- The API and ABI for modules changes slightly (details below).
  KR_MODULE_API is bumped to avoid loading incompatible code.
  We have bumped libkres ABIVER since the last release 1.1.1,
  so leaving that one intact.

- Make KR_STATE_YIELD not reuse 0 value anymore.
  It's easy to e.g. return kr_ok() by mistake.
- struct kr_layer_t:
  * ::mm was unused, uninitialized, etc.
  * Make ::state an int, as it was everywhere else.
  * void *data was ugly and always containing struct kr_request *
- struct kr_layer_api:
  * Drop the void* parameter from ::begin, as it was only used
    for the request which is available as ctx->req anyway
    (formerly ctx->data).
  * Drop ::fail.  It wasn't even called.  Modules can watch for
    KR_STATE_FAIL in ::finish.
- Document the apparent meaning of the layer interface, deduced mainly
  from the way it's used in the code.  Caveats:
  * enum knot_layer_state handling seems to assume that it holds exactly
    one of the possibilities at a time.  The cookie module does NOT
    follow that (intentionally), apparently depending on the exact
    implementation of the handling at that moment.  It feels fragile.
  * I was unable to deduce a plausible description of when ::reset is
    called.  It's practically unused in modules, too.

It causes lots of line changes, but it would be confusing to keep the
current state over long term.

RTT tracking for all targets is also supported,
but no loadbalancing is done based on that yet

REFUSED response no longer causes retry in
iterator when operating in stub mode

Use ENABLE_cookies=yes variable to compile functionality.

The cookies layer injects a new query into the plan when a DADCOOKIE
response is detected. After failing the second attempt a TCP fallback is
signalised.

in normal mode, only final CNAME target is refetched, but
not intermediate CNAMEs. intermediate CNAMEs are *never* cached,
but they are used to get final name for requery. in strict mode now,
every CNAME target is explicitly fetched even if it's a chained CNAME.

this is required to avoid REFUSED loops if the origin doesn't handle
minimisation well

* simplified soft-fail per-ns limit to per-query
  limit, each query gets 4 tries at resolving
* instead of locking at single servfailing NS,
  penalise it and run reelection, this may or
  may not try other servers but avoids pathologic
  case when single NS is servfailing while others
  are good but never probed
* added new nsrep update mode (addition)

the daemon has now three modes of strictness
checking from strict to permissive.
it reflects the tradeoff between resolving the
query in as few steps as possible and security
for insecure zones

in permissive mode, resolver is free to use
(but not cache) non-mandatory glue records even
if they're not resolvable. this is great as a 
workaround for broken child-side zones, but
not great for security of, well, insecure
delegations. it's off by default.

Marek Vavruša authored 9 years ago and Grigorii Demidov committed 9 years ago

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

there are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick

example:

resolving A ab.cd.ef
NS ef responds:
 - ab.cd.ef NS X ; adverises ab.cd.ef zone cut
X responds:
 - A ab.cd.ef A 1.2.3.4
 - cd.ef NS X ; escapes previously advertised cut

on the other hand, it is important to fail early for referrals as
it signifies a lame answer

this is not going to be backwards compatible change, but it will be the first tagged libknot release sufficient for resolver

amalgamated build concatenates all files into a single .c file to
allow compiler see all symbols and produce possibly smaller code.
for binary distributions this is what you want, as it's faster but
may consume more memory during compilation.
it however cannot do incremental builds.

refs #33

RRs may be touched after resolution completion, this copies RR from
temporary per-recv buffer to answer, which is persistent for the whole
duration of request

the library is able to resolve query in stub mode (no referral chasing,
zone cut lookup) if asked to
validator turns off for stub queries, validating stub is NYI

as the libknot packet interface disallows out-of-order packet
writes, authority and additional records must be written after
the answer is complete; records in the rr arrays will be written to final answer during finalization

[1] shows an attack using spoofed CNAME targets to replace legitimate
entries in resolver cache by speeding up once-per-TTL attack opportunity

as a defense, the resolver almost always requeries CNAME targets and
doesn't store them in cache. the only exception is when the CNAME target
is within current authority, and the answer is DNSSEC-secured

thanks to Toshinori Maeno (@beyondDNS) for pointing this out [2]

[1]: https://tools.ietf.org/id/draft-weaver-dnsext-comprehensive-
resolver-00.html
[2]: https://moin.qmail.jp/DNS/KnotResolver/CNAMEpatch

validator can now yield, but it doesn't plan the sub-requests directly,
that is still a job of the driver

this is useful when you need to issue several subrequests before
continuing with the current query, resuming is not supported yet, so it
will requery after the subrequests complete

current processed query is always in `request->current_query`

this is a workaround for missing DEFER operation, as the
validator module can only detect trust chain breakage
(caused by answering from different authority) after the
iterator writes answer. this causes duplicated answer on
uncached queries

this doesn’t fix record duplication in answer when not answered from cache