Commit graph

5965 commits

Author SHA1 Message Date
Nicki Křížek
ee73ba3bba Add private_key support to all ZoneKey implementations
Extend the ZoneKeyFile to read the file-backed private key and return it
in a format suitable for use with dnspython. Add ZoneKey.private_key
property to unify the interface.
2026-07-02 14:51:41 +02:00
Nicki Křížek
7f69a57021 Replace get_dnsalg() with kasp.Key.algorithm
The get_dnsalg() was just a compatibility layer for 9.18 which lacked
the Algorithm support - remove it in favor of using the .algorithm
property.

In order to properly support private OID algorithms, use the DST value
which is unique across all algorithms.

Also fix private_type_record(): the choice between the 5- and 7-byte
signing record depends on the DST value (256/257 for the private-OID
algorithms), not the on-wire number, which never reaches 256.

Assisted-by: Claude:claude-opus-4-8
2026-07-02 14:51:41 +02:00
Nicki Křížek
596e41553c Add NSEC3RSASHA1 to list of algorithms
This algorithm is deprecated and not currently used in our system tests,
but it should be in the list of all algorithms.
2026-07-02 14:51:41 +02:00
Nicki Křížek
55cd4a1e11 Move dnskey method from kasp.Key to zone.FileZoneKey
Code move with one change - switch dnskey TTL from 300s (DEFAULT_TTL) to
3600s (DNSKEY_TTL).

Assisted-by: Claude:claude-opus-4-8
2026-07-02 14:51:41 +02:00
Nicki Křížek
35fc5ce8b4 Merge kasp.Key functionality into zone.FileZoneKey
Make zone.FileZoneKey the single representation of a file-backed key
(typically generated by dnssec-keygen). Move the common key-related
functionality into zone.FileZoneKey, and extend that functionality in
kasp.Key to also add state and timing related operations on top. Remove
duplicate into_ta() function.

Note that is_ksk() is implemented differently for kasp.Key: with the
metadata file available, the KSK status is loaded from that file, as it
indicates the authoritative policy decision which makes the key a KSK.
In zone.FileZoneKey which doesn't work with the metadata file, the KSK
status if inferred from the DNSKEY SEP flag - the best information
available for that class.

Assisted-by: Claude:claude-opus-4-8
2026-07-02 14:51:41 +02:00
Nicki Křížek
9dc039f735 Read DNSKEY TTL from kasp.Key.dnskey
Remove the redundant ttl() method. The DNSKEY RR already provides the
TTL.
2026-07-02 14:51:41 +02:00
Ondřej Surý
6c968be47d Add a regression test for an RRSIG that covers a signature
The qpcache_rrsig_any test enumerated only meta-types as the covered
type, so an RRSIG covering RRSIG -- a non-meta signature type -- slipped
through the earlier meta-type hardening. Probe that case too.

Assisted-by: Claude:claude-opus-4-8
2026-07-02 13:26:48 +02:00
Ondřej Surý
ddb6cb5c93 Add a system test for CD=1 NXDOMAIN cache protection
Cache a DNSSEC-validated A record, then make a CD=1 query elicit an
unvalidated NXDOMAIN for the name: the secure RRset must survive, and an
uncached-type query must not get the wrong RRset back.

Assisted-by: Claude:claude-opus-4-8
2026-07-01 23:56:50 -07:00
Mark Andrews
5725c4191f Test oversized private record is properly ignored 2026-07-02 10:08:52 +10:00
Colin Vidal
5dde593aa4 System test for delegation TTL options
Add a system test which covers the behavior of the `min-delegation-ttl`
and `max-delegation-ttl` options (including default, disabling, and
enforcing that min- must be strictly less than max-).
2026-07-01 08:40:05 +02:00
Colin Vidal
ff274e37af Delegations have a minimal TTL of 60 seconds
Delegations are now stored in delegdb with a TTL of at least 60 seconds
by default. A new configuration option `min-delegation-ttl` allows
overriding this value or disabling entirely it with `0`.

This hardens the resolver against misconfigured glue or NS records
with very low TTLs, which would otherwise trigger delegation refetches
too often.

A new option `max-delegation-ttl` (which default to `0`) is also added,
enabling an operator to enforce a maximum TTL check for delegations.
2026-07-01 08:40:05 +02:00
Ondřej Surý
188aa43e48
Make isc_radix_insert, dns_iptable_addprefix/merge return void
isc_radix_insert can no longer fail: node allocation uses
isc_mem_get which aborts on OOM, and prefix copying was eliminated
by inlining. Propagate the void return through dns_iptable_addprefix,
dns_iptable_merge, dns_acl_any, dns_acl_none, and all their callers.
2026-07-01 06:09:42 +02:00
Michal Nowak
2541674a9a Fix typo in build_vars comment
Assisted-by: Claude:claude-opus-4-8
2026-06-30 17:03:25 +02:00
Alessio Podda
0001066fb6 Rename inline sync related methods
The inline sync related methods and structs retained the old
receive_secure_ prefix. Since there is no async tasks involved anymore
we change the naming scheme to a more descriptive one.
2026-06-30 12:36:46 +00:00
Alessio Podda
0bb6cd432c Add NSEC3-to-NSEC rollover regression test
Before this commit, the NSEC3-to-NSEC transition was only tested by
test_nsec_case[nsec3-to-rsasha1-ds.kasp], which is gated by
RSASHA1_SUPPORTED.

Add another test that does not depend on RSASHA1_SUPPORTED, so this
coverage also runs when RSASHA1 signing is unavailable, such as with
newer OpenSSL configurations.
2026-06-30 12:36:46 +00:00
Nicki Křížek
a2b9dcff54 Add dnssec_py/tests_sibling_ds: reject DS for sibling zones in referrals
Add a system test that verifies the resolver rejects DS records whose
owner name does not match the delegation (NS) name in a referral
response.

A custom authoritative server (ans4) serves the parent zone sibling-ds.
from zone file with delegations for child and sibling subzones.  Its
DomainHandler injects a DS record for sibling.sibling-ds into referrals
for child.sibling-ds.  The resolver must detect the mismatch, log "DS
doesn't match referral (NS)", and return SERVFAIL.

Assisted-by: Claude:claude-opus-4-8
2026-06-25 15:21:00 +10:00
Nicki Křížek
95a268f119 Don't include ORIGIN for AsyncDnsServer zones
The zone template can't use $ORIGIN with AsyncDnsServer because
AsyncDnsServer._load_zone_file_with_origin() rejects it for non-root
zones.
2026-06-25 15:21:00 +10:00
Alessio Podda
4fb662a171 Reproducer for #5876 child apex self-loop NSEC
Added to "nsec_synthesis" system test.

Co-Authored-By: Evan Hunt <each@isc.org>
2026-06-24 21:03:45 +00:00
Colin Vidal
49cb99bb08 Fix RRL random failure
RRL test were randomly failing because `ns2` hint files uses

```
.	NS	ns1.
ns1.	A	10.53.0.1
```

Whereas `ns1` root zone didn't contains `ns1.` as NS (but only `ns.`).
This is a problem with the following scenario:

- A query starts before priming;
- It gets the root hints as zonecut (with `. NS ns1.`, and no glues, this
  is how parent-centric currently works);
- Priming starts and complete (so now rootdb contains the answer/glues
  from `ns1` root file);
- Then the query go to ADB to resolve `ns1.`.

Resolution of `ns1.` fails since it doesn't exists from the rootdb
anymore. This is a configuration issue (the resolver behavior is correct
and expected) whch is now fixed.
2026-06-24 21:56:16 +02:00
Michal Nowak
b9cf877277 Retry pipequeries on a transient EADDRINUSE in the pipelined test
On FreeBSD, the TCP connect() call can transiently fail with
EADDRINUSE under parallel CI load.  The netmgr already retries such
connects (see #3451), but it retries on the same socket, which is
already bound to the same ephemeral source port, so when the
four-tuple is genuinely busy (e.g. in TIME_WAIT) every retry fails
the same way.  pipequeries then exits with "request event result:
address in use", leaving raw.1 empty and failing the first check.

All eight requests share a single TCP dispatch, so the failed connect
means no query ever reached ns4 and its cache is still cold.  It is
therefore safe to run pipequeries again: a fresh process binds a new
ephemeral port, and the out-of-order check keeps its meaning.  Retry
for up to ten attempts, but only on this specific transient error.

Assisted-by: Claude:claude-fable-5
Assisted-by: Claude:claude-opus-4-8
2026-06-24 17:15:42 +02:00
Nicki Křížek
fe2fea73a4 Add extra expired RRSIGs test to dnssec_py
The test verifies that a validating resolver enforces the
max-validations-per-fetch limit when encountering a record with multiple
expired RRSIGs followed by a valid one. One of the records is signed
three times: twice with expired timestamps (to produce two expired
RRSIGs for a.rrsigs-extra-expired/A) and once with valid timestamps,
after which the expired RRSIGs are injected back into the signed zone
file. max-validations-per-fetch is set to 2 via the template variable so
that the third (valid) RRSIG is never reached, causing SERVFAIL.

Assisted-by: Claude:claude-opus-4-8
2026-06-24 15:09:38 +02:00
Ondřej Surý
2327277f90 Fail the fetch when a response fails the TSIG signature check
A response that failed the signature check with a missing or unexpected
TSIG used to set nextitem, so the resolver kept reading the dispatch for
another response.  When the response was truncated with the TSIG cut off
the end of the wire, no further response ever arrived and the fetch
stalled until resolver-query-timeout.

Treat an unauthenticated response like every other signature-check
failure and finish the fetch immediately.  A response carrying a missing
or bogus TSIG now yields SERVFAIL instead of being skipped in favour of
a later one; the cookie system test that fed a spoofed TSIG response is
updated to expect that.  The unauthenticated data is still never
returned.
2026-06-24 12:18:19 +02:00
Aram Sargsyan
37f265f59a Add a new check in "inline" system test
This new check floods the server with DNS UPDATE messages for an
'inline-signing yes; sig-signing-signatures 1;' zone to see if
it manages to process the updates correctly.
2026-06-22 20:51:53 +00:00
Ondřej Surý
057042304d
Keep in-flight cache headers safe from LRU eviction during add
When the cache is over its size limit, qpcache_miss() runs LRU eviction
while add() is still in progress.  Eviction removes a header together
with its RRSIG/covered 'related' partner, so it could free a header the
add still needs -- the new header, the partner it was just paired with,
or the one about to be displaced for max-types-per-name.  With 'related'
now a counted reference, that became a use-after-free reachable under
sustained load.

Run the eviction last, after the new header is linked, bound and any
over-limit header removed, and skip the new header and its partner in
the eviction loop (the partner is marked visited so the SIEVE hand still
advances).  Per-header removal is factored into header_delete(),
expire_header() and flush_node().
2026-06-22 13:45:23 +02:00
Ondřej Surý
76e21399dd
Remove cache headers and empty slabtops eagerly in mark_ancient
Now that a bound rdataset keeps references to both the slabheader and
the node, an ancient header (and the slabtop it leaves empty) can be
removed from the cache immediately in mark_ancient, instead of being
parked on a per-node dirty list and reclaimed only once the node becomes
unreferenced.  This drops the dirty list and the clean_cache_* machinery
entirely.

Because the cache structure can now change under a node that still has
external references, the all-rdatasets iterator no longer walks the live
slabtop list: allrdatasets() binds every matching rdataset up front and
the iterator works from that snapshot, cloning out each entry.
2026-06-22 13:45:08 +02:00
Matthijs Mekking
fdf74636e2 Don't rely on smart signing in cds system test
With dnssec-signzone smart-signing (-S), the CDS and CDSNKEY are
derived from the key timing metadata and the configuration options (-G).

The test has specific test cases that smart signing (with the fix)
interferes with. Therefor, disable smart-signing in the cds system test.
2026-06-19 08:34:54 +00:00
Matthijs Mekking
89ebe61ad3 Add system test for reconfiguring CDS/CDNSKEY
When on an 'rndc reconfig' the DNSSEC policy changes such that it
changes the expected CDNSKEY/CDS records in the zone, the RRset should
be updated accordingly.

Add a test case where we reconfigure a zone with a policy such that
these records should be removed, and on a second reconfigure add
them back again.

Note the test deliberately adds a different CDS digest on the
second reconfigure.
2026-06-19 08:34:54 +00:00
Evan Hunt
dc2640f87d update tests_validation.py test for new behavior
Some of the tests in in dnssec/tests_validation.py worked by iterating
through the response message looking for failure conditions, such as
excessively high TTL values. In some cases, previous changes caused
additional data not to be returned. Since there was nothing to
iterate, the tests still "passed".

Tests that don't make sense anymore have been removed. Other tests that
iterate through responses have been updated with checks to ensure that
the responses actually do contain data.
2026-06-18 18:39:42 +00:00
Evan Hunt
25e5a72ab7 add isctest.check functions for section empty or non-empty
expand on the isctest.check.empty_answer() function, adding
empty_authority(), empty_additional(), has_answer(), has_authority(),
and has_additional().
2026-06-18 18:39:42 +00:00
Alessio Podda
680e0d8532 Reproducer for #5971 NSEC3 from ancestor zone
Create a new nsec3_wrong_zone system test as a regression test.

Co-Authored By: Evan Hunt <each@isc.org>
2026-06-18 10:01:37 -07:00
Alessio Podda
ee34bbd208 Add forward-first referral poisoning reproducer
Add a system test covering authority-section NS referrals returned by
configured forwarders under forward first.

The test verifies that a forwarder for fwd.hack cannot install the
parent hack zone cut and redirect resolution for the sibling zone
sibling.hack.
2026-06-18 12:13:32 +00:00
Matthijs Mekking
4c22fa0d56 Reproducer forwarder resend loop
Run malicious server: resend_loop/ans2/ans.py

Start BIND: ns1

Send single query to test.com

OBSERVED BEHAVIOR
The malicious server receives tens of thousands of resend packets
within seconds. CPU usage of the named worker thread remains elevated
(50–100% of one core) until the default fetch timeout (~10 seconds)
terminates the request. Instrumentation during testing confirmed that
isc_counter_used(fctx->qc) remains constant (value 1) throughout the
entire resend loop.
2026-06-18 08:49:23 +02:00
Colin Vidal
7a27fdf3be Cache glue only for enabled address families
When caching delegation NS data, only use A/AAAA glue records if the
resolver has the corresponding IPv4/IPv6 dispatcher configured. If IPv4
or IPv6 is disabled, ignore glue for that family and fall back to
caching the nameserver name if there is no glue from the other supported
family.

The new `cache_delegns` system test is covering delegation NS caching
with dual-stack resolver, IPv4-only, IPv6-only configurations. It also
set up an authoritative sever with zones with A-only, AAAA-only, and
dual-stack glue, which are all queried, and checks the delegation
database dump to confirm that the cached delegation data correspond to
the resolver configuration.
2026-06-18 08:48:20 +02:00
Colin Vidal
6645371566 remove GeoIP2 metro and metrocode
The `geoip metro` and `geoip metrocode` configuration options has been
removed as metro code are deprecated from MaxMind library.
2026-06-18 07:23:31 +02:00
Ondřej Surý
9608158d73 Add regression test for statistics-channel JSON free bug
Hit every JSON statistics endpoint several times.  The current code
calls json_object_put() on the response-body string pointer, which
doesn't crash just by accident - the memory position contains large
value from static string.
2026-06-18 07:10:01 +02:00
Štěpán Balážik
62a3804a4c Simplify the packets in the formerr system test
Normalize the message ID to 0 and the TTL of records to 1 unless
required (OPT and UPDATE records require TTL=0).

Rename the questionclass test case to twoquestionclasses for
consistency.
2026-06-17 20:08:48 +02:00
Štěpán Balážik
151b2d6045 Reimplement the FORMERR system test in Python
Replace the shell and Perl based FORMERR system test with a Python
test that constructs the malformed DNS packets directly and checks
the responses.

Remove the legacy shell and Perl test script and the intermediate
packet files in hex, leaving the packet construction inline in
tests_formerr.py.

Preserve the same wire for all packets sent to the server, but
construct them in a more explicit and readable way.
2026-06-17 20:08:48 +02:00
Nicki Křížek (GitLab job 7567049)
46feca4e4a Merge tag 'v9.21.23' 2026-06-17 13:48:49 +00:00
Alessio Podda
e1cb775e95 Add test for query statistics
Ensure that no per-zone glue statistic is printed unless
zone-statistics is set to full.
2026-06-17 14:06:12 +02:00
Colin Vidal
66af5b464d Use original query name when caching SERVFAIL
Instead of using `client->query.qname` when caching a SERVFAIL answer,
use `client->query.origqname` when available.

This avoids caching a SERVFAIL against a CNAME target when the failure
occurs while the resolver is following the CNAME chain. This is
problematic, for instance, when the SERVFAIL is triggered by the
`max-query-count` threshold being reached, which would incorrectly
prevent legitimate resolution of the CNAME target while in the SERVFAIL
cache.

Note that if the SERVFAIL genuinely originated from resolving the CNAME
target, that specific failure will no longer be cached, and a direct
query for the CNAME target will trigger a fresh (likely failing)
resolution attempt. However, this is still preferable to the previous
behaviour, which would wrongly prevent resolving the CNAME target if it
was cached for other reasons (like the example above).
2026-06-17 09:32:19 +02:00
Colin Vidal
d238b8eece
System test covering SERVFAIL cache and CNAME
Add a system test for the case where resolution SERVFAILs because the
fetch context reaches the `max-query-count` threshold while following a
CNAME.

Resolving the CNAME target independently should still work, because the
SERVFAIL cache stores the original query name rather than the target.
2026-06-17 06:42:16 +02:00
Nicki Křížek
72bda8335f Don't run vulture on ansX system test dirs
Exclude ansX directories from vulture, as splitting up the handlers into
multiple files gets flagged as unused code.
2026-06-16 19:07:06 -07:00
Evan Hunt
05691b53da Merge DNSSEC wildcard tests
Merge the tests for #5966 (F-043) and #5972 (F-045), previously called
dnssec_wildcard_additional and dnssec_replayed_parent_wildcard, into a
single directory with two modules.
2026-06-16 19:07:06 -07:00
Alessio Podda
99377e9fdd Reproducer for #5968 parent RRSIG in additional
Add a new "dnssec_parent_rrsig" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
2026-06-16 19:07:06 -07:00
Alessio Podda
4466bbcb4a Reproducer for #5972 DNS_R_FROMWILDCARD accepted
Add a new "dnssec_wildcard_additional" system test.

Co-Authored-By: Evan Hunt <each@isc.org>
2026-06-16 19:07:06 -07:00
Alessio Podda
1d4d3e09ad Reproducer for #5966 replay parent wildcard
Add a new "dnssec_replayed_parent_wildcard" system test.

Co-Authored-By: Matthijs Mekking <matthijs@isc.org>
2026-06-16 19:07:06 -07:00
Evan Hunt
6e44151466 add isctest.mark method for ecdsa_deterinistic
This checks support for ECDSA deterministic mode in the cryptography
library.
2026-06-16 19:07:06 -07:00
Matthijs Mekking
f678d03a67 Add isctest.check methods for AA flag
Similar to checking AD flag, add methods to see if the AA flag is
present or absent.
2026-06-16 14:45:49 -07:00
Ondřej Surý
153c9d3509 Poll for RPZ readiness in the servfail-until-ready test
RPZ is ready only once every policy zone has completed its first update,
and the zones do not finish in a fixed order, so whenever the updates
run serially (per-loop offload, or any single-CPU run): 'slow-rpz' zone
can finish before the others and the query still gets SERVFAIL.  Poll
the query until it returns NOERROR instead.

Assisted-by: Claude:claude-opus-4-8
2026-06-16 14:01:13 +02:00
Alessio Podda
c2ebd1f66e Add RRL cached NXDOMAIN system test
Add a Python system test that primes ns2's negative cache, queries the
cached NXDOMAIN through RRL, and verifies named remains responsive.
2026-06-16 11:47:09 +02:00