Really support 64-bit return value even there.
Currently we only use such large value in an unimportant case
(lua_Number seed).

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

murmurhash3.c:43:40: runtime error: addition of unsigned offset
                     to 0x7ffce41c2014 overflowed to 0x7ffce41c2000
The `i` was used in a super-ugly way; I suspect the only reason was
to optimize that end-loop condition was zero comparison *vomit*

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

The misaligned accesses were just throwing warnings for me (with gcc),
so I added the flag to stregthen what we get in CI.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Some less common HW (not x86, usually ARM) doesn't tolerate unaligned
access to memory and it's breakage of C as well.

It's easiest to check by meson's -Db_sanitize=undefined (on any HW).
I pushed millions of real-life QNAME+QTYPE queries over UDP in default
mode and the sanitizer seems clear now.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

libknot >= 2.9 provides it and their version is less buggy :-)
In particular, it works with unaligned pointers.

cache: improve handling write errors from LMDB

See merge request !1159

Vladimír Čunát authored 4 years ago and Tomas Krizek committed 3 years ago

In particular, ignore ENOSPC from LMDB for a short time unless the
space-usage estimate is over 90%.  See code comments for details.

Vladimír Čunát authored 4 years ago and Tomas Krizek committed 3 years ago

I suspect there's an edge case where cache thinks it provided enough
data but iterator (or who) disagrees and resolution continues.
We observed (flags.CACHED == true) even when processing a reply from
internet, and that could be confusing and even trigger a segfault.
Clearing the flag sounds OK semantically; it never meant that no cached
data have been used within the kr_query (e.g. zone cut, DS/DNSKEY, ...)

fix SERVFAIL for some rare dynamic proofs

See merge request !1166

Our aggressive NSEC cache doesn't handle these well and the case
with only the end-label being like this was forgotten.
See the parent commit for a test case.

Also, larger NSEC* sets are now considered weird.

Example case: denying existence of ok.rdns.dev by
oj\255.rdns.dev. NSEC ok\000.rdns.dev.
This NSEC end was incorrectly ordered with the QNAME.
https://gitter.im/CZ-NIC/knot-resolver?at=606055b82beb1e1da3d73892

The code is Libor's :-)

dnstap: fix repeated configuration

See merge request !1168

In practice it can easily happen, as loading module and really
configuring it is often done separately.  Then we'd see two fstrm
threads, etc.

release 5.3.1

See merge request !1162

This change already took place in !1082, this just updates the files to
correctly reflect the current situation.

validator: downgrade NSEC3 records with too many iterations

See merge request !1160

(in aggressive cache part)  Also bump cache version, so that we clear
those that have been left by previous kresd releases.

It seems better to check RRSIGs before checking negative proofs,
in terms of reasoning, being less error-prone, etc.

This reverts commit 4079a1a9, reversing
changes made to a900fdbf.

This reverts commit 4dab349e, reversing
changes made to 4bcf335d.

This reverts commit 99e6e754, reversing
changes made to 65bed85f.

Regressed in acd019db.  The intention was clearly to say that
encryption (i.e. DNS-over-TLS) is not supported.

I'm overall unsure here, but this does seem as improvement.

The target of STUB might commonly not have good support
for "advanced" features like TCP.

policy.TLS_FORWARD: better avoid dead addresses

See merge request !1156

lib/resolve *_LAYERS: detect bad return code from module

See merge request !1151

Vladimír Čunát authored 4 years ago and Tomas Krizek committed 4 years ago

Practical example was now in dnstap (060349c9).  This way we detect
such mistakes more often and closer to their point of origin.

selection: cap the timeout value when probing a random server

See merge request !1154

Štěpán Balážik authored 4 years ago and Tomas Krizek committed 4 years ago

This patch caps the timeout set on UDP queries to servers chosen in the
EXPLORE phase of the selection algorithm to two times the timeout that
would be set if we were EXPLOITing.

This measns that we no longer spend an unreasonable amount of time
probing servers that are probably dead anyway while ensuring that we do
probe them from time to time to check if they didn't come to life.

If the timeout value is capped and the server fails to respond, we don't
punish the server for it i.e. we don't cache the timeout.

Previously, qry->flags.TCP flag was incorectly set, which led
to incorrect logging and maybe other troubles down the line.

utils/cache_gc: fix crashes/assertions on RTT entries

See merge request !1153