interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
2,462 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

161 Commits

Author SHA1 Message Date
Willem Toorop 2918c8b472 DSes with best digest + INSECURE on unsupportd alg 
Adaptations to function ds_authenticates_keys.

With multiple DSes, only the ones with the highest (supported)
digest type will be used to authenticate DNSKEYs.

NO_SUPPORTED_ALGORITHMS will be returned if there were
DSes for a key in the DNSKEY set, but none of them has a supported
digest or algorithm.  This leads to dnssec_status INSECURE.
 2015-07-08 12:21:04 +02:00
Willem Toorop a5bacfefcf memory leak fixes 2015-07-08 11:07:44 +02:00
Willem Toorop 51a04f8f6c RSAMD5 is deprecated 2015-07-08 00:18:19 +02:00
Willem Toorop 3b45255d1e Try only closest trust anchors 2015-07-08 00:10:10 +02:00
Willem Toorop e48b0c7fd7 INSECURE when NSEC3 iteration count too high 
Fix from Wouter's review
 2015-07-07 22:33:53 +02:00
Willem Toorop 4b53d70199 Review from Wouter minor issues 2015-07-07 14:52:32 +02:00
Willem Toorop 83425f959e Review comments from Wouter 
Thanks!
 2015-07-07 11:15:38 +02:00
Willem Toorop 43980e9020 [API 0.601] CSYNC RR type 2015-07-06 14:14:46 +02:00
Willem Toorop 55444d07a2 Documentation in comments as a review guideline 2015-07-06 11:57:16 +02:00
Willem Toorop 70edb60f09 Some comment about google public dns 2015-07-04 13:14:16 +02:00
Willem Toorop 0e977ee4fb rearrangements for documentational reasons 
+ a fix for opt_out bug
 2015-07-04 13:01:16 +02:00
Willem Toorop 7e3fbe547a Check NSEC3 CE to be without delegations 
(no DNAME, no NS or, if NS then also SOA)
 2015-07-04 10:53:31 +02:00
Willem Toorop f59b32414c Three NSEC3 related things: 
- Better checking for type bits
- NSEC3 Insecure proofs for opt-out on head's
- NSEC3 wildcard NODATA proof
 2015-07-04 10:23:02 +02:00
Willem Toorop 99f0026961 Allow remaining data RDF to be zero size 
Usefull for NSECs on empty non terminals!
 2015-07-04 08:09:50 +02:00
Willem Toorop 682f10b271 NSEC3s on empty non terminals 
bitmap might even not be present.
 2015-07-04 00:08:03 +02:00
Willem Toorop 2c09ff2541 Deal with synthesized CNAMEs from DNAMEs 2015-07-03 23:44:15 +02:00
Willem Toorop 4d4f235f76 NSEC handling complete 2015-07-03 22:50:29 +02:00
Willem Toorop a66232153a Some more NSEC conditional checks 
(from studying unbound code)
 2015-07-03 00:44:53 +02:00
Willem Toorop af49184fd5 A single RRSIG per RRSET in validation_chain 2015-07-02 17:30:37 +02:00
Willem Toorop d47c533b64 getdns_validate_dnssec validate replies in turn 2015-07-02 15:31:31 +02:00
Willem Toorop ae580575d0 Only validate NOERROR & NXDOMAIN 2015-07-02 12:59:28 +02:00
Willem Toorop 6cffc4792b Validate replies with getdns_validate_dnssec 
You can feed it the replies_tree as the records to validate list
 2015-07-02 00:25:41 +02:00
Willem Toorop f92dd5ac0d getdns_validate_dnssec with new DNSSEC code 2015-07-01 21:50:47 +02:00
Willem Toorop 41cf772fb3 Trust anchors in wireformat in context 2015-06-30 14:43:52 +02:00
Willem Toorop 996b09ba2b Reminder for single RRSIG per RRSET return 
With the dnssec_return_validation_chain extension
 2015-06-30 00:12:30 +02:00
Willem Toorop 3cd9caa704 Evaluate DNSSEC only with stub resolution 2015-06-29 23:48:46 +02:00
Willem Toorop 8d5ac3afde Store dnsreq->name in wire format 2015-06-29 23:32:49 +02:00
Willem Toorop 407ecffb67 dnssec_status in netreqs 2015-06-29 22:23:01 +02:00
Willem Toorop 2b83bddd4d More sense making parameter names for is_subdomain 2015-06-29 09:18:53 +02:00
Willem Toorop 4e45d31413 No wildcard NSEC3 check on opt-out 2015-06-28 13:41:48 +02:00
Willem Toorop 170218c350 Expand dname rdata fields before compare 2015-06-27 23:47:47 +02:00
Willem Toorop f6c1a48b6e Validaton of wildcard answers 2015-06-27 23:28:23 +02:00
Willem Toorop 19b79b066f NSEC NXDOMAIN + NSEC3 denial of exist. validation 2015-06-26 00:26:40 +02:00
Willem Toorop ea69d30e64 Validation of signed responses 
+ start with unsigned responses (only the NSEC NOERROR case)
 2015-06-25 10:04:19 +02:00
Willem Toorop c7c7884350 Generalize getdns_rrset for raw pkt, not netreq 2015-06-23 16:41:34 +02:00
Willem Toorop 3631cd658a get_val_chain for all possible scenarios 2015-06-23 00:00:20 +02:00
Willem Toorop e328f848eb getdns_rrset and iterators 2015-06-19 18:02:16 +02:00
Willem Toorop 129e340e8e Collect validation chains for RRs without sigs 2015-06-17 14:46:44 +02:00
Willem Toorop 97f0dddb1e remove ldns dependency from rr-dict.c 
Only dnssec.c left
 2015-06-12 13:51:36 +02:00
Willem Toorop ae1db39a33 Native stub validation 2015-06-11 15:40:44 +02:00
Willem Toorop 526c3a3491 Fix stub validation key rollover issue 2015-03-22 15:41:55 -05:00
Willem Toorop a53f50b530 Minor stub validation fixes and improvements 2015-03-19 10:55:34 +01:00
Willem Toorop d2345285a6 dnssec_return_validation_chain with stub resolving 2015-03-18 23:45:26 +01:00
Willem Toorop 7fc18e8c35 Anticipate older libldns with travis 2015-03-18 21:43:41 +01:00
Willem Toorop fa782d1043 --enable-broken-native-stub-dnssec 
Still needs a little more work for wildcards and NODATA answers...
 2015-03-18 14:45:06 +01:00
Willem Toorop 9942550748 dnssec_return_validation_chain without ldns 2015-03-16 17:05:03 +01:00
Willem Toorop 70cb26bb00 Read trust anchor file without ldns 2015-03-15 21:25:38 +01:00
Willem Toorop a77f156d08 Remote the ldns_pkt result from the netreq 
Proving that we don't need ldns_pkt any more
 2015-02-18 12:36:42 +01:00
Willem Toorop 3f046cf573 Embed netreqs in dns_reqs and wire_data in netreqs 
TODO: make sure the wire_data buffer is filled with the response
 2015-01-29 12:30:40 +01:00
Willem Toorop b780db0538 Portability with older systems 
(tested on SunOS 5.11)
 2014-11-07 16:57:24 +01:00
Willem Toorop 114e459a43 Make things work on FreeBSD again 2014-10-31 14:17:30 +01:00
Willem Toorop 4a3d7fd8b2 Replace ldns_rbtree with getdns_rbtree 
As much as possible.
In dnssec ldns_rbtree is inderectly used via the dnssec_zone struct

This change forces use to embed the data in the nodes as getdns_rbtree does not have a data attribute. This is good because lesser allocs and free's and thus slightly faster and less likely to leak memory.
 2014-10-23 23:00:30 +02:00
Willem Toorop a0cb4e1774 Move stub resolving to stub.c again 
Merged hostname.c and service.c in general so that getdns_general_ns can become static.
Removed specialized synchronous handling from return_validation_chain code.
Removed un_timed_resolve (specialized sync handling is not needed anymore)
Renamed inter-object file symbols to priv_<name> and made intra-object symbols static as much as possible.
 2014-10-15 23:04:39 +02:00
Willem Toorop a9dbea22ad Chase NSEC and NSEC3 with return_validation_chain 2014-09-03 20:53:26 +02:00
Willem Toorop fc2f091f05 timed synchronous resolves 
Also returns an response dict with status GETDNS_RESPSTATUS_ALL_TIMEOUT on timeout
 2014-07-01 23:31:40 +02:00
Willem Toorop 57b51a5dcc prefer includes local to builddir 2014-05-19 15:50:34 +02:00
Willem Toorop d2c890ab6a Fill in <organization> place holder. 
s/the name of the <organization>/the names of the copyright holders/g
 2014-02-25 14:23:19 +01:00
Willem Toorop 8d77505219 s/Versign/Verisign/g in all files 2014-02-25 14:12:33 +01:00
Glen Wiley 6dd03b1cdc fixed spelling of NLnet in licenses, fixed make clean errs in docs 2014-02-24 09:26:20 -05:00
Glen Wiley 344893f87f fixed license and copyright notices 2014-02-20 09:12:19 -05:00
Willem Toorop 96b9f095a7 Implement getdns_root_trust_anchor 2014-02-19 16:56:00 +01:00