Commit Graph

80 Commits

Author SHA1 Message Date
Willem Toorop 8b414c8570 Sort RRs to validate 2015-09-22 12:27:17 +02:00
Willem Toorop e47bd33ec0 Determine validation buffer size 2015-09-21 17:13:44 +02:00
Willem Toorop bf7f44dcb7 Put rrs to validate in rrset 2015-09-21 12:59:30 +02:00
Willem Toorop f673e12106 Memory management for _getdns_verify_rrsig 2015-09-21 12:36:41 +02:00
Willem Toorop 5db5a8b5e6 Correct some comment text 2015-09-18 09:53:27 +02:00
Willem Toorop dbc53e773d 0.3.3 quickfix release 2015-09-09 12:45:29 +02:00
Willem Toorop a543c23926 Spelling 2015-09-08 11:24:45 +02:00
Willem Toorop 46ea366f5f Fix dnssec validation of direct CNAME queries
Thanks Simson L. Garfinkel.
2015-09-08 10:52:04 +02:00
Willem Toorop 015e387ea5 Final internal symbols rename to _getdns prefix 2015-08-19 16:33:19 +02:00
Willem Toorop b9e8455e27 Internal symbols always prefixed with _getdns 2015-08-19 16:30:15 +02:00
Willem Toorop fcd595298a Rename all priv_getdns internal symbols to _getdns 2015-08-19 16:22:38 +02:00
Willem Toorop 09492cbf46 _getdns_nsec3_hash_label without ldns 2015-08-19 15:19:02 +02:00
Willem Toorop 6350b4fad4 --without-libunbound option to configure 2015-08-19 10:47:46 +02:00
Willem Toorop 587b320d95 DNS tree was upside down (wording in comments)
According to RFC1034 Section 4.2.1., the zone's apex is at the top and delegations at the bottom.
2015-07-14 10:49:00 +02:00
Willem Toorop 6f21d89e2a Lookup DS only, for no sigs INSECURE 2015-07-14 10:22:42 +02:00
Willem Toorop 2dab8dd4d6 Fix handling of non-specific trust anchors and ...
unsupported DS digest types
2015-07-09 23:11:56 +02:00
Willem Toorop 098e0f19c4 Don't skip points zone cuts with trusted keys
A new keyset must be authenticated at every zone cut.
A keyset from an ancestor of the immediate zone may never be used
to authenticate RRsets within a zone.

(Review from Wouter)
2015-07-09 08:15:38 +02:00
Willem Toorop d87d951874 set ds_signer only when actually signed 2015-07-08 17:15:27 +02:00
Willem Toorop 201b6af9a2 clang compiler warnings + 1 bug!
Bug is counting insecure answers in util-internal.c
found by clang warning reporting
2015-07-08 13:07:24 +02:00
Willem Toorop 2918c8b472 DSes with best digest + INSECURE on unsupported alg
Adaptations to function ds_authenticates_keys.

With multiple DSes, only the ones with the highest (supported)
digest type will be used to authenticate DNSKEYs.

NO_SUPPORTED_ALGORITHMS will be returned if there were
DSes for a key in the DNSKEY set, but none of them has a supported
digest or algorithm.  This leads to dnssec_status INSECURE.
2015-07-08 12:21:04 +02:00
Willem Toorop a5bacfefcf memory leak fixes 2015-07-08 11:07:44 +02:00
Willem Toorop 51a04f8f6c RSAMD5 is deprecated 2015-07-08 00:18:19 +02:00
Willem Toorop 3b45255d1e Try only closest trust anchors 2015-07-08 00:10:10 +02:00
Willem Toorop e48b0c7fd7 INSECURE when NSEC3 iteration count too high
Fix from Wouter's review
2015-07-07 22:33:53 +02:00
Willem Toorop 4b53d70199 Review from Wouter minor issues 2015-07-07 14:52:32 +02:00
Willem Toorop 83425f959e Review comments from Wouter
Thanks!
2015-07-07 11:15:38 +02:00
Willem Toorop 43980e9020 [API 0.601] CSYNC RR type 2015-07-06 14:14:46 +02:00
Willem Toorop 55444d07a2 Documentation in comments as a review guideline 2015-07-06 11:57:16 +02:00
Willem Toorop 70edb60f09 Some comment about google public dns 2015-07-04 13:14:16 +02:00
Willem Toorop 0e977ee4fb rearrangements for documentational reasons
+ a fix for opt_out bug
2015-07-04 13:01:16 +02:00
Willem Toorop 7e3fbe547a Check NSEC3 CE to be without delegations
(no DNAME, no NS or, if NS then also SOA)
2015-07-04 10:53:31 +02:00
Willem Toorop f59b32414c Three NSEC3 related things:
- Better checking for type bits
- NSEC3 Insecure proofs for opt-out on head's
- NSEC3 wildcard NODATA proof
2015-07-04 10:23:02 +02:00
Willem Toorop 99f0026961 Allow remaining data RDF to be zero size
Useful for NSECs on empty non terminals!
2015-07-04 08:09:50 +02:00
Willem Toorop 682f10b271 NSEC3s on empty non terminals
bitmap might even not be present.
2015-07-04 00:08:03 +02:00
Willem Toorop 2c09ff2541 Deal with synthesized CNAMEs from DNAMEs 2015-07-03 23:44:15 +02:00
Willem Toorop 4d4f235f76 NSEC handling complete 2015-07-03 22:50:29 +02:00
Willem Toorop a66232153a Some more NSEC conditional checks
(from studying unbound code)
2015-07-03 00:44:53 +02:00
Willem Toorop af49184fd5 A single RRSIG per RRSET in validation_chain 2015-07-02 17:30:37 +02:00
Willem Toorop d47c533b64 getdns_validate_dnssec validate replies in turn 2015-07-02 15:31:31 +02:00
Willem Toorop ae580575d0 Only validate NOERROR & NXDOMAIN 2015-07-02 12:59:28 +02:00
Willem Toorop 6cffc4792b Validate replies with getdns_validate_dnssec
You can feed it the replies_tree as the records to validate list
2015-07-02 00:25:41 +02:00
Willem Toorop f92dd5ac0d getdns_validate_dnssec with new DNSSEC code 2015-07-01 21:50:47 +02:00
Willem Toorop 41cf772fb3 Trust anchors in wireformat in context 2015-06-30 14:43:52 +02:00
Willem Toorop 996b09ba2b Reminder for single RRSIG per RRSET return
With the dnssec_return_validation_chain extension
2015-06-30 00:12:30 +02:00
Willem Toorop 3cd9caa704 Evaluate DNSSEC only with stub resolution 2015-06-29 23:48:46 +02:00
Willem Toorop 8d5ac3afde Store dnsreq->name in wire format 2015-06-29 23:32:49 +02:00
Willem Toorop 407ecffb67 dnssec_status in netreqs 2015-06-29 22:23:01 +02:00
Willem Toorop 2b83bddd4d More sense making parameter names for is_subdomain 2015-06-29 09:18:53 +02:00
Willem Toorop 4e45d31413 No wildcard NSEC3 check on opt-out 2015-06-28 13:41:48 +02:00
Willem Toorop 170218c350 Expand dname rdata fields before compare 2015-06-27 23:47:47 +02:00