chg: dev: Change NSEC3 and NSEC3PARAM rdata struct fields to use isc_region_t
Replace the separate pointer+length field pairs in the NSEC3 and NSEC3PARAM rdata structures (salt/salt_length, next/next_length, typebits/len) with isc_region_t, making the fields self-describing and eliminating a class of length-mismatch bugs.
Merge branch 'ondrej/change-nsec3-and-nsec3param-to-use-isc_region_t' into 'main'
Ondřej Surý [Tue, 24 Feb 2026 12:30:56 +0000 (13:30 +0100)]
Change NSEC3 and NSEC3PARAM struct fields to use isc_region_t
Replace the separate pointer+length field pairs in dns_rdata_nsec3_t
(salt/salt_length, next/next_length, typebits/len) and
dns_rdata_nsec3param_t (salt/salt_length) with isc_region_t. This
makes the structs self-describing and eliminates a class of
length-mismatch bugs.
The dns_zone_setnsec3param() signature is updated to take
isc_region_t *salt instead of separate saltlen and salt arguments.
Function signatures for dns_nsec3_addnsec3, dns_db_getnsec3parameters,
and related internal functions still use separate pointer+length pairs
and should be updated in a follow-up.
The system test was also subject to the same off by one bug that also
existed in the code. That is: if the inception time of the signature
is exactly equal to the inactive time of the key, we still have to
expect the signature.
This specific test case triggered a bug where the SKR included bundles
with unsigned DNSKEY RRsets (signatures where omitted because the
inception time was equal to the inactive time of the key).
If the inception time of the signature is exactly equal to the
inactive time of the key, still include the signature. Otherwise there
may be corner cases where signatures are omitted erroneously.
Matthijs Mekking [Thu, 19 Mar 2026 15:23:59 +0000 (16:23 +0100)]
Return void in functions that cannot fail
dns_zone_getloadtime(), dns_zone_getexpiretime(),
dns_zone_getrefreshtime(), and dns_zone_getrefreshkeytime()
cannot fail, so return void instead of ISC_R_SUCCESS.
Matthijs Mekking [Thu, 19 Mar 2026 14:59:59 +0000 (15:59 +0100)]
Lock zone when checking for inline raw/secure
The caller is supposed to hold the zone lock for 'inline_raw()' and
'inline_secure()', but when adding 'REQUIRE(LOCKED_ZONE(zone));' to
these functions it turned out to be not always the case.
Matthijs Mekking [Thu, 19 Mar 2026 13:56:43 +0000 (14:56 +0100)]
Move zone set/get properties to own source file
In order to make zone.c more readable, we are splitting it up in
separate source files. This moves the set and get functions to its
own file ("zoneproperties.c").
Since this code accesses the zone structure directly, move the
'struct dns_zone' and its prerequisites to "zone_p.h".
The helper functions 'inline_raw()', 'inline_secure()',
'dns_zone_setview_helper()', 'zone_settimer(), 'set_resigntime()', and
'zone_freedbargs()' need to be internally accessible to both source
files.
fix: usr: Fix rndc modzone behavior for a zone in named.conf
If a zone was present in the configuration file and not originally added by `rndc addzone`, `rndc modzone` for that zone would succeed once but subsequent `modzone` attempts would fail. This has been fixed.
Closes #5826
Merge branch '5826-fix-subsequenrt-rndc-modzone' into 'main'
In the rare case where a catalog zone member is being modified with
'rndc modzone', also mark the zone as modded, so when the zone is
deleted again with 'rndc delzone', the configuration is also removed
from the NZD.
Matthijs Mekking [Tue, 31 Mar 2026 12:46:19 +0000 (14:46 +0200)]
Test restart works after rndc modzone
When a zone that is configured in named.conf is modified with
'rndc modzone', the new zone configuration is now also stored in the
NZD. Add a test to ensure that after a restart, the old zone
configuration is used.
Matthijs Mekking [Tue, 24 Mar 2026 16:02:36 +0000 (17:02 +0100)]
Add the modified zone configuration to NZD
When a zone that is configured in named.conf is modified with
'rndc modzone', the zone configuration is deleted from the effective
config. Store the new configuration in the NZD. Mark the zone
as 'modified by rndc modzone'. Otherwise, subsequent calls to
'rndc modzone' would fail because the zone configuration cannot be
found.
JINMEI Tatuya [Tue, 24 Mar 2026 15:57:49 +0000 (16:57 +0100)]
Test rndc modzone succeeds twice for a zone in named.conf
If a zone is in named.conf, not originally added by rndc addzone,
rndc modzone for that zone succeeds once, but subsequent modzone
attempts fail. This is because do_modzone removes the zone config
from global or view options, but it would fail due to 'not found'
once the config is removed.
Colin Vidal [Thu, 2 Apr 2026 07:17:17 +0000 (09:17 +0200)]
fix NULL dereference in dns_view_bestzonecut()
When `dns_view_bestzonecut()` is called with a NULL `delegsetp`, it
calls `bestzonecut_zone()` with a NULL `rdataset` pointer but there is a
non-guarded de-reference of the `rdataset` pointer in
`bestzonecut_zone()`.
In practice, the only current situation where `dns_view_bestzonecut()`
is called with NULL `delegsetp` is from a case of `seek_ds()` _and_ the
non-guarded dereference occurs only if there is a static-stub local
zone matching the zonecut `seek_ds()` is looking for. It's unclear if
such flow is actually possible.
The `rdataset` is now always valid inside `dns_view_bestzonecut()`. (It
was initially set only if `delegsetp` was set to avoid extra works in
the qpzone, which can be skipped when `rdataset` is NULL, but this
doesn't really make a difference, considering we are in a slow path
considering the result wasn't found in this case.)
Colin Vidal [Thu, 2 Apr 2026 09:51:25 +0000 (11:51 +0200)]
fix: dev: remove deadcode in `query_addbestns()`
The local variable `zfname` was released in the cleanup part of the
function if not NULL, but it turns out it is now always NULL at that
point.
The flow can get to that part only in two cases: either `zfname` is not
NULL, and then it's ownership is moved to a different variable (thus, it
is now NULL), or `zfname` is already NULL.
Removing the bit of deadcode releasing it.
Merge branch 'colin/fix-getbestns-deadcode' into 'main'
Colin Vidal [Thu, 2 Apr 2026 08:48:41 +0000 (10:48 +0200)]
remove deadcode in `query_addbestns()`
The local variable `zfname` was released in the cleanup part of the
function if not NULL, but it turns out it is now always NULL at that
point.
The flow can get to that part only in two cases: either `zfname` is not
NULL, and then it's ownership is moved to a different variable (thus, it
is now NULL), or `zfname` is already NULL.
python -m pip install -r https://gitlab.isc.org/isc-projects/bind9/-/raw/main/doc/arm/requirements.txt
ERROR: Ignored the following yanked versions: 8.3.0
ERROR: Ignored the following versions that require a different python version: 9.1.0 Requires-Python >=3.12; 9.1.0rc1 Requires-Python >=3.12; 9.1.0rc2 Requires-Python >=3.12
ERROR: Could not find a version that satisfies the requirement Sphinx==9.1.0 (from versions: 0.1.61611, ..., 9.0.4)
ERROR: No matching distribution found for Sphinx==9.1.0
Merge branch 'mnowak/revert-sphinx-9.1.0' into 'main'
python -m pip install -r https://gitlab.isc.org/isc-projects/bind9/-/raw/main/doc/arm/requirements.txt
ERROR: Ignored the following yanked versions: 8.3.0
ERROR: Ignored the following versions that require a different python version: 9.1.0 Requires-Python >=3.12; 9.1.0rc1 Requires-Python >=3.12; 9.1.0rc2 Requires-Python >=3.12
ERROR: Could not find a version that satisfies the requirement Sphinx==9.1.0 (from versions: 0.1.61611, ..., 9.0.4)
ERROR: No matching distribution found for Sphinx==9.1.0
fix: usr: Use the zone file's basename as origin in DNSSEC tools
In `dnssec-signzone` and `dnssec-verify`, when the zone origin is not specified using the `-o` parameter, the default behavior is to try to sign using the zone's file name as the origin. So, for example, `dnssec-signzone -S example.com` will work, so long as the file name matches the zone name.
This now also works if the zone is in a different directory. For example, `dnssec-signzone -S zones/example.com` will set the origin value to `example.com`.
Evan Hunt [Wed, 10 Dec 2025 00:52:44 +0000 (16:52 -0800)]
use the zone file's basename as origin in dnssec tools
In dnssec-signzone and dnssec-verify, if the zone origin is not
specified using the `-o` parameter, the default behavior is to try
to use the zone's file name as the origin. So, for example,
`dnssec-signzone -S example.com` or 'dnssec-verify example.com'
will work, so long as the file name matches the zone name.
This now also works if the zone is in a different directory.
For example, `dnssec-signzone -S zones/example.com` or
'dnssec-verify zones/example.com' will set the origin value
to `example.com`.
Check for existing TSIG keys before accepting a new
GSS-API negotiation and delete the key if it has expired.
Previously, an expired GSS key would permanently block
re-negotiation for that name until the server was restarted.
Merge branch 'ondrej/cleanup-gssapi-and-tkey-api' into 'main'
Ondřej Surý [Fri, 20 Mar 2026 07:43:28 +0000 (08:43 +0100)]
Add regression test for RFC 3645 Section 4.1.1 duplicate TKEY name
Add 'tkeyname' command to nsupdate to allow specifying a fixed TKEY
name instead of the default random one. This is used by the test to
send two GSS-API TKEY negotiations with the same name.
After a successful GSS-API TKEY negotiation via nsupdate -g, a second
attempt with the same TKEY name must be rejected with BADKEY
(error=17), not BADNAME (error=20).
Ondřej Surý [Wed, 18 Mar 2026 00:01:34 +0000 (01:01 +0100)]
Fix GSS context leak on error paths in process_gsstkey()
After gss_accept_sec_context() succeeds, the GSS context is passed
to dst_key_fromgssapi() which transfers ownership to the dst_key.
If a subsequent operation fails (dst_key_fromgssapi itself,
dns_tsigkey_createfromkey, or dns_tsigkeyring_add), the cleanup
label frees the dst_key but only if it was created. If the failure
happened before dst_key_fromgssapi, the GSS context was orphaned.
Delete the GSS context in the cleanup path when it was not
transferred to a dst_key.
Ondřej Surý [Wed, 18 Mar 2026 00:00:39 +0000 (01:00 +0100)]
Fix GSS context leak when principal name is empty
When gss_accept_sec_context() completes successfully but
gss_display_name() returns an empty principal, the GSS context
was leaked — it was neither stored in a key nor deleted.
Delete the context and reject with BADKEY in this case. This
should only occur due to a GSS library bug, since a completed
context should always have a valid principal.
Ondřej Surý [Tue, 17 Mar 2026 23:28:04 +0000 (00:28 +0100)]
Fix off-by-one in TSIG generated key eviction
Use pre-increment (++ring->generated) instead of post-increment
(ring->generated++) so the comparison against DNS_TSIG_MAXGENERATEDKEYS
happens after counting the new key. With post-increment, one extra key
beyond the limit was allowed before eviction kicked in.
Michal Nowak [Tue, 31 Mar 2026 15:36:38 +0000 (17:36 +0200)]
new: doc: Prepare documentation for BIND 9.21.21
I asked Claude to prepare the "Tweak and reword release notes" (663dba18f3015aefe178ba8b4790c7180f943c74) commit with the following guidance:
> add RST markup to @doc/notes/notes-9.21.21.rst. possible RST markups are to be found in @doc/arm/. if in doubt look at previous release notes in @doc/notes/. while at it, fix grammar and make sure the text is aligned to max 72 characters.
It did better that I'd do.
Merge branch 'mnowak/prepare-documentation-for-bind-9.21.21' into 'v9.21.21-release'
Alessio Podda [Tue, 31 Mar 2026 15:17:43 +0000 (15:17 +0000)]
chg: dev: Add a refcount to the vecheaders
This MR changes the way the ownership of the vecheaders is tracked. Before this MR, the ownership of the vecheader was implicitely tracked through a mix of the refcount on the node owning the header, the external refcount of the same node and the version. This has some adverse consequences in terms of contention, such as that querying A and AAAA glue hits the same refcount.
This MR adds a refcount to the vecheader itself, allowing it to exist independently of the node it is contained in. On its own, this would create a cycle, where the node has a reference to the header, which has a reference to the heap, which in turn has a reference to the node.
To break this cycle, this MR also moves from an "intrusive" heap, to a more traditional one where pointers to the node and vecheader in the heap are stored in a hashmap.
Alessio Podda [Thu, 5 Mar 2026 14:24:01 +0000 (15:24 +0100)]
Fix benign race condition
The dns_rdatavec_subtractrdataset function would copy the old header
using memmove but the old header includes fields such as trust and
reference counts that are atomic.
While the values of those fields were never used, it did cause a benign
race condition. This commit refactors dns_rdatavec_subtractrdataset and
dns_rdatavec_merge not to use memmove.
Alessio Podda [Mon, 2 Mar 2026 12:52:02 +0000 (13:52 +0100)]
Remove node and db pointer from dns_rdataset_t.vec
Now that we track the references at the vecheader level, binding an
rdataset is no longer guaranteed to keep its node alive. Therefore
remove the node pointer from the rdataset, and instead decide whether
glue is required by explicitely passing the owner name to addglue.
Alessio Podda [Thu, 18 Dec 2025 00:37:53 +0000 (01:37 +0100)]
Add hashmap to qpz_heap
This commit adds a level of indirection to the signing operations.
Instead of being intrusive, the qpz_heap will keep track of which
headers must be resigned through a hashmap.
The intent is to make dns_vecheader_t entirely self-contained. In
particular, the ownership structure between the heap and the headers is
flipped. Before, the headers would "own" the heap, now the heap owns
the header.
Alessio Podda [Wed, 17 Dec 2025 23:54:24 +0000 (00:54 +0100)]
Refactor setsigningtime
Change setsigningtime to take the node of the header being changed.
Done to facilitate further refactoring that will remove the header
pointer from vecheader.
Alessio Podda [Wed, 17 Dec 2025 23:54:48 +0000 (00:54 +0100)]
Extract heap deregistration
This commit changes the deregistration of vecheaders from the heap to
go through a private api instead of the dyndb public one. This is safe
since vecheader is only used by qpzone.
This is done in order to facilitate further refactoring.
Aydın Mercan [Tue, 31 Mar 2026 13:07:05 +0000 (16:07 +0300)]
fix: dev: include <sys/endian.h> according by checking in meson
The <sys/endian.h> header has existed in macOS since around ~26. This
causes the `htobeNN`/`htoleNN` macros to be redefined in <isc/endian.h>
in terms of <libkern/OSByteOrder.h> when other system headers include
<sys/endian.h>.
Fix this issue by using checking for the existence of <sys/endian.h> in
meson and including it according to the probe result.
Merge branch 'aydin/isc-endian-macos-fix' into 'main'
Aydın Mercan [Wed, 25 Mar 2026 13:28:48 +0000 (16:28 +0300)]
include <sys/endian.h> according by checking in meson
The <sys/endian.h> header has existed in macOS since around ~26. This
causes the `htobeNN`/`htoleNN` macros to be redefined in <isc/endian.h>
in terms of <libkern/OSByteOrder.h> when other system headers include
<sys/endian.h>.
Fix this issue by using checking for the existence of <sys/endian.h> in
meson and including it according to the probe result.
Busy resolvers will now gradually fill the configured :any:max-cache-size
before entries start being evicted. Previously, expired records were
proactively removed based on their TTL, which kept memory usage below the
configured limit but added overhead. Cache eviction now relies solely on the
SIEVE-LRU mechanism, which has matured to the point where TTL-based cleaning
is no longer necessary.
Setting :any:max-cache-size to unlimited or 0 is no longer supported
and falls back to the default (90% of physical memory).
Merge branch 'ondrej/no-ttl-based-cleaning' into 'main'
Ondřej Surý [Mon, 30 Mar 2026 09:54:34 +0000 (11:54 +0200)]
Remove the dead dns_expire_ttl code path and deletettl stats counter
Now that TTL-based cleaning has been removed, the dns_expire_ttl enum
value, its switch case in expireheader(), and the deletettl stats counter
(text, XML, JSON) are all dead code. Remove them so the stats channel
no longer reports a permanently-zero counter.
Ondřej Surý [Sat, 14 Mar 2026 08:45:05 +0000 (09:45 +0100)]
Move ADB TTL-based cleanup into dump_adb()
Instead of doing a full sweep of all names and entries before dumping,
expire stale entries lazily as they are encountered during the dump
iteration. This aligns with the QPcache approach of avoiding separate
TTL-based cleaning passes.
dns_adb_flush() retains its explicit full sweep since it needs to
force-expire everything.
Ondřej Surý [Thu, 19 Feb 2026 09:24:13 +0000 (10:24 +0100)]
Raise the minimum cache size to 8 MB, warn below 256 MB
Lower the hard floor for max-cache-size from 2 MB to 8 MB to support
resource-constrained environments (e.g. CPE devices) while remaining
safe for LRU-only eviction.
Ondřej Surý [Thu, 19 Feb 2026 09:03:45 +0000 (10:03 +0100)]
Refactor the 'max-cache-size' configuration handling
Extract the inline max-cache-size logic from configure_view() into
reusable helpers: configure_max_cache_size(), default_max_cache_size(),
max_cache_size_as_percent(), and sanitized_max_cache_size().
Move DNS_CACHE_MINSIZE and DNS_ADB_MINADBSIZE to public headers and
remove the SIZE_AS_PERCENT sentinel.
Ondřej Surý [Wed, 14 Jan 2026 15:35:27 +0000 (16:35 +0100)]
Remove the heap memory context from QPcache
The heaps have been removed, so the separate heap memory context
(hmctx) is no longer needed. Remove it from both dns_cache and
dns_qpcache, along with the HeapMemInUse statistics.
Ondřej Surý [Wed, 14 Jan 2026 12:17:30 +0000 (13:17 +0100)]
Remove useless .expire initialization from rdataslab
dns_rdataslab_fromrdataset() set .expire to rdataset->ttl, but the
only consumer (qpcache_addrdataset) immediately overwrote it with
now + rdataset->ttl. Remove the redundant initialization and set the
expire time only once.
Colin Vidal [Mon, 30 Mar 2026 19:45:03 +0000 (21:45 +0200)]
chg: usr: Parent-centric resolver
The `named` resolver now uses a separate "delegation database" to store zone referral data instead of the DNS cache. This new database holds the NS RRset on the parent side of a zone cut, as well as necessary glue records that were included in the referral. The NS RRset from the child side is cached in the DNS cache and is not used for name resolution.
This will be a step toward simplifying resolver logic and also supporting DELEG referrals.
Colin Vidal [Mon, 30 Mar 2026 13:37:52 +0000 (15:37 +0200)]
resolver tests: set 3MB cache size
The default max-cache-size on the system test being enforced to 2MB
(from the -T switch). It means the main cache size is 6/8 of it (1/8
being reserved for ADB and 1/8 for the delegation database).
However, the minimal cache size of the main cache is 2MB, which means
that the main cache size will actually be 2MB anyway when running the system tests.
This was breaking some resolver tests were failing because when the
cache was shared and named reload, the previous cache size was, indeed,
2MB whereas the newly requested size only 6/8 of it (that happened
before the size is bumped to the minimal value).
Set the ns1 of resolver tests max cache size of 3MB, so even 6/8 of the
max cache size is more than the minimum 2MB of the main cache size,
which enable to keep the shared cached between views for this test
between reloads.
Colin Vidal [Mon, 30 Mar 2026 12:49:28 +0000 (14:49 +0200)]
cache memory adjustements
The delegation DB now uses the same amount of memory than ADB, which is
1/8 of the `max-cache-size`.
The main cache database, instead of using `max-cache-size`, now use the
"remaining" part of it, after the delegation DB and ADB took their part,
so 6/8.
This avoid blowing up the host memory, typically when specifying
`max-cache-size 95%`, as the global cache usage would go way ahead 100%.
Colin Vidal [Fri, 27 Mar 2026 12:12:17 +0000 (13:12 +0100)]
Add RPZ NSDNAME test
Add a simple case (i.e. not relying on zone being generated during the
test) ensuring that RPZ NSDNAME rules are correctly applied using the
parent-centric resolver.
Colin Vidal [Fri, 27 Mar 2026 15:00:25 +0000 (16:00 +0100)]
test for auth+res server and glues in delegation
When a resolver+auth server has a delegation on a local zone and has a
glue, the glue can only be for in-domain NS.
In this case, when the resolver is looking at the zonecut,
`dns_view_bestzonecut()` synthesizes a delegset from an NS rdataset
found in the local zone (the delegation inside auth zone), and ignores
the glues if any.
As a result, the delegset will contain a single delegation of type
DNS_DELEGTYPE_NS_NAMES, which leads to an ADB fetch. But it's actually an
in-memory fetch, because in this case, the fetch will immediately find
the A/AAAA glues from the local zone.
An alternative approach (not chosen here) would be to make
`dns_view_bestzonecut()`, when converting an NS rdataset into a
`dns_deleg_t`, check for glues for the delegation in the auth zone, and
add those in the `dns_deleg_t`. The delegation would be of type
DNS_DELEGTYPE_NS_GLUES which would avoid the ADB name lookup.
However, that's extra code, extra logic and complexities, for a lookup
that will be done in memory anyway, just a bit later. So for now, this
is not implemented that way.
The test is added, however, to confirm that there is no attempt from the
resolver to get the NS fron the child zone.
Evan Hunt [Sat, 21 Mar 2026 04:45:29 +0000 (21:45 -0700)]
remove find_deepest_zonecut() from qpcache
because the cache no longer stores delegation (parent-side) NS rrsets,
and authoritative (child-side) NS rrsets don't affect recursion,
it no longer makes sense for qpcache_find() to look for NS rrsets
and return DNS_R_DELEGATION. that code has been removed.
the cache still does search for covering DNAME records. the
check_zonecut() function has been renamed to check_dname() for clarity.
related changes:
- one test case has been removed from the mirror system test, because it
tested the behavior of a cached delegation.
- query_checkrrl() and rpz_rrset_find() have been updated so they no
longer expect cache responses to have DNS_R_DELEGATION response codes.
Colin Vidal [Mon, 30 Mar 2026 09:22:32 +0000 (11:22 +0200)]
Dump delegation database in 'rndc dumpdb'
When dumping the cache, include the contents of the delegation
database. Add a new 'rndc dumpdb -deleg' option, which dumps
the delegation database exclusively.
While the delegation database dumping format mimic the zone file format,
the API does not use the `dns_master_style_t` configuration (i.e. to
specify how many spaces/tab are used between each RR fields), because
the generic API handling this relies on databse using `dns_rdataset_t`
as internal storage format. This can be improved later.
Ondřej Surý [Sat, 14 Mar 2026 09:10:34 +0000 (10:10 +0100)]
Add invariant check for delegset in rctx_nextserver()
The get_nameservers path in rctx_nextserver() is only reachable from
rctx_referral(), which already detaches fctx->delegset. Assert that
it is NULL rather than redundantly detaching it, since
dns_view_bestzonecut() requires *delegsetp == NULL.
Ondřej Surý [Sat, 14 Mar 2026 07:20:43 +0000 (08:20 +0100)]
Guard against NULL delegset in query_delegation_recurse()
If both dns_view_bestzonecut() and dns_deleg_fromrdataset() fail,
delegset stays NULL. Passing it to ns_query_recurse() would crash
on the REQUIRE(DNS_DELEGSET_VALID(delegset)) in createfetch().
Return ISC_R_NOTFOUND instead, which lets the caller handle the
failure gracefully.
Ondřej Surý [Sat, 14 Mar 2026 07:20:05 +0000 (08:20 +0100)]
Clean up frdataset in resume_dslookup() on shutdown
When resume_dslookup() receives ISC_R_SHUTTINGDOWN or ISC_R_CANCELED,
frdataset (fctx->nsrrset) was not disassociated. While fctx__destroy()
eventually cleans it up, leaving it associated keeps the underlying DB
node referenced longer than necessary.
Evan Hunt [Tue, 3 Mar 2026 06:29:20 +0000 (22:29 -0800)]
Fix fetchlimit test failure
When a referral lookup is triggered by a QMIN query, it should be
exempt from the fetches-per-zone limit just as the QMIN query itself
is.
Also restart the test server between the fetches-per-server and
fetches-per-zone tests so that leftover statistics from the former
do not pollute the latter.
Another fix is because zone spills and general query drops are no longer
in a strict >= relation (on a parent-centric resolver), so check that
both counters are non-zero instead.
Evan Hunt [Tue, 3 Mar 2026 02:12:33 +0000 (18:12 -0800)]
Fix chain system test for parent-centric resolver
The resolver now uses glue addresses from the parent side of a
zonecut without triggering an additional address lookup. Update the
test involving a nameserver target name below a DNAME so that the
delegation does not use glue.
Colin Vidal [Fri, 27 Feb 2026 16:07:31 +0000 (17:07 +0100)]
Do not cache NS from referral in negative responses
Stop storing the NS referral into the main cache when processing a
negative response. These records are already cached in the delegation
database and are not needed elsewhere.
Update dnssec tests that relied on parent-side NS RRsets being
returned in recursive query responses.
Colin Vidal [Thu, 19 Feb 2026 15:56:10 +0000 (16:56 +0100)]
Fix cacheclean system test for parent-centric resolver
The ADB flushtree test was failing because the test zone
(flushtest.example.) uses an in-domain nameserver with parent glue,
so the ADB cache was never populated.
Add a new zone with an out-of-domain nameserver to force an ADB
lookup and ensure the flushtree test exercises the intended code
path.
Colin Vidal [Wed, 18 Feb 2026 15:05:19 +0000 (16:05 +0100)]
Use delegdb for lookup in query_delegation_recurse()
When `query.c` finds a zonecut in the main cache (e.g. from stale NS
records), it must still use the correct delegation for recursion. Look
up the delegation DB via `dns_view_bestzonecut()` first; fall back to
`dns_deleg_fromrdataset()` only if no delegation is found.
This might also be done inside `query_lookup()` instead, with the `qctx`
holding a delegset property, but that approach needs further work to
avoid breakage and it is not clear so far if there would be other use
case of it. Current approach is simpler for now.
Colin Vidal [Wed, 18 Feb 2026 15:04:04 +0000 (16:04 +0100)]
Simplify resolver delegation expiry test
Remove the dynamic NS update loop from the delegation expiry test.
With the delegation DB, it is sufficient to wait for the delegation
to expire (after 5 seconds) and verify that names below the removed
zone return NXDOMAIN.
Evan Hunt [Wed, 11 Feb 2026 21:56:59 +0000 (13:56 -0800)]
Fix tests for parent-centric resolver behavior
In 'additional', pre-cache the A RRset for ns1.rt.example so the
additional-data handling in the cache can be tested; previously this
was cached as part of resolution, but now must be queried explicitly.
In 'cookie', pre-cache an NS to prevent a QMIN query from distorting
log results and causing a test failure.
In 'resolver', increase the expected query count in the timeout test.
Colin Vidal [Wed, 11 Feb 2026 13:47:51 +0000 (14:47 +0100)]
Fix qmin test with parent-centric resolver
Remove expected queries for ns2 addresses (and ns.b.stale.) from the
qmin system test. The parent-centric resolver no longer attempts to
get the child-side NS of the delegation, so these queries do not
occur.
Colin Vidal [Tue, 10 Feb 2026 15:08:36 +0000 (16:08 +0100)]
update camp system test max-query-count
As named is now parent-centric, the global query count can be lower (in
particular for queries which has a long delegation chain), as the
resolver doesn't proactively resolve an NS name when a glue is provided
by the parent-side of a zonecut.
Update camp system test to lower the max-query-count of ns9, to ensure
the max-query-count limit enforcement is still working.
Colin Vidal [Mon, 30 Mar 2026 09:45:15 +0000 (11:45 +0200)]
Resolver is parent-centric
The resolver now uses glue addresses from `dns_deleg_t` objects stored
in the delegation database. The main cache is still used for ADB A/AAAA
lookups when no glue is available for a nameserver name.
The resolver's `fctx_getaddresses()` is refactored to, for each
delegation of the delegation set, try to get the address-based finds,
then nameserver name lookups. (Later, the logic to handle DELEG
`include-delegparm=` will be hooked there too.)
Colin Vidal [Sat, 28 Mar 2026 09:02:22 +0000 (10:02 +0100)]
Add dns_adb_createaddrinfosfind() for address-based lookups
Add a new ADB API function that creates a find from a list of addresses
rather than by looking up nameserver names. This enables the resolver
to handle address-based delegations (NS-based with glues or DELEG with
addresses) and name-based delegations uniformly (i.e. the list of finds
from ADB is handled the same way no matter the type of the delegation).
projects / thirdparty / bind9.git / log
