Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

NSEC* params were not being stashed by this function.  For prefilling
it's useful, but doing it on *every* NSEC* record would be quite a waste,
so we introduce a parameter to select this.

Implementation: there were good reasons not to implement this until
needed - it wasn't straightforward at all.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

It was a bit weird that the API had mempool creation but no deletion.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Also be more careful about rounding, overflows and assertions in there.
The implicit internal timer was unused and didn't seem worth keeping.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

The POSIX APIs using `struct timeval` are deprecated anyway
in favor of clock_gettime() + `struct timespec`.

The function didn't seem well designed anyway, as `long` is just
32-bit on usual 32-bit platforms, which certainly isn't safe.
(roughly one month, on a quick glance)

modules/priming: don't query A/AAAA when IPv4/IPv6 is disabled

See merge request !1222

Štěpán Balážik authored 3 years ago and Tomas Krizek committed 3 years ago

Previously we primed for A/AAAA addresses of root servers even when
the respective IP version was disabled from configuration.

lib/dnssec: refactor some parts

See merge request !1213

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

This way it will be easier to re-use (and more efficient).
I really disliked those searches for RRSIGs embedded deep inside.

Uh, I tried to keep the new function as clean as possible,
moving hacks to outside.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

That `pkt` check was useless.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

I can't see motivation to add another abstraction layer here,
and it caused ugly type juggling.  Let's use the libdnssec's type.

Dockerfile: polish request tracing in debug_mode

See merge request !1217

Since v5.4.0, using both debug level log and request tracing duplicates
lines in the log output. This makes the log more readable while
hopefully keeping all the relevant information there.

ci: use knot 3.1

See merge request !1219

policy.rpz: fix origin detection in files without $ORIGIN

See merge request !1215

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Issues affecting functionality of the RPZ should NOT be hidden
by default.

systemd: add interaction with nss-lookup.target

See merge request !1216

The point is to allow other services wait for DNS availability.
Of course, kresd may not be the DNS provider for this machine,
but it seems reasonable to still do this by default.

release 5.4.2

See merge request !1212

nitpicks

See merge request !1206

So far we have no idea how it can happen, but in this (rare) case
it seems fine to keep the process running.

Builds are still checked by the other pkftest suite. However, OBS
mirrors for CentOS 7 are just problematic. We've already tried to
contact them once, they fixed the issue but mentioned it will probably
come back. No point in wasting any more time with this test then.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Our "debian-buster" CI image was clearly not a buster
(based on versions in logs).  I suspect this change can help.