Vladimír Čunát [Mon, 5 Feb 2018 15:13:55 +0000 (16:13 +0100)]
update README.md
- no need to have gitter twice
- update information about modules (one cache, no alternative backends)
- add EPEL 7
- add mailing-list
- link to stable docs instead of latest master
Vladimír Čunát [Fri, 2 Feb 2018 10:25:52 +0000 (11:25 +0100)]
cache: assume NSEC if ". NS" is missing in cache
This happens e.g. after cache.clear(), and currently one can stay
long-term without that record in cache. That was effectively disabling
aggressive answers from the root zone.
This needs disabling a buggy part of Deckard test.
doc: kresd.systemd belongs in section 7 of the manual
"man man" says that the sections are:
1 Executable programs or shell commands
2 System calls (functions provided by the kernel)
3 Library calls (functions within program libraries)
4 Special files (usually found in /dev)
5 File formats and conventions eg /etc/passwd
6 Games
7 Miscellaneous (including macro packages and conventions), e.g.
man(7), groff(7)
8 System administration commands (usually only for root)
9 Kernel routines [Non standard]
Since there is no command named kresd.system it does not belong in
section 8.
Section 7 includes conventions and useful patterns like gitcli(7),
which seems more similar to the documentation that is supplied in
kresd.systemd.
Tomas Krizek [Mon, 5 Feb 2018 09:10:35 +0000 (10:10 +0100)]
systemd defaults: turn off verbose logging
Verbose logging should be used for debugging purposes, as it generates a
lot of output. It shouldn't be turned on by default for normal mode of
operation.
drop world-executable permissions on /run/knot-resolver
It's not clear why anyone other that the superuser needs to be able to
descend into /run/knot-resolver, so we should drop this extra
permission.
it appears to have been added e0f33604fac3bdd6f105ed0c50a4a08f562c72f8, but the log message for that
commit doesn't explain why the permission needs to be loosened.
The main situation that calls for executable but not readable
directories is when a directory contains something at a known location
that everyone must be able to reach, but also contains some sensitive
file with a name that itself is unguessable (i.e. high entropy
string). That doesn't appear to be the case here.
By principle of least privilege, we should leave it locked down unless
there's a clear justification for opening it up.
Tomas Krizek [Tue, 30 Jan 2018 17:29:34 +0000 (18:29 +0100)]
ci: increase respdiff mismatch tolerance to 3%
Since we've added the `timeout` metric to respdiff, it uncovered
an issue when running in Docker, where a large amount of queries
(~2% / resolver) end with a timeout.
Until the issue is investigated and fixed, temporarily bump the CI's
tolerance for the test to pass to 3%.
Tomas Krizek [Thu, 25 Jan 2018 17:17:09 +0000 (18:17 +0100)]
systemd: enable multiple processes with socket activation
In order to be able to spawn multiple processes with socket activation,
systemd template (see systemd.unit(5)) is used. This allows the user to
create any amount of instances by simply providing a unique name for
each of them. The most sensible instance identifiers are natural
numbers, but any convention could be used.
The default recommended service name becomes kresd@1.service, replacing
the older kresd.service. Sockets are renamed in a similar way. Users are
able to take advantage of bash expansion to spawn/control multiple
processes, e.g. "systemctl start kresd@{1..16}.service"
The socket-activated service can now be launched directly with
"systemctl start kresd@1.service", which will request the associated
sockets without the need for any extra priviledges or capabilities.
Stopping the kresd service now also stops the associated sockets.
Stopping any individual socket is an isolated opration now (stopping
kresd@1.socket no longer stop kresd-tls@1.socket and
kresd-control@1.socket).
Users and packagers are also encouraged to use drop-in files for extra
configuration or modifications to ensure compatibility with their
distribution.
Tomas Krizek [Tue, 30 Jan 2018 11:52:59 +0000 (12:52 +0100)]
documentation: reorganize chapters
The manual page discusses basic usage of kresd, but completely lacks
configuration description. Users are pointed to
https://knot-resolver.readthedocs.io for reference. When visiting this
page, the most important information they don't have yet, is how to
configure kresd. This should be the first chapter in the documentation
to make it easier to find.
Petr Špaček [Thu, 25 Jan 2018 11:46:53 +0000 (12:46 +0100)]
policy: fix generated SOA RR so it can be cached
RFC 6303 section 3 explains that
The SOA RR is needed to support negative caching [RFC2308] of name
error responses and to point clients to the primary master for DNS
dynamic updates.
Now SOA RR owner name matches query name so it can be cached.
Using zone name as owner would be more difficult so it is left for
further optimizations.
I've verified that nsupdate correctly determines that master name
does not exist and stops update process.