1. 21 Jan, 2015 1 commit
    • [master] add TCP pipelining support · 761d135e
      Evan Hunt authored
      4040.	[func]		Added server-side support for pipelined TCP
      			queries. TCP connections are no longer closed after
      			the first query received from a client. (The new
      			"keep-response-order" option allows clients to be
      			specified for which the old behavior will still be
      			used.) [RT #37821]
  2. 16 Dec, 2014 1 commit
  3. 24 Nov, 2014 1 commit
  4. 19 Nov, 2014 1 commit
  5. 18 Nov, 2014 1 commit
    • [master] limit recursion depth and iterative queries · 3230429e
      Evan Hunt authored
      4006.	[security]	A flaw in delegation handling could be exploited
      			to put named into an infinite loop.  This has
      			been addressed by placing limits on the number
      			of levels of recursion named will allow (default 7),
      			and the number of iterative queries that it will
      			send (default 50) before terminating a recursive
      			query (CVE-2014-8500).
      
      			The recursion depth limit is configured via the
      			"max-recursion-depth" option.  [RT #35780]
  6. 29 Sep, 2014 1 commit
  7. 04 Sep, 2014 1 commit
    • [master] servfail cache · a8783019
      Evan Hunt authored
      3943.	[func]		SERVFAIL responses can now be cached for a
      			limited time (configured by "servfail-ttl",
      			default 10 seconds, limit 30). This can reduce
      			the frequency of retries when an authoritative
      			server is known to be failing, e.g., due to
      			ongoing DNSSEC validation problems. [RT #21347]
  8. 29 Aug, 2014 1 commit
    • [master] ECS authoritative support · d46855ca
      Evan Hunt authored
      3936.	[func]		Added authoritative support for the EDNS Client
      			Subnet (ECS) option.
      
      			ACLs can now include "ecs" elements which specify
      			an address or network prefix; if an ECS option is
      			included in a DNS query, then the address encoded
      			in the option will be matched against "ecs" ACL
      			elements.
      
      			Also, if an ECS address is included in a query,
      			then it will be used instead of the client source
      			address when matching "geoip" ACL elements.  This
      			behavior can be overridden with "geoip-use-ecs no;".
      
      			When "ecs" or "geoip" ACL elements are used to
      			select a view for a query, the response will include
      			an ECS option to indicate which client network the
      			answer is valid for.
      
      			(Thanks to Vincent Bernat.) [RT #36781]
  9. 06 Aug, 2014 1 commit
  10. 18 Jun, 2014 1 commit
    • [master] complete NTA work · b8a96323
      Evan Hunt authored
      3882.	[func]		By default, negative trust anchors will be tested
      			periodically to see whether data below them can be
      			validated, and if so, they will be allowed to
      			expire early. The "rndc nta -force" option
      			overrides this behavior.  The default NTA lifetime
      			and the recheck frequency can be configured by the
      			"nta-lifetime" and "nta-recheck" options. [RT #36146]
  11. 19 Feb, 2014 1 commit
    • 3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              clients.
      
                              SIT use an experimental EDNS option code (65001).
      
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default in Windows.
      
                              RRL processing has been updated to know about SIT with
                              legitimate clients not being rate limited. [RT #35389]
  12. 16 Feb, 2014 1 commit
    • [master] delve · 1d761cb4
      Evan Hunt authored
      3741.	[func]		"delve" (domain entity lookup and validation engine):
      			A new tool with dig-like semantics for performing DNS
      			lookups, with internal DNSSEC validation, using the
      			same resolver and validator logic as named. This
      			allows easy validation of DNSSEC data in environments
      			with untrustworthy resolvers, and assists with
      			troubleshooting of DNSSEC problems. (Note: not yet
      			available on win32.) [RT #32406]
  13. 07 Feb, 2014 1 commit
  14. 12 Jan, 2014 1 commit
  15. 09 Jan, 2014 2 commits
  16. 03 Jun, 2013 1 commit
  17. 30 Apr, 2013 1 commit
  18. 19 Apr, 2013 1 commit
  19. 23 Mar, 2013 1 commit
  20. 22 Mar, 2013 1 commit
    • [master] add DSCP support · 67adc03e
      Evan Hunt authored
      3535.	[func]		Add support for setting Differentiated Services Code
      			Point (DSCP) values in named.  Most configuration
      			options which take a "port" option (e.g.,
      			listen-on, forwarders, also-notify, masters,
      			notify-source, etc) can now also take a "dscp"
      			option specifying a code point for use with
      			outgoing traffic, if supported by the underlying
      			OS. [RT #27596]
  21. 20 Mar, 2013 1 commit
  22. 27 Feb, 2013 2 commits
  23. 25 Feb, 2013 1 commit
    • [master] DNS RRL · 55e5c51e
      Evan Hunt authored
      3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
      			amplification attacks by rate-limiting substantially-
      			identical responses. [RT #28130]
  24. 08 Dec, 2012 1 commit
    • 3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialise · 6f7abb89
      Mark Andrews authored
                              buffers with constant data. [RT #32064]
      
      Squashed commit of the following:
      
      commit 3433b96bf11f8c90ccbe412f01d02a6d8bbc2d33
      Author: Mark Andrews <marka@isc.org>
      Date:   Sat Dec 8 12:41:16 2012 +1100
      
          isc_buffer_init -> isc_buffer_constinit
      
      commit c22dbcc1122a0a44f7b46068e0ccbc25353a57d5
      Author: Mark Andrews <marka@isc.org>
      Date:   Sat Dec 8 12:38:39 2012 +1100
      
          isc_buffer_init -> isc_buffer_constinit
      
      commit 900820416c45c1887d0d22d7a010df60a903bd56
      Author: Mark Andrews <marka@isc.org>
      Date:   Sat Dec 8 12:24:19 2012 +1100
      
          remove isc_buffer_reconstinit
      
      commit f815711c17b05f9961786a90b9bae902d3c01494
      Author: Mark Andrews <marka@isc.org>
      Date:   Wed Dec 5 15:42:57 2012 +1100
      
          add isc_buffer_constinit
  25. 26 Sep, 2012 1 commit
  26. 14 Jun, 2012 1 commit
  27. 08 Jun, 2012 1 commit
  28. 14 May, 2012 1 commit
    • merged filter-aaaa-on-v6 (ATT SoW) · d878b8d8
      Evan Hunt authored
      3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
      			to 'filter-aaaa-on-v4' but applies to IPv6
      			connections.  (Use "configure --enable-filter-aaaa"
      			to enable this option.)  [RT #27308]
  29. 06 Jan, 2012 2 commits
  30. 30 Aug, 2011 2 commits
  31. 01 Jul, 2011 1 commit
  32. 23 May, 2011 1 commit
  33. 29 Apr, 2011 1 commit
    • 3102. [func] New 'dnssec-loadkeys-interval' option configures · 39f2d1a9
      Evan Hunt authored
      			how often, in minutes, to check the key repository
      			for updates when using automatic key maintenance.
      			Default is every 60 minutes (formerly hard-coded
      			to 12 hours). [RT #23744]
      
      3101.	[bug]		Zones using automatic key maintenance could fail
      			to check the key repository for updates. [RT #23744]
  34. 23 Feb, 2011 1 commit
  35. 03 Feb, 2011 2 commits