Aleš Mrázek [Fri, 17 May 2024 13:09:44 +0000 (15:09 +0200)]
manager: wait for 'policy-loader' to finish on the resolver startup
When starting the resolver, we wait for policy-loader until policy rules are successfully loaded into the cache where the rules are shared between kred workers. After that, other processes are started. Otherwise, the workers might start without the configured rules in the cache while they are already resolving DNS traffic.
Vladimír Čunát [Tue, 14 May 2024 09:03:59 +0000 (11:03 +0200)]
lib/rules: tweak how the read-only transactions work
Let's avoid reloading the RO transaction unless necessary.
For example, when normal config reload happens (one kresd at a time),
we most likely do *not* want to reload the rule DB prematurely.
Oto Šťáva [Tue, 18 Jun 2024 15:18:37 +0000 (17:18 +0200)]
daemon: use __attribute__((constructor)) for protolayer_globals
The `protolayer_globals` array can basically be treated as a constant by
most of the program and its initialization only uses compile-time-known
values. We basically only initialize parts of the array in different
files throughout the codebase to maintain separation of concerns, so
that each piece of Knot Resolver initializes the part that pertains to
it. Therefore, I believe that it is more ergonomic to just use
`__attribute__((constructor))` for these functions, so as not to pollute
`daemon/main.c` with these calls.
Jakub Ružička [Tue, 11 Jun 2024 16:19:39 +0000 (18:19 +0200)]
distro/pkg/deb: remove undefined shlib:Depends
This addresses dpkg-gencontrol warnings:
dpkg-gencontrol: warning: Depends field of package knot-resolver6-module-http: substitution variable ${shlibs:Depends} used, but is not defined
dpkg-gencontrol: warning: Depends field of package knot-resolver6-dev: substitution variable ${shlibs:Depends} used, but is not defined
Vladimír Čunát [Mon, 10 Jun 2024 14:05:41 +0000 (16:05 +0200)]
etc/: add the fresh DNSSEC root key "KSK-2024" already
The key still won't be used for some time, two years maybe,
but I think it's better to preemptively trust it already.
(outdated machines, etc.)
Some evidence that it's not just a hash of *my* private key:
https://www.iana.org/dnssec/ceremonies/53-2
https://data.iana.org/ksk-ceremony/53-2/kskm-keymaster-20240426-173035-995.log
https://www.youtube.com/live/gw4PFhtnVpk?si=C8zevM3nG9O0XAJr&t=12726
Oto Šťáva [Tue, 4 Jun 2024 08:49:49 +0000 (10:49 +0200)]
daemon/session2.h: clarify `struct session2` docs
As pointed out by @lukas.ondracek, the wording could be confusing when
mentioning *bottommost* and *topmost* layers. The original wording was
meant to reference the way the arrays in `daemon/session2.c` are laid
out, but never explicitly mentioned that, so one could be implicitly
think it was in reference to the widely known ISO/OSI or TCP/IP models,
which could be interpreted incorrectly (the layers are traditionally
laid out the other way around there).
There were a few bugs in the protolayer system that prevented us from
pausing iteration and resuming it properly. This commit should hopefully
resolve them.
Oto Šťáva [Wed, 22 May 2024 13:18:30 +0000 (15:18 +0200)]
daemon/session2: optimize allocations
A) Context-specific allocations
-------------------------------
There were two problems:
1) Some payloads are short-lived (e.g. allocated on stack) and we need
to make a copy of them if the iteration over protocol layers becomes
asynchronous.
2) The `pl_dns_stream_wrap` function used a mempool belonging to its
session-wide context. Some sessions may live for a long time, which
could potentially lead to needlessly long-lived memory allocations.
Both of these problems are solved in this commit by using a new
`knot_mm_t pool` field in `struct protolayer_iter_ctx`, which lives only
for a single submit (and survives asynchronicity). The whole pool is
then freed all at once when the `struct protolayer_iter_ctx` is
finalized.
B) Merging `struct protolayer_manager` into `struct session2`
-------------------------------------------------------------
It actually made no real sense to have the two separated. It only
introduced an extra layer of indirection and many layers actually needed
to access both anyway. This should simplify things considerably.
Oto Šťáva [Tue, 21 May 2024 17:04:38 +0000 (19:04 +0200)]
daemon/proxyv2: move PROXY protocol into its own layer
Previously, PROXYv2 handling was partially implemented in the `io.c`
unit in the `_TCP` and `_UDP` protocol layers, which technically made
very little sense. This commit moves this handling into separate
`_PROXYV2_DGRAM` and `_PROXYV2_STREAM` protocol layers, basically
encapsulating the handling of proxies in the `proxyv2.c` unit.
This commit also makes the PROXYv2 stream layer only support
`PROTOLAYER_PAYLOAD_WIRE_BUF` on its input, as other payload types were
unused and untested in this context.
Oto Šťáva [Tue, 21 May 2024 16:38:56 +0000 (18:38 +0200)]
daemon/session2: protocol layer refactors + docs
This makes some readability enhancements to the `protolayer_` API as
well as clarifies some of the documentation.
There is also a change where the definitions of protocol layer sequences
does not require a `_NULL` layer to be present at the end anymore, as
the number of layers in a sequence is determined at compile time. This
makes defining new sequences less error-prone.
Oto Šťáva [Wed, 15 May 2024 14:04:21 +0000 (16:04 +0200)]
utils/client/.clang-tidy: remove
This is a leftover from the merged CI/CD overhaul. Only relevant for
Knot Resolver 5 - in 6, the experimental client was removed in favour of
`kresctl` from `manager`.
Oto Šťáva [Thu, 16 May 2024 12:17:12 +0000 (14:17 +0200)]
manager: configurable Meson directory
This commit makes it more convenient to change the configuration of the
build directory of `kresd` when using Knot Resolver Manager. It adds a
new `./poe configure` command, which optionally takes the same arguments
as the standard `meson configure` command.
The `./poe run` command now requires running `./poe configure` at least
once to set up the build directory. If the directory has been configured
before this commit (i.e. `./poe run` has been executed at least once),
no extra action is required, as the directory structure remains the
same.
The commit also removes the `manager` configuration option from Meson as
we were not using it and it was broken and potentially confusing to
newcomers.
Vladimír Čunát [Wed, 29 May 2024 13:07:46 +0000 (15:07 +0200)]
iterate: fix NSEC3 records missing from answer in an edge case
When positive wildcard expansion happens, NSEC(3) records are needed
to prove that the expansion was allowed. If the NSEC3 had too many
iterations, we downgrade the answer to insecure status, but
unintentionally we also dropped the NSEC3 record from the answer.
That was breaking DNSSEC validation of that answer, e.g. when
forwarding to Knot Resolver. The validator needs the NSEC3 -
either to validate the expansion or to determine that it's too expensive.
Oto Šťáva [Mon, 27 May 2024 10:59:51 +0000 (12:59 +0200)]
Non-trivial merge 'master-5' (see 'modules/stats')
modules/stats: adapt aggregate stats to the new hierarchical format
Knot Resolver 6 changed the structure of the stats return value, making
it more hierarchical, i.e. the returned object contains nested
"sub-objects", rather than being flat. This commit adapts the new
aggregate stats to this new structure, for consistency.
Vladimír Čunát [Mon, 20 May 2024 11:32:52 +0000 (13:32 +0200)]
modules/stats: split request.* metrics to IPv4 and IPv6
Let's have .total4 and .total6, too. Then .total could be expressed
as a sum of *three* (including .internal), so it's still counted
separately, as an exception.
projects / thirdparty / knot-resolver.git / log
