Commit graph

4992 commits

Author SHA1 Message Date
Automatic Updater
15bbb8a129 update copyright notice 2009-10-08 23:48:10 +00:00
Mark Andrews
2847930722 2708. [func] Insecure to secure and NSEC3 parameter changes via
update are now fully supported and no longer require
                        defines to enable.  We now no longer overload the
                        NSEC3PARAM flag field, nor the NSEC OPT bit at the
                        apex.  Secure to insecure changes are controlled by
                        by the named.conf option 'secure-to-insecure'.

                        Warning: If you had previously enabled support by
                        adding defines at compile time to BIND 9.6 you should
                        ensure that all changes that are in progress have
                        completed prior to upgrading to BIND 9.7.  BIND 9.7
                        is not backwards compatible.
2009-10-08 23:13:07 +00:00
Automatic Updater
2a6d4c9948 regen 2009-10-07 01:14:42 +00:00
Evan Hunt
22b23fb59d tbox wants an #include <isc/print.h>... 2009-10-06 23:22:51 +00:00
Evan Hunt
d1f39121a6 2707. [func] dnssec-keyfromlabel no longer require engine name
to be specified in the label if there is a default
			engine or the -E option has been used.  Also, it
			now uses default algorithms as dnssec-keygen does
			(i.e., RSASHA1, or NSEC3RSASHA1 if -3 is used).
			[RT #20371]
2009-10-06 22:58:45 +00:00
Evan Hunt
ca60f7ba75 Add pkcs11 tools to standard windows BIND 9 build. 2009-10-06 22:14:13 +00:00
Evan Hunt
246c504f90 2706. [bug] Loading a zone with a very large NSEC3 salt could
trigger an assert. [RT #20368]
2009-10-06 21:20:45 +00:00
Evan Hunt
95b41985f7 - build pkcs11 tools when compiling --with-pkcs11=yes
- add PKCS11_PROVIDER environment variable as a method for specifying
  the provider.
2009-10-06 20:27:55 +00:00
Automatic Updater
e74245134d update copyright notice 2009-10-06 04:40:14 +00:00
Automatic Updater
8ec3c08523 regen 2009-10-06 01:14:42 +00:00
Evan Hunt
3ff75c89eb 2704. [bug] Serial of dynamic and stub zones could be inconsistent
with their SOA serial.  [RT #19387]
2009-10-05 19:39:20 +00:00
Francis Dupont
8b78c993cb explicit engine rt20230a 2009-10-05 17:30:49 +00:00
Francis Dupont
e853728477 update OpenSSL PKCS#11 patch (rt19910) 2009-10-05 13:20:06 +00:00
Francis Dupont
d220cab39d pkcs11 rt20229 2009-10-05 13:02:31 +00:00
Francis Dupont
247806c820 regen 2009-10-05 12:25:29 +00:00
Francis Dupont
f89a9bcf1c pkcs11 rt20236 2009-10-05 12:23:11 +00:00
Francis Dupont
b091b4bb80 regen 2009-10-05 12:13:15 +00:00
Francis Dupont
a631b30b1d pkcs11 rt20225 2009-10-05 12:07:08 +00:00
Francis Dupont
78e0199a39 update OpenSSL PKCS#11 patch (19143) 2009-10-05 11:12:45 +00:00
Evan Hunt
1210799345 Add /* NOTREACHED */ comments 2009-10-03 18:03:54 +00:00
Automatic Updater
66fec05962 regen 2009-09-30 01:14:47 +00:00
Automatic Updater
61dd99bfae update copyright notice 2009-09-29 23:48:04 +00:00
Evan Hunt
a93a66f618 2794. [bug] Reduce default NSEC3 iterations from 100 to 10.
[RT #19970]
2009-09-29 22:17:34 +00:00
Francis Dupont
debd489a44 noreturn RT #20257 2009-09-29 15:06:07 +00:00
Mark Andrews
1e733ffc11 2792. [port] win32: 32/64 bit cleanups. [RT #128244] 2009-09-29 04:38:23 +00:00
Automatic Updater
f3d1a0ba52 regen 2009-09-26 01:14:51 +00:00
Automatic Updater
627f3e0805 update copyright notice 2009-09-25 23:48:13 +00:00
Evan Hunt
1e3c9961bb Move dns_rdataset_init() call earlier so "goto cleanup" won't trigger
an assert in dns_rdataset_isassociated().  (This is trivial, I'm going
to commit without review.)
2009-09-25 14:30:10 +00:00
Evan Hunt
fb596cc9af 2691. [func] dnssec-signzone: retain the existing NSEC or NSEC3
chain when re-signing a previously-signed zone.
			Use -u to modify NSEC3 parameters or switch
			between NSEC and NSEC3. [RT #20304]
2009-09-25 06:47:50 +00:00
Francis Dupont
c59a7b0629 missing updates in recent changes 2009-09-24 14:39:17 +00:00
Evan Hunt
63a1800105 Fix several problems introduced by rt19943 2009-09-24 04:36:28 +00:00
Automatic Updater
d48690af7a update copyright notice 2009-09-23 23:47:56 +00:00
Evan Hunt
53c22b8e0d 2685. [bug] Fixed dnssec-signzone -S handling of revoked keys.
Also, added warnings when revoking a ZSK, as this is
			not defined by protocol (but is legal).  [RT #19943]
2009-09-23 16:01:57 +00:00
Mark Andrews
4d0e2cf9b9 2684. [bug] dnssec-signzone should clean the old NSEC chain when
signing with NSEC3 and vica versa. [RT #20301]
2009-09-23 14:05:11 +00:00
Francis Dupont
e25451b66c pkcs11 tools were moved (20067) 2009-09-23 10:54:46 +00:00
Evan Hunt
8436cc14ba 2684. [cleanup] dig: formalize +ad and +cd as synonyms for
+adflag and +cdflag.  [RT #19305]
2009-09-23 06:21:36 +00:00
Mark Andrews
011d0b7dc8 2683. [bug] dnssec-signzone should clean out old NSEC3 chains when
the NSEC3 parameters used to sign the zone change.
                        [RT #20246]
2009-09-23 04:30:16 +00:00
Francis Dupont
2f4d747a26 "configure --enable-symtable=all" failed to build. [RT #20282] 2009-09-22 08:47:55 +00:00
Automatic Updater
d2ebd5d5fb regen 2009-09-19 01:14:52 +00:00
Francis Dupont
b67b58ebe7 small improvement (rt20291) 2009-09-18 22:08:55 +00:00
Francis Dupont
b0dafbb309 spelling 2009-09-18 13:14:47 +00:00
Francis Dupont
1def913211 config.h issue is fixed: cleanup 2009-09-18 11:07:04 +00:00
Evan Hunt
0e32dda176 add include <config.h>, and update comments to use the new names 2009-09-17 23:46:34 +00:00
Francis Dupont
be728633c1 init .cvsignore 2009-09-17 22:55:59 +00:00
Francis Dupont
8b5a11217c from contrib/pkcs11-keygen 2009-09-17 22:51:59 +00:00
Automatic Updater
4765fc7c3f update copyright notice 2009-09-15 23:48:09 +00:00
Evan Hunt
d514c0dc9b 2679. [func] dig -k can now accept TSIG keys in named.conf
format.  [RT #20031]
2009-09-15 03:13:44 +00:00
Automatic Updater
f8e3e03cac regen 2009-09-15 01:14:42 +00:00
Mark Andrews
a12c8549d6 2678. [func] Treat DS queries as if "minimal-response yes;"
was set. [RT #20258]
2009-09-14 23:13:37 +00:00
Evan Hunt
b843f577bb 2677. [func] Changes to key metadata behavior:
- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[rt20247]
2009-09-14 18:45:45 +00:00