1. 18 Apr, 2016 2 commits
      daemon: mode(strict|normal|permissive) · e61c48ef
      Marek Vavrusa authored
      the daemon now has three modes of strictness
      checking, from strict to permissive.
      it reflects the tradeoff between resolving the
      query in as few steps as possible and security
      for insecure zones
      engine: clear bad scorers from RTT every 5 minutes · b64d6ce7
      Marek Vavrusa authored
      an internal timer walks the RTT timer periodically and
      clears entries with bad results every 5 minutes.
      this means that a timed-out entry's penalty is
      capped to that interval, making sure that the
      bad reputation doesn't last forever
  2. 22 Jan, 2016 1 commit
  3. 11 Jan, 2016 1 commit
  4. 23 Dec, 2015 1 commit
  5. 17 Dec, 2015 1 commit
  6. 10 Dec, 2015 1 commit
  7. 09 Dec, 2015 1 commit
  8. 06 Dec, 2015 1 commit
  9. 05 Dec, 2015 1 commit
      daemon: root trust anchors automatically bootstrapped from IANA · 1af623da
      Marek Vavruša authored
      if the root key file doesn't exist, it will be populated from a root DNSKEY query, which will be validated against root trust anchors retrieved over HTTPS with IANA cert verification against the built-in current IANA cert CA. it requires luasocket and luasec to work. the trust anchors XML file signature is not checked, as there's no facility for PKCS7 checking yet.
  10. 28 Nov, 2015 1 commit
  11. 27 Nov, 2015 1 commit
  12. 24 Nov, 2015 1 commit
  13. 12 Nov, 2015 1 commit
  14. 20 Oct, 2015 1 commit
  15. 18 Oct, 2015 3 commits
  16. 07 Oct, 2015 2 commits
  17. 06 Oct, 2015 1 commit
  18. 05 Oct, 2015 1 commit
  19. 22 Sep, 2015 1 commit
      daemon: negative trust anchors · 9829167a
      Marek Vavruša authored
      config:
      trust_anchors.negative = { 'bad.cz', 'here.com' }
      
      all names below these NTA will not be validated
      (unless there is an island of trust below these anchors)
  20. 21 Sep, 2015 1 commit
  21. 15 Sep, 2015 1 commit
  22. 06 Aug, 2015 1 commit
  23. 05 Aug, 2015 1 commit
  24. 04 Aug, 2015 1 commit
  25. 03 Aug, 2015 1 commit
  26. 01 Aug, 2015 2 commits
      daemon: more aggressive Lua GC, forced GC steps · 5a709411
      Marek Vavruša authored
      the memory could go through the roof with sufficiently high pps. GC now runs at 4x the speed of allocations and doesn't wait for an increase; some callbacks also perform a full collection cycle on completion
      daemon/engine: priority prefix '<' for modules · 3714f4bc
      Marek Vavruša authored
      if the configured module's name is prefixed with '<' it takes precedence before all others,
      e.g. modules = { 'hints', '<block' }
      means that the 'hints' module will be executed in order (last), and the 'block' module layer will be called first in query processing
  27. 30 Jul, 2015 1 commit
  28. 23 Jul, 2015 1 commit
  29. 22 Jul, 2015 1 commit
  30. 21 Jul, 2015 1 commit
  31. 30 Jun, 2015 2 commits
      lib/validate: pseudocode of the validation flow · da79dc09
      Marek Vavruša authored
      1. the validate module must be between iterate/cache
      2. produce: copy OPT with DO=1, ask for DNSKEY if we don't have it
      3. resolve.c: subrequest DNSKEY if asked to do it
      4. consume: check DNSKEY and set it, validate RRSIGs against it
      
      other issues:
      
      rrsigcache is copypasta of rrcache; there is one special case with storing RRSIGs which doesn't deserve its own module (if the validation is off, then nothing will get written in there anyway)
      
      since the resolution is asynchronous, layers must only *ask* the resolver to do subrequests for them using query flags (like when we encounter an unknown zone cut)
      daemon/main: cleanup, forking and remote tty · 46122a59
      Marek Vavruša authored
      when the daemon starts in non-interactive mode, it creates a pipe in 'tty/<pid>' which can be used to interact with it remotely - much wow
      
      e.g. $ socat - UNIX-CONNECT:tty/38284
  32. 29 Jun, 2015 1 commit
  33. 15 Jun, 2015 1 commit
  34. 13 Jun, 2015 1 commit