1. 26 Sep, 2019 1 commit
  2. 24 Sep, 2019 1 commit
  3. 20 Sep, 2019 3 commits
  4. 17 Sep, 2019 1 commit
  5. 14 Aug, 2019 1 commit
    • lib/resolve answer_finalize: don't SERVFAIL bogus +cd · e80fb5e6
      Vladimír Čunát authored
      As kresd works now, typically we do not know whether these records are
      bogus, as with +cd we do not attempt validation.  Still, it's possible
      that we have those records in cache from an occasion without +cd, in
      which case we know they're bogus and this regression happened.
      
      The potential impact of this issue seems minimal.
  6. 12 Aug, 2019 1 commit
  7. 05 Aug, 2019 2 commits
  8. 24 Jul, 2019 1 commit
  9. 23 Jul, 2019 1 commit
    • kr_request: remove ::additional · b902adaa
      Vladimír Čunát authored
      Somehow I didn't notice this field when adding ::add_selected.
      We probably never put anything into answer's ADDITIONAL,
      so no one's noticed a problem until now.
  10. 22 Jul, 2019 1 commit
    • daemon/tls: fix handling of GNUTLS_E_AGAIN · d11ed9da
      Tomas Krizek authored
      The code incorrectly assumes GNUTLS_E_AGAIN can only be caused
      by reading the entire libuv buffer. Legitimate causes of GNUTLS_E_AGAIN
      wouldn't be processed correctly. These could be caused by a new
      session ticket sent by the server.
      
      Fixes #489
  11. 10 Jul, 2019 6 commits
  12. 09 Jul, 2019 1 commit
  13. 03 Jul, 2019 1 commit
  14. 27 Jun, 2019 1 commit
  15. 25 Jun, 2019 1 commit
  16. 24 Jun, 2019 1 commit
  17. 18 Jun, 2019 1 commit
    • modules/http: fixes around maintenance of ephemeral certs · 5826e485
      Vladimír Čunát authored
      The cert was updated only once :-/  Now it's updated until the http
      module is unloaded.
      
      Also, each socket would create its own ephemeral certificate,
      so now that's all shared within the process.  Technically we could
      synchronise even multiple instances, based on the files, but that would
      be much more complex, and it seems an unlikely combination to deploy.
  18. 17 Jun, 2019 1 commit
  19. 13 Jun, 2019 2 commits
  20. 03 Jun, 2019 2 commits
  21. 29 May, 2019 1 commit
    • daemon TCP to upstream: don't send wrong message length · 10a113d7
      Vladimír Čunát authored
      See the added comments.  Such bugs are tricky, because the old code
      would typically work just fine, only if libuv/OS decided to postpone
      copying the data (perhaps large load), we would send two bytes from
      this address on C stack - their later value (hard to predict what).
      
      Security risks: the two bytes might theoretically contain information
      that was more or less private and we just send it to some DNS server
      (possibly over unencrypted TCP), but ATM I find it very unlikely that
      this bug could be practically exploited.
  22. 18 Apr, 2019 3 commits
  23. 17 Apr, 2019 1 commit
  24. 08 Apr, 2019 1 commit
    • validate nitpick fix: unsupported algo edge case · 2bd31a48
      Vladimír Čunát authored
      kr_dnskeys_trusted() semantics are changed, but I do NOT consider that
      a part of public API.
      
      Go insecure due to algorithm support even if DNSKEY is NODATA.
      I can't see how that's relevant to practical usage, but I think this new
      behavior makes more sense.  We still do try to fetch the DNSKEY even
      though we have information about its un-usability beforehand.
      I'd consider fixing that a premature optimization.
      We'll still be affected if the DNSKEY query SERVFAILs or something.
      
      Thanks to PowerDNS people for catching this!
  25. 04 Apr, 2019 2 commits
  26. 12 Mar, 2019 2 commits