Age | Commit message | Author |
|
- Deny ANY with only one RR in response, by default. Patch from
Daisuke Higashi. The deny-any statement in nsd.conf sets ANY
queries over UDP to be further moved to TCP as well.
Also no additional section processing for type ANY, reducing
the response size.
with an ifdef NOTYET. It is too close to release and we want to let
this sit for a bit.
Pointed out / requested by sthen.
|
|
OK sthen
|
|
brad@
|
|
OK sthen
|
|
OK sthen (on a slightly different configure script version)
|
|
It is of course not relevant for us but introduces a diff when
the configure script is regenerated on upgrades and this file is
not around.
|
|
OK sthen
|
|
brad@
|
|
|
|
------------------------------------------------------------------------
NSD versions 4.1.22 and before are vulnerable in comparing TSIG
information and this can be used to discover a TSIG secret.
NSD uses TSIG to protect zone transfers. The TSIG code uses a secret
key to protect the data. The secret key is shared with both sides of
the zone transfer connection. The comparison code in NSD was not time
insensitive, causing the potential for an attacker to use timing
information to discover data about the key contents.
NSD versions from 2.2.0 to 4.1.22 are vulnerable. Upgrade to 4.1.23 or
newer to get the fix.
It was reported by Ondrej Sury (ISC).
------------------------------------------------------------------------
OK tb, sthen
|
|
|
|
The improved refuse-any option that showed up in upstream 4.1.22 had
already been cherry picked in OpenBSD.
OK sthen
|
|
OK sthen
|
|
refuse-any sends truncation (+TC) in reply to ANY queries over UDP,
and allows TCP queries like normal
OK sthen
|
|
OK sthen
|
|
- Fix memory leak in zone file read of unknown rr formatted RRs.
- Fix memory leak when rehashing nsec3 after axfr or zonefile read,
in the selectively allocated precompiled nsec3 hashes.
|
|
|
|
generated configure file, but old configure.ac.
|
|
|
|
OK sthen@, "so far so good" millert@
Obligatory commit from 33,000 ft.
|
|
will run. OK florian@
|
|
OK jca, benno
jca also points out that Delan Azabani (delan _AT_ azabani.com) wrote
exactly the same diff in 2016. It was OK bluhm but apparently never
committed.
|
|
|
|
|
|
OK sthen
|
|
out by clang.
This is a local diff we have to carry so config.h.in is as good a place
as any and it's included everywhere.
OK sthen
|
|
okay millert@ deraadt@
|
|
|
|
tests & OK sthen
(if there are more changes coming for 4.1.16 release we will just
commit them on top)
|
|
|
|
|
|
This contains a local patch to query.c (missed _t conversion) that has
been submitted upstream.
OK sthen
|
|
brad@
|
|
|
|
|
|
OK sthen@
|
|
brad@
|
|
|
|
|
|
Testing millert, brad and myself.
OK millert@
|
|
brad@
|
|
|
|
shadows the real user's identity.
ok deraadt
|
|
|
|
-----------------------------------------------------------------
BUG FIXES:
- Fix malformed edns query assertion failure, reported by
Michal Kepien (NASK).
-----------------------------------------------------------------
Does not affect OpenBSD since we are not running configure with
--enable-checking
OK sthen@
|
|
|
|
|
|
"Working fine here." millert@
OK dlg, sthen
|
|
|
|
|