8d1b3ceb4d491ce32572f1702f37ed585eede993 |
|
02-Mar-2018 |
Evan Hunt <each@isc.org> |
temporarily revert change #4859 |
dc2a85bed7fcfceab0df1867fbc1d35796261ded |
|
05-Jan-2018 |
Tinderbox User <tbox@isc.org> |
update copyright notice / whitespace |
7ff28f5befbee76048a23e504dcd3f9a44ce6209 |
|
04-Jan-2018 |
Evan Hunt <each@isc.org> |
[v9_11] block validator deadlock and prevent use-after-free
4859. [bug] A loop was possible when attempting to validate
unsigned CNAME responses from secure zones;
this caused a delay in returning SERVFAIL and
also increased the chances of encountering
CVE-2017-3145. [RT #46839]
4858. [security] Addresses could be referenced after being freed
in resolver.c, causing an assertion failure.
(CVE-2017-3145) [RT #46839] |
1ca2cf024391992fe14b2df7d3ae0f575d074452 |
|
24-Apr-2017 |
Evan Hunt <each@isc.org> |
[v9_11] update copyrights that had been missed recently |
9540b42695c15fdd5f01b4c663e21936e6c38c82 |
|
21-Apr-2017 |
Mukund Sivaraman <muks@isc.org> |
Ignore SHA-1 DS digest type when SHA-384 DS digest type is present (#45017)
(cherry picked from commit 5d01eab088e5ec135f74a796b3b15e5feb77ba84) |
0c27b3fe77ac1d5094ba3521e8142d9e7973133f |
|
27-Jun-2016 |
Mark Andrews <marka@isc.org> |
4401. [misc] Change LICENSE to MPL 2.0. |
a85c6b35affa7179434c41b277109dca2cbe01ec |
|
17-Jun-2015 |
Mark Andrews <marka@isc.org> |
4138. [bug] A uninitialized value in validator.c could result
in a assertion failure. (CVE-2015-4620) [RT #39795] |
c110d61b173a68420d19858abb80285be0dc1120 |
|
21-Jan-2015 |
Tinderbox User <tbox@isc.org> |
update copyright notice / whitespace |
59c489552dedeee2444e88b7c6b2849e3cb591e6 |
|
20-Jan-2015 |
Evan Hunt <each@isc.org> |
[master] remove a potentially misleading log message |
2fa1fc53324c0fca978c902e883c7cc011210536 |
|
04-Sep-2014 |
Mark Andrews <marka@isc.org> |
3945. [bug] Invalid wildcard expansions could be incorrectly
accepted by the validator. [RT #37093] |
fec7998314cbdaf1dc89513ffff5b45fc8ed73fd |
|
04-Sep-2014 |
Mark Andrews <marka@isc.org> |
3942. [bug] Wildcard responses from a optout range should be
marked as insecure. [RT #37072] |
5d63868ad0d3865118ad294081cfa03df51d1de8 |
|
02-Jul-2014 |
Mark Andrews <marka@isc.org> |
DNS_VALIDATOR_NONTA needs passed to sub validator |
b8a9632333a92d73a503afe1aaa7990016c8bee9 |
|
19-Jun-2014 |
Evan Hunt <each@isc.org> |
[master] complete NTA work
3882. [func] By default, negative trust anchors will be tested
periodically to see whether data below them can be
validated, and if so, they will be allowed to
expire early. The "rndc nta -force" option
overrides this behvaior. The default NTA lifetime
and the recheck frequency can be configured by the
"nta-lifetime" and "nta-recheck" options. [RT #36146] |
0cfb24736841b3e98bb25853229a0efabab88bdd |
|
30-May-2014 |
Evan Hunt <each@isc.org> |
[master] rndc nta
3867. [func] "rndc nta" can now be used to set a temporary
negative trust anchor, which disables DNSSEC
validation below a specified name for a specified
period of time (not exceeding 24 hours). This
can be used when validation for a domain is known
to be failing due to a configuration error on
the part of the domain owner rather than a
spoofing attack. [RT #29358] |
36e5ac00333d89001f0c518a7d381d16c38d0402 |
|
24-Apr-2014 |
Mark Andrews <marka@isc.org> |
3819. [bug] NSEC3 hashes need to be able to be entered and
displayed without padding. This is not a issue for
currently defined algorithms but may be for future
hash algorithms. [RT #27925] |
72141595cf9d7faefcf7cf4fbab044c61a902b0f |
|
17-Feb-2014 |
Tinderbox User <tbox@isc.org> |
update copyright notice |
1d761cb453c76353deb8423c78e98d00c5f86ffa |
|
16-Feb-2014 |
Evan Hunt <each@isc.org> |
[master] delve
3741. [func] "delve" (domain entity lookup and validation engine):
A new tool with dig-like semantics for performing DNS
lookups, with internal DNSSEC validation, using the
same resolver and validator logic as named. This
allows easy validation of DNSSEC data in environments
with untrustworthy resolvers, and assists with
troubleshooting of DNSSEC problems. (Note: not yet
available on win32.) [RT #32406] |
ff8ab6befe10bfa68d98969a569b773eac602d1f |
|
04-Jun-2013 |
Mark Andrews <marka@isc.org> |
redo: 3576. [bug] Address a shutdown race when validating. [RT #33573] |
c611465739500968dd757ccb5a8abc13b4fcf56b |
|
30-May-2013 |
Mark Andrews <marka@isc.org> |
address memory in dns_view_getsecroots failure |
2cd3c8856c97b770cc4843bfad63922e23a6f661 |
|
29-May-2013 |
Mark Andrews <marka@isc.org> |
3576. [bug] Address a shutdown race when validating. [RT #33573] |
8013077aa7ed5d6e1daddc973ddb3c7cc7d28df1 |
|
03-Apr-2013 |
Mark Andrews <marka@isc.org> |
3541. [bug] The parts if libdns was not being properly initialized
in when built in libexport mode. [RT #33028] |
5c6b95ba1b2e35f8dd6b0a7f25aacba91fff3aa2 |
|
11-Jan-2013 |
Tinderbox User <tbox@isc.org> |
update copyright notice |
48019314431389cca5f8eba7ee9aa5bc08a67f4e |
|
10-Jan-2013 |
Mark Andrews <marka@isc.org> |
3461. [bug] Negative responses could incorrectly have AD=1
set. [RT #32237] |
b16174507d1429ae4dbf7b4939f9e45ca7b76d74 |
|
19-Dec-2012 |
Tinderbox User <tbox@isc.org> |
update copyright notice |
8462dfb880040cde3a60f047ec18808737fd7e85 |
|
18-Dec-2012 |
Mark Andrews <marka@isc.org> |
3443. [bug] The NOQNAME proof was not being returned from cached
insecure responses. [RT #21409] |
39bfdc2ff9da3c2ecdbc70d46cabfd56d66f24f6 |
|
15-Nov-2012 |
Mark Andrews <marka@isc.org> |
3419. [bug] Memory leak on validation cancel. [RT #31869]
Squashed commit of the following:
commit 452b07ec7cb31784d90d9c2e45ca708df306302e
Author: Mark Andrews <marka@isc.org>
Date: Wed Nov 14 23:36:36 2012 +1100
destroy fetch when canceling validator |
d8fc410cf830606a82c7ca169714d2f489b19d77 |
|
13-Nov-2012 |
Mark Andrews <marka@isc.org> |
Redo
3415. [bug] named could die with a REQUIRE failure if a valdation
was canceled. [RT #31804] |
1a09fefa59a9f00ed380494ae4722a0666f1ccaa |
|
08-Nov-2012 |
Mark Andrews <marka@isc.org> |
3415. [bug] named could die with a REQUIRE failure id a valdation
was canceled. [RT #31804]
Squashed commit of the following:
commit d414d3cb4244daeca4159ac1f8a82322e4a20e5a
Author: Mark Andrews <marka@isc.org>
Date: Wed Nov 7 14:19:28 2012 +1100
check that val->fetch != NULL before calling dns_resolver_destroyfetch |
47c5b8af920a93763c97d9a93ea1fd766961a5b3 |
|
24-Oct-2012 |
Evan Hunt <each@isc.org> |
[master] silence coverity warnings
3401. [bug] Addressed Coverity warnings. [RT #31484] |
dbf693fdfd2bb495cf6d176ecebd173331c3d94a |
|
06-Oct-2012 |
Mark Andrews <marka@isc.org> |
3391. [bug] DNSKEY that encountered a CNAME failed. [RT #31262] |
41bbb34bc20f189af62e7047ce42822615417f15 |
|
03-Oct-2012 |
Evan Hunt <each@isc.org> |
fix coverity issues
3388. [bug] Fixed several Coverity warnings. [RT #30996] |
058e44186b74531402c1f99088eb9dbe4926f8da |
|
02-Oct-2012 |
Mark Andrews <marka@isc.org> |
3387. [func] Support for a DS digest can be disabled at
runtime with disable-ds-digests. [RT #21581] |
e7857b5ee05414961bb11f9e57f654163fae6acb |
|
26-Jul-2012 |
ckb <ckb@isc.org> |
3356. [bug] Cap the TTL of signed RRsets when RRSIGs are
approaching their expiry, so they don't remain
in caches after expiry. [RT #26429] |
7865ea9545f28f12f046b32d24c989e8441b9812 |
|
14-Jun-2012 |
Mark Andrews <marka@isc.org> |
3339. [func] Allow the maximum supported rsa exponent size to be specified: "max-rsa-exponent-size <value>;" [RT #29228] |
28a8f5b0de57d269cf2845c69cb6abe18cbd3b3a |
|
07-Mar-2012 |
Mark Andrews <marka@isc.org> |
set $Id$ |
5fec28507abad910acf4afa3efa1e634acab6d9e |
|
15-Feb-2012 |
Automatic Updater <source@isc.org> |
update copyright notice |
6d386978b3a1f20a613ae10565c855aee084e2a0 |
|
15-Feb-2012 |
Mark Andrews <marka@isc.org> |
3285. [bug] val-frdataset was incorrectly disassociated in
proveunsecure after calling startfinddlvsep.
[RT #27928] |
25845da41a621f35e76dc8560ca40de6859e0a11 |
|
04-Nov-2011 |
Evan Hunt <each@isc.org> |
3203. [bug] Increase log level to 'info' for validation failures
from expired or not-yet-valid RRSIGs. [RT #21796] |
dfc015bc7e99019373878f8eb4527f5ebd0e0969 |
|
21-Oct-2011 |
Automatic Updater <source@isc.org> |
update copyright notice |
ada40193c85276867c6904545601c7c01e3236c3 |
|
20-Oct-2011 |
Mark Andrews <marka@isc.org> |
3175. [bug] Fix how DNSSEC positive wildcard responses from a
NSEC3 signed zone are validated. Stop sending a
unnecessary NSEC3 record when generating such
responses. [RT #26200] |
020c4484fe510434c1b3aaac040ab6cfb3340115 |
|
15-Oct-2011 |
Mark Andrews <marka@isc.org> |
3173. [port] Correctly validate root DS responses. [RT #25726] |
6de9744cf9c64be2145f663e4051196a4eaa9d45 |
|
09-Jun-2011 |
Evan Hunt <each@isc.org> |
3124. [bug] Use an rdataset attribute flag to indicate
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets. [RT #24777]
3123. [security] Change #2912 exposed a latent flaw in
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777] |
ea8278253210df030a24f0c89342b43fe279a127 |
|
26-May-2011 |
Mark Andrews <marka@isc.org> |
3120. [bug] Named could fail to validate zones list in a DLV
that validated insecure without using DLV and had
DS records in the parent zone. [RT #24631] |
0874abad14e3e9ecfc3dc1a1a2b9969f2f027724 |
|
11-Mar-2011 |
Mark Andrews <marka@isc.org> |
3069. [cleanup] Silence warnings messages from clang static analysis.
[RT #20256] |
c8175ece69d986ccd0671bc4d2571b247dfae177 |
|
02-Mar-2011 |
Automatic Updater <source@isc.org> |
update copyright notice |
d31740ce282bcf0a27e17dec49a3ff9ddd26e814 |
|
01-Mar-2011 |
Scott Mann <smann@isc.org> |
Fixed DNSKEY NODATA responses not cached (RT #22908). |
664917bedafa65dee4349c84324a31731aa1e228 |
|
28-Feb-2011 |
Francis Dupont <fdupont@isc.org> |
Use RRSIG original TTL in validated RRset TTL [RT #23332] |
4b45a8fc5a47dcff7473003ceeac6f6bb3e21e79 |
|
22-Feb-2011 |
Mark Andrews <marka@isc.org> |
handle cname response |
37dee1ff94960a61243f611c0f87f8c316815c53 |
|
23-Dec-2010 |
Mark Andrews <marka@isc.org> |
2999. [func] Add GOST support (RFC 5933). [RT #20639] |
a27b3757fdd8976ce05e37f391ad9e7ac4638e5d |
|
16-Nov-2010 |
Mark Andrews <marka@isc.org> |
2968. [security] Named could fail to prove a data set was insecure
before marking it as insecure. One set of conditions
that can trigger this occurs naturally when rolling
DNSKEY algorithms. [RT #22309] |
810656a187f2c358323bbf679f792f19a46a7973 |
|
26-Jun-2010 |
Mark Andrews <marka@isc.org> |
2925. [bug] Named failed to accept uncachable negative responses
from insecure zones. [RT# 21555] |
e27d55e3ee06b6edcf625b8920a5c809da7f0b98 |
|
26-May-2010 |
Mark Andrews <marka@isc.org> |
2904. [bug] When using DLV, sub-zones of the zones in the DLV,
could be incorrectly marked as insecure instead of
secure leading to negative proofs failing. This was
a unintended outcome from change 2890. [RT# 21392] |
515c7f3c43f76d7b439905b18009105364b36100 |
|
15-May-2010 |
Automatic Updater <source@isc.org> |
update copyright notice |
44f175a90a855326725439b2f1178f0dcca8f67d |
|
14-May-2010 |
Mark Andrews <marka@isc.org> |
2892. [bug] Handle REVOKED keys better. [RT #20961] |
b335299322e50f045f10e4636262cd2f8d407a8b |
|
14-May-2010 |
Mark Andrews <marka@isc.org> |
2890. [bug] Handle the introduction of new trusted-keys and
DS, DLV RRsets better. [RT #21097] |
fd95cc0da9563aa85ac67462433b6a2b6ac0db9f |
|
21-Apr-2010 |
Mark Andrews <marka@isc.org> |
2877. [bug] The validator failed to skip obviously mismatching
RRSIGs. [RT #21138] |
bb6d33103e672d21429ae1837ce10d91f2419800 |
|
21-Apr-2010 |
Mark Andrews <marka@isc.org> |
2876. [bug] Named could return SERVFAIL for negative responses
from unsigned zones. [RT #21131] |
b8d036c434d68e358c95bcb7268b5c310ed0579c |
|
26-Mar-2010 |
Mark Andrews <marka@isc.org> |
2869. [bug] Fix arguments to dns_keytable_findnextkeynode() call.
[RT #20877] |
4d42b714be10e6f163d23507e4e3a396a8ac0364 |
|
05-Mar-2010 |
Automatic Updater <source@isc.org> |
update copyright notice |
22c4126ba51175af1453cd2254c303c6f65a766c |
|
04-Mar-2010 |
Mark Andrews <marka@isc.org> |
2958. [bug] When canceling validation it was possible to leak
memory. [RT #20800] |
bd2b08d5a30e61117c1218fc7dd81d700d9d30f9 |
|
25-Feb-2010 |
Automatic Updater <source@isc.org> |
update copyright notice |
0cae66577c69c89086cd065bb297690072b471b4 |
|
25-Feb-2010 |
Mark Andrews <marka@isc.org> |
2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] |
9ead684875ab0ab5fdb8b5dd837a88f7dbd0e01d |
|
30-Dec-2009 |
Evan Hunt <each@isc.org> |
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712] |
a39a5f4d816ca7d3f43106712ca668dd1ab31d69 |
|
18-Nov-2009 |
Mark Andrews <marka@isc.org> |
2772. [security] When validating, track whether pending data was from
the additional section or not and only return it if
validates as secure. [RT #20438] |
7048af0a551f13d2916a06cce21357714939a89b |
|
16-Nov-2009 |
Evan Hunt <each@isc.org> |
2769. [cleanup] Change #2742 was incomplete. [RT #19589] |
be69d484434e10d920c4d8a8bb735356eb0c2cc8 |
|
28-Oct-2009 |
Evan Hunt <each@isc.org> |
2742. [cleanup] Clarify some DNSSEC-related log messages in
validator.c. [RT #19589] |
95f2377b4f180a564d35343c8d150e8f03c98a52 |
|
27-Oct-2009 |
Evan Hunt <each@isc.org> |
2739. [cleanup] Clean up API for initializing and clearing trust
anchors for a view. [RT #20211] |
cfb1587eb9a6dc6d1d36ea0344e1b20068b81e88 |
|
30-Jun-2009 |
Evan Hunt <each@isc.org> |
2619. [func] Add support for RFC 5011, automatic trust anchor
maintenance. The new "managed-keys" statement can
be used in place of "trusted-keys" for zones which
support this protocol. (Note: this syntax is
expected to change prior to 9.7.0 final.) [RT #19248] |
afbe695de3f85c3d5cfae1a555aeadf44b43a77e |
|
10-Jun-2009 |
Mark Andrews <marka@isc.org> |
"got insecure response; parent indicates it should be secure" wrongly emitted [RT #19800] |
54cdd2b3070640311cd9ddeb6ca3514b3116e62b |
|
08-May-2009 |
Automatic Updater <source@isc.org> |
update copyright notice |
ff380b05fec3746934c74b78bb44f641d2acb359 |
|
07-May-2009 |
Francis Dupont <fdupont@isc.org> |
comment fixes (rt19624) |
e7eede965dbc67842cb32591a8c2ace2620e5359 |
|
07-May-2009 |
Mark Andrews <marka@isc.org> |
2597. [bug] Handle a validation failure with a insecure delegation
from a NSEC3 signed master/slave zone. [RT #19464] |
6b9728dde7c7ca15b19ea65ae35d9425c0d340ca |
|
23-Mar-2009 |
Evan Hunt <each@isc.org> |
ARM and log message changes to clarify "insecure response". [rt19400] |
8e3d340655954c2331abc46c444986d5c93d98be |
|
18-Mar-2009 |
Automatic Updater <source@isc.org> |
update copyright notice |
72dbc7216aae3626a66e6154443be219f5edcaf0 |
|
17-Mar-2009 |
Mark Andrews <marka@isc.org> |
2579. [bug] DNSSEC lookaside validation failed to handle unknown
algorithms. [RT #19479] |
bfe0517fdcbe1dc62fee18e460ecf467dd491d9b |
|
01-Mar-2009 |
Evan Hunt <each@isc.org> |
Clarify logged message when an insecure DNSSEC response arrives from a zone
thought to be secure: "insecurity proof failed" instead of "not insecure".
[RT #19400] |
7d211b458fed36326b9e125b9d74089f9dccc140 |
|
16-Feb-2009 |
Mark Andrews <marka@isc.org> |
2554. [bug] Validation of uppercase queries from NSEC3 zones could
fail. [RT #19297] |
d2ef5b3c5c8e08694f8f755cf2f14f8ec2f248a6 |
|
16-Feb-2009 |
Mark Andrews <marka@isc.org> |
2553. [bug] Reference leak on DNSSEC validation errors. [RT #19291] |
708383382ff1d3fdd27527e5d63120a3c6c6d3b3 |
|
17-Jan-2009 |
Francis Dupont <fdupont@isc.org> |
spelling |
5569e7de51513952d89f29de08049ed6bb054d6e |
|
06-Jan-2009 |
Automatic Updater <source@isc.org> |
update copyright notice |
3fb1637c9265cc593973326ae193783413f68699 |
|
06-Jan-2009 |
Tatuya JINMEI 神明達哉 <ji <jinmei@isc.org> |
trivial comment cleanups (RT#19118) |
49960a74b5d82d000c281af09d7c668bdd1671a1 |
|
15-Nov-2008 |
Automatic Updater <source@isc.org> |
update copyright notice |
50df1ec60af410fca6b7a85d5c85e8f31bb13bc3 |
|
14-Nov-2008 |
Mark Andrews <marka@isc.org> |
2495. [bug] Tighten RRSIG checks. [RT #18795] |
6098d364b690cb9dabf96e9664c4689c8559bd2e |
|
24-Sep-2008 |
Mark Andrews <marka@isc.org> |
2448. [func] Add NSEC3 support. [RT #15452] |
1bfe8851c0a2eb1d7e15556bfa21291cd62ee2bc |
|
21-Aug-2008 |
Mark Andrews <marka@isc.org> |
2421. [bug] Handle the special return value of a empty node as
if it was a NXRRSET in the validator. [RT #18447] |
e4d304b70b81ca9956c2eff7c24aacf4dd00266e |
|
19-Feb-2008 |
Evan Hunt <each@isc.org> |
Fix build error: parameter type was changed in the prototype but not in
the function header. |
664e11f0b14c78cef7cf6b8c70323a1da494e351 |
|
19-Feb-2008 |
Mark Andrews <marka@isc.org> |
2238. [bug] check_ds() could be called with a non DS rdataset.
[RT #17598] |
2f012d936b5ccdf6520c96a4de23721dc58a2221 |
|
19-Jan-2008 |
Automatic Updater <source@isc.org> |
update copyright notice |
9d5ed744c46ef241b9d3ba134bf3155e0b62ac9e |
|
15-Jan-2008 |
Automatic Updater <source@isc.org> |
update copyright notice |
f1263d2aa405087e74caf001cd443079f50ee903 |
|
15-Jan-2008 |
Mark Andrews <marka@isc.org> |
2304. [bug] Check returns from all dns_rdata_tostruct() calls.
[RT #17460] |
8bedd9647f4d6894e12a8c94d3ccc624dddcee50 |
|
19-Sep-2007 |
Mark Andrews <marka@isc.org> |
2245. [bug] Validating lack of DS records at trust anchors wasn't
working. [RT #17151] |
e2c3f8059e77a8e11c4378d22e5d8e78b423a28f |
|
14-Sep-2007 |
Mark Andrews <marka@isc.org> |
2238. [bug] It was possible to trigger a REQUIRE when a
validation was cancelled. [RT #17106] |
3eab85ca54b681504d772b1d6bb3ccf4f08d4305 |
|
27-Aug-2007 |
Mark Andrews <marka@isc.org> |
2218. [bug] Remove unnecessary REQUIRE from dns_validator_create().
[RT #16976] |
ec5347e2c775f027573ce5648b910361aa926c01 |
|
19-Jun-2007 |
Automatic Updater <source@isc.org> |
update copyright notice |
a05f23d07e1b60a1d88119678111a47014480611 |
|
27-Apr-2007 |
Mark Andrews <marka@isc.org> |
2171. [bug] Handle breaks in DNSSEC trust chains where the parent
servers are not DS aware (DS queries to the parent
return a referral to the child). |
394f4aec2189750d7f861d00f97fe28ffcd9f659 |
|
26-Feb-2007 |
Mark Andrews <marka@isc.org> |
2145. [bug] Check DS/DLV digest lengths for known digests.
[RT #16622] |
f36c85c3cee0b7022d6a99077fab2e5afc4e357d |
|
08-Jan-2007 |
Mark Andrews <marka@isc.org> |
update copyright notice |
305227476756aecb11cebbc811dba88a2d147b34 |
|
08-Jan-2007 |
Mark Andrews <marka@isc.org> |
2126. [bug] Serialise validation of type ANY responses. [RT #16555] |
29747dfe5e073a299b3681e01f5c55540f8bfed7 |
|
22-Dec-2006 |
Mark Andrews <marka@isc.org> |
2123. [func] Use Doxygen to generate internal documention.
[RT #11398] |
1ea2595e1b33cc63ea73ee1d54b580b717d7d155 |
|
07-Dec-2006 |
Mark Andrews <marka@isc.org> |
2117. [bug] DNSSEC fixes: named could fail to cache NSEC records
which could lead to validation failures. named didn't
handle negative DS responses that were in the process
of being validated. Check CNAME bit before accepting
NODATA proof. To be able to ignore a child NSEC there
must be SOA (and NS) set in the bitmap. [RT #16399] |
cc7d91bd5c6b9be5a3c67a99112b885602c24873 |
|
25-Jul-2006 |
Mark Andrews <marka@isc.org> |
2061. [bug] Accept expired wildcard message reversed. [RT #16296] |
d2ef84e07b67e72a4bd9c729c6b8228067d17584 |
|
10-Mar-2006 |
Mark Andrews <marka@isc.org> |
2008. [func] It is now posssible to enable/disable DNSSEC
validation from rndc. This is useful for the
mobile hosts where the current connection point
breaks DNSSEC (firewall/proxy). [RT #15592]
rndc validation newstate [view] |
95b484c9580d06eb2f9735a22e9841389c2859ba |
|
26-Feb-2006 |
Mark Andrews <marka@isc.org> |
fix minor typos |
fcbc5d2353971f65726a9e86c1f37c813f9c2176 |
|
22-Feb-2006 |
Mark Andrews <marka@isc.org> |
post merge problem |
c5387e694299c41361660e54f23e89c7da3ede1d |
|
22-Feb-2006 |
Mark Andrews <marka@isc.org> |
1987. [func] DS/DLV SHA256 digest algorithm support. [RT #15608] |
acb4f5236966c2b680b949c1eda826948b24fc23 |
|
05-Jan-2006 |
Mark Andrews <marka@isc.org> |
update copyright notice |
fabf2ee6b01ee06a0de940b83d53cf57f9f79265 |
|
04-Jan-2006 |
Mark Andrews <marka@isc.org> |
1947. [func] It is now possible to configure named to accept
expired RRSIGs. Default "dnssec-accept-expired no;".
Setting "dnssec-accept-expired yes;" leaves named
vulnerable to replay attacks. [RT #14685] |
cf224bbf7bab87bc28b12f5b30f5ca3f3e5bf604 |
|
05-Dec-2005 |
Mark Andrews <marka@isc.org> |
1942. [bug] If the name of a DNSKEY match that of one in
trusted-keys do not attempt to validate the DNSKEY
using the parents DS RRset. [RT #15649] |
470c726bc894b1c528cb84e7e1f7e44770ffc485 |
|
30-Nov-2005 |
Mark Andrews <marka@isc.org> |
silence dereferencing type-punned pointer will break strict-aliasing rules warning |
2674e1a455d4f71de09b2b60e7a8304b9a305588 |
|
30-Nov-2005 |
Mark Andrews <marka@isc.org> |
1940. [bug] Fixed a number of error conditions reported by
Coverity. |
60ab03125c137c48a6b2ed6df1d2c8657757e09d |
|
03-Nov-2005 |
Mark Andrews <marka@isc.org> |
1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out.
[RT #15528]
1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528] |
7d116211ec7b063891130f191e3ed437b45dba70 |
|
02-Nov-2005 |
Mark Andrews <marka@isc.org> |
1936. [bug] The validator could leak memory. [RT #5544] |
216030f2849b0812910fbc1817ca17208a112663 |
|
14-Oct-2005 |
Mark Andrews <marka@isc.org> |
1930. [port] HPUX: ia64 support. [RT #15473]
1929. [port] FreeBSD: extend use of PTHREAD_SCOPE_SYSTEM. |
676619a22fbc760875adb00b58aaef6a22ced18a |
|
05-Sep-2005 |
Mark Andrews <marka@isc.org> |
win32 fixes |
5be3685b0e57677c0cc03113099cb8f99f9a070b |
|
25-Aug-2005 |
Mark Andrews <marka@isc.org> |
1919. [bug] dig's +sigchase code overhauled. [RT #14933]
1918. [bug] The DLV code has been re-worked to make no longer
query order sensitive. [RT #14933] |
116e6b4257e3efceca3e82af1e695579129af93d |
|
07-Jun-2005 |
Mark Andrews <marka@isc.org> |
1867. [bug] It was possible to trigger a INSIST in
dlv_validatezonekey(). [RT #14846] |
9840a0767d02f6c6b9d1f73d54e0cab2e8192a93 |
|
06-May-2005 |
Mark Andrews <marka@isc.org> |
1853. [bug] Rework how DLV interacts with proveunsecure().
[RT #13605] |
ab023a65562e62b85a824509d829b6fad87e00b1 |
|
27-Apr-2005 |
Rob Austein <sra@isc.org> |
1851. [doc] Doxygen comment markup. [RT #11398] |
c941e32d221fbb0cb760e3bc24c7f221c0cf8b97 |
|
04-Mar-2005 |
Mark Andrews <marka@isc.org> |
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
used to introduce a secure zone. [RT #13593] |
2d7fc01cb302bfb7ff10aa2fbee529389e0211f2 |
|
09-Feb-2005 |
Mark Andrews <marka@isc.org> |
update copyright notice |
0ad024cc4272894e877e3a7896f80a2892bc703c |
|
09-Feb-2005 |
Mark Andrews <marka@isc.org> |
1806. [bug] The resolver returned the wrong result when a CNAME /
DNAME was encountered when fetching glue from a
secure namespace. [RT #13501]
1805. [bug] Pending status was not being cleared when DLV was
active. [RT #13501] |
4e259c5a2321e994708fb1fe04cd4da30aa3b612 |
|
18-Nov-2004 |
Mark Andrews <marka@isc.org> |
1768. [bug] nsecnoexistnodata() could be called with a non-NSEC
rdataset. [RT #12907] |
cc3aafe737334d444781f8a34ffaf459e075bb9a |
|
11-Jun-2004 |
Mark Andrews <marka@isc.org> |
1659. [cleanup] Cleanup some messages that were referring to KEY vs
DNSKEY, NXT vs NSEC and SIG vs RRSIG.
1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
and DH. Tighten which options apply to KEY and
DNSKEY records. |
6fac7ff1f9ec9c3873d3b55c5079fa79aba1f146 |
|
14-May-2004 |
Mark Andrews <marka@isc.org> |
1606. [bug] DVL insecurity proof was failing.
1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. |
8d414d155953f89a4eff40f16878438a8c9228f3 |
|
16-Apr-2004 |
Mark Andrews <marka@isc.org> |
1600. [bug] Duplicate zone pre-load checks were not case
insensitive.
1599. [bug] Fix memory leak on error path when checking named.conf.
1598. [func] Specify that certain parts of the namespace must
be secure (dnssec-must-be-secure). |
42b48d11ca7b296324d7a8a98cdbf0070b0deb1d |
|
15-Apr-2004 |
Mark Andrews <marka@isc.org> |
hide ((isc_event_t **) (void *)) cast using a macro, ISC_EVENT_PTR. |
50105afc551903541608b11851d73278b23579a3 |
|
10-Mar-2004 |
Mark Andrews <marka@isc.org> |
1589. [func] DNSSEC lookaside validation.
enable-dnssec -> dnssec-enable |
dafcb997e390efa4423883dafd100c975c4095d6 |
|
05-Mar-2004 |
Mark Andrews <marka@isc.org> |
update copyright notice |
daa73eae708d568d453e6082e0890d35886a9e0f |
|
03-Feb-2004 |
Mark Andrews <marka@isc.org> |
silence punned messages |
519b239fc4ef1e070e2da182a4ea559ae0152151 |
|
20-Jan-2004 |
Mark Andrews <marka@isc.org> |
#include <isc/string.h> |
35541328a8c18ba1f984300dfe30ec8713c90031 |
|
14-Jan-2004 |
Mark Andrews <marka@isc.org> |
1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
child zones for which we don't have a supported
algorithm. Such child zones are treated as unsigned.
1557. [func] Implement missing DNSSEC tests for
* NOQNAME proof with wildcard answers.
* NOWILDARD proof with NXDOMAIN.
Cache and return NOQNAME with wildcard answers. |
e407562a75eb93073bb72089cced150d7ffe4d4f |
|
25-Oct-2003 |
Tatuya JINMEI 神明達哉 <ji <jinmei@isc.org> |
1528. [cleanup] Simplify some dns_name_ functions based on the
deprecation of bitstring labels. |
93d6dfaf66258337985427c86181f01fc51f0bb4 |
|
30-Sep-2003 |
Mark Andrews <marka@isc.org> |
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. |
8b5de9701428e2b5eb50aba96af23dc1186124dd |
|
27-Feb-2003 |
Mark Andrews <marka@isc.org> |
1448. [bug] Handle empty wildcards labels.
developer: marka
reviewer: explorer |
421e4cf66e4cba0b0751a34a9c027e39fe0474f9 |
|
18-Jan-2003 |
Mark Andrews <marka@isc.org> |
1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
[RT #4715]
developer: marka
reviewer: explorer |
638fe804a524ee0c028863c0301b999c79de7651 |
|
22-Jul-2002 |
Mark Andrews <marka@isc.org> |
1255. [bug] When performing a nonexistence proof, the validator
should discard parent NXTs from higher in the DNS. |
ff30cdeb783ca7ffe69b222c56197828e882c229 |
|
19-Jul-2002 |
Mark Andrews <marka@isc.org> |
The validator didn't handle missing DS records correctly. |
86f6b92e35c7bdb5fc1fd1021af75b981863313e |
|
15-Jul-2002 |
Mark Andrews <marka@isc.org> |
1248. [bug] The validator could incorrectly verify an invalid
negative proof.
When checking the range of the nxt record, the code needs to handle
the case where the 'next name' field points to the origin. The way
that the origin was determined was looking at the 'signer' field
of the first SIG NXT, since NXTs are signed by the zone key. This
doesn't work, because the first SIG could have been spoofed. It
now defers checking the nxt range until both the SOA and NXT have
been verified, and uses the owner of the SOA name as the origin.
bwelling |
25276bd1ecb372b82c9235648e5defab0655dcd5 |
|
15-Jul-2002 |
Mark Andrews <marka@isc.org> |
1247. [bug] The validator would incorrectly mark data as insecure
when seeing a bogus signature before a correct
signature. |
b0d31c78bc24080d4c470a8bd98862375f6e3055 |
|
19-Jun-2002 |
Mark Andrews <marka@isc.org> |
uninitalised variable |
0b09763c354ec91fb352b6b4cea383bd0195b2d8 |
|
17-Jun-2002 |
Mark Andrews <marka@isc.org> |
1328. [func] DS (delegation signer) support. |
c99d9017ba00099bfa89e1ed53e63a5cb07d28d5 |
|
30-Apr-2002 |
Mark Andrews <marka@isc.org> |
1275. [bug] When verifying that an NXT proves nonexistence, check
the rcode of the message and only do the matching NXT
check. That is, for NXDOMAIN responses, check that
the name is in the range between the NXT owner and
next name, and for NOERROR NODATA responses, check
that the type is not present in the NXT bitmap. |
a7038d1a0513c8e804937ebc95fc9cb3a46c04f5 |
|
20-Feb-2002 |
Mark Andrews <marka@isc.org> |
copyrights |
60e9e7065418e658c069ce91cc6f27c4a55bb4a5 |
|
05-Feb-2002 |
Brian Wellington <source@isc.org> |
1024 -> DNS_NAME_FORMATSIZE |
47db0efda121f416ae5a61dc2f7f2b92a0e18380 |
|
05-Feb-2002 |
Brian Wellington <source@isc.org> |
spacing |
8839b6acbf816fedc15b8e9e1c71fd606a9cd8ea |
|
05-Feb-2002 |
Brian Wellington <source@isc.org> |
clean up the shutdown "logic". |
32dd66cc5e24d32626af25202996a3f3b8071e20 |
|
05-Feb-2002 |
Brian Wellington <source@isc.org> |
spacing |
18b7133679efa8f60fd4e396c628576f3f416b3e |
|
01-Feb-2002 |
Brian Wellington <source@isc.org> |
more minor cleanups |
23e4260821eefa5019808e18e14e2b366461aad7 |
|
01-Feb-2002 |
Brian Wellington <source@isc.org> |
minor cleanup |
1f1d36a87b65186d9f89aac7f456ab1fd2a39ef6 |
|
30-Nov-2001 |
Andreas Gustafsson <source@isc.org> |
Check return values or cast them to (void), as required by the coding
standards; add exceptions to the coding standards for cases where this is
not desirable |
f3ca27e9fe307b55e35ea8d7b37351650630e5a3 |
|
12-Nov-2001 |
Andreas Gustafsson <source@isc.org> |
sizeof style |
01446841be2b73f9a2ead74056df2d5342414041 |
|
19-Sep-2001 |
Andreas Gustafsson <source@isc.org> |
1006. [bug] If a KEY RR was found missing during DNSSEC validation,
an assertion failure could subsequently be triggered
in the resolver. [RT #1763] |
34aa7909371f13b4bc0ba6d155cfc38bfa1e3c5c |
|
14-Sep-2001 |
Andreas Gustafsson <source@isc.org> |
reverted 994. |
56d69016f4fae2eda4d39c92fe13595251aaadd3 |
|
13-Sep-2001 |
Mark Andrews <marka@isc.org> |
994. [bug] If the unsecure proof fails for unsigned NS records
attempt a secure proof using the NS records found as
glue to find the NS records from the zone's servers
along with associated glue rather than from parent
servers. [RT #1706] |
76c8294c81fb48b1da6e1fc5b83322a4cedb8e58 |
|
09-Aug-2001 |
Andreas Gustafsson <source@isc.org> |
format string bugs and improved format string checking [RT #1578] |
92ef1a9b9dbd48ecb507b42ac62c15afefdaf838 |
|
04-Jun-2001 |
David Lawrence <source@isc.org> |
use ISC_MAGIC for all magic numbers, for our friends in EBCDIC land |
26e5029fd55434db52702313a49e3dc7d47bd328 |
|
21-Feb-2001 |
Brian Wellington <source@isc.org> |
Added a cast. [RT #899] |
499b34cea04a46823d003d4c0520c8b03e8513cb |
|
09-Jan-2001 |
Brian Wellington <source@isc.org> |
copyright update |
78838d3e0cd62423c23de5503910e01884d2104b |
|
11-Dec-2000 |
Brian Wellington <source@isc.org> |
8 space -> tab conversion |
c70908209ee26c51a8e7242a56fdb73847249728 |
|
05-Dec-2000 |
Brian Wellington <source@isc.org> |
replace some INSISTs that theoretically could occur with normal failures |
f439363eeb4052fddc0e3ec648658548daa10506 |
|
08-Nov-2000 |
Brian Wellington <source@isc.org> |
minor code simplification |
368b37b616234fce3d23099eb180f1dd38e1fb62 |
|
31-Oct-2000 |
Mark Andrews <marka@isc.org> |
dns_rdata_invalidate -> dns_rdata_reset |
c03bb27f0675a6e60ceea66b451548e8481bc05c |
|
25-Oct-2000 |
Mark Andrews <marka@isc.org> |
532. [func] Implement DNS UPDATE pseudo records using
DNS_RDATA_UPDATE flag.
531. [func] Rdata really should be initalized before being
assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(),
dns_rdata_clone(), dns_rdata_fromregion()),
check that it is. |
d1cbf714097e900ed1703529584d3e1a50e8a4a8 |
|
07-Oct-2000 |
Brian Wellington <source@isc.org> |
clean up suspicious looking and incorrect uses of dns_name_fromregion |
a9ba7e65644c50e1549b38150ba8d4787e1fe643 |
|
12-Sep-2000 |
Brian Wellington <source@isc.org> |
Allow a keyset to be self-signed if the signing key is a trusted-key. |
d6be55c63f83194d97a565d0fd7b632b31b52a68 |
|
12-Sep-2000 |
Brian Wellington <source@isc.org> |
comment the infinite loop fix |
5c29047792191d6141f69b2684314d0b762fedeb |
|
12-Sep-2000 |
Brian Wellington <source@isc.org> |
minor dst api change |
c38cf70db10594c4d23f092a65e17b123b381a60 |
|
08-Sep-2000 |
Brian Wellington <source@isc.org> |
Fix an assertion failure and a case where an rdataset's trust wasn't set. |
32b2cdf212de957e3f9b0efca59f098ed4fb42de |
|
07-Sep-2000 |
Brian Wellington <source@isc.org> |
427. [bug] Avoid going into an infinite loop when the validator
gets a negative response to a key query where the
records are signed by the missing key. |
5e387b9ce6bafdfadedb5b34e4c33a4404e5d589 |
|
26-Aug-2000 |
Brian Wellington <source@isc.org> |
and more calls to DESTROYLOCK |
6f071989da905bb5ab2c6dfd01a71ee5ecea5918 |
|
15-Aug-2000 |
Brian Wellington <source@isc.org> |
cancellation fixes |
2a123ac026fd2cc5f2dd7ef2c14692c33b3fe3a8 |
|
15-Aug-2000 |
Brian Wellington <source@isc.org> |
remove unused variable |
9cd6710f91bdffef5aed68ab02533e398f6134d7 |
|
15-Aug-2000 |
Brian Wellington <source@isc.org> |
validators can now be cancelled. |
ef97e09e20da2133adc731cf7e29e72d04dfc93f |
|
15-Aug-2000 |
Andreas Gustafsson <source@isc.org> |
make the validator attach to the view only weakly, so that
the view can start shutting down even though a validation is in progress. |
40f53fa8d9c6a4fc38c0014495e7a42b08f52481 |
|
01-Aug-2000 |
David Lawrence <source@isc.org> |
Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your
own CVS tree will help minimize CVS conflicts. Maybe not.
Blame Graff for getting me to trim all trailing whitespace. |
f15af68028adc665d3bdddf955fc52bad83f0514 |
|
27-Jul-2000 |
Brian Wellington <source@isc.org> |
negative responses to cd queries should work now. |
15a44745412679c30a6d022733925af70a38b715 |
|
27-Jul-2000 |
David Lawrence <source@isc.org> |
word wrap copyright notice at column 70 |
98d010a24a9f1b4b45ce9791845941ef90426d0c |
|
27-Jul-2000 |
Brian Wellington <source@isc.org> |
If a negative insecurity proof succeeds, set all of the rdatasets in the
authority section of the message to non-pending, so that the response
has the ad bit set. |
5b0413f993b1c1ed837d23641e9f696cda1ee293 |
|
26-Jul-2000 |
Brian Wellington <source@isc.org> |
Call isc_log_wouldlog to potentially avoid extra work in validator_log. |
60783293cc27f74a84ec93c95c5d46edd30bd8e0 |
|
25-Jul-2000 |
Brian Wellington <source@isc.org> |
If a failed positive validation led us to try an insecurity proof, and the
insecurity proof also failed, the validator event should normally contain
the error from the positive validation. |
6bc1a645619a14707da68b130dafe41721fd2f25 |
|
14-Jul-2000 |
Brian Wellington <source@isc.org> |
If a positive validation fails and it looks like the reason is that there
are no material DNSSEC signatures, try an insecurity proof. |
25496cebadd170fd5fae2aabf0469eef551259aa |
|
07-Jul-2000 |
Brian Wellington <source@isc.org> |
If trying to validate a key set that happens to be a security root, the
validation should only consist of checking that each key in the key set
is also in the list of security root keys.
Strangeness occurs when the key set is signed, since the key set is marked
as secure, but the sig set is not, since it wasn't used in the validation
process. This means that a query for a key set at a security root will
have the AD bit set if the key set is unsigned and not if the key set is signed. |
9c3531d72aeaad6c5f01efe6a1c82023e1379e4d |
|
23-Jun-2000 |
David Lawrence <source@isc.org> |
add RCS id string |
6036112f4874637240d461c3ccbcb8dbfb1f405b |
|
22-Jun-2000 |
Andreas Gustafsson <source@isc.org> |
more detailed logging during insecurity proofs |
77c67dfb2607618f5e7940486daebafd42a502ab |
|
07-Jun-2000 |
Brian Wellington <source@isc.org> |
Repeatedly querying for nonexistant data could lead to a crash. |
e27021ee1f37185ab839a7a3b6bc078c24255e62 |
|
03-Jun-2000 |
Brian Wellington <source@isc.org> |
Certain negative responses could crash the validator.
The insecurity proof code didn't check to see if the name was below a security
root. |
75f6c57d9544aa77a3b1a04587b4702c07343c90 |
|
01-Jun-2000 |
Brian Wellington <source@isc.org> |
When an rdataset is signed, its ttl is normalized based on the signature
validity period. |
9a4a878733cc4ab9ecf0b50027e4e948df5eeaa3 |
|
27-May-2000 |
Brian Wellington <source@isc.org> |
removed debugging code |
ca9af3aaf798f98624fc1dc69d8c7d51bf01334d |
|
26-May-2000 |
Brian Wellington <source@isc.org> |
Lots of restructuring to make code easier to follow. Also a few bugs fixed,
and hopefully not too many new ones introduced. |
115635379a2baf2100695018109ad39e0dac349d |
|
26-May-2000 |
Andreas Gustafsson <source@isc.org> |
style |
a9bc95f22ef2dd4a12e79be99412c9f18b814a5d |
|
25-May-2000 |
Brian Wellington <source@isc.org> |
dst now stores the key name as a dns_name_t, not a char *. |
ed019cabc1cc75d4412010c331876e4ae5080a4d |
|
24-May-2000 |
David Lawrence <source@isc.org> |
fixed lines > 79 columns wide |
1d198e8a6bb62ef9dc5227d8d576f6424549c7a6 |
|
24-May-2000 |
David Lawrence <source@isc.org> |
removed unused stack variable sigrdataset from authvalidated() |
feb40fc5f911d0b2050fb9fd34950a52930b981d |
|
22-May-2000 |
Brian Wellington <source@isc.org> |
keytag collision handling was broken and a memory leak existed in the error
handling code. |
17a3fcecd069130a5f318685493b0db5639a77c9 |
|
20-May-2000 |
Brian Wellington <source@isc.org> |
Propagate errors out of the validator in all cases. This means that if there
are any problems in a validation, a SERVFAIL will be returned. This may not
be correct in all cases (and will be fixed), but it leaves the server in a
much more consistent state after failures. |
e49c834de8cdf92d4b85ef0fbf1d9dc59620a342 |
|
19-May-2000 |
Brian Wellington <source@isc.org> |
Replaced dns_keynode_next by the more correct dns_keytable_findnextkeynode |
e755d59880acfe0c4ac515a9c1a60f821d142930 |
|
19-May-2000 |
Andreas Gustafsson <source@isc.org> |
validator.c failed to compile on many platforms because
a label was not followed by a statement. Added a null statement. |
ba393f380e4cd93029f6a7291d6c2d14f9022b3c |
|
19-May-2000 |
Brian Wellington <source@isc.org> |
better keytag collision handling with trusted keys |
187604c1adfe841d909d4a8453b6900e652f7f6d |
|
19-May-2000 |
Brian Wellington <source@isc.org> |
accidentally removed an assignment to NULL before; added a note to look
back at keytag collisions later |
c50936eb40263b65ebf6afe4e6556e2dc67c10e4 |
|
19-May-2000 |
Brian Wellington <source@isc.org> |
changed dst_key_free() prototype, misc. dst cleanup |
d6643ef587324e40d8bda63e9f80be8141e101ed |
|
19-May-2000 |
Brian Wellington <source@isc.org> |
snapshot - support for keytag collision, better support for signed subdomains
of insecure domains. |
aa863b2d1e3739ac958c510aa7d61137860c3b7e |
|
18-May-2000 |
Brian Wellington <source@isc.org> |
insecurity proof wasn't correctly setting the rdataset trust level;
added more debug output |
5c6117688525d0e8d247f50c63364f66bd8d4185 |
|
18-May-2000 |
Brian Wellington <source@isc.org> |
insecurity proof for negative responses |
94766449d6125cd5870891b70d46573e5deaceb4 |
|
17-May-2000 |
Brian Wellington <source@isc.org> |
restructuring snapshot |
0013c93bc4d3d982b9ac13881931125884bf6144 |
|
14-May-2000 |
David Lawrence <source@isc.org> |
"validator.c", line 343: remark(1552): variable "rdataset" was set but never
used
Removed rdataset from function. |
e1f16346db02486f751c6db683fffe53c866c186 |
|
12-May-2000 |
Andreas Gustafsson <source@isc.org> |
validator must not indicate a validation failure by returning
ISC_R_NOTFOUND as that seriously confuses query_find(). Introduced new
result codes DNS_R_NOVALIDSIG and DNS_R_NOVALIDNXT to use instead. |
78951552dccf0d0004d61072bbc71fa4b1aab30f |
|
12-May-2000 |
Andreas Gustafsson <source@isc.org> |
removed support for trusted keys other than security
roots; check that key name is appropriate even if it is a security
root; added/clarified log messages |
3ce4b8b03ebd017c1d1b320429219ba91e705ea4 |
|
12-May-2000 |
Andreas Gustafsson <source@isc.org> |
added a comment |
1a69a1a78cfaa86f3b68bbc965232b7876d4da2a |
|
08-May-2000 |
David Lawrence <source@isc.org> |
Megacommit of dozens of files.
Cleanup of redundant/useless header file inclusion.
ISC style lint, primarily for function declarations and standalone
comments -- ie, those that appear on a line without any code, which
should be written as follows:
/*
* This is a comment.
*/ |
59e99793307eed0914f8467243d1c4ac761b1d9c |
|
05-May-2000 |
Andreas Gustafsson <source@isc.org> |
REQUIRE(type != 0) |
c37a9067523d885f593325e9efb85e506eb0c68c |
|
04-May-2000 |
Andreas Gustafsson <source@isc.org> |
more logging |
09f22ac5b09e70bc526015f37168ba33e21ea91f |
|
02-May-2000 |
David Lawrence <source@isc.org> |
Redundant header work, mostly removing <dns/result.h> from installed
headers and adding it to source files that need it. |
48e27f529db5e9e7e1dbcab3657a507e35c7b78e |
|
27-Apr-2000 |
Brian Wellington <source@isc.org> |
Conform to the dns_dnssec_verify api change and fix an nxt processing crash |
fa04a194fb9612169b8e066e292ff9b6c5fd0af4 |
|
27-Apr-2000 |
Andreas Gustafsson <source@isc.org> |
return value from dns_rdataset_first() was ignored;
added more comments and logging to nxtvalidate() |
6e49e91bd08778d7eae45a2229dcf41ed97cc636 |
|
27-Apr-2000 |
David Lawrence <source@isc.org> |
103. [func] libisc buffer API changes for <isc/buffer.h>:
Added:
isc_buffer_base(b) (pointer)
isc_buffer_current(b) (pointer)
isc_buffer_active(b) (pointer)
isc_buffer_used(b) (pointer)
isc_buffer_length(b) (int)
isc_buffer_usedlength(b) (int)
isc_buffer_consumedlength(b) (int)
isc_buffer_remaininglength(b) (int)
isc_buffer_activelength(b) (int)
isc_buffer_availablelength(b) (int)
Removed:
ISC_BUFFER_USEDCOUNT(b)
ISC_BUFFER_AVAILABLECOUNT(b)
isc_buffer_type(b)
Changed names:
isc_buffer_used(b, r) ->
isc_buffer_usedregion(b, r)
isc_buffer_available(b, r) ->
isc_buffer_available_region(b, r)
isc_buffer_consumed(b, r) ->
isc_buffer_consumedregion(b, r)
isc_buffer_active(b, r) ->
isc_buffer_activeregion(b, r)
isc_buffer_remaining(b, r) ->
isc_buffer_remainingregion(b, r)
Buffer types were removed, so the ISC_BUFFERTYPE_*
macros are no more, and the type argument to
isc_buffer_init and isc_buffer_allocate were removed.
isc_buffer_putstr is now void (instead of isc_result_t)
and requires that the caller ensure that there
is enough available buffer space for the string. |
8db70f36bee634ad850bc5ab60afab5c6123bc01 |
|
26-Apr-2000 |
Andreas Gustafsson <source@isc.org> |
isc_buffer_putstr() will soon return void |
e1a5f4cd31893572ec21c214dfbb19fa6527fbc2 |
|
25-Apr-2000 |
David Lawrence <source@isc.org> |
Shut up compiler about sigrdataset possibly being used before set in
nxtvalidate(). The warning is bogus. |
ec371edc34e2adb9e337b774d1a6e613f5863655 |
|
20-Apr-2000 |
Brian Wellington <source@isc.org> |
Add 'type' as a parameter to dns_validator_create() |
264fd373f3f6cc7f271bdff14a020385620015f1 |
|
20-Apr-2000 |
Andreas Gustafsson <source@isc.org> |
added log message about not finding relevant NXTs;
added REQUIREs to enforce prerequisites as documented in validator.h;
added cancelation cleanup code |
48ed268b3378a8b729a0037bc4ae2ed73647a96a |
|
19-Apr-2000 |
Brian Wellington <source@isc.org> |
snapshot - downward chaining support is much more complete, but still won't
work until the server returns the child's null key from the parent. |
d325d53d03013a50a286b0066c9647370466ae26 |
|
18-Apr-2000 |
Andreas Gustafsson <source@isc.org> |
declare static function proveunsecure() before use;
eliminate compiler warning |
613efcd8fbd0d1ce0d0afd1ac85d95cf85bffc27 |
|
18-Apr-2000 |
Brian Wellington <source@isc.org> |
snapshot - includes (untested) code to find unsecured subdomains, which
won't work until the server returns keys/nxts from the parent zones.
Also some style fixes. |
e44487bfc23599b6b240e09d83d1c862fecfcc82 |
|
17-Apr-2000 |
Michael Graff <mgraff@isc.org> |
convert sender, arg, action, etc. to ev_sender, ev_arg, ev_action, etc. |
fe5ba8ddb55b2b3ee139e13b7891817117ad4e63 |
|
14-Apr-2000 |
Brian Wellington <source@isc.org> |
memory leak cleanup, error if multiple nxts are present in negative answer |
777ac454c0cdec27dc11d80b9b2a8d7239d833a8 |
|
14-Apr-2000 |
Brian Wellington <source@isc.org> |
Fixed locking problems in event handlers. Reordered NXT processing to
do range checks before verify, since it's faster. |
e83cae7fa837e4757c687035d6f6c0900f152749 |
|
13-Apr-2000 |
Brian Wellington <source@isc.org> |
snapshot - partial support for negative answer verification and a couple bug
fixes. |
fca5f81ad69098ea8abba130c7f841c951ef91c2 |
|
12-Apr-2000 |
Bob Halley <source@isc.org> |
using snprintf or vsnprintf requires isc/print.h |
63bf060be4ff2a7ade02fd86abb98694a5afc250 |
|
12-Apr-2000 |
Brian Wellington <source@isc.org> |
dst_key_iszonekey() checks that the key's protocol is DNSSEC or ANY.
Remove this check from the validator, and remove more redundant constants
from dst.h |
ecfe4a349073b60eeaf7f1362d7dd48695514205 |
|
12-Apr-2000 |
Andreas Gustafsson <source@isc.org> |
validator_log() logged garbage after RR type |
538fea1c91c68c0a5569c7b8552c8fd0490055ef |
|
11-Apr-2000 |
Brian Wellington <source@isc.org> |
Added back some code lost by the logging patch, made the keyvalidated event
handler actually work in the easy case. |
1b1e1fda4638334b484aa38c15f53a131c0b0fdf |
|
11-Apr-2000 |
Andreas Gustafsson <source@isc.org> |
logging |
e7a8dfd2968634d025dbdbf39b9b7009e65f43d1 |
|
11-Apr-2000 |
Brian Wellington <source@isc.org> |
If we mark an rdataset as secure, also mark the sigrdataset as secure. |
3676eeb6ca95c66aae1256f37af8c990d9f25eb4 |
|
07-Apr-2000 |
Brian Wellington <source@isc.org> |
snapshot. Includes creating a new validator to validate pending KEYs. |
b5debbe212097d1c573a2ba3bd9a3d526d86b0ae |
|
07-Apr-2000 |
Brian Wellington <source@isc.org> |
snapshot. Sends a fetch when a KEY isn't present and would partially handle
a successful response if it got one. Starts the validator with an
event to avoid deadlock in the resolver. |
93c786e0924aeca2c258e32355349e6ae60a0f72 |
|
07-Apr-2000 |
Andreas Gustafsson <source@isc.org> |
cleared up some DNS_R_CONTINUE/DNS_R_WAIT confusion;
commented get_dst_key() |
419590499823ce15b5d2ad4fe71eaf04bd5a86c0 |
|
07-Apr-2000 |
Michael Graff <mgraff@isc.org> |
s/DNS_R_/ISC_R_/ change for some codes. |
1c776a2909632bc755f3fddd3b53addd792ab4d0 |
|
06-Apr-2000 |
Brian Wellington <source@isc.org> |
missing an #include <dns/dnssec.h> |
0a3e2e1d590dac7fb011e72bd3a4982c179d8e68 |
|
06-Apr-2000 |
Brian Wellington <source@isc.org> |
- added a call to dns_dnssec_verify
- swapped ISC_R_SUCCESS/DNS_R_CONTINUE in two places
- hitting the end of the list of SIGs without a verification is not success. |
1854401d34e3cdaec6d167e82655c0448ed92a92 |
|
23-Mar-2000 |
Bob Halley <source@isc.org> |
was dereferencing the wrong rdataset |
1872808932603066d401d3de97db11af8ffee78a |
|
23-Mar-2000 |
Andreas Gustafsson <source@isc.org> |
don't access freed memory |
62a84c4a27033bb0e7316256964a6950b1e230bd |
|
23-Mar-2000 |
Andreas Gustafsson <source@isc.org> |
val->view was not NULL before attach |
0ec4b862c9abd11c82c88ed62438f0cf06fed25d |
|
17-Mar-2000 |
Bob Halley <source@isc.org> |
checkpoint |
e419f613d8591885df608cb73065921be07dd12e |
|
24-Feb-2000 |
Bob Halley <source@isc.org> |
checkpoint |
9695ae1c24b168996e3a267855dc754971ccb32c |
|
24-Feb-2000 |
Bob Halley <source@isc.org> |
add missing #include |
bf43fdafa3bff9e84cb03f1a19aca74514d2516e |
|
24-Feb-2000 |
Bob Halley <source@isc.org> |
add keytable, validator |