path: root/modules
Commit log (commit message; author; date; files changed; lines removed/added):

* doh debug: log timestamp of each OPENSSLKEYLOGFILE opening
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -1/+1
  Wireshark 3.0.5 is able to deal with # comments in the middle of the log file.

* doh debug: create OPENSSLKEYLOGFILE accessible only by process owner
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -1/+1

* doh debug: log timestamp of OPENSSLKEYLOGFILE creation
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -5/+6

* doh debug: build and install OpenSSL SSLKEYLOGFILE helper library
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -0/+11
  It is not used in any way by default; enabling it requires manual LD_PRELOAD= trickery as described in the source file.

* doh debug: avoid warning about _GNU_SOURCE redefinition
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -1/+4

* doh debug: use more descriptive name debug_opensslkeylog
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -0/+0

* doh debug: rename SSLKEYLOG environment variable to OPENSSLKEYLOG
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -1/+1
  This avoids a conflict between GnuTLS's built-in SSLKEYLOG and our hack for OpenSSL. This would be important for instances which run DNS-over-TLS using built-in GnuTLS and at the same time DNS-over-HTTPS using lua-http (based on OpenSSL).

* doh debug: add helper library with OpenSSL SSLKEYLOGFILE= support
  Author: Petr Špaček | Date: 2019-11-20 | Files: 1 | Lines: -0/+362
  The original file is GNU GPLv3+ licensed and was copied from https://git.lekensteyn.nl/peter/wireshark-notes/plain/src/sslkeylog.c
  blob: 370668907056f769e2d09bf7bd2e768249049f8f
  commit: de25eb75c8d90282ba90396218210c4601603347
  Copyright (C) 2014 Peter Wu <peter@lekensteyn.nl>

* modules/watchdog: use abort() for restarts
  Author: Vladimír Čunát | Date: 2019-10-23 | Files: 2 | Lines: -4/+5
  Motivation: a core dump might be very useful, and in this case there are even very useful pointers on the C stack.

* tweak conditionals to work with knot 3.0.dev
  Author: Vladimír Čunát | Date: 2019-10-21 | Files: 2 | Lines: -2/+2
  I didn't plan this well ahead :-/

* http: fix parallel execution of HTTP tests with SO_REUSEPORT
  Author: Petr Špaček | Date: 2019-10-09 | Files: 2 | Lines: -2/+2
  We have to use disjoint port ranges for individual tests, otherwise parallel test execution leads to unpredictable results.

* http: fix SO_REUSEPORT for HTTP sockets
  Author: Petr Špaček | Date: 2019-10-08 | Files: 1 | Lines: -1/+1
  lua-cqueues.socket.fdopen() resets the reuseport flag, so binding the Nth instance without systemd socket activation failed.

* watchdog rewrite
  Author: Petr Špaček | Date: 2019-10-08 | Files: 6 | Lines: -115/+177
  The watchdog module can now be loaded without systemd, has customisable callbacks, and can do real DNS queries and check their results.

* modules/sd_watchdog nitpick: fix printf on some systems
  Author: Vladimír Čunát | Date: 2019-10-02 | Files: 1 | Lines: -1/+1
  The integer length didn't match on normal 32-bit Linux.

* modules/policy: DENY home.arpa. and local. domains
  Author: Vladimír Čunát | Date: 2019-09-20 | Files: 1 | Lines: -0/+3
  - home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
  - local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
  Well, it's just an approximation... if the user specifies a forwarding policy, any special names will also get forwarded, even though the RFC says not to. And this code will also reply NXDOMAIN to home.arpa. DS. Some of these DENY rules are perhaps unnecessary, but for now we keep the same approach. For arguments see the MR 855 thread and linked ML.

* libknot compatibility: knot_edns_get_option()
  Author: Vladimír Čunát | Date: 2019-09-20 | Files: 2 | Lines: -2/+10

* prefill module: allow a different module-loading style
  Author: Vladimír Čunát | Date: 2019-09-17 | Files: 1 | Lines: -1/+2
  Otherwise plain `modules = { 'prefill' }` will error out, which is surprising w.r.t. the style used/allowed by other modules.

* modules/prefill: resigned expired RRSIGS in test zones
  Author: Ivana Krumlova | Date: 2019-08-22 | Files: 4 | Lines: -91/+95
  Fixes: #496

* rebinding: change/fix when triggered inside sub-query
  Author: Vladimír Čunát | Date: 2019-08-12 | Files: 1 | Lines: -1/+8
  This avoids getting into an inconsistent state of the request (assert), and it also allows some real-life cases to succeed without using a forbidden address in any way (even though they *are* weird). I can still imagine weird setups where a request gets failed even though it would be resolvable without *using* a forbidden address, but none of these seem reasonable anyway (or common in practice).

* rebinding nitpick: respect ALLOW_LOCAL flag
  Author: Vladimír Čunát | Date: 2019-08-12 | Files: 1 | Lines: -1/+1
  Some people might want the rebinding module generally but still use policy to allow local addresses in some specific cases.

* modules/prefill: temporarily disable prefill tests
  Author: Tomas Krizek | Date: 2019-08-09 | Files: 1 | Lines: -1/+2
  Related #496

* doc: add Quick Reference section to User guide
  Author: Tomas Krizek | Date: 2019-08-05 | Files: 1 | Lines: -0/+2

* modules/policy: add slice_randomize_psl() test
  Author: Tomas Krizek | Date: 2019-08-05 | Files: 2 | Lines: -0/+108

* modules/policy: basic test_slice test
  Author: Tomas Krizek | Date: 2019-08-05 | Files: 1 | Lines: -1/+8

* modules/policy: document policy.slice()
  Author: Tomas Krizek | Date: 2019-08-05 | Files: 1 | Lines: -0/+78

* modules/policy: add policy.slice() function
  Author: Tomas Krizek | Date: 2019-08-05 | Files: 1 | Lines: -0/+63

* modules/stats: adjust test
  Author: Tomas Krizek | Date: 2019-07-24 | Files: 1 | Lines: -0/+3

* modules/refuse_nord: document usage
  Author: Tomas Krizek | Date: 2019-07-24 | Files: 2 | Lines: -0/+15

* modules/refuse_nord: add test
  Author: Tomas Krizek | Date: 2019-07-24 | Files: 4 | Lines: -0/+93

* modules/refuse_nord: refuse queries without RD bit set
  Author: Tomas Krizek | Date: 2019-07-24 | Files: 3 | Lines: -0/+52
  Refusing to answer queries without the RD bit makes it harder to read what data is present in the resolver's cache.

* doc: document TLS_FORWARD issues with some public DNS providers
  Author: Tomas Krizek | Date: 2019-07-10 | Files: 1 | Lines: -0/+6

* rebinding: clarify comment about *_selected arrays
  Author: Petr Špaček | Date: 2019-07-10 | Files: 1 | Lines: -0/+2

* rebinding: log each blocked request only in verbose mode
  Author: Petr Špaček | Date: 2019-07-10 | Files: 1 | Lines: -3/+8
  Also, the log now uses the same query UID format as elsewhere.

* rebinding: stop iteration after encountering a filtered address
  Author: Petr Špaček | Date: 2019-07-10 | Files: 1 | Lines: -1/+1
  State FAIL does not stop iteration because kr_resolve_consume() resets the RESOLVED flag on failed attempts. This causes excessive attempts, basically forcing kresd to try all authoritative servers before giving up. This excessive iteration also caused a crash on an assert in the answer_fail function.

* prefill: tests for zone import
  Author: Ivana Krumlová | Date: 2019-07-09 | Files: 8 | Lines: -0/+250

* treewide nitpick: more sensitive detection of KR_STATE_FAIL
  Author: Vladimír Čunát | Date: 2019-06-25 | Files: 2 | Lines: -3/+3
  I don't know any particular case where the bit-test would succeed and equality wouldn't, but it seems better to take no chances.

* modules/http: tests for DoH
  Author: Ivana Krumlová | Date: 2019-06-25 | Files: 1 | Lines: -80/+154

* modules/http: new DOH tests for GET
  Author: Ivana Krumlová | Date: 2019-06-25 | Files: 1 | Lines: -1/+42

* modules/http: ignoring other GET parameters
  Author: Ivana Krumlová | Date: 2019-06-25 | Files: 1 | Lines: -1/+4

* modules/sd_watchdog: deinit correctness
  Author: Vladimír Čunát | Date: 2019-06-24 | Files: 1 | Lines: -3/+17
  and slightly better error reporting.

* modules/sd_watchdog nitpicks: simplify
  Author: Vladimír Čunát | Date: 2019-06-24 | Files: 1 | Lines: -7/+1

* modules/sd_watchdog nitpick: detect more errors
  Author: Vladimír Čunát | Date: 2019-06-24 | Files: 1 | Lines: -2/+7

* modules/sd_watchdog: new module for systemd watchdog support
  Author: Tomas Krizek | Date: 2019-06-24 | Files: 4 | Lines: -1/+102

* doc: improve DNSBL warning for rebinding module
  Author: Tomas Krizek | Date: 2019-06-19 | Files: 1 | Lines: -2/+4

* modules/http ephemeral cert: update before expiration
  Author: Vladimír Čunát | Date: 2019-06-18 | Files: 1 | Lines: -2/+2
  Instead of three days after. This bug was not introduced by the recent commits moving the code.

* http/test_tls: add test for chain certificates
  Author: Tomas Krizek | Date: 2019-06-18 | Files: 1 | Lines: -1/+27

* http/test_tls: add new certificates issued by custom CA
  Author: Tomas Krizek | Date: 2019-06-18 | Files: 4 | Lines: -17/+106
  ca.crt is the cert from the root CA
  test.crt is the cert issued by the intermediate CA
  chain.crt contains the issued cert and the intermediate CA cert
  issued for: kr.local, 127.0.0.1

* modules/http: fixes around maintenance of ephemeral certs
  Author: Vladimír Čunát | Date: 2019-06-18 | Files: 3 | Lines: -29/+49
  The cert was updated only once :-/ Now it's updated until the http module is unloaded. Also, each socket would create its own ephemeral certificate, so now that's all shared within the process. Technically we could synchronise even multiple instances, based on the files, but that would be much more complex, and it seems an unlikely combination to deploy.

* modules/http: also send intermediate TLS certificate
  Author: Vladimír Čunát | Date: 2019-06-17 | Files: 4 | Lines: -105/+176
  - separate certificate handling into a new file (+ rename the functions)
  - handle a list of certs instead of a single one
  - minor nitpicks

* modules, docs: omit casting parameters of lua layers
  Author: Vladimír Čunát | Date: 2019-06-13 | Files: 16 | Lines: -36/+10
  Thanks to changes in this branch the functions are called with correctly typed parameters already, so these weird casts can be deleted.