Commits · 86c030e330a61818ae34d146fcba8eb8d2527fbf · Anbang Wen / Knot Resolver

Aug 11, 2016
- Preparations for using nsrep mechanism to guess response origin. · 86c030e3
  Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago
  
  86c030e3
- Added code trying to obtain client IP address from libuv UDP handle. · 201c3516
  Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago
  
  201c3516
- Using actual remote server address to re-generate cookie. · 19dc7748
  Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago
  
  19dc7748
- Obtaining server IP address when generating query. · 784a363e
  Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago
  
  784a363e
Aug 10, 2016
- daemon/lua: support new libknot 2.3 soversion · 80e5b6ac
  Marek Vavrusa authored 8 years ago
  
  80e5b6ac
Aug 09, 2016
- Fix segmentation fault in early shutdown from `quit()` in config · f0589e90
  Ondřej Surý authored 8 years ago
  
  f0589e90
Aug 05, 2016
- daemon/tls: cleanup, documented tls functions · 11ba210a
  Marek Vavrusa authored 8 years ago
  
  11ba210a
- gnutls_certificate_get_x509_crt requires gnutls 3.4.0 · edf23671
  Ondřej Surý authored 8 years ago
  
  edf23671
- Log key-pinning strings for TLS keys · 0cd371a4
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
```
RFC 7858 explicitly defines an out-of-band key pinning profile as one
authentication mechanism.  It uses the same format for representing
the pin as HPKP does (RFC 7469).

By logging this pin directly upon first use of the X.509 credentials,
we make it a little bit easier for an admin to publish part of a
pinset.

For ideal operation (including preparation for key rollover), a backup
public key should also be provided, but this is not defined
functionally here.
```
  0cd371a4
- daemon/main.c, daemon/bindings.c, daemon/tls.c, daemon/worker.h: cleanup · ddfff6d0
  Ondřej Surý authored 8 years ago
  
  ddfff6d0
- Move tls_credentials to struct network · 4725c6b5
  Ondřej Surý authored 8 years ago
  
  4725c6b5
- provide a way for systemd-supervised services to listen on TLS via socket activation · aede98c2
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  aede98c2
- initialize GnuTLS logging cleanly, once at daemon/worker start. · aaa44f19
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
```
We also propagate kresd's verbosity into the TLS logging level
```
  aaa44f19
- Remove the extra indirection in tls_certificate_free · 34e74b49
  Ondřej Surý authored 8 years ago
  
  34e74b49
- Move struct tls_credentials_t from daemon/worker.h to daemon/tls.h · 07c752dd
  Ondřej Surý authored 8 years ago
  
  07c752dd
- daemon/tls: cleanup · 3b7070e4
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
  
  3b7070e4
- Fix the memory leak by returning kr_error(ECONNRESET) on end of stream · 7a2615e6
  Ondřej Surý authored 8 years ago
  
  7a2615e6
- Add reference counting to gnutls credentials, so they don't get destroyed while used · e915b41a
  Ondřej Surý authored 8 years ago
  
  e915b41a
- Initialize global TLS credentials in the worker_ctx and initialize GnuTLS logging at global level · 142eb1a0
  Ondřej Surý authored 8 years ago
  
  142eb1a0
- Miscelaneous fixes in coding style · 436ba6b7
  Ondřej Surý authored 8 years ago
  
  436ba6b7
- Revert default EDNS0 buffer size to 4096 · a3424c26
  Ondřej Surý authored 8 years ago
  
  a3424c26
- daemon: lower minimum allowed edns bufsize to 512 · 4ad0e8b4
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
```
there are cases where switches or middle-boxes
block DNS/UDP answers >512 octets completely,
this gives user an option to mitigate that.
however, there are authoritatives serving
large answers that don't support TCP, so it's
a compromise as always
```
  4ad0e8b4
- listen using TLS on specific sockets · 1e0a8b9d
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
```
kresd has --tls/-t by analogy with --addr/-a where the daemon opens
the socket itself.

This changeset adds equivalent functionality for inherited sockets:
--tlsfd/-T by analogy with --fd/-Sa
```
  1e0a8b9d
- fix kresd internal help docs, describe --tls in kresd(8) · 0c78ff54
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  0c78ff54
- Handle more processing from tls_process to worker_process_tcp · cfe62671
  Ondřej Surý authored 8 years ago
  
  cfe62671
- daemon/tls: fixed improper use of callback, leaks · 098d2786
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
```
the TLS sessions now bypass the usuall event loop asynchronous iops
this is because the whole operation is synchronous right now, and
implementing asynchronous send operations would require TLS session to
restart write events on the event loop and making sure the "on complete"
callback is called eventually
```
  098d2786
- daemon/tls: process all records on input · bcdd8ff5
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
```
this is a workaround probably, but we need to
process all records in received buffer otherwise
it loses the rest of the data
```
  bcdd8ff5
- WIP: first pass at TLS implementation · 4330e95a
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  4330e95a
- daemon/network: global TLS certificate and key configuration · 449ff02c
  Jan Včelák authored 8 years ago and Ondřej Surý committed 8 years ago
  
  449ff02c
- daemon: ported DNS/TLS preparation code to 1.1 · f22f5226
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
  
  f22f5226
- Actively link to gnutls · 316f24fb
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  316f24fb
- TLS: update documentation · 9915bb6a
  Jan Včelák authored 8 years ago and Ondřej Surý committed 8 years ago
  
  9915bb6a
Jul 28, 2016

allow control socket to be specified by systemd supervision · 2a95547e

Daniel Kahn Gillmor authored 8 years ago

When run under systemd supervision, accept a control socket from the
supervisor if the name supplied is "control".

See FileDescriptorName= in systemd.socket(5) for more details.

2a95547e

Jul 20, 2016

Revert default EDNS0 buffer size to 4096 · 55520347
Ondřej Surý authored 8 years ago

55520347

daemon: lower minimum allowed edns bufsize to 512 · 2e253a83

Marek Vavrusa authored 8 years ago

there are cases where switches or middle-boxes
block DNS/UDP answers >512 octets completely,
this gives user an option to mitigate that.
however, there are authoritatives serving
large answers that don't support TCP, so it's
a compromise as always

2e253a83

Jul 16, 2016
- move URLs from http to https where supported · b11d4d00
  Daniel Kahn Gillmor authored 8 years ago
  
  b11d4d00
- www.gnu.org prefers https · 302117eb
  Daniel Kahn Gillmor authored 8 years ago
  
  302117eb
Jul 11, 2016
- doc: fix nitpicks · 70dc9f86
  Vladimír Čunát authored 8 years ago and Vladimír Čunát committed 8 years ago
  
  70dc9f86
Jul 06, 2016
- daemon/network: allow listening on part of interfaces · 0fb9983f
  Marek Vavrusa authored 8 years ago
```
when whole interface is passed and some of the addresses are not bindable,
the daemon will print them, but will continue to bind to the rest of the
addresses

fixes #80
```
  0fb9983f
- daemon: worker publishes usage information · 93303da5
  Marek Vavrusa authored 8 years ago
  
  93303da5

Admin message

Admin message