1. 06 Oct, 2017 1 commit
    • [master] further restrict update-policy local · 995c41e8
      Evan Hunt authored
      4762.	[func]		"update-policy local" is now restricted to updates
      			from local addresses. (Previously, other addresses
      			were allowed so long as updates were signed by the
      			local session key.) [RT #45492]
  2. 05 Oct, 2017 3 commits
  3. 03 Oct, 2017 4 commits
    • [master] dnssec-signzone can now add sync records · e515fae2
      Evan Hunt authored
      4751.	[func]		"dnssec-signzone -S" can now automatically add parent
      			synchronization records (CDS and CDNSKEY) according
      			to key metadata set using the -Psync and -Dsync
      			options to dnssec-keygen and dnssec-settime.
      			[RT #46149]
    • [master] rndc managed-keys destroy · 762dc8b8
      Evan Hunt authored
      4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
      			maintenance and deletes the managed-keys database.
      			If followed by "rndc reconfig" or a server restart,
      			key maintenance is reinitialized from scratch.
      			This is primarily intended for testing. [RT #32456]
    • [master] de-DLV · f2935929
      Evan Hunt authored
      4749.	[func]		The ISC DLV service has been shut down, and all
      			DLV records have been removed from dlv.isc.org.
      			- Removed references to ISC DLV in documentation
      			- Removed DLV key from bind.keys
      			- No longer use ISC DLV by default in delv
      			[RT #46155]
    • 4747. [func] Synthesis of responses from DNSSEC-verified records. · c85b467d
      Mark Andrews authored
                              Stage 3 - synthesize NODATA responses. [RT #40138]
  4. 28 Sep, 2017 2 commits
    • [master] completed and corrected the crypto-random change · 24172bd2
      Evan Hunt authored
      4724.	[func]		By default, BIND now uses the random number
      			functions provided by the crypto library (i.e.,
      			OpenSSL or a PKCS#11 provider) as a source of
      			randomness rather than /dev/random.  This is
      			suitable for virtual machine environments
      			which have limited entropy pools and lack
      			hardware random number generators.
      
      			This can be overridden by specifying another
      			entropy source via the "random-device" option
      			in named.conf, or via the -r command line option;
      			however, for functions requiring full cryptographic
      			strength, such as DNSSEC key generation, this
      			cannot be overridden. In particular, the -r
      			command line option no longer has any effect on
      			dnssec-keygen.
      
      			This can be disabled by building with
      			"configure --disable-crypto-rand".
      			[RT #31459] [RT #46047]
    • 4742. [func] Synthesis of responses from DNSSEC-verified records. · e00fdad1
      Mark Andrews authored
                              Stage 2 - synthesis of records from wildcard data.
                              If the dns64 or filter-aaaa* is configured then the
                              involved lookups are currently excluded. [RT #40138]
  5. 20 Sep, 2017 1 commit
    • [master] fix memory growth problem · 7a2112ff
      Evan Hunt authored
      4733.	[bug]		Change #4706 introduced a bug causing TCP clients
      			not to be reused correctly, leading to unconstrained
      			memory growth. [RT #46029]
  6. 16 Sep, 2017 3 commits
  7. 14 Sep, 2017 1 commit
  8. 13 Sep, 2017 2 commits
  9. 11 Sep, 2017 2 commits
  10. 09 Sep, 2017 1 commit
  11. 08 Sep, 2017 1 commit
    • [master] add libns and remove liblwres · 8eb88aaf
      Evan Hunt authored
      4708.   [cleanup]       Legacy Windows builds (i.e. for XP and earlier)
                              are no longer supported. [RT #45186]
      
      4707.	[func]		The lightweight resolver daemon and library (lwresd
      			and liblwres) have been removed. [RT #45186]
      
      4706.	[func]		Code implementing name server query processing has
      			been moved from bin/named to a new library "libns".
      			Functions remaining in bin/named are now prefixed
      			with "named_" rather than "ns_".  This will make it
      			easier to write unit tests for name server code, or
      			link name server functionality into new tools.
      			[RT #45186]
  12. 04 Sep, 2017 1 commit
  13. 31 Aug, 2017 1 commit
    • [master] remove default algorithm in dnssec-keygen · 45afdb26
      Evan Hunt authored
      4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
      			the signing algorithm must be specified on
      			the command line with the "-a" option.  Signing
      			scripts that rely on the existing default behavior
      			will break; use "dnssec-keygen -a RSASHA1" to
      			repair them. (The goal of this change is to make
      			it easier to find scripts using RSASHA1 so they
      			can be changed in the event of that algorithm
      			being deprecated in the future.) [RT #44755]
  14. 30 Aug, 2017 1 commit
  15. 29 Aug, 2017 1 commit
  16. 24 Aug, 2017 1 commit
  17. 16 Aug, 2017 1 commit
  18. 15 Aug, 2017 1 commit
  19. 10 Aug, 2017 1 commit
  20. 09 Aug, 2017 1 commit
    • [master] remove dig +sigchase · c4cfb0b4
      Evan Hunt authored
      4674.   [func]          "dig +sigchase", and related options "+topdown" and
                              "+trusted-keys", have been removed. Use "delv" for
                              queries with DNSSEC validation. [RT #42793]
  21. 04 Aug, 2017 1 commit
  22. 31 Jul, 2017 1 commit
  23. 28 Jul, 2017 1 commit
    • [master] glue-cache option · 268cea9c
      Evan Hunt authored
      4664.	[func]		Add a "glue-cache" option to enable or disable the
      			glue cache. The default is "no" to reduce memory
      			usage, but enabling this option will improve
      			performance in delegation-heavy zones. [RT #45125]
  24. 15 Jul, 2017 1 commit
  25. 11 Jul, 2017 2 commits
  26. 27 Jun, 2017 1 commit
  27. 13 Jun, 2017 2 commits
    • [master] prevent reload failure due to LMDB database perms · bf05e66b
      Evan Hunt authored
      4638.	[bug]		Reloading or reconfiguring named could fail on
      			some platforms when LMDB was in use. [RT #45203]
    • [master] nsec3hash -r · 0471530a
      Evan Hunt authored
      4637.	[func]		"nsec3hash -r" option ("rdata order") takes arguments
      			in the same order as they appear in NSEC3 or
      			NSEC3PARAM records, so that NSEC3 parameters can
      			be cut and pasted from an existing record. Thanks
      			to Tony Finch for the contribution. [RT #45183]
  28. 30 May, 2017 1 commit
    • [master] quote service registry paths · 967a3b94
      Evan Hunt authored
      4532.	[security]	The BIND installer on Windows used an unquoted
                              service path, which can enable privilege escalation.
      			(CVE-2017-3141) [RT #45229]