nitpicks: comment + unused variables

See merge request !642

I forgot to squash this before 2.4.1; better late than never.

These happen with -DNDEBUG only, and clang detects them (not gcc 7).

zimport nitpick: fix printing of uint64_t

See merge request !640

Equality to `unsigned long` is not guaranteed, and was getting us
warnings on macos (maybe it's not equal there).
Also reduce the overlong lines.

ci: run respdiff jobs

See merge request !638

The catch is that during configuration file processing,
no cache is open (yet), as kresd can't know if the config
does open it in some later part (with non-default path or size).
Now we just throw an error.  Exceptions:
 - cache.open() and cache.backends(), of course :-)
 - cache.ns_tout() - not required, it's not really inside cache
 - cache.close() - it sounds reasonable to allow "closing a closed cache"

This immediately caught a typo in cache metatable.

update NEWS, version and deckard

See merge request !637

Tomas Krizek authored 6 years ago and Vladimír Čunát committed 6 years ago

(cherry picked from commit 54797e88)

cache: fix TTL overflow in packet due to min_ttl

See merge request knot/knot-resolver-security!8

Vladimír Čunát authored 6 years ago and Tomas Krizek committed 6 years ago

- `min_ttl()` enforces packet being alive longer than original TTL
  of some records; but
- the packet is copied to cache as it was.

Resolution: just serve packet the same but with those record's TTLs
remaining at zero.

validate: additional bailiwick checks

See merge request knot/knot-resolver-security!9

Vladimír Čunát authored 6 years ago and Tomas Krizek committed 6 years ago

Let's use this as another layer of defense against our internal bugs.

layer/iterate: fix cache injection via CNAME

See merge request knot/knot-resolver-security!7

Marek Vavruša authored 6 years ago and Tomas Krizek committed 6 years ago

The current default mode doesn't check bailiwick anymore when unrolling
CNAME chains, so if an answer contains:

```
testingme.com.      	3600	IN	CNAME	victim.com.
victim.com.        	172800	IN	NS	attackers.ns
```

The resolver will cache both records as authoritative even though
`victim.com` isn't in the current bailiwick. This was previously
checked in 79d9931d, but removed
in refactoring.

ci: update dockerfiles to support different knot versions

See merge request !635

Petr Špaček authored 6 years ago and Vladimír Čunát committed 6 years ago

/feed disappeared in v1.1.0 and never worked since then.
fixup! 6887a4a2

Petr Špaček authored 6 years ago and Vladimír Čunát committed 6 years ago

This is now covered by test suite.
fixup! b2cefdcf (regressed in 2.4.0).

Parameter cert=false did not work even in 2.3.0 so it was replaced with cleaner
tls=false.

Petr Špaček authored 6 years ago and Vladimír Čunát committed 6 years ago

We want to encourage users to use HTTPS everywhere.

(Thanks to Láďa.)
Also try to stress that hints.set() only takes a pair and not more.

Aggressive nsec3 fixes

Closes #384

See merge request !628

The code around was getting too complex and too deeply indented.

daemon/tls session tickets: avoid bad scheduling cycles

Closes #385

See merge request !631

This should fix #385: possible floods with
> scheduling rotation check in 0 ms

daemon/tls: properly process TLS rehandshake

See merge request !623

distro/rpm: add BuildRequires: gcc

See merge request !625