Commit graph

120 commits

Author SHA1 Message Date
W.C.A. Wijngaards
169acfc546 - Fixup algo_needs_reason string buffer length. 2024-07-08 15:38:27 +02:00
W.C.A. Wijngaards
bed7cc2a90 - Fix that validation reason failure that uses string print uses
separate buffer that is passed, from the scratch validation buffer.
2024-07-08 15:29:20 +02:00
W.C.A. Wijngaards
9a00877af9 Merge commit '882903f2fa800c4cb6f5e225b728e2887bb7b9ae' 2024-02-13 13:57:56 +01:00
W.C.A. Wijngaards
882903f2fa - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to
exhaust CPU resources and stall DNS resolvers.
2024-02-13 13:02:08 +01:00
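The CVE-2023-50387 commit above says only that "DNSSEC verification complexity can be exploited". The mechanism is the validator's matching loop: every RRSIG is tried against every DNSKEY whose algorithm and key tag match, and because the key tag is a 16-bit checksum an attacker can publish many distinct keys with one tag, forcing keys × signatures public-key operations per RRset. The following is an added example written for this page, not Unbound's code or its actual fix: dnskey_keytag() is the RFC 4034 Appendix B computation, validate_rrset() models the matching loop, verify_always_fails() is a placeholder that stands in for the expensive crypto call and only gets counted, and the budget parameter is an illustrative work limit whose value and name are my own.

```c
/* Added example, not Unbound's code: why colliding-key-tag inputs cost
 * O(keys * sigs) public-key operations and how a work budget bounds it. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct dnskey { uint8_t alg; uint16_t tag; const uint8_t *rdata; size_t len; };
struct rrsig  { uint8_t alg; uint16_t keytag; };

/* Key tag over DNSKEY RDATA (flags, protocol, algorithm, public key),
 * RFC 4034 Appendix B.  It is a checksum, not a hash, so collisions are
 * trivial to construct; that is what the attack relies on. */
uint16_t dnskey_keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

/* Constructed sample: flags 257, protocol 3, algorithm 8, 6 key bytes. */
const uint8_t sample_dnskey[] = { 0x01, 0x01, 0x03, 0x08,
                                  0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD };

typedef int (*verify_fn)(const struct dnskey *, const struct rrsig *);

/* Try every RRSIG against every DNSKEY whose algorithm and key tag match.
 * Returns the number of verify() calls made and sets *secure if one
 * succeeded.  budget == 0 reproduces the unbounded behaviour. */
size_t validate_rrset(const struct dnskey *keys, size_t nkeys,
                      const struct rrsig *sigs, size_t nsigs,
                      verify_fn verify, size_t budget, int *secure)
{
    size_t attempts = 0;
    *secure = 0;
    for (size_t s = 0; s < nsigs; s++) {
        for (size_t k = 0; k < nkeys; k++) {
            if (keys[k].alg != sigs[s].alg || keys[k].tag != sigs[s].keytag)
                continue;               /* cheap filter, no crypto yet */
            if (budget && attempts >= budget)
                return attempts;        /* limit hit: stop and answer bogus */
            attempts++;
            if (verify(&keys[k], &sigs[s])) {
                *secure = 1;
                return attempts;
            }
        }
    }
    return attempts;
}

/* Placeholder for the expensive public-key check.  An attacker's bogus
 * signatures all fail, so every candidate pair gets tried. */
static int verify_always_fails(const struct dnskey *k, const struct rrsig *s)
{
    (void)k; (void)s;
    return 0;
}

#define MAX_KEYS 64

/* Constructed input: nkeys DNSKEYs with distinct key material but one key
 * tag (the two 16-bit key words sum to nkeys for every key) and nsigs RRSIGs
 * naming that tag.  Returns how many verify() calls were spent. */
size_t keytrap_attempts(size_t nkeys, size_t nsigs, size_t budget)
{
    static uint8_t rdata[MAX_KEYS][8];
    struct dnskey keys[MAX_KEYS];
    struct rrsig sigs[MAX_KEYS];
    int secure;
    if (nkeys == 0 || nkeys > MAX_KEYS || nsigs > MAX_KEYS)
        return 0;
    for (size_t i = 0; i < nkeys; i++) {
        rdata[i][0] = 0x01; rdata[i][1] = 0x01;   /* flags 257 (KSK) */
        rdata[i][2] = 0x03; rdata[i][3] = 0x08;   /* protocol 3, alg 8 */
        rdata[i][4] = 0x00; rdata[i][5] = (uint8_t)i;
        rdata[i][6] = 0x00; rdata[i][7] = (uint8_t)(nkeys - i);
        keys[i].alg = 8;
        keys[i].rdata = rdata[i];
        keys[i].len = 8;
        keys[i].tag = dnskey_keytag(rdata[i], 8);
        assert(keys[i].tag == keys[0].tag);       /* all collide by construction */
    }
    for (size_t s = 0; s < nsigs; s++) {
        sigs[s].alg = 8;
        sigs[s].keytag = keys[0].tag;
    }
    return validate_rrset(keys, nkeys, sigs, nsigs,
                          verify_always_fails, budget, &secure);
}

int main(void)
{
    printf("sample key tag: %u\n", dnskey_keytag(sample_dnskey, sizeof sample_dnskey));
    printf("8 keys x 8 sigs, no budget:  %zu verifications\n", keytrap_attempts(8, 8, 0));
    printf("8 keys x 8 sigs, budget 16:  %zu verifications\n", keytrap_attempts(8, 8, 16));
    return 0;
}
```

With no limit the cost grows as the product of the two counts, both of which the zone owner (the attacker) controls; the budget turns a quadratic blow-up into a constant and the RRset is simply treated as bogus. Real validators cap several things (key lookups, failed verifications, NSEC3 iterations), and which limits Unbound chose is not visible on this page.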
W.C.A. Wijngaards
9a2d0238a8 - Fix #983: Sha1 runtime insecure change was incomplete. 2024-01-03 13:33:43 +01:00
George Thessalonikefs
4ccb613396 Merge branch 'master' into features/downstream-cookies 2023-08-05 20:37:48 +02:00
George Thessalonikefs
6e47c1e05b - For #762: remove relocated code. 2023-08-02 15:51:05 +02:00
George Thessalonikefs
5b55a46550 - For #762: relocate RFC 1982 serial number arithmetic functions to their own
file in util/rfc_1982.[ch].
2023-08-01 17:26:14 +02:00
George Thessalonikefs
843fc69927 Address review comments for #759:
- Clear error text when an expected signature is missing.
2023-07-28 14:05:25 +02:00
George Thessalonikefs
95604a90e8 Review for #759:
- Keep EDE information for keys close to key creation.
- Fix inconsistencies between reply and cached EDEs.
- Incorporate EDE caching checks in EDE tests.
- Fix some EDE cases where missing DNSKEY was wrongly reported.
2023-07-19 15:20:44 +02:00
George Thessalonikefs
eda0c0c194 - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
2022-07-04 09:34:45 +02:00
George Thessalonikefs
309b1d368b - Reintroduce documentation and more EDE support for
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
2022-07-04 00:06:26 +02:00
George Thessalonikefs
c513119bba - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. 2022-07-03 23:32:18 +02:00
George Thessalonikefs
317bab9f1d For #660: formatting, less verbose logging, add EDE information. 2022-07-03 22:32:56 +02:00
Yorgos Thessalonikefs
e102aea751 Merge pull request #660 from InfrastructureServices/sha1-runtime-insecure
Sha1 runtime insecure
2022-07-03 22:24:58 +02:00
tcarpay
0ce36e8289 Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
Petr Mensik
33c8baaaba Forward indeterminate status higher
Create a path where it can result in insecure.
2022-04-08 16:26:50 +02:00
Petr Mensik
6cfcf21451 Make SHA-1 signed domains insecure if openssl refuses the digest
RHEL9/CentOS 9 would fail in default crypto policy. If call to openssl
returns invalid digest then report the name insecure. If all tested
signatures return the same issue, then make the reply insecure.
2022-04-08 16:26:50 +02:00
W.C.A. Wijngaards
e217bb48ad - Remove case fallthrough from deprecate-rsa-1024 code. 2021-05-07 17:06:09 +02:00
W.C.A. Wijngaards
59ea44322e - Add ./configure --with-deprecate-rsa-1024 that turns off RSA 1024. 2021-05-07 14:28:20 +02:00
W.C.A. Wijngaards
42d7cdb7d5 zonemd, region freed, and qstate not used when not in a query, and nsec
and nsec3 bitmap checks.
2020-10-14 14:46:59 +02:00
W.C.A. Wijngaards
3163a93121 zonemd, loop over zone and canonicalize data, test call in unit test. 2020-10-06 17:07:24 +02:00
W.C.A. Wijngaards
57bbbfc0e6 - Fix #170: Fix gcc undefined sanitizer signed integer overflow
warning in signature expiry RFC1982 serial number arithmetic.
2020-02-27 15:22:35 +01:00
W.C.A. Wijngaards
5a00b31f86 - Fix text around serial arithmetic used for RRSIG times to refer
to correct RFC number.
2019-12-03 12:58:09 +01:00
Wouter Wijngaards
2a6250e3fb - patch for CVE-2017-15105: vulnerability in the processing of
wildcard synthesized NSEC records.

git-svn-id: file:///svn/unbound/trunk@4441 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-19 09:50:35 +00:00
Wouter Wijngaards
21d1989e05 fix oneoff
git-svn-id: file:///svn/unbound/trunk@4433 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-02 13:36:17 +00:00
Wouter Wijngaards
fa90bbc07a fixup larger than 2**31 case.
git-svn-id: file:///svn/unbound/trunk@4432 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-02 12:43:43 +00:00
Wouter Wijngaards
44eb7bfd25 - Remove clang optimizer disable,
Fix that expiration date checks don't fail with clang -O2.

git-svn-id: file:///svn/unbound/trunk@4431 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-02 10:48:00 +00:00
Wouter Wijngaards
87edf6497d remove debug output
git-svn-id: file:///svn/unbound/trunk@4426 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-12-15 10:21:38 +00:00
Wouter Wijngaards
6bae276ecb this version of unbound fails when compiled with CC=clang and -O (edit Makefile), or -O2 (default). If you use no optimizing flag, unittest works.
git-svn-id: file:///svn/unbound/trunk@4425 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-12-15 10:16:06 +00:00
Wouter Wijngaards
7d17a926ac - Spelling fixes, from Phil Porada.
git-svn-id: file:///svn/unbound/trunk@4344 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-09-15 14:29:28 +00:00
Wouter Wijngaards
05215e8e7d - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
DS records.  NSEC3 is not disabled.
- fake-sha1 test option; print warning if used.  To make unit tests.

git-svn-id: file:///svn/unbound/trunk@4043 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-09 13:18:08 +00:00
Wouter Wijngaards
c010e93d4a - Fix to rename internally used types from _t to _type, because _t
type names are reserved by POSIX.
- iana portlist update

git-svn-id: file:///svn/unbound/trunk@3989 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-01-19 10:25:41 +00:00
Ralph Dolmans
0b3138e1bf - Fix #1117: spelling errors, from Robert Edmonds
git-svn-id: file:///svn/unbound/trunk@3877 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-10-05 09:56:05 +00:00
Ralph Dolmans
19ebdbf6a6 Take configured minimum TTL into consideration when reducing TTL to original
TTL from RRSIG.

git-svn-id: file:///svn/unbound/trunk@3849 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-09-05 12:30:46 +00:00
Wouter Wijngaards
2bdea62a9e - Fix #594. libunbound: optionally use libnettle for crypto.
Contributed by Luca Bruno.  Added --with-nettle for use with
--with-libunbound-only.

git-svn-id: file:///svn/unbound/trunk@3533 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-11-17 09:43:07 +00:00
Wouter Wijngaards
e3351c3606 - Remove confusion comment from canonical_compare() function.
git-svn-id: file:///svn/unbound/trunk@3488 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-09-22 08:43:56 +00:00
Wouter Wijngaards
b2bdce46be - rename ldns subdirectory to sldns to avoid name collision.
git-svn-id: file:///svn/unbound/trunk@3380 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-03-26 10:21:38 +00:00
Wouter Wijngaards
6feb8fb6a5 - Fixes to add integer overflow checks on allocation (defense in depth).
git-svn-id: file:///svn/unbound/trunk@3372 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-03-20 15:36:25 +00:00
Wouter Wijngaards
2b90f38a70 And fix #551 REGENT to COPYRIGHT HOLDER in license in file headings.
git-svn-id: file:///svn/unbound/trunk@3079 be551aaa-1e26-0410-a405-d3ace91eadb9
2014-02-07 13:28:39 +00:00
Wouter Wijngaards
d3cbd76546 - Fix sldns to use sldns_ prefix for all ldns_ variables.
git-svn-id: file:///svn/unbound/trunk@3022 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-12-03 09:11:16 +00:00
Wouter Wijngaards
3de090dadb Fix linking of sldns and ldns, unique identifiers for global variables.
git-svn-id: file:///svn/unbound/trunk@3021 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-11-30 11:03:55 +00:00
Wouter Wijngaards
29e96e86c9 - separate ldns into core ldns inside ldns/ subdirectory. No more
--with-ldns is needed and unbound does not rely on libldns.

git-svn-id: file:///svn/unbound/trunk@2998 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-10-31 15:09:26 +00:00
Wouter Wijngaards
f1fd2b53eb - Fix for 2038, with time_t instead of uint32_t.
git-svn-id: file:///svn/unbound/trunk@2939 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-08-20 12:23:42 +00:00
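Several commits above touch the same piece of logic: the RRSIG inception and expiration fields are 32-bit serial numbers compared with RFC 1982 arithmetic ("relocate RFC 1982 serial number arithmetic functions", "Fix #170: ... signed integer overflow ... in signature expiry RFC1982 serial number arithmetic", "fixup larger than 2**31 case", and "Fix for 2038, with time_t instead of uint32_t"). The following is an added example written for this page, not Unbound's util/rfc_1982.c; serial_compare() and rrsig_time_check() are my own names. It shows the comparison done on unsigned values so that no signed overflow (undefined behaviour, which the sanitizer flagged) can happen, and how a 64-bit time_t is reduced to the 32-bit serial space so the check still works across the 2038 and 2106 wrap points.

```c
/* Added example, not Unbound's code: RFC 1982 serial-number arithmetic for
 * RRSIG inception/expiration checks without signed-integer overflow. */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Compare two 32-bit serial numbers (RFC 1982).  Returns -1 if a is
 * "before" b, 1 if a is "after" b, and 0 if they are equal or the
 * comparison is undefined (the values are exactly 2^31 apart). */
int serial_compare(uint32_t a, uint32_t b)
{
    /* Unsigned subtraction wraps modulo 2^32, which C defines.  The naive
     * (int32_t)b - (int32_t)a can overflow, which is undefined. */
    uint32_t forward = b - a;       /* distance going forward from a to b */
    if (forward == 0)
        return 0;
    if (forward == 0x80000000u)
        return 0;                   /* RFC 1982: undefined, treat as equal */
    return forward < 0x80000000u ? -1 : 1;
}

/* RRSIG times are 32-bit serials.  A (possibly 64-bit) time_t is reduced
 * modulo 2^32 by the unsigned conversion, which is well defined even for
 * values above 2^31.  Returns 0 when inception <= now <= expiration in
 * serial order, -1 when the signature is not yet valid, 1 when expired. */
int rrsig_time_check(uint32_t inception, uint32_t expiration, time_t now)
{
    uint32_t now32 = (uint32_t)now;
    if (serial_compare(now32, inception) < 0)
        return -1;
    if (serial_compare(expiration, now32) < 0)
        return 1;
    return 0;
}

int main(void)
{
    /* Constructed values: a 10-day validity window in late 2023. */
    uint32_t incep = 1700000000u, expi = 1700864000u;
    printf("inside window:  %d\n", rrsig_time_check(incep, expi, (time_t)1700400000));
    printf("after window:   %d\n", rrsig_time_check(incep, expi, (time_t)1701000000));
    printf("before window:  %d\n", rrsig_time_check(incep, expi, (time_t)1699000000));
    /* Window straddling the 2^32 wrap: still valid in serial arithmetic. */
    printf("across wrap:    %d\n",
           rrsig_time_check(0xFFFFFF00u, 0x00000100u, (time_t)0x100000010LL));
    return 0;
}
```

Two details matter in practice. A difference of exactly 2^31 is undefined by RFC 1982 and is returned as "equal" here; a validator should treat such a signature as bogus rather than guess. And reducing time_t modulo 2^32 means a signature whose window is more than 2^31 seconds away from the wall clock will compare the wrong way round, which is inherent to the 32-bit wire format and not something the resolver can fix.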
Wouter Wijngaards
fbedfb7429 - Robust checks on dname validity from rdata for dname compare.
git-svn-id: file:///svn/unbound/trunk@2892 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-04-25 10:28:25 +00:00
Wouter Wijngaards
ccf4099366 - work on --with-nss build option (for now, --with-libunbound-only).
git-svn-id: file:///svn/unbound/trunk@2690 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-06-20 15:11:53 +00:00
Wouter Wijngaards
15aacbe89b code review.
git-svn-id: file:///svn/unbound/trunk@2688 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-06-18 14:22:29 +00:00
Wouter Wijngaards
682ff957ed lint and doxygen fixes.
git-svn-id: file:///svn/unbound/trunk@2631 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-02-16 10:08:07 +00:00
Wouter Wijngaards
c352ee2e85 - workaround for openssl 0.9.8 ecdsa sha2 and evp problem.
git-svn-id: file:///svn/unbound/trunk@2608 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-02-08 16:40:46 +00:00
Wouter Wijngaards
924789d877 - implement draft-ietf-dnsext-ecdsa-04; which is in IETF LC; This
implementation is experimental at this time and not recommended
for use on the public internet (the protocol numbers have not
been assigned).  Needs recent ldns with --enable-ecdsa.
- fix memory leak in errorcase for DSA signatures.

git-svn-id: file:///svn/unbound/trunk@2606 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-02-08 13:22:44 +00:00