  1. 19 Jul, 2018 1 commit
  2. 28 Jun, 2018 1 commit
    • Enable dns_zoneverify_dnssec() to check whether the zone was signed by a trust anchor · fc3dd703
      Michał Kępień authored
      Extend check_dnskey_sigs() so that, if requested, it checks whether the
      DNSKEY RRset at zone apex is signed by at least one trust anchor.  The
      trust anchor table is passed as an argument to dns_zoneverify_dnssec()
      and passed around in the verification context structure.  Neither
      dnssec-signzone nor dnssec-verify are yet modified to make use of that
      feature, though.
      fc3dd703
  3. 15 Jun, 2018 4 commits
    • Propagate dns_zoneverify_dnssec() errors to callers · 24bca1c4
      Michał Kępień authored
      Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
      verification failures should be signalled to callers.  Make
      dns_zoneverify_dnssec() return an isc_result_t and handle both success
      and error appropriately in bin/dnssec/dnssec-signzone.c and
      bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
      shutdown of these tools and causes dnssec-signzone to print signing
      statistics even when zone verification fails.
      24bca1c4
    • Implement zoneverify_log_error() and zoneverify_print() · d949a5d8
      Michał Kępień authored
      These functions will be used in the process of replacing fatal(),
      check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with
      code that does not call exit().  They are intended for:
      
        - zoneverify_log_error(): logging problems encountered while
          performing zone verification,
      
        - zoneverify_print(): printing status messages and reports which are
          only useful in standalone tools.
      
      To make using dns_zone_logv() possible, add a new "zone" argument to
      dns_zoneverify_dnssec() that standalone tools are expected to set to
      NULL.
      d949a5d8
    • Rename verifyzone() to dns_zoneverify_dnssec() · 7554e8d2
      Michał Kępień authored
      This makes the function's name match the naming convention used for
      libdns functions.
      7554e8d2
    • Move verifyzone() and its dependencies into lib/dns/zoneverify.c · 3a14450d
      Michał Kępień authored
      This commit only moves code around, with the following exceptions:
      
        - the check_dns_dbiterator_current() macro and functions
          is_delegation() and has_dname() were removed from
          bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
          bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
          functions are used both by the code in bin/dnssec/dnssec-signzone.c
          and verifyzone(), but are not a good fit for being exported by a
          code module responsible for zone verification,
      
        - fatal() and check_result() were duplicated in lib/dns/zoneverify.c
          as static functions which do not use the "program" variable any more
          (as it is only set by the tools in bin/dnssec/); this is a temporary
          step which only aims to prevent compilation from breaking - these
          duplicate functions will be removed once lib/dns/zoneverify.c is
          refactored not to use them,
      
        - the list of header files included by lib/dns/zoneverify.c was
          expanded to encompass all header files that are actually used by the
          code in that file,
      
        - a description of the purpose of the commented out "fields" inside
          struct nsec3_chain_fixed was added.
      3a14450d
  4. 22 May, 2018 1 commit
    • address win32 build issues · 7ee8a7e6
      Ondřej Surý authored
      - Replace external -DOPENSSL/-DPKCS11CRYPTO with properly AC_DEFINEd
        HAVE_OPENSSL/HAVE_PKCS11
      - Don't enforce the crypto provider from platform.h, just from dst_api.c
        and configure scripts
      7ee8a7e6
  5. 16 May, 2018 1 commit
    • Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API. · 3a4f820d
      Ondřej Surý authored
      The three functions have been modeled after the arc4random family of
      functions, and they will always return random bytes.
      
      The isc_random family of functions internally uses these CSPRNGs (if available):
      
      1. getrandom() libc call (might be available on Linux and Solaris)
      2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
      3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
      4. crypto library function:
      4a. RAND_bytes in case OpenSSL
      4b. pkcs_C_GenerateRandom() in case PKCS#11 library
      3a4f820d
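As an added example (not BIND's code; none of the example_ names are real ISC identifiers), here is an arc4random-style API built on the provider order the commit message lists, together with the rejection-sampling step that keeps the bounded variant free of modulo bias. It assumes a POSIX system: the raw getrandom syscall on Linux, arc4random_buf() on the BSDs and macOS, and /dev/urandom as the final fallback in place of the crypto-library providers (RAND_bytes, C_GenerateRandom).

```c
/*
 * Added example, not BIND code.  Hypothetical example_ API modelled on
 * arc4random: it either returns random bytes or aborts, never an error.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/syscall.h>
#endif

/* Read exactly n bytes from fd, retrying on EINTR; returns 0 on failure. */
static int
example_read_full(int fd, unsigned char *p, size_t n) {
	while (n > 0) {
		ssize_t r = read(fd, p, n);
		if (r < 0 && errno == EINTR) continue;
		if (r <= 0) return 0;
		p += r; n -= (size_t)r;
	}
	return 1;
}

/* Fill buf with n CSPRNG bytes or abort(): like arc4random_buf(), this never
 * returns with a partially filled buffer.  Provider order follows the commit
 * message: getrandom, then arc4random, then a last-resort source. */
void
example_random_buf(void *buf, size_t n) {
	unsigned char *p = buf;
#if defined(__linux__) && defined(SYS_getrandom)
	/* Raw syscall so this works even where libc lacks the getrandom() wrapper. */
	while (n > 0) {
		long r = syscall(SYS_getrandom, p, n, 0);
		if (r < 0 && errno == EINTR) continue;
		if (r < 0 && errno == ENOSYS) break; /* kernel too old: fall back */
		if (r < 0) abort();
		p += r; n -= (size_t)r;
	}
	if (n == 0) return;
#elif defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
	arc4random_buf(buf, n);
	return;
#endif
	/* Last resort: the kernel pool via /dev/urandom.  In the real library a
	 * crypto-provider call (RAND_bytes / C_GenerateRandom) sits here. */
	int fd = open("/dev/urandom", O_RDONLY);
	if (fd < 0 || !example_read_full(fd, p, n)) abort();
	close(fd);
}

uint32_t
example_random32(void) {
	uint32_t v;
	example_random_buf(&v, sizeof(v));
	return v;
}

/* 2**32 % upper_bound, computed without overflow as
 * (2**32 - upper_bound) % upper_bound.  Raw 32-bit values below this
 * threshold are the ones that would skew "r % upper_bound" toward small
 * results, so the bounded sampler rejects them. */
uint32_t
example_uniform_threshold(uint32_t upper_bound) {
	if (upper_bound < 2) return 0;
	return (uint32_t)(0u - upper_bound) % upper_bound;
}

/* Uniform value in [0, upper_bound) via rejection sampling (the arc4random_uniform
 * approach).  Since the threshold is at most 2**31, the loop runs < 2 times on average. */
uint32_t
example_random_uniform(uint32_t upper_bound) {
	uint32_t r, min;
	if (upper_bound < 2) return 0;
	min = example_uniform_threshold(upper_bound);
	do {
		r = example_random32();
	} while (r < min);
	return r % upper_bound;
}

/* Cheap self-check: two independent 16-byte draws must not be identical. */
int
example_random_buf_looks_random(void) {
	unsigned char a[16], b[16];
	example_random_buf(a, sizeof(a));
	example_random_buf(b, sizeof(b));
	return memcmp(a, b, sizeof(a)) != 0;
}

int
main(void) {
	printf("threshold for 3: %u\n", example_uniform_threshold(3));
	printf("random in [0,10): %u\n", example_random_uniform(10));
	printf("random32: %u\n", example_random32());
	return 0;
}
```

The threshold is the part worth studying: for upper_bound = 3 it is 1, so only the raw value 0 is rejected, while a naive `r % 3` would hand out 0 slightly more often than 1 or 2. Note that ENOSYS is the only getrandom error treated as "try the next provider"; anything else aborts, because silently degrading the entropy source is exactly what an arc4random-style API promises not to do.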
  6. 09 Apr, 2018 1 commit
    • Use dns_fixedname_initname() where possible · 4df4a8e7
      Michał Kępień authored
      Replace dns_fixedname_init() calls followed by dns_fixedname_name()
      calls with calls to dns_fixedname_initname() where it is possible
      without affecting current behavior and/or performance.
      
      This patch was mostly prepared using Coccinelle and the following
      semantic patch:
      
          @@
          expression fixedname, name;
          @@
          -	dns_fixedname_init(&fixedname);
          	...
          -	name = dns_fixedname_name(&fixedname);
          +	name = dns_fixedname_initname(&fixedname);
      
      The resulting set of changes was then manually reviewed to exclude false
      positives and apply minor tweaks.
      
      It is likely that more occurrences of this pattern can be refactored in
      an identical way.  This commit only takes care of the low-hanging fruit.
      4df4a8e7
  7. 06 Apr, 2018 2 commits
  8. 04 Apr, 2018 1 commit
  9. 23 Feb, 2018 1 commit
  10. 13 Sep, 2017 1 commit
  11. 14 Aug, 2017 2 commits
  12. 27 Jun, 2016 1 commit
  13. 20 Jan, 2015 2 commits
  14. 16 Jun, 2014 1 commit
    • [10686] Add version printing option to various BIND utilities · 42782931
      Mukund Sivaraman authored
      Squashed commit of the following:
      
      commit 95effe9b2582a7eb878ccb8cb9ef51dfc5bbfde7
      Author: Evan Hunt <each@isc.org>
      Date:   Tue Jun 10 16:52:45 2014 -0700
      
          [rt10686] move version() to dnssectool.c
      
      commit df205b541d1572ea5306a5f671af8b54b9c5c770
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:38:31 2014 +0530
      
          Rearrange order of cases
      
      commit cfd30893f2540bf9d607e1fd37545ea7b441e0d0
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:38:08 2014 +0530
      
          Add version printer to dnssec-verify
      
      commit a625ea338c74ab5e21634033ef87f170ba37fdbe
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:32:19 2014 +0530
      
          Add version printer to dnssec-signzone
      
      commit d91e1c0f0697b3304ffa46fccc66af65591040d9
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:26:01 2014 +0530
      
          Add version printer to dnssec-settime
      
      commit 46fc8775da3e13725c31d13e090b406d69b8694f
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:25:48 2014 +0530
      
          Fix docbook
      
      commit 8123d2efbd84cdfcbc70403aa9bb27b96921bab2
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:20:17 2014 +0530
      
          Add version printer to dnssec-revoke
      
      commit d0916420317d3e8c69cf1b37d2209ea2d072b913
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:17:54 2014 +0530
      
          Add version printer to dnssec-keygen
      
      commit 93b0bd5ebc043298dc7d8f446ea543cb40eaecf8
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:14:11 2014 +0530
      
          Add version printer to dnssec-keyfromlabel
      
      commit 07001bcd9ae2d7b09dd9e243b0ab35307290d05d
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:13:39 2014 +0530
      
          Update usage help output, docbook
      
      commit 85cdd702f41c96fbc767fc689d1ed97fe1f3a926
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:07:18 2014 +0530
      
          Add version printer to dnssec-importkey
      
      commit 9274fc61e38205aad561edf445940b4e73d788dc
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 21:01:53 2014 +0530
      
          Add version printer to dnssec-dsfromkey
      
      commit bf4605ea2d7282e751fd73489627cc8a99f45a90
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 20:49:22 2014 +0530
      
          Add -V to nsupdate usage output
      42782931
  15. 13 Mar, 2014 1 commit
    • [master] better error output when initializing pkcs11 · acbb301e
      Evan Hunt authored
      3786.	[func]		Provide more detailed error codes when using
      			native PKCS#11. "pkcs11-tokens" now fails robustly
      			rather than asserting when run against an HSM with
      			an incomplete PKCS#11 API implementation. [RT #35479]
      acbb301e
  16. 04 Mar, 2014 1 commit
  17. 16 Jan, 2014 1 commit
  18. 14 Jan, 2014 1 commit
    • [master] native PKCS#11 support · ba751492
      Evan Hunt authored
      3705.	[func]		"configure --enable-native-pkcs11" enables BIND
      			to use the PKCS#11 API for all cryptographic
      			functions, so that it can drive a hardware service
      			module directly without the need to use a modified
      			OpenSSL as intermediary (so long as the HSM's vendor
      			provides a complete-enough implementation of the
      			PKCS#11 interface). This has been tested successfully
      			with the Thales nShield HSM and with SoftHSMv2 from
      			the OpenDNSSEC project. [RT #29031]
      ba751492
  19. 06 Oct, 2012 1 commit
  20. 26 Jun, 2012 1 commit
  21. 25 Jun, 2012 1 commit