Commit graph

45513 commits

Author SHA1 Message Date
Mark Andrews
cd96894bcd
Remove remaining RFC 3445 KEY flags
RFC 3445 also eliminated the DNS_KEYTYPE_NOAUTH, DNS_KEYTYPE_NOCONF,
and DNS_KEYOWNER_ENTITY flags. With NOAUTH and NOCONF gone, the
concept of NOKEY can no longer be expressed in KEY records.

DNS_KEYOWNER_ENTITY was already unused as of 22d688f656 but still
defined; that is now also removed.
2026-05-05 10:17:31 +02:00
Evan Hunt
9c06f0a41d
Remove DNS_KEYFLAG_EXTENDED
The DNS_KEYFLAG_EXTENDED flag was only legitimate for type KEY
and was eliminated by RFC 3445. Dropping the extended-flags
handling in pub_compare() also fixes a possible crash when
signing a zone whose journal contains a crafted DNSKEY: a
6-byte record with the EXTENDED bit set produced a memmove()
length that underflowed and ran off a stack buffer.
2026-05-05 10:16:02 +02:00
Ondřej Surý
cf18479882 fix: usr: Prevent crafted queries from degrading RRL performance
With response rate limiting enabled, an attacker sending queries from many
spoofed source addresses could steer entries into the same slot of the
internal rate-limit table and slow down query processing on the affected
server. The table now uses a per-process keyed hash so the placement of
entries cannot be predicted or influenced from the network.

Closes #5906

Merge branch '5906-rrl-hash-collision-dos' into 'main'

See merge request isc-projects/bind9!11950
2026-05-04 14:58:42 +02:00
Ondřej Surý
a6b7ce29c4
Use a keyed hash for the RRL bucket table
The previous hash_key() was a deterministic, unkeyed (<<1) + add over the
key words.  An off-path attacker could invert it offline and submit
queries whose source /24, qname hash, and qtype map to a single bucket;
under chaining this turns every lookup into an O(N) walk under
rrl->lock and starves legitimate query processing on the very feature
deployed to mitigate DoS.

Replace it with isc_hash32(), which is HalfSipHash-2-4 keyed by a
per-process random seed, so collision sets cannot be precomputed.

Assisted-by: Claude:claude-opus-4-7
2026-05-04 13:39:01 +02:00
Evan Hunt
d12d3b2c09 chg: nil: Minor simplification in dnssec-keygen
The name of the key to generate can be passed to `keygen()` as a
string; we don't need to pass it using argc/argv.

Merge branch 'each-keygen-cleanup' into 'main'

See merge request isc-projects/bind9!11942
2026-05-01 20:22:58 +00:00
Evan Hunt
84f3a4aebe minor simplification in dnssec-keygen
The name of the key to generate can be passed to `keygen()` as a
string; we don't need to pass it using argc/argv.
2026-05-01 20:22:52 +00:00
Ondřej Surý
90c7385000 fix: dev: Avoid named assertion failure during parent-NS lookups when none exist
Configuring the root zone as a signed primary with parental agents (or with
notify-on-cds-changes) caused named to exit on an internal assertion as soon
as the DS-publication machinery tried to look up the parent NS RRset — the root
has no parent. The lookup is now short-circuited cleanly.

Similar, a zone with no NS records in the parent caused named to exit in the same way.

Closes #5910

Merge branch '5910-nsfetch-start-root-domain-assertion' into 'main'

See merge request isc-projects/bind9!11909
2026-05-01 08:18:44 +02:00
Ondřej Surý
141e8110f7 Guard parent-NS walk against running off the root
Once the walk reaches the root, splitting one more label off would
trip an internal assertion and abort named.  Stop cleanly with
ISC_R_NOTFOUND so the dispatcher cancels the fetch.  Only reachable
through misconfiguration (root configured as a primary with parental
agents, or a parent zone that NODATAs its own NS).

Assisted-by: Claude:claude-opus-4-7
2026-05-01 08:18:36 +02:00
Matthijs Mekking
1ce7cf2dd2 Change isctest.kasp.dnssec_verify to take FQDN
This is required to AXFR and verify the root zone and it makes no
difference for non-root zones (dnssec-verify takes FQDN or makes the
provided name absolute).
2026-05-01 08:18:36 +02:00
Matthijs Mekking
9e9af18e4a Add kasp test case for root with checkds enabled
Add a test case where the root zone has dnssec-policy configured, with
checkds enabled. This is a silly case because the root does not have
any parent NS records, but it should not crash the server.

The same is true for zones that do not have parent NS records, but
eventually they will hit the same code path.
2026-05-01 08:18:36 +02:00
Ondřej Surý
3c9a848be7 chg: dev: Catch rare named crash in recursive resolution earlier for diagnosis
A rare crash has been observed in named while it is resolving upstream nameserver
addresses for a recursive query, surfacing as a segmentation fault with no immediate
clue as to the cause. This change adds internal consistency checks so that a future
occurrence of the same condition aborts named with a diagnostic message at the point
the inconsistency arises, rather than corrupting state and crashing later in
an unrelated location.

Closes #5602

Merge branch '5602-adb-find-sanity-checks' into 'main'

See merge request isc-projects/bind9!11943
2026-05-01 07:50:38 +02:00
Ondřej Surý
2d468cb21f Assert adb find loop-affinity invariant at lifetime entry points
The dns_adbfind_t lifetime model has no reference counting; storage
liveness is held together by find->lock and the FIND_EVENT_SENT
idempotency flag, plus an unwritten cross-module rule that all
non-trivial operations on a find run on find->loop. If a caller
violates that rule, the unlock-relock window in dns_adb_cancelfind
(and similar paths) becomes a use-after-free and we crash later
inside libpthread on a corrupted mutex.

Add REQUIREs at dns_adb_cancelfind, dns_adb_destroyfind and
find_sendevent so a violation aborts at the offending call site
rather than silently freeing storage another loop is still touching.
Also poison find->magic with ~DNS_ADBFIND_MAGIC in free_adbfind so
DNS_ADBFIND_VALID catches reuse-after-free at the next public entry
point instead of letting the dangling pointer reach the mutex code.

Assisted-by: Claude:claude-opus-4-7
2026-05-01 07:50:29 +02:00
Ondřej Surý
7b87ab0236 fix: dev: Harden dig's EDNS option parsing against malformed replies
dig's parser for EDNS options in a DNS reply now stops cleanly when an
option declares a length that runs past the end of the option data,
rather than trusting the upstream OPT-record validator to reject the
reply first. This is a defensive change; behavior is unchanged in
practice.

Merge branch 'ondrej/dig-process-opt-edns-optlen-oob' into 'main'

See merge request isc-projects/bind9!11937
2026-05-01 07:19:57 +02:00
Ondřej Surý
0d0f69db89 Bound EDNS option length in dig's process_opt() walk
process_opt() reads the per-option (optcode, optlen) header from the
OPT rdata and then advances the buffer by optlen, both for the COOKIE
branch (via process_cookie()) and for any other optcode.  The walk
itself never compared optlen to the buffer remainder; the only reason
it cannot trip the isc_buffer_forward() REQUIRE today is that
fromwire_opt() (lib/dns/rdata/generic/opt_41.c) already validates each
option's length against the rdata bounds before the rdataset is
handed back, so process_opt() never sees a self-inconsistent rdata.

That upstream guarantee is fine, but it leaves the local walker
trusting an invariant established elsewhere.  Add a defensive check
that just stops the walk when a future caller (a cached message, an
alternate parser, a refactor of the OPT validator) hands process_opt()
a buffer where optlen would run past the end.

Assisted-by: Claude:claude-opus-4-7
2026-05-01 07:19:49 +02:00
Michał Kępień
5c66f1a241 fix: ci: Use "git push --force-with-lease" for autorebases
If a merge request is merged to an autorebased branch while it is
getting rebased, the "git push -f" command at the end of the autorebase
job will cause the contents of that merge request to be silently deleted
from Git history even though the merge request will still be (correctly)
shown as "merged" by GitLab.

Use "git push --force-with-lease" instead to prevent force-pushing the
rebased version of the branch if it is pushed to after its pre-rebase
version is fetched by the autorebase job.  Report such an event
accordingly.  For simplicity, no retries are attempted as the problem is
expected to be resolved by the next autorebase and the chances of this
scenario happening in practice are already low to begin with.

Merge branch 'michal/use-git-push-force-with-lease-for-autorebases' into 'main'

See merge request isc-projects/bind9!11939
2026-04-30 22:34:55 +02:00
Michał Kępień
f5a7671107
Use "git push --force-with-lease" for autorebases
If a merge request is merged to an autorebased branch while it is
getting rebased, the "git push -f" command at the end of the autorebase
job will cause the contents of that merge request to be silently deleted
from Git history even though the merge request will still be (correctly)
shown as "merged" by GitLab.

Use "git push --force-with-lease" instead to prevent force-pushing the
rebased version of the branch if it is pushed to after its pre-rebase
version is fetched by the autorebase job.  Report such an event
accordingly.  For simplicity, no retries are attempted as the problem is
expected to be resolved by the next autorebase and the chances of this
scenario happening in practice are already low to begin with.
2026-04-30 22:19:59 +02:00
Ondřej Surý
31818f6417 fix: usr: Reject negative and out-of-range TTLs in dnssec-* tools
The dnssec-* tools accepted negative and out-of-range values for TTL
flags such as dnssec-keygen -L, dnssec-signzone -t and
dnssec-settime -L, silently turning them into TTLs of around 136 years
in the resulting key or zone files. The flag values are now validated
and rejected with a clear "TTL must be non-negative" or "TTL out of
range" error.

Closes #5923

Merge branch '5923-dnssectool-strtottl-negative-ttl-accepted' into 'main'

See merge request isc-projects/bind9!11933
2026-04-30 17:40:39 +02:00
Ondřej Surý
51774decd2 Reject negative and out-of-range TTLs in dnssec-* tools
strtottl() parsed the operator's TTL string with strtol() and assigned
the long directly to dns_ttl_t (uint32_t) with no sign or ERANGE
check. The only validation was the "no digits parsed" branch, so a
fully-consumed "-1" became UINT32_MAX (~136 years) and was silently
written into DNSKEY/key files by dnssec-keygen -L, dnssec-signzone -t,
dnssec-settime -L, etc. Any signing pipeline interpolating the TTL
from a variable could mint a key with a multi-decade TTL and never see
an error.

Switch to strtoul(), reject a leading '-' explicitly (strtoul silently
negates), check errno == ERANGE, and reject values exceeding
UINT32_MAX before handing the result to time_units(). The pre-existing
multiplication wrap inside time_units() is tracked separately.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 17:40:19 +02:00
Colin Vidal
ffb5b76dbf fix: test: Fix cyclic_glue system test
The `cyclic_glue` system test was not explicitly waiting for the dump to
complete. As a result, the test could read an outdated dump file and
perform assertions on database state. Fix this by waiting for `dumpdb`
command to finish before reading `named_dump.db`.

Merge branch 'colin/fix-cyclic_glue-test' into 'main'

See merge request isc-projects/bind9!11934
2026-04-30 16:31:21 +02:00
Colin Vidal
69fad4f7a4 Fix cyclic_glue system test
The `cyclic_glue` system test was not explicitly waiting for the dump to
complete. As a result, the test could read an outdated dump file and
perform assertions on database state. Fix this by waiting for `dumpdb`
command to finish before reading `named_dump.db`.
2026-04-30 16:31:16 +02:00
Ondřej Surý
d455794d0d fix: dev: Reject RSA DNSKEYs with degenerate modulus
A crafted DNSKEY rdata whose declared exponent length consumed the
whole buffer produced an RSA key with no modulus, which dnssec-importkey
accepted as valid and wrote to a .private file with no key material.
The wire-format parser now rejects RSA public keys with a modulus
smaller than 512 bits, the lowest legitimate size across the RSA
DNSSEC algorithms.

Closes #5920

Merge branch '5920-opensslrsa-fromdns-zero-modulus-accepted' into 'main'

See merge request isc-projects/bind9!11929
2026-04-30 15:50:37 +02:00
Ondřej Surý
045d5d0455 Reject RSA DNSKEYs with degenerate modulus at parse time
The wire-format RSA DNSKEY parser used the residual rdata length after
the exponent as the modulus length, with no positive lower bound.  A
crafted DNSKEY whose declared exponent length consumed the whole buffer
produced n = 0; the BN_bin2bn(_, 0, _) returned a non-NULL BIGNUM, the
NULL-check passed, and dnssec-importkey -f wrote out a "valid" key with
no key material.  RSASHA1 also bypassed the algorithm-specific lower
bound in opensslrsa_createctx (which only checks an upper bound for the
SHA1 algorithms), so the degenerate key reached the verify path with
whatever behaviour the linked OpenSSL exhibits for n = 0.

Add OPENSSLRSA_MIN_MODULUS_BITS = 512 (the lowest legitimate modulus
across the RSA DNSSEC algorithms per RFC 5702) and reject smaller
moduli at parse time in opensslrsa_fromdns, opensslrsa_parse, and
opensslrsa_fromlabel — the same three load paths where the existing
exponent upper-bound check lives.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 15:50:32 +02:00
Ondřej Surý
62ced63e22 fix: usr: Fix dig -x crash on excessively long arguments
dig -x crashed with a segmentation fault rather than printing an
error when given an argument with thousands of dot-separated
components. dig -x now rejects such inputs cleanly with "Invalid IP
address".

Closes #5917

Merge branch '5917-dig-reverse-octets-stack-overflow' into 'main'

See merge request isc-projects/bind9!11928
2026-04-30 14:02:08 +02:00
Ondřej Surý
f1ec5e1809 Process dig -x reverse octets iteratively
reverse_octets() recursed once per dot, with depth bounded only by
ARG_MAX (~2 MiB on Linux), so feeding dig -x a deep input like
'1.1.1.…1' busted the call stack and crashed the tool with SIGSEGV
instead of a structured error.  The transformation it performs is
purely textual (split on '.', emit components in reverse), so the
recursion was never load-bearing.

Walk the input once into a fixed-size array of label slices, capped at
DNS_NAME_MAXLABELS (which is the most we could ever fit into the
result buffer anyway), then iterate the array in reverse to write the
output.  Inputs with more than DNS_NAME_MAXLABELS labels now return
DNS_R_NAMETOOLONG, which dig.c surfaces as 'Invalid IP address' and
exit 1.  Drop the unnecessary (int) casts on ptrdiff_t/size_t lengths
while at it.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 14:02:02 +02:00
Michał Kępień
688e8667a3 new: ci: Set up automatic rebasing for security-* branches
Introduce a set of private branches containing only security fixes that
are automatically rebased onto the corresponding open source branches
whenever new changes are merged.  Each rebase triggers a basic build,
failing the CI job if the build breaks.

When a security-* branch is rebased, create a CI pipeline for its new
revision and rebase its corresponding bind-9.x-sub branch (if it exists)
on top of it, creating a rebase chain.

Report any failures in the process via Mattermost.

These changes enable treating security fixes similarly to other code
changes, without deferring merges all the way until release prep.

Merge branch 'michal/autorebase-chain' into 'main'

See merge request isc-projects/bind9!11930
2026-04-30 12:17:32 +02:00
Michał Kępień
af7d5e566e
Set up automatic rebasing for security-* branches
Introduce a set of private branches containing only security fixes that
are automatically rebased onto the corresponding open source branches
whenever new changes are merged.  Each rebase triggers a basic build,
failing the CI job if the build breaks.

When a security-* branch is rebased, create a CI pipeline for its new
revision and rebase its corresponding bind-9.x-sub branch (if it exists)
on top of it, creating a rebase chain.

Report any failures in the process via Mattermost.

These changes enable treating security fixes similarly to other code
changes, without deferring merges all the way until release prep.
2026-04-30 11:58:55 +02:00
Ondřej Surý
ddf6239534 fix: usr: Stop delv from aborting on a malformed query name
delv aborts with SIGABRT instead of exiting cleanly when given a query
name that fails wire-format conversion (e.g. a label longer than 63
octets). After this change delv prints the parse error and exits with
a normal failure code.

Closes #5916

Merge branch '5916-delv-run-resolve-null-detach-abort' into 'main'

See merge request isc-projects/bind9!11921
2026-04-30 10:56:18 +02:00
Ondřej Surý
dba102ef16 Skip detach when delv's client never created
run_resolve allocates dns_client_t late, but the cleanup epilogue
called dns_client_detach() unconditionally. When convert_name() or
dns_client_create() failed first, the detach hit a NULL client and
the REQUIRE(DNS_CLIENT_VALID) inside it aborted the process with
SIGABRT instead of a clean error exit.

Guard the detach with a NULL check. Add a digdelv test that runs
delv on a query name whose first label exceeds 63 octets and
asserts the process does not exit 134.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 10:56:11 +02:00
Ondřej Surý
120eaf546f fix: usr: prevent malicious DNSSEC zones from exhausting validator CPU
A DNSSEC-signed zone could publish a DNSKEY with an unusually large
RSA public exponent and force any validator resolving names in that
zone to spend disproportionate CPU verifying signatures.  The
validator now rejects such DNSKEYs, matching the limit already
applied to keys read from files or HSMs.

Closes #5881

Merge branch '5881-rsa-exponent-keytrap-cpu-amplification' into 'main'

See merge request isc-projects/bind9!11917
2026-04-30 10:55:49 +02:00
Ondřej Surý
ab8c1a77e0 Reject RSA DNSKEYs with oversize public exponents at parse time
The wire-format RSA DNSKEY parser was the only key path with no upper
bound on the public exponent — opensslrsa_parse and opensslrsa_fromlabel
already cap at RSA_MAX_PUBEXP_BITS.  An attacker-controlled DNSKEY could
therefore force a validator to compute s^e mod n with e up to ~|n| bits,
amplifying every verify by ~120x for typical 2048-bit moduli (OpenSSL
itself only caps the exponent for moduli above 3072 bits).  Apply the
same bit-count cap to wire-format keys.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 10:55:42 +02:00
Ondřej Surý
d079ca1b92 fix: usr: prevent rare named crash when notifies are cancelled
Under heavy load, named could occasionally crash when a queued
outbound notify or zone refresh was cancelled at the moment it
was being sent — for example, while a zone was being reloaded or
removed.  The race that caused the crash is now prevented.

Closes #5915

Merge branch '5915-ratelimiter-dequeue-tick-uaf' into 'main'

See merge request isc-projects/bind9!11918
2026-04-30 10:16:46 +02:00
Ondřej Surý
4d465f4fa5 Dispatch ratelimiter events under the lock
isc__ratelimiter_tick() and isc_ratelimiter_shutdown() each pulled
events out of rl->pending into a function-local list, dropped the
mutex, and then iterated.  ISC_LIST_APPEND leaves the link in the
LINKED state, so a concurrent isc_ratelimiter_dequeue() saw an
event as still queued, called ISC_LIST_UNLINK against rl->pending —
which patched the prev/next of the local list — and freed the
event before dispatch finished, producing either an INSIST in the
unlink macro or a use-after-free in the dispatch loop.

isc_async_run() is a non-blocking wfcq enqueue, so there is no
benefit to dropping the mutex around it.  Unlink each event and
hand it to isc_async_run() while still holding rl->lock; the
existing ISC_LINK_LINKED check in dequeue then correctly
distinguishes "still queued and cancellable" from "already taken".

Assisted-by: Claude:claude-opus-4-7
2026-04-30 10:16:32 +02:00
Ondřej Surý
bf7ee390ba fix: dev: free per-command rndc state when response serialisation fails
When isccc_cc_towire failed while building an rndc reply,
control_respond returned without releasing the per-command request,
response, HMAC secret copy, and text buffer.  They were eventually
freed when the connection closed, but until then the HMAC key copy
stayed in named's memory.  The failure path now goes through the
same cleanup label as every other error.

Closes #5913

Merge branch '5913-controlconf-control-respond-cleanup-leak' into 'main'

See merge request isc-projects/bind9!11915
2026-04-30 09:33:00 +02:00
Ondřej Surý
1b681dfa2f
Run conn_cleanup on isccc_cc_towire failure in control_respond
The bare return left conn->secret, conn->response, conn->request, and
conn->text pinned until the connection itself was torn down — every
other error in the function reaches conn_cleanup via goto, and the
success path falls into the same label, so the towire-failure return
was the lone outlier.  Send it through the existing cleanup path.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 06:47:39 +02:00
Ondřej Surý
28025ceff8 fix: dev: remove the rndc testgen command
testgen existed only to let the rndc system test generate large response payloads.
It accepted an unbounded count and was reachable from read-only control channels,
so any read-only rndc client could drive named into memory exhaustion. The command
and its supporting test helper are gone; remaining rndc commands already produce
non-trivial responses, so transport coverage is preserved.

Closes #5911

Merge branch '5911-rndc-testgen-32bit-truncation-memory-exhaustion' into 'main'

See merge request isc-projects/bind9!11912
2026-04-30 06:35:07 +02:00
Ondřej Surý
ac79f8cfeb Remove the rndc testgen command
testgen existed solely to let the rndc system test exercise large
response payloads — it has no operator value, accepts an unbounded
count, and could be invoked by any read-only rndc client to drive
named into memory exhaustion.  Drop the command, the gencheck helper
that validated its output, and the buffer-size loop in the rndc
system test; the remaining rndc subcommands already produce
non-trivial responses, so the framing path stays exercised.

Assisted-by: Claude:claude-opus-4-7
2026-04-30 06:35:01 +02:00
Ondřej Surý
f5853e765f fix: dev: Fix swapped arguments in redirect2() single-label branch
On a recursive resolver with nxdomain-redirect configured, an
NXDOMAIN result for a query whose qname is the root could corrupt
the view's nxdomain-redirect target, after which the redirect
feature stopped working for every subsequent query in that view
until named was restarted.

Closes #5908

Merge branch '5908-query-redirect2-name-copy-arg-swap' into 'main'

See merge request isc-projects/bind9!11908
2026-04-29 21:46:32 +02:00
Ondřej Surý
c62f24f7ee Fix swapped arguments in redirect2() single-label branch
For a query whose qname is the root, the labels==1 branch in
redirect2() called dns_name_copy(redirectname, view->redirectzone)
with arguments reversed, overwriting the view-global
nxdomain-redirect target with the empty redirectname rather than
copying the configured target into the per-query lookup name.  After
the corruption, view->redirectzone names the root, so
dns_name_issubdomain() makes redirect2() short-circuit for every
subsequent query and the nxdomain-redirect feature stops working
until named is restarted.

Triggering this needs the resolver to receive an NXDOMAIN for the
root from upstream, which does not happen in normal DNS operation.

Swap the arguments to match the dns_name_copy(source, dest)
signature.  Add a system test that issues a root query through the
nxdomain-redirect resolver and verifies the redirect feature still
works for a normal NXDOMAIN-producing query afterwards.

Assisted-by: Claude:claude-opus-4-7
2026-04-29 21:46:27 +02:00
Ondřej Surý
c137dcd1a4 fix: usr: Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits
`rndc-confgen -A hmac-sha384` and `-A hmac-sha512` documented a `-b`
range of 1..1024, but any value above 512 aborted on hardened builds
instead of producing a key. The full advertised range now works.

Closes #5903

Merge branch '5903-hmac-generate-stack-overflow' into 'main'

See merge request isc-projects/bind9!11903
2026-04-29 20:34:31 +02:00
Ondřej Surý
46f6bb6364
Size HMAC key generation buffers to the maximum block size
hmac_generate() declared its on-stack nonce buffer as
unsigned char data[ISC_MAX_MD_SIZE], i.e. 64 bytes. That is the maximum
digest size, but the buffer is filled up to the algorithm's HMAC block
size, which is 128 bytes for SHA-384 and SHA-512. Asking rndc-confgen
for an HMAC-SHA-384 or HMAC-SHA-512 key with -b > 512 (the documented
range allows up to 1024) wrote past the end of the stack buffer; on
hardened builds this aborted with a stack-smash detector firing
instead of producing a key.

Use the existing ISC_MAX_BLOCK_SIZE (128) for the buffer so the full
1..1024 range advertised by -A hmac-sha{384,512} works as documented.
The matching key_rawsecret[64] in confgen's generate_key() is enlarged
the same way so the generated key fits when dumped to the buffer.

Add a system test that exercises rndc-confgen across the previously
overflowing keysizes; with -Db_sanitize=address it caught the abort
before the fix.

Assisted-by: Claude:claude-opus-4-7
2026-04-29 19:21:20 +02:00
Ondřej Surý
ce77138b5c fix: dev: Do not follow symlinks when chowning the NZD database
When `named` runs as root, the per-view NZD database file is chowned
to the user `named` drops to. The chown call followed symlinks, so a
symlink at the database path could redirect the ownership change to an
unrelated file. The chown now refuses non-regular files and never
follows symlinks.

Closes #5905

Merge branch '5905-nzd-env-close-symlink-chown' into 'main'

See merge request isc-projects/bind9!11907
2026-04-29 19:18:55 +02:00
Ondřej Surý
63d30566bb Stop nzd_env_close from chowning through symlinks
When named is running as root, nzd_env_close() chowns the per-view
NZD database file to the unprivileged user that named will drop to.
The call used chown(), which follows symlinks, so a symlink at the
NZD path would silently transfer ownership of whatever the link
pointed at instead of the database file itself.

Switch to lstat() + S_ISREG() + lchown() so the chown only fires when
the path is a regular file and never traverses a symlink even if one
is planted between the lstat and the lchown.

Assisted-by: Claude:claude-opus-4-7
2026-04-29 19:18:47 +02:00
Ondřej Surý
b8e09a5b5f fix: usr: Validate key names in rndc-confgen, tsig-keygen, ddns-confgen
The three tools embedded the key-name argument verbatim into the
generated `named.conf` block, so a name containing characters like
`"`, `{`, or `;` produced output that did not match the intended
`key` clause. Key names are now restricted to letters, digits, dots,
hyphens, and underscores.

Closes #5904

Merge branch '5904-confgen-keyname-config-injection' into 'main'

See merge request isc-projects/bind9!11904
2026-04-29 18:12:52 +02:00
Ondřej Surý
d5ba6e1c26 Reject unsafe key names in rndc-confgen, tsig-keygen, ddns-confgen
The three tools interpolated their key-name argument verbatim into the
generated 'key "..." { ... };' clause. A name containing '"', '{', '}',
or ';' could close the clause and append additional named.conf
statements — for example, a second key block with an attacker-chosen
secret. The injected output passes named-checkconf and is loaded by
named as a valid configuration. The risk shows up when an automation
wrapper feeds tenant or zone names from a less-trusted source through
-k / -y / -s / -z (or the tsig-keygen positional argument).

Validate the final key name (after the optional -s / -z suffix is
concatenated in tsig-keygen) against [A-Za-z0-9._-]+ and exit with an
error otherwise. The allowlist covers the documented usage; every
character used in the injection vectors is excluded.

Add a system test that runs the documented PoC payloads through each
tool and asserts a non-zero exit, plus sanity coverage for the default
key names and dotted DNS-style names.

Assisted-by: Claude:claude-opus-4-7
2026-04-29 18:12:35 +02:00
Ondřej Surý
e75f146485 fix: usr: Fix suppressed missing-glue check in named-checkzone
named-checkzone and named-checkconf -z silently skipped the
missing-glue check for any NS name that had already triggered an
extra-AAAA-glue warning, so zones missing required A glue could pass
validation and be deployed with broken delegations.

Merge branch 'ondrej/check-tool-err-glue-code-collision' into 'main'

See merge request isc-projects/bind9!11899
2026-04-29 17:31:30 +02:00
Ondřej Surý
72d21a0806 Resolve ERR_MISSING_GLUE / ERR_EXTRA_AAAA value collision
Both constants were defined as 5. The symbol table used by checkns() to
deduplicate log messages keys on (name, error_code), so logging an
extra-AAAA error caused logged() to also return true for the
missing-glue check, silently skipping the entire missing-glue block for
the same name in named-checkzone and named-checkconf -z.

Convert the ERR_* defines to an auto-numbered enum so the compiler
guarantees the values stay pairwise distinct.

Assisted-by: Claude:claude-opus-4-7
2026-04-29 17:31:23 +02:00
Ondřej Surý
1064d11af2 fix: dev: Validate -l and -L numeric arguments in named-checkzone
named-checkzone and named-compilezone parsed the -l (max TTL) and -L
(source serial) arguments with strtol(), so a negative value such as
-1 silently became UINT32_MAX and out-of-range values were truncated
to 32 bits without warning; -l in particular appeared to cap TTLs but
no longer enforced anything. Both flags now go through isc_parse_uint32()
and reject any value that is not a valid 32-bit unsigned integer.

Merge branch 'ondrej/named-checkzone-strtol-truncation' into 'main'

See merge request isc-projects/bind9!11900
2026-04-29 17:25:53 +02:00
Ondřej Surý
042e86fa84 Validate -l and -L arguments in named-checkzone
The -l (max TTL) and -L (source serial) flags parsed their arguments
with strtol() and assigned the result directly to uint32_t with no
range check. A negative value such as -1 became UINT32_MAX, which made
-l silently disable the TTL cap it claimed to enforce, and out-of-range
values truncated to 32 bits without warning.

Switch both flags to isc_parse_uint32(), which rejects leading non-
alphanumeric input (catching '-'), checks ERANGE, and validates the
32-bit range, so an invalid argument now exits with an error instead
of being silently coerced.

Assisted-by: Claude:claude-opus-4-7
2026-04-29 17:25:49 +02:00
Ondřej Surý
468b09feb2 fix: usr: Stop rndc-confgen from following symlinks when writing the keyfile
When rndc-confgen -a (re)created the rndc control key, it followed a
symbolic link if one happened to exist at the keyfile path: the
existence check looked through the link, then the file was truncated,
its ownership changed, and the key contents written into whatever file
the link pointed at. rndc-confgen now refuses to follow symbolic links
at the keyfile path and fails with an error instead, so the wrong file
can no longer be overwritten by accident.

Merge branch '5901-rndc-confgen-symlink-attack' into 'main'

See merge request isc-projects/bind9!11902
2026-04-29 16:56:37 +02:00
Ondřej Surý
6082274450 Stop isc_file_safecreate from following symlinks
The function existence-checked the target with stat() and then opened
the same path without O_NOFOLLOW, so a symlink at the target path
passed the regular-file test against the link's destination and the
open() that followed truncated and wrote through the link.
rndc-confgen -a is typically run as root and writes the keyfile under
a directory that service accounts may have write access to, so a stray
symlink there would silently redirect the truncate, fchown, and
overwrite to whatever file the link pointed at.

Switch the existence check to lstat() and use S_ISREG() so a symlink's
S_IFLNK mode is detected directly (a plain bitmask of S_IFREG matches
both, since S_IFLNK shares its high bit). Add O_NOFOLLOW to both
open() flag sets to close the lstat/open TOCTOU window. Hardening
against unexpected symlinks on intermediate path components is out of
scope.

Assisted-by: Claude:claude-opus-4-7
2026-04-29 16:56:25 +02:00