Vladimír Čunát [Tue, 3 Apr 2018 14:15:26 +0000 (16:15 +0200)]
validator: fix CNAME to NXDOMAIN in a single answer
Real example: cname.nohats.ca
This case was handled for forwarding only, presumably because it
happened more often (no need to be withing single zone to be within
single answer); now the approach is the same.
Marek Vavruša [Wed, 28 Mar 2018 05:10:09 +0000 (22:10 -0700)]
cache: fixed crash with RR sets with over 255 records
The previous cache version encoded RR count as uint8_t, which doesn't
work with RR sets with over 255 records. This caused cache writes
to fail and subsequently ending in an assertion failure.
It is not very common to have large RR sets, but it has legitimate
use cases such as a lot of SRV or address records for large container
deployments etc.
Marek Vavruša [Tue, 20 Mar 2018 22:41:05 +0000 (15:41 -0700)]
daemon/worker: allow large responses for outbound over TCP
This was previously fixed in e25358d4f6521a55c33ec1d3a55f2bf6e2f99607,
but broken in the rewrite. The answer buffer size must be a maximum size,
otherwise payloads larger than configured UDP buffer size can't be
transmitted over TCP.
Marek Vavruša [Fri, 23 Mar 2018 21:32:08 +0000 (14:32 -0700)]
daemon/tls: downgraded TLS logging to verbose
Logging handshake and connection failures should be verbose, as
it's not really a server failure if client errors, or uses a wrong
SPKI pin to the certificate. It is however not ideal to flood logs.
Tomas Krizek [Thu, 22 Mar 2018 15:59:48 +0000 (16:59 +0100)]
ci: execute OBS build nightly instead of after every change
There are couple reasons to prefer nightly builds:
- to conserve hw resources
- automated builds at predictable times make it easier to use the devel
repo for manual testing builds
Vladimír Čunát [Wed, 7 Mar 2018 09:40:25 +0000 (10:40 +0100)]
make: don't magically -D_FORTIFY_SOURCE=2
This is just annoying for development. You want -O0 or -Og,
and consequently you get lots of warnings that are difficult to disable.
I believe hardening options are more of a responsibility/choice of the
caller, typically distributions have some general policies and pass the
flags (almost) uniformly to all packages. I can't see any part of kresd
being so specific to warrant explicit hardening.
Vladimír Čunát [Mon, 19 Feb 2018 17:56:03 +0000 (18:56 +0100)]
map_t, set_t: unify memory allocation to mm_*
We use the knot style everywhere else; this was very similar and yet
different, so really annoying to me. In the long term we might better
migrate to qp-tries from knot, but the API differs, so it's delayed...
Tomas Krizek [Mon, 19 Feb 2018 09:49:01 +0000 (10:49 +0100)]
scripts: use dot as a separator for pre-release versions
To be able to use the exact same version in both upstream tarballs
and downstream packages always use dot as a version separator.
This enables downstream packages to re-use the upstream versions
(especially the pre-release ones which no longer contain dash) when
building packages. This is very useful for building testing packages
e.g. in Fedora and Arch, which do not allow dash in version number.
Tags should follow this format from now on as well, e.g. 2.99.0.alpha
instead of 2.99.0-alpha
Vladimír Čunát [Tue, 20 Feb 2018 14:50:48 +0000 (15:50 +0100)]
avoid iterating from a too short zone cut
Example: after foo.sk query the bar.sk query started iterating from
asking the root again for NS sk. This bug was present on insecure zones,
and before version 2.0.0 only such that have a secure parent.
(These two parts of the bug correspond to the two changes in this commit.)
Tomas Krizek [Fri, 16 Feb 2018 09:20:32 +0000 (10:20 +0100)]
systemd: compatibility drop-in for kresd@.service
Unify the drop-in files for manual activation and systemd compatibility,
since it is not recommended to use manual activation if socket
activation is supported.
Also add --forks=1 to the command, otherwise the service attempts to
start in interactive mode.
Tomas Krizek [Fri, 9 Feb 2018 11:03:07 +0000 (12:03 +0100)]
systemd: remove kresd.service meta-service
The kresd.service meta-service could be confusing for users and provides
no extra functionality. The system-kresd.slice can be used to restart or
stop all running instances.
Distributions shipping with /etc/init.d/kresd should symlink the
kresd.service to /dev/null to prevent systemd-sysv-generator from
creating this service.
systemd: clarify dropping Sockets= for non-socket-activated services
If the adminstrator of a non-socket-activated kresd installation
doesn't clear Sockets=, then they will also inherit sockets from the
process manager, which doesn't make sense. Help them avoid that
situation.
projects / thirdparty / knot-resolver.git / log
