ci: add curl to debian-stable, skip respdiff

See merge request !647

fixup! fixup! ci: do not re-run tests on master, use nightly instead

See merge request !646

Oh well, this is nightmare to debug.

fixup! ci: do not re-run tests on master, use nightly instead

See merge request !645

ci: do not re-run tests on master, use nightly instead

See merge request !644

All tests are executed before merge and we allow only fast-forward
merges so it is pointless to re-run them again on merge commit.

Code coverage and OBS will be done on auto-synchornized nightly branch.

trust anchors: use parallel-safe temporary name

See merge request !643

Previously multiple kresd processes might use the same .lock file at
once and thus have a race between writing and renaming.  That could
happen relatively often if starting many instances *at once*.

ci: fixes and optimizations

See merge request !641

Vladimír Čunát authored 6 years ago and Petr Špaček committed 6 years ago

Replaced by a visually recognizable dummy value, for simplicity.
These were introduced in commits:
  cache: don't require cached NS for aggresive answers
  cache closest_NS(): factor out the inside of a loop

Sometimes, for a unknown reason, coverage computation fails in Deckard pipeline:

$ MAKEFLAGS="--jobs $(nproc)" make coverage-c coverage-lua COVERAGE_STAGE=gcov-deckard 2>&1 | grep -vE '(source file is newer than notes file)|(the message is displayed only once per source file)'
lcov: Need one of options -z, -c, -a, -e, -r, -l, --diff or --summary
Use lcov --help to get usage information
coverage.mk:15: recipe for target 'coverage-c' failed
make: *** [coverage-c] Error 255

This is now normally disabled not to interfere with normal development.

This helps with debugging.

nitpicks: comment + unused variables

See merge request !642

I forgot to squash this before 2.4.1; better late than never.

These happen with -DNDEBUG only, and clang detects them (not gcc 7).

zimport nitpick: fix printing of uint64_t

See merge request !640

Equality to `unsigned long` is not guaranteed, and was getting us
warnings on macos (maybe it's not equal there).
Also reduce the overlong lines.

ci: run respdiff jobs

See merge request !638

The catch is that during configuration file processing,
no cache is open (yet), as kresd can't know if the config
does open it in some later part (with non-default path or size).
Now we just throw an error.  Exceptions:
 - cache.open() and cache.backends(), of course :-)
 - cache.ns_tout() - not required, it's not really inside cache
 - cache.close() - it sounds reasonable to allow "closing a closed cache"

This immediately caught a typo in cache metatable.

update NEWS, version and deckard

See merge request !637

Tomas Krizek authored 6 years ago and Vladimír Čunát committed 6 years ago

(cherry picked from commit 54797e88)

cache: fix TTL overflow in packet due to min_ttl

See merge request knot/knot-resolver-security!8

Vladimír Čunát authored 6 years ago and Tomas Krizek committed 6 years ago

- `min_ttl()` enforces packet being alive longer than original TTL
  of some records; but
- the packet is copied to cache as it was.

Resolution: just serve packet the same but with those record's TTLs
remaining at zero.

validate: additional bailiwick checks

See merge request knot/knot-resolver-security!9

Vladimír Čunát authored 6 years ago and Tomas Krizek committed 6 years ago

Let's use this as another layer of defense against our internal bugs.

layer/iterate: fix cache injection via CNAME

See merge request knot/knot-resolver-security!7

Marek Vavruša authored 6 years ago and Tomas Krizek committed 6 years ago

The current default mode doesn't check bailiwick anymore when unrolling
CNAME chains, so if an answer contains:

```
testingme.com.      	3600	IN	CNAME	victim.com.
victim.com.        	172800	IN	NS	attackers.ns
```

The resolver will cache both records as authoritative even though
`victim.com` isn't in the current bailiwick. This was previously
checked in 79d9931d, but removed
in refactoring.