clones/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2024-09-21 14:47:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
7,699 Commits 27 Branches 196 Tags 104 MiB
a19009df1d
Commit Graph

582 Commits

Author SHA1 Message Date
W.C.A. Wijngaards
ff653a7ef8 Call module init init again, and new function startup and destartup. 
NULL can be used if the function is not used. Open shared ports during
reload. Deinit is called during reload.
 2024-07-01 16:10:07 +02:00
W.C.A. Wijngaards
3953f827fb Merge branch 'master' of https://github.com/madroach/unbound into ipset-pf-support 2024-07-01 14:36:33 +02:00
W.C.A. Wijngaards
4c2da2b979 - Fix validation for repeated use of a DNAME record. 2024-06-06 15:28:21 +02:00
W.C.A. Wijngaards
3cad5818a1 - Fix memory leak in setup of dsa sig. 2024-06-06 09:30:09 +02:00
Yorgos Thessalonikefs
63a6b7b255 - Cleanup unnecessary strdup calls for EDE strings. 2024-04-29 10:15:19 +02:00
W.C.A. Wijngaards
2a255076f5 - Fix validator classification of qtype DNAME for positive and 
redirection answers, and fix validator signature routine for dealing
  with the synthesized CNAME for a DNAME without previously
  encountering it and also for when the qtype is DNAME.
 2024-03-08 14:10:06 +01:00
Yorgos Thessalonikefs
33bdf44a04 - Document the suspend argument for process_ds_response(). 2024-02-23 14:34:33 +01:00
W.C.A. Wijngaards
56a2b564ef Merge commit '92f2a1ca690a44880f4c4fa70a4b5a4b029aaf1c' 2024-02-13 13:58:09 +01:00
W.C.A. Wijngaards
9a00877af9 Merge commit '882903f2fa800c4cb6f5e225b728e2887bb7b9ae' 2024-02-13 13:57:56 +01:00
W.C.A. Wijngaards
92f2a1ca69 - Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU. 2024-02-13 13:02:43 +01:00
W.C.A. Wijngaards
882903f2fa - Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to 
exhaust CPU resources and stall DNS resolvers.
 2024-02-13 13:02:08 +01:00
Yorgos Thessalonikefs
fe03bacd6c - Update error printout for duplicate trust anchors to include the 
trust anchor name (relates to #920).
 2024-01-22 15:54:36 +01:00
W.C.A. Wijngaards
9a2d0238a8 - Fix #983: Sha1 runtime insecure change was incomplete. 2024-01-03 13:33:43 +01:00
Wouter Wijngaards
c8ae3de610
Update validator/validator.c 
Co-authored-by: Yorgos Thessalonikefs <george@nlnetlabs.nl>
 2023-10-06 16:39:33 +02:00
W.C.A. Wijngaards
b624ed5050 - disable-edns-do, validator init prints warning when disable-edns-do is 
turned on, but there are trust anchors, and then turns off disable-edns-do.
 2023-10-05 14:33:22 +02:00
George Thessalonikefs
4ccb613396 Merge branch 'master' into features/downstream-cookies 2023-08-05 20:37:48 +02:00
George Thessalonikefs
6e47c1e05b - For #762: remove relocated code. 2023-08-02 15:51:05 +02:00
George Thessalonikefs
5b55a46550 - For #762: relocate RFC 1982 serial number arithmetic functions to their own 
file in util/rfc_1982.[ch].
 2023-08-01 17:26:14 +02:00
George Thessalonikefs
843fc69927 Address review comments for #759: 
- Clear error text when an expected signature is missing.
 2023-07-28 14:05:25 +02:00
George Thessalonikefs
95604a90e8 Review for #759: 
- Keep EDE information for keys close to key creation.
- Fix inconsistencies between reply and cached EDEs.
- Incorporate EDE caching checks in EDE tests.
- Fix some EDE cases where missing DNSKEY was wrongly reported.
 2023-07-19 15:20:44 +02:00
George Thessalonikefs
f5a2a58ce3 Review for #759: 
- Fix SEGFAULT in load_cache control command.
- Change reason_bogus_str to an explicit NULL-terminated string.
- Fix potential memory leak when discarding a message for referrals and
  0 TTL answers.
- Fix reason_bogus initialization in localzone answers.
- reply_info creation in validator is always regional.
 2023-07-17 17:26:31 +02:00
George Thessalonikefs
15b8d8b96a Merge branch 'master' into features/ede-caching 2023-07-13 11:25:59 +02:00
W.C.A. Wijngaards
a97d7175a6 - Fix ssl.h include brackets, instead of quotes. 2023-03-16 15:40:43 +01:00
W.C.A. Wijngaards
ba6325f24f - Fix #823: Response change to NODATA for some ANY queries since 
1.12, tested on 1.16.1.
 2023-01-06 09:16:59 +01:00
Willem Toorop
75f3fbdd65 Downstream DNS Cookies a la RFC7873 and RFC9018 
Create server cookies for clients that send client cookies.
Needs to be turned on in the config file with:

	answer-cookie: yes

A cookie-secret can be configured for anycast setups.
Also adds an access control list that will allow queries with
either a valid cookie or over a stateful transport.
 2022-09-28 10:28:19 +02:00
TCY16
0b176750bd add @wcawijngaards' review comments 2022-09-26 12:14:17 +02:00
TCY16
dcfcde2ec8 add cached EDE strings 2022-09-21 11:21:33 +02:00
W.C.A. Wijngaards
f6753a0f10 - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. 2022-08-01 13:24:40 +02:00
George Thessalonikefs
efdd70c7b5 - Cleanup some comments and TODO text. 2022-07-23 19:55:15 +02:00
George Thessalonikefs
eda0c0c194 - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for 
one loop pass'.
 2022-07-04 09:34:45 +02:00
George Thessalonikefs
309b1d368b - Reintroduce documentation and more EDE support for 
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
 2022-07-04 00:06:26 +02:00
George Thessalonikefs
c513119bba - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. 2022-07-03 23:32:18 +02:00
George Thessalonikefs
317bab9f1d For #660: formatting, less verbose logging, add EDE information. 2022-07-03 22:32:56 +02:00
Yorgos Thessalonikefs
e102aea751
Merge pull request #660 from InfrastructureServices/sha1-runtime-insecure 
Sha1 runtime insecure
 2022-07-03 22:24:58 +02:00
George Thessalonikefs
391dd86c3b Merge branch 'master' into InfrastructureServices-fips-mode-algo-ed25519 2022-07-01 17:34:09 +02:00
W.C.A. Wijngaards
11d077c826 - Fix some lint type warnings. 2022-05-20 15:32:27 +02:00
Petr Mensik
917c30a46a Disable ED25519 and ED448 in FIPS mode on openssl3 
Both crypto functions are not allowed by FIPS 140-3. Use openssl 3.0
function to check FIPS mode presence and use it to make those algorithms
unsupported.
 2022-05-11 16:19:25 +02:00
tcarpay
0ce36e8289
Add the basic EDE (RFC8914) cases (#604) 2022-05-06 12:48:53 +02:00
Petr Mensik
74c6cf5ac6 Log detailed openssl error also for digests failures 
Make output still only shown in verbose detail. But provide openssl
error details to make a reason more obvious.
 2022-04-12 16:13:49 +02:00
Petr Mensik
33c8baaaba Forward indeterminate status higher 
Create a path where it can result in insecure.
 2022-04-08 16:26:50 +02:00
Petr Mensik
6cfcf21451 Make SHA-1 signed domains insecure if openssl refuses the digest 
RHEL9/CentOS 9 would fail in default crypto policy. If call to openssl
returns invalid digest then report the name insecure. If all tested
signatures return the same issue, then make the reply insecure.
 2022-04-08 16:26:50 +02:00
W.C.A. Wijngaards
f81420d77f - Fix compile warnings for printf ll format on mingw compile. 2022-03-02 14:34:36 +01:00
W.C.A. Wijngaards
2b90181d3a - Fix #628: A rpz-passthru action is not ending RPZ zone processing. 2022-02-15 16:20:12 +01:00
W.C.A. Wijngaards
c6c54f9de4 - Fix validator debug output about DS support, print correct algorithm. 2021-12-06 13:12:44 +01:00
Wouter Wijngaards
9645228f03
Merge pull request #570 from rex4539/typos 
Fix typos
 2021-11-29 11:39:48 +01:00
tcarpay
c5a1e87f75
Remove wrongly added EDE comments 
Co-authored-by: Wouter Wijngaards <wcawijngaards@users.noreply.github.com>
 2021-11-15 13:03:26 +01:00
Dimitris Apostolou
c21d6af617
Fix typos 2021-11-13 16:56:15 +02:00
TCY16
f5b586dbdc add potential EDE spots 2021-11-08 11:50:57 +01:00
TCY16
8205c87a96 complete renaming of the modules edns list 2021-11-08 11:50:29 +01:00
Tom Carpay
89d7476539 split edns_data.opt_list in opt_list_in and opt_list_out 
opt_list_in for parsed (incoming) edns options, and
opt_list_out for outgoing (to be encoded) edns options
 2021-11-01 12:48:40 +00:00