Commit graph

44364 commits

Author SHA1 Message Date
Aram Sargsyan
9adab9e577 Fix memory leak bug during zone shutdown
The dns_update_signaturesinc() updates zone signatures in chunks,
keeping its current state in 'zone->rss_state'. When a zone shuts
down, the signature update process is canceled, and all the data
in the state is not freed.

Create a new dns_update_state_clear() function which can be called
from dns_zone_free() to free the memory.

(cherry picked from commit 5e12906669)
2026-06-22 21:14:02 +00:00
Aram Sargsyan
7398fa2476 Handle zone shutting down case in receive_secure_serial()
When the zone is shutting down jump straight to cleanup, otherwise
an assertion failure is possible, e.g. because zone->loop can be
already NULL.

(cherry picked from commit b56e3cd2ee)
2026-06-22 21:06:58 +00:00
Aram Sargsyan
0b07018e3b Remove the unused link from 'struct rss'
The link is declared but never used. Remove it.

(cherry picked from commit fad2c5b757)
2026-06-22 21:06:49 +00:00
Aram Sargsyan
34b40e9272 Fix a bug in "receive secure serial" processing
When a DNS UPDATE messages is received, the zone_send_secureserial()
function can schedule a new receive_secure_serial() call with a new
'rss' object before a previous one had a chance to be fully processed.
This can cause an assertion failure in receive_secure_serial() with a
new 'rss' object (when the old one was rescheduled because it got
DNS_R_CONTINUE from dns_update_signaturesinc()). In other words:

1. receive_secure_serial() called with rss, sets zone->rss = rss,
   reschedules because of DNS_R_CONTINUE
2. receive_secure_serial() called with rss_new, INSIST fails because
   zone->rss != rss_new), i.e. this was called before the old 'rss'
   was fully processed

Change the code logic by introducing a new 'rss_next' field and making
sure the old 'rss' is complete before starting processing the new
one.

(cherry picked from commit 5118f3bad6)
2026-06-22 21:05:07 +00:00
Aram Sargsyan
7303689183 Remove redundant INSIST
The check is already performed in the INSIST above.

(cherry picked from commit 7d7130f51a)
2026-06-22 20:56:41 +00:00
Aram Sargsyan
f4a77a59ef Add a new check in "inline" system test
This new check floods the server with DNS UPDATE messages for an
'inline-signing yes; sig-signing-signatures 1;' zone to see if
it manages to process the updates correctly.

(cherry picked from commit 37f265f59a)
2026-06-22 20:56:41 +00:00
Ondřej Surý
b8e5801ec5 [9.20] fix: usr: Fix a crash when querying an empty non-terminal in a wildcard zone in RBTDB
A query for an empty non-terminal in a wildcard zone served
from the RBT zone database could abort named with an assertion
failure.  It now returns the correct NODATA answer.

Closes #6170

Merge branch '6170-fix-non-terminal-wildcard-in-rbtdb-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12299
2026-06-22 22:46:35 +02:00
Ondřej Surý
033a15061b
Add a regression test for an empty non-terminal under a wildcard
The NSEC3-signed entwild.test zone places an apex wildcard above empty
non-terminals; querying one of them with DNSSEC requested reproduces
the abort seen with the RBT zone database. The query must instead
return NODATA with an NSEC3 proof. The zone uses the default zone
database, so it only exercises RBTDB on a build that defaults to it.

Assisted-by: Claude:claude-opus-4-8
2026-06-22 21:58:25 +02:00
Ondřej Surý
a7a77a0db5
Handle DNS_R_NEWORIGIN when stepping to a wildcard's successor
dns_rbtnodechain_next() returns DNS_R_NEWORIGIN rather than
ISC_R_SUCCESS whenever the successor lies in a different RBT origin,
which is the case when the queried name's predecessor is an empty
non-terminal with children. Treating that as a failure made
wildcard_blocked() miss the empty non-terminal that must block the
wildcard, so the expansion proceeded and later tripped an assertion.
activeempty() already handled both results.
2026-06-22 21:55:00 +02:00
Aydın Mercan
8588ffec7d [9.20] fix: usr: ignore 0-byte reads in the TCP read callback
Callbacks for libuv stream reads do not signal zero-length reads as a
failure signal but rather as EAGAIN/EWOULDBLOCK. This can trigger an
assertion when a zero-length read is pushed onto a PROXYv2 endpoint that
has not yet processed the headers as it expects a non-NULL region of
positive length.

Closes #6140

Backport of MR !12261

Merge branch 'backport-6140-proxyv2-assertion-on-zero-byte-read-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12291
2026-06-22 17:04:11 +03:00
Aydın Mercan
6850c4606e ignore 0-byte reads in the TCP read callback
Callbacks for libuv stream reads do not signal zero-length reads as a
failure signal but rather as EAGAIN/EWOULDBLOCK. This can trigger an
assertion when a zero-length read is pushed onto a PROXYv2 endpoint that
has not yet processed the headers as it expects a non-NULL region of
positive length.

(cherry picked from commit 20d3ef1643)
2026-06-22 07:05:41 +00:00
Nicki Křížek
82870906cb [9.20] chg: ci: Raise respdiff third-party and recent-named disagreement thresholds
The third-party comparison is right at the 0.4 % threshold, making it
fail quite often. The current range of observed values ranges from
0.3-0.5 %. Raise the threshold to 0.5 %.

The recent-named comparison produces values ranging from 0.05 to 0.12 %,
but appears to be more sensitive to time of the day when the test runs.
Raise the threshold to 0.15 %.

Both results are stable within the specified ranges across the last
three releases in both main and bind-9.20 series.

Backport of MR !12286

Merge branch 'backport-nicki/respdiff-threshold-bump-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12287
2026-06-19 14:08:05 +02:00
Nicki Křížek
4a67334156 Raise respdiff third-party and recent-named disagreement thresholds
The third-party comparison is right at the 0.4 % threshold, making it
fail quite often. The current range of observed values ranges from
0.3-0.5 %. Raise the threshold to 0.5 %.

The recent-named comparison produces values ranging from 0.05 to 0.12 %,
but appears to be more sensitive to time of the day when the test runs.
Raise the threshold to 0.15 %.

Both results are stable within the specified ranges across the last
three releases in both main and bind-9.20 series.

(cherry picked from commit a8413fa94c)
2026-06-19 13:55:20 +02:00
Matthijs Mekking
20db02121f [9.20] fix: usr: CDS/CDNSKEY records were not removed when re-configuring the server
When on an ``rndc reconfig`` the DNSSEC policy changes such that it changes the expected ``CDNSKEY`` and/or ``CDS`` records in the zone, the RRset should
be updated accordingly. This did not happen when removing digests from the configuration, or setting `cdnskey no;`. This has been fixed.

Closes #6166

Backport of MR !12265

Merge branch 'backport-6166-reconfig-delete-cds-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12284
2026-06-19 11:40:37 +00:00
Matthijs Mekking
4bed09f3c4 Don't rely on smart signing in cds system test
With dnssec-signzone smart-signing (-S), the CDS and CDSNKEY are
derived from the key timing metadata and the configuration options (-G).

The test has specific test cases that smart signing (with the fix)
interferes with. Therefor, disable smart-signing in the cds system test.

(cherry picked from commit fdf74636e2)
2026-06-19 12:39:17 +02:00
Matthijs Mekking
dbb0dd5088 Remove CDs/CDNSKEY records on reconfig
When adding to dnssec-policy:

    cdnskey no;
    cds-digest-types { };

and then reconfig the server, named must remove existing CDS and CDNSKEY
records. Note this already worked when adding CDS digest, or setting
'cdnskey yes;', but not when digests were removed from the list, or
when setting 'cdnskey no;'.

(cherry picked from commit 1c4c2cba8b)
2026-06-19 12:39:11 +02:00
Matthijs Mekking
75bfd8820d Add system test for reconfiguring CDS/CDNSKEY
When on an 'rndc reconfig' the DNSSEC policy changes such that it
changes the expected CDNSKEY/CDS records in the zone, the RRset should
be updated accordingly.

Add a test case where we reconfigure a zone with a policy such that
these records should be removed, and on a second reconfigure add
them back again.

Note the test deliberately adds a different CDS digest on the
second reconfigure.

(cherry picked from commit 89ebe61ad3)
2026-06-19 09:07:41 +00:00
Evan Hunt
3621c8169b [9.20] fix: usr: Check wildcard signer and NOQNAME signer match
A positive wildcard answer, and the NSEC3 proof that the requested
name doesn't exist in the zone, must both be from the same zone.
Otherwise, an NSEC3 from an ancestor zone could be used to interfere
with validation.

We now retrieve the signer name from a wildcard response's signature.
An NSEC3 record cannot be used as a NOQNAME proof for the
wildcard unless it exactly matches the name one level above the NSEC3.

Closes #5971

Backport of MR !12256

Merge branch 'backport-5971-wildcard-noqname-mismatch-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12279
2026-06-18 18:40:42 +00:00
Alessio Podda
d45ee682d8 Reproducer for #5971 NSEC3 from ancestor zone
Create a new nsec3_wrong_zone system test as a regression test.

Co-Authored By: Evan Hunt <each@isc.org>

(cherry picked from commit 680e0d8532)
2026-06-18 10:58:11 -07:00
Evan Hunt
9eeb8bde5a Check wildcard signer and NOQNAME signer match
A positive wildcard answer, and the NSEC3 proof that the requested
name doesn't exist in the zone, must both be from the same zone.
Otherwise, an NSEC3 from an ancestor zone could be used to interfere
with validation.

We now retrieve the signer name from a wildcard response's signature.
An NSEC3 record cannot be used as a NOQNAME proof for the wildcard
unless it exactly matches the name one level above the NSEC3.

Fixes: isc-projects/bind9#5971

(cherry picked from commit 45c9bd2603)
2026-06-18 10:58:11 -07:00
Colin Vidal
b1e0a58f4f [9.20] fix: usr: Fix CNAME resolution failure caused by a cached SERVFAIL response
Under certain circumstances, a cached SERVFAIL response could incorrectly prevent successful resolution of a CNAME target. This could cause resolution failures to persist until the cached SERVFAIL entry expired, even when the CNAME target itself was otherwise resolvable. This issue has been fixed.

Closes #5983

Backport of MR !12158

Merge branch 'backport-5983-servfail-cache-cname-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12259
2026-06-18 14:06:24 +02:00
Colin Vidal
f35817f620 Use original query name when caching SERVFAIL
Instead of using `client->query.qname` when caching a SERVFAIL answer,
use `client->query.origqname` when available.

This avoids caching a SERVFAIL against a CNAME target when the failure
occurs while the resolver is following the CNAME chain. This is
problematic, for instance, when the SERVFAIL is triggered by the
`max-query-count` threshold being reached, which would incorrectly
prevent legitimate resolution of the CNAME target while in the SERVFAIL
cache.

Note that if the SERVFAIL genuinely originated from resolving the CNAME
target, that specific failure will no longer be cached, and a direct
query for the CNAME target will trigger a fresh (likely failing)
resolution attempt. However, this is still preferable to the previous
behaviour, which would wrongly prevent resolving the CNAME target if it
was cached for other reasons (like the example above).

(cherry picked from commit 66af5b464d)
2026-06-18 14:06:14 +02:00
Colin Vidal
a404d72d36 System test covering SERVFAIL cache and CNAME
Add a system test for the case where resolution SERVFAILs because the
fetch context reaches the `max-query-count` threshold while following a
CNAME.

Resolving the CNAME target independently should still work, because the
SERVFAIL cache stores the original query name rather than the target.

(cherry picked from commit d238b8eece)
2026-06-18 14:06:14 +02:00
Andoni Duarte
294df42043 [9.20] chg: ci: Migrate Mattermost notifications to Zulip in CI
Since internal communications are now Zulip based, CI jobs now target
Zulip instead of Mattermost. The `MATTERMOST_WEBHOOK_URL` environment
variable is no longer needed, scripts now use `ZULIP_SERVER_URL` and
`ZULIP_API_KEY`.

In order to harmonize Zulip messaging, `message_zulip.py` is used where
curl calls to the webhook were previously used.

Backport of MR !12199

Merge branch 'backport-andoni/mattermost-to-zulip-migration-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12275
2026-06-18 11:33:07 +00:00
Andoni Duarte Pintado
7905a52ebd Migrate Mattermost notifications to Zulip in .gitlab-ci.yml
Since internal communications are now Zulip based, CI jobs now target
Zulip instead of Mattermost. The MATTERMOST_WEBHOOK_URL environment
variable is no longer needed, scripts now use ZULIP_SERVER_URL and
ZULIP_API_KEY.

In order to harmonize Zulip messaging, message_zulip.py is used where
curl calls to the webhook were previously used.

(cherry picked from commit ae45f4fa84)
2026-06-18 11:29:48 +00:00
Ondřej Surý
b18f0c647b [9.20] fix: test: Fix the rpz servfail-until-ready test when zone updates run serially
The rpz servfail-until-ready test assumed a particular policy zone always
finished loading last, which only holds when zone updates run in parallel;
on a single CPU (or with serialized offload) it could fail spuriously. It now
polls until RPZ reports ready instead.

Backport of MR !12251

Merge branch 'backport-ondrej/fix-rpz-system-test-on-single-cpu-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12253
2026-06-18 07:08:27 +02:00
Ondřej Surý
8f848851ef Poll for RPZ readiness in the servfail-until-ready test
RPZ is ready only once every policy zone has completed its first update,
and the zones do not finish in a fixed order, so whenever the updates
run serially (per-loop offload, or any single-CPU run): 'slow-rpz' zone
can finish before the others and the query still gets SERVFAIL.  Poll
the query until it returns NOERROR instead.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 153c9d3509)
2026-06-18 07:08:19 +02:00
Ondřej Surý
51d67c173e [9.20] chg: dev: Rework isc_work as per-loop, per-lane cancelable worker threads
Fold the libuv thread pool and the per-loop isc_helper threads into a single
isc_work pool. Each (loop, lane) gets its own SPSC queue and worker, which drops
the shared-queue contention, and the FAST/SLOW lanes keep short crypto tasks off
the long blocking ones (zone dump/load, xfrin). isc_work jobs are now cancelable:
isc_work_cancel() tombstones a still-queued job and its after_cb fires with
ISC_R_CANCELED, so abandoned work can be dropped instead of run to completion.

Backport of MR !12226

Merge branch 'backport-ondrej/rewrite-threadpool-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12267
2026-06-17 22:29:42 +02:00
Ondřej Surý
cd348cf255
Replace the shared work pool with per-loop, per-lane worker threads
Offloaded work used two different mechanisms: a per-loop isc_helper
thread for CPU-bound crypto (DNSSEC validation, message signature
checks) and the process-global libuv thread pool for blocking I/O (zone
load and dump, inbound transfer apply). Neither could cancel a queued
task, and the two disagreed about exclusive mode — the helper paused
with its loop under isc_loopmgr_pause() but the libuv pool did not, so
blocking offloaded work kept running while a loop held the exclusive
lock.

Unify both behind isc_work: each loop gets its own worker thread per
lane — FAST for short, bounded tasks and SLOW for long, blocking ones —
fed by a private queue. Separate lanes keep a short crypto task off the
path of a multi-second zone dump once both run on per-loop workers;
every lane parks with isc_loopmgr_pause() so exclusive mode now quiesces
offloaded work too; and a still-queued task can be canceled before it
starts (isc_work_cancel). isc_helper is removed and its callers select a
lane.

(cherry picked from commit a5f13b3410)
2026-06-17 21:15:17 +02:00
Evan Hunt
1687a3d0b8 [9.20] rem: usr: remove the secondary validator in query.c
Previously, when the additional section of a response was being
populated, if cached data was found with pending trust, it would be
opportunistically validated. The code implementing this validation was
not quite formally correct. Rather than fixing it, the code has been
removed: RRsets with pending trust are now omitted from responses.

Closes #5966

Closes #5968

Closes #5972

Backport of MR !12236

Merge branch 'backport-each-remove-lightweight-validator-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12258
2026-06-17 19:00:29 +00:00
Evan Hunt
989c2701af Change tests to reflect new behavior
The removal of the secondary validator in lib/ns/query.c now means
that some responses will omit additional data or NS records in the
authority section that had pending trust. Some test cases have been
revised or deleted to take this into account.
2026-06-17 18:59:47 +00:00
Nicki Křížek
47f7e71b06 Don't run vulture on ansX system test dirs
Exclude ansX directories from vulture, as splitting up the handlers into
multiple files gets flagged as unused code.

(cherry picked from commit 72bda8335f)
2026-06-17 18:59:47 +00:00
Evan Hunt
93386681db Merge DNSSEC wildcard tests
Merge the tests for #5966 (F-043) and #5972 (F-045), previously called
dnssec_wildcard_additional and dnssec_replayed_parent_wildcard, into a
single directory with two modules.

(cherry picked from commit 05691b53da)
2026-06-17 18:59:47 +00:00
Alessio Podda
962e223ac4 Reproducer for #5968 parent RRSIG in additional
Add a new "dnssec_parent_rrsig" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
(cherry picked from commit 99377e9fdd)
2026-06-17 18:59:47 +00:00
Alessio Podda
c53e43749b Reproducer for #5972 DNS_R_FROMWILDCARD accepted
Add a new "dnssec_wildcard_additional" system test.

Co-Authored-By: Evan Hunt <each@isc.org>
(cherry picked from commit 4466bbcb4a)
2026-06-17 18:59:47 +00:00
Alessio Podda
7fc7744720 Reproducer for #5966 replay parent wildcard
Add a new "dnssec_replayed_parent_wildcard" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
(cherry picked from commit 1d4d3e09ad)
2026-06-17 18:59:47 +00:00
Evan Hunt
3f58cb8b5c add isctest.mark method for ecdsa_deterinistic
This checks support for ECDSA deterministic mode in the cryptography
library.

(cherry picked from commit 6e44151466)
2026-06-17 18:59:47 +00:00
Matthijs Mekking
745662d3c5 Add isctest.check methods for AA flag
Similar to checking AD flag, add methods to see if the AA flag is
present or absent.

(cherry picked from commit f678d03a67)
2026-06-17 18:59:47 +00:00
Evan Hunt
6ab9b77f93 Remove the secondary validator in query.c
Previously, when the additional section of a response was being
populated, if cached data was found with pending trust, it would be
opportunistically validated. The code implementing this validation was
not quite formally correct; rather than fixing it, the code has been
removed; RRsets with pending trust are now omitted from responses.

Fixes: isc-projects/bind9#5966
Fixes: isc-projects/bind9#5968
Fixes: isc-projects/bind9#5972

(cherry picked from commit 7ec85b4bd2)
2026-06-17 18:59:47 +00:00
Alessio Podda
097e530348 [9.20] fix: usr: Only print per zone glue stats when query statistics is full
The code printing query statistics was ignoring the zone-statistics
option. This has been fixed.

Closes #6164

Backport of MR !12262

Merge branch 'backport-6164-no-per-zone-glue-stats-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12263
2026-06-17 16:13:10 +00:00
Alessio Podda
97e73e4a57 Add test for query statistics
Ensure that no per-zone glue statistic is printed unless
zone-statistics is set to full.

(cherry picked from commit e1cb775e95)
2026-06-17 14:35:40 +00:00
Alessio Podda
a5bc4955c7 Only print per zone glue cache stats when zone-statistics is full
The code printing glue cache statistics was ignoring the
zone-statistics option. This has been fixed.

(cherry picked from commit f655b6af84)
2026-06-17 14:35:40 +00:00
Nicki Křížek (GitLab job 7567435)
5feb254436 Merge tag 'v9.20.24' into bind-9.20 2026-06-17 13:49:58 +00:00
Vicky Risk
61c81ff65b [9.20] fix: doc: Edit SECURITY.md to remove references to bind-security@isc.org
We no longer want to encourage people to open new issues via email because we are getting too many spammy reports generated by LLM. By requiring people actually login to Gitlab to make their report, they will (hopefully) see our reporting template, and think at least a little bit about whether they are making a well-considered, valid report.

Backport of MR !12248

Merge branch 'backport-vicky-main-patch-01884-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12254
2026-06-16 12:08:51 -04:00
Vicky Risk
ea97dac80c Edit SECURITY.md to remove references to bind-security@isc.org
(cherry picked from commit ce17ffcb48)
2026-06-16 15:26:32 +00:00
Ondřej Surý
1e0857de0e [9.20] fix: nil: Fix a latent NULL dereference in the DoH client request helper
isc__nm_http_request()'s error path reloaded sock->h2->connect.cstream after client_send() had already detached and freed it on a submit failure, dereferencing NULL. The helper is only used by the DoH unit tests. Guard the cleanup path against the detached stream.

Closes #6160

Backport of MR !12247

Merge branch 'backport-6160-fix-latent-NULL-dereference-in-http2-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12249
2026-06-16 15:21:03 +02:00
Ondřej Surý
72255dfc36 Guard against a detached stream in isc__nm_http_request() error path
On a submit failure, client_send() nullifies sock->h2->connect.cstream
and frees the stream before returning the error. The error: label in
isc__nm_http_request() reloaded that pointer and dereferenced it
unconditionally, reading through a NULL stream. The function is only
used by the DoH unit tests -- production DoH client send goes through
isc__nm_http_send()/client_httpsend(), whose submit failure is reported
via the NULL-safe send callback -- so this is a latent defect in the
test helper rather than a reachable named crash.

Skip the read callback when the stream has already been detached and
let the caller report the failure from the error result it receives.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7df91b7634)
2026-06-16 15:20:56 +02:00
Arаm Sаrgsyаn
47d375b9e6 [9.20] fix: usr: Fix a 'deny-answer-aliases' configuration bypass issue
It was possible to use a maliciously crafted authoritative
zone to make :iscman:`named` resolver synthesize a ``DNAME``
"alias" that should have been rejected by the configured
:any:`deny-answer-aliases` option. This has been fixed.

Closes #5930

Backport of MR !12044

Merge branch 'backport-5930-deny-answer-aliases-and-cached-dname-buf-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12245
2026-06-16 09:41:14 +00:00
Aram Sargsyan
6d209d9bd0 Fix a 'deny-answer-aliases' bug when using a cached DNAME
When using a cached DNAME to resolve a name, make sure to consult
the denied answers lists, otherwise it is possible to consutruct
a restricted alias by caching a DNAME that is a parent of the
denied alias. See the comments in the tests case from the previous
commit an example.

(cherry picked from commit 45c1d760a8)
2026-06-16 09:40:32 +00:00
Aram Sargsyan
f976409770 Add a new 'deny-answer-aliases' check in 'resolver' system test
This new check exercises an attack against guarantees given by the
'deny-answer-aliases' configuration option by caching a DNAME
that is a parent of the restricted alias, and then "constructing"
the restricted alias from the cache.

(cherry picked from commit 1645b09341)
2026-06-16 09:40:32 +00:00