head 1.1; branch 1.1.1; access; symbols bind-9-20-24:1.1.1.2 bind-9-20-23:1.1.1.1 ISC:1.1.1; locks; strict; comment @# @; 1.1 date 2026.05.20.16.43.04; author christos; state Exp; branches 1.1.1.1; next ; commitid 8F4FGV2ey5ZbCzGG; 1.1.1.1 date 2026.05.20.16.43.04; author christos; state Exp; branches; next 1.1.1.2; commitid 8F4FGV2ey5ZbCzGG; 1.1.1.2 date 2026.06.19.19.52.01; author christos; state Exp; branches; next ; commitid kgAYnCgffgejHrKG; desc @@ 1.1 log @Initial revision @ text @.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") .. .. SPDX-License-Identifier: MPL-2.0 .. .. This Source Code Form is subject to the terms of the Mozilla Public .. License, v. 2.0. If a copy of the MPL was not distributed with this .. file, you can obtain one at https://mozilla.org/MPL/2.0/. .. .. See the COPYRIGHT file distributed with this work for additional .. information regarding copyright ownership. Notes for BIND 9.20.23 ---------------------- Security Fixes ~~~~~~~~~~~~~~ - Limit resolver server list size. :cve:`2026-3592` When resolving a domain with many nameservers that shared overlapping IP addresses (e.g., 10 NS records all pointing at the same set of addresses), BIND could previously waste time querying duplicate addresses and build up excessively large server lists. Addresses in the resolver's server list are now deduplicated so that each unique IP is only queried once per resolution attempt, regardless of how many NS records point to it. The number of addresses stored per nameserver name is also now capped at six (combined A and AAAA), preventing memory and CPU overhead from domains with unusually large NS/glue sets. ISC would like to thank Shuhan Zhang from Tsinghua University for reporting this issue. :gl:`#5641` - Fix GSS-API resource leak. :cve:`2026-3039` A memory leak was fixed where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a server with :any:`tkey-gssapi-keytab` configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting. Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round. ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. :gl:`#5752` - Disable recursion, UPDATE, and NOTIFY for non-IN views. :cve:`2026-5946` Recursion, dynamic updates (UPDATE), and zone change notifications (NOTIFY) are now disabled for views with a class other than IN (such as CHAOS or HESIOD); authoritative service for non-IN zones (e.g. version.bind in class CHAOS) continues to work as before. Servers configured with :namedconf:ref:`recursion yes; ` in a non-IN view log a warning at startup, and :iscman:`named-checkconf` flags the same condition. UPDATE and NOTIFY messages that specify the meta-classes ANY or NONE in the question section are now rejected with FORMERR. This addresses a set of closely related security issues collectively identified as CVE-2026-5946. ISC would like to thank Mcsky23 for bringing these issues to our attention. :gl:`#5784` - Avoid unbounded recursion loop. :cve:`2026-5950` A bug during bad server handling could cause the resolver to enter an infinite loop, continuously sending queries to an upstream server with no exit condition, until the resolver query timeout was hit. This has been fixed. ISC would like to thank Billy Baraja (BielraX) for bringing this issue to our attention. :gl:`#5804` - Fix crash in resolver when SIG(0)-signed responses are received under load. :cve:`2026-5947` A resolver could crash when handling a SIG(0)-signed response if the matching client query was cancelled while signature verification was still in progress — for example, when the recursive-clients quota was exhausted. This has been fixed. ISC would like to thank Naoki Wakamatsu for bringing this vulnerability to our attention. :gl:`#5819` - Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. :cve:`2026-3593` Previously, a use-after-free vulnerability in the DNS-over-HTTPS implementation could cause :iscman:`named` to crash when a client sent a flood of HTTP/2 SETTINGS frames while a DoH response was being written. This affected servers with DoH (DNS-over-HTTPS) enabled and has been fixed. ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting this. :gl:`#5755` - Fix outgoing zone transfers' quota issue. Unauthorized clients could consume the entire outgoing zone-transfer quota and block authorized zone transfer clients. This has been fixed. :gl:`#3589` Feature Changes ~~~~~~~~~~~~~~~ - Fix CPU spikes and slow queries when cache approaches memory limit. Cache cleanup is now spread probabilistically to avoid CPU usage spikes and a drop in query throughput. :gl:`#5891` Bug Fixes ~~~~~~~~~ - Use the zone file's basename as origin in DNSSEC tools. In :iscman:`dnssec-signzone` and :iscman:`dnssec-verify`, when the zone origin is not specified using the ``-o`` parameter, the default behavior is to try to sign using the zone's file name as the origin. So, for example, ``dnssec-signzone -S example.com`` will work, so long as the file name matches the zone name. This now also works if the zone is in a different directory. For example, ``dnssec-signzone -S zones/example.com`` will set the origin value to ``example.com``. :gl:`#5678` - Fix a possible race condition during zone transfers. The :iscman:`named` process could terminate unexpectedly when processing an IXFR message during a zone transfer. This has been fixed. :gl:`#5767` - Fix :iscman:`named` crash when processing SIG records in dynamic updates. Previously, :iscman:`named` could abort if a client sent a dynamic update containing a SIG record (the legacy signature type) to a zone configured with an update-policy. The function `dns_db_findrdataset` had an incorrect requirements prerequisite that prevented SIG records from being looked up, which was triggered as part of processing an UPDATE request and could be triggered remotely by any client permitted to send updates. This has been fixed by ensuring that SIG records are handled consistently with RRSIG records during update processing. :gl:`#5818` - Fix :option:`rndc modzone` behavior for a zone in named.conf. If a zone was present in the configuration file and not originally added by :option:`rndc addzone`, :option:`rndc modzone` for that zone would succeed once but subsequent :option:`rndc modzone` attempts would fail. This has been fixed. :gl:`#5826` - Fix zone verification of NSEC3 signed zones. Previously, when computing the compressed bitmap during verification of an NSEC3-signed zone, an undersized buffer was used that resulted in an out-of-bounds write if there were too many active windows in the bitmap. This impacted the mirror zones which are NSEC3-signed, :iscman:`dnssec-signzone` and :iscman:`dnssec-verify`. This has been fixed. :gl:`#5834` - Prevent a crash when using both :any:`dns64` and :any:`filter-aaaa`. An assertion failure could be triggered if both :any:`dns64` and the :any:`filter-aaaa` plugin were in use simultaneously. This happened if the plugin triggered a second recursion process, which then attempted to store DNS64 state information in a pointer that had already been set by the original recursion process. This has been fixed. :gl:`#5854` - Fixed an assertion failure when processing catalog zones. If a TXT record containing an invalid name TSIG key name was found when processing a catalog zone member's primaries definition, ``dns_name_free`` was incorrectly called, triggering an assertion. This has been fixed. :gl:`#5858` - Prevent malicious DNSSEC zones from exhausting validator CPU. A DNSSEC-signed zone could publish a DNSKEY with an unusually large RSA public exponent and force any validator resolving names in that zone to spend disproportionate CPU verifying signatures. The validator now rejects such DNSKEYs, matching the limit already applied to keys read from files or HSMs. :gl:`#5881` - Fix :iscman:`rndc-confgen` aborting on HMAC-SHA-384/512 keys above 512 bits. :iscman:`rndc-confgen` (with either ``-A hmac-sha384`` or ``-A hmac-sha512``) previously documented a ``-b`` range of 1..1024, but any value above 512 aborted on hardened builds instead of producing a key. The full advertised range now works. :gl:`#5903` - Prevent crafted queries from degrading RRL performance. With response rate limiting enabled, an attacker sending queries from many spoofed source addresses could steer entries into the same slot of the internal rate-limit table and slow down query processing on the affected server. The table now uses a per-process keyed hash so the placement of entries cannot be predicted or influenced from the network. :gl:`#5906` - Prevent rare :iscman:`named` crash when notifies are cancelled. Under heavy load, :iscman:`named` could occasionally crash when a queued outbound notify or zone refresh was cancelled at the moment it was being sent — for example, while a zone was being reloaded or removed. The race that caused the crash is now prevented. :gl:`#5915` - Stop :iscman:`delv` from aborting on a malformed query name. :iscman:`delv` previously aborted with SIGABRT instead of exiting cleanly when given a query name that failed wire-format conversion (e.g. a label longer than 63 octets). After this change :iscman:`delv` prints the parse error and exits with a normal failure code. :gl:`#5916` - Fix a crash when reconfiguring while an NTA is being rechecked. Previously, if :iscman:`named` was reconfigured or shut down while a negative trust anchor was being rechecked against authoritative servers, the in-flight recheck could outlive the view that owned it and cause :iscman:`named` to crash. This has been fixed. :gl:`#5938` - Fix a bug in :any:`allow-query`/:any:`allow-transfer` catalog zone custom properties. The :iscman:`named` process could terminate unexpectedly when processing a catalog zone with an invalid :any:`allow-query` or :any:`allow-transfer` custom property (i.e. having a non-APL type) coexisting with the valid property. This has been fixed. :gl:`#5941` - Fix a memory leak issue in catalog zones. The :iscman:`named` process could leak small amounts of memory when processing a catalog zone entry which had defined custom primary servers with TSIG keys, if both the regular ``primaries`` custom property syntax and the legacy alternative syntax (``masters``) were used at the same time. This has been fixed. :gl:`#5943` - Fix suppressed missing-glue check in :iscman:`named-checkzone`. :iscman:`named-checkzone` and :option:`named-checkconf -z` silently skipped the missing-glue check for any NS name that had already triggered an extra-AAAA-glue warning, so zones missing required A glue could pass validation and be deployed with broken delegations. :gl:`!11899` - Implement seamless outgoing TCP connection reuse. The resolver can and will reuse outgoing TCP connections to the same host, as recommended by :rfc:`7766`. This prevents a whole class of attacks that abuse the fact that establishing a TCP connection is expensive and it is fairly easy to deplete the outgoing TCP ports by putting them into ``TIME_WAIT`` state. The number of pipelined queries per connection is capped at 256 to limit the impact of a connection drop. :gl:`!11845` - Reject record sets too large to serve in DNS. When BIND was asked to store a record set whose total size exceeded what fit in a DNS message, it would allocate memory and build the structure, then fail later at response time. Such oversized record sets are now rejected at the time of storage with an error, avoiding wasted work on data that can never be served. :gl:`!11963` @ 1.1.1.1 log @ Import bind 9.20.23 (previous was 9.20.22) Security Fixes Limit resolver server list size. (CVE-2026-3592) When resolving a domain with many nameservers that shared overlapping IP addresses (e.g., 10 NS records all pointing at the same set of addresses), BIND could previously waste time querying duplicate addresses and build up excessively large server lists. Addresses in the resolver's server list are now deduplicated so that each unique IP is only queried once per resolution attempt, regardless of how many NS records point to it. The number of addresses stored per nameserver name is also now capped at six (combined A and AAAA), preventing memory and CPU overhead from domains with unusually large NS/glue sets. ISC would like to thank Shuhan Zhang from Tsinghua University for reporting this issue. [GL #5641] Fix GSS-API resource leak. (CVE-2026-3039) A memory leak was fixed where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a server with tkey-gssapi-keytab configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting. Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round. ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. [GL #5752] Disable recursion, UPDATE, and NOTIFY for non-IN views. (CVE-2026-5946) Recursion, dynamic updates (UPDATE), and zone change notifications (NOTIFY) are now disabled for views with a class other than IN (such as CHAOS or HESIOD); authoritative service for non-IN zones (e.g. version.bind in class CHAOS) continues to work as before. Servers configured with recursion yes; in a non-IN view log a warning at startup, and named-checkconf flags the same condition. UPDATE and NOTIFY messages that specify the meta-classes ANY or NONE in the question section are now rejected with FORMERR. This addresses a set of closely related security issues collectively identified as CVE-2026-5946. ISC would like to thank Mcsky23 for bringing these issues to our attention. [GL #5784] Avoid unbounded recursion loop. (CVE-2026-5950) A bug during bad server handling could cause the resolver to enter an infinite loop, continuously sending queries to an upstream server with no exit condition, until the resolver query timeout was hit. This has been fixed. ISC would like to thank Billy Baraja (BielraX) for bringing this issue to our attention. [GL #5804] dfmt: Command not found. A resolver could crash when handling a SIG(0)-signed response if the matching client query was cancelled while signature verification was still in progress for example, when the recursive-clients quota was exhausted. This has been fixed. ISC would like to thank Naoki Wakamatsu for bringing this vulnerability to our attention. [GL #5819] Fix use-after-free error in DNS-over-HTTPS when processing HTTP/2 SETTINGS frames. (CVE-2026-3593) Previously, a use-after-free vulnerability in the DNS-over-HTTPS implementation could cause named to crash when a client sent a flood of HTTP/2 SETTINGS frames while a DoH response was being written. This affected servers with DoH (DNS-over-HTTPS) enabled and has been fixed. ISC would like to thank Naresh Kandula Parmar (Nottiboy) for reporting this. [GL #5755] Fix outgoing zone transfers' quota issue. Unauthorized clients could consume the entire outgoing zone-transfer quota and block authorized zone transfer clients. This has been fixed. [GL #3589] Feature Changes Fix CPU spikes and slow queries when cache approaches memory limit. Cache cleanup is now spread probabilistically to avoid CPU usage spikes and a drop in query throughput. [GL #5891] Bug Fixes Use the zone file's basename as origin in DNSSEC tools. In dnssec-signzone and dnssec-verify, when the zone origin is not specified using the -o parameter, the default behavior is to try to sign using the zone's file name as the origin. So, for example, dnssec-signzone -S example.com will work, so long as the file name matches the zone name. This now also works if the zone is in a different directory. For example, dnssec-signzone -S zones/example.com will set the origin value to example.com. [GL #5678] Fix a possible race condition during zone transfers. The named process could terminate unexpectedly when processing an IXFR message during a zone transfer. This has been fixed. [GL #5767] Fix named crash when processing SIG records in dynamic updates. Previously, named could abort if a client sent a dynamic update containing a SIG record (the legacy signature type) to a zone configured with an update-policy. The function dns_db_findrdataset had an incorrect requirements prerequisite that prevented SIG records from being looked up, which was triggered as part of processing an UPDATE request and could be triggered remotely by any client permitted to send updates. This has been fixed by ensuring that SIG records are handled consistently with RRSIG records during update processing. [GL #5818] Fix rndc modzone behavior for a zone in named.conf. If a zone was present in the configuration file and not originally added by rndc addzone, rndc modzone for that zone would succeed once but subsequent rndc modzone attempts would fail. This has been fixed. [GL #5826] Fix zone verification of NSEC3 signed zones. Previously, when computing the compressed bitmap during verification of an NSEC3-signed zone, an undersized buffer was used that resulted in an out-of-bounds write if there were too many active windows in the bitmap. This impacted the mirror zones which are NSEC3-signed, dnssec-signzone and dnssec-verify. This has been fixed. [GL #5834] Prevent a crash when using both dns64 and filter-aaaa. An assertion failure could be triggered if both dns64 and the filter-aaaa plugin were in use simultaneously. This happened if the plugin triggered a second recursion process, which then attempted to store DNS64 state information in a pointer that had already been set by the original recursion process. This has been fixed. [GL #5854] Fixed an assertion failure when processing catalog zones. If a TXT record containing an invalid name TSIG key name was found when processing a catalog zone member's primaries definition, dns_name_free was incorrectly called, triggering an assertion. This has been fixed. [GL #5858] Prevent malicious DNSSEC zones from exhausting validator CPU. A DNSSEC-signed zone could publish a DNSKEY with an unusually large RSA public exponent and force any validator resolving names in that zone to spend disproportionate CPU verifying signatures. The validator now rejects such DNSKEYs, matching the limit already applied to keys read from files or HSMs. [GL #5881] Fix rndc-confgen aborting on HMAC-SHA-384/512 keys above 512 bits. rndc-confgen (with either -A hmac-sha384 or -A hmac-sha512) previously documented a -b range of 1..1024, but any value above 512 aborted on hardened builds instead of producing a key. The full advertised range now works. [GL #5903] Prevent crafted queries from degrading RRL performance. With response rate limiting enabled, an attacker sending queries from many spoofed source addresses could steer entries into the same slot of the internal rate-limit table and slow down query processing on the affected server. The table now uses a per-process keyed hash so the placement of entries cannot be predicted or influenced from the network. [GL #5906] Prevent rare named crash when notifies are cancelled. Under heavy load, named could occasionally crash when a queued outbound notify or zone refresh was cancelled at the moment it was being sent for example, while a zone was being reloaded or removed. The race that caused the crash is now prevented. [GL #5915] Stop delv from aborting on a malformed query name. delv previously aborted with SIGABRT instead of exiting cleanly when given a query name that failed wire-format conversion (e.g. a label longer than 63 octets). After this change delv prints the parse error and exits with a normal failure code. [GL #5916] Fix a crash when reconfiguring while an NTA is being rechecked. Previously, if named was reconfigured or shut down while a negative trust anchor was being rechecked against authoritative servers, the in-flight recheck could outlive the view that owned it and cause named to crash. This has been fixed. [GL #5938] Fix a bug in allow-query/allow-transfer catalog zone custom properties. The named process could terminate unexpectedly when processing a catalog zone with an invalid allow-query or allow-transfer custom property (i.e. having a non-APL type) coexisting with the valid property. This has been fixed. [GL #5941] Fix a memory leak issue in catalog zones. The named process could leak small amounts of memory when processing a catalog zone entry which had defined custom primary servers with TSIG keys, if both the regular primaries custom property syntax and the legacy alternative syntax (masters) were used at the same time. This has been fixed. [GL #5943] Fix suppressed missing-glue check in named-checkzone. named-checkzone and named-checkconf -z silently skipped the missing-glue check for any NS name that had already triggered an extra-AAAA-glue warning, so zones missing required A glue could pass validation and be deployed with broken delegations. [GL !11899] Implement seamless outgoing TCP connection reuse. The resolver can and will reuse outgoing TCP connections to the same host, as recommended by RFC 7766. This prevents a whole class of attacks that abuse the fact that establishing a TCP connection is expensive and it is fairly easy to deplete the outgoing TCP ports by putting them into TIME_WAIT state. The number of pipelined queries per connection is capped at 256 to limit the impact of a connection drop. [GL !11845] Reject record sets too large to serve in DNS. When BIND was asked to store a record set whose total size exceeded what fit in a DNS message, it would allocate memory and build the structure, then fail later at response time. Such oversized record sets are now rejected at the time of storage with an error, avoiding wasted work on data that can never be served. [GL !11963] @ text @@ 1.1.1.2 log @ Import bind 9.20.24 (previous was 9.20.23) Security Fixes ============== Fix DNS64 owner case after DNAME restart. 4de2229364 When BIND 9 is configured to use DNS64 and encounters a DNAME redirect, it could end up using freed memory for the DNS response owner name. This caused the response to contain corrupted data. This fix ensures the correct owner name is used when constructing the synthesized response after a DNAME redirect. ISC thanks Qifan Zhang of Palo Alto Networks for reporting the issue. [GL #5934] New Features ============ Enable PR-Agent reviews on merge requests. 46e4c236a3 Adds a CI job that runs PR-Agent against each merge request opened from the canonical repository, posting an automated review and code-improvement suggestions as MR comments. The job is gated to same-project source branches so the OpenAI key and personal access token are not exposed to fork pipelines. [GL !12034] Removed Features ================ Remove ineffective TCP fallback after repeated UDP timeouts. eb13adcb47 When an authoritative server failed to respond to two consecutive UDP queries, named marked the next retry as TCP but still sent it over UDP, producing misleading dnstap records. The ineffective retry path has been removed; a corrected TCP fallback will be restored in future BIND 9 versions. [GL #5529] [GL !12049] Remove useless PR-Agent jobs. 8851b279d0 The experiment was a failure, the PR-Agent doesn't send a full context to the AI Agents and the results are abysmal because of that. [GL !12120] Feature Changes =============== Fall back to TCP on a UDP response with a mismatched query id. b2367aaea2 BIND used to wait silently for the correct DNS message id on a UDP fetch even after receiving a response from the expected server with the wrong id, leaving room for off-path spoofing attempts to keep guessing within that window. The resolver now retries the fetch over TCP on the first such response, and a new MismatchTCP statistics counter tracks how often the fallback fires. [GL #5449] [GL !12025] Limit the number of glue records cached from a referral. eb401f6b92 When a delegation response contained many glue addresses per listed nameserver, all of them were cached without a per-nameserver bound, inflating resolver cache memory beyond what resolution could ever use. The cache now keeps at most 20 IPv4 and 20 IPv6 glue addresses per nameserver from a delegation. [GL #5701] [GL !11972] Fix a resolver stall on a CNAME response to a DS query. 1407f48670 A validating resolver could stall for about twelve seconds and then return SERVFAIL when an authoritative server answered a DS query with a CNAME. Such responses are now rejected promptly, so the query fails fast instead of hanging. [GL #5878] [GL !12147] Named could crash on concurrent TKEY DELETE for the same key. dd02abde67 On a server configured with tkey-gssapi-keytab (or tkey-gssapi-credential), an authenticated peer could crash named by sending two TKEY DELETE requests for the same dynamic key in rapid succession. This has been fixed. [GL #6001] [GL !12042] Bug Fixes ========= The resolver now removes other RRsets at the same name when caching a CNAME. 1547447491 When an RRset is in stale cache, and the authoritative server changes the record type to CNAME, the resolver fails to refresh the stale cache. This has been fixed. [GL #5302] [GL !12040] Fix nxdomain-redirect combined with dns64. 95274e9455 When a resolver was configured with both nxdomain-redirect and dns64 in the same view, an AAAA query for a nonexistent name could abort named. The combination failed whenever the redirect zone held A records but no AAAA records. The server now serves the empty AAAA response from the redirect zone as-is, instead of attempting DNS64 synthesis on top of it. [GL #5789] [GL !12123] Clear REDIRECT flag when it isn't needed. 86bb27060c When nxdomain-redirect is in use, and a recursive query is used to get the redirected answer, a flag is set to distinguish it from a normal recursive response. Previously, that flag was left set afterward, which could trigger an assertion if a normal recursive query was sent later on behalf of the same client: for example, because the filter-aaaa plugin was in use. This has been fixed. [GL #5936] [GL !12076] Fix data race during rndc dumpdb or zone load. 947e5c7983 'rndc dumpdb' against a server with zones, and async zone load, had a timing window where the operation's completion could fire before the server had finished registering the operation, occasionally leading to a possible crash. The completion is now delivered after the registration is in place. [GL #5952] [GL !12021] Bound memory use during incoming zone transfers. 5d7f241fdf During an incoming zone transfer, an optimization could let the batch of pending records grow without bound for a large zone, raising memory usage. It gave no measurable performance benefit, so it has been removed. [GL #5958] [GL !12142] Disable output escaping in bind9.xsl. b514e663eb The statistics charts where not displaying on some browsers. This has been fixed. [GL #5990] [GL !12019] Fix crash on badly configured secondary signer. edc1ef084f A badly configured secondary signer that was missing the 'file' entry caused the server to crash, rather than to reject the configuration. This has been fixed. [GL #5993] [GL !12112] Avoid named assertion failure during parent-NS lookups when none exist. 5c0c4786dd Configuring the root zone as a signed primary with parental agents (or with notify-on-cds-changes) caused named to exit on an internal assertion as soon as the DS-publication machinery tried to look up the parent NS RRset — the root has no parent. The lookup is now short-circuited cleanly. Similar, a zone with no NS records in the parent caused named to exit in the same way. [GL #5910] [GL #5996] [GL !12053] Reject RRSIG records covering meta-types. 7517e39504 A recursive resolver could accept and cache an RRSIG record whose Type-Covered field names a meta-type (ANY, AXFR, IXFR, MAILA, MAILB), even though no real RRset of those types ever exists. Such records are now rejected by the DNS message parser. [GL #6002] [GL !12051] Validate nsec3hash arguments instead of relying on atoi() a59080c053 The nsec3hash tool parsed its algorithm, flags, and iterations arguments with atoi(), then range-checked the result. For values that overflow int during digit-by-digit accumulation, atoi() is undefined; in practice on musl libc the modular wrap leaves n == 0, which silently passes the "iterations > 0xffffU" check. On Alpine Linux this made nsec3hash succeed with iterations treated as 0 for inputs like 4294967296 (2^32). The latent bug only surfaced when the recent image rebuild pulled in Hypothesis 6.152.9 (2026-05-19), which unified the distribution used for bounded and unbounded integers() strategies. The new smoother distribution explores the 2^32 boundary on unbounded ranges like integers(min_value=65536); earlier versions did not reach there, so test_nsec3hash_too_many_iterations only started failing on Alpine after the image refresh. Replace the three atoi() calls with isc_parse_uint8 / isc_parse_uint16, which uniformly reject overflow, trailing garbage, leading sign, and non-numeric input across libc implementations. As a side effect, error messages now include the offending argument and a specific reason ("out of range" vs "not a valid number"). Assisted-by: Claude:claude-opus-4-7 [GL #6013] [GL !12074] Fix wrong variable in named_server_sync() log message. 09f9889ef6 named_server_sync() logged isc_result_totext(result) but returns tresult. The loop accumulates errors into tresult, so result only holds the last iteration's value. If the last view succeeded but an earlier one failed, the log would incorrectly say "success". [GL !12156] Refine resolver fetch loop detection. 787faa02a7 The resolver's fetch loop detection now triggers only when a new fetch would join an already in-flight fetch that is also one of its own ancestors, which is the actual loop condition. Previously the check ran against the original request before the fetch was set up. [GL !12146] @ text @d144 7 @