1. 21 Feb, 2019 2 commits
  2. 29 Jan, 2019 1 commit
  3. 14 Jan, 2019 1 commit
  4. 19 Dec, 2018 1 commit
  5. 03 Dec, 2018 2 commits
  6. 19 Jul, 2018 1 commit
  7. 13 Jun, 2018 2 commits
  8. 31 May, 2018 1 commit
      update system tests so validation won't fail when using IANA key · a7a2fa29
      Evan Hunt authored
      - all tests with "recursion yes" now also specify "dnssec-validation yes",
        and all tests with "recursion no" also specify "dnssec-validation no".
        this must be maintained in all new tests, or else validation will fail
        when we use local root zones for testing.
      - clean.sh has been modified where necessary to remove managed-keys.bind
        and viewname.mkeys files.
  9. 16 May, 2018 1 commit
  10. 11 May, 2018 1 commit
  11. 16 Mar, 2018 1 commit
  12. 08 Mar, 2018 1 commit
      Fix a race between "rndc reconfig" and waiting for a ./DNSKEY fetch to complete · 012ca0a2
      Michał Kępień authored
      Calling nextpart() after reconfiguring ns1 is not safe, because the
      expected log message may appear in ns5/named.run before nextpart() is
      run.  With the TTL for ./DNSKEY set to 20 seconds, ns5 will refresh it
      after 10 seconds, by which time wait_for_log() will already have failed.
      This results in a false negative.
      
      However, just calling nextpart() before reconfiguring ns1 would
      introduce a different problem: if ns5 refreshed ./DNSKEY between these
      two steps, the subsequent wait_for_log() call would return immediately
      as it would come across the log message about a failure while refreshing
      ./DNSKEY instead of the expected success.  This in turn would result in
      a different false negative as the root key would still be uninitialized
      by the time "rndc secroots" is called.
      
      Prevent both kinds of false negatives by:
      
        - calling nextpart() before reconfiguring ns1, in order to prevent the
          first case described above,
      
        - looking for a more specific log message, in order to prevent the
          second case described above.
      
      Also look for a more specific log message in the first part of the
      relevant check, not to fix any problem, but just to emphasize that a
      different fetch result is expected in that case.
      
      With these tweaks in place, if a (failed) ./DNSKEY refresh is scheduled
      between nextpart() and reconfiguring ns1, wait_for_log() will just wait
      for two more seconds (one "hour"), at which point another refresh
      attempt will be made that will succeed.
  13. 23 Feb, 2018 2 commits
  14. 22 Feb, 2018 1 commit
  15. 27 Nov, 2017 1 commit
  16. 09 Nov, 2017 1 commit
  17. 30 Oct, 2017 2 commits
  18. 28 Oct, 2017 1 commit
  19. 27 Oct, 2017 1 commit
      [master] tag initializing keys · c9f8165a
      Evan Hunt authored
      4798.	[func]		Keys specified in "managed-keys" statements
      			are tagged as "initializing" until they have been
      			updated by a key refresh query. If initialization
      			fails it will be visible from "rndc secroots".
      			[RT #46267]
  20. 12 Oct, 2017 4 commits
  21. 11 Oct, 2017 1 commit
  22. 03 Oct, 2017 1 commit
      [master] rndc managed-keys destroy · 762dc8b8
      Evan Hunt authored
      4750.	[func]		"rndc managed-keys destroy" shuts down RFC 5011 key
      			maintenance and deletes the managed-keys database.
      			If followed by "rndc reconfig" or a server restart,
      			key maintenance is reinitialized from scratch.
      			This is primarily intended for testing. [RT #32456]
  23. 01 Sep, 2017 1 commit
  24. 31 Aug, 2017 1 commit
      [master] remove default algorithm in dnssec-keygen · 45afdb26
      Evan Hunt authored
      4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
      			the signing algorithm must be specified on
      			the command line with the "-a" option.  Signing
      			scripts that rely on the existing default behavior
      			will break; use "dnssec-keygen -a RSASHA1" to
      			repair them. (The goal of this change is to make
      			it easier to find scripts using RSASHA1 so they
      			can be changed in the event of that algorithm
      			being deprecated in the future.) [RT #44755]
  25. 27 Jun, 2017 1 commit
      [master] enhanced rfc 5011 logging · 0d90835d
      Evan Hunt authored
      4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
      			status of managed keys: newly observed keys,
      			deletion of revoked keys, etc. [RT #45354]
  26. 08 Jun, 2017 3 commits
  27. 24 Apr, 2017 1 commit
  28. 21 Apr, 2017 1 commit
  29. 05 Oct, 2016 1 commit
  30. 22 Jul, 2016 1 commit