Ben Scott [Wed, 10 Jun 2026 19:56:00 +0000 (15:56 -0400)]
Explicit sub-steps for assessing -S and EOL
For the step where we assess which product versions/branches are
vulnerable to the flaw, add explicit subordinate steps for assessing
Special Subscriber -S Preview edition, and end-of-life versions that
are still received paid fixes.
While we have GitLab labels to indicate affected versions, there is no
satisfactory mechanism in place to indicate that assessment of all
versions is complete, and thus anything not labeled as affected can be
considered immune. Explicit checklist steps will allow others to see
when assessment is complete.
Ben Scott [Wed, 10 Jun 2026 17:08:32 +0000 (13:08 -0400)]
CVE and CVSS+CWE as separate steps
"Assigning CVE" and "Assigning CVSS+CWE" are really two different
steps. CVE is bookeeping; we just request the ID and type it in.
CVSS and CWE require a judgement determination, and often involve
discussion. At the same time, sometimes we forget to put the CVE ID
in right away. Since we already have a separate step for CVE
assignment, let's put "update the issue with the CVE ID" in that step,
too. Then the second step can be entirely about CVSS+CWE. Same
number of steps, just clearer separation of what the steps are about.
Michal Nowak [Wed, 10 Jun 2026 19:49:10 +0000 (21:49 +0200)]
fix: test: Various system test stability fixes for CI
Doubling system-test parallelism and removing the `@pytest.mark.flaky` markers exposed a set of timing-sensitive failures across CI. This branch keeps only the fixes for failures that are test-robustness bugs. Other - frequent - failures often guarded by `@pytest.mark.flaky` have their separate MRs already.
Merge branch 'mnowak/system-test-stability-fixes' into 'main'
Michal Nowak [Wed, 3 Jun 2026 16:39:56 +0000 (16:39 +0000)]
Retry the SOA serial check in the rpz test
While a response-policy zone is being (re)loaded it can briefly answer
with no SOA (SERVFAIL/REFUSED), which `dig +short` renders as empty
output. get_sn() aborted the whole tests.sh on the first such miss,
defeating the retry_quiet() loop in ck_soa() that is meant to wait for
the reload to settle. Return failure instead so the check is retried.
Michal Nowak [Thu, 28 May 2026 13:38:37 +0000 (13:38 +0000)]
Drop flaky marker from the fetchlimit system test
With the per-domain limit and clients-per-query spill checks no longer
sensitive to fetch-counter timing, the test no longer needs the
flaky-retry workaround.
Michal Nowak [Wed, 10 Jun 2026 17:22:50 +0000 (17:22 +0000)]
Accept a clients-per-query spill range in the fetchlimit test
The clients-per-query spill steps required exactly 55 spills, but the
auto-tuning ramp-up lags under load and spills more. Accept the 55..75
range; the ramp-up is already verified by the "clients-per-query
increased to 10" log wait.
Michal Nowak [Wed, 10 Jun 2026 17:22:44 +0000 (17:22 +0000)]
Make the fetchlimit per-domain limit check robust under load
The per-domain limit step required the active fetch count for
lamesub.example to read exactly 40 on a single sample. It parsed the
cumulative "allowed" field (6) rather than the active count (field 3),
and even the active count can briefly dip below 40 between bursts.
Sample the active count with retry_quiet, flag only a count above 40,
and require the limit to be reached at least once.
Michal Nowak [Tue, 9 Jun 2026 11:22:56 +0000 (13:22 +0200)]
fix: test: Register orphaned diff and skr unit tests in meson build
Both test files existed on disk but were never added to the meson test
list when the build system switched from autoconf.
skr_test.c also had a spurious #include <dns/tls.h> for a header that
never existed in this repo -- no symbols from it were used. Removing
the include is the only fix needed; the test itself is correct and
passes.
Assisted-by: Claude:claude-opus-4-7
Merge branch 'mnowak/fix-orphaned-unit-tests' into 'main'
Michal Nowak [Sun, 24 May 2026 18:12:53 +0000 (18:12 +0000)]
Add build-time check for unregistered unit test files
Fail at meson configure time if a *_test.c file exists in a test
directory but is not listed in the corresponding test array. This
prevents test files from being silently orphaned when added without
updating meson.build, as happened with diff_test.c and skr_test.c.
Michal Nowak [Mon, 25 May 2026 08:17:02 +0000 (08:17 +0000)]
Register orphaned diff and skr unit tests in meson build
Both test files existed on disk but were never added to the meson test
list when the build system switched from autoconf.
skr_test.c also had a spurious #include <dns/tls.h> for a header that
never existed in this repo -- no symbols from it were used. Removing
the include is the only fix needed; the test itself is correct and
passes.
Nicki Křížek [Tue, 9 Jun 2026 10:34:25 +0000 (12:34 +0200)]
chg: test: Add NSEC3 answer correctness test to dnssec_py
Rewrite nsec3_answer/tests_nsec3.py as dnssec_py/tests_nsec3_answer.py
using the isctest.zone helpers for zone setup. ns1 (auth) and ns2
(resolver) were renumbered to ns2 and ns9 respectively to fit the
existing dnssec_py server infrastructure.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'nicki/pytest-dnssec-py-nsec3-answer' into 'main'
Nicki Křížek [Mon, 8 Jun 2026 15:26:02 +0000 (15:26 +0000)]
Add NSEC3 answer correctness test to dnssec_py
Rewrite nsec3_answer/tests_nsec3.py as dnssec_py/tests_nsec3_answer.py
using the isctest.zone helpers for zone setup. ns1 (auth) and ns2
(resolver) were renumbered to ns2 and ns9 respectively to fit the
existing dnssec_py server infrastructure.
Nicki Křížek [Mon, 8 Jun 2026 15:34:35 +0000 (15:34 +0000)]
Add revoked truncated self-signed DNSKEY test to dnssec_py
Port test_truncated_dnskey from dnssec_malformed_dnskey into the shared
dnssec_py fixture harness, completing the migration and deleting the
remaining dnssec_malformed_dnskey files.
Nicki Křížek [Mon, 8 Jun 2026 15:33:59 +0000 (15:33 +0000)]
Add malformed ECDSA DNSKEY tests to dnssec_py
Port test_malformed_ecdsa and test_multiple_rrsigs from the standalone
dnssec_malformed_dnskey directory into the shared dnssec_py fixture
harness. The zone is renamed from example. to dnskey-malformed., the
resolver fixture changes from a dedicated ns3 to the shared ns9, and
trust anchors are wired in via bootstrap() rather than per-directory
config files.
Nicki Křížek [Tue, 9 Jun 2026 08:34:32 +0000 (10:34 +0200)]
chg: test: Add mixed DS test to dnssec_py
Rewrite dnssec_unsupported_ds/tests_mixed_ds.py as
dnssec_py/tests_mixed_ds.py using the isctest.zone helpers for zone
setup.
The test verifies that a zone whose DS RRset contains only an
unsupported algorithm DS and a bogus DS record is treated as insecure
by a validating resolver, resulting in SERVFAIL for queries to that
zone. The DS set for child.mixed-ds. is deliberately corrupted after
signing to contain a DS record with an unsupported algorithm (12) and
a DS record with an invalid digest, exercising the mixed-DS insecurity
proof path.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'nicki/pytest-dnssec-py-mixed-ds' into 'main'
Nicki Křížek [Mon, 8 Jun 2026 15:19:22 +0000 (15:19 +0000)]
Add mixed DS test to dnssec_py
Rewrite dnssec_unsupported_ds/tests_mixed_ds.py as
dnssec_py/tests_mixed_ds.py using the isctest.zone helpers for zone
setup.
The test verifies that a zone whose DS RRset contains only an
unsupported algorithm DS and a bogus DS record is treated as insecure
by a validating resolver, resulting in SERVFAIL for queries to that
zone. The DS set for child.mixed-ds. is deliberately corrupted after
signing to contain a DS record with an unsupported algorithm (12) and
a DS record with an invalid digest, exercising the mixed-DS insecurity
proof path.
Ondřej Surý [Mon, 8 Jun 2026 16:01:03 +0000 (18:01 +0200)]
fix: usr: Reject unsupported RSA DNSKEY shapes during DNSSEC validation
An authoritative server publishing an RSA DNSKEY with an unusually
large modulus or an exotic public exponent could make each DNSSEC
signature check on a validating recursive resolver noticeably more
expensive than for a normally sized key. Such DNSKEYs are now
treated as invalid.
Closes #6008
Merge branch '6008-reject-oversized-rsa-dnskeys' into 'main'
Ondřej Surý [Tue, 19 May 2026 15:52:22 +0000 (17:52 +0200)]
Enforce strict RSA DNSKEY shape during DNSSEC validation
A resolver that validated DNSSEC accepted RSA DNSKEYs of any modulus
size up to OpenSSL's compile-time ceiling, and accepted any public
exponent the wire format could carry. RSA verification cost grows
sharply with the modulus length, so an authoritative server could
publish an oversized DNSKEY to make each signature check on the
resolver many times more expensive than for a normally sized key.
The intended verify-time cap had no effect because the helper it called
returned the public-exponent bit length rather than the modulus bit
length, so the test was always satisfied. Replace it with an honest
modulus-range check and a stricter exponent check that accepts only odd
exponents in the closed range [3, 2^32 + 1] (covering every Fermat
prime up to F5 and the odd intermediate values seen in deployed keys),
reject anything outside those bounds at every RSA key load path so an
invalid key never reaches the verifier, and keep the same checks at the
verifier as a backstop against future load paths.
Ondřej Surý [Mon, 8 Jun 2026 15:55:37 +0000 (17:55 +0200)]
fix: dev: Fix the memory ordering in the adaptive read-write lock
On hardware with a weak memory model, the internal read-write lock could
briefly admit a reader and a writer at the same time, risking sporadic
crashes or incorrect data. The reader/writer handshake now uses
sequentially consistent ordering so the two can no longer overlap.
Closes #6060
Merge branch '6060-rwlock-seq-cst-handshake' into 'main'
Ondřej Surý [Tue, 2 Jun 2026 04:32:20 +0000 (06:32 +0200)]
Use sequentially consistent ordering in the adaptive rwlock handshake
The adaptive isc_rwlock (the modified C-RW-WP variant) synchronizes a
reader against a writer through a store-buffer handshake across two
independent atomic objects: the reader publishes its arrival in
readers_ingress and then reads writers_lock, while the writer publishes
its lock in writers_lock and then reads the reader indicator. With the
acquire/release ordering introduced by the 2021 simplification, neither
side is forced to observe the other's publish store before its own check
load, so on weak-memory targets a reader could see writers_lock unlocked
while the writer sees the indicator empty, and both would enter their
critical sections at once.
Restore the sequentially consistent ordering the original algorithm
specifies on the handshake atomics. The single total order over the
seq_cst operations is what forbids the overlap; targeting individual
fences is both more fragile and, on x86, more expensive. On x86 this
ordering is free (seq_cst loads remain plain loads and the RMWs remain
lock-prefixed); the added cost falls only on the weak-memory targets that
actually need it.
Ondřej Surý [Mon, 8 Jun 2026 15:50:38 +0000 (17:50 +0200)]
rem: usr: Restrict views to the Internet (IN) class
Views could previously be declared in classes other than Internet (IN),
but that support was inconsistent — ``named-checkconf`` accepted configurations
that ``named`` then refused to load. Views are now restricted to class IN, and
both tools reject any other class. Configurations declaring a non-IN view
must drop the class to keep working.
Merge branch '5784-improve-class-handling' into 'main'
Ondřej Surý [Wed, 4 Mar 2026 12:24:53 +0000 (13:24 +0100)]
Disallow configuration of user-defined non-IN class views
Only class IN is allowed for user-defined views; the internally
generated `_bind` view stays in the CH class. Both `named` and the
shared checker in `lib/isccfg/check.c` now reject non-IN views, so a
config can no longer pass `named-checkconf` yet fail to start in
`named`.
Tests, configs, and catalog zones using CH or arbitrary classes
(e.g. `class10`) are removed accordingly.
Ondřej Surý [Thu, 4 Jun 2026 08:25:42 +0000 (10:25 +0200)]
Use variable size struct for zonecut ndata to avoid allocation
Previously, the node_deleg_t would do double allocation, one for the
struct itself and one for the zonecut. This has been changed to use
variable sized struct with the zonecut .ndata buffer attached to the end
of node_deleg_t structure.
Michal Nowak [Mon, 8 Jun 2026 13:23:27 +0000 (15:23 +0200)]
fix: ci: Escape literal dots in branch-name match regexes
The backports and merged-metadata rules used unescaped dots in their
branch-name regexes, causing them to over-match. Escape the dots so the
patterns match the intended version branch names exactly.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'mnowak/ci-fix-regex-escaping' into 'main'
Michal Nowak [Wed, 3 Jun 2026 11:56:17 +0000 (11:56 +0000)]
Escape literal dots in branch-name match regexes
The backports and merged-metadata rules used unescaped dots in their
branch-name regexes, causing them to over-match. Escape the dots so the
patterns match the intended version branch names exactly.
Michal Nowak [Mon, 8 Jun 2026 11:44:10 +0000 (13:44 +0200)]
fix: dev: Preserve the request message across async SIG(0) processing
For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send(). That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).
Copy the request message when entering async mode and reference the
copy, freeing it in ns__client_reset_cb().
Assisted-by: Claude:claude-opus-4-8
Closes #6139
Merge branch '6139-dnstap-sig0-request-buffer-uaf' into 'main'
Michal Nowak [Thu, 4 Jun 2026 12:09:26 +0000 (12:09 +0000)]
Preserve the request buffer across async SIG(0) processing
For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send(). That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).
When the request is offloaded (ns_client_setup_view() returns
DNS_R_WAIT) and dnstap is enabled, copy the request buffer and point
client->inner.buffer at the copy so it survives the asynchronous hop;
free it in ns__client_reset_cb(). When dnstap is disabled there is no
async consumer of the buffer, so detach it from the receive buffer
instead.
Michal Nowak [Mon, 8 Jun 2026 10:09:24 +0000 (12:09 +0200)]
fix: dev: Build the fuzzers without the libbindtest test library
Every fuzz target depended on libtest_dep, which forces building the
libbindtest shared library. In a static build (as used by OSS-Fuzz)
that link fails: libbindtest's netmgr wrappers multiply-define symbols
that also live in the static libisc/libns archives, and the static
system libraries are not position independent.
Only fuzz_dns_qp actually uses the qp test helpers, so give it just
tests/libtest/qp.c via the new libtest_qp_dep and drop libtest_dep
from the fuzzers.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'mnowak/fuzz-drop-libbindtest' into 'main'
Michal Nowak [Fri, 5 Jun 2026 10:08:03 +0000 (10:08 +0000)]
Build the fuzzers without the libbindtest test library
Every fuzz target depended on libtest_dep, which forces building the
libbindtest shared library. In a static build (as used by OSS-Fuzz)
that link fails: libbindtest's netmgr wrappers multiply-define symbols
that also live in the static libisc/libns archives, and the static
system libraries are not position independent.
Only fuzz_dns_qp actually uses the qp test helpers, so give it just
tests/libtest/qp.c via the new libtest_qp_dep and drop libtest_dep
from the fuzzers.
Michal Nowak [Fri, 5 Jun 2026 14:33:17 +0000 (16:33 +0200)]
chg: ci: Build unit tests in the unit test job
Building the unit tests in the build job ships them in the CI artifact
(+200 MB) and transfers them over the network. Build them in the unit
test job instead.
Git checks the sources out newer than the build tree restored from the
artifact, which would make meson rebuild all of BIND 9 in the unit test
job. Age the sources so the build is treated as up to date and only the
unit tests get compiled.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'mnowak/build-unit-tests-in-unit-job' into 'main'
Michal Nowak [Wed, 3 Jun 2026 13:53:51 +0000 (13:53 +0000)]
Build unit tests in the unit test job
Building the unit tests in the build job ships them in the CI artifact
(+200 MB) and transfers them over the network. Build them in the unit
test job instead.
When Git checks out the sources, their modification times are newer than
the build tree restored from the artifact, so meson would rebuild all of
BIND 9 in the unit test job. Age the tracked sources so the build is
treated as up to date and only the unit tests get compiled.
Nicki Křížek [Thu, 4 Jun 2026 17:16:12 +0000 (19:16 +0200)]
new: test: pytest helpers for dnssec and zone setup
- Create `isctest.zone.Zone` helper for zone setup (including signing).
- Add `ZoneKey` helpers for both dnssec-keygen managed keys and python-based keys.
- Add `dnssec_py` shared test setup for DNSSEC tests.
- Add the first example - refactor `nsec3_delegations` into a `dnssec_py` test module.
Add ZoneKey helpers for key operations in isctest.zone
Introduce an abstract ZoneKey base class with two concrete
implementations:
- FileZoneKey wraps a dnssec-keygen-managed key file (kasp.Key).
- PythonZoneKey holds a Python-native keypair for dnspython-based
signing and key operations.
Both share ZoneKey.into_ta() and ZoneKey.is_ksk(). The ZoneKey
abstraction lets Zone.copy_dssets() and Zone.trust_anchors() handle
pure-Python keys without callers needing to know how the key was made.
Rewrite nsec3_delegation/tests_excessive_nsec3_iterations.py as
dnssec_py/tests_nsec3_iter_too_many.py using the isctest.zone helpers.
The test is a reproducer for CVE-2026-1519 [GL#5708]. It sets up a
delegation from nsec3-iter-too-many. (ns2) to an unsigned sub zone
(ns3), signing the parent with NSEC3 at 51 iterations. A validating
resolver (ns9) must use NSEC3 to prove the sub zone is insecure; the
excessive iteration count is logged as a warning. The test verifies that
the query still resolves successfully (insecure, not SERVFAIL) despite
the high iteration count.
Add a new system test directory for DNSSEC tests written in Python,
using the isctest.zone helpers for zone setup rather than shell sign
scripts.
Set up four nameservers:
- ns1: authoritative for the signed root zone
- ns2: authoritative for test zones (primary)
- ns3: authoritative for additional test zones (typically delegations)
- ns9: validating resolver
Zone configuration for ns2 and ns3 is driven by the ``zones`` template
variable via _common/zones.conf.j2, so each test module's bootstrap()
controls which zones those servers load without touching named.conf.
Individual test modules will be added in subsequent commits.
System tests that set up zones — especially DNSSEC tests — require a
chain of common operations: rendering zone files from templates,
generating keys, signing, and propagating DS records to parent zones.
Implement these as methods on isctest.zone.Zone so individual tests
don't need to repeat the logic in shell or ad-hoc Python.
isctest.zone.Zone is a plain class that holds the zone's data and
accumulated state (delegations, keys) alongside the methods that operate
on it. It is intentionally separate from isctest.template.Zone, which
remains a dumb data container for jinja2 template rendering.
Key design points:
- zone.Zone.name is the text form without trailing dot ("." for root);
zone.Zone.dname holds the dns.name.Name for DNS-level operations;
zone.Zone.basename is the filesystem-safe name ("root" for ".").
- filepath_unsigned / filepath_signed are both always available.
filepath returns the appropriate one based on zone.Zone.signed.
- The zones/ subdirectory is the default (subdir="zones"); old-style
tests that place zone files directly in the ns workdir can pass
subdir=None.
- Signing is opt-in via signed=True; configure() auto-detects whether to
generate keys and sign based on this flag, so the same method handles
both signed and unsigned zones.
- delegations and keys are mutable list attributes; callers append to
them before calling configure() rather than threading them through
every call.
Also:
- Add isctest.template.zones() as a bridge from a list of zone.Zone to a
{name: template.Zone} dict suitable for use as the ``zones`` template
variable. template.zones() resolves filepath to the actual zone file
so templates don't need to know whether a zone is signed.
Ondřej Surý [Thu, 4 Jun 2026 13:55:29 +0000 (15:55 +0200)]
fix: dev: Fix a possible crash when cleaning up a view's caches
In rare cases named could crash while a view was being removed, for example
during reconfiguration or shutdown, as its internal caches were torn down.
This has been fixed.
Closes #6119
Merge branch '6119-fix-possible-uaf-when-destroying-dns_badcache' into 'main'
Ondřej Surý [Wed, 3 Jun 2026 09:27:14 +0000 (11:27 +0200)]
Fix use-after-free when destroying the bad and unreachable caches
Eviction of an entry owned by another loop was bounced to that loop via
isc_async_run(), so a queued list removal could run after the cache had
freed its LRU lists. Use a single mutex-guarded LRU list instead, removing
entries synchronously under the lock, and let each entry hold its own
memory-context reference so the RCU free never touches a gone loop.
Colin Vidal [Thu, 4 Jun 2026 13:09:46 +0000 (15:09 +0200)]
new: dev: Add DTrace support for resolver queries
When `fctx_query()` is called, a DTrace probe (if enabled) prints the
fetch context address, the upstream server address and port, and the
latest known SRTT for the server.
Merge branch 'colin/dtrace-resolver-query' into 'main'
Colin Vidal [Wed, 13 May 2026 07:53:35 +0000 (09:53 +0200)]
Add DTrace support for resolver queries
When `fctx_query()` is called, a DTrace probe (if enabled) prints the
fetch context address, the upstream server address and port, and the
latest known SRTT for the server.
Colin Vidal [Thu, 4 Jun 2026 11:53:39 +0000 (13:53 +0200)]
fix: usr: Do not assert on synthrecord reverse mode with huge prefix
When using the `synthrecord` plugin in reverse mode, if a very long
prefix is configured by the operator such that there is no room to fit
the reversed IP address into a DNS name, `named` could assert. This has
now been fixed. In such situations, an error is logged so the operator
is aware of the problem, and `NXDOMAIN` is answered.
Closes #6115
Merge branch '6115-synthrecord-prefix' into 'main'
Colin Vidal [Wed, 3 Jun 2026 14:08:57 +0000 (16:08 +0200)]
Do not assert on synthrecord reverse mode with huge prefix
When using the `synthrecord` plugin in reverse mode, if a very long
prefix is configured by the operator such that there is no room to fit
the reversed IP address into a DNS name, `named` could assert. This has
now been fixed. In such situations, an error is logged so the operator
is aware of the problem, and `NXDOMAIN` is answered.
Colin Vidal [Wed, 3 Jun 2026 14:09:12 +0000 (16:09 +0200)]
Add synthrecord systest with long prefix
Add a system test covering the synthrecord in reverse mode with a (too)
long prefix. If the prefix size doesn't leave room to add the reversed
IP address, the attempt to generate a name is aborted, and `NXDOMAIN` is
returned.
Ondřej Surý [Thu, 4 Jun 2026 11:25:09 +0000 (13:25 +0200)]
chg: dev: Simplify the delegation database memory management
This is an internal simplification of the delegation database's memory
management, replacing the per-thread eviction lists and deferred,
cross-thread record cleanup with a single shared eviction list and
immediate cleanup. There is no change to how delegations are cached or
resolved.
Merge branch 'ondrej/delegdb-shared-sieve-lru' into 'main'
Ondřej Surý [Wed, 3 Jun 2026 17:58:03 +0000 (19:58 +0200)]
Simplify the delegation database LRU to a single shared SIEVE
The delegation database kept one SIEVE LRU list per loop so that node
eviction could run lock-free on each node's owning loop; this required
every node to hold a loop reference and to defer its own destruction to
that loop via isc_async_run(). Move the SIEVE unlink into the QP write
transaction, taking the evicted node directly from dns_qp_deletename(),
which serialises every list mutation under the qpmulti writer lock and
lets a single shared list replace the per-loop arrays. Node and database
teardown are now synchronous.
The QP trie and the SIEVE list are wrapped in a reference-counted holder.
Each node keeps a reference to the holder so it (and its memory context)
stays valid until the node is destroyed, while shutdown drains the SIEVE
and destroys the trie from an RCU callback and frees the holder once the
last node drops its reference. Reuse across a reconfiguration now moves
ownership of the holder to the new view instead of sharing it through a
separate owners counter, so dns_delegdb_reuse() is removed.
Ondřej Surý [Thu, 4 Jun 2026 09:58:12 +0000 (11:58 +0200)]
Only update the global tid_count once
Normally, the tid_count is initialized only once at the beginning of the
application. The only exception is the pattern in the unit test where
isc_loopmgr is repeatedly created and torn down and each creation of
isc_loopmgr_t calls isc__tid_initcount() with the previous value.
ThreadSanitizer sees that as write operation on unprotected memory are
reports this as data race even though the value has not really changed.
This has been fixed by skipping the tid_count value update on repeated
calls.
Alessio Podda [Mon, 11 May 2026 12:42:24 +0000 (12:42 +0000)]
sec: usr: Fix DNS64 owner case after DNAME restart
When BIND 9 is configured to use DNS64 and encounters a DNAME redirect, it could end up using freed memory for the DNS response owner name. This caused the response to contain corrupted data.
This fix ensures the correct owner name is used when constructing the synthesized response after a DNAME redirect.
ISC thanks Qifan Zhang of Palo Alto Networks for reporting the issue.
Closes isc-projects/bind9#5934
Merge branch '5934-dns64-dname-fix' into 'security-main'
Alessio Podda [Mon, 4 May 2026 08:20:28 +0000 (10:20 +0200)]
Fix DNS64 owner case after DNAME restart
When DNS64 filters a partially excluded AAAA RRset after a DNAME
restart, dns_message_findname() can return an existing message-owned
owner name while qctx->fname is released on the NXRRSET path.
Set owner case from the message-owned name used for attaching the
filtered rdataset, avoiding a stale alias to the released temporary
name.
Alessio Podda [Mon, 4 May 2026 07:43:01 +0000 (09:43 +0200)]
Add DNS64 DNAME restart regression test
Exercise a recursive AAAA query below a DNAME owner that also has a
partially excluded AAAA RRset. This covers the query_filter64() path
where the response already contains the owner name and DNS64 attaches a
filtered AAAA rdataset to it.
A previous commit introduced a latent bug where the wrong popcount
definition was used when overriding the compilation mode to C23.
This commit fixes it.
Michal Nowak [Mon, 1 Jun 2026 20:56:50 +0000 (22:56 +0200)]
fix: ci: Disable dnstap in reproducible-build CI job
Commit 515ff3763c ("Simplify reproducible-build CI job") dropped the
-Ddnstap=disabled option from the "meson reprotest" invocation, which
re-introduced a known reproducibility failure:
The job builds with CFLAGS=${CFLAGS_COMMON}, which enables LTO with
-ffat-lto-objects. Fat LTO objects embed GIMPLE bytecode keyed by a
per-compilation random LTO hash, so they are not reproducible run to
run. libdnstap.a is the only static archive in the build, and meson
treats every .a as a final, checked artifact, so the two reprotest
builds disagree on its contents. The shared libraries are unaffected
because final LTO linking re-emits and strips the bytecode.
Restore the -Ddnstap=disabled workaround, along with a comment
explaining the instability. The unrelated -Ddoc=disabled and
-Doptimization=1 options are left dropped, as they were only build-time
speedups and not related to reproducibility.
Assisted-by: Claude:claude-opus-4-8
Merge branch 'mnowak/reprotest-disable-dnstap-lto' into 'main'
Michal Nowak [Mon, 1 Jun 2026 20:38:50 +0000 (20:38 +0000)]
Disable dnstap in reproducible-build CI job
Commit 515ff3763c ("Simplify reproducible-build CI job") dropped the
-Ddnstap=disabled option from the "meson reprotest" invocation, which
re-introduced a known reproducibility failure:
The job builds with CFLAGS=${CFLAGS_COMMON}, which enables LTO with
-ffat-lto-objects. Fat LTO objects embed GIMPLE bytecode keyed by a
per-compilation random LTO hash, so they are not reproducible run to
run. libdnstap.a is the only static archive in the build, and meson
treats every .a as a final, checked artifact, so the two reprotest
builds disagree on its contents. The shared libraries are unaffected
because final LTO linking re-emits and strips the bytecode.
Restore the -Ddnstap=disabled workaround, along with a comment
explaining the instability. The unrelated -Ddoc=disabled and
-Doptimization=1 options are left dropped, as they were only build-time
speedups and not related to reproducibility.
projects / thirdparty / bind9.git / log
