ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
23,355 Commits 589 Branches 805 Tags
3fe33590315cd5ab2af1f1b49e5ac36c9c195991
Commit Graph

98 Commits

Author SHA1 Message Date
Evan Hunt
cd249675a1 [v9_9] fixed revoked key regression 
4436.	[bug]		Fixed a regression introduced in change #4337 which
			caused signed domains with revoked KSKs to fail
			validation. [RT #42147]
 2016-04-14 18:54:09 -07:00
Tinderbox User
0208e57e6b update copyright notice / whitespace 2016-03-11 23:46:03 +00:00
Mark Andrews
af59b16e3d 4331. [func] When loading managed signed zones detect if the 
RRSIG's inception time is in the future and regenerate
                        the RRSIG immediately. [RT #41808]

(cherry picked from commit 7c52595464)
 2016-03-11 12:26:16 +11:00
Tinderbox User
2a71b08491 update copyright notice / whitespace 2015-05-28 23:46:13 +00:00
Mark Andrews
f381cb86da 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing 
key as per RFC 7344, Section 4.1. [RT #37215]

(cherry picked from commit 598b502695)
 2015-05-27 15:45:46 +10:00
Mark Andrews
bfef33cbe3 3990. [testing] Add tests for unknown DNSSEC algorithm handling. 
[RT #37541]

(cherry picked from commit a5c7cfbac4)
 2014-10-30 11:22:17 +11:00
Tinderbox User
aaa24cf075 update copyright notice 2014-09-30 23:47:13 +00:00
Mark Andrews
57acbfc9c7 3960. [bug] 'dig +sigchase' could loop forever. [RT #37220] 
(cherry picked from commit c83b91fb63)
 2014-10-01 07:18:49 +10:00
Tinderbox User
9b86fb9fda update copyright notice 2014-08-22 23:46:15 +00:00
Mark Andrews
007ef6f18e 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917 
(cherry picked from commit 840d6a4614)
 2014-08-22 16:33:11 +10:00
Evan Hunt
5409faef5e [v9_9] use posix-compatible shell in system tests 
3839.	[test]		Use only posix-compatible shell in system tests.
			[RT #35625]

(cherry picked from commit 60988462e5)
(cherry picked from commit 812cf443bb)
 2014-05-06 22:18:08 -07:00
Evan Hunt
a9eb392c55 [v9_9] testcrypto.sh in system tests 
3714.  [test]          System tests that need to test for cryptography
                       support before running can now use a common
                       "testcrypto.sh" script to do so. [RT #35213]
 2014-02-06 16:10:03 -08:00
Tinderbox User
02dc6a8b00 update copyright notice 2013-12-13 23:45:38 +00:00
Evan Hunt
0c0ce5f9a4 [v9_9] fix insecure delegation across static-stub zones 
3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]

(cherry picked from commit 9b895f30f1)
 2013-12-12 22:20:21 -08:00
ckb
66e472cd74 3356. [bug] Cap the TTL of signed RRsets when RRSIGs are 
approaching their expiry, so they don't remain
			in caches after expiry. [RT #26429]
 2012-07-25 17:12:57 -05:00
Tinderbox User
a2093c07a5 update copyright notice 2012-05-17 23:45:48 +00:00
Evan Hunt
e39b4d8054 Handle RRSIG signer case consistently 
3329.	[bug]	Handle RRSIG signer-name case consistently: We
		generate RRSIG records with the signer-name in
		lower case.  We accept them with any case, but if
		they fail to validate, we try again in lower case.
		[RT #27451]
 2012-05-17 10:59:07 -07:00
Evan Hunt
8047e7c06f re-remove cvsignore files 2012-03-05 08:29:31 -08:00
Evan Hunt
f94af76649 Revert "added gitignore, removed cvsignore" 
This reverts commit e8ae173655.
 2012-03-05 08:24:17 -08:00
Evan Hunt
e8ae173655 added gitignore, removed cvsignore 2012-03-03 23:24:11 -08:00
Evan Hunt
25845da41a 3203. [bug] Increase log level to 'info' for validation failures 
from expired or not-yet-valid RRSIGs. [RT #21796]
 2011-11-04 05:36:28 +00:00
Automatic Updater
6333ba02a5 update copyright notice 2011-03-21 23:47:21 +00:00
Mark Andrews
c2265bd341 adjust rt23702 test to take less time 2011-03-21 20:31:22 +00:00
Mark Andrews
5095e72ac3 3083. [bug] NOTIFY messages were not being sent when generating 
a NSEC3 chain incrementally. [RT #23702]
 2011-03-21 01:02:39 +00:00
Mark Andrews
eff7f78bc6 3061. [func] New option "dnssec-signzone -D", only write out 
generated DNSSEC records. [RT #22896]
 2011-03-05 06:35:41 +00:00
Francis Dupont
664917beda Use RRSIG original TTL in validated RRset TTL [RT #23332] 2011-02-28 14:21:35 +00:00
Mark Andrews
4f07b2b00c 3040. [bug] Named failed to validate insecure zones where a node 
with a CNAME existed between the trust anchor and the
                        top of the zone. [RT #23338]
 2011-02-23 11:30:35 +00:00
Automatic Updater
c41b2924a5 update copyright notice 2011-02-15 23:47:36 +00:00
Mark Andrews
b1b42b03b7 3020. [bug] auto-dnssec failed to correctly update the zone when changing the DNSKEY RRset. [RT #23232] 2011-02-15 22:02:36 +00:00
Mark Andrews
c5fa370695 3019. [func] Test: check apex NSEC3 records after adding DNSKEY 
record via UPDATE. [RT #23229]
 2011-02-14 23:53:44 +00:00
Automatic Updater
33cc94f04c update copyright notice 2010-11-17 23:47:09 +00:00
Mark Andrews
a27b3757fd 2968. [security] Named could fail to prove a data set was insecure 
before marking it as insecure.  One set of conditions
                        that can trigger this occurs naturally when rolling
                        DNSKEY algorithms.  [RT #22309]
 2010-11-16 01:14:51 +00:00
Mark Andrews
240a7dc59d 2951. [bug] named failed to generate a correct signed response 
in a optout, delegation only zone with no secure
                        delegations. [RT #22007]
 2010-09-07 00:58:36 +00:00
Automatic Updater
2b43d1d8c5 update copyright notice 2010-08-13 23:47:04 +00:00
Mark Andrews
c73d8c1b72 2938. [bug] When skipping NSEC3 records that don't match the 
current NSEC3PARAM record in use for zone named
                        could dereference a uninitialised pointer attempting
                        to obtain a lock. [RT# 21868]
 2010-08-13 06:46:25 +00:00
Automatic Updater
6bb1560124 update copyright notice 2010-01-18 23:48:40 +00:00
Evan Hunt
e11a0c114c 2841. [func] Added "smartsign" and improved "autosign" and 
"dnssec" regression tests. [RT #20865]
 2010-01-18 19:19:31 +00:00
Tatuya JINMEI 神明達哉
d8680445d6 2828. [security] Cached CNAME or DNAME RR could be returned to clients 
without DNSSEC validation. [RT #20737]

9.4-ESV, 9.5.3, 9.6.2, 9.7.0, 9.8.0(?)
 2009-12-30 08:02:23 +00:00
Mark Andrews
c6d2578fd6 2741. [func] Allow the dnssec-keygen progress messages to be 
suppressed (dnssec-keygen -q).  Automatically
                        suppress the progress messages when stdin is not
                        a tty. [RT #20474]
 2009-10-28 00:27:10 +00:00
Automatic Updater
990dca4605 update copyright notice 2009-10-27 23:47:45 +00:00
Mark Andrews
e09cdbac08 2738. [func] Add RSASHA256 and RSASHA512 tests to the dnssec system 
test. [RT #20453]
 2009-10-27 22:25:37 +00:00
Evan Hunt
553ead32ff 2636. [func] Simplify zone signing and key maintenance with the 
dnssec-* tools.  Major changes:
			- all dnssec-* tools now take a -K option to
			  specify a directory in which key files will be
			  stored
			- DNSSEC can now store metadata indicating when
			  they are scheduled to be published, acttivated,
			  revoked or removed; these values can be set by
			  dnssec-keygen or overwritten by the new
			  dnssec-settime command
			- dnssec-signzone -S (for "smart") option reads key
			  metadata and uses it to determine automatically
			  which keys to publish to the zone, use for
			  signing, revoke, or remove from the zone
			[RT #19816]
 2009-07-19 04:18:05 +00:00
Automatic Updater
39844d4710 update copyright notice 2009-06-04 02:56:47 +00:00
Mark Andrews
2534a73a59 2608. [func] Perform post signing verification checks in 
dnssec-signzone.  These can be disabled with -P.

                        The post sign verification test ensures that for each
                        algorithm in use there is at least one non revoked
                        self signed KSK key.  That all revoked KSK keys are
                        self signed.  That all records in the zone are signed
                        by the algorithm.  [RT #19653]
 2009-06-04 02:13:37 +00:00
Automatic Updater
3398334b3a update copyright notice 2008-09-25 04:02:39 +00:00
Mark Andrews
6098d364b6 2448. [func] Add NSEC3 support. [RT #15452] 2008-09-24 02:46:23 +00:00
Automatic Updater
70e5a7403f update copyright notice 2007-06-19 23:47:24 +00:00
Automatic Updater
ec5347e2c7 update copyright notice 2007-06-18 23:47:57 +00:00
Mark Andrews
d6b5e0b0e8 update copyright notice 2006-03-10 00:23:21 +00:00
Mark Andrews
cfe92110ce 2007. [func] It is now possible to explicitly enable DNSSEC 
validation.  default dnssec-validation no; to
                        be changed to yes in 9.5.0.  [RT #15674]
 2006-03-09 23:21:54 +00:00