Closes #127 and #736

(and minor other changes)

- apply to first (uncached) answer already
- don't extend over signature validity

Nit: the tests were using too high TTL (RFCs disallow the "sign bit").
It was working because (manual) cache-insertion was applying bounds,
but now the bounds don't get applied anymore, so it would fail.

Allowing too much seems to have more risk than benefit.  For example,
the 2-day TTL on DS records in .com zone (e.g. Slack issue months ago).

When a whole packet is cached (instead of individual RRs),
let's simplify the way the packet's TTL gets computed.

The previous mechanism came from commit 5b383a2b,
probably a misunderstanding of:
https://datatracker.ietf.org/doc/html/rfc2308#section-5
Anyway, I see no motivation to do it, and this way we should
get rid of some weird cases where we might extend TTL of some records,
except if they were below the cache.min_ttl() setting (5s default).

Fixing all instances of the same issue on the same docs page.

Štěpán Balážik authored 2 years ago and Vladimír Čunát committed 2 years ago

This silences the following warning given on newer version of meson:

WARNING: Running the setup command as `meson [options]` instead of
`meson setup [options]` is ambiguous and deprecated.

We can get stricter here;
with negligible fraction of real-life names regressing.

The separate function wasn't really doing anything.
Also add a debug log.

I can't see any motivation for the copying behavior,
and it made caching non-deterministic.

In particular, avoids unintentional NXDOMAIN on grafted subtrees.
Consequently the users can drop 'NO_CACHE' flag and get caching.

I broke this in 54ab3f78 or closely around, so this never worked well
since 5.4.1, and maybe structured logging (5.4.0) had related issues.

And by default do so iff jemalloc is found.

I chose the simplicity of adding the chosen allocator just
in the single binary.  Other sbin/* don't matter really,
and dynamic libs (e.g. modules) will just follow whoever loaded them.

Last use case was dropped in 36b08eb3,
and I don't expect we'd use this in future anymore.
The "bullseye" in README was clearly a typo (it's the codename for 11).

As the web is now, combination without www doesn't redirect https
(only http).  So let's switch to the final URL; apex is problematic.

In that case there's no need to wait for other jobs, too.

We're usually not interested in CI on older commits,
and this default will help cancelling expensive respdiff jobs.

Also add default runner tags to make them less likely
to get underspecified.  For example, each job should choose
one option in the docker/lxc and amd64/arm64 pairs.

This reverts commit 15c13535, with some modifications.
On LXC we've had issues with
  FileExistsError: [Errno 17] File exists: '/tmp/pytest-kresd-portdir'
.. which disappear with this commit.  (I don't know how/why.)

We're the same as knotd in this; it evolved a bit
with libknot and kernel versions.  Taken from:
https://www.knot-dns.cz/docs/3.2/singlehtml/#mode-xdp-pre-requisites

Reproducible by listening on an interface by name, ASAN reports a
heap-buffer-overflow. This was a regression caused by !1286, which did
not account for null-terminators properly.

Tom Herbers authored 2 years ago and Vladimír Čunát committed 2 years ago

It's resonable to assume that people would also want to disable DNS64 for
IPv4 source addresses if they only enable it for some IPv6 sources.

Close https://github.com/CZ-NIC/knot-resolver/pull/83

https://gitlab.nic.cz/knot/knot-resolver/-/jobs/802541#L272