upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-29 01:49:02 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
16951 commits 18 branches 854 tags 440 MiB
Commit graph

2115 commits

Author SHA1 Message Date
Automatic Updater
5bdf8cd3c2 update copyright notice 2010-01-13 23:48:59 +00:00
Francis Dupont
b3990d04da fix built-in view comment 2010-01-13 08:29:11 +00:00
Tatuya JINMEI 神明達哉
d8680445d6 2828. [security] Cached CNAME or DNAME RR could be returned to clients 
without DNSSEC validation. [RT #20737]

9.4-ESV, 9.5.3, 9.6.2, 9.7.0, 9.8.0(?)
 2009-12-30 08:02:23 +00:00
Mark Andrews
57fb4f7bbe 2825. [bug] Changing the setting of OPTOUT in a NSEC3 chain that 
was in the process of being created was not properly
                        recorded in the zone. [RT #20786]
 2009-12-30 02:43:09 +00:00
Mark Andrews
5b77627c09 2824. [bug] "rndc sign" was not being run by the correct task. 
[RT #20759]
 2009-12-29 22:20:33 +00:00
Evan Hunt
1361014b02 2818. [cleanup] rndc could return an incorrect error code 
when a zone was not found. [RT #20767]
 2009-12-24 00:14:20 +00:00
Evan Hunt
40ad4ed01b 2817. [cleanup] Removed unnecessary isc_tasc_endexclusive() calls. 
[RT #20768]
 2009-12-23 23:59:42 +00:00
Evan Hunt
aa3415ba49 2815. [bug] Exclusively lock the task when freezing a zone. 
[RT #19838]
 2009-12-23 23:33:09 +00:00
Automatic Updater
928e12ccdc update copyright notice 2009-12-18 23:49:03 +00:00
Evan Hunt
4e55893d30 2813. [bug] Better handling of unreadable DNSSEC key files. 
[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT 20748]
 2009-12-18 22:16:49 +00:00
Evan Hunt
12178c8652 2805. [bug] Fixed namespace problems encountered when building 
external programs using non-exported BIND9 libraries
			(i.e., built without --enable-exportlib). [RT #20679]
 2009-12-05 23:31:41 +00:00
Mark Andrews
3d17a3ba61 2801. [func] Detect and report records that are different according 
to DNSSEC but are sematically equal according to plain
                        DNS.  Apply plain DNS comparisons rather than DNSSEC
                        comparisons when processing UPDATE requests.
                        dnssec-signzone now removes such semantically duplicate
                        records prior to signing the RRset.

                        named-checkzone -r {ignore|warn|fail} (default warn)
                        named-compilezone -r {ignore|warn|fail} (default warn)

                        named.conf: check-dup-records {ignore|warn|fail};
 2009-12-04 21:09:34 +00:00
Evan Hunt
e438e29354 claried log message when no active private keys are found to use for 
signing. [rt20690]
 2009-12-04 20:32:07 +00:00
Mark Andrews
5d850024cb 2800. [func] Reject zones which have NS records which refer to 
CNAMEs, DNAMEs or don't have address record (class IN
                        only).  Reject UPDATEs which would cause the zone
                        to fail the above checks if committed. [RT #20678]
 2009-12-04 03:33:15 +00:00
Automatic Updater
089c63b69c regen 2009-12-04 01:13:45 +00:00
Automatic Updater
63aeaafd97 update copyright notice 2009-12-03 23:48:22 +00:00
Evan Hunt
8e4f3f1cbc 2799. [cleanup] Changed the "secure-to-insecure" option to 
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
 2009-12-03 23:18:17 +00:00
Vernon Schryver
5d9922e86f Allow the optional filter-aaaa-on-v4 option in view statements to close #20635 2009-11-28 15:57:37 +00:00
Mark Andrews
d0ca4e90e2 2786. [bug] Additional could be promoted to answer. [RT #20663] 2009-11-25 02:22:05 +00:00
Evan Hunt
d312bc5d81 2785. [bug] Revoked keys could fail to self-sign [RT #20652] 2009-11-24 03:42:32 +00:00
Mark Andrews
dc92707066 2783. [func] Return minimal responses to EDNS/UDP queries with a UDP 
buffer size of 512 or less.  [RT #20654]
 2009-11-24 03:09:57 +00:00
Evan Hunt
cef109efa7 2780. [bug] dnssec-keygen -A none didn't properly unset the 
activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revokation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]
 2009-11-23 02:55:41 +00:00
Evan Hunt
0088b45de5 2774. [bug] Existing cache DB wasn't being reused after 
reconfiguration. [RT #20629]
 2009-11-19 18:52:40 +00:00
Evan Hunt
b08325a7f3 2773. [bug] In autosigned zones, the SOA could be signed 
with the KSK. [RT #20628]
 2009-11-18 21:22:31 +00:00
Mark Andrews
a39a5f4d81 2772. [security] When validating, track whether pending data was from 
the additional section or not and only return it if
                        validates as secure. [RT #20438]
 2009-11-17 23:55:18 +00:00
Evan Hunt
e2facd7af2 2756. [bug] Fixed corrupt logfile message in update.c. [RT# 20597] 2009-11-09 01:28:32 +00:00
Evan Hunt
cc3ed192b0 2754. [bug] Secure-to-insecure transitions failed when zone 
was signed with NSEC3. [RT #20587]
 2009-11-06 08:38:56 +00:00
Mark Andrews
052e7083ac correct bind9.xsl.h dependancy 2009-11-05 02:59:04 +00:00
Mark Andrews
9d856845d6 2744. [func] Log if a query was over TCP. [RT #19961] 2009-11-03 04:39:41 +00:00
Evan Hunt
95f2377b4f 2739. [cleanup] Clean up API for initializing and clearing trust 
anchors for a view. [RT #20211]
 2009-10-27 22:46:13 +00:00
Evan Hunt
312a00fb75 add named-symtbl.c to .cvsignore 2009-10-27 06:06:46 +00:00
Mark Andrews
9e9e7112f9 2737. [func] UPDATE requests can leak existance information. 
[RT #17261]
 2009-10-27 05:42:25 +00:00
Automatic Updater
5f744ebbdc update copyright notice 2009-10-26 23:47:35 +00:00
Evan Hunt
c8aa7ce70d 2732. [func] Add optional filter-aaaa-on-v4 option, available 
if built with './configure --enable-filter-aaaa'.
			Filters out AAAA answers to clients connecting
			via IPv4.  (This is NOT recommended for general
			use.) [RT #20339]
 2009-10-26 23:14:54 +00:00
Mark Andrews
c07236a635 2729. [func] When constructing a CNAME from a DNAME use the DNAME 
TTL. [RT #20451]
 2009-10-24 04:38:19 +00:00
Automatic Updater
510032fdf4 update copyright notice 2009-10-22 23:48:07 +00:00
Evan Hunt
f10a8fa034 2727. [func] The 'key-directory' option can now specify a relative 
path. [RT #20154]
 2009-10-22 03:43:16 +00:00
Mark Andrews
d2a8d00228 2724. [bug] Updates to a existing node in secure zone using NSEC 
were failing. [RT #20448]
 2009-10-22 01:55:55 +00:00
Mark Andrews
859cfb24bf silence compiler warnings. [RT #20412] 2009-10-20 03:30:07 +00:00
Mark Andrews
06e7340198 2719. [func] Skip trusted/managed keys for unsupported algorithms. 
[RT #20392]
 2009-10-20 03:15:06 +00:00
Automatic Updater
d060d8669f regen 2009-10-16 04:20:49 +00:00
Evan Hunt
8f7de3db7e Respinning to fix memory leak in dnssec-signzone. (Also adopting doc changes.) 2009-10-16 02:59:41 +00:00
Automatic Updater
97639003b0 update copyright notice 2009-10-12 23:48:02 +00:00
Evan Hunt
77b8f88f14 2712. [func] New 'auto-dnssec' zone option allows zone signing 
to be fully automated in zones configured for
			dynamic DNS.  'auto-dnssec allow;' permits a zone
			to be signed by creating keys for it in the
			key-directory and using 'rndc sign <zone>'.
			'auto-dnssec maintain;' allows that too, plus it
			also keeps the zone's DNSSEC keys up to date
			according to their timing metadata. [RT #19943]
 2009-10-12 20:48:12 +00:00
Automatic Updater
8de0d8a690 regen 2009-10-11 01:14:49 +00:00
Automatic Updater
8667770ad2 update copyright notice 2009-10-10 23:47:58 +00:00
Evan Hunt
3727725bb7 2710. [func] New 'dnssec-signzone -x' flag and 'dnskey-ksk-only' 
zone option cause a zone to be signed with only KSKs
			signing the DNSKEY RRset, not ZSKs.  This reduces
			the size of a DNSKEY answer.  [RT #20340]
 2009-10-10 01:48:00 +00:00
Automatic Updater
b05106c7e6 regen 2009-10-09 01:14:47 +00:00
Automatic Updater
15bbb8a129 update copyright notice 2009-10-08 23:48:10 +00:00
Mark Andrews
2847930722 2708. [func] Insecure to secure and NSEC3 parameter changes via 
update are now fully supported and no longer require
                        defines to enable.  We now no longer overload the
                        NSEC3PARAM flag field, nor the NSEC OPT bit at the
                        apex.  Secure to insecure changes are controlled by
                        by the named.conf option 'secure-to-insecure'.

                        Warning: If you had previously enabled support by
                        adding defines at compile time to BIND 9.6 you should
                        ensure that all changes that are in progress have
                        completed prior to upgrading to BIND 9.7.  BIND 9.7
                        is not backwards compatible.
 2009-10-08 23:13:07 +00:00