| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2015-12-03 | resolved: introduce a dnssec_mode setting per scope | Lennart Poettering | |
| The setting controls which kind of DNSSEC validation is done: none at all, trusting the AD bit, or client-side validation. For now, no validation is implemented, hence the setting doesn't do much yet, except of toggling the CD bit in the generated messages if full client-side validation is requested. | |||
| 2015-12-03 | resolved: don't accept expired RRSIGs | Lennart Poettering | |
| 2015-12-02 | resolved: add basic DNSSEC support | Lennart Poettering | |
| This adds most basic operation for doing DNSSEC validation on the client side. However, it does not actually add the verification logic to the resolver. Specifically, this patch only includes: - Verifying DNSKEY RRs against a DS RRs - Verifying RRSets against a combination of RRSIG and DNSKEY RRs - Matching up RRSIG RRs and DNSKEY RRs - Matching up RR keys and RRSIG RRs - Calculating the DNSSEC key tag from a DNSKEY RR All currently used DNSSEC combinations of SHA and RSA are implemented. Support for MD5 hashing and DSA or EC cyphers are not. MD5 and DSA are probably obsolete, and shouldn't be added. EC should probably be added eventually, if it actually is deployed on the Internet. | |||
 |
index : ~lukeshu/systemd | |
| Unnamed repository; edit this file 'description' to name the repository. | git-mirror |
| summaryrefslogtreecommitdiff |