interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
3,295 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

191 Commits

Author SHA1 Message Date
Willem Toorop 45683d3cfe Fix for getdnsapi/stubby#295 
rdata not correctly written for validation for certain RR types
 2022-01-11 00:09:44 +01:00
Willem Toorop 2a0114591a Resolve compile warnings 
Thanks Andreas!
 2021-06-03 20:45:55 +02:00
Willem Toorop 3345bb615d One more gldns_wire2str_rr_scan fix 2019-12-20 10:29:54 +00:00
Jim Hague 5db0d03b13 Enable building on Windows with Visual Studio. 
The change mostly consists of removing or replacing non-standard (usually POSIX) header includes.

Guards for replacements for inet_ntop(), inet_pton() and gettimeofday() are updated; the first two are macros on Windows, so the guards are changed to HAVE_DECL. gettimeofday() is present on MinGW builds but not Visual Studio, so that has a function check.
 2019-10-15 10:09:17 +01:00
Willem Toorop 99d15b999c Issue #423: Fix insecure delegation detection while scheduling 2019-03-13 14:21:06 +01:00
Jim Hague 3fe0c94357 Merge branch 'develop' into feature/abstract-tls 2019-01-14 19:09:20 +00:00
Willem Toorop 41f4940072 Log messages about trust anchor fetching and installing 2018-12-13 14:23:32 +01:00
Willem Toorop bb99321e57 More constness for issue #410 2018-12-07 16:34:03 +01:00
Willem Toorop 8a7226baee Move from debugging to logging for 
- upstream_stats & stub system
 2018-12-07 14:02:17 +01:00
Willem Toorop a1692359f3 RFE #408: Retry fetching of TA after backoff time 2018-12-03 12:27:31 +01:00
Jim Hague 0cdede21df Abstract SHA1 calculation. 2018-11-27 15:29:48 +00:00
Willem Toorop 6b10570842 DNSSEC bugfix found with static analysis 
* Fix for DNSSEC bug in finding most specific key when
  trust anchor proves non-existance of one of the labels
  along the authentication chain other than the non-
  existance of a DS record on a zonecut.
 2018-11-22 10:21:48 +01:00
Jim Hague 4f67491971 Remove unnecessary OpenSSL include in dnssec.c. 2018-11-20 17:36:56 +00:00
Willem Toorop 884f6ddc5e DS is always a delegation and never at the apex 2018-06-10 16:57:40 +02:00
Willem Toorop 25231aa686 Fix finding signer of NSEC and NSEC3s 
Thanks Philip Homburg
 2018-06-08 21:39:59 +02:00
Willem Toorop 9c01968048 DS and DNSKEY lookups for tld and sld immediately 
Resolves issue getdnsapi/stubby#99
 2018-05-01 17:07:16 +02:00
Willem Toorop 7fecf5a93d Allow NSEC spans starting from (unexpanded) wildcards 2018-05-01 13:19:24 +02:00
Willem Toorop e93b583a26 Merge branch 'devel/dnssec_issues' into release/1.4.1 2018-03-05 11:41:55 +01:00
Willem Toorop e29cfb6b6a Query for DS i.s.o. SOA to find zonecuts 
Because of broken setups that have zonecuts without SOA:

```
$ drill -T www.gslb.kpn.com A
.	518400	IN	NS	i.root-servers.net.
com.	172800	IN	NS	a.gtld-servers.net.
kpn.com.	172800	IN	NS	ns1.kpn.net.
kpn.com.	172800	IN	NS	ns2.kpn.net.
gslb.kpn.com.	3600	IN	NS	gss1.kpn.com.
gslb.kpn.com.	3600	IN	NS	gss2.kpn.com.
www.gslb.kpn.com.	10	IN	A	145.7.170.135
```

but

```
$ drill gslb.kpn.com SOA
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 48303
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; gslb.kpn.com.	IN	SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 8 msec
;; SERVER: 185.49.140.100
;; WHEN: Fri Mar  2 14:13:21 2018
;; MSG SIZE  rcvd: 30
```
 2018-03-02 14:14:28 +01:00
Willem Toorop abc69f96fe Follow unsigned SOA's as insecure zonecut indication 
Should resolve issue #385
 2018-03-02 11:15:45 +01:00
Daniel Kahn Gillmor 9301f8970c Fix minor spelling and formatting. 
These issues were found with the codespell tool.
 2018-02-23 14:12:11 -08:00
Willem Toorop 4f37d2b933 No wildcard expansions allowed for RRs used in DNSSEC proofs 
Signatures of DNSKEYs, DSs, NSECs and NSEC3s can not be wildcard expansions when used with DNSSEC proofs.
Only direct queries for those types are allowed to be wildcard expansions.

This in response to https://unbound.net/downloads/CVE-2017-15105.txt, although getdns was not vulnerable for this specific issue.
 2018-01-23 16:50:05 +01:00
Willem Toorop 8c87028d77 Only get root-anchors.xml when BOGUS root dnskey... 
did have signatures which did not validate
 2017-11-28 16:58:12 +01:00
Willem Toorop 30e440d35c Access of freed memory in stub DNSSEC cleanup code 
Should fix the latest core dump reported in getdnsapi/stubby#34
 2017-11-27 15:26:45 +01:00
Willem Toorop 3a1cb30c28 BOGUS answer because unable to fetch root DNSKEY... 
... should not cause segfault
 2017-11-21 15:38:49 +01:00
Willem Toorop 2434336ead Include all RRSIGs in validation chain 
Because we don't know algorithm support of other validators.

But still canonicalize the RRset with the one used to validate just because we can.
 2017-11-02 12:42:26 +01:00
Willem Toorop 7e103217c6 unsigned RRs in authority section with BIND 
when +CD flag is used
 2017-11-01 16:47:28 +01:00
Willem Toorop 270c3d654f Support DNSSEC validation without support records 2017-11-01 15:28:46 +01:00
Willem Toorop b4ae4b7121 Cannot fetch DNSKEY when in DNSKEY callback ... 
for the same name in full recursion
 2017-11-01 15:01:58 +01:00
Willem Toorop 23daf9aac3 Fix TLS authentication 2017-09-28 22:17:36 +02:00
Willem Toorop cefeed2b47 PRIsz usage like PRIu64 etc. 2017-09-27 13:15:12 +02:00
Willem Toorop 36943a4380 A dnsreq is bogus if any of its netreqs is 2017-09-20 14:42:35 +02:00
Willem Toorop 17d7ee79f2 Fix NULL pointer dereference 2017-09-20 12:44:14 +02:00
Willem Toorop f0f2afbca7 Fetch TA before resolve for full recursion too 2017-09-20 12:40:59 +02:00
Willem Toorop e2abb8aff4 Fetch TA when ZONE or APP TASRC and bogus answer 2017-09-20 11:44:21 +02:00
Willem Toorop 34d35f9e79 Track updating TA's with root DNSKEY rrset 2017-09-20 10:30:13 +02:00
Willem Toorop f31eb517e0 Lazy TA and time checking 2017-09-14 11:47:02 +02:00
Willem Toorop 2ed2871549 Merge branch 'develop' into features/zeroconf-dnssec 2017-08-30 15:09:39 +02:00
Willem Toorop 5a94081634 Make switch/case fallthroughs explicit 
+1 fallthrough bugfix in getdns_query
 2017-08-24 13:51:58 +02:00
Willem Toorop e11dc92df1 Hopefully the last warning 2017-07-15 18:38:31 +02:00
Willem Toorop 84430e02cd Actually working roadblocks and getting validation chains 2017-07-15 17:48:24 +02:00
Willem Toorop bceb6c8c87 Resubmit netreqs when roadblocks need to be avoided 2017-07-15 11:14:35 +02:00
Willem Toorop 3e6c5775ff Fetch and equip context with trust-anchors 2017-06-30 10:18:07 +02:00
Willem Toorop fb267938c3 Start with fetching root-anchors remotely 
Also lays the foundation for looking up upstreams by name and DANE authentication of upstreams.
 2017-06-28 20:35:30 +02:00
Willem Toorop b4eecd59ab Merge branch 'develop' into release/1.1.0 2017-04-13 15:46:24 +02:00
Willem Toorop 02516c4079 Two last warnings 2017-04-13 15:45:59 +02:00
Willem Toorop 691d1a77e6 Fix VS Code analysis warning 
Should settle issue #239
 2017-04-13 10:59:20 +02:00
Willem Toorop e08d3592a0 Schedule timeout when collecting for dnssec chain 2017-04-06 11:20:08 +02:00
Willem Toorop 14c9f3aafc Track netreqs "in flight" 2017-03-14 17:17:56 +01:00
Willem Toorop 639239f45c Schedule dnsreqs with absolute timeout/expiry time 2017-03-13 14:20:47 +01:00