Little NSEC3 fixes

See merge request !1121

David Vasek authored 4 years ago and Daniel Salzman committed 4 years ago

Until now, after the first error, both errors and warnings had been logged as errors.

Alexander Schultz authored 4 years ago and Daniel Salzman committed 4 years ago

This causes the error messages when invalid OCSP data is found to be the ones
found in the verify_ocsp function, rather than than the accurate, but less
helpful "handshake failed" messages that currently gets displayed.

onlinesign: allow explicit single-type-signing:off

See merge request !1120

dnssec: re-plan sign when failed

See merge request !1119

bugfix: shared KSK: race-condition preventer not working with initial first key

See merge request !1118

bugfix: journal orphan purge not working due to concurrent RO txns

See merge request !1116

kjournalprint: -z -d lists zones with sizes

See merge request !1115

KASP db: use server->kaspdb also in onlinesign...

See merge request !1117

...otherwise the extra environment breaks up server->kaspdb once deinitialized.
This caused rarely MDB_BAD_RSLOT after onlinesign reload.

nsec3: bugfix: empty-non-terminal above unchanged deleg has NSEC3:

See merge request !1113

Libor Peltan authored 4 years ago and Daniel Salzman committed 4 years ago

this happens when an incremental update removes a record from
a node, which becomes empty-non-terminal, and there is a
delegation below the node. In this situation, NSEC3 record
for this empty-non-terminal was created, which is not against
RFCs, but inconsistent with general Knot behaviour.
The fix always iterates to a subtree of empty-non-terminal
with mark_empty on incremental update.

David Vasek authored 5 years ago and Daniel Salzman committed 4 years ago

FreeBSD removed EAI_ADDRFAMILY as a result of RFC 2553 having been obsoleted by RFC 3493,
which doesn't mention EAI_ADDRFAMILY any longer. As FreeBSD (and macOS) return EAI_NONAME
in such a case, some EAI_NONAME errors ("Name does not resolve for server@service") are being
sacrified on FreeBSD/macOS and others, so as to avoid reporting an error for every
configured resolver that doesn't have a network addresses in the requested address family.

Linux's glibc, OpenBSD, NetBSD, and DragonFlyBSD still have EAI_ADDRFAMILY implemented, at
least according to man pages. FreeBSD, macOS, and e.g. Solaris do not. Let's suppose that
these all return EAI_NONAME instead of the original EAI_ADDRFAMILY.

Allow sockaddr_cmp() to ignore port if needed

See merge request !1114

David Vasek authored 5 years ago and Daniel Salzman committed 5 years ago

At the same time, fix the wrong return value from journals_walk().

David Vasek authored 5 years ago and Daniel Salzman committed 5 years ago

Provide more detailed error reports when translating an address of the server.
Also, don't report each server that doesn't have a network addresses in the requested address family.

nsec3 increm upd: better deleg and empty-non-term handling

See merge request !1110