The `pytest` cases check if a zone is signed by looking at the `NSEC` record at the apex. If that has an RRSIG record, it is considered signed. But `named` signs zones incrementally (in batches) and so the zone may still lack some signatures. In other words, the tests may consider a zone signed while in fact signing is not yet complete, then perform additional checks such as is a subdomain signed with the right key. If this check happens before the zone is actually fully signed, the check will fail.
Fix this by using `check_dnssec_verify` instead of `check_is_zone_signed`. We were already doing this check, but we now move it up. This will transfer the zone and then run `dnssec-verify` on the response. If the zone is partially signed, the check will fail, and it will retry for up to ten times.
Closes #5303
Backport of MR !10445
Merge branch 'backport-5303-kasp-pytest-intermittent-test-failures-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10510
The pytest cases check if a zone is signed by looking at the NSEC
record at the apex. If that has an RRSIG record, it is considered
signed. But 'named' signs zones incrementally (in batches) and so
the zone may still lack some signatures. In other words, the tests
may consider a zone signed while in fact signing is not yet complete,
then perform additional checks such as is a subdomain signed with the
right key. If this check happens before the zone is actually fully
signed, the check will fail.
Fix this by using 'check_dnssec_verify' instead of
'check_is_zone_signed'. We were already doing this check, but we now
move it up. This will transfer the zone and then run 'dnssec-verify'
on the response. If the zone is partially signed, the check will fail,
and it will retry for up to ten times.
(cherry picked from commit 7a31fd57e2fbb9b4a4cdf169698425742f407b18)
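The race this commit message describes, as an added example (not code from the BIND 9 test suite): a constructed model in which a zone is signed two names per step, comparing an apex-only check with a full check retried up to ten times. All class and function names, the batch size and the zone contents are assumptions made for illustration.

```python
"""Constructed model: why an apex-only check races with incremental signing."""
from dataclasses import dataclass, field


@dataclass
class IncrementalSigner:
    """Toy stand-in for a server that signs a zone a few names per step."""
    names: list            # owner names, apex first (constructed sample data)
    batch: int = 2         # names signed per step (assumed value)
    signed: set = field(default_factory=set)

    def step(self):
        """Sign the next batch of still-unsigned names."""
        todo = [n for n in self.names if n not in self.signed]
        self.signed.update(todo[: self.batch])


def apex_looks_signed(zone):
    """Weak check: only the apex is inspected for a signature."""
    return zone.names[0] in zone.signed


def fully_verified(zone):
    """Strong check: every name must be signed, as a full verification demands."""
    return all(n in zone.signed for n in zone.names)


def wait_until(check, zone, attempts=10):
    """Retry `check` up to `attempts` times; signing advances between tries.

    Returns the 1-based attempt on which the check passed, or None.
    """
    for attempt in range(1, attempts + 1):
        if check(zone):
            return attempt
        zone.step()
    return None


def run(check):
    """Gate on `check`, then make the follow-up assertion about a subdomain."""
    names = ["example.", "a.example.", "b.example.", "sub.example.", "z.example."]
    zone = IncrementalSigner(names)
    zone.step()  # first batch: the apex and a.example. are now signed
    attempt = wait_until(check, zone)
    # Follow-up check of the kind the tests perform after the gate passes.
    return attempt, "sub.example." in zone.signed
```

With the apex-only gate the follow-up check runs while `sub.example.` is still unsigned; with the full gate it runs only after the last batch has been signed.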
On FIPS-enabled platforms, we need to ensure a minimal version of
hypothesis which no longer uses MD5. This doesn't need to be enforced
for other platforms.
Move the import magic to a utility module to avoid copy-pasting the
boilerplate code around.
Backport of MR !10442
Merge branch 'backport-nicki/pytest-import-hypothesis-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10507
On FIPS-enabled platforms, we need to ensure a minimal version of
hypothesis which no longer uses MD5. This doesn't need to be enforced
for other platforms.
Move the import magic to a utility module to avoid copy-pasting the
boilerplate code around.
(cherry picked from commit 0aff715f4040abd21f0bce9d48a2dc3f99186697)
Coverity detected that 'optlen' was not being checked in 'process_opt'.
This is actually already done when the OPT record was initially
parsed. Add an INSIST to silence Coverity as is done in message.c.
Closes #5330
Backport of MR !10500
Merge branch 'backport-5330-tainted-scalar-in-client-c-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10505
Coverity detected that 'optlen' was not being checked in 'process_opt'.
This is actually already done when the OPT record was initially
parsed. Add an INSIST to silence Coverity as is done in message.c.
(cherry picked from commit 72cd6e85916e02fe7f51806eb25ee0c5a973398a)
The memory context for managers and dlz_dlopen_driver units had no name
and that was causing trouble with the statistics channel output. Set
the name for the two memory contexts that were missing a proper name.
(cherry picked from commit 5d264b33295d164d55659b166ead7b31b92eda39)
A secondary zone could initiate a new zone transfer from the
primary server after it had been already deleted from the
secondary server, and before the internal garbage collection
was activated to clean it up completely. This has been fixed.
Closes #5291
Backport of MR !10449
Merge branch 'backport-5291-zone-delete-bug-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10496
After b171cacf4f0123ba96bef6eedfc92dfb608db6b7, a zone object can
remain in the memory for a while, until garbage collection is run.
Setting the DNS_ZONEFLG_EXITING flag should prevent the zone
maintenance function from running while it's in that state.
Otherwise, a secondary zone could initiate a zone transfer after
it had been deleted.
(cherry picked from commit 874ca5ca2f1f381e434304e262ea08e77e3bdf65)
A secondary zone could fail to further refresh with new
versions of the zone from a primary server if named was
reconfigured during the SOA request step of an ongoing
zone transfer. This has been fixed.
Closes #5307
Backport of MR !10468
Merge branch 'backport-5307-zone-refresh-stuck-after-reconfiguration-fix-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10495
When the request manager shuts down, it also shuts down all its ongoing
requests. Currently it calls their callback functions with an
ISC_R_SHUTTINGDOWN result code for the request. Since a request
manager can shut down not only during named shutdown but also during
named reconfiguration, instead of sending ISC_R_SHUTTINGDOWN result
code send an ISC_R_CANCELED code to avoid confusion and errors with
the expectation that an ISC_R_SHUTTINGDOWN result code can only be
received during actual shutdown of named.
All the callback functions which are passed to either the
dns_request_create() or the dns_request_createraw() functions have
been analyzed to confirm that they can process both the
ISC_R_SHUTTINGDOWN and ISC_R_CANCELED result codes. Changes were
made where it was necessary.
(cherry picked from commit f4cd307c6b705e13c45136ac4dc49e262a598297)
This new test checks that named can correctly process an interrupted
SOA request during zone transfer, caused by reconfiguration.
Co-authored-by: Michał Kępień <michal@isc.org>
(cherry picked from commit aa6ca3e77682462ed3af8bc42ea8590addba6626)
The new debug message logs the request result in the SOA request
callback function.
(cherry picked from commit b07ec4f0b3429f688d35d2694f56cffc9d3ac56b)
When the zone.c:refresh_callback() callback function is called during
a SOA request before a zone transfer, it can receive an
ISC_R_SHUTTINGDOWN result for the sent request when named is shutting
down, and in that case it just destroys the request and finishes the
ongoing transfer, without clearing the DNS_ZONEFLG_REFRESH flag of the
zone. This is alright when named is going to shut down, but currently
the callback can get an ISC_R_SHUTTINGDOWN result also when named is
reconfigured during the ongoing SOA request. In that case, leaving the
DNS_ZONEFLG_REFRESH flag set results in the zone never being able
to refresh again, because any new attempts will be canceled while
the flag is set. Clear the DNS_ZONEFLG_REFRESH flag on the 'exiting'
error path of the callback function.
(cherry picked from commit 228e441328af8f3a54c1ae3f0cd7b871dab83609)
Enable existing rndc system tests (the python test function calling the
shell file was missing). Also update the extra artifacts list to remove
one generated file which was left behind.
Backport of MR !10489
Merge branch 'backport-colin/rndc-tests-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10493
Enable existing rndc system tests (the python test function calling the
shell file was missing). Also update the extra artifacts list to remove
one generated file which was left behind.
(cherry picked from commit f84065a32c393daa32e8236b440ac6f2ecdeedc8)
Backport of MR !10487
Merge branch 'backport-pspacek/update-reporting-procedure-sec-md-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10491
We have a new template for people to use. It saves lots of back and
forth if people use it.
(cherry picked from commit cc60cc9a3249665edf5dcef33b526b8669138e51)
The comments for some calls in the dns_message API specified
requirements which were not actually enforced in the functions.
In most cases, this has now been corrected by adding the missing
REQUIREs. In one case, the comment was incorrect and has been
revised.
Backport of MR !10466
Merge branch 'backport-each-fix-message-requires-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10484
The comments for some calls in the dns_message API specified
requirements which were not actually enforced in the functions.
In most cases, this has now been corrected by adding the missing
REQUIREs. In one case, the comment was incorrect and has been
revised.
(cherry picked from commit c437da59ee78df59ce8708fa87a489154745a383)
This new option sets a delay (in seconds) to wait before sending
a set of NOTIFY messages for a zone. Whenever a NOTIFY message is
ready to be sent, sending will be deferred for this duration. This
option is not to be confused with the :any:`notify-delay` option.
The default is 0 seconds.
Closes #5259
Backport of MR !10419
Merge branch 'backport-5259-implement-zone-notify-defer-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10465
This new option sets the delay, in seconds, to wait before sending
a set of NOTIFY messages for a zone. Whenever a NOTIFY message is
ready to be sent, sending will be deferred for this duration.
(cherry picked from commit e42d6b48108e6c879fb7d152194708b0cb6d62b0)
A quick grep check discovered a couple more errors similar to the
one fixed in the previous commit. Fix them too.
(cherry picked from commit 52ac03f0643cbc85493ca43c717a2c8dde080db8)
The '|| ret=1' is omitted from the check. This was introduced in the
b171cacf4f0123ba96bef6eedfc92dfb608db6b7 commit. Fix the error.
(cherry picked from commit f200b1ac18e8085e0689656da1af2f59d84db4ee)
The test_idle_timeout check in the "timeouts" system test has been
failing often on FreeBSD 13 AWS hosts. Adding timestamped debug logging
shows that the time.sleep() calls used in that check are returning
significantly later than asked to on that platform (e.g. after 4 seconds
when just 1 second is requested), breaking the test's timing assumptions
and triggering false positives. These failures are not an indication of
a bug in named and have not been observed on any other platform. Mark
the problematic check as flaky, but only on FreeBSD 13, so that other
failure modes are caught appropriately.
Backport of MR !10459
Merge branch 'backport-michal/mark-test_idle_timeout-as-flaky-on-freebsd-13-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10461
The test_idle_timeout check in the "timeouts" system test has been
failing often on FreeBSD 13 AWS hosts. Adding timestamped debug logging
shows that the time.sleep() calls used in that check are returning
significantly later than asked to on that platform (e.g. after 4 seconds
when just 1 second is requested), breaking the test's timing assumptions
and triggering false positives. These failures are not an indication of
a bug in named and have not been observed on any other platform. Mark
the problematic check as flaky, but only on FreeBSD 13, so that other
failure modes are caught appropriately.
(cherry picked from commit cb76b3729e082f6c1ac0fbf608cee9bcb879cefa)
Focal-specific ./configure options were moved to Jammy.
Backport of MR !9899
Merge branch 'backport-mnowak/drop-ubuntu-focal-9.20' into 'bind-9.20'
See merge request isc-projects/bind9!10455
DNS messages that included a Transaction Signature (TSIG) containing an
invalid value in the algorithm field caused :iscman:`named` to crash
with an assertion failure. This has been fixed. :cve:`2025-40775`
Backport of !793
See isc-projects/bind9#5300
Merge branch '5300-confidential-tsig-unknown-alg-bind-9.20' into 'v9.20.9-release'
See merge request isc-private/bind9!795