Closes #5414
Backport of MR !11406
Merge branch 'backport-5414-add-various-bailiwick-related-tests-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11408
A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get an
unlimited number of tries to spoof the answer. To limit impact, we
should not be accepting DNAME over insecure transport, like UDP without
cookies etc.
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.test. IN A
;ANSWER
trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
test. 3600 IN DNAME attacker.net.
;AUTHORITY
;ADDITIONAL
This has been discovered internally.
Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit e223ee7097)
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
;AUTHORITY
trigger$RANDOM.victim. 3600 IN NS ns.victim.
;ADDITIONAL
ns.victim. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 2".
Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit b5dc46fe6e)
Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
This attack was originally reported as "test case 1".
Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit 658d2e9f8e)
Before the fixes for CVE-2025-40778, a positive answer was allowed to
overwrite sibling NS RRs. The answer had to be a positive AA=1 answer
with a fake NS along with it. This combination of conditions avoided
the code path with "unrelated <RRTYPE>" detection logic.
If it were some other answer, named from the main branch would detect
the attempt and log:
DNS format error from 10.53.0.1#16386 resolving trigger/A for <unknown>: unrelated NS victim in trigger authority section
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM. IN A
;ANSWER
trigger$RANDOM. 3600 IN A 10.53.0.3
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
ns.attacker. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 1c".
Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit 26eed16d61)
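The four commit messages above each describe a spoofed reply shape (the DNAME case, "test case 2", "test case 1" and "test case 1c") that a resolver must refuse to learn from. The following is an added, constructed example of the kind of bailiwick filter a resolver applies to such replies; it is not BIND's code and does not reproduce named's actual logic. It assumes the resolver knows which zone the queried server is authoritative for (`zone`) and whether the reply arrived over a transport it considers secure (`secure_transport`), and it encodes three policies the messages describe: DNAME is trusted only over secure transport, an NS set whose owner is not an ancestor of the question name is "unrelated", and NS records riding along with a positive authoritative answer are not used to replace cached delegation data. The glue rule (addresses in the additional section are kept only for names inside the delegated child) is this example's own choice. The sample replies use `trigger12345` in place of `trigger$RANDOM`.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed example: a minimal bailiwick filter modelled on the spoofing
# shapes in the commit messages. Not BIND's implementation.


@dataclass(frozen=True)
class RR:
    name: str      # owner name, absolute (trailing dot)
    rtype: str
    rdata: str
    ttl: int = 3600


@dataclass
class Response:
    qname: str
    aa: bool       # AA flag of the reply
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def labels(name: str) -> List[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_bailiwick(name: str, zone: str) -> bool:
    """True when name equals zone or lies below it ("." matches everything)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def scrub(resp: Response, zone: str, secure_transport: bool) -> Tuple[List[RR], List[str]]:
    """Filter a reply from a server authoritative for `zone`.

    Returns (records to keep, one reason string per dropped record).
    """
    keep, dropped = [], []

    def drop(rr: RR, why: str) -> None:
        dropped.append(f"{rr.name} {rr.rtype}: {why}")

    # Answer section: records must be in the bailiwick and chain from the
    # question name (directly or via CNAME). A DNAME rewrites every name
    # under its owner, so it is only trusted over a secure transport.
    owners = {resp.qname.lower()}
    for rr in resp.answer:
        if not in_bailiwick(rr.name, zone):
            drop(rr, "out of bailiwick")
        elif rr.rtype == "DNAME":
            if not secure_transport:
                drop(rr, "DNAME over insecure transport")
            elif not in_bailiwick(resp.qname, rr.name) or labels(rr.name) == labels(resp.qname):
                drop(rr, "DNAME does not cover the question name")
            else:
                keep.append(rr)
        elif rr.name.lower() not in owners:
            drop(rr, "not part of the answer chain")
        else:
            keep.append(rr)
            if rr.rtype == "CNAME":
                owners.add(rr.rdata.lower())

    # Authority section: an NS set must be in the bailiwick and be an ancestor
    # of (or equal to) the question name, otherwise it is unrelated. A positive
    # authoritative answer carries no delegation to learn, so NS records that
    # ride along with one are not used to replace cached NS data.
    positive = resp.aa and bool(resp.answer)
    delegations, ns_targets = [], set()
    for rr in resp.authority:
        if not in_bailiwick(rr.name, zone):
            drop(rr, "out of bailiwick")
        elif rr.rtype != "NS":
            keep.append(rr)            # SOA, NSEC, ...: in bailiwick, keep
        elif not in_bailiwick(resp.qname, rr.name):
            drop(rr, "unrelated NS")
        elif positive:
            drop(rr, "unsolicited NS in positive answer")
        else:
            keep.append(rr)
            delegations.append(rr.name)
            ns_targets.add(rr.rdata.lower())

    # Additional section: only addresses of accepted NS targets, and only when
    # the owner lies inside the delegated child (true glue). Addresses of other
    # names in the parent are resolved separately, not learned from here.
    for rr in resp.additional:
        if rr.rtype not in ("A", "AAAA"):
            drop(rr, "unexpected additional record")
        elif rr.name.lower() not in ns_targets:
            drop(rr, "address not referenced by an accepted NS")
        elif not any(in_bailiwick(rr.name, child) for child in delegations):
            drop(rr, "address outside the delegated child (not glue)")
        else:
            keep.append(rr)
    return keep, dropped


# Constructed replies mirroring the shapes in the commit messages.
DNAME_CASE = Response("trigger12345.test.", aa=True, answer=[
    RR("trigger12345.test.", "CNAME", "trigger12345.attacker.net."),
    RR("test.", "DNAME", "attacker.net.")])
CASE_2 = Response("trigger12345.victim.", aa=False,
                  authority=[RR("trigger12345.victim.", "NS", "ns.victim.")],
                  additional=[RR("ns.victim.", "A", "10.53.0.3")])
CASE_1 = Response("trigger12345.victim.", aa=True,
                  answer=[RR("trigger12345.victim.", "TXT", '"spoofed answer with extra NS"')],
                  authority=[RR("victim.", "NS", "ns.attacker.")])
CASE_1C = Response("trigger12345.", aa=True,
                   answer=[RR("trigger12345.", "A", "10.53.0.3")],
                   authority=[RR("victim.", "NS", "ns.attacker.")],
                   additional=[RR("ns.attacker.", "A", "10.53.0.3")])


def dropped_reasons(resp: Response, zone: str, secure_transport: bool = False) -> List[str]:
    return scrub(resp, zone, secure_transport)[1]


if __name__ == "__main__":
    for label, resp, zone in (("DNAME", DNAME_CASE, "test."), ("case 2", CASE_2, "victim."),
                              ("case 1", CASE_1, "victim."), ("case 1c", CASE_1C, ".")):
        print(label, dropped_reasons(resp, zone))
```

Run as a script, each sample reply prints the records the filter refused: the DNAME over UDP, the non-glue address in the random-child referral, the apex NS set attached to a positive answer, and the NS set for an unrelated name together with its orphaned address. Switching `secure_transport` to `True` lets the DNAME through, which is the trade-off the first message describes.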
Add the zone files, configuration, and code that will be reused by all
tests related to CVE-2025-40778.
Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit 607974b1bc)
Add bin/tests/system/ans.py, a bare-bones DNS server that can be used in
system tests instead of full-blown named instances when a server is only
required to return zone-based data. Where applicable, this reduces load
on the test host and the amount of generated logs.
(cherry picked from commit 440e510f75)
This commit imports the latest version of asyncserver for system tests from
the BIND main branch, commit 4430632915.
Doing it this way is much easier than attempting to cherry-pick 40
individual commits which modify the asyncserver in the main branch.
A zone that is signed with NSEC3, opt-out enabled, and then reconfigured to use NSEC, causes the zone to be published with missing NSEC records. This has been fixed.
Closes #5679
Backport of MR !11359
Merge branch 'backport-5679-nsec3-optout-to-nsec-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11402
When switching from NSEC3 opt-out to NSEC, add NSEC records if we saw an
RR. This corrects a mistake in style cleanups done in commit
308ab1b4a5.
(cherry picked from commit 6f285bff6a)
If we change from NSEC3 to NSEC we should not produce a zone with
missing NSEC records.
The code only considered having seen a record if there was previously
a signature present at the owner name. However, with opt-out, insecure
delegations don't have an RRSIG record. Reconfiguring to NSEC causes
all insecure delegations to have a missing NSEC record.
Add a DNAME record to the test zone to also cover DNAME delegations.
(cherry picked from commit 3679bd4888)
Backport of MR !11392
Merge branch 'backport-mnowak/ignore-pytest-PytestRemovedIn9Warning-to-make-check-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11393
We need this to be able to use pytest 9.0 from Debian "sid".
Additionally, this error needs to be addressed before pytest 9.1 is
released, as the filter will no longer work. Also, all pytests in CI
images need to be upgraded to version 7, where the new API is supported.
Related #5690
Backport of MR !11379
Merge branch 'backport-mnowak/ignore-pytest-PytestRemovedIn9Warning-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11381
We need this to be able to use pytest 9.0 from Debian "sid".
Additionally, this error needs to be addressed before pytest 9.1 is
released, as the filter will no longer work. Also, all pytests in CI
images need to be upgraded to version 7, where the new API is supported.
We can't have the "filterwarnings" section in pytest.ini directly as
only pytest 8.0 knows about it.
(cherry picked from commit 0c5d9c00ef)
Backport of MR !11370
Merge branch 'backport-mnowak/add-tsan-reports-glob-to-expected-artifacts-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11372
When a query for type ANY triggered a delegation response, all additional data was omitted from the response, including mandatory glue. This has been corrected.
Closes #5659
Backport of MR !11283
Merge branch 'backport-5659-any-glue-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11368
When a query for type ANY triggers a delegation response, all
additional data was omitted from the response, including
mandatory glue. This has been corrected.
(cherry picked from commit aa13e62355)
Pytest sets the test names as `test_foo` and the old test runner spits
out `bin/tests/system/foo`.
Normalize this to match the new test runner.
Backport of MR !11085
Merge branch 'backport-stepan/match-pytest-junit-names-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11361
Pytest sets the test names as `test_foo` and the old test runner spits
out `bin/tests/system/foo`.
Normalize this to match the new test runner.
(cherry picked from commit 9d402aa100)
Improve and unify the handling of regular expressions when searching in logs, files and command output in system tests.
- Use `Re()` for constructing regular expressions, which is an imported shorthand for `re.compile()` (imported as `from re import compile as Re`)
- Add new `isctest.text.Text` interface which is a text wrapper that supports the `in` operator for line matching operation for both strings and regular expressions, e.g.:
- `assert "running" in ns1.log`
- `assert Re("a.example..*10.0.0.1") in response.out`
- Use the new `isctest.text.Text` for:
- `isctest.run.cmd()` output, where `.out` and `.err` can be used for stdout and stderr contents
- `NamedInstance.log` rather than the previous log interface (`.expect()` and `.prohibit()` are no longer available or needed. The `in` operator along with an `assert` statement can be used now instead.)
- `NamedInstance.rndc()` output, which returns output identical to `isctest.run.cmd()`
Backport of MR !11054
Merge branch 'backport-nicki/pytest-grep-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11343
To unify the command handling, utilize EnvCmd() to handle rndc commands:
1. Remove isctest.rndc abstractions. They were intended for an upcoming
python-only implementation. A couple of years later, it doesn't seem
to be coming any time soon, so let's stick with the interface that
makes sense today, i.e. use the same command handling interface
everywhere.
2. Remove the specialized rndc.log in favor of the generic logging
already implemented by isctest.run.cmd(). I believe the cause of the
many rndc(log=False) invocations was that nobody wanted this extra
file. Yet, logging everything by default makes sense for debugging,
unless there's a good reason not to. In almost all cases, logging was
switched to the default (enabled).
3. With the NamedInstance.rndc() call now returning CmdResult rather
than combined stdout+stderr string, adjust all the invocations to use
`.out` or `.err` as necessary.
4. Replace some manual rndc invocation and its base argument
construction with the standardized nsX.rndc() call.
5. In cases where rndc is expected to fail, utilize
raise_on_exception=False and check the `.rc` from the result, rather
than handling an exception.
6. In addzone/tests_rndc_deadlock.py, refactor the test slightly to
avoid using EnvCmd() entirely to avoid spamming the logs. This test
calls rndc in a loop from multiple threads and such a test case is an
exception which doesn't warrant changing the `isctest.run.cmd()`
implementation.
(cherry picked from commit f33e2b6d87)
A generic helper that calls the environment-specified binaries in a
developer-friendly manner, i.e. passing arguments as strings rather than
having to split them first.
The isctest.run.cmd() remains as the basis which provides a clean and
robust interface, while the isctest.run.EnvCmd() can be used as a
convenient wrapper for tests, or when there are some shared default
parameters.
The isctest.run.Dig() is superseded with the isctest.run.EnvCmd(). In
the future, we might revisit adding Dig() or command-specific helpers
again, but it probably only makes sense if they offer command-aware
attributes / methods, rather than just being shortcuts to
isctest.run.EnvCmd().
(cherry picked from commit ff613a72d7)
When commands are executed using the isctest.run.cmd() command, allow
the output to be Grep-able like logs and text files.
(cherry picked from commit 4b6a86b029)
Add a new Grep-like interface which can be used for searching for
regular expressions in files. Replace the prior LogFile used for named
logs with the new TextFile interface.
(cherry picked from commit 7743bab5fc)
Add a new module for working with text and keep the isctest.log.watchlog
module focused on its purpose. Move LogFile and LineReader into the new
module. Add compile_pattern() helper which will be useful in subsequent
commits.
(cherry picked from commit be6bae2a75)
It's a fairly common pattern to use regular expressions in our tests.
Instead of using the fairly verbose re.compile(), import that function
as Re() instead to allow for more brevity in the test syntax.
(cherry picked from commit ac7127d620)
Avoid repeating the .decode("utf-8") snippet when processing command
output and provide a helper instead, which leads to more concise code.
(cherry picked from commit ac998da3f6)
When creating an NSEC3 opt-out chain, a node in the chain could be removed too soon, causing the previous NSEC3 to be unfindable and resulting in invalid NSEC3 records being left in the zone. This has been fixed.
Closes#5671
Backport of MR !11328
Merge branch 'backport-5671-fix-dbiterator-prev-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11341
dns_rbtnodechain_prev requires the current node to still be valid
which was not always the case after dereference_iter_node was called.
Move the call to dereference_iter_node to after the dns_rbtnodechain_prev
to preserve the node.
(cherry picked from commit b677d31fca)
This test signs a large delegation with mostly insecure delegations
with NSEC3 optout. Once the NSEC3PARAM record is published, run
dnssec-verify to ensure the zone is correctly signed.
`padding` is incompatible with TSIG and SIG(0), not with "no" TSIG
and SIG(0).
Backport of MR !11333
Merge branch 'backport-each-fix-padding-doc-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11336
Previously, there were over 40 separate definitions of CHECK macros, of which most used "goto cleanup", and the rest "goto failure" or "goto out". There were another 10 definitions of RETERR, of which most were identical to CHECK, but some simply returned a result code instead of jumping to a cleanup label.
This has now been standardized throughout the code base: RETERR is for returning an error code in the case of an error, and CHECK is for jumping to a cleanup tag, which is now always called "cleanup". Both macros are defined in isc/util.h.
Backport of MR !10472
Merge branch 'each-check-and-cleanup-9.18' into 'bind-9.18'
See merge request isc-projects/bind9!11080