1. 25 Jun, 2019 1 commit
  2. 17 Apr, 2019 1 commit
    • module API+ABI: remove one level of indirection · 176b1c28
      Vladimír Čunát authored
      ... for layers and props.  This breaks C module API+ABI.
      
      It seemed weird to repeatedly call a function that returns a pointer
      to a structure in which we find the function we want to actually call.
      We've never used changing these functions AFAIK, and the target
      functions could easily be written to change their behavior instead
      (i.e. move the indirection *inside* the function).
      
      When breaking this, I also removed these two (_layers and _props)
      from the dynamic symbols (to be) exported from the C modules.
      They always pointed to memory belonging inside the module,
      and they seem quite sensible to be set up by the _init symbol instead.
  3. 08 Apr, 2019 1 commit
    • validate nitpick fix: unsupported algo edge case · 2bd31a48
      Vladimír Čunát authored
      kr_dnskeys_trusted() semantics is changed, but I do NOT consider that
      a part of public API.
      
      Go insecure due to algorithm support even if DNSKEY is NODATA.
      I can't see how that's relevant to practical usage, but I think this new
      behavior makes more sense.  We still do try to fetch the DNSKEY even
      though we have information about its un-usability beforehand.
      I'd consider fixing that a premature optimization.
      We'll still be affected if the DNSKEY query SERVFAILs or something.
      
      Thanks to PowerDNS people for catching this!
  4. 12 Mar, 2019 1 commit
  5. 08 Mar, 2019 1 commit
  6. 20 Dec, 2018 2 commits
  7. 11 Dec, 2018 1 commit
  8. 26 Nov, 2018 3 commits
  9. 12 Nov, 2018 1 commit
  10. 12 Oct, 2018 2 commits
  11. 14 Aug, 2018 9 commits
  12. 07 Aug, 2018 1 commit
  13. 02 Aug, 2018 2 commits
    • validate: additional bailiwick checks · 0d20fe3c
      Vladimír Čunát authored
      Let's use this as another layer of defense against our internal bugs.
    • layer/iterate: fix cache injection via CNAME · d2dd680d
      Marek Vavruša authored
      The current default mode doesn't check bailiwick anymore when unrolling
      CNAME chains, so if an answer contains:
      
      ```
      testingme.com.      	3600	IN	CNAME	victim.com.
      victim.com.        	172800	IN	NS	attackers.ns
      ```
      
      The resolver will cache both records as authoritative even though
      `victim.com` isn't in the current bailiwick. This was previously
      checked in 79d9931d, but removed in refactoring.
  14. 25 Jun, 2018 2 commits
  15. 16 May, 2018 2 commits
  16. 11 May, 2018 1 commit
  17. 23 Apr, 2018 4 commits
  18. 12 Apr, 2018 1 commit
  19. 09 Apr, 2018 1 commit
  20. 08 Apr, 2018 1 commit
    • iterate: update zone cut when NS is authoritative for both parent and child · 614d12a5
      Marek Vavruša authored
      In some cases the NS is authoritative for both parent and the child side of
      the delegation (e.g. nrl.navy.mil). When it gets the query for such NS,
      it can respond from the child side with an NS record in the answer and AA=1.
      The resolver should update the zone cut accordingly, otherwise it would fail
      validation in cases when the child-side of the delegation is insecure,
      but parent side of the delegation is secure, because the child side
      would respond without DNSSEC records, and it wouldn't indicate that
      the zone cut needs updating (when using minimal answers) (e.g. www.nrl.navy.mil).
  21. 03 Apr, 2018 1 commit
  22. 20 Feb, 2018 1 commit