1. 03 Mar, 2020 1 commit
  2. 27 Feb, 2020 1 commit
  3. 21 Feb, 2020 1 commit
  4. 21 Jan, 2020 1 commit
  5. 08 Jan, 2020 1 commit
  6. 07 Jan, 2020 1 commit
    • Mark Andrews's avatar
      Address timing issues in 'inline' system test. · 13fa80ed
      Mark Andrews authored
      "rndc signing -serial <value>" could take longer than a second to
      complete.  Loop waiting for update to succeed.
      
      For tests where "rndc signing -serial <value>" is supposed to not
      succeed, repeatedly test that we don't get the new serial, then
      test that we have the old value.  This should prevent false negatives.
      13fa80ed
  7. 26 Jun, 2019 1 commit
  8. 19 Mar, 2019 1 commit
  9. 25 Jan, 2019 1 commit
    • Evan Hunt's avatar
      fix inline test · 2ae3c975
      Evan Hunt authored
      use regex instead of exact string matching, to deal with CR at end of ine
      2ae3c975
  10. 19 Dec, 2018 1 commit
  11. 03 Dec, 2018 2 commits
  12. 05 Oct, 2018 1 commit
  13. 24 Aug, 2018 1 commit
    • Michał Kępień's avatar
      Prevent a race in the "inline" system test · e36c869e
      Michał Kępień authored
      A short time window exists between logging the addition of an NSEC3PARAM
      record to a zone and committing it to the current version of the zone
      database.  If a query arrives during such a time window, an unsigned
      response will be returned.  One of the checks in the "inline" system
      test requires NSEC3 records to be present in an answer - that check
      would fail in the case described above.  Use rndc instead of log
      watching for checking whether zone signing and NSEC3 chain modifications
      are complete in order to prevent intermittent "inline" system test
      failures.
      e36c869e
  14. 22 Aug, 2018 2 commits
    • Michał Kępień's avatar
      Fix reloading inline-signed zones · 54315839
      Michał Kępień authored
      While "rndc reload" causes dns_zone_asyncload() to be called for the
      signed version of an inline-signed zone, the subsequent zone_load() call
      causes the raw version to be reloaded from storage.  This means that
      DNS_ZONEFLG_LOADPENDING gets set for the signed version of the zone by
      dns_zone_asyncload() before the reload is attempted, but zone_postload()
      is only called for the raw version and thus DNS_ZONEFLG_LOADPENDING is
      cleared for the raw version, but not for the signed version.  This in
      turn prevents zone maintenance from happening for the signed version of
      the zone.
      
      Until commit 29b7efdd, this problem
      remained dormant because DNS_ZONEFLG_LOADPENDING was previously
      immediately, unconditionally cleared after zone loading was started
      (whereas it should only be cleared when zone loading is finished or an
      error occurs).  This behavior caused other issues [1] and thus had to be
      changed.
      
      Fix reloading inline-signed zones by clearing DNS_ZONEFLG_LOADPENDING
      for the signed version of the zone once the raw version reload
      completes.  Take care not to clear it prematurely during initial zone
      load.  Also make sure that DNS_ZONEFLG_LOADPENDING gets cleared when
      zone_postload() encounters an error or returns early, to prevent other
      scenarios from resulting in the same problem.  Add comments aiming to
      help explain code flow.
      
      [1] see RT #47076
      54315839
    • Michał Kępień's avatar
      Set DNS_JOURNALOPT_RESIGN when loading the secure journal for an inline-signed zone · 8db550c4
      Michał Kępień authored
      When an inline-signed zone is loaded, the master file for its signed
      version is loaded and then a rollforward of the journal for the signed
      version of the zone is performed.  If DNS_JOURNALOPT_RESIGN is not set
      during the latter phase, signatures loaded from the journal for the
      signed version of the zone will not be scheduled for refresh.  Fix the
      conditional expression determining which flags should be used for the
      dns_journal_rollforward() call so that DNS_JOURNALOPT_RESIGN is set when
      zone_postload() is called for the signed version of an inline-signed
      zone.
      
      Extend bin/tests/system/stop.pl so that it can use "rndc halt" instead
      of "rndc stop" as the former allows master file flushing upon shutdown
      to be suppressed.
      8db550c4
  15. 14 Aug, 2018 1 commit
    • Michał Kępień's avatar
      Queue "rndc signing -nsec3param ..." requests if needed · cb40c522
      Michał Kępień authored
      If "rndc signing -nsec3param ..." is ran for a zone which has not yet
      been loaded or transferred (i.e. its "db" field is NULL), it will be
      silently ignored by named despite rndc logging an "nsec3param request
      queued" message, which is misleading.  Prevent this by keeping a
      per-zone queue of NSEC3PARAM change requests which arrive before a zone
      is loaded or transferred and processing that queue once the raw version
      of an inline-signed zone becomes available.
      cb40c522
  16. 05 Jun, 2018 1 commit
  17. 16 May, 2018 1 commit
  18. 25 Apr, 2018 1 commit
    • Michał Kępień's avatar
      Apply raw zone deltas to yet unsigned secure zones · 6acf3269
      Michał Kępień authored
      When inline signing is enabled for a zone without creating signing keys
      for it, changes subsequently applied to the raw zone will not be
      reflected in the secure zone due to the dns_update_signaturesinc() call
      inside receive_secure_serial() failing.  Given that an inline zone will
      be served (without any signatures) even with no associated signing keys
      being present, keep applying raw zone deltas to the secure zone until
      keys become available in an attempt to follow the principle of least
      astonishment.
      6acf3269
  19. 23 Feb, 2018 1 commit
  20. 22 Feb, 2018 1 commit
  21. 03 Jan, 2018 2 commits
  22. 06 Dec, 2017 1 commit
  23. 04 Dec, 2017 1 commit
  24. 03 Dec, 2017 1 commit
  25. 18 Sep, 2017 1 commit
  26. 13 Sep, 2017 1 commit
  27. 01 Sep, 2017 1 commit
  28. 31 Aug, 2017 1 commit
    • Evan Hunt's avatar
      [master] remove default algorithm in dnssec-keygen · 45afdb26
      Evan Hunt authored
      4594.	[func]		dnssec-keygen no longer uses RSASHA1 by default;
      			the signing algorithm must be specified on
      			the command line with the "-a" option.  Signing
      			scripts that rely on the existing default behavior
      			will break; use "dnssec-keygen -a RSASHA1" to
      			repair them. (The goal of this change is to make
      			it easier to find scripts using RSASHA1 so they
      			can be changed in the event of that algorithm
      			being deprecated in the future.) [RT #44755]
      45afdb26
  29. 27 Jun, 2016 1 commit
  30. 14 Jun, 2016 2 commits
  31. 21 Nov, 2014 1 commit
  32. 17 Nov, 2014 1 commit
  33. 21 Oct, 2014 1 commit
  34. 04 Sep, 2014 1 commit
    • Evan Hunt's avatar
      [master] servfail cache · a8783019
      Evan Hunt authored
      3943.	[func]		SERVFAIL responses can now be cached for a
      			limited time (configured by "servfail-ttl",
      			default 10 seconds, limit 30). This can reduce
      			the frequency of retries when an authoritative
      			server is known to be failing, e.g., due to
      			ongoing DNSSEC validation problems. [RT #21347]
      a8783019
  35. 27 Jun, 2014 1 commit
  36. 21 Jan, 2014 1 commit
    • Evan Hunt's avatar
      [master] testcrypto.sh in system tests · d58e33bf
      Evan Hunt authored
      3714.	[test]		System tests that need to test for cryptography
      			support before running can now use a common
      			"testcrypto.sh" script to do so. [RT #35213]
      d58e33bf