1. 12 Aug, 2015 1 commit
      Updated CHANGES note to include require-server-cookie: · c631ff56
      Mark Andrews authored
      4152.   [func]          Implement DNS COOKIE option.  This replaces the
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm, nocookie-udp-size
                              and require-server-cookie.  The following dig options
                              are available: +[no]cookie[=value] and +[no]badcookie.
                              [RT #39928]
  2. 12 Jul, 2015 1 commit
  3. 09 Jul, 2015 1 commit
      [master] DDoS mitigation features · 1479200a
      Evan Hunt authored
      3938.	[func]		Added quotas to be used in recursive resolvers
      			that are under high query load for names in zones
      			whose authoritative servers are nonresponsive or
      			are experiencing a denial of service attack.
      			- "fetches-per-server" limits the number of
      			  simultaneous queries that can be sent to any
      			  single authoritative server.  The configured
      			  value is a starting point; it is automatically
      			  adjusted downward if the server is partially or
      			  completely non-responsive. The algorithm used to
      			  adjust the quota can be configured via the
      			  "fetch-quota-params" option.
      			- "fetches-per-zone" limits the number of
      			  simultaneous queries that can be sent for names
      			  within a single domain.  (Note: Unlike
      			  "fetches-per-server", this value is not
      			- New stats counters have been added to count
      			  queries spilled due to these quotas.
      			See the ARM for details of these options. [RT #37125]
  4. 05 Jul, 2015 1 commit
      4152. [func] Implement DNS COOKIE option. This replaces the · ce67023a
      Mark Andrews authored
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm and nocookie-udp-size.
                              The following dig options are available:
                              +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
  5. 22 May, 2015 1 commit
  6. 28 Apr, 2015 1 commit
  7. 03 Mar, 2015 1 commit
      [master] add "lock-file" and fix up singleton code · 7ae96d88
      Evan Hunt authored
      4080.	[func]		Completed change #4022, adding a "lock-file" option
      			to named.conf to override the default lock file,
      			in addition to the "named -X <filename>" command
      			line option.  Setting the lock file to "none"
      			using either method disables the check completely.
      			[RT #37908]
  8. 21 Jan, 2015 2 commits
  9. 16 Dec, 2014 1 commit
  10. 24 Nov, 2014 1 commit
  11. 19 Nov, 2014 1 commit
  12. 18 Nov, 2014 1 commit
      [master] limit recursion depth and iterative queries · 3230429e
      Evan Hunt authored
      4006.	[security]	A flaw in delegation handling could be exploited
      			to put named into an infinite loop.  This has
      			been addressed by placing limits on the number
      			of levels of recursion named will allow (default 7),
      			and the number of iterative queries that it will
      			send (default 50) before terminating a recursive
      			query (CVE-2014-8500).
      			The recursion depth limit is configured via the
      			"max-recursion-depth" option.  [RT #35780]
  13. 29 Sep, 2014 1 commit
  14. 04 Sep, 2014 1 commit
      [master] servfail cache · a8783019
      Evan Hunt authored
      3943.	[func]		SERVFAIL responses can now be cached for a
      			limited time (configured by "servfail-ttl",
      			default 10 seconds, limit 30). This can reduce
      			the frequency of retries when an authoritative
      			server is known to be failing, e.g., due to
      			ongoing DNSSEC validation problems. [RT #21347]
  15. 29 Aug, 2014 1 commit
      [master] ECS authoritative support · d46855ca
      Evan Hunt authored
      3936.	[func]		Added authoritative support for the EDNS Client
      			Subnet (ECS) option.
      			ACLs can now include "ecs" elements which specify
      			an address or network prefix; if an ECS option is
      			included in a DNS query, then the address encoded
      			in the option will be matched against "ecs" ACL
      			Also, if an ECS address is included in a query,
      			then it will be used instead of the client source
      			address when matching "geoip" ACL elements.  This
      			behavior can be overridden with "geoip-use-ecs no;".
      			When "ecs" or "geoip" ACL elements are used to
      			select a view for a query, the response will include
      			an ECS option to indicate which client network the
      			answer is valid for.
      			(Thanks to Vincent Bernat.) [RT #36781]
  16. 06 Aug, 2014 1 commit
  17. 18 Jun, 2014 1 commit
      [master] complete NTA work · b8a96323
      Evan Hunt authored
      3882.	[func]		By default, negative trust anchors will be tested
      			periodically to see whether data below them can be
      			validated, and if so, they will be allowed to
      			expire early. The "rndc nta -force" option
      			overrides this behavior.  The default NTA lifetime
      			and the recheck frequency can be configured by the
      			"nta-lifetime" and "nta-recheck" options. [RT #36146]
  18. 19 Feb, 2014 1 commit
      3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              SIT use an experimental EDNS option code (65001).
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default in Windows.
                              RRL processing has been updated to know about SIT with
                              legitimate clients not being rate limited. [RT #35389]
  19. 16 Feb, 2014 1 commit
      [master] delve · 1d761cb4
      Evan Hunt authored
      3741.	[func]		"delve" (domain entity lookup and validation engine):
      			A new tool with dig-like semantics for performing DNS
      			lookups, with internal DNSSEC validation, using the
      			same resolver and validator logic as named. This
      			allows easy validation of DNSSEC data in environments
      			with untrustworthy resolvers, and assists with
      			troubleshooting of DNSSEC problems. (Note: not yet
      			available on win32.) [RT #32406]
  20. 07 Feb, 2014 1 commit
  21. 12 Jan, 2014 1 commit
  22. 09 Jan, 2014 2 commits
  23. 03 Jun, 2013 1 commit
  24. 30 Apr, 2013 1 commit
  25. 19 Apr, 2013 1 commit
  26. 23 Mar, 2013 1 commit
  27. 22 Mar, 2013 1 commit
      [master] add DSCP support · 67adc03e
      Evan Hunt authored
      3535.	[func]		Add support for setting Differentiated Services Code
      			Point (DSCP) values in named.  Most configuration
      			options which take a "port" option (e.g.,
      			listen-on, forwarders, also-notify, masters,
      			notify-source, etc) can now also take a "dscp"
      			option specifying a code point for use with
      			outgoing traffic, if supported by the underlying
      			OS. [RT #27596]
  28. 20 Mar, 2013 1 commit
  29. 27 Feb, 2013 2 commits
  30. 25 Feb, 2013 1 commit
      [master] DNS RRL · 55e5c51e
      Evan Hunt authored
      3494.	[func]		DNS RRL: Blunt the impact of DNS reflection and
      			amplification attacks by rate-limiting substantially-
      			identical responses. [RT #28130]
  31. 08 Dec, 2012 1 commit
      3437. [bug] isc_buffer_init -> isc_buffer_constinit to initialise · 6f7abb89
      Mark Andrews authored
                              buffers with constant data. [RT #32064]
      Squashed commit of the following:
      commit 3433b96bf11f8c90ccbe412f01d02a6d8bbc2d33
      Author: Mark Andrews <marka@isc.org>
      Date:   Sat Dec 8 12:41:16 2012 +1100
          isc_buffer_init -> isc_buffer_constinit
      commit c22dbcc1122a0a44f7b46068e0ccbc25353a57d5
      Author: Mark Andrews <marka@isc.org>
      Date:   Sat Dec 8 12:38:39 2012 +1100
          isc_buffer_init -> isc_buffer_constinit
      commit 900820416c45c1887d0d22d7a010df60a903bd56
      Author: Mark Andrews <marka@isc.org>
      Date:   Sat Dec 8 12:24:19 2012 +1100
          remove isc_buffer_reconstinit
      commit f815711c17b05f9961786a90b9bae902d3c01494
      Author: Mark Andrews <marka@isc.org>
      Date:   Wed Dec 5 15:42:57 2012 +1100
          add isc_buffer_constinit
  32. 26 Sep, 2012 1 commit
  33. 14 Jun, 2012 1 commit
  34. 08 Jun, 2012 1 commit
  35. 14 May, 2012 1 commit
      merged filter-aaaa-on-v6 (ATT SoW) · d878b8d8
      Evan Hunt authored
      3327.	[func]		Added 'filter-aaaa-on-v6' option; this is similar
      			to 'filter-aaaa-on-v4' but applies to IPv6
      			connections.  (Use "configure --enable-filter-aaaa"
      			to enable this option.)  [RT #27308]
  36. 06 Jan, 2012 2 commits