1. 29 Aug, 2014 1 commit
    • [master] ECS authoritative support · d46855ca
      Evan Hunt authored
      3936.	[func]		Added authoritative support for the EDNS Client
      			Subnet (ECS) option.
      
      			ACLs can now include "ecs" elements which specify
      			an address or network prefix; if an ECS option is
      			included in a DNS query, then the address encoded
      			in the option will be matched against "ecs" ACL
      			elements.
      
      			Also, if an ECS address is included in a query,
      			then it will be used instead of the client source
      			address when matching "geoip" ACL elements.  This
      			behavior can be overridden with "geoip-use-ecs no;".
      
      			When "ecs" or "geoip" ACL elements are used to
      			select a view for a query, the response will include
      			an ECS option to indicate which client network the
      			answer is valid for.
      
      			(Thanks to Vincent Bernat.) [RT #36781]
  2. 26 Aug, 2014 2 commits
  3. 23 Aug, 2014 1 commit
  4. 22 Aug, 2014 1 commit
  5. 18 Aug, 2014 1 commit
  6. 06 Aug, 2014 1 commit
  7. 02 Aug, 2014 1 commit
  8. 30 Jul, 2014 1 commit
    • [master] complete change #3882 · a5e2e389
      Evan Hunt authored
      Parse arguments to "rndc nta" so they can be either
      long or shortened (i.e., both "-dump" and "-d" will work).
  9. 25 Jun, 2014 1 commit
  10. 19 Jun, 2014 1 commit
  11. 18 Jun, 2014 1 commit
    • [master] complete NTA work · b8a96323
      Evan Hunt authored
      3882.	[func]		By default, negative trust anchors will be tested
      			periodically to see whether data below them can be
      			validated, and if so, they will be allowed to
      			expire early. The "rndc nta -force" option
      			overrides this behavior.  The default NTA lifetime
      			and the recheck frequency can be configured by the
      			"nta-lifetime" and "nta-recheck" options. [RT #36146]
  12. 30 May, 2014 2 commits
    • [master] rndc nta · 0cfb2473
      Evan Hunt authored
      3867.	[func]		"rndc nta" can now be used to set a temporary
      			negative trust anchor, which disables DNSSEC
      			validation below a specified name for a specified
      			period of time (not exceeding 24 hours).  This
      			can be used when validation for a domain is known
      			to be failing due to a configuration error on
      			the part of the domain owner rather than a
      			spoofing attack. [RT #29358]
    • Mark Andrews's avatar
      fa6308bd
  13. 15 May, 2014 1 commit
  14. 26 Apr, 2014 1 commit
  15. 04 Apr, 2014 1 commit
  16. 13 Mar, 2014 1 commit
  17. 12 Mar, 2014 3 commits
  18. 11 Mar, 2014 1 commit
    • [master] auto-generate salt · 62258ada
      Evan Hunt authored
      3781.	[func]		Specifying "auto" as the salt when using
      			"rndc signing -nsec3param" causes named to
      			generate a 64-bit salt at random. [RT #35322]
  19. 07 Mar, 2014 1 commit
  20. 01 Mar, 2014 1 commit
  21. 23 Feb, 2014 2 commits
  22. 19 Feb, 2014 2 commits
    • [master] add "--with-tuning=large" option · 6a3fa181
      Evan Hunt authored
      3745.	[func]		"configure --with-tuning=large" adjusts various
      			compiled-in constants and default settings to
      			values suited to large servers with abundant
      			memory. [RT #29538]
    • 3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              clients.
      
                              SIT use an experimental EDNS option code (65001).
      
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default in Windows.
      
                              RRL processing has been updated to know about SIT with
                              legitimate clients not being rate limited. [RT #35389]
  23. 17 Feb, 2014 1 commit
  24. 16 Feb, 2014 2 commits
    • [master] delve · 1d761cb4
      Evan Hunt authored
      3741.	[func]		"delve" (domain entity lookup and validation engine):
      			A new tool with dig-like semantics for performing DNS
      			lookups, with internal DNSSEC validation, using the
      			same resolver and validator logic as named. This
      			allows easy validation of DNSSEC data in environments
      			with untrustworthy resolvers, and assists with
      			troubleshooting of DNSSEC problems. (Note: not yet
      			available on win32.) [RT #32406]
    • spurious space · a3a74b30
      Francis Dupont authored
  25. 12 Feb, 2014 1 commit
  26. 07 Feb, 2014 3 commits
    • fix typo in comment · 404d7c96
      Mark Andrews authored
    • 3733. [func] Improve interface scanning support. Interface · 62ec9fd1
      Mark Andrews authored
                              information will be automatically updated if the
                              OS supports routing sockets.  Use
                              "automatic-interface-scan no;" to disable.
      
                              Add "rndc scan" to trigger a scan. [RT #23027]
    • [master] add no-case-compress · 166341d5
      Evan Hunt authored
      3731.	[func]		Added a "no-case-compress" ACL, which causes
      			named to use case-insensitive compression
      			(disabling change #3645) for specified
      			clients. (This is useful when dealing
      			with broken client implementations that
      			use case-sensitive name comparisons,
      			rejecting responses that fail to match the
      			capitalization of the query that was sent.)
      			[RT #35300]
  27. 06 Feb, 2014 1 commit
  28. 31 Jan, 2014 1 commit
  29. 16 Jan, 2014 1 commit
  30. 14 Jan, 2014 1 commit
    • [master] native PKCS#11 support · ba751492
      Evan Hunt authored
      3705.	[func]		"configure --enable-native-pkcs11" enables BIND
      			to use the PKCS#11 API for all cryptographic
      			functions, so that it can drive a hardware service
      			module directly without the need to use a modified
      			OpenSSL as intermediary (so long as the HSM's vendor
      			provides a complete-enough implementation of the
      			PKCS#11 interface). This has been tested successfully
      			with the Thales nShield HSM and with SoftHSMv2 from
      			the OpenDNSSEC project. [RT #29031]
  31. 12 Jan, 2014 1 commit