path: root/lib/dnssec.h
Commit log (newest first). Each entry: commit message, then author, date, files changed, and lines removed/added in this file.

* mitigate KeyTrap DoS = CVE-2023-50387
  Vladimír Čunát, 2024-02-13, 1 file, -0/+1

* Copyright notices: remove years and replace e-mail
  Oto Šťáva, 2022-12-14, 1 file, -1/+1

* TTL bounds: improve the logic
  Vladimír Čunát, 2022-12-13, 1 file, -0/+1
  - apply to first (uncached) answer already
  - don't extend over signature validity
  Nit: the tests were using too high TTL (RFCs disallow the "sign bit"). It was working because (manual) cache-insertion was applying bounds, but now the bounds don't get applied anymore, so it would fail.

* daemon/zimport: better failure logging
  Vladimír Čunát, 2021-12-22, 1 file, -1/+3
  The typical DNSSEC problems should happen already when trying to validate the DNSKEY set, so it's better to be more verbose there. In the end I gave up on deduplicating with log_bogus_rrsig() code, as it's a different logging group, logging level, no kr_query, etc.

* lib/dnssec.h: improve API docs
  Vladimír Čunát, 2021-11-03, 1 file, -2/+10

* lib/dnssec: add a simple validator API
  Vladimír Čunát, 2021-11-03, 1 file, -0/+31

* lib/dnssec: make kr_dnskeys_trusted() cleaner
  Vladimír Čunát, 2021-11-03, 1 file, -2/+5
  This way it will be easier to re-use (and more efficient). I really disliked those searches for RRSIGs embedded deep inside. Uh, I tried to keep the new function as clean as possible, moving hacks to outside.

* lib/dnssec refactor: struct dseckey -> struct dnssec_key
  Vladimír Čunát, 2021-11-03, 1 file, -5/+5
  I can't see motivation to add another abstraction layer here, and it caused ugly type juggling. Let's use the libdnssec's type.

* validate: add kr_rrset_validation_ctx_t::log_qry
  Vladimír Čunát, 2021-07-29, 1 file, -0/+1
  ... so we can use it for more precise logging. Some calls get simpler. In particular, without the associated request, we can't produce anything into trace-logs, which could be confusing. Normal logs will benefit, too. (more precise replacement of WITH_VERBOSE will come in a subsequent commit)

* fix DNAME support
  Vladimír Čunát, 2020-04-27, 1 file, -0/+1

* treewide: machine readable license for GNU GPLv3+ source code
  Petr Špaček, 2020-02-25, 1 file, -13/+1
  Long GNU GPLv3 boilerplate was automatically replaced with machine readable tag.

* validator: trim TTLs by RRSIG's expiration and original TTL
  Vladimír Čunát, 2019-09-20, 1 file, -4/+4
  A down-side is that validation can now modify the validated RRset on success. I checked all transitive call sites that it's OK. The change is pretty simple; I just hand-tested it a bit with faketime.

* validate nitpick fix: unsupported algo edge case
  Vladimír Čunát, 2019-04-08, 1 file, -3/+7
  kr_dnskeys_trusted() semantics is changed, but I do NOT consider that a part of public API. Go insecure due to algorithm support even if DNSKEY is NODATA. I can't see how that's relevant to practical usage, but I think this new behavior makes more sense. We still do try to fetch the DNSKEY even though we have information about its un-usability beforehand. I'd consider fixing that a premature optimization. We'll still be affected if the DNSKEY query SERVFAILs or something. Thanks to PowerDNS people for catching this!

* dnssec: improve bogus logging to give more info
  Petr Špaček, 2018-12-20, 1 file, -0/+10

* dnssec: make a function static (unused outside)
  Vladimír Čunát, 2017-08-04, 1 file, -12/+0

* layer/validate: handle unknown algorithms
  Vladimír Čunát, 2017-07-24, 1 file, -3/+6
  i.e. downgrade a zone to insecure when *all* DNSKEYs of the apex are unverifiable due to unimplemented DNSKEY or DS algorithms. Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/210

* nitpicks from doxygen parser
  Vladimír Čunát, 2017-06-01, 1 file, -6/+6

* lib: forwarding, some improvements in zone cut detection algorithm
  Grigorii Demidov, 2017-06-01, 1 file, -0/+11

* layer/validate: check if NSEC3 records in wildcard expansion proof have an opt-out
  Grigorii Demidov, 2017-03-22, 1 file, -0/+1

* Update copyright information with 2017
  Ondřej Surý, 2017-01-25, 1 file, -1/+1

* layer/validate: fix for issue 144
  Grigorii Demidov, 2017-01-24, 1 file, -0/+1

* layer/validate: refactoring
  Grigorii Demidov, 2017-01-11, 1 file, -0/+3

* www.gnu.org prefers https
  Daniel Kahn Gillmor, 2016-07-16, 1 file, -1/+1

* lib/cache: flags field was added to cache entry header
  Grigorii Demidov, 2016-04-14, 1 file, -8/+0

* dnssec: wildcard answer proof
  Grigorii Demidov, 2016-04-14, 1 file, -39/+42

* all: ported to upcoming libknot APIs
  Marek Vavruša, 2015-12-17, 1 file, -1/+0
  this is not going to be a backwards-compatible change, but it will be the first tagged libknot release sufficient for resolver

* build: library able to compile to both static/dynamic versioned libs
  Marek Vavruša, 2015-12-10, 1 file, -0/+9
  - PIE, RELRO+NOW and other security features enabled
  - support for both static/dynamic builds with BUILDMODE
  - dynamic library is ABI-versioned, starting at 1
  - pkg-config file is installed

* lib/dnssec: accept valid and unrevoked keys (SEP not required), key matching
  Marek Vavruša, 2015-09-25, 1 file, -0/+15

* lib/dnssec: added missing functions, new key APIs
  Marek Vavruša, 2015-09-25, 1 file, -4/+12

* lib/dnssec: fixed bad SEP check
  Marek Vavruša, 2015-09-24, 1 file, -0/+6

* layer/validate: NSEC3 wildcard answer response check is enabled
  Karel Slany, 2015-08-18, 1 file, -3/+9

* layer/validate: NSEC authenticated denial of existence check
  Karel Slany, 2015-08-05, 1 file, -0/+1

* layer/validate: basic NSEC exact match non-existence check
  Karel Slany, 2015-08-04, 1 file, -25/+30

* layer/validate: validate_records()
  Karel Slany, 2015-07-21, 1 file, -3/+16

* layer/validate: implemented kr_rrset_validate()
  Karel Slany, 2015-07-20, 1 file, -5/+19

* layer/validate: implemented checking of RRSIG RR validity (RFC4035 5.3.1)
  Karel Slany, 2015-07-15, 1 file, -4/+24

* layer/validate: added DS to DNSKEY authentication code
  Karel Slany, 2015-07-15, 1 file, -0/+11

* crypto: added libdnssec dependency and initialisation
  Karel Slany, 2015-07-15, 1 file, -0/+33