Ondřej Surý [Wed, 22 Oct 2025 17:25:55 +0000 (19:25 +0200)]
Detect resolution loops between fetches
Maintain the relationship between the parent and child fetch and when
creating a new child fetch, properly check the resolution loops that
would lead to a new fetch would join one of the parent's fetch contexts.
Michal Nowak [Wed, 22 Oct 2025 11:27:45 +0000 (13:27 +0200)]
chg: ci: Fail when spatch can't process source code
Sometimes spatch fails to process the source code:
EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c
Closes #5567
Merge branch '5567-spatch-detect-more-error-conditions' into 'main'
Michal Nowak [Mon, 20 Oct 2025 15:36:36 +0000 (17:36 +0200)]
Fail when spatch can't process source code
Sometimes spatch fails to process the source code:
EXN: Failure("replacement: node 80: {7[1,2,30,31,32] in isc__nm_base64_to_base64url reachable by inconsistent control-flow paths") in ./lib/isc/netmgr/http.c
Colin Vidal [Wed, 22 Oct 2025 07:16:52 +0000 (09:16 +0200)]
new: dev: run individual spatch form check-cocci.sh
Add util/check-cocci.sh support for a command-line argument which is a
path to a spatch file. Running `util/check-cocci.sh` runs all the spatch
in `cocci` folder. Running `util/check-cocci.sh cocci/foo.spatch` only
run the spatch `cocci/foo.spatch`.
Any command line parameters after `--` are forwarded to `spatch`
command, for instance:
Colin Vidal [Tue, 14 Oct 2025 12:01:42 +0000 (14:01 +0200)]
run individual spatch form check-cocci.sh
Add util/check-cocci.sh support for a command-line argument which is a
path to a spatch file. Running `util/check-cocci.sh` runs all the spatch
in `cocci` folder. Running `util/check-cocci.sh cocci/foo.spatch` only
run the spatch `cocci/foo.spatch`.
Any command line parameters after `--` are forwarded to `spatch`
command, for instance:
The :iscman:`dnssec-keygen` utility program failed to detect
possible Key ID collisions with the existing keys generated
using the non-default ``-T KEY`` option (e.g. for ``SIG(0)``).
This has been fixed.
Closes #5506
Merge branch '5506-dnssec-keygen-sig0-keys-collision-fix' into 'main'
Aram Sargsyan [Thu, 2 Oct 2025 12:52:12 +0000 (12:52 +0000)]
Fix dnssec-keygen key collision checking for KEY rrtype keys
When generating a new key, dnssec-keygen checks for possible
key ID collisions with existing keys. The dnssec.c:findmatchingkeys()
function, which is supposed to get the list of the existing keys,
fails to do that for the existing KEY rrtype keys (i.e. generated
using 'dnssec-keygen -T KEY') because it doesn't pass down to the
dst_key_fromnamedfile() -> dst_key_read_public() functions the type
of the keys it's interested in. Fix the issue by introducing a new
function parameter which tells in which type of keys the caller is
currently interested in.
Nicki Křížek [Tue, 21 Oct 2025 14:04:30 +0000 (16:04 +0200)]
new: test: Add module-specific python setup to system tests
During the system test execution, allow use of module-specific setup()
function in addition to the setup.sh script which this function should
ultimately replace.
The purpose of setup() is two-fold. First, it can execute any commands
needed to create the initial conditions for the test, such as creating
key materials, manipulating files etc. Second, it should return any
test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
Merge branch 'nicki/pytest-add-python-setup-func' into 'main'
Unify the names of autouse module-wide fixtures that perform
after_servers_start() setup. The consistent naming doesn't just help
readability, but also makes it simpler for the vulture exception (since
it doesn't properly deal with autouse fixtures).
Replace the autouse fixtures which were only used to change the initial
server configuration into proper bootstrap() functions. This gets rid of
an extraneous reconfigure.
In the tests_validation_many_anchors.py, split the fixture into a proper
bootstrap() and a separate test for checking the expected log lines for
the ignored keys. Previously, the test was broken - it should check for
all the messages being present in the log, and some of the keys are
actually initial-key rather than static-key. This has been fixed in the
parametrized test.
During the system test execution, allow use of module-specific
bootstrap() function in addition to the setup.sh script which this
function should ultimately replace.
The purpose of bootstrap() is two-fold. First, it can execute any
commands needed to create the initial conditions for the test, such as
creating key materials, manipulating files etc. Second, it should return
any test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
Evan Hunt [Tue, 21 Oct 2025 04:58:27 +0000 (04:58 +0000)]
fix: nil: simplify dns_dumpctx API
the functions dns_dumpctx_db() and dns_dumpctx_version() are used in
only one place, to get the serial number of the version being dumped.
it's simpler to expose the serial number through its own call,
dns_dumpctx_serial(), and remove the others.
the functions dns_dumpctx_db() and dns_dumpctx_version() are used in
only one place, to get the serial number of the version being dumped.
it's simpler to expose the serial number through its own call,
dns_dumpctx_serial(), and remove the others.
Colin Vidal [Sun, 19 Oct 2025 08:38:18 +0000 (10:38 +0200)]
chg: dev: mem: checkfree assertion after debug list dump
When a memory context is destroyed, if the `checkfree` property is set,
the program assert there is no remaining allocation. If there are and
assertions are enabled, the program immediately stops.
However, if memory trace/record debug is enabled, the dump of
outstanding allocation won't be printed as it is done after the
no remaining allocation assertion check.
This moves the no remaining allocation assertion check after the dump of
outstanding allocations, so it is still possible to figure out what's
still allocated by this memory context.
Merge branch 'colin/mem-checkfree-check-after-debuglist' into 'main'
Colin Vidal [Sat, 18 Oct 2025 15:44:27 +0000 (17:44 +0200)]
check memory context validity before mem_destory
Add a magic number check to ensure the memory context validity before
destorying it.
This check is needed now as it was done before implicitly when
isc_mem_inuse was called, but isc_mem_inuse is now called later (to be
able to dump the outstanding allocations).
Colin Vidal [Fri, 17 Oct 2025 08:54:09 +0000 (10:54 +0200)]
mem: checkfree assertion after debug list dump
When a memory context is destroyed, if the `checkfree` property is set,
the program assert there is no remaining allocation. If there are and
assertions are enabled, the program immediately stops.
However, if memory trace/record debug is enabled, the dump of
outstanding allocation won't be printed as it is done after the
no remaining allocation assertion check.
This moves the no remaining allocation assertion check after the dump of
outstanding allocations, so it is still possible to figure out what's
still allocated by this memory context.
Nicki Křížek [Mon, 6 Oct 2025 15:45:07 +0000 (17:45 +0200)]
Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Michał Kępień [Sat, 18 Oct 2025 07:39:35 +0000 (09:39 +0200)]
fix: usr: Fix the assertion failure in the selfsigned DNSKEY handling
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
Closes isc-projects/bind9#5343
Merge branch 'ondrej/security-fix-crash-in-selfsigned-key-handling' into 'v9.21.14-release'
Evan Hunt [Fri, 17 Oct 2025 20:36:32 +0000 (20:36 +0000)]
fix: usr: Report when a zone reload is already in progress
If a zone reload was already in progress when `rndc reload <zone>` was
run, the message returned was "zone reload queued", which was technically
correct, but it was identical to the message returned when a reload
was not in progress. Consequently, a user could issue two reload commands
without realizing that only one reload had actually taken place. This has
been addressed by changing the message returned to "zone reload was already queued".
Closes #5140
Merge branch '5140-report-reload-in-progress' into 'main'
Evan Hunt [Wed, 13 Aug 2025 20:15:23 +0000 (13:15 -0700)]
report when zone reload already in progress
if a zone reload is already in progress when 'rndc reload <zone>' is
run, currently the message returned in "zone reload queued", which
is correct, but it's identical to the message returned when a reload
was *not* in progress, so the user can't easily tell what happened.
a user could reload a zone twice and not realize that only one
reload actually took place.
this has been addressed by changing the message returned to
"zone reload was already queued".
a new result code ISC_R_LOADING has been added to signal this
condition, taking the place of ISC_R_RELOAD, which was obsolete
and has been removed.
Colin Vidal [Fri, 17 Oct 2025 20:08:54 +0000 (22:08 +0200)]
fix: test: fix random failure on synthrecord system test
One of the synthrecord system tests uses a test function to generate an expected name based on some randomly generated IPv6 (using Hypothesis). Turns out the test function generating the name didn't handle the case where the label which encodes the IPv6 could have a leading or trailing '-' character. (The plugin needs to add a leading or trailing 0 so as not to break IDN compatibility.)
Merge branch 'colin/fix-synthrecord-v6test' into 'main'
Colin Vidal [Fri, 10 Oct 2025 07:35:05 +0000 (09:35 +0200)]
fix random failure on synthrecord system test
One of the synthrecord system tests uses a test function to generate an
expected name based on some randomly generated IPv6 (using Hypothesis).
Turns out the test function generating the name didn't handle the case
where the label which encodes the IPv6 could have a leading or trailing
'-' character. (The plugin needs to add a leading or trailing 0 so as
not to break IDN compatibility.)
Ondřej Surý [Mon, 13 Oct 2025 12:10:06 +0000 (14:10 +0200)]
Fix the assertion failure in the selfsigned DNSKEY handling
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
Evan Hunt [Thu, 16 Oct 2025 05:42:15 +0000 (05:42 +0000)]
fix: dev: Ensure correct result from check_signer()
It was possible for the result to be overwritten after a validation failure, causing `check_signer()` to return success when it should have returned an error.
Closes #5575
Merge branch '5575-ensure-correct-result-from-check_signer' into 'main'
Evan Hunt [Wed, 15 Oct 2025 15:06:25 +0000 (08:06 -0700)]
Ensure correct result from check_signer()
It was possible for the result to be overwritten after a
validation failure, causing check_signer() to return success
when it should have returned an error.
Ondřej Surý [Thu, 16 Oct 2025 05:04:19 +0000 (07:04 +0200)]
doc: nil: Add a section about AI use in BIND 9 issue templates
Generally speaking, no AI generated slop is permitted. If AI has been
used to find an actual problem, the findings need to be verified by a
person, and the report should be written by the person. No copy and
paste is allowed. Anyone reporting the problem needs to be able to
verify the problem independently of the AI.
Ondřej Surý [Thu, 16 Oct 2025 04:58:12 +0000 (06:58 +0200)]
Add a section about AI use in BIND 9 issue templates
Generally speaking, no AI generated slop is permitted. If AI has been
used to find an actual problem, the findings need to be verified by a
person, and the report should be written by the person. No copy and
paste is allowed. Anyone reporting the problem needs to be able to
verify the problem independently of the AI.
Matthijs Mekking [Fri, 10 Oct 2025 17:34:59 +0000 (17:34 +0000)]
chg: nil: Add dnssec-policy text for dnssec-importkey
:program:`dnssec-importkey` should not be used to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage.
Merge branch 'matthijs-clarify-import-key-dnssec-policy' into 'main'
Nicki Křížek [Fri, 10 Oct 2025 09:24:39 +0000 (11:24 +0200)]
fix: test: Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Closes #5554
Merge branch '5554-disable-keyfromlabel-collision-avoidance-in-tests' into 'main'
Nicki Křížek [Wed, 8 Oct 2025 09:35:24 +0000 (11:35 +0200)]
Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Nicki Křížek [Mon, 6 Oct 2025 16:04:51 +0000 (18:04 +0200)]
fix: ci: Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Merge branch 'nicki/reuse-remove-m4-annotations' into 'main'
Nicki Křížek [Mon, 6 Oct 2025 15:45:07 +0000 (17:45 +0200)]
Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Michał Kępień [Mon, 6 Oct 2025 11:19:50 +0000 (13:19 +0200)]
Simplify named_tkeyctx_fromconfig()
With the code handling the "tkey-gssapi-credential" statement removed,
the named_tkeyctx_fromconfig() function can no longer fail. Update its
return type to void and revise its only call site accordingly. Clean up
the function's documentation. Declare the 's' helper variable only in
the scope it is used in to improve readability.
Michał Kępień [Mon, 6 Oct 2025 11:19:50 +0000 (13:19 +0200)]
Remove "tkey-gssapi-credential" and related code
Since the "tkey-gssapi-credential" statement has been previously
deprecated, mark it as ancient and remove all code related to it:
- The code processing the "tkey-gssapi-credential" statement in the
configuration is the only user of the dst_gssapi_acquirecred() and
dst_gssapi_releasecred() functions, so remove them along with their
static helper functions and a backup definition of the
GSS_KRB5_MECHANISM macro.
- When calling gss_accept_sec_context(), pass GSS_C_NO_CREDENTIAL
instead of the credential acquired by gss_acquire_cred().
(Previously, NULL was passed when "tkey-gssapi-credential" was not
specified. Kerberos headers define GSS_C_NO_CREDENTIAL as
(gss_cred_id_t) 0, so the logic was effectively the same, but using
the GSS_C_NO_CREDENTIAL macro is more appropriate.) This renders
the 'cred' parameter for dst_gssapi_acceptctx() redundant, so remove
it from the prototype of the latter. (Contrary to what the
documentation for dst_gssapi_acceptctx() claims,
dst_gssapi_releasecred() does not need to subsequently be called to
free the GSS-API context; a dst_gssapi_deletectx() call in
gssapi_destroy() takes care of that when the dynamically generated
TSIG key is destroyed.)
- Remove the 'gsscred' member from struct dns_tkeyctx, along with its
related dns_gss_cred_id_t typedef.
Update the relevant sections of the ARM and code comments accordingly.
This makes the "tkey-gssapi-keytab" statement the only way to set up
GSS-TSIG in named.
Remove redundant code from bin/named/tkeyconf.c while at it.
Michał Kępień [Mon, 6 Oct 2025 11:19:50 +0000 (13:19 +0200)]
Stop using "tkey-gssapi-credential" in tests
Since the "tkey-gssapi-credential" statement is now deprecated and is
about to be removed, migrate the only system test using it ("nsupdate")
to "tkey-gssapi-keytab".
Currently, the GSS-TSIG parts of the "nsupdate" system test require
properly setting up a combination of:
- "tkey-gssapi-credential" statements in named.conf files,
- the KRB5_KTNAME environment variable.
Specifically, this configuration causes named startup to include
acquiring the credential that GSS-API is allowed to match keys against
from a keytab file specified by the KRB5_KTNAME environment variable.
By contrast, the revised configuration uses the "tkey-gssapi-keytab"
statement, which makes GSS-API match keys against any credential present
in the specified keytab file.
Since both keytabs in question (ns9/dns.keytab, ns10/dns.keytab) only
contain a single credential, the two configurations are functionally
equivalent, with the revised one being significantly more readable and
simpler to prepare.
projects / thirdparty / bind9.git / log
