the validator module should ignore any data that
will be scrubbed, that includes non-authoritative
data outside current bailiwick. previously, 
validator attempted to ignore these records only
for answer section and had a special case for NS
records.

cache: non-authoritative NS records are always
unchecked and must be treated as insecure

affected: www.iana.org trying to provide
delegation information for CNAME target, which is
moot with CNAME target explicit-fetch policy unless
the the resolver already knows DNSKEY with which
is could verify the records

breathe failed to process the typedef thinking
the macro expansion was a function pointer

updated tests

when raised, a response zone cut will be recovered
even if the response came from cache. this is
normally not needed (and incurs additional cache
lookups), but it may be useful for
inspection

Marek Vavrusa authored 9 years ago and Grigorii Demidov committed 9 years ago

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

the field length is platform-dependent

Grigorii Demidov authored 9 years ago and Marek Vavrusa committed 9 years ago

lib: answer finalization was changed

this is not going to be backwards compatible change, but it will be the first tagged libknot release sufficient for resolver

thanks @darix!
fixes #21,#22

* PIE,RELRO+NOW and other security features enabled
* support for both static/dynamic builds with BUILDMODE
* dynamic library is ABI-versioned, starting at 1
* pkg-config file is installed

this is needed to make sure it always compiles with PIC

rdata may be <=64k + 8B on stack which may be source of various mystery
errors later, for example in bindings or stackspace-constricted env

this allows to override any dstdir variable without
patching config.mk

worker can track outbound requests and if N resolutions want the same
subrequest, only one will lead it and others will be notified when it
finishes

this massively reduces number of outbound requests for
slow/unresponsive/low ttl requests

any answer that is considered as malformed/servfail/otherwise bad
penalizes the NS for the next time like timeout, this doesn't apply for
DNSSEC validation failures as it still may be okay for insecure
resolution. EDNS failures are okay because the server is requeried in
the most simple RFC1035 mode before flagging it as failed

this avoids instant requeries for SERVFAILing resolutions

when a delegation is provably insecure, it is flagged as INSECURE in
cache (this is different from "unchecked"), when the next query finds
the same zone cut, this information is retrieved and if it was proved to
be insecure before, this status is reused

this prevents refetching of NS/DNSKEY in some situations