- Aug 03, 2016
-
-
Daniel Kahn Gillmor authored
The hostname() of a given machine might be different from the service the host is offering. In fact, many hosts might offer the same DNS resolver servicename, while having distinct hostnames. The configuration net.tls_servicename() represents the public-facing name of the service offered by the host. For example, the host might be named "pluto", but the service might be "dns.example.org".
-
Daniel Kahn Gillmor authored
RFC 7858 explicitly defines an out-of-band key pinning profile as one authentication mechanism. It uses the same format for representing the pin as HPKP does (RFC 7469). By logging this pin directly upon first use of the X.509 credentials, we make it a little bit easier for an admin to publish part of a pinset. For ideal operation (including preparation for key rollover), a backup public key should also be provided, but this is not defined functionally here.
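The pin format that RFC 7858 borrows from HPKP (RFC 7469) is base64(SHA-256(DER-encoded SubjectPublicKeyInfo)), so the value an operator publishes depends only on the public key, not on the rest of the certificate. The following is an added example, not kresd's own code (kresd computes the digest with nettle/GnuTLS in C): it builds a structurally valid but unsigned X.509 certificate around a constructed Ed25519 SubjectPublicKeyInfo, walks the DER to pull the SPKI back out, and derives the pin. The sample key bytes, the toy certificate builder and all function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample input: an Ed25519 SubjectPublicKeyInfo (RFC 8410 layout)
# whose 32 key bytes are simply 0x00..0x1f.  Not a real key.
SAMPLE_ED25519_KEY = bytes(range(32))
OID_ED25519 = bytes([0x2B, 0x65, 0x70])  # 1.3.101.112

def der_tlv(tag, body):
    """Encode one DER TLV with definite, minimal length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + body

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def ed25519_spki(raw_key):
    """SEQUENCE { AlgorithmIdentifier { OID ed25519 }, BIT STRING (0 unused bits) key }"""
    return der_sequence(der_sequence(der_tlv(0x06, OID_ED25519)),
                        der_tlv(0x03, b"\x00" + raw_key))

def toy_certificate(spki, with_version=True):
    """Structurally valid, unsigned X.509 Certificate wrapper around spki (constructed)."""
    empty_name = der_sequence()
    validity = der_sequence(der_tlv(0x17, b"160803000000Z"), der_tlv(0x17, b"170803000000Z"))
    alg = der_sequence(der_tlv(0x06, OID_ED25519))
    fields = []
    if with_version:
        fields.append(der_tlv(0xA0, der_tlv(0x02, b"\x02")))  # [0] EXPLICIT version v3
    fields += [der_tlv(0x02, b"\x01"), alg, empty_name, validity, empty_name, spki]
    tbs = der_sequence(*fields)
    return der_sequence(tbs, alg, der_tlv(0x03, b"\x00" + bytes(64)))  # dummy signature

def der_read_tlv(buf, pos):
    """Return (tag, body, end) for the TLV at buf[pos:]; rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end

def der_children(body):
    """Split a constructed body into its top-level TLVs (each returned whole)."""
    out, pos = [], 0
    while pos < len(body):
        _, _, end = der_read_tlv(body, pos)
        out.append(body[pos:end])
        pos = end
    return out

def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate."""
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = der_read_tlv(der_children(cert_body)[0], 0)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs_body)
    # version [0] is OPTIONAL: if present the SPKI is the 7th field, else the 6th.
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx]

def pin_sha256(cert_der):
    """RFC 7469 pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return base64.b64encode(digest).decode("ascii")

def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)

def der_to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    cert = toy_certificate(ed25519_spki(SAMPLE_ED25519_KEY))
    print('pin-sha256="%s"' % pin_sha256(cert))
```

To cross-check the value kresd logs for a real certificate, RFC 7469 Appendix A gives the equivalent openssl pipeline: `openssl x509 -pubkey -noout -in cert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Because the pin covers only the SPKI, re-issuing a certificate for the same key keeps the pin stable, which is why a backup pin for a second, not yet deployed key is what makes rollover safe.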
-
Daniel Kahn Gillmor authored
nettle is already being used by libkres.so, so this does not add any new runtime dependencies.
-
Daniel Kahn Gillmor authored
When kresd is listening on TLS, and it is aware that the files which offer it credentials have changed, it should try to reload them for all future TLS sessions. If reloading fails for whatever reason (e.g. if the key has been updated but not the cert, or vice versa), carry on using the old credentials until new valid credentials are available.
-
Daniel Kahn Gillmor authored
-
-
- Aug 02, 2016
-
-
Daniel Kahn Gillmor authored
There is no reason to load TLS X.509 credentials at each session initialization. This changeset loads credentials lazily, when a session starts or when changed, and then reuses them until the next change event.
-
Daniel Kahn Gillmor authored
We also propagate kresd's verbosity into the TLS logging level.
-
Daniel Kahn Gillmor authored
If the user has not specified net.tls_cert or net.tls_key, try loading them from reasonably-named files in the cwd.
-
Daniel Kahn Gillmor authored
-
Daniel Kahn Gillmor authored
kresd has --tls/-t by analogy with --addr/-a where the daemon opens the socket itself. This changeset adds equivalent functionality for inherited sockets: --tlsfd/-T by analogy with --fd/-S.
-
-
The TLS sessions now bypass the usual event loop asynchronous iops. This is because the whole operation is synchronous right now, and implementing asynchronous send operations would require the TLS session to restart write events on the event loop and to make sure the "on complete" callback is called eventually.
-
This is probably a workaround, but we need to process all records in the received buffer, otherwise it loses the rest of the data.
-
Daniel Kahn Gillmor authored
-
-
-
Daniel Kahn Gillmor authored
-
-
Daniel Kahn Gillmor authored
If stdout is buffered, kr_log_info() might take ages to show up in the output stream. Since this stream could be interleaved with stderr (e.g. kr_log_error()), it would be good to be able to see the messages in the order in which they are generated.
-
- Jul 29, 2016
-
-
Ondřej Surý authored
add Documentation= reference to knot-resolver.service. This makes "systemctl help knot-resolver" bring up the appropriate man page. See merge request !39
-
- Jul 28, 2016
-
-
Daniel Kahn Gillmor authored
This makes "systemctl help knot-resolver" bring up the appropriate man page.
-
Marek Vavrusa authored
Control socket activation. This branch provides reasonable configs for full systemd socket activation for kresd. See merge request !36
-
Daniel Kahn Gillmor authored
-
Daniel Kahn Gillmor authored
This is a fully-socket-activated knot-resolver service that can run as a non-privileged user named knot-resolver.
-
Daniel Kahn Gillmor authored
When run under systemd supervision, accept a control socket from the supervisor if the name supplied is "control". See FileDescriptorName= in systemd.socket(5) for more details.
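The contract behind that check is the one documented in sd_listen_fds(3): systemd passes the sockets as fds 3, 4, ... and describes them through LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES, the last one carrying the FileDescriptorName= values joined with ":". The following is an added example of a consumer of that contract, not kresd's own code (which does this in C with libuv). The function names and the sample environments in the usage are constructed for illustration; the "unknown" fallback mirrors what sd_listen_fds_with_names(3) reports when no names were passed.

```python
import os

SD_LISTEN_FDS_START = 3  # first inherited fd number, per sd_listen_fds(3)

def inherited_sockets(environ, own_pid):
    """Map FileDescriptorName= names to the fd numbers the supervisor passed us.

    Returns {} when the environment does not describe sockets for this PID,
    and raises ValueError when LISTEN_FDS and LISTEN_FDNAMES disagree.
    """
    pid = environ.get("LISTEN_PID")
    nfds = environ.get("LISTEN_FDS")
    if pid is None or nfds is None:
        return {}
    if int(pid) != own_pid:
        # Inherited from a parent process; not meant for us (sd_listen_fds
        # performs the same check before trusting the fds).
        return {}
    n = int(nfds)
    if n < 0:
        raise ValueError("negative LISTEN_FDS")
    names_raw = environ.get("LISTEN_FDNAMES", "")
    names = names_raw.split(":") if names_raw else []
    if names and len(names) != n:
        raise ValueError("LISTEN_FDNAMES has %d entries for %d fds" % (len(names), n))
    if not names:
        names = ["unknown"] * n  # no FileDescriptorName= information available
    result = {}
    for i, name in enumerate(names):
        # Several sockets may share a name, so keep a list per name.
        result.setdefault(name, []).append(SD_LISTEN_FDS_START + i)
    return result

def pick_control_socket(environ, own_pid, name="control"):
    """Return the single fd named `name`, None if absent; reject duplicates."""
    fds = inherited_sockets(environ, own_pid).get(name, [])
    if len(fds) > 1:
        raise ValueError("more than one fd named %r" % name)
    return fds[0] if fds else None

def scrub_listen_env(environ):
    """Drop the LISTEN_* variables so child processes do not see them (like unset_environment=1)."""
    for key in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
        environ.pop(key, None)

if __name__ == "__main__":
    # Constructed sample environment: two DNS listeners plus one control socket.
    sample = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "3",
              "LISTEN_FDNAMES": "dns:dns:control"}
    print(inherited_sockets(sample, os.getpid()))
    print("control fd:", pick_control_socket(sample, os.getpid()))
```

The PID comparison is the part worth keeping even in a quick script: without it, a supervised process that forks a helper would hand that helper a stale description of fds that belong to the parent.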
-
- Jul 20, 2016
-
-
Marek Vavrusa authored
This module is superseded by the http module; removing.
-
Ondřej Surý authored
-
Marek Vavrusa authored
The iterator already checks this, and also the chain length; however, these checks were omitted in the rrcache CNAME unroll loop.
-
Marek Vavrusa authored
There are cases where switches or middle-boxes block DNS/UDP answers >512 octets completely; this gives the user an option to mitigate that. However, there are authoritatives serving large answers that don't support TCP, so it's a compromise as always.
-
- Jul 18, 2016
-
-
Marek Vavrusa authored
In normal mode, only the final CNAME target is refetched, but not intermediate CNAMEs. Intermediate CNAMEs are *never* cached, but they are used to get the final name for the requery. In strict mode now, every CNAME target is explicitly fetched even if it's a chained CNAME.
-
Marek Vavrusa authored
-
- Jul 17, 2016
-
-
Ondřej Surý authored
more kresd.8 cleanup. See merge request !35
-
Ondřej Surý authored
emacs turds should never make it into git. See merge request !34
-
Daniel Kahn Gillmor authored
-
Daniel Kahn Gillmor authored
-
- Jul 16, 2016
-
-
Ondřej Surý authored
-
Ondřej Surý authored
Doc cleanup. This is a simple cleanup of documentation. See merge request !33
-
Daniel Kahn Gillmor authored
-
Daniel Kahn Gillmor authored
-