Vladislav Grishenko
4583dd9e42
Replace obsolete utime() usage with utimes().
...
This fixes build time warnings with POSIX.1-2008-aware C libraries.
2017-05-03 23:16:51 +01:00
Josh Soref
730c6745f0
Comprehensive spelling/typo fixes.
...
Thanks to Josh Soref for generating these fixes.
2017-02-06 16:14:04 +00:00
Kevin Darbyshire-Bryant
06093a9a84
Fix problem with --dnssec-timestamp
...
whereby receipt of SIGHUP would erroneously engage timestamp checking.
2016-07-11 21:03:27 +01:00
Simon Kelley
a7b27e84fa
NULL pointer check.
2016-03-16 19:11:52 +00:00
Simon Kelley
40205a053e
Bound hash-iterations in DNSSEC NSEC3 checking.
2016-03-14 21:24:00 +00:00
Simon Kelley
367341f745
Disable DNSSEC for server=/domain/.. servers unless trust-anchor provided.
2016-01-12 15:58:23 +00:00
Simon Kelley
a63b8b89e6
DNSSEC: Handle non-root trust anchors, and check we have a root trust anchor.
2016-01-12 11:28:58 +00:00
Simon Kelley
c49778df4a
Update copyright notices. Happy new year!
2016-01-06 18:52:33 +00:00
Simon Kelley
cc7cb0b893
Fix datatype-size botch which broke DNSSEC sig timestamps when far in the future.
2016-01-04 16:04:51 +00:00
Simon Kelley
ec0628c4b2
Trivial code tweak.
2015-12-31 20:55:39 +00:00
Simon Kelley
33702ab1f8
First complete version of DNS-client-id EDNS0 and ARP tracking code.
2015-12-28 23:17:15 +00:00
Simon Kelley
15379ea1f2
Log signature algo with DNSKEY and DS, also digest with DS.
2015-12-21 18:31:55 +00:00
Simon Kelley
5bb88f0963
Handle extending EDNS0 OPT RR.
2015-12-21 16:23:47 +00:00
Simon Kelley
ce5732e84f
NSEC3 check: RFC5155 para 8.2
2015-12-20 21:39:19 +00:00
Simon Kelley
a86fdf437e
Minor tweak to previous commit.
2015-12-20 21:19:20 +00:00
Simon Kelley
3e86d316c4
Nasty, rare and obscure off-by-one in DNSSEC hostname_cmp().
2015-12-20 20:50:05 +00:00
Simon Kelley
d67ecac59d
More tweaks in handling unknown DNSSEC algorithms.
2015-12-20 20:44:23 +00:00
Simon Kelley
fa14bec83b
Major tidy up of EDNS0 handling and computation/use of udp packet size.
2015-12-20 17:12:16 +00:00
Simon Kelley
14a4ae883d
Do a better job of determining which DNSSEC sig algos are supported.
2015-12-17 17:29:57 +00:00
Simon Kelley
3b799c826d
Fix brace botch in dnssec_validate_ds()
...
Thanks to Michał Kępień for spotting this.
2015-12-17 16:58:04 +00:00
Simon Kelley
b40f26c019
Tidy up DNSSEC non-existence code. Check zone status is NSEC proof bad.
2015-12-17 11:57:26 +00:00
Simon Kelley
dd4ad9ac7e
Tweaks to EDNS0 handling in DNS replies.
2015-12-17 10:44:58 +00:00
Simon Kelley
2dbba34b2c
DNSSEC validation tweak.
...
A zone which has at least one key with an algorithm we don't
support should be considered as insecure.
2015-12-16 13:41:58 +00:00
Simon Kelley
c2bcd1e183
Generalise RR-filtering code, for use with EDNS0.
2015-12-15 17:25:21 +00:00
Simon Kelley
d64c81fff7
Move code which caches DS records to a more logical place.
2015-12-15 16:11:06 +00:00
Simon Kelley
93be5b1e02
Abandon caching RRSIGs and returning them from cache.
...
The list of exceptions to being able to locally answer
cached data for validated records when DNSSEC data is requested
was getting too long, so don't ever do that. This means
that the cache no longer has to hold RRSIGS and allows
us to lose lots of code. Note that cached validated
answers are still returned as long as do=0
2015-12-15 12:04:40 +00:00
Simon Kelley
9a31b68b59
Major rationalisation of DNSSEC validation.
...
Much gnarly special-case code removed and replaced with correct
general implementation. Checking of zone-status moved to DNSSEC code,
where it should be, vastly simplifying query-forwarding code.
2015-12-15 10:20:39 +00:00
Simon Kelley
67ab3285b5
Handle unknown DS hash algos correctly.
...
When we can validate a DS RRset, but don't speak the hash algo it
contains, treat that the same as an NSEC/3 proving that the DS
doesn't exist. 4025 5.2
2015-11-20 23:20:47 +00:00
Simon Kelley
6de81f1250
Handle signed dangling CNAME replies to DS queries.
2015-09-09 22:51:13 +01:00
Simon Kelley
f6381cf482
Declare utime().
2015-07-27 19:48:43 +01:00
Kevin Darbyshire-Bryant
34b5d19488
Update DNSSEC timestamp file on process TERM.
2015-07-27 19:34:23 +01:00
Simon Kelley
d389e0191b
DNSSEC fix: correct logic for signed records in unsigned DNS space.
2015-07-27 18:56:43 +01:00
Simon Kelley
d3699bb6bc
Small tweak to DNSSEC fix.
2015-07-16 22:37:37 +01:00
Simon Kelley
13480e8c2a
DNSSEC fix, signed wildcard CNAME to unsigned domain.
2015-07-16 22:23:13 +01:00
Simon Kelley
e3ec6f0bd7
Handle CNAMEs to DS records when confirming absence of DS for DNSSEC.
2015-06-12 21:39:11 +01:00
Simon Kelley
4d25cf89d5
Handle corner cases in NSEC coverage checks.
2015-06-06 23:13:57 +01:00
Simon Kelley
a77cec8d58
Handle UDP packet loss when fragmentation of large packets is broken.
2015-05-08 16:25:38 +01:00
Simon Kelley
b8f16556d3
Tweaks to previous, DNS label charset commit.
2015-04-22 21:14:31 +01:00
Simon Kelley
cbe379ad6b
Handle domain names with '.' or /000 within labels.
...
Only in DNSSEC mode, where we might need to validate or store
such names. In non-DNSSEC mode, simply don't cache these, as before.
2015-04-21 22:57:06 +01:00
Simon Kelley
fe3992f9fa
Return INSECURE, rather than BOGUS when DS proved not to exist.
...
Return INSECURE when validating DNS replies which have RRSIGs, but
when a needed DS record in the trust chain is proved not to exist.
It's allowed for a zone to set up DNSKEY and RRSIG records first, then
add a DS later, completing the chain of trust.
Also, since we don't have the infrastructure to track that these
non-validated replies have RRSIGS, don't cache them, so we don't
provide answers with missing RRSIGS from the cache.
2015-04-03 21:25:05 +01:00
Simon Kelley
394ff492da
Allow control characters in names in the cache, handle when logging.
2015-03-29 22:17:14 +01:00
Simon Kelley
1e153945de
DNSSEC fix for non-ascii characters in labels.
2015-03-28 21:34:07 +00:00
Simon Kelley
0b8a5a30a7
Protect against broken DNSSEC upstreams.
2015-03-27 11:44:55 +00:00
Simon Kelley
8805283088
Don't fail DNSSEC when a signed CNAME dangles into an unsigned zone.
2015-03-26 21:15:43 +00:00
Simon Kelley
360f2513ab
Tweak DNSSEC timestamp code to create file later, removing need to chown it.
2015-03-07 18:28:06 +00:00
Simon Kelley
9003b50b13
Fix last commit to not crash if uid changing not configured.
2015-03-02 22:47:23 +00:00
Simon Kelley
f6e62e2af9
Add --dnssec-timestamp option and facility.
2015-03-01 18:17:54 +00:00
Simon Kelley
6ef15b34ca
Fix broken ECDSA DNSSEC signatures.
2015-01-31 22:44:26 +00:00
Simon Kelley
aff3396280
Update copyrights for dawn of 2015.
2015-01-31 20:13:40 +00:00
Simon Kelley
5e321739db
Don't answer from cache RRsets from wildcards, as we don't have NSECs.
2015-01-12 23:16:56 +00:00