Ondřej Surý [Sat, 21 Mar 2026 14:35:34 +0000 (15:35 +0100)]
Replace SAVE/RESTORE/INITANDSAVE macros with MOVE_OWNERSHIP()
Replace the local SAVE(), RESTORE(), and INITANDSAVE() macros in
query.c with the project-wide MOVE_OWNERSHIP() macro. The new
form is clearer about the intent: ownership of a pointer is being
transferred from source to destination, with the source set to NULL.
SAVE and RESTORE were identical macros with different names used to
indicate the direction of transfer, but this distinction was purely
cosmetic. INITANDSAVE additionally set the destination to NULL
first, which is unnecessary because the preceding memcpy already
initialized all fields from the source struct.
Ondřej Surý [Fri, 20 Mar 2026 01:15:17 +0000 (02:15 +0100)]
Add MOVE_OWNERSHIP() macro for transferring pointer ownership
A helper macro that returns the current value of a pointer and sets
it to NULL in one expression, useful for transferring ownership in
designated initializers.
Ondřej Surý [Fri, 20 Mar 2026 16:18:04 +0000 (17:18 +0100)]
chg: dev: Fix cache flush ordering on NTA expiry
dns_view_flushnode() was called in the delete_expired() async
callback, which runs after the query that detected the NTA expiry.
This created a race: the query would proceed with stale cached data
from the NTA period before the flush had a chance to run, resulting
in transient SERVFAIL with EDE 22 (No Reachable Authority).
Move dns_view_flushnode() into dns_ntatable_covered() so the cache
is flushed synchronously when the expiry is detected, before the
query continues.
Also simplify the expiry comparison in delete_expired() to a direct
pointer comparison (nta == pval) instead of comparing expiry
timestamps.
Merge branch 'ondrej/refactor-nta-using-RCU-delete-order-fix' into 'main'
Ondřej Surý [Fri, 20 Mar 2026 13:29:57 +0000 (14:29 +0100)]
Fix cache flush ordering on NTA expiry
dns_view_flushnode() was called in the delete_expired() async
callback, which runs after the query that detected the NTA expiry.
This created a race: the query would proceed with stale cached data
from the NTA period before the flush had a chance to run, resulting
in transient SERVFAIL with EDE 22 (No Reachable Authority).
Move dns_view_flushnode() into dns_ntatable_covered() so the cache
is flushed synchronously when the expiry is detected, before the
query continues.
Also simplify the expiry comparison in delete_expired() to a direct
pointer comparison (nta == pval) instead of comparing expiry
timestamps.
Ondřej Surý [Fri, 20 Mar 2026 01:06:29 +0000 (02:06 +0100)]
fix: dev: Fix data race in server round-trip time tracking
The SRTT (Smoothed Round-Trip Time) update for remote servers was not
atomic — concurrent callers could each read the same value and one
update would be silently lost. Additionally, the aging decay applied
once per second could run multiple times if several threads entered the
function simultaneously.
Use compare-and-swap loops for the SRTT update and for the aging
timestamp to ensure no updates are lost.
Merge branch 'ondrej/fix-non-atomic-srtt-aging' into 'main'
Ondřej Surý [Thu, 19 Mar 2026 03:17:45 +0000 (04:17 +0100)]
Fix non-atomic read-modify-write on entry->srtt in adjustsrtt()
The SRTT update loaded the old value, computed a new one, and stored it
back as separate operations. Two concurrent callers could each read the
same old value and one update would be silently lost.
Use a CAS loop for the read-modify-write on entry->srtt. For the aging
path, also CAS on entry->lastage to prevent multiple threads from aging
the same entry in the same second.
Ondřej Surý [Thu, 19 Mar 2026 23:56:24 +0000 (00:56 +0100)]
fix: dev: Fix data race on fctx->vresult in validated()
Move the write to fctx->vresult after LOCK(&fctx->lock). The field was
being set before acquiring the lock, but dns_resolver_logfetch() reads
it under the same lock from another thread.
Merge branch 'ondrej/fix-data-race-on-fctx-result-in-validated' into 'main'
Ondřej Surý [Thu, 19 Mar 2026 02:42:08 +0000 (03:42 +0100)]
Fix data race on fctx->vresult in validated()
Move the write to fctx->vresult after LOCK(&fctx->lock). The field was
being set before acquiring the lock, but dns_resolver_logfetch() reads
it under the same lock from another thread.
Ondřej Surý [Thu, 19 Mar 2026 18:04:09 +0000 (19:04 +0100)]
fix: dev: Fix data race in glue cache RCU pointer publication
The liburcu rcu_cmpxchg_pointer() uses relaxed ordering on the CAS
failure path. When two threads race to publish a new pointer and one
loses the CAS, the returned pointer has no acquire semantics - reading
fields through it is a data race on weakly-ordered architectures.
Override rcu_cmpxchg_pointer() and rcu_xchg_pointer() to use
acquire/release ordering via standard __atomic builtins, which also
makes the operations natively visible to ThreadSanitizer.
Closes #5182
Merge branch '5182-fix-false-tsan-report-in-addglue' into 'main'
Ondřej Surý [Thu, 19 Mar 2026 06:30:24 +0000 (07:30 +0100)]
Fix data race in RCU pointer exchange operations
The liburcu rcu_cmpxchg_pointer() uses CMM_RELAXED ordering on the CAS
failure path. When a thread loses the CAS and gets another thread's
pointer back, reading fields through that pointer is a data race on
weakly-ordered architectures (ARM, POWER) because the failing load has
no acquire semantics.
Override rcu_cmpxchg_pointer() and rcu_xchg_pointer() to use standard
__atomic builtins with __ATOMIC_ACQ_REL (success) and __ATOMIC_ACQUIRE
(failure) ordering. This fixes the race on all architectures and is
natively visible to ThreadSanitizer.
Ondřej Surý [Tue, 17 Mar 2026 03:08:54 +0000 (04:08 +0100)]
Fix data race on nta->expiry
Use CMM_LOAD_SHARED/CMM_STORE_SHARED for nta->expiry, which is
written from the NTA's owning loop but read from any loop (validator,
rndc status, rndc nta -dump).
Also dispatch delete_expired to the NTA's owning loop rather than
the caller's loop.
Ondřej Surý [Sun, 15 Mar 2026 13:42:06 +0000 (14:42 +0100)]
Refactor NTA to use RCU instead of rwlock
Replace the ntatable rwlock with RCU read-side critical sections.
The QP multi trie already provides its own concurrency control for
reads and writes, making the rwlock redundant. NTA fields like
expiry are only accessed from the NTA's own event loop thread, so
no additional synchronization is needed.
The table shutdown is now deferred via call_rcu to ensure all
read-side critical sections have completed before iterating and
shutting down individual NTAs.
Ondřej Surý [Wed, 18 Mar 2026 23:56:31 +0000 (00:56 +0100)]
fix: usr: Fix NTA (Negative Trust Anchor) expiration issue
When a configured NTA for a name expired, any possibly cached
data for the name (with "insecure" DNSSEC validation result)
was not flushed from the resolver's cache. This has been fixed.
Closes #5747
Merge branch '5747-nta-expiry-cache-flush-bug-fix' into 'main'
Arаm Sаrgsyаn [Wed, 18 Mar 2026 17:04:31 +0000 (17:04 +0000)]
fix: dev: Take dns_dtenv_t reference before an async function call
A 'dns_dtenv_t' pointer is passed to an async function without taking
a reference first, which can potentially cause a use-after-free error.
Take a reference, then detach in the async function.
Closes #5820
Merge branch '5820-dns_dtenv-reference-bug-fix' into 'main'
Aram Sargsyan [Tue, 17 Mar 2026 11:23:22 +0000 (11:23 +0000)]
Take 'env' reference before async calling perform_reopen()
The 'env' pointer is passed to an async function without taking
a reference first, which can potentially cause a use-after-free
error. Take a reference, then detach in the async function.
Nicki Křížek [Wed, 18 Mar 2026 14:10:30 +0000 (15:10 +0100)]
chg: dev: Use underscore for system test names
Change the convention for system test directory names to always use an
underscore rather than a hyphen. Names using underscore are valid python
package names and can be used with standard `import` facilities in
python, which allows easier code reuse.
Merge branch 'nicki/system-test-dir-underscore-names' into 'main'
Nicki Křížek [Tue, 17 Mar 2026 16:18:48 +0000 (17:18 +0100)]
Rename all system test to use underscore
All system tests previously using a hyphen have been renamed to use
underscore instead. A couple of symlinks were corrected and one path in
`nsec3-answer` adjusted accordingly.
Nicki Křížek [Tue, 17 Mar 2026 16:08:15 +0000 (17:08 +0100)]
Use underscore for system test names
Change the convention for system test directory names to always use an
underscore rather than a hyphen. Names using underscore are valid python
package names and can be used with standard `import` facilities in
python, which allows easier code reuse.
The temporary directories for test execution and their convenience
symlinks have been switched to using hyphens rather than underscores to
keep the pytest collection, filtering and .gitignore working as
expected.
Ondřej Surý [Wed, 18 Mar 2026 10:39:16 +0000 (11:39 +0100)]
fix: dev: Fix isc_buffer_init capacity mismatch in DoH data chunk callback
isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated. This makes the buffer
believe it has more space than actually allocated. A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.
Pass h2->content_length as the capacity to match the allocation.
Merge branch 'ondrej/fix-isc_buffer_init-capacity-mismatch-in-DoH' into 'main'
Ondřej Surý [Wed, 11 Mar 2026 12:17:45 +0000 (13:17 +0100)]
Fix isc_buffer_init capacity mismatch in DoH data chunk callback
isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated. This makes the buffer
believe it has more space than actually allocated. A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.
Pass h2->content_length as the capacity to match the allocation.
Ondřej Surý [Wed, 18 Mar 2026 10:37:31 +0000 (11:37 +0100)]
rem: usr: Remove NZF file support in favor of NZD (New Zone Database)
The NZF (New Zone File) backend for storing rndc addzone configurations
has been removed; LMDB-based NZD is now the only storage backend and
LMDB is now a required build dependency.
Existing NZF files are automatically migrated to NZD on startup, so no manual
intervention is required when upgrading.
Merge branch 'ondrej/drop-nzf-support' into 'main'
Ondřej Surý [Sun, 15 Mar 2026 04:05:09 +0000 (05:05 +0100)]
Split NZD functions into a separate compilation unit
Move all LMDB-based new zone database functions from server.c into
nzd.c to reduce the size of server.c and isolate the NZD/LMDB
interface. Rename load_nzf() to nzd_load_nzf() to match the nzd_
namespace.
Ondřej Surý [Sun, 15 Mar 2026 03:42:45 +0000 (04:42 +0100)]
Remove dead NZF writer parameter and simplify newzone locking
Now that NZF write support is gone, remove the unused nzfwriter_t
typedef and nzfwriter parameter from delete_zoneconf(). Remove the
bool locked parameter and simplify the locking in do_modzone() and
rmzone() to unconditional lock/unlock pairs.
Ondřej Surý [Sun, 15 Mar 2026 03:25:12 +0000 (04:25 +0100)]
Remove NZF support, make LMDB required for new zone storage
Drop the NZF (New Zone File) fallback for persisting runtime zone
configurations, making LMDB (NZD) the only storage backend. This
removes all #ifdef HAVE_LMDB conditionals, the meson 'lmdb' option,
and the NZF-related functions. LMDB is now a mandatory build
dependency.
Ondřej Surý [Tue, 17 Mar 2026 15:40:29 +0000 (16:40 +0100)]
fix: usr: Fix potential resource during resolver error handling
Under specific error conditions during query processing, resources were not
being properly released, which could eventually lead to unnecessary memory
consumption for the server. The a potential resource leak in the resolver
has been fixed.
Merge branch 'ondrej/fix-pthread-primitives-usage' into 'main'
Ondřej Surý [Tue, 10 Mar 2026 10:30:54 +0000 (11:30 +0100)]
Fix missing mutex destroy and ede invalidate on fctx_create() error paths
The error cleanup in fctx_create() was missing isc_mutex_destroy() and
dns_ede_invalidate() calls. When error paths (cleanup_nameservers,
cleanup_fcount, cleanup_qmessage, cleanup_adb) were taken after the
mutex and edectx were initialized, the fctx memory was freed without
properly destroying these resources first.
Mark Andrews [Wed, 4 Mar 2026 06:51:09 +0000 (17:51 +1100)]
Clear errno before calling strtol
The previous code was incorrectly clearing errno after calling
strtol but before testing the result rather than clearing it and
then calling strtol so that changes to errno can be correctly
determined.
We return DNS_R_NOVALIDSIG if we detected a deadlock. Then in
'validate_async_done()', this result value is used to check if we
need to fall back to insecure. As part of that we create a new fetch
but that fails because of the detected deadlock. This results in a loop
of deadlock detected, fallback to insecure, deadlock detected, ...
Add a new result value, ISC_R_DEADLOCK, and return this instead when
we have detected a deadlock. This will be treated as a generic error,
as there is no special handling for this result value.
Ondřej Surý [Mon, 16 Mar 2026 11:17:16 +0000 (12:17 +0100)]
chg: nil: Cleanup the duplicate logic and comments around add into NSEC tree
After merging the NORMAL, NSEC and NSEC3 tree into single QP tree, there were some comments still speaking about auxiliary NSEC tree. These were cleaned up and the logic when we pass the qp tree (write transaction) to qpzone_addrdataset_inner() was changed to be more obvious that this is needed only when we are adding NSEC records.
Merge branch 'ondrej/additional-cleanups-around-NSEC-namespace' into 'main'
Ondřej Surý [Sat, 31 Jan 2026 06:32:08 +0000 (07:32 +0100)]
Cleanup weird syntax defining struct dns_ixfr
The struct dns_ixfr was defined as part of struct dns_xfrin, probably
because at some point it was an anonymous struct and then it was changed
to named struct with typedef at the top. Move the definition from
struct dns_xfrin into and fold into the typedef ... dns_ixfr_t.
Ondřej Surý [Sat, 31 Jan 2026 06:24:49 +0000 (07:24 +0100)]
Cleanup the duplicate logic and comments around add into NSEC tree
After merging the NORMAL, NSEC and NSEC3 tree into single QP tree, there
were some comments still speaking about auxiliary NSEC tree. These were
cleaned up and the logic when we pass the qp tree (write transaction) to
qpzone_addrdataset_inner() was changed to be more obvious that this is
needed only when we are adding NSEC records.
Colin Vidal [Mon, 16 Mar 2026 10:36:25 +0000 (11:36 +0100)]
chg: dev: Exclude named.args.j2 and system test README files from license header checks
Exclude named.args.j2 files from license header checks so named.args can
be generated from Jinja templates. Also exclude system test README files
from the license header checks.
Ondřej Surý [Mon, 16 Mar 2026 10:06:28 +0000 (11:06 +0100)]
fix: dev: Fix use-after-free in xfrin_recv_done
Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.
Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object. Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference. Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.
Closes #5786
Merge branch '5786-fix-dtrace-after-free' into 'main'
Ondřej Surý [Wed, 4 Mar 2026 16:08:50 +0000 (17:08 +0100)]
Fix use-after-free in xfrin_recv_done
Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.
Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object. Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference. Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.
Arаm Sаrgsyаn [Mon, 16 Mar 2026 10:01:32 +0000 (10:01 +0000)]
fix: dev: Fix OpenSSL 4 compatibility issue when calling X509_get_subject_name()
Starting from OpenSSL 4 the the X509_get_subject_name() function
returns a 'const' pointer to a name instead of a regular pointer.
Duplicate the name before operating on it, then free it.
Closes #5807
Merge branch '5807-openssl-4-X509_get_subject_name-compat-fix' into 'main'
Aram Sargsyan [Thu, 12 Mar 2026 13:10:38 +0000 (13:10 +0000)]
OpenSSL 4 compatibility fix
Starting from OpenSSL 4 the the X509_get_subject_name() function
returns a 'const' pointer to a name instead of a regular pointer.
Duplicate the name before operating on it, then free it.
Ondřej Surý [Sat, 14 Mar 2026 11:53:51 +0000 (12:53 +0100)]
Simplify checkds_create() to return void
Since memory allocation never fails in BIND 9, checkds_create() cannot
fail. Change it to return void and use designated initializers,
removing error handling at all call sites.
Ondřej Surý [Sat, 14 Mar 2026 11:53:03 +0000 (12:53 +0100)]
Fix TSIG key and transport leaks in zone_notify() error paths
Two 'goto next' paths in zone_notify() skipped detaching the TSIG
key and transport, leaking them on TLS configuration failure and
when the destination address is disabled.
The INSIST in isc_radix_insert() checks node->data[RADIX_V4] and
node->node_num[RADIX_V4] twice due to a copy-paste error, never
verifying the RADIX_V6 fields.
Fix the second pair to check RADIX_V6.
Merge branch 'ondrej/fix-copy-paste-error-checking-RADIX_V4-instead-of-RADIX_V6' into 'main'
Ondřej Surý [Wed, 11 Mar 2026 12:17:56 +0000 (13:17 +0100)]
Fix INSIST copy-paste error checking RADIX_V4 instead of RADIX_V6
The INSIST in isc_radix_insert() checks node->data[RADIX_V4] and
node->node_num[RADIX_V4] twice due to a copy-paste error, never
verifying the RADIX_V6 fields.
Ondřej Surý [Sat, 14 Mar 2026 10:02:10 +0000 (11:02 +0100)]
fix: dev: Fix port validation rejecting valid port 65535
Three port validation checks use >= UINT16_MAX instead of > UINT16_MAX,
incorrectly rejecting port 65535 as out of range. Port 65535 is a valid
TCP/UDP port number. Other port checks in the same file already use the
correct > comparison.
Merge branch 'ondrej/fix-port-validation-rejecting-valid-port-65535' into 'main'
Ondřej Surý [Wed, 11 Mar 2026 12:18:01 +0000 (13:18 +0100)]
Fix port validation rejecting valid port 65535
A few port validation checks use >= UINT16_MAX instead of > UINT16_MAX,
incorrectly rejecting port 65535 as out of range. Port 65535 is a valid
TCP/UDP port number. Other port checks in the same file already use the
correct > comparison.
Ondřej Surý [Sat, 14 Mar 2026 09:10:37 +0000 (10:10 +0100)]
fix: dev: Fix memory leak in dns_catz_options_setdefault() for zonedir
When defaults->zonedir is set, opts->zonedir is unconditionally
overwritten without freeing the previous value. This leaks memory
on every catalog zone update when zonedir defaults are configured.
Free the existing opts->zonedir before replacing it.
Merge branch 'ondrej/fix-memory-leak-in-dns_catz_options_setdefault' into 'main'
Ondřej Surý [Wed, 11 Mar 2026 12:17:32 +0000 (13:17 +0100)]
Fix memory leak in dns_catz_options_setdefault() for zonedir
When defaults->zonedir is set, opts->zonedir is unconditionally
overwritten without freeing the previous value. This leaks memory
on every catalog zone update when zonedir defaults are configured.
Free the existing opts->zonedir before replacing it.
Ondřej Surý [Sat, 14 Mar 2026 06:45:57 +0000 (07:45 +0100)]
fix: usr: Fix intermittent named crashes during asynchronous zone operations
Asynchronous zone loading and dumping operations occasionally dispatched tasks
to the wrong internal event loop. This threading violation triggered internal
safety assertions that abruptly terminated named. Strict loop affinity is now
enforced for these tasks, ensuring they execute on their designated threads
and preventing the crashes.
Closes #4882
Merge branch '4882-run-rndc-zone-commands-on-correct-loop' into 'main'
Ondřej Surý [Tue, 10 Mar 2026 17:25:54 +0000 (18:25 +0100)]
Dispatch async work jobs from the correct loop
Refactor dns_loadctx_t and dns_dumpctx_t to use standard
ISC_REFCOUNT_DECL and ISC_REFCOUNT_IMPL macros, retiring the
redundant manual attach and detach implementations.
Introduce dns_loadctx_enqueue() and dns_dumpctx_enqueue() to
ensure compliance with the new strict loop affinity in
isc_work_enqueue(). If the current loop does not match the
target loop, the enqueue operation is safely bounced to the
correct thread via isc_async_run().
Ondřej Surý [Tue, 10 Mar 2026 17:25:37 +0000 (18:25 +0100)]
Enforce isc_work enqueue loop affinity
Add a REQUIRE(isc_loop() == loop) assertion to isc_work_enqueue()
to strictly enforce that work is enqueued from the loop it is
assigned to. This loudly prohibits cross-thread queue manipulation
before it inevitably turns into a concurrency debugging nightmare.
Michał Kępień [Fri, 13 Mar 2026 13:31:40 +0000 (14:31 +0100)]
[CVE-2026-3591] sec: usr: Fix a stack use-after-return flaw in SIG(0) handling code
A stack use-after-return flaw in SIG(0) handling code could enable ACL
bypass and/or assertion failures in certain circumstances. This flaw has
been fixed.
ISC would like to thank Mcsky23 for bringing this vulnerability to our
attention.
Closes isc-projects/bind9#5754
Merge branch '5754-stack-use-after-free-sig0' into 'v9.21.20-release'
Ondřej Surý [Fri, 20 Feb 2026 08:46:32 +0000 (09:46 +0100)]
Fix stack Use-After-Return in SIG(0) handling
The asynchronous SIG(0) handling improperly used srcaddr, and dstaddr
from the caller's stack and didn't attach to aclenv. This could
possibly lead to ACL bypass as an invalid srcaddr could be matched or
possible assertion failure if the ACL environment would change between
the initial call and the SIG(0) processing due to the server
reconfiguration. This has been fixed.
Ondřej Surý [Tue, 24 Feb 2026 18:20:14 +0000 (19:20 +0100)]
Add system test using SIG(0) and ACL matching
This adds a system test to verify that asynchronous SIG(0)
validation correctly retains the ACL environment and network
addresses of the caller, preventing unauthorized ACL bypass
when evaluating match-clients and match-destinations.
Aram Sargsyan [Fri, 20 Feb 2026 11:18:52 +0000 (11:18 +0000)]
Fix a bug in dns_tkey_processquery()
The 'keyname' variable could be used in the add_rdata_to_list()
call without being initialized. Make sure that 'keyname' is non-NULL
for all the cases that do not jump to the 'cleanup:' label.
Michał Kępień [Fri, 13 Mar 2026 12:35:24 +0000 (13:35 +0100)]
[CVE-2026-3104] sec: usr: Fix memory leaks in code preparing DNSSEC proofs of non-existence
An attacker controlling a DNSSEC-signed zone could trigger a memory leak
in the logic preparing DNSSEC proofs of non-existence, by creating more
than :any:`max-records-per-type` RRSIGs for NSEC records. These memory
leaks have been fixed.
ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention.
Closes isc-projects/bind9#5742
Merge branch '5742-fix-memory-leak-in-addnoqname-and-addclosest' into 'v9.21.20-release'
Ondřej Surý [Tue, 10 Feb 2026 15:16:25 +0000 (16:16 +0100)]
Fix memory leak in QPcache addnoqname/addclosest mechanism
The attacker that controls DNSSEC-signed zone can trigger a memory leak
in the addnoqname() and/or addclosest() by creating more than
max-records-per-type RRSIG for any NSEC records. The memory leaks have
been fixed.
Michał Kępień [Fri, 13 Mar 2026 12:16:28 +0000 (13:16 +0100)]
[CVE-2026-1519] sec: usr: Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations
DNSSEC-signed zones may contain high iteration-count NSEC3 records,
which prove that certain delegations are insecure. Previously, a
validating resolver encountering such a delegation processed these
iterations up to the number given, which could be a maximum of 65,535.
This has been addressed by introducing a processing limit, set at 50.
Now, if such an NSEC3 record is encountered, the delegation will be
treated as insecure.
ISC would like to thank Samy Medjahed/Ap4sh for bringing this
vulnerability to our attention.
Closes isc-projects/bind9#5708
Merge branch '5708-confidential-nsec3-delegation-iteration-fix-fallback-to-insecure' into 'v9.21.20-release'
In many places we only create a validator if the RRset has too low
trust (the RRset is pending validation, or could not be validated
before). This check was missing prior to validating negative response
data.
When looking up an NSEC3 as part of an insecurity proof, check the
number of iterations. If this is too high, treat the answer as insecure
by marking the answer with trust level "answer", indicating that they
did not validate, but could be cached as insecure.
Nicki Křížek [Tue, 3 Feb 2026 17:25:04 +0000 (18:25 +0100)]
Reproducer for CVE-2026-1519
When a validating resolver processes a delegation from a DNSSEC-signed
zone which uses too many NSEC3 iterations, it should cease the attempt
to validate due to an NSEC3 iteration limit being exceeded and fall back
to insecure.
projects / thirdparty / bind9.git / log
