ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
34,370 Commits 589 Branches 805 Tags
f563cd570c8a4e24e0c6a1cf7cf6e11da1b090fb
Commit Graph

73 Commits

Author SHA1 Message Date
Evan Hunt
b0aadaac8e rename dns_name_copynf() to dns_name_copy() 
dns_name_copy() is now the standard name-copying function.
 2021-05-22 00:37:27 -07:00
Mark Andrews
af02bbcdd6 Mark DNSSEC responses with NSEC3 records that exceed 150 as insecure 2021-04-29 13:43:40 +02:00
Mark Andrews
29126500d2 Reduce nsec3 max iterations to 150 2021-04-29 17:18:26 +10:00
Matthijs Mekking
6b5d7357df Detect NSEC3 salt collisions 
When generating a new salt, compare it with the previous NSEC3
paremeters to ensure the new parameters are different from the
previous ones.

This moves the salt generation call from 'bin/named/*.s' to
'lib/dns/zone.c'. When setting new NSEC3 parameters, you can set a new
function parameter 'resalt' to enforce a new salt to be generated. A
new salt will also be generated if 'salt' is set to NULL.

Logging salt with zone context can now be done with 'dnssec_log',
removing the need for 'dns_nsec3_log_salt'.
 2020-11-26 10:43:59 +01:00
Matthijs Mekking
7878f300ff Move logging of salt in separate function 
There may be a desire to log the salt without losing the context
of log module, level, and category.
 2020-11-26 10:43:59 +01:00
Matthijs Mekking
84a4273074 Move generate_salt function to lib/dns/nsec3 
We will be using this function also on reconfig, so it should have
a wider availability than just bin/named/server.
 2020-11-26 10:43:27 +01:00
Evan Hunt
dcee985b7f update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
Evan Hunt
e851ed0bb5 apply the modified style 2020-02-13 15:05:06 -08:00
Ondřej Surý
056e133c4c Use clang-tidy to add curly braces around one-line statements 
The command used to reformat the files in this commit was:

./util/run-clang-tidy \
	-clang-tidy-binary clang-tidy-11
	-clang-apply-replacements-binary clang-apply-replacements-11 \
	-checks=-*,readability-braces-around-statements \
	-j 9 \
	-fix \
	-format \
	-style=file \
	-quiet
clang-format -i --style=format $(git ls-files '*.c' '*.h')
uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h')
clang-format -i --style=format $(git ls-files '*.c' '*.h')
 2020-02-13 22:07:21 +01:00
Ondřej Surý
f50b1e0685 Use clang-format to reformat the source files 2020-02-12 15:04:17 +01:00
Ondřej Surý
c2dad0dcb2 Replace RUNTIME_CHECK(dns_name_copy(..., NULL)) with dns_name_copynf() 
Use the semantic patch from the previous commit to replace all the calls to
dns_name_copy() with NULL as third argument with dns_name_copynf().
 2019-10-01 10:43:26 +10:00
Ondřej Surý
35bd7e4da0 Add RUNTIME_CHECK() around plain dns_name_copy(..., NULL) calls using spatch 
This commit add RUNTIME_CHECK() around all simple dns_name_copy() calls where
the third argument is NULL using the semantic patch from the previous commit.
 2019-10-01 10:43:26 +10:00
Ondřej Surý
78d0cb0a7d Use coccinelle to remove explicit '#include <config.h>' from the source files 2019-03-08 15:15:05 +01:00
Matthijs Mekking
5ca649967e Move REQUIRE outside comment unsupported alg 2018-12-19 12:54:57 +01:00
Matthijs Mekking
1dd11fc754 Allow unsupported alg in zone /w dnssec-signzone 
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm.  Current behavior is that it will
fail, hitting a fatal error.  The fix detects unsupported algorithms
and will not try to add it to the keylist.

Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
 2018-12-19 12:54:31 +01:00
Ondřej Surý
b2b43fd235 Turn (int & flag) into (int & flag) != 0 when implicitly typed to bool 2018-11-08 12:21:53 +07:00
Ondřej Surý
7fd3dc63de Add generic message digest API (isc_md) to replace specific MD functions md5/sha1/sha256 2018-10-25 08:15:42 +02:00
Ondřej Surý
994e656977 Replace custom isc_boolean_t with C standard bool type 2018-08-08 09:37:30 +02:00
Ondřej Surý
cb6a185c69 Replace custom isc_u?intNN_t types with C99 u?intNN_t types 2018-08-08 09:37:28 +02:00
Ondřej Surý
b105ccee68 Remove isc_safe_memcompare, it's not needed anywhere and can't be replaced with CRYPTO_memcmp() 2018-07-20 10:06:14 -04:00
Ondřej Surý
55a10b7acd Remove $Id markers, Principal Author and Reviewed tags from the full source tree 2018-05-11 13:17:46 +02:00
Michał Kępień
4df4a8e731 Use dns_fixedname_initname() where possible 
Replace dns_fixedname_init() calls followed by dns_fixedname_name()
calls with calls to dns_fixedname_initname() where it is possible
without affecting current behavior and/or performance.

This patch was mostly prepared using Coccinelle and the following
semantic patch:

    @@
    expression fixedname, name;
    @@
    -	dns_fixedname_init(&fixedname);
    	...
    -	name = dns_fixedname_name(&fixedname);
    +	name = dns_fixedname_initname(&fixedname);

The resulting set of changes was then manually reviewed to exclude false
positives and apply minor tweaks.

It is likely that more occurrences of this pattern can be refactored in
an identical way.  This commit only takes care of the low-hanging fruit.
 2018-04-09 12:14:16 +02:00
Ondřej Surý
843d389661 Update license headers to not include years in copyright in all applicable files 2018-02-23 10:12:02 +01:00
Michał Kępień
910a01550a [master] Rename nsec3param_salt_totext() to dns_nsec3param_salttotext(), make it public, add unit tests 
4786.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
			dns_nsec3param_salttotext(), and add unit tests for it.
			[RT #46289]
 2017-10-25 09:46:18 +02:00
Tinderbox User
9ab5ec1d72 update copyright notice / whitespace 2017-07-21 23:46:06 +00:00
Mark Andrews
4bf32aa587 4654. [cleanup] Don't use C++ keywords delete, new and namespace. 
[RT #45538]
 2017-07-21 11:52:24 +10:00
Tinderbox User
ed07d7a8f5 update copyright notice / whitespace 2016-12-30 23:46:36 +00:00
Mark Andrews
52e2aab392 4546. [func] Extend the use of const declarations. [RT #43379] 2016-12-30 15:45:08 +11:00
Mark Andrews
d811a7d9ef 4405. [bug] Change 4342 introduced a regression where you could 
not remove a delegation in a NSEC3 signed zone using
                        OPTOUT via nsupdate. [RT #42702]
 2016-07-06 10:13:15 +10:00
Mark Andrews
0c27b3fe77 4401. [misc] Change LICENSE to MPL 2.0. 2016-06-27 14:56:38 +10:00
Evan Hunt
420a43c8d8 [master] timing safe memory comparisons 
4183.	[cleanup]	Use timing-safe memory comparisons in cryptographic
			code. Also, the timing-safe comparison functions have
			been renamed to avoid possible confusion with
			memcmp(). [RT #40148]
 2015-08-17 18:26:44 -07:00
Tinderbox User
c110d61b17 update copyright notice / whitespace 2015-01-20 23:45:26 +00:00
Evan Hunt
11463c0ac2 [master] clean up gcc -Wshadow warnings 
4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]
 2015-01-20 13:29:18 -08:00
Mark Andrews
fec7998314 3942. [bug] Wildcard responses from a optout range should be 
marked as insecure. [RT #37072]
 2014-09-04 13:57:50 +10:00
Mark Andrews
e58154a6ec silence coverity warnings 2014-07-02 15:28:02 +10:00
Mark Andrews
b16d99bac1 3872. [bug] Address issues found by static analysis. [RT #36209] 2014-06-10 09:17:15 +10:00
Mark Andrews
36e5ac0033 3819. [bug] NSEC3 hashes need to be able to be entered and 
displayed without padding.  This is not a issue for
                        currently defined algorithms but may be for future
                        hash algorithms. [RT #27925]
 2014-04-24 18:58:03 +10:00
Tinderbox User
431a83fb29 update copyright notice 2014-01-09 23:46:35 +00:00
Evan Hunt
e851ea8260 [master] replace memcpy() with memmove(). 
3698.	[cleanup]	Replaced all uses of memcpy() with memmove().
			[RT #35120]
 2014-01-08 16:39:05 -08:00
Mark Andrews
c3c8823fed 3681. [port] Update the Windows build system to support feature 
selection and WIN64 builds.  This is a work in
                        progress. [RT #34160]
 2013-12-04 12:47:23 +11:00
Mark Andrews
b5f4cc132e 3641. [bug] Handle changes to sig-validity-interval settings 
better. [RT #34625]
 2013-09-04 13:45:00 +10:00
Tinderbox User
12253af346 update copyright notice 2013-04-10 23:46:01 +00:00
Evan Hunt
b99bfa184b [master] unify internal and export libraries 
3550.	[func]		Unified the internal and export versions of the
			BIND libraries, allowing external clients to use
			the same libraries as BIND. [RT #33131]
 2013-04-10 13:49:57 -07:00
Mark Andrews
8462dfb880 3443. [bug] The NOQNAME proof was not being returned from cached 
insecure responses. [RT #21409]
 2012-12-19 09:55:02 +11:00
Mark Andrews
463f4ad70b silence clang --analyzer warnin by checking rdata.length 2012-12-10 08:24:17 +11:00
Tinderbox User
6d5f928b26 update copyright notice 2012-06-25 23:46:00 +00:00
Mark Andrews
ad127d839d 3341. [func] New "dnssec-verify" command checks a signed zone 
to ensure correctness of signatures and of NSEC/NSEC3
                        chains. [RT #23673]
 2012-06-25 13:57:32 +10:00
Mark Andrews
28a8f5b0de set $Id$ 2012-03-08 00:21:15 +11:00
Automatic Updater
80c7083796 update copyright notice 2012-01-27 23:46:59 +00:00
Mark Andrews
ef9f4d0977 3266. [bug] The maximum number of NSEC3 iterations for a 
DNSKEY RRset was not being properly computed.
                        [RT #26543]
 2012-01-27 00:49:42 +00:00