There were just simple conflicts in NEWS and docs.
+Knot Resolver 1.4.0 (2017-0x-yy)
+================================
+
+Incompatible changes
+--------------------
+- lua: query flag-sets are no longer represented as plain integers.
+ kres.query.* no longer works, and kr_query_t lost trivial methods
+ 'hasflag' and 'resolved'.
+ You can instead write code like qry.flags.NO_0X20 = true.
+
+
+ Knot Resolver 1.3.3 (2017-08-09)
+ ================================
+
+ Security
+ --------
+ - Fix a critical DNSSEC flaw. Signatures might be accepted as valid
+ even if the signed data was not in bailiwick of the DNSKEY used to
+ sign it, assuming the trust chain to that DNSKEY was valid.
+
+ Bugfixes
+ --------
+ - iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL
+ - utils: fix possible incorrect seeding of the random generator
+ - modules/http: fix compatibility with the Prometheus text format
+
+ Improvements
+ ------------
+ - policy: implement remaining special-use domain names from RFC6761 (#205),
+ and make these rules apply only if no other non-chain rule applies
+
+
Knot Resolver 1.3.2 (2017-07-28)
================================
# Project
MAJOR := 1
MINOR := 3
- PATCH := 2
+ PATCH := 3
EXTRA :=
-ABIVER := 3
+ABIVER := 4
BUILDMODE := dynamic
HARDENING := yes
struct kr_zonecut root_hints;
char _stub[];
};
- int knot_dname_size(const knot_dname_t *);
-struct query_flag {static const int NO_MINIMIZE = 1; static const int NO_THROTTLE = 2; static const int NO_IPV6 = 4; static const int NO_IPV4 = 8; static const int TCP = 16; static const int RESOLVED = 32; static const int AWAIT_IPV4 = 64; static const int AWAIT_IPV6 = 128; static const int AWAIT_CUT = 256; static const int SAFEMODE = 512; static const int CACHED = 1024; static const int NO_CACHE = 2048; static const int EXPIRING = 4096; static const int ALLOW_LOCAL = 8192; static const int DNSSEC_WANT = 16384; static const int DNSSEC_BOGUS = 32768; static const int DNSSEC_INSECURE = 65536; static const int STUB = 131072; static const int ALWAYS_CUT = 262144; static const int DNSSEC_WEXPAND = 524288; static const int PERMISSIVE = 1048576; static const int STRICT = 2097152; static const int BADCOOKIE_AGAIN = 4194304; static const int CNAME = 8388608; static const int REORDER_RR = 16777216; static const int TRACE = 33554432; static const int NO_0X20 = 67108864; static const int DNSSEC_NODS = 134217728; static const int DNSSEC_OPTOUT = 268435456; static const int NONAUTH = 536870912; static const int FORWARD = 1073741824; static const int DNS64_MARK = 2147483648;};
knot_dname_t *knot_dname_from_str(uint8_t *, const char *, size_t);
+ _Bool knot_dname_is_equal(const knot_dname_t *, const knot_dname_t *);
+ _Bool knot_dname_is_sub(const knot_dname_t *, const knot_dname_t *);
+ int knot_dname_labels(const uint8_t *, const uint8_t *);
+ int knot_dname_size(const knot_dname_t *);
char *knot_dname_to_str(char *, const knot_dname_t *, size_t);
uint16_t knot_rdata_rdlen(const knot_rdata_t *);
uint8_t *knot_rdata_data(const knot_rdata_t *);
if (rr->type == KNOT_RRTYPE_RRSIG) {
int rrsig_labels = knot_rrsig_labels(&rr->rrs, 0);
if (rrsig_labels > cname_labels) {
- return KR_STATE_FAIL;
+ /* clearly wrong RRSIG, don't pick it.
+ * don't fail immediately,
+ * let validator work. */
+ continue;
}
if (rrsig_labels < cname_labels) {
- query->flags |= QUERY_DNSSEC_WEXPAND;
+ query->flags.DNSSEC_WEXPAND = true;
}
}
}
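Review bot: The new comment at the `continue` says the RRSIG is "clearly wrong" but not why, and the rule it relies on is the one a reader has to trust before accepting that skipping is safer than SERVFAIL. Naming it makes the intent checkable: `/* RRSIG Labels field exceeds the owner's label count (RFC 4035 §5.3.1), so the signature cannot validate; skip it rather than SERVFAIL and let the validator judge the RRset. */`. The loop that the `continue` targets and the enclosing function both start outside the hunk, so it should also be confirmed there that skipping this RR leaves the loop's other per-RR state (e.g. the `cname_labels` it compares against) untouched.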
/* Randomize query case (if not in safemode or turned off) */
- qry->secret = (qry->flags & (QUERY_SAFEMODE | QUERY_NO_0X20))
+ qry->secret = (qry->flags.SAFEMODE || qry->flags.NO_0X20)
- ? 0 : kr_rand_uint(UINT32_MAX);
+ ? 0 : kr_rand_uint(0);
knot_dname_t *qname_raw = (knot_dname_t *)knot_pkt_qname(packet);
randomized_qname_case(qname_raw, qry->secret);
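Review bot: `kr_rand_uint(0)` on the new line replaces an explicit `UINT32_MAX` bound with a bare `0`, and nothing in the hunk says what a zero bound means; presumably it selects the generator's full range rather than the empty range the argument suggests, but that has to be confirmed against kr_rand_uint(). Since `qry->secret` is the 0x20 case-randomization seed and `0` on this same line is the value used to disable it, a reader auditing the entropy of that seed should not have to look up the sentinel: `? 0 : kr_rand_uint(0); /* 0 = full range of kr_rand_uint(), not "no randomness" */` (wording to be checked against the helper's contract). The enclosing function starts outside the hunk.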
the parameter can be a single IP (string) or a lua list of up to four IPs.
* ``STUB(ip)`` - similar to ``FORWARD(ip)`` but *without* attempting DNSSEC validation.
Each request may be either answered from cache or simply sent to one of the IPs with proxying back the answer.
- * ``MIRROR(ip)`` - mirror query to given IP and continue solving it (useful for partial snooping)
+ * ``MIRROR(ip)`` - mirror query to given IP and continue solving it (useful for partial snooping); it's a chain action
* ``REROUTE({{subnet,target}, ...})`` - reroute addresses in response matching given subnet to given target, e.g. ``{'192.0.2.0/24', '127.0.0.0'}`` will rewrite '192.0.2.55' to '127.0.0.55', see :ref:`renumber module <mod-renumber>` for more information.
- * ``QTRACE`` - pretty-print DNS response packets into the log (useful for debugging weird DNS servers).
- * ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear. You can just pass a single flag name (string) or a set of names.
+ * ``QTRACE`` - pretty-print DNS response packets into the log for the query and its sub-queries. It's useful for debugging weird DNS servers. It's a chain action.
-* ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear, combined by ``bit.bor`` from ``kres.query.*`` values. It's a chain action.
++* ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear. You can just pass a single flag name (string) or a set of names. It's a chain action.
+
+ Most actions stop the policy matching on the query, but "chain actions" allow to keep trying to match other rules, until a non-chain action is triggered.
.. warning:: The policy module currently only looks at whole DNS requests. The rules won't be re-applied e.g. when following CNAMEs.