,
linearly ramped probability in between.  This spreads cache cleaning
across many inserts instead of triggering a thundering herd once the
hi_water mark is crossed (which causes every addrdataset to enter the
LRU purge path simultaneously and serializes lookups behind the node
write locks).

The is_overmem atomic and its stores are no longer needed and are
removed.  The existing tests that asserted specific hysteretic state
transitions are simplified to check only the deterministic boundaries.

(cherry picked from commit ee24d2a1c3361dcc1c48fb29bb2e0b91bc3405e8)
2026-05-07 13:09:18 +02:00
Evan Hunt
ec1404cc4c
Skip "deny-answer-address" for non-IN addresses
Ensure that we don't attempt an ACL match for answer addresses
when handling a class-CHAOS zone. This is an additional line of
defense for YWH-PGM40640-74.

(cherry picked from commit e62673c765b52307c800e86f0185fe52b573c145)
2026-05-07 13:09:18 +02:00
Mark Andrews
a40325c6a2
Reject meta-classes in UPDATE and NOTIFY messages
NOTIFY and UPDATE messages must specify a data class in the
QUESTION/ZONE section.  NONE and ANY are meta-classes and not
appropriate here.  Return FORMERR if either is used.

Rejecting messages with a query class of NONE addresses YWH-PGM40640-72,
YWH-PGM40640-82, and YWH-PGM40640-83.  Rejecting messages with a query
class of ANY addresses YWH-PGM40640-87, YWH-PGM40640-88, and
YWH-PGM40640-117.

Fixes: isc-projects/bind9#5778
Fixes: isc-projects/bind9#5782
Fixes: isc-projects/bind9#5783
Fixes: isc-projects/bind9#5797
Fixes: isc-projects/bind9#5798
Fixes: isc-projects/bind9#5853

(cherry picked from commit c66a1b1e1bfd6c79d7b9bc8d4a59e69f4faa1563)
2026-05-07 13:09:18 +02:00
Ondřej Surý
39a4ad2330
Validate DNS message CLASS early in request processing
Reject requests with unsupported or misused CLASS values before
further processing.  Only IN, CH, HS, RESERVED0 (for DNS Cookies),
ANY (for TKEY negotiation), and NONE (for DNS UPDATE) are accepted;
all other classes return NOTIMP.  Misuse of NONE or ANY outside
their allowed contexts returns FORMERR.

This adds further protection against bugs of the same general class
as YWH-PGM40640-70 and YWH-PGM40640-73.

(cherry picked from commit 0a687451505037e9f9a850c9cb113aed4995b03f)
2026-05-07 13:09:18 +02:00
Evan Hunt
134706912f
Disable UPDATE and NOTIFY for non-IN classes
Return NOTIMP for UPDATE and NOTIFY requests received for views with a
class other than IN.  Only QUERY is now supported for non-IN views such
as CHAOS.

When running dns dns_rdata_tostruct() with types that are only defined
for class IN, ensure that the class is correct before proceeding.

Add an assertion that any zone being updated is of class IN. (Note
that previously, a DLZ zone could have its class value set incorrectly
to NONE; this has been fixed.)

This addresses YWH-PGM40640-70 and YWH-PGM40640-73 (as well as any
similar problems that might have occurred in the future) by minimizing
the code paths that can be reached by rdata classes other than IN, so it
is safe for the implementation to assume that rdatatypes that are only
defined for class IN, such as SVCB or WKS, have been parsed and
validated, and not accepted as unknown/opaque data.

Fixes: isc-projects/bind9#5777
Fixes: isc-projects/bind9#5779

(cherry picked from commit a6d8e330ed6cf0021bff3f00aa1dc7a296f5aec0)
2026-05-07 13:09:18 +02:00
Evan Hunt
95fc625d60
Disable recursion for non-IN classes
Force recursion off, and set allow-recursion/allow-recursion-on ACLs
to none, for views with a class other than IN. Log a configuration
warning if recursion is explicitly enabled for a non-IN view.

This addresses YWH-PGM40640-74 and YWH-PGM40640-75 by preventing any
attempt at recursive processing in a class-CHAOS view, ensuring that
server addresses used for recursive queries and received in recursive
responses are of the expected format.

Fixes: isc-projects/bind9#5780
Fixes: isc-projects/bind9#5781

(cherry picked from commit 7becff1a14684a68208c92b3b0315c045c05ad75)
2026-05-07 13:09:18 +02:00
Ondřej Surý
11276087a7
Fix output token and GSS context leaks in TKEY/GSS-API error paths
In dst_gssapi_acceptctx(), rename outtoken to outtokenp (matching BIND
convention for output pointer parameters) and free the allocated output
token buffer on error in the cleanup path.

In process_gsstkey(), route the empty-principal error path through
cleanup via CLEANUP() instead of returning early, so that the output
token, GSS context, and TSIG key are all freed consistently by the
existing cleanup block.

(cherry picked from commit 6c46c85d02849fb659584275313529794039f433)
2026-05-07 13:09:18 +02:00
Ondřej Surý
9bdace3fa3
Fix GSS-API context leak in TKEY negotiation
Reject multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) in
dst_gssapi_acceptctx().  Each call to gss_accept_sec_context()
allocates a context inside the GSS library; without this fix, the
context handle was passed back to process_gsstkey() which did not
store it persistently, leaking it on every incomplete negotiation.

An unauthenticated attacker could exhaust server memory by sending
repeated TKEY queries with GSSAPI tokens, each leaking one GSS
context.  The leaked memory is allocated by the GSS library via
malloc(), bypassing BIND's memory accounting.

In practice, Kerberos/SPNEGO (the only mechanism used with BIND)
completes in a single round, so rejecting continuation does not
affect real-world deployments.  See RFC 3645 Section 4.1.3.

(cherry picked from commit 3d8e0d068f08694282c5ecd3bd6c332de6c75485)
2026-05-07 13:09:18 +02:00
Ondřej Surý
1222a2aa05
Fix use-after-free in resolver SIG(0) async verification path
When a SIG(0)-signed response triggers async ECDSA verification via
dns_message_checksig_async(), the respctx_t holds a raw pointer to
the resquery_t. If the fetch context is shut down while verification
is in flight (e.g. due to recursive-clients quota exhaustion), the
query is destroyed and the callback dereferences a dangling pointer.

Take a reference on the resquery_t when initializing the respctx_t,
and release it in both cleanup paths. The query's own reference to
the fetch context keeps the fctx alive transitively.

(cherry picked from commit 5b58caf5a2cd39d57a51b7b0373bfbc4877a96f9)
2026-05-07 13:09:18 +02:00
Colin Vidal
b456007e2d
Remove duplicate addresses from the resolver SLIST
The SLIST (essentially `fctx->finds`, forwarders and dual-stack
alternatives aside) can have duplicate server addresses when multiple
in-domain nameservers share the same IP addresses:

  sub.example.          NS      ns1.sub.example.
  sub.example.          NS      ns2.sub.example.
  ns1.sub.example.      A       1.2.3.4
  ns1.sub.example.      A       5.6.7.8
  ns2.sub.example.      A       1.2.3.4
  ns2.sub.example.      A       5.6.7.8

If both 1.2.3.4 and 5.6.7.8 fail to return a valid answer, the resolver
would query each address twice.

The problem is fixed by replacing the two-phase server selection (sort
each find list by SRTT, sort finds by head SRTT) with a single linear
scan in nextaddress() that finds the lowest-SRTT unmarked, non-duplicate
address across all find lists.

The old approach had a correctness bug: after sorting, the resolver
picked the next address from the "current" find list rather than
globally.  For example, with find lists [1, 15, 26] and [3, 4, 5], the
second pick would be SRTT 15 instead of the correct SRTT 3.

The new approach is both simpler and correct: each call to nextaddress()
walks all addresses, skips marked and duplicate entries, and returns the
one with the lowest SRTT.  While this walk is repeated for each server
attempt, it operates on a small bounded list and is negligible compared
to the network I/O of querying the server.

(cherry picked from commit b1c5856a3764b4025e93f8baf06c45c8fa029752)
2026-05-07 13:09:18 +02:00
Colin Vidal
1bedd7f244
Limit the number of addresses returned per ADB find
Add a hard limit on the number of addresses that ADB returns from a
single NS lookup (dns_adbfind_t).  This mitigates a flood attack
where an attacker controls a zone with many addresses for a
nameserver, each returning an invalid response.  The global
max-query count (default 50) also limits this, but significant harm
can be done before that limit is reached.

The default limit is now 6 (v4 and/or v6) addresses for an ADB find (so,
ADB looking up for A/AAAA addresses of a name server name). It can be
overridden for testing via 'named -T adbaddrslimit=N'.

(cherry picked from commit 3ec37fc69356ee682bee7f67940613ac31d93d7b)
2026-05-07 13:09:18 +02:00
Colin Vidal
ac3ea4ecd4
rctx_resend() increment query counters
Calls to `rctx_resend()` are done internally within the resolver, in
flow which are not supposed to happens more than once. For instance,
if some query fails, and a specific flag "F" wasn't set, then set the
flag and try again. This wouldn't occur more than once because if the
query fails the next attempt, the flag "F" would be set already, so the
resolver would move to the next server (or give up).

However, a subtle bug missing checking a flag, for instance, could lead
to an unbounded loop re-trying to query the same server. This is now
impossible as `rctx_resend()` also increment the query counters (so if
such case occurs, it would stop once the maximum limit is reached).

The dns_resstatscounter_retry are also only incremented if the
`fctx_query()` succeeds, similar to as is done in `fctx_try()`.

(cherry picked from commit f3e74304889a2e8b69c8e88fc9a383589decda32)
2026-05-07 13:09:18 +02:00
Colin Vidal
ae554715ae
Refactor incrementing query counters
Move the logic incrementing the query counter and the global query
counter into a dedicated helper function.

(cherry picked from commit 05d6da2de54c093689e675e81ae898ee41220666)
2026-05-07 13:09:18 +02:00
Aram Sargsyan
69fb85d994
Apply XFR-out quota after ACL is checked
Unauthorized clients can consume XFR-out quota and block authorized
XFR clients. Apply the quota after ACL is checked.

(cherry picked from commit 5615e6c47a2cd00d82d48b568cc55a4b89daa330)
2026-05-07 13:09:18 +02:00
Evan Hunt
c665472b10 check for val->name == NULL when adding EDE text
When a validator is being shut down, the associated name
`val->name` is set to NULL.  This could cause a crash if a worker
thread subsequently added an EDE code to the response containing
val->name in the extra text.

`validator_addede()` now checks whether the name is NULL before
trying to add it to the extra text.

(cherry picked from commit 2c60870527)
2026-05-07 11:23:17 +10:00