interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
2,523 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

164 Commits

Author SHA1 Message Date
Willem Toorop a8dbb3dd51 Static checking fixes 2016-04-29 12:00:17 +02:00
Willem Toorop af8e27f059 Merge branch 'devel/scheduling_bug_detection' into features/canonical_dnssec_chain 2016-04-22 14:42:25 +02:00
Willem Toorop d61e64c9c7 Fix callbacks during scheduling in DNSSEC code too 2016-04-22 14:09:18 +02:00
Willem Toorop 15271d0438 Account for callbacks fired during scheduling 2016-04-21 15:16:38 +02:00
Willem Toorop 4849329818 dnssec_return_full_validation_chain extension 
That also returns all records that had to be proofed secure in canonical form in the "validation_chain".
 2016-04-18 22:06:12 +02:00
Willem Toorop e1126c9cf8 Canonicalize dnssec chain 
When validated
 2016-04-18 15:36:39 +02:00
Willem Toorop 90beaaff1d Use non-copying list_append_this_dict 2016-03-21 14:56:09 +01:00
Willem Toorop 4551f0850b Use non-copying dict_set_list 2016-03-21 12:50:43 +01:00
Melinda Shore 4b5c61145a Merge pull request #144 from wtoorop/devel/default_eventloop 
Devel/default eventloop
 2016-03-14 20:02:57 -08:00
Willem Toorop 707b0d21c8 bugfix: don't reset skew 2016-02-11 11:27:03 +01:00
Willem Toorop 045d0d481c Offline dnssec validation at a given point in time 2016-02-11 11:24:22 +01:00
Willem Toorop 24b58074bf Prevent chain checks to be performed too early 2016-01-20 13:09:18 +01:00
Willem Toorop 39f7e87f1a Get rid of unkown format specifiers on windows 2016-01-11 12:11:17 +01:00
Willem Toorop 08c0c4d6e4 Fixes from testing on different platforms 2015-12-30 14:39:11 +01:00
Willem Toorop 89b6c04d4f First query append 2015-12-29 17:34:14 +01:00
Willem Toorop fe7a1e89e3 Constify new work 2015-12-22 11:32:15 +01:00
Willem Toorop 5bbcbb97a1 Merge branch 'develop' into features/conversion_functions 2015-12-22 11:28:27 +01:00
Willem Toorop 5663f914fb Mode debug marco's to own header 
To reduce dependency location fixes in test directory.
 2015-12-18 13:40:52 +01:00
Willem Toorop e747efe415 Merge branch 'develop' into features/conversion_functions 2015-12-16 12:42:32 +01:00
Willem Toorop 1ef4db8e9d Unique NSEC and NSEC3 rrsets in "validation_chain" 2015-12-16 12:40:32 +01:00
Willem Toorop d09e892285 Convert rr_dict with missing rdata to wire format 
In wireformat this then means no rdata.
This is needed with the zonecut indicating DSes returned in the validation chain.
 2015-12-16 12:02:53 +01:00
Willem Toorop 2c2359af61 Remove duplicate records in RRset before verifying 
As suggested in RFC4034 section 6.3
 2015-12-16 10:47:15 +01:00
Willem Toorop c53f074fdf Propagate consts with debugging symbols 2015-12-08 09:39:28 +01:00
Willem Toorop d67949d1e7 iterators go over const wireformat data 2015-12-07 16:43:41 +01:00
Willem Toorop afe5db6b55 Get validation chain avoiding roadblocks 2015-11-14 20:00:13 -05:00
Willem Toorop c7f4fc3625 Fix disabling roadblock avoidance with configure 2015-11-05 07:43:33 +09:00
Willem Toorop eb4ba438f7 return_validation_chain + roadblock_avoidance bug 2015-11-05 07:11:51 +09:00
Willem Toorop 58885e04d7 dnssec_roadblock_avoidance extension 2015-10-31 21:04:08 +09:00
Willem Toorop 65663e6da8 DNSSEC zonecut finding issues 
Thanks Theogene Bucuti
 2015-10-02 12:45:32 +02:00
Willem Toorop 8dfb7454d6 Signature inception and expiry checking 2015-09-28 13:48:51 +02:00
Willem Toorop 59f4feb5e6 Native DS with DNSKEY compare + rm ldns dependency 2015-09-25 14:28:47 +02:00
Willem Toorop d8cc7b1ba3 Native signature verification 2015-09-25 11:48:58 +02:00
Willem Toorop 2e4c0928f7 Import unbound's crypto 2015-09-23 16:48:54 +02:00
Willem Toorop fda5394540 Verify raw buffer (still with ldns) 2015-09-23 16:03:59 +02:00
Willem Toorop 8b414c8570 Sort RR's to validate 2015-09-22 12:27:17 +02:00
Willem Toorop e47bd33ec0 Determine validation buffer size 2015-09-21 17:13:44 +02:00
Willem Toorop bf7f44dcb7 Put rrs to validate in rrset 2015-09-21 12:59:30 +02:00
Willem Toorop f673e12106 Memory management for _getdns_verify_rrsig 2015-09-21 12:36:41 +02:00
Willem Toorop 5db5a8b5e6 Correct some comment text 2015-09-18 09:53:27 +02:00
Willem Toorop dbc53e773d 0.3.3 quickfix release 2015-09-09 12:45:29 +02:00
Willem Toorop a543c23926 Spelling 2015-09-08 11:24:45 +02:00
Willem Toorop 46ea366f5f Fix dnssec validation of direct CNAME queries 
Thanks Simson L. Garfinkel.
 2015-09-08 10:52:04 +02:00
Willem Toorop 015e387ea5 Final internal symbols rename to _getdns prefix 2015-08-19 16:33:19 +02:00
Willem Toorop b9e8455e27 Internal symbols always prefixed with _getdns 2015-08-19 16:30:15 +02:00
Willem Toorop fcd595298a Rename all priv_getdns internal symbols to _getdns 2015-08-19 16:22:38 +02:00
Willem Toorop 09492cbf46 _getdns_nsec3_hash_label without ldns 2015-08-19 15:19:02 +02:00
Willem Toorop 6350b4fad4 --without-libunbound option to configure 2015-08-19 10:47:46 +02:00
Willem Toorop 587b320d95 DNS tree was upside down (wording in comments) 
According to RFC1034 Section 4.2.1., the zone's apex is at the top and delegations at the bottom.
 2015-07-14 10:49:00 +02:00
Willem Toorop 6f21d89e2a Lookup DS only, for no sigs INSECURE 2015-07-14 10:22:42 +02:00
Willem Toorop 2dab8dd4d6 Fix handling of non specific trust anchors and ... 
unsported DS digest types
 2015-07-09 23:11:56 +02:00
Willem Toorop 098e0f19c4 Don't skip points zone cuts with trusted keys 
A new keyset must be authenticated at every zone cut.
A keyset from an ancecter of the immediate zone may never be used
to authenticate RRsets within a zone.

(Review from Wouter)
 2015-07-09 08:15:38 +02:00
Willem Toorop d87d951874 set ds_signer only when actually signed 2015-07-08 17:15:27 +02:00
Willem Toorop 201b6af9a2 clang compiler warnings + 1 bug! 
Bug is countring insecure answers in util-internal.c
found by clang warning reporting
 2015-07-08 13:07:24 +02:00
Willem Toorop 2918c8b472 DSes with best digest + INSECURE on unsupportd alg 
Adaptations to function ds_authenticates_keys.

With multiple DSes, only the ones with the highest (supported)
digest type will be used to authenticate DNSKEYs.

NO_SUPPORTED_ALGORITHMS will be returned if there were
DSes for a key in the DNSKEY set, but none of them has a supported
digest or algorithm.  This leads to dnssec_status INSECURE.
 2015-07-08 12:21:04 +02:00
Willem Toorop a5bacfefcf memory leak fixes 2015-07-08 11:07:44 +02:00
Willem Toorop 51a04f8f6c RSAMD5 is deprecated 2015-07-08 00:18:19 +02:00
Willem Toorop 3b45255d1e Try only closest trust anchors 2015-07-08 00:10:10 +02:00
Willem Toorop e48b0c7fd7 INSECURE when NSEC3 iteration count too high 
Fix from Wouter's review
 2015-07-07 22:33:53 +02:00
Willem Toorop 4b53d70199 Review from Wouter minor issues 2015-07-07 14:52:32 +02:00
Willem Toorop 83425f959e Review comments from Wouter 
Thanks!
 2015-07-07 11:15:38 +02:00
Willem Toorop 43980e9020 [API 0.601] CSYNC RR type 2015-07-06 14:14:46 +02:00
Willem Toorop 55444d07a2 Documentation in comments as a review guideline 2015-07-06 11:57:16 +02:00
Willem Toorop 70edb60f09 Some comment about google public dns 2015-07-04 13:14:16 +02:00
Willem Toorop 0e977ee4fb rearrangements for documentational reasons 
+ a fix for opt_out bug
 2015-07-04 13:01:16 +02:00
Willem Toorop 7e3fbe547a Check NSEC3 CE to be without delegations 
(no DNAME, no NS or, if NS then also SOA)
 2015-07-04 10:53:31 +02:00
Willem Toorop f59b32414c Three NSEC3 related things: 
- Better checking for type bits
- NSEC3 Insecure proofs for opt-out on head's
- NSEC3 wildcard NODATA proof
 2015-07-04 10:23:02 +02:00
Willem Toorop 99f0026961 Allow remaining data RDF to be zero size 
Usefull for NSECs on empty non terminals!
 2015-07-04 08:09:50 +02:00
Willem Toorop 682f10b271 NSEC3s on empty non terminals 
bitmap might even not be present.
 2015-07-04 00:08:03 +02:00
Willem Toorop 2c09ff2541 Deal with synthesized CNAMEs from DNAMEs 2015-07-03 23:44:15 +02:00
Willem Toorop 4d4f235f76 NSEC handling complete 2015-07-03 22:50:29 +02:00
Willem Toorop a66232153a Some more NSEC conditional checks 
(from studying unbound code)
 2015-07-03 00:44:53 +02:00
Willem Toorop af49184fd5 A single RRSIG per RRSET in validation_chain 2015-07-02 17:30:37 +02:00
Willem Toorop d47c533b64 getdns_validate_dnssec validate replies in turn 2015-07-02 15:31:31 +02:00
Willem Toorop ae580575d0 Only validate NOERROR & NXDOMAIN 2015-07-02 12:59:28 +02:00
Willem Toorop 6cffc4792b Validate replies with getdns_validate_dnssec 
You can feed it the replies_tree as the records to validate list
 2015-07-02 00:25:41 +02:00
Willem Toorop f92dd5ac0d getdns_validate_dnssec with new DNSSEC code 2015-07-01 21:50:47 +02:00
Willem Toorop 41cf772fb3 Trust anchors in wireformat in context 2015-06-30 14:43:52 +02:00
Willem Toorop 996b09ba2b Reminder for single RRSIG per RRSET return 
With the dnssec_return_validation_chain extension
 2015-06-30 00:12:30 +02:00
Willem Toorop 3cd9caa704 Evaluate DNSSEC only with stub resolution 2015-06-29 23:48:46 +02:00
Willem Toorop 8d5ac3afde Store dnsreq->name in wire format 2015-06-29 23:32:49 +02:00
Willem Toorop 407ecffb67 dnssec_status in netreqs 2015-06-29 22:23:01 +02:00
Willem Toorop 2b83bddd4d More sense making parameter names for is_subdomain 2015-06-29 09:18:53 +02:00
Willem Toorop 4e45d31413 No wildcard NSEC3 check on opt-out 2015-06-28 13:41:48 +02:00
Willem Toorop 170218c350 Expand dname rdata fields before compare 2015-06-27 23:47:47 +02:00
Willem Toorop f6c1a48b6e Validaton of wildcard answers 2015-06-27 23:28:23 +02:00
Willem Toorop 19b79b066f NSEC NXDOMAIN + NSEC3 denial of exist. validation 2015-06-26 00:26:40 +02:00
Willem Toorop ea69d30e64 Validation of signed responses 
+ start with unsigned responses (only the NSEC NOERROR case)
 2015-06-25 10:04:19 +02:00
Willem Toorop c7c7884350 Generalize getdns_rrset for raw pkt, not netreq 2015-06-23 16:41:34 +02:00
Willem Toorop 3631cd658a get_val_chain for all possible scenarios 2015-06-23 00:00:20 +02:00
Willem Toorop e328f848eb getdns_rrset and iterators 2015-06-19 18:02:16 +02:00
Willem Toorop 129e340e8e Collect validation chains for RRs without sigs 2015-06-17 14:46:44 +02:00
Willem Toorop 97f0dddb1e remove ldns dependency from rr-dict.c 
Only dnssec.c left
 2015-06-12 13:51:36 +02:00
Willem Toorop ae1db39a33 Native stub validation 2015-06-11 15:40:44 +02:00
Willem Toorop 526c3a3491 Fix stub validation key rollover issue 2015-03-22 15:41:55 -05:00
Willem Toorop a53f50b530 Minor stub validation fixes and improvements 2015-03-19 10:55:34 +01:00
Willem Toorop d2345285a6 dnssec_return_validation_chain with stub resolving 2015-03-18 23:45:26 +01:00
Willem Toorop 7fc18e8c35 Anticipate older libldns with travis 2015-03-18 21:43:41 +01:00
Willem Toorop fa782d1043 --enable-broken-native-stub-dnssec 
Still needs a little more work for wildcards and NODATA answers...
 2015-03-18 14:45:06 +01:00
Willem Toorop 9942550748 dnssec_return_validation_chain without ldns 2015-03-16 17:05:03 +01:00
Willem Toorop 70cb26bb00 Read trust anchor file without ldns 2015-03-15 21:25:38 +01:00