Commit Graph

181 Commits

Author SHA1 Message Date
Automatic Updater
11b8a4afdf update copyright notice 2011-02-27 23:45:16 +00:00
Mark Andrews
920650f048 3040. [bug] Named failed to validate insecure zones where a node
with a CNAME existed between the trust anchor and the
top of the zone. [RT #23338]
2011-02-23 13:15:39 +00:00
Mark Andrews
a407ead333 2968. [security] Named could fail to prove a data set was insecure
before marking it as insecure. One set of conditions
that can trigger this occurs naturally when rolling
DNSKEY algorithms. [RT #22309]

Had to adjust the test to use RSAMD5 -> RSASHA1 as we need to use algorithms
supported by 9.4.
2010-11-16 04:17:44 +00:00
Mark Andrews
43a1ec8d9f 2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
[RT #20877]
2010-09-02 07:21:53 +00:00
Mark Andrews
7b67408765 2925. [bug] Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555]
2010-06-26 00:11:50 +00:00
Automatic Updater
bda132bcaf update copyright notice 2010-06-03 23:46:10 +00:00
Mark Andrews
1a677bc3f7 2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
an unintended outcome from change 2890. [RT# 21392]
2010-06-03 00:36:02 +00:00
Mark Andrews
0cd3b8cc3e 2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097]
2010-06-03 00:07:59 +00:00
Mark Andrews
af9bcac6c5 2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131]
2010-04-21 04:23:47 +00:00
Automatic Updater
e95ab03354 update copyright notice 2010-02-26 23:46:37 +00:00
Mark Andrews
b6a3b10da7 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] 2010-02-26 01:03:56 +00:00
Evan Hunt
d7985983b0 2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] 2009-12-30 06:44:05 +00:00
Mark Andrews
b4bd8d0662 772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
it validates as secure. [RT #20438]
2009-11-25 04:50:25 +00:00
Automatic Updater
a028d5830c update copyright notice 2009-03-17 23:46:05 +00:00
Mark Andrews
a5e67fba38 2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479]
2009-03-17 01:32:04 +00:00
Mark Andrews
bace9ed24d 2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291] 2009-02-15 23:39:53 +00:00
Mark Andrews
0f4ec602dd spelling 2009-01-19 00:36:29 +00:00
Automatic Updater
9a2ebc4415 update copyright notice 2009-01-05 23:46:21 +00:00
Tatuya JINMEI 神明達哉
42c20e9207 trivial comment cleanups (RT#19118) 2009-01-05 23:22:26 +00:00
Automatic Updater
d53d756c84 update copyright notice 2008-11-20 23:46:03 +00:00
Mark Andrews
7e6d364ec0 2495. [bug] Tighten RRSIG checks. [RT #18795] 2008-11-20 02:02:44 +00:00
Mark Andrews
badb7014bb 2421. [bug] Handle the special return value of an empty node as
if it was a NXRRSET in the validator. [RT #18447]
2008-08-21 04:59:42 +00:00
Evan Hunt
9fceeebc72 Fix build error: parameter type was changed in the prototype but not in
the function header.
2008-02-19 17:10:04 +00:00
Mark Andrews
c819d94359 2238. [bug] check_ds() could be called with a non DS rdataset.
[RT #17598]
2008-02-18 23:08:50 +00:00
Automatic Updater
fcef5293d2 update copyright notice 2008-01-17 23:46:05 +00:00
Automatic Updater
fc36e4d54b update copyright notice 2008-01-15 23:46:02 +00:00
Mark Andrews
59aeb87035 2304. [bug] Check returns from all dns_rdata_tostruct() calls.
[RT #17460]
2008-01-15 01:13:05 +00:00
Evan Hunt
47e37d8ebd Validating lack of DS records at trust anchors wasn't working. [RT #17151] 2007-09-26 04:39:45 +00:00
Mark Andrews
8a4538cafc 2238. [bug] It was possible to trigger a REQUIRE when a
validation was cancelled. [RT #17106]
2007-09-14 05:52:50 +00:00
Automatic Updater
beb9fabda3 update copyright notice 2007-08-28 07:20:06 +00:00
Mark Andrews
b5ded8a160 2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
[RT #16976]
2007-08-27 04:47:14 +00:00
Mark Andrews
81a0879a12 2171. [bug] Handle breaks in DNSSEC trust chains where the parent
servers are not DS aware (DS queries to the parent
return a referral to the child).
2007-04-27 06:37:38 +00:00
Mark Andrews
f40348003a 2145. [bug] Check DS/DLV digest lengths for known digests.
[RT #16622]
2007-02-26 01:30:22 +00:00
Mark Andrews
64d5cc809c update copyright notice 2007-01-08 02:42:00 +00:00
Mark Andrews
9aefa7e508 2126. [bug] Serialise validation of type ANY responses. [RT #16555] 2007-01-08 01:37:53 +00:00
Mark Andrews
b486456a3d 2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
which could lead to validation failures. named didn't
handle negative DS responses that were in the process
of being validated. Check CNAME bit before accepting
NODATA proof. To be able to ignore a child NSEC there
must be SOA (and NS) set in the bitmap. [RT #16399]
2006-12-07 06:50:34 +00:00
Mark Andrews
41b6189259 2061. [bug] Accept expired wildcard message reversed. [RT #16296] 2006-07-24 22:43:31 +00:00
Mark Andrews
e9724570aa 2008. [func] It is now possible to enable/disable DNSSEC
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]

    rndc validation newstate [view]
2006-03-09 23:46:20 +00:00
Mark Andrews
7af42116ba fix minor typos 2006-02-26 23:01:58 +00:00
Mark Andrews
2f46120278 post merge problem 2006-02-22 01:57:12 +00:00
Mark Andrews
c017465e4a 1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] 2006-02-21 23:53:35 +00:00
Mark Andrews
e770e36d60 update copyright notice 2006-01-04 23:50:23 +00:00
Mark Andrews
f53e702b25 1947. [func] It is now possible to configure named to accept
expired RRSIGs. Default "dnssec-accept-expired no;".
Setting "dnssec-accept-expired yes;" leaves named
vulnerable to replay attacks. [RT #14685]
2006-01-04 02:58:42 +00:00
Mark Andrews
cf4e1143ea 1942. [bug] If the name of a DNSKEY matches that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parent's DS RRset. [RT #15649]
2005-12-05 00:00:03 +00:00
Mark Andrews
864f9d0d0a silence dereferencing type-punned pointer will break strict-aliasing rules warning 2005-11-30 04:58:32 +00:00
Mark Andrews
3c8367a203 1940. [bug] Fixed a number of error conditions reported by
Coverity.
2005-11-30 03:44:39 +00:00
Mark Andrews
c7d337e4ff 1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out.
[RT #15528]

1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528]
2005-11-03 00:58:00 +00:00
Mark Andrews
43d25d3d13 1936. [bug] The validator could leak memory. [RT #15544] 2005-11-02 01:53:25 +00:00
Mark Andrews
3a204dc120 1930. [port] HPUX: ia64 support. [RT #15473]
1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
2005-10-14 01:33:30 +00:00
Mark Andrews
c0c29fa38f sync with head 2005-09-05 03:01:49 +00:00