# BIND issues
Feed: https://gitlab.isc.org/isc-projects/bind9/-/issues (updated 2024-02-23T20:10:41Z)

## #4601: wrong filename looked when reading key files
https://gitlab.isc.org/isc-projects/bind9/-/issues/4601
Author: Michael Tokarev
Date: 2024-02-23T20:10:41Z

### Summary
When bind9 tools read a zone file with DNSKEY records, for which no .key file is provided but .private exists, a misleading error message is generated. For example:
```
$ dnssec-signzone 168.192.in-addr.arpa
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading ./K168.192.in-addr.arpa.+007+13293.private: file not found
$ ls -l ./K168.192.in-addr.arpa.+007+13293.*
-rw------- 1 root root 1707 Oct 28 2011 ./K168.192.in-addr.arpa.+007+13293.private
```
So, it reports an existing file as "not found", while actually (according to strace) it looked for a .key file (which indeed does not exist, since it is inlined in the zone itself).
The end result is that this key is not processed at all, despite the tool having all the information: the .key file contents are in the zone already (that's where dnssec-signzone found the `+007+13293` part, so it does have the DNSKEY record and doesn't actually need the .key file), and the .private file which it reported as missing (while not even trying to open it) actually exists.
### BIND version affected
```
BIND 9.18.24-1-Debian (Extended Support Version) <id:>
running on Linux x86_64 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=${prefix}/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--disable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=yes' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.18.24=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
Milestone: Not planned

## #4603: Comments to CVE-2023-5680
https://gitlab.isc.org/isc-projects/bind9/-/issues/4603
Author: Peter Davies
Date: 2024-02-26T16:05:08Z

Comments to CVE-2023-5680:
Description: When reviewing the fix for CVE-2023-5680 due to the crash we reported separately, we've noticed many other suspicious points in its implementation. Though these are based on code inspection and we haven't checked whether the issue is real or it can cause any practical problem like a crash, we're deeply concerned about the overall quality of this implementation, and would like to suggest ISC revisiting it, perhaps fundamentally.
The issues we've noticed are as follows (there may be more):
- it looks like a longer prefix match in ->old_ecs_root will not be found if a shorter prefix match is found in ->ecs_root. When using two address prefix trees, we ought to search both and use the longest prefix match, with ->ecs_root in preference if both have equal prefix lengths.
- On a related note, it seems possible that copying (moving) data in old_ecs_root to ecs_root can result in separate rdatasetheaders at the top level for the same record type.
- unlikely to be a big deal in practice, but this code in clean_iptree_nodedata() probably doesn't do what it appears to intend; it results in cleaning up to 12
- as a meta issue, we're afraid the introduction of old_ecs_root and incremental cleaning needs a lot more tests, especially low level unit tests, given its complexity. For example, if the last point is indeed an oversight, it could have been caught by a unit test easily.
See also #4587

## #4606: "dry-run" mode to help with dnssec-policy migration
https://gitlab.isc.org/isc-projects/bind9/-/issues/4606
Author: Carsten Strotmann
Date: 2024-02-28T10:46:36Z

### Description
For some users of BIND 9, especially people who are only part-time DNS admins, migrating from manual DNSSEC key management with "auto-dnssec maintain;" towards "dnssec-policy" is difficult.
While the documentation provided by ISC is good, there is currently no way to "verify" the new "dnssec-policy" configuration before enabling it. Experience has shown (in DNS training classes, but also in real-world deployments) that there are many things that can go wrong:
- differences in the DNSSEC key configuration (old vs. new)
- file system permissions on the old key material
- file system location of the old key material
- issues with the time events stored in the old key material
Going online with a slightly wrong configuration can cause an immediate key rollover, which might break the zone. Recovering from this situation is possible, but requires good knowledge of BIND 9 DNSSEC workings.
### Request
Provide a "dnssec-policy dry-run" mode, where BIND 9 will log the next steps in the automatic DNSSEC management to the log files (e.g. category "DNSSEC"), but will not execute any changes to the DNSSEC signed zone or the key material. This will enable the user to test drive the new "dnssec-policy" to see if it will act as expected.
Admins can create a configuration with "dry-run" mode enabled, check the logfiles, and if the actions in the log-file match the expectations, the "dry-run" mode can be removed and the new configuration will become active.
### Links / references
Assignee: Matthijs Mekking <matthijs@isc.org>

## #4607: chain system test: mem.c:1311: INSIST(unreachable) failed
https://gitlab.isc.org/isc-projects/bind9/-/issues/4607
Author: Michal Nowak
Date: 2024-03-18T08:53:51Z

Job [#4071483](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4071483) failed for f42a441b05408f4e816ea44a4780667a00c5fb86.
ns1 of the `chain` system test ended up in a bad place.
```
context: 0x7b3000001b00 (zonemgr-mctxpoo): 2 references
Dump of all outstanding memory allocations:
ptr 0x7b5000020200 size 496 file rbtdb.c line 3866
ptr 0x7b6000001000 size 1016 file rbt-zonedb.c line 2091
mem.c:1311: INSIST(unreachable) failed
```
```
2024-02-27 17:50:11 INFO:chain D:Core was generated by `/builds/isc-projects/bind9/bin/named/.libs/named -D chain_tmp_qm1vyy5o-ns1 -m r'.
2024-02-27 17:50:11 INFO:chain D:Program terminated with signal SIGABRT, Aborted.
2024-02-27 17:50:11 INFO:chain D:#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
2024-02-27 17:50:11 INFO:chain D:Downloading source file /usr/src/debug/glibc-2.38-16.fc39.x86_64/nptl/pthread_kill.c...
2024-02-27 17:50:11 INFO:chain D:44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
2024-02-27 17:50:11 INFO:chain D:[Current thread is 1 (Thread 0x7f96faa8a380 (LWP 77097))]
2024-02-27 17:50:11 INFO:chain D:#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
2024-02-27 17:50:11 INFO:chain D:#1 0x00007f96fb0ed8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
2024-02-27 17:50:11 INFO:chain D:#2 0x00007f96fb09b8ee in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
2024-02-27 17:50:11 INFO:chain D:#3 0x00007f96fb0838ff in __GI_abort () at abort.c:79
2024-02-27 17:50:11 INFO:chain D:#4 0x00007f96fc0bee3c in __interceptor_abort (fake=-89613312) at ../../../../libsanitizer/tsan/tsan_interceptors_posix.cpp:1875
2024-02-27 17:50:11 INFO:chain D:#5 0x0000000000427e49 in assertion_failed (file=<optimized out>, line=1311, type=<optimized out>, cond=0x7f96fc065ac3 "unreachable") at main.c:234
2024-02-27 17:50:11 INFO:chain D:#6 0x00007f96fc00b194 in isc_assertion_failed (file=file@entry=0x7f96fc0624cb "mem.c", line=line@entry=1311, type=type@entry=isc_assertiontype_insist, cond=cond@entry=0x7f96fc065ac3 "unreachable") at assertions.c:48
2024-02-27 17:50:11 INFO:chain D:#7 0x00007f96fc02f45f in isc__mem_checkdestroyed () at mem.c:1311
2024-02-27 17:50:11 INFO:chain D:#8 0x00007f96fc02f54c in mem_shutdown () at mem.c:442
2024-02-27 17:50:11 INFO:chain D:#9 0x00007f96fc0da084 in __interceptor_pthread_once (o=o@entry=0x7f96fc07dec8 <shut_once>, f=f@entry=0x7f96fc02f533 <mem_shutdown>) at ../../../../libsanitizer/tsan/tsan_interceptors_posix.cpp:1551
2024-02-27 17:50:11 INFO:chain D:#10 0x00007f96fc02ce7e in isc__mem_shutdown () at mem.c:455
2024-02-27 17:50:11 INFO:chain D:#11 0x00007f96fc023088 in isc__shutdown () at lib.c:67
2024-02-27 17:50:11 INFO:chain D:#12 0x00007f96fd0ec0f2 in _dl_call_fini (closure_map=closure_map@entry=0x7f96fd0e98d0) at dl-call_fini.c:43
2024-02-27 17:50:11 INFO:chain D:#13 0x00007f96fd0f006e in _dl_fini () at dl-fini.c:114
2024-02-27 17:50:11 INFO:chain D:#14 0x00007f96fb09dfd6 in __run_exit_handlers (status=0, listp=<optimized out>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:111
2024-02-27 17:50:11 INFO:chain D:#15 0x00007f96fb09e11e in __GI_exit (status=<optimized out>) at exit.c:141
2024-02-27 17:50:11 INFO:chain D:#16 0x00007f96fb085151 in __libc_start_call_main (main=main@entry=0x429913 <main>, argc=argc@entry=12, argv=argv@entry=0x7ffe1fcbda88) at ../sysdeps/nptl/libc_start_call_main.h:74
2024-02-27 17:50:11 INFO:chain D:#17 0x00007f96fb08520b in __libc_start_main_impl (main=0x429913 <main>, argc=12, argv=0x7ffe1fcbda88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe1fcbda78) at ../csu/libc-start.c:360
2024-02-27 17:50:11 INFO:chain D:#18 0x0000000000418d35 in _start ()
```
[core.77097-backtrace.txt](/uploads/dfe2e0c9ee3a48df96c87773f2674a12/core.77097-backtrace.txt)
[core.77097.gz](/uploads/6a868166ed706bec348e2930ddc5fa5c/core.77097.gz)
[named.run](/uploads/ef60bc0ac117defd99c6f3c831f99368/named.run)
Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Assignee: Aram Sargsyan

## #4609: ADB memory growth in 9.19
https://gitlab.isc.org/isc-projects/bind9/-/issues/4609
Author: Ondřej Surý
Date: 2024-02-28T06:53:58Z

During the 25h test, it was discovered that the ADB and main memory contexts grow suspiciously:
![bindstats.memory.contexts.ADB._sum_inuse-http_3A_2F_2F127.0.0.1_3A8888_2Fjson_2Fv1-9.19](/uploads/5e5f039e83e4a892554001b6c7348e92/bindstats.memory.contexts.ADB._sum_inuse-http_3A_2F_2F127.0.0.1_3A8888_2Fjson_2Fv1-9.19.png)
![bindstats.memory.contexts.main._sum_inuse-http_3A_2F_2F127.0.0.1_3A8888_2Fjson_2Fv1-main-9.19](/uploads/bad7883a65948bfd2946b84fe6505cdf/bindstats.memory.contexts.main._sum_inuse-http_3A_2F_2F127.0.0.1_3A8888_2Fjson_2Fv1-main-9.19.png)
The growth is much slower in 9.18:
![bindstats.memory.contexts.ADB._sum_inuse-http_3A_2F_2F127.0.0.1_3A8888_2Fjson_2Fv1](/uploads/4cc202485a129130ecd978cf23ad452a/bindstats.memory.contexts.ADB._sum_inuse-http_3A_2F_2F127.0.0.1_3A8888_2Fjson_2Fv1.png)
Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

## #4615: Improve dnssec-keygen warnings when unnecessary parameters are ignored
https://gitlab.isc.org/isc-projects/bind9/-/issues/4615
Author: Cathy Almond
Date: 2024-02-29T15:48:40Z

### Summary
The specific instance that inspires this bug report is that these commands
> dnssec-keygen -b 2048 -a ECDSAP256SHA256 -f KSK example.com
> dnssec-keygen -b 2048 -a ECDSAP256SHA256 example.com
... don't generate a warning that the -b 2048 is ignored because key algorithm ECDSAP256SHA256 has a predefined length.
There may be other scenarios worth checking at the same time?
### BIND version affected
Noted against 9.16.28 (a long time ago), but I don't think the situation has changed.
### Steps to reproduce
See above - just do it?
### What is the current *bug* behavior?
No warning. dnssec-keygen goes its own sweet way and uses its built-in default length for this key.
### What is the expected *correct* behavior?
It would have been really helpful to have known that the keys didn't have the requested length - this caused a bunch of other problems during migration to dnssec-policy using these keys!
What actually happened is that after restarting named and switching to dnssec-policy with these parameters:
> ksk lifetime unlimited algorithm ECDSAP256SHA256 2048;
> zsk lifetime unlimited algorithm ECDSAP256SHA256 2048;
named didn't recognise the existing keys as matching the policy and generated new ones for the zone, retiring the old keys - which is just what you don't want when migrating your existing zone's configuration and not intending to abruptly re-sign it with new keys (aargh!)
In fact, named-checkconf does fuss about the 2048:
> /etc/namedb/named.conf:54: dnssec-policy: key algorithm ECDSAP256SHA256 has predefined length; ignoring length value 2048
> /etc/namedb/named.conf:55: dnssec-policy: key algorithm ECDSAP256SHA256 has predefined length; ignoring length value 2048
So perhaps this is another small bug too - if the length is irrelevant and ignored - why did it not just recognise the existing keys?
It was perfectly happy with the same keys and with:
> ksk lifetime unlimited algorithm ECDSAP256SHA256;
> zsk lifetime unlimited algorithm ECDSAP256SHA256;
Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

## #4616: Resolver cache redesign
https://gitlab.isc.org/isc-projects/bind9/-/issues/4616
Author: Petr Špaček <pspacek@isc.org>
Date: 2024-03-01T12:29:31Z

This is a meta issue to collect current problems & ideas on what to do about them.
Current known problems:
- LRU cleaning can get state into a weird state: #2744
- Cache cleaning can block things, and is generally a mess: #3261, #4383
- Negative answers from e.g. a random subdomain attack can push out useful things: #2495, #1831
- ADB vs. cache size is hardcoded and nobody knows if this is optimal or not: #2483, #2405
- Sizing is hard to get right: #614
- Cache is child-centric: #3311
- RRSIGs are not tightly bound to respective RR: #3396
- Data structures referenced by RBTDB are a mess: #4356, #3403, #3405
Assignee: Štěpán Balážik

## #4620: Cleanup: the characters from Regexp field are all unsigned and use unsigned char instead.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4620
Author: Mingshuai Ren <renmingshuai@huawei.com>
Date: 2024-03-05T05:17:25Z

```
From 0eac3b986972b2888ebf386642c1d281344aba91 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Tue, 5 Mar 2024 09:49:01 +0800
Subject: [PATCH] Cleanup: the characters from Regexp field are all unsinged.
Use unsigned char instead.
Signed-off-by: renmingshuai <renmingshuai@huawei.com>
---
lib/dns/rdata/generic/naptr_35.c | 4 ++--
lib/isc/regex.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/dns/rdata/generic/naptr_35.c b/lib/dns/rdata/generic/naptr_35.c
index ecae2c0ca3..abc1e41101 100644
--- a/lib/dns/rdata/generic/naptr_35.c
+++ b/lib/dns/rdata/generic/naptr_35.c
@@ -25,8 +25,8 @@
static inline isc_result_t
txt_valid_regex(const unsigned char *txt) {
unsigned int nsub = 0;
- char regex[256];
- char *cp;
+ unsigned char regex[256];
+ unsigned char *cp;
bool flags = false;
bool replace = false;
unsigned char c;
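Review bot: the hunk retypes `regex` and `cp` to `unsigned char` but shows none of their later uses in txt_valid_regex(); any string routine or call that still expects `char *` will now produce pointer-sign warnings or need a cast, so the rest of the function should be included in the diff or confirmed to build cleanly with the project's warning flags. The `Subject:` line also misspells "unsigned" as "unsinged".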
diff --git a/lib/isc/regex.c b/lib/isc/regex.c
index 99809cc244..eb01c7d4d9 100644
--- a/lib/isc/regex.c
+++ b/lib/isc/regex.c
@@ -28,7 +28,7 @@
* Validate the regular expression 'C' locale.
*/
int
-isc_regex_validate(const char *c) {
+isc_regex_validate(const unsigned char *c) {
enum {
none, parse_bracket, parse_bound,
parse_ce, parse_ec, parse_cc
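Review bot: changing the parameter type of the public function isc_regex_validate() from `const char *` to `const unsigned char *` is a library API change, but the diffstat lists only naptr_35.c and regex.c, so the header declaring isc_regex_validate() and any other callers are not updated here and the build will fail on the conflicting prototype. If the goal is only to silence a sign warning at one call site, a cast there would avoid changing the library's interface.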
--
2.33.0
```

## #4626: Repeatedly hitting max-cache-size leads to all-SERVFAIL answers
https://gitlab.isc.org/isc-projects/bind9/-/issues/4626
Author: Petr Špaček <pspacek@isc.org>
Date: 2024-03-08T17:59:30Z

### Summary
This needs proper investigation.
### BIND version affected
- v9.16.49-to-be
- v9.16.45 - even worse, response rate goes down
**Other versions were not tested** but I assume the same problem in other branches, too.
### Steps to reproduce
Run [resolver test pipeline](https://gitlab.isc.org/isc-projects/bind9-shotgun-ci/-/pipelines/new) with these settings:
1. SHOTGUN_SCENARIO = udp
2. SHOTGUN_TRAFFIC_MULTIPLIER = 10
3. SHOTGUN_DURATION = 600
4. CACHE_SIZE_MB = 64
This ridiculously overloads the resolver with a 64 MB cache and floods it with 100 k QPS.
### What is the current *bug* behavior?
Initially the SERVFAIL rate spikes - that's okay, probably the recursive-clients limit - and then goes down - also expected. But then it goes up again to the point where the resolver only SERVFAILs (by the end of the tenth minute).
![response-rate-rcodes.svg](/uploads/0f6cec19b3c2eba1d343803e1f1e4c23/response-rate-rcodes.svg)
The second problem is that the response rate goes down from time to time. It should not drop answers. But that might be an artifact of the measurement - it uses a 2 second timeout.
### What is the expected *correct* behavior?
Well, I would expect very roughly constant SERVFAIL rate.
### Relevant configuration files
Auto-generated by the pipeline. Recursive-clients = probably 10 000.
### Relevant logs
https://gitlab.isc.org/isc-projects/bind9-shotgun-ci/-/pipelines/166603 (artifacts retained for a while)
Have a look at charts v9.1*/results-shotgun/charts/response-rate-rcodes.svg in individual jobs.

## #4634: shutdown system test fails when machine is offline
https://gitlab.isc.org/isc-projects/bind9/-/issues/4634
Author: Mark Andrews
Date: 2024-03-15T15:04:16Z

Running the system tests when your machine is offline fails. In this case it was macOS.
```
% more shutdown.log
============================= test session starts ==============================
platform darwin -- Python 3.10.13, pytest-7.4.3, pluggy-1.3.0
rootdir: /Users/marka/git/bind9/bin/tests/system
configfile: pytest.ini
plugins: hypothesis-6.92.1
collected 2 items
tests_shutdown.py::test_named_shutdown[rndc]
-------------------------------- live log setup --------------------------------
2024-03-13 16:19:35 INFO:shutdown switching to tmpdir: /Users/marka/git/bind9/bin/tests/system/shutdown_tmp_n89rn3w9
2024-03-13 16:19:35 INFO:shutdown test started: shutdown/tests_shutdown.py
2024-03-13 16:19:35 INFO:shutdown using port range: <27538, 27557>
FAILED [ 50%]
tests_shutdown.py::test_named_shutdown[sigterm] FAILED [100%]
------------------------------ live log teardown -------------------------------
2024-03-13 16:19:41 INFO:shutdown test artifacts in: shutdown_shutdown
=================================== FAILURES ===================================
__________________________ test_named_shutdown[rndc] ___________________________
/Users/marka/git/bind9/bin/tests/system/shutdown/tests_shutdown.py:195: in test_named_shutdown
resolver = dns.resolver.Resolver()
/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/dns/resolver.py:944: in __init__
self.read_resolv_conf(filename)
/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/dns/resolver.py:1038: in read_resolv_conf
raise NoResolverConfiguration("no nameservers")
E dns.resolver.NoResolverConfiguration: no nameservers
------------------------------ Captured log setup ------------------------------
2024-03-13 16:19:35 INFO:shutdown switching to tmpdir: /Users/marka/git/bind9/bin/tests/system/shutdown_tmp_n89rn3w9
2024-03-13 16:19:35 INFO:shutdown test started: shutdown/tests_shutdown.py
2024-03-13 16:19:35 INFO:shutdown using port range: <27538, 27557>
_________________________ test_named_shutdown[sigterm] _________________________
/Users/marka/git/bind9/bin/tests/system/shutdown/tests_shutdown.py:195: in test_named_shutdown
resolver = dns.resolver.Resolver()
/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/dns/resolver.py:944: in __init__
self.read_resolv_conf(filename)
/opt/local/Library/Frameworks/Python.framework/Versions/3.10/lib/python3.10/site-packages/dns/resolver.py:1038: in read_resolv_conf
raise NoResolverConfiguration("no nameservers")
E dns.resolver.NoResolverConfiguration: no nameservers
---------------------------- Captured log teardown -----------------------------
2024-03-13 16:19:41 INFO:shutdown test artifacts in: shutdown_shutdown
--- generated xml file: /Users/marka/git/bind9/bin/tests/system/shutdown.xml ---
=========================== short test summary info ============================
FAILED tests_shutdown.py::test_named_shutdown[rndc] - dns.resolver.NoResolver...
FAILED tests_shutdown.py::test_named_shutdown[sigterm] - dns.resolver.NoResol...
============================== 2 failed in 6.86s ===============================
FAIL shutdown (exit status: 1)
%
```
Assignee: Michal Nowak

## #4635: Rbt zone database not being tested in main.
https://gitlab.isc.org/isc-projects/bind9/-/issues/4635
Author: Mark Andrews
Date: 2024-03-28T11:53:56Z

Looking at the coverage data from !8854 the rbtdb zone instance isn't being tested anymore for signed zones.
Milestone: May 2024 (9.18.27, 9.18.27-S1, 9.19.24)

## #4636: rndc.py got 'NotImplementedError: Wrong message version'
https://gitlab.isc.org/isc-projects/bind9/-/issues/4636
Author: bino oetomo
Date: 2024-03-14T12:25:47Z

Dear All,
I'm trying to delete a zone in a catalog zone using Python.
The script is adapted (to Python 3.9.2) from catz-del.py of https://kb.isc.org/docs/aa-01401.
Here is the script.
```python
import sys
import isc
import dns.query
import dns.update
import dns.name
import hashlib

ZONEPATH = '/var/cache/bind/'
MASTERS = ['192.168.1.101']
SERVER = '192.168.8.78'
DNSPORT = 53
RNDCPORT = 9953
RNDCALGO = 'sha256'
RNDCKEY = '1234abcd8765'
CATZONE = 'catalog.example'
PTR_EXPIRE = 31622400
PRIMARIES = ';'.join(MASTERS)


def hashzones(domain):
    # Catalog-zone member label: SHA-1 of the zone name in wire format
    digest = hashlib.sha1(dns.name.from_text(domain).to_wire()).hexdigest()
    return f'{digest}.zones'


def del_zone(name):
    # Remove the member PTR record from the catalog zone via dynamic update
    update = dns.update.Update(CATZONE)
    update.delete(hashzones(name), 'ptr')
    response = dns.query.tcp(update, SERVER, port=DNSPORT)
    if response.rcode() != 0:
        raise Exception(f"Error updating catalog zone: {response.rcode()}")

    # Delete the zone from the primary using RNDC. The control channel listens
    # on RNDCPORT; connecting to DNSPORT instead hands the rndc message to
    # named's DNS listener, which rejects it ("message parsing failed: bad
    # label type" in the named log) and the client then fails with
    # "Wrong message version".
    r = isc.rndc((SERVER, RNDCPORT), RNDCALGO, RNDCKEY)
    response = r.call(f'delzone {name}')
    if response['result'] != b'0':
        raise Exception(f"Error deleting zone from primary: {response['err']}")


del_zone(sys.argv[1])
```
I got an error when trying to run it:
```
(venv) debian@risetdns01:~/catzman$ python ./delzone.py domain20.bino
Traceback (most recent call last):
File "/home/debian/catzman/./delzone.py", line 40, in <module>
del_zone(sys.argv[1])
File "/home/debian/catzman/./delzone.py", line 35, in del_zone
r = isc.rndc((SERVER, DNSPORT), RNDCALGO, RNDCKEY)
File "/home/debian/catzman/isc/rndc.py", line 54, in __init__
self.__connect_login()
File "/home/debian/catzman/isc/rndc.py", line 158, in __connect_login
msg = self.__command(type="null")
File "/home/debian/catzman/isc/rndc.py", line 139, in __command
raise NotImplementedError("Wrong message version %d" % version)
NotImplementedError: Wrong message version 2147549184
```
while in my bind9 log file, I got:
```
13-Mar-2024 22:35:29.991 update: info: client @0x7ff0a4030080 192.168.8.78#33920: updating zone 'catalog.example/IN': deleting rrset at '5858ea66ec75231963ecb03723e1ce3295e23349.zones.catalog.example' PTR
13-Mar-2024 22:35:29.991 client: debug 1: client @0x7ff0a40322c0 192.168.8.78#33926: message parsing failed: bad label type
```
My isc python module version is '9.16.48-Debian'.
It's /usr/lib/python3/dist-packages/isc/__init__.py, since it cannot be accessed directly when I use a venv.
My named details:
```
root@risetdns01:~# named -V
BIND 9.16.48-Debian (Extended Support Version) <id:0dab57e>
running on Linux x86_64 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.16.48=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.1 20210110
compiled with OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
linked to OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
The problem does not occur with 'add zone'.
Kindly please tell me what to check or do to fix this problem.
Sincerely,
-bino-

## #4643: Properly document how the IDN arguments work
https://gitlab.isc.org/isc-projects/bind9/-/issues/4643
Author: Ondřej Surý
Date: 2024-03-16T06:52:25Z

Document how +idn, +idnin and +idnout interact when run interactively and non-interactively.
This has changed between versions.

## #4647: root "mirror" zone overrides forward zone (forward only)
https://gitlab.isc.org/isc-projects/bind9/-/issues/4647
Author: Carsten Strotmann
Date: 2024-03-22T09:42:32Z

### Summary
When a root zone mirror is configured in BIND 9.18.24, a forward zone (forward only) is not used.
The forward zone is for an undelegated private namespace "example.internal".
Once the root mirror is removed from the BIND 9 configuration, the forward zone starts working again.
The expectation is that the forward zone is more specific, therefore it is checked first before using recursion via the root zone mirror data.
### BIND version affected
```
BIND 9.18.24 (Extended Support Version) <id:6d7674f>
running on Linux x86_64 4.18.0-513.18.1.el8_9.x86_64 #1 SMP Thu Feb 1 03:51:05 EST 2024
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr' '--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin' '--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind' '--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include' '--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec' '--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib' '--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info' '--enable-warn-error' '--disable-static' '--enable-dnstap' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/opt/isc/isc-bind/root/usr/lib64' 'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64' 'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig' 'SPHINX_BUILD=/builddir/build/BUILD/bind-9.18.24/sphinx/bin/sphinx-build'
compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-20)
compiled with OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/opt/isc/scls/isc-bind/named.conf
rndc configuration: /etc/opt/isc/scls/isc-bind/rndc.conf
DNSSEC root key: /etc/opt/isc/scls/isc-bind/bind.keys
nsupdate session key: /var/opt/isc/scls/isc-bind/run/named/session.key
named PID file: /var/opt/isc/scls/isc-bind/run/named/named.pid
named lock file: /var/opt/isc/scls/isc-bind/run/named/named.lock
```
### Steps to reproduce
named.conf:
```
options {
directory "/var/named";
};
zone "." {
type mirror;
file "root.zone";
};
zone "example.internal" IN {
type forward;
forwarders { 192.0.2.53; };
forward only;
};
```
Test:
```
dig @<ip-of-resolver> example.internal soa
```
will return an NXDOMAIN answer (with AD flag) from the (local) root zone
Once the root mirror zone is removed, the forwarding configuration works as expected (returns the SOA record for example.internal).

https://gitlab.isc.org/isc-projects/bind9/-/issues/4651
Add Dual Queue Low Latency Networking Support (NQB)
2024-03-22T08:48:50Z, Jason Livingood
### Description
Add Dual Queue Low Latency Networking Support (NQB)
Please consider adding server-side support for IETF Non-Queue-Building (NQB) Per Hop Behavior (PHB) as outlined in the IETF TSVWG RFCs 9330, 9331, 9332 and https://datatracker.ietf.org/doc/draft-ietf-tsvwg-nqb/. Specifically, I would like the recursive resolver to set DSCP-45 marking in all packets sent back to users (stub resolvers) in DNS responses. This will have the benefit of marking DNS responses as suitable for placement in the low latency queue at bottleneck links supporting dual queue (such as a CMTS or Cable Modem).
NQB marking enables latency-sensitive traffic like DNS lookups to be handled in a separate queue from classic traffic. The result is that, even when competing with significant other LAN or access network traffic from a user, the NQB-marked traffic will get very low working latency (usually close to what is observed for idle latency).
Comcast has tested this on resolvers in the lab as part of our low latency field trial of L4S and NQB and found it meaningfully reduced Query Response Times (QRT) under normal working conditions.
Comcast is currently the world's first ISP trialing this in the field and anticipates it being available to millions of end users in 2024.
### Request
Enable a new configuration parameter in the server enabling a resolver operator to turn on NQB support. That specifically will mean setting DSCP value 45 in the packet header. This configuration can either cover recursive responses or all outbound traffic from the server (there should be no downside to this).
### Links / references
RFC 9330 https://www.rfc-editor.org/rfc/rfc9330.html
RFC 9331 https://www.rfc-editor.org/rfc/rfc9331.html
RFC 9332 https://www.rfc-editor.org/rfc/rfc9332.html
NQB PHB Draft https://datatracker.ietf.org/doc/draft-ietf-tsvwg-nqb/
Comcast explainer for app developers https://github.com/jlivingood/IETF-L4S-Deployment/blob/main/App-Developer-Guide.md
Comcast explainer for network operators https://github.com/jlivingood/IETF-L4S-Deployment/blob/main/Network-Config-Guide.md
Comcast field trial announcement https://corporate.comcast.com/stories/comcast-kicks-off-industrys-first-low-latency-docsis-field-trials

https://gitlab.isc.org/isc-projects/bind9/-/issues/4652
query.c:10467: INSIST(namereln == dns_namereln_subdomain) failed, back trace
2024-03-27T14:02:05Z, Ondřej Surý
### Summary
Server crash caused by external UDP queries.
### BIND versions affected
```
BIND 9.19.23-dev (Development Release) <id:b1ebd49>
running on Linux x86_64 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29)
built by make with 'CC=' 'LD=' 'CFLAGS=-O0 -ggdb -Wno-deprecated-declarations -fno-omit-frame-pointer -fno-optimize-sibling-calls -mtune=alderlake -DISC_MEM_USE_INTERNAL_MALLOC=0 -DISC_MEM_TRACKLINES=1 -DISC_TRACK_PTHREADS_OBJECTS' 'LDFLAGS=' '--enable-developer' '--enable-warn-error' '--with-openssl' '--with-zlib' '--with-libxml2' '--with-json-c' '--with-readline' '--with-libidn2' '--disable-dnstap' '--with-libtool' '--without-make-clean'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with liburcu version: 0.15.0-pre
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /dev/null
rndc configuration: /usr/local/etc/rndc.conf
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
geoip-directory: /usr/share/GeoIP
```
9.18 is not affected by the same attack pattern.
### Preconditions and assumptions
None.
### Attacker's abilities
Ability to send queries to the server.
### Impact
Server crashes with assertion failure.
### Steps to reproduce
1. Run `bin/named/named -g -c /dev/null -p 12345`
2. Run 2x `dnsperf -d queryfile-example-10million-201202 -p 12345 -s 10.10.10.20 -t 20 -S 1 -e -D -b 16000`
3. Wait
### What is the current *bug* behavior?
Server crashes.
### What is the expected *correct* behavior?
Server doesn't crash.
### Relevant logs
```
21-Mar-2024 14:58:36.219 REFUSED unexpected RCODE resolving 'www.pressrepublicanevents.com/A/IN': 64.40.12.250#53
21-Mar-2024 14:58:36.227 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 2001:4860:4802:32::a#53
21-Mar-2024 14:58:36.259 DNS format error from 89.108.89.143#53 resolving 4kings.ru/MX for 10.10.10.106#36493: empty question section
21-Mar-2024 14:58:36.283 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 2001:4860:4802:34::a#53
21-Mar-2024 14:58:36.311 REFUSED unexpected RCODE resolving 'bioquimicasrl.com/A/IN': 209.244.0.3#53
21-Mar-2024 14:58:36.323 SERVFAIL unexpected RCODE resolving 'www.tom-morrow-land.com/AAAA/IN': 1.1.1.1#53
21-Mar-2024 14:58:36.327 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 216.239.36.10#53
21-Mar-2024 14:58:36.331 REFUSED unexpected RCODE resolving 'www.pressrepublicanevents.com/A/IN': 64.40.12.251#53
21-Mar-2024 14:58:36.331 query client=0x7fa869baf000 thread=0x7fa86cefd680(www.pressrepublicanevents.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.331 query client=0x7fa83b1a3400 thread=0x7fa85b3fe680(www.pressrepublicanevents.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.339 success resolving 'www.angrybirdsfree.net/AAAA' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.339 query client=0x7fa83b221400 thread=0x7fa85b3fe680(www.tom-morrow-land.com/AAAA): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.339 query client=0x7fa869a3e400 thread=0x7fa86cefd680(www.tom-morrow-land.com/AAAA): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.359 success resolving 'e1.mc658.mail.yahoo.com/AAAA' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.371 validating ksg07.harvard.edu/MX: no valid signature found
21-Mar-2024 14:58:36.371 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 216.239.38.10#53
21-Mar-2024 14:58:36.379 success resolving 'a-0.19-21098801.c0c0083.1518.19d4.3ea1.210.0.qfptcsf437v6s7kaak2qs267pq.avqs.mcafee.com/A' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.387 REFUSED unexpected RCODE resolving 'www.untwistedvortex.com/A/IN': 128.199.213.165#53
21-Mar-2024 14:58:36.387 query client=0x7fa869b1f000 thread=0x7fa86cefd680(www.untwistedvortex.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.387 query client=0x7fa83b2d7000 thread=0x7fa85b3fe680(www.untwistedvortex.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.403 query.c:10467: INSIST(namereln == dns_namereln_subdomain) failed
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/4658
Release Checklist for BIND 9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23
2024-03-28T10:11:38Z, Petr Špaček (pspacek@isc.org)
## Release Schedule
**Code Freeze:** Tuesday, 2 April 2024
**Tagging Deadline:** Friday, 5 April 2024
**Public Release:** Wednesday, 17 April 2024
## Documentation Review Links
**Closed issues assigned to the milestone without a release note:**
- [9.16.50](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.16)
- [9.16.50-S1](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.16-S)
- [9.18.26](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.18)
- [9.18.26-S1](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.18-S)
- [9.19.23](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.19)
**Merge requests merged into the milestone without a release note:**
- [9.16.50](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.16)
- [9.16.50-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.16-sub)
- [9.18.26](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.18)
- [9.18.26-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.18-sub)
- [9.19.23](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=main)
**Merge requests merged into the milestone without a `CHANGES` entry:**
- [9.16.50](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.16)
- [9.16.50-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.16-sub)
- [9.18.26](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.18)
- [9.18.26-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.18-sub)
- [9.19.23](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=main)
## Release Checklist
### Before the Code Freeze
- [ ] ***(QA)*** Rebase -S editions on top of current open-source versions: `git checkout bind-9.18-sub && git rebase origin/bind-9.18`
- [x] ***(QA)*** [Inform](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_supp_marketing.py) Support and Marketing of impending release (and give estimated release dates).
- [ ] ***(QA)*** Ensure there are no permanent test failures on any platform. Check [public](https://gitlab.isc.org/isc-projects/bind9/-/pipelines?scope=all&source=schedule) and [private](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=all&source=schedule) scheduled pipelines.
- [ ] ***(QA)*** Check charts from `shotgun:*` jobs in the scheduled pipelines to verify there is no unexplained performance drop for any protocol.
- [ ] ***(QA)*** Check [Perflab](https://perflab.isc.org/) to ensure there has been no unexplained drop in performance for the versions being released.
- [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- [ ] ***(QA)*** Ensure that there are no outstanding [merge requests in the private repository](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/)[^1] (Subscription Edition only).
- [ ] ***(QA)*** [Ensure](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/check_backports.py) all merge requests marked for backporting have been indeed backported.
- [ ] ***(QA)*** [Announce](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_code_freeze.py) (on Mattermost) that the code freeze is in effect.
### Before the Tagging Deadline
- [ ] ***(QA)*** Inspect the current output of the `cross-version-config-tests` job to verify that no unexpected backward-incompatible change was introduced in the current release cycle.
- [ ] ***(QA)*** Ensure release notes are correct, ask Support and Marketing to check them as well. [Example](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/510)
- [ ] ***(QA)*** Add a release marker to `CHANGES`. Examples: [9.18](https://gitlab.isc.org/isc-projects/bind9/-/commit/f14d8ad78c0506fd4247187f2177f8eceeb6b3b9), [9.16](https://gitlab.isc.org/isc-projects/bind9/-/commit/1bcdf21874f99a00da389d723e0ad07dfd70f9f1)
- [ ] ***(QA)*** Add a release marker to `CHANGES.SE` (Subscription Edition only). [Example](https://gitlab.isc.org/isc-private/bind9/-/commit/0f03d5737bcbdaa1bf713c6db1887b14938c3421)
- [ ] ***(QA)*** Update BIND 9 version in `configure.ac` ([9.18+](https://gitlab.isc.org/isc-projects/bind9/-/commit/3c85ab7f4c35e6d8acef1393606002a0a8730100)) or `version` ([9.16](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7692/diffs?commit_id=1bcdf21874f99a00da389d723e0ad07dfd70f9f1)).
- [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org` (9.16).
- [ ] ***(QA)*** Update GitLab settings for all maintained branches to disallow merging to them: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository)
- [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9.x.y`).
### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
- [ ] ***(QA)*** Check that the formatting is correct for the HTML version of release notes.
- [ ] ***(QA)*** Check that the formatting of the generated man pages is correct.
- [ ] ***(QA)*** Verify GitLab CI results [for the tags](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=tags) created and sign off on the releases to be published.
- [ ] ***(QA)*** Update GitLab settings for all maintained branches to allow merging to them again: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository)
- [ ] ***(QA)*** Prepare (using [`version_bump.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/version_bump.py)) and merge MRs resetting the release notes and updating the version string for each maintained branch.
- [ ] ***(QA)*** Rebase the Subscription Edition branches (including recent release prep commits) on top of the open source branches with updated version strings.
- [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
- [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums. Ask [signers on Mattermost](https://mattermost.isc.org/isc/channels/bind-9-qa).
- [ ] ***(Signers)*** Ensure that the contents of tarballs and tags are identical.
- [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
- [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again: Run `publish_bind.sh` on repo.isc.org to pre-publish.
- [ ] ***(QA)*** Prepare the `patches/` subdirectory for each security release (if applicable).
- [ ] ***(QA)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
- [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages (in [cloudsmith branch in private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith)). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/e2512f4cfaf991827a635e374e7e93b27a5f38ba)
- [ ] ***(Marketing)*** Prepare and send out ASN emails (as outlined in the CVE checklist; if applicable).
### On the Day of Public Release
- [ ] ***(QA)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- [ ] ***(QA)*** Place tarballs in public location on FTP site.
- [ ] ***(QA)*** Inform Marketing of the release, providing FTP links for the published tarballs.
- [ ] ***(QA)*** Use the [Printing Press project](https://gitlab.isc.org/isc-private/printing-press/-/wikis/home#adding-new-documents) to prepare a release announcement email.
- [ ] ***(Marketing)*** Publish links to downloads on ISC website. [Example](https://gitlab.isc.org/website/theme-staging-site/-/commit/1ac7b30b73cb03228df4cd5651fa4e774ac35625)
- [ ] ***(Marketing)*** Update the BIND -S information document in SF with download links to the new versions. (If this is a security release, this will have already been done as part of the ASN process.)
- [ ] ***(Marketing)*** Update the Current Software Versions document in the SF portal if any stable versions were released.
- [ ] ***(Marketing)*** Send the release announcement email to the *bind-announce* mailing list (and to *bind-users* if a major release - [example](https://lists.isc.org/pipermail/bind-users/2022-January/105624.html)).
- [ ] ***(Marketing)*** Announce release on social media sites.
- [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
- [ ] ***(Support)*** Add the new releases to the [vulnerability matrix in the Knowledge Base](https://kb.isc.org/docs/aa-00913).
- [ ] ***(Support)*** Update tickets in case of waiting support customers.
- [ ] ***(QA)*** Build and test any outstanding private packages in [private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/2007d566db81dd9dfd79e571e2f600a3bc284da4)
- [ ] ***(QA)*** Build [public RPMs](https://gitlab.isc.org/isc-packages/rpms/bind). [Example commit](https://gitlab.isc.org/isc-packages/rpms/bind/-/commit/3b5e851ea7c4e3570371a4878b5461f02a44f8cc) which triggers [Copr builds](https://copr.fedorainfracloud.org/coprs/isc/) automatically
- [ ] ***(SwEng)*** Build Debian/Ubuntu packages.
- [ ] ***(SwEng)*** Update Docker files [here](https://gitlab.isc.org/isc-projects/bind9-docker/-/branches) and make sure push is synchronized to [GitHub](https://github.com/isc-projects/bind9-docker). [Docker Hub](https://hub.docker.com/r/internetsystemsconsortium/bind9) should pick it up automatically. [Example](https://gitlab.isc.org/isc-projects/bind9-docker/-/commit/cada7e10e9af951595c98bfffc4bd42512faac05)
- [ ] ***(QA)*** Ensure all new tags are annotated and signed. `git show --show-signature v9.19.12`
- [ ] ***(QA)*** Push tags for the published releases to the public repository.
- [ ] ***(QA)*** Using [`merge_tag.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/merge_tag.py), merge published release tags back into the their relevant development/maintenance branches.
- [ ] ***(QA)*** Ensure `allow_failure: true` is removed from the `cross-version-config-tests` job if it was set during the current release cycle.
- [ ] ***(QA)*** Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public.
- [ ] ***(QA)*** Sanitize [confidential issues](https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=milestone_due_desc&state=opened&confidential=yes) which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2].
- [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Black, PyLint, Sphinx) by modifying the relevant [`Dockerfile`](https://gitlab.isc.org/isc-projects/images/-/merge_requests/228/diffs).
- [ ] ***(QA)*** Run a pipeline to rebuild all [images](https://gitlab.isc.org/isc-projects/images) used in GitLab CI.
- [ ] ***(QA)*** Update [`metadata.json`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/metadata.json) with the upcoming release information.
[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
[^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure.
Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

https://gitlab.isc.org/isc-projects/bind9/-/issues/4659
rootkeysentinel test is unstable
2024-03-28T11:19:14Z, Petr Špaček (pspacek@isc.org)
Version: main branch
Test: bin/tests/system/rootkeysentinel
This test fails repeatedly and needs investigation. It has failed 3/14 runs in the last two weeks.
Last failed run: https://gitlab.isc.org/isc-projects/bind9/-/jobs/4166955