Aram Sargsyan [Thu, 2 Oct 2025 12:52:12 +0000 (12:52 +0000)]
Fix dnssec-keygen key collision checking for KEY rrtype keys
When generating a new key, dnssec-keygen checks for possible
key ID collisions with existing keys. The dnssec.c:findmatchingkeys()
function, which is supposed to get the list of the existing keys,
fails to do that for the existing KEY rrtype keys (i.e. generated
using 'dnssec-keygen -T KEY') because it doesn't pass down to the
dst_key_fromnamedfile() -> dst_key_read_public() functions the type
of the keys it's interested in. Fix the issue by introducing a new
function parameter which tells which type of keys the caller is
currently interested in.
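As an added illustration of the collision check described above (example code written for this page, not dnssec-keygen's or BIND's dnssec.c code), the Python below computes RFC 4034 key tags for constructed DNSKEY/KEY RDATA and checks a candidate key for a tag collision against the stored keys of the RR type the caller asks for. The `rrtype` parameter models the one the commit introduces; the function names, the `StoredKey` container and the sample keys are assumptions, and `find_matching_keys_old` reproduces the described defect of always looking at DNSKEY records only.

```python
import struct
from dataclasses import dataclass

# Constructed sample data; not real keys. Algorithm 1 (RSA/MD5) uses a
# different key tag formula (RFC 4034 Appendix B.1) and is rejected here.
RSAMD5 = 1


def make_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY/KEY RDATA: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the full RDATA."""
    if len(rdata) < 4:
        raise ValueError("RDATA shorter than the fixed DNSKEY header")
    if rdata[3] == RSAMD5:
        raise NotImplementedError("RSA/MD5 key tags are not computed here")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class StoredKey:
    """An existing key on disk: owner name, RR type ("DNSKEY" or "KEY"), RDATA."""
    name: str
    rrtype: str
    rdata: bytes


def find_matching_keys(keys, name, rrtype):
    """Fixed behaviour: only keys of the requested RR type are candidates."""
    return [k for k in keys if k.name.lower() == name.lower() and k.rrtype == rrtype]


def find_matching_keys_old(keys, name, rrtype):
    """Defect described in the commit: the requested type is not passed down,
    so only DNSKEY records are ever returned and KEY-type keys are invisible."""
    del rrtype  # ignored, as in the pre-fix code path
    return find_matching_keys(keys, name, "DNSKEY")


def tag_collides(keys, name, rrtype, candidate_rdata, finder=find_matching_keys):
    """True if some existing key of the requested type has the candidate's tag."""
    new_tag = key_tag(candidate_rdata)
    return any(key_tag(k.rdata) == new_tag for k in finder(keys, name, rrtype))


# Constructed store: one KEY-type key and one DNSKEY for example.
SAMPLE_KEYS = [
    StoredKey("example.", "KEY", make_rdata(256, 13, b"\x00\x00")),
    StoredKey("example.", "DNSKEY", make_rdata(257, 8, b"\x01\x02\x03")),
]


def demo():
    """Same candidate checked with the fixed and the old lookup."""
    candidate = make_rdata(256, 13, b"\x00\x00")  # same tag as the stored KEY
    return {
        "fixed": tag_collides(SAMPLE_KEYS, "example.", "KEY", candidate),
        "old": tag_collides(SAMPLE_KEYS, "example.", "KEY", candidate, find_matching_keys_old),
    }


if __name__ == "__main__":
    print(demo())
```

With the fixed lookup the candidate's tag (1037) is found among the KEY records and reported as a collision; the old lookup never sees the KEY record and reports none, which is exactly the gap the commit closes.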
Nicki Křížek [Tue, 21 Oct 2025 14:04:30 +0000 (16:04 +0200)]
new: test: Add module-specific python setup to system tests
During the system test execution, allow use of module-specific setup()
function in addition to the setup.sh script which this function should
ultimately replace.
The purpose of setup() is two-fold. First, it can execute any commands
needed to create the initial conditions for the test, such as creating
key materials, manipulating files etc. Second, it should return any
test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
Merge branch 'nicki/pytest-add-python-setup-func' into 'main'
Unify the names of autouse module-wide fixtures that perform
after_servers_start() setup. The consistent naming doesn't just help
readability, but also makes it simpler for the vulture exception (since
it doesn't properly deal with autouse fixtures).
Replace the autouse fixtures which were only used to change the initial
server configuration into proper bootstrap() functions. This gets rid of
an extraneous reconfigure.
In the tests_validation_many_anchors.py, split the fixture into a proper
bootstrap() and a separate test for checking the expected log lines for
the ignored keys. Previously, the test was broken - it should check for
all the messages being present in the log, and some of the keys are
actually initial-key rather than static-key. This has been fixed in the
parametrized test.
During the system test execution, allow use of module-specific
bootstrap() function in addition to the setup.sh script which this
function should ultimately replace.
The purpose of bootstrap() is two-fold. First, it can execute any
commands needed to create the initial conditions for the test, such as
creating key materials, manipulating files etc. Second, it should return
any test-specific template values as a dictionary. Those will be used to
render the jinja2 templates.
Evan Hunt [Tue, 21 Oct 2025 04:58:27 +0000 (04:58 +0000)]
fix: nil: simplify dns_dumpctx API
the functions dns_dumpctx_db() and dns_dumpctx_version() are used in
only one place, to get the serial number of the version being dumped.
it's simpler to expose the serial number through its own call,
dns_dumpctx_serial(), and remove the others.
Colin Vidal [Sun, 19 Oct 2025 08:38:18 +0000 (10:38 +0200)]
chg: dev: mem: checkfree assertion after debug list dump
When a memory context is destroyed, if the `checkfree` property is set,
the program asserts that there is no remaining allocation. If there are and
assertions are enabled, the program immediately stops.
However, if memory trace/record debug is enabled, the dump of
outstanding allocations won't be printed, as it is done after the
no remaining allocation assertion check.
This moves the no remaining allocation assertion check after the dump of
outstanding allocations, so it is still possible to figure out what's
still allocated by this memory context.
Merge branch 'colin/mem-checkfree-check-after-debuglist' into 'main'
Colin Vidal [Sat, 18 Oct 2025 15:44:27 +0000 (17:44 +0200)]
check memory context validity before mem_destroy
Add a magic number check to ensure the memory context validity before
destroying it.
This check is needed now as it was done before implicitly when
isc_mem_inuse was called, but isc_mem_inuse is now called later (to be
able to dump the outstanding allocations).
Colin Vidal [Fri, 17 Oct 2025 08:54:09 +0000 (10:54 +0200)]
mem: checkfree assertion after debug list dump
When a memory context is destroyed, if the `checkfree` property is set,
the program asserts that there is no remaining allocation. If there are and
assertions are enabled, the program immediately stops.
However, if memory trace/record debug is enabled, the dump of
outstanding allocations won't be printed, as it is done after the
no remaining allocation assertion check.
This moves the no remaining allocation assertion check after the dump of
outstanding allocations, so it is still possible to figure out what's
still allocated by this memory context.
Nicki Křížek [Mon, 6 Oct 2025 15:45:07 +0000 (17:45 +0200)]
Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Michał Kępień [Sat, 18 Oct 2025 07:39:35 +0000 (09:39 +0200)]
fix: usr: Fix the assertion failure in the selfsigned DNSKEY handling
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
Closes isc-projects/bind9#5343
Merge branch 'ondrej/security-fix-crash-in-selfsigned-key-handling' into 'v9.21.14-release'
Evan Hunt [Fri, 17 Oct 2025 20:36:32 +0000 (20:36 +0000)]
fix: usr: Report when a zone reload is already in progress
If a zone reload was already in progress when `rndc reload <zone>` was
run, the message returned was "zone reload queued", which was technically
correct, but it was identical to the message returned when a reload
was not in progress. Consequently, a user could issue two reload commands
without realizing that only one reload had actually taken place. This has
been addressed by changing the message returned to "zone reload was already queued".
Closes #5140
Merge branch '5140-report-reload-in-progress' into 'main'
Evan Hunt [Wed, 13 Aug 2025 20:15:23 +0000 (13:15 -0700)]
report when zone reload already in progress
if a zone reload is already in progress when 'rndc reload <zone>' is
run, currently the message returned is "zone reload queued", which
is correct, but it's identical to the message returned when a reload
was *not* in progress, so the user can't easily tell what happened.
a user could reload a zone twice and not realize that only one
reload actually took place.
this has been addressed by changing the message returned to
"zone reload was already queued".
a new result code ISC_R_LOADING has been added to signal this
condition, taking the place of ISC_R_RELOAD, which was obsolete
and has been removed.
Colin Vidal [Fri, 17 Oct 2025 20:08:54 +0000 (22:08 +0200)]
fix: test: fix random failure on synthrecord system test
One of the synthrecord system tests uses a test function to generate an expected name based on some randomly generated IPv6 (using Hypothesis). Turns out the test function generating the name didn't handle the case where the label which encodes the IPv6 could have a leading or trailing '-' character. (The plugin needs to add a leading or trailing 0 so as not to break IDN compatibility.)
Merge branch 'colin/fix-synthrecord-v6test' into 'main'
Colin Vidal [Fri, 10 Oct 2025 07:35:05 +0000 (09:35 +0200)]
fix random failure on synthrecord system test
One of the synthrecord system tests uses a test function to generate an
expected name based on some randomly generated IPv6 (using Hypothesis).
Turns out the test function generating the name didn't handle the case
where the label which encodes the IPv6 could have a leading or trailing
'-' character. (The plugin needs to add a leading or trailing 0 so as
not to break IDN compatibility.)
Ondřej Surý [Mon, 13 Oct 2025 12:10:06 +0000 (14:10 +0200)]
Fix the assertion failure in the selfsigned DNSKEY handling
The selfsigned_dnskey() function can now return all the return codes
that dns_dnssec_keyfromrdata() can return and this would cause an
assertion failure as we were not expecting new isc_result_t codes.
Evan Hunt [Thu, 16 Oct 2025 05:42:15 +0000 (05:42 +0000)]
fix: dev: Ensure correct result from check_signer()
It was possible for the result to be overwritten after a validation failure, causing `check_signer()` to return success when it should have returned an error.
Closes #5575
Merge branch '5575-ensure-correct-result-from-check_signer' into 'main'
Evan Hunt [Wed, 15 Oct 2025 15:06:25 +0000 (08:06 -0700)]
Ensure correct result from check_signer()
It was possible for the result to be overwritten after a
validation failure, causing check_signer() to return success
when it should have returned an error.
Ondřej Surý [Thu, 16 Oct 2025 05:04:19 +0000 (07:04 +0200)]
doc: nil: Add a section about AI use in BIND 9 issue templates
Generally speaking, no AI generated slop is permitted. If AI has been
used to find an actual problem, the findings need to be verified by a
person, and the report should be written by the person. No copy and
paste is allowed. Anyone reporting the problem needs to be able to
verify the problem independently of the AI.
Ondřej Surý [Thu, 16 Oct 2025 04:58:12 +0000 (06:58 +0200)]
Add a section about AI use in BIND 9 issue templates
Generally speaking, no AI generated slop is permitted. If AI has been
used to find an actual problem, the findings need to be verified by a
person, and the report should be written by the person. No copy and
paste is allowed. Anyone reporting the problem needs to be able to
verify the problem independently of the AI.
Matthijs Mekking [Fri, 10 Oct 2025 17:34:59 +0000 (17:34 +0000)]
chg: nil: Add dnssec-policy text for dnssec-importkey
:program:`dnssec-importkey` should not be used to import DNSKEY records from other providers (for example when setting up multi-signer). Clarify this in the manpage.
Merge branch 'matthijs-clarify-import-key-dnssec-policy' into 'main'
Nicki Křížek [Fri, 10 Oct 2025 09:24:39 +0000 (11:24 +0200)]
fix: test: Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Closes #5554
Merge branch '5554-disable-keyfromlabel-collision-avoidance-in-tests' into 'main'
Nicki Křížek [Wed, 8 Oct 2025 09:35:24 +0000 (11:35 +0200)]
Disable keyfromlabel collision avoidance in tests
With the collision avoidance on, some of the tests would occasionally
fail. None of the tests using keyfromlabel are revoking the keys so it
should be safe to disable it.
Nicki Křížek [Mon, 6 Oct 2025 16:04:51 +0000 (18:04 +0200)]
fix: ci: Remove reuse annotations for unused m4 libtool files
The files in question are no longer included in the git tree and
distributed with the code. Remove the reuse annotations as they caused
issues with reuse 6.0.0, as multiline annotation for
SPDX-FileCopyrightText breaks the parsing.
Merge branch 'nicki/reuse-remove-m4-annotations' into 'main'
Michał Kępień [Mon, 6 Oct 2025 11:19:50 +0000 (13:19 +0200)]
Simplify named_tkeyctx_fromconfig()
With the code handling the "tkey-gssapi-credential" statement removed,
the named_tkeyctx_fromconfig() function can no longer fail. Update its
return type to void and revise its only call site accordingly. Clean up
the function's documentation. Declare the 's' helper variable only in
the scope it is used in to improve readability.
Michał Kępień [Mon, 6 Oct 2025 11:19:50 +0000 (13:19 +0200)]
Remove "tkey-gssapi-credential" and related code
Since the "tkey-gssapi-credential" statement has been previously
deprecated, mark it as ancient and remove all code related to it:
- The code processing the "tkey-gssapi-credential" statement in the
configuration is the only user of the dst_gssapi_acquirecred() and
dst_gssapi_releasecred() functions, so remove them along with their
static helper functions and a backup definition of the
GSS_KRB5_MECHANISM macro.
- When calling gss_accept_sec_context(), pass GSS_C_NO_CREDENTIAL
instead of the credential acquired by gss_acquire_cred().
(Previously, NULL was passed when "tkey-gssapi-credential" was not
specified. Kerberos headers define GSS_C_NO_CREDENTIAL as
(gss_cred_id_t) 0, so the logic was effectively the same, but using
the GSS_C_NO_CREDENTIAL macro is more appropriate.) This renders
the 'cred' parameter for dst_gssapi_acceptctx() redundant, so remove
it from the prototype of the latter. (Contrary to what the
documentation for dst_gssapi_acceptctx() claims,
dst_gssapi_releasecred() does not need to subsequently be called to
free the GSS-API context; a dst_gssapi_deletectx() call in
gssapi_destroy() takes care of that when the dynamically generated
TSIG key is destroyed.)
- Remove the 'gsscred' member from struct dns_tkeyctx, along with its
related dns_gss_cred_id_t typedef.
Update the relevant sections of the ARM and code comments accordingly.
This makes the "tkey-gssapi-keytab" statement the only way to set up
GSS-TSIG in named.
Remove redundant code from bin/named/tkeyconf.c while at it.
Michał Kępień [Mon, 6 Oct 2025 11:19:50 +0000 (13:19 +0200)]
Stop using "tkey-gssapi-credential" in tests
Since the "tkey-gssapi-credential" statement is now deprecated and is
about to be removed, migrate the only system test using it ("nsupdate")
to "tkey-gssapi-keytab".
Currently, the GSS-TSIG parts of the "nsupdate" system test require
properly setting up a combination of:
- "tkey-gssapi-credential" statements in named.conf files,
- the KRB5_KTNAME environment variable.
Specifically, this configuration causes named startup to include
acquiring the credential that GSS-API is allowed to match keys against
from a keytab file specified by the KRB5_KTNAME environment variable.
By contrast, the revised configuration uses the "tkey-gssapi-keytab"
statement, which makes GSS-API match keys against any credential present
in the specified keytab file.
Since both keytabs in question (ns9/dns.keytab, ns10/dns.keytab) only
contain a single credential, the two configurations are functionally
equivalent, with the revised one being significantly more readable and
simpler to prepare.
Michał Kępień [Thu, 2 Oct 2025 12:17:17 +0000 (14:17 +0200)]
[CVE-2025-40780] sec: usr: Cache-poisoning due to weak pseudo-random number generator
It was discovered during research for an upcoming academic paper that a
xoshiro128** internal state can be recovered by an external 3rd party,
allowing the prediction of UDP ports and DNS IDs in outgoing queries.
This could lead to an attacker spoofing the DNS answers with great
efficiency and poisoning the DNS cache.
The internal random generator has been changed to a cryptographically
secure pseudo-random generator.
ISC would like to thank Prof. Amit Klein and Omer Ben Simhon from Hebrew
University of Jerusalem for bringing this vulnerability to our
attention.
Closes isc-projects/bind9#5484
Merge branch '5484-security-make-isc_random-csprng' into 'v9.21.13-release'
Ondřej Surý [Mon, 25 Aug 2025 17:02:54 +0000 (19:02 +0200)]
Use arc4random for CSPRNG when available
Use arc4random on platforms where available. arc4random() provides high
quality cryptographically-secure pseudo-random numbers and is generally
recommended for application use.
The uv_random() call unfortunately uses getentropy() on platforms like
MacOS, OpenBSD or NetBSD which is not recommended for application use.
Ondřej Surý [Tue, 19 Aug 2025 17:22:18 +0000 (19:22 +0200)]
Use cryptographically-secure pseudo-random generator everywhere
It was discovered in an upcoming academic paper that a xoshiro128**
internal state can be recovered by an external 3rd party, allowing the
prediction of UDP ports and DNS IDs in the outgoing queries. This could lead
to an attacker spoofing the DNS answers with great efficiency and
poisoning the DNS cache.
Change the internal random generator to system CSPRNG with buffering to
avoid excessive syscalls.
Thanks Omer Ben Simhon and Amit Klein of Hebrew University of Jerusalem
for responsibly reporting this to us. Very cool research!
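As an added example of the approach the two commits above describe (a system CSPRNG, buffered to avoid a syscall per draw), and not BIND's own isc_random code: the Python below reads the kernel CSPRNG through `os.urandom` in blocks and derives DNS message IDs and source ports from the buffer. The class and function names, the block size, the 1024..65535 port range and the rejection-sampling step that keeps the port draw unbiased are assumptions of this example; the `reader` hook exists only so a test can count refills.

```python
import os
import struct


class BufferedCsprng:
    """Block-buffered reads from the system CSPRNG.

    Every draw is backed by kernel randomness (os.urandom), but one call
    refills `block_size` bytes, so a 16-bit draw normally costs no syscall.
    """

    def __init__(self, block_size=4096, reader=os.urandom):
        self._reader = reader          # assumption: swappable only for testing
        self._block_size = block_size
        self._buf = b""
        self._pos = 0

    def random_bytes(self, n):
        out = bytearray()
        while n > 0:
            if self._pos >= len(self._buf):
                self._buf = self._reader(self._block_size)  # refill from the CSPRNG
                self._pos = 0
            take = min(n, len(self._buf) - self._pos)
            out += self._buf[self._pos:self._pos + take]
            self._pos += take
            n -= take
        return bytes(out)

    def uint16(self):
        return struct.unpack("!H", self.random_bytes(2))[0]

    def below(self, upper):
        """Uniform integer in [0, upper) for 0 < upper <= 65536.

        Draws at or above the largest multiple of `upper` are rejected, so
        the result is not skewed toward small values as a plain modulo would be.
        """
        if not 0 < upper <= 65536:
            raise ValueError("upper must be in 1..65536")
        limit = 65536 - (65536 % upper)
        while True:
            r = self.uint16()
            if r < limit:
                return r % upper


PORT_LOW, PORT_HIGH = 1024, 65535   # assumed ephemeral range for outgoing queries


def query_identity(rng):
    """Return (message ID, source port) for one outgoing query."""
    msg_id = rng.uint16()
    port = PORT_LOW + rng.below(PORT_HIGH - PORT_LOW + 1)
    return msg_id, port


if __name__ == "__main__":
    rng = BufferedCsprng()
    print(query_identity(rng))
```

The point of the buffer is only cost: each ID and port still comes straight from kernel entropy, so there is no internal generator state for an observer to reconstruct from the values that appear on the wire.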
Michał Kępień [Thu, 2 Oct 2025 11:24:53 +0000 (13:24 +0200)]
[CVE-2025-40778] sec: usr: Address various spoofing attacks
Previously, several issues could be exploited to poison a DNS cache with
spoofed records for zones which were not DNSSEC-signed or if the
resolver was configured to not do DNSSEC validation. These issues were
assigned CVE-2025-40778 and have now been fixed.
As an additional layer of protection, :iscman:`named` no longer accepts
DNAME records or extraneous NS records in the AUTHORITY section unless
these are received via spoofing-resistant transport (TCP, UDP with DNS
cookies, TSIG, or SIG(0)).
ISC would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin
Duan from Tsinghua University for bringing this vulnerability to our
attention.
Closes isc-projects/bind9#5414
Merge branch '5414-security-check-name-vs-qname-again' into 'v9.21.13-release'
Mark Andrews [Wed, 13 Aug 2025 03:56:01 +0000 (13:56 +1000)]
Retry lookups with unsigned DNAME over TCP
To prevent spoofed unsigned DNAME responses being accepted retry
response with unsigned DNAMEs over TCP if the response is not TSIG
signed or there isn't a good DNS CLIENT COOKIE.
Mark Andrews [Thu, 14 Aug 2025 04:35:46 +0000 (14:35 +1000)]
Further restrict addresses that are cached when processing referrals
Use the owner name of the NS record as the bailiwick apex name
when determining which additional records to cache, rather than
the name of the delegating zone (or a parent thereof).
Mark Andrews [Wed, 9 Jul 2025 23:37:36 +0000 (09:37 +1000)]
Tighten restrictions on caching NS RRsets in authority section
To prevent certain spoofing attacks, a new check has been added
to the existing rules for whether NS data can be cached: the owner
name of the NS RRset must be an ancestor of the name being queried.
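As an added example covering the three commits above and the CVE-2025-40778 summary (written for this page; not BIND's resolver code, which applies many more rules), here is a Python model of the authority-section and glue decisions. It keeps an NS RRset only when its owner is an ancestor of (or equal to) the queried name, accepts a DNAME from a plain UDP response only when the answer is DNSSEC-secure or the transport is spoofing-resistant and otherwise asks for a retry over TCP, and caches additional A/AAAA records only when they fall under the NS owner used as the bailiwick apex. The `Transport` and `RR` containers, the `secure` flag, the returned action strings and the sample records are assumptions.

```python
from dataclasses import dataclass

ACCEPT, REJECT, RETRY_TCP = "accept", "reject", "retry_tcp"


def labels(name):
    """Split a presentation-format name into lower-cased labels (root label dropped)."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def is_ancestor_or_equal(ancestor, name):
    """True if `ancestor` is `name` itself or one of its parent domains.
    Comparison is label-wise, so example.com is not an ancestor of notexample.com."""
    a, n = labels(ancestor), labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


@dataclass(frozen=True)
class Transport:
    tcp: bool = False
    cookie: bool = False   # a valid DNS COOKIE was exchanged
    tsig: bool = False
    sig0: bool = False

    def spoofing_resistant(self):
        return self.tcp or self.cookie or self.tsig or self.sig0


@dataclass(frozen=True)
class RR:
    owner: str
    rtype: str
    rdata: str
    secure: bool = False   # assumption: True when DNSSEC-validated


def judge_authority_rr(rr, qname, transport):
    """Decide what to do with one AUTHORITY-section record."""
    if rr.rtype == "NS":
        # Owner must be an ancestor of the queried name; anything else is extraneous.
        return ACCEPT if is_ancestor_or_equal(rr.owner, qname) else REJECT
    if rr.rtype == "DNAME":
        if rr.secure or transport.spoofing_resistant():
            return ACCEPT
        return RETRY_TCP  # unsigned DNAME over spoofable transport: ask again over TCP
    return REJECT  # other types are outside this example


def cache_additional(ns_rr, addl_rr):
    """Cache glue only if it sits at or below the NS owner (the bailiwick apex)."""
    return addl_rr.rtype in ("A", "AAAA") and is_ancestor_or_equal(ns_rr.owner, addl_rr.owner)


# Constructed response to a query for www.example.com. received over plain UDP.
QNAME = "www.example.com."
UDP = Transport()
AUTHORITY = [
    RR("example.com.", "NS", "ns1.example.com."),
    RR("other.test.", "NS", "ns1.other.test."),     # extraneous: not an ancestor of QNAME
    RR("example.com.", "DNAME", "example.net."),     # unsigned DNAME
]
ADDITIONAL = [
    RR("ns1.example.com.", "A", "192.0.2.1"),
    RR("ns1.other.test.", "A", "192.0.2.2"),
]


def demo():
    """Verdict per authority record, and the glue owners that may be cached."""
    verdicts = {f"{rr.owner}/{rr.rtype}": judge_authority_rr(rr, QNAME, UDP) for rr in AUTHORITY}
    glue = [a.owner for a in ADDITIONAL if cache_additional(AUTHORITY[0], a)]
    return verdicts, glue


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on the constructed response accepts the in-bailiwick NS, rejects the `other.test.` NS outright, flags the unsigned DNAME for a TCP retry, and caches only `ns1.example.com.` as glue; the same DNAME is accepted once the transport is TCP or carries a cookie, or the record is marked secure.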
Michał Kępień [Thu, 2 Oct 2025 10:53:46 +0000 (12:53 +0200)]
[CVE-2025-8677] sec: usr: DNSSEC validation fails if matching but invalid DNSKEY is found
Previously, if a matching but cryptographically invalid key was encountered during
DNSSEC validation, the key was skipped and not counted
towards validation failures. :iscman:`named` now treats such DNSSEC keys
as hard failures and the DNSSEC validation fails immediately, instead of
continuing with the next DNSKEYs in the RRset.
ISC would like to thank Zuyao Xu and Xiang Li from the All-in-One
Security and Privacy Laboratory at Nankai University for bringing this
vulnerability to our attention.
Closes isc-projects/bind9#5343
Merge branch '5343-security-count-invalid-keys-into-validation-fails' into 'v9.21.13-release'
Fail the DNSSEC validation if matching but invalid DNSKEY is found
If a matching but cryptographically invalid key was encountered during
the DNSSEC validation, the key would be just skipped and not counted
towards validation failures. Treat such DNSSEC keys as hard failures
and fail the DNSSEC validation immediately instead of continuing the
DNSSEC validation with the next DNSKEYs in the RRset.
Michał Kępień [Thu, 2 Oct 2025 10:15:11 +0000 (12:15 +0200)]
fix: test: Reorganize imports in tests_synthrecord.py
bin/tests/system/synthrecord/tests_synthrecord.py imports hypothesis
before importing isctest.hypothesis, which causes the "synthrecord"
system test to fail on platforms on which the Hypothesis module is not
available. Reorganize Python imports in tests_synthrecord.py to fix the
above issue and also to make it more in line with other similar test
scripts.
Closes #1586
Merge branch '1586-reorganize-imports-in-tests_synthrecord.py' into 'main'
Michał Kępień [Thu, 2 Oct 2025 09:13:05 +0000 (11:13 +0200)]
Reorganize imports in tests_synthrecord.py
bin/tests/system/synthrecord/tests_synthrecord.py imports hypothesis
before importing isctest.hypothesis, which causes the "synthrecord"
system test to fail on platforms on which the Hypothesis module is not
available. Reorganize Python imports in tests_synthrecord.py to fix the
above issue and also to make it more in line with other similar test
scripts.