From: Vladimír Čunát Date: Mon, 22 Jul 2024 11:42:35 +0000 (+0200) Subject: doc+NEWS for the buffering changes X-Git-Tag: v6.0.8^2~1^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=183192d0927f9dc0d6225a2e04b93d33b66d2639;p=thirdparty%2Fknot-resolver.git doc+NEWS for the buffering changes --- diff --git a/NEWS b/NEWS index 28c6a1c9a..5803058a5 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,13 @@ -Knot Resolver 6.0.8 (2024-0m-dd) +Knot Resolver 6.0.8 (2024-07-23) ================================ +Security +-------- +- reduce buffering of transmitted data, especially TCP-based in userspace + Also expose some of the new tweaks in lua: + (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000 + (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv} + Improvements ------------ - TLS (DoT, DoH): respect crypto policy overrides in OS (!1526) @@ -115,9 +122,16 @@ https://www.knot-resolver.cz/documentation/latest/upgrading-to-6.html 5.x branch longterm support ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Knot Resolver 5.7.4 (2024-0m-dd) +Knot Resolver 5.7.4 (2024-07-23) ================================ +Security +-------- +- reduce buffering of transmitted data, especially TCP-based in userspace + Also expose some of the new tweaks in lua: + (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000 + (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv} + Improvements ------------ - add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556) diff --git a/daemon/bindings/net_buffering.rst b/daemon/bindings/net_buffering.rst new file mode 100644 index 000000000..946fc28e6 --- /dev/null +++ b/daemon/bindings/net_buffering.rst 
@@ -0,0 +1,25 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +Buffering tweaks +---------------- + +We (can) set various server-side socket options that affect buffering. +The values are stored in C structures without real Lua bindings, +so setting them is a bit long. + +.. py:data:: (require 'ffi').C.the_worker.engine.net.tcp.user_timeout + + On TCP-based server-side sockets we set ``TCP_USER_TIMEOUT`` option if available (~Linux). + We use default 1000, i.e. one second. For details see the definition in ``man tcp.7``. + +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_tcp_buflens.snd +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_tcp_buflens.rcv +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_udp_buflens.snd +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_udp_buflens.rcv + + If overridden to nonzero, these variables instruct the OS to modify kernel-space buffers + for server-side sockets. We split the setting for UDP vs. TCP and sending vs. receiving. + + For details see ``SO_SNDBUF`` and ``SO_RCVBUF`` in ``man socket.7``. + There is no user-space buffering beyond immediate manipulation, only the OS keeps some. + diff --git a/doc/dev/config-lua-network.rst b/doc/dev/config-lua-network.rst index 241b67ff7..d4f806460 100644 --- a/doc/dev/config-lua-network.rst +++ b/doc/dev/config-lua-network.rst @@ -61,3 +61,12 @@ DNS protocol tweaks :maxdepth: 2 daemon-bindings-net_dns_tweaks + +Buffering tweaks +================ + +.. toctree:: + :maxdepth: 2 + + daemon-bindings-net_buffering + diff --git a/doc/dev/daemon-bindings-net_buffering.rst b/doc/dev/daemon-bindings-net_buffering.rst new file mode 120000 index 000000000..9386a5fae --- /dev/null +++ b/doc/dev/daemon-bindings-net_buffering.rst @@ -0,0 +1 @@ +../../daemon/bindings/net_buffering.rst \ No newline at end of file diff --git a/modules/workarounds/README.rst b/modules/workarounds/README.rst index fcb04aa31..f456c6c13 100644 
--- a/modules/workarounds/README.rst +++ b/modules/workarounds/README.rst @@ -2,7 +2,7 @@ .. _mod-workarounds: -Module `workarounds` resolver behavior on specific broken sub-domains. +Module `workarounds` tweaks resolver behavior on specific broken sub-domains. Currently it mainly disables case randomization. .. code-block:: lua
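Review bot: the 6.0.8 NEWS entry under "Security" gives no merge-request reference, unlike the neighbouring items (e.g. "(!1526)"), and does not say what the reduced buffering protects against, so an operator cannot judge the urgency of the upgrade from the changelog. Suggest appending the MR number and one clause on the risk (what grows when many TCP clients stall), and turning the brace-expanded line `(require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}` into one concrete assignment, since the `{tcp,udp}` form is not valid Lua and will be copied verbatim.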
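Review bot: the 5.7.4 NEWS hunk repeats the 6.0.8 text verbatim, including the Lua paths `the_worker.engine.net.tcp.user_timeout` and `listen_{tcp,udp}_buflens`; please confirm those struct fields exist with the same names on the 5.x branch, otherwise the 5.7.4 changelog will point users at settings they cannot reach. The same missing MR reference applies here.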
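Review bot: the new net_buffering.rst leaves out the units and the zero semantics the reader needs: `TCP_USER_TIMEOUT` is in milliseconds (so "default 1000, i.e. one second" is right, but say "ms"), and `SO_SNDBUF`/`SO_RCVBUF` are byte counts, with Linux doubling the value passed to setsockopt(2) as socket.7 notes. "If overridden to nonzero" implies 0 means "leave the OS default"; state that explicitly, and say whether changing any of these at runtime affects already-open listening sockets or only ones created afterwards. Two wording points: "if available (~Linux)" should name the platforms where the option is set, and "There is no user-space buffering beyond immediate manipulation, only the OS keeps some." is hard to parse; something like "the resolver keeps no user-space send queue of its own; only the kernel socket buffers hold unsent data" says the same thing. Finally, a one-second user timeout disconnects any client that fails to ACK within a second, which is aggressive on lossy links; a sentence on that trade-off would tell operators when to raise it.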
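Review bot: the config-lua-network.rst hunk adds a trailing empty `+` line after `daemon-bindings-net_buffering`, leaving a blank line at end of file; drop it to match the rest of the file.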
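Review bot: the workarounds README fix (adding the missing verb "tweaks") is correct but unrelated to the buffering changes named in the commit message; consider splitting it into its own commit so the docs history for the buffering work stays self-contained.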