Vitezslav Kriz authored 7 years ago and Petr Špaček committed 7 years ago

Config tests now have ability to run daemon with different arguments and
to check exit code.

Vitezslav Kriz authored 7 years ago and Petr Špaček committed 7 years ago

Arguments --keyfile, -k for managed mode
and
--keyfile-ro, -K for unmanaged (readonly) mode.

Automatic setting based on the file permission is removed because it was
confusing and could easily lead to state where automatic update does not
happen because of unexpected file permissions.

Check if folder is writeable was moved into Lua code.

Default unmanaged keyfile path can be specified at compile
time with option KEYFILE_DEFAULT. This default
configuration can be disabled in configuration file with
trust_anchors.keyfile_default = nil.

Implement draft-ietf-dnsop-kskroll-sentinel-00

Closes #266

See merge request !382

It is enabled by default.

policy: load policy module by default

See merge request !457

RFC 6761 mandates functionality implemented by policy module, so it is
now loaded by default. Users with special needs can still unload the
module.

Anbang Wen authored 7 years ago and Vladimír Čunát committed 7 years ago

Without changing the interface, map_contains is able to tell whether
the item exist in map or not.

Discovered by clang scan.

daemon/worker: worker_process_tcp: cleanup

See merge request !452

daemon/worker: worker_process_tcp: cleanup; there are no need in special processing for qr_task_step return code

layer/iterate: forwarding; repeat query to upstream if SERVFAIL\REFUSE has been received

See merge request !451

ci: add flake8 to Dockerfile

See merge request !449

Tomas Krizek authored 7 years ago and Petr Špaček committed 7 years ago

We do not use Infer after all (see MR !435) so it does not make sense to
have it in the image.

daemon/worker: clean up some unnecessary asserts

See merge request !450

TLS polish

See merge request !447

gnutls-3.3.26-9.el7.x86_64 and libgnutls30-3.5.8-5+deb9u3 do not support
@SYSTEM keyword and CentOS 7 has problem with -VERS-DTLS-ALL.

We do not configure DTLS sockets so it should be harmless to delete
the DTLS keyword.

@SYSTEM is replaced by NORMAL, oh well.

fixup! TLS client: enforce minimal TLS version and no compression

Same change as in a625a0ea1ce03b0707fd421633f21c0aacb786da but for
client.

Server side now enforces security requirements from
draft-ietf-dprive-dtls-and-tls-profiles-11 section 9

GnuTLS manual for some functions do not declare that error return code
must be negative, so we should use constants to avoid potential
problems.

gnutls_certificate_set_x509_trust_file could theoretically return 0
to indicate nothing was read, so we need to check for this as well.

tmpfiles: create cache and use proper tmpfiles name

See merge request !440