1. 10 Jul, 2018 6 commits
    • Rework libidn2 detection · a0571d38
      Michał Kępień authored
      Clean up the parts of configure.in responsible for handling libidn2
      detection and adjust other pieces of the build system to match these
        - use pkg-config when --with-libidn2 is used without an explicit path,
        - look for idn2_to_ascii_lz() rather than idn2_to_ascii_8z() as the
          former is used in BIND while the latter is not,
        - do not look for idn2_to_unicode_8zlz() as it is present in all
          libidn2 versions which have idn2_to_ascii_lz(),
        - check whether the <idn2.h> header is usable,
        - set LDFLAGS in the Makefile for dig so that, if specified, the
          requested libidn2 path is used when linking with libidn2,
        - override CPPFLAGS when looking for libidn2 components so that the
          configure script does not produce warnings when libidn2 is not
          installed system-wide,
        - merge the AS_CASE() call into the AS_IF() call below it to simplify
        - indicate the default value of --with-libidn2 in "./configure --help"
        - use $with_libidn2 rather than $use_libidn2 to better match the name
          of the configure script argument,
        - stop differentiating between IDN "in" and "out" support, i.e. make
          dig either support libidn2 or not; remove WITH_* Autoconf macros and
          use a new one, HAVE_LIBIDN2, to determine whether libidn2 support
          should be enabled.
    • Merge branch 'fix-synth-from-dnssec-dname-handling' into 'master' · f02e3c4b
      Witold Krecicki authored
      Don't synthesize NXDOMAIN from NSEC for records under a DNAME.
      Closes #386
      See merge request !481
    • the presence of a DNAME record proves that the name does not exist in the zone... · 8ef23f9f
      Mark Andrews authored
      the presence of a DNAME record proves that the name does not exist in the zone, but as we don't want to use that for NXDOMAIN, return DNS_R_DNAME from dns_nsec_noexistnodata
    • Merge branch '402-memory-leak-found-in-file-fuzz-c-in-bind-9-12-1-p2' into 'master' · cd0e7df6
      Mark Andrews authored
      Resolve "Memory Leak found in file 'fuzz.c' in BIND-9.12.1-P2"
      Closes #402
      See merge request !488
    • free rbuf · ecb2f203
      Mark Andrews authored
  2. 03 Jul, 2018 9 commits
  3. 02 Jul, 2018 3 commits
  4. 30 Jun, 2018 5 commits
  5. 28 Jun, 2018 17 commits
    • Merge branch 'fix-win32' into 'master' · 8d9196be
      Evan Hunt authored
      add missing symbols for windows build
      See merge request !454
    • add missing symbols · b529de91
      Evan Hunt authored
    • Merge branch '33-implement-mirror-zones' into 'master' · 8ccd8f4f
      Michał Kępień authored
      Implement mirror zones
      Closes #33
      See merge request !329
    • Add CHANGES entry · 6f719b48
      Michał Kępień authored
      4985.	[func]		Add a new slave zone option, "mirror", to enable
      			serving a non-authoritative copy of a zone that
      			is subject to DNSSEC validation before being
      			used.  For now, this option is only meant to
      			facilitate deployment of an RFC 7706-style local
      			copy of the root zone. [GL #33]
    • Add a release note · 92ae05e1
      Michał Kępień authored
    • Add documentation for mirror zones · dbe6a1a0
      Michał Kępień authored
      Update the ARM and various option lists with information about the
      "mirror" option for slave zones.
    • Make "rndc zonestatus" output for mirror zones different than for regular slave zones · 73d64de7
      Michał Kępień authored
      Replace "type: slave" with "type: mirror" in "rndc zonestatus" output
      for mirror zones in order to enable the user to tell a regular slave
      zone and a mirror zone apart.
    • Disable notifies for mirror zones unless also-notify is used · dd30f53e
      Michał Kępień authored
      Since the mirror zone feature is expected to mostly be used for the root
      zone, prevent slaves from sending NOTIFY messages for mirror zones by
      default.  Retain the possibility to use "also-notify" as it might be
      useful in certain cases.
    • Disable outgoing mirror zone transfers by default · 3af412c0
      Michał Kępień authored
      As mirror zone data should be treated the way validated, cached DNS
      responses are, outgoing mirror zone transfers should be disabled unless
      they are explicitly enabled by zone configuration.
    • Treat mirror zone data as cache data for access control purposes · c3f3b824
      Michał Kępień authored
      As mirror zone data should be treated the way validated, cached DNS
      responses are, it should not be used when responding to clients who are
      not allowed cache access.  Reuse code responsible for determining cache
      database access for evaluating mirror zone access.
    • Rework query_checkcacheaccess() · 18ced942
      Michał Kępień authored
      Modify query_checkcacheaccess() so that it only contains a single return
      statement rather than three and so that the "check_acl" variable is no
      longer needed.  Tweak and expand comments.  Fix coding style issues.
    • Simplify query_getcachedb() · cde16236
      Michał Kępień authored
      Modify query_getcachedb() so that it uses a common return path for both
      success and failure.  Remove a redundant NULL check since 'db' will
      never be NULL after being passed as a target pointer to dns_db_attach().
      Fix coding style issues.
    • Extract cache access checks in query_getcachedb() to a separate function · e9f17da6
      Michał Kępień authored
      Extract the parts of query_getcachedb() responsible for checking whether
      the client is allowed to access the cache to a separate function, so
      that it can be reused for determining mirror zone access.
    • Fall back to normal recursion when mirror zone data is unavailable · 8d996fd7
      Michał Kępień authored
      If transferring or loading a mirror zone fails, resolution should still
      succeed by means of falling back to regular recursive queries.
      Currently, though, if a slave zone is present in the zone table and not
      loaded, a SERVFAIL response is generated.  Thus, mirror zones need
      special handling in this regard.
      Add a new dns_zt_find() flag, DNS_ZTFIND_MIRROR, and set it every time a
      domain name is looked up rather than a zone itself.  Handle that flag in
      dns_zt_find() in such a way that a mirror zone which is expired or not
      yet loaded is ignored when looking up domain names, but still possible
      to find when the caller wants to know whether the zone is configured.
      This causes a fallback to recursion when mirror zone data is unavailable
      without making unloaded mirror zones invisible to code checking a zone's
    • Ensure responses sourced from mirror zones have the AD bit set · e3160b27
      Michał Kępień authored
      Zone RRsets are assigned trust level "ultimate" upon load, which causes
      the AD bit to not be set in responses coming from slave zones, including
      mirror zones.  Make dns_zoneverify_dnssec() update the trust level of
      verified RRsets to "secure" so that the AD bit is set in such responses.
      No rollback mechanism is implemented as dns_zoneverify_dnssec() fails in
      case of any DNSSEC failure, which causes the mirror zone version being
      verified to be discarded.
    • Do not treat mirror zone data as authoritative · ad0ec2ea
      Michał Kępień authored
      Section 4 of RFC 7706 suggests that responses sourced from a local copy
      of a zone should not have the AA bit set.  Follow that recommendation by
      setting 'qctx->authoritative' to ISC_FALSE when a response to a query is
      coming from a mirror zone.
    • Ensure delegations inside mirror zones are properly handled for non-recursive queries · 179d5faa
      Michał Kępień authored
      When a resolver is a regular slave (i.e. not a mirror) for some zone,
      non-recursive queries for names below that slaved zone will return a
      delegation sourced from it.  This behavior is suboptimal for mirror
      zones as their contents should rather be treated as validated, cached
      DNS responses.  Modify query_delegation() and query_zone_delegation() to
      permit clients allowed cache access to check its contents for a better
      answer when responding to non-recursive queries.