bc6f4c1c4c1b739fd06d2de05b77b9d08c4d8a5a |
|
02-Aug-2017 |
Tinderbox User <tbox@isc.org> |
update copyright notice / whitespace |
78608b0a454246d0e1e0169f1d671b8427e48199 |
|
31-Jul-2017 |
Francis Dupont <fdupont@isc.org> |
Added Ed25519 support (#44696) |
0c27b3fe77ac1d5094ba3521e8142d9e7973133f |
|
27-Jun-2016 |
Mark Andrews <marka@isc.org> |
4401. [misc] Change LICENSE to MPL 2.0. |
e939674d53a127ddeeaf4b41fd72933f0b493308 |
|
04-Nov-2015 |
Mark Andrews <marka@isc.org> |
4252. [func] Add support for automating the generation of CDS and
CDNSKEY rrsets to named and dnssec-signzone.
[RT #40424] |
c4567d06753c4420af492d07b720125a918fcf23 |
|
08-Aug-2015 |
Tinderbox User <tbox@isc.org> |
update copyright notice / whitespace |
ce9f893e21d2ffc6f6a78bf226c038c396740aeb |
|
07-Aug-2015 |
Evan Hunt <each@isc.org> |
[master] address buffer accounting error
4168. [security] A buffer accounting error could trigger an
assertion failure when parsing certain malformed
DNSSEC keys. (CVE-2015-5722) [RT #40212] |
aa232396eeb4b4f89ec47cbefcb4b41698055ea9 |
|
10-Jun-2014 |
Mukund Sivaraman <muks@isc.org> |
[24702] Include key filename in logged message
Squashed commit of the following:
commit 593e6bc7e29938ff5c2f7508bde303fb069a97a9
Author: Mukund Sivaraman <muks@isc.org>
Date: Tue Jun 10 19:17:40 2014 +0530
Increase size of filename buffers
commit b8685678e026ba98b8833e26664193b6345eb00e
Author: Evan Hunt <each@isc.org>
Date: Wed Jun 4 18:57:44 2014 -0700
[rt24702] some tweaks during review
commit adfbc8f808716c63e9e097d92beef104527e5c6f
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed Jun 4 18:18:35 2014 +0530
[24702] Include key filename in logged message
commit f1eff77e7e3704b145c3d65101a735467dd81dc3
Author: Mukund Sivaraman <muks@isc.org>
Date: Wed Jun 4 18:12:43 2014 +0530
Add dst_key_getfilename() |
e20788e1216ed720aefa84f3295f7899d9f28c22 |
|
16-Jan-2014 |
Mark Andrews <marka@isc.org> |
update copyrights |
ba751492fcc4f161a18b983d4f018a1a52938cb9 |
|
15-Jan-2014 |
Evan Hunt <each@isc.org> |
[master] native PKCS#11 support
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031] |
0c91911b4d1e872b87eaf6431ed47fe24d18dd43 |
|
04-Sep-2013 |
Mark Andrews <marka@isc.org> |
3642. [func] Allow externally generated DNSKEY to be imported
into the DNSKEY management framework. A new tool
dnssec-importkey is used to do this. [RT #34698] |
377b774598f3973c2b231fb88d39acca1ff5ebc4 |
|
16-Aug-2013 |
Tinderbox User <tbox@isc.org> |
update copyright notice |
7ace3277956c49f7554b7130ef761bde3b35db30 |
|
15-Aug-2013 |
Mark Andrews <marka@isc.org> |
3632. [bug] Signatures from newly inactive keys were not being
removed. [RT #32178] |
0e37e9e3d7f6de7d93212bd4596d16ebc809492e |
|
24-Oct-2012 |
Evan Hunt <each@isc.org> |
[master] silence noisy OpenSSL logging
3402. [bug] Correct interface numbers for IPv4 and IPv6 interfaces. |
058e44186b74531402c1f99088eb9dbe4926f8da |
|
02-Oct-2012 |
Mark Andrews <marka@isc.org> |
3387. [func] Support for a DS digest can be disabled at
runtime with disable-ds-digests. [RT #21581] |
7865ea9545f28f12f046b32d24c989e8441b9812 |
|
14-Jun-2012 |
Mark Andrews <marka@isc.org> |
3339. [func] Allow the maximum supported rsa exponent size to be specified: "max-rsa-exponent-size <value>;" [RT #29228] |
99d8f5a70440ee8b63ab1745d713b96dde890546 |
|
03-May-2012 |
Tinderbox User <tbox@isc.org> |
update copyright notice |
aaaf8d4f4873d21e55c3ffb4f656203d08339865 |
|
02-May-2012 |
Mark Andrews <marka@isc.org> |
3317. [func] Add ECDSA support (RFC 6605). [RT #21918] |
1946c596b47b0495ce745fe2fff7da799919b0d2 |
|
20-Oct-2011 |
Mark Andrews <marka@isc.org> |
3174. [bug] Always compute the revoked key tag from scratch.
[RT #24711] |
0994d3a21baeedf28cbf7e461b3bd8de5f9a6654 |
|
21-Mar-2011 |
Evan Hunt <each@isc.org> |
3087. [bug] DDNS updates using SIG(0) with update-policy match
type "external" could cause a crash. [RT #23735] |
61bcc232038f0a2cb77ed6269675fdc288f5ec98 |
|
17-Mar-2011 |
Evan Hunt <each@isc.org> |
3076. [func] New '-L' option in dnssec-keygen, dnssec-settime, and
dnssec-keyfromlabel sets the default TTL of the
key. When possible, automatic signing will use that
TTL when the key is published. [RT #23304] |
135bcc2e42a94543f11af2a4196b13552ab46d89 |
|
12-Jan-2011 |
Automatic Updater <source@isc.org> |
update copyright notice |
433e06a25cdd92d665abda3e64c2c65f4a3f9b21 |
|
10-Jan-2011 |
Mark Andrews <marka@isc.org> |
3006. [func] Allow dynamically generated TSIG keys to be preserved
across restarts of named. Initially this is for
TSIG keys generated using GSSAPI. [RT #22639] |
37dee1ff94960a61243f611c0f87f8c316815c53 |
|
23-Dec-2010 |
Mark Andrews <marka@isc.org> |
2999. [func] Add GOST support (RFC 5933). [RT #20639] |
71bd858d8ed62672e7c23999dc7c02fd16a55089 |
|
18-Dec-2010 |
Evan Hunt <each@isc.org> |
2989. [func] Added support for writable DLZ zones. (Contributed
by Andrew Tridgell of the Samba project.) [RT #22629]
2988. [experimental] Added a "dlopen" DLZ driver, allowing the creation
of external DLZ drivers that can be loaded as
shared objects at runtime rather than linked with
named. Currently this is switched on via a
compile-time option, "configure --with-dlz-dlopen".
Note: the syntax for configuring DLZ zones
is likely to be refined in future releases.
(Contributed by Andrew Tridgell of the Samba
project.) [RT #22629]
2987. [func] Improve ease of configuring TKEY/GSS updates by
adding a "tkey-gssapi-keytab" option. If set,
updates will be allowed with any key matching
a principal in the specified keytab file.
"tkey-gssapi-credential" is no longer required
and is expected to be deprecated. (Contributed
by Andrew Tridgell of the Samba project.)
[RT #22629] |
fd6a9d688c5afb8bd70697208d16621cfcc6b718 |
|
09-Dec-2010 |
Automatic Updater <source@isc.org> |
update copyright notice |
9f9b7f0e8d455b1c88e51ddcefdbf19b472e1ef2 |
|
09-Dec-2010 |
Mark Andrews <marka@isc.org> |
2982. [bug] Reference count dst keys. dst_key_attach() can be used
to increment the reference count.
Note: dns_tsigkey_createfromkey() callers should now
always call dst_key_free() rather than setting it
to NULL on success. [RT #22672] |
c02149960459e4406d9e50fb1867433e7f0e8f0d |
|
26-Oct-2009 |
Evan Hunt <each@isc.org> |
2731. [func] Additional work on change 2709. The key parser
will now ignore unrecognized fields when the
minor version number of the private key format
has been increased. It will reject any key with
the major version number increased. [RT #20310] |
775a8d86d93269a621a7ad15c49b31b533da0671 |
|
24-Oct-2009 |
Francis Dupont <fdupont@isc.org> |
keygen progress indication [RT #20284] |
cc6cddfd94e8f0c58c290317b0853dac30b1b895 |
|
22-Oct-2009 |
Evan Hunt <each@isc.org> |
2726. [func] Added support for SHA-2 DNSSEC algorithms,
RSASHA256 and RSASHA512. [RT #20023] |
77b8f88f144928eddcca144c348d6ef53e7d5c43 |
|
12-Oct-2009 |
Evan Hunt <each@isc.org> |
2712. [func] New 'auto-dnssec' zone option allows zone signing
to be fully automated in zones configured for
dynamic DNS. 'auto-dnssec allow;' permits a zone
to be signed by creating keys for it in the
key-directory and using 'rndc sign <zone>'.
'auto-dnssec maintain;' allows that too, plus it
also keeps the zone's DNSSEC keys up to date
according to their timing metadata. [RT #19943] |
315a1514a58dbb1ca563445313d67c1cf664d248 |
|
09-Oct-2009 |
Evan Hunt <each@isc.org> |
2709. [func] Added some data fields, currently unused, to the
private key file format, to allow implementation
of explicit key rollover in a future release
without impairing backward or forward compatibility.
[RT #20310] |
8b78c993cb475cc94e88560941b28c37684789d9 |
|
05-Oct-2009 |
Francis Dupont <fdupont@isc.org> |
explicit engine rt20230a |
53c22b8e0da67ca756ca309d5f84db9c189cd0a2 |
|
23-Sep-2009 |
Evan Hunt <each@isc.org> |
2685. [bug] Fixed dnssec-signzone -S handling of revoked keys.
Also, added warnings when revoking a ZSK, as this is
not defined by protocol (but is legal). [RT #19943] |
b843f577bbcd6660fbaa506d9e55b156c689a5a8 |
|
14-Sep-2009 |
Evan Hunt <each@isc.org> |
2677. [func] Changes to key metadata behavior:
- Keys without "publish" or "active" dates set will
no longer be used for smart signing. However,
those dates will be set to "now" by default when
a key is created; to generate a key but not use
it yet, use dnssec-keygen -G.
- New "inactive" date (dnssec-keygen/settime -I)
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favor of "deleted" (-D).
[rt20247] |
eab9975bcf5830a73f18ed8f320ae18ea32775ee |
|
02-Sep-2009 |
Evan Hunt <each@isc.org> |
2668. [func] Several improvements to dnssec-* tools, including:
- dnssec-keygen and dnssec-settime can now set key
metadata fields 0 (to unset a value, use "none")
- dnssec-revoke sets the revocation date in
addition to the revoke bit
- dnssec-settime can now print individual metadata
fields instead of always printing all of them,
and can print them in unix epoch time format for
use by scripts
[RT #19942] |
553ead32ff5b00284e574dcabc39115d4d74ec66 |
|
19-Jul-2009 |
Evan Hunt <each@isc.org> |
2636. [func] Simplify zone signing and key maintenance with the
dnssec-* tools. Major changes:
- all dnssec-* tools now take a -K option to
specify a directory in which key files will be
stored
- DNSSEC can now store metadata indicating when
they are scheduled to be published, activated,
revoked or removed; these values can be set by
dnssec-keygen or overwritten by the new
dnssec-settime command
- dnssec-signzone -S (for "smart") option reads key
metadata and uses it to determine automatically
which keys to publish to the zone, use for
signing, revoke, or remove from the zone
[RT #19816] |
cfb1587eb9a6dc6d1d36ea0344e1b20068b81e88 |
|
30-Jun-2009 |
Evan Hunt <each@isc.org> |
2619. [func] Add support for RFC 5011, automatic trust anchor
maintenance. The new "managed-keys" statement can
be used in place of "trusted-keys" for zones which
support this protocol. (Note: this syntax is
expected to change prior to 9.7.0 final.) [RT #19248] |
754cb8a2b33fa6cfaa15d6470f66e5fb0eab4764 |
|
12-Jun-2009 |
Automatic Updater <source@isc.org> |
update copyright notice |
351b62535d4c4f89883bfdba025999dd32490266 |
|
10-Jun-2009 |
Evan Hunt <each@isc.org> |
2609. [func] Simplify the configuration of dynamic zones:
- add ddns-confgen command to generate
configuration text for named.conf
- add zone option "ddns-autoconf yes;", which
causes named to generate a TSIG session key
and allow updates to the zone using that key
- add '-l' (localhost) option to nsupdate, which
causes nsupdate to connect to a locally-running
named process using the session key generated
by named
[RT #19284] |
6098d364b690cb9dabf96e9664c4689c8559bd2e |
|
24-Sep-2008 |
Mark Andrews <marka@isc.org> |
2448. [func] Add NSEC3 support. [RT #15452] |
e672951ed28b2e9cc7a19c3d7fa4a258382f981c |
|
02-Apr-2008 |
Automatic Updater <source@isc.org> |
update copyright notice |
2a31bd531072824ef252c18303859d6af7451b00 |
|
31-Mar-2008 |
Francis Dupont <fdupont@isc.org> |
add EVP and PKCS11 |
70e5a7403f0e0a3bd292b8287c5fed5772c15270 |
|
20-Jun-2007 |
Automatic Updater <source@isc.org> |
update copyright notice |
ec5347e2c775f027573ce5648b910361aa926c01 |
|
19-Jun-2007 |
Automatic Updater <source@isc.org> |
update copyright notice |
29747dfe5e073a299b3681e01f5c55540f8bfed7 |
|
22-Dec-2006 |
Mark Andrews <marka@isc.org> |
2123. [func] Use Doxygen to generate internal documentation.
[RT #11398] |
289ae548d52bc8f982d9823af64cafda7bd92232 |
|
04-Dec-2006 |
Mark Andrews <marka@isc.org> |
2105. [func] GSS-TSIG support (RFC 3645). |
26e2a07a0b6a3b1eccef82ba31270d0c54ad4f06 |
|
28-Jan-2006 |
Mark Andrews <marka@isc.org> |
update copyright notice |
c6d4f781529d2f28693546b25b2967d44ec89e60 |
|
27-Jan-2006 |
Mark Andrews <marka@isc.org> |
1973. [func] TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
HMACSHA512 support. [RT #13606] |
69fe9aaafdd6a141610e86a777d325db75422070 |
|
29-Apr-2005 |
Mark Andrews <marka@isc.org> |
update copyright notice |
ab023a65562e62b85a824509d829b6fad87e00b1 |
|
27-Apr-2005 |
Rob Austein <sra@isc.org> |
1851. [doc] Doxygen comment markup. [RT #11398] |
494576ce20cfd98d74955698cf8f7b37dce2f740 |
|
09-Dec-2004 |
Mark Andrews <marka@isc.org> |
1790. [cleanup] Move lib/dns/sec/dst up into lib/dns. This should
allow parallel make to succeed. |