1. 03 Jun, 2019 1 commit
  2. 29 May, 2019 1 commit
      daemon TCP to upstream: don't send wrong message length · 10a113d7
      Vladimír Čunát authored
      See the added comments.  Such bugs are tricky, because the old code
      would typically work just fine; only if libuv/OS decided to postpone
      copying the data (perhaps under large load) would we send two bytes from
      this address on the C stack - their later value (hard to predict what).
      
      Security risks: the two bytes might theoretically contain information
      that was more or less private and we just send it to some DNS server
      (possibly over unencrypted TCP), but ATM I find it very unlikely that
      this bug could be practically exploited.
  3. 18 Apr, 2019 3 commits
  4. 17 Apr, 2019 1 commit
  5. 08 Apr, 2019 1 commit
      validate nitpick fix: unsupported algo edge case · 2bd31a48
      Vladimír Čunát authored
      kr_dnskeys_trusted() semantics is changed, but I do NOT consider that
      a part of public API.
      
      Go insecure due to algorithm support even if DNSKEY is NODATA.
      I can't see how that's relevant to practical usage, but I think this new
      behavior makes more sense.  We still do try to fetch the DNSKEY even
      though we have information about its unusability beforehand.
      I'd consider fixing that a premature optimization.
      We'll still be affected if the DNSKEY query SERVFAILs or something.
      
      Thanks to PowerDNS people for catching this!
  6. 04 Apr, 2019 2 commits
  7. 12 Mar, 2019 6 commits
  8. 08 Mar, 2019 2 commits
  9. 05 Mar, 2019 2 commits
  10. 28 Feb, 2019 1 commit
  11. 25 Feb, 2019 1 commit
  12. 22 Feb, 2019 1 commit
      policy.TLS_FORWARD: send SNI on wire if configured · a4284580
      Vladimír Čunát authored
      In the HTTPS world it's standard to do that, and it's relied on.
      Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate
      if we don't send SNI (no idea why; also they do send it with TLSv1.2).
      
      As a consequence, we no longer allow multiple hostnames per
      address-port tuple, but that didn't seem useful.
  13. 11 Feb, 2019 1 commit
  14. 06 Feb, 2019 1 commit
  15. 29 Jan, 2019 1 commit
  16. 23 Jan, 2019 2 commits
  17. 14 Jan, 2019 1 commit
  18. 10 Jan, 2019 1 commit
  19. 09 Jan, 2019 2 commits
  20. 04 Jan, 2019 1 commit
  21. 17 Dec, 2018 2 commits
  22. 14 Dec, 2018 2 commits
  23. 13 Dec, 2018 1 commit
      view: change :addr to a more natural semantics · 732a6616
      Vladimír Čunát authored
      Continue executing :addr rules until a non-chain action is executed.
      Before this, only the first match in view:addr rules got a chance,
      even though the inner policy rule might not trigger in that case
      or be a chain action.
  24. 11 Dec, 2018 3 commits