1. 27 Jun, 2014 1 commit
  2. 26 Jun, 2014 1 commit
  3. 24 Jun, 2014 1 commit
  4. 18 Jun, 2014 1 commit
    • [master] complete NTA work · b8a96323
      Evan Hunt authored
      3882.	[func]		By default, negative trust anchors will be tested
      			periodically to see whether data below them can be
      			validated, and if so, they will be allowed to
      			expire early. The "rndc nta -force" option
      			overrides this behavior.  The default NTA lifetime
      			and the recheck frequency can be configured by the
      			"nta-lifetime" and "nta-recheck" options. [RT #36146]
  5. 30 May, 2014 1 commit
    • [master] rndc nta · 0cfb2473
      Evan Hunt authored
      3867.	[func]		"rndc nta" can now be used to set a temporary
      			negative trust anchor, which disables DNSSEC
      			validation below a specified name for a specified
      			period of time (not exceeding 24 hours).  This
      			can be used when validation for a domain is known
      			to be failing due to a configuration error on
      			the part of the domain owner rather than a
      			spoofing attack. [RT #29358]
  6. 01 May, 2014 1 commit
  7. 30 Apr, 2014 1 commit
  8. 29 Apr, 2014 1 commit
  9. 23 Apr, 2014 1 commit
  10. 07 Apr, 2014 2 commits
  11. 04 Apr, 2014 1 commit
  12. 12 Mar, 2014 1 commit
  13. 11 Mar, 2014 1 commit
    • [master] auto-generate salt · 62258ada
      Evan Hunt authored
      3781.	[func]		Specifying "auto" as the salt when using
      			"rndc signing -nsec3param" causes named to
      			generate a 64-bit salt at random. [RT #35322]
  14. 19 Feb, 2014 3 commits
    • [master] max-zone-ttl · 35f6a21f
      Evan Hunt authored
      3746.	[func]		New "max-zone-ttl" option enforces maximum
      			TTLs for zones. If loading a zone containing a
      			higher TTL, the load fails. DDNS updates with
      			higher TTLs are accepted but the TTL is truncated.
      			(Note: Currently supported for master zones only;
      			inline-signing slaves will be added.) [RT #38405]
    • 3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              clients.
      
                              SIT use an experimental EDNS option code (65001).
      
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default in Windows.
      
                              RRL processing has been updated to know about SIT with
                              legitimate clients not being rate limited. [RT #35389]
  15. 16 Feb, 2014 3 commits
  16. 21 Jan, 2014 1 commit
    • [master] testcrypto.sh in system tests · d58e33bf
      Evan Hunt authored
      3714.	[test]		System tests that need to test for cryptography
      			support before running can now use a common
      			"testcrypto.sh" script to do so. [RT #35213]
  17. 14 Jan, 2014 2 commits
  18. 13 Dec, 2013 1 commit
  19. 11 Dec, 2013 2 commits
    • typo · 4e1d84a3
      Evan Hunt authored
    • [master] dnssec-signzone -Q · 0bbe3273
      Evan Hunt authored
      3686.	[func]		"dnssec-signzone -Q" drops signatures from keys
      			that are still published but no longer active.
      			[RT #34990]
  20. 18 Sep, 2013 1 commit
  21. 04 Sep, 2013 2 commits
  22. 15 Aug, 2013 1 commit
  23. 12 Aug, 2013 2 commits
  24. 12 Jun, 2013 1 commit
  25. 10 Apr, 2013 1 commit
  26. 04 Apr, 2013 1 commit
  27. 03 Apr, 2013 1 commit
  28. 21 Mar, 2013 1 commit
  29. 20 Mar, 2013 1 commit
    • [master] add dnssec-coverage tool · 831f59eb
      Evan Hunt authored
      3528.	[func]		New "dnssec-coverage" command scans the timing
      			metadata for a set of DNSSEC keys and reports if a
      			lapse in signing coverage has been scheduled
      			inadvertently. (Note: This tool depends on python;
      			it will not be built or installed on systems that
      			do not have a python interpreter.) [RT #28098]
  30. 23 Jan, 2013 1 commit
    • [master] fix incorrect nsec3 check · 9a0dd99a
      Evan Hunt authored
          - check for NSEC3 in empty nodes when not due to optout delegations
          - fixed typo in output ("Bad record NSEC record")
          - incidentally fixed an error in signzone that caused an
            incorrect warning about missing DNSKEYs when using -S
            and -3 together
      
      3473.	[bug]		dnssec-signzone/verify could incorrectly report
      			an error condition due to an empty node above an
      			opt-out delegation lacking an NSEC3. [RT #32072]
  31. 10 Jan, 2013 1 commit