+ Knot Resolver 1.5.0 (2017-11-02)
+ ================================
+
+ Bugfixes
+ --------
+ - fix loading modules on Darwin
+
+ Improvements
+ ------------
+ - new module ta_signal_query supporting Signaling Trust Anchor Knowledge
+ using Keytag Query (RFC 8145 section 5); it is enabled by default
+ - attempt validation for more records but require it for fewer of them
+ (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs)
+
+
+Knot Resolver 1.99.1-alpha (2017-10-26)
+=======================================
+This is an experimental release meant for testing aggressive caching.
+It contains some regressions and might (theoretically) be even vulnerable.
+The current focus is to minimize queries into the root zone.
+
+Improvements
+------------
+- negative answers from validated NSEC (NXDOMAIN, NODATA)
+- verbose log is very chatty around cache operations (maybe too much)
+
+Regressions
+-----------
+- dropped support for alternative cache backends
+ and for some specific cache operations
+- caching doesn't yet work for various cases:
+ * negative answers without NSEC (i.e. with NSEC3 or insecure)
+ * +cd queries (needs other internal changes)
+ * positive wildcard answers
+- spurious SERVFAIL on specific combinations of cached records, printing:
+ <= bad keys, broken trust chain
+- make check
+- a few Deckard tests are broken, probably due to some problems above
++ unknown ones?
+
+
+
Knot Resolver 1.4.0 (2017-09-22)
================================
/* ^^ Current use case for "cached" RRs without rank: hints module. */
}
if (answer || type == KNOT_RRTYPE_DS
+ || type == KNOT_RRTYPE_SOA /* needed for aggressive negative caching */
|| type == KNOT_RRTYPE_NSEC || type == KNOT_RRTYPE_NSEC3) {
+ /* We almost always want these validated, and it should be possible. */
return KR_RANK_INITIAL | KR_RANK_AUTH;
}
- if (type == KNOT_RRTYPE_NS) {
- /* Some servers add extra NS RRset, which allows us to refresh
- * cache "for free", potentially speeding up zone cut lookups
- * in future. Still, it might theoretically cause some problems:
- * https://mailarchive.ietf.org/arch/msg/dnsop/CYjPDlwtpxzdQV_qycB-WfnW6CI
- */
- if (!is_nonauth && knot_dname_is_equal(qry->zone_cut.name, rr->owner)) {
- return KR_RANK_INITIAL | KR_RANK_AUTH;
- } else {
- return KR_RANK_OMIT;
- }
- }
-
- return KR_RANK_INITIAL;
+ /* Be aggressive: try to validate anything else (almost never extra latency). */
+ return KR_RANK_TRY;
/* TODO: this classifier of authoritativity may not be perfect yet. */
}
return type;
}
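Review bot: Deleting the NS branch removes the only visible use of `is_nonauth` (it appeared in the removed `if (!is_nonauth && ...)` line), so unless the enclosing function still reads it elsewhere the variable is now dead and will draw an unused-variable warning; the function starts outside this hunk, so that cannot be confirmed here. The removed comment also explained why a non-authoritative extra NS RRset at the zone cut was ranked OMIT instead of being cached, and that rationale disappears while `return KR_RANK_TRY;` now gives such records a validation attempt. Suggest carrying the reasoning over next to the new return, e.g. `/* Extra NS RRsets from non-authoritative answers are now ranked TRY too; see https://mailarchive.ietf.org/arch/msg/dnsop/CYjPDlwtpxzdQV_qycB-WfnW6CI for the risks of caching them. */`, so the next reader knows the OMIT case was dropped deliberately.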
+ /** Printf onto the lua stack, avoiding additional copy (thin wrapper). */
+ static inline const char *lua_push_printf(lua_State *L, const char *fmt, ...)
+ {
+ va_list args;
+ va_start(args, fmt);
+ const char *ret = lua_pushvfstring(L, fmt, args);
+ va_end(args);
+ return ret;
+ }
+
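Review bot: The doc comment describes `lua_push_printf` as "Printf", but `lua_pushvfstring` only understands Lua's own conversion subset (`%%`, `%s`, `%f`, `%p`, `%d`, `%c`; Lua 5.3 adds `%I` and `%U`), and any other specifier such as `%zu` or `%x` is not interpreted the way `printf` would. Since the callers are elsewhere, the comment should state the limit: `/** Printf-like push onto the lua stack, avoiding an extra copy (thin wrapper around lua_pushvfstring). Only the lua_pushfstring conversions (%%, %s, %f, %p, %d, %c) are supported, not the full printf set. */`. For the same reason a `format(printf, 2, 3)` attribute should not be added to this wrapper, as it would accept formats the callee rejects.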
+/** Convert name from lookup format to wire. See knot_dname_lf
+ *
+ * \note len bytes are read and len+1 are written with *normal* LF,
+ * but it's also allowed that the final zero byte is omitted in LF.
+ * \return the number of bytes written (>0) or error code (<0)
+ */
+int knot_dname_lf2wire(knot_dname_t *dst, uint8_t len, const uint8_t *lf);
+
+/** Patched knot_dname_lf. LF for "." has length zero instead of one, for consistency.
+ */
+static inline int kr_dname_lf(uint8_t *dst, const knot_dname_t *src, const uint8_t *pkt)
+{
+ int ret = knot_dname_lf(dst, src, pkt);
+ if (!ret && dst[0] == 1)
+ dst[0] = 0;
+ return ret;
+};
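Review bot: The definition of `kr_dname_lf` closes with `};`; the semicolon after a function body is a stray empty declaration at file scope, which `-Wpedantic` warns about, so the last line should be just `}`. The unbraced single-statement `if` right above it would also be safer with braces, `if (!ret && dst[0] == 1) { dst[0] = 0; }`, matching the brace-always convention. The hunk may continue past the end of this view.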