Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

Running the full special-domain checks is relatively expensive.

I've never seen anyone use postrules.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
- local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
Well, it's just an approximation... if the user specifies a forwarding
policy, any special names will also get forwarded, even though the RFC
says not to.  And this code will also reply NXDOMAIN to home.arpa. DS.

Some of these DENY rules are perhaps unnecessary, but for now we keep
the same approach.  For arguments see the MR 855 thread and linked ML.

Thanks to changes in this branch the functions are called with correctly
typed parameters already, so these weird casts can be deleted.

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

"Unfortunately", for FFI-bound C functions there it doesn't hold that
missing parameters would be converted to nil/NULL.
Still, this function seems unlikely to have been used outside the repo.

and deduplicate the parsing logic.

Vladimír Čunát authored 6 years ago and Petr Špaček committed 6 years ago

It's mainly about the way we parse and validate them.

Almost all of the parts of validation that were being done
in modules/policy/policy.lua and daemon/tls.c got moved
to daemon/bindings/net.c, so it's easier to follow that.
Also more checks are being done now, e.g. contents of .pin_sha256
and .hostname strings.

Vladimír Čunát authored 6 years ago and Petr Špaček committed 6 years ago

In https world it's standard to do that, and it's relied on.
Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate
if we don't send SNI (no idea why; also they do send it with TLSv1.2).

As a consequence, we no longer allow multiple hostnames per
address-port tuple, but that didn't seem useful.

- logging
- watch by default
- in Fedora we need to depend on the version for lua 5.1

Jonathan Coetzee authored 6 years ago and Vladimír Čunát committed 6 years ago

vcunat squashed this, rebased, etc.

Vladimír Čunát authored 6 years ago and Petr Špaček committed 6 years ago

Not all actions are destructive, but it seems generally expected that if
an earlier module or other code already transitioned the request into
a FAIL or DONE state, we don't want to apply rules anymore.
In particular, later rule actions would "overwrite" what previous
actions did.

Continuation of the parent commit.  In particular, kr_nsrep_set()
can't be used to create NS list "with holes".

Grigorii Demidov authored 6 years ago and Petr Špaček committed 6 years ago

daemon/tls: system CA's are used by default with TLS_FORWARD policy when ca_file parameter is omitted

Petr Špaček authored 6 years ago and Grigorii Demidov committed 6 years ago

Fixes: #337

Vladimír Čunát authored 7 years ago and Petr Špaček committed 7 years ago

Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/306

RFC 6303 section 3 explains that

   The SOA RR is needed to support negative caching [RFC2308] of name
   error responses and to point clients to the primary master for DNS
   dynamic updates.

Now SOA RR owner name matches query name so it can be cached.
Using zone name as owner would be more difficult so it is left for
further optimizations.

I've verified that nsupdate correctly determines that master name
does not exist and stops update process.

I've removed couple layers of indirection to make it easier to follow.
This should make it easier to extend the policy module.

The pin parameter contains SHA-256 encoded using Base64, but this is not
the only option. Explicit name allows us to add alternative formats
later on, and is consistent with GnuTLS naming.

Policy handling was split into smaller functions to allow easier
checking. The code needs further refactoring, it seems that
net_tls_client is just a thin wrapper around tls_client_params_set in C,
which is unnecessary and error prone.

Vladimír Čunát authored 7 years ago and Petr Špaček committed 7 years ago

It should be enough to update the table once per TLS_FORWARD rule,
without re-doing that every time the policy is triggered.

there are two modules that couldn't work before:

* graphite
* ketcd

It was rather low-level anyway.