Previously, the packet.pl script was used to send the a series of frames
to named; this worked by accident as most of these were refused by the
kernel with EAGAIN. packet.pl prints a dot every 1000 packets, so this
slowed the script down and allowed some frames to get through.
Reimplement the test in Python: build the packet with dnspython, send
~6 MiB of data over TCP discarding all replies and then check if the
server is still alive.
Add Python helpers for inspecting `rndc status`, opening probe
connections, and waiting for counter changes, then use them to port the
TCP and recursive high-water checks from the shell script.
Connections are now managed by the test script directly removing the
need for the ans6 server. This also removes the need for the send.pl
script and the respective shell test helper as they were used to control
said server.
Add a helper that runs `rndc stats` and reads the TCP request counter
from named.stats, then use it to port the resolver and forwarder checks
from the shell script to tests_tcp.py. Record named.stats as an extra
artifact so the generated statistics remain available after test runs.
Use isctest.query.create() and a shared round-trip helper in
bin/tests/system/tcp/tests_tcp.py, add type hints, and reorganize the
existing tests to follow current style.
Mark Andrews [Wed, 15 Jul 2026 23:36:30 +0000 (09:36 +1000)]
fix: nil: Extend meson.build to support python 3.13 and 3.14
The later releases of python are not supported by meson.build
requiring the built environment to maintain / install older
versions of python to be able build and test.
Merge branch 'marka-support-python-3.14' into 'main'
When adding a new key into a full list, the newly inserted key
could be evicted just after the insertion if all the existing
keys were marked as visited. This has been fixed.
Closes #6263
Merge branch '6263-tkey-quota-bug-fix' into 'main'
When adding a new key to the SIEVE list, make the eviction decision
first, and then add the new key, so that it doesn't get evicted
immediately after insertion.
The new check creates more TSIG keys than the maximum allowed number,
and expectes that all the newly created keys are findable just after
they were created. I.e., when full, the newly created key should not
evicted.
fix: test: Increase timeout for zone update in multisigner test
In slower platforms in CI (e.g. freebsd14), the 10s timeout could be too
short causing the test to fail. Increase it to make the test stable even
during heavy CI load.
Increase timeout for zone update in multisigner test
In slower platforms in CI (e.g. freebsd14), the 10s timeout could be too
short causing the test to fail. Increase it to make the test stable even
during heavy CI load.
fix: test: Extend the check_dnssec_verify retry window to 60 seconds
A fixed ten-iteration poll could be too short for a freshly signed
zone to become fully valid on a heavily loaded host, occasionally
yielding a spurious "zone not verified".
Bump the budget to a 60-second window and, in the process, replace the
hand-rolled retry loop with the standard isctest.run.retry_with_timeout
helper already used by check_next_key_event.
---
Example of the failure: https://gitlab.isc.org/isc-private/bind9/-/jobs/7773885
Merge branch 'nicki/widen-dnssec-verify-timeout' into 'main'
Extend the check_dnssec_verify retry window to 60 seconds
A fixed ten-iteration poll could be too short for a freshly signed
zone to become fully valid on a heavily loaded host, occasionally
yielding a spurious "zone not verified".
Bump the budget to a 60-second window and, in the process, replace the
hand-rolled retry loop with the standard isctest.run.retry_with_timeout
helper already used by check_next_key_event.
Catalog zones might need to inspect the change-of-ownership records
of other catalog zones, which required to release the lock in the
middle of certain operations, leading to possible race conditions.
Since the operations on change-of-ownership records are limited, we
can instead use a design with a second lock protecting the
change-of-ownership records on read. We structure the API so that
holding two change-of-ownership locks at the same time is impossible.
Closes #6131
Merge branch '6131-catz-dns__catz_zones_merge-uaf-fix-v2' into 'main'
Alessio Podda [Wed, 10 Jun 2026 13:24:06 +0000 (15:24 +0200)]
Split lock coos check design
Catalog zones might need to inspect the change-of-ownership records
of other catalog zones, which required to release the lock in the
middle of certain operations, leading to possible race conditions.
Since the operations on change-of-ownership records are limited, we
can instead use a design with a second lock protecting the
change-of-ownership records on read. We structure the API so that
holding two change-of-ownership locks at the same time is impossible.
fix: dev: Use correct port and target for NOTIFY(CDS)
If there is a DSYNC RRset with multiple records, and unsupported scheme/type records follow supported ones, the port and target of the last record were being used to queue the notify. This does not necessarily match the port and target of the supported record. This has been fixed.
Closes #6080
Merge branch '6080-dsync-mismatch-queue' into 'main'
Only save the DSYNC target and port when a record matches CDS NOTIFY,
then after scanning the complete RRset require count == 1 before using
the stored values.
Current system tests cover a mixed RRset in but the unsupported and
supported records use the same target and port, so the test does not
catch that the wrong port and target are being used for the supported
type.
Change the test such that the supported DSYNC record is followed
by the unsupported ones, and use different port and target for
supported and unsupported DSYNC records.
Mark Andrews [Tue, 14 Jul 2026 23:08:44 +0000 (09:08 +1000)]
fix: test: test-syncplugin treats firstlbl as a prefix, not an exact label
The label length and the string length where not being checked so
a label that started with a string that matched the skip label would
incorrectly match.
Closes #6212
Merge branch '6212-fix-syncplugin-test-driver' into 'main'
Mark Andrews [Wed, 8 Jul 2026 02:08:38 +0000 (12:08 +1000)]
Properly check test-syncplugin skip label for equality
The label length and the string length where not being checked so
a label that started with a string that matched the skip label would
incorrectly match.
Mark Andrews [Thu, 9 Jul 2026 04:47:28 +0000 (14:47 +1000)]
cdnxdomain test is failing on some platforms
Ensure the modification time is newer (second granuality) when the
zone file is rewritten as named uses the file modification time to
determine if it needs to reload a file.
Aydın Mercan [Thu, 12 Feb 2026 07:07:57 +0000 (10:07 +0300)]
clear the error stack at the end of fetching
Clearning the error stack at the very end will get rid of any other
optional fetch failures since fetch failures are treated as-if they are
unsupported by the provider.
Aydın Mercan [Thu, 12 Feb 2026 06:08:56 +0000 (09:08 +0300)]
add quic header protection to isc_crypto
QUIC uses a custom PRF construction to protect parts of the packet
header. This PRF is derived from the negotiated AEAD key and uses
unauthenticated encryption internally.
We do not expose the primitives underneath (AES-ECB and ChaCha20) as
they shouldn't be within the reach of contributors for their own safety.
Allowing such functionality to be used easily can only result it
problems not to dissimilar to leaving a baby with open bottles of
cleaning supplies.
Aydın Mercan [Mon, 9 Feb 2026 05:03:02 +0000 (08:03 +0300)]
add aead api to isc_crypto
The new AEAD API exists to cather to the needs for QUIC but is still
usable in other future contexts. Only AES-128-GCM, AES-256-GCM and
ChaCha20-Poly1305 are supported.
AES-128-CCM is intentionally skipped as the algorithm is neither
encountered in the wild nor has any useful advantages comapred to the
more popular AES-128-GCM mode.
Aydın Mercan [Tue, 3 Feb 2026 07:56:00 +0000 (10:56 +0300)]
add types compatible builtin
This builtin function makes macros gain type safety and also the ability
to statically assert the correctness of typedefs that target external
libraries.
Martin Basti [Tue, 14 Jul 2026 13:08:01 +0000 (13:08 +0000)]
fix: test: Replace python deprecated datetime utc functions
Functions `utcnow` and `utcfromtimestamp` are deprecated in python and
print warnings into tests logs about it.
Use the python prefered way by defining `timezone.utc` in `now` and
`fromtimestamp` functions. Which are equivalent but safer than naive
objects without timezone.
To ensure comptibility `%z` was added to format string to properly
process `Z` as UTC timezone.
Assisted-by: Claude Code:claude-opus-4-8[1m]
Merge branch 'mbasti/python-fix-deprecated-utcfromtimestamp' into 'main'
Martin Basti [Tue, 14 Jul 2026 09:09:10 +0000 (11:09 +0200)]
Replace python deprecated datetime utc functions
Functions `utcnow` and `utcfromtimestamp` are deprecated in python and
print warnings into tests logs about it.
Use the python prefered way by defining `timezone.utc` in `now` and
`fromtimestamp` functions. Which are equivalent but safer than naive
objects without timezone.
To ensure comptibility `%z` was added to format string to properly
process `Z` as UTC timezone.
Martin Basti [Tue, 14 Jul 2026 12:24:27 +0000 (12:24 +0000)]
new: usr: Built-in hints can be printed with named -H command
Additionally root hints were updated to precisely match authoritative source including comments. This is a cosmetic change IP addresses haven't been changed.
new: dev: Add development guidance for AI coding agents under .agents/skills/
This adds a set of skill documents that give AI coding agents the
project's established practices up front instead of having them
rediscovered (or gotten wrong) in every session: the canonical build
and test invocations, the memory-allocator contract, the disciplines
for RCU mutation, per-loop sharded structures, struct-layout work, and
flight-recorder debugging of concurrency bugs, plus the commit and
merge-request conventions.
Merge branch 'ondrej/add-agents-skills' into 'main'
Explain that MR titles and descriptions feed the generated release
notes, so agents must write them for system administrators: one short
paragraph in operational terms, no internal names or jargon, no
hand-written doc/notes/ entries, and bug framing rather than security
framing for local-filesystem misbehavior.
Walk agents through the full commit workflow: the git-clang-format
staging sequence, reason-focused messages hard-wrapped at 72 columns
with no type prefixes, the Assisted-by trailer and the forbidden ones,
amend and fixup discipline for HEAD and non-HEAD commits, and the rule
that agents commit locally and leave publishing to the user.
Capture the ownership-instead-of-locking pattern for per-loop sharded
structures: owner-only mutation under isc_tid() affinity, foreign
deletion as mark plus wait-free handoff of the exact entry to the
owner (never an O(shard) scan for marked entries), shard-held
references with bounded zombie lifetime, and eviction pressure spread
across shards instead of draining one before the next.
Point agents at pahole on the developer build's DWARF instead of
compiling throwaway sizeof programs, and document the cacheline-padding
idiom (union arm with a plain ISC_OS_CACHELINE_SIZE multiplier plus a
STATIC_ASSERT) over the enumerated-sizeof formula, which silently
miscounts when members are added.
Add the lttng-tracing-root-cause-analysis agent skill
Describe the LTTng flight-recorder methodology for concurrency bugs
that static reading, printf and debuggers all miss: small snapshot
buffers to keep timing faithful, a self-diagnosing violation tracepoint
followed by snapshot-and-abort, and the trace-reading patterns —
notably that a stale-read-after-write "paradox" indicates a missing
happens-before edge, not a timing problem.
Capture the build-invisible/publish/reclaim discipline for mutating
RCU-read structures: what makes a node observable (forward, backward
and secondary-index channels), why allocation failure must stay in the
invisible phase, publish-ordering rules for reader consistency, and the
anti-patterns (mutate-then-rollback, wiring clusters via read-side
recovery) that lead to use-after-free. Includes a worked
compressed-split example.
Condense the isc_mem/isc_mempool contract into agent guidance: the two
allocation families and why mixing them detonates the inuse INSIST at
context destroy, the pointer-NULLing put/free macros, water-mark and
striped-statistics behavior, ISC_MEM_DEBUG* facilities, and mempool
locking/ASAN caveats. Ends with a review checklist for allocation code.
fix: usr: Properly prevent TSIG generation command line injection attacks
When key names are generated with `rndc-confgen`, `tsig-keygen` and `ddns-confgen`, special characters must be escaped to ensure the configuration is parsed correctly.
Closes #6071
Merge branch '6071-allow-all-valid-keynames' into 'main'
Mark Andrews [Tue, 7 Jul 2026 01:02:34 +0000 (11:02 +1000)]
Update tests_rndc_confgen.py to show escaped double quotes
The old INJECTION string was failing due to not being a valid
DNS name providing a false assertion that injections where
no longer possible. Shorten it to fit in a single label then
check that it is properly escaped to prevent the injection attack.
Mark Andrews [Tue, 5 May 2026 01:54:35 +0000 (11:54 +1000)]
Allow all valid key names
TSIG keys names need to be able to be set to any valid name so that
update self rules can work for any valid name. Restore this ability
to the key generating tool while preventing rndc.conf and named.conf
from being compromised due to specially crafted key names.
Mark Andrews [Mon, 6 Jul 2026 02:59:50 +0000 (12:59 +1000)]
Add DNS_NAME_QUOTED flag for dns_name_totext()
Names that are to be printed within a pair of double quotes,
(for example, in named.conf), don't need spaces and special
characters to be fully escaped.
fix: usr: Ensure NSEC authority does not cross zonecut boundary
When using a cached NSEC record to prove that a delegation is insecure,
we now check that the signer name in the corresponding RRSIG is not
above a known secure delegation point. This prevents a signed namespace
from being downgraded to insecure using an NSEC record from the
grandparent zone.
Alessio Podda [Thu, 4 Jun 2026 14:40:03 +0000 (16:40 +0200)]
Add a system test for the grandparent NSEC downgrade
A resolver must not accept an NSEC or NSEC3 record signed by a zone
above a known secure delegation as proof that the delegation is
insecure. Otherwise anyone able to answer for the grandparent can
downgrade the signed namespace below it and serve forged, unsigned
records for any name in it.
Checking for SERVFAIL alone would not pin this down: a resolver that
rejects the forged proof but keeps walking down fails too, on the
unvalidatable answer it meets further along. The tests therefore
assert the refusal itself -- it is logged, and no DS query for a name
below the forged proof ever reaches the authoritative server -- and
they do so both for a proof fetched on demand and for one already in
the cache.
Evan Hunt [Fri, 22 May 2026 02:34:00 +0000 (19:34 -0700)]
Ensure NSEC authority does not cross zonecut boundary
When using a cached NSEC record to prove that a delegation is insecure,
we now check that the signer name in the corresponding RRSIG is not
above a known secure delegation point. This prevents a signed namespace
from being downgraded to insecure using an NSEC record from the
grandparent zone.
chg: dev: Pass the work callback result to the done callback
The `isc_work` callback now returns `isc_result_t` and the value is
handed to the done callback, so the callers no longer need their own
result-passing state.
Merge branch 'ondrej/pass-result-from-work-callback' into 'main'
Pass the work callback result to the done callback
The isc_work callback returned void, so every user that cared about
the outcome of the offloaded work had to smuggle it through its own
context state (xfrin_work_t, the catz/rpz updateresult fields, result
members in the dump/load/checksig contexts). Make the work callback
return isc_result_t and have isc_work deliver that value to the done
callback.
fix: usr: Prevent aborts during expired cache dumps
Running rndc dumpdb -expired could cause named to abort when the cache contained internal deletion markers for records that had already been removed. BIND now skips those markers when preparing expired cache dumps, so the dump includes only real cached records and completes normally.
Closes #6064
Merge branch '6064-skip-nonexistent-headers' into 'main'
Add a regression test that deletes a cached rdataset and then walks
all rdatasets with expired entries allowed. The iterator must report no
datasets for the deleted type rather than exposing the tombstone.
The cache rdataset iterator must never bind delete tombstones, even
when expired cache entries are requested for dumpdb. Treat non-existent
slab headers as inactive so expired dumps cannot expose headers without
a backing rdataslab.
Remove prereq.sh support from the system test runner
With every prereq.sh converted to pytest markers, the conftest
fixture no longer needs to locate and run a per-directory prereq.sh.
Drop check_prerequisites() and the README entry for the file.
The libxml2/json-c requirement becomes with_libxml2_or_json_c. The
stale Net::DNS check and the core-Perl File::Fetch check are dropped
rather than carried over.
Nicki Křížek [Tue, 30 Jun 2026 14:53:10 +0000 (14:53 +0000)]
Move Perl-module prereq.sh checks to pytest markers
fetchlimit and nsupdate still invoke ungated Perl helpers that
need Net::DNS (ditch.pl, packet.pl); reclimit and serve_stale
still run Perl ans.pl servers needing Net::DNS::Nameserver and
Time::HiRes. Replace the directory-scoped prereq.sh with new
runtime-probing markers applied only to the tests.sh wrappers
that actually run the Perl code -- native pytest modules in the
same directory (e.g. nsupdate) no longer skip when these modules
are absent.
fix: usr: Negative caching stopped working with stale-answer-client-timeout 0
With "stale-answer-client-timeout 0" configured, every client query for a
name cached as NXDOMAIN or NODATA was sent on to the authoritative servers,
even while the cached negative answer was still within its TTL, so the
resolver effectively lost negative caching. Negative answers are now
refreshed only once they have actually gone stale.
Closes #6245
Merge branch '6245-fix-query_stale_refresh_ncache' into 'main'
Test that a fresh negative cache entry is not refreshed
The existing serve-stale tests all use negative answers with a two
second TTL, because they are there to exercise stale data. Nothing
covered the far more common case of a negative answer that is still
fresh, which is how the needless refresh went unnoticed.
ans2 grows a NODATA and an NXDOMAIN name backed by a SOA with a 600
second TTL and MINIMUM, so the cached entry cannot go stale while the
test runs, and the test counts the queries that reach ans2: priming the
cache may send one, the repeated client queries must send none.
Only refresh negative cache entries that are actually stale
query_ncache() always passed a NULL rdataset to query_stale_refresh(),
which reads NULL as "this RRset is stale". NULL is only meaningful for
the DNS64 caller, whose rdataset has already been detached by the time
the answer is turned into an NXDOMAIN; everywhere else a perfectly fresh
negative cache entry was taken for a stale one.
With stale-answer-client-timeout 0 the staleness check is the only gate
left on the refresh, so every client query for a cached NXDOMAIN or
NODATA name started another fetch and negative caching stopped having
any effect.
The OID printed in the "; alg = ..." comment of a PRIVATEOID KEY,
DNSKEY, CDNSKEY or RKEY record was truncated to sixteen characters:
1.2.840.113549.1.1.11 came out as 1.2.840.113549.1. Only the comment
was ever affected, never the record itself.
fix: dev: Fix a crash when resolving names below a cached DNAME
A recursive resolver could crash when it answered a query for a name beneath a
cached DNAME while that same DNAME record was concurrently refreshed or evicted
from the cache.
Closes #6182
Merge branch '6182-qpcache-dname-zonecut-uaf' into 'main'
check_dname() cached the DNAME header and its RRSIG in the search block
and dropped the node lock holding only a node reference. Since cache
headers became reference counted and are freed synchronously, and
delegation adds no longer take the tree write lock, a concurrent refresh
or eviction can free the header before setup_delegation() reads it. Take
a reference on the headers in check_dname() and release it once the
lookup finishes.
chg: dev: Support larger DNSSEC keys and signatures
Some DNSSEC tools and trust-anchor handling could fail when
working with unusually large DNSSEC keys or signatures,
including those used by post-quantum algorithms. These paths
now accept DNSKEY, CDNSKEY, CDS, and RRSIG data up to the DNS
record size limits, so large key material can be parsed, written,
checked, and signed consistently.
Merge branch 'ondrej/dynamic-dnssec-buffers' into 'main'
Remove the fixed DST_KEY_MAXSIZE limit from key parsing paths
The buffers receiving DNSKEY (and SKR resource record) rdata parsed
from text or wire form were sized by DST_KEY_MAXSIZE (1280 octets),
which is too small for post-quantum public keys. Parse into
DNS_RDATA_MAXLENGTH sized buffers instead, which cannot be exceeded
by construction, and drop the DST_KEY_MAXSIZE and DST_KEY_MAXTEXTSIZE
constants that no longer have any users.
Size RRSIG rdata buffers by the maximum rdata length
The buffers receiving the RRSIG rdata built by dns_dnssec_sign() were
fixed-size arrays (1024 or 2048 octets), which is too small for
post-quantum signatures. Use DNS_RDATA_MAXLENGTH sized buffers
instead, which no RRSIG rdata can exceed by construction.
Size DNSKEY rdata buffers by the maximum rdata length
Post-quantum signature algorithms have public keys that do not fit
into the fixed DST_KEY_MAXSIZE (1280 octets) buffers used when
converting a dst_key to DNSKEY rdata. Use DNS_RDATA_MAXLENGTH sized
buffers instead, which no DNSKEY rdata can exceed by construction.
Cover exact-name NODATA synthesis from a pending NSEC
The #5872 reproducer plants a covering NSEC that is rejected inside the
cache (find_coveringnsec), so it never reaches the trust check on the
exact-match NODATA branch of query_coveringnsec(). This adds a companion
case: an NSEC owned by the victim name itself, injected at pending trust
via a CD=1 query, is returned by the cache as a NODATA proof for the
exact node and must not be used to synthesize a NODATA that would deny
the victim's real A record.
Reuses the f004.test fixture with a victim-owned forged NSEC.
Colin Vidal [Wed, 8 Jul 2026 09:03:52 +0000 (11:03 +0200)]
fix: dev: Detect UTF-16 surrogates in `isc_utf8_valid()`
UTF-8 standard forbid usage of unicode character between the range of
0xD800..0xDFFF (reserved, and used as UTF-16 surrogates, see RFC 3629).
However, `usc_utf8_valid()` was not checking if the encoded unicode
character was in this range, which then would accept invalid UTF-8
strings. This is now fixed.
Closes #6151
Merge branch '6151-utf16-surrogates-detection' into 'main'