We called kr_crypto_init() just before forking and then _reinit() in
all children, but we never did any cryptography in-between - better
initialize after forking.

Note: the function is KR_EXPORT.  It might not be useful anymore, but
its removal would require bumping libkres soname.

timeouts over TCP when <n> first nameservers timeout over UDP as
previously the TCP would connect again to the first and only the
first nameserver in task->addrlist.

This would need to be ultimately fixed in TCP Fast Retransmit.

when doing fast retransmit, each address may be
contacted 1-N times, but previously only cumulative
RTT was tracked for the NS that sent the answer.

now the approximate query start time is subtracted
from cumulative RTT to give an idea how long it
took since the query was actually sent, and all
the NSs that didn't respond within their retransmit
windows are penalised too

example:

> daf.add 'forward 127.0.0.1@5353'

The missing entry caused some entries to be dear and written to wrong
positions.

Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

The control structure is part of the resolver context.

Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

Use ENABLE_cookies=yes variable to compile functionality.

Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

Cookies are not stored in separate cache.

Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago

RFC 7858 explicitly defines an out-of-band key pinning profile as one
authentication mechanism.  It uses the same format for representing
the pin as HPKP does (RFC 7469).

By logging this pin directly upon first use of the X.509 credentials,
we make it a little bit easier for an admin to publish part of a
pinset.

For ideal operation (including preparation for key rollover), a backup
public key should also be provided, but this is not defined
functionally here.