drop world-executable permissions on /run/knot-resolver
It's not clear why anyone other than the superuser needs to be able to
descend into /run/knot-resolver, so we should drop this extra
permission.
It appears to have been added in e0f33604fac3bdd6f105ed0c50a4a08f562c72f8, but the log message for that
commit doesn't explain why the permission needs to be loosened.
The main situation that calls for executable but not readable
directories is when a directory contains something at a known location
that everyone must be able to reach, but also contains some sensitive
file with a name that itself is unguessable (i.e. a high-entropy
string). That doesn't appear to be the case here.
By principle of least privilege, we should leave it locked down unless
there's a clear justification for opening it up.
Tomas Krizek [Tue, 30 Jan 2018 17:29:34 +0000 (18:29 +0100)]
ci: increase respdiff mismatch tolerance to 3%
Since we've added the `timeout` metric to respdiff, it has uncovered
an issue when running in Docker, where a large number of queries
(~2% / resolver) end with a timeout.
Until the issue is investigated and fixed, temporarily bump the CI's
tolerance for the test to pass to 3%.
Tomas Krizek [Thu, 25 Jan 2018 17:17:09 +0000 (18:17 +0100)]
systemd: enable multiple processes with socket activation
In order to be able to spawn multiple processes with socket activation,
a systemd template unit (see systemd.unit(5)) is used. This allows the user to
create any number of instances by simply providing a unique name for
each of them. The most sensible instance identifiers are natural
numbers, but any convention could be used.
The default recommended service name becomes kresd@1.service, replacing
the older kresd.service. Sockets are renamed in a similar way. Users are
able to take advantage of bash expansion to spawn/control multiple
processes, e.g. "systemctl start kresd@{1..16}.service"
The socket-activated service can now be launched directly with
"systemctl start kresd@1.service", which will request the associated
sockets without the need for any extra privileges or capabilities.
Stopping the kresd service now also stops the associated sockets.
Stopping any individual socket is an isolated operation now (stopping
kresd@1.socket no longer stops kresd-tls@1.socket and
kresd-control@1.socket).
Users and packagers are also encouraged to use drop-in files for extra
configuration or modifications to ensure compatibility with their
distribution.
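As an added illustration of the drop-in mechanism the commit recommends (this is example text, not a file from the Knot Resolver repository, and the setting values are assumptions): a drop-in placed under the template's `.d` directory applies to every instance spawned from `kresd@.service`, and the `%i` specifier expands to the instance name (`1`, `2`, ...) so per-instance values can be derived without copying the unit. The environment variable name below is hypothetical.

```ini
# /etc/systemd/system/kresd@.service.d/local.conf
# Hypothetical drop-in for the kresd@.service template (example only,
# not the project's own unit). Settings here are merged into every
# instance: kresd@1.service, kresd@2.service, ...
[Service]
# %i is the instance name from "kresd@<name>.service"; the variable name
# KRESD_INSTANCE is an assumption used for illustration.
Environment=KRESD_INSTANCE=%i
# Sandboxing that does not interfere with socket activation: the listening
# sockets are passed in by systemd, so the service needs no privileges to
# bind them and can refuse to ever gain new ones.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
```

After adding or editing a drop-in, run `systemctl daemon-reload`; the merged result for one instance can be inspected with `systemctl cat kresd@1.service`, and the whole set started with the brace expansion from the commit, e.g. `systemctl start kresd@{1..4}.service`. Any directive that restricts filesystem access (such as ProtectSystem=) must still leave the resolver's runtime and cache directories writable, which is distribution-specific and therefore not shown here.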
Tomas Krizek [Tue, 30 Jan 2018 11:52:59 +0000 (12:52 +0100)]
documentation: reorganize chapters
The manual page discusses basic usage of kresd, but completely lacks
configuration description. Users are pointed to
https://knot-resolver.readthedocs.io for reference. When visiting this
page, the most important information they don't have yet is how to
configure kresd. This should be the first chapter in the documentation
to make it easier to find.
Petr Špaček [Thu, 25 Jan 2018 11:46:53 +0000 (12:46 +0100)]
policy: fix generated SOA RR so it can be cached
RFC 6303 section 3 explains that
The SOA RR is needed to support negative caching [RFC2308] of name
error responses and to point clients to the primary master for DNS
dynamic updates.
Now SOA RR owner name matches query name so it can be cached.
Using zone name as owner would be more difficult so it is left for
further optimizations.
I've verified that nsupdate correctly determines that master name
does not exist and stops update process.
Petr Špaček [Wed, 24 Jan 2018 16:09:07 +0000 (17:09 +0100)]
Docker: fix Dockerfile for demo container
libstdc++ was missing in the Alpine image.
At the same time, I've enabled DNSSEC validation, DNS-over-TLS, HTTP interface
and added explanatory message.
Vladimír Čunát [Tue, 23 Jan 2018 18:07:35 +0000 (19:07 +0100)]
nitpicks from review of !405: query-trace
The deckard change was probably unintentional, so I reverted that.
The only real mistake I found was `sizeof(128)`, though the effect was
just unnecessary reallocations.
On the whole I really like it. Verbose logging might get slightly
slower, due to increased amount of string allocation and copying,
but it does seem worth it, at least until we can prove otherwise.
I didn't look much into http module changes, etc.
Vitezslav Kriz [Mon, 14 Aug 2017 07:25:42 +0000 (09:25 +0200)]
keyfile argument distinguishes managed and unmanaged mode
Arguments --keyfile, -k for managed mode
and
--keyfile-ro, -K for unmanaged (read-only) mode.
Automatic setting based on the file permission is removed because it was
confusing and could easily lead to state where automatic update does not
happen because of unexpected file permissions.
The check whether the folder is writable was moved into Lua code.
Default unmanaged keyfile path can be specified at compile
time with option KEYFILE_DEFAULT. This default
configuration can be disabled in configuration file with
trust_anchors.keyfile_default = nil.
Vladimír Čunát [Tue, 23 Jan 2018 12:36:17 +0000 (13:36 +0100)]
make: use -fvisibility=hidden by default
Symbols not marked by KR_EXPORT shouldn't be visible outside
the same output binary (e.g. sbin/kresd or lib/kdns_modules/hints.so).
Also mark `engine_hint_root_file`.