]>
granicus.if.org Git - pdns/log
Remi Gacogne [Fri, 7 Jul 2017 15:04:05 +0000 (17:04 +0200)]
Merge pull request #5496 from rgacogne/dnsdist-lua-spoof-multi
dnsdist: Add support for returning several IPs to spoof from Lua
Remi Gacogne [Fri, 7 Jul 2017 15:03:15 +0000 (17:03 +0200)]
Merge pull request #5497 from rgacogne/dnsdist-dnsrule-tostring
dnsdist: Add `DNSRule::toString()`, fix dtors for rules and actions
Remi Gacogne [Fri, 7 Jul 2017 15:02:13 +0000 (17:02 +0200)]
Merge pull request #5502 from rgacogne/luawrapper-dont-move-sharedptr
LuaWrapper: Don't move the content of vectors, maps and unordered_maps
Peter van Dijk [Fri, 7 Jul 2017 09:42:32 +0000 (11:42 +0200)]
Merge pull request #5493 from pieterlexis/disable-snmp-stretch
Don't build with SNMP on Debian Stretch
Remi Gacogne [Fri, 7 Jul 2017 08:27:07 +0000 (10:27 +0200)]
LuaWrapper: Don't move the content of vectors, maps and unordered_maps
They might hold shared pointers, and moving them cause the source
to become empty.
luawrapper
f9c686e2fa3ad5cf5593265dda491239e32e2955
bert hubert [Thu, 6 Jul 2017 23:35:59 +0000 (01:35 +0200)]
Merge pull request #5487 from rgacogne/rec-fix-socket-per-thread
rec: Fix all work threads listening on all 'per thread' sockets
bert hubert [Thu, 6 Jul 2017 23:35:08 +0000 (01:35 +0200)]
Merge pull request #5488 from rgacogne/fix-no-packet-error
rec: Only increase `no-packet-error` on the first read
bert hubert [Thu, 6 Jul 2017 23:34:07 +0000 (01:34 +0200)]
Merge pull request #5501 from rgacogne/dnsdist-tcp-short-writes
dnsdist: Fix TCP short writes handling
Remi Gacogne [Thu, 6 Jul 2017 22:11:49 +0000 (00:11 +0200)]
dnsdist: Fix TCP short writes handling
Peter van Dijk [Thu, 6 Jul 2017 19:31:51 +0000 (21:31 +0200)]
Merge pull request #5245 from rgacogne/auth-sql-connection-reset
auth: Reconnect to the server if the My/Pg connection has been closed
Peter van Dijk [Thu, 6 Jul 2017 08:50:48 +0000 (10:50 +0200)]
Merge pull request #5492 from Habbie/rec-4.0.6-changelog
changelog+secpoll for recursor 4.0.6
Remi Gacogne [Wed, 5 Jul 2017 15:49:42 +0000 (17:49 +0200)]
dnsdist: Add support for returning several IPs to spoof from Lua
Remi Gacogne [Tue, 28 Mar 2017 07:48:54 +0000 (09:48 +0200)]
dnsdist: Add virtual dtors for DNSRule, DNSAction and DNSResponseAction
Remi Gacogne [Tue, 28 Mar 2017 07:47:49 +0000 (09:47 +0200)]
dnsdist: Add `DNSRule::toString()` Lua binding
Peter van Dijk [Tue, 4 Jul 2017 13:37:32 +0000 (15:37 +0200)]
changelog+secpoll for recursor 4.0.6
Pieter Lexis [Tue, 4 Jul 2017 14:13:07 +0000 (16:13 +0200)]
rec: Add a test for multiple libcrypto linking
Pieter Lexis [Tue, 4 Jul 2017 12:55:53 +0000 (14:55 +0200)]
Don't build with SNMP on Debian Stretch
As net snmp is linked to OpenSSL 1.0 and we link against 1.1, users get
'interesting' crashes.
Pieter Lexis [Tue, 4 Jul 2017 09:16:12 +0000 (11:16 +0200)]
Merge pull request #5466 from zeha/rec-ws-exception
API: Clean up auth/recursor code mismatches
Pieter Lexis [Tue, 4 Jul 2017 09:15:57 +0000 (11:15 +0200)]
Merge pull request #5483 from rgacogne/rec-ecs-cache-scope-test
rec: Add ECS scope handling by the cache to our regression tests
Pieter Lexis [Tue, 4 Jul 2017 09:15:46 +0000 (11:15 +0200)]
Merge pull request #5484 from rgacogne/rec-ecs-update-validation-state
rec: Use ECS when updating the validation state if needed
Pieter Lexis [Tue, 4 Jul 2017 09:15:19 +0000 (11:15 +0200)]
Merge pull request #5486 from rgacogne/rec-dnssec-skipped-sec-to-insec
rec: Handle Secure to Insecure cut on the same auth servers
Remi Gacogne [Mon, 3 Jul 2017 11:04:58 +0000 (13:04 +0200)]
rec: Only increase `no-packet-error` on the first read
We try to read as many messages as possible after being woken up,
but only the first read can count as a no-packet error.
Remi Gacogne [Mon, 3 Jul 2017 10:59:33 +0000 (12:59 +0200)]
rec: Fix all work threads listening on all 'per thread' sockets
Remi Gacogne [Mon, 3 Jul 2017 09:16:51 +0000 (11:16 +0200)]
rec: Handle Secure to Insecure cut on the same auth servers
Meaning the NS answer for the Insecure zone won't be signed and
won't have a DS denial. We will pick that up with the following
DS query, but we need to make sure the NS answer isn't considered
Bogus even though it's not signed.
Remi Gacogne [Mon, 3 Jul 2017 08:56:19 +0000 (10:56 +0200)]
rec: Fix invalid test for Secure to Insecure on the same auth servers
The answer for the NS of the insecure sub-zone have neither RRSIG nor
secure DS denial.
Remi Gacogne [Sat, 1 Jul 2017 22:12:05 +0000 (00:12 +0200)]
rec: Use ECS when updating the validation state if needed
If `use-incoming-ecs` is set and an actual ECS value was received.
Remi Gacogne [Fri, 30 Jun 2017 18:27:50 +0000 (20:27 +0200)]
rec: Add ECS scope handling by the cache in our regression tests
bert hubert [Thu, 29 Jun 2017 18:54:33 +0000 (20:54 +0200)]
Merge pull request #5477 from rgacogne/rec-ecs-tests
rec: Add ECS regression tests
bert hubert [Thu, 29 Jun 2017 18:54:14 +0000 (20:54 +0200)]
Merge pull request #5476 from rgacogne/rec-ixfr-fix
rec: Fix IXFR skipping the additions part of the last sequence
Remi Gacogne [Thu, 29 Jun 2017 17:33:53 +0000 (19:33 +0200)]
rec: Add ECS regression tests
Remi Gacogne [Thu, 29 Jun 2017 13:29:40 +0000 (15:29 +0200)]
rec: Add IXFR unit tests
bert hubert [Thu, 29 Jun 2017 14:18:05 +0000 (16:18 +0200)]
Merge pull request #5409 from ahupowerdns/ecs-stats
Ecs stats: some fun metrics. Documentation has been submitted separately to @pieterlexis
Remi Gacogne [Wed, 28 Jun 2017 16:26:33 +0000 (18:26 +0200)]
rec: Fix IXFR skipping the additions part of the last sequence
Under certain conditions, we could have skipped the additions part
of the last `IXFR` sequence, because we stopped processing records
after seeing a `SOA` record with the new serial. However, as stated
in rfc1995's "Response format" section:
"the first RR of the added RRs is the newer SOA RR"
bert hubert [Thu, 15 Jun 2017 01:15:40 +0000 (03:15 +0200)]
add some ECS metrics (UNDOCUMENTED)
bert hubert [Wed, 28 Jun 2017 13:22:35 +0000 (15:22 +0200)]
Merge pull request #5472 from rgacogne/rec-ecs-index-comment
rec: Rename the ECS cache index and add a comment on how it works
Remi Gacogne [Wed, 28 Jun 2017 08:57:49 +0000 (10:57 +0200)]
rec: Initialize MemRecursorCache::d_state in the ctor
It's always set in `MemRecursorCache::replace()`, which should be the
only place where we insert new values, but the explicit init makes
Coverity happy.
Pieter Lexis [Wed, 28 Jun 2017 06:57:27 +0000 (08:57 +0200)]
Merge pull request #5470 from stasic/patch-4
rec: changed IPv6 addr of b.root-servers.net
Remi Gacogne [Tue, 27 Jun 2017 20:32:50 +0000 (22:32 +0200)]
rec: Rename the ECS cache index and add a comment on how it works
bert hubert [Tue, 27 Jun 2017 15:41:32 +0000 (17:41 +0200)]
Merge pull request #5403 from rgacogne/rec-incoming-ecs-cache
rec: Use the incoming ECS for cache lookup if `use-incoming-edns-subnet` is set
bert hubert [Tue, 27 Jun 2017 14:18:51 +0000 (16:18 +0200)]
Merge pull request #5461 from rgacogne/rec-cache-index
rec: Add an ECS index to the cache
Remi Gacogne [Wed, 14 Jun 2017 11:31:18 +0000 (13:31 +0200)]
rec: Use the incoming ECS for cache lookup if `use-incoming-edns-subnet` is set
Otherwise we insert into the cache based on the incoming ECS but
later do the lookup based on the query's source IP.
Remi Gacogne [Tue, 27 Jun 2017 11:08:43 +0000 (13:08 +0200)]
rec: Add unit tests for the cache removal queue (back/front)
(cherry picked from commit
7e6f71937f0ac7678b81013da7538ca1e65d779a )
Remi Gacogne [Tue, 20 Jun 2017 15:09:56 +0000 (17:09 +0200)]
Remove just enough entries from the cache, not one more than asked
(cherry picked from commit
f3cb7c78abe3ad639d4583880ae9302b3be99a9e )
Remi Gacogne [Mon, 19 Jun 2017 10:51:39 +0000 (12:51 +0200)]
rec: Add a NetmaskTree-based cache index for ECS entries
The main idea is not to have to go through all the netmask-specific
entries for a given (qname/qtype), but to have to know quickly which
netmask-specific entry is the best match.
To do that we add an index containing a NetmaskTree for each
(qname,qtype), and we then know quickly which entry to get from the
"regular" cache.
Initial benchmarking results:
- inserting non-netmask-specific entries has the same performance ;
- inserting netmask-specific entries is 40% slower because of the additional insertion ;
- looking for a (qname/qtype) that has no netmask-specific entries remains the same ;
- looking for (qname/qtype) with 65k netmask-specific entries but only matching the non-netmask one is around 2000 times faster ;
- looking for (qname/qtype) with 65k netmask-specific entries and matching one is also around 2000 times faster ;
- pruning the cache is a lot slower (from 11 millions/s to 1.8 millions/s)
Remaining issues:
- ANY queries do not use the index ;
- we have to do two lookups
- removal is slower, but might still be good enough
- NetmaskTree.erase() does not compact the tree.
Ideas that didn't seem to work out:
- Storing a pointer of some kind in the NetmaskTree to save a lookup:
caused issues with our generic cache management functions (moving
entries to the front or to the back requires an iterator)
- Keeping the NMT index in the empty Netmak entry (the non-netmask
specific one) save the additional lookup when we have no ECS
entries, but made cache management very awkward because we needed
to keep the non-netmask specific entry around as a place holder
for the ECS index even if it held no data.
Arsen Stasic [Tue, 27 Jun 2017 11:02:53 +0000 (13:02 +0200)]
rec: changed IPv6 addr of b.root-servers.net
http://www.internic.net/domain/db.cache
last update: June 01, 2017
is effective since 2017-06-01
Pieter Lexis [Tue, 27 Jun 2017 10:07:12 +0000 (12:07 +0200)]
Merge pull request #5381 from kevinquinnyo/docs-queries-issue
Fix query in howtos.md doc
Pieter Lexis [Tue, 27 Jun 2017 10:06:29 +0000 (12:06 +0200)]
Merge pull request #5454 from rgacogne/dnsdist-tcp-fastopen-not-available
dnsdist: Fix TCP with Fast Open requested but unsupported
Pieter Lexis [Tue, 27 Jun 2017 10:05:25 +0000 (12:05 +0200)]
Merge pull request #5464 from rgacogne/logging-snmp
Mention the recursor's SNMP support in logging.md
bert hubert [Tue, 27 Jun 2017 07:16:48 +0000 (09:16 +0200)]
Merge pull request #5463 from rgacogne/dnssec-refactor-cl
rec: Implement "on-the-fly" DNSSEC processing
Christian Hofstaedtler [Mon, 26 Jun 2017 13:55:47 +0000 (15:55 +0200)]
auth/rec ws: sync caught serveConnection exceptions
Christian Hofstaedtler [Mon, 26 Jun 2017 13:53:59 +0000 (15:53 +0200)]
ws-recursor: remove data.clear() which is also done by arecvtcp
Remi Gacogne [Mon, 26 Jun 2017 15:17:08 +0000 (17:17 +0200)]
rec: Compute the zone cuts before trying to validate a cached entry
Remi Gacogne [Fri, 23 Jun 2017 14:23:56 +0000 (16:23 +0200)]
rec: Remove (wrong) debug message
Remi Gacogne [Fri, 23 Jun 2017 14:13:12 +0000 (16:13 +0200)]
rec: Accept NXD denial state instead of NXQ for an empty non-terminal
Remi Gacogne [Fri, 23 Jun 2017 14:12:30 +0000 (16:12 +0200)]
rec: Update validation status of records cached as Indeterminate
Remi Gacogne [Tue, 13 Jun 2017 13:16:55 +0000 (15:16 +0200)]
rec: Check that DNSKEYs have protocol set to 3
Remi Gacogne [Tue, 13 Jun 2017 13:16:14 +0000 (15:16 +0200)]
rec: Don't go Bogus on NXDomain while getting DS
Remi Gacogne [Fri, 9 Jun 2017 17:45:16 +0000 (19:45 +0200)]
rec: Fix validation issue when getting the NS returns a Bogus result
Remi Gacogne [Fri, 9 Jun 2017 14:56:17 +0000 (16:56 +0200)]
rec: Make the zone cuts and states a member variable
Remi Gacogne [Fri, 9 Jun 2017 14:30:57 +0000 (16:30 +0200)]
rec: Use a single zone cuts and states variable
Remi Gacogne [Fri, 9 Jun 2017 09:38:22 +0000 (11:38 +0200)]
rec: Add and clarify RRSIG labels checks
Remi Gacogne [Fri, 9 Jun 2017 08:37:50 +0000 (10:37 +0200)]
rec: Special names are Insecure
Remi Gacogne [Fri, 9 Jun 2017 08:34:06 +0000 (10:34 +0200)]
rec: Primed root-servers.net is Insecure
Remi Gacogne [Fri, 9 Jun 2017 08:32:53 +0000 (10:32 +0200)]
rec: Fix mixup between two unit test names
Remi Gacogne [Tue, 6 Jun 2017 10:05:39 +0000 (12:05 +0200)]
rec: Pass the zone cuts and states around
Remi Gacogne [Thu, 8 Jun 2017 20:17:44 +0000 (22:17 +0200)]
rec: Make the Interop mockup auth answer NS queries
Remi Gacogne [Mon, 22 May 2017 16:25:55 +0000 (17:25 +0100)]
rec: Don't follow CNAME when fetching DNSKEYs
Remi Gacogne [Mon, 22 May 2017 09:54:20 +0000 (11:54 +0200)]
rec: Prevent a loop while fetching DNSKEY
If some records on the DNSKEY answer are signed with the same
signer, we could end up in a DNSKEY retrieval loop since we
haven't added the DNSKEY to the cache yet.
Remi Gacogne [Mon, 22 May 2017 09:23:33 +0000 (11:23 +0200)]
rec: Fix all remaining SyncRes unit tests, remove debug log
Remi Gacogne [Thu, 18 May 2017 16:23:34 +0000 (18:23 +0200)]
rec: Fix zone cut status for Insecure/Bogus, fix some tests
Remi Gacogne [Wed, 17 May 2017 16:53:57 +0000 (18:53 +0200)]
rec: Validate lack of DS record
Remi Gacogne [Fri, 12 May 2017 16:26:36 +0000 (18:26 +0200)]
rec: Compute zone cuts and states beforehand
Remi Gacogne [Thu, 11 May 2017 09:54:45 +0000 (11:54 +0200)]
rec: Fix DS handling in unit tests
Remi Gacogne [Wed, 10 May 2017 16:08:23 +0000 (18:08 +0200)]
rec: Reply with and store DNSSEC wildcard proofs
Remi Gacogne [Tue, 9 May 2017 15:22:00 +0000 (17:22 +0200)]
rec: Add more DNSSEC unit tests (bad sig/algo, CNAME state transitions)
Remi Gacogne [Tue, 9 May 2017 15:21:21 +0000 (17:21 +0200)]
rec: Add a `nsec3-max-iterations` setting, default to 2500
Remi Gacogne [Tue, 9 May 2017 14:19:09 +0000 (16:19 +0200)]
rec: Check NSEC3 closest encloser
Remi Gacogne [Fri, 5 May 2017 17:02:40 +0000 (19:02 +0200)]
rec: Fix handling on DS denial during referral
Remi Gacogne [Wed, 3 May 2017 17:01:55 +0000 (19:01 +0200)]
rec: Add more DNSSEC tests, fixing some issues with state transition
Remi Gacogne [Tue, 2 May 2017 21:00:06 +0000 (23:00 +0200)]
rec: Fix DNSSEC issues found by adding more DNSSEC unit test
Remi Gacogne [Fri, 28 Apr 2017 11:50:13 +0000 (13:50 +0200)]
rec: Add DNSSEC tests in the SyncRes unit tests suite
Remi Gacogne [Thu, 20 Apr 2017 17:12:28 +0000 (19:12 +0200)]
auth: getKeysFor() signature changed, update toysdig
Remi Gacogne [Fri, 21 Apr 2017 09:45:56 +0000 (11:45 +0200)]
rec: Fix a typo in the DNSSEC regression tests
Remi Gacogne [Wed, 12 Apr 2017 16:18:50 +0000 (18:18 +0200)]
rec: Implement "on-the-fly" DNSSEC processing
Remi Gacogne [Fri, 14 Apr 2017 14:41:04 +0000 (16:41 +0200)]
rec: Only use non-AA data to get NS / DS / glues
Remi Gacogne [Mon, 26 Jun 2017 09:46:40 +0000 (10:46 +0100)]
Merge pull request #5460 from rgacogne/rec-doc-nxd-typo
Doc: Fix a typo in the recursor's scripting documentation
Remi Gacogne [Mon, 26 Jun 2017 07:55:49 +0000 (08:55 +0100)]
Merge pull request #5455 from pieterlexis/travis-use-auth-40-for-rec-tests
Travis: Use auth 4.0 for recursor tests
Remi Gacogne [Mon, 26 Jun 2017 07:55:01 +0000 (08:55 +0100)]
Merge pull request #5457 from Habbie/luabackend-docs
remove broken link; clarify status
Remi Gacogne [Mon, 26 Jun 2017 07:46:35 +0000 (09:46 +0200)]
Doc: Fix a typo in the recursor's scripting documentation
Remi Gacogne [Fri, 23 Jun 2017 16:22:16 +0000 (18:22 +0200)]
Mention the recursor's SNMP support in logging.md
Peter van Dijk [Fri, 23 Jun 2017 14:24:22 +0000 (16:24 +0200)]
remove broken link; clarify status
Pieter Lexis [Fri, 23 Jun 2017 09:50:12 +0000 (11:50 +0200)]
Merge pull request #5453 from pieterlexis/auth-404-changelog
Authoritative Server 4.0.4 changelog and secpoll
Pieter Lexis [Fri, 23 Jun 2017 08:43:37 +0000 (10:43 +0200)]
Travis: Use auth 4.0 for recursor tests
Remi Gacogne [Fri, 23 Jun 2017 08:38:02 +0000 (09:38 +0100)]
Merge pull request #5449 from rgacogne/dnsdist-no-fastopen-unused
dnsdist: Only declare/set `freshConn` if `MSG_FASTOPEN` is defined
Remi Gacogne [Fri, 23 Jun 2017 08:35:03 +0000 (10:35 +0200)]
dnsdist: Fix TCP with Fast Open requested but unsupported
If `tcpFastOpen` is set on a backend, we used to skip the
`connect()` call regardless of `MSG_FASTOPEN` availability.
We then tried to call `sendmsg()` (without `MSG_FASTOPEN`)
on an unconnected TCP socket, which failed.
Pieter Lexis [Fri, 23 Jun 2017 08:32:08 +0000 (10:32 +0200)]
Add Authoritative Server 4.0.4 secpoll entry
Pieter Lexis [Fri, 23 Jun 2017 08:31:24 +0000 (10:31 +0200)]
Update the Authoritative Server 4.0.4 changelog
Peter van Dijk [Thu, 22 Jun 2017 12:51:51 +0000 (14:51 +0200)]
Merge pull request #5446 from rgacogne/rec-requestor-payload-512
rec: Treat requestor's payload size lower than 512 as equal to 512
Remi Gacogne [Thu, 22 Jun 2017 09:18:04 +0000 (11:18 +0200)]
dnsdist: Only declare/set `freshConn` if `MSG_FASTOPEN` is defined
Peter van Dijk [Thu, 22 Jun 2017 09:00:46 +0000 (11:00 +0200)]
Merge pull request #5444 from Habbie/uri-5443
make URI integers 16 bits, fixes #5443