TA RRset might change asynchronously between zi_zone_import() and
zi_zone_process(), we cannot rely pointer from zi_zone_import().

cache: fix cases of CNAMEs not getting cached

See merge request !974

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

+ REFUSED and SERVFAIL (in non-STUB)

It's disallowed combination, but why not fix it when it's so easy.

This was exposed by some of the previous two commits (not sure why)
in CI test for kresd->kresd forwarding.

This also fixes the same for DNAMEs - soon, when they get supported.

Only the special case is changed - xNAMEs when no TAs exist.
Overall the TA handling in kresd is buggy; fortunately in practice it
seems very rare to run in other configuration than single root TA.

... instead of individual records.
- iterator in STUB mode can't process individual CNAME steps from cache
- perhaps it's more suitable for STUB anyway

ci: enable docker-build to run non-interactively

See merge request !981

ci: add dumpcap for Deckard to Debian image

See merge request !980

Formerly multiple instances could use the same seed,
which prevented the retry logic in Lua modules (e.g. prefill) from
retrying at different times.

AFAIK security impact is zero aside from potential thundering-herd
problem with many kresd instances.

Tomas Krizek authored 4 years ago and Vladimír Čunát committed 4 years ago

Our lua functions don't conform to C function declarations, which
generates warnings when using Sphinx 3.0.0+.

Tomas Krizek authored 4 years ago and Vladimír Čunát committed 4 years ago

The macros that expand to __attribute__(x) should precede function
declaration, consistently with all the other code.

Tomas Krizek authored 4 years ago and Vladimír Čunát committed 4 years ago

Configure doxygen to expand/ignore some macros like KR_EXPORT.

Skip some edge-case symbols that would be difficult to fix otherwise.

Closes #396

MISSING triggers re-query to auth in attempt to find missing RRSIGs.
It causes reduntant queries and also puts some BOGUS RRsets in answers.
(It sounds bad but we were correctly setting rcode=SERVFAIL and AD=0
even before this commit.)

Formerly RRSIG ranks did not reflect results of validation.
Now we mark them as BOGUS and upgrade them to SECURE if they validate.

New validator phase answer_finalize prevents BOGUS RRsets from being
put even into SERVFAIL answers.

Closes: #396

support arbitrary data in RPZ

See merge request !964

systemd/tmpfiles: change directory owner to root

See merge request !972

Change the owner of kresd files to root:knot-resolver. This improves
behaviour for Fedora, where kresd can run under root (e.g. in Docker).
Otherwise, running kresd as root on Fedora would fail because of dropped
capabilities and attempting to access /var/lib/knot-resolver, which was
owned by knot-resolver.

This change makes it possible for both root (user) and knot-resolver
(group) to have the same permissions on these directories despite
dropped capabilities.

cache: fix large answers from packet cache

See merge request !976

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

Atomic packets larger than both 4k and net.bufsize() could not
be fetched from cache; now that's fixed in a minimalistic way.
(Minimalistic except for nitpicks like adding comments.)