Commit Graph
1523 Commits
Author SHA1 Message Date
Mark Andrews 0a2897853b 2963. [security] The allow-query acl was being applied instead of the
allow-query-cache acl to cache lookups. [RT #22114]
2010-09-24 05:54:06 +00:00
Mark Andrews 30579c29be 2943. [func] Add support to load new keys into managed zones
without signing immediately with "rndc loadkeys".
                        Add support to link keys with "dnssec-keygen -S"
                        and "dnssec-settime -S".  [RT #21351]
2010-08-16 22:27:18 +00:00
Automatic Updater 770279e013 update copyright notice 2010-08-13 23:46:29 +00:00
Evan Hunt 0658d99891 2936. [func] Improved configuration syntax and multiple-view
support for addzone/delzone feature (see change
			#2930).  Removed "new-zone-file" option, replaced
			with "allow-new-zones (yes|no)".  The new-zone-file
			for each view is now created automatically, with
			a filename generated from a hash of the view name.
			It is no longer necessary to "include" the
			new-zone-file in named.conf; this happens
			automatically.  Zones that were not added via
			"rndc addzone" can no longer be removed with
			"rndc delzone". [RT #19447]
2010-08-11 18:19:59 +00:00
Evan Hunt 92f39ccb5b 2930. [experimental] New "rndc addzone" and "rndc delzone" commads
allow dynamic addition and deletion of zones.
			To enable this feature, specify a "new-zone-file"
			option at the view or options level in named.conf.
			Zone configuration information for the new zones
			will be written into that file.  To make the new
			zones persist after a restart, "include" the file
			into named.conf in the appropriate view.  (Note:
			This feature is not yet documented, and its syntax
			is expected to change.) [RT #19447]
2010-07-11 00:12:19 +00:00
Automatic Updater 98afc1a6dd update copyright notice 2010-07-09 23:46:27 +00:00
Evan Hunt 59c9c71f36 2929. [bug] Improved handling of GSS security contexts:
- added LRU expiration for generated TSIGs
			 - added the ability to use a non-default realm
                         - added new "realm" keyword in nsupdate
			 - limited lifetime of generated keys to 1 hour
			   or the lifetime of the context (whichever is
			   smaller)
			[RT #19737]
2010-07-09 05:14:08 +00:00
Mark Andrews 9777316c64 2924. [func] 'rndc secroots' dump a combined summary of the
current managed keys combined with trusted keys.
                        [RT #20904]
2010-06-25 03:51:07 +00:00
Mark Andrews 13ce1be5d3 2920. [func] Allow 'filter-aaaa-on-v4' to be applied selectively
to IPv4 clients.  New acl 'filter-aaaa' (default any).
2010-06-22 04:04:22 +00:00
Automatic Updater db8dce00b0 update copyright notice 2010-06-04 23:50:01 +00:00
Mark Andrews 2b631b5d6f remove trailing comma 2010-06-04 00:14:53 +00:00
Automatic Updater e08a20aa98 update copyright notice 2010-05-18 02:35:12 +00:00
Mark Andrews 0517d21ebd 2897. [bug] NSEC3 chains could be left behind when transitioning
to insecure. [RT #21040]
2010-05-18 01:40:35 +00:00
Automatic Updater 71324ae046 update copyright notice 2010-05-14 23:49:21 +00:00
Mark Andrews 812b6d8d11 2893. [bug] Improve managed keys support. New named.conf option
managed-keys-directory. [RT #20924]
2010-05-14 04:49:40 +00:00
Mark Andrews d133eb632a 2892. [bug] Handle REVOKED keys better. [RT #20961] 2010-05-14 04:41:12 +00:00
Mark Andrews 0463ffd804 2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]
2010-05-14 00:16:32 +00:00
Automatic Updater efc6a99370 update copyright notice 2010-05-10 23:49:42 +00:00
Mark Andrews d779f5e15d 2881. [bug] Reduce the amount of time the rbtdb write lock
is held when closing a version. [RT #21198]
2010-05-10 01:41:11 +00:00
Automatic Updater e1bd9f2ed3 update copyright notice 2010-02-25 05:25:53 +00:00
Mark Andrews 8a98023414 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] 2010-02-25 05:05:09 +00:00
Evan Hunt 96c51eadc9 Commit to v9_7 some changes that had been left out:
2838.	[bug]		A KSK revoked by named could not be deleted.
			[RT #20881]

2837.	[port]		Prevent Linux spurious warnings about fwrite().
			[RT #20812]
2010-01-13 19:31:53 +00:00
Automatic Updater 8bd217efdb update copyright notice 2009-12-30 23:48:30 +00:00
Tatuya JINMEI 神明達哉 6ca6cc975f 2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]

9.4-ESV, 9.5.3, 9.6.2, 9.7.0, 9.8.0(?)
2009-12-30 08:33:41 +00:00
Evan Hunt a2ba550880 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 2009-12-30 06:46:36 +00:00
Mark Andrews 2b662f27f6 2824. [bug] "rndc sign" was not being run by the correct task.
[RT #20759]
2009-12-29 22:23:01 +00:00
Evan Hunt 5f7159f897 2819. [cleanup] Removed unnecessary DNS_POINTER_MAXHOPS define
[RT #20771]
2009-12-24 00:35:21 +00:00
Evan Hunt 7290687619 2813. [bug] Better handling of unreadable DNSSEC key files.
[RT #20710]

2812.	[bug]		Make sure updates can't result in a zone with
			NSEC-only keys and NSEC3 records. [RT 20748]
2009-12-18 22:13:54 +00:00
Automatic Updater 4b6dc226f7 update copyright notice 2009-12-04 22:06:37 +00:00
Mark Andrews 3d17a3ba61 2801. [func] Detect and report records that are different according
to DNSSEC but are sematically equal according to plain
                        DNS.  Apply plain DNS comparisons rather than DNSSEC
                        comparisons when processing UPDATE requests.
                        dnssec-signzone now removes such semantically duplicate
                        records prior to signing the RRset.

                        named-checkzone -r {ignore|warn|fail} (default warn)
                        named-compilezone -r {ignore|warn|fail} (default warn)

                        named.conf: check-dup-records {ignore|warn|fail};
2009-12-04 21:09:34 +00:00
Mark Andrews 5d850024cb 2800. [func] Reject zones which have NS records which refer to
CNAMEs, DNAMEs or don't have address record (class IN
                        only).  Reject UPDATEs which would cause the zone
                        to fail the above checks if committed. [RT #20678]
2009-12-04 03:33:15 +00:00
Evan Hunt 8e4f3f1cbc 2799. [cleanup] Changed the "secure-to-insecure" option to
"dnssec-secure-to-insecure", and "dnskey-ksk-only"
			to "dnssec-dnskey-kskonly", for clarity. [RT #20586]
2009-12-03 23:18:17 +00:00
Evan Hunt 22304041d1 typo caused a missing semicolon 2009-12-03 16:49:09 +00:00
Evan Hunt e6dda86e8b 2798. [bug] Addressed bugs in managed-keys initialization
and rollover. [RT #20683]
2009-12-03 15:40:03 +00:00
Vernon Schryver 5d9922e86f Allow the optional filter-aaaa-on-v4 option in view statements to close #20635 2009-11-28 15:57:37 +00:00
Automatic Updater 2b2fc9b4df update copyright notice 2009-11-25 23:49:22 +00:00
Mark Andrews d0ca4e90e2 2786. [bug] Additional could be promoted to answer. [RT #20663] 2009-11-25 02:22:05 +00:00
Evan Hunt cef109efa7 2780. [bug] dnssec-keygen -A none didn't properly unset the
activation date in all cases. [RT #20648]

2779.	[bug]		Dynamic key revokation could fail. [RT #20644]

2778.	[bug]		dnssec-signzone could fail when a key was revoked
			without deleting the unrevoked version. [RT #20638]
2009-11-23 02:55:41 +00:00
Mark Andrews a39a5f4d81 2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
                        validates as secure. [RT #20438]
2009-11-17 23:55:18 +00:00
Automatic Updater 2d84cba8f4 update copyright notice 2009-11-04 23:48:18 +00:00
Mark Andrews 0181a0a92f 2747. [bug] Journal roll forwards failed to set the re-signing
time of RRSIGs correctly. [RT #20541]
2009-11-04 01:25:55 +00:00
Mark Andrews a3285e811d 2746. [port] hpux: address signed/unsigned expansion mismatch of
dns_rbtnode_t.nsec. [RT #20542]
2009-11-04 01:18:19 +00:00
Evan Hunt 95f2377b4f 2739. [cleanup] Clean up API for initializing and clearing trust
anchors for a view. [RT #20211]
2009-10-27 22:46:13 +00:00
Mark Andrews 63d5a6f680 2736. [func] Improve the performance of NSEC signed zones with
more than a normal amount of glue below a delegation.
                        [RT #20191]
2009-10-27 04:46:58 +00:00
Evan Hunt e8831e51c1 2735. [bug] dnssec-signzone could fail to read keys
that were specified on the command line with
			full paths, but weren't in the current
			directory. [RT #20421]
2009-10-27 03:59:45 +00:00
Automatic Updater 5f744ebbdc update copyright notice 2009-10-26 23:47:35 +00:00
Evan Hunt c8aa7ce70d 2732. [func] Add optional filter-aaaa-on-v4 option, available
if built with './configure --enable-filter-aaaa'.
			Filters out AAAA answers to clients connecting
			via IPv4.  (This is NOT recommended for general
			use.) [RT #20339]
2009-10-26 23:14:54 +00:00
Evan Hunt c021499604 2731. [func] Additional work on change 2709. The key parser
will now ignore unrecognized fields when the
			minor version number of the private key format
			has been increased.  It will reject any key with
			the major version number increased. [RT #20310]
2009-10-26 21:18:24 +00:00
Francis Dupont 775a8d86d9 keygen progress indication [RT #20284] 2009-10-24 09:46:19 +00:00
Evan Hunt cc6cddfd94 2726. [func] Added support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512. [RT #20023]
2009-10-22 02:21:31 +00:00