Nicki Křížek [Tue, 16 Dec 2025 17:27:20 +0000 (18:27 +0100)]
Add requirements.txt for system tests
This file lists the required Python packages and versions for running
system tests. The easiest way to obtain them is:
pip install -r requirements.txt
The minimum dnspython version is 2.7.0 because it supports TSIG parsing
without validation (for tsig/tests_tsig_hypothesis.py) and wire() (for
names/tests_names.py).
The minimum pytest version was bumped to 7.0.0 because it supports the
collection hook API required by pytest 9.
The minimum hypothesis version was set to 4.41.2 as prior versions might
have issues on FIPS systems.
Arаm Sаrgsyаn [Wed, 21 Jan 2026 10:47:31 +0000 (10:47 +0000)]
fix: dev: Fix a bug in qpzone.c:first_existing_header_indirect()
There is a bug in qpzone.c:first_existing_header_indirect() where
it does not advance the pointer in the FOREACH type loop.
Remove the static function altogether, as it was used only once and
had some other problems too, and use simpler custom code instead in
the place where it was used.
Closes #5691
Merge branch '5691-qpzone.c-first_existing_header_indirect-fix' into 'main'
Aram Sargsyan [Tue, 20 Jan 2026 16:20:35 +0000 (16:20 +0000)]
Add a new dbversion unit test
Test that closing a writer with a rollback, then opening another
writer and adding a rdataset (while still holding the node reference)
works correctly.
This test checks that the bugfix in the previous commit is correct.
Aram Sargsyan [Fri, 16 Jan 2026 14:07:39 +0000 (14:07 +0000)]
Remove qpzone.c:first_existing_header_indirect() which had bugs
The first_existing_header_indirect() static function is used only
in one place and it has bugs:
1. It doesn't advance the pointer and can cause an infinite loop
if it doesn't break out from the loop on the first iteration.
2. It doesn't check if the header EXISTS, though its name indicates
that it should.
3. Even if the infinite loop bug is fixed, it would eventually
return the last checked header's pointer even if all the
candidates do not match the criteria of the selection.
Instead of fixing it, remove the function and use simpler code in
the place where it was being called.
Mark Andrews [Fri, 19 Dec 2025 01:32:33 +0000 (12:32 +1100)]
Use const pointer with strchr of const pointer
C23 now has qualifier preserving standard functions for strchr,
bsearch, strpbrk, strrchr, strstr, memchr. There where a few places
where the return value was not assigned to a const qualified pointer.
These have been fixed.
Colin Vidal [Fri, 16 Jan 2026 07:29:45 +0000 (08:29 +0100)]
chg: dev: remove `sigrdataset` from `dns_view_findzonecut()`
Since the `sigrdataset` "output" parameter of `dns_view_findzonecut()` is never used (always called with NULL), it is now removed. As the resolver is moving towards a parent-centric direction, there is no point having a signature for the NS record (which is not authoritative in the parent, so never signed) when `dns_view_findzonecut()` is called.
Also, rename `dns_view_findzonecut()` as `dns_view_bestzonecut()` as it is used only in the context where the closest name servers for a name need to be queried and to avoid ambiguities with other code flows using `dns_db_findzonecut()`.
Merge branch 'colin/findzonecut-removesig' into 'main'
Colin Vidal [Mon, 12 Jan 2026 08:23:01 +0000 (09:23 +0100)]
rename `dns_view_findzonecut()` into `dns_view_bestzonecut()`
`dns_view_findzonecut()` is used only in the context where the closest
name servers for a name need to be queried. In the future, this API
will also return the glues (if known) for those name servers, as well
as (exclusively, if both NS and DELEG exist) the DELEG record.
To avoid ambiguities with other code flows using `dns_db_findzonecut()`,
`dns_view_findzonecut()` has been renamed into `dns_view_bestzonecut()`.
Colin Vidal [Fri, 9 Jan 2026 14:47:52 +0000 (15:47 +0100)]
remove `sigrdataset` from `dns_view_findzonecut()`
Since the `sigrdataset` "output" parameter of `dns_view_findzonecut()`
is never used (always called with NULL), it is now removed.
Also, since the resolver is moving towards a parent-centric direction,
there is no point having a signature for the NS record (which is not
authoritative in the parent, so never signed) in the contextes where
`dns_view_findzonecut()` is called.
Arаm Sаrgsyаn [Thu, 15 Jan 2026 17:50:33 +0000 (17:50 +0000)]
fix: test: Fix a false positive compiler warning/error
When built with '-Doptimization=1', GCC produces a compiler warning:
In file included from ../lib/isc/include/isc/lib.h:44,
from ../tests/dns/qp_test.c:26:
../tests/dns/qp_test.c: In function ‘check_predecessors_withchain’:
../lib/isc/include/isc/util.h:182:33: error: ‘ival’ may be used uninitialized [-Werror=maybe-uninitialized]
182 | (((a) == (b)) ? (void)0 : (_assert_int_equal(a, b, f, l), abort()))
| ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/cmocka.h:1234:5: note: in expansion of macro ‘_assert_int_equal’
1234 | _assert_int_equal(cast_to_largest_integral_type(a), \
| ^~~~~~~~~~~~~~~~~
../tests/dns/qp_test.c:859:18: note: ‘ival’ was declared here
859 | uint32_t ival;
| ^~~~
This is apparently a false positive, because the qpiter_prev_with_name()
function, when returning ISC_R_SUCCESS, sets the 'ival' (passed to
it by a pointer), and the caller checks that the return value is
ISC_R_SUCCESS before using 'ival'.
Initialize the 'ival' variable to 0 anyway to avoid the build error.
Closes #5704
Merge branch '5704-qp_test-uninitialized-false-positive-error-fix' into 'main'
Aram Sargsyan [Thu, 15 Jan 2026 11:26:47 +0000 (11:26 +0000)]
Fix a false positive compiler warning/error
When built with '-Doptimization=1', GCC produces a compiler warning:
In file included from ../lib/isc/include/isc/lib.h:44,
from ../tests/dns/qp_test.c:26:
../tests/dns/qp_test.c: In function ‘check_predecessors_withchain’:
../lib/isc/include/isc/util.h:182:33: error: ‘ival’ may be used uninitialized [-Werror=maybe-uninitialized]
182 | (((a) == (b)) ? (void)0 : (_assert_int_equal(a, b, f, l), abort()))
| ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/cmocka.h:1234:5: note: in expansion of macro ‘_assert_int_equal’
1234 | _assert_int_equal(cast_to_largest_integral_type(a), \
| ^~~~~~~~~~~~~~~~~
../tests/dns/qp_test.c:859:18: note: ‘ival’ was declared here
859 | uint32_t ival;
| ^~~~
This is apparently a false positive, because the qpiter_prev_with_name()
function, when returning ISC_R_SUCCESS, sets the 'ival' (passed to
it by a pointer), and the caller checks that the return value is
ISC_R_SUCCESS before using 'ival'.
Initialize the 'ival' variable to 0 anyway to avoid the build error.
Štěpán Balážik [Tue, 23 Dec 2025 13:36:56 +0000 (14:36 +0100)]
Add SwitchControlCommand for ControllableAsyncServer
To provide feature parity with `bin/tests/system/ans.pl` add a control
command to allow easy switching between different sequences of
ResponseHandlers.
Štěpán Balážik [Wed, 17 Dec 2025 13:08:03 +0000 (14:08 +0100)]
Use variadic positional parameters for plural install_* methods
It saves an indent and brackets on the call sites.
Also sort the handlers alphabetically where their order doesn't matter
and split the fallback handlers into a separate call to signify that
their position in the end matters.
Aram Sargsyan [Thu, 25 Dec 2025 12:25:48 +0000 (12:25 +0000)]
Make catalog zones' entry names case-insensitive
Previously, the isc_ht hash table module was case-sensitive, but now
it supports case-insensitive mode. Use the case-insensitive mode
for the catalog zones' entry names.
Aram Sargsyan [Fri, 19 Dec 2025 17:51:08 +0000 (17:51 +0000)]
Make catalog zone names case-insensitive
Previously, the isc_ht hash table module was case-sensitive, but now
it supports case-insensitive mode. Use the case-insensitive mode
for catalog zone names.
Nicki Křížek [Fri, 28 Nov 2025 15:41:44 +0000 (16:41 +0100)]
Replace digdelv/ans8 with AsyncDnsServer
Previously, the ans8 server had different response modes that applied to
all queries. Replace it with AsyncDnsServer that has serves the different
response modes under different domains without the need to change the
server behaviour at runtime.
Add the new queries that require an ns3 fallback to the ns3/example.db
zone.
Nicki Křížek [Fri, 28 Nov 2025 15:13:43 +0000 (16:13 +0100)]
Replace digdelv/ans5 with ControllableAsyncDnsServer
The server has three modes of operation - either no response, a partial
AXFR or a complete AXFR. To test the fallback behaviour of dig, these
actions are be combined in a specific sequences. To set up the desired
server behaviour, use the _control queries for the server.
Nicki Křížek [Fri, 28 Nov 2025 14:34:38 +0000 (15:34 +0100)]
Rename ResponseDropAndCloseConnection action
The action can be used to close the connection even after some response
was sent, depending on the ordering of actions in the handler that uses
it. Rename it to CloseConnection to use a more fitting name.
Štěpán Balážik [Fri, 9 Jan 2026 15:22:31 +0000 (15:22 +0000)]
chg: test: Avoid sending manually created responses in asyncserver
If at all possible, all the responses should be created by
AsyncDnsServer's internal methods. To ensure this, mark them with a
magic attribute and check it on send and crash the server if a manually
created response is detected.
Merge branch 'stepan/avoid-using-hand-rolled-responses-in-asyncserver' into 'main'
Štěpán Balážik [Fri, 2 Jan 2026 19:36:29 +0000 (20:36 +0100)]
Avoid sending manually created responses in asyncserver
If at all possible, all the responses should be created by
AsyncDnsServer's internal methods. To ensure this, mark them with a
magic attribute and check it on send and crash the server if a manually
created response is detected.
Fix the qmin test server which uses `make_response`.
Colin Vidal [Thu, 8 Jan 2026 20:01:22 +0000 (21:01 +0100)]
chg: dev: Split and refactor dns_view_findzonecut()
The function `dns_view_findzonecut()` was previously a complex bit of code (multiple pages long with multiple gotos and mutating states) into a simpler main entry point making explicit the various steps and layers involved into the delegation lookup.
Separate helper functions are added for specific sub-tasks (lookup from the zones, from the cache, deciding which result to use if there are valid candidates from the zone or cache, etc.)
Finally, the range of result values returned by `dns_view_findzonecut()` is simplified and clearly specified. This simplifies a bit the callers code.
See #5681
Merge branch 'colin/refactor-findzonecut' into 'main'
Colin Vidal [Wed, 17 Dec 2025 14:27:39 +0000 (15:27 +0100)]
simplify usage of dns_view_findzonecut()
As `dns_view_findzonecut()` only returns either ISC_R_SUCCESS or
DNS_R_NXDOMAIN, and since it automatically disassociates the rdatasets
in case of failure, some call sites are simplified.
Colin Vidal [Tue, 16 Dec 2025 13:24:41 +0000 (14:24 +0100)]
findzonecut: helper function to choose zone or cache
When a delegation is found at a zone level, the cache is also looked up,
in case a more specific delegation is found. If it is, then the records
from the zone are disassociated and then associated with those from the
cache.
There is no return value, because even if the cache lookup fails, there
is a valid delegation from the zone, so this is a success either way.
The main function `dns_view_findzonecut()` is also strongly refactored,
as `findzonecut_zoneorcache()` allows a sequential flow between the
various DB lookup attempts, instead of jumping back to the begining of
the lookup code using `goto`.
From the caller's point of view, the API is slightly simplified: the
return value can only be ISC_R_SUCCESS (a delegation is found) or
DNS_R_NXDOMAIN (no delegation is found). Also, if no delegation is
found, this guarantees that the rdatasets passed as parameter are
disassociated.
Colin Vidal [Tue, 16 Dec 2025 13:26:11 +0000 (14:26 +0100)]
findzonecut: helper function for zone lookup
Move the zone lookup code into a separate helper function.
The main extra change here is the return codes. This helper function can
return 3 (and only those 3) values:
- ISC_R_SUCCESS: a delegation is found
- DNS_R_NXDOMAIN: no zone matches the qname
- ISC_R_NOTFOUND: a zone is found, but no delegation in the zone (this
can be either because there is simply no delegation, or for other
reasons, like, the zone DB is not loaded yet).
This enables the caller to make decisions about whether to attempt a
cache and/or hints lookup or not.
Colin Vidal [Tue, 16 Dec 2025 13:22:10 +0000 (14:22 +0100)]
findzonecut: helper function for cache lookup
Extract the cache lookup implementation from `dns_view_findzonecut()`
into a separate helper function.
Also, when the cache result is not ISC_R_SUCCESS (which is the only
"success" value from the existing code in this case), the return value
is overriden to DNS_R_NXDOMAIN. This enables the caller (in follow-up
commit) to differentiate the case where a zone is found, but for
whatever reason, no delegation is in there, from the case where no zone
is found. Separating those cases enables the caller to know whether it
needs to hit the cache/hints or not.
Alessio Podda [Thu, 8 Jan 2026 15:32:23 +0000 (15:32 +0000)]
chg: dev: Remove rrset-order cyclic from the default config, with shim
Currently we add an rrset-order cyclic statement to the default config.
Since the rrset-order allows matching a subset of all names, it must
be implemented with a comparison against a wildcard, and since
the statement applies per rrset, this can result in million of
comparisons per second on a busy authoritative server.
This commit removes rrset-order from the default config, but adds back
a code shim in query_setorder to preserve the previous behaviour.
Alessio Podda [Tue, 23 Dec 2025 15:38:53 +0000 (16:38 +0100)]
Remove rrset-order cyclic from the default config, with shim
Currently we add an rrset-order cyclic statement to the default config.
Since the rrset-order allows matching a subset of all names, it must
be implemented with a string comparison against a wildcard, and since
the statement applies per rrset, this can result in millions of
comparisons per second on a busy authoritative server.
This commit removes rrset-order from the default config, but adds back
a code shim in query_setorder to preserve the previous behaviour.
Nicki Křížek [Wed, 7 Jan 2026 10:12:50 +0000 (11:12 +0100)]
chg: dev: Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.
Closes #5699
Merge branch '5699-support-cmocka-2.0.0' into 'main'
Nicki Křížek [Mon, 29 Dec 2025 12:37:34 +0000 (13:37 +0100)]
Support compilation with cmocka 2.0.0+
The `assert_in_range()` function was deprecated in favor of
`assert_int_in_range()` and `assert_uint_in_range()`. Add compatibility
shims for cmocka<2.0.0 and use the new functions.
Evan Hunt [Wed, 7 Jan 2026 07:02:22 +0000 (07:02 +0000)]
chg: usr: Enforce bounds of multiple configuration options
The configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
boundaries. The configuration (including when using `named-checkconf`)
now fails if those options are set out of range.
Merge branch 'colin/multiple-options-strict-boundaries' into 'main'
Colin Vidal [Wed, 19 Nov 2025 11:34:31 +0000 (12:34 +0100)]
update doc for strict boundaries check
Update documentation, removing the mention of statements being
implicitely "fixed" if they are defined out of range (for
`edns-version`, `edns-udp-size`, `max-udp-size`, `no-cookie-udp-size`
and `padding`) as the ranges are now enforced.
Colin Vidal [Wed, 19 Nov 2025 11:36:13 +0000 (12:36 +0100)]
remove implicit bounds fixes in server config
Now that the configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` have strict boundaries
(configuration failing if they are not respected), remove configuration
loading code which implicitely raises or lowers them.
Colin Vidal [Wed, 19 Nov 2025 11:31:50 +0000 (12:31 +0100)]
enforce bounds of multiple configuration options
The configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
boundaries. The configuration (including when using `named-checkconf`)
now fails if those options are out of range.
Nicki Křížek [Mon, 5 Jan 2026 13:45:06 +0000 (14:45 +0100)]
[CVE-2025-8677] sec: test: Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.
Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.
Closes #5343
Merge branch '5343-count-invalid-keys-into-validation-fails-test' into 'main'
Nicki Křížek [Mon, 13 Oct 2025 16:35:33 +0000 (18:35 +0200)]
Test zone with truncated revoked DNSKEY
Ensure that named can handle a situation where the zone is signed with a
truncated, self-signed revoked DNSKEY. The signatures are inevitably
bogus and a SERVFAIL is expected. However, prior to CVE-2025-8677 fix,
this could trigger an assertion failure.
Test that DNSSEC validation is aborted on malformed DNSKEY
Create a signed zone file that contains malformed ZSKs with colliding
key tags. The ZSKs don't represent valid ECDSA keys and will cause a
crypto failure when attempting to use them. Sign the zone with KSK, with
the exception of one record which is "signed" with the invalid ZSKs.
Check that the resolver aborts the DNSSEC verification after
encountering the first crypto failure, indicating malformed DNSKEY.
Štěpán Balážik [Mon, 5 Jan 2026 13:03:11 +0000 (13:03 +0000)]
fix: test: Set default_aa on AsyncDnsServer to False by default
In !11179 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.
Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.
This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).
Merge branch 'stepan/set-asyncdnsserver-dafault-aa-to-false-by-default' into 'main'
Štěpán Balážik [Fri, 2 Jan 2026 18:05:33 +0000 (19:05 +0100)]
Set default_aa on AsyncDnsServer to False by default
In 6e684d44 I mistakenly set the default for `default_aa` for
`AsyncDnsServer()` to `True` and then explicitly set it to True in
cases where all the `ResponseHandlers` said
`yield DnsResponseSend(..., authoritative=True)` as if the default was
`False`.
Also the rest of `AsyncDnsServer` code (namely `_prepare_responses`)
reads like `default_aa` is `False` by default.
This accidentally changed the behavior of servers which don't set the
`default_aa` and where AA is not set from the zone data
(e.g. `dispatch/ans3`).
Ondřej Surý [Sun, 4 Jan 2026 20:46:05 +0000 (21:46 +0100)]
fix: nil: Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
141 | off_t maximum_size;
| ^~~~~
This is due to missing include unistd.h, so let's add it on top of
isc/log.h
Signed-off-by: Giulio Benetti <giulio.benetti@benettiengineering.com>
Merge branch 'fix/uclibc-off_t-main' into 'main'
Giulio Benetti [Sat, 3 Jan 2026 21:59:39 +0000 (22:59 +0100)]
Fix building on uclibc
While building on uclibc this error is thrown:
In file included from ./include/dns/log.h:20,
from callbacks.c:19:
../../lib/isc/include/isc/log.h:141:9: error: unknown type name ‘off_t’
141 | off_t maximum_size;
| ^~~~~
This is due to missing include unistd.h, so let's add it on top of
isc/log.h
Matthijs Mekking [Wed, 31 Dec 2025 10:40:42 +0000 (11:40 +0100)]
Wait for "sending notifies" for step3.zsk-prepub
Commit c17ac426082b2eca802dd1b2e1bb9b4b4b291199 changed some tests to
wait for "zone_needdump" messages instead of "sending notifies", because
notifies are rate limited and "zone_needdump" happen on every change.
However, inspecting the logs, the "zone_needdump" changes happen more
than once (likely because the re-signing is done in batches):
received control channel command 'sign step3.zsk-prepub.manual'
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone_journal: zone step3.zsk-prepub.manual/IN (signed): enter
zone_needdump: zone step3.zsk-prepub.manual/IN (signed): enter
zone step3.zsk-prepub.manual/IN (signed): sending notifies
This means we are running the rollover step checks too fast in some
test runs.
Revert the wait for log change for the rollover-zsk-prepub test.
Matthijs Mekking [Tue, 16 Dec 2025 16:31:24 +0000 (17:31 +0100)]
Change zone set/get options related to notify
Add a type to all dns_zone_(get|set) functions that apply to sending
notifies, so the options can be set and retrieved separately per type.
This affects dns_zone_setnotifydefer, dns_zone_getnotifydefer,
dns_zone_setnotifydelay, dns_zone_getnotifydelay,
dns_zone_setnotifysrc4, and dns_zone_setnotifysrc6.
The functions dns_zone_getnotifysrc4 and dns_zone_getnotifysrc6 are
unused and can be removed.
Petr Špaček [Mon, 28 Jul 2025 09:33:14 +0000 (11:33 +0200)]
Test that spoofed DNAME is not accepted via spoofable transport
A single spoofed DNAME answer can impact many names, and because of the
nature of DNAME, the attacker can use randomized query names to get
unlimited number of tries to spoof the answer. To limit impact, we
should not be accepting DNAME over insecure transport, like UDP without
cookies etc.
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.test. IN A
;ANSWER
trigger$RANDOM.test. 3600 IN CNAME trigger$RANDOM.attacker.net.
test. 3600 IN DNAME attacker.net.
;AUTHORITY
;ADDITIONAL
Petr Špaček [Wed, 23 Jul 2025 18:26:43 +0000 (20:26 +0200)]
Test that fake child delegation cannot overwrite parent's glue RR
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
;AUTHORITY
trigger$RANDOM.victim. 3600 IN NS ns.victim.
;ADDITIONAL
ns.victim. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 2".
Petr Špaček [Wed, 23 Jul 2025 15:25:18 +0000 (17:25 +0200)]
Test that unsolicited NS in positive answer cannot overwrite current NS
Before the fixes for CVE-2025-40778, an unsolicited in-bailiwick NS
record was accepted from a (spoofed) answer, enabling a single spoofed A
query/response to redirect traffic for a whole delegation.
In short, the attacker tries to spoof at least one answer that has the
following form:
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM.victim. IN TXT
;ANSWER
trigger$RANDOM.victim. 3600 IN TXT "spoofed answer with extra NS"
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
This attack was originally reported as "test case 1".
Petr Špaček [Fri, 11 Jul 2025 16:37:57 +0000 (18:37 +0200)]
Test that positive answer cannot overwrite sibling NS RRs
Before the fixes for CVE-2025-40778, a positive answer was allowed to
overwrite sibling NS RRs. The answer had to be a positive AA=1 answer
with a fake NS along with it. This combination of conditions avoided
the code path with "unrelated <RRTYPE>" detection logic.
If it were some other answer, named from the main branch would detect
the attempt and log:
DNS format error from 10.53.0.1#16386 resolving trigger/A for <unknown>: unrelated NS victim in trigger authority section
In short, the attacker tries to spoof at least one answer that has the
following form:
opcode QUERY
rcode NOERROR
flags QR AA
;QUESTION
trigger$RANDOM. IN A
;ANSWER
trigger$RANDOM. 3600 IN A 10.53.0.3
;AUTHORITY
victim. 3600 IN NS ns.attacker.
;ADDITIONAL
ns.attacker. 3600 IN A 10.53.0.3
This attack was originally reported as "test case 1c".
Michał Kępień [Mon, 22 Dec 2025 10:58:39 +0000 (11:58 +0100)]
Add a reusable, bare-bones AsyncDnsServer
Add bin/tests/system/ans.py, a bare-bones DNS server that can be used in
system tests instead of full-blown named instances when a server is only
required to return zone-based data. Where applicable, this reduces load
on the test host and the amount of generated logs.
projects / thirdparty / bind9.git / log
