.clang-tidy

+---
+Checks: |-
+  bugprone-*,
+  cert-*,
+  google-readability-casting,
+  misc-*,
+  readability-*,
+
+  -bugprone-assignment-in-if-condition,
+  -bugprone-branch-clone,
+  -bugprone-easily-swappable-parameters,
+  -bugprone-inc-dec-in-conditions,
+  -bugprone-multi-level-implicit-pointer-conversion,
+  -bugprone-narrowing-conversions,
+  -bugprone-not-null-terminated-result,
+  -bugprone-sizeof-expression,
+  -bugprone-suspicious-string-compare,
+  -cert-dcl03-c,
+  -cert-dcl16-c,
+  -clang-analyzer-deadcode.DeadStores,
+  -clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling,
+  -clang-analyzer-unix.Malloc,
+  -clang-analyzer-valist.Uninitialized,
+  -clang-analyzer-optin.core.EnumCastOutOfRange,
+  -misc-include-cleaner,
+  -misc-macro-parentheses,
+  -misc-no-recursion,
+  -misc-static-assert,
+  -misc-unused-parameters,
+  -readability-avoid-nested-conditional-operator,
+  -readability-avoid-unconditional-preprocessor-if,
+  -readability-braces-*,
+  -readability-cognitive-complexity,
+  -readability-else-after-return,
+  -readability-function-cognitive-complexity,
+  -readability-identifier-length,
+  -readability-isolate-declaration,
+  -readability-magic-numbers,
+  -readability-non-const-parameter,
+  -readability-redundant-declaration,
+  -readability-uppercase-literal-suffix,
+  -clang-analyzer-core.UndefinedBinaryOperatorResult
+
+# TODO: remove `-clang-analyzer-core.UndefinedBinaryOperatorResult` when we
+# upgrade to Clang >=18 (it's a false positive )
+
+WarningsAsErrors: |-
+  cert-*,
+  clang-analyzer-*,
+  misc-*,
+  readability-*,
+  -readability-non-const-parameter,
+
+HeaderFilterRegex: 'contrib/ucw/*.h'
+CheckOptions:
+  - key:             readability-identifier-naming
+    value:           'lower_case'
+  - key:             readability-function-size.StatementThreshold
+    value:           '400'
+  - key:             readability-function-size.LineThreshold
+    value:           '500'

.dir-locals.el

 ;; emacs local configuration settings for knot-resolver source
 ;; surmised by dkg on 2016-04-02 23:46:50-0300
+;; SPDX-License-Identifier: GPL-3.0-or-later
 
 ((c-mode
   (indent-tabs-mode . t)

.gitattributes

+*.c	diff=cpp
+*.cpp	diff=cpp

.github/workflows/macOS.yaml

+name: macOS
+
+on: push
+
+jobs:
+  build-test:
+    name: Build & unit tests & sanity check
+    runs-on: macOS-latest
+    strategy:
+      matrix:
+        knot-version: ['3.3']
+
+    steps:
+      - name: Checkout resolver code
+        uses: actions/checkout@v2
+        with:
+          submodules: true
+
+      - name: Install dependecies from brew
+        run:
+          brew install cmocka luajit libuv lmdb meson nghttp2 autoconf automake m4 libtool pkg-config
+
+      - name: Install libknot from sources
+        env:
+          KNOT_DNS_VERSION: ${{ matrix.knot-version }}
+        run: |
+          git clone -b ${KNOT_DNS_VERSION} https://gitlab.nic.cz/knot/knot-dns.git
+          cd knot-dns
+          autoreconf -fi
+          ./configure --prefix=${HOME}/.local/usr --disable-static --disable-fastparser --disable-documentation --disable-daemon --disable-utilities --with-lmdb=no
+          make -j2 install
+          cd ..
+
+      - name: Build resolver
+        run: |
+          export PKG_CONFIG_PATH="${PKG_CONFIG_PATH}:${HOME}/.local/usr/lib/pkgconfig"
+          meson build_darwin --default-library=static --buildtype=debugoptimized --prefix=${HOME}/.local/usr -Dc_args='-fno-omit-frame-pointer'
+          ninja -C build_darwin -v install
+
+      - name: Run unit tests
+        env:
+          MALLOC_CHECK_: 3
+          MALLOC_PERTURB_: 223
+        run: meson test -C build_darwin --suite unit
+
+      - name: Run kresd
+        env:
+          MALLOC_CHECK_: 3
+          MALLOC_PERTURB_: 223
+        run: |
+          export DYLD_FALLBACK_LIBRARY_PATH="${DYLD_FALLBACK_LIBRARY_PATH}:${HOME}/.local/usr/lib/"
+          echo "quit()" | ${HOME}/.local/usr/sbin/kresd -a 127.0.0.1@53535 .

.gitignore

-*.o
+**/__pycache__/
+*.6
+*.Plo
 *.a
-*.so
-*.so.*
+*.db
 *.dylib
 *.dylib.*
-*.lo
+*.gcda
+*.gcno
+*.gcov
+*.info
+*.junit.xml
 *.la
-*.Plo
-*.swp
-*~
-*.d
-*.db
-*.out
-*.6
+*.lo
 *.log
-/daemon/lua/*.inc
 *.mdb
-*.gcno
-*.gcda
-*.gcov
+*.o
+*.out
+*.so
+*.so.*
+*.swp
+*~
+.coverage
+.deps
 .dirstamp
 .libs
-.deps
-_obj
+.mypy_cache
+.pytest_cache
+/.build*/
+/.cache
+/.install_dev
+/aclocal.m4
+/ar-lib
 /autom4te.cache/*
-/config.log
+/bench/bench_lru
+/build*/
+/compile
+/compile_commands.json
+/config.guess
 /config.h
+/config.log
 /config.status
-/config.guess
 /config.sub
 /configure
-/ar-lib
-/libtool
-/missing
-/compile
+/control
+/coverage
+/coverage.stats
+/daemon/kresd
+/daemon/lua/*.inc
+/daemon/lua/trust_anchors.lua
 /depcomp
+/dist
+/distro/tests/*/.vagrant
+/doc/**/.doctrees
+/doc/**/doxyxml
+/doc/html
+/doc/kresd.8
+/doc/texinfo
+/doc/_static/schema_doc*
+/doc/config-schema-body.md
+/ephemeral_key.pem
 /install-sh
-/stamp-h1
-/aclocal.m4
+/libkres.pc
+/libtool
 /ltmain.sh
-/ylwrap
-/doc/doxyxml
-/doc/html
-/daemon/kresd
+/missing
+/modules/dnstap/dnstap.pb-c.d
+/pkg
+/self.crt
+/self.key
+/stamp-h1
+/tags
+/tests/dnstap/src/dnstap-test/go.sum
+/tests/pytests/*/tcproxy
+/tests/pytests/*/tlsproxy
+/tests/pytests/pytests.*.html
+/tests/pytests/*.junit.xml
 /tests/test_array
 /tests/test_lru
 /tests/test_map
@@ -51,8 +83,9 @@ _obj
 /tests/test_set
 /tests/test_utils
 /tests/test_zonecut
+/ylwrap
+_obj
 kresd.amalg.c
 libkres.amalg.c
-/doc/kresd.8
-/libkres.pc
-/modules/version/version.lua
+luacov.*.out
+poetry.lock

.gitlab-ci.manager.yml

+stages:
+  - check
+
+default:
+  image: $IMAGE_PREFIX/manager:$IMAGE_TAG
+  before_script:
+    - poetry --version
+    - poetry env use $PYTHON_INTERPRETER
+  tags:
+    - docker
+    - linux
+    - amd64
+
+examples:py3.12:
+  stage: check
+  script:
+    - poetry install --all-extras --only main,dev
+    - poe examples
+  variables:
+    PYTHON_INTERPRETER: python3.12
+
+check:py3.12:
+  stage: check
+  script:
+    - poetry install --all-extras --only main,dev,lint
+    - poe check
+  variables:
+    PYTHON_INTERPRETER: python3.12
+
+format:py3.12:
+  stage: check
+  script:
+    - poetry install --all-extras --only main,dev,lint
+    - poe format
+  variables:
+    PYTHON_INTERPRETER: python3.12
+
+lint:py3.12:
+  stage: check
+  script:
+    - poetry install --all-extras --only main,dev,lint
+    - poe lint
+  variables:
+    PYTHON_INTERPRETER: python3.12
+
+.unit: &unit
+  stage: check
+  script:
+    - poetry install --all-extras --only main,dev,test
+    - poe test
+    # the following command makes sure that the source root of the coverage file is at $gitroot
+    - poetry run bash -c "coverage combine .coverage; coverage xml"
+  artifacts:
+    reports:
+      coverage_report:
+        coverage_format: cobertura
+        path: coverage.xml
+      junit: unit.junit.xml
+    paths:
+      - unit.junit.xml
+
+unit:py3.8:
+  <<: *unit
+  variables:
+    PYTHON_INTERPRETER: python3.8
+
+unit:py3.9:
+  <<: *unit
+  variables:
+    PYTHON_INTERPRETER: python3.9
+
+unit:py3.10:
+  <<: *unit
+  variables:
+    PYTHON_INTERPRETER: python3.10
+
+unit:py3.11:
+  <<: *unit
+  variables:
+    PYTHON_INTERPRETER: python3.11
+
+unit:py3.12:
+  <<: *unit
+  variables:
+    PYTHON_INTERPRETER: python3.12
+
+unit:py3.13:
+  <<: *unit
+  variables:
+    PYTHON_INTERPRETER: python3.13

.gitmodules

-[submodule "tests/deckard"]
-	path = tests/deckard
-	url = https://gitlab.labs.nic.cz/knot/deckard.git
+[submodule "tests/integration/deckard"]
+	path = tests/integration/deckard
+	url = https://gitlab.nic.cz/knot/deckard.git
+[submodule "modules/policy/lua-aho-corasick"]
+	path = modules/policy/lua-aho-corasick
+	url = https://gitlab.nic.cz/knot/3rdparty/lua-aho-corasick.git
+[submodule "tests/config/tapered"]
+	path = tests/config/tapered
+	url = https://gitlab.nic.cz/knot/3rdparty/lua-tapered.git

.luacheckrc

+-- SPDX-License-Identifier: GPL-3.0-or-later
+std = 'luajit'
+new_read_globals = {
+	'cache',
+	'eval_cmd',
+	'event',
+	'help',
+	'_hint_root_file',
+	'hostname',
+	'map',
+	'modules',
+	'net',
+	'package_version',
+	'quit',
+	'resolve',
+	'ta_update',
+	'fromjson',
+	'todname',
+	'tojson',
+	'user',
+	'worker',
+	'kluautil_list_dir',
+	-- Sandbox declarations
+	'kB',
+	'MB',
+	'GB',
+	'sec',
+	'second',
+	'minute',
+	'min',
+	'hour',
+	'day',
+	'panic',
+	'log',
+	'log_error',
+	'log_warn',
+	'log_info',
+	'log_debug',
+	'log_fmt',
+	'log_qry',
+	'log_req',
+	'log_level',
+	'log_target',
+	'log_groups',
+	'LOG_CRIT',
+	'LOG_ERR',
+	'LOG_WARNING',
+	'LOG_NOTICE',
+	'LOG_INFO',
+	'LOG_DEBUG',
+	'mode',
+	'reorder_RR',
+	'option',
+	'env',
+	'debugging',
+	'kres',
+	'libknot_SONAME',
+	'libzscanner_SONAME',
+	'table_print',
+	'_ENV',
+}
+
+new_globals = {
+	-- Modules are allowed to be set and accessed from global namespace
+	'policy',
+	'view',
+	'stats',
+	'http',
+	'trust_anchors',
+	'bogus_log',
+}
+
+-- Luacheck < 0.18 doesn't support new_read_globals
+for _, v in ipairs(new_read_globals) do
+	table.insert(new_globals, v)
+end
+
+exclude_files = {
+	'modules/policy/lua-aho-corasick', -- Vendored
+	'tests/config/tapered',
+	'build*/**', -- build outputs
+	'pkg/**', -- packaging outputs
+}
+
+-- Ignore some pedantic checks
+ignore = {
+	'4.1/err', -- Shadowing err
+	'4.1/.',   -- Shadowing one letter variables
+}
+
+-- Sandbox can set global variables
+files['**/daemon/lua'].ignore = {'111', '121', '122'}
+files['**/daemon/lua/kres-gen-*.lua'].ignore = {'631'} -- Allow overly long lines
+-- Tests and scripts can use global variables
+files['scripts'].ignore = {'111', '112', '113'}
+files['tests'].ignore = {'111', '112', '113'}
+files['**/utils/upgrade'].ignore = {'111', '112', '113'}
+files['**/modules/**/*.test.lua'].ignore = {'111', '112', '113', '121', '122'}
+files['**/daemon/**/*.test.lua'].ignore = {'111', '112', '113', '121', '122'}

.mailmap

+Aleš Mrázek <ales.mrazek@nic.cz>
+Alex Forster <aforster@cloudflare.com>
+Ali Asad Lotia <ali.asad.lotia@gmail.com>
+Anbang Wen <anbang@cloudflare.com> <xofyarg@gmail.com>
+Anbang Wen <anbang@cloudflare.com> <anb@dev.null>
+Andreas Rammhold <andreas@rammhold.de>
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Daniel Salzman <daniel.salzman@nic.cz>
+daurnimator <quae@daurnimator.com>
+David Beitey <david@davidjb.com>
+Grigorii Demidov <grigorii.demidov@nic.cz>
+Hasnat <hasnat.ullah@gmail.com>
+Jiří Helebrant <jiri.helebrant@nic.cz> <helb@helb.cz>
+Ivana Krumlová <ivana.krumlova@nic.cz>
+Jakub Ružička <jakub.ruzicka@nic.cz>
+Jan Hák <jan.hak@nic.cz>
+Jan Holuša <jan.holusa@nic.cz>
+Jan Pavlinec <jan.pavlinec@nic.cz>
+Jan Včelák <jan.vcelak@nic.cz> <jv@fcelda.cz>
+Jan Včelák <jan.vcelak@nic.cz>
+Jayson Reis <santosdosreis@gmail.com>
+Jonathan Coetzee <jon@thancoetzee.com>
+Josh Soref <jsoref@users.noreply.github.com>
+Karel Slaný <karel.slany@nic.cz>
+Libor Peltan <libor.peltan@nic.cz>
+Lukáš Ježek <lukas.jezek@nic.cz>
+Manu Bretelle <chantr4@gmail.com>
+Marek Vavruša <mvavrusa@cloudflare.com> Marek Vavrusa <marek@vavrusa.com>
+Marek Vavruša <mvavrusa@cloudflare.com> Marek Vavruša <mvavrusa@cloudflare.com>
+Marek Vavruša <mvavrusa@cloudflare.com> Marek Vavruša <marek.vavrusa@nic.cz>
+Marek Vavruša <mvavrusa@cloudflare.com> <marek@vavrusa.com>
+Marek Vavruša <mvavrusa@cloudflare.com> <marek.vavrusa@nic.cz>
+Michal Karm Babáček <karm@email.cz>
+Michal Lupečka <mlupecka@nic.cz>
+Ondřej Surý <ondrej.sury@nic.cz> <ondrej@sury.org>
+Oto Šťáva <oto.stava@nic.cz> <oto.stava@gmail.com>
+Paul Hoffman <paul.hoffman@icann.org> <phoffman@proper.com>
+Paul Hoffman <paul.hoffman@icann.org>
+Pavel Doležal <pavel.dolezal@nic.cz>
+Pavel Valach <valach.pavel@gmail.com>
+Petr Špaček <petr.spacek@nic.cz>
+rickhg12hs <rickhg12hs@users.noreply.github.com>
+Robert Šefr <robert.sefr@outlook.com>
+SH <sh@analogic.cz>
+Simon South <simon@simonsouth.net>
+Štěpán Balážik <stepan@balazik.cz> <stepan.balazik@nic.cz>
+Štěpán Kotek <stepan.kotek@nic.cz> Stepan Kotek <stepan.kotek@nic.cz>
+Štěpán Kotek <stepan.kotek@nic.cz> <stepan.kotek@gmail.com>
+The Gitter Badger <badger@gitter.im>
+Tomáš Hozza <thozza@redhat.com>
+Tomáš Křížek <tomas.krizek@nic.cz>
+Ulrich Wisser <ulrich.wisser@iis.se>
+Leo Vandewoestijne <github@unicycle.net>
+<vaclav.sraier@nic.cz> <git@vakabus.cz>
+Václav Šraier <vaclav.sraier@nic.cz>
+Vicky Shrestha <vicky@cloudflare.com> <vicky@geeks.net.np>
+Vítězslav Kříž <vitezslav.kriz@nic.cz>
+Vladimír Čunát <vladimir.cunat@nic.cz> <vcunat@gmail.com>

.python-version

+3.8.20
+3.9.20
+3.10.15
+3.11.10
+3.12.6
+3.13.0

.readthedocs.yaml

+version: 2
+
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+sphinx:
+  configuration: doc/conf.py
+
+python:
+  install:
+    - requirements: doc/requirements.txt
+
+formats:
+  - pdf
+  - epub

.travis.yml

-language: c
-os:
-    - osx
-compiler:
-    - clang
-notifications:
-    email:
-        on_success: change
-        on_failure: change
-    slack:
-        rooms: cznic:xNJmvHU2xu2aGtN7Y2eqHKoD
-        on_success: change
-        on_failure: change
-    webhooks:
-        urls: https://webhooks.gitter.im/e/66485d8f591942052faa
-        on_success: always
-        on_failure: always
-matrix:
-    fast_finish: true
-env:
-    global:
-        - PKG_CONFIG_PATH="${HOME}/.local/lib/pkgconfig"
-        - PATH="${HOME}/.local/bin:/usr/local/bin:${PATH}"
-        - LD_LIBRARY_PATH="${HOME}/.local/lib"
-        - DYLD_LIBRARY_PATH="${HOME}/.local/lib"
-        - MALLOC_CHECK_=3
-        - MALLOC_PERTURB_=223
-before_script:
-    - echo $CFLAGS
-    - BOOTSTRAP_CLEANUP=1 ./scripts/bootstrap-depends.sh ${HOME}/.local
-script:
-    - CFLAGS="-O2 -g -fno-omit-frame-pointer -DDEBUG" make -j2 install check V=1 COVERAGE=1 PREFIX=${HOME}/.local DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}
-    - ./daemon/kresd -h
-    - ./daemon/kresd -V
-    - echo "quit()" | ./daemon/kresd -a 127.0.0.1#53535 .
-    - CFLAGS="-O2 -g -fno-omit-frame-pointer -DDEBUG" make -j2 check-integration COVERAGE=1 PREFIX=${HOME}/.local DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}
-after_success:
-    - if test $TRAVIS_OS_NAME = linux; then coveralls -i lib -i daemon -x ".c" --gcov-options '\-lp'; fi
-sudo: false
-cache:
-    directories:
-    - ${HOME}/.local
-    - ${HOME}/.cache/pip
-before_cache:
-    - rm -f ${HOME}/.local/sbin/kresd
-    - rm -f ${HOME}/.local/lib/libkres.*
-    - rm -rf ${HOME}/.local/include/libkres
-    - rm -rf ${HOME}/.local/lib/kdns_modules

ARCHITECTURE.md

+# Inner architecture of the manager
+
+![architecture diagram](docs/img/manager_architecture_diagram.svg)
+
+## API
+
+The API server is implemented using [`aiohttp`](https://docs.aiohttp.org/en/stable/). This framework provides the application skeleton and manages application runtime. The manager is actually a normal web application with the slight difference that we don't save the data in a database but rather modify systems state.
+
+## Data processing
+
+From the web framework, we receive data as simple strings. After this step, we return a fully typed object with valid configuration (or an exception with an error).
+
+### Parsing
+
+We currently support YAML and JSON and decide based on `Content-Type` header (JSON being the default if no `Content-Type` header is provided). We use the Python's [build-in JSON parser](https://docs.python.org/3/library/json.html) and [`PyYAML`](https://pyyaml.org/).
+
+### Schema and type validation
+
+The parsing step returns a dict-like object, which does not provide any guarantees about it's content. We map the values from this object to a proper class object based on Python's native type annotations. The code to do this is custom made, no libraries needed.
+
+### Normalization
+
+After we move the configuration to the typed objects, we need to normalize its values for further use. For example, all `auto` values should be replaced by real infered values. The result of this step is yet another typed object, but different than the input one so that we can statically distinguish between normalized and not-normalized config data.
+
+## Actual manager
+
+The actual core of the whole application is originally named the manager. It keeps a high-level view of the systems state and performs all necessary operations to change the state to the desired one. It does not interact with the system directly, majority of interactions are hidden behing abstract backends.
+
+Every other part of the processing pipeline is fully concurrent. The manager is a place where synchronization happens.
+
+## Backends
+
+The Knot Resolver Manager supports several backends, more specifically several service managers that can run our workers. The main one being `systemd` has several variants, so that it can run even without privileges. The other currently supported option is `supervisord`.
+
+The used backend is chosen automatically on startup based on available privileges and other running software. This decision can be overriden manually using a command line option.
+
+# Partial config updates
+
+The pipeline described above works well when the user provides full configuration through the API. However, some users might want to make only partial changes as it allows several independent client applications to change different parts of the config independently without explicit synchronization on their part.
+
+When a user submits a partial config, we parse it and change the last used config accordingly. The change happens before the normalization step as that is the first step modifing provided data.
\ No newline at end of file

AUTHORS

-Marek Vavrusa <marek@vavrusa.com>
-Ondřej Surý <ondrej.sury@nic.cz>
-Jan Vcelak <jan.vcelak@nic.cz>
-Grigorii Demidov <grigorii.demidov@nic.cz>
-Karel Slany <karel.slany@nic.cz>
+Knot Resolver was conceived and is being developed
+by research department of CZ.NIC, the CZ TLD operator.
+
+Over the years many organizations and individuals contributed to the project.
+Special thanks belongs to following organizations:
+- Comcast
+- Cloudflare
+- ICANN
+
+People who contributed commits to our Git repo are:
+Aleš Mrázek <ales.mrazek@nic.cz>
+Alex Forster <aforster@cloudflare.com>
+Ali Asad Lotia <ali.asad.lotia@gmail.com>
+Anbang Wen <anbang@cloudflare.com>
+Andreas Rammhold <andreas@rammhold.de>
+Christophe Nowicki <cscm@csquad.org>
+Christopher Ng <facboy@gmail.com>
+cronfy <cronfy@gmail.com>
+Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 Daniel Salzman <daniel.salzman@nic.cz>
+daurnimator <quae@daurnimator.com>
+David Beitey <david@davidjb.com>
+Felix Yan <felixonmars@archlinux.org>
+Frantisek Tobias <frantisek.tobias@nic.cz>
+Grigorii Demidov <grigorii.demidov@nic.cz>
+Hasnat <hasnat.ullah@gmail.com>
+Héctor Molinero Fernández <hector@molinero.dev>
+Ivana Krumlová <ivana.krumlova@nic.cz>
+Jakub Jirutka <jakub@jirutka.cz>
+Jakub Ružička <jakub.ruzicka@nic.cz>
+Jan Hák <jan.hak@nic.cz>
+Jan Holuša <jan.holusa@nic.cz>
+Jan Pavlinec <jan.pavlinec@nic.cz>
+Jan Včelák <jan.vcelak@nic.cz>
+Jayson Reis <santosdosreis@gmail.com>
+Jiří Helebrant <jiri.helebrant@nic.cz>
+Jonathan Coetzee <jon@thancoetzee.com>
+Josh Soref <jsoref@users.noreply.github.com>
+Karel Slaný <karel.slany@nic.cz>
+Kirill A. Korinsky <kirill@korins.ky>
+Konstantin Amelichev <kostya.amelichev@gmail.com>
+Ladislav Lhotka <ladislav.lhotka@nic.cz>
+Leo Vandewoestijne <github@unicycle.net>
+Libor Peltan <libor.peltan@nic.cz>
+Lukáš Ježek <lukas.jezek@nic.cz>
+Lukáš Ondráček <lukas.ondracek@nic.cz>
+Manu Bretelle <chantr4@gmail.com>
+Marek Vavruša <mvavrusa@cloudflare.com>
+menakite <29005531+menakite@users.noreply.github.com>
+Michal Karm Babáček <karm@email.cz>
+Michal Lupečka <mlupecka@nic.cz>
+Ondřej Surý <ondrej.sury@nic.cz>
+Oto Šťáva <oto.stava@nic.cz>
+Paul Hoffman <paul.hoffman@icann.org>
+Pavel Doležal <pavel.dolezal@nic.cz>
 Pavel Valach <valach.pavel@gmail.com>
-Tomas Hozza <thozza@redhat.com>
-Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Vladimír Čunát <vladimir.cunat@nic.cz>
-Štěpán Balážik <stepan.balazik@nic.cz>
+Peter Keresztes Schmidt <carbenium@outlook.com>
 Petr Špaček <petr.spacek@nic.cz>
+realPy <t3sla@v-ip.fr>
+rickhg12hs <rickhg12hs@users.noreply.github.com>
+Robert Šefr <robert.sefr@outlook.com>
+SH <sh@analogic.cz>
+Simon South <simon@simonsouth.net>
+Štěpán Balážik <stepan@balazik.cz>
+Štěpán Kotek <stepan.kotek@nic.cz>
+The Gitter Badger <badger@gitter.im>
+Tomáš Hozza <thozza@redhat.com>
+Tomáš Křížek <tomas.krizek@nic.cz>
+Tom Herbers <mail@tomherbers.de>
+Ulrich Wisser <ulrich.wisser@iis.se>
+Václav Šraier <vaclav.sraier@nic.cz>
+Vicky Shrestha <vicky@cloudflare.com>
+Vítězslav Kříž <vitezslav.kriz@nic.cz>
+Vladimír Čunát <vladimir.cunat@nic.cz>
+
+Knot Resolver source tree also bundles code and content published by:
+Austin Appleby <aappleby@gmail.com>
+Dan Vanderkam <danvdk@gmail.com>
+Jonathan Allard <jonathan@allard.io>
+Joseph A. Adams <joeyadams3.14159@gmail.com>
+Mark DiMarco <mark.dimarco@gmail.com>
+Michael Bostock <mike@ocks.org>
+Rusty Russell <rusty@rustcorp.com.au>
+Thomas Park <thomas@thomaspark.co>
+Vincent Bernat <vincent@bernat.im>
+Fastly
+jQuery Foundation
+Knot DNS contributors
+Twitter
+United Computer Wizards
+
+Thanks to everyone who knowingly or unknowingly contributed!

CONTRIBUTING.md

+Contributing
+============
+
+Please file issues and merge requests against the upstream repository:
+
+[https://gitlab.nic.cz/knot/knot-resolver](https://gitlab.nic.cz/knot/knot-resolver)
+
+Opening a merge request on gitlab.nic.cz
+----------------------------------------
+
+Unfortunately, due to administrative policy, forking is disabled by default. To
+be able to fork, please send us an e-mail with your username to knot-resolver@labs.nic.cz
+
+We apologize for the inconvenience and if you can't be bothered, please
+consider alternate ways of contributing, such as:
+
+- Opening a pull request on [github.com](https://github.com/CZ-NIC/knot-resolver).
+  We'll take care of it and move it to our upstream.
+- Sending a patch to the users list: knot-resolver-users@lists.nic.cz

COPYING

+Unless specifically indicated otherwise in a file or directory,
+files are licensed under GNU GPL license either version 3, or
+(at your option) any later version.
+
+SPDX-License-Identifier: GPL-3.0-or-later
+SPDX-URL: https://spdx.org/licenses/GPL-3.0-or-later.html
+License-Text:
+
                     GNU GENERAL PUBLIC LICENSE
                        Version 3, 29 June 2007
 

Dockerfile

+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# Intermediate container for build
+FROM debian:12 AS build
+
+ENV OBS_REPO=knot-resolver-latest
+ENV DISTROTEST_REPO=Debian_12
+
+RUN apt-get update -qq && \
+	apt-get -qqq -y install \
+		apt-transport-https ca-certificates wget \
+		pipx devscripts && \
+	pipx install apkg
+
+RUN wget -O /usr/share/keyrings/cznic-labs-pkg.gpg https://pkg.labs.nic.cz/gpg && \
+	echo "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/knot-resolver bookworm main" \
+		> /etc/apt/sources.list.d/cznic-labs-knot-resolver.list && \
+	apt-get update -qq
+
+COPY . /source
+
+RUN cd /source && \
+	export PATH="$PATH:/root/.local/bin" && \
+	git submodule update --init --recursive && \
+	git config --global user.name "Docker Build" && \
+	git config --global user.email docker-build@knot-resolver && \
+	\
+	# Replace 'knot-resolver' user and group with 'root'
+	# in meson_options.tx and python/knot_resolver/constants.py.
+	# This is needed for the file/directory permissions validation
+	# and then for the proper functioning of the resolver.
+	sed s/knot-resolver/root/g -i meson_options.txt && \
+	sed 's/USER.*/USER = "root"/g' -i python/knot_resolver/constants.py && \
+	sed 's/GROUP.*/GROUP = "root"/g' -i python/knot_resolver/constants.py && \
+	git commit -a -m TMP && \
+	\
+	/root/.local/bin/apkg build-dep -y && \
+	/root/.local/bin/apkg build
+
+# Real container
+FROM debian:12-slim AS runtime
+
+ENV OBS_REPO=knot-resolver-latest
+ENV DISTROTEST_REPO=Debian_12
+
+RUN apt-get update -qq && \
+	apt-get -qqq -y install apt-transport-https ca-certificates
+
+COPY --from=build \
+	/usr/share/keyrings/cznic-labs-pkg.gpg \
+	/usr/share/keyrings/cznic-labs-pkg.gpg
+COPY --from=build \
+	/etc/apt/sources.list.d/cznic-labs-knot-resolver.list \
+	/etc/apt/sources.list.d/cznic-labs-knot-resolver.list
+
+RUN apt-get update -qq && \
+	apt-get upgrade -qq
+
+COPY --from=build /source/pkg/pkgs/debian-12 /pkg
+
+# install resolver, minimize image and prepare config directory
+RUN apt-get install -y /pkg/*/*.deb && \
+	rm -r /pkg && \
+	apt-get remove -y -qq curl gnupg2 && \
+	apt-get autoremove -y && \
+	apt-get clean && \
+	rm -rf /var/lib/apt/lists/*
+
+COPY etc/config/config.example.docker.yaml /etc/knot-resolver/config.yaml
+
+LABEL cz.knot-resolver.vendor="CZ.NIC"
+LABEL maintainer="knot-resolver-users@lists.nic.cz"
+
+# Export plain DNS, DoT, DoH and management interface
+EXPOSE 53/UDP 53/TCP 443/TCP 853/TCP 5000/TCP
+
+# Prepare shared config
+VOLUME /etc/knot-resolver
+# Prepare shared cache
+VOLUME /var/cache/knot-resolver
+
+ENTRYPOINT ["/usr/bin/knot-resolver"]
+CMD ["-c", "/etc/knot-resolver/config.yaml"]

ERROR_HANDLING.md

+# Assumptions
+
+Our main design goal is, that **the manager MUST NOT BE a required component.** Domains must be resolveable even in the absense of the manager. We want this, because of backwards compatibility with the way `kresd` has worked before. But another good reason is that `kresd` has been battle tested and is reasonably reliable. We can't say the same about manager as we do not have practical experiences with it at the time of writing.
+
+This goal leads to usage of external service managers like systemd. Manager is therefore "just" a tool for configuring service managers. If we crash, the `kresd`'s will keep running.
+
+# When can we expect errors
+
+Majority of errors can meaningfully happen only when changing configuration which we do at different lifecycle stages of manager. We are changing configuration of the service managers on manager's startup and shutdown, and when change of configuration is requested (by a signal or HTTP request). Each of these situations can have a different error handling mechanisms to match user's expectations.
+
+Additional to the errors mentioned above, we can sometimes detect, that future configuration changes will fail. Manager has a periodic watchdog monitoring health of the system and detecting failures before they actually happen.
+
+To sum it up, errors can be raised:
+* on configuration changes
+    * during startup
+    * in response to a config change request
+    * on shutdown
+* proactively from our periodic watchdog
+
+
+# How should we handle errors
+
+## Errors on startup
+
+**All errors should be fatal.** If something goes wrong, it's better to stop immediately before we make anything worse. Also, if we fail to start, the user will more likely notice.
+
+## Error handling after config change requests
+
+**All errors, that stem from the configuration change, should be reported and the manager should keep running.** Before the actual change though, watchdog should be manually invoked.
+
+## Error handling during shutdown
+
+**All errors should be fatal.** It does not make sense to try to correct any problems at that point.
+
+## Error handling from watchdog
+
+```
+error_counter = 0
+
+on error:
+    if error_counter > ERROR_COUNTER_THRESHOLD:
+        raise a fatal error
+    
+    error_counter += 1
+    try to fix the situation
+    if unsucessful, fatal error
+
+
+every ERROR_COUNTER_DECREASE_INTERVAL:
+    if error_counter > 0:
+        error_counter -= 1
+```
+
+Reasonable constants are probably:
+```
+ERROR_COUNTER_THRESHOLD = 2
+ERROR_COUNTER_DECREASE_INTERVAL = 30min
+```
+    
+

Makefile

-include config.mk
-include platform.mk
-
-# Targets
-all: info lib daemon client modules
-install: lib-install daemon-install client-install modules-install etc-install
-check: all tests
-clean: contrib-clean lib-clean daemon-clean client-clean modules-clean \
-	tests-clean doc-clean bench-clean
-doc: doc-html
-.PHONY: all install check clean doc info
-
-# Options
-ifdef COVERAGE
-BUILD_CFLAGS += --coverage
-endif
-
-# Dependencies
-$(eval $(call find_lib,libknot,2.3.1,yes))
-$(eval $(call find_lib,libdnssec,2.3.1,yes))
-$(eval $(call find_lib,libzscanner,2.3.1,yes))
-$(eval $(call find_lib,lmdb))
-$(eval $(call find_lib,libuv,1.0,yes))
-$(eval $(call find_lib,nettle,,yes))
-$(eval $(call find_alt,lua,luajit))
-$(eval $(call find_luapkg,ltn12))
-$(eval $(call find_luapkg,ssl.https))
-$(eval $(call find_lib,cmocka))
-$(eval $(call find_bin,doxygen))
-$(eval $(call find_bin,sphinx-build))
-$(eval $(call find_pythonpkg,breathe))
-$(eval $(call find_lib,libmemcached,1.0))
-$(eval $(call find_lib,hiredis,,yes))
-$(eval $(call find_lib,socket_wrapper))
-$(eval $(call find_lib,libsystemd,227))
-$(eval $(call find_lib,gnutls))
-$(eval $(call find_lib,libedit))
-
-# Lookup SONAME
-$(eval $(call find_soname,libknot))
-$(eval $(call find_soname,libzscanner))
-
-ifeq ($(libknot_SONAME),)
-  $(error "Unable to resolve libknot_SONAME, update find_soname in platform.mk")
-endif
-ifeq ($(libzscanner_SONAME),)
-  $(error "Unable to resolve libzscanner_SONAME, update find_some in platform.mk")
-endif
-
-# Find Go version and platform
-GO_VERSION := $(shell $(GO) version 2>/dev/null)
-ifeq ($(GO_VERSION),)
-        GO_VERSION := 0
-else
-        GO_PLATFORM := $(word 2,$(subst /, ,$(word 4,$(GO_VERSION))))
-        GO_VERSION := $(subst .,,$(subst go,,$(word 3,$(GO_VERSION))))
-endif
-$(eval $(call find_ver,go,$(GO_VERSION),16))
-
-# Check if Go is able to build shared libraries
-ifeq ($(HAS_go),yes)
-ifneq ($(GO_PLATFORM),$(filter $(GO_PLATFORM),amd64 386 arm arm64))
-HAS_go := no
-endif
-else
-$(eval $(call find_ver,go,$(GO_VERSION),15))
-ifeq ($HAS_go,yes)
-ifneq ($(GO_PLATFORM),$(filter $(GO_PLATFORM),arm amd64))
-HAS_go := no
-endif
-endif
-endif
-
-# Overview
-info:
-	$(info Target:     Knot DNS Resolver $(VERSION)-$(PLATFORM))
-	$(info Compiler:   $(CC) $(BUILD_CFLAGS))
-	$(info )
-	$(info Variables)
-	$(info ---------)
-	$(info HARDENING:  $(HARDENING))
-	$(info BUILDMODE:  $(BUILDMODE))
-	$(info PREFIX:     $(PREFIX))
-	$(info PREFIX:     $(PREFIX))
-	$(info DESTDIR:    $(DESTDIR))
-	$(info BINDIR:     $(BINDIR))
-	$(info SBINDIR:    $(SBINDIR))
-	$(info LIBDIR:     $(LIBDIR))
-	$(info ETCDIR:     $(ETCDIR))
-	$(info INCLUDEDIR: $(INCLUDEDIR))
-	$(info MODULEDIR:  $(MODULEDIR))
-	$(info )
-	$(info Core Dependencies)
-	$(info ------------)
-	$(info [$(HAS_libknot)] libknot (lib))
-	$(info [yes] $(if $(filter $(HAS_lmdb),yes),system,embedded) lmdb (lib))
-	$(info [$(HAS_lua)] luajit (daemon))
-	$(info [$(HAS_libuv)] libuv (daemon))
-	$(info [$(HAS_gnutls)] libgnutls (daemon))
-	$(info )
-	$(info Optional)
-	$(info --------)
-	$(info [$(HAS_doxygen)] doxygen (doc))
-	$(info [$(HAS_sphinx-build)] sphinx-build (doc))
-	$(info [$(HAS_breathe)] python-breathe (doc))
-	$(info [$(HAS_go)] go (modules/go, Go buildmode=c-shared support))
-	$(info [$(HAS_libmemcached)] libmemcached (modules/memcached))
-	$(info [$(HAS_hiredis)] hiredis (modules/redis))
-	$(info [$(HAS_cmocka)] cmocka (tests/unit))
-	$(info [$(HAS_libsystemd)] systemd (daemon))
-	$(info [$(HAS_nettle)] nettle (modules/cookies))
-	$(info [$(HAS_ltn12)] Lua socket ltn12 (trust anchor bootstrapping))
-	$(info [$(HAS_ssl.https)] Lua ssl.https (trust anchor bootstrapping))
-	$(info [$(HAS_libedit)] libedit (client))
-	$(info )
-
-# Verify required dependencies are met, as listed above
-ifeq ($(HAS_libknot),no)
-	$(error libknot >= 2.3.1 required)
-endif
-ifeq ($(HAS_libzscanner),no)
-	$(error libzscanner >= 2.3.1 required)
-endif
-ifeq ($(HAS_libdnssec),no)
-	$(error libdnssec >= 2.3.1 required)
-endif
-ifeq ($(HAS_lua),no)
-	$(error luajit required)
-endif
-ifeq ($(HAS_libuv),no)
-	$(error libuv >= 1.0 required)
-endif
-ifeq ($(HAS_gnutls),no)
-	$(error gnutls required)
-endif
-
-
-BUILD_CFLAGS += $(libknot_CFLAGS) $(libuv_CFLAGS) $(nettle_CFLAGS) $(cmocka_CFLAGS) $(lua_CFLAGS) $(libdnssec_CFLAGS) $(libsystemd_CFLAGS)
-BUILD_CFLAGS += $(addprefix -I,$(wildcard contrib/ccan/*) contrib/murmurhash3)
-
-# Work around luajit on OS X
-ifeq ($(PLATFORM), Darwin)
-ifneq (,$(findstring luajit, $(lua_LIBS)))
-	lua_LIBS += -pagezero_size 10000 -image_base 100000000
-endif
-endif
-
-# Check if it has libknot 2.3.0 and nettle to support DNS cookies
-$(eval $(call find_alt,knot230,libknot,2.3))
-ifeq ($(HAS_nettle)|$(HAS_knot230),yes|yes)
-BUILD_CFLAGS += -DENABLE_COOKIES
-ENABLE_COOKIES := yes
-endif
-
-# Installation directories
-$(DESTDIR)$(MODULEDIR):
-	$(INSTALL) -d $@
-$(DESTDIR)$(ETCDIR):
-	$(INSTALL) -m 0750 -d $@
-
-# Sub-targets
-include contrib/contrib.mk
-include lib/lib.mk
-include daemon/daemon.mk
-include modules/modules.mk
-include tests/tests.mk
-include doc/doc.mk
-include etc/etc.mk
-include bench/bench.mk