Tatuya JINMEI 神明達哉
59721b321d
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
9.4-ESV, 9.5.3, 9.6.2, 9.7.0, 9.8.0(?)
Additional notes specific to 9.4-ESV:
- I needed to explicitly enable dnssec-validation in "pending" system tests
because it's disabled by default for 9.4. This is not a problem of this
patch - the test was broken for 9.4 when it was first introduced. Another
reason why we need more detailed tests.
- I modified the test case for 9.4 so that it allows pending-additional-to-answer
promotion as 9.4 doesn't include this bug fix.
2009-12-30 08:55:48 +00:00
Mark Andrews
b4bd8d0662
772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438]
2009-11-25 04:50:25 +00:00
Tatuya JINMEI 神明達哉
aaa2233e76
2525. [experimental] New logging category "query-errors" to provide detailed
internal information about query failures, especially
about server failures. (backported as a special
exception to the general policy) [RT #19027]
2009-09-24 21:38:52 +00:00
Mark Andrews
695dbe1ce2
2551. [bug] Potential Reference leak on return. [RT #19341]
2009-02-15 23:08:14 +00:00
Automatic Updater
2a6997e72c
update copyright notice
2009-01-19 23:46:17 +00:00
Mark Andrews
0f4ec602dd
spelling
2009-01-19 00:36:29 +00:00
Tatuya JINMEI 神明達哉
35961b63b5
2516. [bug] glue sort for responses was performed even when not
needed. [RT #19039]
2008-12-16 02:21:19 +00:00
Mark Andrews
4e40ba55eb
silence compiler warning
2008-10-15 22:33:01 +00:00
Mark Andrews
91a7efa2fd
2364. [bug] named could trigger an assertion when serving a
malformed signed zone. [RT #17828]
2008-04-29 00:56:22 +00:00
Tatuya JINMEI 神明達哉
bf80cd7bef
2361. [bug] "recursion" statistics counter could be counted
multiple times for a single query. [RT #17990]
2008-04-23 01:19:06 +00:00
Automatic Updater
fcef5293d2
update copyright notice
2008-01-17 23:46:05 +00:00
Automatic Updater
47289f9dc1
update copyright notice
2008-01-09 23:45:58 +00:00
Mark Andrews
0c2ec376cd
2290. [bug] Let AD in the query signal that the client wants AD
set in the response. [RT #17301]
2008-01-09 04:14:23 +00:00
Evan Hunt
388933bf08
Only set Authentic Data bit if client requested DNSSEC, per RFC 3655 [RT #17175]
2007-09-26 03:08:14 +00:00
Automatic Updater
beb9fabda3
update copyright notice
2007-08-28 07:20:06 +00:00
Mark Andrews
ba2d3a220a
2187. [bug] query_addds(), query_addwildcardproof() and
query_addnxrrsetnsec() should take a version
argument. [RT #16368]
2007-05-18 06:55:27 +00:00
Mark Andrews
7754a4eab9
2172. [bug] query_addsoa() was being called with a non zone db.
[RT #16834]
2007-04-30 01:04:51 +00:00
Mark Andrews
64d5cc809c
update copyright notice
2007-01-08 02:42:00 +00:00
Mark Andrews
2399e06127
2124. [bug] It was possible to dereference a freed fetch
context. [RT #16584]
2007-01-08 00:45:12 +00:00
Mark Andrews
35bd1a5437
2110. [bug] "minimal-response yes;" interacted badly with BIND 8
priming queries. [RT #16491]
2006-12-07 04:38:39 +00:00
Mark Andrews
7185e0dc18
2066. [security] Handle SIG queries gracefully. [RT #16300]
2006-08-31 03:57:05 +00:00
Mark Andrews
5db4fd3a18
2036. [bug] 'rndc recursing' could trigger a REQUIRE.
[RT #16075]
2006-06-05 00:13:29 +00:00
Mark Andrews
4b0ee0ba86
2032. [bug] Remove an INSIST in query_addadditional2(). [RT #16074]
2006-05-26 02:48:26 +00:00
Mark Andrews
86c4403666
2026. [bug] Rate limit the two recursive client exceeded messages.
[RT #16044]
2006-05-18 03:14:03 +00:00
Mark Andrews
bbbdc97ccf
2016. [bug] Return a partial answer if recursion is not
allowed but requested and we had the answer
to the original qname. [RT #15945]
2006-05-16 03:28:16 +00:00
Mark Andrews
e9724570aa
2008. [func] It is now possible to enable/disable DNSSEC
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]
rndc validation newstate [view]
2006-03-09 23:46:20 +00:00
Mark Andrews
f560a1877b
2007. [func] It is now possible to explicitly enable DNSSEC
validation. default dnssec-validation no; to
be changed to yes in 9.5.0. [RT #15674]
2006-03-09 23:38:21 +00:00
Mark Andrews
bf3bbdc9b6
1999. [func] Implement "rrset-order fixed". [RT #13662]
2006-03-03 00:56:53 +00:00
Mark Andrews
ea407e7082
1991. [cleanup] The configuration data, once read, should be treated
as readonly. Expand the use of const to enforce this
at compile time. [RT #15813]
2006-02-28 03:10:49 +00:00
Mark Andrews
0c3fa5d938
1977. [bug] Silence noisy log message. [RT #15704]
2006-02-02 22:52:57 +00:00
Mark Andrews
ff3b707f8a
1959. [func] Control the zeroing of the negative response TTL to
a soa query. Defaults "zero-no-soa-ttl yes;" and
"zero-no-soa-ttl-cache no;". [RT #15460]
2006-01-05 02:24:27 +00:00
Mark Andrews
e770e36d60
update copyright notice
2006-01-04 23:50:23 +00:00
Mark Andrews
f53e702b25
1947. [func] It is now possible to configure named to accept
expired RRSIGs. Default "dnssec-accept-expired no;".
Setting "dnssec-accept-expired yes;" leaves named
vulnerable to replay attacks. [RT #14685]
2006-01-04 02:58:42 +00:00
Mark Andrews
3c8367a203
1940. [bug] Fixed a number of error conditions reported by
Coverity.
2005-11-30 03:44:39 +00:00
Mark Andrews
52fa04c198
1935. [bug] 'acache' was DO sensitive. [RT #15430]
1934. [func] Validate pending NS RRsets, in the authority section,
prior to returning them if it can be done without
requiring DNSKEYs to be fetched. [RT #15430]
2005-11-02 01:37:35 +00:00
Mark Andrews
369f44092a
1927. [bug] Access to soanode or nsnode in rbtdb violated the
lock order rule and could cause a deadlock.
[RT# 15518]
2005-10-13 02:12:25 +00:00
Mark Andrews
756c1c98e4
1913. [func] Integrate contributed DLZ code into named. [RT #11382]
2005-09-05 00:20:08 +00:00
Mark Andrews
4df834d69f
1913. [func] Automatic empty zone creation for D.F.IP6.ARPA and
friends. Note: RFC 1918 zones are not yet covered by
this but are likely to be in a future release.
New options: empty-server, empty-contact,
empty-zones-enable and disable-empty-zone.
2005-08-18 01:03:03 +00:00
Mark Andrews
79a5a49135
1910. [cleanup] Don't add DNSKEY records to the additional section.
2005-08-11 05:35:12 +00:00
Mark Andrews
6dff954cda
result was not being assigned.
2005-07-28 05:46:55 +00:00
Mark Andrews
b9ee625560
1905. [bug] Recursive clients soft quota support wasn't working
as expected. [RT #15103]
2005-07-27 02:44:22 +00:00
Mark Andrews
e021d8eff8
1891. [func] Limit the number of recursive clients that can be
waiting for a single query (<qname,qtype,qclass>) to
resolve. New options clients-per-query and
max-clients-per-query.
2005-06-27 00:20:04 +00:00
Mark Andrews
02ff44e8ef
sync w/ head
2005-06-22 22:05:50 +00:00
Mark Andrews
9ac4b79fc1
1887. [func] Detect duplicates of UDP queries we are recursing on
and drop them. New stats category "duplicates".
[RT #2471]
2005-06-17 02:04:33 +00:00
Mark Andrews
3783523d04
typo in comment
2005-05-16 05:31:22 +00:00
Rob Austein
372edff338
1851. [doc] Doxygen comment markup. [RT #11398]
2005-04-27 05:02:59 +00:00
Mark Andrews
04aed74c85
update copyright
2005-03-16 00:56:29 +00:00
Mark Andrews
163f0fd424
1804. [bug] Ensure that if we are queried for glue that it fits
in the additional section or TC is set to tell the
client to retry using TCP. [RT #10114]
2005-03-15 01:31:31 +00:00
Tatuya JINMEI 神明達哉
7a79852eb2
1526. [func] Implemented "additional section caching (or acache)",
an internal cache framework for additional section
content to improve response performance. Several
configuration options were provided to control the
behavior.
(merged into 9_4)
2004-12-21 10:59:02 +00:00
Mark Andrews
219967d623
order should be signed.
2004-06-30 14:14:46 +00:00