authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:04:57 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 08:04:57 +0000
commit98e63d18fe85b29517ae8fb21ca94f37c7972652 (patch)
tree8de3b229d6a3a5062acdb3a970cc3c60bed6c07f
parentReleasing progress-linux version 3.3.4-1.1~progress7.99u1. (diff)
Merging upstream version 3.3.5.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--NEWS23
-rwxr-xr-xconfigure101
-rw-r--r--configure.ac3
-rw-r--r--distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch6
-rw-r--r--doc/configuration.rst22
-rw-r--r--doc/man/knot.conf.5in20
-rw-r--r--doc/man/kzonecheck.1in3
-rw-r--r--doc/man_kzonecheck.rst3
-rw-r--r--doc/operation.rst190
-rw-r--r--doc/reference.rst17
-rw-r--r--doc/troubleshooting.rst17
-rwxr-xr-xpython/knot_exporter/knot_exporter/knot_exporter.py4
-rw-r--r--src/Makefile.in256
-rw-r--r--src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_buf.h2
-rw-r--r--src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cc.c50
-rw-r--r--src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conn.c63
-rw-r--r--src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_crypto.c58
-rw-r--r--src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rtb.c54
-rw-r--r--src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.c34
-rw-r--r--src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.h33
-rw-r--r--src/contrib/libngtcp2/ngtcp2/version.h4
-rw-r--r--src/knot/Makefile.inc1
-rw-r--r--src/knot/dnssec/kasp/kasp_zone.c2
-rw-r--r--src/knot/dnssec/key-events.c30
-rw-r--r--src/knot/dnssec/zone-sign.c34
-rw-r--r--src/knot/include/module.h16
-rw-r--r--src/knot/modules/authsignal/Makefile.inc12
-rw-r--r--src/knot/modules/authsignal/authsignal.c88
-rw-r--r--src/knot/modules/authsignal/authsignal.rst41
-rw-r--r--src/knot/nameserver/query_module.c37
-rw-r--r--src/knot/query/quic-requestor.c1
-rw-r--r--src/knot/zone/semantic-check.c4
-rw-r--r--src/knot/zone/semantic-check.h3
-rw-r--r--src/libdnssec/version.h2
-rw-r--r--src/libknot/errcode.h1
-rw-r--r--src/libknot/error.c1
-rw-r--r--src/libknot/rrset-dump.c8
-rw-r--r--src/libknot/rrset.h21
-rw-r--r--src/libknot/version.h2
-rw-r--r--src/libknot/xdp/protocols.h2
-rw-r--r--src/libzscanner/error.c4
-rw-r--r--src/libzscanner/error.h3
-rw-r--r--src/libzscanner/scanner.c.g2313
-rw-r--r--src/libzscanner/scanner.c.t023
-rw-r--r--src/libzscanner/scanner.h4
-rw-r--r--src/libzscanner/scanner_body.rl25
-rw-r--r--src/libzscanner/version.h2
-rw-r--r--src/utils/kzonecheck/main.c47
-rw-r--r--src/utils/kzonecheck/zone_check.c37
-rw-r--r--src/utils/kzonecheck/zone_check.h4
-rw-r--r--tests/knot/semantic_check_data/dnskey_keytags.many30
-rw-r--r--tests/knot/semantic_check_data/dnskey_keytags.more24
-rw-r--r--tests/knot/test_semantic_check.in4
-rw-r--r--tests/libknot/test_rrset.c42
-rw-r--r--tests/libzscanner/data/57_SVCB.in6
-rw-r--r--tests/libzscanner/data/57_SVCB.out16
56 files changed, 1389 insertions, 464 deletions
diff --git a/NEWS b/NEWS
index 4b61068..b0d353d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,26 @@
+Knot DNS 3.3.5 (2024-03-06)
+===========================
+
+Features:
+---------
+ - knotd: new module mod-authsignal for automatic authenticated DNSSEC
+ bootstrapping records synthesis (Thanks to Peter Thomassen)
+ - kzonecheck: new optional ZONEMD verification (see option '-z')
+
+Improvements:
+-------------
+ - knotd: new DNSSEC key rollover log informs about next planned key action
+ - knotd, kzonecheck: added limit on non-matching keys with a duplicate keytag
+ - knot-exporter: added counter-type variant for each metric (Thanks to Marcel Koch)
+ - libs: upgraded embedded libngtcp2 to 1.3.0
+ - doc: various fixes and updates
+
+Bugfixes:
+---------
+ - knotd, kzonecheck: failed to validate RRSIG if there are more keys with the same keytag
+ - knotd, kzonecheck: failed to validate zone with more CSK keys
+ - libknot: insufficient check for malformed TCP header options over XDP
+
Knot DNS 3.3.4 (2024-01-24)
===========================
diff --git a/configure b/configure
index fe667d7..8862244 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for knot 3.3.4.
+# Generated by GNU Autoconf 2.71 for knot 3.3.5.
#
# Report bugs to <knot-dns@labs.nic.cz>.
#
@@ -621,8 +621,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='knot'
PACKAGE_TARNAME='knot'
-PACKAGE_VERSION='3.3.4'
-PACKAGE_STRING='knot 3.3.4'
+PACKAGE_VERSION='3.3.5'
+PACKAGE_STRING='knot 3.3.5'
PACKAGE_BUGREPORT='knot-dns@labs.nic.cz'
PACKAGE_URL=''
@@ -778,6 +778,10 @@ SHARED_MODULE_cookies_FALSE
SHARED_MODULE_cookies_TRUE
STATIC_MODULE_cookies_FALSE
STATIC_MODULE_cookies_TRUE
+SHARED_MODULE_authsignal_FALSE
+SHARED_MODULE_authsignal_TRUE
+STATIC_MODULE_authsignal_FALSE
+STATIC_MODULE_authsignal_TRUE
liburcu_PKGCONFIG
liburcu_LIBS
liburcu_CFLAGS
@@ -978,6 +982,7 @@ enable_systemd
with_socket_polling
with_memory_allocator
with_urcu
+with_module_authsignal
with_module_cookies
with_module_dnsproxy
with_module_dnstap
@@ -1598,7 +1603,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures knot 3.3.4 to adapt to many kinds of systems.
+\`configure' configures knot 3.3.5 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1669,7 +1674,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of knot 3.3.4:";;
+ short | recursive ) echo "Configuration of knot 3.3.5:";;
esac
cat <<\_ACEOF
@@ -1738,6 +1743,8 @@ Optional Packages:
Use specific memory allocator for the server (e.g.
jemalloc) [default=auto]
--with-urcu=DIR where to find userspace-rcu library
+ --with-module-authsignal=yes|shared|no
+ Build 'authsignal' module [default="yes"]
--with-module-cookies=yes|shared|no
Build 'cookies' module [default="yes"]
--with-module-dnsproxy=yes|shared|no
@@ -1916,7 +1923,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-knot configure 3.3.4
+knot configure 3.3.5
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2267,7 +2274,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by knot $as_me 3.3.4, which was
+It was created by knot $as_me 3.3.5, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -3542,7 +3549,7 @@ fi
# Define the identity of the package.
PACKAGE='knot'
- VERSION='3.3.4'
+ VERSION='3.3.5'
printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h
@@ -5262,7 +5269,7 @@ KNOT_VERSION_MAJOR=3
KNOT_VERSION_MINOR=3
-KNOT_VERSION_PATCH=4
+KNOT_VERSION_PATCH=5
# Store ./configure parameters and CFLAGS
@@ -16971,6 +16978,70 @@ doc_modules=""
+# Check whether --with-module-authsignal was given.
+if test ${with_module_authsignal+y}
+then :
+ withval=$with_module_authsignal; module=$withval
+else $as_nop
+ if test "$enable_modules" = "no"
+then :
+ module=no
+else $as_nop
+ module="yes"
+
+fi
+
+fi
+
+
+ doc_modules="${doc_modules}.. include:: modules/authsignal/authsignal.rst\n"
+
+ STATIC_MODULE_authsignal=no
+ SHARED_MODULE_authsignal=no
+ case $module in #(
+ yes) :
+ STATIC_MODULE_authsignal=yes
+ static_modules="${static_modules}authsignal "
+ static_modules_declars="${static_modules_declars}extern const knotd_mod_api_t knotd_mod_api_authsignal;\n"
+ static_modules_init="${static_modules_init}\\\\\n\t{ &knotd_mod_api_authsignal }," ;; #(
+ shared) :
+ SHARED_MODULE_authsignal=yes
+ shared_modules="${shared_modules}authsignal "
+ if test "" = "non-shareable"
+then :
+ as_fn_error $? "Module authsignal cannot be shared" "$LINENO" 5
+fi
+ if test "$enable_shared" != "yes"
+then :
+ as_fn_error $? "Shared module authsignal requires shared libraries" "$LINENO" 5
+fi ;; #(
+ no) :
+ ;; #(
+ *) :
+ as_fn_error $? "Invalid value '$module' for --with-module-authsignal" "$LINENO" 5
+ ;; #(
+ *) :
+ ;;
+esac
+ if test "$STATIC_MODULE_authsignal" = "yes"; then
+ STATIC_MODULE_authsignal_TRUE=
+ STATIC_MODULE_authsignal_FALSE='#'
+else
+ STATIC_MODULE_authsignal_TRUE='#'
+ STATIC_MODULE_authsignal_FALSE=
+fi
+
+ if test "$SHARED_MODULE_authsignal" = "yes"; then
+ SHARED_MODULE_authsignal_TRUE=
+ SHARED_MODULE_authsignal_FALSE='#'
+else
+ SHARED_MODULE_authsignal_TRUE='#'
+ SHARED_MODULE_authsignal_FALSE=
+fi
+
+
+
+
# Check whether --with-module-cookies was given.
if test ${with_module_cookies+y}
then :
@@ -21137,6 +21208,14 @@ if test -z "${ENABLE_XDP_TRUE}" && test -z "${ENABLE_XDP_FALSE}"; then
as_fn_error $? "conditional \"ENABLE_XDP\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${STATIC_MODULE_authsignal_TRUE}" && test -z "${STATIC_MODULE_authsignal_FALSE}"; then
+ as_fn_error $? "conditional \"STATIC_MODULE_authsignal\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
+if test -z "${SHARED_MODULE_authsignal_TRUE}" && test -z "${SHARED_MODULE_authsignal_FALSE}"; then
+ as_fn_error $? "conditional \"SHARED_MODULE_authsignal\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${STATIC_MODULE_cookies_TRUE}" && test -z "${STATIC_MODULE_cookies_FALSE}"; then
as_fn_error $? "conditional \"STATIC_MODULE_cookies\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -21671,7 +21750,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by knot $as_me 3.3.4, which was
+This file was extended by knot $as_me 3.3.5, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -21739,7 +21818,7 @@ ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-knot config.status 3.3.4
+knot config.status 3.3.5
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 4f68310..cff9690 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@ AC_PREREQ([2.69])
m4_define([knot_VERSION_MAJOR], 3)dnl
m4_define([knot_VERSION_MINOR], 3)dnl
-m4_define([knot_VERSION_PATCH], 4)dnl Leave empty if the master branch!
+m4_define([knot_VERSION_PATCH], 5)dnl Leave empty if the master branch!
m4_include([m4/knot-version.m4])
AC_INIT([knot], [knot_PKG_VERSION], [knot-dns@labs.nic.cz])
@@ -405,6 +405,7 @@ static_modules_declars=""
static_modules_init=""
doc_modules=""
+KNOT_MODULE([authsignal], "yes")
KNOT_MODULE([cookies], "yes")
KNOT_MODULE([dnsproxy], "yes", "non-shareable")
KNOT_MODULE([dnstap], "no")
diff --git a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
index a13be90..d360433 100644
--- a/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
+++ b/distro/pkg/el-7/04-revert-don-t-share-PKCS-11-private-keys.patch
@@ -16,12 +16,6 @@ diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
index cd6bf0bb3..d5cccc759 100644
--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
-@@ -1,4 +1,4 @@
--/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-+/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
-
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype,
return ret;
}
diff --git a/doc/configuration.rst b/doc/configuration.rst
index 193bd78..55457eb 100644
--- a/doc/configuration.rst
+++ b/doc/configuration.rst
@@ -481,6 +481,11 @@ convenience delay the submission is started. The server publishes CDS and CDNSKE
and the user shall propagate them to the parent. The server periodically checks for
DS at the parent zone and when positive, finishes the rollover.
+.. NOTE::
+ As the key timestamp semantics differ between the automatic and manual key
+ management, all key timestamps set in the future, either manually or during
+ a key import, are ignorred (cleared).
+
.. _dnssec-manual-key-management:
Manual key management
@@ -528,22 +533,6 @@ parent zone to include a reference to the new key. This must happen within one
day (in this case) including a delay required to propagate the new DS to
caches.
-.. WARNING::
- If you ever decide to switch from manual key management to automatic key management,
- note that the automatic key management uses
- :ref:`policy_zsk-lifetime` and :ref:`policy_ksk-lifetime` policy configuration
- options to schedule key rollovers and it internally uses timestamps of keys differently
- than in the manual case. As a consequence it might break if the ``retire`` or ``remove`` timestamps
- are set for the manually generated keys currently in use. Make sure to set these timestamps
- to zero using :doc:`keymgr<man_keymgr>`:
-
- .. code-block:: console
-
- $ keymgr myzone.test. set <key_id> retire=0 remove=0
-
- and configure your policy suitably according to :ref:`dnssec-automatic-zsk-management`
- and :ref:`dnssec-automatic-ksk-management`.
-
.. _dnssec-signing:
Zone signing
@@ -570,6 +559,7 @@ The signing is initiated on the following occasions:
- Zone reload
- Reaching the signature refresh period
- Key set changed due to rollover event
+- NSEC3 salt is changed
- Received DDNS update
- Forced zone re-sign via server control interface
diff --git a/doc/man/knot.conf.5in b/doc/man/knot.conf.5in
index 72f0a4a..a951b7c 100644
--- a/doc/man/knot.conf.5in
+++ b/doc/man/knot.conf.5in
@@ -67,9 +67,10 @@ the following symbols:
.UNINDENT
.sp
The configuration consists of several fixed sections and optional module
-sections. There are 16 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
+sections. There are 17 fixed sections (\fBmodule\fP, \fBserver\fP, \fBxdp\fP, \fBcontrol\fP,
\fBlog\fP, \fBstatistics\fP, \fBdatabase\fP, \fBkeystore\fP, \fBkey\fP, \fBremote\fP,
-\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBpolicy\fP, \fBtemplate\fP, \fBzone\fP).
+\fBremotes\fP, \fBacl\fP, \fBsubmission\fP, \fBdnskey\-sync\fP, \fBpolicy\fP, \fBtemplate\fP,
+\fBzone\fP).
Module sections are prefixed with the \fBmod\-\fP prefix (e.g. \fBmod\-stats\fP).
.sp
Most of the sections (e.g. \fBzone\fP) are sequences of settings blocks. Each
@@ -964,7 +965,7 @@ Minimum severity level for messages related to QUIC to be logged.
Minimum severity level for all message types, except \fBquic\fP, to be logged.
.sp
\fIDefault:\fP not set
-.SH STATS SECTION
+.SH STATISTICS SECTION
.sp
Periodic server statistics dumping.
.INDENT 0.0
@@ -1871,7 +1872,8 @@ More exactly, this period is measured since a ZSK is activated,
and after this, a new ZSK is generated to replace it within
following roll\-over.
.sp
-ZSK key lifetime is also influenced by propagation\-delay and dnskey\-ttl
+As a consequence, in normal operation, this results in the period
+of ZSK generation being \fIzsk\-lifetime + propagation\-delay + dnskey_ttl\fP\&.
.sp
Zero (aka infinity) value causes no ZSK rollover as a result.
.UNINDENT
@@ -2032,6 +2034,14 @@ Module \fI\%Onlinesign\fP doesn\(aqt support DS push.
.UNINDENT
.UNINDENT
.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+When turning this feature on while a KSK roll\-over is already running, it might
+not take effect for the already\-running roll\-over.
+.UNINDENT
+.UNINDENT
+.sp
\fIDefault:\fP not set
.SS dnskey\-sync
.sp
@@ -2567,6 +2577,8 @@ List of DNSSEC checks:
.IP \(bu 2
Every zone RRSet is correctly signed by at least one present DNSKEY.
.IP \(bu 2
+For every RRSIG there are at most 3 non\-matching DNSKEYs with the same keytag.
+.IP \(bu 2
DNSKEY RRSet is signed by KSK.
.IP \(bu 2
NSEC(3) RR exists for each name (unless opt\-out) with correct bitmap.
diff --git a/doc/man/kzonecheck.1in b/doc/man/kzonecheck.1in
index 380c41f..a73b66e 100644
--- a/doc/man/kzonecheck.1in
+++ b/doc/man/kzonecheck.1in
@@ -59,6 +59,9 @@ Zone origin. If not specified, the origin is determined from the file name
Also check DNSSEC\-related records. The default is to decide based on the
existence of a RRSIG for SOA.
.TP
+\fB\-z\fP, \fB\-\-zonemd\fP
+Also check the zone hash against a ZONEMD record, which is required to exist.
+.TP
\fB\-t\fP, \fB\-\-time\fP \fItime\fP
Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
format, or [+/\-]\fItime\fP[unit] format, where unit can be \fBY\fP, \fBM\fP,
diff --git a/doc/man_kzonecheck.rst b/doc/man_kzonecheck.rst
index 4a815a4..3a10863 100644
--- a/doc/man_kzonecheck.rst
+++ b/doc/man_kzonecheck.rst
@@ -36,6 +36,9 @@ Options
Also check DNSSEC-related records. The default is to decide based on the
existence of a RRSIG for SOA.
+**-z**, **--zonemd**
+ Also check the zone hash against a ZONEMD record, which is required to exist.
+
**-t**, **--time** *time*
Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS
format, or [+/-]\ *time*\ [unit] format, where unit can be **Y**, **M**,
diff --git a/doc/operation.rst b/doc/operation.rst
index f953719..43e13ff 100644
--- a/doc/operation.rst
+++ b/doc/operation.rst
@@ -35,6 +35,13 @@ or to the corresponding manual page.
Also, the server needs to create :ref:`server_rundir` and :ref:`zone_storage`
directories in order to run properly.
+.. NOTE::
+
+ Avoid editing of or other manipulation with configuration file during start
+ or reload of :doc:`knotd<man_knotd>` or start of :doc:`knotc<man_knotc>`
+ and other :doc:`utilities<utilities>` which use it. There is a risk of
+ malfunction or a :ref:`crash<Bus error>` otherwise.
+
.. _Configuration database:
Configuration database
@@ -199,10 +206,10 @@ Knot DNS allows you to read or change zone contents online using the server
control interface.
.. WARNING::
- Avoid concurrent zone access when a zone event (zone file load, refresh,
- DNSSEC signing, dynamic update) is in progress or pending. In such a case
- zone events must be frozen before. For more information on how to freeze the
- zone read :ref:`Editing zone file`.
+ Avoid concurrent zone access from a third party software when a zone event
+ (zone file load, refresh, DNSSEC signing, dynamic update) is in progress or
+ pending. In such a case, zone events must be frozen before. For more
+ information on how to freeze the zone read :ref:`Editing zone file`.
To get contents of all configured zones, or a specific zone contents, or zone
records with a specific owner, or even with a specific record type::
@@ -270,9 +277,9 @@ Reading and editing the zone file safely
========================================
It's always possible to read and edit zone contents via zone file manipulation.
-It may lead to confusion, however, if the zone contents are continuously being
-changed by DDNS, DNSSEC signing and the like. In such a case, the safe way to
-modify the zone file is to freeze zone events first::
+It may lead to confusion or even a :ref:`program crash<Bus error>`, however, if
+the zone contents are continuously being changed by DDNS, DNSSEC signing and the like.
+In such a case, the safe way to modify the zone file is to freeze zone events first::
$ knotc -b zone-freeze example.com.
$ knotc -b zone-flush example.com.
@@ -419,6 +426,9 @@ only stored in the journal.
current SOA serial in the zone (not in the zone file) if manually updated!
This is important to ensure consistency of the journal and outgoing IXFR.
+.. NOTE::
+ This mode is not suitable if the zone can be modified externally (e.g. DDNS, knotc).
+
Example 4
---------
@@ -436,6 +446,9 @@ the information about the last real SOA serial is preserved in case of server re
The sizing of journal limits needs to be taken into consideration
(see :ref:`Journal behaviour`).
+.. NOTE::
+ This mode is not suitable if the zone can be modified externally (e.g. DDNS, knotc).
+
.. _Zone bootstrap:
Zone bootstrapping on secondary
@@ -583,8 +596,8 @@ Automatic KSK and ZSK rollovers example
Let's start with the following set of keys::
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, key, tag 53594, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
The last fields hint the key state: ``public`` denotes a key that will be presented
as the DNSKEY record, ``ready`` means that CDS/CDNSKEY records were created,
@@ -610,115 +623,121 @@ For demonstration purposes, the following configuration is used::
Upon the zone's KSK lifetime expiration, a new KSK is generated and the rollover
continues along the lines of :rfc:`6781#section-4.1.2`::
- # KSK Rollover (50613 -> 9081)
+ # KSK Rollover (53594 -> 3375)
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, KSK rollover started
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active+
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:50:00+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:50:12+0200
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, KSK rollover started
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, next key action, KSK tag 3375, submit at 2024-02-14T15:20:12+0100
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, key, tag 53594, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active+
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111204
+ 2024-02-14T15:20:00+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:20:12+0100
... (propagation-delay + dnskey-ttl) ...
- 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:50:12+0200 notice: [example.com.] DNSSEC, KSK submission, waiting for confirmation
- 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, ready, active+
- 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:50:12+0200 info: [example.com.] DNSSEC, next signing at 2021-05-17T20:49:56+0200
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:20:12+0100 notice: [example.com.] DNSSEC, KSK submission, waiting for confirmation
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, key, tag 53594, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, ready, active+
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111205
+ 2024-02-14T15:20:12+0100 info: [example.com.] DNSSEC, next signing at 2024-02-28T15:19:37+0100
At this point the new KSK has to be submitted to the parent zone. Knot detects the updated parent's DS
record automatically (and waits for additional period of the DS's TTL before retiring the old key)
if :ref:`parent DS check<Submission section>` is configured, otherwise the
operator must confirm it manually (using ``knotc zone-ksk-submitted``)::
- 2021-05-10T20:50:12+0200 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300, KSK submission check: negative
- 2021-05-10T20:50:14+0200 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300, KSK submission check: negative
- 2021-05-10T20:50:16+0200 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300, KSK submission check: positive
- 2021-05-10T20:50:16+0200 notice: [example.com.] DNSSEC, KSK submission, confirmed
- 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, key, tag 50613, algorithm ECDSAP256SHA256, KSK, public, active+
- 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:50:16+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:50:23+0200
+ 2024-02-14T15:20:12+0100 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300 TCP, KSK submission check: negative
+ 2024-02-14T15:20:14+0100 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300 TCP/pool, KSK submission check: negative
+ 2024-02-14T15:20:16+0100 info: [example.com.] DS check, outgoing, remote 127.0.0.1@5300 TCP/pool, KSK submission check: positive
+ 2024-02-14T15:20:16+0100 notice: [example.com.] DNSSEC, KSK submission, confirmed
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, key, tag 53594, algorithm ECDSAP256SHA256, KSK, public, active+
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111206
+ 2024-02-14T15:20:16+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:20:23+0100
... (parent's DS TTL is 7 seconds) ...
- 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:50:23+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:51:56+0200
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, next key action, ZSK, generate at 2024-02-14T15:21:54+0100
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111207
+ 2024-02-14T15:20:23+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:21:54+0100
Upon the zone's ZSK lifetime expiration, a new ZSK is generated and the rollover
continues along the lines of :rfc:`6781#section-4.1.1`::
- # ZSK Rollover (62932 -> 33255)
+ # ZSK Rollover (36185 -> 38559)
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, ZSK rollover started
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:51:56+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:52:08+0200
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, ZSK rollover started
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, next key action, ZSK tag 38559, replace at 2024-02-14T15:22:06+0100
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111208
+ 2024-02-14T15:21:54+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:22:06+0100
... (propagation-delay + dnskey-ttl) ...
- 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, key, tag 62932, algorithm ECDSAP256SHA256, public
- 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:52:08+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:52:25+0200
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, next key action, ZSK tag 36185, remove at 2024-02-14T15:22:23+0100
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, key, tag 36185, algorithm ECDSAP256SHA256, public
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111209
+ 2024-02-14T15:22:06+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:22:23+0100
... (propagation-delay + zone-max-ttl) ...
- 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:52:25+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:54:08+0200
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, next key action, ZSK, generate at 2024-02-14T15:24:06+0100
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111210
+ 2024-02-14T15:22:23+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:24:06+0100
Further rollovers::
... (zsk-lifetime - propagation-delay - zone-max-ttl) ...
- # Another ZSK Rollover (33255 -> 49526)
+ # Another ZSK Rollover (38559 -> 59825)
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, ZSK rollover started
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, key, tag 33255, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, key, tag 49526, algorithm ECDSAP256SHA256, public
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:54:08+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:54:20+0200
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, ZSK rollover started
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, next key action, ZSK tag 59825, replace at 2024-02-14T15:24:18+0100
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, key, tag 38559, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, key, tag 59825, algorithm ECDSAP256SHA256, public
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111211
+ 2024-02-14T15:24:06+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:24:18+0100
...
- # Another KSK Rollover (9081 -> 9179)
+ # Another KSK Rollover (3375 -> 50822)
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, signing zone
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, KSK rollover started
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, key, tag 9081, algorithm ECDSAP256SHA256, KSK, public, active
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, key, tag 49526, algorithm ECDSAP256SHA256, public, active
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, key, tag 9179, algorithm ECDSAP256SHA256, KSK, public, active+
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, signing started
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, successfully signed
- 2021-05-10T20:55:00+0200 info: [example.com.] DNSSEC, next signing at 2021-05-10T20:55:12+0200
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, signing zone
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, KSK rollover started
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, next key action, KSK tag 50822, submit at 2024-02-14T15:25:12+0100
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, key, tag 3375, algorithm ECDSAP256SHA256, KSK, public, active
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, key, tag 59825, algorithm ECDSAP256SHA256, public, active
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, key, tag 50822, algorithm ECDSAP256SHA256, KSK, public, active+
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, signing started
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, successfully signed, serial 2010111214
+ 2024-02-14T15:25:00+0100 info: [example.com.] DNSSEC, next signing at 2024-02-14T15:25:12+0100
...
@@ -1360,6 +1379,7 @@ Pre-requisites
ethtool -K <interface> tx-vlan-offload off rx-vlan-offload off
+.. _Mode XDP_optimizations:
Optimizations
-------------
@@ -1372,6 +1392,8 @@ Some helpful commands::
ethtool -G <interface> rx <?> tx <?>
renice -n 19 -p $(pgrep '^ksoftirqd/[0-9]*$')
+.. _Mode XDP_limitations:
+
Limitations
-----------
diff --git a/doc/reference.rst b/doc/reference.rst
index ad4feb9..45574dc 100644
--- a/doc/reference.rst
+++ b/doc/reference.rst
@@ -32,9 +32,10 @@ the following symbols:
- ``|`` – Choice
The configuration consists of several fixed sections and optional module
-sections. There are 16 fixed sections (``module``, ``server``, ``xdp``, ``control``,
+sections. There are 17 fixed sections (``module``, ``server``, ``xdp``, ``control``,
``log``, ``statistics``, ``database``, ``keystore``, ``key``, ``remote``,
-``remotes``, ``acl``, ``submission``, ``policy``, ``template``, ``zone``).
+``remotes``, ``acl``, ``submission``, ``dnskey-sync``, ``policy``, ``template``,
+``zone``).
Module sections are prefixed with the ``mod-`` prefix (e.g. ``mod-stats``).
Most of the sections (e.g. ``zone``) are sequences of settings blocks. Each
@@ -1045,8 +1046,8 @@ Minimum severity level for all message types, except ``quic``, to be logged.
.. _stats section:
-``stats`` section
-=================
+``statistics`` section
+======================
Periodic server statistics dumping.
@@ -2039,7 +2040,8 @@ A period between ZSK activation and the next rollover initiation.
and after this, a new ZSK is generated to replace it within
following roll-over.
- ZSK key lifetime is also influenced by propagation-delay and dnskey-ttl
+ As a consequence, in normal operation, this results in the period
+ of ZSK generation being `zsk-lifetime + propagation-delay + dnskey_ttl`.
Zero (aka infinity) value causes no ZSK rollover as a result.
@@ -2226,6 +2228,10 @@ It's possible to manage both child and parent zones by the same Knot DNS server.
.. NOTE::
Module :ref:`Onlinesign<mod-onlinesign>` doesn't support DS push.
+.. NOTE::
+ When turning this feature on while a KSK roll-over is already running, it might
+ not take effect for the already-running roll-over.
+
*Default:* not set
.. _policy_dnskey-sync:
@@ -2780,6 +2786,7 @@ is cancelled with an error, and either none or previous zone state is published.
List of DNSSEC checks:
- Every zone RRSet is correctly signed by at least one present DNSKEY.
+- For every RRSIG there are at most 3 non-matching DNSKEYs with the same keytag.
- DNSKEY RRSet is signed by KSK.
- NSEC(3) RR exists for each name (unless opt-out) with correct bitmap.
- Every NSEC(3) RR is linked to the lexicographically next one.
diff --git a/doc/troubleshooting.rst b/doc/troubleshooting.rst
index 3d7c359..5bd1d90 100644
--- a/doc/troubleshooting.rst
+++ b/doc/troubleshooting.rst
@@ -9,7 +9,7 @@ First of all, check the logs. Enabling at least the ``warning`` message
severity may help you to identify some problems. See the :ref:`log section`
for details.
-.. _Submitting a bugreport:
+.. _Submitting a bugreport:
Reporting bugs
==============
@@ -46,7 +46,7 @@ addition at least the following information:
If possible, please provide a minimal configuration file and zone files which
can be used to reproduce the bug.
-.. _Generating backtrace:
+.. _Generating backtrace:
Generating backtrace
====================
@@ -108,3 +108,16 @@ If you fail to get a backtrace of a running process using the previous method,
you may try the single-purpose ``pstack`` utility::
$ pstack $(pidof knotd) > backtrace.txt
+
+.. _Bus error:
+
+Crash caused by a Bus error
+===========================
+
+Zone files and a configuration file are usually accessed as
+`mmaped <https://pubs.opengroup.org/onlinepubs/9699919799/functions/mmap.html>`_
+files. If such files are changed or truncated at the same time when those files
+are being loaded/reloaded by the program, it may result in `Bus error
+(SIGBUS) <https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/signal.h.html>`_
+and a program crash. If you encounter a Bus error, first check that there isn't
+a concurrent write access from an external program to the respective files.
diff --git a/python/knot_exporter/knot_exporter/knot_exporter.py b/python/knot_exporter/knot_exporter/knot_exporter.py
index 32f3339..f106772 100755
--- a/python/knot_exporter/knot_exporter/knot_exporter.py
+++ b/python/knot_exporter/knot_exporter/knot_exporter.py
@@ -12,6 +12,7 @@ import libknot
import libknot.control
from prometheus_client.core import REGISTRY
+from prometheus_client.core import CounterMetricFamily
from prometheus_client.core import GaugeMetricFamily
from prometheus_client.exposition import MetricsHandler
@@ -71,8 +72,11 @@ class KnotCollector(object):
def metric_families_append(family, labels, labels_val, data):
m = metric_families.get(family, GaugeMetricFamily(family, '', labels=labels))
+ c = metric_families.get(family + '_total', CounterMetricFamily(family, '', labels=labels))
m.add_metric(labels_val, data)
+ c.add_metric(labels_val, data)
metric_families[family] = m
+ metric_families[family + '_total'] = c
if self.collect_meminfo:
# Get global metrics.
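Review bot: The counter family added with `c = metric_families.get(family + '_total', CounterMetricFamily(family, '', labels=labels))` ends up with the same metric name as the gauge on the line above, because prometheus_client strips a trailing `_total` from a counter family's name and re-appends it only on the samples; the exposition then emits two HELP/TYPE blocks for the name `family` (one `gauge`, one `counter`), which the Prometheus text parser is likely to reject as a duplicate, so the counter needs a distinct base name (a suffix chosen by the project, e.g. `CounterMetricFamily(family + '_<suffix>', '', labels=labels)`). Exporting every value as both a gauge and a counter also breaks counter semantics for non-monotonic data, and the `if self.collect_meminfo:` context line suggests this helper feeds memory figures as well; restricting the counter to families known to be monotonic keeps `rate()`/`increase()` meaningful. Note too that `.get(key, Default(...))` constructs a new family object on every call even when the key already exists, which the new line doubles; `metric_families.setdefault(...)` or an explicit `in` check avoids that. `metric_families_append` and the enclosing method continue outside the hunk.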
diff --git a/src/Makefile.in b/src/Makefile.in
index 5b04f9c..df978b4 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -137,49 +137,51 @@ host_triplet = @host@
@HAVE_DAEMON_TRUE@am__append_19 = libknotd.la
@HAVE_DAEMON_TRUE@am__append_20 = knotd.pc
-@STATIC_MODULE_cookies_TRUE@am__append_21 = $(knot_modules_cookies_la_SOURCES)
-@SHARED_MODULE_cookies_TRUE@am__append_22 = knot/modules/cookies.la
-@STATIC_MODULE_dnsproxy_TRUE@am__append_23 = $(knot_modules_dnsproxy_la_SOURCES)
-@SHARED_MODULE_dnsproxy_TRUE@am__append_24 = knot/modules/dnsproxy.la
-@STATIC_MODULE_dnstap_TRUE@am__append_25 = $(knot_modules_dnstap_la_SOURCES)
-@STATIC_MODULE_dnstap_TRUE@am__append_26 = $(DNSTAP_CFLAGS)
-@STATIC_MODULE_dnstap_TRUE@am__append_27 = $(libdnstap_LIBS)
-@SHARED_MODULE_dnstap_TRUE@am__append_28 = knot/modules/dnstap.la
-@STATIC_MODULE_geoip_TRUE@am__append_29 = $(knot_modules_geoip_la_SOURCES)
-@STATIC_MODULE_geoip_TRUE@am__append_30 = $(libmaxminddb_CFLAGS)
-@STATIC_MODULE_geoip_TRUE@am__append_31 = $(libmaxminddb_LIBS)
-@SHARED_MODULE_geoip_TRUE@am__append_32 = knot/modules/geoip.la
-@STATIC_MODULE_noudp_TRUE@am__append_33 = $(knot_modules_noudp_la_SOURCES)
-@SHARED_MODULE_noudp_TRUE@am__append_34 = knot/modules/noudp.la
-@STATIC_MODULE_onlinesign_TRUE@am__append_35 = $(knot_modules_onlinesign_la_SOURCES)
-@SHARED_MODULE_onlinesign_TRUE@am__append_36 = knot/modules/onlinesign.la
-@STATIC_MODULE_probe_TRUE@am__append_37 = $(knot_modules_probe_la_SOURCES)
-@SHARED_MODULE_probe_TRUE@am__append_38 = knot/modules/probe.la
-@STATIC_MODULE_queryacl_TRUE@am__append_39 = $(knot_modules_queryacl_la_SOURCES)
-@SHARED_MODULE_queryacl_TRUE@am__append_40 = knot/modules/queryacl.la
-@STATIC_MODULE_rrl_TRUE@am__append_41 = $(knot_modules_rrl_la_SOURCES)
-@SHARED_MODULE_rrl_TRUE@am__append_42 = knot/modules/rrl.la
-@STATIC_MODULE_stats_TRUE@am__append_43 = $(knot_modules_stats_la_SOURCES)
-@SHARED_MODULE_stats_TRUE@am__append_44 = knot/modules/stats.la
-@STATIC_MODULE_synthrecord_TRUE@am__append_45 = $(knot_modules_synthrecord_la_SOURCES)
-@SHARED_MODULE_synthrecord_TRUE@am__append_46 = knot/modules/synthrecord.la
-@STATIC_MODULE_whoami_TRUE@am__append_47 = $(knot_modules_whoami_la_SOURCES)
-@SHARED_MODULE_whoami_TRUE@am__append_48 = knot/modules/whoami.la
+@STATIC_MODULE_authsignal_TRUE@am__append_21 = $(knot_modules_authsignal_la_SOURCES)
+@SHARED_MODULE_authsignal_TRUE@am__append_22 = knot/modules/authsignal.la
+@STATIC_MODULE_cookies_TRUE@am__append_23 = $(knot_modules_cookies_la_SOURCES)
+@SHARED_MODULE_cookies_TRUE@am__append_24 = knot/modules/cookies.la
+@STATIC_MODULE_dnsproxy_TRUE@am__append_25 = $(knot_modules_dnsproxy_la_SOURCES)
+@SHARED_MODULE_dnsproxy_TRUE@am__append_26 = knot/modules/dnsproxy.la
+@STATIC_MODULE_dnstap_TRUE@am__append_27 = $(knot_modules_dnstap_la_SOURCES)
+@STATIC_MODULE_dnstap_TRUE@am__append_28 = $(DNSTAP_CFLAGS)
+@STATIC_MODULE_dnstap_TRUE@am__append_29 = $(libdnstap_LIBS)
+@SHARED_MODULE_dnstap_TRUE@am__append_30 = knot/modules/dnstap.la
+@STATIC_MODULE_geoip_TRUE@am__append_31 = $(knot_modules_geoip_la_SOURCES)
+@STATIC_MODULE_geoip_TRUE@am__append_32 = $(libmaxminddb_CFLAGS)
+@STATIC_MODULE_geoip_TRUE@am__append_33 = $(libmaxminddb_LIBS)
+@SHARED_MODULE_geoip_TRUE@am__append_34 = knot/modules/geoip.la
+@STATIC_MODULE_noudp_TRUE@am__append_35 = $(knot_modules_noudp_la_SOURCES)
+@SHARED_MODULE_noudp_TRUE@am__append_36 = knot/modules/noudp.la
+@STATIC_MODULE_onlinesign_TRUE@am__append_37 = $(knot_modules_onlinesign_la_SOURCES)
+@SHARED_MODULE_onlinesign_TRUE@am__append_38 = knot/modules/onlinesign.la
+@STATIC_MODULE_probe_TRUE@am__append_39 = $(knot_modules_probe_la_SOURCES)
+@SHARED_MODULE_probe_TRUE@am__append_40 = knot/modules/probe.la
+@STATIC_MODULE_queryacl_TRUE@am__append_41 = $(knot_modules_queryacl_la_SOURCES)
+@SHARED_MODULE_queryacl_TRUE@am__append_42 = knot/modules/queryacl.la
+@STATIC_MODULE_rrl_TRUE@am__append_43 = $(knot_modules_rrl_la_SOURCES)
+@SHARED_MODULE_rrl_TRUE@am__append_44 = knot/modules/rrl.la
+@STATIC_MODULE_stats_TRUE@am__append_45 = $(knot_modules_stats_la_SOURCES)
+@SHARED_MODULE_stats_TRUE@am__append_46 = knot/modules/stats.la
+@STATIC_MODULE_synthrecord_TRUE@am__append_47 = $(knot_modules_synthrecord_la_SOURCES)
+@SHARED_MODULE_synthrecord_TRUE@am__append_48 = knot/modules/synthrecord.la
+@STATIC_MODULE_whoami_TRUE@am__append_49 = $(knot_modules_whoami_la_SOURCES)
+@SHARED_MODULE_whoami_TRUE@am__append_50 = knot/modules/whoami.la
bin_PROGRAMS = $(am__EXEEXT_1) $(am__EXEEXT_2)
sbin_PROGRAMS = $(am__EXEEXT_3) $(am__EXEEXT_4) $(am__EXEEXT_5)
-@HAVE_LIBUTILS_TRUE@am__append_49 = libknotus.la
-@EMBEDDED_LIBNGTCP2_TRUE@@HAVE_LIBUTILS_TRUE@am__append_50 = $(libembngtcp2_LIBS)
-@HAVE_UTILS_TRUE@am__append_51 = kdig khost knsec3hash knsupdate
-@HAVE_DNSTAP_TRUE@@HAVE_UTILS_TRUE@am__append_52 = $(DNSTAP_CFLAGS)
-@HAVE_DNSTAP_TRUE@@HAVE_UTILS_TRUE@am__append_53 = $(libdnstap_LIBS)
+@HAVE_LIBUTILS_TRUE@am__append_51 = libknotus.la
+@EMBEDDED_LIBNGTCP2_TRUE@@HAVE_LIBUTILS_TRUE@am__append_52 = $(libembngtcp2_LIBS)
+@HAVE_UTILS_TRUE@am__append_53 = kdig khost knsec3hash knsupdate
@HAVE_DNSTAP_TRUE@@HAVE_UTILS_TRUE@am__append_54 = $(DNSTAP_CFLAGS)
@HAVE_DNSTAP_TRUE@@HAVE_UTILS_TRUE@am__append_55 = $(libdnstap_LIBS)
-@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@am__append_56 = kxdpgun
-@ENABLE_QUIC_TRUE@@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@am__append_57 = $(gnutls_CFLAGS)
-@ENABLE_QUIC_TRUE@@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@am__append_58 = $(gnutls_LIBS)
-@HAVE_DAEMON_TRUE@am__append_59 = knotc knotd
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@am__append_60 = kzonecheck kzonesign
-@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@am__append_61 = keymgr kjournalprint kcatalogprint
+@HAVE_DNSTAP_TRUE@@HAVE_UTILS_TRUE@am__append_56 = $(DNSTAP_CFLAGS)
+@HAVE_DNSTAP_TRUE@@HAVE_UTILS_TRUE@am__append_57 = $(libdnstap_LIBS)
+@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@am__append_58 = kxdpgun
+@ENABLE_QUIC_TRUE@@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@am__append_59 = $(gnutls_CFLAGS)
+@ENABLE_QUIC_TRUE@@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@am__append_60 = $(gnutls_LIBS)
+@HAVE_DAEMON_TRUE@am__append_61 = knotc knotd
+@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@am__append_62 = kzonecheck kzonesign
+@HAVE_DAEMON_TRUE@@HAVE_UTILS_TRUE@am__append_63 = keymgr kjournalprint kcatalogprint
subdir = src
SUBDIRS =
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
@@ -247,20 +249,31 @@ am__uninstall_files_from_dir = { \
}
LTLIBRARIES = $(lib_LTLIBRARIES) $(noinst_LTLIBRARIES) \
$(pkglib_LTLIBRARIES)
+knot_modules_authsignal_la_LIBADD =
+am__dirstamp = $(am__leading_dot)dirstamp
+am_knot_modules_authsignal_la_OBJECTS = \
+ knot/modules/authsignal/la-authsignal.lo
+knot_modules_authsignal_la_OBJECTS = \
+ $(am_knot_modules_authsignal_la_OBJECTS)
+AM_V_lt = $(am__v_lt_@AM_V@)
+am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 =
+knot_modules_authsignal_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+ $(AM_CFLAGS) $(CFLAGS) $(knot_modules_authsignal_la_LDFLAGS) \
+ $(LDFLAGS) -o $@
+@SHARED_MODULE_authsignal_TRUE@am_knot_modules_authsignal_la_rpath = \
+@SHARED_MODULE_authsignal_TRUE@ -rpath $(pkglibdir)
am__DEPENDENCIES_1 =
@USE_GNUTLS_MEMSET_TRUE@am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
am__DEPENDENCIES_3 = libcontrib.la $(am__DEPENDENCIES_2)
@SHARED_MODULE_cookies_TRUE@knot_modules_cookies_la_DEPENDENCIES = \
@SHARED_MODULE_cookies_TRUE@ $(am__DEPENDENCIES_3)
-am__dirstamp = $(am__leading_dot)dirstamp
am_knot_modules_cookies_la_OBJECTS = \
knot/modules/cookies/la-cookies.lo
knot_modules_cookies_la_OBJECTS = \
$(am_knot_modules_cookies_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 =
knot_modules_cookies_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
$(AM_CFLAGS) $(CFLAGS) $(knot_modules_cookies_la_LDFLAGS) \
@@ -748,6 +761,7 @@ am__libknotd_la_SOURCES_DIST = knot/catalog/catalog_db.c \
knot/zone/zonefile.c knot/zone/zonefile.h \
knot/query/quic-requestor.c knot/query/quic-requestor.h \
knot/server/quic-handler.c knot/server/quic-handler.h \
+ knot/modules/authsignal/authsignal.c \
knot/modules/cookies/cookies.c \
knot/modules/dnsproxy/dnsproxy.c knot/modules/dnstap/dnstap.c \
knot/modules/geoip/geoip.c knot/modules/geoip/geodb.c \
@@ -763,33 +777,35 @@ am__libknotd_la_SOURCES_DIST = knot/catalog/catalog_db.c \
@ENABLE_QUIC_TRUE@am__objects_3 = \
@ENABLE_QUIC_TRUE@ knot/query/libknotd_la-quic-requestor.lo \
@ENABLE_QUIC_TRUE@ knot/server/libknotd_la-quic-handler.lo
-am__objects_4 = knot/modules/cookies/libknotd_la-cookies.lo
-@STATIC_MODULE_cookies_TRUE@am__objects_5 = $(am__objects_4)
-am__objects_6 = knot/modules/dnsproxy/libknotd_la-dnsproxy.lo
-@STATIC_MODULE_dnsproxy_TRUE@am__objects_7 = $(am__objects_6)
-am__objects_8 = knot/modules/dnstap/libknotd_la-dnstap.lo
-@STATIC_MODULE_dnstap_TRUE@am__objects_9 = $(am__objects_8)
-am__objects_10 = knot/modules/geoip/libknotd_la-geoip.lo \
+am__objects_4 = knot/modules/authsignal/libknotd_la-authsignal.lo
+@STATIC_MODULE_authsignal_TRUE@am__objects_5 = $(am__objects_4)
+am__objects_6 = knot/modules/cookies/libknotd_la-cookies.lo
+@STATIC_MODULE_cookies_TRUE@am__objects_7 = $(am__objects_6)
+am__objects_8 = knot/modules/dnsproxy/libknotd_la-dnsproxy.lo
+@STATIC_MODULE_dnsproxy_TRUE@am__objects_9 = $(am__objects_8)
+am__objects_10 = knot/modules/dnstap/libknotd_la-dnstap.lo
+@STATIC_MODULE_dnstap_TRUE@am__objects_11 = $(am__objects_10)
+am__objects_12 = knot/modules/geoip/libknotd_la-geoip.lo \
knot/modules/geoip/libknotd_la-geodb.lo
-@STATIC_MODULE_geoip_TRUE@am__objects_11 = $(am__objects_10)
-am__objects_12 = knot/modules/noudp/libknotd_la-noudp.lo
-@STATIC_MODULE_noudp_TRUE@am__objects_13 = $(am__objects_12)
-am__objects_14 = knot/modules/onlinesign/libknotd_la-onlinesign.lo \
+@STATIC_MODULE_geoip_TRUE@am__objects_13 = $(am__objects_12)
+am__objects_14 = knot/modules/noudp/libknotd_la-noudp.lo
+@STATIC_MODULE_noudp_TRUE@am__objects_15 = $(am__objects_14)
+am__objects_16 = knot/modules/onlinesign/libknotd_la-onlinesign.lo \
knot/modules/onlinesign/libknotd_la-nsec_next.lo
-@STATIC_MODULE_onlinesign_TRUE@am__objects_15 = $(am__objects_14)
-am__objects_16 = knot/modules/probe/libknotd_la-probe.lo
-@STATIC_MODULE_probe_TRUE@am__objects_17 = $(am__objects_16)
-am__objects_18 = knot/modules/queryacl/libknotd_la-queryacl.lo
-@STATIC_MODULE_queryacl_TRUE@am__objects_19 = $(am__objects_18)
-am__objects_20 = knot/modules/rrl/libknotd_la-rrl.lo \
+@STATIC_MODULE_onlinesign_TRUE@am__objects_17 = $(am__objects_16)
+am__objects_18 = knot/modules/probe/libknotd_la-probe.lo
+@STATIC_MODULE_probe_TRUE@am__objects_19 = $(am__objects_18)
+am__objects_20 = knot/modules/queryacl/libknotd_la-queryacl.lo
+@STATIC_MODULE_queryacl_TRUE@am__objects_21 = $(am__objects_20)
+am__objects_22 = knot/modules/rrl/libknotd_la-rrl.lo \
knot/modules/rrl/libknotd_la-functions.lo
-@STATIC_MODULE_rrl_TRUE@am__objects_21 = $(am__objects_20)
-am__objects_22 = knot/modules/stats/libknotd_la-stats.lo
-@STATIC_MODULE_stats_TRUE@am__objects_23 = $(am__objects_22)
-am__objects_24 = knot/modules/synthrecord/libknotd_la-synthrecord.lo
-@STATIC_MODULE_synthrecord_TRUE@am__objects_25 = $(am__objects_24)
-am__objects_26 = knot/modules/whoami/libknotd_la-whoami.lo
-@STATIC_MODULE_whoami_TRUE@am__objects_27 = $(am__objects_26)
+@STATIC_MODULE_rrl_TRUE@am__objects_23 = $(am__objects_22)
+am__objects_24 = knot/modules/stats/libknotd_la-stats.lo
+@STATIC_MODULE_stats_TRUE@am__objects_25 = $(am__objects_24)
+am__objects_26 = knot/modules/synthrecord/libknotd_la-synthrecord.lo
+@STATIC_MODULE_synthrecord_TRUE@am__objects_27 = $(am__objects_26)
+am__objects_28 = knot/modules/whoami/libknotd_la-whoami.lo
+@STATIC_MODULE_whoami_TRUE@am__objects_29 = $(am__objects_28)
am_libknotd_la_OBJECTS = knot/catalog/libknotd_la-catalog_db.lo \
knot/catalog/libknotd_la-catalog_update.lo \
knot/catalog/libknotd_la-generate.lo \
@@ -895,7 +911,8 @@ am_libknotd_la_OBJECTS = knot/catalog/libknotd_la-catalog_db.lo \
$(am__objects_5) $(am__objects_7) $(am__objects_9) \
$(am__objects_11) $(am__objects_13) $(am__objects_15) \
$(am__objects_17) $(am__objects_19) $(am__objects_21) \
- $(am__objects_23) $(am__objects_25) $(am__objects_27)
+ $(am__objects_23) $(am__objects_25) $(am__objects_27) \
+ $(am__objects_29)
libknotd_la_OBJECTS = $(am_libknotd_la_OBJECTS)
libknotd_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -939,9 +956,9 @@ libknotus_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
$(libknotus_la_LDFLAGS) $(LDFLAGS) -o $@
@HAVE_LIBUTILS_TRUE@am_libknotus_la_rpath =
libzscanner_la_DEPENDENCIES = $(am__DEPENDENCIES_1)
-am__objects_28 =
+am__objects_30 =
am_libzscanner_la_OBJECTS = libzscanner/la-error.lo \
- libzscanner/la-functions.lo $(am__objects_28)
+ libzscanner/la-functions.lo $(am__objects_30)
nodist_libzscanner_la_OBJECTS = libzscanner/la-scanner.lo
libzscanner_la_OBJECTS = $(am_libzscanner_la_OBJECTS) \
$(nodist_libzscanner_la_OBJECTS)
@@ -1230,6 +1247,8 @@ am__depfiles_remade = contrib/$(DEPDIR)/libcontrib_la-base32hex.Plo \
knot/journal/$(DEPDIR)/libknotd_la-journal_write.Plo \
knot/journal/$(DEPDIR)/libknotd_la-knot_lmdb.Plo \
knot/journal/$(DEPDIR)/libknotd_la-serialization.Plo \
+ knot/modules/authsignal/$(DEPDIR)/la-authsignal.Plo \
+ knot/modules/authsignal/$(DEPDIR)/libknotd_la-authsignal.Plo \
knot/modules/cookies/$(DEPDIR)/la-cookies.Plo \
knot/modules/cookies/$(DEPDIR)/libknotd_la-cookies.Plo \
knot/modules/dnsproxy/$(DEPDIR)/la-dnsproxy.Plo \
@@ -1434,7 +1453,8 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
am__v_CCLD_0 = @echo " CCLD " $@;
am__v_CCLD_1 =
-SOURCES = $(knot_modules_cookies_la_SOURCES) \
+SOURCES = $(knot_modules_authsignal_la_SOURCES) \
+ $(knot_modules_cookies_la_SOURCES) \
$(knot_modules_dnsproxy_la_SOURCES) \
$(knot_modules_dnstap_la_SOURCES) \
$(knot_modules_geoip_la_SOURCES) \
@@ -1455,7 +1475,8 @@ SOURCES = $(knot_modules_cookies_la_SOURCES) \
$(kjournalprint_SOURCES) $(knotc_SOURCES) $(knotd_SOURCES) \
$(knsec3hash_SOURCES) $(knsupdate_SOURCES) $(kxdpgun_SOURCES) \
$(kzonecheck_SOURCES) $(kzonesign_SOURCES)
-DIST_SOURCES = $(knot_modules_cookies_la_SOURCES) \
+DIST_SOURCES = $(knot_modules_authsignal_la_SOURCES) \
+ $(knot_modules_cookies_la_SOURCES) \
$(knot_modules_dnsproxy_la_SOURCES) \
$(knot_modules_dnstap_la_SOURCES) \
$(knot_modules_geoip_la_SOURCES) \
@@ -1546,6 +1567,7 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
$(srcdir)/contrib/Makefile.inc $(srcdir)/knot/Makefile.inc \
+ $(srcdir)/knot/modules/authsignal/Makefile.inc \
$(srcdir)/knot/modules/cookies/Makefile.inc \
$(srcdir)/knot/modules/dnsproxy/Makefile.inc \
$(srcdir)/knot/modules/dnstap/Makefile.inc \
@@ -1804,7 +1826,9 @@ EXTRA_DIST = contrib/licenses/0BSD contrib/licenses/BSD-3-Clause \
contrib/url-parser/LICENSE contrib/url-parser/README.md \
contrib/dnstap/dnstap.proto libzscanner/scanner.rl \
libzscanner/scanner_body.rl libzscanner/scanner.c.g2 \
- libzscanner/scanner.c.t0 knot/modules/cookies/cookies.rst \
+ libzscanner/scanner.c.t0 \
+ knot/modules/authsignal/authsignal.rst \
+ knot/modules/cookies/cookies.rst \
knot/modules/dnsproxy/dnsproxy.rst \
knot/modules/dnstap/dnstap.rst knot/modules/geoip/geoip.rst \
knot/modules/noudp/noudp.rst \
@@ -1818,7 +1842,7 @@ CLEANFILES = $(am__append_5) libzscanner/scanner.c
BUILT_SOURCES = $(am__append_4) libzscanner/scanner.c
lib_LTLIBRARIES = libdnssec.la libknot.la libzscanner.la
noinst_LTLIBRARIES = libcontrib.la $(am__append_3) $(am__append_6) \
- $(am__append_19) $(am__append_49)
+ $(am__append_19) $(am__append_51)
pkgconfig_DATA = libdnssec.pc libknot.pc libzscanner.pc \
$(am__append_20)
libcontrib_la_CPPFLAGS = $(AM_CPPFLAGS) $(CFLAG_VISIBILITY) \
@@ -2137,11 +2161,11 @@ nodist_libzscanner_la_SOURCES = \
libknotd_la_CPPFLAGS = $(AM_CPPFLAGS) $(CFLAG_VISIBILITY) \
$(libkqueue_CFLAGS) $(liburcu_CFLAGS) $(lmdb_CFLAGS) \
$(systemd_CFLAGS) $(gnutls_CFLAGS) $(libngtcp2_CFLAGS) \
- -DKNOTD_MOD_STATIC $(am__append_26) $(am__append_30)
+ -DKNOTD_MOD_STATIC $(am__append_28) $(am__append_32)
libknotd_la_LDFLAGS = $(AM_LDFLAGS) -export-symbols-regex '^knotd_'
libknotd_la_LIBADD = $(dlopen_LIBS) $(libkqueue_LIBS) $(pthread_LIBS) \
- $(libngtcp2_LIBS) $(am__append_17) $(am__append_27) \
- $(am__append_31)
+ $(libngtcp2_LIBS) $(am__append_17) $(am__append_29) \
+ $(am__append_33)
libknotd_LIBS = libknotd.la libknot.la libdnssec.la libzscanner.la \
$(libcontrib_LIBS) $(liburcu_LIBS) $(lmdb_LIBS) \
$(systemd_LIBS) $(gnutls_LIBS)
@@ -2244,16 +2268,20 @@ libknotd_la_SOURCES = knot/catalog/catalog_db.c \
knot/zone/zonedb-load.h knot/zone/zonedb.c knot/zone/zonedb.h \
knot/zone/zonefile.c knot/zone/zonefile.h $(am__append_18) \
$(am__append_21) $(am__append_23) $(am__append_25) \
- $(am__append_29) $(am__append_33) $(am__append_35) \
+ $(am__append_27) $(am__append_31) $(am__append_35) \
$(am__append_37) $(am__append_39) $(am__append_41) \
- $(am__append_43) $(am__append_45) $(am__append_47)
+ $(am__append_43) $(am__append_45) $(am__append_47) \
+ $(am__append_49)
KNOTD_MOD_CPPFLAGS = $(AM_CPPFLAGS) $(CFLAG_VISIBILITY)
KNOTD_MOD_LDFLAGS = $(AM_LDFLAGS) -module -shared -avoid-version
pkglib_LTLIBRARIES = $(am__append_22) $(am__append_24) \
- $(am__append_28) $(am__append_32) $(am__append_34) \
+ $(am__append_26) $(am__append_30) $(am__append_34) \
$(am__append_36) $(am__append_38) $(am__append_40) \
$(am__append_42) $(am__append_44) $(am__append_46) \
- $(am__append_48)
+ $(am__append_48) $(am__append_50)
+knot_modules_authsignal_la_SOURCES = knot/modules/authsignal/authsignal.c
+@SHARED_MODULE_authsignal_TRUE@knot_modules_authsignal_la_LDFLAGS = $(KNOTD_MOD_LDFLAGS)
+@SHARED_MODULE_authsignal_TRUE@knot_modules_authsignal_la_CPPFLAGS = $(KNOTD_MOD_CPPFLAGS)
knot_modules_cookies_la_SOURCES = knot/modules/cookies/cookies.c
@SHARED_MODULE_cookies_TRUE@knot_modules_cookies_la_LDFLAGS = $(KNOTD_MOD_LDFLAGS)
@SHARED_MODULE_cookies_TRUE@knot_modules_cookies_la_CPPFLAGS = $(KNOTD_MOD_CPPFLAGS)
@@ -2316,7 +2344,7 @@ knot_modules_whoami_la_SOURCES = knot/modules/whoami/whoami.c
@HAVE_LIBUTILS_TRUE@libknotus_la_LDFLAGS = $(AM_LDFLAGS) $(LDFLAG_EXCLUDE_LIBS)
@HAVE_LIBUTILS_TRUE@libknotus_la_LIBADD = $(libidn2_LIBS) \
@HAVE_LIBUTILS_TRUE@ $(libidn_LIBS) $(libnghttp2_LIBS) \
-@HAVE_LIBUTILS_TRUE@ $(libngtcp2_LIBS) $(am__append_50)
+@HAVE_LIBUTILS_TRUE@ $(libngtcp2_LIBS) $(am__append_52)
@HAVE_LIBUTILS_TRUE@libknotus_LIBS = libknotus.la libknot.la libdnssec.la $(libcontrib_LIBS) \
@HAVE_LIBUTILS_TRUE@ $(gnutls_LIBS) $(libedit_LIBS)
@@ -2379,11 +2407,11 @@ knot_modules_whoami_la_SOURCES = knot/modules/whoami/whoami.c
@HAVE_UTILS_TRUE@ utils/knsupdate/knsupdate_params.h
@HAVE_UTILS_TRUE@kdig_CPPFLAGS = $(libknotus_la_CPPFLAGS) \
-@HAVE_UTILS_TRUE@ $(am__append_52)
-@HAVE_UTILS_TRUE@kdig_LDADD = $(libknotus_LIBS) $(am__append_53)
-@HAVE_UTILS_TRUE@khost_CPPFLAGS = $(libknotus_la_CPPFLAGS) \
@HAVE_UTILS_TRUE@ $(am__append_54)
-@HAVE_UTILS_TRUE@khost_LDADD = $(libknotus_LIBS) $(am__append_55)
+@HAVE_UTILS_TRUE@kdig_LDADD = $(libknotus_LIBS) $(am__append_55)
+@HAVE_UTILS_TRUE@khost_CPPFLAGS = $(libknotus_la_CPPFLAGS) \
+@HAVE_UTILS_TRUE@ $(am__append_56)
+@HAVE_UTILS_TRUE@khost_LDADD = $(libknotus_LIBS) $(am__append_57)
@HAVE_UTILS_TRUE@knsec3hash_CPPFLAGS = $(libknotus_la_CPPFLAGS)
@HAVE_UTILS_TRUE@knsec3hash_LDADD = libknot.la libdnssec.la $(libcontrib_LIBS)
@HAVE_UTILS_TRUE@knsupdate_CPPFLAGS = $(libknotus_la_CPPFLAGS)
@@ -2398,12 +2426,12 @@ knot_modules_whoami_la_SOURCES = knot/modules/whoami/whoami.c
@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@kxdpgun_CPPFLAGS = \
@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(libknotus_la_CPPFLAGS) \
@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(libmnl_CFLAGS) \
-@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(am__append_57)
+@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(am__append_59)
@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@kxdpgun_LDADD = libknot.la \
@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(libcontrib_LIBS) \
@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(libmnl_LIBS) \
@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(pthread_LIBS) \
-@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(am__append_58)
+@ENABLE_XDP_TRUE@@HAVE_UTILS_TRUE@ $(am__append_60)
@HAVE_DAEMON_TRUE@knotc_SOURCES = \
@HAVE_DAEMON_TRUE@ utils/knotc/commands.c \
@HAVE_DAEMON_TRUE@ utils/knotc/commands.h \
@@ -2465,7 +2493,7 @@ all: $(BUILT_SOURCES) config.h
.SUFFIXES:
.SUFFIXES: .proto .pb-c.c .pb-c.h .c .lo .o .obj
-$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(srcdir)/contrib/Makefile.inc $(srcdir)/libdnssec/Makefile.inc $(srcdir)/libknot/Makefile.inc $(srcdir)/libzscanner/Makefile.inc $(srcdir)/knot/Makefile.inc $(srcdir)/knot/modules/cookies/Makefile.inc $(srcdir)/knot/modules/dnsproxy/Makefile.inc $(srcdir)/knot/modules/dnstap/Makefile.inc $(srcdir)/knot/modules/geoip/Makefile.inc $(srcdir)/knot/modules/noudp/Makefile.inc $(srcdir)/knot/modules/onlinesign/Makefile.inc $(srcdir)/knot/modules/probe/Makefile.inc $(srcdir)/knot/modules/queryacl/Makefile.inc $(srcdir)/knot/modules/rrl/Makefile.inc $(srcdir)/knot/modules/stats/Makefile.inc $(srcdir)/knot/modules/synthrecord/Makefile.inc $(srcdir)/knot/modules/whoami/Makefile.inc $(srcdir)/utils/Makefile.inc $(am__configure_deps)
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(srcdir)/contrib/Makefile.inc $(srcdir)/libdnssec/Makefile.inc $(srcdir)/libknot/Makefile.inc $(srcdir)/libzscanner/Makefile.inc $(srcdir)/knot/Makefile.inc $(srcdir)/knot/modules/authsignal/Makefile.inc $(srcdir)/knot/modules/cookies/Makefile.inc $(srcdir)/knot/modules/dnsproxy/Makefile.inc $(srcdir)/knot/modules/dnstap/Makefile.inc $(srcdir)/knot/modules/geoip/Makefile.inc $(srcdir)/knot/modules/noudp/Makefile.inc $(srcdir)/knot/modules/onlinesign/Makefile.inc $(srcdir)/knot/modules/probe/Makefile.inc $(srcdir)/knot/modules/queryacl/Makefile.inc $(srcdir)/knot/modules/rrl/Makefile.inc $(srcdir)/knot/modules/stats/Makefile.inc $(srcdir)/knot/modules/synthrecord/Makefile.inc $(srcdir)/knot/modules/whoami/Makefile.inc $(srcdir)/utils/Makefile.inc $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
@@ -2485,7 +2513,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
esac;
-$(srcdir)/contrib/Makefile.inc $(srcdir)/libdnssec/Makefile.inc $(srcdir)/libknot/Makefile.inc $(srcdir)/libzscanner/Makefile.inc $(srcdir)/knot/Makefile.inc $(srcdir)/knot/modules/cookies/Makefile.inc $(srcdir)/knot/modules/dnsproxy/Makefile.inc $(srcdir)/knot/modules/dnstap/Makefile.inc $(srcdir)/knot/modules/geoip/Makefile.inc $(srcdir)/knot/modules/noudp/Makefile.inc $(srcdir)/knot/modules/onlinesign/Makefile.inc $(srcdir)/knot/modules/probe/Makefile.inc $(srcdir)/knot/modules/queryacl/Makefile.inc $(srcdir)/knot/modules/rrl/Makefile.inc $(srcdir)/knot/modules/stats/Makefile.inc $(srcdir)/knot/modules/synthrecord/Makefile.inc $(srcdir)/knot/modules/whoami/Makefile.inc $(srcdir)/utils/Makefile.inc $(am__empty):
+$(srcdir)/contrib/Makefile.inc $(srcdir)/libdnssec/Makefile.inc $(srcdir)/libknot/Makefile.inc $(srcdir)/libzscanner/Makefile.inc $(srcdir)/knot/Makefile.inc $(srcdir)/knot/modules/authsignal/Makefile.inc $(srcdir)/knot/modules/cookies/Makefile.inc $(srcdir)/knot/modules/dnsproxy/Makefile.inc $(srcdir)/knot/modules/dnstap/Makefile.inc $(srcdir)/knot/modules/geoip/Makefile.inc $(srcdir)/knot/modules/noudp/Makefile.inc $(srcdir)/knot/modules/onlinesign/Makefile.inc $(srcdir)/knot/modules/probe/Makefile.inc $(srcdir)/knot/modules/queryacl/Makefile.inc $(srcdir)/knot/modules/rrl/Makefile.inc $(srcdir)/knot/modules/stats/Makefile.inc $(srcdir)/knot/modules/synthrecord/Makefile.inc $(srcdir)/knot/modules/whoami/Makefile.inc $(srcdir)/utils/Makefile.inc $(am__empty):
$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
@@ -2729,6 +2757,21 @@ clean-pkglibLTLIBRARIES:
echo rm -f $${locs}; \
rm -f $${locs}; \
}
+knot/modules/authsignal/$(am__dirstamp):
+ @$(MKDIR_P) knot/modules/authsignal
+ @: > knot/modules/authsignal/$(am__dirstamp)
+knot/modules/authsignal/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) knot/modules/authsignal/$(DEPDIR)
+ @: > knot/modules/authsignal/$(DEPDIR)/$(am__dirstamp)
+knot/modules/authsignal/la-authsignal.lo: \
+ knot/modules/authsignal/$(am__dirstamp) \
+ knot/modules/authsignal/$(DEPDIR)/$(am__dirstamp)
+knot/modules/$(am__dirstamp):
+ @$(MKDIR_P) knot/modules
+ @: > knot/modules/$(am__dirstamp)
+
+knot/modules/authsignal.la: $(knot_modules_authsignal_la_OBJECTS) $(knot_modules_authsignal_la_DEPENDENCIES) $(EXTRA_knot_modules_authsignal_la_DEPENDENCIES) knot/modules/$(am__dirstamp)
+ $(AM_V_CCLD)$(knot_modules_authsignal_la_LINK) $(am_knot_modules_authsignal_la_rpath) $(knot_modules_authsignal_la_OBJECTS) $(knot_modules_authsignal_la_LIBADD) $(LIBS)
knot/modules/cookies/$(am__dirstamp):
@$(MKDIR_P) knot/modules/cookies
@: > knot/modules/cookies/$(am__dirstamp)
@@ -2738,9 +2781,6 @@ knot/modules/cookies/$(DEPDIR)/$(am__dirstamp):
knot/modules/cookies/la-cookies.lo: \
knot/modules/cookies/$(am__dirstamp) \
knot/modules/cookies/$(DEPDIR)/$(am__dirstamp)
-knot/modules/$(am__dirstamp):
- @$(MKDIR_P) knot/modules
- @: > knot/modules/$(am__dirstamp)
knot/modules/cookies.la: $(knot_modules_cookies_la_OBJECTS) $(knot_modules_cookies_la_DEPENDENCIES) $(EXTRA_knot_modules_cookies_la_DEPENDENCIES) knot/modules/$(am__dirstamp)
$(AM_V_CCLD)$(knot_modules_cookies_la_LINK) $(am_knot_modules_cookies_la_rpath) $(knot_modules_cookies_la_OBJECTS) $(knot_modules_cookies_la_LIBADD) $(LIBS)
@@ -3700,6 +3740,9 @@ knot/query/libknotd_la-quic-requestor.lo: knot/query/$(am__dirstamp) \
knot/query/$(DEPDIR)/$(am__dirstamp)
knot/server/libknotd_la-quic-handler.lo: knot/server/$(am__dirstamp) \
knot/server/$(DEPDIR)/$(am__dirstamp)
+knot/modules/authsignal/libknotd_la-authsignal.lo: \
+ knot/modules/authsignal/$(am__dirstamp) \
+ knot/modules/authsignal/$(DEPDIR)/$(am__dirstamp)
knot/modules/cookies/libknotd_la-cookies.lo: \
knot/modules/cookies/$(am__dirstamp) \
knot/modules/cookies/$(DEPDIR)/$(am__dirstamp)
@@ -4034,6 +4077,8 @@ mostlyclean-compile:
-rm -f knot/events/handlers/*.lo
-rm -f knot/journal/*.$(OBJEXT)
-rm -f knot/journal/*.lo
+ -rm -f knot/modules/authsignal/*.$(OBJEXT)
+ -rm -f knot/modules/authsignal/*.lo
-rm -f knot/modules/cookies/*.$(OBJEXT)
-rm -f knot/modules/cookies/*.lo
-rm -f knot/modules/dnsproxy/*.$(OBJEXT)
@@ -4250,6 +4295,8 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@knot/journal/$(DEPDIR)/libknotd_la-journal_write.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@knot/journal/$(DEPDIR)/libknotd_la-knot_lmdb.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@knot/journal/$(DEPDIR)/libknotd_la-serialization.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@knot/modules/authsignal/$(DEPDIR)/la-authsignal.Plo@am__quote@ # am--include-marker
+@AMDEP_TRUE@@am__include@ @am__quote@knot/modules/authsignal/$(DEPDIR)/libknotd_la-authsignal.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@knot/modules/cookies/$(DEPDIR)/la-cookies.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@knot/modules/cookies/$(DEPDIR)/libknotd_la-cookies.Plo@am__quote@ # am--include-marker
@AMDEP_TRUE@@am__include@ @am__quote@knot/modules/dnsproxy/$(DEPDIR)/la-dnsproxy.Plo@am__quote@ # am--include-marker
@@ -4468,6 +4515,13 @@ am--depfiles: $(am__depfiles_remade)
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
+knot/modules/authsignal/la-authsignal.lo: knot/modules/authsignal/authsignal.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(knot_modules_authsignal_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT knot/modules/authsignal/la-authsignal.lo -MD -MP -MF knot/modules/authsignal/$(DEPDIR)/la-authsignal.Tpo -c -o knot/modules/authsignal/la-authsignal.lo `test -f 'knot/modules/authsignal/authsignal.c' || echo '$(srcdir)/'`knot/modules/authsignal/authsignal.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) knot/modules/authsignal/$(DEPDIR)/la-authsignal.Tpo knot/modules/authsignal/$(DEPDIR)/la-authsignal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='knot/modules/authsignal/authsignal.c' object='knot/modules/authsignal/la-authsignal.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(knot_modules_authsignal_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o knot/modules/authsignal/la-authsignal.lo `test -f 'knot/modules/authsignal/authsignal.c' || echo '$(srcdir)/'`knot/modules/authsignal/authsignal.c
+
knot/modules/cookies/la-cookies.lo: knot/modules/cookies/cookies.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(knot_modules_cookies_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT knot/modules/cookies/la-cookies.lo -MD -MP -MF knot/modules/cookies/$(DEPDIR)/la-cookies.Tpo -c -o knot/modules/cookies/la-cookies.lo `test -f 'knot/modules/cookies/cookies.c' || echo '$(srcdir)/'`knot/modules/cookies/cookies.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) knot/modules/cookies/$(DEPDIR)/la-cookies.Tpo knot/modules/cookies/$(DEPDIR)/la-cookies.Plo
@@ -6246,6 +6300,13 @@ knot/server/libknotd_la-quic-handler.lo: knot/server/quic-handler.c
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libknotd_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o knot/server/libknotd_la-quic-handler.lo `test -f 'knot/server/quic-handler.c' || echo '$(srcdir)/'`knot/server/quic-handler.c
+knot/modules/authsignal/libknotd_la-authsignal.lo: knot/modules/authsignal/authsignal.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libknotd_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT knot/modules/authsignal/libknotd_la-authsignal.lo -MD -MP -MF knot/modules/authsignal/$(DEPDIR)/libknotd_la-authsignal.Tpo -c -o knot/modules/authsignal/libknotd_la-authsignal.lo `test -f 'knot/modules/authsignal/authsignal.c' || echo '$(srcdir)/'`knot/modules/authsignal/authsignal.c
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) knot/modules/authsignal/$(DEPDIR)/libknotd_la-authsignal.Tpo knot/modules/authsignal/$(DEPDIR)/libknotd_la-authsignal.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='knot/modules/authsignal/authsignal.c' object='knot/modules/authsignal/libknotd_la-authsignal.lo' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libknotd_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o knot/modules/authsignal/libknotd_la-authsignal.lo `test -f 'knot/modules/authsignal/authsignal.c' || echo '$(srcdir)/'`knot/modules/authsignal/authsignal.c
+
knot/modules/cookies/libknotd_la-cookies.lo: knot/modules/cookies/cookies.c
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libknotd_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT knot/modules/cookies/libknotd_la-cookies.lo -MD -MP -MF knot/modules/cookies/$(DEPDIR)/libknotd_la-cookies.Tpo -c -o knot/modules/cookies/libknotd_la-cookies.lo `test -f 'knot/modules/cookies/cookies.c' || echo '$(srcdir)/'`knot/modules/cookies/cookies.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) knot/modules/cookies/$(DEPDIR)/libknotd_la-cookies.Tpo knot/modules/cookies/$(DEPDIR)/libknotd_la-cookies.Plo
@@ -6902,6 +6963,7 @@ clean-libtool:
-rm -rf knot/events/handlers/.libs knot/events/handlers/_libs
-rm -rf knot/journal/.libs knot/journal/_libs
-rm -rf knot/modules/.libs knot/modules/_libs
+ -rm -rf knot/modules/authsignal/.libs knot/modules/authsignal/_libs
-rm -rf knot/modules/cookies/.libs knot/modules/cookies/_libs
-rm -rf knot/modules/dnsproxy/.libs knot/modules/dnsproxy/_libs
-rm -rf knot/modules/dnstap/.libs knot/modules/dnstap/_libs
@@ -7289,6 +7351,8 @@ distclean-generic:
-rm -f knot/journal/$(DEPDIR)/$(am__dirstamp)
-rm -f knot/journal/$(am__dirstamp)
-rm -f knot/modules/$(am__dirstamp)
+ -rm -f knot/modules/authsignal/$(DEPDIR)/$(am__dirstamp)
+ -rm -f knot/modules/authsignal/$(am__dirstamp)
-rm -f knot/modules/cookies/$(DEPDIR)/$(am__dirstamp)
-rm -f knot/modules/cookies/$(am__dirstamp)
-rm -f knot/modules/dnsproxy/$(DEPDIR)/$(am__dirstamp)
@@ -7526,6 +7590,8 @@ distclean: distclean-recursive
-rm -f knot/journal/$(DEPDIR)/libknotd_la-journal_write.Plo
-rm -f knot/journal/$(DEPDIR)/libknotd_la-knot_lmdb.Plo
-rm -f knot/journal/$(DEPDIR)/libknotd_la-serialization.Plo
+ -rm -f knot/modules/authsignal/$(DEPDIR)/la-authsignal.Plo
+ -rm -f knot/modules/authsignal/$(DEPDIR)/libknotd_la-authsignal.Plo
-rm -f knot/modules/cookies/$(DEPDIR)/la-cookies.Plo
-rm -f knot/modules/cookies/$(DEPDIR)/libknotd_la-cookies.Plo
-rm -f knot/modules/dnsproxy/$(DEPDIR)/la-dnsproxy.Plo
@@ -7891,6 +7957,8 @@ maintainer-clean: maintainer-clean-recursive
-rm -f knot/journal/$(DEPDIR)/libknotd_la-journal_write.Plo
-rm -f knot/journal/$(DEPDIR)/libknotd_la-knot_lmdb.Plo
-rm -f knot/journal/$(DEPDIR)/libknotd_la-serialization.Plo
+ -rm -f knot/modules/authsignal/$(DEPDIR)/la-authsignal.Plo
+ -rm -f knot/modules/authsignal/$(DEPDIR)/libknotd_la-authsignal.Plo
-rm -f knot/modules/cookies/$(DEPDIR)/la-cookies.Plo
-rm -f knot/modules/cookies/$(DEPDIR)/libknotd_la-cookies.Plo
-rm -f knot/modules/dnsproxy/$(DEPDIR)/la-dnsproxy.Plo
diff --git a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_buf.h b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_buf.h
index 107d413..85b5f4d 100644
--- a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_buf.h
+++ b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_buf.h
@@ -36,7 +36,7 @@ typedef struct ngtcp2_buf {
uint8_t *begin;
/* end points to the one beyond of the last byte of the buffer */
uint8_t *end;
- /* pos pointers to the start of data. Typically, this points to the
+ /* pos points to the start of data. Typically, this points to the
point that next data should be read. Initially, it points to
|begin|. */
uint8_t *pos;
diff --git a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cc.c b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cc.c
index ef311ff..9ad37fb 100644
--- a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cc.c
+++ b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_cc.c
@@ -27,10 +27,6 @@
#include <assert.h>
#include <string.h>
-#if defined(_MSC_VER)
-# include <intrin.h>
-#endif
-
#include "ngtcp2_log.h"
#include "ngtcp2_macro.h"
#include "ngtcp2_mem.h"
@@ -235,39 +231,27 @@ void ngtcp2_cc_cubic_init(ngtcp2_cc_cubic *cubic, ngtcp2_log *log) {
}
uint64_t ngtcp2_cbrt(uint64_t n) {
- int d;
- uint64_t a;
-
- if (n == 0) {
- return 0;
- }
-
-#if defined(_MSC_VER)
- {
- unsigned long index;
-# if defined(_WIN64)
- if (_BitScanReverse64(&index, n)) {
- d = 61 - index;
- } else {
- ngtcp2_unreachable();
- }
-# else /* !defined(_WIN64) */
- if (_BitScanReverse(&index, (unsigned int)(n >> 32))) {
- d = 31 - index;
- } else {
- d = 32 + 31 - _BitScanReverse(&index, (unsigned int)n);
+ size_t s;
+ uint64_t y = 0;
+ uint64_t b;
+
+ for (s = 63; s > 0; s -= 3) {
+ y <<= 1;
+ b = 3 * y * (y + 1) + 1;
+ if ((n >> s) >= b) {
+ n -= b << s;
+ y++;
}
-# endif /* !defined(_WIN64) */
}
-#else /* !defined(_MSC_VER) */
- d = __builtin_clzll(n);
-#endif /* !defined(_MSC_VER) */
- a = 1ULL << ((64 - d) / 3 + 1);
- for (; a * a * a > n;) {
- a = (2 * a + n / a / a) / 3;
+ y <<= 1;
+ b = 3 * y * (y + 1) + 1;
+ if (n >= b) {
+ n -= b;
+ y++;
}
- return a;
+
+ return y;
}
/* HyStart++ constants */
diff --git a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conn.c b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conn.c
index a4873eb..c8caf47 100644
--- a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conn.c
+++ b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_conn.c
@@ -3441,12 +3441,22 @@ static ngtcp2_ssize conn_write_pkt(ngtcp2_conn *conn, ngtcp2_pkt_info *pi,
}
switch ((*pfrc)->fr.type) {
+ case NGTCP2_FRAME_RESET_STREAM:
+ strm =
+ ngtcp2_conn_find_stream(conn, (*pfrc)->fr.reset_stream.stream_id);
+ if (strm == NULL ||
+ !ngtcp2_strm_require_retransmit_reset_stream(strm)) {
+ frc = *pfrc;
+ *pfrc = (*pfrc)->next;
+ ngtcp2_frame_chain_objalloc_del(frc, &conn->frc_objalloc, conn->mem);
+ continue;
+ }
+ break;
case NGTCP2_FRAME_STOP_SENDING:
strm =
ngtcp2_conn_find_stream(conn, (*pfrc)->fr.stop_sending.stream_id);
if (strm == NULL ||
- ((strm->flags & NGTCP2_STRM_FLAG_SHUT_RD) &&
- ngtcp2_strm_rx_offset(strm) == strm->rx.last_offset)) {
+ !ngtcp2_strm_require_retransmit_stop_sending(strm)) {
frc = *pfrc;
*pfrc = (*pfrc)->next;
ngtcp2_frame_chain_objalloc_del(frc, &conn->frc_objalloc, conn->mem);
@@ -3476,10 +3486,8 @@ static ngtcp2_ssize conn_write_pkt(ngtcp2_conn *conn, ngtcp2_pkt_info *pi,
case NGTCP2_FRAME_MAX_STREAM_DATA:
strm = ngtcp2_conn_find_stream(conn,
(*pfrc)->fr.max_stream_data.stream_id);
- if (strm == NULL ||
- (strm->flags &
- (NGTCP2_STRM_FLAG_SHUT_RD | NGTCP2_STRM_FLAG_STOP_SENDING)) ||
- (*pfrc)->fr.max_stream_data.max_stream_data < strm->rx.max_offset) {
+ if (strm == NULL || !ngtcp2_strm_require_retransmit_max_stream_data(
+ strm, &(*pfrc)->fr.max_stream_data)) {
frc = *pfrc;
*pfrc = (*pfrc)->next;
ngtcp2_frame_chain_objalloc_del(frc, &conn->frc_objalloc, conn->mem);
@@ -3497,8 +3505,8 @@ static ngtcp2_ssize conn_write_pkt(ngtcp2_conn *conn, ngtcp2_pkt_info *pi,
case NGTCP2_FRAME_STREAM_DATA_BLOCKED:
strm = ngtcp2_conn_find_stream(
conn, (*pfrc)->fr.stream_data_blocked.stream_id);
- if (strm == NULL || (strm->flags & NGTCP2_STRM_FLAG_SHUT_WR) ||
- (*pfrc)->fr.stream_data_blocked.offset != strm->tx.max_offset) {
+ if (strm == NULL || !ngtcp2_strm_require_retransmit_stream_data_blocked(
+ strm, &(*pfrc)->fr.stream_data_blocked)) {
frc = *pfrc;
*pfrc = (*pfrc)->next;
ngtcp2_frame_chain_objalloc_del(frc, &conn->frc_objalloc, conn->mem);
@@ -7145,7 +7153,7 @@ static int conn_recv_stream(ngtcp2_conn *conn, const ngtcp2_stream *fr) {
return rv;
}
}
- } else if (fr->datacnt) {
+ } else if (fr->datacnt && !(strm->flags & NGTCP2_STRM_FLAG_STOP_SENDING)) {
rv = ngtcp2_strm_recv_reordering(strm, fr->data[0].base, fr->data[0].len,
fr->offset);
if (rv != 0) {
@@ -7304,27 +7312,20 @@ static int conn_recv_reset_stream(ngtcp2_conn *conn,
}
/* Stream is reset before we create ngtcp2_strm object. */
- conn->rx.offset += fr->final_size;
- ngtcp2_conn_extend_max_offset(conn, fr->final_size);
-
- rv = conn_call_stream_reset(conn, fr->stream_id, fr->final_size,
- fr->app_error_code, NULL);
+ strm = ngtcp2_objalloc_strm_get(&conn->strm_objalloc);
+ if (strm == NULL) {
+ return NGTCP2_ERR_NOMEM;
+ }
+ rv = ngtcp2_conn_init_stream(conn, strm, fr->stream_id, NULL);
if (rv != 0) {
+ ngtcp2_objalloc_strm_release(&conn->strm_objalloc, strm);
return rv;
}
- /* There will be no activity in this stream because we got
- RESET_STREAM and don't write stream data any further. This
- effectively allows another new stream for peer. */
- if (bidi) {
- handle_max_remote_streams_extension(&conn->remote.bidi.unsent_max_streams,
- 1);
- } else {
- handle_max_remote_streams_extension(&conn->remote.uni.unsent_max_streams,
- 1);
+ rv = conn_call_stream_open(conn, strm);
+ if (rv != 0) {
+ return rv;
}
-
- return 0;
}
if ((strm->flags & NGTCP2_STRM_FLAG_SHUT_RD)) {
@@ -7461,15 +7462,16 @@ static int conn_recv_stop_sending(ngtcp2_conn *conn,
been acknowledged. */
if (!ngtcp2_strm_is_all_tx_data_fin_acked(strm) &&
!(strm->flags & NGTCP2_STRM_FLAG_RESET_STREAM)) {
+ strm->flags |= NGTCP2_STRM_FLAG_RESET_STREAM;
+
rv = conn_reset_stream(conn, strm, fr->app_error_code);
if (rv != 0) {
return rv;
}
}
- strm->flags |= NGTCP2_STRM_FLAG_SHUT_WR |
- NGTCP2_STRM_FLAG_STOP_SENDING_RECVED |
- NGTCP2_STRM_FLAG_RESET_STREAM;
+ strm->flags |=
+ NGTCP2_STRM_FLAG_SHUT_WR | NGTCP2_STRM_FLAG_STOP_SENDING_RECVED;
ngtcp2_strm_streamfrq_clear(strm);
@@ -12533,14 +12535,15 @@ static int conn_shutdown_stream_read(ngtcp2_conn *conn, ngtcp2_strm *strm,
/* Extend connection flow control window for the amount of data
which are not passed to application. */
- if (!(strm->flags & (NGTCP2_STRM_FLAG_STOP_SENDING |
- NGTCP2_STRM_FLAG_RESET_STREAM_RECVED))) {
+ if (!(strm->flags & NGTCP2_STRM_FLAG_RESET_STREAM_RECVED)) {
ngtcp2_conn_extend_max_offset(conn, strm->rx.last_offset -
ngtcp2_strm_rx_offset(strm));
}
strm->flags |= NGTCP2_STRM_FLAG_STOP_SENDING;
+ ngtcp2_strm_discard_reordered_data(strm);
+
return conn_stop_sending(conn, strm, app_error_code);
}
diff --git a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_crypto.c b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_crypto.c
index 2c00af5..0a3ecf6 100644
--- a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_crypto.c
+++ b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_crypto.c
@@ -124,6 +124,25 @@ static uint8_t *write_varint_param(uint8_t *p, ngtcp2_transport_param_id id,
}
/*
+ * zero_paramlen returns the length of a single transport parameter
+ * which has zero length value in its parameter.
+ */
+static size_t zero_paramlen(ngtcp2_transport_param_id id) {
+ return ngtcp2_put_uvarintlen(id) + 1;
+}
+
+/*
+ * write_zero_param writes parameter |id| that has zero length value.
+ * It returns p + the number of bytes written.
+ */
+static uint8_t *write_zero_param(uint8_t *p, ngtcp2_transport_param_id id) {
+ p = ngtcp2_put_uvarint(p, id);
+ *p++ = 0;
+
+ return p;
+}
+
+/*
* cid_paramlen returns the length of a single transport parameter
* which has |cid| as value.
*/
@@ -235,9 +254,7 @@ ngtcp2_ssize ngtcp2_transport_params_encode_versioned(
params->ack_delay_exponent);
}
if (params->disable_active_migration) {
- len +=
- ngtcp2_put_uvarintlen(NGTCP2_TRANSPORT_PARAM_DISABLE_ACTIVE_MIGRATION) +
- ngtcp2_put_uvarintlen(0);
+ len += zero_paramlen(NGTCP2_TRANSPORT_PARAM_DISABLE_ACTIVE_MIGRATION);
}
if (params->max_ack_delay != NGTCP2_DEFAULT_MAX_ACK_DELAY) {
len += varint_paramlen(NGTCP2_TRANSPORT_PARAM_MAX_ACK_DELAY,
@@ -258,8 +275,7 @@ ngtcp2_ssize ngtcp2_transport_params_encode_versioned(
params->max_datagram_frame_size);
}
if (params->grease_quic_bit) {
- len += ngtcp2_put_uvarintlen(NGTCP2_TRANSPORT_PARAM_GREASE_QUIC_BIT) +
- ngtcp2_put_uvarintlen(0);
+ len += zero_paramlen(NGTCP2_TRANSPORT_PARAM_GREASE_QUIC_BIT);
}
if (params->version_info_present) {
version_infolen =
@@ -377,8 +393,7 @@ ngtcp2_ssize ngtcp2_transport_params_encode_versioned(
}
if (params->disable_active_migration) {
- p = ngtcp2_put_uvarint(p, NGTCP2_TRANSPORT_PARAM_DISABLE_ACTIVE_MIGRATION);
- p = ngtcp2_put_uvarint(p, 0);
+ p = write_zero_param(p, NGTCP2_TRANSPORT_PARAM_DISABLE_ACTIVE_MIGRATION);
}
if (params->max_ack_delay != NGTCP2_DEFAULT_MAX_ACK_DELAY) {
@@ -404,8 +419,7 @@ ngtcp2_ssize ngtcp2_transport_params_encode_versioned(
}
if (params->grease_quic_bit) {
- p = ngtcp2_put_uvarint(p, NGTCP2_TRANSPORT_PARAM_GREASE_QUIC_BIT);
- p = ngtcp2_put_uvarint(p, 0);
+ p = write_zero_param(p, NGTCP2_TRANSPORT_PARAM_GREASE_QUIC_BIT);
}
if (params->version_info_present) {
@@ -483,6 +497,22 @@ static int decode_varint_param(uint64_t *pdest, const uint8_t **pp,
}
/*
+ * decode_zero_param decodes zero length value from the buffer pointed
+ * by |*pp| of length |end - *pp|. The length is encoded in varint
+ * form. If it decodes zero length value successfully, it increments
+ * |*pp| by 1, and returns 0. Otherwise it returns -1.
+ */
+static int decode_zero_param(const uint8_t **pp, const uint8_t *end) {
+ if (*pp == end || **pp != 0) {
+ return -1;
+ }
+
+ ++*pp;
+
+ return 0;
+}
+
+/*
* decode_cid_param decodes length prefixed ngtcp2_cid from the buffer
* pointed by |*pp| of length |end - *pp|. The length is encoded in
* varint form. If it decodes a value successfully, it stores the
@@ -701,10 +731,7 @@ int ngtcp2_transport_params_decode_versioned(int transport_params_version,
params->preferred_addr_present = 1;
break;
case NGTCP2_TRANSPORT_PARAM_DISABLE_ACTIVE_MIGRATION:
- if (decode_varint(&valuelen, &p, end) != 0) {
- return NGTCP2_ERR_MALFORMED_TRANSPORT_PARAM;
- }
- if (valuelen != 0) {
+ if (decode_zero_param(&p, end) != 0) {
return NGTCP2_ERR_MALFORMED_TRANSPORT_PARAM;
}
params->disable_active_migration = 1;
@@ -751,10 +778,7 @@ int ngtcp2_transport_params_decode_versioned(int transport_params_version,
}
break;
case NGTCP2_TRANSPORT_PARAM_GREASE_QUIC_BIT:
- if (decode_varint(&valuelen, &p, end) != 0) {
- return NGTCP2_ERR_MALFORMED_TRANSPORT_PARAM;
- }
- if (valuelen != 0) {
+ if (decode_zero_param(&p, end) != 0) {
return NGTCP2_ERR_MALFORMED_TRANSPORT_PARAM;
}
params->grease_quic_bit = 1;
diff --git a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rtb.c b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rtb.c
index 6308261..5ebdce7 100644
--- a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rtb.c
+++ b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_rtb.c
@@ -237,7 +237,7 @@ static ngtcp2_ssize rtb_reclaim_frame(ngtcp2_rtb *rtb, uint8_t flags,
switch (frc->fr.type) {
case NGTCP2_FRAME_STREAM:
strm = ngtcp2_conn_find_stream(conn, fr->stream.stream_id);
- if (strm == NULL) {
+ if (strm == NULL || (strm->flags & NGTCP2_STRM_FLAG_RESET_STREAM)) {
continue;
}
@@ -339,26 +339,60 @@ static ngtcp2_ssize rtb_reclaim_frame(ngtcp2_rtb *rtb, uint8_t flags,
return rv;
}
- break;
+ ++num_reclaimed;
+
+ nfrc->next = *pfrc;
+ *pfrc = nfrc;
+ pfrc = &nfrc->next;
+
+ continue;
case NGTCP2_FRAME_DATAGRAM:
case NGTCP2_FRAME_DATAGRAM_LEN:
continue;
- default:
- rv = ngtcp2_frame_chain_objalloc_new(&nfrc, rtb->frc_objalloc);
- if (rv != 0) {
- return rv;
+ case NGTCP2_FRAME_RESET_STREAM:
+ strm = ngtcp2_conn_find_stream(conn, fr->reset_stream.stream_id);
+ if (strm == NULL || !ngtcp2_strm_require_retransmit_reset_stream(strm)) {
+ continue;
}
- nfrc->fr = *fr;
+ break;
+ case NGTCP2_FRAME_STOP_SENDING:
+ strm = ngtcp2_conn_find_stream(conn, fr->stop_sending.stream_id);
+ if (strm == NULL || !ngtcp2_strm_require_retransmit_stop_sending(strm)) {
+ continue;
+ }
- rv = ngtcp2_bind_frame_chains(frc, nfrc, rtb->mem);
- if (rv != 0) {
- return rv;
+ break;
+ case NGTCP2_FRAME_MAX_STREAM_DATA:
+ strm = ngtcp2_conn_find_stream(conn, fr->max_stream_data.stream_id);
+ if (strm == NULL || !ngtcp2_strm_require_retransmit_max_stream_data(
+ strm, &fr->max_stream_data)) {
+ continue;
+ }
+
+ break;
+ case NGTCP2_FRAME_STREAM_DATA_BLOCKED:
+ strm = ngtcp2_conn_find_stream(conn, fr->stream_data_blocked.stream_id);
+ if (strm == NULL || !ngtcp2_strm_require_retransmit_stream_data_blocked(
+ strm, &fr->stream_data_blocked)) {
+ continue;
}
break;
}
+ rv = ngtcp2_frame_chain_objalloc_new(&nfrc, rtb->frc_objalloc);
+ if (rv != 0) {
+ return rv;
+ }
+
+ nfrc->fr = *fr;
+
+ rv = ngtcp2_bind_frame_chains(frc, nfrc, rtb->mem);
+ if (rv != 0) {
+ return rv;
+ }
+
++num_reclaimed;
nfrc->next = *pfrc;
diff --git a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.c b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.c
index 6bbeb8f..c00e86f 100644
--- a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.c
+++ b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.c
@@ -158,6 +158,18 @@ void ngtcp2_strm_update_rx_offset(ngtcp2_strm *strm, uint64_t offset) {
ngtcp2_rob_remove_prefix(strm->rx.rob, offset);
}
+void ngtcp2_strm_discard_reordered_data(ngtcp2_strm *strm) {
+ if (strm->rx.rob == NULL) {
+ return;
+ }
+
+ strm->rx.cont_offset = ngtcp2_strm_rx_offset(strm);
+
+ ngtcp2_rob_free(strm->rx.rob);
+ ngtcp2_mem_free(strm->mem, strm->rx.rob);
+ strm->rx.rob = NULL;
+}
+
void ngtcp2_strm_shutdown(ngtcp2_strm *strm, uint32_t flags) {
strm->flags |= flags & NGTCP2_STRM_FLAG_SHUT_RDWR;
}
@@ -696,3 +708,25 @@ void ngtcp2_strm_set_app_error_code(ngtcp2_strm *strm,
strm->flags |= NGTCP2_STRM_FLAG_APP_ERROR_CODE_SET;
strm->app_error_code = app_error_code;
}
+
+int ngtcp2_strm_require_retransmit_reset_stream(ngtcp2_strm *strm) {
+ return !ngtcp2_strm_is_all_tx_data_fin_acked(strm);
+}
+
+int ngtcp2_strm_require_retransmit_stop_sending(ngtcp2_strm *strm) {
+ return !(strm->flags & NGTCP2_STRM_FLAG_SHUT_RD) ||
+ ngtcp2_strm_rx_offset(strm) != strm->rx.last_offset;
+}
+
+int ngtcp2_strm_require_retransmit_max_stream_data(ngtcp2_strm *strm,
+ ngtcp2_max_stream_data *fr) {
+ return fr->max_stream_data == strm->rx.max_offset &&
+ !(strm->flags &
+ (NGTCP2_STRM_FLAG_SHUT_RD | NGTCP2_STRM_FLAG_STOP_SENDING));
+}
+
+int ngtcp2_strm_require_retransmit_stream_data_blocked(
+ ngtcp2_strm *strm, ngtcp2_stream_data_blocked *fr) {
+ return fr->offset == strm->tx.max_offset &&
+ !(strm->flags & NGTCP2_STRM_FLAG_SHUT_WR);
+}
diff --git a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.h b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.h
index 223e38f..385302a 100644
--- a/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.h
+++ b/src/contrib/libngtcp2/ngtcp2/lib/ngtcp2_strm.h
@@ -36,6 +36,7 @@
#include "ngtcp2_gaptr.h"
#include "ngtcp2_ksl.h"
#include "ngtcp2_pq.h"
+#include "ngtcp2_pkt.h"
typedef struct ngtcp2_frame_chain ngtcp2_frame_chain;
@@ -220,6 +221,12 @@ int ngtcp2_strm_recv_reordering(ngtcp2_strm *strm, const uint8_t *data,
void ngtcp2_strm_update_rx_offset(ngtcp2_strm *strm, uint64_t offset);
/*
+ * ngtcp2_strm_discard_reordered_data discards all buffered reordered
+ * data.
+ */
+void ngtcp2_strm_discard_reordered_data(ngtcp2_strm *strm);
+
+/*
* ngtcp2_strm_shutdown shutdowns |strm|. |flags| should be
* NGTCP2_STRM_FLAG_SHUT_RD, and/or NGTCP2_STRM_FLAG_SHUT_WR.
*/
@@ -320,4 +327,30 @@ int ngtcp2_strm_ack_data(ngtcp2_strm *strm, uint64_t offset, uint64_t len);
*/
void ngtcp2_strm_set_app_error_code(ngtcp2_strm *strm, uint64_t app_error_code);
+/*
+ * ngtcp2_strm_require_retransmit_reset_stream returns nonzero if
+ * RESET_STREAM frame should be retransmitted.
+ */
+int ngtcp2_strm_require_retransmit_reset_stream(ngtcp2_strm *strm);
+
+/*
+ * ngtcp2_strm_require_retransmit_stop_sending returns nonzero if
+ * STOP_SENDING frame should be retransmitted.
+ */
+int ngtcp2_strm_require_retransmit_stop_sending(ngtcp2_strm *strm);
+
+/*
+ * ngtcp2_strm_require_retransmit_max_stream_data returns nonzero if
+ * MAX_STREAM_DATA frame should be retransmitted.
+ */
+int ngtcp2_strm_require_retransmit_max_stream_data(ngtcp2_strm *strm,
+ ngtcp2_max_stream_data *fr);
+
+/*
+ * ngtcp2_strm_require_retransmit_stream_data_blocked returns nonzero
+ * if STREAM_DATA_BLOCKED frame frame should be retransmitted.
+ */
+int ngtcp2_strm_require_retransmit_stream_data_blocked(
+ ngtcp2_strm *strm, ngtcp2_stream_data_blocked *fr);
+
#endif /* NGTCP2_STRM_H */
diff --git a/src/contrib/libngtcp2/ngtcp2/version.h b/src/contrib/libngtcp2/ngtcp2/version.h
index b102eae..801c6cb 100644
--- a/src/contrib/libngtcp2/ngtcp2/version.h
+++ b/src/contrib/libngtcp2/ngtcp2/version.h
@@ -36,7 +36,7 @@
*
* Version number of the ngtcp2 library release.
*/
-#define NGTCP2_VERSION "1.2.0"
+#define NGTCP2_VERSION "1.3.0"
/**
* @macro
@@ -46,6 +46,6 @@
* number, 8 bits for minor and 8 bits for patch. Version 1.2.3
* becomes 0x010203.
*/
-#define NGTCP2_VERSION_NUM 0x010200
+#define NGTCP2_VERSION_NUM 0x010300
#endif /* VERSION_H */
diff --git a/src/knot/Makefile.inc b/src/knot/Makefile.inc
index 3a20ec1..f67fe7f 100644
--- a/src/knot/Makefile.inc
+++ b/src/knot/Makefile.inc
@@ -239,6 +239,7 @@ KNOTD_MOD_LDFLAGS = $(AM_LDFLAGS) -module -shared -avoid-version
pkglibdir = $(module_instdir)
pkglib_LTLIBRARIES =
+include $(srcdir)/knot/modules/authsignal/Makefile.inc
include $(srcdir)/knot/modules/cookies/Makefile.inc
include $(srcdir)/knot/modules/dnsproxy/Makefile.inc
include $(srcdir)/knot/modules/dnstap/Makefile.inc
diff --git a/src/knot/dnssec/kasp/kasp_zone.c b/src/knot/dnssec/kasp/kasp_zone.c
index 58925fa..e70f21d 100644
--- a/src/knot/dnssec/kasp/kasp_zone.c
+++ b/src/knot/dnssec/kasp/kasp_zone.c
@@ -382,7 +382,7 @@ int kasp_zone_keys_from_rr(knot_kasp_zone_t *zone,
zone->keys[i].is_pub_only = true;
zone->keys[i].is_ksk = (knot_dnskey_flags(zkey) == DNSKEY_FLAGS_KSK);
- zone->keys[i].is_zsk = policy_single_type_signing || !zone->keys[i].is_ksk;
+ zone->keys[i].is_zsk = true; // doesn't hurt in case of validation, any KSK might behave like ZSK that is published but not active
zone->keys[i].timing.publish = 1;
zone->keys[i].timing.active = 1;
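Review bot: The justification for unconditionally setting `is_zsk = true` is a trailing comment that runs far past the line width and reads as an aside rather than as the precondition it is; it should move above the assignment and name the assumption, e.g. `/* Keys built from DNSKEY RRs are used for validation only: treat every key as ZSK-capable, since a published-but-inactive KSK may sign like a ZSK. */`. If `policy_single_type_signing` was consumed only on the removed line it may now be an unused local (or an unused parameter) — worth confirming, since the enclosing function starts outside the hunk.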
diff --git a/src/knot/dnssec/key-events.c b/src/knot/dnssec/key-events.c
index ffd2ce8..ace48d5 100644
--- a/src/knot/dnssec/key-events.c
+++ b/src/knot/dnssec/key-events.c
@@ -293,7 +293,8 @@ typedef enum {
typedef struct {
roll_action_type_t type;
- bool ksk;
+ bool ksk; // These flags seem redundant, but are needed to avoid ASAN
+ bool zsk; // heap-use-after-free if the key is accessed directly during key generation.
knot_time_t time;
knot_kasp_key_t *key;
uint16_t ready_keytag;
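Review bot: The new `zsk` field is explained by a comment split across the trailing positions of two members, and the important part — that `key` may be dangling and must not be dereferenced for a GENERATE action — is only implied. A block comment above `ksk`/`zsk` would carry the invariant explicitly, e.g. `/* ksk/zsk duplicate key->is_ksk/is_zsk on purpose: after a GENERATE action key may point at freed memory (ASAN heap-use-after-free), so readers must use these flags instead of key-> for that action type. */`. The struct's typedef name is outside the hunk.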
@@ -525,6 +526,7 @@ static roll_action_t next_action(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flag
if (knot_time_cmp(keytime, res.time) < 0) {
res.key = key;
res.ksk = key->is_ksk;
+ res.zsk = key->is_zsk;
res.time = keytime;
res.type = restype;
}
@@ -679,6 +681,28 @@ static int exec_really_remove(kdnssec_ctx_t *ctx, knot_kasp_key_t *key)
return kdnssec_delete_key(ctx, key);
}
+static void log_next_event(kdnssec_ctx_t *ctx, roll_action_t *next)
+{
+ char time_str[64] = "";
+ struct tm time_gm = { 0 };
+ time_t nt = next->time;
+ localtime_r(&nt, &time_gm);
+ strftime(time_str, sizeof(time_str), KNOT_LOG_TIME_FORMAT, &time_gm);
+
+ if (next->type == GENERATE) {
+ const char *key_type = ctx->policy->single_type_signing ?
+ "CSK" : (next->ksk ? "KSK" : "ZSK");
+ log_zone_info(ctx->zone->dname, "DNSSEC, next key action, %s, generate at %s",
+ key_type, time_str);
+ } else {
+ const char *key_type = next->ksk ?
+ (next->zsk ? "CSK" : "KSK") : "ZSK";
+ log_zone_info(ctx->zone->dname, "DNSSEC, next key action, %s tag %hu, %s at %s",
+ key_type, dnssec_key_get_keytag(next->key->key),
+ roll_action_name(next->type), time_str);
+ }
+}
+
int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
zone_sign_reschedule_t *reschedule)
{
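Review bot: In `log_next_event` the `struct tm time_gm` is filled by `localtime_r`, so its name states the opposite of what it holds; `struct tm time_local = { 0 };` (or switching to `gmtime_r` if UTC was intended) removes the ambiguity. The unchecked `strftime` return is acceptable because `time_str` is pre-zeroed, but a short comment, `// time_str stays "" if formatting fails`, saves the reader the check. Passing `next->time` through a `time_t` copy is correct for `localtime_r`, which needs a real `time_t *`; a one-word comment there would make that non-obvious detail explicit.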
@@ -848,6 +872,10 @@ int knot_dnssec_key_rollover(kdnssec_ctx_t *ctx, zone_sign_roll_flags_t flags,
return knot_dnssec_key_rollover(ctx, flags, reschedule);
}
+ if (ret == KNOT_EOK && next.time > 0) {
+ log_next_event(ctx, &next);
+ }
+
if (ret == KNOT_EOK && reschedule->keys_changed) {
ret = kdnssec_ctx_commit(ctx);
if (ret == KNOT_EOK && (ctx->dbus_event & DBUS_EVENT_KEYS_UPDATED)) {
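Review bot: The "next key action" line is logged before the `kdnssec_ctx_commit` block and irrespective of its outcome, so on a commit failure the log advertises a schedule that was never persisted. Placing the `log_next_event(ctx, &next);` call after the commit, or guarding it with the commit's `ret`, keeps the log consistent with stored state; `knot_dnssec_key_rollover` continues past the hunk.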
diff --git a/src/knot/dnssec/zone-sign.c b/src/knot/dnssec/zone-sign.c
index 9293c02..62f809e 100644
--- a/src/knot/dnssec/zone-sign.c
+++ b/src/knot/dnssec/zone-sign.c
@@ -89,6 +89,9 @@ static bool apex_dnssec_changed(zone_update_t *update)
/*- private API - signing of in-zone nodes -----------------------------------*/
+#define VALID_SIG_FOUND (1 << 7)
+#define VALID_KEYTAG_LIMIT 3
+
/*!
* \brief Check if there is a valid signature for a given RR set and key.
*
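Review bot: The two new macros define a packed per-RRSIG byte — bit 7 flags "a valid signature was found", bits 0–6 count failed matches — but nothing documents that layout, and the counter is advanced with a plain `++invalid_map[i]` in the `valid_signature_exists` hunk below, so more than 127 failed matches at one RRSIG position (the keys are scanned per position across all zone keys) would carry into the flag bit. Suggest `/* Per-RRSIG byte: bit 7 = valid signature found, bits 0-6 = count of failed RRSIG/key matches. */` above the defines, and a saturating increment, `if ((invalid_map[i] & ~VALID_SIG_FOUND) < VALID_SIG_FOUND - 1) invalid_map[i]++;`, before the limit test. If the early `return found_valid` there is meant to stop further verification work, comparing with `>= VALID_KEYTAG_LIMIT` rather than `==` makes later keys stop as well.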
@@ -99,7 +102,8 @@ static bool apex_dnssec_changed(zone_update_t *update)
* \param policy DNSSEC policy.
* \param skip_crypto All RRSIGs in this node have been verified, just check validity.
* \param refresh Consider RRSIG expired when gonna expire this soon.
- * \param found_invalid Out: some matching but expired%invalid RRSIG found.
+ * \param invalid_map Out: found valid (bit VALID_SIG_FOUND) and invalid count
+ * positions of RRSIG with matching algo+keytag+type.
* \param at Out: RRSIG position.
*
* \return The signature exists and is valid.
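Review bot: `\param invalid_map Out:` is no longer accurate: the array is caller-allocated with one byte per RRSIG in `rrsigs`, must be zeroed, and is accumulated across successive calls for different keys rather than written fresh, which is how `knot_validate_rrsigs` uses it later in this patch. Suggest `\param invalid_map In/Out: caller-zeroed array of rrsigs->rrs.count bytes; for each RRSIG matching algo+keytag+type, bit VALID_SIG_FOUND is set when it verified and the low bits count failed verifications (accumulated over calls).`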
@@ -111,7 +115,7 @@ static bool valid_signature_exists(const knot_rrset_t *covered,
const kdnssec_ctx_t *dnssec_ctx,
knot_timediff_t refresh,
bool skip_crypto,
- int *found_invalid,
+ uint8_t *invalid_map,
uint16_t *at)
{
assert(key);
@@ -141,13 +145,16 @@ static bool valid_signature_exists(const knot_rrset_t *covered,
if (at != NULL) {
*at = i;
}
- if (found_invalid == NULL) {
+ if (invalid_map == NULL) {
return true;
} else {
+ invalid_map[i] |= VALID_SIG_FOUND;
found_valid = true; // continue searching for invalid RRSIG
}
- } else if (found_invalid != NULL) {
- *found_invalid = ret;
+ } else if (invalid_map != NULL) {
+ if ((++invalid_map[i] & ~VALID_SIG_FOUND) == VALID_KEYTAG_LIMIT) {
+ return found_valid;
+ }
}
}
@@ -305,8 +312,10 @@ int knot_validate_rrsigs(const knot_rrset_t *covered,
return KNOT_EINVAL;
}
+ uint8_t val_inval_map[1 + rrsigs->rrs.count]; // Ensure the size isn't 0 (UBSAN).
+ memset(val_inval_map, 0, sizeof(val_inval_map));
+
bool valid_exists = false;
- int ret = KNOT_EOK;
for (size_t i = 0; i < sign_ctx->count; i++) {
const knot_kasp_key_t *key = &sign_ctx->dnssec_ctx->zone->keys[i];
if (!key_used(key->is_ksk, key->is_zsk, covered->type,
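Review bot: `val_inval_map` is a stack VLA sized by `rrsigs->rrs.count`, a value taken from zone data; if that count is a 16-bit field the frame is bounded at 64 KiB, which is tolerable here, but the bound deserves stating next to the existing UBSAN remark, e.g. `// VLA bounded by the 16-bit RR count (<= 64 KiB of stack).` If the field is wider than 16 bits, a heap allocation with a size cap should replace the VLA; `knot_validate_rrsigs` continues past the hunk.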
@@ -316,12 +325,21 @@ int knot_validate_rrsigs(const knot_rrset_t *covered,
uint16_t valid_at;
if (valid_signature_exists(covered, rrsigs, key->key, sign_ctx->sign_ctxs[i],
- sign_ctx->dnssec_ctx, 0, skip_crypto, &ret, &valid_at)) {
+ sign_ctx->dnssec_ctx, 0, skip_crypto, val_inval_map, &valid_at)) {
valid_exists = true;
}
}
- return valid_exists ? ret : KNOT_DNSSEC_ENOSIG;
+ for (int i = 0; i < rrsigs->rrs.count; i++) {
+ uint8_t val = val_inval_map[i];
+ if (val > 0 && val < VALID_KEYTAG_LIMIT /* found invalid && not found valid */) {
+ return KNOT_DNSSEC_ENOSIG;
+ } else if ((val & ~VALID_SIG_FOUND) >= VALID_KEYTAG_LIMIT) {
+ return KNOT_DNSSEC_EKEYTAG_LIMIT;
+ }
+ }
+
+ return valid_exists ? KNOT_EOK : KNOT_DNSSEC_ENOSIG;
}
/*!
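Review bot: The result loop returns on the first position in array order, so an RRSIG position with one or two failed matches and no valid signature that precedes a position that reached `VALID_KEYTAG_LIMIT` yields `KNOT_DNSSEC_ENOSIG` and hides the more specific `KNOT_DNSSEC_EKEYTAG_LIMIT`, which `semantic-check.c` maps to its own message in this patch. A first pass over the map for the limit condition, followed by the existing loop for the ENOSIG case, reports the cause an operator can act on. The loop counter `int i` against `rrsigs->rrs.count` is fine if count is 16-bit; `uint16_t i` would make that explicit.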
diff --git a/src/knot/include/module.h b/src/knot/include/module.h
index 3ee1581..15a9077 100644
--- a/src/knot/include/module.h
+++ b/src/knot/include/module.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -487,6 +487,20 @@ const knot_dname_t *knotd_qdata_zone_name(const knotd_qdata_t *qdata);
*/
knot_rrset_t knotd_qdata_zone_apex_rrset(const knotd_qdata_t *qdata, uint16_t type);
+/*!
+ * Gets a rrset of the given type.
+ *
+ * \param[in] qdata Query data.
+ * \param[in] zone_name Optional zone name, the current one otherwise.
+ * \param[in] node_name Optional node name, apex otherwise.
+ * \param[out] out Destination rrset to store the output to.
+ *
+ * \return Error code (KNOT_ENOZONE, KNOT_EEMPTYZONE, KNOT_ENONODE), KNOT_EOK if success.
+ */
+int knotd_qdata_zone_rrset(const knotd_qdata_t *qdata, const knot_dname_t *zone_name,
+ const knot_dname_t *node_name, uint16_t type,
+ knot_rrset_t *out);
+
/*! General query processing states. */
typedef enum {
KNOTD_STATE_NOOP = 0, /*!< No response. */
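Review bot: The new doc block for `knotd_qdata_zone_rrset` omits the `type` parameter and does not say what `out` refers to after success. Add `\param[in] type RR type to look up.` and, since the implementation in `query_module.c` assigns the node's rrset directly, a note such as `\note On success, out is a shallow view into the zone contents, valid only for the duration of the query; do not free it.` — that lifetime claim is inferred from the `node_rrset` call and should be confirmed before it goes into the public header.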
diff --git a/src/knot/modules/authsignal/Makefile.inc b/src/knot/modules/authsignal/Makefile.inc
new file mode 100644
index 0000000..89c9683
--- /dev/null
+++ b/src/knot/modules/authsignal/Makefile.inc
@@ -0,0 +1,12 @@
+knot_modules_authsignal_la_SOURCES = knot/modules/authsignal/authsignal.c
+EXTRA_DIST += knot/modules/authsignal/authsignal.rst
+
+if STATIC_MODULE_authsignal
+libknotd_la_SOURCES += $(knot_modules_authsignal_la_SOURCES)
+endif
+
+if SHARED_MODULE_authsignal
+knot_modules_authsignal_la_LDFLAGS = $(KNOTD_MOD_LDFLAGS)
+knot_modules_authsignal_la_CPPFLAGS = $(KNOTD_MOD_CPPFLAGS)
+pkglib_LTLIBRARIES += knot/modules/authsignal.la
+endif
diff --git a/src/knot/modules/authsignal/authsignal.c b/src/knot/modules/authsignal/authsignal.c
new file mode 100644
index 0000000..2f8cf0b
--- /dev/null
+++ b/src/knot/modules/authsignal/authsignal.c
@@ -0,0 +1,88 @@
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+#include "knot/include/module.h"
+
+static knotd_in_state_t signal_query(knotd_in_state_t state, knot_pkt_t *pkt,
+ knotd_qdata_t *qdata, knotd_mod_t *mod)
+{
+ assert(pkt && qdata && mod);
+
+ // Applicable when search in zone fails.
+ if (!(state == KNOTD_IN_STATE_MISS || state == KNOTD_IN_STATE_NODATA)) {
+ return state;
+ }
+
+ const unsigned name_len = knot_dname_size(qdata->name);
+
+ // Check for prefix mismatch.
+ const char *prefix = "\x07_dsboot";
+ const size_t prefix_len = 8;
+ if (name_len < prefix_len || memcmp(qdata->name, prefix, prefix_len) != 0) {
+ // promote NXDOMAIN to NODATA to accommodate synthesis below (= may be ENT)
+ qdata->rcode = KNOT_RCODE_NOERROR;
+ return KNOTD_IN_STATE_NODATA;
+ }
+
+ // Check for qtype match
+ const uint16_t qtype = knot_pkt_qtype(qdata->query);
+ if (!(qtype == KNOT_RRTYPE_CDS || qtype == KNOT_RRTYPE_CDNSKEY)) {
+ // promote NXDOMAIN to NODATA to accommodate CDS/CDNSKEY synthesis
+ qdata->rcode = KNOT_RCODE_NOERROR;
+ return KNOTD_IN_STATE_NODATA;
+ }
+
+ // Copy target zone name
+ knot_dname_storage_t target;
+ unsigned target_len = name_len - knot_dname_size(knotd_qdata_zone_name(qdata)) - prefix_len;
+ memcpy(target, qdata->name + prefix_len, target_len);
+ target[target_len] = '\0';
+
+ // Fetch CDS/CDNSKEY rrset
+ knot_rrset_t rrset;
+ int ret = knotd_qdata_zone_rrset(qdata, target, NULL, qtype, &rrset);
+ if (ret == KNOT_ENOZONE) { // unknown zone
+ return state;
+ } else if (ret != KNOT_EOK) { // something weird (zone empty, apex missing, ...)
+ qdata->rcode = KNOT_RCODE_SERVFAIL;
+ return KNOTD_IN_STATE_ERROR;
+ } else if (knot_rrset_empty(&rrset)) { // zone apex doesn't have requested type
+ // promote NXDOMAIN to NODATA to accommodate synthesis of other qtype
+ qdata->rcode = KNOT_RCODE_NOERROR;
+ return KNOTD_IN_STATE_NODATA;
+ }
+
+ // Replace owner
+ rrset.owner = (knot_dname_t *)qdata->name;
+
+ // Insert synthetic response into packet.
+ if (knot_pkt_put(pkt, 0, &rrset, KNOT_PF_FREE) != KNOT_EOK) {
+ return KNOTD_IN_STATE_ERROR;
+ }
+
+ // Authoritative response.
+ knot_wire_set_aa(pkt->wire);
+
+ return KNOTD_IN_STATE_HIT;
+}
+
+int auth_signal_load(knotd_mod_t *mod)
+{
+ return knotd_mod_in_hook(mod, KNOTD_STAGE_ANSWER, signal_query);
+}
+
+KNOTD_MOD_API(authsignal, KNOTD_MOD_FLAG_SCOPE_ZONE | KNOTD_MOD_FLAG_OPT_CONF,
+ auth_signal_load, NULL, NULL, NULL);
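Review bot: `target_len` at the `unsigned target_len = name_len - knot_dname_size(knotd_qdata_zone_name(qdata)) - prefix_len;` line can wrap: the only length check so far is `name_len < prefix_len`, so when the queried name is the apex of a zone whose first label is itself `_dsboot` (a NODATA answer for CDS/CDNSKEY at the apex reaches this hook), `name_len` equals the zone name size, the subtraction underflows and `memcpy` writes far past `target` on the stack. Require at least one label between the prefix and the zone suffix before copying (change below); this also turns the `_dsboot.<signal-zone>` case, where `target` would otherwise become the root name, into NODATA. Two smaller points: the `knot_pkt_put` failure path returns `KNOTD_IN_STATE_ERROR` without setting `qdata->rcode`, unlike the `ret != KNOT_EOK` branch above it, so it relies on the dispatcher defaulting to SERVFAIL; and `KNOT_PF_FREE` is passed for an rrset whose owner is `qdata->name` and whose rdata belongs to another zone's contents, which is only safe if frees on `pkt->mm` are no-ops — worth a comment either way.
```c
	// Copy target zone name (the labels between the _dsboot prefix and the zone suffix).
	const size_t zone_len = knot_dname_size(knotd_qdata_zone_name(qdata));
	if (name_len < prefix_len + zone_len + 2) {
		// No target label present (or the qname is the apex itself): nothing to synthesize.
		qdata->rcode = KNOT_RCODE_NOERROR;
		return KNOTD_IN_STATE_NODATA;
	}
	knot_dname_storage_t target;
	const unsigned target_len = name_len - zone_len - prefix_len;
	memcpy(target, qdata->name + prefix_len, target_len);
	target[target_len] = '\0';
	// … unchanged: CDS/CDNSKEY fetch and response synthesis …
```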
diff --git a/src/knot/modules/authsignal/authsignal.rst b/src/knot/modules/authsignal/authsignal.rst
new file mode 100644
index 0000000..01043a1
--- /dev/null
+++ b/src/knot/modules/authsignal/authsignal.rst
@@ -0,0 +1,41 @@
+.. _mod-authsignal:
+
+``authsignal`` – Automatic Authenticated DNSSEC Bootstrapping records
+=====================================================================
+
+This module is able to synthesize records for automatic DNSSEC bootstrapping
+(draft-ietf-dnsop-dnssec-bootstrapping).
+
+Records are synthesized only if the query can't be satisfied from the zone.
+
+Synthesized records also need to be signed. Typically, this would be done
+using the :ref:`onlinesign<mod-onlinesign>` module.
+
+Example
+-------
+
+Automatic forward records
+.........................
+
+::
+ mod-onlinesign:
+ - id: authsignal
+ nsec-bitmap: [CDS, CDNSKEY]
+
+ zone:
+ - domain: example.net
+ dnssec-signing: on
+ - domain: _signal.ns1.example.com
+ module: [mod-authsignal, mod-onlinesign/authsignal]
+
+Result:
+
+.. code-block:: console
+
+ $ kdig CDS _dsboot.example.net._signal.ns1.example.com.
+ ...
+ ;; QUESTION SECTION:
+ ;; _dsboot.example.net._signal.ns1.example.com. IN CDS
+
+ ;; ANSWER SECTION:
+ _dsboot.example.net._signal.ns1.example.com. 0 IN CDS 45504 13 2 2F2D518FD9DBB2B1403F51398A9931F2832B89F0F85C146B130D383FC23584FA
diff --git a/src/knot/nameserver/query_module.c b/src/knot/nameserver/query_module.c
index 54a982b..f02ee1b 100644
--- a/src/knot/nameserver/query_module.c
+++ b/src/knot/nameserver/query_module.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -666,6 +666,41 @@ knot_rrset_t knotd_qdata_zone_apex_rrset(const knotd_qdata_t *qdata, uint16_t ty
}
_public_
+int knotd_qdata_zone_rrset(const knotd_qdata_t *qdata, const knot_dname_t *zone_name,
+ const knot_dname_t *node_name, uint16_t type,
+ knot_rrset_t *out)
+{
+ if (qdata == NULL || out == NULL) {
+ return KNOT_EINVAL;
+ }
+
+ const zone_contents_t *contents = qdata->extra->contents;
+ if (zone_name != NULL) {
+ server_t *server = qdata->params->server;
+ zone_t *zone = knot_zonedb_find(server->zone_db, zone_name);
+ if (zone == NULL) {
+ return KNOT_ENOZONE;
+ }
+ contents = zone->contents;
+ }
+ if (contents == NULL) {
+ return KNOT_EEMPTYZONE;
+ }
+
+ const zone_node_t *node = contents->apex;
+ if (node_name != NULL) {
+ node = zone_contents_find_node(contents, node_name); // NSEC3 not considered.
+ }
+ if (node == NULL) {
+ return KNOT_ENONODE;
+ }
+
+ *out = node_rrset(node, type);
+
+ return KNOT_EOK;
+}
+
+_public_
int knotd_mod_dnssec_init(knotd_mod_t *mod)
{
if (mod == NULL || mod->dnssec != NULL) {
diff --git a/src/knot/query/quic-requestor.c b/src/knot/query/quic-requestor.c
index 0cfb8ec..62008f9 100644
--- a/src/knot/query/quic-requestor.c
+++ b/src/knot/query/quic-requestor.c
@@ -87,6 +87,7 @@ static int quic_exchange(knot_quic_conn_t *conn, knot_quic_reply_t *r, int timeo
if (hconn == NULL) {
return KNOT_EOK;
} else if (hconn != conn) {
+ knot_quic_cleanup(&hconn, 1);
return KNOT_ESEMCHECK;
}
diff --git a/src/knot/zone/semantic-check.c b/src/knot/zone/semantic-check.c
index 2360728..862d7a4 100644
--- a/src/knot/zone/semantic-check.c
+++ b/src/knot/zone/semantic-check.c
@@ -75,6 +75,8 @@ static const char *error_messages[SEM_ERR_UNKNOWN + 1] = {
"missing DNSKEY",
[SEM_ERR_DNSKEY_INVALID] =
"invalid DNSKEY",
+ [SEM_ERR_DNSKEY_KEYTAG_LIMIT] =
+ "many DNSKEYs with equal keytag",
[SEM_ERR_CDS_NONE] =
"missing CDS",
@@ -500,6 +502,8 @@ static sem_error_t err_dnssec2sem(int ret, uint16_t rrtype, char *info, size_t l
return SEM_ERR_NSEC_RDATA_CHAIN;
case KNOT_DNSSEC_ENSEC3_OPTOUT:
return SEM_ERR_NSEC3_INSECURE_DELEGATION_OPT;
+ case KNOT_DNSSEC_EKEYTAG_LIMIT:
+ return SEM_ERR_DNSKEY_KEYTAG_LIMIT;
default:
return SEM_ERR_UNKNOWN;
}
diff --git a/src/knot/zone/semantic-check.h b/src/knot/zone/semantic-check.h
index f92639b..6a8b3c3 100644
--- a/src/knot/zone/semantic-check.h
+++ b/src/knot/zone/semantic-check.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -64,6 +64,7 @@ typedef enum {
SEM_ERR_DNSKEY_NONE,
SEM_ERR_DNSKEY_INVALID,
+ SEM_ERR_DNSKEY_KEYTAG_LIMIT,
SEM_ERR_CDS_NONE,
SEM_ERR_CDS_NOT_MATCH,
diff --git a/src/libdnssec/version.h b/src/libdnssec/version.h
index e1948bc..0368f18 100644
--- a/src/libdnssec/version.h
+++ b/src/libdnssec/version.h
@@ -18,7 +18,7 @@
#define DNSSEC_VERSION_MAJOR 3
#define DNSSEC_VERSION_MINOR 3
-#define DNSSEC_VERSION_PATCH 0x04
+#define DNSSEC_VERSION_PATCH 0x05
#define DNSSEC_VERSION_HEX ((DNSSEC_VERSION_MAJOR << 16) | \
(DNSSEC_VERSION_MINOR << 8) | \
diff --git a/src/libknot/errcode.h b/src/libknot/errcode.h
index cf51b96..a9eb65c 100644
--- a/src/libknot/errcode.h
+++ b/src/libknot/errcode.h
@@ -174,6 +174,7 @@ enum knot_error {
KNOT_NO_PUBLIC_KEY,
KNOT_NO_PRIVATE_KEY,
KNOT_NO_READY_KEY,
+ KNOT_DNSSEC_EKEYTAG_LIMIT,
KNOT_ERROR_MAX = -501
};
diff --git a/src/libknot/error.c b/src/libknot/error.c
index d5802f2..a148ee7 100644
--- a/src/libknot/error.c
+++ b/src/libknot/error.c
@@ -173,6 +173,7 @@ static const struct error errors[] = {
{ KNOT_NO_PUBLIC_KEY, "no public key" },
{ KNOT_NO_PRIVATE_KEY, "no private key" },
{ KNOT_NO_READY_KEY, "no key ready for submission" },
+ { KNOT_DNSSEC_EKEYTAG_LIMIT, "many keys with equal keytag" },
/* Terminator */
{ KNOT_ERROR, NULL }
diff --git a/src/libknot/rrset-dump.c b/src/libknot/rrset-dump.c
index 7011a65..51a52dd 100644
--- a/src/libknot/rrset-dump.c
+++ b/src/libknot/rrset-dump.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -598,7 +598,7 @@ static void wire_text_to_str(rrset_dump_params_t *p, size_t in_len,
CHECK_INMAX(in_len)
// Check if quotation can ever be disabled (parser protection fallback).
- if (!quote) {
+ if (!quote && !alpn_mode) {
for (size_t i = 0; i < in_len; i++) {
if (p->in[i] == ' ') { // Other WS characters are encoded.
quote = true;
@@ -1515,7 +1515,11 @@ static void wire_svcparam_to_str(rrset_dump_params_t *p)
wire_value_list_to_str(p, wire_svcb_paramkey_to_str, p->in + val_len);
break;
case KNOT_SVCB_PARAM_ALPN:
+ dump_string(p, "\"");
+ CHECK_PRET
wire_value_list_to_str(p, wire_text_to_str_alpn, p->in + val_len);
+ dump_string(p, "\"");
+ CHECK_PRET
break;
case KNOT_SVCB_PARAM_NDALPN:
p->ret = -1; // must not have value
diff --git a/src/libknot/rrset.h b/src/libknot/rrset.h
index fdc5719..51efb74 100644
--- a/src/libknot/rrset.h
+++ b/src/libknot/rrset.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -185,10 +185,27 @@ bool knot_rrset_is_nsec3rel(const knot_rrset_t *rr);
int knot_rrset_rr_to_canonical(knot_rrset_t *rrset);
/*!
- * \brief Size of rrset in wire format.
+ * \brief Size of rrset in wire format (without compression).
*
* \retval size in bytes
*/
size_t knot_rrset_size(const knot_rrset_t *rrset);
+/*!
+ * \brief Fast estimate of knot_rrset_size(); it can return slightly larger values.
+ */
+inline static size_t knot_rrset_size_estimate(const knot_rrset_t *rrset)
+{
+ if (rrset == NULL) {
+ return 0;
+ }
+
+ /* 8B = TYPE + CLASS + TTL + RDLENGTH - sizeof(knot_rdata_t::len)
+ * We over-estimate by the count of padding bytes (<= rrset->rrs.count) */
+ size_t estim = rrset->rrs.size
+ + rrset->rrs.count * (knot_dname_size(rrset->owner) + 8);
+
+ return estim;
+}
+
/*! @} */
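Review bot: `knot_rrset_size_estimate` is a public inline in a header but carries only a `\brief`; add `\param rrset RRset to measure (NULL allowed).` and `\return Upper bound on knot_rrset_size() in bytes, 0 for NULL.`, and state the direction of the error explicitly in the brief ("never smaller than knot_rrset_size()"), since callers sizing buffers depend on exactly that property. The body comment already supports it (over-estimate by at most `rrs.count` padding bytes), so the claim is grounded.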
diff --git a/src/libknot/version.h b/src/libknot/version.h
index f3a9210..2f86ed7 100644
--- a/src/libknot/version.h
+++ b/src/libknot/version.h
@@ -18,7 +18,7 @@
#define KNOT_VERSION_MAJOR 3
#define KNOT_VERSION_MINOR 3
-#define KNOT_VERSION_PATCH 0x04
+#define KNOT_VERSION_PATCH 0x05
#define KNOT_VERSION_HEX ((KNOT_VERSION_MAJOR << 16) | \
(KNOT_VERSION_MINOR << 8) | \
diff --git a/src/libknot/xdp/protocols.h b/src/libknot/xdp/protocols.h
index 1a18601..ee26e97 100644
--- a/src/libknot/xdp/protocols.h
+++ b/src/libknot/xdp/protocols.h
@@ -90,7 +90,7 @@ inline static void *prot_read_tcp(void *data, knot_xdp_msg_t *msg, uint16_t *src
continue;
}
- if (opts + 1 > hdr_end || opts + opts[1] > hdr_end) {
+ if (opts + 1 > hdr_end || opts + opts[1] > hdr_end || opts[1] < 2) {
// Malformed option.
break;
}
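Review bot: The added `opts[1] < 2` guard closes the zero-length-option loop, but it is evaluated after `opts[1]` has already been read by `opts + opts[1] > hdr_end`, and the first test `opts + 1 > hdr_end` still admits `opts + 1 == hdr_end`; if `hdr_end` is one past the last header byte, that reads `opts[1]` one byte beyond the TCP header. `if (opts + 2 > hdr_end || opts[1] < 2 || opts + opts[1] > hdr_end) {` is the tight bound and checks the length before using it. `prot_read_tcp` and the definition of `hdr_end` are outside the hunk, so the off-by-one should be confirmed against them.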
diff --git a/src/libzscanner/error.c b/src/libzscanner/error.c
index 8e571f9..a43db0e 100644
--- a/src/libzscanner/error.c
+++ b/src/libzscanner/error.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -167,6 +167,8 @@ static const err_table_t err_msgs[] = {
"empty comma-separated list item" ),
ERR_ITEM( ZS_FILE_ACCESS,
"permission denied" ),
+ ERR_ITEM( ZS_BAD_ALPN_BACKSLASH,
+ "unscaped backslash character" ),
ERR_ITEM( 0, NULL ) // Terminator
};
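Review bot: The new user-facing message for `ZS_BAD_ALPN_BACKSLASH` has a typo, "unscaped"; it should read `"unescaped backslash character"`. Since the message is what operators see from kzonecheck and in the server log, it is worth fixing before release.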
diff --git a/src/libzscanner/error.h b/src/libzscanner/error.h
index f54a750..87b73a9 100644
--- a/src/libzscanner/error.h
+++ b/src/libzscanner/error.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2022 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -96,6 +96,7 @@ enum err_codes {
ZS_MISSING_SVCB_MANDATORY,
ZS_EMPTY_LIST_ITEM,
ZS_FILE_ACCESS,
+ ZS_BAD_ALPN_BACKSLASH,
};
/*!
diff --git a/src/libzscanner/scanner.c.g2 b/src/libzscanner/scanner.c.g2
index 66f6b1a..f97c3ae 100644
--- a/src/libzscanner/scanner.c.g2
+++ b/src/libzscanner/scanner.c.g2
@@ -40865,6 +40865,7 @@ tr1008:
// Reset per-record contexts.
s->long_string = false;
s->comma_list = false;
+ s->pending_backslash = false;
s->state = ZS_STATE_ERROR;
@@ -40909,6 +40910,7 @@ tr1010:
// Reset per-record contexts.
s->long_string = false;
s->comma_list = false;
+ s->pending_backslash = false;
s->state = ZS_STATE_ERROR;
@@ -41367,24 +41369,31 @@ tr1033:
goto st319;
tr1037:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41416,24 +41425,31 @@ tr1045:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41484,24 +41500,31 @@ case 319:
goto tr1032;
tr1036:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41514,24 +41537,31 @@ tr1044:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41551,24 +41581,31 @@ case 1409:
goto st0;
tr1038:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41603,24 +41640,31 @@ tr1046:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41674,24 +41718,31 @@ case 1410:
goto tr1032;
tr1039:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41701,24 +41752,31 @@ tr1047:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41866,24 +41924,31 @@ tr1048:
goto st324;
tr1052:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -41915,24 +41980,31 @@ tr1061:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -42006,24 +42078,31 @@ tr1049:
goto st325;
tr1053:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -42055,24 +42134,31 @@ tr1062:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -42122,24 +42208,31 @@ case 325:
goto tr1032;
tr1054:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -42149,24 +42242,31 @@ tr1063:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -42187,24 +42287,31 @@ case 326:
goto tr1056;
tr1055:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -42214,24 +42321,31 @@ tr1064:
rdata_tail++;
}
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {goto st307;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
}
}
}
@@ -57047,6 +57161,10 @@ tr1951:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -57083,6 +57201,10 @@ tr1952:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -57126,6 +57248,10 @@ tr1953:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -57169,6 +57295,10 @@ tr1954:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -58174,6 +58304,7 @@ case 609:
tr1949:
{
s->comma_list = true;
+ s->pending_backslash = false;
}
{
if (rdata_tail < rdata_stop) {
@@ -58264,6 +58395,10 @@ tr1955:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -58568,6 +58703,10 @@ tr1956:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -58919,6 +59058,10 @@ tr1957:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -59590,6 +59733,10 @@ tr2128:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -59686,6 +59833,10 @@ tr1958:
}
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {goto st307;}
+ }
}
{
s->item_length = rdata_tail - s->item_length2_location - 2;
@@ -61488,6 +61639,7 @@ case 696:
tr1950:
{
s->comma_list = true;
+ s->pending_backslash = false;
}
{
if (rdata_tail < rdata_stop) {
@@ -61552,6 +61704,7 @@ case 697:
tr2127:
{
s->comma_list = true;
+ s->pending_backslash = false;
}
{
if (rdata_tail < rdata_stop) {
diff --git a/src/libzscanner/scanner.c.t0 b/src/libzscanner/scanner.c.t0
index 0909496..b1b2616 100644
--- a/src/libzscanner/scanner.c.t0
+++ b/src/libzscanner/scanner.c.t0
@@ -6983,6 +6983,7 @@ _match:
// Reset per-record contexts.
s->long_string = false;
s->comma_list = false;
+ s->pending_backslash = false;
s->state = ZS_STATE_ERROR;
@@ -7528,24 +7529,31 @@ _match:
break;
case 68:
{
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
p--; {cs = 307;goto _again;}
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {cs = 307;goto _again;}
}
}
}
@@ -8844,11 +8852,16 @@ _match:
case 292:
{
s->comma_list = true;
+ s->pending_backslash = false;
}
break;
case 293:
{
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ p--; {cs = 307;goto _again;}
+ }
}
break;
case 294:
diff --git a/src/libzscanner/scanner.h b/src/libzscanner/scanner.h
index b45ca48..140b4f1 100644
--- a/src/libzscanner/scanner.h
+++ b/src/libzscanner/scanner.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -157,6 +157,8 @@ struct zs_scanner {
bool long_string;
/*! Comma separated string list indication (svcb parsing). */
bool comma_list;
+ /*! Indication of a non-applied backslash. */
+ bool pending_backslash;
/*! Pointer to the actual dname storage (origin/owner/rdata). */
uint8_t *dname;
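Review bot: Inserting `pending_backslash` in the middle of `struct zs_scanner` shifts every later member (`dname` onward) and grows the struct; if applications allocate `zs_scanner_t` themselves or read its members, that is an ABI change which the accompanying ZSCANNER_VERSION_PATCH bump alone does not signal. If the struct is treated as public, appending the flag at the end of the struct, or at least stating the layout change in the release notes, would be the safer form. The struct definition continues outside the hunk.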
diff --git a/src/libzscanner/scanner_body.rl b/src/libzscanner/scanner_body.rl
index 34d51cd..a1ff46c 100644
--- a/src/libzscanner/scanner_body.rl
+++ b/src/libzscanner/scanner_body.rl
@@ -1,4 +1,4 @@
-/* Copyright (C) 2021 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -116,6 +116,7 @@
// Reset per-record contexts.
s->long_string = false;
s->comma_list = false;
+ s->pending_backslash = false;
s->state = ZS_STATE_ERROR;
@@ -656,24 +657,31 @@
}
action _comma_list {
- uint8_t *last_two = rdata_tail - 2;
- uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (s->comma_list) {
+ uint8_t *last_two = rdata_tail - 2;
+ uint16_t current_len = rdata_tail - s->item_length_location - 2;
if (last_two[1] == ',') {
if (current_len <= 1) {
WARN(ZS_EMPTY_LIST_ITEM);
fhold; fgoto err_line;
- } else if (last_two[0] != '\\') { // Start a new item.
+ } else if (last_two[0] != '\\' || !s->pending_backslash) { // Start a new item.
*(s->item_length_location) = current_len;
s->item_length_location = rdata_tail - 1;
} else { // Remove backslash.
last_two[0] = ',';
rdata_tail--;
+ s->pending_backslash = false;
}
- } else if (current_len > 1 && last_two[1] == '\\') {
- if (last_two[0] == '\\') { // Remove backslash.
+ } else if (last_two[1] == '\\') {
+ if (s->pending_backslash) { // Remove backslash.
rdata_tail--;
+ s->pending_backslash = false;
+ } else {
+ s->pending_backslash = true;
}
+ } else if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ fhold; fgoto err_line;
}
}
}
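Review bot: In the `','` branch the new condition `last_two[0] != '\\' || !s->pending_backslash` says one thing twice: as far as this hunk shows, `pending_backslash` is set only when the byte just written was a backslash and is cleared by whichever byte follows, so `last_two[0] == '\\'` holds whenever the flag is set and the test reduces to `!s->pending_backslash`. A comment on the `last_two[1] == '\\'` branch would also help, e.g. `// The byte may come from a literal '\\' or a '\092' zone-file escape; both are treated alike, since list unescaping runs on already-unescaped bytes.` One ordering question I cannot settle without seeing where `item_length_location` is initialised: a pending backslash followed by a comma as the first character of an item appears to reach the `current_len <= 1` test before the escape is applied, so `\,` at item start may be reported as an empty item rather than a literal comma; testing `pending_backslash` ahead of the length check would avoid that. The generated scanner.c and scanner.c.t0 hunks carry copies of this action and would follow a change made here.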
@@ -1800,9 +1808,14 @@
action _alpnl_init {
s->comma_list = true;
+ s->pending_backslash = false;
}
action _alpnl_exit {
s->comma_list = false;
+ if (s->pending_backslash) {
+ WARN(ZS_BAD_ALPN_BACKSLASH);
+ fhold; fgoto err_line;
+ }
}
action _mandatory_init {
diff --git a/src/libzscanner/version.h b/src/libzscanner/version.h
index 653d9bf..25520c7 100644
--- a/src/libzscanner/version.h
+++ b/src/libzscanner/version.h
@@ -18,7 +18,7 @@
#define ZSCANNER_VERSION_MAJOR 3
#define ZSCANNER_VERSION_MINOR 3
-#define ZSCANNER_VERSION_PATCH 0x04
+#define ZSCANNER_VERSION_PATCH 0x05
#define ZSCANNER_VERSION_HEX ((ZSCANNER_VERSION_MAJOR << 16) | \
(ZSCANNER_VERSION_MINOR << 8) | \
diff --git a/src/utils/kzonecheck/main.c b/src/utils/kzonecheck/main.c
index 3a2b620..5fb4c73 100644
--- a/src/utils/kzonecheck/main.c
+++ b/src/utils/kzonecheck/main.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -40,6 +40,7 @@ static void print_help(void)
" -o, --origin <zone_origin> Zone name.\n"
" (default filename without .zone)\n"
" -d, --dnssec <on|off> Also check DNSSEC-related records.\n"
+ " -z, --zonemd Also check ZONEMD.\n"
" -t, --time <timestamp> Current time specification.\n"
" (default current UNIX time)\n"
" -p, --print Print the zone on stdout.\n"
@@ -66,7 +67,7 @@ static bool str2bool(const char *s)
int main(int argc, char *argv[])
{
const char *origin = NULL;
- bool verbose = false, print = false;
+ bool zonemd = false, verbose = false, print = false;
semcheck_optional_t optional = SEMCHECK_DNSSEC_AUTO; // default value for --dnssec
knot_time_t check_time = (knot_time_t)time(NULL);
@@ -75,6 +76,7 @@ int main(int argc, char *argv[])
{ "origin", required_argument, NULL, 'o' },
{ "time", required_argument, NULL, 't' },
{ "dnssec", required_argument, NULL, 'd' },
+ { "zonemd", no_argument, NULL, 'z' },
{ "print", no_argument, NULL, 'p' },
{ "verbose", no_argument, NULL, 'v' },
{ "help", no_argument, NULL, 'h' },
@@ -87,7 +89,7 @@ int main(int argc, char *argv[])
/* Parse command line arguments */
int opt = 0;
- while ((opt = getopt_long(argc, argv, "o:t:d:pvVh", opts, NULL)) != -1) {
+ while ((opt = getopt_long(argc, argv, "o:t:d:zpvVh", opts, NULL)) != -1) {
switch (opt) {
case 'o':
origin = optarg;
@@ -107,6 +109,9 @@ int main(int argc, char *argv[])
case 'd':
optional = str2bool(optarg) ? SEMCHECK_DNSSEC_ON : SEMCHECK_DNSSEC_OFF;
break;
+ case 'z':
+ zonemd = true;
+ break;
case 't':
if (knot_time_parse("YMDhms|#|+-#U|+-#",
optarg, &check_time) != KNOT_EOK) {
@@ -146,6 +151,15 @@ int main(int argc, char *argv[])
zonename = strdup(origin);
}
+ knot_dname_storage_t zone;
+ if (knot_dname_from_str(zone, zonename, sizeof(zone)) == NULL) {
+ ERR2("invalid zone name");
+ free(zonename);
+ return EXIT_FAILURE;
+ }
+ free(zonename);
+ knot_dname_to_lower(zone);
+
log_init();
log_levels_set(LOG_TARGET_STDOUT, LOG_SOURCE_ANY, 0);
log_levels_set(LOG_TARGET_STDERR, LOG_SOURCE_ANY, 0);
@@ -155,31 +169,14 @@ int main(int argc, char *argv[])
log_levels_add(LOG_TARGET_STDOUT, LOG_SOURCE_ANY, LOG_UPTO(LOG_DEBUG));
}
- knot_dname_t *dname = knot_dname_from_str_alloc(zonename);
- knot_dname_to_lower(dname);
- free(zonename);
- int ret = zone_check(filename, dname, optional, (time_t)check_time, print);
- knot_dname_free(dname, NULL);
-
+ int ret = zone_check(filename, zone, zonemd, optional, (time_t)check_time, print);
log_close();
-
- switch (ret) {
- case KNOT_EOK:
- if (verbose) {
- INFO2("No semantic error found");
+ if (ret == KNOT_EOK) {
+ if (verbose && !print) {
+ INFO2("No error found");
}
return EXIT_SUCCESS;
- case KNOT_EZONEINVAL:
- ERR2("serious semantic error detected");
- // FALLTHROUGH
- case KNOT_ESEMCHECK:
- return EXIT_FAILURE;
- case KNOT_EACCES:
- case KNOT_EFILE:
- ERR2("failed to load the zone file");
- return EXIT_FAILURE;
- default:
- ERR2("failed to run semantic checks (%s)", knot_strerror(ret));
+ } else {
return EXIT_FAILURE;
}
}
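Review bot: The tail of main() now has an `else` whose only statement is `return EXIT_FAILURE;`, which can be folded into one expression: `if (ret == KNOT_EOK && verbose && !print) { INFO2("No error found"); }` followed by `return ret == KNOT_EOK ? EXIT_SUCCESS : EXIT_FAILURE;`. Since the per-code diagnostics that the removed switch printed have moved into zone_check(), a comment on the `zone_check` call such as `/* Diagnostics are printed by zone_check(); only the exit status is decided here. */` would tell the next reader why main() no longer distinguishes the error codes. main() starts outside the hunk.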
diff --git a/src/utils/kzonecheck/zone_check.c b/src/utils/kzonecheck/zone_check.c
index 542e152..2ea63b8 100644
--- a/src/utils/kzonecheck/zone_check.c
+++ b/src/utils/kzonecheck/zone_check.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -20,6 +20,7 @@
#include "utils/kzonecheck/zone_check.h"
#include "knot/zone/contents.h"
+#include "knot/zone/digest.h"
#include "knot/zone/zonefile.h"
#include "knot/zone/zone-dump.h"
#include "utils/common/msg.h"
@@ -62,7 +63,7 @@ static void print_statistics(err_handler_stats_t *stats)
}
}
-int zone_check(const char *zone_file, const knot_dname_t *zone_name,
+int zone_check(const char *zone_file, const knot_dname_t *zone_name, bool zonemd,
semcheck_optional_t optional, time_t time, bool print)
{
err_handler_stats_t stats = {
@@ -71,7 +72,15 @@ int zone_check(const char *zone_file, const knot_dname_t *zone_name,
zloader_t zl;
int ret = zonefile_open(&zl, zone_file, zone_name, optional, time);
- if (ret != KNOT_EOK) {
+ switch (ret) {
+ case KNOT_EOK:
+ break;
+ case KNOT_EACCES:
+ case KNOT_EFILE:
+ ERR2("failed to load the zone file");
+ return ret;
+ default:
+ ERR2("failed to run semantic checks (%s)", knot_strerror(ret));
return ret;
}
zl.err_handler = (sem_handler_t *)&stats;
@@ -80,21 +89,39 @@ int zone_check(const char *zone_file, const knot_dname_t *zone_name,
zone_contents_t *contents = zonefile_load(&zl);
zonefile_close(&zl);
if (contents == NULL && !stats.handler.error) {
+ ERR2("failed to run semantic checks");
return KNOT_ERROR;
}
if (stats.error_count > 0) {
print_statistics(&stats);
- ret = stats.handler.error ? KNOT_EZONEINVAL : KNOT_ESEMCHECK;
- if (print) {
+ if (stats.handler.error) {
fprintf(stderr, "\n");
+ ERR2("serious semantic error detected");
+ ret = KNOT_EINVAL;
+ } else {
+ ret = KNOT_ESEMCHECK;
+ }
+ }
+
+ if (zonemd) {
+ ret = zone_contents_digest_verify(contents);
+ if (ret != KNOT_EOK) {
+ if (stats.error_count > 0 && !stats.handler.error) {
+ fprintf(stderr, "\n");
+ }
+ ERR2("invalid ZONEMD");
}
}
if (print) {
+ if (ret != KNOT_EOK) {
+ fprintf(stderr, "\n");
+ }
printf(";; Zone dump (Knot DNS %s)\n", PACKAGE_VERSION);
zone_dump_text(contents, stdout, false, NULL);
}
+
zone_contents_deep_free(contents);
return ret;
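Review bot: The ZONEMD branch overwrites `ret`: when the semantic checks have already set KNOT_ESEMCHECK or KNOT_EINVAL and `zone_contents_digest_verify()` then succeeds, `ret` becomes KNOT_EOK and kzonecheck exits 0 (printing "No error found" under -v) although errors were found and printed just above. Keep the digest result separate and let it only downgrade a clean result: `int md_ret = zone_contents_digest_verify(contents);`, `if (md_ret != KNOT_EOK) {`, and after the `ERR2("invalid ZONEMD")` add `if (ret == KNOT_EOK) { ret = md_ret; }`. Separately, when `zonefile_load()` returns NULL with `stats.handler.error` set, execution continues with `contents == NULL` into the new digest call (and the existing dump); unless `zone_contents_digest_verify()` accepts NULL, the `zonemd` branch needs a `contents != NULL` guard. zone_check() starts outside the hunk.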
diff --git a/src/utils/kzonecheck/zone_check.h b/src/utils/kzonecheck/zone_check.h
index 7039f16..206c27e 100644
--- a/src/utils/kzonecheck/zone_check.h
+++ b/src/utils/kzonecheck/zone_check.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -19,5 +19,5 @@
#include "knot/zone/semantic-check.h"
#include "libknot/libknot.h"
-int zone_check(const char *zone_file, const knot_dname_t *zone_name,
+int zone_check(const char *zone_file, const knot_dname_t *zone_name, bool zonemd,
semcheck_optional_t optional, time_t time, bool print);
diff --git a/tests/knot/semantic_check_data/dnskey_keytags.many b/tests/knot/semantic_check_data/dnskey_keytags.many
new file mode 100644
index 0000000..efc87b6
--- /dev/null
+++ b/tests/knot/semantic_check_data/dnskey_keytags.many
@@ -0,0 +1,30 @@
+;; Zone dump (Knot DNS 3.4.dev0+1709028633.0c1de8c46)
+example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111217 21600 3600 604800 86400
+example.com. 3600 NS dns1.example.com.
+example.com. 3600 DNSKEY 256 3 13 Xw53weVKxFPqiBIzviMAZvRgdruTyHpHC3uYf9Twr9ug+cSyrYx4tteWUWPzsXgYnjATplJYY47KBMirTCR9BA==
+example.com. 3600 DNSKEY 256 3 13 qvLsJ9NpDpzxzHg91N7Fj++5SU6H5DdAAGmAaS/FGYu9H93V1hfZ5a7QPrN5E8ZKhWWGc9Li/OULloYer3btZg==
+example.com. 3600 DNSKEY 256 3 13 +qPQIbks9pY61AJkemnK89ly7IhjmdhiszwQAi3hpSybwMSWtp1LzrNna/nmX7DeDpanoZGljd8l2rjFBklYhg==
+example.com. 3600 DNSKEY 257 3 13 0qemQB7NsmO+Q3EnIdMPfrlTMAJxxOAjrZVHKbtfmXmd9HUsjBOg8hI6o0h9kfMb/qM/OWJYq25C5nzwl1eJGw==
+dns1.example.com. 3600 A 192.0.2.1
+;; DNSSEC signatures
+example.com. 3600 RRSIG NS 13 2 3600 20440222113630 20240227100630 50687 example.com. Uc5BSG2ohqfkZaIfqa3JpsUBfv5av7j2xCd9AeGb0TyfdsTJeQPxbeSFtLCeeVt0YShGjxwUldnjxqOoZxKo9Q==
+example.com. 3600 RRSIG NS 13 2 3600 20440222114545 20240227101545 50687 example.com. YTxdJfVKe4vExYay712yKVr1BTXV91/lN4yIo+NaBl/KcZUWwTgku4o4b7qQsprb6iIPueaBnbt2C6VpBXh0tw==
+example.com. 3600 RRSIG NS 13 2 3600 20440222114918 20240227101918 50687 example.com. 5Tni3/OWhTSEd45fRemrnX90fpaXKg6oUnGyZ+eVqxmjfYSMDA1H0W8eTJXFGi4Tbrxn0uZeP+FzGlTvz9uj2A==
+example.com. 3600 RRSIG SOA 13 2 3600 20440222115548 20240227102548 50687 example.com. DIZm9AnVxD3W3BdQ+XYY003wibKTtlesff2JJtOFqc18vLUcccG5JHfieClmTcFjQyPCVltK7sieaN5m4Deivw==
+example.com. 3600 RRSIG SOA 13 2 3600 20440222115548 20240227102548 50687 example.com. h2WIMryLnmCyDr3/3lfh0UBLCGZH0RSTGN39d9dWmz2Ap2IEKdcEE6QG1pVxp23UNJo8IeawIR4Xw9emllZ2fQ==
+example.com. 3600 RRSIG SOA 13 2 3600 20440222115548 20240227102548 50687 example.com. 2mEsdLT+UyNJJ5hA3Oo5ujJ0KZr/0G+Agrypl7a5ew9tZ07X7WCNw5D9orF7YlkX9TejTYijIUNWNksZyHnBfg==
+example.com. 3600 RRSIG NSEC 13 2 3600 20440222113630 20240227100630 50687 example.com. akUd7/c8/sJTqB04KO3kQZwwb0i/7l8mvg10e7Somtc5nP5/gKsBpFDPGpvchZpVrlXME+eq+oRNfp3fQfBmvA==
+example.com. 3600 RRSIG NSEC 13 2 3600 20440222114545 20240227101545 50687 example.com. QRn8TG6/7i15V7O+ktA3PQqlMqK8nq+4XKRCssW7tFtvZlkiIWBuwvXJVViby3bfc3+GmF+X2whJJSq3NQB2Ow==
+example.com. 3600 RRSIG NSEC 13 2 3600 20440222114918 20240227101918 50687 example.com. 8rERTpgNiE11A//J4xf9t0jrECXiNoHvNZajdY8GzOkV3kCpMN9jkKw/Ppr6vkon+4CBHc7HuODQArIgfU6nUA==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20440222115548 20240227102548 50687 example.com. HX2JTLzV6JLmb4SokV27+JVvejyA+FuifWaK96U2dSslvvXTWrAEqp/j3naJ0q9gjftUWUdKTOZ67FfsmH2XNg==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20440222113630 20240227100630 50687 example.com. Y8vvqbd55jo7zKx0uDVwaWScpGqti8sPXodjItsrN8gjA3d3A+7TVW71L9FSwww/Usl8cyXIC4ZUR5c7JIFNHQ==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20440222114545 20240227101545 50687 example.com. dGLOD3cxFqXoiDaMftaXGKUjK0EGloelABNLbto/+cUuxiBlwdMi9yskncK6kM4ncy1TsMM8SJXCYmbpD9lPlg==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20440222114918 20240227101918 50687 example.com. F2iOodkc/jF2ha5mmaEVwa4SMOtBxiipo8jqNqjiY1oXioIgdfxysSdmiY0x0IAddLhbMeUNlto3kHhK4fO5ew==
+dns1.example.com. 3600 RRSIG NSEC 13 3 3600 20440222113630 20240227100630 50687 example.com. Opl4Clj6bRS/iTsJdEpJMX76XAGVt/OJQS3hRdpwDROdaskd69ENPPtdnOR0aNlG6NeMBXzH8HkMOIDv6k50kg==
+dns1.example.com. 3600 RRSIG NSEC 13 3 3600 20440222114545 20240227101545 50687 example.com. wBH3KsAJkcuuO+73dUfTDGH5RnkFE8o6wfw905SV07K7G+2X4YY/SVkwNX0jp2JaQe1rWn0kvvqJSvOb/LMd1Q==
+dns1.example.com. 3600 RRSIG NSEC 13 3 3600 20440222114918 20240227101918 50687 example.com. s6GL57MD/j0y+06EHspfjhp6raJW0+AoXsEIjojQJqfXyDTP1XgKQMeElB7q7oZK1Ks9aQ9mZrdo12D7yOPVkQ==
+;; DNSSEC NSEC chain
+example.com. 3600 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 3600 NSEC example.com. A RRSIG NSEC
+;; Written 25 records
+;; Time 2024-02-27 12:55:48 CET
diff --git a/tests/knot/semantic_check_data/dnskey_keytags.more b/tests/knot/semantic_check_data/dnskey_keytags.more
new file mode 100644
index 0000000..b6f5760
--- /dev/null
+++ b/tests/knot/semantic_check_data/dnskey_keytags.more
@@ -0,0 +1,24 @@
+;; Zone dump (Knot DNS 3.4.dev0+1709037013.b484eb414)
+example.com. 3600 SOA dns1.example.com. hostmaster.example.com. 2010111215 21600 3600 604800 86400
+example.com. 3600 NS dns1.example.com.
+example.com. 3600 DNSKEY 256 3 13 Xw53weVKxFPqiBIzviMAZvRgdruTyHpHC3uYf9Twr9ug+cSyrYx4tteWUWPzsXgYnjATplJYY47KBMirTCR9BA==
+example.com. 3600 DNSKEY 256 3 13 qvLsJ9NpDpzxzHg91N7Fj++5SU6H5DdAAGmAaS/FGYu9H93V1hfZ5a7QPrN5E8ZKhWWGc9Li/OULloYer3btZg==
+example.com. 3600 DNSKEY 257 3 13 0qemQB7NsmO+Q3EnIdMPfrlTMAJxxOAjrZVHKbtfmXmd9HUsjBOg8hI6o0h9kfMb/qM/OWJYq25C5nzwl1eJGw==
+dns1.example.com. 3600 A 192.0.2.1
+;; DNSSEC signatures
+example.com. 3600 RRSIG NS 13 2 3600 20241223152039 20240227135039 50687 example.com. +0LC6BlnPpDJoBc1siE+XPmyv589lY79MH1h2YwMtY6iEd35h2CeP6tH1l9y8kLabRCREyw0/DJaRsHNet6olQ==
+example.com. 3600 RRSIG NS 13 2 3600 20440222113630 20240227100630 50687 example.com. Uc5BSG2ohqfkZaIfqa3JpsUBfv5av7j2xCd9AeGb0TyfdsTJeQPxbeSFtLCeeVt0YShGjxwUldnjxqOoZxKo9Q==
+example.com. 3600 RRSIG SOA 13 2 3600 20241223152039 20240227135039 50687 example.com. baS1G2mzsLinOPmg3lqhLR/9kxJFzZnw07H0PzBBIcYGEe1myGg55+ZIJ+QR5cR13jqvHltRojL9bHWbFBCL5A==
+example.com. 3600 RRSIG SOA 13 2 3600 20241223152039 20240227135039 50687 example.com. bfL8KJoz1sMRLx1MXATA5fLnNJDWtQkEugiHN1THyJUfm0oVQTfbVkrnFaUSwZHiovZ/s2rri1HNOdGnCm2wAA==
+example.com. 3600 RRSIG NSEC 13 2 3600 20241223152039 20240227135039 50687 example.com. 9e8McGcJuWOtJ6mYlMOcktb1yDeNFDElLhmE3ULKSeUu+Dyyaye/rlK33qPptzXDoODQKG/0CCXRyz/nRgZ70g==
+example.com. 3600 RRSIG NSEC 13 2 3600 20440222113630 20240227100630 50687 example.com. akUd7/c8/sJTqB04KO3kQZwwb0i/7l8mvg10e7Somtc5nP5/gKsBpFDPGpvchZpVrlXME+eq+oRNfp3fQfBmvA==
+example.com. 3600 RRSIG DNSKEY 13 2 3600 20241223152039 20240227135039 50687 example.com. W9K24FgSjnUjv2lVyrC/ddZJfBMwkiu/NQsC2BpG2Sg69RUkI5FEnwZT7g1AfJEO+QWAqjNdZ/5iep+Lhpi3ow==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20241223152039 20240227135039 50687 example.com. JBBpxjsn+PETEDb//cbGfyaMuoOAuHcK6dX0MpJXTHl6WgNT05hFkfsW87BrG5VUv9Ffdg9wmECaiGQ1G4LXQA==
+dns1.example.com. 3600 RRSIG A 13 3 3600 20440222113630 20240227100630 50687 example.com. Y8vvqbd55jo7zKx0uDVwaWScpGqti8sPXodjItsrN8gjA3d3A+7TVW71L9FSwww/Usl8cyXIC4ZUR5c7JIFNHQ==
+dns1.example.com. 3600 RRSIG NSEC 13 3 3600 20241223152039 20240227135039 50687 example.com. Kn7GEREsUJqmgNyUKPhmlm1PRzIlhP2pORHCw+x699aDv/xtVprIT2d73SUWKW0PoCSU7SecsKiLPYx/t9ymIw==
+dns1.example.com. 3600 RRSIG NSEC 13 3 3600 20440222113630 20240227100630 50687 example.com. Opl4Clj6bRS/iTsJdEpJMX76XAGVt/OJQS3hRdpwDROdaskd69ENPPtdnOR0aNlG6NeMBXzH8HkMOIDv6k50kg==
+;; DNSSEC NSEC chain
+example.com. 3600 NSEC dns1.example.com. NS SOA RRSIG NSEC DNSKEY
+dns1.example.com. 3600 NSEC example.com. A RRSIG NSEC
+;; Written 19 records
+;; Time 2024-02-27 16:20:39 CET
diff --git a/tests/knot/test_semantic_check.in b/tests/knot/test_semantic_check.in
index cd50ef7..7675896 100644
--- a/tests/knot/test_semantic_check.in
+++ b/tests/knot/test_semantic_check.in
@@ -59,6 +59,7 @@ DNAME_CHILDREN="child record exists under DNAME"
DNAME_MULTIPLE="multiple DNAME records"
DNAME_EXTRA_NS="NS record exists beside DNAME"
DNSKEY_INVALID="invalid DNSKEY"
+DNSKEY_KEYTAGS="many DNSKEYs with equal keytag"
DS_ALG="unknown algorithm in DS"
DS_APEX="DS at the zone apex"
NSEC3PARAM_FLAGS="invalid flags in NSEC3PARAM"
@@ -111,6 +112,7 @@ expect_error "rrsig_rdata_ttl.signed" 0 1 "$RRSIG_UNVERIFIABLE"
expect_error "duplicate.signature" 0 1 "$RRSIG_UNVERIFIABLE"
expect_error "missing.signed" 0 1 "$NSEC_NONE"
expect_error "dnskey_param_error.signed" 0 1 "$DNSKEY_INVALID"
+expect_error "dnskey_keytags.many" 0 1 "$DNSKEY_KEYTAGS"
expect_error "invalid_ds.signed" 0 2 "$DS_ALG \(keytag 60485"
expect_error "cdnskey.invalid" 0 1 "$CDS_NOT_MATCH"
expect_error "cdnskey.invalid.param" 0 1 "$CDS_NOT_MATCH"
@@ -132,6 +134,7 @@ test_correct "glue_in_deleg.valid"
test_correct "cdnskey.cds"
test_correct "cdnskey.delete.both"
test_correct "dname_apex_nsec3.signed"
+test_correct "dnskey_keytags.more"
test_correct "nsec3_optout_ent.valid"
test_correct "nsec3_optout_ent.all"
@@ -157,6 +160,7 @@ test_correct_no_dnssec "rrsig_rdata_ttl.signed"
test_correct_no_dnssec "duplicate.signature"
test_correct_no_dnssec "missing.signed"
test_correct_no_dnssec "dnskey_param_error.signed"
+test_correct_no_dnssec "dnskey_keytags.many"
test_correct_no_dnssec "cdnskey.invalid"
test_correct_no_dnssec "cdnskey.invalid.param"
test_correct_no_dnssec "cdnskey.nocds"
diff --git a/tests/libknot/test_rrset.c b/tests/libknot/test_rrset.c
index cc67e0f..f91d143 100644
--- a/tests/libknot/test_rrset.c
+++ b/tests/libknot/test_rrset.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/* Copyright (C) 2024 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -34,6 +34,43 @@ static bool check_rrset(const knot_rrset_t *rrset, const knot_dname_t *owner,
rrset->ttl == ttl && rrset->rrs.count == 0; // We do not test rdataset here
}
+static void check_size(knot_rrset_t *rrset, uint8_t *rdata, size_t rdata_len)
+{
+ const size_t per_record_const = 10;
+ const size_t owner_len = knot_dname_size(rrset->owner);
+ assert(owner_len == 13);
+
+ static size_t real = 0, estim = 0;
+ if (rdata_len > 0) {
+ real += owner_len + per_record_const + rdata_len;
+ estim += owner_len + per_record_const + rdata_len + (rdata_len & 1);
+ assert(real <= estim);
+ }
+
+ int ret = knot_rrset_add_rdata(rrset, rdata, rdata_len, NULL);
+ is_int(ret, KNOT_EOK, "knot_rrset_add_rdata()");
+
+ is_int(real, knot_rrset_size(rrset), "knot_rrset_size()");
+ is_int(estim, knot_rrset_size_estimate(rrset), "knot_rrset_size_estimate()");
+}
+
+static void test_rrset_size(void)
+{
+ knot_dname_t *owner = knot_dname_from_str_alloc("rrset.owner.");
+ assert(owner);
+
+ knot_rrset_t rrset;
+ knot_rrset_init(&rrset, owner, KNOT_RRTYPE_TXT, KNOT_CLASS_IN, 7200);
+
+ check_size(&rrset, (uint8_t *)"\x01""a", 2);
+ check_size(&rrset, (uint8_t *)"\x02""ab", 3);
+ check_size(&rrset, (uint8_t *)"\x03""abc", 4);
+ check_size(&rrset, (uint8_t *)"\x03""de", 3);
+ check_size(&rrset, (uint8_t *)"\x01""f", 2);
+
+ knot_rrset_clear(&rrset, NULL);
+}
+
int main(int argc, char *argv[])
{
plan_lazy();
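Review bot: `check_size()` keeps its running totals in `static size_t real = 0, estim = 0;`, so the helper is bound to the single rrset built in `test_rrset_size()`: a second call site, or running the test twice, would compare against stale totals. Passing the totals in through pointer parameters would make the helper reusable; at minimum a comment such as `// Running totals across calls; valid for exactly one rrset per process.` should mark the limitation. The `(rdata_len & 1)` term in `estim` also encodes an assumption about how `knot_rrset_size_estimate()` rounds odd rdata lengths and deserves a one-line comment saying so, since a change in that rounding would fail the test for a reason the code does not explain.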
@@ -117,5 +154,8 @@ int main(int argc, char *argv[])
knot_rrset_free(rrset, NULL);
knot_rrset_free(copy, NULL);
+ // Test rrset size computation functions.
+ test_rrset_size();
+
return 0;
}
diff --git a/tests/libzscanner/data/57_SVCB.in b/tests/libzscanner/data/57_SVCB.in
index c4ce534..78c07a6 100644
--- a/tests/libzscanner/data/57_SVCB.in
+++ b/tests/libzscanner/data/57_SVCB.in
@@ -10,6 +10,7 @@ $TTL 1
@ SVCB 1 . alpn="abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMN1234\053" ; Text string of maximal length (255 chars)
@ SVCB 1 . alpn="part1,part2,part3\\,part4\\\\"
@ SVCB 1 . alpn=part1\,\p\a\r\t2\044part3\092,part4\092\\
+@ SVCB 1 . alpn=foo\\\092,bar
@ SVCB 1 . no-default-alpn
@ SVCB 1 . port=0
@ SVCB 1 . port="65535"
@@ -63,6 +64,11 @@ example.com. SVCB 16 foo.example.org. alpn=f\\\092oo\092,bar,h2
@ SVCB 1 . alpn=
@ SVCB 1 . alpn=a,
@ SVCB 1 . alpn=a,,b
+@ SVCB 1 . alpn=a\
+@ SVCB 1 . alpn=a\\
+@ SVCB 1 . alpn=a\\b
+@ SVCB 1 . alpn=a\\\b
+@ SVCB 1 . alpn=a\\092,b
@ SVCB 1 . alpn="abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMN1234\0536" ; Text string overflow (256 chars)
@ SVCB 1 . no-default-alpn=
@ SVCB 1 . no-default-alpn=h1
diff --git a/tests/libzscanner/data/57_SVCB.out b/tests/libzscanner/data/57_SVCB.out
index a799eb7..3b701d2 100644
--- a/tests/libzscanner/data/57_SVCB.out
+++ b/tests/libzscanner/data/57_SVCB.out
@@ -50,6 +50,12 @@ OWNER=00
CLASS=0001
RRTTL=00000001
RTYPE=0040
+RDATA=0001000001000904666F6F5C03626172
+------
+OWNER=00
+CLASS=0001
+RRTTL=00000001
+RTYPE=0040
RDATA=00010000020000
------
OWNER=00
@@ -242,6 +248,16 @@ WARNG=ZS_EMPTY_LIST_ITEM
------
WARNG=ZS_EMPTY_LIST_ITEM
------
+WARNG=ZS_BAD_NUMBER
+------
+WARNG=ZS_BAD_ALPN_BACKSLASH
+------
+WARNG=ZS_BAD_ALPN_BACKSLASH
+------
+WARNG=ZS_BAD_ALPN_BACKSLASH
+------
+WARNG=ZS_BAD_ALPN_BACKSLASH
+------
WARNG=ZS_ITEM_OVERFLOW
------
WARNG=ZS_BAD_SVCB_PARAM