Changes in tests_expiredglue.py http://nxr.netbsd.org/rss/src/external/mpl/bind/dist/bin/tests/system/expiredglue/tests_expiredglue.py en Copyright 2005 Java branches: 1.1.1;<br/>Initial revision /src/external/mpl/bind/dist/bin/tests/system/expiredglue/tests_expiredglue.py - 1.1 Tue Apr 07 23:58:13 UTC 2026 christos Import bind-9.20.22 (previous was 9.20.18)<br/><br/>Notes for BIND 9.20.22<br/>Security Fixes<br/>Fix crash when reconfiguring zone update policy during active updates.<br/>We fixed a crash that could occur when running rndc reconfig to change a zone's<br/>update policy (e.g., from allow-update to update-policy) while DNS UPDATE<br/>requests were being processed for that zone. ISC would like to thank Vitaly<br/>Simonovich for bringing this issue to our attention. [GL #5817]<br/><br/>Bug Fixes<br/>Fix intermittent named crashes during asynchronous zone operations.<br/>Asynchronous zone loading and dumping operations occasionally dispatched tasks<br/>to the wrong internal event loop. This threading violation triggered internal<br/>safety assertions that abruptly terminated named. Strict loop affinity is now<br/>enforced for these tasks, ensuring they execute on their designated threads and<br/>preventing the crashes. [GL #4882]<br/><br/>Count temporal problems with DNSSEC validation as attempts.<br/>After the KeyTrap vulnerability (CVE-2023-50387), any temporal DNSSEC errors<br/>were originally hard errors that caused validation failures, even if the<br/>records had another valid signature. This has been changed; RRSIGs outside of<br/>the inception and expiration time are not counted as hard errors. However,<br/>these errors were not even counted as validation attempts, so an excessive<br/>number of expired RRSIGs would cause some non-cryptographic extra work for the<br/>validator. This has been fixed and the temporal errors are now correctly<br/>counted as validation attempts. [GL #5760]<br/><br/>Fix a possible deadlock in RPZ processing.<br/>The named process could hang when processing a maliciously crafted update for a<br/>response policy zone (RPZ). This has been fixed. [GL #5775]<br/><br/>Fix a crash triggered by rndc modzone on a zone from a configuration file.<br/>Calling rndc modzone on a zone that was configured in the configuration file<br/>caused a crash. This has been fixed. [GL #5800]<br/><br/>Fix the processing of empty catalog zone ACLs.<br/>The named process could terminate unexpectedly when processing a catalog zone<br/>ACL in an APL resource record that was completely empty. This has been fixed.<br/>[GL #5801]<br/><br/>Fix a crash triggered by rndc modzone on zone that already existed in NZF file.<br/>Calling rndc modzone didn't work properly for a zone that was configured in the<br/>configuration file. It could crash if BIND 9 was built without LMDB or if there<br/>was already an NZF file for the zone. This has been fixed. [GL #5826]<br/><br/>Fix potential resource leak during resolver error handling.<br/>Under specific error conditions during query processing, resources were not<br/>being properly released, which could eventually lead to unnecessary memory<br/>consumption for the server. A potential resource leak in the resolver has been<br/>fixed. [GL !11658]<br/><br/>Notes for BIND 9.20.21<br/>Security Fixes<br/>Fix unbounded NSEC3 iterations when validating referrals to unsigned<br/>delegations. (CVE-2026-1519)<br/>DNSSEC-signed zones may contain high iteration-count NSEC3 records, which prove<br/>that certain delegations are insecure. Previously, a validating resolver<br/>encountering such a delegation processed these iterations up to the number<br/>given, which could be a maximum of 65,535. This has been addressed by<br/>introducing a processing limit, set at 50. Now, if such an NSEC3 record is<br/>encountered, the delegation will be treated as insecure. ISC would like to<br/>thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention.<br/>[GL #5708]<br/><br/>Fix memory leaks in code preparing DNSSEC proofs of non-existence.<br/>(CVE-2026-3104)<br/>An attacker controlling a DNSSEC-signed zone could trigger a memory leak in the<br/>logic preparing DNSSEC proofs of non-existence, by creating more than<br/>max-records-per-type RRSIGs for NSEC records. These memory leaks have been<br/>fixed. ISC would like to thank Vitaly Simonovich for bringing this<br/>vulnerability to our attention. [GL #5742]<br/><br/>Prevent a crash in code processing queries containing a TKEY record.<br/>(CVE-2026-3119)<br/>The named process could terminate unexpectedly when processing a correctly<br/>signed query containing a TKEY record. This has been fixed. ISC would like to<br/>thank Vitaly Simonovich for bringing this vulnerability to our attention.<br/>[GL #5748]<br/><br/>Fix a stack use-after-return flaw in SIG(0) handling code. (CVE-2026-3591)<br/>A stack use-after-return flaw in SIG(0) handling code could enable ACL bypass<br/>and/or assertion failures in certain circumstances. This flaw has been fixed.<br/>ISC would like to thank Mcsky23 for bringing this vulnerability to our<br/>attention. [GL #5754]<br/><br/>Bug Fixes<br/>Fix the handling of key statements defined inside views.<br/>A recent change introduced in BIND 9.20.17 hardened the key name check when<br/>used in primaries, to immediately reject the configuration if the key was not<br/>defined (rather than only checking whether the key name was correctly formed).<br/>However, that change introduced a regression that prevented the use of a key<br/>defined in a view. This has now been fixed. [GL #5761]<br/><br/>Notes for BIND 9.20.20<br/>Security Fixes<br/>Fix a use-after-free error in dns_client_resolve() triggered by a DNAME<br/>response.<br/>This issue only affected the delv tool and it has now been fixed. ISC would<br/>like to thank Vitaly Simonovich for bringing this vulnerability to our<br/>attention. [GL #5728]<br/><br/>Feature Changes<br/>Record query time for all dnstap responses.<br/>Not all DNS responses had the query time set in their corresponding dnstap<br/>messages. This has been fixed. [GL #3695]<br/><br/>Optimize TCP source port selection on Linux.<br/>Enable the IP_LOCAL_PORT_RANGE socket option on the outgoing TCP sockets to<br/>allow faster selection of the source <address,port> tuple for different<br/>destination <address,port> tuples, when nearing over 70-80% of the source port<br/>utilization. [GL !11569]<br/><br/>Bug Fixes<br/>Fix an assertion failure triggered by non-minimal IXFRs.<br/>Processing an IXFR that included an RRset whose contents were not changed by<br/>the transfer triggered an assertion failure. This has been fixed. [GL #5759]<br/><br/>Fix a crash when retrying a NOTIFY over TCP.<br/>Furthermore, do not attempt to retry over TCP at all if the source address is<br/>not available. [GL #5457]<br/><br/>Fetch loop detection improvements.<br/>Fix a case where an in-domain nameserver with expired glue would fail to<br/>resolve. [GL #5588]<br/><br/>Randomize nameserver selection.<br/>Since BIND 9.20.17, when selecting nameserver addresses to be looked up, named<br/>selected them in DNSSEC order from the start of the NS RRset. This could lead<br/>to a resolution failure despite there being an address that could be resolved<br/>using the other nameserver names. named now randomizes the order in which<br/>nameserver addresses are looked up. [GL #5695] [GL #5745]<br/><br/>Fix dnstap logging of forwarded queries. [GL #5724]<br/>A stale answer could have been served in case of multiple upstream failures<br/>when following CNAME chains. This has been fixed. [GL #5751]<br/><br/>Fail DNSKEY validation when supported but invalid DS is found.<br/>A regression was introduced in BIND 9.20.6 when adding the EDE code for<br/>unsupported DNSKEY and DS algorithms. When the parent had both supported and<br/>unsupported algorithms in the DS record, the validator would treat the<br/>supported DS algorithm as insecure instead of bogus when validating DNSKEY<br/>records. This has no security impact, as the rest of the child zone correctly<br/>ends with bogus status, but it is incorrect and thus the regression has been<br/>fixed. [GL #5757]<br/><br/>Importing an invalid SKR file might corrupt stack memory.<br/>If an administrator imported an invalid SKR file, the local stack in the import<br/>function might overflow. This could lead to a memory corruption on the stack<br/>and ultimately a server crash. This has been fixed. [GL #5758]<br/><br/>Return FORMERR for queries with the EDNS Client Subnet FAMILY field set to 0.<br/>RFC 7871 only defines families 1 (IPv4) and 2 (IPv6), and requires FORMERR to<br/>be returned for all unknown families. Queries with the EDNS Client Subnet<br/>FAMILY field set to 0 now elicit responses with RCODE=FORMERR. [GL !11565]<br/><br/>Notes for BIND 9.20.19<br/>Feature Changes<br/>Update requirements for system test suite.<br/>Python 3.10 or newer is now required for running the system test suite. The<br/>required Python packages and their version requirements are now tracked in the<br/>file bin/tests/system/requirements.txt. [GL #5690] [GL #5614]<br/><br/>Bug Fixes<br/>Fix inbound IXFR performance regression.<br/>Very large inbound IXFR transfers were much slower compared to BIND 9.18. The<br/>performance was improved by adding specialized logic to handle IXFR transfers.<br/>[GL #5442]<br/><br/>Make catalog zone names and member zones' entry names case-insensitive.<br/>[GL #5693]<br/><br/>Fix implementation of BRID and HHIT record types. [GL #5710]<br/><br/>Fix implementation of DSYNC record type. [GL #5711]<br/><br/>Fix response policy and catalog zones to work with $INCLUDE directive.<br/>Reloading a RPZ or a catalog zone could have failed when $INCLUDE was in use.<br/>[GL #5714] /src/external/mpl/bind/dist/bin/tests/system/expiredglue/tests_expiredglue.py - 1.1.1.1 Tue Apr 07 23:58:13 UTC 2026 christos