1. 10 Jul, 2018 4 commits
  2. 03 Jul, 2018 9 commits
  3. 02 Jul, 2018 3 commits
  4. 30 Jun, 2018 5 commits
  5. 28 Jun, 2018 19 commits
    • Merge branch 'fix-win32' into 'master' · 8d9196be
      Evan Hunt authored
      add missing symbols for windows build
      
      See merge request !454
    • add missing symbols · b529de91
      Evan Hunt authored
    • Merge branch '33-implement-mirror-zones' into 'master' · 8ccd8f4f
      Michał Kępień authored
      Implement mirror zones
      
      Closes #33
      
      See merge request !329
    • Add CHANGES entry · 6f719b48
      Michał Kępień authored
      4985.	[func]		Add a new slave zone option, "mirror", to enable
      			serving a non-authoritative copy of a zone that
      			is subject to DNSSEC validation before being
      			used.  For now, this option is only meant to
      			facilitate deployment of an RFC 7706-style local
      			copy of the root zone. [GL #33]
    • Add a release note · 92ae05e1
      Michał Kępień authored
    • Add documentation for mirror zones · dbe6a1a0
      Michał Kępień authored
      Update the ARM and various option lists with information about the
      "mirror" option for slave zones.
    • Make "rndc zonestatus" output for mirror zones different than for regular slave zones · 73d64de7
      Michał Kępień authored
      Replace "type: slave" with "type: mirror" in "rndc zonestatus" output
      for mirror zones in order to enable the user to tell a regular slave
      zone and a mirror zone apart.
    • Disable notifies for mirror zones unless also-notify is used · dd30f53e
      Michał Kępień authored
      Since the mirror zone feature is expected to mostly be used for the root
      zone, prevent slaves from sending NOTIFY messages for mirror zones by
      default.  Retain the possibility to use "also-notify" as it might be
      useful in certain cases.
    • Disable outgoing mirror zone transfers by default · 3af412c0
      Michał Kępień authored
      As mirror zone data should be treated the way validated, cached DNS
      responses are, outgoing mirror zone transfers should be disabled unless
      they are explicitly enabled by zone configuration.
    • Treat mirror zone data as cache data for access control purposes · c3f3b824
      Michał Kępień authored
      As mirror zone data should be treated the way validated, cached DNS
      responses are, it should not be used when responding to clients who are
      not allowed cache access.  Reuse code responsible for determining cache
      database access for evaluating mirror zone access.
    • Rework query_checkcacheaccess() · 18ced942
      Michał Kępień authored
      Modify query_checkcacheaccess() so that it only contains a single return
      statement rather than three and so that the "check_acl" variable is no
      longer needed.  Tweak and expand comments.  Fix coding style issues.
    • Simplify query_getcachedb() · cde16236
      Michał Kępień authored
      Modify query_getcachedb() so that it uses a common return path for both
      success and failure.  Remove a redundant NULL check since 'db' will
      never be NULL after being passed as a target pointer to dns_db_attach().
      Fix coding style issues.
    • Extract cache access checks in query_getcachedb() to a separate function · e9f17da6
      Michał Kępień authored
      Extract the parts of query_getcachedb() responsible for checking whether
      the client is allowed to access the cache to a separate function, so
      that it can be reused for determining mirror zone access.
    • Fall back to normal recursion when mirror zone data is unavailable · 8d996fd7
      Michał Kępień authored
      If transferring or loading a mirror zone fails, resolution should still
      succeed by means of falling back to regular recursive queries.
      Currently, though, if a slave zone is present in the zone table and not
      loaded, a SERVFAIL response is generated.  Thus, mirror zones need
      special handling in this regard.
      
      Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
      domain name is looked up rather than a zone itself.  Handle that flag in
      dns_zt_find() in such a way that a mirror zone which is expired or not
      yet loaded is ignored when looking up domain names, but still possible
      to find when the caller wants to know whether the zone is configured.
      This causes a fallback to recursion when mirror zone data is unavailable
      without making unloaded mirror zones invisible to code checking a zone's
      existence.
    • Ensure responses sourced from mirror zones have the AD bit set · e3160b27
      Michał Kępień authored
      Zone RRsets are assigned trust level "ultimate" upon load, which causes
      the AD bit to not be set in responses coming from slave zones, including
      mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
      verified RRsets to "secure" so that the AD bit is set in such responses.
      No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
      case of any DNSSEC failure, which causes the mirror zone version being
      verified to be discarded.
    • Do not treat mirror zone data as authoritative · ad0ec2ea
      Michał Kępień authored
      Section 4 of RFC 7706 suggests that responses sourced from a local copy
      of a zone should not have the AA bit set.  Follow that recommendation by
      setting 'qctx->authoritative' to ISC_FALSE when a response to a query is
      coming from a mirror zone.
    • Ensure delegations inside mirror zones are properly handled for non-recursive queries · 179d5faa
      Michał Kępień authored
      When a resolver is a regular slave (i.e. not a mirror) for some zone,
      non-recursive queries for names below that slaved zone will return a
      delegation sourced from it.  This behavior is suboptimal for mirror
      zones as their contents should rather be treated as validated, cached
      DNS responses.  Modify query_delegation() and query_zone_delegation() to
      permit clients allowed cache access to check its contents for a better
      answer when responding to non-recursive queries.
    • Perform basic resolution checks with a mirror zone in use · c9accfde
      Michał Kępień authored
      Make ns3 mirror the "root" zone from ns1 and query the former for a
      properly signed record below the root.  Ensure ns1 is not queried during
      resolution and that the AD bit is set in the response.
    • Verify mirror zone journals · edbb256c
      Michał Kępień authored
      As mirror zone files are verified when they are loaded from disk, verify
      journal files as well to ensure invalid data is not used.  Reuse the
      journals generated during IXFR tests to test this.