Commit graph

157 commits

Author SHA1 Message Date
Automatic Updater
fcef5293d2 update copyright notice 2008-01-17 23:46:05 +00:00
Automatic Updater
fc36e4d54b update copyright notice 2008-01-15 23:46:02 +00:00
Mark Andrews
59aeb87035 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
    [RT #17460]
2008-01-15 01:13:05 +00:00
Evan Hunt
47e37d8ebd Validating lack of DS records at trust anchors wasn't working. [RT #17151] 2007-09-26 04:39:45 +00:00
Mark Andrews
8a4538cafc 2238. [bug] It was possible to trigger a REQUIRE when a
    validation was cancelled. [RT #17106]
2007-09-14 05:52:50 +00:00
Automatic Updater
beb9fabda3 update copyright notice 2007-08-28 07:20:06 +00:00
Mark Andrews
b5ded8a160 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
    [RT #16976]
2007-08-27 04:47:14 +00:00
Mark Andrews
81a0879a12 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
    servers are not DS aware (DS queries to the parent
    return a referral to the child).
2007-04-27 06:37:38 +00:00
Mark Andrews
f40348003a 2145. [bug] Check DS/DLV digest lengths for known digests.
    [RT #16622]
2007-02-26 01:30:22 +00:00
Mark Andrews
64d5cc809c update copyright notice 2007-01-08 02:42:00 +00:00
Mark Andrews
9aefa7e508 2126. [bug] Serialise validation of type ANY responses. [RT #16555] 2007-01-08 01:37:53 +00:00
Mark Andrews
b486456a3d 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
    which could lead to validation failures.  named didn't
    handle negative DS responses that were in the process
    of being validated.  Check CNAME bit before accepting
    NODATA proof. To be able to ignore a child NSEC there
    must be SOA (and NS) set in the bitmap. [RT #16399]
2006-12-07 06:50:34 +00:00
Mark Andrews
41b6189259 2061. [bug] Accept expired wildcard message reversed. [RT #16296] 2006-07-24 22:43:31 +00:00
Mark Andrews
e9724570aa 2008. [func] It is now possible to enable/disable DNSSEC
    validation from rndc.  This is useful for the
    mobile hosts where the current connection point
    breaks DNSSEC (firewall/proxy).  [RT #15592]

        rndc validation newstate [view]
2006-03-09 23:46:20 +00:00
Mark Andrews
7af42116ba fix minor typos 2006-02-26 23:01:58 +00:00
Mark Andrews
2f46120278 post merge problem 2006-02-22 01:57:12 +00:00
Mark Andrews
c017465e4a 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] 2006-02-21 23:53:35 +00:00
Mark Andrews
e770e36d60 update copyright notice 2006-01-04 23:50:23 +00:00
Mark Andrews
f53e702b25 1947. [func] It is now possible to configure named to accept
    expired RRSIGs.  Default "dnssec-accept-expired no;".
    Setting "dnssec-accept-expired yes;" leaves named
    vulnerable to replay attacks.  [RT #14685]
2006-01-04 02:58:42 +00:00
Mark Andrews
cf4e1143ea 1942. [bug] If the name of a DNSKEY matches that of one in
    trusted-keys, do not attempt to validate the DNSKEY
    using the parent's DS RRset. [RT #15649]
2005-12-05 00:00:03 +00:00
Mark Andrews
864f9d0d0a silence dereferencing type-punned pointer will break strict-aliasing rules warning 2005-11-30 04:58:32 +00:00
Mark Andrews
3c8367a203 1940. [bug] Fixed a number of error conditions reported by
    Coverity.
2005-11-30 03:44:39 +00:00
Mark Andrews
c7d337e4ff 1939. [bug] The resolver could dereference a null pointer after
    validation if all the queries have timed out.
    [RT #15528]

    1938. [bug] The validator was not correctly handling unsecure
    negative responses at or below a SEP. [RT #15528]
2005-11-03 00:58:00 +00:00
Mark Andrews
43d25d3d13 1936. [bug] The validator could leak memory. [RT #15544] 2005-11-02 01:53:25 +00:00
Mark Andrews
3a204dc120 1930. [port] HPUX: ia64 support. [RT #15473]
    1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
2005-10-14 01:33:30 +00:00
Mark Andrews
c0c29fa38f sync with head 2005-09-05 03:01:49 +00:00
Mark Andrews
55ae24844a 1919. [bug] dig's +sigchase code overhauled. [RT #14933]
    1918. [bug] The DLV code has been re-worked to make it no longer
    query order sensitive. [RT #14933]
2005-08-25 01:54:01 +00:00
Mark Andrews
468fdfbc2b 1867. [bug] It was possible to trigger an INSIST in
    dlv_validatezonekey(). [RT #14846]
2005-06-07 00:39:12 +00:00
Mark Andrews
13dea06bd6 1853. [bug] Rework how DLV interacts with proveunsecure().
    [RT #13605]
2005-05-06 01:59:48 +00:00
Rob Austein
372edff338 1851. [doc] Doxygen comment markup. [RT #11398] 2005-04-27 05:02:59 +00:00
Mark Andrews
db82e0aaa3 1819. [bug] The validator needed to check both the algorithm and
    digest types of the DS to determine if it could be
    used to introduce a secure zone. [RT #13593]
2005-03-04 03:53:54 +00:00
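Commits 2145 (check DS/DLV digest lengths for known digests) and 1819 (check both the algorithm and the digest type before a DS is allowed to introduce a secure zone) describe a check the page never shows. The example below is added here and is not BIND's code: it parses DS RDATA, rejects a digest whose length is wrong for a known digest type (SHA-1, 20 bytes; SHA-256, 32 bytes), treats an unknown digest type as well-formed but unusable, and verifies a DS against a DNSKEY by recomputing digest(owner name || DNSKEY RDATA) and comparing key tag and algorithm. The DNSKEY RDATA is a constructed placeholder (flags 257, protocol 3, algorithm 8, arbitrary key bytes), not a real key; the names and function names are the example's own.

```python
import hashlib
import struct

# Digest lengths the validator knows: type 1 = SHA-1 (RFC 4034),
# type 2 = SHA-256 (RFC 4509).  A DS that declares one of these types but
# carries a digest of another length is malformed; an unlisted digest type
# is merely unusable, not malformed.
DS_DIGEST_LEN = {1: 20, 2: 32}
DS_DIGEST_FN = {1: hashlib.sha1, 2: hashlib.sha256}


class DSError(ValueError):
    """DS RDATA that is malformed for its declared digest type."""


def parse_ds(rdata: bytes) -> dict:
    """Split DS RDATA into key tag, algorithm, digest type and digest, and
    check the digest length against the declared digest type."""
    if len(rdata) < 5:
        raise DSError("DS RDATA too short: need 4 header bytes plus a digest")
    key_tag, algorithm, digest_type = struct.unpack("!HBB", rdata[:4])
    digest = rdata[4:]
    expected = DS_DIGEST_LEN.get(digest_type)
    if expected is not None and len(digest) != expected:
        raise DSError(f"digest type {digest_type} requires {expected} bytes, "
                      f"got {len(digest)}")
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def ds_is_wellformed(rdata: bytes) -> bool:
    try:
        parse_ds(rdata)
        return True
    except DSError:
        return False


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, uncompressed) wire form of an owner name,
    which is what the DS digest is computed over."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, dnskey_rdata: bytes, digest_type: int) -> bytes:
    """DS RDATA for a DNSKEY: digest(owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    digest = DS_DIGEST_FN[digest_type](name_to_wire(owner) + dnskey_rdata).digest()
    algorithm = dnskey_rdata[3]          # DNSKEY RDATA: flags(2) protocol(1) algorithm(1) key
    return struct.pack("!HBB", dnskey_key_tag(dnskey_rdata), algorithm, digest_type) + digest


def ds_matches_dnskey(owner: str, dnskey_rdata: bytes, ds_rdata: bytes) -> bool:
    """Can this DS introduce dnskey_rdata as a secure entry point?  A malformed
    DS raises DSError; a DS with an unsupported digest type cannot be used."""
    ds = parse_ds(ds_rdata)
    digest_fn = DS_DIGEST_FN.get(ds["digest_type"])
    if digest_fn is None:
        return False
    if ds["algorithm"] != dnskey_rdata[3] or ds["key_tag"] != dnskey_key_tag(dnskey_rdata):
        return False
    return digest_fn(name_to_wire(owner) + dnskey_rdata).digest() == ds["digest"]


# Constructed sample: a KSK-flagged (257), protocol 3, algorithm 8 DNSKEY whose
# "public key" bytes are a placeholder, not a real RSA key.  The DS digest is
# computed over the raw RDATA bytes, so a placeholder is enough to exercise the check.
DNSKEY_RDATA = struct.pack("!HBB", 257, 3, 8) + bytes(range(1, 65))

if __name__ == "__main__":
    ds = make_ds("example.", DNSKEY_RDATA, 2)
    print("SHA-256 DS well-formed:", ds_is_wellformed(ds))
    print("matches DNSKEY:", ds_matches_dnskey("example.", DNSKEY_RDATA, ds))
    print("truncated digest well-formed:", ds_is_wellformed(ds[:-1]))
```

The digest type is checked before the algorithm because an unknown digest type must not make the DS RRset as a whole look bogus; only a digest whose length contradicts a known type is rejected outright.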
Mark Andrews
a88ca26544 update copyright notice 2005-02-09 05:18:28 +00:00
Mark Andrews
950a40375d 1806. [bug] The resolver returned the wrong result when a CNAME /
    DNAME was encountered when fetching glue from a
    secure namespace. [RT #13501]

    1805. [bug] Pending status was not being cleared when DLV was
    active. [RT #13501]
2005-02-09 00:00:35 +00:00
Mark Andrews
85b5356472 1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
    rdataset. [RT #12907]
2004-11-17 23:53:01 +00:00
Mark Andrews
220322f0cf 1659. [cleanup] Cleanup some messages that were referring to KEY vs
    DNSKEY, NXT vs NSEC and SIG vs RRSIG.

    1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
    and DH.  Tighten which options apply to KEY and
    DNSKEY records.
2004-06-11 01:17:46 +00:00
Mark Andrews
aa1a497079 1606. [bug] DLV insecurity proof was failing.
    1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
2004-05-14 05:07:12 +00:00
Mark Andrews
c1425cc1d5 1600. [bug] Duplicate zone pre-load checks were not case
    insensitive.

    1599. [bug] Fix memory leak on error path when checking named.conf.

    1598. [func] Specify that certain parts of the namespace must
    be secure (dnssec-must-be-secure).
2004-04-16 00:01:45 +00:00
Mark Andrews
3bdf0a6885 hide ((isc_event_t **) (void *)) cast using a macro, ISC_EVENT_PTR. 2004-04-15 02:04:05 +00:00
Mark Andrews
50105afc55 1589. [func] DNSSEC lookaside validation.
    enable-dnssec -> dnssec-enable
2004-03-10 02:19:58 +00:00
Mark Andrews
dafcb997e3 update copyright notice 2004-03-05 05:14:21 +00:00
Mark Andrews
daa73eae70 silence punned messages 2004-02-03 00:59:05 +00:00
Mark Andrews
519b239fc4 #include <isc/string.h> 2004-01-20 14:19:42 +00:00
Mark Andrews
35541328a8 1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
    child zones for which we don't have a supported
    algorithm.  Such child zones are treated as unsigned.

    1557. [func] Implement missing DNSSEC tests for
    * NOQNAME proof with wildcard answers.
    * NOWILDCARD proof with NXDOMAIN.
    Cache and return NOQNAME with wildcard answers.
2004-01-14 02:06:51 +00:00
Tatuya JINMEI 神明達哉
e407562a75 1528. [cleanup] Simplify some dns_name_ functions based on the
    deprecation of bitstring labels.
2003-10-25 00:31:12 +00:00
Mark Andrews
93d6dfaf66 1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. 2003-09-30 06:00:40 +00:00
Mark Andrews
8b5de97014 1448. [bug] Handle empty wildcard labels.
    developer: marka
    reviewer: explorer
2003-02-27 00:19:04 +00:00
Mark Andrews
421e4cf66e 1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
    [RT #4715]
    developer: marka
    reviewer: explorer
2003-01-18 03:18:31 +00:00
Mark Andrews
638fe804a5 1255. [bug] When performing a nonexistence proof, the validator
    should discard parent NXTs from higher in the DNS.
2002-07-22 03:00:49 +00:00
Mark Andrews
ff30cdeb78 The validator didn't handle missing DS records correctly. 2002-07-19 03:29:15 +00:00
Mark Andrews
86f6b92e35 1248. [bug] The validator could incorrectly verify an invalid
    negative proof.

    When checking the range of the nxt record, the code needs to handle
    the case where the 'next name' field points to the origin.  The way
    that the origin was determined was looking at the 'signer' field
    of the first SIG NXT, since NXTs are signed by the zone key.  This
    doesn't work, because the first SIG could have been spoofed.  It
    now defers checking the nxt range until both the SOA and NXT have
    been verified, and uses the owner of the SOA name as the origin.
    bwelling
2002-07-15 03:25:28 +00:00
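Commit 1248 explains the range check an NXT (today NSEC) nonexistence proof needs, including the last record of a zone whose 'next name' wraps around to the origin, and why the origin must come from a verified SOA rather than from the signer field of an unverified SIG; commit 1255 adds that NXTs from a parent zone must be discarded. The example below is added here and is not BIND's code: it implements RFC 4034 section 6.1 canonical name ordering and a covering check that takes the zone origin as an explicit input, so the caller has to supply the owner of the verified SOA. It handles the ordinary gap (owner < qname < next), the wrap-around record (next name equals the origin), a backwards-pointing record that does not wrap to the apex (rejected as bogus), and records or query names outside the zone (rejected, per commit 1255). Names are plain ASCII strings, and the sample names are constructed; type bitmaps, wildcards and signature verification are out of scope.

```python
# Origin-aware NSEC/NXT covering check in RFC 4034 section 6.1 canonical order.


def _labels(name: str) -> list:
    """Labels of a domain name as lower-cased bytes, left to right; root is []."""
    name = name.rstrip(".")
    return [label.lower().encode("ascii") for label in name.split(".")] if name else []


def canonical_cmp(a: str, b: str) -> int:
    """Canonical DNS ordering: compare labels from the root leftwards,
    case-insensitively and byte-wise, with a proper ancestor sorting first.
    Returns -1, 0 or 1 like a C comparator."""
    la, lb = _labels(a)[::-1], _labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_at_or_below(name: str, zone: str) -> bool:
    """True if name is zone itself or a descendant of it."""
    ln, lz = _labels(name), _labels(zone)
    return len(ln) >= len(lz) and ln[len(ln) - len(lz):] == lz


def nsec_covers(owner: str, next_name: str, qname: str, origin: str) -> bool:
    """True if the NSEC/NXT record owner -> next_name proves that qname does
    not exist in the zone whose apex is origin.

    origin must be the owner name of an SOA whose signature has already been
    verified.  It is an explicit input precisely so that it is never derived
    from the signer field of a not-yet-verified SIG/RRSIG, which an attacker
    can spoof.
    """
    # The record and the query name must all lie inside this zone.  An NSEC
    # from a parent zone, or one whose next name points outside the zone,
    # proves nothing about qname here.
    if not (is_at_or_below(owner, origin) and is_at_or_below(next_name, origin)
            and is_at_or_below(qname, origin)):
        return False
    if canonical_cmp(owner, qname) >= 0:
        return False                                  # qname is the owner or sorts before it
    if canonical_cmp(owner, next_name) < 0:
        return canonical_cmp(qname, next_name) < 0    # ordinary gap: owner < qname < next
    # owner >= next_name is legal only for the zone's last record, whose next
    # name wraps around to the apex.  Any other backwards-pointing record is bogus.
    return canonical_cmp(next_name, origin) == 0


if __name__ == "__main__":
    # Constructed zone example. with names a, c and z; z.example. is the last name.
    print(nsec_covers("a.example.", "c.example.", "b.example.", "example."))   # True
    print(nsec_covers("z.example.", "example.", "zz.example.", "example."))    # True: wrap to apex
    print(nsec_covers("z.example.", "example.", "zz.example.", "."))           # False: wrong origin
    print(nsec_covers("z.example.", "b.example.", "zz.example.", "example.")) # False: bogus wrap
```

The third call shows the point of the commit: the same wrap-around record is accepted or rejected depending solely on which name is taken to be the origin, so that name has to come from data whose signature has already been checked.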