Two more DNSSEC fixes #4187

Merged
merged 7 commits into from Jul 19, 2016


@pieterlexis
Member
pieterlexis commented Jul 14, 2016 edited

This PR fixes several DNSSEC issues:

  • No longer 'jojo' between Secure and Insecure states. Once we have an Insecure, we can only go Bogus but not Secure.
  • Fix the CNAME at apex issue
  • Check all DNSSEC chains on a possible Insecure (i.e. no signatures whatsoever)

Needs a very big review.

@pieterlexis pieterlexis added this to the rec-4.0.x milestone Jul 14, 2016
pieterlexis added some commits Jul 14, 2016
@pieterlexis pieterlexis Add missing DNSSEC trace message f79cb80
@pieterlexis pieterlexis Add test for island of security (#4181) 3bebf5f
@pieterlexis pieterlexis Compress 3 lines into 1 bd27d3d
@pieterlexis pieterlexis Don't go bogus on CNAMEs to islands of security
Closes #4181

Incidentally, this commit also ensures that we no longer 'jojo' between
Secure and Insecure states. Once we have an Insecure, we can only go
Bogus but not Secure.
15bfa0b
@pieterlexis pieterlexis changed the title from Don't go Bogus on islands of trust to Don't go Bogus on islands of security Jul 15, 2016
@pieterlexis pieterlexis changed the title from Don't go Bogus on islands of security to Two more DNSSEC fixes Jul 15, 2016
pieterlexis added some commits Jul 15, 2016
@pieterlexis pieterlexis Add changelog entry 16a6e36
@pieterlexis pieterlexis Do not follow CNAMEs when hunting for DS records
This fixes the CNAME at apex bogus
54d12bd
@pieterlexis pieterlexis Validate all key paths on possible Insecure
Before, we only checked the first QName, now we go through every name we
have to verify that the answer is indeed insecure.
45a08be
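The two state rules described in this PR (an Insecure result never returns to Secure, and an answer without signatures is checked along every name's key path) can be sketched as follows. This is an added example, not code from the PowerDNS repository: the `VState` enum, the `KeyPaths` table, both `classify…` functions and the sample names are hypothetical, and failing closed on an unknown name is an assumption of the sketch.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Stand-in for the validator's states; names follow the PR text.
enum class VState { Indeterminate, Insecure, Secure, Bogus };

// Sticky merge: Bogus is final, and Insecure can move to Bogus but never back to Secure.
VState mergeState(VState current, VState next) {
  if (current == VState::Bogus || next == VState::Bogus) return VState::Bogus;
  if (current == VState::Insecure || next == VState::Insecure) return VState::Insecure;
  if (current == VState::Secure || next == VState::Secure) return VState::Secure;
  return VState::Indeterminate;
}

// Hypothetical table: outcome of walking the DS chain down to the zone of each name.
using KeyPaths = std::map<std::string, VState>;

// Pre-fix behaviour as the commit message describes it: only the first name is checked.
VState classifyFirstNameOnly(const std::vector<std::string>& names, const KeyPaths& paths) {
  if (names.empty()) return VState::Indeterminate;
  auto it = paths.find(names.front());
  return it == paths.end() ? VState::Bogus : it->second;
}

// An answer with no signatures is Insecure only if every name's key path is Insecure.
VState classifyUnsignedAnswer(const std::vector<std::string>& names, const KeyPaths& paths) {
  VState result = VState::Indeterminate;
  for (const auto& name : names) {
    auto it = paths.find(name);
    // Assumption of this sketch: a name with no known key path fails closed.
    VState path = it == paths.end() ? VState::Bogus : it->second;
    // A Secure key path means signatures were required, so their absence is Bogus.
    if (path == VState::Secure) path = VState::Bogus;
    result = mergeState(result, path);
  }
  return result;
}

int main() {
  // Constructed sample: an unsigned name whose CNAME target lives in a signed zone.
  KeyPaths paths = {{"www.unsigned.example.", VState::Insecure},
                    {"host.signed.example.", VState::Secure}};
  std::vector<std::string> names = {"www.unsigned.example.", "host.signed.example."};
  std::cout << (classifyFirstNameOnly(names, paths) == VState::Insecure) << ' '
            << (classifyUnsignedAnswer(names, paths) == VState::Bogus) << '\n';
  return 0;
}
```

With the constructed input, checking only the first name reports Insecure, while checking every name reports Bogus because the CNAME target's zone has a secure key path and the answer carries no signatures.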
@ahupowerdns ahupowerdns merged commit 3fabbb1 into PowerDNS:master Jul 19, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:bogus-island-of-trust branch Jul 20, 2016