Marek Vavrusa [Wed, 24 Feb 2016 06:40:17 +0000 (22:40 -0800)]
modules/graphite: support for Graphite/TCP
The graphite module now supports sending over TCP;
if the connection is severed it will attempt to
reconnect periodically. The stats module is now
optional; if it is not loaded, only core built-in stats
will be transmitted.
Marek Vavrusa [Mon, 8 Feb 2016 01:36:48 +0000 (01:36 +0000)]
lib/validate: scrubbed extra rrs in NS were checked
The validator module should ignore any data that
will be scrubbed, which includes non-authoritative
data outside the current bailiwick. Previously, the
validator attempted to ignore these records only
for the answer section and had a special case for NS
records.
cache: non-authoritative NS records are always
unchecked and must be treated as insecure.
affected: www.iana.org trying to provide
delegation information for a CNAME target, which is
moot with the CNAME target explicit-fetch policy unless
the resolver already knows a DNSKEY with which
it could verify the records.
Marek Vavrusa [Fri, 22 Jan 2016 23:59:40 +0000 (15:59 -0800)]
daemon/lua: rrset printing, new flags
This is a temporary change until luajit-kdns is
merged in with complete functionality;
this will break the API later and will require a
couple of changes in several modules and trust anchors.
Marek Vavrusa [Fri, 22 Jan 2016 07:48:58 +0000 (23:48 -0800)]
scripts: kresd-query.lua (new)
This is boilerplate for a CLI utility to resolve
names and execute a script on the query response;
in other words, "a jq for resolver answers".
This is scaffolding for alternative tools like
'host' or a plug-in part for scripting around it.
It basically starts a kresd instance, but doesn't
bind to any interface or read configuration;
then a query + callback is sent to kresd's standard
input, and it quits after the execution.
Marek Vavrusa [Fri, 22 Jan 2016 07:42:17 +0000 (23:42 -0800)]
lib/resolve: new flag ALWAYS_CUT
When raised, a response zone cut will be recovered
even if the response came from cache. This is
normally not needed (and incurs additional cache
lookups), but it may be useful for
inspection.
Marek Vavrusa [Tue, 19 Jan 2016 20:27:23 +0000 (12:27 -0800)]
lib/iterate: ignore out-of-bailiwick NSs for positive answers
There are broken resolution chains where a zone cut is advertised,
but it doesn't exist and the final NS answers from its parent's
zone cut, which is an attempt to escape bailiwick.
example:
resolving A ab.cd.ef
NS ef responds:
- ab.cd.ef NS X ; advertises ab.cd.ef zone cut
X responds:
- A ab.cd.ef A 1.2.3.4
- cd.ef NS X ; escapes previously advertised cut
On the other hand, it is important to fail early for referrals, as
it signifies a lame answer.
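The bailiwick rule behind the two validator/iterator commits above (ignoring non-authoritative data outside the current zone cut, and failing early when a referral's NS records escape it) can be expressed as a small scrubbing routine. The following is an added illustration written for this changelog, not Knot Resolver's own code; the RR type, the function names and the constructed sample responses are hypothetical, and the name comparison is done label by label so that `xab.cd.ef` is not mistaken for a child of `ab.cd.ef`.

```python
from dataclasses import dataclass


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels; '.' (root) yields []."""
    return [label.lower() for label in name.rstrip(".").split(".") if label]


def in_bailiwick(owner: str, zone_cut: str) -> bool:
    """True if `owner` equals `zone_cut` or is a subdomain of it (label-wise)."""
    owner_labels, cut_labels = _labels(owner), _labels(zone_cut)
    if not cut_labels:            # root zone cut: everything is in bailiwick
        return True
    if len(owner_labels) < len(cut_labels):
        return False              # owner is above the cut (a parent), not below
    return owner_labels[-len(cut_labels):] == cut_labels


@dataclass(frozen=True)
class RR:
    """Minimal resource record model (hypothetical, for this example only)."""
    owner: str
    rtype: str
    rdata: str
    section: str                  # "answer" or "authority"


class LameReferral(Exception):
    """Raised when a referral carries NS records outside the advertised cut."""


def scrub_out_of_bailiwick(zone_cut: str, rrs: list[RR], is_referral: bool):
    """Drop records outside `zone_cut`.

    For a positive answer the out-of-bailiwick records are simply ignored
    (they would be scrubbed anyway, so the validator must not trust them).
    For a referral an out-of-bailiwick NS means the server is lame for this
    cut, so we fail early instead of following it.
    Returns (kept, dropped).
    """
    kept, dropped = [], []
    for rr in rrs:
        if in_bailiwick(rr.owner, zone_cut):
            kept.append(rr)
        elif rr.rtype == "NS" and is_referral:
            raise LameReferral(f"{rr.owner} NS {rr.rdata} escapes cut {zone_cut}")
        else:
            dropped.append(rr)
    return kept, dropped


# Constructed sample: the scenario from the commit message. Server X was
# advertised as authoritative for ab.cd.ef, answers the A query, and then
# tries to re-delegate the parent cd.ef to itself.
POSITIVE_ANSWER_FROM_X = [
    RR("ab.cd.ef", "A", "1.2.3.4", "answer"),
    RR("cd.ef", "NS", "X", "authority"),
]

# Constructed sample: a referral from the ef server that delegates a name
# that is not below ef at all (lame).
LAME_REFERRAL_FROM_EF = [
    RR("gh", "NS", "Y", "authority"),
]


if __name__ == "__main__":
    kept, dropped = scrub_out_of_bailiwick("ab.cd.ef", POSITIVE_ANSWER_FROM_X, False)
    print("kept:", [(r.owner, r.rtype) for r in kept])
    print("dropped:", [(r.owner, r.rtype) for r in dropped])
    try:
        scrub_out_of_bailiwick("ef", LAME_REFERRAL_FROM_EF, True)
    except LameReferral as exc:
        print("lame referral:", exc)
```

Running it keeps the `A ab.cd.ef` record, drops the `cd.ef NS X` record from the positive answer, and rejects the constructed referral as lame, which is exactly the asymmetry the commit describes: scrub silently on positive answers, fail early on referrals.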
Marek Vavruša [Wed, 9 Dec 2015 22:52:09 +0000 (23:52 +0100)]
build: library able to compile to both static/dynamic versioned libs
* PIE,RELRO+NOW and other security features enabled
* support for both static/dynamic builds with BUILDMODE
* dynamic library is ABI-versioned, starting at 1
* pkg-config file is installed
Marek Vavruša [Sat, 5 Dec 2015 17:09:23 +0000 (18:09 +0100)]
daemon: root trust anchors automatically bootstrapped from IANA
if the root key file doesn’t exist, it will be populated from root DNSKEY query, which will be validated against root trust anchors retrieved over HTTPS with IANA cert verification against built-in current IANA cert CA. it requires luasocket and luasec for it to work. trust anchors XML file signature is not checked, as there’s no facility for PKCS7 checking yet.
Marek Vavruša [Thu, 3 Dec 2015 13:54:30 +0000 (14:54 +0100)]
lib/resolve: penalize failing NSs
Any answer that is considered malformed/servfail/otherwise bad
penalizes the NS for the next time, like a timeout. This doesn't apply to
DNSSEC validation failures, as it still may be okay for insecure
resolution. EDNS failures are okay because the server is requeried in
the most simple RFC1035 mode before flagging it as failed.
This avoids instant requeries for SERVFAILing resolutions.
Marek Vavruša [Thu, 3 Dec 2015 12:55:04 +0000 (13:55 +0100)]
lib/zonecut: do not fetch DS/DNSKEY for cached insecure delegations
When a delegation is provably insecure, it is flagged as INSECURE in
cache (this is different from "unchecked"). When the next query finds
the same zone cut, this information is retrieved, and if it was proved to
be insecure before, this status is reused.
This prevents refetching of NS/DNSKEY in some situations.