Automatic Updater
5fec28507a
update copyright notice
2012-02-15 21:19:59 +00:00
Mark Andrews
6d386978b3
3285. [bug] val-frdataset was incorrectly disassociated in
proveunsecure after calling startfinddlvsep.
[RT #27928]
2012-02-15 20:59:40 +00:00
Evan Hunt
25845da41a
3203. [bug] Increase log level to 'info' for validation failures
from expired or not-yet-valid RRSIGs. [RT #21796]
2011-11-04 05:36:28 +00:00
Automatic Updater
dfc015bc7e
update copyright notice
2011-10-20 23:46:51 +00:00
Mark Andrews
ada40193c8
3175. [bug] Fix how DNSSEC positive wildcard responses from a
NSEC3 signed zone are validated. Stop sending an
unnecessary NSEC3 record when generating such
responses. [RT #26200]
2011-10-20 21:42:11 +00:00
Mark Andrews
020c4484fe
3173. [port] Correctly validate root DS responses. [RT #25726]
2011-10-15 05:00:15 +00:00
Evan Hunt
6de9744cf9
3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets. [RT #24777]
3123. [security] Change #2912 exposed a latent flaw in
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777]
2011-06-08 22:13:51 +00:00
Mark Andrews
ea82782532
3120. [bug] Named could fail to validate zones listed in a DLV
that validated insecure without using DLV and had
DS records in the parent zone. [RT #24631]
2011-05-26 04:35:02 +00:00
Mark Andrews
0874abad14
3069. [cleanup] Silence warning messages from clang static analysis.
[RT #20256]
2011-03-11 06:11:27 +00:00
Automatic Updater
c8175ece69
update copyright notice
2011-03-01 23:48:07 +00:00
Scott Mann
d31740ce28
Fixed DNSKEY NODATA responses not cached (RT #22908).
2011-03-01 14:40:39 +00:00
Francis Dupont
664917beda
Use RRSIG original TTL in validated RRset TTL [RT #23332]
2011-02-28 14:21:35 +00:00
Mark Andrews
4b45a8fc5a
handle cname response
2011-02-21 23:37:31 +00:00
Mark Andrews
37dee1ff94
2999. [func] Add GOST support (RFC 5933). [RT #20639]
2010-12-23 04:08:00 +00:00
Mark Andrews
a27b3757fd
2968. [security] Named could fail to prove a data set was insecure
before marking it as insecure. One set of conditions
that can trigger this occurs naturally when rolling
DNSKEY algorithms. [RT #22309]
2010-11-16 01:14:51 +00:00
Mark Andrews
810656a187
2925. [bug] Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555]
2010-06-25 23:50:13 +00:00
Mark Andrews
e27d55e3ee
2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
an unintended outcome from change 2890. [RT# 21392]
2010-05-26 06:28:00 +00:00
Automatic Updater
515c7f3c43
update copyright notice
2010-05-14 23:50:40 +00:00
Mark Andrews
44f175a90a
2892. [bug] Handle REVOKED keys better. [RT #20961]
2010-05-14 04:38:52 +00:00
Mark Andrews
b335299322
2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]
2010-05-14 00:13:43 +00:00
Mark Andrews
fd95cc0da9
2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138]
2010-04-21 05:45:47 +00:00
Mark Andrews
bb6d33103e
2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]
2010-04-21 04:16:49 +00:00
Mark Andrews
b8d036c434
2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
[RT #20877]
2010-03-26 17:12:48 +00:00
Automatic Updater
4d42b714be
update copyright notice
2010-03-04 23:50:34 +00:00
Mark Andrews
22c4126ba5
2958. [bug] When canceling validation it was possible to leak
memory. [RT #20800]
2010-03-04 22:25:31 +00:00
Automatic Updater
bd2b08d5a3
update copyright notice
2010-02-25 05:08:01 +00:00
Mark Andrews
0cae66577c
2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]
2010-02-25 04:39:13 +00:00
Evan Hunt
9ead684875
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2009-12-30 06:46:58 +00:00
Mark Andrews
a39a5f4d81
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
it validates as secure. [RT #20438]
2009-11-17 23:55:18 +00:00
Evan Hunt
7048af0a55
2769. [cleanup] Change #2742 was incomplete. [RT #19589]
2009-11-16 07:56:06 +00:00
Evan Hunt
be69d48443
2742. [cleanup] Clarify some DNSSEC-related log messages in
validator.c. [RT #19589]
2009-10-28 05:34:21 +00:00
Evan Hunt
95f2377b4f
2739. [cleanup] Clean up API for initializing and clearing trust
anchors for a view. [RT #20211]
2009-10-27 22:46:13 +00:00
Evan Hunt
cfb1587eb9
2619. [func] Add support for RFC 5011, automatic trust anchor
maintenance. The new "managed-keys" statement can
be used in place of "trusted-keys" for zones which
support this protocol. (Note: this syntax is
expected to change prior to 9.7.0 final.) [RT #19248]
2009-06-30 02:53:46 +00:00
Mark Andrews
afbe695de3
"got insecure response; parent indicates it should be secure" wrongly emitted [RT #19800]
2009-06-09 22:57:09 +00:00
Automatic Updater
54cdd2b307
update copyright notice
2009-05-07 23:47:44 +00:00
Francis Dupont
ff380b05fe
comment fixes (rt19624)
2009-05-07 09:41:23 +00:00
Mark Andrews
e7eede965d
2597. [bug] Handle a validation failure with an insecure delegation
from a NSEC3 signed master/slave zone. [RT #19464]
2009-05-07 02:34:19 +00:00
Evan Hunt
6b9728dde7
ARM and log message changes to clarify "insecure response". [rt19400]
2009-03-23 22:30:57 +00:00
Automatic Updater
8e3d340655
update copyright notice
2009-03-17 23:48:02 +00:00
Mark Andrews
72dbc7216a
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
2009-03-17 01:34:28 +00:00
Evan Hunt
bfe0517fdc
Clarify logged message when an insecure DNSSEC response arrives from a zone
thought to be secure: "insecurity proof failed" instead of "not insecure".
[RT #19400]
2009-03-01 02:45:38 +00:00
Mark Andrews
7d211b458f
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297]
2009-02-15 23:46:23 +00:00
Mark Andrews
d2ef5b3c5c
2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291]
2009-02-15 23:37:29 +00:00
Francis Dupont
708383382f
spelling
2009-01-17 15:12:26 +00:00
Automatic Updater
5569e7de51
update copyright notice
2009-01-05 23:47:54 +00:00
Tatuya JINMEI 神明達哉
3fb1637c92
trivial comment cleanups (RT#19118)
2009-01-05 23:20:22 +00:00
Automatic Updater
49960a74b5
update copyright notice
2008-11-14 23:47:33 +00:00
Mark Andrews
50df1ec60a
2495. [bug] Tighten RRSIG checks. [RT #18795]
2008-11-14 22:53:46 +00:00
Mark Andrews
6098d364b6
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
Mark Andrews
1bfe8851c0
2421. [bug] Handle the special return value of an empty node as
if it was a NXRRSET in the validator. [RT #18447]
2008-08-21 04:43:49 +00:00
Evan Hunt
e4d304b70b
Fix build error: parameter type was changed in the prototype but not in
the function header.
2008-02-19 17:07:55 +00:00
Mark Andrews
664e11f0b1
2238. [bug] check_ds() could be called with a non DS rdataset.
[RT #17598]
2008-02-18 23:06:54 +00:00
Automatic Updater
2f012d936b
update copyright notice
2008-01-18 23:46:58 +00:00
Automatic Updater
9d5ed744c4
update copyright notice
2008-01-14 23:46:56 +00:00
Mark Andrews
f1263d2aa4
2304. [bug] Check returns from all dns_rdata_tostruct() calls.
[RT #17460]
2008-01-14 23:24:24 +00:00
Mark Andrews
8bedd9647f
2245. [bug] Validating lack of DS records at trust anchors wasn't
working. [RT #17151]
2007-09-19 03:38:56 +00:00
Mark Andrews
e2c3f8059e
2238. [bug] It was possible to trigger a REQUIRE when a
validation was cancelled. [RT #17106]
2007-09-14 05:43:05 +00:00
Mark Andrews
3eab85ca54
2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
[RT #16976]
2007-08-27 04:36:54 +00:00
Automatic Updater
ec5347e2c7
update copyright notice
2007-06-18 23:47:57 +00:00
Mark Andrews
a05f23d07e
2171. [bug] Handle breaks in DNSSEC trust chains where the parent
servers are not DS aware (DS queries to the parent
return a referral to the child).
2007-04-27 06:13:29 +00:00
Mark Andrews
394f4aec21
2145. [bug] Check DS/DLV digest lengths for known digests.
[RT #16622]
2007-02-26 01:20:44 +00:00
Mark Andrews
f36c85c3ce
update copyright notice
2007-01-08 02:45:04 +00:00
Mark Andrews
3052274767
2126. [bug] Serialise validation of type ANY responses. [RT #16555]
2007-01-08 01:13:38 +00:00
Mark Andrews
29747dfe5e
2123. [func] Use Doxygen to generate internal documentation.
[RT #11398]
2006-12-22 01:46:19 +00:00
Mark Andrews
1ea2595e1b
2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
which could lead to validation failures. named didn't
handle negative DS responses that were in the process
of being validated. Check CNAME bit before accepting
NODATA proof. To be able to ignore a child NSEC there
must be SOA (and NS) set in the bitmap. [RT #16399]
2006-12-07 06:47:36 +00:00
Mark Andrews
cc7d91bd5c
2061. [bug] Accept expired wildcard message reversed. [RT #16296]
2006-07-24 22:41:59 +00:00
Mark Andrews
d2ef84e07b
2008. [func] It is now possible to enable/disable DNSSEC
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]
rndc validation newstate [view]
2006-03-09 23:39:00 +00:00
Mark Andrews
95b484c958
fix minor typos
2006-02-26 22:57:18 +00:00
Mark Andrews
fcbc5d2353
post merge problem
2006-02-22 01:55:10 +00:00
Mark Andrews
c5387e6942
1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
2006-02-21 23:49:51 +00:00
Mark Andrews
acb4f52369
update copyright notice
2006-01-04 23:50:24 +00:00
Mark Andrews
fabf2ee6b0
1947. [func] It is now possible to configure named to accept
expired RRSIGs. Default "dnssec-accept-expired no;".
Setting "dnssec-accept-expired yes;" leaves named
vulnerable to replay attacks. [RT #14685]
2006-01-04 02:35:49 +00:00
Mark Andrews
cf224bbf7b
1942. [bug] If the name of a DNSKEY matches that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parent's DS RRset. [RT #15649]
2005-12-04 23:54:01 +00:00
Mark Andrews
470c726bc8
silence dereferencing type-punned pointer will break strict-aliasing rules warning
2005-11-30 05:01:34 +00:00
Mark Andrews
2674e1a455
1940. [bug] Fixed a number of error conditions reported by
Coverity.
2005-11-30 03:33:49 +00:00
Mark Andrews
60ab03125c
1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out.
[RT #15528]
1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528]
2005-11-03 00:51:55 +00:00
Mark Andrews
7d116211ec
1936. [bug] The validator could leak memory. [RT #5544]
2005-11-02 01:46:31 +00:00
Mark Andrews
216030f284
1930. [port] HPUX: ia64 support. [RT #15473]
1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
2005-10-14 01:18:47 +00:00
Mark Andrews
676619a22f
win32 fixes
2005-09-05 02:54:38 +00:00
Mark Andrews
5be3685b0e
1919. [bug] dig's +sigchase code overhauled. [RT #14933]
1918. [bug] The DLV code has been re-worked to make it no longer
query order sensitive. [RT #14933]
2005-08-25 00:56:08 +00:00
Mark Andrews
116e6b4257
1867. [bug] It was possible to trigger an INSIST in
dlv_validatezonekey(). [RT #14846]
2005-06-07 00:39:05 +00:00
Mark Andrews
9840a0767d
1853. [bug] Rework how DLV interacts with proveunsecure().
[RT #13605]
2005-05-06 01:59:38 +00:00
Rob Austein
ab023a6556
1851. [doc] Doxygen comment markup. [RT #11398]
2005-04-27 04:57:32 +00:00
Mark Andrews
c941e32d22
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]
2005-03-04 03:53:22 +00:00
Mark Andrews
2d7fc01cb3
update copyright notice
2005-02-09 05:19:30 +00:00
Mark Andrews
0ad024cc42
1806. [bug] The resolver returned the wrong result when a CNAME /
DNAME was encountered when fetching glue from a
secure namespace. [RT #13501]
1805. [bug] Pending status was not being cleared when DLV was
active. [RT #13501]
2005-02-08 23:51:32 +00:00
Mark Andrews
4e259c5a23
1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
rdataset. [RT #12907]
2004-11-17 23:52:31 +00:00
Mark Andrews
cc3aafe737
1659. [cleanup] Cleanup some messages that were referring to KEY vs
DNSKEY, NXT vs NSEC and SIG vs RRSIG.
1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
and DH. Tighten which options apply to KEY and
DNSKEY records.
2004-06-11 01:12:40 +00:00
Mark Andrews
6fac7ff1f9
1606. [bug] DLV insecurity proof was failing.
1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
2004-05-14 04:45:58 +00:00
Mark Andrews
8d414d1559
1600. [bug] Duplicate zone pre-load checks were not case
insensitive.
1599. [bug] Fix memory leak on error path when checking named.conf.
1598. [func] Specify that certain parts of the namespace must
be secure (dnssec-must-be-secure).
2004-04-15 23:40:27 +00:00
Mark Andrews
42b48d11ca
hide ((isc_event_t **) (void *)) cast using a macro, ISC_EVENT_PTR.
2004-04-15 01:58:25 +00:00
Mark Andrews
50105afc55
1589. [func] DNSSEC lookaside validation.
enable-dnssec -> dnssec-enable
2004-03-10 02:19:58 +00:00
Mark Andrews
dafcb997e3
update copyright notice
2004-03-05 05:14:21 +00:00
Mark Andrews
daa73eae70
silence punned messages
2004-02-03 00:59:05 +00:00
Mark Andrews
519b239fc4
#include <isc/string.h>
2004-01-20 14:19:42 +00:00
Mark Andrews
35541328a8
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
child zones for which we don't have a supported
algorithm. Such child zones are treated as unsigned.
1557. [func] Implement missing DNSSEC tests for
* NOQNAME proof with wildcard answers.
* NOWILDARD proof with NXDOMAIN.
Cache and return NOQNAME with wildcard answers.
2004-01-14 02:06:51 +00:00
Tatuya JINMEI 神明達哉
e407562a75
1528. [cleanup] Simplify some dns_name_ functions based on the
deprecation of bitstring labels.
2003-10-25 00:31:12 +00:00
Mark Andrews
93d6dfaf66
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
Mark Andrews
8b5de97014
1448. [bug] Handle empty wildcards labels.
developer: marka
reviewer: explorer
2003-02-27 00:19:04 +00:00
Mark Andrews
421e4cf66e
1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
[RT #4715]
developer: marka
reviewer: explorer
2003-01-18 03:18:31 +00:00
Mark Andrews
638fe804a5
1255. [bug] When performing a nonexistence proof, the validator
should discard parent NXTs from higher in the DNS.
2002-07-22 03:00:49 +00:00
Mark Andrews
ff30cdeb78
The validator didn't handle missing DS records correctly.
2002-07-19 03:29:15 +00:00
Mark Andrews
86f6b92e35
1248. [bug] The validator could incorrectly verify an invalid
negative proof.
When checking the range of the nxt record, the code needs to handle
the case where the 'next name' field points to the origin. The way
that the origin was determined was looking at the 'signer' field
of the first SIG NXT, since NXTs are signed by the zone key. This
doesn't work, because the first SIG could have been spoofed. It
now defers checking the nxt range until both the SOA and NXT have
been verified, and uses the owner of the SOA name as the origin.
bwelling
2002-07-15 03:25:28 +00:00
Mark Andrews
25276bd1ec
1247. [bug] The validator would incorrectly mark data as insecure
when seeing a bogus signature before a correct
signature.
2002-07-15 02:57:14 +00:00
Mark Andrews
b0d31c78bc
uninitialised variable
2002-06-19 04:15:12 +00:00
Mark Andrews
0b09763c35
1328. [func] DS (delegation signer) support.
2002-06-17 04:01:37 +00:00
Mark Andrews
c99d9017ba
1275. [bug] When verifying that an NXT proves nonexistence, check
the rcode of the message and only do the matching NXT
check. That is, for NXDOMAIN responses, check that
the name is in the range between the NXT owner and
next name, and for NOERROR NODATA responses, check
that the type is not present in the NXT bitmap.
2002-04-29 23:50:26 +00:00
Mark Andrews
a7038d1a05
copyrights
2002-02-20 03:35:59 +00:00
Brian Wellington
60e9e70654
1024 -> DNS_NAME_FORMATSIZE
2002-02-05 21:41:31 +00:00
Brian Wellington
47db0efda1
spacing
2002-02-05 20:02:47 +00:00
Brian Wellington
8839b6acbf
clean up the shutdown "logic".
2002-02-05 19:46:30 +00:00
Brian Wellington
32dd66cc5e
spacing
2002-02-05 07:54:08 +00:00
Brian Wellington
18b7133679
more minor cleanups
2002-02-01 20:18:33 +00:00
Brian Wellington
23e4260821
minor cleanup
2002-02-01 20:08:56 +00:00
Andreas Gustafsson
1f1d36a87b
Check return values or cast them to (void), as required by the coding
standards; add exceptions to the coding standards for cases where this is
not desirable
2001-11-30 01:59:49 +00:00
Andreas Gustafsson
f3ca27e9fe
sizeof style
2001-11-12 19:05:39 +00:00
Andreas Gustafsson
01446841be
1006. [bug] If a KEY RR was found missing during DNSSEC validation,
an assertion failure could subsequently be triggered
in the resolver. [RT #1763]
2001-09-19 21:25:46 +00:00
Andreas Gustafsson
34aa790937
reverted 994.
2001-09-14 20:53:33 +00:00
Mark Andrews
56d69016f4
994. [bug] If the unsecure proof fails for unsigned NS records
attempt a secure proof using the NS records found as
glue to find the NS records from the zone's servers
along with associated glue rather than from parent
servers. [RT #1706]
2001-09-13 07:23:39 +00:00
Andreas Gustafsson
76c8294c81
format string bugs and improved format string checking [RT #1578]
2001-08-08 22:54:55 +00:00
David Lawrence
92ef1a9b9d
use ISC_MAGIC for all magic numbers, for our friends in EBCDIC land
2001-06-04 19:33:39 +00:00
Brian Wellington
26e5029fd5
Added a cast. [RT #899]
2001-02-21 19:57:38 +00:00
Brian Wellington
499b34cea0
copyright update
2001-01-09 22:01:04 +00:00
Brian Wellington
78838d3e0c
8 space -> tab conversion
2000-12-11 19:24:30 +00:00
Brian Wellington
c70908209e
replace some INSISTs that theoretically could occur with normal failures
2000-12-05 18:53:43 +00:00
Brian Wellington
f439363eeb
minor code simplification
2000-11-08 00:51:24 +00:00
Mark Andrews
368b37b616
dns_rdata_invalidate -> dns_rdata_reset
2000-10-31 03:22:05 +00:00
Mark Andrews
c03bb27f06
532. [func] Implement DNS UPDATE pseudo records using
DNS_RDATA_UPDATE flag.
531. [func] Rdata really should be initialized before being
assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(),
dns_rdata_clone(), dns_rdata_fromregion()),
check that it is.
2000-10-25 04:26:57 +00:00
Brian Wellington
d1cbf71409
clean up suspicious looking and incorrect uses of dns_name_fromregion
2000-10-07 00:09:28 +00:00
Brian Wellington
a9ba7e6564
Allow a keyset to be self-signed if the signing key is a trusted-key.
2000-09-12 12:01:50 +00:00
Brian Wellington
d6be55c63f
comment the infinite loop fix
2000-09-12 10:21:45 +00:00
Brian Wellington
5c29047792
minor dst api change
2000-09-12 09:59:28 +00:00
Brian Wellington
c38cf70db1
Fix an assertion failure and a case where an rdataset's trust wasn't set.
2000-09-08 14:18:17 +00:00
Brian Wellington
32b2cdf212
427. [bug] Avoid going into an infinite loop when the validator
gets a negative response to a key query where the
records are signed by the missing key.
2000-09-07 19:46:52 +00:00
Brian Wellington
5e387b9ce6
and more calls to DESTROYLOCK
2000-08-26 01:37:00 +00:00
Brian Wellington
6f071989da
cancellation fixes
2000-08-15 01:22:33 +00:00
Brian Wellington
2a123ac026
remove unused variable
2000-08-15 00:52:49 +00:00
Brian Wellington
9cd6710f91
validators can now be cancelled.
2000-08-15 00:21:05 +00:00
Andreas Gustafsson
ef97e09e20
make the validator attach to the view only weakly, so that
the view can start shutting down even though a validation is in progress.
2000-08-14 22:17:40 +00:00
David Lawrence
40f53fa8d9
Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl" in your
own CVS tree will help minimize CVS conflicts. Maybe not.
Blame Graff for getting me to trim all trailing whitespace.
2000-08-01 01:33:37 +00:00
Brian Wellington
f15af68028
negative responses to cd queries should work now.
2000-07-27 18:42:08 +00:00
David Lawrence
15a4474541
word wrap copyright notice at column 70
2000-07-27 09:55:03 +00:00
Brian Wellington
98d010a24a
If a negative insecurity proof succeeds, set all of the rdatasets in the
authority section of the message to non-pending, so that the response
has the ad bit set.
2000-07-27 01:26:15 +00:00
Brian Wellington
5b0413f993
Call isc_log_wouldlog to potentially avoid extra work in validator_log.
2000-07-26 00:50:02 +00:00
Brian Wellington
60783293cc
If a failed positive validation led us to try an insecurity proof, and the
insecurity proof also failed, the validator event should normally contain
the error from the positive validation.
2000-07-25 01:24:18 +00:00
Brian Wellington
6bc1a64561
If a positive validation fails and it looks like the reason is that there
are no material DNSSEC signatures, try an insecurity proof.
2000-07-13 23:52:04 +00:00
Brian Wellington
25496cebad
If trying to validate a key set that happens to be a security root, the
validation should only consist of checking that each key in the key set
is also in the list of security root keys.
Strangeness occurs when the key set is signed, since the key set is marked
as secure, but the sig set is not, since it wasn't used in the validation
process. This means that a query for a key set at a security root will
have the AD bit set if the key set is unsigned and not if the key set is signed.
2000-07-07 00:44:01 +00:00
David Lawrence
9c3531d72a
add RCS id string
2000-06-22 22:00:42 +00:00
Andreas Gustafsson
6036112f48
more detailed logging during insecurity proofs
2000-06-22 21:14:48 +00:00
Brian Wellington
77c67dfb26
Repeatedly querying for nonexistent data could lead to a crash.
2000-06-07 01:32:47 +00:00
Brian Wellington
e27021ee1f
Certain negative responses could crash the validator.
The insecurity proof code didn't check to see if the name was below a security
root.
2000-06-03 00:18:43 +00:00
Brian Wellington
75f6c57d95
When an rdataset is signed, its ttl is normalized based on the signature
validity period.
2000-05-31 22:01:39 +00:00
Brian Wellington
9a4a878733
removed debugging code
2000-05-26 22:03:47 +00:00
Brian Wellington
ca9af3aaf7
Lots of restructuring to make code easier to follow. Also a few bugs fixed,
and hopefully not too many new ones introduced.
2000-05-26 21:45:53 +00:00
Andreas Gustafsson
115635379a
style
2000-05-26 17:46:16 +00:00
Brian Wellington
a9bc95f22e
dst now stores the key name as a dns_name_t, not a char *.
2000-05-24 23:13:32 +00:00
David Lawrence
ed019cabc1
fixed lines > 79 columns wide
2000-05-24 05:10:00 +00:00
David Lawrence
1d198e8a6b
removed unused stack variable sigrdataset from authvalidated()
2000-05-24 02:47:15 +00:00
Brian Wellington
feb40fc5f9
keytag collision handling was broken and a memory leak existed in the error
handling code.
2000-05-22 21:17:05 +00:00
Brian Wellington
17a3fcecd0
Propagate errors out of the validator in all cases. This means that if there
are any problems in a validation, a SERVFAIL will be returned. This may not
be correct in all cases (and will be fixed), but it leaves the server in a
much more consistent state after failures.
2000-05-19 23:04:14 +00:00
Brian Wellington
e49c834de8
Replaced dns_keynode_next by the more correct dns_keytable_findnextkeynode
2000-05-19 20:25:55 +00:00
Andreas Gustafsson
e755d59880
validator.c failed to compile on many platforms because
a label was not followed by a statement. Added a null statement.
2000-05-19 18:48:27 +00:00
Brian Wellington
ba393f380e
better keytag collision handling with trusted keys
2000-05-19 18:39:49 +00:00
Brian Wellington
187604c1ad
accidentally removed an assignment to NULL before; added a note to look
back at keytag collisions later
2000-05-19 01:23:12 +00:00
Brian Wellington
c50936eb40
changed dst_key_free() prototype, misc. dst cleanup
2000-05-19 00:20:59 +00:00
Brian Wellington
d6643ef587
snapshot - support for keytag collision, better support for signed subdomains
of insecure domains.
2000-05-18 23:22:14 +00:00
Brian Wellington
aa863b2d1e
insecurity proof wasn't correctly setting the rdataset trust level;
added more debug output
2000-05-18 18:29:29 +00:00
Brian Wellington
5c61176885
insecurity proof for negative responses
2000-05-18 02:02:05 +00:00
Brian Wellington
94766449d6
restructuring snapshot
2000-05-17 18:24:59 +00:00
David Lawrence
0013c93bc4
"validator.c", line 343: remark(1552): variable "rdataset" was set but never
used
Removed rdataset from function.
2000-05-14 02:33:29 +00:00
Andreas Gustafsson
e1f16346db
validator must not indicate a validation failure by returning
ISC_R_NOTFOUND as that seriously confuses query_find(). Introduced new
result codes DNS_R_NOVALIDSIG and DNS_R_NOVALIDNXT to use instead.
2000-05-12 21:25:17 +00:00
Andreas Gustafsson
78951552dc
removed support for trusted keys other than security
roots; check that key name is appropriate even if it is a security
root; added/clarified log messages
2000-05-12 17:41:30 +00:00
Andreas Gustafsson
3ce4b8b03e
added a comment
2000-05-11 22:58:17 +00:00
David Lawrence
1a69a1a78c
Megacommit of dozens of files.
Cleanup of redundant/useless header file inclusion.
ISC style lint, primarily for function declarations and standalone
comments -- ie, those that appear on a line without any code, which
should be written as follows:
/*
* This is a comment.
*/
2000-05-08 14:38:29 +00:00
Andreas Gustafsson
59e9979330
REQUIRE(type != 0)
2000-05-05 00:18:36 +00:00
Andreas Gustafsson
c37a906752
more logging
2000-05-03 23:58:35 +00:00
David Lawrence
09f22ac5b0
Redundant header work, mostly removing <dns/result.h> from installed
headers and adding it to source files that need it.
2000-05-02 03:54:17 +00:00
Brian Wellington
48e27f529d
Conform to the dns_dnssec_verify api change and fix an nxt processing crash
2000-04-27 18:14:11 +00:00
Andreas Gustafsson
fa04a194fb
return value from dns_rdataset_first() was ignored;
added more comments and logging to nxtvalidate()
2000-04-27 00:15:16 +00:00
David Lawrence
6e49e91bd0
103. [func] libisc buffer API changes for <isc/buffer.h>:
Added:
isc_buffer_base(b) (pointer)
isc_buffer_current(b) (pointer)
isc_buffer_active(b) (pointer)
isc_buffer_used(b) (pointer)
isc_buffer_length(b) (int)
isc_buffer_usedlength(b) (int)
isc_buffer_consumedlength(b) (int)
isc_buffer_remaininglength(b) (int)
isc_buffer_activelength(b) (int)
isc_buffer_availablelength(b) (int)
Removed:
ISC_BUFFER_USEDCOUNT(b)
ISC_BUFFER_AVAILABLECOUNT(b)
isc_buffer_type(b)
Changed names:
isc_buffer_used(b, r) ->
isc_buffer_usedregion(b, r)
isc_buffer_available(b, r) ->
isc_buffer_available_region(b, r)
isc_buffer_consumed(b, r) ->
isc_buffer_consumedregion(b, r)
isc_buffer_active(b, r) ->
isc_buffer_activeregion(b, r)
isc_buffer_remaining(b, r) ->
isc_buffer_remainingregion(b, r)
Buffer types were removed, so the ISC_BUFFERTYPE_*
macros are no more, and the type argument to
isc_buffer_init and isc_buffer_allocate were removed.
isc_buffer_putstr is now void (instead of isc_result_t)
and requires that the caller ensure that there
is enough available buffer space for the string.
2000-04-27 00:03:12 +00:00
Andreas Gustafsson
8db70f36be
isc_buffer_putstr() will soon return void
2000-04-26 18:24:15 +00:00
David Lawrence
e1a5f4cd31
Shut up compiler about sigrdataset possibly being used before set in
nxtvalidate(). The warning is bogus.
2000-04-25 19:57:47 +00:00
Brian Wellington
ec371edc34
Add 'type' as a parameter to dns_validator_create()
2000-04-20 20:43:52 +00:00
Andreas Gustafsson
264fd373f3
added log message about not finding relevant NXTs;
added REQUIREs to enforce prerequisites as documented in validator.h;
added cancelation cleanup code
2000-04-20 18:03:12 +00:00
Brian Wellington
48ed268b33
snapshot - downward chaining support is much more complete, but still won't
work until the server returns the child's null key from the parent.
2000-04-19 18:08:27 +00:00
Andreas Gustafsson
d325d53d03
declare static function proveunsecure() before use;
eliminate compiler warning
2000-04-18 18:17:49 +00:00
Brian Wellington
613efcd8fb
snapshot - includes (untested) code to find unsecured subdomains, which
won't work until the server returns keys/nxts from the parent zones.
Also some style fixes.
2000-04-18 17:50:38 +00:00
Michael Graff
e44487bfc2
convert sender, arg, action, etc. to ev_sender, ev_arg, ev_action, etc.
2000-04-17 19:22:44 +00:00
Brian Wellington
fe5ba8ddb5
memory leak cleanup, error if multiple nxts are present in negative answer
2000-04-14 16:00:33 +00:00
Brian Wellington
777ac454c0
Fixed locking problems in event handlers. Reordered NXT processing to
do range checks before verify, since it's faster.
2000-04-14 02:30:12 +00:00
Brian Wellington
e83cae7fa8
snapshot - partial support for negative answer verification and a couple bug
fixes.
2000-04-13 18:10:07 +00:00
Bob Halley
fca5f81ad6
using snprintf or vsnprintf requires isc/print.h
2000-04-12 19:07:12 +00:00
Brian Wellington
63bf060be4
dst_key_iszonekey() checks that the key's protocol is DNSSEC or ANY.
Remove this check from the validator, and remove more redundant constants
from dst.h
2000-04-12 15:52:12 +00:00
Andreas Gustafsson
ecfe4a3490
validator_log() logged garbage after RR type
2000-04-11 22:17:49 +00:00
Brian Wellington
538fea1c91
Added back some code lost by the logging patch, made the keyvalidated event
handler actually work in the easy case.
2000-04-11 20:59:37 +00:00
Andreas Gustafsson
1b1e1fda46
logging
2000-04-11 20:35:37 +00:00
Brian Wellington
e7a8dfd296
If we mark an rdataset as secure, also mark the sigrdataset as secure.
2000-04-11 17:12:31 +00:00
Brian Wellington
3676eeb6ca
snapshot. Includes creating a new validator to validate pending KEYs.
2000-04-07 21:44:47 +00:00
Brian Wellington
b5debbe212
snapshot. Sends a fetch when a KEY isn't present and would partially handle
a successful response if it got one. Starts the validator with an
event to avoid deadlock in the resolver.
2000-04-07 17:36:40 +00:00
Andreas Gustafsson
93c786e092
cleared up some DNS_R_CONTINUE/DNS_R_WAIT confusion;
commented get_dst_key()
2000-04-06 23:09:01 +00:00