Mark Andrews
73cc289e79
remove unused variable 'fctx' from rctx_next
2017-08-05 12:31:45 +10:00
Evan Hunt
61367c604c
[master] refactor resquery_response() and related functions
4669. [func] Iterative query logic in resolver.c has been
refactored into smaller functions and commented,
for improved readability, maintainability and
testability. [RT #45362]
2017-08-04 16:08:11 -07:00
Mark Andrews
4bf32aa587
4654. [cleanup] Don't use C++ keywords delete, new and namespace.
[RT #45538]
2017-07-21 11:52:24 +10:00
Mark Andrews
638c7c635d
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
2017-03-14 15:07:00 +11:00
Mark Andrews
f240f4a5de
Reimplement:
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
2017-03-01 12:01:16 +11:00
Evan Hunt
a1365a0042
[master] remove unnecessary INSIST
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
2017-02-23 14:34:33 -08:00
Witold Krecicki
0790f8a361
4577. [func] Make qtype of resolver fuzzing packet configurable via command line. [RT #43540]
2017-02-21 03:49:55 -08:00
Evan Hunt
650b5e7592
[master] store local and remote addresses in dnstap
4569. [func] Store both local and remote addresses in dnstap
logging, and modify dnstap-read output format to
print them. [RT #43595]
2017-02-03 17:05:58 -08:00
Evan Hunt
a2bd99a959
[master] address portability issues
2017-01-30 16:52:18 -08:00
Evan Hunt
cd668ea57f
[master] change 4558 was incomplete
2017-01-30 14:10:30 -08:00
Mark Andrews
9f4bf43b79
4558. [bug] Synthesised CNAME before matching DNAME was still
being cached when it should have been. [RT #44318]
2017-01-24 17:40:12 +11:00
Evan Hunt
4f744a027f
[master] fix dig +ednsopt padding error
4556. [bug] Sending an EDNS Padding option using "dig
+ednsopt" could cause a crash in dig. [RT #44462]
2017-01-19 23:52:41 -08:00
Tinderbox User
f557aeef7c
update copyright notice / whitespace
2017-01-05 23:45:24 +00:00
Evan Hunt
5804332588
[master] EDNS padding and keepalive support
4549. [func] Added support for the EDNS TCP Keepalive option
(RFC 7828). [RT #42126]
4548. [func] Added support for the EDNS Padding option (RFC 7830).
[RT #42094]
2017-01-04 09:16:30 -08:00
Mark Andrews
52e2aab392
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
Mark Andrews
6adf421e7e
4510. [security] Named mishandled some responses where covering RRSIG
records are returned without the requested data
resulting in an assertion failure. (CVE-2016-9147)
[RT #43548]
2016-12-29 11:47:19 +11:00
Mark Andrews
2c1c4b99a1
4508. [security] Named incorrectly tried to cache TKEY records which
could trigger an assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522]
2016-12-29 11:07:40 +11:00
Mark Andrews
f3bf3905c3
4517. [security] Named could mishandle authority sections that were
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT #43632]
(cherry picked from commit 1df30cfd27c5a3c57fce357c54aaf6c702227d51)
2016-12-29 10:39:51 +11:00
Mark Andrews
60cb462c56
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
in responses resulting in SERVFAIL being returned.
[RT #43779]
2016-12-09 12:50:18 +11:00
Mark Andrews
bd6f27f5c3
4489. [security] It was possible to trigger assertions when processing
a response. (CVE-2016-8864) [RT #43465]
2016-10-21 14:55:10 +11:00
Mark Andrews
d9bc0a865e
4470. [bug] Reset message with intent parse before
calling dns_dispatch_getnext. [RT #43229]
2016-09-20 21:12:16 +10:00
Mark Andrews
f431bf02a6
4453. [bug] Prefetching of DS records failed to update their
RRSIGs. [RT #42865]
2016-08-25 09:51:31 +10:00
Tinderbox User
3e0b34d0ac
update copyright notice / whitespace
2016-07-11 23:46:33 +00:00
Mark Andrews
ec5e01747a
4408. [func] Continue waiting for expected response when the
response we get does not match the request. [RT #41026]
2016-07-11 13:36:16 +10:00
Mark Andrews
ecfa005085
4403. [bug] Rename variables and arguments that shadow: basename,
clone and gai_error.
2016-06-28 21:25:30 -04:00
Mark Andrews
0c27b3fe77
4401. [misc] Change LICENSE to MPL 2.0.
2016-06-27 14:56:38 +10:00
Witold Krecicki
19d80ce584
4358. [test] Added American Fuzzy Lop harness that allows
feeding fuzzed packets into BIND.
[RT #41723]
2016-05-05 11:49:38 +02:00
Mukund Sivaraman
275265ab27
Log query and depth counters during fetches when querytrace is enabled (#41787)
2016-03-04 13:25:37 +05:30
Mark Andrews
c7aae79b62
silence may be used when unset false positive
2016-02-29 11:24:15 +11:00
Mark Andrews
2de89ee9de
Part 2 of:
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
2016-02-29 07:16:48 +11:00
Mark Andrews
455c0848f8
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
2016-02-27 11:23:50 +11:00
Mukund Sivaraman
5995fec51c
Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) (#41753)
2016-02-22 12:22:43 +05:30
Mark Andrews
d372f426ca
4317. [bug] Age all unused servers on fetch timeout. [RT #41597]
2016-02-12 12:32:58 +11:00
Mark Andrews
73fbd4c9d3
4293. [bug] Address memory leak on priming query creation failure.
[RT #41512]
2016-01-20 16:38:11 +11:00
Tinderbox User
feb1ccdaf1
update copyright notice / whitespace
2016-01-05 23:45:26 +00:00
Evan Hunt
41494939b6
[master] fixed bogus server regression
4288. [bug] Fixed a regression in resolver.c:possibly_mark()
which caused known-bogus servers to be queried
anyway. [RT #41321]
2016-01-04 15:47:16 -08:00
Mark Andrews
c8821d124c
4260. [security] Insufficient testing when parsing a message allowed
records with an incorrect class to be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098]
2015-11-16 13:12:20 +11:00
Mark Andrews
2f450fcd29
4253. [bug] Address fetch context reference count handling error
on socket error. [RT#40945]
2015-11-05 17:10:10 +11:00
Mark Andrews
6588a2b404
4238. [bug] Don't send to servers on net zero (0.0.0.0/8).
[RT #40947]
2015-10-16 08:00:15 +11:00
Evan Hunt
b66b333f59
[master] dnstap
4235. [func] Added support in named for "dnstap", a fast method of
capturing and logging DNS traffic, and a new command
"dnstap-read" to read a dnstap log file. Use
"configure --enable-dnstap" to enable this
feature (note that this requires libprotobuf-c
and libfstrm). See the ARM for configuration details.
Thanks to Robert Edmonds of Farsight Security.
[RT #40211]
2015-10-02 12:32:42 -07:00
Mark Andrews
1b1f6d21c7
curr_srtt = curr->srtt
2015-10-02 07:45:45 +10:00
Mark Andrews
b959848051
compare curr_srtt and best_srtt
2015-10-01 22:12:56 +10:00
Mark Andrews
85e7a259a4
re-organise sort to use best_srtt and curr_srtt
2015-09-29 08:06:21 +10:00
Mark Andrews
98a7f8c7ae
4222. [func] Bias IPv6 servers when selecting the next server to
query. [RT #40836]
2015-09-28 18:57:19 +10:00
Mark Andrews
8d80b4939d
4221. [bug] Resource leak on DNS_R_NXDOMAIN in fctx_create.
[RT #40583]
2015-09-25 09:18:43 +10:00
Mark Andrews
741b63c869
4212. [func] Re-query if we get a bad client cookie returned over
UDP. [RT #40748]
2015-09-17 14:20:32 +10:00
Mark Andrews
02093e4c3b
4193. [bug] Handle broken servers that return BADVERS incorrectly.
[RT #40427]
2015-08-25 16:52:43 +10:00
Evan Hunt
ce9f893e21
[master] address buffer accounting error
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212]
2015-08-07 13:16:10 -07:00
Evan Hunt
1479200aa0
[master] DDoS mitigation features
3938. [func] Added quotas to be used in recursive resolvers
that are under high query load for names in zones
whose authoritative servers are nonresponsive or
are experiencing a denial of service attack.
- "fetches-per-server" limits the number of
simultaneous queries that can be sent to any
single authoritative server. The configured
value is a starting point; it is automatically
adjusted downward if the server is partially or
completely non-responsive. The algorithm used to
adjust the quota can be configured via the
"fetch-quota-params" option.
- "fetches-per-zone" limits the number of
simultaneous queries that can be sent for names
within a single domain. (Note: Unlike
"fetches-per-server", this value is not
self-tuning.)
- New stats counters have been added to count
queries spilled due to these quotas.
See the ARM for details of these options. [RT #37125]
2015-07-08 22:53:39 -07:00
Tinderbox User
8f0b326d9a
update copyright notice / whitespace
2015-07-05 23:45:22 +00:00