Mark Andrews
48e7dcf0d2
2984. [bug] Don't run MX checks when the target of the MX record
is ".". [RT #22645 ]
2010-12-14 00:46:41 +00:00
Automatic Updater
9164ae2297
update copyright notice
2010-12-09 04:31:30 +00:00
Mark Andrews
93b433d299
2982. [bug] Reference count dst keys. dst_key_attach() can be used
to increment the reference count.
Note: dns_tsigkey_createfromkey() callers should now
always call dst_key_free() rather than setting it
to NULL on success. [RT #22672 ]
2010-12-09 01:05:29 +00:00
Automatic Updater
1517558cd3
update copyright notice
2010-12-02 23:46:30 +00:00
Mark Andrews
e7ca8c91ec
2976. [bug] named die on exit after negotiating a GSS-TSIG key.
[RT #3415 ]
2010-12-02 23:26:58 +00:00
Mark Andrews
0a2897853b
2963. [security] The allow-query acl was being applied instead of the
allow-query-cache acl to cache lookups. [RT #22114 ]
2010-09-24 05:54:06 +00:00
Mark Andrews
30579c29be
2943. [func] Add support to load new keys into managed zones
without signing immediately with "rndc loadkeys".
Add support to link keys with "dnssec-keygen -S"
and "dnssec-settime -S". [RT #21351 ]
2010-08-16 22:27:18 +00:00
Automatic Updater
770279e013
update copyright notice
2010-08-13 23:46:29 +00:00
Evan Hunt
0658d99891
2936. [func] Improved configuration syntax and multiple-view
support for addzone/delzone feature (see change
#2930 ). Removed "new-zone-file" option, replaced
with "allow-new-zones (yes|no)". The new-zone-file
for each view is now created automatically, with
a filename generated from a hash of the view name.
It is no longer necessary to "include" the
new-zone-file in named.conf; this happens
automatically. Zones that were not added via
"rndc addzone" can no longer be removed with
"rndc delzone". [RT #19447 ]
2010-08-11 18:19:59 +00:00
Evan Hunt
92f39ccb5b
2930. [experimental] New "rndc addzone" and "rndc delzone" commands
allow dynamic addition and deletion of zones.
To enable this feature, specify a "new-zone-file"
option at the view or options level in named.conf.
Zone configuration information for the new zones
will be written into that file. To make the new
zones persist after a restart, "include" the file
into named.conf in the appropriate view. (Note:
This feature is not yet documented, and its syntax
is expected to change.) [RT #19447 ]
2010-07-11 00:12:19 +00:00
Automatic Updater
98afc1a6dd
update copyright notice
2010-07-09 23:46:27 +00:00
Evan Hunt
59c9c71f36
2929. [bug] Improved handling of GSS security contexts:
- added LRU expiration for generated TSIGs
- added the ability to use a non-default realm
- added new "realm" keyword in nsupdate
- limited lifetime of generated keys to 1 hour
or the lifetime of the context (whichever is
smaller)
[RT #19737 ]
2010-07-09 05:14:08 +00:00
Mark Andrews
9777316c64
2924. [func] 'rndc secroots' dump a combined summary of the
current managed keys combined with trusted keys.
[RT #20904 ]
2010-06-25 03:51:07 +00:00
Mark Andrews
13ce1be5d3
2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
to IPv4 clients. New acl 'filter-aaaa' (default any).
2010-06-22 04:04:22 +00:00
Automatic Updater
db8dce00b0
update copyright notice
2010-06-04 23:50:01 +00:00
Mark Andrews
2b631b5d6f
remove trailing comma
2010-06-04 00:14:53 +00:00
Automatic Updater
e08a20aa98
update copyright notice
2010-05-18 02:35:12 +00:00
Mark Andrews
0517d21ebd
2897. [bug] NSEC3 chains could be left behind when transitioning
to insecure. [RT #21040 ]
2010-05-18 01:40:35 +00:00
Automatic Updater
71324ae046
update copyright notice
2010-05-14 23:49:21 +00:00
Mark Andrews
812b6d8d11
2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924 ]
2010-05-14 04:49:40 +00:00
Mark Andrews
d133eb632a
2892. [bug] Handle REVOKED keys better. [RT #20961 ]
2010-05-14 04:41:12 +00:00
Mark Andrews
0463ffd804
2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097 ]
2010-05-14 00:16:32 +00:00
Automatic Updater
efc6a99370
update copyright notice
2010-05-10 23:49:42 +00:00
Mark Andrews
d779f5e15d
2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198 ]
2010-05-10 01:41:11 +00:00
Automatic Updater
e1bd9f2ed3
update copyright notice
2010-02-25 05:25:53 +00:00
Mark Andrews
8a98023414
2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619 ]
2010-02-25 05:05:09 +00:00
Evan Hunt
96c51eadc9
Commit to v9_7 some changes that had been left out:
2838. [bug] A KSK revoked by named could not be deleted.
[RT #20881 ]
2837. [port] Prevent Linux spurious warnings about fwrite().
[RT #20812 ]
2010-01-13 19:31:53 +00:00
Automatic Updater
8bd217efdb
update copyright notice
2009-12-30 23:48:30 +00:00
Tatuya JINMEI 神明達哉
6ca6cc975f
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737 ]
9.4-ESV, 9.5.3, 9.6.2, 9.7.0, 9.8.0(?)
2009-12-30 08:33:41 +00:00
Evan Hunt
a2ba550880
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712 ]
2009-12-30 06:46:36 +00:00
Mark Andrews
2b662f27f6
2824. [bug] "rndc sign" was not being run by the correct task.
[RT #20759 ]
2009-12-29 22:23:01 +00:00
Evan Hunt
5f7159f897
2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define
[RT #20771 ]
2009-12-24 00:35:21 +00:00
Evan Hunt
7290687619
2813. [bug] Better handling of unreadable DNSSEC key files.
[RT #20710 ]
2812. [bug] Make sure updates can't result in a zone with
NSEC-only keys and NSEC3 records. [RT 20748]
2009-12-18 22:13:54 +00:00
Automatic Updater
4b6dc226f7
update copyright notice
2009-12-04 22:06:37 +00:00
Mark Andrews
3d17a3ba61
2801. [func] Detect and report records that are different according
to DNSSEC but are semantically equal according to plain
DNS. Apply plain DNS comparisons rather than DNSSEC
comparisons when processing UPDATE requests.
dnssec-signzone now removes such semantically duplicate
records prior to signing the RRset.
named-checkzone -r {ignore|warn|fail} (default warn)
named-compilezone -r {ignore|warn|fail} (default warn)
named.conf: check-dup-records {ignore|warn|fail};
2009-12-04 21:09:34 +00:00
Mark Andrews
5d850024cb
2800. [func] Reject zones which have NS records which refer to
CNAMEs, DNAMEs or don't have address record (class IN
only). Reject UPDATEs which would cause the zone
to fail the above checks if committed. [RT #20678 ]
2009-12-04 03:33:15 +00:00
Evan Hunt
8e4f3f1cbc
2799. [cleanup] Changed the "secure-to-insecure" option to
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
to "dnssec-dnskey-kskonly", for clarity. [RT #20586 ]
2009-12-03 23:18:17 +00:00
Evan Hunt
22304041d1
typo caused a missing semicolon
2009-12-03 16:49:09 +00:00
Evan Hunt
e6dda86e8b
2798. [bug] Addressed bugs in managed-keys initialization
and rollover. [RT #20683 ]
2009-12-03 15:40:03 +00:00
Vernon Schryver
5d9922e86f
Allow the optional filter-aaaa-on-v4 option in view statements to close #20635
2009-11-28 15:57:37 +00:00
Automatic Updater
2b2fc9b4df
update copyright notice
2009-11-25 23:49:22 +00:00
Mark Andrews
d0ca4e90e2
2786. [bug] Additional could be promoted to answer. [RT #20663 ]
2009-11-25 02:22:05 +00:00
Evan Hunt
cef109efa7
2780. [bug] dnssec-keygen -A none didn't properly unset the
activation date in all cases. [RT #20648 ]
2779. [bug] Dynamic key revocation could fail. [RT #20644 ]
2778. [bug] dnssec-signzone could fail when a key was revoked
without deleting the unrevoked version. [RT #20638 ]
2009-11-23 02:55:41 +00:00
Mark Andrews
a39a5f4d81
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438 ]
2009-11-17 23:55:18 +00:00
Automatic Updater
2d84cba8f4
update copyright notice
2009-11-04 23:48:18 +00:00
Mark Andrews
0181a0a92f
2747. [bug] Journal roll forwards failed to set the re-signing
time of RRSIGs correctly. [RT #20541 ]
2009-11-04 01:25:55 +00:00
Mark Andrews
a3285e811d
2746. [port] hpux: address signed/unsigned expansion mismatch of
dns_rbtnode_t.nsec. [RT #20542 ]
2009-11-04 01:18:19 +00:00
Evan Hunt
95f2377b4f
2739. [cleanup] Clean up API for initializing and clearing trust
anchors for a view. [RT #20211 ]
2009-10-27 22:46:13 +00:00
Mark Andrews
63d5a6f680
2736. [func] Improve the performance of NSEC signed zones with
more than a normal amount of glue below a delegation.
[RT #20191 ]
2009-10-27 04:46:58 +00:00
Evan Hunt
e8831e51c1
2735. [bug] dnssec-signzone could fail to read keys
that were specified on the command line with
full paths, but weren't in the current
directory. [RT #20421 ]
2009-10-27 03:59:45 +00:00