upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-25 02:42:33 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
25079 commits 18 branches 854 tags 440 MiB
Commit graph

590 commits

Author SHA1 Message Date
Mark Andrews
7fcbbd6fa9 4580. [bug] 4578 introduced a regression when handling CNAME to 
referral below the current domain. [RT #44850]

(cherry picked from commit 638c7c635d)
 2017-03-14 15:12:03 +11:00
Mark Andrews
c006cfc5a2 Reimplement: 
4578.   [security]      Some chaining (CNAME or DNAME) responses to upstream
                        queries could trigger assertion failures.
                        (CVE-2017-3137) [RT #44734]

(cherry picked from commit f240f4a5de)
 2017-03-01 12:02:39 +11:00
Evan Hunt
559cbe04e7 [v9_11] remove unnecessary INSIST and prep 9.11.1rc2 
4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

(cherry picked from commit a1365a0042)
 2017-02-23 14:55:10 -08:00
Evan Hunt
07b7a3eade [v9_11] store local and remote addresses in dnstap 
4569.	[func]		Store both local and remote addresses in dnstap
			logging, and modify dnstap-read output format to
			print them. [RT #43595]

(cherry picked from commit 650b5e7592)
 2017-02-03 17:11:06 -08:00
Evan Hunt
05fce8cfff [v9_11] address portability issues 
(cherry picked from commit a2bd99a959)
 2017-01-30 16:52:32 -08:00
Evan Hunt
781f6daa74 [v9_11] change 4558 was incomplete 
(cherry picked from commit cd668ea57f)
 2017-01-30 14:11:17 -08:00
Tinderbox User
5688a47c15 update copyright notice / whitespace 2017-01-24 23:45:58 +00:00
Mark Andrews
4441328a1d 4558. [bug] Synthesised CNAME before matching DNAME was still 
being cached when it should have been.  [RT #44318]

(cherry picked from commit 9f4bf43b79)
 2017-01-24 17:41:17 +11:00
Mark Andrews
701aa95d96 4510. [security] Named mishandled some responses where covering RRSIG 
records are returned without the requested data
                        resulting in a assertion failure. (CVE-2016-9147)
                        [RT #43548]

(cherry picked from commit 6adf421e7e)
 2016-12-29 11:49:06 +11:00
Mark Andrews
b243aa40f9 4508. [security] Named incorrectly tried to cache TKEY records which 
could trigger a assertion failure when there was
                            a class mismatch. (CVE-2016-9131) [RT #43522]

(cherry picked from commit 2c1c4b99a1)
 2016-12-29 11:17:14 +11:00
Mark Andrews
2595d1da35 4517. [security] Named could mishandle authority sections that were 
missing RRSIGs triggering an assertion failure.
                        (CVE-2016-9444) [RT # 43632]

(cherry picked from commit 1df30cfd27c5a3c57fce357c54aaf6c702227d51)
 2016-12-29 10:41:06 +11:00
Mark Andrews
d77cab69bf 4530. [bug] Change 4489 broke the handling of CNAME -> DNAME 
in responses resulting in SERVFAIL being returned.
                        [RT #43779]

(cherry picked from commit 60cb462c56)
 2016-12-09 12:51:09 +11:00
Mark Andrews
7c66fc9700 4489. [security] It was possible to trigger assertions when processing 
a response. (CVE-2016-8864) [RT #43465]

(cherry picked from commit bd6f27f5c3)
 2016-10-21 14:56:20 +11:00
Mark Andrews
47f8b47b8d 9.11.0rc3 2016-09-20 21:19:46 +10:00
Mark Andrews
d1cacbb374 4453. [bug] Prefetching of DS records failed to update their 
RRSIGs. [RT #42865]

(cherry picked from commit f431bf02a6)
 2016-08-25 09:53:50 +10:00
Mark Andrews
f8ef82e475 sync 2016-07-12 11:34:50 +10:00
Mark Andrews
35c014cb1d 4408. [func] Continue waiting for expected response when we the 
response we get does not match the request. [RT #41026]

(cherry picked from commit ec5e01747a)
 2016-07-12 11:33:49 +10:00
Mark Andrews
cccfafa311 4403. [bug] Rename variables and arguments that shadow: basename, 
clone and gai_error.

(cherry picked from commit ecfa005085)
 2016-06-29 11:26:49 +10:00
Mark Andrews
0c27b3fe77 4401. [misc] Change LICENSE to MPL 2.0. 2016-06-27 14:56:38 +10:00
Witold Krecicki
19d80ce584 4358. [test] Added American Fuzzy Lop harness that allows 
feeding fuzzed packets into BIND.
			[RT #41723]
 2016-05-05 11:49:38 +02:00
Mukund Sivaraman
275265ab27 Log query and depth counters during fetches when querytrace is enabled (#41787) 2016-03-04 13:25:37 +05:30
Mark Andrews
c7aae79b62 silence may be used when unset false positive 2016-02-29 11:24:15 +11:00
Mark Andrews
2de89ee9de Part 2 of: 
4319.   [security]      Fix resolver assertion failure due to improper
                        DNAME handling when parsing fetch reply messages.
                        (CVE-2016-1286) [RT #41753]
 2016-02-29 07:16:48 +11:00
Mark Andrews
455c0848f8 4322. [security] Duplicate EDNS COOKIE options in a response could 
trigger an assertion failure. (CVE-2016-2088)
                        [RT #41809]
 2016-02-27 11:23:50 +11:00
Mukund Sivaraman
5995fec51c Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) (#41753) 2016-02-22 12:22:43 +05:30
Mark Andrews
d372f426ca 4317. [bug] Age all unused servers on fetch timeout. [RT #41597] 2016-02-12 12:32:58 +11:00
Mark Andrews
73fbd4c9d3 4293. [bug] Address memory leak on priming query creation failure. 
[RT #41512]
 2016-01-20 16:38:11 +11:00
Tinderbox User
feb1ccdaf1 update copyright notice / whitespace 2016-01-05 23:45:26 +00:00
Evan Hunt
41494939b6 [master] fixed bogus server regression 
4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
			which caused known-bogus servers to be queried
			anyway. [RT #41321]
 2016-01-04 15:47:16 -08:00
Mark Andrews
c8821d124c 4260. [security] Insufficient testing when parsing a message allowed 
records with an incorrect class to be be accepted,
                        triggering a REQUIRE failure when those records
                        were subsequently cached. (CVE-2015-8000) [RT #4098]
 2015-11-16 13:12:20 +11:00
Mark Andrews
2f450fcd29 4253. [bug] Address fetch context reference count handling error 
on socket error.  [RT#40945]
 2015-11-05 17:10:10 +11:00
Mark Andrews
6588a2b404 4238. [bug] Don't send to servers on net zero (0.0.0.0/8). 
[RT #40947]
 2015-10-16 08:00:15 +11:00
Evan Hunt
b66b333f59 [master] dnstap 
4235.	[func]		Added support in named for "dnstap", a fast method of
			capturing and logging DNS traffic, and a new command
			"dnstap-read" to read a dnstap log file.  Use
			"configure --enable-dnstap" to enable this
			feature (note that this requires libprotobuf-c
			and libfstrm). See the ARM for configuration details.

			Thanks to Robert Edmonds of Farsight Security.
			[RT #40211]
 2015-10-02 12:32:42 -07:00
Mark Andrews
1b1f6d21c7 curr_srtt = curr->srtt 2015-10-02 07:45:45 +10:00
Mark Andrews
b959848051 compare curr_srtt and best_srtt 2015-10-01 22:12:56 +10:00
Mark Andrews
85e7a259a4 re-organise sort to use best_srtt and curr_srtt 2015-09-29 08:06:21 +10:00
Mark Andrews
98a7f8c7ae 4222. [func] Bias IPv6 servers when selecting the next server to 
query. [RT #40836]
 2015-09-28 18:57:19 +10:00
Mark Andrews
8d80b4939d 4221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create. 
[RT #40583]
 2015-09-25 09:18:43 +10:00
Mark Andrews
741b63c869 4212. [func] Re-query if we get a bad client cookie returned over 
UDP. [RT #40748]
 2015-09-17 14:20:32 +10:00
Mark Andrews
02093e4c3b 4193. [bug] Handle broken servers that return BADVERS incorrectly. 
[RT #40427]
 2015-08-25 16:52:43 +10:00
Evan Hunt
ce9f893e21 [master] address buffer accounting error 
4168.	[security]	A buffer accounting error could trigger an
			assertion failure when parsing certain malformed
			DNSSEC keys. (CVE-2015-5722) [RT #40212]
 2015-08-07 13:16:10 -07:00
Evan Hunt
1479200aa0 [master] DDoS mitigation features 
3938.	[func]		Added quotas to be used in recursive resolvers
			that are under high query load for names in zones
			whose authoritative servers are nonresponsive or
			are experiencing a denial of service attack.

			- "fetches-per-server" limits the number of
			  simultaneous queries that can be sent to any
			  single authoritative server.  The configured
			  value is a starting point; it is automatically
			  adjusted downward if the server is partially or
			  completely non-responsive. The algorithm used to
			  adjust the quota can be configured via the
			  "fetch-quota-params" option.
			- "fetches-per-zone" limits the number of
			  simultaneous queries that can be sent for names
			  within a single domain.  (Note: Unlike
			  "fetches-per-server", this value is not
			  self-tuning.)
			- New stats counters have been added to count
			  queries spilled due to these quotas.

			See the ARM for details of these options. [RT #37125]
 2015-07-08 22:53:39 -07:00
Tinderbox User
8f0b326d9a update copyright notice / whitespace 2015-07-05 23:45:22 +00:00
Mark Andrews
ce67023ae3 4152. [func] Implement DNS COOKIE option. This replaces the 
experimental SIT option of BIND 9.10.  The following
                        named.conf directives are avaliable: send-cookie,
                        cookie-secret, cookie-algorithm and nocookie-udp-size.
                        The following dig options are available:
                        +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
 2015-07-06 09:44:24 +10:00
Mark Andrews
adbf81335b 4146. [bug] Address reference leak that could prevent a clean 
shutdown. [RT #37125]
 2015-06-25 18:36:27 +10:00
Evan Hunt
a32b6291aa [master] address regression 
4126.	[bug]		Addressed a regression introduced in change #4121.
			[RT #39611]
 2015-05-26 19:11:08 -07:00
Evan Hunt
c03fe78ef5 [master] use after free in resquery_destroy() 
4102.	[bug]		Fix a use after free bug introduced in change
			#4094.  [RT #39281]
 2015-04-15 15:38:14 -07:00
Mukund Sivaraman
2c4d5faf7f Don't use query->sendevent after it's been destroyed (#39132) 2015-04-13 15:04:41 +05:30
Evan Hunt
d9b37259f3 [master] hold a reference on fetch context during query 
4094.	[bug]		A race during shutdown or reconfiguration could
			cause an assertion in mem.c. [RT #38979]
 2015-04-08 14:33:45 -07:00
Mark Andrews
af669cb4fd 4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708] 2015-02-27 10:55:55 +11:00