Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

It's a regression of b00ee5fa (v3.0.0).  Fortunately, since that
version we use cache for positive packets only when they are BOGUS
(see `bool want_pkt =`) so that they're available for +cd queries.
Therefore the impact was really negligible, until the DoT module.

First version which actually works with Firefox DoH in default
configuration.

Limitations:
- does not support HTTP GET method
- headers for HTTP cache are not generated
- error handling is largely missing
- no tests
- ACLs will not work, modules do not see source IP address of the HTTP
endpoint

Usability improvements for table_print

See merge request knot/knot-resolver!790

This does not work with C functions etc. but it seems that we do not
expose them directly in Lua interface for users.

This makes it much easier to navigate in complex data structures.
AFAIK table_print is not used for anything except user interface so it
is not performance critical and we can re-sort table every time.

drop libkres9 and libkres-dev packages

See merge request knot/knot-resolver!795

Daniel Kahn Gillmor authored 6 years ago and Tomas Krizek committed 5 years ago

Debian packaging as of 3.2.1-3 is no longer shipping libkres9 or
libkres-dev (see https://bugs.debian.org/923970

).  This brings the
upstream debian-style packaging in line with the Debian packaging on
that front.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

validate nitpick fix: unsupported algo edge case

See merge request knot/knot-resolver!798

Vladimír Čunát authored 5 years ago and Petr Špaček committed 5 years ago

kr_dnskeys_trusted() semantics is changed, but I do NOT consider that
a part of public API.

Go insecure due to algorithm support even if DNSKEY is NODATA.
I can't see how that's relevant to practical usage, but I think this new
behavior makes more sense.  We still do try to fetch the DNSKEY even
though we have information about its un-usability beforehand.
I'd consider fixing that a premature optimization.
We'll still be affected if the DNSKEY query SERVFAILs or something.

Thanks to PowerDNS people for catching this!

pytests: check minimum required gnutls version

Closes #457

See merge request knot/knot-resolver!796

Tomas Krizek authored 6 years ago and Petr Špaček committed 5 years ago

Add a message to make extra requirements clear instead of throwing
a compilation error.

Closes #457

daemon/lua/trust_anchors: don't crash when dealing with unknown algorhitm

Closes #449

See merge request knot/knot-resolver!788

User-friendly error message is intentionally at the end so users,
typically looking at the last line in logs, can see immediatelly what
happened.

Previous version would add the TA and then print error message, which is
not expected.

Tomas Krizek authored 6 years ago and Petr Špaček committed 5 years ago

It's impossible to add managed keysets unless ta_update is loaded,
in which case ta_update.start() is called by trust_anchors.add_file().

On ta_update unload, previously managed keys are flagged as unmanaged.

Tomas Krizek authored 6 years ago and Petr Špaček committed 5 years ago

Since DNSSEC is now enabled by default and always loads the
keyfile_default specified during compilation, these options are
obsolete.

Use trust_anchors.add_file() in config file if you require this
functionality.

It was unused since cleanup in trust_anchors and just cluttering the code.

Tomas Krizek authored 6 years ago and Petr Špaček committed 5 years ago

+ tests

Exracting RFC 5011 to separate module was a good opportunity for
cleanup.

Previously a typo in keyfile path triggered re-bootstrap even if root TA
was already installed.

This simple change makes it easier to follow what the code does.