Re-opening the cache causes fsync - every interval (1s by default).
Normally that isn't noticeable, but on encrypted ZFS it causes
high CPU consumption (even when "idle").

grahamc first reported this and Mic92 tested the patch helps. Thanks!
https://gitter.im/CZ-NIC/knot-resolver?at=5e4ea2343ca8a67fb808e349

In 5.0.0, the cache directory has been moved and the previous path is
incorrect.

Fixes #543

In finish() phase DONE is (almost?) always set, so it didn't make sense.
The mistake came from c16728f5 !678.

It was possible for some failures to disappear that way.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

... to avoid shadowing which broke lint:other in CI.
And add NEWS entry.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

The main problem was that SERVFAILs were not padded;
the recovery of answer->opt_rr has to happen before answer_padding()

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

and don't use SO_REUSEPORT on non-Linux.  (Free)BSD has a different
meaning for it, which only brings confusion - only the last instance
would be getting packets.

It's minimalistic: no change if in interactive or --verbose mode.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

- written relatively defensively - act OK even if the API
  isn't used in an ideal way
- CI lint:scan-build: bump the error count;
  It's only another instance of the mis-detected array_push().
- the removed stale note in modules/meson.build isn't really related

Unbound has limit 10, and practically useful numbers are way lower.

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

When inserting NS or xNAME, we could get into this place with
qry == NULL, and we'd crash when trying to use the memory pool.
Let's simply use the stack instead.

The missing Wants= and After= directives for network-online.target
made it possible for kresd to start before network interfaces were
properly initialized and configured with IP addresses, leading to a
failure to bind to addresses.

I'm really sorry; I didn't notice and it only hit parts that
*apparently* aren't tested normally.  Only 32-bit systems would be
affected, due to the structure only changing ABI on 32-bit systems.

... as input into the *unchanged* algorithm (which is ugly).
This partially addresses the problem attempted by reverted commit,
and it also improves some other properties of the algorithm.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

A down-side is that validation can now modify the validated RRset
on success.  I checked all transitive call sites that it's OK.
The change is pretty simple; I just hand-tested it a bit with faketime.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

- home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
- local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
Well, it's just an approximation... if the user specifies a forwarding
policy, any special names will also get forwarded, even though the RFC
says not to.  And this code will also reply NXDOMAIN to home.arpa. DS.

Some of these DENY rules are perhaps unnecessary, but for now we keep
the same approach.  For arguments see the MR 855 thread and linked ML.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

It's fairly easy to keep keep compatible with both 2.8 and 2.9,
so I'd go for that for now, as it may be practical.

Otherwise plain `modules = { 'prefill' }` will error out,
which is surprising wrt. to style used/allowed by other modules.

As kresd works now, typically we do not know whether these records are
bogus, as with +cd we do not attempt validation.  Still, it's possible
that we have those records in cache from an occasion without +cd, in
which case we know they're bogus and this regression happened.

The potential impact of this issue seems minimal.