- Aug 19, 2016
-
-
This commit adds a new "whoami" module. It synthesizes an A or AAAA record containing the query source IP address, at the apex of the zone being served. It makes sure to allow Knot to generate cacheable negative responses, and to allow fallback to extra records defined in the underlying zone file. The TTL of the synthesized record is copied from the TTL of the SOA record in the zone file.

Because a DNS query for type A or AAAA has nothing to do with whether the query occurs over IPv4 or IPv6, this module requires a special zone configuration to support both address families. For A queries, the underlying zone must have a set of nameservers that only have IPv4 addresses, and for AAAA queries, the underlying zone must have a set of nameservers that only have IPv6 addresses.

To enable this module, you need to add something like the following to the Knot configuration file:

    mod-whoami:
      - id: default

    zone:
      - domain: whoami.domain.example
        file: "/path/to/whoami.domain.example"
        module: [mod-whoami/default]

    zone:
      - domain: whoami6.domain.example
        file: "/path/to/whoami6.domain.example"
        module: [mod-whoami/default]

The whoami.domain.example zone file would look something like:

    $TTL 1

    @       SOA     (
                    whoami.domain.example.          ; MNAME
                    hostmaster.domain.example.      ; RNAME
                    2016051300                      ; SERIAL
                    86400                           ; REFRESH
                    86400                           ; RETRY
                    86400                           ; EXPIRE
                    1                               ; MINIMUM
                    )

    $TTL 86400

    @       NS      ns1.whoami.domain.example.
    @       NS      ns2.whoami.domain.example.
    @       NS      ns3.whoami.domain.example.
    @       NS      ns4.whoami.domain.example.

    ns1     A       198.51.100.53
    ns2     A       192.0.2.53
    ns3     A       203.0.113.53
    ns4     A       198.19.123.53

The whoami6.domain.example zone file would look something like:

    $TTL 1

    @       SOA     (
                    whoami6.domain.example.         ; MNAME
                    hostmaster.domain.example.      ; RNAME
                    2016051300                      ; SERIAL
                    86400                           ; REFRESH
                    86400                           ; RETRY
                    86400                           ; EXPIRE
                    1                               ; MINIMUM
                    )

    $TTL 86400

    @       NS      ns1.whoami6.domain.example.
    @       NS      ns2.whoami6.domain.example.
    @       NS      ns3.whoami6.domain.example.
    @       NS      ns4.whoami6.domain.example.

    ns1     AAAA    2001:db8:100::53
    ns2     AAAA    2001:db8:200::53
    ns3     AAAA    2001:db8:300::53
    ns4     AAAA    2001:db8:400::53

The parent domain would then delegate whoami.domain.example to ns[1-4].whoami.domain.example and whoami6.domain.example to ns[1-4].whoami6.domain.example, and include the corresponding A-only or AAAA-only glue records.

To test this locally, I stubbed out the zones in my Unbound configuration:

    server:
        domain-insecure: "whoami.domain.example"
        domain-insecure: "whoami6.domain.example"

    stub-zone:
        name: "whoami.domain.example"
        stub-addr: <IPv4 address that Knot listens on>

    stub-zone:
        name: "whoami6.domain.example"
        stub-addr: <IPv6 address that Knot listens on>
-
- Aug 18, 2016
-
-
-
Ondřej Surý authored
-
The autoconf macro AC_USE_SYSTEM_EXTENSIONS does not take any arguments.

See:
    https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Posix-Variants.html
    http://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=blob;f=lib/autoconf/specific.m4;h=7d6be579294f0668554b2c598f6a972767c51f89;hb=771017a4336bcc38b99c84e345c94a8910b89996#l359
    https://lists.gnu.org/archive/html/autoconf/2014-02/msg00064.html
-
- Aug 16, 2016
-
-
Ondřej Surý authored
-
Ondřej Surý authored
-
- Aug 15, 2016
-
-
Jan Včelák authored
-
Jan Včelák authored
-
Jan Včelák authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
-
- Aug 12, 2016
-
-
Dominik Taborsky authored
-
Jan Včelák authored
-
Dominik Taborsky authored
-
Dominik Taborsky authored
-
Dominik Taborsky authored
-
Dominik Taborsky authored
-
- Aug 11, 2016
-
-
Daniel Salzman authored
Zone update v2

Upgraded zone_update code to build the resulting zone on-the-fly using the apply_ functions. This mimics the changeset application that would normally happen at the commit phase. The advantages are:

  - can fail right away during addition/removal instead of during commit
  - saves lots of memory by not synthesizing nodes
  - discards lots of duplicate code and simplifies other; primarily only zone_update addition and removals are more complicated.
  - makes the apply_ functions more generic, robust

Only disadvantage I can think of is that the complexity of changesets, zone contents, pointers, nsec chains, etc. makes it difficult to consider whether the code is correct. It requires more testing over CTL, but it mostly should work very well considering all code used now was used before. Also the ddns/basic test is pretty extensive, making at least some guarantee of correctness.

See merge request !576
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Daniel Salzman authored
-
Jan Včelák authored
The structs cannot be compared directly because BSDs use some extra fields which don't have a match. Compare just address and port.
-
Jan Včelák authored
Write DNS cookies in network-order. See merge request !575
-
Ondřej Surý authored
utils/tls: print certificate hierarchy See merge request !573
-
Karel Slaný authored
Tests on big-endian machines have been failing.
-
Dominik Taborsky authored
-
- Aug 10, 2016
-
-
Daniel Salzman authored
-
Dominik Taborsky authored
-
Dominik Taborsky authored
-
- Aug 09, 2016
-
-
Jan Včelák authored
-
Jan Včelák authored
-
Jan Včelák authored
-
Jan Včelák authored
-
Grigorii Demidov authored
-
Dominik Taborsky authored
-
Jan Včelák authored
-
Jan Včelák authored
-