ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
23,381 Commits 589 Branches 805 Tags
de7ba81cb4e777282827deb06fe7113a852635b5
Commit Graph

166 Commits

Author SHA1 Message Date
Mark Andrews
d8161b8756 4127. [protocol] CDS and CDNSKEY need to be signed by the key signing 
key as per RFC 7344, Section 4.1. [RT #37215]

(cherry picked from commit 598b502695)
 2015-05-27 15:36:55 +10:00
Tinderbox User
d5bad8c9b9 update copyright notice / whitespace 2015-02-10 23:45:50 +00:00
Evan Hunt
83b613cbfb [v9_10] fix "initialize with revoked key" test 2015-02-10 13:40:39 -08:00
Evan Hunt
f87d4ca084 [v9_10] 5011 fixes 
4056.	[bug]		Fixed several small bugs in automatic trust anchor
			management, including a memory leak and a possible
			loss of key state information. [RT #38458]
 2015-02-10 12:59:38 -08:00
Mark Andrews
a1675b15dc 3990. [testing] Add tests for unknown DNSSEC algorithm handling. 
[RT #37541]

(cherry picked from commit a5c7cfbac4)
 2014-10-30 11:21:38 +11:00
Mark Andrews
27231c6877 allow for the set of ttls to be empty 
(cherry picked from commit 44ef2206d7)
 2014-10-16 14:47:02 +11:00
Mark Andrews
bd5d920bd5 make test more robust in the face of server failures 2014-10-16 12:34:29 +11:00
Mark Andrews
7e2d191c0a 3960. [bug] 'dig +sigchase' could loop forever. [RT #37220] 
(cherry picked from commit c83b91fb63)
 2014-10-01 07:17:42 +10:00
Mark Andrews
d8aa4db790 use RANDFILE rather than /dev/urandom 
(cherry picked from commit 4bc581ca31)
 2014-09-29 23:39:22 +10:00
Mark Andrews
c85116cb56 3957. [bug] "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256 
and ECDSAP384SHA384. [RT #37183]

(cherry picked from commit 80169c379d)
 2014-09-29 10:19:52 +10:00
Mark Andrews
99a3873ba5 3942. [bug] Wildcard responses from a optout range should be 
marked as insecure. [RT #37072]
 2014-09-04 13:58:15 +10:00
Mark Andrews
fb5ab2d4ae 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917 
(cherry picked from commit 840d6a4614)
 2014-08-22 16:33:06 +10:00
Mark Andrews
f2d672a7e0 3890. [bug] RRSIG sets that were not loaded in a single transaction 
at start up where not being correctly added to
                        re-signing heaps.  [RT #36302]

(cherry picked from commit 63e1ac1e09)
 2014-07-07 12:07:44 +10:00
Mark Andrews
0e41705fa7 use $PERL 
(cherry picked from commit 1c95f67232)
 2014-06-24 13:50:41 +10:00
Evan Hunt
8103fbabd5 [v9_10] globally rename "delve" to "delv" 
3817.	[func]		The "delve" command is now spelled "delv" to avoid
			a namespace collision with the Xapian project.
			[RT #35801]

(cherry picked from commit 2ae159b376)
 2014-04-23 11:15:36 -07:00
Mark Andrews
5b60bde47b use perl 2014-04-07 21:53:47 +10:00
Mark Andrews
a4941d6b5e update check the correct resigning time is reported in zonestatus test to be more portable 2014-04-07 11:50:50 +10:00
Mark Andrews
0dfd942409 3798. [bug] 'rndc zonestatus' was reporting the wrong re-signing 
time. [RT #35659]
 2014-04-04 11:33:49 +11:00
Mark Andrews
bab2bf7dfd expr length arg is not portable 2014-03-12 13:59:41 +11:00
Evan Hunt
62258ada48 [master] auto-generate salt 
3781.	[func]		Specifying "auto" as the salt when using
			"rndc signing -nsec3param" causes named to
			generate a 64-bit salt at random. [RT #35322]
 2014-03-11 08:46:58 -07:00
Mark Andrews
7e2e41df67 3748. [func] Use delve to test dns_client interfaces. [RT #35383] 2014-02-19 19:33:21 +11:00
Evan Hunt
35f6a21f5f [master] max-zone-ttl 
3746.	[func]		New "max-zone-ttl" option enforces maximum
			TTLs for zones. If loading a zone containing a
			higher TTL, the load fails. DDNS updates with
			higher TTLs are accepted but the TTL is truncated.
			(Note: Currently supported for master zones only;
			inline-signing slaves will be added.) [RT #38405]
 2014-02-18 23:26:50 -08:00
Mark Andrews
b5f6271f4d 3744. [experimental] SIT: send and process Source Identity Tokens 
(which are similar to DNS Cookies by Donald Eastlake)
                        and are designed to help clients detect off path
                        spoofed responses and for servers to detect legitimate
                        clients.

                        SIT use a experimental EDNS option code (65001).

                        SIT can be enabled via --enable-developer or
                        --enable-sit.  It is on by default in Windows.

                        RRL processing as been updated to know about SIT with
                        legitimate clients not being rate limited. [RT #35389]
 2014-02-19 12:53:42 +11:00
Evan Hunt
7ba88e2a95 [master] fix dnssec test errors 2014-02-16 14:14:56 -08:00
Evan Hunt
72fd845d5a [master] remove accidentally committed changes 2014-02-16 13:59:19 -08:00
Evan Hunt
792915beb0 [master] fix accidental dig breakage 2014-02-16 13:42:42 -08:00
Evan Hunt
d58e33bfab [master] testcrypto.sh in system tests 
3714.	[test]		System tests that need to test for cryptography
			support before running can now use a common
			"testcrypto.sh" script to do so. [RT #35213]
 2014-01-20 16:08:09 -08:00
Tinderbox User
bf0266f286 update copyright notice 2014-01-14 23:46:22 +00:00
Mark Andrews
07fb9b8330 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185] 2014-01-14 16:12:30 +11:00
Evan Hunt
9b895f30f1 [master] fix insecure delegation across static-stub zones 
3689.	[bug]		Fixed a bug causing an insecure delegation from one
			static-stub zone to another to fail with a broken
			trust chain. [RT #35081]
 2013-12-12 22:19:33 -08:00
Evan Hunt
4e1d84a33c typo 2013-12-11 14:00:07 -08:00
Evan Hunt
0bbe3273a2 [master] dnssec-signzone -Q 
3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
			that are still published but no longer active.
			[RT #34990]
 2013-12-11 13:25:21 -08:00
Mark Andrews
7667dd1a03 call zone_settimer; sub test failure was not being detected 
(cherry picked from commit ebd7900670)
 2013-09-18 12:57:46 +10:00
Mark Andrews
b5f4cc132e 3641. [bug] Handle changes to sig-validity-interval settings 
better. [RT #34625]
 2013-09-04 13:45:00 +10:00
Mark Andrews
d6f99498d6 3639. [bug] Treat type 65533 (KEYDATA) as opaque except when used 
in a key zone. [RT #34238]
 2013-09-04 13:14:06 +10:00
Mark Andrews
7ace327795 3632. [bug] Signature from newly inactive keys were not being 
removed.  [RT #32178]
 2013-08-15 10:48:05 +10:00
Mark Andrews
75ae74f8fd 3629. [func] Allow the printing of cryptographic fields in DNSSEC 
records by dig to be suppressed (dig +nocrypto).
                        [RT #34534]
 2013-08-12 15:37:51 +10:00
Mark Andrews
16bd30ae69 3628. [func] Report DNSKEY key id's when dumping the cache. 
[RT #34533]
 2013-08-12 14:38:26 +10:00
Mark Andrews
8e15d5eb3a 3593. [func] Update EDNS processing to better track remote server 
capabilities. [RT #30655]
 2013-06-12 11:31:30 +10:00
Evan Hunt
b99bfa184b [master] unify internal and export libraries 
3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]
 2013-04-10 13:49:57 -07:00
Mark Andrews
c2838610c6 s/-e/-x/ 2013-04-05 07:37:40 +11:00
Mark Andrews
8013077aa7 3541. [bug] The parts if libdns was not being properly initialized 
in when built in libexport mode. [RT #33028]
 2013-04-03 17:27:40 +11:00
Mark Andrews
15d970cb23 remove broken redundant test 2013-03-21 12:38:16 +11:00
Evan Hunt
831f59eb43 [master] add dnssec-coverage tool 
3528.	[func]		New "dnssec-coverage" command scans the timing
			metadata for a set of DNSSEC keys and reports if a
			lapse in signing coverage has been scheduled
			inadvertently. (Note: This tool depends on python;
			it will not be built or installed on systems that
			do not have a python interpreter.) [RT #28098]
 2013-03-20 14:39:13 -07:00
Evan Hunt
9a0dd99a75 [master] fix incorrect nsec3 check 
- check for NSEC3 in empty nodes when not due to optout delegations
    - fixed typo in output ("Bad record NSEC record")
    - incidentally fixed an error in signzone that caused an
      incorrect warning about missing DNSKEYs when using -S
      and -3 together

3473.	[bug]		dnssec-signzone/verify could incorrectly report
			an error condition due to an empty node above an
			opt-out delegation lacking an NSEC3. [RT #32072]
 2013-01-23 14:56:00 -08:00
Tinderbox User
5c6b95ba1b update copyright notice 2013-01-10 23:46:00 +00:00
Mark Andrews
4801931443 3461. [bug] Negative responses could incorrectly have AD=1 
set. [RT #32237]
 2013-01-10 23:09:08 +11:00
Mark Andrews
53e52b463e adjust looping threshold from 10 to 15 2012-11-28 12:05:56 +11:00
Mark Andrews
b13b452020 3424. [func] dnssec-dsfromkey now emits the hash without spaces. 
[RT #31951]

Squashed commit of the following:

commit 7369da0369e1de1fe6c5b5f84df8848b9a0984eb
Author: Mark Andrews <marka@isc.org>
Date:   Fri Nov 23 17:24:04 2012 +1100

    dupped/created reversed in log message

commit 0cef5faaf3ac22b00ed0f95b6bb7a146cf4cac15
Author: Mark Andrews <marka@isc.org>
Date:   Fri Nov 23 13:40:14 2012 +1100

    remove space from DS hash
 2012-11-27 14:22:28 +11:00
Mark Andrews
20b95f5ff6 3421. [bug] Named loops when re-signing if all keys are offline. 
[RT #31916]

Squashed commit of the following:

commit f47af0ca6793687b9c8d08fd44b0c091ba5a4f9a
Author: Mark Andrews <marka@isc.org>
Date:   Wed Nov 21 17:45:21 2012 +1100

    dns_dns_zonediff_t -> dns_zonediff_t, clarify comment

commit 344edefc3ee90856a7ff990abe7971925ba843b2
Author: Mark Andrews <marka@isc.org>
Date:   Tue Nov 20 13:12:26 2012 +1100

    commit the zone changes if a keep was marked as being offline

commit cad2c2446ebfc20b6d8c4f6dd0d6596d7106cc0f
Author: Mark Andrews <marka@isc.org>
Date:   Tue Nov 20 13:08:29 2012 +1100

    check for looping when re-signing expiring.example
 2012-11-21 17:48:57 +11:00