# BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
Updated: 2022-03-01T09:47:10Z

## #3034: UDP dispatch can reuse <srcip, srcport, dstip, dstport>
https://gitlab.isc.org/isc-projects/bind9/-/issues/3034
Updated: 2022-03-01T09:47:10Z | Author: Ondřej Surý

This could possibly lead to the wrong callback receiving the response and dropping it on the floor because of non-matching QID.

Milestone: Not planned

## #3031: Add support for caching parent and child NSEC and RRSIG at the same name
https://gitlab.isc.org/isc-projects/bind9/-/issues/3031
Updated: 2022-06-01T14:34:00Z | Author: Mark Andrews

This should improve synth-from-dnssec hit rates as we currently only keep the latest one we learn.
rbtdb will also need to become more selective about the covering NSEC returned. If we have a parental NSEC it is not valid for names that are subdomains of the NSEC owner.

Milestone: Not planned

## #2992: Replace "tcp-only" with a more generic option
https://gitlab.isc.org/isc-projects/bind9/-/issues/2992
Updated: 2023-11-02T17:02:20Z | Author: Artem Boldariev

Bind has a `tcp-only` option to force interaction with a server using TCP only.
```
server <address> {
...
tcp-only yes;
...
};
```
This option was enough when DNS was using UDP and TCP only (Do53), however as it becomes possible to carry DNS traffic with more transports, we might need to replace this option with a more generic one which could specify the desired transport explicitly, e.g.:
```
server <address> {
...
transport tcp; # or "tls", or "quic" (in the future), etc
...
};
```
When the option is omitted, it means use the default (Do53 - the current behaviour).
This issue, in a way, mirrors #2776.

Milestone: Not planned | Assignee: Artem Boldariev

## #2981: Add EDNS option to report raw zone's serial with SOA query for inline zones
https://gitlab.isc.org/isc-projects/bind9/-/issues/2981
Updated: 2021-10-27T20:45:10Z | Author: Mark Andrews

This would be useful when monitoring that the raw contents are up-to-date.

## #2967: Consider adding back resolver timers
https://gitlab.isc.org/isc-projects/bind9/-/issues/2967
Updated: 2021-10-21T08:10:52Z | Author: Matthijs Mekking <matthijs@isc.org>

#2927 unveiled a cycle that would result in a hang, that previously was a timeout. Consider adding back timers, either with `isc_timers` or with the new network manager timers.

## #2965: RPZ and /0 prefixes
https://gitlab.isc.org/isc-projects/bind9/-/issues/2965
Updated: 2021-11-09T17:33:50Z | Author: Mark Andrews

On quick examination of lib/dns/rpz.c it looks just removing the check for zero length prefixes is not enough to have them work.

Milestone: Not planned

## #2964: Templates in the configuration
https://gitlab.isc.org/isc-projects/bind9/-/issues/2964
Updated: 2024-01-15T07:00:03Z | Author: Ondřej Surý

The zone should contain reusable chunks (something like yaml: `<< *foo`).

Milestone: Not planned

## #2955: Bad html generated for 9.11 doc on web site
https://gitlab.isc.org/isc-projects/bind9/-/issues/2955
Updated: 2022-03-01T09:46:14Z | Author: Mark Andrews

See https://bind.isc.org/doc/arm/9.11/man.named.conf.html for example.
White space is incorrect.

Milestone: Not planned

## #2936: dispatch_test failed
https://gitlab.isc.org/isc-projects/bind9/-/issues/2936
Updated: 2023-11-02T17:02:19Z | Author: Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/jobs/2023742

Milestone: Not planned

## #2919: nsupdate with GSS-TSIG ignores server keyword
https://gitlab.isc.org/isc-projects/bind9/-/issues/2919
Updated: 2022-04-26T13:38:48Z | Author: Petr Špaček <pspacek@isc.org>

### Summary
`nsupdate -g` ignores `server` keyword and sends updates to SOA MNAME (instead of sending them to server specified by user).
### BIND version used
(Paste the output of `named -V`.)
```
named -V
BIND 9.16.8-Ubuntu (Stable Release) <id:539f9f0>
running on Linux x86_64 5.4.0-84-generic #94-Ubuntu SMP Thu Aug 26 20:27:37 UTC 2021
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--disable-isc-spnego' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/bind9-ctcsDC/bind9-9.16.8=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -flto=auto -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 10.3.0
compiled with OpenSSL version: OpenSSL 1.1.1j 16 Feb 2021
linked to OpenSSL version: OpenSSL 1.1.1j 16 Feb 2021
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
threads support is enabled
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
### Steps to reproduce
0. Configure GSS-TSIG (good luck...)
1. Configure a test DNS zone ZZZ with SOA MNAME = MNAMEINSOA
2. Run `nsupdate -g`
3. Use input which modifies a record in zone ZZZ **and** includes keyword `server DIFFERENTSERVER` (DIFFERENTSERVER != MNAMEINSOA)
### What is the current *bug* behavior?
`nsupdate` attempts to obtain Kerberos service ticket for DNS server name MNAMEINSOA (from SOA RR) and ignores value provided in keyword `server`.
### What is the expected *correct* behavior?
`nsupdate` should respect value provided in `server` keyword.
### Relevant configuration files
named.conf:
```
zone "example.org" {
type master;
file "/var/lib/bind/db.example.org";
update-policy {
grant "DHCP/admin.example.org@EXAMPLE.ORG" zonesub any;
};
};
```
Input:
```
nsupdate -g <<EOF
server server.example.org
update add abc.example.org. 120 TXT "Hello from Kerberos"
send
EOF
```
### Relevant logs and/or screenshots
```
setup_system()
reset_system()
user_interaction()
do_next_command()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37613
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;abc.example.org. IN SOA
;; AUTHORITY SECTION:
example.org. 0 IN SOA example.org. root.example.org. 8 604800 86400 2419200 604800
Found zone name: example.org
The master is: example.org <<<--- THIS SHOULD NOT HAPPEN
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
[404] 1632329550.171413: ccselect module realm chose cache FILE:/tmp/krb5cc_0 with client principal DHCP/admin.example.org@EXAMPLE.ORG for server principal DNS/example.org@EXAMPLE.ORG
```
### Additional notes
We need to inspect other parameters as well.
Chat with investigation starts here:
https://mattermost.isc.org/isc/pl/jrk7fqwp4pbr9n787qx7wi18gh

## #2883: Let name of inline-signed zone file be configured
https://gitlab.isc.org/isc-projects/bind9/-/issues/2883
Updated: 2023-11-02T16:26:08Z | Author: Magnus Holmgren

### Description
The names of journal files can be overridden (with `journal`), but not the names of the signed zone files created when `inline-signing=yes`. They are always named like the original file with `.signed` appended. https://gitlab.isc.org/isc-projects/bind9/-/blob/2872d6a12efe578360a641c1ba90884ea9a7dd01/bin/named/zoneconf.c#L1116
It's not a huge deal, but I'd like to separate manually edited configuration from software managed data per the FHS, and thus keep non-dynamic master zones in /etc (which is also what the Debian package recommends) but the inline-signed zone data in /var/lib. (It appears that the Debian BIND maintainers didn't consider inline signing, because the included AppArmor profile prevents `named` from writing to /etc/bind.)
### Request
Define a new option `signed-file` or similar. Could something like [signed-file.patch](/uploads/ec5f66b98f5c986d867ea76ccc4a89d9/signed-file.patch) work?

Milestone: Not planned

## #2879: Add --disable-doh to a CI build?
https://gitlab.isc.org/isc-projects/bind9/-/issues/2879
Updated: 2023-11-02T16:26:08Z | Author: Mark Andrews

The following discussion from !5353 should be addressed:
- [ ] @marka started a [discussion](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5353#note_231504): (+1 comment)
> One remaining question is "do we add yet another system with --disable-doh to CI?"
- [ ] Also should we have a CI build that does not have libnghttp2 installed.

Milestone: Not planned

## #2876: upgrade tests for persistent data are missing
https://gitlab.isc.org/isc-projects/bind9/-/issues/2876
Updated: 2021-08-26T20:32:47Z | Author: Petr Špaček <pspacek@isc.org>

We need tests to cover compatibility of persistent files between versions. List of formats which come to mind:
- [ ] zone journal
- [ ] zone in raw format
- [ ] zone in map format
- [ ] new-zone database (NZD) in our custom format
- [ ] new-zone database (NZD) in LMDB
- [ ] managed-keys
This list might not be exhaustive.

Milestone: Not planned

## #2865: Follow-up from "Test migrating CSK to dnssec-policy"
https://gitlab.isc.org/isc-projects/bind9/-/issues/2865
Updated: 2021-08-17T14:52:13Z | Author: Matthijs Mekking <matthijs@isc.org>

The following discussion from !5328 should be addressed:
- [ ] @marka started a [discussion](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5328#note_230211): (+2 comments)
> I would test migrating 2 SEP keys. I would also test migrating 2 non-SEP keys.

Milestone: Not planned

## #2862: Persistent mode doesn't work with `named` AFL fuzzing
https://gitlab.isc.org/isc-projects/bind9/-/issues/2862
Updated: 2022-04-02T07:50:35Z | Author: Siva Kesava R Kakarla

### Summary
When the code is compiled with `afl-clang-fast` to enable fuzzing of `named` in persistent mode, it either results in a compilation error with an older version (2.52b) or goes through with the latest version (3.14c), but the persistent mode is not detected.
### BIND version used
Older version:
- BIND 9.17.5 (Development Release) <id:dbcf683>
- afl-clang-fast 2.52b
- clang version 4.0.1-10 (tags/RELEASE_401/final)
- Ubuntu:bionic container; afl-clang-fast installed with `apt install afl++`
Latest Version:
- BIND 9.17.16 (Development Release) <id:502f48a>
- afl-cc ++3.14c, mode: LLVM-PCGUARD [(afl-clang-fast symlinks to afl-cc and uses the mode variable to detect LLVM or gcc)](https://github.com/AFLplusplus/AFLplusplus#a-selecting-the-best-afl-compiler-for-instrumenting-the-target)
- Ubuntu clang version 12.0.1-++20210630032618+fed41342a82f-1~exp1~20210630133332.127
- Using aflplusplus/aflplusplus:latest container
### Steps to reproduce
Older version:
- cd bind9; `autoreconf -fi`
- `CXX=afl-clang-fast++ CC=afl-clang-fast ./configure --enable-fuzzing=afl --disable-linux-caps --disable-shared --enable-static --enable-developer --without-cmocka --without-zlib`
- `make -j`
The above `make` results in the following error:
```
make[4]: Entering directory '/bind9/bin/named'
CC fuzz.o
afl-clang-fast 2.52b by <lszekeres@google.com>
fuzz.c:585:2: error: cast from 'const char *' to 'char *' drops const qualifier [-Werror,-Wcast-qual]
__AFL_LOOP(0);
^
<command line>:11:88: note: expanded from here
#define __AFL_LOOP(_A) ({ static volatile char *_B __attribute__((used)); _B = (char*)"##SIG_AFL_PERS...
^
1 error generated.
```
Commenting out that [line from `fuzz.c`](https://gitlab.isc.org/isc-projects/bind9/-/blob/dbcf683c1a57f49876e329fca183cb39d20ca3a4/bin/named/fuzz.c#L577) makes without any issue, but AFL doesn’t recognize it to be in persistent mode (expected as this line was used to signal that).
The build goes through if `afl-clang` is used instead of the `afl-clang-fast`. The problem is that `named` has to be fuzzed in persistent mode only: there is a check for if the environment variable [`AFL_Persistent` is set in fuzz.c](https://gitlab.isc.org/isc-projects/bind9/-/blob/dbcf683c1a57f49876e329fca183cb39d20ca3a4/bin/named/fuzz.c#L752 ) and then it spawns a new fuzz thread.
Latest Version:
Everything gets built using the same above commands, but the new thread is not spawned when run as the above check fails. Running `named -A client:127.0.0.1:53 -g` actually results in a segmentation fault (printing `...found 8 CPUs, using 8 worker threads; using 8 UDP listeners per interface; segmentation fault`) when compiled with the latest version of afl++.
----------------
What version combination (Bind version + clang version) works well for fuzzing the `named` binary using the `-A client:127.0.0.1:53` argument? Are there some flags that have to be set to allow the detection of the persistent mode and allow fuzz thread spawning in the `named_fuzz_setup` function?

Milestone: Not planned

## #2849: Dig: Add option to change default record type
https://gitlab.isc.org/isc-projects/bind9/-/issues/2849
Updated: 2022-04-26T13:36:02Z | Author: Sören Klein

### Description
It would be great to have the option to change the default record type from e.g. `A` to `AAAA`.
It would also be very helpful if multiple default record types are supported, e.g. `A, AAAA`.
### Request
I would like to set the default records either with an option, e.g. `dig --set-default-records "A, AAAA"`, or as part of a system environment variable.
If multiple record types are defined, then the command `dig example.com` with the types `A, AAAA` should be extended to `dig example.com A example.com AAAA`.
### Links / references

Milestone: Not planned

## #2806: Remove AX_CHECK_OPENSSL
https://gitlab.isc.org/isc-projects/bind9/-/issues/2806
Updated: 2022-03-01T09:56:02Z | Author: Ondřej Surý

In favor of openssl.pc

Milestone: Not planned | Assignee: Ondřej Surý

## #2805: Session persistence for forwarders
https://gitlab.isc.org/isc-projects/bind9/-/issues/2805
Updated: 2023-11-02T17:02:19Z | Author: Peter Davies

Session persistence for forwarders:
Where Bind is configured to use forwarding extensively or exclusively and the environment in which it is located precludes the use of udp as a transport protocol.
It may enhance throughput and limit resources utilisation if tcp sessions could be made persistent to some configurable degree.
Bind would need to be able to discover if there was an existing tcp session that could be (re)used when it needs to forward queries to some well known source.
[RT #18727](https://support.isc.org/Ticket/Display.html?id=18727)

Milestone: Not planned

## #2803: Add missing zone locks in dns_zone_get_.* functions
https://gitlab.isc.org/isc-projects/bind9/-/issues/2803
Updated: 2021-06-28T12:32:08Z | Author: Matthijs Mekking <matthijs@isc.org>

See https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5234#note_223073

## #2798: named-checkconf -p does not print effective values
https://gitlab.isc.org/isc-projects/bind9/-/issues/2798
Updated: 2023-11-02T16:26:07Z | Author: Petr Špaček <pspacek@isc.org>

### Description
Borderline bug and feature request:
`named-checkconf -p` does not print effective values but only how the _text_ was parsed.
Example:
`resolver-query-timeout 3;` is silently set to `10` by named, but named-checkconf still prints value `3`.
### Request
An option to print effective values would be useful, especially if it highlighted where effective value differs from the configured value.
Obviously this is hard to do. From what I see in code, config handling in server.c and in named-checkconf is completely different. Inheritance rules limits are implemented as ad-hoc code in server.c.
### Links / references
*See also:*
* #1326

Milestone: Not planned