GitLab

It fired also when the name didn't contain the final dot.

I believe that's what most users want; practical motivation:
https://forum.turris.cz/t/kresd-responds-to-hints-with-nxdomain-for-aaaa-requests/8353

When suspect SIGBUS happens, print helpful error and try to remove
the cache, so that the service might work again if auto-restarted.
Theoretically we could longjmp() out of the SIGBUS handler,
but that would be rather messy, so let the process die.

We need to think about the API carefully.

- fix some edge cases and nitpicks
- static storage -> stack (for temporaries of a few kilobytes)
- sync docs, including caveats of the implementation

i.e. those not managed via RFC 5011.
The verbose log format is changed a bit, consequently.

Let's see if it helps against confusion with "Knot DNS" authoritative
server or not.

I intentionally didn't mark the function names as code or similar,
as changing formatting every other word seemed too visually distracting.

... thanks to new API in libknot-2.7.
Apart from being simpler, it now rotates even uncached answers.

The catch is that during configuration file processing,
no cache is open (yet), as kresd can't know if the config
does open it in some later part (with non-default path or size).
Now we just throw an error.  Exceptions:
 - cache.open() and cache.backends(), of course :-)
 - cache.ns_tout() - not required, it's not really inside cache
 - cache.close() - it sounds reasonable to allow "closing a closed cache"

This immediately caught a typo in cache metatable.

(cherry picked from commit 54797e88)

This should fix #385: possible floods with
> scheduling rotation check in 0 ms

Starting multiple systemd units with a target is conceptually cleaner
than using globbing expression.

Related https://github.com/systemd/systemd/issues/9080

- don't synthesize if +CD
- bound synthesized TTL by SOA's TTL
- set AD flag if synthesizing from secure NODATA and A.
- review the RFC for properties that the module is missing

Closes: #320

Also minor fixes and speed enhancement (not measured).

The validation fails in current implementation when queried directly
for the wildcard. In that case the count of the common labels with the
NSEC record is the same, and not shorter by 1 (to accomodate wildcard
expansion).

Fixes: #337

Thanks to @ spakka for discovering this and authoring an earlier version
of this commit.

In case of referrals the authoritative server might add also another NS
record(s), and this might lead to downgrading the corresponding zones.
Regressed probably in f0da0a35 !505.

- TLS errors were mentioned twice
- the option mode wasn't changed, just a static function name

The root DS exists outside of DNS hierarchy, so its NSEC proving non-existence
always contains the SOA, as that's the root of DNS and there's nothing above it.

Real example: cname.nohats.ca
This case was handled for forwarding only, presumably because it
happened more often (no need to be withing single zone to be within
single answer); now the approach is the same.

This is just annoying for development.  You want -O0 or -Og,
and consequently you get lots of warnings that are difficult to disable.

I believe hardening options are more of a responsibility/choice of the
caller, typically distributions have some general policies and pass the
flags (almost) uniformly to all packages.  I can't see any part of kresd
being so specific to warrant explicit hardening.