  3. 28 Jun, 2018 30 commits
    • Merge branch 'fix-win32' into 'master' · 8d9196be
      Evan Hunt authored
      add missing symbols for windows build
      
      See merge request !454
    • add missing symbols · b529de91
      Evan Hunt authored
    • Merge branch '33-implement-mirror-zones' into 'master' · 8ccd8f4f
      Michał Kępień authored
      Implement mirror zones
      
      Closes #33
      
      See merge request !329
    • Add CHANGES entry · 6f719b48
      Michał Kępień authored
      4985.	[func]		Add a new slave zone option, "mirror", to enable
      			serving a non-authoritative copy of a zone that
      			is subject to DNSSEC validation before being
      			used.  For now, this option is only meant to
      			facilitate deployment of an RFC 7706-style local
      			copy of the root zone. [GL #33]
    • Add a release note · 92ae05e1
      Michał Kępień authored
    • Add documentation for mirror zones · dbe6a1a0
      Michał Kępień authored
      Update the ARM and various option lists with information about the
      "mirror" option for slave zones.
    • Make "rndc zonestatus" output for mirror zones different from that for regular slave zones · 73d64de7
      Michał Kępień authored
      Replace "type: slave" with "type: mirror" in "rndc zonestatus" output
      for mirror zones in order to enable the user to tell a regular slave
      zone and a mirror zone apart.
    • Disable notifies for mirror zones unless also-notify is used · dd30f53e
      Michał Kępień authored
      Since the mirror zone feature is expected to mostly be used for the root
      zone, prevent slaves from sending NOTIFY messages for mirror zones by
      default.  Retain the possibility to use "also-notify" as it might be
      useful in certain cases.
    • Disable outgoing mirror zone transfers by default · 3af412c0
      Michał Kępień authored
      As mirror zone data should be treated the way validated, cached DNS
      responses are, outgoing mirror zone transfers should be disabled unless
      they are explicitly enabled by zone configuration.
    • Treat mirror zone data as cache data for access control purposes · c3f3b824
      Michał Kępień authored
      As mirror zone data should be treated the way validated, cached DNS
      responses are, it should not be used when responding to clients who are
      not allowed cache access.  Reuse code responsible for determining cache
      database access for evaluating mirror zone access.
    • Rework query_checkcacheaccess() · 18ced942
      Michał Kępień authored
      Modify query_checkcacheaccess() so that it only contains a single return
      statement rather than three and so that the "check_acl" variable is no
      longer needed.  Tweak and expand comments.  Fix coding style issues.
    • Simplify query_getcachedb() · cde16236
      Michał Kępień authored
      Modify query_getcachedb() so that it uses a common return path for both
      success and failure.  Remove a redundant NULL check since 'db' will
      never be NULL after being passed as a target pointer to dns_db_attach().
      Fix coding style issues.
    • Extract cache access checks in query_getcachedb() to a separate function · e9f17da6
      Michał Kępień authored
      Extract the parts of query_getcachedb() responsible for checking whether
      the client is allowed to access the cache to a separate function, so
      that it can be reused for determining mirror zone access.
    • Fall back to normal recursion when mirror zone data is unavailable · 8d996fd7
      Michał Kępień authored
      If transferring or loading a mirror zone fails, resolution should still
      succeed by means of falling back to regular recursive queries.
      Currently, though, if a slave zone is present in the zone table and not
      loaded, a SERVFAIL response is generated.  Thus, mirror zones need
      special handling in this regard.
      
      Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
      domain name is looked up rather than a zone itself.  Handle that flag in
      dns_zt_find() in such a way that a mirror zone which is expired or not
      yet loaded is ignored when looking up domain names, but still possible
      to find when the caller wants to know whether the zone is configured.
      This causes a fallback to recursion when mirror zone data is unavailable
      without making unloaded mirror zones invisible to code checking a zone's
      existence.
    • Ensure responses sourced from mirror zones have the AD bit set · e3160b27
      Michał Kępień authored
      Zone RRsets are assigned trust level "ultimate" upon load, which causes
      the AD bit to not be set in responses coming from slave zones, including
      mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
      verified RRsets to "secure" so that the AD bit is set in such responses.
      No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
      case of any DNSSEC failure, which causes the mirror zone version being
      verified to be discarded.
    • Do not treat mirror zone data as authoritative · ad0ec2ea
      Michał Kępień authored
      Section 4 of RFC 7706 suggests that responses sourced from a local copy
      of a zone should not have the AA bit set.  Follow that recommendation by
      setting 'qctx->authoritative' to ISC_FALSE when a response to a query is
      coming from a mirror zone.
    • Ensure delegations inside mirror zones are properly handled for non-recursive queries · 179d5faa
      Michał Kępień authored
      When a resolver is a regular slave (i.e. not a mirror) for some zone,
      non-recursive queries for names below that slaved zone will return a
      delegation sourced from it.  This behavior is suboptimal for mirror
      zones as their contents should rather be treated as validated, cached
      DNS responses.  Modify query_delegation() and query_zone_delegation() to
      permit clients allowed cache access to check its contents for a better
      answer when responding to non-recursive queries.
    • Perform basic resolution checks with a mirror zone in use · c9accfde
      Michał Kępień authored
      Make ns3 mirror the "root" zone from ns1 and query the former for a
      properly signed record below the root.  Ensure ns1 is not queried during
      resolution and that the AD bit is set in the response.
    • Verify mirror zone journals · edbb256c
      Michał Kępień authored
      As mirror zone files are verified when they are loaded from disk, verify
      journal files as well to ensure invalid data is not used.  Reuse the
      journals generated during IXFR tests to test this.
    • Verify mirror zone files loaded from disk · befd4294
      Michał Kępień authored
      Verify data read from mirror zone files before it is used in order to
      prevent loading corrupt mirror zones from disk.
    • Verify mirror zone IXFRs · 6439a76c
      Michał Kępień authored
      Update ixfr_commit() so that all incoming versions of a mirror zone
      transferred using IXFR are verified before being used.
    • Verify mirror zone AXFRs · d86f1d00
      Michał Kępień authored
      Update axfr_commit() so that all incoming versions of a mirror zone
      transferred using AXFR are verified before being used.  If zone
      verification fails, discard the received version of the zone, wait until
      the next refresh and retry.
    • Add dns_zone_verifydb() · eaf1c0f6
      Michał Kępień authored
      Add a function for determining whether the supplied version of a mirror
      zone passes DNSSEC validation and is signed using a trusted key.  Define
      a new libdns result signifying a zone verification failure.
    • Enable dns_zoneverify_dnssec() to check whether the zone was signed by a trust anchor · fc3dd703
      Michał Kępień authored
      Extend check_dnskey_sigs() so that, if requested, it checks whether the
      DNSKEY RRset at zone apex is signed by at least one trust anchor.  The
      trust anchor table is passed as an argument to dns_zoneverify_dnssec()
      and passed around in the verification context structure.  Neither
      dnssec-signzone nor dnssec-verify are yet modified to make use of that
      feature, though.
    • Add a system test for mirror zones · f86f314d
      Michał Kępień authored
      Create the basic files comprising a system test and define a few helper
      functions which will be useful when testing mirror zones.
    • Implement a "read-only" version of nextpart() · facb68b2
      Michał Kępień authored
      The system test helper function nextpart() always updates the "lines
      read so far" marker ("<file>.prev") when it is called, which somewhat
      limits its flexibility.  Add two new helper functions, nextpartpeek()
      and nextpartreset(), so that certain parts of log files can be easily
      examined more than once.  Add some documentation to help understand the
      purpose of each function in the nextpart*() family.
    • Add new "mirror" slave zone option · 49201f10
      Michał Kępień authored
      Add a new slave-only boolean configuration option, "mirror", along with
      its corresponding dns_zoneopt_t enum and a helper function for checking
      whether that option was set for a given zone.  This commit does not
      introduce any behavior changes yet.
    • Merge branch '339-issues-with-large-journal-entries' into 'master' · be38c1f0
      Evan Hunt authored
      Fix handling of large journal entries.
      
      Closes #339
      
      See merge request !432
    • CHANGES, release note · 2aee33f4
      Evan Hunt authored