upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-21 06:09:13 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
30021 commits 18 branches 854 tags 440 MiB
Commit graph

271 commits

Author SHA1 Message Date
Mark Andrews
8462dfb880 3443. [bug] The NOQNAME proof was not being returned from cached 
insecure responses. [RT #21409]
 2012-12-19 09:55:02 +11:00
Mark Andrews
39bfdc2ff9 3419. [bug] Memory leak on validation cancel. [RT #31869] 
Squashed commit of the following:

commit 452b07ec7cb31784d90d9c2e45ca708df306302e
Author: Mark Andrews <marka@isc.org>
Date:   Wed Nov 14 23:36:36 2012 +1100

    destroy fetch when canceling validator
 2012-11-15 11:16:28 +11:00
Mark Andrews
d8fc410cf8 Redo 
3415.   [bug]           named could die with a REQUIRE failure if a valdation
                        was canceled. [RT #31804]
 2012-11-14 07:41:32 +11:00
Mark Andrews
1a09fefa59 3415. [bug] named could die with a REQUIRE failure id a valdation 
was canceled. [RT #31804]

Squashed commit of the following:

commit d414d3cb4244daeca4159ac1f8a82322e4a20e5a
Author: Mark Andrews <marka@isc.org>
Date:   Wed Nov 7 14:19:28 2012 +1100

    check that val->fetch != NULL before calling dns_resolver_destroyfetch
 2012-11-09 09:09:52 +11:00
Evan Hunt
47c5b8af92 [master] silence coverity warnings 
3401.	[bug]		Addressed Coverity warnings. [RT #31484]
 2012-10-23 22:04:06 -07:00
Mark Andrews
dbf693fdfd 3391. [bug] DNSKEY that encountered a CNAME failed. [RT #31262] 2012-10-06 14:56:33 +10:00
Evan Hunt
41bbb34bc2 fix coverity issues 
3388.	[bug]		Fixed several Coverity warnings. [RT #30996]
 2012-10-02 23:44:03 -07:00
Mark Andrews
058e44186b 3387. [func] Support for a DS digest can be disabled at 
runtime with disable-ds-digests. [RT #21581]
 2012-10-03 12:38:43 +10:00
ckb
e7857b5ee0 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are 
approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]
 2012-07-25 17:06:34 -05:00
Mark Andrews
7865ea9545 3339. [func] Allow the maximum supported rsa exponent size to be specified: "max-rsa-exponent-size <value>;" [RT #29228] 2012-06-14 15:44:20 +10:00
Mark Andrews
28a8f5b0de set $Id$ 2012-03-08 00:21:15 +11:00
Automatic Updater
5fec28507a update copyright notice 2012-02-15 21:19:59 +00:00
Mark Andrews
6d386978b3 3285. [bug] val-frdataset was incorrectly disassociated in 
proveunsecure after calling startfinddlvsep.
                        [RT #27928]
 2012-02-15 20:59:40 +00:00
Evan Hunt
25845da41a 3203. [bug] Increase log level to 'info' for validation failures 
from expired or not-yet-valid RRSIGs. [RT #21796]
 2011-11-04 05:36:28 +00:00
Automatic Updater
dfc015bc7e update copyright notice 2011-10-20 23:46:51 +00:00
Mark Andrews
ada40193c8 3175. [bug] Fix how DNSSEC positive wildcard responses from a 
NSEC3 signed zone are validated.  Stop sending a
                        unnecessary NSEC3 record when generating such
                        responses. [RT #26200]
 2011-10-20 21:42:11 +00:00
Mark Andrews
020c4484fe 3173. [port] Correctly validate root DS responses. [RT #25726] 2011-10-15 05:00:15 +00:00
Evan Hunt
6de9744cf9 3124. [bug] Use an rdataset attribute flag to indicate 
negative-cache records rather than using rrtype 0;
			this will prevent problems when that rrtype is
			used in actual DNS packets. [RT #24777]

3123.	[security]	Change #2912 exposed a latent flaw in
			dns_rdataset_totext() that could cause named to
			crash with an assertion failure. [RT #24777]
 2011-06-08 22:13:51 +00:00
Mark Andrews
ea82782532 3120. [bug] Named could fail to validate zones list in a DLV 
that validated insecure without using DLV and had
                        DS records in the parent zone. [RT #24631]
 2011-05-26 04:35:02 +00:00
Mark Andrews
0874abad14 3069. [cleanup] Silence warnings messages from clang static analysis. 
[RT #20256]
 2011-03-11 06:11:27 +00:00
Automatic Updater
c8175ece69 update copyright notice 2011-03-01 23:48:07 +00:00
Scott Mann
d31740ce28 Fixed DNSKEY NODATA responses not cached (RT #22908). 2011-03-01 14:40:39 +00:00
Francis Dupont
664917beda Use RRSIG original TTL in validated RRset TTL [RT #23332] 2011-02-28 14:21:35 +00:00
Mark Andrews
4b45a8fc5a handle cname response 2011-02-21 23:37:31 +00:00
Mark Andrews
37dee1ff94 2999. [func] Add GOST support (RFC 5933). [RT #20639] 2010-12-23 04:08:00 +00:00
Mark Andrews
a27b3757fd 2968. [security] Named could fail to prove a data set was insecure 
before marking it as insecure.  One set of conditions
                        that can trigger this occurs naturally when rolling
                        DNSKEY algorithms.  [RT #22309]
 2010-11-16 01:14:51 +00:00
Mark Andrews
810656a187 2925. [bug] Named failed to accept uncachable negative responses 
from insecure zones. [RT# 21555]
 2010-06-25 23:50:13 +00:00
Mark Andrews
e27d55e3ee 2904. [bug] When using DLV, sub-zones of the zones in the DLV, 
could be incorrectly marked as insecure instead of
                        secure leading to negative proofs failing.  This was
                        a unintended outcome from change 2890. [RT# 21392]
 2010-05-26 06:28:00 +00:00
Automatic Updater
515c7f3c43 update copyright notice 2010-05-14 23:50:40 +00:00
Mark Andrews
44f175a90a 2892. [bug] Handle REVOKED keys better. [RT #20961] 2010-05-14 04:38:52 +00:00
Mark Andrews
b335299322 2890. [bug] Handle the introduction of new trusted-keys and 
DS, DLV RRsets better. [RT #21097]
 2010-05-14 00:13:43 +00:00
Mark Andrews
fd95cc0da9 2877. [bug] The validator failed to skip obviously mismatching 
RRSIGs. [RT #21138]
 2010-04-21 05:45:47 +00:00
Mark Andrews
bb6d33103e 2876. [bug] Named could return SERVFAIL for negative responses 
from unsigned zones. [RT #21131]
 2010-04-21 04:16:49 +00:00
Mark Andrews
b8d036c434 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call. 
[RT #20877]
 2010-03-26 17:12:48 +00:00
Automatic Updater
4d42b714be update copyright notice 2010-03-04 23:50:34 +00:00
Mark Andrews
22c4126ba5 2958. [bug] When canceling validation it was possible to leak 
memory. [RT #20800]
 2010-03-04 22:25:31 +00:00
Automatic Updater
bd2b08d5a3 update copyright notice 2010-02-25 05:08:01 +00:00
Mark Andrews
0cae66577c 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] 2010-02-25 04:39:13 +00:00
Evan Hunt
9ead684875 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 2009-12-30 06:46:58 +00:00
Mark Andrews
a39a5f4d81 2772. [security] When validating, track whether pending data was from 
the additional section or not and only return it if
                        validates as secure. [RT #20438]
 2009-11-17 23:55:18 +00:00
Evan Hunt
7048af0a55 2769. [cleanup] Change #2742 was incomplete. [RT #19589] 2009-11-16 07:56:06 +00:00
Evan Hunt
be69d48443 2742. [cleanup] Clarify some DNSSEC-related log messages in 
validator.c. [RT #19589]
 2009-10-28 05:34:21 +00:00
Evan Hunt
95f2377b4f 2739. [cleanup] Clean up API for initializing and clearing trust 
anchors for a view. [RT #20211]
 2009-10-27 22:46:13 +00:00
Evan Hunt
cfb1587eb9 2619. [func] Add support for RFC 5011, automatic trust anchor 
maintenance.  The new "managed-keys" statement can
			be used in place of "trusted-keys" for zones which
			support this protocol.  (Note: this syntax is
			expected to change prior to 9.7.0 final.) [RT #19248]
 2009-06-30 02:53:46 +00:00
Mark Andrews
afbe695de3 "got insecure response; parent indicates it should be secure" wrongly emitted [RT #19800] 2009-06-09 22:57:09 +00:00
Automatic Updater
54cdd2b307 update copyright notice 2009-05-07 23:47:44 +00:00
Francis Dupont
ff380b05fe comment fixes (rt19624) 2009-05-07 09:41:23 +00:00
Mark Andrews
e7eede965d 2597. [bug] Handle a validation failure with a insecure delegation 
from a NSEC3 signed master/slave zone.  [RT #19464]
 2009-05-07 02:34:19 +00:00
Evan Hunt
6b9728dde7 ARM and log message changes to clarify "insecure response". [rt19400] 2009-03-23 22:30:57 +00:00
Automatic Updater
8e3d340655 update copyright notice 2009-03-17 23:48:02 +00:00
Mark Andrews
72dbc7216a 2579. [bug] DNSSEC lookaside validation failed to handle unknown 
algorithms. [RT #19479]
 2009-03-17 01:34:28 +00:00
Evan Hunt
bfe0517fdc Clarify logged message when an insecure DNSSEC response arrives from a zone 
thought to be secure: "insecurity proof failed" instead of "not insecure".
[RT #19400]
 2009-03-01 02:45:38 +00:00
Mark Andrews
7d211b458f 2554. [bug] Validation of uppercase queries from NSEC3 zones could 
fail. [RT #19297]
 2009-02-15 23:46:23 +00:00
Mark Andrews
d2ef5b3c5c 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291] 2009-02-15 23:37:29 +00:00
Francis Dupont
708383382f spelling 2009-01-17 15:12:26 +00:00
Automatic Updater
5569e7de51 update copyright notice 2009-01-05 23:47:54 +00:00
Tatuya JINMEI 神明達哉
3fb1637c92 trivial comment cleanups (RT#19118) 2009-01-05 23:20:22 +00:00
Automatic Updater
49960a74b5 update copyright notice 2008-11-14 23:47:33 +00:00
Mark Andrews
50df1ec60a 2495. [bug] Tighten RRSIG checks. [RT #18795] 2008-11-14 22:53:46 +00:00
Mark Andrews
6098d364b6 2448. [func] Add NSEC3 support. [RT #15452] 2008-09-24 02:46:23 +00:00
Mark Andrews
1bfe8851c0 2421. [bug] Handle the special return value of a empty node as 
if it was a NXRRSET in the validator. [RT #18447]
 2008-08-21 04:43:49 +00:00
Evan Hunt
e4d304b70b Fix build error: parameter type was changed in the prototype but not in 
the function header.
 2008-02-19 17:07:55 +00:00
Mark Andrews
664e11f0b1 2238. [bug] check_ds() could be called with a non DS rdataset. 
[RT #17598]
 2008-02-18 23:06:54 +00:00
Automatic Updater
2f012d936b update copyright notice 2008-01-18 23:46:58 +00:00
Automatic Updater
9d5ed744c4 update copyright notice 2008-01-14 23:46:56 +00:00
Mark Andrews
f1263d2aa4 2304. [bug] Check returns from all dns_rdata_tostruct() calls. 
[RT #17460]
 2008-01-14 23:24:24 +00:00
Mark Andrews
8bedd9647f 2245. [bug] Validating lack of DS records at trust anchors wasn't 
working. [RT #17151]
 2007-09-19 03:38:56 +00:00
Mark Andrews
e2c3f8059e 2238. [bug] It was possible to trigger a REQUIRE when a 
validation was cancelled. [RT #17106]
 2007-09-14 05:43:05 +00:00
Mark Andrews
3eab85ca54 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create(). 
[RT #16976]
 2007-08-27 04:36:54 +00:00
Automatic Updater
ec5347e2c7 update copyright notice 2007-06-18 23:47:57 +00:00
Mark Andrews
a05f23d07e 2171. [bug] Handle breaks in DNSSEC trust chains where the parent 
servers are not DS aware (DS queries to the parent
                        return a referral to the child).
 2007-04-27 06:13:29 +00:00
Mark Andrews
394f4aec21 2145. [bug] Check DS/DLV digest lengths for known digests. 
[RT #16622]
 2007-02-26 01:20:44 +00:00
Mark Andrews
f36c85c3ce update copyright notice 2007-01-08 02:45:04 +00:00
Mark Andrews
3052274767 2126. [bug] Serialise validation of type ANY responses. [RT #16555] 2007-01-08 01:13:38 +00:00
Mark Andrews
29747dfe5e 2123. [func] Use Doxygen to generate internal documention. 
[RT #11398]
 2006-12-22 01:46:19 +00:00
Mark Andrews
1ea2595e1b 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records 
which could lead to validation failures.  named didn't
                        handle negative DS responses that were in the process
                        of being validated.  Check CNAME bit before accepting
                        NODATA proof. To be able to ignore a child NSEC there
                        must be SOA (and NS) set in the bitmap. [RT #16399]
 2006-12-07 06:47:36 +00:00
Mark Andrews
cc7d91bd5c 2061. [bug] Accept expired wildcard message reversed. [RT #16296] 2006-07-24 22:41:59 +00:00
Mark Andrews
d2ef84e07b 2008. [func] It is now posssible to enable/disable DNSSEC 
validation from rndc.  This is useful for the
                        mobile hosts where the current connection point
                        breaks DNSSEC (firewall/proxy).  [RT #15592]

                                rndc validation newstate [view]
 2006-03-09 23:39:00 +00:00
Mark Andrews
95b484c958 fix minor typos 2006-02-26 22:57:18 +00:00
Mark Andrews
fcbc5d2353 post merge problem 2006-02-22 01:55:10 +00:00
Mark Andrews
c5387e6942 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] 2006-02-21 23:49:51 +00:00
Mark Andrews
acb4f52369 update copyright notice 2006-01-04 23:50:24 +00:00
Mark Andrews
fabf2ee6b0 1947. [func] It is now possible to configure named to accept 
expired RRSIGs.  Default "dnssec-accept-expired no;".
                        Setting "dnssec-accept-expired yes;" leaves named
                        vulnerable to replay attacks.  [RT #14685]
 2006-01-04 02:35:49 +00:00
Mark Andrews
cf224bbf7b 1942. [bug] If the name of a DNSKEY match that of one in 
trusted-keys do not attempt to validate the DNSKEY
                        using the parents DS RRset. [RT #15649]
 2005-12-04 23:54:01 +00:00
Mark Andrews
470c726bc8 silence dereferencing type-punned pointer will break strict-aliasing rules warning 2005-11-30 05:01:34 +00:00
Mark Andrews
2674e1a455 1940. [bug] Fixed a number of error conditions reported by 
Coverity.
 2005-11-30 03:33:49 +00:00
Mark Andrews
60ab03125c 1939. [bug] The resolver could dereference a null pointer after 
validation if all the queries have timed out.
                        [RT #15528]

1938.   [bug]           The validator was not correctly handling unsecure
                        negative responses at or below a SEP. [RT #15528]
 2005-11-03 00:51:55 +00:00
Mark Andrews
7d116211ec 1936. [bug] The validator could leak memory. [RT #5544] 2005-11-02 01:46:31 +00:00
Mark Andrews
216030f284 1930. [port] HPUX: ia64 support. [RT #15473] 
1929.   [port]          FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
 2005-10-14 01:18:47 +00:00
Mark Andrews
676619a22f win32 fixes 2005-09-05 02:54:38 +00:00
Mark Andrews
5be3685b0e 1919. [bug] dig's +sigchase code overhauled. [RT #14933] 
1918.   [bug]           The DLV code has been re-worked to make no longer
                        query order sensitive. [RT #14933]
 2005-08-25 00:56:08 +00:00
Mark Andrews
116e6b4257 1867. [bug] It was possible to trigger a INSIST in 
dlv_validatezonekey(). [RT #14846]
 2005-06-07 00:39:05 +00:00
Mark Andrews
9840a0767d 1853. [bug] Rework how DLV interacts with proveunsecure(). 
[RT #13605]
 2005-05-06 01:59:38 +00:00
Rob Austein
ab023a6556 1851. [doc] Doxygen comment markup. [RT #11398] 2005-04-27 04:57:32 +00:00
Mark Andrews
c941e32d22 1819. [bug] The validator needed to check both the algorithm and 
digest types of the DS to determine if it could be
                        used to introduce a secure zone. [RT #13593]
 2005-03-04 03:53:22 +00:00
Mark Andrews
2d7fc01cb3 update copyright notice 2005-02-09 05:19:30 +00:00
Mark Andrews
0ad024cc42 1806. [bug] The resolver returned the wrong result when a CNAME / 
DNAME was encountered when fetching glue from a
                        secure namespace. [RT #13501]

1805.   [bug]           Pending status was not being cleared when DLV was
                        active. [RT #13501]
 2005-02-08 23:51:32 +00:00
Mark Andrews
4e259c5a23 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC 
rdataset. [RT #12907]
 2004-11-17 23:52:31 +00:00
Mark Andrews
cc3aafe737 1659. [cleanup] Cleanup some messages that were referring to KEY vs 
DNSKEY, NXT vs NSEC and SIG vs RRSIG.

1658.   [func]          Update dnssec-keygen to default to KEY for HMAC-MD5
                        and DH.  Tighten which options apply to KEY and
                        DNSKEY records.
 2004-06-11 01:12:40 +00:00
Mark Andrews
6fac7ff1f9 1606. [bug] DVL insecurity proof was failing. 
1605.   [func]          New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
 2004-05-14 04:45:58 +00:00