git.ipfire.org Git - thirdparty/knot-resolver.git/log
Marek Vavruša [Sat, 19 Sep 2015 19:33:30 +0000 (21:33 +0200)]
lib/validate: fixed referrals, insecure delegations, cut updates
as per rfc4035 all secured referrals must have either DS or proof
of non-existence. there is one use case where the resolver doesn’t
learn a DS this way, when a single server hosts both parent and
child zone. in this case, DS must be requested separately
Marek Vavruša [Sat, 19 Sep 2015 19:30:20 +0000 (21:30 +0200)]
lib/validate: fixed revalidation of cached answers
also answers for which minimisation failed or truncated
are fixed, for such answers iterator sets state to ‘consume’
to indicate the answer wasn’t processed
Marek Vavruša [Sat, 19 Sep 2015 19:27:45 +0000 (21:27 +0200)]
lib/resolve: AD flag is set only for secure answers
if the final query isn’t satisfied with DNSSEC on,
then the answer counts as insecure
Marek Vavruša [Sat, 19 Sep 2015 19:26:37 +0000 (21:26 +0200)]
lib: turn on DO=1 per query, fixed caching of DNSSEC data
subrequests may be insecure (e.g. out of bailiwick insecure NS),
but the final answer may be secured
the commit also fixes caching in this case
Marek Vavruša [Sat, 19 Sep 2015 19:22:12 +0000 (21:22 +0200)]
lib: per-query islands of trust, prep for NTA
each subrequest can now enter and leave islands of trust
independently. this fixes a case when a zone is in an
island of trust, but one of its NS isn’t (different zone for example)
Marek Vavruša [Fri, 18 Sep 2015 20:11:33 +0000 (22:11 +0200)]
lib: cleanup of zone cut resolution code
Marek Vavruša [Fri, 18 Sep 2015 20:10:56 +0000 (22:10 +0200)]
tests: need brewed Python on 10.11, cleanup
the SIP on OSX 10.11 disables library injection
on system binaries (python is considered as it)
make needs to call python binary directly to allow
brewed python to be used
Karel Slany [Fri, 18 Sep 2015 09:30:14 +0000 (11:30 +0200)]
layer/validate: Enabled validation of no data responses.
Karel Slany [Fri, 18 Sep 2015 09:25:12 +0000 (11:25 +0200)]
layer/validate: Implemented empty non-terminal NSEC check.
Karel Slany [Thu, 17 Sep 2015 15:32:47 +0000 (17:32 +0200)]
layer/validate: Fixed error in NSEC3 wildcard no data check.
Karel Slany [Thu, 17 Sep 2015 15:31:46 +0000 (17:31 +0200)]
Merge branch 'cache-rrsig-wip' of gitlab.labs.nic.cz:knot/resolver into cache-rrsig-wip
Marek Vavruša [Thu, 17 Sep 2015 12:20:49 +0000 (14:20 +0200)]
daemon: allow binding to multiple addresses
`kresd -a 127.0.0.1 -a ::1` binds to both addresses
Karel Slany [Thu, 17 Sep 2015 12:16:03 +0000 (14:16 +0200)]
tests: added NSEC and NSEC3 wildcard answer response check
Marek Vavruša [Thu, 17 Sep 2015 11:58:51 +0000 (13:58 +0200)]
Merge branch 'master' into cache-rrsig-wip
Marek Vavruša [Thu, 17 Sep 2015 11:50:51 +0000 (13:50 +0200)]
Merge branch 'remove-sync-api'
Marek Vavruša [Thu, 17 Sep 2015 11:50:36 +0000 (13:50 +0200)]
lib: removed synchronous api code
the reason is that it's not actively used since we moved to binary
testing, and it depends on libknot internal api that has changed
also removed several unused libknot internal headers
Marek Vavruša [Thu, 17 Sep 2015 11:35:44 +0000 (13:35 +0200)]
tests: cleanup
Marek Vavruša [Thu, 17 Sep 2015 11:35:27 +0000 (13:35 +0200)]
lib: dnssec enabled by default
Marek Vavruša [Thu, 17 Sep 2015 11:35:00 +0000 (13:35 +0200)]
lib/dnssec: handle islands of trust correctly
previously, only root TA was considered
Karel Slany [Wed, 16 Sep 2015 16:42:12 +0000 (18:42 +0200)]
tests: added NSEC3 name error response checks
Karel Slany [Wed, 16 Sep 2015 15:52:52 +0000 (17:52 +0200)]
layer/validate: Fixed error in NSEC3 name error response check.
Function determining whether a NSEC3 record covers a name was wrong. The
case when the owner and next hashed name was wrapping over zero was
wrongly interpreted.
Karel Slany [Tue, 15 Sep 2015 16:49:23 +0000 (18:49 +0200)]
tests: added NSEC name error response checks
Karel Slany [Tue, 15 Sep 2015 16:47:10 +0000 (18:47 +0200)]
tests: added support for stub-addr entries with local addresses in rpl
Karel Slany [Tue, 15 Sep 2015 16:22:04 +0000 (18:22 +0200)]
tests: removed failing test
The test is failing because of address mangling performed by test
environment.
Marek Vavruša [Tue, 15 Sep 2015 16:00:41 +0000 (18:00 +0200)]
tests: do not remap addresses already in local range
Marek Vavruša [Tue, 15 Sep 2015 15:49:45 +0000 (17:49 +0200)]
tests: use bigger edns0 payload (fixes some tests causing TC)
Marek Vavruša [Tue, 15 Sep 2015 15:42:35 +0000 (17:42 +0200)]
tests: enable verbose logging
Marek Vavruša [Tue, 15 Sep 2015 14:37:19 +0000 (16:37 +0200)]
daemon: '-v' turns verbose log, debug messages built in by default
previously, debug messages were optional with -DWITH_DEBUG
now the debug messages are built in (unless compiled with -DNDEBUG), but
disabled by default
verbose output can be enabled by '-v' or '--verbose' CLI option
or interactively by 'verbose(true|false)' (or in config)
Karel Slany [Mon, 14 Sep 2015 15:14:38 +0000 (17:14 +0200)]
Merge branch 'cache-rrsig-wip' of gitlab.labs.nic.cz:knot/resolver into cache-rrsig-wip
Marek Vavruša [Mon, 14 Sep 2015 14:55:30 +0000 (16:55 +0200)]
tests: cleanup, VERBOSE mode (if set in env vars)
Marek Vavruša [Mon, 14 Sep 2015 13:25:21 +0000 (15:25 +0200)]
tests: unit tests don't require preloaded libs
Karel Slany [Thu, 10 Sep 2015 14:35:24 +0000 (16:35 +0200)]
tests: MX query for server authoritative for two zones
Query for A or AAAA cannot be currently validated because the test
server mangles all A and AAAA records.
Karel Slany [Wed, 9 Sep 2015 16:00:13 +0000 (18:00 +0200)]
tests: converted a simple DNSSEC test for new conditions
Karel Slany [Wed, 9 Sep 2015 15:53:26 +0000 (17:53 +0200)]
tests: added support for val-override-date in rpl files
Also fixed TIME_PASSES ELAPSE which ignored the overridden time.
Karel Slany [Mon, 7 Sep 2015 16:46:57 +0000 (18:46 +0200)]
tests: Fixed disappearing DO bit in queries in DNSSEC tests.
Karel Slany [Fri, 21 Aug 2015 10:20:41 +0000 (12:20 +0200)]
tests: trust anchors from rpl files are used for server configuration
Karel Slany [Fri, 21 Aug 2015 10:18:59 +0000 (12:18 +0200)]
layer/validate: trust anchors are loaded from the configuration file
The hard-wired root trust anchor was removed.
Karel Slany [Fri, 21 Aug 2015 10:06:42 +0000 (12:06 +0200)]
layer/validate: trust anchor string can also contain TTL value
Karel Slany [Thu, 20 Aug 2015 15:09:07 +0000 (17:09 +0200)]
layer/validate: trust anchors can be added via lua interface
Karel Slany [Thu, 20 Aug 2015 15:07:42 +0000 (17:07 +0200)]
layer/validate: fixed wrong TA RRSet format when converting to text
Karel Slany [Thu, 20 Aug 2015 13:07:23 +0000 (15:07 +0200)]
build: DNSSEC validator layer needs json
Karel Slany [Thu, 20 Aug 2015 13:02:01 +0000 (15:02 +0200)]
layer/validate: trust anchors can be listed in interactive mode
Karel Slany [Wed, 19 Aug 2015 16:27:32 +0000 (18:27 +0200)]
layer/validate: preliminary code enabling trust anchor configuration
Karel Slany [Wed, 19 Aug 2015 08:58:37 +0000 (10:58 +0200)]
Merge branch 'master' into cache-rrsig-wip
Karel Slany [Wed, 19 Aug 2015 08:55:08 +0000 (10:55 +0200)]
lib: module properties were ignored for embedded modules
Karel Slany [Tue, 18 Aug 2015 11:43:43 +0000 (13:43 +0200)]
layer/validate: NSEC3 wildcard answer response check is enabled
Karel Slany [Tue, 18 Aug 2015 11:34:08 +0000 (13:34 +0200)]
layer/validate: minor code changes
Karel Slany [Tue, 18 Aug 2015 11:29:48 +0000 (13:29 +0200)]
layer/validate: added missing CNAME check in NSEC3 no data response code
Karel Slany [Tue, 18 Aug 2015 09:52:23 +0000 (11:52 +0200)]
tests: fixed compilation error
Karel Slany [Mon, 17 Aug 2015 17:18:36 +0000 (19:18 +0200)]
layer/validate: NSEC3 wildcard answer response
Karel Slany [Mon, 17 Aug 2015 16:20:34 +0000 (18:20 +0200)]
layer/validate: NSEC3 wildcard no data response check
Karel Slany [Mon, 17 Aug 2015 13:58:39 +0000 (15:58 +0200)]
layer/validate: disabled validation of truncated messages
Karel Slany [Mon, 17 Aug 2015 09:11:42 +0000 (11:11 +0200)]
Merge branch 'master' into cache-rrsig-wip
Karel Slany [Fri, 14 Aug 2015 11:36:05 +0000 (13:36 +0200)]
layer/validate: NSEC3 no data response check
Marek Vavruša [Thu, 13 Aug 2015 17:37:16 +0000 (19:37 +0200)]
lib: fixed AD=1 bit never set
Marek Vavruša [Thu, 13 Aug 2015 17:32:19 +0000 (19:32 +0200)]
lib: fixed bad merge (failed to copy TA with root hints)
Marek Vavruša [Thu, 13 Aug 2015 17:30:38 +0000 (19:30 +0200)]
fixed debug build
Marek Vavruša [Thu, 13 Aug 2015 17:02:46 +0000 (19:02 +0200)]
fixed build
Karel Slany [Thu, 13 Aug 2015 13:27:14 +0000 (15:27 +0200)]
layer/validate: fixed error when checking RRSIGs
Original TTL has not been set.
Karel Slany [Thu, 13 Aug 2015 08:18:57 +0000 (10:18 +0200)]
layer/validate: added NSEC3 name error response check
Karel Slany [Wed, 12 Aug 2015 20:23:08 +0000 (22:23 +0200)]
layer/validate: fixed possible bug in NSEC checking code
Karel Slany [Wed, 12 Aug 2015 20:21:33 +0000 (22:21 +0200)]
layer/validate: implemented basic NSEC3 closest encloser proof
Karel Slany [Wed, 12 Aug 2015 07:38:24 +0000 (09:38 +0200)]
layer/validate: added missing empty NSEC3 module
Marek Vavruša [Tue, 11 Aug 2015 16:40:14 +0000 (18:40 +0200)]
tests: updated with 'policy' modules, tweaks
Marek Vavruša [Tue, 11 Aug 2015 16:37:06 +0000 (18:37 +0200)]
build: no parallel tests
Marek Vavruša [Tue, 11 Aug 2015 15:54:02 +0000 (17:54 +0200)]
Merge branch 'tests_raw_query'
Marek Vavruša [Tue, 11 Aug 2015 15:33:12 +0000 (17:33 +0200)]
Merge branch 'policy'
Marek Vavruša [Tue, 11 Aug 2015 11:57:10 +0000 (13:57 +0200)]
modules/policy: added support for a subset of RPZ
the module can enforce RPZ from zone file, later a LMDB binary database
is going to come to solve following:
- updating zones on the fly
- instant startup (although it loads 1M blocklist in a fraction of
second)
- no extra memory usage between multiple processes
the compatibility notes are in the documentation
Marek Vavruša [Mon, 10 Aug 2015 15:07:12 +0000 (17:07 +0200)]
modules: 'view' that implements views and ACLs
module can identify clients based on their source address or used TSIG
key
Marek Vavruša [Mon, 10 Aug 2015 15:06:18 +0000 (17:06 +0200)]
lib: added query source information to request (optional)
the requestor can provide information identifying the query originator
here (address and TSIG key), both fields are optional
update Lua FFI bindings
Marek Vavruša [Mon, 10 Aug 2015 12:56:16 +0000 (14:56 +0200)]
daemon/lua: packet gets :tc([val]) for TC bit
Marek Vavruša [Mon, 10 Aug 2015 12:55:48 +0000 (14:55 +0200)]
daemon/io: zero-initialize TCP handles
Marek Vavruša [Mon, 10 Aug 2015 12:55:15 +0000 (14:55 +0200)]
modules/block -> modules/policy
Karel Slany [Fri, 7 Aug 2015 09:16:02 +0000 (11:16 +0200)]
layer/validate: added function searching for RR type in packet
Karel Slany [Fri, 7 Aug 2015 09:00:36 +0000 (11:00 +0200)]
layer/validate: moved NSEC wildcard response check to nsec.c
Marek Vavruša [Thu, 6 Aug 2015 17:57:32 +0000 (19:57 +0200)]
tests: added console assertions to config file template
Marek Vavruša [Thu, 6 Aug 2015 17:10:46 +0000 (19:10 +0200)]
tests: added block module to tests
Marek Vavruša [Thu, 6 Aug 2015 17:08:38 +0000 (19:08 +0200)]
tests: renamed config_template -> kresd.j2
Marek Vavruša [Thu, 6 Aug 2015 16:51:56 +0000 (18:51 +0200)]
daemon: fixed forgotten disabled minimization
Marek Vavruša [Thu, 6 Aug 2015 16:57:33 +0000 (18:57 +0200)]
build: fixed check running before modules are installed
Marek Vavruša [Thu, 6 Aug 2015 16:52:15 +0000 (18:52 +0200)]
tests: simple test for synchronous resolution API
Marek Vavruša [Thu, 6 Aug 2015 16:51:35 +0000 (18:51 +0200)]
build: added 'daemon' coverage tracking
Karel Slany [Thu, 6 Aug 2015 16:54:25 +0000 (18:54 +0200)]
layer/validate: added some NSEC-related checks
Marek Vavruša [Thu, 6 Aug 2015 15:24:27 +0000 (17:24 +0200)]
build: fix gcov integration tests
fixes killing the server with SIGKILL causing aborting,
added SIGTERM handler and ignored retcode from uv_run()
Marek Vavruša [Thu, 6 Aug 2015 12:47:08 +0000 (14:47 +0200)]
build: added jinja2 to Travis build
Grigorii Demidov [Thu, 6 Aug 2015 11:20:09 +0000 (13:20 +0200)]
tests: jinja2 is used for config generation
Grigorii Demidov [Thu, 6 Aug 2015 08:27:56 +0000 (10:27 +0200)]
tests: config sections in tests/testdata/*.rpl contains only key:value pairs
Grigorii Demidov [Thu, 6 Aug 2015 07:38:38 +0000 (09:38 +0200)]
tests: debug print was removed
Karel Slany [Wed, 5 Aug 2015 16:05:41 +0000 (18:05 +0200)]
tests/validate: added NSEC NXDOMAIN response test
Karel Slany [Wed, 5 Aug 2015 16:02:46 +0000 (18:02 +0200)]
layer/validate: NSEC authenticated denial of existence check
Karel Slany [Wed, 5 Aug 2015 15:51:50 +0000 (17:51 +0200)]
layer/validate: fixed mistake when detecting wildcard expansion
Marek Vavruša [Wed, 5 Aug 2015 15:46:22 +0000 (17:46 +0200)]
tests: removed pointless timeout
Marek Vavruša [Wed, 5 Aug 2015 15:44:15 +0000 (17:44 +0200)]
Merge branch 'master' into tests_raw_query
Marek Vavruša [Wed, 5 Aug 2015 15:28:11 +0000 (17:28 +0200)]
tests: allow test driver response failure
Marek Vavruša [Wed, 5 Aug 2015 15:24:35 +0000 (17:24 +0200)]
tests/integration: removed buggy wait, cleanup
- the test driver now waits for daemon to accept TCP
- workaround cwrap bug, Python prebinds to daemon sockets to create files
- tested daemon runs in the testdir
- test driver doesn’t kill all kresd processes
Marek Vavruša [Wed, 5 Aug 2015 15:22:34 +0000 (17:22 +0200)]
test/scenario: fixed buggy query sending code
- no need to bind to client socket
- relying on short timeouts is bad
- no check for send buffers overflow
Marek Vavruša [Wed, 5 Aug 2015 15:20:24 +0000 (17:20 +0200)]
tests/integration: fixed libfaketime on Darwin
Grigorii Demidov [Wed, 5 Aug 2015 13:23:05 +0000 (15:23 +0200)]
tests: decreased timeout
Grigorii Demidov [Wed, 5 Aug 2015 13:16:57 +0000 (15:16 +0200)]
tests: set SO_REUSEADDR for client socket
Grigorii Demidov [Wed, 5 Aug 2015 12:57:09 +0000 (14:57 +0200)]
tests: increased subprocess timeout