Vladimír Čunát [Tue, 18 Jun 2024 08:24:17 +0000 (10:24 +0200)]
drop libknot 3.0.x support
- Upstream last maintained 3.0.x in summer 2022.
- Our packaging shouldn't be affected, neither the new one, nor OBS.
- If someone updates resolver, it shouldn't be too hard
to update libknot as well.
- Maintenance on resolver side still needed effort for kres-gen-30.lua
Vladimír Čunát [Mon, 10 Jun 2024 14:05:41 +0000 (16:05 +0200)]
etc/: add the fresh DNSSEC root key "KSK-2024" already
The key still won't be used for some time, two years maybe,
but I think it's better to preemptively trust it already.
(outdated machines, etc.)
Some evidence that it's not just a hash of *my* private key:
https://www.iana.org/dnssec/ceremonies/53-2
https://data.iana.org/ksk-ceremony/53-2/kskm-keymaster-20240426-173035-995.log
https://www.youtube.com/live/gw4PFhtnVpk?si=C8zevM3nG9O0XAJr&t=12726
Vladimír Čunát [Wed, 29 May 2024 13:07:46 +0000 (15:07 +0200)]
iterate: fix NSEC3 records missing from answer in an edge case
When positive wildcard expansion happens, NSEC(3) records are needed
to prove that the expansion was allowed. If the NSEC3 had too many
iterations, we downgrade the answer to insecure status, but
unintentionally we also dropped the NSEC3 record from the answer.
That was breaking DNSSEC validation of that answer, e.g. when
forwarding to Knot Resolver. The validator needs the NSEC3 -
either to validate the expansion or to determine that it's too expensive.
Vladimír Čunát [Mon, 20 May 2024 11:32:52 +0000 (13:32 +0200)]
modules/stats: split request.* metrics to IPv4 and IPv6
Let's have .total4 and .total6, too. Then .total could be expressed
as a sum of *three* (including .internal), so it's still counted
separately, as an exception.
Oto Šťáva [Tue, 7 May 2024 14:41:42 +0000 (16:41 +0200)]
tests/pytests/utils: handle SSLEOFError
It used to just throw BrokenPipeError, but newer versions of Python have
a separate exception for when the connection is closed in violation of
TLS rules, which Knot Resolver does deliberately so as to not waste time
on properly closing TLS connections with misbehaving peers.
Oto Šťáva [Tue, 7 May 2024 11:29:32 +0000 (13:29 +0200)]
test/pytests/test_tls: remove resumption test
Knot Resolver disables resumption on TLS <=1.2 as it is vulnerable to
replay attacks, so the test makes no sense, as that one was specifically
disabled for TLS >=1.3 (Python had no support for it at the time).
We should make a new test for this with TLS 1.3 support.
Oto Šťáva [Mon, 29 Apr 2024 13:09:01 +0000 (15:09 +0200)]
Silence Clang-Tidy
This commit makes lots of changes to the C code to appease the
Clang-Tidy linter. Some of the less obvious ones are due to C's weird
semantics regarding handling of numeric literals.
We also disable a bunch of the detections because they are
super-pedantic, arguably useless, or we have our own unwritten coding
style rules that solve the issues.
Oto Šťáva [Tue, 23 Apr 2024 14:34:08 +0000 (16:34 +0200)]
.gitlab-ci, tests, modules: adapt to knot-resolver-ci repo
This is the bulk of the CI/CD overhaul.
Most of the changes are to the `.gitlab-ci.yml` file, where the build
images used are replaced with the ones provided by the
`knot-resolver-ci` repository. Some cleanups have also been done.
The commit also adds unit testing with Knot Resolver built against
multiple versions of Knot DNS, including the `master` branch. The
`master` branch image is built nightly in the `knot-resolver-ci` repo.
We have also removed `scan-build`, as its tests change frequently, with
lots of false-positives, which are very different on each version, and
there is no good way to ignore some detections. Clang-Tidy covers some
of the same issues, and we also have Coverity Scan. Should be more than
enough.
A few config tests were also excluded in the AddressSanitizer tests,
because they produce false-positives.
Oto Šťáva [Fri, 5 Apr 2024 09:57:22 +0000 (11:57 +0200)]
daemon/meson.build: add install_rpath to kresd
This fixes the default use-case for developers when they put their
install prefix somewhere where the system `LD_LIBRARY_PATH` does not
point. Before this, `kresd` would fail to start after `ninja install`
because it would not be able to find the `libkres.so` library.
The original workaround to this was to use `meson configure
-Ddefault_library=static`, but firstly, we would like it to be working
with the default settings, and secondly, we would like to have it as
similar to what most users will encounter as possible.
Vladimír Čunát [Wed, 6 Mar 2024 11:19:28 +0000 (12:19 +0100)]
daemon/lua: fix on 32-bit systems with 64-bit time_t
This improves the heuristics.
The problem would be detected by meson, but not when cross-compiling,
in which case things would mostly run OK, except some lua code/modules.
Vladimír Čunát [Fri, 23 Feb 2024 09:07:35 +0000 (10:07 +0100)]
lib/cache: bump CACHE_VERSION
Ideally we would've done that at once with increasing NSEC3 strictness,
i.e. in 5.7.1 + 6.0.6, as otherwise we could run into some recoverable
assertions until the records got removed or expired.
We at least do the bump now.
Vladimír Čunát [Tue, 2 Jan 2024 10:18:31 +0000 (11:18 +0100)]
validator: similarly also limit excessive NSEC3 salt length
Limit combination of iterations and salt length, based on estimated
expense of the computation. Note that the result only differs for
salt length > 44 which is rather nonsensical and very rare:
https://chat.dns-oarc.net/community/pl/h58qx9sjkbgt9dajb7x988p78a
Oto Šťáva [Tue, 12 Sep 2023 12:27:09 +0000 (14:27 +0200)]
.gitlab-ci: fix Pages publishing
This commit renames `docs:public` to `pages` as required by GitLab CI to
recognize Pages jobs correctly. It also adds the `public` directory into
`artifacts:paths`.
Oto Šťáva [Tue, 29 Aug 2023 08:38:13 +0000 (10:38 +0200)]
.gitlab-ci.yml: use environments for documentation versioning
This leverages Environments on GitLab to expose different versions of
Knot Resolver docs. The `docs:build` job builds the documentation and
exposes it via job artifacts. Then `docs:develop` (for branches) and
`docs:release` (for tags) take these artifacts and expose them via an
Environment link (an example of this in action may be seen at
[https://gitlab.nic.cz/ostava/knot-resolver/-/environments]).
There is also an optional, manually runnable `docs:public` job, which,
when run, propagates the documentation to the main GitLab Pages of the
project (e.g. [https://knot.pages.nic.cz/knot-resolver]) - this will
probably be mostly used for the latest release, although this setup
pretty much allows us to swap it for whatever version we like at any
time.
Officially yesterday, but there's long overlap when both address pairs
are promised to work. See e.g. this e-mail thread:
https://lists.dns-oarc.net/pipermail/dns-operations/2023-June/022052.html
Vladimír Čunát [Fri, 3 Nov 2023 11:31:06 +0000 (12:31 +0100)]
lib/zonecut.c fetch_addr(): resurrect filtering by NO_IPV*
This filtering was dropped in 4565cc596680 (v5.3.0).
Now it's reintroduced - but inside the function, as that seems nicer.
Nit: naming and comment were updated to fit the current usage.
As the code is designed so far (in whole history probably), in order
to detect whether we need to choose a zone cut closer to the root,
we need to do something like this in lib/zonecut.c already,
instead of just during server selection.
I don't think this change can break anything.
Fetching unusable addresses from cache seems pointless,
as selection wouldn't be allowed to use them or try resolving them.
projects / thirdparty / knot-resolver.git / log
