refactoring: RR ranks and AD flag (!269) · Merge requests · Knot projects / Knot Resolver

Merged Ondřej Surý requested to merge ad-refactor into master 8 years ago

Apr 24, 2017
- misc nitpicks, not really changing anything · 377f5a81
  Vladimír Čunát authored 7 years ago
  
  377f5a81
- rrcache: always stash authority records · 17ee62a4
  Vladimír Čunát authored 7 years ago
  
  It's up to iterator to pick the interesting cases to auth_selected.
  17ee62a4
- Merge branch 'master' into ad-refactor · b9e001df
  Vladimír Čunát authored 7 years ago
  
  b9e001df
Apr 13, 2017
- iterate: don't inherit _INSECURE on CNAME jumps · e14eebec
  Vladimír Čunát authored 7 years ago
  
  The jump may lead to secure zone, so let the sub-query find out by itself. Otherwise we might cache those RRs with INSECURE rank even though they are secure. This shouldn't harm AD flags anymore.
  e14eebec
- ranked_rr_array_entry: update some comments · 3356da17
  Vladimír Čunát authored 7 years ago
  
  3356da17
- kr_ta_covers: fix returning error code in a bool · 450b5685
  Vladimír Čunát authored 7 years ago
  
  450b5685
Apr 10, 2017

resolve: fix AD flag for negative answers · aeecc780

This part of code still deserves better review.
It's a bit surprising that our current tests didn't discover it.

We incorrectly answered with AD in some cases, e.g. ntp.pool.org AAAA.

aeecc780

pktcache: put more info into --verbose messages · 3246c4ba
Vladimír Čunát authored 7 years ago

3246c4ba

iterator: improve get_initial_rank · 0e2c20dd

Vladimír Čunát authored 7 years ago

If a server puts NS into the authority section that refers to itself,
accept it as autoritative and validate it (if applicable).  This fixes
the val_nsec3_cnametocnamewctoposwc test, as unvalidated NS in the
final answer would prevent adding the AD flag.  The iter_pcname test is
broken by this, but the team's consensus is to prefer this solution.

Nitpicks: cleaner style in the function, and don't force inlining anymore.
(It's no longer a trivial function and compilers should be good at
determining whether to inline static functions or not.)

0e2c20dd

rrcache: put more info into --verbose messages · c1bc70b4

Vladimír Čunát authored 7 years ago

Especially when stashing into the cache, it was unclear which RRset
was being referred to.  Let's add type and owner name.

c1bc70b4

Apr 07, 2017

AD flag: the ranks from cache should be safe now · afe1e466
Vladimír Čunát authored 7 years ago

afe1e466

move a decision from validator to iterator · df2ff65d

Vladimír Čunát authored 7 years ago

NS records from AUTHORITY aren't validated.  The iterator seems a
better place, as that's where delegations are handled, etc.

df2ff65d

validate: fix bad usage of KR_RANK_INSECURE · 444b2618

Vladimír Čunát authored 7 years ago

It's supposed to mean that we have a proof from configured TAs that
the RR isn't secure (typically proof of missing DS at some point).
This case was just failure to find a fitting RRSIG; new KR_RANK_MISSING
is introduced for that purpose, for simplicity.

Also, make the validator more thorough about what ranks are safe to skip.

444b2618

rrcache verbose: print rank information · 90302cfe
Vladimír Čunát authored 7 years ago

90302cfe

iterator: don't retry if REFUSED · 79f0d1d0

Vladimír Čunát authored 7 years ago

It's unlikely to be a temporary condition, unless the reply was spoofed
or something.  Fixes val_cname_to_unsigned_fake_rrsig test.

(cherry picked from commit bc2a2670)

79f0d1d0

rrcache, pktcache: check security only if under a TA · f3aa1ecf

Vladimír Čunát authored 7 years ago

Tests: iter_minmaxttl and iter_soamin get fixed, probably because
they're without a root TA but have some lower TA(s).

f3aa1ecf

kr_ta_covers_qry: add this wrapper function · a3dbd1de
Vladimír Čunát authored 7 years ago

a3dbd1de

kr_rank: improve the API to manipulate ranks · 416aec46

Vladimír Čunát authored 7 years ago

_SECURE and _INSECURE weren't real flags, as their setting was
logically exclusive of the "values".  That made changing ranks rather
cumbersome.

Tests: val_cname_to_unsigned_fake_rrsig gets broken, but I hope this
change just uncovered a hidden bug.

416aec46

Apr 06, 2017
- utils: fix KEY_* defines · db4e4d72
  Vladimír Čunát authored 8 years ago
  
  The argument to KEY_FLAG_RANK was (signed) char*, so for secure rank the shift was setting the highest two bits (which are unused). Let me end that rubbish.
  db4e4d72
- layer/validate: mark all selected records as insecure is case of insecured query detection · c24c0386
  Grigorii Demidov authored 8 years ago
  
  c24c0386
Apr 05, 2017
- extend NONAUTH even to non-validated records · 3cb60b6e
  Vladimír Čunát authored 8 years ago
  
  Also rename NOAUTH->NONAUTH.
  3cb60b6e
- OK to use non-authoritative sources for NS addresses · 810067af
  Vladimír Čunát authored 8 years ago
  
  ... *if* we only want to ask the NSs, i.e. not to be put into answer. This fixes iter_cname_cache test.
  810067af
- don't attempt to reuse cached nonvalidated records · 9eeaf750
  Vladimír Čunát authored 8 years ago
  
  at least for now (for queries without +cd). It wasn't complete, and it turned out to need more changes, and the benefits would be rather limited.
  9eeaf750
- kr_rank: use functions to manipulate the non-flag part · 54c43370
  Vladimír Čunát authored 8 years ago
  
  Also fix a related bug in pktcache.
  54c43370
Apr 04, 2017
- rrcache: harden against spoofing, again · 3701c86e
  Vladimír Čunát authored 8 years ago
  
  This fixes the iter_ns_spoof test.
  3701c86e
- Merge branch 'master' into ad-refactor · 68737ecc
  Vladimír Čunát authored 8 years ago
  
  68737ecc
Apr 03, 2017
- cache: bump cache version · 5874a1c3
  Vladimír Čunát authored 8 years ago
  
  The ranks stored within are changing their meaning.
  5874a1c3
- iterate: improve get_initial_rank · 24fea48d
  Vladimír Čunát authored 8 years ago
  
  This fixes tests for hints, in particular.
  24fea48d
- rrcache, pktcache: better explain passing of ranks · a819448a
  Vladimír Čunát authored 8 years ago
  
  a819448a
- layer/validate: fix broken rank_test_flag() · 9c4839ab
  Grigorii Demidov authored 8 years ago
  
  9c4839ab
- rrcache: fix code that was missed by mistake · a14dbcb4
  Vladimír Čunát authored 8 years ago
  
  a14dbcb4
- layer/iterate: treat rrset->additional as pointer to uint8_t instead of uintptr_t · 4d5c6462
  Grigorii Demidov authored 8 years ago
  
  4d5c6462
- layer/{iterate,validate}: adapt to new rank style · ac4cf4a3
  Grigorii Demidov authored 8 years ago
  
  ac4cf4a3
- zonecut.c: restrict ranks when fetching TA+key for cut · c5752bdb
  Vladimír Čunát authored 8 years ago
  
  This is mainly to avoid bad entries, e.g. cached for +cd.
  c5752bdb
- zonecut.c: remove indirection that didn't seem useful · 5d422b14
  Vladimír Čunát authored 8 years ago
  
  5d422b14
- pktcache: also send ranks in the additional field · c62ff21c
  Vladimír Čunát authored 8 years ago
  
  It will be better to have a more consistent interface with rrcache.
  c62ff21c
Mar 31, 2017
- pktcache: adapt to the new rank style · 0cd530da
  Vladimír Čunát authored 8 years ago
  
  TODO: check CD in the iterator if CACHED.
  0cd530da
- lib/{resolve,zonecut}: review & fix RANK ocurrences · fc229e01
  Vladimír Čunát authored 8 years ago
  
  fc229e01
- rrcache: adapt stashing to the new rank style · 62bce57f
  Vladimír Čunát authored 8 years ago
  
  Note that the stash_ds call wasn't useful anymore, as it was only re-stashing DS that were already stashed anyway (from auth_selected).
  62bce57f
- Merge: util: add kr_rrset_type_maysig(knot_rrset_t *) · ac26c25e
  Vladimír Čunát authored 8 years ago
  
  ac26c25e
- util: add kr_rrset_type_maysig(knot_rrset_t *) · ff4b59a5
  Vladimír Čunát authored 8 years ago
  
  Also correct a tiny bug where iterator didn't skip RRSIGs that covered non-interesting types of the name we desired.
  ff4b59a5
- rrcache: adapt looting to the new rank style · c46017bb
  Vladimír Čunát authored 8 years ago
  
  c46017bb
- Merge rrcache changes into ad-refactor · 9aa9408d
  Vladimír Čunát authored 8 years ago
  
  9aa9408d
- rrcache: avoid knot_pkt_put · 58b709d6
  Vladimír Čunát authored 8 years ago
  
  Constructing the wire format in rrcache was useless and it took 2-4 % of time in the resperf profile. Let's also pass the rank (used soon).
  58b709d6
- Merge branch 'master' into ad-refactor · 630c2694
  Vladimír Čunát authored 8 years ago
  
  630c2694
Mar 29, 2017
- WIP: drafting rank refactoring · 783c85f6
  Vladimír Čunát authored 8 years ago
  
  783c85f6
- use a different mechanism for AD flag · a5957c6d
  Vladimír Čunát authored 8 years ago
  
  To make this work, do not use KR_VLDRANK_SECURE as the default value. It's just too dangerous, and here it complicated determining the appropriate value for the AD flag.
  a5957c6d
Mar 27, 2017
- resolve answer_finalize(): check knot_pkt_put errors · 6a61b0e5
  Vladimír Čunát authored 8 years ago
  
  6a61b0e5

Admin message

refactoring: RR ranks and AD flag

Merge request reports

Activity