Commit graph

45921 commits

Author SHA1 Message Date
Alessio Podda
aa022f7ea2 Keep RRL ncache fixed name alive
Move the fixed name storage out of the NCACHE branch so the name passed to
dns_rrl() remains valid for cached NXDOMAIN responses.
2026-06-16 11:56:59 +02:00
Alessio Podda
c2ebd1f66e Add RRL cached NXDOMAIN system test
Add a Python system test that primes ns2's negative cache, queries the
cached NXDOMAIN through RRL, and verifies named remains responsive.
2026-06-16 11:47:09 +02:00
Nicki Křížek
139b0fc48e new: test: Add AnsInstance as the ans counterpart of NamedInstance
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers.  Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.

Assisted-by: Claude:claude-fable-5

Merge branch 'nicki/pytest-ans-instance' into 'main'

See merge request isc-projects/bind9!12241
2026-06-16 10:28:36 +02:00
Nicki Křížek
630247e845 Use AnsInstance fixture in dispatch test
Replace manual ans.run parsing with the ans4 fixture.

Assisted-by: Claude:claude-fable-5
2026-06-16 09:34:25 +02:00
Nicki Křížek
f6a0c1fd63 Add AnsInstance as the ans counterpart of NamedInstance
Tests interacting with mock ans servers had to hardcode their IP
addresses and open ans.run directly, while named instances already
had the NamedInstance abstraction with `.ip`, `.log` and the
watch_log_*() helpers.  Factor the parts of NamedInstance that are
not named-specific into a ServerInstance base class and add an
AnsInstance subclass for ans servers, exposed through the `servers`
fixture and new ans1-ans11 convenience fixtures.

Assisted-by: Claude:claude-fable-5
2026-06-16 09:34:25 +02:00
Ondřej Surý
72ac4bbdb2 fix: nil: Fix a latent NULL dereference in the DoH client request helper
isc__nm_http_request()'s error path reloaded sock->h2->connect.cstream after client_send() had already detached and freed it on a submit failure, dereferencing NULL. The helper is only used by the DoH unit tests. Guard the cleanup path against the detached stream.

Closes #6160

Merge branch '6160-fix-latent-NULL-dereference-in-http2' into 'main'

See merge request isc-projects/bind9!12247
2026-06-15 20:05:17 +02:00
Ondřej Surý
7df91b7634
Guard against a detached stream in isc__nm_http_request() error path
On a submit failure, client_send() nullifies sock->h2->connect.cstream
and frees the stream before returning the error. The error: label in
isc__nm_http_request() reloaded that pointer and dereferenced it
unconditionally, reading through a NULL stream. The function is only
used by the DoH unit tests -- production DoH client send goes through
isc__nm_http_send()/client_httpsend(), whose submit failure is reported
via the NULL-safe send callback -- so this is a latent defect in the
test helper rather than a reachable named crash.

Skip the read callback when the stream has already been detached and
let the caller report the failure from the error result it receives.

Assisted-by: Claude:claude-opus-4-8
2026-06-15 18:09:37 +02:00
Arаm Sаrgsyаn
50dbab9340 fix: usr: Fix a 'deny-answer-aliases' configuration bypass issue
It was possible to use a maliciously crafted authoritative
zone to make :iscman:`named` resolver synthesize a ``DNAME``
"alias" that should have been rejected by the configured
:any:`deny-answer-aliases` option. This has been fixed.

Closes #5930

Merge branch '5930-deny-answer-aliases-and-cached-dname-buf-fix' into 'main'

See merge request isc-projects/bind9!12044
2026-06-15 11:35:12 +00:00
Aram Sargsyan
45c1d760a8 Fix a 'deny-answer-aliases' bug when using a cached DNAME
When using a cached DNAME to resolve a name, make sure to consult
the denied answers lists, otherwise it is possible to consutruct
a restricted alias by caching a DNAME that is a parent of the
denied alias. See the comments in the tests case from the previous
commit an example.
2026-06-15 09:37:07 +00:00
Aram Sargsyan
1645b09341 Add a new 'deny-answer-aliases' check in 'resolver' system test
This new check exercises an attack against guarantees given by the
'deny-answer-aliases' configuration option by caching a DNAME
that is a parent of the restricted alias, and then "constructing"
the restricted alias from the cache.
2026-06-15 09:37:07 +00:00
Ondřej Surý
2f3c040d19 fix: nil: Remove isc_mem_strndup()
The isc_mem_strndup() function had a single caller, the HTTP/2
request-path handling, which now uses isc_mem_allocate() and strlcpy()
directly.  Remove the function from the libisc API.

Closes #6087

Merge branch '6087-remove-isc_mem_strndup' into 'main'

See merge request isc-projects/bind9!12240
2026-06-12 17:40:20 +02:00
Ondřej Surý
5f068a307f Remove isc_mem_strndup()
The function had a single caller, the HTTP/2 request-path handling in
the network manager, and its semantics (strlen() of the source clamped
to the requested size) amounted to an obscured bounded string copy.
Replace the only use with a plain allocation and strlcpy(), and drop the
function.
2026-06-12 17:40:05 +02:00
Arаm Sаrgsyаn
e0d84f8370 fix: usr: Fix a zone transfer over TLS (XoT) issue when using the opportunistic TLS mode
The :iscman:`named` process, running as secondary DNS server,
configured to transfer a zone from a primary server using an
encrypted XoT transport in opportunistic TLS mode (i.e. without
peer certificate/hostname validation) could terminate unexpectedly
when the TLS ALPN negotiation with primary server was unsuccessful.
This has been fixed.

Closes #5957

Merge branch '5957-xot-xfrin_connect_done-bug-fix' into 'main'

See merge request isc-projects/bind9!12081
2026-06-12 15:36:57 +00:00
Aram Sargsyan
fb27599b58 Fix a bug in xfrin.c:xfrin_connect_done()
When the connect callback's result is ISC_R_SUCCESS and the callback
changes the result because of some condition, the 'xfr' should not
be detached, because it now belongs to the receive callback.

Detach the reference only if the callback's result is non-success.
2026-06-12 14:59:47 +00:00
Aram Sargsyan
6e0d998ff6 Add a check for the "doth" system test
Configure a zone transfer using XoT (with opportunistic TLS) from
a non-DoT port, which does not provide ALPN "dot" (in this case
it will try to connect to a DoH port). This is expected to fail,
but the client should handle the error gracefully and not to crash.
2026-06-12 14:59:47 +00:00
Colin Vidal
684f577458 fix: dev: Fix delegdb dump buffer overflow
A buffer used to dump a DNS name in the delegdb dump flow was using the
wrong size: it was using `DNS_NAME_MAXWIRE` which is the actual max
length of a DNS name on the wire instead of using `DNS_NAME_FORMATSIZE`
which is the maximum length of a textual representation of a DNS name
(which can be way longer than `DNS_NAME_MAXWIRE` if using the master
file escape sequence format) plus 1 (end of string byte). This could
lead to a buffer overflow. This is now fixed.

Closes #6132

Merge branch '6132-delegdb-dump-overflow' into 'main'

See merge request isc-projects/bind9!12195
2026-06-12 16:50:23 +02:00
Colin Vidal
ebd4e26f46 Fix delegdb dump buffer overflow
A buffer used to dump a DNS name in the delegdb dump flow was using the
wrong size: it was using `DNS_NAME_MAXWIRE` which is the actual max
length of a DNS name on the wire instead of using `DNS_NAME_FORMATSIZE`
which is the maximum length of a textual representation of a DNS name
(which can be way longer than `DNS_NAME_MAXWIRE` if using the master
file escape sequence format) plus 1 (end of string byte). This could
lead to a buffer overflow. This is now fixed.
2026-06-12 15:45:22 +02:00
Colin Vidal
7a1a3a0251 Add test for delegdb dump with very long name
Add a delegdb test which dump a database which contains a very long name
(using DNS master file format with escape sequence as defined per RFC
1035). This ensure that the delegdb uses large enough internal buffers
to load the names in DB and generate the dump. If this is not the case,
the test crashes on a build with address sanatizer enabled.
2026-06-12 15:45:22 +02:00
Nicki Křížek
02425ce4b4 new: test: Add a system test cookbook
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.

Assisted-by: Claude:claude-fable-5

Merge branch 'nicki/systest-cookbook' into 'main'

See merge request isc-projects/bind9!12234
2026-06-12 14:37:21 +02:00
Nicki Křížek
e1cd8e5cfa Add a system test cookbook
The README documents what the framework is; the cookbook documents how
to get common tasks done with it: iterating on a single test, adding a
new test directory, writing a regression reproducer, mocking a
misbehaving server with isctest.asyncserver, signing zones in
bootstrap(), and driving named via the NamedInstance fixtures. All
recipes are distilled from existing tests (cyclic_glue, dnssec_py,
dispatch) so they reflect the current canonical patterns.

Assisted-by: Claude:claude-fable-5
2026-06-12 14:31:49 +02:00
Michal Nowak
4957da2e29 new: ci: Enforce AI commit-trailer rules in danger checks
`CONTRIBUTING.md` documents several rules around how AI coding assistants should (and should not) be attributed in commit messages.  Teach `dangerfile.py` to enforce them so that violations are caught at MR time.

Merge branch 'mnowak/danger-ai-trailer-checks' into 'main'

See merge request isc-projects/bind9!11969
2026-06-12 12:02:45 +02:00
Michal Nowak
2cac546d08 Validate Assisted-by trailer format and tool list
CONTRIBUTING.md documents the Assisted-by trailer format as

    Assisted-by: AGENT_NAME:MODEL_VERSION [TOOL1] [TOOL2]

and excludes basic development tools (git, compilers, meson,
ninja, editors, clang-format, black, ruff) from the optional
tool list.

Walk every `Assisted-by:` line in each commit message and emit a
`warn()` when:

  - the line does not match the documented `AGENT:VERSION` shape;
  - the optional tool list contains basic-tool names.

The basic-tool list extends the CONTRIBUTING.md examples with
other formatters, generic linters, and build/test runners
commonly invoked from `.gitlab-ci.yml`.  Specialized analysis
tools (coccinelle, clang-tidy, AFL, Coverity, cppcheck,
valgrind, sanitizers) are intentionally absent so they remain
allowed in the trailer.

Use `warn()` rather than `fail()` because the format is
human-written and overly strict matching would produce false
positives on edge cases.

Assisted-by: Claude:claude-opus-4-7
2026-06-12 11:59:44 +02:00
Michal Nowak
65d082277d Reject Signed-off-by trailers from AI tools in danger check
CONTRIBUTING.md states that AI agents must not add Signed-off-by
tags, since only humans can legally certify the Developer
Certificate of Origin.  Mirror the existing LLM Co-Authored-By
check against the Signed-off-by trailer line so danger fails on
commits that violate the rule.

The shared alternation of known LLM agent names is factored out
into LLM_AGENT_NAMES_RE so adding a new tool only requires one
edit.

Assisted-by: Claude:claude-opus-4-7
2026-06-12 11:59:44 +02:00
Michal Nowak
f5e9dd3dd6 Detect Co-Authored-By trailers and reject AI co-authors
CONTRIBUTING.md states that AI agents must not be listed as
co-authors and that contributors should use the `Assisted-by:`
trailer instead.  Teach `dangerfile.py` to fail merge requests
whose commit messages include a `Co-Authored-By:` trailer naming
a known LLM (Claude, Codex, Mistral, Copilot, Gemini, Cursor,
Devin, Aider, Sourcegraph, CodeWhisperer).

For any other `Co-Authored-By:` trailer, emit an info-level
`message()` that includes the full trailer line so reviewers can
confirm the named co-author is a human contributor and not an
unrecognised AI tool.

Assisted-by: Claude:claude-opus-4-7
2026-06-12 11:05:14 +02:00
Arаm Sаrgsyаn
242d931956 fix: usr: Fix a bug in GeoIP2 string matching
When using GeoIP2 ACLs (see :any:`acl`), :iscman:`named` could
incorrectly match a name using a sub-string instead of the full
name match. This has been fixed.

Closes #6019

Merge branch '6019-geoip2-string-match-buf-fix' into 'main'

See merge request isc-projects/bind9!12092
2026-06-11 14:38:23 +00:00
Aram Sargsyan
8448136b16 Fix 'geoip' ACL matching bug
The geoip2.c:match_string() function can incorrectly return 'true'
when matching strings of different lengths (i.e. it matches a
substring). Return 'false' when the lengths of the matched strings
are different.
2026-06-11 13:28:21 +00:00
Aram Sargsyan
bdf4ab9280 Add a new check for the 'geoip2' system test
Check that an ACL can't be matched by a substring in the
GeoIP database, instead of the full string comparision.
2026-06-11 13:28:21 +00:00
Nicki Křížek
eec23bbe29 chg: nil: Update the system test README for the pytest-native workflow
The README predated the meson migration and most of the pytest runner
features. Document building the test dependencies with meson and drop
the make-based instructions, the Makefile.am registration step, and the
stale -T flag list. Describe the jinja2 templating, bootstrap(), the
conftest fixtures, the pytest marks, and recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5

Merge branch 'nicki/systest-readme-refresh' into 'main'

See merge request isc-projects/bind9!12232
2026-06-11 15:22:49 +02:00
Nicki Křížek
abd37e03d6 Update the system test README for the pytest-native workflow
The README predated the meson migration and most of the pytest runner
features. Document building the test dependencies with meson and drop
the make-based instructions, the Makefile.am registration step, and the
stale -T flag list. Describe the jinja2 templating, bootstrap(), the
conftest fixtures, the pytest marks, and recommend node IDs and
parametrization over -k matching. Fix the directory naming rule, which
switched from hyphens to underscores.

Also declare pytest and pytest-xdist as required dependencies: the
runner's pytest.ini uses --dist=loadscope unconditionally, so pytest
without pytest-xdist cannot even start.

Related #3810

Assisted-by: Claude:claude-fable-5
2026-06-11 15:04:21 +02:00
Arаm Sаrgsyаn
476fdc5365 fix: usr: Fix DNS-over-HTTPS (DoH) quota configuration issue
The :any:`http-listener-clients` and :any:`http-streams-per-connection`
configuration options could be truncated to smaller values (or to ``0``,
which means unlimited) when very big configuration values were used, which
exceeded ``65535``. As a note - it is very unlikely that such big values
are used in production, and the default values for the affected options
are ``300`` and ``100``, correspondingly. This has been fixed.

Closes #6021

Merge branch '6021-doh-quota-type-truncation-fix' into 'main'

See merge request isc-projects/bind9!12085
2026-06-11 11:33:05 +00:00
Aram Sargsyan
281660ecc1 Fix DoH quota global variables type
The 'named_g_http_listener_clients' and 'named_g_http_streams_per_conn'
global variables are defined as 'in_port_t', which is usually 16 bits,
but both the readers and the writers of those variables use 'uint32_t'
as the target/source, which can result in truncation.

Use correct types.
2026-06-11 11:32:26 +00:00
Matthijs Mekking
e62fb7cb1b fix: usr: Ignore updates removing DNSKEY RRset with class ANY
When a Dynamic Update is received that removes the ``DNSKEY`` (or ``CDNSKEY``,
or ``CDS``) RRset, remove all records except the ones that are in use
for signing for the zone.

Closes #6045

Merge branch '6045-dns-update-delete-in-use-dnskey-any' into 'main'

See merge request isc-projects/bind9!12166
2026-06-11 11:27:41 +00:00
Matthijs Mekking
008ad8ade2 ISC_ATTR_UNUSED in favor of UNUSED() 2026-06-11 10:53:56 +00:00
Matthijs Mekking
97b9c9c823 Keep our key on update removing DNSKEY RRset
When a Dynamic Update is received that removes the DNSKEY (or CDNSKEY,
or CDS) RRset, remove all records except the ones that are in use
for signing for the zone (with dnssec-policy).
2026-06-11 10:53:56 +00:00
Matthijs Mekking
3711f3b3c6 Test removing DNSKEY records with class ANY
The update should ignore DNSKEY, CDNSKEY and CDS records
for keys that are used for signing.
2026-06-11 10:53:56 +00:00
Petr Špaček
767dc16481 chg: doc: CVE template suggestions
Suggested changes to the CVE checklist, submitted for your approval (or rejection).  Commits in order of decreasing priority:

* 81bd4025c0e4ac407d5a8c7e0c414e2ed20f543f: Update Zulip link for new bind-incidents channel
* 65caa4912b25058cdeaef35094985424f2b2478f: Explicit sub-steps for assessing -S and EOL
* 1dc0d656edc1f6b5586da3ec1d416e5223c5504a: Clearer separation between CVE and CVSS+CWE steps
* 5ebb9ac33fda59adec6b9019bd211e96edebca49: EVN texts: Clarify what is done, when, and using which tool
* 29a79c21cbfe3477cd706861eeb12b53c98e2091: Use reference links for Earliest Notification and printing-press, to make the table less cumbersome to edit
* fd1b6d98c3cef2f6d212a5988b3726d933c84d27: Add TOC and sections for better (?) navigation
* 803b1d2aff04cf88ab860b42e3463c57fbf17f6d: Remove a few words to make the table narrower
* e68a1c84bd41a769ea8d96b7542cd7c062dd4af1: Clearer links to instructions, at top (bikeshed-y)
* e75b65072fe6eb271667659eac79817da1dd6515: Typo fix to the above

Merge branch 'bscott-cve-quicklist-tweaks' into 'main'

See merge request isc-projects/bind9!12221
2026-06-11 10:51:39 +00:00
Ben Scott
485d750ae9 Clarify EVN steps
Support has to prepare and send EVN/Advisory texts.  Clarify what is done,
when, and using which tool.
2026-06-10 16:46:29 -04:00
Ben Scott
eb2c533799 Fix typo
Learn to spell, Ben.
2026-06-10 16:46:29 -04:00
Ben Scott
4fac2a92db Explicit sub-steps for assessing -S and EOL
For the step where we assess which product versions/branches are
vulnerable to the flaw, add explicit subordinate steps for assessing
Special Subscriber -S Preview edition, and end-of-life versions that
are still received paid fixes.

While we have GitLab labels to indicate affected versions, there is no
satisfactory mechanism in place to indicate that assessment of all
versions is complete, and thus anything not labeled as affected can be
considered immune.  Explicit checklist steps will allow others to see
when assessment is complete.

Per the following discussions:

https://zulip.isc.org/#narrow/channel/4-bind9/topic/Unaffected.20labels.20for.20vulnerability.20issues/near/25643

https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE.20checklist.20updates/near/26307
2026-06-10 16:46:29 -04:00
Ben Scott
a026d31095 CVE and CVSS+CWE as separate steps
"Assigning CVE" and "Assigning CVSS+CWE" are really two different
steps.  CVE is bookeeping; we just request the ID and type it in.
CVSS and CWE require a judgement determination, and often involve
discussion.  At the same time, sometimes we forget to put the CVE ID
in right away.  Since we already have a separate step for CVE
assignment, let's put "update the issue with the CVE ID" in that step,
too.  Then the second step can be entirely about CVSS+CWE.  Same
number of steps, just clearer separation of what the steps are about.
2026-06-10 16:46:29 -04:00
Ben Scott
74e3e7f756 Add TOC and section headings
These can make navigation much easier,
when the original report is large.
2026-06-10 16:46:29 -04:00
Ben Scott
62c10ec450 Clearer links to instructions, at top
I think this gets lost as part of the table header.
Maybe that's just me.
2026-06-10 16:46:29 -04:00
Ben Scott
6200f7eeb9 Make table narrower
Drop some unneccesary words to make it narrower.
Makes it a little easier to  work with, and
a little easier to read quickly.
2026-06-10 16:46:29 -04:00
Ben Scott
fdf91833b2 Zulip URL to bind-incidents channel 2026-06-10 16:46:29 -04:00
Ben Scott
037d845266 Use reference links for e-n-d and p-p 2026-06-10 16:46:29 -04:00
Michal Nowak
c4b6ff517f fix: test: Various system test stability fixes for CI
Doubling system-test parallelism and removing the `@pytest.mark.flaky` markers exposed a set of timing-sensitive failures across CI. This branch keeps only the fixes for failures that are test-robustness bugs. Other - frequent - failures often guarded by `@pytest.mark.flaky` have their separate MRs already.

Merge branch 'mnowak/system-test-stability-fixes' into 'main'

See merge request isc-projects/bind9!12171
2026-06-10 21:49:10 +02:00
Michal Nowak
bb4afd1332 Retry the SOA serial check in the rpz test
While a response-policy zone is being (re)loaded it can briefly answer
with no SOA (SERVFAIL/REFUSED), which `dig +short` renders as empty
output.  get_sn() aborted the whole tests.sh on the first such miss,
defeating the retry_quiet() loop in ck_soa() that is meant to wait for
the reload to settle.  Return failure instead so the check is retried.

Assisted-by: Claude:claude-opus-4-8
2026-06-10 19:15:09 +00:00
Michal Nowak
9fd01e5121 Keep probing for the send timeout under load
One shot raced named; keep sending until it closes the connection.

Assisted-by: Claude:claude-opus-4-8
2026-06-10 19:15:09 +00:00
Michal Nowak
842a0fa289 Give the retransfer-force watchers a 60s timeout
The shutting-down and success transfers can exceed 30s on slow
instrumented builds.

Assisted-by: Claude:claude-opus-4-8
2026-06-10 19:15:09 +00:00
Michal Nowak
aac9cc40a8 Count distinct destinations in selfpointedglue dnstap checks
Tolerates retransmissions, which would inflate a raw line count.

Assisted-by: Claude:claude-opus-4-8
2026-06-10 19:15:09 +00:00