Matthijs Mekking [Mon, 22 Jun 2026 13:31:20 +0000 (15:31 +0200)]
Small update to patch
../lib/dns/rdataslab.c
../lib/dns/rdataslab.c:168:3: error: expression result unused; should this cast be to 'void'? [-Werror,-Wunused-value]
168 | (void *)newslab(rdataset, mctx, region, 0, buflen);
|
Add dnssec_py/tests_sibling_ds: reject DS for sibling zones in referrals
Add a system test that verifies the resolver rejects DS records whose
owner name does not match the delegation (NS) name in a referral
response.
A custom authoritative server (ans4) serves the parent zone sibling-ds.
from zone file with delegations for child and sibling subzones. Its
DomainHandler injects a DS record for sibling.sibling-ds into referrals
for child.sibling-ds. The resolver must detect the mismatch, log "DS
doesn't match referral (NS)", and return SERVFAIL.
Evan Hunt [Wed, 24 Jun 2026 21:04:20 +0000 (21:04 +0000)]
fix: usr: Check that an NSEC signer is at or above the name to be validated
Add a check that an NSEC record being used as a proof of nonexistence
for a given name is not signed by a name lower in the DNS hierarchy than
the one in question.
Closes #5876
Merge branch '5876-nsec-signer-above-name' into 'main'
Evan Hunt [Sat, 23 May 2026 04:04:03 +0000 (21:04 -0700)]
Check that an NSEC signer is at or above the name to be validated
Add a check that an NSEC record being used as a proof of nonexistence
for a given name is not signed by a name lower in the DNS hierarchy than
the one in question.
Colin Vidal [Wed, 24 Jun 2026 20:31:27 +0000 (22:31 +0200)]
fix: test: Fix RRL test random failure
RRL test were randomly failing because `ns2` hint files uses
```
. NS ns1.
ns1. A 10.53.0.1
```
Whereas `ns1` root zone didn't contains `ns1.` as NS (but only `ns.`).
This is a problem with the following scenario:
- A query starts before priming;
- It gets the root hints as zonecut (with `. NS ns1.`, and no glues, this
is how parent-centric currently works);
- Priming starts and complete (so now rootdb contains the answer/glues
from `ns1` root file);
- Then the query go to ADB to resolve `ns1.`.
Resolution of `ns1.` fails since it doesn't exists from the rootdb
anymore. This is a configuration issue (the resolver behavior is correct
and expected) whch is now fixed.
Colin Vidal [Wed, 24 Jun 2026 16:52:41 +0000 (18:52 +0200)]
Fix RRL random failure
RRL test were randomly failing because `ns2` hint files uses
```
. NS ns1.
ns1. A 10.53.0.1
```
Whereas `ns1` root zone didn't contains `ns1.` as NS (but only `ns.`).
This is a problem with the following scenario:
- A query starts before priming;
- It gets the root hints as zonecut (with `. NS ns1.`, and no glues, this
is how parent-centric currently works);
- Priming starts and complete (so now rootdb contains the answer/glues
from `ns1` root file);
- Then the query go to ADB to resolve `ns1.`.
Resolution of `ns1.` fails since it doesn't exists from the rootdb
anymore. This is a configuration issue (the resolver behavior is correct
and expected) whch is now fixed.
Michal Nowak [Thu, 11 Jun 2026 11:39:14 +0000 (11:39 +0000)]
Fix a false positive compiler warning/error on Alpine 3.24
On Alpine Linux 3.24, GCC 15 with fortify-headers produces a compiler
warning when building bin/nsupdate/nsupdate.c:
In function 'fgets',
inlined from 'get_next_command' at ../bin/nsupdate/nsupdate.c:2414:13:
/usr/include/fortify/stdio.h:48:16: error: 'cmdlinebuf' may be used uninitialized [-Werror=maybe-uninitialized]
48 | return __orig_fgets(__s, __n, __f);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/fortify/stdio.h:42:1: note: in a call to '*fgets' declared with attribute 'access (read_write, 1, 2)' here
42 | _FORTIFY_FN(fgets) char *fgets(char * _FORTIFY_POS0 __s, int __n, FILE *__f)
| ^~~~~~~~~~~
../bin/nsupdate/nsupdate.c:2405:14: note: 'cmdlinebuf' declared here
2405 | char cmdlinebuf[MAXCMD];
| ^~~~~~~~~~
This is a false positive, because fgets() only writes into the buffer;
the fortify-headers wrapper annotates the buffer argument with
'access (read_write, ...)', which makes GCC treat passing an
uninitialized buffer as a read of uninitialized memory.
Initialize the 'cmdlinebuf' buffer anyway to avoid the build error.
Michal Nowak [Wed, 24 Jun 2026 15:16:14 +0000 (17:16 +0200)]
fix: test: Retry pipequeries on a transient EADDRINUSE in the pipelined test
On FreeBSD, the TCP connect() call can transiently fail with
EADDRINUSE under parallel CI load. The netmgr already retries such
connects (see #3451), but it retries on the same socket, which is
already bound to the same ephemeral source port, so when the
four-tuple is genuinely busy (e.g. in TIME_WAIT) every retry fails
the same way. pipequeries then exits with "request event result:
address in use", leaving raw.1 empty and failing the first check.
All eight requests share a single TCP dispatch, so the failed connect
means no query ever reached ns4 and its cache is still cold. It is
therefore safe to run pipequeries again: a fresh process binds a new
ephemeral port, and the out-of-order check keeps its meaning. Retry
for up to ten attempts, but only on this specific transient error.
Assisted-by: Claude Code:claude-fable-5
Merge branch 'mnowak/pipelined-retry-transient-eaddrinuse' into 'main'
Michal Nowak [Thu, 11 Jun 2026 08:32:13 +0000 (08:32 +0000)]
Retry pipequeries on a transient EADDRINUSE in the pipelined test
On FreeBSD, the TCP connect() call can transiently fail with
EADDRINUSE under parallel CI load. The netmgr already retries such
connects (see #3451), but it retries on the same socket, which is
already bound to the same ephemeral source port, so when the
four-tuple is genuinely busy (e.g. in TIME_WAIT) every retry fails
the same way. pipequeries then exits with "request event result:
address in use", leaving raw.1 empty and failing the first check.
All eight requests share a single TCP dispatch, so the failed connect
means no query ever reached ns4 and its cache is still cold. It is
therefore safe to run pipequeries again: a fresh process binds a new
ephemeral port, and the out-of-order check keeps its meaning. Retry
for up to ten attempts, but only on this specific transient error.
Michal Nowak [Wed, 24 Jun 2026 15:06:30 +0000 (17:06 +0200)]
new: dev: Print OS platform in "named -V"
The "running on" line emitted by `named -V` (as well as the startup
log and `rndc status`, which share the same source) now appends the
PRETTY_NAME value from /etc/os-release in parentheses after the uname
output, e.g.:
running on Linux x86_64 6.19.14-... (Fedora Linux 42 (Workstation Edition))
This helps disambiguate environments where the kernel string is not a
reliable indicator of the userspace, such as RHEL clones and
containers whose kernel does not match the host OS.
When /etc/os-release is absent, /usr/lib/os-release is tried as a
fallback per the systemd os-release(5) specification. When neither is
available or no PRETTY_NAME is found, the output is unchanged.
Assisted-by: Claude:claude-opus-4-7
Closes #5334
Merge branch '5334-add-os-platform-to-named-V' into 'main'
Michal Nowak [Tue, 19 May 2026 16:09:36 +0000 (16:09 +0000)]
Print OS platform in "named -V"
The "running on" line emitted by `named -V` (as well as the startup
log and `rndc status`, which share the same source) now appends the
PRETTY_NAME value from /etc/os-release in parentheses after the uname
output, e.g.:
running on Linux x86_64 6.19.14-... (Fedora Linux 42 (Workstation Edition))
This helps disambiguate environments where the kernel string is not a
reliable indicator of the userspace, such as RHEL clones and
containers whose kernel does not match the host OS.
When /etc/os-release is absent, /usr/lib/os-release is tried as a
fallback per the systemd os-release(5) specification. When neither is
available or no PRETTY_NAME is found, the output is unchanged.
The test verifies that a validating resolver enforces the
max-validations-per-fetch limit when encountering a record with multiple
expired RRSIGs followed by a valid one. One of the records is signed
three times: twice with expired timestamps (to produce two expired
RRSIGs for a.rrsigs-extra-expired/A) and once with valid timestamps,
after which the expired RRSIGs are injected back into the signed zone
file. max-validations-per-fetch is set to 2 via the template variable so
that the third (valid) RRSIG is never reached, causing SERVFAIL.
Ondřej Surý [Wed, 24 Jun 2026 11:52:58 +0000 (13:52 +0200)]
fix: usr: Stop reusing outgoing TCP connections the peer has already closed
``named`` could hand a new query an idle forwarder/upstream TCP or TLS
connection that the peer had already closed, causing the query to fail
(and CLOSE-WAIT sockets to pile up). Idle reused connections are now
watched, so a close is noticed and the connection is dropped instead of
reused. A new ``tcp-reuse-timeout`` option controls how long an idle
outgoing connection is kept open for reuse (default 5 seconds).
Closes #6171
Merge branch '6171-tcp-reuse-idle-read' into 'main'
Ondřej Surý [Sun, 21 Jun 2026 18:20:35 +0000 (20:20 +0200)]
Add the tcp-reuse-timeout option
The idle timeout that bounds how long a reused outgoing TCP/TLS
connection is held open for reuse was only tunable through the 'named -T
tcpidletimeout' developer hook added earlier on this branch. Make it a
proper configuration option, tcp-reuse-timeout (options block, in units
of 100 milliseconds like the other tcp-*-timeout options), and drop the
-T hook.
Ondřej Surý [Sun, 21 Jun 2026 07:24:14 +0000 (09:24 +0200)]
Keep idle reused outgoing TCP connections under read
A reused TCP/TLS dispatch with no outstanding responses was left in the
reuse pool with no read pending, so a peer closing the idle connection
went unnoticed: the socket lingered in CLOSE-WAIT and the dead dispatch
was later handed to a new query, which failed and the fetch timed out.
Keep a read pending on an idle connected dispatch, bounded by an idle
timeout, so the close is seen promptly and the connection is dropped
from the pool instead of reused.
The idle read may only be (re)armed while the dispatch is still
connected; arming it on a dispatch that is already shutting down
re-reads a dying handle and double-schedules a netmgr job.
On shutdown, close the connection as soon as the dispatch reaches its
terminal state instead of waiting for the last reference to drop, so an
unexpected read (or a peer-side close) cannot leave the socket in
CLOSE-WAIT while a reference still lingers.
Michał Kępień [Wed, 24 Jun 2026 11:33:57 +0000 (13:33 +0200)]
rem: ci: Drop Danger check related to pre-release testing
With the advent of the new development model involving security-*
branches and autorebasing, the value added by the pre-release testing
mechanism dropped drastically. The only remaining benefit of
pre-release testing is flagging in-progress security fixes targeting
open source branches that conflict with the corresponding bind-9.x-sub
branches. However, such conflicts are a rare occurrence and can be
handled after merging anyway.
Remove the Danger check related to pre-release testing.
Merge branch 'michal/drop-danger-check-related-to-pre-release-testing' into 'main'
Michał Kępień [Wed, 24 Jun 2026 11:25:27 +0000 (13:25 +0200)]
Drop Danger check related to pre-release testing
With the advent of the new development model involving security-*
branches and autorebasing, the value added by the pre-release testing
mechanism dropped drastically. The only remaining benefit of
pre-release testing is flagging in-progress security fixes targeting
open source branches that conflict with the corresponding bind-9.x-sub
branches. However, such conflicts are a rare occurrence and can be
handled after merging anyway.
Remove the Danger check related to pre-release testing.
Andoni Duarte [Wed, 24 Jun 2026 10:33:10 +0000 (10:33 +0000)]
fix: ci: Use resource-group for RPM-related CI jobs
RPM build jobs work by pushing a commits to main in a repository. Each
repository is identified by the `SERVICE variable and, since race
conditions may happen, the jobs are run serially via GitLab's
resource_group mechanism.
Merge branch 'andoni/use-resource-group-for-rpms-copr-ci-job' into 'main'
RPM build jobs push commits to Git repositories. If multiple such jobs
are triggered simultaneously, some of these pushes may fail due to the
same Git branch getting updated by one job while another one attempts to
do the same thing in parallel. Use GitLab's resource group mechanism to
prevent such races: group jobs by the Git repository they push to, which
is indicated by the $SERVICE variable set for each job.
Ondřej Surý [Wed, 24 Jun 2026 10:18:30 +0000 (12:18 +0200)]
fix: usr: Truncated reply to a TSIG query no longer stalls the resolver
When an upstream server returned a truncated reply to a query that BIND had
signed with TSIG, the resolver could keep waiting for a follow-up UDP packet
that never arrived, so the query stalled until it hit resolver-query-timeout
and the client received no answer. BIND now treats any reply it cannot
authenticate as an immediate failure and returns SERVFAIL right away as a
defense in depth.
Closes #6028
Merge branch '6028-tsig-truncated-tsig-response' into 'main'
Ondřej Surý [Mon, 22 Jun 2026 11:29:58 +0000 (13:29 +0200)]
Fail the fetch when a response fails the TSIG signature check
A response that failed the signature check with a missing or unexpected
TSIG used to set nextitem, so the resolver kept reading the dispatch for
another response. When the response was truncated with the TSIG cut off
the end of the wire, no further response ever arrived and the fetch
stalled until resolver-query-timeout.
Treat an unauthenticated response like every other signature-check
failure and finish the fetch immediately. A response carrying a missing
or bogus TSIG now yields SERVFAIL instead of being skipped in favour of
a later one; the cookie system test that fed a spoofed TSIG response is
updated to expect that. The unauthenticated data is still never
returned.
Michal Nowak [Wed, 24 Jun 2026 09:30:59 +0000 (11:30 +0200)]
fix: dev: Avoid writing through a const pointer in render_xsl()
render_xsl() served the static XSL stylesheet by casting away the const
qualifier of xslmsg and handing the pointer to isc_buffer_reinit():
p = UNCONST(xslmsg);
isc_buffer_reinit(b, p, strlen(xslmsg));
isc_buffer_reinit() copies any pre-existing buffer content into the new
base with memmove(), so the call would write into xslmsg, which is a
'const char[]' living in read-only memory. This is safe today only
because the supplied bodybuffer is always freshly initialized with
length 0, so the memmove() never runs -- a fragile, action-at-a-distance
invariant that GCC's -fanalyzer flags as a write to a const object
(-Wanalyzer-write-to-const).
Use isc_buffer_constinit(), the primitive intended for pointing a buffer
at constant data: it goes through isc_buffer_init() and never writes to
the base. This drops the UNCONST cast, keeps xslmsg in read-only
memory, and silences the analyzer warning.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'mnowak/render-xsl-const-buffer' into 'main'
Michal Nowak [Tue, 2 Jun 2026 17:27:16 +0000 (17:27 +0000)]
Avoid writing through a const pointer in render_xsl()
render_xsl() cast away the const of the static xslmsg stylesheet and
passed it to isc_buffer_reinit(), which memmove()s into the base when
the buffer is non-empty -- a write to read-only memory that -fanalyzer
flags (-Wanalyzer-write-to-const). It only stayed safe because the
body buffer is always empty here.
Use isc_buffer_constinit(), which never writes to the base, and assert
the empty-buffer contract with REQUIRE(isc_buffer_length(b) == 0).
Michał Kępień [Wed, 24 Jun 2026 08:04:06 +0000 (10:04 +0200)]
Send Zulip notifications for autorebase failures
Use the GitLab-to-Zulip username map available in the BIND 9 QA
repository to determine the Zulip username of the developer who happened
to author a breaking base branch change, so that a Zulip notification
can be triggered for that developer.
Michał Kępień [Wed, 24 Jun 2026 08:04:06 +0000 (10:04 +0200)]
Fix formatting of autorebase failure notifications
Using a plain "echo" command does not turn "\n" into newline
characters, breaking the formatting of the Zulip notifications sent upon
autorebase failures. Fix by using "echo -e" instead, which enables
interpreting backslash sequences in the provided input.
Michał Kępień [Wed, 24 Jun 2026 08:04:06 +0000 (10:04 +0200)]
Remove the "autorebase-merge-request" CI job
The "autorebase-merge-request" CI job is not useful in practice as the
Danger check whose complaints it was supposed to address does not look
for commit hashes in the original merge request's target branch, but
rather in the original merge request itself - and those commit hashes
remain stable over time. Furthermore, after a backport gets merged, any
cherry-pick references its commits might contain will be maintained by
other autorebasing jobs. Given the above, remove the
"autorebase-merge-request" CI job as it serves no useful purpose.
Ondřej Surý [Wed, 24 Jun 2026 04:53:34 +0000 (06:53 +0200)]
fix: dev: Don't serve a stale CNAME or record when fresh data of the other exists
When a cached name held both a CNAME and records of another type — one stale,
the other still fresh — named with serve-stale could return the expired set
instead of the fresh one, in either direction. It now prefers whichever is fresh.
Merge branch 'ondrej/fix-serve_stale-cname-and-type' into 'main'
Ondřej Surý [Thu, 18 Jun 2026 21:26:12 +0000 (23:26 +0200)]
Don't stop qpcache_find on a stale header while fresh data remains
With serve-stale enabled, stale rdataset headers are kept at a node so
they can be served as a last resort. The find loop, however, accepted a
stale CNAME or stale record of the requested type as a final answer and
broke out of the iteration early, returning stale data even when a fresh
header for the same name appeared later in the scan. Treat STALE(found)
like a missing answer so the loop keeps looking and only falls back to
the stale header when no fresh answer is found.
Arаm Sаrgsyаn [Mon, 22 Jun 2026 20:56:07 +0000 (20:56 +0000)]
fix: usr: Fix a bug in DNS UPDATE processing with inline-signing enabled
In rare cases the :iscman:`named` process could terminate unexpectedly
when processing authorized DNS UPDATE messages in quick procession
which are updating a zone with inline-signing enabled. This has been
fixed.
Closes #5816
Merge branch '5816-inline-signing-concurrent-update-fix' into 'main'
Aram Sargsyan [Thu, 7 May 2026 23:24:22 +0000 (23:24 +0000)]
Fix memory leak bug during zone shutdown
The dns_update_signaturesinc() updates zone signatures in chunks,
keeping its current state in 'zone->rss_state'. When a zone shuts
down, the signature update process is canceled, and all the data
in the state is not freed.
Create a new dns_update_state_clear() function which can be called
from dns_zone_free() to free the memory.
When a DNS UPDATE messages is received, the zone_send_secureserial()
function can schedule a new receive_secure_serial() call with a new
'rss' object before a previous one had a chance to be fully processed.
This can cause an assertion failure in receive_secure_serial() with a
new 'rss' object (when the old one was rescheduled because it got
DNS_R_CONTINUE from dns_update_signaturesinc()). In other words:
1. receive_secure_serial() called with rss, sets zone->rss = rss,
reschedules because of DNS_R_CONTINUE
2. receive_secure_serial() called with rss_new, INSIST fails because
zone->rss != rss_new), i.e. this was called before the old 'rss'
was fully processed
Change the code logic by introducing a new 'rss_next' field and making
sure the old 'rss' is complete before starting processing the new
one.
Aram Sargsyan [Thu, 7 May 2026 11:44:44 +0000 (11:44 +0000)]
Add a new check in "inline" system test
This new check floods the server with DNS UPDATE messages for an
'inline-signing yes; sig-signing-signatures 1;' zone to see if
it manages to process the updates correctly.
Ondřej Surý [Mon, 22 Jun 2026 13:05:10 +0000 (15:05 +0200)]
chg: dev: Reference count and flatten the cache slabheader storage
Internal refactoring of the cache database (qpcache) with no functional
change. The slab headers that hold cached rdatasets are now reference
counted and own their memory context and node reference directly, so a
header can outlive the cleaning of its node and be reclaimed
independently of it. Building on that, the per-type slabtop container is
folded into the slab header itself, removing a level of indirection and
one allocation per cached type.
Merge branch 'ondrej/slabheader-reference-counting' into 'main'
Ondřej Surý [Sat, 20 Jun 2026 07:33:55 +0000 (09:33 +0200)]
Keep in-flight cache headers safe from LRU eviction during add
When the cache is over its size limit, qpcache_miss() runs LRU eviction
while add() is still in progress. Eviction removes a header together
with its RRSIG/covered 'related' partner, so it could free a header the
add still needs -- the new header, the partner it was just paired with,
or the one about to be displaced for max-types-per-name. With 'related'
now a counted reference, that became a use-after-free reachable under
sustained load.
Run the eviction last, after the new header is linked, bound and any
over-limit header removed, and skip the new header and its partner in
the eviction loop (the partner is marked visited so the SIEVE hand still
advances). Per-header removal is factored into header_delete(),
expire_header() and flush_node().
Ondřej Surý [Fri, 19 Jun 2026 13:43:42 +0000 (15:43 +0200)]
Remove the ANCIENT slabheader attribute and statistics counter
Cache headers are now unlinked from their node as soon as they expire,
so a slabheader is never left in the "ancient, awaiting cleanup" state
that DNS_SLABHEADERATTR_ANCIENT tracked. Drop the attribute, rename
mark_ancient() to header_delete() to reflect that it now removes the
header rather than flagging it (keying idempotency on list membership),
and remove the ancient RRset statistics counter that recorded the state,
which is now always zero; the rdataset statistics array shrinks to
match.
The rdataset-level 'ancient' flag and 'rndc dumpdb -expired' are
unaffected: expiry is derived from the entry's TTL when the rdataset is
bound, not from the slabheader attribute.
Ondřej Surý [Fri, 19 Jun 2026 09:09:00 +0000 (11:09 +0200)]
Factor the header/RRSIG extraction out of the find paths
qpcache_find, qpcache_findrdataset, and find_headers each repeated the
same logic to pick a header and its RRSIG out of a slabheader and its
'related' link. Pull it into store_headers(), and rename check_header()
to invalid_header() since it returns true when the header should be
skipped.
Ondřej Surý [Fri, 19 Jun 2026 07:39:20 +0000 (09:39 +0200)]
Squash dns_slabtop into dns_slabheader
With headers removed eagerly in mark_ancient there is at most one header
per type at a node, so the separate per-type dns_slabtop container no
longer earns its keep. Fold its fields onto the header -- the link into
the node's list, the RRSIG/covered related pairing, and the SIEVE-LRU
state -- and link headers directly into the node, dropping a level of
indirection and an allocation per cached type.
Ondřej Surý [Thu, 18 Jun 2026 16:39:08 +0000 (18:39 +0200)]
Remove cache headers and empty slabtops eagerly in mark_ancient
Now that a bound rdataset keeps references to both the slabheader and
the node, an ancient header (and the slabtop it leaves empty) can be
removed from the cache immediately in mark_ancient, instead of being
parked on a per-node dirty list and reclaimed only once the node becomes
unreferenced. This drops the dirty list and the clean_cache_* machinery
entirely.
Because the cache structure can now change under a node that still has
external references, the all-rdatasets iterator no longer walks the live
slabtop list: allrdatasets() binds every matching rdataset up front and
the iterator works from that snapshot, cloning out each entry.
Ondřej Surý [Thu, 18 Jun 2026 15:15:32 +0000 (17:15 +0200)]
Free the slabheader proofs in its destructor
Now that the slabheader carries its own memory context, free its
noqname/closest proofs from slabheader_destroy rather than reaching
through the owning node's deletedata method. That was the method's last
caller, so remove dns_db_deletedata entirely; the cache bookkeeping it
performed (rrset statistics and the dirty list) becomes a plain helper
called wherever a header leaves the cache.
Ondřej Surý [Thu, 18 Jun 2026 14:51:28 +0000 (16:51 +0200)]
Store the bound node and slabheader reference on the rdataset
The bound rdataset now keeps its own node reference instead of reaching
it through the slabheader, and each slabheader carries its own memory
context so it can free itself once its reference count reaches zero.
The noqname/closest proof rdatasets are views into a slabheader's proof
slabs, so they now hold a reference to that slabheader too, keeping the
proof slab (and the cloned owner name): alive for as long as the proof
rdataset is. Keeping the node on the rdataset means node access stays
valid for the life of the rdataset, independent of the slabheader's own
node pointer.
Ondřej Surý [Thu, 18 Jun 2026 07:59:51 +0000 (09:59 +0200)]
Make the dns_slabheaders in the cache reference counted
Instead of only reference counting the enclosing qpcnode, add the
reference counting directly to the slabheaders. This will allow us to
simplify the data model, as the slabheaders reference is now incremented
when we bind the rdataset and decremented when we disassociate the
rdataset. This will allow us to remove the slabheader from the slabtop
directly instead of waiting for qpcnode to become completely
unreferenced.
Ondřej Surý [Thu, 18 Jun 2026 09:39:05 +0000 (11:39 +0200)]
Split the slabheader and slabheader_proof structures in rdataset
Follow the method split with a data split: give the proof
pseudo-rdataset its own member in the dns_rdataset union, carrying its
own node, instead of overloading the slab member. The proof methods
now read proof.raw/proof.node independently of the real
slab.raw/slab.noqname/slab.closest, so the two share no state and the
proof path is fully self-contained.
Ondřej Surý [Thu, 18 Jun 2026 09:23:37 +0000 (11:23 +0200)]
Split the slabheader and slabheader_proof methods
The noqname/closest proof pseudo-rdatasets share the slab data layout
but have a different lifecycle: they reference a bare proof slab owned
by the parent header and are torn down via dns_slabheader_freeproof(),
not the rdataset's own teardown. Give them a dedicated
dns_rdataslab_proof_rdatasetmethods table with their own
disassociate/clone so the proof path can diverge from the real
bound-rdataset path -- a prerequisite for reference counting the real
headers without it ever reaching the proof slabs.
Ondřej Surý [Thu, 18 Jun 2026 21:26:12 +0000 (23:26 +0200)]
Don't stop qpcache_find on a stale header while fresh data remains
With serve-stale enabled, stale rdataset headers are kept at a node so
they can be served as a last resort. The find loop, however, accepted a
stale CNAME or stale record of the requested type as a final answer and
broke out of the iteration early, returning stale data even when a fresh
header for the same name appeared later in the scan. Treat STALE(found)
like a missing answer so the loop keeps looking and only falls back to
the stale header when no fresh answer is found.
Aydın Mercan [Mon, 22 Jun 2026 07:05:02 +0000 (10:05 +0300)]
fix: usr: ignore 0-byte reads in the TCP read callback
Callbacks for libuv stream reads do not signal zero-length reads as a
failure signal but rather as EAGAIN/EWOULDBLOCK. This can trigger an
assertion when a zero-length read is pushed onto a PROXYv2 endpoint that
has not yet processed the headers as it expects a non-NULL region of
positive length.
Closes #6140
Merge branch '6140-proxyv2-assertion-on-zero-byte-read' into 'main'
Aydın Mercan [Thu, 11 Jun 2026 13:38:27 +0000 (16:38 +0300)]
ignore 0-byte reads in the TCP read callback
Callbacks for libuv stream reads do not signal zero-length reads as a
failure signal but rather as EAGAIN/EWOULDBLOCK. This can trigger an
assertion when a zero-length read is pushed onto a PROXYv2 endpoint that
has not yet processed the headers as it expects a non-NULL region of
positive length.
Nicki Křížek [Fri, 19 Jun 2026 11:50:58 +0000 (13:50 +0200)]
chg: ci: Raise respdiff third-party and recent-named disagreement thresholds
The third-party comparison is right at the 0.4 % threshold, making it
fail quite often. The current range of observed values ranges from
0.3-0.5 %. Raise the threshold to 0.5 %.
The recent-named comparison produces values ranging from 0.05 to 0.12 %,
but appears to be more sensitive to time of the day when the test runs.
Raise the threshold to 0.15 %.
Both results are stable within the specified ranges across the last
three releases in both main and bind-9.20 series.
Merge branch 'nicki/respdiff-threshold-bump' into 'main'
Nicki Křížek [Fri, 19 Jun 2026 11:09:42 +0000 (11:09 +0000)]
Raise respdiff third-party and recent-named disagreement thresholds
The third-party comparison is right at the 0.4 % threshold, making it
fail quite often. The current range of observed values ranges from
0.3-0.5 %. Raise the threshold to 0.5 %.
The recent-named comparison produces values ranging from 0.05 to 0.12 %,
but appears to be more sensitive to time of the day when the test runs.
Raise the threshold to 0.15 %.
Both results are stable within the specified ranges across the last
three releases in both main and bind-9.20 series.
Matthijs Mekking [Fri, 19 Jun 2026 09:07:10 +0000 (09:07 +0000)]
fix: usr: CDS/CDNSKEY records were not removed when re-configuring the server
When on an ``rndc reconfig`` the DNSSEC policy changes such that it changes the expected ``CDNSKEY`` and/or ``CDS`` records in the zone, the RRset should
be updated accordingly. This did not happen when removing digests from the configuration, or setting `cdnskey no;`. This has been fixed.
Closes #6166
Merge branch '6166-reconfig-delete-cds' into 'main'
Matthijs Mekking [Wed, 17 Jun 2026 15:34:42 +0000 (17:34 +0200)]
Remove CDs/CDNSKEY records on reconfig
When adding to dnssec-policy:
cdnskey no;
cds-digest-types { };
and then reconfig the server, named must remove existing CDS and CDNSKEY
records. Note this already worked when adding CDS digest, or setting
'cdnskey yes;', but not when digests were removed from the list, or
when setting 'cdnskey no;'.
Matthijs Mekking [Wed, 17 Jun 2026 15:29:51 +0000 (17:29 +0200)]
Add system test for reconfiguring CDS/CDNSKEY
When on an 'rndc reconfig' the DNSSEC policy changes such that it
changes the expected CDNSKEY/CDS records in the zone, the RRset should
be updated accordingly.
Add a test case where we reconfigure a zone with a policy such that
these records should be removed, and on a second reconfigure add
them back again.
Note the test deliberately adds a different CDS digest on the
second reconfigure.
Evan Hunt [Thu, 18 Jun 2026 18:40:03 +0000 (18:40 +0000)]
fix: dev: Update dnssec validation test to match new behavior
Some of the tests in `dnssec/tests_validation.py` worked by iterating through the response message looking for failure conditions, such as excessively high TTL values. In some cases, previous changes caused additional data not to be returned. Since there was nothing to iterate, the tests still "passed".
Tests that don't make sense anymore have been removed. Other tests that iterate through responses have been updated with checks to ensure that the responses actually do contain data.
Merge branch 'each-cleanup-validation-test' into 'main'
Evan Hunt [Wed, 17 Jun 2026 18:48:42 +0000 (11:48 -0700)]
update tests_validation.py test for new behavior
Some of the tests in in dnssec/tests_validation.py worked by iterating
through the response message looking for failure conditions, such as
excessively high TTL values. In some cases, previous changes caused
additional data not to be returned. Since there was nothing to
iterate, the tests still "passed".
Tests that don't make sense anymore have been removed. Other tests that
iterate through responses have been updated with checks to ensure that
the responses actually do contain data.
Evan Hunt [Wed, 17 Jun 2026 18:47:45 +0000 (11:47 -0700)]
add isctest.check functions for section empty or non-empty
expand on the isctest.check.empty_answer() function, adding
empty_authority(), empty_additional(), has_answer(), has_authority(),
and has_additional().
Evan Hunt [Thu, 18 Jun 2026 17:47:51 +0000 (17:47 +0000)]
fix: usr: Check wildcard signer and NOQNAME signer match
A positive wildcard answer, and the NSEC3 proof that the requested
name doesn't exist in the zone, must both be from the same zone.
Otherwise, an NSEC3 from an ancestor zone could be used to interfere
with validation.
We now retrieve the signer name from a wildcard response's signature.
An NSEC3 record cannot be used as a NOQNAME proof for the
wildcard unless it exactly matches the name one level above the NSEC3.
Closes #5971
Merge branch '5971-wildcard-noqname-mismatch' into 'main'
Evan Hunt [Tue, 16 Jun 2026 19:06:21 +0000 (12:06 -0700)]
Check wildcard signer and NOQNAME signer match
A positive wildcard answer, and the NSEC3 proof that the requested
name doesn't exist in the zone, must both be from the same zone.
Otherwise, an NSEC3 from an ancestor zone could be used to interfere
with validation.
We now retrieve the signer name from a wildcard response's signature.
An NSEC3 record cannot be used as a NOQNAME proof for the wildcard
unless it exactly matches the name one level above the NSEC3.
Alessio Podda [Tue, 16 Jun 2026 10:07:49 +0000 (12:07 +0200)]
Reject external referrals for forward zones
Apply the existing name_external() bailiwick check to NS RRsets
processed as referrals in rctx_authority_negative(), and enforce the
same check again in rctx_referral() before caching or following the
delegation.
This prevents a forward-first forwarder from installing a parent
zone-cut above the configured forward zone via an authority-section
NS RRset.
Andoni Duarte [Thu, 18 Jun 2026 11:29:23 +0000 (11:29 +0000)]
chg: ci: Migrate Mattermost notifications to Zulip in CI
Since internal communications are now Zulip based, CI jobs now target
Zulip instead of Mattermost. The `MATTERMOST_WEBHOOK_URL` environment
variable is no longer needed, scripts now use `ZULIP_SERVER_URL` and
`ZULIP_API_KEY`.
In order to harmonize Zulip messaging, `message_zulip.py` is used where
curl calls to the webhook were previously used.
Merge branch 'andoni/mattermost-to-zulip-migration' into 'main'
Migrate Mattermost notifications to Zulip in .gitlab-ci.yml
Since internal communications are now Zulip based, CI jobs now target
Zulip instead of Mattermost. The MATTERMOST_WEBHOOK_URL environment
variable is no longer needed, scripts now use ZULIP_SERVER_URL and
ZULIP_API_KEY.
In order to harmonize Zulip messaging, message_zulip.py is used where
curl calls to the webhook were previously used.
Colin Vidal [Thu, 18 Jun 2026 07:21:26 +0000 (09:21 +0200)]
fix: usr: Fix recursion loop in case of badly behaving forwarders
When forwarding DNS queries, the CD bit is cleared on the first query, and the CD bit is only used as a fallback if the first query fails. However, due to a logic bug this could lead to an unbounded loop re-sending the same message, until the maximum query count is hit. This has been fixed.
Closes #5804
Merge branch '5804-resend-loop-forwarder-cd' into 'main'
Colin Vidal [Wed, 8 Apr 2026 10:04:57 +0000 (12:04 +0200)]
Avoid resend loop when forwarder SERVFAILs with both CD=0 and CD=1
Commit `36cf1c6a5bf943ad718ddba9fbe6ea97810e3bc2` introduces the
`DNS_FETCHOPT_TRYCD` flag which enables, when sending a query to a
forwarder, the forwarder to validate the answer (CD=0). The crux is
that if for some reason the forwarder returns SERVFAIL, we can retry the
same query and disable the forwarder validation (CD=1) so the resolver
can attempt validation itself (or detect it's bogus).
The logic was to first set `DNS_FETCHOPT_TRYCD` to the query options but
not on the message (so CD=0), and, when getting a SERVFAIL answer, if
the option `DNS_FETCHOPT_TRYCD` was set, to also set it into the
message. However, there was no way to know if this was the first (or
second) query because the original message is discarded when getting the
answer. This can lead to an unbounded loop re-sending the same message
again and again (until the global query count stops it).
This is fixed by using two separate flags `DNS_FETCHOPT_TRYNOCD`, set on
the query options for the very first query, then, if it SERVFAIL,
check if `DNS_FETCHOPT_TRYNOCD` is set but `DNS_FETCHOPT_TRYCD` is not.
In this case, we know we're about to send the second query. If it also
fails, `DNS_FETCHOPT_TRYCD` will be set anyway, so there is no point
retrying. This breaks the unbounded loop.
OBSERVED BEHAVIOR
The malicious server receives tens of thousands of resend packets
within seconds. CPU usage of the named worker thread remains elevated
(50–100% of one core) until the default fetch timeout (~10 seconds)
terminates the request. Instrumentation during testing confirmed that
isc_counter_used(fctx->qc) remains constant (value 1) throughout the
entire resend loop.
Colin Vidal [Thu, 18 Jun 2026 06:48:29 +0000 (08:48 +0200)]
fix: usr: Cache glue only for enabled address families
When caching delegation NS data, only use A/AAAA glue records if the resolver has the corresponding IPv4/IPv6 dispatcher configured. If IPv4 or IPv6 is disabled, ignore glue for that family and fall back to caching the nameserver name if there is no glue from the other supported family.
Merge branch 'colin/glues-supported-stack' into 'main'
Colin Vidal [Wed, 22 Apr 2026 14:54:24 +0000 (16:54 +0200)]
Cache glue only for enabled address families
When caching delegation NS data, only use A/AAAA glue records if the
resolver has the corresponding IPv4/IPv6 dispatcher configured. If IPv4
or IPv6 is disabled, ignore glue for that family and fall back to
caching the nameserver name if there is no glue from the other supported
family.
The new `cache_delegns` system test is covering delegation NS caching
with dual-stack resolver, IPv4-only, IPv6-only configurations. It also
set up an authoritative sever with zones with A-only, AAAA-only, and
dual-stack glue, which are all queried, and checks the delegation
database dump to confirm that the cached delegation data correspond to
the resolver configuration.
Ondřej Surý [Thu, 18 Jun 2026 05:13:42 +0000 (07:13 +0200)]
fix: dev: Fix invalid pointer release in JSON statistics-channel response
Each response served on a JSON statistics endpoint released the wrong
pointer to the JSON library after the response was sent: the response
body string instead of the JSON document. With the current responses
this does not crash named in practice, but the call is incorrect and
can in principle corrupt memory. XML responses are not affected.
Closes #6024
Merge branch '6024-statschannel-json-response-invalid-free' into 'main'
Ondřej Surý [Thu, 21 May 2026 09:07:32 +0000 (11:07 +0200)]
Fix invalid free in statistics-channel JSON renderer
wrap_jsonfree() called json_object_put() on the response-body buffer
base, which is the JSON string returned by
json_object_to_json_string_ext(), not a struct json_object. The root
object is already passed in as the callback argument; release only
that.
Ondřej Surý [Thu, 21 May 2026 08:47:15 +0000 (10:47 +0200)]
Add regression test for statistics-channel JSON free bug
Hit every JSON statistics endpoint several times. The current code
calls json_object_put() on the response-body string pointer, which
doesn't crash just by accident - the memory position contains large
value from static string.
Ondřej Surý [Fri, 12 Jun 2026 13:43:16 +0000 (15:43 +0200)]
Re-apply the picohttpparser.c patch
This:
- makes sure all variables are initialized
- adds missing curly braces for single line statements
- use proper comment for fallthrough case statements
Michal Nowak [Mon, 1 Jun 2026 14:37:12 +0000 (16:37 +0200)]
Sync picohttpparser.c with upstream commit a875a01
Pull in upstream commit a875a01 from h2o/picohttpparser: enforce use of
CRLF in chunk headers, by rejecting bare CR / LF. Replaces the lenient
CHUNKED_IN_CHUNK_CRLF state with strict CHUNKED_IN_CHUNK_HEADER_EXPECT_LF,
CHUNKED_IN_CHUNK_DATA_EXPECT_CR and CHUNKED_IN_CHUNK_DATA_EXPECT_LF states.
Ondřej Surý [Wed, 17 Jun 2026 20:30:13 +0000 (22:30 +0200)]
fix: nil: Allocate work threads from their owning loop's memory context
The per-loop worker threads allocated their state from the loop manager's
memory context instead of the per-loop context that owns them. Allocate
from the owning loop's context and hold a reference to that loop for the
thread's lifetime, matching the context handling already used on the
work-enqueue and completion paths.
Already changed as part of 9.20 backport.
Merge branch 'ondrej/rewrite-threadpool-fixups' into 'main'
Ondřej Surý [Wed, 17 Jun 2026 19:16:50 +0000 (21:16 +0200)]
Run the work asynchronously when shutting down
Instead of running the work directly, run it asynchronously to prevent
dead-locks when then isc_work is scheduled from inside a lock and the
job itself is using locking.
Ondřej Surý [Wed, 17 Jun 2026 18:37:55 +0000 (20:37 +0200)]
Allocate work threads from their owning loop's memory context
A per-loop work thread referenced the loop manager's memory context,
which is not the context that backs the loop the thread serves. Pass
the owning loop instead and allocate from loop->mctx, keeping a loop
reference for the thread's lifetime. This matches how isc_work_enqueue
and work_done already obtain the context from the loop, and the
teardown uses loop->mctx before dropping the reference.
projects / thirdparty / bind9.git / log
