{resolver,validator}: provide more EDE codes.

dnssec:

• Provide a way to retrieve whether a DNSKEY has the Zone Key Bit set, and add bindings for Lua modules (kr_dnssec_key_zonekey_flag), like kr_dnssec_key_sep_flag.
• In kr_ds_algo_support() provide a way to retrieve what is wrong with the keys.
• Check if a RRSIG RR has the signature expired already before inception time.

validator:

• Set EDE "Unsupported NSEC3 Iterations Value" when downgrading.
• Set EDE "Signature Expired before Valid" when checking RRSIGs.
• Set EDE "No Zone Key Bit Set" when a DNSKEY with the Zone Key Bit set to 0 is discarded.
• Instead of the generic "Other Error" with extra text "unsupported digest/key", set appropriate EDEs "Unsupported DNSKEY Algorithm" and "Unsupported DS Digest Type".

resolver:

• Set EDE "No Reachable Authority" when it is decided that all authoritative servers are unreachable or misbehaving.

Depends on/supersedes !1585 (merged).

changed the description

added 6 commits

• 5c137728...8fe3c5ac - 5 commits from branch knot:master
• ec740bb7 - {resolver,validator}: provide more EDE codes.

Compare with previous version

added 4 commits

• ec740bb7...3c71c0de - 2 commits from branch knot:master
• 0b7f1eeb - {resolver,validator}: provide more EDE codes.
• 86afd40f - validator: set EDE code if SEP does not match or DNSKEY is revoked.

Compare with previous version

changed the description

I have added a commit to set EDE "DNSKEY Missing".

added 1 commit

• 1b84f2e7 - validator: set EDE code if SEP does not match or DNSKEY is revoked.

Compare with previous version

mentioned in merge request !1592 (merged)

added 2 commits

• 825504a7 - fixup! {resolver,validator}: provide more EDE codes.
• 0580b567 - validator: set EDE code if SEP does not match or DNSKEY is revoked.

Compare with previous version

marked this merge request as draft from menakite/knot-resolver@825504a783b4ee187233d1f666024b5e4475bb96

added 3 commits

• f7cb6c41 - {resolver,validator}: provide more EDE codes.
• c56538d5 - validator: set EDE code if SEP does not match or DNSKEY is revoked.
• 954b2bf7 - cache: set EDE when synthesizing answer from aggressive NSEC(3) cache.

Compare with previous version

added 1 commit

• 1b54f8d0 - cache: set EDE when synthesizing answer from aggressive NSEC(3) cache.

Compare with previous version

added 1 commit

• 99355a64 - modules/dns64: change EDE from "Forged Answer" to "Synthesized".

Compare with previous version

added 2 commits

• 73765672 - cache: set EDE when synthesizing answer from aggressive NSEC(3) cache.
• f56259f8 - modules/dns64: change EDE from "Forged Answer" to "Synthesized".

Compare with previous version

added 9 commits

• f56259f8...e6411386 - 5 commits from branch knot:master
• 6df20c27 - {resolver,validator}: provide more EDE codes.
• 15e9a64a - validator: set EDE code if SEP does not match or DNSKEY is revoked.
• fb810d84 - cache: set EDE when synthesizing answer from aggressive NSEC(3) cache.
• ff5feb32 - modules/dns64: change EDE from "Forged Answer" to "Synthesized".

Compare with previous version

added 2 commits

• 137d3be8 - cache: set EDE when synthesizing answer from aggressive NSEC(3) cache.
• 1128ca40 - modules/dns64: change EDE from "Forged Answer" to "Synthesized".

Compare with previous version

I have rebased and can't see any room for further improvement, so I'm marking this ready.

marked this merge request as ready

added 4 commits

• 6f51f7f0 - resolver,validator: provide more EDE codes.
• 62cdb791 - validator: set EDE code if SEP does not match or DNSKEY is revoked.
• d3d5cb73 - cache: set EDE when synthesizing answer from aggressive NSEC(3) cache.
• 6558817d - modules/dns64: change EDE from "Forged Answer" to "Synthesized".

Compare with previous version

added 10 commits

• 6558817d...900c018e - 6 commits from branch knot:master
• 553a048f - resolver,validator: provide more EDE codes.
• f8ba58fb - validator: set EDE code if SEP does not match or DNSKEY is revoked.
• ab4dffef - cache: set EDE when synthesizing answer from aggressive NSEC(3) cache.
• 30e0d3db - modules/dns64: change EDE from "Forged Answer" to "Synthesized".

Compare with previous version