Version in base suite: 9.18.41-1~deb12u1
Version in overlay suite: 9.18.44-1~deb12u1
Base version: bind9_9.18.44-1~deb12u1
Target version: bind9_9.18.47-1~deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/bind9/bind9_9.18.44-1~deb12u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/b/bind9/bind9_9.18.47-1~deb12u1.dsc
CONTRIBUTING.md | 96 ++++
ChangeLog | 3
NEWS | 3
bin/delv/delv.c | 2
bin/dig/dig.rst | 2
bin/named/statschannel.c | 4
bin/tests/Makefile.am | 2
bin/tests/Makefile.in | 2
bin/tests/convert-trs-to-junit.py | 154 -------
bin/tests/convert_trs_to_junit.py | 154 +++++++
bin/tests/system/_common/trusted.conf.j2 | 18
bin/tests/system/auth/ns1/example.com.db | 3
bin/tests/system/auth/tests.sh | 17
bin/tests/system/bailiwick/ans1/ans.py | 1
bin/tests/system/bailiwick/ans2/ans.py | 1
bin/tests/system/bailiwick/tests_bailiwick.py | 3
bin/tests/system/checkds/tests_checkds.py | 2
bin/tests/system/checkzone/zones/crashzone.db | 1
bin/tests/system/conftest.py | 74 ---
bin/tests/system/convert-junit-to-trs.py | 70 ---
bin/tests/system/convert_junit_to_trs.py | 70 +++
bin/tests/system/cookie/ans9/ans.py | 2
bin/tests/system/custom-test-driver | 2
bin/tests/system/dispatch/tests_connreset.py | 1
bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py | 16
bin/tests/system/dnstap/tests_dnstap.py | 1
bin/tests/system/doth/tests_gnutls.py | 2
bin/tests/system/glue/tests_glue.py | 3
bin/tests/system/isctest/__init__.py | 6
bin/tests/system/isctest/asyncserver.py | 10
bin/tests/system/isctest/check.py | 20
bin/tests/system/isctest/compat.py | 56 --
bin/tests/system/isctest/hypothesis/__init__.py | 12
bin/tests/system/isctest/hypothesis/strategies.py | 9
bin/tests/system/isctest/kasp.py | 91 ++++
bin/tests/system/isctest/log/basic.py | 1
bin/tests/system/isctest/log/watchlog.py | 1
bin/tests/system/isctest/mark.py | 1
bin/tests/system/isctest/name.py | 3
bin/tests/system/isctest/query.py | 43 +-
bin/tests/system/isctest/run.py | 4
bin/tests/system/isctest/template.py | 8
bin/tests/system/isctest/text.py | 1
bin/tests/system/keepalive/tests_keepalive.py | 1
bin/tests/system/keyfromlabel/tests_keyfromlabel.py | 1
bin/tests/system/limits/tests_limits.py | 3
bin/tests/system/mkeys/tests_sh_mkeys.py | 1
bin/tests/system/names/tests_names.py | 4
bin/tests/system/nsec3-answer/tests_nsec3.py | 5
bin/tests/system/nsec3-delegation/ns1/named.conf.j2 | 35 +
bin/tests/system/nsec3-delegation/ns1/root.db | 25 +
bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual | 31 +
bin/tests/system/nsec3-delegation/ns2/named.conf.j2 | 40 +
bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db | 24 +
bin/tests/system/nsec3-delegation/ns3/named.conf.j2 | 37 +
bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 | 18
bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py | 61 ++
bin/tests/system/optout/tests_optout.py | 3
bin/tests/system/pipelined/ans5/ans.py | 2
bin/tests/system/requirements.txt | 13
bin/tests/system/rndc/tests_cve-2023-3341.py | 70 ---
bin/tests/system/rndc/tests_cve_2023_3341.py | 69 +++
bin/tests/system/rpzextra/tests_rpzextra.py | 8
bin/tests/system/selftest/tests_zone_analyzer.py | 1
bin/tests/system/serve-stale/ans2/ans.pl | 37 +
bin/tests/system/serve-stale/ans8/ans.pl | 164 +++++++
bin/tests/system/serve-stale/ns6/stale.db | 13
bin/tests/system/serve-stale/ns7/named.conf.j2 | 62 +++
bin/tests/system/serve-stale/ns7/named1.conf.j2 | 63 +++
bin/tests/system/serve-stale/ns7/root.db | 20
bin/tests/system/serve-stale/ns7/target.stale.db | 18
bin/tests/system/serve-stale/tests.sh | 206 ++++++++++
bin/tests/system/serve-stale/tests_sh_serve_stale.py | 2
bin/tests/system/shutdown/tests_shutdown.py | 2
bin/tests/system/statschannel/generic.py | 5
bin/tests/system/statschannel/tests_json.py | 3
bin/tests/system/statschannel/tests_xml.py | 3
bin/tests/system/tcp/ans6/ans.py | 3
bin/tests/system/tcp/tests_tcp.py | 2
bin/tests/system/timeouts/tests_tcp_timeouts.py | 16
bin/tests/system/tsig/tests_tsig_hypothesis.py | 7
bin/tests/system/tsiggss/tests_isc_spnego_flaws.py | 2
bin/tests/system/wildcard/tests_wildcard.py | 6
bin/tests/system/xferquota/setup.py | 6
bin/tools/mdig.c | 17
configure | 36 -
configure.ac | 4
contrib/gitchangelog/gitchangelog.py | 13
debian/changelog | 8
doc/arm/_ext/iscconf.py | 1
doc/arm/_ext/namedconf.py | 1
doc/arm/changelog.rst | 3
doc/arm/notes.rst | 3
doc/arm/reference.rst | 11
doc/changelog/changelog-9.18.45.rst | 48 ++
doc/changelog/changelog-9.18.46.rst | 35 +
doc/changelog/changelog-9.18.47.rst | 32 +
doc/man/arpaname.1in | 10
doc/man/ddns-confgen.8in | 38 -
doc/man/delv.1in | 54 +-
doc/man/dig.1in | 110 ++---
doc/man/dnssec-cds.1in | 52 +-
doc/man/dnssec-dsfromkey.1in | 40 -
doc/man/dnssec-importkey.1in | 18
doc/man/dnssec-keyfromlabel.1in | 32 -
doc/man/dnssec-keygen.1in | 48 +-
doc/man/dnssec-revoke.1in | 14
doc/man/dnssec-settime.1in | 30 -
doc/man/dnssec-signzone.1in | 62 +--
doc/man/dnssec-verify.1in | 16
doc/man/dnstap-read.1in | 14
doc/man/filter-a.8in | 14
doc/man/filter-aaaa.8in | 18
doc/man/host.1in | 52 +-
doc/man/mdig.1in | 30 -
doc/man/named-checkconf.1in | 34 -
doc/man/named-checkzone.1in | 36 -
doc/man/named-compilezone.1in | 42 +-
doc/man/named-journalprint.1in | 20
doc/man/named-nzd2nzf.1in | 12
doc/man/named-rrchecker.1in | 44 +-
doc/man/named.8in | 46 +-
doc/man/named.conf.5in | 14
doc/man/nsec3hash.1in | 12
doc/man/nslookup.1in | 18
doc/man/nsupdate.1in | 68 +--
doc/man/rndc-confgen.8in | 60 +-
doc/man/rndc.8in | 122 ++---
doc/man/rndc.conf.5in | 36 -
doc/man/tsig-keygen.8in | 16
doc/misc/parsegrammar.py | 1
doc/notes/notes-9.18.45.rst | 30 +
doc/notes/notes-9.18.46.rst | 19
doc/notes/notes-9.18.47.rst | 30 +
lib/dns/adb.c | 20
lib/dns/gssapictx.c | 18
lib/dns/include/dns/message.h | 2
lib/dns/include/dns/nsec3.h | 6
lib/dns/include/dns/sdlz.h | 4
lib/dns/include/dns/types.h | 1
lib/dns/rdata/generic/brid_68.c | 4
lib/dns/rdata/generic/dsync_66.c | 2
lib/dns/rdata/generic/hhit_67.c | 4
lib/dns/rdata/generic/nsec3_50.c | 35 +
lib/dns/rdata/in_1/dhcid_49.c | 2
lib/dns/time.c | 4
lib/dns/validator.c | 91 +++-
lib/dns/zone.c | 2
lib/isc/file.c | 2
lib/isc/include/isc/iterated_hash.h | 12
lib/ns/include/ns/client.h | 16
lib/ns/query.c | 9
srcid | 2
tests/dns/rdata_test.c | 71 ++-
tests/include/tests/isc.h | 8
tests/isc/file_test.c | 4
tests/isc/task_test.c | 1
157 files changed, 2598 insertions(+), 1313 deletions(-)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyhw0tj21/bind9_9.18.44-1~deb12u1.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpyhw0tj21/bind9_9.18.47-1~deb12u1.dsc: no acceptable signature found
diff -Nru bind9-9.18.44/CONTRIBUTING.md bind9-9.18.47/CONTRIBUTING.md
--- bind9-9.18.44/CONTRIBUTING.md 2026-01-09 13:44:04.459032968 +0000
+++ bind9-9.18.47/CONTRIBUTING.md 2026-03-13 21:59:39.515897657 +0000
@@ -18,6 +18,7 @@
1. [Access to source code](#access)
1. [Reporting bugs](#bugs)
1. [Contributing code](#contrib)
+1. [Generated code](#generated-code)
### Introduction
@@ -188,6 +189,101 @@
Please see [the "Testing" section of doc/dev/dev.md](doc/dev/dev.md#testing)
for more information.
+### Guidelines for Tool-Generated Content
+
+#### Purpose
+
+BIND 9 contributors have long used tooling to assist in development.
+These tools can increase the volume and velocity of contributions. At
+the same time, reviewer and maintainer bandwidth is a scarce resource,
+and the stability of DNS software is critical infrastructure.
+Understanding which portions of a contribution come from humans versus
+tools is helpful to maintain those resources, assess risk, and keep
+BIND 9 development healthy.
+
+The goal here is to clarify community expectations around tools,
+particularly LLMs (Large Language Models) and generative AI. This
+lets everyone become more productive while maintaining high degrees of
+trust between submitters and reviewers.
+
+#### Out of Scope
+
+These guidelines do not apply to tools that make trivial tweaks to
+preexisting content or verify adherence to style guides. Nor do they
+pertain to AI tooling that helps with menial tasks. Some examples:
+
+ - Spelling and grammar fix-ups, like rephrasing documentation to the
+ imperative voice.
+ - Typing aids like IDE identifier completion, common boilerplate, or
+ trivial pattern completion.
+ - Purely mechanical transformations like variable renaming across a
+ scope.
+ - Reformatting using the standard BIND 9 clang-format configuration
+ or black (for Python system tests).
+
+Even if your tool use is out of scope, you should still always
+consider if it would assist the review of your contribution if the
+reviewer knows about the tool that you used.
+
+#### In Scope
+
+These guidelines apply when a meaningful amount of content in a BIND 9
+contribution (code, documentation, or tests) was not written by a
+person contributing the patch or merge request, but was instead
+created by a tool.
+
+Detection of a problem and testing the fix for it is also part of the
+development process; if a tool was used to find a problem addressed by
+a change (e.g., a fuzzer or static analyzer), that should be noted in
+the commit message or MR description. This not only gives credit where
+it is due, it also helps fellow developers find out about these tools.
+
+Some examples:
+
+ - Complex semantic patches generated by Coccinelle scripts.
+ - A chatbot or AI assistant generated a new function in your Merge
+ Request to handle a specific DNS RR type.
+ - A .c file or system test in the MR was originally generated by a
+ coding assistant but cleaned up by hand.
+ - The commit message or MR description was generated by handing the
+ diff to a generative AI tool.
+ - Documentation or comments were translated from another language
+ using an automated tool.
+
+If in doubt, choose transparency and assume these guidelines apply to
+your contribution.
+
+#### Guidelines
+
+You are responsible for the code you submit, regardless of how it was generated.
+When opening a Merge Request, be transparent about the origin of content in the
+MR description and commit messages. You can be more transparent by adding
+information like this:
+
+ - What tools were used?
+ - The input to the tools you used, like the Coccinelle source script
+ or specific configuration.
+ - If code was largely generated from a single or short set of
+ prompts, include those prompts. For longer sessions, include a
+ summary of the prompts and the nature of the resulting assistance.
+ - Which portions of the content were affected by that tool?
+ - How is the submission tested? (e.g., "I used tool X to generate a
+ system test case that triggers the bug.")
+
+As with all contributions, BIND 9 maintainers have discretion to
+choose how they handle the contribution. For example, they might:
+
+ - Treat it just like any other contribution.
+ - Reject it outright if the provenance is unclear or the code quality
+ is low.
+ - Treat the contribution specially, such as reviewing with extra
+ scrutiny regarding memory safety or RFC compliance.
+ - Suggest a better prompt or approach instead of suggesting specific
+ code changes.
+ - Ask the submitter to explain in more detail about the contribution
+ to ensure the submitter fully understands the DNS logic or internal
+ BIND 9 architecture implemented by the tool.
+
#### Thanks
Thank you for your interest in contributing to the ongoing development
diff -Nru bind9-9.18.44/ChangeLog bind9-9.18.47/ChangeLog
--- bind9-9.18.44/ChangeLog 2026-01-09 13:44:04.731037455 +0000
+++ bind9-9.18.47/ChangeLog 2026-03-13 21:59:39.798906408 +0000
@@ -18,6 +18,9 @@
development. Regular users should refer to :ref:`Release Notes `
for changes relevant to them.
+.. include:: ../changelog/changelog-9.18.47.rst
+.. include:: ../changelog/changelog-9.18.46.rst
+.. include:: ../changelog/changelog-9.18.45.rst
.. include:: ../changelog/changelog-9.18.44.rst
.. include:: ../changelog/changelog-9.18.43.rst
.. include:: ../changelog/changelog-9.18.42.rst
diff -Nru bind9-9.18.44/NEWS bind9-9.18.47/NEWS
--- bind9-9.18.44/NEWS 2026-01-09 13:44:04.731037455 +0000
+++ bind9-9.18.47/NEWS 2026-03-13 21:59:39.798906408 +0000
@@ -18,6 +18,9 @@
development. Regular users should refer to :ref:`Release Notes `
for changes relevant to them.
+.. include:: ../changelog/changelog-9.18.47.rst
+.. include:: ../changelog/changelog-9.18.46.rst
+.. include:: ../changelog/changelog-9.18.45.rst
.. include:: ../changelog/changelog-9.18.44.rst
.. include:: ../changelog/changelog-9.18.43.rst
.. include:: ../changelog/changelog-9.18.42.rst
diff -Nru bind9-9.18.44/bin/delv/delv.c bind9-9.18.47/bin/delv/delv.c
--- bind9-9.18.44/bin/delv/delv.c 2026-01-09 13:44:04.464033050 +0000
+++ bind9-9.18.47/bin/delv/delv.c 2026-03-13 21:59:39.521897842 +0000
@@ -1651,7 +1651,7 @@
static isc_result_t
reverse_octets(const char *in, char **p, char *end) {
- char *dot = strchr(in, '.');
+ const char *dot = strchr(in, '.');
int len;
if (dot != NULL) {
isc_result_t result;
diff -Nru bind9-9.18.44/bin/dig/dig.rst bind9-9.18.47/bin/dig/dig.rst
--- bind9-9.18.44/bin/dig/dig.rst 2026-01-09 13:44:04.465033067 +0000
+++ bind9-9.18.47/bin/dig/dig.rst 2026-03-13 21:59:39.522897873 +0000
@@ -227,7 +227,7 @@
assign values to options, like the timeout interval. They have the form
``+keyword=value``. Keywords may be abbreviated, provided the
abbreviation is unambiguous; for example, :option:`+cd` is equivalent to
-:option:`+cdflag`. The query options are:
+:option:`+cdflag`. Query options are order sensitive. The query options are:
.. option:: +aaflag, +noaaflag
diff -Nru bind9-9.18.44/bin/named/statschannel.c bind9-9.18.47/bin/named/statschannel.c
--- bind9-9.18.44/bin/named/statschannel.c 2026-01-09 13:44:04.476033248 +0000
+++ bind9-9.18.47/bin/named/statschannel.c 2026-03-13 21:59:39.533898213 +0000
@@ -56,11 +56,11 @@
#define STATS_XML_VERSION_MAJOR "3"
#define STATS_XML_VERSION_MINOR "13"
-#define STATS_XML_VERSION STATS_XML_VERSION_MAJOR "." STATS_XML_VERSION_MINOR
+#define STATS_XML_VERSION STATS_XML_VERSION_MAJOR "." STATS_XML_VERSION_MINOR
#define STATS_JSON_VERSION_MAJOR "1"
#define STATS_JSON_VERSION_MINOR "7"
-#define STATS_JSON_VERSION STATS_JSON_VERSION_MAJOR "." STATS_JSON_VERSION_MINOR
+#define STATS_JSON_VERSION STATS_JSON_VERSION_MAJOR "." STATS_JSON_VERSION_MINOR
struct named_statschannel {
/* Unlocked */
diff -Nru bind9-9.18.44/bin/tests/Makefile.am bind9-9.18.47/bin/tests/Makefile.am
--- bind9-9.18.44/bin/tests/Makefile.am 2026-01-09 13:44:04.479033298 +0000
+++ bind9-9.18.47/bin/tests/Makefile.am 2026-03-13 21:59:39.536898306 +0000
@@ -1,6 +1,6 @@
include $(top_srcdir)/Makefile.top
-EXTRA_DIST = convert-trs-to-junit.py
+EXTRA_DIST = convert_trs_to_junit.py
SUBDIRS = system
diff -Nru bind9-9.18.44/bin/tests/Makefile.in bind9-9.18.47/bin/tests/Makefile.in
--- bind9-9.18.44/bin/tests/Makefile.in 2026-01-09 13:45:07.597171326 +0000
+++ bind9-9.18.47/bin/tests/Makefile.in 2026-03-13 22:03:17.295204807 +0000
@@ -510,7 +510,7 @@
LIBBIND9_LIBS = \
$(top_builddir)/lib/bind9/libbind9.la
-EXTRA_DIST = convert-trs-to-junit.py
+EXTRA_DIST = convert_trs_to_junit.py
SUBDIRS = system
test_client_CPPFLAGS = \
$(AM_CPPFLAGS) \
diff -Nru bind9-9.18.44/bin/tests/convert-trs-to-junit.py bind9-9.18.47/bin/tests/convert-trs-to-junit.py
--- bind9-9.18.44/bin/tests/convert-trs-to-junit.py 2026-01-09 13:44:04.479033298 +0000
+++ bind9-9.18.47/bin/tests/convert-trs-to-junit.py 1970-01-01 00:00:00.000000000 +0000
@@ -1,154 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# Convert automake .trs files into JUnit format suitable for Gitlab
-
-import argparse
-import os
-import sys
-from xml.etree import ElementTree
-from xml.etree.ElementTree import Element
-from xml.etree.ElementTree import SubElement
-
-
-# getting explicit encoding specification right for Python 2/3 would be messy,
-# so let's hope for the best
-def read_whole_text(filename):
- with open(filename) as inf: # pylint: disable-msg=unspecified-encoding
- return inf.read().strip()
-
-
-def read_trs_result(filename):
- result = None
- with open(filename, "r") as trs: # pylint: disable-msg=unspecified-encoding
- for line in trs:
- items = line.split()
- if len(items) < 2:
- raise ValueError("unsupported line in trs file", filename, line)
- if items[0] != (":global-test-result:"):
- continue
- if result is not None:
- raise NotImplementedError("double :global-test-result:", filename)
- result = items[1].upper()
-
- if result is None:
- raise ValueError(":global-test-result: not found", filename)
-
- return result
-
-
-def find_test_relative_path(source_dir, in_path):
- """Return {in_path}.c if it exists, with fallback to {in_path}"""
- candidates_relative = [in_path + ".c", in_path]
- for relative in candidates_relative:
- absolute = os.path.join(source_dir, relative)
- if os.path.exists(absolute):
- return relative
- raise KeyError
-
-
-def err_out(exception):
- raise exception
-
-
-def walk_trss(source_dir):
- for cur_dir, _dirs, files in os.walk(source_dir, onerror=err_out):
- for filename in files:
- if not filename.endswith(".trs"):
- continue
-
- filename_prefix = filename[: -len(".trs")]
- log_name = filename_prefix + ".log"
- full_trs_path = os.path.join(cur_dir, filename)
- full_log_path = os.path.join(cur_dir, log_name)
- sub_dir = os.path.relpath(cur_dir, source_dir)
- test_dir_path = os.path.join(sub_dir, filename_prefix)
-
- if sub_dir.startswith("bin/tests/system"):
- # Match the `pytest` style test names for system tests
- test_name = f"test_{filename_prefix}"
- else:
- test_name = test_dir_path
-
- t = {
- "name": test_name,
- "full_log_path": full_log_path,
- "rel_log_path": os.path.relpath(full_log_path, source_dir),
- }
- t["result"] = read_trs_result(full_trs_path)
-
- # try to find dir/file path for a clickable link
- try:
- t["rel_file_path"] = find_test_relative_path(source_dir, test_dir_path)
- except KeyError:
- pass # no existing path found
-
- yield t
-
-
-def append_testcase(testsuite, t):
- # attributes taken from
- # https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/lib/gitlab/ci/parsers/test/junit.rb
- attrs = {"name": t["name"]}
- if "rel_file_path" in t:
- attrs["file"] = t["rel_file_path"]
-
- testcase = SubElement(testsuite, "testcase", attrs)
-
- # Gitlab accepts only [[ATTACHMENT| links for system-out, not raw text
- s = SubElement(testcase, "system-out")
- s.text = "[[ATTACHMENT|" + t["rel_log_path"] + "]]"
- if t["result"].lower() == "pass":
- return
-
- # Gitlab shows output only for failed or skipped tests
- if t["result"].lower() == "skip":
- err = SubElement(testcase, "skipped")
- else:
- err = SubElement(testcase, "failure")
- err.text = read_whole_text(t["full_log_path"])
-
-
-def gen_junit(results):
- testsuites = Element("testsuites")
- testsuite = SubElement(testsuites, "testsuite")
- for test in results:
- append_testcase(testsuite, test)
- return testsuites
-
-
-def check_directory(path):
- try:
- os.listdir(path)
- return path
- except OSError as ex:
- msg = "Path {} cannot be listed as a directory: {}".format(path, ex)
- raise argparse.ArgumentTypeError(msg)
-
-
-def main():
- parser = argparse.ArgumentParser(
- description="Recursively search for .trs + .log files and compile "
- "them into JUnit XML suitable for Gitlab. Paths in the "
- "XML are relative to the specified top directory."
- )
- parser.add_argument(
- "top_directory",
- type=check_directory,
- help="root directory where to start scanning for .trs files",
- )
- args = parser.parse_args()
- junit = gen_junit(walk_trss(args.top_directory))
-
- # encode results into file format, on Python 3 it produces bytes
- xml = ElementTree.tostring(junit, "utf-8")
- # use stdout as a binary file object, Python2/3 compatibility
- output = getattr(sys.stdout, "buffer", sys.stdout)
- output.write(xml)
-
-
-if __name__ == "__main__":
- main()
diff -Nru bind9-9.18.44/bin/tests/convert_trs_to_junit.py bind9-9.18.47/bin/tests/convert_trs_to_junit.py
--- bind9-9.18.44/bin/tests/convert_trs_to_junit.py 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/convert_trs_to_junit.py 2026-03-13 21:59:39.536898306 +0000
@@ -0,0 +1,154 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# Convert automake .trs files into JUnit format suitable for Gitlab
+
+import argparse
+import os
+import sys
+from xml.etree import ElementTree
+from xml.etree.ElementTree import Element
+from xml.etree.ElementTree import SubElement
+
+
+# getting explicit encoding specification right for Python 2/3 would be messy,
+# so let's hope for the best
+def read_whole_text(filename):
+ with open(filename) as inf: # pylint: disable-msg=unspecified-encoding
+ return inf.read().strip()
+
+
+def read_trs_result(filename):
+ result = None
+ with open(filename, "r") as trs: # pylint: disable-msg=unspecified-encoding
+ for line in trs:
+ items = line.split()
+ if len(items) < 2:
+ raise ValueError("unsupported line in trs file", filename, line)
+ if items[0] != (":global-test-result:"):
+ continue
+ if result is not None:
+ raise NotImplementedError("double :global-test-result:", filename)
+ result = items[1].upper()
+
+ if result is None:
+ raise ValueError(":global-test-result: not found", filename)
+
+ return result
+
+
+def find_test_relative_path(source_dir, in_path):
+ """Return {in_path}.c if it exists, with fallback to {in_path}"""
+ candidates_relative = [in_path + ".c", in_path]
+ for relative in candidates_relative:
+ absolute = os.path.join(source_dir, relative)
+ if os.path.exists(absolute):
+ return relative
+ raise KeyError
+
+
+def err_out(exception):
+ raise exception
+
+
+def walk_trss(source_dir):
+ for cur_dir, _dirs, files in os.walk(source_dir, onerror=err_out):
+ for filename in files:
+ if not filename.endswith(".trs"):
+ continue
+
+ filename_prefix = filename[: -len(".trs")]
+ log_name = filename_prefix + ".log"
+ full_trs_path = os.path.join(cur_dir, filename)
+ full_log_path = os.path.join(cur_dir, log_name)
+ sub_dir = os.path.relpath(cur_dir, source_dir)
+ test_dir_path = os.path.join(sub_dir, filename_prefix)
+
+ if sub_dir.startswith("bin/tests/system"):
+ # Match the `pytest` style test names for system tests
+ test_name = f"test_{filename_prefix}"
+ else:
+ test_name = test_dir_path
+
+ t = {
+ "name": test_name,
+ "full_log_path": full_log_path,
+ "rel_log_path": os.path.relpath(full_log_path, source_dir),
+ }
+ t["result"] = read_trs_result(full_trs_path)
+
+ # try to find dir/file path for a clickable link
+ try:
+ t["rel_file_path"] = find_test_relative_path(source_dir, test_dir_path)
+ except KeyError:
+ pass # no existing path found
+
+ yield t
+
+
+def append_testcase(testsuite, t):
+ # attributes taken from
+ # https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/lib/gitlab/ci/parsers/test/junit.rb
+ attrs = {"name": t["name"]}
+ if "rel_file_path" in t:
+ attrs["file"] = t["rel_file_path"]
+
+ testcase = SubElement(testsuite, "testcase", attrs)
+
+ # Gitlab accepts only [[ATTACHMENT| links for system-out, not raw text
+ s = SubElement(testcase, "system-out")
+ s.text = "[[ATTACHMENT|" + t["rel_log_path"] + "]]"
+ if t["result"].lower() == "pass":
+ return
+
+ # Gitlab shows output only for failed or skipped tests
+ if t["result"].lower() == "skip":
+ err = SubElement(testcase, "skipped")
+ else:
+ err = SubElement(testcase, "failure")
+ err.text = read_whole_text(t["full_log_path"])
+
+
+def gen_junit(results):
+ testsuites = Element("testsuites")
+ testsuite = SubElement(testsuites, "testsuite")
+ for test in results:
+ append_testcase(testsuite, test)
+ return testsuites
+
+
+def check_directory(path):
+ try:
+ os.listdir(path)
+ return path
+ except OSError as ex:
+ msg = "Path {} cannot be listed as a directory: {}".format(path, ex)
+ raise argparse.ArgumentTypeError(msg)
+
+
+def main():
+ parser = argparse.ArgumentParser(
+ description="Recursively search for .trs + .log files and compile "
+ "them into JUnit XML suitable for Gitlab. Paths in the "
+ "XML are relative to the specified top directory."
+ )
+ parser.add_argument(
+ "top_directory",
+ type=check_directory,
+ help="root directory where to start scanning for .trs files",
+ )
+ args = parser.parse_args()
+ junit = gen_junit(walk_trss(args.top_directory))
+
+ # encode results into file format, on Python 3 it produces bytes
+ xml = ElementTree.tostring(junit, "utf-8")
+ # use stdout as a binary file object, Python2/3 compatibility
+ output = getattr(sys.stdout, "buffer", sys.stdout)
+ output.write(xml)
+
+
+if __name__ == "__main__":
+ main()
diff -Nru bind9-9.18.44/bin/tests/system/_common/trusted.conf.j2 bind9-9.18.47/bin/tests/system/_common/trusted.conf.j2
--- bind9-9.18.44/bin/tests/system/_common/trusted.conf.j2 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/_common/trusted.conf.j2 2026-03-13 21:59:39.537898337 +0000
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+{% for ta in trust_anchors %}
+ "@ta.domain@" @ta.type@ @ta.contents@;
+{% endfor %}
+};
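Review bot: The new template does not say what it needs from the renderer: it iterates `trust_anchors` and reads `domain`, `type` and `contents` from each entry. Only `@ta.domain@` is wrapped in quotes; `@ta.type@` and `@ta.contents@` are emitted as-is, so the caller has to supply values that are already valid named.conf syntax. A short comment under the license header would record that contract, for example `/* Rendered with trust_anchors: entries providing .domain, .type and .contents; .type and .contents are inserted verbatim. */`. The `@...@` delimiters are presumably set up by the test framework's template environment, which is not visible in this file.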
diff -Nru bind9-9.18.44/bin/tests/system/auth/ns1/example.com.db bind9-9.18.47/bin/tests/system/auth/ns1/example.com.db
--- bind9-9.18.44/bin/tests/system/auth/ns1/example.com.db 2026-01-09 13:44:04.490033479 +0000
+++ bind9-9.18.47/bin/tests/system/auth/ns1/example.com.db 2026-03-13 21:59:39.547898646 +0000
@@ -23,3 +23,6 @@
inzone CNAME a.example.com.
a A 10.53.0.1
dname DNAME @
+
+brid BRID \# 2 0000
+hhit HHIT \# 2 0000
diff -Nru bind9-9.18.44/bin/tests/system/auth/tests.sh bind9-9.18.47/bin/tests/system/auth/tests.sh
--- bind9-9.18.44/bin/tests/system/auth/tests.sh 2026-01-09 13:44:04.490033479 +0000
+++ bind9-9.18.47/bin/tests/system/auth/tests.sh 2026-03-13 21:59:39.547898646 +0000
@@ -196,5 +196,22 @@
[ $ret -eq 0 ] || echo_i "failed"
status=$((status + ret))
+# Regression tests for #5616 [CVE-2025-13878] BRID and HHIT assertion failure.
+n=$((n + 1))
+echo_i "check that BRID query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n
+grep "BRID" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that HHIT query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 hhit.example.com HHIT >dig.out.test$n
+grep "HHIT" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
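Review bot: Both new regression checks pass on `grep "BRID"` / `grep "HHIT"` alone, and that string can appear in dig's output without named having answered. dig prints the query type in its command banner even when no reply arrives, unless `$DIGOPTS` (defined outside this hunk) suppresses it, so a server that asserted may still leave the test green. dig's exit status is also discarded. Tying each check to a real response would be stronger: `$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n || ret=1` followed by `grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1`, and the same for the HHIT block.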
diff -Nru bind9-9.18.44/bin/tests/system/bailiwick/ans1/ans.py bind9-9.18.47/bin/tests/system/bailiwick/ans1/ans.py
--- bind9-9.18.44/bin/tests/system/bailiwick/ans1/ans.py 2026-01-09 13:44:04.496033578 +0000
+++ bind9-9.18.47/bin/tests/system/bailiwick/ans1/ans.py 2026-03-13 21:59:39.553898832 +0000
@@ -24,7 +24,6 @@
from bailiwick_ans import ResponseSpoofer, spoofing_server
-
ATTACKER_IP = "10.53.0.3"
TTL = 3600
diff -Nru bind9-9.18.44/bin/tests/system/bailiwick/ans2/ans.py bind9-9.18.47/bin/tests/system/bailiwick/ans2/ans.py
--- bind9-9.18.44/bin/tests/system/bailiwick/ans2/ans.py 2026-01-09 13:44:04.496033578 +0000
+++ bind9-9.18.47/bin/tests/system/bailiwick/ans2/ans.py 2026-03-13 21:59:39.553898832 +0000
@@ -24,7 +24,6 @@
from bailiwick_ans import ResponseSpoofer, spoofing_server
-
ATTACKER_IP = "10.53.0.3"
TTL = 3600
diff -Nru bind9-9.18.44/bin/tests/system/bailiwick/tests_bailiwick.py bind9-9.18.47/bin/tests/system/bailiwick/tests_bailiwick.py
--- bind9-9.18.44/bin/tests/system/bailiwick/tests_bailiwick.py 2026-01-09 13:44:04.497033595 +0000
+++ bind9-9.18.47/bin/tests/system/bailiwick/tests_bailiwick.py 2026-03-13 21:59:39.554898863 +0000
@@ -17,9 +17,6 @@
import pytest
-# isctest.asyncserver requires dnspython >= 2.0.0
-pytest.importorskip("dns", minversion="2.0.0")
-
import isctest
from isctest.instance import NamedInstance
diff -Nru bind9-9.18.44/bin/tests/system/checkds/tests_checkds.py bind9-9.18.47/bin/tests/system/checkds/tests_checkds.py
--- bind9-9.18.44/bin/tests/system/checkds/tests_checkds.py 2026-01-09 13:44:04.534034205 +0000
+++ bind9-9.18.47/bin/tests/system/checkds/tests_checkds.py 2026-03-13 21:59:39.591900007 +0000
@@ -21,7 +21,6 @@
import isctest
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
import dns.exception
import dns.message
import dns.name
@@ -29,7 +28,6 @@
import dns.rdataclass
import dns.rdatatype
-
pytestmark = [
pytest.mark.skipif(
sys.version_info < (3, 7), reason="Python >= 3.7 required [GL #3001]"
diff -Nru bind9-9.18.44/bin/tests/system/checkzone/zones/crashzone.db bind9-9.18.47/bin/tests/system/checkzone/zones/crashzone.db
--- bind9-9.18.44/bin/tests/system/checkzone/zones/crashzone.db 2026-01-09 13:44:04.544034370 +0000
+++ bind9-9.18.47/bin/tests/system/checkzone/zones/crashzone.db 2026-03-13 21:59:39.602900347 +0000
@@ -47,7 +47,6 @@
577WZnTQemStx+diON9rEGXAGnU7C0KLjrFL
VyhocnBnNtxJS8eRMSWvb9XuYCMNhYKOurtt
Ar4qh4VW1+unmA== )
-I7A7A184GGMI35K1E3IR650LKO7NOB5R.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F IMQ912BREQP1POLAH3RMONG;UED541AS A RRSIG
IMQ912BREQP1POLAH3RMONG3UED541AS.dyn.example.net. 7200 IN NSEC3 1 0 10 76931F S3USV4M1HLVJ8F88EDSG8N9PVQRQ20N7 A RRSIG
7200 RRSIG NSEC3 7 4 7200 20100227180048 (
20100221180048 30323 dyn.example.net.
diff -Nru bind9-9.18.44/bin/tests/system/conftest.py bind9-9.18.47/bin/tests/system/conftest.py
--- bind9-9.18.44/bin/tests/system/conftest.py 2026-01-09 13:44:04.547034419 +0000
+++ bind9-9.18.47/bin/tests/system/conftest.py 2026-03-13 21:59:39.605900440 +0000
@@ -18,7 +18,8 @@
import subprocess
import tempfile
import time
-from typing import Any, Dict, List, Optional
+from typing import Dict, List, Optional
+import sys
import pytest
@@ -26,24 +27,11 @@
import isctest
-
# Silence warnings caused by passing a pytest fixture to another fixture.
# pylint: disable=redefined-outer-name
-
-# ----------------- Older pytest / xdist compatibility -------------------
-# As of 2023-01-11, the minimal supported pytest / xdist versions are
-# determined by what is available in EL8/EPEL8:
-# - pytest 3.4.2
-# - pytest-xdist 1.24.1
-_pytest_ver = pytest.__version__.split(".")
-_pytest_major_ver = int(_pytest_ver[0])
-if _pytest_major_ver < 7:
- # pytest.Stash/pytest.StashKey mechanism has been added in 7.0.0
- # for older versions, use regular dictionary with string keys instead
- FIXTURE_OK = "fixture_ok" # type: Any
-else:
- FIXTURE_OK = pytest.StashKey[bool]() # pylint: disable=no-member
+if sys.version_info[1] < 10:
+ raise RuntimeError("Python 3.10 or newer is required to run system tests.")
# ----------------------- Globals definition -----------------------------
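Review bot: The new guard `if sys.version_info[1] < 10:` compares only the minor version number, so it does not express the "3.10 or newer" requirement stated in its own message. It gives the intended answer on 3.x only, and would wrongly reject any interpreter whose major version is higher but whose minor number is below 10. Comparing the tuple is the usual form and covers both components: `if sys.version_info < (3, 10):`. As a smaller style point, the `import sys` added in the previous hunk sits after `from typing import ...` rather than with the other plain `import` lines.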
@@ -137,7 +125,7 @@
config.option.dist = "loadscope"
-def pytest_ignore_collect(path):
+def pytest_ignore_collect(collection_path):
# System tests are executed in temporary directories inside
# bin/tests/system. These temporary directories contain all files
# needed for the system tests - including tests_*.py files. Make sure to
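Review bot: `pytest_ignore_collect(collection_path)` relies on a hook argument that exists only in pytest 7.0 and later, and this diff also removes the compatibility block that handled older pytest. An older pytest is therefore likely to fail hook validation at startup instead of giving a clear message, and the same minimum applies to `request.node.path` in a later hunk. The only explicit guard left in view is the Python version check. If the minimum is not enforced elsewhere (bin/tests/system/requirements.txt changes in this upload but is not shown here), a `minversion = 7.0` entry in the pytest configuration would state it. The function body continues past this hunk.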
@@ -146,9 +134,9 @@
# convenience symlinks to those test directories. In both of those
# cases, the system test name (directory) contains an underscore, which
# is otherwise and invalid character for a system test name.
- match = SYSTEM_TEST_NAME_RE.search(str(path))
+ match = SYSTEM_TEST_NAME_RE.search(str(collection_path))
if match is None:
- isctest.log.warning("unexpected test path: %s (ignored)", path)
+ isctest.log.warning("unexpected test path: %s (ignored)", collection_path)
return True
system_test_name = match.groups()[0]
return "_" in system_test_name
@@ -328,19 +316,10 @@
return path.parent.name
-def _get_marker(node, marker):
- try:
- # pytest >= 4.x
- return node.get_closest_marker(marker)
- except AttributeError:
- # pytest < 4.x
- return node.get_marker(marker)
-
-
@pytest.fixture(autouse=True)
def wait_for_zones_loaded(request, servers):
"""Wait for all zones to be loaded by specified named instances."""
- instances = _get_marker(request.node, "requires_zones_loaded")
+ instances = request.node.get_closest_marker("requires_zones_loaded")
if not instances:
return
@@ -432,12 +411,6 @@
assert all(res.outcome == "passed" for res in test_results.values())
return "passed"
- def unlink(path):
- try:
- path.unlink() # missing_ok=True isn't available on Python 3.6
- except FileNotFoundError:
- pass
-
def check_artifacts(source_dir, run_dir):
def check_artifacts_recursive(dcmp):
def artifact_expected(path, expected):
@@ -472,7 +445,9 @@
), f"Unexpected files found in test directory: {unexpected_files}"
# Create a temporary directory with a copy of the original system test dir contents
- system_test_root = Path(f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}")
+ system_test_root = Path(
+ f"{env['TOP_BUILDDIR']}/{SYSTEM_TEST_DIR_GIT_PATH}"
+ ).resolve()
testdir = Path(
tempfile.mkdtemp(prefix=f"{system_test_name}_tmp_", dir=system_test_root)
)
@@ -480,9 +455,9 @@
shutil.copytree(system_test_root / system_test_name, testdir)
# Create a convenience symlink with a stable and predictable name
- module_name = SYMLINK_REPLACEMENT_RE.sub(r"\1", str(_get_node_path(request.node)))
+ module_name = SYMLINK_REPLACEMENT_RE.sub(r"\1", str(request.node.path))
symlink_dst = system_test_root / module_name
- unlink(symlink_dst)
+ symlink_dst.unlink(missing_ok=True)
symlink_dst.symlink_to(os.path.relpath(testdir, start=system_test_root))
isctest.log.init_module_logger(system_test_name, testdir)
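Review bot: `module_name` is now derived from `request.node.path`, which pytest provides as a full path, where the removed `_get_node_path()` built a relative one from node names. `SYMLINK_REPLACEMENT_RE` is defined outside this hunk, so it is not visible whether the substitution still yields a name relative to `system_test_root`. If it keeps the leading directories, `system_test_root / module_name` silently ignores `system_test_root`, and `symlink_dst.unlink(missing_ok=True)` then acts on whatever absolute path results. An explicit `assert symlink_dst.is_relative_to(system_test_root)` before the unlink, or a comment saying that the `.resolve()` added in the previous hunk keeps the two paths aligned, would make that dependency visible. The enclosing fixture starts and ends outside the hunk.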
@@ -514,7 +489,7 @@
"test failure detected, keeping temporary directory %s", testdir
)
keep = True
- elif not request.node.stash[FIXTURE_OK]:
+ elif not request.node.stash["fixture_ok"]:
isctest.log.debug(
"test setup/teardown issue detected, keeping temporary directory %s",
testdir,
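Review bot: The stash is now indexed with the bare string `"fixture_ok"` here and in the three hunks further down (the two assignments of `True` and the one of `False`), where the removed code used a single `FIXTURE_OK` constant. pytest documents `Stash` keys as `pytest.StashKey` objects; a string appears to work at runtime, but it is untyped, and a typo in any one of the four literals would only surface as a `KeyError` during teardown. Keeping one module-level `FIXTURE_OK = pytest.StashKey[bool]()` and using it at all four sites would retain the simplification without the repeated literal. The enclosing fixture bodies start and end outside these hunks.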
@@ -531,7 +506,7 @@
isctest.log.deinit_module_logger()
if not keep:
shutil.rmtree(testdir)
- unlink(symlink_dst)
+ symlink_dst.unlink(missing_ok=True)
@pytest.fixture(scope="module")
@@ -581,15 +556,6 @@
isctest.log.debug(" exited with %d", returncode)
-def _get_node_path(node) -> Path:
- if isinstance(node.parent, pytest.Session):
- if _pytest_major_ver >= 8:
- return Path()
- return Path(node.name)
- assert node.parent is not None
- return _get_node_path(node.parent) / node.name
-
-
@pytest.fixture(scope="module")
def shell(env, system_test_dir):
"""Function to call a shell script with arguments."""
@@ -703,13 +669,11 @@
pytest.fail(f"get_core_dumps.sh exited with {exc.returncode}")
os.environ.update(env) # Ensure pytests have the same env vars as shell tests.
- isctest.log.info(f"test started: {_get_node_path(request.node)}")
+ isctest.log.info(f"test started: {request.node.path}")
port = int(env["PORT"])
isctest.log.info("using port range: <%d, %d>", port, port + PORTS_PER_TEST - 1)
- if not hasattr(request.node, "stash"): # compatibility with pytest<7.0.0
- request.node.stash = {} # use regular dict instead of pytest.Stash
- request.node.stash[FIXTURE_OK] = True
+ request.node.stash["fixture_ok"] = True
# Perform checks which may skip this test.
check_net_interfaces()
@@ -718,7 +682,7 @@
# Store the fact that this fixture hasn't successfully finished yet.
# This is checked before temporary directory teardown to decide whether
# it's okay to remove the directory.
- request.node.stash[FIXTURE_OK] = False
+ request.node.stash["fixture_ok"] = False
setup_test()
try:
@@ -729,7 +693,7 @@
isctest.log.debug("test(s) finished")
stop_servers()
get_core_dumps()
- request.node.stash[FIXTURE_OK] = True
+ request.node.stash["fixture_ok"] = True
@pytest.fixture(scope="module")
diff -Nru bind9-9.18.44/bin/tests/system/convert-junit-to-trs.py bind9-9.18.47/bin/tests/system/convert-junit-to-trs.py
--- bind9-9.18.44/bin/tests/system/convert-junit-to-trs.py 2026-01-09 13:44:04.547034419 +0000
+++ bind9-9.18.47/bin/tests/system/convert-junit-to-trs.py 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-#!/usr/bin/env python3
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# Convert JUnit pytest output to automake .trs files
-
-import argparse
-import sys
-from xml.etree import ElementTree
-
-
-def junit_to_trs(junit_xml):
- root = ElementTree.fromstring(junit_xml)
- testcases = root.findall(".//testcase")
-
- if len(testcases) < 1:
- print(":test-result: ERROR convert-junit-to-trs.py")
- return 99
-
- has_fail = False
- has_error = False
- has_skipped = False
- for testcase in testcases:
- filename = f"{testcase.attrib['classname'].replace('.', '/')}.py"
- name = f"{filename}::{testcase.attrib['name']}"
- res = "PASS"
- for node in testcase:
- if node.tag == "failure":
- res = "FAIL"
- has_fail = True
- elif node.tag == "error":
- res = "ERROR"
- has_error = True
- elif node.tag == "skipped":
- if node.attrib.get("type") == "pytest.xfail":
- res = "XFAIL"
- else:
- res = "SKIP"
- has_skipped = True
- print(f":test-result: {res} {name}")
-
- if has_error:
- return 99
- if has_fail:
- return 1
- if has_skipped:
- return 77
- return 0
-
-
-def main():
- parser = argparse.ArgumentParser(
- description="Convert JUnit XML to Automake TRS and exit with "
- "the appropriate Automake-compatible exit code."
- )
- parser.add_argument(
- "junit_file",
- type=argparse.FileType("r", encoding="utf-8"),
- help="junit xml result file",
- )
- args = parser.parse_args()
-
- junit_xml = args.junit_file.read()
- sys.exit(junit_to_trs(junit_xml))
-
-
-if __name__ == "__main__":
- main()
diff -Nru bind9-9.18.44/bin/tests/system/convert_junit_to_trs.py bind9-9.18.47/bin/tests/system/convert_junit_to_trs.py
--- bind9-9.18.44/bin/tests/system/convert_junit_to_trs.py 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/convert_junit_to_trs.py 2026-03-13 21:59:39.605900440 +0000
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# Convert JUnit pytest output to automake .trs files
+
+import argparse
+import sys
+from xml.etree import ElementTree
+
+
+def junit_to_trs(junit_xml):
+ root = ElementTree.fromstring(junit_xml)
+ testcases = root.findall(".//testcase")
+
+ if len(testcases) < 1:
+ print(":test-result: ERROR convert_junit_to_trs.py")
+ return 99
+
+ has_fail = False
+ has_error = False
+ has_skipped = False
+ for testcase in testcases:
+ filename = f"{testcase.attrib['classname'].replace('.', '/')}.py"
+ name = f"{filename}::{testcase.attrib['name']}"
+ res = "PASS"
+ for node in testcase:
+ if node.tag == "failure":
+ res = "FAIL"
+ has_fail = True
+ elif node.tag == "error":
+ res = "ERROR"
+ has_error = True
+ elif node.tag == "skipped":
+ if node.attrib.get("type") == "pytest.xfail":
+ res = "XFAIL"
+ else:
+ res = "SKIP"
+ has_skipped = True
+ print(f":test-result: {res} {name}")
+
+ if has_error:
+ return 99
+ if has_fail:
+ return 1
+ if has_skipped:
+ return 77
+ return 0
+
+
+def main():
+ parser = argparse.ArgumentParser(
+ description="Convert JUnit XML to Automake TRS and exit with "
+ "the appropriate Automake-compatible exit code."
+ )
+ parser.add_argument(
+ "junit_file",
+ type=argparse.FileType("r", encoding="utf-8"),
+ help="junit xml result file",
+ )
+ args = parser.parse_args()
+
+ junit_xml = args.junit_file.read()
+ sys.exit(junit_to_trs(junit_xml))
+
+
+if __name__ == "__main__":
+ main()
diff -Nru bind9-9.18.44/bin/tests/system/cookie/ans9/ans.py bind9-9.18.47/bin/tests/system/cookie/ans9/ans.py
--- bind9-9.18.44/bin/tests/system/cookie/ans9/ans.py 2026-01-09 13:44:04.547034419 +0000
+++ bind9-9.18.47/bin/tests/system/cookie/ans9/ans.py 2026-03-13 21:59:39.605900440 +0000
@@ -294,7 +294,7 @@
if s == query4_tcp1 or s == query6_tcp1 or s == query4_tcp2 or s == query6_tcp2:
try:
- (cs, _) = s.accept()
+ cs, _ = s.accept()
if s == query4_tcp1 or s == query6_tcp1:
print(
"TCP Query received on %s"
diff -Nru bind9-9.18.44/bin/tests/system/custom-test-driver bind9-9.18.47/bin/tests/system/custom-test-driver
--- bind9-9.18.44/bin/tests/system/custom-test-driver 2026-01-09 13:44:04.550034469 +0000
+++ bind9-9.18.47/bin/tests/system/custom-test-driver 2026-03-13 21:59:39.608900532 +0000
@@ -146,7 +146,7 @@
fi
# Run junit to trs converter script.
-./convert-junit-to-trs.py $junit_file >$trs_file
+./convert_junit_to_trs.py $junit_file >$trs_file
estatus=$?
if test $enable_hard_errors = no && test $estatus -eq 99; then
diff -Nru bind9-9.18.44/bin/tests/system/dispatch/tests_connreset.py bind9-9.18.47/bin/tests/system/dispatch/tests_connreset.py
--- bind9-9.18.44/bin/tests/system/dispatch/tests_connreset.py 2026-01-09 13:44:04.554034535 +0000
+++ bind9-9.18.47/bin/tests/system/dispatch/tests_connreset.py 2026-03-13 21:59:39.612900656 +0000
@@ -14,7 +14,6 @@
import pytest
import isctest
-pytest.importorskip("dns")
import dns.message
pytestmark = pytest.mark.extra_artifacts(
diff -Nru bind9-9.18.44/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py bind9-9.18.47/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py
--- bind9-9.18.44/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py 2026-01-09 13:44:04.558034601 +0000
+++ bind9-9.18.47/bin/tests/system/dnssec-malformed-dnskey/tests_malformed_dnskey.py 2026-03-13 21:59:39.617900811 +0000
@@ -12,12 +12,10 @@
import base64
from re import compile as Re
+import os
import pytest
pytest.importorskip("cryptography")
-pytest.importorskip(
- "dns", minversion="2.7.0"
-) # dns.dnssec.sign_zone(deterministic=...) needed
from cryptography.hazmat.primitives.asymmetric import ec
@@ -124,7 +122,11 @@
msg = isctest.query.create("malformed-dnskey.example", "A")
openssl_vers = ns3.log.grep(log_openssl_version)
- if openssl_vers and int(openssl_vers[0].group(1)) >= 3:
+ if (
+ openssl_vers
+ and int(openssl_vers[0].group(1)) >= 3
+ and os.getenv("FEATURE_QUERYTRACE") == "1"
+ ):
# extra check for OpenSSL 3.0.0+
with ns3.watch_log_from_here() as watcher:
res = isctest.query.tcp(msg, "10.53.0.3")
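Review bot: The retained comment `# extra check for OpenSSL 3.0.0+` no longer matches the condition above it, which now also requires `os.getenv("FEATURE_QUERYTRACE") == "1"`; the same applies to the identical block in the next hunk. I would reword both to something like `# extra log check: needs OpenSSL 3.0.0+ and FEATURE_QUERYTRACE=1`, so a reader knows why the log assertion is skipped when that variable is unset. Since the three-part condition is now duplicated verbatim, a small module-level helper would keep the two tests from drifting apart. The enclosing test functions start and end outside the hunks.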
@@ -169,7 +171,11 @@
pytest.skip("valid RRSIG listed first in response, re-run test")
openssl_vers = ns3.log.grep(log_openssl_version)
- if openssl_vers and int(openssl_vers[0].group(1)) >= 3:
+ if (
+ openssl_vers
+ and int(openssl_vers[0].group(1)) >= 3
+ and os.getenv("FEATURE_QUERYTRACE") == "1"
+ ):
# extra check for OpenSSL 3.0.0+
with ns3.watch_log_from_here() as watcher:
res = isctest.query.tcp(msg, "10.53.0.3")
diff -Nru bind9-9.18.44/bin/tests/system/dnstap/tests_dnstap.py bind9-9.18.47/bin/tests/system/dnstap/tests_dnstap.py
--- bind9-9.18.44/bin/tests/system/dnstap/tests_dnstap.py 2026-01-09 13:44:04.573034848 +0000
+++ bind9-9.18.47/bin/tests/system/dnstap/tests_dnstap.py 2026-03-13 21:59:39.632901275 +0000
@@ -17,7 +17,6 @@
import isctest
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
import dns.rrset
pytestmark = pytest.mark.extra_artifacts(
diff -Nru bind9-9.18.44/bin/tests/system/doth/tests_gnutls.py bind9-9.18.47/bin/tests/system/doth/tests_gnutls.py
--- bind9-9.18.44/bin/tests/system/doth/tests_gnutls.py 2026-01-09 13:44:04.580034964 +0000
+++ bind9-9.18.47/bin/tests/system/doth/tests_gnutls.py 2026-03-13 21:59:39.639901491 +0000
@@ -18,7 +18,7 @@
import pytest
-pytest.importorskip("dns")
+import dns
import dns.exception
import dns.name
import dns.rdataclass
diff -Nru bind9-9.18.44/bin/tests/system/glue/tests_glue.py bind9-9.18.47/bin/tests/system/glue/tests_glue.py
--- bind9-9.18.44/bin/tests/system/glue/tests_glue.py 2026-01-09 13:44:04.603035343 +0000
+++ bind9-9.18.47/bin/tests/system/glue/tests_glue.py 2026-03-13 21:59:39.663902233 +0000
@@ -12,12 +12,9 @@
import dns.flags
import dns.message
-import pytest
import isctest
-pytest.importorskip("dns", minversion="2.0.0")
-
def test_glue_full_glue_set():
"""test that a ccTLD referral gets a full glue set from the root zone"""
diff -Nru bind9-9.18.44/bin/tests/system/isctest/__init__.py bind9-9.18.47/bin/tests/system/isctest/__init__.py
--- bind9-9.18.44/bin/tests/system/isctest/__init__.py 2026-01-09 13:44:04.610035459 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/__init__.py 2026-03-13 21:59:39.670902449 +0000
@@ -11,15 +11,13 @@
from . import check
from . import instance
+from . import hypothesis
from . import query
+from . import kasp
from . import run
from . import template
from . import log
-# isctest.hypothesis is intentionally NOT imported, because it detects proper
-# hypothesis support and instructs pytest to skip the tests otherwise. It
-# should be manually imported only in the modules that require hypothesis.
-
# isctest.mark module is intentionally NOT imported, because it relies on
# environment variables which might not be set at the time of import of the
# `isctest` package. To use the marks, manual `import isctest.mark` is needed
diff -Nru bind9-9.18.44/bin/tests/system/isctest/asyncserver.py bind9-9.18.47/bin/tests/system/isctest/asyncserver.py
--- bind9-9.18.44/bin/tests/system/isctest/asyncserver.py 2026-01-09 13:44:04.610035459 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/asyncserver.py 2026-03-13 21:59:39.670902449 +0000
@@ -55,7 +55,6 @@
import dns.version
import dns.zone
-
_UdpHandler = Callable[
[bytes, Tuple[str, int], asyncio.DatagramTransport], Coroutine[Any, Any, None]
]
@@ -113,7 +112,6 @@
tcp_handler: Optional[_TcpHandler],
pidfile: Optional[str] = None,
) -> None:
- self._abort_if_on_dnspython_version_less_than_2_0_0()
logging.basicConfig(
format="%(asctime)s %(levelname)8s %(message)s",
level=os.environ.get("ANS_LOG_LEVEL", "INFO").upper(),
@@ -141,14 +139,6 @@
self._pidfile: Optional[str] = pidfile
self._work_done: Optional[asyncio.Future] = None
- @classmethod
- def _abort_if_on_dnspython_version_less_than_2_0_0(cls) -> None:
- if dns.version.MAJOR < 2:
- error = f"Using {cls.__name__} requires dnspython >= 2.0.0; "
- error += 'add `pytest.importorskip("dns", minversion="2.0.0")` '
- error += "to the test module to skip this test."
- raise RuntimeError(error)
-
def _get_ipv4_address_from_directory_name(self) -> str:
containing_directory = pathlib.Path().absolute().stem
match_result = re.match(r"ans(?P\d+)", containing_directory)
diff -Nru bind9-9.18.44/bin/tests/system/isctest/check.py bind9-9.18.47/bin/tests/system/isctest/check.py
--- bind9-9.18.44/bin/tests/system/isctest/check.py 2026-01-09 13:44:04.610035459 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/check.py 2026-03-13 21:59:39.670902449 +0000
@@ -13,13 +13,13 @@
from typing import cast, List, Optional
import dns.edns
+from dns.edns import EDECode, EDEOption
import dns.flags
import dns.message
import dns.rcode
import dns.zone
import isctest.log
-from isctest.compat import dns_rcode, EDECode, EDEOption
def rcode(message: dns.message.Message, expected_rcode) -> None:
@@ -27,19 +27,19 @@
def noerror(message: dns.message.Message) -> None:
- rcode(message, dns_rcode.NOERROR)
+ rcode(message, dns.rcode.NOERROR)
def notimp(message: dns.message.Message) -> None:
- rcode(message, dns_rcode.NOTIMP)
+ rcode(message, dns.rcode.NOTIMP)
def refused(message: dns.message.Message) -> None:
- rcode(message, dns_rcode.REFUSED)
+ rcode(message, dns.rcode.REFUSED)
def servfail(message: dns.message.Message) -> None:
- rcode(message, dns_rcode.SERVFAIL)
+ rcode(message, dns.rcode.SERVFAIL)
def adflag(message: dns.message.Message) -> None:
@@ -82,10 +82,6 @@
def noede(message: dns.message.Message) -> None:
"""Check that message contains no EDE option."""
- if not hasattr(dns.edns, "EDECode"):
- # dnspython<2.2.0 doesn't support EDE, skip check
- return
-
ede_options = _extract_ede_options(message)
assert not ede_options, f"unexpected EDE options {ede_options} in {message}"
@@ -94,10 +90,6 @@
message: dns.message.Message, code: EDECode, text: Optional[str] = None
) -> None:
"""Check if message contains expected EDE code (and its text)."""
- if not hasattr(dns.edns, "EDECode"):
- # dnspython<2.2.0 doesn't support EDE, skip check
- return
-
msg_opts = _extract_ede_options(message)
matching_opts = [opt for opt in msg_opts if opt.code == code]
@@ -204,7 +196,7 @@
def named_alive(named_proc, resolver_ip):
assert named_proc.poll() is None, "named isn't running"
msg = isctest.query.create("version.bind", "TXT", "CH")
- isctest.query.tcp(msg, resolver_ip, expected_rcode=dns_rcode.NOERROR)
+ isctest.query.tcp(msg, resolver_ip, expected_rcode=dns.rcode.NOERROR)
def notauth(message: dns.message.Message) -> None:
diff -Nru bind9-9.18.44/bin/tests/system/isctest/compat.py bind9-9.18.47/bin/tests/system/isctest/compat.py
--- bind9-9.18.44/bin/tests/system/isctest/compat.py 2026-01-09 13:44:04.610035459 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/compat.py 1970-01-01 00:00:00.000000000 +0000
@@ -1,56 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-from typing import Any, TYPE_CHECKING
-
-import dns.edns
-import dns.rcode
-
-# compatiblity with dnspython<2.0.0
-try:
- # In dnspython>=2.0.0, dns.rcode.Rcode class is available
- # pylint: disable=invalid-name
- dns_rcode = dns.rcode.Rcode # type: Any
-except AttributeError:
- # In dnspython<2.0.0, selected rcodes are available as integers directly
- # from dns.rcode
- dns_rcode = dns.rcode
-
-
-if TYPE_CHECKING:
- EDECode = dns.edns.EDECode
- EDEOption = dns.edns.EDEOption
-else:
- try: # compatiblity with dnspython<2.2.0
- EDECode = dns.edns.EDECode
- except AttributeError:
- # In dnspython<2.2.0, the dns.edns.EDECode doesn't exist.
- #
- # The primary use-case is for us to use existing EDECode objects from the
- # class, e.g. EDECode.FILTERED. To mimick this behavior, use a string
- # factory that just turns the attribute name into a string.
- #
- # The used compatibility hack doesn't really matter (as long as EDECode.xxx
- # doesn't raise exception), as with dnspython versions prior to 2.2.0, any
- # EDE checking will be skipped anyway.
- class _CompatEDECode:
- def __getattr__(self, name: str) -> str:
- return name
-
- EDECode = _CompatEDECode()
- try:
- EDEOption = dns.edns.EDEOption
- except AttributeError:
- # In dnspython<2.2.0, the dns.edns.EDEOption doesn't exist, so we stub it to be
- # able to use it in type annotations.
- class EDEOption:
- def __new__(cls, *args, **kwargs):
- raise RuntimeError("Using EDEOption requires dnspython>=2.2.0")
diff -Nru bind9-9.18.44/bin/tests/system/isctest/hypothesis/__init__.py bind9-9.18.47/bin/tests/system/isctest/hypothesis/__init__.py
--- bind9-9.18.44/bin/tests/system/isctest/hypothesis/__init__.py 2026-01-09 13:44:04.610035459 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/hypothesis/__init__.py 2026-03-13 21:59:39.670902449 +0000
@@ -12,17 +12,5 @@
# This ensures we're using a suitable hypothesis version. A newer version is
# required for FIPS-enabled platforms.
-import hashlib
-
-import pytest
-
-MIN_HYPOTHESIS_VERSION = None
-
-if "md5" not in hashlib.algorithms_available:
- # FIPS mode is enabled, use hypothesis 4.41.2 which doesn't use md5
- MIN_HYPOTHESIS_VERSION = "4.41.2"
-
-pytest.importorskip("hypothesis", minversion=MIN_HYPOTHESIS_VERSION)
-
from . import settings
from . import strategies
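Review bot: The two comment lines kept at the top of this hunk (`# This ensures we're using a suitable hypothesis version. ...`) describe the `pytest.importorskip("hypothesis", minversion=...)` call that this change removes, so they now document nothing. They should be dropped or replaced with a statement of what the package does now, for example `# Re-export the hypothesis settings and strategies used by the system tests.` If a minimum hypothesis version still matters on FIPS-enabled platforms, the place where it is enforced would be worth naming here.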
diff -Nru bind9-9.18.44/bin/tests/system/isctest/hypothesis/strategies.py bind9-9.18.47/bin/tests/system/isctest/hypothesis/strategies.py
--- bind9-9.18.44/bin/tests/system/isctest/hypothesis/strategies.py 2026-01-09 13:44:04.610035459 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/hypothesis/strategies.py 2026-03-13 21:59:39.670902449 +0000
@@ -143,13 +143,8 @@
RDATACLASS_MAX = RDATATYPE_MAX = 65535
-try:
- dns_rdataclasses = builds(dns.rdataclass.RdataClass, integers(0, RDATACLASS_MAX))
- dns_rdatatypes = builds(dns.rdatatype.RdataType, integers(0, RDATATYPE_MAX))
-except AttributeError:
- # In old dnspython versions, RDataTypes and RDataClasses are int and not enums.
- dns_rdataclasses = integers(0, RDATACLASS_MAX) # type: ignore
- dns_rdatatypes = integers(0, RDATATYPE_MAX) # type: ignore
+dns_rdataclasses = builds(dns.rdataclass.RdataClass, integers(0, RDATACLASS_MAX))
+dns_rdatatypes = builds(dns.rdatatype.RdataType, integers(0, RDATATYPE_MAX))
dns_rdataclasses_without_meta = dns_rdataclasses.filter(dns.rdataclass.is_metaclass)
# NOTE: This should really be `dns_rdatatypes_without_meta = dns_rdatatypes_without_meta.filter(dns.rdatatype.is_metatype()`,
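Review bot: In the unchanged line just below the new assignments, `dns_rdataclasses_without_meta = dns_rdataclasses.filter(dns.rdataclass.is_metaclass)` keeps the values for which the predicate is true, so the strategy appears to produce only metaclasses, the opposite of what its name says. If that reading is right, the predicate needs negating: `dns_rdataclasses.filter(lambda c: not dns.rdataclass.is_metaclass(c))`. This is not introduced by the change, but with the integer fallback gone it is the only definition left, so it is worth confirming against the users of this strategy, which are outside the hunk.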
diff -Nru bind9-9.18.44/bin/tests/system/isctest/kasp.py bind9-9.18.47/bin/tests/system/isctest/kasp.py
--- bind9-9.18.44/bin/tests/system/isctest/kasp.py 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/kasp.py 2026-03-13 21:59:39.671902481 +0000
@@ -0,0 +1,91 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from functools import total_ordering
+from pathlib import Path
+
+import dns.dnssec
+import dns.exception
+import dns.message
+import dns.name
+import dns.rcode
+import dns.rdataclass
+import dns.rdatatype
+import dns.rrset
+import dns.tsig
+import dns.zone
+import dns.zonefile
+
+from isctest.template import TrustAnchor
+
+DEFAULT_TTL = 300
+
+
+@total_ordering
+class Key:
+ """
+ Represent a key from a keyfile.
+
+ This object keeps track of its origin (keydir + name), can be used to
+ retrieve metadata from the underlying files and supports convenience
+ operations for KASP tests.
+ """
+
+ def __init__(self, name: str, keydir: str | Path | None = None):
+ self.name = name
+ if keydir is None:
+ self.keydir = Path()
+ else:
+ self.keydir = Path(keydir)
+ self.path = str(self.keydir / name)
+ self.privatefile = f"{self.path}.private"
+ self.keyfile = f"{self.path}.key"
+ self.statefile = f"{self.path}.state"
+ self.tag = int(self.name[-5:])
+ self.external = False
+
+ @property
+ def dnskey(self) -> dns.rrset.RRset:
+ with open(self.keyfile, "r", encoding="utf-8") as file:
+ rrsets = dns.zonefile.read_rrsets(
+ file.read(),
+ rdclass=None, # read rdclass from the file
+ default_ttl=DEFAULT_TTL, # use this TTL if not present
+ )
+ assert len(rrsets) == 1, f"{self.keyfile} has multiple RRsets"
+ dnskey_rr = rrsets[0]
+ assert len(dnskey_rr) == 1, f"{self.keyfile} has multiple RRs"
+ assert (
+ dnskey_rr.rdtype == dns.rdatatype.DNSKEY
+ ), f"DNSKEY not found in {self.keyfile}"
+ return dnskey_rr
+
+ def into_ta(self, ta_type: str, dsdigest=dns.dnssec.DSDigest.SHA256) -> TrustAnchor:
+ dnskey = self.dnskey
+ if ta_type in ["static-ds", "initial-ds"]:
+ ds = dns.dnssec.make_ds(dnskey.name, dnskey[0], dsdigest)
+ parts = str(ds).split()
+ contents = " ".join(parts[:3]) + f' "{parts[3]}"'
+ elif ta_type in ["static-key", "initial-key"]:
+ parts = str(dnskey).split()
+ contents = " ".join(parts[4:7]) + f' "{"".join(parts[7:])}"'
+ else:
+ raise ValueError(f"invalid trust anchor type: {ta_type}")
+ return TrustAnchor(str(dnskey.name), ta_type, contents)
+
+ def __lt__(self, other: "Key"):
+ return self.name < other.name
+
+ def __eq__(self, other: object):
+ return isinstance(other, Key) and self.path == other.path
+
+ def __repr__(self):
+ return self.path
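Review bot: `Key.__lt__` orders by `self.name` while `Key.__eq__` compares `self.path`, so the comparisons that `@total_ordering` derives are inconsistent for two keys with the same name in different key directories: neither is less than the other, yet they are not equal. Using one attribute for both, e.g. `return self.path < other.path` in `__lt__`, avoids that, and `__lt__` could return `NotImplemented` for an operand that is not a `Key`. Defining `__eq__` without `__hash__` also makes instances unhashable, so `def __hash__(self): return hash(self.path)` is needed if keys are ever put in a set or used as dict keys. Separately, `self.tag = int(self.name[-5:])` assumes the name ends in a five-digit key tag and raises a bare `ValueError` otherwise; a one-line comment stating the expected name format would help.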
diff -Nru bind9-9.18.44/bin/tests/system/isctest/log/basic.py bind9-9.18.47/bin/tests/system/isctest/log/basic.py
--- bind9-9.18.44/bin/tests/system/isctest/log/basic.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/log/basic.py 2026-03-13 21:59:39.671902481 +0000
@@ -14,7 +14,6 @@
import textwrap
from typing import Dict, Optional
-
CONFTEST_LOGGER = logging.getLogger("conftest")
LOG_FORMAT = "%(asctime)s %(levelname)7s:%(name)s %(message)s"
LOG_INDENT = 4
diff -Nru bind9-9.18.44/bin/tests/system/isctest/log/watchlog.py bind9-9.18.47/bin/tests/system/isctest/log/watchlog.py
--- bind9-9.18.44/bin/tests/system/isctest/log/watchlog.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/log/watchlog.py 2026-03-13 21:59:39.671902481 +0000
@@ -17,7 +17,6 @@
from isctest.text import compile_pattern, FlexPattern, LineReader
-
T = TypeVar("T")
OneOrMore = Union[T, List[T]]
diff -Nru bind9-9.18.44/bin/tests/system/isctest/mark.py bind9-9.18.47/bin/tests/system/isctest/mark.py
--- bind9-9.18.44/bin/tests/system/isctest/mark.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/mark.py 2026-03-13 21:59:39.671902481 +0000
@@ -20,7 +20,6 @@
import pytest
-
long_test = pytest.mark.skipif(
not os.environ.get("CI_ENABLE_LONG_TESTS"), reason="CI_ENABLE_LONG_TESTS not set"
)
diff -Nru bind9-9.18.44/bin/tests/system/isctest/name.py bind9-9.18.47/bin/tests/system/isctest/name.py
--- bind9-9.18.44/bin/tests/system/isctest/name.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/name.py 2026-03-13 21:59:39.671902481 +0000
@@ -11,9 +11,6 @@
from typing import Container, Iterable, FrozenSet
-import pytest
-
-pytest.importorskip("dns", minversion="2.3.0") # NameRelation
from dns.name import Name, NameRelation
import dns.zone
import dns.rdatatype
diff -Nru bind9-9.18.44/bin/tests/system/isctest/query.py bind9-9.18.47/bin/tests/system/isctest/query.py
--- bind9-9.18.44/bin/tests/system/isctest/query.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/query.py 2026-03-13 21:59:39.671902481 +0000
@@ -17,7 +17,6 @@
import dns.message
import isctest.log
-from isctest.compat import dns_rcode
QUERY_TIMEOUT = 10
@@ -30,40 +29,62 @@
source: Optional[str] = None,
timeout: int = QUERY_TIMEOUT,
attempts: int = 10,
- expected_rcode: dns_rcode = None,
+ expected_rcode: Optional[dns.rcode.Rcode] = None,
log_query: bool = True,
log_response: bool = True,
) -> Any:
+
+ def log_querymsg(exception: Exception | None = None) -> None:
+ """
+ Helper for logging query message. Call this *after* query_func() has
+ been called, as it may modify the message, e.g. with a TSIG.
+
+ If an exception is provided, it will be logged as well.
+ """
+ nonlocal log_query
+ if log_query:
+ isctest.log.debug(
+ f"isc.query.{query_func.__name__}(): query\n{message.to_text()}"
+ )
+ log_query = False # only log query once
+
+ if exception:
+ isctest.log.debug(
+ f"isc.query.{query_func.__name__}(): the '{exception}' exception raised"
+ )
+
if port is None:
port = int(os.environ["PORT"])
res = None
+
for attempt in range(attempts):
log_msg = (
f"isc.query.{query_func.__name__}(): ip={ip}, port={port}, source={source}, "
f"timeout={timeout}, attempts left={attempts-attempt}"
)
- if log_query:
- log_msg += f"\n{message.to_text()}"
- log_query = False # only log query on first attempt
isctest.log.debug(log_msg)
+
+ exc = None
try:
res = query_func(message, ip, timeout, port=port, source=source)
except (dns.exception.Timeout, ConnectionRefusedError) as e:
- isctest.log.debug(
- f"isc.query.{query_func.__name__}(): the '{e}' exception raised"
- )
- else:
+ exc = e
+ finally:
+ log_querymsg(exc)
+
+ if res:
if log_response:
isctest.log.debug(
f"isc.query.{query_func.__name__}(): response\n{res.to_text()}"
)
if res.rcode() == expected_rcode or expected_rcode is None:
return res
+
time.sleep(1)
if expected_rcode is not None:
- last_rcode = dns_rcode.to_text(res.rcode()) if res else None
+ last_rcode = dns.rcode.to_text(res.rcode()) if res else None
isctest.log.debug(
- f"isc.query.{query_func.__name__}(): expected rcode={dns_rcode.to_text(expected_rcode)}, last rcode={last_rcode}"
+ f"isc.query.{query_func.__name__}(): expected rcode={dns.rcode.to_text(expected_rcode)}, last rcode={last_rcode}"
)
raise dns.exception.Timeout
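Review bot: `if res:` replaces the former `else:` branch, but `res` is initialised once before the loop and never reset, so after an attempt that raises `dns.exception.Timeout` or `ConnectionRefusedError` it still holds the response of an earlier attempt. That stale response is then logged again as if it had just arrived and compared with `expected_rcode` again. Because `exc` is reset on every iteration, `if exc is None:` restores the old per-attempt behaviour while keeping `res` available for the `last_rcode` message after the loop. It also avoids relying on the truthiness of a message object. The function's signature begins above the hunk.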
diff -Nru bind9-9.18.44/bin/tests/system/isctest/run.py bind9-9.18.47/bin/tests/system/isctest/run.py
--- bind9-9.18.44/bin/tests/system/isctest/run.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/run.py 2026-03-13 21:59:39.671902481 +0000
@@ -16,9 +16,9 @@
import isctest.log
import isctest.text
-from isctest.compat import dns_rcode
import dns.message
+import dns.rcode
class CmdResult:
@@ -149,4 +149,4 @@
def assert_custom_named_is_alive(named_proc, resolver_ip):
assert named_proc.poll() is None, "named isn't running"
msg = dns.message.make_query("version.bind", "TXT", "CH")
- isctest.query.tcp(msg, resolver_ip, expected_rcode=dns_rcode.NOERROR)
+ isctest.query.tcp(msg, resolver_ip, expected_rcode=dns.rcode.NOERROR)
diff -Nru bind9-9.18.44/bin/tests/system/isctest/template.py bind9-9.18.47/bin/tests/system/isctest/template.py
--- bind9-9.18.44/bin/tests/system/isctest/template.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/template.py 2026-03-13 21:59:39.671902481 +0000
@@ -11,6 +11,7 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+from dataclasses import dataclass
import os
from pathlib import Path
from typing import Any, Dict, Optional, Union
@@ -98,3 +99,10 @@
]
for template in templates:
self.render(template[:-3], data)
+
+
+@dataclass
+class TrustAnchor:
+ domain: str
+ type: str
+ contents: str
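Review bot: `TrustAnchor` is added without a docstring, and nothing in this hunk says what its three string fields hold. Judging from `Key.into_ta()` in isctest/kasp.py, `type` is one of `static-ds`, `initial-ds`, `static-key` or `initial-key`, and `contents` is the already formatted record data. A class docstring such as `"""Trust anchor entry: owner domain, anchor type and pre-formatted contents."""` would record that. The field name `type` also shadows the builtin inside the class body, which is harmless here but worth renaming to `ta_type` if nothing depends on it yet.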
diff -Nru bind9-9.18.44/bin/tests/system/isctest/text.py bind9-9.18.47/bin/tests/system/isctest/text.py
--- bind9-9.18.44/bin/tests/system/isctest/text.py 2026-01-09 13:44:04.611035475 +0000
+++ bind9-9.18.47/bin/tests/system/isctest/text.py 2026-03-13 21:59:39.672902511 +0000
@@ -16,7 +16,6 @@
from re import compile as Re
from typing import Iterator, List, Match, Optional, Pattern, TextIO, Union
-
FlexPattern = Union[str, Pattern]
diff -Nru bind9-9.18.44/bin/tests/system/keepalive/tests_keepalive.py bind9-9.18.47/bin/tests/system/keepalive/tests_keepalive.py
--- bind9-9.18.44/bin/tests/system/keepalive/tests_keepalive.py 2026-01-09 13:44:04.619035607 +0000
+++ bind9-9.18.47/bin/tests/system/keepalive/tests_keepalive.py 2026-03-13 21:59:39.679902728 +0000
@@ -12,7 +12,6 @@
import isctest
import pytest
-
pytestmark = pytest.mark.extra_artifacts(
["ns2/named.stats"],
)
diff -Nru bind9-9.18.44/bin/tests/system/keyfromlabel/tests_keyfromlabel.py bind9-9.18.47/bin/tests/system/keyfromlabel/tests_keyfromlabel.py
--- bind9-9.18.44/bin/tests/system/keyfromlabel/tests_keyfromlabel.py 2026-01-09 13:44:04.620035624 +0000
+++ bind9-9.18.47/bin/tests/system/keyfromlabel/tests_keyfromlabel.py 2026-03-13 21:59:39.680902759 +0000
@@ -18,7 +18,6 @@
import isctest.mark
-
pytestmark = [
isctest.mark.supported_openssl_version,
isctest.mark.softhsm2_environment,
diff -Nru bind9-9.18.44/bin/tests/system/limits/tests_limits.py bind9-9.18.47/bin/tests/system/limits/tests_limits.py
--- bind9-9.18.44/bin/tests/system/limits/tests_limits.py 2026-01-09 13:44:04.626035723 +0000
+++ bind9-9.18.47/bin/tests/system/limits/tests_limits.py 2026-03-13 21:59:39.686902944 +0000
@@ -14,9 +14,6 @@
import isctest
import pytest
-# Everything from getting a big answer to creating an RR set with thousands
-# of records takes minutes of CPU and real time with dnspython < 2.0.0.
-pytest.importorskip("dns", minversion="2.0.0")
import dns.rrset
diff -Nru bind9-9.18.44/bin/tests/system/mkeys/tests_sh_mkeys.py bind9-9.18.47/bin/tests/system/mkeys/tests_sh_mkeys.py
--- bind9-9.18.44/bin/tests/system/mkeys/tests_sh_mkeys.py 2026-01-09 13:44:04.635035871 +0000
+++ bind9-9.18.47/bin/tests/system/mkeys/tests_sh_mkeys.py 2026-03-13 21:59:39.695903223 +0000
@@ -11,7 +11,6 @@
import pytest
-
pytestmark = pytest.mark.extra_artifacts(
[
"delv.*",
diff -Nru bind9-9.18.44/bin/tests/system/names/tests_names.py bind9-9.18.47/bin/tests/system/names/tests_names.py
--- bind9-9.18.44/bin/tests/system/names/tests_names.py 2026-01-09 13:44:04.635035871 +0000
+++ bind9-9.18.47/bin/tests/system/names/tests_names.py 2026-03-13 21:59:39.695903223 +0000
@@ -9,10 +9,6 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
-import pytest
-
-pytest.importorskip("dns", minversion="2.7.0")
-
import isctest
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-answer/tests_nsec3.py bind9-9.18.47/bin/tests/system/nsec3-answer/tests_nsec3.py
--- bind9-9.18.44/bin/tests/system/nsec3-answer/tests_nsec3.py 2026-01-09 13:44:04.637035904 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-answer/tests_nsec3.py 2026-03-13 21:59:39.697903284 +0000
@@ -11,6 +11,10 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+# Silence incorrect warnings cause by hypothesis.assume()
+# https://github.com/pylint-dev/pylint/issues/10785#issuecomment-3677224217
+# pylint: disable=unreachable
+
from dataclasses import dataclass
import os
from pathlib import Path
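Review bot: The added `# pylint: disable=unreachable` sits at module level, so it switches the check off for the whole file rather than only for the code that follows `hypothesis.assume()` calls; a genuinely unreachable statement elsewhere in this module would no longer be reported. Scoping the pragma to the affected functions would keep the check useful. The comment also has a typo and should read `# Silence incorrect warnings caused by hypothesis.assume()`.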
@@ -18,7 +22,6 @@
import pytest
-pytest.importorskip("dns", minversion="2.5.0")
import dns.dnssec
import dns.message
import dns.name
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 bind9-9.18.47/bin/tests/system/nsec3-delegation/ns1/named.conf.j2
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/ns1/named.conf.j2 2026-03-13 21:59:39.697903284 +0000
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../../_common/rndc.key";
+
+zone "." {
+ type primary;
+ file "root.db";
+};
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/ns1/root.db bind9-9.18.47/bin/tests/system/nsec3-delegation/ns1/root.db
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/ns1/root.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/ns1/root.db 2026-03-13 21:59:39.697903284 +0000
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA . . (
+ 2025063000 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+
+a.root-servers.nil A 10.53.0.1
+
+iter-too-many. NS ns2.iter-too-many.
+ns2.iter-too-many. A 10.53.0.2
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual bind9-9.18.47/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/ns2/iter-too-many.db.j2.manual 2026-03-13 21:59:39.698903315 +0000
@@ -0,0 +1,31 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+{% raw %}
+$TTL 300
+@ IN SOA ns2.iter-too-many. hostmaster.iter-too-many. (
+ 2026020300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+)
+
+@ IN NS ns2.iter-too-many.
+ns2 IN A 10.53.0.2
+
+sub IN NS ns2.sub.iter-too-many.
+ns2.sub IN A 10.53.0.2
+{% endraw %}
+
+{% for dnskey in dnskeys %}
+@dnskey@
+{% endfor %}
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 bind9-9.18.47/bin/tests/system/nsec3-delegation/ns2/named.conf.j2
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/ns2/named.conf.j2 2026-03-13 21:59:39.698903315 +0000
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+controls {
+ inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../../_common/rndc.key";
+
+zone "iter-too-many" {
+ type primary;
+ file "iter-too-many.signed.db";
+};
+
+zone "sub.iter-too-many" {
+ type primary;
+ file "sub.iter-too-many.db";
+};
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db bind9-9.18.47/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/ns2/sub.iter-too-many.db 2026-03-13 21:59:39.698903315 +0000
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns2.sub.iter-too-many. hostmaster.sub.iter-too-many. (
+ 2026020300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+)
+
+@ IN NS ns2.sub.iter-too-many.
+ns2 IN A 10.53.0.2
+
+example IN A 127.0.0.1
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 bind9-9.18.47/bin/tests/system/nsec3-delegation/ns3/named.conf.j2
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/ns3/named.conf.j2 2026-03-13 21:59:39.698903315 +0000
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+include "../../_common/rndc.key";
+
+zone "." {
+ type hint;
+ file "../../_common/root.hint";
+};
+
+include "trusted.conf";
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 bind9-9.18.47/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/ns3/trusted.conf.j2 2026-03-13 21:59:39.537898337 +0000
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+{% for ta in trust_anchors %}
+ "@ta.domain@" @ta.type@ @ta.contents@;
+{% endfor %}
+};
diff -Nru bind9-9.18.44/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py bind9-9.18.47/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py
--- bind9-9.18.44/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/nsec3-delegation/tests_excessive_nsec3_iterations.py 2026-03-13 21:59:39.698903315 +0000
@@ -0,0 +1,61 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+from isctest.run import EnvCmd
+
+import isctest
+
+
+def bootstrap():
+ templates = isctest.template.TemplateEngine(".")
+ keygen = EnvCmd("KEYGEN", "-a ECDSA256")
+ signer = EnvCmd("SIGNER")
+
+ isctest.log.info("setup iter-too-many.")
+ zonename = "iter-too-many."
+ ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").out.strip()
+ zsk_name = keygen(f"{zonename}", cwd="ns2").out.strip()
+ ksk = isctest.kasp.Key(ksk_name, keydir="ns2")
+ zsk = isctest.kasp.Key(zsk_name, keydir="ns2")
+ dnskeys = [ksk.dnskey, zsk.dnskey]
+
+ tdata = {
+ "dnskeys": dnskeys,
+ }
+ templates.render(f"ns2/{zonename}db", tdata, template=f"ns2/{zonename}db.j2.manual")
+ signer(
+ f"-P -o {zonename} -f {zonename}signed.db -3 A1B2C3D4 -H too-many -H 151 -S {zonename}db",
+ cwd="ns2",
+ )
+
+ return {
+ "trust_anchors": [
+ ksk.into_ta("static-key"),
+ ],
+ }
+
+
+def test_excessive_nsec3_iterations_delegation(ns3):
+ # reproducer for CVE-2026-1519 [GL#5708]
+ zone = "example.sub.iter-too-many"
+ msg = isctest.query.create(zone, "A")
+ res = isctest.query.tcp(msg, ns3.ip)
+
+ # an insecure response is expected regardless of the NSEC3 iteration limit,
+ # because the sub.iter-too-many. zone is unsigned. the real difference is
+ # in the CPU usage required for generating such response, but that can't be
+ # easily and reliably tested in an automated fashion
+ isctest.check.noerror(res)
+
+ with ns3.watch_log_from_start() as watcher:
+ watcher.wait_for_line(
+ f"validating {zone}/A: validator_callback_ds: too many iterations"
+ )
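Review bot: The comment in `test_excessive_nsec3_iterations_delegation` says an insecure response is expected, but the test only calls `isctest.check.noerror(res)`, so a response that wrongly carried the AD bit would still pass. An explicit check such as `assert not res.flags & dns.flags.AD` (with `import dns.flags`) would pin that expectation. `bootstrap()` would also benefit from a short docstring saying that the zone is signed with NSEC3 using `-H 151` so that the iteration count exceeds what the validator on ns3 accepts; the limit itself is not visible in this hunk and should be confirmed before it is named in the docstring.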
diff -Nru bind9-9.18.44/bin/tests/system/optout/tests_optout.py bind9-9.18.47/bin/tests/system/optout/tests_optout.py
--- bind9-9.18.44/bin/tests/system/optout/tests_optout.py 2026-01-09 13:44:04.646036053 +0000
+++ bind9-9.18.47/bin/tests/system/optout/tests_optout.py 2026-03-13 21:59:39.706903563 +0000
@@ -19,7 +19,7 @@
import isctest
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
+import dns
import dns.exception
import dns.message
import dns.name
@@ -28,7 +28,6 @@
import dns.rdataclass
import dns.rdatatype
-
pytestmark = [
pytest.mark.skipif(
sys.version_info < (3, 7), reason="Python >= 3.7 required [GL #3001]"
diff -Nru bind9-9.18.44/bin/tests/system/pipelined/ans5/ans.py bind9-9.18.47/bin/tests/system/pipelined/ans5/ans.py
--- bind9-9.18.44/bin/tests/system/pipelined/ans5/ans.py 2026-01-09 13:44:04.648036086 +0000
+++ bind9-9.18.47/bin/tests/system/pipelined/ans5/ans.py 2026-03-13 21:59:39.709903656 +0000
@@ -199,7 +199,7 @@
while True:
try:
- (clientsock, _) = sock.accept()
+ clientsock, _ = sock.accept()
log("Accepted connection from %s" % clientsock)
thread = TCPDelayer(clientsock, serverip, port)
thread.start()
diff -Nru bind9-9.18.44/bin/tests/system/requirements.txt bind9-9.18.47/bin/tests/system/requirements.txt
--- bind9-9.18.44/bin/tests/system/requirements.txt 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/requirements.txt 2026-03-13 21:59:39.718903934 +0000
@@ -0,0 +1,13 @@
+### Test requirements
+
+dnspython>=2.7.0
+
+cryptography
+hypothesis>=4.41.2
+jinja2
+pytest>=7.0.0
+requests
+
+### Utility packages for executing the tests
+flaky
+pytest-xdist
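Review bot: Five of the entries (`cryptography`, `jinja2`, `requests`, `flaky`, `pytest-xdist`) have no version constraint and the other three only a lower bound, so every install resolves to whatever is newest on the index at that moment. For an environment that builds and exercises a DNS server in CI, that makes runs non-reproducible and lets a broken or compromised upstream release enter unnoticed. Keeping this file as the loose statement of intent and adding a generated lock file with exact versions and hashes, installed with `pip install --require-hashes -r <lockfile>`, would address both.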
diff -Nru bind9-9.18.44/bin/tests/system/rndc/tests_cve-2023-3341.py bind9-9.18.47/bin/tests/system/rndc/tests_cve-2023-3341.py
--- bind9-9.18.44/bin/tests/system/rndc/tests_cve-2023-3341.py 2026-01-09 13:44:04.662036317 +0000
+++ bind9-9.18.47/bin/tests/system/rndc/tests_cve-2023-3341.py 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-#!/usr/bin/python3
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-import socket
-import time
-
-import pytest
-
-import isctest
-
-
-pytestmark = pytest.mark.extra_artifacts(
- [
- "ns2/nil.db",
- "ns2/other.db",
- "ns2/secondkey.conf",
- "ns2/static.db",
- "ns4/example.db",
- "ns4/key*.conf",
- "ns6/huge.zone.db",
- "ns7/include.db",
- "ns7/test.db",
- ]
-)
-
-
-def test_cve_2023_3341(control_port):
- depth = 4500
- # Should not be more than isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768)
- total_len = 10 + (depth * 7) - 6
-
- with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
- data = b"".join(
- [
- total_len.to_bytes(4, "big"), #
- b"\x00\x00\x00\x01", #
- b"\x01\x41", #
- ]
- )
-
- for i in range(depth, 0, -1):
- l = (i - 1) * 7
- t = b"".join(
- [
- b"\x02", # ISCCC_CCMSGTYPE_TABLE
- l.to_bytes(4, "big"), #
- b"\x01\x41", #
- ]
- )
- data = b"".join([data, t])
-
- s.connect(("10.53.0.2", control_port))
- s.sendall(data)
-
- # Wait for named to (possibly) crash
- time.sleep(10)
-
- msg = isctest.query.create("version.bind", "TXT", "CH")
- res = isctest.query.udp(msg, "10.53.0.2")
- isctest.check.noerror(res)
diff -Nru bind9-9.18.44/bin/tests/system/rndc/tests_cve_2023_3341.py bind9-9.18.47/bin/tests/system/rndc/tests_cve_2023_3341.py
--- bind9-9.18.44/bin/tests/system/rndc/tests_cve_2023_3341.py 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/rndc/tests_cve_2023_3341.py 2026-03-13 21:59:39.725904150 +0000
@@ -0,0 +1,69 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import socket
+import time
+
+import pytest
+
+import isctest
+
+pytestmark = pytest.mark.extra_artifacts(
+ [
+ "ns2/nil.db",
+ "ns2/other.db",
+ "ns2/secondkey.conf",
+ "ns2/static.db",
+ "ns4/example.db",
+ "ns4/key*.conf",
+ "ns6/huge.zone.db",
+ "ns7/include.db",
+ "ns7/test.db",
+ ]
+)
+
+
+def test_cve_2023_3341(control_port):
+ depth = 4500
+ # Should not be more than isccc_ccmsg_setmaxsize(&conn->ccmsg, 32768)
+ total_len = 10 + (depth * 7) - 6
+
+ with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
+ data = b"".join(
+ [
+ total_len.to_bytes(4, "big"), #
+ b"\x00\x00\x00\x01", #
+ b"\x01\x41", #
+ ]
+ )
+
+ for i in range(depth, 0, -1):
+ l = (i - 1) * 7
+ t = b"".join(
+ [
+ b"\x02", # ISCCC_CCMSGTYPE_TABLE
+ l.to_bytes(4, "big"), #
+ b"\x01\x41", #
+ ]
+ )
+ data = b"".join([data, t])
+
+ s.connect(("10.53.0.2", control_port))
+ s.sendall(data)
+
+ # Wait for named to (possibly) crash
+ time.sleep(10)
+
+ msg = isctest.query.create("version.bind", "TXT", "CH")
+ res = isctest.query.udp(msg, "10.53.0.2")
+ isctest.check.noerror(res)
diff -Nru bind9-9.18.44/bin/tests/system/rpzextra/tests_rpzextra.py bind9-9.18.47/bin/tests/system/rpzextra/tests_rpzextra.py
--- bind9-9.18.44/bin/tests/system/rpzextra/tests_rpzextra.py 2026-01-09 13:44:04.670036448 +0000
+++ bind9-9.18.47/bin/tests/system/rpzextra/tests_rpzextra.py 2026-03-13 21:59:39.732904367 +0000
@@ -15,13 +15,11 @@
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
+import dns
import dns.rcode
import dns.rrset
import isctest
-from isctest.compat import dns_rcode
-
pytestmark = pytest.mark.extra_artifacts(
[
@@ -78,13 +76,13 @@
msg,
ip="10.53.0.3",
source="10.53.0.2",
- expected_rcode=dns_rcode.NOERROR,
+ expected_rcode=dns.rcode.NOERROR,
)
isctest.query.tcp(
msg,
ip="10.53.0.3",
source="10.53.0.5",
- expected_rcode=dns_rcode.NOERROR,
+ expected_rcode=dns.rcode.NOERROR,
)
msg = isctest.query.create(qname, "A")
diff -Nru bind9-9.18.44/bin/tests/system/selftest/tests_zone_analyzer.py bind9-9.18.47/bin/tests/system/selftest/tests_zone_analyzer.py
--- bind9-9.18.44/bin/tests/system/selftest/tests_zone_analyzer.py 2026-01-09 13:44:04.681036630 +0000
+++ bind9-9.18.47/bin/tests/system/selftest/tests_zone_analyzer.py 2026-03-13 21:59:39.744904738 +0000
@@ -14,7 +14,6 @@
Generate insane test zone and check expected output of ZoneAnalyzer utility class
"""
-
import collections
import itertools
from pathlib import Path
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/ans2/ans.pl bind9-9.18.47/bin/tests/system/serve-stale/ans2/ans.pl
--- bind9-9.18.44/bin/tests/system/serve-stale/ans2/ans.pl 2026-01-09 13:44:04.682036647 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/ans2/ans.pl 2026-03-13 21:59:39.744904738 +0000
@@ -72,6 +72,15 @@
my $LONGTARGET = "longttl.target.example 600 IN A $localaddr";
my $OUTCNAME = "out-cname.example 600 IN CNAME serve.stale";
+#
+# YWH records
+#
+my $ywhSOA = "source.stale 300 IN SOA . . 0 0 0 0 300";
+my $ywhNS = "source.stale 300 IN NS ns.source.stale";
+my $ywhA = "ns.source.stale 300 IN A $localaddr";
+my $ywhCNAME = "alias.source.stale 2 IN CNAME www.target.stale";
+my $ywhCNAMENX = "aliasnx.source.stale 2 IN CNAME nonexist.target.stale";
+
sub reply_handler {
my ($qname, $qclass, $qtype) = @_;
my ($rcode, @ans, @auth, @add);
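Review bot: The new `# YWH records` header does not say what these records are for, or why the two CNAMEs carry a TTL of 2 while the other records use 300. A comment along the lines of `# Records for the YWH-PGM40640-56 stale-CNAME test; the CNAMEs use TTL 2 so they expire before the stale lookup` would save the next reader a search through tests.sh. `reply_handler` continues outside this hunk.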
@@ -290,6 +299,34 @@
push @auth, $rr;
}
$rcode = "NOERROR";
+ } elsif ($qname eq "source.stale") {
+ if ($qtype eq "SOA") {
+ my $rr = new Net::DNS::RR($ywhSOA);
+ push @ans, $rr;
+ } elsif ($qtype eq "NS") {
+ my $rr = new Net::DNS::RR($ywhNS);
+ push @ans, $rr;
+ $rr = new Net::DNS::RR($ywhA);
+ push @add, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "ns.source.stale") {
+ if ($qtype eq "A") {
+ my $rr = new Net::DNS::RR($ywhA);
+ push @ans, $rr;
+ } else {
+ my $rr = new Net::DNS::RR($ywhSOA);
+ push @auth, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "alias.source.stale") {
+ my $rr = new Net::DNS::RR($ywhCNAME);
+ push @ans, $rr;
+ $rcode = "NOERROR";
+ } elsif ($qname eq "aliasnx.source.stale") {
+ my $rr = new Net::DNS::RR($ywhCNAMENX);
+ push @ans, $rr;
+ $rcode = "NOERROR";
} else {
my $rr = new Net::DNS::RR($SOA);
push @auth, $rr;
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/ans8/ans.pl bind9-9.18.47/bin/tests/system/serve-stale/ans8/ans.pl
--- bind9-9.18.44/bin/tests/system/serve-stale/ans8/ans.pl 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/ans8/ans.pl 2026-03-13 21:59:39.744904738 +0000
@@ -0,0 +1,164 @@
+#!/usr/bin/env perl
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+use strict;
+use warnings;
+
+use IO::File;
+use IO::Socket;
+use Getopt::Long;
+use Net::DNS;
+use Time::HiRes qw(usleep nanosleep);
+
+my $pidf = new IO::File "ans.pid", "w" or die "cannot open pid file: $!";
+print $pidf "$$\n" or die "cannot write pid file: $!";
+$pidf->close or die "cannot close pid file: $!";
+sub rmpid { unlink "ans.pid"; exit 1; };
+
+$SIG{INT} = \&rmpid;
+$SIG{TERM} = \&rmpid;
+
+my $localaddr = "10.53.0.8";
+
+my $localport = int($ENV{'PORT'});
+if (!$localport) { $localport = 5300; }
+
+my $udpsock = IO::Socket::INET->new(LocalAddr => "$localaddr",
+ LocalPort => $localport, Proto => "udp", Reuse => 1) or die "$!";
+
+#
+# YWH records
+#
+my $ywhSOA = "target.stale 300 IN SOA . . 0 0 0 0 300";
+my $ywhNS = "target.stale 300 IN NS ns.target.stale";
+my $ywhA = "ns.target.stale 300 IN A $localaddr";
+my $ywhWWW = "www.target.stale 2 IN A 10.0.0.1";
+
+sub reply_handler {
+ my ($qname, $qclass, $qtype) = @_;
+ my ($rcode, @ans, @auth, @add);
+
+ print ("request: $qname/$qtype\n");
+ STDOUT->flush();
+
+ # Control what response we send.
+ if ($qname eq "update" ) {
+ if ($qtype eq "TXT") {
+ $ywhWWW = "www.target.stale 2 IN A 10.0.0.2";
+ my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"update\"");
+ push @ans, $rr;
+ }
+ $rcode = "NOERROR";
+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+ } elsif ($qname eq "restore" ) {
+ if ($qtype eq "TXT") {
+ $ywhWWW = "www.target.stale 2 IN A 10.0.0.1";
+ my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"restore\"");
+ push @ans, $rr;
+ }
+ $rcode = "NOERROR";
+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+ }
+
+ if ($qname eq "target.stale") {
+ if ($qtype eq "SOA") {
+ my $rr = new Net::DNS::RR($ywhSOA);
+ push @ans, $rr;
+ } elsif ($qtype eq "NS") {
+ my $rr = new Net::DNS::RR($ywhNS);
+ push @ans, $rr;
+ $rr = new Net::DNS::RR($ywhA);
+ push @add, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "ns.target.stale") {
+ if ($qtype eq "A") {
+ my $rr = new Net::DNS::RR($ywhA);
+ push @ans, $rr;
+ } else {
+ my $rr = new Net::DNS::RR($ywhSOA);
+ push @auth, $rr;
+ }
+ $rcode = "NOERROR";
+ } elsif ($qname eq "www.target.stale") {
+ if ($qtype eq "A") {
+ my $rr = new Net::DNS::RR($ywhWWW);
+ push @ans, $rr;
+ } else {
+ my $rr = new Net::DNS::RR($ywhSOA);
+ push @auth, $rr;
+ }
+ $rcode = "NOERROR";
+ } else {
+ my $rr = new Net::DNS::RR($ywhSOA);
+ push @auth, $rr;
+ $rcode = "NXDOMAIN";
+ }
+
+ # mark the answer as authoritative (by setting the 'aa' flag)
+ return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
+}
+
+GetOptions(
+ 'port=i' => \$localport,
+);
+
+my $rin;
+my $rout;
+
+for (;;) {
+ $rin = '';
+ vec($rin, fileno($udpsock), 1) = 1;
+
+ select($rout = $rin, undef, undef, undef);
+
+ if (vec($rout, fileno($udpsock), 1)) {
+ my ($buf, $request, $err);
+ $udpsock->recv($buf, 512);
+
+ if ($Net::DNS::VERSION > 0.68) {
+ $request = new Net::DNS::Packet(\$buf, 0);
+ $@ and die $@;
+ } else {
+ my $err;
+ ($request, $err) = new Net::DNS::Packet(\$buf, 0);
+ $err and die $err;
+ }
+
+ my @questions = $request->question;
+ my $qname = $questions[0]->qname;
+ my $qclass = $questions[0]->qclass;
+ my $qtype = $questions[0]->qtype;
+ my $id = $request->header->id;
+
+ my ($rcode, $ans, $auth, $add, $headermask) = reply_handler($qname, $qclass, $qtype);
+
+ if (!defined($rcode)) {
+ print " Silently ignoring query\n";
+ next;
+ }
+
+ my $reply = Net::DNS::Packet->new();
+ $reply->header->qr(1);
+ $reply->header->aa(1) if $headermask->{'aa'};
+ $reply->header->id($id);
+ $reply->header->rcode($rcode);
+ $reply->push("question", @questions);
+ $reply->push("answer", @$ans) if $ans;
+ $reply->push("authority", @$auth) if $auth;
+ $reply->push("additional", @$add) if $add;
+
+ my $num_chars = $udpsock->send($reply->data);
+ print " Sent $num_chars bytes via UDP\n";
+ }
+}
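Review bot: `GetOptions('port=i' => \$localport)` runs after `IO::Socket::INET->new(... LocalPort => $localport ...)`, so a `--port` argument is parsed but never reaches the socket, which is already bound to the `PORT` environment value or 5300. Moving the `GetOptions(...)` call above the socket creation fixes that. Separately, the receive loop dereferences `$questions[0]` without checking that the parsed packet has a question, and it dies on any packet that fails to parse, so a single stray datagram ends the helper mid-test; `next unless @questions;` after `$request->question` would make it more robust.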
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/ns6/stale.db bind9-9.18.47/bin/tests/system/serve-stale/ns6/stale.db
--- bind9-9.18.44/bin/tests/system/serve-stale/ns6/stale.db 2026-01-09 13:44:04.684036679 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/ns6/stale.db 2026-03-13 21:59:39.746904800 +0000
@@ -9,9 +9,12 @@
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
-stale. IN SOA ns.stale. matthijs.isc.org. 1 0 0 0 0
-stale. IN NS ns.stale.
-ns.stale. IN A 10.53.0.6
+stale. IN SOA ns.stale. matthijs.isc.org. 1 0 0 0 0
+stale. IN NS ns.stale.
+ns.stale. IN A 10.53.0.6
-serve.stale. IN NS ns.serve.stale.
-ns.serve.stale. IN A 10.53.0.6
+serve.stale. IN NS ns.serve.stale.
+ns.serve.stale. IN A 10.53.0.6
+
+target.stale. IN NS ns.target.stale.
+ns.target.stale. IN A 10.53.0.7
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/ns7/named.conf.j2 bind9-9.18.47/bin/tests/system/serve-stale/ns7/named.conf.j2
--- bind9-9.18.44/bin/tests/system/serve-stale/ns7/named.conf.j2 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/ns7/named.conf.j2 2026-03-13 21:59:39.747904830 +0000
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation no;
+ qname-minimization off;
+
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ max-stale-ttl 3600;
+
+ stale-answer-client-timeout off;
+ stale-refresh-time 30;
+
+ max-cache-ttl 300;
+ max-ncache-ttl 300;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+// Authoritative zone: nonexist.target.stale -> NXDOMAIN
+zone "target.stale" {
+ type primary;
+ file "target.stale.db";
+};
+
+// Forward source.stale queries to ans2
+zone "source.stale" {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.2 port @PORT@; };
+};
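Review bot: The `key rndc_key` block spells the secret out inline, and named1.conf.j2 repeats the same literal, whereas the nsec3-delegation configs added in this diff use `include "../../_common/rndc.key";`. Using the shared include here as well would leave one place to change the test key, provided the shared file defines the same key name and the serve-stale scripts do not depend on this particular secret (neither is visible here). named.conf.j2 and named1.conf.j2 also differ only in the `target.stale` zone stanza, so a comment at the top of each saying which test variant it serves (local authoritative zone versus forwarding to ans8) would help.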
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/ns7/named1.conf.j2 bind9-9.18.47/bin/tests/system/serve-stale/ns7/named1.conf.j2
--- bind9-9.18.44/bin/tests/system/serve-stale/ns7/named1.conf.j2 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/ns7/named1.conf.j2 2026-03-13 21:59:39.747904830 +0000
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation no;
+ qname-minimization off;
+
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ max-stale-ttl 3600;
+
+ stale-answer-client-timeout off;
+ stale-refresh-time 30;
+
+ max-cache-ttl 300;
+ max-ncache-ttl 300;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+// Forward source.stale queries to ans2
+zone "source.stale" {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.2 port @PORT@; };
+};
+
+// Forward target.stale queries to ans8
+zone "target.stale" {
+ type forward;
+ forward only;
+ forwarders { 10.53.0.8 port @PORT@; };
+};
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/ns7/root.db bind9-9.18.47/bin/tests/system/serve-stale/ns7/root.db
--- bind9-9.18.44/bin/tests/system/serve-stale/ns7/root.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/ns7/root.db 2026-03-13 21:59:39.745904769 +0000
@@ -0,0 +1,20 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 300 SOA . . 0 0 0 0 0
+. 300 NS ns.nil.
+ns.nil. 300 A 10.53.0.1
+example. 300 NS ns.example.
+ns.example. 300 A 10.53.0.2
+slow. 300 NS ns.slow.
+ns.slow. 300 A 10.53.0.2
+stale. 300 NS ns.stale.
+ns.stale. 300 A 10.53.0.6
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/ns7/target.stale.db bind9-9.18.47/bin/tests/system/serve-stale/ns7/target.stale.db
--- bind9-9.18.44/bin/tests/system/serve-stale/ns7/target.stale.db 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/ns7/target.stale.db 2026-03-13 21:59:39.747904830 +0000
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+target.stale. IN SOA ns.target.stale. ywh. 1 0 0 0 0
+target.stale. IN NS ns.target.stale.
+ns.target.stale. IN A 10.53.0.6
+
+; NOTE: "nonexist.target.stale." is NOT defined here.
+; Queries for it will return authoritative NXDOMAIN.
+; This is the CNAME target from alias.source.stale.
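Review bot: The trailing note says `nonexist.target.stale.` is the CNAME target from `alias.source.stale`, but in ans2/ans.pl in this diff `alias.source.stale` points at `www.target.stale` and it is `aliasnx.source.stale` that points at `nonexist.target.stale`; the comment should read `; This is the CNAME target from aliasnx.source.stale.`. The zone also gives `ns.target.stale.` the address 10.53.0.6, while the glue added to ns6/stale.db uses 10.53.0.7 and this zone is loaded by ns7. That mismatch may be harmless for the test, but if it is intentional a comment should say so.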
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/tests.sh bind9-9.18.47/bin/tests/system/serve-stale/tests.sh
--- bind9-9.18.44/bin/tests/system/serve-stale/tests.sh 2026-01-09 13:44:04.684036679 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/tests.sh 2026-03-13 21:59:39.747904830 +0000
@@ -25,6 +25,212 @@
n=0
#
+# YWH-PGM40640-56:
+# Stale/Wrong DNS Data Served via CNAME Flag Leak.
+#
+echo_i "test server with serve-stale options set"
+
+#
+# Variant 1: local authoritative zone
+#
+
+# Initial query — populates cache, gets correct NXDOMAIN
+n=$((n + 1))
+echo_i "prime cache aliasnx.source.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.7 aliasnx.source.stale A >dig.out.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Wait for CNAME TTL to expire
+sleep 3
+# Kill auth server — source.test becomes unreachable
+n=$((n + 1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Query via stale CNAME — triggers the bug
+n=$((n + 1))
+echo_i "check stale aliasnx.source.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.7 aliasnx.source.stale A >dig.out.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Restore auth server
+n=$((n + 1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Variant 2: stale/wrong data served
+#
+n=$((n + 1))
+echo_i "updating ns7/named.conf ($n)"
+ret=0
+cp ns7/named1.conf ns7/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "running 'rndc reload' ($n)"
+ret=0
+rndc_reload ns7 10.53.0.7
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Initial query — caches both CNAME and A record
+n=$((n + 1))
+echo_i "prime cache alias.source.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.7 alias.source.stale A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
+grep "alias.source.stale.*2.*IN.*CNAME.*www.target.stale." dig.out.test$n >/dev/null || ret=1
+grep "www.target.stale.*2.*IN.*A.*10.0.0.1" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Wait for both TTLs to expire
+sleep 3
+# Kill source.test auth (CNAME becomes stale)
+n=$((n + 1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Kill target auth, restart with NEW IP (10.0.0.2)
+n=$((n + 1))
+echo_i "update target authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.8 txt update >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"update\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Query via stale CNAME — triggers the bug
+n=$((n + 1))
+echo_i "check stale alias.source.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.7 alias.source.stale A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 2," dig.out.test$n >/dev/null || ret=1
+grep "alias.source.stale.*30.*IN.*CNAME.*www.target.stale." dig.out.test$n >/dev/null || ret=1
+grep "www.target.stale.*2.*IN.*A.*10.0.0.2" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Control: direct query for same name (no stale CNAME involved)
+n=$((n + 1))
+echo_i "check target www.target.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.7 www.target.stale A >dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "www.target.stale.*IN.*A.*10.0.0.2" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Restore auth servers
+n=$((n + 1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "update target authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.8 txt restore >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"restore\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Variant 3: recursion blocked, servfail
+#
+
+# Flush stale data
+n=$((n + 1))
+echo_i "flush stale data ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 flushtree stale >/dev/null 2>&1 || ret=1
+sleep 1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Initial query — NXDOMAIN via CNAME chain through BOTH forwarders
+n=$((n + 1))
+echo_i "prime cache aliasnx.source.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.7 aliasnx.source.stale A >dig.out.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "aliasnx.source.stale.*2.*IN.*CNAME.*nonexist.target.stale." dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Wait for CNAME TTL to expire
+sleep 3
+# Kill source.test auth ONLY (target.test auth stays alive!)
+n=$((n + 1))
+echo_i "disable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt disable >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"0\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Flush target's negative cache entry (simulates cache eviction/pressure)
+n=$((n + 1))
+echo_i "flush name nonexist.target.stale ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 flushname nonexist.target.stale >/dev/null 2>&1 || ret=1
+sleep 1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Verify target auth is STILL ALIVE and returns correct NXDOMAIN
+n=$((n + 1))
+echo_i "verify nonexist.target.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.8 nonexist.target.stale A >dig.out.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# Query via stale CNAME — triggers the bug
+n=$((n + 1))
+echo_i "check stale aliasnx.source.stale A ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.7 aliasnx.source.stale A >dig.out.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+grep "aliasnx.source.stale.*30.*IN.*CNAME.*nonexist.target.stale." dig.out.test$n >/dev/null || ret=1
+# Restore auth server
+n=$((n + 1))
+echo_i "enable responses from authoritative server ($n)"
+ret=0
+$DIG -p ${PORT} @10.53.0.2 txt enable >dig.out.test$n || ret=1
+grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1
+grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
# First test server with serve-stale options set.
#
echo_i "test server with serve-stale options set"
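Review bot: In variant 3 the last check, `grep "aliasnx.source.stale.*30.*IN.*CNAME.*nonexist.target.stale." ... || ret=1`, comes after `status=$((status + ret))`, and the next step starts with `ret=0`. A failure of that grep is therefore never counted, and the stale-CNAME assertion of this regression test cannot fail the run. Move the grep above the `if [ $ret != 0 ]; then echo_i "failed"; fi` line of the same step. In variant 2, `cp ns7/named1.conf ns7/named.conf` and `rndc_reload ns7 10.53.0.7` are followed by a `ret` test but never set it, so those steps always report success as written; `cp ns7/named1.conf ns7/named.conf || ret=1` would fix the first. The step comments also refer to `source.test` and `target.test` while the queries use `source.stale` and `target.stale`.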
diff -Nru bind9-9.18.44/bin/tests/system/serve-stale/tests_sh_serve_stale.py bind9-9.18.47/bin/tests/system/serve-stale/tests_sh_serve_stale.py
--- bind9-9.18.44/bin/tests/system/serve-stale/tests_sh_serve_stale.py 2026-01-09 13:44:04.684036679 +0000
+++ bind9-9.18.47/bin/tests/system/serve-stale/tests_sh_serve_stale.py 2026-03-13 21:59:39.747904830 +0000
@@ -19,6 +19,8 @@
"ns*/named.stats*",
"ns*/named_dump*",
"ns*/named.stats*",
+ "ns*/named.conf",
+ "ns*/named1.conf",
"ns*/root.bk",
]
)
diff -Nru bind9-9.18.44/bin/tests/system/shutdown/tests_shutdown.py bind9-9.18.47/bin/tests/system/shutdown/tests_shutdown.py
--- bind9-9.18.44/bin/tests/system/shutdown/tests_shutdown.py 2026-01-09 13:44:04.686036712 +0000
+++ bind9-9.18.47/bin/tests/system/shutdown/tests_shutdown.py 2026-03-13 21:59:39.749904892 +0000
@@ -21,7 +21,7 @@
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
+import dns
import dns.exception
import isctest
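Review bot: Replacing `pytest.importorskip("dns", minversion="2.0.0")` with a plain `import dns` means a missing dnspython is now an import error at collection time instead of a skip, and no version check remains in this file. The same substitution appears in tests_tcp.py, tests_tcp_timeouts.py, tests_isc_spnego_flaws.py and tests_wildcard.py, and for `requests` in tests_json.py and tests_xml.py. The 9.18.45 changelog in this diff says the requirements are tracked in bin/tests/system/requirements.txt, but whether anything enforces them at run time is not visible here. A short comment at the import, such as `# minimum dnspython version is tracked in bin/tests/system/requirements.txt`, would tell the reader where the gate went.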
diff -Nru bind9-9.18.44/bin/tests/system/statschannel/generic.py bind9-9.18.47/bin/tests/system/statschannel/generic.py
--- bind9-9.18.44/bin/tests/system/statschannel/generic.py 2026-01-09 13:44:04.692036811 +0000
+++ bind9-9.18.47/bin/tests/system/statschannel/generic.py 2026-03-13 21:59:39.756905109 +0000
@@ -20,7 +20,6 @@
import isctest
-
# ISO datetime format without msec
fmt = "%Y-%m-%dT%H:%M:%SZ"
@@ -87,7 +86,7 @@
zones = fetch_zones(statsip, statsport)
for zone in zones:
- (name, loaded, expires, refresh) = load_timers(zone, True)
+ name, loaded, expires, refresh = load_timers(zone, True)
mtime = zone_mtime(zonedir, name)
check_zone_timers(loaded, expires, refresh, mtime)
@@ -103,7 +102,7 @@
zones = fetch_zones(statsip, statsport)
again = False
for zone in zones:
- (name, loaded, expires, refresh) = load_timers(zone, False)
+ name, loaded, expires, refresh = load_timers(zone, False)
mtime = zone_mtime(zonedir, name)
if (mtime != dayzero) or (tries == 0):
# mtime was either retrieved successfully or no tries were
diff -Nru bind9-9.18.44/bin/tests/system/statschannel/tests_json.py bind9-9.18.47/bin/tests/system/statschannel/tests_json.py
--- bind9-9.18.44/bin/tests/system/statschannel/tests_json.py 2026-01-09 13:44:04.694036844 +0000
+++ bind9-9.18.47/bin/tests/system/statschannel/tests_json.py 2026-03-13 21:59:39.758905171 +0000
@@ -14,14 +14,13 @@
from datetime import datetime
import pytest
+import requests
import isctest.mark
pytest.register_assert_rewrite("generic")
import generic
-requests = pytest.importorskip("requests")
-
pytestmark = [
isctest.mark.have_json_c,
pytest.mark.extra_artifacts(
diff -Nru bind9-9.18.44/bin/tests/system/statschannel/tests_xml.py bind9-9.18.47/bin/tests/system/statschannel/tests_xml.py
--- bind9-9.18.44/bin/tests/system/statschannel/tests_xml.py 2026-01-09 13:44:04.694036844 +0000
+++ bind9-9.18.47/bin/tests/system/statschannel/tests_xml.py 2026-03-13 21:59:39.758905171 +0000
@@ -15,14 +15,13 @@
import xml.etree.ElementTree as ET
import pytest
+import requests
import isctest.mark
pytest.register_assert_rewrite("generic")
import generic
-requests = pytest.importorskip("requests")
-
pytestmark = [
isctest.mark.have_libxml2,
pytest.mark.extra_artifacts(
diff -Nru bind9-9.18.44/bin/tests/system/tcp/ans6/ans.py bind9-9.18.47/bin/tests/system/tcp/ans6/ans.py
--- bind9-9.18.44/bin/tests/system/tcp/ans6/ans.py 2026-01-09 13:44:04.701036960 +0000
+++ bind9-9.18.47/bin/tests/system/tcp/ans6/ans.py 2026-03-13 21:59:39.764905356 +0000
@@ -39,7 +39,6 @@
import sys
import time
-
# Timeout for establishing all connections requested by a single 'open' command.
OPEN_TIMEOUT = 2
VERSION_QUERY = b"\x00\x1e\xaf\xb8\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07version\x04bind\x00\x00\x10\x00\x03"
@@ -136,7 +135,7 @@
ctlsock.listen(1)
while True:
- (clientsock, _) = ctlsock.accept()
+ clientsock, _ = ctlsock.accept()
log("Accepted control connection from %s" % clientsock)
cmdline = clientsock.recv(512).decode("ascii").strip()
if cmdline:
diff -Nru bind9-9.18.44/bin/tests/system/tcp/tests_tcp.py bind9-9.18.47/bin/tests/system/tcp/tests_tcp.py
--- bind9-9.18.44/bin/tests/system/tcp/tests_tcp.py 2026-01-09 13:44:04.702036976 +0000
+++ bind9-9.18.47/bin/tests/system/tcp/tests_tcp.py 2026-03-13 21:59:39.766905418 +0000
@@ -19,7 +19,7 @@
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
+import dns
import dns.message
import dns.query
diff -Nru bind9-9.18.44/bin/tests/system/timeouts/tests_tcp_timeouts.py bind9-9.18.47/bin/tests/system/timeouts/tests_tcp_timeouts.py
--- bind9-9.18.44/bin/tests/system/timeouts/tests_tcp_timeouts.py 2026-01-09 13:44:04.703036993 +0000
+++ bind9-9.18.47/bin/tests/system/timeouts/tests_tcp_timeouts.py 2026-03-13 21:59:39.767905449 +0000
@@ -18,7 +18,7 @@
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
+import dns
import dns.edns
import dns.message
import dns.name
@@ -170,7 +170,7 @@
dns.query.send_tcp(sock, msg, timeout())
# Receive the initial DNS message with SOA
- (response, _) = dns.query.receive_tcp(sock, timeout(), one_rr_per_rrset=True)
+ response, _ = dns.query.receive_tcp(sock, timeout(), one_rr_per_rrset=True)
soa = response.get_rrset(
dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
)
@@ -178,9 +178,7 @@
# Pull DNS message from wire until the second SOA is received
while True:
- (response, _) = dns.query.receive_tcp(
- sock, timeout(), one_rr_per_rrset=True
- )
+ response, _ = dns.query.receive_tcp(sock, timeout(), one_rr_per_rrset=True)
soa = response.get_rrset(
dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
)
@@ -226,7 +224,7 @@
dns.query.send_tcp(sock, msg, timeout())
# Receive the initial DNS message with SOA
- (response, _) = dns.query.receive_tcp(sock, timeout(), one_rr_per_rrset=True)
+ response, _ = dns.query.receive_tcp(sock, timeout(), one_rr_per_rrset=True)
soa = response.get_rrset(
dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
)
@@ -237,7 +235,7 @@
with pytest.raises(ConnectionResetError):
# Process queued TCP messages
while True:
- (response, _) = dns.query.receive_tcp(
+ response, _ = dns.query.receive_tcp(
sock, timeout(), one_rr_per_rrset=True
)
soa = response.get_rrset(
@@ -258,7 +256,7 @@
dns.query.send_tcp(sock, msg, timeout())
# Receive the initial DNS message with SOA
- (response, _) = dns.query.receive_tcp(sock, timeout(), one_rr_per_rrset=True)
+ response, _ = dns.query.receive_tcp(sock, timeout(), one_rr_per_rrset=True)
soa = response.get_rrset(
dns.message.ANSWER, name, dns.rdataclass.IN, dns.rdatatype.SOA
)
@@ -268,7 +266,7 @@
with pytest.raises(EOFError):
while True:
time.sleep(1)
- (response, _) = dns.query.receive_tcp(
+ response, _ = dns.query.receive_tcp(
sock, timeout(), one_rr_per_rrset=True
)
soa = response.get_rrset(
diff -Nru bind9-9.18.44/bin/tests/system/tsig/tests_tsig_hypothesis.py bind9-9.18.47/bin/tests/system/tsig/tests_tsig_hypothesis.py
--- bind9-9.18.44/bin/tests/system/tsig/tests_tsig_hypothesis.py 2026-01-09 13:44:04.707037059 +0000
+++ bind9-9.18.47/bin/tests/system/tsig/tests_tsig_hypothesis.py 2026-03-13 21:59:39.771905573 +0000
@@ -11,12 +11,14 @@
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+# Silence incorrect warnings cause by hypothesis.assume()
+# https://github.com/pylint-dev/pylint/issues/10785#issuecomment-3677224217
+# pylint: disable=unreachable
+
import time
import pytest
-pytest.importorskip("dns", minversion="2.7.0") # TSIG parsing without validation
-
import dns.exception
import dns.message
import dns.name
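Review bot: The guard removed here required dnspython 2.7.0 ("TSIG parsing without validation"), which is higher than the 2.3.0 minimum given in the 9.18.45 changelog in this diff. On dnspython 2.3 to 2.6 this module would now be collected and run instead of skipped. Unless a replacement check exists outside this hunk, keep a gate for this file, for example `pytest.importorskip("dns", minversion="2.7.0")`. The added `# pylint: disable=unreachable` applies to the whole module, not only the `assume()` call sites, and its comment should read "caused by".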
@@ -32,7 +34,6 @@
from hypothesis import assume, example, given, HealthCheck, settings
from hypothesis.strategies import binary, booleans, composite, just, sampled_from
-
pytestmark = pytest.mark.extra_artifacts(
[
"ans*/ans.run",
diff -Nru bind9-9.18.44/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py bind9-9.18.47/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py
--- bind9-9.18.44/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py 2026-01-09 13:44:04.708037075 +0000
+++ bind9-9.18.47/bin/tests/system/tsiggss/tests_isc_spnego_flaws.py 2026-03-13 21:59:39.772905603 +0000
@@ -24,7 +24,7 @@
import isctest
-pytest.importorskip("dns")
+import dns
import dns.message
import dns.name
import dns.rdata
diff -Nru bind9-9.18.44/bin/tests/system/wildcard/tests_wildcard.py bind9-9.18.47/bin/tests/system/wildcard/tests_wildcard.py
--- bind9-9.18.44/bin/tests/system/wildcard/tests_wildcard.py 2026-01-09 13:44:04.717037224 +0000
+++ bind9-9.18.47/bin/tests/system/wildcard/tests_wildcard.py 2026-03-13 21:59:39.782905913 +0000
@@ -27,9 +27,13 @@
- special behavior of rdtypes like CNAME
"""
+# Silence incorrect warnings cause by hypothesis.assume()
+# https://github.com/pylint-dev/pylint/issues/10785#issuecomment-3677224217
+# pylint: disable=unreachable
+
import pytest
-pytest.importorskip("dns", minversion="2.0.0")
+import dns
import dns.message
import dns.name
import dns.query
diff -Nru bind9-9.18.44/bin/tests/system/xferquota/setup.py bind9-9.18.47/bin/tests/system/xferquota/setup.py
--- bind9-9.18.44/bin/tests/system/xferquota/setup.py 2026-01-09 13:44:04.721037290 +0000
+++ bind9-9.18.47/bin/tests/system/xferquota/setup.py 2026-03-13 21:59:39.786906037 +0000
@@ -20,8 +20,7 @@
for z in range(zones):
zn = f"zone{z:06d}.example"
with open(f"ns1/{zn}.db", "w", encoding="utf-8") as f:
- f.write(
- """$TTL 300
+ f.write("""$TTL 300
@ IN SOA ns1 . 1 300 120 3600 86400
NS ns1
NS ns2
@@ -31,8 +30,7 @@
MX 20 mail2.isp.example.
www A 10.0.0.1
xyzzy A 10.0.0.2
-"""
- )
+""")
with open("ns1/zones.conf", "w", encoding="utf-8") as priconf, open(
"ns2/zones.conf", "w", encoding="utf-8"
diff -Nru bind9-9.18.44/bin/tools/mdig.c bind9-9.18.47/bin/tools/mdig.c
--- bind9-9.18.44/bin/tools/mdig.c 2026-01-09 13:44:04.725037356 +0000
+++ bind9-9.18.47/bin/tools/mdig.c 2026-03-13 21:59:39.790906160 +0000
@@ -1658,7 +1658,7 @@
dash_option(const char *option, char *next, struct query *query, bool global,
bool *setname) {
char opt;
- const char *value;
+ const char *value, *oldvalue;
isc_result_t result;
bool value_from_next;
isc_consttextregion_t tr;
@@ -1668,7 +1668,7 @@
struct in_addr in4;
struct in6_addr in6;
in_port_t srcport;
- char *hash;
+ const char *hash;
uint32_t num;
while (strpbrk(option, single_dash_opts) == &option[0]) {
@@ -1739,12 +1739,15 @@
case 'b':
GLOBAL();
hash = strchr(value, '#');
+ oldvalue = value;
if (hash != NULL) {
result = parse_uint(&num, hash + 1, MAXPORT,
"port number");
CHECKM("parse_uint(srcport)", result);
srcport = num;
- *hash = '\0';
+ snprintf(textname, sizeof(textname), "%.*s",
+ (int)(hash - value), value);
+ value = textname;
} else {
srcport = 0;
}
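Review bot: The new `snprintf(textname, sizeof(textname), "%.*s", (int)(hash - value), value)` in the `-b` case ignores truncation. If the address part before `#` is longer than the buffer, a shortened string is passed on to address parsing instead of being rejected. The declaration of `textname` is outside the hunk, so neither its size nor whether other option handling depends on its contents can be confirmed here. A length check before the copy would make the behaviour explicit, e.g. `if ((size_t)(hash - value) >= sizeof(textname)) fatal("invalid address %s", oldvalue);`. dash_option's body starts and ends outside the hunk.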
@@ -1755,13 +1758,7 @@
isc_sockaddr_fromin(&srcaddr, &in4, srcport);
isc_net_disableipv6();
} else {
- if (hash != NULL) {
- *hash = '#';
- }
- fatal("invalid address %s", value);
- }
- if (hash != NULL) {
- *hash = '#';
+ fatal("invalid address %s", oldvalue);
}
have_src = true;
return value_from_next;
diff -Nru bind9-9.18.44/configure bind9-9.18.47/configure
--- bind9-9.18.44/configure 2026-01-09 13:45:06.614152475 +0000
+++ bind9-9.18.47/configure 2026-03-13 22:03:16.249179725 +0000
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.72 for BIND 9.18.44.
+# Generated by GNU Autoconf 2.72 for BIND 9.18.47.
#
# Report bugs to .
#
@@ -615,8 +615,8 @@
# Identity of this package.
PACKAGE_NAME='BIND'
PACKAGE_TARNAME='bind'
-PACKAGE_VERSION='9.18.44'
-PACKAGE_STRING='BIND 9.18.44'
+PACKAGE_VERSION='9.18.47'
+PACKAGE_STRING='BIND 9.18.47'
PACKAGE_BUGREPORT='https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issuable_template=Bug'
PACKAGE_URL='https://www.isc.org/downloads/'
@@ -1544,7 +1544,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-'configure' configures BIND 9.18.44 to adapt to many kinds of systems.
+'configure' configures BIND 9.18.47 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1616,7 +1616,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of BIND 9.18.44:";;
+ short | recursive ) echo "Configuration of BIND 9.18.47:";;
esac
cat <<\_ACEOF
@@ -1842,7 +1842,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-BIND configure 9.18.44
+BIND configure 9.18.47
generated by GNU Autoconf 2.72
Copyright (C) 2023 Free Software Foundation, Inc.
@@ -2262,7 +2262,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by BIND $as_me 9.18.44, which was
+It was created by BIND $as_me 9.18.47, which was
generated by GNU Autoconf 2.72. Invocation command line was
$ $0$ac_configure_args_raw
@@ -3046,7 +3046,7 @@
printf "%s\n" "#define PACKAGE_VERSION_MINOR \"18\"" >>confdefs.h
-printf "%s\n" "#define PACKAGE_VERSION_PATCH \"44\"" >>confdefs.h
+printf "%s\n" "#define PACKAGE_VERSION_PATCH \"47\"" >>confdefs.h
printf "%s\n" "#define PACKAGE_VERSION_EXTRA \"\"" >>confdefs.h
@@ -3055,7 +3055,7 @@
printf "%s\n" "#define PACKAGE_DESCRIPTION \" (Extended Support Version)\"" >>confdefs.h
-printf "%s\n" "#define PACKAGE_SRCID \"2e74eea\"" >>confdefs.h
+printf "%s\n" "#define PACKAGE_SRCID \"84c0d37\"" >>confdefs.h
bind_CONFIGARGS="${ac_configure_args:-default}"
@@ -3890,7 +3890,7 @@
# Define the identity of the package.
PACKAGE='bind'
- VERSION='9.18.44'
+ VERSION='9.18.47'
printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -18243,13 +18243,13 @@
if test -n "$PYTHON"; then
# If the user set $PYTHON, use it and don't search something else.
- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.6" >&5
-printf %s "checking whether $PYTHON version is >= 3.6... " >&6; }
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.10" >&5
+printf %s "checking whether $PYTHON version is >= 3.10... " >&6; }
prog="import sys
# split strings by '.' and convert to numeric. Append some zeros
# because we need at least 4 digits for the hex conversion.
# map returns an iterator in Python 3.0 and a list in 2.x
-minver = list(map(int, '3.6'.split('.'))) + [0, 0, 0]
+minver = list(map(int, '3.10'.split('.'))) + [0, 0, 0]
minverhex = 0
# xrange is not present in Python 3.0 and range returns an iterator
for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
@@ -18272,8 +18272,8 @@
else
# Otherwise, try each interpreter until we find one that satisfies
# VERSION.
- { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.6" >&5
-printf %s "checking for a Python interpreter with version >= 3.6... " >&6; }
+ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.10" >&5
+printf %s "checking for a Python interpreter with version >= 3.10... " >&6; }
if test ${am_cv_pathless_PYTHON+y}
then :
printf %s "(cached) " >&6
@@ -18285,7 +18285,7 @@
# split strings by '.' and convert to numeric. Append some zeros
# because we need at least 4 digits for the hex conversion.
# map returns an iterator in Python 3.0 and a list in 2.x
-minver = list(map(int, '3.6'.split('.'))) + [0, 0, 0]
+minver = list(map(int, '3.10'.split('.'))) + [0, 0, 0]
minverhex = 0
# xrange is not present in Python 3.0 and range returns an iterator
for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i]
@@ -29899,7 +29899,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by BIND $as_me 9.18.44, which was
+This file was extended by BIND $as_me 9.18.47, which was
generated by GNU Autoconf 2.72. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -29968,7 +29968,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-BIND config.status 9.18.44
+BIND config.status 9.18.47
configured by $0, generated by GNU Autoconf 2.72,
with options \\"\$ac_cs_config\\"
diff -Nru bind9-9.18.44/configure.ac bind9-9.18.47/configure.ac
--- bind9-9.18.44/configure.ac 2026-01-09 13:44:04.728037405 +0000
+++ bind9-9.18.47/configure.ac 2026-03-13 21:59:39.794906284 +0000
@@ -16,7 +16,7 @@
#
m4_define([bind_VERSION_MAJOR], 9)dnl
m4_define([bind_VERSION_MINOR], 18)dnl
-m4_define([bind_VERSION_PATCH], 44)dnl
+m4_define([bind_VERSION_PATCH], 47)dnl
m4_define([bind_VERSION_EXTRA], )dnl
m4_define([bind_DESCRIPTION], [(Extended Support Version)])dnl
m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl
@@ -240,7 +240,7 @@
#
# Python is optional, it is used only by some of the system test scripts.
#
-AM_PATH_PYTHON([3.6], [], [:])
+AM_PATH_PYTHON([3.10], [], [:])
AM_CONDITIONAL([HAVE_PYTHON], [test "$PYTHON" != ":"])
AC_PATH_PROGS([PYTEST], [pytest-3 py.test-3 pytest py.test pytest-pypy], [])
diff -Nru bind9-9.18.44/contrib/gitchangelog/gitchangelog.py bind9-9.18.47/contrib/gitchangelog/gitchangelog.py
--- bind9-9.18.44/contrib/gitchangelog/gitchangelog.py 2026-01-09 13:44:04.729037422 +0000
+++ bind9-9.18.47/contrib/gitchangelog/gitchangelog.py 2026-03-13 21:59:39.795906315 +0000
@@ -483,7 +483,7 @@
return TextProc(lambda text: value.fun(self.fun(text)))
import inspect
- (_frame, filename, lineno, _function_name, lines, _index) = inspect.stack()[1]
+ _frame, filename, lineno, _function_name, lines, _index = inspect.stack()[1]
raise SyntaxError(
"Invalid syntax in config file",
(
@@ -2084,10 +2084,7 @@
raise
## XXXvlab: should use $COLUMNS in bash and for windows:
## http://stackoverflow.com/questions/14978548
- stderr(
- paragraph_wrap(
- textwrap.dedent(
- """\
+ stderr(paragraph_wrap(textwrap.dedent("""\
UnicodeEncodeError:
There was a problem outputing the resulting changelog to
your console.
@@ -2095,11 +2092,7 @@
This probably means that the changelog contains characters
that can't be translated to characters in your current charset
(%s).
- """
- )
- % sys.stdout.encoding
- )
- )
+ """) % sys.stdout.encoding))
if WIN32 and PY_VERSION < 3.6 and sys.stdout.encoding != "utf-8":
## As of PY 3.6, encoding is now ``utf-8`` regardless of
## PYTHONIOENCODING
diff -Nru bind9-9.18.44/debian/changelog bind9-9.18.47/debian/changelog
--- bind9-9.18.44/debian/changelog 2026-01-22 07:24:36.000000000 +0000
+++ bind9-9.18.47/debian/changelog 2026-03-25 15:59:36.000000000 +0000
@@ -1,3 +1,11 @@
+bind9 (1:9.18.47-1~deb12u1) bookworm-security; urgency=high
+
+ * New upstream version 9.18.47
+ - [CVE-2026-1519]: Fix unbounded NSEC3 iterations when validating
+ referrals to unsigned delegations.
+
+ -- Ondřej Surý Wed, 25 Mar 2026 16:59:36 +0100
+
bind9 (1:9.18.44-1~deb12u1) bookworm-security; urgency=high
* New upstream version 9.18.44
diff -Nru bind9-9.18.44/doc/arm/_ext/iscconf.py bind9-9.18.47/doc/arm/_ext/iscconf.py
--- bind9-9.18.44/doc/arm/_ext/iscconf.py 2026-01-09 13:44:04.730037438 +0000
+++ bind9-9.18.47/doc/arm/_ext/iscconf.py 2026-03-13 21:59:39.797906377 +0000
@@ -35,7 +35,6 @@
import checkgrammar
-
logger = logging.getLogger(__name__)
diff -Nru bind9-9.18.44/doc/arm/_ext/namedconf.py bind9-9.18.47/doc/arm/_ext/namedconf.py
--- bind9-9.18.44/doc/arm/_ext/namedconf.py 2026-01-09 13:44:04.731037455 +0000
+++ bind9-9.18.47/doc/arm/_ext/namedconf.py 2026-03-13 21:59:39.797906377 +0000
@@ -15,6 +15,7 @@
Sphinx domain "namedconf". See iscconf.py for details.
"""
+
from docutils import nodes
import iscconf
diff -Nru bind9-9.18.44/doc/arm/changelog.rst bind9-9.18.47/doc/arm/changelog.rst
--- bind9-9.18.44/doc/arm/changelog.rst 2026-01-09 13:44:04.731037455 +0000
+++ bind9-9.18.47/doc/arm/changelog.rst 2026-03-13 21:59:39.798906408 +0000
@@ -18,6 +18,9 @@
development. Regular users should refer to :ref:`Release Notes `
for changes relevant to them.
+.. include:: ../changelog/changelog-9.18.47.rst
+.. include:: ../changelog/changelog-9.18.46.rst
+.. include:: ../changelog/changelog-9.18.45.rst
.. include:: ../changelog/changelog-9.18.44.rst
.. include:: ../changelog/changelog-9.18.43.rst
.. include:: ../changelog/changelog-9.18.42.rst
diff -Nru bind9-9.18.44/doc/arm/notes.rst bind9-9.18.47/doc/arm/notes.rst
--- bind9-9.18.44/doc/arm/notes.rst 2026-01-09 13:44:04.736037537 +0000
+++ bind9-9.18.47/doc/arm/notes.rst 2026-03-13 21:59:39.802906531 +0000
@@ -45,6 +45,9 @@
found at
https://gitlab.isc.org/isc-projects/bind9/-/wikis/Known-Issues-in-BIND-9.18
+.. include:: ../notes/notes-9.18.47.rst
+.. include:: ../notes/notes-9.18.46.rst
+.. include:: ../notes/notes-9.18.45.rst
.. include:: ../notes/notes-9.18.44.rst
.. include:: ../notes/notes-9.18.43.rst
.. include:: ../notes/notes-9.18.42.rst
diff -Nru bind9-9.18.44/doc/arm/reference.rst bind9-9.18.47/doc/arm/reference.rst
--- bind9-9.18.44/doc/arm/reference.rst 2026-01-09 13:44:04.738037570 +0000
+++ bind9-9.18.47/doc/arm/reference.rst 2026-03-13 21:59:39.804906593 +0000
@@ -3149,6 +3149,17 @@
from or use to resolve a query. Queries from these addresses are not
responded to. The default is ``none``.
+ When configuring this list, note that BIND evaluates Access Control Lists
+ sequentially (first match wins). A common misconception is that the directive
+ ``!address;`` blocks everything except that address. In reality, it only
+ explicitly exempts ``address`` from the blackhole; all other IP addresses
+ reach the end of the list without matching, meaning they are also not
+ blackholed.
+
+ To successfully blackhole all traffic *except* specific addresses, you must
+ explicitly catch the remaining traffic with ``any;`` at the end of the list.
+ For example: ``!address; any;``
+
.. namedconf:statement:: keep-response-order
:tags: server
:short: Defines an :any:`address_match_list` of addresses which do not accept reordered answers within a single TCP stream.
diff -Nru bind9-9.18.44/doc/changelog/changelog-9.18.45.rst bind9-9.18.47/doc/changelog/changelog-9.18.45.rst
--- bind9-9.18.44/doc/changelog/changelog-9.18.45.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/doc/changelog/changelog-9.18.45.rst 2026-03-13 21:59:39.807906686 +0000
@@ -0,0 +1,48 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.18.45
+------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Update requirements for system test suite. ``37bd997a39``
+
+ Python 3.10 or newer is now required for running the system test
+ suite. The required python packages and their version requirements are
+ now tracked in `bin/tests/system/requirements.txt`.
+
+ Support for pytest 9.0.0 has been added its minimum supported version
+ has been raised to 7.0.0. The minimum supported dnspython version has
+ been raised to 2.3.0. :gl:`#5690` :gl:`#5614` :gl:`!11470`
+
+Bug Fixes
+~~~~~~~~~
+
+- Use const pointer with strchr of const pointer. ``2b10ee4f13``
+
+ :gl:`#5694` :gl:`!11464`
+
+- Fix brid and hhit implementation. ``e3caaa16f1``
+
+ Fix bugs in BRID and HHIT implementation and enable the unit tests.
+ :gl:`#5710` :gl:`!11493`
+
+- DSYNC record incorrectly used two octets for the Scheme Field.
+ ``6fd748d1fc``
+
+ When creating the `DSYNC` record from a structure, `uint16_tobuffer`
+ was used instead of `uint8_tobuffer` when adding the scheme, causing a
+ `DSYNC` record that was one octet too long. This has been fixed.
+ :gl:`#5711` :gl:`!11484`
+
+
diff -Nru bind9-9.18.44/doc/changelog/changelog-9.18.46.rst bind9-9.18.47/doc/changelog/changelog-9.18.46.rst
--- bind9-9.18.44/doc/changelog/changelog-9.18.46.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/doc/changelog/changelog-9.18.46.rst 2026-03-13 21:59:39.807906686 +0000
@@ -0,0 +1,35 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.18.46
+------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Invalid NSEC3 can cause OOB read of the isdelegation() stack.
+ ``97fd0c56e48``
+
+ When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
+ harmless out-of-bound read of the isdelegation() stack. This has been
+ fixed. :gl:`#5749` :gl:`!11595`
+
+Bug Fixes
+~~~~~~~~~
+
+- Clear serve-stale flags when following the CNAME chains.
+ ``7733cb4580e``
+
+ A stale answer could have been served in case of multiple upstream
+ failures when following the CNAME chains. This has been fixed.
+ :gl:`#5751` :gl:`!11584`
+
+
diff -Nru bind9-9.18.44/doc/changelog/changelog-9.18.47.rst bind9-9.18.47/doc/changelog/changelog-9.18.47.rst
--- bind9-9.18.44/doc/changelog/changelog-9.18.47.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/doc/changelog/changelog-9.18.47.rst 2026-03-13 21:59:39.807906686 +0000
@@ -0,0 +1,32 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+BIND 9.18.47
+------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- [CVE-2026-1519] Fix unbounded NSEC3 iterations when validating
+ referrals to unsigned delegations. ``5ef459eeaa9``
+
+ DNSSEC-signed zones may contain high iteration-count NSEC3 records,
+ which prove that certain delegations are insecure. Previously, a
+ validating resolver encountering such a delegation processed these
+ iterations up to the number given, which could be a maximum of 65,535.
+ This has been addressed by introducing a processing limit, set at 150.
+ Now, if such an NSEC3 record is encountered, the delegation will be
+ treated as insecure.
+
+ ISC would like to thank Samy Medjahed/Ap4sh for bringing this
+ vulnerability to our attention. :gl:`#5708`
+
+
diff -Nru bind9-9.18.44/doc/man/arpaname.1in bind9-9.18.47/doc/man/arpaname.1in
--- bind9-9.18.44/doc/man/arpaname.1in 2026-01-09 13:46:03.126233616 +0000
+++ bind9-9.18.47/doc/man/arpaname.1in 2026-03-13 22:13:22.066609049 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -40,9 +41,8 @@
.SH SEE ALSO
.sp
BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/ddns-confgen.8in bind9-9.18.47/doc/man/ddns-confgen.8in
--- bind9-9.18.44/doc/man/ddns-confgen.8in 2026-01-09 13:46:03.130233693 +0000
+++ bind9-9.18.47/doc/man/ddns-confgen.8in 2026-03-13 22:13:22.070609145 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -37,19 +38,19 @@
.sp
\fBddns\-confgen\fP is an utility that generates keys for use in TSIG signing.
The resulting keys can be used, for example, to secure dynamic DNS updates
-to a zone, or for the \fI\%rndc\fP command channel.
+to a zone, or for the \fBrndc\fP \%<#\:std-iscman-rndc> command channel.
.sp
-The key name can specified using \fI\%\-k\fP parameter and defaults to \fBddns\-key\fP\&.
+The key name can specified using \fB\-k\fP parameter and defaults to \fBddns\-key\fP\&.
The generated key is accompanied by configuration text and instructions that
-can be used with \fI\%nsupdate\fP and \fI\%named\fP when setting up dynamic DNS,
+can be used with \fBnsupdate\fP \%<#\:std-iscman-nsupdate> and \fBnamed\fP \%<#\:std-iscman-named> when setting up dynamic DNS,
including an example \fBupdate\-policy\fP statement.
-(This usage is similar to the \fI\%rndc\-confgen\fP command for setting up
+(This usage is similar to the \fBrndc\-confgen\fP \%<#\:std-iscman-rndc-confgen> command for setting up
command\-channel security.)
.sp
-Note that \fI\%named\fP itself can configure a local DDNS key for use with
-\fI\%nsupdate \-l\fP; it does this when a zone is configured with
+Note that \fBnamed\fP \%<#\:std-iscman-named> itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fP \%<#\:cmdoption-nsupdate-l>; it does this when a zone is configured with
\fBupdate\-policy local;\fP\&. \fBddns\-confgen\fP is only needed when a more
-elaborate configuration is required: for instance, if \fI\%nsupdate\fP is to
+elaborate configuration is required: for instance, if \fBnsupdate\fP \%<#\:std-iscman-nsupdate> is to
be used from a remote system.
.SH OPTIONS
.INDENT 0.0
@@ -69,7 +70,7 @@
.TP
.B \-k keyname
This option specifies the key name of the DDNS authentication key. The
-default is \fBddns\-key\fP when neither the \fI\%\-s\fP nor \fI\%\-z\fP option is
+default is \fBddns\-key\fP when neither the \fB\-s\fP nor \fB\-z\fP option is
specified; otherwise, the default is \fBddns\-key\fP as a separate label
followed by the argument of the option, e.g., \fBddns\-key.example.com.\fP
The key name must have the format of a valid domain name, consisting of
@@ -80,33 +81,32 @@
.B \-q
This option enables quiet mode, which prints only the key, with no
explanatory text or usage examples. This is essentially identical to
-\fI\%tsig\-keygen\fP\&.
+\fBtsig\-keygen\fP \%<#\:std-iscman-tsig-keygen>\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-s name
This option generates a configuration example to allow dynamic updates
-of a single hostname. The example \fI\%named.conf\fP text shows how to set
+of a single hostname. The example \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> text shows how to set
an update policy for the specified name using the \(dqname\(dq nametype. The
default key name is \fBddns\-key.name\fP\&. Note that the \(dqself\(dq nametype
cannot be used, since the name to be updated may differ from the key
-name. This option cannot be used with the \fI\%\-z\fP option.
+name. This option cannot be used with the \fB\-z\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-z zone
This option generates a configuration example to allow
-dynamic updates of a zone. The example \fI\%named.conf\fP text shows how
+dynamic updates of a zone. The example \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> text shows how
to set an update policy for the specified zone using the \(dqzonesub\(dq
nametype, allowing updates to all subdomain names within that zone.
-This option cannot be used with the \fI\%\-s\fP option.
+This option cannot be used with the \fB\-s\fP option.
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%nsupdate(1)\fP, \fI\%named.conf(5)\fP, \fI\%named(8)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBnsupdate(1)\fP \%<#\:std-iscman-nsupdate>, \fBnamed.conf(5)\fP \%<#\:std-iscman-named\:.conf>, \fBnamed(8)\fP \%<#\:std-iscman-named>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/delv.1in bind9-9.18.47/doc/man/delv.1in
--- bind9-9.18.44/doc/man/delv.1in 2026-01-09 13:46:03.142233923 +0000
+++ bind9-9.18.47/doc/man/delv.1in 2026-03-13 22:13:22.081609407 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -42,7 +43,7 @@
.SH DESCRIPTION
.sp
\fBdelv\fP is a tool for sending DNS queries and validating the results,
-using the same internal resolver and validator logic as \fI\%named\fP\&.
+using the same internal resolver and validator logic as \fBnamed\fP \%<#\:std-iscman-named>\&.
.sp
\fBdelv\fP sends to a specified name server all queries needed to
fetch and validate the requested data; this includes the original
@@ -92,7 +93,7 @@
.sp
If no \fBserver\fP argument is provided, \fBdelv\fP consults
\fB/etc/resolv.conf\fP; if an address is found there, it queries the
-name server at that address. If either of the \fI\%\-4\fP or \fI\%\-6\fP
+name server at that address. If either of the \fB\-4\fP or \fB\-6\fP
options is in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, \fBdelv\fP
sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
@@ -119,13 +120,13 @@
or more trust anchors for the root zone (\(dq.\(dq).
.sp
Keys that do not match the root zone name are ignored. An alternate
-key name can be specified using the \fI\%+root\fP option.
+key name can be specified using the \fB+root\fP option.
.sp
Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP,
\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
-it is the \fIinitial\fP key that is trusted; \X'tty: link https://datatracker.ietf.org/doc/html/rfc5011.html'\fI\%RFC 5011\fP\X'tty: link' key management is not
+it is the \fIinitial\fP key that is trusted; \fBRFC 5011\fP \% key management is not
supported. \fBdelv\fP does not consult the managed\-keys database maintained by
-\fI\%named\fP, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is
+\fBnamed\fP \%<#\:std-iscman-named>, which means that if either of the keys in \fB@sysconfdir@/bind.keys\fP is
revoked and rolled over, \fB@sysconfdir@/bind.keys\fP must be updated to
use DNSSEC validation in \fBdelv\fP\&.
.UNINDENT
@@ -149,7 +150,7 @@
This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is
from 0 to 99. The default is 0 (no debugging). Debugging traces from
\fBdelv\fP become more verbose as the debug level increases. See the
-\fI\%+mtrace\fP, \fI\%+rtrace\fP, and \fI\%+vtrace\fP options below for
+\fB+mtrace\fP, \fB+rtrace\fP, and \fB+vtrace\fP options below for
additional debugging details.
.UNINDENT
.INDENT 0.0
@@ -165,7 +166,7 @@
server being queried is performing DNSSEC validation, then it does
not return invalid data; this can cause \fBdelv\fP to time out. When it
is necessary to examine invalid data to debug a DNSSEC problem, use
-\fI\%dig +cd\fP\&.)
+\fBdig +cd\fP \%<#\:cmdoption-dig-arg-cd>\&.)
.UNINDENT
.INDENT 0.0
.TP
@@ -184,7 +185,7 @@
.TP
.B \-q name
This option sets the query name to \fBname\fP\&. While the query name can be
-specified without using the \fI\%\-q\fP option, it is sometimes necessary to
+specified without using the \fB\-q\fP option, it is sometimes necessary to
disambiguate names from types or classes (for example, when looking
up the name \(dqns\(dq, which could be misinterpreted as the type NS, or
\(dqch\(dq, which could be misinterpreted as class CH).
@@ -194,11 +195,11 @@
.B \-t type
This option sets the query type to \fBtype\fP, which can be any valid query type
supported in BIND 9 except for zone transfer types AXFR and IXFR. As
-with \fI\%\-q\fP, this is useful to distinguish query\-name types or classes
+with \fB\-q\fP, this is useful to distinguish query\-name types or classes
when they are ambiguous. It is sometimes necessary to disambiguate
names from types.
.sp
-The default query type is \(dqA\(dq, unless the \fI\%\-x\fP option is supplied
+The default query type is \(dqA\(dq, unless the \fB\-x\fP option is supplied
to indicate a reverse lookup, in which case it is \(dqPTR\(dq.
.UNINDENT
.INDENT 0.0
@@ -211,7 +212,7 @@
.B \-x addr
This option performs a reverse lookup, mapping an address to a name. \fBaddr\fP
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited
-IPv6 address. When \fI\%\-x\fP is used, there is no need to provide the
+IPv6 address. When \fB\-x\fP is used, there is no need to provide the
\fBname\fP or \fBtype\fP arguments; \fBdelv\fP automatically performs a
lookup for a name like \fB11.12.13.10.in\-addr.arpa\fP and sets the
query type to PTR. IPv6 addresses are looked up using nibble format
@@ -271,7 +272,7 @@
.sp
This is equivalent to setting the debug level to 1 in the \(dqresolver\(dq
logging category. Setting the systemwide debug level to 1 using the
-\fI\%\-d\fP option produces the same output, but affects other
+\fB\-d\fP option produces the same output, but affects other
logging categories as well.
.UNINDENT
.INDENT 0.0
@@ -283,7 +284,7 @@
.sp
This is equivalent to setting the debug level to 10 for the \(dqpackets\(dq
module of the \(dqresolver\(dq logging category. Setting the systemwide
-debug level to 10 using the \fI\%\-d\fP option produces the same
+debug level to 10 using the \fB\-d\fP option produces the same
output, but affects other logging categories as well.
.UNINDENT
.INDENT 0.0
@@ -295,7 +296,7 @@
.sp
This is equivalent to setting the debug level to 3 for the
\(dqvalidator\(dq module of the \(dqdnssec\(dq logging category. Setting the
-systemwide debug level to 3 using the \fI\%\-d\fP option produces the
+systemwide debug level to 3 using the \fB\-d\fP option produces the
same output, but affects other logging categories as well.
.UNINDENT
.INDENT 0.0
@@ -345,8 +346,8 @@
.INDENT 0.0
.TP
.B +all, +noall
-This option sets or clears the display options \fI\%+comments\fP,
-\fI\%+rrcomments\fP, and \fI\%+trust\fP as a group.
+This option sets or clears the display options \fB+comments\fP,
+\fB+rrcomments\fP, and \fB+trust\fP as a group.
.UNINDENT
.INDENT 0.0
.TP
@@ -360,11 +361,11 @@
.TP
.B +dnssec, +nodnssec
This option indicates whether to display RRSIG records in the \fBdelv\fP output.
-The default is to do so. Note that (unlike in \fI\%dig\fP) this does
+The default is to do so. Note that (unlike in \fBdig\fP \%<#\:std-iscman-dig>) this does
\fInot\fP control whether to request DNSSEC records or to
validate them. DNSSEC records are always requested, and validation
-always occurs unless suppressed by the use of \fI\%\-i\fP or
-\fI\%+noroot\fP\&.
+always occurs unless suppressed by the use of \fB\-i\fP or
+\fB+noroot\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -372,7 +373,7 @@
This option indicates whether to perform conventional DNSSEC validation, and if so,
specifies the name of a trust anchor. The default is to validate using a
trust anchor of \(dq.\(dq (the root zone), for which there is a built\-in key. If
-specifying a different trust anchor, then \fI\%\-a\fP must be used to specify a
+specifying a different trust anchor, then \fB\-a\fP must be used to specify a
file containing the key.
.UNINDENT
.INDENT 0.0
@@ -384,7 +385,7 @@
.INDENT 0.0
.TP
.B +unknownformat, +nounknownformat
-This option prints all RDATA in unknown RR\-type presentation format (\X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link').
+This option prints all RDATA in unknown RR\-type presentation format (\fBRFC 3597\fP \%).
The default is to print RDATA for known types in the type\(aqs
presentation format.
.UNINDENT
@@ -400,10 +401,9 @@
\fB/etc/resolv.conf\fP
.SH SEE ALSO
.sp
-\fI\%dig(1)\fP, \fI\%named(8)\fP, \X'tty: link https://datatracker.ietf.org/doc/html/rfc4034.html'\fI\%RFC 4034\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc4035.html'\fI\%RFC 4035\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc4431.html'\fI\%RFC 4431\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc5074.html'\fI\%RFC 5074\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc5155.html'\fI\%RFC 5155\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdig(1)\fP \%<#\:std-iscman-dig>, \fBnamed(8)\fP \%<#\:std-iscman-named>, \fBRFC 4034\fP \%, \fBRFC 4035\fP \%, \fBRFC 4431\fP \%, \fBRFC 5074\fP \%, \fBRFC 5155\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dig.1in bind9-9.18.47/doc/man/dig.1in
--- bind9-9.18.44/doc/man/dig.1in 2026-01-09 13:46:03.171234478 +0000
+++ bind9-9.18.47/doc/man/dig.1in 2026-03-13 22:13:22.109610074 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -49,7 +50,7 @@
Although \fBdig\fP is normally used with command\-line arguments, it also
has a batch mode of operation for reading lookup requests from a file. A
brief summary of its command\-line arguments and options is printed when
-the \fI\%\-h\fP option is given. The BIND 9
+the \fB\-h\fP option is given. The BIND 9
implementation of \fBdig\fP allows multiple lookups to be issued from the
command line.
.sp
@@ -62,12 +63,12 @@
.sp
It is possible to set per\-user defaults for \fBdig\fP via
\fB${HOME}/.digrc\fP\&. This file is read and any options in it are applied
-before the command\-line arguments. The \fI\%\-r\fP option disables this
+before the command\-line arguments. The \fB\-r\fP option disables this
feature, for scripts that need predictable behavior.
.sp
The IN and CH class names overlap with the IN and CH top\-level domain
-names. Either use the \fI\%\-t\fP and \fI\%\-c\fP options to specify the type and
-class, use the \fI\%\-q\fP to specify the domain name, or use \(dqIN.\(dq and
+names. Either use the \fB\-t\fP and \fB\-c\fP options to specify the type and
+class, use the \fB\-q\fP to specify the domain name, or use \(dqIN.\(dq and
\(dqCH.\(dq when looking up these top\-level domains.
.SH SIMPLE USAGE
.sp
@@ -93,7 +94,7 @@
.sp
If no \fBserver\fP argument is provided, \fBdig\fP consults
\fB/etc/resolv.conf\fP; if an address is found there, it queries the
-name server at that address. If either of the \fI\%\-4\fP or \fI\%\-6\fP
+name server at that address. If either of the \fB\-4\fP or \fB\-6\fP
options are in use, then only addresses for the corresponding
transport are tried. If no usable addresses are found, \fBdig\fP
sends the query to the local host. The reply from the name server
@@ -153,11 +154,11 @@
.B \-k keyfile
This option tells \fBdig\fP to sign queries using TSIG or
SIG(0) using a key read from the given file. Key files can be
-generated using \fI\%tsig\-keygen\fP\&. When using TSIG authentication
+generated using \fBtsig\-keygen\fP \%<#\:std-iscman-tsig-keygen>\&. When using TSIG authentication
with \fBdig\fP, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is
done by providing appropriate \fBkey\fP and \fBserver\fP statements
-in \fI\%named.conf\fP for TSIG and by looking up the KEY record
+in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> for TSIG and by looking up the KEY record
in zone data for SIG(0).
.UNINDENT
.INDENT 0.0
@@ -191,7 +192,7 @@
This option indicates the resource record type to query, which can be any valid query type. If
it is a resource record type supported in BIND 9, it can be given by
the type mnemonic (such as \fBNS\fP or \fBAAAA\fP). The default query type is
-\fBA\fP, unless the \fI\%\-x\fP option is supplied to indicate a reverse
+\fBA\fP, unless the \fB\-x\fP option is supplied to indicate a reverse
lookup. A zone transfer can be requested by specifying a type of
AXFR. When an incremental zone transfer (IXFR) is required, set the
\fBtype\fP to \fBixfr=N\fP\&. The incremental zone transfer contains
@@ -200,7 +201,7 @@
.sp
All resource record types can be expressed as \fBTYPEnn\fP, where \fBnn\fP is
the number of the type. If the resource record type is not supported
-in BIND 9, the result is displayed as described in \X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link'\&.
+in BIND 9, the result is displayed as described in \fBRFC 3597\fP \%\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -217,7 +218,7 @@
.B \-x addr
This option sets simplified reverse lookups, for mapping addresses to names. The
\fBaddr\fP is an IPv4 address in dotted\-decimal notation, or a
-colon\-delimited IPv6 address. When the \fI\%\-x\fP option is used, there is no
+colon\-delimited IPv6 address. When the \fB\-x\fP option is used, there is no
need to provide the \fBname\fP, \fBclass\fP, and \fBtype\fP arguments.
\fBdig\fP automatically performs a lookup for a name like
\fB94.2.0.192.in\-addr.arpa\fP and sets the query type and class to PTR
@@ -236,11 +237,11 @@
\fBhmac\-sha256\fP\&.
.UNINDENT
.sp
-\fBNOTE:\fP
+\fBNote:\fP
.INDENT 0.0
.INDENT 3.5
-Only the \fI\%\-k\fP option should be used, rather than the \fI\%\-y\fP option,
-because with \fI\%\-y\fP the shared secret is supplied as a command\-line
+Only the \fB\-k\fP option should be used, rather than the \fB\-y\fP option,
+because with \fB\-y\fP the shared secret is supplied as a command\-line
argument in clear text. This may be visible in the output from \fBps1\fP or
in a history file maintained by the user\(aqs shell.
.UNINDENT
@@ -258,12 +259,12 @@
the string \fBno\fP to negate the meaning of that keyword. Other keywords
assign values to options, like the timeout interval. They have the form
\fB+keyword=value\fP\&. Keywords may be abbreviated, provided the
-abbreviation is unambiguous; for example, \fI\%+cd\fP is equivalent to
-\fI\%+cdflag\fP\&. The query options are:
+abbreviation is unambiguous; for example, \fB+cd\fP is equivalent to
+\fB+cdflag\fP\&. Query options are order sensitive. The query options are:
.INDENT 0.0
.TP
.B +aaflag, +noaaflag
-This option is a synonym for \fI\%+aaonly\fP, \fI\%+noaaonly\fP\&.
+This option is a synonym for \fB+aaonly\fP, \fB+noaaonly\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -359,7 +360,7 @@
.sp
Other types of comments in the output are not affected by this option, but
can be controlled using other command\-line switches. These include
-\fI\%+cmd\fP, \fI\%+question\fP, \fI\%+stats\fP, and \fI\%+rrcomments\fP\&.
+\fB+cmd\fP, \fB+question\fP, \fB+stats\fP, and \fB+rrcomments\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -368,7 +369,7 @@
from a previous response allows the server to identify a previous
client. The default is \fB+cookie\fP\&.
.sp
-\fB+cookie\fP is also set when \fI\%+trace\fP is set to better emulate the
+\fB+cookie\fP is also set when \fB+trace\fP is set to better emulate the
default queries from a nameserver.
.UNINDENT
.INDENT 0.0
@@ -385,7 +386,7 @@
.TP
.B +defname, +nodefname
This option, which is deprecated, is treated as a synonym for
-\fI\%+search\fP, \fI\%+nosearch\fP\&.
+\fB+search\fP, \fB+nosearch\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -403,7 +404,7 @@
.B +domain=somename
This option sets the search list to contain the single domain \fBsomename\fP, as if
specified in a \fBdomain\fP directive in \fB/etc/resolv.conf\fP, and
-enables search list processing as if the \fI\%+search\fP option were
+enables search list processing as if the \fB+search\fP option were
given.
.UNINDENT
.INDENT 0.0
@@ -449,7 +450,7 @@
.INDENT 0.0
.TP
.B +fail, +nofail
-This option indicates that \fI\%named\fP should try [or not try] the next server if a SERVFAIL is received. The default is
+This option indicates that \fBnamed\fP \%<#\:std-iscman-named> should try [or not try] the next server if a SERVFAIL is received. The default is
to not try the next server, which is the reverse of normal stub
resolver behavior.
.UNINDENT
@@ -483,36 +484,36 @@
.INDENT 0.0
.TP
.B +https\-get[=value], +nohttps\-get
-Similar to \fI\%+https\fP, except that the HTTP GET request mode is used
+Similar to \fB+https\fP, except that the HTTP GET request mode is used
when sending the query.
.UNINDENT
.INDENT 0.0
.TP
.B +https\-post[=value], +nohttps\-post
-Same as \fI\%+https\fP\&.
+Same as \fB+https\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B +http\-plain[=value], +nohttp\-plain
-Similar to \fI\%+https\fP, except that HTTP queries will be sent over a
+Similar to \fB+https\fP, except that HTTP queries will be sent over a
non\-encrypted channel. When this option is in use, the port number
defaults to 80 and the HTTP request mode is POST.
.UNINDENT
.INDENT 0.0
.TP
.B +http\-plain\-get[=value], +nohttp\-plain\-get
-Similar to \fI\%+http\-plain\fP, except that the HTTP request mode is GET.
+Similar to \fB+http\-plain\fP, except that the HTTP request mode is GET.
.UNINDENT
.INDENT 0.0
.TP
.B +http\-plain\-post[=value], +nohttp\-plain\-post
-Same as \fI\%+http\-plain\fP\&.
+Same as \fB+http\-plain\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B +identify, +noidentify
This option shows [or does not show] the IP address and port number that
-supplied the answer, when the \fI\%+short\fP option is enabled. If short
+supplied the answer, when the \fB+short\fP option is enabled. If short
form answers are requested, the default is not to show the source
address and port number of the server that provided the answer.
.UNINDENT
@@ -570,7 +571,7 @@
statement is present. Names with fewer dots are interpreted as
relative names, and are searched for in the domains listed in the
\fBsearch\fP or \fBdomain\fP directive in \fB/etc/resolv.conf\fP if
-\fI\%+search\fP is set.
+\fB+search\fP is set.
.UNINDENT
.INDENT 0.0
.TP
@@ -635,7 +636,7 @@
.INDENT 0.0
.TP
.B +rdflag, +nordflag
-This option is a synonym for \fI\%+recurse\fP, \fI\%+norecurse\fP\&.
+This option is a synonym for \fB+recurse\fP, \fB+norecurse\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -643,13 +644,13 @@
This option toggles the setting of the RD (recursion desired) bit in the query.
This bit is set by default, which means \fBdig\fP normally sends
recursive queries. Recursion is automatically disabled when the
-\fI\%+nssearch\fP or \fI\%+trace\fP query option is used.
+\fB+nssearch\fP or \fB+trace\fP query option is used.
.UNINDENT
.INDENT 0.0
.TP
.B +retry=T
This option sets the number of times to retry UDP and TCP queries to server to \fBT\fP
-instead of the default, 2. Unlike \fI\%+tries\fP, this does not include
+instead of the default, 2. Unlike \fB+tries\fP, this does not include
the initial query.
.UNINDENT
.INDENT 0.0
@@ -667,7 +668,7 @@
default.
.sp
\fBndots\fP from \fBresolv.conf\fP (default 1), which may be overridden by
-\fI\%+ndots\fP, determines whether the name is treated as relative
+\fB+ndots\fP, determines whether the name is treated as relative
and hence whether a search is eventually performed.
.UNINDENT
.INDENT 0.0
@@ -692,7 +693,7 @@
.INDENT 0.0
.TP
.B +sigchase, +nosigchase
-This feature is now obsolete and has been removed; use \fI\%delv\fP
+This feature is now obsolete and has been removed; use \fBdelv\fP \%<#\:std-iscman-delv>
instead.
.UNINDENT
.INDENT 0.0
@@ -772,13 +773,13 @@
.B +tls\-hostname=hostname, +notls\-hostname
This option makes \fBdig\fP use the provided hostname during remote
server TLS certificate verification. Otherwise, the DNS server name
-is used. This option has no effect if \fI\%+tls\-ca\fP is not specified.
+is used. This option has no effect if \fB+tls\-ca\fP is not specified.
.UNINDENT
.INDENT 0.0
.TP
.B +topdown, +notopdown
-This feature is related to \fI\%dig +sigchase\fP, which is obsolete and
-has been removed. Use \fI\%delv\fP instead.
+This feature is related to \fBdig +sigchase\fP, which is obsolete and
+has been removed. Use \fBdelv\fP \%<#\:std-iscman-delv> instead.
.UNINDENT
.INDENT 0.0
.TP
@@ -793,7 +794,7 @@
If \fB@server\fP is also specified, it affects only the initial query for
the root zone name servers.
.sp
-\fI\%+dnssec\fP is also set when \fI\%+trace\fP is set, to better emulate the
+\fB+dnssec\fP is also set when \fB+trace\fP is set, to better emulate the
default queries from a name server.
.UNINDENT
.INDENT 0.0
@@ -806,8 +807,8 @@
.INDENT 0.0
.TP
.B +trusted\-key=####
-This option formerly specified trusted keys for use with \fI\%dig +sigchase\fP\&. This
-feature is now obsolete and has been removed; use \fI\%delv\fP instead.
+This option formerly specified trusted keys for use with \fBdig +sigchase\fP\&. This
+feature is now obsolete and has been removed; use \fBdelv\fP \%<#\:std-iscman-delv> instead.
.UNINDENT
.INDENT 0.0
.TP
@@ -819,12 +820,12 @@
.B +ttlunits, +nottlunits
This option displays [or does not display] the TTL in friendly human\-readable time
units of \fBs\fP, \fBm\fP, \fBh\fP, \fBd\fP, and \fBw\fP, representing seconds, minutes,
-hours, days, and weeks. This implies \fI\%+ttlid\fP\&.
+hours, days, and weeks. This implies \fB+ttlid\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B +unknownformat, +nounknownformat
-This option prints all RDATA in unknown RR type presentation format (\X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link').
+This option prints all RDATA in unknown RR type presentation format (\fBRFC 3597\fP \%).
The default is to print RDATA for known types in the type\(aqs
presentation format.
.UNINDENT
@@ -832,13 +833,13 @@
.TP
.B +vc, +novc
This option uses [or does not use] TCP when querying name servers. This alternate
-syntax to \fI\%+tcp\fP is provided for backwards compatibility. The
+syntax to \fB+tcp\fP is provided for backwards compatibility. The
\fBvc\fP stands for \(dqvirtual circuit.\(dq
.UNINDENT
.INDENT 0.0
.TP
.B +yaml, +noyaml
-When enabled, this option prints the responses (and, if \fI\%+qr\fP is in use, also the
+When enabled, this option prints the responses (and, if \fB+qr\fP is in use, also the
outgoing queries) in a detailed YAML format.
.UNINDENT
.INDENT 0.0
@@ -850,7 +851,7 @@
.SH MULTIPLE QUERIES
.sp
The BIND 9 implementation of \fBdig\fP supports specifying multiple
-queries on the command line (in addition to supporting the \fI\%\-f\fP batch
+queries on the command line (in addition to supporting the \fB\-f\fP batch
file option). Each of those queries can be supplied with its own set of
flags, options, and query options.
.sp
@@ -863,8 +864,8 @@
A global set of query options, which should be applied to all queries,
can also be supplied. These global query options must precede the first
tuple of name, class, type, options, flags, and query options supplied
-on the command line. Any global query options (except \fI\%+cmd\fP and
-\fI\%+short\fP options) can be overridden by a query\-specific set of
+on the command line. Any global query options (except \fB+cmd\fP and
+\fB+short\fP options) can be overridden by a query\-specific set of
query options. For example:
.INDENT 0.0
.INDENT 3.5
@@ -878,8 +879,8 @@
shows how \fBdig\fP can be used from the command line to make three
lookups: an ANY query for \fBwww.isc.org\fP, a reverse lookup of 127.0.0.1,
and a query for the NS records of \fBisc.org\fP\&. A global query option of
-\fI\%+qr\fP is applied, so that \fBdig\fP shows the initial query it made for
-each lookup. The final query has a local query option of \fI\%+noqr\fP which
+\fB+qr\fP is applied, so that \fBdig\fP shows the initial query it made for
+each lookup. The final query has a local query option of \fB+noqr\fP which
means that \fBdig\fP does not print the initial query when it looks up the
NS records for \fBisc.org\fP\&.
.SH IDN SUPPORT
@@ -889,7 +890,7 @@
appropriately converts character encoding of a domain name before sending
a request to a DNS server or displaying a reply from the server.
To turn off IDN support, use the parameters
-\fI\%+idnin\fP and \fI\%+idnout\fP, or define the \fBIDN_DISABLE\fP environment
+\fB+idnin\fP and \fB+idnout\fP, or define the \fBIDN_DISABLE\fP environment
variable.
.SH RETURN CODES
.sp
@@ -918,13 +919,12 @@
\fB${HOME}/.digrc\fP
.SH SEE ALSO
.sp
-\fI\%delv(1)\fP, \fI\%host(1)\fP, \fI\%named(8)\fP, \fI\%dnssec\-keygen(8)\fP, \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link'\&.
+\fBdelv(1)\fP \%<#\:std-iscman-delv>, \fBhost(1)\fP \%<#\:std-iscman-host>, \fBnamed(8)\fP \%<#\:std-iscman-named>, \fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, \fBRFC 1035\fP \%\&.
.SH BUGS
.sp
There are probably too many query options.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-cds.1in bind9-9.18.47/doc/man/dnssec-cds.1in
--- bind9-9.18.44/doc/man/dnssec-cds.1in 2026-01-09 13:46:03.178234612 +0000
+++ bind9-9.18.47/doc/man/dnssec-cds.1in 2026-03-13 22:13:22.116610240 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -43,23 +44,23 @@
parent can keep the DS records up\-to\-date and enable automatic rolling
of KSKs.
.sp
-Two input files are required. The \fI\%\-f child\-file\fP option specifies a
+Two input files are required. The \fB\-f child\-file\fP option specifies a
file containing the child\(aqs CDS and/or CDNSKEY records, plus RRSIG and
-DNSKEY records so that they can be authenticated. The \fI\%\-d path\fP option
+DNSKEY records so that they can be authenticated. The \fB\-d path\fP option
specifies the location of a file containing the current DS records. For
example, this could be a \fBdsset\-\fP file generated by
-\fI\%dnssec\-signzone\fP, or the output of \fI\%dnssec\-dsfromkey\fP, or the
+\fBdnssec\-signzone\fP \%<#\:std-iscman-dnssec-signzone>, or the output of \fBdnssec\-dsfromkey\fP \%<#\:std-iscman-dnssec-dsfromkey>, or the
output of a previous run of \fBdnssec\-cds\fP\&.
.sp
The \fBdnssec\-cds\fP command uses special DNSSEC validation logic
-specified by \X'tty: link https://datatracker.ietf.org/doc/html/rfc7344.html'\fI\%RFC 7344\fP\X'tty: link'\&. It requires that the CDS and/or CDNSKEY records
+specified by \fBRFC 7344\fP \%\&. It requires that the CDS and/or CDNSKEY records
be validly signed by a key represented in the existing DS records. This
is typically the pre\-existing KSK.
.sp
For protection against replay attacks, the signatures on the child
records must not be older than they were on a previous run of
\fBdnssec\-cds\fP\&. Their age is obtained from the modification time of the
-\fBdsset\-\fP file, or from the \fI\%\-s\fP option.
+\fBdsset\-\fP file, or from the \fB\-s\fP option.
.sp
To protect against breaking the delegation, \fBdnssec\-cds\fP ensures that
the DNSKEY RRset can be verified by every key algorithm in the new DS
@@ -67,21 +68,21 @@
type.
.sp
By default, replacement DS records are written to the standard output;
-with the \fI\%\-i\fP option the input file is overwritten in place. The
+with the \fB\-i\fP option the input file is overwritten in place. The
replacement DS records are the same as the existing records, when no
change is required. The output can be empty if the CDS/CDNSKEY records
specify that the child zone wants to be insecure.
.sp
-\fBWARNING:\fP
+\fBWarning:\fP
.INDENT 0.0
.INDENT 3.5
Be careful not to delete the DS records when \fBdnssec\-cds\fP fails!
.UNINDENT
.UNINDENT
.sp
-Alternatively, :option\(gadnssec\-cds \-u\(ga writes an \fI\%nsupdate\fP script to the
-standard output. The \fI\%\-u\fP and \fI\%\-i\fP options can be used together to
-maintain a \fBdsset\-\fP file as well as emit an \fI\%nsupdate\fP script.
+Alternatively, :option\(gadnssec\-cds \-u\(ga writes an \fBnsupdate\fP \%<#\:std-iscman-nsupdate> script to the
+standard output. The \fB\-u\fP and \fB\-i\fP options can be used together to
+maintain a \fBdsset\-\fP file as well as emit an \fBnsupdate\fP \%<#\:std-iscman-nsupdate> script.
.SH OPTIONS
.INDENT 0.0
.TP
@@ -121,7 +122,7 @@
.sp
To protect against replay attacks, child records are rejected if they
were signed earlier than the modification time of the \fBdsset\-\fP
-file. This can be adjusted with the \fI\%\-s\fP option.
+file. This can be adjusted with the \fB\-s\fP option.
.UNINDENT
.INDENT 0.0
.TP
@@ -138,7 +139,7 @@
This option updates the \fBdsset\-\fP file in place, instead of writing DS records to
the standard output.
.sp
-There must be no space between the \fI\%\-i\fP and the extension. If
+There must be no space between the \fB\-i\fP and the extension. If
no extension is provided, the old \fBdsset\-\fP is discarded. If an
extension is present, a backup of the old \fBdsset\-\fP file is kept
with the extension appended to its filename.
@@ -172,13 +173,13 @@
.INDENT 0.0
.TP
.B \-u
-This option writes an \fI\%nsupdate\fP script to the standard output, instead of
+This option writes an \fBnsupdate\fP \%<#\:std-iscman-nsupdate> script to the standard output, instead of
printing the new DS reords. The output is empty if no change is
needed.
.sp
Note: The TTL of new records needs to be specified: it can be done in the
-original \fBdsset\-\fP file, with the \fI\%\-T\fP option, or using the
-\fI\%nsupdate\fP \fBttl\fP command.
+original \fBdsset\-\fP file, with the \fB\-T\fP option, or using the
+\fBnsupdate\fP \%<#\:std-iscman-nsupdate> \fBttl\fP command.
.UNINDENT
.INDENT 0.0
.TP
@@ -205,11 +206,11 @@
changed.
.SH EXAMPLES
.sp
-Before running \fI\%dnssec\-signzone\fP, ensure that the delegations
+Before running \fBdnssec\-signzone\fP \%<#\:std-iscman-dnssec-signzone>, ensure that the delegations
are up\-to\-date by running \fBdnssec\-cds\fP on every \fBdsset\-\fP file.
.sp
To fetch the child records required by \fBdnssec\-cds\fP, invoke
-\fI\%dig\fP as in the script below. It is acceptable if the \fI\%dig\fP fails, since
+\fBdig\fP \%<#\:std-iscman-dig> as in the script below. It is acceptable if the \fBdig\fP \%<#\:std-iscman-dig> fails, since
\fBdnssec\-cds\fP performs all the necessary checking.
.INDENT 0.0
.INDENT 3.5
@@ -225,8 +226,8 @@
.UNINDENT
.UNINDENT
.sp
-When the parent zone is automatically signed by \fI\%named\fP,
-\fBdnssec\-cds\fP can be used with \fI\%nsupdate\fP to maintain a delegation as follows.
+When the parent zone is automatically signed by \fBnamed\fP \%<#\:std-iscman-named>,
+\fBdnssec\-cds\fP can be used with \fBnsupdate\fP \%<#\:std-iscman-nsupdate> to maintain a delegation as follows.
The \fBdsset\-\fP file allows the script to avoid having to fetch and
validate the parent DS records, and it maintains the replay attack
protection time.
@@ -242,11 +243,10 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%dig(1)\fP, \fI\%dnssec\-settime(8)\fP, \fI\%dnssec\-signzone(8)\fP, \fI\%nsupdate(1)\fP, BIND 9 Administrator
-Reference Manual, \X'tty: link https://datatracker.ietf.org/doc/html/rfc7344.html'\fI\%RFC 7344\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdig(1)\fP \%<#\:std-iscman-dig>, \fBdnssec\-settime(8)\fP \%<#\:std-iscman-dnssec-settime>, \fBdnssec\-signzone(8)\fP \%<#\:std-iscman-dnssec-signzone>, \fBnsupdate(1)\fP \%<#\:std-iscman-nsupdate>, BIND 9 Administrator
+Reference Manual, \fBRFC 7344\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-dsfromkey.1in bind9-9.18.47/doc/man/dnssec-dsfromkey.1in
--- bind9-9.18.44/doc/man/dnssec-dsfromkey.1in 2026-01-09 13:46:03.184234727 +0000
+++ bind9-9.18.47/doc/man/dnssec-dsfromkey.1in 2026-03-13 22:13:22.123610407 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -43,35 +44,35 @@
.sp
The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation
Signer) resource records (RRs), or CDS (Child DS) RRs with the
-\fI\%\-C\fP option.
+\fB\-C\fP option.
.sp
By default, only KSKs are converted (keys with flags = 257). The
-\fI\%\-A\fP option includes ZSKs (flags = 256). Revoked keys are
+\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are
never included.
.sp
The input keys can be specified in a number of ways:
.sp
By default, \fBdnssec\-dsfromkey\fP reads a key file named in
the format \fBKnnnn.+aaa+iiiii.key\fP, as generated by
-\fI\%dnssec\-keygen\fP\&.
+\fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>\&.
.sp
-With the \fI\%\-f file\fP option, \fBdnssec\-dsfromkey\fP
+With the \fB\-f file\fP option, \fBdnssec\-dsfromkey\fP
reads keys from a zone file or partial zone file (which can contain
just the DNSKEY records).
.sp
-With the \fI\%\-s\fP option, \fBdnssec\-dsfromkey\fP reads a
-\fBkeyset\-\fP file, as generated by \fI\%dnssec\-keygen\fP \fI\%\-C\fP\&.
+With the \fB\-s\fP option, \fBdnssec\-dsfromkey\fP reads a
+\fBkeyset\-\fP file, as generated by \fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen> \fB\-C\fP\&.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-1
-This option is an abbreviation for \fI\%\-a SHA1\fP\&. This
+This option is an abbreviation for \fB\-a SHA1\fP\&. This
digest is deprecated.
.UNINDENT
.INDENT 0.0
.TP
.B \-2
-This option is an abbreviation for \fI\%\-a SHA\-256\fP\&.
+This option is an abbreviation for \fB\-a SHA\-256\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -90,13 +91,13 @@
This option indicates that ZSKs are to be included when generating
DS records. Without this option, only keys which have the KSK
flag set are converted to DS records and printed. This option
-is only useful in \fI\%\-f\fP zone file mode.
+is only useful in \fB\-f\fP zone file mode.
.UNINDENT
.INDENT 0.0
.TP
.B \-c class
This option specifies the DNS class; the default is IN. This
-option is only useful in \fI\%\-s\fP keyset or \fI\%\-f\fP
+option is only useful in \fB\-s\fP keyset or \fB\-f\fP
zone file mode.
.UNINDENT
.INDENT 0.0
@@ -113,7 +114,7 @@
zone name is the same as \fBfile\fP, then it may be omitted.
.sp
If \fBfile\fP is \fB\-\fP, then the zone data is read from the standard
-input. This makes it possible to use the output of the \fI\%dig\fP
+input. This makes it possible to use the output of the \fBdig\fP \%<#\:std-iscman-dig>
command as input, as in:
.sp
\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fP
@@ -166,7 +167,7 @@
.sp
The keyfile can be designated by the key identification
\fBKnnnn.+aaa+iiiii\fP or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as
-generated by \fI\%dnssec\-keygen\fP\&.
+generated by \fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>\&.
.sp
The keyset file name is built from the \fBdirectory\fP, the string
\fBkeyset\-\fP, and the \fBdnsname\fP\&.
@@ -175,12 +176,11 @@
A keyfile error may return \(dqfile not found,\(dq even if the file exists.
.SH SEE ALSO
.sp
-\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc3658.html'\fI\%RFC 3658\fP\X'tty: link' (DS RRs), \X'tty: link https://datatracker.ietf.org/doc/html/rfc4509.html'\fI\%RFC 4509\fP\X'tty: link' (SHA\-256 for DS RRs),
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc6605.html'\fI\%RFC 6605\fP\X'tty: link' (SHA\-384 for DS RRs), \X'tty: link https://datatracker.ietf.org/doc/html/rfc7344.html'\fI\%RFC 7344\fP\X'tty: link' (CDS and CDNSKEY RRs).
-.SH AUTHOR
+\fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, \fBdnssec\-signzone(8)\fP \%<#\:std-iscman-dnssec-signzone>, BIND 9 Administrator Reference Manual,
+\fBRFC 3658\fP \% (DS RRs), \fBRFC 4509\fP \% (SHA\-256 for DS RRs),
+\fBRFC 6605\fP \% (SHA\-384 for DS RRs), \fBRFC 7344\fP \% (CDS and CDNSKEY RRs).
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-importkey.1in bind9-9.18.47/doc/man/dnssec-importkey.1in
--- bind9-9.18.44/doc/man/dnssec-importkey.1in 2026-01-09 13:46:03.189234822 +0000
+++ bind9-9.18.47/doc/man/dnssec-importkey.1in 2026-03-13 22:13:22.127610502 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -45,7 +46,7 @@
.sp
The newly created .private file does \fInot\fP contain private key data, and
cannot be used for signing. However, having a .private file makes it
-possible to set publication (\fI\%\-P\fP) and deletion (\fI\%\-D\fP) times for the
+possible to set publication (\fB\-P\fP) and deletion (\fB\-D\fP) times for the
key, which means the public key can be added to and removed from the
DNSKEY RRset on schedule even if the true private key is stored offline.
.sp
@@ -144,14 +145,13 @@
.sp
A keyfile can be designed by the key identification \fBKnnnn.+aaa+iiiii\fP
or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as generated by
-\fI\%dnssec\-keygen\fP\&.
+\fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>\&.
.SH SEE ALSO
.sp
-\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc5011.html'\fI\%RFC 5011\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, \fBdnssec\-signzone(8)\fP \%<#\:std-iscman-dnssec-signzone>, BIND 9 Administrator Reference Manual,
+\fBRFC 5011\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-keyfromlabel.1in bind9-9.18.47/doc/man/dnssec-keyfromlabel.1in
--- bind9-9.18.44/doc/man/dnssec-keyfromlabel.1in 2026-01-09 13:46:03.199235014 +0000
+++ bind9-9.18.47/doc/man/dnssec-keyfromlabel.1in 2026-03-13 22:13:22.136610717 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -38,7 +39,7 @@
\fBdnssec\-keyfromlabel\fP generates a pair of key files that reference a
key object stored in a cryptographic hardware service module (HSM). The
private key file can be used for DNSSEC signing of zone data as if it
-were a conventional signing key created by \fI\%dnssec\-keygen\fP, but the
+were a conventional signing key created by \fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>, but the
key material is stored within the HSM and the actual signing takes
place there.
.sp
@@ -56,10 +57,10 @@
These values are case\-insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384
for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along
-with the \fI\%\-3\fP option, then NSEC3RSASHA1 (deprecated) is
+with the \fB\-3\fP option, then NSEC3RSASHA1 (deprecated) is
used instead.
.sp
-This option is mandatory except when using the \fI\%\-S\fP
+This option is mandatory except when using the \fB\-S\fP
option, which copies the algorithm from the predecessory key.
.sp
Changed in version 9.12.0: The default value RSASHA1 (deprecated) for newly generated
@@ -111,7 +112,7 @@
date in the metadata stored with the private key; other dates may
be set there as well, including publication date, activation date, etc. Keys
that include this data may be incompatible with older versions of
-BIND; the \fI\%\-C\fP option suppresses them.
+BIND; the \fB\-C\fP option suppresses them.
.UNINDENT
.INDENT 0.0
.TP
@@ -129,7 +130,7 @@
.TP
.B \-G
This option generates a key, but does not publish it or sign with it. This option is
-incompatible with \fI\%\-P\fP and \fI\%\-A\fP\&.
+incompatible with \fB\-P\fP and \fB\-A\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -161,7 +162,7 @@
.B \-p protocol
This option sets the protocol value for the key. The protocol is a number between
0 and 255. The default is 3 (DNSSEC). Other possible values for this
-argument are listed in \X'tty: link https://datatracker.ietf.org/doc/html/rfc2535.html'\fI\%RFC 2535\fP\X'tty: link' and its successors.
+argument are listed in \fBRFC 2535\fP \% and its successors.
.UNINDENT
.INDENT 0.0
.TP
@@ -197,7 +198,7 @@
This option allows DNSSEC key files to be generated even if the key ID would
collide with that of an existing key, in the event of either key
being revoked. (This is only safe to enable if
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc5011.html'\fI\%RFC 5011\fP\X'tty: link' trust anchor maintenance is not used with either of the keys
+\fBRFC 5011\fP \% trust anchor maintenance is not used with either of the keys
involved.)
.UNINDENT
.SH TIMING OPTIONS
@@ -225,7 +226,7 @@
.B \-P date/offset
This option sets the date on which a key is to be published to the zone. After
that date, the key is included in the zone but is not used
-to sign it. If not set, and if the \fI\%\-G\fP option has not been used, the
+to sign it. If not set, and if the \fB\-G\fP option has not been used, the
default is the current date.
.INDENT 7.0
.TP
@@ -239,7 +240,7 @@
.B \-A date/offset
This option sets the date on which the key is to be activated. After that date,
the key is included in the zone and used to sign it. If not set,
-and if the \fI\%\-G\fP option has not been used, the default is the current date.
+and if the \fB\-G\fP option has not been used, the default is the current date.
.UNINDENT
.INDENT 0.0
.TP
@@ -313,11 +314,10 @@
security reasons, this file does not have general read permission.
.SH SEE ALSO
.sp
-\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc4034.html'\fI\%RFC 4034\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc7512.html'\fI\%RFC 7512\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, \fBdnssec\-signzone(8)\fP \%<#\:std-iscman-dnssec-signzone>, BIND 9 Administrator Reference Manual,
+\fBRFC 4034\fP \%, \fBRFC 7512\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-keygen.1in bind9-9.18.47/doc/man/dnssec-keygen.1in
--- bind9-9.18.44/doc/man/dnssec-keygen.1in 2026-01-09 13:46:03.209235205 +0000
+++ bind9-9.18.47/doc/man/dnssec-keygen.1in 2026-03-13 22:13:22.147610979 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,7 +37,7 @@
.SH DESCRIPTION
.sp
\fBdnssec\-keygen\fP generates keys for DNSSEC (Secure DNS), as defined in
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc2535.html'\fI\%RFC 2535\fP\X'tty: link' and \X'tty: link https://datatracker.ietf.org/doc/html/rfc4034.html'\fI\%RFC 4034\fP\X'tty: link'\&.
+\fBRFC 2535\fP \% and \fBRFC 4034\fP \%\&.
.sp
The \fBname\fP of the key is specified on the command line. For DNSSEC
keys, this must match the name of the zone for which the key is being
@@ -59,20 +60,20 @@
NSEC3RSASHA1 deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256,
ECDSAP384SHA384, ED25519, or ED448. For TKEY, the value must be
DH (Diffie\-Hellman); specifying this value automatically sets
-the \fI\%\-T KEY\fP option as well.
+the \fB\-T KEY\fP option as well.
.sp
These values are case\-insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384
for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along
-with the \fI\%\-3\fP option, NSEC3RSASHA1 (deprecated) is used
+with the \fB\-3\fP option, NSEC3RSASHA1 (deprecated) is used
instead.
.sp
-This parameter \fImust\fP be specified except when using the \fI\%\-S\fP
+This parameter \fImust\fP be specified except when using the \fB\-S\fP
option, which copies the algorithm from the predecessor key.
.sp
In prior releases, HMAC algorithms could be generated for use as TSIG
keys, but that feature was removed in BIND 9.13.0. Use
-\fI\%tsig\-keygen\fP to generate TSIG keys.
+\fBtsig\-keygen\fP \%<#\:std-iscman-tsig-keygen> to generate TSIG keys.
.UNINDENT
.INDENT 0.0
.TP
@@ -85,7 +86,7 @@
If the key size is not specified, some algorithms have pre\-defined
defaults. For example, RSA keys for use as DNSSEC zone\-signing keys
have a default size of 1024 bits; RSA keys for use as key\-signing
-keys (KSKs, generated with \fI\%\-f KSK\fP) default to 2048 bits.
+keys (KSKs, generated with \fB\-f KSK\fP) default to 2048 bits.
.UNINDENT
.INDENT 0.0
.TP
@@ -95,7 +96,7 @@
creation date in the metadata stored with the private key; other
dates may be set there as well, including publication date, activation date,
etc. Keys that include this data may be incompatible with older
-versions of BIND; the \fI\%\-C\fP option suppresses them.
+versions of BIND; the \fB\-C\fP option suppresses them.
.UNINDENT
.INDENT 0.0
.TP
@@ -130,14 +131,14 @@
.TP
.B \-G
This option generates a key, but does not publish it or sign with it. This option is
-incompatible with \fI\%\-P\fP and \fI\%\-A\fP\&.
+incompatible with \fB\-P\fP and \fB\-A\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-g generator
This option indicates the generator to use if generating a Diffie\-Hellman key. Allowed
values are 2 and 5. If no generator is specified, a known prime from
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc2539.html'\fI\%RFC 2539\fP\X'tty: link' is used if possible; otherwise the default is 2.
+\fBRFC 2539\fP \% is used if possible; otherwise the default is 2.
.UNINDENT
.INDENT 0.0
.TP
@@ -176,7 +177,7 @@
.TP
.B \-l file
This option provides a configuration file that contains a \fBdnssec\-policy\fP statement
-(matching the policy set with \fI\%\-k\fP).
+(matching the policy set with \fB\-k\fP).
.UNINDENT
.INDENT 0.0
.TP
@@ -191,9 +192,9 @@
.TP
.B \-p protocol
This option sets the protocol value for the generated key, for use with
-\fI\%\-T KEY\fP\&. The protocol is a number between 0 and 255. The default
+\fB\-T KEY\fP\&. The protocol is a number between 0 and 255. The default
is 3 (DNSSEC). Other possible values for this argument are listed in
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc2535.html'\fI\%RFC 2535\fP\X'tty: link' and its successors.
+\fBRFC 2535\fP \% and its successors.
.UNINDENT
.INDENT 0.0
.TP
@@ -234,7 +235,7 @@
.INDENT 0.0
.TP
.B \-t type
-This option indicates the type of the key for use with \fI\%\-T KEY\fP\&. \fBtype\fP
+This option indicates the type of the key for use with \fB\-T KEY\fP\&. \fBtype\fP
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate data, and
CONF to the ability to encrypt data.
@@ -271,7 +272,7 @@
.B \-P date/offset
This option sets the date on which a key is to be published to the zone. After
that date, the key is included in the zone but is not used
-to sign it. If not set, and if the \fI\%\-G\fP option has not been used, the
+to sign it. If not set, and if the \fB\-G\fP option has not been used, the
default is the current date.
.INDENT 7.0
.TP
@@ -285,8 +286,8 @@
.B \-A date/offset
This option sets the date on which the key is to be activated. After that date,
the key is included in the zone and used to sign it. If not set,
-and if the \fI\%\-G\fP option has not been used, the default is the current date. If set,
-and \fI\%\-P\fP is not set, the publication date is set to the
+and if the \fB\-G\fP option has not been used, the default is the current date. If set,
+and \fB\-P\fP is not set, the publication date is set to the
activation date minus the prepublication interval.
.UNINDENT
.INDENT 0.0
@@ -355,7 +356,7 @@
\fBKnnnn.+aaa+iiiii.private\fP contains the private key.
.sp
The \fB\&.key\fP file contains a DNSKEY or KEY record. When a zone is being
-signed by \fI\%named\fP or \fI\%dnssec\-signzone \-S\fP, DNSKEY records are
+signed by \fBnamed\fP \%<#\:std-iscman-named> or \fBdnssec\-signzone \-S\fP \%<#\:cmdoption-dnssec-signzone-S>, DNSKEY records are
included automatically. In other cases, the \fB\&.key\fP file can be
inserted into a zone file manually or with an \fB$INCLUDE\fP statement.
.sp
@@ -380,11 +381,10 @@
\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example.com\fP
.SH SEE ALSO
.sp
-\fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \X'tty: link https://datatracker.ietf.org/doc/html/rfc2539.html'\fI\%RFC 2539\fP\X'tty: link',
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc2845.html'\fI\%RFC 2845\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc4034.html'\fI\%RFC 4034\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdnssec\-signzone(8)\fP \%<#\:std-iscman-dnssec-signzone>, BIND 9 Administrator Reference Manual, \fBRFC 2539\fP \%,
+\fBRFC 2845\fP \%, \fBRFC 4034\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-revoke.1in bind9-9.18.47/doc/man/dnssec-revoke.1in
--- bind9-9.18.44/doc/man/dnssec-revoke.1in 2026-01-09 13:46:03.212235263 +0000
+++ bind9-9.18.47/doc/man/dnssec-revoke.1in 2026-03-13 22:13:22.150611050 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,7 +37,7 @@
.SH DESCRIPTION
.sp
\fBdnssec\-revoke\fP reads a DNSSEC key file, sets the REVOKED bit on the
-key as defined in \X'tty: link https://datatracker.ietf.org/doc/html/rfc5011.html'\fI\%RFC 5011\fP\X'tty: link', and creates a new pair of key files
+key as defined in \fBRFC 5011\fP \%, and creates a new pair of key files
containing the now\-revoked key.
.SH OPTIONS
.INDENT 0.0
@@ -88,10 +89,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%dnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \X'tty: link https://datatracker.ietf.org/doc/html/rfc5011.html'\fI\%RFC 5011\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, BIND 9 Administrator Reference Manual, \fBRFC 5011\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-settime.1in bind9-9.18.47/doc/man/dnssec-settime.1in
--- bind9-9.18.44/doc/man/dnssec-settime.1in 2026-01-09 13:46:03.222235454 +0000
+++ bind9-9.18.47/doc/man/dnssec-settime.1in 2026-03-13 22:13:22.158611241 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,9 +37,9 @@
.SH DESCRIPTION
.sp
\fBdnssec\-settime\fP reads a DNSSEC private key file and sets the key
-timing metadata as specified by the \fI\%\-P\fP, \fI\%\-A\fP, \fI\%\-R\fP,
-\fI\%\-I\fP, and \fI\%\-D\fP options. The metadata can then be used by
-\fI\%dnssec\-signzone\fP or other signing software to determine when a key is
+timing metadata as specified by the \fB\-P\fP, \fB\-A\fP, \fB\-R\fP,
+\fB\-I\fP, and \fB\-D\fP options. The metadata can then be used by
+\fBdnssec\-signzone\fP \%<#\:std-iscman-dnssec-signzone> or other signing software to determine when a key is
to be published, whether it should be used for signing a zone, etc.
.sp
If none of these options is set on the command line,
@@ -55,12 +56,12 @@
inaccessible to anyone other than the owner (mode 0600).
.sp
When working with state files, it is possible to update the timing metadata in
-those files as well with \fI\%\-s\fP\&. With this option, it is also possible
-to update key states with \fI\%\-d\fP (DS), \fI\%\-k\fP (DNSKEY), \fI\%\-r\fP
-(RRSIG of KSK), or \fI\%\-z\fP (RRSIG of ZSK). Allowed states are HIDDEN,
+those files as well with \fB\-s\fP\&. With this option, it is also possible
+to update key states with \fB\-d\fP (DS), \fB\-k\fP (DNSKEY), \fB\-r\fP
+(RRSIG of KSK), or \fB\-z\fP (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
.sp
-The goal state of the key can also be set with \fI\%\-g\fP\&. This should be either
+The goal state of the key can also be set with \fB\-g\fP\&. This should be either
HIDDEN or OMNIPRESENT, representing whether the key should be removed from the
zone or published.
.sp
@@ -275,7 +276,7 @@
.TP
.B \-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all
This option prints a specific metadata value or set of metadata values.
-The \fI\%\-p\fP option may be followed by one or more of the following letters or
+The \fB\-p\fP option may be followed by one or more of the following letters or
strings to indicate which value or values to print: \fBC\fP for the
creation date, \fBP\fP for the publication date, \fBPds\(ga for the DS publication
date, \(ga\(gaPsync\fP for the CDS and CDNSKEY publication date, \fBA\fP for the
@@ -286,11 +287,10 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc5011.html'\fI\%RFC 5011\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, \fBdnssec\-signzone(8)\fP \%<#\:std-iscman-dnssec-signzone>, BIND 9 Administrator Reference Manual,
+\fBRFC 5011\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-signzone.1in bind9-9.18.47/doc/man/dnssec-signzone.1in
--- bind9-9.18.44/doc/man/dnssec-signzone.1in 2026-01-09 13:46:03.233235664 +0000
+++ bind9-9.18.47/doc/man/dnssec-signzone.1in 2026-03-13 22:13:22.172611574 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -68,9 +69,9 @@
.B \-D
This option indicates that only those record types automatically managed by
\fBdnssec\-signzone\fP, i.e., RRSIG, NSEC, NSEC3 and NSEC3PARAM records, should be included in the output.
-If smart signing (\fI\%\-S\fP) is used, DNSKEY records are also included.
+If smart signing (\fB\-S\fP) is used, DNSKEY records are also included.
The resulting file can be included in the original zone file with
-\fB$INCLUDE\fP\&. This option cannot be combined with \fI\%\-O raw\fP
+\fB$INCLUDE\fP\&. This option cannot be combined with \fB\-O raw\fP
or serial\-number updating.
.UNINDENT
.INDENT 0.0
@@ -111,7 +112,7 @@
possible time before signatures that have been retrieved by resolvers
expire from resolver caches. Zones that are signed with this
option should be configured to use a matching \fBmax\-zone\-ttl\fP in
-\fI\%named.conf\fP\&. (Note: This option is incompatible with \fI\%\-D\fP,
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&. (Note: This option is incompatible with \fB\-D\fP,
because it modifies non\-DNSSEC data in the output zone.)
.UNINDENT
.INDENT 0.0
@@ -244,7 +245,7 @@
This format indicates that the SOA serial number should not be modified.
.TP
\fBincrement\fP
-This format increments the SOA serial number using \X'tty: link https://datatracker.ietf.org/doc/html/rfc1982.html'\fI\%RFC 1982\fP\X'tty: link' arithmetic.
+This format increments the SOA serial number using \fBRFC 1982\fP \% arithmetic.
.TP
\fBunixtime\fP
This format sets the SOA serial number to the number of seconds
@@ -273,8 +274,8 @@
textual representation of the zone; \fBfull\fP, which is text output in a
format suitable for processing by external scripts; and \fBraw\fP and
\fBraw=N\fP, which store the zone in binary formats for rapid loading by
-\fI\%named\fP\&. \fBraw=N\fP specifies the format version of the raw zone file:
-if N is 0, the raw file can be read by any version of \fI\%named\fP; if N is
+\fBnamed\fP \%<#\:std-iscman-named>\&. \fBraw=N\fP specifies the format version of the raw zone file:
+if N is 0, the raw file can be read by any version of \fBnamed\fP \%<#\:std-iscman-named>; if N is
1, the file can be read by release 9.9.0 or higher. The default is 1.
.UNINDENT
.INDENT 0.0
@@ -296,10 +297,10 @@
signer, and a DNSKEY record has been removed and replaced with a new
one, signatures from the old key that are still within their validity
period are retained. This allows the zone to continue to validate
-with cached copies of the old DNSKEY RRset. The \fI\%\-Q\fP option forces
+with cached copies of the old DNSKEY RRset. The \fB\-Q\fP option forces
\fBdnssec\-signzone\fP to remove signatures from keys that are no longer
active. This enables ZSK rollover using the procedure described in
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc6781.html#section-4.1.1.1'\fI\%RFC 6781 Section 4.1.1.1\fP\X'tty: link' (\(dqPre\-Publish Zone Signing Key Rollover\(dq).
+\fBRFC 6781 Section 4.1.1.1\fP \% (\(dqPre\-Publish Zone Signing Key Rollover\(dq).
.UNINDENT
.INDENT 0.0
.TP
@@ -315,10 +316,10 @@
.B \-R
This option removes signatures from keys that are no longer published.
.sp
-This option is similar to \fI\%\-Q\fP, except it forces
+This option is similar to \fB\-Q\fP, except it forces
\fBdnssec\-signzone\fP to remove signatures from keys that are no longer
published. This enables ZSK rollover using the procedure described in
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc6781.html#section-4.1.1.2'\fI\%RFC 6781 Section 4.1.1.2\fP\X'tty: link' (\(dqDouble Signature Zone Signing Key
+\fBRFC 6781 Section 4.1.1.2\fP \% (\(dqDouble Signature Zone Signing Key
Rollover\(dq).
.UNINDENT
.INDENT 0.0
@@ -365,7 +366,7 @@
This option specifies a TTL to be used for new DNSKEY records imported into the
zone from the key repository. If not specified, the default is the
TTL value from the zone\(aqs SOA record. This option is ignored when
-signing without \fI\%\-S\fP, since DNSKEY records are not imported from
+signing without \fB\-S\fP, since DNSKEY records are not imported from
the key repository in that case. It is also ignored if there are any
pre\-existing DNSKEY records at the zone apex, in which case new
records\(aq TTL values are set to match them, or if any of the
@@ -397,7 +398,7 @@
.B \-x
This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key\-signing keys,
and should omit signatures from zone\-signing keys. (This is similar to the
-\fBdnssec\-dnskey\-kskonly yes;\fP zone option in \fI\%named\fP\&.)
+\fBdnssec\-dnskey\-kskonly yes;\fP zone option in \fBnamed\fP \%<#\:std-iscman-named>\&.)
.UNINDENT
.INDENT 0.0
.TP
@@ -405,7 +406,7 @@
This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes
KSK\-flagged keys to sign all records, not just the DNSKEY RRset.
(This is similar to the \fBupdate\-check\-ksk no;\fP zone option in
-\fI\%named\fP\&.)
+\fBnamed\fP \%<#\:std-iscman-named>\&.)
.UNINDENT
.INDENT 0.0
.TP
@@ -414,11 +415,11 @@
(\-) can be used to indicate that no salt is to be used when
generating the NSEC3 chain.
.sp
-\fBNOTE:\fP
+\fBNote:\fP
.INDENT 7.0
.INDENT 3.5
\fB\-3 \-\fP is the recommended configuration. Adding salt provides no practical benefits.
-See \X'tty: link https://datatracker.ietf.org/doc/html/rfc9276.html'\fI\%RFC 9276\fP\X'tty: link'\&.
+See \fBRFC 9276\fP \%\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -428,11 +429,11 @@
This option indicates that, when generating an NSEC3 chain, BIND 9 should use this many iterations. The default
is 0.
.sp
-\fBWARNING:\fP
+\fBWarning:\fP
.INDENT 7.0
.INDENT 3.5
Values greater than 0 cause interoperability issues and also increase the risk of CPU\-exhausting DoS attacks.
-See \X'tty: link https://datatracker.ietf.org/doc/html/rfc9276.html'\fI\%RFC 9276\fP\X'tty: link'\&.
+See \fBRFC 9276\fP \%\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -442,11 +443,11 @@
This option indicates that, when generating an NSEC3 chain, BIND 9 should set the OPTOUT flag on all NSEC3
records and should not generate NSEC3 records for insecure delegations.
.sp
-\fBWARNING:\fP
+\fBWarning:\fP
.INDENT 7.0
.INDENT 3.5
Do not use this option unless all its implications are fully understood. This option is intended only for extremely large zones (comparable to \fBcom.\fP) with sparse secure delegations.
-See \X'tty: link https://datatracker.ietf.org/doc/html/rfc9276.html'\fI\%RFC 9276\fP\X'tty: link'\&.
+See \fBRFC 9276\fP \%\&.
.UNINDENT
.UNINDENT
.UNINDENT
@@ -454,7 +455,7 @@
.TP
.B \-AA
This option turns the OPTOUT flag off for
-all records. This is useful when using the \fI\%\-u\fP option to modify an
+all records. This is useful when using the \fB\-u\fP option to modify an
NSEC3 chain which previously had OPTOUT set.
.UNINDENT
.INDENT 0.0
@@ -473,11 +474,11 @@
.SH EXAMPLE
.sp
The following command signs the \fBexample.com\fP zone with the
-ECDSAP256SHA256 key generated by \fI\%dnssec\-keygen\fP
-(Kexample.com.+013+17247). Because the \fI\%\-S\fP option is not being used,
+ECDSAP256SHA256 key generated by \fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>
+(Kexample.com.+013+17247). Because the \fB\-S\fP option is not being used,
the zone\(aqs keys must be in the master file (\fBdb.example.com\fP). This
invocation looks for \fBdsset\fP files in the current directory, so that
-DS records can be imported from them (\fI\%\-g\fP).
+DS records can be imported from them (\fB\-g\fP).
.INDENT 0.0
.INDENT 3.5
.sp
@@ -492,7 +493,7 @@
.sp
In the above example, \fBdnssec\-signzone\fP creates the file
\fBdb.example.com.signed\fP\&. This file should be referenced in a zone
-statement in the \fI\%named.conf\fP file.
+statement in the \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> file.
.sp
This example re\-signs a previously signed zone with default parameters.
The private keys are assumed to be in the current directory.
@@ -509,11 +510,10 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%dnssec\-keygen(8)\fP, BIND 9 Administrator Reference Manual, \X'tty: link https://datatracker.ietf.org/doc/html/rfc4033.html'\fI\%RFC 4033\fP\X'tty: link',
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc6781.html'\fI\%RFC 6781\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, BIND 9 Administrator Reference Manual, \fBRFC 4033\fP \%,
+\fBRFC 6781\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnssec-verify.1in bind9-9.18.47/doc/man/dnssec-verify.1in
--- bind9-9.18.44/doc/man/dnssec-verify.1in 2026-01-09 13:46:03.237235741 +0000
+++ bind9-9.18.47/doc/man/dnssec-verify.1in 2026-03-13 22:13:22.176611669 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -94,7 +95,7 @@
Without this flag, it is assumed that the DNSKEY RRset is signed
by all active keys. When this flag is set, it is not an error if
the DNSKEY RRset is not signed by zone\-signing keys. This corresponds
-to the \fI\%\-x option in dnssec\-signzone\fP\&.
+to the \fB\-x option in dnssec\-signzone\fP \%<#\:cmdoption-dnssec-signzone-x>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -110,7 +111,7 @@
the KSK flag state, and that other RRsets be signed by a
non\-revoked key for the same algorithm that includes the self\-signed
key; the same key may be used for both purposes. This corresponds to
-the \fI\%\-z option in dnssec\-signzone\fP\&.
+the \fB\-z option in dnssec\-signzone\fP \%<#\:cmdoption-dnssec-signzone-z>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -119,10 +120,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \X'tty: link https://datatracker.ietf.org/doc/html/rfc4033.html'\fI\%RFC 4033\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdnssec\-signzone(8)\fP \%<#\:std-iscman-dnssec-signzone>, BIND 9 Administrator Reference Manual, \fBRFC 4033\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/dnstap-read.1in bind9-9.18.47/doc/man/dnstap-read.1in
--- bind9-9.18.44/doc/man/dnstap-read.1in 2026-01-09 13:46:03.240235799 +0000
+++ bind9-9.18.47/doc/man/dnstap-read.1in 2026-03-13 22:13:22.178611717 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -37,7 +38,7 @@
.sp
\fBdnstap\-read\fP reads \fBdnstap\fP data from a specified file and prints
it in a human\-readable format. By default, \fBdnstap\fP data is printed in
-a short summary format, but if the \fI\%\-y\fP option is specified, a
+a short summary format, but if the \fB\-y\fP option is specified, a
longer and more detailed YAML format is used.
.SH OPTIONS
.INDENT 0.0
@@ -64,10 +65,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%named(8)\fP, \fI\%rndc(8)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBrndc(8)\fP \%<#\:std-iscman-rndc>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/filter-a.8in bind9-9.18.47/doc/man/filter-a.8in
--- bind9-9.18.44/doc/man/filter-a.8in 2026-01-09 13:46:03.245235894 +0000
+++ bind9-9.18.47/doc/man/filter-a.8in 2026-03-13 22:13:22.183611836 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -35,8 +36,8 @@
\fBplugin query\fP \(dqfilter\-a.so\(dq [{ parameters }];
.SH DESCRIPTION
.sp
-\fBfilter\-a.so\fP is a query plugin module for \fI\%named\fP, enabling
-\fI\%named\fP to omit some IPv4 addresses when responding to clients.
+\fBfilter\-a.so\fP is a query plugin module for \fBnamed\fP \%<#\:std-iscman-named>, enabling
+\fBnamed\fP \%<#\:std-iscman-named> to omit some IPv4 addresses when responding to clients.
.sp
For example:
.INDENT 0.0
@@ -96,9 +97,8 @@
.SH SEE ALSO
.sp
BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/filter-aaaa.8in bind9-9.18.47/doc/man/filter-aaaa.8in
--- bind9-9.18.44/doc/man/filter-aaaa.8in 2026-01-09 13:46:03.242235837 +0000
+++ bind9-9.18.47/doc/man/filter-aaaa.8in 2026-03-13 22:13:22.181611788 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -35,13 +36,13 @@
\fBplugin query\fP \(dqfilter\-aaaa.so\(dq [{ parameters }];
.SH DESCRIPTION
.sp
-\fBfilter\-aaaa.so\fP is a query plugin module for \fI\%named\fP, enabling
-\fI\%named\fP to omit some IPv6 addresses when responding to clients.
+\fBfilter\-aaaa.so\fP is a query plugin module for \fBnamed\fP \%<#\:std-iscman-named>, enabling
+\fBnamed\fP \%<#\:std-iscman-named> to omit some IPv6 addresses when responding to clients.
.sp
-Until BIND 9.12, this feature was implemented natively in \fI\%named\fP and
+Until BIND 9.12, this feature was implemented natively in \fBnamed\fP \%<#\:std-iscman-named> and
enabled with the \fBfilter\-aaaa\fP ACL and the \fBfilter\-aaaa\-on\-v4\fP and
\fBfilter\-aaaa\-on\-v6\fP options. These options are now deprecated in
-\fI\%named.conf\fP but can be passed as parameters to the
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> but can be passed as parameters to the
\fBfilter\-aaaa.so\fP plugin, for example:
.INDENT 0.0
.INDENT 3.5
@@ -100,9 +101,8 @@
.SH SEE ALSO
.sp
BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/host.1in bind9-9.18.47/doc/man/host.1in
--- bind9-9.18.44/doc/man/host.1in 2026-01-09 13:46:03.255236086 +0000
+++ bind9-9.18.47/doc/man/host.1in 2026-03-13 22:13:22.190612003 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -50,23 +51,23 @@
.INDENT 0.0
.TP
.B \-4
-This option specifies that only IPv4 should be used for query transport. See also the \fI\%\-6\fP option.
+This option specifies that only IPv4 should be used for query transport. See also the \fB\-6\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-6
-This option specifies that only IPv6 should be used for query transport. See also the \fI\%\-4\fP option.
+This option specifies that only IPv6 should be used for query transport. See also the \fB\-4\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-a
-The \fI\%\-a\fP (\(dqall\(dq) option is normally equivalent to \fI\%\-v\fP \fI\%\-t ANY\fP\&. It
-also affects the behavior of the \fI\%\-l\fP list zone option.
+The \fB\-a\fP (\(dqall\(dq) option is normally equivalent to \fB\-v\fP \fB\-t ANY\fP\&. It
+also affects the behavior of the \fB\-l\fP list zone option.
.UNINDENT
.INDENT 0.0
.TP
.B \-A
-The \fI\%\-A\fP (\(dqalmost all\(dq) option is equivalent to \fI\%\-a\fP, except that RRSIG,
+The \fB\-A\fP (\(dqalmost all\(dq) option is equivalent to \fB\-a\fP, except that RRSIG,
NSEC, and NSEC3 records are omitted from the output.
.UNINDENT
.INDENT 0.0
@@ -78,7 +79,7 @@
.INDENT 0.0
.TP
.B \-C
-This option indicates that \fI\%named\fP should check consistency, meaning that \fBhost\fP queries the SOA records for zone
+This option indicates that \fBnamed\fP \%<#\:std-iscman-named> should check consistency, meaning that \fBhost\fP queries the SOA records for zone
\fBname\fP from all the listed authoritative name servers for that
zone. The list of name servers is defined by the NS records that are
found for the zone.
@@ -86,15 +87,15 @@
.INDENT 0.0
.TP
.B \-d
-This option prints debugging traces, and is equivalent to the \fI\%\-v\fP verbose option.
+This option prints debugging traces, and is equivalent to the \fB\-v\fP verbose option.
.UNINDENT
.INDENT 0.0
.TP
.B \-l
-This option tells \fI\%named\fP to list the zone, meaning the \fBhost\fP command performs a zone transfer of zone
+This option tells \fBnamed\fP \%<#\:std-iscman-named> to list the zone, meaning the \fBhost\fP command performs a zone transfer of zone
\fBname\fP and prints out the NS, PTR, and address records (A/AAAA).
.sp
-Together, the \fI\%\-l\fP \fI\%\-a\fP options print all records in the zone.
+Together, the \fB\-l\fP \fB\-a\fP options print all records in the zone.
.UNINDENT
.INDENT 0.0
.TP
@@ -116,7 +117,7 @@
.B \-r
This option specifies a non\-recursive query; setting this option clears the RD (recursion
desired) bit in the query. This means that the name server
-receiving the query does not attempt to resolve \fBname\fP\&. The \fI\%\-r\fP
+receiving the query does not attempt to resolve \fBname\fP\&. The \fB\-r\fP
option enables \fBhost\fP to mimic the behavior of a name server by
making non\-recursive queries, and expecting to receive answers to
those queries that can be referrals to other name servers.
@@ -131,7 +132,7 @@
.INDENT 0.0
.TP
.B \-s
-This option tells \fI\%named\fP \fInot\fP to send the query to the next nameserver if any server responds
+This option tells \fBnamed\fP \%<#\:std-iscman-named> \fInot\fP to send the query to the next nameserver if any server responds
with a SERVFAIL response, which is the reverse of normal stub
resolver behavior.
.UNINDENT
@@ -143,34 +144,34 @@
.sp
When no query type is specified, \fBhost\fP automatically selects an
appropriate query type. By default, it looks for A, AAAA, and MX
-records. If the \fI\%\-C\fP option is given, queries are made for SOA
+records. If the \fB\-C\fP option is given, queries are made for SOA
records. If \fBname\fP is a dotted\-decimal IPv4 address or
colon\-delimited IPv6 address, \fBhost\fP queries for PTR records.
.sp
If a query type of IXFR is chosen, the starting serial number can be
specified by appending an equals sign (=), followed by the starting serial
-number, e.g., \fI\%\-t IXFR=12345678\fP\&.
+number, e.g., \fB\-t IXFR=12345678\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-T, \-U
This option specifies TCP or UDP. By default, \fBhost\fP uses UDP when making queries; the
-\fI\%\-T\fP option makes it use a TCP connection when querying the name
+\fB\-T\fP option makes it use a TCP connection when querying the name
server. TCP is automatically selected for queries that require
it, such as zone transfer (AXFR) requests. Type \fBANY\fP queries default
-to TCP, but can be forced to use UDP initially via \fI\%\-U\fP\&.
+to TCP, but can be forced to use UDP initially via \fB\-U\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-m flag
This option sets memory usage debugging: the flag can be \fBrecord\fP, \fBusage\fP, or
-\fBtrace\fP\&. The \fI\%\-m\fP option can be specified more than once to set
+\fBtrace\fP\&. The \fB\-m\fP option can be specified more than once to set
multiple flags.
.UNINDENT
.INDENT 0.0
.TP
.B \-v
-This option sets verbose output, and is equivalent to the \fI\%\-d\fP debug option. Verbose output
+This option sets verbose output, and is equivalent to the \fB\-d\fP debug option. Verbose output
can also be enabled by setting the \fBdebug\fP option in
\fB/etc/resolv.conf\fP\&.
.UNINDENT
@@ -183,19 +184,19 @@
.TP
.B \-w
This option sets \(dqwait forever\(dq: the query timeout is set to the maximum possible. See
-also the \fI\%\-W\fP option.
+also the \fB\-W\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-W wait
-This options sets the length of the wait timeout, indicating that \fI\%named\fP should wait for up to \fBwait\fP seconds for a reply. If \fBwait\fP is
+This options sets the length of the wait timeout, indicating that \fBnamed\fP \%<#\:std-iscman-named> should wait for up to \fBwait\fP seconds for a reply. If \fBwait\fP is
less than 1, the wait interval is set to 1 second.
.sp
By default, \fBhost\fP waits for 5 seconds for UDP responses and 10
seconds for TCP connections. These defaults can be overridden by the
\fBtimeout\fP option in \fB/etc/resolv.conf\fP\&.
.sp
-See also the \fI\%\-w\fP option.
+See also the \fB\-w\fP option.
.UNINDENT
.SH IDN SUPPORT
.sp
@@ -211,10 +212,9 @@
\fB/etc/resolv.conf\fP
.SH SEE ALSO
.sp
-\fI\%dig(1)\fP, \fI\%named(8)\fP\&.
-.SH AUTHOR
+\fBdig(1)\fP \%<#\:std-iscman-dig>, \fBnamed(8)\fP \%<#\:std-iscman-named>\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/mdig.1in bind9-9.18.47/doc/man/mdig.1in
--- bind9-9.18.44/doc/man/mdig.1in 2026-01-09 13:46:03.266236296 +0000
+++ bind9-9.18.47/doc/man/mdig.1in 2026-03-13 22:13:22.203612312 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -32,25 +33,25 @@
mdig \- DNS pipelined lookup utility
.SH SYNOPSIS
.sp
-\fBmdig\fP \X'tty: link mailto:{@server'\fI\%{@server\fP\X'tty: link'} [\fB\-f\fP filename] [\fB\-h\fP] [\fB\-v\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-m\fP] [\fB\-b\fP address] [\fB\-p\fP port#] [\fB\-c\fP class] [\fB\-t\fP type] [\fB\-i\fP] [\fB\-x\fP addr] [plusopt...]
+\fBmdig\fP \%<{@\:server>} [\fB\-f\fP filename] [\fB\-h\fP] [\fB\-v\fP] [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-m\fP] [\fB\-b\fP address] [\fB\-p\fP port#] [\fB\-c\fP class] [\fB\-t\fP type] [\fB\-i\fP] [\fB\-x\fP addr] [plusopt...]
.sp
\fBmdig\fP {\fB\-h\fP}
.sp
\fBmdig\fP [@server] {global\-opt...} { {local\-opt...} {query} ...}
.SH DESCRIPTION
.sp
-\fBmdig\fP is a multiple/pipelined query version of \fI\%dig\fP: instead of
+\fBmdig\fP is a multiple/pipelined query version of \fBdig\fP \%<#\:std-iscman-dig>: instead of
waiting for a response after sending each query, it begins by sending
all queries. Responses are displayed in the order in which they are
received, not in the order the corresponding queries were sent.
.sp
-\fBmdig\fP options are a subset of the \fI\%dig\fP options, and are divided
+\fBmdig\fP options are a subset of the \fBdig\fP \%<#\:std-iscman-dig> options, and are divided
into \(dqanywhere options,\(dq which can occur anywhere, \(dqglobal options,\(dq which
must occur before the query name (or they are ignored with a warning),
and \(dqlocal options,\(dq which apply to the next query on the command line.
.sp
The \fB@server\fP option is a mandatory global option. It is the name or IP
-address of the name server to query. (Unlike \fI\%dig\fP, this value is not
+address of the name server to query. (Unlike \fBdig\fP \%<#\:std-iscman-dig>, this value is not
retrieved from \fB/etc/resolv.conf\fP\&.) It can be an IPv4 address in
dotted\-decimal notation, an IPv6 address in colon\-delimited notation, or
a hostname. When the supplied \fBserver\fP argument is a hostname,
@@ -247,7 +248,7 @@
.TP
.B +vc, +novc
This option uses [or does not use] TCP when querying name servers. This alternate
-syntax to \fI\%+tcp\fP is provided for backwards compatibility. The
+syntax to \fB+tcp\fP is provided for backwards compatibility. The
\fBvc\fP stands for \(dqvirtual circuit\(dq.
.UNINDENT
.SH LOCAL OPTIONS
@@ -263,7 +264,7 @@
.B \-t type
This option sets the query type to \fBtype\fP\&. It can be any valid
query type which is supported in BIND 9. The default query type is \(dqA\(dq,
-unless the \fI\%\-x\fP option is supplied to indicate a reverse lookup with
+unless the \fB\-x\fP option is supplied to indicate a reverse lookup with
the \(dqPTR\(dq query type.
.UNINDENT
.INDENT 0.0
@@ -282,7 +283,7 @@
.INDENT 0.0
.TP
.B +aaflag, +noaaflag
-This is a synonym for \fI\%+aaonly\fP, \fI\%+noaaonly\fP\&.
+This is a synonym for \fB+aaonly\fP, \fB+noaaonly\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -371,7 +372,7 @@
.TP
.B +retry=T
This sets the number of times to retry UDP queries to server to \fBT\fP
-instead of the default, 2. Unlike \fI\%+tries\fP, this does not include
+instead of the default, 2. Unlike \fB+tries\fP, this does not include
the initial query.
.UNINDENT
.INDENT 0.0
@@ -410,7 +411,7 @@
.INDENT 0.0
.TP
.B +unknownformat, +nounknownformat
-This prints [or does not print] all RDATA in unknown RR\-type presentation format (see \X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link').
+This prints [or does not print] all RDATA in unknown RR\-type presentation format (see \fBRFC 3597\fP \%).
The default is to print RDATA for known types in the type\(aqs
presentation format.
.UNINDENT
@@ -427,10 +428,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%dig(1)\fP, \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link'\&.
-.SH AUTHOR
+\fBdig(1)\fP \%<#\:std-iscman-dig>, \fBRFC 1035\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named-checkconf.1in bind9-9.18.47/doc/man/named-checkconf.1in
--- bind9-9.18.44/doc/man/named-checkconf.1in 2026-01-09 13:46:03.270236373 +0000
+++ bind9-9.18.47/doc/man/named-checkconf.1in 2026-03-13 22:13:22.208612432 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,14 +37,14 @@
.SH DESCRIPTION
.sp
\fBnamed\-checkconf\fP checks the syntax, but not the semantics, of a
-\fI\%named\fP configuration file. The file, along with all files included by it, is parsed and checked for syntax
+\fBnamed\fP \%<#\:std-iscman-named> configuration file. The file, along with all files included by it, is parsed and checked for syntax
errors. If no file is specified,
\fB@sysconfdir@/named.conf\fP is read by default.
.sp
-Note: files that \fI\%named\fP reads in separate parser contexts, such as
+Note: files that \fBnamed\fP \%<#\:std-iscman-named> reads in separate parser contexts, such as
\fBrndc.key\fP and \fBbind.keys\fP, are not automatically read by
\fBnamed\-checkconf\fP\&. Configuration errors in these files may cause
-\fI\%named\fP to fail to run, even if \fBnamed\-checkconf\fP was successful.
+\fBnamed\fP \%<#\:std-iscman-named> to fail to run, even if \fBnamed\-checkconf\fP was successful.
However, \fBnamed\-checkconf\fP can be run on these files explicitly.
.SH OPTIONS
.INDENT 0.0
@@ -54,7 +55,7 @@
.INDENT 0.0
.TP
.B \-j
-When loading a zonefile, this option instructs \fI\%named\fP to read the journal if it exists.
+When loading a zonefile, this option instructs \fBnamed\fP \%<#\:std-iscman-named> to read the journal if it exists.
.UNINDENT
.INDENT 0.0
.TP
@@ -77,15 +78,15 @@
.INDENT 0.0
.TP
.B \-p
-This option prints out the \fI\%named.conf\fP and included files in canonical form if
-no errors were detected. See also the \fI\%\-x\fP option.
+This option prints out the \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> and included files in canonical form if
+no errors were detected. See also the \fB\-x\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-t directory
-This option instructs \fI\%named\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
+This option instructs \fBnamed\fP \%<#\:std-iscman-named> to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
configuration file are processed as if run by a similarly chrooted
-\fI\%named\fP\&.
+\fBnamed\fP \%<#\:std-iscman-named>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -97,15 +98,15 @@
.B \-x
When printing the configuration files in canonical form, this option obscures
shared secrets by replacing them with strings of question marks
-(\fB?\fP). This allows the contents of \fI\%named.conf\fP and related files
+(\fB?\fP). This allows the contents of \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> and related files
to be shared \- for example, when submitting bug reports \-
without compromising private data. This option cannot be used without
-\fI\%\-p\fP\&.
+\fB\-p\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-z
-This option performs a test load of all zones of type \fBprimary\fP found in \fI\%named.conf\fP\&.
+This option performs a test load of all zones of type \fBprimary\fP found in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -119,10 +120,9 @@
and 0 otherwise.
.SH SEE ALSO
.sp
-\fI\%named(8)\fP, \fI\%named\-checkzone(8)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBnamed\-checkzone(8)\fP \%<#\:std-iscman-named-checkzone>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named-checkzone.1in bind9-9.18.47/doc/man/named-checkzone.1in
--- bind9-9.18.44/doc/man/named-checkzone.1in 2026-01-09 13:46:03.352237942 +0000
+++ bind9-9.18.47/doc/man/named-checkzone.1in 2026-03-13 22:13:22.216612622 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,7 +37,7 @@
.SH DESCRIPTION
.sp
\fBnamed\-checkzone\fP checks the syntax and integrity of a zone file. It
-performs the same checks as \fI\%named\fP does when loading a zone. This
+performs the same checks as \fBnamed\fP \%<#\:std-iscman-named> does when loading a zone. This
makes \fBnamed\-checkzone\fP useful for checking zone files before
configuring them into a name server.
.SH OPTIONS
@@ -64,15 +65,15 @@
.INDENT 0.0
.TP
.B \-j
-When loading a zone file, this option tells \fI\%named\fP to read the journal if it exists. The journal
+When loading a zone file, this option tells \fBnamed\fP \%<#\:std-iscman-named> to read the journal if it exists. The journal
file name is assumed to be the zone file name with the
string \fB\&.jnl\fP appended.
.UNINDENT
.INDENT 0.0
.TP
.B \-J filename
-When loading the zone file, this option tells \fI\%named\fP to read the journal from the given file, if
-it exists. This implies \fI\%\-j\fP\&.
+When loading the zone file, this option tells \fBnamed\fP \%<#\:std-iscman-named> to read the journal from the given file, if
+it exists. This implies \fB\-j\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -122,9 +123,9 @@
.sp
Possible formats are \fBtext\fP (the default), which is the standard
textual representation of the zone, and \fBraw\fP and \fBraw=N\fP, which
-store the zone in a binary format for rapid loading by \fI\%named\fP\&.
+store the zone in a binary format for rapid loading by \fBnamed\fP \%<#\:std-iscman-named>\&.
\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is
-0, the raw file can be read by any version of \fI\%named\fP; if N is 1, the
+0, the raw file can be read by any version of \fBnamed\fP \%<#\:std-iscman-named>; if N is 1, the
file can only be read by release 9.9.0 or higher. The default is 1.
.UNINDENT
.INDENT 0.0
@@ -138,7 +139,7 @@
.B \-l ttl
This option sets a maximum permissible TTL for the input file. Any record with a
TTL higher than this value causes the zone to be rejected. This
-is similar to using the \fBmax\-zone\-ttl\fP option in \fI\%named.conf\fP\&.
+is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -199,9 +200,9 @@
.INDENT 0.0
.TP
.B \-t directory
-This option tells \fI\%named\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
+This option tells \fBnamed\fP \%<#\:std-iscman-named> to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
configuration file are processed as if run by a similarly chrooted
-\fI\%named\fP\&.
+\fBnamed\fP \%<#\:std-iscman-named>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -213,9 +214,9 @@
.INDENT 0.0
.TP
.B \-w directory
-This option instructs \fI\%named\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
+This option instructs \fBnamed\fP \%<#\:std-iscman-named> to chdir to \fBdirectory\fP, so that relative filenames in master file
\fB$INCLUDE\fP directives work. This is similar to the directory clause in
-\fI\%named.conf\fP\&.
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -227,7 +228,7 @@
.B \-W mode
This option specifies whether to check for non\-terminal wildcards. Non\-terminal
wildcards are almost always the result of a failure to understand the
-wildcard matching algorithm (\X'tty: link https://datatracker.ietf.org/doc/html/rfc4592.html'\fI\%RFC 4592\fP\X'tty: link'). Possible modes are \fBwarn\fP
+wildcard matching algorithm (\fBRFC 4592\fP \%). Possible modes are \fBwarn\fP
(the default) and \fBignore\fP\&.
.UNINDENT
.INDENT 0.0
@@ -246,11 +247,10 @@
and 0 otherwise.
.SH SEE ALSO
.sp
-\fI\%named(8)\fP, \fI\%named\-checkconf(8)\fP, \fI\%named\-compilezone(8)\fP, \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link', BIND 9 Administrator Reference
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBnamed\-checkconf(8)\fP \%<#\:std-iscman-named-checkconf>, \fBnamed\-compilezone(8)\fP \%<#\:std-iscman-named-compilezone>, \fBRFC 1035\fP \%, BIND 9 Administrator Reference
Manual.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named-compilezone.1in bind9-9.18.47/doc/man/named-compilezone.1in
--- bind9-9.18.44/doc/man/named-compilezone.1in 2026-01-09 13:46:03.361238115 +0000
+++ bind9-9.18.47/doc/man/named-compilezone.1in 2026-03-13 22:13:22.225612836 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -38,9 +39,9 @@
\fBnamed\-compilezone\fP checks the syntax and integrity of a zone file,
and dumps the zone contents to a specified file in a specified format.
It applies strict check levels by default, since the
-dump output is used as an actual zone file loaded by \fI\%named\fP\&.
+dump output is used as an actual zone file loaded by \fBnamed\fP \%<#\:std-iscman-named>\&.
When manually specified otherwise, the check levels must at least be as
-strict as those specified in the \fI\%named\fP configuration file.
+strict as those specified in the \fBnamed\fP \%<#\:std-iscman-named> configuration file.
.SH OPTIONS
.INDENT 0.0
.TP
@@ -61,20 +62,20 @@
.INDENT 0.0
.TP
.B \-v
-This option prints the version of the \fI\%named\-checkzone\fP program and exits.
+This option prints the version of the \fBnamed\-checkzone\fP \%<#\:std-iscman-named-checkzone> program and exits.
.UNINDENT
.INDENT 0.0
.TP
.B \-j
-When loading a zone file, this option tells \fI\%named\fP to read the journal if it exists. The journal
+When loading a zone file, this option tells \fBnamed\fP \%<#\:std-iscman-named> to read the journal if it exists. The journal
file name is assumed to be the zone file name with the
string \fB\&.jnl\fP appended.
.UNINDENT
.INDENT 0.0
.TP
.B \-J filename
-When loading the zone file, this option tells \fI\%named\fP to read the journal from the given file, if
-it exists. This implies \fI\%\-j\fP\&.
+When loading the zone file, this option tells \fBnamed\fP \%<#\:std-iscman-named> to read the journal from the given file, if
+it exists. This implies \fB\-j\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -119,14 +120,14 @@
.TP
.B \-F format
This option specifies the format of the output file specified. For
-\fI\%named\-checkzone\fP, this does not have any effect unless it dumps
+\fBnamed\-checkzone\fP \%<#\:std-iscman-named-checkzone>, this does not have any effect unless it dumps
the zone contents.
.sp
Possible formats are \fBtext\fP (the default), which is the standard
textual representation of the zone, and \fBraw\fP and \fBraw=N\fP, which
-store the zone in a binary format for rapid loading by \fI\%named\fP\&.
+store the zone in a binary format for rapid loading by \fBnamed\fP \%<#\:std-iscman-named>\&.
\fBraw=N\fP specifies the format version of the raw zone file: if \fBN\fP is
-0, the raw file can be read by any version of \fI\%named\fP; if N is 1, the
+0, the raw file can be read by any version of \fBnamed\fP \%<#\:std-iscman-named>; if N is 1, the
file can only be read by release 9.9.0 or higher. The default is 1.
.UNINDENT
.INDENT 0.0
@@ -140,7 +141,7 @@
.B \-l ttl
This option sets a maximum permissible TTL for the input file. Any record with a
TTL higher than this value causes the zone to be rejected. This
-is similar to using the \fBmax\-zone\-ttl\fP option in \fI\%named.conf\fP\&.
+is similar to using the \fBmax\-zone\-ttl\fP option in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -200,9 +201,9 @@
.INDENT 0.0
.TP
.B \-t directory
-This option tells \fI\%named\fP to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
+This option tells \fBnamed\fP \%<#\:std-iscman-named> to chroot to \fBdirectory\fP, so that \fBinclude\fP directives in the
configuration file are processed as if run by a similarly chrooted
-\fI\%named\fP\&.
+\fBnamed\fP \%<#\:std-iscman-named>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -214,9 +215,9 @@
.INDENT 0.0
.TP
.B \-w directory
-This option instructs \fI\%named\fP to chdir to \fBdirectory\fP, so that relative filenames in master file
+This option instructs \fBnamed\fP \%<#\:std-iscman-named> to chdir to \fBdirectory\fP, so that relative filenames in master file
\fB$INCLUDE\fP directives work. This is similar to the directory clause in
-\fI\%named.conf\fP\&.
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -229,7 +230,7 @@
.B \-W mode
This option specifies whether to check for non\-terminal wildcards. Non\-terminal
wildcards are almost always the result of a failure to understand the
-wildcard matching algorithm (\X'tty: link https://datatracker.ietf.org/doc/html/rfc4592.html'\fI\%RFC 4592\fP\X'tty: link'). Possible modes are \fBwarn\fP
+wildcard matching algorithm (\fBRFC 4592\fP \%). Possible modes are \fBwarn\fP
(the default) and \fBignore\fP\&.
.UNINDENT
.INDENT 0.0
@@ -248,11 +249,10 @@
and 0 otherwise.
.SH SEE ALSO
.sp
-\fI\%named(8)\fP, \fI\%named\-checkconf(8)\fP, \fI\%named\-checkzone(8)\fP, \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link',
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBnamed\-checkconf(8)\fP \%<#\:std-iscman-named-checkconf>, \fBnamed\-checkzone(8)\fP \%<#\:std-iscman-named-checkzone>, \fBRFC 1035\fP \%,
BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named-journalprint.1in bind9-9.18.47/doc/man/named-journalprint.1in
--- bind9-9.18.44/doc/man/named-journalprint.1in 2026-01-09 13:46:03.364238172 +0000
+++ bind9-9.18.47/doc/man/named-journalprint.1in 2026-03-13 22:13:22.228612908 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -39,8 +40,8 @@
printing it in a human\-readable form, or, optionally, converting it
to a different journal file format.
.sp
-Journal files are automatically created by \fI\%named\fP when changes are
-made to dynamic zones (e.g., by \fI\%nsupdate\fP). They record each addition
+Journal files are automatically created by \fBnamed\fP \%<#\:std-iscman-named> when changes are
+made to dynamic zones (e.g., by \fBnsupdate\fP \%<#\:std-iscman-nsupdate>). They record each addition
or deletion of a resource record, in binary format, allowing the changes
to be re\-applied to the zone when the server is restarted after a
shutdown or crash. By default, the name of the journal file is formed by
@@ -54,7 +55,7 @@
.sp
The \fB\-c\fP (compact) option provides a mechanism to reduce the size of
a journal by removing (most/all) transactions prior to the specified
-serial number. Note: this option \fImust not\fP be used while \fI\%named\fP is
+serial number. Note: this option \fImust not\fP be used while \fBnamed\fP \%<#\:std-iscman-named> is
running, and can cause data loss if the zone file has not been updated
to contain the data being removed from the journal. Use with extreme caution.
.sp
@@ -67,13 +68,12 @@
versions of BIND up to 9.16.11; \fB\-u\fP writes it out in the format used
by versions since 9.16.13. (9.16.12 is omitted due to a journal\-formatting
bug in that release.) Note that these options \fImust not\fP be used while
-\fI\%named\fP is running.
+\fBnamed\fP \%<#\:std-iscman-named> is running.
.SH SEE ALSO
.sp
-\fI\%named(8)\fP, \fI\%nsupdate(1)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBnsupdate(1)\fP \%<#\:std-iscman-nsupdate>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named-nzd2nzf.1in bind9-9.18.47/doc/man/named-nzd2nzf.1in
--- bind9-9.18.44/doc/man/named-nzd2nzf.1in 2026-01-09 13:46:03.365238191 +0000
+++ bind9-9.18.47/doc/man/named-nzd2nzf.1in 2026-03-13 22:13:22.232613003 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -37,7 +38,7 @@
.sp
\fBnamed\-nzd2nzf\fP converts an NZD database to NZF format and prints it
to standard output. This can be used to review the configuration of
-zones that were added to \fI\%named\fP via \fI\%rndc addzone\fP\&. It can also be
+zones that were added to \fBnamed\fP \%<#\:std-iscman-named> via \fBrndc addzone\fP \%<#\:cmdoption-rndc-arg-addzone>\&. It can also be
used to restore the old file format when rolling back from a newer
version of BIND to an older version.
.SH ARGUMENTS
@@ -49,9 +50,8 @@
.SH SEE ALSO
.sp
BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named-rrchecker.1in bind9-9.18.47/doc/man/named-rrchecker.1in
--- bind9-9.18.44/doc/man/named-rrchecker.1in 2026-01-09 13:46:03.379238459 +0000
+++ bind9-9.18.47/doc/man/named-rrchecker.1in 2026-03-13 22:13:22.306614766 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -55,9 +56,9 @@
Leading and trailing whitespace in each field is ignored.
.UNINDENT
.sp
-Format details can be found in \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html#section-5.1'\fI\%RFC 1035 Section 5.1\fP\X'tty: link' under \fB\fP
-specification. \X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link' format is also accepted in any of the input fields.
-See \fI\%Examples\fP\&.
+Format details can be found in \fBRFC 1035 Section 5.1\fP \% under \fB\fP
+specification. \fBRFC 3597\fP \% format is also accepted in any of the input fields.
+See Examples\&.
.SH OPTIONS
.INDENT 0.0
.TP
@@ -69,13 +70,13 @@
.TP
.B \-p
This option prints out the resulting record in canonical form. If there
-is no canonical form defined, the record is printed in \X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link' unknown
+is no canonical form defined, the record is printed in \fBRFC 3597\fP \% unknown
record format.
.UNINDENT
.INDENT 0.0
.TP
.B \-u
-This option prints out the resulting record in \X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link' unknown record
+This option prints out the resulting record in \fBRFC 3597\fP \% unknown record
format.
.UNINDENT
.INDENT 0.0
@@ -98,7 +99,7 @@
.B echo \-n \(aqIN A 192.0.2.1\(aq | named\-rrchecker
.INDENT 7.0
.IP \(bu 2
-Valid input is in \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link' format with no newline at the end of the input.
+Valid input is in \fBRFC 1035\fP \% format with no newline at the end of the input.
.IP \(bu 2
Return code 0.
.UNINDENT
@@ -148,7 +149,7 @@
.UNINDENT
.SS Special characters
.sp
-Special characters allowed in zone files by \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html#section-5.1'\fI\%RFC 1035 Section 5.1\fP\X'tty: link' are accepted.
+Special characters allowed in zone files by \fBRFC 1035 Section 5.1\fP \% are accepted.
.INDENT 0.0
.TP
.B echo \(aqIN CNAME t\e097r\eget\e.\(aq | named\-rrchecker \-p \-o origin.test
@@ -211,7 +212,7 @@
.IP \(bu 2
Output: \fBIN TXT \(dqtwo\(dq \(dqwords\(dq\fP
.IP \(bu 2
-Two unquoted words in the input are treated as two \fI\fPs per \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html#section-3.3.14'\fI\%RFC 1035 Section 3.3.14\fP\X'tty: link'\&.
+Two unquoted words in the input are treated as two \fI\fPs per \fBRFC 1035 Section 3.3.14\fP \%\&.
.IP \(bu 2
Trailing whitespace is omitted from the last \fI\fP\&.
.UNINDENT
@@ -272,7 +273,7 @@
.INDENT 7.0
.IP \(bu 2
Valid HTTPS record with individual sub\-fields split across multiple lines
-using \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html#section-5.1'\fI\%RFC 1035 Section 5.1\fP\X'tty: link' parentheses syntax to group data that crosses
+using \fBRFC 1035 Section 5.1\fP \% parentheses syntax to group data that crosses
a line boundary.
.IP \(bu 2
Note the missing whitespace between the closing parenthesis and adjacent tokens.
@@ -286,31 +287,31 @@
.B echo \(aqIN A 192.0.2.1\(aq | named\-rrchecker \-u
.INDENT 7.0
.IP \(bu 2
-Valid input in \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link' format.
+Valid input in \fBRFC 1035\fP \% format.
.IP \(bu 2
-Output in \X'tty: link https://datatracker.ietf.org/doc/html/rfc3957.html'\fI\%RFC 3957\fP\X'tty: link' format: \fBCLASS1 TYPE1 \e# 4 C0000201\fP
+Output in \fBRFC 3957\fP \% format: \fBCLASS1 TYPE1 \e# 4 C0000201\fP
.UNINDENT
.TP
.B echo \(aqCLASS1 TYPE1 \e# 4 C0000201\(aq | named\-rrchecker \-p
.INDENT 7.0
.IP \(bu 2
-Valid input in \X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link' format.
+Valid input in \fBRFC 3597\fP \% format.
.IP \(bu 2
-Output in \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link' format: \fBIN A 192.0.2.1\fP
+Output in \fBRFC 1035\fP \% format: \fBIN A 192.0.2.1\fP
.UNINDENT
.TP
.B echo \(aqIN A \e# 4 C0000201\(aq | named\-rrchecker \-p
.INDENT 7.0
.IP \(bu 2
-Valid input with class and type in \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link' format and rdata in \X'tty: link https://datatracker.ietf.org/doc/html/rfc3597.html'\fI\%RFC 3597\fP\X'tty: link' format.
+Valid input with class and type in \fBRFC 1035\fP \% format and rdata in \fBRFC 3597\fP \% format.
.IP \(bu 2
-Output in \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link' format: \fBIN A 192.0.2.1\fP
+Output in \fBRFC 1035\fP \% format: \fBIN A 192.0.2.1\fP
.UNINDENT
.TP
.B echo \(aqIN HTTPS 1 . key3=\e001\e000\(aq | named\-rrchecker \-p
.INDENT 7.0
.IP \(bu 2
-Valid input with \X'tty: link https://datatracker.ietf.org/doc/html/rfc9460.html'\fI\%RFC 9460\fP\X'tty: link' syntax for an unknown \fIkey3\fP field. Syntax \fB\e001\e000\fP produces two octets with values 1 and 0, respectively.
+Valid input with \fBRFC 9460\fP \% syntax for an unknown \fIkey3\fP field. Syntax \fB\e001\e000\fP produces two octets with values 1 and 0, respectively.
.IP \(bu 2
Output: \fBIN HTTPS 1 . port=256\fP
.IP \(bu 2
@@ -364,10 +365,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc1034.html'\fI\%RFC 1034\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc3957.html'\fI\%RFC 3957\fP\X'tty: link', \fI\%named(8)\fP\&.
-.SH AUTHOR
+\fBRFC 1034\fP \%, \fBRFC 1035\fP \%, \fBRFC 3957\fP \%, \fBnamed(8)\fP \%<#\:std-iscman-named>\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named.8in bind9-9.18.47/doc/man/named.8in
--- bind9-9.18.44/doc/man/named.8in 2026-01-09 13:46:03.391238689 +0000
+++ bind9-9.18.47/doc/man/named.8in 2026-03-13 22:13:22.318615051 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,8 +37,8 @@
.SH DESCRIPTION
.sp
\fBnamed\fP is a Domain Name System (DNS) server, part of the BIND 9
-distribution from ISC. For more information on the DNS, see \X'tty: link https://datatracker.ietf.org/doc/html/rfc1033.html'\fI\%RFC 1033\fP\X'tty: link',
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc1034.html'\fI\%RFC 1034\fP\X'tty: link', and \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link'\&.
+distribution from ISC. For more information on the DNS, see \fBRFC 1033\fP \%,
+\fBRFC 1034\fP \%, and \fBRFC 1035\fP \%\&.
.sp
When invoked without arguments, \fBnamed\fP reads the default
configuration file \fB@sysconfdir@/named.conf\fP, reads any initial data, and
@@ -46,14 +47,14 @@
.INDENT 0.0
.TP
.B \-4
-This option tells \fBnamed\fP to use only IPv4, even if the host machine is capable of IPv6. \fI\%\-4\fP and
-\fI\%\-6\fP are mutually exclusive.
+This option tells \fBnamed\fP to use only IPv4, even if the host machine is capable of IPv6. \fB\-4\fP and
+\fB\-6\fP are mutually exclusive.
.UNINDENT
.INDENT 0.0
.TP
.B \-6
-This option tells \fBnamed\fP to use only IPv6, even if the host machine is capable of IPv4. \fI\%\-4\fP and
-\fI\%\-6\fP are mutually exclusive.
+This option tells \fBnamed\fP to use only IPv6, even if the host machine is capable of IPv4. \fB\-4\fP and
+\fB\-6\fP are mutually exclusive.
.UNINDENT
.INDENT 0.0
.TP
@@ -70,7 +71,7 @@
This option prints out the default built\-in configuration and exits.
.sp
NOTE: This is for debugging purposes only and is not an
-accurate representation of the actual configuration used by \fI\%named\fP
+accurate representation of the actual configuration used by \fBnamed\fP
at runtime.
.UNINDENT
.INDENT 0.0
@@ -162,7 +163,7 @@
This option writes memory usage statistics to \fBstdout\fP on exit.
.UNINDENT
.sp
-\fBNOTE:\fP
+\fBNote:\fP
.INDENT 0.0
.INDENT 3.5
This option is mainly of interest to BIND 9 developers and may be
@@ -175,7 +176,7 @@
This option is deprecated and no longer has any function.
.UNINDENT
.sp
-\fBWARNING:\fP
+\fBWarning:\fP
.INDENT 0.0
.INDENT 3.5
This option should be unnecessary for the vast majority of users.
@@ -196,10 +197,10 @@
before reading the configuration file.
.UNINDENT
.sp
-\fBWARNING:\fP
+\fBWarning:\fP
.INDENT 0.0
.INDENT 3.5
-This option should be used in conjunction with the \fI\%\-u\fP option,
+This option should be used in conjunction with the \fB\-u\fP option,
as chrooting a process running as root doesn\(aqt enhance security on
most systems; the way \fBchroot\fP is defined allows a process
with root privileges to escape a chroot jail.
@@ -216,10 +217,10 @@
one for machines with more than 1 CPU.
.sp
This cannot be increased to a value higher than the number of CPUs
-(see \fI\%\-n\fP on how to override the value).
+(see \fB\-n\fP on how to override the value).
.UNINDENT
.sp
-\fBWARNING:\fP
+\fBWarning:\fP
.INDENT 0.0
.INDENT 3.5
This option should be unnecessary for the vast majority of users,
@@ -233,13 +234,13 @@
creating sockets that listen on privileged ports.
.UNINDENT
.sp
-\fBNOTE:\fP
+\fBNote:\fP
.INDENT 0.0
.INDENT 3.5
On Linux, \fBnamed\fP uses the kernel\(aqs capability mechanism to drop
all root privileges except the ability to \fBbind\fP to a
privileged port and set process resource limits. Unfortunately,
-this means that the \fI\%\-u\fP option only works when \fBnamed\fP is run
+this means that the \fB\-u\fP option only works when \fBnamed\fP is run
on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since
previous kernels did not allow privileges to be retained after
\fBsetuid\fP\&.
@@ -262,12 +263,12 @@
This option acquires a lock on the specified file at runtime; this helps to
prevent duplicate \fBnamed\fP instances from running simultaneously.
Use of this option overrides the \fBlock\-file\fP option in
-\fI\%named.conf\fP\&. If set to \fBnone\fP, the lock file check is disabled.
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&. If set to \fBnone\fP, the lock file check is disabled.
.UNINDENT
.SH SIGNALS
.sp
In routine operation, signals should not be used to control the
-nameserver; \fI\%rndc\fP should be used instead.
+nameserver; \fBrndc\fP \%<#\:std-iscman-rndc> should be used instead.
.INDENT 0.0
.TP
.B SIGHUP
@@ -299,10 +300,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc1033.html'\fI\%RFC 1033\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1034.html'\fI\%RFC 1034\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1035.html'\fI\%RFC 1035\fP\X'tty: link', \fI\%named\-checkconf(8)\fP, \fI\%named\-checkzone(8)\fP, \fI\%rndc(8)\fP, \fI\%named.conf(5)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBRFC 1033\fP \%, \fBRFC 1034\fP \%, \fBRFC 1035\fP \%, \fBnamed\-checkconf(8)\fP \%<#\:std-iscman-named-checkconf>, \fBnamed\-checkzone(8)\fP \%<#\:std-iscman-named-checkzone>, \fBrndc(8)\fP \%<#\:std-iscman-rndc>, \fBnamed.conf(5)\fP \%<#\:std-iscman-named\:.conf>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/named.conf.5in bind9-9.18.47/doc/man/named.conf.5in
--- bind9-9.18.44/doc/man/named.conf.5in 2026-01-09 13:46:03.382238517 +0000
+++ bind9-9.18.47/doc/man/named.conf.5in 2026-03-13 22:13:22.309614837 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -35,7 +36,7 @@
\fBnamed.conf\fP
.SH DESCRIPTION
.sp
-\fBnamed.conf\fP is the configuration file for \fI\%named\fP\&.
+\fBnamed.conf\fP is the configuration file for \fBnamed\fP \%<#\:std-iscman-named>\&.
.sp
For complete documentation about the configuration statements, please refer to
the Configuration Reference section in the BIND 9 Administrator Reference
@@ -1002,10 +1003,9 @@
\fB@sysconfdir@/named.conf\fP
.SH SEE ALSO
.sp
-\fI\%named(8)\fP, \fI\%named\-checkconf(8)\fP, \fI\%rndc(8)\fP, \fI\%rndc\-confgen(8)\fP, \fI\%tsig\-keygen(8)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBnamed\-checkconf(8)\fP \%<#\:std-iscman-named-checkconf>, \fBrndc(8)\fP \%<#\:std-iscman-rndc>, \fBrndc\-confgen(8)\fP \%<#\:std-iscman-rndc-confgen>, \fBtsig\-keygen(8)\fP \%<#\:std-iscman-tsig-keygen>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/nsec3hash.1in bind9-9.18.47/doc/man/nsec3hash.1in
--- bind9-9.18.44/doc/man/nsec3hash.1in 2026-01-09 13:46:03.393238727 +0000
+++ bind9-9.18.47/doc/man/nsec3hash.1in 2026-03-13 22:13:22.320615099 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -77,10 +78,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-BIND 9 Administrator Reference Manual, \X'tty: link https://datatracker.ietf.org/doc/html/rfc5155.html'\fI\%RFC 5155\fP\X'tty: link'\&.
-.SH AUTHOR
+BIND 9 Administrator Reference Manual, \fBRFC 5155\fP \%\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/nslookup.1in bind9-9.18.47/doc/man/nslookup.1in
--- bind9-9.18.44/doc/man/nslookup.1in 2026-01-09 13:46:03.399238842 +0000
+++ bind9-9.18.47/doc/man/nslookup.1in 2026-03-13 22:13:22.328615290 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -75,9 +76,9 @@
.INDENT 0.0
.TP
.B \fBhost [server]\fP
-This command looks up information for \fI\%host\fP using the current default server or
-using \fBserver\fP, if specified. If \fI\%host\fP is an Internet address and the
-query type is A or PTR, the name of the host is returned. If \fI\%host\fP is
+This command looks up information for \fBhost\fP \%<#\:std-iscman-host> using the current default server or
+using \fBserver\fP, if specified. If \fBhost\fP \%<#\:std-iscman-host> is an Internet address and the
+query type is A or PTR, the name of the host is returned. If \fBhost\fP \%<#\:std-iscman-host> is
a name and does not have a trailing period (\fB\&.\fP), the search list is used
to qualify the name.
.sp
@@ -214,10 +215,9 @@
\fB/etc/resolv.conf\fP
.SH SEE ALSO
.sp
-\fI\%dig(1)\fP, \fI\%host(1)\fP, \fI\%named(8)\fP\&.
-.SH AUTHOR
+\fBdig(1)\fP \%<#\:std-iscman-dig>, \fBhost(1)\fP \%<#\:std-iscman-host>, \fBnamed(8)\fP \%<#\:std-iscman-named>\&.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/nsupdate.1in bind9-9.18.47/doc/man/nsupdate.1in
--- bind9-9.18.44/doc/man/nsupdate.1in 2026-01-09 13:46:03.414239129 +0000
+++ bind9-9.18.47/doc/man/nsupdate.1in 2026-03-13 22:13:22.341615599 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,7 +37,7 @@
.SH DESCRIPTION
.sp
\fBnsupdate\fP is used to submit Dynamic DNS Update requests, as defined in
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc2136.html'\fI\%RFC 2136\fP\X'tty: link', to a name server. This allows resource records to be added or
+\fBRFC 2136\fP \%, to a name server. This allows resource records to be added or
removed from a zone without manually editing the zone file. A single
update request can contain requests to add or remove more than one
resource record.
@@ -51,25 +52,25 @@
zone\(aqs SOA record.
.sp
Transaction signatures can be used to authenticate the Dynamic DNS
-updates. These use the TSIG resource record type described in \X'tty: link https://datatracker.ietf.org/doc/html/rfc2845.html'\fI\%RFC 2845\fP\X'tty: link',
-the SIG(0) record described in \X'tty: link https://datatracker.ietf.org/doc/html/rfc2535.html'\fI\%RFC 2535\fP\X'tty: link' and \X'tty: link https://datatracker.ietf.org/doc/html/rfc2931.html'\fI\%RFC 2931\fP\X'tty: link', or GSS\-TSIG as
-described in \X'tty: link https://datatracker.ietf.org/doc/html/rfc3645.html'\fI\%RFC 3645\fP\X'tty: link'\&.
+updates. These use the TSIG resource record type described in \fBRFC 2845\fP \%,
+the SIG(0) record described in \fBRFC 2535\fP \% and \fBRFC 2931\fP \%, or GSS\-TSIG as
+described in \fBRFC 3645\fP \%\&.
.sp
TSIG relies on a shared secret that should only be known to \fBnsupdate\fP
and the name server. For instance, suitable \fBkey\fP and \fBserver\fP
statements are added to \fB@sysconfdir@/named.conf\fP so that the name server
can associate the appropriate secret key and algorithm with the IP
address of the client application that is using TSIG
-authentication. \fI\%ddns\-confgen\fP can generate suitable
-configuration fragments. \fBnsupdate\fP uses the \fI\%\-y\fP or \fI\%\-k\fP options
+authentication. \fBddns\-confgen\fP \%<#\:std-iscman-ddns-confgen> can generate suitable
+configuration fragments. \fBnsupdate\fP uses the \fB\-y\fP or \fB\-k\fP options
to provide the TSIG shared secret; these options are mutually exclusive.
.sp
SIG(0) uses public key cryptography. To use a SIG(0) key, the public key
must be stored in a KEY record in a zone served by the name server.
.sp
GSS\-TSIG uses Kerberos credentials. Standard GSS\-TSIG mode is switched
-on with the \fI\%\-g\fP flag. A non\-standards\-compliant variant of GSS\-TSIG
-used by Windows 2000 can be switched on with the \fI\%\-o\fP flag.
+on with the \fB\-g\fP flag. A non\-standards\-compliant variant of GSS\-TSIG
+used by Windows 2000 can be switched on with the \fB\-o\fP flag.
.SH OPTIONS
.INDENT 0.0
.TP
@@ -111,12 +112,12 @@
.TP
.B \-k keyfile
This option indicates the file containing the TSIG authentication key. Keyfiles may be in
-two formats: a single file containing a \fI\%named.conf\fP\-format \fBkey\fP
-statement, which may be generated automatically by \fI\%ddns\-confgen\fP;
+two formats: a single file containing a \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\-format \fBkey\fP
+statement, which may be generated automatically by \fBddns\-confgen\fP \%<#\:std-iscman-ddns-confgen>;
or a pair of files whose names are of the format
\fBK{name}.+157.+{random}.key\fP and
\fBK{name}.+157.+{random}.private\fP, which can be generated by
-\fI\%dnssec\-keygen\fP\&. The \fI\%\-k\fP option can also be used to specify a SIG(0)
+\fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>\&. The \fB\-k\fP option can also be used to specify a SIG(0)
key used to authenticate Dynamic DNS update requests. In this case,
the key specified is not an HMAC\-MD5 key.
.UNINDENT
@@ -127,9 +128,9 @@
(disabling the \fBserver\fP so that the server address cannot be
overridden). Connections to the local server use a TSIG key
found in \fB@runstatedir@/session.key\fP, which is automatically
-generated by \fI\%named\fP if any local \fBprimary\fP zone has set
+generated by \fBnamed\fP \%<#\:std-iscman-named> if any local \fBprimary\fP zone has set
\fBupdate\-policy\fP to \fBlocal\fP\&. The location of this key file can be
-overridden with the \fI\%\-k\fP option.
+overridden with the \fB\-k\fP option.
.UNINDENT
.INDENT 0.0
.TP
@@ -152,7 +153,7 @@
.TP
.B \-P
This option prints the list of private BIND\-specific resource record types whose
-format is understood by \fBnsupdate\fP\&. See also the \fI\%\-T\fP option.
+format is understood by \fBnsupdate\fP\&. See also the \fB\-T\fP option.
.UNINDENT
.INDENT 0.0
.TP
@@ -165,17 +166,17 @@
.B \-t timeout
This option sets the maximum time an update request can take before it is aborted. The
default is 300 seconds. If zero, the timeout is disabled for TCP mode. For UDP mode,
-the option \fI\%\-u\fP takes precedence over this option, unless the option \fI\%\-u\fP
-is set to zero, in which case the interval is computed from the \fI\%\-t\fP timeout interval
+the option \fB\-u\fP takes precedence over this option, unless the option \fB\-u\fP
+is set to zero, in which case the interval is computed from the \fB\-t\fP timeout interval
and the number of UDP retries. For UDP mode, the timeout can not be disabled, and will
-be rounded up to 1 second in case if both \fI\%\-t\fP and \fI\%\-u\fP are set to zero.
+be rounded up to 1 second in case if both \fB\-t\fP and \fB\-u\fP are set to zero.
.UNINDENT
.INDENT 0.0
.TP
.B \-T
This option prints the list of IANA standard resource record types whose format is
understood by \fBnsupdate\fP\&. \fBnsupdate\fP exits after the lists
-are printed. The \fI\%\-T\fP option can be combined with the \fI\%\-P\fP
+are printed. The \fB\-T\fP option can be combined with the \fB\-P\fP
option.
.sp
Other types can be entered using \fBTYPEXXXXX\fP where \fBXXXXX\fP is the
@@ -213,7 +214,7 @@
\fBhmac\-sha512\fP\&. If \fBhmac\fP is not specified, the default is
\fBhmac\-md5\fP, or if MD5 was disabled, \fBhmac\-sha256\fP\&.
.sp
-NOTE: Use of the \fI\%\-y\fP option is discouraged because the shared
+NOTE: Use of the \fB\-y\fP option is discouraged because the shared
secret is supplied as a command\-line argument in clear text. This may
be visible in the output from ps1 or in a history file maintained by
the user\(aqs shell.
@@ -248,7 +249,7 @@
update requests are sent. If no port number is specified, the default
DNS port number of 53 is used.
.sp
-\fBNOTE:\fP
+\fBNote:\fP
.INDENT 7.0
.INDENT 3.5
This command has no effect when GSS\-TSIG is in use.
@@ -280,15 +281,15 @@
\fBkeyname\fP\-\fBsecret\fP pair. If \fBhmac\fP is specified, it sets
the signing algorithm in use. The default is \fBhmac\-md5\fP; if MD5
was disabled, the default is \fBhmac\-sha256\fP\&. The \fBkey\fP command overrides any key
-specified on the command line via \fI\%\-y\fP or \fI\%\-k\fP\&.
+specified on the command line via \fB\-y\fP or \fB\-k\fP\&.
.TP
.B \fBgsstsig\fP
This command uses GSS\-TSIG to sign the updates. This is equivalent to specifying
-\fI\%\-g\fP on the command line.
+\fB\-g\fP on the command line.
.TP
.B \fBoldgsstsig\fP
This command uses the Windows 2000 version of GSS\-TSIG to sign the updates. This is
-equivalent to specifying \fI\%\-o\fP on the command line.
+equivalent to specifying \fB\-o\fP on the command line.
.TP
.B \fBrealm [realm_name]\fP
When using GSS\-TSIG, this command specifies the use of \fBrealm_name\fP rather than the default realm
@@ -397,9 +398,9 @@
no resource records of any type for \fBnickname.example.com\fP\&. If there
are, the update request fails. If this name does not exist, a CNAME for
it is added. This ensures that when the CNAME is added, it cannot
-conflict with the long\-standing rule in \X'tty: link https://datatracker.ietf.org/doc/html/rfc1034.html'\fI\%RFC 1034\fP\X'tty: link' that a name must not
+conflict with the long\-standing rule in \fBRFC 1034\fP \% that a name must not
exist as any other record type if it exists as a CNAME. (The rule has
-been updated for DNSSEC in \X'tty: link https://datatracker.ietf.org/doc/html/rfc2535.html'\fI\%RFC 2535\fP\X'tty: link' to allow CNAMEs to have RRSIG,
+been updated for DNSSEC in \fBRFC 2535\fP \% to allow CNAMEs to have RRSIG,
DNSKEY, and NSEC records.)
.SH FILES
.INDENT 0.0
@@ -411,23 +412,22 @@
Sets the default TSIG key for use in local\-only mode
.TP
.B \fBK{name}.+157.+{random}.key\fP
-Base\-64 encoding of the HMAC\-MD5 key created by \fI\%dnssec\-keygen\fP\&.
+Base\-64 encoding of the HMAC\-MD5 key created by \fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>\&.
.TP
.B \fBK{name}.+157.+{random}.private\fP
-Base\-64 encoding of the HMAC\-MD5 key created by \fI\%dnssec\-keygen\fP\&.
+Base\-64 encoding of the HMAC\-MD5 key created by \fBdnssec\-keygen\fP \%<#\:std-iscman-dnssec-keygen>\&.
.UNINDENT
.SH SEE ALSO
.sp
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc2136.html'\fI\%RFC 2136\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc3007.html'\fI\%RFC 3007\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc2104.html'\fI\%RFC 2104\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc2845.html'\fI\%RFC 2845\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc1034.html'\fI\%RFC 1034\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc2535.html'\fI\%RFC 2535\fP\X'tty: link', \X'tty: link https://datatracker.ietf.org/doc/html/rfc2931.html'\fI\%RFC 2931\fP\X'tty: link',
-\fI\%named(8)\fP, \fI\%dnssec\-keygen(8)\fP, \fI\%tsig\-keygen(8)\fP\&.
+\fBRFC 2136\fP \%, \fBRFC 3007\fP \%, \fBRFC 2104\fP \%, \fBRFC 2845\fP \%, \fBRFC 1034\fP \%, \fBRFC 2535\fP \%, \fBRFC 2931\fP \%,
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBdnssec\-keygen(8)\fP \%<#\:std-iscman-dnssec-keygen>, \fBtsig\-keygen(8)\fP \%<#\:std-iscman-tsig-keygen>\&.
.SH BUGS
.sp
The TSIG key is redundantly stored in two separate files. This is a
consequence of \fBnsupdate\fP using the DST library for its cryptographic
operations, and may change in future releases.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/rndc-confgen.8in bind9-9.18.47/doc/man/rndc-confgen.8in
--- bind9-9.18.44/doc/man/rndc-confgen.8in 2026-01-09 13:46:03.420239244 +0000
+++ bind9-9.18.47/doc/man/rndc-confgen.8in 2026-03-13 22:13:22.346615718 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -35,26 +36,26 @@
\fBrndc\-confgen\fP [\fB\-a\fP] [\fB\-A\fP algorithm] [\fB\-b\fP keysize] [\fB\-c\fP keyfile] [\fB\-h\fP] [\fB\-k\fP keyname] [\fB\-p\fP port] [\fB\-s\fP address] [\fB\-t\fP chrootdir] [\fB\-u\fP user]
.SH DESCRIPTION
.sp
-\fBrndc\-confgen\fP generates configuration files for \fI\%rndc\fP\&. It can be
-used as a convenient alternative to writing the \fI\%rndc.conf\fP file and
-the corresponding \fBcontrols\fP and \fBkey\fP statements in \fI\%named.conf\fP
-by hand. Alternatively, it can be run with the \fI\%\-a\fP option to set up a
-\fBrndc.key\fP file and avoid the need for a \fI\%rndc.conf\fP file and a
+\fBrndc\-confgen\fP generates configuration files for \fBrndc\fP \%<#\:std-iscman-rndc>\&. It can be
+used as a convenient alternative to writing the \fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> file and
+the corresponding \fBcontrols\fP and \fBkey\fP statements in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>
+by hand. Alternatively, it can be run with the \fB\-a\fP option to set up a
+\fBrndc.key\fP file and avoid the need for a \fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> file and a
\fBcontrols\fP statement altogether.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-a
-This option sets automatic \fI\%rndc\fP configuration, which creates a file
-\fB@sysconfdir@/rndc.key\fP that is read by both \fI\%rndc\fP and \fI\%named\fP on startup.
+This option sets automatic \fBrndc\fP \%<#\:std-iscman-rndc> configuration, which creates a file
+\fB@sysconfdir@/rndc.key\fP that is read by both \fBrndc\fP \%<#\:std-iscman-rndc> and \fBnamed\fP \%<#\:std-iscman-named> on startup.
The \fBrndc.key\fP file defines a default command channel and
-authentication key allowing \fI\%rndc\fP to communicate with \fI\%named\fP on
+authentication key allowing \fBrndc\fP \%<#\:std-iscman-rndc> to communicate with \fBnamed\fP \%<#\:std-iscman-named> on
the local host with no further configuration.
.sp
If a more elaborate configuration than that generated by
-\fI\%rndc\-confgen \-a\fP is required, for example if rndc is to be used
-remotely, run \fBrndc\-confgen\fP without the \fI\%\-a\fP option
-and set up \fI\%rndc.conf\fP and \fI\%named.conf\fP as directed.
+\fBrndc\-confgen \-a\fP is required, for example if rndc is to be used
+remotely, run \fBrndc\-confgen\fP without the \fB\-a\fP option
+and set up \fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> and \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> as directed.
.UNINDENT
.INDENT 0.0
.TP
@@ -72,7 +73,7 @@
.INDENT 0.0
.TP
.B \-c keyfile
-This option is used with the \fI\%\-a\fP option to specify an alternate location for
+This option is used with the \fB\-a\fP option to specify an alternate location for
\fBrndc.key\fP\&.
.UNINDENT
.INDENT 0.0
@@ -84,14 +85,14 @@
.INDENT 0.0
.TP
.B \-k keyname
-This option specifies the key name of the \fI\%rndc\fP authentication key. This must be a
+This option specifies the key name of the \fBrndc\fP \%<#\:std-iscman-rndc> authentication key. This must be a
valid domain name. The default is \fBrndc\-key\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-p port
-This option specifies the command channel port where \fI\%named\fP listens for
-connections from \fI\%rndc\fP\&. The default is 953.
+This option specifies the command channel port where \fBnamed\fP \%<#\:std-iscman-named> listens for
+connections from \fBrndc\fP \%<#\:std-iscman-rndc>\&. The default is 953.
.UNINDENT
.INDENT 0.0
.TP
@@ -101,41 +102,40 @@
.INDENT 0.0
.TP
.B \-s address
-This option specifies the IP address where \fI\%named\fP listens for command\-channel
-connections from \fI\%rndc\fP\&. The default is the loopback address
+This option specifies the IP address where \fBnamed\fP \%<#\:std-iscman-named> listens for command\-channel
+connections from \fBrndc\fP \%<#\:std-iscman-rndc>\&. The default is the loopback address
127.0.0.1.
.UNINDENT
.INDENT 0.0
.TP
.B \-t chrootdir
-This option is used with the \fI\%\-a\fP option to specify a directory where \fI\%named\fP
+This option is used with the \fB\-a\fP option to specify a directory where \fBnamed\fP \%<#\:std-iscman-named>
runs chrooted. An additional copy of the \fBrndc.key\fP is
written relative to this directory, so that it is found by the
-chrooted \fI\%named\fP\&.
+chrooted \fBnamed\fP \%<#\:std-iscman-named>\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-u user
-This option is used with the \fI\%\-a\fP option to set the owner of the generated \fBrndc.key\fP file.
-If \fI\%\-t\fP is also specified, only the file in the chroot
+This option is used with the \fB\-a\fP option to set the owner of the generated \fBrndc.key\fP file.
+If \fB\-t\fP is also specified, only the file in the chroot
area has its owner changed.
.UNINDENT
.SH EXAMPLES
.sp
-To allow \fI\%rndc\fP to be used with no manual configuration, run:
+To allow \fBrndc\fP \%<#\:std-iscman-rndc> to be used with no manual configuration, run:
.sp
\fBrndc\-confgen \-a\fP
.sp
-To print a sample \fI\%rndc.conf\fP file and the corresponding \fBcontrols\fP and
-\fBkey\fP statements to be manually inserted into \fI\%named.conf\fP, run:
+To print a sample \fBrndc.conf\fP \%<#\:std-iscman-rndc\:.conf> file and the corresponding \fBcontrols\fP and
+\fBkey\fP statements to be manually inserted into \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>, run:
.sp
\fBrndc\-confgen\fP
.SH SEE ALSO
.sp
-\fI\%rndc(8)\fP, \fI\%rndc.conf(5)\fP, \fI\%named(8)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBrndc(8)\fP \%<#\:std-iscman-rndc>, \fBrndc.conf(5)\fP \%<#\:std-iscman-rndc\:.conf>, \fBnamed(8)\fP \%<#\:std-iscman-named>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/rndc.8in bind9-9.18.47/doc/man/rndc.8in
--- bind9-9.18.44/doc/man/rndc.8in 2026-01-09 13:46:03.445239723 +0000
+++ bind9-9.18.47/doc/man/rndc.8in 2026-03-13 22:13:22.371616314 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -42,7 +43,7 @@
.sp
\fBrndc\fP communicates with the name server over a TCP connection,
sending commands authenticated with digital signatures. In the current
-versions of \fBrndc\fP and \fI\%named\fP, the only supported authentication
+versions of \fBrndc\fP and \fBnamed\fP \%<#\:std-iscman-named>, the only supported authentication
algorithms are HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224,
HMAC\-SHA256 (default), HMAC\-SHA384, and HMAC\-SHA512. They use a shared
secret on each end of the connection, which provides TSIG\-style
@@ -108,7 +109,7 @@
.INDENT 0.0
.TP
.B \-r
-This option instructs \fBrndc\fP to print the result code returned by \fI\%named\fP
+This option instructs \fBrndc\fP to print the result code returned by \fBnamed\fP \%<#\:std-iscman-named>
after executing the requested command (e.g., ISC_R_SUCCESS,
ISC_R_FAILURE, etc.).
.UNINDENT
@@ -121,7 +122,7 @@
.TP
.B \-y server_key
This option indicates use of the key \fBserver_key\fP from the configuration file. For control message validation to succeed, \fBserver_key\fP must be known
-by \fI\%named\fP with the same algorithm and secret string. If no \fBserver_key\fP is specified,
+by \fBnamed\fP \%<#\:std-iscman-named> with the same algorithm and secret string. If no \fBserver_key\fP is specified,
\fBrndc\fP first looks for a key clause in the server statement of
the server being used, or if no server statement is present for that
host, then in the default\-key clause of the options statement. Note that
@@ -141,14 +142,14 @@
This command adds a zone while the server is running. This command
requires the \fBallow\-new\-zones\fP option to be set to \fByes\fP\&. The
configuration string specified on the command line is the zone
-configuration text that would ordinarily be placed in \fI\%named.conf\fP\&.
+configuration text that would ordinarily be placed in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.sp
The configuration is saved in a file called \fBviewname.nzf\fP (or, if
-\fI\%named\fP is compiled with liblmdb, an LMDB database file called
+\fBnamed\fP \%<#\:std-iscman-named> is compiled with liblmdb, an LMDB database file called
\fBviewname.nzd\fP). \fBviewname\fP is the name of the view, unless the view
name contains characters that are incompatible with use as a file
name, in which case a cryptographic hash of the view name is used
-instead. When \fI\%named\fP is restarted, the file is loaded into
+instead. When \fBnamed\fP \%<#\:std-iscman-named> is restarted, the file is loaded into
the view configuration so that zones that were added can persist
after a restart.
.sp
@@ -160,7 +161,7 @@
(Note the brackets around and semi\-colon after the zone configuration
text.)
.sp
-See also \fI\%rndc delzone\fP and \fI\%rndc modzone\fP\&.
+See also \fBrndc delzone\fP and \fBrndc modzone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -175,12 +176,12 @@
.sp
If the zone was originally added via \fBrndc addzone\fP, then it is
removed permanently. However, if it was originally configured in
-\fI\%named.conf\fP, then that original configuration remains in place;
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>, then that original configuration remains in place;
when the server is restarted or reconfigured, the zone is
recreated. To remove it permanently, it must also be removed from
-\fI\%named.conf\fP\&.
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.sp
-See also \fI\%rndc addzone\fP and \fI\%rndc modzone\fP\&.
+See also \fBrndc addzone\fP and \fBrndc modzone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -194,7 +195,7 @@
\fBrndc dnssec \-rollover\fP allows you to schedule key rollover for a
specific key (overriding the original key lifetime).
.sp
-\fBrndc dnssec \-checkds\fP informs \fI\%named\fP that the DS for
+\fBrndc dnssec \-checkds\fP informs \fBnamed\fP \%<#\:std-iscman-named> that the DS for
a specified zone\(aqs key\-signing key has been confirmed to be published
in, or withdrawn from, the parent zone. This is required in order to
complete a KSK rollover. The \fB\-key id\fP and \fB\-alg algorithm\fP arguments
@@ -211,7 +212,7 @@
This command closes and re\-opens DNSTAP output files.
.sp
\fBrndc dnstap \-reopen\fP allows
-the output file to be renamed externally, so that \fI\%named\fP can
+the output file to be renamed externally, so that \fBnamed\fP \%<#\:std-iscman-named> can
truncate and re\-open it.
.sp
\fBrndc dnstap \-roll\fP causes the output file
@@ -255,7 +256,7 @@
journal file to be synced into the master file. All dynamic update
attempts are refused while the zone is frozen.
.sp
-See also \fI\%rndc thaw\fP\&.
+See also \fBrndc thaw\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -263,18 +264,18 @@
This command stops the server immediately. Recent changes made through dynamic
update or IXFR are not saved to the master files, but are rolled
forward from the journal files when the server is restarted. If
-\fB\-p\fP is specified, \fI\%named\fP\(aqs process ID is returned. This allows
-an external process to determine when \fI\%named\fP has completed
+\fB\-p\fP is specified, \fBnamed\fP \%<#\:std-iscman-named>\(aqs process ID is returned. This allows
+an external process to determine when \fBnamed\fP \%<#\:std-iscman-named> has completed
halting.
.sp
-See also \fI\%rndc stop\fP\&.
+See also \fBrndc stop\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B loadkeys [zone [class [view]]]
This command fetches all DNSSEC keys for the given zone from the key directory. If
they are within their publication period, they are merged into the
-zone\(aqs DNSKEY RRset. Unlike \fI\%rndc sign\fP, however, the zone is not
+zone\(aqs DNSKEY RRset. Unlike \fBrndc sign\fP, however, the zone is not
immediately re\-signed by the new keys, but is allowed to
incrementally re\-sign over time.
.sp
@@ -287,7 +288,7 @@
.TP
.B managed\-keys (status | refresh | sync | destroy) [class [view]]
This command inspects and controls the \(dqmanaged\-keys\(dq database which handles
-\X'tty: link https://datatracker.ietf.org/doc/html/rfc5011.html'\fI\%RFC 5011\fP\X'tty: link' DNSSEC trust anchor maintenance. If a view is specified, these
+\fBRFC 5011\fP \% DNSSEC trust anchor maintenance. If a view is specified, these
commands are applied to that view; otherwise, they are applied to all
views.
.INDENT 7.0
@@ -312,11 +313,11 @@
.sp
Existing keys that are already trusted are not deleted from
memory; DNSSEC validation can continue after this command is used.
-However, key maintenance operations cease until \fI\%named\fP is
+However, key maintenance operations cease until \fBnamed\fP \%<#\:std-iscman-named> is
restarted or reconfigured, and all existing key maintenance states
are deleted.
.sp
-Running \fI\%rndc reconfig\fP or restarting \fI\%named\fP immediately
+Running \fBrndc reconfig\fP or restarting \fBnamed\fP \%<#\:std-iscman-named> immediately
after this command causes key maintenance to be reinitialized
from scratch, just as if the server were being started for the
first time. This is primarily intended for testing, but it may
@@ -332,18 +333,18 @@
running. This command requires the \fBallow\-new\-zones\fP option to be set
to \fByes\fP\&. As with \fBaddzone\fP, the configuration string specified on
the command line is the zone configuration text that would ordinarily be
-placed in \fI\%named.conf\fP\&.
+placed in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.sp
-If the zone was originally added via \fI\%rndc addzone\fP, the
+If the zone was originally added via \fBrndc addzone\fP, the
configuration changes are recorded permanently and are still
in effect after the server is restarted or reconfigured. However, if
-it was originally configured in \fI\%named.conf\fP, then that original
+it was originally configured in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>, then that original
configuration remains in place; when the server is restarted or
reconfigured, the zone reverts to its original configuration. To
make the changes permanent, it must also be modified in
-\fI\%named.conf\fP\&.
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.sp
-See also \fI\%rndc addzone\fP and \fI\%rndc delzone\fP\&.
+See also \fBrndc addzone\fP and \fBrndc delzone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -355,25 +356,25 @@
.B notrace
This command sets the server\(aqs debugging level to 0.
.sp
-See also \fI\%rndc trace\fP\&.
+See also \fBrndc trace\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B nta [(\-class class | \-dump | \-force | \-remove | \-lifetime duration)] domain [view]
This command sets a DNSSEC negative trust anchor (NTA) for \fBdomain\fP, with a
lifetime of \fBduration\fP\&. The default lifetime is configured in
-\fI\%named.conf\fP via the \fBnta\-lifetime\fP option, and defaults to one
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> via the \fBnta\-lifetime\fP option, and defaults to one
hour. The lifetime cannot exceed one week.
.sp
A negative trust anchor selectively disables DNSSEC validation for
zones that are known to be failing because of misconfiguration rather
than an attack. When data to be validated is at or below an active
-NTA (and above any other configured trust anchors), \fI\%named\fP
+NTA (and above any other configured trust anchors), \fBnamed\fP \%<#\:std-iscman-named>
aborts the DNSSEC validation process and treats the data as insecure
rather than bogus. This continues until the NTA\(aqs lifetime has
elapsed.
.sp
-NTAs persist across restarts of the \fI\%named\fP server. The NTAs for a
+NTAs persist across restarts of the \fBnamed\fP \%<#\:std-iscman-named> server. The NTAs for a
view are saved in a file called \fBname.nta\fP, where \fBname\fP is the name
of the view; if it contains characters that are incompatible with
use as a file name, a cryptographic hash is generated from the name of
@@ -391,7 +392,7 @@
of existing NTAs is printed. Note that this may include NTAs that are
expired but have not yet been cleaned up.
.sp
-Normally, \fI\%named\fP periodically tests to see whether data below
+Normally, \fBnamed\fP \%<#\:std-iscman-named> periodically tests to see whether data below
an NTA can now be validated (see the \fBnta\-recheck\fP option in the
Administrator Reference Manual for details). If data can be
validated, then the NTA is regarded as no longer necessary and is
@@ -419,21 +420,21 @@
.sp
Query logging can also be enabled by explicitly directing the
\fBqueries\fP \fBcategory\fP to a \fBchannel\fP in the \fBlogging\fP section
-of \fI\%named.conf\fP, or by specifying \fBquerylog yes;\fP in the
-\fBoptions\fP section of \fI\%named.conf\fP\&.
+of \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>, or by specifying \fBquerylog yes;\fP in the
+\fBoptions\fP section of \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.UNINDENT
.INDENT 0.0
.TP
.B reconfig
This command reloads the configuration file and loads new zones, but does not reload
existing zone files even if they have changed. This is faster than a
-full \fI\%rndc reload\fP when there is a large number of zones, because it
+full \fBrndc reload\fP when there is a large number of zones, because it
avoids the need to examine the modification times of the zone files.
.UNINDENT
.INDENT 0.0
.TP
.B recursing
-This command dumps the list of queries \fI\%named\fP is currently
+This command dumps the list of queries \fBnamed\fP \%<#\:std-iscman-named> is currently
recursing on, and the list of domains to which iterative queries
are currently being sent.
.sp
@@ -483,7 +484,7 @@
.TP
.B scan
This command scans the list of available network interfaces for changes, without
-performing a full \fI\%rndc reconfig\fP or waiting for the
+performing a full \fBrndc reconfig\fP or waiting for the
\fBinterface\-interval\fP timer.
.UNINDENT
.INDENT 0.0
@@ -501,19 +502,19 @@
\fBrndc\fP response channel and printed to the standard output.
Otherwise, it is written to the secroots dump file, which defaults to
\fBnamed.secroots\fP, but can be overridden via the \fBsecroots\-file\fP
-option in \fI\%named.conf\fP\&.
+option in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.sp
-See also \fI\%rndc managed\-keys\fP\&.
+See also \fBrndc managed\-keys\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B serve\-stale (on | off | reset | status) [class [view]]
This command enables, disables, resets, or reports the current status of
-the serving of stale answers as configured in \fI\%named.conf\fP\&.
+the serving of stale answers as configured in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.sp
If serving of stale answers is disabled by \fBrndc\-serve\-stale off\fP, then it
-remains disabled even if \fI\%named\fP is reloaded or reconfigured. \fBrndc
-serve\-stale reset\fP restores the setting as configured in \fI\%named.conf\fP\&.
+remains disabled even if \fBnamed\fP \%<#\:std-iscman-named> is reloaded or reconfigured. \fBrndc
+serve\-stale reset\fP restores the setting as configured in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&.
.sp
\fBrndc serve\-stale status\fP reports whether caching and serving of stale
answers is currently enabled or disabled. It also reports the values of
@@ -525,8 +526,8 @@
If the server is configured with \fBallow\-new\-zones\fP set to \fByes\fP,
then this command prints the configuration of a running zone.
.sp
-See also \fI\%rndc addzone\fP, \fI\%rndc modzone\fP\&.
-and \fI\%rndc delzone\fP\&.
+See also \fBrndc addzone\fP, \fBrndc modzone\fP\&.
+and \fBrndc delzone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -543,7 +544,7 @@
\(dqDynamic Update Policies\(dq in the BIND 9 Administrator Reference Manual for more
details.)
.sp
-See also \fI\%rndc loadkeys\fP\&.
+See also \fBrndc loadkeys\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -575,13 +576,13 @@
chain should be set. \fBiterations\fP defines the number of additional times to apply
the algorithm when generating an NSEC3 hash. The \fBsalt\fP is a string
of data expressed in hexadecimal, a hyphen (\fB\-\fP) if no salt is to be
-used, or the keyword \fBauto\fP, which causes \fI\%named\fP to generate a
+used, or the keyword \fBauto\fP, which causes \fBnamed\fP \%<#\:std-iscman-named> to generate a
random 64\-bit salt.
.sp
The only recommended configuration is \fBrndc signing \-nsec3param 1 0 0 \- zone\fP,
i.e. no salt, no additional iterations, no opt\-out.
.sp
-\fBWARNING:\fP
+\fBWarning:\fP
.INDENT 7.0
.INDENT 3.5
Do not use extra iterations, salt, or opt\-out unless all their implications
@@ -617,11 +618,11 @@
.B stop \-p
This command stops the server, making sure any recent changes made through dynamic
update or IXFR are first saved to the master files of the updated
-zones. If \fB\-p\fP is specified, \fI\%named\fP\(aqs process ID is returned.
-This allows an external process to determine when \fI\%named\fP has
+zones. If \fB\-p\fP is specified, \fBnamed\fP \%<#\:std-iscman-named>\(aqs process ID is returned.
+This allows an external process to determine when \fBnamed\fP \%<#\:std-iscman-named> has
completed stopping.
.sp
-See also \fI\%rndc halt\fP\&.
+See also \fBrndc halt\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -654,7 +655,7 @@
journal file is removed. If no zone is specified, the reloading happens
asynchronously.
.sp
-See also \fI\%rndc freeze\fP\&.
+See also \fBrndc freeze\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -668,7 +669,7 @@
provided value.
.UNINDENT
.sp
-See also \fI\%rndc notrace\fP\&.
+See also \fBrndc notrace\fP\&.
.UNINDENT
.INDENT 0.0
.TP
@@ -680,7 +681,7 @@
.TP
.B tsig\-list
This command lists the names of all TSIG keys currently configured for use by
-\fI\%named\fP in each view. The list includes both statically configured keys and
+\fBnamed\fP \%<#\:std-iscman-named> in each view. The list includes both statically configured keys and
dynamic TKEY\-negotiated keys.
.UNINDENT
.INDENT 0.0
@@ -702,11 +703,11 @@
signed, whether it uses automatic DNSSEC key management or inline
signing, and the scheduled refresh or expiry times for the zone.
.sp
-See also \fI\%rndc showzone\fP\&.
+See also \fBrndc showzone\fP\&.
.UNINDENT
.sp
-\fBrndc\fP commands that specify zone names, such as \fI\%reload\fP
-\fI\%retransfer\fP, or \fI\%zonestatus\fP, can be ambiguous when applied to zones
+\fBrndc\fP commands that specify zone names, such as \fBreload\fP
+\fBretransfer\fP, or \fBzonestatus\fP, can be ambiguous when applied to zones
of type \fBredirect\fP\&. Redirect zones are always called \fB\&.\fP, and can be
confused with zones of type \fBhint\fP or with secondary copies of the root
zone. To specify a redirect zone, use the special zone name
@@ -720,12 +721,11 @@
Several error messages could be clearer.
.SH SEE ALSO
.sp
-\fI\%rndc.conf(5)\fP, \fI\%rndc\-confgen(8)\fP,
-\fI\%named(8)\fP, \fI\%named.conf(5)\fP, BIND 9 Administrator
+\fBrndc.conf(5)\fP \%<#\:std-iscman-rndc\:.conf>, \fBrndc\-confgen(8)\fP \%<#\:std-iscman-rndc-confgen>,
+\fBnamed(8)\fP \%<#\:std-iscman-named>, \fBnamed.conf(5)\fP \%<#\:std-iscman-named\:.conf>, BIND 9 Administrator
Reference Manual.
-.SH AUTHOR
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/rndc.conf.5in bind9-9.18.47/doc/man/rndc.conf.5in
--- bind9-9.18.44/doc/man/rndc.conf.5in 2026-01-09 13:46:03.424239321 +0000
+++ bind9-9.18.47/doc/man/rndc.conf.5in 2026-03-13 22:13:22.350615814 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -35,9 +36,9 @@
\fBrndc.conf\fP
.SH DESCRIPTION
.sp
-\fBrndc.conf\fP is the configuration file for \fI\%rndc\fP, the BIND 9 name
+\fBrndc.conf\fP is the configuration file for \fBrndc\fP \%<#\:std-iscman-rndc>, the BIND 9 name
server control utility. This file has a similar structure and syntax to
-\fI\%named.conf\fP\&. Statements are enclosed in braces and terminated with a
+\fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&. Statements are enclosed in braces and terminated with a
semi\-colon. Clauses in the statements are also semi\-colon terminated.
The usual comment styles are supported:
.sp
@@ -47,13 +48,13 @@
.sp
Unix style: # to end of line
.sp
-\fBrndc.conf\fP is much simpler than \fI\%named.conf\fP\&. The file uses three
+\fBrndc.conf\fP is much simpler than \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&. The file uses three
statements: an options statement, a server statement, and a key
statement.
.sp
The \fBoptions\fP statement contains five clauses. The \fBdefault\-server\fP
clause is followed by the name or address of a name server. This host
-is used when no name server is given as an argument to \fI\%rndc\fP\&.
+is used when no name server is given as an argument to \fBrndc\fP \%<#\:std-iscman-rndc>\&.
The \fBdefault\-key\fP clause is followed by the name of a key, which is
identified by a \fBkey\fP statement. If no \fBkeyid\fP is provided on the
rndc command line, and no \fBkey\fP clause is found in a matching
@@ -78,14 +79,14 @@
.sp
The \fBkey\fP statement begins with an identifying string, the name of the
key. The statement has two clauses. \fBalgorithm\fP identifies the
-authentication algorithm for \fI\%rndc\fP to use; currently only HMAC\-MD5
+authentication algorithm for \fBrndc\fP \%<#\:std-iscman-rndc> to use; currently only HMAC\-MD5
(for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default),
HMAC\-SHA384, and HMAC\-SHA512 are supported. This is followed by a secret
clause which contains the base\-64 encoding of the algorithm\(aqs
authentication key. The base\-64 string is enclosed in double quotes.
.sp
There are two common ways to generate the base\-64 string for the secret.
-The BIND 9 program \fI\%rndc\-confgen\fP can be used to generate a random
+The BIND 9 program \fBrndc\-confgen\fP \%<#\:std-iscman-rndc-confgen> can be used to generate a random
key, or the \fBmmencode\fP program, also known as \fBmimencode\fP, can be
used to generate a base\-64 string from known input. \fBmmencode\fP does
not ship with BIND 9 but is available on many systems. See the Example
@@ -146,7 +147,7 @@
.UNINDENT
.UNINDENT
.sp
-In the above example, \fI\%rndc\fP by default uses the server at
+In the above example, \fBrndc\fP \%<#\:std-iscman-rndc> by default uses the server at
localhost (127.0.0.1) and the key called \(dqsamplekey\(dq. Commands to the
localhost server use the \(dqsamplekey\(dq key, which must also be defined
in the server\(aqs configuration file with the same name and secret. The
@@ -154,16 +155,16 @@
and its secret clause contains the base\-64 encoding of the HMAC\-SHA256
secret enclosed in double quotes.
.sp
-If \fI\%rndc \-s testserver\fP is used, then \fI\%rndc\fP connects to the server
+If \fBrndc \-s testserver\fP \%<#\:cmdoption-rndc-s> is used, then \fBrndc\fP \%<#\:std-iscman-rndc> connects to the server
on localhost port 5353 using the key \(dqtestkey\(dq.
.sp
-To generate a random secret with \fI\%rndc\-confgen\fP:
+To generate a random secret with \fBrndc\-confgen\fP \%<#\:std-iscman-rndc-confgen>:
.sp
-\fI\%rndc\-confgen\fP
+\fBrndc\-confgen\fP \%<#\:std-iscman-rndc-confgen>
.sp
A complete \fBrndc.conf\fP file, including the randomly generated key,
is written to the standard output. Commented\-out \fBkey\fP and
-\fBcontrols\fP statements for \fI\%named.conf\fP are also printed.
+\fBcontrols\fP statements for \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf> are also printed.
.sp
To generate a base\-64 secret with \fBmmencode\fP:
.sp
@@ -172,15 +173,14 @@
.sp
The name server must be configured to accept rndc connections and to
recognize the key specified in the \fBrndc.conf\fP file, using the
-controls statement in \fI\%named.conf\fP\&. See the sections on the
+controls statement in \fBnamed.conf\fP \%<#\:std-iscman-named\:.conf>\&. See the sections on the
\fBcontrols\fP statement in the BIND 9 Administrator Reference Manual for
details.
.SH SEE ALSO
.sp
-\fI\%rndc(8)\fP, \fI\%rndc\-confgen(8)\fP, \fBmmencode(1)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBrndc(8)\fP \%<#\:std-iscman-rndc>, \fBrndc\-confgen(8)\fP \%<#\:std-iscman-rndc-confgen>, \fBmmencode(1)\fP, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/man/tsig-keygen.8in bind9-9.18.47/doc/man/tsig-keygen.8in
--- bind9-9.18.44/doc/man/tsig-keygen.8in 2026-01-09 13:46:03.447239761 +0000
+++ bind9-9.18.47/doc/man/tsig-keygen.8in 2026-03-13 22:13:22.373616361 +0000
@@ -1,4 +1,5 @@
-.\" Man page generated from reStructuredText.
+.\" Man page generated from reStructuredText
+.\" by the Docutils 0.22.4 manpage writer.
.
.
.nr rst2man-indent-level 0
@@ -36,8 +37,8 @@
.SH DESCRIPTION
.sp
\fBtsig\-keygen\fP is an utility that generates keys for use with TSIG
-(Transaction Signatures) as defined in \X'tty: link https://datatracker.ietf.org/doc/html/rfc2845.html'\fI\%RFC 2845\fP\X'tty: link'\&. The resulting keys can be used,
-for example, to secure dynamic DNS updates to a zone, or for the \fI\%rndc\fP
+(Transaction Signatures) as defined in \fBRFC 2845\fP \%\&. The resulting keys can be used,
+for example, to secure dynamic DNS updates to a zone, or for the \fBrndc\fP \%<#\:std-iscman-rndc>
command channel.
.sp
A domain name can be specified on the command line to be used as the name
@@ -58,10 +59,9 @@
.UNINDENT
.SH SEE ALSO
.sp
-\fI\%nsupdate(1)\fP, \fI\%named.conf(5)\fP, \fI\%named(8)\fP, BIND 9 Administrator Reference Manual.
-.SH AUTHOR
+\fBnsupdate(1)\fP \%<#\:std-iscman-nsupdate>, \fBnamed.conf(5)\fP \%<#\:std-iscman-named\:.conf>, \fBnamed(8)\fP \%<#\:std-iscman-named>, BIND 9 Administrator Reference Manual.
+.SH Author
Internet Systems Consortium
-.SH COPYRIGHT
+.SH Copyright
2026, Internet Systems Consortium
-.\" Generated by docutils manpage writer.
-.
+.\" End of generated man page.
diff -Nru bind9-9.18.44/doc/misc/parsegrammar.py bind9-9.18.47/doc/misc/parsegrammar.py
--- bind9-9.18.44/doc/misc/parsegrammar.py 2026-01-09 13:44:04.763037983 +0000
+++ bind9-9.18.47/doc/misc/parsegrammar.py 2026-03-13 21:59:39.831907428 +0000
@@ -59,6 +59,7 @@
}
}
"""
+
import fileinput
import json
import re
diff -Nru bind9-9.18.44/doc/notes/notes-9.18.45.rst bind9-9.18.47/doc/notes/notes-9.18.45.rst
--- bind9-9.18.44/doc/notes/notes-9.18.45.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/doc/notes/notes-9.18.45.rst 2026-03-13 21:59:39.834907521 +0000
@@ -0,0 +1,30 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.45
+----------------------
+
+Feature Changes
+~~~~~~~~~~~~~~~
+
+- Update requirements for system test suite.
+
+ Python 3.10 or newer is now required for running the system test suite. The
+ required Python packages and their version requirements are now tracked in the
+ file `bin/tests/system/requirements.txt`. :gl:`#5690` :gl:`#5614`
+
+
+Bug Fixes
+~~~~~~~~~
+
+- Fix implementation of BRID and HHIT record types. :gl:`#5710`
+
+- Fix implementation of DSYNC record type. :gl:`#5711`
diff -Nru bind9-9.18.44/doc/notes/notes-9.18.46.rst bind9-9.18.47/doc/notes/notes-9.18.46.rst
--- bind9-9.18.44/doc/notes/notes-9.18.46.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/doc/notes/notes-9.18.46.rst 2026-03-13 21:59:39.835907552 +0000
@@ -0,0 +1,19 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.46
+----------------------
+
+Bug Fixes
+~~~~~~~~~
+
+- A stale answer could have been served in case of multiple upstream
+ failures when following CNAME chains. This has been fixed. :gl:`#5751`
diff -Nru bind9-9.18.44/doc/notes/notes-9.18.47.rst bind9-9.18.47/doc/notes/notes-9.18.47.rst
--- bind9-9.18.44/doc/notes/notes-9.18.47.rst 1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.18.47/doc/notes/notes-9.18.47.rst 2026-03-13 21:59:39.835907552 +0000
@@ -0,0 +1,30 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+Notes for BIND 9.18.47
+----------------------
+
+Security Fixes
+~~~~~~~~~~~~~~
+
+- Fix unbounded NSEC3 iterations when validating referrals to unsigned
+ delegations. :cve:`2026-1519`
+
+ DNSSEC-signed zones may contain high iteration-count NSEC3 records,
+ which prove that certain delegations are insecure. Previously, a
+ validating resolver encountering such a delegation processed these
+ iterations up to the number given, which could be a maximum of 65,535.
+ This has been addressed by introducing a processing limit, set at 150.
+ Now, if such an NSEC3 record is encountered, the delegation will be
+ treated as insecure.
+
+ ISC would like to thank Samy Medjahed/Ap4sh for bringing this
+ vulnerability to our attention. :gl:`#5708`
diff -Nru bind9-9.18.44/lib/dns/adb.c bind9-9.18.47/lib/dns/adb.c
--- bind9-9.18.44/lib/dns/adb.c 2026-01-09 13:44:04.802038626 +0000
+++ bind9-9.18.47/lib/dns/adb.c 2026-03-13 21:59:39.871908665 +0000
@@ -438,14 +438,14 @@
*/
#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
-#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
-#define FIND_STATICSTUB(fn) (((fn)->options & DNS_ADBFIND_STATICSTUB) != 0)
-#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
-#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0)
+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0)
+#define FIND_STATICSTUB(fn) (((fn)->options & DNS_ADBFIND_STATICSTUB) != 0)
+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0)
/*
* These are currently used on simple unsigned ints, so they are
@@ -461,8 +461,8 @@
* glue, and compare this to the appropriate bits set in o, to see if
* this is ok.
*/
-#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o) & DNS_ADBFIND_GLUEOK) != 0))
-#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o) & DNS_ADBFIND_HINTOK) != 0))
+#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o) & DNS_ADBFIND_GLUEOK) != 0))
+#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o) & DNS_ADBFIND_HINTOK) != 0))
#define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o))
#define STARTATZONE_MATCHES(nf, o) \
(((nf)->flags & DNS_ADBFIND_STARTATZONE) == \
diff -Nru bind9-9.18.44/lib/dns/gssapictx.c bind9-9.18.47/lib/dns/gssapictx.c
--- bind9-9.18.44/lib/dns/gssapictx.c 2026-01-09 13:44:04.807038709 +0000
+++ bind9-9.18.47/lib/dns/gssapictx.c 2026-03-13 21:59:39.876908820 +0000
@@ -774,15 +774,6 @@
CHECK(dns_name_fromtext(principal, &namebuf, dns_rootname, 0,
NULL));
-
- if (gnamebuf.length != 0U) {
- gret = gss_release_buffer(&minor, &gnamebuf);
- if (gret != GSS_S_COMPLETE) {
- gss_log(3, "failed gss_release_buffer: %s",
- gss_error_tostring(gret, minor, buf,
- sizeof(buf)));
- }
- }
} else {
result = DNS_R_CONTINUE;
}
@@ -790,6 +781,15 @@
*ctxout = context;
cleanup:
+ if (gnamebuf.length != 0U) {
+ gret = gss_release_buffer(&minor, &gnamebuf);
+ if (gret != GSS_S_COMPLETE) {
+ gss_log(3, "failed gss_release_buffer: %s",
+ gss_error_tostring(gret, minor, buf,
+ sizeof(buf)));
+ }
+ }
+
if (gname != NULL) {
gret = gss_release_name(&minor, &gname);
if (gret != GSS_S_COMPLETE) {
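Review bot: The `gnamebuf.length != 0U` test now runs on every path that reaches `cleanup:`, including error exits taken before the buffer was ever filled, so it is only safe if `gnamebuf` is initialised to an empty buffer at its declaration. That declaration is outside both gssapictx.c hunks and cannot be confirmed from here. If it is not already initialised, it should be, e.g. `gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER;`. A one-line comment above the moved block such as `/* gnamebuf is empty unless gss_display_name() succeeded */` would state the invariant the cleanup relies on.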
diff -Nru bind9-9.18.44/lib/dns/include/dns/message.h bind9-9.18.47/lib/dns/include/dns/message.h
--- bind9-9.18.44/lib/dns/include/dns/message.h 2026-01-09 13:44:04.813038808 +0000
+++ bind9-9.18.47/lib/dns/include/dns/message.h 2026-03-13 21:59:39.881908974 +0000
@@ -159,7 +159,7 @@
*/
#define DNS_EDE_EXTRATEXT_LEN 64
-#define DNS_MESSAGE_REPLYPRESERVE (DNS_MESSAGEFLAG_RD | DNS_MESSAGEFLAG_CD)
+#define DNS_MESSAGE_REPLYPRESERVE (DNS_MESSAGEFLAG_RD | DNS_MESSAGEFLAG_CD)
#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
#define DNS_MESSAGE_HEADERLEN 12 /*%< 6 uint16_t's */
diff -Nru bind9-9.18.44/lib/dns/include/dns/nsec3.h bind9-9.18.47/lib/dns/include/dns/nsec3.h
--- bind9-9.18.44/lib/dns/include/dns/nsec3.h 2026-01-09 13:44:04.813038808 +0000
+++ bind9-9.18.47/lib/dns/include/dns/nsec3.h 2026-03-13 21:59:39.882909005 +0000
@@ -29,6 +29,12 @@
#define DNS_NSEC3_MAXITERATIONS 150U
/*
+ * The maximum hash that can be encoded in a single label using
+ * base32hexnp. floor(63*5/8)
+ */
+#define NSEC3_MAX_HASH_LENGTH 39
+
+/*
* hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
* hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
*/
diff -Nru bind9-9.18.44/lib/dns/include/dns/sdlz.h bind9-9.18.47/lib/dns/include/dns/sdlz.h
--- bind9-9.18.44/lib/dns/include/dns/sdlz.h 2026-01-09 13:44:04.816038857 +0000
+++ bind9-9.18.47/lib/dns/include/dns/sdlz.h 2026-03-13 21:59:39.884909067 +0000
@@ -332,8 +332,8 @@
*/
typedef isc_result_t
- dns_sdlz_putsoa_t(dns_sdlzlookup_t *lookup, const char *mname,
- const char *rname, uint32_t serial);
+dns_sdlz_putsoa_t(dns_sdlzlookup_t *lookup, const char *mname,
+ const char *rname, uint32_t serial);
dns_sdlz_putsoa_t dns_sdlz_putsoa;
/*%<
* This function may optionally be called from the 'authority'
diff -Nru bind9-9.18.44/lib/dns/include/dns/types.h bind9-9.18.47/lib/dns/include/dns/types.h
--- bind9-9.18.44/lib/dns/include/dns/types.h 2026-01-09 13:44:04.817038873 +0000
+++ bind9-9.18.47/lib/dns/include/dns/types.h 2026-03-13 21:59:39.885909098 +0000
@@ -352,6 +352,7 @@
((x) == dns_trust_additional || (x) == dns_trust_pending_additional)
#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
#define DNS_TRUST_ANSWER(x) ((x) == dns_trust_answer)
+#define DNS_TRUST_SECURE(x) ((x) >= dns_trust_secure)
/*%
* Name checking severities.
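Review bot: `DNS_TRUST_SECURE(x)` is a `>=` comparison where its neighbours (`DNS_TRUST_GLUE`, `DNS_TRUST_ANSWER`) test for equality, so it silently depends on the numeric order of the trust enum and also accepts any level ordered above `dns_trust_secure`. The validator hunks later in this diff use it to skip signature verification, so the ordering assumption should be written down next to the macro. Something like `/* true for dns_trust_secure and every level ordered above it; relies on the enum order */` would do.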
diff -Nru bind9-9.18.44/lib/dns/rdata/generic/brid_68.c bind9-9.18.47/lib/dns/rdata/generic/brid_68.c
--- bind9-9.18.44/lib/dns/rdata/generic/brid_68.c 2026-01-09 13:44:04.827039039 +0000
+++ bind9-9.18.47/lib/dns/rdata/generic/brid_68.c 2026-03-13 21:59:39.896909438 +0000
@@ -28,7 +28,7 @@
UNUSED(options);
UNUSED(callbacks);
- return isc_base64_tobuffer(lexer, target, -1);
+ return isc_base64_tobuffer(lexer, target, -2);
}
static isc_result_t
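Review bot: The length argument `-2` passed to `isc_base64_tobuffer()` is an unexplained magic value here and in the identical change to hhit_67.c. Judging from the new `TEXT_INVALID("\\# 0")` and `TEXT_VALID("AA==")` test cases, the intent appears to be "read to end of line but require at least one octet". A short comment on the call would make that visible, e.g. `/* -2: consume the rest of the line, reject empty data */`. The enclosing fromtext function starts outside the hunk.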
@@ -45,8 +45,6 @@
RETERR(str_totext(" (", target));
}
- RETERR(str_totext(tctx->linebreak, target));
-
if (tctx->width == 0) { /* No splitting */
RETERR(isc_base64_totext(&sr, 60, "", target));
} else {
diff -Nru bind9-9.18.44/lib/dns/rdata/generic/dsync_66.c bind9-9.18.47/lib/dns/rdata/generic/dsync_66.c
--- bind9-9.18.44/lib/dns/rdata/generic/dsync_66.c 2026-01-09 13:44:04.829039071 +0000
+++ bind9-9.18.47/lib/dns/rdata/generic/dsync_66.c 2026-03-13 21:59:39.899909531 +0000
@@ -237,7 +237,7 @@
UNUSED(rdclass);
RETERR(uint16_tobuffer(dsync->type, target));
- RETERR(uint16_tobuffer(dsync->scheme, target));
+ RETERR(uint8_tobuffer(dsync->scheme, target));
RETERR(uint16_tobuffer(dsync->port, target));
dns_name_toregion(&dsync->target, ®ion);
return isc_buffer_copyregion(target, ®ion);
diff -Nru bind9-9.18.44/lib/dns/rdata/generic/hhit_67.c bind9-9.18.47/lib/dns/rdata/generic/hhit_67.c
--- bind9-9.18.44/lib/dns/rdata/generic/hhit_67.c 2026-01-09 13:44:04.830039088 +0000
+++ bind9-9.18.47/lib/dns/rdata/generic/hhit_67.c 2026-03-13 21:59:39.900909562 +0000
@@ -28,7 +28,7 @@
UNUSED(options);
UNUSED(callbacks);
- return isc_base64_tobuffer(lexer, target, -1);
+ return isc_base64_tobuffer(lexer, target, -2);
}
static isc_result_t
@@ -45,8 +45,6 @@
RETERR(str_totext(" (", target));
}
- RETERR(str_totext(tctx->linebreak, target));
-
if (tctx->width == 0) { /* No splitting */
RETERR(isc_base64_totext(&sr, 60, "", target));
} else {
diff -Nru bind9-9.18.44/lib/dns/rdata/generic/nsec3_50.c bind9-9.18.47/lib/dns/rdata/generic/nsec3_50.c
--- bind9-9.18.44/lib/dns/rdata/generic/nsec3_50.c 2026-01-09 13:44:04.834039154 +0000
+++ bind9-9.18.47/lib/dns/rdata/generic/nsec3_50.c 2026-03-13 21:59:39.904909685 +0000
@@ -35,6 +35,8 @@
#include
#include
+#include
+
#define RRTYPE_NSEC3_ATTRIBUTES DNS_RDATATYPEATTR_DNSSEC
static isc_result_t
@@ -96,8 +98,17 @@
false));
isc_buffer_init(&b, buf, sizeof(buf));
RETTOK(isc_base32hexnp_decodestring(DNS_AS_STR(token), &b));
- if (isc_buffer_usedlength(&b) > 0xffU) {
- RETTOK(ISC_R_RANGE);
+ switch (hashalg) {
+ case dns_hash_sha1:
+ if (isc_buffer_usedlength(&b) != ISC_SHA1_DIGESTLENGTH) {
+ RETTOK(ISC_R_RANGE);
+ }
+ break;
+ default:
+ if (isc_buffer_usedlength(&b) > NSEC3_MAX_HASH_LENGTH) {
+ RETTOK(ISC_R_RANGE);
+ }
+ break;
}
RETERR(uint8_tobuffer(isc_buffer_usedlength(&b), target));
RETERR(mem_tobuffer(target, &buf, isc_buffer_usedlength(&b)));
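Review bot: The `default:` branch of the new switch only bounds the decoded hash from above, while the matching `default:` branch added to `fromwire_nsec3` also rejects `hashlen < 1`. The text and wire parsers therefore disagree on an empty next-hash for non-SHA-1 algorithms. An empty decode may not be reachable from a string token, but making the two checks symmetric removes the question: `if (isc_buffer_usedlength(&b) < 1 || isc_buffer_usedlength(&b) > NSEC3_MAX_HASH_LENGTH) {`. The declaration of `buf` is outside the hunk, so it is worth confirming that it is still sized for the largest input the decoder can write before this check runs.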
@@ -184,7 +195,7 @@
static isc_result_t
fromwire_nsec3(ARGS_FROMWIRE) {
isc_region_t sr, rr;
- unsigned int saltlen, hashlen;
+ unsigned int hash, saltlen, hashlen;
REQUIRE(type == dns_rdatatype_nsec3);
@@ -200,6 +211,7 @@
if (sr.length < 5U) {
RETERR(DNS_R_FORMERR);
}
+ hash = sr.base[0];
saltlen = sr.base[4];
isc_region_consume(&sr, 5);
@@ -214,8 +226,19 @@
hashlen = sr.base[0];
isc_region_consume(&sr, 1);
- if (hashlen < 1 || sr.length < hashlen) {
- RETERR(DNS_R_FORMERR);
+ switch (hash) {
+ case dns_hash_sha1:
+ if (hashlen != ISC_SHA1_DIGESTLENGTH || sr.length < hashlen) {
+ RETERR(DNS_R_FORMERR);
+ }
+ break;
+ default:
+ if (hashlen < 1 || hashlen > NSEC3_MAX_HASH_LENGTH ||
+ sr.length < hashlen)
+ {
+ RETERR(DNS_R_FORMERR);
+ }
+ break;
}
isc_region_consume(&sr, hashlen);
@@ -265,7 +288,6 @@
REQUIRE(nsec3->common.rdtype == type);
REQUIRE(nsec3->common.rdclass == rdclass);
REQUIRE(nsec3->typebits != NULL || nsec3->len == 0);
- REQUIRE(nsec3->hash == dns_hash_sha1);
UNUSED(type);
UNUSED(rdclass);
@@ -324,6 +346,7 @@
}
nsec3->mctx = mctx;
+
return ISC_R_SUCCESS;
cleanup:
diff -Nru bind9-9.18.44/lib/dns/rdata/in_1/dhcid_49.c bind9-9.18.47/lib/dns/rdata/in_1/dhcid_49.c
--- bind9-9.18.44/lib/dns/rdata/in_1/dhcid_49.c 2026-01-09 13:44:04.842039286 +0000
+++ bind9-9.18.47/lib/dns/rdata/in_1/dhcid_49.c 2026-03-13 21:59:39.911909902 +0000
@@ -153,7 +153,7 @@
if (dhcid->dhcid == NULL) {
return ISC_R_NOMEMORY;
}
-
+ dhcid->length = region.length;
dhcid->mctx = mctx;
return ISC_R_SUCCESS;
}
diff -Nru bind9-9.18.44/lib/dns/time.c bind9-9.18.47/lib/dns/time.c
--- bind9-9.18.44/lib/dns/time.c 2026-01-09 13:44:04.848039385 +0000
+++ bind9-9.18.47/lib/dns/time.c 2026-03-13 21:59:39.918910118 +0000
@@ -42,8 +42,8 @@
/*
* Warning. Do NOT use arguments with side effects with these macros.
*/
-#define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
-#define year_secs(y) ((is_leap(y) ? 366 : 365) * 86400)
+#define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
+#define year_secs(y) ((is_leap(y) ? 366 : 365) * 86400)
#define month_secs(m, y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0)) * 86400)
tm.tm_year = 70;
diff -Nru bind9-9.18.44/lib/dns/validator.c bind9-9.18.47/lib/dns/validator.c
--- bind9-9.18.44/lib/dns/validator.c 2026-01-09 13:44:04.850039418 +0000
+++ bind9-9.18.47/lib/dns/validator.c 2026-03-13 21:59:39.919910149 +0000
@@ -256,12 +256,25 @@
}
/*%
- * Look in the NSEC record returned from a DS query to see if there is
- * a NS RRset at this name. If it is found we are at a delegation point.
+ * The isdelegation() function is called as part of seeking the DS record.
+ * Look in the NSEC or NSEC3 record returned from a DS query to see if the
+ * record has the NS bitmap set. If so, we are at a delegation point.
+ *
+ * If the response contains NSEC3 records with too high iterations, we cannot
+ * (or rather we are not going to) validate the insecurity proof. Instead we
+ * are going to treat the message as insecure and just assume the DS was at
+ * the delegation.
+ *
+ * Returns:
+ *\li #ISC_R_SUCCESS the NS bitmap was set in the NSEC or NSEC3 record, or
+ * the NSEC3 covers the name (in case of opt-out), or
+ * we cannot validate the insecurity proof and are going
+ * to treat the message as isnecure.
+ *\li #ISC_R_NOTFOUND the NS bitmap was not set,
*/
-static bool
-isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
- isc_result_t dbresult) {
+static isc_result_t
+isdelegation(dns_validator_t *val, dns_name_t *name, dns_rdataset_t *rdataset,
+ isc_result_t dbresult, const char *caller) {
dns_fixedname_t fixed;
dns_label_t hashlabel;
dns_name_t nsec3name;
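Review bot: The new doc comment for `isdelegation()` has a typo in the `#ISC_R_SUCCESS` entry ("isnecure" should be "insecure") and ends the `#ISC_R_NOTFOUND` entry with a stray comma. It also leaves the two new parameters undocumented. I would add a sentence saying that `val` is used only for logging and that `caller` is the function name prefixed to the "too many iterations" debug message. The function body continues outside this hunk.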
@@ -289,7 +302,7 @@
goto trynsec3;
}
if (result != ISC_R_SUCCESS) {
- return false;
+ return ISC_R_NOTFOUND;
}
}
@@ -303,7 +316,7 @@
dns_rdata_reset(&rdata);
}
dns_rdataset_disassociate(&set);
- return found;
+ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
trynsec3:
/*
@@ -339,6 +352,21 @@
if (nsec3.hash != 1) {
continue;
}
+ if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) {
+ continue;
+ }
+ /*
+ * If there are too many iterations assume bad things
+ * are happening and bail out early. Treat as if the
+ * DS was at the delegation.
+ */
+ if (nsec3.iterations > DNS_NSEC3_MAXITERATIONS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "%s: too many iterations",
+ caller);
+ dns_rdataset_disassociate(&set);
+ return ISC_R_SUCCESS;
+ }
length = isc_iterated_hash(
hash, nsec3.hash, nsec3.iterations, nsec3.salt,
nsec3.salt_length, name->ndata, name->length);
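Review bot: Returning `ISC_R_SUCCESS` for an over-limit iteration count makes the "proof not checked" case indistinguishable from a real delegation at the call sites. All three callers in this diff then pass "this is a delegation" or "no DS and this is a delegation" to `markanswer()`, and the only trace of the downgrade is a `ISC_LOG_DEBUG(3)` line. An operator investigating why a signed zone's delegation was treated as insecure would not see the cause at normal log levels. Consider returning a distinct code such as the `DNS_R_NSEC3ITERRANGE` already used in `validate_nx`, e.g. `return DNS_R_NSEC3ITERRANGE;`, and having callers supply an accurate reason string, or raise the log level for this branch. The size of the `hash` buffer that `isc_iterated_hash()` writes into is declared outside the hunk, and since `NSEC3_MAX_HASH_LENGTH` changes from 155 to 39 in this release that declaration deserves a second look.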
@@ -350,7 +378,7 @@
found = dns_nsec3_typepresent(&rdata,
dns_rdatatype_ns);
dns_rdataset_disassociate(&set);
- return found;
+ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
}
if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0) {
continue;
@@ -366,12 +394,12 @@
memcmp(hash, nsec3.next, length) < 0)))
{
dns_rdataset_disassociate(&set);
- return true;
+ return ISC_R_SUCCESS;
}
}
dns_rdataset_disassociate(&set);
}
- return found;
+ return found ? ISC_R_SUCCESS : ISC_R_NOTFOUND;
}
/*%
@@ -587,8 +615,9 @@
} else if (eresult == DNS_R_SERVFAIL) {
goto unexpected;
} else if (eresult != DNS_R_CNAME &&
- isdelegation(devent->foundname, &val->frdataset,
- eresult))
+ isdelegation(val, devent->foundname, &val->frdataset,
+ eresult,
+ "fetch_callback_ds") == ISC_R_SUCCESS)
{
/*
* Failed to find a DS while trying to prove
@@ -752,10 +781,13 @@
dns_trust_totext(val->frdataset.trust));
have_dsset = (val->frdataset.type == dns_rdatatype_ds);
name = dns_fixedname_name(&val->fname);
+
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
val->frdataset.covers == dns_rdatatype_ds &&
NEGATIVE(&val->frdataset) &&
- isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET))
+ isdelegation(val, name, &val->frdataset,
+ DNS_R_NCACHENXRRSET,
+ "validator_callback_ds") == ISC_R_SUCCESS)
{
result = markanswer(val, "validator_callback_ds",
"no DS and this is a delegation");
@@ -1491,6 +1523,13 @@
bool ignore = false;
dns_name_t *wild;
+ if (DNS_TRUST_SECURE(val->event->rdataset->trust)) {
+ /*
+ * This RRset was already verified before.
+ */
+ return ISC_R_SUCCESS;
+ }
+
val->attributes |= VALATTR_TRIEDVERIFY;
wild = dns_fixedname_initname(&fixed);
again:
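Review bot: The new early return sits above `val->attributes |= VALATTR_TRIEDVERIFY`, so the function can now report success without that attribute being set and without any log line saying verification was skipped. Whether later code reads `VALATTR_TRIEDVERIFY` after a successful result is not visible in this hunk, so that should be confirmed. The comment could also say where the trust level is raised, e.g. `/* rdataset->trust was set to secure by an earlier validation of this same RRset; do not re-verify */`. The same trust-based shortcut is added in the `@@ -2424,6 +2463,17 @@` hunk, which returns `DNS_R_CONTINUE` for already-secure negative data. A debug-level `validator_log()` call on both paths would make skipped verifications traceable.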
@@ -2424,6 +2463,17 @@
}
}
+ if (rdataset->type != dns_rdatatype_nsec &&
+ DNS_TRUST_SECURE(rdataset->trust))
+ {
+ /*
+ * The negative response data is already verified.
+ * We skip NSEC records, because they require special
+ * processing in validator_callback_nsec().
+ */
+ return DNS_R_CONTINUE;
+ }
+
val->currentset = rdataset;
result = create_validator(val, name, rdataset->type, rdataset,
sigrdataset, validator_callback_nsec,
@@ -2534,11 +2584,9 @@
}
result = validate_neg_rrset(val, name, rdataset, sigrdataset);
- if (result == DNS_R_CONTINUE) {
- continue;
+ if (result != DNS_R_CONTINUE) {
+ return result;
}
-
- return result;
}
if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
@@ -2587,7 +2635,8 @@
result = findnsec3proofs(val);
if (result == DNS_R_NSEC3ITERRANGE) {
validator_log(val, ISC_LOG_DEBUG(3),
- "too many iterations");
+ "%s: too many iterations",
+ __func__);
markanswer(val, "validate_nx (3)", NULL);
return ISC_R_SUCCESS;
}
@@ -2623,7 +2672,7 @@
result = findnsec3proofs(val);
if (result == DNS_R_NSEC3ITERRANGE) {
validator_log(val, ISC_LOG_DEBUG(3),
- "too many iterations");
+ "%s: too many iterations", __func__);
markanswer(val, "validate_nx (4)", NULL);
return ISC_R_SUCCESS;
}
@@ -2830,7 +2879,9 @@
return ISC_R_COMPLETE;
}
- if (isdelegation(tname, &val->frdataset, result)) {
+ result = isdelegation(val, tname, &val->frdataset, result,
+ "seek_ds");
+ if (result == ISC_R_SUCCESS) {
*resp = markanswer(val, "seek_ds (3)",
"this is a delegation");
return ISC_R_COMPLETE;
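Review bot: Assigning the return value of `isdelegation()` to `result` overwrites the lookup result that was just passed in as the `dbresult` argument. The other two call sites in this diff compare the return value inline and leave their local state alone. If any code after this `if`, outside the hunk, still reads `result`, it now sees `ISC_R_NOTFOUND` instead of the database result. Keeping the call inline avoids that and matches the other callers: `if (isdelegation(val, tname, &val->frdataset, result, "seek_ds") == ISC_R_SUCCESS) {`.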
diff -Nru bind9-9.18.44/lib/dns/zone.c bind9-9.18.47/lib/dns/zone.c
--- bind9-9.18.44/lib/dns/zone.c 2026-01-09 13:44:04.853039467 +0000
+++ bind9-9.18.47/lib/dns/zone.c 2026-03-13 21:59:39.922910242 +0000
@@ -574,7 +574,7 @@
DNS_ZONEFLG___MAX = UINT64_MAX, /* trick to make the ENUM 64-bit wide */
} dns_zoneflg_t;
-#define DNS_ZONE_OPTION(z, o) ((atomic_load_relaxed(&(z)->options) & (o)) != 0)
+#define DNS_ZONE_OPTION(z, o) ((atomic_load_relaxed(&(z)->options) & (o)) != 0)
#define DNS_ZONE_SETOPTION(z, o) atomic_fetch_or(&(z)->options, (o))
#define DNS_ZONE_CLROPTION(z, o) atomic_fetch_and(&(z)->options, ~(o))
diff -Nru bind9-9.18.44/lib/isc/file.c bind9-9.18.47/lib/isc/file.c
--- bind9-9.18.44/lib/isc/file.c 2026-01-09 13:44:04.856039517 +0000
+++ bind9-9.18.47/lib/isc/file.c 2026-03-13 21:59:39.925910335 +0000
@@ -354,7 +354,7 @@
return isc__errno2result(errno);
}
for (cp = x;;) {
- char *t;
+ const char *t;
if (*cp == '\0') {
return ISC_R_FAILURE;
}
diff -Nru bind9-9.18.44/lib/isc/include/isc/iterated_hash.h bind9-9.18.47/lib/isc/include/isc/iterated_hash.h
--- bind9-9.18.44/lib/isc/include/isc/iterated_hash.h 2026-01-09 13:44:04.859039566 +0000
+++ bind9-9.18.47/lib/isc/include/isc/iterated_hash.h 2026-03-13 21:59:39.929910459 +0000
@@ -15,18 +15,6 @@
#include
-/*
- * The maximal hash length that can be encoded in a name
- * using base32hex. floor(255/8)*5
- */
-#define NSEC3_MAX_HASH_LENGTH 155
-
-/*
- * The maximum has that can be encoded in a single label using
- * base32hex. floor(63/8)*5
- */
-#define NSEC3_MAX_LABEL_HASH 35
-
ISC_LANG_BEGINDECLS
int
diff -Nru bind9-9.18.44/lib/ns/include/ns/client.h bind9-9.18.47/lib/ns/include/ns/client.h
--- bind9-9.18.44/lib/ns/include/ns/client.h 2026-01-09 13:44:04.880039913 +0000
+++ bind9-9.18.47/lib/ns/include/ns/client.h 2026-03-13 21:59:39.949911077 +0000
@@ -255,14 +255,14 @@
#define NS_CLIENTATTR_WANTNSID 0x00020 /*%< include nameserver ID */
/* Obsolete: NS_CLIENTATTR_FILTER_AAAA 0x00040 */
/* Obsolete: NS_CLIENTATTR_FILTER_AAAA_RC 0x00080 */
-#define NS_CLIENTATTR_WANTAD 0x00100 /*%< want AD in response if possible */
-#define NS_CLIENTATTR_WANTCOOKIE 0x00200 /*%< return a COOKIE */
-#define NS_CLIENTATTR_HAVECOOKIE 0x00400 /*%< has a valid COOKIE */
-#define NS_CLIENTATTR_WANTEXPIRE 0x00800 /*%< return seconds to expire */
-#define NS_CLIENTATTR_HAVEEXPIRE 0x01000 /*%< return seconds to expire */
-#define NS_CLIENTATTR_WANTOPT 0x02000 /*%< add opt to reply */
-#define NS_CLIENTATTR_HAVEECS 0x04000 /*%< received an ECS option */
-#define NS_CLIENTATTR_WANTPAD 0x08000 /*%< pad reply */
+#define NS_CLIENTATTR_WANTAD 0x00100 /*%< want AD in response if possible */
+#define NS_CLIENTATTR_WANTCOOKIE 0x00200 /*%< return a COOKIE */
+#define NS_CLIENTATTR_HAVECOOKIE 0x00400 /*%< has a valid COOKIE */
+#define NS_CLIENTATTR_WANTEXPIRE 0x00800 /*%< return seconds to expire */
+#define NS_CLIENTATTR_HAVEEXPIRE 0x01000 /*%< return seconds to expire */
+#define NS_CLIENTATTR_WANTOPT 0x02000 /*%< add opt to reply */
+#define NS_CLIENTATTR_HAVEECS 0x04000 /*%< received an ECS option */
+#define NS_CLIENTATTR_WANTPAD 0x08000 /*%< pad reply */
#define NS_CLIENTATTR_USEKEEPALIVE 0x10000 /*%< use TCP keepalive */
#define NS_CLIENTATTR_NOSETFC 0x20000 /*%< don't set servfail cache */
diff -Nru bind9-9.18.44/lib/ns/query.c bind9-9.18.47/lib/ns/query.c
--- bind9-9.18.44/lib/ns/query.c 2026-01-09 13:44:04.883039962 +0000
+++ bind9-9.18.47/lib/ns/query.c 2026-03-13 21:59:39.952911170 +0000
@@ -5550,6 +5550,8 @@
isc_result_t
ns__query_start(query_ctx_t *qctx) {
isc_result_t result = ISC_R_UNSET;
+ ns_client_t *client = qctx->client;
+
CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start");
qctx->want_restart = false;
qctx->authoritative = false;
@@ -5558,6 +5560,13 @@
qctx->need_wildcardproof = false;
qctx->rpz = false;
+ /*
+ * Clean existing stale options in case ns__query_start was restarted
+ * due to the CNAME/DNAME chains.
+ */
+ client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT |
+ DNS_DBFIND_STALEOK);
+
CALL_HOOK(NS_QUERY_START_BEGIN, qctx);
/*
diff -Nru bind9-9.18.44/srcid bind9-9.18.47/srcid
--- bind9-9.18.44/srcid 2026-01-09 13:46:21.762592221 +0000
+++ bind9-9.18.47/srcid 2026-03-13 22:17:48.858975814 +0000
@@ -1 +1 @@
-2e74eea
+84c0d37
diff -Nru bind9-9.18.44/tests/dns/rdata_test.c bind9-9.18.47/tests/dns/rdata_test.c
--- bind9-9.18.44/tests/dns/rdata_test.c 2026-01-09 13:44:04.891040094 +0000
+++ bind9-9.18.47/tests/dns/rdata_test.c 2026-03-13 21:59:39.960911417 +0000
@@ -1101,10 +1101,14 @@
dns_rdatatype_amtrelay, sizeof(dns_rdata_amtrelay_t));
}
-/* BRIB RDATA - base64 encoded opaque */
-ISC_RUN_TEST_IMPL(brib) {
+/* BRID RDATA - base64 encoded opaque */
+ISC_RUN_TEST_IMPL(brid) {
text_ok_t text_ok[] = { /* empty */
TEXT_INVALID(""),
+ /* zero length */
+ TEXT_INVALID("\\# 0"),
+ /* valid base64 string - minimum size */
+ TEXT_VALID("AA=="),
/* valid base64 string */
TEXT_VALID("aaaa"),
/* invalid base64 string */
@@ -1790,43 +1794,43 @@
/*
* Known type and known scheme.
*/
- TEXT_VALID("CDS NOTIFY 0 example.com"),
+ TEXT_VALID("CDS NOTIFY 0 example.com."),
/*
* Known type and unknown scheme.
*/
- TEXT_VALID("CDS 3 0 example.com"),
+ TEXT_VALID("CDS 3 0 example.com."),
/*
* Unknown type and known scheme.
*/
- TEXT_VALID("TYPE1000 NOTIFY 0 example.com"),
+ TEXT_VALID("TYPE1000 NOTIFY 0 example.com."),
/*
* Unknown type and unknown scheme.
*/
- TEXT_VALID("TYPE1000 3 0 example.com"),
+ TEXT_VALID("TYPE1000 3 0 example.com."),
/*
* Unknown type and unknown scheme, max port.
*/
- TEXT_VALID("TYPE1000 3 65535 example.com"),
+ TEXT_VALID("TYPE1000 3 65535 example.com."),
/*
* Unknown type and max scheme, max port.
*/
- TEXT_VALID("TYPE64000 255 65535 example.com"),
+ TEXT_VALID("TYPE64000 255 65535 example.com."),
/*
* Invalid type and max scheme, max port.
*/
- TEXT_INVALID("INVALID 255 65536 example.com"),
+ TEXT_INVALID("INVALID 255 65536 example.com."),
/*
* Unknown type and too big scheme, max port.
*/
- TEXT_INVALID("TYPE1000 256 65536 example.com"),
+ TEXT_INVALID("TYPE1000 256 65536 example.com."),
/*
* Unknown type and unknown scheme, port too big.
*/
- TEXT_INVALID("TYPE1000 3 65536 example.com"),
+ TEXT_INVALID("TYPE1000 3 65536 example.com."),
/*
* Unknown type and bad scheme, max port.
*/
- TEXT_INVALID("TYPE1000 UNKNOWN 65535 example.com"),
+ TEXT_INVALID("TYPE1000 UNKNOWN 65535 example.com."),
/*
* Sentinel.
*/
@@ -2059,6 +2063,10 @@
ISC_RUN_TEST_IMPL(hhit) {
text_ok_t text_ok[] = { /* empty */
TEXT_INVALID(""),
+ /* zero length */
+ TEXT_INVALID("\\# 0"),
+ /* valid base64 string - minimum size */
+ TEXT_VALID("AA=="),
/* valid base64 string */
TEXT_VALID("aaaa"),
/* invalid base64 string */
@@ -2366,8 +2374,7 @@
* RFC 5155.
*/
ISC_RUN_TEST_IMPL(nsec3) {
- text_ok_t text_ok[] = { TEXT_INVALID(""),
- TEXT_INVALID("."),
+ text_ok_t text_ok[] = { TEXT_INVALID(""), TEXT_INVALID("."),
TEXT_INVALID(". RRSIG"),
TEXT_INVALID("1 0 10 76931F"),
TEXT_INVALID("1 0 10 76931F "
@@ -2383,9 +2390,38 @@
"AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
TEXT_VALID("1 0 10 - "
"AJHVGTICN6K0VDA53GCHFMT219SRRQLM"),
+ /* 123456789012345678901234567890123456789 */
+ TEXT_VALID("2 0 10 - "
+ "64P36D1L6ORJGE9G64P36D1L6ORJGE9G64P"
+ "36D1L6ORJGE9G64P36D1L6ORJGE8"),
+ /* 1234567890123456789012345678901234567890 */
+ TEXT_INVALID("2 0 10 - "
+ "64P36D1L6ORJGE9G64P36D1L6ORJGE9G6"
+ "4P36D1L6ORJGE9G64P36D1L6ORJGE9G"),
TEXT_SENTINEL() };
+ wire_ok_t wire_ok[] = {
+ WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00),
+ /* maximal hash */
+ WIRE_VALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x01, 0x02, 0x03,
+ 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02,
+ 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01,
+ 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09),
+ /* Too big hash */
+ WIRE_INVALID(0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x01, 0x02,
+ 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x09, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
+ 0x07, 0x08, 0x09, 0x00, 0x01, 0x02, 0x03, 0x04,
+ 0x05, 0x06, 0x07, 0x08, 0x09, 0x00),
+ /*
+ * Sentinel.
+ */
+ WIRE_SENTINEL()
+ };
- check_rdata(text_ok, NULL, NULL, false, dns_rdataclass_in,
+ check_rdata(text_ok, wire_ok, NULL, false, dns_rdataclass_in,
dns_rdatatype_nsec3, sizeof(dns_rdata_nsec3_t));
}
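Review bot: Every entry in the new `wire_ok` table uses hash algorithm `0x00`, so the SHA-1 branch added to `fromwire_nsec3` (`hashlen != ISC_SHA1_DIGESTLENGTH`) is not exercised by any wire test in this hunk. That branch is the stricter of the two and the one that applies to real NSEC3 records. I would add one valid 20-octet case and at least one wrong-length case with algorithm `0x01`. The byte values below are constructed samples following the layout of the existing entries.

```c
	/* SHA-1, exact digest length (constructed sample) */
	WIRE_VALID(0x01, 0x00, 0x00, 0x00, 0x00, 0x14, 0x01, 0x02, 0x03,
		   0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00, 0x01, 0x02,
		   0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00),
	/* SHA-1, hash one octet short (constructed sample) */
	WIRE_INVALID(0x01, 0x00, 0x00, 0x00, 0x00, 0x13, 0x01, 0x02,
		     0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x00,
		     0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
		     0x09),
	/* … unchanged: sentinel and check_rdata() call … */
```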
@@ -3280,12 +3316,15 @@
ISC_TEST_ENTRY(amtrelay)
ISC_TEST_ENTRY(apl)
ISC_TEST_ENTRY(atma)
+ISC_TEST_ENTRY(brid)
ISC_TEST_ENTRY(cdnskey)
ISC_TEST_ENTRY(csync)
ISC_TEST_ENTRY(dnskey)
ISC_TEST_ENTRY(doa)
ISC_TEST_ENTRY(ds)
+ISC_TEST_ENTRY(dsync)
ISC_TEST_ENTRY(eid)
+ISC_TEST_ENTRY(hhit)
ISC_TEST_ENTRY(hip)
ISC_TEST_ENTRY(https_svcb)
ISC_TEST_ENTRY(isdn)
@@ -3295,8 +3334,8 @@
ISC_TEST_ENTRY(nsec)
ISC_TEST_ENTRY(nsec3)
ISC_TEST_ENTRY(nxt)
-ISC_TEST_ENTRY(rkey)
ISC_TEST_ENTRY(resinfo)
+ISC_TEST_ENTRY(rkey)
ISC_TEST_ENTRY(sshfp)
ISC_TEST_ENTRY(wallet)
ISC_TEST_ENTRY(wks)
diff -Nru bind9-9.18.44/tests/include/tests/isc.h bind9-9.18.47/tests/include/tests/isc.h
--- bind9-9.18.44/tests/include/tests/isc.h 2026-01-09 13:44:04.898040210 +0000
+++ bind9-9.18.47/tests/include/tests/isc.h 2026-03-13 21:59:39.967911634 +0000
@@ -90,7 +90,7 @@
int setup_test_##name(void **state __attribute__((unused)));
#define ISC_RUN_TEST_DECLARE(name) \
- void run_test_##name(void **state __attribute__((unused)));
+ static void run_test_##name(void **state __attribute__((unused)));
#define ISC_TEARDOWN_TEST_DECLARE(name) \
int teardown_test_##name(void **state __attribute__((unused)))
@@ -99,9 +99,9 @@
int setup_test_##name(void **state __attribute__((unused))); \
int setup_test_##name(void **state __attribute__((unused)))
-#define ISC_RUN_TEST_IMPL(name) \
- void run_test_##name(void **state __attribute__((unused))); \
- void run_test_##name(void **state __attribute__((unused)))
+#define ISC_RUN_TEST_IMPL(name) \
+ static void run_test_##name(void **state __attribute__((unused))); \
+ static void run_test_##name(void **state __attribute__((unused)))
#define ISC_TEARDOWN_TEST_IMPL(name) \
int teardown_test_##name(void **state __attribute__((unused))); \
diff -Nru bind9-9.18.44/tests/isc/file_test.c bind9-9.18.47/tests/isc/file_test.c
--- bind9-9.18.44/tests/isc/file_test.c 2026-01-09 13:44:04.900040243 +0000
+++ bind9-9.18.47/tests/isc/file_test.c 2026-03-13 21:59:39.970911726 +0000
@@ -30,8 +30,8 @@
#include
-#define NAME "internal"
-#define SHA "3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f"
+#define NAME "internal"
+#define SHA "3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f"
#define TRUNC_SHA "3bed2cb3a3acf7b6"
#define BAD1 "in/internal"
diff -Nru bind9-9.18.44/tests/isc/task_test.c bind9-9.18.47/tests/isc/task_test.c
--- bind9-9.18.44/tests/isc/task_test.c 2026-01-09 13:44:04.903040292 +0000
+++ bind9-9.18.47/tests/isc/task_test.c 2026-03-13 21:59:39.973911819 +0000
@@ -1463,6 +1463,7 @@
ISC_TEST_ENTRY_CUSTOM(privileged_events, _setup, _teardown)
ISC_TEST_ENTRY_CUSTOM(purge, _setup2, _teardown)
ISC_TEST_ENTRY_CUSTOM(purgeevent, _setup2, _teardown)
+ISC_TEST_ENTRY_CUSTOM(purgerange, _setup2, _teardown)
ISC_TEST_ENTRY_CUSTOM(task_shutdown, _setup4, _teardown)
ISC_TEST_ENTRY_CUSTOM(task_exclusive, _setup4, _teardown)