1. 12 Aug, 2015 1 commit
    • Updated CHANGES note to include require-server-cookie: · c631ff56
      Mark Andrews authored
      4152.   [func]          Implement DNS COOKIE option.  This replaces the
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm, nocookie-udp-size
                              and require-server-cookie.  The following dig options
                              are available: +[no]cookie[=value] and +[no]badcookie.
                              [RT #39928]
  2. 09 Jul, 2015 1 commit
    • [master] DDoS mitigation features · 1479200a
      Evan Hunt authored
      3938.	[func]		Added quotas to be used in recursive resolvers
      			that are under high query load for names in zones
      			whose authoritative servers are nonresponsive or
      			are experiencing a denial of service attack.
      
      			- "fetches-per-server" limits the number of
      			  simultaneous queries that can be sent to any
      			  single authoritative server.  The configured
      			  value is a starting point; it is automatically
      			  adjusted downward if the server is partially or
      			  completely non-responsive. The algorithm used to
      			  adjust the quota can be configured via the
      			  "fetch-quota-params" option.
      			- "fetches-per-zone" limits the number of
      			  simultaneous queries that can be sent for names
      			  within a single domain.  (Note: Unlike
      			  "fetches-per-server", this value is not
      			  self-tuning.)
      			- New stats counters have been added to count
      			  queries spilled due to these quotas.
      
      			See the ARM for details of these options. [RT #37125]
  3. 06 Jul, 2015 1 commit
  4. 05 Jul, 2015 1 commit
    • 4152. [func] Implement DNS COOKIE option. This replaces the · ce67023a
      Mark Andrews authored
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm and nocookie-udp-size.
                              The following dig options are available:
                              +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
  5. 23 Jun, 2015 2 commits
  6. 05 Jun, 2015 1 commit
  7. 23 Apr, 2015 1 commit
  8. 17 Apr, 2015 1 commit
  9. 03 Mar, 2015 1 commit
    • [master] add "lock-file" and fix up singleton code · 7ae96d88
      Evan Hunt authored
      4080.	[func]		Completed change #4022, adding a "lock-file" option
      			to named.conf to override the default lock file,
      			in addition to the "named -X <filename>" command
      			line option.  Setting the lock file to "none"
      			using either method disables the check completely.
      			[RT #37908]
  10. 21 Jan, 2015 1 commit
    • [master] add TCP pipelining support · 761d135e
      Evan Hunt authored
      4040.	[func]		Added server-side support for pipelined TCP
      			queries. TCP connections are no longer closed after
      			the first query received from a client. (The new
      			"keep-response-order" option allows clients to be
      			specified for which the old behavior will still be
      			used.) [RT #37821]
  11. 07 Jan, 2015 2 commits
  12. 02 Dec, 2014 1 commit
  13. 19 Nov, 2014 1 commit
  14. 18 Nov, 2014 1 commit
    • [master] limit recursion depth and iterative queries · 3230429e
      Evan Hunt authored
      4006.	[security]	A flaw in delegation handling could be exploited
      			to put named into an infinite loop.  This has
      			been addressed by placing limits on the number
      			of levels of recursion named will allow (default 7),
      			and the number of iterative queries that it will
      			send (default 50) before terminating a recursive
      			query (CVE-2014-8500).
      
      			The recursion depth limit is configured via the
      			"max-recursion-depth" option.  [RT #35780]
  15. 30 Oct, 2014 1 commit
  16. 29 Sep, 2014 1 commit
  17. 10 Sep, 2014 1 commit
  18. 04 Sep, 2014 1 commit
    • [master] servfail cache · a8783019
      Evan Hunt authored
      3943.	[func]		SERVFAIL responses can now be cached for a
      			limited time (configured by "servfail-ttl",
      			default 10 seconds, limit 30). This can reduce
      			the frequency of retries when an authoritative
      			server is known to be failing, e.g., due to
      			ongoing DNSSEC validation problems. [RT #21347]
  19. 29 Aug, 2014 1 commit
    • [master] ECS authoritative support · d46855ca
      Evan Hunt authored
      3936.	[func]		Added authoritative support for the EDNS Client
      			Subnet (ECS) option.
      
      			ACLs can now include "ecs" elements which specify
      			an address or network prefix; if an ECS option is
      			included in a DNS query, then the address encoded
      			in the option will be matched against "ecs" ACL
      			elements.
      
      			Also, if an ECS address is included in a query,
      			then it will be used instead of the client source
      			address when matching "geoip" ACL elements.  This
      			behavior can be overridden with "geoip-use-ecs no;".
      
      			When "ecs" or "geoip" ACL elements are used to
      			select a view for a query, the response will include
      			an ECS option to indicate which client network the
      			answer is valid for.
      
      			(Thanks to Vincent Bernat.) [RT #36781]
  20. 26 Aug, 2014 1 commit
  21. 25 Aug, 2014 1 commit
  22. 15 Aug, 2014 1 commit
  23. 06 Aug, 2014 2 commits
  24. 22 Jul, 2014 1 commit
  25. 18 Jun, 2014 1 commit
    • [master] complete NTA work · b8a96323
      Evan Hunt authored
      3882.	[func]		By default, negative trust anchors will be tested
      			periodically to see whether data below them can be
      			validated, and if so, they will be allowed to
      			expire early. The "rndc nta -force" option
      			overrides this behavior.  The default NTA lifetime
      			and the recheck frequency can be configured by the
      			"nta-lifetime" and "nta-recheck" options. [RT #36146]
  26. 16 May, 2014 1 commit
  27. 18 Apr, 2014 1 commit
    • [master] masterfile-style · ec3b2165
      Evan Hunt authored
      3814.	[func]		The "masterfile-style" zone option controls the
      			formatting of dumped zone files. Options are
      			"relative" (multiline format) and "full" (one
      			record per line). The default is "relative".
      			[RT #20798]
  28. 17 Apr, 2014 1 commit
    • [master] serial-update-method date; · 7318bbc2
      Evan Hunt authored
      3811.	[func]		"serial-update-method date;" sets serial number
      			on dynamic update to today's date in YYYYMMDDNN
      			format. (Thanks to Bradley Forschinger.) [RT #24903]
  29. 26 Feb, 2014 1 commit
  30. 21 Feb, 2014 1 commit
  31. 19 Feb, 2014 2 commits
    • [master] max-zone-ttl · 35f6a21f
      Evan Hunt authored
      3746.	[func]		New "max-zone-ttl" option enforces maximum
      			TTLs for zones. If loading a zone containing a
      			higher TTL, the load fails. DDNS updates with
      			higher TTLs are accepted but the TTL is truncated.
      			(Note: Currently supported for master zones only;
      			inline-signing slaves will be added.) [RT #38405]
    • 3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              clients.
      
                              SIT uses an experimental EDNS option code (65001).
      
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default in Windows.
      
                              RRL processing has been updated to know about SIT with
                              legitimate clients not being rate limited. [RT #35389]
  32. 07 Feb, 2014 2 commits
    • 3733. [func] Improve interface scanning support. Interface · 62ec9fd1
      Mark Andrews authored
                              information will be automatically updated if the
                              OS supports routing sockets.  Use
                              "automatic-interface-scan no;" to disable.
      
                              Add "rndc scan" to trigger a scan. [RT #23027]
    • [master] add no-case-compress · 166341d5
      Evan Hunt authored
      3731.	[func]		Added a "no-case-compress" ACL, which causes
      			named to use case-insensitive compression
      			(disabling change #3645) for specified
      			clients. (This is useful when dealing
      			with broken client implementations that
      			use case-sensitive name comparisons,
      			rejecting responses that fail to match the
      			capitalization of the query that was sent.)
      			[RT #35300]
  33. 12 Jan, 2014 1 commit
  34. 10 Jan, 2014 1 commit
  35. 09 Jan, 2014 1 commit