Matthijs Mekking
67033bfd3d
Code changes for CSK
Update dns_dnssec_keyactive to differentiate between the roles ZSK
and KSK. A key is active if it is signing but that differs per role.
A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
This means that a key can be actively signing for one role but not
the other. Add checks in inline signing (zone.c and update.c) to
cover the case where a CSK is active in its KSK role but not the ZSK
role.
2019-11-06 22:36:21 +01:00
Matthijs Mekking
fcf14b2b47
DNSSEC hints use dst_key functions and key states
Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
functions and thus if dnssec-policy/KASP is used the key states are
being considered.
Add a new variable to 'struct dns_dnsseckey' to signal whether this
key is a zone-signing key (it is no longer true that ksk == !zsk).
Also introduce a hint for revoke.
Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
to also read the key state file, if available.
Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
hint for logging.
Also make get_hints() (now dns_dnssec_get_hints()) public so that
we can use it in the key manager.
2019-11-06 22:36:21 +01:00
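The two commits above (67033bfd3d and fcf14b2b47) describe a role-aware notion of "active": a ZSK is signing when its ZRRSIG state is RUMOURED or OMNIPRESENT, a KSK when its KRRSIG state is, and when no dnssec-policy/KASP state is known the old timing metadata decides. The following is an added illustration of that logic, not BIND's own code: the state names come from the commit message, while the struct layout, the KS_NA "no state file" marker, the timing fallback, the function names and the sample keys are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Key states as named in the commit message. KS_NA is an assumption for
 * "no state file present" (a key not managed by dnssec-policy/KASP). */
typedef enum {
	KS_NA,
	KS_HIDDEN,
	KS_RUMOURED,
	KS_OMNIPRESENT,
	KS_UNRETENTIVE
} keystate_t;

/* Hypothetical key record; not BIND's dns_dnsseckey/dst_key layout.
 * ksk and zsk are independent flags, so a CSK carries both. */
typedef struct {
	uint16_t id;
	bool ksk;           /* has the KSK role */
	bool zsk;           /* has the ZSK role */
	keystate_t zrrsig;  /* state of the zone RRSIGs made with this key */
	keystate_t krrsig;  /* state of the DNSKEY RRSIG made with this key */
	time_t activate;    /* timing metadata fallback; 0 = unset */
	time_t inactive;    /* timing metadata fallback; 0 = never */
} examplekey_t;

static bool
signing_state(keystate_t s) {
	return s == KS_RUMOURED || s == KS_OMNIPRESENT;
}

/* Pre-KASP behaviour: "active" purely from Activate/Inactive times. */
static bool
timing_active(const examplekey_t *k, time_t now) {
	if (k->activate == 0 || k->activate > now) {
		return false;
	}
	if (k->inactive != 0 && k->inactive <= now) {
		return false;
	}
	return true;
}

/* ZSK role: active iff zone RRSIGs are present or being introduced. */
bool
zsk_active(const examplekey_t *k, time_t now) {
	if (!k->zsk) {
		return false;
	}
	if (k->zrrsig == KS_NA) {
		return timing_active(k, now);
	}
	return signing_state(k->zrrsig);
}

/* KSK role: active iff the DNSKEY RRSIG is present or being introduced. */
bool
ksk_active(const examplekey_t *k, time_t now) {
	if (!k->ksk) {
		return false;
	}
	if (k->krrsig == KS_NA) {
		return timing_active(k, now);
	}
	return signing_state(k->krrsig);
}

/* The case the inline-signing checks must handle: a CSK that signs the
 * DNSKEY RRset but must not (yet, or any longer) sign the rest of the zone. */
bool
csk_ksk_only(const examplekey_t *k, time_t now) {
	return k->ksk && k->zsk && ksk_active(k, now) && !zsk_active(k, now);
}

/* Constructed sample keys and clock (not real zone data). */
const time_t sample_now = (time_t)1573000000; /* 2019-11-06 UTC */

/* CSK being introduced: DNSKEY RRSIG already present, zone RRSIGs not yet. */
const examplekey_t csk_introducing = {
	.id = 12345, .ksk = true, .zsk = true,
	.zrrsig = KS_HIDDEN, .krrsig = KS_OMNIPRESENT,
};

/* CSK fully in service for both roles. */
const examplekey_t csk_in_service = {
	.id = 12346, .ksk = true, .zsk = true,
	.zrrsig = KS_OMNIPRESENT, .krrsig = KS_OMNIPRESENT,
};

/* Legacy ZSK without a state file: only timing metadata decides. */
const examplekey_t legacy_zsk = {
	.id = 20000, .ksk = false, .zsk = true,
	.zrrsig = KS_NA, .krrsig = KS_NA,
	.activate = (time_t)1570000000, .inactive = 0,
};

/* Legacy ZSK whose Inactive time has already passed. */
const examplekey_t legacy_zsk_retired = {
	.id = 20001, .ksk = false, .zsk = true,
	.zrrsig = KS_NA, .krrsig = KS_NA,
	.activate = (time_t)1560000000, .inactive = (time_t)1572000000,
};

int
main(void) {
	const examplekey_t *keys[] = { &csk_introducing, &csk_in_service,
				       &legacy_zsk, &legacy_zsk_retired };
	for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++) {
		printf("key %u: zsk_active=%d ksk_active=%d csk_ksk_only=%d\n",
		       keys[i]->id, zsk_active(keys[i], sample_now),
		       ksk_active(keys[i], sample_now),
		       csk_ksk_only(keys[i], sample_now));
	}
	return 0;
}
```

The point of the per-role split is visible in the first sample: csk_introducing is a CSK whose DNSKEY RRSIG is already OMNIPRESENT but whose zone RRSIGs are still HIDDEN, so it must be treated as a signing KSK and a non-signing ZSK at the same time, which the old `ksk == !zsk` assumption could not express.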
Mark Andrews
b59fe46e76
address or suppress cppcheck warnings
2019-09-12 17:59:28 +10:00
Evan Hunt
664b8f04f5
add -q to getopt flags, and use newlines consistently with report()
2019-07-31 10:05:52 +02:00
Ondřej Surý
ae83801e2b
Remove blocks checking whether isc_mem_get() failed using the coccinelle
2019-07-23 15:32:35 -04:00
Tony Finch
8785f6fa34
Deprecate SHA-1 CDS records
This affects CDS records generated by `named` and `dnssec-signzone`
based on `-P sync` and `-D sync` key timing instructions.
This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update
2019-05-08 18:17:55 -07:00
Ondřej Surý
78d0cb0a7d
Use coccinelle to remove explicit '#include <config.h>' from the source files
2019-03-08 15:15:05 +01:00
Evan Hunt
3c75d5d7c5
add more key maintenance event logging
log when a key is:
- published in the DNSKEY rrset
- activated
- deactivated
- unpublished from the DNSKEY rrset
- revoked
2019-01-31 12:18:55 -08:00
Evan Hunt
7fa6b88d9b
include the name when logging that a key is being fetched from key repository
2019-01-31 12:18:19 -08:00
Evan Hunt
308ab1b4a5
style cleanups
2019-01-31 11:57:16 -08:00
Matthijs Mekking
5ca649967e
Move REQUIRE outside comment unsupported alg
2018-12-19 12:54:57 +01:00
Matthijs Mekking
1dd11fc754
Allow unsupported alg in zone w/ dnssec-signzone
dnssec-signzone should sign a zonefile that contains a DNSKEY record
with an unsupported algorithm. Current behavior is that it will
fail, hitting a fatal error. The fix detects unsupported algorithms
and will not try to add it to the keylist.
Also when determining the maximum iterations for NSEC3, don't take
into account DNSKEY records in the zonefile with an unsupported
algorithm.
2018-12-19 12:54:31 +01:00
Ondřej Surý
b2b43fd235
Turn (int & flag) into (int & flag) != 0 when implicitly typed to bool
2018-11-08 12:21:53 +07:00
Ondřej Surý
f0f71420c8
Remove legacy support for AIX
2018-08-28 10:31:47 +02:00
Ondřej Surý
994e656977
Replace custom isc_boolean_t with C standard bool type
2018-08-08 09:37:30 +02:00
Ondřej Surý
cb6a185c69
Replace custom isc_u?intNN_t types with C99 u?intNN_t types
2018-08-08 09:37:28 +02:00
Ondřej Surý
c3b8130fe8
Make OpenSSL mandatory
2018-07-19 12:47:03 -04:00
Michał Kępień
172d0c401e
Address GCC 8 -Wformat-truncation warnings
2018-05-10 10:35:01 +02:00
Witold Kręcicki
702c022016
libdns refactoring: get rid of multiple versions of dns_xfrin_create, dst_key_generate, dst_lib_init and dst_context_create
2018-04-06 08:04:41 +02:00
Witold Kręcicki
25cd3168a7
libdns refactoring: get rid of multiple versions of dns_dnssec_findmatchingkeys and dns_dnssec_findzonekeys
2018-04-06 08:04:41 +02:00
Ondřej Surý
843d389661
Update license headers to not include years in copyright in all applicable files
2018-02-23 10:12:02 +01:00
Tinderbox User
9ab5ec1d72
update copyright notice / whitespace
2017-07-21 23:46:06 +00:00
Mark Andrews
4bf32aa587
4654. [cleanup] Don't use C++ keywords delete, new and namespace.
[RT #45538]
2017-07-21 11:52:24 +10:00
Tinderbox User
b6a4f7937e
update copyright notice / whitespace
2017-06-27 23:45:38 +00:00
Evan Hunt
581c1526ab
[master] address TSIG bypass/forgery vulnerabilities
4643. [security] An error in TSIG handling could permit unauthorized
zone transfers or zone updates. (CVE-2017-3142)
(CVE-2017-3143) [RT #45383]
2017-06-27 11:39:19 -07:00
Mark Andrews
52e2aab392
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
Mark Andrews
8ee6f289d8
4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers' capabilities. [RT #42458]
2016-08-19 08:02:51 +10:00
Mark Andrews
0c27b3fe77
4401. [misc] Change LICENSE to MPL 2.0.
2016-06-27 14:56:38 +10:00
Mark Andrews
26f652d387
simplify
2016-05-18 10:40:20 +10:00
Mark Andrews
75167fb746
silence compiler warning
2016-05-17 17:33:59 +10:00
Tinderbox User
f89adb2c2a
update copyright notice / whitespace
2016-05-05 23:45:48 +00:00
Mark Andrews
5ac427050f
4360. [bug] Silence spurious 'bad key type' message when there is
an existing TSIG key. [RT #42195]
2016-05-05 22:27:08 +10:00
Mark Andrews
e939674d53
4252. [func] Add support for automating the generation of CDS and
CDNSKEY rrsets to named and dnssec-signzone.
[RT #40424]
2015-11-05 12:09:48 +11:00
Evan Hunt
a32b6291aa
[master] address regression
4126. [bug] Addressed a regression introduced in change #4121.
[RT #39611]
2015-05-26 19:11:08 -07:00
Mukund Sivaraman
f5a62d97e3
Fix -Wshadow warnings (#38762)
These happen due to ntohs()/htons() macro expansion in glibc.
2015-03-09 09:23:46 +05:30
Tinderbox User
811acf52b8
update copyright notice / whitespace
2015-03-04 23:45:21 +00:00
Mark Andrews
29d52c001f
4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
2015-03-03 16:43:42 +11:00
Evan Hunt
7c9d11b654
[master] add print.h, CHANGES note
2014-06-10 08:54:16 -07:00
Mukund Sivaraman
aa232396ee
[24702] Include key filename in logged message
Squashed commit of the following:
commit 593e6bc7e29938ff5c2f7508bde303fb069a97a9
Author: Mukund Sivaraman <muks@isc.org>
Date: Tue Jun 10 19:17:40 2014 +0530
Increase size of filename buffers
commit b8685678e026ba98b8833e26664193b6345eb00e
Author: Evan Hunt <each@isc.org>
Date: Wed Jun 4 18:57:44 2014 -0700
[rt24702] some tweaks during review
commit adfbc8f808716c63e9e097d92beef104527e5c6f
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed Jun 4 18:18:35 2014 +0530
[24702] Include key filename in logged message
commit f1eff77e7e3704b145c3d65101a735467dd81dc3
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed Jun 4 18:12:43 2014 +0530
Add dst_key_getfilename()
2014-06-10 19:18:34 +05:30
Mukund Sivaraman
79d27f505a
[35063] Don't publish an activated key automatically before its publish time
2014-06-04 14:31:42 +05:30
Mark Andrews
dd820d8fd2
3836. [bug] Address C++ keyword usage in header file.
2014-05-02 11:34:32 +10:00
Evan Hunt
ba751492fc
[master] native PKCS#11 support
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]
2014-01-14 15:40:56 -08:00
Tinderbox User
431a83fb29
update copyright notice
2014-01-09 23:46:35 +00:00
Evan Hunt
e851ea8260
[master] replace memcpy() with memmove().
3698. [cleanup] Replaced all uses of memcpy() with memmove().
[RT #35120]
2014-01-08 16:39:05 -08:00
Evan Hunt
0bbe3273a2
[master] dnssec-signzone -Q
3686. [func] "dnssec-signzone -Q" drops signatures from keys
that are still published but no longer active.
[RT #34990]
2013-12-11 13:25:21 -08:00
Mark Andrews
0c91911b4d
3642. [func] Allow externally generated DNSKEY to be imported
into the DNSKEY management framework. A new tool
dnssec-importkey is used to do this. [RT #34698]
2013-09-04 13:53:02 +10:00
Tinderbox User
377b774598
update copyright notice
2013-08-15 23:46:17 +00:00
Mark Andrews
7ace327795
3632. [bug] Signatures from newly inactive keys were not being
removed. [RT #32178]
2013-08-15 10:48:05 +10:00
Evan Hunt
086cb64a78
[master] remove unnecessary memcpy
2012-12-20 10:33:47 -08:00
Evan Hunt
0e37e9e3d7
[master] silence noisy OpenSSL logging
3402. [bug] Correct interface numbers for IPv4 and IPv6 interfaces.
2012-10-24 12:58:16 -07:00