1. 22 Apr, 2017 1 commit
  2. 05 Jan, 2017 1 commit
  3. 04 Jan, 2017 1 commit
    • [master] EDNS padding and keepalive support · 58043325
      Evan Hunt authored
      4549.	[func]		Added support for the EDNS TCP Keepalive option
      			(RFC 7828). [RT #42126]
      
      4548.	[func]		Added support for the EDNS Padding option (RFC 7830).
      			[RT #42094]
  4. 11 Aug, 2016 1 commit
  5. 22 Jul, 2016 1 commit
  6. 21 Jul, 2016 1 commit
    • [master] store "addzone" zone config in a NZD database · eca74c52
      Evan Hunt authored
      4421.	[func]		When built with LMDB (Lightning Memory-mapped
      			Database), named will now use a database to store
      			the configuration for zones added by "rndc addzone"
      			instead of using a flat NZF file. This improves
      			performance of "rndc delzone" and "rndc modzone"
      			significantly. Existing NZF files will
      			automatically be converted to NZD databases.
      			To view the contents of an NZD or to roll back to
      			NZF format, use "named-nzd2nzf". To disable
                              this feature, use "configure --without-lmdb".
                              [RT #39837]
  7. 13 Jul, 2016 1 commit
    • [master] rndc dnstap -roll · ffa622d7
      Evan Hunt authored
      4411.	[func]		"rndc dnstap -roll" automatically rolls the
      			dnstap output file; the previous version is
      			saved with ".0" suffix, and earlier versions
      			with ".1" and so on. An optional numeric argument
      			indicates how many prior files to save. [RT #42830]
  8. 27 Jun, 2016 1 commit
  9. 23 Jun, 2016 1 commit
  10. 22 Jun, 2016 2 commits
  11. 15 Dec, 2015 1 commit
  12. 11 Nov, 2015 1 commit
  13. 06 Nov, 2015 1 commit
  14. 02 Oct, 2015 1 commit
    • [master] dnstap · b66b333f
      Evan Hunt authored
      4235.	[func]		Added support in named for "dnstap", a fast method of
      			capturing and logging DNS traffic, and a new command
      			"dnstap-read" to read a dnstap log file.  Use
      			"configure --enable-dnstap" to enable this
      			feature (note that this requires libprotobuf-c
      			and libfstrm). See the ARM for configuration details.
      
      			Thanks to Robert Edmonds of Farsight Security.
      			[RT #40211]
  15. 09 Jul, 2015 1 commit
    • [master] DDoS mitigation features · 1479200a
      Evan Hunt authored
      3938.	[func]		Added quotas to be used in recursive resolvers
      			that are under high query load for names in zones
      			whose authoritative servers are nonresponsive or
      			are experiencing a denial of service attack.
      
      			- "fetches-per-server" limits the number of
      			  simultaneous queries that can be sent to any
      			  single authoritative server.  The configured
      			  value is a starting point; it is automatically
      			  adjusted downward if the server is partially or
      			  completely non-responsive. The algorithm used to
      			  adjust the quota can be configured via the
      			  "fetch-quota-params" option.
      			- "fetches-per-zone" limits the number of
      			  simultaneous queries that can be sent for names
      			  within a single domain.  (Note: Unlike
      			  "fetches-per-server", this value is not
      			  self-tuning.)
      			- New stats counters have been added to count
      			  queries spilled due to these quotas.
      
      			See the ARM for details of these options. [RT #37125]
  16. 07 Jul, 2015 1 commit
    • [master] traffic size stats · 70d987de
      Evan Hunt authored
      4156.	[func]		Added statistics counters to track the sizes
      			of incoming queries and outgoing responses in
      			histogram buckets, as specified in RSSAC002.
      			[RT #39049]
  17. 05 Jul, 2015 1 commit
    • 4152. [func] Implement DNS COOKIE option. This replaces the · ce67023a
      Mark Andrews authored
                              experimental SIT option of BIND 9.10.  The following
                              named.conf directives are available: send-cookie,
                              cookie-secret, cookie-algorithm and nocookie-udp-size.
                              The following dig options are available:
                              +[no]cookie[=value] and +[no]badcookie.  [RT #39928]
  18. 25 Jun, 2015 1 commit
  19. 12 Jun, 2015 1 commit
  20. 03 Mar, 2015 1 commit
    • [master] add "lock-file" and fix up singleton code · 7ae96d88
      Evan Hunt authored
      4080.	[func]		Completed change #4022, adding a "lock-file" option
      			to named.conf to override the default lock file,
      			in addition to the "named -X <filename>" command
      			line option.  Setting the lock file to "none"
      			using either method disables the check completely.
      			[RT #37908]
  21. 06 Feb, 2015 1 commit
    • [master] 5011 tests and fixes · 591389c7
      Evan Hunt authored
      4056.	[bug]		Expanded automatic testing of trust anchor
      			management and fixed several small bugs including
      			a memory leak and a possible loss of key state
      			information. [RT #38458]
      
      4055.	[func]		"rndc managed-keys" can be used to check status
      			of trust anchors or to force keys to be refreshed.
      			Also, the managed keys data file has easier-to-read
      			comments.  [RT #38458]
  22. 21 Jan, 2015 2 commits
    • [master] "rndc modzone" · 2817aa56
      Evan Hunt authored
      4043.	[func]		"rndc modzone" can be used to modify the
      			configuration of an existing zone, using similar
      			syntax to "rndc addzone". [RT #37895]
    • [master] add TCP pipelining support · 761d135e
      Evan Hunt authored
      4040.	[func]		Added server-side support for pipelined TCP
      			queries. TCP connections are no longer closed after
      			the first query received from a client. (The new
      			"keep-response-order" option allows clients to be
      			specified for which the old behavior will still be
      			used.) [RT #37821]
  23. 12 Jan, 2015 1 commit
    • Add NTA persistence (#37087) · a6f0e9c9
      Mukund Sivaraman authored
      4034.   [func]          When added, negative trust anchors (NTA) are now
                              saved to files (viewname.nta), in order to
                              persist across restarts of the named server.
                              [RT #37087]
  24. 07 Jan, 2015 2 commits
  25. 14 Nov, 2014 1 commit
    • [master] allow arbitrary-size rndc output · e32d354f
      Evan Hunt authored
      4005.	[func]		The buffer used for returning text from rndc
      			commands is now dynamically resizable, allowing
      			arbitrarily large amounts of text to be sent back
      			to the client. (Prior to this change, it was
      			possible for the output of "rndc tsig-list" to be
      			truncated.) [RT #37731]
  26. 29 Aug, 2014 1 commit
    • [master] ECS authoritative support · d46855ca
      Evan Hunt authored
      3936.	[func]		Added authoritative support for the EDNS Client
      			Subnet (ECS) option.
      
      			ACLs can now include "ecs" elements which specify
      			an address or network prefix; if an ECS option is
      			included in a DNS query, then the address encoded
      			in the option will be matched against "ecs" ACL
      			elements.
      
      			Also, if an ECS address is included in a query,
      			then it will be used instead of the client source
      			address when matching "geoip" ACL elements.  This
      			behavior can be overridden with "geoip-use-ecs no;".
      
      			When "ecs" or "geoip" ACL elements are used to
      			select a view for a query, the response will include
      			an ECS option to indicate which client network the
      			answer is valid for.
      
      			(Thanks to Vincent Bernat.) [RT #36781]
  27. 22 Aug, 2014 1 commit
  28. 18 Aug, 2014 1 commit
  29. 30 May, 2014 1 commit
    • [master] rndc nta · 0cfb2473
      Evan Hunt authored
      3867.	[func]		"rndc nta" can now be used to set a temporary
      			negative trust anchor, which disables DNSSEC
      			validation below a specified name for a specified
      			period of time (not exceeding 24 hours).  This
      			can be used when validation for a domain is known
      			to be failing due to a configuration error on
      			the part of the domain owner rather than a
      			spoofing attack. [RT #29358]
  30. 26 Feb, 2014 1 commit
  31. 23 Feb, 2014 1 commit
  32. 19 Feb, 2014 1 commit
    • 3744. [experimental] SIT: send and process Source Identity Tokens · b5f6271f
      Mark Andrews authored
                              (which are similar to DNS Cookies by Donald Eastlake)
                              and are designed to help clients detect off path
                              spoofed responses and for servers to detect legitimate
                              clients.
      
                              SIT use an experimental EDNS option code (65001).
      
                              SIT can be enabled via --enable-developer or
                              --enable-sit.  It is on by default in Windows.
      
                              RRL processing has been updated to know about SIT with
                              legitimate clients not being rate limited. [RT #35389]
  33. 16 Feb, 2014 1 commit
  34. 07 Feb, 2014 2 commits
  35. 04 Dec, 2013 1 commit
  36. 04 Mar, 2013 1 commit