| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Fixes: #611
|
| | |
|
| |
|
|
| |
Resolvers must answer queries even if the shared cache overflown during query processing.
|
| | |
|
| |
|
|
|
|
| |
Branch on Deckard tree tracked in this repository was left unmerged in
Deckard. The two trees therefore diverged and broke CI in knot-resolver
repo on a few commits retroactively.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is about situations when validator *thinks* it's in a signed zone
but an unsigned answer comes in. The assumption was that RRSIGs didn't
make it through some middle-boxes and it retried with explicit QTYPE=RRSIG.
There were two issues with that.
1. It seems that in most cases the cause of the situation is that
we skipped over a zone cut that transitioned to insecure state,
so the signatures correctly don't exist.
2. An explicit RRSIG query appears to be more trouble than worth;
it seems reasonable for servers not to answer it (fully);
see RFC 8482 sect. 7.
The new approach simply tries to find a proof that the name is insecure,
by spawning a QTYPE=DS sub-query on that name. That fixes some
real-life cases; usually this happens in iteration mode where one IP
address serves zones on both sides of a cut that transitions to insecure.
For details see new comments in that rrsig_not_found() function.
The change resulted in the iterator fallback not making sense anymore
so it was removed.
|
| | |
|
| |
|
|
|
|
| |
New Deckard repo without conflicting iter_refused.rpl test
does not contain libswrap and libfaketime anymore
so I had to remove hacks in build system for these.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MISSING triggers re-query to auth in attempt to find missing RRSIGs.
It causes reduntant queries and also puts some BOGUS RRsets in answers.
(It sounds bad but we were correctly setting rcode=SERVFAIL and AD=0
even before this commit.)
Formerly RRSIG ranks did not reflect results of validation.
Now we mark them as BOGUS and upgrade them to SECURE if they validate.
New validator phase answer_finalize prevents BOGUS RRsets from being
put even into SERVFAIL answers.
Closes: #396
|
| | |
|
| | |
|
| |
|
|
| |
I don't know why exactly it fails ... let's unblock release.
|
| |
|
|
|
|
| |
Deckard does not support these and it leads to confusing errors.
In long term we need to migrate Deckard to different network backend:
https://gitlab.labs.nic.cz/knot/deckard/issues/42
|
| |
|
|
|
| |
These files did not have GNU GPL v3 boilderplate in them so
I've added machine readable tag with appropriate license.
|
| |
|
|
| |
Now we hopefully won't need to touch it for a long time.
|
| | |
|
| |
|
|
|
| |
Previous version would add the TA and then print error message, which is
not expected.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
