Age | Commit message | Author | |
---|---|---|---|
2016-01-04 | resolved: actually make use of message ID when logging about failed DNSSEC validation | Lennart Poettering | |
2016-01-03 | resolved: refuse revoked DNSKEYs in trust anchor | Lennart Poettering | |
2016-01-03 | resolved: never authenticate RRsets with revoked keys | Lennart Poettering | |
2016-01-03 | resolved: print a log message when we ignore an NSEC3 RR with an excessive amount of iterations | Lennart Poettering | |
2016-01-03 | Merge pull request #2245 from ssahani/socket1 | Lennart Poettering | |
core: socket options fix SCTP_NODELAY | |||
2016-01-03 | Merge pull request #2254 from kelemeng/master | Lennart Poettering | |
Updated Hungarian translations | |||
2016-01-03 | Merge pull request #2255 from teg/resolved-fixes-2 | Lennart Poettering | |
Fixes to NSEC3 proof v2 | |||
2016-01-03 | Merge pull request #2256 from poettering/dnssec10 | Tom Gundersen | |
Tenth DNSSEC patch set | |||
2016-01-03 | resolve: add RFC4501 URI support to systemd-resolve-host | Lennart Poettering | |
2016-01-03 | resolved: add negative trust anchor support, and add trust anchor configuration files | Lennart Poettering | |
This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchors.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this built-in DS RR is not added though. | |||
2016-01-03 | resolved: dnssec - properly take wildcards into account in NSEC3 proof | Tom Gundersen | |
For NXDOMAIN, it is not sufficient to prove that the next-closest enclosure does not exist, we must also prove that there is no wildcard domain directly below the closest enclosure which would synthesise the name that has been requested. For positive responses, in addition to exact matches, we should accept wildcard ones. In that case we must first prove that there is no precise match (i.e., that the closest encounter is not the record itself) and secondly that the source of synthesis exists. | |||
2016-01-03 | resolved: dnssec - factor out hashed domain generation | Tom Gundersen | |
2016-01-03 | resolved: don't conclude NODATA if CNAME exists | Tom Gundersen | |
Instead introduce the new return-code DNSSEC_NSEC_CNAME to indicate this condition. See RFC 6840, Section 4.3. | |||
2016-01-02 | Add initial Hungarian message catalog translation | Gabor Kelemen | |
2016-01-02 | Update Hungarian translation | Gabor Kelemen | |
2016-01-02 | resolved: fix serialization of the root domain | Lennart Poettering | |
2016-01-02 | resolved: only suffix RR key names with a dot if they don't have one yet | Lennart Poettering | |
2016-01-02 | resolved: don't accept NSEC3 iteration fields unbounded | Lennart Poettering | |
2016-01-02 | basic: modernize conf-files.c a bit | Lennart Poettering | |
2016-01-02 | resolved: explain why we don't check IP addresses/ports of incoming DNS UDP traffic | Lennart Poettering | |
2016-01-02 | resolved: extend RFCs list a bit | Lennart Poettering | |
2016-01-01 | resolved: dnssec - add reference to the algorithm we implement | Tom Gundersen | |
2016-01-01 | resolved: dnssec - prepend hashed labels to zone name | Tom Gundersen | |
All hashed names consist of the hashed label prepended to the zone name, not to the closest enclosure. | |||
2016-01-01 | resolved: dnssec - rename some variables | Tom Gundersen | |
Makes the NSEC3 proof somewhat simpler to follow. | |||
2016-01-01 | resolved: dnssec - don't refuse to verify answer due to too many unrelated RRs | Tom Gundersen | |
Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we actually try to verify, not about the total number of RRs in the RRSet. | |||
2016-01-01 | resolved: dnssec - fix off-by-one in RSA key parsing | Tom Gundersen | |
If the first byte of the key is zero, the key-length is stored in the second and third byte (not first and second). | |||
2016-01-01 | Merge pull request #2241 from poettering/dnssec9 | Tom Gundersen | |
Ninth DNSSEC patch set | |||
2015-12-31 | core: socket options fix SCTP_NODELAY | Susant Sahani | |
SCTP_NODELAY is different to TCP_NODELAY. Apply proper options in case of SCTP. | |||
2015-12-30 | Merge pull request #2229 from cjmayo/m500 | Martin Pitt | |
hwdb: move Logitech M-U0007 [M500] to 1000dpi | |||
2015-12-29 | resolved: add a list of DNS-related RFCs and their implementation status in resolved | Lennart Poettering | |
2015-12-29 | resolved: append RFC6975 algorithm data to EDNS OPT RR | Lennart Poettering | |
2015-12-29 | resolved: NSEC3 hash algorithms are distinct from DS digest algorithms | Lennart Poettering | |
Previously, we'd use the same set of identifiers for both, but that's actually incorrect. It didn't matter much since the only NSEC3 hash algorithm defined (SHA-1) is mapped to code 1 which is also what it is encoded as in DS digests, but we really should make sure to use two distinct enumerations. | |||
2015-12-29 | update DNSSEC TODO | Lennart Poettering | |
2015-12-29 | resolved: add comments referencing various RFCs to various places | Lennart Poettering | |
2015-12-29 | resolved: include GOST in list of DNSSEC algorithms | Lennart Poettering | |
We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.) | |||
2015-12-29 | resolved: use CLAMP() instead of MIN(MAX()) | Lennart Poettering | |
2015-12-29 | resolved: don't allow RRs with TTL=0 and TTL!=0 in the same RRset | Lennart Poettering | |
2015-12-29 | resolved: parse EDNS0 rcode extension bits | Lennart Poettering | |
2015-12-29 | resolved: reset RR TTL to 0, if MSB is set | Lennart Poettering | |
RFC 2181, Section 8 suggests to treat an RR TTL with the MSB set as 0. Implement this. | |||
2015-12-29 | resolved: properly handle SRV RRs with the DNS root as hostname | Lennart Poettering | |
2015-12-29 | resolved: add errno mapping for BUS_ERROR_CONNECTION_FAILURE | Lennart Poettering | |
This was missing when the error type was added in ac720200b7e5b80cc4985087e38f3452e5b3b080. | |||
2015-12-29 | resolved: change mapping of BUS_ERROR_NO_NAME_SERVERS to ESRCH | Lennart Poettering | |
EIO is really too generic, and indicates transmission problems. | |||
2015-12-29 | Merge pull request #2237 from evverx/fix-valgrind-tests | Lennart Poettering | |
build-sys: fix valgrind-tests | |||
2015-12-29 | Merge pull request #2239 from evverx/fix-memory-leak-in-test-bus-marshal | Lennart Poettering | |
tests: fix memory leak in test-bus-marshal | |||
2015-12-29 | tests: fix memory leak in test-bus-marshal | Evgeny Vereshchagin | |
Fixes: ``` $ ./configure ... --enable-dbus $ make $ make valgrind-tests TESTS=test-bus-marshal ... ==25301== 51 bytes in 1 blocks are definitely lost in loss record 7 of 18 ==25301== at 0x4C2DD9F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==25301== by 0x5496B8C: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x54973E3: _dbus_string_append_printf_valist (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x547E5C2: _dbus_set_error_valist (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x547E73E: dbus_set_error (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x548969A: dbus_message_demarshal (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x115C1A: main (test-bus-marshal.c:244) ==25301== ``` | |||
2015-12-29 | Merge pull request #2233 from kinvolk/alban/cgroup2-userns | Lennart Poettering | |
nspawn: userns and unified cgroup: chown cgroup.events | |||
2015-12-29 | build-sys: fix valgrind-tests | Evgeny Vereshchagin | |
Fixes: ``` $ make valgrind-tests TESTS=test-acl-util GEN valgrind-tests Running test-acl-util /bin/bash: line 4: libtool: command not found ``` | |||
2015-12-28 | Merge pull request #2231 from phomes/resolve-misc2 | Tom Gundersen | |
Resolve misc2 | |||
2015-12-28 | Merge pull request #2226 from jwilk/spelling | Zbigniew Jędrzejewski-Szmek | |
man: fix typos | |||
2015-12-28 | Merge pull request #2232 from poettering/dnssec8 | Tom Gundersen | |
Eighth DNSSEC patch set