Mark Andrews
f3bf3905c3
4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT # 43632]
(cherry picked from commit 1df30cfd27c5a3c57fce357c54aaf6c702227d51)
2016-12-29 10:39:51 +11:00
Mark Andrews
60cb462c56
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
2016-12-09 12:50:18 +11:00
Mark Andrews
bd6f27f5c3
4489. [security] It was possible to trigger assertions when processing
a response. (CVE-2016-8864) [RT #43465]
2016-10-21 14:55:10 +11:00
Mark Andrews
d9bc0a865e
4470. [bug] Reset message with intent parse before
calling dns_dispatch_getnext. [RT #43229]
2016-09-20 21:12:16 +10:00
Mark Andrews
f431bf02a6
4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
2016-08-25 09:51:31 +10:00
Tinderbox User
3e0b34d0ac
update copyright notice / whitespace
2016-07-11 23:46:33 +00:00
Mark Andrews
ec5e01747a
4408. [func] Continue waiting for expected response when the
response we get does not match the request. [RT #41026]
2016-07-11 13:36:16 +10:00
Mark Andrews
ecfa005085
4403. [bug] Rename variables and arguments that shadow: basename,
clone and gai_error.
2016-06-28 21:25:30 -04:00
Mark Andrews
0c27b3fe77
4401. [misc] Change LICENSE to MPL 2.0.
2016-06-27 14:56:38 +10:00
Witold Krecicki
19d80ce584
4358. [test] Added American Fuzzy Lop harness that allows
feeding fuzzed packets into BIND.
[RT #41723]
2016-05-05 11:49:38 +02:00
Mukund Sivaraman
275265ab27
Log query and depth counters during fetches when querytrace is enabled (#41787)
2016-03-04 13:25:37 +05:30
Mark Andrews
c7aae79b62
silence may be used when unset false positive
2016-02-29 11:24:15 +11:00
Mark Andrews
2de89ee9de
Part 2 of:
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
2016-02-29 07:16:48 +11:00
Mark Andrews
455c0848f8
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
2016-02-27 11:23:50 +11:00
Mukund Sivaraman
5995fec51c
Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) (#41753)
2016-02-22 12:22:43 +05:30
Mark Andrews
d372f426ca
4317. [bug] Age all unused servers on fetch timeout. [RT #41597]
2016-02-12 12:32:58 +11:00
Mark Andrews
73fbd4c9d3
4293. [bug] Address memory leak on priming query creation failure.
[RT #41512]
2016-01-20 16:38:11 +11:00
Tinderbox User
feb1ccdaf1
update copyright notice / whitespace
2016-01-05 23:45:26 +00:00
Evan Hunt
41494939b6
[master] fixed bogus server regression
4288. [bug] Fixed a regression in resolver.c:possibly_mark()
which caused known-bogus servers to be queried
anyway. [RT #41321]
2016-01-04 15:47:16 -08:00
Mark Andrews
c8821d124c
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
2015-11-16 13:12:20 +11:00
Mark Andrews
2f450fcd29
4253. [bug] Address fetch context reference count handling error
on socket error. [RT#40945]
2015-11-05 17:10:10 +11:00
Mark Andrews
6588a2b404
4238. [bug] Don't send to servers on net zero (0.0.0.0/8).
[RT #40947]
2015-10-16 08:00:15 +11:00
Evan Hunt
b66b333f59
[master] dnstap
4235. [func] Added support in named for "dnstap", a fast method of
capturing and logging DNS traffic, and a new command
"dnstap-read" to read a dnstap log file. Use
"configure --enable-dnstap" to enable this
feature (note that this requires libprotobuf-c
and libfstrm). See the ARM for configuration details.
Thanks to Robert Edmonds of Farsight Security.
[RT #40211]
2015-10-02 12:32:42 -07:00
Mark Andrews
1b1f6d21c7
curr_srtt = curr->srtt
2015-10-02 07:45:45 +10:00
Mark Andrews
b959848051
compare curr_srtt and best_srtt
2015-10-01 22:12:56 +10:00
Mark Andrews
85e7a259a4
re-organise sort to use best_srtt and curr_srtt
2015-09-29 08:06:21 +10:00
Mark Andrews
98a7f8c7ae
4222. [func] Bias IPv6 servers when selecting the next server to
query. [RT #40836]
2015-09-28 18:57:19 +10:00
Mark Andrews
8d80b4939d
4221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create.
[RT #40583]
2015-09-25 09:18:43 +10:00
Mark Andrews
741b63c869
4212. [func] Re-query if we get a bad client cookie returned over
UDP. [RT #40748]
2015-09-17 14:20:32 +10:00
Mark Andrews
02093e4c3b
4193. [bug] Handle broken servers that return BADVERS incorrectly.
[RT #40427]
2015-08-25 16:52:43 +10:00
Evan Hunt
ce9f893e21
[master] address buffer accounting error
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
2015-08-07 13:16:10 -07:00
Evan Hunt
1479200aa0
[master] DDoS mitigation features
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Tinderbox User
8f0b326d9a
update copyright notice / whitespace
2015-07-05 23:45:22 +00:00
Mark Andrews
ce67023ae3
4152. [func] Implement DNS COOKIE option. This replaces the
experimental SIT option of BIND 9.10. The following
named.conf directives are available: send-cookie,
cookie-secret, cookie-algorithm and nocookie-udp-size.
The following dig options are available:
+[no]cookie[=value] and +[no]badcookie. [RT #39928]
2015-07-06 09:44:24 +10:00
Mark Andrews
adbf81335b
4146. [bug] Address reference leak that could prevent a clean
shutdown. [RT #37125]
2015-06-25 18:36:27 +10:00
Evan Hunt
a32b6291aa
[master] address regression
4126. [bug] Addressed a regression introduced in change #4121.
[RT #39611]
2015-05-26 19:11:08 -07:00
Evan Hunt
c03fe78ef5
[master] use after free in resquery_destroy()
4102. [bug] Fix a use after free bug introduced in change
#4094. [RT #39281]
2015-04-15 15:38:14 -07:00
Mukund Sivaraman
2c4d5faf7f
Don't use query->sendevent after it's been destroyed (#39132)
2015-04-13 15:04:41 +05:30
Evan Hunt
d9b37259f3
[master] hold a reference on fetch context during query
4094. [bug] A race during shutdown or reconfiguration could
cause an assertion in mem.c. [RT #38979]
2015-04-08 14:33:45 -07:00
Mark Andrews
af669cb4fd
4074. [cleanup] Cleaned up more warnings from gcc -Wshadow. [RT #38708]
2015-02-27 10:55:55 +11:00
Mukund Sivaraman
1783676a64
Add a --enable-querytrace configure switch for very verbose query tracelogging (#37520)
2015-02-26 16:51:07 +05:30
Tinderbox User
c110d61b17
update copyright notice / whitespace
2015-01-20 23:45:26 +00:00
Evan Hunt
11463c0ac2
[master] clean up gcc -Wshadow warnings
4039. [cleanup] Cleaned up warnings from gcc -Wshadow. [RT #37381]
2015-01-20 13:29:18 -08:00
Mark Andrews
1e0ed0c6f5
4024. [bug] dns_rdata_opt_first, dns_rdata_opt_next,
dns_rdata_opt_current, dns_rdata_txt_first,
dns_rdata_txt_next and dns_rdata_txt_current were
documented but not implemented. These have now been
implemented.
dns_rdata_spf_first, dns_rdata_spf_next and
dns_rdata_spf_current were documented but not
implemented. The prototypes for these
functions have been removed. [RT #38068]
4023. [bug] win32: socket handling with explicit ports and
invoking named with -4 was broken for some
configurations. [RT #38068]
2014-12-19 11:35:07 +11:00
Evan Hunt
be7fba8019
[master] adjust max-recursion-queries
4021. [bug] Adjust max-recursion-queries to accommodate
the need for more queries when the cache is
empty. [RT #38104]
2014-12-15 22:28:06 -08:00
Mark Andrews
017aa9aef6
4019. [func] If named is not configured to validate the answer
then allow fallback to plain DNS on timeout even
when we know the server supports EDNS. [RT #37978]
2014-12-05 17:47:26 +11:00
Mark Andrews
ea3aa401bc
4015. [bug] Nameservers that are skipped due to them being
CNAMEs were not being logged. They are now logged
to category 'cname' as per BIND 8. [RT #37935]
2014-12-03 11:34:07 +11:00
Francis Dupont
5c5c6d289d
Add a TCP only option to server/peer
2014-12-02 14:17:59 +01:00
Evan Hunt
05e448935c
[master] refactor max-recursion-queries
- the counters weren't set correctly when fetches timed out.
instead we now pass down a counter object.
2014-11-19 18:21:02 -08:00
Evan Hunt
c4f54e5bd1
[master] add max-recursion-queries
also fixes and documentation for max-recursion-depth
2014-11-18 22:02:02 -08:00