GitLab

The test was removed by commit 5573a6dd.

For now at least.  This basically reverts 68abde7f which tried
to make it work, but this negative trust anchor was a really bad idea.
The test (also) relies on names underneath getting validated
and used by aggressive cache later.
(They are also signed as belonging to the root zone, so it's ugly.)

With "previous" kresd versions the problematic NSEC inside
somehow validated as secure, but I don't want to be restricted here.

Support for BIND

See merge request !217

Older versions of BIND require commenting out qname-minimization configuration.

BIND builds linked to jemalloc or Clang ASAN will fail to start
on systems with libfaketime versions > 0.9.6:
- jemalloc https://github.com/wolfcw/libfaketime/issues/130
- Clang ASAN https://github.com/wolfcw/libfaketime/issues/365

BIND 9.17.22 treated the old responses as "non-improving delegation".

ci: fix some pylint issues

See merge request !215

improve links and e-mail contact

See merge request !216

It was migrated long ago.  The old URLs still work (redirect)
at this point, but I see no reason to keep using them.

It's not ideal, but so far the communication traffic has been very low.

template/kresd: replace verbose log with request log

See merge request !213

Since kresd 5.4.0, using both debug level logging _and_ request log
will duplicate the request log lines in the output.

I think it is sufficient to log just everything related to the request
and otherwise stick with the default log level. This makes the resulting
log more readable.

val_iter_high.rpl: new tests for NSEC3 with many iterations

See merge request !212

It works with Unbound, too.  The wildcard part triggers an assertion
in kresd 5.3.1.

I wanted to pass --junitxml=path/file.xml and the logs from the
currently empty set of tests were overwriting the interesting ones;
the other way it will be just fine ;-)

iter_formerr.rpl: remove for now

See merge request !210

Note: it was confusing that the copy of iter_formerr.rpl started
already one step above the comment describing it.

We need to control EDNS presence in the auth packet to test this well.

remove kresd's option NO_THROTTLE

See merge request !209

Accomodate workaround changes in Knot Resolver

See merge request !208

There might be more missing, these will be uncovered by more runs in CI,
I quess.

Fix for resolver that does apply query minimization.

Some are intentional and since rplint doesn't allow selective disabling
of checks, we have to live with them for now.

This allows the test to work with more adventurous DNS resolvers which
search for missing AAAA records on NS names.

We also avoid resigning the whole test by selectively turning off
validation for some subtrees.

This however triggers a probable bug in Knot Resolver which tries to
validate names from zones that are set as insecure. We therefore use
built-in root hints which is fragile but works for now. 🤷

Partial fix for #65.

This is a workaround for knot-resolver#626
and to avoid rewriting/regenerationg some of signed tests with missing
A records.