Commit Graph

452 Commits

Author SHA1 Message Date
Mukund Sivaraman
e315a20bd4 Validate glue before adding it to the additional section (#45062)
(cherry picked from commit b0dbcba2d2)
(cherry picked from commit fec9247b8f)
(cherry picked from commit b958488b2e)
2017-04-21 16:03:28 +05:30
Mark Andrews
35ca802c7b 4575. [security] Dns64 with break-dnssec yes; can result in a
assertion failure. (CVE-2017-3136) [RT #44653]

(cherry picked from commit 3bce12e4b6)
2017-02-15 12:24:33 +11:00
Mark Andrews
eaa394fcfa address rpz version issue 2017-01-24 11:21:55 +11:00
Mark Andrews
4b843e0cc8 4556. [security] Combining dns64 and rpz can result in dereferencing
a NULL pointer (read).  (CVE-2017-3135) [RT#44434]

(cherry picked from commit 5abe80ef13)
2017-01-24 09:56:20 +11:00
Tinderbox User
3d51a06d9d update copyright notice / whitespace 2017-01-19 23:47:43 +00:00
Mark Andrews
3f4d134e72 use TCP macro
(cherry picked from commit 2fa1676380)
2017-01-19 13:14:11 +11:00
Mark Andrews
3a125854c9 4472. [bug] Named could fail to find the correct NSEC3 records when
a zone was update between looking for the answer and
                        looking for the NSEC3 records proving non-existance
                        of the answer. [RT #43247]
2016-10-05 10:41:05 +11:00
Mark Andrews
0ba8ac54c7 also cleanup node 2016-06-03 18:35:07 +10:00
Mark Andrews
e4ae68f50c detach before restore 2016-06-03 18:34:59 +10:00
Mark Andrews
944b398582 reset zversion on restart
(cherry picked from commit b4750b5991)
2016-06-03 14:33:52 +10:00
Mark Andrews
cb735b3f90 fix merge error 2016-05-27 18:39:33 +10:00
Mark Andrews
dfdf6773a6 REDIRECT macro is 9.11.0+ 2016-05-27 10:06:42 +10:00
Mark Andrews
c3fbf330bc 4377. [bug] Don't reuse zero TTL responses beyond the current
client set (excludes ANY/SIG/RRSIG queries).
                        [RT #42142]

(cherry picked from commit aabcb1fde0)
2016-05-27 10:05:52 +10:00
Tinderbox User
addd839e4a update copyright notice / whitespace 2016-05-26 23:46:02 +00:00
Mark Andrews
900a63cb04 4374. [bug] Use SAVE/RESTORE macros in query.c to reduce the
probability of reference counting errors as seen
                        in 4365. [RT #42405]

(cherry picked from commit ac11084829)
2016-05-26 13:37:43 +10:00
Mukund Sivaraman
65f562e5e4 Code cleanups (#41656)
(cherry picked from commit 9da98335c1)
(cherry picked from commit b15dde2889)
2016-03-04 13:00:43 +05:30
Mark Andrews
87c8fae1dc add missing line break
(cherry picked from commit 68ecf1c9a5)
2016-02-04 11:52:24 +11:00
Mark Andrews
04e34494ea 4313. [bug] Handle ns_client_replace failures in test mode.
[RT #41190]

(cherry picked from commit d88ba93712)
2016-02-03 15:04:06 +11:00
Evan Hunt
70280057b4 [v9_9] expanded query trace logging
4300.	[cleanup]	Added new querytrace logging. [RT #41155]
2016-01-22 14:33:50 -08:00
Tinderbox User
7b7d845166 update copyright notice / whitespace 2016-01-21 23:46:08 +00:00
Evan Hunt
4b8c357439 [v9_9] hold 2016-01-20 17:32:39 -08:00
Mark Andrews
b1fd8ee3ad 4281. [bug] Teach dns_message_totext about BADCOOKIE. [RT #41257]
(cherry picked from commit f647c0df9f)

Conflicts:
	CHANGES
	bin/named/query.c
	bin/tests/system/sit/tests.sh
	lib/dns/message.c

(cherry picked from commit d090709551)

Conflicts:
	CHANGES
2015-12-15 20:10:37 +11:00
Mark Andrews
3b8f8695af 4227. [bug] Silence static analysis warnings. [RT #40828
(cherry picked from commit 2a12984ce6)
2015-09-30 14:35:42 +10:00
Mark Andrews
17747a8059 make macro name match category name
(cherry picked from commit 4d085258cc)
2015-09-29 15:05:53 +10:00
Mark Andrews
1c33552240 4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
(cherry picked from commit 29d52c001f)
(cherry picked from commit a55c3151b2)
2015-03-03 16:52:02 +11:00
Mukund Sivaraman
e62afa3177 Add a --enable-querytrace configure switch for very verbose query tracelogging (#37520)
(cherry picked from commit 1783676a64)
(cherry picked from commit b83c20df65)

Conflicts:
	CHANGES
	config.h.in
	configure
	configure.in
2015-02-26 17:04:18 +05:30
Evan Hunt
ec856a0ed6 [v9_9] add better servfail logging
3937.	[func]		Added some debug logging to better indicate the
			conditions causing SERVFAILs when resolving.
			[RT #35538]

(cherry picked from commit f5c24a7f48)
(cherry picked from commit 09a87d841f)
2015-02-25 16:05:45 -08:00
Evan Hunt
adf9e1c676 [v9_9] silence RPZ log messages
4050.	[cleanup]	Silence occasional spurious "duplicate query" log
			messages from RPZ. [RT #38510]
2015-02-10 15:03:05 -08:00
Mukund Sivaraman
015371d584 Fix a leak of query fetchlock (#38454)
4052.	[bug]		Fix a leak of query fetchlock. [RT #38454]

Conflicts:
	CHANGES
2015-02-03 11:54:16 +05:30
Tinderbox User
9cbd625449 update copyright notice / whitespace 2015-01-20 23:47:26 +00:00
Evan Hunt
57f015bd2a [v9_9] clean up gcc -Wshadow warnings
4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
2015-01-20 14:55:41 -08:00
Evan Hunt
1d47cb124d [v9_9] refactor max-recursion-queries
- the counters weren't set correctly when fetches timed out.
  instead we now pass down a counter object.

(cherry picked from commit 05e448935c)
(cherry picked from commit 6c049c57d9)
2014-11-19 18:38:52 -08:00
Evan Hunt
603a0e2637 [v9_9] limit recursion depth and iterative queries
4006.	[security]	A flaw in delegation handling could be exploited
			to put named into an infinite loop.  This has
			been addressed by placing limits on the number
			of levels of recursion named will allow (default 7),
			and the number of iterative queries that it will
			send (default 50) before terminating a recursive
			query (CVE-2014-8500).

			The recursion depth limit is configured via the
			"max-recursion-depth" option.  [RT #35780]
2014-11-17 23:49:07 -08:00
Evan Hunt
b2630b7363 [v9_9] fix nxrrset in nxdomain redirection
4000.	[bug]		NXDOMAIN redirection incorrectly handled NXRRSET
			from the redirect zone. [RT #37722]

(cherry picked from commit 3cc8c7d630)
(cherry picked from commit 56293cd148)
2014-11-04 23:54:25 -08:00
Mark Andrews
fb7f157cd8 3921. [bug] AD was inappopriately set on RPZ responses. [RT #36833]
(cherry picked from commit cef76ee5bd)
(cherry picked from commit 0597c5fd5e)
2014-08-22 15:46:54 +10:00
Tinderbox User
3a1808bb0c update copyright notice 2014-07-31 23:46:06 +00:00
Mark Andrews
570effe386 3904. [func] Add the RPZ SOA to the additional section. [RT36507]
(cherry picked from commit 3a55d43527)
2014-07-31 10:53:33 +10:00
Mark Andrews
c1c8bd9171 More changes for:
3864.   [bug]           RPZ didn't work well when being used as forwarder.
                        [RT #36060]
2014-05-30 08:53:42 +10:00
Mark Andrews
e10c6afa15 3864. [bug] RPZ didn't work well when being used as forwarder.
[RT #36060]
2014-05-29 17:35:14 +10:00
Mark Andrews
1f03f95c2a 3842. [bug] Adjust RRL log-only logging category. [RT #35945]
(cherry picked from commit 2c172a42b3)
2014-05-11 11:00:26 +10:00
Evan Hunt
b469c7b50c [v9_9] fix misuses of isc__buffer functions, update comment 2014-03-06 17:25:02 -08:00
Tinderbox User
864ca7ce33 update copyright notice 2014-01-09 23:45:53 +00:00
Evan Hunt
8c7ce6d3e6 [v9_9] replace memcpy() with memmove().
3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]

(cherry picked from commit ebe54c7d2221c6a0a4b3d96bcae3280c823a45e6)
2014-01-08 16:38:56 -08:00
Mark Andrews
c781dea647 3693. [security] memcpy was incorrectly called with overlapping
ranges resulting in malformed names being generated
                        on some platforms.  This could cause INSIST failures
                        when serving NSEC3 signed zones.  [RT #35120]

(cherry picked from commit fa467e60c5)
2013-12-20 10:59:01 +11:00
Mark Andrews
1550e4aa95 3674. [bug] RPZ zeroed ttls if the query type was '*'. [RT #35026]
(cherry picked from commit 225146b2c8)
2013-11-18 11:24:24 +11:00
Mark Andrews
2b9e561f05 3636. [bug] Automatic empty zones now behave better with
forward only "zones" beneath them. [RT #34583]

(cherry picked from commit 997c2c5116)
2013-08-19 09:19:03 +10:00
Mark Andrews
310bcbf417 3631. [bug] Remove spurious warning about missing signatures when
qtype is SIG. [RT #34600]

(cherry picked from commit 06ace051e7)
2013-08-15 08:05:56 +10:00
Evan Hunt
fbae832784 [v9_9] improve RRL handling of deferrals and slipped NXDOMAIN
3590.	[bug]		When using RRL on recursive servers, defer
			rate-limiting until after recursion is complete;
			also, use correct rcode for slipped NXDOMAIN
			responses.  [RT #33604]
(cherry picked from commit 89be55dc90)
2013-06-08 13:20:02 -07:00
Evan Hunt
6260eef2be [v9_9] backport RRL to 9.9.x
This incorporates the following changes, plus a new configure
option "--enable-rrl" to turn them on:

3575.	[func]		Changed the logging category for RRL events from
			'queries' to 'query-errors'. [RT #33540]

3554.	[bug]		RRL failed to correctly rate-limit upward
			referrals and failed to count dropped error
			responses in the statistics. [RT #33225]

3545.	[bug]		RRL slip behavior was incorrect when set to 1.
			[RT #33111]

3518.	[bug]		Increase the size of dns_rrl_key.s.rtype by one bit
			so that all dns_rrl_rtype_t enum values fit regardless
			of whether it is teated as signed or unsigned by
			the compiler. [RT #32792]

3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
			amplification attacks by rate-limiting substantially-
			identical responses. To enable, use "configure
			--enable-rrl". [RT #28130]
2013-06-07 12:47:11 -07:00
Evan Hunt
55bbac8bfe [v9_9] RPZ speed up (phase 1, single RPZ)
3496.	[func]		Improvements to RPZ performance. The "response-policy"
			syntax now includes a "min-ns-dots" clause, with
			default 1, to exclude top-level domains from
			NSIP and NSDNAME checking. --enable-rpz-nsip and
                        --enable-rpz-nsdname are now the default. [RT #32251]

    Response policy (rpz) changes to
      - add zone statistics
      - speed up by adding min-ns-dots to the response-policy syntax
         with a default of 1
      - detect and reject policy zones with a database other than rbt
         only rbtdb has rpz hooks
      - allow empty response-policy{} statement
      - make --enable-rpz-nsip and --enable-rpz-nsdname the default
2013-02-25 14:32:36 -08:00