From: Vladimír Čunát Date: Wed, 9 Aug 2017 14:28:36 +0000 (+0200) Subject: Merge branch 'master' into flags-refactor X-Git-Tag: v1.4.0~20^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3a33dcf96fe1f82a626eb21a0efd79ffb2060d37;p=thirdparty%2Fknot-resolver.git Merge branch 'master' into flags-refactor There were just simple conflicts in NEWS and docs. --- 3a33dcf96fe1f82a626eb21a0efd79ffb2060d37 diff --cc NEWS index a0c33843e,445d7bcbf..ff45a641b --- a/NEWS +++ b/NEWS @@@ -1,14 -1,24 +1,35 @@@ +Knot Resolver 1.4.0 (2017-0x-yy) +================================ + +Incompatible changes +-------------------- +- lua: query flag-sets are no longer represented as plain integers. + kres.query.* no longer works, and kr_query_t lost trivial methods + 'hasflag' and 'resolved'. + You can instead write code like qry.flags.NO_0X20 = true. + + + Knot Resolver 1.3.3 (2017-08-09) + ================================ + + Security + -------- + - Fix a critical DNSSEC flaw. Signatures might be accepted as valid + even if the signed data was not in bailiwick of the DNSKEY used to + sign it, assuming the trust chain to that DNSKEY was valid. 
+ + Bugfixes + -------- + - iterate: skip RRSIGs with bad label count instead of immediate SERVFAIL + - utils: fix possible incorrect seeding of the random generator + - modules/http: fix compatibility with the Prometheus text format + + Improvements + ------------ + - policy: implement remaining special-use domain names from RFC6761 (#205), + and make these rules apply only if no other non-chain rule applies + + Knot Resolver 1.3.2 (2017-07-28) ================================ diff --cc config.mk index 64b55bdf2,d688dc0ec..abb62413c --- a/config.mk +++ b/config.mk @@@ -1,9 -1,9 +1,9 @@@ # Project MAJOR := 1 MINOR := 3 - PATCH := 2 + PATCH := 3 EXTRA := -ABIVER := 3 +ABIVER := 4 BUILDMODE := dynamic HARDENING := yes diff --cc daemon/lua/kres-gen.lua index 44cb9b37a,fbe4208d9..78f402148 --- a/daemon/lua/kres-gen.lua +++ b/daemon/lua/kres-gen.lua @@@ -199,8 -165,12 +199,11 @@@ struct kr_context struct kr_zonecut root_hints; char _stub[]; }; - int knot_dname_size(const knot_dname_t *); -struct query_flag {static const int NO_MINIMIZE = 1; static const int NO_THROTTLE = 2; static const int NO_IPV6 = 4; static const int NO_IPV4 = 8; static const int TCP = 16; static const int RESOLVED = 32; static const int AWAIT_IPV4 = 64; static const int AWAIT_IPV6 = 128; static const int AWAIT_CUT = 256; static const int SAFEMODE = 512; static const int CACHED = 1024; static const int NO_CACHE = 2048; static const int EXPIRING = 4096; static const int ALLOW_LOCAL = 8192; static const int DNSSEC_WANT = 16384; static const int DNSSEC_BOGUS = 32768; static const int DNSSEC_INSECURE = 65536; static const int STUB = 131072; static const int ALWAYS_CUT = 262144; static const int DNSSEC_WEXPAND = 524288; static const int PERMISSIVE = 1048576; static const int STRICT = 2097152; static const int BADCOOKIE_AGAIN = 4194304; static const int CNAME = 8388608; static const int REORDER_RR = 16777216; static const int TRACE = 33554432; static const int NO_0X20 = 67108864; static const int 
DNSSEC_NODS = 134217728; static const int DNSSEC_OPTOUT = 268435456; static const int NONAUTH = 536870912; static const int FORWARD = 1073741824; static const int DNS64_MARK = 2147483648;}; knot_dname_t *knot_dname_from_str(uint8_t *, const char *, size_t); + _Bool knot_dname_is_equal(const knot_dname_t *, const knot_dname_t *); + _Bool knot_dname_is_sub(const knot_dname_t *, const knot_dname_t *); + int knot_dname_labels(const uint8_t *, const uint8_t *); + int knot_dname_size(const knot_dname_t *); char *knot_dname_to_str(char *, const knot_dname_t *, size_t); uint16_t knot_rdata_rdlen(const knot_rdata_t *); uint8_t *knot_rdata_data(const knot_rdata_t *); diff --cc lib/layer/iterate.c index 5e31c6767,5c1017b81..791b9d09f --- a/lib/layer/iterate.c +++ b/lib/layer/iterate.c @@@ -465,10 -465,13 +465,13 @@@ static int unroll_cname(knot_pkt_t *pkt if (rr->type == KNOT_RRTYPE_RRSIG) { int rrsig_labels = knot_rrsig_labels(&rr->rrs, 0); if (rrsig_labels > cname_labels) { - return KR_STATE_FAIL; + /* clearly wrong RRSIG, don't pick it. + * don't fail immediately, + * let validator work. */ + continue; } if (rrsig_labels < cname_labels) { - query->flags |= QUERY_DNSSEC_WEXPAND; + query->flags.DNSSEC_WEXPAND = true; } } diff --cc lib/resolve.c index 76c3ec8a3,2fdd47071..fabcdd007 --- a/lib/resolve.c +++ b/lib/resolve.c @@@ -1420,8 -1412,8 +1420,8 @@@ ns_election } /* Randomize query case (if not in safemode or turned off) */ - qry->secret = (qry->flags & (QUERY_SAFEMODE | QUERY_NO_0X20)) + qry->secret = (qry->flags.SAFEMODE || qry->flags.NO_0X20) - ? 0 : kr_rand_uint(UINT32_MAX); + ? 
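Review bot: The new `continue` in unroll_cname drops only the malformed RRSIG while the CNAME it covered is still followed, so the safety of this path now rests on the validator layer rejecting the record when DNSSEC is wanted and no acceptable signature remains; the added comment should state that dependency rather than just "let validator work". I would replace it with `/* RRSIG with more labels than its owner cannot be valid: skip it instead of SERVFAIL and let the validator fail the CNAME if no usable RRSIG remains. */`. The sibling branch still sets `DNSSEC_WEXPAND` for fewer labels, so the two comparisons now have asymmetric effects (skip vs. flag), which is worth a word as well. unroll_cname's body begins before and continues after this hunk.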
0 : kr_rand_uint(0); knot_dname_t *qname_raw = (knot_dname_t *)knot_pkt_qname(packet); randomized_qname_case(qname_raw, qry->secret); diff --cc modules/policy/README.rst index 2746497b3,b5a527d10..d7cb29d7c --- a/modules/policy/README.rst +++ b/modules/policy/README.rst @@@ -28,10 -32,12 +32,12 @@@ There are several actions available in the parameter can be a single IP (string) or a lua list of up to four IPs. * ``STUB(ip)`` - similar to ``FORWARD(ip)`` but *without* attempting DNSSEC validation. Each request may be either answered from cache or simply sent to one of the IPs with proxying back the answer. - * ``MIRROR(ip)`` - mirror query to given IP and continue solving it (useful for partial snooping) + * ``MIRROR(ip)`` - mirror query to given IP and continue solving it (useful for partial snooping); it's a chain action * ``REROUTE({{subnet,target}, ...})`` - reroute addresses in response matching given subnet to given target, e.g. ``{'192.0.2.0/24', '127.0.0.0'}`` will rewrite '192.0.2.55' to '127.0.0.55', see :ref:`renumber module ` for more information. - * ``QTRACE`` - pretty-print DNS response packets into the log (useful for debugging weird DNS servers). - * ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear. You can just pass a single flag name (string) or a set of names. + * ``QTRACE`` - pretty-print DNS response packets into the log for the query and its sub-queries. It's useful for debugging weird DNS servers. It's a chain action. -* ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear, combined by ``bit.bor`` from ``kres.query.*`` values. It's a chain action. ++* ``FLAGS(set, clear)`` - set and/or clear some flags for the query. There can be multiple flags to set/clear. You can just pass a single flag name (string) or a set of names. It's a chain action. 
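Review bot: The argument `0` passed to `kr_rand_uint` reads as "no randomness" to a casual reader, whereas the replaced call asked for the full `UINT32_MAX` range; if 0 is the new way to request the full range, the call site should say so, e.g. `? 0 : kr_rand_uint(0); /* 0 = full 32-bit range */`. The 0x20 case-randomization secret is security-relevant (it is part of the defence against spoofed answers), so a reviewer needs to be able to confirm from this line alone that its entropy did not silently shrink. The enclosing function starts outside the hunk; the `ns_election` in the hunk header appears to be a label rather than the function name.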
+ + Most actions stop the policy matching on the query, but "chain actions" allow to keep trying to match other rules, until a non-chain action is triggered. .. warning:: The policy module currently only looks at whole DNS requests. The rules won't be re-applied e.g. when following CNAMEs.