Commit Graph
58 Commits
Author SHA1 Message Date
Michał KępieńandEvan Hunt 911836509e Apply raw zone deltas to yet unsigned secure zones
When inline signing is enabled for a zone without creating signing keys
for it, changes subsequently applied to the raw zone will not be
reflected in the secure zone due to the dns_update_signaturesinc() call
inside receive_secure_serial() failing.  Given that an inline zone will
be served (without any signatures) even with no associated signing keys
being present, keep applying raw zone deltas to the secure zone until
keys become available in an attempt to follow the principle of least
astonishment.

(cherry picked from commit 6acf326969)
(cherry picked from commit 8a58a60772)
2018-04-25 12:09:53 -07:00
Evan Hunt 8b205089b7 update file headers to remove copyright years 2018-03-14 16:40:20 -07:00
Evan Hunt 167fa161d1 parallelize most system tests
(cherry picked from commit c032c54dda)
(cherry picked from commit 2b81f322cb)
2018-02-23 13:23:31 -08:00
Tinderbox User d2017ba188 update copyright notice / whitespace 2018-01-03 23:46:13 +00:00
Mark Andrews adfe58e8e5 4856. [bug] 'rndc zonestatus' reported the wrong underlying type
for a inline slave zone. [RT #46875]

(cherry picked from commit 0b27aa0712)
2018-01-04 10:12:15 +11:00
Mark Andrews 0d6328ce5f 4840. [test] Add tests to cover fallback to using ZSK on inactive
KSK. [RT #46787]

(cherry picked from commit 32d09cd7e0)
2017-12-06 20:38:26 +11:00
Evan Hunt 95d40c1e9d [v9_11] fix test descriptions 2017-12-04 15:49:13 -08:00
Mark Andrews bf459d24a1 4837. [bug] dns_update_signatures{inc} (add_sigs) was not
properly determining if there were active KSK and
                        ZSK keys for a algorithm when update-check-ksk is
                        true (default) leaving records unsigned. [RT #46743]

(cherry picked from commit 196e01da5f)
2017-12-04 10:04:58 +11:00
Michał Kępień 62f2fefaec [v9_11] Prevent possible infinite signing loop after retransferring an inline-signed slave using NSEC3
4727.	[bug]		Retransferring an inline-signed slave using NSEC3
			around the time its NSEC3 salt was changed could result
			in an infinite signing loop. [RT #45080]

(cherry picked from commit f665c724e4)
2017-09-18 09:23:18 +02:00
Tinderbox User bd911976d5 update copyright notice / whitespace 2017-09-13 23:52:25 +00:00
Mark Andrews a27226b849 give more time for the initial signing of bits in the inline signing test to complete
(cherry picked from commit e930487ce7)
2017-09-13 12:19:42 +10:00
Mark Andrews 0c27b3fe77 4401. [misc] Change LICENSE to MPL 2.0. 2016-06-27 14:56:38 +10:00
Tinderbox User dce54b9b5c update copyright notice / whitespace 2016-06-14 23:45:25 +00:00
Mark Andrews 3635d8f910 do not overflow exit status. [RT #42643] 2016-06-14 13:48:39 +10:00
Mark Andrews d65fb496fb use perl not awk to do serial additions 2014-11-21 18:08:04 +11:00
Evan Hunt 0ada3802ea [master] awk portability fix 2014-11-17 12:22:18 -08:00
Mark Andrews 4140a96f22 3987. [func] Allow the zone serial of a dynamically updatable
zone to be updated via rndc. [RT #37404]
2014-10-21 18:15:42 +11:00
Evan Hunt a878301981 [master] servfail cache
3943.	[func]		SERVFAIL responses can now be cached for a
			limited time (configured by "servfail-ttl",
			default 10 seconds, limit 30). This can reduce
			the frequency of retries when an authoritative
			server is known to be failing, e.g., due to
			ongoing DNSSEC validation problems. [RT #21347]
2014-09-03 23:28:14 -07:00
Mark Andrews 62275d5306 make test for nsec3param more robust 2014-06-27 15:50:51 +10:00
Evan Hunt d58e33bfab [master] testcrypto.sh in system tests
3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]
2014-01-20 16:08:09 -08:00
Evan Hunt 12bf5d4796 [master] address several issues with native pkcs11 2014-01-18 11:51:07 -08:00
Mark Andrews e20788e121 update copyrights 2014-01-16 15:19:24 +11:00
Evan Hunt ba751492fc [master] native PKCS#11 support
3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]
2014-01-14 15:40:56 -08:00
Curtis Blackburn 8009525601 3682. [bug] Correct the behavior of rndc retransfer to allow
inline-signing slave zones to retain NSEC3 parameters instead of
			reverting to NSEC [RT #34745]
2013-12-04 12:26:20 -06:00
Mark Andrews 6b0434299b 3671. [bug] Don't allow dnssec-importkey overwrite a existing
non-imported private key.
2013-11-13 12:01:09 +11:00
Mark Andrews 88a6dc33b7 only generate DSA/ECDSA signatures in named if we have a source of randomness and only on specific platforms 2013-09-19 10:40:38 +10:00
Mark Andrews 3d3aa9cde6 use -r rather then -f 2013-09-09 12:19:30 +10:00
Mark Andrews 23c73a1848 only test dsa if we have a random device 2013-09-09 11:42:58 +10:00
Evan Hunt 690bd6bf5d [master] fix inline test, add importkey to win32 build 2013-09-04 18:56:50 -07:00
Mark Andrews 5b9469c0db test for ECDSAP256SHA256 support 2013-09-04 22:33:31 +10:00
Mark Andrews 0c91911b4d 3642. [func] Allow externally generated DNSKEY to be imported
into the DNSKEY management framework.  A new tool
                        dnssec-importkey is used to this. [RT #34698]
2013-09-04 13:53:02 +10:00
Mark Andrews d1e22676de 3635. [bug] Signatures were not being removed from a zone with
only KSK keys for a algorithm. [RT #24439]
2013-08-15 13:37:07 +10:00
Evan Hunt 1d26c6b9b8 [master] count the test cases correctly 2013-07-09 22:52:43 -07:00
Evan Hunt 927e4c9fec [master] address race conditions with removing inline zones
3513.	[bug]		named could crash when deleting inline-signing
			zones with "rndc delzone". [RT #34066]
2013-07-09 17:39:21 -07:00
Tinderbox User 6d4487398e update copyright notice 2013-05-29 23:46:19 +00:00
Mark Andrews 5f238c3c64 3577. [bug] Handle zero TTL values better. [RT #33411] 2013-05-29 18:10:11 +10:00
Mark Andrews c3c30fc43c force integer output 2012-11-17 23:58:50 +11:00
Mark Andrews de0fd68097 3398. [bug] SOA parameters were not being updated with inline
signed zones if the zone was modified while the
                        server was offline. [RT #29272]
2012-10-19 10:25:06 +11:00
Mark Andrews bf8267aa45 reverse bad copyright update 2012-06-29 11:39:47 +10:00
Tinderbox User 247bf37860 update copyright notice 2012-06-29 01:22:18 +00:00
Mark Andrews 1864400107 3289. [bug] 'rndc retransfer' failed for inline zones. [RT #28036] 2012-02-23 06:53:15 +00:00
Evan Hunt c54dadd853 3270. [bug] "rndc reload" didn't reuse existing zones correctly
when inline-signing was in use. [RT #27650]
2012-01-31 01:13:10 +00:00
Mark Andrews bfe720adb5 reverse accidental commit 2012-01-17 08:26:03 +00:00
Mark Andrews 00164c8db2 fetches in progress/buckets 2012-01-16 08:35:09 +00:00
Evan Hunt a06e0a14cc use test -f; solaris doesn't support test -e 2012-01-12 00:37:18 +00:00
Automatic Updater edb4393ef5 update copyright notice 2012-01-10 23:46:58 +00:00
Evan Hunt 9a02019889 3264. [bug] Automatic regeneration of signatures in an
inline-signing zone could stall when the server
			was restarted. [RT #27344]

3263.	[bug]		"rndc sync" did not affect the unsigned side of an
			inline-signing zone. [RT #27337]
2012-01-10 18:13:37 +00:00
Evan Hunt f30785f506 3252. [bug] When master zones using inline-signing were
updated while the server was offline, the source
			zone could fall out of sync with the signed
			copy. They can now resynchronize. [RT #26676]
2011-12-22 07:32:41 +00:00
Mark Andrews b290d10fc4 3245. [bug] Don't report a error unchanged serials unless there
were other changes when thawing a zone with
                        ixfr-fromdifferences. [RT #26845]
2011-12-19 23:46:13 +00:00
Mark Andrews e238ebd9b3 Backout accident commit to head 2011-12-09 22:09:26 +00:00