- Feb 25, 2019
Petr Špaček authored
- Feb 22, 2019
It's mainly about the way we parse and validate them. Almost all of the parts of validation that were being done in modules/policy/policy.lua and daemon/tls.c got moved to daemon/bindings/net.c, so it's easier to follow that. Also more checks are being done now, e.g. contents of .pin_sha256 and .hostname strings.
In the https world it's standard to do that, and it's relied on. Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate if we don't send SNI (no idea why; also they do send it with TLSv1.2). As a consequence, we no longer allow multiple hostnames per address-port tuple, but that didn't seem useful.
- Feb 06, 2019
Vladimír Čunát authored
- logging
- watch by default
- in Fedora we need to depend on the version for lua 5.1
vcunat squashed this, rebased, etc.
- Dec 13, 2018
Not all actions are destructive, but it seems generally expected that if an earlier module or other code already transitioned the request into a FAIL or DONE state, we don't want to apply rules anymore. In particular, later rule actions would "overwrite" what previous actions did.
- Dec 04, 2018
Petr Špaček authored
- Dec 03, 2018
Vladimír Čunát authored
Continuation of the parent commit. In particular, kr_nsrep_set() can't be used to create NS list "with holes".
- Aug 14, 2018
Vladimír Čunát authored
- Jun 07, 2018
Grigorii Demidov authored
- Jun 06, 2018
daemon/tls: system CAs are used by default with the TLS_FORWARD policy when the ca_file parameter is omitted
- Jun 01, 2018
Fixes: #337
- Feb 15, 2018
- Jan 25, 2018
Petr Špaček authored
RFC 6303 section 3 explains that "The SOA RR is needed to support negative caching [RFC2308] of name error responses and to point clients to the primary master for DNS dynamic updates." Now the SOA RR owner name matches the query name so it can be cached. Using the zone name as owner would be more difficult, so it is left for further optimizations. I've verified that nsupdate correctly determines that the master name does not exist and stops the update process.
Petr Špaček authored
Petr Špaček authored
I've removed a couple of layers of indirection to make it easier to follow. This should make it easier to extend the policy module.
- Jan 18, 2018
Petr Špaček authored
The pin parameter contains SHA-256 encoded using Base64, but this is not the only option. Explicit name allows us to add alternative formats later on, and is consistent with GnuTLS naming.
Petr Špaček authored
Policy handling was split into smaller functions to allow easier checking. The code needs further refactoring; it seems that net_tls_client is just a thin wrapper around tls_client_params_set in C, which is unnecessary and error prone.
Petr Špaček authored
- Jan 08, 2018
- Nov 24, 2017
Marek Vavruša authored
There are two modules that couldn't work before:
* graphite
* ketcd
- Aug 01, 2017
Vladimír Čunát authored
It was rather low-level anyway.
Vladimír Čunát authored
- Jul 20, 2017
Vitezslav Kriz authored
The lua-aho-corasick library is provided as a git submodule. The library build is triggered by the kresd build. ahocorasick.so is copied into the modules directory.
- Jul 11, 2017
Vladimír Čunát authored
The RFC seems to read that resolvers should reply with address records even for foo.bar.localhost. Note: Unbound-1.6.4 does NOT do that. https://tools.ietf.org/html/rfc6761#section-6.3
Vladimír Čunát authored
Vladimír Čunát authored
In particular, try to make the locally-served zones valid, including SOA and NS in apex, empty non-terminal vs. NXDOMAIN, etc. I might've missed something, but it should certainly be closer to ideal.
- Jul 10, 2017
Vitezslav Kriz authored
- Jun 27, 2017
Vitezslav Kriz authored
According to RFC 6761, a query to the localhost domain should generate an immediate response with a loopback IP address.
Vitezslav Kriz authored
Vitezslav Kriz authored
This allows disabling specific deny rules on a zone-by-zone basis, as it should be according to RFC 6303 sec. 3. Disabling can be done with the policy rule PASS. Also, any FORWARD rule for such a zone will be evaluated before DENY for that query.
- Jun 01, 2017
Vladimír Čunát authored
Casting is dangerous, e.g. it's easy to misconfigure policy with policy.add(policy.FORWARD('some address')), which led to a segfault without showing any indication of the cause. Now this case will show as .../policy.lua:98: 'struct kr_query' has no member named 'current' and only aborts the policy module instead of the whole process.