interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
2,810 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

182 Commits

Author SHA1 Message Date
Willem Toorop bb99321e57 More constness for issue #410 2018-12-07 16:34:03 +01:00
Willem Toorop 8a7226baee Move from debugging to logging for 
- upstream_stats & stub system
 2018-12-07 14:02:17 +01:00
Willem Toorop a1692359f3 RFE #408: Retry fetching of TA after backoff time 2018-12-03 12:27:31 +01:00
Willem Toorop 6b10570842 DNSSEC bugfix found with static analysis 
* Fix for DNSSEC bug in finding most specific key when
  trust anchor proves non-existance of one of the labels
  along the authentication chain other than the non-
  existance of a DS record on a zonecut.
 2018-11-22 10:21:48 +01:00
Willem Toorop 884f6ddc5e DS is always a delegation and never at the apex 2018-06-10 16:57:40 +02:00
Willem Toorop 25231aa686 Fix finding signer of NSEC and NSEC3s 
Thanks Philip Homburg
 2018-06-08 21:39:59 +02:00
Willem Toorop 9c01968048 DS and DNSKEY lookups for tld and sld immediately 
Resolves issue getdnsapi/stubby#99
 2018-05-01 17:07:16 +02:00
Willem Toorop 7fecf5a93d Allow NSEC spans starting from (unexpanded) wildcards 2018-05-01 13:19:24 +02:00
Willem Toorop e93b583a26 Merge branch 'devel/dnssec_issues' into release/1.4.1 2018-03-05 11:41:55 +01:00
Willem Toorop e29cfb6b6a Query for DS i.s.o. SOA to find zonecuts 
Because of broken setups that have zonecuts without SOA:

```
$ drill -T www.gslb.kpn.com A
.	518400	IN	NS	i.root-servers.net.
com.	172800	IN	NS	a.gtld-servers.net.
kpn.com.	172800	IN	NS	ns1.kpn.net.
kpn.com.	172800	IN	NS	ns2.kpn.net.
gslb.kpn.com.	3600	IN	NS	gss1.kpn.com.
gslb.kpn.com.	3600	IN	NS	gss2.kpn.com.
www.gslb.kpn.com.	10	IN	A	145.7.170.135
```

but

```
$ drill gslb.kpn.com SOA
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 48303
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; gslb.kpn.com.	IN	SOA

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 8 msec
;; SERVER: 185.49.140.100
;; WHEN: Fri Mar  2 14:13:21 2018
;; MSG SIZE  rcvd: 30
```
 2018-03-02 14:14:28 +01:00
Willem Toorop abc69f96fe Follow unsigned SOA's as insecure zonecut indication 
Should resolve issue #385
 2018-03-02 11:15:45 +01:00
Daniel Kahn Gillmor 9301f8970c Fix minor spelling and formatting. 
These issues were found with the codespell tool.
 2018-02-23 14:12:11 -08:00
Willem Toorop 4f37d2b933 No wildcard expansions allowed for RRs used in DNSSEC proofs 
Signatures of DNSKEYs, DSs, NSECs and NSEC3s can not be wildcard expansions when used with DNSSEC proofs.
Only direct queries for those types are allowed to be wildcard expansions.

This in response to https://unbound.net/downloads/CVE-2017-15105.txt, although getdns was not vulnerable for this specific issue.
 2018-01-23 16:50:05 +01:00
Willem Toorop 8c87028d77 Only get root-anchors.xml when BOGUS root dnskey... 
did have signatures which did not validate
 2017-11-28 16:58:12 +01:00
Willem Toorop 30e440d35c Access of freed memory in stub DNSSEC cleanup code 
Should fix the latest core dump reported in getdnsapi/stubby#34
 2017-11-27 15:26:45 +01:00
Willem Toorop 3a1cb30c28 BOGUS answer because unable to fetch root DNSKEY... 
... should not cause segfault
 2017-11-21 15:38:49 +01:00
Willem Toorop 2434336ead Include all RRSIGs in validation chain 
Because we don't know algorithm support of other validators.

But still canonicalize the RRset with the one used to validate just because we can.
 2017-11-02 12:42:26 +01:00
Willem Toorop 7e103217c6 unsigned RRs in authority section with BIND 
when +CD flag is used
 2017-11-01 16:47:28 +01:00
Willem Toorop 270c3d654f Support DNSSEC validation without support records 2017-11-01 15:28:46 +01:00
Willem Toorop b4ae4b7121 Cannot fetch DNSKEY when in DNSKEY callback ... 
for the same name in full recursion
 2017-11-01 15:01:58 +01:00
Willem Toorop 23daf9aac3 Fix TLS authentication 2017-09-28 22:17:36 +02:00
Willem Toorop cefeed2b47 PRIsz usage like PRIu64 etc. 2017-09-27 13:15:12 +02:00
Willem Toorop 36943a4380 A dnsreq is bogus if any of its netreqs is 2017-09-20 14:42:35 +02:00
Willem Toorop 17d7ee79f2 Fix NULL pointer dereference 2017-09-20 12:44:14 +02:00
Willem Toorop f0f2afbca7 Fetch TA before resolve for full recursion too 2017-09-20 12:40:59 +02:00
Willem Toorop e2abb8aff4 Fetch TA when ZONE or APP TASRC and bogus answer 2017-09-20 11:44:21 +02:00
Willem Toorop 34d35f9e79 Track updating TA's with root DNSKEY rrset 2017-09-20 10:30:13 +02:00
Willem Toorop f31eb517e0 Lazy TA and time checking 2017-09-14 11:47:02 +02:00
Willem Toorop 2ed2871549 Merge branch 'develop' into features/zeroconf-dnssec 2017-08-30 15:09:39 +02:00
Willem Toorop 5a94081634 Make switch/case fallthroughs explicit 
+1 fallthrough bugfix in getdns_query
 2017-08-24 13:51:58 +02:00
Willem Toorop e11dc92df1 Hopefully the last warning 2017-07-15 18:38:31 +02:00
Willem Toorop 84430e02cd Actually working roadblocks and getting validation chains 2017-07-15 17:48:24 +02:00
Willem Toorop bceb6c8c87 Resubmit netreqs when roadblocks need to be avoided 2017-07-15 11:14:35 +02:00
Willem Toorop 3e6c5775ff Fetch and equip context with trust-anchors 2017-06-30 10:18:07 +02:00
Willem Toorop fb267938c3 Start with fetching root-anchors remotely 
Also lays the foundation for looking up upstreams by name and DANE authentication of upstreams.
 2017-06-28 20:35:30 +02:00
Willem Toorop b4eecd59ab Merge branch 'develop' into release/1.1.0 2017-04-13 15:46:24 +02:00
Willem Toorop 02516c4079 Two last warnings 2017-04-13 15:45:59 +02:00
Willem Toorop 691d1a77e6 Fix VS Code analysis warning 
Should settle issue #239
 2017-04-13 10:59:20 +02:00
Willem Toorop e08d3592a0 Schedule timeout when collecting for dnssec chain 2017-04-06 11:20:08 +02:00
Willem Toorop 14c9f3aafc Track netreqs "in flight" 2017-03-14 17:17:56 +01:00
Willem Toorop 639239f45c Schedule dnsreqs with absolute timeout/expiry time 2017-03-13 14:20:47 +01:00
Willem Toorop 74b1f77357 Cancel get validation chain getdns_dns_reqs 
And miscellaneous little other scheduling fixes and optimizations
 2017-02-18 13:16:25 +01:00
Willem Toorop 6ed3d77523 Cancel child validation chain dns_reqs on ... 
parent dns_req cancelation.
 2017-02-17 23:35:50 +01:00
Willem Toorop 600036da73 Merge branch 'develop' into release/1.1.0-alpha3 2016-12-12 12:08:49 +01:00
Christian Huitema b91e13b13b Fixing VS studio analysis issues in Get DNS code. 2016-12-10 16:03:17 -08:00
Willem Toorop 37cced78fc Merge branch 'develop' into release/1.1.0-alpha3 2016-12-09 13:27:55 +01:00
Willem Toorop 4345905a81 Address things that came out of VS static analysis 
Except for the stack usage cases
 2016-12-09 12:57:47 +01:00
Willem Toorop 3428412629 Some more minor merge fixes 2016-12-09 12:13:36 +01:00
Willem Toorop 5cc67ff554 Merge branch 'develop' into merge-develops 2016-12-09 12:05:42 +01:00
Willem Toorop eeca7b32b1 One more unused variable 2016-12-08 22:46:53 +01:00