1. 07 Nov, 2019 2 commits
  2. 06 Nov, 2019 10 commits
      dnssec-policy inheritance from options/view · 5f464d15
      Matthijs Mekking authored
      'dnssec-policy' can now also be set on the options and view level and
      a zone that does not set 'dnssec-policy' explicitly will inherit it
      from the view or options level.
      
      This requires a new keyword to be introduced: 'none'.  If set to
      'none' the zone will not be DNSSEC maintained, in other words it will
      stay unsigned.  You can use this to break the inheritance.  Of course
      you can also break the inheritance by referring to a different
      policy.
      
      The keywords 'default' and 'none' are not allowed when configuring
      your own dnssec-policy statement.
      
      Add appropriate tests for checking the configuration (checkconf)
      and add tests to the kasp system test to verify the inheritance
      works.
      
      Edit the kasp system test such that it can deal with unsigned zones
      and views (so setting a TSIG on the query).
      Add kasp tests · c9f1ec83
      Matthijs Mekking authored
      Add more tests for kasp:
      
      - Add tests for different algorithms.
      
      - Add a test to ensure that an edit in an unsigned zone is
        picked up and properly signed.
      
      - Add two tests that ensure that a zone gets signed when it is
        configured as so-called 'inline-signing'.  In other words, a
        secondary zone that is configured with a 'dnssec-policy'.  A zone
        that is transferred over AXFR or IXFR will get signed.
      
      - Add a test to ensure signatures are reused if they are still
        fresh enough.
      
      - Add two more tests to verify that expired and unfresh signatures
        will be regenerated.
      
      - Add tests for various cases with keys already available in the
        key-directory.
      Introduce keymgr in named · 7e7aa538
      Matthijs Mekking authored
      Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
      will run a key manager on the matching keys.  This will do a couple
      of things:
      
      1. Create keys when needed (in case of rollover for example)
         according to the set policy.
      
      2. Retire keys that are in excess of the policy.
      
      3. Maintain key states according to "Flexible and Robust Key
         Rollover" [1]. After the key manager has run, key files will be
         saved to disk.
      
         [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
      
      KEY GENERATION
      
      Create keys according to DNSSEC policy.  Zones configured with
      'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
      to dnssec-keymgr) if not available.
      
      KEY ROLLOVER
      
      Rather than determining the desired state from timing metadata,
      add a key state goal.  Any keys that are created or picked from the
      key ring and selected to be a successor have their key state goal set
      to OMNIPRESENT (this key wants to be signing!). At the same time,
      a key that is being retired has its key state goal set to HIDDEN.
      
      The keymgr state machine with the three rules will make sure no
      introduction or withdrawal of DNSSEC records happens too soon.
      
      KEY TIMINGS
      
      All timings are based on RFC 7583.
      
      The keymgr will return when the next action is happening so
      that the zone can set the proper rekey event. Prior to this change
      the rekey event would run every hour by default (configurable),
      but with kasp we can determine exactly when we need to run again.
      
      The prepublication time is derived from policy.
      dnssec-keygen can create keys given dnssec-policy · 09ac224c
      Matthijs Mekking authored
      This commit adds code for generating keys with dnssec-keygen given
      a specific dnssec-policy.
      
      The dnssec-policy can be set with a new option '-k'. The '-l'
      option can be used to set a configuration file that contains a
      specific dnssec-policy.
      
      Because the dnssec-policy dictates what the keys should look like,
      many of the existing dnssec-keygen options cannot be used together
      with '-k'.
      
      If the dnssec-policy lists multiple keys, dnssec-keygen now has the
      possibility to generate multiple keys at one run.
      
      Add two tests for creating keys with '-k': One with the default
      policy, one with multiple keys from the configuration.
      Add code for creating kasp from config · 7bfac503
      Matthijs Mekking authored
      Add code for creating, configuring, and destroying KASP keys.  When
      using the default policy, create one CSK, no rollover.
      Introduce kasp structure · e9ccebd9
      Matthijs Mekking authored
      This stores the dnssec-policy configuration and adds methods to
      create, destroy, and attach/detach, as well as find a policy with
      the same name in a list.
      
      Also, add structures and functions for creating and destroying
      kasp keys.
      Introduce dnssec-policy configuration · a50d707f
      Matthijs Mekking authored
      This commit introduces the initial `dnssec-policy` configuration
      statement. It has an initial set of options to deal with signature
      and key maintenance.
      
      Add some checks to ensure that dnssec-policy is configured at the
      right locations, and that policies referenced in zone statements
      actually exist.
      
      Add some checks that when a user adds the new `dnssec-policy`
      configuration, it will no longer contain existing DNSSEC
      configuration options.  Specifically: `inline-signing`,
      `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
      `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
      and `sig-validity-interval`.
      
      Test a good kasp configuration, and some bad configurations.
      Design documentation 'dnssec-policy' · 1fbd8bb1
      Matthijs Mekking authored
      Initial design document.
      Extend ttlval to accept ISO 8601 durations · b7c5bfb2
      Matthijs Mekking authored
      The ttlval configuration types are replaced by duration configuration
      types. The duration is an ISO 8601 duration that is going to be used
      for DNSSEC key timings such as key lifetimes, signature resign
      intervals and refresh periods, etc. But it is also still allowed to
      use the BIND ttlval ways of configuring intervals (number plus
      optional unit).
      
      A duration is stored as an array of 7 different time parts.
      A duration can either be expressed in weeks, or in a combination of
      the other datetime indicators.
      
      Add several unit tests to ensure the correct value is parsed given
      different string values.
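To make the duration syntax the commit above describes concrete, here is an added example written for this page (not code from BIND 9 or from the commit): a parser that accepts an ISO 8601 duration, enforces the rule that weeks cannot be combined with the other designators, stores the result as seven parts in the order years, months, weeks, days, hours, minutes, seconds, and also accepts the legacy ttlval form of a number with an optional unit. The type and function names, the 32-bit size of each part, and the conversion factors of 365 days per year and 30 days per month are assumptions made for the example, not taken from the commit.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Seven parts in the order years, months, weeks, days, hours, minutes, seconds. */
enum { DUR_Y, DUR_MO, DUR_W, DUR_D, DUR_H, DUR_MI, DUR_S, DUR_NPARTS };

/* iso8601 is true for "P..." syntax, false for a ttlval (example assumption: 32 bits per part). */
typedef struct { bool iso8601; uint32_t parts[DUR_NPARTS]; } duration_t;

/* Read a decimal number at *p and advance past it; refuse values over UINT32_MAX. */
static bool read_u32(const char **p, uint32_t *out) {
	const char *s = *p; uint64_t v = 0;
	if (!isdigit((unsigned char)*s)) return false;
	while (isdigit((unsigned char)*s)) {
		v = v * 10 + (uint64_t)(*s++ - '0');
		if (v > UINT32_MAX) return false;
	}
	*out = (uint32_t)v; *p = s;
	return true;
}

/* ISO 8601: PnYnMnDTnHnMnS with designators in order and at most once, or PnW
 * on its own. 'M' means months before the 'T' and minutes after it. */
static bool parse_iso8601(const char *s, duration_t *d) {
	bool in_time = false; unsigned seen = 0; int last = -1;
	if (*s++ != 'P') return false;
	while (*s != '\0') {
		uint32_t n; int idx;
		if (*s == 'T') {
			if (in_time || s[1] == '\0') return false; /* "PT", "P1DT" */
			in_time = true; s++;
			continue;
		}
		if (!read_u32(&s, &n)) return false;
		switch (*s++) {
		case 'Y': idx = DUR_Y; break;
		case 'M': idx = in_time ? DUR_MI : DUR_MO; break;
		case 'W': idx = DUR_W; break;
		case 'D': idx = DUR_D; break;
		case 'H': idx = DUR_H; break;
		case 'S': idx = DUR_S; break;
		default: return false;
		}
		if ((idx <= DUR_D) == in_time) return false; /* date part after T, or time part before it */
		if (idx <= last) return false;               /* repeated or out of order */
		last = idx; seen |= 1u << idx; d->parts[idx] = n;
	}
	if (seen == 0) return false;                                       /* bare "P" */
	if ((seen & (1u << DUR_W)) && seen != (1u << DUR_W)) return false; /* weeks are exclusive */
	d->iso8601 = true;
	return true;
}

/* Legacy BIND ttlval: a number with an optional unit suffix (s, m, h, d, w; any case). */
static bool parse_ttlval(const char *s, duration_t *d) {
	uint32_t n; uint64_t mult;
	if (!read_u32(&s, &n)) return false;
	switch (tolower((unsigned char)*s)) {
	case '\0': mult = 1; break;
	case 's': mult = 1; s++; break;
	case 'm': mult = 60; s++; break;
	case 'h': mult = 3600; s++; break;
	case 'd': mult = 86400; s++; break;
	case 'w': mult = 604800; s++; break;
	default: return false;
	}
	if (*s != '\0' || (uint64_t)n * mult > UINT32_MAX) return false;
	d->parts[DUR_S] = (uint32_t)(n * mult);
	return true;
}

bool duration_parse(const char *str, duration_t *d) {
	memset(d, 0, sizeof(*d));
	return (str[0] == 'P') ? parse_iso8601(str, d) : parse_ttlval(str, d);
}

/* Total seconds; assumes 365-day years and 30-day months (example convention). */
uint64_t duration_seconds(const duration_t *d) {
	static const uint64_t unit[DUR_NPARTS] = { 31536000, 2592000, 604800, 86400, 3600, 60, 1 };
	uint64_t total = 0;
	for (int i = 0; i < DUR_NPARTS; i++) total += (uint64_t)d->parts[i] * unit[i];
	return total;
}

/* Total seconds for a string, or -1 if it is not a valid duration. */
int64_t parse_seconds(const char *str) {
	duration_t d;
	return duration_parse(str, &d) ? (int64_t)duration_seconds(&d) : -1;
}

/* One part (DUR_Y..DUR_S) of a parsed string, or -1 if the string is invalid. */
int64_t parse_part(const char *str, int idx) {
	duration_t d;
	return duration_parse(str, &d) ? (int64_t)d.parts[idx] : -1;
}
```

The ordering, repetition and overflow checks are the part worth copying into any real config parser: a value such as `P1M1M`, `P1H` (an hour with no `T`) or `P1W2D` is rejected rather than silently misread, and a number that does not fit in 32 bits is refused instead of wrapping, so a malformed named.conf value cannot quietly become an absurdly short or long key lifetime or signature validity.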
      Added TCP high-water system tests · 29be224a
      Diego dos Santos Fronza authored
      Note: ans6/ans6.py is a helper script that allows tests.sh to open/close
      TCP connections to some BIND instance.
  3. 04 Oct, 2019 1 commit
  4. 16 Sep, 2019 1 commit
      Replace the OASIS PKCS#11 header file with one from p11-kit · c47fad24
      Ondřej Surý authored
      The OASIS pkcs11.h header has a restrictive license.  Replace the
      pkcs11.h, pkcs11f.h and pkcs11t.h headers with pkcs11.h from p11-kit.
      
      For source distribution, the license for the OASIS headers themselves
      doesn't pose any licensing problem when combined with the MPL license,
      but it possibly creates problems for downstream distributors of BIND 9.
  5. 12 Sep, 2019 1 commit
  6. 03 Sep, 2019 1 commit
  7. 29 Aug, 2019 1 commit
  8. 27 Aug, 2019 1 commit
  9. 25 Aug, 2019 1 commit
  10. 09 Aug, 2019 3 commits
      update docbook grammar, removing dnssec-lookaside · 02d95d0b
      Evan Hunt authored
      - this required modification to the code that generates grammar text for
        the documentation, because the "dnssec-lookaside" option spanned more
        than one line in doc/misc/options, so grepping out only the lines
        marked "// obsolete" didn't remove the whole option.  this commit adds
        an option to cfg_test to print named.conf clauses only if they don't
        have the obsolete, ancient, test-only, or not-yet-implemented flags
        set.
      remove DLV system tests · 2c87ab1c
      Evan Hunt authored
      remove DLV support from dnssec-checkds · 0b2b6b2e
      Evan Hunt authored
  11. 31 Jul, 2019 1 commit
      The BIND 9 libraries are now internal-only, so remove isc-config.sh · 4b44351e
      Ondřej Surý authored
      The isc-config.sh script was introduced before pkg-config and is a purely
      historical thing.  There are two reasons for the removal of the isc-config.sh script:
      
      a) The BIND 9 libraries are now meant to be used only from BIND 9, so there's no
         reason to provide convenience script to link with the libraries.
      
      b) Even if that was not the case, we should and would replace the isc-config.sh
         with respective pkg-config (.pc) file for every library.
  12. 12 Jul, 2019 1 commit
  13. 09 Jul, 2019 1 commit
  14. 04 Jul, 2019 1 commit
  15. 28 Jun, 2019 1 commit
      dnstap-read: clear buffer before expanding it · 3549abe8
      Michał Kępień authored
      When printing a packet, dnstap-read checks whether its text form takes
      up more than the 2048 bytes allocated for the output buffer by default.
      If that is the case, the output buffer is automatically expanded, but
      the truncated output is left in the buffer, resulting in malformed data
      being printed.  Clear the output buffer before expanding it to prevent
      this issue from occurring.
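The buffer bug the commit above describes can be modelled in a few lines of C. This is an added example for this page, not dnstap-read's code: a growable text buffer into which a record's text form is appended, an initial size deliberately too small for the constructed sample record, and one print routine with two modes, the pre-fix behaviour that re-renders into the enlarged buffer without clearing it and the fixed behaviour that clears it first. The buffer type, the sample record fields and the 16-byte initial size are assumptions of the example (the real tool's default is 2048 bytes, as the commit says).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal growable text buffer (example only; stands in for the tool's output buffer). */
typedef struct {
	char *data;
	size_t size;   /* allocated bytes, including the terminator */
	size_t used;   /* bytes of text currently in the buffer */
} textbuf_t;

static void textbuf_init(textbuf_t *b, size_t size) {
	b->data = calloc(size, 1);
	if (b->data == NULL) abort();
	b->size = size;
	b->used = 0;
}

/* Append as much of 's' as fits; return false when the output had to be truncated. */
static bool textbuf_append(textbuf_t *b, const char *s) {
	size_t len = strlen(s), room = b->size - b->used - 1;
	size_t n = len < room ? len : room;
	memcpy(b->data + b->used, s, n);
	b->used += n;
	b->data[b->used] = '\0';
	return n == len;
}

/* Enlarge the buffer; realloc keeps whatever text is already in it. */
static void textbuf_grow(textbuf_t *b, size_t size) {
	char *p = realloc(b->data, size);
	if (p == NULL) abort();
	b->data = p;
	b->size = size;
}

/* Render one record's text form as "<header> <question>". */
static bool render(textbuf_t *b, const char *header, const char *question) {
	bool ok = textbuf_append(b, header);
	ok = textbuf_append(b, " ") && ok;
	ok = textbuf_append(b, question) && ok;
	return ok;
}

/* Print a record into a buffer of 'initial' bytes. If the text does not fit, grow
 * the buffer and render again. With clear_first == false this is the pre-fix
 * behaviour: the truncated prefix stays in front of the full text, so the printed
 * line is malformed. The returned string is malloc'd and must be freed by the caller. */
char *print_record(const char *header, const char *question, size_t initial, bool clear_first) {
	textbuf_t b;
	textbuf_init(&b, initial);
	if (!render(&b, header, question)) {
		size_t needed = strlen(header) + 1 + strlen(question);
		textbuf_grow(&b, b.used + needed + 1);
		if (clear_first) {        /* the fix: discard the truncated output first */
			b.used = 0;
			b.data[0] = '\0';
		}
		render(&b, header, question);
	}
	return b.data;
}

/* Constructed sample record, longer than the 16-byte initial buffer used below. */
static const char SAMPLE_HEADER[] = "10:20:30.000 CQ 192.0.2.1 UDP";
static const char SAMPLE_QUESTION[] = "example.com. IN A";
enum { SAMPLE_INITIAL = 16 };

/* Length of the printed sample, pre-fix (clear_first = false) or fixed (true). */
size_t sample_output_len(bool clear_first) {
	char *s = print_record(SAMPLE_HEADER, SAMPLE_QUESTION, SAMPLE_INITIAL, clear_first);
	size_t n = strlen(s);
	free(s);
	return n;
}

/* True when the printed sample is exactly "<header> <question>". */
bool sample_output_is_exact(bool clear_first) {
	char expected[128];
	snprintf(expected, sizeof(expected), "%s %s", SAMPLE_HEADER, SAMPLE_QUESTION);
	char *s = print_record(SAMPLE_HEADER, SAMPLE_QUESTION, SAMPLE_INITIAL, clear_first);
	bool same = strcmp(s, expected) == 0;
	free(s);
	return same;
}

int main(void) {
	char *buggy = print_record(SAMPLE_HEADER, SAMPLE_QUESTION, SAMPLE_INITIAL, false);
	char *fixed = print_record(SAMPLE_HEADER, SAMPLE_QUESTION, SAMPLE_INITIAL, true);
	printf("before fix: %s\nafter fix:  %s\n", buggy, fixed);
	free(buggy);
	free(fixed);
	return 0;
}
```

With the 16-byte initial buffer the first render keeps the 15-character prefix "10:20:30.000 CQ"; the pre-fix path then appends the complete 47-character record behind it, printing 62 characters that begin with a duplicated timestamp, while the fixed path prints exactly the 47-character record. The general lesson is the same as in the commit: when a buffer is reused after a failed or partial write, reset its fill position before writing again, or the stale partial output becomes part of the result.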
  16. 27 Jun, 2019 2 commits
      add geoip2 system test · 9a1caf99
      Evan Hunt authored
      add a search for GeoIP2 libraries in configure · fea6b5bf
      Evan Hunt authored
      - "--with-geoip" is used to enable the legacy GeoIP library.
      - "--with-geoip2" is used to enable the new GeoIP2 library
        (libmaxminddb), and is on by default if the library is found.
      - using both "--with-geoip" and "--with-geoip2" at the same time
        is an error.
      - an attempt is made to determine the default GeoIP2 database path at
        compile time if pkg-config is able to report the module prefix. if
        this fails, it will be necessary to set the path in named.conf with
        geoip-directory
      - Makefiles have been updated, and a stub lib/dns/geoip2.c has been
        added for the eventual GeoIP2 search implementation.
  17. 25 Jun, 2019 3 commits
      Make the usage of json-c objects opaque to the caller · e3e68889
      Ondřej Surý authored
      The json-c has previously leaked into the global namespace leading
      to forced -I<include_path> for every compilation unit using isc/xml.h
      header.  This MR fixes the usage making the caller object opaque.
      Make the usage of libxml2 opaque to the caller · 0771dd3b
      Ondřej Surý authored
      The libxml2 has previously leaked into the global namespace leading
      to forced -I<include_path> for every compilation unit using isc/xml.h
      header.  This MR fixes the usage making the caller object opaque.
      Add tests for DNSSEC sign statistics · a8750a88
      Matthijs Mekking authored
      This adds tests to the statschannel system test for testing if
      the dnskey sign operation counters are incremented correctly.
      
      It tests three cases:
      
      1. A zone maintenance event where all the signatures that are about
         to expire are resigned.
      2. A dynamic update event where the new RR and other relevant records
         (SOA, NSEC) are resigned.
      3. Adding a standby key, that means the DNSKEY and SOA RRset are
         resigned.
  18. 20 Jun, 2019 1 commit
      Merge unix/app.c and win32/app.c · 5098c954
      Ondřej Surý authored
      The differences between the two files are very minimal and most of the
      code is common.  Merge those two files and use #ifdef WIN32 to include
      the right bits on Windows.
  19. 05 Jun, 2019 1 commit
      update documentation · 3853b3cf
      Evan Hunt authored
      - change references to trusted-keys to dnssec-keys with static-key
      - rebuild doc/misc/options and other generated grammar doc
      - add a "see MANAGED-KEYS" note when building named.conf.docbook
  20. 30 May, 2019 1 commit
  21. 20 May, 2019 2 commits
  22. 13 May, 2019 1 commit
  23. 09 May, 2019 1 commit
      dns_rdata_fromwire_text fuzzer · 8ffdf675
      Mark Andrews authored
      Fuzz input to dns_rdata_fromwire(). Then convert the result
      to text, back to wire format, to multiline text, and back to wire
      format again, checking for consistency throughout the sequence.
  24. 06 May, 2019 1 commit
      enable parallel system tests on windows · bbae24c1
      Evan Hunt authored
      this moves the creation of "parallel.mk" into a separate shell script
      instead of bin/tests/system/Makefile. that shell script can now be
      executed by runall.sh, allowing us to make use of the cygwin "make"
      command, which supports parallel execution.