1. 25 Oct, 2018 2 commits
  2. 24 Oct, 2018 2 commits
    • Michał Kępień's avatar
      Replace the "mirror" zone option with "type mirror;" · 2cb9e8a0
      Michał Kępień authored
      Use a zone's 'type' field instead of the value of its DNS_ZONEOPT_MIRROR
      option for checking whether it is a mirror zone.  This makes said zone
      option and its associated helper function, dns_zone_mirror(), redundant,
      so remove them.  Remove a check specific to mirror zones from
      named_zone_reusable() since another check in that function ensures that
      changing a zone's type prevents it from being reused during
      reconfiguration.
      2cb9e8a0
    • Michał Kępień's avatar
      Define a separate dns_zonetype_t for mirror zones · e1bb8de6
      Michał Kępień authored
      Rather than overloading dns_zone_slave and discerning between a slave
      zone and a mirror zone using a zone option, define a separate enum
      value, dns_zone_mirror, to be used exclusively by mirror zones.  Update
      code handling slave zones to ensure it also handles mirror zones where
      applicable.
      e1bb8de6
  3. 23 Oct, 2018 1 commit
  4. 22 Oct, 2018 1 commit
    • Ondřej Surý's avatar
      Add support for enabling and enforcing FIPS mode in OpenSSL: · c4cee27f
      Ondřej Surý authored
      * Add configure option --enable-fips-mode that detects and enables FIPS mode
      * Add a function to enable FIPS mode and call it on crypto init
      * Log an OpenSSL error when FIPS_mode_set() fails and exit
      * Report FIPS mode status in a separate log message from named
      c4cee27f
  5. 18 Oct, 2018 1 commit
  6. 05 Oct, 2018 1 commit
  7. 03 Oct, 2018 1 commit
  8. 28 Sep, 2018 1 commit
  9. 10 Sep, 2018 2 commits
  10. 28 Aug, 2018 2 commits
  11. 24 Aug, 2018 1 commit
    • Michał Kępień's avatar
      Log a message when "ixfr-from-differences" is set for an inline-signed zone · 087157d1
      Michał Kępień authored
      For inline-signed zones, the value of "ixfr-from-differences" is
      hardcoded to:
      
        - "yes" for the raw version of the zone,
        - "no" for the signed version of the zone.
      
      In other words, any user-provided "ixfr-from-differences" setting is
      effectively ignored for an inline-signed zone.  Ensure the user is aware
      of that by adding a note to the ARM and logging a message when an
      "ixfr-from-differences" option is found at the zone level.
      087157d1
  12. 16 Aug, 2018 1 commit
  13. 14 Aug, 2018 1 commit
    • Evan Hunt's avatar
      option to disable validation under specified names · eaac2057
      Evan Hunt authored
      - added new 'validate-except' option, which configures an NTA with
        expiry of 0xffffffff.  NTAs with that value in the expiry field do not
        expire, are are not written out when saving the NTA table and are not
        dumped by rndc secroots
      eaac2057
  14. 08 Aug, 2018 3 commits
  15. 02 Aug, 2018 1 commit
  16. 27 Jul, 2018 1 commit
  17. 19 Jul, 2018 2 commits
    • Ondřej Surý's avatar
      Make OpenSSL mandatory · c3b8130f
      Ondřej Surý authored
      c3b8130f
    • Michał Kępień's avatar
      Fix handling of TAT sending failures · 8666f8d2
      Michał Kępień authored
      dns_view_zonecut() may associate the dns_rdataset_t structure passed to
      it even if it returns a result different then ISC_R_SUCCESS.  Not
      handling this properly may cause a reference leak.  Fix by ensuring
      'nameservers' is cleaned up in all relevant failure modes.
      8666f8d2
  18. 11 Jul, 2018 2 commits
    • Michał Kępień's avatar
      Send upstream TAT queries for locally served zones · a7657dc1
      Michał Kępień authored
      Trying to resolve a trust anchor telemetry query for a locally served
      zone does not cause upstream queries to be sent as the response is
      determined just by consulting local data.  Work around this issue by
      calling dns_view_findzonecut() first in order to determine the NS RRset
      for a given domain name and then passing the zone cut found to
      dns_resolver_createfetch().
      
      Note that this change only applies to TAT queries generated by the
      resolver itself, not to ones received from downstream resolvers.
      a7657dc1
    • Michał Kępień's avatar
      Extract TAT QNAME preparation to a separate function · 127810e5
      Michał Kępień authored
      Extract the part of dotat() reponsible for preparing the QNAME for a TAT
      query to a separate function in order to limit the number of local
      variables used by each function and improve code readability.
      
      Rename 'name' to 'origin' to better convey the purpose of that variable.
      Also mark it with the const qualifier.
      127810e5
  19. 28 Jun, 2018 1 commit
  20. 26 Jun, 2018 1 commit
  21. 14 Jun, 2018 1 commit
  22. 12 Jun, 2018 5 commits
  23. 29 May, 2018 1 commit
    • Ondřej Surý's avatar
      Change isc_random() to be just PRNG, and add isc_nonce_buf() that uses CSPRNG · 99ba29bc
      Ondřej Surý authored
      This commit reverts the previous change to use system provided
      entropy, as (SYS_)getrandom is very slow on Linux because it is
      a syscall.
      
      The change introduced in this commit adds a new call isc_nonce_buf
      that uses CSPRNG from cryptographic library provider to generate
      secure data that can be and must be used for generating nonces.
      Example usage would be DNS cookies.
      
      The isc_random() API has been changed to use fast PRNG that is not
      cryptographically secure, but runs entirely in user space.  Two
      contestants have been considered xoroshiro family of the functions
      by Villa&Blackman and PCG by O'Neill.  After a consideration the
      xoshiro128starstar function has been used as uint32_t random number
      provider because it is very fast and has good enough properties
      for our usage pattern.
      
      The other change introduced in the commit is the more extensive usage
      of isc_random_uniform in places where the usage pattern was
      isc_random() % n to prevent modulo bias.  For usage patterns where
      only 16 or 8 bits are needed (DNS Message ID), the isc_random()
      functions has been renamed to isc_random32(), and isc_random16() and
      isc_random8() functions have been introduced by &-ing the
      isc_random32() output with 0xffff and 0xff.  Please note that the
      functions that uses stripped down bit count doesn't pass our
      NIST SP 800-22 based random test.
      99ba29bc
  24. 26 May, 2018 1 commit
    • Evan Hunt's avatar
      clarify serve-stale documentation, and add a floor for max-stale-ttl · d1ca21d5
      Evan Hunt authored
      - added a 1-second floor to max-stale-ttl similar to stale-answer-ttl;
        if set to 0, it will be silently updated to 1.
      - fixed the ARM entry on max-stale-ttl, which incorrectly suggested that
        the default was 0 instead of 1 week.
      - clarified rndc serve-stale documentation.
      d1ca21d5
  25. 25 May, 2018 1 commit
    • Evan Hunt's avatar
      remove the experimental authoritative ECS support from named · e3244493
      Evan Hunt authored
      - mark the 'geoip-use-ecs' option obsolete; warn when it is used
        in named.conf
      - prohibit 'ecs' ACL tags in named.conf; note that this is a fatal error
        since simply ignoring the tags could make ACLs behave unpredictably
      - re-simplify the radix and iptable code
      - clean up dns_acl_match(), dns_aclelement_match(), dns_acl_allowed()
        and dns_geoip_match() so they no longer take ecs options
      - remove the ECS-specific unit and system test cases
      - remove references to ECS from the ARM
      e3244493
  26. 23 May, 2018 1 commit
  27. 18 May, 2018 1 commit
  28. 16 May, 2018 1 commit
    • Ondřej Surý's avatar
      Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API. · 3a4f820d
      Ondřej Surý authored
      The three functions has been modeled after the arc4random family of
      functions, and they will always return random bytes.
      
      The isc_random family of functions internally use these CSPRNG (if available):
      
      1. getrandom() libc call (might be available on Linux and Solaris)
      2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
      3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
      4. crypto library function:
      4a. RAND_bytes in case OpenSSL
      4b. pkcs_C_GenerateRandom() in case PKCS#11 library
      3a4f820d