Marek Vavruša [Wed, 28 Mar 2018 05:10:09 +0000 (22:10 -0700)]
cache: fixed crash with RR sets with over 255 records
The previous cache version encoded RR count as uint8_t, which doesn't
work with RR sets with over 255 records. This caused cache writes
to fail and subsequently ending in an assertion failure.
It is not very common to have large RR sets, but it has legitimate
use cases such as a lot of SRV or address records for large container
deployments etc.
Marek Vavruša [Tue, 20 Mar 2018 22:41:05 +0000 (15:41 -0700)]
daemon/worker: allow large responses for outbound over TCP
This was previously fixed in e25358d4f6521a55c33ec1d3a55f2bf6e2f99607,
but broken in the rewrite. The answer buffer size must be a maximum size,
otherwise payloads larger than configured UDP buffer size can't be
transmitted over TCP.
Marek Vavruša [Fri, 23 Mar 2018 21:32:08 +0000 (14:32 -0700)]
daemon/tls: downgraded TLS logging to verbose
Logging handshake and connection failures should be verbose, as
it's not really a server failure if client errors, or uses a wrong
SPKI pin to the certificate. It is however not ideal to flood logs.
Tomas Krizek [Thu, 22 Mar 2018 15:59:48 +0000 (16:59 +0100)]
ci: execute OBS build nightly instead of after every change
There are couple reasons to prefer nightly builds:
- to conserve hw resources
- automated builds at predictable times make it easier to use the devel
repo for manual testing builds
Vladimír Čunát [Wed, 7 Mar 2018 09:40:25 +0000 (10:40 +0100)]
make: don't magically -D_FORTIFY_SOURCE=2
This is just annoying for development. You want -O0 or -Og,
and consequently you get lots of warnings that are difficult to disable.
I believe hardening options are more of a responsibility/choice of the
caller, typically distributions have some general policies and pass the
flags (almost) uniformly to all packages. I can't see any part of kresd
being so specific to warrant explicit hardening.
Vladimír Čunát [Mon, 19 Feb 2018 17:56:03 +0000 (18:56 +0100)]
map_t, set_t: unify memory allocation to mm_*
We use the knot style everywhere else; this was very similar and yet
different, so really annoying to me. In the long term we might better
migrate to qp-tries from knot, but the API differs, so it's delayed...
Tomas Krizek [Mon, 19 Feb 2018 09:49:01 +0000 (10:49 +0100)]
scripts: use dot as a separator for pre-release versions
To be able to use the exact same version in both upstream tarballs
and downstream packages always use dot as a version separator.
This enables downstream packages to re-use the upstream versions
(especially the pre-release ones which no longer contain dash) when
building packages. This is very useful for building testing packages
e.g. in Fedora and Arch, which do not allow dash in version number.
Tags should follow this format from now on as well, e.g. 2.99.0.alpha
instead of 2.99.0-alpha
Vladimír Čunát [Tue, 20 Feb 2018 14:50:48 +0000 (15:50 +0100)]
avoid iterating from a too short zone cut
Example: after foo.sk query the bar.sk query started iterating from
asking the root again for NS sk. This bug was present on insecure zones,
and before version 2.0.0 only such that have a secure parent.
(These two parts of the bug correspond to the two changes in this commit.)
Tomas Krizek [Fri, 16 Feb 2018 09:20:32 +0000 (10:20 +0100)]
systemd: compatibility drop-in for kresd@.service
Unify the drop-in files for manual activation and systemd compatibility,
since it is not recommended to use manual activation if socket
activation is supported.
Also add --forks=1 to the command, otherwise the service attempts to
start in interactive mode.
Tomas Krizek [Fri, 9 Feb 2018 11:03:07 +0000 (12:03 +0100)]
systemd: remove kresd.service meta-service
The kresd.service meta-service could be confusing for users and provides
no extra functionality. The system-kresd.slice can be used to restart or
stop all running instances.
Distributions shipping with /etc/init.d/kresd should symlink the
kresd.service to /dev/null to prevent systemd-sysv-generator from
creating this service.
systemd: clarify dropping Sockets= for non-socket-activated services
If the adminstrator of a non-socket-activated kresd installation
doesn't clear Sockets=, then they will also inherit sockets from the
process manager, which doesn't make sense. Help them avoid that
situation.
Administrators using bash tab completion with the full completion
utilities enabled will be able to tab-complete instantiated services.
shipping symlinks gets confused during tarball generation, and during
package installation, so it's safer and cleaner to just ship the
regular unit files.
Please see discussion at:
https://github.com/systemd/systemd/issues/8096
The new approach is:
* non-templated kresd.socket and kresd-tls.socket, for the
public-facing listening ports. They know to invoke kresd@1.service
if they're socket-activated.
* kresd@.service *is* templated, to allow the admin to add more
concurrent runners with:
systemctl enable kresd@2.service
* kresd-control@.socket is still templated, since each daemon has a
separately-addressable different control port.
* non-templated kresd.service is a dummy meta-service. it is in the
same slice as kresd@.service, and all the kresd@.service instances
are PartOf= it, so you should be able to stop and restart all
services together. On systems like debian that ship
/etc/init.d/kres, this also avoids having systemd-sysv-generator
create a kresd.service based on the initscript.
* no templated instances are explicitly instantiated during initial
ship, but kresd@1.service should be socket-activated cleanly
Gbp-Pq: Name 0010-More-systemd-service-management-cleanup.patch
Petr Špaček [Thu, 15 Feb 2018 16:25:56 +0000 (17:25 +0100)]
Require libknot 2.6.4 to avoid mysterious problems with DNS-over-TLS.
Respdiff on kresd under load showed that DNS-over-TLS has higher ratio
of SERVFAILs than other transports. For some reason the problem
disappeared after upgrading from libknot 2.6.3 to 2.6.4, and appeared
again after downgrade.
projects / thirdparty / knot-resolver.git / log
