Commit Graph

169 Commits

Author SHA1 Message Date
Matthijs Mekking
1360a1fa1a Move REQUIRE outside comment unsupported alg
(cherry picked from commit 5ca649967e)
2018-12-20 04:50:08 -05:00
Matthijs Mekking
040e132f16 Allow unsupported alg in zone /w dnssec-signzone
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.  Current behavior is that it will
fail, hitting a fatal error.  The fix detects unsupported algorithms
and will not try to add it to the keylist.

Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.

(cherry picked from commit 1dd11fc754)
2018-12-20 04:50:08 -05:00
Ondřej Surý
12a266211e Turn (int & flag) into (int & flag) != 0 when implicitly typed to bool
(cherry picked from commit b2b43fd235)
(cherry picked from commit fcd1569e2b)
2018-11-08 22:02:58 +07:00
Ondřej Surý
1084b40b44 Replace custom isc_boolean_t with C standard bool type
(cherry picked from commit 994e656977)
(cherry picked from commit 884929400c)
2018-08-10 15:20:57 +02:00
Ondřej Surý
aaa76dc654 Replace custom isc_u?intNN_t types with C99 u?intNN_t types
(cherry picked from commit cb6a185c69)
(cherry picked from commit d61e6a3111)
2018-08-10 15:20:57 +02:00
Michał Kępień
b4f07af8df Address GCC 8 -Wformat-truncation warnings
(cherry picked from commit 172d0c401e)
2018-05-10 10:54:38 +02:00
Evan Hunt
8b205089b7 update file headers to remove copyright years 2018-03-14 16:40:20 -07:00
Tinderbox User
6fb9b25791 update copyright notice / whitespace 2017-07-21 23:46:43 +00:00
Mark Andrews
bfde61d519 4654. [cleanup] Don't use C++ keywords delete, new and namespace.
[RT #45538]

(cherry picked from commit 4bf32aa587)
2017-07-21 12:28:58 +10:00
Tinderbox User
710a238dfe update copyright notice / whitespace 2017-06-27 23:46:13 +00:00
Evan Hunt
a03f4b1ea4 [v9_11] address TSIG bypass/forgery vulnerabilities
4643.	[security]	An error in TSIG handling could permit unauthorized
			zone transfers or zone updates. (CVE-2017-3142)
			(CVE-2017-3143) [RT #45383]

(cherry picked from commit 581c1526ab)
2017-06-27 11:39:33 -07:00
Mark Andrews
c40906dfad 4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]

(cherry picked from commit 8ee6f289d8)
2016-08-19 08:05:47 +10:00
Mark Andrews
0c27b3fe77 4401. [misc] Change LICENSE to MPL 2.0. 2016-06-27 14:56:38 +10:00
Mark Andrews
26f652d387 simplify 2016-05-18 10:40:20 +10:00
Mark Andrews
75167fb746 silence compiler warning 2016-05-17 17:33:59 +10:00
Tinderbox User
f89adb2c2a update copyright notice / whitespace 2016-05-05 23:45:48 +00:00
Mark Andrews
5ac427050f 4360. [bug] Silence spurious 'bad key type' message when there is
a existing TSIG key. [RT #42195]
2016-05-05 22:27:08 +10:00
Mark Andrews
e939674d53 4252. [func] Add support for automating the generation CDS and
CDNSKEY rrsets to named and dnssec-signzone.
                        [RT #40424]
2015-11-05 12:09:48 +11:00
Evan Hunt
a32b6291aa [master] address regression
4126.	[bug]		Addressed a regression introduced in change #4121.
			[RT #39611]
2015-05-26 19:11:08 -07:00
Mukund Sivaraman
f5a62d97e3 Fix -Wshadow warnings (#38762)
These happen due to ntohs()/htons() macro expansion in glibc.
2015-03-09 09:23:46 +05:30
Tinderbox User
811acf52b8 update copyright notice / whitespace 2015-03-04 23:45:21 +00:00
Mark Andrews
29d52c001f 4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759] 2015-03-03 16:43:42 +11:00
Evan Hunt
7c9d11b654 [master] add print.h, CHANGES note 2014-06-10 08:54:16 -07:00
Mukund Sivaraman
aa232396ee [24702] Include key filename in logged message
Squashed commit of the following:

commit 593e6bc7e29938ff5c2f7508bde303fb069a97a9
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 19:17:40 2014 +0530

    Increase size of filename buffers

commit b8685678e026ba98b8833e26664193b6345eb00e
Author: Evan Hunt <each@isc.org>
Date:   Wed Jun 4 18:57:44 2014 -0700

    [rt24702] some tweaks during review

commit adfbc8f808716c63e9e097d92beef104527e5c6f
Author: Mukund Sivaraman <muks@isc.org>
Date:   Wed Jun 4 18:18:35 2014 +0530

    [24702] Include key filename in logged message

commit f1eff77e7e3704b145c3d65101a735467dd81dc3
Author: Mukund Sivaraman <muks@isc.org>
Date:   Wed Jun 4 18:12:43 2014 +0530

    Add dst_key_getfilename()
2014-06-10 19:18:34 +05:30
Mukund Sivaraman
79d27f505a [35063] Don't publish an activated key automatically before its publish time 2014-06-04 14:31:42 +05:30
Mark Andrews
dd820d8fd2 3836. [bug] Address C++ keyword usage in header file. 2014-05-02 11:34:32 +10:00
Evan Hunt
ba751492fc [master] native PKCS#11 support
3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]
2014-01-14 15:40:56 -08:00
Tinderbox User
431a83fb29 update copyright notice 2014-01-09 23:46:35 +00:00
Evan Hunt
e851ea8260 [master] replace memcpy() with memmove().
3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]
2014-01-08 16:39:05 -08:00
Evan Hunt
0bbe3273a2 [master] dnssec-signzone -Q
3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]
2013-12-11 13:25:21 -08:00
Mark Andrews
0c91911b4d 3642. [func] Allow externally generated DNSKEY to be imported
into the DNSKEY management framework.  A new tool
                        dnssec-importkey is used to this. [RT #34698]
2013-09-04 13:53:02 +10:00
Tinderbox User
377b774598 update copyright notice 2013-08-15 23:46:17 +00:00
Mark Andrews
7ace327795 3632. [bug] Signature from newly inactive keys were not being
removed.  [RT #32178]
2013-08-15 10:48:05 +10:00
Evan Hunt
086cb64a78 [master] remove unnecessary memcpy 2012-12-20 10:33:47 -08:00
Evan Hunt
0e37e9e3d7 [master] silence noisy OpenSSL logging
3402.	[bug]		Correct interface numbers for IPv4 and IPv6 interfaces.
2012-10-24 12:58:16 -07:00
Mark Andrews
47c6d89485 3394. [bug] Adjust 'sucessfully validated after lower casing
signer' log level and category. [RT #31414]
2012-10-16 11:56:05 +11:00
Mark Andrews
b29e848220 3367. [bug] dns_dnsseckey_create() result was not being checked.
[RT #30685]
2012-08-21 12:04:09 +10:00
Mark Andrews
7865ea9545 3339. [func] Allow the maximum supported rsa exponent size to be specified: "max-rsa-exponent-size <value>;" [RT #29228] 2012-06-14 15:44:20 +10:00
Tinderbox User
a847a4bcd6 update copyright notice 2012-05-17 23:46:03 +00:00
Evan Hunt
26833735d3 Handle RRSIG signer case consistently
3329.	[bug]		Handle RRSIG signer-name case consistently: We
			generate RRSIG records with the signer-name in
			lower case.  We accept them with any case, but if
			they fail to validate, we try again in lower case.
			[RT #27451]
2012-05-17 10:44:16 -07:00
Mark Andrews
840659f1d7 3302. [bug] dns_dnssec_findmatchingkeys could fail to find
keys if the zone name contained character that
                        required special mappings. [RT #28600]
2012-03-30 12:05:13 +11:00
Tinderbox User
5fa46bc916 update copyright notice 2012-03-10 23:45:53 +00:00
Mark Andrews
4c1847ef47 set $Id$ 2012-03-07 22:17:19 +11:00
Mark Andrews
04281728d4 3239. [bug] dns_dnssec_findmatchingkeys needs to use a consistent
timestamp. [RT #26883]
2011-12-07 22:36:25 +00:00
Mark Andrews
069182809a remove unnecessary assignment to found_ttl 2011-08-26 05:29:48 +00:00
Evan Hunt
485522d7e1 3108. [cleanup] dnssec-signzone: Clarified some error and
warning messages; removed #ifdef ALLOW_KSKLESS_ZONES
			code (use -P instead). [RT #20852]

3107.	[bug]		dnssec-signzone: Report the correct number of ZSKs
			when using -x. [RT #20852]
2011-05-06 21:08:33 +00:00
Evan Hunt
61bcc23203 3076. [func] New '-L' option in dnssec-keygen, dnsset-settime, and
dnssec-keyfromlabel sets the default TTL of the
			key.  When possible, automatic signing will use that
			TTL when the key is published.  [RT #23304]
2011-03-17 01:40:40 +00:00
Mark Andrews
0e095727ff 3075. [bug] dns_dnssec_findzonekeys{2} used a inconsistant
timestamp when determining which keys are active.
                        [RT #23642]
2011-03-17 01:17:21 +00:00
Automatic Updater
c1aef54e14 update copyright notice 2011-03-12 04:59:49 +00:00
Mark Andrews
0874abad14 3069. [cleanup] Silence warnings messages from clang static analysis.
[RT #20256]
2011-03-11 06:11:27 +00:00