Do not use DNSKEYs found below an apex for validation.¶
References: #10565, pull request 10806
Detect a loop when the denial of the DS comes from the child zone.¶
References: #10622, pull request 10807
Match ordering of PacketID using the Birthday vs non-Birthday comparator.¶
References: #10632, pull request 10809
Pass the Lua context to follow up queries (follow CNAME, dns64).¶
References: #10633, pull request 10811
Only the DNAME records are authoritative in DNAME answers.¶
References: #10718, pull request 10813
Use the correct RPZ policy name for statistics when loading via XFR.¶
References: #10768, pull request 10803
Fix the aggressive cache returning duplicated NSEC3 records.¶
References: #10701, pull request 10717
NS from the cache could be a forwarder, take that into account for throttling decision.¶
References: #10643, pull request 10655
Check in more places if the policy has been updated before using or modifying it.¶
References: #10627, pull request 10629
Work around clueless servers sending AA=0 answers.¶
References: #10555, pull request 10564
Ancestor NSEC3s can only deny the existence of a DS.¶
References: #10587, pull request 10593
Make really sure we did not miss a cut on validation failure.¶
References: #10570, pull request 10575
Clear the current proxy protocol values each iteration.¶
References: #10515, pull request 10573
Make sure that we pass the SOA along the NSEC(3) proof for DS queries.¶
References: pull request 10519
Change nsec3-max-iterations default to 150.¶
References: #10440, pull request 10477
For the NOD lookup case, we don’t want QName Minimization.¶
References: #10420, pull request 10422
Don’t follow referral from the parent to the child for DS queries.¶
References: #10460, pull request 10476
When refreshing, do not consider root almost expired.¶
References: #10426, pull request 10475
Take into account q_quiet when determining loglevel and change a few loglevels.¶
References: #10396, pull request 10474
Only add the NSEC and RRSIG records once in wildcard NODATA answers.¶
References: #10350, pull request 10473
Prevent a race in the aggressive NSEC cache.¶
References: pull request 10377
Apply dns64 on RPZ hits generated after a gettag_ffi hit.¶
References: pull request 10353
Boost 1.76 containers: use standard exceptions.¶
References: #10329, pull request 10335
Fix wording in edns-padding-tag help.¶
References: #10318, pull request 10334
Improve packet cache size computation now that TCP answers are also cached.¶
References: #10312, pull request 10333
Print the covering NSEC in tracing log.¶
References: #10298, pull request 10307
Do not put results of DS query for auth or forward domains in negcache.¶
References: #10317, pull request 10320
Use the correct ECS address when proxy-protocol is enabled.¶
References: #10303, pull request 10319
Exception loading the RPZ seed file is not fatal.¶
References: #10291, pull request 10306
RPZ dumper: stop generating double zz labels on networks that start with zeroes.¶
References: #10286, pull request 10305
Log local IP in dnstap messages.¶
References: #10268, pull request 10280
Also disable PMTU for IPv6.¶
References: #10264, pull request 10279
Clear “from” in record cache if we don’t know where the update came from.¶
References: #10232, pull request 10278
Better handling of stranded DNSKeys.¶
References: #10223, pull request 10277
Support TCP FastOpen connect on outgoing connections.¶
References: #7982, pull request 9995
Implement EDNS0 padding (rfc7830) for outgoing responses.¶
References: pull request 8918
Get rid of early zone cut computation when doing DNSSEC validation.¶
References: pull request 10057
Insert hints as non-auth into cache.¶
References: #10177, pull request 10182
Don’t pick up random root NS records from AUTHORITY sections.¶
References: #10125, pull request 10178
Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant.¶
References: #7591, pull request 10161
Make sure we take the right minimum for the packet cache TTL data.¶
References: pull request 10185
Check sizeof(time_t) to be at least 8.¶
References: pull request 10010
Change dnssec default to process.¶
References: pull request 10118
Implement rfc 8198 - Aggressive Use of DNSSEC-Validated Cache.¶
References: pull request 10047
Be less verbose telling we are looking up CNAMEs or DNAMEs while tracing.¶
References: pull request 10112
Add validation state to protobuf message.¶
References: #8587, pull request 10113
Add Policy Kind / RPZ action to Protobuf messages.¶
References: #9654, #9653, pull request 10109
Count DNSSEC stats for given names in a different set of counters.¶
References: #10058, pull request 10089
Remember non-resolving nameservers.¶
References: pull request 10096
Pass an fd to dump to from rec_control to the recursor.¶
References: pull request 9468
Introduce settings to never cache EDNS Client (v4/v6) Subnet carrying replies.¶
References: pull request 10075
Change spoof-nearmiss-max default to 1.¶
References: #9845, pull request 10077
Add missing entries to Prometheus metrics.¶
References: #10021, pull request 10022
Also use packetcache for tcp queries.¶
References: pull request 9990
Document taskqueue metrics and add them to SNMP MIB.¶
References: #10009, pull request 10020
Treat the .localhost domain as special.¶
References: pull request 9996
Handle policy (if needed) after postresolve and document the hooks better.¶
References: #10080, pull request 10111
Return current rcode instead of 0 if there are no CNAME records to follow.¶
References: #9547, pull request 10064
Introduce “Refresh almost expired” a mechanism to keep the record cache warm.¶
References: #440, pull request 9699
Use protozero for Protocol Buffer operations in dnsdist, and dnstap/outgoing for the recursor.¶
References: #9781, #9780, pull request 9630, pull request 9843
Use a short-lived NSEC3 hashes cache for denial validation.¶
References: pull request 9856
Introduce synonyms for offensive language in settings and docs.¶
References: pull request 9670
Handle failure to start the web server more gracefully.¶
References: #9808, pull request 9812
Switch default TTL override to 1.¶
References: pull request 9720
Log the exact Bogus state when ‘dnssec-log-bogus’ is enabled.¶
References: pull request 9806 9828
Switch to TCP in case of spoofing (near-miss) attempts.¶
References: pull request 9744
Add support for rfc8914: Extended DNS Errors.¶
References: pull request 9673
Two OpenBSD improvements for UDP sockets: port randomization and EAGAIN errors.¶
References: pull request 9633
Cleanup of RPZ refresh handling.¶
References: pull request 9594
Refactor the percentage computation and use rounding.¶
References: pull request 9629
Throttle servers sending invalid data and rcodes.¶
References: pull request 9571
Terminate TCP connections instead of ‘ignoring’ errors.¶
References: pull request 9572
Don’t parse any config with –version.¶
References: pull request 9569
Expose typed cache flush via Web API.¶
References: pull request 9562
Remove query-local-address6.¶
References: pull request 9554
Lua: add backtraces to errors.¶
References: pull request 8942
Log the line received from rec_control.¶
References: pull request 9493
Shared and sharded neg cache.¶
References: pull request 9475
Lookup DS entries before CNAME entries.¶
References: #9621, pull request 9883
Fix the gathering of denial proof for wildcard-expanded answers.¶
References: pull request 9793
Actually discard invalid RRSIGs with too high labels count.¶
References: pull request 9789
x-our-latency is a gauge.¶
References: #9638, pull request 9686
Make parse ip:port a bit smarter.¶
References: #7743, pull request 9432
Fix wipe-cache-typed.¶
References: pull request 9515
Detach snmp thread to avoid trouble when trying to quit nicely.¶
References: pull request 9492