Vladimír Čunát [Fri, 1 Aug 2025 16:29:28 +0000 (18:29 +0200)]
tests/integration/deckard: pull updates
- 224: hack compat with python >= 3.11 + libfaketime
- 225: val_nsec3_cnametocnamewctoposwc.rpl: reinstate NS in an answer
This one finally fixes deckard in CI.

Vladimír Čunát [Wed, 4 Jun 2025 07:32:14 +0000 (09:32 +0200)]
lib/dnssec: drop incorrect `requirement` and comment
I don't think this can happen on correct records,
due to the way that the root zone is. But we've seen
this assertion happen in real life, and attackers
might be able to misuse it to cause crashes.

Vladimír Čunát [Mon, 14 Apr 2025 09:13:32 +0000 (11:13 +0200)]
modules/stats: further improve latency measurements
libuv's updating the stamp just once per event loop
might be too coarse, as processing multiple packets
(e.g. DNSSEC validation) may take milliseconds together.
Of course we still don't measure e.g. the time when incoming
client requests stay in OS buffers.

Aleš Mrázek [Mon, 24 Mar 2025 12:36:08 +0000 (13:36 +0100)]
ci: update to new IMAGE_TAG
For 6.x we started using this TAG in commit a1aa3a51a2ede
but there have been other IMAGE_TAG bumps in the meantime.
Here we'll need it for the deckard update in the next commit,
which is needed due to validator tweaks.
And to fix CI, let's do the tiny bump in the lua bindings
(no practical impact whatsoever due to struct alignment).

Oto Šťáva [Fri, 2 Aug 2024 13:43:04 +0000 (15:43 +0200)]
bench/bench_lru: make it build again, and check it in CI
It's not too important, but I just stumbled upon this and it looked like
nobody has touched it in a long time. Since it's not completely broken
(the fix is trivial), I decided to fix it and add it to CI to ensure
that we can still build it. Maybe `lru` will be used some more at some
point again in the future...

Vladimír Čunát [Mon, 10 Jun 2024 13:52:42 +0000 (15:52 +0200)]
daemon/lua: bind `struct network` into lua
Because why not. It's easy and it might become useful one day.
Unfortunately porting this to 5.x was a bit involved,
as there's no `the_network` yet - I reordered struct engine for it.

Vladimír Čunát [Tue, 18 Jun 2024 08:24:17 +0000 (10:24 +0200)]
drop libknot 3.0.x support
- Upstream last maintained 3.0.x in summer 2022.
- Our packaging shouldn't be affected, neither the new one, nor OBS.
- If someone updates resolver, it shouldn't be too hard
to update libknot as well.
- Maintenance on resolver side still needed effort for kres-gen-30.lua

Vladimír Čunát [Mon, 10 Jun 2024 14:05:41 +0000 (16:05 +0200)]
etc/: add the fresh DNSSEC root key "KSK-2024" already
The key still won't be used for some time, two years maybe,
but I think it's better to preemptively trust it already.
(outdated machines, etc.)
Some evidence that it's not just a hash of *my* private key:
https://www.iana.org/dnssec/ceremonies/53-2
https://data.iana.org/ksk-ceremony/53-2/kskm-keymaster-20240426-173035-995.log
https://www.youtube.com/live/gw4PFhtnVpk?si=C8zevM3nG9O0XAJr&t=12726
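The sensible check before trusting a new anchor like the one above is to recompute the key tag and DS digest of the DNSKEY you are pasting in and compare them with what IANA publishes. The following is an added example, not Knot Resolver's own code: it implements the RFC 4034 Appendix B key tag and the RFC 4509 SHA-256 DS digest over a DNSKEY given as flags, protocol, algorithm and base64 public key. The sample key bytes used in testing are constructed and unrelated to the real root KSK.

```python
"""Added example, not Knot Resolver's own code: compute the key tag
(RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509) of a DNSKEY so a trust
anchor pasted into a config can be checked against the key tag and DS that
IANA publishes for it.  Any sample key bytes fed to this are constructed and
have nothing to do with the real root KSK."""
import base64
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, no compression.
    The root "." becomes a single zero byte."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("invalid label length")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name wire form + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def check_trust_anchor(owner: str, flags: int, protocol: int, algorithm: int,
                       public_key_b64: str, expected_tag: int,
                       expected_ds_hex: str) -> bool:
    """True only if the key looks like a KSK (flags 257 = ZONE|SEP, protocol 3,
    as the root KSK has) and both its key tag and SHA-256 DS digest match the
    published values.  The digest comparison is constant-time out of habit."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    if flags != 257 or protocol != 3:
        return False
    if key_tag(rdata) != expected_tag:
        return False
    return hmac.compare_digest(ds_sha256(owner, rdata), bytes.fromhex(expected_ds_hex))
```

For the root zone the owner name is ".", so the DS digest is SHA-256 over a single zero byte followed by the DNSKEY RDATA; the key tag and algorithm fields of the published DS record are compared separately from the digest.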

Vladimír Čunát [Wed, 29 May 2024 13:07:46 +0000 (15:07 +0200)]
iterate: fix NSEC3 records missing from answer in an edge case
When positive wildcard expansion happens, NSEC(3) records are needed
to prove that the expansion was allowed. If the NSEC3 had too many
iterations, we downgrade the answer to insecure status, but
unintentionally we also dropped the NSEC3 record from the answer.
That was breaking DNSSEC validation of that answer, e.g. when
forwarding to Knot Resolver. The validator needs the NSEC3 -
either to validate the expansion or to determine that it's too expensive.
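To make the edge case concrete, here is an added example (not Knot Resolver's code) of the decision the commit above describes: parse NSEC3 RDATA from wire form, look at the iteration count, and downgrade the wildcard-expanded answer when it is too high, while still returning the NSEC3 record alongside the answer so a downstream validator can make its own call. The thresholds ITER_INSECURE and ITER_BOGUS are assumptions for illustration, not the resolver's actual limits, and the sample records are constructed.

```python
"""Added example (not Knot Resolver's code): parse NSEC3 RDATA from wire
format and apply an iteration-count policy to a wildcard-expanded answer.
When the count is too high the answer is downgraded, but the NSEC3 record
stays in the answer so a downstream validator can reach its own verdict.
The thresholds below are assumptions, not the resolver's real limits."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

ITER_INSECURE = 100   # assumed: above this, treat the answer as insecure
ITER_BOGUS = 500      # assumed: above this, refuse to use the proof at all


@dataclass
class NSEC3:
    hash_alg: int
    flags: int
    iterations: int
    salt: bytes
    next_hashed: bytes
    type_bitmap: bytes


def parse_nsec3_rdata(rdata: bytes) -> NSEC3:
    """Parse NSEC3 RDATA (RFC 5155 section 3.2) with bounds checks on every
    length-prefixed field, so truncated records raise instead of misparsing."""
    if len(rdata) < 5:
        raise ValueError("NSEC3 RDATA too short")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    pos = 5
    if len(rdata) < pos + salt_len + 1:
        raise ValueError("NSEC3 salt truncated")
    salt = rdata[pos:pos + salt_len]
    pos += salt_len
    hash_len = rdata[pos]
    pos += 1
    if hash_len == 0 or len(rdata) < pos + hash_len:
        raise ValueError("NSEC3 next hashed owner name truncated")
    next_hashed = rdata[pos:pos + hash_len]
    pos += hash_len
    return NSEC3(hash_alg, flags, iterations, salt, next_hashed, rdata[pos:])


def build_nsec3_rdata(iterations: int, salt: bytes = b"",
                      next_hashed: bytes = b"\x00" * 20,
                      type_bitmap: bytes = b"") -> bytes:
    """Inverse of parse_nsec3_rdata (hash algorithm 1 = SHA-1, flags 0);
    used here only to construct sample records."""
    return (struct.pack("!BBHB", 1, 0, iterations, len(salt)) + salt
            + bytes([len(next_hashed)]) + next_hashed + type_bitmap)


def assess_wildcard_answer(answer_rrs: List[bytes],
                           nsec3_rdatas: List[bytes]) -> Tuple[str, List[bytes]]:
    """Return (status, records_to_send) for a positive wildcard expansion.

    Only the iteration-count part of validation is modelled; RRSIG checks and
    the closest-encloser proof are out of scope.  Whatever the status, the
    NSEC3 records are kept in the returned list rather than dropped."""
    parsed = [parse_nsec3_rdata(r) for r in nsec3_rdatas]
    if not parsed:
        # A wildcard expansion with no NSEC3 at all cannot be validated.
        return "bogus", list(answer_rrs)
    worst = max(p.iterations for p in parsed)
    if worst > ITER_BOGUS:
        status = "bogus"
    elif worst > ITER_INSECURE:
        status = "insecure"     # downgraded, but the proof is still forwarded
    else:
        status = "secure"       # subject to the remaining validation steps
    return status, list(answer_rrs) + list(nsec3_rdatas)
```

The part that matches the fix in the commit is the last line: the NSEC3 RDATA is appended to the outgoing records in every branch, including the downgraded one.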

Vladimír Čunát [Mon, 20 May 2024 11:32:52 +0000 (13:32 +0200)]
modules/stats: split request.* metrics to IPv4 and IPv6
Let's have .total4 and .total6, too. Then .total could be expressed
as a sum of *three* (including .internal), so it's still counted
separately, as an exception.

Oto Šťáva [Tue, 7 May 2024 14:41:42 +0000 (16:41 +0200)]
tests/pytests/utils: handle SSLEOFError
It used to just throw BrokenPipeError, but newer versions of Python have
a separate exception for when the connection is closed in violation of
TLS rules, which Knot Resolver does deliberately so as to not waste time
on properly closing TLS connections with misbehaving peers.
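As an added illustration of the handling the commit above describes (this is not code from the Knot Resolver test suite): a small reader that treats a peer dropping the TLS connection without close_notify as an expected close, whichever exception the running Python reports it as, while letting every other error fail the test. FakeSocket is a constructed stand-in for an ssl.SSLSocket so the behaviour can be exercised offline.

```python
"""Added example, not from the Knot Resolver test suite: read a reply over a
TLS-wrapped socket and treat a peer that drops the connection without a
close_notify (ssl.SSLEOFError on newer Pythons, BrokenPipeError or
ConnectionResetError elsewhere) as an expected close rather than a test
failure.  FakeSocket is a constructed test double."""
import ssl

# Exceptions that mean "the resolver hung up on us", which it does on purpose
# for misbehaving peers instead of finishing the TLS shutdown.
PEER_CLOSED = (ssl.SSLEOFError, BrokenPipeError, ConnectionResetError)


def recv_reply(sock, length: int = 2):
    """Return bytes read from sock, or None if the peer closed the connection.

    Any other error (including TLS errors that are not an EOF) propagates so
    the test still fails on genuinely unexpected behaviour."""
    try:
        data = sock.recv(length)
    except PEER_CLOSED:
        return None
    except ssl.SSLError as exc:
        # Some Python/OpenSSL combinations report an unexpected EOF as a
        # generic SSLError with this reason string instead of SSLEOFError.
        if getattr(exc, "reason", None) == "UNEXPECTED_EOF_WHILE_READING":
            return None
        raise
    return data if data else None   # b"" is an orderly EOF (close_notify seen)


class FakeSocket:
    """Constructed stand-in for an ssl.SSLSocket: yields `data` or raises `exc`."""

    def __init__(self, data: bytes = b"", exc: BaseException = None):
        self.data, self.exc = data, exc

    def recv(self, n: int) -> bytes:
        if self.exc is not None:
            raise self.exc
        out, self.data = self.data[:n], self.data[n:]
        return out
```

The default length of 2 matches the length prefix of a DNS-over-TLS message, so a None from the first read is the "server closed on us" case a test would typically want to assert on.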

Oto Šťáva [Tue, 7 May 2024 11:29:32 +0000 (13:29 +0200)]
test/pytests/test_tls: remove resumption test
Knot Resolver disables resumption on TLS <=1.2 as it is vulnerable to
replay attacks, so the test makes no sense, as that one was specifically
disabled for TLS >=1.3 (Python had no support for it at the time).
We should make a new test for this with TLS 1.3 support.

Oto Šťáva [Mon, 29 Apr 2024 13:09:01 +0000 (15:09 +0200)]
Silence Clang-Tidy
This commit makes lots of changes to the C code to appease the
Clang-Tidy linter. Some of the less obvious ones are due to C's weird
semantics regarding handling of numeric literals.
We also disable a bunch of the detections because they are
super-pedantic, arguably useless, or we have our own unwritten coding
style rules that solve the issues.

Oto Šťáva [Tue, 23 Apr 2024 14:34:08 +0000 (16:34 +0200)]
.gitlab-ci, tests, modules: adapt to knot-resolver-ci repo
This is the bulk of the CI/CD overhaul.
Most of the changes are to the `.gitlab-ci.yml` file, where the build
images used are replaced with the ones provided by the
`knot-resolver-ci` repository. Some cleanups have also been done.
The commit also adds unit testing with Knot Resolver built against
multiple versions of Knot DNS, including the `master` branch. The
`master` branch image is built nightly in the `knot-resolver-ci` repo.
We have also removed `scan-build`, as its tests change frequently, with
lots of false-positives, which are very different on each version, and
there is no good way to ignore some detections. Clang-Tidy covers some
of the same issues, and we also have Coverity Scan. Should be more than
enough.
A few config tests were also excluded in the AddressSanitizer tests,
because they produce false-positives.