- Jan 23, 2018
-
-
Vladimír Čunát authored
The deckard change was probably unintentional, so I reverted that. The only real mistake I found was `sizeof(128)`, though the effect was just unnecessary reallocations. On the whole I really like it. Verbose logging might get slightly slower, due to increased amount of string allocation and copying, but it does seem worth it, at least until we can prove otherwise. I didn't look much into http module changes, etc.
-
Petr Špaček authored
-
Petr Špaček authored
-
Config tests now have the ability to run daemon with different arguments and to check exit code.
-
Arguments --keyfile, -k for managed mode and --keyfile-ro, -K for unmanaged (readonly) mode. Automatic setting based on the file permission is removed because it was confusing and could easily lead to state where automatic update does not happen because of unexpected file permissions. Check if folder is writeable was moved into Lua code. Default unmanaged keyfile path can be specified at compile time with option KEYFILE_DEFAULT. This default configuration can be disabled in configuration file with trust_anchors.keyfile_default = nil.
-
Vladimír Čunát authored
Symbols not marked by KR_EXPORT shouldn't be visible outside the same output binary (e.g. sbin/kresd or lib/kdns_modules/hints.so). Also mark `engine_hint_root_file`.
-
Petr Špaček authored
It is enabled by default.
-
Petr Špaček authored
-
Petr Špaček authored
RFC 6761 mandates functionality implemented by policy module, so it is now loaded by default. Users with special needs can still unload the module.
-
- Jan 22, 2018
-
-
Grigorii Demidov authored
daemon/worker: worker_process_tcp: cleanup; there is no need for special processing of the qr_task_step return code
-
- Jan 19, 2018
-
-
Grigorii Demidov authored
-
- Jan 18, 2018
-
-
Petr Špaček authored
gnutls-3.3.26-9.el7.x86_64 and libgnutls30-3.5.8-5+deb9u3 do not support @SYSTEM keyword and CentOS 7 has problem with -VERS-DTLS-ALL. We do not configure DTLS sockets so it should be harmless to delete the DTLS keyword. @SYSTEM is replaced by NORMAL, oh well. fixup! TLS client: enforce minimal TLS version and no compression
-
Petr Špaček authored
Same change as in a625a0ea1ce03b0707fd421633f21c0aacb786da but for client.
-
Petr Špaček authored
Server side now enforces security requirements from draft-ietf-dprive-dtls-and-tls-profiles-11 section 9
-
Petr Špaček authored
GnuTLS manual for some functions does not declare that error return code must be negative, so we should use constants to avoid potential problems.
-
Petr Špaček authored
gnutls_certificate_set_x509_trust_file could theoretically return 0 to indicate nothing was read, so we need to check for this as well.
-
Petr Špaček authored
-
Petr Špaček authored
-
Petr Špaček authored
-
Marek Vavruša authored
this helps avoid false positive leaks caused by combination of cleanup functions and goto refs #291
-
Marek Vavruša authored
-
Marek Vavruša authored
-
Marek Vavruša authored
attribute cleanup (auto_free) gets called when variable goes out of scope, not on longjmp (in lua_error), so the variable never gets freed
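The failure mode in the commit message above, as an added example that is not Knot Resolver code: `longjmp` stands in for `lua_error`, and `auto_free`, `free_ptr` and the other helper names are assumptions defined here for illustration (GCC/Clang `cleanup` attribute required).

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

static jmp_buf recover;   /* stands in for the frame lua_error() jumps to */
static int frees_run;     /* how many buffers were actually released */
static void *outstanding; /* last buffer allocated and not yet released */

static void release(void *p) { free(p); outstanding = NULL; frees_run++; }

/* Handler in the style of an auto_free macro (definition assumed here). */
static void free_ptr(void *p) { release(*(void **)p); }
#define auto_free __attribute__((cleanup(free_ptr)))

/* Stand-in for lua_error(): does not return, unwinds via longjmp. */
static void raise_error(void) { longjmp(recover, 1); }

/* Pattern from the commit message: cleanup runs only on normal scope exit. */
static void with_auto_free(int fail) {
	auto_free char *buf = outstanding = malloc(64);
	if (fail)
		raise_error(); /* jumps past the scope exit, free_ptr is skipped */
}

/* Corrected pattern: release explicitly before the non-local jump. */
static void with_explicit_free(int fail) {
	char *buf = outstanding = malloc(64);
	if (fail) {
		release(buf);
		raise_error();
	}
	release(buf);
}

/* Run fn once and report how many frees it performed (0 means a leak). */
int count_frees(void (*fn)(int), int fail) {
	frees_run = 0;
	if (setjmp(recover) == 0)
		fn(fail);
	free(outstanding); /* reclaim a leaked buffer so the demo stays clean */
	outstanding = NULL;
	return frees_run;
}

int main(void) {
	printf("auto_free+longjmp: %d frees, explicit+longjmp: %d frees\n",
	       count_frees(with_auto_free, 1), count_frees(with_explicit_free, 1));
	return 0;
}
```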
-
- Jan 12, 2018
-
-
Grigorii Demidov authored
-
Marek Vavruša authored
this checks things such as inconsistent declarations and definitions
-
Marek Vavruša authored
-
Marek Vavruša authored
-
- Jan 11, 2018
- Jan 09, 2018
-
-
Marek Vavruša authored
This reverts commit 9ca537e8.
-
Grigorii Demidov authored
-
- Jan 08, 2018
-
-
-
Marek Vavruša authored
This is a followup on addition of trace callbacks in the resolver library, to get rid of the Lua/C interfacing in daemon and unify it with the log tracing. All modules can now install completion callback on the kr_request object that will be called after the resolution is done.
-
Marek Vavruša authored
By default the reassembly packet buffer is set to EDNS buffer size, which is correct for UDP, but not for TCP which may accept any allowed response size. This should be only used for responses to outbound queries over TCP, not for inbound TCP queries.
-
This implements worker coroutines in Lua to perform non-blocking I/O and do many things concurrently. For example a file watcher can be now implemented as:

```
local watcher = notify.opendir('/etc')
watcher:add('hosts')

-- Watch changes to /etc/hosts
worker.coroutine(function ()
  for flags, name in watcher:changes() do
    for flag in notify.flags(flags) do
      print(name, notify[flag])
    end
  end
end)
```

In order to make this work, the runtime uses the cqueues library which can run coroutines concurrently, and return a file descriptor to poll on if it's blocked. The worker takes that file descriptor and calls `event.socket(pollfd, resume_callback)` so that libuv can wake up the worker when it's ready again. The cqueues library is still optional, but if it's not present the following stuff won't work:

* worker.coroutine()
* worker.sleep()
-