]>
granicus.if.org Git - pdns/log
aerique [Tue, 28 Nov 2017 15:53:22 +0000 (16:53 +0100)]
Merge pull request #6011 from ahupowerdns/quote-server-id
quote server-id to hosts with - or . in their name get reported again
aerique [Tue, 28 Nov 2017 15:53:08 +0000 (16:53 +0100)]
Merge pull request #6015 from Habbie/id.server
it's id.server, not server.id
Peter van Dijk [Tue, 28 Nov 2017 13:18:44 +0000 (14:18 +0100)]
nit
Pieter Lexis [Tue, 28 Nov 2017 12:33:18 +0000 (13:33 +0100)]
Merge pull request #6000 from rgacogne/rec-authzone-validation
rec: Skip validation (including cached entries) for auth zones
Pieter Lexis [Tue, 28 Nov 2017 12:33:03 +0000 (13:33 +0100)]
Merge pull request #6001 from zeha/secpoll-servfail
recursor secpoll: improve message on timeout
Pieter Lexis [Tue, 28 Nov 2017 12:32:39 +0000 (13:32 +0100)]
Merge pull request #6009 from rgacogne/rec-zone-part-signer
rec: When validating DNSKeys, the zone should be part of the signer
Pieter Lexis [Tue, 28 Nov 2017 12:32:26 +0000 (13:32 +0100)]
Merge pull request #6008 from rgacogne/ecdsa-error-leak
rec: Don't leak when the loading a public ECDSA key fails
aerique [Tue, 28 Nov 2017 12:26:56 +0000 (13:26 +0100)]
Merge pull request #6007 from rgacogne/auth-web-readonly-ops
auth: Deny cache flush, zone retrieve and notify if the API is RO
bert hubert [Tue, 28 Nov 2017 10:44:51 +0000 (11:44 +0100)]
fix tab & {}
bert hubert [Tue, 28 Nov 2017 09:50:24 +0000 (10:50 +0100)]
quote server-id. This stops us from breaking serving chaos txt id.server if your server has a dash or a dot or an underscore in its name.
Peter van Dijk [Tue, 28 Nov 2017 09:28:17 +0000 (10:28 +0100)]
Merge pull request #5997 from rgacogne/rec-additional-val
rec: Store additional records as non-auth, even on AA=1 answers
Peter van Dijk [Tue, 28 Nov 2017 08:54:22 +0000 (09:54 +0100)]
Merge pull request #6004 from pieterlexis/rm-old-soa-edit
Remove deprecated SOA-EDIT values
Peter van Dijk [Tue, 28 Nov 2017 08:52:49 +0000 (09:52 +0100)]
Merge pull request #5617 from Habbie/ednsflags
fix reading of ednsflags in recursor testing
Remi Gacogne [Tue, 28 Nov 2017 08:15:45 +0000 (09:15 +0100)]
doc: Fix a typo in PowerDNS Advisory 2017-04
Remi Gacogne [Tue, 22 Aug 2017 09:48:07 +0000 (11:48 +0200)]
auth: Deny cache flush, zone retrieve and notify if the API is RO
Remi Gacogne [Wed, 11 Oct 2017 13:28:04 +0000 (15:28 +0200)]
Fix a memory leak when loading an RSA key with an invalid modulus
Remi Gacogne [Thu, 13 Jul 2017 14:22:30 +0000 (16:22 +0200)]
Don't leak when the loading a public ECDSA key fails
Remi Gacogne [Thu, 17 Aug 2017 16:05:54 +0000 (18:05 +0200)]
rec: When validating DNSKeys, the zone should be part of the signer
Peter van Dijk [Wed, 16 Aug 2017 12:08:13 +0000 (14:08 +0200)]
do not demand a DO reply to a non-DO query
Pieter Lexis [Mon, 27 Nov 2017 12:24:51 +0000 (13:24 +0100)]
Remove deprecated SOA-EDIT values
Pieter Lexis [Mon, 27 Nov 2017 16:58:49 +0000 (17:58 +0100)]
Merge pull request #5916 from pieterlexis/rm-wiki
Documentation additions so we can rid of the wiki
Pieter Lexis [Mon, 27 Nov 2017 16:58:32 +0000 (17:58 +0100)]
Merge pull request #5990 from jannyg/patch-2
Adds description of add-record
Chris Hofstaedtler [Mon, 27 Nov 2017 16:48:45 +0000 (17:48 +0100)]
recursor secpoll: improve message on timeout
Pieter Lexis [Mon, 27 Nov 2017 16:01:41 +0000 (17:01 +0100)]
Fix secpoll
Pieter Lexis [Mon, 27 Nov 2017 15:48:04 +0000 (16:48 +0100)]
Fix changelog syntax
aerique [Mon, 27 Nov 2017 15:35:39 +0000 (16:35 +0100)]
Merge pull request #5999 from aerique/advisories-2017
Add advisories 2017-03, 2017-04, 2017-05, 2017-06 and 2017-07.
Remi Gacogne [Fri, 24 Nov 2017 16:48:19 +0000 (17:48 +0100)]
rec: Skip validation (including cached entries) for auth zones
Pieter Lexis [Mon, 27 Nov 2017 11:56:06 +0000 (12:56 +0100)]
Update security advisory links in secpoll
Peter van Dijk [Wed, 16 Aug 2017 11:44:54 +0000 (13:44 +0200)]
read ednsflags instead of flags
Remi Gacogne [Mon, 27 Nov 2017 10:21:21 +0000 (11:21 +0100)]
rec: Store additional records as non-auth, even on AA=1 answers
We used to store additional records in AA=1 answers as auth. In addition
to being wrong, it also broke DNSSEC validation if the record was stored
as Indeterminate because while we take care of not validating additional
records when processing an answer, we have no way of knowing in which
section a record was originally located when we retrieve it from the cache.
When an answer becomes too big to fit in the requester UDP payload,
rfc4035 allows the sender to keep records in the additional section
while omitting the corresponding RRSIGs, without setting the TC bit.
Remi Gacogne [Mon, 27 Nov 2017 07:15:46 +0000 (08:15 +0100)]
Add release date, security advisories to the changelogs
Jan-Arve Nygård [Fri, 24 Nov 2017 12:47:04 +0000 (13:47 +0100)]
Added description of add-record
Added description of add-record with options to man-pages
Remi Gacogne [Fri, 24 Nov 2017 10:10:28 +0000 (11:10 +0100)]
Update secpoll
Remi Gacogne [Tue, 24 Oct 2017 09:02:57 +0000 (11:02 +0200)]
Add advisories 2017-03, 2017-04, 2017-05, 2017-06 and 2017-07
bert hubert [Thu, 23 Nov 2017 12:54:49 +0000 (13:54 +0100)]
make notify.cc compile again
aerique [Thu, 23 Nov 2017 11:24:15 +0000 (12:24 +0100)]
Merge pull request #5953 from pieterlexis/auth-405-rec-407-changelog
Add Authoritative Server 4.0.5 and Recursor 4.0.7 changelogs + secpoll
bert hubert [Wed, 22 Nov 2017 13:24:39 +0000 (14:24 +0100)]
clarify that dnsdist latency averages are in microseconds
Remi Gacogne [Wed, 22 Nov 2017 11:38:55 +0000 (12:38 +0100)]
Merge pull request #5970 from 42wim/burst
dnsdist: Add burst option to MaxQPSIPRule
Remi Gacogne [Wed, 22 Nov 2017 11:17:45 +0000 (12:17 +0100)]
Update auth 4.0.5 and rec 4.0.7 changelogs with recent backports
Pieter Lexis [Tue, 14 Nov 2017 08:45:26 +0000 (09:45 +0100)]
Add secpoll for auth 4.0.5 and rec 4.0.7
Pieter Lexis [Tue, 14 Nov 2017 08:44:09 +0000 (09:44 +0100)]
Add Recursor 4.0.7 changelog
Pieter Lexis [Fri, 3 Nov 2017 15:18:19 +0000 (16:18 +0100)]
Add Authoritative Server 4.0.5 changelog
Remi Gacogne [Wed, 22 Nov 2017 11:02:17 +0000 (12:02 +0100)]
Merge pull request #5978 from rgacogne/rec-negcache-referral-to-unsigned
rec: Fix DNSSEC validation of DS denial from the negative cache
aerique [Wed, 22 Nov 2017 10:11:01 +0000 (11:11 +0100)]
Merge pull request #5980 from rgacogne/rec-denial-validation-caching
rec: Cache Secure validation state when inserting negcache entries
aerique [Wed, 22 Nov 2017 09:15:26 +0000 (10:15 +0100)]
Merge pull request #5964 from pieterlexis/api-crypto-key-consistency
API: Make the /cryptokeys endpoint consistently use CryptoKey objects
aerique [Wed, 22 Nov 2017 08:34:39 +0000 (09:34 +0100)]
Merge pull request #5976 from Habbie/soa-unsetdnsname
report remote IP when SOA query comes back with empty question section
Pieter Lexis [Tue, 21 Nov 2017 16:31:42 +0000 (17:31 +0100)]
Merge pull request #5954 from pieterlexis/cherry-pick-script
Add two scripts: one to backport PRs and one to generate changelogs
Pieter Lexis [Tue, 21 Nov 2017 16:31:21 +0000 (17:31 +0100)]
Merge pull request #5972 from rgacogne/rec-dump-neg-status
rec: Dump the validation status of negcache entries, fix DNSSEC type
Pieter Lexis [Tue, 21 Nov 2017 16:30:34 +0000 (17:30 +0100)]
Merge pull request #5968 from pieterlexis/api-rectify-transaction
Fix hang when PATCHing zone during rectify
Pieter Lexis [Tue, 21 Nov 2017 16:29:32 +0000 (17:29 +0100)]
Merge pull request #5958 from pieterlexis/centos-7-ship-dnsdist-multi-instance
Packages: Ship dnsdist multi-instance files
Wim [Tue, 21 Nov 2017 13:17:58 +0000 (14:17 +0100)]
Fix typo
Remi Gacogne [Tue, 21 Nov 2017 09:42:43 +0000 (10:42 +0100)]
rec: Cache Secure validation state when inserting negcache entries
Fix a bug that prevented Secure negative cache entries to be marked
as such when they were first inserted, marking them as Indeterminate
instead. This would require us to validate them a second time for no
valid reason.
Remi Gacogne [Mon, 20 Nov 2017 17:12:48 +0000 (18:12 +0100)]
rec: Fix DNSSEC validation of DS denial from the negative cache
There is two reasons you can get a proper DS denial:
* Secure to insecure cut, and if we are getting a referral with a
DS denial, we know that we have to check that the NS bit is set
as described in section 8.9 of rfc5155
* No zone cut inside a secure zone, and then of course the NS is
not set
When we retrieve the DS denial from the negative cache with a
validation status of Indeterminate, most likely because validation
was not enabled during the query that landed it in the cache, we
don't have enough data to know which case we are looking at, so
let's just skip the NS check.
Peter van Dijk [Mon, 20 Nov 2017 13:32:23 +0000 (14:32 +0100)]
report remote IP when SOA query comes back with empty question section
this improves the #5974 situation a bit
bert hubert [Mon, 20 Nov 2017 11:23:45 +0000 (12:23 +0100)]
Merge pull request #5971 from rgacogne/rec-getdsrecords-erased-it
rec: Fix the use of a deleted iterator in SyncRes::getDSRecords()
Remi Gacogne [Mon, 20 Nov 2017 10:01:48 +0000 (11:01 +0100)]
rec: Fix the use of a deleted iterator in SyncRes::getDSRecords()
Remi Gacogne [Mon, 20 Nov 2017 08:56:34 +0000 (09:56 +0100)]
rec: Update the negcache's unit tests (validation status, DNSSEC type)
Remi Gacogne [Mon, 20 Nov 2017 08:55:50 +0000 (09:55 +0100)]
rec: Dump the correct NSEC record type for negative cache entries
Remi Gacogne [Sun, 19 Nov 2017 19:22:47 +0000 (20:22 +0100)]
rec: Add the validation status when dumping the negative cache
Wim [Fri, 17 Nov 2017 22:58:46 +0000 (23:58 +0100)]
dnsdist: Add burst option to MaxQPSIPRule
bert hubert [Fri, 17 Nov 2017 16:09:54 +0000 (17:09 +0100)]
Merge pull request #5969 from giganteous/rec-correct-documentation-typo
Fix reference to the wrong product
Kai Storbeck [Fri, 17 Nov 2017 16:04:37 +0000 (17:04 +0100)]
Fix reference to the wrong product
aerique [Fri, 17 Nov 2017 13:05:40 +0000 (14:05 +0100)]
Merge pull request #5965 from aerique:feature/update-rec-4.1.0-rc3-changelog
Update ChangeLog and secpoll for rec-4.1.0-rc3.
Pieter Lexis [Fri, 17 Nov 2017 12:20:52 +0000 (13:20 +0100)]
Fix hang when PATCHing zone during rectify
Before, we would spawn a new UeberBackend in the DNSSECKeeper, but there
was already a transaction going on, so the rectify would never finish,
as rectifyZone would not return.
aerique [Fri, 17 Nov 2017 11:27:31 +0000 (12:27 +0100)]
Merge pull request #5961 from jake2184/master
Edit configname definition to include the 'config-name' argument
Pieter Lexis [Thu, 16 Nov 2017 16:43:13 +0000 (17:43 +0100)]
Support csk in the cryptokey endpoint
Pieter Lexis [Thu, 16 Nov 2017 16:41:40 +0000 (17:41 +0100)]
Compare algorithm mnemonics case insensitive
Pieter Lexis [Thu, 16 Nov 2017 15:05:50 +0000 (16:05 +0100)]
Map DNSSEC algo-numbers and names 1:1
Pieter Lexis [Thu, 16 Nov 2017 13:53:47 +0000 (14:53 +0100)]
API: Make the /cryptokeys endpoint use CryptoKey objects
Add bits and algorithm to the CryptoKey object
bert hubert [Thu, 16 Nov 2017 16:13:02 +0000 (17:13 +0100)]
Merge pull request #5955 from Habbie/macos-build
macOS build fixes
aerique [Thu, 16 Nov 2017 13:01:58 +0000 (14:01 +0100)]
Merge pull request #5963 from aerique/bugfix/remove-5938-from-auth-docs
Remove #5938 from auth-4.1.0-rc3 ChangeLog.
Erik Winkels [Thu, 16 Nov 2017 12:43:18 +0000 (13:43 +0100)]
Remove #5938 from auth-4.1.0-rc3 ChangeLog.
It was accidentally labeled as "auth" but was only for "rec".
aerique [Thu, 16 Nov 2017 12:36:22 +0000 (13:36 +0100)]
Merge pull request #5962 from aerique:feature/update-auth-4.1.0-rc3-changelog
Update ChangeLog and secpoll for auth-4.1.0-rc3.
aerique [Thu, 16 Nov 2017 11:49:44 +0000 (12:49 +0100)]
Merge pull request #5936 from pieterlexis/api-allow-deactivate-dnssec
API: Allow disabling DNSSEC
aerique [Thu, 16 Nov 2017 10:24:54 +0000 (11:24 +0100)]
Merge pull request #5933 from pieterlexis/issue-5931-tsig-crash
Check return value for all getTSIGKey calls
Pieter Lexis [Thu, 16 Nov 2017 10:13:07 +0000 (11:13 +0100)]
Merge pull request #5943 from pieterlexis/pdnsutil-man-missing-command
document missing pdnsutil list-tsig-key command
aerique [Thu, 16 Nov 2017 09:17:10 +0000 (10:17 +0100)]
Merge pull request #5949 from rgacogne/auth-5948
auth: Don't complain that glues are occluded by a delegation
Jake Reynolds [Wed, 15 Nov 2017 14:59:43 +0000 (14:59 +0000)]
Edit configname to include the 'config-name' argument
Pieter Lexis [Tue, 14 Nov 2017 11:42:36 +0000 (12:42 +0100)]
dnsdist: Ship multiple unit files in RPM
And run dnsdist as an unprivileged user.
Pieter Lexis [Tue, 14 Nov 2017 11:39:49 +0000 (12:39 +0100)]
dnsdist: Ship multiple unit files for debian
Peter van Dijk [Tue, 14 Nov 2017 09:18:10 +0000 (10:18 +0100)]
document libcrypto usage for recent macOS
Peter van Dijk [Tue, 14 Nov 2017 09:17:58 +0000 (10:17 +0100)]
recent Apple Xcode headers need this
reference: https://github.com/arvidn/libtorrent/issues/2364#issuecomment-
336175406
Pieter Lexis [Tue, 14 Nov 2017 08:32:40 +0000 (09:32 +0100)]
Add script to generate changelogs
Remi Gacogne [Mon, 13 Nov 2017 11:42:22 +0000 (12:42 +0100)]
auth: Don't complain that glues are occluded by a delegation
Pieter Lexis [Fri, 10 Nov 2017 15:48:35 +0000 (16:48 +0100)]
document missing pdnsutil list-tsig-key command
Pieter Lexis [Fri, 10 Nov 2017 13:03:11 +0000 (14:03 +0100)]
Merge pull request #5935 from pieterlexis/no-metadata-on-non-existent-zone
API: Throw exception in metadata endpoint w/ wrong zone
Pieter Lexis [Fri, 10 Nov 2017 13:01:38 +0000 (14:01 +0100)]
Merge pull request #5941 from jpmens/patch-8
mention API key required for access
JP Mens [Fri, 10 Nov 2017 12:54:35 +0000 (13:54 +0100)]
mention API key required for access
Pieter Lexis [Fri, 10 Nov 2017 12:24:10 +0000 (13:24 +0100)]
Fix some nits
Pieter Lexis [Thu, 9 Nov 2017 11:01:32 +0000 (12:01 +0100)]
Check return of getTSIGKey and B64Decode in the Slave Communicator
Pieter Lexis [Thu, 9 Nov 2017 10:24:36 +0000 (11:24 +0100)]
Check return of getTSIGKey and B64Decode in the TCPReceiver
Pieter Lexis [Thu, 9 Nov 2017 10:09:32 +0000 (11:09 +0100)]
Check return value of getTSIGKey and B64Decode
This would lead to crashes if the TSIG key was referenced in
TSIG-ALLOW-FROM but the key was not in the tsigkeys table.
Closes #5931
bert hubert [Fri, 10 Nov 2017 11:39:42 +0000 (12:39 +0100)]
Merge pull request #5937 from rgacogne/rec-self-resolving-ns
rec: Allow the use of a 'self-resolving' NS if cached A/AAAA exists
bert hubert [Fri, 10 Nov 2017 09:33:00 +0000 (10:33 +0100)]
Merge pull request #5939 from rgacogne/rec-forward-rd-cname
rec: Only accept types not matching the query if we asked for ANY
bert hubert [Fri, 10 Nov 2017 09:31:15 +0000 (10:31 +0100)]
Merge pull request #5938 from rgacogne/rec-zero-threads
rec: Don't crash when asked to run with zero threads
Remi Gacogne [Thu, 9 Nov 2017 16:16:04 +0000 (17:16 +0100)]
rec: Only accept types not matching the query if we asked for ANY
Even from forward-recurse servers.
Pieter Lexis [Thu, 9 Nov 2017 15:56:30 +0000 (16:56 +0100)]
API: Allow disabling DNSSEC
Closes #5909
Closes #5910
Remi Gacogne [Thu, 9 Nov 2017 15:31:11 +0000 (16:31 +0100)]
rec: Allow the use of a 'self-resolving' NS if cached A/AAAA exists
We just have to take care not to try to contact that NS to learn
its own IP addresses, because that does not make sense.
Before this, we could skip a perfectly valid NS for which we had
retrieved the A and/or AAAA entries, for example via a glue.
Also get rid of a flawed calculation based on whether IPv6 was
enabled whereas we were only dealing with NS at this point.
Pieter Lexis [Thu, 9 Nov 2017 15:04:27 +0000 (16:04 +0100)]
Merge pull request #5879 from pieterlexis/issue-3059-check-zone-warn-eclipse
pdnsutil: Warn if records in a zone are eclipsed
Pieter Lexis [Thu, 9 Nov 2017 15:04:13 +0000 (16:04 +0100)]
Merge pull request #5924 from rgacogne/rec-cname-cache-validation
rec: Add unit tests for DNSSEC validation of cached CNAME answers