Commit graph

44342 commits

Author SHA1 Message Date
Colin Vidal
a404d72d36 System test covering SERVFAIL cache and CNAME
Add a system test for the case where resolution SERVFAILs because the
fetch context reaches the `max-query-count` threshold while following a
CNAME.

Resolving the CNAME target independently should still work, because the
SERVFAIL cache stores the original query name rather than the target.

(cherry picked from commit d238b8eece)
2026-06-18 14:06:14 +02:00
Andoni Duarte
294df42043 [9.20] chg: ci: Migrate Mattermost notifications to Zulip in CI
Since internal communications are now Zulip based, CI jobs now target
Zulip instead of Mattermost. The `MATTERMOST_WEBHOOK_URL` environment
variable is no longer needed, scripts now use `ZULIP_SERVER_URL` and
`ZULIP_API_KEY`.

In order to harmonize Zulip messaging, `message_zulip.py` is used where
curl calls to the webhook were previously used.

Backport of MR !12199

Merge branch 'backport-andoni/mattermost-to-zulip-migration-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12275
2026-06-18 11:33:07 +00:00
Andoni Duarte Pintado
7905a52ebd Migrate Mattermost notifications to Zulip in .gitlab-ci.yml
Since internal communications are now Zulip based, CI jobs now target
Zulip instead of Mattermost. The MATTERMOST_WEBHOOK_URL environment
variable is no longer needed, scripts now use ZULIP_SERVER_URL and
ZULIP_API_KEY.

In order to harmonize Zulip messaging, message_zulip.py is used where
curl calls to the webhook were previously used.

(cherry picked from commit ae45f4fa84)
2026-06-18 11:29:48 +00:00
Ondřej Surý
b18f0c647b [9.20] fix: test: Fix the rpz servfail-until-ready test when zone updates run serially
The rpz servfail-until-ready test assumed a particular policy zone always
finished loading last, which only holds when zone updates run in parallel;
on a single CPU (or with serialized offload) it could fail spuriously. It now
polls until RPZ reports ready instead.

Backport of MR !12251

Merge branch 'backport-ondrej/fix-rpz-system-test-on-single-cpu-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12253
2026-06-18 07:08:27 +02:00
Ondřej Surý
8f848851ef Poll for RPZ readiness in the servfail-until-ready test
RPZ is ready only once every policy zone has completed its first update,
and the zones do not finish in a fixed order, so whenever the updates
run serially (per-loop offload, or any single-CPU run): 'slow-rpz' zone
can finish before the others and the query still gets SERVFAIL.  Poll
the query until it returns NOERROR instead.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 153c9d3509)
2026-06-18 07:08:19 +02:00
Ondřej Surý
51d67c173e [9.20] chg: dev: Rework isc_work as per-loop, per-lane cancelable worker threads
Fold the libuv thread pool and the per-loop isc_helper threads into a single
isc_work pool. Each (loop, lane) gets its own SPSC queue and worker, which drops
the shared-queue contention, and the FAST/SLOW lanes keep short crypto tasks off
the long blocking ones (zone dump/load, xfrin). isc_work jobs are now cancelable:
isc_work_cancel() tombstones a still-queued job and its after_cb fires with
ISC_R_CANCELED, so abandoned work can be dropped instead of run to completion.

Backport of MR !12226

Merge branch 'backport-ondrej/rewrite-threadpool-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12267
2026-06-17 22:29:42 +02:00
Ondřej Surý
cd348cf255
Replace the shared work pool with per-loop, per-lane worker threads
Offloaded work used two different mechanisms: a per-loop isc_helper
thread for CPU-bound crypto (DNSSEC validation, message signature
checks) and the process-global libuv thread pool for blocking I/O (zone
load and dump, inbound transfer apply). Neither could cancel a queued
task, and the two disagreed about exclusive mode — the helper paused
with its loop under isc_loopmgr_pause() but the libuv pool did not, so
blocking offloaded work kept running while a loop held the exclusive
lock.

Unify both behind isc_work: each loop gets its own worker thread per
lane — FAST for short, bounded tasks and SLOW for long, blocking ones —
fed by a private queue. Separate lanes keep a short crypto task off the
path of a multi-second zone dump once both run on per-loop workers;
every lane parks with isc_loopmgr_pause() so exclusive mode now quiesces
offloaded work too; and a still-queued task can be canceled before it
starts (isc_work_cancel). isc_helper is removed and its callers select a
lane.

(cherry picked from commit a5f13b3410)
2026-06-17 21:15:17 +02:00
Evan Hunt
1687a3d0b8 [9.20] rem: usr: remove the secondary validator in query.c
Previously, when the additional section of a response was being
populated, if cached data was found with pending trust, it would be
opportunistically validated. The code implementing this validation was
not quite formally correct. Rather than fixing it, the code has been
removed: RRsets with pending trust are now omitted from responses.

Closes #5966

Closes #5968

Closes #5972

Backport of MR !12236

Merge branch 'backport-each-remove-lightweight-validator-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12258
2026-06-17 19:00:29 +00:00
Evan Hunt
989c2701af Change tests to reflect new behavior
The removal of the secondary validator in lib/ns/query.c now means
that some responses will omit additional data or NS records in the
authority section that had pending trust. Some test cases have been
revised or deleted to take this into account.
2026-06-17 18:59:47 +00:00
Nicki Křížek
47f7e71b06 Don't run vulture on ansX system test dirs
Exclude ansX directories from vulture, as splitting up the handlers into
multiple files gets flagged as unused code.

(cherry picked from commit 72bda8335f)
2026-06-17 18:59:47 +00:00
Evan Hunt
93386681db Merge DNSSEC wildcard tests
Merge the tests for #5966 (F-043) and #5972 (F-045), previously called
dnssec_wildcard_additional and dnssec_replayed_parent_wildcard, into a
single directory with two modules.

(cherry picked from commit 05691b53da)
2026-06-17 18:59:47 +00:00
Alessio Podda
962e223ac4 Reproducer for #5968 parent RRSIG in additional
Add a new "dnssec_parent_rrsig" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
(cherry picked from commit 99377e9fdd)
2026-06-17 18:59:47 +00:00
Alessio Podda
c53e43749b Reproducer for #5972 DNS_R_FROMWILDCARD accepted
Add a new "dnssec_wildcard_additional" system test.

Co-Authored-By: Evan Hunt <each@isc.org>
(cherry picked from commit 4466bbcb4a)
2026-06-17 18:59:47 +00:00
Alessio Podda
7fc7744720 Reproducer for #5966 replay parent wildcard
Add a new "dnssec_replayed_parent_wildcard" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
(cherry picked from commit 1d4d3e09ad)
2026-06-17 18:59:47 +00:00
Evan Hunt
3f58cb8b5c add isctest.mark method for ecdsa_deterinistic
This checks support for ECDSA deterministic mode in the cryptography
library.

(cherry picked from commit 6e44151466)
2026-06-17 18:59:47 +00:00
Matthijs Mekking
745662d3c5 Add isctest.check methods for AA flag
Similar to checking AD flag, add methods to see if the AA flag is
present or absent.

(cherry picked from commit f678d03a67)
2026-06-17 18:59:47 +00:00
Evan Hunt
6ab9b77f93 Remove the secondary validator in query.c
Previously, when the additional section of a response was being
populated, if cached data was found with pending trust, it would be
opportunistically validated. The code implementing this validation was
not quite formally correct; rather than fixing it, the code has been
removed; RRsets with pending trust are now omitted from responses.

Fixes: isc-projects/bind9#5966
Fixes: isc-projects/bind9#5968
Fixes: isc-projects/bind9#5972

(cherry picked from commit 7ec85b4bd2)
2026-06-17 18:59:47 +00:00
Alessio Podda
097e530348 [9.20] fix: usr: Only print per zone glue stats when query statistics is full
The code printing query statistics was ignoring the zone-statistics
option. This has been fixed.

Closes #6164

Backport of MR !12262

Merge branch 'backport-6164-no-per-zone-glue-stats-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12263
2026-06-17 16:13:10 +00:00
Alessio Podda
97e73e4a57 Add test for query statistics
Ensure that no per-zone glue statistic is printed unless
zone-statistics is set to full.

(cherry picked from commit e1cb775e95)
2026-06-17 14:35:40 +00:00
Alessio Podda
a5bc4955c7 Only print per zone glue cache stats when zone-statistics is full
The code printing glue cache statistics was ignoring the
zone-statistics option. This has been fixed.

(cherry picked from commit f655b6af84)
2026-06-17 14:35:40 +00:00
Nicki Křížek (GitLab job 7567435)
5feb254436 Merge tag 'v9.20.24' into bind-9.20 2026-06-17 13:49:58 +00:00
Vicky Risk
61c81ff65b [9.20] fix: doc: Edit SECURITY.md to remove references to bind-security@isc.org
We no longer want to encourage people to open new issues via email because we are getting too many spammy reports generated by LLM. By requiring people actually login to Gitlab to make their report, they will (hopefully) see our reporting template, and think at least a little bit about whether they are making a well-considered, valid report.

Backport of MR !12248

Merge branch 'backport-vicky-main-patch-01884-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12254
2026-06-16 12:08:51 -04:00
Vicky Risk
ea97dac80c Edit SECURITY.md to remove references to bind-security@isc.org
(cherry picked from commit ce17ffcb48)
2026-06-16 15:26:32 +00:00
Ondřej Surý
1e0857de0e [9.20] fix: nil: Fix a latent NULL dereference in the DoH client request helper
isc__nm_http_request()'s error path reloaded sock->h2->connect.cstream after client_send() had already detached and freed it on a submit failure, dereferencing NULL. The helper is only used by the DoH unit tests. Guard the cleanup path against the detached stream.

Closes #6160

Backport of MR !12247

Merge branch 'backport-6160-fix-latent-NULL-dereference-in-http2-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12249
2026-06-16 15:21:03 +02:00
Ondřej Surý
72255dfc36 Guard against a detached stream in isc__nm_http_request() error path
On a submit failure, client_send() nullifies sock->h2->connect.cstream
and frees the stream before returning the error. The error: label in
isc__nm_http_request() reloaded that pointer and dereferenced it
unconditionally, reading through a NULL stream. The function is only
used by the DoH unit tests -- production DoH client send goes through
isc__nm_http_send()/client_httpsend(), whose submit failure is reported
via the NULL-safe send callback -- so this is a latent defect in the
test helper rather than a reachable named crash.

Skip the read callback when the stream has already been detached and
let the caller report the failure from the error result it receives.

Assisted-by: Claude:claude-opus-4-8
(cherry picked from commit 7df91b7634)
2026-06-16 15:20:56 +02:00
Arаm Sаrgsyаn
47d375b9e6 [9.20] fix: usr: Fix a 'deny-answer-aliases' configuration bypass issue
It was possible to use a maliciously crafted authoritative
zone to make :iscman:`named` resolver synthesize a ``DNAME``
"alias" that should have been rejected by the configured
:any:`deny-answer-aliases` option. This has been fixed.

Closes #5930

Backport of MR !12044

Merge branch 'backport-5930-deny-answer-aliases-and-cached-dname-buf-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12245
2026-06-16 09:41:14 +00:00
Aram Sargsyan
6d209d9bd0 Fix a 'deny-answer-aliases' bug when using a cached DNAME
When using a cached DNAME to resolve a name, make sure to consult
the denied answers lists, otherwise it is possible to consutruct
a restricted alias by caching a DNAME that is a parent of the
denied alias. See the comments in the tests case from the previous
commit an example.

(cherry picked from commit 45c1d760a8)
2026-06-16 09:40:32 +00:00
Aram Sargsyan
f976409770 Add a new 'deny-answer-aliases' check in 'resolver' system test
This new check exercises an attack against guarantees given by the
'deny-answer-aliases' configuration option by caching a DNAME
that is a parent of the restricted alias, and then "constructing"
the restricted alias from the cache.

(cherry picked from commit 1645b09341)
2026-06-16 09:40:32 +00:00
Nicki Křížek
6a85693487 [9.20] new: test: Add AnsInstance as the ans counterpart of NamedInstance
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers.  Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.

Assisted-by: Claude:claude-fable-5

Backport of MR !12241

Merge branch 'backport-nicki/pytest-ans-instance-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12250
2026-06-16 11:10:02 +02:00
Nicki Křížek
992ec9da64 Add AnsInstance as the ans counterpart of NamedInstance
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers.  Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.

Assisted-by: Claude:claude-fable-5
(cherry picked from commit f6a0c1fd63)
2026-06-16 11:09:54 +02:00
Nicki Křížek
3f3be1c810 [9.20] new: test: Add a system test cookbook
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.

Assisted-by: Claude:claude-fable-5

Backport of MR !12234

Merge branch 'backport-nicki/systest-cookbook-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12239
2026-06-16 10:29:42 +02:00
Nicki Křížek
7566365dbb Add a system test cookbook
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.

Assisted-by: Claude:claude-fable-5
(cherry picked from commit e1cd8e5cfa)
2026-06-16 10:29:24 +02:00
Arаm Sаrgsyаn
11fcd8206a fix: dev: Fix compatibility with OpenSSL 1.0.2u
BIND failed to build with OpenSSL 1.0.2u. Add the missing header
file includes.

Merge branch 'aram/openssl-1.0.2-compat-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11897
2026-06-12 23:42:30 +00:00
Aram Sargsyan
0f7aa44e87 Fix compatibility with OpenSSL 1.0.2u
BIND failed to build with OpenSSL 1.0.2u. Add the missing header
file includes.
2026-06-12 23:05:13 +00:00
Arаm Sаrgsyаn
40b64d1386 [9.20] fix: usr: Fix a zone transfer over TLS (XoT) issue when using the opportunistic TLS mode
The :iscman:`named` process, running as secondary DNS server,
configured to transfer a zone from a primary server using an
encrypted XoT transport in opportunistic TLS mode (i.e. without
peer certificate/hostname validation) could terminate unexpectedly
when the TLS ALPN negotiation with primary server was unsuccessful.
This has been fixed.

Closes #5957

Backport of MR !12081

Merge branch 'backport-5957-xot-xfrin_connect_done-bug-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12242
2026-06-12 23:00:19 +00:00
Aram Sargsyan
5f28dfbb64 Fix a bug in xfrin.c:xfrin_connect_done()
When the connect callback's result is ISC_R_SUCCESS and the callback
changes the result because of some condition, the 'xfr' should not
be detached, because it now belongs to the receive callback.

Detach the reference only if the callback's result is non-success.

(cherry picked from commit fb27599b58)
2026-06-12 15:37:29 +00:00
Aram Sargsyan
331231e203 Add a check for the "doth" system test
Configure a zone transfer using XoT (with opportunistic TLS) from
a non-DoT port, which does not provide ALPN "dot" (in this case
it will try to connect to a DoH port). This is expected to fail,
but the client should handle the error gracefully and not to crash.

(cherry picked from commit 6e0d998ff6)
2026-06-12 15:37:29 +00:00
Michal Nowak
904b669f2d [9.20] new: ci: Enforce AI commit-trailer rules in danger checks
`CONTRIBUTING.md` documents several rules around how AI coding assistants should (and should not) be attributed in commit messages.  Teach `dangerfile.py` to enforce them so that violations are caught at MR time.

Backport of MR !11969

Merge branch 'backport-mnowak/danger-ai-trailer-checks-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12238
2026-06-12 12:10:31 +02:00
Michal Nowak
7c1e80603a Validate Assisted-by trailer format and tool list
CONTRIBUTING.md documents the Assisted-by trailer format as

    Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]

and excludes basic development tools (git, compilers, meson,
ninja, editors, clang-format, black, ruff) from the optional
tool list.

Walk every `Assisted-by:` line in each commit message and emit a
`warn()` when:

  - the line does not match the documented `AGENT:VERSION` shape;
  - the optional tool list contains basic-tool names.

The basic-tool list extends the CONTRIBUTING.md examples with
other formatters, generic linters, and build/test runners
commonly invoked from `.gitlab-ci.yml`.  Specialized analysis
tools (coccinelle, clang-tidy, AFL, Coverity, cppcheck,
valgrind, sanitizers) are intentionally absent so they remain
allowed in the trailer.

Use `warn()` rather than `fail()` because the format is
human-written and overly strict matching would produce false
positives on edge cases.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 2cac546d08)
2026-06-12 10:03:12 +00:00
Michal Nowak
760b20df01 Reject Signed-off-by trailers from AI tools in danger check
CONTRIBUTING.md states that AI agents must not add Signed-off-by
tags, since only humans can legally certify the Developer
Certificate of Origin.  Mirror the existing LLM Co-Authored-By
check against the Signed-off-by trailer line so danger fails on
commits that violate the rule.

The shared alternation of known LLM agent names is factored out
into LLM_AGENT_NAMES_RE so adding a new tool only requires one
edit.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 65d082277d)
2026-06-12 10:03:12 +00:00
Michal Nowak
9dbb8a8082 Detect Co-Authored-By trailers and reject AI co-authors
CONTRIBUTING.md states that AI agents must not be listed as
co-authors and that contributors should use the `Assisted-by:`
trailer instead.  Teach `dangerfile.py` to fail merge requests
whose commit messages include a `Co-Authored-By:` trailer naming
a known LLM (Claude, Codex, Mistral, Copilot, Gemini, Cursor,
Devin, Aider, Sourcegraph, CodeWhisperer).

For any other `Co-Authored-By:` trailer, emit an info-level
`message()` that includes the full trailer line so reviewers can
confirm the named co-author is a human contributor and not an
unrecognised AI tool.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit f5e9dd3dd6)
2026-06-12 10:03:12 +00:00
Arаm Sаrgsyаn
f8f5e6a9d7 [9.20] fix: usr: Fix a bug in GeoIP2 string matching
When using GeoIP2 ACLs (see :any:`acl`), :iscman:`named` could
incorrectly match a name using a sub-string instead of the full
name match. This has been fixed.

Closes #6019

Backport of MR !12092

Merge branch 'backport-6019-geoip2-string-match-buf-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12235
2026-06-11 16:17:06 +00:00
Aram Sargsyan
faccdd5479 Fix 'geoip' ACL matching bug
The geoip2.c:match_string() function can incorrectly return 'true'
when matching strings of different lengths (i.e. it matches a
substring). Return 'false' when the lengths of the matched strings
are different.

(cherry picked from commit 8448136b16)
2026-06-11 16:15:45 +00:00
Aram Sargsyan
4fc13d7f62 Add a new check for the 'geoip2' system test
Check that an ACL can't be matched by a substring in the
GeoIP database, instead of the full string comparision.

(cherry picked from commit bdf4ab9280)
2026-06-11 16:15:45 +00:00
Matthijs Mekking
6a533ec622 [9.20] fix: usr: Ignore updates removing DNSKEY RRset with class ANY
When a Dynamic Update is received that removes the ``DNSKEY`` (or ``CDNSKEY``,
or ``CDS``) RRset, remove all records except the ones that are in use
for signing for the zone.

Closes #6045

Backport of MR !12166

Merge branch 'backport-6045-dns-update-delete-in-use-dnskey-any-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12230
2026-06-11 14:42:52 +00:00
Matthijs Mekking
09990f45b7 ISC_ATTR_UNUSED in favor of UNUSED()
(cherry picked from commit 008ad8ade2)
2026-06-11 14:42:41 +00:00
Matthijs Mekking
75c6db2388 Keep our key on update removing DNSKEY RRset
When a Dynamic Update is received that removes the DNSKEY (or CDNSKEY,
or CDS) RRset, remove all records except the ones that are in use
for signing for the zone (with dnssec-policy).

(cherry picked from commit 97b9c9c823)
2026-06-11 14:42:41 +00:00
Matthijs Mekking
2556c40a84 Test removing DNSKEY records with class ANY
The update should ignore DNSKEY, CDNSKEY and CDS records
for keys that are used for signing.

(cherry picked from commit 3711f3b3c6)
2026-06-11 14:42:41 +00:00
Nicki Křížek
f0053656de [9.20] chg: nil: Update the system test README for the pytest-native workflow
The README predated most of the pytest runner features. Document
building BIND along with the test-only binaries, refresh the stale -T
flag list, and describe the jinja2 templating, bootstrap(), the
conftest fixtures, and the pytest marks; recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5

Backport of MR !12232

Merge branch 'backport-nicki/systest-readme-refresh-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!12233
2026-06-11 16:06:12 +02:00
Nicki Křížek
83d66e48f3 Update the system test README for the pytest-native workflow
The README predated most of the pytest runner features. Document
building BIND along with the test-only binaries, refresh the stale -T
flag list, and describe the jinja2 templating, bootstrap(), the
conftest fixtures, and the pytest marks; recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5
(cherry picked from commit abd37e03d6)
2026-06-11 15:50:16 +02:00