upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-22 06:37:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
30021 commits 18 branches 854 tags 440 MiB
Commit graph

271 commits

Author SHA1 Message Date
Mark Andrews
8d414d1559 1600. [bug] Duplicate zone pre-load checks were not case 
insensitive.

1599.   [bug]           Fix memory leak on error path when checking named.conf.

1598.   [func]          Specify that certain parts of the namespace must
                        be secure (dnssec-must-be-secure).
 2004-04-15 23:40:27 +00:00
Mark Andrews
42b48d11ca hide ((isc_event_t **) (void *)) cast using a macro, ISC_EVENT_PTR. 2004-04-15 01:58:25 +00:00
Mark Andrews
50105afc55 1589. [func] DNSSEC lookaside validation. 
enable-dnssec -> dnssec-enable
 2004-03-10 02:19:58 +00:00
Mark Andrews
dafcb997e3 update copyright notice 2004-03-05 05:14:21 +00:00
Mark Andrews
daa73eae70 silence punned messages 2004-02-03 00:59:05 +00:00
Mark Andrews
519b239fc4 #include <isc/string.h> 2004-01-20 14:19:42 +00:00
Mark Andrews
35541328a8 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into 
child zones for which we don't have a supported
                        algorithm.  Such child zones are treated as unsigned.

1557.   [func]          Implement missing DNSSEC tests for
                        * NOQNAME proof with wildcard answers.
                        * NOWILDARD proof with NXDOMAIN.
                        Cache and return NOQNAME with wildcard answers.
 2004-01-14 02:06:51 +00:00
Tatuya JINMEI 神明達哉
e407562a75 1528. [cleanup] Simplify some dns_name_ functions based on the 
deprecation of bitstring labels.
 2003-10-25 00:31:12 +00:00
Mark Andrews
93d6dfaf66 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. 2003-09-30 06:00:40 +00:00
Mark Andrews
8b5de97014 1448. [bug] Handle empty wildcards labels. 
developer: marka
reviewer: explorer
 2003-02-27 00:19:04 +00:00
Mark Andrews
421e4cf66e 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN. 
[RT #4715]
developer: marka
reviewer: explorer
 2003-01-18 03:18:31 +00:00
Mark Andrews
638fe804a5 1255. [bug] When performing a nonexistence proof, the validator 
should discard parent NXTs from higher in the DNS.
 2002-07-22 03:00:49 +00:00
Mark Andrews
ff30cdeb78 The validator didn't handle missing DS records correctly. 2002-07-19 03:29:15 +00:00
Mark Andrews
86f6b92e35 1248. [bug] The validator could incorrectly verify an invalid 
negative proof.

When checking the range of the nxt record, the code needs to handle
the case where the 'next name' field points to the origin.  The way
that the origin was determined was looking at the 'signer' field
of the first SIG NXT, since NXTs are signed by the zone key.  This
doesn't work, because the first SIG could have been spoofed.  It
now defers checking the nxt range until both the SOA and NXT have
been verified, and uses the owner of the SOA name as the origin.
bwelling
 2002-07-15 03:25:28 +00:00
Mark Andrews
25276bd1ec 1247. [bug] The validator would incorrectly mark data as insecure 
when seeing a bogus signature before a correct
                        signature.
 2002-07-15 02:57:14 +00:00
Mark Andrews
b0d31c78bc uninitalised variable 2002-06-19 04:15:12 +00:00
Mark Andrews
0b09763c35 1328. [func] DS (delegation signer) support. 2002-06-17 04:01:37 +00:00
Mark Andrews
c99d9017ba 1275. [bug] When verifying that an NXT proves nonexistence, check 
the rcode of the message and only do the matching NXT
                        check.  That is, for NXDOMAIN responses, check that
                        the name is in the range between the NXT owner and
                        next name, and for NOERROR NODATA responses, check
                        that the type is not present in the NXT bitmap.
 2002-04-29 23:50:26 +00:00
Mark Andrews
a7038d1a05 copyrights 2002-02-20 03:35:59 +00:00
Brian Wellington
60e9e70654 1024 -> DNS_NAME_FORMATSIZE 2002-02-05 21:41:31 +00:00
Brian Wellington
47db0efda1 spacing 2002-02-05 20:02:47 +00:00
Brian Wellington
8839b6acbf clean up the shutdown "logic". 2002-02-05 19:46:30 +00:00
Brian Wellington
32dd66cc5e spacing 2002-02-05 07:54:08 +00:00
Brian Wellington
18b7133679 more minor cleanups 2002-02-01 20:18:33 +00:00
Brian Wellington
23e4260821 minor cleanup 2002-02-01 20:08:56 +00:00
Andreas Gustafsson
1f1d36a87b Check return values or cast them to (void), as required by the coding 
standards; add exceptions to the coding standards for cases where this is
not desirable
 2001-11-30 01:59:49 +00:00
Andreas Gustafsson
f3ca27e9fe sizeof style 2001-11-12 19:05:39 +00:00
Andreas Gustafsson
01446841be 1006. [bug] If a KEY RR was found missing during DNSSEC validation, 
an assertion failure could subsequently be triggered
                        in the resolver. [RT #1763]
 2001-09-19 21:25:46 +00:00
Andreas Gustafsson
34aa790937 reverted 994. 2001-09-14 20:53:33 +00:00
Mark Andrews
56d69016f4 994. [bug] If the unsecure proof fails for unsigned NS records 
attempt a secure proof using the NS records found as
                        glue to find the NS records from the zone's servers
                        along with associated glue rather than from parent
                        servers.  [RT #1706]
 2001-09-13 07:23:39 +00:00
Andreas Gustafsson
76c8294c81 format string bugs and improved format string checking [RT #1578] 2001-08-08 22:54:55 +00:00
David Lawrence
92ef1a9b9d use ISC_MAGIC for all magic numbers, for our friends in EBCDIC land 2001-06-04 19:33:39 +00:00
Brian Wellington
26e5029fd5 Added a cast. [RT #899] 2001-02-21 19:57:38 +00:00
Brian Wellington
499b34cea0 copyright update 2001-01-09 22:01:04 +00:00
Brian Wellington
78838d3e0c 8 space -> tab conversion 2000-12-11 19:24:30 +00:00
Brian Wellington
c70908209e replace some INSISTs that theoretically could occur with normal failures 2000-12-05 18:53:43 +00:00
Brian Wellington
f439363eeb minor code simplification 2000-11-08 00:51:24 +00:00
Mark Andrews
368b37b616 dns_rdata_invalidate -> dns_rdata_reset 2000-10-31 03:22:05 +00:00
Mark Andrews
c03bb27f06 532. [func] Implement DNS UPDATE pseudo records using 
DNS_RDATA_UPDATE flag.

 531.   [func]          Rdata really should be initalized before being
                        assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(),
                        dns_rdata_clone(), dns_rdata_fromregion()),
                        check that it is.
 2000-10-25 04:26:57 +00:00
Brian Wellington
d1cbf71409 clean up suspicious looking and incorrect uses of dns_name_fromregion 2000-10-07 00:09:28 +00:00
Brian Wellington
a9ba7e6564 Allow a keyset to be self-signed if the signing key is a trusted-key. 2000-09-12 12:01:50 +00:00
Brian Wellington
d6be55c63f comment the infinite loop fix 2000-09-12 10:21:45 +00:00
Brian Wellington
5c29047792 minor dst api change 2000-09-12 09:59:28 +00:00
Brian Wellington
c38cf70db1 Fix an assertion failure and a case where an rdataset's trust wasn't set. 2000-09-08 14:18:17 +00:00
Brian Wellington
32b2cdf212 427. [bug] Avoid going into an infinite loop when the validator 
gets a negative response to a key query where the
                        records are signed by the missing key.
 2000-09-07 19:46:52 +00:00
Brian Wellington
5e387b9ce6 and more calls to DESTROYLOCK 2000-08-26 01:37:00 +00:00
Brian Wellington
6f071989da cancellation fixes 2000-08-15 01:22:33 +00:00
Brian Wellington
2a123ac026 remove unused variable 2000-08-15 00:52:49 +00:00
Brian Wellington
9cd6710f91 validators can now be cancelled. 2000-08-15 00:21:05 +00:00
Andreas Gustafsson
ef97e09e20 make the validator attach to the view only weakly, so that 
the view can start shutting down even though a validation is in progress.
 2000-08-14 22:17:40 +00:00
David Lawrence
40f53fa8d9 Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your 
own CVS tree will help minimize CVS conflicts.  Maybe not.
Blame Graff for getting me to trim all trailing whitespace.
 2000-08-01 01:33:37 +00:00
Brian Wellington
f15af68028 negative responses to cd queries should work now. 2000-07-27 18:42:08 +00:00
David Lawrence
15a4474541 word wrap copyright notice at column 70 2000-07-27 09:55:03 +00:00
Brian Wellington
98d010a24a If a negative insecurity proof succeeds, set all of the rdatasets in the 
authority section of the message to non-pending, so that the response
has the ad bit set.
 2000-07-27 01:26:15 +00:00
Brian Wellington
5b0413f993 Call isc_log_wouldlog to potentially avoid extra work in validator_log. 2000-07-26 00:50:02 +00:00
Brian Wellington
60783293cc If a failed positive validation led us to try an insecurity proof, and the 
insecurity proof also failed, the validator event should normally contain
the error from the positive validation.
 2000-07-25 01:24:18 +00:00
Brian Wellington
6bc1a64561 If a positive validation fails and it looks like the reason is that there 
are no material DNSSEC signatures, try an insecurity proof.
 2000-07-13 23:52:04 +00:00
Brian Wellington
25496cebad If trying to validate a key set that happens to be a security root, the 
validation should only consist of checking that each key in the key set
is also in the list of security root keys.

Strangeness occurs when the key set is signed, since the key set is marked
as secure, but the sig set is not, since it wasn't used in the validation
process.  This means that a query for a key set at a security root will
have the AD bit set if the key set is unsigned and not if the key set is signed.
 2000-07-07 00:44:01 +00:00
David Lawrence
9c3531d72a add RCS id string 2000-06-22 22:00:42 +00:00
Andreas Gustafsson
6036112f48 more detailed logging during insecurity proofs 2000-06-22 21:14:48 +00:00
Brian Wellington
77c67dfb26 Repeatedly querying for nonexistant data could lead to a crash. 2000-06-07 01:32:47 +00:00
Brian Wellington
e27021ee1f Certain negative responses could crash the validator. 
The insecurity proof code didn't check to see if the name was below a security
root.
 2000-06-03 00:18:43 +00:00
Brian Wellington
75f6c57d95 When an rdataset is signed, its ttl is normalized based on the signature 
validity period.
 2000-05-31 22:01:39 +00:00
Brian Wellington
9a4a878733 removed debugging code 2000-05-26 22:03:47 +00:00
Brian Wellington
ca9af3aaf7 Lots of restructuring to make code easier to follow. Also a few bugs fixed, 
and hopefully not too many new ones introduced.
 2000-05-26 21:45:53 +00:00
Andreas Gustafsson
115635379a style 2000-05-26 17:46:16 +00:00
Brian Wellington
a9bc95f22e dst now stores the key name as a dns_name_t, not a char *. 2000-05-24 23:13:32 +00:00
David Lawrence
ed019cabc1 fixed lines > 79 columns wide 2000-05-24 05:10:00 +00:00
David Lawrence
1d198e8a6b removed unused stack variable sigrdataset from authvalidated() 2000-05-24 02:47:15 +00:00
Brian Wellington
feb40fc5f9 keytag collision handling was broken and a memory leak existed in the error 
handling code.
 2000-05-22 21:17:05 +00:00
Brian Wellington
17a3fcecd0 Propagate errors out of the validator in all cases. This means that if there 
are any problems in a validation, a SERVFAIL will be returned.  This may not
be correct in all cases (and will be fixed), but it leaves the server in a
much more consistent state after failures.
 2000-05-19 23:04:14 +00:00
Brian Wellington
e49c834de8 Replaced dns_keynode_next by the more correct dns_keytable_findnextkeynode 2000-05-19 20:25:55 +00:00
Andreas Gustafsson
e755d59880 validator.c failed to compile on many platforms because 
a label was not followed by a statement.  Added a null statement.
 2000-05-19 18:48:27 +00:00
Brian Wellington
ba393f380e better keytag collision handling with trusted keys 2000-05-19 18:39:49 +00:00
Brian Wellington
187604c1ad accidentally removed an assignment to NULL before; added a note to look 
back at keytag collisions later
 2000-05-19 01:23:12 +00:00
Brian Wellington
c50936eb40 changed dst_key_free() prototype, misc. dst cleanup 2000-05-19 00:20:59 +00:00
Brian Wellington
d6643ef587 snapshot - support for keytag collision, better support for signed subdomains 
of insecure domains.
 2000-05-18 23:22:14 +00:00
Brian Wellington
aa863b2d1e insecurity proof wasn't correctly setting the rdataset trust level; 
added more debug output
 2000-05-18 18:29:29 +00:00
Brian Wellington
5c61176885 insecurity proof for negative responses 2000-05-18 02:02:05 +00:00
Brian Wellington
94766449d6 restructuring snapshot 2000-05-17 18:24:59 +00:00
David Lawrence
0013c93bc4 "validator.c", line 343: remark(1552): variable "rdataset" was set but never 
used

Removed rdataset from function.
 2000-05-14 02:33:29 +00:00
Andreas Gustafsson
e1f16346db validator must not indicate a validation failure by returning 
ISC_R_NOTFOUND as that seriously confuses query_find().  Introduced new
result codes DNS_R_NOVALIDSIG and DNS_R_NOVALIDNXT to use instead.
 2000-05-12 21:25:17 +00:00
Andreas Gustafsson
78951552dc removed support for trusted keys other than security 
roots; check that key name is appropriate even if it is a security
root; added/clarified log messages
 2000-05-12 17:41:30 +00:00
Andreas Gustafsson
3ce4b8b03e added a comment 2000-05-11 22:58:17 +00:00
David Lawrence
1a69a1a78c Megacommit of dozens of files. 
Cleanup of redundant/useless header file inclusion.

ISC style lint, primarily for function declarations and standalone
comments -- ie, those that appear on a line without any code, which
should be written as follows:
   /*
    * This is a comment.
    */
 2000-05-08 14:38:29 +00:00
Andreas Gustafsson
59e9979330 REQUIRE(type != 0) 2000-05-05 00:18:36 +00:00
Andreas Gustafsson
c37a906752 more logging 2000-05-03 23:58:35 +00:00
David Lawrence
09f22ac5b0 Redundant header work, mostly removing <dns/result.h> from installed 
headers and adding it to source files that need it.
 2000-05-02 03:54:17 +00:00
Brian Wellington
48e27f529d Conform to the dns_dnssec_verify api change and fix an nxt processing crash 2000-04-27 18:14:11 +00:00
Andreas Gustafsson
fa04a194fb return value from dns_rdataset_first() was ignored; 
added more comments and logging to nxtvalidate()
 2000-04-27 00:15:16 +00:00
David Lawrence
6e49e91bd0 103. [func] libisc buffer API changes for <isc/buffer.h>: 
Added:
                                isc_buffer_base(b)          (pointer)
                                isc_buffer_current(b)       (pointer)
                                isc_buffer_active(b)        (pointer)
                                isc_buffer_used(b)          (pointer)
                                isc_buffer_length(b)            (int)
                                isc_buffer_usedlength(b)        (int)
                                isc_buffer_consumedlength(b)    (int)
                                isc_buffer_remaininglength(b)   (int)
                                isc_buffer_activelength(b)      (int)
                                isc_buffer_availablelength(b)   (int)
                        Removed:
                                ISC_BUFFER_USEDCOUNT(b)
                                ISC_BUFFER_AVAILABLECOUNT(b)
                                isc_buffer_type(b)
                        Changed names:
                                isc_buffer_used(b, r) ->
                                        isc_buffer_usedregion(b, r)
                                isc_buffer_available(b, r) ->
                                        isc_buffer_available_region(b, r)
                                isc_buffer_consumed(b, r) ->
                                        isc_buffer_consumedregion(b, r)
                                isc_buffer_active(b, r) ->
                                        isc_buffer_activeregion(b, r)
                                isc_buffer_remaining(b, r) ->
                                        isc_buffer_remainingregion(b, r)

                        Buffer types were removed, so the ISC_BUFFERTYPE_*
                        macros are no more, and the type argument to
                        isc_buffer_init and isc_buffer_allocate were removed.
                        isc_buffer_putstr is now void (instead of isc_result_t)
                        and requires that the caller ensure that there
                        is enough available buffer space for the string.
 2000-04-27 00:03:12 +00:00
Andreas Gustafsson
8db70f36be isc_buffer_putstr() will soon return void 2000-04-26 18:24:15 +00:00
David Lawrence
e1a5f4cd31 Shut up compiler about sigrdataset possibly being used before set in 
nxtvalidate().  The warning is bogus.
 2000-04-25 19:57:47 +00:00
Brian Wellington
ec371edc34 Add 'type' as a parameter to dns_validator_create() 2000-04-20 20:43:52 +00:00
Andreas Gustafsson
264fd373f3 added log message about not finding relevant NXTs; 
added REQUIREs to enforce prerequisites as documented in validator.h;
added cancelation cleanup code
 2000-04-20 18:03:12 +00:00
Brian Wellington
48ed268b33 snapshot - downward chaining support is much more complete, but still won't 
work until the server returns the child's null key from the parent.
 2000-04-19 18:08:27 +00:00
Andreas Gustafsson
d325d53d03 declare static function proveunsecure() before use; 
eliminate compiler warning
 2000-04-18 18:17:49 +00:00
Brian Wellington
613efcd8fb snapshot - includes (untested) code to find unsecured subdomains, which 
won't work until the server returns keys/nxts from the parent zones.
Also some style fixes.
 2000-04-18 17:50:38 +00:00
Michael Graff
e44487bfc2 convert sender, arg, action, etc. to ev_sender, ev_arg, ev_action, etc. 2000-04-17 19:22:44 +00:00
Brian Wellington
fe5ba8ddb5 memory leak cleanup, error if multiple nxts are present in negative answer 2000-04-14 16:00:33 +00:00
Brian Wellington
777ac454c0 Fixed locking problems in event handlers. Reordered NXT processing to 
do range checks before verify, since it's faster.
 2000-04-14 02:30:12 +00:00
Brian Wellington
e83cae7fa8 snapshot - partial support for negative answer verification and a couple bug 
fixes.
 2000-04-13 18:10:07 +00:00
Bob Halley
fca5f81ad6 using snprintf or vsnprintf requires isc/print.h 2000-04-12 19:07:12 +00:00
Brian Wellington
63bf060be4 dst_key_iszonekey() checks that the key's protocol is DNSSEC or ANY. 
Remove this check from the validator, and remove more redundant constants
from dst.h
 2000-04-12 15:52:12 +00:00
Andreas Gustafsson
ecfe4a3490 validator_log() logged garbage after RR type 2000-04-11 22:17:49 +00:00
Brian Wellington
538fea1c91 Added back some code lost by the logging patch, made the keyvalidated event 
handler actually work in the easy case.
 2000-04-11 20:59:37 +00:00
Andreas Gustafsson
1b1e1fda46 logging 2000-04-11 20:35:37 +00:00
Brian Wellington
e7a8dfd296 If we mark an rdataset as secure, also mark the sigrdataset as secure. 2000-04-11 17:12:31 +00:00
Brian Wellington
3676eeb6ca snapshot. Includes creating a new validator to validate pending KEYs. 2000-04-07 21:44:47 +00:00
Brian Wellington
b5debbe212 snapshot. Sends a fetch when a KEY isn't present and would partially handle 
a successful response if it got one.  Starts the validator with an
event to avoid deadlock in the resolver.
 2000-04-07 17:36:40 +00:00
Andreas Gustafsson
93c786e092 cleared up some DNS_R_CONTINUE/DNS_R_WAIT confusion; 
commented get_dst_key()
 2000-04-06 23:09:01 +00:00
Michael Graff
4195904998 s/DNS_R_/ISC_R_/ change for some codes. 2000-04-06 22:03:35 +00:00
Brian Wellington
1c776a2909 missing an #include <dns/dnssec.h> 2000-04-05 22:30:57 +00:00
Brian Wellington
0a3e2e1d59 - added a call to dns_dnssec_verify 
- swapped ISC_R_SUCCESS/DNS_R_CONTINUE in two places
- hitting the end of the list of SIGs without a verification is not success.
 2000-04-05 22:29:47 +00:00
Bob Halley
1854401d34 was dereferencing the wrong rdataset 2000-03-23 22:52:22 +00:00
Andreas Gustafsson
1872808932 don't access freed memory 2000-03-23 20:33:15 +00:00
Andreas Gustafsson
62a84c4a27 val->view was not NULL before attach 2000-03-23 20:24:28 +00:00
Bob Halley
0ec4b862c9 checkpoint 2000-03-17 00:01:28 +00:00
Bob Halley
e419f613d8 checkpoint 2000-02-24 22:40:55 +00:00
Bob Halley
9695ae1c24 add missing #include 2000-02-24 21:05:28 +00:00
Bob Halley
bf43fdafa3 add keytable, validator 2000-02-23 23:31:33 +00:00