1. 11 Aug, 2016 8 commits
  2. 16 Jul, 2016 1 commit
  3. 30 May, 2016 1 commit
  4. 27 May, 2016 1 commit
  5. 06 May, 2016 2 commits
  6. 18 Apr, 2016 1 commit
    • Marek Vavrusa's avatar
      daemon: mode(strict|normal|permissive) · e61c48ef
      Marek Vavrusa authored
      the daemon has now three modes of strictness
      checking from strict to permissive.
      it reflects the tradeoff between resolving the
      query in as few steps as possible and security
      for insecure zones
      e61c48ef
  7. 15 Apr, 2016 1 commit
    • Marek Vavrusa's avatar
      lib/iterate: QUERY_PERMISSIVE mode · dc300136
      Marek Vavrusa authored
      in permissive mode, resolver is free to use
      (but not cache) non-mandatory glue records even
      if they're not resolvable. this is great as a 
      workaround for broken child-side zones, but
      not great for security of, well, insecure
      delegations. it's off by default.
      dc300136
  8. 14 Apr, 2016 1 commit
  9. 30 Jan, 2016 1 commit
  10. 22 Jan, 2016 1 commit
    • Marek Vavrusa's avatar
      lib/resolve: new flag ALWAYS_CUT · adaed4ba
      Marek Vavrusa authored
      when raised, a response zone cut will be recovered
      even if the response came from cache. this is
      normally not needed (and incurs additional cache
      lookups), but it may be useful for
      inspection
      adaed4ba
  11. 17 Dec, 2015 1 commit
  12. 10 Dec, 2015 1 commit
  13. 28 Oct, 2015 1 commit
  14. 15 Oct, 2015 1 commit
  15. 14 Oct, 2015 1 commit
  16. 13 Oct, 2015 1 commit
  17. 07 Oct, 2015 1 commit
  18. 06 Oct, 2015 2 commits
  19. 27 Sep, 2015 1 commit
  20. 22 Sep, 2015 1 commit
    • Marek Vavruša's avatar
      lib: proper key/ta checks in zone cut resolution · d58d3431
      Marek Vavruša authored
      this fixes problems with servers authoritative both for
      parent and child zone and vice versa
      as the DS is authoritative parent-side, a full subrequest
      is launched. this breaks some tests that don’t have
      a full referral path
      
      todo bugs:
      - non-existence proof with only SOA and no NS is not
      correctly resolved
      - revalidation in some cases causes record duplication
      - NS queries with DO=1 answered from cache are not correctly resolved, as the TA is not set at this time
      d58d3431
  21. 04 Aug, 2015 1 commit
    • Marek Vavruša's avatar
      lib/zonecut: filter private addresses from internet · c2035b1f
      Marek Vavruša authored
      zonecut should be able to hold these for testing reasons (like private
      root or zone cut), but it should filter out data from the internet
      a new flag: QUERY_ALLOW_LOCAL allows for being more permissive, and
      letting name server query local or private address ranges
      c2035b1f
  22. 03 Aug, 2015 1 commit
    • Marek Vavruša's avatar
      daemon/bindings: replaced old Lua/C bindings with LuaJIT FFI · 28565f82
      Marek Vavruša authored
      this is a first step of leaning towards LuaJIT.
      the FFI bindings are much faster, simpler and don’t abort traces
      
      daemon core scripting engine is still going to support interpreted Lua, but modules requiring library bindings (such as ‘block’) will require LuaJIT for FFI
      28565f82
  23. 30 Jul, 2015 1 commit
  24. 19 Jul, 2015 2 commits
  25. 10 Jul, 2015 1 commit
  26. 09 Jul, 2015 1 commit
  27. 05 Jul, 2015 1 commit
  28. 30 Jun, 2015 1 commit
    • Marek Vavruša's avatar
      lib/validate: pseudocode of the validation flow · da79dc09
      Marek Vavruša authored
      1. validate module must be between iterate/cache
      2. produce: copy OPT with DO=1, ask for DNSKEY if we don’t have it
      3. resolve.c: subrequest DNSKEY if asked to do it
      4. consume: check DNSKEY and set it, validate RRSIGs against it
      
      another issues:
      
      rrsigcache is copypasta of rrcache, there is one special case with storing RRSIGs which doesn’t deserve it’s own module (if the validation is off, then nothing will get written in there anyway)
      
      since the resolution is asynchronous, layers must only *ask* resolver to do subrequests for them using query flags (like when we encounter an unknown zone cut)
      da79dc09
  29. 24 Jun, 2015 1 commit
  30. 16 Jun, 2015 1 commit