From d598399af2576a078f6f490e1bb6c34c8a27acbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Fri, 27 Mar 2026 12:48:31 +0100 Subject: [PATCH] [9.18] [CVE-2026-1519] sec: usr: Fix unbounded NSEC3 iterations when validating referrals to unsigned delegations DNSSEC-signed zones may contain high iteration-count NSEC3 records, which prove that certain delegations are insecure. Previously, a validating resolver encountering such a delegation processed these iterations up to the number given, which could be a maximum of 65,535. This has been addressed by introducing a processing limit, set at 150. Now, if such an NSEC3 record is encountered, the delegation will be treated as insecure. ISC would like to thank Samy Medjahed/Ap4sh for bringing this vulnerability to our attention. Closes isc-projects/bind9#5708 Resolves-Vulnerability: CVE-2026-1519 --- bind-9.18-CVE-2026-1519-test.patch | 337 +++++++++++++++++++++++++++++ bind-9.18-CVE-2026-1519.patch | 251 +++++++++++++++++++++ bind.spec | 9 +- 3 files changed, 596 insertions(+), 1 deletion(-) create mode 100644 bind-9.18-CVE-2026-1519-test.patch create mode 100644 bind-9.18-CVE-2026-1519.patch diff --git a/bind-9.18-CVE-2026-1519-test.patch b/bind-9.18-CVE-2026-1519-test.patch new file mode 100644 index 0000000..6048e76 --- /dev/null +++ b/bind-9.18-CVE-2026-1519-test.patch @@ -0,0 +1,337 @@ +From 7df00188c93d1fb8496328976e00192dd657d5aa Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= +Date: Tue, 3 Feb 2026 18:25:04 +0100 +Subject: [PATCH] Reproducer for CVE-2026-1519 + +When a validating resolver processes a delegation from a DNSSEC-signed +zone which uses too many NSEC3 iterations, it should cease the attempt +to validate due to an NSEC3 iteration limit being exceeded and fall back +to insecure. + +(cherry picked from commit 9bc14a89f1313aa38330e84674ac3b7691db3383) +(cherry picked from commit 2c82f99a3c95f356861d5977f12ef9bbe2063cb6) +--- + .../system/nsec3-delegation/ns1/named.conf.j2 | 35 +++++++++++ + bin/tests/system/nsec3-delegation/ns1/root.db | 25 ++++++++ + .../ns2/iter-too-many.db.j2.manual | 31 ++++++++++ + .../system/nsec3-delegation/ns2/named.conf.j2 | 40 ++++++++++++ + .../nsec3-delegation/ns2/sub.iter-too-many.db | 24 ++++++++ + .../system/nsec3-delegation/ns3/named.conf.j2 | 37 +++++++++++ + .../nsec3-delegation/ns3/trusted.conf.j2 | 1 + + .../tests_excessive_nsec3_iterations.py | 61 +++++++++++++++++++ + 8 files changed, 254 insertions(+) + create mode 100644 bin/tests/system/nsec3-delegation/ns1/named.conf.j2 + create mode 100644 bin/tests/system/nsec3-delegation/ns1/root.db + create mode 100644 bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual + create mode 100644 bin/tests/system/nsec3-delegation/ns2/named.conf.j2 + create mode 100644 bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db + create mode 100644 bin/tests/system/nsec3-delegation/ns3/named.conf.j2 + create mode 120000 bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 + create mode 100644 bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py + +diff --git a/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 b/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 +new file mode 100644 +index 0000000000..65016d1c67 +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 +@@ -0,0 +1,35 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.1; ++ notify-source 10.53.0.1; ++ transfer-source 10.53.0.1; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.1; }; ++ listen-on-v6 { none; }; ++ recursion no; ++ dnssec-validation no; ++}; ++ ++controls { ++ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++include "../../_common/rndc.key"; ++ ++zone "." { ++ type primary; ++ file "root.db"; ++}; +diff --git a/bin/tests/system/nsec3-delegation/ns1/root.db b/bin/tests/system/nsec3-delegation/ns1/root.db +new file mode 100644 +index 0000000000..c3f80d0d4b +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/ns1/root.db +@@ -0,0 +1,25 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ++. IN SOA . . ( ++ 2025063000 ; serial ++ 600 ; refresh ++ 600 ; retry ++ 1200 ; expire ++ 600 ; minimum ++ ) ++. NS a.root-servers.nil. ++ ++a.root-servers.nil A 10.53.0.1 ++ ++iter-too-many. NS ns2.iter-too-many. ++ns2.iter-too-many. A 10.53.0.2 +diff --git a/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual b/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual +new file mode 100644 +index 0000000000..fa5023d21b +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual +@@ -0,0 +1,31 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++{% raw %} ++$TTL 300 ++@ IN SOA ns2.iter-too-many. hostmaster.iter-too-many. ( ++ 2026020300 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++) ++ ++@ IN NS ns2.iter-too-many. ++ns2 IN A 10.53.0.2 ++ ++sub IN NS ns2.sub.iter-too-many. ++ns2.sub IN A 10.53.0.2 ++{% endraw %} ++ ++{% for dnskey in dnskeys %} ++@dnskey@ ++{% endfor %} +diff --git a/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 b/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 +new file mode 100644 +index 0000000000..2f4823574f +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 +@@ -0,0 +1,40 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.2; ++ notify-source 10.53.0.2; ++ transfer-source 10.53.0.2; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.2; }; ++ listen-on-v6 { none; }; ++ recursion no; ++ dnssec-validation no; ++}; ++ ++controls { ++ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++include "../../_common/rndc.key"; ++ ++zone "iter-too-many" { ++ type primary; ++ file "iter-too-many.signed.db"; ++}; ++ ++zone "sub.iter-too-many" { ++ type primary; ++ file "sub.iter-too-many.db"; ++}; +diff --git a/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db b/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db +new file mode 100644 +index 0000000000..09b2bb6fb3 +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db +@@ -0,0 +1,24 @@ ++; Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++; ++; SPDX-License-Identifier: MPL-2.0 ++; ++; This Source Code Form is subject to the terms of the Mozilla Public ++; License, v. 2.0. If a copy of the MPL was not distributed with this ++; file, you can obtain one at https://mozilla.org/MPL/2.0/. ++; ++; See the COPYRIGHT file distributed with this work for additional ++; information regarding copyright ownership. ++ ++$TTL 300 ++@ IN SOA ns2.sub.iter-too-many. hostmaster.sub.iter-too-many. ( ++ 2026020300 ; serial ++ 20 ; refresh (20 seconds) ++ 20 ; retry (20 seconds) ++ 1814400 ; expire (3 weeks) ++ 3600 ; minimum (1 hour) ++) ++ ++@ IN NS ns2.sub.iter-too-many. ++ns2 IN A 10.53.0.2 ++ ++example IN A 127.0.0.1 +diff --git a/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 b/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 +new file mode 100644 +index 0000000000..e36b88c53e +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 +@@ -0,0 +1,37 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * SPDX-License-Identifier: MPL-2.0 ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, you can obtain one at https://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++options { ++ query-source address 10.53.0.3; ++ notify-source 10.53.0.3; ++ transfer-source 10.53.0.3; ++ port @PORT@; ++ pid-file "named.pid"; ++ listen-on { 10.53.0.3; }; ++ listen-on-v6 { none; }; ++ recursion yes; ++ dnssec-validation yes; ++}; ++ ++controls { ++ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; ++}; ++ ++include "../../_common/rndc.key"; ++ ++zone "." { ++ type hint; ++ file "../../_common/root.hint"; ++}; ++ ++include "trusted.conf"; +diff --git a/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 b/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 +new file mode 120000 +index 0000000000..cb0be77b22 +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 +@@ -0,0 +1 @@ ++../../_common/trusted.conf.j2 +\ No newline at end of file +diff --git a/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py b/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py +new file mode 100644 +index 0000000000..f85384bb1e +--- /dev/null ++++ b/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py +@@ -0,0 +1,61 @@ ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# SPDX-License-Identifier: MPL-2.0 ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, you can obtain one at https://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++from isctest.run import EnvCmd ++ ++import isctest ++ ++ ++def bootstrap(): ++ templates = isctest.template.TemplateEngine(".") ++ keygen = EnvCmd("KEYGEN", "-a ECDSA256") ++ signer = EnvCmd("SIGNER") ++ ++ isctest.log.info("setup iter-too-many.") ++ zonename = "iter-too-many." ++ ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").out.strip() ++ zsk_name = keygen(f"{zonename}", cwd="ns2").out.strip() ++ ksk = isctest.kasp.Key(ksk_name, keydir="ns2") ++ zsk = isctest.kasp.Key(zsk_name, keydir="ns2") ++ dnskeys = [ksk.dnskey, zsk.dnskey] ++ ++ tdata = { ++ "dnskeys": dnskeys, ++ } ++ templates.render(f"ns2/{zonename}db", tdata, template=f"ns2/{zonename}db.j2.manual") ++ signer( ++ f"-P -o {zonename} -f {zonename}signed.db -3 A1B2C3D4 -H too-many -H 151 -S {zonename}db", ++ cwd="ns2", ++ ) ++ ++ return { ++ "trust_anchors": [ ++ ksk.into_ta("static-key"), ++ ], ++ } ++ ++ ++def test_excessive_nsec3_iterations_delegation(ns3): ++ # reproducer for CVE-2026-1519 [GL#5708] ++ zone = "example.sub.iter-too-many" ++ msg = isctest.query.create(zone, "A") ++ res = isctest.query.tcp(msg, ns3.ip) ++ ++ # an insecure response is expected regardless of the NSEC3 iteration limit, ++ # because the sub.iter-too-many. zone is unsigned. the real difference is ++ # in the CPU usage required for generating such response, but that can't be ++ # easily and reliably tested in an automated fashion ++ isctest.check.noerror(res) ++ ++ with ns3.watch_log_from_start() as watcher: ++ watcher.wait_for_line( ++ f"validating {zone}/A: validator_callback_ds: too many iterations" ++ ) +-- +2.53.0 + diff --git a/bind-9.18-CVE-2026-1519.patch b/bind-9.18-CVE-2026-1519.patch new file mode 100644 index 0000000..575851e --- /dev/null +++ b/bind-9.18-CVE-2026-1519.patch @@ -0,0 +1,251 @@ +From e388088ed01874485d8bd38e332a54b0c1fb5605 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 3 Mar 2026 10:40:36 +0100 +Subject: [PATCH] Check iterations in isdelegation() + +When looking up an NSEC3 as part of an insecurity proof, check the +number of iterations. If this is too high, treat the answer as insecure +by marking the answer with trust level "answer", indicating that they +did not validate, but could be cached as insecure. + +(cherry picked from commit 988040a5e02f86f4a8cdb0704e8d501f9082a89c) +(cherry picked from commit 85c21feff9acb0982fe60f2c88201bf55533bd0e) + +Don't verify already trusted rdatasets + +If we already marked an rdataset as secure (or it has even stronger +trust), there is no need to cryptographically verify it again. + +(cherry picked from commit 0ec08c212022d08c9717f2bc6bd3e8ebd6f034ce) +(cherry picked from commit 8890a91c1c16129333139b9d8a4381e0f741f0d6) + +Check RRset trust in validate_neg_rrset() + +In many places we only create a validator if the RRset has too low +trust (the RRset is pending validation, or could not be validated +before). This check was missing prior to validating negative response +data. + +(cherry picked from commit 6ca67f65cd685cf8699540a852c1e3775bd48d64) +(cherry picked from commit 85fcd704e2f7cc2a25d2195bc4bb28398c889ed3) +--- + lib/dns/include/dns/types.h | 1 + + lib/dns/validator.c | 90 ++++++++++++++++++++++++++++--------- + 2 files changed, 70 insertions(+), 21 deletions(-) + +diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h +index f0aaa24e93..a945f0e73f 100644 +--- a/lib/dns/include/dns/types.h ++++ b/lib/dns/include/dns/types.h +@@ -353,6 +353,7 @@ enum { + ((x) == dns_trust_additional || (x) == dns_trust_pending_additional) + #define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue) + #define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer) ++#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure) + + /*% + * Name checking severities. +diff --git a/lib/dns/validator.c b/lib/dns/validator.c +index a9db844c27..0c805af6fa 100644 +--- a/lib/dns/validator.c ++++ b/lib/dns/validator.c +@@ -252,12 +252,25 @@ exit_check(dns_validator_t *val) { + } + + /*% +- * Look in the NSEC record returned from a DS query to see if there is +- * a NS RRset at this name. If it is found we are at a delegation point. ++ * The isdelegation() function is called as part of seeking the DS record. ++ * Look in the NSEC or NSEC3 record returned from a DS query to see if the ++ * record has the NS bitmap set. If so, we are at a delegation point. ++ * ++ * If the response contains NSEC3 records with too high iterations, we cannot ++ * (or rather we are not going to) validate the insecurity proof. Instead we ++ * are going to treat the message as insecure and just assume the DS was at ++ * the delegation. ++ * ++ * Returns: ++ *\li #ISC_R_SUCCESS the NS bitmap was set in the NSEC or NSEC3 record, or ++ * the NSEC3 covers the name (in case of opt-out), or ++ * we cannot validate the insecurity proof and are going ++ * to treat the message as isnecure. ++ *\li #ISC_R_NOTFOUND the NS bitmap was not set, + */ +-static bool +-isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, +- isc_result_t dbresult) { ++static isc_result_t ++isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset, ++ isc_result_t dbresult, const char *caller) { + dns_fixedname_t fixed; + dns_label_t hashlabel; + dns_name_t nsec3name; +@@ -285,7 +298,7 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, + goto trynsec3; + } + if (result != ISC_R_SUCCESS) { +- return false; ++ return ISC_R_NOTFOUND; + } + } + +@@ -299,7 +312,7 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset, + dns_rdata_reset(&rdata); + } + dns_rdataset_disassociate(&set); +- return found; ++ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND; + + trynsec3: + /* +@@ -335,6 +348,18 @@ trynsec3: + if (nsec3.hash != 1) { + continue; + } ++ /* ++ * If there are too many iterations assume bad things ++ * are happening and bail out early. Treat as if the ++ * DS was at the delegation. ++ */ ++ if (nsec3.iterations > DNS_NSEC3_MAXITERATIONS) { ++ validator_log(val, ISC_LOG_DEBUG(3), ++ "%s: too many iterations", ++ caller); ++ dns_rdataset_disassociate(&set); ++ return ISC_R_SUCCESS; ++ } + length = isc_iterated_hash( + hash, nsec3.hash, nsec3.iterations, nsec3.salt, + nsec3.salt_length, name->ndata, name->length); +@@ -346,7 +371,7 @@ trynsec3: + found = dns_nsec3_typepresent(&rdata, + dns_rdatatype_ns); + dns_rdataset_disassociate(&set); +- return found; ++ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND; + } + if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) { + continue; +@@ -362,12 +387,12 @@ trynsec3: + memcmp(hash, nsec3.next, length) < 0))) + { + dns_rdataset_disassociate(&set); +- return true; ++ return ISC_R_SUCCESS; + } + } + dns_rdataset_disassociate(&set); + } +- return found; ++ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND; + } + + /*% +@@ -583,8 +608,9 @@ fetch_callback_ds(isc_task_t *task, isc_event_t *event) { + } else if (eresult == DNS_R_SERVFAIL) { + goto unexpected; + } else if (eresult != DNS_R_CNAME && +- isdelegation(devent->foundname, &val->frdataset, +- eresult)) ++ isdelegation(val, devent->foundname, &val->frdataset, ++ eresult, ++ "fetch_callback_ds") == ISC_R_SUCCESS) + { + /* + * Failed to find a DS while trying to prove +@@ -744,10 +770,13 @@ validator_callback_ds(isc_task_t *task, isc_event_t *event) { + dns_trust_totext(val->frdataset.trust)); + have_dsset = (val->frdataset.type == dns_rdatatype_ds); + name = dns_fixedname_name(&val->fname); ++ + if ((val->attributes & VALATTR_INSECURITY) != 0 && + val->frdataset.covers == dns_rdatatype_ds && + NEGATIVE(&val->frdataset) && +- isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) ++ isdelegation(val, name, &val->frdataset, ++ DNS_R_NCACHENXRRSET, ++ "validator_callback_ds") == ISC_R_SUCCESS) + { + result = markanswer(val, "validator_callback_ds", + "no DS and this is a delegation"); +@@ -1485,6 +1514,13 @@ verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata, + bool ignore = false; + dns_name_t *wild; + ++ if (DNS_TRUST_SECURE(val->event->rdataset->trust)) { ++ /* ++ * This RRset was already verified before. ++ */ ++ return ISC_R_SUCCESS; ++ } ++ + val->attributes |= VALATTR_TRIEDVERIFY; + wild = dns_fixedname_initname(&fixed); + again: +@@ -2425,6 +2461,17 @@ validate_neg_rrset(dns_validator_t *val, dns_name_t *name, + } + } + ++ if (rdataset->type != dns_rdatatype_nsec && ++ DNS_TRUST_SECURE(rdataset->trust)) ++ { ++ /* ++ * The negative response data is already verified. ++ * We skip NSEC records, because they require special ++ * processing in validator_callback_nsec(). ++ */ ++ return DNS_R_CONTINUE; ++ } ++ + val->currentset = rdataset; + result = create_validator(val, name, rdataset->type, rdataset, + sigrdataset, validator_callback_nsec, +@@ -2535,11 +2582,9 @@ validate_ncache(dns_validator_t *val, bool resume) { + } + + result = validate_neg_rrset(val, name, rdataset, sigrdataset); +- if (result == DNS_R_CONTINUE) { +- continue; ++ if (result != DNS_R_CONTINUE) { ++ return result; + } +- +- return result; + } + if (result == ISC_R_NOMORE) { + result = ISC_R_SUCCESS; +@@ -2588,7 +2633,8 @@ validate_nx(dns_validator_t *val, bool resume) { + result = findnsec3proofs(val); + if (result == DNS_R_NSEC3ITERRANGE) { + validator_log(val, ISC_LOG_DEBUG(3), +- "too many iterations"); ++ "%s: too many iterations", ++ __func__); + markanswer(val, "validate_nx (3)", NULL); + return ISC_R_SUCCESS; + } +@@ -2624,7 +2670,7 @@ validate_nx(dns_validator_t *val, bool resume) { + result = findnsec3proofs(val); + if (result == DNS_R_NSEC3ITERRANGE) { + validator_log(val, ISC_LOG_DEBUG(3), +- "too many iterations"); ++ "%s: too many iterations", __func__); + markanswer(val, "validate_nx (4)", NULL); + return ISC_R_SUCCESS; + } +@@ -2841,8 +2887,10 @@ seek_ds(dns_validator_t *val, isc_result_t *resp) { + return ISC_R_COMPLETE; + } + +- if (isdelegation(tname, &val->frdataset, result)) { +- *resp = markanswer(val, "proveunsecure (4)", ++ result = isdelegation(val, tname, &val->frdataset, result, ++ "seek_ds"); ++ if (result == ISC_R_SUCCESS) { ++ *resp = markanswer(val, "seek_ds (3)", + "this is a delegation"); + return ISC_R_COMPLETE; + } +-- +2.53.0 + diff --git a/bind.spec b/bind.spec index 6855476..b158a70 100644 --- a/bind.spec +++ b/bind.spec @@ -80,7 +80,7 @@ License: MPL-2.0 AND ISC AND MIT AND BSD-3-Clause AND BSD-2-Clause # Before rebasing bind, ensure bind-dyndb-ldap is ready to be rebuild and use side-tag with it. # Updating just bind will cause freeipa-dns-server package to be uninstallable. Version: 9.18.33 -Release: 17%{?dist} +Release: 18%{?dist} Epoch: 32 Url: https://www.isc.org/downloads/bind/ # @@ -163,6 +163,9 @@ Patch229: bind-9.20-robust-key-rollovers-tests.patch # https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/10767 Patch230: bind-9.20-stale-cname.patch Patch231: bind-9.20-stale-cname-tests.patch +# https://gitlab.isc.org/isc-projects/bind9/-/commit/5ef459eeaa92222ad28d2186f5eae9a586dece70 +Patch232: bind-9.18-CVE-2026-1519.patch +Patch233: bind-9.18-CVE-2026-1519-test.patch %{?systemd_ordering} # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers @@ -964,6 +967,10 @@ fi; %endif %changelog +* Fri Mar 27 2026 Petr Menšík - 32:9.18.33-18 +- Prevent Denial of Service via maliciously crafted DNSSEC-validated zone + (CVE-2026-1519) + * Thu Feb 26 2026 Fedor Vorobev - 32:9.18.33-17 - Backport fixes for stale CNAME chains. (RHEL-142289)