doc/introduction.rst

@@ -42,7 +42,7 @@ DNS features:
   TXT, RP, AFSDB, RT, KEY, AAAA, LOC, SRV, NAPTR, KX, CERT, DNAME, APL, DS,
   SSHFP, IPSECKEY, RRSIG, NSEC, DNSKEY, DHCID, NSEC3, NSEC3PARAM, TLSA, SMIMEA,
   CDS, CDNSKEY, OPENPGPKEY, CSYNC, ZONEMD, SVCB, HTTPS, SPF, NID, L32, L64, LP,
-  EUI48, EUI64, URI, CAA, and Unknown
+  EUI48, EUI64, URI, CAA, WALLET, and Unknown
 
 Server features:
 

src/knot/dnssec/nsec-chain.c

@@ -127,10 +127,11 @@ static int connect_nsec_nodes(zone_node_t *a, zone_node_t *b,
 
 	/*!
 	 * If the node has no other RRSets than NSEC (and possibly RRSIGs),
+	 * or the node is not authoritative,
 	 * just remove the NSEC and its RRSIG, they are redundant
 	 */
-	if (node_rrtype_exists(b, KNOT_RRTYPE_NSEC)
-	    && knot_nsec_empty_nsec_and_rrsigs_in_node(b)) {
+	if (node_rrtype_exists(b, KNOT_RRTYPE_NSEC) &&
+	    (b->flags & NODE_FLAGS_NONAUTH || knot_nsec_empty_nsec_and_rrsigs_in_node(b))) {
 		ret = knot_nsec_changeset_remove(b, data->update);
 		if (ret != KNOT_EOK) {
 			return ret;

src/knot/events/handlers/load.c

@@ -221,9 +221,10 @@ int event_load(conf_t *conf, zone_t *zone)
 				ret = zone_update_increment_soa(&up, conf);
 			}
 		} else if (zf_conts == NULL) {
-			// nothing to be re-loaded
-			ret = KNOT_EOK;
-			goto cleanup;
+			// nothing to be re-loaded. We could nicely end here...
+			// BUT in case of conf change, it's proper to re-ZONEMD and re-DNSSEC
+			// ALSO replan_load_updated() relies on that DNSSEC event planning cascades from here
+			ret = zone_update_init(&up, zone, UPDATE_INCREMENTAL);
 		} else if (zf_from == ZONEFILE_LOAD_WHOLE) {
 			// throw old zone contents and load new from ZF
 			ret = zone_update_from_contents(&up, zone, zf_conts,

src/libknot/codes.c

-/*  Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -126,6 +126,8 @@ const knot_lookup_t knot_svcb_param_names[] = {
 	{ KNOT_SVCB_PARAM_IPV4HINT,  "ipv4hint" },
 	{ KNOT_SVCB_PARAM_ECH,       "ech" },
 	{ KNOT_SVCB_PARAM_IPV6HINT,  "ipv6hint" },
+	{ KNOT_SVCB_PARAM_DOHPATH,   "dohpath" },
+	{ KNOT_SVCB_PARAM_OHTTP,     "ohttp" },
 	{ 0, NULL }
 };
 
@@ -139,4 +141,5 @@ const knot_lookup_t knot_edns_opt_names[] = {
 	{ KNOT_EDNS_OPTION_PADDING,       "PADDING" },
 	{ KNOT_EDNS_OPTION_CHAIN,         "CHAIN" },
 	{ KNOT_EDNS_OPTION_EDE,           "EDE" },
+	{ 0, NULL }
 };

src/libknot/consts.h

-/*  Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -148,7 +148,7 @@ typedef enum {
 /*!
  * \brief Service Binding (SVCB) Parameter Registry
  *
- * https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-05 // FIXME
+ * https://www.iana.org/assignments/dns-svcb/dns-svcb.xhtml
  */
 typedef enum {
 	KNOT_SVCB_PARAM_MANDATORY = 0,
@@ -158,6 +158,8 @@ typedef enum {
 	KNOT_SVCB_PARAM_IPV4HINT  = 4,
 	KNOT_SVCB_PARAM_ECH       = 5,
 	KNOT_SVCB_PARAM_IPV6HINT  = 6,
+	KNOT_SVCB_PARAM_DOHPATH   = 7,
+	KNOT_SVCB_PARAM_OHTTP     = 8,
 } knot_svcb_param_t;
 
 /*! @} */

src/libknot/descriptor.c

-/*  Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -150,6 +150,8 @@ static const knot_rdata_descriptor_t rdata_descriptors[] = {
 	                               KNOT_RDATA_WF_END }, "URI" },
 	[KNOT_RRTYPE_CAA]        = { { KNOT_RDATA_WF_REMAINDER,
 	                               KNOT_RDATA_WF_END }, "CAA" },
+	[KNOT_RRTYPE_WALLET]     = { { KNOT_RDATA_WF_REMAINDER,
+	                               KNOT_RDATA_WF_END }, "WALLET" },
 };
 
 #define MAX_RRTYPE sizeof(rdata_descriptors) / sizeof(knot_rdata_descriptor_t) - 1

src/libknot/descriptor.h

-/*  Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -126,6 +126,8 @@ enum knot_rr_type {
 	KNOT_RRTYPE_ANY        = 255, /*!< QTYPE. Any record. */
 	KNOT_RRTYPE_URI        = 256, /*!< Uniform resource identifier. */
 	KNOT_RRTYPE_CAA        = 257, /*!< Certification authority restriction. */
+
+	KNOT_RRTYPE_WALLET     = 262, /*!< Public wallet address. */
 };
 
 /*!

src/libknot/errcode.h

@@ -58,6 +58,7 @@ enum knot_error {
 	KNOT_EADDRNOTAVAIL = -EADDRNOTAVAIL,
 	KNOT_ENOTDIR       = -ENOTDIR,
 	KNOT_EPERM         = -EPERM,
+	KNOT_EROFS         = -EROFS,
 
 	KNOT_ERRNO_ERROR   = -500,
 

src/libknot/error.c

@@ -59,6 +59,7 @@ static const struct error errors[] = {
 	{ KNOT_EADDRNOTAVAIL, "address is not available" },
 	{ KNOT_ENOTDIR,       "not a directory" },
 	{ KNOT_EPERM,         "operation not permitted" },
+	{ KNOT_EROFS,         "read-only file system" },
 
 	{ KNOT_ERRNO_ERROR,   "unknown system error" },
 

src/libknot/rrset-dump.c

@@ -1576,6 +1576,12 @@ static void wire_svcparam_to_str(rrset_dump_params_t *p)
 		case KNOT_SVCB_PARAM_IPV6HINT:
 			wire_value_list_to_str(p, wire_ipv6_to_str, p->in + val_len);
 			break;
+		case KNOT_SVCB_PARAM_DOHPATH:
+			wire_text_to_str(p, val_len, NULL, true, false);
+			break;
+		case KNOT_SVCB_PARAM_OHTTP:
+			p->ret = -1; // must not have value
+			break;
 		default:
 			wire_text_to_str(p, val_len, NULL, true, false);
 		}
@@ -2283,6 +2289,7 @@ static int txt_dump_data(rrset_dump_params_t *p, uint16_t type)
 			return dump_mx(p);
 		case KNOT_RRTYPE_TXT:
 		case KNOT_RRTYPE_SPF:
+		case KNOT_RRTYPE_WALLET:
 			return dump_txt(p);
 		case KNOT_RRTYPE_KEY:
 		case KNOT_RRTYPE_DNSKEY:

src/libknot/xdp/tcp.c

@@ -348,7 +348,10 @@ int knot_tcp_recv(knot_tcp_relay_t *relay, knot_xdp_msg_t *msg,
 			bool synack = (msg->flags & KNOT_XDP_MSG_ACK);
 
 			knot_tcp_table_t *add_table = tcp_table;
-			if (syn_table != NULL && !synack) {
+			if (syn_table != NULL) {
+				if (synack) {
+					break; // creating conn based on SYN+ACK is only for kxdpgun, disallow in knotd
+				}
 				add_table = syn_table;
 				if (*tcp_table_lookup(&msg->ip_from, &msg->ip_to, &conn_hash, syn_table) != NULL) {
 					break;
@@ -378,7 +381,7 @@ int knot_tcp_recv(knot_tcp_relay_t *relay, knot_xdp_msg_t *msg,
 		break;
 	case KNOT_XDP_MSG_ACK:
 		if (!seq_ack_match) {
-			if (syn_table != NULL && msg->payload.iov_len == 0 &&
+			if (syn_table != NULL && msg->payload.iov_len == 0 && conn == NULL &&
 			    (pconn = tcp_table_lookup(&msg->ip_from, &msg->ip_to, &conn_hash, syn_table)) != NULL &&
 			    (conn = *pconn) != NULL && check_seq_ack(msg, conn)) {
 				// move conn from syn_table to tcp_table

src/libknot/xdp/xdp.c

@@ -545,7 +545,7 @@ int knot_xdp_recv(knot_xdp_socket_t *socket, knot_xdp_msg_t msgs[],
 
 static uint8_t *msg_uframe_ptr(const knot_xdp_msg_t *msg)
 {
-	return NULL + ((msg->payload.iov_base - NULL) & ~(FRAME_SIZE - 1));
+	return (uint8_t *)((uintptr_t)msg->payload.iov_base & ~(FRAME_SIZE - 1));
 }
 
 _public_

src/libzscanner/scanner_body.rl

@@ -1432,6 +1432,7 @@
 	    | "CAA"i        %{ type_num(KNOT_RRTYPE_CAA, &rdata_tail); }
 	    | "SVCB"i       %{ type_num(KNOT_RRTYPE_SVCB, &rdata_tail); }
 	    | "HTTPS"i      %{ type_num(KNOT_RRTYPE_HTTPS, &rdata_tail); }
+	    | "WALLET"i     %{ type_num(KNOT_RRTYPE_WALLET, &rdata_tail); }
 	    | "TYPE"i      . num16 # TYPE0-TYPE65535.
 	    ) $!_type_error;
 	# END
@@ -1498,6 +1499,7 @@
 	    | "CAA"i        %{ window_add_bit(KNOT_RRTYPE_CAA, s); }
 	    | "SVCB"i       %{ window_add_bit(KNOT_RRTYPE_SVCB, s); }
 	    | "HTTPS"i      %{ window_add_bit(KNOT_RRTYPE_HTTPS, s); }
+	    | "WALLET"i     %{ window_add_bit(KNOT_RRTYPE_WALLET, s); }
 	    | "TYPE"i      . type_bitmap # TYPE0-TYPE65535.
 	    );
 
@@ -1840,10 +1842,13 @@
 	svcb_key_ipv4hint  = ("ipv4hint"        %_write16_4);
 	svcb_key_ech       = ("ech"             %_write16_5);
 	svcb_key_ipv6hint  = ("ipv6hint"        %_write16_6);
+	svcb_key_dohpath   = ("dohpath"         %_write16_7);
+	svcb_key_ohttp     = ("ohttp"           %_write16_8);
 
 	mandat_value_ :=
 		(svcb_key_generic | svcb_key_alpn | svcb_key_ndalpn | svcb_key_port |
-		 svcb_key_ipv4hint | svcb_key_ech | svcb_key_ipv6hint
+		 svcb_key_ipv4hint | svcb_key_ech | svcb_key_ipv6hint | svcb_key_dohpath |
+		 svcb_key_ohttp
 		) >_rdata_2B_check $!_mandat_value_error %_ret . ([,\"] | all_wchar);
 	mandat_value = alpha ${ fhold; fcall mandat_value_; };
 
@@ -1857,20 +1862,24 @@
 	svcb_ipv4     = ((ipv4_addr_write . ("," . ipv4_addr_write)*) >_item_length2_init %_item_length2_exit);
 	svcb_ech      = (base64_quartet+                              >_item_length2_init %_item_length2_exit);
 	svcb_ipv6     = ((ipv6_addr_write . ("," . ipv6_addr_write)*) >_item_length2_init %_item_length2_exit);
+	svcb_dohpath  = (text                                         >_item_length2_init %_item_length2_exit);
 
 	svcb_param_generic   = (svcb_key_generic   . svcb_generic);
-	svcb_param_mandatory = (svcb_key_mandatory . "=" . (svcb_mandat | ('\"' . svcb_mandat . '\"')));
-	svcb_param_alpn      = (svcb_key_alpn      . "=" . (svcb_alpn   | ('\"' . svcb_alpn   . '\"')));
+	svcb_param_mandatory = (svcb_key_mandatory . "=" . (svcb_mandat  | ('\"' . svcb_mandat  . '\"')));
+	svcb_param_alpn      = (svcb_key_alpn      . "=" . (svcb_alpn    | ('\"' . svcb_alpn    . '\"')));
 	svcb_param_ndalpn    = (svcb_key_ndalpn    . svcb_empty);
-	svcb_param_port      = (svcb_key_port      . "=" . (svcb_port   | ('\"' . svcb_port   . '\"')));
-	svcb_param_ipv4hint  = (svcb_key_ipv4hint  . "=" . (svcb_ipv4   | ('\"' . svcb_ipv4   . '\"')));
-	svcb_param_ech       = (svcb_key_ech       . "=" . (svcb_ech    | ('\"' . svcb_ech    . '\"')));
-	svcb_param_ipv6hint  = (svcb_key_ipv6hint  . "=" . (svcb_ipv6   | ('\"' . svcb_ipv6   . '\"')));
+	svcb_param_port      = (svcb_key_port      . "=" . (svcb_port    | ('\"' . svcb_port    . '\"')));
+	svcb_param_ipv4hint  = (svcb_key_ipv4hint  . "=" . (svcb_ipv4    | ('\"' . svcb_ipv4    . '\"')));
+	svcb_param_ech       = (svcb_key_ech       . "=" . (svcb_ech     | ('\"' . svcb_ech     . '\"')));
+	svcb_param_ipv6hint  = (svcb_key_ipv6hint  . "=" . (svcb_ipv6    | ('\"' . svcb_ipv6    . '\"')));
+	svcb_param_dohpath   = (svcb_key_dohpath   . "=" . (svcb_dohpath | ('\"' . svcb_dohpath . '\"')));
+	svcb_param_ohttp     = (svcb_key_ohttp     . svcb_empty);
 
 	svcb_param_any =
 		(svcb_param_generic | svcb_param_mandatory | svcb_param_alpn |
 		 svcb_param_ndalpn | svcb_param_port | svcb_param_ipv4hint |
-		 svcb_param_ech | svcb_param_ipv6hint
+		 svcb_param_ech | svcb_param_ipv6hint | svcb_param_dohpath |
+		 svcb_param_ohttp
 		) >_svcb_param_init %_svcb_param_exit;
 	svcb_params_ :=
 		((sep . svcb_param_any)* . sep?) >_svcb_params_init
@@ -2092,6 +2101,7 @@
 			fcall r_data_mx;
 		case KNOT_RRTYPE_TXT:
 		case KNOT_RRTYPE_SPF:
+		case KNOT_RRTYPE_WALLET:
 			fcall r_data_txt;
 		case KNOT_RRTYPE_AAAA:
 			fcall r_data_aaaa;
@@ -2205,6 +2215,7 @@
 		case KNOT_RRTYPE_CAA:
 		case KNOT_RRTYPE_SVCB:
 		case KNOT_RRTYPE_HTTPS:
+		case KNOT_RRTYPE_WALLET:
 			fcall nonempty_hex_r_data;
 		// Next types can have empty rdata.
 		case KNOT_RRTYPE_APL:
@@ -2289,6 +2300,7 @@
 		| "CAA"i        %{ s->r_type = KNOT_RRTYPE_CAA; }
 		| "SVCB"i       %{ s->r_type = KNOT_RRTYPE_SVCB; }
 		| "HTTPS"i      %{ s->r_type = KNOT_RRTYPE_HTTPS; }
+		| "WALLET"i     %{ s->r_type = KNOT_RRTYPE_WALLET; }
 		| "TYPE"i      . type_number
 		) $!_r_type_error;
 	# END

tests-extra/tests/ctl/blocking_txn/test.py

@@ -61,10 +61,13 @@ if not BACKUP_FIRST:
     master.ctl("zone-begin " + ZONE)
 run_thr(background_backup, master, ZONE)
 if BACKUP_FIRST:
-    t.sleep(2.1)
-    master.zones_wait(zones)
+    t.sleep(2.05)
     try:
         master.ctl("zone-begin " + ZONE)
+        has_soa = master.ctl("zone-get " + ZONE + " " + ZONE + " SOA", availability=False, read_result=True)
+        if not " SOA " in has_soa:
+            master.ctl("zone-abort " + ZONE, availability=False)
+            raise Exception("restored and not yet loaded")
     except:
         t.sleep(1)
         master.zones_wait(zones)

tests-extra/tests/dnssec/nsec_rem_nonauth/data/example.zone

 example.		3600 IN SOA		ns1.example. ns1.example. 1081539377 3600 300 3600000 3600
 example.		3600 IN NS		ns1.example.
+
 deleg			3600 IN NS		example.com.
-nonauth.deleg	3600 IN NSEC	nonautj.deleg TXT RRSIG NSEC
+nonauth.deleg		3600 IN NSEC		nonautj.deleg TXT RRSIG NSEC
+
+deleg2			3600 IN NS		example.com.
+nonauth.deleg2		3600 IN TXT		"text"
+nonauth.deleg2		3600 IN NSEC		nonautj.deleg TXT RRSIG NSEC

tests-extra/tests/dnssec/zsk_rollover/test.py

@@ -62,7 +62,7 @@ def check_same_rrsig(server, zone, last):
 
 t = Test()
 
-unsigned_master = t.server("knot")
+unsigned_master = t.server("knot", xdp_enable=False) # forwarded DDNS
 master = t.server("knot")
 zone = t.zone("example.com.", storage=".")
 t.link(zone, unsigned_master, master, ddns=True)

tests-extra/tests/records/load/data/knot-only.zone

+$ORIGIN knot-only.
+$TTL 3600
+
+@	SOA	dns1 hostmaster 1 100 100 1000 600
+	NS	dns1
+dns1	A	192.0.2.1
+
+wallet WALLET	"BTC" "bc1qf2kdgu2vlctqlnlxk4smkxd68grl5q2we8dzfd"
+wallet WALLET	"ETH" "0x87D487fa59274545743949BE4282EA87F316821E"

tests-extra/tests/records/load/data/svcb.zone

@@ -92,3 +92,9 @@ example12 SVCB 1 . alpn=foo\\\092,bar
 
 example20 SVCB 1 . alpn=\ 
 example21 SVCB 1 . alpn=a\ b
+
+example30 SVCB 1 . dohpath=/q{?dns}
+example31 SVCB 1 . dohpath="/dns-query{?dns}"
+
+;example40 SVCB 1 . ohttp
+example40 SVCB 1 . key8