1. 05 Nov, 2019 1 commit
  2. 29 Oct, 2019 1 commit
      Disable NSEC Aggressive Cache (synth-from-dnssec) by default · a20c42dc
      Ondřej Surý authored
      It was found that NSEC Aggressive Caching has a significant performance impact
      on BIND 9 when used as a recursor.  This commit disables the synth-from-dnssec
      configuration option by default to provide an immediate remedy for people running
      BIND 9.12+.  The NSEC Aggressive Cache will be enabled again after a proper fix
      is prepared.
  3. 12 Sep, 2019 1 commit
  4. 06 Sep, 2019 1 commit
  5. 23 Jul, 2019 1 commit
  6. 21 Jul, 2019 1 commit
      Add new default siphash24 cookie algorithm, but keep AES as legacy · a912f313
      Ondřej Surý authored
      This commit changes the BIND cookie algorithms to match
      draft-sury-toorop-dnsop-server-cookies-00.  Namely, it changes the Client Cookie
      algorithm to use SipHash 2-4, adds the new Server Cookie algorithm using SipHash
      2-4, and changes the default for the Server Cookie algorithm to be siphash24.
      
      Add siphash24 cookie algorithm, and make it keep legacy aes as
  7. 04 Jul, 2019 1 commit
  8. 27 Jun, 2019 1 commit
      add a search for GeoIP2 libraries in configure · fea6b5bf
      Evan Hunt authored
      - "--with-geoip" is used to enable the legacy GeoIP library.
      - "--with-geoip2" is used to enable the new GeoIP2 library
        (libmaxminddb), and is on by default if the library is found.
      - using both "--with-geoip" and "--with-geoip2" at the same time
        is an error.
      - an attempt is made to determine the default GeoIP2 database path at
        compile time if pkg-config is able to report the module prefix. if
        this fails, it will be necessary to set the path in named.conf with
        geoip-directory
      - Makefiles have been updated, and a stub lib/dns/geoip2.c has been
        added for the eventual GeoIP2 search implementation.
  9. 17 Jun, 2019 1 commit
  10. 05 Jun, 2019 2 commits
      "dnssec-keys" is now a synonym for "managed-keys" · 821f041d
      Evan Hunt authored
      - managed-keys is now deprecated as well as trusted-keys, though
        it continues to work as a synonym for dnssec-keys
      - references to managed-keys have been updated throughout the code.
      - tests have been updated to use dnssec-keys format
      - also the trusted-keys entries have been removed from the generated
        bind.keys.h file and are no longer generated by bindkeys.pl.
      Remove `cleaning-interval` remnants. · a9dca583
      Tony Finch authored
      Since 2008, the cleaning-interval timer has been documented as
      "effectively obsolete" and disabled in the default configuration with
      a comment saying "now meaningless".
      
      This change deletes all the code that implements the cleaning-interval
      timer, except for the config parser in which it is now explicitly
      marked as obsolete.
      
      I have verified (using the deletelru and deletettl cache stats) that
      named still cleans the cache after this change.
  11. 15 Mar, 2019 1 commit
  12. 08 Mar, 2019 1 commit
  13. 24 Jan, 2019 1 commit
  14. 06 Dec, 2018 1 commit
      add a parser to filter-aaaa.so and pass in the parameters · 9911c835
      Evan Hunt authored
      - make some cfg-parsing functions global so they can be run
        from filter-aaaa.so
      - add filter-aaaa options to the hook module's parser
      - mark filter-aaaa options in named.conf as obsolete, remove
        from named and checkconf, and update the filter-aaaa test not to
        use checkconf anymore
      - remove filter-aaaa-related struct members from dns_view
  15. 14 Nov, 2018 1 commit
  16. 08 Nov, 2018 1 commit
  17. 24 Oct, 2018 2 commits
      Define a default master server list for the root zone · 2c69734b
      Michał Kępień authored
      To minimize the effort required to set up IANA root zone mirroring,
      define a default master server list for the root zone and use it when
      that zone is to be mirrored and no master server list was explicitly
      specified.  Contents of that list are taken from RFC 7706 and are
      subject to change in future releases.
      
      Since the static get_masters_def() function in bin/named/config.c does
      exactly what named_zone_configure() in bin/named/zoneconf.c needs to do,
      make the former non-static and use it in the latter to prevent code
      duplication.
      Define a separate dns_zonetype_t for mirror zones · e1bb8de6
      Michał Kępień authored
      Rather than overloading dns_zone_slave and discerning between a slave
      zone and a mirror zone using a zone option, define a separate enum
      value, dns_zone_mirror, to be used exclusively by mirror zones.  Update
      code handling slave zones to ensure it also handles mirror zones where
      applicable.
  18. 08 Aug, 2018 1 commit
  19. 19 Jul, 2018 1 commit
  20. 26 Jun, 2018 1 commit
  21. 19 Jun, 2018 1 commit
  22. 12 Jun, 2018 3 commits
  23. 08 Jun, 2018 2 commits
  24. 31 May, 2018 1 commit
      Set "dnssec-validation auto" by default · bef18eca
      Evan Hunt authored
      - the default setting for dnssec-validation is now "auto", which
        activates DNSSEC validation using the IANA root key.  The old behavior
        can be restored by explicitly setting "dnssec-validation yes", which
        activates DNSSEC validation only if keys are explicitly
        configured in named.conf.
      - the ARM has been updated to describe the new behavior
  25. 16 May, 2018 1 commit
      Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API. · 3a4f820d
      Ondřej Surý authored
      The three functions have been modeled after the arc4random family of
      functions, and they will always return random bytes.
      
      The isc_random family of functions internally uses these CSPRNGs (if available):
      
      1. getrandom() libc call (might be available on Linux and Solaris)
      2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
      3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
      4. crypto library function:
      4a. RAND_bytes in the case of OpenSSL
      4b. pkcs_C_GenerateRandom() in the case of a PKCS#11 library
  26. 03 May, 2018 1 commit
  27. 20 Apr, 2018 1 commit
  28. 18 Apr, 2018 1 commit
  29. 23 Feb, 2018 1 commit
  30. 15 Dec, 2017 1 commit
  31. 25 Oct, 2017 1 commit
  32. 03 Oct, 2017 1 commit
      [master] de-DLV · f2935929
      Evan Hunt authored
      4749.	[func]		The ISC DLV service has been shut down, and all
      			DLV records have been removed from dlv.isc.org.
      			- Removed references to ISC DLV in documentation
      			- Removed DLV key from bind.keys
      			- No longer use ISC DLV by default in delv
      			[RT #46155]
  33. 28 Sep, 2017 1 commit
      [master] completed and corrected the crypto-random change · 24172bd2
      Evan Hunt authored
      4724.	[func]		By default, BIND now uses the random number
      			functions provided by the crypto library (i.e.,
      			OpenSSL or a PKCS#11 provider) as a source of
      			randomness rather than /dev/random.  This is
      			suitable for virtual machine environments
      			which have limited entropy pools and lack
      			hardware random number generators.
      
      			This can be overridden by specifying another
      			entropy source via the "random-device" option
      			in named.conf, or via the -r command line option;
      			however, for functions requiring full cryptographic
      			strength, such as DNSSEC key generation, this
      			cannot be overridden. In particular, the -r
      			command line option no longer has any effect on
      			dnssec-keygen.
      
      			This can be disabled by building with
      			"configure --disable-crypto-rand".
      			[RT #31459] [RT #46047]
  34. 19 Sep, 2017 1 commit
  35. 08 Sep, 2017 1 commit
      [master] add libns and remove liblwres · 8eb88aaf
      Evan Hunt authored
      4708.	[cleanup]	Legacy Windows builds (i.e. for XP and earlier)
      			are no longer supported. [RT #45186]
      
      4707.	[func]		The lightweight resolver daemon and library (lwresd
      			and liblwres) have been removed. [RT #45186]
      
      4706.	[func]		Code implementing name server query processing has
      			been moved from bin/named to a new library "libns".
      			Functions remaining in bin/named are now prefixed
      			with "named_" rather than "ns_".  This will make it
      			easier to write unit tests for name server code, or
      			link name server functionality into new tools.
      			[RT #45186]