[CVE-2022-38178][v9_11] eddsa verify leak

See merge request !7242

In order to trigger the EDDSA verify memory leak, use the algorithm in
the mkeys system test accordingly.

[CVE-2022-38177][v9_11] ecdsa verify leak

See merge request !7241

Mark Andrews authored Jul 08, 2022 and Michal Nowak committed Dec 21, 2022

(cherry picked from commit 78fa0829)

[CVE-2022-2795] [v9_11] Bound the amount of work performed for delegations

See merge request !7240

Michał Kępień authored Sep 06, 2022 and Michal Nowak committed Dec 21, 2022

Add a test ensuring that the amount of work fctx_getaddresses() performs
for any encountered delegation is limited: delegate example.net to a set
of 1,000 name servers in the redirect.com zone, the names of which all
resolve to IP addresses that nothing listens on, and query for a name in
the example.net domain, checking the number of times the findname()
function gets executed in the process; fail if that count is excessively
large.

Since the size of the referral response sent by ans3 is about 20 kB, it
cannot be sent back over UDP (EMSGSIZE) on some operating systems in
their default configuration (e.g. FreeBSD - see the
net.inet.udp.maxdgram sysctl).  To enable reliable reproduction of
CVE-2022-2795 (retry patterns vary across BIND 9 versions) and avoid
false positives at the same time (thread scheduling - and therefore the
number of fetch context restarts - vary across operating systems and
across test runs), extend bin/tests/system/resolver/ans3/ans.pl so that
it also lis...

Michał Kępień authored Sep 06, 2022 and Michal Nowak committed Dec 21, 2022

Limit the amount of database lookups that can be triggered in
fctx_getaddresses() (i.e. when determining the name server addresses to
query next) by setting a hard limit on the number of NS RRs processed
for any delegation encountered.  Without any limit in place, named can
be forced to perform large amounts of database lookups per each query
received, which severely impacts resolver performance.

The limit used (20) is an arbitrary value that is considered to be big
enough for any sane DNS delegation.

Check backport workflow in danger CI [v9_11]

See merge request !7247

A full backport must have all the commit from the original MR and the
original commit IDs must be referenced in the backport commit messages.

If the criteria above is not met, the MR should be marked as a partial
backport. In that case, any discrepencies are only logged as informative
messages rather than failures.

(cherry picked from commit c617f977)

When checking a backport MR, ensure that the original MR has been merged
already. This is vital for followup checks that verify commit IDs from
original commits are present in backport commit messages.

(cherry picked from commit 89530f1a)

When doing archeology, it is much easier to find stuff if it's properly
linked. This check ensures that backport MR are linked to their original
MR via a "Backport of !XXXX" message.

The regular expression is fairly broad and has been tested to accept the
following variants of the message:
Backport of MR !XXXX
Backport of: !XXXX
backport of mr !XXXX
Backport of   !XXXX
Backport of https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/XXXX

(cherry picked from commit 12e0b057)

Having the MR title clearly marked in its title can be very useful when
looking through older issues/MRs.

This check also ensures that the version from the version label matches
the proper version branch (i.e. v9.16 must be marked with [v9_16]).

(cherry picked from commit 14b027cf)

Treat the Backport::Partial label as a backport as well.

(cherry picked from commit 1c0c1ba8)

[CVE-2021-25220] Add tests for forwarder cache poisoning scenarios [v9_11]

See merge request !6108

Mark Andrews authored Jan 18, 2022 and Petr Špaček committed Apr 08, 2022

- Check that an NS in an authority section returned from a forwarder
  which is above the name in a configured "forward first" or "forward
  only" zone (i.e., net/NS in a response from a forwarder configured for
  local.net) is not cached.
- Test that a DNAME for a parent domain will not be cached when sent
  in a response from a forwarder configured to answer for a child.
- Check that glue is rejected if its name falls below that of zone
  configured locally.
- Check that an extra out-of-bailiwick data in the answer section is
  not cached (this was already working correctly, but was not explicitly
  tested before).

- v9_11 backport: Revert primary/secondary to master/slave,
  backport rndc helper, backport ns8 config.

(cherry picked from commit bf3fffff)

Save parsed tsan files with .txt extension

See merge request !6022

When the parse tsan files have text extension they can be viewed
directly in the GitLab web UI without downloading them locally.

(cherry picked from commit 80582073)

Merge 9.11.37 release branch

See merge request !5992

Prepare documentation for BIND 9.11.37

See merge request isc-private/bind9!394

[CVE-2021-25220] [v9_11] prevent cache poisoning from forwarder responses

See merge request isc-private/bind9!381

Petr Špaček authored Mar 03, 2022 and Michał Kępień committed Mar 03, 2022

Compound literals are not used in BIND 9.11, in order to ensure backward
compatibility with ancient compilers.  Rework the relevant parts of the
BIND 9.11 backport of the CVE-2021-25220 fix so that compound literals
are not used.

Mark Andrews authored Feb 02, 2022 and Michał Kępień committed Mar 03, 2022

When caching glue, we need to ensure that there is no closer
source of truth for the name. If the owner name for the glue
record would be answered by a locally configured zone, do not
cache.

Mark Andrews authored Mar 01, 2022 and Michał Kępień committed Mar 03, 2022

When caching additional and glue data *not* from a forwarder, we must
check that there is no "forward only" clause covering the owner name
that would take precedence.  Such names would normally be allowed by
baliwick rules, but a "forward only" zone introduces a new baliwick
scope.

Mark Andrews authored Jan 21, 2022 and Michał Kępień committed Mar 03, 2022

If we are using a fowarder, in addition to checking that names to
be cached are subdomains of the forwarded namespace, we must also
check that there are no subsidiary forwarded namespaces which would
take precedence. To be safe, we don't cache any responses if the
forwarding configuration has changed since the query was sent.

Mark Andrews authored Mar 01, 2022 and Michał Kępień committed Mar 03, 2022

When using a forwarder, check that the owner name of response
records are within the bailiwick of the forwarded name space.

[v9_11] Run spatch jobs in parallel

See merge request !5834

Also make the script more verbose to identify which patch is being
processed and check for failures in spatch standard error output.

(cherry picked from commit 48c44fe6)

[v9_11] Update Coverity Scan CI job to 2021.12.1

See merge request !5831

(cherry picked from commit f0edf07f)

[v9_11] Update copyrights to 2022

See merge request !5683