1. 22 Apr, 2017 1 commit
  2. 05 Jan, 2017 1 commit
  3. 04 Jan, 2017 1 commit
    • [master] EDNS padding and keepalive support · 58043325
      Evan Hunt authored
      4549.	[func]		Added support for the EDNS TCP Keepalive option
      			(RFC 7828). [RT #42126]
      
      4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
      			[RT #42094]
  4. 30 Dec, 2016 1 commit
  5. 02 Nov, 2016 1 commit
  6. 11 Oct, 2016 1 commit
  7. 18 Aug, 2016 1 commit
  8. 22 Jul, 2016 1 commit
  9. 27 Jun, 2016 1 commit
  10. 22 Jun, 2016 1 commit
  11. 26 May, 2016 1 commit
  12. 25 May, 2016 2 commits
  13. 15 Dec, 2015 1 commit
  14. 05 Nov, 2015 1 commit
  15. 29 Oct, 2015 1 commit
  16. 17 Oct, 2015 1 commit
  17. 02 Oct, 2015 1 commit
    • [master] dnstap · b66b333f
      Evan Hunt authored
      4235.	[func]		Added support in named for "dnstap", a fast method of
      			capturing and logging DNS traffic, and a new command
      			"dnstap-read" to read a dnstap log file.  Use
      			"configure --enable-dnstap" to enable this
      			feature (note that this requires libprotobuf-c
      			and libfstrm). See the ARM for configuration details.
      
      			Thanks to Robert Edmonds of Farsight Security.
      			[RT #40211]
  18. 28 Sep, 2015 2 commits
  19. 12 Aug, 2015 1 commit
    • Updated CHANGES note to include require-server-cookie: · c631ff56
      Mark Andrews authored
      4152.   [func]          Implement DNS COOKIE option.  This replaces the
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm, nocookie-udp-size
                              and require-server-cookie.  The following dig options
                              are available: +[no]cookie[=value] and +[no]badcookie.
                              [RT #39928]
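An added example, not ISC's code, of the COOKIE option exchange that the directives above control, modelled in Python. A client sends an 8-byte client cookie; the server answers with the client cookie plus a server cookie bound to that client cookie and the query's source address, and a client that gets a response whose client cookie does not match what it sent can discard it as an off-path forgery. The server-cookie construction used here (HMAC-SHA256 truncated to 8 bytes), the option-layout constants, and the way require-server-cookie is modelled (BADCOOKIE with the correct cookie attached until the client presents a valid server cookie) are assumptions for illustration; BIND's own cookie-algorithm choices and exact behaviour are described in the ARM, not on this page.

```python
import hashlib
import hmac
import ipaddress
import struct

COOKIE = 10       # EDNS option code for DNS COOKIE (RFC 7873)
BADCOOKIE = 23    # extended RCODE: server cookie required but missing or bad


def encode_option(code, data):
    """One EDNS option as it sits in OPT RDATA: code, length, data."""
    return struct.pack("!HH", code, len(data)) + data


def decode_options(rdata):
    """Parse OPT RDATA into (code, data) pairs, rejecting truncation."""
    opts, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option data runs past end of OPT RDATA")
        opts.append((code, rdata[pos:pos + length]))
        pos += length
    return opts


def split_cookie(data):
    """Client cookie is 8 bytes; a server cookie, if present, is 8 to 32 more."""
    if len(data) == 8:
        return data, b""
    if 16 <= len(data) <= 40:
        return data[:8], data[8:]
    raise ValueError("malformed COOKIE option of %d bytes" % len(data))


def make_server_cookie(secret, client_cookie, client_ip):
    # Assumed toy construction: HMAC-SHA256 over client cookie and source
    # address, truncated to 8 bytes. Not one of BIND's cookie-algorithm values.
    addr = ipaddress.ip_address(client_ip).packed
    return hmac.new(secret, client_cookie + addr, hashlib.sha256).digest()[:8]


def server_respond(secret, client_ip, opt_rdata, require_server_cookie=False):
    """Return (rcode, OPT RDATA for the response) given the query's OPT RDATA."""
    cookies = [d for code, d in decode_options(opt_rdata) if code == COOKIE]
    if not cookies:
        return 0, b""                       # cookie-unaware client: answer as usual
    client_cookie, server_cookie = split_cookie(cookies[0])
    expected = make_server_cookie(secret, client_cookie, client_ip)
    reply = encode_option(COOKIE, client_cookie + expected)
    if hmac.compare_digest(server_cookie, expected):
        return 0, reply                     # valid server cookie: full answer
    # Missing or stale server cookie: hand back the right one, and withhold
    # the answer only if the operator demands a valid server cookie first.
    return (BADCOOKIE if require_server_cookie else 0), reply


def client_check(sent_client_cookie, response_opt_rdata):
    """Off-path spoof check: the response must echo the client cookie we sent.
    Returns the server cookie to reuse next time, or None if rejected."""
    for code, data in decode_options(response_opt_rdata):
        if code == COOKIE:
            cc, sc = split_cookie(data)
            if hmac.compare_digest(cc, sent_client_cookie):
                return sc
    return None


if __name__ == "__main__":
    secret = b"constructed-secret-not-for-production"
    cc = bytes.fromhex("0102030405060708")        # constructed client cookie
    rcode, reply = server_respond(secret, "192.0.2.10", encode_option(COOKIE, cc), True)
    print("first query gets BADCOOKIE:", rcode == BADCOOKIE)
    sc = client_check(cc, reply)                  # learn the server cookie
    rcode, _ = server_respond(secret, "192.0.2.10", encode_option(COOKIE, cc + sc), True)
    print("retry with server cookie, rcode:", rcode)
```

The source address is folded into the server cookie, so a cookie captured from one client does not validate from another address, and the client's comparison of the echoed client cookie is what gives it the off-path protection the SIT change below describes.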
  20. 12 Jul, 2015 1 commit
  21. 09 Jul, 2015 1 commit
    • [master] DDoS mitigation features · 1479200a
      Evan Hunt authored
      3938.	[func]		Added quotas to be used in recursive resolvers
      			that are under high query load for names in zones
      			whose authoritative servers are nonresponsive or
      			are experiencing a denial of service attack.
      
      			- "fetches-per-server" limits the number of
      			  simultaneous queries that can be sent to any
      			  single authoritative server.  The configured
      			  value is a starting point; it is automatically
      			  adjusted downward if the server is partially or
      			  completely non-responsive. The algorithm used to
      			  adjust the quota can be configured via the
      			  "fetch-quota-params" option.
      			- "fetches-per-zone" limits the number of
      			  simultaneous queries that can be sent for names
      			  within a single domain.  (Note: Unlike
      			  "fetches-per-server", this value is not
      			  self-tuning.)
      			- New stats counters have been added to count
      			  queries spilled due to these quotas.
      
      			See the ARM for details of these options. [RT #37125]
  22. 05 Jul, 2015 1 commit
    • 4152. [func] Implement DNS COOKIE option. This replaces the · ce67023a
      Mark Andrews authored
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm and nocookie-udp-size.
                              The following dig options are available:
                              +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
  23. 22 May, 2015 1 commit
  24. 28 Apr, 2015 1 commit
  25. 03 Mar, 2015 1 commit
    • [master] add "lock-file" and fix up singleton code · 7ae96d88
      Evan Hunt authored
      4080.	[func]		Completed change #4022, adding a "lock-file" option
      			to named.conf to override the default lock file,
      			in addition to the "named -X <filename>" command
      			line option.  Setting the lock file to "none"
      			using either method disables the check completely.
      			[RT #37908]
  26. 21 Jan, 2015 2 commits
  27. 16 Dec, 2014 1 commit
  28. 24 Nov, 2014 1 commit
  29. 19 Nov, 2014 1 commit
  30. 18 Nov, 2014 1 commit
    • [master] limit recursion depth and iterative queries · 3230429e
      Evan Hunt authored
      4006.	[security]	A flaw in delegation handling could be exploited
      			to put named into an infinite loop.  This has
      			been addressed by placing limits on the number
      			of levels of recursion named will allow (default 7),
      			and the number of iterative queries that it will
      			send (default 50) before terminating a recursive
      			query (CVE-2014-8500).
      
      			The recursion depth limit is configured via the
      			"max-recursion-depth" option.  [RT #35780]
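An added example, not BIND's resolver code, showing why the two limits in the change above stop a delegation loop. It is a toy iterative resolver in Python over a constructed delegation table in which zone loop-a.example names a server inside loop-b.example and vice versa, with no glue for either, so resolving either server's address requires first resolving the other's. Without a cap that chase never ends; with the defaults named now uses (7 recursion levels, 50 iterative queries) the lookup fails with SERVFAIL after a bounded amount of work. The zone names, addresses and the accounting of which steps count as a query are assumptions of this example.

```python
MAX_RECURSION_DEPTH = 7   # default of "max-recursion-depth" in the change above
MAX_QUERIES = 50          # default cap on iterative queries per recursive lookup


class ResolverLimit(Exception):
    """Raised where a resolver would give up and answer SERVFAIL."""


# Constructed delegation data, not real DNS: zone -> (nameserver name, glue address).
# A nameserver without glue forces a separate lookup of its own name one recursion
# level deeper; loop-a and loop-b each name a server that lives inside the other.
ZONES = {
    ".":               ("root.",              "198.51.100.1"),
    "example.":        ("ns.example.",        "192.0.2.1"),
    "loop-a.example.": ("ns.loop-b.example.", None),
    "loop-b.example.": ("ns.loop-a.example.", None),
}
ADDRESSES = {"www.example.": "192.0.2.80"}   # what the authoritative server answers


def enclosing_zone(name):
    """Closest zone cut at or above name (names are absolute, with trailing dot)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONES:
            return candidate
    return "."


def _send(stats, max_queries, qname):
    """Account for one simulated iterative query and enforce the budget."""
    stats["queries"] += 1
    if stats["queries"] > max_queries:
        raise ResolverLimit("%d iterative queries sent while resolving %s"
                            % (stats["queries"], qname))


def resolve(qname, depth=0, stats=None, max_depth=MAX_RECURSION_DEPTH,
            max_queries=MAX_QUERIES):
    stats = {"queries": 0} if stats is None else stats
    if depth > max_depth:
        raise ResolverLimit("recursion depth %d exceeded while resolving %s"
                            % (depth, qname))
    ns_name, glue = ZONES[enclosing_zone(qname)]
    _send(stats, max_queries, qname)          # referral query for qname's delegation
    if glue is None:
        # Nameserver address unknown: nested lookup of the server's own name.
        glue = resolve(ns_name, depth + 1, stats, max_depth, max_queries)
    _send(stats, max_queries, qname)          # query to the authoritative server at glue
    if qname not in ADDRESSES:
        raise LookupError("NXDOMAIN " + qname)
    return ADDRESSES[qname]


def lookup(qname, **limits):
    """Outcome as a client sees it: (rcode, answer or reason, queries sent)."""
    stats = {"queries": 0}
    try:
        return "NOERROR", resolve(qname, 0, stats, **limits), stats["queries"]
    except ResolverLimit as exc:
        return "SERVFAIL", str(exc), stats["queries"]
    except LookupError as exc:
        return "NXDOMAIN", str(exc), stats["queries"]


if __name__ == "__main__":
    print(lookup("www.example."))                           # answered in 2 queries
    print(lookup("host.loop-a.example."))                   # depth limit stops it
    print(lookup("host.loop-a.example.", max_depth=1000))   # query budget stops it
```

Raising max_depth shows the second limit taking over: the loop then burns through the 50-query budget instead, which is the bound that matters when a chain is long rather than deep. Either way the cost of one malicious delegation is capped per lookup instead of being unbounded.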
  31. 29 Sep, 2014 1 commit
  32. 04 Sep, 2014 1 commit
    • [master] servfail cache · a8783019
      Evan Hunt authored
      3943.	[func]		SERVFAIL responses can now be cached for a
      			limited time (configured by "servfail-ttl",
      			default 10 seconds, limit 30). This can reduce
      			the frequency of retries when an authoritative
      			server is known to be failing, e.g., due to
      			ongoing DNSSEC validation problems. [RT #21347]
  33. 29 Aug, 2014 1 commit
    • [master] ECS authoritative support · d46855ca
      Evan Hunt authored
      3936.	[func]		Added authoritative support for the EDNS Client
      			Subnet (ECS) option.
      
      			ACLs can now include "ecs" elements which specify
      			an address or network prefix; if an ECS option is
      			included in a DNS query, then the address encoded
      			in the option will be matched against "ecs" ACL
      			elements.
      
      			Also, if an ECS address is included in a query,
      			then it will be used instead of the client source
      			address when matching "geoip" ACL elements.  This
      			behavior can be overridden with "geoip-use-ecs no;".
      
      			When "ecs" or "geoip" ACL elements are used to
      			select a view for a query, the response will include
      			an ECS option to indicate which client network the
      			answer is valid for.
      
      			(Thanks to Vincent Bernat.) [RT #36781]
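An added example, not BIND's code, of the pieces the ECS change above puts together: the ECS option's wire layout (family, source prefix length, scope prefix length, address truncated to the prefix), a strict decoder that rejects bad lengths and nonzero padding bits, an ACL in which "ecs" elements match the option's network while address elements match the packet source, view selection that adds a scope-bearing ECS option to the response when an "ecs" element chose the view, and the address handed to geoip matching with and without geoip-use-ecs. The mini ACL syntax, the view list and the rule that an "ecs" element matches when the client prefix lies within it are assumptions of this example.

```python
import ipaddress
import struct

ECS = 8   # EDNS option code for Client Subnet


def encode_ecs(network, scope=0):
    """ECS option data: family, source prefix length, scope, truncated address."""
    net = ipaddress.ip_network(network, strict=False)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8
    return struct.pack("!HBB", family, net.prefixlen, scope) + net.network_address.packed[:nbytes]


def decode_ecs(data):
    """Parse ECS option data into (client network, scope prefix length), rejecting
    unknown families, prefix/length mismatches and nonzero bits past the prefix."""
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, source, scope = struct.unpack("!HBB", data[:4])
    addr = data[4:]
    if family == 1:
        full, cls = 4, ipaddress.IPv4Address
    elif family == 2:
        full, cls = 16, ipaddress.IPv6Address
    else:
        raise ValueError("unknown ECS address family %d" % family)
    if source > full * 8 or len(addr) != (source + 7) // 8:
        raise ValueError("ECS prefix length does not match address bytes")
    packed = addr + bytes(full - len(addr))
    # strict=True makes ip_network refuse set bits beyond the prefix
    net = ipaddress.ip_network("%s/%d" % (cls(packed), source))
    return net, scope


def build_acl(spec):
    """Assumed mini ACL syntax: ("ecs", prefix) matches the ECS network,
    ("addr", prefix) matches the packet source address."""
    return [(kind, ipaddress.ip_network(prefix)) for kind, prefix in spec]


def match_acl(acl, source_ip, ecs_net=None):
    """First matching element, or None."""
    src = ipaddress.ip_address(source_ip)
    for kind, net in acl:
        if kind == "addr" and src in net:
            return kind, net
        if (kind == "ecs" and ecs_net is not None
                and ecs_net.version == net.version and ecs_net.subnet_of(net)):
            return kind, net
    return None


def select_view(views, source_ip, query_ecs_data=None):
    """views: list of (name, acl). Returns (view name, response ECS data or None)."""
    ecs_net = None
    if query_ecs_data is not None:
        ecs_net, _ = decode_ecs(query_ecs_data)
    for name, acl in views:
        hit = match_acl(acl, source_ip, ecs_net)
        if hit is None:
            continue
        kind, net = hit
        if kind == "ecs":
            # The answer is specific to this client network: say so via scope.
            return name, encode_ecs(str(ecs_net), scope=net.prefixlen)
        return name, None
    return None, None


def geo_address(source_ip, ecs_net=None, geoip_use_ecs=True):
    """Address fed to "geoip" matching: the ECS address unless geoip-use-ecs no."""
    if ecs_net is not None and geoip_use_ecs:
        return ecs_net.network_address
    return ipaddress.ip_address(source_ip)


# Constructed view list for the example: an ECS-selected view, a source-address
# view for an internal range, and a catch-all.
VIEWS = [
    ("eu",       build_acl([("ecs", "203.0.113.0/24")])),
    ("internal", build_acl([("addr", "192.0.2.0/24")])),
    ("default",  build_acl([("addr", "0.0.0.0/0"), ("addr", "::/0")])),
]

if __name__ == "__main__":
    q = encode_ecs("203.0.113.64/26")
    print(select_view(VIEWS, "192.0.2.10", q))    # eu, even from an internal source
    print(select_view(VIEWS, "192.0.2.10"))       # internal, no ECS in the query
```

Note that the first call picks the "eu" view although the packet came from the internal range: with ECS present, the "ecs" element is consulted first because the view list is ordered that way, which is exactly the kind of precedence an operator has to think through when mixing "ecs" and address elements.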
  34. 06 Aug, 2014 1 commit
  35. 18 Jun, 2014 1 commit
    • [master] complete NTA work · b8a96323
      Evan Hunt authored
      3882.	[func]		By default, negative trust anchors will be tested
      			periodically to see whether data below them can be
      			validated, and if so, they will be allowed to
      			expire early. The "rndc nta -force" option
      			overrides this behavior.  The default NTA lifetime
      			and the recheck frequency can be configured by the
      			"nta-lifetime" and "nta-recheck" options. [RT #36146]
  36. 19 Feb, 2014 1 commit
    • 3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              clients.
      
                              SIT uses an experimental EDNS option code (65001).
      
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default on Windows.
      
                              RRL processing has been updated to know about SIT, with
                              legitimate clients not being rate limited. [RT #35389]
  37. 16 Feb, 2014 1 commit
    • [master] delve · 1d761cb4
      Evan Hunt authored
      3741.	[func]		"delve" (domain entity lookup and validation engine):
      			A new tool with dig-like semantics for performing DNS
      			lookups, with internal DNSSEC validation, using the
      			same resolver and validator logic as named. This
      			allows easy validation of DNSSEC data in environments
      			with untrustworthy resolvers, and assists with
      			troubleshooting of DNSSEC problems. (Note: not yet
      			available on win32.) [RT #32406]