Commits · aede98c2a690d81c513306c8f111ccc97ff65709 · Anbang Wen / Knot Resolver

Aug 05, 2016
- provide a way for systemd-supervised services to listen on TLS via socket activation · aede98c2
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  aede98c2
- initialize GnuTLS logging cleanly, once at daemon/worker start. · aaa44f19
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
```
We also propagate kresd's verbosity into the TLS logging level
```
  aaa44f19
- Remove the extra indirection in tls_certificate_free · 34e74b49
  Ondřej Surý authored 8 years ago
  
  34e74b49
- Move struct tls_credentials_t from daemon/worker.h to daemon/tls.h · 07c752dd
  Ondřej Surý authored 8 years ago
  
  07c752dd
- daemon/tls: cleanup · 3b7070e4
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
  
  3b7070e4
- Fix the memory leak by returning kr_error(ECONNRESET) on end of stream · 7a2615e6
  Ondřej Surý authored 8 years ago
  
  7a2615e6
- Add reference counting to gnutls credentials, so they don't get destroyed while used · e915b41a
  Ondřej Surý authored 8 years ago
  
  e915b41a
- Initialize global TLS credentials in the worker_ctx and initialize GnuTLS logging at global level · 142eb1a0
  Ondřej Surý authored 8 years ago
  
  142eb1a0
- Miscelaneous fixes in coding style · 436ba6b7
  Ondřej Surý authored 8 years ago
  
  436ba6b7
- Revert default EDNS0 buffer size to 4096 · a3424c26
  Ondřej Surý authored 8 years ago
  
  a3424c26
- daemon: lower minimum allowed edns bufsize to 512 · 4ad0e8b4
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
```
there are cases where switches or middle-boxes
block DNS/UDP answers >512 octets completely,
this gives user an option to mitigate that.
however, there are authoritatives serving
large answers that don't support TCP, so it's
a compromise as always
```
  4ad0e8b4
- listen using TLS on specific sockets · 1e0a8b9d
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
```
kresd has --tls/-t by analogy with --addr/-a where the daemon opens
the socket itself.

This changeset adds equivalent functionality for inherited sockets:
--tlsfd/-T by analogy with --fd/-Sa
```
  1e0a8b9d
- fix kresd internal help docs, describe --tls in kresd(8) · 0c78ff54
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  0c78ff54
- Handle more processing from tls_process to worker_process_tcp · cfe62671
  Ondřej Surý authored 8 years ago
  
  cfe62671
- daemon/tls: fixed improper use of callback, leaks · 098d2786
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
```
the TLS sessions now bypass the usuall event loop asynchronous iops
this is because the whole operation is synchronous right now, and
implementing asynchronous send operations would require TLS session to
restart write events on the event loop and making sure the "on complete"
callback is called eventually
```
  098d2786
- daemon/tls: process all records on input · bcdd8ff5
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
```
this is a workaround probably, but we need to
process all records in received buffer otherwise
it loses the rest of the data
```
  bcdd8ff5
- WIP: first pass at TLS implementation · 4330e95a
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  4330e95a
- daemon/network: global TLS certificate and key configuration · 449ff02c
  Jan Včelák authored 8 years ago and Ondřej Surý committed 8 years ago
  
  449ff02c
- daemon: ported DNS/TLS preparation code to 1.1 · f22f5226
  Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago
  
  f22f5226
- Actively link to gnutls · 316f24fb
  Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago
  
  316f24fb
- TLS: update documentation · 9915bb6a
  Jan Včelák authored 8 years ago and Ondřej Surý committed 8 years ago
  
  9915bb6a
Aug 04, 2016
- sd_listen_fds_with_names() requires libsystemd >= 227 · 50eebc07
  Ondřej Surý authored 8 years ago
  
  50eebc07
Jul 29, 2016

Merge branch 'systemctl-help' into 'master' · 4a49a83f

Ondřej Surý authored 8 years ago

add Documentation= reference to knot-resolver.service

This makes "systemctl help knot-resolver" bring up the appropriate man
page.

See merge request !39

4a49a83f

Jul 28, 2016
- add Documentation= reference to knot-resolver.service · a950fe76
  Daniel Kahn Gillmor authored 8 years ago
```
This makes "systemctl help knot-resolver" bring up the appropriate man
page.
```
  a950fe76
- Merge branch 'control-socket-activation' into 'master' · 7dddb6c0
  Marek Vavrusa authored 8 years ago
```
Control socket activation

This branch provides reasonable configs for full systemd socket activation for kresd.

See merge request !36
```
  7dddb6c0
- update documentation to explain systemd socket-activation configuration · 023b92a4
  Daniel Kahn Gillmor authored 8 years ago
  
  023b92a4
- systemd rules for closely-supervised knot-resolver service · ed62cc88
  Daniel Kahn Gillmor authored 8 years ago
```
This is a fully-socket-activated knot-resolver service that can run as
a non-priivleged user named knot-resolver.
```
  ed62cc88
- allow control socket to be specified by systemd supervision · 2a95547e
  Daniel Kahn Gillmor authored 8 years ago
```
When run under systemd supervision, accept a control socket from the
supervisor if the name supplied is "control".

See FileDescriptorName= in systemd.socket(5) for more details.
```
  2a95547e
Jul 20, 2016

modules: deprecated tinyweb, superseded by http · 6887a4a2
Marek Vavrusa authored 8 years ago
```
this module is superseded by http module, removing
```
6887a4a2
Revert default EDNS0 buffer size to 4096 · 55520347
Ondřej Surý authored 8 years ago

55520347

layer/rrcache: added check for cname chain loops · 17b8cfc8

Marek Vavrusa authored 8 years ago

iterator already checks this and also chain length,
however these checks were omitted in the rrcache
CNAME unroll loop

17b8cfc8

daemon: lower minimum allowed edns bufsize to 512 · 2e253a83

Marek Vavrusa authored 8 years ago

there are cases where switches or middle-boxes
block DNS/UDP answers >512 octets completely,
this gives user an option to mitigate that.
however, there are authoritatives serving
large answers that don't support TCP, so it's
a compromise as always

2e253a83

Jul 18, 2016

daemon: always refetch CNAME target in 'strict' mode · 4e766ef0

Marek Vavrusa authored 8 years ago

in normal mode, only final CNAME target is refetched, but
not intermediate CNAMEs. intermediate CNAMEs are *never* cached,
but they are used to get final name for requery. in strict mode now,
every CNAME target is explicitly fetched even if it's a chained CNAME.

4e766ef0

modules/http: limit graph to 1000 datapoints · 736ba7c7
Marek Vavrusa authored 8 years ago

736ba7c7

Jul 17, 2016
- Merge branch 'doc-cleanup' into 'master' · 5426e206
  Ondřej Surý authored 8 years ago
```
more kresd.8 cleanup



See merge request !35
```
  5426e206
- Merge branch 'help-the-emacs-users' into 'master' · 3fbb9996
  Ondřej Surý authored 8 years ago
```
emacs turds should never make it into git



See merge request !34
```
  3fbb9996
- more kresd.8 cleanup · 6555eac9
  Daniel Kahn Gillmor authored 8 years ago
  
  6555eac9
- emacs turds should never make it into git · 2879281a
  Daniel Kahn Gillmor authored 8 years ago
  
  2879281a
Jul 16, 2016
- Add some autogenerated files to .gitignore · 66161442
  Ondřej Surý authored 8 years ago
  
  66161442
- Merge branch 'doc-cleanup' into 'master' · 60aa213e
  Ondřej Surý authored 8 years ago
```
Doc cleanup

This is a simple cleanup of documentation

See merge request !33
```
  60aa213e

Admin message

Admin message