Previous code incorrectly assumed that OPT was last RR in section
and this lead to truncating output.
https://tools.ietf.org/html/rfc6891#section-6.1.1 clearly states that
OPT can be anywhere in Additional section.

Printer relies on checks in libknot packet parser: check_rr_constraints()
prevents packets with more OPT RRs or OPT outside of additional section
from being parsed so the printer cannot see them.

meson: don't pass libsystemd version to C preprocessor

Closes #592

See merge request !1029

We don't use it anymore, and on some systems it's apparently
not an integer.

validate: don't chase non-sensical signers

Closes #587

See merge request knot/knot-resolver!1022

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

When signer name isn't a prefix of owner, the signature does not make
sense and it's no use trying to use that signer name in any way.

We generally don't force queries on every level of the path,
so this signer confusion could "introduce SERVFAILs" if we
skip over a transition to insecure.

cache: add percentage usage to cache stats

Closes #580

See merge request !1025

nitpicks: batch of tiny fixes collected over time

See merge request !1024

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

So that the overall pipeline time isn't extended too much.

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

In the past week the Travis runs have been consistently taking much more
time than before, usually around 20 minutes, leading to our CI timing out.
https://travis-ci.com/github/CZ-NIC/knot-resolver/builds

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

- root: deprecated key sudo (The key `sudo` has no effect anymore.)
- root: key matrix is an alias for jobs, using jobs

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

There's still frequent issue that documenting some parameters would be
mainly noise but doxygen will warn when not doing it.
WARN_IF_UNDOCUMENTED apparently doesn't cover this and
WARN_IF_DOC_ERROR would probably remove even some useful warnings.

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

It's deprecated since 5.0.0.

tls: fix compilation to support net.tls_sticket_secret()

See merge request !1021

The trick there is that it isn't supported (by us) on gnutls < 3.6.3.
I checked that the test fails before the fix in parent commit
and that it succeeds (is skipped) with gnutls 3.6.2.

treewide: move to our new GitLab URL

See merge request !1019

Vladimír Čunát authored 4 years ago and Tomas Krizek committed 4 years ago

s/gitlab\.labs\.nic/gitlab.nic/g
Redirects are in place, so it shouldn't be required now, but why not.

test cleanups

See merge request !1017

Vladimír Čunát authored 4 years ago and Petr Špaček committed 4 years ago

I think this eliminates the remaining copies.  Most of the places don't
need all the features, but it still seems worth to deduplicate.

Old behavior where test definition without "return" was silently
skipped was very confusing.

It was only generating noise in test logs, especially when network is
not abvailable/is intentionally disabled.

Tomas Krizek authored 4 years ago and Vladimír Čunát committed 4 years ago

When the effective user is root, no capabilities are dropped. This
change has no effect when running as non-privileged user or when
switching to non-privileged user via user() in config.

Dropping capabilities as a root user resulted in the following
unexpected behaviour:

1. When using trust anchor update, r/w access to root keys is neeeded.
   These are typically owned by knot-resolver user. When kresd is
   executed as root and capabilities are dropped, this file was no longer
   writable, because it is owned by knot-resolver, not root.
2. It is impossible to recreate/resize cache due to the same permission
   issue as above.

If you want to drop capabilities when starting kresd as a root user,
you can switch the user with the `user()` command. This changes the
effective user ID and drops any capabilities as well.

release 5.1.2

See merge request !1018

Add new target doc-strict for development to detect warnings, but avoid
failing package builds due to documentation warnings.

opensuse and fedora/epel use different license strings, but the opensuse
value is used in Knot DNS, so let's be consistent.

Cherry picked from https://build.opensuse.org/request/show/817870

policy.rpz: various fixes

See merge request !1016