Mark Andrews
c5387e6942
1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608]
2006-02-21 23:49:51 +00:00
Mark Andrews
acb4f52369
update copyright notice
2006-01-04 23:50:24 +00:00
Mark Andrews
fabf2ee6b0
1947. [func] It is now possible to configure named to accept
expired RRSIGs. Default "dnssec-accept-expired no;".
Setting "dnssec-accept-expired yes;" leaves named
vulnerable to replay attacks. [RT #14685]
2006-01-04 02:35:49 +00:00
Mark Andrews
cf224bbf7b
1942. [bug] If the name of a DNSKEY matches that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parent's DS RRset. [RT #15649]
2005-12-04 23:54:01 +00:00
Mark Andrews
470c726bc8
silence dereferencing type-punned pointer will break strict-aliasing rules warning
2005-11-30 05:01:34 +00:00
Mark Andrews
2674e1a455
1940. [bug] Fixed a number of error conditions reported by
Coverity.
2005-11-30 03:33:49 +00:00
Mark Andrews
60ab03125c
1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out.
[RT #15528]
1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528]
2005-11-03 00:51:55 +00:00
Mark Andrews
7d116211ec
1936. [bug] The validator could leak memory. [RT #5544]
2005-11-02 01:46:31 +00:00
Mark Andrews
216030f284
1930. [port] HPUX: ia64 support. [RT #15473]
1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM.
2005-10-14 01:18:47 +00:00
Mark Andrews
676619a22f
win32 fixes
2005-09-05 02:54:38 +00:00
Mark Andrews
5be3685b0e
1919. [bug] dig's +sigchase code overhauled. [RT #14933]
1918. [bug] The DLV code has been re-worked to make it no longer
query order sensitive. [RT #14933]
2005-08-25 00:56:08 +00:00
Mark Andrews
116e6b4257
1867. [bug] It was possible to trigger an INSIST in
dlv_validatezonekey(). [RT #14846]
2005-06-07 00:39:05 +00:00
Mark Andrews
9840a0767d
1853. [bug] Rework how DLV interacts with proveunsecure().
[RT #13605]
2005-05-06 01:59:38 +00:00
Rob Austein
ab023a6556
1851. [doc] Doxygen comment markup. [RT #11398]
2005-04-27 04:57:32 +00:00
Mark Andrews
c941e32d22
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593]
2005-03-04 03:53:22 +00:00
Mark Andrews
2d7fc01cb3
update copyright notice
2005-02-09 05:19:30 +00:00
Mark Andrews
0ad024cc42
1806. [bug] The resolver returned the wrong result when a CNAME /
DNAME was encountered when fetching glue from a
secure namespace. [RT #13501]
1805. [bug] Pending status was not being cleared when DLV was
active. [RT #13501]
2005-02-08 23:51:32 +00:00
Mark Andrews
4e259c5a23
1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
rdataset. [RT #12907]
2004-11-17 23:52:31 +00:00
Mark Andrews
cc3aafe737
1659. [cleanup] Cleanup some messages that were referring to KEY vs
DNSKEY, NXT vs NSEC and SIG vs RRSIG.
1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
and DH. Tighten which options apply to KEY and
DNSKEY records.
2004-06-11 01:12:40 +00:00
Mark Andrews
6fac7ff1f9
1606. [bug] DLV insecurity proof was failing.
1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
2004-05-14 04:45:58 +00:00
Mark Andrews
8d414d1559
1600. [bug] Duplicate zone pre-load checks were not case
insensitive.
1599. [bug] Fix memory leak on error path when checking named.conf.
1598. [func] Specify that certain parts of the namespace must
be secure (dnssec-must-be-secure).
2004-04-15 23:40:27 +00:00
Mark Andrews
42b48d11ca
hide ((isc_event_t **) (void *)) cast using a macro, ISC_EVENT_PTR.
2004-04-15 01:58:25 +00:00
Mark Andrews
50105afc55
1589. [func] DNSSEC lookaside validation.
enable-dnssec -> dnssec-enable
2004-03-10 02:19:58 +00:00
Mark Andrews
dafcb997e3
update copyright notice
2004-03-05 05:14:21 +00:00
Mark Andrews
daa73eae70
silence punned messages
2004-02-03 00:59:05 +00:00
Mark Andrews
519b239fc4
#include <isc/string.h>
2004-01-20 14:19:42 +00:00
Mark Andrews
35541328a8
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
child zones for which we don't have a supported
algorithm. Such child zones are treated as unsigned.
1557. [func] Implement missing DNSSEC tests for
* NOQNAME proof with wildcard answers.
* NOWILDCARD proof with NXDOMAIN.
Cache and return NOQNAME with wildcard answers.
2004-01-14 02:06:51 +00:00
Tatuya JINMEI 神明達哉
e407562a75
1528. [cleanup] Simplify some dns_name_ functions based on the
deprecation of bitstring labels.
2003-10-25 00:31:12 +00:00
Mark Andrews
93d6dfaf66
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
Mark Andrews
8b5de97014
1448. [bug] Handle empty wildcards labels.
developer: marka
reviewer: explorer
2003-02-27 00:19:04 +00:00
Mark Andrews
421e4cf66e
1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
[RT #4715]
developer: marka
reviewer: explorer
2003-01-18 03:18:31 +00:00
Mark Andrews
638fe804a5
1255. [bug] When performing a nonexistence proof, the validator
should discard parent NXTs from higher in the DNS.
2002-07-22 03:00:49 +00:00
Mark Andrews
ff30cdeb78
The validator didn't handle missing DS records correctly.
2002-07-19 03:29:15 +00:00
Mark Andrews
86f6b92e35
1248. [bug] The validator could incorrectly verify an invalid
negative proof.
When checking the range of the nxt record, the code needs to handle
the case where the 'next name' field points to the origin. The way
that the origin was determined was looking at the 'signer' field
of the first SIG NXT, since NXTs are signed by the zone key. This
doesn't work, because the first SIG could have been spoofed. It
now defers checking the nxt range until both the SOA and NXT have
been verified, and uses the owner of the SOA name as the origin.
bwelling
2002-07-15 03:25:28 +00:00
Mark Andrews
25276bd1ec
1247. [bug] The validator would incorrectly mark data as insecure
when seeing a bogus signature before a correct
signature.
2002-07-15 02:57:14 +00:00
Mark Andrews
b0d31c78bc
uninitialised variable
2002-06-19 04:15:12 +00:00
Mark Andrews
0b09763c35
1328. [func] DS (delegation signer) support.
2002-06-17 04:01:37 +00:00
Mark Andrews
c99d9017ba
1275. [bug] When verifying that an NXT proves nonexistence, check
the rcode of the message and only do the matching NXT
check. That is, for NXDOMAIN responses, check that
the name is in the range between the NXT owner and
next name, and for NOERROR NODATA responses, check
that the type is not present in the NXT bitmap.
2002-04-29 23:50:26 +00:00
Mark Andrews
a7038d1a05
copyrights
2002-02-20 03:35:59 +00:00
Brian Wellington
60e9e70654
1024 -> DNS_NAME_FORMATSIZE
2002-02-05 21:41:31 +00:00
Brian Wellington
47db0efda1
spacing
2002-02-05 20:02:47 +00:00
Brian Wellington
8839b6acbf
clean up the shutdown "logic".
2002-02-05 19:46:30 +00:00
Brian Wellington
32dd66cc5e
spacing
2002-02-05 07:54:08 +00:00
Brian Wellington
18b7133679
more minor cleanups
2002-02-01 20:18:33 +00:00
Brian Wellington
23e4260821
minor cleanup
2002-02-01 20:08:56 +00:00
Andreas Gustafsson
1f1d36a87b
Check return values or cast them to (void), as required by the coding
standards; add exceptions to the coding standards for cases where this is
not desirable
2001-11-30 01:59:49 +00:00
Andreas Gustafsson
f3ca27e9fe
sizeof style
2001-11-12 19:05:39 +00:00
Andreas Gustafsson
01446841be
1006. [bug] If a KEY RR was found missing during DNSSEC validation,
an assertion failure could subsequently be triggered
in the resolver. [RT #1763]
2001-09-19 21:25:46 +00:00
Andreas Gustafsson
34aa790937
reverted 994.
2001-09-14 20:53:33 +00:00
Mark Andrews
56d69016f4
994. [bug] If the unsecure proof fails for unsigned NS records
attempt a secure proof using the NS records found as
glue to find the NS records from the zone's servers
along with associated glue rather than from parent
servers. [RT #1706]
2001-09-13 07:23:39 +00:00