- Feb 13, 2018
-
-
Vladimír Čunát authored
This changes more time than anticipated, as the old naming didn't apply anymore (time of last cache clear).
-
- Feb 08, 2018
-
-
Grigorii Demidov authored
-
Grigorii Demidov authored
-
Grigorii Demidov authored
-
Grigorii Demidov authored
-
Grigorii Demidov authored
-
- Feb 05, 2018
-
-
Vladimír Čunát authored
It mostly worked, just by accident. I see no use for negative initialization in this case.
-
Vladimír Čunát authored
-
Grigorii Demidov authored
-
"man man" says that the sections are:
1 Executable programs or shell commands
2 System calls (functions provided by the kernel)
3 Library calls (functions within program libraries)
4 Special files (usually found in /dev)
5 File formats and conventions eg /etc/passwd
6 Games
7 Miscellaneous (including macro packages and conventions), e.g. man(7), groff(7)
8 System administration commands (usually only for root)
9 Kernel routines [Non standard]
Since there is no command named kresd.system it does not belong in section 8. Section 7 includes conventions and useful patterns like gitcli(7), which seems more similar to the documentation that is supplied in kresd.systemd.
-
- Feb 01, 2018
-
-
Tomas Krizek authored
-
When an older gnutls version is used, make sure not to use undeclared symbols or functions.
-
- Jan 31, 2018
-
-
Vladimír Čunát authored
-
Vladimír Čunát authored
Decision function is separated out.
-
Vladimír Čunát authored
Some parts were hand-written, apparently.
-
- Jan 30, 2018
-
-
Tomas Krizek authored
In order to be able to spawn multiple processes with socket activation, systemd template (see systemd.unit(5)) is used. This allows the user to create any amount of instances by simply providing a unique name for each of them. The most sensible instance identifiers are natural numbers, but any convention could be used. The default recommended service name becomes kresd@1.service, replacing the older kresd.service. Sockets are renamed in a similar way. Users are able to take advantage of bash expansion to spawn/control multiple processes, e.g. "systemctl start kresd@{1..16}.service". The socket-activated service can now be launched directly with "systemctl start kresd@1.service", which will request the associated sockets without the need for any extra privileges or capabilities. Stopping the kresd service now also stops the associated sockets. Stopping any individual socket is an isolated operation now (stopping kresd@1.socket no longer stops kresd-tls@1.socket and kresd-control@1.socket). Users and packagers are also encouraged to use drop-in files for extra configuration or modifications to ensure compatibility with their distribution.
-
Tomas Krizek authored
-
Vladimír Čunát authored
Almost. A trivial lib/layer/cache.c remains. I put all lib/generic/*.h into libkres_HEADERS, to be sure. They rarely change anyway.
-
Vladimír Čunát authored
-
Vladimír Čunát authored
-
Tomas Krizek authored
The manual page discusses basic usage of kresd, but completely lacks configuration description. Users are pointed to https://knot-resolver.readthedocs.io for reference. When visiting this page, the most important information they don't have yet is how to configure kresd. This should be the first chapter in the documentation to make it easier to find.
-
- Jan 29, 2018
- Jan 24, 2018
- Jan 23, 2018
-
-
Vladimír Čunát authored
The deckard change was probably unintentional, so I reverted that. The only real mistake I found was `sizeof(128)`, though the effect was just unnecessary reallocations. On the whole I really like it. Verbose logging might get slightly slower, due to increased amount of string allocation and copying, but it does seem worth it, at least until we can prove otherwise. I didn't look much into http module changes, etc.
-
Petr Špaček authored
-
Petr Špaček authored
-
Config tests now have the ability to run daemon with different arguments and to check exit code.
-
Arguments --keyfile, -k for managed mode and --keyfile-ro, -K for unmanaged (readonly) mode. Automatic setting based on the file permission is removed because it was confusing and could easily lead to state where automatic update does not happen because of unexpected file permissions. Check if folder is writeable was moved into Lua code. Default unmanaged keyfile path can be specified at compile time with option KEYFILE_DEFAULT. This default configuration can be disabled in configuration file with trust_anchors.keyfile_default = nil.
-
Vladimír Čunát authored
Symbols not marked by KR_EXPORT shouldn't be visible outside the same output binary (e.g. sbin/kresd or lib/kdns_modules/hints.so). Also mark `engine_hint_root_file`.
-
Petr Špaček authored
It is enabled by default.
-
Petr Špaček authored
-
Petr Špaček authored
RFC 6761 mandates functionality implemented by policy module, so it is now loaded by default. Users with special needs can still unload the module.
-
- Jan 22, 2018
-
-
Grigorii Demidov authored
-
Grigorii Demidov authored
daemon/worker: worker_process_tcp: cleanup; there is no need for special processing of qr_task_step return code
-
- Jan 19, 2018
-
-
Grigorii Demidov authored
-
- Jan 18, 2018
-
-
Petr Špaček authored
gnutls-3.3.26-9.el7.x86_64 and libgnutls30-3.5.8-5+deb9u3 do not support @SYSTEM keyword and CentOS 7 has a problem with -VERS-DTLS-ALL. We do not configure DTLS sockets so it should be harmless to delete the DTLS keyword. @SYSTEM is replaced by NORMAL, oh well. fixup! TLS client: enforce minimal TLS version and no compression
-
Petr Špaček authored
Same change as in a625a0ea1ce03b0707fd421633f21c0aacb786da but for client.
-
Petr Špaček authored
Server side now enforces security requirements from draft-ietf-dprive-dtls-and-tls-profiles-11 section 9
-