Commit graph

44094 commits

Author SHA1 Message Date
Andoni Duarte Pintado
7d0b4d4d43 Update BIND version for release 2026-05-08 16:39:34 +02:00
Andoni Duarte
7c1a11a552 new: doc: Prepare documentation for BIND 9.20.23
Merge branch 'andoni/prepare-documentation-for-bind-9.20.23' into 'v9.20.23-release'

See merge request isc-private/bind9!1030
2026-05-08 14:36:24 +00:00
Andoni Duarte Pintado
231f99328a Tweak and reword release notes 2026-05-08 15:28:01 +02:00
Andoni Duarte Pintado
6a65bf467b Prepare release notes for BIND 9.20.23 2026-05-08 11:55:07 +02:00
Andoni Duarte Pintado
79f71827d0 Generate changelog for BIND 9.20.23 2026-05-08 11:55:06 +02:00
Ondřej Surý
e40dfdaedc
[9.20] fix: dev: Pass empty string instead of NULL to ns_client_dumpmessage()
Pass "" instead of NULL to ns_client_dumpmessage() to get the log message printed.

Backport of MR !1022

Merge branch 'backport-ondrej/fix-ns_client_dumpmessage-calls-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!1023
2026-05-07 13:09:18 +02:00
Aydın Mercan
b86a641823
[9.20] [CVE-2026-3593] sec: usr: Add system test for HTTP/2 SETTINGS frame flood
A use-after-free vulnerability in the DNS-over-HTTPS implementation could cause named to crash when a client sends a flood of HTTP/2 SETTINGS frames while a DoH response is being written. This affects servers with DoH (DNS-over-HTTPS) enabled.

ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting this.

For: https://gitlab.isc.org/isc-projects/bind9/-/issues/5755

Backport of https://gitlab.isc.org/isc-private/bind9/-/merge_requests/949

Merge branch '5755-security-heap-user-after-free-http2-settings-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!992
2026-05-07 13:09:18 +02:00
Ondřej Surý
005e151c5b
Pass empty string instead of NULL to ns_client_dumpmessage()
The two new call sites added by the CLASS-validation work passed NULL
as the reason, but ns_client_dumpmessage() bails out early on a NULL
reason — so the message dump never happened. The intent was to dump
the message and let the follow-up ns_client_log() carry the reason
text, so pass "" to suppress the prefix without short-circuiting the
dump.

(cherry picked from commit 3401cbd16f44b4ecb8b57dc9d1951037db6d0e32)
2026-05-07 13:09:18 +02:00
Ondřej Surý
9a7f5627e0
[9.20] chg: usr: Fix CPU spikes and slow queries when cache approaches memory limit
When the cache grew close to the configured max-cache-size, every
subsequent entry triggered all worker threads to run cache cleanup at
once, causing CPU spikes and a drop in query throughput. Cleanup is now
spread probabilistically across inserts as memory approaches the limit,
so the work is distributed evenly instead of piling up at the threshold.

Backport of MR !1002

Merge branch '5891-improve-overmem-cleaning-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!1000
2026-05-07 13:09:18 +02:00
Aydın Mercan
637a127f65
Fix use-after-free in DoH write buffer after HTTP/2 send
After the send callback completes, the UV request is freed but
the HTTP/2 socket's write buffer still points to the freed memory.
If nghttp2 subsequently needs to send frames (e.g. SETTINGS ACK),
the server_read_callback reads from the dangling buffer.

Clear the write buffer before freeing the UV request.

(cherry picked from commit 6afc4270e0323a52262802d553dda8233df36d42)
2026-05-07 13:09:18 +02:00
Ondřej Surý
4c1547e4b5
[9.20] [CVE-2026-5946] sec: usr: Disable recursion, UPDATE, and NOTIFY for non-IN views
Recursion, dynamic updates (UPDATE), and zone change notifications
(NOTIFY) are now disabled for views with a class other than IN
(such as CHAOS or HESIOD); authoritative service for non-IN zones
(e.g. version.bind in class CHAOS) continues to work as before.
Servers configured with recursion yes in a non-IN view will log a
warning at startup, and named-checkconf flags the same condition.
UPDATE and NOTIFY messages that specify the meta-classes ANY or NONE
in the question section are now rejected with FORMERR.

This addresses a set of closely related security issues collectively
identified as CVE-2026-5946. ISC would like to thank Mcsky23 for
bringing these issues to our attention.

Backport of https://gitlab.isc.org/isc-private/bind9/-/merge_requests/936

Merge branch 'each-security-disable-chaos-recursion-security-bind-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!1009
2026-05-07 13:09:18 +02:00
Ondřej Surý
ddd5586a51
Make isc_mem_isovermem() probabilistic
Replace the hysteretic hi_water/lo_water switch with a stochastic
check: always false below lo_water, always true at or above hi_water,
linearly ramped probability in between.  This spreads cache cleaning
across many inserts instead of triggering a thundering herd once the
hi_water mark is crossed (which causes every addrdataset to enter the
LRU purge path simultaneously and serializes lookups behind the node
write locks).

The is_overmem atomic and its stores are no longer needed and are
removed.  The existing tests that asserted specific hysteretic state
transitions are simplified to check only the deterministic boundaries.

(cherry picked from commit ee24d2a1c3361dcc1c48fb29bb2e0b91bc3405e8)
2026-05-07 13:09:18 +02:00
Aydın Mercan
a083b4b3cf
Add system test for HTTP/2 SETTINGS frame flood
Send a valid DoH query followed by a flood of SETTINGS frames to
trigger a use-after-free in the write buffer.  Under ASan, named
will abort if the bug is present.

(cherry picked from commit 680e57c8c7110828da22cbc94115a10e8dec2523)
2026-05-07 13:09:18 +02:00
Ondřej Surý
83ff826b22
[9.20] [CVE-2026-3039] sec: usr: Fix GSS-API resource leak
Fixed a memory leak where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a server with tkey-gssapi-keytab configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting.

Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round.

Also implemented missing RFC 3645 requirement: the client now verifies that mutual authentication and integrity flags are granted by the GSS-API mechanism (Section 3.1.1).

Closes: https://gitlab.isc.org/isc-projects/bind9/-/issues/5752

Backport of !965

Merge branch 'backport-5752-fix-memory-leak-in-TKEY-negotiation-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!974
2026-05-07 13:09:18 +02:00
Evan Hunt
a2d74e7356
Make the RD flag optional in isctest.query()
Add an 'rd' parameter (default True) to isctest.query.create() so
that non-recursive queries can be sent with rd=False.

(cherry picked from commit 12e5113100)
2026-05-07 13:09:18 +02:00
Ondřej Surý
f6d193147a
[9.20] fix: dev: Fix crash in resolver when SIG(0)-signed responses are received under load
A resolver could crash when handling a SIG(0)-signed response if the
matching client query was cancelled while signature verification was
still in progress — for example, when the recursive-clients quota
was exhausted. This has been fixed.

Closes isc-projects/bind9#5819

Merge branch 'backport-5819-fix-heap-use-after-free-in-resquery_response_continue-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!1001
2026-05-07 13:09:18 +02:00
Ondřej Surý
11276087a7
Fix output token and GSS context leaks in TKEY/GSS-API error paths
In dst_gssapi_acceptctx(), rename outtoken to outtokenp (matching BIND
convention for output pointer parameters) and free the allocated output
token buffer on error in the cleanup path.

In process_gsstkey(), route the empty-principal error path through
cleanup via CLEANUP() instead of returning early, so that the output
token, GSS context, and TSIG key are all freed consistently by the
existing cleanup block.

(cherry picked from commit 6c46c85d02849fb659584275313529794039f433)
2026-05-07 13:09:18 +02:00
Evan Hunt
14f755029d
Test server behavior when sending various UPDATE requests
Send update messages for zones with CLASS0, ANY and NONE.  The class
ANY UPDATE also attempts to delete a KX record in an existing IN
class zone to trigger a REQUIRE.

Test that the server is still running.

(cherry picked from commit 1fa1e84d286d5a6d9d3b72ed1c2c29142f40c81d)
2026-05-07 13:09:18 +02:00
Colin Vidal
06a0738b2b
[9.20] [CVE-2026-3592] sec: usr: Limit resolver server list size
When resolving a domain with many nameservers that share overlapping IP addresses (e.g., 10 NS records all pointing at the same set of addresses), BIND could previously waste time querying duplicate addresses and build up excessively large server lists. Deduplicate addresses in the resolver's server list so that each unique IP is only queried once per resolution attempt, regardless of how many NS records point to it, and cap the number of addresses stored per nameserver name to 6 (combined A and AAAA), preventing memory and CPU overhead from domains with unusually large NS/glue sets.

Closes isc-projects/bind9#5641

Backport of !909

Merge branch 'backport-5641-selfpointedglue-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!951
2026-05-07 13:09:18 +02:00
Ondřej Surý
1222a2aa05
Fix use-after-free in resolver SIG(0) async verification path
When a SIG(0)-signed response triggers async ECDSA verification via
dns_message_checksig_async(), the respctx_t holds a raw pointer to
the resquery_t. If the fetch context is shut down while verification
is in flight (e.g. due to recursive-clients quota exhaustion), the
query is destroyed and the callback dereferences a dangling pointer.

Take a reference on the resquery_t when initializing the respctx_t,
and release it in both cleanup paths. The query's own reference to
the fetch context keeps the fctx alive transitively.

(cherry picked from commit 5b58caf5a2cd39d57a51b7b0373bfbc4877a96f9)
2026-05-07 13:09:18 +02:00
Ondřej Surý
9367f7037c
Add regression test for GSS-API context leak via TKEY CONTINUE
Send crafted SPNEGO NegTokenInit tokens that propose the krb5
mechanism without a mechToken.  This causes gss_accept_sec_context()
to return GSS_S_CONTINUE_NEEDED, which on unfixed code leaks the
GSS context handle (~520 bytes per query).

The test verifies that the server rejects the negotiation (TKEY
error != 0, no continuation token) rather than returning a CONTINUE
response (error=0 with output token).

(cherry picked from commit 2f2fb32d737e12c817880d584145cdf85dbc8d06)
2026-05-07 13:09:18 +02:00
Evan Hunt
aecc27189f
Test UPDATE behavior in CHAOS and other non-IN classes
Send various UPDATE requests that are known to have caused
crashes previously with deliberately misconfigured non-IN
zones; confirm that UPDATE is not processed.

(cherry picked from commit e2f7ba2a4b6e7e5dba2fb1a2c9b2f0323e9a88be)
2026-05-07 13:09:18 +02:00
Colin Vidal
1c390aacae
[9.20] [CVE-2026-5950] sec: usr: Avoid unbounded recursion loop
A bug during bad server handling could cause the resolver to enter an infinite loop, continuously sending queries to an upstream server with no exit condition, until the resolver query timeout was hit. This has been fixed.

ISC would like to thank Billy Baraja (BielraX) for bringing this issue to our attention.

Closes isc-projects/bind9#5804

Backport of !985

Merge branch 'backport-5804-incr-query-counters-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!981
2026-05-07 13:09:18 +02:00
Colin Vidal
2be8bdb3f4
Add SRTT-based server selection system test
Verify that the resolver selects authoritative servers in increasing
SRTT order.  Four servers are configured with increasing response
delays.  100 queries are sent, expecting most to go to the fastest
server (ns2).  Then ns2 stops responding, another 100 queries are
sent and should go to ns3 (the next fastest), and so on through
ns4 and ns5.  Each query uses a unique name to avoid cache hits.

(cherry picked from commit a8d11e14f5b4e4d53219ba751d1b741162b0b84b)
2026-05-07 13:09:18 +02:00
Ondřej Surý
9bdace3fa3
Fix GSS-API context leak in TKEY negotiation
Reject multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) in
dst_gssapi_acceptctx().  Each call to gss_accept_sec_context()
allocates a context inside the GSS library; without this fix, the
context handle was passed back to process_gsstkey() which did not
store it persistently, leaking it on every incomplete negotiation.

An unauthenticated attacker could exhaust server memory by sending
repeated TKEY queries with GSSAPI tokens, each leaking one GSS
context.  The leaked memory is allocated by the GSS library via
malloc(), bypassing BIND's memory accounting.

In practice, Kerberos/SPNEGO (the only mechanism used with BIND)
completes in a single round, so rejecting continuation does not
affect real-world deployments.  See RFC 3645 Section 4.1.3.

(cherry picked from commit 3d8e0d068f08694282c5ecd3bd6c332de6c75485)
2026-05-07 13:09:18 +02:00
Evan Hunt
8b62c25306
Test CHAOS view recursion behavior
Check that recursive and forward queries to views of type CHAOS
are REFUSED, but that authoritative queries are answered correctly.

(cherry picked from commit f33927cd3dd1195f3e70f5798ff7c384f265867e)
2026-05-07 13:09:18 +02:00
Aram Sargsyan
fd9d4639c2
[9.20] sec: usr: Fix outgoing zone transfers' quota issue
Unauthorized clients could consume the outgoing zone transfer quota
and block authorized zone transfer clients. This has been fixed.

Backport of MR !971

Fixes isc-projects/bind9#3589

Merge branch 'backport-3859-security-xfrout-quota-fix-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!996
2026-05-07 13:09:18 +02:00
Colin Vidal
ac3ea4ecd4
rctx_resend() increments query counters
Calls to `rctx_resend()` are done internally within the resolver, in
flows which are not supposed to happen more than once. For instance,
if some query fails, and a specific flag "F" wasn't set, then set the
flag and try again. This wouldn't occur more than once because if the
query fails on the next attempt, the flag "F" would already be set, so the
resolver would move to the next server (or give up).

However, a subtle bug, for instance a missing check of a flag, could lead
to an unbounded loop retrying to query the same server. This is now
impossible as `rctx_resend()` also increments the query counters (so if
such a case occurs, it would stop once the maximum limit is reached).

The dns_resstatscounter_retry counter is also only incremented if the
`fctx_query()` succeeds, similar to what is done in `fctx_try()`.

(cherry picked from commit f3e74304889a2e8b69c8e88fc9a383589decda32)
2026-05-07 13:09:18 +02:00
Colin Vidal
4340b3537d
Add system test for self-pointed glue deduplication
Test the resolver's behavior with self-pointed glue where each NS
has the same set of addresses.  Verify that addresses are
deduplicated and each unique IP is only queried once.

Also test the ADB address limit knob (-T adbaddrslimit=).

(cherry picked from commit c21fc6cb95d77312d6fb891f17ce9df41a25af6d)
2026-05-07 13:09:18 +02:00
Evan Hunt
ec1404cc4c
Skip "deny-answer-address" for non-IN addresses
Ensure that we don't attempt an ACL match for answer addresses
when handling a class-CHAOS zone. This is an additional line of
defense for YWH-PGM40640-74.

(cherry picked from commit e62673c765b52307c800e86f0185fe52b573c145)
2026-05-07 13:09:18 +02:00
Aram Sargsyan
69fb85d994
Apply XFR-out quota after ACL is checked
Unauthorized clients can consume XFR-out quota and block authorized
XFR clients. Apply the quota after ACL is checked.

(cherry picked from commit 5615e6c47a2cd00d82d48b568cc55a4b89daa330)
2026-05-07 13:09:18 +02:00
Colin Vidal
ae554715ae
Refactor incrementing query counters
Move the logic incrementing the query counter and the global query
counter into a dedicated helper function.

(cherry picked from commit 05d6da2de54c093689e675e81ae898ee41220666)
2026-05-07 13:09:18 +02:00
Colin Vidal
b456007e2d
Remove duplicate addresses from the resolver SLIST
The SLIST (essentially `fctx->finds`, forwarders and dual-stack
alternatives aside) can have duplicate server addresses when multiple
in-domain nameservers share the same IP addresses:

  sub.example.          NS      ns1.sub.example.
  sub.example.          NS      ns2.sub.example.
  ns1.sub.example.      A       1.2.3.4
  ns1.sub.example.      A       5.6.7.8
  ns2.sub.example.      A       1.2.3.4
  ns2.sub.example.      A       5.6.7.8

If both 1.2.3.4 and 5.6.7.8 fail to return a valid answer, the resolver
would query each address twice.

The problem is fixed by replacing the two-phase server selection (sort
each find list by SRTT, sort finds by head SRTT) with a single linear
scan in nextaddress() that finds the lowest-SRTT unmarked, non-duplicate
address across all find lists.

The old approach had a correctness bug: after sorting, the resolver
picked the next address from the "current" find list rather than
globally.  For example, with find lists [1, 15, 26] and [3, 4, 5], the
second pick would be SRTT 15 instead of the correct SRTT 3.

The new approach is both simpler and correct: each call to nextaddress()
walks all addresses, skips marked and duplicate entries, and returns the
one with the lowest SRTT.  While this walk is repeated for each server
attempt, it operates on a small bounded list and is negligible compared
to the network I/O of querying the server.

(cherry picked from commit b1c5856a3764b4025e93f8baf06c45c8fa029752)
2026-05-07 13:09:18 +02:00
Mark Andrews
a40325c6a2
Reject meta-classes in UPDATE and NOTIFY messages
NOTIFY and UPDATE messages must specify a data class in the
QUESTION/ZONE section.  NONE and ANY are meta-classes and not
appropriate here.  Return FORMERR if either is used.

Rejecting messages with a query class of NONE addresses YWH-PGM40640-72,
YWH-PGM40640-82, and YWH-PGM40640-83.  Rejecting messages with a query
class of ANY addresses YWH-PGM40640-87, YWH-PGM40640-88, and
YWH-PGM40640-117.

Fixes: isc-projects/bind9#5778
Fixes: isc-projects/bind9#5782
Fixes: isc-projects/bind9#5783
Fixes: isc-projects/bind9#5797
Fixes: isc-projects/bind9#5798
Fixes: isc-projects/bind9#5853

(cherry picked from commit c66a1b1e1bfd6c79d7b9bc8d4a59e69f4faa1563)
2026-05-07 13:09:18 +02:00
Alessio Podda
85edb6b184
Add xfr quota starvation system test
Add a starvation test that tries to starve the XFR quota with
unauthorized requests.

(cherry picked from commit 53135592b7ff6c272b6577b2e7747258628442e3)
2026-05-07 13:09:18 +02:00
Matthijs Mekking
7577e00479
Add reproducer for BADCOOKIE resend loop
Run malicious server: resend_loop/ans3/ans.py

Start BIND: ns4

Send single query to test.example

The resolver will repeatedly resend queries until the fetch timeout
expires, resulting in thousands of qrysent while the quota
counter remains 0.

(cherry picked from commit 7eeb463bc58cbd71419aaf189d7829f2dfd8d055)
2026-05-07 13:09:18 +02:00
Colin Vidal
1bedd7f244
Limit the number of addresses returned per ADB find
Add a hard limit on the number of addresses that ADB returns from a
single NS lookup (dns_adbfind_t).  This mitigates a flood attack
where an attacker controls a zone with many addresses for a
nameserver, each returning an invalid response.  The global
max-query count (default 50) also limits this, but significant harm
can be done before that limit is reached.

The default limit is now 6 (v4 and/or v6) addresses for an ADB find (that is,
the ADB looking up the A/AAAA addresses of a nameserver name). It can be
overridden for testing via 'named -T adbaddrslimit=N'.

(cherry picked from commit 3ec37fc69356ee682bee7f67940613ac31d93d7b)
2026-05-07 13:09:18 +02:00
Ondřej Surý
39a4ad2330
Validate DNS message CLASS early in request processing
Reject requests with unsupported or misused CLASS values before
further processing.  Only IN, CH, HS, RESERVED0 (for DNS Cookies),
ANY (for TKEY negotiation), and NONE (for DNS UPDATE) are accepted;
all other classes return NOTIMP.  Misuse of NONE or ANY outside
their allowed contexts returns FORMERR.

This adds further protection against bugs of the same general class
as YWH-PGM40640-70 and YWH-PGM40640-73.

(cherry picked from commit 0a687451505037e9f9a850c9cb113aed4995b03f)
2026-05-07 13:09:18 +02:00
Evan Hunt
134706912f
Disable UPDATE and NOTIFY for non-IN classes
Return NOTIMP for UPDATE and NOTIFY requests received for views with a
class other than IN.  Only QUERY is now supported for non-IN views such
as CHAOS.

When running dns_rdata_tostruct() with types that are only defined
for class IN, ensure that the class is correct before proceeding.

Add an assertion that any zone being updated is of class IN. (Note
that previously, a DLZ zone could have its class value set incorrectly
to NONE; this has been fixed.)

This addresses YWH-PGM40640-70 and YWH-PGM40640-73 (as well as any
similar problems that might have occurred in the future) by minimizing
the code paths that can be reached by rdata classes other than IN, so it
is safe for the implementation to assume that rdatatypes that are only
defined for class IN, such as SVCB or WKS, have been parsed and
validated, and not accepted as unknown/opaque data.

Fixes: isc-projects/bind9#5777
Fixes: isc-projects/bind9#5779

(cherry picked from commit a6d8e330ed6cf0021bff3f00aa1dc7a296f5aec0)
2026-05-07 13:09:18 +02:00
Evan Hunt
95fc625d60
Disable recursion for non-IN classes
Force recursion off, and set allow-recursion/allow-recursion-on ACLs
to none, for views with a class other than IN. Log a configuration
warning if recursion is explicitly enabled for a non-IN view.

This addresses YWH-PGM40640-74 and YWH-PGM40640-75 by preventing any
attempt at recursive processing in a class-CHAOS view, ensuring that
server addresses used for recursive queries and received in recursive
responses are of the expected format.

Fixes: isc-projects/bind9#5780
Fixes: isc-projects/bind9#5781

(cherry picked from commit 7becff1a14684a68208c92b3b0315c045c05ad75)
2026-05-07 13:09:18 +02:00
Mark Andrews
b6c3390aea [9.20] fix: dev: Check validator name when adding EDE text
When a validator is being shut down, the associated name
`val->name` is set to NULL.  This could cause a crash if a worker
thread subsequently added an EDE code with `val->name` in the
extra text.

`validator_addede()` now checks whether the name is NULL before
trying to add it to the extra text.

Closes #5613

Backport of MR !11945

Merge branch 'backport-each-validator-log-after-shutdown-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11977
2026-05-07 12:01:04 +10:00
Evan Hunt
c665472b10 check for val->name == NULL when adding EDE text
When a validator is being shut down, the associated name
`val->name` is set to NULL.  This could cause a crash if a worker
thread subsequently added an EDE code to the response containing
val->name in the extra text.

`validator_addede()` now checks whether the name is NULL before
trying to add it to the extra text.

(cherry picked from commit 2c60870527)
2026-05-07 11:23:17 +10:00
Aram Sargsyan
e962fd459e [9.20] fix: usr: Fix a bug in allow-query/allow-transfer catalog zone custom properties
The :iscman:`named` process could terminate unexpectedly when
processing a catalog zone with an invalid ``allow-query`` or
``allow-transfer`` custom property (i.e. having a non-APL type)
coexisting with the valid property. This has been fixed.

Closes #5941

Backport of MR !11954

Merge branch 'backport-5941-catz-catz_process_apl-bug-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11975
2026-05-06 21:02:40 +00:00
Aram Sargsyan
b4cab10461 Fix a bug in catz_process_apl()
The allow-transfer/allow-query catalog zone custom properties support
only APL RRtypes. All other types are correctly rejected by the
catz_process_apl() function. However, when an APL RRtype is processed
by that function, and another (non-APL) RRtype is then attempted to be
processed, there is an assertion failure happening in the prologue
of the function because `*aclbp != NULL` (i.e. an APL has been already
processed). Move the code to do type checking before the affected
REQUIRE assertion.

(cherry picked from commit 67e0090371)
2026-05-06 19:37:12 +00:00
Aram Sargsyan
d2a5ae89ae Add a catz test with invalid allow-transfer property
Check that invalid/unexpected RRtypes coexisting with a valid APL
RRtype do not cause an assertion failure.

(cherry picked from commit a4f05a26ad)
2026-05-06 19:37:12 +00:00
Aram Sargsyan
5fcb6d8809 [9.20] fix: usr: Fix a memory leak issue in the catalog zones
The :iscman:`named` process could leak small amounts of memory
when processing a catalog zone entry which had defined custom
primary servers with TSIG keys using both the regular ``primaries``
custom property syntax and the legacy alternative syntax (``masters``)
at the same time. This has been fixed.

Closes #5943

Backport of MR !11951

Merge branch 'backport-5943-catz-primaries-tsig-key-name-leak-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11973
2026-05-06 19:35:18 +00:00
Aram Sargsyan
83cd5b52b5 Fix a memory leak issue in catz_process_primaries()
Free the old version of the keyname (if it exists) before setting
the new one.

(cherry picked from commit 4576a67a93)
2026-05-06 18:34:29 +00:00
Aram Sargsyan
7eed9397e2 Add a catz test with a duplicate primaries entry (alternative syntax)
This new check adds a catalog member zone with both variants of
the labeled primaries/masters property. This should not cause
any issues.

(cherry picked from commit 4f5f4b77c7)
2026-05-06 18:34:16 +00:00
Aram Sargsyan
8242105d5d [9.20] fix: dev: Make BIND9 compatible with OpenSSL 4
OPENSSL_cleanup() in OpenSSL 4 doesn't free the memory, and that is
not compatible with BIND 9's memory leak detection code. Don't use
custom allocation/deallocation functions for OpenSSL's internal memory
management.

See https://github.com/openssl/openssl/pull/29721

Closes #5808

Backport of MR !11865

Merge branch 'backport-5808-openssl4-compat-fix-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11896
2026-05-06 14:36:43 +00:00
Aram Sargsyan
bb706b1800 Remove OpenSSL memory tracking support from the tls.c module
OPENSSL_cleanup() in OpenSSL 4 doesn't free the memory, and that is
not compatible with BIND 9's memory leak detection code. Don't use
custom allocation/deallocation functions for OpenSSL's internal memory
management in the tls.c module.

See https://github.com/openssl/openssl/pull/29721

(cherry picked from commit 4ede6edc54)
2026-05-06 13:57:52 +00:00