Commit 41a85186 authored by Evan Hunt's avatar Evan Hunt
Browse files

Merge 'managed-key-assert' into security-master

parents 91550e21 3022633d
......@@ -159,7 +159,10 @@
 
5119. [placeholder]
 
5118. [placeholder]
5118. [security] Named could crash if it is managing a key with
`managed-keys` and the authoritative zone is rolling
the key to an unsupported algorithm. (CVE-2018-5745)
[GL #780]
 
5117. [placeholder]
 
......
......@@ -19,3 +19,6 @@ managed-keys.jnl, causing RFC 5011 initialization to fail.
ns5 is a validator which is prevented from getting a response from the
root server, causing key refresh queries to fail.
ns6 is a validator which has unsupported algorithms, one at start up,
one because of an algorithm rollover.
......@@ -16,9 +16,10 @@ rm -f */named.conf
rm -f */named.memstats */named.run */named.run.prev
rm -f dig.out* delv.out* rndc.out* signer.out*
rm -f dsset-. ns1/dsset-.
rm -f ns1/zone.key
rm -f ns*/managed-keys.bind*
rm -f ns*/named.lock
rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
rm -f ns5/named.args
rm -f ns6/view1.mkeys ns6/view2.mkeys
rm -f ns7/view1.mkeys ns7/view2.mkeys
rm -rf ns4/nope
......@@ -8,16 +8,16 @@
; information regarding copyright ownership.
$TTL 20
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
2 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
; no delegation
example. TXT "This is a test."
example. TXT "This is a test."
......@@ -26,13 +26,18 @@ cp managed.conf ../ns2/managed.conf
cp managed.conf ../ns4/managed.conf
cp managed.conf ../ns5/managed.conf
# Configure a trusted key statement (used by delv)
# Configure a trusted key statement (used by delv).
keyfile_to_trusted_keys $keyname > trusted.conf
# Prepare an unsupported algorithm key.
unsupportedkey=Kunknown.+255+00000
cp unsupported.key "${unsupportedkey}.key"
#
# Save keyname and keyid for managed key id test.
#
echo "$keyname" > managed.key
echo "$zskkeyname" > zone.key
keyid=`expr $keyname : 'K\.+00.+\([0-9]*\)'`
keyid=`expr $keyid + 0`
echo "$keyid" > managed.key.id
. IN DNSKEY 257 3 255 BJiXuidPHuGIne8GlCBLG+Oq/FZruQd2s3uBo+SxY16NUP/Vwl8MctMK62KsblDU1gIJAdEMVep2tsOkuSm0bIbJ8NBex+N9rSvzH2YJlDCT9QnNfv4q5RRTcVA3lk9nkmWHo6zcAT33yuS+THOCSznOMCJRq8JGZ6xqMJLv9FucuK6CCe6QBAZ5e98dpyGTWQLu7AERKKFqda9YCk3KQfdzx/HZ4SpQpRLncIXvGm1PIMT8Ar95NB/BsFJGwr5ZTaQtRYOXf2DD7wD3pfMsTJCdZyC0J0EtGBG109I+Oou1cswUfqZLXip/aV3eaBAUqLcZpg8P8vAbrvEq4uMS4OMZeXL6nu0irrdS1Pqmax8RsC+x3fg9EBH3QmHroJZtiU5h+0x4qApp7HE4Z5zFRuxIp9iB
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=5/10/20
......@@ -22,8 +22,8 @@ options {
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-validation yes;
trust-anchor-telemetry no;
};
key rndc_key {
......@@ -35,16 +35,9 @@ controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
view view1 {
zone "." {
type hint;
file "../../common/root.hint";
};
zone "." {
type hint;
file "../../common/root.hint";
};
view view2 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
include "managed.conf";
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
zone=.
zonefile=root.db
# an RSA key
rsakey=`$KEYGEN -a rsasha256 -qfk rsasha256.`
# a key with unsupported algorithm
unsupportedkey=Kunknown.+255+00000
cp unsupported-managed.key "${unsupportedkey}.key"
# root key
rootkey=`cat ../ns1/managed.key`
cp "../ns1/${rootkey}.key" .
# Configure the resolving server with a managed trusted key.
keyfile_to_managed_keys $unsupportedkey $rsakey $rootkey > managed.conf
unsupported. IN DNSKEY 257 3 255 BOOVAhiJDPqhfU7+yGXjhetrtC/rtjmwO1yo52BUHUd8R4hQ/ZPdYCVvQlvNkRxDblPkFM5YRXkesS30pJSoNYrg+djbMNumJrLG+lbhFIc/ahTjlYOxb1zm2z00ubHju/1uGBifiRvKWSK0Vr0u6NtS4PKZfsnXt+piSHiRAHSfkjGHwqPYYKh9EUW12kJmIzlMaM6WYl+gJOvL+f8VqNLtvsMPT6OPK/3h/Dnfnxyeudp/jzAnNDDiTgX2XfzIXB4UwxtzIOGaHLnprpNf3zoBm0kyaEdSQQ/qKkpCOqjBasYEHRjVz3RncPUkdLr7PQuPBfFDr3SUMMJqufJrO4IJjtD4cCBT7K1i39Jg471nEzU1vkPzxF+Rw1QHT4nZaXbltf3BEZGS4Knoe9XPwi5KjGW6
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS7
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
recursion yes;
notify no;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
view view1 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
view view2 {
zone "." {
type hint;
file "../../common/root.hint";
};
};
......@@ -20,10 +20,12 @@ copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
cp ns5/named1.args ns5/named.args
( cd ns1 && $SHELL sign.sh )
( cd ns6 && $SHELL setup.sh )
cp ns2/managed.conf ns2/managed1.conf
......
......@@ -745,7 +745,7 @@ nextpart ns5/named.run > /dev/null
mkeys_reconfig_on 1
wait_for_log "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run
mkeys_secroots_on 5
grep '; managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
grep '; managed' ns5/named.secroots > /dev/null || ret=1
# ns1 should not longer REFUSE queries from ns5, so managed keys should be
# correctly refreshed and resolving should succeed
$DIG $DIGOPTS +noauth example. @10.53.0.5 txt > dig.out.ns5.b.test$n || ret=1
......@@ -755,17 +755,71 @@ grep "status: NOERROR" dig.out.ns5.b.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "reinitialize trust anchors, add unsupported algorithm ($n)"
ret=0
$PERL $SYSTEMTESTTOP/stop.pl --use-rndc --port ${CONTROLPORT} mkeys ns6
rm -f ns6/managed-keys.bind*
nextpart ns6/named.run > /dev/null
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} mkeys ns6
# log when an unsupported algorithm is encountered during startup
wait_for_log "skipping managed key for 'unsupported\.': algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in managed-keys ($n)"
ret=0
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
n=`expr $n + 1`
echo_i "introduce unsupported algorithm rollover in authoritative zone ($n)"
ret=0
cp ns1/root.db ns1/root.db.orig
ksk=`cat ns1/managed.key`
zsk=`cat ns1/zone.key`
cat "ns1/${ksk}.key" "ns1/${zsk}.key" ns1/unsupported.key >> ns1/root.db
grep "\..*IN.*DNSKEY.*257 3 255" ns1/root.db > /dev/null || ret=1
$SIGNER -K ns1 -N unixtime -o . ns1/root.db $ksk $zsk > /dev/null 2>/dev/null || ret=1
grep "DNSKEY.*257 3 255" ns1/root.db.signed > /dev/null || ret=1
cp ns1/root.db.orig ns1/root.db
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "skipping unsupported algorithm in rollover ($n)"
ret=0
mkeys_reload_on 1
mkeys_refresh_on 6
mkeys_status_on 6 > rndc.out.$n 2>&1
# there should still be only two keys listed (for . and rsasha256.)
count=`grep -c "keyid: " rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# two lines indicating trust status
count=`grep -c "trust" rndc.out.$n`
[ "$count" -eq 2 ] || ret=1
# log when an unsupported algorithm is encountered during rollover
wait_for_log "Cannot compute tag for key in zone \.: algorithm is unsupported" ns6/named.run
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check 'rndc managed-keys' and views ($n)"
ret=0
$RNDCCMD 10.53.0.6 managed-keys refresh in view1 > rndc.out.ns6.view1.test$n || ret=1
grep "refreshing managed keys for 'view1'" rndc.out.ns6.view1.test$n > /dev/null || ret=1
lines=`wc -l < rndc.out.ns6.view1.test$n`
$RNDCCMD 10.53.0.7 managed-keys refresh in view1 > rndc.out.ns7.view1.test$n || ret=1
grep "refreshing managed keys for 'view1'" rndc.out.ns7.view1.test$n > /dev/null || ret=1
lines=`wc -l < rndc.out.ns7.view1.test$n`
[ $lines -eq 1 ] || ret=1
$RNDCCMD 10.53.0.6 managed-keys refresh > rndc.out.ns6.view2.test$n || ret=1
lines=`wc -l < rndc.out.ns6.view2.test$n`
grep "refreshing managed keys for 'view1'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
grep "refreshing managed keys for 'view2'" rndc.out.ns6.view2.test$n > /dev/null || ret=1
$RNDCCMD 10.53.0.7 managed-keys refresh > rndc.out.ns7.view2.test$n || ret=1
lines=`wc -l < rndc.out.ns7.view2.test$n`
grep "refreshing managed keys for 'view1'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null || ret=1
[ $lines -eq 2 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......
......@@ -140,6 +140,14 @@
for records in the zone. [GL #771]
</para>
</listitem>
<listitem>
<para>
<command>named</command> could crash if it managed a DNSSEC
security root with <command>managed-keys</command> and the
authoritative zone rolled the key to an algorithm not supported
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -70,8 +70,7 @@ typedef struct dst_context dst_context_t;
#define DST_ALG_HMACSHA512 165 /* XXXMPA */
#define DST_ALG_INDIRECT 252
#define DST_ALG_PRIVATE 254
#define DST_ALG_EXPAND 255
#define DST_MAX_ALGS 255
#define DST_MAX_ALGS 256
/*% A buffer of this size is large enough to hold any key */
#define DST_KEY_MAXSIZE 1280
......
......@@ -3931,9 +3931,10 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx,
dns_rdatatype_dnskey, dnskey, &buffer);
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey);
if (result == ISC_R_SUCCESS)
if (result == ISC_R_SUCCESS) {
*tag = dst_key_id(dstkey);
dst_key_free(&dstkey);
dst_key_free(&dstkey);
}
return (result);
}
......@@ -9652,6 +9653,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
dns_keydata_todnskey(&keydata, &dnskey, NULL);
result = compute_tag(keyname, &dnskey, mctx, &keytag);
if (result != ISC_R_SUCCESS) {
/*
* Skip if we cannot compute the key tag.
* This may happen if the algorithm is unsupported
*/
dns_zone_log(zone, ISC_LOG_ERROR,
"Cannot compute tag for key in zone %s: %s "
"(skipping)",
namebuf, dns_result_totext(result));
continue;
}
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
......@@ -9765,6 +9777,17 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
}
result = compute_tag(keyname, &dnskey, mctx, &keytag);
if (result != ISC_R_SUCCESS) {
/*
* Skip if we cannot compute the key tag.
* This may happen if the algorithm is unsupported
*/
dns_zone_log(zone, ISC_LOG_ERROR,
"Cannot compute tag for key in zone %s: %s "
"(skipping)",
namebuf, dns_result_totext(result));
continue;
}
RUNTIME_CHECK(result == ISC_R_SUCCESS);
revoked = ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0);
......
......@@ -156,7 +156,7 @@
./bin/dnssec/win32/verify.vcxproj.filters.in X 2013,2015,2018,2019
./bin/dnssec/win32/verify.vcxproj.in X 2013,2014,2015,2016,2017,2018,2019
./bin/dnssec/win32/verify.vcxproj.user X 2013,2018,2019
./bin/named/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018
./bin/named/Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
./bin/named/bind9.xsl SGML 2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019
./bin/named/bind9.xsl.h X 2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019
./bin/named/builtin.c C 2001,2002,2003,2004,2005,2007,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
......@@ -425,22 +425,22 @@
./bin/tests/system/checkds/dig.bat BAT 2016,2018,2019
./bin/tests/system/checkds/dig.pl PERL 2014,2016,2017,2018,2019
./bin/tests/system/checkds/dig.sh SH 2012,2013,2016,2017,2018,2019
./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018
./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018
./bin/tests/system/checkds/missing.example.ds.db X 2012,2018
./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018
./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018
./bin/tests/system/checkds/none.example.ds.db X 2012,2018
./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018
./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018
./bin/tests/system/checkds/ok.example.ds.db X 2012,2018
./bin/tests/system/checkds/prep.example.db X 2017,2018
./bin/tests/system/checkds/prep.example.ds.db X 2017,2018
./bin/tests/system/checkds/missing.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/missing.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/missing.example.ds.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/none.example.ds.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/ok.example.ds.db X 2012,2018,2019
./bin/tests/system/checkds/prep.example.db X 2017,2018,2019
./bin/tests/system/checkds/prep.example.ds.db X 2017,2018,2019
./bin/tests/system/checkds/setup.sh SH 2012,2013,2014,2016,2018,2019
./bin/tests/system/checkds/tests.sh SH 2012,2013,2014,2016,2017,2018,2019
./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018
./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018
./bin/tests/system/checkds/wrong.example.ds.db X 2012,2018
./bin/tests/system/checkds/wrong.example.dlv.example.dlv.db X 2012,2018,2019
./bin/tests/system/checkds/wrong.example.dnskey.db X 2012,2018,2019
./bin/tests/system/checkds/wrong.example.ds.db X 2012,2018,2019
./bin/tests/system/checknames/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019
./bin/tests/system/checknames/setup.sh SH 2004,2007,2012,2014,2016,2018,2019
./bin/tests/system/checknames/tests.sh SH 2004,2007,2012,2013,2014,2015,2016,2018,2019
......@@ -536,11 +536,11 @@
./bin/tests/system/dnssec/clean.sh SH 2000,2001,2002,2004,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
./bin/tests/system/dnssec/dnssec_update_test.pl PERL 2002,2004,2007,2010,2012,2016,2018,2019
./bin/tests/system/dnssec/ns1/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2016,2017,2018,2019
./bin/tests/system/dnssec/ns2/rfc2335.example.db X 2004,2018
./bin/tests/system/dnssec/ns2/rfc2335.example.db X 2004,2018,2019
./bin/tests/system/dnssec/ns2/sign.sh SH 2000,2001,2002,2003,2004,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019
./bin/tests/system/dnssec/ns3/sign.sh SH 2000,2001,2002,2004,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
./bin/tests/system/dnssec/ns3/unsupported-algorithm.key X 2018,2019
./bin/tests/system/dnssec/ns5/.gitignore X 2015,2018
./bin/tests/system/dnssec/ns5/.gitignore X 2015,2018,2019
./bin/tests/system/dnssec/ns5/sign.sh SH 2015,2016,2017,2018,2019
./bin/tests/system/dnssec/ns6/named.args X 2013,2014,2016,2018,2019
./bin/tests/system/dnssec/ns6/sign.sh SH 2013,2014,2016,2017,2018,2019
......@@ -585,8 +585,8 @@
./bin/tests/system/dyndb/driver/AUTHORS X 2015,2018,2019
./bin/tests/system/dyndb/driver/COPYING X 2015,2016,2018,2019
./bin/tests/system/dyndb/driver/README X 2015,2018,2019
./bin/tests/system/dyndb/driver/db.c X 2015,2016,2017,2018
./bin/tests/system/dyndb/driver/db.h X 2015,2016,2018
./bin/tests/system/dyndb/driver/db.c X 2015,2016,2017,2018,2019
./bin/tests/system/dyndb/driver/db.h X 2015,2016,2018,2019
./bin/tests/system/dyndb/driver/driver.c X 2015,2016,2018,2019
./bin/tests/system/dyndb/driver/instance.c X 2015,2016,2018,2019
./bin/tests/system/dyndb/driver/instance.h X 2015,2016,2018,2019
......@@ -645,8 +645,8 @@
./bin/tests/system/formerr/twoquestions X 2013,2018,2019
./bin/tests/system/forward/ans6/startme X 2019
./bin/tests/system/forward/clean.sh SH 2000,2001,2004,2007,2012,2014,2015,2016,2018,2019
./bin/tests/system/forward/ns1/example.db X 2000,2001,2018
./bin/tests/system/forward/ns2/example.db X 2000,2001,2018
./bin/tests/system/forward/ns1/example.db X 2000,2001,2018,2019
./bin/tests/system/forward/ns2/example.db X 2000,2001,2018,2019
./bin/tests/system/forward/prereq.sh SH 2019
./bin/tests/system/forward/setup.sh SH 2018,2019
./bin/tests/system/forward/tests.sh SH 2000,2001,2004,2007,2011,2012,2013,2014,2016,2018,2019
......@@ -760,7 +760,7 @@
./bin/tests/system/keymgr/tests.sh SH 2016,2018,2019
./bin/tests/system/legacy/build.sh SH 2014,2016,2017,2018,2019
./bin/tests/system/legacy/clean.sh SH 2014,2016,2018,2019
./bin/tests/system/legacy/ns1/trusted.conf X 2014,2018
./bin/tests/system/legacy/ns1/trusted.conf X 2014,2018,2019
./bin/tests/system/legacy/ns10/named.ednsrefused X 2018,2019
./bin/tests/system/legacy/ns2/named.dropedns X 2014,2018,2019
./bin/tests/system/legacy/ns3/named.dropedns X 2014,2018,2019
......@@ -768,10 +768,10 @@
./bin/tests/system/legacy/ns4/named.args X 2014,2018,2019
./bin/tests/system/legacy/ns5/named.args X 2014,2018,2019
./bin/tests/system/legacy/ns5/named.notcp X 2014,2018,2019
./bin/tests/system/legacy/ns6/edns512.db.signed X 2014,2018
./bin/tests/system/legacy/ns6/edns512.db.signed X 2014,2018,2019
./bin/tests/system/legacy/ns6/named.args X 2014,2018,2019
./bin/tests/system/legacy/ns6/sign.sh SH 2014,2016,2018,2019
./bin/tests/system/legacy/ns7/edns512-notcp.db.signed X 2014,2018
./bin/tests/system/legacy/ns7/edns512-notcp.db.signed X 2014,2018,2019
./bin/tests/system/legacy/ns7/named.args X 2014,2018,2019
./bin/tests/system/legacy/ns7/named.notcp X 2014,2018,2019
./bin/tests/system/legacy/ns7/sign.sh SH 2014,2016,2018,2019
......@@ -822,10 +822,14 @@
./bin/tests/system/mkeys/README TXT.BRIEF 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/clean.sh SH 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/ns1/sign.sh SH 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/ns1/unsupported.key X 2018,2019
./bin/tests/system/mkeys/ns2/named.args X 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/ns3/named.args X 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/ns5/named1.args X 2017,2018,2019
./bin/tests/system/mkeys/ns5/named2.args X 2017,2018,2019
./bin/tests/system/mkeys/ns6/named.args X 2018,2019
./bin/tests/system/mkeys/ns6/setup.sh SH 2018,2019
./bin/tests/system/mkeys/ns6/unsupported-managed.key X 2018,2019
./bin/tests/system/mkeys/setup.sh SH 2015,2016,2017,2018,2019
./bin/tests/system/mkeys/tests.sh SH 2015,2016,2017,2018,2019
./bin/tests/system/names/clean.sh SH 2015,2016,2018,2019
......@@ -933,7 +937,7 @@
./bin/tests/system/rpz/ckdnsrps.sh SH 2017,2018,2019
./bin/tests/system/rpz/clean.sh SH 2011,2012,2013,2014,2016,2017,2018,2019
./bin/tests/system/rpz/dnsrps.c C 2017,2018,2019
./bin/tests/system/rpz/dnsrpzd-license.conf X 2017,2018
./bin/tests/system/rpz/dnsrpzd-license.conf X 2017,2018,2019
./bin/tests/system/rpz/ns3/crash1 X 2011,2013,2018,2019
./bin/tests/system/rpz/ns3/crash2 X 2011,2012,2013,2018,2019
./bin/tests/system/rpz/ns5/named.args X 2013,2014,2018,2019
......@@ -1101,17 +1105,17 @@
./bin/tests/system/tsiggss/clean.sh SH 2010,2011,2014,2015,2016,2018,2019
./bin/tests/system/tsiggss/ns1/administrator.ccache X 2010,2018,2019
./bin/tests/system/tsiggss/ns1/dns.keytab X 2010,2018,2019
./bin/tests/system/tsiggss/ns1/example.nil.db.in X 2011,2018
./bin/tests/system/tsiggss/ns1/example.nil.db.in X 2011,2018,2019
./bin/tests/system/tsiggss/ns1/testdenied.ccache X 2010,2018,2019
./bin/tests/system/tsiggss/prereq.sh SH 2010,2011,2012,2014,2016,2018,2019
./bin/tests/system/tsiggss/setup.sh SH 2010,2011,2012,2014,2016,2017,2018,2019
./bin/tests/system/tsiggss/tests.sh SH 2010,2011,2014,2016,2017,2018,2019
./bin/tests/system/ttl/clean.sh X 2018,2019
./bin/tests/system/ttl/ns1/max-example.db X 2018
./bin/tests/system/ttl/ns1/min-example.db X 2018
./bin/tests/system/ttl/ns1/named.conf.in X 2018
./bin/tests/system/ttl/ns2/hints.db X 2018
./bin/tests/system/ttl/ns2/named.conf.in X 2018
./bin/tests/system/ttl/ns1/max-example.db X 2018,2019
./bin/tests/system/ttl/ns1/min-example.db X 2018,2019
./bin/tests/system/ttl/ns1/named.conf.in X 2018,2019
./bin/tests/system/ttl/ns2/hints.db X 2018,2019
./bin/tests/system/ttl/ns2/named.conf.in X 2018,2019
./bin/tests/system/ttl/setup.sh X 2018,2019
./bin/tests/system/ttl/tests.sh X 2018,2019
./bin/tests/system/unknown/clean.sh SH 2000,2001,2004,2007,2012,2013,2014,2015,2016,2018,2019
......@@ -1185,10 +1189,10 @@
./bin/tests/system/zonechecks/clean.sh SH 2004,2007,2012,2014,2015,2016,2018,2019
./bin/tests/system/zonechecks/setup.sh SH 2012,2013,2014,2015,2016,2017,2018,2019
./bin/tests/system/zonechecks/tests.sh SH 2004,2007,2009,2012,2013,2014,2015,2016,2018,2019
./bin/tests/testdata/wire/wire_test.data X 1999,2000,2001,2018
./bin/tests/testdata/wire/wire_test.data2 X 1999,2000,2001,2018
./bin/tests/testdata/wire/wire_test.data3 X 1999,2000,2001,2018
./bin/tests/testdata/wire/wire_test.data4 X 1999,2000,2001,2018
./bin/tests/testdata/wire/wire_test.data X 1999,2000,2001,2018,2019
./bin/tests/testdata/wire/wire_test.data2 X 1999,2000,2001,2018,2019
./bin/tests/testdata/wire/wire_test.data3 X 1999,2000,2001,2018,2019
./bin/tests/testdata/wire/wire_test.data4 X 1999,2000,2001,2018,2019
./bin/tests/virtual-time/README TXT.BRIEF 2010,2016,2018,2019
./bin/tests/virtual-time/autosign-ksk/clean.sh SH 2010,2012,2015,2016,2018,2019
./bin/tests/virtual-time/autosign-ksk/ns1/sign.sh SH 2010,2012,2016,2018,2019
......@@ -1345,7 +1349,7 @@
./contrib/dlz/example/Makefile X 2010,2013,2018,2019
./contrib/dlz/example/README X 2011,2012,2013,2014,2018,2019
./contrib/dlz/example/dlz_example.c X 2010,2011,2012,2013,2014,2018,2019
./contrib/dlz/example/named.conf X 2011,2014,2018
./contrib/dlz/example/named.conf X 2011,2014,2018,2019
./contrib/dlz/example/win32/DLLMain.c X 2011,2016,2018,2019
./contrib/dlz/example/win32/dxdriver.def X 2011,2018,2019
./contrib/dlz/example/win32/dxdriver.dsp X 2018,2019
......@@ -1356,7 +1360,7 @@
./contrib/dlz/modules/bdbhpt/testing/README X 2015,2018,2019
./contrib/dlz/modules/bdbhpt/testing/bdbhpt-populate.pl X 2013,2018,2019
./contrib/dlz/modules/bdbhpt/testing/dns-data.txt X 2013,2015,2018,2019
./contrib/dlz/modules/bdbhpt/testing/named.conf X 2015,2018
./contrib/dlz/modules/bdbhpt/testing/named.conf X 2015,2018,2019
./contrib/dlz/modules/common/dlz_dbi.c X 2013,2014,2016,2018,2019
./contrib/dlz/modules/filesystem/Makefile X 2013,2018,2019
./contrib/dlz/modules/filesystem/dir.c X 2013,2018,2019
......@@ -1371,19 +1375,19 @@
./contrib/dlz/modules/ldap/testing/README X 2013,2018,2019
./contrib/dlz/modules/ldap/testing/dlz.schema X 2013,2018,2019
./contrib/dlz/modules/ldap/testing/example.ldif X 2013,2018,2019
./contrib/dlz/modules/ldap/testing/named.conf X 2013,2018
./contrib/dlz/modules/ldap/testing/slapd.conf X 2013,2018
./contrib/dlz/modules/ldap/testing/named.conf X 2013,2018,2019
./contrib/dlz/modules/ldap/testing/slapd.conf X 2013,2018,2019
./contrib/dlz/modules/mysql/dlz_mysql_dynamic.c X 2013,2016,2018,2019
./contrib/dlz/modules/mysql/testing/README X 2013,2018,2019
./contrib/dlz/modules/mysql/testing/dlz.data X 2013,2017,2018
./contrib/dlz/modules/mysql/testing/dlz.data X 2013,2017,2018,2019
./contrib/dlz/modules/mysql/testing/dlz.schema X 2013,2018,2019
./contrib/dlz/modules/mysql/testing/named.conf X 2013,2018
./contrib/dlz/modules/mysql/testing/named.conf X 2013,2018,2019
./contrib/dlz/modules/mysqldyn/README X 2014,2018,2019
./contrib/dlz/modules/mysqldyn/dlz_mysqldyn_mod.c X 2014,2015,2018,2019
./contrib/dlz/modules/mysqldyn/testing/README X 2014,2018,2019
./contrib/dlz/modules/mysqldyn/testing/dlz.data X 2014,2018
./contrib/dlz/modules/mysqldyn/testing/dlz.data X 2014,2018,2019
./contrib/dlz/modules/mysqldyn/testing/dlz.schema X 2014,2018,2019
./contrib/dlz/modules/mysqldyn/testing/named.conf X 2014,2018
./contrib/dlz/modules/mysqldyn/testing/named.conf X 2014,2018,2019
./contrib/dlz/modules/perl/Makefile X 2013,2018,2019
./contrib/dlz/modules/perl/README X 2013,2018,2019
./contrib/dlz/modules/perl/dlz_perl_callback.xs X 2013,2018,2019
......@@ -1391,18 +1395,18 @@
./contrib/dlz/modules/perl/dlz_perl_driver.c X 2013,2015,2016,2018,2019
./contrib/dlz/modules/perl/dlz_perl_driver.h X 2013,2018,2019
./contrib/dlz/modules/perl/testing/dlz_perl_example.pm X 2013,2018,2019
./contrib/dlz/modules/perl/testing/named.conf X 2013,2018
./contrib/dlz/modules/perl/testing/named.conf X 2013,2018,2019
./contrib/dlz/modules/sqlite3/Makefile X 2014,2018,2019
./contrib/dlz/modules/sqlite3/dlz_sqlite3_dynamic.c X 2014,2016,2018,2019
./contrib/dlz/modules/sqlite3/testing/README X 2014,2018,2019
./contrib/dlz/modules/sqlite3/testing/dlz.data X 2014,2018
./contrib/dlz/modules/sqlite3/testing/dlz.data X 2014,2018,2019
./contrib/dlz/modules/sqlite3/testing/dlz.schema X 2014,2018,2019
./contrib/dlz/modules/sqlite3/testing/named.conf X 2014,2018
./contrib/dlz/modules/sqlite3/testing/named.conf X 2014,2018,2019
./contrib/dlz/modules/wildcard/Makefile X 2013,2018,2019
./contrib/dlz/modules/wildcard/README X 2013,2018,2019
./contrib/dlz/modules/wildcard/dlz_wildcard_dynamic.c X 2013,2015,2016,2018,2019
./contrib/dlz/modules/wildcard/testing/named.conf X 2013,2018
./contrib/dnspriv/nginx.conf SH 2017,2018
./contrib/dlz/modules/wildcard/testing/named.conf X 2013,2018,2019
./contrib/dnspriv/nginx.conf SH 2017,2018,2019
./contrib/kasp/README X 2016,2018,2019
./contrib/kasp/kasp.xml X 2016,2018,2019
./contrib/kasp/kasp2policy.py X 2016,2018,2019
......@@ -1426,7 +1430,7 @@
./doc/arm/Bv9ARM.ch10.html X 2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
./doc/arm/Bv9ARM.ch11.html X 2015,2016,2017,2018,2019
./doc/arm/Bv9ARM.ch12.html X 2015,2016,2017,2018,2019
./doc/arm/Bv9ARM.conf X 2015,2018
./doc/arm/Bv9ARM.conf X 2015,2018,2019
./doc/arm/Bv9ARM.html X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
./doc/arm/Bv9ARM.pdf X 2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019
./doc/arm/README-SGML TXT.BRIEF 2000,2001,2004,2015,2016,2018,2019
......@@ -1488,7 +1492,7 @@
./doc/arm/masters.grammar.xml SGML 2018,2019
./doc/arm/mirror.zoneopt.xml SGML 2018,2019
./doc/arm/notes-wrapper.xml SGML 2014,2015,2016,2018,2019
./doc/arm/notes.conf X 2015,2018
./doc/arm/notes.conf X 2015,2018,2019
./doc/arm/notes.html X 2014,2015,2016,2017,2018,2019
./doc/arm/notes.pdf X 2014,2015,2016,2017,2018,2019
./doc/arm/notes.txt X 2018,2019
......@@ -1531,7 +1535,7 @@
./doc/dev/coding.html HTML 1999,2000,2001,2002,2004,2007,2016,2018,2019
./doc/dev/cvs-usage TXT.BRIEF 2000,2001,2004,2016,2018,2019
./doc/dev/magic_numbers TXT.BRIEF 1999,2000,2001,2002,2004,2016,2018,2019
./doc/dev/rdata.md MKD 1999,2000,2001,2004,2007,2016,2017,2018
./doc/dev/rdata.md MKD 1999,2000,2001,2004,2007,2016,2017,2018,2019
./doc/dev/release TXT.BRIEF 2000,2001,2002,2003,2004,2005,2006,2007,2009,2014,2016,2018,2019
./doc/dev/results TXT.BRIEF 1999,2000,2001,2004,2016,2018,2019
./doc/dev/tests TXT.BRIEF 2000,2001,2004,2016,2018,2019
......@@ -1624,7 +1628,7 @@
./lib/dns/client.c C 2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019