BIND issues
Feed: https://gitlab.isc.org/isc-projects/bind9/-/issues (updated 2024-03-28T11:19:14Z)

# rootkeysentinel test is unstable
https://gitlab.isc.org/isc-projects/bind9/-/issues/4659
2024-03-28T11:19:14Z, Petr Špaček (pspacek@isc.org)

Version: main branch
Test: bin/tests/system/rootkeysentinel
This test fails repeatedly and needs investigation. It has failed 3/14 runs in the last two weeks.
Last failed run: https://gitlab.isc.org/isc-projects/bind9/-/jobs/4166955

# Release Checklist for BIND 9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23
https://gitlab.isc.org/isc-projects/bind9/-/issues/4658
2024-03-28T10:11:38Z, Petr Špaček (pspacek@isc.org)

## Release Schedule
**Code Freeze:** Tuesday, 2 April 2024
**Tagging Deadline:** Friday, 5 April 2024
**Public Release:** Wednesday, 17 April 2024
## Documentation Review Links
**Closed issues assigned to the milestone without a release note:**
- [9.16.50](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.16)
- [9.16.50-S1](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.16-S)
- [9.18.26](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.18)
- [9.18.26-S1](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.18-S)
- [9.19.23](https://gitlab.isc.org/isc-projects/bind9/-/issues?scope=all&sort=created_asc&state=closed&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&not%5Blabel_name%5D%5B%5D=Duplicate&label_name%5B%5D=v9.19)
**Merge requests merged into the milestone without a release note:**
- [9.16.50](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.16)
- [9.16.50-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.16-sub)
- [9.18.26](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.18)
- [9.18.26-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=bind-9.18-sub)
- [9.19.23](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&not%5Blabel_name%5D%5B%5D=Release+Notes&target_branch=main)
**Merge requests merged into the milestone without a `CHANGES` entry:**
- [9.16.50](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.16)
- [9.16.50-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.16-sub)
- [9.18.26](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.18)
- [9.18.26-S1](https://gitlab.isc.org/isc-private/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=bind-9.18-sub)
- [9.19.23](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests?scope=all&sort=merged_at&state=merged&milestone_title=April+2024+%289.16.50%2C+9.16.50-S1%2C+9.18.26%2C+9.18.26-S1%2C+9.19.23%29&label_name%5B%5D=No+CHANGES&target_branch=main)
## Release Checklist
### Before the Code Freeze
- [ ] ***(QA)*** Rebase -S editions on top of current open-source versions: `git checkout bind-9.18-sub && git rebase origin/bind-9.18`
- [x] ***(QA)*** [Inform](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_supp_marketing.py) Support and Marketing of impending release (and give estimated release dates).
- [ ] ***(QA)*** Ensure there are no permanent test failures on any platform. Check [public](https://gitlab.isc.org/isc-projects/bind9/-/pipelines?scope=all&source=schedule) and [private](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=all&source=schedule) scheduled pipelines.
- [ ] ***(QA)*** Check charts from `shotgun:*` jobs in the scheduled pipelines to verify there is no unexplained performance drop for any protocol.
- [ ] ***(QA)*** Check [Perflab](https://perflab.isc.org/) to ensure there has been no unexplained drop in performance for the versions being released.
- [ ] ***(QA)*** Check whether all issues assigned to the release milestone are resolved[^1].
- [ ] ***(QA)*** Ensure that there are no outstanding [merge requests in the private repository](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/)[^1] (Subscription Edition only).
- [ ] ***(QA)*** [Ensure](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/check_backports.py) all merge requests marked for backporting have been indeed backported.
- [ ] ***(QA)*** [Announce](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/inform_code_freeze.py) (on Mattermost) that the code freeze is in effect.
### Before the Tagging Deadline
- [ ] ***(QA)*** Inspect the current output of the `cross-version-config-tests` job to verify that no unexpected backward-incompatible change was introduced in the current release cycle.
- [ ] ***(QA)*** Ensure release notes are correct; ask Support and Marketing to check them as well. [Example](https://gitlab.isc.org/isc-private/bind9/-/merge_requests/510)
- [ ] ***(QA)*** Add a release marker to `CHANGES`. Examples: [9.18](https://gitlab.isc.org/isc-projects/bind9/-/commit/f14d8ad78c0506fd4247187f2177f8eceeb6b3b9), [9.16](https://gitlab.isc.org/isc-projects/bind9/-/commit/1bcdf21874f99a00da389d723e0ad07dfd70f9f1)
- [ ] ***(QA)*** Add a release marker to `CHANGES.SE` (Subscription Edition only). [Example](https://gitlab.isc.org/isc-private/bind9/-/commit/0f03d5737bcbdaa1bf713c6db1887b14938c3421)
- [ ] ***(QA)*** Update BIND 9 version in `configure.ac` ([9.18+](https://gitlab.isc.org/isc-projects/bind9/-/commit/3c85ab7f4c35e6d8acef1393606002a0a8730100)) or `version` ([9.16](https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7692/diffs?commit_id=1bcdf21874f99a00da389d723e0ad07dfd70f9f1)).
- [ ] ***(QA)*** Rebuild `configure` using Autoconf on `docs.isc.org` (9.16).
- [ ] ***(QA)*** Update GitLab settings for all maintained branches to disallow merging to them: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository)
- [ ] ***(QA)*** Tag the releases in the private repository (`git tag -s -m "BIND 9.x.y" v9.x.y`).
### Before the ASN Deadline (for ASN Releases) or the Public Release Date (for Regular Releases)
- [ ] ***(QA)*** Check that the formatting is correct for the HTML version of release notes.
- [ ] ***(QA)*** Check that the formatting of the generated man pages is correct.
- [ ] ***(QA)*** Verify GitLab CI results [for the tags](https://gitlab.isc.org/isc-private/bind9/-/pipelines?scope=tags) created and sign off on the releases to be published.
- [ ] ***(QA)*** Update GitLab settings for all maintained branches to allow merging to them again: [public](https://gitlab.isc.org/isc-projects/bind9/-/settings/repository), [private](https://gitlab.isc.org/isc-private/bind9/-/settings/repository)
- [ ] ***(QA)*** Prepare (using [`version_bump.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/version_bump.py)) and merge MRs resetting the release notes and updating the version string for each maintained branch.
- [ ] ***(QA)*** Rebase the Subscription Edition branches (including recent release prep commits) on top of the open source branches with updated version strings.
- [ ] ***(QA)*** Announce (on Mattermost) that the code freeze is over.
- [ ] ***(QA)*** Request signatures for the tarballs, providing their location and checksums. Ask [signers on Mattermost](https://mattermost.isc.org/isc/channels/bind-9-qa).
- [ ] ***(Signers)*** Ensure that the contents of tarballs and tags are identical.
- [ ] ***(Signers)*** Validate tarball checksums, sign tarballs, and upload signatures.
- [ ] ***(QA)*** Verify tarball signatures and check tarball checksums again: Run `publish_bind.sh` on repo.isc.org to pre-publish.
- [ ] ***(QA)*** Prepare the `patches/` subdirectory for each security release (if applicable).
- [ ] ***(QA)*** Pre-publish ASN and/or Subscription Edition tarballs so that packages can be built.
- [ ] ***(QA)*** Build and test ASN and/or Subscription Edition packages (in [cloudsmith branch in private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith)). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/e2512f4cfaf991827a635e374e7e93b27a5f38ba)
- [ ] ***(Marketing)*** Prepare and send out ASN emails (as outlined in the CVE checklist; if applicable).
### On the Day of Public Release
- [ ] ***(QA)*** Wait for clearance from Security Officer to proceed with the public release (if applicable).
- [ ] ***(QA)*** Place tarballs in public location on FTP site.
- [ ] ***(QA)*** Inform Marketing of the release, providing FTP links for the published tarballs.
- [ ] ***(QA)*** Use the [Printing Press project](https://gitlab.isc.org/isc-private/printing-press/-/wikis/home#adding-new-documents) to prepare a release announcement email.
- [ ] ***(Marketing)*** Publish links to downloads on ISC website. [Example](https://gitlab.isc.org/website/theme-staging-site/-/commit/1ac7b30b73cb03228df4cd5651fa4e774ac35625)
- [ ] ***(Marketing)*** Update the BIND -S information document in SF with download links to the new versions. (If this is a security release, this will have already been done as part of the ASN process.)
- [ ] ***(Marketing)*** Update the Current Software Versions document in the SF portal if any stable versions were released.
- [ ] ***(Marketing)*** Send the release announcement email to the *bind-announce* mailing list (and to *bind-users* if a major release - [example](https://lists.isc.org/pipermail/bind-users/2022-January/105624.html)).
- [ ] ***(Marketing)*** Announce release on social media sites.
- [ ] ***(Marketing)*** Update [Wikipedia entry for BIND](https://en.wikipedia.org/wiki/BIND).
- [ ] ***(Support)*** Add the new releases to the [vulnerability matrix in the Knowledge Base](https://kb.isc.org/docs/aa-00913).
- [ ] ***(Support)*** Update tickets in case of waiting support customers.
- [ ] ***(QA)*** Build and test any outstanding private packages in [private repo](https://gitlab.isc.org/isc-private/rpms/bind/-/tree/cloudsmith). [Example](https://gitlab.isc.org/isc-private/rpms/bind/-/commit/2007d566db81dd9dfd79e571e2f600a3bc284da4)
- [ ] ***(QA)*** Build [public RPMs](https://gitlab.isc.org/isc-packages/rpms/bind). [Example commit](https://gitlab.isc.org/isc-packages/rpms/bind/-/commit/3b5e851ea7c4e3570371a4878b5461f02a44f8cc) which triggers [Copr builds](https://copr.fedorainfracloud.org/coprs/isc/) automatically.
- [ ] ***(SwEng)*** Build Debian/Ubuntu packages.
- [ ] ***(SwEng)*** Update Docker files [here](https://gitlab.isc.org/isc-projects/bind9-docker/-/branches) and make sure push is synchronized to [GitHub](https://github.com/isc-projects/bind9-docker). [Docker Hub](https://hub.docker.com/r/internetsystemsconsortium/bind9) should pick it up automatically. [Example](https://gitlab.isc.org/isc-projects/bind9-docker/-/commit/cada7e10e9af951595c98bfffc4bd42512faac05)
- [ ] ***(QA)*** Ensure all new tags are annotated and signed. `git show --show-signature v9.19.12`
- [ ] ***(QA)*** Push tags for the published releases to the public repository.
- [ ] ***(QA)*** Using [`merge_tag.py`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/merge_tag.py), merge published release tags back into their relevant development/maintenance branches.
- [ ] ***(QA)*** Ensure `allow_failure: true` is removed from the `cross-version-config-tests` job if it was set during the current release cycle.
- [ ] ***(QA)*** Sanitize confidential issues which are assigned to the current release milestone and do not describe a security vulnerability, then make them public.
- [ ] ***(QA)*** Sanitize [confidential issues](https://gitlab.isc.org/isc-projects/bind9/-/issues/?sort=milestone_due_desc&state=opened&confidential=yes) which are assigned to older release milestones and describe security vulnerabilities, then make them public if appropriate[^2].
- [ ] ***(QA)*** Update QA tools used in GitLab CI (e.g. Black, PyLint, Sphinx) by modifying the relevant [`Dockerfile`](https://gitlab.isc.org/isc-projects/images/-/merge_requests/228/diffs).
- [ ] ***(QA)*** Run a pipeline to rebuild all [images](https://gitlab.isc.org/isc-projects/images) used in GitLab CI.
- [ ] ***(QA)*** Update [`metadata.json`](https://gitlab.isc.org/isc-private/bind-qa/-/blob/master/bind9/releng/metadata.json) with the upcoming release information.
[^1]: If not, use the time remaining until the tagging deadline to ensure all outstanding issues are either resolved or moved to a different milestone.
[^2]: As a rule of thumb, security vulnerabilities which have reproducers merged to the public repository are considered okay for full disclosure.

Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

# BIND resolver locks up
https://gitlab.isc.org/isc-projects/bind9/-/issues/4656
2024-03-28T11:26:32Z, Klemen Mihevc

### Summary
With dnssec-validation enabled (auto), after ~15 min CPU utilization shoots up and the named process becomes unresponsive. The only solution is `kill -9` and a restart.
### BIND version affected
```
BIND 9.19.22 (Development Release) <id:d01a4e5>
running on Linux x86_64 6.7.10-gentoo-dist-hardened #1 SMP PREEMPT_DYNAMIC Sat Mar 16 10:24:08 CET 2024
built by make with '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--datarootdir=/usr/share' '--disable-dependency-tracking' '--disable-silent-rules' '--docdir=/usr/share/doc/bind-9.19.22' '--htmldir=/usr/share/doc/bind-9.19.22/html' '--with-sysroot=/' '--libdir=/usr/lib64' '--prefix=/usr' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-full-report' '--without-readline' '--with-openssl=/usr' '--with-jemalloc' '--with-json-c' '--with-zlib' '--disable-dnsrps' '--disable-dnstap' '--enable-doh' '--with-libnghttp2' '--disable-fixed-rrset' '--disable-static' '--disable-geoip' '--without-maxminddb' '--with-gssapi' '--with-libidn2' '--without-lmdb' '--with-libxml2' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=native -O2 -pipe -fomit-frame-pointer -flto -Werror=odr -Werror=lto-type-mismatch -Werror=strict-aliasing' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs' 'PKG_CONFIG_PATH=/var/tmp/portage/net-dns/bind-9.19.22/temp/python3.11/pkgconfig' 'PYTHON=/usr/bin/python3.11'
compiled by GCC 13.2.1 20240210
compiled with OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
linked to OpenSSL version: OpenSSL 3.2.1 30 Jan 2024
compiled with libuv version: 1.48.0
linked to libuv version: 1.48.0
compiled with liburcu version: 0.14.0
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.60.0
linked to libnghttp2 version: 1.60.0
compiled with libxml2 version: 2.12.6
linked to libxml2 version: 21206
compiled with json-c version: 0.17
linked to json-c version: 0.17
compiled with zlib version: 1.3.1
linked to zlib version: 1.3.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
```
### Steps to reproduce
1. Use the _attached_ configuration file.
2. Start the BIND server with the command: `/usr/sbin/named -u named`
3. With clients on the local network using recursion, it only takes ~15 min for the bug to show.
### What is the current *bug* behavior?
The named process locks up and stops responding: `named 31677 158 0.2 469800 45472 ? Rsl 09:12 26:18 /usr/sbin/named -u named`, utilization 158...
### What is the expected *correct* behavior?
The named process not locking up? There was no such issue in 9.19.21, nor is there one in 9.18.25.
### Relevant configuration files
```
key "dhcp" {
algorithm hmac-sha512;
secret "";
};
key "acmechallenge" {
algorithm hmac-sha512;
secret "";
};
tls "local-tls" {
cert-file "/etc/acme-sh/domain.net_ecc/fullchain.cer";
key-file "/etc/acme-sh/domain.net_ecc/domain.net.key";
protocols { TLSv1.2; TLSv1.3; };
ciphers "EECDH+AES256+AESGCM:EECDH+CHACHA20:EECDH+AES128+AESGCM:EECDH+AES256+SHA384";
prefer-server-ciphers yes;
session-tickets no;
};
masters "notifyhenet" {
216.218.130.2;
2001:470:100::2;
};
acl "xferhenet" {
216.218.133.2;
2001:470:600::2;
};
acl "trusted" {
127.0.0.1;
10.0.0.0/16;
IPV4;
::1;
IPV6_SUBNET/56;
};
dnssec-policy "standard" {
keys {
ksk lifetime unlimited algorithm ecdsap256sha256;
zsk lifetime 90d algorithm ecdsap256sha256;
};
dnskey-ttl 86400;
publish-safety 7d;
retire-safety 7d;
purge-keys 7d;
nsec3param iterations 0 optout no salt-length 0;
};
options {
directory "/var/bind";
pid-file "/run/named/named.pid";
server-id "ns.domain.net";
version none;
listen-on { 127.0.0.1; IPV4; 10.0.0.1; };
listen-on-v6 { ::1; IPV6; };
listen-on port 853 tls local-tls { 127.0.0.1; IPV4; 10.0.0.1; };
listen-on-v6 port 853 tls local-tls { ::1; IPV6; };
allow-query { trusted; };
allow-query-cache { trusted; };
allow-recursion { trusted; };
allow-transfer { trusted; };
allow-update { none; };
forward first;
forwarders port 853 tls local-tls {
1.1.1.1; 2606:4700:4700::1111; // Cloudflare DNS
1.0.0.1; 2606:4700:4700::1001; // Cloudflare DNS
/* 8.8.8.8; 2001:4860:4860::8888; // Google DNS
8.8.4.4; 2001:4860:4860::8844; // Google DNS */
};
/* forwarders {
1.1.1.1; 2606:4700:4700::1111; // Cloudflare DNS
1.0.0.1; 2606:4700:4700::1001; // Cloudflare DNS
84.255.209.79; 2a01:260:1:2::3; // T-2 DNS
84.255.210.79; 2a01:260:1:3::3; // T-2 DNS
}; */
bindkeys-file "/etc/bind/bind.keys";
dnssec-validation auto; // auto - check from time to time, a lot of broken dnssec mess
validate-except {
plex.tv;
anker-in.com;
};
max-cache-size 512M;
edns-udp-size 1232;
max-udp-size 1232;
ixfr-from-differences yes;
};
logging {
channel info_log {
file "/var/log/named/named.log";
print-time yes;
print-severity yes;
print-category yes;
severity info;
};
channel notice_log {
file "/var/log/named/named.log";
print-time yes;
print-severity yes;
print-category yes;
severity notice;
};
category default { info_log; };
category lame-servers { notice_log; };
category security { notice_log; };
};
//controls { };
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; ::1; } keys { "rndc-key"; };
inet ::1 port 953 allow { 127.0.0.1; ::1; } keys { "rndc-key"; };
};
/*
statistics-channels {
inet 127.0.0.1 port 8053 allow { 127.0.0.1; ::1; };
inet ::1 port 8053 allow { 127.0.0.1; ::1; };
};
*/
zone "localhost" {
type master;
file "pri/localhost.zone";
notify no;
};
zone "127.in-addr.arpa" {
type master;
file "pri/127.zone";
notify no;
};
zone "0.10.in-addr.arpa" {
type master;
file "dyn/0.10.in-addr.arpa.zone";
notify no;
allow-update { key dhcp; };
};
zone "ipv6subnet.ip6.arpa" {
type master;
file "dyn/ipv6subnet.ip6.arpa.zone";
notify explicit;
also-notify { notifyhenet; };
allow-query { any; };
allow-transfer { xferhenet; trusted; };
allow-update { key dhcp; };
key-directory "keys/ipv6subnet.ip6.arpa";
dnssec-policy standard;
inline-signing yes;
};
zone "domain.net" {
type master;
file "pri/domain.net.zone";
notify explicit;
also-notify { notifyhenet; };
allow-query { any; };
allow-transfer { xferhenet; trusted; };
key-directory "keys/domain.net";
dnssec-policy standard;
inline-signing yes;
};
zone "lan.domain.net" {
type master;
file "dyn/lan.domain.net.zone";
notify explicit;
also-notify { notifyhenet; };
allow-query { any; };
allow-transfer { xferhenet; trusted; };
allow-update { key dhcp; };
key-directory "keys/lan.domain.net";
dnssec-policy standard;
inline-signing yes;
};
zone "acme-challenge.domain.net" {
type master;
file "dyn/acme-challenge.domain.net.zone";
notify no;
allow-query { any; };
allow-update { key acmechallenge; };
key-directory "keys/acme-challenge.domain.net";
dnssec-policy standard;
inline-signing yes;
};
zone "dnswl.org" {
type forward;
forwarders { };
};
zone "uribl.com" {
type forward;
forwarders { };
};
zone "surbl.org" {
type forward;
forwarders { };
};
```
### Relevant logs
From 9:12 to 9:28 was the session with the broken behavior; there is nothing in the logs. The session that starts at 9:28 had dnssec-validation turned off (no).
```
26-Mar-2024 09:12:02.547 general: notice: command channel listening on 127.0.0.1#953
26-Mar-2024 09:12:02.547 general: notice: command channel listening on ::1#953
26-Mar-2024 09:12:02.547 network: info: updating TLS context on 127.0.0.1#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on IPV4#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on 10.0.0.1#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on ::1#853
26-Mar-2024 09:12:02.547 network: info: updating TLS context on IPV6#853
26-Mar-2024 09:12:02.547 zoneload: info: managed-keys-zone: loaded serial 259
26-Mar-2024 09:12:02.550 zoneload: info: zone 0.10.in-addr.arpa/IN: loaded serial 2024022951
26-Mar-2024 09:12:02.550 zoneload: info: zone localhost/IN: loaded serial 2008122601
26-Mar-2024 09:12:02.550 zoneload: info: zone 127.in-addr.arpa/IN: loaded serial 2008122601
26-Mar-2024 09:12:02.550 zoneload: info: zone domain.net/IN (unsigned): loaded serial 2024022900
26-Mar-2024 09:12:02.550 zoneload: info: zone ipv6subnet.ip6.arpa/IN (unsigned): loaded serial 2024022843
26-Mar-2024 09:12:02.550 zoneload: info: zone acme-challenge.domain.net/IN (unsigned): loaded serial 2024022800
26-Mar-2024 09:12:02.550 zoneload: info: zone domain.net/IN (signed): loaded serial 2024022983 (DNSSEC signed)
26-Mar-2024 09:12:02.550 zoneload: info: zone lan.domain.net/IN (unsigned): loaded serial 2024023082
26-Mar-2024 09:12:02.550 zoneload: info: zone acme-challenge.domain.net/IN (signed): loaded serial 2024022817 (DNSSEC signed)
26-Mar-2024 09:12:02.550 general: info: zone acme-challenge.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 zoneload: info: zone ipv6subnet.ip6.arpa/IN (signed): loaded serial 2024022872 (DNSSEC signed)
26-Mar-2024 09:12:02.550 dnssec: info: zone acme-challenge.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.550 zoneload: info: zone lan.domain.net/IN (signed): loaded serial 2024023184 (DNSSEC signed)
26-Mar-2024 09:12:02.550 general: notice: all zones loaded
26-Mar-2024 09:12:02.550 general: info: zone ipv6subnet.ip6.arpa/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notifies (serial 2024022872)
26-Mar-2024 09:12:02.550 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.550 general: notice: FIPS mode is disabled
26-Mar-2024 09:12:02.550 general: notice: running
26-Mar-2024 09:12:02.550 general: info: zone domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 general: info: zone lan.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:12:02.550 notify: info: zone domain.net/IN (signed): sending notifies (serial 2024022983)
26-Mar-2024 09:12:02.550 dnssec: info: zone domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.553 dnssec: info: zone domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.550
26-Mar-2024 09:12:02.553 notify: info: zone lan.domain.net/IN (signed): sending notifies (serial 2024023184)
26-Mar-2024 09:12:02.553 dnssec: info: zone lan.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:12:02.557 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): next key event: 20-Apr-2024 13:00:00.550
26-Mar-2024 09:12:02.557 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:12:02.557 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:12:02.560 dnssec: info: zone acme-challenge.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.550
26-Mar-2024 09:12:02.560 dnssec: info: zone lan.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.553
26-Mar-2024 09:12:02.563 notify: info: zone domain.net/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:12:02.563 notify: info: zone domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:12:02.563 notify: info: zone lan.domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:12:02.563 notify: info: zone lan.domain.net/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:12:02.573 dnssec: info: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
26-Mar-2024 09:28:47.548 general: notice: command channel listening on 127.0.0.1#953
26-Mar-2024 09:28:47.548 general: notice: command channel listening on ::1#953
26-Mar-2024 09:28:47.548 network: info: updating TLS context on 127.0.0.1#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on IPV4#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on 10.0.0.1#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on ::1#853
26-Mar-2024 09:28:47.548 network: info: updating TLS context on IPV6#853
26-Mar-2024 09:28:47.548 zoneload: info: zone 0.10.in-addr.arpa/IN: loaded serial 2024022951
26-Mar-2024 09:28:47.548 zoneload: info: zone acme-challenge.domain.net/IN (unsigned): loaded serial 2024022800
26-Mar-2024 09:28:47.548 zoneload: info: zone acme-challenge.domain.net/IN (signed): loaded serial 2024022817 (DNSSEC signed)
26-Mar-2024 09:28:47.548 zoneload: info: zone 127.in-addr.arpa/IN: loaded serial 2008122601
26-Mar-2024 09:28:47.548 zoneload: info: zone ipv6subnet.ip6.arpa/IN (unsigned): loaded serial 2024022843
26-Mar-2024 09:28:47.548 general: info: zone acme-challenge.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.548 dnssec: info: zone acme-challenge.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.552 zoneload: info: zone ipv6subnet.ip6.arpa/IN (signed): loaded serial 2024022872 (DNSSEC signed)
26-Mar-2024 09:28:47.552 zoneload: info: zone domain.net/IN (unsigned): loaded serial 2024022900
26-Mar-2024 09:28:47.552 zoneload: info: zone localhost/IN: loaded serial 2008122601
26-Mar-2024 09:28:47.552 zoneload: info: zone lan.domain.net/IN (unsigned): loaded serial 2024023082
26-Mar-2024 09:28:47.552 zoneload: info: zone domain.net/IN (signed): loaded serial 2024022983 (DNSSEC signed)
26-Mar-2024 09:28:47.552 general: info: zone domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.552 notify: info: zone domain.net/IN (signed): sending notifies (serial 2024022983)
26-Mar-2024 09:28:47.552 dnssec: info: zone domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.552 zoneload: info: zone lan.domain.net/IN (signed): loaded serial 2024023184 (DNSSEC signed)
26-Mar-2024 09:28:47.552 general: notice: all zones loaded
26-Mar-2024 09:28:47.552 general: notice: FIPS mode is disabled
26-Mar-2024 09:28:47.552 general: notice: running
26-Mar-2024 09:28:47.552 general: info: zone ipv6subnet.ip6.arpa/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.552 general: info: zone lan.domain.net/IN (signed): receive_secure_serial: unchanged
26-Mar-2024 09:28:47.552 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notifies (serial 2024022872)
26-Mar-2024 09:28:47.552 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.558 dnssec: info: zone acme-challenge.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.548
26-Mar-2024 09:28:47.562 dnssec: info: zone domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.552
26-Mar-2024 09:28:47.562 notify: info: zone domain.net/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:28:47.562 notify: info: zone domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:28:47.565 dnssec: info: zone ipv6subnet.ip6.arpa/IN (signed): next key event: 20-Apr-2024 13:00:00.552
26-Mar-2024 09:28:47.565 notify: info: zone lan.domain.net/IN (signed): sending notifies (serial 2024023184)
26-Mar-2024 09:28:47.565 dnssec: info: zone lan.domain.net/IN (signed): reconfiguring zone keys
26-Mar-2024 09:28:47.572 dnssec: info: zone lan.domain.net/IN (signed): next key event: 20-Apr-2024 13:00:00.565
26-Mar-2024 09:28:47.572 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 216.218.130.2#53
26-Mar-2024 09:28:47.572 notify: info: zone ipv6subnet.ip6.arpa/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:28:47.572 notify: info: zone lan.domain.net/IN (signed): sending notify to 2001:470:100::2#53
26-Mar-2024 09:28:47.572 notify: info: zone lan.domain.net/IN (signed): sending notify to 216.218.130.2#53
```

# More statistics counters for average query/response size
https://gitlab.isc.org/isc-projects/bind9/-/issues/4655
2024-03-26T12:49:52Z, perlang

### Description
(Describe the problem, use cases, benefits, and/or goals.)
To get the average query/response size in a timely manner.
Is it possible to add two new statistics counters for the total query/response size in bytes?
And even more, to add a series of counters to record the accumulated bytes for each range according to the query/response size in bytes, such as:
```
16-31: 1482763
32-47: 170843916
48-63: 111988356
64-79: 11257767
```
I am not sure if this feature could affect the performance of the server; if it does, it would be preferable to make it configurable, enabled or disabled at compile time or at run time.
### Request
(Describe the solution you'd like to see.)
Fetch the statistics data via 'rndc stats' or 'rndc status'.
### Links / references

## Are Application-layer Loop DoS Attacks relevant for bind9?
https://gitlab.isc.org/isc-projects/bind9/-/issues/4653
Updated: 2024-03-25T05:26:23Z
Author: Petr Menšík

A new document was shared with me by our security team:
<<redacted>>
They mention DNS, but it seems not to be a problem for any well-behaving DNS server. Have you seen this paper already? Do you already have a stance on the described attacks? To me it seems this should not affect any well-behaving resolver or its client.
Have you already assessed this kind of attack, whether it is relevant to bind9 in any well-configured instance?
Can you confirm whether this strange thing is known to be relevant or irrelevant to bind9 versions?

## query.c:10467: INSIST(namereln == dns_namereln_subdomain) failed, back trace
https://gitlab.isc.org/isc-projects/bind9/-/issues/4652
Updated: 2024-03-27T14:02:05Z
Author: Ondřej Surý

### Summary
Server crash caused by external UDP queries.
### BIND versions affected
```
BIND 9.19.23-dev (Development Release) <id:b1ebd49>
running on Linux x86_64 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29)
built by make with 'CC=' 'LD=' 'CFLAGS=-O0 -ggdb -Wno-deprecated-declarations -fno-omit-frame-pointer -fno-optimize-sibling-calls -mtune=alderlake -DISC_MEM_USE_INTERNAL_MALLOC=0 -DISC_MEM_TRACKLINES=1 -DISC_TRACK_PTHREADS_OBJECTS' 'LDFLAGS=' '--enable-developer' '--enable-warn-error' '--with-openssl' '--with-zlib' '--with-libxml2' '--with-json-c' '--with-readline' '--with-libidn2' '--disable-dnstap' '--with-libtool' '--without-make-clean'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
linked to OpenSSL version: OpenSSL 3.0.11 19 Sep 2023
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with liburcu version: 0.15.0-pre
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.52.0
linked to libnghttp2 version: 1.52.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
linked to maxminddb version: 1.7.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /dev/null
rndc configuration: /usr/local/etc/rndc.conf
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
geoip-directory: /usr/share/GeoIP
```
9.18 is not affected by the same attack pattern.
### Preconditions and assumptions
None.
### Attacker's abilities
Ability to send queries to the server.
### Impact
Server crashes with assertion failure.
### Steps to reproduce
1. Run `bin/named/named -g -c /dev/null -p 12345`
2. Run 2x `dnsperf -d queryfile-example-10million-201202 -p 12345 -s 10.10.10.20 -t 20 -S 1 -e -D -b 16000`
3. Wait
### What is the current *bug* behavior?
Server crashes.
### What is the expected *correct* behavior?
Server doesn't crash.
### Relevant logs
```
21-Mar-2024 14:58:36.219 REFUSED unexpected RCODE resolving 'www.pressrepublicanevents.com/A/IN': 64.40.12.250#53
21-Mar-2024 14:58:36.227 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 2001:4860:4802:32::a#53
21-Mar-2024 14:58:36.259 DNS format error from 89.108.89.143#53 resolving 4kings.ru/MX for 10.10.10.106#36493: empty question section
21-Mar-2024 14:58:36.283 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 2001:4860:4802:34::a#53
21-Mar-2024 14:58:36.311 REFUSED unexpected RCODE resolving 'bioquimicasrl.com/A/IN': 209.244.0.3#53
21-Mar-2024 14:58:36.323 SERVFAIL unexpected RCODE resolving 'www.tom-morrow-land.com/AAAA/IN': 1.1.1.1#53
21-Mar-2024 14:58:36.327 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 216.239.36.10#53
21-Mar-2024 14:58:36.331 REFUSED unexpected RCODE resolving 'www.pressrepublicanevents.com/A/IN': 64.40.12.251#53
21-Mar-2024 14:58:36.331 query client=0x7fa869baf000 thread=0x7fa86cefd680(www.pressrepublicanevents.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.331 query client=0x7fa83b1a3400 thread=0x7fa85b3fe680(www.pressrepublicanevents.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.339 success resolving 'www.angrybirdsfree.net/AAAA' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.339 query client=0x7fa83b221400 thread=0x7fa85b3fe680(www.tom-morrow-land.com/AAAA): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.339 query client=0x7fa869a3e400 thread=0x7fa86cefd680(www.tom-morrow-land.com/AAAA): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.359 success resolving 'e1.mc658.mail.yahoo.com/AAAA' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.371 validating ksg07.harvard.edu/MX: no valid signature found
21-Mar-2024 14:58:36.371 REFUSED unexpected RCODE resolving '3.gvt0.com/A/IN': 216.239.38.10#53
21-Mar-2024 14:58:36.379 success resolving 'a-0.19-21098801.c0c0083.1518.19d4.3ea1.210.0.qfptcsf437v6s7kaak2qs267pq.avqs.mcafee.com/A' after disabling qname minimization due to 'ncache nxdomain'
21-Mar-2024 14:58:36.387 REFUSED unexpected RCODE resolving 'www.untwistedvortex.com/A/IN': 128.199.213.165#53
21-Mar-2024 14:58:36.387 query client=0x7fa869b1f000 thread=0x7fa86cefd680(www.untwistedvortex.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.387 query client=0x7fa83b2d7000 thread=0x7fa85b3fe680(www.untwistedvortex.com/A): query_gotanswer: unexpected error: failure
21-Mar-2024 14:58:36.403 query.c:10467: INSIST(namereln == dns_namereln_subdomain) failed
```

## Add Dual Queue Low Latency Networking Support (NQB)
https://gitlab.isc.org/isc-projects/bind9/-/issues/4651
Updated: 2024-03-22T08:48:50Z
Author: Jason Livingood

### Description
Add Dual Queue Low Latency Networking Support (NQB)
Please consider adding server-side support for IETF Non-Queue-Building (NQB) Per Hop Behavior (PHB) as outlined in the IETF TSVWG RFCs 9330, 9331, 9332 and https://datatracker.ietf.org/doc/draft-ietf-tsvwg-nqb/. Specifically, I would like the recursive resolver to set DSCP-45 marking in all packets sent back to users (stub resolvers) in DNS responses. This will have the benefit of marking DNS responses as suitable for placement in the low latency queue at bottleneck links supporting dual queue (such as a CMTS or Cable Modem).
NQB marking enables latency-sensitive traffic like DNS lookups to be handled in a separate queue from classic traffic. The result is that, even when competing with significant other LAN or access network traffic from a user, the NQB-marked traffic will get very low working latency (usually close to what is observed for idle latency).
Comcast has tested this on resolvers in the lab as part of our low latency field trial of L4S and NQB and found it meaningfully reduced Query Response Times (QRT) under normal working conditions.
Comcast is currently the world's first ISP trialing this in the field and anticipates it being available to millions of end users in 2024.
### Request
Enable a new configuration parameter in the server enabling a resolver operator to turn on NQB support. That specifically will mean setting DSCP value 45 in the packet header. This configuration can either cover recursive responses or all outbound traffic from the server (there should be no downside to this).
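What the request above asks of named, done at the socket layer, as an added Python example (not BIND code and not anything from the reporter). The DSCP is the upper six bits of the IPv4 TOS / IPv6 Traffic Class byte, so DSCP 45 is written as 45 << 2 = 0xB4 with the two ECN bits left clear; the constant and function names are my own, and the value is read back so a caller can confirm the mark actually took.

```python
"""Added example, not BIND code: set the NQB DSCP (45) on a socket and read it back.
The DSCP occupies the upper 6 bits of the IPv4 TOS / IPv6 Traffic Class byte;
the low 2 bits are ECN and are left clear here (names are constructed for this example)."""
import socket

NQB_DSCP = 45   # DSCP value requested in the issue (draft-ietf-tsvwg-nqb)
DSCP_MAX = 63   # DSCP is a 6-bit field


def dscp_to_tos(dscp: int) -> int:
    """Place a DSCP in the TOS/TCLASS byte, ECN bits clear."""
    if not 0 <= dscp <= DSCP_MAX:
        raise ValueError(f"DSCP must be 0..{DSCP_MAX}, got {dscp}")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    """Recover the DSCP from a TOS/TCLASS byte (drops the ECN bits)."""
    return (tos & 0xFF) >> 2


def mark_socket(sock: socket.socket, dscp: int = NQB_DSCP) -> int:
    """Set the DSCP on an open socket and return the DSCP the kernel reports back,
    so the caller can verify the mark stuck. IPv6 sockets use IPV6_TCLASS,
    IPv4 sockets use IP_TOS."""
    tos = dscp_to_tos(dscp)
    if sock.family == socket.AF_INET6:
        sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_TCLASS, tos)
        seen = sock.getsockopt(socket.IPPROTO_IPV6, socket.IPV6_TCLASS)
    else:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
        seen = sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)
    return tos_to_dscp(seen)


def marked_udp_socket(family: int = socket.AF_INET, dscp: int = NQB_DSCP) -> socket.socket:
    """Create a UDP socket whose outgoing datagrams all carry the given DSCP."""
    sock = socket.socket(family, socket.SOCK_DGRAM)
    try:
        got = mark_socket(sock, dscp)
    except OSError:
        sock.close()
        raise
    if got != dscp:
        sock.close()
        raise OSError(f"kernel reports DSCP {got}, wanted {dscp}")
    return sock


if __name__ == "__main__":
    with marked_udp_socket() as s:
        # Every datagram sent from s leaves with TOS 0xB4 (DSCP 45, ECN 00).
        print("DSCP on socket:", mark_socket(s))
```

A mark set this way applies to every datagram the socket sends, which is the "all outbound traffic" variant of the request; a dual-stack AF_INET6 socket that also serves IPv4-mapped peers needs IP_TOS set as well. DSCP values are routinely re-marked or bleached at network boundaries, so the benefit is confined to paths, such as the access network in the trial described above, that honour the NQB PHB.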
### Links / references
RFC 9330 https://www.rfc-editor.org/rfc/rfc9330.html
RFC 9331 https://www.rfc-editor.org/rfc/rfc9331.html
RFC 9332 https://www.rfc-editor.org/rfc/rfc9332.html
NQB PHB Draft https://datatracker.ietf.org/doc/draft-ietf-tsvwg-nqb/
Comcast explainer for app developers https://github.com/jlivingood/IETF-L4S-Deployment/blob/main/App-Developer-Guide.md
Comcast explainer for network operators https://github.com/jlivingood/IETF-L4S-Deployment/blob/main/Network-Config-Guide.md
Comcast field trial announcement https://corporate.comcast.com/stories/comcast-kicks-off-industrys-first-low-latency-docsis-field-trials

## All TSAN-enabled builds fail in AWS-based GitLab CI jobs
https://gitlab.isc.org/isc-projects/bind9/-/issues/4649
Updated: 2024-03-25T13:45:40Z
Author: Michał Kępień

[Yesterday's mass-rebuild of Docker images][1] caused some update to be
pulled into `tsan-fedora-39-amd64` that does not play nicely with AWS
hosts because all TSAN-enabled builds now fail with an error message
like:
```
FATAL: ThreadSanitizer: unexpected memory mapping 0x7d00e0772000-0x7d00e0c00000
```
While it is not clear what exactly happened, here are two jobs that were
run in CI for the same commit:
- [2024-03-20 14:24, passed][2]
- [2024-03-20 16:41, failed][3]
The refreshed TSAN image was pushed to the container registry at 15:13.
The TSAN builds seemingly still work fine with the refreshed TSAN image
on our bare metal runners, which use older kernels. This is consistent
with similar reports found online:
https://stackoverflow.com/questions/77850769/fatal-threadsanitizer-unexpected-memory-mapping-when-running-on-linux-kernels
The simplest course of action is to apply the workaround mentioned in
the StackOverflow post above (`sysctl vm.mmap_rnd_bits=28`) and remove
it once the issue resolves itself as kernels and packages get updated
over time.
[1]: https://gitlab.isc.org/isc-projects/images/-/pipelines/168133
[2]: https://gitlab.isc.org/isc-projects/bind9/-/jobs/4142725
[3]: https://gitlab.isc.org/isc-projects/bind9/-/jobs/4143237
Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)
Assignee: Michal Nowak

## pytest failure oraclelinux8 in rpz/tests_sh_rpz_dnsrps.py
https://gitlab.isc.org/isc-projects/bind9/-/issues/4648
Updated: 2024-03-21T12:09:20Z
Author: Mark Andrews

Job [#4143909](https://gitlab.isc.org/isc-projects/bind9/-/jobs/4143909) failed for ecb043fc7b1a99a7e2ffb3d34974d16c00348471:
```
INTERNALERROR> File "/usr/local/lib/python3.6/site-packages/flaky/flaky_pytest_plugin.py", line 142, in _call_runtest_hook
INTERNALERROR> reraise = (runner.Exit,)
INTERNALERROR> AttributeError: module '_pytest.runner' has no attribute 'Exit'
INTERNALERROR> Traceback (most recent call last):
```

## root "mirror" zone overrides forward zone (forward only)
https://gitlab.isc.org/isc-projects/bind9/-/issues/4647
Updated: 2024-03-22T09:42:32Z
Author: Carsten Strotmann

### Summary
When a root zone mirror is configured in BIND 9.18.24, a forward zone (forward only) is not used.
The forward zone is for an undelegated private namespace "example.internal".
Once the root mirror is removed from the BIND 9 configuration, the forward zone starts working again.
The expectation is that the forward zone is more specific and is therefore checked first, before using recursion via the root zone mirror data.
### BIND version affected
```
BIND 9.18.24 (Extended Support Version) <id:6d7674f>
running on Linux x86_64 4.18.0-513.18.1.el8_9.x86_64 #1 SMP Thu Feb 1 03:51:05 EST 2024
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr' '--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin' '--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind' '--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include' '--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec' '--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib' '--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info' '--enable-warn-error' '--disable-static' '--enable-dnstap' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -L/opt/isc/isc-bind/root/usr/lib64' 'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64' 'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig' 'SPHINX_BUILD=/builddir/build/BUILD/bind-9.18.24/sphinx/bin/sphinx-build'
compiled by GCC 8.5.0 20210514 (Red Hat 8.5.0-20)
compiled with OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
linked to OpenSSL version: OpenSSL 1.1.1k FIPS 25 Mar 2021
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/opt/isc/scls/isc-bind/named.conf
rndc configuration: /etc/opt/isc/scls/isc-bind/rndc.conf
DNSSEC root key: /etc/opt/isc/scls/isc-bind/bind.keys
nsupdate session key: /var/opt/isc/scls/isc-bind/run/named/session.key
named PID file: /var/opt/isc/scls/isc-bind/run/named/named.pid
named lock file: /var/opt/isc/scls/isc-bind/run/named/named.lock
```
### Steps to reproduce
named.conf:
```
options {
directory "/var/named";
};
zone "." {
type mirror;
file "root.zone";
};
zone "example.internal" IN {
type forward;
forwarders { 192.0.2.53; };
forward only;
};
```
Test:
```
dig @<ip-of-resolver> example.internal soa
```
will return an NXDOMAIN answer (with AD flag) from the (local) root zone
Once the Root-Mirror zone is removed, the forwarding configuration works as expected (returns the SOA record for example.internal).

## CID 488065: Null pointer dereferences (REVERSE_INULL)
https://gitlab.isc.org/isc-projects/bind9/-/issues/4646
Updated: 2024-03-19T22:41:36Z
Author: Michal Nowak

Coverity Scan claims the following issue:
```c
/lib/dns/qpzone.c: 4805 in addrdataset()
4799 newheader->ttl = rdataset->ttl;
4800 if (rdataset->ttl == 0U) {
4801 DNS_SLABHEADER_SETATTR(newheader, DNS_SLABHEADERATTR_ZEROTTL);
4802 }
4803 atomic_init(&newheader->count,
4804 atomic_fetch_add_relaxed(&init_count, 1));
>>> CID 488065: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "version" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
4805 if (version != NULL) {
4806 newheader->serial = version->serial;
4807
4808 if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
4809 DNS_SLABHEADER_SETATTR(newheader,
4810 DNS_SLABHEADERATTR_RESIGN);
```
Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

## CID 488064: Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it
https://gitlab.isc.org/isc-projects/bind9/-/issues/4645
Updated: 2024-03-19T22:41:36Z
Author: Michal Nowak

Coverity Scan claims the following issues:
```
/lib/dns/qpzone.c: 1994 in add()
1988 newheader->down = topheader;
1989 topheader->next = newheader;
1990 node->dirty = 1;
1991 if (changed != NULL) {
1992 changed->dirty = true;
1993 }
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it.
1994 maybe_update_recordsandsize(false, version, header,
1995 nodename->length);
1996 }
1997 } else {
1998 /*
1999 * No non-IGNORED rdatasets of the given type exist at
/lib/dns/qpzone.c: 1972 in add()
1966 if (topheader_prev != NULL) {
1967 topheader_prev->next = newheader;
1968 } else {
1969 node->data = newheader;
1970 }
1971 newheader->next = topheader->next;
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it.
1972 maybe_update_recordsandsize(false, version, header,
1973 nodename->length);
1974 dns_slabheader_destroy(&header);
1975 } else {
1976 idx = HEADERNODE(newheader)->locknum;
1977 if (RESIGN(newheader)) {
/lib/dns/qpzone.c: 1979 in add()
1973 nodename->length);
1974 dns_slabheader_destroy(&header);
1975 } else {
1976 idx = HEADERNODE(newheader)->locknum;
1977 if (RESIGN(newheader)) {
1978 resigninsert(qpdb, idx, newheader);
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "resigndelete", which dereferences it.
1979 resigndelete(qpdb, version,
1980 header DNS__DB_FLARG_PASS);
1981 }
1982 if (topheader_prev != NULL) {
1983 topheader_prev->next = newheader;
1984 } else {
/lib/dns/qpzone.c: 2061 in add()
2055 newheader->next = node->data;
2056 node->data = newheader;
2057 }
2058 }
2059 }
2060
>>> CID 488064: (FORWARD_NULL)
>>> Passing null pointer "version" to "maybe_update_recordsandsize", which dereferences it.
2061 maybe_update_recordsandsize(true, version, newheader, nodename->length);
2062
2063 /*
2064 * Check if the node now contains CNAME and other data.
2065 */
2066 if (version != NULL && cname_and_other(node, version->serial)) {
```
Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

## Make BIND 9.16.48 got warnings and got errors when configured with --enable-developer
https://gitlab.isc.org/isc-projects/bind9/-/issues/4644
Updated: 2024-03-18T03:31:51Z
Author: nanwn147929@alibaba-inc.com

### Summary
Compilation fails when configured with developer mode enabled.
### BIND version affected
BIND 9.16.48
### Steps to reproduce
1. Configure by default options `./configure`, and compile source code `make`
2. Configure by enable tests `./configure --with-cmocka --enable-developer`, and compile source code `make; make test`
### What is the current *bug* behavior?
1. Compilation by default configuration
```
base32.c: In function ‘str_totext’:
./include/isc/buffer.h:845:20: warning: the comparison will always evaluate as ‘true’ for the address of ‘region’ will never be NULL [-Waddress]
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/likely.h:25:43: note: in definition of macro ‘ISC_LIKELY’
#define ISC_LIKELY(x) __builtin_expect(!!(x), 1)
^
./include/isc/buffer.h:845:3: note: in expansion of macro ‘ISC_REQUIRE’
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/buffer.h:1046:36: note: in expansion of macro ‘ISC__BUFFER_AVAILABLEREGION’
#define isc_buffer_availableregion ISC__BUFFER_AVAILABLEREGION
^
base32.c:420:2: note: in expansion of macro ‘isc_buffer_availableregion’
isc_buffer_availableregion(target, &region);
^
base32.c: In function ‘mem_tobuffer’:
./include/isc/buffer.h:845:20: warning: the comparison will always evaluate as ‘true’ for the address of ‘tr’ will never be NULL [-Waddress]
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/likely.h:25:43: note: in definition of macro ‘ISC_LIKELY’
#define ISC_LIKELY(x) __builtin_expect(!!(x), 1)
^
./include/isc/buffer.h:845:3: note: in expansion of macro ‘ISC_REQUIRE’
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/buffer.h:1046:36: note: in expansion of macro ‘ISC__BUFFER_AVAILABLEREGION’
#define isc_buffer_availableregion ISC__BUFFER_AVAILABLEREGION
^
base32.c:436:2: note: in expansion of macro ‘isc_buffer_availableregion’
isc_buffer_availableregion(target, &tr);
^
gcc -std=gnu99 -include /home/wn147929/bind/bind-9.16.48/config.h -I/home/wn147929/bind/bind-9.16.48 -I../.. -I./unix/include -I./pthreads/include -I./include -I./include -I. -I/home/wn147929/bind/bind-9.16.48/lib/dns/include -I../../lib/dns/include -DOPENSSL_SUPPRESS_DEPRECATED -g -O2 -pthread -fPIC -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -Wno-missing-field-initializers -fno-strict-aliasing -c base64.c
In file included from ./include/isc/assertions.h:21:0,
from ./include/isc/list.h:16,
from ./include/isc/types.h:32,
from ./include/isc/base64.h:20,
from base64.c:18:
base64.c: In function ‘str_totext’:
./include/isc/buffer.h:845:20: warning: the comparison will always evaluate as ‘true’ for the address of ‘region’ will never be NULL [-Waddress]
ISC_REQUIRE((_r) != NULL); \
^
```
2. Compilation with developer mode enabled
```
base32.c: In function ‘str_totext’:
./include/isc/buffer.h:845:20: error: the comparison will always evaluate as ‘true’ for the address of ‘region’ will never be NULL [-Werror=address]
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/likely.h:25:43: note: in definition of macro ‘ISC_LIKELY’
#define ISC_LIKELY(x) __builtin_expect(!!(x), 1)
^
./include/isc/buffer.h:845:3: note: in expansion of macro ‘ISC_REQUIRE’
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/buffer.h:1046:36: note: in expansion of macro ‘ISC__BUFFER_AVAILABLEREGION’
#define isc_buffer_availableregion ISC__BUFFER_AVAILABLEREGION
^
base32.c:420:2: note: in expansion of macro ‘isc_buffer_availableregion’
isc_buffer_availableregion(target, &region);
^
base32.c: In function ‘mem_tobuffer’:
./include/isc/buffer.h:845:20: error: the comparison will always evaluate as ‘true’ for the address of ‘tr’ will never be NULL [-Werror=address]
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/likely.h:25:43: note: in definition of macro ‘ISC_LIKELY’
#define ISC_LIKELY(x) __builtin_expect(!!(x), 1)
^
./include/isc/buffer.h:845:3: note: in expansion of macro ‘ISC_REQUIRE’
ISC_REQUIRE((_r) != NULL); \
^
./include/isc/buffer.h:1046:36: note: in expansion of macro ‘ISC__BUFFER_AVAILABLEREGION’
#define isc_buffer_availableregion ISC__BUFFER_AVAILABLEREGION
^
base32.c:436:2: note: in expansion of macro ‘isc_buffer_availableregion’
isc_buffer_availableregion(target, &tr);
^
cc1: all warnings being treated as errors
```
### What is the expected *correct* behavior?
Compile success
### Relevant configuration files
### Relevant logs

## Properly document how the IDN arguments work
https://gitlab.isc.org/isc-projects/bind9/-/issues/4643
Updated: 2024-03-16T06:52:25Z
Author: Ondřej Surý

Document how +idn, +idnin and +idnout interact when run interactively and non-interactively.
This has changed between versions.

## [dig] +ednsflags does not enable EDNS
https://gitlab.isc.org/isc-projects/bind9/-/issues/4642
Updated: 2024-03-17T03:16:43Z
Author: Stéphane Bortzmeyer

### Summary
dig's +ednsflags does not enable EDNS
### BIND version affected
```
BIND 9.19.21 (Development Release) <id:c030a67>
running on Linux x86_64 6.5.0-10022-tuxedo #26 SMP PREEMPT_DYNAMIC Thu Jan 18 02:29:42 UTC 2024
built by make with default
compiled by GCC 11.4.0
compiled with OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
linked to OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
compiled with libuv version: 1.43.0
linked to libuv version: 1.43.0
compiled with liburcu version: 0.13.1
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.43.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): no
default paths:
named configuration: /usr/local/etc/named.conf
rndc configuration: /usr/local/etc/rndc.conf
nsupdate session key: /usr/local/var/run/named/session.key
named PID file: /usr/local/var/run/named/named.pid
```
### Steps to reproduce
```
dig +noedns +ednsflags=0x4000 isc.org SOA
```
### What is the current *bug* behavior?
EDNS is still disabled
### What is the expected *correct* behavior?
+ednsflags should enable EDNS, like +nsid or +dnssec do. (Or maybe only if the value is non-zero.)
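To make concrete what +ednsflags touches, here is an added Python example (not dig's code and not from the reporter; it also covers the same request in #4641 below) that builds a minimal DNS query with an OPT record and parses it back. It implements the behaviour asked for above: a non-zero flag value, like the DO bit, implies EDNS, so an OPT record is always emitted in that case. The wire layout follows RFC 6891 (the 16 EDNS flag bits sit in the low half of the OPT record's TTL field, DO being 0x8000); the function names and the 1232-byte default payload size are my choices.

```python
"""Added example, not dig's code: build a DNS query with an OPT record and read
the EDNS fields back. Layout per RFC 6891: OPT is type 41, its CLASS carries the
UDP payload size and its TTL packs ext-rcode | version | 16 flag bits
(DO = 0x8000, the remaining Z bits are what +ednsflags sets)."""
import struct

QTYPE_SOA = 6
TYPE_OPT = 41
EDNS_DO = 0x8000
EDNS_ZMASK = 0x7FFF        # the flag bits +ednsflags may set (DO is masked out)
DEFAULT_UDPSIZE = 1232     # payload size chosen for this example


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire labels, e.g. 'isc.org' -> 03 'isc' 03 'org' 00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, qid: int = 0x1234, edns: bool = False,
                ednsflags: int = 0, do: bool = False,
                udpsize: int = DEFAULT_UDPSIZE) -> bytes:
    """Standard RD query. EDNS is switched on when asked for explicitly OR when
    anything that needs it is requested (non-zero Z flags or DO), which is the
    behaviour the report above expects from dig +ednsflags."""
    use_edns = edns or do or (ednsflags & EDNS_ZMASK) != 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if use_edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    if not use_edns:
        return header + question
    ttl = (ednsflags & EDNS_ZMASK) | (EDNS_DO if do else 0)       # ext-rcode 0, version 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udpsize, ttl, 0)  # root name, rdlength 0
    return header + question + opt


def decode_name(pkt: bytes, off: int):
    """Read an uncompressed name, returning (text, offset just past it)."""
    labels = []
    while True:
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def parse_edns(pkt: bytes):
    """Return the OPT record's fields from a query, or None if no OPT is present."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(pkt, off)
        off += 4                                   # qtype + qclass
    for _ in range(an + ns + ar):
        _, off = decode_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return {"udpsize": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & EDNS_DO), "flags": ttl & EDNS_ZMASK}
    return None


if __name__ == "__main__":
    # The reporter's case: EDNS off, then a flag requested.
    print(parse_edns(build_query("isc.org", QTYPE_SOA, ednsflags=0x4000)))
```

The parser only handles uncompressed names, which is all a query built here contains; a real response would need compression-pointer handling before this could be reused on it.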
/label ~Bug

## dig +ednsflags does not re-enable EDNS
https://gitlab.isc.org/isc-projects/bind9/-/issues/4641
Updated: 2024-03-17T03:12:44Z
Author: Mark Andrews

+dnssec, +nsid re-enable EDNS if currently disabled. +ednsflags should do the same.
Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

## Checkzone in system test leaks queries
https://gitlab.isc.org/isc-projects/bind9/-/issues/4640
Updated: 2024-03-21T02:40:22Z
Author: Mark Andrews

The checkzone "checking with max ttl (text)" test leaks queries.
Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

## Add OpenSSL Flags to proxystream_test
https://gitlab.isc.org/isc-projects/bind9/-/issues/4639
Updated: 2024-03-14T23:42:27Z
Author: Samuel Chiang

proxystream_test does not seem to have OpenSSL Flags defined, which causes issues if OpenSSL is not within the standard path. Adding this adheres to the other test executables that are dependent on OpenSSL in this file. I have a patch provided below :smile:
```
diff --git a/tests/isc/Makefile.am b/tests/isc/Makefile.am
index 5cdd915..6ee1935 100644
--- a/tests/isc/Makefile.am
+++ b/tests/isc/Makefile.am
@@ -115,10 +115,12 @@ proxyheader_test_SOURCES = \
proxyheader_test_data.h
proxystream_test_CPPFLAGS = \
- $(AM_CPPFLAGS)
+ $(AM_CPPFLAGS) \
+ $(OPENSSL_CFLAGS)
proxystream_test_LDADD = \
- $(LDADD)
+ $(LDADD) \
+ $(OPENSSL_LIBS)
proxystream_test_SOURCES = \
proxystream_test.c \
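Review bot: the two additions match the intent stated above, but the hunk's context shows no other test's CPPFLAGS/LDADD definition to compare against, so before merging confirm that `OPENSSL_CFLAGS` and `OPENSSL_LIBS` are the exact substitution names this tree's configure exports (a mismatch would expand to nothing and the build would still fail off the standard path), and that the new `$(AM_CPPFLAGS) \` and `$(LDADD) \` continuation lines carry no trailing whitespace after the backslash, which automake would treat as the end of the assignment.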
```
Milestone: April 2024 (9.16.50, 9.16.50-S1, 9.18.26, 9.18.26-S1, 9.19.23)

## host, dig and nslookup don't resolve IDN domains when not used in a tty
https://gitlab.isc.org/isc-projects/bind9/-/issues/4637
Updated: 2024-03-16T06:49:38Z
Author: Dirk Stöcker

### Summary
When calling the tools host, dig or nslookup, getting data for an IDN domain only works in a tty environment. That's an extremely non-obvious bug.
Calling `host stöcker.eu` works, while `host stöcker.eu |cat` cannot resolve the domain.
See also my initial bug report to perl (https://github.com/Perl/perl5/issues/22080) which points to the exact code location for this bug.
### BIND version affected
I'm using bind-utils-9.18.24-1.1.x86_64 on openSUSE Tumbleweed. The same happens on an older version (Ubuntu LTS).
### Steps to reproduce
See description above
1. Call `host stöcker.eu |cat` in Linux shell
### What is the current *bug* behavior?
Does not resolve a correct name
### What is the expected *correct* behavior?
Does resolve the name whether it's a tty or not.
### Relevant configuration files
none
### Relevant logs
none
Milestone: Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/4636
rndc.py got 'NotImplementedError: Wrong message version'
2024-03-14T12:25:47Z, bino oetomo

Dear all,
I'm trying to delete a zone in a catalog zone using Python.
The script is adapted (to Python 3.9.2) from catz-del.py of https://kb.isc.org/docs/aa-01401.
Here is the script.
```
import sys
import os
import isc
import dns.query
import dns.update
import dns.name
import hashlib

ZONEPATH = '/var/cache/bind/'
MASTERS = ['192.168.1.101']
SERVER = '192.168.8.78'
DNSPORT = 53
RNDCPORT = 9953
RNDCALGO = 'sha256'
RNDCKEY = '1234abcd8765'
CATZONE = 'catalog.example'
PTR_EXPIRE = 31622400
PRIMARIES = ';'.join(MASTERS)


def hashzones(domain):
    hash = hashlib.sha1(dns.name.from_text(domain).to_wire()).hexdigest()
    return f'{hash}.zones'


def del_zone(name):
    # Update catalog zone
    update = dns.update.Update(CATZONE)
    update.delete(f'{hashzones(name)}', 'ptr')
    response = dns.query.tcp(update, SERVER, port=DNSPORT)
    if response.rcode() != 0:
        raise Exception(f"Error updating catalog zone: {response.rcode()}")
    # Delete zone from primary using RNDC
    r = isc.rndc((SERVER, DNSPORT), RNDCALGO, RNDCKEY)
    response = r.call(f'delzone {name}')
    if response['result'] != b'0':
        raise Exception(f"Error deleting zone from primary: {response['err']}")


del_zone(sys.argv[1])
```
I got an error when trying to run it:
```
(venv) debian@risetdns01:~/catzman$ python ./delzone.py domain20.bino
Traceback (most recent call last):
File "/home/debian/catzman/./delzone.py", line 40, in <module>
del_zone(sys.argv[1])
File "/home/debian/catzman/./delzone.py", line 35, in del_zone
r = isc.rndc((SERVER, DNSPORT), RNDCALGO, RNDCKEY)
File "/home/debian/catzman/isc/rndc.py", line 54, in __init__
self.__connect_login()
File "/home/debian/catzman/isc/rndc.py", line 158, in __connect_login
msg = self.__command(type="null")
File "/home/debian/catzman/isc/rndc.py", line 139, in __command
raise NotImplementedError("Wrong message version %d" % version)
NotImplementedError: Wrong message version 2147549184
```
while in my bind9 log file, I got:
```
13-Mar-2024 22:35:29.991 update: info: client @0x7ff0a4030080 192.168.8.78#33920: updating zone 'catalog.example/IN': deleting rrset at '5858ea66ec75231963ecb03723e1ce3295e23349.zones.catalog.example' PTR
13-Mar-2024 22:35:29.991 client: debug 1: client @0x7ff0a40322c0 192.168.8.78#33926: message parsing failed: bad label type
```
My isc Python module version is '9.16.48-Debian'.
It's /usr/lib/python3/dist-packages/isc/__init__.py, since it cannot be accessed directly when I use a venv.
My named details:
```
root@risetdns01:~# named -V
BIND 9.16.48-Debian (Extended Support Version) <id:0dab57e>
running on Linux x86_64 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31)
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-option-checking' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -ffile-prefix-map=/build/reproducible-path/bind9-9.16.48=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
compiled by GCC 10.2.1 20210110
compiled with OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
linked to OpenSSL version: OpenSSL 1.1.1w 11 Sep 2023
compiled with libuv version: 1.40.0
linked to libuv version: 1.40.0
compiled with libxml2 version: 2.9.10
linked to libxml2 version: 20910
compiled with json-c version: 0.15
linked to json-c version: 0.15
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.3.3
linked to protobuf-c version: 1.3.3
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/bind/named.conf
rndc configuration: /etc/bind/rndc.conf
DNSSEC root key: /etc/bind/bind.keys
nsupdate session key: //run/named/session.key
named PID file: //run/named/named.pid
named lock file: //run/named/named.lock
geoip-directory: /usr/share/GeoIP
```
The problem does not occur with 'add zone'.
Kindly please tell me what to check or do to fix this problem.
Sincerely,
-bino-