1. 23 Apr, 2019 4 commits
  2. 19 Apr, 2019 15 commits
  3. 18 Apr, 2019 6 commits
  4. 17 Apr, 2019 2 commits
  5. 12 Apr, 2019 12 commits
    • Matthijs Mekking's avatar
      Merge branch '763-matthijs-active-zsk-but-ksk-only-v9_11' into 'v9_11' · f5b60bb8
      Matthijs Mekking authored
      Don't sign DNSKEY RRset with ZSK if KSK is offline
      See merge request !1797
    • Matthijs Mekking's avatar
      Fix dnssec test · ce3d35d9
      Matthijs Mekking authored
      The following changes were needed:
      * Remove dnskey-sig-validity option (added in 9.12)
      * Replace rndccmd, dig_with_opts with export variables
      * Remove tests for CDNSKEY and CDS (in 9.11 always signed with ZSK)
    • Matthijs Mekking's avatar
      Fix copyrights · c5e1bfc6
      Matthijs Mekking authored
    • Matthijs Mekking's avatar
      With update-check-ksk also consider offline keys · 4af2d5b6
      Matthijs Mekking authored
      The option `update-check-ksk` will look if both KSK and ZSK are
      available before signing records.  It will make sure the keys are
      active and available.  However, for operational practices keys may
      be offline.  This commit relaxes the update-check-ksk check and will
      mark a key that is offline to be available when adding signature
      (cherry picked from commit 3cb8c49c)
      (cherry picked from commit b508cffe)
    • Matthijs Mekking's avatar
      Style: some curly brackets · 9079ae03
      Matthijs Mekking authored
      (cherry picked from commit 2e83e325)
      (cherry picked from commit 42b0bf4d)
    • Matthijs Mekking's avatar
      Add detail on echo message in autosign test · 944c2b5a
      Matthijs Mekking authored
      (cherry picked from commit d3309863)
      (cherry picked from commit d281d9ae)
    • Matthijs Mekking's avatar
      Add test for ZSK rollover while KSK offline · 537a88e4
      Matthijs Mekking authored
      This commit adds a lengthy test where the ZSK is rolled but the
      KSK is offline (except for when the DNSKEY RRset is changed).  The
      specific scenario has the `dnskey-kskonly` configuration option set
      meaning the DNSKEY RRset should only be signed with the KSK.
      A new zone `updatecheck-kskonly.secure` is added to test against,
      that can be dynamically updated, and that can be controlled with rndc
      to load the DNSSEC keys.
      There are some pre-checks for this test to make sure everything is
      fine before the ZSK roll, after the new ZSK is published, and after
      the old ZSK is deleted.  Note there are actually two ZSK rolls in
      quick succession.
      When the latest added ZSK becomes active and its predecessor becomes
      inactive, the KSK is offline.  However, the DNSKEY RRset did not
      change and it has a good signature that is valid for long enough.
      The expected behavior is that the DNSKEY RRset stays signed with
      the KSK only (signature does not need to change).  However, the
      test will fail because after reconfiguring the keys for the zone,
      it wants to add re-sign tasks for the new active keys (in sign_apex).
      Because the KSK is offline, named determines that the only other
      active key, the latest ZSK, will be used to resign the DNSKEY RRset,
      in addition to keeping the RRSIG of the KSK.
      The question is: Why do we need to resign the DNSKEY RRset
      immediately when a new key becomes active?  This is not required,
      only once the next resign task is triggered the new active key
      should replace signatures that are in need of refreshing.
      (cherry-picked from commit c48b85d0)
    • Mark Andrews's avatar
      Merge branch... · 13dcf61a
      Mark Andrews authored
      Merge branch '980-util-update_copyrights-now-needs-to-handle-files-with-cr-lf-endings-v9_11' into 'v9_11'
      Resolve "util/update_copyrights now needs to handle files with CR LF endings."
      See merge request !1802
    • Mark Andrews's avatar
      support files which have CR LF ending like those in win32utils · 66b82fab
      Mark Andrews authored
      (cherry picked from commit e76936fd)
    • Evan Hunt's avatar
      Merge branch '963-dnstap-check-ra-v9_14-v9_11' into 'v9_11' · c39fc19d
      Evan Hunt authored
      dnstap: if recursion is not available, log queries as AQ instead of CQ
      See merge request !1800
    • Evan Hunt's avatar
      CHANGES · 9c9ee359
      Evan Hunt authored
      (cherry picked from commit ded46507)
    • Evan Hunt's avatar
      dnstap: if recursion is not available, log queries as AQ instead of CQ · fbcaadb2
      Evan Hunt authored
      (cherry picked from commit 1f578cdb)
      (cherry picked from commit f6c3b135)
  6. 11 Apr, 2019 1 commit