ISC Open Source Projects issueshttps://gitlab.isc.org/groups/isc-projects/-/issues2023-07-17T13:58:24Zhttps://gitlab.isc.org/isc-projects/kea/-/issues/2556update configure.ac to 2.3.12023-07-17T13:58:24ZWlodzimierz Wencelupdate configure.ac to 2.3.1kea2.3.1Wlodzimierz WencelWlodzimierz Wencelhttps://gitlab.isc.org/isc-projects/kea/-/issues/2552Sanity checks for Kea 2.3.0 rc12022-09-08T13:36:13ZjenkinsSanity checks for Kea 2.3.0 rc1We are now at step SANITY CHECKS of Kea 2.3.0 rc1.
Please verify the tarballs and packages according to [chapter `4. Sanity Checks` of the release procedure](https://gitlab.isc.org/isc-private/qa-dhcp/-/wikis/Kea/Release-Process#user-co...We are now at step SANITY CHECKS of Kea 2.3.0 rc1.
Please verify the tarballs and packages according to [chapter `4. Sanity Checks` of the release procedure](https://gitlab.isc.org/isc-private/qa-dhcp/-/wikis/Kea/Release-Process#user-content-4-sanity-checks) and according to your imagination.
Before starting, please state what you are checking in a thread/discussion (not as comment).
When you finish a check, state in the same thread/discussion what the result is.
This way we know what is covered upfront and we can avoid repeating ourselves.
#### Tarballs on repo.isc.org
* `/data/shared/sweng/kea/releases/2.3.0-rc1`
* `/data/shared/sweng/kea/releases/premium-2.3.0-rc1`
* `/data/shared/sweng/kea/releases/subscription-2.3.0-rc1`
* `/data/shared/sweng/kea/releases/enterprise-2.3.0-rc1`
```
SHA256 (kea-2.3.0.tar.gz) = fd0e91824a1348e644e7201e624be3adbeb2887e11d6592f3b12b0c90c8a6822
SHA256 (kea-enterprise-2.3.0.tar.gz) = bef8080f76c262379449035763096177c2081c385afa3c4513156e18d7f42c5e
SHA256 (kea-premium-2.3.0.tar.gz) = bcb859daedd871d98cf228471f63aeb5d1a3db089e6ba83a4717a603a9a20e14
SHA256 (kea-subscription-2.3.0.tar.gz) = a20d375afb262b046abd4519997a297f10ce6c644f5576dc67faf4dc0c8c8c0f
```
#### Packages on packages.aws.isc.org
* [APK: 2.3.0-r20220829143617](https://packages.aws.isc.org/#browse/search/raw=format%3Draw%20AND%20name.raw%3D*r20220829143617.apk)
* [deb: 2.3.0-isc20220829143617](https://packages.aws.isc.org/#browse/search/apt=format%3Dapt%20AND%20version%3D2.3.0-isc20220829143617)
* [RPM: 2.3.0-isc20220829143617.\[os\]](https://packages.aws.isc.org/#browse/search/yum=format%3Dyum%20AND%20version%3D2.3.0-isc20220829143617*)
You can find the name for all the packages attached as build artifacts in the pkg job: https://jenkins.aws.isc.org/job/kea-dev/job/pkg/911/
Instructions for installing packages are at point 9 of [chapter `4. Sanity Checks` of the release procedure](https://gitlab.isc.org/isc-private/qa-dhcp/-/wikis/Kea/Release-Process#user-content-4-sanity-checks).kea2.3.1https://gitlab.isc.org/isc-projects/kea/-/issues/2405GSS-TSIG Broken response2022-09-15T13:09:56ZPeter DaviesGSS-TSIG Broken response GSS-TSIG Broken response
MS DNS servers seem to return a broken DDNS response, copying the entire
original request (including the TSIG RR) just setting the QR bit. The only
exception seems to be a response for a successful DDNS req... GSS-TSIG Broken response
MS DNS servers seem to return a broken DDNS response, copying the entire
original request (including the TSIG RR) just setting the QR bit. The only
exception seems to be a response for a successful DDNS request using TSIG, in
which case the TSIG RR of the response has a valid MAC for the response. In
our experience the broken responses can be sent when a DDNS prerequisite check
fails, authentication fails, or non-secure DDNS is allowed.
In the case of GSS-TSIG, the copied (broken) GSS token triggers the following
error:
INFO [kea-dhcp-ddns.gss-tsig-hooks/4678.139690935890624]
GSS_TSIG_VERIFY_FAILED GSS-TSIG verify failed: gss_verify_mic failed with
GSSAPI error:
Major = 'A token had an invalid Message Integrity Check (MIC)' (393216),
Minor = 'Packet was replayed in wrong direction' (100002).
it's not surprising since it's the token sent by Kea and the direction is
indeed wrong. I also suspect it's irrelevant to configuring or not configuring
a reverse mapping zone.
We might provide a way to disable integrity check on the response (usually DDNS
response is not that important) to work around this buggy behavior of MS
server. But that's probably considered to be too radical. (Relatively)
fortunately, these cases are usually just treated as an update failure anyway,
so probably we'll just need to live with the bug.
[RT #20795](https://support.isc.org/Ticket/Display.html?id=20795)kea2.3.1Peter DaviesPeter Davieshttps://gitlab.isc.org/isc-projects/kea/-/issues/2003host reservations and replicated databases2022-09-30T10:13:20ZPeter Davieshost reservations and replicated databaseshost reservations and replicated databases:
In order to increase availability would it be possible to configure Kea so that Host Reservation (HR) lookups could be directed to one or more read only database replicates.
Also that HR u...host reservations and replicated databases:
In order to increase availability would it be possible to configure Kea so that Host Reservation (HR) lookups could be directed to one or more read only database replicates.
Also that HR update commands in the Host Commands hooks libraries (host_cmd) can be configured to use a read/write database, or to be able to identify a read/write database from the set of "hosts-databases".
Maybe something like:
```
"hosts-databases": [
{
"type": "mysql",
"name": "Repicate-1",
"user-context": {
"use": "query",
"next": "Master"
},
...
},
"type": "mysql,
"name": "Repicate-2",
"user-context": {
"use": "query",
"next": "Master"
},
"type": "mysql,
"name": "Master",
"user-context": {
"use": "update",
"next": ""
},
...
}
],
```
[support#18800](https://support.isc.org/Ticket/Display.html?id=18800)kea2.3.1Wlodzimierz WencelWlodzimierz Wencelhttps://gitlab.isc.org/isc-projects/bind9/-/issues/3587Debugging named ACLs is hard2022-10-20T09:34:31ZMichał KępieńDebugging named ACLs is hardSee #3481 & #3482 for context.
There is much room for improvement in terms of making `named` more
verbose about which ACLs matched during query processing and which ones
did not. Better logging would help administrators understand and
...See #3481 & #3482 for context.
There is much room for improvement in terms of making `named` more
verbose about which ACLs matched during query processing and which ones
did not. Better logging would help administrators understand and
fine-tune ACLs.October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3578Retain the possibility to use OpenSSL engines with OpenSSL 3.x2024-03-28T16:48:17ZMichał KępieńRetain the possibility to use OpenSSL engines with OpenSSL 3.xSee #2996 for context.
It would be useful to retain the possibility to use OpenSSL engines with
OpenSSL 3.x; it is possible to build against the latter in API
compatibility mode (`-DOPENSSL_API_COMPAT=10100`), so we should take
advantag...See #2996 for context.
It would be useful to retain the possibility to use OpenSSL engines with
OpenSSL 3.x; it is possible to build against the latter in API
compatibility mode (`-DOPENSSL_API_COMPAT=10100`), so we should take
advantage of that before a "native" OpenSSL 3.x provider gets
implemented.October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3577reloads in ixfr system test happen too fast2022-10-06T09:28:53ZMark Andrewsreloads in ixfr system test happen too fastThe ixfr system test can fail because reloads happen too fast causing the reload of
zone files to be skipped as up to date.
```
I:ixfr:testing 'request-ixfr yes' option inheritance from view (7)
I:ixfr:ns3 server reload successful
I:ixf...The ixfr system test can fail because reloads happen too fast causing the reload of
zone files to be skipped as up to date.
```
I:ixfr:testing 'request-ixfr yes' option inheritance from view (7)
I:ixfr:ns3 server reload successful
I:ixfr:exceeded time limit waiting for literal 'got incremental response' in ns4/named.run
I:ixfr:failed
```
```
05-Oct-2022 16:18:18.158 received control channel command 'reload'
05-Oct-2022 16:18:18.254 received control channel command 'reload'
05-Oct-2022 16:18:18.350 received control channel command 'reload'
```October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3575CID 357159 Double free in lib/dns/request.c2022-10-05T09:29:12ZMichal NowakCID 357159 Double free in lib/dns/request.cCoverity Scan reports on `v9_18`:
```
/lib/dns/request.c: 794 in dns_request_create()
788 /* connect failed, detach here */
789 req_detach(&(dns_request_t *){ request });
790
791 cleanup:
792 isc_task_detach(&(isc...Coverity Scan reports on `v9_18`:
```
/lib/dns/request.c: 794 in dns_request_create()
788 /* connect failed, detach here */
789 req_detach(&(dns_request_t *){ request });
790
791 cleanup:
792 isc_task_detach(&(isc_task_t *){ task });
793 /* final detach to shut down request */
>>> CID 357159: (USE_AFTER_FREE)
>>> Calling "req_detach" frees pointer "request" which has already been freed.
794 req_detach(&request);
795 req_log(ISC_LOG_DEBUG(3), "dns_request_create: failed %s",
796 isc_result_totext(result));
797 return (result);
798 }
799
```
This seems to come from 8f61d07918d083600404b230c7254dab72e5fd5f.October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/3572Sphinx 5.2 reports a warning for doc/arm/catz.inc.rst2022-10-05T12:11:57ZMichał KępieńSphinx 5.2 reports a warning for doc/arm/catz.inc.rstSphinx 5.2.2 reports the following warning when `make doc` is run for
current `main` and `v9_18`:
```
Running Sphinx v5.2.2
making output directory... done
building [mo]: all of 0 po files
building [html]: all source files
updating envi...Sphinx 5.2.2 reports the following warning when `make doc` is run for
current `main` and `v9_18`:
```
Running Sphinx v5.2.2
making output directory... done
building [mo]: all of 0 po files
building [html]: all source files
updating environment: [new config] 16 added, 0 changed, 0 removed
reading sources... [100%] reference
looking for now-outdated files... none found
pickling environment... done
checking consistency... done
preparing documents... done
writing output... [100%] reference
Warning, treated as error:
/tmp/bind9/doc/arm/catz.inc.rst:234:more than one target found for 'any' cross-reference 'allow-query': could be :std:ref:`allow-query` or :namedconf:ref:`namedconf-statement-allow-query`
make[2]: *** [Makefile:757: html-local] Error 2
```
The line being flagged above has been around for the past two months and
it worked fine with Sphinx 5.1.1, so I assume that it is some new check
in the most up-to-date Sphinx version that triggers this warning.October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)Petr Špačekpspacek@isc.orgPetr Špačekpspacek@isc.orghttps://gitlab.isc.org/isc-projects/bind9/-/issues/3569dns_message_checksig under oss_fuzz is not seeing the data files2022-10-06T09:21:47ZMark Andrewsdns_message_checksig under oss_fuzz is not seeing the data filesoss_fuzz is reporting an assertion that happens when the data files are not available.
https://google.github.io/oss-fuzz/further-reading/fuzzer-environment/ says very little about how to rectify this but as `/tmp` is available we can ju...oss_fuzz is reporting an assertion that happens when the data files are not available.
https://google.github.io/oss-fuzz/further-reading/fuzzer-environment/ says very little about how to rectify this but as `/tmp` is available we can just create a key directory there.October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3565AddressSanitizer: stack-use-after-scope in dns_tsig_verify (dns_message_check...2022-09-29T10:24:54ZPetr Špačekpspacek@isc.orgAddressSanitizer: stack-use-after-scope in dns_tsig_verify (dns_message_checksig test)### Summary
ASAN error:
```
testing 63 bytes from /builds/isc-projects/bind9/fuzz/dns_message_checksig.in/tsig-reply
=================================================================
==1074==ERROR: AddressSanitizer: stack-use-after-scop...### Summary
ASAN error:
```
testing 63 bytes from /builds/isc-projects/bind9/fuzz/dns_message_checksig.in/tsig-reply
=================================================================
==1074==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe14b1d780 at pc 0x55eeaf01c3ff bp 0x7ffe14b1c990 sp 0x7ffe14b1c160
READ of size 12 at 0x7ffe14b1d780 thread T0
#0 0x55eeaf01c3fe in __asan_memmove (/builds/isc-projects/bind9/fuzz/.libs/dns_message_checksig+0xa63fe) (BuildId: 73cf12c5424a9fda378fddea924b696e6cb966ca)
#1 0x7f93f3d6a227 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40:10
#2 0x7f93f3d6a227 in dns_tsig_verify /builds/isc-projects/bind9/lib/dns/tsig.c:1241:3
#3 0x7f93f3dd122d in dns_view_checksig /builds/isc-projects/bind9/lib/dns/view.c:1471:10
#4 0x7f93f38f42a8 in dns_message_checksig /builds/isc-projects/bind9/lib/dns/message.c:3145:12
#5 0x55eeaf058c18 in LLVMFuzzerTestOneInput /builds/isc-projects/bind9/fuzz/dns_message_checksig.c:393:11
#6 0x55eeaf05c189 in test_one_file /builds/isc-projects/bind9/fuzz/main.c:53:3
#7 0x55eeaf05c468 in test_all_from /builds/isc-projects/bind9/fuzz/main.c:89:3
#8 0x55eeaf05bc18 in main /builds/isc-projects/bind9/fuzz/main.c:130:2
#9 0x7f93f2dc5d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#10 0x55eeaef9a569 in _start (/builds/isc-projects/bind9/fuzz/.libs/dns_message_checksig+0x24569) (BuildId: 73cf12c5424a9fda378fddea924b696e6cb966ca)
```
Jobs:
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/2793490: [test-suite.log](/uploads/83a286ac6c986172669ad2e5579a8716/test-suite.log)
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/2793597: [test-suite.log](/uploads/e091fdf3e65bbbd62b360da2d700fe51/test-suite.log)
### BIND version used
4108d79c9a3bc7a617d7ca24adc1180043ee9919 (!6822), but change in this MR affects only tests.
### Steps to reproduce
Run unit:clang:asan job in CI.
### What is the current *bug* behavior?October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3562suffix may be used before being assigned in qmin/ans3/ans.py2022-09-29T10:03:12ZMark Andrewssuffix may be used before being assigned in qmin/ans3/ans.pyCoverity reports `Bad use of null-like value`
```
139 if lqname == "zoop.boing." and rrtype == NS:
CID 350722 (#1 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
140 r.answer.append(
141 dns.r...Coverity reports `Bad use of null-like value`
```
139 if lqname == "zoop.boing." and rrtype == NS:
CID 350722 (#1 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
140 r.answer.append(
141 dns.rrset.from_text(lqname + suffix, 1, IN, NS, "ns3." + suffix)
142 )
143 r.flags |= dns.flags.AA
11. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
144 elif endswith(lqname, "icky.ptang.zoop.boing."):
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
12. invalid_operation: Invalid operation on null-like value suffix.
145 r.authority.append(
146 dns.rrset.from_text(
147 "icky.ptang.zoop.boing." + suffix,
148 1,
149 IN,
150 NS,
151 "a.bit.longer.ns.name." + suffix,
152 )
153 )
154 elif endswith("icky.ptang.zoop.boing.", lqname):
CID 350722 (#3 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
155 r.authority.append(
156 dns.rrset.from_text(
157 "zoop.boing." + suffix,
158 1,
159 IN,
160 SOA,
161 "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
162 )
163 )
164 if bad:
165 r.set_rcode(NXDOMAIN)
166 if ugly:
167 r.set_rcode(FORMERR)
168 elif endswith(lqname, "zoop.boing."):
CID 350722 (#4 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
169 r.authority.append(
```October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/3557Catalog zone processing failed to detect TSIG key changes for primaries2022-10-19T11:01:53ZMark AndrewsCatalog zone processing failed to detect TSIG key changes for primariesIf only the TSIG key names where changed in primary statements of catalog zone entries the zone's configuration was not being updated to reflect that change.
[RT #21307](https://support.isc.org/Ticket/Display.html?id=21307)If only the TSIG key names where changed in primary statements of catalog zone entries the zone's configuration was not being updated to reflect that change.
[RT #21307](https://support.isc.org/Ticket/Display.html?id=21307)October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/3553followups from #34932022-09-27T12:59:11ZEvan Huntfollowups from #3493Now that the minimal fix for the statistics channel overread issue has been merged to the public repository, related code that was written while fixing it can be made public as well:
- further cleaning up httpd.c
- adding assertions to ...Now that the minimal fix for the statistics channel overread issue has been merged to the public repository, related code that was written while fixing it can be made public as well:
- further cleaning up httpd.c
- adding assertions to the `ISC__BUFFER` macros
- changing `ISC__BUFFER` macros to static inline functions in 9.19 and 9.18October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)Evan HuntEvan Hunthttps://gitlab.isc.org/isc-projects/bind9/-/issues/3551Missing RSA_free call in opensslrsa_verify22022-09-28T00:06:52ZMark AndrewsMissing RSA_free call in opensslrsa_verify2If `e == NULL` then we should be freeing `rsa`. I don't believe that there is a path where we construct a `rsa` key without `e` and thereby trigger this path but marking confidential until that review is done. This was reported by Seth...If `e == NULL` then we should be freeing `rsa`. I don't believe that there is a path where we construct a `rsa` key without `e` and thereby trigger this path but marking confidential until that review is done. This was reported by Seth Arnold <seth.arnold@canonical.com>.
```
#if OPENSSL_VERSION_NUMBER < 0x30000000L
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
RSA_get0_key(rsa, NULL, &e, NULL);
if (e == NULL) {
return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
}
bits = BN_num_bits(e);
RSA_free(rsa);
#else
```October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3548Static declaration of 'sallocx' follows non-static declaration on FreeBSD 13.12022-09-27T13:35:39ZMichal NowakStatic declaration of 'sallocx' follows non-static declaration on FreeBSD 13.1`main` fails to build on FreeBSD 13.1-RELEASE-p2 when `--without-jemalloc` is present:
```
In file included from mem.c:58:
./jemalloc_shim.h:70:1: error: static declaration of 'sallocx' follows non-static declaration
sallocx(void *ptr, i...`main` fails to build on FreeBSD 13.1-RELEASE-p2 when `--without-jemalloc` is present:
```
In file included from mem.c:58:
./jemalloc_shim.h:70:1: error: static declaration of 'sallocx' follows non-static declaration
sallocx(void *ptr, int flags) {
^
/usr/include/malloc_np.h:99:8: note: previous declaration is here
size_t sallocx(const void *ptr, int flags);
^
1 error generated.
```October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3547memory leak in dns_message_checksig function - SIG(0) without view2022-09-29T10:48:45ZPetr Špačekpspacek@isc.orgmemory leak in dns_message_checksig function - SIG(0) without viewReproduced using code from !5923 commit 4a3aa7abc8fb0610a807dcbd5ca34af1b332d97e.
It was caught by AFL fuzzer when tests were crashing wildly.
AFL output:
```
american fuzzy lop ++4.02c {default} (.libs/lt-dns_message_checksig) [fast...Reproduced using code from !5923 commit 4a3aa7abc8fb0610a807dcbd5ca34af1b332d97e.
It was caught by AFL fuzzer when tests were crashing wildly.
AFL output:
```
american fuzzy lop ++4.02c {default} (.libs/lt-dns_message_checksig) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 0 min, 26 sec │ cycles done : 14 │
│ last new find : 0 days, 0 hrs, 0 min, 0 sec │ corpus count : 117 │
│last saved crash : 0 days, 0 hrs, 0 min, 4 sec │saved crashes : 27 │
│ last saved hang : none seen yet │ saved hangs : 0 │
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 31.274 (26.5%) │ map density : 0.31% / 1.41% │
│ runs timed out : 0 (0.00%) │ count coverage : 1.45 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : havoc │ favored items : 60 (51.28%) │
│ stage execs : 117/220 (53.18%) │ new edges on : 76 (64.96%) │
│ total execs : 1.62M │ total crashes : 158 (27 saved) │
│ exec speed : 61.6k/sec │ total tmouts : 0 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : disabled (default, enable with -D) │ levels : 8 │
│ byte flips : disabled (default, enable with -D) │ pending : 27 │
│ arithmetics : disabled (default, enable with -D) │ pend fav : 0 │
│ known ints : disabled (default, enable with -D) │ own finds : 114 │
│ dictionary : n/a │ imported : 0 │
│havoc/splice : 93/655k, 48/959k │ stability : 99.27% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : 32.43%/2274, disabled │ [cpu000: 25%]
└────────────────────────────────────────────────────┘^C
+++ Baking aborted by the chef +++
[+] We're done here. Have a nice day!
```
Reproducer:
```shell
autoreconf -fiv
CC='afl-clang-fast' CFLAGS='-O2 -march=native' CPPFLAGS='-D_FORTIFY_SOURCE=0' ./configure --enable-fuzzing=afl
make
cd fuzz
make check # fails, but nevermind
./dns_message_checksig
```
This will print a message with a value you sound set in the next step. E.g.
```
Warning: AFL++ tools might need to set AFL_MAP_SIZE to 67237 to be able to run this instrumented program if this crashes!
```
Go on:
```
AFL_MAP_SIZE=67237 afl-fuzz -i dns_message_checksig.in -o dns_message_checksig.out .libs/lt-dns_message_checksig
```
:boom:
Versions used:
```
$ pacman -Q afl clang
aflplusplus 4.02c-1
clang 14.0.6-2
BIND 90949da78f048eca660417906a25165de676e8c1
```October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)Petr Špačekpspacek@isc.orgPetr Špačekpspacek@isc.orghttps://gitlab.isc.org/isc-projects/bind9/-/issues/3544Add dohpath parsing to SVCB2022-10-04T04:36:43ZMark AndrewsAdd dohpath parsing to SVCB"dohpath" has key value 7 per https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml and is specified in https://datatracker.ietf.org/doc/html/draft-ietf-add-svcb-dns"dohpath" has key value 7 per https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml and is specified in https://datatracker.ietf.org/doc/html/draft-ietf-add-svcb-dnsOctober 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)Mark AndrewsMark Andrewshttps://gitlab.isc.org/isc-projects/bind9/-/issues/3542BIND sometimes exits with "assertion failure" when accessing the statistics c...2022-09-27T13:01:48ZGreg ChoulesBIND sometimes exits with "assertion failure" when accessing the statistics channelThe following Support ticket provide evidence of this happening:
[Named crashes "critical: httpd.c:871: REQUIRE(httpd->state == RECV) failed" with statistics-channel call](https://support.isc.org/Ticket/Display.html?id=21145)
This may a...The following Support ticket provide evidence of this happening:
[Named crashes "critical: httpd.c:871: REQUIRE(httpd->state == RECV) failed" with statistics-channel call](https://support.isc.org/Ticket/Display.html?id=21145)
This may also be related to CVE-2022-2881October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)https://gitlab.isc.org/isc-projects/bind9/-/issues/3541Have 'named -V' report supported algorithms2023-06-15T16:19:32ZMark AndrewsHave 'named -V' report supported algorithmsThese vary depending upon the version of OpenSSL in use and how OpenSSL is configured.
These may also depend on FIPS mode and crypto graphic engine configuration.
These may also depend on what is discovered at compile time.
e.g.
```
D...These vary depending upon the version of OpenSSL in use and how OpenSSL is configured.
These may also depend on FIPS mode and crypto graphic engine configuration.
These may also depend on what is discovered at compile time.
e.g.
```
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
```October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)