I'm overall unsure here, but this does seem as improvement.

The target of STUB might commonly not have good support
for "advanced" features like TCP.

policy.TLS_FORWARD: better avoid dead addresses

See merge request !1156

lib/resolve *_LAYERS: detect bad return code from module

See merge request !1151

Vladimír Čunát authored 4 years ago and Tomas Krizek committed 4 years ago

Practical example was now in dnstap (060349c9).  This way we detect
such mistakes more often and closer to their point of origin.

selection: cap the timeout value when probing a random server

See merge request !1154

Štěpán Balážik authored 4 years ago and Tomas Krizek committed 4 years ago

This patch caps the timeout set on UDP queries to servers chosen in the
EXPLORE phase of the selection algorithm to two times the timeout that
would be set if we were EXPLOITing.

This measns that we no longer spend an unreasonable amount of time
probing servers that are probably dead anyway while ensuring that we do
probe them from time to time to check if they didn't come to life.

If the timeout value is capped and the server fails to respond, we don't
punish the server for it i.e. we don't cache the timeout.

Previously, qry->flags.TCP flag was incorectly set, which led
to incorrect logging and maybe other troubles down the line.

utils/cache_gc: fix crashes/assertions on RTT entries

See merge request !1153

I missed some parts when finishing this.  I should've tested it better.
GC would hit assertions or NULL dereferences when removing entries,
and eventually that would lead to cache overflowing (and getting
cleared).

daemon/http: replace assertions

See merge request !1152

ci: update ODVR distros

See merge request !1148

doh2: refuse stream on failure

See merge request !1149

dnstap: don't break request resolution on dnstap errors

See merge request !1147

This isn't a regression of 5.3.0 changes.
Layer functions are supposed to return new values for ctx->state,
but here we were sometimes returning kr_error(EFOO) which altered
processing of the request.

Our case: answers directly from policy module would not end up
finishing the request and we'd hit an assert at the end of processing.

doh2: send HTTP error status code

Closes #618

See merge request !1102

predict docs: better explain how it works

See merge request !1145

release 5.3.0

See merge request !1138

lib/selection: add simple detection of IPv6 being broken

See merge request !1143

Details are described in code comments.

lib/selection: halve the default timeout (for iteration)

See merge request !1141

lib/selection{,_iter}.c: allow switching back to UDP

See merge request !1140

Switching to TCP instead of querying very slow servers over UDP has had
unwanted side effect – we would sometimes get stuck with a server
permanently switched to TCP. And if the server happens to not reply over
TCP we were in trouble.

Therefore after we TCP connect fails or timeouts we provide one last
chance for the server over UDP. This will not prevent the next request
to try TCP again on this server again, but we don't care because
DNS MUST ******* work over TCP.

daemon/udp_queue: drop the error logging

See merge request !1139

We should do this for all transports and probably just in verbose mode.
We were printing lots of these on Turris OS (for one user at least):
https://forum.turris.cz/t/5-1-8-kresd-throwing-many-errors-in-var-log-messages/14775

EACCESS in particular apparently may happen (on Linux) when the network
is "unavailable", EPERM because of firewall/netfilter:
https://stackoverflow.com/a/23869102