Commit graph

44042 commits

Author SHA1 Message Date
Ondřej Surý
abe201bac3 Do not reuse shared TCP dispatches for zone transfers
Zone transfers (XFRIN) need a dedicated TCP connection because they
are long-lived and stream the entire zone.

(cherry picked from commit 6e78094ebd)
2026-05-06 15:05:48 +02:00
Ondřej Surý
4f54328eaf Use sequential per-dispatch message IDs for TCP
TCP dispentries no longer use the global QID hash table at all.
Responses are matched by scanning disp->active, and sequential
per-dispatch IDs (bounded by the pipelining limit) are unique
within a single dispatch by construction.  Since TCP delivers
only data we asked for on a specific connection, the per-peer
uniqueness that the global table enforced was never actually
needed for TCP.

DNS_DISPATCHOPT_FIXEDID is plumbed through dns_request_createraw
-> get_dispatch -> dns_dispatch_createtcp so FIXEDID TCP requests
always get a fresh isolated dispatch — the caller-supplied ID
then cannot collide with any other in-flight query either.

(cherry picked from commit 3e364aec2b)
2026-05-06 15:05:48 +02:00
Ondřej Surý
a3ba799eae Limit TCP pipelining per shared dispatch
Cap the number of in-flight queries on a single shared TCP dispatch.
When the limit is reached, the dispatch is removed from the hash
table so subsequent queries get a fresh connection.  The existing
dispatch continues serving its queries until they complete.

This bounds the blast radius of a connection drop: at most N queries
fail simultaneously instead of all queries to that server.

The default limit is 256.  It can be overridden for testing via
'named -T tcppipelining=N'.

(cherry picked from commit 385ceabe8f)
2026-05-06 15:05:48 +02:00
Ondřej Surý
cb6a92696a Disable TCP pipelining in tcp and masterformat system test
Set tcppipelining=1 on recursive servers in the system tests to
restore one-query-per-connection behavior.  The tests relies on
specific connection and query counting that breaks with TCP
connection sharing.

(cherry picked from commit 05e8b58307)
2026-05-06 15:05:48 +02:00
Ondřej Surý
d35bc843c5 Implement seamless TCP connection reuse in dns_dispatch
Previously, the user of dns_dispatch API had to first call
dns_dispatch_gettcp() and if that failed create a new TCP dispatch with
dns_dispatch_createtcp().  This has been changed and the TCP connection
reuse happens transparently inside dns_dispatch_createtcp().  There are
separate buckets for dns_resolver, dns_request and dns_xfrin units, so
these don't get mixed together.

(cherry picked from commit d5ee86b799)
2026-05-06 15:05:48 +02:00
Ondřej Surý
971ca4df1a [9.20] fix: usr: Fix a crash when reconfiguring while an NTA is being rechecked
When named was reconfigured or shut down while a negative trust anchor
was being rechecked against authoritative servers, the in-flight recheck
could outlive the view that owned it and cause `named` to crash.  This
has been fixed.

Closes #5938

Backport of MR !11948

Merge branch 'backport-5938-ref-ntatable-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11966
2026-05-06 09:33:18 +02:00
Evan Hunt
3db5d47ed4 Hold a reference to the NTA table for the lifetime of each NTA
Each dns__nta_t now references its parent ntatable in nta_create() and
releases it in dns__nta_destroy().  This avoids a use-after-free in
fetch_done() and other callbacks that dereference nta->ntatable: the
ntatable could otherwise be released by view destruction while an
in-flight resolver fetch still holds a reference to the NTA.

(cherry picked from commit 26c895cc92)
2026-05-06 09:33:11 +02:00
Ondřej Surý
ddcacbc5a8 [9.20] fix: usr: Prevent a crash when using both dns64 and filter-aaaa
An assertion failure could be triggered if both `dns64` and the `filter-aaaa` plugin were in use simultaneously. This happened if the plugin triggered a second recursion process, which then attempted to store DNS64 state information in a pointer that had already been set by the original recursion process. This has been fixed.

Closes #5854

Backport of MR !11949

Merge branch 'backport-5854-dns64-aaaaok-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11967
2026-05-06 07:53:51 +02:00
Evan Hunt
d42b3e7b91 Clear dns64_aaaaok immediately after use
The DNS64 state information stored in client->query.dns64_aaaaok
could cause an assertion failure in query_respond() if the server
was configured in such a way as to trigger a new recursion before
the query had been reset - for example, by using the filter-aaaa
plugin, which may need to recurse to find out whether an A record
exists.

This has been addressed by clearing DNS64 state information
immediately after the call to query_filter64().

(cherry picked from commit 7213b038f0)
2026-05-06 04:47:07 +00:00
Evan Hunt
ddea991c07 [9.20] fix: dev: Fix a stack use-after-free in qpzone
In previous_closest_nsec(), a new qpreader was opened to search the NSEC
tree. It was possible for that to be used to update a QP iterator object
owned by the caller, and then be destroyed when the function returned.

This has been addressed by having the caller open the NSEC qpreader
instead.

Closes #5942

Merge branch '5942-qpiter-fix-bind-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11956
2026-05-06 00:01:08 +00:00
Evan Hunt
8e31dc5353 Fix a stack use-after-free in qpzone
In previous_closest_nsec(), a new qpreader was opened to search the NSEC
tree. It was possible for that to be used to update a QP iterator object
owned by the caller, and then be destroyed when the function returned.

This has been addressed by having the caller open the NSEC qpreader
instead.
2026-05-05 16:17:25 -07:00
Ondřej Surý
933a8de056 [9.20] fix: usr: Reject record sets too large to serve in DNS
When BIND was asked to store a record set whose total size exceeds
what fits in a DNS message, it would allocate memory and build the
structure, then fail later at response time. Such oversized record
sets are now rejected at the time of storage with an error, avoiding
wasted work on data that can never be served.

Backport of MR !11963

Merge branch 'backport-ondrej/harden-buflen-overflow-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11964
2026-05-05 21:18:27 +02:00
Ondřej Surý
2bbbd60de3
Reject oversized RRsets at slab construction
dns_rdataslab_fromrdataset(), dns_rdataslab_merge() and
dns_rdataslab_subtract() summed per-record storage into an
unsigned int with no upper-bound check.  An RRset whose total
encoded size exceeds DNS_RDATA_MAXLENGTH cannot fit in a DNS
message and is unservable; building its in-memory representation
only burns memory on data that will fail at response time, and at
the upper bound the running sum could in theory wrap.

Cap the running total at DNS_RDATA_MAXLENGTH and return ISC_R_NOSPACE
when exceeded.  Update the qpdb cache memory-purge test to use a
record size that fits within the new limit.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit f9d24b1b85)
2026-05-05 19:24:29 +02:00
Ondřej Surý
99c226576a [9.20] rem: dev: Remove obsolete KEY record EXTENDED flag deprecated by RFC 3445
KEY resource records originally defined EXTENDED flag that was removed
by RFC 3445 back in 2002. BIND still carried code to parse and emit it,
including the additional two-octet flags field that followed when the
EXTENDED bit was set. That handling has been removed and the affected
bit positions are now reserved.

Dropping the extended-flags handling also eliminates a possible crash
that could be reached when signing a zone containing an invalid key.

Closes #5900

Partial backport of MR !11961

Merge branch 'backport-5900-remove-keyflag-extended-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11962
2026-05-05 14:24:06 +02:00
Evan Hunt
0af1b07aad
Remove DNS_KEYFLAG_EXTENDED
The DNS_KEYFLAG_EXTENDED flag was only legitimate for type KEY
and was eliminated by RFC 3445. Dropping the extended-flags
handling in pub_compare() also fixes a possible crash when
signing a zone whose journal contains a crafted DNSKEY: a
6-byte record with the EXTENDED bit set produced a memmove()
length that underflowed and ran off a stack buffer.

(cherry picked from commit 9c06f0a41d)
2026-05-05 11:07:32 +02:00
Ondřej Surý
cf517f73d5 [9.20] fix: dev: Tidy up the cleanup path in check_signer()
When check_signer() processed a DNSKEY whose public-key data could not
be parsed, the early return on the parse error skipped the cleanup of
the cloned signature rdataset.  In every code path that currently
reaches this function the cloned rdataset holds no resources, so no
memory was actually leaked, but the cleanup is restructured so the
parse and the iteration cannot diverge again.

Closes #5869

Merge branch '5869-fix-memory-leak-in-check_signer-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11957
2026-05-05 08:20:19 +02:00
Ondřej Surý
19f44a0aa3
Tidy up cleanup path in check_signer()
The cloned signature rdataset was not disassociated on the early
return taken when dns_dnssec_keyfromrdata() fails to parse the DNSKEY
public-key data.  In every current caller val->sigrdataset reaches
check_signer() rdatalist-backed, so dns_rdataset_clone() copies the
struct without taking any reference and dns_rdataset_disassociate()
is a no-op -- no memory is actually leaked today.  Hoist the key
parse out of the per-RRSIG loop and let the function fall through
to a single cleanup path, so the parse and the iteration cannot
diverge again.

Assisted-by: Claude:claude-opus-4-7
2026-05-05 07:43:15 +02:00
Evan Hunt
a812bc52eb
Add a test with an active truncated key
Check that an invalid truncated key is handled correctly.
2026-05-05 07:43:15 +02:00
Ondřej Surý
bf4cdca7e9 [9.20] fix: usr: Prevent crafted queries from degrading RRL performance
With response rate limiting enabled, an attacker sending queries from many
spoofed source addresses could steer entries into the same slot of the
internal rate-limit table and slow down query processing on the affected
server. The table now uses a per-process keyed hash so the placement of
entries cannot be predicted or influenced from the network.

Closes #5906

Backport of MR !11950

Merge branch 'backport-5906-rrl-hash-collision-dos-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11952
2026-05-05 07:07:28 +02:00
Ondřej Surý
0f821104e0
Use a keyed hash for the RRL bucket table
The previous hash_key() was a deterministic, unkeyed (<<1) + add over the
key words.  An off-path attacker could invert it offline and submit
queries whose source /24, qname hash, and qtype map to a single bucket;
under chaining this turns every lookup into an O(N) walk under
rrl->lock and starves legitimate query processing on the very feature
deployed to mitigate DoS.

Replace it with isc_hash32(), which is HalfSipHash-2-4 keyed by a
per-process random seed, so collision sets cannot be precomputed.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit a6b7ce29c4)
2026-05-04 16:15:58 +02:00
Michał Kępień
93cfd196db [9.20] fix: ci: Use "git push --force-with-lease" for autorebases
If a merge request is merged to an autorebased branch while it is
getting rebased, the "git push -f" command at the end of the autorebase
job will cause the contents of that merge request to be silently deleted
from Git history even though the merge request will still be (correctly)
shown as "merged" by GitLab.

Use "git push --force-with-lease" instead to prevent force-pushing the
rebased version of the branch if it is pushed to after its pre-rebase
version is fetched by the autorebase job.  Report such an event
accordingly.  For simplicity, no retries are attempted as the problem is
expected to be resolved by the next autorebase and the chances of this
scenario happening in practice are already low to begin with.

Backport of MR !11939

Merge branch 'backport-michal/use-git-push-force-with-lease-for-autorebases-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11940
2026-04-30 22:38:25 +02:00
Michał Kępień
67c9c118ba Use "git push --force-with-lease" for autorebases
If a merge request is merged to an autorebased branch while it is
getting rebased, the "git push -f" command at the end of the autorebase
job will cause the contents of that merge request to be silently deleted
from Git history even though the merge request will still be (correctly)
shown as "merged" by GitLab.

Use "git push --force-with-lease" instead to prevent force-pushing the
rebased version of the branch if it is pushed to after its pre-rebase
version is fetched by the autorebase job.  Report such an event
accordingly.  For simplicity, no retries are attempted as the problem is
expected to be resolved by the next autorebase and the chances of this
scenario happening in practice are already low to begin with.

(cherry picked from commit f5a7671107)
2026-04-30 20:35:21 +00:00
Michał Kępień
84103837f3 [9.20] new: ci: Set up automatic rebasing for security-* branches
Introduce a set of private branches containing only security fixes that
are automatically rebased onto the corresponding open source branches
whenever new changes are merged.  Each rebase triggers a basic build,
failing the CI job if the build breaks.

When a security-* branch is rebased, create a CI pipeline for its new
revision and rebase its corresponding bind-9.x-sub branch (if it exists)
on top of it, creating a rebase chain.

Report any failures in the process via Mattermost.

These changes enable treating security fixes similarly to other code
changes, without deferring merges all the way until release prep.

Backport of MR !11930

Merge branch 'backport-michal/autorebase-chain-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11931
2026-04-30 13:27:56 +02:00
Michał Kępień
ed627c6947
Set up automatic rebasing for security-* branches
Introduce a set of private branches containing only security fixes that
are automatically rebased onto the corresponding open source branches
whenever new changes are merged.  Each rebase triggers a basic build,
failing the CI job if the build breaks.

When a security-* branch is rebased, create a CI pipeline for its new
revision and rebase its corresponding bind-9.x-sub branch (if it exists)
on top of it, creating a rebase chain.

Report any failures in the process via Mattermost.

These changes enable treating security fixes similarly to other code
changes, without deferring merges all the way until release prep.

(cherry picked from commit af7d5e566e)
2026-04-30 13:25:42 +02:00
Ondřej Surý
c425827743 [9.20] fix: usr: prevent malicious DNSSEC zones from exhausting validator CPU
A DNSSEC-signed zone could publish a DNSKEY with an unusually large
RSA public exponent and force any validator resolving names in that
zone to spend disproportionate CPU verifying signatures.  The
validator now rejects such DNSKEYs, matching the limit already
applied to keys read from files or HSMs.

Closes #5881

Backport of MR !11917

Merge branch 'backport-5881-rsa-exponent-keytrap-cpu-amplification-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11923
2026-04-30 13:24:00 +02:00
Ondřej Surý
2b18aa9d59 Reject RSA DNSKEYs with oversize public exponents at parse time
The wire-format RSA DNSKEY parser was the only key path with no upper
bound on the public exponent — opensslrsa_parse and opensslrsa_fromlabel
already cap at RSA_MAX_PUBEXP_BITS.  An attacker-controlled DNSKEY could
therefore force a validator to compute s^e mod n with e up to ~|n| bits,
amplifying every verify by ~120x for typical 2048-bit moduli (OpenSSL
itself only caps the exponent for moduli above 3072 bits).  Apply the
same bit-count cap to wire-format keys.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit ab8c1a77e0)
2026-04-30 13:16:30 +02:00
Ondřej Surý
ca8315bb4d [9.20] fix: usr: Stop delv from aborting on a malformed query name
delv aborts with SIGABRT instead of exiting cleanly when given a query
name that fails wire-format conversion (e.g. a label longer than 63
octets). After this change delv prints the parse error and exits with
a normal failure code.

Closes #5916

Backport of MR !11921

Merge branch 'backport-5916-delv-run-resolve-null-detach-abort-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11927
2026-04-30 12:08:04 +02:00
Ondřej Surý
96d3b29968 Skip detach when delv's client never created
run_resolve allocates dns_client_t late, but the cleanup epilogue
called dns_client_detach() unconditionally. When convert_name() or
dns_client_create() failed first, the detach hit a NULL client and
the REQUIRE(DNS_CLIENT_VALID) inside it aborted the process with
SIGABRT instead of a clean error exit.

Guard the detach with a NULL check. Add a digdelv test that runs
delv on a query name whose first label exceeds 63 octets and
asserts the process does not exit 134.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit dba102ef16)
2026-04-30 12:07:49 +02:00
Ondřej Surý
49509dcbae [9.20] fix: usr: prevent rare named crash when notifies are cancelled
Under heavy load, named could occasionally crash when a queued
outbound notify or zone refresh was cancelled at the moment it
was being sent — for example, while a zone was being reloaded or
removed.  The race that caused the crash is now prevented.

Closes #5915

Backport of MR !11918

Merge branch 'backport-5915-ratelimiter-dequeue-tick-uaf-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11922
2026-04-30 12:04:06 +02:00
Ondřej Surý
9a15d2c973
Dispatch ratelimiter events under the lock
isc__ratelimiter_tick() and isc_ratelimiter_shutdown() each pulled
events out of rl->pending into a function-local list, dropped the
mutex, and then iterated.  ISC_LIST_APPEND leaves the link in the
LINKED state, so a concurrent isc_ratelimiter_dequeue() saw an
event as still queued, called ISC_LIST_UNLINK against rl->pending —
which patched the prev/next of the local list — and freed the
event before dispatch finished, producing either an INSIST in the
unlink macro or a use-after-free in the dispatch loop.

isc_async_run() is a non-blocking wfcq enqueue, so there is no
benefit to dropping the mutex around it.  Unlink each event and
hand it to isc_async_run() while still holding rl->lock; the
existing ISC_LINK_LINKED check in dequeue then correctly
distinguishes "still queued and cancellable" from "already taken".

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 4d465f4fa5)
2026-04-30 10:53:49 +02:00
Ondřej Surý
070b394f53 [9.20] fix: dev: free per-command rndc state when response serialisation fails
When isccc_cc_towire failed while building an rndc reply,
control_respond returned without releasing the per-command request,
response, HMAC secret copy, and text buffer.  They were eventually
freed when the connection closed, but until then the HMAC key copy
stayed in named's memory.  The failure path now goes through the
same cleanup label as every other error.

Closes #5913

Backport of MR !11915

Merge branch 'backport-5913-controlconf-control-respond-cleanup-leak-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11919
2026-04-30 10:31:47 +02:00
Ondřej Surý
88537d6d84 Run conn_cleanup on isccc_cc_towire failure in control_respond
The bare return left conn->secret, conn->response, conn->request, and
conn->text pinned until the connection itself was torn down — every
other error in the function reaches conn_cleanup via goto, and the
success path falls into the same label, so the towire-failure return
was the lone outlier.  Send it through the existing cleanup path.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 1b681dfa2f)
2026-04-30 07:33:28 +00:00
Ondřej Surý
3728b405ea [9.20] fix: dev: Fix swapped arguments in redirect2() single-label branch
On a recursive resolver with nxdomain-redirect configured, an
NXDOMAIN result for a query whose qname is the root could corrupt
the view's nxdomain-redirect target, after which the redirect
feature stopped working for every subsequent query in that view
until named was restarted.

Closes #5908

Backport of MR !11908

Merge branch 'backport-5908-query-redirect2-name-copy-arg-swap-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11913
2026-04-30 07:39:10 +02:00
Ondřej Surý
36897a0872 Fix swapped arguments in redirect2() single-label branch
For a query whose qname is the root, the labels==1 branch in
redirect2() called dns_name_copy(redirectname, view->redirectzone)
with arguments reversed, overwriting the view-global
nxdomain-redirect target with the empty redirectname rather than
copying the configured target into the per-query lookup name.  After
the corruption, view->redirectzone names the root, so
dns_name_issubdomain() makes redirect2() short-circuit for every
subsequent query and the nxdomain-redirect feature stops working
until named is restarted.

Triggering this needs the resolver to receive an NXDOMAIN for the
root from upstream, which does not happen in normal DNS operation.

Swap the arguments to match the dns_name_copy(source, dest)
signature.  Add a system test that issues a root query through the
nxdomain-redirect resolver and verifies the redirect feature still
works for a normal NXDOMAIN-producing query afterwards.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c62f24f7ee)
2026-04-30 07:38:57 +02:00
Ondřej Surý
7e1eace6cd [9.20] fix: usr: Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits
`rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b`
range of 1..1024, but any value above 512 aborted on hardened builds
instead of producing a key. The full advertised range now works.

Closes #5903

Backport of MR !11903

Merge branch 'backport-5903-hmac-generate-stack-overflow-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11910
2026-04-30 07:06:31 +02:00
Ondřej Surý
45ea92ea4b
Size HMAC key generation buffers to the maximum block size
hmac_generate() declared its on-stack nonce buffer as
unsigned char data[ISC_MAX_MD_SIZE], i.e. 64 bytes. That is the maximum
digest size, but the buffer is filled up to the algorithm's HMAC block
size, which is 128 bytes for SHA-384 and SHA-512. Asking rndc-confgen
for an HMAC-SHA-384 or HMAC-SHA-512 key with -b > 512 (the documented
range allows up to 1024) wrote past the end of the stack buffer; on
hardened builds this aborted with a stack-smash detector firing
instead of producing a key.

Use the existing ISC_MAX_BLOCK_SIZE (128) for the buffer so the full
1..1024 range advertised by -A hmac-sha{384,512} works as documented.
The matching key_rawsecret[64] in confgen's generate_key() is enlarged
the same way so the generated key fits when dumped to the buffer.

Add a system test that exercises rndc-confgen across the previously
overflowing keysizes; with -Db_sanitize=address it caught the abort
before the fix.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 46f6bb6364)
2026-04-30 06:00:07 +02:00
Ondřej Surý
dc5eb3fe25 [9.20] fix: usr: Fix suppressed missing-glue check in named-checkzone
named-checkzone and named-checkconf -z silently skipped the
missing-glue check for any NS name that had already triggered an
extra-AAAA-glue warning, so zones missing required A glue could pass
validation and be deployed with broken delegations.

Backport of MR !11899

Merge branch 'backport-ondrej/check-tool-err-glue-code-collision-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11905
2026-04-29 18:13:23 +02:00
Ondřej Surý
5c1ccb1483 Resolve ERR_MISSING_GLUE / ERR_EXTRA_AAAA value collision
Both constants were defined as 5. The symbol table used by checkns() to
deduplicate log messages keys on (name, error_code), so logging an
extra-AAAA error caused logged() to also return true for the
missing-glue check, silently skipping the entire missing-glue block for
the same name in named-checkzone and named-checkconf -z.

Convert the ERR_* defines to an auto-numbered enum so the compiler
guarantees the values stay pairwise distinct.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 72d21a0806)
2026-04-29 15:31:58 +00:00
Colin Vidal
823d36c3a2 [9.20] chg: nil: Disable licensing check for root.hints
Removing REUSE licensing header check for `root.hints` files.

Backport of MR !11893

Merge branch 'backport-colin/disable-licensing-check-roothints-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11894
2026-04-28 16:51:41 +02:00
Colin Vidal
ecb96166b0 Remove licensing header check for root.hint[s]
Removing REUSE licensing header check for `root.hint` and `root.hints`
files.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 19a446f00e)
2026-04-28 14:41:49 +00:00
Ondřej Surý
c3ab432270 [9.20] new: doc: Add AI coding assistants guidance to CONTRIBUTING.md
Adapted from the Linux kernel's Documentation/process/coding-assistants.rst
to the BIND 9 context. Adds three subsections under the existing
"Guidelines for Tool-Generated Content" section:

- Licensing and legal requirements (MPL-2.0, SPDX identifiers).
- Signed-off-by and Developer Certificate of Origin: AI agents must
  not add Signed-off-by trailers; only the human submitter may
  certify the DCO.
- Attribution: the Assisted-by: AGENT_NAME:MODEL_VERSION trailer
  for recording AI involvement, with an explicit prohibition on
  AI-added Co-Authored-By trailers (Co-Authored-By designates a
  human co-author who shares responsibility).

Backport of MR !11888

Merge branch 'backport-ondrej/coding-assistants-doc-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11891
2026-04-27 10:58:12 +02:00
Ondřej Surý
8c26db3c8c Add AI coding assistants guidance to CONTRIBUTING.md
Adapted from the Linux kernel's Documentation/process/coding-assistants.rst
to the BIND 9 context. Adds three subsections under the existing
"Guidelines for Tool-Generated Content" section:

- Licensing and legal requirements (MPL-2.0, SPDX identifiers).
- Signed-off-by and Developer Certificate of Origin: AI agents must
  not add Signed-off-by trailers; only the human submitter may
  certify the DCO.
- Attribution: the Assisted-by: AGENT_NAME:MODEL_VERSION trailer
  for recording AI involvement, with an explicit prohibition on
  AI-added Co-Authored-By trailers (Co-Authored-By designates a
  human co-author who shares responsibility).

(cherry picked from commit 2339bcd493)
2026-04-27 08:12:28 +00:00
Ondřej Surý
9e34ef0f7e [9.20] fix: usr: Fix named crash when processing SIG records in dynamic updates
Previously, :iscman:`named` could abort if a client sent a dynamic update containing a SIG record (the legacy signature type) to a zone configured with an update-policy. The function `dns_db_findrdataset` had an incorrect requirements prerequisite that prevented SIG records being looked up, which was triggered as part of processing an UPDATE request and could be triggered remotely by any client permitted to send updates. This has been fixed by ensuring that SIG records are handled consistently with RRSIG records during update processing.

Closes #5818

Backport of MR !11864

Merge branch 'backport-5818-fix-update-of-sig-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11876
2026-04-17 19:24:17 +02:00
Matthijs Mekking
9c0e5da3aa Add test for SIG in prequisites of dynamic update
Make sure the nameserver correctly handles SIG records in the
prerequisites of the dynamic update. The first check is to ensure that
the prerequisites are not examined prior to checking the credentials.

The second test case checks that the SIG present prerequisite is
examined and therefore refuses the update. Also this should not trigger
an assertion failure in dns__db_findrdataset() (due to the REQUIRE()
only accepted dns_rdatatype_rrsig when the covers parameter was set).

(cherry picked from commit 51f27fda46)
2026-04-17 19:24:13 +02:00
Ondřej Surý
8f75c7c3dd Add AXFR regression test for SIG covers preservation
diff.c rdata_covers() runs on both dns_diff_apply (IXFR, ns/update.c
dynamic updates) and dns_diff_load (AXFR).  After the previous commit
refused SIG and NXT in dynamic updates, the AXFR path remains the
most natural way to drive legacy SIG records into a secondary's zone
DB and regression-gate the rdata_covers() fix.

The test adds ans11 as an AsyncDnsServer primary for a small zone
whose AXFR carries two SIG rdatas at the same owner with different
covered types (A, MX) and different TTLs (600, 1200), and declares
ns6 a secondary of that zone.  With the bug present, dns_diff_load
groups both tuples at typepair (SIG, 0) and the MX-covering record
inherits the first-seen TTL (600); the fix keeps them at (SIG, A)
and (SIG, MX) with their original TTLs.

rndc dumpdb -zones on the secondary is used to inspect stored state
directly, because the wire-level SIG query response merges
same-(owner,type,class) RRs and masks the per-rdataset TTLs.

(cherry picked from commit e9f880c78f)
2026-04-17 19:24:13 +02:00
Ondřej Surý
1a93486cde Refuse SIG and NXT records in dynamic updates
SIG (24) and NXT (30) are obsolete DNSSEC record types, superseded by
RRSIG and NSEC in RFC 3755.  Allowing them through dynamic update
exposes two distinct bugs that the surrounding GL#5818 work already
fixes as defense-in-depth:

  - dns__db_findrdataset() used to REQUIRE that (covers == 0 ||
    type == RRSIG), which aborts named when a SIG update reaches the
    prescan foreach_rr() call.  Fixed to accept dns_rdatatype_issig().
  - diff.c rdata_covers() used to test only RRSIG, dropping the
    covered-type field for SIG rdatas; the zone DB then filed every
    SIG rdataset under typepair (SIG, 0) instead of
    (SIG, covered_type) and follow-up adds collided at that bucket.
    Fixed to use dns_rdatatype_issig().

Both underlying bugs are still reachable via inbound zone transfer
(diff.c rdata_covers() runs from both dns_diff_apply on the IXFR path
and dns_diff_load on the AXFR path), so the type-helper fixes above
remain necessary.  For the dynamic-update path, the simplest and
safest posture is to refuse SIG and NXT outright at the front door in
ns/update.c, alongside the existing NSEC/NSEC3/non-apex-RRSIG
refusals.  KEY remains permitted because it is still used to carry
public keys for SIG(0) transaction authentication.

The existing tcp-self SIG regression test is repointed to assert
REFUSED on the SIG add, a symmetric NXT test is added, and the
SIG-via-dyn-update covers-bucket test is removed because it is no
longer reachable through this entry point; AXFR-based coverage of
diff.c rdata_covers() follows in a separate commit.

(cherry picked from commit 3a44a13232)
2026-04-17 19:24:13 +02:00
Ondřej Surý
bc771b033a Add regression test for SIG covers being dropped in dns_diff_apply
rdata_covers() in lib/dns/diff.c tests `type == dns_rdatatype_rrsig`
instead of dns_rdatatype_issig(), so for a legacy SIG (24) rdata it
returns 0 and the covered type is discarded on the dynamic-update /
IXFR path.  The zone DB then files every SIG rdataset under typepair
(SIG, 0) instead of (SIG, covered_type), and a follow-up add with a
different covers field but a different TTL collides at that bucket,
trips DNS_DBADD_EXACTTTL in qpzone, returns DNS_R_NOTEXACT, and comes
back to the client as SERVFAIL.

The new test adds a PTR to establish the node (tcp-self requires the
client IP's reverse form to equal the owner), then two SIG updates
with different covers and different TTLs; on a buggy build the second
update is SERVFAIL and named logs `dns_diff_apply: .../SIG/IN: add
not exact`.  The test is expected to pass once rdata_covers() is
switched to dns_rdatatype_issig(), matching the fix already adopted
for dns__db_findrdataset() on this branch and the helper pattern used
in master.c, xfrout.c, and qpcache.c.

(cherry picked from commit b9fc0e595b)
2026-04-17 19:24:13 +02:00
Ondřej Surý
2c2533774c Fix dropped covers field for SIG records in dns_diff_apply
rdata_covers() in lib/dns/diff.c discriminated only on
dns_rdatatype_rrsig (46) and returned 0 for the legacy SIG (24), so
the covered-type field was silently discarded on the dynamic-update
and IXFR paths.  Every SIG rdataset was then filed in the zone DB
under typepair (SIG, 0) instead of (SIG, covered_type); a second SIG
add with a different covers but a different TTL collided at that
bucket, tripped DNS_DBADD_EXACTTTL in qpzone, returned
DNS_R_NOTEXACT, and came back to the client as SERVFAIL.

Use dns_rdatatype_issig() here so both SIG and RRSIG carry their
covers through the diff, matching the helper pattern already used in
lib/dns/master.c, lib/ns/xfrout.c, lib/dns/qpcache.c, and the
dns__db_findrdataset() REQUIRE that the surrounding merge request
just relaxed.

(cherry picked from commit 0a5ba57116)
2026-04-17 19:24:13 +02:00
Ondřej Surý
7e5c15ce9b Add system test for SIG record handling in update-policy tcp-self
Verify that a SIG record sent via TCP dynamic update is accepted
by the tcp-self update-policy and correctly stored in the zone.

(cherry picked from commit ecddeab696)
2026-04-17 19:24:13 +02:00
Mark Andrews
62920a981f Fix assertion failure in dns_db_findrdataset() for SIG records
dns__db_findrdataset() had a REQUIRE() that only accepted
dns_rdatatype_rrsig when the covers parameter was set.  A dynamic
update containing a SIG record (type 24) would trigger this
assertion, crashing named.  Use dns_rdatatype_issig() to accept
both SIG and RRSIG.

(cherry picked from commit 03edeccaa1)
2026-04-17 19:24:13 +02:00