Commit Graph

185 Commits

Author SHA1 Message Date
ralph
07d180c1d1 strcpy to memmove, to please analysers
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4656 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-24 10:10:11 +00:00
ralph
38b5b4c8c6 - Added root-key-sentinel support
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4652 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-04-24 09:03:49 +00:00
wouter
06453716e5 - patch to log creates keytag queries, from A. Schulze.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4566 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-03-07 08:39:10 +00:00
wouter
692f648a6e - Reverted fix for #3512, this may not be the best way forward;
although it could be changed at a later time, to stay similar to
  other implementations.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4560 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-03-06 08:22:33 +00:00
wouter
340efc3a79 - Fix compile without threads, and remove unused variable.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4553 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-02-27 10:36:12 +00:00
ralph
3377e6f8ee - Save wildcard RRset from answer with original owner for use in aggressive
NSEC.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4550 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-02-22 15:12:31 +00:00
wouter
ffa1194628 - Fix validation for CNAME loops. When it detects a cname loop,
by finding the cname, cname in the existing list, it returns
  the partial result with the validation result up to then.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4547 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-02-21 14:04:02 +00:00
ralph
35bc8a1ecc - Aggressive use of NSEC implementation. Use cached NSEC records to generate
NXDOMAIN, NODATA and positive wildcard answers.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4522 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-02-08 13:16:36 +00:00
ralph
b20df48e61 Also use NSEC with longest closest encloser for CNAME responses.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4463 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-29 14:44:39 +00:00
ralph
5489a6b54b - Use NSEC with longest ce to prove wildcard absence.
- Only use *.ce to prove wildcard absence, no longer names.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4460 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-29 13:46:57 +00:00
wouter
7911e492f9 - patch for CVE-2017-15105: vulnerability in the processing of
wildcard synthesized NSEC records.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4441 be551aaa-1e26-0410-a405-d3ace91eadb9
2018-01-19 09:50:35 +00:00
wouter
39ba948040 - Spelling fixes, from Phil Porada.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4344 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-09-15 14:29:28 +00:00
wouter
9df24fe7cd Fixup compile for clean_additional changes
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4211 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-06-07 09:24:33 +00:00
wouter
8314a4493d - Fix that unbound-control can set val_clean_additional and val_permissive_mode.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4209 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-06-07 06:59:47 +00:00
ralph
865b0eb154 - Added mesh_add_sub to add detached mesh entries.
- Use mesh_add_sub for key tag signaling queries.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4144 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-05-02 13:17:56 +00:00
ralph
fd4bcbf41b regional_alloc + memcpy to regional_alloc_init
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4136 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-26 15:03:32 +00:00
ralph
4449cb4ed8 please lint
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4135 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-26 13:27:07 +00:00
ralph
0be5e03a03 - Implemented trust anchor signaling using key tag query.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4134 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-04-26 12:58:13 +00:00
george
b92d2de4fd - Fix to prevent non-referal query from being cached as referal when the
no_cache_store flag was set.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@4080 be551aaa-1e26-0410-a405-d3ace91eadb9
2017-03-24 10:51:56 +00:00
george
4812f02dd0 - Added generic EDNS code for registering known EDNS option codes,
bypassing the cache response stage and uniquifying mesh states. Four EDNS
  option lists were added to module_qstate (module_qstate.edns_opts_*) to
  store EDNS options from/to front/back side.
- Added two flags to module_qstate (no_cache_lookup, no_cache_store) that
  control the modules' cache interactions.
- Added code for registering inplace callback functions. The registered
  functions can be called just before replying with local data or Chaos,
  replying from cache, replying with SERVFAIL, replying with a resolved
  query, sending a query to a nameserver. The functions can inspect the
  available data and maybe change response/query related data (i.e. append
  EDNS options).
- Updated Python module for the above.
- Updated Python documentation.



git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3947 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-12-06 13:42:51 +00:00
wouter
bc78c785ce - Patch that resolves CNAMEs entered in local-data conf statements that
point to data on the internet, from Jinmei Tatuya (Infoblox).


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3885 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-10-18 13:18:20 +00:00
wouter
4f8df458fc - Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3766 be551aaa-1e26-0410-a405-d3ace91eadb9
2016-06-07 13:02:02 +00:00
wouter
33c3822724 - spelling fixes from Igor Sobrado Delgado.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3544 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-11-18 14:11:46 +00:00
wouter
94981e10b4 configuration option affects autotrust.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3472 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-08-13 12:52:51 +00:00
wouter
c17574c81a - DLV is going to be decommissioned. Advice to stop using it, and
put text in the example configuration and man page to that effect.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3424 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-05-20 06:24:06 +00:00
wouter
97ffe64ba3 - Change syntax of particular validator error to be easier for
machine parse, swap rrset and ip adres info so it looks like:
  validation failure <www.example.nl. TXT IN>: signature crypto
  failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN>


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3422 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-05-10 12:04:22 +00:00
wouter
410ac6cd67 - rename ldns subdirectory to sldns to avoid name collision.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3380 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-03-26 10:21:38 +00:00
wouter
d1bf57dfd1 - Fixes to add integer overflow checks on allocation (defense in depth).
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3372 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-03-20 15:36:25 +00:00
wouter
5a4a7863b6 - Fix #644: harden-algo-downgrade option, if turned off, fixes the
reported excessive validation failure when multiple algorithms
  are present.  It allows the weakest algorithm to validate the zone.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3354 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-03-09 13:30:37 +00:00
wouter
16b3909f91 - Fix validation failure in case upstream forwarder (ISC BIND) does
not have the same trust anchors and decides to insert unsigned NS
  record in authority section.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3329 be551aaa-1e26-0410-a405-d3ace91eadb9
2015-02-09 11:44:46 +00:00
wouter
f9213eaf93 - Fix cdflag dns64 processing.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3275 be551aaa-1e26-0410-a405-d3ace91eadb9
2014-11-19 08:43:08 +00:00
wouter
0778829809 - Fix that CD flag disables DNS64 processing, returning the DNSSEC
signed AAAA denial.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3273 be551aaa-1e26-0410-a405-d3ace91eadb9
2014-11-18 15:15:57 +00:00
matje
96e1b5ac58 Be lenient when a NSEC NameError response with RCODE=NXDOMAIN is received.
This is okay according 4035, but not after revising existence in 4592. 
NSEC empty non-terminals exist and thus the RCODE should have been NOERROR.

If this occurs, and the RRsets are secure, we set the RCODE to NOERROR and
the security status of the reponse is also considered secure.



git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3089 be551aaa-1e26-0410-a405-d3ace91eadb9
2014-02-20 09:46:50 +00:00
wouter
68b138cbd3 And fix #551 REGENT to COPYRIGHT HOLDER in license in file headings.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3079 be551aaa-1e26-0410-a405-d3ace91eadb9
2014-02-07 13:28:39 +00:00
wouter
db8f72c4f7 - Fix sldns to use sldns_ prefix for all ldns_ variables.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@3022 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-12-03 09:11:16 +00:00
wouter
8e6ee27eda - separate ldns into core ldns inside ldns/ subdirectory. No more
--with-ldns is needed and unbound does not rely on libldns.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2998 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-10-31 15:09:26 +00:00
wouter
b4a007738c - Fix for 2038, with time_t instead of uint32_t.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2939 be551aaa-1e26-0410-a405-d3ace91eadb9
2013-08-20 12:23:42 +00:00
matje
aae7a518bf Fix validation for responses with CNAME and wildcard expanded CNAME in
ANSWER section.



git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2777 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-10-29 14:06:00 +00:00
wouter
1caf700c2e - fix bogus nodata cname chain not reported as bogus by validator,
(Thanks Peter van Dijk).


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2727 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-07-27 13:38:00 +00:00
wouter
5a7af9871a Fix prefetch and stickyness.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2632 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-02-16 11:04:53 +00:00
wouter
d5150eafeb - unbound-control forward_add, forward_remove, stub_add, stub_remove
can modify stubs and forwards for running unbound (on mobile computer)
  they can also add and remove domain-insecure for the zone.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2623 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-02-15 14:35:28 +00:00
wouter
25fbc19b64 - Fix bug #425: unbound reports wrong TTL in reply, it reports a TTL
that would be permissible by the RFCs but it is not the TTL in the
  cache.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2581 be551aaa-1e26-0410-a405-d3ace91eadb9
2012-01-10 09:42:32 +00:00
wouter
9bf6080a27 - Fix to constrain signer_name to be a parent of the lookupname.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2571 be551aaa-1e26-0410-a405-d3ace91eadb9
2011-12-13 12:37:47 +00:00
wouter
a1f677fcac - Makefile changed for BSD make compatibility.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2544 be551aaa-1e26-0410-a405-d3ace91eadb9
2011-11-10 18:44:06 +00:00
wouter
f5be858e6b - algorithm compromise protection using the algorithms signalled in
the DS record.  Also, trust anchors, DLV, and RFC5011 receive this,
         and thus, if you have multiple algorithms in your trust-anchor-file
         then it will now behave different than before.  Also, 5011 rollover
         for algorithms needs to be double-signature until the old algorithm
         is revoked.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2358 be551aaa-1e26-0410-a405-d3ace91eadb9
2010-12-21 14:19:55 +00:00
wouter
a33b75aebf Work on validation of multiple algorithms.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2356 be551aaa-1e26-0410-a405-d3ace91eadb9
2010-12-20 15:58:12 +00:00
wouter
206d95e87a - Fix validation failure for parent and child on same server with an
insecure childzone and a CNAME from parent to child.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2321 be551aaa-1e26-0410-a405-d3ace91eadb9
2010-10-29 13:10:26 +00:00
wouter
fc57d16d98 - Fix bug when DLV below a trust-anchor that uses NSEC3 optout where
the zone has a secure delegation hosted on the same server did not
         verify as secure (it was insecure by mistake).


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2275 be551aaa-1e26-0410-a405-d3ace91eadb9
2010-10-11 12:21:19 +00:00
wouter
47f65c133a - DLV has downgrade protection again, because the RFC says so.
git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2238 be551aaa-1e26-0410-a405-d3ace91eadb9
2010-09-17 08:54:16 +00:00
wouter
db4944a21d - Algorithm rollover operational reality intrudes, for trust-anchor,
5011-store, and DLV-anchor if one key matches it's good enough.


git-svn-id: https://unbound.nlnetlabs.nl/svn/trunk@2235 be551aaa-1e26-0410-a405-d3ace91eadb9
2010-09-16 13:40:26 +00:00