I was diffing logs from different runs and got annoyed by the shuffles.

I'm really sorry about this.  It's my regression in 5.5.0 (!1225)

Practical consequence was that the RW transaction was held open
until that instance did something with cache (and thus closed),
so any other instance would be frozen in the meantime if doing
anything non-read-only with cache (e.g. startup).
https://lists.nic.cz/hyperkitty/list/knot-resolver-users@lists.nic.cz/thread/6DOXXOA6ACEUBVYPUY3T2MLGIHWOMV6M/

It's probably a bit more efficient, but this part of code should be
rarely used even on a resolver serving all in XDP.

Somehow I did this wrong when porting to libknot 3.1.

Oto Šťáva authored 3 years ago and Vladimír Čunát committed 3 years ago

Also change the return type of kr_pkt_has_dnssec() and lua's :dobit()

This reverts commit 0c9ea133 (!1226).

CI rp:fwd-tls6.udp-asan now repeatedly shows use-after-free.
That could be a serious issue, and this commit's feature
seems less important than the risk.  Let's revert until the issue
gets deeper investigation.

The new limit is over 68 years, so still completely meaningless.

Oto Šťáva authored 3 years ago and Vladimír Čunát committed 3 years ago

Targeted CIDs: 155456, 155962, 346121, 346123, 346124, 346125,
  346126, 346127, 346130, 346131, 346132, 346134, 346135, 346138,
  346140, 346145, 346146, 346149, 346152, 346154, 346156, 346157

lib/dnssec/nsec3.c change:
  apparently cleaning fallout from my (= vcunat's) commit b5cf6132

For old doh we added this in commit a34aa1ee;
with the new implementation we somehow forgot.

The typical DNSSEC problems should happen already when trying to
validate the DNSKEY set, so it's better to be more verbose there.

In the end I gave up on deduplicating with log_bogus_rrsig() code,
as it's different logging group, logging level, no kr_query, etc.

We can always easily add groups when needed.

The approach of the code was rather hacky, simulating some packets
arriving from upstream and making the module stack CONSUME that.
Instead we take a direct approach now: use the simplified validator API
and then insert into cache directly.

One effect is improved performance, and consequently roughly halving
the lag which happens when prefill module invokes this.
(With root zone the lag goes down to 0.1 s from over 0.2 s,
 on my relatively fast CPU.  Fortunately it's just once a day.)

The following actions will now be logged in debug level (or request
tracing): ANSWER, DENY, DENY_MSG, DROP, REFUSE, TC

This can be useful for RPZ and other policy debugging.

Purposefully ommitted actions:
PASS - since it's the same as normal processing
REROUTE - the action itself comes from renumber module
STUB,FORWARD,TLS_FORWARD - this could be more confusing than useful
  (e.g. when response comes from cache)

To allow for easier debugging, each origin of an extended DNS error has
a unique 4-byte identifier that is included in the extra_text message.

The identifiers are random 4-letter base32 strings, generated with:
base32 /dev/random | head -c 4

Add a utility function for simpler lua API when setting extended errors.