Knot DNS merge requests
https://gitlab.nic.cz/knot/knot-dns/-/merge_requests
Updated: 2018-01-17T16:56:19+01:00

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/475
WIP: Geographic split-horizon
Updated: 2018-01-17T16:56:19+01:00
Author: Jan Včelák
Assignee: Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/623
WIP: ddns: failing updates silently skipped
Updated: 2019-02-16T19:29:55+01:00
Author: Libor Peltan

This is a serious change in DDNS's behaviour with unapplicable updates.
Please think of this before merging ;)
WIP: there is NO work-in-progress, the tag is just to prevent random merge temptation.
Before:
- some unapplicable updates were ignored (e.g. removing nonexistent)
- most unapplicable updates led to discarding whole DDNS query queue
(e.g. out-of-zone addition, DNAME child, DNSSEC-protected records)
- proper (not really, see below) error code returned
- this is good in simpler cases where the user usually puts one query
at a time and can see the result
After:
- all unapplicable updates are silently ignored. DDNS always returns EOK
(except for ENOMEM or so...) even if some (or even all) updates fail
- all (even partially) applicable queries are (partially) applied
- this fixes the case of busy-DDNS to not discard randomly some queries
that are completely okay
- the ddns/basic test had to be simplified, not checking error codes
and not employing rollback records, just SOA (un)change check remained
Additional thoughts:
- there is no way (except deep refactoring) how to return proper errcode per
single query anyway. All the time there was just one errcode returned for
whole query queue
- it would be nice if we could ignore whole queries with at least one unapplicable
update, and apply just completely clean queries. However, this is not possible
without shallow-copying zone contents for each query: there is no possibility
of failed-partial-query rollback
- one alternative is to process queries optimistically and fast, and do an
expensive restart in case of each failed update. This would allow to return
proper errcode and have everything nice - except the case of too many failing
updates, causing performance disaster
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/851
DNS cookies
Updated: 2017-12-19T15:56:05+01:00
Author: Mark Karpilovskij

Closes #505
Milestone: 2.7.0
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/852
Key logging evolution
Updated: 2017-12-06T10:48:26+01:00
Author: Libor Peltan
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/855
Child records evo
Updated: 2017-12-06T10:48:26+01:00
Author: Libor Peltan
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/856
CSK rollovers
Updated: 2017-11-13T15:34:28+01:00
Author: Libor Peltan

Implementation of various rollovers regarding CombinedSigningKey:
- algorithm rollover using CSK either on first algo, second algo, or both
- signing scheme rollover: from CSK to KSK+ZSK in the same algo and back
The rollovers are triggered by reloading configuration and are exclusive in time.
Milestone: next
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/858
Stss present
Updated: 2017-11-24T14:44:33+01:00
Author: Libor Peltan

Fixed a bug of wrongly starting the Signing Scheme Rollover in the situation where only KSK is present (in the role of CSK), not yet marked as CSK. This had not been covered by `dnssec\single_type_signing` test, because it was `manual = True` there.
Milestone: next
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/876
Structured logging for the KSK submission event
Updated: 2018-04-07T19:22:57+02:00
Author: Libor Peltan

Example of such message in journalctl:
```
...
"__REALTIME_TIMESTAMP" : "1522777159435398",
"PRIORITY" : "5",
"SYSLOG_IDENTIFIER" : "knotd",
"ZONE" : "flags.",
"MESSAGE" : "notice: [flags.] DNSSEC, KSK submission, waiting for confirmation",
"KEY_SUBMISSION" : "20026",
```
Fixes #551
Milestone: 2.7.0
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/877
ctl: added knotc zone-notify command to send notify manually
Updated: 2018-02-05T13:42:18+01:00
Author: Libor Peltan
Milestone: 2.7.0
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/880
Journal optimization
Updated: 2018-03-15T22:35:22+01:00
Author: Libor Peltan
Milestone: 2.7.0
Assignee: Mark Karpilovskij

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/904
knot: add support for ECS EDNS option
Updated: 2018-05-22T10:16:20+02:00
Author: Mark Karpilovskij

Adds a server configuration option for enabling EDNS Client Subnet. If enabled, all responses to queries containing ECS contain ECS themselves.
Milestone: 2.7.0
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/906
NSEC3 optimization
Updated: 2018-06-13T12:19:35+02:00
Author: Libor Peltan

An optimization of NSEC3 responses. This might make us almost as fast as NSD ;)
We pre-link on load time the nodes with their respective wildcard-proving NSEC3s.
Details:
On NSEC3 NXDOMAIN answer, we need to compute three NSEC3 hashes:
1 for the name in question
2 for closest encloser
3 for wildcard child of closest encloser
Actually, 2 and 3 can be pre-computed. In Knot, only 2 had been pre-computed, this adds 3.
Milestone: 2.7.0
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/931
Offline ksk
Updated: 2018-11-06T15:42:13+01:00
Author: Libor Peltan

This new feature should allow separating operators that have access to ZSK private keys and KSK private keys, respectively. It's inspired by how CZ zone keys are handled.
Milestone: 2.8
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/968
Don't create journal during full commit if journal disabled or not present
Updated: 2019-01-14T10:59:06+01:00
Author: Daniel Salzman

fixes #635
Milestone: 2.7
Assignee: Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1000
QP-trie NULL callback
Updated: 2019-04-29T13:29:16+02:00
Author: Daniel Salzman
Milestone: 2.9
Assignee: Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1015
Blocking zone event triggers
Updated: 2019-05-29T21:03:09+02:00
Author: Daniel Salzman
Milestone: 2.8
Assignee: Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1024
Offline ksk test
Updated: 2019-06-27T20:22:18+02:00
Author: Libor Peltan
Milestone: 2.8
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1031
RRL slip
Updated: 2019-07-09T14:17:03+02:00
Author: Daniel Salzman
Milestone: 2.9
Assignee: Libor Peltan

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1036
Geoip wildcard
Updated: 2019-09-08T19:27:38+02:00
Author: Jan Hák <jan.hak@nic.cz>

Closes #650
Milestone: 2.9
Assignee: Daniel Salzman

https://gitlab.nic.cz/knot/knot-dns/-/merge_requests/1048
Warn about unsupported dynamic conf changes, effective after a restart
Updated: 2019-08-23T10:09:22+02:00
Author: David Vasek
Milestone: 2.9
Assignee: Daniel Salzman