From: Vladimír Čunát Date: Wed, 8 Nov 2017 09:10:07 +0000 (+0100) Subject: Merge tag 'v1.5.0' into cache-aggr-wip X-Git-Tag: v2.0.0~6^2~76 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d5640b046828131da601a712a3f6e9d9f6541e6;p=thirdparty%2Fknot-resolver.git Merge tag 'v1.5.0' into cache-aggr-wip --- 5d5640b046828131da601a712a3f6e9d9f6541e6 diff --cc NEWS index 60f042228,fc8691834..87cbdbc4e --- a/NEWS +++ b/NEWS @@@ -1,30 -1,18 +1,45 @@@ + Knot Resolver 1.5.0 (2017-11-02) + ================================ + + Bugfixes + -------- + - fix loading modules on Darwin + + Improvements + ------------ + - new module ta_signal_query supporting Signaling Trust Anchor Knowledge + using Keytag Query (RFC 8145 section 5); it is enabled by default + - attempt validation for more records but require it for fewer of them + (e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs) + + +Knot Resolver 1.99.1-alpha (2017-10-26) +======================================= +This is an experimental release meant for testing aggressive caching. +It contains some regressions and might (theoretically) be even vulnerable. +The current focus is to minimize queries into the root zone. + +Improvements +------------ +- negative answers from validated NSEC (NXDOMAIN, NODATA) +- verbose log is very chatty around cache operations (maybe too much) + +Regressions +----------- +- dropped support for alternative cache backends + and for some specific cache operations +- caching doesn't yet work for various cases: + * negative answers without NSEC (i.e. with NSEC3 or insecure) + * +cd queries (needs other internal changes) + * positive wildcard answers +- spurious SERVFAIL on specific combinations of cached records, printing: + <= bad keys, broken trust chain +- make check +- a few Deckard tests are broken, probably due to some problems above ++ unknown ones? 
+ + + Knot Resolver 1.4.0 (2017-09-22) ================================ diff --cc lib/layer/iterate.c index 348c42b6d,9d5ded5ce..718e495ba --- a/lib/layer/iterate.c +++ b/lib/layer/iterate.c @@@ -321,24 -305,12 +321,13 @@@ static uint8_t get_initial_rank(const k /* ^^ Current use case for "cached" RRs without rank: hints module. */ } if (answer || type == KNOT_RRTYPE_DS + || type == KNOT_RRTYPE_SOA /* needed for aggressive negative caching */ || type == KNOT_RRTYPE_NSEC || type == KNOT_RRTYPE_NSEC3) { + /* We almost always want these validated, and it should be possible. */ return KR_RANK_INITIAL | KR_RANK_AUTH; } - if (type == KNOT_RRTYPE_NS) { - /* Some servers add extra NS RRset, which allows us to refresh - * cache "for free", potentially speeding up zone cut lookups - * in future. Still, it might theoretically cause some problems: - * https://mailarchive.ietf.org/arch/msg/dnsop/CYjPDlwtpxzdQV_qycB-WfnW6CI - */ - if (!is_nonauth && knot_dname_is_equal(qry->zone_cut.name, rr->owner)) { - return KR_RANK_INITIAL | KR_RANK_AUTH; - } else { - return KR_RANK_OMIT; - } - } - - return KR_RANK_INITIAL; + /* Be aggressive: try to validate anything else (almost never extra latency). */ + return KR_RANK_TRY; /* TODO: this classifier of authoritativity may not be perfect yet. */ } diff --cc lib/utils.h index fe9522f73,140cbde01..ebbfcaa35 --- a/lib/utils.h +++ b/lib/utils.h @@@ -290,20 -290,13 +291,30 @@@ static inline uint16_t kr_rrset_type_ma return type; } + /** Printf onto the lua stack, avoiding additional copy (thin wrapper). */ + static inline const char *lua_push_printf(lua_State *L, const char *fmt, ...) + { + va_list args; + va_start(args, fmt); + const char *ret = lua_pushvfstring(L, fmt, args); + va_end(args); + return ret; + } + +/** Convert name from lookup format to wire. See knot_dname_lf + * + * \note len bytes are read and len+1 are written with *normal* LF, + * but it's also allowed that the final zero byte is omitted in LF. 
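Review bot: The removed `KNOT_RRTYPE_NS` branch returned `KR_RANK_OMIT` for NS RRsets that were non-authoritative or whose owner was not the current zone cut, and after the merge those RRsets fall through to `return KR_RANK_TRY;` with the rationale and the dnsop reference gone from the file. A one-line comment keeping that trail would help the next reader, e.g. `/* Extra / off-zone-cut NS RRsets are no longer omitted here; they get KR_RANK_TRY and must not be treated as authoritative downstream, see https://mailarchive.ietf.org/arch/msg/dnsop/CYjPDlwtpxzdQV_qycB-WfnW6CI */`. If `is_nonauth` is a parameter or a local set above the hunk, it is no longer read in this function and may now draw an unused-variable warning; `get_initial_rank` begins outside the hunk, so that cannot be confirmed here. The trailing `/* TODO ... */` shares a line with the `return`, whereas every other comment in this function sits on its own line.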
+ * \return the number of bytes written (>0) or error code (<0)
+ */
+int knot_dname_lf2wire(knot_dname_t *dst, uint8_t len, const uint8_t *lf);
+
+/** Patched knot_dname_lf. LF for "." has length zero instead of one, for consistency.
+ */
+static inline int kr_dname_lf(uint8_t *dst, const knot_dname_t *src, const uint8_t *pkt)
+{
+ int ret = knot_dname_lf(dst, src, pkt);
+ if (!ret && dst[0] == 1)
+ dst[0] = 0;
+ return ret;
+};
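Review bot: `kr_dname_lf` ends with `};` at file scope, which is an empty declaration outside any function and draws an "extra ';'" diagnostic under `-Wpedantic` in a header that every translation unit includes; drop the semicolon so the definition ends with `}`. The `knot_dname_lf2wire` doc comment says `len+1` bytes are written but never tells the caller how large `dst` must be; add `\param dst buffer with room for at least len + 1 bytes` so a caller sizing it from `len` alone does not under-allocate. The `!ret && dst[0] == 1` check in `kr_dname_lf` presumes that `knot_dname_lf` returns 0 on success and that only the root name yields a one-byte LF; if either is not guaranteed by the libknot version in use, a non-root name could be rewritten into the root LF, so a short comment stating both assumptions next to the check is worthwhile.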