forks are connected with IPC pipes to process
group leader and can execute expressions on its
behalf. so running commands over all workers
is easy now:

> hostname() -- single
localhost

> map 'hostname()' -- all
localhost
localhost
localhost

* SOA MINTTL always preferred for negative answers
* only SOA used for negative answers

refs #75

this is required to avoid REFUSED loops if the origin doesn't handle
minimisation well

this change introduces new API for cache backends,
that is a subset of knot_db_api_t from libknot
with several cache-specific operations

major changes are:
* merged 'cachectl' module into 'cache' as it is
  99% default-on and it simplifies things
* not transaction oriented, transactions may be
  reused and cached for higher performance
* scatter/gather API, this is important for
  latency and performance of non-local backends
  like Redis
* faster and reliable cache clearing
* cache-specific operations (prefix scan, ...) in
  the API not hacked in
* simpler code for both backends and caller

* simplified soft-fail per-ns limit to per-query
  limit, each query gets 4 tries at resolving
* instead of locking at single servfailing NS,
  penalise it and run reelection, this may or
  may not try other servers but avoids pathologic
  case when single NS is servfailing while others
  are good but never probed
* added new nsrep update mode (addition)

this code used memory pool of source packet instead
of the answer, this could result in invalidated
memory read if the memory occupied by source
packet was rewritten

the daemon has now three modes of strictness
checking from strict to permissive.
it reflects the tradeoff between resolving the
query in as few steps as possible and security
for insecure zones

This reverts commit f9ffeca9.

in permissive mode, resolver is free to use
(but not cache) non-mandatory glue records even
if they're not resolvable. this is great as a 
workaround for broken child-side zones, but
not great for security of, well, insecure
delegations. it's off by default.

the validator module should ignore any data that
will be scrubbed, that includes non-authoritative
data outside current bailiwick. previously, 
validator attempted to ignore these records only
for answer section and had a special case for NS
records.

cache: non-authoritative NS records are always
unchecked and must be treated as insecure

affected: www.iana.org trying to provide
delegation information for CNAME target, which is
moot with CNAME target explicit-fetch policy unless
the the resolver already knows DNSKEY with which
is could verify the records

updated tests

Marek Vavrusa authored 9 years ago and Grigorii Demidov committed 9 years ago

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

this is not going to be backwards compatible change, but it will be the first tagged libknot release sufficient for resolver

amalgamated build concatenates all files into a single .c file to
allow compiler see all symbols and produce possibly smaller code.
for binary distributions this is what you want, as it's faster but
may consume more memory during compilation.
it however cannot do incremental builds.

refs #33

refs #33

RRs may be touched after resolution completion, this copies RR from
temporary per-recv buffer to answer, which is persistent for the whole
duration of request