-rw-r--r--.gitlab-ci.yml61
-rw-r--r--NEWS19
-rw-r--r--bench/bench_lru.c2
-rw-r--r--ci/images/README.md11
-rw-r--r--ci/images/debian-11/Dockerfile2
-rw-r--r--ci/images/lxc-debian-11/Dockerfile132
-rw-r--r--ci/pkgtest.yaml300
-rw-r--r--contrib/base32hex.c2
-rw-r--r--contrib/base32hex.h2
-rw-r--r--contrib/base64.c2
-rw-r--r--contrib/base64.h2
-rw-r--r--contrib/base64url.c2
-rw-r--r--contrib/base64url.h2
-rw-r--r--contrib/cleanup.h2
-rw-r--r--contrib/dynarray.h2
-rw-r--r--contrib/mempattern.c2
-rw-r--r--contrib/mempattern.h2
-rw-r--r--daemon/bindings/api.h2
-rw-r--r--daemon/bindings/cache.c2
-rw-r--r--daemon/bindings/cache.rst18
-rw-r--r--daemon/bindings/event.c2
-rw-r--r--daemon/bindings/impl.c2
-rw-r--r--daemon/bindings/impl.h2
-rw-r--r--daemon/bindings/modules.c2
-rw-r--r--daemon/bindings/net.c2
-rw-r--r--daemon/bindings/net_dns_tweaks.rst2
-rw-r--r--daemon/bindings/net_xdpsrv.rst6
-rw-r--r--daemon/bindings/worker.c2
-rw-r--r--daemon/cache.test/insert_ns.test.integr/kresd_config.j22
-rw-r--r--daemon/engine.c2
-rw-r--r--daemon/engine.h2
-rw-r--r--daemon/ffimodule.c2
-rw-r--r--daemon/ffimodule.h2
-rw-r--r--daemon/http.c6
-rw-r--r--daemon/http.h2
-rw-r--r--daemon/io.c2
-rw-r--r--daemon/io.h2
-rw-r--r--daemon/lua/kres-gen-30.lua2
-rw-r--r--daemon/lua/kres-gen-31.lua2
-rw-r--r--daemon/lua/kres-gen-32.lua2
-rw-r--r--daemon/main.c22
-rw-r--r--daemon/meson.build1
-rw-r--r--daemon/network.c9
-rw-r--r--daemon/network.h2
-rw-r--r--daemon/proxyv2.c2
-rw-r--r--daemon/proxyv2.h2
-rw-r--r--daemon/session.c2
-rw-r--r--daemon/session.h2
-rw-r--r--daemon/tls.c2
-rw-r--r--daemon/tls.h7
-rw-r--r--daemon/tls_ephemeral_credentials.c8
-rw-r--r--daemon/tls_session_ticket-srv.c2
-rw-r--r--daemon/udp_queue.c2
-rw-r--r--daemon/udp_queue.h2
-rw-r--r--daemon/worker.c41
-rw-r--r--daemon/worker.h2
-rw-r--r--daemon/zimport.c2
-rw-r--r--daemon/zimport.h2
-rw-r--r--distro/pkg/arch/PKGBUILD2
-rw-r--r--distro/pkg/deb/control1
-rw-r--r--distro/pkg/deb/copyright2
-rwxr-xr-xdistro/pkg/deb/rules1
-rw-r--r--distro/pkg/nix/default.nix5
-rw-r--r--distro/pkg/rpm/knot-resolver.spec2
-rw-r--r--doc/build.rst12
-rw-r--r--doc/conf.py2
-rw-r--r--doc/kresd.8.in2
-rw-r--r--doc/upgrading.rst2
-rw-r--r--lib/cache/api.c7
-rw-r--r--lib/cache/api.h4
-rw-r--r--lib/cache/cdb_api.h2
-rw-r--r--lib/cache/cdb_lmdb.c2
-rw-r--r--lib/cache/cdb_lmdb.h2
-rw-r--r--lib/cache/entry_list.c2
-rw-r--r--lib/cache/entry_pkt.c21
-rw-r--r--lib/cache/entry_rr.c2
-rw-r--r--lib/cache/impl.h2
-rw-r--r--lib/cache/knot_pkt.c2
-rw-r--r--lib/cache/nsec1.c2
-rw-r--r--lib/cache/nsec3.c2
-rw-r--r--lib/cache/peek.c8
-rw-r--r--lib/cache/util.h2
-rw-r--r--lib/cookies/alg_containers.c2
-rw-r--r--lib/cookies/alg_containers.h2
-rw-r--r--lib/cookies/alg_sha.c2
-rw-r--r--lib/cookies/alg_sha.h2
-rw-r--r--lib/cookies/control.h2
-rw-r--r--lib/cookies/helper.c2
-rw-r--r--lib/cookies/helper.h2
-rw-r--r--lib/cookies/lru_cache.c2
-rw-r--r--lib/cookies/lru_cache.h2
-rw-r--r--lib/cookies/nonce.c2
-rw-r--r--lib/cookies/nonce.h2
-rw-r--r--lib/defines.h6
-rw-r--r--lib/dnssec.c26
-rw-r--r--lib/dnssec.h3
-rw-r--r--lib/dnssec/nsec.c2
-rw-r--r--lib/dnssec/nsec.h2
-rw-r--r--lib/dnssec/nsec3.c2
-rw-r--r--lib/dnssec/nsec3.h2
-rw-r--r--lib/dnssec/signature.c2
-rw-r--r--lib/dnssec/signature.h2
-rw-r--r--lib/dnssec/ta.c2
-rw-r--r--lib/dnssec/ta.h2
-rw-r--r--lib/generic/array.h2
-rw-r--r--lib/generic/lru.c2
-rw-r--r--lib/generic/lru.h2
-rw-r--r--lib/generic/pack.h2
-rw-r--r--lib/generic/queue.c2
-rw-r--r--lib/generic/queue.h2
-rw-r--r--lib/generic/test_array.c2
-rw-r--r--lib/generic/test_lru.c2
-rw-r--r--lib/generic/test_pack.c2
-rw-r--r--lib/generic/test_queue.c2
-rw-r--r--lib/generic/test_trie.c2
-rw-r--r--lib/generic/trie.c2
-rw-r--r--lib/generic/trie.h2
-rw-r--r--lib/layer.h2
-rw-r--r--lib/layer/cache.c2
-rw-r--r--lib/layer/iterate.c40
-rw-r--r--lib/layer/iterate.h2
-rw-r--r--lib/layer/validate.c4
-rw-r--r--lib/log.c2
-rw-r--r--lib/log.h2
-rw-r--r--lib/module.c2
-rw-r--r--lib/module.h2
-rw-r--r--lib/resolve.c7
-rw-r--r--lib/resolve.h2
-rw-r--r--lib/rplan.c2
-rw-r--r--lib/rplan.h2
-rw-r--r--lib/selection.c4
-rw-r--r--lib/selection.h2
-rw-r--r--lib/selection_forward.c2
-rw-r--r--lib/selection_forward.h4
-rw-r--r--lib/selection_iter.c2
-rw-r--r--lib/selection_iter.h2
-rw-r--r--lib/test_module.c2
-rw-r--r--lib/test_rplan.c2
-rw-r--r--lib/test_utils.c2
-rw-r--r--lib/test_zonecut.c2
-rw-r--r--lib/utils.c2
-rw-r--r--lib/utils.h2
-rw-r--r--lib/zonecut.c2
-rw-r--r--lib/zonecut.h2
-rw-r--r--meson.build15
-rw-r--r--meson_options.txt12
-rw-r--r--modules/cookies/cookiectl.c2
-rw-r--r--modules/cookies/cookiectl.h2
-rw-r--r--modules/cookies/cookiemonster.c2
-rw-r--r--modules/cookies/cookiemonster.h2
-rw-r--r--modules/cookies/cookies.c2
-rw-r--r--modules/dns64/README.rst5
-rw-r--r--modules/edns_keepalive/edns_keepalive.c2
-rw-r--r--modules/hints/hints.c2
-rw-r--r--modules/http/http_doh.lua8
-rw-r--r--modules/policy/README.rst17
-rw-r--r--modules/policy/policy.lua2
-rw-r--r--modules/policy/policy.rpz.test.lua2
-rw-r--r--modules/predict/predict.lua2
-rw-r--r--modules/stats/stats.c2
-rw-r--r--systemd/kresd.systemd.7.in2
-rw-r--r--tests/unit/mock_cmodule.c2
-rw-r--r--tests/unit/test.h2
-rw-r--r--utils/client/kresc.c2
164 files changed, 666 insertions, 443 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ac7cc46e..98925873 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -18,6 +18,12 @@ variables:
EMAIL: 'ci@nic'
image: $CI_REGISTRY/knot/knot-resolver/ci/debian-11:knot-$KNOT_VERSION
+default:
+ interruptible: true
+ tags:
+ - docker
+ - linux
+ - amd64
stages:
- build
@@ -49,6 +55,10 @@ stages:
- docker
- linux
- amd64
+ # Tests which decided to skip themselves get orange non-failure.
+ allow_failure:
+ exit_codes:
+ - 77
.after_build: &after_build
<<: *common
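Review bot: The `allow_failure: exit_codes: - 77` block is added to what looks like the shared `.common` anchor (its header is outside the hunk), so every job that merges it, builds and unit tests included, will report exit status 77 as a non-failure. In this commit only the respdiff and resperf scripts exit with 77 on purpose. Consider placing the setting on `.condor` instead, or extending the comment to `# 77 = job skipped itself (respdiff/resperf only); other jobs must never exit 77`, so that a tool which happens to return 77 in a build job is not silently downgraded to a warning.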
@@ -101,7 +111,7 @@ archive:
build:
<<: *build
script:
- - meson build_ci --default-library=static --prefix=$PREFIX -Dwerror=true -Dextra_tests=enabled
+ - meson build_ci --default-library=static --prefix=$PREFIX -Dmalloc=disabled -Dwerror=true -Dextra_tests=enabled
- ninja -C build_ci
- ninja -C build_ci install >/dev/null
- ${MESON_TEST} --suite unit --suite config --no-suite snowflake
@@ -110,7 +120,7 @@ build-knot32:
<<: *build
image: $CI_REGISTRY/knot/knot-resolver/ci/debian-11:knot-3.2
script:
- - meson build_ci_knot32 --default-library=static --prefix=$PREFIX -Dwerror=true -Dextra_tests=enabled
+ - meson build_ci_knot32 --default-library=static --prefix=$PREFIX -Dmalloc=disabled -Dwerror=true -Dextra_tests=enabled
- ninja -C build_ci_knot32
- ninja -C build_ci_knot32 install >/dev/null
- ${MESON_TEST} --suite unit --suite config --no-suite snowflake
@@ -122,7 +132,7 @@ build-asan:
- /^manager.*$/
script:
# "undefined" sanitizer causes C++ issues when loading ahocorasick.so in CI
- - CC=clang CXX=clang++ CFLAGS=-fno-sanitize-recover=all CXXFLAGS=-fno-sanitize=undefined meson build_ci_asan --default-library=static --prefix=$PREFIX -Db_sanitize=address,undefined -Dextra_tests=enabled
+ - CC=clang CXX=clang++ CFLAGS=-fno-sanitize-recover=all CXXFLAGS=-fno-sanitize=undefined meson build_ci_asan --default-library=static --prefix=$PREFIX -Dmalloc=jemalloc -Db_sanitize=address,undefined -Dextra_tests=enabled
- ninja -C build_ci_asan
- ninja -C build_ci_asan install >/dev/null
# TODO _leaks: not sure what exactly is wrong in leak detection on config tests
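Review bot: The sanitizer job is the only one switched to `-Dmalloc=jemalloc`, while the other builds changed in this file pass `-Dmalloc=disabled`, and the script carries no comment saying why. Whether AddressSanitizer's allocator interception still covers heap allocations once jemalloc is linked is not visible from this hunk and is worth confirming, since this job is the one that provides memory-error coverage. A comment above the meson line would record the intent, for example `# jemalloc enabled on purpose in this job (other jobs build with -Dmalloc=disabled)`.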
@@ -167,7 +177,7 @@ sonarcloud:
- tags
- master@knot/knot-resolver
script:
- - meson build_sonarcloud --default-library=static --prefix=$PREFIX
+ - meson build_sonarcloud --default-library=static --prefix=$PREFIX -Dmalloc=disabled
- build-wrapper-linux-x86-64 --out-dir bw-output ninja -C build_sonarcloud
- >
sonar-scanner
@@ -316,6 +326,8 @@ root.hints:
deckard:
<<: *test_flaky
+ # Deckard won't work with jemalloc due to a faketime bug:
+ # https://github.com/wolfcw/libfaketime/issues/130
only: # trigger job only in repos under our control (privileged runner required)
- branches@knot/knot-resolver
- branches@knot/security/knot-resolver
@@ -372,25 +384,9 @@ manager:
- $SKIP_CI == "1"
pytests:
- <<: *common
- except:
- refs:
- - /^manager.*$/
- # these are executed on LXC runners to increase stability
- image: $CI_REGISTRY/knot/knot-resolver/ci/lxc-debian-11:knot-$KNOT_VERSION
- only:
- refs:
- - branches@knot/knot-resolver
- needs: []
- tags:
- - lxc
- - amd64
- before_script:
- # build-asan artifacts can't be reused (different container is used)
- - CC=clang CXX=clang++ CFLAGS=-fno-sanitize-recover=all CXXFLAGS=-fno-sanitize=undefined meson build_ci_asan --default-library=static --prefix=$PREFIX -Db_sanitize=address,undefined -Dextra_tests=enabled
- - ninja -C build_ci_asan
- - ninja -C build_ci_asan install >/dev/null
- # END lxc specific section
+ <<: *test_flaky
+ needs:
+ - build-asan
artifacts:
when: always
paths:
@@ -406,25 +402,20 @@ pytests:
# respdiff {{{
.condor: &condor
<<: *common
- except:
- refs:
- - /^manager.*$/
- needs:
- - job: deckard
- artifacts: false
- - job: respdiff:basic
- artifacts: false
+ tags:
+ - condor
+ needs: []
only: # trigger job only in repos under our control
- branches@knot/knot-resolver
- branches@knot/security/knot-resolver
- tags:
- - condor
+ # The set of respdiff+resperf jobs takes over two hours to execute.
+ when: manual
.respdiff: &respdiff
<<: *condor
stage: respdiff
script:
- - git diff-index --name-only origin/master | grep -qEv '^(AUTHORS|ci/|config.mk|COPYING|distro/|doc/|etc/|NEWS|README.md|scripts/|tests/|\.gitignore|\.gitlab-ci\.yml|\.travis\.yml)' || test $RESPDIFF_FORCE -gt 0 || exit 0
+ - git diff-index --name-only origin/master | grep -qEv '^(AUTHORS|ci/|config.mk|COPYING|distro/|doc/|etc/|NEWS|README.md|scripts/|tests/|\.gitignore|\.gitlab-ci\.yml|\.travis\.yml)' || test $RESPDIFF_FORCE -gt 0 || exit 77
- test ! -f /var/tmp/respdiff-jobs/buffer/buffer_$RESPDIFF_TEST_stats.json || test $RESPDIFF_FORCE -gt 0 || ( echo "Reference unstable, try again in ~3h or use RESPDIFF_FORCE=1."; exit 1 )
- export LABEL=gl$(date +%s)
- export COMMITDIR="/var/tmp/respdiff-jobs/$(git rev-parse --short HEAD)-$LABEL"
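Review bot: In the changed `script` line of `.respdiff`, a failure of `git diff-index` itself (for example when `origin/master` is not available in the runner's clone) leaves `grep` with empty input, so the chain falls through to `exit 77` and the job is shown as skipped rather than failed. `$RESPDIFF_FORCE` is also unquoted, so an unset variable makes `test` error out and takes the same path. Quoting with a default, `test "${RESPDIFF_FORCE:-0}" -gt 0`, and running `git rev-parse --verify origin/master` as a separate step first would keep a broken checkout from being reported as a skip. The same line with `$RESPERF_FORCE` appears in the resperf hunk further down, and the `.respdiff` script continues outside this hunk.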
@@ -490,7 +481,7 @@ fwd-udp6-unbound.tls6:
<<: *condor
stage: respdiff
script:
- - git diff-index --name-only origin/master | grep -qEv '^(AUTHORS|ci/|config.mk|COPYING|distro/|doc/|etc/|NEWS|README.md|scripts/|tests/|\.gitignore|\.gitlab-ci\.yml|\.travis\.yml)' || test $RESPERF_FORCE -gt 0 || exit 0
+ - git diff-index --name-only origin/master | grep -qEv '^(AUTHORS|ci/|config.mk|COPYING|distro/|doc/|etc/|NEWS|README.md|scripts/|tests/|\.gitignore|\.gitlab-ci\.yml|\.travis\.yml)' || test $RESPERF_FORCE -gt 0 || exit 77
- export LABEL=gl$(date +%s)
- export COMMITDIR="/var/tmp/respdiff-jobs/$(git rev-parse --short HEAD)-$LABEL"
- export TESTDIR="$COMMITDIR/$RESPERF_TEST"
diff --git a/NEWS b/NEWS
index f1fa5f3e..b9d3894d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,20 @@
+Knot Resolver 5.6.0 (202y-mm-dd)
+================================
+
+Improvements
+------------
+- cache.max_ttl(): lower the default from six days to one day
+ and apply both limits to the first uncached answer already (!1323 #127)
+- depend on jemalloc, preferably, to improve memory usage (!1353)
+- no longer accept DNS messages with trailing data (!1365)
+- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364)
+- policy.STUB: avoid copying +dnssec flag from client to upstream (!1364)
+
+Bugfixes
+--------
+- policy.DEBUG_IF: don't print client's packet unconditionally (!1366)
+
+
Knot Resolver 5.5.3 (2022-09-21)
================================
@@ -241,7 +258,7 @@ Improvements
- doh2: add native C module for DNS-over-HTTPS (#600, !997)
- xdp: add server-side XDP support for higher UDP performance (#533, !1083)
- lower default EDNS buffer size to 1232 bytes (#538, #300, !920);
- see https://dnsflagday.net/2020/
+ see https://www.dnsflagday.net/2020/
- net: split the EDNS buffer size into upstream and downstream (!1026)
- lua-http doh: answer to /dns-query endpoint as well as /doh (!1069)
- improve resiliency against UDP fragmentation attacks (disable PMTUD) (!1061)
diff --git a/bench/bench_lru.c b/bench/bench_lru.c
index 1967f432..06f77c0d 100644
--- a/bench/bench_lru.c
+++ b/bench/bench_lru.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/ci/images/README.md b/ci/images/README.md
index 0224960d..d9efe0e8 100644
--- a/ci/images/README.md
+++ b/ci/images/README.md
@@ -23,20 +23,11 @@ environment variable, e.g.:
$ COVERITY_SCAN_TOKEN=the_secret_token ./build.sh debian-11-coverity
```
-### debian-bullseye
+### debian-buster (10)
Used to serve the same purpose as `debian-11`. As of 2022-03-09, it is still
used by some jobs (linters).
-### lxc-debian-11
-
-Very similar to the main image. The main difference is a custom base image
-which can be used for LXC runners and boots into systemd. It is useful to
-update it when `debian-11` gets updated, as it will allow some of the tests to
-be migrated to the LXC runners in the future (especially the
-unstable/problematic ones - pytests already migrated, deckard might be a good
-candidate).
-
## Maintenance
The `ci/images/` directory contains utility scripts to build, push or update
diff --git a/ci/images/debian-11/Dockerfile b/ci/images/debian-11/Dockerfile
index 4ed7cff6..dd945572 100644
--- a/ci/images/debian-11/Dockerfile
+++ b/ci/images/debian-11/Dockerfile
@@ -16,7 +16,7 @@ RUN apt-get update -qq
RUN apt-get install -y -qqq git make cmake pkg-config meson \
build-essential bsdmainutils libtool autoconf libcmocka-dev \
liburcu-dev libgnutls28-dev libedit-dev liblmdb-dev libcap-ng-dev libsystemd-dev \
- libelf-dev libmnl-dev libidn11-dev libuv1-dev \
+ libelf-dev libmnl-dev libidn11-dev libuv1-dev libjemalloc-dev \
libluajit-5.1-dev lua-http libssl-dev libnghttp2-dev
# Build and testing deps for Resolver's dnstap module (go stuff is just for testing)
diff --git a/ci/images/lxc-debian-11/Dockerfile b/ci/images/lxc-debian-11/Dockerfile
deleted file mode 100644
index 82b0ad6b..00000000
--- a/ci/images/lxc-debian-11/Dockerfile
+++ /dev/null
@@ -1,132 +0,0 @@
-# SPDX-License-Identifier: GPL-3.0-or-later
-
-FROM registry.nic.cz/labs/lxc-gitlab-runner/debian-11:latest
-MAINTAINER Knot Resolver <knot-resolver@labs.nic.cz>
-# >= 3.0 needed because of --enable-xdp=yes
-ARG KNOT_BRANCH=3.1
-ENV DEBIAN_FRONTEND=noninteractive
-
-# generic cleanup
-RUN apt-get update -qq
-
-# Knot and Knot Resolver dependencies
-RUN apt-get install -y -qqq git make cmake pkg-config meson \
- build-essential bsdmainutils libtool autoconf libcmocka-dev \
- liburcu-dev libgnutls28-dev libedit-dev liblmdb-dev libcap-ng-dev libsystemd-dev \
- libelf-dev libmnl-dev libidn11-dev libuv1-dev \
- libluajit-5.1-dev lua-http libssl-dev libnghttp2-dev
-
-# Build and testing deps for Resolver's dnstap module (go stuff is just for testing)
-RUN apt-get install -y -qqq \
- protobuf-c-compiler libprotobuf-c-dev libfstrm-dev
-# Maintaining the go stuff in CI really seems more trouble than worth.
-# golang-any
-#RUN bash -c "go get github.com/{FiloSottile/gvt,cloudflare/dns,dnstap/golang-dnstap,golang/protobuf/proto}"
-
-# documentation dependencies
-RUN apt-get install -y -qqq doxygen python3-sphinx python3-breathe python3-sphinx-rtd-theme
-
-# Python packages required for Deckard CI
-# Python: grab latest versions from PyPi
-# (Augeas binding in Debian packages are slow and buggy)
-RUN apt-get install -y -qqq python3-pip wget augeas-tools
-RUN pip3 install --upgrade pip
-RUN pip3 install pylint
-RUN pip3 install pep8
-RUN pip3 install pytest-xdist
-# FIXME replace with dnspython >= 2.2.0 once released
-RUN pip3 install git+https://github.com/bwelling/dnspython.git@72348d4698a8f8b209fbdf9e72738904ad31b930
-# tests/pytest dependencies: skip over broken versions
-RUN pip3 install jinja2 'pytest != 6.0.0' pytest-html pytest-xdist
-# apkg for packaging
-RUN pip3 install apkg
-
-# packet capture tools for Deckard
-RUN apt-get install --no-install-suggests --no-install-recommends -y -qqq tcpdump wireshark-common
-
-# Faketime for Deckard
-RUN apt-get install -y -qqq faketime
-
-# C dependencies for python-augeas
-RUN apt-get install -y -qqq libaugeas-dev libffi-dev
-# Python dependencies for Deckard
-RUN wget https://gitlab.nic.cz/knot/deckard/raw/master/requirements.txt -O /tmp/deckard-req.txt
-RUN pip3 install -r /tmp/deckard-req.txt
-
-# build and install latest version of Knot DNS
-RUN git clone --depth=1 --branch=$KNOT_BRANCH https://gitlab.nic.cz/knot/knot-dns.git /tmp/knot
-WORKDIR /tmp/knot
-RUN pwd
-RUN autoreconf -if
-RUN ./configure --prefix=/usr --enable-xdp=yes
-RUN CFLAGS="-g" make
-RUN make install
-RUN ldconfig
-
-# Valgrind for kresd CI
-RUN apt-get install valgrind -y -qqq
-RUN wget https://github.com/LuaJIT/LuaJIT/raw/v2.1.0-beta3/src/lj.supp -O /lj.supp
-# TODO: rebuild LuaJIT with Valgrind support
-
-# Lua lint for kresd CI
-RUN apt-get install luarocks -y -qqq
-RUN luarocks --lua-version 5.1 install luacheck
-
-# respdiff for kresd CI
-RUN apt-get install lmdb-utils -y -qqq
-RUN git clone --depth=1 https://gitlab.nic.cz/knot/respdiff /var/opt/respdiff
-RUN pip3 install -r /var/opt/respdiff/requirements.txt
-
-# Python static analysis for respdiff
-RUN pip3 install mypy
-RUN pip3 install flake8
-
-# Python requests for CI scripts
-RUN pip3 install requests
-
-# docker-py for packaging tests
-RUN pip3 install docker
-
-# Unbound for respdiff
-RUN apt-get install unbound unbound-anchor -y -qqq
-RUN printf "server:\n interface: 127.0.0.1@53535\n use-syslog: yes\n do-ip6: no\nremote-control:\n control-enable: no\n" >> /etc/unbound/unbound.conf
-
-# BIND for respdiff
-RUN apt-get install bind9 -y -qqq
-RUN printf '\nOPTIONS="-4 $OPTIONS"' >> /etc/default/bind9
-RUN printf 'options {\n directory "/var/cache/bind";\n listen-on port 53533 { 127.0.0.1; };\n listen-on-v6 port 53533 { ::1; };\n};\n' > /etc/bind/named.conf.options
-
-# PowerDNS Recursor for Deckard CI
-RUN apt-get install pdns-recursor -y -qqq
-
-# code coverage
-RUN apt-get install -y -qqq lcov
-RUN luarocks --lua-version 5.1 install luacov
-
-# LuaJIT binary for stand-alone scripting
-RUN apt-get install -y -qqq luajit
-
-# clang for kresd CI, version updated as debian updates it
-RUN apt-get install -y -qqq clang clang-tools clang-tidy
-
-# OpenBuildService CLI tool
-RUN apt-get install -y osc
-
-# curl (API)
-RUN apt-get install -y curl
-
-# configure knot-resolver-testing OBS repo for dependencies missing in Debian
-RUN echo 'deb http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-testing/Debian_11/ /' > /etc/apt/sources.list.d/knot-resolver-testing.list
-RUN wget -nv https://download.opensuse.org/repositories/home:CZ-NIC:knot-resolver-testing/Debian_11/Release.key -O Release.key
-RUN APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add Release.key
-RUN rm Release.key
-RUN apt-get update -qq
-
-# packages from our knot-resolver-testing repo
-RUN apt-get update
-RUN apt-get install -y -qqq lua-psl
-
-# en_US.UTF-8 locale for scripts.update-authors.sh
-RUN apt-get install -y -qqq locales
-RUN sed -i "/en_US.UTF-8/ s/^#\(.*\)/\1/" /etc/locale.gen
-RUN locale-gen
diff --git a/ci/pkgtest.yaml b/ci/pkgtest.yaml
new file mode 100644
index 00000000..74f6ec8d
--- /dev/null
+++ b/ci/pkgtest.yaml
@@ -0,0 +1,300 @@
+default:
+ interruptible: true
+
+stages:
+ - pkgbuild
+ - pkgtest
+
+# pkgbuild {{{
+.pkgbuild: &pkgbuild
+ stage: pkgbuild
+ tags:
+ - lxc
+ - amd64
+ before_script:
+ - git config --global user.name CI
+ - git config --global user.email ci@nic
+ needs: # https://gitlab.nic.cz/help/ci/yaml/README.md#artifact-downloads-to-child-pipelines
+ - pipeline: $PARENT_PIPELINE_ID
+ job: archive
+ artifacts:
+ when: always
+ expire_in: '1 day'
+ paths:
+ - pkg/
+
+.apkgbuild: &apkgbuild # new jinja2 breaks docs (sphinx/breathe)
+ - pip3 install -U apkg 'jinja2<3.1'
+ - apkg build-dep -y
+ - apkg build
+
+.pkgdebrepo: &pkgdebrepo
+ - apt-get update
+ - apt-get install -y curl gnupg2
+ - echo "deb http://download.opensuse.org/repositories/home:/CZ-NIC:/$OBS_REPO/$DISTROTEST_REPO/ /" > /etc/apt/sources.list.d/obs.list
+ - curl -fsSL "https://download.opensuse.org/repositories/home:CZ-NIC:$OBS_REPO/$DISTROTEST_REPO/Release.key" | gpg --dearmor > /etc/apt/trusted.gpg.d/obs.gpg
+ - apt-get update
+
+.debpkgbuild: &debpkgbuild
+ - *pkgdebrepo
+ - apt-get install -y python3-pip devscripts
+ - *apkgbuild
+
+centos-7:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/centos-7
+ before_script:
+ - export LC_ALL=en_US.UTF-8
+ - git config --global user.name CI
+ - git config --global user.email ci@nic
+ script:
+ - yum install -y rpm-build python3-pip epel-release
+ - *apkgbuild
+
+debian-9:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/debian-9
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: Debian_9.0
+ script:
+ - *debpkgbuild
+
+debian-10:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/debian-10
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: Debian_10
+ script:
+ - *debpkgbuild
+
+debian-11:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/debian-11
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: Debian_11
+ script:
+ - *debpkgbuild
+
+fedora-34:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/fedora-34
+ script:
+ - dnf install -y rpm-build python3-pip
+ - *apkgbuild
+
+fedora-35:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/fedora-35
+ script:
+ - dnf install -y rpm-build python3-pip
+ - *apkgbuild
+
+opensuse-15.2:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/opensuse-15.2
+ script:
+ - zypper addrepo -G -f https://download.opensuse.org/repositories/home:CZ-NIC:knot-resolver-build/openSUSE_Leap_15.2/home:CZ-NIC:knot-resolver-build.repo
+ - zypper install -y rpm-build python3-pip
+ - *apkgbuild
+
+opensuse-15.3:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/opensuse-15.3
+ script:
+ - zypper addrepo -G -f https://download.opensuse.org/repositories/home:CZ-NIC:knot-resolver-build/openSUSE_Leap_15.3/home:CZ-NIC:knot-resolver-build.repo
+ - zypper install -y rpm-build python3-pip
+ - *apkgbuild
+
+rocky-8:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/rocky-8
+ script:
+ - dnf install -y rpm-build python3-pip epel-release dnf-plugins-core
+ - dnf config-manager --set-enabled powertools
+ - *apkgbuild
+
+ubuntu-18.04:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/ubuntu-18.04
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: xUbuntu_18.04
+ script:
+ - *debpkgbuild
+
+ubuntu-20.04:pkgbuild:
+ <<: *pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/ubuntu-20.04
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: xUbuntu_20.04
+ script:
+ - *debpkgbuild
+
+nixos-unstable:pkgbuild:
+ <<: *pkgbuild
+ # We do NOT use LXC, for now at least.
+ parallel:
+ matrix:
+ - PLATFORM: [ amd64, arm64 ]
+ tags:
+ - docker
+ - linux
+ - ${PLATFORM}
+ image: nixos/nix
+
+ variables:
+ NIX_PATH: nixpkgs=https://github.com/nixos/nixpkgs/archive/nixos-unstable.tar.gz
+ before_script:
+ script:
+ - nix-build '<nixpkgs>' -QA apkg
+ # the image auto-detects as alpine distro
+ # If apkg version differs (too much), it will fail to reuse archive and fail.
+ - ./result/bin/apkg install -d nix
+ - kresd --version
+# }}}
+
+# pkgtest {{{
+.pkgtest: &pkgtest
+ stage: pkgtest
+ tags:
+ - lxc
+ - amd64
+
+.debpkgtest: &debpkgtest
+ - *pkgdebrepo
+ - apt-get install -y knot-dnsutils
+ - apt-get install -y $(find ./pkg/pkgs -name '*.deb' | grep -v module | grep -v debug | grep -v devel)
+ - systemctl start kresd@1
+ - kdig @127.0.0.1 nic.cz | grep -qi NOERROR
+
+centos-7:pkgtest:
+ <<: *pkgtest
+ needs:
+ - centos-7:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/centos-7
+ before_script:
+ - export LC_ALL=en_US.UTF-8
+ script:
+ - yum install -y epel-release
+ - yum install -y knot-utils findutils
+ - yum install -y $(find ./pkg/pkgs -name '*.rpm' | grep -v module | grep -v debug | grep -v devel)
+ - systemctl start kresd@1
+ - kdig @127.0.0.1 nic.cz | grep -qi NOERROR
+
+debian-9:pkgtest:
+ <<: *pkgtest
+ needs:
+ - debian-9:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/debian-9
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: Debian_9.0
+ script:
+ - *debpkgtest
+
+debian-10:pkgtest:
+ <<: *pkgtest
+ needs:
+ - debian-10:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/debian-10
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: Debian_10
+ script:
+ - *debpkgtest
+
+debian-11:pkgtest:
+ <<: *pkgtest
+ needs:
+ - debian-11:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/debian-11
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: Debian_11
+ script:
+ - *debpkgtest
+
+fedora-34:pkgtest:
+ <<: *pkgtest
+ needs:
+ - fedora-34:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/fedora-34
+ script:
+ - dnf install -y knot-utils findutils
+ - dnf install -y $(find ./pkg/pkgs -name '*.rpm' | grep -v module | grep -v debug | grep -v devel)
+ - systemctl start kresd@1
+ - kdig @127.0.0.1 nic.cz | grep -qi NOERROR
+
+fedora-35:pkgtest:
+ <<: *pkgtest
+ needs:
+ - fedora-35:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/fedora-35
+ script:
+ - dnf install -y knot-utils findutils
+ - dnf install -y $(find ./pkg/pkgs -name '*.rpm' | grep -v module | grep -v debug | grep -v devel)
+ - systemctl start kresd@1
+ - kdig @127.0.0.1 nic.cz | grep -qi NOERROR
+
+opensuse-15.2:pkgtest:
+ <<: *pkgtest
+ needs:
+ - opensuse-15.2:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/opensuse-15.2
+ script:
+ - zypper addrepo -G -f https://download.opensuse.org/repositories/home:CZ-NIC:knot-resolver-build/openSUSE_Leap_15.2/home:CZ-NIC:knot-resolver-build.repo
+ - zypper install -y knot-utils
+ - zypper install --allow-unsigned-rpm -y $(find ./pkg/pkgs -name '*.rpm' | grep -v module | grep -v debug | grep -v devel)
+ - systemctl start kresd@1
+ - kdig @127.0.0.1 nic.cz | grep -qi NOERROR
+
+opensuse-15.3:pkgtest:
+ <<: *pkgtest
+ needs:
+ - opensuse-15.3:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/opensuse-15.3
+ script:
+ - zypper addrepo -G -f https://download.opensuse.org/repositories/home:CZ-NIC:knot-resolver-build/openSUSE_Leap_15.3/home:CZ-NIC:knot-resolver-build.repo
+ - zypper install -y knot-utils
+ - zypper install --allow-unsigned-rpm -y $(find ./pkg/pkgs -name '*.rpm' | grep -v module | grep -v debug | grep -v devel)
+ - systemctl start kresd@1
+ - kdig @127.0.0.1 nic.cz | grep -qi NOERROR
+
+rocky-8:pkgtest:
+ <<: *pkgtest
+ needs:
+ - rocky-8:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/rocky-8
+ script:
+ - dnf install -y epel-release
+ - dnf install -y knot-utils findutils
+ - dnf install -y $(find ./pkg/pkgs -name '*.rpm' | grep -v module | grep -v debug | grep -v devel)
+ - systemctl start kresd@1
+ - kdig @127.0.0.1 nic.cz | grep -qi NOERROR
+
+ubuntu-18.04:pkgtest:
+ <<: *pkgtest
+ needs:
+ - ubuntu-18.04:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/ubuntu-18.04
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: xUbuntu_18.04
+ script:
+ - *debpkgtest
+
+ubuntu-20.04:pkgtest:
+ <<: *pkgtest
+ needs:
+ - ubuntu-20.04:pkgbuild
+ image: $CI_REGISTRY/labs/lxc-gitlab-runner/ubuntu-20.04
+ variables:
+ OBS_REPO: knot-resolver-build
+ DISTROTEST_REPO: xUbuntu_20.04
+ script:
+ - *debpkgtest
+# }}}
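Review bot: In `.pkgdebrepo` the OBS signing key is written to `/etc/apt/trusted.gpg.d/obs.gpg`, which makes apt accept that key for every configured source, not only the OBS repository added on the line before it. Scoping it keeps a problem with that key from vouching for distribution packages: write the key to `/usr/share/keyrings/obs.gpg` and declare the source as `deb [signed-by=/usr/share/keyrings/obs.gpg] http://download.opensuse.org/...`. The openSUSE jobs go further and pass `-G` to `zypper addrepo`, which switches signature checking off for that repository altogether; importing the repository key instead would keep the check. The inputs are also unpinned (`pip3 install -U apkg`, the untagged `nixos/nix` image, the `nixos-unstable` tarball), so a comment stating that this is intentional for a rolling test would help.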
diff --git a/contrib/base32hex.c b/contrib/base32hex.c
index 31c5bbde..b12718ec 100644
--- a/contrib/base32hex.c
+++ b/contrib/base32hex.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2011-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/contrib/base32hex.h b/contrib/base32hex.h
index ed90ceff..24167863 100644
--- a/contrib/base32hex.h
+++ b/contrib/base32hex.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2011-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
/*!
diff --git a/contrib/base64.c b/contrib/base64.c
index 845b99c5..e5c004e5 100644
--- a/contrib/base64.c
+++ b/contrib/base64.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/contrib/base64.h b/contrib/base64.h
index 3c71431e..153aa720 100644
--- a/contrib/base64.h
+++ b/contrib/base64.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2011-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
/*!
diff --git a/contrib/base64url.c b/contrib/base64url.c
index a0152057..b7c7d2b2 100644
--- a/contrib/base64url.c
+++ b/contrib/base64url.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/contrib/base64url.h b/contrib/base64url.h
index 875ecfa2..ad7c6e94 100644
--- a/contrib/base64url.h
+++ b/contrib/base64url.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/contrib/cleanup.h b/contrib/cleanup.h
index 7d6cdbed..c9d170a5 100644
--- a/contrib/cleanup.h
+++ b/contrib/cleanup.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
/**
diff --git a/contrib/dynarray.h b/contrib/dynarray.h
index 06722ea1..7cbb686b 100644
--- a/contrib/dynarray.h
+++ b/contrib/dynarray.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/contrib/mempattern.c b/contrib/mempattern.c
index ae3bd6f5..6c237eac 100644
--- a/contrib/mempattern.c
+++ b/contrib/mempattern.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/contrib/mempattern.h b/contrib/mempattern.h
index a0cd9a62..4db147ae 100644
--- a/contrib/mempattern.h
+++ b/contrib/mempattern.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/daemon/bindings/api.h b/daemon/bindings/api.h
index 7ad6840e..2b433851 100644
--- a/daemon/bindings/api.h
+++ b/daemon/bindings/api.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/bindings/cache.c b/daemon/bindings/cache.c
index 4b168822..d42ff627 100644
--- a/daemon/bindings/cache.c
+++ b/daemon/bindings/cache.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/bindings/cache.rst b/daemon/bindings/cache.rst
index f27b9d7b..36114d22 100644
--- a/daemon/bindings/cache.rst
+++ b/daemon/bindings/cache.rst
@@ -221,17 +221,15 @@ Configuration reference
.. function:: cache.max_ttl([ttl])
- :param number ttl: maximum cache TTL in seconds (default: 6 days)
+ :param number ttl: maximum TTL in seconds (default: 1 day)
.. KR_CACHE_DEFAULT_TTL_MAX ^^
:return: current maximum TTL
- Get or set maximum cache TTL.
+ Get or set upper TTL bound applied to all received records.
- .. note:: The `ttl` value must be in range `(min_ttl, 4294967295)`.
-
- .. warning:: This settings applies only to currently open cache, it will not persist if the cache is closed or reopened.
+ .. note:: The `ttl` value must be in range `(min_ttl, 2147483647)`.
.. code-block:: lua
@@ -244,18 +242,18 @@ Configuration reference
.. function:: cache.min_ttl([ttl])
- :param number ttl: minimum cache TTL in seconds (default: 5 seconds)
+ :param number ttl: minimum TTL in seconds (default: 5 seconds)
.. KR_CACHE_DEFAULT_TTL_MIN ^^
- :return: current maximum TTL
+ :return: current minimum TTL
- Get or set minimum cache TTL. Any entry inserted into cache with TTL lower than minimal will be overridden to minimum TTL. Forcing TTL higher than specified violates DNS standards, use with care.
+ Get or set lower TTL bound applied to all received records.
+ Forcing TTL higher than specified violates DNS standards, so use higher values with care.
+ TTL still won't be extended beyond expiration of the corresponding DNSSEC signature.
.. note:: The `ttl` value must be in range `<0, max_ttl)`.
- .. warning:: This settings applies only to currently open cache, it will not persist if the cache is closed or reopened.
-
.. code-block:: lua
-- Get minimum TTL
diff --git a/daemon/bindings/event.c b/daemon/bindings/event.c
index 0c5a6ba9..4cefa130 100644
--- a/daemon/bindings/event.c
+++ b/daemon/bindings/event.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/bindings/impl.c b/daemon/bindings/impl.c
index 6f1383c7..8c48df8e 100644
--- a/daemon/bindings/impl.c
+++ b/daemon/bindings/impl.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/bindings/impl.h b/daemon/bindings/impl.h
index 5b923b52..d5227561 100644
--- a/daemon/bindings/impl.h
+++ b/daemon/bindings/impl.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/bindings/modules.c b/daemon/bindings/modules.c
index 5116ff33..acae270c 100644
--- a/daemon/bindings/modules.c
+++ b/daemon/bindings/modules.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/bindings/net.c b/daemon/bindings/net.c
index cd0a3e36..f1fa6f3a 100644
--- a/daemon/bindings/net.c
+++ b/daemon/bindings/net.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/bindings/net_dns_tweaks.rst b/daemon/bindings/net_dns_tweaks.rst
index 4bdc1161..4cfeba64 100644
--- a/daemon/bindings/net_dns_tweaks.rst
+++ b/daemon/bindings/net_dns_tweaks.rst
@@ -10,7 +10,7 @@ Default values should not be changed except for very special cases.
Get/set maximum EDNS payload size advertised in DNS packets. Different values can be configured for communication downstream (towards clients) and upstream (towards other DNS servers). Set and also get operations use values in this order.
- Default is 1232 bytes which was chosen to minimize risk of `issues caused by IP fragmentation <https://blog.apnic.net/2019/07/12/its-time-to-consider-avoiding-ip-fragmentation-in-the-dns/>`_. Further details can be found at `DNS Flag Day 2020 <https://dnsflagday.net/2020/>`_ web site.
+ Default is 1232 bytes which was chosen to minimize risk of `issues caused by IP fragmentation <https://blog.apnic.net/2019/07/12/its-time-to-consider-avoiding-ip-fragmentation-in-the-dns/>`_. Further details can be found at `DNS Flag Day 2020 <https://www.dnsflagday.net/2020/>`_ web site.
Minimal value allowed by standard :rfc:`6891` is 512 bytes, which is equal to DNS packet size without Extension Mechanisms for DNS. Value 1220 bytes is minimum size required by DNSSEC standard :rfc:`4035`.
diff --git a/daemon/bindings/net_xdpsrv.rst b/daemon/bindings/net_xdpsrv.rst
index 1abc9d36..e3014fec 100644
--- a/daemon/bindings/net_xdpsrv.rst
+++ b/daemon/bindings/net_xdpsrv.rst
@@ -57,8 +57,10 @@ And insert these lines:
.. code-block:: ini
[Service]
- CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE
- AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_SYS_RESOURCE
+ CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SYS_RESOURCE
+ AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_IPC_LOCK CAP_SYS_RESOURCE
+
+The ``CAP_SYS_RESOURCE`` is only needed on Linux < 5.11.
.. TODO suggest some way for ethtool -L? Perhaps via systemd units?
diff --git a/daemon/bindings/worker.c b/daemon/bindings/worker.c
index f0a533f5..d9850009 100644
--- a/daemon/bindings/worker.c
+++ b/daemon/bindings/worker.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/cache.test/insert_ns.test.integr/kresd_config.j2 b/daemon/cache.test/insert_ns.test.integr/kresd_config.j2
index ac83d20f..bf2165b8 100644
--- a/daemon/cache.test/insert_ns.test.integr/kresd_config.j2
+++ b/daemon/cache.test/insert_ns.test.integr/kresd_config.j2
@@ -14,7 +14,7 @@ local ffi = require('ffi')
local c = kres.context().cache
ns_name = todname('ns.example.com')
local ns_addr = '\1\2\3\4'
-local rr = kres.rrset(ns_name, kres.type.A, kres.class.IN, 3600999999)
+local rr = kres.rrset(ns_name, kres.type.A, kres.class.IN, 2147483647)
assert(rr:add_rdata(ns_addr, #ns_addr))
assert(c:insert(rr, nil, ffi.C.KR_RANK_SECURE))
diff --git a/daemon/engine.c b/daemon/engine.c
index d18ed11d..26c225f3 100644
--- a/daemon/engine.c
+++ b/daemon/engine.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/engine.h b/daemon/engine.h
index d724f925..63accd37 100644
--- a/daemon/engine.h
+++ b/daemon/engine.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/ffimodule.c b/daemon/ffimodule.c
index 073b12c0..4206b4c8 100644
--- a/daemon/ffimodule.c
+++ b/daemon/ffimodule.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/ffimodule.h b/daemon/ffimodule.h
index f86c764c..beb1bf12 100644
--- a/daemon/ffimodule.h
+++ b/daemon/ffimodule.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/http.c b/daemon/http.c
index af387d81..0c6f361d 100644
--- a/daemon/http.c
+++ b/daemon/http.c
@@ -1,6 +1,5 @@
/*
- *
- * Copyright (C) 2020 CZ.NIC, z.s.p.o
+ * Copyright (C) CZ.NIC, z.s.p.o
*
* Initial Author: Jan Hák <jan.hak@nic.cz>
*
@@ -876,7 +875,6 @@ static int http_write_pkt(struct http_ctx *ctx, knot_pkt_t *pkt, int32_t stream_
{
struct http_data *data;
nghttp2_data_provider prov;
- const bool is_negative = kr_response_classify(pkt) & (PKT_NODATA|PKT_NXDOMAIN);
data = malloc(sizeof(struct http_data));
if (!data)
@@ -887,7 +885,7 @@ static int http_write_pkt(struct http_ctx *ctx, knot_pkt_t *pkt, int32_t stream_
data->pos = 0;
data->on_write = on_write;
data->req = req;
- data->ttl = packet_ttl(pkt, is_negative);
+ data->ttl = packet_ttl(pkt);
prov.source.ptr = data;
prov.read_callback = read_callback;
diff --git a/daemon/http.h b/daemon/http.h
index 9c34eef1..0749e3b8 100644
--- a/daemon/http.h
+++ b/daemon/http.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 CZ.NIC, z.s.p.o
+ * Copyright (C) CZ.NIC, z.s.p.o
*
* Initial Author: Jan Hák <jan.hak@nic.cz>
*
diff --git a/daemon/io.c b/daemon/io.c
index 4d857924..47aecccb 100644
--- a/daemon/io.c
+++ b/daemon/io.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/io.h b/daemon/io.h
index bc1e800a..0e88dc18 100644
--- a/daemon/io.h
+++ b/daemon/io.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/lua/kres-gen-30.lua b/daemon/lua/kres-gen-30.lua
index 76659b7f..4353c5ce 100644
--- a/daemon/lua/kres-gen-30.lua
+++ b/daemon/lua/kres-gen-30.lua
@@ -456,7 +456,7 @@ int kr_cache_insert_rr(struct kr_cache *, const knot_rrset_t *, const knot_rrset
int kr_cache_remove(struct kr_cache *, const knot_dname_t *, uint16_t);
int kr_cache_remove_subtree(struct kr_cache *, const knot_dname_t *, _Bool, int);
int kr_cache_commit(struct kr_cache *);
-uint32_t packet_ttl(const knot_pkt_t *, _Bool);
+uint32_t packet_ttl(const knot_pkt_t *);
typedef struct {
int sock_type;
_Bool tls;
diff --git a/daemon/lua/kres-gen-31.lua b/daemon/lua/kres-gen-31.lua
index b009868d..a68dd653 100644
--- a/daemon/lua/kres-gen-31.lua
+++ b/daemon/lua/kres-gen-31.lua
@@ -456,7 +456,7 @@ int kr_cache_insert_rr(struct kr_cache *, const knot_rrset_t *, const knot_rrset
int kr_cache_remove(struct kr_cache *, const knot_dname_t *, uint16_t);
int kr_cache_remove_subtree(struct kr_cache *, const knot_dname_t *, _Bool, int);
int kr_cache_commit(struct kr_cache *);
-uint32_t packet_ttl(const knot_pkt_t *, _Bool);
+uint32_t packet_ttl(const knot_pkt_t *);
typedef struct {
int sock_type;
_Bool tls;
diff --git a/daemon/lua/kres-gen-32.lua b/daemon/lua/kres-gen-32.lua
index 7686419f..222891e3 100644
--- a/daemon/lua/kres-gen-32.lua
+++ b/daemon/lua/kres-gen-32.lua
@@ -457,7 +457,7 @@ int kr_cache_insert_rr(struct kr_cache *, const knot_rrset_t *, const knot_rrset
int kr_cache_remove(struct kr_cache *, const knot_dname_t *, uint16_t);
int kr_cache_remove_subtree(struct kr_cache *, const knot_dname_t *, _Bool, int);
int kr_cache_commit(struct kr_cache *);
-uint32_t packet_ttl(const knot_pkt_t *, _Bool);
+uint32_t packet_ttl(const knot_pkt_t *);
typedef struct {
int sock_type;
_Bool tls;
diff --git a/daemon/main.c b/daemon/main.c
index 12826ac2..41a55ad5 100644
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -35,6 +35,26 @@
#endif
#include <libknot/error.h>
+#if ENABLE_JEMALLOC
+/* Make the jemalloc library needed.
+ *
+ * The problem is with --as-needed for linker which is added by default by meson.
+ * If we don't use any jemalloc-specific calls, linker will decide that
+ * it is not needed and won't link it. Making it needed seems better than
+ * trying to override the flag which might be useful in some other cases, etc.
+ *
+ * Exporting the function is a very easy way of ensuring that it's not optimized out.
+ */
+#include <jemalloc/jemalloc.h>
+KR_EXPORT void kr_jemalloc_unused(void)
+{
+ malloc_stats_print(NULL, NULL, NULL);
+}
+/* We don't use threads (or rarely in some parts), so multiple arenas don't make sense.
+ https://jemalloc.net/jemalloc.3.html
+ */
+KR_EXPORT const char *malloc_conf = "narenas:1";
+#endif
struct args the_args_value; /** Static allocation for the_args singleton. */
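Review bot: The `malloc_conf` definition at the end of the `#if ENABLE_JEMALLOC` block is, as far as I know, only honoured by a jemalloc built without a symbol prefix; a prefixed build looks for a differently named variable, so `narenas:1` would be dropped without any diagnostic. The comment above it could say so, e.g. `/* Only picked up by unprefixed jemalloc builds. */`. `kr_jemalloc_unused()` also joins the exported symbol set although it exists only to keep the link dependency, so its comment could end with `Not an API; do not call.` to stop modules from relying on it.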
diff --git a/daemon/meson.build b/daemon/meson.build
index 4d9ca578..68a26466 100644
--- a/daemon/meson.build
+++ b/daemon/meson.build
@@ -51,6 +51,7 @@ kresd_deps = [
libsystemd,
capng,
nghttp2,
+ malloc,
]
diff --git a/daemon/network.c b/daemon/network.c
index 66809dff..a20b1e45 100644
--- a/daemon/network.c
+++ b/daemon/network.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -302,6 +302,8 @@ void network_deinit(struct network *net)
}
}
+/** Creates an endpoint key for use with a `trie_t` and stores it into `dst`.
+ * Returns the actual length of the generated key. */
static ssize_t endpoint_key_create(struct endpoint_key_storage *dst,
const char *addr_str,
const struct sockaddr *sa)
@@ -317,8 +319,11 @@ static ssize_t endpoint_key_create(struct endpoint_key_storage *dst,
} else {
struct endpoint_key_ifname *key = &dst->ifname;
key->type = ENDPOINT_KEY_IFNAME;
+
+ /* The subtractions and additions of 1 are here to account for
+ * null-terminators. */
strncpy(key->ifname, addr_str, sizeof(key->ifname) - 1);
- return sizeof(struct endpoint_key) + strnlen(key->ifname, sizeof(key->ifname));
+ return sizeof(struct endpoint_key) + strlen(key->ifname) + 1;
}
}
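Review bot: The new `strlen(key->ifname)` in the ifname branch is bounded only if `key->ifname` is NUL-terminated, and `strncpy` with `sizeof(key->ifname) - 1` writes no terminator when `addr_str` is at least that long. Unless `dst` is zeroed earlier in `endpoint_key_create` (its opening lines are outside this hunk), I would set the last byte explicitly before measuring: `key->ifname[sizeof(key->ifname) - 1] = '\0';`. The removed `strnlen` could not read past the array, so the invariant the replacement depends on should be visible next to it. An over-long name is also truncated silently, which could let two distinct names produce the same key.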
diff --git a/daemon/network.h b/daemon/network.h
index 8bc6a0a4..e21651fd 100644
--- a/daemon/network.h
+++ b/daemon/network.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/proxyv2.c b/daemon/proxyv2.c
index a541541f..f977ccbb 100644
--- a/daemon/proxyv2.c
+++ b/daemon/proxyv2.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/proxyv2.h b/daemon/proxyv2.h
index 0167e622..2d57744e 100644
--- a/daemon/proxyv2.h
+++ b/daemon/proxyv2.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/session.c b/daemon/session.c
index 795a445e..97256be2 100644
--- a/daemon/session.c
+++ b/daemon/session.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/session.h b/daemon/session.h
index e2718745..eccf45b5 100644
--- a/daemon/session.h
+++ b/daemon/session.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/tls.c b/daemon/tls.c
index 8d69d856..9637369e 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2016 American Civil Liberties Union (ACLU)
- * 2016-2018 CZ.NIC, z.s.p.o
+ * Copyright (C) CZ.NIC, z.s.p.o
*
* Initial Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* Ondřej Surý <ondrej@sury.org>
diff --git a/daemon/tls.h b/daemon/tls.h
index 23cd903a..76985d62 100644
--- a/daemon/tls.h
+++ b/daemon/tls.h
@@ -1,6 +1,7 @@
-/* Copyright (C) 2016 American Civil Liberties Union (ACLU)
- * SPDX-License-Identifier: GPL-3.0-or-later
-*/
+/* Copyright (C) 2016 American Civil Liberties Union (ACLU)
+ * Copyright (C) CZ.NIC, z.s.p.o
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
#pragma once
diff --git a/daemon/tls_ephemeral_credentials.c b/daemon/tls_ephemeral_credentials.c
index 42e053b6..48e8d4a0 100644
--- a/daemon/tls_ephemeral_credentials.c
+++ b/daemon/tls_ephemeral_credentials.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2016 American Civil Liberties Union (ACLU)
- * Copyright (C) 2016-2017 CZ.NIC, z.s.p.o.
- *
+ * Copyright (C) CZ.NIC, z.s.p.o.
+ *
* Initial Author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -66,7 +66,7 @@ static gnutls_x509_privkey_t get_ephemeral_privkey ()
kr_log_error(TLS, "unable to lock lockfile " EPHEMERAL_PRIVKEY_FILENAME ".lock\n");
goto done;
}
-
+
if ((err = gnutls_x509_privkey_init (&privkey)) < 0) {
kr_log_error(TLS, "gnutls_x509_privkey_init() failed: %d (%s)\n",
err, gnutls_strerror_name(err));
@@ -215,7 +215,7 @@ struct tls_credentials * tls_get_ephemeral_credentials(struct engine *engine)
kr_log_error(TLS, "failed to allocate memory for ephemeral credentials\n");
goto failure;
}
- }
+ }
if ((privkey = get_ephemeral_privkey()) == NULL) {
goto failure;
}
diff --git a/daemon/tls_session_ticket-srv.c b/daemon/tls_session_ticket-srv.c
index 68856b6b..b1989030 100644
--- a/daemon/tls_session_ticket-srv.c
+++ b/daemon/tls_session_ticket-srv.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/udp_queue.c b/daemon/udp_queue.c
index 7004d1ef..7460e041 100644
--- a/daemon/udp_queue.c
+++ b/daemon/udp_queue.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/udp_queue.h b/daemon/udp_queue.h
index 43fd56f1..f4a1ae1e 100644
--- a/daemon/udp_queue.h
+++ b/daemon/udp_queue.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/worker.c b/daemon/worker.c
index a50be16f..90fa8b2e 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -1691,27 +1691,6 @@ static int qr_task_step(struct qr_task *task,
}
}
-static int parse_packet(knot_pkt_t *query)
-{
- if (!query){
- return kr_error(EINVAL);
- }
-
- /* Parse query packet. */
- int ret = knot_pkt_parse(query, 0);
- if (ret == KNOT_ETRAIL) {
- /* Extra data after message end. */
- ret = kr_error(EMSGSIZE);
- } else if (ret != KNOT_EOK) {
- /* Malformed query. */
- ret = kr_error(EPROTO);
- } else {
- ret = kr_ok();
- }
-
- return ret;
-}
-
int worker_submit(struct session *session, struct io_comm_data *comm,
const uint8_t *eth_from, const uint8_t *eth_to, knot_pkt_t *pkt)
{
@@ -1722,11 +1701,13 @@ int worker_submit(struct session *session, struct io_comm_data *comm,
if (!handle || !handle->loop->data)
return kr_error(EINVAL);
- int ret = parse_packet(pkt);
-
const bool is_query = (knot_wire_get_qr(pkt->wire) == 0);
const bool is_outgoing = session_flags(session)->outgoing;
+ int ret = knot_pkt_parse(pkt, 0);
+ if (ret == KNOT_ETRAIL && is_outgoing && !kr_fails_assert(pkt->parsed < pkt->size))
+ ret = KNOT_EOK; // we deal with this later, so that `selection` applies
+
struct http_ctx *http_ctx = NULL;
#if ENABLE_DOH2
http_ctx = session_http_get_server_ctx(session);
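Review bot: `KNOT_ETRAIL` is now forgiven only when `is_outgoing` is set, so a client query with trailing bytes, which the removed `ret != kr_error(EMSGSIZE)` test further down used to let through, is dropped with `EILSEQ` instead. If that tightening is intended, the comment on the new check should say so, for example `/* trailing data: tolerated on upstream replies only; client queries are dropped below */`. The existing `// we deal with this later` does not name where the reply case is handled, and after `ret = KNOT_EOK` the only remaining trace is `pkt->parsed < pkt->size`, so naming the later check would help. `worker_submit` continues outside this hunk.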
@@ -1734,7 +1715,7 @@ int worker_submit(struct session *session, struct io_comm_data *comm,
/* Badly formed query when using DoH leads to a Bad Request */
if (http_ctx && !is_outgoing && ret) {
http_send_status(session, HTTP_STATUS_BAD_REQUEST);
- return ret;
+ return kr_error(ret);
}
#endif
@@ -1742,11 +1723,13 @@ int worker_submit(struct session *session, struct io_comm_data *comm,
return kr_error(ENOENT);
/* Ignore badly formed queries. */
- if ((ret != kr_ok() && ret != kr_error(EMSGSIZE)) ||
- (is_query == is_outgoing)) {
- if (!is_outgoing) {
+ if (ret && kr_log_is_debug(WORKER, NULL)) {
+ VERBOSE_MSG(NULL, "=> incoming packet failed to parse, %s\n",
+ knot_strerror(ret));
+ }
+ if (ret || is_query == is_outgoing) {
+ if (!is_outgoing)
the_worker->stats.dropped += 1;
- }
return kr_error(EILSEQ);
}
diff --git a/daemon/worker.h b/daemon/worker.h
index 2eaf0907..8885aebb 100644
--- a/daemon/worker.h
+++ b/daemon/worker.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/zimport.c b/daemon/zimport.c
index 55a651af..af21a159 100644
--- a/daemon/zimport.c
+++ b/daemon/zimport.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/daemon/zimport.h b/daemon/zimport.h
index 47974da6..5bbd992b 100644
--- a/daemon/zimport.h
+++ b/daemon/zimport.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/distro/pkg/arch/PKGBUILD b/distro/pkg/arch/PKGBUILD
index 967ad7ca..7eea556e 100644
--- a/distro/pkg/arch/PKGBUILD
+++ b/distro/pkg/arch/PKGBUILD
@@ -20,6 +20,7 @@ depends=(
'systemd'
'libcap-ng'
'libnghttp2'
+ 'jemalloc'
)
makedepends=(
'cmocka'
@@ -47,6 +48,7 @@ build() {
-D systemd_files=enabled \
-D client=enabled \
-D install_kresd_conf=enabled \
+ -D malloc=jemalloc \
-D unit_tests=enabled
ninja -C build
}
diff --git a/distro/pkg/deb/control b/distro/pkg/deb/control
index be545bb7..c4d1edb2 100644
--- a/distro/pkg/deb/control
+++ b/distro/pkg/deb/control
@@ -17,6 +17,7 @@ Build-Depends:
libsystemd-dev (>= 227) [linux-any],
libcap-ng-dev,
libuv1-dev,
+ libjemalloc-dev,
luajit,
pkg-config,
meson (>= 0.49),
diff --git a/distro/pkg/deb/copyright b/distro/pkg/deb/copyright
index dc2c9bbb..96e23ca2 100644
--- a/distro/pkg/deb/copyright
+++ b/distro/pkg/deb/copyright
@@ -3,7 +3,7 @@ Upstream-Name: knot-resolver
Source: https://www.knot-resolver.cz/
Files: *
-Copyright: 2015-2018 CZ.NIC
+Copyright: CZ.NIC
License: GPL-3.0+
Files: contrib/ccan/asprintf/*
diff --git a/distro/pkg/deb/rules b/distro/pkg/deb/rules
index 9864d5de..787dad99 100755
--- a/distro/pkg/deb/rules
+++ b/distro/pkg/deb/rules
@@ -34,6 +34,7 @@ override_dh_auto_build:
-Droot_hints=/usr/share/dns/root.hints \
-Dinstall_kresd_conf=enabled \
-Dunit_tests=enabled \
+ -Dmalloc=jemalloc \
-Dc_args="$${CFLAGS}" \
-Dc_link_args="$${LDFLAGS}"
ninja -v -C build_deb
diff --git a/distro/pkg/nix/default.nix b/distro/pkg/nix/default.nix
index af42fa80..16c66d05 100644
--- a/distro/pkg/nix/default.nix
+++ b/distro/pkg/nix/default.nix
@@ -3,7 +3,7 @@
, runCommand, pkg-config, meson, ninja, makeWrapper
# build+runtime deps.
, knot-dns, luajitPackages, libuv, gnutls, lmdb
-, systemd, libcap_ng, dns-root-data, nghttp2 # optionals, in principle
+, jemalloc, systemd, libcap_ng, dns-root-data, nghttp2 # optionals, in principle
# test-only deps.
, cmocka, which, cacert
, extraFeatures ? false /* catch-all if defaults aren't enough */
@@ -56,7 +56,7 @@ unwrapped = stdenv.mkDerivation rec {
# http://knot-resolver.readthedocs.io/en/latest/build.html#requirements
buildInputs = [ knot-dns lua.lua libuv gnutls lmdb ]
++ optionals stdenv.isLinux [ systemd libcap_ng ]
- ++ [ nghttp2 ]
+ ++ [ jemalloc nghttp2 ]
## optional dependencies; TODO: dnstap
;
@@ -64,6 +64,7 @@ unwrapped = stdenv.mkDerivation rec {
"-Dkeyfile_default=${dns-root-data}/root.ds"
"-Droot_hints=${dns-root-data}/root.hints"
"-Dinstall_kresd_conf=disabled" # not really useful; examples are inside share/doc/
+ "-Dmalloc=jemalloc"
"--default-library=static" # not used by anyone
]
++ optional doInstallCheck "-Dunit_tests=enabled"
diff --git a/distro/pkg/rpm/knot-resolver.spec b/distro/pkg/rpm/knot-resolver.spec
index cff04740..565d47c0 100644
--- a/distro/pkg/rpm/knot-resolver.spec
+++ b/distro/pkg/rpm/knot-resolver.spec
@@ -48,6 +48,7 @@ BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(libcap-ng)
BuildRequires: pkgconfig(libuv)
BuildRequires: pkgconfig(luajit) >= 2.0
+BuildRequires: jemalloc-devel
BuildRequires: python3-devel
Requires: systemd
@@ -183,6 +184,7 @@ CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}" meson build_rpm \
-Dkeyfile_default="%{_sharedstatedir}/knot-resolver/root.keys" \
-Dinstall_root_keys=enabled \
-Dinstall_kresd_conf=enabled \
+ -Dmalloc=jemalloc \
--buildtype=plain \
--prefix="%{_prefix}" \
--sbindir="%{_sbindir}" \
diff --git a/doc/build.rst b/doc/build.rst
index c099b0ef..30f1d77b 100644
--- a/doc/build.rst
+++ b/doc/build.rst
@@ -111,6 +111,7 @@ Resolver:
.. csv-table::
:header: "Optional", "Needed for", "Notes"
+ "jemalloc_", "``daemon``", "Improve long-term memory consumption."
"nghttp2_", "``daemon``", "DNS over HTTPS support."
"libsystemd_", "``daemon``", "Systemd watchdog support."
"`libcap-ng`_", "``daemon``", "Linux capabilities: support dropping them."
@@ -118,6 +119,7 @@ Resolver:
"`lua-http`_", "``modules/http``", "HTTP/2 client/server for Lua."
"`lua-cqueues`_", "some lua modules", ""
"cmocka_", "``unit tests``", "Unit testing framework."
+ "dnsdist_", "``proxyv2 test``", "DNS proxy server"
"Doxygen_", "``documentation``", "Generating API documentation."
"Sphinx_, sphinx-tabs_ and sphinx_rtd_theme_", "``documentation``", "Building this
documentation."
@@ -171,7 +173,7 @@ After that it is possible to build and install Knot Resolver.
.. code-block:: bash
- # build Knot Resolver
+ $ meson setup build_dir --prefix=/tmp/kr --default-library=static
$ ninja -C build_dir
# install Knot Resolver into the previously configured '/tmp/kr' path
@@ -196,7 +198,7 @@ For complete list of build options create a build directory and run:
.. code-block:: bash
- $ meson build_dir
+ $ meson setup build_dir
$ meson configure build_dir
To customize project build options, use ``-Doption=value`` when creating
@@ -204,7 +206,7 @@ a build directory:
.. code-block:: bash
- $ meson build_dir -Ddoc=enabled
+ $ meson setup build_dir -Ddoc=enabled
... or change options in an already existing build directory:
@@ -238,7 +240,7 @@ target ``doc`` must be called explicitly.
.. code-block:: bash
- $ meson build_dir -Ddoc=enabled
+ $ meson configure build_dir -Ddoc=enabled
$ ninja -C build_dir doc
Tarball
@@ -320,6 +322,7 @@ For development, it's possible to build the container directly from your git tre
$ docker build -t knot-resolver .
+.. _jemalloc: https://jemalloc.net
.. _libuv: https://github.com/libuv/libuv
.. _LuaJIT: http://luajit.org/luajit.html
.. _Doxygen: https://www.doxygen.nl/manual/index.html
@@ -331,6 +334,7 @@ For development, it's possible to build the container directly from your git tre
.. _pkg-config: https://www.freedesktop.org/wiki/Software/pkg-config/
.. _libknot: https://gitlab.nic.cz/knot/knot-dns
.. _cmocka: https://cmocka.org/
+.. _dnsdist: https://dnsdist.org/
.. _lua-basexx: https://github.com/aiq/basexx
.. _lua-http: https://luarocks.org/modules/daurnimator/http
.. _lua-cqueues: https://25thandclement.com/~william/projects/cqueues.html
diff --git a/doc/conf.py b/doc/conf.py
index 3998df79..8f9c9ab9 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -32,7 +32,7 @@ master_doc = 'index'
# General information about the project.
project = u'Knot Resolver'
-copyright = u'2014-2022 CZ.NIC labs'
+copyright = u'CZ.NIC labs'
with open('../meson.build') as f:
for line in f:
match = re.match(r"\s*version\s*:\s*'([^']+)'.*", line)
diff --git a/doc/kresd.8.in b/doc/kresd.8.in
index 04a8d888..b052a5af 100644
--- a/doc/kresd.8.in
+++ b/doc/kresd.8.in
@@ -2,7 +2,7 @@
.\"
.\" kresd.8 -- kresd daemon manpage
.\"
-.\" Copyright (c) 2019, CZ.NIC. All rights reserved.
+.\" Copyright (c) CZ.NIC. All rights reserved.
.\"
.\" SPDX-License-Identifier: GPL-3.0-or-later
.\"
diff --git a/doc/upgrading.rst b/doc/upgrading.rst
index 019273b3..e630e9e7 100644
--- a/doc/upgrading.rst
+++ b/doc/upgrading.rst
@@ -99,7 +99,7 @@ Users
* Users of :ref:`control-sockets` API need to terminate each command sent to resolver with newline
character (ASCII ``\n``). Correct usage: ``cache.stats()\n``.
Newline terminated commands are accepted by all resolver versions >= 1.0.0.
-* `DNS Flag Day 2020 <https://dnsflagday.net/2020/>`_ is now effective and Knot Resolver uses
+* `DNS Flag Day 2020 <https://www.dnsflagday.net/2020/>`_ is now effective and Knot Resolver uses
maximum size of UDP answer to 1232 bytes. Please double-check your firewall,
it has to allow DNS traffic on UDP and **also TCP** port 53.
* Human readable output in interactive mode and from :ref:`control-sockets` was improved and
diff --git a/lib/cache/api.c b/lib/cache/api.c
index 6a572b03..116d775e 100644
--- a/lib/cache/api.c
+++ b/lib/cache/api.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -597,14 +597,11 @@ static ssize_t stash_rrset(struct kr_cache *cache, const struct kr_query *qry,
if (kr_fails_assert(val_new_entry.data))
return kr_error(EFAULT);
- const uint32_t ttl = rr->ttl;
- /* FIXME: consider TTLs and expirations of RRSIGs as well, just in case. */
-
/* Write the entry itself. */
struct entry_h *eh = val_new_entry.data;
memset(eh, 0, offsetof(struct entry_h, data));
eh->time = timestamp;
- eh->ttl = MAX(MIN(ttl, cache->ttl_max), cache->ttl_min);
+ eh->ttl = rr->ttl;
eh->rank = rank;
rdataset_dematerialize(&rr->rrs, eh->data);
rdataset_dematerialize(rds_sigs, eh->data + rr_ssize);
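Review bot: With the clamp removed, `eh->ttl = rr->ttl;` stores whatever TTL the caller passes, so `stash_rrset` depends on every path into it having applied `ttl_min`/`ttl_max` beforehand. The `api.h` comment in this commit says the limits are enforced "primarily in iterator"; records inserted without passing through the iterator (the Lua `c:insert` call in the updated test looks like one such path, to be confirmed) would then be cached with an unbounded lifetime. I would at least document the contract at the assignment, e.g. `/* TTL bounds are applied by the iterator; other callers must bound rr->ttl themselves. */`, or keep the upper bound here as a cheap second check. The body of `stash_rrset` starts and ends outside this hunk.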
diff --git a/lib/cache/api.h b/lib/cache/api.h
index 76cbebc1..0abe9202 100644
--- a/lib/cache/api.h
+++ b/lib/cache/api.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -25,7 +25,7 @@ struct kr_cache
kr_cdb_pt db; /**< Storage instance */
const struct kr_cdb_api *api; /**< Storage engine */
struct kr_cdb_stats stats;
- uint32_t ttl_min, ttl_max; /**< TTL limits */
+ uint32_t ttl_min, ttl_max; /**< TTL limits; enforced primarily in iterator actually. */
/* A pair of stamps for detection of real-time shifts during runtime. */
struct timeval checkpoint_walltime; /**< Wall time on the last check-point. */
diff --git a/lib/cache/cdb_api.h b/lib/cache/cdb_api.h
index ec184169..fcca8a9a 100644
--- a/lib/cache/cdb_api.h
+++ b/lib/cache/cdb_api.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/cdb_lmdb.c b/lib/cache/cdb_lmdb.c
index 09a1c907..80c73729 100644
--- a/lib/cache/cdb_lmdb.c
+++ b/lib/cache/cdb_lmdb.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/cdb_lmdb.h b/lib/cache/cdb_lmdb.h
index 3429a222..988fccf0 100644
--- a/lib/cache/cdb_lmdb.h
+++ b/lib/cache/cdb_lmdb.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/entry_list.c b/lib/cache/entry_list.c
index 31688de1..4dced2fe 100644
--- a/lib/cache/entry_list.c
+++ b/lib/cache/entry_list.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/entry_pkt.c b/lib/cache/entry_pkt.c
index fa59380d..884bfaa8 100644
--- a/lib/cache/entry_pkt.c
+++ b/lib/cache/entry_pkt.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -13,33 +13,20 @@
#include "lib/cache/impl.h"
-/** Compute TTL for a packet. Generally it's minimum TTL, with extra conditions. */
+/** Compute TTL for a packet. It's minimum TTL or zero. (You can apply limits.) */
KR_EXPORT
-uint32_t packet_ttl(const knot_pkt_t *pkt, bool is_negative)
+uint32_t packet_ttl(const knot_pkt_t *pkt)
{
bool has_ttl = false;
uint32_t ttl = TTL_MAX_MAX;
- /* Find minimum entry TTL in the packet or SOA minimum TTL. */
for (knot_section_t i = KNOT_ANSWER; i <= KNOT_ADDITIONAL; ++i) {
const knot_pktsection_t *sec = knot_pkt_section(pkt, i);
for (unsigned k = 0; k < sec->count; ++k) {
const knot_rrset_t *rr = knot_pkt_rr(sec, k);
- if (is_negative) {
- /* Use SOA minimum TTL for negative answers. */
- if (rr->type == KNOT_RRTYPE_SOA) {
- return MIN(rr->ttl, knot_soa_minimum(rr->rrs.rdata));
- } else {
- continue; /* Use SOA only for negative answers. */
- }
- }
- if (knot_rrtype_is_metatype(rr->type)) {
- continue; /* Skip metatypes. */
- }
ttl = MIN(ttl, rr->ttl);
has_ttl = true;
}
}
- /* If no valid TTL present, go with zero (will get clamped to minimum). */
return has_ttl ? ttl : 0;
}
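Review bot: With the `knot_rrtype_is_metatype()` skip gone, the loop in `packet_ttl()` folds the `ttl` field of every record in ANSWER..ADDITIONAL into the minimum, and for a pseudo-record such as OPT that field is not a lifetime. If such a record is among the records walked here (not visible from this hunk), the result can collapse to a small or zero value, and the entry then lands on `cache->ttl_min` after the clamp in `stash_pkt()`. The SOA-minimum branch for negative answers is removed as well, and the hunk does not show where that bound is applied now. I would either keep `if (knot_rrtype_is_metatype(rr->type)) continue;` or state the intent in the doc comment, e.g. `/** Minimum of all record TTL fields (meta-records included), or zero; SOA minimum is not considered here. */`.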
@@ -120,7 +107,7 @@ void stash_pkt(const knot_pkt_t *pkt, const struct kr_query *qry,
struct entry_h *eh = val_new_entry.data;
memset(eh, 0, offsetof(struct entry_h, data));
eh->time = qry->timestamp.tv_sec;
- eh->ttl = MAX(MIN(packet_ttl(pkt, is_negative), cache->ttl_max), cache->ttl_min);
+ eh->ttl = MAX(MIN(packet_ttl(pkt), cache->ttl_max), cache->ttl_min);
eh->rank = rank;
eh->is_packet = true;
eh->has_optout = qf->DNSSEC_OPTOUT;
diff --git a/lib/cache/entry_rr.c b/lib/cache/entry_rr.c
index 7ab5a56a..3239e7e5 100644
--- a/lib/cache/entry_rr.c
+++ b/lib/cache/entry_rr.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/impl.h b/lib/cache/impl.h
index a670281e..305f36eb 100644
--- a/lib/cache/impl.h
+++ b/lib/cache/impl.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/knot_pkt.c b/lib/cache/knot_pkt.c
index 4c3fc595..31fa7e9b 100644
--- a/lib/cache/knot_pkt.c
+++ b/lib/cache/knot_pkt.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/nsec1.c b/lib/cache/nsec1.c
index 3fcd05e8..45543034 100644
--- a/lib/cache/nsec1.c
+++ b/lib/cache/nsec1.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/nsec3.c b/lib/cache/nsec3.c
index 928b680c..0b707759 100644
--- a/lib/cache/nsec3.c
+++ b/lib/cache/nsec3.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cache/peek.c b/lib/cache/peek.c
index 860ba86b..e1901ac3 100644
--- a/lib/cache/peek.c
+++ b/lib/cache/peek.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -134,6 +134,12 @@ int peek_nosync(kr_layer_t *ctx, knot_pkt_t *pkt)
return ctx->state;
}
+ /* Avoid aggressive answers in STUB mode.
+ * As STUB mode doesn't validate, it wouldn't save the necessary records.
+ * Moreover, this special case avoids unintentional NXDOMAIN on grafted subtrees. */
+ if (qry->flags.STUB)
+ return ctx->state;
+
/**** 1b. otherwise, find the longest prefix zone/xNAME (with OK time+rank). [...] */
k->zname = qry->sname;
ret = kr_dname_lf(k->buf, k->zname, false); /* LATER(optim.): probably remove */
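Review bot: The added `if (qry->flags.STUB) return ctx->state;` skips everything after it, including the step 1b longest-prefix zone/xNAME search that starts right below, while the comment speaks only of aggressive answers. If skipping 1b is intended, the comment should say so, for example `/* In STUB mode stop after the exact-name lookup: no zone/xNAME search and no aggressive answers. */`. `peek_nosync()` begins and ends outside the hunk, so what precedes the check is inferred from the context lines.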
diff --git a/lib/cache/util.h b/lib/cache/util.h
index 0a2f329c..3f818300 100644
--- a/lib/cache/util.h
+++ b/lib/cache/util.h
@@ -1,4 +1,4 @@
/* SPDX-License-Identifier: GPL-3.0-or-later */
#include <libknot/packet/pkt.h>
-uint32_t packet_ttl(const knot_pkt_t *pkt, bool is_negative);
+uint32_t packet_ttl(const knot_pkt_t *pkt);
diff --git a/lib/cookies/alg_containers.c b/lib/cookies/alg_containers.c
index e109ae6b..1da0bda9 100644
--- a/lib/cookies/alg_containers.c
+++ b/lib/cookies/alg_containers.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/alg_containers.h b/lib/cookies/alg_containers.h
index 3b50ccaa..5764c281 100644
--- a/lib/cookies/alg_containers.h
+++ b/lib/cookies/alg_containers.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/alg_sha.c b/lib/cookies/alg_sha.c
index 43b19eef..34e79c38 100644
--- a/lib/cookies/alg_sha.c
+++ b/lib/cookies/alg_sha.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/alg_sha.h b/lib/cookies/alg_sha.h
index de7a75a3..e97972ac 100644
--- a/lib/cookies/alg_sha.h
+++ b/lib/cookies/alg_sha.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/control.h b/lib/cookies/control.h
index f977c945..475b3fd5 100644
--- a/lib/cookies/control.h
+++ b/lib/cookies/control.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/helper.c b/lib/cookies/helper.c
index 8ef21517..48678176 100644
--- a/lib/cookies/helper.c
+++ b/lib/cookies/helper.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/helper.h b/lib/cookies/helper.h
index 0fee2fce..dfde90ee 100644
--- a/lib/cookies/helper.h
+++ b/lib/cookies/helper.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/lru_cache.c b/lib/cookies/lru_cache.c
index 1b629f71..245d1c38 100644
--- a/lib/cookies/lru_cache.c
+++ b/lib/cookies/lru_cache.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/lru_cache.h b/lib/cookies/lru_cache.h
index 3594ee13..a0f6cab2 100644
--- a/lib/cookies/lru_cache.h
+++ b/lib/cookies/lru_cache.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/nonce.c b/lib/cookies/nonce.c
index 2930ea0a..1b50d876 100644
--- a/lib/cookies/nonce.c
+++ b/lib/cookies/nonce.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/cookies/nonce.h b/lib/cookies/nonce.h
index 4d8460f9..6c2970f9 100644
--- a/lib/cookies/nonce.h
+++ b/lib/cookies/nonce.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/defines.h b/lib/defines.h
index 226f7216..6b6dac56 100644
--- a/lib/defines.h
+++ b/lib/defines.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -64,9 +64,9 @@ static inline int KR_COLD kr_error(int x) {
#define KR_DNS_DOH_PORT 443
#define KR_DNS_TLS_PORT 853
#define KR_EDNS_VERSION 0
-#define KR_EDNS_PAYLOAD 1232 /* Default UDP payload; see https://dnsflagday.net/2020/ */
+#define KR_EDNS_PAYLOAD 1232 /* Default UDP payload; see https://www.dnsflagday.net/2020/ */
#define KR_CACHE_DEFAULT_TTL_MIN (5) /* avoid bursts of queries */
-#define KR_CACHE_DEFAULT_TTL_MAX (6 * 24 * 3600) /* 6 days, like the root NS TTL */
+#define KR_CACHE_DEFAULT_TTL_MAX (1 * 24 * 3600) /* one day seems enough; fits prefill module */
#define KR_DNAME_STR_MAXLEN (KNOT_DNAME_TXT_MAXLEN + 1)
#define KR_RRTYPE_STR_MAXLEN (16 + 1)
diff --git a/lib/dnssec.c b/lib/dnssec.c
index f56ab759..d6ae3cc6 100644
--- a/lib/dnssec.c
+++ b/lib/dnssec.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -144,16 +144,24 @@ int kr_rrset_validate(kr_rrset_validation_ctx_t *vctx, knot_rrset_t *covered)
/** Assuming `rrs` was validated with `sig`, trim its TTL in case it's over-extended. */
static bool trim_ttl(knot_rrset_t *rrs, const knot_rdata_t *sig,
- uint32_t timestamp, const struct kr_query *log_qry)
+ const kr_rrset_validation_ctx_t *vctx)
{
- const uint32_t ttl_max = MIN(knot_rrsig_original_ttl(sig),
- knot_rrsig_sig_expiration(sig) - timestamp);
+ /* The trimming logic is a bit complicated.
+ *
+ * We respect configured ttl_min over the (signed) original TTL,
+ * but we very much want to avoid TTLs over signature expiration,
+ * as that could cause serious issues with downstream validators.
+ */
+ const uint32_t ttl_max = MIN(
+ MAX(knot_rrsig_original_ttl(sig), vctx->ttl_min),
+ knot_rrsig_sig_expiration(sig) - vctx->timestamp
+ );
if (likely(rrs->ttl <= ttl_max))
return false;
- if (kr_log_is_debug_qry(VALIDATOR, log_qry)) {
+ if (kr_log_is_debug_qry(VALIDATOR, vctx->log_qry)) {
auto_free char *name_str = kr_dname_text(rrs->owner),
*type_str = kr_rrtype_text(rrs->type);
- kr_log_q(log_qry, VALIDATOR, "trimming TTL of %s %s: %d -> %d\n",
+ kr_log_q(vctx->log_qry, VALIDATOR, "trimming TTL of %s %s: %d -> %d\n",
name_str, type_str, (int)rrs->ttl, (int)ttl_max);
}
rrs->ttl = ttl_max;
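Review bot: `knot_rrsig_sig_expiration(sig) - vctx->timestamp` is an unsigned subtraction, so for a signature whose expiration lies before `vctx->timestamp` it wraps to a very large value and the `MIN()` then lets `MAX(knot_rrsig_original_ttl(sig), vctx->ttl_min)` through untrimmed. The function's contract ("assuming `rrs` was validated with `sig`") presumably excludes that case, but now that `ttl_min` can lift the cap above the signed original TTL, the expiration term is the only hard limit left. I would make the dependency explicit with a comment such as `/* Relies on the caller having rejected expired signatures; otherwise the subtraction wraps. */` or an assertion to the same effect. The body of `trim_ttl()` continues past the end of this hunk.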
@@ -204,7 +212,7 @@ struct kr_svldr_ctx * kr_svldr_new_ctx(const knot_rrset_t *ds, knot_rrset_t *dns
struct kr_svldr_ctx *ctx = calloc(1, sizeof(*ctx));
if (unlikely(!ctx))
return NULL;
- ctx->vctx.timestamp = timestamp;
+ ctx->vctx.timestamp = timestamp; // .ttl_min is implicitly zero
ctx->vctx.zone_name = knot_dname_copy(ds->owner, NULL);
if (unlikely(!ctx->vctx.zone_name))
goto fail;
@@ -254,7 +262,7 @@ static int kr_svldr_rrset_with_key(knot_rrset_t *rrs, const knot_rdataset_t *rrs
// that also means we don't need to perform non-existence proofs.
const int trim_labels = (val_flgs & FLG_WILDCARD_EXPANSION) ? 1 : 0;
if (kr_check_signature(rdata_j, key->key, rrs, trim_labels) == 0) {
- trim_ttl(rrs, rdata_j, vctx->timestamp, vctx->log_qry);
+ trim_ttl(rrs, rdata_j, vctx);
vctx->result = kr_ok();
return vctx->result;
} else {
@@ -382,7 +390,7 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx,
vctx->flags |= KR_DNSSEC_VFLG_WEXPAND;
}
- trim_ttl(covered, rdata_j, vctx->timestamp, vctx->log_qry);
+ trim_ttl(covered, rdata_j, vctx);
kr_dnssec_key_free(&created_key);
vctx->result = kr_ok();
diff --git a/lib/dnssec.h b/lib/dnssec.h
index 97c8831d..0fbd47c0 100644
--- a/lib/dnssec.h
+++ b/lib/dnssec.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -38,6 +38,7 @@ struct kr_rrset_validation_ctx {
knot_rrset_t *keys; /*!< DNSKEY RRSet; TTLs may get lowered when validating this set. */
const knot_dname_t *zone_name; /*!< Name of the zone containing the RRSIG RRSet. */
uint32_t timestamp; /*!< Validation time. */
+ uint32_t ttl_min; /*!< See trim_ttl() for details. */
bool has_nsec3; /*!< Whether to use NSEC3 validation. */
uint32_t qry_uid; /*!< Current query uid. */
uint32_t flags; /*!< Output - Flags. */
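Review bot: The new field comment `See trim_ttl() for details.` points at a function that is `static` in lib/dnssec.c, so a reader of this header cannot follow the reference without opening the implementation. I would describe the effect in place, e.g. `uint32_t ttl_min; /*!< Lower TTL bound; may lift a TTL above the RRSIG original TTL, but never past signature expiration. */`. It is also worth saying there that a context which never sets the field runs with zero, as `kr_svldr_new_ctx()` does through `calloc`. The struct definition starts and ends outside the hunk.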
diff --git a/lib/dnssec/nsec.c b/lib/dnssec/nsec.c
index 7eaeedbe..8b172478 100644
--- a/lib/dnssec/nsec.c
+++ b/lib/dnssec/nsec.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/dnssec/nsec.h b/lib/dnssec/nsec.h
index 1ba9ec8e..a173fa54 100644
--- a/lib/dnssec/nsec.h
+++ b/lib/dnssec/nsec.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index e260b046..037d5bdc 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index 0fdbfcef..eb0bd397 100644
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/dnssec/signature.c b/lib/dnssec/signature.c
index 062067a0..aadb5cb9 100644
--- a/lib/dnssec/signature.c
+++ b/lib/dnssec/signature.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/dnssec/signature.h b/lib/dnssec/signature.h
index 247d253e..1cc6c8f6 100644
--- a/lib/dnssec/signature.h
+++ b/lib/dnssec/signature.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c
index 574563be..becf7d81 100644
--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/dnssec/ta.h b/lib/dnssec/ta.h
index 73292162..1eb1dd94 100644
--- a/lib/dnssec/ta.h
+++ b/lib/dnssec/ta.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/array.h b/lib/generic/array.h
index 6f969a22..9f351189 100644
--- a/lib/generic/array.h
+++ b/lib/generic/array.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/lru.c b/lib/generic/lru.c
index 5ad791f7..857b20b3 100644
--- a/lib/generic/lru.c
+++ b/lib/generic/lru.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/lru.h b/lib/generic/lru.h
index 32aabd7d..448c1b92 100644
--- a/lib/generic/lru.h
+++ b/lib/generic/lru.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
/**
diff --git a/lib/generic/pack.h b/lib/generic/pack.h
index c4aef3d3..18d57db5 100644
--- a/lib/generic/pack.h
+++ b/lib/generic/pack.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/queue.c b/lib/generic/queue.c
index 88348752..5bed153e 100644
--- a/lib/generic/queue.c
+++ b/lib/generic/queue.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/queue.h b/lib/generic/queue.h
index 034e5266..3fa52cea 100644
--- a/lib/generic/queue.h
+++ b/lib/generic/queue.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
/**
diff --git a/lib/generic/test_array.c b/lib/generic/test_array.c
index 98c59584..3e95b497 100644
--- a/lib/generic/test_array.c
+++ b/lib/generic/test_array.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/test_lru.c b/lib/generic/test_lru.c
index 5cd4811e..7c2f11f0 100644
--- a/lib/generic/test_lru.c
+++ b/lib/generic/test_lru.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/test_pack.c b/lib/generic/test_pack.c
index 692f253d..e1c1ab59 100644
--- a/lib/generic/test_pack.c
+++ b/lib/generic/test_pack.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/test_queue.c b/lib/generic/test_queue.c
index 3a6b5be9..eb26b01a 100644
--- a/lib/generic/test_queue.c
+++ b/lib/generic/test_queue.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/test_trie.c b/lib/generic/test_trie.c
index c71005ae..9ecd67cd 100644
--- a/lib/generic/test_trie.c
+++ b/lib/generic/test_trie.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/generic/trie.c b/lib/generic/trie.c
index 51a37b93..f9aceda7 100644
--- a/lib/generic/trie.c
+++ b/lib/generic/trie.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
The code originated from https://github.com/fanf2/qp/blob/master/qp.c
diff --git a/lib/generic/trie.h b/lib/generic/trie.h
index 8c442976..a5f0347a 100644
--- a/lib/generic/trie.h
+++ b/lib/generic/trie.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017-2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/layer.h b/lib/layer.h
index 1e7d112c..77215608 100644
--- a/lib/layer.h
+++ b/lib/layer.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/layer/cache.c b/lib/layer/cache.c
index a532efdf..2f1ba605 100644
--- a/lib/layer/cache.c
+++ b/lib/layer/cache.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index a7308993..98202a18 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -1010,6 +1010,22 @@ static bool satisfied_by_additional(const struct kr_query *qry)
return false;
}
+/** Restrict all RRset TTLs to the specified bounds (if matching qry_uid). */
+static void bound_ttls(ranked_rr_array_t *array, uint32_t qry_uid,
+ uint32_t ttl_min, uint32_t ttl_max)
+{
+ for (ssize_t i = 0; i < array->len; ++i) {
+ if (array->at[i]->qry_uid != qry_uid)
+ continue;
+ uint32_t *ttl = &array->at[i]->rr->ttl;
+ if (*ttl < ttl_min) {
+ *ttl = ttl_min;
+ } else if (*ttl > ttl_max) {
+ *ttl = ttl_max;
+ }
+ }
+}
+
/** Resolve input query or continue resolution with followups.
*
* This roughly corresponds to RFC1034, 5.3.3 4a-d.
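Review bot: `bound_ttls()` does not define what happens when `ttl_min > ttl_max`: the first branch wins, so every TTL below `ttl_min` is raised to a value above `ttl_max`. Nothing in this hunk shows whether the configuration layer rejects such a pair, so I would document the precedence in the doc comment, e.g. `/** Clamp RRset TTLs of the given qry_uid into [ttl_min, ttl_max]; ttl_min takes precedence if the bounds cross. */`. The loop index is `ssize_t` while the type of `array->len` is not visible here; if it is unsigned, `size_t i` avoids a mixed-sign comparison.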
@@ -1039,12 +1055,6 @@ static int resolve(kr_layer_t *ctx, knot_pkt_t *pkt)
/* Check for packet processing errors first.
* Note - we *MUST* check if it has at least a QUESTION,
* otherwise it would crash on accessing QNAME. */
-#ifdef STRICT_MODE
- if (pkt->parsed < pkt->size) {
- VERBOSE_MSG("<= pkt contains excessive data\n");
- return KR_STATE_FAIL;
- } else
-#endif
if (pkt->parsed <= KNOT_WIRE_HEADER_SIZE) {
if (pkt->parsed == KNOT_WIRE_HEADER_SIZE && knot_wire_get_rcode(pkt->wire) == KNOT_RCODE_FORMERR) {
/* This is a special case where we get valid header with FORMERR and nothing else.
@@ -1080,6 +1090,7 @@ static int resolve(kr_layer_t *ctx, knot_pkt_t *pkt)
}
/* If exiting above here, there's no sense to put it into packet cache.
+ * Having "extra bytes" at the end of DNS message is considered SANE here.
* The most important part is to check for spoofing: is_paired_to_query() */
query->flags.PKT_IS_SANE = true;
@@ -1135,6 +1146,15 @@ static int resolve(kr_layer_t *ctx, knot_pkt_t *pkt)
break;
}
+ /* Check for "extra bytes" is deferred, so that RCODE-based failures take priority. */
+ if (ret != KR_STATE_FAIL && pkt->parsed < pkt->size) {
+ VERBOSE_MSG("<= malformed response with %zu extra bytes\n",
+ pkt->size - pkt->parsed);
+ ret = KR_STATE_FAIL;
+ if (selection_error == KR_SELECTION_OK)
+ selection_error = KR_SELECTION_MALFORMED;
+ }
+
if (query->server_selection.initialized) {
query->server_selection.error(query, req->upstream.transport, selection_error);
}
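Review bot: A response that fails the new trailing-bytes check at `pkt->parsed < pkt->size` has already been marked with `query->flags.PKT_IS_SANE = true` earlier in `resolve()`, so the flag and the failing state now disagree for this one case. Whether any consumer of `PKT_IS_SANE` acts on it without also looking at the returned state is not visible in these hunks and is worth confirming. A pointer next to the check would help, such as `/* PKT_IS_SANE stays set on purpose; consumers must also check the state. */`. `resolve()` starts and ends outside the hunk.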
@@ -1182,12 +1202,14 @@ rrarray_finalize:
/* Finish construction of libknot-format RRsets.
* We do this even if dropping the answer, though it's probably useless. */
(void)0;
+ const struct kr_cache *cache = &req->ctx->cache;
ranked_rr_array_t *selected[] = kr_request_selected(req);
for (knot_section_t i = KNOT_ANSWER; i <= KNOT_ADDITIONAL; ++i) {
ret = kr_ranked_rrarray_finalize(selected[i], query->uid, &req->pool);
- if (unlikely(ret)) {
+ if (unlikely(ret))
return KR_STATE_FAIL;
- }
+ if (!query->flags.CACHED)
+ bound_ttls(selected[i], query->uid, cache->ttl_min, cache->ttl_max);
}
return state;
diff --git a/lib/layer/iterate.h b/lib/layer/iterate.h
index e5ebe383..4ea43517 100644
--- a/lib/layer/iterate.h
+++ b/lib/layer/iterate.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index ef21e301..93f1d4fc 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -268,6 +268,7 @@ static int validate_records(struct kr_request *req, knot_pkt_t *answer, knot_mm_
.keys = qry->zone_cut.key,
.zone_name = qry->zone_cut.name,
.timestamp = qry->timestamp.tv_sec,
+ .ttl_min = req->ctx->cache.ttl_min,
.qry_uid = qry->uid,
.has_nsec3 = has_nsec3,
.flags = 0,
@@ -377,6 +378,7 @@ static int validate_keyset(struct kr_request *req, knot_pkt_t *answer, bool has_
.keys = qry->zone_cut.key,
.zone_name = qry->zone_cut.name,
.timestamp = qry->timestamp.tv_sec,
+ .ttl_min = req->ctx->cache.ttl_min,
.qry_uid = qry->uid,
.has_nsec3 = has_nsec3,
.flags = 0,
diff --git a/lib/log.c b/lib/log.c
index 968172a1..1a3d7154 100644
--- a/lib/log.c
+++ b/lib/log.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/log.h b/lib/log.h
index 272f9af0..1a0237a1 100644
--- a/lib/log.h
+++ b/lib/log.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/module.c b/lib/module.c
index e38ce618..83ae7737 100644
--- a/lib/module.c
+++ b/lib/module.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/module.h b/lib/module.h
index 011acbb7..7548803c 100644
--- a/lib/module.h
+++ b/lib/module.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/resolve.c b/lib/resolve.c
index 877b078a..aa3d5215 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -619,11 +619,8 @@ static int query_finalize(struct kr_request *request, struct kr_query *qry, knot
ret = edns_create(pkt, request);
if (ret) return ret;
if (qry->flags.STUB) {
- /* Stub resolution (ask for +rd and +do) */
+ /* Stub resolution */
knot_wire_set_rd(pkt->wire);
- if (knot_pkt_has_dnssec(request->qsource.packet)) {
- knot_edns_set_do(pkt->opt_rr);
- }
if (knot_wire_get_cd(request->qsource.packet->wire)) {
knot_wire_set_cd(pkt->wire);
}
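Review bot: After this change the STUB branch still copies CD from the client's query but no longer copies DO, and the shortened comment `/* Stub resolution */` gives no reason for the asymmetry. A client that asked for DNSSEC records will presumably get an answer without them on this path, which is worth stating where the decision is made, e.g. `/* Stub resolution: set RD, mirror CD; DO is deliberately not forwarded. */`. `query_finalize()` begins and ends outside the hunk.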
diff --git a/lib/resolve.h b/lib/resolve.h
index 64c9fc3c..97ba07b7 100644
--- a/lib/resolve.h
+++ b/lib/resolve.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/rplan.c b/lib/rplan.c
index 821563d6..0bedd8a7 100644
--- a/lib/rplan.c
+++ b/lib/rplan.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/rplan.h b/lib/rplan.h
index f210231b..891781fc 100644
--- a/lib/rplan.h
+++ b/lib/rplan.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/selection.c b/lib/selection.c
index 0a112884..5aa2992c 100644
--- a/lib/selection.c
+++ b/lib/selection.c
@@ -1,3 +1,7 @@
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
+
#include <libknot/dname.h>
#include "lib/selection.h"
diff --git a/lib/selection.h b/lib/selection.h
index 468638bf..34cc69c4 100644
--- a/lib/selection.h
+++ b/lib/selection.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/selection_forward.c b/lib/selection_forward.c
index fe33c237..54f9a122 100644
--- a/lib/selection_forward.c
+++ b/lib/selection_forward.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/selection_forward.h b/lib/selection_forward.h
index e66274ff..0c48c405 100644
--- a/lib/selection_forward.h
+++ b/lib/selection_forward.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
@@ -14,4 +14,4 @@ void forward_choose_transport(struct kr_query *qry,
void forward_error(struct kr_query *qry, const struct kr_transport *transport,
enum kr_selection_error sel_error);
void forward_update_rtt(struct kr_query *qry,
- const struct kr_transport *transport, unsigned rtt);
\ No newline at end of file
+ const struct kr_transport *transport, unsigned rtt);
diff --git a/lib/selection_iter.c b/lib/selection_iter.c
index c59a88c6..59782788 100644
--- a/lib/selection_iter.c
+++ b/lib/selection_iter.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/selection_iter.h b/lib/selection_iter.h
index ed844476..692463cb 100644
--- a/lib/selection_iter.h
+++ b/lib/selection_iter.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/test_module.c b/lib/test_module.c
index 5a8acfc0..d7124c19 100644
--- a/lib/test_module.c
+++ b/lib/test_module.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 201 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/test_rplan.c b/lib/test_rplan.c
index e56ea87d..12f4cc48 100644
--- a/lib/test_rplan.c
+++ b/lib/test_rplan.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/test_utils.c b/lib/test_utils.c
index a4b846fa..22f2483d 100644
--- a/lib/test_utils.c
+++ b/lib/test_utils.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/test_zonecut.c b/lib/test_zonecut.c
index f97c32d3..c0399636 100644
--- a/lib/test_zonecut.c
+++ b/lib/test_zonecut.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/utils.c b/lib/utils.c
index da2b8236..c1b25db6 100644
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/utils.h b/lib/utils.h
index 30ed4c49..0d1d8456 100644
--- a/lib/utils.h
+++ b/lib/utils.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/zonecut.c b/lib/zonecut.c
index 00b9145b..4ec40367 100644
--- a/lib/zonecut.c
+++ b/lib/zonecut.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/lib/zonecut.h b/lib/zonecut.h
index b44977ae..9c960ec3 100644
--- a/lib/zonecut.h
+++ b/lib/zonecut.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/meson.build b/meson.build
index f67daf4c..a0172afe 100644
--- a/meson.build
+++ b/meson.build
@@ -116,6 +116,18 @@ xdp = meson.get_compiler('c').has_header('libknot/xdp/xdp.h')
### Systemd
systemd_files = get_option('systemd_files')
libsystemd = dependency('libsystemd', required: systemd_files == 'enabled')
+
+### Allocator
+# use empty name to disable the dependency, but still compile the dependent kresd
+malloc_name = get_option('malloc') == 'disabled' ? '' : 'jemalloc'
+malloc = meson.get_compiler('c').find_library(
+ malloc_name,
+ required: get_option('malloc') == 'jemalloc',
+ #static: false, #TODO: add when bumping meson to >= 0.51;
+ # static linking would most likely cause issues.
+ # Fortunately it seems unlikely that dynamic wouldn't be found and static would be.
+)
+
message('---------------------------')
## Compiler args
@@ -175,6 +187,7 @@ conf_data.set('ENABLE_LIBSYSTEMD', libsystemd.found().to_int())
conf_data.set('ENABLE_SENDMMSG', sendmmsg.to_int())
conf_data.set('ENABLE_XDP', xdp.to_int())
conf_data.set('ENABLE_CAP_NG', capng.found().to_int())
+conf_data.set('ENABLE_JEMALLOC', malloc.found().to_int())
conf_data.set('ENABLE_DOH2', nghttp2.found().to_int())
conf_data.set('DBG_ASSERTION_ABORT', get_option('debug').to_int())
if get_option('debug')
@@ -300,6 +313,7 @@ s_sendmmsg = sendmmsg ? 'enabled': 'disabled'
s_xdp = xdp ? 'enabled': 'disabled'
s_openssl = openssl.found() ? 'present': 'missing'
s_capng = capng.found() ? 'enabled': 'disabled'
+s_malloc = malloc.found() ? 'jemalloc' : 'libc default'
s_doh2 = nghttp2.found() ? 'enabled': 'disabled'
message('''
@@ -339,6 +353,7 @@ message('''
XDP (in libknot): @0@'''.format(s_xdp) + '''
openssl debug: @0@'''.format(s_openssl) + '''
capng: @0@'''.format(s_capng) + '''
+ malloc: @0@'''.format(s_malloc) + '''
doh2: @0@'''.format(s_doh2) + '''
=======================================================
diff --git a/meson_options.txt b/meson_options.txt
index 5e28e673..b1af4478 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -164,6 +164,18 @@ option(
)
option(
+ 'malloc',
+ type: 'combo',
+ choices: [
+ 'auto', # 'jemalloc' if available
+ 'disabled', # default provided by libc
+ 'jemalloc',
+ ],
+ value: 'auto',
+ description: 'memory allocator to use in kresd',
+)
+
+option(
'doc',
type: 'combo',
choices: [
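Review bot: The `description` of the new `malloc` option does not say that the default `'auto'` links jemalloc only when the library is found at configure time and otherwise falls back to the libc allocator. Two builds of the same source can therefore ship kresd on different allocators, and the outcome is visible only in the configure summary and the `ENABLE_JEMALLOC` define. For a network-facing daemon that is worth making explicit, since memory behaviour and heap-corruption detection differ between allocators. I would spell it out, e.g. `description: 'memory allocator to use in kresd (auto: jemalloc if found, else libc default)'`, and have packaging pass `-Dmalloc=jemalloc` or `-Dmalloc=disabled` rather than rely on `auto`.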
diff --git a/modules/cookies/cookiectl.c b/modules/cookies/cookiectl.c
index 71673e26..f1ab80a7 100644
--- a/modules/cookies/cookiectl.c
+++ b/modules/cookies/cookiectl.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/modules/cookies/cookiectl.h b/modules/cookies/cookiectl.h
index 50ee9663..6740e165 100644
--- a/modules/cookies/cookiectl.h
+++ b/modules/cookies/cookiectl.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/modules/cookies/cookiemonster.c b/modules/cookies/cookiemonster.c
index af4655b4..595317bf 100644
--- a/modules/cookies/cookiemonster.c
+++ b/modules/cookies/cookiemonster.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/modules/cookies/cookiemonster.h b/modules/cookies/cookiemonster.h
index 5663b503..ab1fdeb9 100644
--- a/modules/cookies/cookiemonster.h
+++ b/modules/cookies/cookiemonster.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/modules/cookies/cookies.c b/modules/cookies/cookies.c
index 3ad82a16..5b688d3f 100644
--- a/modules/cookies/cookies.c
+++ b/modules/cookies/cookies.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/modules/dns64/README.rst b/modules/dns64/README.rst
index 07908c80..04d2427f 100644
--- a/modules/dns64/README.rst
+++ b/modules/dns64/README.rst
@@ -52,8 +52,11 @@ you can set ``DNS64_DISABLE`` flag via the :ref:`view module <mod-view>`.
.. code-block:: lua
modules = { 'dns64', 'view' }
- -- Disable dns64 for everyone, but re-enable it for two particular subnets.
+ -- disable dns64 for all IPv4 source addresses
+ view:addr('0.0.0.0/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
+ -- disable dns64 for all IPv6 source addresses
view:addr('::/0', policy.all(policy.FLAGS('DNS64_DISABLE')))
+ -- re-enable dns64 for two IPv6 subnets
view:addr('2001:db8:11::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE')))
view:addr('2001:db8:93::/48', policy.all(policy.FLAGS(nil, 'DNS64_DISABLE')))
diff --git a/modules/edns_keepalive/edns_keepalive.c b/modules/edns_keepalive/edns_keepalive.c
index 609aa9d1..30d5df32 100644
--- a/modules/edns_keepalive/edns_keepalive.c
+++ b/modules/edns_keepalive/edns_keepalive.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/modules/hints/hints.c b/modules/hints/hints.c
index 7bdcd2ca..34c08b9f 100644
--- a/modules/hints/hints.c
+++ b/modules/hints/hints.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/modules/http/http_doh.lua b/modules/http/http_doh.lua
index 8625c12d..33815f7b 100644
--- a/modules/http/http_doh.lua
+++ b/modules/http/http_doh.lua
@@ -3,12 +3,6 @@ local basexx = require('basexx')
local ffi = require('ffi')
local condition = require('cqueues.condition')
-local function get_http_ttl(pkt)
- local an_records = pkt:section(kres.section.ANSWER)
- local is_negative = #an_records <= 0
- return ffi.C.packet_ttl(pkt, is_negative)
-end
-
-- Trace execution of DNS queries
local function serve_doh(h, stream)
local input
@@ -68,7 +62,7 @@ local function serve_doh(h, stream)
local cond = condition.new()
local waiting, done = false, false
local finish_cb = function (answer, _)
- output_ttl = get_http_ttl(answer)
+ output_ttl = ffi.C.packet_ttl(answer)
-- binary output
output = ffi.string(answer.wire, answer.size)
if waiting then
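Review bot: `ffi.C.packet_ttl(answer)` in `finish_cb` now passes a single argument, so it only works if the FFI declaration and the C definition of `packet_ttl` dropped the `is_negative` parameter in this same commit; neither is visible in this hunk. LuaJIT checks the argument count of a non-variadic C function when the call executes, so a stale declaration would surface as an error inside the callback on the first DoH answer rather than at module load, and a DoH test should cover this path. The removed `get_http_ttl` was the only place that showed the empty-ANSWER case, so a short comment such as `-- packet_ttl() handles answers with an empty ANSWER section itself` would help, if that is what the C side now does. `serve_doh` starts and ends outside the hunk.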
diff --git a/modules/policy/README.rst b/modules/policy/README.rst
index 0d37b1f6..202aabab 100644
--- a/modules/policy/README.rst
+++ b/modules/policy/README.rst
@@ -620,19 +620,6 @@ and you trust your link to it, you need to use the :func:`policy.STUB` policy
instead of :func:`policy.FORWARD` to disable DNSSEC validation for those
*grafted* domains.
-Secondly, after disabling DNSSEC validation you have to solve another issue
-caused by grafting. For example, if you grafted your own top-level domain
-``example.`` onto the public DNS namespace, at some point the root server might
-send proof-of-nonexistence proving e.g. that there are no other top-level
-domain in between names ``events.`` and ``exchange.``, effectively proving
-non-existence of ``example.``.
-
-These proofs-of-nonexistence protect public DNS from spoofing but break
-*grafted* domains because proofs will be latter used by resolver
-(when the positive records for the grafted domain timeout from cache),
-effectively making grafted domain unavailable.
-The easiest work-around is to disable reading from cache for grafted domains.
-
.. code-block:: lua
:caption: Example configuration grafting domains onto public DNS namespace
@@ -647,7 +634,9 @@ The easiest work-around is to disable reading from cache for grafted domains.
-- validated anyway; in some of those cases adding 'NO_0X20' can also help,
-- though it also lowers defenses against off-path attacks on communication
-- between the two servers.
- policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees))
+ -- With kresd <= 5.5.3 you also needed 'NO_CACHE' flag to avoid unintentional
+ -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching.
+ policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), extraTrees))
policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))
Response policy zones
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index 4eba7494..47e436f0 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -781,6 +781,7 @@ function policy.DEBUG_IF(test)
local debug_finish_cb = ffi.cast('trace_callback_f', function (cbreq)
jit.off(true, true) -- JIT for (C -> lua)^2 nesting isn't allowed
if test(cbreq) then
+ policy.REQTRACE(nil, cbreq)
debug_logfinish_cb(cbreq) -- unconditional version
local stash = cbreq:vars()['policy_debug_stash']
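Review bot: `policy.REQTRACE(nil, cbreq)` in `debug_finish_cb` passes `nil` where the call removed in the second hunk passed `state`, and nothing here says why that is safe. REQTRACE's body is outside the hunk, so confirm it never reads its first argument; if so, a comment like `-- state is unused by REQTRACE; the request is logged only once test() has matched` documents both the `nil` and the move. The move presumably also means the request is no longer traced for queries that fail `test`, and that the trace is emitted at finish time rather than when the query arrives; that changes what ends up in logs and deserves a line in the `DEBUG_IF` documentation. `policy.DEBUG_IF` starts and ends outside both hunks.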
@@ -797,7 +798,6 @@ function policy.DEBUG_IF(test)
req:vars()['policy_debug_stash'] = {}
policy.QTRACE(state, req)
req:trace_chain_callbacks(debug_stashlog_cb, debug_finish_cb)
- policy.REQTRACE(state, req)
return
end
end
diff --git a/modules/policy/policy.rpz.test.lua b/modules/policy/policy.rpz.test.lua
index 70ef9fb6..94fb9ceb 100644
--- a/modules/policy/policy.rpz.test.lua
+++ b/modules/policy/policy.rpz.test.lua
@@ -7,7 +7,7 @@ local function prepare_cache()
local c = kres.context().cache
local passthru_addr = '\127\0\0\9'
- rr_passthru = kres.rrset(todname('rpzpassthru.'), kres.type.A, kres.class.IN, 3600999999)
+ rr_passthru = kres.rrset(todname('rpzpassthru.'), kres.type.A, kres.class.IN, 2147483647)
assert(rr_passthru:add_rdata(passthru_addr, #passthru_addr))
assert(c:insert(rr_passthru, nil, ffi.C.KR_RANK_SECURE + ffi.C.KR_RANK_AUTH))
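Review bot: The new TTL `2147483647` on the `kres.rrset(...)` line is a bare magic number. It is 2^31 - 1, the largest TTL RFC 2181 permits, whereas the old `3600999999` exceeded that limit. A trailing comment, e.g. `-- 2^31 - 1: maximum TTL per RFC 2181`, would keep a later edit from raising it again. `prepare_cache` continues outside the hunk.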
diff --git a/modules/predict/predict.lua b/modules/predict/predict.lua
index 4511fc9b..0117fd52 100644
--- a/modules/predict/predict.lua
+++ b/modules/predict/predict.lua
@@ -140,7 +140,7 @@ function predict.process()
end
function predict.init()
- if predict.window > 0 then
+ if predict.window > 0 and predict.period > 0 then
predict.current_epoch = predict.epoch()
predict.ev_sample = event.after(next_event(), predict.process)
end
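Review bot: The added `predict.period > 0` condition in `predict.init` carries no comment, and when it is false the function skips scheduling `predict.process` without telling the operator that prediction is off. I would document the reason on the condition, e.g. `-- a non-positive period leaves nothing to schedule sampling on`, if that is the failure being avoided; `next_event()` is defined outside the hunk. An `else` branch that logs the disabled state would make a misconfigured `period` visible. `predict.init` ends outside the hunk.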
diff --git a/modules/stats/stats.c b/modules/stats/stats.c
index 67b73df8..ca3a932c 100644
--- a/modules/stats/stats.c
+++ b/modules/stats/stats.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/systemd/kresd.systemd.7.in b/systemd/kresd.systemd.7.in
index e92613ec..a602b8e6 100644
--- a/systemd/kresd.systemd.7.in
+++ b/systemd/kresd.systemd.7.in
@@ -2,7 +2,7 @@
.\"
.\" kresd.systemd.7 -- man page for systemd units for kresd
.\"
-.\" Copyright (c) 2018, CZ.NIC. All rights reserved.
+.\" Copyright (c) CZ.NIC. All rights reserved.
.\"
.\" SPDX-License-Identifier: GPL-3.0-or-later
.\"
diff --git a/tests/unit/mock_cmodule.c b/tests/unit/mock_cmodule.c
index 5f4b6ed2..9cc9d1af 100644
--- a/tests/unit/mock_cmodule.c
+++ b/tests/unit/mock_cmodule.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2015-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/tests/unit/test.h b/tests/unit/test.h
index 2c609973..9a7eb58a 100644
--- a/tests/unit/test.h
+++ b/tests/unit/test.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
diff --git a/utils/client/kresc.c b/utils/client/kresc.c
index 2dc107c3..16782a13 100644
--- a/utils/client/kresc.c
+++ b/utils/client/kresc.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2016-2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) CZ.NIC, z.s.p.o. <knot-resolver@labs.nic.cz>
* SPDX-License-Identifier: GPL-3.0-or-later
*/
#include <arpa/inet.h>