Fixed nsec3 proof validation with opt-out below wildcard



See merge request !17

graphite module now supports sending over TCP,
if the connection is severed it will attempt to
reconnect periodically. the stats module is now
optional, if not loaded only core built-in stats
will be transmitted

the validator module should ignore any data that
will be scrubbed, that includes non-authoritative
data outside current bailiwick. previously, 
validator attempted to ignore these records only
for answer section and had a special case for NS
records.

cache: non-authoritative NS records are always
unchecked and must be treated as insecure

affected: www.iana.org trying to provide
delegation information for CNAME target, which is
moot with CNAME target explicit-fetch policy unless
the the resolver already knows DNSKEY with which
is could verify the records

kresd accepts DS records in root keys if provided,
it will eventually replace them with DNSKEY in
automatic mode

breathe failed to process the typedef thinking
the macro expansion was a function pointer

updated tests

the utility supports most of the 'unbound-host'
functionality except PTR records

this is a temporary change until luajit-kdns is
merged-in with complete functionality,
this will break the API later and will require a
couple changes in several modules and trust anchors

this is a boilerplate for a CLI utility to resolve
names and execute script on query response
in another words, "a jq for resolver answers"

this is a scaffolding for alternative tools like
'host' or a plug-in part for scripting around it.

it basically starts a kresd instance, but doesn't
bind to any interface or read configuration,
then a query + callback is sent to kresd standard
input, and it quits after the execution

when boostrapping root TA, the DNSKEYs are updated
immediately after retrieving DS from the side channel

a part of the zone cut is visible from Lua world:
- zone cut name (dname)
- trust anchor (rrset)
- current key (rrset)

when raised, a response zone cut will be recovered
even if the response came from cache. this is
normally not needed (and incurs additional cache
lookups), but it may be useful for
inspection

this includes default configuration, resolver
starts completely blank

the second parameter to resolve() callback function
is request (kres.request_t), so the caller can
look into request stats, timing and zone cut data

the quiet mode doesn't print neither intro messages nor prompt
in the interactive mode, which makes it useful for scripted usage

Marek Vavrusa authored 9 years ago and Grigorii Demidov committed 9 years ago

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer