  1. 07 Sep, 2018 3 commits
  2. 31 Aug, 2018 1 commit
  3. 29 Aug, 2018 1 commit
  4. 28 Aug, 2018 8 commits
  5. 23 Aug, 2018 3 commits
  6. 22 Aug, 2018 1 commit
    • Fix reloading inline-signed zones · 54315839
      Michał Kępień authored
      While "rndc reload" causes dns_zone_asyncload() to be called for the
      signed version of an inline-signed zone, the subsequent zone_load() call
      causes the raw version to be reloaded from storage.  This means that
      DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
      dns_zone_asyncload() before the reload is attempted, but zone_postload()
      is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
      cleared for the raw version, but not for the signed version.  This in
      turn prevents zone maintenance from happening for the signed version of
      the zone.
      
      Until commit 29b7efdd, this problem
      remained dormant because DNS_ZONEFLG_LOADPENDING was previously
      immediately, unconditionally cleared after zone loading was started
      (whereas it should only be cleared when zone loading is finished or an
      error occurs).  This behavior caused other issues [1] and thus had to be
      changed.
      
      Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
      for the signed version of the zone once the raw version reload
      completes.  Take care not to clear it prematurely during initial zone
      load.  Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
      zone_postload() encounters an error or returns early, to prevent other
      scenarios from resulting in the same problem.  Add comments aiming to
      help explain code flow.
      
      [1] see RT #47076
  7. 16 Aug, 2018 1 commit
  8. 14 Aug, 2018 1 commit
  9. 13 Aug, 2018 1 commit
  10. 08 Aug, 2018 2 commits
  11. 19 Jul, 2018 3 commits
  12. 11 Jul, 2018 3 commits
  13. 10 Jul, 2018 1 commit
  14. 28 Jun, 2018 5 commits
    • Fall back to normal recursion when mirror zone data is unavailable · 8d996fd7
      Michał Kępień authored
      If transferring or loading a mirror zone fails, resolution should still
      succeed by means of falling back to regular recursive queries.
      Currently, though, if a slave zone is present in the zone table and not
      loaded, a SERVFAIL response is generated.  Thus, mirror zones need
      special handling in this regard.
      
      Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
      domain name is looked up rather than a zone itself.  Handle that flag in
      dns_zt_find() in such a way that a mirror zone which is expired or not
      yet loaded is ignored when looking up domain names, but still possible
      to find when the caller wants to know whether the zone is configured.
      This causes a fallback to recursion when mirror zone data is unavailable
      without making unloaded mirror zones invisible to code checking a zone's
      existence.
    • Ensure delegations inside mirror zones are properly handled for non-recursive queries · 179d5faa
      Michał Kępień authored
      When a resolver is a regular slave (i.e. not a mirror) for some zone,
      non-recursive queries for names below that slaved zone will return a
      delegation sourced from it.  This behavior is suboptimal for mirror
      zones as their contents should rather be treated as validated, cached
      DNS responses.  Modify query_delegation() and query_zone_delegation() to
      permit clients allowed cache access to check its contents for a better
      answer when responding to non-recursive queries.
    • Perform basic resolution checks with a mirror zone in use · c9accfde
      Michał Kępień authored
      Make ns3 mirror the "root" zone from ns1 and query the former for a
      properly signed record below the root.  Ensure ns1 is not queried during
      resolution and that the AD bit is set in the response.
    • Verify mirror zone AXFRs · d86f1d00
      Michał Kępień authored
      Update axfr_commit() so that all incoming versions of a mirror zone
      transferred using AXFR are verified before being used.  If zone
      verification fails, discard the received version of the zone, wait until
      the next refresh and retry.
    • Add a system test for mirror zones · f86f314d
      Michał Kępień authored
      Create the basic files comprising a system test and define a few helper
      functions which will be useful when testing mirror zones.
  15. 26 Jun, 2018 2 commits
  16. 25 Jun, 2018 1 commit
  17. 19 Jun, 2018 1 commit
  18. 15 Jun, 2018 1 commit
    • Move verifyzone() and its dependencies into lib/dns/zoneverify.c · 3a14450d
      Michał Kępień authored
      This commit only moves code around, with the following exceptions:
      
        - the check_dns_dbiterator_current() macro and functions
          is_delegation() and has_dname() were removed from
          bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
          bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
          functions are used both by the code in bin/dnssec/dnssec-signzone.c
          and verifyzone(), but are not a good fit for being exported by a
          code module responsible for zone verification,
      
        - fatal() and check_result() were duplicated in lib/dns/zoneverify.c
          as static functions which do not use the "program" variable any more
          (as it is only set by the tools in bin/dnssec/); this is a temporary
          step which only aims to prevent compilation from breaking - these
          duplicate functions will be removed once lib/dns/zoneverify.c is
          refactored not to use them,
      
        - the list of header files included by lib/dns/zoneverify.c was
          expanded to encompass all header files that are actually used by the
          code in that file,
      
        - a description of the purpose of the commented out "fields" inside
          struct nsec3_chain_fixed was added.
  19. 14 Jun, 2018 1 commit