Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

The line was being logged a bit prematurely when the validator isn't
really going insecure yet.  This solves (some of?) those cases.

The original approach was using SOA owner in negative answers
to optimize number of DS queries. This approarch is less realiable with
weird "servers", including pre-DNSSEC servers which reply to DS query
with an SOA owner pointing to the child zone instead of parent zone.

We now walk the tree from root down to find the missing DS or proof of
its non-existance.

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

This is about situations when validator *thinks* it's in a signed zone
but an unsigned answer comes in. The assumption was that RRSIGs didn't
make it through some middle-boxes and it retried with explicit QTYPE=RRSIG.

There were two issues with that.
1. It seems that in most cases the cause of the situation is that
   we skipped over a zone cut that transitioned to insecure state,
   so the signatures correctly don't exist.
2. An explicit RRSIG query appears to be more trouble than worth;
   it seems reasonable for servers not to answer it (fully);
   see RFC 8482 sect. 7.

The new approach simply tries to find a proof that the name is insecure,
by spawning a QTYPE=DS sub-query on that name.  That fixes some
real-life cases; usually this happens in iteration mode where one IP
address serves zones on both sides of a cut that transitions to insecure.
For details see new comments in that rrsig_not_found() function.

The change resulted in the iterator f...

cache: add number of entries to cache.stats()

Closes #510

See merge request !1028

daemon/lua: get rid of __engine symbol in lua

See merge request !1033

Lots of lines affected, but it gets slightly simpler.

In particular this gets rid of last light user data inside kresd.

It was still causing problems on some systems, for example Debian Sid.
The error was the same: "bad light userdata pointer" from luajit,
but note that the problem can still be triggered by lua libraries,
e.g. cqueues.

doc: include worker.stats() description

See merge request !1034

CI docker image update

See merge request !1032

References:
- https://github.com/pytest-dev/pytest/pull/7565
- https://github.com/rthalley/dnspython/pull/561

Previous code incorrectly assumed that OPT was last RR in section
and this lead to truncating output.
https://tools.ietf.org/html/rfc6891#section-6.1.1 clearly states that
OPT can be anywhere in Additional section.

Printer relies on checks in libknot packet parser: check_rr_constraints()
prevents packets with more OPT RRs or OPT outside of additional section
from being parsed so the printer cannot see them.

meson: don't pass libsystemd version to C preprocessor

Closes #592

See merge request !1029

We don't use it anymore, and on some systems it's apparently
not an integer.

validate: don't chase non-sensical signers

Closes #587

See merge request !1022

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

When signer name isn't a prefix of owner, the signature does not make
sense and it's no use trying to use that signer name in any way.

We generally don't force queries on every level of the path,
so this signer confusion could "introduce SERVFAILs" if we
skip over a transition to insecure.

cache: add percentage usage to cache stats

Closes #580

See merge request !1025

nitpicks: batch of tiny fixes collected over time

See merge request !1024

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

So that the overall pipeline time isn't extended too much.

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

In the past week the Travis runs have been consistently taking much more
time than before, usually around 20 minutes, leading to our CI timing out.
https://travis-ci.com/github/CZ-NIC/knot-resolver/builds

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

- root: deprecated key sudo (The key `sudo` has no effect anymore.)
- root: key matrix is an alias for jobs, using jobs

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

There's still frequent issue that documenting some parameters would be
mainly noise but doxygen will warn when not doing it.
WARN_IF_UNDOCUMENTED apparently doesn't cover this and
WARN_IF_DOC_ERROR would probably remove even some useful warnings.

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

It's deprecated since 5.0.0.

tls: fix compilation to support net.tls_sticket_secret()

See merge request !1021

The trick there is that it isn't supported (by us) on gnutls < 3.6.3.
I checked that the test fails before the fix in parent commit
and that it succeeds (is skipped) with gnutls 3.6.2.

treewide: move to our new GitLab URL

See merge request !1019

Vladimír Čunát authored 4 years ago and Tomas Krizek committed 4 years ago

s/gitlab\.labs\.nic/gitlab.nic/g
Redirects are in place, so it shouldn't be required now, but why not.

test cleanups

See merge request !1017