It creates new callback functions for every request which
uses "callback chaining" but these should be rare.

It seems there is no reason to keep this function private in policy
module.

Attempt to avoid duplicating ten lines in debug_logfinish_cb lead me
to splitting kr_log_qverbose_impl into two functions kr_log_q and kr_log_req.
This is another minor change to API exposed to modules.

Formerly both logs used slightly different formats and duplicated code.
From now on verbose log and request tracing are generated using the same
code.

This required a small change to request trace_log_f definition so it
might affect external modules.

Petr Špaček authored 5 years ago and Vladimír Čunát committed 5 years ago

These files did not have GNU GPL v3 boilderplate in them so
I've added machine readable tag with appropriate license.

The preconfig is used to set distro-specific values to avoid messing
with user config, in partciular:

- binding to control sockets under systemd
- setting default cache location

Petr Špaček authored 5 years ago and Tomas Krizek committed 5 years ago

Also remove extra headers for trust anchors and mode(), this is an
implementation detail not important for users.

Petr Špaček authored 5 years ago and Lukas Jezek committed 5 years ago

It also improves error reporting from store:add() call.
Sometimes the error message from lua-ossl is incomplete. This is fixed
by https://github.com/wahern/luaossl/pull/176.

Petr Špaček authored 5 years ago and Lukas Jezek committed 5 years ago

Previous code inconsistently thrown some errors and returned as string
other ones, so we now return all errors as strings in classic Lua-style.

Vladimír Čunát authored 5 years ago and Tomas Krizek committed 5 years ago

- written relatively defensively - act OK even if the API
  isn't used in an ideal way
- CI lint:scan-build: bump the error count;
  It's only another instance of the mis-detected array_push().
- the removed stale note in modules/meson.build isn't really related

The accounting was just broken and overly messy anyway.

The new way of transitioning to layer callbacks - done because of
portability (mainly to aarch64) - is a bit expensive.  This is a simple
way of recovering that cost.  Merge 603a24fc regressed speed a bit.

The watchdog module now can be loaded without systemd, has customisable
callbacks, and can do real DNS queries and check their results.

I'm really sorry; I didn't notice and it only hit parts that
*apparently* aren't tested normally.  Only 32-bit systems would be
affected, due to the structure only changing ABI on 32-bit systems.

Refusing to answer queries without RD bit makes it harder
to read what data is present in resolver's cache.

Somehow I didn't notice this field when adding ::add_selected.
We probably never put anything into answer's ADDITIONAL,
so noone's noticed a problem until now.

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

Don't stash a packet with mismatching QNAME+QTYPE.
When receiving an NXDOMAIN or NODATA packet in an insecure zone,
it would get cached with KR_RANK_INSECURE regardless of mismatch
in QNAME.  If the 0x20 pattern was preserved in the fake QNAME,
such packet would then be used to answer queries with matching QNAME,
even if there's no proof that this QNAME is insecure.

Also the log now uses the same format query UID format as elsewhere.