distro/arch: add lua51-cqueues optional dependency

See merge request knot/knot-resolver!871

minor fixes

See merge request knot/knot-resolver!870

release 4.2.1

See merge request knot/knot-resolver!869

nsrep fixes

Closes #497

See merge request knot/knot-resolver!868

... as input into the *unchanged* algorithm (which is ugly).
This partially addresses the problem attempted by reverted commit,
and it also improves some other properties of the algorithm.

This reverts commit 196ebd4f.
It was buggy, and I can't simply recover the intended effect.

validator: trim TTLs by RRSIG's expiration and original TTL

Closes #319

See merge request knot/knot-resolver!866

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

A down-side is that validation can now modify the validated RRset
on success.  I checked all transitive call sites that it's OK.
The change is pretty simple; I just hand-tested it a bit with faketime.

modules/policy: DENY forgotten special-use domains

See merge request knot/knot-resolver!855

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
- local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
Well, it's just an approximation... if the user specifies a forwarding
policy, any special names will also get forwarded, even though the RFC
says not to.  And this code will also reply NXDOMAIN to home.arpa. DS.

Some of these DENY rules are perhaps unnecessary, but for now we keep
the same approach.  For arguments see the MR 855 thread and linked ML.

add compatibility with libknot 2.9

See merge request knot/knot-resolver!864

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

I think it's safer to block it by default.  For developer convenience,
let's allow pre-release variants of one further minor version.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

It's fairly easy to keep keep compatible with both 2.8 and 2.9,
so I'd go for that for now, as it may be practical.

prefill module: allow a different module-loading style

Closes #506

See merge request knot/knot-resolver!863

Otherwise plain `modules = { 'prefill' }` will error out,
which is surprising wrt. to style used/allowed by other modules.

ci updates

See merge request knot/knot-resolver!865

Leap15 box was (allegedly temporarily) removed from vagrantcloud.
This is official upstream box generated by openSUSE that should be the
same as the one that used to be available on vagrantcloud.

Fixes #496

Fixes: #496

lib/resolve answer_finalize: don't SERVFAIL bogus +cd

See merge request knot/knot-resolver!860

As kresd works now, typically we do not know whether these records are
bogus, as with +cd we do not attempt validation.  Still, it's possible
that we have those records in cache from an occasion without +cd, in
which case we know they're bogus and this regression happened.

The potential impact of this issue seems minimal.

Rebinding fixes

See merge request knot/knot-resolver!859

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

This avoids getting into an inconsistent state of the request (assert),
and it also allows some real-life cases to succeed without using
a forbidden address in any way (even though they *are* weird).

I can still imagine weird setups where a request gets failed even
though it would be resolvable without *using* a forbidden address,
but none of these seem reasonable anyway (or common in practice).

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

Some people might want the rebinding module generally but still use
policy to allow local addresses in some specific cases.

distro/deb: generate *-dbg symbols package explicitly

See merge request knot/knot-resolver!858

Related #496

ci: fix obs:release job

See merge request knot/knot-resolver!857

Release 4.2.0

See merge request knot/knot-resolver!856