Commit graph

44024 commits

Author SHA1 Message Date
Ondřej Surý
bf4cdca7e9 [9.20] fix: usr: Prevent crafted queries from degrading RRL performance
With response rate limiting enabled, an attacker sending queries from many
spoofed source addresses could steer entries into the same slot of the
internal rate-limit table and slow down query processing on the affected
server. The table now uses a per-process keyed hash so the placement of
entries cannot be predicted or influenced from the network.

Closes #5906

Backport of MR !11950

Merge branch 'backport-5906-rrl-hash-collision-dos-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11952
2026-05-05 07:07:28 +02:00
Ondřej Surý
0f821104e0
Use a keyed hash for the RRL bucket table
The previous hash_key() was a deterministic, unkeyed (<<1) + add over the
key words.  An off-path attacker could invert it offline and submit
queries whose source /24, qname hash, and qtype map to a single bucket;
under chaining this turns every lookup into an O(N) walk under
rrl->lock and starves legitimate query processing on the very feature
deployed to mitigate DoS.

Replace it with isc_hash32(), which is HalfSipHash-2-4 keyed by a
per-process random seed, so collision sets cannot be precomputed.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit a6b7ce29c4)
2026-05-04 16:15:58 +02:00
Michał Kępień
93cfd196db [9.20] fix: ci: Use "git push --force-with-lease" for autorebases
If a merge request is merged to an autorebased branch while it is
getting rebased, the "git push -f" command at the end of the autorebase
job will cause the contents of that merge request to be silently deleted
from Git history even though the merge request will still be (correctly)
shown as "merged" by GitLab.

Use "git push --force-with-lease" instead to prevent force-pushing the
rebased version of the branch if it is pushed to after its pre-rebase
version is fetched by the autorebase job.  Report such an event
accordingly.  For simplicity, no retries are attempted as the problem is
expected to be resolved by the next autorebase and the chances of this
scenario happening in practice are already low to begin with.

Backport of MR !11939

Merge branch 'backport-michal/use-git-push-force-with-lease-for-autorebases-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11940
2026-04-30 22:38:25 +02:00
Michał Kępień
67c9c118ba Use "git push --force-with-lease" for autorebases
If a merge request is merged to an autorebased branch while it is
getting rebased, the "git push -f" command at the end of the autorebase
job will cause the contents of that merge request to be silently deleted
from Git history even though the merge request will still be (correctly)
shown as "merged" by GitLab.

Use "git push --force-with-lease" instead to prevent force-pushing the
rebased version of the branch if it is pushed to after its pre-rebase
version is fetched by the autorebase job.  Report such an event
accordingly.  For simplicity, no retries are attempted as the problem is
expected to be resolved by the next autorebase and the chances of this
scenario happening in practice are already low to begin with.

(cherry picked from commit f5a7671107)
2026-04-30 20:35:21 +00:00
Michał Kępień
84103837f3 [9.20] new: ci: Set up automatic rebasing for security-* branches
Introduce a set of private branches containing only security fixes that
are automatically rebased onto the corresponding open source branches
whenever new changes are merged.  Each rebase triggers a basic build,
failing the CI job if the build breaks.

When a security-* branch is rebased, create a CI pipeline for its new
revision and rebase its corresponding bind-9.x-sub branch (if it exists)
on top of it, creating a rebase chain.

Report any failures in the process via Mattermost.

These changes enable treating security fixes similarly to other code
changes, without deferring merges all the way until release prep.

Backport of MR !11930

Merge branch 'backport-michal/autorebase-chain-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11931
2026-04-30 13:27:56 +02:00
Michał Kępień
ed627c6947
Set up automatic rebasing for security-* branches
Introduce a set of private branches containing only security fixes that
are automatically rebased onto the corresponding open source branches
whenever new changes are merged.  Each rebase triggers a basic build,
failing the CI job if the build breaks.

When a security-* branch is rebased, create a CI pipeline for its new
revision and rebase its corresponding bind-9.x-sub branch (if it exists)
on top of it, creating a rebase chain.

Report any failures in the process via Mattermost.

These changes enable treating security fixes similarly to other code
changes, without deferring merges all the way until release prep.

(cherry picked from commit af7d5e566e)
2026-04-30 13:25:42 +02:00
Ondřej Surý
c425827743 [9.20] fix: usr: prevent malicious DNSSEC zones from exhausting validator CPU
A DNSSEC-signed zone could publish a DNSKEY with an unusually large
RSA public exponent and force any validator resolving names in that
zone to spend disproportionate CPU verifying signatures.  The
validator now rejects such DNSKEYs, matching the limit already
applied to keys read from files or HSMs.

Closes #5881

Backport of MR !11917

Merge branch 'backport-5881-rsa-exponent-keytrap-cpu-amplification-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11923
2026-04-30 13:24:00 +02:00
Ondřej Surý
2b18aa9d59 Reject RSA DNSKEYs with oversize public exponents at parse time
The wire-format RSA DNSKEY parser was the only key path with no upper
bound on the public exponent — opensslrsa_parse and opensslrsa_fromlabel
already cap at RSA_MAX_PUBEXP_BITS.  An attacker-controlled DNSKEY could
therefore force a validator to compute s^e mod n with e up to ~|n| bits,
amplifying every verify by ~120x for typical 2048-bit moduli (OpenSSL
itself only caps the exponent for moduli above 3072 bits).  Apply the
same bit-count cap to wire-format keys.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit ab8c1a77e0)
2026-04-30 13:16:30 +02:00
Ondřej Surý
ca8315bb4d [9.20] fix: usr: Stop delv from aborting on a malformed query name
delv aborts with SIGABRT instead of exiting cleanly when given a query
name that fails wire-format conversion (e.g. a label longer than 63
octets). After this change delv prints the parse error and exits with
a normal failure code.

Closes #5916

Backport of MR !11921

Merge branch 'backport-5916-delv-run-resolve-null-detach-abort-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11927
2026-04-30 12:08:04 +02:00
Ondřej Surý
96d3b29968 Skip detach when delv's client never created
run_resolve allocates dns_client_t late, but the cleanup epilogue
called dns_client_detach() unconditionally. When convert_name() or
dns_client_create() failed first, the detach hit a NULL client and
the REQUIRE(DNS_CLIENT_VALID) inside it aborted the process with
SIGABRT instead of a clean error exit.

Guard the detach with a NULL check. Add a digdelv test that runs
delv on a query name whose first label exceeds 63 octets and
asserts the process does not exit 134.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit dba102ef16)
2026-04-30 12:07:49 +02:00
Ondřej Surý
49509dcbae [9.20] fix: usr: prevent rare named crash when notifies are cancelled
Under heavy load, named could occasionally crash when a queued
outbound notify or zone refresh was cancelled at the moment it
was being sent — for example, while a zone was being reloaded or
removed.  The race that caused the crash is now prevented.

Closes #5915

Backport of MR !11918

Merge branch 'backport-5915-ratelimiter-dequeue-tick-uaf-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11922
2026-04-30 12:04:06 +02:00
Ondřej Surý
9a15d2c973
Dispatch ratelimiter events under the lock
isc__ratelimiter_tick() and isc_ratelimiter_shutdown() each pulled
events out of rl->pending into a function-local list, dropped the
mutex, and then iterated.  ISC_LIST_APPEND leaves the link in the
LINKED state, so a concurrent isc_ratelimiter_dequeue() saw an
event as still queued, called ISC_LIST_UNLINK against rl->pending —
which patched the prev/next of the local list — and freed the
event before dispatch finished, producing either an INSIST in the
unlink macro or a use-after-free in the dispatch loop.

isc_async_run() is a non-blocking wfcq enqueue, so there is no
benefit to dropping the mutex around it.  Unlink each event and
hand it to isc_async_run() while still holding rl->lock; the
existing ISC_LINK_LINKED check in dequeue then correctly
distinguishes "still queued and cancellable" from "already taken".

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 4d465f4fa5)
2026-04-30 10:53:49 +02:00
Ondřej Surý
070b394f53 [9.20] fix: dev: free per-command rndc state when response serialisation fails
When isccc_cc_towire failed while building an rndc reply,
control_respond returned without releasing the per-command request,
response, HMAC secret copy, and text buffer.  They were eventually
freed when the connection closed, but until then the HMAC key copy
stayed in named's memory.  The failure path now goes through the
same cleanup label as every other error.

Closes #5913

Backport of MR !11915

Merge branch 'backport-5913-controlconf-control-respond-cleanup-leak-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11919
2026-04-30 10:31:47 +02:00
Ondřej Surý
88537d6d84 Run conn_cleanup on isccc_cc_towire failure in control_respond
The bare return left conn->secret, conn->response, conn->request, and
conn->text pinned until the connection itself was torn down — every
other error in the function reaches conn_cleanup via goto, and the
success path falls into the same label, so the towire-failure return
was the lone outlier.  Send it through the existing cleanup path.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 1b681dfa2f)
2026-04-30 07:33:28 +00:00
Ondřej Surý
3728b405ea [9.20] fix: dev: Fix swapped arguments in redirect2() single-label branch
On a recursive resolver with nxdomain-redirect configured, an
NXDOMAIN result for a query whose qname is the root could corrupt
the view's nxdomain-redirect target, after which the redirect
feature stopped working for every subsequent query in that view
until named was restarted.

Closes #5908

Backport of MR !11908

Merge branch 'backport-5908-query-redirect2-name-copy-arg-swap-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11913
2026-04-30 07:39:10 +02:00
Ondřej Surý
36897a0872 Fix swapped arguments in redirect2() single-label branch
For a query whose qname is the root, the labels==1 branch in
redirect2() called dns_name_copy(redirectname, view->redirectzone)
with arguments reversed, overwriting the view-global
nxdomain-redirect target with the empty redirectname rather than
copying the configured target into the per-query lookup name.  After
the corruption, view->redirectzone names the root, so
dns_name_issubdomain() makes redirect2() short-circuit for every
subsequent query and the nxdomain-redirect feature stops working
until named is restarted.

Triggering this needs the resolver to receive an NXDOMAIN for the
root from upstream, which does not happen in normal DNS operation.

Swap the arguments to match the dns_name_copy(source, dest)
signature.  Add a system test that issues a root query through the
nxdomain-redirect resolver and verifies the redirect feature still
works for a normal NXDOMAIN-producing query afterwards.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit c62f24f7ee)
2026-04-30 07:38:57 +02:00
Ondřej Surý
7e1eace6cd [9.20] fix: usr: Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits
`rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b`
range of 1..1024, but any value above 512 aborted on hardened builds
instead of producing a key. The full advertised range now works.

Closes #5903

Backport of MR !11903

Merge branch 'backport-5903-hmac-generate-stack-overflow-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11910
2026-04-30 07:06:31 +02:00
Ondřej Surý
45ea92ea4b
Size HMAC key generation buffers to the maximum block size
hmac_generate() declared its on-stack nonce buffer as
unsigned char data[ISC_MAX_MD_SIZE], i.e. 64 bytes. That is the maximum
digest size, but the buffer is filled up to the algorithm's HMAC block
size, which is 128 bytes for SHA-384 and SHA-512. Asking rndc-confgen
for an HMAC-SHA-384 or HMAC-SHA-512 key with -b > 512 (the documented
range allows up to 1024) wrote past the end of the stack buffer; on
hardened builds this aborted with a stack-smash detector firing
instead of producing a key.

Use the existing ISC_MAX_BLOCK_SIZE (128) for the buffer so the full
1..1024 range advertised by -A hmac-sha{384,512} works as documented.
The matching key_rawsecret[64] in confgen's generate_key() is enlarged
the same way so the generated key fits when dumped to the buffer.

Add a system test that exercises rndc-confgen across the previously
overflowing keysizes; with -Db_sanitize=address it caught the abort
before the fix.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 46f6bb6364)
2026-04-30 06:00:07 +02:00
Ondřej Surý
dc5eb3fe25 [9.20] fix: usr: Fix suppressed missing-glue check in named-checkzone
named-checkzone and named-checkconf -z silently skipped the
missing-glue check for any NS name that had already triggered an
extra-AAAA-glue warning, so zones missing required A glue could pass
validation and be deployed with broken delegations.

Backport of MR !11899

Merge branch 'backport-ondrej/check-tool-err-glue-code-collision-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11905
2026-04-29 18:13:23 +02:00
Ondřej Surý
5c1ccb1483 Resolve ERR_MISSING_GLUE / ERR_EXTRA_AAAA value collision
Both constants were defined as 5. The symbol table used by checkns() to
deduplicate log messages keys on (name, error_code), so logging an
extra-AAAA error caused logged() to also return true for the
missing-glue check, silently skipping the entire missing-glue block for
the same name in named-checkzone and named-checkconf -z.

Convert the ERR_* defines to an auto-numbered enum so the compiler
guarantees the values stay pairwise distinct.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 72d21a0806)
2026-04-29 15:31:58 +00:00
Colin Vidal
823d36c3a2 [9.20] chg: nil: Disable licensing check for root.hints
Removing REUSE licensing header check for `root.hints` files.

Backport of MR !11893

Merge branch 'backport-colin/disable-licensing-check-roothints-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11894
2026-04-28 16:51:41 +02:00
Colin Vidal
ecb96166b0 Remove licensing header check for root.hint[s]
Removing REUSE licensing header check for `root.hint` and `root.hints`
files.

Assisted-by: Claude:claude-opus-4-7
(cherry picked from commit 19a446f00e)
2026-04-28 14:41:49 +00:00
Ondřej Surý
c3ab432270 [9.20] new: doc: Add AI coding assistants guidance to CONTRIBUTING.md
Adapted from the Linux kernel's Documentation/process/coding-assistants.rst
to the BIND 9 context. Adds three subsections under the existing
"Guidelines for Tool-Generated Content" section:

- Licensing and legal requirements (MPL-2.0, SPDX identifiers).
- Signed-off-by and Developer Certificate of Origin: AI agents must
  not add Signed-off-by trailers; only the human submitter may
  certify the DCO.
- Attribution: the Assisted-by: AGENT_NAME:MODEL_VERSION trailer
  for recording AI involvement, with an explicit prohibition on
  AI-added Co-Authored-By trailers (Co-Authored-By designates a
  human co-author who shares responsibility).

Backport of MR !11888

Merge branch 'backport-ondrej/coding-assistants-doc-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11891
2026-04-27 10:58:12 +02:00
Ondřej Surý
8c26db3c8c Add AI coding assistants guidance to CONTRIBUTING.md
Adapted from the Linux kernel's Documentation/process/coding-assistants.rst
to the BIND 9 context. Adds three subsections under the existing
"Guidelines for Tool-Generated Content" section:

- Licensing and legal requirements (MPL-2.0, SPDX identifiers).
- Signed-off-by and Developer Certificate of Origin: AI agents must
  not add Signed-off-by trailers; only the human submitter may
  certify the DCO.
- Attribution: the Assisted-by: AGENT_NAME:MODEL_VERSION trailer
  for recording AI involvement, with an explicit prohibition on
  AI-added Co-Authored-By trailers (Co-Authored-By designates a
  human co-author who shares responsibility).

(cherry picked from commit 2339bcd493)
2026-04-27 08:12:28 +00:00
Ondřej Surý
9e34ef0f7e [9.20] fix: usr: Fix named crash when processing SIG records in dynamic updates
Previously, :iscman:`named` could abort if a client sent a dynamic update containing a SIG record (the legacy signature type) to a zone configured with an update-policy. The function `dns_db_findrdataset` had an incorrect requirements prerequisite that prevented SIG records being looked up, which was triggered as part of processing an UPDATE request and could be triggered remotely by any client permitted to send updates. This has been fixed by ensuring that SIG records are handled consistently with RRSIG records during update processing.

Closes #5818

Backport of MR !11864

Merge branch 'backport-5818-fix-update-of-sig-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11876
2026-04-17 19:24:17 +02:00
Matthijs Mekking
9c0e5da3aa Add test for SIG in prequisites of dynamic update
Make sure the nameserver correctly handles SIG records in the
prerequisites of the dynamic update. The first check is to ensure that
the prerequisites are not examined prior to checking the credentials.

The second test case checks that the SIG present prerequisite is
examined and therefore refuses the update. Also this should not trigger
an assertion failure in dns__db_findrdataset() (due to the REQUIRE()
only accepted dns_rdatatype_rrsig when the covers parameter was set).

(cherry picked from commit 51f27fda46)
2026-04-17 19:24:13 +02:00
Ondřej Surý
8f75c7c3dd Add AXFR regression test for SIG covers preservation
diff.c rdata_covers() runs on both dns_diff_apply (IXFR, ns/update.c
dynamic updates) and dns_diff_load (AXFR).  After the previous commit
refused SIG and NXT in dynamic updates, the AXFR path remains the
most natural way to drive legacy SIG records into a secondary's zone
DB and regression-gate the rdata_covers() fix.

The test adds ans11 as an AsyncDnsServer primary for a small zone
whose AXFR carries two SIG rdatas at the same owner with different
covered types (A, MX) and different TTLs (600, 1200), and declares
ns6 a secondary of that zone.  With the bug present, dns_diff_load
groups both tuples at typepair (SIG, 0) and the MX-covering record
inherits the first-seen TTL (600); the fix keeps them at (SIG, A)
and (SIG, MX) with their original TTLs.

rndc dumpdb -zones on the secondary is used to inspect stored state
directly, because the wire-level SIG query response merges
same-(owner,type,class) RRs and masks the per-rdataset TTLs.

(cherry picked from commit e9f880c78f)
2026-04-17 19:24:13 +02:00
Ondřej Surý
1a93486cde Refuse SIG and NXT records in dynamic updates
SIG (24) and NXT (30) are obsolete DNSSEC record types, superseded by
RRSIG and NSEC in RFC 3755.  Allowing them through dynamic update
exposes two distinct bugs that the surrounding GL#5818 work already
fixes as defense-in-depth:

  - dns__db_findrdataset() used to REQUIRE that (covers == 0 ||
    type == RRSIG), which aborts named when a SIG update reaches the
    prescan foreach_rr() call.  Fixed to accept dns_rdatatype_issig().
  - diff.c rdata_covers() used to test only RRSIG, dropping the
    covered-type field for SIG rdatas; the zone DB then filed every
    SIG rdataset under typepair (SIG, 0) instead of
    (SIG, covered_type) and follow-up adds collided at that bucket.
    Fixed to use dns_rdatatype_issig().

Both underlying bugs are still reachable via inbound zone transfer
(diff.c rdata_covers() runs from both dns_diff_apply on the IXFR path
and dns_diff_load on the AXFR path), so the type-helper fixes above
remain necessary.  For the dynamic-update path, the simplest and
safest posture is to refuse SIG and NXT outright at the front door in
ns/update.c, alongside the existing NSEC/NSEC3/non-apex-RRSIG
refusals.  KEY remains permitted because it is still used to carry
public keys for SIG(0) transaction authentication.

The existing tcp-self SIG regression test is repointed to assert
REFUSED on the SIG add, a symmetric NXT test is added, and the
SIG-via-dyn-update covers-bucket test is removed because it is no
longer reachable through this entry point; AXFR-based coverage of
diff.c rdata_covers() follows in a separate commit.

(cherry picked from commit 3a44a13232)
2026-04-17 19:24:13 +02:00
Ondřej Surý
bc771b033a Add regression test for SIG covers being dropped in dns_diff_apply
rdata_covers() in lib/dns/diff.c tests `type == dns_rdatatype_rrsig`
instead of dns_rdatatype_issig(), so for a legacy SIG (24) rdata it
returns 0 and the covered type is discarded on the dynamic-update /
IXFR path.  The zone DB then files every SIG rdataset under typepair
(SIG, 0) instead of (SIG, covered_type), and a follow-up add with a
different covers field but a different TTL collides at that bucket,
trips DNS_DBADD_EXACTTTL in qpzone, returns DNS_R_NOTEXACT, and comes
back to the client as SERVFAIL.

The new test adds a PTR to establish the node (tcp-self requires the
client IP's reverse form to equal the owner), then two SIG updates
with different covers and different TTLs; on a buggy build the second
update is SERVFAIL and named logs `dns_diff_apply: .../SIG/IN: add
not exact`.  The test is expected to pass once rdata_covers() is
switched to dns_rdatatype_issig(), matching the fix already adopted
for dns__db_findrdataset() on this branch and the helper pattern used
in master.c, xfrout.c, and qpcache.c.

(cherry picked from commit b9fc0e595b)
2026-04-17 19:24:13 +02:00
Ondřej Surý
2c2533774c Fix dropped covers field for SIG records in dns_diff_apply
rdata_covers() in lib/dns/diff.c discriminated only on
dns_rdatatype_rrsig (46) and returned 0 for the legacy SIG (24), so
the covered-type field was silently discarded on the dynamic-update
and IXFR paths.  Every SIG rdataset was then filed in the zone DB
under typepair (SIG, 0) instead of (SIG, covered_type); a second SIG
add with a different covers but a different TTL collided at that
bucket, tripped DNS_DBADD_EXACTTTL in qpzone, returned
DNS_R_NOTEXACT, and came back to the client as SERVFAIL.

Use dns_rdatatype_issig() here so both SIG and RRSIG carry their
covers through the diff, matching the helper pattern already used in
lib/dns/master.c, lib/ns/xfrout.c, lib/dns/qpcache.c, and the
dns__db_findrdataset() REQUIRE that the surrounding merge request
just relaxed.

(cherry picked from commit 0a5ba57116)
2026-04-17 19:24:13 +02:00
Ondřej Surý
7e5c15ce9b Add system test for SIG record handling in update-policy tcp-self
Verify that a SIG record sent via TCP dynamic update is accepted
by the tcp-self update-policy and correctly stored in the zone.

(cherry picked from commit ecddeab696)
2026-04-17 19:24:13 +02:00
Mark Andrews
62920a981f Fix assertion failure in dns_db_findrdataset() for SIG records
dns__db_findrdataset() had a REQUIRE() that only accepted
dns_rdatatype_rrsig when the covers parameter was set.  A dynamic
update containing a SIG record (type 24) would trigger this
assertion, crashing named.  Use dns_rdatatype_issig() to accept
both SIG and RRSIG.

(cherry picked from commit 03edeccaa1)
2026-04-17 19:24:13 +02:00
Ondřej Surý
5ede4a87eb [9.20] fix: dev: Fix inverted gethostname() check in rndc status
The replacement of named_os_gethostname() with raw gethostname()
inverted the success check: the "localhost" fallback runs on success,
and on failure the uninitialized hostname buffer is read by snprintf(),
leaking stack memory via the rndc status reply.

Closes #5889

Backport of MR !11879

Merge branch 'backport-5889-fix-gethostname-inverted-check-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11881
2026-04-17 18:46:53 +02:00
Ondřej Surý
1a4ec35e84 Fix inverted gethostname() check in rndc status
When named_os_gethostname() was replaced with raw gethostname(), the
success/failure polarity was flipped: the fallback to "localhost" now
runs on success and the hostname buffer is left uninitialized on
failure.  In the failure path, snprintf() then reads the uninitialized
stack buffer, disclosing stack contents via the rndc status reply.

(cherry picked from commit f7859247df)
2026-04-17 15:53:06 +00:00
Štěpán Balážik
02cdc61f5b [9.20] chg: test: Reimplement xfer/ans5 using ControllableAsyncServer
Backport of MR !11626

Merge branch 'backport-stepan/xfer-asyncserver-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11878
2026-04-17 15:16:41 +00:00
Štěpán Balážik
150c28fc9c Reimplement xfer/ans5 using ControllableAsyncServer
Remove the last usage of the `ans.pl` server and the server itself.

(cherry picked from commit f9ed3650ac)
2026-04-17 14:26:42 +00:00
Štěpán Balážik
80614f6a7f Convert responses to bytes before logging them in asyncserver
Ensure that the actual packet contents are logged including the TSIG
record which is calculated on `to_wire` call.

(cherry picked from commit 37b0502cf4)
2026-04-17 14:26:42 +00:00
Štěpán Balážik
e745990e5c Improve readability of endianness conversions
Replace the less obvious and less explicit `struct.unpack()` and
`struct.pack()` calls with calls to `int.from_bytes()` and
`int.to_bytes()`, respectively.

(cherry picked from commit e43fa1dc5a)
2026-04-17 14:26:42 +00:00
Štěpán Balážik
7ee0f2b7ad Refactor AxfrHandler and hoist it to isctest.asyncserver
It will be useful in the xfer system test as well.

(cherry picked from commit a58952e1f7)
2026-04-17 14:26:42 +00:00
Štěpán Balážik
a12ae42b94 Fix FallbackTooManyRecordsAxfrHandler to follow convention
All the other subclasses AxfrHandler send three messages.
This oversight was inherited from the original Perl implementation of
the server and was not fixed in 46ecbbe where it was rewritten.

This allows refactoring and sharing of the superclass.

(cherry picked from commit 93a8079489)
2026-04-17 14:26:42 +00:00
Andoni Duarte
1c642afd78 [9.20] new: ci: Add "assign-milestones" job to CI
After a release is signed (the "sign" job), the "assign-milestones" job
will assign issues and merge requests to the corresponding version
milestones.

Backport of MR !11868

Merge branch 'backport-andoni/add-assign-milestone-ci-job-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11871
2026-04-17 09:49:27 +00:00
Andoni Duarte Pintado
3d508bf12b Add job to assign issues and merge requests to version milestones
After a release is signed (the "sign" job), the "assign-milestones" job
will assign issues and merge requests to the corresponding version
milestones.

(cherry picked from commit ad95cdb9e2)
2026-04-17 09:42:46 +00:00
Andoni Duarte
33f90767c7 [9.20] new: ci: Extend the prepare-release-announcement job to post release links
The prepare-release-announcement job is now extended so that after
creating the announcement MR, it posts a message with links to the newly
released versions to Mattermost.

Backport of MR !11860

Merge branch 'backport-andoni/extend-prepare-release-announcement-with-urls-message-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11869
2026-04-17 08:53:49 +00:00
Andoni Duarte Pintado
bd7a39fb64 Extend the prepare-release-announcement job post release links
The prepare-release-announcement job is now extended so that after
creating the announcement MR, it posts a message with links to the newly
released versions to Mattermost.

(cherry picked from commit a486a38a7f)
2026-04-17 08:52:01 +00:00
Ondřej Surý
3a97d3c583 [9.20] new: doc: Document opt-in 🤖 marker for agent-authored issues and MRs
Add short notes in CONTRIBUTING.md telling automated agents to append
🤖 to the title of issues and merge requests so they can be routed
through the streamlined agent triage/merge process.

Backport of MR !11861

Merge branch 'backport-ondrej/agent-contributing-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11862
2026-04-16 19:10:39 +02:00
Ondřej Surý
f9ccbd95d7
Document opt-in 🤖 marker for agent-authored issues and MRs
Add short notes in CONTRIBUTING.md telling automated agents to append
🤖 to the title of issues and merge requests so they can be routed
through the streamlined agent triage/merge process.

(cherry picked from commit 2ec8d3ce7c)
2026-04-16 19:04:44 +02:00
Ondřej Surý
30b6c25c8b
Change the CONTRIBUTING to use Developer's Certificate of Origin 1.1
(cherry picked from commit 845eb2ebbc)
2026-04-16 19:04:36 +02:00
Štěpán Balážik
18e0fe880c [9.20] chg: ci: Test development version of libuv in CI
Recently, a broken version of libuv was released breaking BIND on
several platforms. The offending [commit](https://github.com/libuv/libuv/issues/5030) was on the development branch
for months, but we didn't notice.

In nightly pipelines, build the current 'main' (actually 'v1.x') branch
of libuv and run the unit and system tests against it.

Backport of MR !11647

Merge branch 'backport-stepan/prelease-testing-for-libuv-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11842
2026-04-15 14:49:04 +00:00
Štěpán Balážik
df1bde488c Test development version of libuv in CI
Recently, a broken version of libuv was released breaking BIND on
several platforms. The offending commit [1] was on the development
branch for months, but we didn't notice.

In nightly pipelines, build the current 'main' (actually 'v1.x') branch
of libuv and run the unit and system tests against it.

[1]: https://github.com/libuv/libuv/issues/5030

(cherry picked from commit 23d11de2b4)
2026-04-15 13:42:20 +00:00
Mark Andrews
35d94fffb0 [9.20] fix: usr: Remove unnecessary dns_name_free call
When processing a catalog zone member's primaries definition and
there is a TXT record containing an invalid name TSIG key name,
dns_name_free was incorrectly called triggering an assertion.
This has been fixed.

Closes #5858

Backport of MR !11832

Merge branch 'backport-5858-remove-unnecessary-dns-name-free-call-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11848
2026-04-15 13:53:52 +10:00