BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
2022-10-05T09:37:10Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/3579
Add more debugging messages for network-level events
2022-10-05T09:37:10Z
Michał Kępień

The network manager code is currently not particularly verbose when it
comes to logging debug messages:
```
$ git grep isc_log_write lib/isc/netmgr/ | wc -l
9
```
In particular, this applies to "positive" events (non-errors), like
establishing a connection, correctly receiving data from a socket, etc.
This applies to both non-encrypted transports (like TCP) and encrypted
ones.
The problem for me as an administrator/troubleshooter is that I have
very limited visibility into what BIND 9 "sees" on its side of things
when things go south. For example, I recently experimented with getting
`systemd-resolved` to talk to `named` over DNS-over-TLS; the former
reported, well, *errors*, and I could not get a grasp of the point at
which things are failing without resorting to Wireshark ("Is it the TCP
connection on port 853 itself? Or maybe the TLS session negotiation?
Or is that part okay and it is something about the data that
`systemd-resolved` sends inside a properly-established TLS session that
makes `named` complain?" etc.)
I am opening this issue so that it can serve as a public acknowledgment
of this being a known deficiency. It would be nice to do something
about it in the long run. Obviously there will have to be performance
trade-offs, but I think even hiding certain log messages behind a
build-time switch is fine as long as there is *some* way of getting
`named` to become more talkative logging-wise when it comes to
network-level events.

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3509
TSAN: TLS and DoH shutdown sequence
2023-05-23T15:25:04Z
Ondřej Surý

TSAN reports a warning where the underlying socket is not yet destroyed after `isc_nm_stoplistening()`, but the top socket already is.
The problem is that `isc_nm_stoplistening()` pretends to be synchronous, but it really isn't and we need to add per-thread child socket for TLS(stream) and DoH code, so we don't destroy the top socket before the underlying socket gets destroyed. Alternatively, the `isc_nm_stoplistening()` needs to take a callback and be converted to asynchronous code.
```
WARNING: ThreadSanitizer: data race (pid=7728)
Write of size 8 at 0x7b080002cbc0 by thread T11:
#0 free <null> (libtsan.so.0+0x37a28)
#1 OPENSSL_sk_free <null> (libcrypto.so.1.1+0x18156a)
#2 isc__nm_tls_cleanup_data netmgr/tlsstream.c:1122 (libisc-9.19.5-dev.so+0x8bd0d)
#3 nmsocket_cleanup netmgr/netmgr.c:729 (libisc-9.19.5-dev.so+0x252fd)
#4 nmsocket_maybe_destroy netmgr/netmgr.c:799 (libisc-9.19.5-dev.so+0x2556b)
#5 isc___nmsocket_prep_destroy netmgr/netmgr.c:861 (libisc-9.19.5-dev.so+0x256de)
#6 isc___nmsocket_detach netmgr/netmgr.c:888 (libisc-9.19.5-dev.so+0x25818)
#7 isc__nm_tls_cleanup_data netmgr/tlsstream.c:1141 (libisc-9.19.5-dev.so+0x8bb84)
#8 nmsocket_cleanup netmgr/netmgr.c:729 (libisc-9.19.5-dev.so+0x252fd)
#9 nmsocket_maybe_destroy netmgr/netmgr.c:799 (libisc-9.19.5-dev.so+0x2556b)
#10 isc___nmsocket_prep_destroy netmgr/netmgr.c:861 (libisc-9.19.5-dev.so+0x256de)
#11 tcp_close_sock netmgr/tcp.c:1209 (libisc-9.19.5-dev.so+0x29a8e)
#12 tcp_close_cb netmgr/tcp.c:1217 (libisc-9.19.5-dev.so+0x29b43)
#13 uv__finish_close /usr/src/libuv-v1.44.1/src/unix/core.c:308 (libuv.so.1+0x119b9)
#14 isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:189 (libisc-9.19.5-dev.so+0x79d29)
Previous read of size 8 at 0x7b080002cbc0 by thread T16:
#0 memcpy <null> (libtsan.so.0+0x5da1e)
#1 OPENSSL_sk_dup <null> (libcrypto.so.1.1+0x183231)
#2 tls_readcb netmgr/tlsstream.c:606 (libisc-9.19.5-dev.so+0x89bbe)
#3 isc__nm_async_readcb netmgr/netmgr.c:2217 (libisc-9.19.5-dev.so+0x26e6b)
#4 isc__nm_readcb netmgr/netmgr.c:2190 (libisc-9.19.5-dev.so+0x2704f)
#5 isc__nm_tcp_read_cb netmgr/tcp.c:897 (libisc-9.19.5-dev.so+0x2bb8c)
#6 uv__read /usr/src/libuv-v1.44.1/src/unix/stream.c:1247 (libuv.so.1+0x22d21)
#7 isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:189 (libisc-9.19.5-dev.so+0x79d29)
Thread T11 'isc-loop-0007' (tid=8083, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x5bef5)
#1 isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70 (libisc-9.19.5-dev.so+0x72017)
#2 isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:467 (libisc-9.19.5-dev.so+0x596b1)
#3 run_test_doh_recv_send_POST_TLS /builds/isc-projects/bind9/tests/isc/doh_test.c:1035 (doh_test+0x40d088)
#4 cmocka_run_one_test_or_fixture <null> (libcmocka.so.0+0x5cb0)
#5 __libc_start_call_main <null> (libc.so.6+0x4043f)
Thread T16 'isc-loop-0012' (tid=8088, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x5bef5)
#1 isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70 (libisc-9.19.5-dev.so+0x72017)
#2 isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:467 (libisc-9.19.5-dev.so+0x596b1)
#3 run_test_doh_recv_send_POST_TLS /builds/isc-projects/bind9/tests/isc/doh_test.c:1035 (doh_test+0x40d088)
#4 cmocka_run_one_test_or_fixture <null> (libcmocka.so.0+0x5cb0)
#5 __libc_start_call_main <null> (libc.so.6+0x4043f)
SUMMARY: ThreadSanitizer: data race (/lib64/libtsan.so.0+0x37a28) in free
```
and
```
WARNING: ThreadSanitizer: data race (pid=7728)
Write of size 8 at 0x7b04000055e0 by thread T11:
#0 free <null> (libtsan.so.0+0x37a28)
#1 SSL_SESSION_free <null> (libssl.so.1.1+0x3fa88)
#2 isc__nm_tls_cleanup_data netmgr/tlsstream.c:1122 (libisc-9.19.5-dev.so+0x8bd0d)
#3 nmsocket_cleanup netmgr/netmgr.c:729 (libisc-9.19.5-dev.so+0x252fd)
#4 nmsocket_maybe_destroy netmgr/netmgr.c:799 (libisc-9.19.5-dev.so+0x2556b)
#5 isc___nmsocket_prep_destroy netmgr/netmgr.c:861 (libisc-9.19.5-dev.so+0x256de)
#6 isc___nmsocket_detach netmgr/netmgr.c:888 (libisc-9.19.5-dev.so+0x25818)
#7 isc__nm_tls_cleanup_data netmgr/tlsstream.c:1141 (libisc-9.19.5-dev.so+0x8bb84)
#8 nmsocket_cleanup netmgr/netmgr.c:729 (libisc-9.19.5-dev.so+0x252fd)
#9 nmsocket_maybe_destroy netmgr/netmgr.c:799 (libisc-9.19.5-dev.so+0x2556b)
#10 isc___nmsocket_prep_destroy netmgr/netmgr.c:861 (libisc-9.19.5-dev.so+0x256de)
#11 tcp_close_sock netmgr/tcp.c:1209 (libisc-9.19.5-dev.so+0x29a8e)
#12 tcp_close_cb netmgr/tcp.c:1217 (libisc-9.19.5-dev.so+0x29b43)
#13 uv__finish_close /usr/src/libuv-v1.44.1/src/unix/core.c:308 (libuv.so.1+0x119b9)
#14 isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:189 (libisc-9.19.5-dev.so+0x79d29)
Previous read of size 1 at 0x7b04000055e1 by thread T16:
#0 memcpy <null> (libtsan.so.0+0x5da1e)
#1 ssl_session_dup <null> (libssl.so.1.1+0x3fd8f)
#2 tls_readcb netmgr/tlsstream.c:606 (libisc-9.19.5-dev.so+0x89bbe)
#3 isc__nm_async_readcb netmgr/netmgr.c:2217 (libisc-9.19.5-dev.so+0x26e6b)
#4 isc__nm_readcb netmgr/netmgr.c:2190 (libisc-9.19.5-dev.so+0x2704f)
#5 isc__nm_tcp_read_cb netmgr/tcp.c:897 (libisc-9.19.5-dev.so+0x2bb8c)
#6 uv__read /usr/src/libuv-v1.44.1/src/unix/stream.c:1247 (libuv.so.1+0x22d21)
#7 isc__trampoline_run /builds/isc-projects/bind9/lib/isc/trampoline.c:189 (libisc-9.19.5-dev.so+0x79d29)
Thread T11 'isc-loop-0007' (tid=8083, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x5bef5)
#1 isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70 (libisc-9.19.5-dev.so+0x72017)
#2 isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:467 (libisc-9.19.5-dev.so+0x596b1)
#3 run_test_doh_recv_send_POST_TLS /builds/isc-projects/bind9/tests/isc/doh_test.c:1035 (doh_test+0x40d088)
#4 cmocka_run_one_test_or_fixture <null> (libcmocka.so.0+0x5cb0)
#5 __libc_start_call_main <null> (libc.so.6+0x4043f)
Thread T16 'isc-loop-0012' (tid=8088, running) created by main thread at:
#0 pthread_create <null> (libtsan.so.0+0x5bef5)
#1 isc_thread_create /builds/isc-projects/bind9/lib/isc/thread.c:70 (libisc-9.19.5-dev.so+0x72017)
#2 isc_loopmgr_run /builds/isc-projects/bind9/lib/isc/loop.c:467 (libisc-9.19.5-dev.so+0x596b1)
#3 run_test_doh_recv_send_POST_TLS /builds/isc-projects/bind9/tests/isc/doh_test.c:1035 (doh_test+0x40d088)
#4 cmocka_run_one_test_or_fixture <null> (libcmocka.so.0+0x5cb0)
#5 __libc_start_call_main <null> (libc.so.6+0x4043f)
SUMMARY: ThreadSanitizer: data race (/lib64/libtsan.so.0+0x37a28) in free
```
This issue also affects 9.18, but is more prominent in 9.19 loopmgr code.

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3502
xfer-in error failed while receiving responses: not exact
2022-08-24T13:33:38Z
Jan Sorensen

### Description
I have upgraded my secondary DNS server from 9.18.5 to 9.18.6. The primary is 9.18.5.
As a result I now receive a couple of error messages:
xfer-in: error: transfer of (various domains from master) failed while receiving responses: not exact
A single non-DNSSEC domain does not generate the error.
### Request
A more useful error message.
### Links / references

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3497
CID 356081 356083 396973 396970: High impact quality (Y2K38_SAFETY)
2022-08-18T07:04:24Z
Michal Nowak

Update Coverity Scan reported the following year 2038 issues:
```
*** CID 356083: High impact quality (Y2K38_SAFETY)
/bin/dnssec/dnssec-keygen.c: 775 in keygen()
769 if (ctx->setttl) {
770 dst_key_setttl(key, ctx->ttl);
771 }
772
773 /* Set dnssec-policy related metadata */
774 if (ctx->policy != NULL) {
>>> CID 356083: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "ctx->lifetime" is cast to "uint32_t".
775 dst_key_setnum(key, DST_NUM_LIFETIME, ctx->lifetime);
776 dst_key_setbool(key, DST_BOOL_KSK, ctx->ksk);
777 dst_key_setbool(key, DST_BOOL_ZSK, ctx->zsk);
778 }
779
780 /*
```
---
```
*** CID 356081: High impact quality (Y2K38_SAFETY)
/lib/isc/time.c: 401 in isc_time_parsehttptimestamp()
395 return (ISC_R_UNEXPECTED);
396 }
397 when = isc_tm_timegm(&t_tm);
398 if (when == -1) {
399 return (ISC_R_UNEXPECTED);
400 }
>>> CID 356081: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "when" is cast to "unsigned int".
401 isc_time_set(t, when, 0);
402 return (ISC_R_SUCCESS);
403 }
404
405 void
406 isc_time_formatISO8601L(const isc_time_t *t, char *buf, unsigned int len) {
```
Also in `lib/isc/unix/time.c` on ~"v9.16".
---
~"v9.16"-only and ~Low:
```
*** CID 396973: High impact quality (Y2K38_SAFETY)
/lib/dns/tests/update_test.c: 77 in set_mystdtime()
71 struct tm tm;
72
73 memset(&tm, 0, sizeof(tm));
74 tm.tm_year = year - 1900;
75 tm.tm_mon = month - 1;
76 tm.tm_mday = day;
>>> CID 396973: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "timegm(&tm)" is cast to "uint32_t".
77 mystdtime = timegm(&tm);
78 }
79
80 /*
81 * Override isc_stdtime_get() from lib/isc/[unix/win32]/stdtime.c
82 * with our own for testing purposes.
```
```
*** CID 396970: High impact quality (Y2K38_SAFETY)
/bin/tests/optional/gsstest.c: 360 in initctx1()
354 c = scanf("%511s", gssid);
355 if (c == EOF) {
356 return;
357 }
358
359 snprintf(contextname, sizeof(contextname), "gsstest.context.%d.",
>>> CID 396970: High impact quality (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "time(NULL)" is cast to "int".
360 (int)time(NULL));
361
362 printf("Initctx - context name we're using: %s\n", contextname);
363
364 printf("Negotiating GSSAPI context: ");
365 printf("%s", gssid);
```

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3472
IPv4-only mode not respected for zone transfers
2024-02-24T07:55:11Z
Thomas Amgarten

### Summary
Running BIND in IPv4-only-mode (```named -4```) and using a mirror zone (local root), then BIND tries to AXFR the root zone with IPv6 and reports failures about the unreachability:
```
27-Jul-2022 08:57:43.309 general: info: zone ./IN: refresh: failure trying primary 2001:500:2::c#53 (source ::#0): operation canceled
27-Jul-2022 08:57:43.309 general: info: zone ./IN: refresh: failure trying primary 2001:500:2f::f#53 (source ::#0): operation canceled
27-Jul-2022 08:57:43.809 general: info: zone ./IN: refresh: failure trying primary 2001:500:12::d0d#53 (source ::#0): operation canceled
27-Jul-2022 08:57:43.809 general: info: zone ./IN: refresh: failure trying primary 2001:7fd::1#53 (source ::#0): operation canceled
27-Jul-2022 08:57:44.309 general: info: zone ./IN: refresh: failure trying primary 2620:0:2830:202::132#53 (source ::#0): operation canceled
27-Jul-2022 08:57:44.309 general: info: zone ./IN: refresh: failure trying primary 2620:0:2d0:202::132#53 (source ::#0): operation canceled
```
### BIND version used
```
$ named -V
BIND 9.18.5 (Stable Release) <id:6593103>
running on Linux x86_64 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 20:34:55 UTC 2021
built by make with '--prefix=/usr/local/bind-9.18.5' '--sysconfdir=/opt/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/opt/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--with-json-c' '--enable-singletrace' 'PKG_CONFIG_PATH=:/usr/local/libuv/lib/pkgconfig/'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS 21 Apr 2020
compiled with libuv version: 1.41.1
linked to libuv version: 1.41.1
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
default paths:
named configuration: /opt/chroot/bind/etc/named/named.conf
rndc configuration: /opt/chroot/bind/etc/named/rndc.conf
DNSSEC root key: /opt/chroot/bind/etc/named/bind.keys
nsupdate session key: /opt/chroot/bind/var/run/named/session.key
named PID file: /opt/chroot/bind/var/run/named/named.pid
named lock file: /opt/chroot/bind/var/run/named/named.lock
```
### Steps to reproduce
Create a mirror zone:
```
zone "." {
type mirror;
notify no;
};
```
Run BIND with IPv4-only:
```
$ /usr/local/bind/sbin/named -4 -t /opt/chroot/bind -u named -c /etc/named/named.conf
```
And now check the log for the IPv6 failure:
```
27-Jul-2022 09:18:59.148 general: info: zone ./IN: refresh: failure trying primary 2001:500:200::b#53 (source ::#0): operation canceled
27-Jul-2022 09:18:59.651 general: info: zone ./IN: refresh: failure trying primary 2001:500:2::c#53 (source ::#0): operation canceled
27-Jul-2022 09:18:59.651 general: info: zone ./IN: refresh: failure trying primary 2001:500:2f::f#53 (source ::#0): operation canceled
27-Jul-2022 09:19:00.151 general: info: zone ./IN: refresh: failure trying primary 2001:500:12::d0d#53 (source ::#0): operation canceled
27-Jul-2022 09:19:00.151 general: info: zone ./IN: refresh: failure trying primary 2001:7fd::1#53 (source ::#0): operation canceled
27-Jul-2022 09:19:00.651 general: info: zone ./IN: refresh: failure trying primary 2620:0:2830:202::132#53 (source ::#0): operation canceled
27-Jul-2022 09:19:00.651 general: info: zone ./IN: refresh: failure trying primary 2620:0:2d0:202::132#53 (source ::#0): operation canceled
```
### What is the current *bug* behavior?
BIND tries to AXFR the root zone over IPv6, although ```named``` is configured to run in IPv4-only-mode.
### What is the expected *correct* behavior?
Not trying to AXFR the mirror zone over IPv6.
### Relevant configuration files
### Relevant logs and/or screenshots
Failure in the log:
```
27-Jul-2022 09:11:18.990 general: info: zone ./IN: refresh: failure trying primary 2001:500:2::c#53 (source ::#0): operation canceled
27-Jul-2022 09:11:18.990 general: info: zone ./IN: refresh: failure trying primary 2001:500:2f::f#53 (source ::#0): operation canceled
27-Jul-2022 09:11:19.490 general: info: zone ./IN: refresh: failure trying primary 2001:500:12::d0d#53 (source ::#0): operation canceled
27-Jul-2022 09:11:19.490 general: info: zone ./IN: refresh: failure trying primary 2001:7fd::1#53 (source ::#0): operation canceled
27-Jul-2022 09:11:19.990 general: info: zone ./IN: refresh: failure trying primary 2620:0:2830:202::132#53 (source ::#0): operation canceled
27-Jul-2022 09:11:19.990 general: info: zone ./IN: refresh: failure trying primary 2620:0:2d0:202::132#53 (source ::#0): operation canceled
```
### Possible fixes

May 2024 (9.18.27, 9.18.27-S1, 9.19.24)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/3457
Update BIND's catalog zones implementation to the latest draft (draft-ietf-dnsop-dns-catalog-zones-09)
2023-03-28T08:52:32Z
Arаm Sаrgsyаn

DNS Catalog Zones internet-draft document has been recently updated to draft version 9 (https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-catalog-zones-09).

Not planned
Arаm Sаrgsyаn

https://gitlab.isc.org/isc-projects/bind9/-/issues/3434
Define grammar for duration (and other elements) in the ARM
2022-07-30T13:31:23Z
Petr Špaček
pspacek@isc.org

The ARM does not define all grammar elements used through the text. I think the most complicated one which is missing is duration (TTL + ISO 8601 styles). ACL is defined in its own chapter so that one is somehow covered.
Terms missing in the ARM at the moment (commit 788aa4b12f0af3dae08c07dc79a6a13d2d768806):
```
$ diff -U0 <(grep --no-filename --only '<[^>]*>' doc/misc/options doc/misc/*.zoneopt | sort -u | tr -d '<>') <(grep '^ ``[^`]*``$' doc/arm/reference.rst | tr -d ' `' | sort -u) | grep '^-'
-address_match_element
-class
-duration
-duration_or_unlimited
-log_severity
-quoted_string
-rrtypelist
-string
-syslog_facility
-unspecified-text
```
Elements used by grammar:
```
$ grep --no-filename --only '<[^>]*>' doc/misc/options doc/misc/*.zoneopt | sort -u | tr -d '<>'
address_match_element
boolean
class
duration
duration_or_unlimited
fixedpoint
integer
ipv4_address
ipv6_address
log_severity
netprefix
percentage
portrange
quoted_string
remote-servers
rrtypelist
server_key
size
sizeval
string
syslog_facility
unspecified-text
```
Terms defined in the ARM (roughly!):
```
$ grep '^ ``[^`]*``$' doc/arm/reference.rst | tr -d ' `' | sort -u
acl_name
address_match_list
any
boolean
domain_name
dscp
fixedpoint
integer
ip_address
ipv4_address
ipv6_address
localhost
localnets
masters
netprefix
none
percentage
port
portrange
remote-servers
server_key
size
sizeval
tls_id
```

https://gitlab.isc.org/isc-projects/bind9/-/issues/3409
CID 353496: Error handling issue in lib/isc/netmgr/netmgr.c
2022-07-07T08:04:26Z
Michal Nowak

Coverity Scan finds suspicious that `isc__nm_process_sock_buffer()`'s return value is not being checked in `lib/isc/netmgr/netmgr.c`, it is elsewhere:
```
lib/isc/netmgr/netmgr.c: isc__nm_process_sock_buffer(sock);
lib/isc/netmgr/tcpdns.c: result = isc__nm_process_sock_buffer(sock);
lib/isc/netmgr/tcpdns.c: result = isc__nm_process_sock_buffer(sock);
lib/isc/netmgr/tcpdns.c: result = isc__nm_process_sock_buffer(csock);
lib/isc/netmgr/tlsdns.c: result = isc__nm_process_sock_buffer(sock);
lib/isc/netmgr/tlsdns.c: result = isc__nm_process_sock_buffer(sock);
lib/isc/netmgr/tlsdns.c: result = isc__nm_process_sock_buffer(sock);
lib/isc/netmgr/tlsdns.c: result = isc__nm_process_sock_buffer(sock);
lib/isc/netmgr/tlsdns.c: result = isc__nm_process_sock_buffer(csock);
```
Related commit b432d5d3bcccf199141564b6a87d2cdac296ed7e.
From `v9_18`:
```
*** CID 353496: Error handling issues (CHECKED_RETURN)
/lib/isc/netmgr/netmgr.c: 2364 in isc__nm_resume_processing()
2358 REQUIRE(!atomic_load(&sock->client));
2359
2360 if (isc__nmsocket_closing(sock)) {
2361 return;
2362 }
2363
>>> CID 353496: Error handling issues (CHECKED_RETURN)
>>> Calling "isc__nm_process_sock_buffer" without checking return value (as is done elsewhere 8 out of 9 times).
2364 isc__nm_process_sock_buffer(sock);
2365 }
2366
2367 void
2368 isc_nmhandle_cleartimeout(isc_nmhandle_t *handle) {
2369 REQUIRE(VALID_NMHANDLE(handle));
```

Not planned
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/3390
Building unit tests separately has been broken
2022-07-07T07:58:09Z
Artem Boldariev

It seems that recent unit tests refactoring broke ability to build unit tests separately.
For example:
```
$ pwd
<project root>/tests/isc
$ make doh_test
No rule to make target '../../tests/libtest/libtest.la'
```
The issue makes it harder to debug errors in the code which these tests are supposed to verify.

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3384
Various coverity issues in contrib/ (CID 352903-352921)
2022-05-31T14:44:39Z
Michal Nowak

When isc-projects/bind9#3310 is resolved Coverity Scan will identify the following issues in `contrib/` sources.
I run Coverity Scan in my private `bind-mnowak` project over the `3310-build-contrib-in-ci` branch in advance, should anyone care of these inherently ~Low issues.
```
** CID 352921: (USE_AFTER_FREE)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 464 in build_query()
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 464 in build_query()
________________________________________________________________________________________________________
*** CID 352921: (USE_AFTER_FREE)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 464 in build_query()
458 }
459 }
460
461 fail:
462 va_end(ap1);
463
>>> CID 352921: (USE_AFTER_FREE)
>>> Using freed pointer "arglist.head".
464 while ((item = DLZ_LIST_HEAD(arglist)) != NULL) {
465 if (item->arg != NULL) {
466 free(item->arg);
467 }
468 free(item);
469 }
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 464 in build_query()
458 }
459 }
460
461 fail:
462 va_end(ap1);
463
>>> CID 352921: (USE_AFTER_FREE)
>>> Using freed pointer "arglist.head".
464 while ((item = DLZ_LIST_HEAD(arglist)) != NULL) {
465 if (item->arg != NULL) {
466 free(item->arg);
467 }
468 free(item);
469 }
** CID 352919: Integer handling issues (NO_EFFECT)
/contrib/dlz/modules/perl/dlz_perl_callback_clientinfo.c: 268 in boot_DLZ_Perl__clientinfo()
________________________________________________________________________________________________________
*** CID 352919: Integer handling issues (NO_EFFECT)
/contrib/dlz/modules/perl/dlz_perl_callback_clientinfo.c: 268 in boot_DLZ_Perl__clientinfo()
262 XS_EXTERNAL(boot_DLZ_Perl__clientinfo); /* prototype to pass -Wmissing-prototypes */
263 XS_EXTERNAL(boot_DLZ_Perl__clientinfo)
264 {
265 #if PERL_VERSION_LE(5, 21, 5)
266 dVAR; dXSARGS;
267 #else
>>> CID 352919: Integer handling issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "0UL > 255UL".
268 dVAR; dXSBOOTARGSXSAPIVERCHK;
269 #endif
270 #if (PERL_REVISION == 5 && PERL_VERSION < 9)
271 char* file = __FILE__;
272 #else
273 const char* file = __FILE__;
** CID 352918: (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1546 in dlz_closeversion()
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1546 in dlz_closeversion()
________________________________________________________________________________________________________
*** CID 352918: (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1546 in dlz_closeversion()
1540 }
1541 }
1542
1543 /*
1544 * Unlock the mutex for this txn
1545 */
>>> CID 352918: (LOCK)
>>> "pthread_mutex_unlock" unlocks "txn->dbi->mutex" while it is unlocked.
1546 dlz_mutex_unlock(&txn->dbi->mutex);
1547
1548 /*
1549 * Free up other structures
1550 */
1551 free(txn->zone);
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1499 in dlz_closeversion()
1493 mysql_free_result(res);
1494 }
1495
1496 /*
1497 * Commit the transaction to the database
1498 */
>>> CID 352918: (LOCK)
>>> "db_execute" unlocks "txn->dbi->mutex" while it is unlocked.
1499 result = db_execute(state, txn->dbi, "COMMIT");
1500 if (result != ISC_R_SUCCESS && state->log != NULL) {
1501 state->log(ISC_LOG_INFO,
1502 "%s: (%x) commit transaction on zone %s",
1503 modname, txn, zone);
1504 return;
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1546 in dlz_closeversion()
1540 }
1541 }
1542
1543 /*
1544 * Unlock the mutex for this txn
1545 */
>>> CID 352918: (LOCK)
>>> "pthread_mutex_unlock" unlocks "txn->dbi->mutex" while it is unlocked.
1546 dlz_mutex_unlock(&txn->dbi->mutex);
1547
1548 /*
1549 * Free up other structures
1550 */
1551 free(txn->zone);
** CID 352917: API usage errors (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 655 in db_query()
________________________________________________________________________________________________________
*** CID 352917: API usage errors (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 655 in db_query()
649 state->log(ISC_LOG_INFO, "%s: query(%d) returned %d rows",
650 modname, dbi->id, mysql_num_rows(res));
651 }
652
653 fail:
654 if (dbi != NULL && localdbi) {
>>> CID 352917: API usage errors (LOCK)
>>> "pthread_mutex_unlock" unlocks "dbi->mutex" while it is unlocked.
655 dlz_mutex_unlock(&dbi->mutex);
656 }
657 return (res);
658 }
659
660 /*
** CID 352916: (STRING_OVERFLOW)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 901 in makerecord()
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 902 in makerecord()
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 900 in makerecord()
________________________________________________________________________________________________________
*** CID 352916: (STRING_OVERFLOW)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 901 in makerecord()
895 data = strtok_r(NULL, "\t", &saveptr);
896 if (data == NULL) {
897 goto error;
898 }
899
900 strcpy(new_record->name, name);
>>> CID 352916: (STRING_OVERFLOW)
>>> You might overrun the 10-character fixed-size string "new_record->type" by copying "type" without checking the length.
901 strcpy(new_record->type, type);
902 strcpy(new_record->data, data);
903 sprintf(new_record->ttl, "%d", ttlvalue);
904
905 free(buf);
906 return (new_record);
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 902 in makerecord()
896 if (data == NULL) {
897 goto error;
898 }
899
900 strcpy(new_record->name, name);
901 strcpy(new_record->type, type);
>>> CID 352916: (STRING_OVERFLOW)
>>> You might overrun the 200-character fixed-size string "new_record->data" by copying "data" without checking the length.
902 strcpy(new_record->data, data);
903 sprintf(new_record->ttl, "%d", ttlvalue);
904
905 free(buf);
906 return (new_record);
907
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 900 in makerecord()
894
895 data = strtok_r(NULL, "\t", &saveptr);
896 if (data == NULL) {
897 goto error;
898 }
899
>>> CID 352916: (STRING_OVERFLOW)
>>> You might overrun the 100-character fixed-size string "new_record->name" by copying "name" without checking the length.
900 strcpy(new_record->name, name);
901 strcpy(new_record->type, type);
902 strcpy(new_record->data, data);
903 sprintf(new_record->ttl, "%d", ttlvalue);
904
905 free(buf);
** CID 352915: Security best practices violations (DC.WEAK_CRYPTO)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 686 in make_notify()
________________________________________________________________________________________________________
*** CID 352915: Security best practices violations (DC.WEAK_CRYPTO)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 686 in make_notify()
680 }
681
682 *packetlen = strlen(zone) + 18;
683 memset(packet, 0, *packetlen);
684
685 /* Random query ID */
>>> CID 352915: Security best practices violations (DC.WEAK_CRYPTO)
>>> "rand" should not be used for security-related applications, because linear congruential algorithms are too easy to break.
686 i = rand();
687 packet[0] = htons(i) & 0xff;
688 packet[1] = htons(i) >> 8;
689
690 /* Flags (OpCode '4' in bits 14-11), Auth Answer set in bit 10 */
691 i = 0x2400;
** CID 352914: Null pointer dereferences (FORWARD_NULL)
/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c: 414 in sqlite3_get_resultset()
________________________________________________________________________________________________________
*** CID 352914: Null pointer dereferences (FORWARD_NULL)
/contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c: 414 in sqlite3_get_resultset()
408
409 if (rsp != NULL) {
410 *rsp = rs;
411 }
412
413 cleanup:
>>> CID 352914: Null pointer dereferences (FORWARD_NULL)
>>> Dereferencing null pointer "dbi".
414 if (dbi->zone != NULL) {
415 free(dbi->zone);
416 dbi->zone = NULL;
417 }
418 if (dbi->record != NULL) {
419 free(dbi->record);
** CID 352913: Integer handling issues (NO_EFFECT)
/contrib/dlz/modules/perl/dlz_perl_callback.c: 317 in boot_DLZ_Perl()
________________________________________________________________________________________________________
*** CID 352913: Integer handling issues (NO_EFFECT)
/contrib/dlz/modules/perl/dlz_perl_callback.c: 317 in boot_DLZ_Perl()
311 XS_EXTERNAL(boot_DLZ_Perl); /* prototype to pass -Wmissing-prototypes */
312 XS_EXTERNAL(boot_DLZ_Perl)
313 {
314 #if PERL_VERSION_LE(5, 21, 5)
315 dVAR; dXSARGS;
316 #else
>>> CID 352913: Integer handling issues (NO_EFFECT)
>>> This less-than-zero comparison of an unsigned value is never true. "0UL > 255UL".
317 dVAR; dXSBOOTARGSXSAPIVERCHK;
318 #endif
319 #if (PERL_REVISION == 5 && PERL_VERSION < 9)
320 char* file = __FILE__;
321 #else
322 const char* file = __FILE__;
** CID 352912: API usage errors (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 480 in build_query()
________________________________________________________________________________________________________
*** CID 352912: API usage errors (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 480 in build_query()
474 }
475 if (querystr != NULL) {
476 free(querystr);
477 }
478
479 if (dbi != NULL && localdbi) {
>>> CID 352912: API usage errors (LOCK)
>>> "pthread_mutex_unlock" unlocks "dbi->mutex" while it is unlocked.
480 dlz_mutex_unlock(&dbi->mutex);
481 }
482
483 return (query);
484 }
485
** CID 352911: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 739 in send_notify()
________________________________________________________________________________________________________
*** CID 352911: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 739 in send_notify()
733 addr->sin_port = htons(53);
734
735 if ((s = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
736 return;
737 }
738
>>> CID 352911: Error handling issues (CHECKED_RETURN)
>>> Calling "sendto(s, p, plen, 0, (struct sockaddr *)addr, 16U)" without checking return value. This library function may fail and return an error code.
739 sendto(s, p, plen, 0, (struct sockaddr *)addr, sizeof(*addr));
740 close(s);
741 return;
742 }
743
744 /*
** CID 352910: Memory - illegal accesses (UNINIT)
/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c: 272 in dlz_allowzonexfr()
________________________________________________________________________________________________________
*** CID 352910: Memory - illegal accesses (UNINIT)
/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c: 272 in dlz_allowzonexfr()
266 /* free any memory duplicate string in the key field */
267 if (key.data != NULL) {
268 free(key.data);
269 }
270
271 /* free any memory allocated to the data field. */
>>> CID 352910: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "data.data".
272 if (data.data != NULL) {
273 free(data.data);
274 }
275
276 return (result);
277 }
** CID 352909: (RESOURCE_LEAK)
/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c: 727 in dlz_create()
/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c: 687 in dlz_create()
________________________________________________________________________________________________________
*** CID 352909: (RESOURCE_LEAK)
/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c: 727 in dlz_create()
721 default:
722 db->log(ISC_LOG_ERROR,
723 "bdbhpt_dynamic: "
724 "operating mode must be set to P or C or T. "
725 "You specified '%s'",
726 argv[1]);
>>> CID 352909: (RESOURCE_LEAK)
>>> Variable "db" going out of scope leaks the storage it points to.
727 return (ISC_R_FAILURE);
728 }
729
730 /*
731 * create bdbhpt environment
732 * Basically bdbhpt allocates and assigns memory to db->dbenv
/contrib/dlz/modules/bdbhpt/dlz_bdbhpt_dynamic.c: 687 in dlz_create()
681 /* verify we have 4 arg's passed to the driver */
682 if (argc != 4) {
683 db->log(ISC_LOG_ERROR,
684 "bdbhpt_dynamic: please supply 3 command line args. "
685 "You supplied: %s",
686 argc);
>>> CID 352909: (RESOURCE_LEAK)
>>> Variable "db" going out of scope leaks the storage it points to.
687 return (ISC_R_FAILURE);
688 }
689
690 switch ((char)*argv[1]) {
691 /*
692 * Transactional mode. Highest safety - lowest speed.
** CID 352908: API usage errors (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1043 in dlz_create()
________________________________________________________________________________________________________
*** CID 352908: API usage errors (LOCK)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1043 in dlz_create()
1037 }
1038
1039 free(state->db_name);
1040 free(state->db_host);
1041 free(state->db_user);
1042 free(state->db_pass);
>>> CID 352908: API usage errors (LOCK)
>>> "pthread_mutex_destroy" destroys "state->tx_mutex" while it is locked.
1043 dlz_mutex_destroy(&state->tx_mutex);
1044 free(state);
1045 return (ISC_R_FAILURE);
1046 }
1047
1048 /*
** CID 352907: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1023 in dlz_create()
________________________________________________________________________________________________________
*** CID 352907: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1023 in dlz_create()
1017 /*
1018 * Populate DB instances
1019 */
1020 if (mysql_thread_safe()) {
1021 for (n = 0; n < MAX_DBI; n++) {
1022 dlz_mutex_init(&state->db[n].mutex, NULL);
>>> CID 352907: Error handling issues (CHECKED_RETURN)
>>> Calling "pthread_mutex_lock" without checking return value (as is done elsewhere 24 out of 29 times).
1023 dlz_mutex_lock(&state->db[n].mutex);
1024 state->db[n].id = n;
1025 state->db[n].connected = 0;
1026 state->db[n].sock = mysql_init(NULL);
1027 mysql_options(state->db[n].sock,
1028 MYSQL_READ_DEFAULT_GROUP, modname);
** CID 352906: Memory - illegal accesses (UNINIT)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 464 in build_query()
________________________________________________________________________________________________________
*** CID 352906: Memory - illegal accesses (UNINIT)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 464 in build_query()
458 }
459 }
460
461 fail:
462 va_end(ap1);
463
>>> CID 352906: Memory - illegal accesses (UNINIT)
>>> Using uninitialized value "arglist.head".
464 while ((item = DLZ_LIST_HEAD(arglist))) {
465 item = DLZ_LIST_NEXT(item, link);
466 if (item->arg != NULL) {
467 free(item->arg);
468 }
469 free(item);
** CID 352905: Incorrect expression (COPY_PASTE_ERROR)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1419 in dlz_newversion()
________________________________________________________________________________________________________
*** CID 352905: Incorrect expression (COPY_PASTE_ERROR)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1419 in dlz_newversion()
1413 } else {
1414 dlz_mutex_unlock(&state->tx_mutex);
1415 if (newtx != NULL) {
1416 if (newtx->zone != NULL) {
1417 free(newtx->zone);
1418 }
>>> CID 352905: Incorrect expression (COPY_PASTE_ERROR)
>>> "zone" in "newtx->zone" looks like a copy-paste error.
1419 if (newtx->zone != NULL) {
1420 free(newtx->zone_id);
1421 }
1422 free(newtx);
1423 }
1424 }
** CID 352904: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 567 in validate_txn()
________________________________________________________________________________________________________
*** CID 352904: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 567 in validate_txn()
561
562 static isc_result_t
563 validate_txn(mysql_data_t *state, mysql_transaction_t *txn) {
564 isc_result_t result = ISC_R_FAILURE;
565 mysql_transaction_t *txp;
566
>>> CID 352904: Error handling issues (CHECKED_RETURN)
>>> Calling "pthread_mutex_lock" without checking return value (as is done elsewhere 24 out of 29 times).
567 dlz_mutex_lock(&state->tx_mutex);
568 for (txp = state->transactions; txp != NULL; txp = txp->next) {
569 if (txn == txp) {
570 result = ISC_R_SUCCESS;
571 break;
572 }
** CID 352903: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1445 in dlz_closeversion()
________________________________________________________________________________________________________
*** CID 352903: Error handling issues (CHECKED_RETURN)
/contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c: 1445 in dlz_closeversion()
1439 MYSQL_RES *res;
1440 MYSQL_ROW row;
1441
1442 /*
1443 * Find the transaction
1444 */
>>> CID 352903: Error handling issues (CHECKED_RETURN)
>>> Calling "pthread_mutex_lock" without checking return value (as is done elsewhere 24 out of 29 times).
1445 dlz_mutex_lock(&state->tx_mutex);
1446 if (state->transactions == txn) {
1447 /* Tx is first in list; remove it. */
1448 state->transactions = txn->next;
1449 } else {
1450 txp = state->transactions;
```
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3340
rpz QNAME rewrite a3-8.tld2 stop on unrecognized qresult in rpz_rewrite() failed
2022-05-09T20:50:45Z
Michal Nowak

`rpz:checking crashes` system test [failed](https://gitlab.isc.org/isc-private/bind9/-/jobs/2501631) with:
```
I:rpz:checking crashes (9)
I:rpz:performance not checked; queryperf not available
I:rpz:error messages in ns6/named.run starting with:
I:rpz:ns6/named.run:09-May-2022 16:15:13.528 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): rpz QNAME rewrite a3-8.tld2 stop on unrecognized qresult in rpz_rewrite() failed: operation canceled
```
<details><summary>ns6/named.run</summary>
```
09-May-2022 16:15:01.526 clientmgr @0x8024c8000 attach: 3
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(<unknown-query>): query_reset
09-May-2022 16:15:01.526 client @0x802559160 (no-peer): allocate new client
09-May-2022 16:15:01.526 client @0x802559160 10.53.0.6#43512: TCP request
09-May-2022 16:15:01.526 client @0x802559160 10.53.0.6#43512: using view '_default'
09-May-2022 16:15:01.526 client @0x802559160 10.53.0.6#43512: request is not signed
09-May-2022 16:15:01.526 client @0x802559160 10.53.0.6#43512: recursion available
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(<unknown-query>): ns_query_start
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): qctx_init
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): client attr:0x2103, query attr:0x303, restarts:0, origqname:a3-8.tld2, timer:0, authdb:0, referral:0
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): ns__query_start
09-May-2022 16:15:01.526 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): query (cache) 'a3-8.tld2/ANY/IN' approved
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_lookup
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_gotanswer
09-May-2022 16:15:01.526 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): rrl=0x0, HAVECOOKIE=0, result=DNS_R_DELEGATION, fname=0x8024ead80(1), is_zone=0, RECURSIONOK=1, query.rpz_st=0x0(0), RRL_CHECKED=0
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_checkrpz
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): rpz_rewrite
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): rpz_ck_dnssec
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_delegation
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_delegation_recurse
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): ns_query_recurse
09-May-2022 16:15:01.526 fetch: a3-8.tld2/ANY
09-May-2022 16:15:01.526 res 0x8024e40c0: attach
09-May-2022 16:15:01.526 res 0x8024e40c0: attach
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): create
09-May-2022 16:15:01.526 log_ns_ttl: fctx 0x8038d7c00: fctx_create: a3-8.tld2 (in 'tld2'?): 1 116
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): join
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): addevent
09-May-2022 16:15:01.526 fetch 0x802c1c080 (fctx 0x8038d7c00(a3-8.tld2/ANY)): created
09-May-2022 16:15:01.526 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): ns_query_done
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): start
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): try fctx->qc=0
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): cancelqueries
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): getaddresses fctx->depth=0
09-May-2022 16:15:01.526 findaddrinfo: found entry 0x8024e4700
09-May-2022 16:15:01.526 fctx 0x8038d7c00(a3-8.tld2/ANY): query
09-May-2022 16:15:01.526 dispatch 0x802530c00: UDP connected (0x802c01200): success
09-May-2022 16:15:01.526 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): connected
09-May-2022 16:15:01.526 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): send
09-May-2022 16:15:01.526 sending packet to 10.53.0.3#31859
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32311
;; flags: rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e0ad29ea0481b9c30100000062793e05e7d24a8fef7243b5
;; QUESTION SECTION:
;a3-8.tld2. IN ANY
09-May-2022 16:15:01.526 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): sent
09-May-2022 16:15:01.526 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): senddone
09-May-2022 16:15:02.728 dispatch 0x802530c00: UDP response 0x802c01200:timed out:requests 1
09-May-2022 16:15:02.728 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): response
09-May-2022 16:15:02.728 fctx 0x8038d7c00(a3-8.tld2/ANY): timeout
09-May-2022 16:15:02.728 fctx 0x8038d7c00(a3-8.tld2/ANY): query timed out; no response
09-May-2022 16:15:02.728 fctx 0x8038d7c00(a3-8.tld2/ANY): [result: timed out] query canceled in rctx_done(); no response
09-May-2022 16:15:02.728 fctx 0x8038d7c00(a3-8.tld2/ANY): cancelquery
09-May-2022 16:15:02.728 dispatch 0x802530c00: detach: refcount 2
09-May-2022 16:15:02.728 fctx 0x8038d7c00(a3-8.tld2/ANY): resend
09-May-2022 16:15:02.728 fctx 0x8038d7c00(a3-8.tld2/ANY): query
09-May-2022 16:15:02.728 fctx 0x8038d7c00(a3-8.tld2/ANY): timed out
09-May-2022 16:15:02.728 dispatch 0x802530c00: detach: refcount 1
09-May-2022 16:15:02.728 dispatch 0x80252f000: UDP connected (0x802c01400): success
09-May-2022 16:15:02.728 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): connected
09-May-2022 16:15:02.728 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): send
09-May-2022 16:15:02.728 sending packet to 10.53.0.3#31859
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3478
;; flags: rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1084
; COOKIE: e0ad29ea0481b9c30100000062793e05e7d24a8fef7243b5
;; QUESTION SECTION:
;a3-8.tld2. IN ANY
09-May-2022 16:15:02.728 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): sent
09-May-2022 16:15:02.728 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): senddone
09-May-2022 16:15:03.938 dispatch 0x80252f000: UDP response 0x802c01400:timed out:requests 1
09-May-2022 16:15:03.938 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): response
09-May-2022 16:15:03.938 fctx 0x8038d7c00(a3-8.tld2/ANY): timeout
09-May-2022 16:15:03.938 fctx 0x8038d7c00(a3-8.tld2/ANY): query timed out; no response
09-May-2022 16:15:03.938 fctx 0x8038d7c00(a3-8.tld2/ANY): [result: timed out] query canceled in rctx_done(); no response
09-May-2022 16:15:03.938 fctx 0x8038d7c00(a3-8.tld2/ANY): cancelquery
09-May-2022 16:15:03.938 dispatch 0x80252f000: detach: refcount 3
09-May-2022 16:15:03.938 fctx 0x8038d7c00(a3-8.tld2/ANY): resend
09-May-2022 16:15:03.938 fctx 0x8038d7c00(a3-8.tld2/ANY): query
09-May-2022 16:15:03.938 fctx 0x8038d7c00(a3-8.tld2/ANY): timed out
09-May-2022 16:15:03.938 dispatch 0x80252f000: detach: refcount 2
09-May-2022 16:15:03.938 dispatch 0x80252f380: UDP connected (0x802c01200): success
09-May-2022 16:15:03.938 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): connected
09-May-2022 16:15:03.938 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): send
09-May-2022 16:15:03.938 sending packet to 10.53.0.3#31859
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53246
;; flags: rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e0ad29ea0481b9c30100000062793e05e7d24a8fef7243b5
;; QUESTION SECTION:
;a3-8.tld2. IN ANY
09-May-2022 16:15:03.938 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): sent
09-May-2022 16:15:03.938 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): senddone
09-May-2022 16:15:05.149 dispatch 0x80252f380: UDP response 0x802c01200:timed out:requests 1
09-May-2022 16:15:05.149 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): response
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): timeout
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): query timed out; no response
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): [result: timed out] query canceled in rctx_done(); no response
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): cancelquery
09-May-2022 16:15:05.149 dispatch 0x80252f380: detach: refcount 2
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): resend
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): query
09-May-2022 16:15:05.149 dispatchmgr 0x801c35850: dns_dispatch_createtcp: created TCP dispatch 0x802ca0540
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): connecting via TCP
09-May-2022 16:15:05.149 fctx 0x8038d7c00(a3-8.tld2/ANY): timed out
09-May-2022 16:15:05.149 dispatch 0x80252f380: detach: refcount 1
09-May-2022 16:15:05.149 dispatch 0x802ca0540: TCP connected (0x802ca0540): success
09-May-2022 16:15:05.149 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): connected
09-May-2022 16:15:05.149 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): send
09-May-2022 16:15:05.149 sending packet to 10.53.0.3#31859
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 561
;; flags: rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: e0ad29ea0481b9c30100000062793e05e7d24a8fef7243b5
;; QUESTION SECTION:
;a3-8.tld2. IN ANY
09-May-2022 16:15:05.149 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): sent
09-May-2022 16:15:05.149 dispatch 0x802ca0540: detach: refcount 3
09-May-2022 16:15:05.149 resquery 0x80281ec00 (fctx 0x8038d7c00(a3-8.tld2/ANY)): senddone
09-May-2022 16:15:06.967 allocate new control connection
09-May-2022 16:15:06.968 received control channel command 'stats'
09-May-2022 16:15:06.968 dumpstats complete
09-May-2022 16:15:06.968 freeing control connection
09-May-2022 16:15:13.527 shut down hung fetch while resolving 'a3-8.tld2/ANY'
09-May-2022 16:15:13.527 fctx 0x8038d7c00(a3-8.tld2/ANY): shutdown
09-May-2022 16:15:13.527 fctx 0x8038d7c00(a3-8.tld2/ANY): posting control event
09-May-2022 16:15:13.527 fctx 0x8038d7c00(a3-8.tld2/ANY): doshutdown
09-May-2022 16:15:13.527 fctx 0x8038d7c00(a3-8.tld2/ANY): cancelqueries
09-May-2022 16:15:13.527 fctx 0x8038d7c00(a3-8.tld2/ANY): cancelquery
09-May-2022 16:15:13.527 dispatch 0x802ca0540: detach: refcount 2
09-May-2022 16:15:13.528 dispatch 0x802ca0540: detach: refcount 1
09-May-2022 16:15:13.528 fctx 0x8038d7c00(a3-8.tld2/ANY): sendevents
09-May-2022 16:15:13.528 fctx 0x8038d7c00(a3-8.tld2/ANY): event
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): fetch_callback
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): qctx_init
09-May-2022 16:15:13.528 dispatch 0x802ca0540: TCP read:end of file:requests 0, buffers 0
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): client attr:0x2103, query attr:0x3303, restarts:0, origqname:a3-8.tld2, timer:0, authdb:1, referral:0
09-May-2022 16:15:13.528 dispatch 0x802ca0540: shutting down TCP: 10.53.0.3#31859: end of file
09-May-2022 16:15:13.528 dispatch 0x802ca0540: detach: refcount 0
09-May-2022 16:15:13.528 dispatch 0x802ca0540: shutting down; detaching from handle 0x802492c80
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_resume
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): resume from normal recursion
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_gotanswer
09-May-2022 16:15:13.528 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): rrl=0x0, HAVECOOKIE=0, result=ISC_R_CANCELED, fname=0x8024ead80(0), is_zone=0, RECURSIONOK=1, query.rpz_st=0x802503800(0), RRL_CHECKED=0
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_checkrpz
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): rpz_rewrite
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): rpz_ck_dnssec
09-May-2022 16:15:13.528 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): rpz QNAME rewrite a3-8.tld2 stop on unrecognized qresult in rpz_rewrite() failed: operation canceled
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_gotanswer: unexpected error: operation canceled
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): free_devent
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): ns_query_done
09-May-2022 16:15:13.528 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): query failed (operation canceled) for a3-8.tld2/IN/ANY at query.c:7715
09-May-2022 16:15:13.528 fetch completed at resolver.c:4523 for a3-8.tld2/ANY in 12.001602: operation canceled/success [domain:tld2,referral:0,restart:1,qrysent:4,timeout:3,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
09-May-2022 16:15:13.528 fetch 0x802c1c080 (fctx 0x8038d7c00(a3-8.tld2/ANY)): destroyfetch
09-May-2022 16:15:13.528 fctx 0x8038d7c00(a3-8.tld2/ANY): destroy
09-May-2022 16:15:13.528 res 0x8024e40c0: detach
09-May-2022 16:15:13.528 res 0x8024e40c0: detach
09-May-2022 16:15:13.528 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): send failed: operation canceled
09-May-2022 16:15:13.528 client @0x802559160 10.53.0.6#43512 (a3-8.tld2): reset client
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(a3-8.tld2/ANY): query_reset
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(<unknown-query>): rpz_st_clear
09-May-2022 16:15:13.528 client @0x802559160 10.53.0.6#43512: freeing client
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(<unknown-query>): query_reset
09-May-2022 16:15:13.528 query client=0x802559160 thread=0x801c13400(<unknown-query>): rpz_st_clear
09-May-2022 16:15:13.528 clientmgr @0x8024c8000 detach: 2
```
</details>
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3338
zero system test fails often
2022-10-05T08:30:56Z
Michal Nowak

The `zero:check lookups against TTL=0 records` system test [fails](https://gitlab.isc.org/isc-private/bind9/-/jobs/2500945) fairly often on `main` and `v9_18` in the CI (though I was unable to reproduce it locally):
```
I:zero:check lookups against TTL=0 records (1)
I:zero:failed
```
Looking at the code there are two possibilities to fail the test code:
1. Either of six `dig -f query.list` instances fails to finish in 69 seconds (`timeout=$(($(wc -l < query.list) / 5))`), or
2. `status: SERVFAIL` is identified in `dig` stdout logs (`dig.out$i.[1-6].test$n`).
Looking at `dig.out$i.[1-6].test$n` logs I am certain that they don't contain `status: SERVFAIL` for any query from the `query.list` file. Perhaps one of six `dig -f query.list` instances is stuck, waiting for being collected by `kill -TERM "$pid1" ...` and `wait "$pid1" || ret=1`?
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3329
ADB uses recursion when auth zone is not ready
2022-06-02T11:21:16Z
Cathy Almond

As reported in [Support ticket #20672](https://support.isc.org/Ticket/Display.html?id=20672)
The bug was originally found in 9.11, but still exists in 9.16.
Quoting the reporter (almost) verbatim:
We found a bug where when a locally configured authoritative zone was
not ready, ADB would try to resolve NS addresses whose names were under
such zones using the resolver and cache results (e.g., NXDOMAIN) within
the ADB cache. Whereas it should not, and it should fail such lookups
until the local zone database is ready.
This behavior of ADB was implemented differently from the query path.
The bug was readily reproducible by the customer who was using a custom
dns_db database implementation.
This caused resolution failures for up to NCACHE TTL (e.g.,
min(SOA.minimum TTL, SOA TTL)) in our customer's case (15 minutes).
in "our distribution (redacted)" with a unittest (similar to
ISC BIND system test) to reproduce it, but I am unable to share the
testcase code right now. The testcase is anyway reliant on the rest of
"our distribution (redacted)" test framework, so I don't know how useful it would
be to ISC. BUT, the testcase used database type "rbt" as in ISC BIND.
An extract of patch we used to fix it, which may be helpful to
understand the problem:
```
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index ea93fef..bdd514c 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -3177,6 +3177,25 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
if (!NAME_FETCH_V4(adbname)) {
wanted_fetches |= DNS_ADBFIND_INET;
}
+
+ /*
+ * If a dbfind_name() resulted in DNS_R_NOTLOADED, it
+ * would have happened because a zone database was not
+ * yet loaded (e.g., during named startup). In this
+ * case, don't attempt any fetches to avoid caching any
+ * results from recursion that may return undesired data
+ * vs. what is in the local zones.
+ *
+ * This may cause short-lived failures, but it is better
+ * than long-term failures, e.g., due to NXDOMAIN
+ * answers from upstream forwarders when looking up the
+ * addresses of nameservers because they don't exist
+ * outside local zones, that are cached for multiple
+ * minutes and cause SERVFAIL to downstream clients
+ * until their NCACHE TTL expire.
+ */
+ if (ISC_UNLIKELY(result == DNS_R_NOTLOADED))
+ find->options |= DNS_ADBFIND_NOFETCH;
}
v6:
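Review bot: The new `if (ISC_UNLIKELY(result == DNS_R_NOTLOADED))` at the end of the IPv4 block sets DNS_ADBFIND_NOFETCH on find->options after `wanted_fetches |= DNS_ADBFIND_INET` may already have run just above it, so whether the fetch is really skipped depends on the code after the `fetch:` label honouring find->options and not wanted_fetches alone. That code is outside the hunk and should be checked, or wanted_fetches should be left untouched when the result is DNS_R_NOTLOADED. The single-statement `if` also has no braces, unlike the `if (result == DNS_R_NOTLOADED) {` added to view.c in the same patch.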
@@ -3213,6 +3232,12 @@ v6:
if (!NAME_FETCH_V6(adbname)) {
wanted_fetches |= DNS_ADBFIND_INET6;
}
+
+ /*
+ * See similar comment in IPv4 case above.
+ */
+ if (ISC_UNLIKELY(result == DNS_R_NOTLOADED))
+ find->options |= DNS_ADBFIND_NOFETCH;
}
fetch:
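Review bot: The IPv6 block repeats the IPv4 check verbatim and documents it only by pointing at the other comment, so the two copies can drift apart. Both set the same flag on find->options, so consider a small helper or a single check placed where both lookup results are known. Also confirm that `result` at this point holds the outcome of the IPv6 lookup and not a stale value from the IPv4 path, which the hunk does not show.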
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 4a8f9af..c0e7f80 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -1091,6 +1091,9 @@ dns_view_find(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
}
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
result = dns_zone_getdb(zone, &db);
+ if (result == DNS_R_NOTLOADED) {
+ goto cleanup;
+ }
if (result != ISC_R_SUCCESS && view->cachedb != NULL) {
dns_db_attach(view->cachedb, &db);
} else if (result != ISC_R_SUCCESS) {
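Review bot: The early `goto cleanup` on DNS_R_NOTLOADED is added without a comment, while the adb.c hunks explain the same condition at length. A one-line comment saying that an unloaded zone must not fall through to the cache would make the intent clear, because the very next line, `if (result != ISC_R_SUCCESS && view->cachedb != NULL)`, is the fallback being bypassed. It is also worth checking that the `cleanup` path returns DNS_R_NOTLOADED unchanged, since the adb.c hunks test `result` for exactly that value.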
```
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3324
clean up fctx_minimize_qname
2022-06-02T11:15:31Z
Mark Andrews

There are redundant variables and multiple initialisations of the same variable when constructing the next qminname.
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3323
BIND 9.16.23-S1 different RPZ SOA TTL
2022-06-02T11:21:23Z
Greg Choules

Reported to us in [Support ticket #20670](https://support.isc.org/Ticket/Display.html?id=20670)
An RPZ response's SOA record TTL is set to 1 instead of the SOA TTL, due to what seems to be incorrectly modified code (from the difference in types). A bool value is passed to **query_addsoa()** in an argument that expects unsigned int.
The diff below is from the BIND 9.16.23-S1 tree:
```
9.16.23-S1 (main)]$ git diff
diff --git a/lib/ns/query.c b/lib/ns/query.c
index ca1ffe4..f9e0f2b 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -7454,9 +7454,7 @@ query_checkrpz(query_ctx_t *qctx, isc_result_t result) {
* Add SOA record to additional section
*/
if (qctx->rpz_st->m.rpz->addsoa) {
- bool override_ttl =
- dns_rdataset_isassociated(qctx->rdataset);
- rresult = query_addsoa(qctx, override_ttl,
+ rresult = query_addsoa(qctx, UINT32_MAX,
DNS_SECTION_ADDITIONAL);
if (rresult != ISC_R_SUCCESS) {
QUERY_ERROR(qctx, result);
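Review bot: Passing the bare `UINT32_MAX` to `query_addsoa()` leaves the reader to guess what the value stands for in that argument; a short comment or a named constant at the call would say so. The removed lines computed `override_ttl` from `dns_rdataset_isassociated(qctx->rdataset)`, so the call no longer varies with whether the rdataset is associated, and the change should state that dropping that distinction is intended.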
```
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3322
BIND 9.16 startup crash (with two views with the same name but different classes)
2023-06-05T14:26:41Z
Cathy Almond

Reported to us in [Support ticket #20669](https://support.isc.org/Ticket/Display.html?id=20669)
As explained by the reporter (and testing against 9.16.23-S1, but likely affecting all current versions of BIND):
named crashes at startup with a config file such as this:
```
view "test" in {
recursion no;
notify no;
};
view "test" chaos {
recursion no;
notify no;
};
```
The root cause appears to be due to the managed-keys KEYDATA zone file's
filename containing only the view's name and not the view's class.
Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3308
CI job timeout while system tests were running
2023-03-17T08:47:32Z
Michal Nowak

The CI job [2471391](https://gitlab.isc.org/isc-projects/bind9/-/jobs/2471391) reached a CI job timeout while four system tests were running.
It's like isc-projects/bind9#3272 but the failed CI job did not happen in an ASAN/TSAN environment but on OpenBSD and the `shutdown` system pytest actually passed.
```
$ curl -sSL https://gitlab.isc.org/isc-projects/bind9/-/jobs/2471391/raw | grep '^[SR]:' | cut -d: -f2 | sort | uniq -c | awk '$1 != "2" { print }'
1 forward
1 geoip2
1 inline
1 kasp
```
The job started at 6:07, last system test time stamp is from 6:15:53:
```
$ curl -sSL https://gitlab.isc.org/isc-projects/bind9/-/jobs/2471391/raw | grep -P '^(S|E):.*:'
S:logfileconfig:2022-04-27T06:08:03+0000
S:keymgr:2022-04-27T06:08:03+0000
S:coverage:2022-04-27T06:08:03+0000
S:cookie:2022-04-27T06:08:03+0000
...
E:ixfr:2022-04-27T06:15:53+0000
S:forward:2022-04-27T06:15:53+0000
```
```
S:forward:2022-04-27T06:15:53+0000
T:forward:1:A
A:forward:System test forward
I:forward:PORTRANGE:8200 - 8299
I:forward:starting servers
```
```
S:geoip2:2022-04-27T06:15:45+0000
T:geoip2:1:A
A:geoip2:System test geoip2
I:geoip2:PORTRANGE:8300 - 8399
I:geoip2:starting servers
I:geoip2:checking that conf/good-options.conf is accepted (1)
I:geoip2:checking that conf/bad-areacode.conf is rejected (2)
I:geoip2:checking that conf/bad-dbname.conf is rejected (3)
I:geoip2:checking that conf/bad-netspeed.conf is rejected (4)
I:geoip2:checking that conf/bad-regiondb.conf is rejected (5)
I:geoip2:checking that conf/bad-threeletter.conf is rejected (6)
I:geoip2:checking Country database by code using IPv4 (7)
I:geoip2:checking Country database by code using IPv6 (8)
I:geoip2:reloading server
I:geoip2:ns2 server reload successful
I:geoip2:checking Country database with nested ACLs using IPv4 (9)
I:geoip2:checking Country database with nested ACLs using IPv6 (10)
I:geoip2:reloading server
I:geoip2:ns2 server reload successful
I:geoip2:checking Country database by name using IPv4 (11)
I:geoip2:checking Country database by name using IPv6 (12)
I:geoip2:reloading server
I:geoip2:ns2 server reload successful
I:geoip2:checking Country database by continent code using IPv4 (13)
```
```
S:inline:2022-04-27T06:15:29+0000
T:inline:1:A
A:inline:System test inline
I:inline:PORTRANGE:8600 - 8699
I:inline:starting servers
I:inline:checking that an unsupported algorithm is not used for signing (1)
I:inline:checking that rrsigs are replaced with ksk only (2)
I:inline:checking that the zone is signed on initial transfer (3)
I:inline:checking expired signatures are updated on load (4)
I:inline:checking removal of private type record via 'rndc signing -clear' (5)
I:inline:checking private type was properly signed (6)
I:inline:checking removal of remaining private type record via 'rndc signing -clear all' (7)
I:inline:checking negative private type response was properly signed (8)
I:inline:checking that the record is added on the hidden primary (9)
I:inline:checking that update has been transferred and has been signed (10)
I:inline:checking YYYYMMDDVV (2011072400) serial on hidden primary (11)
I:inline:checking YYYYMMDDVV (2011072400) serial in signed zone (12)
I:inline:checking that the zone is signed on initial transfer, noixfr (13)
I:inline:checking that the record is added on the hidden primary, noixfr (14)
I:inline:checking that update has been transferred and has been signed, noixfr (15)
I:inline:checking YYYYMMDDVV (2011072400) serial on hidden primary, noixfr (16)
I:inline:checking YYYYMMDDVV (2011072400) serial in signed zone, noixfr (17)
I:inline:checking that the primary zone signed on initial load (18)
I:inline:checking removal of private type record via 'rndc signing -clear' (primary) (19)
I:inline:checking private type was properly signed (primary) (20)
I:inline:checking removal of remaining private type record via 'rndc signing -clear' (primary) (21)
I:inline:check adding of record to unsigned primary (22)
I:inline:ns3 zone reload queued
I:inline:check adding record fails when SOA serial not changed (23)
I:inline:ns3 server reload successful
I:inline:check adding record works after updating SOA serial (24)
```
<details><summary>kasp</summary>
```
S:kasp:2022-04-27T06:15:07+0000
T:kasp:1:A
A:kasp:System test kasp
I:kasp:PORTRANGE:9000 - 9099
I:kasp:This test requires support for EDDSA cryptography
I:kasp:configure with --with-openssl, or --enable-native-pkcs11 --with-pkcs11
I:kasp:This test requires support for EDDSA cryptography
I:kasp:configure with --with-openssl, or --enable-native-pkcs11 --with-pkcs11
I:kasp:starting servers
I:kasp:check that 'dnssec-keygen -k' (configured policy) creates valid files (1)
I:kasp:check that 'dnssec-keygen -k' (default policy) creates valid files (2)
I:kasp:check key file ./Kkasp.+013+51983
I:kasp:check key timing metadata for key KEY1 id 51983 zone kasp (3)
I:kasp:check that 'dnssec-settime' by default does not edit key state file (4)
I:kasp:check that 'dnssec-settime -s' also sets publish time metadata and states in key state file (5)
I:kasp:check key file ./Kkasp.+013+51983
I:kasp:check key timing metadata for key KEY1 id 51983 zone kasp (6)
I:kasp:check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file (7)
I:kasp:check key file ./Kkasp.+013+51983
I:kasp:check key timing metadata for key KEY1 id 51983 zone kasp (8)
I:kasp:check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) (9)
I:kasp:check key file ./Kkasp.+013+51983
I:kasp:check key timing metadata for key KEY1 id 51983 zone kasp (10)
I:kasp:waiting for kasp signing changes to take effect (11)
I:kasp:check keys are created for zone default.kasp (12)
I:kasp:check number of keys for zone default.kasp in dir ns3 (12)
I:kasp:check key id 39605
I:kasp:KEY1 ID 39605
I:kasp:check rndc dnssec -status output for default.kasp (policy: default) (13)
I:kasp:check key timing metadata for key KEY1 id 39605 zone default.kasp (14)
I:kasp:check DNSKEY rrset is signed correctly for zone default.kasp (15)
I:kasp:check SOA rrset is signed correctly for zone default.kasp (16)
I:kasp:check CDS and CDNSKEY rrset are signed correctly for zone default.kasp (17)
I:kasp:check A a.default.kasp rrset is signed correctly for zone default.kasp (18)
I:kasp:dnssec-verify zone default.kasp (19)
I:kasp:modify unsigned zone file and check that new record is signed for zone default.kasp (20)
I:kasp:test that if private key files are inaccessible this doesn't trigger a rollover (20)
I:kasp:check keys are created for zone default.kasp (21)
I:kasp:check number of keys for zone default.kasp in dir ns3 (21)
I:kasp:check key id 39605
I:kasp:KEY1 ID 39605
I:kasp:check rndc dnssec -status output for default.kasp (policy: default) (22)
I:kasp:check key timing metadata for key KEY1 id 39605 zone default.kasp (23)
I:kasp:check DNSKEY rrset is signed correctly for zone default.kasp (24)
I:kasp:check SOA rrset is signed correctly for zone default.kasp (25)
I:kasp:check CDS and CDNSKEY rrset are signed correctly for zone default.kasp (26)
I:kasp:check A a.default.kasp rrset is signed correctly for zone default.kasp (27)
I:kasp:dnssec-verify zone default.kasp (28)
I:kasp:check keys are created for zone dynamic.kasp (29)
I:kasp:check number of keys for zone dynamic.kasp in dir ns3 (29)
I:kasp:check key id 56831
I:kasp:KEY1 ID 56831
I:kasp:check rndc dnssec -status output for dynamic.kasp (policy: default) (30)
I:kasp:check key timing metadata for key KEY1 id 56831 zone dynamic.kasp (31)
I:kasp:check DNSKEY rrset is signed correctly for zone dynamic.kasp (32)
I:kasp:check SOA rrset is signed correctly for zone dynamic.kasp (33)
I:kasp:check CDS and CDNSKEY rrset are signed correctly for zone dynamic.kasp (34)
I:kasp:check A a.dynamic.kasp rrset is signed correctly for zone dynamic.kasp (35)
I:kasp:dnssec-verify zone dynamic.kasp (36)
I:kasp:nsupdate zone and check that new record is signed for zone dynamic.kasp (37)
I:kasp:nsupdate zone and check that new record is signed for zone dynamic.kasp (38)
I:kasp:modify zone file and check that new record is signed for zone dynamic.kasp (39)
I:kasp:check keys are created for zone dynamic-inline-signing.kasp (40)
I:kasp:check number of keys for zone dynamic-inline-signing.kasp in dir ns3 (40)
I:kasp:check key id 32461
I:kasp:KEY1 ID 32461
I:kasp:check rndc dnssec -status output for dynamic-inline-signing.kasp (policy: default) (41)
I:kasp:check key timing metadata for key KEY1 id 32461 zone dynamic-inline-signing.kasp (42)
I:kasp:check DNSKEY rrset is signed correctly for zone dynamic-inline-signing.kasp (43)
I:kasp:check SOA rrset is signed correctly for zone dynamic-inline-signing.kasp (44)
I:kasp:check CDS and CDNSKEY rrset are signed correctly for zone dynamic-inline-signing.kasp (45)
I:kasp:check A a.dynamic-inline-signing.kasp rrset is signed correctly for zone dynamic-inline-signing.kasp (46)
I:kasp:dnssec-verify zone dynamic-inline-signing.kasp (47)
I:kasp:modify unsigned zone file and check that new record is signed for zone dynamic-inline-signing.kasp (48)
I:kasp:check keys are created for zone inline-signing.kasp (49)
I:kasp:check number of keys for zone inline-signing.kasp in dir ns3 (49)
I:kasp:check key id 44130
I:kasp:KEY1 ID 44130
I:kasp:check rndc dnssec -status output for inline-signing.kasp (policy: default) (50)
I:kasp:check key timing metadata for key KEY1 id 44130 zone inline-signing.kasp (51)
I:kasp:check DNSKEY rrset is signed correctly for zone inline-signing.kasp (52)
I:kasp:check SOA rrset is signed correctly for zone inline-signing.kasp (53)
I:kasp:check CDS and CDNSKEY rrset are signed correctly for zone inline-signing.kasp (54)
I:kasp:check A a.inline-signing.kasp rrset is signed correctly for zone inline-signing.kasp (55)
I:kasp:dnssec-verify zone inline-signing.kasp (56)
I:kasp:check keys are created for zone checkds-ksk.kasp (57)
I:kasp:check number of keys for zone checkds-ksk.kasp in dir ns3 (57)
I:kasp:check key id 57464
I:kasp:check key id 12023
I:kasp:KEY1 ID 57464
I:kasp:KEY2 ID 12023
I:kasp:check rndc dnssec -status output for checkds-ksk.kasp (policy: checkds-ksk) (58)
I:kasp:check DNSKEY rrset is signed correctly for zone checkds-ksk.kasp (59)
I:kasp:check SOA rrset is signed correctly for zone checkds-ksk.kasp (60)
I:kasp:check CDS and CDNSKEY rrset are signed correctly for zone checkds-ksk.kasp (61)
I:kasp:check A a.checkds-ksk.kasp rrset is signed correctly for zone checkds-ksk.kasp (62)
I:kasp:dnssec-verify zone checkds-ksk.kasp (63)
I:kasp:checkds publish correctly sets DSPublish for zone checkds-ksk.kasp (64)
I:kasp:calling rndc dnssec -checkds -when 20190102121314 published zone checkds-ksk.kasp in (65)
I:kasp:checkds withdraw correctly sets DSRemoved for zone checkds-ksk.kasp (66)
I:kasp:calling rndc dnssec -checkds -when 20200102121314 withdrawn zone checkds-ksk.kasp in (67)
I:kasp:check keys are created for zone checkds-doubleksk.kasp (68)
I:kasp:check number of keys for zone checkds-doubleksk.kasp in dir ns3 (68)
I:kasp:check key id 26947
I:kasp:check key id 27455
I:kasp:check key id 07792
I:kasp:KEY1 ID 26947
I:kasp:KEY2 ID 27455
I:kasp:KEY3 ID 7792
I:kasp:check rndc dnssec -status output for checkds-doubleksk.kasp (policy: checkds-doubleksk) (69)
I:kasp:check DNSKEY rrset is signed correctly for zone checkds-doubleksk.kasp (70)
I:kasp:check SOA rrset is signed correctly for zone checkds-doubleksk.kasp (71)
I:kasp:check CDS and CDNSKEY rrset are signed correctly for zone checkds-doubleksk.kasp (72)
```
</details>

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3303
assertion failure in isc_quota_destroy() on shutdown
2023-11-06T08:52:44Z
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/jobs/2469476
```
D:tcp:--------------------------------------------------------------------------------
D:tcp:Core was generated by `/builds/isc-projects/bind9/bin/named/.libs/named -D tcp-ns7 -X named.lock -m re'.
D:tcp:Program terminated with signal SIGABRT, Aborted.
D:tcp:#0 0xf7f88069 in __kernel_vsyscall ()
D:tcp:#0 0xf7f88069 in __kernel_vsyscall ()
D:tcp:#1 0xf72a0e02 in raise () from /lib/i386-linux-gnu/libc.so.6
D:tcp:#2 0xf7289306 in abort () from /lib/i386-linux-gnu/libc.so.6
D:tcp:#3 0x5663478e in assertion_failed (file=0xf7ce6750 "quota.c", line=46, type=isc_assertiontype_insist, cond=0xf7ce6908 "__extension__ ({ __auto_type __atomic_load_ptr = (&quota->waiting); __typeof__ (*__atomic_load_ptr) __atomic_load_tmp; __atomic_load (__atomic_load_ptr, &__atomic_load_tmp, (5)); __atomic_load_tmp; })"...) at main.c:237
D:tcp:#4 0xf7cab95f in isc_assertion_failed (file=0xf7ce6750 "quota.c", line=46, type=isc_assertiontype_insist, cond=0xf7ce6908 "__extension__ ({ __auto_type __atomic_load_ptr = (&quota->waiting); __typeof__ (*__atomic_load_ptr) __atomic_load_tmp; __atomic_load (__atomic_load_ptr, &__atomic_load_tmp, (5)); __atomic_load_tmp; })"...) at assertions.c:49
D:tcp:#5 0xf7cc1ce5 in isc_quota_destroy (quota=0xf422e078) at quota.c:46
D:tcp:#6 0xf7a6592b in ns_server_detach (sctxp=0xf4ee7108) at server.c:139
D:tcp:#7 0x56644360 in named_server_destroy (serverp=0x566986c8 <named_g_server>) at server.c:10358
D:tcp:#8 0x56636897 in cleanup () at main.c:1262
D:tcp:#9 main (argc=18, argv=0xff828604) at main.c:1492
D:tcp:--------------------------------------------------------------------------------
D:tcp:full backtrace from tcp/ns7/core.19616 saved in tcp/ns7/core.19616-backtrace.txt
```
I've seen this one before intermittently...

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3265
ThreadSanitizer: data race in __interceptor_memcmp & __interceptor_memset
2023-10-19T08:26:55Z
Michal Nowak

Job [#2428973](https://gitlab.isc.org/isc-projects/bind9/-/jobs/2428973) failed for 4d57ef0c49e96d46a72f0d768d8973af76c9f691 in the `doth` system test:
```
WARNING: ThreadSanitizer: data race
Read of size 8 at 0x000000000001 by thread T1:
#0 memcmp <null>
#1 ASN1_STRING_cmp <null>
#2 isc__nm_tlsdns_read_cb netmgr/tlsdns.c:1409
#3 uv__read /usr/src/libuv-v1.43.0/src/unix/stream.c:1247
#4 isc__trampoline_run lib/isc/trampoline.c:187
Previous write of size 8 at 0x000000000001 by thread T2 (mutexes: write M1):
#0 malloc <null>
#1 ASN1_STRING_set <null>
#2 isc__nm_tlsdns_read_cb netmgr/tlsdns.c:1409
#3 uv__read /usr/src/libuv-v1.43.0/src/unix/stream.c:1247
#4 isc__trampoline_run lib/isc/trampoline.c:187
Location is heap block of size 21 at 0x000000000001 allocated by thread T2:
#0 malloc <null>
#1 ASN1_STRING_set <null>
#2 isc__nm_tlsdns_read_cb netmgr/tlsdns.c:1409
#3 uv__read /usr/src/libuv-v1.43.0/src/unix/stream.c:1247
#4 isc__trampoline_run lib/isc/trampoline.c:187
Mutex M1 (0x000000000009) created at:
#0 pthread_rwlock_init <null>
#1 CRYPTO_THREAD_lock_new <null>
#2 listenelt_create lib/ns/listenlist.c:73
#3 ns_listenelt_create lib/ns/listenlist.c:193
#4 listenelt_fromconfig bin/named/server.c:11127
#5 listenlist_fromconfig bin/named/server.c:10863
#6 load_configuration bin/named/server.c:8895
#7 run_server bin/named/server.c:9835
#8 task_run lib/isc/task.c:711
#9 isc_task_run lib/isc/task.c:791
#10 isc__nm_async_task netmgr/netmgr.c:782
#11 process_netievent netmgr/netmgr.c:853
#12 process_queue netmgr/netmgr.c:944
#13 process_all_queues netmgr/netmgr.c:716
#14 async_cb netmgr/netmgr.c:745
#15 uv__async_io /usr/src/libuv-v1.43.0/src/unix/async.c:163
#16 isc__trampoline_run lib/isc/trampoline.c:187
Thread T1 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/thread.c:81
#2 isc__netmgr_create netmgr/netmgr.c:291
#3 isc_managers_create lib/isc/managers.c:31
#4 create_managers bin/named/main.c:920
#5 setup bin/named/main.c:1184
#6 main bin/named/main.c:1452
Thread T2 (running) created by main thread at:
#0 pthread_create <null>
#1 isc_thread_create lib/isc/thread.c:81
#2 isc__netmgr_create netmgr/netmgr.c:291
#3 isc_managers_create lib/isc/managers.c:31
#4 create_managers bin/named/main.c:920
#5 setup bin/named/main.c:1184
#6 main bin/named/main.c:1452
SUMMARY: ThreadSanitizer: data race in __interceptor_memcmp
```

Not planned

https://gitlab.isc.org/isc-projects/bind9/-/issues/3263
CID 351415: Error handling issues (CHECKED_RETURN)
2022-04-11T12:25:26Z
Michal Nowak

Triggered by bfee4624036caf849721f7a986d36e736db6e16c on `v9_18`:
```
*** CID 351415: Error handling issues (CHECKED_RETURN)
/lib/dns/rpz.c: 2072 in rpz_destroy()
2066 dns_rpz_dbupdate_callback, rpz);
2067 dns_db_detach(&rpz->db);
2068 }
2069
2070 INSIST(!rpz->updaterunning);
2071
>>> CID 351415: Error handling issues (CHECKED_RETURN)
>>> Calling "isc_timer_reset" without checking return value (as is done elsewhere 8 out of 9 times).
2072 isc_timer_reset(rpz->updatetimer, isc_timertype_inactive, NULL, NULL,
2073 true);
2074 isc_timer_detach(&rpz->updatetimer);
2075
2076 isc_ht_destroy(&rpz->nodes);
2077
```

Not planned