Štěpán Balážik [Tue, 23 Dec 2025 13:36:56 +0000 (14:36 +0100)]
Add SwitchControlCommand for ControllableAsyncServer
To provide feature parity with `bin/tests/system/ans.pl` add a control
command to allow easy switching between different sequences of
ResponseHandlers.
Štěpán Balážik [Wed, 17 Dec 2025 13:08:03 +0000 (14:08 +0100)]
Use variadic positional parameters for plural install_* methods
It saves an indent and brackets on the call sites.
Also sort the handlers alphabetically where their order doesn't matter
and split the fallback handlers into a separate call to signify that
their position in the end matters.
Aram Sargsyan [Thu, 25 Dec 2025 12:25:48 +0000 (12:25 +0000)]
Make catalog zones' entry names case-insensitive
Previously, the isc_ht hash table module was case-sensitive, but now
it supports case-insensitive mode. Use the case-insensitive mode
for the catalog zones' entry names.
Aram Sargsyan [Fri, 19 Dec 2025 17:51:08 +0000 (17:51 +0000)]
Make catalog zone names case-insensitive
Previously, the isc_ht hash table module was case-sensitive, but now
it supports case-insensitive mode. Use the case-insensitive mode
for catalog zone names.
Nicki Křížek [Fri, 28 Nov 2025 15:41:44 +0000 (16:41 +0100)]
Replace digdelv/ans8 with AsyncDnsServer
Previously, the ans8 server had different response modes that applied to
all queries. Replace it with AsyncDnsServer that serves the different
response modes under different domains without the need to change the
server behaviour at runtime.
Add the new queries that require an ns3 fallback to the ns3/example.db
zone.
Nicki Křížek [Fri, 28 Nov 2025 15:13:43 +0000 (16:13 +0100)]
Replace digdelv/ans5 with ControllableAsyncDnsServer
The server has three modes of operation - either no response, a partial
AXFR or a complete AXFR. To test the fallback behaviour of dig, these
actions are combined in specific sequences. To set up the desired
server behaviour, use the _control queries for the server.
Nicki Křížek [Fri, 28 Nov 2025 14:34:38 +0000 (15:34 +0100)]
Rename ResponseDropAndCloseConnection action
The action can be used to close the connection even after some response
was sent, depending on the ordering of actions in the handler that uses
it. Rename it to CloseConnection to use a more fitting name.
Štěpán Balážik [Fri, 9 Jan 2026 15:22:31 +0000 (15:22 +0000)]
chg: test: Avoid sending manually created responses in asyncserver
If at all possible, all the responses should be created by
AsyncDnsServer's internal methods. To ensure this, mark them with a
magic attribute and check it on send and crash the server if a manually
created response is detected.
Merge branch 'stepan/avoid-using-hand-rolled-responses-in-asyncserver' into 'main'
Štěpán Balážik [Fri, 2 Jan 2026 19:36:29 +0000 (20:36 +0100)]
Avoid sending manually created responses in asyncserver
If at all possible, all the responses should be created by
AsyncDnsServer's internal methods. To ensure this, mark them with a
magic attribute and check it on send and crash the server if a manually
created response is detected.
Fix the qmin test server which uses `make_response`.
Colin Vidal [Thu, 8 Jan 2026 20:01:22 +0000 (21:01 +0100)]
chg: dev: Split and refactor dns_view_findzonecut()
The function `dns_view_findzonecut()`, previously a complex bit of code (multiple pages long, with multiple gotos and mutating state), is refactored into a simpler main entry point making explicit the various steps and layers involved in the delegation lookup.
Separate helper functions are added for specific sub-tasks (lookup from the zones, from the cache, deciding which result to use if there are valid candidates from the zone or cache, etc.)
Finally, the range of result values returned by `dns_view_findzonecut()` is simplified and clearly specified. This simplifies the callers' code a bit.
See #5681
Merge branch 'colin/refactor-findzonecut' into 'main'
Colin Vidal [Wed, 17 Dec 2025 14:27:39 +0000 (15:27 +0100)]
simplify usage of dns_view_findzonecut()
As `dns_view_findzonecut()` only returns either ISC_R_SUCCESS or
DNS_R_NXDOMAIN, and since it automatically disassociates the rdatasets
in case of failure, some call sites are simplified.
Colin Vidal [Tue, 16 Dec 2025 13:24:41 +0000 (14:24 +0100)]
findzonecut: helper function to choose zone or cache
When a delegation is found at a zone level, the cache is also looked up,
in case a more specific delegation is found. If it is, then the records
from the zone are disassociated and then associated with those from the
cache.
There is no return value, because even if the cache lookup fails, there
is a valid delegation from the zone, so this is a success either way.
The main function `dns_view_findzonecut()` is also strongly refactored,
as `findzonecut_zoneorcache()` allows a sequential flow between the
various DB lookup attempts, instead of jumping back to the beginning of
the lookup code using `goto`.
From the caller's point of view, the API is slightly simplified: the
return value can only be ISC_R_SUCCESS (a delegation is found) or
DNS_R_NXDOMAIN (no delegation is found). Also, if no delegation is
found, this guarantees that the rdatasets passed as parameter are
disassociated.
Colin Vidal [Tue, 16 Dec 2025 13:26:11 +0000 (14:26 +0100)]
findzonecut: helper function for zone lookup
Move the zone lookup code into a separate helper function.
The main extra change here is the return codes. This helper function can
return 3 (and only those 3) values:
- ISC_R_SUCCESS: a delegation is found
- DNS_R_NXDOMAIN: no zone matches the qname
- ISC_R_NOTFOUND: a zone is found, but no delegation in the zone (this
can be either because there is simply no delegation, or for other
reasons, like the zone DB not being loaded yet).
This enables the caller to make decisions about whether to attempt a
cache and/or hints lookup or not.
Colin Vidal [Tue, 16 Dec 2025 13:22:10 +0000 (14:22 +0100)]
findzonecut: helper function for cache lookup
Extract the cache lookup implementation from `dns_view_findzonecut()`
into a separate helper function.
Also, when the cache result is not ISC_R_SUCCESS (which is the only
"success" value from the existing code in this case), the return value
is overridden to DNS_R_NXDOMAIN. This enables the caller (in a follow-up
commit) to differentiate the case where a zone is found, but for
whatever reason, no delegation is in there, from the case where no zone
is found. Separating those cases enables the caller to know whether it
needs to hit the cache/hints or not.
Alessio Podda [Thu, 8 Jan 2026 15:32:23 +0000 (15:32 +0000)]
chg: dev: Remove rrset-order cyclic from the default config, with shim
Currently we add an rrset-order cyclic statement to the default config.
Since the rrset-order allows matching a subset of all names, it must
be implemented with a comparison against a wildcard, and since
the statement applies per rrset, this can result in millions of
comparisons per second on a busy authoritative server.
This commit removes rrset-order from the default config, but adds back
a code shim in query_setorder to preserve the previous behaviour.
Alessio Podda [Tue, 23 Dec 2025 15:38:53 +0000 (16:38 +0100)]
Remove rrset-order cyclic from the default config, with shim
Currently we add an rrset-order cyclic statement to the default config.
Since the rrset-order allows matching a subset of all names, it must
be implemented with a string comparison against a wildcard, and since
the statement applies per rrset, this can result in millions of
comparisons per second on a busy authoritative server.
This commit removes rrset-order from the default config, but adds back
a code shim in query_setorder to preserve the previous behaviour.
Nicki Křížek [Wed, 7 Jan 2026 10:12:50 +0000 (11:12 +0100)]
chg: dev: Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.
Closes #5699
Merge branch '5699-support-cmocka-2.0.0' into 'main'
Nicki Křížek [Mon, 29 Dec 2025 12:37:34 +0000 (13:37 +0100)]
Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.
Evan Hunt [Wed, 7 Jan 2026 07:02:22 +0000 (07:02 +0000)]
chg: usr: Enforce bounds of multiple configuration options
The configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
boundaries. The configuration (including when using `named-checkconf`)
now fails if those options are set out of range.
Merge branch 'colin/multiple-options-strict-boundaries' into 'main'
Colin Vidal [Wed, 19 Nov 2025 11:34:31 +0000 (12:34 +0100)]
update doc for strict boundaries check
Update documentation, removing the mention of statements being
implicitly "fixed" if they are defined out of range (for
`edns-version`, `edns-udp-size`, `max-udp-size`, `no-cookie-udp-size`
and `padding`) as the ranges are now enforced.
Colin Vidal [Wed, 19 Nov 2025 11:36:13 +0000 (12:36 +0100)]
remove implicit bounds fixes in server config
Now that the configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` have strict boundaries
(configuration failing if they are not respected), remove configuration
loading code which implicitly raises or lowers them.
Colin Vidal [Wed, 19 Nov 2025 11:31:50 +0000 (12:31 +0100)]
enforce bounds of multiple configuration options
The configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
boundaries. The configuration (including when using `named-checkconf`)
now fails if those options are out of range.
Nicki Křížek [Mon, 5 Jan 2026 13:45:06 +0000 (14:45 +0100)]
[CVE-2025-8677] sec: test: Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.
Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.
Closes #5343
Merge branch '5343-count-invalid-keys-into-validation-fails-test' into 'main'
Nicki Křížek [Mon, 13 Oct 2025 16:35:33 +0000 (18:35 +0200)]
Test zone with truncated revoked DNSKEY
Ensure that named can handle a situation where the zone is signed with a
truncated, self-signed revoked DNSKEY. The signatures are inevitably
bogus and a SERVFAIL is expected. However, prior to the CVE-2025-8677 fix,
this could trigger an assertion failure.
Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.
Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.
Štěpán Balážik [Mon, 5 Jan 2026 13:03:11 +0000 (13:03 +0000)]
fix: test: Set default_aa on AsyncDnsServer to False by default
In !11179 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.
Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.
This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).
Merge branch 'stepan/set-asyncdnsserver-dafault-aa-to-false-by-default' into 'main'
Štěpán Balážik [Fri, 2 Jan 2026 18:05:33 +0000 (19:05 +0100)]
Set default_aa on AsyncDnsServer to False by default
In 6e684d44 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.
Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.
This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).
Ondřej Surý [Sun, 4 Jan 2026 20:46:05 +0000 (21:46 +0100)]
fix: nil: Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
141 | off_t maximum_size;
| ^~~~~
This is due to a missing include of unistd.h, so let's add it on top of
isc/log.h
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Merge branch 'fix/uclibc-off_t-main' into 'main'
Giulio Benetti [Sat, 3 Jan 2026 21:59:39 +0000 (22:59 +0100)]
Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
141 | off_t maximum_size;
| ^~~~~
This is due to a missing include of unistd.h, so let's add it on top of
isc/log.h
Matthijs Mekking [Wed, 31 Dec 2025 10:40:42 +0000 (11:40 +0100)]
Wait for "sending notifies" for step3.zsk-prepub
Commit c17ac426082b2eca802dd1b2e1bb9b4b4b291199 changed some tests to
wait for "zone_needdump" messages instead of "sending notifies", because
notifies are rate limited and "zone_needdump" happens on every change.
However, inspecting the logs, the "zone_needdump" changes happen more
than once (likely because the re-signing is done in batches):
received control channel command 'sign step3.zsk-prepub.manual'
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone step3.zsk-prepub.manual/IN (signed): sending notifies
This means we are running the rollover step checks too fast in some
test runs.
Revert the wait for log change for the rollover-zsk-prepub test.
Matthijs Mekking [Tue, 16 Dec 2025 16:31:24 +0000 (17:31 +0100)]
Change zone set/get options related to notify
Add a type to all dns_zone_(get|set) functions that apply to sending
notifies, so the options can be set and retrieved separately per type.
This affects dns_zone_setnotifydefer, dns_zone_getnotifydefer,
dns_zone_setnotifydelay, dns_zone_getnotifydelay,
dns_zone_setnotifysrc4, and dns_zone_setnotifysrc6.
The functions dns_zone_getnotifysrc4 and dns_zone_getnotifysrc6 are
unused and can be removed.
Petr Špaček [Mon, 28 Jul 2025 09:33:14 +0000 (11:33 +0200)]
Test that spoofed DNAME is not accepted via spoofable transport
A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get
unlimited number of tries to spoof the answer. To limit impact, we
should not be accepting DNAME over insecure transport, like UDP without
cookies etc.
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.test. IN A
;ANSWER
trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
test. 3600 IN DNAME attacker.net.
;AUTHORITY
;ADDITIONAL
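As an added example (not part of this commit or of BIND's own code), here is a small Python model of the two things a resolver has to get right for an answer of the shape above: that the CNAME really is what the DNAME synthesizes for the query name (RFC 6672 substitution), and that an answer carrying a DNAME is not taken from a transport an off-path attacker can spoof. The `Transport` flags, the `accept_dname_answer` policy and the record model are illustrative assumptions; the sample answer is the spoof shape from the test description, constructed here with a fixed label in place of `$RANDOM`.

```python
"""Illustrative DNAME acceptance check (added example; not BIND's own code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    owner: str
    rrtype: str
    rdata: str  # for CNAME/DNAME: the target name


@dataclass(frozen=True)
class Transport:
    """Assumed transport properties of the response (illustrative)."""
    tcp: bool = False
    cookie_validated: bool = False  # a DNS COOKIE we issued came back intact

    @property
    def spoofable(self) -> bool:
        # Plain UDP without a verified cookie: an off-path attacker only has
        # to guess the message ID and source port, and with DNAME the random
        # query names give unlimited tries.
        return not self.tcp and not self.cookie_validated


def _labels(name: str) -> List[str]:
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def _norm(name: str) -> str:
    return ".".join(_labels(name)) + "."


def is_proper_subdomain(name: str, ancestor: str) -> bool:
    n, a = _labels(name), _labels(ancestor)
    return len(n) > len(a) and n[len(n) - len(a):] == a


def synthesize_cname(qname: str, dname_owner: str, dname_target: str) -> Optional[str]:
    """RFC 6672 substitution: replace the DNAME owner suffix of qname with its target.

    Returns None when qname is not a proper subdomain of the DNAME owner
    (a DNAME never applies to its own owner name)."""
    if not is_proper_subdomain(qname, dname_owner):
        return None
    q, o, t = _labels(qname), _labels(dname_owner), _labels(dname_target)
    return ".".join(q[: len(q) - len(o)] + t) + "."


def accept_dname_answer(qname: str, answer: List[RR], transport: Transport,
                        dnssec_secure: bool = False) -> Tuple[bool, str]:
    """Decide whether to use an answer containing a DNAME (single DNAME step).

    Policy (an assumption for this example): a DNAME is only taken from a
    transport that cannot be spoofed off-path, or when the answer validated
    securely under DNSSEC; the accompanying CNAME must match synthesis."""
    dnames = [rr for rr in answer if rr.rrtype.upper() == "DNAME"]
    if not dnames:
        return True, "no DNAME present"
    if transport.spoofable and not dnssec_secure:
        return False, "DNAME over spoofable transport"
    if len(dnames) != 1:
        return False, "expected exactly one DNAME in this answer"
    dname = dnames[0]
    if not is_proper_subdomain(qname, dname.owner):
        return False, "DNAME %s is not an ancestor of %s" % (dname.owner, qname)
    expected = synthesize_cname(qname, dname.owner, dname.rdata)
    cnames = [rr for rr in answer
              if rr.rrtype.upper() == "CNAME" and _norm(rr.owner) == _norm(qname)]
    if len(cnames) != 1 or _norm(cnames[0].rdata) != _norm(expected):
        return False, "CNAME does not match DNAME synthesis"
    return True, "DNAME accepted"


# Constructed sample: the spoofed answer shape from the test description above.
SPOOFED_ANSWER = [
    RR("trigger1234.test.", "CNAME", "trigger1234.attacker.net."),
    RR("test.", "DNAME", "attacker.net."),
]

if __name__ == "__main__":
    for tr in (Transport(), Transport(tcp=True), Transport(cookie_validated=True)):
        print(tr, accept_dname_answer("trigger1234.test.", SPOOFED_ANSWER, tr))
```

Over plain UDP the spoofed answer is refused before its contents are even looked at; over TCP or with a validated cookie it passes only because the CNAME is exactly the RFC 6672 synthesis of the DNAME, so a forged CNAME that disagrees with the DNAME is still rejected.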
Petr Špaček [Wed, 23 Jul 2025 18:26:43 +0000 (20:26 +0200)]
Test that fake child delegation cannot overwrite parent's glue RR
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
;AUTHORITY
trigger$RANDOM.victim. 3600 IN NS ns.victim.
;ADDITIONAL
ns.victim. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 2".
Petr Špaček [Wed, 23 Jul 2025 15:25:18 +0000 (17:25 +0200)]
Test that unsolicited NS in positive answer cannot overwrite current NS
Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
This attack was originally reported as "test case 1".
Petr Špaček [Fri, 11 Jul 2025 16:37:57 +0000 (18:37 +0200)]
Test that positive answer cannot overwrite sibling NS RRs
Before the fixes for CVE-2025-40778, a positive answer was allowed to
overwrite sibling NS RRs. The answer had to be a positive AA=1 answer
with a fake NS along with it. This combination of conditions avoided
the code path with "unrelated <RRTYPE>" detection logic.
If it were some other answer, named from the main branch would detect
the attempt and log:
DNS format error from 10.53.0.1#16386 resolving trigger/A for <unknown>: unrelated NS victim in trigger authority section
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM. IN A
;ANSWER
trigger$RANDOM. 3600 IN A 10.53.0.3
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
ns.attacker. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 1c".
Michał Kępień [Mon, 22 Dec 2025 10:58:39 +0000 (11:58 +0100)]
Add a reusable, bare-bones AsyncDnsServer
Add bin/tests/system/ans.py, a bare-bones DNS server that can be used in
system tests instead of full-blown named instances when a server is only
required to return zone-based data. Where applicable, this reduces load
on the test host and the amount of generated logs.
Mark Andrews [Mon, 22 Dec 2025 02:31:09 +0000 (13:31 +1100)]
Tidy up (fixed)names in dsyncfetch_start
Use a static dns_name_t for the "_dsync" label. Remove some
unnecessary dns_fixedname_t variables. Remove unnecessary dsyncname
dns_name_t from dns_dsyncfetch and rename dns_fixedname_t fname to
dsyncname.
Due to the way various asyncio-related objects (tasks, streams,
transports, selectors) are referencing each other, pausing reads for a
TCP transport (which in practice means removing the client socket from
the set of descriptors monitored by a selector) can cause the client
task (AsyncDnsServer._handle_tcp()) to be prematurely garbage-collected,
causing asyncio code to raise a "Task was destroyed but it is pending!"
exception. Who knew that solutions as elegant as the one introduced by e4078885073a6c5b59729f4313108e3e7637efdb could cause unexpected trouble?
Fix by making a horrible hack even more horrible, specifically by
keeping a reference to each incoming TCP connection to protect its
related asyncio objects from getting garbage-collected. This prevents
AsyncDnsServer from closing any of the ignored TCP connections
indefinitely, which is obviously a pretty brain-dead idea for a
production-grade DNS server, but AsyncDnsServer was never meant to be
one and this hack reliably solves the problem at hand.
Only apply this change for the IgnoreAllConnections handler as the
ConnectionReset handler triggers a connection reset immediately after
pausing reads for an incoming TCP connection.
As pointed out in e4078885073a6c5b59729f4313108e3e7637efdb, the proper
solution would require implementing a custom asyncio transport from
scratch and that is still deemed to be too much work for the purpose at
hand. Let's see how much longer we can limp along with the existing
approach.
Michał Kępień [Sun, 21 Dec 2025 05:25:56 +0000 (06:25 +0100)]
Make exception/signal handlers idempotent
Calling asyncio.Future.set_exception() or asyncio.Future.set_result()
more than once for a given Future object raises an
asyncio.InvalidStateError exception.
In the case of AsyncServer:
- it is enough to capture the first exception raised by higher-level
logic as no exceptions at all are expected to be raised in the first
place,
- no distinction is made between SIGINT and SIGTERM; the only purpose
of the signal handler is to make the server exit cleanly.
Given the above, make both AsyncServer._handle_exception() and
AsyncServer._signal_done() idempotent by ignoring
asyncio.InvalidStateError exceptions raised by the relevant
asyncio.Future.set_*() calls.
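As an added example (not the project's AsyncServer code), the following Python sketch shows the failure mode this commit guards against and the idempotent shape of the two handlers it describes. `DemoAsyncServer` and the scenario functions are illustrative stand-ins; only the `asyncio.Future` behaviour is the real library's.

```python
"""Idempotent Future completion (added example; not the project's AsyncServer)."""
import asyncio
import signal
from typing import Optional


class DemoAsyncServer:
    """Minimal stand-in for the relevant part of an asyncio-based server.

    `_done` is completed exactly once: either with the first exception seen
    by higher-level logic or with the first termination signal."""

    def __init__(self, loop: asyncio.AbstractEventLoop) -> None:
        self._done: "asyncio.Future[Optional[int]]" = loop.create_future()

    def _handle_exception(self, exc: BaseException) -> None:
        try:
            self._done.set_exception(exc)
        except asyncio.InvalidStateError:
            pass  # already completed; the first exception is the one we keep

    def _signal_done(self, signum: Optional[int] = None) -> None:
        try:
            self._done.set_result(signum)
        except asyncio.InvalidStateError:
            pass  # SIGINT/SIGTERM are not distinguished; a second one is a no-op

    async def wait(self) -> Optional[int]:
        return await self._done


def naive_double_completion_raises() -> bool:
    """Show the failure mode being guarded against: completing a Future twice."""
    async def scenario() -> bool:
        fut = asyncio.get_running_loop().create_future()
        fut.set_result(1)
        try:
            fut.set_result(2)
        except asyncio.InvalidStateError:
            return True
        return False
    return asyncio.run(scenario())


def exception_scenario() -> str:
    """Two exceptions then a signal: the first exception wins, nothing raises."""
    async def scenario() -> str:
        srv = DemoAsyncServer(asyncio.get_running_loop())
        srv._handle_exception(RuntimeError("first"))
        srv._handle_exception(RuntimeError("second"))  # ignored
        srv._signal_done(int(signal.SIGTERM))          # ignored
        try:
            await srv.wait()
        except RuntimeError as exc:
            return str(exc)
        return "completed without exception"
    return asyncio.run(scenario())


def signal_scenario() -> Optional[int]:
    """Two signals: the server exits cleanly with the first one recorded."""
    async def scenario() -> Optional[int]:
        srv = DemoAsyncServer(asyncio.get_running_loop())
        srv._signal_done(int(signal.SIGINT))
        srv._signal_done(int(signal.SIGTERM))            # ignored
        srv._handle_exception(RuntimeError("too late"))  # ignored
        return await srv.wait()
    return asyncio.run(scenario())


if __name__ == "__main__":
    print("naive double completion raises:", naive_double_completion_raises())
    print("exception scenario ->", exception_scenario())
    print("signal scenario ->", signal_scenario())
```

Without the `except asyncio.InvalidStateError` guards, the second call in either scenario would raise from inside a signal handler or an exception handler, which is exactly where an unexpected exception is hardest to deal with.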
Štěpán Balážik [Fri, 19 Dec 2025 19:02:17 +0000 (19:02 +0000)]
chg: ci: Use CMocka generated JUnit reports where possible
Where applicable, use the more detailed CMocka generated JUnit
reports which include subtest results and timings instead of the
one generated by Meson.
Prerequisites:
- bind9-qa!137
Closes #5511
Merge branch '5511-cmocka-junit-ouput' into 'main'
Štěpán Balážik [Wed, 15 Oct 2025 17:23:59 +0000 (19:23 +0200)]
Use CMocka generated JUnit reports where possible
Where applicable, use the more detailed CMocka generated JUnit
reports which include subtest results and timings instead of the
one generated by Meson.
Flaky tests also require retrying, so use a wrapper and mark them
with an environment variable. This is done to avoid the need to compute
an intersection of suites in Meson which is not supported out-of-the-box
(`meson test --suite=foo,bar` runs the union of foo and bar).
Matthijs Mekking [Fri, 19 Dec 2025 16:33:53 +0000 (16:33 +0000)]
fix: usr: Reconfigure NSEC3 opt-out zone to NSEC causes zone to be invalid
A zone that is signed with NSEC3, opt-out enabled, and then reconfigured to use NSEC, causes the zone to be published with missing NSEC records. This has been fixed.
Closes #5679
Merge branch '5679-nsec3-optout-to-nsec' into 'main'
When switching from NSEC3 opt-out to NSEC, add NSEC records if we saw an
RR. This corrects a mistake in style cleanups done in commit 308ab1b4a5c5239860ca06c64b0def9b98ae4b17.
If we change from NSEC3 to NSEC we should not produce a zone with
missing NSEC records.
The code only considered having seen a record if there was previously
a signature present at the owner name. However with opt-out, insecure
delegations don't have a RRSIG record. Reconfiguring to NSEC causes
all insecure delegations to have a missing NSEC record.
Add a DNAME record to the test zone to also cover DNAME delegations.
In a sense, the ans6 black hole server, based on asyncserver, "does
nothing". In our case, it won't respond to any query, and if the
IgnoreAllConnections connection handler was installed, it would not read
anything from the client socket.
Previously, sending notifications to an unconfigured address resulted in
no communication from the target (10.53.10.53); hence, the ns3
configuration comment requested a "non-responsive notify recipient (no
reply, no ICMP errors)".
However, examining the PCAP of ans6 reveals some communication from the
10.53.0.6 server to the 10.53.0.3 client, including ICMP Destination
Unreachable (Port Unreachable), and TCP SYN/ACK.
The ans6 communication seems to be sufficiently different to touch
different code paths in named, resulting in the BIND 9.20 backport
failing in the "checking notify retries expire within 30 seconds" test.
But we better revert it from "main" as well.
Matthijs Mekking [Fri, 19 Dec 2025 14:46:23 +0000 (14:46 +0000)]
new: usr: Add support for Generalized DNS Notifications
A new configuration option, ``notify-cfg CDS``, is added to enable Generalized DNS Notifications for CDS and/or CDNSKEY RRset changes, as specified in RFC 9859.
Closes #5611
Merge branch '5611-generalized-dns-notifications-rfc-9859' into 'main'
Matthijs Mekking [Fri, 12 Dec 2025 14:49:19 +0000 (15:49 +0100)]
Test invalid DSYNC RRset is rejected
The RFC says "There MUST NOT be more than one DSYNC record for each
combination of RRtype and Scheme." If we encounter more we should drop
the response, as the DSYNC RRset is invalid.
When doing rollover and the CDS/CDNSKEY RRset is updated, test that a
NOTIFY(CDS) message is sent. For other steps in the rollover, prohibit
any dsyncfetch activity.
Matthijs Mekking [Tue, 25 Nov 2025 07:56:32 +0000 (08:56 +0100)]
Test sending NOTIFY(CDS) messages
When starting up the services, send notifies for the existing CDS RRset.
This requires setting up a chain of trust for the test, so the DSYNC
records can be retrieved and validated.
This feature requires enabling 'notify-cds' and 'dnssec-validation'.
In this test, the scanner is pointed to ns2. Since there is no code
for receiving NOTIFY(CDS) messages for delegations, this is treated
as "not authoritative". Checking for this log message assures us that
the NOTIFY(CDS) message was actually sent.
Matthijs Mekking [Thu, 30 Oct 2025 08:48:35 +0000 (09:48 +0100)]
Implement NOTIFY(CDS) logic
When the CDS/CDNSKEY RRset gets updated, schedule a NOTIFY(CDS) to be
sent to the parental agent. The parental agent is published in the
parent zone as a DSYNC RRset, so first we need to figure out the
parent owner name. This is done by finding the zonecut (querying for
NS RRset until we find a positive answer).
In nsfetch_dsync, we then schedule a zone fetch for the DSYNC record
at <child-labels>._dsync.<parent-labels>. Then we queue the notify
for each target in the DSYNC records that matches the NOTIFY scheme
and CDS RRtype.
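As an added example (not BIND's implementation), the Python below ties together the two DSYNC rules from the commits above: the "Test invalid DSYNC RRset is rejected" commit (at most one DSYNC record per RRtype/Scheme combination, otherwise the RRset is invalid and the response is dropped) and the `<child-labels>._dsync.<parent-labels>` lookup name plus the NOTIFY-scheme/CDS-RRtype target selection from this commit. Field order and the `NOTIFY` mnemonic follow RFC 9859's presentation format; the type codes used (CDS 59, CSYNC 62, scheme NOTIFY 1) are the registered values; the RRset contents are constructed sample data.

```python
"""DSYNC RRset validation and lookup-name construction (added example; not BIND code)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# RFC 9859 field values used here. Mnemonics follow the presentation format
# ("CDS NOTIFY 5300 target."); numeric forms are accepted as well.
SCHEME_NOTIFY = 1
SCHEMES = {"NOTIFY": SCHEME_NOTIFY}
RRTYPES = {"CDS": 59, "CSYNC": 62}


class InvalidDsyncRRset(ValueError):
    """Raised when a DSYNC RRset must be dropped rather than used."""


@dataclass(frozen=True)
class Dsync:
    rrtype: int
    scheme: int
    port: int
    target: str


def _labels(name: str) -> List[str]:
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def _parse_mnemonic(field: str, table: dict, prefix: str) -> int:
    """Accept a mnemonic from `table`, or a number (optionally prefixed, e.g. TYPE59)."""
    key = field.upper()
    if key in table:
        return table[key]
    if prefix and key.startswith(prefix):
        key = key[len(prefix):]
    if not key.isdigit():
        raise InvalidDsyncRRset("unknown value %r" % field)
    return int(key)


def parse_dsync(rdata: str) -> Dsync:
    """Parse one DSYNC record from presentation format: RRtype Scheme Port Target."""
    fields = rdata.split()
    if len(fields) != 4:
        raise InvalidDsyncRRset("expected 4 fields, got %d: %r" % (len(fields), rdata))
    rrtype = _parse_mnemonic(fields[0], RRTYPES, "TYPE")
    scheme = _parse_mnemonic(fields[1], SCHEMES, "")
    port = int(fields[2])
    if not 0 <= port <= 65535:
        raise InvalidDsyncRRset("port out of range: %d" % port)
    target = fields[3]
    if not target.endswith("."):
        raise InvalidDsyncRRset("target must be a fully qualified name: %r" % target)
    return Dsync(rrtype, scheme, port, target.lower())


def validate_dsync_rrset(rdatas: Iterable[str]) -> List[Dsync]:
    """Parse a DSYNC RRset and enforce the RFC 9859 uniqueness rule:
    at most one record per (RRtype, Scheme) combination, otherwise the whole
    RRset is invalid and the response should be dropped."""
    records = [parse_dsync(r) for r in rdatas]
    seen = set()
    for rec in records:
        key = (rec.rrtype, rec.scheme)
        if key in seen:
            raise InvalidDsyncRRset(
                "more than one DSYNC record for RRtype %d / Scheme %d" % key)
        seen.add(key)
    return records


def dsync_owner_name(child: str, parent: str) -> str:
    """Name to fetch once the parent is known: <child-labels>._dsync.<parent-labels>."""
    c, p = _labels(child), _labels(parent)
    if not (len(c) > len(p) and c[len(c) - len(p):] == p):
        raise ValueError("%s is not a proper subdomain of %s" % (child, parent))
    return ".".join(c[: len(c) - len(p)] + ["_dsync"] + p) + "."


def notify_targets(records: Iterable[Dsync], rrtype: str = "CDS") -> List[Tuple[str, int]]:
    """(target, port) pairs to send NOTIFY(<rrtype>) to: NOTIFY scheme and matching RRtype."""
    wanted = RRTYPES[rrtype.upper()]
    return [(r.target, r.port) for r in records
            if r.rrtype == wanted and r.scheme == SCHEME_NOTIFY]


# Constructed sample data (not from any real zone).
SAMPLE_RRSET = [
    "CDS NOTIFY 5300 notify.parent.example.",
    "CSYNC NOTIFY 53 csync.parent.example.",
]
DUPLICATE_RRSET = SAMPLE_RRSET + ["CDS 1 5301 other.parent.example."]  # second (CDS, NOTIFY)

if __name__ == "__main__":
    recs = validate_dsync_rrset(SAMPLE_RRSET)
    print(dsync_owner_name("child.example.", "example."), notify_targets(recs))
    try:
        validate_dsync_rrset(DUPLICATE_RRSET)
    except InvalidDsyncRRset as exc:
        print("dropped:", exc)
```

The duplicate check deliberately treats `CDS NOTIFY` and `CDS 1` as the same combination, since the mnemonic and the number denote the same scheme; a scanner that compared the presentation strings instead would let the invalid RRset through.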
Now that we log the type of the notify, some expected log messages
in the system tests need to be adjusted accordingly.
The bin/tests/system/nsec3/tests_nsec3_retransfer.py log is changed
to zone_needdump because it is more reliable. Other tests were
adjusted similarly in MR !11265, but !11226 introduced a new
"sending notify" log line.
Matthijs Mekking [Tue, 18 Nov 2025 08:56:34 +0000 (09:56 +0100)]
Add type parameter to dns_notify_create()
With Generalized DNS Notifications, a zone may need to send different
types of NOTIFY messages for different reasons. When creating a new
notify, allow for specifying the type.
Matthijs Mekking [Tue, 28 Oct 2025 14:25:29 +0000 (15:25 +0100)]
Add port parameter to dns_notify_create()
The DSYNC record has a Port rdata field, so NOTIFY(CDS) messages may be
configured at different ports. When creating a new notify, allow for
specifying the port.