mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity
19,857 Commits 657 Branches 820 Tags
Commit Graph

209 Commits

Author SHA1 Message Date
Mark Andrews
ff30cdeb78 The validator didn't handle missing DS records correctly. 2002-07-19 03:29:15 +00:00
Mark Andrews
86f6b92e35 1248. [bug] The validator could incorrectly verify an invalid 
negative proof.

When checking the range of the nxt record, the code needs to handle
the case where the 'next name' field points to the origin.  The way
that the origin was determined was looking at the 'signer' field
of the first SIG NXT, since NXTs are signed by the zone key.  This
doesn't work, because the first SIG could have been spoofed.  It
now defers checking the nxt range until both the SOA and NXT have
been verified, and uses the owner of the SOA name as the origin.
bwelling
 2002-07-15 03:25:28 +00:00
Mark Andrews
25276bd1ec 1247. [bug] The validator would incorrectly mark data as insecure 
when seeing a bogus signature before a correct
                        signature.
 2002-07-15 02:57:14 +00:00
Mark Andrews
b0d31c78bc uninitalised variable 2002-06-19 04:15:12 +00:00
Mark Andrews
0b09763c35 1328. [func] DS (delegation signer) support. 2002-06-17 04:01:37 +00:00
Mark Andrews
c99d9017ba 1275. [bug] When verifying that an NXT proves nonexistence, check 
the rcode of the message and only do the matching NXT
                        check.  That is, for NXDOMAIN responses, check that
                        the name is in the range between the NXT owner and
                        next name, and for NOERROR NODATA responses, check
                        that the type is not present in the NXT bitmap.
 2002-04-29 23:50:26 +00:00
Mark Andrews
a7038d1a05 copyrights 2002-02-20 03:35:59 +00:00
Brian Wellington
60e9e70654 1024 -> DNS_NAME_FORMATSIZE 2002-02-05 21:41:31 +00:00
Brian Wellington
47db0efda1 spacing 2002-02-05 20:02:47 +00:00
Brian Wellington
8839b6acbf clean up the shutdown "logic". 2002-02-05 19:46:30 +00:00
Brian Wellington
32dd66cc5e spacing 2002-02-05 07:54:08 +00:00
Brian Wellington
18b7133679 more minor cleanups 2002-02-01 20:18:33 +00:00
Brian Wellington
23e4260821 minor cleanup 2002-02-01 20:08:56 +00:00
Andreas Gustafsson
1f1d36a87b Check return values or cast them to (void), as required by the coding 
standards; add exceptions to the coding standards for cases where this is
not desirable
 2001-11-30 01:59:49 +00:00
Andreas Gustafsson
f3ca27e9fe sizeof style 2001-11-12 19:05:39 +00:00
Andreas Gustafsson
01446841be 1006. [bug] If a KEY RR was found missing during DNSSEC validation, 
an assertion failure could subsequently be triggered
                        in the resolver. [RT #1763]
 2001-09-19 21:25:46 +00:00
Andreas Gustafsson
34aa790937 reverted 994. 2001-09-14 20:53:33 +00:00
Mark Andrews
56d69016f4 994. [bug] If the unsecure proof fails for unsigned NS records 
attempt a secure proof using the NS records found as
                        glue to find the NS records from the zone's servers
                        along with associated glue rather than from parent
                        servers.  [RT #1706]
 2001-09-13 07:23:39 +00:00
Andreas Gustafsson
76c8294c81 format string bugs and improved format string checking [RT #1578] 2001-08-08 22:54:55 +00:00
David Lawrence
92ef1a9b9d use ISC_MAGIC for all magic numbers, for our friends in EBCDIC land 2001-06-04 19:33:39 +00:00
Brian Wellington
26e5029fd5 Added a cast. [RT #899] 2001-02-21 19:57:38 +00:00
Brian Wellington
499b34cea0 copyright update 2001-01-09 22:01:04 +00:00
Brian Wellington
78838d3e0c 8 space -> tab conversion 2000-12-11 19:24:30 +00:00
Brian Wellington
c70908209e replace some INSISTs that theoretically could occur with normal failures 2000-12-05 18:53:43 +00:00
Brian Wellington
f439363eeb minor code simplification 2000-11-08 00:51:24 +00:00
Mark Andrews
368b37b616 dns_rdata_invalidate -> dns_rdata_reset 2000-10-31 03:22:05 +00:00
Mark Andrews
c03bb27f06 532. [func] Implement DNS UPDATE pseudo records using 
DNS_RDATA_UPDATE flag.

 531.   [func]          Rdata really should be initalized before being
                        assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(),
                        dns_rdata_clone(), dns_rdata_fromregion()),
                        check that it is.
 2000-10-25 04:26:57 +00:00
Brian Wellington
d1cbf71409 clean up suspicious looking and incorrect uses of dns_name_fromregion 2000-10-07 00:09:28 +00:00
Brian Wellington
a9ba7e6564 Allow a keyset to be self-signed if the signing key is a trusted-key. 2000-09-12 12:01:50 +00:00
Brian Wellington
d6be55c63f comment the infinite loop fix 2000-09-12 10:21:45 +00:00
Brian Wellington
5c29047792 minor dst api change 2000-09-12 09:59:28 +00:00
Brian Wellington
c38cf70db1 Fix an assertion failure and a case where an rdataset's trust wasn't set. 2000-09-08 14:18:17 +00:00
Brian Wellington
32b2cdf212 427. [bug] Avoid going into an infinite loop when the validator 
gets a negative response to a key query where the
                        records are signed by the missing key.
 2000-09-07 19:46:52 +00:00
Brian Wellington
5e387b9ce6 and more calls to DESTROYLOCK 2000-08-26 01:37:00 +00:00
Brian Wellington
6f071989da cancellation fixes 2000-08-15 01:22:33 +00:00
Brian Wellington
2a123ac026 remove unused variable 2000-08-15 00:52:49 +00:00
Brian Wellington
9cd6710f91 validators can now be cancelled. 2000-08-15 00:21:05 +00:00
Andreas Gustafsson
ef97e09e20 make the validator attach to the view only weakly, so that 
the view can start shutting down even though a validation is in progress.
 2000-08-14 22:17:40 +00:00
David Lawrence
40f53fa8d9 Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your 
own CVS tree will help minimize CVS conflicts.  Maybe not.
Blame Graff for getting me to trim all trailing whitespace.
 2000-08-01 01:33:37 +00:00
Brian Wellington
f15af68028 negative responses to cd queries should work now. 2000-07-27 18:42:08 +00:00
David Lawrence
15a4474541 word wrap copyright notice at column 70 2000-07-27 09:55:03 +00:00
Brian Wellington
98d010a24a If a negative insecurity proof succeeds, set all of the rdatasets in the 
authority section of the message to non-pending, so that the response
has the ad bit set.
 2000-07-27 01:26:15 +00:00
Brian Wellington
5b0413f993 Call isc_log_wouldlog to potentially avoid extra work in validator_log. 2000-07-26 00:50:02 +00:00
Brian Wellington
60783293cc If a failed positive validation led us to try an insecurity proof, and the 
insecurity proof also failed, the validator event should normally contain
the error from the positive validation.
 2000-07-25 01:24:18 +00:00
Brian Wellington
6bc1a64561 If a positive validation fails and it looks like the reason is that there 
are no material DNSSEC signatures, try an insecurity proof.
 2000-07-13 23:52:04 +00:00
Brian Wellington
25496cebad If trying to validate a key set that happens to be a security root, the 
validation should only consist of checking that each key in the key set
is also in the list of security root keys.

Strangeness occurs when the key set is signed, since the key set is marked
as secure, but the sig set is not, since it wasn't used in the validation
process.  This means that a query for a key set at a security root will
have the AD bit set if the key set is unsigned and not if the key set is signed.
 2000-07-07 00:44:01 +00:00
David Lawrence
9c3531d72a add RCS id string 2000-06-22 22:00:42 +00:00
Andreas Gustafsson
6036112f48 more detailed logging during insecurity proofs 2000-06-22 21:14:48 +00:00
Brian Wellington
77c67dfb26 Repeatedly querying for nonexistant data could lead to a crash. 2000-06-07 01:32:47 +00:00
Brian Wellington
e27021ee1f Certain negative responses could crash the validator. 
The insecurity proof code didn't check to see if the name was below a security
root.
 2000-06-03 00:18:43 +00:00