ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
29,134 Commits 589 Branches 805 Tags
2e40cc94dc5ed7753c7e8a3ff128d60dbb4e3e2b
Commit Graph

138 Commits

Author SHA1 Message Date
Matthijs Mekking
4d1ed1283a Also ignore configured revoked trusted anchors 2019-03-19 17:14:18 +01:00
Matthijs Mekking
1d45ad8f39 Ignore trust anchors using disabled algorithm 
More specifically: ignore configured trusted and managed keys that
match a disabled algorithm.  The behavioral change is that
associated responses no longer SERVFAIL, but return insecure.
 2019-03-19 17:14:18 +01:00
Evan Hunt
885a3d208e remove "dnssec-enable" from all system tests 2019-03-14 23:30:13 -07:00
Evan Hunt
c6939f0bd4 test correct occlusion of DNSSEC records 2019-02-28 15:00:38 -08:00
Evan Hunt
747035dcc5 fix test error 2019-02-20 19:44:37 -08:00
Evan Hunt
6661db9564 silence a spurious dnssec-keygen warning in the dnssec system test 
the occluded-key test creates both a KEY and a DNSKEY. the second
call to dnssec-keygen calls dns_dnssec_findmatchingkeys(), which causes
a spurious warning to be printed when it sees the type KEY record.
this should be fixed in dnssec.c, but the meantime this change silences
the warning by reversing the order in which the keys are created.
 2019-01-31 13:23:11 -08:00
Matthijs Mekking
17cdde1e56 Replace DSA with Reserved algorithm 2018-12-19 12:54:57 +01:00
Matthijs Mekking
6d976b37c1 Add dnssec-signzone tests with unsupported alg 
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.
 2018-12-19 12:54:31 +01:00
Mark Andrews
7e4b82103b check that DNSKEY and other occluded data are excluded from the delegating bitmap 2018-12-14 12:48:55 +11:00
Ondřej Surý
aeebcb4ae8 Run the dnssec system tests with set -e enabled 2018-12-10 19:47:32 +01:00
Ondřej Surý
ca7cadfa92 dnssec system test: Remove RSAMD5 usage and make script shellcheck compliant 2018-12-10 19:47:32 +01:00
Ondřej Surý
a160fecaa1 Replace RSAMD5 keys with keys using DEFAULT_ALGORITHM variable from conf.sh 2018-12-10 09:16:46 -08:00
Mark Andrews
06e218c421 verify that dnssec-signzone generates NSEC3 records with DNAME at the apex 2018-12-09 23:12:41 -05:00
Mark Andrews
7288d321ae remove re-signing race when testing dnskey-sig-validity 2018-06-27 07:27:07 -04:00
Ondřej Surý
2b8fab6828 Remove genrandom command and all usage of specific random files throughout the system test suite 2018-05-16 09:54:35 +02:00
Ondřej Surý
55a10b7acd Remove $Id markers, Principal Author and Reviewed tags from the full source tree 2018-05-11 13:17:46 +02:00
Ondřej Surý
3f66b8acb0 Update tests to not use '>&-' that closes file descriptor, but instead use correct redirection to '>/dev/null' 2018-05-11 12:44:27 +02:00
Evan Hunt
c592655c0f new option "dnskey-sig-validity" 
- overrides "sig-validity-interval" for DNSKEY, CDNSKEY and CDS RRSIGs
 2018-04-20 12:12:08 -07:00
Ondřej Surý
843d389661 Update license headers to not include years in copyright in all applicable files 2018-02-23 10:12:02 +01:00
Evan Hunt
0c559199bf final cleanup 
- add CHANGES note
- update copyrights and license headers
- add -j to the make commands in .gitlab-ci.yml to take
  advantage of parallelization in the gitlab CI process
 2018-02-22 22:58:15 -08:00
Evan Hunt
c032c54dda parallelize most system tests 2018-02-22 15:29:02 -08:00
Evan Hunt
45afdb2672 [master] remove default algorithm in dnssec-keygen 
4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
			the signing algorithm must be specified on
			the command line with the "-a" option.  Signing
			scripts that rely on the existing default behavior
			will break; use "dnssec-keygen -a RSASHA1" to
			repair them. (The goal of this change is to make
			it easier to find scripts using RSASHA1 so they
			can be changed in the event of that algorithm
			being deprecated in the future.) [RT #44755]
 2017-08-30 18:51:11 -07:00
Evan Hunt
6ce8a05f6c [master] update copyrights that had been missed recently 2017-04-23 17:06:00 -07:00
Tinderbox User
1f6505a424 update copyright notice / whitespace 2017-04-22 23:45:41 +00:00
Mukund Sivaraman
03be5a6b4e Improve performance for delegation heavy answers and also general query performance (#44029) 2017-04-22 09:22:44 +05:30
Mukund Sivaraman
dd7d1df874 Increase minimum RSA keygen size to 1024 bits (#36895) 2017-04-21 12:00:40 +05:30
Witold Krecicki
358dfaee18 4487. [test] Make system tests work on Windows. [RT #42931] 2016-10-19 17:18:42 +02:00
Mark Andrews
0c27b3fe77 4401. [misc] Change LICENSE to MPL 2.0. 2016-06-27 14:56:38 +10:00
Evan Hunt
5ecfee97ba [master] copyrights 2016-04-14 19:12:13 -07:00
Evan Hunt
3cd204c4a4 [master] fixed revoked key regression 
4436.	[bug]		Fixed a regression introduced in change #4337 which
			caused signed domains with revoked KSKs to fail
			validation. [RT #42147]
 2016-04-14 18:52:52 -07:00
Tinderbox User
4a7004f3ce update copyright notice / whitespace 2016-03-10 23:45:16 +00:00
Mark Andrews
7c52595464 4331. [func] When loading managed signed zones detect if the 
RRSIG's inception time is in the future and regenerate
                        the RRSIG immediately. [RT #41808]
 2016-03-10 17:01:08 +11:00
Tinderbox User
29756974c5 update copyright notice / whitespace 2015-02-06 23:45:21 +00:00
Evan Hunt
591389c7d4 [master] 5011 tests and fixes 
4056.	[bug]		Expanded automatic testing of trust anchor
			management and fixed several small bugs including
			a memory leak and a possible loss of key state
			information. [RT #38458]

4055.	[func]		"rndc managed-keys" can be used to check status
			of trust anchors or to force keys to be refreshed,
			Also, the managed keys data file has easier-to-read
			comments.  [RT #38458]
 2015-02-05 17:18:15 -08:00
Mark Andrews
a5c7cfbac4 3990. [testing] Add tests for unknown DNSSEC algorithm handling. 
[RT #37541]
 2014-10-30 11:05:26 +11:00
Tinderbox User
be484acb22 update copyright notice 2014-09-30 23:45:22 +00:00
Mark Andrews
c83b91fb63 3960. [bug] 'dig +sigchase' could loop forever. [RT #37220] 2014-10-01 07:06:20 +10:00
Mark Andrews
1c95f67232 use $PERL 2014-06-24 13:50:14 +10:00
Tinderbox User
5a31767b09 update copyright notice 2014-06-19 23:45:23 +00:00
Evan Hunt
b8a9632333 [master] complete NTA work 
3882.	[func]		By default, negative trust anchors will be tested
			periodically to see whether data below them can be
			validated, and if so, they will be allowed to
			expire early. The "rndc nta -force" option
			overrides this behvaior.  The default NTA lifetime
			and the recheck frequency can be configured by the
			"nta-lifetime" and "nta-recheck" options. [RT #36146]
 2014-06-18 16:50:38 -07:00
Tinderbox User
aa7b16ec2a update copyright notice 2014-01-21 23:46:16 +00:00
Evan Hunt
d58e33bfab [master] testcrypto.sh in system tests 
3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]
 2014-01-20 16:08:09 -08:00
Tinderbox User
eade480b33 update copyright notice 2013-12-13 23:46:17 +00:00
Evan Hunt
9b895f30f1 [master] fix insecure delegation across static-stub zones 
3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]
 2013-12-12 22:19:33 -08:00
Mark Andrews
2c089bf6d2 whitspace 2013-09-16 10:14:07 +10:00
Tinderbox User
63737247d1 update copyright notice 2013-09-05 23:46:16 +00:00
Mark Andrews
b5f4cc132e 3641. [bug] Handle changes to sig-validity-interval settings 
better. [RT #34625]
 2013-09-04 13:45:00 +10:00
Tinderbox User
377b774598 update copyright notice 2013-08-15 23:46:17 +00:00
Mark Andrews
7ace327795 3632. [bug] Signature from newly inactive keys were not being 
removed.  [RT #32178]
 2013-08-15 10:48:05 +10:00
Tinderbox User
cfa2326b5c update copyright notice 2013-03-14 23:46:11 +00:00