Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Issues affecting functionality of the RPZ should NOT be hidden
by default.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

The logs can be triggered from policy actions, in per-request fashion:
- they're on LOG_DEBUG level but always sent, regardless of log config
- those messages will show double group tags: "[reqdbg][foo   ]"
  (but they lack proper meta-data - about location of the log's origin)
- reqdbg is *in addition* to normal logs, so the lines may be duplicated
  if that's how the logging was configured

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

It's mainly in tests.

Vladimír Čunát authored 3 years ago and Štěpán Balážik committed 3 years ago

Perhaps this bug was now more pronounced since 5.3.0 changes.
Example problem was disabling minimization or 0x20 (globally or
for some problematic requests); without this change they would get
re-enabled during some fallback actions... which might be exactly
the wrong moment wrt. the motivation to setting these.
https://gitter.im/CZ-NIC/knot-resolver?at=60a221e86a950f3d46ed1cd9

- return SOA in NODATA answers and allow customizing it
- only call ensure_answer() if really generating an answer
  (otherwise we might e.g. deplete XDP buffers, in extreme cases)

Štěpán Balážik authored 5 years ago and Vladimír Čunát committed 4 years ago

Design discussion: #447
Code discussion: !1030

This amends commit 99e014ac.

For now I was too afraid to use "multi-flag" kr_request::state,
so I kept it at _FAIL; anyone can recognize it by NULL answer anyway.

Lua wrapper: using exception was considered but didn't seem good.
I utilized the fact that modules can return nil meaning no state change.

FIXME: see FIXMEs in diff, document the API change, re-review.

... by allowing .rdata to be a table.  Larger RRsets seem useful.

- use parser-detected $ORIGIN instead of looking at SOA owner
- skip records outside $ORIGIN (and warn) instead of nesting them
- simplify a bit, and tweak warnings

Also utilize table indexing.
This was a "regression" from extending RPZ support in 5.1.0.
NS and SOA are even mandatory, as RPZ is supposed to be a valid zone:
https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00#section-2

Some rules need it and it was nil until now.

DENY, DENY_MSG, DROP, REFUSE and TC will now clear the _selected RRs.
I believe that's what people usually expect of these actions anyway.

This new approach uses per-request variables in Lua and creates new
callback for each DEBUG_IF call instead of each request.

It creates new callback functions for every request which
uses "callback chaining" but these should be rare.

It seems there is no reason to keep this function private in policy
module.

DEBUG_IF accepts user-supplied function which decides which requests
should be logged.

Attempt to avoid duplicating ten lines in debug_logfinish_cb lead me
to splitting kr_log_qverbose_impl into two functions kr_log_q and kr_log_req.
This is another minor change to API exposed to modules.

Formerly both logs used slightly different formats and duplicated code.
From now on verbose log and request tracing are generated using the same
code.

This required a small change to request trace_log_f definition so it
might affect external modules.

Petr Špaček authored 5 years ago and Vladimír Čunát committed 5 years ago

These files did not have GNU GPL v3 boilderplate in them so
I've added machine readable tag with appropriate license.

In finish() phase DONE is (almost?) always set, so it didn't make sense.
The mistake came from c16728f5 !678.

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

Running the full special-domain checks is relatively expensive.

I've never seen anyone use postrules.