https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878976
In general, platforms with page size other than 4k might better compile
with -DCPU_PAGE_SIZE=nnnnn but real impact should only be this test and
better alignment in the mempool allocator.

We can ignore the signal, as the affected libuv calls report error
by returning EPIPE anyway.
Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/271

attempt validation for more records but require it for fewer of them
(e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs)

Vitezslav Kriz authored 7 years ago and Petr Špaček committed 7 years ago

Implementation of RFC 8145 section 5 as module.

Fixes: #383

fixup! Signaling Trust Anchor Knowledge in DNSSEC using Key Tag Query

We pushed all authority to the wire, but that was unnecessary,
and in particular it clashed with not validating NS in authority when
forwarding (new change).  Let's only apply this to NSEC* RRs.

Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/248
Some (exotic?) resolvers add extra NS records but doesn't provide
signatures for them even though we ask with +dnssec +cd.
That lead to validation errors.  Current example server: 198.101.242.72
Let's not try to validate them when FORWARDing, as we won't most likely
need those records anyway (contrary to iteration mode).

- expose the function as hints.root_file
- use the same filename as Debian
- remove the unneeded script
- docs and some nitpicks

Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/240

Stop IPC after getting an error.  One point is the situation when one
of the forks ends for some reason, which lead to problems.
Another point is pipes getting out of sync.

Smaller changes:
- don't free the handle while it's still half-in-use
- don't fully panic here because of ENOMEM, just stop IPC

Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/150

If the fread didn't read all in one go, the buffer was being repeatedly
overwritten from the start instead of continuing the read :-/
I also changed the overall approach in some respects.

Grigorii Demidov authored 7 years ago and Vladimír Čunát committed 7 years ago

... functionality from iterator: don't fail immediately if actual number
of labels in owner name exceeds number in label field of RRSIG rrset

Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/200

Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/154
I'm sorry I broke the module in 06b0d3d4.  Thaks Vita!

i.e. downgrade a zone to insecure when *all* DNSKEYs of the apex are
unverifiable due to unimplemented DNSKEY or DS algorithms.
Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/210

At least it seems so...

Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/204

... data from cache as keys for validation

Maybe some coverity issues will get fixed, even though
they had seemed not to be affecting our use cases in kresd.

Tests+Deckard look OK and I've been using my system and kresd with
system-wide 0.9.21 for some time already.

- sort the list instead of just picking the best one
- prefer unknown RTTs to probe them
- verbose output of the choice

Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/125
Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/208

... even if rundir isn't specified.  No other changes in semantics.
Before this a typo in config path would pass silently.

I also verified there's no other usage of the `moduledir` symbol from
lua.  Bug introduced in 2f81b111 (within !298).

Fixes https://gitlab.labs.nic.cz/knot/resolver/issues/198.
We can't let multiple "matching RRsets" to the wire, and we can't just
merge the sets from multiple queries either.  The only way is to choose
either of the sets and put it on the wire.  ATM the last one wins.

Common ocurrence of the bug: if www.example.cz was a CNAME for example.cz
and we ask for a non-existent type, we would get the SOA record twice
in the final answer.

A few related changes:
 - don't just assert, also return error code if -DNDEBUG
 - kr_ranked_rrarray_set_wire: don't do full-content comparison anymore;
   see the first paragraph in this commit message for the reasons
 - minor refactoring of that code, more comments, etc.

This reverts commit bc2a2670 (almost).
It would be best to avoid retrying with the same NS and keep trying with
others (if any), but that would require larger changes if it should work
well, so let's err on the side of sending more queries.