Marek Vavruša [Thu, 24 May 2018 23:08:07 +0000 (16:08 -0700)]
nsrep: verbose probe message, cap timeout value, less aggressive retry
The timeouted NS retry probed is now logged when tracing
Long response RTT is capped to KR_NS_TIMEOUT to smooth out transient errors.
The retry timer minimum interval is increased from 250ms to 500ms, as NSs taking
typically longer than 1s would just waste time retrying.
Marek Vavruša [Sat, 12 May 2018 01:39:12 +0000 (18:39 -0700)]
don't rewrite cached SOA records from negative answers
Currently there's only exception to avoid rewriting secure NS records.
Most of the negative answers provide SOA record, so it's undesirable
to keep rewriting it for every negative answer.
Marek Vavruša [Tue, 1 May 2018 06:20:27 +0000 (23:20 -0700)]
daemon/worker: always try multiple upstreams even if sending fails
Before no other upstreams were tried if qr_task_send or kr_resolve_checkout
failed, which isn't correct, as it doesn't allow blocking of outbound requests.
Marek Vavruša [Fri, 27 Apr 2018 06:27:33 +0000 (23:27 -0700)]
modules/daf,renumber: fixed the modules and added tests
This fixes most of the rules in DAF that were broken in 2.0 and adds tests.
It also allows policy filter to evaluate policies in the checkout layer,
before the subrequest is sent to authoritative. This is used primarily for
negotiating features between resolver and authoritatives, or disabling transports.
The policy filter can now match on:
* NS suffix - to apply policies on any zone on given nameservers
* Query type
New actions:
* REFUSE - block query with an RCODE=REFUSED, fixes #337
The DAF can now toggle features between resolver and authoritatives.
Marek Vavruša [Fri, 27 Apr 2018 06:21:31 +0000 (23:21 -0700)]
daemon/worker: move checkout layer before connect, catch checkout errors
The checkout layer was moved to where upstream address is known, but
before outbound message is sent (or connected to upstream).
The reason is to allow checkout layer to block outbound queries
without wasting time waiting for connect.
Marek Vavruša [Fri, 20 Apr 2018 03:15:19 +0000 (20:15 -0700)]
lib/generic/pack: fix operations on empty pack
Several operations were not safe to call on empty pack and would
return invalid memory. If the pack would have reserved space, but
would be empty (length = 0), it's head would be NULL but tail would
be array address (pack->at + 0). This is mostly checked by caller,
but it wasn't in several places (object deletion).
Marek Vavruša [Thu, 12 Apr 2018 17:35:57 +0000 (10:35 -0700)]
iterate: fix minimisation downgrade when encountering authoritative referrals
This fixes turning off minimisation when there's an authoritative referral
answer on the resolution path. This happens when there's a nameserver,
which is authoritative for both parent and child side of the delegation,
so it answers from the child side with AA=1. Such answer will be mistakenly
processed as authoritative, and QNAME minimisation will be turned off
(assuming this is the final zone cut).
Marek Vavruša [Thu, 12 Apr 2018 08:35:50 +0000 (01:35 -0700)]
nsrep: never blacklist NSs because of SERVFAIL/REFUSED
The SERVFAIL is a soft-failure, and REFUSED isn't something the server
is really in control of. It is easy to trick the resolver into blacklisting
a NS by creating a bad delegation and pointing it at the victim NS.
This changes the scoring function to degrade server score on these rcodes,
but cap it to a really bad score. It should be treated as timed out only
if it really times out or is unreachable.
Marek Vavruša [Thu, 12 Apr 2018 08:32:34 +0000 (01:32 -0700)]
iterate: do not treat REFUSED as soft fail with retries
REFUSED means the NS isn't authoritative for given zone, so it
shouldn't be treated like SERVFAIL. This fixes when a server is not
authoritative for given zone (failed transfer, bad delegation), and the
resolver enters into a retry loop and eventually runs out of time,
instead of trying different servers.
Marek Vavruša [Tue, 10 Apr 2018 06:11:16 +0000 (23:11 -0700)]
implement basic infrastructure for scoped cache
This commit adds support for scoped cache, e.g. keys can be tagged
with a scope, so that the same key can exist in multiple scope and
returns the value based on the scope set.
This is practically requires for scoping by subnet in ECS, but
it doesn't implement ECS completely. This is just a framework
to make something like ECS possible in a module.
The scope search is currently non-exhaustive, it either returns
a value bound to given scope or look into global scope, nothing
in between.
Marek Vavruša [Fri, 6 Apr 2018 05:43:57 +0000 (22:43 -0700)]
check per-query flags instead of global options, getter for NS name
Checking query flags instead of global context option allows setting
overrides on individual queries. The effect is the same as query flags
start by copying request flags which start by copying context options.
Marek Vavruša [Fri, 6 Apr 2018 05:48:51 +0000 (22:48 -0700)]
add bindings for the checkout layer
This one was missing from the current bindings. The checkout layer
runs when the worker attempts to send a DNS query to given upstream
when the address is already determined. The layer can add EDNS options
or update outbound query, or block particular addresses / protocol.
Marek Vavruša [Tue, 3 Apr 2018 21:04:32 +0000 (14:04 -0700)]
lib/resolve: don't append EDNS to garbage packets
The current handler will try to construct the compression table
starting with query name in question. If there's no query name,
it's going to construct it with garbage bytes.
Marek Vavruša [Mon, 2 Apr 2018 23:42:42 +0000 (16:42 -0700)]
modules/http: added an error handler to HTTP streams
Instead of throwing an error in the HTTP handler, server should log it.
This covers errors like client disconnecting before reading the response
body etc.
Marek Vavruša [Sat, 24 Mar 2018 04:00:37 +0000 (21:00 -0700)]
resolve: always update QNAME after zone cut update
Previously the code didn't update query if the minimization was turned off,
but that broke resolution for deep zones (like in-addr.arpa) when part of
the chain fell out of cache, and nearest zone cut was longer than
current query name. The condition is not necessary, since kr_make_query
already checks for query name minimisation flag.
Marek Vavruša [Mon, 12 Mar 2018 04:04:19 +0000 (21:04 -0700)]
cache: restored kr_cache_insert_rr API
This commit abstracts out stash_rrset from stash_rrarray_entry,
and fixes incrementing metrics on actual record insertion.
It then resurfaces kr_cache_insert_rr that was deleted in 2.0
using the extracted function.
Petr Špaček [Thu, 23 Aug 2018 08:16:50 +0000 (10:16 +0200)]
ci: update Deckard in attempt to make CI more reliable
Changes related to monotonic fake time and detection logic for overload
should make CI a little bit more reliable. It should be even better once
we combine overload-detection with some kind of auto-retry.
Petr Špaček [Fri, 17 Aug 2018 13:40:20 +0000 (15:40 +0200)]
cache.clear: clearing root clears everything, not only the root zone
Problem was caused by our lookup format where only the root zone starts
with \0 and all other zones start differently. This caused
cache_match('.') to match only data from root zone.
Petr Špaček [Fri, 17 Aug 2018 12:55:56 +0000 (14:55 +0200)]
remove memcached and redis modules from source tree
Source was kept for historical reasons but was not in use since 2.0.0.
It is now clear that there are better approaches to implement
distributed cache so it is pointless to keep old stuff in tree and
confuse users.
projects / thirdparty / knot-resolver.git / log
