Aram Sargsyan [Mon, 30 Mar 2026 12:11:46 +0000 (12:11 +0000)]
Revert NTA flush on expire
Flushing the name when NTA expires causes problems for the ongoing
resolving process. Do not flush the name from the cache. Instead,
the resolver should do the flushing (this is planned to be merged
next).
Ondřej Surý [Mon, 30 Mar 2026 10:32:23 +0000 (12:32 +0200)]
fix: usr: Count temporal problems with DNSSEC validation as attempts
After KeyTrap, the temporal DNSSEC were originally hard errors that
caused validation failures even if the records had another valid
signature. This has been changed and the RRSIGs outside of the
inception and expiration time are not counted as hard errors. However,
these errors are not even counted as validation attempts, so excessive
number of expired RRSIGs would cause some non-cryptograhic extra work
for the validator. This has been fixed and the temporal errors are
correctly counted as validation attempts.
Closes #5760
Merge branch '5760-count-DNSSEC-temporal-errors-as-validation-attempts' into 'main'
Ondřej Surý [Mon, 23 Feb 2026 18:42:49 +0000 (19:42 +0100)]
Count temporal problems with DNSSEC validation as attempts
After KeyTrap, the temporal DNSSEC were originally hard errors that
caused validation failures even if the records had another valid
signature. This has been changed and the RRSIGs outside of the
inception and expiration time are not counted as hard errors. However,
these errors are not even counted as validation attempts, so excessive
number of expired RRSIGs would cause some non-cryptograhic extra work
for the validator. This has been fixed and the temporal errors are
correctly counted as validation attempts.
Ondřej Surý [Sat, 28 Mar 2026 09:44:21 +0000 (10:44 +0100)]
fix: usr: Fix update-policy per-type max quota bypass via crafted UPDATE messages
An authenticated DDNS client could bypass update-policy per-type record limits
(e.g. TXT(3)) by including padding records in the UPDATE message that are
silently skipped during processing. Each skipped record shifted an internal
counter, causing subsequent records to be checked against the wrong quota —
potentially reading an unlimited (0) entry instead of the configured maximum.
This allowed a client with valid TSIG credentials to add an arbitrary number of
records beyond the configured limit across repeated UPDATE messages up to the
`max-records-per-type` limit.
Closes #5799
Merge branch '5799-fix-counter-desync-in-SSU' into 'main'
Ondřej Surý [Wed, 18 Mar 2026 09:33:06 +0000 (10:33 +0100)]
Fix update-policy per-type max quota bypass via counter desynchronization
The prescan and main update loops in DNS UPDATE processing both used the
same counter to index the maxbytype[] quota array. The prescan loop
always incremented the counter, but the main loop had 14 continue paths
that skipped the increment. This allowed an authenticated DDNS client to
craft an UPDATE message with padding records (e.g. CNAME+A pairs that
trigger CNAME-conflict skips) to shift the counter and read wrong quota
entries, bypassing per-type record limits entirely.
Fix by incrementing the counter unconditionally at the start of each
iteration in the main loop.
Arаm Sаrgsyаn [Fri, 27 Mar 2026 12:37:33 +0000 (12:37 +0000)]
fix: usr: Fix the processing of empty catalog zone ACLs
The :iscman:`named` process could terminate unexpectedly when
processing a catalog zone ACL in an APL resource record that
was completely empty. This has been fixed.
Closes #5801
Merge branch '5801-catz-empty-apl-rr-bug-fix' into 'main'
Aram Sargsyan [Mon, 23 Mar 2026 15:15:18 +0000 (15:15 +0000)]
Allow empty APL records
Allow empty APL records because RFC 3123 (Section 4) says "zero or
more items". This fixes processing of a catalog zone ACL (which is
based on APL records) when the zone contains an empty APL record or
when a zone update arrives which creates an empty APL record.
Alessio Podda [Thu, 26 Mar 2026 10:53:29 +0000 (10:53 +0000)]
chg: dev: Add low contention stats counter
In the current statistics counter implementation, the statistics are
backed by an array of counters, which are updated via atomic operations.
This leads to contention, especially on high core count
machines.
This commit introduces a new isc_statsmulti_t counter that keeps a
separate array per thread. These counters are then aggregated only when
statistics are queried, shifting work off the critical path.
These changes lead to a ~2% improvement in perflab.
Alessio Podda [Wed, 25 Mar 2026 12:12:41 +0000 (13:12 +0100)]
Move ns_highwater_recursclients to highwater stats
Since it is impossible to increase an isc_statsmulti counter and
retrieve the new counter atomically, and we need the output of
recursclients in order to compute ns_highwater_recursive, we change the
recursclients counter to an isc_stats one.
In the current statistics counter implementation, the statistics are
backed by an array of counters, which are updated via atomic operations.
This leads to contention, especially on high core count
machines.
This commit introduces a new isc_statsmulti_t counter that keeps a
separate array per thread. These counters are then aggregated only when
statistics are queried, shifting work off the critical path.
These changes lead to a ~2% improvement in perflab.
Mark Andrews [Thu, 26 Mar 2026 00:57:04 +0000 (11:57 +1100)]
new: usr: Add switch to disable cookie checking in delv
This adds the switch +[no]cookie to delv to control the sending of
DNS COOKIE options when sending requests. The default is to send
DNS COOKIE options.
Closes #5825
Merge branch '5825-switch-to-disable-cookie-checking-in-delv' into 'main'
Mark Andrews [Mon, 23 Mar 2026 05:43:32 +0000 (16:43 +1100)]
Add switch to disable cookie checking in delv
This adds the switch +[no]cookie to delv to control the sending of
DNS COOKIE options when sending requests. The default is to send
DNS COOKIE options.
Michał Kępień [Wed, 25 Mar 2026 17:09:02 +0000 (18:09 +0100)]
Prevent unscheduled release publication
The "publish" job has no dependencies on other jobs, so nothing prevents
it from being accidentally started before the scheduled publication
date. Although publication still requires confirmation via an SSH
connection to a dedicated, locked-down runner, performing that action
prematurely may have drastic consequences. Therefore, it is worth
implementing additional safeguards.
Add an extra check to the "publish" job to ensure it can only be run on
the scheduled publication day. In exceptional circumstances, this check
can be overridden by setting the FORCE_PUBLICATION CI variable to any
non-empty value.
Michał Kępień [Wed, 25 Mar 2026 17:09:02 +0000 (18:09 +0100)]
Tighten dependencies for tag-related jobs
The "merge-tag" and "update-stable-tag" jobs currently use the
"manual_release_job_qa" YAML anchor, which makes them depend on the
"staging" job. Meanwhile, both of these jobs require the tag they were
created for to be public for them to work. While this is harmless, as
these jobs will simply fail if they are run too early, it still makes
sense for them to depend on the "publish" job instead, if only to reduce
confusion in the pipeline view. Adjust the "needs" key for the
"merge-tag" and "update-stable-tag" jobs accordingly.
Michał Kępień [Wed, 25 Mar 2026 17:09:02 +0000 (18:09 +0100)]
Extend artifact lifetime for Cloudsmith build jobs
The commit.txt file produced by each Cloudsmith build job is required to
run the corresponding publication job. Therefore, the artifact lifetime
for the former must be long enough to prevent the file from expiring
before the publication job is run. Set the lifetime of the artifacts
created by Cloudsmith build jobs to one month to ensure that the
publication jobs can access them.
Michał Kępień [Wed, 25 Mar 2026 17:09:02 +0000 (18:09 +0100)]
Fix building EVN & -S Cloudsmith packages
Setting "artifacts: false" for the dependency on the "publish-private"
job prevents the url-*.txt files produced by that job from being pulled
from GitLab when the jobs that build EVN & -S Cloudsmith packages are
run, effectively breaking the latter. Fix by making these jobs depend
on the artifacts of the "publish-private" job.
Michał Kępień [Wed, 25 Mar 2026 15:52:06 +0000 (16:52 +0100)]
chg: test: Rename "nsec3-delegation" to "nsec3_delegation"
The "nsec3-delegation" test was added in a release branch, before commit 67aca1f8c6f19de11f238a402604697be4ff64dc introduced the current system
test naming convention. Rename the test to comply with that convention.
Merge branch 'michal/rename-nsec3-delegation-test' into 'main'
Michał Kępień [Wed, 25 Mar 2026 14:36:17 +0000 (15:36 +0100)]
Rename "nsec3-delegation" to "nsec3_delegation"
The "nsec3-delegation" test was added in a release branch, before commit 67aca1f8c6f19de11f238a402604697be4ff64dc introduced the current system
test naming convention. Rename the test to comply with that convention.
Aydın Mercan [Wed, 25 Mar 2026 12:37:37 +0000 (15:37 +0300)]
new: dev: optionally use libngtcp2 in development builds
Unlike new transports with a new dependency DNS-over-QUIC support will
be added incrementally due to the non-trivial amound of plumbing
required by libngtcp2. This will require non-functional QUIC code in the
main branch that won't be exposed for non-development builds.
Therefore, libngtcp2 is linked as an optional dependency only on
explicitly enabled development builds and cannot be required. This will
be changed with a `doq` meson build option once the server-side
functionality is complete for consumption.
Aydın Mercan [Tue, 17 Feb 2026 12:43:16 +0000 (15:43 +0300)]
optionally use libngtcp2 only in development builds
Unlike new transports with a new dependency DNS-over-QUIC support will
be added incrementally due to the non-trivial amound of plumbing
required by libngtcp2. This will require non-functional QUIC code in the
main branch that won't be exposed for non-development builds.
Therefore, libngtcp2 is linked as an optional dependency only on
explicitly enabled development builds and cannot be required. This will
be changed with a `doq` meson build option once the server-side
functionality is complete for consumption.
Michal Nowak [Wed, 25 Mar 2026 10:26:02 +0000 (11:26 +0100)]
fix: ci: Set User-Agent for Sphinx to fix gitlab.gnome.org
The linkcheck started to fail because of a new check on gitlab.gnome.org
that now forbids Sphinx User-Agent, returnin 406 HTTP status.
( chapter10: line 115) broken https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home - 406 Client Error: Not Acceptable for url: https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
Merge branch 'mnowak/linkcheck-set-user-agent' into 'main'
Michal Nowak [Wed, 25 Mar 2026 09:39:15 +0000 (10:39 +0100)]
Set User-Agent for Sphinx to fix gitlab.gnome.org
The linkcheck started to fail because of a new check on gitlab.gnome.org
that now forbids Sphinx User-Agent, returnin 406 HTTP status.
( chapter10: line 115) broken https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home - 406 Client Error: Not Acceptable for url: https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home
However, this test relies on the fact that, at the time, the NS names
were processed in a specific order in the nameserver.
This is not true anymore, as the NS are in a random order. Moreover,
commit `3c33e7d9370006b1599e3d99c0d5fa6a6dad7979` introduced the
randomization of the selection of the NS names to lookup, which make the
test potentially unreliable, as it now doesn't mean anything to check
the nameserver does not query `ns21.fake.redirect.com.`, as it could be
the first one, or in any position form the randomized list.
Another test has been added in commit
`c67b52684f11652b07afaa75a917f6f0355dbca6` which test both the
randomization of the NS name to be looked up, as well as the upper bound
limit of NS name lookup to be done.
For all those reasons, this specific legacy check is now removed.
Merge branch 'colin/remove-incompatble-nslimit-check' into 'main'
However, this test relies on the fact that, at the time, the NS names
were processed in a specific order in the nameserver, as this snip from
the log (from a build on `604d8f0` branch) running the test illustrates:
```
24-Mar-2026 21:19:46.346 dispatch 0x7fdaa722d200: success, length == 19956, addr = 0x7fdaa0a7c102
24-Mar-2026 21:19:46.346 dispatch 0x7fdaa722d200: got valid DNS message header, /QR 1, id 14328
24-Mar-2026 21:19:46.346 dispatch 0x7fdaa722d200: search for response in bucket 7213: success
24-Mar-2026 21:19:46.354 received packet from 10.53.0.3#5300
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14328
;; flags: qr aa; QUESTION: 1, ANSWER: 0, AUTHORITY: 999, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: baf16b0241efc700
;; QUESTION SECTION:
;large-referral.example.net. IN A
;; AUTHORITY SECTION:
;large-referral.example.net. 300 IN NS ns1.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns2.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns3.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns4.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns5.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns6.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns7.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns8.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns9.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns10.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns11.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns12.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns13.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns14.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns15.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns16.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns17.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns18.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns19.fake.redirect.com.
;large-referral.example.net. 300 IN NS ns20.fake.redirect.com.
```
This is not true anymore, as the NS are in a random order. Moreover,
commit `3c33e7d9370006b1599e3d99c0d5fa6a6dad7979` introduced the
randomization of the selection of the NS names to lookup, which make the
test potentially unreliable, as it now doesn't mean anything to check
the nameserver does not query `ns21.fake.redirect.com.`, as it could be
the first one, or in any position form the randomized list.
Another test has been added in commit
`c67b52684f11652b07afaa75a917f6f0355dbca6` which test both the
randomization of the NS name to be looked up, as well as the upper bound
limit of NS name lookup to be done.
For all those reasons, this specific legacy check is now removed.
Evan Hunt [Tue, 24 Mar 2026 20:24:58 +0000 (20:24 +0000)]
rem: usr: Remove -C option from dnssec-keygen and dnssec-keyfromlabel
The -C option, introduced in BIND 9.7, caused a backward-compatible
key to be generated, using private key format version 1.2, omitting the
creation date and other timing metadata. This made it possible to
generate keys that could be loaded by older versions of BIND.
Those older versions having reached end of life many years ago, the
option can now be removed, along with the `dnssec-settime -f` option,
which caused old-style keys to be upgraded.
Merge branch 'each-remove-keygen-compat' into 'main'
Evan Hunt [Sat, 10 Jan 2026 07:37:49 +0000 (23:37 -0800)]
remove -C option from dnssec-keygen and dnssec-keyfromlabel
The -C option, introduced in BIND 9.7, caused a backward-compatible
key to be generated, using private key format version 1.2, omitting the
creation date and other timing metadata. This made it possible to
generate keys that could be loaded by older versions of BIND.
Those older versions having reached end of life many years ago, the
option can now be removed, along with the "dnssec-settime -f" option,
which caused old-style keys to be upgraded.
Evan Hunt [Tue, 24 Mar 2026 00:14:10 +0000 (00:14 +0000)]
fix: dev: rpz_rrset_find() now recurses on ISC_R_NOTFOUND
Previously, `rpz_rrset_find()` behaved differently depending on whether
a cache lookup returned `DNS_R_DELEGATION` or `ISC_R_NOTFOUND`. The former
indicates the presence of a cached NS rrset, and the latter indicates
that the cache is cold or that all NS rrsets above the query name have
expired. Both results indicate that the caller should recurse, but
`rpz_rrset_find()` only recursed in the case of `DNS_R_DELEGATION`. This
has been fixed and the test updated to match.
Evan Hunt [Sun, 22 Mar 2026 03:28:24 +0000 (20:28 -0700)]
rpz_rrset_find() now recurses on ISC_R_NOTFOUND
previously, rpz_rrset_find() behaved differently depending on whether
a cache lookup returned DNS_R_DELEGATION or ISC_R_NOTFOUND. the former
indicates the presence of a cached NS rrset, and the latter indicates
that the cache is cold or that all NS rrsets above the query name have
expired. both results indicate that the caller should recurse, but
rpz_rrset_find() only recursed in the case of DNS_R_DELEGATION.
the nsip-wait-recurse and nsdname-wait-recurse test cases in the
rpzrecurse system test were dependent on this misbehavior. the test
server was configured with a lame delegation, so that recursion always
failed, but once the lame delegation was expired due to a zero TTL, the
cache returned ISC_R_NOTFOUND, which caused the recursion not to be
attempted. the test seemed to be observing a delay before recursion
succeeded, but it was actually observing a delay before recursion was
skipped. fixing this bug caused the test to fail.
the test server has now been reconfigured so that recursion succeeds
after a delay, instead of failing. now we're able to test that
we're waiting for the successful completion of recursion.
Ondřej Surý [Mon, 23 Mar 2026 11:10:49 +0000 (12:10 +0100)]
sec: usr: Fix crash when reconfiguring zone update policy during active updates
Fixed a crash that could occur when running rndc reconfig to change a zone's update policy (e.g., from allow-update to update-policy) while DNS UPDATE requests were being processed for that zone.
ISC would like to thank Vitaly Simonovich for bringing this issue to our attention.
Fixes #5817
Merge branch '5817-fix-crash-via-SSU-table-desynchronization' into 'main'
Ondřej Surý [Wed, 18 Mar 2026 03:09:50 +0000 (04:09 +0100)]
Add regression test for TOCTOU race in DNS UPDATE SSU handling
Race rndc reconfig (toggling between allow-update and update-policy)
against a stream of DNS UPDATEs for 5 seconds and verify that named
does not crash.
Before the fix, the race between send_update() and update_action()
reading the SSU table independently could trigger an assertion
failure (INSIST) when the zone's update policy changed between the
two reads.
Ondřej Surý [Wed, 18 Mar 2026 02:55:51 +0000 (03:55 +0100)]
Fix TOCTOU race in DNS UPDATE SSU table handling
Pass the SSU table through the update event struct from
send_update() to update_action() instead of reading it from the
zone twice. If rndc reconfig changed the zone's update policy
between the two reads (e.g., from allow-update to update-policy),
send_update() would skip the maxbytype allocation but
update_action() would see a non-NULL ssutable, triggering
INSIST(ssutable == NULL || maxbytype != NULL) and crashing named.
The ssutable reference is now taken once in send_update() and
transferred to update_action() via the event struct, ensuring
both functions see the same value.
Ondřej Surý [Mon, 23 Mar 2026 10:06:48 +0000 (11:06 +0100)]
new: dev: Add MOVE_OWNERSHIP() macro for transferring pointer ownership
A helper macro that returns the current value of a pointer and sets
it to NULL in one expression, useful for transferring ownership in
designated initializers.
Merge branch 'ondrej/TAKE_OWNERSHIP-macro' into 'main'
Ondřej Surý [Sat, 21 Mar 2026 14:35:34 +0000 (15:35 +0100)]
Replace SAVE/RESTORE/INITANDSAVE macros with MOVE_OWNERSHIP()
Replace the local SAVE(), RESTORE(), and INITANDSAVE() macros in
query.c with the project-wide MOVE_OWNERSHIP() macro. The new
form is clearer about the intent: ownership of a pointer is being
transferred from source to destination, with the source set to NULL.
SAVE and RESTORE were identical macros with different names used to
indicate the direction of transfer, but this distinction was purely
cosmetic. INITANDSAVE additionally set the destination to NULL
first, which is unnecessary because the preceding memcpy already
initialized all fields from the source struct.
Ondřej Surý [Fri, 20 Mar 2026 01:15:17 +0000 (02:15 +0100)]
Add MOVE_OWNERSHIP() macro for transferring pointer ownership
A helper macro that returns the current value of a pointer and sets
it to NULL in one expression, useful for transferring ownership in
designated initializers.
Ondřej Surý [Fri, 20 Mar 2026 16:18:04 +0000 (17:18 +0100)]
chg: dev: Fix cache flush ordering on NTA expiry
dns_view_flushnode() was called in the delete_expired() async
callback, which runs after the query that detected the NTA expiry.
This created a race: the query would proceed with stale cached data
from the NTA period before the flush had a chance to run, resulting
in transient SERVFAIL with EDE 22 (No Reachable Authority).
Move dns_view_flushnode() into dns_ntatable_covered() so the cache
is flushed synchronously when the expiry is detected, before the
query continues.
Also simplify the expiry comparison in delete_expired() to a direct
pointer comparison (nta == pval) instead of comparing expiry
timestamps.
Merge branch 'ondrej/refactor-nta-using-RCU-delete-order-fix' into 'main'
Ondřej Surý [Fri, 20 Mar 2026 13:29:57 +0000 (14:29 +0100)]
Fix cache flush ordering on NTA expiry
dns_view_flushnode() was called in the delete_expired() async
callback, which runs after the query that detected the NTA expiry.
This created a race: the query would proceed with stale cached data
from the NTA period before the flush had a chance to run, resulting
in transient SERVFAIL with EDE 22 (No Reachable Authority).
Move dns_view_flushnode() into dns_ntatable_covered() so the cache
is flushed synchronously when the expiry is detected, before the
query continues.
Also simplify the expiry comparison in delete_expired() to a direct
pointer comparison (nta == pval) instead of comparing expiry
timestamps.
Ondřej Surý [Fri, 20 Mar 2026 01:06:29 +0000 (02:06 +0100)]
fix: dev: Fix data race in server round-trip time tracking
The SRTT (Smoothed Round-Trip Time) update for remote servers was not
atomic — concurrent callers could each read the same value and one
update would be silently lost. Additionally, the aging decay applied
once per second could run multiple times if several threads entered the
function simultaneously.
Use compare-and-swap loops for the SRTT update and for the aging
timestamp to ensure no updates are lost.
Merge branch 'ondrej/fix-non-atomic-srtt-aging' into 'main'
Ondřej Surý [Thu, 19 Mar 2026 03:17:45 +0000 (04:17 +0100)]
Fix non-atomic read-modify-write on entry->srtt in adjustsrtt()
The SRTT update loaded the old value, computed a new one, and stored it
back as separate operations. Two concurrent callers could each read the
same old value and one update would be silently lost.
Use a CAS loop for the read-modify-write on entry->srtt. For the aging
path, also CAS on entry->lastage to prevent multiple threads from aging
the same entry in the same second.
Ondřej Surý [Thu, 19 Mar 2026 23:56:24 +0000 (00:56 +0100)]
fix: dev: Fix data race on fctx->vresult in validated()
Move the write to fctx->vresult after LOCK(&fctx->lock). The field was
being set before acquiring the lock, but dns_resolver_logfetch() reads
it under the same lock from another thread.
Merge branch 'ondrej/fix-data-race-on-fctx-result-in-validated' into 'main'
Ondřej Surý [Thu, 19 Mar 2026 02:42:08 +0000 (03:42 +0100)]
Fix data race on fctx->vresult in validated()
Move the write to fctx->vresult after LOCK(&fctx->lock). The field was
being set before acquiring the lock, but dns_resolver_logfetch() reads
it under the same lock from another thread.
Ondřej Surý [Thu, 19 Mar 2026 18:04:09 +0000 (19:04 +0100)]
fix: dev: Fix data race in glue cache RCU pointer publication
The liburcu rcu_cmpxchg_pointer() uses relaxed ordering on the CAS
failure path. When two threads race to publish a new pointer and one
loses the CAS, the returned pointer has no acquire semantics - reading
fields through it is a data race on weakly-ordered architectures.
Override rcu_cmpxchg_pointer() and rcu_xchg_pointer() to use
acquire/release ordering via standard __atomic builtins, which also
makes the operations natively visible to ThreadSanitizer.
Closes #5182
Merge branch '5182-fix-false-tsan-report-in-addglue' into 'main'
Ondřej Surý [Thu, 19 Mar 2026 06:30:24 +0000 (07:30 +0100)]
Fix data race in RCU pointer exchange operations
The liburcu rcu_cmpxchg_pointer() uses CMM_RELAXED ordering on the CAS
failure path. When a thread loses the CAS and gets another thread's
pointer back, reading fields through that pointer is a data race on
weakly-ordered architectures (ARM, POWER) because the failing load has
no acquire semantics.
Override rcu_cmpxchg_pointer() and rcu_xchg_pointer() to use standard
__atomic builtins with __ATOMIC_ACQ_REL (success) and __ATOMIC_ACQUIRE
(failure) ordering. This fixes the race on all architectures and is
natively visible to ThreadSanitizer.
Ondřej Surý [Tue, 17 Mar 2026 03:08:54 +0000 (04:08 +0100)]
Fix data race on nta->expiry
Use CMM_LOAD_SHARED/CMM_STORE_SHARED for nta->expiry, which is
written from the NTA's owning loop but read from any loop (validator,
rndc status, rndc nta -dump).
Also dispatch delete_expired to the NTA's owning loop rather than
the caller's loop.
Ondřej Surý [Sun, 15 Mar 2026 13:42:06 +0000 (14:42 +0100)]
Refactor NTA to use RCU instead of rwlock
Replace the ntatable rwlock with RCU read-side critical sections.
The QP multi trie already provides its own concurrency control for
reads and writes, making the rwlock redundant. NTA fields like
expiry are only accessed from the NTA's own event loop thread, so
no additional synchronization is needed.
The table shutdown is now deferred via call_rcu to ensure all
read-side critical sections have completed before iterating and
shutting down individual NTAs.
Ondřej Surý [Wed, 18 Mar 2026 23:56:31 +0000 (00:56 +0100)]
fix: usr: Fix NTA (Negative Trust Anchor) expiration issue
When a configured NTA for a name expired, any possibly cached
data for the name (with "insecure" DNSSEC validation result)
was not flushed from the resolver's cache. This has been fixed.
Closes #5747
Merge branch '5747-nta-expiry-cache-flush-bug-fix' into 'main'
Arаm Sаrgsyаn [Wed, 18 Mar 2026 17:04:31 +0000 (17:04 +0000)]
fix: dev: Take dns_dtenv_t reference before an async function call
A 'dns_dtenv_t' pointer is passed to an async function without taking
a reference first, which can potentially cause a use-after-free error.
Take a reference, then detach in the async function.
Closes #5820
Merge branch '5820-dns_dtenv-reference-bug-fix' into 'main'
Aram Sargsyan [Tue, 17 Mar 2026 11:23:22 +0000 (11:23 +0000)]
Take 'env' reference before async calling perform_reopen()
The 'env' pointer is passed to an async function without taking
a reference first, which can potentially cause a use-after-free
error. Take a reference, then detach in the async function.
Nicki Křížek [Wed, 18 Mar 2026 14:10:30 +0000 (15:10 +0100)]
chg: dev: Use underscore for system test names
Change the convention for system test directory names to always use an
underscore rather than a hyphen. Names using underscore are valid python
package names and can be used with standard `import` facilities in
python, which allows easier code reuse.
Merge branch 'nicki/system-test-dir-underscore-names' into 'main'
Nicki Křížek [Tue, 17 Mar 2026 16:18:48 +0000 (17:18 +0100)]
Rename all system test to use underscore
All system tests previously using a hyphen have been renamed to use
underscore instead. A couple of symlinks were corrected and one path in
`nsec3-answer` adjusted accordingly.
Nicki Křížek [Tue, 17 Mar 2026 16:08:15 +0000 (17:08 +0100)]
Use underscore for system test names
Change the convention for system test directory names to always use an
underscore rather than a hyphen. Names using underscore are valid python
package names and can be used with standard `import` facilities in
python, which allows easier code reuse.
The temporary directories for test execution and their convenience
symlinks have been switched to using hyphens rather than underscores to
keep the pytest collection, filtering and .gitignore working as
expected.
Ondřej Surý [Wed, 18 Mar 2026 10:39:16 +0000 (11:39 +0100)]
fix: dev: Fix isc_buffer_init capacity mismatch in DoH data chunk callback
isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated. This makes the buffer
believe it has more space than actually allocated. A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.
Pass h2->content_length as the capacity to match the allocation.
Merge branch 'ondrej/fix-isc_buffer_init-capacity-mismatch-in-DoH' into 'main'
Ondřej Surý [Wed, 11 Mar 2026 12:17:45 +0000 (13:17 +0100)]
Fix isc_buffer_init capacity mismatch in DoH data chunk callback
isc_buffer_init() is given MAX_DNS_MESSAGE_SIZE (65535) as capacity but
only h2->content_length bytes are allocated. This makes the buffer
believe it has more space than actually allocated. A secondary bounds
check (new_bufsize <= h2->content_length) prevents actual overflow, but
the buffer invariant is violated.
Pass h2->content_length as the capacity to match the allocation.
Ondřej Surý [Wed, 18 Mar 2026 10:37:31 +0000 (11:37 +0100)]
rem: usr: Remove NZF file support in favor of NZD (New Zone Database)
The NZF (New Zone File) backend for storing rndc addzone configurations
has been removed; LMDB-based NZD is now the only storage backend and
LMDB is now a required build dependency.
Existing NZF files are automatically migrated to NZD on startup, so no manual
intervention is required when upgrading.
Merge branch 'ondrej/drop-nzf-support' into 'main'
Ondřej Surý [Sun, 15 Mar 2026 04:05:09 +0000 (05:05 +0100)]
Split NZD functions into a separate compilation unit
Move all LMDB-based new zone database functions from server.c into
nzd.c to reduce the size of server.c and isolate the NZD/LMDB
interface. Rename load_nzf() to nzd_load_nzf() to match the nzd_
namespace.
Ondřej Surý [Sun, 15 Mar 2026 03:42:45 +0000 (04:42 +0100)]
Remove dead NZF writer parameter and simplify newzone locking
Now that NZF write support is gone, remove the unused nzfwriter_t
typedef and nzfwriter parameter from delete_zoneconf(). Remove the
bool locked parameter and simplify the locking in do_modzone() and
rmzone() to unconditional lock/unlock pairs.
Ondřej Surý [Sun, 15 Mar 2026 03:25:12 +0000 (04:25 +0100)]
Remove NZF support, make LMDB required for new zone storage
Drop the NZF (New Zone File) fallback for persisting runtime zone
configurations, making LMDB (NZD) the only storage backend. This
removes all #ifdef HAVE_LMDB conditionals, the meson 'lmdb' option,
and the NZF-related functions. LMDB is now a mandatory build
dependency.
Ondřej Surý [Tue, 17 Mar 2026 15:40:29 +0000 (16:40 +0100)]
fix: usr: Fix potential resource during resolver error handling
Under specific error conditions during query processing, resources were not
being properly released, which could eventually lead to unnecessary memory
consumption for the server. The a potential resource leak in the resolver
has been fixed.
Merge branch 'ondrej/fix-pthread-primitives-usage' into 'main'
Ondřej Surý [Tue, 10 Mar 2026 10:30:54 +0000 (11:30 +0100)]
Fix missing mutex destroy and ede invalidate on fctx_create() error paths
The error cleanup in fctx_create() was missing isc_mutex_destroy() and
dns_ede_invalidate() calls. When error paths (cleanup_nameservers,
cleanup_fcount, cleanup_qmessage, cleanup_adb) were taken after the
mutex and edectx were initialized, the fctx memory was freed without
properly destroying these resources first.
Mark Andrews [Wed, 4 Mar 2026 06:51:09 +0000 (17:51 +1100)]
Clear errno before calling strtol
The previous code was incorrectly clearing errno after calling
strtol but before testing the result rather than clearing it and
then calling strtol so that changes to errno can be correctly
determined.
We return DNS_R_NOVALIDSIG if we detected a deadlock. Then in
'validate_async_done()', this result value is used to check if we
need to fall back to insecure. As part of that we create a new fetch
but that fails because of the detected deadlock. This results in a loop
of deadlock detected, fallback to insecure, deadlock detected, ...
Add a new result value, ISC_R_DEADLOCK, and return this instead when
we have detected a deadlock. This will be treated as a generic error,
as there is no special handling for this result value.
Ondřej Surý [Mon, 16 Mar 2026 11:17:16 +0000 (12:17 +0100)]
chg: nil: Cleanup the duplicate logic and comments around add into NSEC tree
After merging the NORMAL, NSEC and NSEC3 tree into single QP tree, there were some comments still speaking about auxiliary NSEC tree. These were cleaned up and the logic when we pass the qp tree (write transaction) to qpzone_addrdataset_inner() was changed to be more obvious that this is needed only when we are adding NSEC records.
Merge branch 'ondrej/additional-cleanups-around-NSEC-namespace' into 'main'
Ondřej Surý [Sat, 31 Jan 2026 06:32:08 +0000 (07:32 +0100)]
Cleanup weird syntax defining struct dns_ixfr
The struct dns_ixfr was defined as part of struct dns_xfrin, probably
because at some point it was an anonymous struct and then it was changed
to named struct with typedef at the top. Move the definition from
struct dns_xfrin into and fold into the typedef ... dns_ixfr_t.
Ondřej Surý [Sat, 31 Jan 2026 06:24:49 +0000 (07:24 +0100)]
Cleanup the duplicate logic and comments around add into NSEC tree
After merging the NORMAL, NSEC and NSEC3 tree into single QP tree, there
were some comments still speaking about auxiliary NSEC tree. These were
cleaned up and the logic when we pass the qp tree (write transaction) to
qpzone_addrdataset_inner() was changed to be more obvious that this is
needed only when we are adding NSEC records.
Colin Vidal [Mon, 16 Mar 2026 10:36:25 +0000 (11:36 +0100)]
chg: dev: Exclude named.args.j2 and system test README files from license header checks
Exclude named.args.j2 files from license header checks so named.args can
be generated from Jinja templates. Also exclude system test README files
from the license header checks.
Ondřej Surý [Mon, 16 Mar 2026 10:06:28 +0000 (11:06 +0100)]
fix: dev: Fix use-after-free in xfrin_recv_done
Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.
Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object. Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference. Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.
Closes #5786
Merge branch '5786-fix-dtrace-after-free' into 'main'
Ondřej Surý [Wed, 4 Mar 2026 16:08:50 +0000 (17:08 +0100)]
Fix use-after-free in xfrin_recv_done
Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.
Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object. Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference. Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.
Arаm Sаrgsyаn [Mon, 16 Mar 2026 10:01:32 +0000 (10:01 +0000)]
fix: dev: Fix OpenSSL 4 compatibility issue when calling X509_get_subject_name()
Starting from OpenSSL 4 the the X509_get_subject_name() function
returns a 'const' pointer to a name instead of a regular pointer.
Duplicate the name before operating on it, then free it.
Closes #5807
Merge branch '5807-openssl-4-X509_get_subject_name-compat-fix' into 'main'
Aram Sargsyan [Thu, 12 Mar 2026 13:10:38 +0000 (13:10 +0000)]
OpenSSL 4 compatibility fix
Starting from OpenSSL 4 the the X509_get_subject_name() function
returns a 'const' pointer to a name instead of a regular pointer.
Duplicate the name before operating on it, then free it.
projects / thirdparty / bind9.git / log
