chg: doc: Add non-IN RR classes to list of unsupported configurations
This adds a note to the security documentation that configuring
resources with non-Internet DNS classes (CHAOS, HESIOD, ...) is not
a supported configuration and could potentially cause issues.
Closes #5805
Merge branch '5805-add-clarification-on-non-IN-classes' into 'main'
Nicki Křížek [Mon, 29 Jun 2026 13:34:29 +0000 (13:34 +0000)]
amend! Add non-IN RR classes to list of unsupported configurations
Document that non-IN RR class issues are out of CVE scope
CVE-2026-5946 covered assertion failures reachable only through the
handling of resource record classes other than Internet (IN).
Configuring zones or views with such classes is a supported feature;
document in the security assumptions that problems reachable only
through it cannot be the basis for CVE assignment.
Ondřej Surý [Wed, 11 Mar 2026 18:18:32 +0000 (19:18 +0100)]
Add non-IN RR classes to list of unsupported configurations
This adds a note to the security documentation that configuring
resources with non-Internet DNS classes (CHAOS, HESIOD, ...) is not
a supported configuration and could potentially cause issues.
fix: dev: Fix a memory leak when updating a zone with more than 32 DNSSEC keys
Applying changes to a signed zone — via DNS UPDATE or the inline-signing
raw-to-secure sync — leaked the surplus keys when the zone's key
directory held more than 32, slowly growing named's memory use.
Closes #6051
Merge branch '6051-find-zone-keys-key-leak' into 'main'
Ondřej Surý [Mon, 29 Jun 2026 06:48:03 +0000 (08:48 +0200)]
Add a regression test for the find_zone_keys() key leak
Generate more than DNS_MAXZONEKEYS distinct matching private keys for a
zone and call find_zone_keys() through it. The keys past the limit must
be released; the default memory context's leak check, armed with
isc_mem_checkdestroyed(), fails the test if any are abandoned.
Ondřej Surý [Mon, 29 Jun 2026 06:48:03 +0000 (08:48 +0200)]
Stop leaking DNSSEC keys past the zone key limit
find_zone_keys() collects every matching private key into a local list,
hands the first DNS_MAXZONEKEYS keys to the caller, and frees the rest.
On overflow it destroyed only the first surplus key before breaking out
of the loop, so any keys after it stayed linked on the local list and
were lost when the function returned.
Unlink and destroy every list entry, transferring a key to the caller
only while under the limit. No entry is left behind, so a zone with
more than DNS_MAXZONEKEYS matching keys no longer leaks memory on each
signing attempt.
Colin Vidal [Wed, 1 Jul 2026 06:40:18 +0000 (08:40 +0200)]
chg: usr: Introduce a minimum TTL for cached delegations
Delegations are now cached with a minimum TTL of 60 seconds by default. Any NS record or A/AAAA glue record with a TTL below this threshold will be raised to 60 seconds.
A new configuration option `min-delegation-ttl` has been added to adjust this limit, or disable it by setting the value to `0`. The corresponding `max-delegation-ttl` option allows the user to configure a maximum TTL for delegations; it is disabled by default.
Colin Vidal [Fri, 29 May 2026 20:06:30 +0000 (22:06 +0200)]
Remove useless TTL override in rctx_referral()
Function `rctx_referral()` used to force the TTL of an NS record with
TTL 0 to be 1. This has now been removed, as the delegation database
already forces a minimum hard-coded TTL of 1 when the delegation has
a TTL of 0.
Colin Vidal [Fri, 29 May 2026 08:59:41 +0000 (10:59 +0200)]
System test for delegation TTL options
Add a system test which covers the behavior of the `min-delegation-ttl`
and `max-delegation-ttl` options (including default, disabling, and
enforcing that min- must be strictly less than max-).
Colin Vidal [Tue, 26 May 2026 13:58:44 +0000 (15:58 +0200)]
Delegations have a minimal TTL of 60 seconds
Delegations are now stored in delegdb with a TTL of at least 60 seconds
by default. A new configuration option `min-delegation-ttl` allows
overriding this value or disabling entirely it with `0`.
This hardens the resolver against misconfigured glue or NS records
with very low TTLs, which would otherwise trigger delegation refetches
too often.
A new option `max-delegation-ttl` (which default to `0`) is also added,
enabling an operator to enforce a maximum TTL check for delegations.
Colin Vidal [Tue, 26 May 2026 13:56:03 +0000 (15:56 +0200)]
Introduce min/max TTL bounds for delegations
The TTL of cached delegations can now have a minimum bound and a maximum
bound. By default, delegdb does not enable TTL bound checking, but this
can be configured from the caller using `dns_delegdb_config_t`.
chg: dev: Simplify and modernize the radix tree implementation
Refactor the radix tree used for ACL IP prefix matching, originally imported
from the MRT routing toolkit in 1999 and never modernized. Node size drops
from 100+ bytes across two allocations to 64 bytes in a single cache line.
Expand the unit test suite.
Merge branch 'ondrej/refactor-isc_radix-unit' into 'main'
Ondřej Surý [Sun, 22 Mar 2026 11:14:03 +0000 (12:14 +0100)]
Replace void* data pointers with match enum in radix nodes
The node data[] array only ever held pointers to two static bools
(dns_iptable_pos/neg). Replace with isc_radix_match_t enum
(RADIX_UNSET/RADIX_ALLOW/RADIX_DENY) stored directly in the node.
This eliminates the void* casts, the static bool variables, the
isc_radix_destroyfunc_t callback (always NULL), and shrinks
isc_radix_node_t from 80 to 64 bytes. Also use sa_family_t for
the prefix family field.
Ondřej Surý [Sun, 22 Mar 2026 10:58:30 +0000 (11:58 +0100)]
Replace RADIX_WALK macro with isc_radix_foreach function
Replace the RADIX_WALK/RADIX_WALK_END macro pair (which injected
hidden variables and split a do/while block across two macros)
with a proper isc_radix_foreach() function that takes a callback
and user argument.
This also eliminates the insecure_prefix_found global variable
and its associated mutex in acl.c -- the foreach argument replaces
both.
Ondřej Surý [Sun, 22 Mar 2026 10:06:37 +0000 (11:06 +0100)]
Make isc_radix_insert, dns_iptable_addprefix/merge return void
isc_radix_insert can no longer fail: node allocation uses
isc_mem_get which aborts on OOM, and prefix copying was eliminated
by inlining. Propagate the void return through dns_iptable_addprefix,
dns_iptable_merge, dns_acl_any, dns_acl_none, and all their callers.
Ondřej Surý [Sun, 22 Mar 2026 00:18:47 +0000 (01:18 +0100)]
Clean up radix tree code style
Improve the radix tree code:
- Rename node children from .l/.r to .left/.right
- Rename static functions to drop reserved leading underscores
- Rename legacy macro variables (Xrn, Xsp, Xstack) to
readable names (cur, sp, stack)
- Narrow variable scopes to point of first use
- Use size_t for loop iterators, uint8_t for byte values
- Replace do/while(0) with plain blocks in macros
- Clean up unit test with helpers and meaningful data values
Ondřej Surý [Sat, 21 Mar 2026 16:26:30 +0000 (17:26 +0100)]
Remove AF_UNSPEC and has_prefix from radix tree
Instead of treating AF_UNSPEC as a special "any" prefix that sets
both IPv4 and IPv6 data slots, insert two separate entries (one
per address family). Both land on the same 0/0 node via the
existing dual-family data[] mechanism.
This eliminates AF_UNSPEC handling from isc_radix_insert (4 branch
blocks removed), removes the has_prefix bool from isc_radix_node_t
(using family==0 for glue nodes instead), and simplifies the
NETADDR_TO_PREFIX_T macro.
Ondřej Surý [Sat, 21 Mar 2026 16:19:40 +0000 (17:19 +0100)]
Inline prefix into radix tree node
Embed isc_prefix_t directly in isc_radix_node_t instead of heap-
allocating it separately. This eliminates per-node isc_mem_get/put
and isc_mem_attach/detach calls, removes a pointer dereference on
every search comparison, and simplifies the code by removing the
_new_prefix, _ref_prefix, and _deref_prefix helpers entirely.
Remove isc_mem_t from isc_prefix_t since it is now a plain value
type with no memory management. Remove per-node isc_mem_t since
nodes use the tree's memory context. Reorder struct fields to
eliminate padding holes.
Ondřej Surý [Sat, 21 Mar 2026 16:12:15 +0000 (17:12 +0100)]
Remove prefix refcounting from radix tree
Radix tree prefixes were reference-counted to allow sharing between
nodes, with refcount==0 used as a sentinel for stack-allocated
prefixes. Since the radix tree is only modified during config
parsing (single-threaded) and read-only during query processing,
the sharing optimization is unnecessary. Always copy prefixes
instead, eliminating the refcount field and the sentinel hack.
Michal Nowak [Tue, 30 Jun 2026 17:20:11 +0000 (19:20 +0200)]
new: test: Add build-time check for unregistered rdata files
Fail at meson configure if an rdata source file in lib/dns/rdata is not
registered in dns_header_depfiles, so edits no longer silently skip
header regeneration (as happened with brid, dsync, hhit, and wallet).
Assisted-by: Claude:claude-opus-4-8
Merge branch 'mnowak/check-rdata-registration' into 'main'
Michal Nowak [Tue, 9 Jun 2026 16:11:51 +0000 (16:11 +0000)]
Check for unregistered rdata files in CI
Verify in the misc CI job that every rdata source file under
lib/dns/rdata is an input of the generated lib/dns/code.h, i.e.
registered in dns_header_depfiles. An unregistered file is still
compiled into BIND 9 (gen.c scans the directories directly), but
editing it does not trigger regeneration of code.h.
Michal Nowak [Tue, 2 Jun 2026 09:36:43 +0000 (09:36 +0000)]
Avoid leaking FLAKY into every unit test
meson stores the test env by reference, so mutating the shared
test_env leaked FLAKY and TIMEOUT into all later tests. Build a
fresh environment for flaky tests instead.
Alessio Podda [Tue, 30 Jun 2026 13:36:46 +0000 (13:36 +0000)]
fix: dev: Fold receive_secure_serial into zone maintainance
Having two separate zone maintainance async jobs increases the risk of
race conditions. This commit folds the inline-signing resigning job
into the zone maintainance of the secure zone, ensuring only one async
job acts on a zone.
Closes #5816
Merge branch '5816-resign-single-source-of-truth' into 'main'
Alessio Podda [Thu, 4 Jun 2026 09:55:15 +0000 (11:55 +0200)]
Rename inline sync related methods
The inline sync related methods and structs retained the old
receive_secure_ prefix. Since there is no async tasks involved anymore
we change the naming scheme to a more descriptive one.
Alessio Podda [Thu, 21 May 2026 11:05:55 +0000 (13:05 +0200)]
Fix rss_state leak in receive_secure_serial_cancel
Previously receive_secure_serial_cancel() could leak .rss_state on
inline secure bootstrap or zone shutdown, if a pre-existing DNSSEC
signing pass was paused. This has been fixed.
Alessio Podda [Sun, 24 May 2026 12:03:38 +0000 (14:03 +0200)]
Serialize zone maintenance requests
Some rndc-driven maintenance operations interact with raw-to-secure
synchronization in the same way as setting NSEC3PARAM did. They are
scheduled via async tasks, which can interleave with raw-to-secure sync
and cause crashes.
To solve this, treat them the same as NSEC3PARAM changes, and extend
the pending NSEC3PARAM change queue to a generic maintenance queue that
rndc can post commands to.
These commands are dispatched by the zone_maintenance() callback, which
delays them if a raw-to-secure sync is in progress.
Alessio Podda [Sun, 24 May 2026 11:57:24 +0000 (13:57 +0200)]
Fix setnsec3param DNSSEC maintenance ordering
Before this commit, NSEC3PARAM changes were scheduled through an async
callback. This leads to a similar problem of interleaving with an
existing raw-to-secure sync, which is unsound since only one writer
version can be active at a time.
The zone already has a queue of "pending" NSEC3PARAM changes, so the
use of async tasks is also redundant. With this commit, we schedule
NSEC3PARAM changes using the pre-existing queues plus a timer.
Alessio Podda [Sun, 24 May 2026 11:57:13 +0000 (13:57 +0200)]
Move inline sync into zone maintenance
Before this commit, synchronization between raw and secure zones ran as
async tasks split into quanta. As a consequence, it could interleave
with some zone maintenance operations.
However, synchronization between raw and secure zones needs to keep the
version open across the full operation. There can be only one writer
version open at a time, which makes any model where synchronization and
maintenance interleave unsound.
To fix that, this commit models raw-to-secure synchronization as an
explicit state machine and moves the synchronization operations inside
the zone_maintenance() callback.
This way, zone maintenance operations can be intercepted so they do not
run on a partially synced secure zone. Pending zone maintenance or sync
operations can also be flushed when a full database reload has happened
on the raw side.
Alessio Podda [Mon, 18 May 2026 22:03:32 +0000 (00:03 +0200)]
Add NSEC3-to-NSEC rollover regression test
Before this commit, the NSEC3-to-NSEC transition was only tested by
test_nsec_case[nsec3-to-rsasha1-ds.kasp], which is gated by
RSASHA1_SUPPORTED.
Add another test that does not depend on RSASHA1_SUPPORTED, so this
coverage also runs when RSASHA1 signing is unavailable, such as with
newer OpenSSL configurations.
Aydın Mercan [Tue, 30 Jun 2026 09:40:20 +0000 (12:40 +0300)]
fix: usr: validate query and response time nanosecs when parsing dnstap
An assertion is triggered inside `isc_time_set` when dnstap-read calls
`dns_dt_parse` on dnstap files with query/response time nanosecond
fields greater than a second.
Avoid the assertion by validating the nanosecond fields to be subsecond
when parsing.
Closes #6123
Merge branch '6123-dnstap-parse-invalid-nsec-assert-md' into 'main'
Aydın Mercan [Wed, 10 Jun 2026 14:40:00 +0000 (17:40 +0300)]
validate query and response time nanosecs when parsing dnstap
An assertion is triggered inside `isc_time_set` when dnstap-read calls
`dns_dt_parse` on dnstap files with query/response time nanosecond
fields greater than a second.
Avoid the assertion by validating the nanosecond fields to be subsecond
when parsing.
Matthijs Mekking [Mon, 22 Jun 2026 13:31:20 +0000 (15:31 +0200)]
Small update to patch
../lib/dns/rdataslab.c
../lib/dns/rdataslab.c:168:3: error: expression result unused; should this cast be to 'void'? [-Werror,-Wunused-value]
168 | (void *)newslab(rdataset, mctx, region, 0, buflen);
|
Add dnssec_py/tests_sibling_ds: reject DS for sibling zones in referrals
Add a system test that verifies the resolver rejects DS records whose
owner name does not match the delegation (NS) name in a referral
response.
A custom authoritative server (ans4) serves the parent zone sibling-ds.
from zone file with delegations for child and sibling subzones. Its
DomainHandler injects a DS record for sibling.sibling-ds into referrals
for child.sibling-ds. The resolver must detect the mismatch, log "DS
doesn't match referral (NS)", and return SERVFAIL.
Evan Hunt [Wed, 24 Jun 2026 21:04:20 +0000 (21:04 +0000)]
fix: usr: Check that an NSEC signer is at or above the name to be validated
Add a check that an NSEC record being used as a proof of nonexistence
for a given name is not signed by a name lower in the DNS hierarchy than
the one in question.
Closes #5876
Merge branch '5876-nsec-signer-above-name' into 'main'
Evan Hunt [Sat, 23 May 2026 04:04:03 +0000 (21:04 -0700)]
Check that an NSEC signer is at or above the name to be validated
Add a check that an NSEC record being used as a proof of nonexistence
for a given name is not signed by a name lower in the DNS hierarchy than
the one in question.
Colin Vidal [Wed, 24 Jun 2026 20:31:27 +0000 (22:31 +0200)]
fix: test: Fix RRL test random failure
RRL test were randomly failing because `ns2` hint files uses
```
. NS ns1.
ns1. A 10.53.0.1
```
Whereas `ns1` root zone didn't contains `ns1.` as NS (but only `ns.`).
This is a problem with the following scenario:
- A query starts before priming;
- It gets the root hints as zonecut (with `. NS ns1.`, and no glues, this
is how parent-centric currently works);
- Priming starts and complete (so now rootdb contains the answer/glues
from `ns1` root file);
- Then the query go to ADB to resolve `ns1.`.
Resolution of `ns1.` fails since it doesn't exists from the rootdb
anymore. This is a configuration issue (the resolver behavior is correct
and expected) whch is now fixed.
Colin Vidal [Wed, 24 Jun 2026 16:52:41 +0000 (18:52 +0200)]
Fix RRL random failure
RRL test were randomly failing because `ns2` hint files uses
```
. NS ns1.
ns1. A 10.53.0.1
```
Whereas `ns1` root zone didn't contains `ns1.` as NS (but only `ns.`).
This is a problem with the following scenario:
- A query starts before priming;
- It gets the root hints as zonecut (with `. NS ns1.`, and no glues, this
is how parent-centric currently works);
- Priming starts and complete (so now rootdb contains the answer/glues
from `ns1` root file);
- Then the query go to ADB to resolve `ns1.`.
Resolution of `ns1.` fails since it doesn't exists from the rootdb
anymore. This is a configuration issue (the resolver behavior is correct
and expected) whch is now fixed.
Michal Nowak [Thu, 11 Jun 2026 11:39:14 +0000 (11:39 +0000)]
Fix a false positive compiler warning/error on Alpine 3.24
On Alpine Linux 3.24, GCC 15 with fortify-headers produces a compiler
warning when building bin/nsupdate/nsupdate.c:
In function 'fgets',
inlined from 'get_next_command' at ../bin/nsupdate/nsupdate.c:2414:13:
/usr/include/fortify/stdio.h:48:16: error: 'cmdlinebuf' may be used uninitialized [-Werror=maybe-uninitialized]
48 | return __orig_fgets(__s, __n, __f);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/fortify/stdio.h:42:1: note: in a call to '*fgets' declared with attribute 'access (read_write, 1, 2)' here
42 | _FORTIFY_FN(fgets) char *fgets(char * _FORTIFY_POS0 __s, int __n, FILE *__f)
| ^~~~~~~~~~~
../bin/nsupdate/nsupdate.c:2405:14: note: 'cmdlinebuf' declared here
2405 | char cmdlinebuf[MAXCMD];
| ^~~~~~~~~~
This is a false positive, because fgets() only writes into the buffer;
the fortify-headers wrapper annotates the buffer argument with
'access (read_write, ...)', which makes GCC treat passing an
uninitialized buffer as a read of uninitialized memory.
Initialize the 'cmdlinebuf' buffer anyway to avoid the build error.
Michal Nowak [Wed, 24 Jun 2026 15:16:14 +0000 (17:16 +0200)]
fix: test: Retry pipequeries on a transient EADDRINUSE in the pipelined test
On FreeBSD, the TCP connect() call can transiently fail with
EADDRINUSE under parallel CI load. The netmgr already retries such
connects (see #3451), but it retries on the same socket, which is
already bound to the same ephemeral source port, so when the
four-tuple is genuinely busy (e.g. in TIME_WAIT) every retry fails
the same way. pipequeries then exits with "request event result:
address in use", leaving raw.1 empty and failing the first check.
All eight requests share a single TCP dispatch, so the failed connect
means no query ever reached ns4 and its cache is still cold. It is
therefore safe to run pipequeries again: a fresh process binds a new
ephemeral port, and the out-of-order check keeps its meaning. Retry
for up to ten attempts, but only on this specific transient error.
Assisted-by: Claude Code:claude-fable-5
Merge branch 'mnowak/pipelined-retry-transient-eaddrinuse' into 'main'
Michal Nowak [Thu, 11 Jun 2026 08:32:13 +0000 (08:32 +0000)]
Retry pipequeries on a transient EADDRINUSE in the pipelined test
On FreeBSD, the TCP connect() call can transiently fail with
EADDRINUSE under parallel CI load. The netmgr already retries such
connects (see #3451), but it retries on the same socket, which is
already bound to the same ephemeral source port, so when the
four-tuple is genuinely busy (e.g. in TIME_WAIT) every retry fails
the same way. pipequeries then exits with "request event result:
address in use", leaving raw.1 empty and failing the first check.
All eight requests share a single TCP dispatch, so the failed connect
means no query ever reached ns4 and its cache is still cold. It is
therefore safe to run pipequeries again: a fresh process binds a new
ephemeral port, and the out-of-order check keeps its meaning. Retry
for up to ten attempts, but only on this specific transient error.
Michal Nowak [Wed, 24 Jun 2026 15:06:30 +0000 (17:06 +0200)]
new: dev: Print OS platform in "named -V"
The "running on" line emitted by `named -V` (as well as the startup
log and `rndc status`, which share the same source) now appends the
PRETTY_NAME value from /etc/os-release in parentheses after the uname
output, e.g.:
running on Linux x86_64 6.19.14-... (Fedora Linux 42 (Workstation Edition))
This helps disambiguate environments where the kernel string is not a
reliable indicator of the userspace, such as RHEL clones and
containers whose kernel does not match the host OS.
When /etc/os-release is absent, /usr/lib/os-release is tried as a
fallback per the systemd os-release(5) specification. When neither is
available or no PRETTY_NAME is found, the output is unchanged.
Assisted-by: Claude:claude-opus-4-7
Closes #5334
Merge branch '5334-add-os-platform-to-named-V' into 'main'
Michal Nowak [Tue, 19 May 2026 16:09:36 +0000 (16:09 +0000)]
Print OS platform in "named -V"
The "running on" line emitted by `named -V` (as well as the startup
log and `rndc status`, which share the same source) now appends the
PRETTY_NAME value from /etc/os-release in parentheses after the uname
output, e.g.:
running on Linux x86_64 6.19.14-... (Fedora Linux 42 (Workstation Edition))
This helps disambiguate environments where the kernel string is not a
reliable indicator of the userspace, such as RHEL clones and
containers whose kernel does not match the host OS.
When /etc/os-release is absent, /usr/lib/os-release is tried as a
fallback per the systemd os-release(5) specification. When neither is
available or no PRETTY_NAME is found, the output is unchanged.
The test verifies that a validating resolver enforces the
max-validations-per-fetch limit when encountering a record with multiple
expired RRSIGs followed by a valid one. One of the records is signed
three times: twice with expired timestamps (to produce two expired
RRSIGs for a.rrsigs-extra-expired/A) and once with valid timestamps,
after which the expired RRSIGs are injected back into the signed zone
file. max-validations-per-fetch is set to 2 via the template variable so
that the third (valid) RRSIG is never reached, causing SERVFAIL.
Ondřej Surý [Wed, 24 Jun 2026 11:52:58 +0000 (13:52 +0200)]
fix: usr: Stop reusing outgoing TCP connections the peer has already closed
``named`` could hand a new query an idle forwarder/upstream TCP or TLS
connection that the peer had already closed, causing the query to fail
(and CLOSE-WAIT sockets to pile up). Idle reused connections are now
watched, so a close is noticed and the connection is dropped instead of
reused. A new ``tcp-reuse-timeout`` option controls how long an idle
outgoing connection is kept open for reuse (default 5 seconds).
Closes #6171
Merge branch '6171-tcp-reuse-idle-read' into 'main'
Ondřej Surý [Sun, 21 Jun 2026 18:20:35 +0000 (20:20 +0200)]
Add the tcp-reuse-timeout option
The idle timeout that bounds how long a reused outgoing TCP/TLS
connection is held open for reuse was only tunable through the 'named -T
tcpidletimeout' developer hook added earlier on this branch. Make it a
proper configuration option, tcp-reuse-timeout (options block, in units
of 100 milliseconds like the other tcp-*-timeout options), and drop the
-T hook.
Ondřej Surý [Sun, 21 Jun 2026 07:24:14 +0000 (09:24 +0200)]
Keep idle reused outgoing TCP connections under read
A reused TCP/TLS dispatch with no outstanding responses was left in the
reuse pool with no read pending, so a peer closing the idle connection
went unnoticed: the socket lingered in CLOSE-WAIT and the dead dispatch
was later handed to a new query, which failed and the fetch timed out.
Keep a read pending on an idle connected dispatch, bounded by an idle
timeout, so the close is seen promptly and the connection is dropped
from the pool instead of reused.
The idle read may only be (re)armed while the dispatch is still
connected; arming it on a dispatch that is already shutting down
re-reads a dying handle and double-schedules a netmgr job.
On shutdown, close the connection as soon as the dispatch reaches its
terminal state instead of waiting for the last reference to drop, so an
unexpected read (or a peer-side close) cannot leave the socket in
CLOSE-WAIT while a reference still lingers.
Michał Kępień [Wed, 24 Jun 2026 11:33:57 +0000 (13:33 +0200)]
rem: ci: Drop Danger check related to pre-release testing
With the advent of the new development model involving security-*
branches and autorebasing, the value added by the pre-release testing
mechanism dropped drastically. The only remaining benefit of
pre-release testing is flagging in-progress security fixes targeting
open source branches that conflict with the corresponding bind-9.x-sub
branches. However, such conflicts are a rare occurrence and can be
handled after merging anyway.
Remove the Danger check related to pre-release testing.
Merge branch 'michal/drop-danger-check-related-to-pre-release-testing' into 'main'
Michał Kępień [Wed, 24 Jun 2026 11:25:27 +0000 (13:25 +0200)]
Drop Danger check related to pre-release testing
With the advent of the new development model involving security-*
branches and autorebasing, the value added by the pre-release testing
mechanism dropped drastically. The only remaining benefit of
pre-release testing is flagging in-progress security fixes targeting
open source branches that conflict with the corresponding bind-9.x-sub
branches. However, such conflicts are a rare occurrence and can be
handled after merging anyway.
Remove the Danger check related to pre-release testing.
Andoni Duarte [Wed, 24 Jun 2026 10:33:10 +0000 (10:33 +0000)]
fix: ci: Use resource-group for RPM-related CI jobs
RPM build jobs work by pushing a commits to main in a repository. Each
repository is identified by the `SERVICE variable and, since race
conditions may happen, the jobs are run serially via GitLab's
resource_group mechanism.
Merge branch 'andoni/use-resource-group-for-rpms-copr-ci-job' into 'main'
RPM build jobs push commits to Git repositories. If multiple such jobs
are triggered simultaneously, some of these pushes may fail due to the
same Git branch getting updated by one job while another one attempts to
do the same thing in parallel. Use GitLab's resource group mechanism to
prevent such races: group jobs by the Git repository they push to, which
is indicated by the $SERVICE variable set for each job.
Ondřej Surý [Wed, 24 Jun 2026 10:18:30 +0000 (12:18 +0200)]
fix: usr: Truncated reply to a TSIG query no longer stalls the resolver
When an upstream server returned a truncated reply to a query that BIND had
signed with TSIG, the resolver could keep waiting for a follow-up UDP packet
that never arrived, so the query stalled until it hit resolver-query-timeout
and the client received no answer. BIND now treats any reply it cannot
authenticate as an immediate failure and returns SERVFAIL right away as a
defense in depth.
Closes #6028
Merge branch '6028-tsig-truncated-tsig-response' into 'main'
Ondřej Surý [Mon, 22 Jun 2026 11:29:58 +0000 (13:29 +0200)]
Fail the fetch when a response fails the TSIG signature check
A response that failed the signature check with a missing or unexpected
TSIG used to set nextitem, so the resolver kept reading the dispatch for
another response. When the response was truncated with the TSIG cut off
the end of the wire, no further response ever arrived and the fetch
stalled until resolver-query-timeout.
Treat an unauthenticated response like every other signature-check
failure and finish the fetch immediately. A response carrying a missing
or bogus TSIG now yields SERVFAIL instead of being skipped in favour of
a later one; the cookie system test that fed a spoofed TSIG response is
updated to expect that. The unauthenticated data is still never
returned.
Michal Nowak [Wed, 24 Jun 2026 09:30:59 +0000 (11:30 +0200)]
fix: dev: Avoid writing through a const pointer in render_xsl()
render_xsl() served the static XSL stylesheet by casting away the const
qualifier of xslmsg and handing the pointer to isc_buffer_reinit():
p = UNCONST(xslmsg);
isc_buffer_reinit(b, p, strlen(xslmsg));
isc_buffer_reinit() copies any pre-existing buffer content into the new
base with memmove(), so the call would write into xslmsg, which is a
'const char[]' living in read-only memory. This is safe today only
because the supplied bodybuffer is always freshly initialized with
length 0, so the memmove() never runs -- a fragile, action-at-a-distance
invariant that GCC's -fanalyzer flags as a write to a const object
(-Wanalyzer-write-to-const).
Use isc_buffer_constinit(), the primitive intended for pointing a buffer
at constant data: it goes through isc_buffer_init() and never writes to
the base. This drops the UNCONST cast, keeps xslmsg in read-only
memory, and silences the analyzer warning.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'mnowak/render-xsl-const-buffer' into 'main'
Michal Nowak [Tue, 2 Jun 2026 17:27:16 +0000 (17:27 +0000)]
Avoid writing through a const pointer in render_xsl()
render_xsl() cast away the const of the static xslmsg stylesheet and
passed it to isc_buffer_reinit(), which memmove()s into the base when
the buffer is non-empty -- a write to read-only memory that -fanalyzer
flags (-Wanalyzer-write-to-const). It only stayed safe because the
body buffer is always empty here.
Use isc_buffer_constinit(), which never writes to the base, and assert
the empty-buffer contract with REQUIRE(isc_buffer_length(b) == 0).
Michał Kępień [Wed, 24 Jun 2026 08:04:06 +0000 (10:04 +0200)]
Send Zulip notifications for autorebase failures
Use the GitLab-to-Zulip username map available in the BIND 9 QA
repository to determine the Zulip username of the developer who happened
to author a breaking base branch change, so that a Zulip notification
can be triggered for that developer.
Michał Kępień [Wed, 24 Jun 2026 08:04:06 +0000 (10:04 +0200)]
Fix formatting of autorebase failure notifications
Using a plain "echo" command does not turn "\n" into newline
characters, breaking the formatting of the Zulip notifications sent upon
autorebase failures. Fix by using "echo -e" instead, which enables
interpreting backslash sequences in the provided input.
Michał Kępień [Wed, 24 Jun 2026 08:04:06 +0000 (10:04 +0200)]
Remove the "autorebase-merge-request" CI job
The "autorebase-merge-request" CI job is not useful in practice as the
Danger check whose complaints it was supposed to address does not look
for commit hashes in the original merge request's target branch, but
rather in the original merge request itself - and those commit hashes
remain stable over time. Furthermore, after a backport gets merged, any
cherry-pick references its commits might contain will be maintained by
other autorebasing jobs. Given the above, remove the
"autorebase-merge-request" CI job as it serves no useful purpose.
Ondřej Surý [Wed, 24 Jun 2026 04:53:34 +0000 (06:53 +0200)]
fix: dev: Don't serve a stale CNAME or record when fresh data of the other exists
When a cached name held both a CNAME and records of another type — one stale,
the other still fresh — named with serve-stale could return the expired set
instead of the fresh one, in either direction. It now prefers whichever is fresh.
Merge branch 'ondrej/fix-serve_stale-cname-and-type' into 'main'
Ondřej Surý [Thu, 18 Jun 2026 21:26:12 +0000 (23:26 +0200)]
Don't stop qpcache_find on a stale header while fresh data remains
With serve-stale enabled, stale rdataset headers are kept at a node so
they can be served as a last resort. The find loop, however, accepted a
stale CNAME or stale record of the requested type as a final answer and
broke out of the iteration early, returning stale data even when a fresh
header for the same name appeared later in the scan. Treat STALE(found)
like a missing answer so the loop keeps looking and only falls back to
the stale header when no fresh answer is found.
Arаm Sаrgsyаn [Mon, 22 Jun 2026 20:56:07 +0000 (20:56 +0000)]
fix: usr: Fix a bug in DNS UPDATE processing with inline-signing enabled
In rare cases the :iscman:`named` process could terminate unexpectedly
when processing authorized DNS UPDATE messages in quick procession
which are updating a zone with inline-signing enabled. This has been
fixed.
Closes #5816
Merge branch '5816-inline-signing-concurrent-update-fix' into 'main'
Aram Sargsyan [Thu, 7 May 2026 23:24:22 +0000 (23:24 +0000)]
Fix memory leak bug during zone shutdown
The dns_update_signaturesinc() updates zone signatures in chunks,
keeping its current state in 'zone->rss_state'. When a zone shuts
down, the signature update process is canceled, and all the data
in the state is not freed.
Create a new dns_update_state_clear() function which can be called
from dns_zone_free() to free the memory.
When a DNS UPDATE messages is received, the zone_send_secureserial()
function can schedule a new receive_secure_serial() call with a new
'rss' object before a previous one had a chance to be fully processed.
This can cause an assertion failure in receive_secure_serial() with a
new 'rss' object (when the old one was rescheduled because it got
DNS_R_CONTINUE from dns_update_signaturesinc()). In other words:
1. receive_secure_serial() called with rss, sets zone->rss = rss,
reschedules because of DNS_R_CONTINUE
2. receive_secure_serial() called with rss_new, INSIST fails because
zone->rss != rss_new), i.e. this was called before the old 'rss'
was fully processed
Change the code logic by introducing a new 'rss_next' field and making
sure the old 'rss' is complete before starting processing the new
one.
Aram Sargsyan [Thu, 7 May 2026 11:44:44 +0000 (11:44 +0000)]
Add a new check in "inline" system test
This new check floods the server with DNS UPDATE messages for an
'inline-signing yes; sig-signing-signatures 1;' zone to see if
it manages to process the updates correctly.
Ondřej Surý [Mon, 22 Jun 2026 13:05:10 +0000 (15:05 +0200)]
chg: dev: Reference count and flatten the cache slabheader storage
Internal refactoring of the cache database (qpcache) with no functional
change. The slab headers that hold cached rdatasets are now reference
counted and own their memory context and node reference directly, so a
header can outlive the cleaning of its node and be reclaimed
independently of it. Building on that, the per-type slabtop container is
folded into the slab header itself, removing a level of indirection and
one allocation per cached type.
Merge branch 'ondrej/slabheader-reference-counting' into 'main'