- Jul 23, 2022
-
-
The upper limit (C_EXPIRE_MAX_INTERVAL) is still valid even for expire timer values received as EDNS EXPIRE options. This partially changes the effect of commit b1f7e2f8 "refresh: don't impose limits on expire when EDNS expire takes effect".
-
- Jul 22, 2022
-
-
Daniel Salzman authored
add a requestor state for situations where data are ignored (i.e. not a processing error) See merge request !1474
-
David Vasek authored
-
- Jul 20, 2022
-
-
Daniel Salzman authored
-
Daniel Salzman authored
-
- Jul 18, 2022
-
-
- Jul 13, 2022
-
-
Daniel Salzman authored
distro/nix: sync changes accumulated over longer time See merge request !1473
-
Vladimír Čunát authored
All are quite minor.
-
- Jul 12, 2022
-
-
- Jul 11, 2022
-
-
Daniel Salzman authored
catalog: "never" expire interpreted catalog zones automatically See merge request !1472
-
Ignore the value from SOA actually.
-
-
- Jul 07, 2022
-
-
Libor Peltan authored
Move offline records loading from knot_zone_sign_update_dnskeys() to context initialization See merge request !1471
-
- Jul 04, 2022
-
-
Daniel Salzman authored
Fix zonedb reload related leaks See merge request !1460
-
Daniel Salzman authored
Zone expiration improvements See merge request !1470
-
- Jul 01, 2022
-
-
Daniel Salzman authored
-
Jan Hák authored
-
Daniel Salzman authored
-
Daniel Salzman authored
This change should improve next bootstrap attempt planning after zone expiration.
-
Daniel Salzman authored
Support haproxy PROXY v2 protocol on incoming UDP packets Closes #762 See merge request !1468
-
-
This commit adds minimal support for the haproxy PROXY v2 protocol which is described at https://www.haproxy.org/download/2.5/doc/proxy-protocol.txt. Only the UDP-over-IPv4 and UDP-over-IPv6 PROXY v2 family/transports are supported, and only the original source address/port of the proxied client are recovered from the PROXY v2 payload. Only the PROXY command is supported.

There is a hardcoded ACL check to verify that the query was sent from 127.0.0.0/8 before PROXY v2 decapsulation is attempted. This prevents spoofing of the PROXY v2 header and avoids exposing the PROXY v2 parsing code to the Internet. This should probably be converted to a real ACL check that can be configured.

If a proxied client address/port was successfully extracted from the PROXY v2 payload, the 'remote' field in the knotd_qdata_params_t structure will be updated to represent the address of the real (proxied) client. This way query modules (e.g. whoami) don't need to be updated to continue to produce correct source address dependent behavior. The address of the proxy that actually sent the proxied packet will be saved in a new 'proxy' field in knotd_qdata_params_t in case this value needs to be processed.

The 'sdig' utility that comes with PowerDNS supports generating queries with a PROXY v2 header, which is in the 'pdns-tools' package on Debian/Ubuntu systems. Example command-line invocations:

* sdig 127.0.0.1 53053 example.net a proxy 0 192.0.2.1:49153 198.51.100.1:53
* sdig 127.0.0.1 53053 example.net a proxy 0 '[2001:db8::1]:49153' '[2001:db8::100:1]:53'
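The order of checks the commit message describes (source ACL first, then header parsing), as an added example that is not the Knot DNS code. The helper name `pp2_decap`, its return convention, and the choice to treat a datagram from a non-loopback sender as plain DNS are assumptions made for illustration; the byte layout follows the haproxy PROXY v2 specification linked above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* 12-byte PROXY v2 signature from the haproxy specification. */
static const uint8_t PP2_SIG[12] = { 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D,
                                     0x0A, 0x51, 0x55, 0x49, 0x54, 0x0A };

/* ACL: only a sender inside 127.0.0.0/8 may supply a PROXY v2 header. */
static int peer_is_loopback(const struct sockaddr_storage *peer)
{
	if (peer->ss_family != AF_INET) return 0;
	const struct sockaddr_in *in = (const struct sockaddr_in *)peer;
	return (ntohl(in->sin_addr.s_addr) >> 24) == 127;
}

/* Hypothetical helper (not Knot DNS code).
 * Returns the DNS payload offset (> 0) and fills *client after decapsulation,
 * 0 if the datagram must be handled as plain DNS, -1 if the header is
 * malformed or unsupported. */
int pp2_decap(const struct sockaddr_storage *peer, const uint8_t *pkt,
              size_t len, struct sockaddr_storage *client)
{
	if (!peer_is_loopback(peer)) return 0;       /* never parse untrusted input */
	if (len < 16 || memcmp(pkt, PP2_SIG, 12) != 0) return 0;
	if (pkt[12] != 0x21) return -1;              /* version 2, PROXY command only */
	size_t alen = ((size_t)pkt[14] << 8) | pkt[15];
	if (alen > len - 16) return -1;              /* declared length exceeds datagram */
	const uint8_t *a = pkt + 16;
	memset(client, 0, sizeof(*client));
	if (pkt[13] == 0x12 && alen >= 12) {         /* AF_INET + DGRAM */
		struct sockaddr_in *in = (struct sockaddr_in *)client;
		in->sin_family = AF_INET;
		memcpy(&in->sin_addr, a, 4);             /* source address */
		memcpy(&in->sin_port, a + 8, 2);         /* source port, network order */
	} else if (pkt[13] == 0x22 && alen >= 36) {  /* AF_INET6 + DGRAM */
		struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)client;
		in6->sin6_family = AF_INET6;
		memcpy(&in6->sin6_addr, a, 16);
		memcpy(&in6->sin6_port, a + 32, 2);
	} else {
		return -1;                               /* TCP, UNIX, or short address block */
	}
	return (int)(16 + alen);
}
```

The returned offset skips the whole declared address block, so any trailing TLVs are ignored rather than parsed.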
-
- Jun 30, 2022
-
-
Daniel Salzman authored
Includes some code improvements and an optimization of reusing unchanged member zones.
-
-
- Jun 29, 2022
-
-
-
Daniel Salzman authored
catalog: purge members before catDB commit Closes #805 See merge request !1469
-
Daniel Salzman authored
relates #805
-
- Jun 28, 2022
-
-
Libor Peltan authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
- Jun 27, 2022
-
-
Daniel Salzman authored
distro: knot-dnssecutils subpackage See merge request !1467
-
Daniel Salzman authored
-
Daniel Salzman authored
-
- Jun 24, 2022
-
-
Jakub Ružička authored
This is for compatibility with Debian knot-dnsutils subpackage.
-