1. 05 Sep, 2018 1 commit
  2. 03 Sep, 2018 1 commit
  3. 28 Aug, 2018 3 commits
  4. 14 Aug, 2018 1 commit
    • Evan Hunt's avatar
      option to disable validation under specified names · eaac2057
      Evan Hunt authored
      - added new 'validate-except' option, which configures an NTA with
        expiry of 0xffffffff.  NTAs with that value in the expiry field do not
        expire, are are not written out when saving the NTA table and are not
        dumped by rndc secroots
      eaac2057
  5. 08 Aug, 2018 2 commits
  6. 19 Jul, 2018 1 commit
  7. 11 Jul, 2018 1 commit
  8. 10 Jul, 2018 2 commits
  9. 03 Jul, 2018 1 commit
  10. 28 Jun, 2018 5 commits
    • Michał Kępień's avatar
      Fall back to normal recursion when mirror zone data is unavailable · 8d996fd7
      Michał Kępień authored
      If transferring or loading a mirror zone fails, resolution should still
      succeed by means of falling back to regular recursive queries.
      Currently, though, if a slave zone is present in the zone table and not
      loaded, a SERVFAIL response is generated.  Thus, mirror zones need
      special handling in this regard.
      
      Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
      domain name is looked up rather than a zone itself.  Handle that flag in
      dns_zt_find() in such a way that a mirror zone which is expired or not
      yet loaded is ignored when looking up domain names, but still possible
      to find when the caller wants to know whether the zone is configured.
      This causes a fallback to recursion when mirror zone data is unavailable
      without making unloaded mirror zones invisible to code checking a zone's
      existence.
      8d996fd7
    • Michał Kępień's avatar
      Ensure responses sourced from mirror zones have the AD bit set · e3160b27
      Michał Kępień authored
      Zone RRsets are assigned trust level "ultimate" upon load, which causes
      the AD bit to not be set in responses coming from slave zones, including
      mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
      verified RRsets to "secure" so that the AD bit is set in such responses.
      No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
      case of any DNSSEC failure, which causes the mirror zone version being
      verified to be discarded.
      e3160b27
    • Michał Kępień's avatar
      Add dns_zone_verifydb() · eaf1c0f6
      Michał Kępień authored
      Add a function for determining whether the supplied version of a mirror
      zone passes DNSSEC validation and is signed using a trusted key.  Define
      a new libdns result signifying a zone verification failure.
      eaf1c0f6
    • Michał Kępień's avatar
      Enable dns_zoneverify_dnssec() to check whether the zone was signed by a trust anchor · fc3dd703
      Michał Kępień authored
      Extend check_dnskey_sigs() so that, if requested, it checks whether the
      DNSKEY RRset at zone apex is signed by at least one trust anchor.  The
      trust anchor table is passed as an argument to dns_zoneverify_dnssec()
      and passed around in the verification context structure.  Neither
      dnssec-signzone nor dnssec-verify are yet modified to make use of that
      feature, though.
      fc3dd703
    • Michał Kępień's avatar
      Add new "mirror" slave zone option · 49201f10
      Michał Kępień authored
      Add a new slave-only boolean configuration option, "mirror", along with
      its corresponding dns_zoneopt_t enum and a helper function for checking
      whether that option was set for a given zone.  This commit does not
      introduce any behavior changes yet.
      49201f10
  11. 15 Jun, 2018 5 commits
    • Michał Kępień's avatar
      Propagate dns_zoneverify_dnssec() errors to callers · 24bca1c4
      Michał Kępień authored
      Since exit() is no longer called upon any dns_zoneverify_dnssec() error,
      verification failures should be signalled to callers.  Make
      dns_zoneverify_dnssec() return an isc_result_t and handle both success
      and error appropriately in bin/dnssec/dnssec-signzone.c and
      bin/dnssec/dnssec-verify.c.  This enables memory leak detection during
      shutdown of these tools and causes dnssec-signzone to print signing
      statistics even when zone verification fails.
      24bca1c4
    • Michał Kępień's avatar
      Implement zoneverify_log_error() and zoneverify_print() · d949a5d8
      Michał Kępień authored
      These functions will be used in the process of replacing fatal(),
      check_result(), and fprintf() calls throughout lib/dns/zoneverify.c with
      code that does not call exit().  They are intended for:
      
        - zoneverify_log_error(): logging problems encountered while
          performing zone verification,
      
        - zoneverify_print(): printing status messages and reports which are
          only useful in standalone tools.
      
      To make using dns_zone_logv() possible, add a new "zone" argument to
      dns_zoneverify_dnssec() that standalone tools are expected to set to
      NULL.
      d949a5d8
    • Michał Kępień's avatar
      Rename verifyzone() to dns_zoneverify_dnssec() · 7554e8d2
      Michał Kępień authored
      This makes the function's name match the naming convention used for
      libdns functions.
      7554e8d2
    • Michał Kępień's avatar
      Move verifyzone() and its dependencies into lib/dns/zoneverify.c · 3a14450d
      Michał Kępień authored
      This commit only moves code around, with the following exceptions:
      
        - the check_dns_dbiterator_current() macro and functions
          is_delegation() and has_dname() were removed from
          bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
          bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
          functions are used both by the code in bin/dnssec/dnssec-signzone.c
          and verifyzone(), but are not a good fit for being exported by a
          code module responsible for zone verification,
      
        - fatal() and check_result() were duplicated in lib/dns/zoneverify.c
          as static functions which do not use the "program" variable any more
          (as it is only set by the tools in bin/dnssec/); this is a temporary
          step which only aims to prevent compilation from breaking - these
          duplicate functions will be removed once lib/dns/zoneverify.c is
          refactored not to use them,
      
        - the list of header files included by lib/dns/zoneverify.c was
          expanded to encompass all header files that are actually used by the
          code in that file,
      
        - a description of the purpose of the commented out "fields" inside
          struct nsec3_chain_fixed was added.
      3a14450d
    • Mark Andrews's avatar
  12. 12 Jun, 2018 4 commits
  13. 11 Jun, 2018 1 commit
    • Michał Kępień's avatar
      Add dns_zone_logv() · bb2dfb3f
      Michał Kępień authored
      Add a new libdns function, dns_zone_logv(), which takes a single va_list
      argument rather than a variable number of arguments and can be used as a
      base for implementing more specific zone logging functions.
      bb2dfb3f
  14. 05 Jun, 2018 2 commits
  15. 25 May, 2018 2 commits
    • Evan Hunt's avatar
      remove #ifndef DNS_RBT_USEHASH from rbtdb.c · 7fbffa6c
      Evan Hunt authored
      - this was a compile time option to disable the use of a hash table in
        the RBTDB. the code path without the hash table was buggy and
        untested, and unlikely to be needed by anyone anyway.
      7fbffa6c
    • Evan Hunt's avatar
      remove the experimental authoritative ECS support from named · e3244493
      Evan Hunt authored
      - mark the 'geoip-use-ecs' option obsolete; warn when it is used
        in named.conf
      - prohibit 'ecs' ACL tags in named.conf; note that this is a fatal error
        since simply ignoring the tags could make ACLs behave unpredictably
      - re-simplify the radix and iptable code
      - clean up dns_acl_match(), dns_aclelement_match(), dns_acl_allowed()
        and dns_geoip_match() so they no longer take ecs options
      - remove the ECS-specific unit and system test cases
      - remove references to ECS from the ARM
      e3244493
  16. 18 May, 2018 1 commit
  17. 16 May, 2018 1 commit
    • Ondřej Surý's avatar
      Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API. · 3a4f820d
      Ondřej Surý authored
      The three functions has been modeled after the arc4random family of
      functions, and they will always return random bytes.
      
      The isc_random family of functions internally use these CSPRNG (if available):
      
      1. getrandom() libc call (might be available on Linux and Solaris)
      2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
      3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
      4. crypto library function:
      4a. RAND_bytes in case OpenSSL
      4b. pkcs_C_GenerateRandom() in case PKCS#11 library
      3a4f820d
  18. 11 May, 2018 1 commit
  19. 20 Apr, 2018 3 commits
  20. 18 Apr, 2018 1 commit
  21. 09 Apr, 2018 1 commit