Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

Use ENABLE_cookies=yes variable to compile functionality.

Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

The cookies layer injects a new query into the plan when a DADCOOKIE
response is detected. After failing the second attempt a TCP fallback is
signalised.

in normal mode, only final CNAME target is refetched, but
not intermediate CNAMEs. intermediate CNAMEs are *never* cached,
but they are used to get final name for requery. in strict mode now,
every CNAME target is explicitly fetched even if it's a chained CNAME.

this is required to avoid REFUSED loops if the origin doesn't handle
minimisation well

* simplified soft-fail per-ns limit to per-query
  limit, each query gets 4 tries at resolving
* instead of locking at single servfailing NS,
  penalise it and run reelection, this may or
  may not try other servers but avoids pathologic
  case when single NS is servfailing while others
  are good but never probed
* added new nsrep update mode (addition)

the daemon has now three modes of strictness
checking from strict to permissive.
it reflects the tradeoff between resolving the
query in as few steps as possible and security
for insecure zones

in permissive mode, resolver is free to use
(but not cache) non-mandatory glue records even
if they're not resolvable. this is great as a 
workaround for broken child-side zones, but
not great for security of, well, insecure
delegations. it's off by default.

Marek Vavrusa authored 9 years ago and Grigorii Demidov committed 9 years ago

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

this is not going to be backwards compatible change, but it will be the first tagged libknot release sufficient for resolver

amalgamated build concatenates all files into a single .c file to
allow compiler see all symbols and produce possibly smaller code.
for binary distributions this is what you want, as it's faster but
may consume more memory during compilation.
it however cannot do incremental builds.

refs #33

RRs may be touched after resolution completion, this copies RR from
temporary per-recv buffer to answer, which is persistent for the whole
duration of request

the library is able to resolve query in stub mode (no referral chasing,
zone cut lookup) if asked to
validator turns off for stub queries, validating stub is NYI

as the libknot packet interface disallows out-of-order packet
writes, authority and additional records must be written after
the answer is complete; records in the rr arrays will be written to final answer during finalization

[1] shows an attack using spoofed CNAME targets to replace legitimate
entries in resolver cache by speeding up once-per-TTL attack opportunity

as a defense, the resolver almost always requeries CNAME targets and
doesn't store them in cache. the only exception is when the CNAME target
is within current authority, and the answer is DNSSEC-secured

thanks to Toshinori Maeno (@beyondDNS) for pointing this out [2]

[1]: https://tools.ietf.org/id/draft-weaver-dnsext-comprehensive-
resolver-00.html
[2]: https://moin.qmail.jp/DNS/KnotResolver/CNAMEpatch

validator can now yield, but it doesn't plan the sub-requests directly,
that is still a job of the driver

this is useful when you need to issue several subrequests before
continuing with the current query, resuming is not supported yet, so it
will requery after the subrequests complete

current processed query is always in `request->current_query`

this is a workaround for missing DEFER operation, as the
validator module can only detect trust chain breakage
(caused by answering from different authority) after the
iterator writes answer. this causes duplicated answer on
uncached queries

this doesn’t fix record duplication in answer when not answered from cache

this is a problem when both CNAME and the target are answered from the same NS (but different authority), but only the CNAME authority does DNSSEC. it’s probably legal, but it’s pretty stupid to do so

if the client doesn't support DNSSEC, scrub these from the answer
and do not set the AD bit