Example:
  assert(require('ffi').C.kr_view_insert_action(
  		'127.0.0.0/24', 'policy.DENY_MSG("message")'
	) == 0)

Picked up old work, rebase-squashed after many months;
then fixed up a little as needed in this newer version.
(and later many minor fixes got squashed in)

When a whole packet is cached (instead of individual RRs),
let's simplify the way the packet's TTL gets computed.

The previous mechanism came from commit 5b383a2b,
probably a misunderstanding of:
https://datatracker.ietf.org/doc/html/rfc2308#section-5
Anyway, I see no motivation to do it, and this way we should
get rid of some weird cases where we might extend TTL of some records,
except if they were below the cache.min_ttl() setting (5s default).

Oto Šťáva authored 3 years ago and Vladimír Čunát committed 3 years ago

Also change the return type of kr_pkt_has_dnssec() and lua's :dobit()

We can always easily add groups when needed.

The approach of the code was rather hacky, simulating some packets
arriving from upstream and making the module stack CONSUME that.
Instead we take a direct approach now: use the simplified validator API
and then insert into cache directly.

One effect is improved performance, and consequently roughly halving
the lag which happens when prefill module invokes this.
(With root zone the lag goes down to 0.1 s from over 0.2 s,
 on my relatively fast CPU.  Fortunately it's just once a day.)

The following actions will now be logged in debug level (or request
tracing): ANSWER, DENY, DENY_MSG, DROP, REFUSE, TC

This can be useful for RPZ and other policy debugging.

Purposefully ommitted actions:
PASS - since it's the same as normal processing
REROUTE - the action itself comes from renumber module
STUB,FORWARD,TLS_FORWARD - this could be more confusing than useful
  (e.g. when response comes from cache)

Version 2.9 isn't supported anymore anyway, but 3.0.2 is needed for
extended error constants.

Tomas Krizek authored 3 years ago and Vladimír Čunát committed 3 years ago

Answers to EDNS requests from certain lua policies that use the
answer_clear() function would lack OPT RR and thus violate the MUST
condition in RFC6891.6.1.1.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

NSEC* params were not being stashed by this function.  For prefilling
it's useful, but doing it on *every* NSEC* record would be quite a waste,
so we introduce a parameter to select this.

Implementation: there were good reasons not to implement this until
needed - it wasn't straightforward at all.

It's not a perfect solution and with the future policy engine it will
hopefully be better, but it's really trivial to add this already.
(should've done that years ago)

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

It's special: always on and not shown in log_groups() output.

It's been quite a long fight to find how to best deal with such
a special case (from user perspective; code itself is easy).

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

The former "default" dumping style isn't really used anywhere in Knot.
The only visible difference is that RRSIGs are now logged *without*
replacing their TTLs by the original non-decremented TTL values.
That can avoid some confusion when reading debug logs.
(Those original TTLs are still shown a bit further on each line.)

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Let's be consistent witk kr_log_name2level()
and even generally we tend to use negative numbers for errors.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Probably, it seems "more consistent".
Some defines still don't have it, but I left those.

Lukas Jezek authored 3 years ago and Tomas Krizek committed 3 years ago

logging

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

- unify interactive mode to stdout
- use its own logging group
- elevated log level when the command throws an exception
- don't try detecting that the logs go back into the same console
  (yes, in that case you can see some lines twice)
- don't make the binary mode turn off logging

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

- const for names of log groups
- enum kr_log_group for a single log group
- the kr_log_groups bitmap doesn't need to be exposed or even exported
- return bool instead of int

It's better to use separate log group, to separate between logs that
come from the lua module vs native C implementation. It is also more
descriptive, since http modules is used for other stuff besides its
deprecated DoH.

This serves two purposes:

1. As a utility logger during development.
2. As the last entry in enum - to make iteration over the values
   possible. Changing the value of LOG_GRP_DEVEL shouldn't be an issue,
   since it shouldn't be used in production code.

Now those type definitions can be simply loaded without any error, e.g.
luajit daemon/lua/kres-gen.lua
That will be useful for checking them without regenerating them.

To (hopefully) improve readability, rename the typical macro usage of:

    if (!kr_assume(x)) y; // to
    if (kr_fails_assert(x)) y;

As a convenience, replace the assert without a return value to a more
simple version:

    (void)!kr_assume(x);  // becomes
    kr_assert(x);