Willem Toorop
2918c8b472
DSes with best digest + INSECURE on unsupportd alg
...
Adaptations to function ds_authenticates_keys.
With multiple DSes, only the ones with the highest (supported)
digest type will be used to authenticate DNSKEYs.
NO_SUPPORTED_ALGORITHMS will be returned if there were
DSes for a key in the DNSKEY set, but none of them has a supported
digest or algorithm. This leads to dnssec_status INSECURE.
2015-07-08 12:21:04 +02:00
Willem Toorop
a5bacfefcf
memory leak fixes
2015-07-08 11:07:44 +02:00
Willem Toorop
51a04f8f6c
RSAMD5 is deprecated
2015-07-08 00:18:19 +02:00
Willem Toorop
3b45255d1e
Try only closest trust anchors
2015-07-08 00:10:10 +02:00
Willem Toorop
e48b0c7fd7
INSECURE when NSEC3 iteration count too high
...
Fix from Wouter's review
2015-07-07 22:33:53 +02:00
Willem Toorop
4b53d70199
Review from Wouter minor issues
2015-07-07 14:52:32 +02:00
Willem Toorop
e571883811
Fix test for NODATA address_sync lookup
...
hampster.com no longer suitable anymore.
2015-07-07 11:46:52 +02:00
Willem Toorop
83425f959e
Review comments from Wouter
...
Thanks!
2015-07-07 11:15:38 +02:00
Willem Toorop
43980e9020
[API 0.601] CSYNC RR type
2015-07-06 14:14:46 +02:00
Willem Toorop
af23930725
CSYNC rr type
2015-07-06 12:45:08 +02:00
Willem Toorop
55444d07a2
Documentation in comments as a review guideline
2015-07-06 11:57:16 +02:00
Willem Toorop
70edb60f09
Some comment about google public dns
2015-07-04 13:14:16 +02:00
Willem Toorop
0e977ee4fb
rearrangements for documentational reasons
...
+ a fix for opt_out bug
2015-07-04 13:01:16 +02:00
Willem Toorop
7e3fbe547a
Check NSEC3 CE to be without delegations
...
(no DNAME, no NS or, if NS then also SOA)
2015-07-04 10:53:31 +02:00
Willem Toorop
f59b32414c
Three NSEC3 related things:
...
- Better checking for type bits
- NSEC3 Insecure proofs for opt-out on head's
- NSEC3 wildcard NODATA proof
2015-07-04 10:23:02 +02:00
Willem Toorop
99f0026961
Allow remaining data RDF to be zero size
...
Usefull for NSECs on empty non terminals!
2015-07-04 08:09:50 +02:00
Willem Toorop
682f10b271
NSEC3s on empty non terminals
...
bitmap might even not be present.
2015-07-04 00:08:03 +02:00
Willem Toorop
2c09ff2541
Deal with synthesized CNAMEs from DNAMEs
2015-07-03 23:44:15 +02:00
Willem Toorop
4d4f235f76
NSEC handling complete
2015-07-03 22:50:29 +02:00
Willem Toorop
a66232153a
Some more NSEC conditional checks
...
(from studying unbound code)
2015-07-03 00:44:53 +02:00
Willem Toorop
af49184fd5
A single RRSIG per RRSET in validation_chain
2015-07-02 17:30:37 +02:00
Willem Toorop
d47c533b64
getdns_validate_dnssec validate replies in turn
2015-07-02 15:31:31 +02:00
Willem Toorop
ae580575d0
Only validate NOERROR & NXDOMAIN
2015-07-02 12:59:28 +02:00
Willem Toorop
e3fe89c802
Turn on specific debugging with configure options
2015-07-02 12:49:50 +02:00
Willem Toorop
f066d5ef73
Merge branch 'features/native-stub-dnssec' into develop
...
Conflicts:
configure.ac
src/stub.c
2015-07-02 10:27:27 +02:00
Willem Toorop
6cffc4792b
Validate replies with getdns_validate_dnssec
...
You can feed it the replies_tree as the records to validate list
2015-07-02 00:25:41 +02:00
Willem Toorop
f92dd5ac0d
getdns_validate_dnssec with new DNSSEC code
2015-07-01 21:50:47 +02:00
Willem Toorop
2b3aa84337
getdns_query show output of getdns_validate_dnssec
2015-07-01 14:38:24 +02:00
Willem Toorop
41cf772fb3
Trust anchors in wireformat in context
2015-06-30 14:43:52 +02:00
Willem Toorop
996b09ba2b
Reminder for single RRSIG per RRSET return
...
With the dnssec_return_validation_chain extension
2015-06-30 00:12:30 +02:00
Willem Toorop
3cd9caa704
Evaluate DNSSEC only with stub resolution
2015-06-29 23:48:46 +02:00
Willem Toorop
8d5ac3afde
Store dnsreq->name in wire format
2015-06-29 23:32:49 +02:00
Willem Toorop
407ecffb67
dnssec_status in netreqs
2015-06-29 22:23:01 +02:00
wtoorop
93e0237273
Merge pull request #106 from saradickinson/features/transport_fixups
...
Features/transport fixups
2015-06-29 21:09:47 +02:00
Sara Dickinson
8bb01c46ad
Turn TFO off by default. Strange crash found if TCP is not available.
2015-06-29 17:39:14 +01:00
Sara Dickinson
e5a80943e2
Turn fast open on by default. Fix build warning.
2015-06-29 11:54:31 +01:00
Sara Dickinson
e20d679bc8
Improve TCP close handling and sync connection closing
2015-06-29 09:09:13 +01:00
wtoorop
9ac1ea39b8
Merge pull request #105 from saradickinson/features/transport_fallback
...
Features/transport fallback
2015-06-29 09:21:31 +02:00
Willem Toorop
2b83bddd4d
More sense making parameter names for is_subdomain
2015-06-29 09:18:53 +02:00
Willem Toorop
4e45d31413
No wildcard NSEC3 check on opt-out
2015-06-28 13:41:48 +02:00
Willem Toorop
170218c350
Expand dname rdata fields before compare
2015-06-27 23:47:47 +02:00
Willem Toorop
f6c1a48b6e
Validaton of wildcard answers
2015-06-27 23:28:23 +02:00
Sara Dickinson
8c61ecd024
Finally fix problem with upstream walking that was causing intermittent crash. And fix sync idle timeouts. Again.
2015-06-26 16:14:04 +01:00
Sara Dickinson
8925fb22fc
More bug fixes and tidy up
2015-06-26 14:27:21 +01:00
Willem Toorop
0411668cb4
blah
2015-06-26 11:39:44 +02:00
Sara Dickinson
ddd90e29c5
Fix idle_timeout bug
2015-06-26 08:19:22 +01:00
Willem Toorop
fe4b7095b3
Set has_ta before unbound context initialization
2015-06-26 00:29:20 +02:00
Willem Toorop
19b79b066f
NSEC NXDOMAIN + NSEC3 denial of exist. validation
2015-06-26 00:26:40 +02:00
Sara Dickinson
cb5bbac26d
Do better with unbound transport mapping and fix problems with sync fallback
2015-06-25 20:21:00 +01:00
Willem Toorop
ea69d30e64
Validation of signed responses
...
+ start with unsigned responses (only the NSEC NOERROR case)
2015-06-25 10:04:19 +02:00