Simon Kelley
e3ec6f0bd7
Handle CNAMEs to DS records when confirming absence of DS for DNSSEC.
2015-06-12 21:39:11 +01:00
swigger
bd7bfa21c4
Correctly sanitise DNS header bits in answer when recreating query for retry.
2015-06-01 20:54:59 +01:00
Simon Kelley
86fa104692
Tweak EDNS timeout code.
2015-05-10 14:04:06 +01:00
Simon Kelley
a77cec8d58
Handle UDP packet loss when fragmentation of large packets is broken.
2015-05-08 16:25:38 +01:00
Simon Kelley
e66b4dff3c
Fix argument-order botch which broke DNSSEC for TCP queries.
2015-04-28 20:45:57 +01:00
Simon Kelley
554b580e97
Log domain when reporting DNSSEC validation failure.
2015-04-17 22:50:20 +01:00
Simon Kelley
982faf4024
Fix compiler warning when not including DNSSEC.
2015-04-03 21:42:30 +01:00
Simon Kelley
fe3992f9fa
Return INSECURE, rather than BOGUS when DS proved not to exist.
...
Return INSECURE when validating DNS replies which have RRSIGs, but
when a needed DS record in the trust chain is proved not to exist.
It's allowed for a zone to set up DNSKEY and RRSIG records first, then
add a DS later, completing the chain of trust.
Also, since we don't have the infrastructure to track that these
non-validated replies have RRSIGS, don't cache them, so we don't
provide answers with missing RRSIGS from the cache.
2015-04-03 21:25:05 +01:00
Simon Kelley
150162bc37
Return SERVFAIL when validation abandoned.
2015-03-27 09:58:26 +00:00
Simon Kelley
ff841ebf5a
Fix boilerplate code for re-running system calls on EINTR and EAGAIN etc.
...
The nasty code with static variable in retry_send() which
avoids looping forever needs to be called on success of the syscall,
to reset the static variable.
2015-03-11 21:36:30 +00:00
Simon Kelley
aff3396280
Update copyrights for dawn of 2015.
2015-01-31 20:13:40 +00:00
Simon Kelley
2ae195f5a7
Don't treat SERVFAIL as a recoverable error.....
2015-01-18 22:20:48 +00:00
Simon Kelley
25cf5e373e
Add --log-queries=extra option for more complete logging.
2015-01-09 15:53:03 +00:00
Simon Kelley
424c4a8a53
Merge branch 'unsigned'
2015-01-07 22:01:14 +00:00
Simon Kelley
97e618a0e3
DNSSEC: do top-down search for limit of secure delegation.
2015-01-07 21:55:43 +00:00
Glen Huang
32fc6dbe03
Add --ignore-address option.
2014-12-27 15:28:12 +00:00
Hans Dedecker
98906275a0
Fix conntrack with --bind-interfaces
...
Make sure dst_addr is assigned the correct address in receive_query when OPTNOWILD is
enabled so the assigned mark can be correctly retrieved and set in forward_query when
conntrack is enabled.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2014-12-09 22:22:53 +00:00
Karl Vogel
e9828b6f66
Set conntrack mark before connect() call.
...
SO_MARK has to be done before issuing the connect() call on the
TCP socket.
2014-10-03 21:45:15 +01:00
Richard Genoud
15b1b7e9c3
Fix endian bug in --local-service code.
2014-09-17 21:12:00 +01:00
Simon Kelley
b5ea1cc255
Add --dns-loop-detect feature.
2014-07-29 16:34:14 +01:00
Simon Kelley
47a9516980
Use event system to re-send query on new route. Tidies module boundaries.
2014-07-08 22:22:02 +01:00
Simon Kelley
8938ae05ac
Get packet size right when removing pseudoheader.
2014-05-01 17:46:25 +01:00
Simon Kelley
1fc02680af
Do SERVFAIL, therefore continue when searching for DS in TCP path too.
2014-04-29 12:30:18 +01:00
Simon Kelley
4872aa747b
Handle SERVFAIL replies when looking for proven-nonexistence of DS.
2014-04-26 22:13:31 +01:00
Simon Kelley
6375838445
Fix crash on TCP DNS request when DNSSEC not enabled.
2014-04-16 22:20:55 +01:00
Simon Kelley
82a14af5e7
Ensure request name in buffer for ipset lookup.
2014-04-13 20:48:57 +01:00
Simon Kelley
8a8bbad0cf
Ensure ->sentto is valid for DNSSEC forwards. Otherwise retries SEGV.
2014-03-27 22:02:17 +00:00
Simon Kelley
4e1fe44428
Terminate DS-search when reaching the root via cache entries.
2014-03-26 12:24:19 +00:00
Simon Kelley
51967f9807
SERVFAIL is an expected error return, don't try all servers.
2014-03-25 21:07:00 +00:00
Tomas Hozza
b37f8b99ae
Handle failure of hash_questions()
2014-03-25 20:52:28 +00:00
Tomas Hozza
fc2833f172
Memory leak in error path.
2014-03-25 20:43:21 +00:00
Simon Kelley
490f90758d
Reorder sanity checks on UDP packet reception, to cope with failed recvfrom()
2014-03-24 22:04:42 +00:00
Simon Kelley
2a7a2b84ec
Ignore DNS queries from port 0: http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html
2014-03-22 19:18:06 +00:00
Simon Kelley
2b29191e7c
Fix DNSSEC crash retrying to IPv6 server.
2014-03-21 11:13:55 +00:00
Simon Kelley
0c8584eabc
Warn about non-local queries once only for UDP.
2014-03-12 20:12:56 +00:00
Simon Kelley
c8a80487cd
--local-service. Default protection from DNS amplification attacks.
2014-03-05 14:29:54 +00:00
Simon Kelley
00a5b5d477
Check that unsigned replies come from unsigned zones if --dnssec-check-unsigned set.
2014-02-28 18:10:55 +00:00
Simon Kelley
613ad15d02
Strip DNSSEC RRs when query doesn't have DO bit set.
2014-02-25 23:02:28 +00:00
Simon Kelley
dac74312da
Typo.
2014-02-13 16:43:49 +00:00
Simon Kelley
2ecd9bd5c0
No CD in forwarded queries unless dnssec-debug for TCP too.
2014-02-13 16:42:02 +00:00
Simon Kelley
83349b8aa4
Further tidying of AD and DO bit handling.
2014-02-10 21:02:01 +00:00
Simon Kelley
7fa836e105
Handle validation when more than one key is needed.
2014-02-10 20:11:24 +00:00
Simon Kelley
e243c072b5
AD bit in queries handled as RFC6840 p5.7
2014-02-06 18:14:09 +00:00
Simon Kelley
610e782a29
Fix stack-smashing crash in DNSSEC. Thanks to Henk Jan Agteresch.
2014-02-06 14:45:17 +00:00
Simon Kelley
81a883fda3
Format tweak.
2014-02-03 21:17:04 +00:00
Simon Kelley
8d718cbb3e
Nasty cache failure and memory leak with DNSSEC.
2014-02-03 16:27:37 +00:00
Simon Kelley
97bc798b05
Init ->dependent field in frec allocation.
2014-01-31 10:19:52 +00:00
Simon Kelley
6938f3476e
Don't mark answers as DNSSEC validated if DNS-doctored.
2014-01-26 22:47:39 +00:00
Simon Kelley
7d23a66ff0
Remove --dnssec-permissive, pointless if we don't set CD upstream.
2014-01-26 09:33:21 +00:00
Simon Kelley
703c7ff429
Fix to last commit.
2014-01-25 23:46:23 +00:00