diff -Nru knot-resolver-5.2.1/AUTHORS knot-resolver-5.3.1/AUTHORS --- knot-resolver-5.2.1/AUTHORS 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/AUTHORS 2021-03-31 15:15:36.000000000 +0000 @@ -20,6 +20,7 @@ David Beitey Grigorii Demidov Hasnat +Héctor Molinero Fernández Ivana Krumlová Jakub Ružička Jan Hák @@ -40,6 +41,7 @@ Michal Lupečka Ondřej Surý Paul Hoffman +Pavel Doležal Pavel Valach Peter Keresztes Schmidt Petr Špaček diff -Nru knot-resolver-5.2.1/bench/bench_lru.c knot-resolver-5.3.1/bench/bench_lru.c --- knot-resolver-5.2.1/bench/bench_lru.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/bench/bench_lru.c 2021-03-31 15:15:36.000000000 +0000 @@ -11,7 +11,7 @@ #include "contrib/ucw/lib.h" #include "daemon/engine.h" -#include "lib/nsrep.h" +#include "lib/selection.h" typedef kr_nsrep_lru_t lru_bench_t; diff -Nru knot-resolver-5.2.1/ci/debian-buster/Dockerfile knot-resolver-5.3.1/ci/debian-buster/Dockerfile --- knot-resolver-5.2.1/ci/debian-buster/Dockerfile 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/ci/debian-buster/Dockerfile 2021-03-31 15:15:36.000000000 +0000 @@ -15,7 +15,18 @@ # RUN apt-get upgrade -y -qqq # Knot and Knot Resolver dependecies -RUN apt-get install -y -qqq git make cmake pkg-config build-essential bsdmainutils libtool autoconf liburcu-dev libgnutls28-dev libedit-dev liblmdb-dev libcap-ng-dev libsystemd-dev libidn11-dev protobuf-c-compiler libfstrm-dev libuv1-dev libcmocka-dev libluajit-5.1-dev lua-http meson libssl-dev libnghttp2-dev libelf-dev +RUN apt-get install -y -qqq git make cmake pkg-config meson \ + build-essential bsdmainutils libtool autoconf libcmocka-dev \ + liburcu-dev libgnutls28-dev libedit-dev liblmdb-dev libcap-ng-dev libsystemd-dev \ + libelf-dev libidn11-dev libuv1-dev \ + libluajit-5.1-dev lua-http libssl-dev libnghttp2-dev + +# Build and testing deps for Resolver's dnstap module (go stuff is just for testing) +RUN apt-get install -y -qqq \ + protobuf-c-compiler libprotobuf-c-dev libfstrm-dev \ + golang-any +RUN bash -c "go get github.com/{FiloSottile/gvt,cloudflare/dns,dnstap/golang-dnstap}" + # documentation dependecies RUN apt-get install -y -qqq doxygen python3-sphinx python3-breathe python3-sphinx-rtd-theme @@ -118,3 +129,15 @@ RUN apt-get install -y -qqq locales RUN sed -i "/en_US.UTF-8/ s/^#\(.*\)/\1/" /etc/locale.gen RUN locale-gen + +# SonarCloud scanner +RUN wget -O /var/opt/wrapper.zip https://sonarcloud.io/static/cpp/build-wrapper-linux-x86.zip +RUN wget -O /var/opt/scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.4.0.2170-linux.zip +RUN unzip -d /var/opt /var/opt/wrapper.zip +RUN unzip -d /var/opt /var/opt/scanner.zip +ENV PATH "$PATH:/var/opt/build-wrapper-linux-x86:/var/opt/sonar-scanner-4.4.0.2170-linux/bin" + +# let's get newer meson from backports +RUN echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list +RUN apt-get update -qq +RUN apt-get -t buster-backports install -y -qqq meson diff -Nru knot-resolver-5.2.1/contrib/mempattern.c knot-resolver-5.3.1/contrib/mempattern.c --- knot-resolver-5.2.1/contrib/mempattern.c 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/contrib/mempattern.c 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,151 @@ +/* Copyright (C) 2017 CZ.NIC, z.s.p.o. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + */ + +#include + +#include "contrib/mempattern.h" +#include "contrib/ucw/mempool.h" + +static void mm_nofree(void *p) +{ + /* nop */ +} + +static void *mm_malloc(void *ctx, size_t n) +{ + (void)ctx; + return malloc(n); +} + +void *mm_alloc(knot_mm_t *mm, size_t size) +{ + if (mm) { + return mm->alloc(mm->ctx, size); + } else { + return malloc(size); + } +} + +void *mm_calloc(knot_mm_t *mm, size_t nmemb, size_t size) +{ + if (nmemb == 0 || size == 0) { + return NULL; + } + if (mm) { + size_t total_size = nmemb * size; + if (total_size / nmemb != size) { // Overflow check + return NULL; + } + void *mem = mm_alloc(mm, total_size); + if (mem == NULL) { + return NULL; + } + return memset(mem, 0, total_size); + } else { + return calloc(nmemb, size); + } +} + +void *mm_realloc(knot_mm_t *mm, void *what, size_t size, size_t prev_size) +{ + if (mm) { + void *p = mm->alloc(mm->ctx, size); + if (p == NULL) { + return NULL; + } else { + if (what) { + memcpy(p, what, + prev_size < size ? prev_size : size); + } + mm_free(mm, what); + return p; + } + } else { + return realloc(what, size); + } +} + +char *mm_strdup(knot_mm_t *mm, const char *s) +{ + if (s == NULL) { + return NULL; + } + if (mm) { + size_t len = strlen(s) + 1; + void *mem = mm_alloc(mm, len); + if (mem == NULL) { + return NULL; + } + return memcpy(mem, s, len); + } else { + return strdup(s); + } +} + +void mm_free(knot_mm_t *mm, void *what) +{ + if (mm) { + if (mm->free) { + mm->free(what); + } + } else { + free(what); + } +} + +void mm_ctx_init(knot_mm_t *mm) +{ + mm->ctx = NULL; + mm->alloc = mm_malloc; + mm->free = free; +} + +void mm_ctx_mempool(knot_mm_t *mm, size_t chunk_size) +{ + mm->ctx = mp_new(chunk_size); + mm->alloc = (knot_mm_alloc_t)mp_alloc; + mm->free = mm_nofree; +} + + +/* Code in addition to Knot's mempattern. */ + +void *mm_malloc_aligned(void *ctx, size_t n) +{ + size_t alignment = (size_t)ctx; + void *res; + int err = posix_memalign(&res, alignment, n); + if (err == 0) { + return res; + } else { + assert(err == -1 && errno == ENOMEM); + return NULL; + } +} + +knot_mm_t * mm_ctx_mempool2(size_t chunk_size) +{ + knot_mm_t pool_tmp; + mm_ctx_mempool(&pool_tmp, chunk_size); + knot_mm_t *pool = mm_alloc(&pool_tmp, sizeof(*pool)); + if (!pool) { + mp_delete(pool_tmp.ctx); + return NULL; + } + memcpy(pool, &pool_tmp, sizeof(*pool)); + return pool; +} + diff -Nru knot-resolver-5.2.1/contrib/mempattern.h knot-resolver-5.3.1/contrib/mempattern.h --- knot-resolver-5.2.1/contrib/mempattern.h 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/contrib/mempattern.h 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,83 @@ +/* Copyright (C) 2018 CZ.NIC, z.s.p.o. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + */ + +/*! + * \brief Memory allocation related functions. + */ + +#pragma once + +#include +#include "lib/defines.h" +#include +#include + +/*! \brief Default memory block size. */ +#define MM_DEFAULT_BLKSIZE 4096 + +/*! \brief Allocs using 'mm' if any, uses system malloc() otherwise. */ +KR_EXPORT +void *mm_alloc(knot_mm_t *mm, size_t size); + +/*! \brief Callocs using 'mm' if any, uses system calloc() otherwise. */ +void *mm_calloc(knot_mm_t *mm, size_t nmemb, size_t size); + +/*! \brief Reallocs using 'mm' if any, uses system realloc() otherwise. */ +KR_EXPORT +void *mm_realloc(knot_mm_t *mm, void *what, size_t size, size_t prev_size); + +/*! \brief Strdups using 'mm' if any, uses system strdup() otherwise. */ +char *mm_strdup(knot_mm_t *mm, const char *s); + +/*! \brief Free using 'mm' if any, uses system free() otherwise. */ +KR_EXPORT +void mm_free(knot_mm_t *mm, void *what); + +/*! \brief Initialize default memory allocation context. */ +void mm_ctx_init(knot_mm_t *mm); + +/*! \brief Memory pool context. */ +void mm_ctx_mempool(knot_mm_t *mm, size_t chunk_size); + + +/* API in addition to Knot's mempattern. */ + +/*! \brief Readability: avoid const-casts in code. */ +static inline void free_const(const void *what) +{ + free((void *)what); +} + +/*! \brief posix_memalign() wrapper. */ +void *mm_malloc_aligned(void *ctx, size_t n); + +/*! \brief Initialize mm with malloc+free with specified alignment (a power of two). */ +static inline void mm_ctx_init_aligned(knot_mm_t *mm, size_t alignment) +{ + assert(__builtin_popcount(alignment) == 1); + mm_ctx_init(mm); + mm->ctx = (uint8_t *)NULL + alignment; /*< roundabout to satisfy linters */ + /* posix_memalign() doesn't allow alignment < sizeof(void*), + * and there's no point in using it for small values anyway, + * as plain malloc() guarantees at least max_align_t. */ + if (alignment > sizeof(max_align_t)) { + mm->alloc = mm_malloc_aligned; + } +} + +/*! \brief New memory pool context, allocated on itself. */ +KR_EXPORT knot_mm_t * mm_ctx_mempool2(size_t chunk_size); + diff -Nru knot-resolver-5.2.1/contrib/meson.build knot-resolver-5.3.1/contrib/meson.build --- knot-resolver-5.2.1/contrib/meson.build 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/contrib/meson.build 2021-03-31 15:15:36.000000000 +0000 @@ -6,6 +6,7 @@ 'ccan/json/json.c', 'ucw/mempool.c', 'ucw/mempool-fmt.c', + 'mempattern.c', 'murmurhash3/murmurhash3.c', 'base32hex.c', 'base64.c', diff -Nru knot-resolver-5.2.1/daemon/bindings/cache.c knot-resolver-5.3.1/daemon/bindings/cache.c --- knot-resolver-5.2.1/daemon/bindings/cache.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/bindings/cache.c 2021-03-31 15:15:36.000000000 +0000 @@ -268,8 +268,6 @@ /* Clear reputation tables */ struct kr_context *ctx = &the_worker->engine->resolver; - lru_reset(ctx->cache_rtt); - lru_reset(ctx->cache_rep); lru_reset(ctx->cache_cookie); lua_pushboolean(L, true); return 1; diff -Nru knot-resolver-5.2.1/daemon/bindings/impl.c knot-resolver-5.3.1/daemon/bindings/impl.c --- knot-resolver-5.2.1/daemon/bindings/impl.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/bindings/impl.c 2021-03-31 15:15:36.000000000 +0000 @@ -43,7 +43,7 @@ struct dirent *entry; int lua_i = 1; while ((entry = readdir(dir)) != NULL) { - if (strcmp(entry->d_name, ".") && strcmp(entry->d_name, "..")) { + if (strcmp(entry->d_name, ".") != 0 && strcmp(entry->d_name, "..") != 0) { lua_pushstring(L, entry->d_name); lua_rawseti(L, -2, lua_i++); } diff -Nru knot-resolver-5.2.1/daemon/bindings/net_client.rst knot-resolver-5.3.1/daemon/bindings/net_client.rst --- knot-resolver-5.2.1/daemon/bindings/net_client.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/bindings/net_client.rst 2021-03-31 15:15:36.000000000 +0000 @@ -8,7 +8,7 @@ IPv4 and IPv6 protocols are used by default. For performance reasons it is recommended to explicitly disable protocols which are not available -on your system. +on your system, though the impact of IPv6 outage is lowered since release 5.3.0. .. envvar:: net.ipv4 = true|false diff -Nru knot-resolver-5.2.1/daemon/cache.test/insert_ns.test.integr/kresd_config.j2 knot-resolver-5.3.1/daemon/cache.test/insert_ns.test.integr/kresd_config.j2 --- knot-resolver-5.2.1/daemon/cache.test/insert_ns.test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/cache.test/insert_ns.test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -8,6 +8,7 @@ -- insert NS record pointing to a non-delegated DNS server cache.open(1*MB) cache.clear() +trust_anchors.remove('.') local ffi = require('ffi') local c = kres.context().cache @@ -52,6 +53,17 @@ net = { '{{SELF_ADDR}}' } +{% if DO_IP6 == "true" %} +net.ipv6 = true +{% else %} +net.ipv6 = false +{% endif %} + +{% if DO_IP4 == "true" %} +net.ipv4 = true +{% else %} +net.ipv4 = false +{% endif %} {% if QMIN == "false" %} option('NO_MINIMIZE', true) diff -Nru knot-resolver-5.2.1/daemon/cache.test/insert_ns.test.integr/nondelegated_auth.rpl knot-resolver-5.3.1/daemon/cache.test/insert_ns.test.integr/nondelegated_auth.rpl --- knot-resolver-5.2.1/daemon/cache.test/insert_ns.test.integr/nondelegated_auth.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/cache.test/insert_ns.test.integr/nondelegated_auth.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -3,6 +3,7 @@ ; target-fetch-policy: "0 0 0 0 0" ; name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. + do-ip6: no CONFIG_END SCENARIO_BEGIN Delegation explicitly added into cache must be followed diff -Nru knot-resolver-5.2.1/daemon/engine.c knot-resolver-5.3.1/daemon/engine.c --- knot-resolver-5.2.1/daemon/engine.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/engine.c 2021-03-31 15:15:36.000000000 +0000 @@ -22,8 +22,7 @@ #include "kresconfig.h" #include "daemon/engine.h" #include "daemon/ffimodule.h" -#include "daemon/worker.h" -#include "lib/nsrep.h" +#include "lib/selection.h" #include "lib/cache/api.h" #include "lib/defines.h" #include "lib/cache/cdb_lmdb.h" @@ -378,29 +377,30 @@ static int init_resolver(struct engine *engine) { - /* Note: it had been zored by engine_init(). */ + /* Note: whole *engine had been zeroed by engine_init(). */ + struct kr_context * const ctx = &engine->resolver; + /* Default options (request flags). */ + ctx->options.REORDER_RR = true; + /* Open resolution context */ - engine->resolver.trust_anchors = map_make(NULL); - engine->resolver.negative_anchors = map_make(NULL); - engine->resolver.pool = engine->pool; - engine->resolver.modules = &engine->modules; - engine->resolver.cache_rtt_tout_retry_interval = KR_NS_TIMEOUT_RETRY_INTERVAL; + ctx->trust_anchors = map_make(NULL); + ctx->negative_anchors = map_make(NULL); + ctx->pool = engine->pool; + ctx->modules = &engine->modules; + ctx->cache_rtt_tout_retry_interval = KR_NS_TIMEOUT_RETRY_INTERVAL; /* Create OPT RR */ - engine->resolver.downstream_opt_rr = mm_alloc(engine->pool, sizeof(knot_rrset_t)); - engine->resolver.upstream_opt_rr = mm_alloc(engine->pool, sizeof(knot_rrset_t)); - if (!engine->resolver.downstream_opt_rr || !engine->resolver.upstream_opt_rr) { + ctx->downstream_opt_rr = mm_alloc(engine->pool, sizeof(knot_rrset_t)); + ctx->upstream_opt_rr = mm_alloc(engine->pool, sizeof(knot_rrset_t)); + if (!ctx->downstream_opt_rr || !ctx->upstream_opt_rr) { return kr_error(ENOMEM); } - knot_edns_init(engine->resolver.downstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, engine->pool); - knot_edns_init(engine->resolver.upstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, engine->pool); + knot_edns_init(ctx->downstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, engine->pool); + knot_edns_init(ctx->upstream_opt_rr, KR_EDNS_PAYLOAD, 0, KR_EDNS_VERSION, engine->pool); /* Use default TLS padding */ - engine->resolver.tls_padding = -1; + ctx->tls_padding = -1; /* Empty init; filled via ./lua/postconfig.lua */ - kr_zonecut_init(&engine->resolver.root_hints, (const uint8_t *)"", engine->pool); - /* Open NS rtt + reputation cache */ - lru_create(&engine->resolver.cache_rtt, LRU_RTT_SIZE, NULL, NULL); - lru_create(&engine->resolver.cache_rep, LRU_REP_SIZE, NULL, NULL); - lru_create(&engine->resolver.cache_cookie, LRU_COOKIES_SIZE, NULL, NULL); + kr_zonecut_init(&ctx->root_hints, (const uint8_t *)"", engine->pool); + lru_create(&ctx->cache_cookie, LRU_COOKIES_SIZE, NULL, NULL); /* Load basic modules */ engine_register(engine, "iterate", NULL, NULL); @@ -578,8 +578,6 @@ kr_cache_close(&engine->resolver.cache); /* The LRUs are currently malloc-ated and need to be freed. */ - lru_free(engine->resolver.cache_rtt); - lru_free(engine->resolver.cache_rep); lru_free(engine->resolver.cache_cookie); network_deinit(&engine->net); diff -Nru knot-resolver-5.2.1/daemon/ffimodule.c knot-resolver-5.3.1/daemon/ffimodule.c --- knot-resolver-5.2.1/daemon/ffimodule.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/ffimodule.c 2021-03-31 15:15:36.000000000 +0000 @@ -257,9 +257,8 @@ * reserve slots after it for references to Lua callbacks. */ const size_t api_length = offsetof(kr_layer_api_t, cb_slots) + (SLOT_count * sizeof(module->layer->cb_slots[0])); - kr_layer_api_t *api = malloc(api_length); + kr_layer_api_t *api = calloc(1, api_length); if (api) { - memset(api, 0, api_length); LAYER_REGISTER(L, api, begin); LAYER_REGISTER(L, api, finish); LAYER_REGISTER(L, api, consume); diff -Nru knot-resolver-5.2.1/daemon/http.c knot-resolver-5.3.1/daemon/http.c --- knot-resolver-5.2.1/daemon/http.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/http.c 2021-03-31 15:15:36.000000000 +0000 @@ -362,7 +362,7 @@ queue_push(ctx->streams, stream_id); } - memcpy(ctx->buf + ctx->buf_pos, data, len); + memmove(ctx->buf + ctx->buf_pos, data, len); ctx->buf_pos += len; return 0; } @@ -387,11 +387,11 @@ if (process_uri_path(ctx, ctx->uri_path, stream_id) < 0) { refuse_stream(h2, stream_id); } - free(ctx->uri_path); - ctx->uri_path = NULL; } ctx->incomplete_stream = -1; ctx->current_method = HTTP_METHOD_NONE; + free(ctx->uri_path); + ctx->uri_path = NULL; len = ctx->buf_pos - sizeof(uint16_t); if (len <= 0 || len > KNOT_WIRE_MAX_PKTSIZE) { @@ -417,6 +417,8 @@ return; data->on_write(data->req, status); + + free(data); } /* diff -Nru knot-resolver-5.2.1/daemon/io.c knot-resolver-5.3.1/daemon/io.c --- knot-resolver-5.2.1/daemon/io.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/io.c 2021-03-31 15:15:36.000000000 +0000 @@ -735,16 +735,10 @@ } struct io_stream_data *io_tty_alloc_data() { - knot_mm_t _pool = { - .ctx = mp_new(4096), - .alloc = (knot_mm_alloc_t) mp_alloc, - }; - knot_mm_t *pool = mm_alloc(&_pool, sizeof(*pool)); + knot_mm_t *pool = mm_ctx_mempool2(MM_DEFAULT_BLKSIZE); if (!pool) { return NULL; } - memcpy(pool, &_pool, sizeof(*pool)); - struct io_stream_data *data = mm_alloc(pool, sizeof(struct io_stream_data)); data->buf = mp_start(pool->ctx, 512); @@ -814,7 +808,11 @@ assert(xhd && xhd->session && xhd->socket); uint32_t rcvd; knot_xdp_msg_t msgs[XDP_RX_BATCH_SIZE]; - int ret = knot_xdp_recv(xhd->socket, msgs, XDP_RX_BATCH_SIZE, &rcvd); + int ret = knot_xdp_recv(xhd->socket, msgs, XDP_RX_BATCH_SIZE, &rcvd + #if KNOT_VERSION_HEX >= 0x030100 + , NULL + #endif + ); if (ret == KNOT_EOK) { kr_log_verbose("[xdp] poll triggered, processing a batch of %d packets\n", (int)rcvd); @@ -886,7 +884,12 @@ xdp_handle_data_t *xhd = malloc(sizeof(*xhd)); if (!xhd) return kr_error(ENOMEM); - const int port = ep->port ? ep->port : KNOT_XDP_LISTEN_PORT_ALL; + const int port = ep->port ? ep->port : // all ports otherwise + #if KNOT_VERSION_HEX >= 0x030100 + (KNOT_XDP_LISTEN_PORT_PASS | 0); + #else + KNOT_XDP_LISTEN_PORT_ALL; + #endif xhd->socket = NULL; // needed for some reason int ret = knot_xdp_init(&xhd->socket, ifname, ep->nic_queue, port, KNOT_XDP_LOAD_BPF_MAYBE); diff -Nru knot-resolver-5.2.1/daemon/lua/kres-gen.lua knot-resolver-5.3.1/daemon/lua/kres-gen.lua --- knot-resolver-5.2.1/daemon/lua/kres-gen.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/lua/kres-gen.lua 2021-03-31 15:15:36.000000000 +0000 @@ -7,6 +7,22 @@ extern const knot_dump_style_t KNOT_DUMP_STYLE_DEFAULT; struct kr_cdb_api {}; struct lru {}; +typedef enum {KNOT_ANSWER, KNOT_AUTHORITY, KNOT_ADDITIONAL} knot_section_t; +typedef struct { + uint16_t pos; + uint16_t flags; + uint16_t compress_ptr[16]; +} knot_rrinfo_t; +typedef unsigned char knot_dname_t; +typedef struct { + uint16_t len; + uint8_t data[]; +} knot_rdata_t; +typedef struct { + uint16_t count; + uint32_t size; + knot_rdata_t *rdata; +} knot_rdataset_t; typedef struct knot_mm { void *ctx, *alloc, *free; @@ -17,13 +33,7 @@ typedef void (*trace_log_f) (const struct kr_request *, const char *); typedef void (*trace_callback_f)(struct kr_request *); typedef uint8_t * (*alloc_wire_f)(struct kr_request *req, uint16_t *maxlen); -typedef enum {KNOT_ANSWER, KNOT_AUTHORITY, KNOT_ADDITIONAL} knot_section_t; -typedef struct { - uint16_t pos; - uint16_t flags; - uint16_t compress_ptr[16]; -} knot_rrinfo_t; -typedef unsigned char knot_dname_t; +typedef bool (*addr_info_f)(struct sockaddr*); typedef struct { knot_dname_t *_owner; uint32_t _ttl; @@ -83,7 +93,6 @@ typedef struct trie trie_t; struct kr_qflags { _Bool NO_MINIMIZE : 1; - _Bool NO_THROTTLE : 1; _Bool NO_IPV6 : 1; _Bool NO_IPV4 : 1; _Bool TCP : 1; @@ -91,7 +100,7 @@ _Bool AWAIT_IPV4 : 1; _Bool AWAIT_IPV6 : 1; _Bool AWAIT_CUT : 1; - _Bool SAFEMODE : 1; + _Bool NO_EDNS : 1; _Bool CACHED : 1; _Bool NO_CACHE : 1; _Bool EXPIRING : 1; @@ -136,6 +145,11 @@ size_t len; size_t cap; } ranked_rr_array_t; +typedef struct { + union inaddr *at; + size_t len; + size_t cap; +} inaddr_array_t; struct kr_zonecut { knot_dname_t *name; knot_rrset_t *key; @@ -177,7 +191,7 @@ } qsource; struct { unsigned int rtt; - const struct sockaddr *addr; + const struct kr_transport *transport; } upstream; struct kr_qflags options; int state; @@ -193,6 +207,12 @@ int vars_ref; knot_mm_t pool; unsigned int uid; + struct { + addr_info_f is_tls_capable; + addr_info_f is_tcp_connected; + addr_info_f is_tcp_waiting; + inaddr_array_t forwarding_targets; + } selection_context; unsigned int count_no_nsaddr; unsigned int count_fail_row; alloc_wire_f alloc_wire_cb; @@ -262,19 +282,19 @@ void *lib; void *data; }; +struct kr_server_selection { + _Bool initialized; + void (*choose_transport)(struct kr_query *, struct kr_transport **); + void (*update_rtt)(struct kr_query *, const struct kr_transport *, unsigned int); + void (*error)(struct kr_query *, const struct kr_transport *, enum kr_selection_error); + struct local_state *local_state; +}; kr_layer_t kr_layer_t_static; typedef int32_t (*kr_stale_cb)(int32_t ttl, const knot_dname_t *owner, uint16_t type, const struct kr_query *qry); void kr_rrset_init(knot_rrset_t *rrset, knot_dname_t *owner, uint16_t type, uint16_t rclass, uint32_t ttl); -struct kr_nsrep { - unsigned int score; - unsigned int reputation; - const knot_dname_t *name; - struct kr_context *ctx; - /* beware: hidden stub, to avoid hardcoding sockaddr lengths */ -}; struct kr_query { struct kr_query *parent; knot_dname_t *sname; @@ -295,7 +315,7 @@ struct kr_query *cname_parent; struct kr_request *request; kr_stale_cb stale_cb; - struct kr_nsrep ns; + struct kr_server_selection server_selection; }; struct kr_context { struct kr_qflags options; @@ -305,8 +325,13 @@ map_t negative_anchors; struct kr_zonecut root_hints; struct kr_cache cache; + unsigned int cache_rtt_tout_retry_interval; char _stub[]; }; +struct kr_transport { + knot_dname_t *ns_name; + /* beware: hidden stub, to avoid hardcoding sockaddr lengths */ +}; const char *knot_strerror(int); knot_dname_t *knot_dname_copy(const knot_dname_t *, knot_mm_t *); knot_dname_t *knot_dname_from_str(uint8_t *, const char *, size_t); @@ -336,7 +361,7 @@ int kr_rplan_pop(struct kr_rplan *, struct kr_query *); struct kr_query *kr_rplan_resolved(struct kr_rplan *); struct kr_query *kr_rplan_last(struct kr_rplan *); -int kr_nsrep_set(struct kr_query *, size_t, const struct sockaddr *); +int kr_forward_add_target(struct kr_request *, const struct sockaddr *); void kr_log_req(const struct kr_request * const, uint32_t, const unsigned int, const char *, const char *, ...); void kr_log_q(const struct kr_query * const, const char *, const char *, ...); int kr_make_query(struct kr_query *, knot_pkt_t *); diff -Nru knot-resolver-5.2.1/daemon/lua/kres-gen.sh knot-resolver-5.3.1/daemon/lua/kres-gen.sh --- knot-resolver-5.2.1/daemon/lua/kres-gen.sh 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/lua/kres-gen.sh 2021-03-31 15:15:36.000000000 +0000 @@ -60,6 +60,14 @@ struct lru {}; " +${CDEFS} ${LIBKRES} types <<-EOF + knot_section_t + knot_rrinfo_t + knot_dname_t + knot_rdata_t + knot_rdataset_t +EOF + # The generator doesn't work well with typedefs of functions. printf " typedef struct knot_mm { @@ -71,16 +79,9 @@ typedef void (*trace_log_f) (const struct kr_request *, const char *); typedef void (*trace_callback_f)(struct kr_request *); typedef uint8_t * (*alloc_wire_f)(struct kr_request *req, uint16_t *maxlen); +typedef bool (*addr_info_f)(struct sockaddr*); " -${CDEFS} ${LIBKRES} types <<-EOF - knot_section_t - knot_rrinfo_t - knot_dname_t - #knot_rdata_t - #knot_rdataset_t -EOF - genResType() { echo "$1" | ${CDEFS} ${LIBKRES} types } @@ -108,6 +109,7 @@ struct kr_qflags ranked_rr_array_entry_t ranked_rr_array_t + inaddr_array_t struct kr_zonecut kr_qarray_t struct kr_rplan @@ -124,6 +126,7 @@ # lib/module.h struct kr_prop struct kr_module + struct kr_server_selection EOF # a static variable; the line might not be simple to generate @@ -139,14 +142,15 @@ ## Some definitions would need too many deps, so shorten them. -genResType "struct kr_nsrep" | sed '/union/,$ d' -printf "\t/* beware: hidden stub, to avoid hardcoding sockaddr lengths */\n};\n" - genResType "struct kr_query" -genResType "struct kr_context" | sed '/kr_nsrep_rtt_lru_t/,$ d' +genResType "struct kr_context" | sed '/module_array_t/,$ d' printf "\tchar _stub[];\n};\n" + +echo "struct kr_transport" | ${CDEFS} ${KRESD} types | sed '/union /,$ d' +printf "\t/* beware: hidden stub, to avoid hardcoding sockaddr lengths */\n};\n" + ## libknot API ${CDEFS} libknot functions <<-EOF # Utils @@ -188,8 +192,8 @@ kr_rplan_pop kr_rplan_resolved kr_rplan_last -# Nameservers - kr_nsrep_set +# Forwarding + kr_forward_add_target # Utils kr_log_req kr_log_q @@ -277,6 +281,7 @@ echo "struct qr_task" | ${CDEFS} ${KRESD} types | sed '/pktbuf/,$ d' printf "\t/* beware: hidden stub, to avoid qr_tasklist_t */\n};\n" + ${CDEFS} ${KRESD} functions <<-EOF worker_resolve_exec worker_resolve_mk_pkt diff -Nru knot-resolver-5.2.1/daemon/lua/kres.lua knot-resolver-5.3.1/daemon/lua/kres.lua --- knot-resolver-5.2.1/daemon/lua/kres.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/lua/kres.lua 2021-03-31 15:15:36.000000000 +0000 @@ -46,6 +46,7 @@ uint16_t sa_family; uint8_t _stub[]; /* Do not touch */ }; + struct knot_error { int code; }; @@ -59,40 +60,6 @@ int gettimeofday(struct timeval *tv, struct timezone *tz); ]] - --- TMP: compatibility with both libknot 2.8 and 2.9 -local knot_rdataset_t_cdef -local sover_pos = string.find(libknot_SONAME, '%d') -if not sover_pos then - error('unexpected libknot soname: ' .. libknot_SONAME) -end -local sover = string.sub(libknot_SONAME, sover_pos , sover_pos) -if sover == '9' then - knot_rdataset_t_cdef = [[ - typedef struct { - uint16_t count; - knot_rdata_t *rdata; - } knot_rdataset_t; - ]] -elseif sover == '1' then -- it's 10 really, but this is simpler - knot_rdataset_t_cdef = [[ - typedef struct { - uint16_t count; - uint32_t size; - knot_rdata_t *rdata; - } knot_rdataset_t; - ]] -else - error('unexpected libknot version: ' .. sover) -end -ffi.cdef([[ - typedef struct { - uint16_t len; - uint8_t data[]; - } knot_rdata_t; - ]] .. knot_rdataset_t_cdef) - - require('kres-gen') -- Error code representation diff -Nru knot-resolver-5.2.1/daemon/main.c knot-resolver-5.3.1/daemon/main.c --- knot-resolver-5.2.1/daemon/main.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/main.c 2021-03-31 15:15:36.000000000 +0000 @@ -485,10 +485,8 @@ kr_crypto_init(); /* Create a server engine. */ - knot_mm_t pool = { - .ctx = mp_new (4096), - .alloc = (knot_mm_alloc_t) mp_alloc - }; + knot_mm_t pool; + mm_ctx_mempool(&pool, MM_DEFAULT_BLKSIZE); static struct engine engine; ret = engine_init(&engine, &pool); if (ret != 0) { diff -Nru knot-resolver-5.2.1/daemon/udp_queue.c knot-resolver-5.3.1/daemon/udp_queue.c --- knot-resolver-5.2.1/daemon/udp_queue.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/udp_queue.c 2021-03-31 15:15:36.000000000 +0000 @@ -76,19 +76,6 @@ int sent_len = sendmmsg(fd, q->msgvec, q->len, 0); /* ATM we don't really do anything about failures. */ int err = sent_len < 0 ? errno : EAGAIN /* unknown error, really */; - if (unlikely(sent_len != q->len)) { - if (err != EWOULDBLOCK) { - kr_log_error("ERROR: udp sendmmsg() sent %d / %d; %s\n", - sent_len, q->len, strerror(err)); - } else { - const uint64_t stamp_now = kr_now(); - static uint64_t stamp_last = 0; - if (stamp_now > stamp_last + 60*1000) { - kr_log_info("WARNING: dropped UDP reply packet(s) due to network overload (reported at most once per minute)\n"); - stamp_last = stamp_now; - } - } - } for (int i = 0; i < q->len; ++i) { qr_task_on_send(q->items[i].task, NULL, i < sent_len ? 0 : err); worker_task_unref(q->items[i].task); diff -Nru knot-resolver-5.2.1/daemon/worker.c knot-resolver-5.3.1/daemon/worker.c --- knot-resolver-5.2.1/daemon/worker.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/worker.c 2021-03-31 15:15:36.000000000 +0000 @@ -83,15 +83,15 @@ qr_tasklist_t waiting; struct session *pending[MAX_PENDING]; uint16_t pending_count; - uint16_t addrlist_count; - uint16_t addrlist_turn; uint16_t timeouts; uint16_t iter_count; - struct sockaddr *addrlist; uint32_t refs; bool finished : 1; bool leading : 1; uint64_t creation_time; + uint64_t send_time; + uint64_t recv_time; + struct kr_transport *transport; }; @@ -120,15 +120,15 @@ const struct sockaddr *addr, knot_pkt_t *pkt); static int qr_task_finalize(struct qr_task *task, int state); static void qr_task_complete(struct qr_task *task); -static struct session* worker_find_tcp_connected(struct worker_ctx *worker, +struct session* worker_find_tcp_connected(struct worker_ctx *worker, const struct sockaddr *addr); static int worker_add_tcp_waiting(struct worker_ctx *worker, const struct sockaddr *addr, struct session *session); -static struct session* worker_find_tcp_waiting(struct worker_ctx *worker, +struct session* worker_find_tcp_waiting(struct worker_ctx *worker, const struct sockaddr *addr); static void on_tcp_connect_timeout(uv_timer_t *timer); -static void on_retransmit(uv_timer_t *req); +static void on_udp_timeout(uv_timer_t *timer); static void subreq_finalize(struct qr_task *task, const struct sockaddr *packet_source, knot_pkt_t *pkt); @@ -275,8 +275,13 @@ assert(handle->type == UV_POLL); xdp_handle_data_t *xhd = handle->data; knot_xdp_msg_t out; - int ret = knot_xdp_send_alloc(xhd->socket, ctx->source.addr.ip.sa_family == AF_INET6, - &out, NULL); + bool ipv6 = ctx->source.addr.ip.sa_family == AF_INET6; + int ret = knot_xdp_send_alloc(xhd->socket, + #if KNOT_VERSION_HEX >= 0x030100 + ipv6 ? KNOT_XDP_MSG_IPV6 : 0, &out); + #else + ipv6, &out, NULL); + #endif if (ret != KNOT_EOK) { assert(ret == KNOT_ENOMEM); *maxlen = 0; @@ -310,6 +315,19 @@ kr_log_verbose("[xdp] freed unsent buffer, ret = %d\n", ret); } #endif +/* Helper functions for transport selection */ +static inline bool is_tls_capable(struct sockaddr *address) { + tls_client_param_t *tls_entry = tls_client_param_get(the_worker->engine->net.tls_client_params, address); + return tls_entry; +} + +static inline bool is_tcp_connected(struct sockaddr *address) { + return worker_find_tcp_connected(the_worker, address); +} + +static inline bool is_tcp_waiting(struct sockaddr *address) { + return worker_find_tcp_waiting(the_worker, address); +} /** Create and initialize a request_ctx (on a fresh mempool). * @@ -330,14 +348,12 @@ }; /* Create request context */ - struct request_ctx *ctx = mm_alloc(&pool, sizeof(*ctx)); + struct request_ctx *ctx = mm_calloc(&pool, 1, sizeof(*ctx)); if (!ctx) { pool_release(worker, pool.ctx); return NULL; } - memset(ctx, 0, sizeof(*ctx)); - /* TODO Relocate pool to struct request */ ctx->worker = worker; if (session) { @@ -383,6 +399,12 @@ req->qsource.dst_addr = &ctx->source.dst_addr.ip; } + req->selection_context.is_tls_capable = is_tls_capable; + req->selection_context.is_tcp_connected = is_tcp_connected; + req->selection_context.is_tcp_waiting = is_tcp_waiting; + array_init(req->selection_context.forwarding_targets); + array_reserve_mm(req->selection_context.forwarding_targets, 1, kr_memreserve, &req->pool); + worker->stats.rconcurrent += 1; return ctx; @@ -415,10 +437,6 @@ struct engine *engine = worker->engine; kr_resolve_begin(req, &engine->resolver); worker->stats.queries += 1; - /* Throttle outbound queries only when high pressure */ - if (worker->stats.concurrent < QUERY_RATE_THRESHOLD) { - req->options.NO_THROTTLE = true; - } return kr_ok(); } @@ -465,11 +483,10 @@ } /* Create resolution task */ - struct qr_task *task = mm_alloc(&ctx->req.pool, sizeof(*task)); + struct qr_task *task = mm_calloc(&ctx->req.pool, 1, sizeof(*task)); if (!task) { return NULL; } - memset(task, 0, sizeof(*task)); /* avoid accidentally unintialized fields */ /* Create packet buffers for answer and subrequests */ knot_pkt_t *pktbuf = knot_pkt_new(NULL, pktbuf_max, &ctx->req.pool); @@ -559,7 +576,6 @@ /* This is called when we send subrequest / answer */ int qr_task_on_send(struct qr_task *task, const uv_handle_t *handle, int status) { - if (task->finished) { assert(task->leading == false); qr_task_complete(task); @@ -572,26 +588,17 @@ assert(s); if (handle->type == UV_UDP && session_flags(s)->outgoing) { - /* Start the timeout timer for UDP here, since this is the closest - * to the wire we can get. */ - struct kr_request *req = &task->ctx->req; - /* Check current query NSLIST */ - struct kr_query *qry = array_tail(req->rplan.pending); + // This should ensure that we are only dealing with our question to upstream + assert(!knot_wire_get_qr(task->pktbuf->wire)); + // start the timer + struct kr_query *qry = array_tail(task->ctx->req.rplan.pending); assert(qry != NULL); - /* Retransmit at default interval, or more frequently if the mean - * RTT of the server is better. If the server is glued, use default rate. */ - size_t timeout = qry->ns.score; - if (timeout > KR_NS_GLUED) { - /* We don't have information about variance in RTT, expect +10ms */ - timeout = MIN(qry->ns.score + 10, KR_CONN_RETRY); - } else { - timeout = KR_CONN_RETRY; - } - - int ret = session_timer_start(s, on_retransmit, timeout, 0); + (void)qry; + size_t timeout = task->transport->timeout; + int ret = session_timer_start(s, on_udp_timeout, timeout, 0); /* Start next step with timeout, fatal if can't start a timer. */ if (ret != 0) { - subreq_finalize(task, &qry->ns.addr->ip, task->pktbuf); + subreq_finalize(task, &task->transport->address.ip, task->pktbuf); qr_task_finalize(task, KR_STATE_FAIL); } } @@ -681,6 +688,9 @@ qr_task_ref(task); struct worker_ctx *worker = ctx->worker; + /* Note time for upstream RTT */ + task->send_time = kr_now(); + task->recv_time = 0; // task structure is being reused so we have to zero this out here /* Send using given protocol */ assert(!session_flags(session)->closing); if (session_flags(session)->has_http) { @@ -793,11 +803,9 @@ if (status) { struct qr_task *task = session_waitinglist_get(session); if (task) { - struct kr_qflags *options = &task->ctx->req.options; - unsigned score = options->FORWARD || options->STUB ? KR_NS_FWD_DEAD : KR_NS_DEAD; - kr_nsrep_update_rtt(NULL, peer, score, - the_worker->engine->resolver.cache_rtt, - KR_NS_UPDATE_NORESET); + // TLS handshake failed, report it to server selection + struct kr_query *qry = array_tail(task->ctx->req.rplan.pending); + qry->server_selection.error(qry, task->transport, KR_SELECTION_TLS_HANDSHAKE_FAILED); } #ifndef NDEBUG else { @@ -973,13 +981,10 @@ struct qr_task *task = session_waitinglist_get(session); if (task && status != UV_ETIMEDOUT) { /* Penalize upstream. - * In case of UV_ETIMEDOUT upstream has been - * already penalized in on_tcp_connect_timeout() */ - struct kr_qflags *options = &task->ctx->req.options; - unsigned score = options->FORWARD || options->STUB ? KR_NS_FWD_DEAD : KR_NS_DEAD; - kr_nsrep_update_rtt(NULL, peer, score, - worker->engine->resolver.cache_rtt, - KR_NS_UPDATE_NORESET); + * In case of UV_ETIMEDOUT upstream has been + * already penalized in on_tcp_connect_timeout() */ + struct kr_query *qry = array_tail(task->ctx->req.rplan.pending); + qry->server_selection.error(qry, task->transport, KR_SELECTION_TCP_CONNECT_FAILED); } assert(session_tasklist_is_empty(session)); session_waitinglist_retry(session, false); @@ -1061,10 +1066,7 @@ peer_str ? peer_str : ""); } - unsigned score = qry->flags.FORWARD || qry->flags.STUB ? KR_NS_FWD_DEAD : KR_NS_DEAD; - kr_nsrep_update_rtt(NULL, peer, score, - worker->engine->resolver.cache_rtt, - KR_NS_UPDATE_NORESET); + qry->server_selection.error(qry, task->transport, KR_SELECTION_TCP_CONNECT_TIMEOUT); worker->stats.timeout += session_waitinglist_get_len(session); session_waitinglist_retry(session, true); @@ -1089,34 +1091,28 @@ uv_timer_stop(timer); - /* Penalize all tried nameservers with a timeout. */ struct qr_task *task = session_tasklist_get_first(session); struct worker_ctx *worker = task->ctx->worker; + if (task->leading && task->pending_count > 0) { struct kr_query *qry = array_tail(task->ctx->req.rplan.pending); - struct sockaddr_in6 *addrlist = (struct sockaddr_in6 *)task->addrlist; - for (uint16_t i = 0; i < MIN(task->pending_count, task->addrlist_count); ++i) { - struct sockaddr *choice = (struct sockaddr *)(&addrlist[i]); - WITH_VERBOSE(qry) { - char *addr_str = kr_straddr(choice); - VERBOSE_MSG(qry, "=> server: '%s' flagged as 'bad'\n", addr_str ? addr_str : ""); - } - unsigned score = qry->flags.FORWARD || qry->flags.STUB ? KR_NS_FWD_DEAD : KR_NS_DEAD; - kr_nsrep_update_rtt(&qry->ns, choice, score, - worker->engine->resolver.cache_rtt, - KR_NS_UPDATE_NORESET); - } + qry->server_selection.error(qry, task->transport, KR_SELECTION_QUERY_TIMEOUT); } + task->timeouts += 1; worker->stats.timeout += 1; qr_task_step(task, NULL, NULL); } -static uv_handle_t *retransmit(struct qr_task *task) +static uv_handle_t *transmit(struct qr_task *task) { uv_handle_t *ret = NULL; - if (task && task->addrlist && task->addrlist_count > 0) { - struct sockaddr_in6 *choice = &((struct sockaddr_in6 *)task->addrlist)[task->addrlist_turn]; + + if (task) { + struct kr_transport* transport = task->transport; + + struct sockaddr_in6 *choice = (struct sockaddr_in6 *)&transport->address; + if (!choice) { return ret; } @@ -1125,7 +1121,7 @@ } /* Checkout answer before sending it */ struct request_ctx *ctx = task->ctx; - if (kr_resolve_checkout(&ctx->req, NULL, (struct sockaddr *)choice, SOCK_DGRAM, task->pktbuf) != 0) { + if (kr_resolve_checkout(&ctx->req, NULL, transport, task->pktbuf) != 0) { return ret; } ret = ioreq_spawn(ctx->worker, SOCK_DGRAM, choice->sin6_family, false, false); @@ -1144,31 +1140,12 @@ } else { task->pending[task->pending_count] = session; task->pending_count += 1; - task->addrlist_turn = (task->addrlist_turn + 1) % - task->addrlist_count; /* Round robin */ session_start_read(session); /* Start reading answer */ } } return ret; } -static void on_retransmit(uv_timer_t *req) -{ - struct session *session = req->data; - assert(session_tasklist_get_len(session) == 1); - - uv_timer_stop(req); - struct qr_task *task = session_tasklist_get_first(session); - if (retransmit(task) == NULL) { - /* Not possible to spawn request, start timeout timer with remaining deadline. */ - struct kr_qflags *options = &task->ctx->req.options; - uint64_t timeout = options->FORWARD || options->STUB ? KR_NS_FWD_TIMEOUT / 2 : - KR_CONN_RTT_MAX - task->pending_count * KR_CONN_RETRY; - uv_timer_start(req, on_udp_timeout, timeout, 0); - } else { - uv_timer_start(req, on_retransmit, KR_CONN_RETRY, 0); - } -} static void subreq_finalize(struct qr_task *task, const struct sockaddr *packet_source, knot_pkt_t *pkt) { @@ -1196,6 +1173,12 @@ struct kr_query *qry = array_tail(follower->ctx->req.rplan.pending); qry->id = leader_qry->id; qry->secret = leader_qry->secret; + + // Note that this transport may not be present in `leader_qry`'s server selection + follower->transport = task->transport; + if(follower->transport) { + follower->transport->deduplicated = true; + } leader_qry->secret = 0; /* Next will be already decoded */ } qr_task_step(follower, packet_source, pkt); @@ -1369,7 +1352,7 @@ return kr_ok(); /* Will be notified when outgoing query finishes. */ } /* Start transmitting */ - uv_handle_t *handle = retransmit(task); + uv_handle_t *handle = transmit(task); if (handle == NULL) { subreq_finalize(task, packet_source, packet); return qr_task_finalize(task, KR_STATE_FAIL); @@ -1517,15 +1500,7 @@ worker_del_tcp_waiting(worker, addr); free(conn); session_close(session); - unsigned score = qry->flags.FORWARD || qry->flags.STUB ? KR_NS_FWD_DEAD : KR_NS_DEAD; - kr_nsrep_update_rtt(NULL, peer, score, - worker->engine->resolver.cache_rtt, - KR_NS_UPDATE_NORESET); - WITH_VERBOSE (qry) { - const char *peer_str = kr_straddr(peer); - kr_log_verbose( "[wrkr]=> connect to '%s' failed (%s), flagged as 'bad'\n", - peer_str ? peer_str : "", uv_strerror(ret)); - } + qry->server_selection.error(qry, task->transport, KR_SELECTION_TCP_CONNECT_FAILED); return kr_error(EAGAIN); } @@ -1549,7 +1524,7 @@ assert(task->pending_count == 0); /* target */ - const struct sockaddr *addr = task->addrlist; + const struct sockaddr *addr = &task->transport->address.ip; if (addr->sa_family == AF_UNSPEC) { /* Target isn't defined. Finalize task with SERVFAIL. * Although task->pending_count is zero, there are can be followers, @@ -1559,8 +1534,7 @@ } /* Checkout task before connecting */ struct request_ctx *ctx = task->ctx; - if (kr_resolve_checkout(&ctx->req, NULL, (struct sockaddr *)addr, - SOCK_STREAM, task->pktbuf) != 0) { + if (kr_resolve_checkout(&ctx->req, NULL, task->transport, task->pktbuf) != 0) { subreq_finalize(task, packet_source, packet); return qr_task_finalize(task, KR_STATE_FAIL); } @@ -1609,10 +1583,6 @@ assert(ctx); struct kr_request *req = &ctx->req; struct worker_ctx *worker = ctx->worker; - int sock_type = -1; - task->addrlist = NULL; - task->addrlist_count = 0; - task->addrlist_turn = 0; if (worker->too_many_open) { /* */ @@ -1623,22 +1593,29 @@ } else { if (packet && kr_rplan_empty(rplan)) { /* new query; TODO - make this detection more obvious */ - kr_resolve_consume(req, packet_source, packet); + kr_resolve_consume(req, &task->transport, packet); } return qr_task_finalize(task, KR_STATE_FAIL); } } - int state = kr_resolve_consume(req, packet_source, packet); + // Report network RTT back to server selection + if (packet && task->send_time && task->recv_time) { + struct kr_query *qry = array_tail(req->rplan.pending); + qry->server_selection.update_rtt(qry, task->transport, task->recv_time - task->send_time); + } + + int state = kr_resolve_consume(req, &task->transport, packet); + + task->transport = NULL; while (state == KR_STATE_PRODUCE) { - state = kr_resolve_produce(req, &task->addrlist, - &sock_type, task->pktbuf); + state = kr_resolve_produce(req, &task->transport, task->pktbuf); if (unlikely(++task->iter_count > KR_ITER_LIMIT || task->timeouts >= KR_TIMEOUT_LIMIT)) { #ifndef NOVERBOSELOG struct kr_rplan *rplan = &req->rplan; - struct kr_query *last = kr_rplan_last(rplan); + struct kr_query *last = kr_rplan_last(rplan); if (task->iter_count > KR_ITER_LIMIT) { VERBOSE_MSG(last, "canceling query due to exceeded iteration count limit of %d\n", KR_ITER_LIMIT); } @@ -1654,47 +1631,21 @@ /* We're done, no more iterations needed */ if (state & (KR_STATE_DONE|KR_STATE_FAIL)) { return qr_task_finalize(task, state); - } else if (!task->addrlist || sock_type < 0) { + } else if (!task->transport || !task->transport->protocol) { return qr_task_step(task, NULL, NULL); } - /* Count available address choices */ - struct sockaddr_in6 *choice = (struct sockaddr_in6 *)task->addrlist; - for (size_t i = 0; i < KR_NSREP_MAXADDR && choice->sin6_family != AF_UNSPEC; ++i) { - task->addrlist_count += 1; - choice += 1; - } - - /* Upgrade to TLS if the upstream address is configured as DoT capable. */ - if (task->addrlist_count > 0 && kr_inaddr_port(task->addrlist) == KR_DNS_PORT) { - /* TODO if there are multiple addresses (task->addrlist_count > 1) - * check all of them. */ - struct network *net = &worker->engine->net; - /* task->addrlist has to contain TLS port before tls_client_param_get() call */ - kr_inaddr_set_port(task->addrlist, KR_DNS_TLS_PORT); - tls_client_param_t *tls_entry = - tls_client_param_get(net->tls_client_params, task->addrlist); - if (tls_entry) { - packet_source = NULL; - sock_type = SOCK_STREAM; - /* TODO in this case in tcp_task_make_connection() will be performed - * redundant map_get() call. */ - } else { - /* The function is fairly cheap, so we just change there and back. */ - kr_inaddr_set_port(task->addrlist, KR_DNS_PORT); - } - } - - int ret = 0; - if (sock_type == SOCK_DGRAM) { - /* Start fast retransmit with UDP. */ - ret = udp_task_step(task, packet_source, packet); - } else { - /* TCP. Connect to upstream or send the query if connection already exists. */ - assert (sock_type == SOCK_STREAM); - ret = tcp_task_step(task, packet_source, packet); + switch (task->transport->protocol) + { + case KR_TRANSPORT_UDP: + return udp_task_step(task, packet_source, packet); + case KR_TRANSPORT_TCP: // fall through + case KR_TRANSPORT_TLS: + return tcp_task_step(task, packet_source, packet); + default: + assert(0); + return kr_error(EINVAL); } - return ret; } static int parse_packet(knot_pkt_t *query) @@ -1791,12 +1742,15 @@ } assert(!session_flags(session)->closing); addr = peer; + /* Note recieve time for RTT calculation */ + task->recv_time = kr_now(); } assert(uv_is_closing(session_get_handle(session)) == false); /* Packet was successfully parsed. * Task was created (found). */ session_touch(session); + /* Consume input and produce next message */ return qr_task_step(task, addr, pkt); } @@ -1851,7 +1805,7 @@ return map_del_tcp_session(&worker->tcp_connected, addr); } -static struct session* worker_find_tcp_connected(struct worker_ctx *worker, +struct session* worker_find_tcp_connected(struct worker_ctx *worker, const struct sockaddr* addr) { return map_find_tcp_session(&worker->tcp_connected, addr); @@ -1877,7 +1831,7 @@ return map_del_tcp_session(&worker->tcp_waiting, addr); } -static struct session* worker_find_tcp_waiting(struct worker_ctx *worker, +struct session* worker_find_tcp_waiting(struct worker_ctx *worker, const struct sockaddr* addr) { return map_find_tcp_session(&worker->tcp_waiting, addr); @@ -1951,12 +1905,9 @@ return kr_ok(); } -knot_pkt_t * worker_resolve_mk_pkt(const char *qname_str, uint16_t qtype, uint16_t qclass, +knot_pkt_t *worker_resolve_mk_pkt_dname(knot_dname_t *qname, uint16_t qtype, uint16_t qclass, const struct kr_qflags *options) { - uint8_t qname[KNOT_DNAME_MAXLEN]; - if (!knot_dname_from_str(qname, qname_str, sizeof(qname))) - return NULL; knot_pkt_t *pkt = knot_pkt_new(NULL, KNOT_EDNS_MAX_UDP_PAYLOAD, NULL); if (!pkt) return NULL; @@ -1991,6 +1942,15 @@ return pkt; } +knot_pkt_t *worker_resolve_mk_pkt(const char *qname_str, uint16_t qtype, uint16_t qclass, + const struct kr_qflags *options) +{ + uint8_t qname[KNOT_DNAME_MAXLEN]; + if (!knot_dname_from_str(qname, qname_str, sizeof(qname))) + return NULL; + return worker_resolve_mk_pkt_dname(qname, qtype, qclass, options); +} + struct qr_task *worker_resolve_start(knot_pkt_t *query, struct kr_qflags options) { struct worker_ctx *worker = the_worker; @@ -2149,8 +2109,7 @@ return kr_error(ENOMEM); } - worker->pkt_pool.ctx = mp_new (4 * sizeof(knot_pkt_t)); - worker->pkt_pool.alloc = (knot_mm_alloc_t) mp_alloc; + mm_ctx_mempool(&worker->pkt_pool, 4 * sizeof(knot_pkt_t)); return kr_ok(); } diff -Nru knot-resolver-5.2.1/daemon/worker.h knot-resolver-5.3.1/daemon/worker.h --- knot-resolver-5.2.1/daemon/worker.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/worker.h 2021-03-31 15:15:36.000000000 +0000 @@ -47,6 +47,9 @@ */ int worker_end_tcp(struct session *session); +KR_EXPORT knot_pkt_t *worker_resolve_mk_pkt_dname(knot_dname_t *qname, uint16_t qtype, uint16_t qclass, + const struct kr_qflags *options); + /** * Create a packet suitable for worker_resolve_start(). All in malloc() memory. */ @@ -96,6 +99,10 @@ const struct sockaddr *addr); int worker_del_tcp_waiting(struct worker_ctx *worker, const struct sockaddr* addr); +struct session* worker_find_tcp_waiting(struct worker_ctx *worker, + const struct sockaddr* addr); +struct session* worker_find_tcp_connected(struct worker_ctx *worker, + const struct sockaddr* addr); knot_pkt_t *worker_task_get_pktbuf(const struct qr_task *task); struct request_ctx *worker_task_get_request(struct qr_task *task); @@ -136,7 +143,7 @@ /** @cond internal */ /** Number of request within timeout window. */ -#define MAX_PENDING KR_NSREP_MAXADDR +#define MAX_PENDING 4 /** Maximum response time from TCP upstream, milliseconds */ #define MAX_TCP_INACTIVITY (KR_RESOLVE_TIME_LIMIT + KR_CONN_RTT_MAX) diff -Nru knot-resolver-5.2.1/daemon/zimport.c knot-resolver-5.3.1/daemon/zimport.c --- knot-resolver-5.2.1/daemon/zimport.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/daemon/zimport.c 2021-03-31 15:15:36.000000000 +0000 @@ -33,6 +33,7 @@ */ #include /* PRIu64 */ +#include #include #include #include @@ -78,7 +79,7 @@ * @return pointer to zone import context or NULL. */ static zone_import_ctx_t *zi_ctx_alloc() { - return (zone_import_ctx_t *)malloc(sizeof(zone_import_ctx_t)); + return calloc(1, sizeof(zone_import_ctx_t)); } /** @internal Free zone import context. */ @@ -139,7 +140,6 @@ zi_ctx_free(z_import); return NULL; } - memset(z_import, 0, sizeof(*z_import)); z_import->pool.ctx = mp; z_import->worker = worker; int ret = zi_reset(z_import, 0); @@ -346,8 +346,7 @@ knot_pkt_put_question(answer, dname, rrclass, rrtype); knot_pkt_begin(answer, KNOT_ANSWER); - struct kr_qflags options; - memset(&options, 0, sizeof(options)); + struct kr_qflags options = { 0 }; options.DNSSEC_WANT = true; options.NO_MINIMIZE = true; diff -Nru knot-resolver-5.2.1/debian/changelog knot-resolver-5.3.1/debian/changelog --- knot-resolver-5.2.1/debian/changelog 2020-12-15 08:56:25.000000000 +0000 +++ knot-resolver-5.3.1/debian/changelog 2021-04-12 05:59:28.000000000 +0000 @@ -1,3 +1,24 @@ +knot-resolver (5.3.1-1) unstable; urgency=medium + + [ Jakub Ružička ] + * New upstream release + + [ Santiago Ruano Rincón ] + * Fix unaligned access and SIGBUS on armhf, and then the autopkgtest on + armhf at ci.debian.net (Closes: #918248) + + -- Santiago Ruano Rincón Mon, 12 Apr 2021 07:59:28 +0200 + +knot-resolver (5.3.0-1) unstable; urgency=medium + + [ Jakub Ružička ] + * New upstream release + + [ Santiago Ruano Rincón ] + * Add Portuguese debconf template translation (Closes: #982329) + + -- Jakub Ružička Wed, 03 Mar 2021 15:11:51 +0100 + knot-resolver (5.2.1-1) unstable; urgency=medium * New upstream release diff -Nru knot-resolver-5.2.1/debian/patches/0001-treewide-fix-unaligned-access.patch knot-resolver-5.3.1/debian/patches/0001-treewide-fix-unaligned-access.patch --- knot-resolver-5.2.1/debian/patches/0001-treewide-fix-unaligned-access.patch 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/debian/patches/0001-treewide-fix-unaligned-access.patch 2021-04-12 05:59:28.000000000 +0000 @@ -0,0 +1,117 @@ +From ce48e5a8da49d25f5490cc1be6a54f8d9db5f520 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= +Date: Tue, 6 Apr 2021 17:28:52 +0200 +Subject: [PATCH] treewide: fix unaligned access + +Some less common HW (not x86, usually ARM) doesn't tolerate unaligned +access to memory and it's breakage of C as well. + +It's easiest to check by meson's -Db_sanitize=undefined (on any HW). +I pushed millions of real-life QNAME+QTYPE queries over UDP in default +mode and the sanitizer seems clear now. +--- + lib/cache/impl.h | 16 +++++++++++----- + lib/cache/nsec1.c | 14 ++++++++++---- + lib/layer/iterate.c | 4 +++- + lib/selection.c | 4 ++-- + 4 files changed, 26 insertions(+), 12 deletions(-) + +diff --git a/lib/cache/impl.h b/lib/cache/impl.h +index b884c361..fca8653c 100644 +--- a/lib/cache/impl.h ++++ b/lib/cache/impl.h +@@ -45,7 +45,10 @@ struct entry_h { + bool has_optout : 1; /**< Only for packets; persisted DNSSEC_OPTOUT. */ + uint8_t _pad; /**< We need even alignment for data now. */ + uint8_t data[]; +-}; ++/* Well, we don't really need packing or alignment changes, ++ * but due to LMDB the whole structure may not be stored at an aligned address, ++ * and we need compilers (for non-x86) to know it to avoid SIGBUS (test: UBSAN). */ ++} __attribute__ ((packed,aligned(1))); + struct entry_apex; + + /** Check basic consistency of entry_h for 'E' entries, not looking into ->data. +@@ -303,10 +306,13 @@ static inline int rdataset_dematerialized_size(const uint8_t *data, uint16_t *rd + assert(sizeof(count) == KR_CACHE_RR_COUNT_SIZE); + memcpy(&count, data, sizeof(count)); + const uint8_t *rdata = data + sizeof(count); +- if (rdataset_count) +- *rdataset_count = count; +- for (int i = 0; i < count; ++i) +- rdata += knot_rdata_size(((knot_rdata_t *)rdata)->len); ++ if (rdataset_count) // memcpy is safe for unaligned case (on non-x86) ++ memcpy(rdataset_count, &count, sizeof(count)); ++ for (int i = 0; i < count; ++i) { ++ __typeof__(((knot_rdata_t *)NULL)->len) len; // memcpy as above ++ memcpy(&len, rdata + offsetof(knot_rdata_t, len), sizeof(len)); ++ rdata += knot_rdata_size(len); ++ } + return rdata - (data + sizeof(count)); + } + +diff --git a/lib/cache/nsec1.c b/lib/cache/nsec1.c +index 3985ca3b..ed242ca8 100644 +--- a/lib/cache/nsec1.c ++++ b/lib/cache/nsec1.c +@@ -197,8 +197,14 @@ static const char * find_leq_NSEC1(struct kr_cache *cache, const struct kr_query + /* We know it starts before sname, so let's check the other end. + * 1. construct the key for the next name - kwz_hi. */ + /* it's *full* name ATM */ +- const knot_rdata_t *next = (const knot_rdata_t *) +- (eh->data + KR_CACHE_RR_COUNT_SIZE); ++ /* Technical complication: memcpy is safe for unaligned case (on non-x86) */ ++ __typeof__(((knot_rdata_t *)NULL)->len) next_len; ++ const uint8_t *next_data; ++ { /* next points to knot_rdata_t but possibly unaligned */ ++ const uint8_t *next = eh->data + KR_CACHE_RR_COUNT_SIZE; ++ memcpy(&next_len, next + offsetof(knot_rdata_t, len), sizeof(next_len)); ++ next_data = next + offsetof(knot_rdata_t, data); ++ } + if (KR_CACHE_RR_COUNT_SIZE != 2 || get_uint16(eh->data) == 0) { + assert(false); + return "ERROR"; +@@ -220,8 +226,8 @@ static const char * find_leq_NSEC1(struct kr_cache *cache, const struct kr_query + /* Lower-case chs; see also RFC 6840 5.1. + * LATER(optim.): we do lots of copying etc. */ + knot_dname_t lower_buf[KNOT_DNAME_MAXLEN]; +- ret = knot_dname_to_wire(lower_buf, next->data, +- MIN(next->len, KNOT_DNAME_MAXLEN)); ++ ret = knot_dname_to_wire(lower_buf, next_data, ++ MIN(next_len, KNOT_DNAME_MAXLEN)); + if (ret < 0) { /* _ESPACE */ + return "range search found record with incorrect contents"; + } +diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c +index 94342cfb..8fa8010e 100644 +--- a/lib/layer/iterate.c ++++ b/lib/layer/iterate.c +@@ -132,7 +132,9 @@ static bool is_valid_addr(const uint8_t *addr, size_t len) + { + if (len == sizeof(struct in_addr)) { + /* Filter ANY and 127.0.0.0/8 */ +- uint32_t ip_host = ntohl(*(const uint32_t *)(addr)); ++ uint32_t ip_host; /* Memcpy is safe for unaligned case (on non-x86) */ ++ memcpy(&ip_host, addr, sizeof(ip_host)); ++ ip_host = ntohl(ip_host); + if (ip_host == 0 || (ip_host & 0xff000000) == 0x7f000000) { + return false; + } +diff --git a/lib/selection.c b/lib/selection.c +index 56530cba..4b516bb8 100644 +--- a/lib/selection.c ++++ b/lib/selection.c +@@ -155,8 +155,8 @@ struct rtt_state get_rtt_state(const uint8_t *ip, size_t len, + } else if (value.len != sizeof(struct rtt_state)) { + assert(false); // shouldn't happen but let's be more robust + state = default_rtt_state; +- } else { +- state = *(struct rtt_state *)value.data; ++ } else { // memcpy is safe for unaligned case (on non-x86) ++ memcpy(&state, value.data, sizeof(state)); + } + + free(key.data); +-- +2.31.0 + diff -Nru knot-resolver-5.2.1/debian/patches/series knot-resolver-5.3.1/debian/patches/series --- knot-resolver-5.2.1/debian/patches/series 2020-12-14 10:42:51.000000000 +0000 +++ knot-resolver-5.3.1/debian/patches/series 2021-04-12 05:59:28.000000000 +0000 @@ -0,0 +1 @@ +0001-treewide-fix-unaligned-access.patch diff -Nru knot-resolver-5.2.1/debian/po/pt.po knot-resolver-5.3.1/debian/po/pt.po --- knot-resolver-5.2.1/debian/po/pt.po 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/debian/po/pt.po 2021-04-08 19:03:16.000000000 +0000 @@ -0,0 +1,71 @@ +# Translation of knot-resolver debconf messages to European Portuguese +# Copyright (C) 2021 THE knot-resolver'S COPYRIGHT HOLDER +# This file is distributed under the same license as the knot-resolver package. +# +# Américo Monteiro , 2021. +msgid "" +msgstr "" +"Project-Id-Version: knot-resolver_5.2.1-1\n" +"Report-Msgid-Bugs-To: knot-resolver@packages.debian.org\n" +"POT-Creation-Date: 2020-09-14 11:52+0200\n" +"PO-Revision-Date: 2021-02-08 21:59+0000\n" +"Last-Translator: Américo Monteiro \n" +"Language-Team: Portuguese <>\n" +"Language: pt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Lokalize 2.0\n" + +#. Type: note +#. Description +#: ../knot-resolver.templates:1001 +msgid "Upgrading from Knot Resolver < 5.x" +msgstr "Actualizar a partir de Knot Resolver < 5.x" + +#. Type: note +#. Description +#: ../knot-resolver.templates:1001 +msgid "Knot Resolver configuration file requires manual upgrade." +msgstr "" +"O ficheiro de configuração do Knot Resolver requer actualização manual." + +#. Type: note +#. Description +#: ../knot-resolver.templates:1001 +msgid "" +"Up to Knot Resolver 4.x, network interface bindings and service start were " +"done by default via systemd sockets. These systemd sockets are no longer " +"supported, and upgrading from a 3.x version (as in Debian Buster) requires " +"manual action to (re)enable the service." +msgstr "" +"Até ao Knot Resolver 4.x, as uniões de interface de rede e o arranque do " +"serviço eram feitos por predefinição via sockets do systemd. Estes sockets " +"do systemd não são mais suportados, e actualizar a partir de uma versão 3.x " +"(como em Debian Buster) requer acção manual para (re)activar o serviço." + +#. Type: note +#. Description +#: ../knot-resolver.templates:1001 +msgid "" +"Please refer to kresd.systemd(7) and to the /usr/share/doc/knot-resolver/" +"upgrading.html file (from knot-resolver-doc). An online version of the " +"latter is available at https://knot-resolver.readthedocs.io/en/stable/" +"upgrading.html#x-to-5-x" +msgstr "" +"Por favor consulte kresd.systemd(7) e o ficheiro /usr/share/doc/knot-resolver/" +"upgrading.html (de knot-resolver-doc). Está disponível uma versão online " +"mais recente em https://knot-resolver.readthedocs.io/en/stable/" +"upgrading.html#x-to-5-x" + +#. Type: note +#. Description +#: ../knot-resolver.templates:1001 +msgid "" +"For convenience, a suggested networking configuration can be found in the " +"file /var/lib/knot-resolver/.upgrade-4-to-5/kresd.conf.net" +msgstr "" +"Para conveniência, pode ser encontrada uma configuração de rede sugerida " +"no ficheiro /var/lib/knot-resolver/.upgrade-4-to-5/kresd.conf.net" + diff -Nru knot-resolver-5.2.1/distro/deb/changelog knot-resolver-5.3.1/distro/deb/changelog --- knot-resolver-5.2.1/distro/deb/changelog 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/distro/deb/changelog 2021-03-31 15:15:36.000000000 +0000 @@ -1,4 +1,4 @@ -knot-resolver (__VERSION__-1) unstable; urgency=medium +knot-resolver (__VERSION__-cznic.1) unstable; urgency=medium * move changelog to OBS * see NEWS or https://knot-resolver.cz diff -Nru knot-resolver-5.2.1/distro/deb/control knot-resolver-5.3.1/distro/deb/control --- knot-resolver-5.2.1/distro/deb/control 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/distro/deb/control 2021-03-31 15:15:36.000000000 +0000 @@ -8,18 +8,21 @@ debhelper (>= 9~), libcmocka-dev (>= 1.0.0), libedit-dev, + libfstrm-dev, libgnutls28-dev, - libknot-dev (>= 2.8), + libknot-dev (>= 2.9), liblmdb-dev, libluajit-5.1-dev, libnghttp2-dev, + libprotobuf-c-dev, libsystemd-dev (>= 227) [linux-any], libcap-ng-dev, libuv1-dev, luajit, pkg-config, - meson (>= 0.46), + meson (>= 0.49), doxygen, + protobuf-c-compiler, python3-breathe, python3-sphinx, python3-sphinx-rtd-theme, @@ -74,6 +77,26 @@ This package provides the debug symbols for Knot Resolver needed for properly debugging errors in Knot Resolver with gdb. +Package: knot-resolver-module-dnstap +Architecture: any +Multi-Arch: same +Depends: + knot-resolver (= ${binary:Version}), + libfstrm0, + libprotobuf-c1, + ${misc:Depends}, + ${shlibs:Depends}, +Description: dnstap module for Knot Resolver + The Knot Resolver is a caching full resolver implementation + written in C and LuaJIT, including both a resolver library and a + daemon. Modular architecture of the library keeps the core tiny and + efficient, and provides a state-machine like API for + extensions. There are three built-in modules - iterator, cache, + validator, and many external. + . + This package contains dnstap module for logging DNS responses + to a unix socket in dnstap format. + Package: knot-resolver-module-http Architecture: all Depends: diff -Nru knot-resolver-5.2.1/distro/deb/knot-resolver.install knot-resolver-5.3.1/distro/deb/knot-resolver.install --- knot-resolver-5.2.1/distro/deb/knot-resolver.install 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/distro/deb/knot-resolver.install 2021-03-31 15:15:36.000000000 +0000 @@ -6,7 +6,12 @@ usr/lib/tmpfiles.d/knot-resolver.conf usr/lib/knot-resolver/*.so usr/lib/knot-resolver/*.lua -usr/lib/knot-resolver/kres_modules/*.so +usr/lib/knot-resolver/kres_modules/bogus_log.so +usr/lib/knot-resolver/kres_modules/edns_keepalive.so +usr/lib/knot-resolver/kres_modules/hints.so +usr/lib/knot-resolver/kres_modules/nsid.so +usr/lib/knot-resolver/kres_modules/refuse_nord.so +usr/lib/knot-resolver/kres_modules/stats.so usr/lib/knot-resolver/kres_modules/daf.lua usr/lib/knot-resolver/kres_modules/daf/* usr/lib/knot-resolver/kres_modules/detect_time_jump.lua diff -Nru knot-resolver-5.2.1/distro/deb/knot-resolver-module-dnstap.install knot-resolver-5.3.1/distro/deb/knot-resolver-module-dnstap.install --- knot-resolver-5.2.1/distro/deb/knot-resolver-module-dnstap.install 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/distro/deb/knot-resolver-module-dnstap.install 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1 @@ +usr/lib/knot-resolver/kres_modules/dnstap.so diff -Nru knot-resolver-5.2.1/distro/deb/knot-resolver-module-http.postinst knot-resolver-5.3.1/distro/deb/knot-resolver-module-http.postinst --- knot-resolver-5.2.1/distro/deb/knot-resolver-module-http.postinst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/distro/deb/knot-resolver-module-http.postinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-3.0-or-later -set -e - -if [ "$1" = "configure" ]; then - systemctl daemon-reload || true -fi diff -Nru knot-resolver-5.2.1/distro/deb/rules knot-resolver-5.3.1/distro/deb/rules --- knot-resolver-5.2.1/distro/deb/rules 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/distro/deb/rules 2021-03-31 15:15:36.000000000 +0000 @@ -27,6 +27,7 @@ -Ddoc=enabled \ -Dsystemd_files=enabled \ -Dclient=enabled \ + -Ddnstap=enabled \ -Dkeyfile_default=/usr/share/dns/root.key \ -Droot_hints=/usr/share/dns/root.hints \ -Dinstall_kresd_conf=enabled \ diff -Nru knot-resolver-5.2.1/distro/rpm/knot-resolver.spec knot-resolver-5.3.1/distro/rpm/knot-resolver.spec --- knot-resolver-5.2.1/distro/rpm/knot-resolver.spec 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/distro/rpm/knot-resolver.spec 2021-03-31 15:15:36.000000000 +0000 @@ -10,7 +10,7 @@ Name: knot-resolver Version: %{VERSION} -Release: 1%{?dist} +Release: cznic.1%{?dist} Summary: Caching full DNS Resolver License: GPL-3.0-or-later @@ -42,9 +42,9 @@ BuildRequires: pkgconfig(cmocka) BuildRequires: pkgconfig(gnutls) BuildRequires: pkgconfig(libedit) -BuildRequires: pkgconfig(libknot) >= 2.8 -BuildRequires: pkgconfig(libzscanner) >= 2.8 -BuildRequires: pkgconfig(libdnssec) >= 2.8 +BuildRequires: pkgconfig(libknot) >= 2.9 +BuildRequires: pkgconfig(libzscanner) >= 2.9 +BuildRequires: pkgconfig(libdnssec) >= 2.9 BuildRequires: pkgconfig(libnghttp2) BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libcap-ng) @@ -54,6 +54,13 @@ Requires: systemd Requires(post): systemd +# dnstap module dependencies +# SUSE is missing protoc-c protobuf compiler +%if "x%{?suse_version}" == "x" +BuildRequires: pkgconfig(libfstrm) +BuildRequires: pkgconfig(libprotobuf-c) +%endif + # Distro-dependent dependencies %if 0%{?rhel} == 7 BuildRequires: lmdb-devel @@ -124,6 +131,17 @@ %endif %if "x%{?suse_version}" == "x" +%package module-dnstap +Summary: dnstap module for Knot Resolver +Requires: %{name} = %{version}-%{release} + +%description module-dnstap +dnstap module for Knot Resolver supports logging DNS responses to a unix socket +in dnstap format using fstrm framing library. This logging is useful if you +need effectivelly log all DNS traffic. +%endif + +%if "x%{?suse_version}" == "x" %package module-http Summary: HTTP module for Knot Resolver Requires: %{name} = %{version}-%{release} @@ -158,6 +176,9 @@ %endif -Dsystemd_files=enabled \ -Dclient=enabled \ +%if "x%{?suse_version}" == "x" + -Ddnstap=enabled \ +%endif -Dunit_tests=enabled \ -Dmanaged_ta=enabled \ -Dkeyfile_default="%{_sharedstatedir}/knot-resolver/root.keys" \ @@ -299,7 +320,12 @@ %{_libdir}/knot-resolver/*.so %{_libdir}/knot-resolver/*.lua %dir %{_libdir}/knot-resolver/kres_modules -%{_libdir}/knot-resolver/kres_modules/*.so +%{_libdir}/knot-resolver/kres_modules/bogus_log.so +%{_libdir}/knot-resolver/kres_modules/edns_keepalive.so +%{_libdir}/knot-resolver/kres_modules/hints.so +%{_libdir}/knot-resolver/kres_modules/nsid.so +%{_libdir}/knot-resolver/kres_modules/refuse_nord.so +%{_libdir}/knot-resolver/kres_modules/stats.so %{_libdir}/knot-resolver/kres_modules/daf %{_libdir}/knot-resolver/kres_modules/daf.lua %{_libdir}/knot-resolver/kres_modules/detect_time_jump.lua @@ -339,6 +365,11 @@ %endif %if "x%{?suse_version}" == "x" +%files module-dnstap +%{_libdir}/knot-resolver/kres_modules/dnstap.so +%endif + +%if "x%{?suse_version}" == "x" %files module-http %{_libdir}/knot-resolver/debug_opensslkeylog.so %{_libdir}/knot-resolver/kres_modules/http diff -Nru knot-resolver-5.2.1/distro/tests/ansible-roles/knot_resolver/tasks/configure_dnstap.yaml knot-resolver-5.3.1/distro/tests/ansible-roles/knot_resolver/tasks/configure_dnstap.yaml --- knot-resolver-5.2.1/distro/tests/ansible-roles/knot_resolver/tasks/configure_dnstap.yaml 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/distro/tests/ansible-roles/knot_resolver/tasks/configure_dnstap.yaml 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,10 @@ +--- +# SPDX-License-Identifier: GPL-3.0-or-later +- name: dnstap_config set up kresd.conf + blockinfile: + marker: -- {mark} ANSIBLE MANAGED BLOCK + block: | + modules.load('dnstap') + assert(dnstap) + path: /etc/knot-resolver/kresd.conf + insertbefore: BOF diff -Nru knot-resolver-5.2.1/distro/tests/ansible-roles/knot_resolver/tasks/main.yaml knot-resolver-5.3.1/distro/tests/ansible-roles/knot_resolver/tasks/main.yaml --- knot-resolver-5.2.1/distro/tests/ansible-roles/knot_resolver/tasks/main.yaml 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/distro/tests/ansible-roles/knot_resolver/tasks/main.yaml 2021-03-31 15:15:36.000000000 +0000 @@ -46,6 +46,16 @@ - include: test_doh.yaml when: distro in ["Fedora", "Debian", "CentOS"] or (distro == "Ubuntu" and ansible_distribution_major_version|int >= 18) + - name: Test dnstap module + block: + - name: Install knot-resolver-module-dnstap + package: + name: knot-resolver-module-dnstap + state: latest + - include: configure_dnstap.yaml + - include: restart_kresd.yaml + when: distro in ["Fedora", "Debian", "CentOS", "Ubuntu"] + always: - name: Get installed package version diff -Nru knot-resolver-5.2.1/doc/build.rst knot-resolver-5.3.1/doc/build.rst --- knot-resolver-5.2.1/doc/build.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/build.rst 2021-03-31 15:15:36.000000000 +0000 @@ -30,10 +30,10 @@ :header: "Requirement", "Notes" "ninja", "*build only*" - "meson >= 0.46", "*build only* [#]_" + "meson >= 0.49", "*build only* [#]_" "C and C++ compiler", "*build only* [#]_" "`pkg-config`_", "*build only* [#]_" - "libknot_ 2.8+", "Knot DNS libraries" + "libknot_ 2.9+", "Knot DNS libraries" "LuaJIT_ 2.0+", "Embedded scripting language" "libuv_ 1.7+", "Multiplatform I/O and services" "lmdb", "Memory-mapped database for cache" @@ -64,7 +64,7 @@ "`clang-tidy`_", "``lint-c``", "Syntax and static analysis checker for C." "luacov_", "``check-config``", "Code coverage analysis for Lua modules." -.. [#] If ``meson >= 0.46`` isn't available for your distro, check backports +.. [#] If ``meson >= 0.49`` isn't available for your distro, check backports repository or use python pip to install it. .. [#] Requires ``__attribute__((cleanup))`` and ``-MMD -MP`` for dependency file generation. We test GCC and Clang, and ICC is likely to work as well. diff -Nru knot-resolver-5.2.1/doc/config-answer-reordering.rst knot-resolver-5.3.1/doc/config-answer-reordering.rst --- knot-resolver-5.2.1/doc/config-answer-reordering.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/config-answer-reordering.rst 2021-03-31 15:15:36.000000000 +0000 @@ -13,5 +13,5 @@ :return: The (new) value of the option If set, resolver will vary the order of resource records within RR sets. - It is disabled by default. + It is enabled by default since 5.3.0. diff -Nru knot-resolver-5.2.1/doc/config-network-forwarding.rst knot-resolver-5.3.1/doc/config-network-forwarding.rst --- knot-resolver-5.2.1/doc/config-network-forwarding.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/config-network-forwarding.rst 2021-03-31 15:15:36.000000000 +0000 @@ -8,13 +8,13 @@ Main use-cases are: - Building a tree structure of DNS resolvers to improve performance (by improving cache hit rate). - - Accessing domains which are not available using recursion (e.g. if internal company servers return different anusers than public ones). + - Accessing domains which are not available using recursion (e.g. if internal company servers return different answers than public ones). - Forwarding through a central DNS traffic filter. Forwarding implementation in Knot Resolver has following properties: - Answers from *upstream* servers are cached. - - Answers from *upstream* servers are locally DNSSEC-validated, unless ``policy.STUB`` is used. + - Answers from *upstream* servers are locally DNSSEC-validated, unless :func:`policy.STUB` is used. - Resolver automatically selects which IP address from given set of IP addresses will be used (based on performance characteristics). - Forwarding can use either unencrypted DNS protocol, or :ref:`tls-forwarding`. diff -Nru knot-resolver-5.2.1/doc/daemon-bindings-net_client.rst knot-resolver-5.3.1/doc/daemon-bindings-net_client.rst --- knot-resolver-5.2.1/doc/daemon-bindings-net_client.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/daemon-bindings-net_client.rst 2021-03-31 15:15:36.000000000 +0000 @@ -8,7 +8,7 @@ IPv4 and IPv6 protocols are used by default. For performance reasons it is recommended to explicitly disable protocols which are not available -on your system. +on your system, though the impact of IPv6 outage is lowered since release 5.3.0. .. envvar:: net.ipv4 = true|false diff -Nru knot-resolver-5.2.1/doc/lib.rst knot-resolver-5.3.1/doc/lib.rst --- knot-resolver-5.2.1/doc/lib.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/lib.rst 2021-03-31 15:15:36.000000000 +0000 @@ -33,12 +33,15 @@ .. doxygenfile:: cache/api.h :project: libkres +.. doxygenfile:: cache/impl.h + :project: libkres + .. _lib_api_nameservers: Nameservers ----------- -.. doxygenfile:: nsrep.h +.. doxygenfile:: selection.h :project: libkres .. doxygenfile:: zonecut.h :project: libkres diff -Nru knot-resolver-5.2.1/doc/modules-daf.rst knot-resolver-5.3.1/doc/modules-daf.rst --- knot-resolver-5.2.1/doc/modules-daf.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-daf.rst 2021-03-31 15:15:36.000000000 +0000 @@ -55,6 +55,9 @@ -- Delete a rule daf.del(2) + -- Delete all rules and start from scratch + daf.clear() + .. warning:: Only the first matching rule's action is executed. Defining additional actions for the same matching rule, e.g. ``src = 127.0.0.1/8``, will have no effect. diff -Nru knot-resolver-5.2.1/doc/modules-dns64.rst knot-resolver-5.3.1/doc/modules-dns64.rst --- knot-resolver-5.2.1/doc/modules-dns64.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-dns64.rst 2021-03-31 15:15:36.000000000 +0000 @@ -8,7 +8,7 @@ The module for :rfc:`6147` DNS64 AAAA-from-A record synthesis, it is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written `introduction`_ in the PowerDNS documentation. If no address is passed (i.e. ``nil``), the well-known prefix ``64:ff9b::`` is used. -.. warning:: The module currently won't work well with :ref:`policy.STUB `. +.. warning:: The module currently won't work well with :func:`policy.STUB`. Also, the IPv6 passed in configuration is assumed to be ``/96``, and PTR synthesis and "exclusion prefixes" aren't implemented. diff -Nru knot-resolver-5.2.1/doc/modules-dnstap.rst knot-resolver-5.3.1/doc/modules-dnstap.rst --- knot-resolver-5.2.1/doc/modules-dnstap.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-dnstap.rst 2021-03-31 15:15:36.000000000 +0000 @@ -5,22 +5,30 @@ Dnstap (traffic collection) =========================== -The ``dnstap`` module supports logging DNS responses to a unix socket -in `dnstap format `_ using fstrm framing library. +The ``dnstap`` module supports logging DNS requests and responses to a unix +socket in `dnstap format `_ using fstrm framing library. This logging is useful if you need effectivelly log all DNS traffic. The unix socket and the socket reader must be present before starting resolver instances. Tunables: -* ``socket_path``: the the unix socket file where dnstap messages will be sent -* ``log_responses``: if ``true`` responses in wire format will be logged +* ``socket_path``: the unix socket file where dnstap messages will be sent +* ``identity``: identity string as typically returned by an "NSID" (RFC 5001) query, empty by default +* ``version``: version string of the resolver, defaulting to "Knot Resolver major.minor.patch" +* ``client.log_queries``: if ``true`` queries from downstream in wire format will be logged +* ``client.log_responses``: if ``true`` responses to downstream in wire format will be logged .. code-block:: lua modules = { dnstap = { socket_path = "/tmp/dnstap.sock", - log_responses = true + identity = nsid.name() or "", + version = "My Custom Knot Resolver " .. package_version(), + client = { + log_queries = true, + log_responses = true, + }, } } diff -Nru knot-resolver-5.2.1/doc/modules-hints.rst knot-resolver-5.3.1/doc/modules-hints.rst --- knot-resolver-5.2.1/doc/modules-hints.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-hints.rst 2021-03-31 15:15:36.000000000 +0000 @@ -33,7 +33,7 @@ hints['foo.bar'] = '127.0.0.1' .. note:: The :ref:`policy ` module applies before hints, meaning e.g. that hints for special names (:rfc:`6761#section-6`) like ``localhost`` or ``test`` will get shadowed by policy rules by default. - That can be worked around e.g. by explicit ``policy.PASS`` action. + That can be worked around e.g. by explicit :any:`policy.PASS` action. Properties ---------- diff -Nru knot-resolver-5.2.1/doc/modules-policy.rst knot-resolver-5.3.1/doc/modules-policy.rst --- knot-resolver-5.2.1/doc/modules-policy.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-policy.rst 2021-03-31 15:15:36.000000000 +0000 @@ -13,11 +13,11 @@ Each policy *rule* has two parts: a *filter* and an *action*. A *filter* selects which queries will be affected by the policy, and *action* which modifies queries matching the associated filter. -Typically a rule is defined as follows: ``filter(action(action parameters), filter parameters)``. For example, a filter can be ``suffix`` which matches queries whose suffix part is in specified set, and one of possible actions is ``DENY``, which denies resolution. These are combined together into ``policy.suffix(policy.DENY, {todname('badguy.example.')})``. The rule is effective when it is added into rule table using ``policy.add()``, please see examples below. +Typically a rule is defined as follows: ``filter(action(action parameters), filter parameters)``. For example, a filter can be ``suffix`` which matches queries whose suffix part is in specified set, and one of possible actions is :any:`policy.DENY`, which denies resolution. These are combined together into ``policy.suffix(policy.DENY, {todname('badguy.example.')})``. The rule is effective when it is added into rule table using ``policy.add()``, please see examples below. This module is enabled by default because it implements mandatory :rfc:`6761` logic. When no rule applies to a query, built-in rules for `special-use `_ and `locally-served `_ domain names are applied. -These rules can be overriden by action :func:`policy.PASS`. For debugging purposes you can also add ``modules.unload('policy')`` to your config to unload the module. +These rules can be overriden by action :any:`policy.PASS`. For debugging purposes you can also add ``modules.unload('policy')`` to your config to unload the module. Filters @@ -80,7 +80,7 @@ end This custom filter can be used as any other built-in filter. -For example this applies our custom filter and executes action :func:`policy.DENY` on all queries of type `HINFO`: +For example this applies our custom filter and executes action :any:`policy.DENY` on all queries of type `HINFO`: .. code-block:: lua @@ -221,7 +221,7 @@ .. py:data:: DEBUG_CACHE_MISS - Enable extra verbose logging but print logs only for requests which required information which was not available locally (i.e. requests which forced resolver to communicate over network). Intended usage is for debugging problems with remote servers. This action typically produces less logs than :func:`policy.DEBUG_ALWAYS` but all caveats from :func:`policy.DEBUG_IF` apply as well. + Enable extra verbose logging but print logs only for requests which required information which was not available locally (i.e. requests which forced resolver to communicate over network). Intended usage is for debugging problems with remote servers. This action typically produces less logs than :any:`policy.DEBUG_ALWAYS` but all caveats from :func:`policy.DEBUG_IF` apply as well. .. code-block:: lua @@ -302,7 +302,7 @@ .. function:: FORWARD(ip_address) FORWARD({ ip_address, [ip_address, ...] }) - Forward cache-miss queries to specified IP addresses via DNS-over-UDP, DNSSEC validate received answers and cache them. Target IP addresses are expected to be DNS resolvers. + Forward cache-miss queries to specified IP addresses (without encryption), DNSSEC validate received answers and cache them. Target IP addresses are expected to be DNS resolvers. .. code-block:: lua @@ -320,7 +320,7 @@ Similar to :func:`policy.FORWARD` but *without* attempting DNSSEC validation. Each request may be either answered from cache or simply sent to one of the IPs with proxying back the answer. - This mode supports only DNS-over-UDP and should be used only for `Replacing part of the DNS tree`_. + This mode does not support encryption and should be used only for `Replacing part of the DNS tree`_. Use :func:`policy.FORWARD` mode if possible. .. code-block:: lua @@ -332,13 +332,18 @@ policy.STUB('192.0.2.1@5353'), {todname('1.168.192.in-addr.arpa')})) +.. note:: Forwarding targets must support + `EDNS `_ and + `0x20 randomization `_. + + .. _tls-forwarding: Forwarding over TLS protocol (DNS-over-TLS) ------------------------------------------- .. function:: TLS_FORWARD( { {ip_address, authentication}, [...] } ) - Same as :func:`FORWARD` but send query over DNS-over-TLS protocol (encrypted). + Same as :func:`policy.FORWARD` but send query over DNS-over-TLS protocol (encrypted). Each target IP address needs explicit configuration how to validate TLS certificate so each IP address is configured by pair: ``{ip_address, authentication}``. See sections below for more details. @@ -346,7 +351,7 @@ Policy :func:`policy.TLS_FORWARD` allows you to forward queries using `Transport Layer Security`_ protocol, which hides the content of your queries from an attacker observing the network traffic. Further details about this protocol can be found in :rfc:`7858` and `IETF draft dprive-dtls-and-tls-profiles`_. -Queries affected by `TLS_FORWARD` policy will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail. +Queries affected by :func:`policy.TLS_FORWARD` will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail. To test this feature you need to either :ref:`configure Knot Resolver as DNS-over-TLS server `, or pick some public DNS-over-TLS server. Please see `DNS Privacy Project`_ homepage for list of public servers. @@ -532,7 +537,7 @@ 'internal.example.com.', '2.0.192.in-addr.arpa.' -- this applies to reverse DNS tree as well }) - -- Beware: the rule order is important, as STUB is not a chain action. + -- Beware: the rule order is important, as policy.STUB is not a chain action. policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees)) policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees)) @@ -567,20 +572,20 @@ .. csv-table:: :header: "RPZ Right Hand Side", "Knot Resolver Action", "BIND Compatibility" - "``.``", "``action`` is used", "compatible if ``action`` is :func:`policy.DENY`" + "``.``", "``action`` is used", "compatible if ``action`` is :any:`policy.DENY`" "``*.``", ":func:`policy.ANSWER`", "yes" - "``rpz-passthru.``", ":func:`policy.PASS`", "yes" - "``rpz-tcp-only.``", ":func:`policy.TC`", "yes" - "``rpz-drop.``", ":func:`policy.DROP`", "no [#]_" + "``rpz-passthru.``", ":any:`policy.PASS`", "yes" + "``rpz-tcp-only.``", ":any:`policy.TC`", "yes" + "``rpz-drop.``", ":any:`policy.DROP`", "no [#]_" "fake A/AAAA", ":func:`policy.ANSWER`", "yes" "fake CNAME", "not supported", "no" - .. [#] Our :func:`policy.DROP` returns *SERVFAIL* answer (for historical reasons). + .. [#] Our :any:`policy.DROP` returns *SERVFAIL* answer (for historical reasons). .. function:: rpz(action, path, [watch = true]) - :param action: the default action for match in the zone; typically you want :func:`policy.DENY` + :param action: the default action for match in the zone; typically you want :any:`policy.DENY` :param path: path to zone file :param watch: boolean, if true, the file will be reloaded on file change diff -Nru knot-resolver-5.2.1/doc/modules-predict.rst knot-resolver-5.3.1/doc/modules-predict.rst --- knot-resolver-5.2.1/doc/modules-predict.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-predict.rst 2021-03-31 15:15:36.000000000 +0000 @@ -5,12 +5,32 @@ Prefetching records =================== -The module refreshes records that are about to expire when they're used (having less than 1% of original TTL). -This improves latency for frequently used records, as they are fetched in advance. +The ``predict`` module helps to keep the cache hot by prefetching records. +It can utilize two independent mechanisms to select the records which should be refreshed: +expiring records and prediction. -It is also able to learn usage patterns and repetitive queries that the server makes. For example, if -it makes a query every day at 18:00, the resolver expects that it is needed by that time and prefetches it -ahead of time. This is helpful to minimize the perceived latency and keeps the cache hot. +Expiring records +---------------- + +This mechanism is always active when the predict module is loaded and it is not configurable. + +Any time the resolver answers with records that are about to expire, +they get refreshed. (see :c:func:`is_expiring`) +That improves latency for records which get frequently queried, relatively to their TTL. + +Prediction +---------- + +The predict module can also learn usage patterns and repetitive queries, +though this mechanism is basically a prototype. + +For example, if it makes a query every day at 18:00, +the resolver expects that it is needed by that time and prefetches it ahead of time. +This is helpful to minimize the perceived latency and keeps the cache hot. + +You can disable prediction by configuring ``period = 0``. +Otherwise it will load the required :ref:`stats ` module if not present, +and it will use its :func:`stats.frequent` table and clear it periodically. .. tip:: The tracking window and period length determine memory requirements. If you have a server with relatively fast query turnover, keep the period low (hour for start) and shorter tracking window (5 minutes). For personal slower resolver, keep the tracking window longer (i.e. 30 minutes) and period longer (a day), as the habitual queries occur daily. Experiment to get the best results. @@ -26,12 +46,7 @@ } } -Defaults are 15 minutes window, 6 hours period. - -.. tip:: Use period 0 to turn off prediction and just do prefetching of expiring records. - That works even without the :ref:`stats ` module. - -.. note:: Otherwise this module requires :ref:`stats ` module and loads it if not present. +Defaults are as above: 15 minutes window, 6 hours period. Exported metrics ---------------- diff -Nru knot-resolver-5.2.1/doc/modules-prefill.rst knot-resolver-5.3.1/doc/modules-prefill.rst --- knot-resolver-5.2.1/doc/modules-prefill.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-prefill.rst 2021-03-31 15:15:36.000000000 +0000 @@ -13,14 +13,14 @@ .. code-block:: lua - modules.load('prefill') - prefill.config({ - ['.'] = { - url = 'https://www.internic.net/domain/root.zone', - interval = 86400 -- seconds - ca_file = '/etc/pki/tls/certs/ca-bundle.crt', -- optional - } - }) + modules.load('prefill') + prefill.config({ + ['.'] = { + url = 'https://www.internic.net/domain/root.zone', + interval = 86400, -- seconds + ca_file = '/etc/pki/tls/certs/ca-bundle.crt', -- optional + } + }) This configuration downloads the zone file from URL `https://www.internic.net/domain/root.zone` and imports it into the cache every 86400 seconds (1 day). The HTTPS connection is authenticated using a CA certificate from file `/etc/pki/tls/certs/ca-bundle.crt` and signed zone content is validated using DNSSEC. diff -Nru knot-resolver-5.2.1/doc/modules-stats.rst knot-resolver-5.3.1/doc/modules-stats.rst --- knot-resolver-5.2.1/doc/modules-stats.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-stats.rst 2021-03-31 15:15:36.000000000 +0000 @@ -173,13 +173,19 @@ Return nominal value of given metric. -.. function:: stats.set(key, val) - - :param string key: i.e. ``"answer.total"`` - :param number val: i.e. ``5`` +.. function:: stats.set('key val') Set nominal value of given metric. +Example: + +.. code-block:: lua + + stats.set('answer.total 5') + -- or syntactic sugar + stats['answer.total'] = 5 + + .. function:: stats.list([prefix]) :param string prefix: optional metric prefix, i.e. ``"answer"`` shows only metrics beginning with "answer" diff -Nru knot-resolver-5.2.1/doc/modules-view.rst knot-resolver-5.3.1/doc/modules-view.rst --- knot-resolver-5.2.1/doc/modules-view.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/modules-view.rst 2021-03-31 15:15:36.000000000 +0000 @@ -52,7 +52,7 @@ view:addr('192.168.1.0/24', policy.rpz(policy.PASS, 'whitelist.rpz')) -- Do not try this - it will pollute cache and surprise you! -- view:addr('10.0.0.0/8', policy.all(policy.FORWARD('2001:DB8::1'))) - -- Drop everything that hasn't matched + -- Drop all IPv4 that hasn't matched view:addr('0.0.0.0/0', policy.all(policy.DROP)) Rule order @@ -75,15 +75,15 @@ .. function:: view:addr(subnet, rule) - :param subnet: client subnet, i.e. ``10.0.0.1`` - :param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` + :param subnet: client subnet, e.g. ``10.0.0.1`` + :param rule: added rule, e.g. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` Apply rule to clients in given subnet. .. function:: view:tsig(key, rule) - :param key: client TSIG key domain name, i.e. ``\5mykey`` - :param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` + :param key: client TSIG key domain name, e.g. ``\5mykey`` + :param rule: added rule, e.g. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` Apply rule to clients with given TSIG key. diff -Nru knot-resolver-5.2.1/doc/quickstart-install.rst knot-resolver-5.3.1/doc/quickstart-install.rst --- knot-resolver-5.2.1/doc/quickstart-install.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/quickstart-install.rst 2021-03-31 15:15:36.000000000 +0000 @@ -65,12 +65,10 @@ **Arch Linux** -Use -`knot-resolver `_ -package from AUR_. +.. code-block:: bash + + $ sudo pacman -S knot-resolver **openSUSE Leap / Tumbleweed** Add the `OBS `_ package repository `home:CZ-NIC:knot-resolver-latest `_ to your system. - -.. _AUR: https://wiki.archlinux.org/index.php/Arch_User_Repository diff -Nru knot-resolver-5.2.1/doc/upgrading.rst knot-resolver-5.3.1/doc/upgrading.rst --- knot-resolver-5.2.1/doc/upgrading.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/doc/upgrading.rst 2021-03-31 15:15:36.000000000 +0000 @@ -30,6 +30,19 @@ .. _`supervisord`: http://supervisord.org/ +5.2 to 5.3 +========== + +Configuration file +------------------ + +* Module ``dnstap``: option ``log_responses`` has been moved inside a new ``client`` section. Refer to the configuration example in :ref:`mod-dnstap`. + +Packagers & Developers +---------------------- + +* Knot DNS >= 2.9 is required. + 5.1 to 5.2 ========== diff -Nru knot-resolver-5.2.1/Dockerfile knot-resolver-5.3.1/Dockerfile --- knot-resolver-5.2.1/Dockerfile 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/Dockerfile 2021-03-31 15:15:36.000000000 +0000 @@ -8,7 +8,7 @@ libgnutls28-dev libprotobuf-dev libprotobuf-c-dev libfstrm-dev ENV KNOT_RESOLVER_BUILD_DEPS build-essential pkg-config bsdmainutils liblmdb-dev \ libluajit-5.1-dev libuv1-dev libprotobuf-dev libprotobuf-c-dev \ - libfstrm-dev luajit lua-http libssl-dev libnghttp2-dev + libfstrm-dev luajit lua-http libssl-dev libnghttp2-dev protobuf-c-compiler ENV BUILDENV_DEPS ${KNOT_DNS_BUILD_DEPS} ${KNOT_RESOLVER_BUILD_DEPS} RUN echo "deb http://deb.debian.org/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list RUN apt-get update -qq && \ @@ -38,11 +38,12 @@ ENV KNOT_DNS_RUNTIME_DEPS libgnutls30 ENV KNOT_RESOLVER_RUNTIME_DEPS liblmdb0 luajit libluajit-5.1-2 libuv1 lua-http libnghttp2-14 ENV KNOT_RESOLVER_RUNTIME_DEPS_HTTP lua-http lua-mmdb -ENV KNOT_RESOLVER_RUNTIME_DEPS_EXTRA libfstrm0 lua-cqueues +ENV KNOT_RESOLVER_RUNTIME_DEPS_EXTRA lua-cqueues +ENV KNOT_RESOLVER_RUNTIME_DEPS_DNSTAP libfstrm0 libprotobuf-c1 ENV KNOT_RESOLVER_RUNTIME_DEPS_SSL ca-certificates ENV RUNTIME_DEPS ${KNOT_DNS_RUNTIME_DEPS} ${KNOT_RESOLVER_RUNTIME_DEPS} \ ${KNOT_RESOLVER_RUNTIME_DEPS_HTTP} ${KNOT_RESOLVER_RUNTIME_DEPS_EXTRA} \ - ${KNOT_RESOLVER_RUNTIME_DEPS_SSL} + ${KNOT_RESOLVER_RUNTIME_DEPS_SSL} ${KNOT_RESOLVER_RUNTIME_DEPS_DNSTAP} RUN apt-get update -qq && \ apt-get install -y -qqq ${RUNTIME_DEPS} && \ apt-get clean && \ diff -Nru knot-resolver-5.2.1/lib/cache/api.c knot-resolver-5.3.1/lib/cache/api.c --- knot-resolver-5.2.1/lib/cache/api.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/api.c 2021-03-31 15:15:36.000000000 +0000 @@ -23,6 +23,7 @@ #include "lib/cache/api.h" #include "lib/cache/cdb_lmdb.h" #include "lib/defines.h" +#include "lib/dnssec/nsec3.h" #include "lib/generic/trie.h" #include "lib/resolve.h" #include "lib/rplan.h" @@ -40,7 +41,7 @@ /** Cache version */ -static const uint16_t CACHE_VERSION = 5; +static const uint16_t CACHE_VERSION = 6; /** Key size */ #define KEY_HSIZE (sizeof(uint8_t) + sizeof(uint16_t)) #define KEY_SIZE (KEY_HSIZE + KNOT_DNAME_MAXLEN) @@ -514,6 +515,13 @@ } return kr_ok(); } + if (rr->type == KNOT_RRTYPE_NSEC3 && rr->rrs.count + && knot_nsec3_iters(rr->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) { + /* This shouldn't happen often, thanks to downgrades during validation. */ + VERBOSE_MSG(qry, "=> skipping NSEC3 with too many iterations\n"); + return kr_ok(); + } + assert(stash_rrset_precond(rr, qry) > 0); if (!cache) { assert(!EINVAL); diff -Nru knot-resolver-5.2.1/lib/cache/entry_rr.c knot-resolver-5.3.1/lib/cache/entry_rr.c --- knot-resolver-5.2.1/lib/cache/entry_rr.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/entry_rr.c 2021-03-31 15:15:36.000000000 +0000 @@ -24,9 +24,8 @@ memcpy(data, &rr_count, sizeof(rr_count)); data += sizeof(rr_count); if (rr_count) { - size_t size = knot_rdataset_size(rds); - memcpy(data, rds->rdata, size); - data += size; + memcpy(data, rds->rdata, rds->size); + data += rds->size; } //VERBOSE_MSG(NULL, "dematerialized to %d B\n", (int)(data - data0)); (void)data; @@ -45,12 +44,9 @@ const uint8_t *d = data; /* iterates over the cache data */ /* First sum up the sizes for wire format length. */ /* TODO: we might overrun here already, but we need to trust cache anyway...*/ - const uint32_t rds_size = rdataset_dematerialized_size(d, &rds->count); + rds->size = rdataset_dematerialized_size(d, &rds->count); d += KR_CACHE_RR_COUNT_SIZE; - #if KNOT_VERSION_HEX >= 0x020900 - rds->size = rds_size; - #endif - if (d + rds_size > data_bound) { + if (d + rds->size > data_bound) { VERBOSE_MSG(NULL, "materialize: EILSEQ!\n"); return kr_error(EILSEQ); } @@ -58,12 +54,12 @@ rds->rdata = NULL; return d - data; } - rds->rdata = mm_alloc(pool, rds_size); + rds->rdata = mm_alloc(pool, rds->size); if (!rds->rdata) { return kr_error(ENOMEM); } - memcpy(rds->rdata, d, rds_size); - d += rds_size; + memcpy(rds->rdata, d, rds->size); + d += rds->size; //VERBOSE_MSG(NULL, "materialized from %d B\n", (int)(d - data)); return d - data; } diff -Nru knot-resolver-5.2.1/lib/cache/impl.h knot-resolver-5.3.1/lib/cache/impl.h --- knot-resolver-5.2.1/lib/cache/impl.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/impl.h 2021-03-31 15:15:36.000000000 +0000 @@ -292,7 +292,7 @@ /** Compute size of serialized rdataset. NULL is accepted as empty set. */ static inline int rdataset_dematerialize_size(const knot_rdataset_t *rds) { - return KR_CACHE_RR_COUNT_SIZE + (rds == NULL ? 0 : knot_rdataset_size(rds)); + return KR_CACHE_RR_COUNT_SIZE + (rds == NULL ? 0 : rds->size); } /** Analyze the length of a dematerialized rdataset. diff -Nru knot-resolver-5.2.1/lib/cache/knot_pkt.c knot-resolver-5.3.1/lib/cache/knot_pkt.c --- knot-resolver-5.2.1/lib/cache/knot_pkt.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/knot_pkt.c 2021-03-31 15:15:36.000000000 +0000 @@ -48,11 +48,10 @@ } /* Allocate pkt->rr_info to be certain, but just leave it zeroed. */ mm_free(&pkt->mm, pkt->rr_info); - pkt->rr_info = mm_alloc(&pkt->mm, sizeof(pkt->rr_info[0]) * pkt->rrset_allocd); + pkt->rr_info = mm_calloc(&pkt->mm, pkt->rrset_allocd, sizeof(pkt->rr_info[0])); if (!pkt->rr_info) { return kr_error(ENOMEM); } - memset(pkt->rr_info, 0, sizeof(pkt->rr_info[0]) * pkt->rrset_allocd); return kr_ok(); } diff -Nru knot-resolver-5.2.1/lib/cache/nsec3.c knot-resolver-5.3.1/lib/cache/nsec3.c --- knot-resolver-5.2.1/lib/cache/nsec3.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/nsec3.c 2021-03-31 15:15:36.000000000 +0000 @@ -10,6 +10,7 @@ #include "contrib/base32hex.h" #include "lib/dnssec/nsec.h" +#include "lib/dnssec/nsec3.h" #include "lib/layer/iterate.h" #include @@ -88,6 +89,11 @@ .data = (uint8_t *)/*const-cast*/name, }; + if (nsec_p->libknot.iterations > KR_NSEC3_MAX_ITERATIONS) { + /* This is mainly defensive; it shouldn't happen thanks to downgrades. */ + assert(false); + return VAL_EMPTY; + } #if 0 // LATER(optim.): this requires a patched libdnssec - tries to realloc() dnssec_binary_t hash = { .size = KR_CACHE_KEY_MAXLEN - val.len, diff -Nru knot-resolver-5.2.1/lib/cache/overflow.test.integr/kresd_config.j2 knot-resolver-5.3.1/lib/cache/overflow.test.integr/kresd_config.j2 --- knot-resolver-5.2.1/lib/cache/overflow.test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/overflow.test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -5,6 +5,9 @@ trust_anchors.add_file('{{TAF}}') {% endfor %} +modules.load("hints") +hints.root({['{{ROOT_NAME}}'] = '{{ROOT_ADDR}}'}) + {% raw %} -- Disable RFC5011 TA update if ta_update then @@ -33,6 +36,18 @@ {% endraw %} +{% if DO_IP6 == "true" %} +net.ipv6 = true +{% else %} +net.ipv6 = false +{% endif %} + +{% if DO_IP4 == "true" %} +net.ipv4 = true +{% else %} +net.ipv4 = false +{% endif %} + -- both instances listen on both addresses -- so queries get distributed between them randomly net.listen('{{programs[0]["address"]}}') diff -Nru knot-resolver-5.2.1/lib/cache/overflow.test.integr/world_cz_lidovky_www.rpl knot-resolver-5.3.1/lib/cache/overflow.test.integr/world_cz_lidovky_www.rpl --- knot-resolver-5.2.1/lib/cache/overflow.test.integr/world_cz_lidovky_www.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/overflow.test.integr/world_cz_lidovky_www.rpl 1970-01-01 00:00:00.000000000 +0000 @@ -1,1114 +0,0 @@ -# -- SPDX-License-Identifier: GPL-3.0-or-later -stub-addr: 2001:dc3::35 -val-override-date: "20170228130000" -trust-anchor: ". 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" -CONFIG_END - -SCENARIO_BEGIN Real-world DNS tree with repeated queries. Intended use is to test background tasks specified in Lua config. - -;root -RANGE_BEGIN 0 10000 - ADDRESS 2001:dc3::35 - ADDRESS 198.41.0.4 - ADDRESS 192.228.79.201 - ADDRESS 192.33.4.12 - ADDRESS 199.7.91.13 - ADDRESS 192.203.230.10 - ADDRESS 192.5.5.241 - ADDRESS 192.112.36.4 - ADDRESS 198.97.190.53 - ADDRESS 192.36.148.17 - ADDRESS 192.58.128.30 - ADDRESS 193.0.14.129 - ADDRESS 199.7.83.42 - ADDRESS 202.12.27.33 - ADDRESS 2001:503:ba3e::2:30 - ADDRESS 2001:500:84::b - ADDRESS 2001:500:2::c - ADDRESS 2001:500:2d::d - ADDRESS 2001:500:a8::e - ADDRESS 2001:500:2f::f - ADDRESS 2001:500:12::d0d - ADDRESS 2001:500:1::53 - ADDRESS 2001:7fe::53 - ADDRESS 2001:503:c27::2:30 - ADDRESS 2001:7fd::1 - ADDRESS 2001:500:9f::42 - ADDRESS 2001:dc3::35 - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - . IN DS - SECTION AUTHORITY - . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017022701 1800 900 604800 86400 - . 86400 IN RRSIG SOA 8 0 86400 20170312170000 20170227160000 61045 . GhyRFKg8xu/asiFmIMifBOFUeJlL++ncqDoBLbYoviben3WNrdU7vJxZ Cm3EZ8HEYr2gFFkupaHBZt+P6GdX9lU8aw7yOZ8ZXV48S209Jo3PkHxH iVOtaC7QzkJPiZUgh06MuWgQoeNJSVqGTCy+TlTlMLqGndNcpT0rkX7H 0gCcuaZcBv0nqEPKqZeq8XFVIfiaUCKz/kkkO0vgP9euN+WT+68hng4F oIQ0eAPIUL6XBW2uWubWS2Yd8C+g/++qeLnte7QYF+9By5HuN6fXskba 0uph3gzjWArn+SYQhEWyqbS6wb0LloAawt9LW7neJYOMFhlU1AOScGjn e8rfBw== - . 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY - . 86400 IN RRSIG NSEC 8 0 86400 20170312170000 20170227160000 61045 . MLiCUaeASll0V1x0imORnQodzd/6LuDpa8XfebmNE7eGMda62HCK9kB2 I5Yvcc6naw1nzJVSVNIjDQyAKHgSWy457vwvWbEdCuD5XS8A1/drP13x pfP91XG3qPswx3u1i4cLSTO5VJi1lup1Qr1UrN54kNbRp2sS65VKXOH4 4I6bwA1CBOmU6EHlyI2nymZDqCRaTdWjyoYSZ1zkucSjEgn8GtyniNiS p7AfNLnnJ6poKSCcOj2hSQTb58i7B7TJt/JQWb6ko12rcSEVxZljhqHc XzR+i8Bgfpj9ha83tcZwDFQQy4mKjSkboOEoRe8Z5qKIb5DF0wn0vB+M LClQJg== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - . IN NS - SECTION ANSWER - . 518400 IN NS m.root-servers.net. - . 518400 IN NS k.root-servers.net. - . 518400 IN NS a.root-servers.net. - . 518400 IN NS l.root-servers.net. - . 518400 IN NS j.root-servers.net. - . 518400 IN NS i.root-servers.net. - . 518400 IN NS e.root-servers.net. - . 518400 IN NS b.root-servers.net. - . 518400 IN NS h.root-servers.net. - . 518400 IN NS d.root-servers.net. - . 518400 IN NS c.root-servers.net. - . 518400 IN NS f.root-servers.net. - . 518400 IN NS g.root-servers.net. - . 518400 IN RRSIG NS 8 0 518400 20170312170000 20170227160000 61045 . iqk4z3W6lGfSgvbPGl4JPVDca+21mXayctqY0FO1a9YhCSxLQGsV/0eK IfYOGHMCBr2szIactoznQgFybjNG/I5bKo+EU4U0tNNVwrUHWTMsAraQ yIS/efPZyKAHSzKZjlcRVOFbFPA/DWp6JzMhfXaBYMLcsA8ZT/CwCnxF a7wInMupWskMwXXhTgGci+PJVKm+TK5hEtYYnb3Ny2lxoWtTPJuZufM9 1xg2YXs6njo1gKzj3zaTwpndeBbYN78ZfETmPsjyr7X144v9qe7qygCO dTjy+cly1JG1prI9yHaU5zJk3X9VcvWWRR3ACQOFfzthFqyEoHjQmEBe XQHCRg== - SECTION ADDITIONAL - a.root-servers.net. 3600000 IN A 198.41.0.4 - b.root-servers.net. 3600000 IN A 192.228.79.201 - c.root-servers.net. 3600000 IN A 192.33.4.12 - d.root-servers.net. 3600000 IN A 199.7.91.13 - e.root-servers.net. 3600000 IN A 192.203.230.10 - f.root-servers.net. 3600000 IN A 192.5.5.241 - g.root-servers.net. 3600000 IN A 192.112.36.4 - h.root-servers.net. 3600000 IN A 198.97.190.53 - i.root-servers.net. 3600000 IN A 192.36.148.17 - j.root-servers.net. 3600000 IN A 192.58.128.30 - k.root-servers.net. 3600000 IN A 193.0.14.129 - l.root-servers.net. 3600000 IN A 199.7.83.42 - m.root-servers.net. 3600000 IN A 202.12.27.33 - a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30 - b.root-servers.net. 3600000 IN AAAA 2001:500:84::b - c.root-servers.net. 3600000 IN AAAA 2001:500:2::c - d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d - e.root-servers.net. 3600000 IN AAAA 2001:500:a8::e - f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f - g.root-servers.net. 3600000 IN AAAA 2001:500:12::d0d - h.root-servers.net. 3600000 IN AAAA 2001:500:1::53 - i.root-servers.net. 3600000 IN AAAA 2001:7fe::53 - j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30 - k.root-servers.net. 3600000 IN AAAA 2001:7fd::1 - l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42 - m.root-servers.net. 3600000 IN AAAA 2001:dc3::35 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - . IN DNSKEY - SECTION ANSWER - . 172800 IN DNSKEY 256 3 8 AwEAAYvgWbYkpeGgdPKaKTJU3Us4YSTRgy7+dzvfArIhi2tKoZ/WR1Df w883SOU6Uw7tpVRkLarN0oIMK/xbOBD1DcXnyfElBwKsz4sVVWmfyr/x +igD/UjrcJ5zEBUrUmVtHyjar7ccaVc1/3ntkhZjI1hcungAlOhPhHlk MeX+5Azx6GdX//An5OgrdyH3o/JmOPMDX1mt806JI/hf0EwAp1pBwo5e 8SrSuR1tD3sgNjr6IzCdrKSgqi92z49zcdis3EaY199WFW60DCS7ydu+ +T5Xa+GyOw1quagwf/JUC/mEpeBQYWrnpkBbpDB3sy4+P2i8iCvavehb RyVm9U0MlIc= - . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= - . 172800 IN RRSIG DNSKEY 8 0 172800 20170313000000 20170220000000 19036 . Dgzxpg2Lr39HXuHwuJWYCGySxsm92RY8TRuSOstPVcHc7we0d4pW7Znt 33j9fzrxdvoVFAvqSioilVKiOY49M8N+sXcsfTK3cnh7ijTA7suXd4ht TClLN7Dn+ZAjhoyjLm5hf7P/jL0K9KKcOqEqS+uqX3W2WeCvUwT3BY6A t2r+pKSVnoX0uFWJX+mmCh4veYW3eoBzAqwAVbCE5hl2tVbf/vzpa8eW kHegVmm5smKzK2ciYOqExl3FtLgf6dp+HTpruS2oN1JPxm4f1IZhVwT0 pSEu8OUNOV8WSbLn3P9aUpq894Tf1i0/AEtFtx2tRCdw3lSKOugfneo0 PYo1JQ== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - cz. IN DS - SECTION ANSWER - cz. 86400 IN DS 54576 10 2 397E50C85EDE9CDE33F363A9E66FD1B216D788F8DD438A57A423A386 869C8F06 - cz. 86400 IN RRSIG DS 8 1 86400 20170312170000 20170227160000 61045 . irp/lUXakeZMwVjkZQOOt6xAB2Fcglo7nxmUkHBFjsB5lp61Pg6eyt8u xvGrTdv4mv6PH5q0c7bfKo0Ngtedbq8gZ6VHXfcKUU7vP5BUmePWPyvf khKcafAO7D2wIw9gKxPB0syd3woUP7PlQ1Rg/rUMwDnEXtS7zEqzrVbb VkjdqvdgLUsInAc9zdP72qRp9cJhuoRm0nco1uo2ZLUC04poGxSNzXTw hKhngqHDTqD1nr/Wnq7uXtmLyvFelICSpSHmkrCxnou7EtPybC+W+fna f8o7FebZBnB71t5d8s2kxlb+KrWXUMv8VOdZdZTQTN8M5LeKSBL7RnXM 1FbCiQ== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - CZ. IN NS - SECTION AUTHORITY - cz. 172800 IN NS b.ns.nic.cz. - cz. 172800 IN NS a.ns.nic.cz. - cz. 172800 IN NS c.ns.nic.cz. - cz. 172800 IN NS d.ns.nic.cz. - cz. 86400 IN DS 54576 10 2 397E50C85EDE9CDE33F363A9E66FD1B216D788F8DD438A57A423A386 869C8F06 - cz. 86400 IN RRSIG DS 8 1 86400 20170312170000 20170227160000 61045 . irp/lUXakeZMwVjkZQOOt6xAB2Fcglo7nxmUkHBFjsB5lp61Pg6eyt8u xvGrTdv4mv6PH5q0c7bfKo0Ngtedbq8gZ6VHXfcKUU7vP5BUmePWPyvf khKcafAO7D2wIw9gKxPB0syd3woUP7PlQ1Rg/rUMwDnEXtS7zEqzrVbb VkjdqvdgLUsInAc9zdP72qRp9cJhuoRm0nco1uo2ZLUC04poGxSNzXTw hKhngqHDTqD1nr/Wnq7uXtmLyvFelICSpSHmkrCxnou7EtPybC+W+fna f8o7FebZBnB71t5d8s2kxlb+KrWXUMv8VOdZdZTQTN8M5LeKSBL7RnXM 1FbCiQ== - SECTION ADDITIONAL - a.ns.nic.cz. 155678 IN A 194.0.12.1 - b.ns.nic.cz. 155678 IN A 194.0.13.1 - c.ns.nic.cz. 153044 IN A 194.0.14.1 - d.ns.nic.cz. 153044 IN A 193.29.206.1 - a.ns.nic.cz. 153051 IN AAAA 2001:678:f::1 - b.ns.nic.cz. 153051 IN AAAA 2001:678:10::1 - c.ns.nic.cz. 155678 IN AAAA 2001:678:11::1 - d.ns.nic.cz. 155678 IN AAAA 2001:678:1::1 - ENTRY_END - - - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - net. IN DS - SECTION ANSWER - net. 86400 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE - net. 86400 IN RRSIG DS 8 1 86400 20170312170000 20170227160000 61045 . bRSoCpmN/6LhmSB7i68N0zO08WwVikjm6HhOyZMhyjF4sfAaDoeTMs5E XjflCZMly1SP8CwkK6Wz6Ozb8nMUHEsYOhASVBkYC/ImBpqIV5LxaCbW 4L7g5Mwam0MBZb4hybI7JUyuiRONVy3YYk+eUvyf4/flu3Cl14a36LYv 2In/ECg9sV8cMOrYs722vigvzH5eHLIZTOhGBE2//uH8pw1YnMW9sYRj f5algDGge4hZvi0ieQyzfT3UqmQEmZZCz+vdlPtgKqIj6+I+V+SZOB2d aBkb/0NrWIx+iE+fqP6jx7I2HCobVnYUvJjL/t6O1shC4mxcDghLLUpf fSnEag== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - net. IN NS - SECTION AUTHORITY - net. 172800 IN NS j.gtld-servers.net. - net. 172800 IN NS e.gtld-servers.net. - net. 172800 IN NS c.gtld-servers.net. - net. 172800 IN NS m.gtld-servers.net. - net. 172800 IN NS d.gtld-servers.net. - net. 172800 IN NS i.gtld-servers.net. - net. 172800 IN NS a.gtld-servers.net. - net. 172800 IN NS g.gtld-servers.net. - net. 172800 IN NS h.gtld-servers.net. - net. 172800 IN NS b.gtld-servers.net. - net. 172800 IN NS k.gtld-servers.net. - net. 172800 IN NS f.gtld-servers.net. - net. 172800 IN NS l.gtld-servers.net. - net. 86400 IN DS 35886 8 2 7862B27F5F516EBE19680444D4CE5E762981931842C465F00236401D 8BD973EE - net. 86400 IN RRSIG DS 8 1 86400 20170312170000 20170227160000 61045 . bRSoCpmN/6LhmSB7i68N0zO08WwVikjm6HhOyZMhyjF4sfAaDoeTMs5E XjflCZMly1SP8CwkK6Wz6Ozb8nMUHEsYOhASVBkYC/ImBpqIV5LxaCbW 4L7g5Mwam0MBZb4hybI7JUyuiRONVy3YYk+eUvyf4/flu3Cl14a36LYv 2In/ECg9sV8cMOrYs722vigvzH5eHLIZTOhGBE2//uH8pw1YnMW9sYRj f5algDGge4hZvi0ieQyzfT3UqmQEmZZCz+vdlPtgKqIj6+I+V+SZOB2d aBkb/0NrWIx+iE+fqP6jx7I2HCobVnYUvJjL/t6O1shC4mxcDghLLUpf fSnEag== - SECTION ADDITIONAL - a.gtld-servers.net. 172800 IN A 192.5.6.30 - b.gtld-servers.net. 172800 IN A 192.33.14.30 - c.gtld-servers.net. 172800 IN A 192.26.92.30 - d.gtld-servers.net. 172800 IN A 192.31.80.30 - e.gtld-servers.net. 172800 IN A 192.12.94.30 - f.gtld-servers.net. 172800 IN A 192.35.51.30 - g.gtld-servers.net. 172800 IN A 192.42.93.30 - h.gtld-servers.net. 172800 IN A 192.54.112.30 - i.gtld-servers.net. 172800 IN A 192.43.172.30 - j.gtld-servers.net. 172800 IN A 192.48.79.30 - k.gtld-servers.net. 172800 IN A 192.52.178.30 - l.gtld-servers.net. 172800 IN A 192.41.162.30 - m.gtld-servers.net. 172800 IN A 192.55.83.30 - a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 - b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 - ENTRY_END - - -RANGE_END - -;cz -RANGE_BEGIN 0 10000 - ADDRESS 194.0.12.1 - ADDRESS 194.0.13.1 - ADDRESS 194.0.14.1 - ADDRESS 193.29.206.1 - ADDRESS 2001:678:f::1 - ADDRESS 2001:678:10::1 - ADDRESS 2001:678:11::1 - ADDRESS 2001:678:1::1 - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - nic.cz. IN DS - SECTION ANSWER - nic.cz. 14400 IN DS 61281 13 2 4104D40C8FE2030BF7A09A199FCF37B36F7EC8DDD16F5A84F2E61C24 8D3AFD0F - nic.cz. 14400 IN RRSIG DS 10 2 14400 20170312221837 20170228130956 58211 cz. LKiLo/EqBTsv1e6s8p5UfN/qZfd3Dnf5XGO11vW2pELybdmmpD5clR/v mz+cc4zxLiQAxDnBpdUPAPdxcPlILa5mjMfJy2ExsQOZhcbIUInRala6 GhBfGy3bnniJkJCu7sAIsf+HyDM92pFSql67ErS0ROERBhSRVbfunEBy FCo= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - a.ns.nic.cz. IN A - SECTION ANSWER - a.ns.nic.cz. 1800 IN A 194.0.12.1 - a.ns.nic.cz. 1800 IN RRSIG A 13 4 1800 20170314061428 20170228072511 16836 nic.cz. rJsAWa5cYGooRzu5+jRW5m4ebYHPkHRBwrLT5P7lIkT5VkcoIRYMcdYf gr+pXJFM9IduSZJXfomumKyOYHts7Q== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - b.ns.nic.cz. IN A - SECTION ANSWER - b.ns.nic.cz. 1800 IN A 194.0.13.1 - b.ns.nic.cz. 1800 IN RRSIG A 13 4 1800 20170314044412 20170228072511 16836 nic.cz. 6dOVqiXZgfp1fltylhOAYvfILWCGu61cpabseUNTmb20TZR1GuI5ueTS lmYa93o46M+01ATfrkwBWZC065G8yg== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - c.ns.nic.cz. IN A - SECTION ANSWER - c.ns.nic.cz. 1800 IN A 194.0.14.1 - c.ns.nic.cz. 1800 IN RRSIG A 13 4 1800 20170314015427 20170228072511 16836 nic.cz. 824yJyP2dWJ7phi63r1/24v0SbzU9FVi7b8IkXIrQ+3aCTyXKugE8l8C qLz6qwulzu2aG+8SyfvenXDSySqiqQ== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - d.ns.nic.cz. IN A - SECTION ANSWER - d.ns.nic.cz. 1800 IN A 193.29.206.1 - d.ns.nic.cz. 1800 IN RRSIG A 13 4 1800 20170313233915 20170228072511 16836 nic.cz. KAlDHStrGzdtoBe9epn87lsggg6vVvHPGMPv/njWSTns7BX0//fTxfOc iOXdutsQhq/8Z2o87pKzE2F9FbE6Hw== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - a.ns.nic.cz. IN AAAA - SECTION ANSWER - a.ns.nic.cz. 1800 IN AAAA 2001:678:f::1 - a.ns.nic.cz. 1800 IN RRSIG AAAA 13 4 1800 20170313215345 20170228072511 16836 nic.cz. GMmWVeCiIzq2kt4VmsDXGSaAWMtDB78+Yz7qgEqu5C1PAUUBQo4o5lU/ igGhIJHk2BSljJxjaL+LlnW3uOeCDQ== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - b.ns.nic.cz. IN AAAA - SECTION ANSWER - b.ns.nic.cz. 1800 IN AAAA 2001:678:10::1 - b.ns.nic.cz. 1800 IN RRSIG AAAA 13 4 1800 20170314011606 20170228072511 16836 nic.cz. ALfV0l2a4D1CITaZdP5k5Mc+uTZ1dSb3SRm1Z+AQmeQLKI7YrFlOCuUa q90yMQnG+0GMS4uwSmIcT3V2cjpBXw== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - c.ns.nic.cz. IN AAAA - SECTION ANSWER - c.ns.nic.cz. 1800 IN AAAA 2001:678:11::1 - c.ns.nic.cz. 1800 IN RRSIG AAAA 13 4 1800 20170313184936 20170228072511 16836 nic.cz. U/tpYchWTle9loCW8fPIMoF3zto86UmFFCSnU7sFG9Qxk4I8fNUro1nT fAeJlrI7L7Yx9qlJTAllzrPjuw+3IA== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - d.ns.nic.cz. IN AAAA - SECTION ANSWER - d.ns.nic.cz. 1800 IN AAAA 2001:678:1::1 - d.ns.nic.cz. 1800 IN RRSIG AAAA 13 4 1800 20170313124110 20170228072511 16836 nic.cz. kOI6MVJDSexQQ6uGT7KBjrTB2PDs49Cm65heInzMGZ20R75wO0JhSlce /T+Rpw3R0XpBre39h2DF7yBgePr+qg== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - cz. IN NS - SECTION ANSWER - cz. 14400 IN NS a.ns.nic.cz. - cz. 14400 IN NS b.ns.nic.cz. - cz. 14400 IN NS d.ns.nic.cz. - cz. 14400 IN NS c.ns.nic.cz. - cz. 14400 IN RRSIG NS 10 1 14400 20170307183707 20170222123920 58211 cz. Ma2XNvMziL3GtyLXtKcCBBG12+r7Uor3OFTw6c7Txk573/Y33IMnbN6B iKz0hZw0XK5c6nHciMEDkH2K772fcskHjEnOg+bJMBJlUmqskbVBmwpZ Dd156QC9OIfcE6yJYa6Y1jOegpgCaZLXRDOZodtvvTkYWNP/D01cmsF6 U+4= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id copy_query - REPLY QR AA RD DO NOERROR - SECTION QUESTION - CZ. IN DNSKEY - SECTION ANSWER - cz. 18000 IN DNSKEY 256 3 10 AwEAAdWL2Br92Vx0dLEOOB8y02ss8LtKIyGlLJ2ymJ02WqR3AAEEZN0f NPKF77kdKsjlG8DlzmSIOR12aa9EhpXqyHOwWI0kHOMJVnn6ZKFIAl71 JP/dYIcshYUxKZZMe+zEAUrVtzlLVDtM6cDOPDuBNa1ujYec3eJl9Ipq eUEG6gAH - cz. 18000 IN DNSKEY 257 3 10 AwEAAay0hi4HN2r/BqMQTpIPIVDyjmyF+9ZWvr5Lewx+q+947o/GrRv4 FGFfkZxf9CFfYVUf0jG5Yq4i06pGVNwJl81HS9Ux2oeHRXUvgtLnl5He RVLL+zgI5byx9HSNr4bPO8ZEn5OjoayhkNyGSFr4VWrzQk/K02vLP4d1 cCEzUQy30eyZto2/tG5ZwCU/iRkS1PJOcOW98hiFIfFDZv1XjbEpqEYh T2PATs6rt+BKwSHKGISmg1PNdg+y0rItemYMWr1f9BGAdtTWoPCPCYPj OZMPoIyA4tMscD+ww54Jf/QNoHccY4hO1yHiuAXG7SUn8jo0IKQ9W7JJ xES0aqFCX/0= - cz. 18000 IN RRSIG DNSKEY 10 1 18000 20170304000000 20170218000000 54576 cz. paDUYJRI+4qBfPaGBy7nVMQnsp2hQQdiWWMnNunhfemFYi9MtXE2VTG3 DDL4Kue3ImSko/BxCRqHxHq5Sdf4LNexFWqFUlz4CjVeFobGTmmgOlak Sm2WygfZsO3w1OeO5cDCZTbi6XAhkr1cL3sgJR+/aOKIGUs8uIk1pZ5H WGNB1waF7Euxe+joEFtoj2/Tk7G7AlD1/Hw+pw5AkLTNawpHJF1/vnfT mPxdPHhJYCHlQdBE9dLkqQk7swnxMegBiUCeRd7SRiGq+1wubYsGirwl RZfYQpcqMnLH/1KITlVkKNYKnUGLjej4XRCDZOe3j8geIyS7WCJ5OPnU Lw0KDA== - cz. 18000 IN RRSIG DNSKEY 10 1 18000 20170313144128 20170228113958 58211 cz. xSEKl8ttuDR9Q3YjtVX+dPfdtwd4OG6rooml9TDIKNlND9LRTceRnpEH EsxUumTrRfWh8P4HWZF+B7hdm8qvcxAS3X3TYT4T7fKV5AFQbbMh+fv9 nut2RcZF40/x/0Hxh6QPLAtMDZs4W8IovQnpiTw8am9UoJNP+tT+dsgw ndA= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id copy_query - REPLY QR AA RD DO NOERROR - SECTION QUESTION - nic.cz. IN DNSKEY - SECTION ANSWER - nic.cz. 1800 IN DNSKEY 256 3 13 vtFRotT17dIOLFIWi8BVFpHu8Thf/BrslFNNWlH2PPucF1rec69vuJi2 MswwoRtYQpRehbsjsjJ7kxXlTtfaFw== - nic.cz. 1800 IN DNSKEY 257 3 13 LM4zvjUgZi2XZKsYooDE0HFYGfWp242fKB+O8sLsuox8S6MJTowY8lBD jZD7JKbmaNot3+1H8zU9TrDzWmmHwQ== - nic.cz. 1800 IN RRSIG DNSKEY 13 2 1800 20170313103655 20170228072511 61281 nic.cz. mA899bEiTCULWpuF2JpVSm3wyHWmHIYuRMJj2X2E0AUhdbX2zhuSun8q EjKpr/0FfZCmlJIEC6dXmjIV+X0jhg== - nic.cz. 1800 IN RRSIG DNSKEY 13 2 1800 20170313194411 20170228072511 16836 nic.cz. iYJgEoykgdz6aqrE1DwM6fyWUFI2pDShqgfg7TiMaunyuvi2JwUaSbEq Ifm2aO5gF7bqSQjM+Y0NOzZ5nAUKrg== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - lidovky.cz. IN DS - SECTION ANSWER - lidovky.cz. 14400 IN DS 1901 8 2 1ED680FFBD77C4845A9BE15286FC73A756B6E4150C65DBC52EE4799B 641DFCE3 - lidovky.cz. 14400 IN DS 4555 8 2 E4B03345B8E0EB3CD9208D2FA60F835A1E391CC485E84CBF3CB1136B D7748913 - lidovky.cz. 14400 IN RRSIG DS 10 2 14400 20170312182850 20170228113958 58211 cz. yw/iboH4hKxLOv+0Mbyvp4rnT14IxkiOpk6kW7ANJI2AGoBa5L7oGy6F 4eEuc2AZKrn/FP2OZL8mItt0hBCucHpaBeRyx8n78pCuMnEaYs/Buxro 0S/bpkMhTRTTJCQ2uwKHAAfi2Q3PC1CWLKB8p7MbN21JlC3S7ANu0DgL 4Ro= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - lidovky.cz. IN NS - SECTION AUTHORITY - lidovky.cz. 14400 IN NS ns.mafra.cz. - lidovky.cz. 14400 IN NS ns.mafracz.net. - lidovky.cz. 14400 IN NS ns2.mafra.cz. - lidovky.cz. 14400 IN DS 1901 8 2 1ED680FFBD77C4845A9BE15286FC73A756B6E4150C65DBC52EE4799B 641DFCE3 - lidovky.cz. 14400 IN DS 4555 8 2 E4B03345B8E0EB3CD9208D2FA60F835A1E391CC485E84CBF3CB1136B D7748913 - lidovky.cz. 14400 IN RRSIG DS 10 2 14400 20170312182850 20170228113958 58211 cz. yw/iboH4hKxLOv+0Mbyvp4rnT14IxkiOpk6kW7ANJI2AGoBa5L7oGy6F 4eEuc2AZKrn/FP2OZL8mItt0hBCucHpaBeRyx8n78pCuMnEaYs/Buxro 0S/bpkMhTRTTJCQ2uwKHAAfi2Q3PC1CWLKB8p7MbN21JlC3S7ANu0DgL 4Ro= - SECTION ADDITIONAL - ns.mafra.cz. 18000 IN A 194.79.53.77 - ns2.mafra.cz. 18000 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - mafra.cz. IN DS - SECTION AUTHORITY - cz. 900 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1488285598 900 300 604800 900 - cz. 900 IN RRSIG SOA 10 1 14400 20170314055727 20170228113958 58211 cz. LBUALMOXd40KawVmUNWNlfMbeR0LDwNI5DPu9HqF8rtWCtHxReSGPrYs lyaL6gzVOn+i9Zikolj2arR+XPrb3vDMBjhh1AhP83p6Dfk4z0nEeaVy bJBdCSrcXcOi72RXY1QpO6lfhkpW2rhYtKS0Pq0rPVSF6rFVSLMavD82 X9s= - NP199O12UJ32S0N5CTA47VUUQK1B2N6P.cz. 900 IN NSEC3 1 0 10 34817B0B5673BB5D NP19M6SR9GQ4GR722R31PHMCCMV2L47C NS - NP199O12UJ32S0N5CTA47VUUQK1B2N6P.cz. 900 IN RRSIG NSEC3 10 2 900 20170309110321 20170224213957 58211 cz. Brz4hpl2jq+rhJlu9tZ6Ij0Ru4+2Yyw5a4OVgN4/umq/9jPn2dWgnOPS 6Mk5WIC9Yun9ZIvncS3oE1dRhXAF+nGZS9jr1tdXLx+1Sow4o0nP8cxw 8Sl8BVjBkDpVSZfGVMN06NjJub57uw5nDF3E/AjoCYDxnb0UrVmIGCUb h7A= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - mafra.cz. IN NS - SECTION AUTHORITY - mafra.cz. 14400 IN NS ns.mafra.cz. - mafra.cz. 14400 IN NS ns.mafracz.net. - mafra.cz. 14400 IN NS ns2.mafra.cz. - np199o12uj32s0n5cta47vuuqk1b2n6p.cz. 900 IN NSEC3 1 0 10 34817B0B5673BB5D NP19M6SR9GQ4GR722R31PHMCCMV2L47C NS - np199o12uj32s0n5cta47vuuqk1b2n6p.cz. 900 IN RRSIG NSEC3 10 2 900 20170309110321 20170224213957 58211 cz. Brz4hpl2jq+rhJlu9tZ6Ij0Ru4+2Yyw5a4OVgN4/umq/9jPn2dWgnOPS 6Mk5WIC9Yun9ZIvncS3oE1dRhXAF+nGZS9jr1tdXLx+1Sow4o0nP8cxw 8Sl8BVjBkDpVSZfGVMN06NjJub57uw5nDF3E/AjoCYDxnb0UrVmIGCUb h7A= - SECTION ADDITIONAL - ns.mafra.cz. 7275 IN A 194.79.53.77 - ns2.mafra.cz. 7275 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - idnes.cz. IN DS - SECTION AUTHORITY - cz. 900 IN SOA a.ns.nic.cz. hostmaster.nic.cz. 1488285598 900 300 604800 900 - cz. 900 IN RRSIG SOA 10 1 14400 20170314055727 20170228113958 58211 cz. LBUALMOXd40KawVmUNWNlfMbeR0LDwNI5DPu9HqF8rtWCtHxReSGPrYs lyaL6gzVOn+i9Zikolj2arR+XPrb3vDMBjhh1AhP83p6Dfk4z0nEeaVy bJBdCSrcXcOi72RXY1QpO6lfhkpW2rhYtKS0Pq0rPVSF6rFVSLMavD82 X9s= - AUOICN1434M9JOGSCEGTCFV7NUDKO603.cz. 900 IN NSEC3 1 0 10 34817B0B5673BB5D AUOJ570J8RB3057RHUJ1DAGMCO1GAUDH NS - AUOICN1434M9JOGSCEGTCFV7NUDKO603.cz. 900 IN RRSIG NSEC3 10 2 900 20170313031226 20170227134003 58211 cz. CMvsPy0Ce7UR692R7jMat7E9Mm2DHTcZz7b5PlwsNX3i+41Ymlh1TeAs utrGbJUR+cdKQStzN6uNsxGQ84zFmeqOvMKtZBbvdavQbXtDfwTuEplX XolQ82j/0wVYCkpYANkLmyLrwbbZxJ4sSb1sbVRtMN0daeE6y3OleQDk 2Uw= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - idnes.cz. IN NS - SECTION AUTHORITY - idnes.cz. 14400 IN NS ns.mafra.cz. - idnes.cz. 14400 IN NS ns.mafracz.net. - idnes.cz. 14400 IN NS ns2.mafra.cz. - auoicn1434m9jogscegtcfv7nudko603.cz. 900 IN NSEC3 1 0 10 34817B0B5673BB5D AUOJ570J8RB3057RHUJ1DAGMCO1GAUDH NS - auoicn1434m9jogscegtcfv7nudko603.cz. 900 IN RRSIG NSEC3 10 2 900 20170313031226 20170227134003 58211 cz. CMvsPy0Ce7UR692R7jMat7E9Mm2DHTcZz7b5PlwsNX3i+41Ymlh1TeAs utrGbJUR+cdKQStzN6uNsxGQ84zFmeqOvMKtZBbvdavQbXtDfwTuEplX XolQ82j/0wVYCkpYANkLmyLrwbbZxJ4sSb1sbVRtMN0daeE6y3OleQDk 2Uw= - SECTION ADDITIONAL - ns.mafra.cz. 18000 IN A 194.79.53.77 - ns2.mafra.cz. 18000 IN A 194.79.55.77 - ENTRY_END - -RANGE_END - -;net -RANGE_BEGIN 0 10000 - ADDRESS 192.5.6.30 - ADDRESS 192.33.14.30 - ADDRESS 192.26.92.30 - ADDRESS 192.31.80.30 - ADDRESS 192.12.94.30 - ADDRESS 192.35.51.30 - ADDRESS 192.42.93.30 - ADDRESS 192.54.112.30 - ADDRESS 192.43.172.30 - ADDRESS 192.48.79.30 - ADDRESS 192.52.178.30 - ADDRESS 192.41.162.30 - ADDRESS 192.55.83.30 - ADDRESS 2001:503:a83e::2:30 - ADDRESS 2001:503:231d::2:30 - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id copy_query - REPLY QR AA RD DO NOERROR - SECTION QUESTION - net. IN DNSKEY - SECTION ANSWER - net. 86400 IN DNSKEY 257 3 8 AQOYBnzqWXIEj6mlgXg4LWC0HP2n8eK8XqgHlmJ/69iuIHsa1TrHDG6T cOra/pyeGKwH0nKZhTmXSuUFGh9BCNiwVDuyyb6OBGy2Nte9Kr8NwWg4 q+zhSoOf4D+gC9dEzg0yFdwT0DKEvmNPt0K4jbQDS4Yimb+uPKuF6yie WWrPYYCrv8C9KC8JMze2uT6NuWBfsl2fDUoV4l65qMww06D7n+p7Rbdw WkAZ0fA63mXVXBZF6kpDtsYD7SUB9jhhfLQE/r85bvg3FaSs5Wi2BaqN 06SzGWI1DHu7axthIOeHwg00zxlhTpoYCH0ldoQz+S65zWYi/fRJiyLS Bb6JZOvn - net. 86400 IN DNSKEY 256 3 8 AQPMYWRP6GrTFoGFNQyuta0p4VYHr5Ox7yOl0Zv5ejOeRUnmoVgvHUR0 8lmmKEnBBPPZ89f/spt8VQ3GFUAbjJVzlcF5dQbY26YO/XKNcB2dlCEy quowoOQYsbASUj91c0IfFXAbK10reyShzaUi76p2VG5f0tjq/iC4iMZJ yxcpRQ== - net. 86400 IN RRSIG DNSKEY 8 1 86400 20170306173857 20170219173357 35886 net. Vvmjg9riU5c81z+4GEMSV4kEHf0ds2lxyD/UmGB4Vjtu0S71KldD4hh2 nA086G2Ssl1gBFEcVkLdPPpvh/c39mSITollT43u55pBLGQQcRXqPL6X 5xjlsOayD4QfwszBn5/5QTSD9pB5D9AsGQARlQTa0Vp1O9ruFDq0BuVQ F4P2QkNaxM6T+QZdFtqFOe6n3H+Qn0/TEvbM72w0hIBr1po3aSZuJleN SR3Wbubs1H7p1E6a6FH2+rRb3t7Q5DWNT/P5kZU0j+JB1PRknSwWCv7n orxIfhoYuFqU8Gw9w5KSw+Qtc7AjxlawQSAAZPLaq9ZL2cEKkeUrEGTD V41adg== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - net. IN DS - SECTION ANSWER - net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1488288307 1800 900 604800 86400 - net. 900 IN RRSIG SOA 8 1 900 20170307132507 20170228121507 16757 net. aeKdMkRb/POrt2pw0h0O8fN8EUXFXJlPHu/aHtIihIEkj85ZpCNrEOxr Zg5jkYtPXQwx+X0cnD/uNMEWPOD3vNW3Ap9Y01RlFBzvlBHeH4YA09tr ElBPqkzN6bNrNJi3V/yJjV2dy7IUvqDO9M5cQEuPHIED2sIh1FATmB6b KMs= - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306061207 20170227050207 16757 net. s53ftACmRAtcKkfowIENgWkCuHNoyesDp5kz1g62Uxm9v03ig4TkMMBW cUMvLFCp1XpmiOx9MX5klfJgFrhQPYmaRBuQaI3nrH6B57kjsphtJYvc B6wyRGPHAg+oNecZqQbUBEkzBrppoe4a5nhlOkLgbHKb5qPbN0tV5wBu x5c= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - net. IN NS - SECTION ANSWER - net. 172800 IN NS i.gtld-servers.net. - net. 172800 IN NS e.gtld-servers.net. - net. 172800 IN NS h.gtld-servers.net. - net. 172800 IN NS b.gtld-servers.net. - net. 172800 IN NS a.gtld-servers.net. - net. 172800 IN NS j.gtld-servers.net. - net. 172800 IN NS f.gtld-servers.net. - net. 172800 IN NS m.gtld-servers.net. - net. 172800 IN NS l.gtld-servers.net. - net. 172800 IN NS g.gtld-servers.net. - net. 172800 IN NS k.gtld-servers.net. - net. 172800 IN NS c.gtld-servers.net. - net. 172800 IN NS d.gtld-servers.net. - net. 172800 IN RRSIG NS 8 1 172800 20170304061505 20170225050505 16757 net. Pq4fze7lagq5NaKm7P4plOCY4gbFH3ZqZPvWIMojqNgHmoboqXWpth7R s2th1NzR7fxTvxngwVFlO7tR2Sf19epNimuJHEkxAKceLtSfdwxilfMz WvPq5/2tCINU8xo/SOC13ST4zq3PUi+VfPYbRF+5SakOTkU/6m1+9hlo ixo= - SECTION ADDITIONAL - a.gtld-servers.net. 172800 IN A 192.5.6.30 - b.gtld-servers.net. 172800 IN A 192.33.14.30 - c.gtld-servers.net. 172800 IN A 192.26.92.30 - d.gtld-servers.net. 172800 IN A 192.31.80.30 - e.gtld-servers.net. 172800 IN A 192.12.94.30 - f.gtld-servers.net. 172800 IN A 192.35.51.30 - g.gtld-servers.net. 172800 IN A 192.42.93.30 - h.gtld-servers.net. 172800 IN A 192.54.112.30 - i.gtld-servers.net. 172800 IN A 192.43.172.30 - j.gtld-servers.net. 172800 IN A 192.48.79.30 - k.gtld-servers.net. 172800 IN A 192.52.178.30 - l.gtld-servers.net. 172800 IN A 192.41.162.30 - m.gtld-servers.net. 172800 IN A 192.55.83.30 - a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 - b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - root-servers.net. IN DS - SECTION AUTHORITY - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306061207 20170227050207 16757 net. s53ftACmRAtcKkfowIENgWkCuHNoyesDp5kz1g62Uxm9v03ig4TkMMBW cUMvLFCp1XpmiOx9MX5klfJgFrhQPYmaRBuQaI3nrH6B57kjsphtJYvc B6wyRGPHAg+oNecZqQbUBEkzBrppoe4a5nhlOkLgbHKb5qPbN0tV5wBu x5c= - net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1488288412 1800 900 604800 86400 - net. 900 IN RRSIG SOA 8 1 900 20170307132652 20170228121652 16757 net. VnpLNPVwJO8pW1+aHC5jGq17aTVQuWMfu7igBcig9XG9li1wVBtawqaB zpiT8zoUWa76qkydyhuKWNjR895eLQz1Ql0cboW8GIddDFfKacpEP9nr QWwqjiMltfXn+iGiumrDbxwHKvwllXhOIShR5uAT640UcJ7QMhrq2jrJ V+Y= - T2UFL481TTPOHR68HR18DHJAFU935MJU.net. 86400 IN NSEC3 1 1 0 - T2UKCT9K5I0UHV7B3M3NA6JAIGDJM0GR NS DS RRSIG - T2UFL481TTPOHR68HR18DHJAFU935MJU.net. 86400 IN RRSIG NSEC3 8 2 86400 20170307061346 20170228050346 16757 net. KpGr8ZrjFGZ2q39FPpGe9SBR4hJ1e8L9oyvO5JS7Eh4LVdjwsD8B13nQ 7iv6jdCWVIWXh41fB4dcCUvLYqd9d75bACQ4JQVR3ycON9Qwt2XiUyVk iBYm7cp9C78+Uj0/P3TClk90GtZaAb3+JXUZZvrK08HnivVtmTta1Laj TVk= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - gtld-servers.net. IN DS - SECTION AUTHORITY - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306061207 20170227050207 16757 net. s53ftACmRAtcKkfowIENgWkCuHNoyesDp5kz1g62Uxm9v03ig4TkMMBW cUMvLFCp1XpmiOx9MX5klfJgFrhQPYmaRBuQaI3nrH6B57kjsphtJYvc B6wyRGPHAg+oNecZqQbUBEkzBrppoe4a5nhlOkLgbHKb5qPbN0tV5wBu x5c= - net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1488288457 1800 900 604800 86400 - net. 900 IN RRSIG SOA 8 1 900 20170307132737 20170228121737 16757 net. x5j/Iiv9Bey7T4FSeICdJrAyn5tEubHlhQXGmjM4KAVEq1CybM70rL7s HrwAhyiC/9RobYaMhM4fxmji3h8vWYbWauGMZ5XXmRGL66jE6Zq/M99v zk7RDnedNS+vPAv49PJ5aICGs4hfapPg3Kwf/KKwDzzvactaRYPvptLX u74= - 5QD8VL68T2I9KOBD32KJ8LJVH5OH2PQ0.net. 86400 IN NSEC3 1 1 0 - 5QDPPOTUK27KKP9LIGTRB0K1CBVM9CIM NS DS RRSIG - 5QD8VL68T2I9KOBD32KJ8LJVH5OH2PQ0.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306060531 20170227045531 16757 net. uV9O+X7Vk1+dgIdqY2qE5RvN4B4Nv+xDLjd5V30sapNI8ARrA8d9pEVY qGNU5tF8+VT3lukCjvfgfopyTjw+SO+x4fwpZenmehwgNFkMHYWAv/1l xrdZHw60JMa/jWy+Rtdqi2uBJMGldGEIiuLEHgkKAjub2wtdiEkl2Azo AeY= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - gtld-servers.net. IN NS - - SECTION AUTHORITY - gtld-servers.net. 172800 IN NS av1.nstld.com. - gtld-servers.net. 172800 IN NS av2.nstld.com. - gtld-servers.net. 172800 IN NS av3.nstld.com. - gtld-servers.net. 172800 IN NS av4.nstld.com. - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306061207 20170227050207 16757 net. s53ftACmRAtcKkfowIENgWkCuHNoyesDp5kz1g62Uxm9v03ig4TkMMBW cUMvLFCp1XpmiOx9MX5klfJgFrhQPYmaRBuQaI3nrH6B57kjsphtJYvc B6wyRGPHAg+oNecZqQbUBEkzBrppoe4a5nhlOkLgbHKb5qPbN0tV5wBu x5c= - 5QD8VL68T2I9KOBD32KJ8LJVH5OH2PQ0.net. 86400 IN NSEC3 1 1 0 - 5QDPPOTUK27KKP9LIGTRB0K1CBVM9CIM NS DS RRSIG - 5QD8VL68T2I9KOBD32KJ8LJVH5OH2PQ0.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306060531 20170227045531 16757 net. uV9O+X7Vk1+dgIdqY2qE5RvN4B4Nv+xDLjd5V30sapNI8ARrA8d9pEVY qGNU5tF8+VT3lukCjvfgfopyTjw+SO+x4fwpZenmehwgNFkMHYWAv/1l xrdZHw60JMa/jWy+Rtdqi2uBJMGldGEIiuLEHgkKAjub2wtdiEkl2Azo AeY= - - SECTION ADDITIONAL - av1.nstld.com. 172800 IN A 192.42.177.30 - av1.nstld.com. 172800 IN AAAA 2001:500:124::30 - av2.nstld.com. 172800 IN A 192.42.178.30 - av2.nstld.com. 172800 IN AAAA 2001:500:125::30 - av3.nstld.com. 172800 IN A 192.82.133.30 - av3.nstld.com. 172800 IN AAAA 2001:500:126::30 - av4.nstld.com. 172800 IN A 192.82.134.30 - av4.nstld.com. 172800 IN AAAA 2001:500:127::30 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qname qtype - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - a.gtld-servers.net. IN A - SECTION ANSWER - a.gtld-servers.net. 172800 IN A 192.5.6.30 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - gtld-servers.net. IN A - SECTION AUTHORITY - gtld-servers.net. 86400 IN SOA av4.nstld.com. nstld.verisign-grs.com. 2016101000 3600 900 1209600 86400 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - a.root-servers.net. IN A - SECTION AUTHORITY - root-servers.net. 172800 IN NS a.root-servers.net. - SECTION ADDITIONAL - a.root-servers.net. 3600000 IN A 198.41.0.4 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - root-servers.net. IN AAAA - SECTION AUTHORITY - root-servers.net. 172800 IN NS a.root-servers.net. - SECTION ADDITIONAL - a.root-servers.net. 172800 IN A 198.41.0.4 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - mafracz.net. IN DS - SECTION AUTHORITY - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306061207 20170227050207 16757 net. s53ftACmRAtcKkfowIENgWkCuHNoyesDp5kz1g62Uxm9v03ig4TkMMBW cUMvLFCp1XpmiOx9MX5klfJgFrhQPYmaRBuQaI3nrH6B57kjsphtJYvc B6wyRGPHAg+oNecZqQbUBEkzBrppoe4a5nhlOkLgbHKb5qPbN0tV5wBu x5c= - net. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1488288547 1800 900 604800 86400 - net. 900 IN RRSIG SOA 8 1 900 20170307132907 20170228121907 16757 net. y7pu7BBxAqE7l+JB4PIg/2l+WPgeOrSo+TRo2vKqVJFa03GttNi4BlWH s0sT3t4Mr0nvWxNf7PlUUct7KFssGGCu6kXC3RiZsXDaTeAnHjAfk9rg v/z6PM7fU3shLjEXDuIY9GtPAw65nbSeK1Sai/3gWUOnlxo1J2r3VXl3 cfE= - P61KBBD5BIIR8OO46HQUMTGEQAU7RAQJ.net. 86400 IN NSEC3 1 1 0 - P61TM41BB9FNGTRQ6D1PPAU0E9MD6S63 NS DS RRSIG - P61KBBD5BIIR8OO46HQUMTGEQAU7RAQJ.net. 86400 IN RRSIG NSEC3 8 2 86400 20170304061336 20170225050336 16757 net. QKFFK4L57Pzylgc3d/9Z5R++Cqxx5agyEG6HPcGtjCSslA7DEj+qULoy TTWNBpgzPgwwrZy0BdNYBZdC3rpdfiJqCidVXe7bRfUQDHY4NJiuouOv jLGxYf/k8gqKAElV9CriTBkkjALwXdlDvCSMnhczMlu0409YoL3XKBdE TCc= - ENTRY_END - - ENTRY_BEGIN - MATCH opcode subdomain - ADJUST copy_id copy_query - REPLY QR RD DO NOERROR - SECTION QUESTION - mafracz.net. IN NS - SECTION AUTHORITY - mafracz.net. 172800 IN NS ns.mafra.cz. - mafracz.net. 172800 IN NS ns2.mafra.cz. - mafracz.net. 172800 IN NS ns.mafracz.net. - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM - A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 86400 IN RRSIG NSEC3 8 2 86400 20170306061207 20170227050207 16757 net. s53ftACmRAtcKkfowIENgWkCuHNoyesDp5kz1g62Uxm9v03ig4TkMMBW cUMvLFCp1XpmiOx9MX5klfJgFrhQPYmaRBuQaI3nrH6B57kjsphtJYvc B6wyRGPHAg+oNecZqQbUBEkzBrppoe4a5nhlOkLgbHKb5qPbN0tV5wBu x5c= - P61KBBD5BIIR8OO46HQUMTGEQAU7RAQJ.net. 86400 IN NSEC3 1 1 0 - P61TM41BB9FNGTRQ6D1PPAU0E9MD6S63 NS DS RRSIG - P61KBBD5BIIR8OO46HQUMTGEQAU7RAQJ.net. 86400 IN RRSIG NSEC3 8 2 86400 20170304061336 20170225050336 16757 net. QKFFK4L57Pzylgc3d/9Z5R++Cqxx5agyEG6HPcGtjCSslA7DEj+qULoy TTWNBpgzPgwwrZy0BdNYBZdC3rpdfiJqCidVXe7bRfUQDHY4NJiuouOv jLGxYf/k8gqKAElV9CriTBkkjALwXdlDvCSMnhczMlu0409YoL3XKBdE TCc= - SECTION ADDITIONAL - ns.mafracz.net. 165236 IN A 185.17.118.250 - ENTRY_END -RANGE_END - - -RANGE_BEGIN 0 10000 - ADDRESS 194.79.53.77 - ADDRESS 185.17.118.250 - ADDRESS 194.79.55.77 - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id copy_query - REPLY QR AA RD DO NOERROR - SECTION QUESTION - ns.mafracz.net. IN A - SECTION ANSWER - ns.mafracz.net. 600 IN A 185.17.118.250 - SECTION AUTHORITY - mafracz.net. 600 IN NS ns2.mafra.cz. - mafracz.net. 600 IN NS ns.mafracz.net. - mafracz.net. 600 IN NS ns.mafra.cz. - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id copy_query - REPLY QR AA RD DO NOERROR - SECTION QUESTION - lidovky.cz. IN DNSKEY - SECTION ANSWER - lidovky.cz. 3600 IN DNSKEY 256 3 8 AwEAAb8GYuVqOqVTYuppOCtctAHJ38tuSVriiptyQcxdZsU7U7s2XFVp QAuTxxoBOuvJZLMLXNikOki1KCnQx030Zz73AFx8tiPS6rFzR71TJXTC HlpwDnnK3rkdsu6Ay85cLiRtFpgW1D1WPi5oCJWGs4dJ8L5mcoIYikZt 99cfDKY/ - lidovky.cz. 3600 IN DNSKEY 256 3 8 AwEAActfDtlHpl0/2f9qMqDt5uslMzxKDNf4FGklmcG+OO2HuhOhnQVx arB6lYxIKofy+uOvUhyGxlxCq08bVKueBpAt0x5kLMAwhc6zmn8niIE6 +UZxLg7+r2ojLTl0qQ2sMoG6ryo4/1GCEwh/TjJp8PuAzE0Q7yQOE6ed jZkWjraJ - lidovky.cz. 3600 IN DNSKEY 257 3 8 AwEAAeFABHDi1QXB2WaYeLP07RzSfn9IIjMFrL6+obHNgMpY32skT0fX +4YiF1vrAwI3FyvqvLERcUqZl3kMFk/mBDEBcCCP8osbndEUEEg2fVkZ gPDVWT3nCBMXRRuXmddn+L7o18wTUTBbLCxCT22ROOqahUyDEHvHpUbq LTbY+GGnSNzAD9/BWFdMIGOKzQ8oYFFyWDGZYAcznojZO7gvpduw3slg t3YLv4iDxMIgFokCw+qQhf42xtmox7H6KfCaW59PdFfRRAc20JfpGxJ4 m2PAuuacgOoVkqRLqprJ0/NCmMJgQZ3yKQWe2QWfRP9lhmF9HXAVukyy Yh3+JaqulxM= - lidovky.cz. 3600 IN RRSIG DNSKEY 8 2 3600 20170305034217 20170226010009 1901 lidovky.cz. ElBtNV7iyYIWDExYkKJ+pwwIcSwJ6kXfiT3yFiwp43CqXg9KxMK55UBe nCToid81/xgGQmSnmHw8w5LQXs5CjiIamoMYCX0SCie0FsfvFx1871np CvzTeSr4U876wnZVAjmM/FnDP63/4SgIICZpMb3P/MU7M+zr93JgOMXs E0Zp4uR6puh7a52VMRBLBIEx4L8mw2TW3VU9an2FD5r6GnAqI5YqEY8P FpHdkb243AvB3rZBWtDiKFSzD+WsrqrDOL3lmA/Jcb5GcxA2CGxfTSCJ +ndebgdkFSwPXQxW7FQwdS4mTuPixdzonq8XtljLZSomyJ0mnepn0j7k lwklow== - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - lidovky.cz. IN A - SECTION ANSWER - lidovky.cz. 300 IN A 185.17.119.32 - lidovky.cz. 300 IN RRSIG A 8 2 300 20170306080352 20170227090009 61408 lidovky.cz. rDSYYHIlE4Drq4/QLXrTDk+oeY6nh+W0p7cSeH9BGojdE4qIHjWUDjOS C4sEQpZtgG6EKO5j6P2+8bJ/3SmWdFT2GPHgP5eeRHPoo3iaGQMxXebD pbyVHtN//Gb577ycKcbNys/loflzhTWL2K1QXIHk53iWOTlDBg6uJcqi HsI= - SECTION AUTHORITY - lidovky.cz. 300 IN NS ns2.mafra.cz. - lidovky.cz. 300 IN NS ns.mafracz.net. - lidovky.cz. 300 IN NS ns.mafra.cz. - lidovky.cz. 300 IN RRSIG NS 8 2 300 20170304164701 20170225230009 61408 lidovky.cz. QmaLuzIDTiB/QbIgyxPRTVGFG/P5wFyrzlBtK7LIUsVIk8wuM9GudvQx weBiLPbaj28YypIdkS/z12sIawYenv4R9lswSVCOqT2H1KhXMtbW+BMk p5bCyr1mEJfceas6td4gywOydtfjYwU7WBvFPpMszP22p7jrizeQQpNB dK4= - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - www.lidovky.cz. IN A - SECTION ANSWER - www.lidovky.cz. 300 IN CNAME c23.idnes.cz. - www.lidovky.cz. 300 IN RRSIG CNAME 8 3 300 20170305033947 20170226030009 61408 lidovky.cz. VyqkB8Fzxs+LTz9WDKLMmbyrtq+V/5R1sYfYBQJPuVa3pJ1vX2I5M6XK n7TDu9gsW2v+zquOps/8aL/e/+R8ivEJomYzdnvH3EwfgT9WCOYJtlUL +sIq8eu45jXTVsFVLa0Fy5LKeFcfic+4C6AG676o5VSucVJLTWiftW47 RPA= - c23.idnes.cz. 300 IN A 185.17.119.54 - SECTION AUTHORITY - idnes.cz. 300 IN NS ns.mafra.cz. - idnes.cz. 300 IN NS ns2.mafra.cz. - idnes.cz. 300 IN NS ns.mafracz.net. - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - c23.idnes.cz. IN A - SECTION ANSWER - c23.idnes.cz. 300 IN A 185.17.119.54 - SECTION AUTHORITY - idnes.cz. 300 IN NS ns.mafra.cz. - idnes.cz. 300 IN NS ns2.mafra.cz. - idnes.cz. 300 IN NS ns.mafracz.net. - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - ns2.mafra.cz. IN A - SECTION ANSWER - ns2.mafra.cz. 300 IN A 194.79.55.77 - SECTION AUTHORITY - mafra.cz. 300 IN NS ns.mafra.cz. - mafra.cz. 300 IN NS ns2.mafra.cz. - mafra.cz. 300 IN NS ns.mafracz.net. - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA RD DO NOERROR - SECTION QUESTION - ns.mafra.cz. IN A - SECTION ANSWER - ns.mafra.cz. 300 IN A 194.79.53.77 - SECTION AUTHORITY - mafra.cz. 300 IN NS ns.mafra.cz. - mafra.cz. 300 IN NS ns2.mafra.cz. - mafra.cz. 300 IN NS ns.mafracz.net. - SECTION ADDITIONAL - ns2.mafra.cz. 300 IN A 194.79.55.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - lidovky.cz. IN NS - SECTION ANSWER - lidovky.cz. 300 IN NS ns.mafra.cz. - lidovky.cz. 300 IN NS ns2.mafra.cz. - lidovky.cz. 300 IN NS ns.mafracz.net. - lidovky.cz. 300 IN RRSIG NS 8 2 300 20170304164701 20170225230009 61408 lidovky.cz. QmaLuzIDTiB/QbIgyxPRTVGFG/P5wFyrzlBtK7LIUsVIk8wuM9GudvQx weBiLPbaj28YypIdkS/z12sIawYenv4R9lswSVCOqT2H1KhXMtbW+BMk p5bCyr1mEJfceas6td4gywOydtfjYwU7WBvFPpMszP22p7jrizeQQpNB dK4= - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - mafra.cz. IN NS - SECTION ANSWER - mafra.cz. 300 IN NS ns.mafra.cz. - mafra.cz. 300 IN NS ns2.mafra.cz. - mafra.cz. 300 IN NS ns.mafracz.net. - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - mafracz.net. IN NS - SECTION ANSWER - mafracz.net. 300 IN NS ns.mafra.cz. - mafracz.net. 300 IN NS ns2.mafra.cz. - mafracz.net. 300 IN NS ns.mafracz.net. - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO AA NOERROR - SECTION QUESTION - idnes.cz. IN NS - SECTION ANSWER - idnes.cz. 300 IN NS ns2.mafra.cz. - idnes.cz. 300 IN NS ns.mafracz.net. - idnes.cz. 300 IN NS ns.mafra.cz. - - SECTION ADDITIONAL - ns.mafra.cz. 300 IN A 194.79.53.77 - ns.mafracz.net. 600 IN A 185.17.118.250 - ns2.mafra.cz. 300 IN A 194.79.55.77 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - ns.mafra.cz. IN AAAA - SECTION AUTHORITY - mafra.cz. 291 IN SOA ns.mafra.cz. hostmaster.mafra.cz. 2017021601 3600 600 1209600 600 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - ns2.mafra.cz. IN AAAA - SECTION AUTHORITY - mafra.cz. 291 IN SOA ns.mafra.cz. hostmaster.mafra.cz. 2017021601 3600 600 1209600 600 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR RD DO NOERROR - SECTION QUESTION - ns.mafracz.net. IN AAAA - SECTION AUTHORITY - mafracz.net. 600 IN SOA ns.mafracz.net. hostmaster.mafra.cz. 2015061701 3600 600 86400 3600 - ENTRY_END - -RANGE_END - -STEP 1011 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafra.cz. IN A -ENTRY_END - -STEP 1012 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafra.cz. IN A - SECTION ANSWER - ns.mafra.cz. 300 IN A 194.79.53.77 -ENTRY_END - - -STEP 1021 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafracz.net. IN A -ENTRY_END - -STEP 1022 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafracz.net. IN A - SECTION ANSWER - ns.mafracz.net. 600 IN A 185.17.118.250 -ENTRY_END - - -STEP 1031 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - www.lidovky.cz IN A -ENTRY_END - -STEP 1032 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - www.lidovky.cz IN A - SECTION ANSWER - www.lidovky.cz. 251 IN CNAME c23.idnes.cz. - www.lidovky.cz. 251 IN RRSIG CNAME 8 3 300 20170305033947 20170226030009 61408 lidovky.cz. VyqkB8Fzxs+LTz9WDKLMmbyrtq+V/5R1sYfYBQJPuVa3pJ1vX2I5M6XK n7TDu9gsW2v+zquOps/8aL/e/+R8ivEJomYzdnvH3EwfgT9WCOYJtlUL +sIq8eu45jXTVsFVLa0Fy5LKeFcfic+4C6AG676o5VSucVJLTWiftW47 RPA= - c23.idnes.cz. 251 IN A 185.17.119.54 -ENTRY_END - - -STEP 2011 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafra.cz. IN A -ENTRY_END - -STEP 2012 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafra.cz. IN A - SECTION ANSWER - ns.mafra.cz. 300 IN A 194.79.53.77 -ENTRY_END - - -STEP 2021 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafracz.net. IN A -ENTRY_END - -STEP 2022 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafracz.net. IN A - SECTION ANSWER - ns.mafracz.net. 600 IN A 185.17.118.250 -ENTRY_END - - -STEP 2031 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - www.lidovky.cz IN A -ENTRY_END - -STEP 2032 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - www.lidovky.cz IN A - SECTION ANSWER - www.lidovky.cz. 251 IN CNAME c23.idnes.cz. - www.lidovky.cz. 251 IN RRSIG CNAME 8 3 300 20170305033947 20170226030009 61408 lidovky.cz. VyqkB8Fzxs+LTz9WDKLMmbyrtq+V/5R1sYfYBQJPuVa3pJ1vX2I5M6XK n7TDu9gsW2v+zquOps/8aL/e/+R8ivEJomYzdnvH3EwfgT9WCOYJtlUL +sIq8eu45jXTVsFVLa0Fy5LKeFcfic+4C6AG676o5VSucVJLTWiftW47 RPA= - c23.idnes.cz. 251 IN A 185.17.119.54 -ENTRY_END - - -STEP 3011 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafra.cz. IN A -ENTRY_END - -STEP 3012 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafra.cz. IN A - SECTION ANSWER - ns.mafra.cz. 300 IN A 194.79.53.77 -ENTRY_END - - -STEP 3021 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafracz.net. IN A -ENTRY_END - -STEP 3022 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafracz.net. IN A - SECTION ANSWER - ns.mafracz.net. 600 IN A 185.17.118.250 -ENTRY_END - - -STEP 3031 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - www.lidovky.cz IN A -ENTRY_END - -STEP 3032 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - www.lidovky.cz IN A - SECTION ANSWER - www.lidovky.cz. 251 IN CNAME c23.idnes.cz. - www.lidovky.cz. 251 IN RRSIG CNAME 8 3 300 20170305033947 20170226030009 61408 lidovky.cz. VyqkB8Fzxs+LTz9WDKLMmbyrtq+V/5R1sYfYBQJPuVa3pJ1vX2I5M6XK n7TDu9gsW2v+zquOps/8aL/e/+R8ivEJomYzdnvH3EwfgT9WCOYJtlUL +sIq8eu45jXTVsFVLa0Fy5LKeFcfic+4C6AG676o5VSucVJLTWiftW47 RPA= - c23.idnes.cz. 251 IN A 185.17.119.54 -ENTRY_END - - -STEP 4011 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafra.cz. IN A -ENTRY_END - -STEP 4012 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafra.cz. IN A - SECTION ANSWER - ns.mafra.cz. 300 IN A 194.79.53.77 -ENTRY_END - - -STEP 4021 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - ns.mafracz.net. IN A -ENTRY_END - -STEP 4022 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - ns.mafracz.net. IN A - SECTION ANSWER - ns.mafracz.net. 600 IN A 185.17.118.250 -ENTRY_END - - -STEP 4031 QUERY -ENTRY_BEGIN - REPLY RD DO - SECTION QUESTION - www.lidovky.cz IN A -ENTRY_END - -STEP 4032 CHECK_ANSWER -ENTRY_BEGIN - MATCH rcode question answer flags - REPLY QR RD RA NOERROR - SECTION QUESTION - www.lidovky.cz IN A - SECTION ANSWER - www.lidovky.cz. 251 IN CNAME c23.idnes.cz. - www.lidovky.cz. 251 IN RRSIG CNAME 8 3 300 20170305033947 20170226030009 61408 lidovky.cz. VyqkB8Fzxs+LTz9WDKLMmbyrtq+V/5R1sYfYBQJPuVa3pJ1vX2I5M6XK n7TDu9gsW2v+zquOps/8aL/e/+R8ivEJomYzdnvH3EwfgT9WCOYJtlUL +sIq8eu45jXTVsFVLa0Fy5LKeFcfic+4C6AG676o5VSucVJLTWiftW47 RPA= - c23.idnes.cz. 251 IN A 185.17.119.54 -ENTRY_END - -SCENARIO_END diff -Nru knot-resolver-5.2.1/lib/cache/overflow.test.integr/world_cz_vutbr_www.rpl knot-resolver-5.3.1/lib/cache/overflow.test.integr/world_cz_vutbr_www.rpl --- knot-resolver-5.2.1/lib/cache/overflow.test.integr/world_cz_vutbr_www.rpl 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/overflow.test.integr/world_cz_vutbr_www.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,298 @@ +do-ip4: no + +; test with real world Internet data +; attempt to resolve www.vutbr.cz. A leads to CNAME piranha.ro.vutbr.cz. +; sub-trees vutbr.cz and ro.vutbr.cz. are in separate zones +; hosted on the same servers with different DNSKEYs + +val-override-date: 20170124180319 +trust-anchor: ". 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" +stub-addr: 2001:dc3::35 +CONFIG_END + +SCENARIO_BEGIN www.vutbr.cz. CNAME kresd issue #130 + +; DNS root ; M.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 2001:dc3::35 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO NOERROR +SECTION QUESTION +. IN DNSKEY +SECTION ANSWER +. 16567 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0= +. 16567 IN DNSKEY 256 3 8 AwEAAYvgWbYkpeGgdPKaKTJU3Us4YSTRgy7+dzvfArIhi2tKoZ/WR1Df w883SOU6Uw7tpVRkLarN0oIMK/xbOBD1DcXnyfElBwKsz4sVVWmfyr/x +igD/UjrcJ5zEBUrUmVtHyjar7ccaVc1/3ntkhZjI1hcungAlOhPhHlk MeX+5Azx6GdX//An5OgrdyH3o/JmOPMDX1mt806JI/hf0EwAp1pBwo5e 8SrSuR1tD3sgNjr6IzCdrKSgqi92z49zcdis3EaY199WFW60DCS7ydu+ +T5Xa+GyOw1quagwf/JUC/mEpeBQYWrnpkBbpDB3sy4+P2i8iCvavehb RyVm9U0MlIc= +. 16567 IN RRSIG DNSKEY 8 0 172800 20170201000000 20170111000000 19036 . Sh+EpofvZgk3J9szMD2B94FxFgyIUKz3hkbCjgWSTqPQyhqNgqVU8QlS EtOo8YLmS4AX98eit5Gmmb2ObpkGoXBmAzu5w/Qt5WsGsWzLQhYrsy9s lDmFQ2JKUoCyfdwqhlJ8VxjzdFdMUiVl+/GPnv4yjxjM8Ke3VAtBkn6n BO7JkcxxOfcgZdZ4MuvSr40K/SenZE+JlLLL1LF4TMCGqaZTTdOx6kFF KSSgy2AS884htWcK0tnwRc630g6nAI2wdvjlRLBeisbfXanI4v8iiPyT FnMmnV7wJGWJ4gtRJ0UH3u5RWXUPZ+s1tKytk3slXbLyQ9xkEDveuD+h b659gQ== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR DO NOERROR +SECTION QUESTION +cz. IN NS +SECTION AUTHORITY +cz. 172800 IN NS d.ns.nic.cz. +cz. 172800 IN NS a.ns.nic.cz. +cz. 172800 IN NS c.ns.nic.cz. +cz. 172800 IN NS b.ns.nic.cz. +cz. 86400 IN DS 54576 10 2 397E50C85EDE9CDE33F363A9E66FD1B216D788F8DD438A57A423A386 869C8F06 +cz. 86400 IN RRSIG DS 8 1 86400 20170202170000 20170120160000 61045 . ig2BBmA1kOuTqhVogqLciH40Ina7BCrG/fcaNARSWoaFHGOcC/7KsBZO uMttn/hKDJkH3RPsed2Oswl9bXZ+zrhjeXluUqC0zmsUJDBkS+AkiFJL HCpMSIZaXu/w1ZMADGfyQXl7XWCRbl+eyXi2eTG0SdLtRHNhm3CGJP3C xjzVuOTr9oPEyL0U81jhhlJPCFe8xDD441wLLzpEuVX8VP9N2S1QnIjO BhCEE9OTkPgpS7fMPEl0Yq2gfpRl+DCw1Dd0VB3Hh5M3hmrXuFqNYZQK b0JqDFGYhzvcpUs3EiB9IG7rJt51n6pxCTek1M2w+s6mLYzawVfq+b1Q uQD98A== +SECTION ADDITIONAL +a.ns.nic.cz. 172800 IN A 194.0.12.1 +b.ns.nic.cz. 172800 IN A 194.0.13.1 +c.ns.nic.cz. 172800 IN A 194.0.14.1 +d.ns.nic.cz. 172800 IN A 193.29.206.1 +a.ns.nic.cz. 172800 IN AAAA 2001:678:f::1 +b.ns.nic.cz. 172800 IN AAAA 2001:678:10::1 +c.ns.nic.cz. 172800 IN AAAA 2001:678:11::1 +d.ns.nic.cz. 172800 IN AAAA 2001:678:1::1 +ENTRY_END +; end of M.ROOT-SERVERS.NET. +RANGE_END + + +; domains: cz. ; ?.ns.nic.cz. +RANGE_BEGIN 0 100 + ADDRESS 194.0.12.1 + ADDRESS 194.0.13.1 + ADDRESS 194.0.14.1 + ADDRESS 193.29.206.1 + ADDRESS 2001:678:f::1 + ADDRESS 2001:678:10::1 + ADDRESS 2001:678:11::1 + ADDRESS 2001:678:1::1 + + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA RD NOERROR +SECTION QUESTION +cz. IN DNSKEY +SECTION ANSWER +cz. 18000 IN DNSKEY 256 3 10 AwEAAc9e2YFnG56xtTXu42GLGAkwsrFOBBwOZphNat7HQdBmfi0CbmDf oywCUsaSkObNmm+Zu9MYLNJDHsD+vxsZbtHClpYaSEhMEmHrbnj0BMPV A6hwY6YDGFhKudJ62RmB/rmhQ3iwmICsEdRn2w5fu1rHZv8UJOUMkeWd 6GA48mW3 +cz. 18000 IN DNSKEY 256 3 10 AwEAAdWL2Br92Vx0dLEOOB8y02ss8LtKIyGlLJ2ymJ02WqR3AAEEZN0f NPKF77kdKsjlG8DlzmSIOR12aa9EhpXqyHOwWI0kHOMJVnn6ZKFIAl71 JP/dYIcshYUxKZZMe+zEAUrVtzlLVDtM6cDOPDuBNa1ujYec3eJl9Ipq eUEG6gAH +cz. 18000 IN DNSKEY 257 3 10 AwEAAay0hi4HN2r/BqMQTpIPIVDyjmyF+9ZWvr5Lewx+q+947o/GrRv4 FGFfkZxf9CFfYVUf0jG5Yq4i06pGVNwJl81HS9Ux2oeHRXUvgtLnl5He RVLL+zgI5byx9HSNr4bPO8ZEn5OjoayhkNyGSFr4VWrzQk/K02vLP4d1 cCEzUQy30eyZto2/tG5ZwCU/iRkS1PJOcOW98hiFIfFDZv1XjbEpqEYh T2PATs6rt+BKwSHKGISmg1PNdg+y0rItemYMWr1f9BGAdtTWoPCPCYPj OZMPoIyA4tMscD+ww54Jf/QNoHccY4hO1yHiuAXG7SUn8jo0IKQ9W7JJ xES0aqFCX/0= +cz. 18000 IN RRSIG DNSKEY 10 1 18000 20170127000000 20170120000000 54576 cz. Fdl//hMdLoZq8//gLt/+3a7LfWqB5/psW9YR3AWNPQGfvrEAcKRBcah+ ikbSCmpAZ6j834xZP1zPd5xMoN33PGXf23iqcgjHvUn50Uq48KRBVYwU H885xNJBl/Po0N8STeG0WNZz2mbUbBbPCGN7CI5yl08usvqOvf2fV8+D 0m//+Fa1cWaqMXpHc6OnhWZ+BN4VdcxxwNbGhH2TZxyiGEMMscEGoIxn yL1pVY8T93LOMwQmuFJ71f8Scij3vYouW/mNuEma/UUZM1bEn8vR1UrP /6JTGPGTG+snHvCxiVtAxCNnqoIJDD+xuonpZLeKN5XU7UDMZPDTtSgX vtzjww== +cz. 18000 IN RRSIG DNSKEY 10 1 18000 20170205002523 20170123080953 58211 cz. MZ6KTtQisTde4iOBH6oasl7bVrRM5ly7Yxdv2l+2gk1YYk4zX6L3m6oB P26SKi+fj8pM77775bRK7uCI9FlyqXa3MJclLU/GmnRANm6T4sSdz0zs F3FK4UfUmHnzdnWXWTnueDfIZr44yF1y1+4I3E96/9/nEYGO+xsifvIj iks= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR DO NOERROR +SECTION QUESTION +vutbr.cz. IN NS +SECTION AUTHORITY +vutbr.cz. 18000 IN NS pipit.cis.vutbr.cz. +vutbr.cz. 18000 IN NS rhino.cis.vutbr.cz. +vutbr.cz. 18000 IN DS 5512 5 2 78510F9433A4D536A5B9099193E9D58EE5B5CF71F14D983B4DA2EB16 29CFA1E9 +vutbr.cz. 18000 IN RRSIG DS 10 2 18000 20170204213601 20170123080953 58211 cz. lXNBswz/r/1NY7VQq+BlisC+1yqFmUBIaF30L8XDAbiHLcj/AIj0dEy6 PlBlkEeDAi4W9DvR0jo9LjHvFFJLs54cuEEd3pHTdlw8x0dLd1X7Zkh7 cezfAt2EEqdux/ce/sc86lUKOpLnDtry2piWwVf2EqFg9NlW4cHTm78U gsY= +SECTION ADDITIONAL +pipit.cis.vutbr.cz. 18000 IN A 77.93.219.110 +rhino.cis.vutbr.cz. 18000 IN A 147.229.3.10 +pipit.cis.vutbr.cz. 18000 IN AAAA 2a01:430:120::4d5d:db6e +rhino.cis.vutbr.cz. 18000 IN AAAA 2001:67c:1220:e000::93e5:30a +ENTRY_END + +; end of domain cz.: servers ?.ns.nic.cz. +RANGE_END + + +; domains: vutbr.cz. + ro.vutbr.cz. +; servers: pipit.cis.vutbr.cz. + rhino.cis.vutbr.cz. + shark.ro.vutbr.cz. +; shark.ro.vutbr.cz. in fact serves both domains but is listed only in ro.vutbr.cz NS +RANGE_BEGIN 0 100 + ADDRESS 77.93.219.110 + ADDRESS 147.229.3.10 + ADDRESS 147.229.2.59 + ADDRESS 2a01:430:120::4d5d:db6e + ADDRESS 2001:67c:1220:e000::93e5:30a + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO +SECTION QUESTION +vutbr.cz. IN NS +SECTION ANSWER +vutbr.cz. 28800 IN NS rhino.cis.vutbr.cz. +vutbr.cz. 28800 IN NS pipit.cis.vutbr.cz. +vutbr.cz. 28800 IN RRSIG NS 5 2 28800 20170216060902 20170117060902 39756 vutbr.cz. y6Jj5vfvdlLeecB/++/qyhjCzfnFJyY1sX1Ja+wV0ulq3laeCVV7ICXh PKG+CjHUu/nDOrzT9QJP4qxYDCANneI0yxI82XKhhoTN5O/TxyWH/DyT k8JarRoMooHv2RwKd8jtLIxvj1SaJ+AvlP0pOPraaVgbHtn1SJ4ubxQD cFc= +SECTION ADDITIONAL +pipit.cis.vutbr.cz. 86400 IN A 77.93.219.110 +pipit.cis.vutbr.cz. 86400 IN AAAA 2a01:430:120::4d5d:db6e +rhino.cis.vutbr.cz. 86400 IN A 147.229.3.10 +rhino.cis.vutbr.cz. 86400 IN AAAA 2001:67c:1220:e000::93e5:30a +pipit.cis.vutbr.cz. 86400 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. Cz9etHnEOQTzu+6rYJEqx/SQ1tQgPOCyf8HSj4KOsx89jtgiHNC6pep6 ZE0SphMGAs3jC/uGIhlaFNZ3i38OQIMuqwacbz+XZyW5bByvV3QZrhqh dFxMDfmPuNiCAT3crFpUkvVW1OE3YfGHzZGXX7JP5wb1b8A3X6Qih7fV +nQ= +pipit.cis.vutbr.cz. 86400 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. piafjh6my2fooZRrzwCu9RQ95gYaMQkhIkDaGX/fT6wXzSdmgFZkS1Nl EMIKdDCQaPrLGMG3p32ptMkAm4esPekeyNtLSMBtXwZyUkgEGn6h1QM2 Yr3TOo8cixfk5nmRRdlYadf5krLb8yI9exiqeymgEQLa1YNRz/bWArlX bn8= +rhino.cis.vutbr.cz. 86400 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. X/tDf8e3JEV0LxiItfpQnBzeaRIq693VG8d30iCH4/1I0uqyCfxboWmm /CBpn9A8MCJu9NEEv+4+povNlfUfqi2yjsqJEVj8ztHxD4g9cc284Cv6 ySjxrSZ9axVqoaopEXujiTwwWJUFcgF6pxqyXVksW7sgKJrboM4VSlQD +Sw= +rhino.cis.vutbr.cz. 86400 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. T3Yf5PAkSeJtoOH90ea9zZBG9FC3iFhiCSerDn6d9up8GRfzxDsavYJC zQu+3vnOySySn+3TMzQSSFcWdJC2iO7ulaDGr177Gof9QJbKSVSMW7jt YDE2f4/R4Go3NZVwjk/HfpCInoR6pHNA1s/9hMnWtiVopmBdfzyd3/sW YOU= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO +SECTION QUESTION +vutbr.cz. IN DNSKEY +SECTION ANSWER +vutbr.cz. 28800 IN DNSKEY 256 3 5 AwEAAfwRRuGjpt9v4fzuIWFA9MtGfxDrIKhoFA7DNq6B+iCOoQb6t0HZ I9lGDUSR5DRswDGP569NJ/uVD4tJxGnaK2SBQVxIu+bEP1Ouzk+O43iO 8odw50NBWetljjNDP32B3zHpgJRpxyEqzDQaQ6B4Zer6sDZm9wo5SVJe r9LjJV9p +vutbr.cz. 28800 IN DNSKEY 257 3 5 AwEAAfhR+s/4SLZZNA+kD2u1UgYBUu+X3Avi60QCaE1o2STterM405s8 mWMWJOlZGtjjIky3TEMxQ0+ZtMbEeJu2wNDLdV/XglX+pJAjyy728WJH 4u2/gJR8ZWsEIc0Jwb4FjwmBiF2Koz0SGVvrzEZ9T1H7dHq2X6f8KzYB otJyrAIWr9tZi/9tHrngZJ5wXELmMPWCfEFapdQMoKWoNvzrMYFli17R Mz7gJzCmNxMRV8/WkjsNPgYsTKpsAT8qEsXiTN9987AIKPHvc5j+/njq +fTXdOqGVpIgSiso+qJMddEMBcu/MBBYVFOwRQe1ez2tMwIX7y5mwDvK 0wsmyRvHugfFuxSnfiJvQr05kSnj0wxD9s9LNhrF4PocrcYqnBN/lBx9 D6633jJ3zT3T5Foe/Vj9A/X7F2oN6FOkdwO+YSEUot980pJQut6DR22U P4bLakyDMiTdOQ31c/dRIoTsccxw+838pXFyEPgiqOHRSeN/w9km6BID cl+32Xq97kXSMQH6AxOUsx9/Mxdj7ISwbS4utaAWoP460+TMcnfJfWfB NEWhuFvnfB9l63ZjZToB2PUVhrTxRwKUlfMLegSJKoZfiae82kK1pN4x FYyquKSykm/oXsM2w4OQvpqGcTwAXzZ5s95J45f7PsCap0bscGKumxsH cDswWpUz/UVosIrr +vutbr.cz. 28800 IN RRSIG DNSKEY 5 2 28800 20170216060902 20170117060902 5512 vutbr.cz. QHw07MAjA4NFi3On8zaMw/q4IuADXVp4TODfK5PHb8OUIX2Yy+bKLrSX /Cc9ClWUpE69x80F9dFEeRZGJiYOwstNQGQVeq/EKNytm1XmhS8cp3SW CYHBpLjZGPrlhvqPhWd0S4vqPNiD8hDzgFAgaCNfwXDDKXhF2/qtpQ0V pDnytMP6pNPLPMpF2hzaLfCMzABShxcEOAr7+KTbxbffOik4YneG8seu XDtBvCVjP8lJcSU+q+UbotLnjyOgn8vV8pliTNqcvRsJTdtvTlJKHu8B iLkFeCE1DpRhyrVT5zC9NSOcoIv7tau2NE2oUPgtRzK76el6i9L9LcSs G+59j02AINefpAtc6W2khmTnGthibeOy/F9FuFkXUy6AmqIdNszMAj++ 8Mzv3A1OHfsfpIS3tLmC4drhdSHr2ab0Pe0lYQq2a9FSeQzSk6s9gwwZ gMVPVQHbouyvn6BCHaRVDjTV8GPKlk3C8GNaHcHb1hAGSPpw3kqL41dd K92Un4tLIoOYomxUYoyMtyxxwddXyR7ivToUHF7e/yv8MACMEo72N9sf y4zLEqkL1mJ1pCp3csI1bKaaA/c7sqb7PX93iqvoY06k55Pd7kT+lAF1 7QvXGg4U1kDrwytQPyocN8wmsX3//CpWUD07v8fCUqKOcIrVNGnoPmPC PpNe3AtpJoE= +vutbr.cz. 28800 IN RRSIG DNSKEY 5 2 28800 20170216060902 20170117060902 39756 vutbr.cz. CNDE7Ht7xm8Jo9tuOlJ8N9+vI/Htfpk53MI0HG7B1EZJws/yEV7YFOOL SIAt3rzu1OHjaxr4CG/baqGRPtsaWSBHuLSdSduivxXw8xiQcMKzP6Cz 7xhJkQZxzDJ4oO5L2K2zWHcAJ8lfP1/3NHHoH1p2RATLN5sI7ofQE//W +ck= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO +SECTION QUESTION +www.vutbr.cz. IN A +SECTION ANSWER +www.vutbr.cz. 300 IN CNAME piranha.ro.vutbr.cz. +www.vutbr.cz. 300 IN RRSIG CNAME 5 3 300 20170216060902 20170117060902 39756 vutbr.cz. 9B3UC5SOEw1+yKlYlOTINEuNq0Kdglywc5IYJwzeSzQ3ykptzZo3ABSy bYhTqImVkhm/4NFM9/4HWMHPDzTmrWS0mCI/ljCd/oe/PxW/uESvo4P5 EQzlcuH6xBzc1KdEFAJOSmRzFjj3vyK1QN3k/c+1y2oMFOYOR2oOzCw+ MIE= +piranha.ro.vutbr.cz. 3600 IN A 147.229.2.90 +piranha.ro.vutbr.cz. 3600 IN RRSIG A 5 4 3600 20170222120032 20170123120032 12150 ro.vutbr.cz. Jz8bcAADQjCKTCcF70IK1aHGQlM4ukyN0myABlxoPaqid1mHX5jwR91b kdQmUAh2xDitlgRLbFjbUUgmjSPzQ5Qt7GAFUsVmqxvjbOLZjqHER1dh zmiWO0fDvvP647Osv3RiAP822rNUJcJrUBZU9LmeP05gwIHcpJrhdVBT b7I= +SECTION AUTHORITY +ro.vutbr.cz. 86400 IN NS shark.ro.vutbr.cz. +ro.vutbr.cz. 86400 IN NS rhino.cis.vutbr.cz. +ro.vutbr.cz. 86400 IN NS pipit.cis.vutbr.cz. +ro.vutbr.cz. 86400 IN RRSIG NS 5 3 86400 20170222120032 20170123120032 12150 ro.vutbr.cz. HAQ8A+QNsS1WIXdW/fbT3jP+IxObBBvgUmvzsmJBXo8HMtnMAcuCQGmB 2JBQsQethQXsdyLnMK8to/5A9VRkqkAa7edxUoy7SdDi/mzGeLAVhF+5 kXSPD6t1vjiNdnIYAMpiOQbodCGxAnq6jnNyrjEzffdq3qw+5IkFNdG4 7Pw= +SECTION ADDITIONAL +rhino.cis.vutbr.cz. 83217 IN A 147.229.3.10 +rhino.cis.vutbr.cz. 83217 IN AAAA 2001:67c:1220:e000::93e5:30a +shark.ro.vutbr.cz. 3600 IN A 147.229.2.59 +pipit.cis.vutbr.cz. 14794 IN A 77.93.219.110 +pipit.cis.vutbr.cz. 14794 IN AAAA 2a01:430:120::4d5d:db6e +rhino.cis.vutbr.cz. 83217 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. X/tDf8e3JEV0LxiItfpQnBzeaRIq693VG8d30iCH4/1I0uqyCfxboWmm /CBpn9A8MCJu9NEEv+4+povNlfUfqi2yjsqJEVj8ztHxD4g9cc284Cv6 ySjxrSZ9axVqoaopEXujiTwwWJUFcgF6pxqyXVksW7sgKJrboM4VSlQD +Sw= +rhino.cis.vutbr.cz. 83217 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. T3Yf5PAkSeJtoOH90ea9zZBG9FC3iFhiCSerDn6d9up8GRfzxDsavYJC zQu+3vnOySySn+3TMzQSSFcWdJC2iO7ulaDGr177Gof9QJbKSVSMW7jt YDE2f4/R4Go3NZVwjk/HfpCInoR6pHNA1s/9hMnWtiVopmBdfzyd3/sW YOU= +shark.ro.vutbr.cz. 3600 IN RRSIG A 5 4 3600 20170222120032 20170123120032 12150 ro.vutbr.cz. SmhgyF48yX/6yH7AdSmGX60NL/xaiKH/oAzB0rnPfQZ6j+UfV57ginVV lj798K9A8jjucUpqE8ua2mZ6/aOhpqlV2iI0CZXG44zOupsCY1/OXBDx YNetBcjoXDQCBQRLLLEUL5FerDVxqT74ngdLdKubwRdrB0TLQlvpBr+F Tc8= +pipit.cis.vutbr.cz. 85923 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. Cz9etHnEOQTzu+6rYJEqx/SQ1tQgPOCyf8HSj4KOsx89jtgiHNC6pep6 ZE0SphMGAs3jC/uGIhlaFNZ3i38OQIMuqwacbz+XZyW5bByvV3QZrhqh dFxMDfmPuNiCAT3crFpUkvVW1OE3YfGHzZGXX7JP5wb1b8A3X6Qih7fV +nQ= +pipit.cis.vutbr.cz. 85923 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. piafjh6my2fooZRrzwCu9RQ95gYaMQkhIkDaGX/fT6wXzSdmgFZkS1Nl EMIKdDCQaPrLGMG3p32ptMkAm4esPekeyNtLSMBtXwZyUkgEGn6h1QM2 Yr3TOo8cixfk5nmRRdlYadf5krLb8yI9exiqeymgEQLa1YNRz/bWArlX bn8= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO +SECTION QUESTION +ro.vutbr.cz. IN NS +SECTION ANSWER +ro.vutbr.cz. 86400 IN NS pipit.cis.vutbr.cz. +ro.vutbr.cz. 86400 IN NS rhino.cis.vutbr.cz. +ro.vutbr.cz. 86400 IN NS shark.ro.vutbr.cz. +ro.vutbr.cz. 86400 IN RRSIG NS 5 3 86400 20170222120032 20170123120032 12150 ro.vutbr.cz. HAQ8A+QNsS1WIXdW/fbT3jP+IxObBBvgUmvzsmJBXo8HMtnMAcuCQGmB 2JBQsQethQXsdyLnMK8to/5A9VRkqkAa7edxUoy7SdDi/mzGeLAVhF+5 kXSPD6t1vjiNdnIYAMpiOQbodCGxAnq6jnNyrjEzffdq3qw+5IkFNdG4 7Pw= +SECTION ADDITIONAL +rhino.cis.vutbr.cz. 86400 IN A 147.229.3.10 +rhino.cis.vutbr.cz. 86400 IN AAAA 2001:67c:1220:e000::93e5:30a +shark.ro.vutbr.cz. 3600 IN A 147.229.2.59 +pipit.cis.vutbr.cz. 86400 IN A 77.93.219.110 +pipit.cis.vutbr.cz. 86400 IN AAAA 2a01:430:120::4d5d:db6e +rhino.cis.vutbr.cz. 86400 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. X/tDf8e3JEV0LxiItfpQnBzeaRIq693VG8d30iCH4/1I0uqyCfxboWmm /CBpn9A8MCJu9NEEv+4+povNlfUfqi2yjsqJEVj8ztHxD4g9cc284Cv6 ySjxrSZ9axVqoaopEXujiTwwWJUFcgF6pxqyXVksW7sgKJrboM4VSlQD +Sw= +rhino.cis.vutbr.cz. 86400 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. T3Yf5PAkSeJtoOH90ea9zZBG9FC3iFhiCSerDn6d9up8GRfzxDsavYJC zQu+3vnOySySn+3TMzQSSFcWdJC2iO7ulaDGr177Gof9QJbKSVSMW7jt YDE2f4/R4Go3NZVwjk/HfpCInoR6pHNA1s/9hMnWtiVopmBdfzyd3/sW YOU= +shark.ro.vutbr.cz. 3600 IN RRSIG A 5 4 3600 20170222120032 20170123120032 12150 ro.vutbr.cz. SmhgyF48yX/6yH7AdSmGX60NL/xaiKH/oAzB0rnPfQZ6j+UfV57ginVV lj798K9A8jjucUpqE8ua2mZ6/aOhpqlV2iI0CZXG44zOupsCY1/OXBDx YNetBcjoXDQCBQRLLLEUL5FerDVxqT74ngdLdKubwRdrB0TLQlvpBr+F Tc8= +pipit.cis.vutbr.cz. 86400 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. Cz9etHnEOQTzu+6rYJEqx/SQ1tQgPOCyf8HSj4KOsx89jtgiHNC6pep6 ZE0SphMGAs3jC/uGIhlaFNZ3i38OQIMuqwacbz+XZyW5bByvV3QZrhqh dFxMDfmPuNiCAT3crFpUkvVW1OE3YfGHzZGXX7JP5wb1b8A3X6Qih7fV +nQ= +pipit.cis.vutbr.cz. 86400 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. piafjh6my2fooZRrzwCu9RQ95gYaMQkhIkDaGX/fT6wXzSdmgFZkS1Nl EMIKdDCQaPrLGMG3p32ptMkAm4esPekeyNtLSMBtXwZyUkgEGn6h1QM2 Yr3TOo8cixfk5nmRRdlYadf5krLb8yI9exiqeymgEQLa1YNRz/bWArlX bn8= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO +SECTION QUESTION +ro.vutbr.cz. IN DS +SECTION ANSWER +ro.vutbr.cz. 28800 IN DS 16627 5 2 1AEE56EAF9D01A51C8C524E55A7FAE0E27207911F0FA6126052CE5B3 39335FC8 +ro.vutbr.cz. 28800 IN DS 16627 5 1 BFDFD0FB1EDFCEBFB9ECB13C93F9CA65755217BA +ro.vutbr.cz. 28800 IN RRSIG DS 5 3 28800 20170216060902 20170117060902 39756 vutbr.cz. OOJfGI14bRHqeWhRLMOa75pfHo+clR4rMJpvO3PPjmheownqy2awA7u3 xR5FJko7A6e+difoJdAWCMzN7x1qcrd1htOOKOc7wtcb+QC2JH8B/e0G 0gNPw2UKsFL1Qw9HQkSqxyIaCGg3nMLO1hh3AVccZadw2f/jLpAzw5/1 pLA= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO +SECTION QUESTION +ro.vutbr.cz. IN DNSKEY +SECTION ANSWER +ro.vutbr.cz. 3600 IN DNSKEY 256 3 5 AwEAAb4tyN4pqltB48s1xQS3ZPXnTZJMvgXxiouXU9xtzj4wnhjhZp45 H7ozslWuksrwQWhZ8AASAD5kPFbQRbwpQ7xbEb3xdKHaWCFpyRCTkrqa ZQZQy4gaVqO+oRW42dIQ9K08A/WfvRuRDtw3VWDATp9pUkgpvb1n6+lp 71YK19RX +ro.vutbr.cz. 3600 IN DNSKEY 257 3 5 AwEAAef6bqTAl94KddNHvit41gw6QBKkiYjUeS+UP58VHybV29RC7sSE +rYmkXabaMOLmoqMQRMepBEaUdM5OoZBWibHrPAbG0Wf+vlMOoWD5+EC 2mCxrUntIlOuS4XpMTh22+l0k1xSPiMGKjY0BDR95Iu3dDezCVl9PkPp tHj/rAnRTH7Q0fH9Mip8sigosd/CmsoY03I0AcZT4z1+XpGsq5Npxwtj 7cz0SRTI/eV5nynNYK+vr6kOfU1fw7p8/wxIfXkks0Xy8ktXa26DFdw1 RoqVlTS1s1diFyF5niCOT6Ei2kAlf0fggZJBypwoK+6J42wwD2OhORX+ lKrhooaN4TU9AcHwgv25XTXhUq4tYh+veazdXNWDjEb3ZyLM8fKERCa9 YtDBFoHM7yFOHbsOhHKMn8F6T2Boi73hU/+wspjL/n8taKevyyygGg+U g4ugo2pTIouAs5DNnv+nUrpctcKZ5nMEUVl+3XBsXplIyz9QEKHWdFzL gyfIZEok8WdYHebcIy1vJrxzqCNw9ixnTn+OK1lwlMToVH1AGpvRKRPo wGSFaIrDyXxKul34j2jEhP9TWRcJqncy166Ueu3c0BKmclM29N8jeWbP 3TqRJ3RRxNj/vk6c/UGmmrHEz8YdNp2L0hv3JgItr2GujCvPApUvLNPW C7DSErQ3JsjV3gah +ro.vutbr.cz. 3600 IN RRSIG DNSKEY 5 3 3600 20170222120032 20170123120032 12150 ro.vutbr.cz. pN+8YElj24dhtnOQ20sjWxJTjx+FLTMrPms1lWIJKZtp2evQBG5AnAep 6w0QeMUTIh9ter58Dh6wu2IN4uA1h3ThxnSgwLraOChUFBtPTO8h5y8J mAq4KXSfqbEcHzZO/nBAtxSUk7aUz7yWf09xE+iozW3ORRWIXovMYci5 eEw= +ro.vutbr.cz. 3600 IN RRSIG DNSKEY 5 3 3600 20170222120032 20170123120032 16627 ro.vutbr.cz. DSaIAl+iyToM8+ai9xuRVcRshYyI66XHWkOz0XEbIAwbc8aEMEeFCA91 1vpuBb6H92MXvM8hYsBhZHNIA0ApoIE4bdyEGZY05XN3GYgJ4BEhXJVM RR+inJf+vGGqdlRP6F2sPO+rCqfxWBvSoUFU7DpCpkl7hz2Ex0Clm9C9 YnWgL+tGmAH33s2Y8lTA3hG/0W0NxD5zy1LiyDa8Ls3vV4MC6gVxyloT Capd8FkDL9PmgW0gMRNtIWmc5Hw+j/HRMoy+oRCe8PIfUL/Dpx3iTAH8 iN3wV8apV2uPa0L8QgpixK4Tc87aSainCopVY+NOc5t0HErUzj8i7qA9 J/cRtQvlUzln5vBsrQsVIzIeNV4o8/cM3zFyfdKkHh1tWYKLJKkjfXc5 +7VMvF8PnoHceT/Zr2gCc8tnygRobypzgqy3p69bRJqiT0/eCAgpGusV 1DCOJY0sdiGDZEtpqeINbAgGKAMmmNwjIwYSFowRzdawip1wNd+90RhI +8hvx8Sc5+K5Mom2BF2wGHf/2Kv/ArzyXxqqcNozM61L1AjxIsBHjnLZ TzPlLntmiHUVaqET9Yc3G0K/RdsIpqz4M79N0BX66a58x2a3fLqQdrEC QshZPNxk2S4eCsrVRjHvU4a7e74Rbf/zXp89Y+jmwBbDMdnp+2/h9s6U J0sEBCYyo9M= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA DO +SECTION QUESTION +piranha.ro.vutbr.cz. IN A +SECTION ANSWER +piranha.ro.vutbr.cz. 3600 IN A 147.229.2.90 +piranha.ro.vutbr.cz. 3600 IN RRSIG A 5 4 3600 20170222120032 20170123120032 12150 ro.vutbr.cz. Jz8bcAADQjCKTCcF70IK1aHGQlM4ukyN0myABlxoPaqid1mHX5jwR91b kdQmUAh2xDitlgRLbFjbUUgmjSPzQ5Qt7GAFUsVmqxvjbOLZjqHER1dh zmiWO0fDvvP647Osv3RiAP822rNUJcJrUBZU9LmeP05gwIHcpJrhdVBT b7I= +SECTION AUTHORITY +ro.vutbr.cz. 86400 IN NS shark.ro.vutbr.cz. +ro.vutbr.cz. 86400 IN NS rhino.cis.vutbr.cz. +ro.vutbr.cz. 86400 IN NS pipit.cis.vutbr.cz. +ro.vutbr.cz. 86400 IN RRSIG NS 5 3 86400 20170222120032 20170123120032 12150 ro.vutbr.cz. HAQ8A+QNsS1WIXdW/fbT3jP+IxObBBvgUmvzsmJBXo8HMtnMAcuCQGmB 2JBQsQethQXsdyLnMK8to/5A9VRkqkAa7edxUoy7SdDi/mzGeLAVhF+5 kXSPD6t1vjiNdnIYAMpiOQbodCGxAnq6jnNyrjEzffdq3qw+5IkFNdG4 7Pw= +SECTION ADDITIONAL +rhino.cis.vutbr.cz. 86400 IN A 147.229.3.10 +rhino.cis.vutbr.cz. 86400 IN AAAA 2001:67c:1220:e000::93e5:30a +shark.ro.vutbr.cz. 3600 IN A 147.229.2.59 +pipit.cis.vutbr.cz. 86400 IN A 77.93.219.110 +pipit.cis.vutbr.cz. 86400 IN AAAA 2a01:430:120::4d5d:db6e +rhino.cis.vutbr.cz. 86400 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. X/tDf8e3JEV0LxiItfpQnBzeaRIq693VG8d30iCH4/1I0uqyCfxboWmm /CBpn9A8MCJu9NEEv+4+povNlfUfqi2yjsqJEVj8ztHxD4g9cc284Cv6 ySjxrSZ9axVqoaopEXujiTwwWJUFcgF6pxqyXVksW7sgKJrboM4VSlQD +Sw= +rhino.cis.vutbr.cz. 86400 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. T3Yf5PAkSeJtoOH90ea9zZBG9FC3iFhiCSerDn6d9up8GRfzxDsavYJC zQu+3vnOySySn+3TMzQSSFcWdJC2iO7ulaDGr177Gof9QJbKSVSMW7jt YDE2f4/R4Go3NZVwjk/HfpCInoR6pHNA1s/9hMnWtiVopmBdfzyd3/sW YOU= +shark.ro.vutbr.cz. 3600 IN RRSIG A 5 4 3600 20170222120032 20170123120032 12150 ro.vutbr.cz. SmhgyF48yX/6yH7AdSmGX60NL/xaiKH/oAzB0rnPfQZ6j+UfV57ginVV lj798K9A8jjucUpqE8ua2mZ6/aOhpqlV2iI0CZXG44zOupsCY1/OXBDx YNetBcjoXDQCBQRLLLEUL5FerDVxqT74ngdLdKubwRdrB0TLQlvpBr+F Tc8= +pipit.cis.vutbr.cz. 86400 IN RRSIG A 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. Cz9etHnEOQTzu+6rYJEqx/SQ1tQgPOCyf8HSj4KOsx89jtgiHNC6pep6 ZE0SphMGAs3jC/uGIhlaFNZ3i38OQIMuqwacbz+XZyW5bByvV3QZrhqh dFxMDfmPuNiCAT3crFpUkvVW1OE3YfGHzZGXX7JP5wb1b8A3X6Qih7fV +nQ= +pipit.cis.vutbr.cz. 86400 IN RRSIG AAAA 5 4 86400 20170204080646 20170105080646 28257 cis.vutbr.cz. piafjh6my2fooZRrzwCu9RQ95gYaMQkhIkDaGX/fT6wXzSdmgFZkS1Nl EMIKdDCQaPrLGMG3p32ptMkAm4esPekeyNtLSMBtXwZyUkgEGn6h1QM2 Yr3TOo8cixfk5nmRRdlYadf5krLb8yI9exiqeymgEQLa1YNRz/bWArlX bn8= +ENTRY_END + +; end of pipit.cis.vutbr.cz. & rhino.cis.vutbr.cz. +RANGE_END + + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.vutbr.cz. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH flags rcode question answer +REPLY QR RD RA NOERROR +SECTION QUESTION +www.vutbr.cz. IN A +SECTION ANSWER +www.vutbr.cz. IN CNAME piranha.ro.vutbr.cz. +piranha.ro.vutbr.cz. IN A 147.229.2.90 +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.vutbr.cz. IN A +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH flags rcode question answer +REPLY QR RD RA AD NOERROR +SECTION QUESTION +www.vutbr.cz. IN A +SECTION ANSWER +www.vutbr.cz. IN CNAME piranha.ro.vutbr.cz. +www.vutbr.cz. IN RRSIG CNAME 5 3 300 20170216060902 20170117060902 39756 vutbr.cz. 9B3UC5SOEw1+yKlYlOTINEuNq0Kdglywc5IYJwzeSzQ3ykptzZo3ABSy bYhTqImVkhm/4NFM9/4HWMHPDzTmrWS0mCI/ljCd/oe/PxW/uESvo4P5 EQzlcuH6xBzc1KdEFAJOSmRzFjj3vyK1QN3k/c+1y2oMFOYOR2oOzCw+ MIE= +piranha.ro.vutbr.cz. IN A 147.229.2.90 +piranha.ro.vutbr.cz. 3600 IN RRSIG A 5 4 3600 20170222120032 20170123120032 12150 ro.vutbr.cz. Jz8bcAADQjCKTCcF70IK1aHGQlM4ukyN0myABlxoPaqid1mHX5jwR91b kdQmUAh2xDitlgRLbFjbUUgmjSPzQ5Qt7GAFUsVmqxvjbOLZjqHER1dh zmiWO0fDvvP647Osv3RiAP822rNUJcJrUBZU9LmeP05gwIHcpJrhdVBT b7I= +ENTRY_END + +SCENARIO_END diff -Nru knot-resolver-5.2.1/lib/cache/test.integr/kresd_config.j2 knot-resolver-5.3.1/lib/cache/test.integr/kresd_config.j2 --- knot-resolver-5.2.1/lib/cache/test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/cache/test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -27,10 +27,22 @@ _hint_root_file('hints') cache.size = 2*MB verbose(true) +policy.add(policy.all(policy.DEBUG_ALWAYS)) {% endraw %} net = { '{{SELF_ADDR}}' } +{% if DO_IP6 == "true" %} +net.ipv6 = true +{% else %} +net.ipv6 = false +{% endif %} + +{% if DO_IP4 == "true" %} +net.ipv4 = true +{% else %} +net.ipv4 = false +{% endif %} {% if QMIN == "false" %} option('NO_MINIMIZE', true) diff -Nru knot-resolver-5.2.1/lib/defines.h knot-resolver-5.3.1/lib/defines.h --- knot-resolver-5.2.1/lib/defines.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/defines.h 2021-03-31 15:15:36.000000000 +0000 @@ -50,7 +50,7 @@ #define KR_ITER_LIMIT 100 /* Built-in iterator limit */ #define KR_RESOLVE_TIME_LIMIT 10000 /* Upper limit for resolution time of single query, ms */ #define KR_CNAME_CHAIN_LIMIT 13 /* Built-in maximum CNAME chain length */ -#define KR_TIMEOUT_LIMIT 4 /* Maximum number of retries after timeout. */ +#define KR_TIMEOUT_LIMIT 10 /* Maximum number of retries after timeout. */ #define KR_QUERY_NSRETRY_LIMIT 4 /* Maximum number of retries per query. */ #define KR_COUNT_NO_NSADDR_LIMIT 5 #define KR_CONSUME_FAIL_ROW_LIMIT 3 /* Maximum number of KR_STATE_FAIL in a row. */ diff -Nru knot-resolver-5.2.1/lib/dnssec/nsec3.c knot-resolver-5.3.1/lib/dnssec/nsec3.c --- knot-resolver-5.2.1/lib/dnssec/nsec3.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/dnssec/nsec3.c 2021-03-31 15:15:36.000000000 +0000 @@ -69,6 +69,10 @@ assert(hash && params); if (!name) return kr_error(EINVAL); + if (params->iterations > KR_NSEC3_MAX_ITERATIONS) { + assert(false); // This if is mainly defensive; it shouldn't happen. + return kr_error(EINVAL); + } dnssec_binary_t dname = { .size = knot_dname_size(name), diff -Nru knot-resolver-5.2.1/lib/dnssec/nsec3.h knot-resolver-5.3.1/lib/dnssec/nsec3.h --- knot-resolver-5.2.1/lib/dnssec/nsec3.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/dnssec/nsec3.h 2021-03-31 15:15:36.000000000 +0000 @@ -6,6 +6,18 @@ #include +/** High numbers in NSEC3 iterations don't really help security + * + * ...so we avoid doing all the work. The value is a current compromise; + * zones shooting over get downgraded to insecure status. + * + * Original restriction wasn't that strict: + https://datatracker.ietf.org/doc/html/rfc5155#section-10.3 + * but there is discussion about officially lowering the limits: + https://tools.ietf.org/id/draft-hardaker-dnsop-nsec3-guidance-02.html#section-2.3 + */ +#define KR_NSEC3_MAX_ITERATIONS 150 + /** * Name error response check (RFC5155 7.2.2). * @note No RRSIGs are validated. diff -Nru knot-resolver-5.2.1/lib/generic/lru.c knot-resolver-5.3.1/lib/generic/lru.c --- knot-resolver-5.2.1/lib/generic/lru.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/generic/lru.c 2021-03-31 15:15:36.000000000 +0000 @@ -119,7 +119,7 @@ mm_ctx_init_aligned(&mm_array_default, alignof(struct lru)); mm_array = &mm_array_default; } - assert(mm_array->alloc != mm_malloc && mm_array->alloc != (knot_mm_alloc_t)mp_alloc); + assert(mm_array->alloc && mm_array->alloc != (knot_mm_alloc_t)mp_alloc); size_t size = offsetof(struct lru, groups[group_count]); struct lru *lru = mm_alloc(mm_array, size); diff -Nru knot-resolver-5.2.1/lib/layer/iterate.c knot-resolver-5.3.1/lib/layer/iterate.c --- knot-resolver-5.2.1/lib/layer/iterate.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/layer/iterate.c 2021-03-31 15:15:36.000000000 +0000 @@ -29,7 +29,7 @@ #include "lib/resolve.h" #include "lib/rplan.h" #include "lib/defines.h" -#include "lib/nsrep.h" +#include "lib/selection.h" #include "lib/module.h" #include "lib/dnssec/ta.h" @@ -98,7 +98,7 @@ } #ifndef STRICT_MODE - /* Last resort to work around broken auths, if the zone cut is at/parent of the QNAME. */ + /* Last resort to work around broken auths, if the zone cut is at the QNAME. */ if (knot_dname_is_equal(query->zone_cut.name, knot_pkt_qname(answer))) { return true; } @@ -213,10 +213,12 @@ if ((rr->type == KNOT_RRTYPE_A) && (req->ctx->options.NO_IPV4)) { + QVERBOSE_MSG(qry, "<= skipping IPv4 glue due to network settings\n"); continue; } if ((rr->type == KNOT_RRTYPE_AAAA) && (req->ctx->options.NO_IPV6)) { + QVERBOSE_MSG(qry, "<= skipping IPv6 glue due to network settings\n"); continue; } (void) update_nsaddr(rr, req->current_query, glue_cnt); @@ -258,6 +260,7 @@ && knot_dname_in_bailiwick(qry->sname, rr->owner) >= 0; if (!ok) { VERBOSE_MSG("<= authority: ns outside bailiwick\n"); + qry->server_selection.error(qry, req->upstream.transport, KR_SELECTION_LAME_DELEGATION); #ifdef STRICT_MODE return KR_STATE_FAIL; #else @@ -632,10 +635,11 @@ { const knot_dname_t *cname = NULL; int state = unroll_cname(pkt, req, true, &cname); + struct kr_query *query = req->current_query; if (state != kr_ok()) { + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_BAD_CNAME); return KR_STATE_FAIL; } - struct kr_query *query = req->current_query; if (!(query->flags.CACHED)) { /* If not cached (i.e. got from upstream) * make sure that this is not an authoritative answer @@ -721,6 +725,7 @@ if (!is_authoritative(pkt, query)) { if (!(query->flags.FORWARD) && pkt_class & (PKT_NXDOMAIN|PKT_NODATA)) { + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_LAME_DELEGATION); VERBOSE_MSG("<= lame response: non-auth sent negative response\n"); return KR_STATE_FAIL; } @@ -730,6 +735,7 @@ /* Process answer type */ int state = unroll_cname(pkt, req, false, &cname); if (state != kr_ok()) { + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_BAD_CNAME); return state; } /* Make sure that this is an authoritative answer (even with AA=0) for other layers */ @@ -760,6 +766,7 @@ q->stype == query->stype && knot_dname_is_equal(q->sname, cname)) { VERBOSE_MSG("<= cname chain loop\n"); + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_BAD_CNAME); return KR_STATE_FAIL; } } @@ -772,17 +779,12 @@ /* Copy transitive flags from original query to CNAME followup. */ next->flags.TRACE = query->flags.TRACE; next->flags.ALWAYS_CUT = query->flags.ALWAYS_CUT; - next->flags.NO_MINIMIZE = query->flags.NO_MINIMIZE; - next->flags.NO_THROTTLE = query->flags.NO_THROTTLE; + + /* Original query might have turned minimization off, revert. */ + next->flags.NO_MINIMIZE = req->options.NO_MINIMIZE; if (query->flags.FORWARD) { next->forward_flags.CNAME = true; - if (query->parent == NULL) { - state = kr_nsrep_copy_set(&next->ns, &query->ns); - if (state != kr_ok()) { - return KR_STATE_FAIL; - } - } } next->cname_parent = query; /* Want DNSSEC if and only if it's posible to secure @@ -872,14 +874,6 @@ return finalize_answer(pkt, req); } - -/** Error handling, RFC1034 5.3.3, 4d. - * NOTE: returing this does not prevent further queries (by itself). */ -static int resolve_error(knot_pkt_t *pkt, struct kr_request *req) -{ - return KR_STATE_FAIL; -} - /* State-less single resolution iteration step, not needed. */ static int reset(kr_layer_t *ctx) { return KR_STATE_PRODUCE; } @@ -973,23 +967,22 @@ return KR_STATE_CONSUME; } -static int resolve_badmsg(knot_pkt_t *pkt, struct kr_request *req, struct kr_query *query) +static bool satisfied_by_additional(const struct kr_query *qry) { - -#ifndef STRICT_MODE - /* Work around broken auths/load balancers */ - if (query->flags.SAFEMODE) { - return resolve_error(pkt, req); - } else if (query->flags.NO_MINIMIZE) { - query->flags.SAFEMODE = true; - return KR_STATE_DONE; - } else { - query->flags.NO_MINIMIZE = true; - return KR_STATE_DONE; + const bool prereq = !qry->flags.STUB && !qry->flags.FORWARD && qry->flags.NONAUTH; + if (!prereq) + return false; + const struct kr_request *req = qry->request; + for (ssize_t i = req->add_selected.len - 1; i >= 0; --i) { + ranked_rr_array_entry_t *entry = req->add_selected.at[i]; + if (entry->qry_uid != qry->uid) + break; + if (entry->rr->type == qry->stype + && knot_dname_is_equal(entry->rr->owner, qry->sname)) { + return true; + } } -#else - return resolve_error(pkt, req); -#endif + return false; } /** Resolve input query or continue resolution with followups. @@ -1023,32 +1016,39 @@ #ifdef STRICT_MODE if (pkt->parsed < pkt->size) { VERBOSE_MSG("<= pkt contains excessive data\n"); - return resolve_badmsg(pkt, req, query); + return KR_STATE_FAIL; } else #endif if (pkt->parsed <= KNOT_WIRE_HEADER_SIZE) { + if (pkt->parsed == KNOT_WIRE_HEADER_SIZE && knot_wire_get_rcode(pkt->wire) == KNOT_RCODE_FORMERR) { + /* This is a special case where we get valid header with FORMERR and nothing else. + * This happens on some authoritatives which don't support EDNS and don't + * bother copying the SECTION QUESTION. */ + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_FORMERR); + return KR_STATE_FAIL; + } VERBOSE_MSG("<= malformed response (parsed %d)\n", (int)pkt->parsed); - return resolve_badmsg(pkt, req, query); + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_MALFORMED); + return KR_STATE_FAIL; } else if (!is_paired_to_query(pkt, query)) { WITH_VERBOSE(query) { const char *ns_str = - req->upstream.addr ? kr_straddr(req->upstream.addr) : "(internal)"; + req->upstream.transport ? kr_straddr(&req->upstream.transport->address.ip) : "(internal)"; VERBOSE_MSG("<= ignoring mismatching response from %s\n", ns_str ? ns_str : "(kr_straddr failed)"); } - /* Force TCP, to work around authoritatives messing up question - * without yielding to spoofed responses. */ - query->flags.TCP = true; - return resolve_badmsg(pkt, req, query); + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_MISMATCHED); + return KR_STATE_FAIL; } else if (knot_wire_get_tc(pkt->wire)) { VERBOSE_MSG("<= truncated response, failover to TCP\n"); if (query) { /* Fail if already on TCP. */ - if (query->flags.TCP) { + if (req->upstream.transport->protocol != KR_TRANSPORT_UDP) { VERBOSE_MSG("<= TC=1 with TCP, bailing out\n"); - return resolve_error(pkt, req); + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_TRUNCATED); + return KR_STATE_FAIL; } - query->flags.TCP = true; + query->server_selection.error(query, req->upstream.transport, KR_SELECTION_TRUNCATED); } return KR_STATE_CONSUME; } @@ -1061,30 +1061,62 @@ const knot_lookup_t *rcode = knot_lookup_by_id(knot_rcode_names, knot_wire_get_rcode(pkt->wire)); #endif + // We can't return directly from the switch because we have to give feedback to server selection first + int ret = 0; + int selection_error = KR_SELECTION_OK; + /* Check response code. */ switch(knot_wire_get_rcode(pkt->wire)) { case KNOT_RCODE_NOERROR: case KNOT_RCODE_NXDOMAIN: break; /* OK */ case KNOT_RCODE_YXDOMAIN: /* Basically a successful answer; name just doesn't fit. */ - if (!kr_request_ensure_answer(req)) - return req->state; + if (!kr_request_ensure_answer(req)) { + ret = req->state; + } knot_wire_set_rcode(req->answer->wire, KNOT_RCODE_YXDOMAIN); break; case KNOT_RCODE_REFUSED: + if (query->flags.STUB) { + /* just pass answer through if in stub mode */ + break; + } + ret = KR_STATE_FAIL; + selection_error = KR_SELECTION_REFUSED; + break; case KNOT_RCODE_SERVFAIL: if (query->flags.STUB) { /* just pass answer through if in stub mode */ break; } - /* fall through */ + ret = KR_STATE_FAIL; + selection_error = KR_SELECTION_SERVFAIL; + break; case KNOT_RCODE_FORMERR: + ret = KR_STATE_FAIL; + if (knot_pkt_has_edns(pkt)) { + selection_error = KR_SELECTION_FORMERR_EDNS; + } else { + selection_error = KR_SELECTION_FORMERR; + } + break; case KNOT_RCODE_NOTIMPL: - VERBOSE_MSG("<= rcode: %s\n", rcode ? rcode->name : "??"); - return resolve_badmsg(pkt, req, query); + ret = KR_STATE_FAIL; + selection_error = KR_SELECTION_NOTIMPL; + break; default: + ret = KR_STATE_FAIL; + selection_error = KR_SELECTION_OTHER_RCODE; + break; + } + + if (query->server_selection.initialized) { + query->server_selection.error(query, req->upstream.transport, selection_error); + } + + if (ret) { VERBOSE_MSG("<= rcode: %s\n", rcode ? rcode->name : "??"); - return resolve_error(pkt, req); + return ret; } int state; @@ -1103,7 +1135,19 @@ break; case KR_STATE_DONE: /* Referral */ state = process_referral_answer(pkt,req); - VERBOSE_MSG("<= referral response, follow\n"); + if (satisfied_by_additional(query)) { /* This is a little hacky. + * We found sufficient information in ADDITIONAL section + * and it was selected for caching in this CONSUME round. + * To make iterator accept the record in a simple way, + * we trigger another cache *reading* attempt + * for the subsequent PRODUCE round. + */ + assert(query->flags.NONAUTH); + query->flags.CACHE_TRIED = false; + VERBOSE_MSG("<= referral response, but cache should stop us short now\n"); + } else { + VERBOSE_MSG("<= referral response, follow\n"); + } break; default: break; @@ -1115,7 +1159,7 @@ (void)0; ranked_rr_array_t *selected[] = kr_request_selected(req); for (knot_section_t i = KNOT_ANSWER; i <= KNOT_ADDITIONAL; ++i) { - int ret = kr_ranked_rrarray_finalize(selected[i], query->uid, &req->pool); + ret = kr_ranked_rrarray_finalize(selected[i], query->uid, &req->pool); if (unlikely(ret)) { return KR_STATE_FAIL; } diff -Nru knot-resolver-5.2.1/lib/layer/test.integr/iter_cname_length.rpl knot-resolver-5.3.1/lib/layer/test.integr/iter_cname_length.rpl --- knot-resolver-5.2.1/lib/layer/test.integr/iter_cname_length.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/layer/test.integr/iter_cname_length.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,3 +1,4 @@ +do-ip6: no ; config options ; SPDX-License-Identifier: GPL-3.0-or-later stub-addr: 193.0.14.129 # k.root-servers.net. diff -Nru knot-resolver-5.2.1/lib/layer/test.integr/iter_limit_bad_glueless.rpl knot-resolver-5.3.1/lib/layer/test.integr/iter_limit_bad_glueless.rpl --- knot-resolver-5.2.1/lib/layer/test.integr/iter_limit_bad_glueless.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/layer/test.integr/iter_limit_bad_glueless.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,3 +1,4 @@ +do-ip6: no ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/lib/layer/test.integr/iter_limit_refuse.rpl knot-resolver-5.3.1/lib/layer/test.integr/iter_limit_refuse.rpl --- knot-resolver-5.2.1/lib/layer/test.integr/iter_limit_refuse.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/layer/test.integr/iter_limit_refuse.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,3 +1,4 @@ +do-ip6: no ; config options ;server: stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -7,7 +8,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff -Nru knot-resolver-5.2.1/lib/layer/test.integr/kresd_config.j2 knot-resolver-5.3.1/lib/layer/test.integr/kresd_config.j2 --- knot-resolver-5.2.1/lib/layer/test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/layer/test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -67,6 +67,18 @@ net = { '{{SELF_ADDR}}' } +{% if DO_IP6 == "true" %} +net.ipv6 = true +{% else %} +net.ipv6 = false +{% endif %} + +{% if DO_IP4 == "true" %} +net.ipv4 = true +{% else %} +net.ipv4 = false +{% endif %} + {% if QMIN == "false" %} option('NO_MINIMIZE', true) diff -Nru knot-resolver-5.2.1/lib/layer/validate.c knot-resolver-5.3.1/lib/layer/validate.c --- knot-resolver-5.2.1/lib/layer/validate.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/layer/validate.c 2021-03-31 15:15:36.000000000 +0000 @@ -23,6 +23,7 @@ #include "lib/utils.h" #include "lib/defines.h" #include "lib/module.h" +#include "lib/selection.h" #define VERBOSE_MSG(qry, ...) QRVERBOSE(qry, "vldr", __VA_ARGS__) @@ -108,7 +109,42 @@ * to avoid any possible over-read in cn_target. */ } -static int validate_section(kr_rrset_validation_ctx_t *vctx, const struct kr_query *qry, +static void mark_insecure_parents(const struct kr_query *qry); +static void rank_records(struct kr_query *qry, bool any_rank, enum kr_rank rank_to_set, + const knot_dname_t *bailiwick); + +static bool maybe_downgrade_nsec3(const ranked_rr_array_entry_t *e, struct kr_query *qry, + const kr_rrset_validation_ctx_t *vctx) +{ + bool required_conditions = + e->rr->type == KNOT_RRTYPE_NSEC3 + && kr_rank_test(e->rank, KR_RANK_SECURE) + // extra careful: avoid downgrade if SNAME isn't in bailiwick of signer + && knot_dname_in_bailiwick(qry->sname, vctx->zone_name) >= 0; + if (!required_conditions) + return false; + + const knot_rdataset_t *rrs = &e->rr->rrs; + knot_rdata_t *rd = rrs->rdata; + for (int j = 0; j < rrs->count; ++j, rd = knot_rdataset_next(rd)) { + if (knot_nsec3_iters(rd) > KR_NSEC3_MAX_ITERATIONS) + goto do_downgrade; + } + return false; + +do_downgrade: // we do this deep inside calls because of having signer name available + VERBOSE_MSG(qry, "<= DNSSEC downgraded due to NSEC3 iterations %d > %d\n", + (int)knot_nsec3_iters(rd), (int)KR_NSEC3_MAX_ITERATIONS); + qry->flags.DNSSEC_WANT = false; + qry->flags.DNSSEC_INSECURE = true; + rank_records(qry, true, KR_RANK_INSECURE, vctx->zone_name); + mark_insecure_parents(qry); + return true; +} + +#define KNOT_EDOWNGRADED (KNOT_ERROR_MIN - 1) + +static int validate_section(kr_rrset_validation_ctx_t *vctx, struct kr_query *qry, knot_mm_t *pool) { if (!vctx) { @@ -169,6 +205,10 @@ if (validation_result == kr_ok()) { kr_rank_set(&entry->rank, KR_RANK_SECURE); + /* Downgrade zone to insecure if certain NSEC3 record occurs. */ + if (unlikely(maybe_downgrade_nsec3(entry, qry, vctx))) + return kr_error(KNOT_EDOWNGRADED); + } else if (kr_rank_test(rank_orig, KR_RANK_TRY)) { /* RFC 4035 section 2.2: * NS RRsets that appear at delegation points (...) @@ -349,7 +389,7 @@ return NULL; } } - return new_ds; + return new_ds; } static void mark_insecure_parents(const struct kr_query *qry) @@ -834,15 +874,14 @@ } /** Change ranks of RRs from this single iteration: - * _INITIAL or _TRY or _MISSING -> rank_to_set. + * _INITIAL or _TRY or _MISSING -> rank_to_set. Or any rank, if any_rank == true. * * Optionally do this only in a `bailiwick` (if not NULL). * Iterator shouldn't have selected such records, but we check to be sure. */ -static void rank_records(kr_layer_t *ctx, enum kr_rank rank_to_set, +static void rank_records(struct kr_query *qry, bool any_rank, enum kr_rank rank_to_set, const knot_dname_t *bailiwick) { - struct kr_request *req = ctx->req; - struct kr_query *qry = req->current_query; + struct kr_request *req = qry->request; ranked_rr_array_t *ptrs[2] = { &req->answ_selected, &req->auth_selected }; for (size_t i = 0; i < 2; ++i) { ranked_rr_array_t *arr = ptrs[i]; @@ -930,9 +969,8 @@ } /* Pass-through if user doesn't want secure answer or stub. */ - /* @todo: Validating stub resolver mode. */ if (qry->flags.STUB) { - rank_records(ctx, KR_RANK_OMIT, NULL); + rank_records(qry, false, KR_RANK_OMIT, NULL); return ctx->state; } uint8_t pkt_rcode = knot_wire_get_rcode(pkt->wire); @@ -953,7 +991,7 @@ if (!(qry->flags.DNSSEC_WANT)) { const bool is_insec = qry->flags.CACHED && qry->flags.DNSSEC_INSECURE; if ((qry->flags.DNSSEC_INSECURE)) { - rank_records(ctx, KR_RANK_INSECURE, qry->zone_cut.name); + rank_records(qry, true, KR_RANK_INSECURE, qry->zone_cut.name); } if (is_insec && qry->parent != NULL) { /* We have got insecure answer from cache. @@ -975,7 +1013,7 @@ if (knot_wire_get_cd(req->qsource.packet->wire)) { check_wildcard(ctx); wildcard_adjust_to_wire(req, qry); - rank_records(ctx, KR_RANK_OMIT, NULL); + rank_records(qry, false, KR_RANK_OMIT, NULL); return ctx->state; } /* Answer for RRSIG may not set DO=1, but all records MUST still validate. */ @@ -1020,7 +1058,7 @@ /* ^ the message is a bit imprecise to avoid being too verbose */ qry->flags.DNSSEC_WANT = false; qry->flags.DNSSEC_INSECURE = true; - rank_records(ctx, KR_RANK_INSECURE, qry->zone_cut.name); + rank_records(qry, true, KR_RANK_INSECURE, qry->zone_cut.name); mark_insecure_parents(qry); return KR_STATE_DONE; } @@ -1036,6 +1074,35 @@ } } + /* Validate all records, fail as bogus if it doesn't match. + * Do not revalidate data from cache, as it's already trusted. + * TTLs of RRsets may get lowered. */ + if (!(qry->flags.CACHED)) { + ret = validate_records(req, pkt, req->rplan.pool, has_nsec3); + if (ret == KNOT_EDOWNGRADED) { + return KR_STATE_DONE; + } else if (ret != 0) { + /* something exceptional - no DNS key, empty pointers etc + * normally it shoudn't happen */ + VERBOSE_MSG(qry, "<= couldn't validate RRSIGs\n"); + qry->flags.DNSSEC_BOGUS = true; + return KR_STATE_FAIL; + } + /* check validation state and spawn subrequests */ + if (!req->answ_validated) { + ret = check_validation_result(ctx, pkt, &req->answ_selected); + if (ret != KR_STATE_DONE) { + return ret; + } + } + if (!req->auth_validated) { + ret = check_validation_result(ctx, pkt, &req->auth_selected); + if (ret != KR_STATE_DONE) { + return ret; + } + } + } + /* Validate non-existence proof if not positive answer. * In case of CNAME, iterator scheduled a sibling query for the target, * so we just drop the negative piece of information and don't try to prove it. @@ -1094,33 +1161,6 @@ } } - /* Validate all records, fail as bogus if it doesn't match. - * Do not revalidate data from cache, as it's already trusted. - * TTLs of RRsets may get lowered. */ - if (!(qry->flags.CACHED)) { - ret = validate_records(req, pkt, req->rplan.pool, has_nsec3); - if (ret != 0) { - /* something exceptional - no DNS key, empty pointers etc - * normally it shoudn't happen */ - VERBOSE_MSG(qry, "<= couldn't validate RRSIGs\n"); - qry->flags.DNSSEC_BOGUS = true; - return KR_STATE_FAIL; - } - /* check validation state and spawn subrequests */ - if (!req->answ_validated) { - ret = check_validation_result(ctx, pkt, &req->answ_selected); - if (ret != KR_STATE_DONE) { - return ret; - } - } - if (!req->auth_validated) { - ret = check_validation_result(ctx, pkt, &req->auth_selected); - if (ret != KR_STATE_DONE) { - return ret; - } - } - } - wildcard_adjust_to_wire(req, qry); /* Check and update current delegation point security status. */ @@ -1190,11 +1230,22 @@ return ctx->state; } +static int validate_wrapper(kr_layer_t *ctx, knot_pkt_t *pkt) { + // Wrapper for now. + int ret = validate(ctx, pkt); + struct kr_request *req = ctx->req; + struct kr_query *qry = req->current_query; + if (ret & KR_STATE_FAIL && qry->flags.DNSSEC_BOGUS) + qry->server_selection.error(qry, req->upstream.transport, KR_SELECTION_DNSSEC_ERROR); + return ret; +} + + /** Module implementation. */ int validate_init(struct kr_module *self) { static const kr_layer_api_t layer = { - .consume = &validate, + .consume = &validate_wrapper, .answer_finalize = &hide_bogus, }; self->layer = &layer; diff -Nru knot-resolver-5.2.1/lib/meson.build knot-resolver-5.3.1/lib/meson.build --- knot-resolver-5.2.1/lib/meson.build 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/meson.build 2021-03-31 15:15:36.000000000 +0000 @@ -24,9 +24,11 @@ 'layer/iterate.c', 'layer/validate.c', 'module.c', - 'nsrep.c', 'resolve.c', 'rplan.c', + 'selection.c', + 'selection_forward.c', + 'selection_iter.c', 'utils.c', 'zonecut.c', ]) @@ -52,9 +54,11 @@ 'layer.h', 'layer/iterate.h', 'module.h', - 'nsrep.h', 'resolve.h', 'rplan.h', + 'selection.h', + 'selection_forward.h', + 'selection_iter.h', 'utils.h', 'zonecut.h', ]) diff -Nru knot-resolver-5.2.1/lib/module.h knot-resolver-5.3.1/lib/module.h --- knot-resolver-5.2.1/lib/module.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/module.h 2021-03-31 15:15:36.000000000 +0000 @@ -23,7 +23,7 @@ */ #define KR_MODULE_EXPORT(module) \ KR_EXPORT uint32_t module ## _api() { return KR_MODULE_API; } -#define KR_MODULE_API ((uint32_t) 0x20200427) +#define KR_MODULE_API ((uint32_t) 0x20210125) typedef uint32_t (module_api_cb)(void); diff -Nru knot-resolver-5.2.1/lib/nsrep.c knot-resolver-5.3.1/lib/nsrep.c --- knot-resolver-5.2.1/lib/nsrep.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/nsrep.c 1970-01-01 00:00:00.000000000 +0000 @@ -1,570 +0,0 @@ -/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. - * SPDX-License-Identifier: GPL-3.0-or-later - */ - -#include -#include -#include -#include - -#include - -#include "lib/nsrep.h" -#include "lib/rplan.h" -#include "lib/resolve.h" -#include "lib/defines.h" -#include "lib/generic/pack.h" -#include "contrib/ucw/lib.h" - -/** Some built-in unfairness ... */ -#ifndef FAVOUR_IPV6 -#define FAVOUR_IPV6 20 /* 20ms bonus for v6 */ -#endif - -/** @internal Macro to set address structure. */ -#define ADDR_SET(sa, family, addr, len, port) do {\ - memcpy(&sa ## _addr, (addr), (len)); \ - sa ## _family = (family); \ - sa ## _port = htons(port); \ -} while (0) - -/** Update nameserver representation with current name/address pair. */ -static void update_nsrep(struct kr_nsrep *ns, size_t pos, uint8_t *addr, size_t addr_len, int port) -{ - if (addr == NULL) { - ns->addr[pos].ip.sa_family = AF_UNSPEC; - return; - } - - /* Rotate previous addresses to the right. */ - memmove(ns->addr + pos + 1, ns->addr + pos, (KR_NSREP_MAXADDR - pos - 1) * sizeof(ns->addr[0])); - - switch(addr_len) { - case sizeof(struct in_addr): - ADDR_SET(ns->addr[pos].ip4.sin, AF_INET, addr, addr_len, port); break; - case sizeof(struct in6_addr): - ADDR_SET(ns->addr[pos].ip6.sin6, AF_INET6, addr, addr_len, port); break; - default: assert(0); break; - } -} - -static void update_nsrep_set(struct kr_nsrep *ns, const knot_dname_t *name, uint8_t *addr[], unsigned score) -{ - /* NSLIST is not empty, empty NS cannot be a leader. */ - if (!addr[0] && ns->addr[0].ip.sa_family != AF_UNSPEC) { - return; - } - /* Set new NS leader */ - ns->name = name; - ns->score = score; - for (size_t i = 0; i < KR_NSREP_MAXADDR; ++i) { - if (addr[i]) { - void *addr_val = pack_obj_val(addr[i]); - size_t len = pack_obj_len(addr[i]); - update_nsrep(ns, i, addr_val, len, KR_DNS_PORT); - } else { - break; - } - } -} - -#undef ADDR_SET - -/** - * \param addr_set pack with one IP address per element */ -static unsigned eval_addr_set(const pack_t *addr_set, struct kr_context *ctx, - struct kr_qflags opts, unsigned score, uint8_t *addr[]) -{ - kr_nsrep_rtt_lru_t *rtt_cache = ctx->cache_rtt; - kr_nsrep_rtt_lru_entry_t *rtt_cache_entry_ptr[KR_NSREP_MAXADDR] = { NULL, }; - assert (KR_NSREP_MAXADDR >= 2); - unsigned rtt_cache_entry_score[KR_NSREP_MAXADDR] = { score, KR_NS_MAX_SCORE + 1, }; - uint64_t now = kr_now(); - - /* Name server is better candidate if it has address record. */ - for (uint8_t *it = pack_head(*addr_set); it != pack_tail(*addr_set); - it = pack_obj_next(it)) { - void *val = pack_obj_val(it); - size_t len = pack_obj_len(it); - unsigned favour = 0; - bool is_valid = false; - /* Check if the address isn't disabled. */ - if (len == sizeof(struct in6_addr)) { - is_valid = !(opts.NO_IPV6); - favour = FAVOUR_IPV6; - } else if (len == sizeof(struct in_addr)) { - is_valid = !(opts.NO_IPV4); - } else { - assert(!EINVAL); - is_valid = false; - } - - if (!is_valid) { - continue; - } - - /* Get score for the current address. */ - kr_nsrep_rtt_lru_entry_t *cached = rtt_cache ? - lru_get_try(rtt_cache, val, len) : - NULL; - unsigned cur_addr_score = KR_NS_GLUED; - if (cached) { - cur_addr_score = cached->score; - if (cached->score >= KR_NS_TIMEOUT) { - /* If NS once was marked as "timeouted", - * it won't participate in NS elections - * at least ctx->cache_rtt_tout_retry_interval milliseconds. */ - uint64_t elapsed = now - cached->tout_timestamp; - elapsed = elapsed > UINT_MAX ? UINT_MAX : elapsed; - if (elapsed > ctx->cache_rtt_tout_retry_interval) { - /* Select this NS for probing in this particular query, - * but don't change the cached score. - * For other queries this NS will remain "timeouted". */ - cur_addr_score = KR_NS_LONG - 1; - } - } - } - - /* We can't always use favour. If these conditions held: - * - * rtt_cache_entry_score[i] < KR_NS_TIMEOUT - * rtt_cache_entry_score[i] + favour > KR_NS_TIMEOUT - * cur_addr_score < rtt_cache_entry_score[i] + favour - * - * we would prefer "certainly dead" cur_addr_score - * instead of "almost dead but alive" rtt_cache_entry_score[i] - */ - const unsigned cur_favour = cur_addr_score < KR_NS_TIMEOUT ? favour : 0; - for (size_t i = 0; i < KR_NSREP_MAXADDR; ++i) { - if (cur_addr_score >= rtt_cache_entry_score[i] + cur_favour) - continue; - - /* Shake down previous contenders */ - for (size_t j = KR_NSREP_MAXADDR - 1; j > i; --j) { - addr[j] = addr[j - 1]; - rtt_cache_entry_ptr[j] = rtt_cache_entry_ptr[j - 1]; - rtt_cache_entry_score[j] = rtt_cache_entry_score[j - 1]; - } - addr[i] = it; - rtt_cache_entry_score[i] = cur_addr_score; - rtt_cache_entry_ptr[i] = cached; - break; - } - } - - /* At this point, rtt_cache_entry_ptr contains up to KR_NSREP_MAXADDR - * pointers to the rtt cache entries with the best scores for the given addr_set. - * Check if there are timeouted NS. */ - - for (size_t i = 0; i < KR_NSREP_MAXADDR; ++i) { - if (rtt_cache_entry_ptr[i] == NULL) - continue; - if (rtt_cache_entry_ptr[i]->score < KR_NS_TIMEOUT) - continue; - - uint64_t elapsed = now - rtt_cache_entry_ptr[i]->tout_timestamp; - elapsed = elapsed > UINT_MAX ? UINT_MAX : elapsed; - if (elapsed <= ctx->cache_rtt_tout_retry_interval) - continue; - - /* rtt_cache_entry_ptr[i] points to "timeouted" rtt cache entry. - * The period of the ban on participation in elections has expired. */ - - if (VERBOSE_STATUS) { - void *val = pack_obj_val(addr[i]); - size_t len = pack_obj_len(addr[i]); - char sa_str[INET6_ADDRSTRLEN]; - int af = (len == sizeof(struct in6_addr)) ? AF_INET6 : AF_INET; - inet_ntop(af, val, sa_str, sizeof(sa_str)); - kr_log_verbose("[ ][nsre] probing timeouted NS: %s, score %i\n", - sa_str, rtt_cache_entry_ptr[i]->score); - } - - rtt_cache_entry_ptr[i]->tout_timestamp = now; - } - - return rtt_cache_entry_score[0]; -} - -static int eval_nsrep(const knot_dname_t *owner, const pack_t *addr_set, struct kr_query *qry) -{ - struct kr_nsrep *ns = &qry->ns; - struct kr_context *ctx = ns->ctx; - unsigned score = KR_NS_MAX_SCORE; - unsigned reputation = 0; - uint8_t *addr_choice[KR_NSREP_MAXADDR] = { NULL, }; - - /* Fetch NS reputation */ - if (ctx->cache_rep) { - unsigned *cached = lru_get_try(ctx->cache_rep, (const char *)owner, - knot_dname_size(owner)); - if (cached) { - reputation = *cached; - } - } - - /* Favour nameservers with unknown addresses to probe them, - * otherwise discover the current best address for the NS. */ - if (addr_set->len == 0) { - score = KR_NS_UNKNOWN; - /* If the server doesn't have IPv6, give it disadvantage. */ - if (reputation & KR_NS_NOIP6) { - score += FAVOUR_IPV6; - /* If the server is unknown but has rep record, treat it as timeouted */ - if (reputation & KR_NS_NOIP4) { - score = KR_NS_UNKNOWN; - /* Try to start with clean slate */ - if (!(qry->flags.NO_IPV6)) { - reputation &= ~KR_NS_NOIP6; - } - if (!(qry->flags.NO_IPV4)) { - reputation &= ~KR_NS_NOIP4; - } - } - } - } else { - score = eval_addr_set(addr_set, ctx, qry->flags, score, addr_choice); - } - - /* Probabilistic bee foraging strategy (naive). - * The fastest NS is preferred by workers until it is depleted (timeouts or degrades), - * at the same time long distance scouts probe other sources (low probability). - * Servers on TIMEOUT will not have probed at all. - * Servers with score above KR_NS_LONG will have periodically removed from - * reputation cache, so that kresd can reprobe them. */ - if (score >= KR_NS_TIMEOUT) { - return kr_ok(); - } else if (score <= ns->score && - (score < KR_NS_LONG || qry->flags.NO_THROTTLE)) { - update_nsrep_set(ns, owner, addr_choice, score); - ns->reputation = reputation; - } else if (kr_rand_coin(1, 10) && - !kr_rand_coin(score, KR_NS_MAX_SCORE)) { - /* With 10% chance probe server with a probability - * given by its RTT / MAX_RTT. */ - update_nsrep_set(ns, owner, addr_choice, score); - ns->reputation = reputation; - return 1; /* Stop evaluation */ - } else if (ns->score > KR_NS_MAX_SCORE) { - /* Check if any server was already selected. - * If no, pick current server and continue evaluation. */ - update_nsrep_set(ns, owner, addr_choice, score); - ns->reputation = reputation; - } - - return kr_ok(); -} - -int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock) -{ - if (!qry) { - return kr_error(EINVAL); - } - if (index >= KR_NSREP_MAXADDR) { - return kr_error(ENOSPC); - } - - if (!sock) { - qry->ns.name = (const uint8_t *)""; - qry->ns.addr[index].ip.sa_family = AF_UNSPEC; - return kr_ok(); - } - - switch (sock->sa_family) { - case AF_INET: - if (qry->flags.NO_IPV4) { - return kr_error(ENOENT); - } - qry->ns.addr[index].ip4 = *(const struct sockaddr_in *)sock; - break; - case AF_INET6: - if (qry->flags.NO_IPV6) { - return kr_error(ENOENT); - } - qry->ns.addr[index].ip6 = *(const struct sockaddr_in6 *)sock; - break; - default: - qry->ns.addr[index].ip.sa_family = AF_UNSPEC; - return kr_error(EINVAL); - } - - qry->ns.name = (const uint8_t *)""; - /* Reset score on first entry */ - if (index == 0) { - qry->ns.score = KR_NS_UNKNOWN; - qry->ns.reputation = 0; - } - - /* Retrieve RTT from cache */ - struct kr_context *ctx = qry->ns.ctx; - kr_nsrep_rtt_lru_entry_t *rtt_cache_entry = ctx - ? lru_get_try(ctx->cache_rtt, kr_inaddr(sock), kr_family_len(sock->sa_family)) - : NULL; - if (rtt_cache_entry) { - qry->ns.score = MIN(qry->ns.score, rtt_cache_entry->score); - } - - return kr_ok(); -} - -#define ELECT_INIT(ns, ctx_) do { \ - (ns)->ctx = (ctx_); \ - (ns)->addr[0].ip.sa_family = AF_UNSPEC; \ - (ns)->reputation = 0; \ - (ns)->score = KR_NS_MAX_SCORE + 1; \ -} while (0) - -int kr_nsrep_elect(struct kr_query *qry, struct kr_context *ctx) -{ - if (!qry || !ctx) { - //assert(!EINVAL); - return kr_error(EINVAL); - } - - // First we dump the nsset into a temporary array - const int nsset_len = trie_weight(qry->zone_cut.nsset); - struct { - const knot_dname_t *name; - const pack_t *addrs; - } nsset[nsset_len]; - - trie_it_t *it; - int i = 0; - for (it = trie_it_begin(qry->zone_cut.nsset); !trie_it_finished(it); - trie_it_next(it), ++i) { - /* we trust it's a correct dname */ - nsset[i].name = (const knot_dname_t *)trie_it_key(it, NULL); - nsset[i].addrs = (const pack_t *)*trie_it_val(it); - } - trie_it_free(it); - assert(i == nsset_len); - - // Now we sort it randomly, by select-sort. - for (i = 0; i < nsset_len - 1; ++i) { - // The winner for position i will be uniformly chosen from indices >= i - const int j = i + kr_rand_bytes(1) % (nsset_len - i); - // Now we swap the winner with index i - if (i == j) continue; - __typeof__((nsset[i])) tmp = nsset[i]; - nsset[i] = nsset[j]; - nsset[j] = tmp; - } - - // Finally we run the original algorithm, in this randomized order. - struct kr_nsrep *ns = &qry->ns; - ELECT_INIT(ns, ctx); - int ret = kr_ok(); - for (i = 0; i < nsset_len; ++i) { - ret = eval_nsrep(nsset[i].name, nsset[i].addrs, qry); - if (ret) break; - } - - if (qry->ns.score <= KR_NS_MAX_SCORE && qry->ns.score >= KR_NS_LONG) { - /* This is a low-reliability probe, - * go with TCP to get ICMP reachability check. */ - qry->flags.TCP = true; - } - return ret; -} - -int kr_nsrep_elect_addr(struct kr_query *qry, struct kr_context *ctx) -{ - if (!qry || !ctx) { - //assert(!EINVAL); - return kr_error(EINVAL); - } - - /* Get address list for this NS */ - struct kr_nsrep *ns = &qry->ns; - ELECT_INIT(ns, ctx); - pack_t *addr_set = kr_zonecut_find(&qry->zone_cut, ns->name); - if (!addr_set) { - return kr_error(ENOENT); - } - /* Evaluate addr list */ - uint8_t *addr_choice[KR_NSREP_MAXADDR] = { NULL, }; - unsigned score = eval_addr_set(addr_set, ctx, qry->flags, ns->score, addr_choice); - update_nsrep_set(ns, ns->name, addr_choice, score); - return kr_ok(); -} - -#undef ELECT_INIT - -int kr_nsrep_update_rtt(struct kr_nsrep *ns, const struct sockaddr *addr, - unsigned score, kr_nsrep_rtt_lru_t *cache, int umode) -{ - if (!cache || umode > KR_NS_MAX || umode < 0) { - return kr_error(EINVAL); - } - - /* Get `addr`, and later its raw string. */ - if (addr) { - /* Caller provided specific address, OK. */ - } else if (ns != NULL) { - addr = &ns->addr[0].ip; - } else { - assert(false && "kr_nsrep_update_rtt: don't know what address to update"); - return kr_error(EINVAL); - } - const char *addr_in = kr_inaddr(addr); - size_t addr_len = kr_inaddr_len(addr); - if (!addr_in || addr_len <= 0) { - assert(false && "kr_nsrep_update_rtt: incorrect address"); - return kr_error(EINVAL); - } - - bool is_new_entry = false; - kr_nsrep_rtt_lru_entry_t *cur = lru_get_new(cache, addr_in, addr_len, - (&is_new_entry)); - if (!cur) { - return kr_ok(); - } - if (score <= KR_NS_GLUED) { - score = KR_NS_GLUED + 1; - } - /* If there's nothing to update, we reset it unless KR_NS_UPDATE_NORESET - * mode was requested. New items are zeroed by LRU automatically. */ - if (is_new_entry && umode != KR_NS_UPDATE_NORESET) { - umode = KR_NS_RESET; - } - unsigned new_score = 0; - /* Update score, by default smooth over last two measurements. */ - switch (umode) { - case KR_NS_UPDATE: - case KR_NS_UPDATE_NORESET: - new_score = (cur->score + score) / 2; break; - case KR_NS_RESET: new_score = score; break; - case KR_NS_ADD: new_score = MIN(KR_NS_MAX_SCORE - 1, cur->score + score); break; - case KR_NS_MAX: new_score = MAX(cur->score, score); break; - default: return kr_error(EINVAL); - } - /* Score limits */ - if (new_score > KR_NS_MAX_SCORE) { - new_score = KR_NS_MAX_SCORE; - } - if (new_score >= KR_NS_TIMEOUT && cur->score < KR_NS_TIMEOUT) { - /* Set the timestamp only when NS became "timeouted" */ - cur->tout_timestamp = kr_now(); - } - cur->score = new_score; - return kr_ok(); -} - -int kr_nsrep_update_rep(struct kr_nsrep *ns, unsigned reputation, kr_nsrep_lru_t *cache) -{ - if (!ns || !cache ) { - return kr_error(EINVAL); - } - - /* Store in the struct */ - ns->reputation = reputation; - /* Store reputation in the LRU cache */ - unsigned *cur = lru_get_new(cache, (const char *)ns->name, - knot_dname_size(ns->name), NULL); - if (cur) { - *cur = reputation; - } - return kr_ok(); -} - -int kr_nsrep_copy_set(struct kr_nsrep *dst, const struct kr_nsrep *src) -{ - if (!dst || !src ) { - return kr_error(EINVAL); - } - - memcpy(dst, src, sizeof(struct kr_nsrep)); - dst->name = (const uint8_t *)""; - dst->score = KR_NS_UNKNOWN; - dst->reputation = 0; - - return kr_ok(); -} - -int kr_nsrep_sort(struct kr_nsrep *ns, struct kr_context *ctx) -{ - if (!ns || !ctx) { - assert(false); - return kr_error(EINVAL); - } - - kr_nsrep_rtt_lru_t *rtt_cache = ctx->cache_rtt; - - ns->reputation = 0; - ns->score = KR_NS_MAX_SCORE + 1; - - if (ns->addr[0].ip.sa_family == AF_UNSPEC) { - return kr_error(EINVAL); - } - - /* Compute the scores. Unfortunately there's no space for scores - * along the addresses. */ - unsigned scores[KR_NSREP_MAXADDR]; - int i; - bool timeouted_address_is_already_selected = false; - for (i = 0; i < KR_NSREP_MAXADDR; ++i) { - const struct sockaddr *sa = &ns->addr[i].ip; - if (sa->sa_family == AF_UNSPEC) { - break; - } - kr_nsrep_rtt_lru_entry_t *rtt_cache_entry = lru_get_try(rtt_cache, - kr_inaddr(sa), - kr_family_len(sa->sa_family)); - if (!rtt_cache_entry) { - scores[i] = 1; /* prefer unknown to probe RTT */ - } else if (rtt_cache_entry->score < KR_NS_FWD_TIMEOUT) { - /* some probability to bump bad ones up for re-probe */ - scores[i] = rtt_cache_entry->score; - /* The lower the rtt, the more likely it will be selected. */ - if (!kr_rand_coin(rtt_cache_entry->score, KR_NS_FWD_TIMEOUT)) { - scores[i] = 1; - } - } else { - uint64_t now = kr_now(); - uint64_t elapsed = now - rtt_cache_entry->tout_timestamp; - scores[i] = KR_NS_MAX_SCORE + 1; - elapsed = elapsed > UINT_MAX ? UINT_MAX : elapsed; - if (elapsed > ctx->cache_rtt_tout_retry_interval && - !timeouted_address_is_already_selected) { - scores[i] = 1; - rtt_cache_entry->tout_timestamp = now; - timeouted_address_is_already_selected = true; - } - } - - /* Give advantage to IPv6. */ - if (scores[i] <= KR_NS_MAX_SCORE && sa->sa_family == AF_INET) { - scores[i] += FAVOUR_IPV6; - } - - if (VERBOSE_STATUS) { - kr_log_verbose("[ ][nsre] score %d for %s;\t cached RTT: %d\n", - scores[i], kr_straddr(sa), - rtt_cache_entry ? rtt_cache_entry->score : -1); - } - } - - /* Select-sort the addresses. */ - const int count = i; - for (i = 0; i < count - 1; ++i) { - /* find min from i onwards */ - int min_i = i; - for (int j = i + 1; j < count; ++j) { - if (scores[j] < scores[min_i]) { - min_i = j; - } - } - /* swap the indices */ - if (min_i != i) { - SWAP(scores[min_i], scores[i]); - SWAP(ns->addr[min_i], ns->addr[i]); - } - } - - if (count > 0) { - ns->score = scores[0]; - ns->reputation = 0; - } - - return kr_ok(); -} diff -Nru knot-resolver-5.2.1/lib/nsrep.h knot-resolver-5.3.1/lib/nsrep.h --- knot-resolver-5.2.1/lib/nsrep.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/nsrep.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,176 +0,0 @@ -/* Copyright (C) 2014-2017 CZ.NIC, z.s.p.o. - * SPDX-License-Identifier: GPL-3.0-or-later - */ - -#pragma once - -#include -#include -#include -#include - -#include "lib/defines.h" -#include "lib/generic/lru.h" - -struct kr_query; - -/** - * NS RTT score (special values). - * @note RTT is measured in milliseconds. - */ -enum kr_ns_score { - KR_NS_MAX_SCORE = 20 * KR_CONN_RTT_MAX, /* max possible value */ - KR_NS_FWD_TIMEOUT = (95 * 10000) / 100, /* timeout for upstream recursor, - * 95 percents from max resolution time */ - KR_NS_TIMEOUT = (95 * KR_CONN_RTT_MAX) / 100, /* timeout for upstream auth */ - KR_NS_LONG = (3 * KR_NS_TIMEOUT) / 4, - KR_NS_UNKNOWN = KR_NS_TIMEOUT / 2, - KR_NS_PENALTY = 100, - KR_NS_GLUED = 10 -}; - -/** - * See kr_nsrep_update_rtt() - */ -#define KR_NS_DEAD (((KR_NS_TIMEOUT * 4) + 3) / 3) -#define KR_NS_FWD_DEAD (((KR_NS_FWD_TIMEOUT * 4) + 3) / 3) - -/** If once NS was marked as "timeouted", it won't participate in NS elections - * at least KR_NS_TIMEOUT_RETRY_INTERVAL milliseconds (now: one second). */ -#define KR_NS_TIMEOUT_RETRY_INTERVAL 1000 - -/** - * NS QoS flags. - */ -enum kr_ns_rep { - KR_NS_NOIP4 = 1 << 0, /**< NS has no IPv4 */ - KR_NS_NOIP6 = 1 << 1, /**< NS has no IPv6 */ - KR_NS_NOEDNS = 1 << 2 /**< NS has no EDNS support */ -}; - -/** - * NS RTT update modes. - * First update is always KR_NS_RESET unless - * KR_NS_UPDATE_NORESET mode had choosen. - */ -enum kr_ns_update_mode { - KR_NS_UPDATE = 0, /**< Update as smooth over last two measurements */ - KR_NS_UPDATE_NORESET, /**< Same as KR_NS_UPDATE, but disable fallback to - * KR_NS_RESET on newly added entries. - * Zero is used as initial value. */ - KR_NS_RESET, /**< Set to given value */ - KR_NS_ADD, /**< Increment current value */ - KR_NS_MAX /**< Set to maximum of current/proposed value. */ -}; - -struct kr_nsrep_rtt_lru_entry { - unsigned score; /* combined rtt */ - uint64_t tout_timestamp; /* The time when score became - * greater or equal then KR_NS_TIMEOUT. - * Is meaningful only when score >= KR_NS_TIMEOUT */ -}; - -typedef struct kr_nsrep_rtt_lru_entry kr_nsrep_rtt_lru_entry_t; - -/** - * NS QoS tracking. - */ -typedef lru_t(kr_nsrep_rtt_lru_entry_t) kr_nsrep_rtt_lru_t; - -/** - * NS reputation tracking. - */ -typedef lru_t(unsigned) kr_nsrep_lru_t; - -/* Maximum count of addresses probed in one go (last is left empty) */ -#define KR_NSREP_MAXADDR 4 - -/** - * Name server representation. - * Contains extra information about the name server, e.g. score - * or other metadata. - */ -struct kr_nsrep -{ - unsigned score; /**< NS score */ - unsigned reputation; /**< NS reputation */ - const knot_dname_t *name; /**< NS name */ - struct kr_context *ctx; /**< Resolution context */ - union inaddr addr[KR_NSREP_MAXADDR]; /**< NS address(es) */ -}; - -/** - * Set given NS address. (Very low-level access to the list.) - * @param qry updated query - * @param index index of the updated target - * @param sock socket address to use (sockaddr_in or sockaddr_in6 or NULL) - * @return 0 or an error code, in particular kr_error(ENOENT) for net.ipvX - */ -KR_EXPORT -int kr_nsrep_set(struct kr_query *qry, size_t index, const struct sockaddr *sock); - -/** - * Elect best nameserver/address pair from the nsset. - * @param qry updated query - * @param ctx resolution context - * @return 0 or an error code - */ -KR_EXPORT -int kr_nsrep_elect(struct kr_query *qry, struct kr_context *ctx); - -/** - * Elect best nameserver/address pair from the nsset. - * @param qry updated query - * @param ctx resolution context - * @return 0 or an error code - */ -KR_EXPORT -int kr_nsrep_elect_addr(struct kr_query *qry, struct kr_context *ctx); - -/** - * Update NS address RTT information. - * - * @brief In KR_NS_UPDATE mode reputation is smoothed over last N measurements. - * - * @param ns updated NS representation - * @param addr chosen address (NULL for first) - * @param score new score (i.e. RTT), see enum kr_ns_score - * @param cache RTT LRU cache - * @param umode update mode (KR_NS_UPDATE or KR_NS_RESET or KR_NS_ADD) - * @return 0 on success, error code on failure - */ -KR_EXPORT -int kr_nsrep_update_rtt(struct kr_nsrep *ns, const struct sockaddr *addr, - unsigned score, kr_nsrep_rtt_lru_t *cache, int umode); - -/** - * Update NSSET reputation information. - * - * @param ns updated NS representation - * @param reputation combined reputation flags, see enum kr_ns_rep - * @param cache LRU cache - * @return 0 on success, error code on failure - */ -KR_EXPORT -int kr_nsrep_update_rep(struct kr_nsrep *ns, unsigned reputation, kr_nsrep_lru_t *cache); -/** - * Copy NSSET reputation information and resets score. - * - * @param dst updated NS representation - * @param src source NS representation - * @return 0 on success, error code on failure - */ -int kr_nsrep_copy_set(struct kr_nsrep *dst, const struct kr_nsrep *src); - -/** - * Sort addresses in the query nsrep list by cached RTT. - * if RTT is greater then KR_NS_TIMEOUT, address will placed at the beginning of the - * nsrep list once in cache.ns_tout() milliseconds. Otherwise it will be sorted - * as if it has cached RTT equal to KR_NS_MAX_SCORE + 1. - * @param ns updated kr_nsrep - * @param ctx name resolution context. - * @return 0 or an error code - * @note ns reputation is zeroed and score is set to KR_NS_MAX_SCORE + 1. - */ -KR_EXPORT -int kr_nsrep_sort(struct kr_nsrep *ns, struct kr_context *ctx); diff -Nru knot-resolver-5.2.1/lib/resolve.c knot-resolver-5.3.1/lib/resolve.c --- knot-resolver-5.2.1/lib/resolve.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/resolve.c 2021-03-31 15:15:36.000000000 +0000 @@ -11,6 +11,7 @@ #include #include #include +#include #include "kresconfig.h" #include "lib/resolve.h" #include "lib/layer.h" @@ -110,6 +111,12 @@ struct kr_layer layer = {.state = (r)->state, .api = mod->layer, .req = (r)}; \ if (layer.api && layer.api->func) { \ (r)->state = layer.api->func(&layer, ##__VA_ARGS__); \ + /* It's an easy mistake to return error code, for example. */ \ + /* (though we could allow such an overload later) */ \ + if (unlikely(!kr_state_consistent((r)->state))) { \ + assert(!EINVAL); \ + (r)->state = KR_STATE_FAIL; \ + } else \ if ((r)->state == KR_STATE_YIELD) { \ func ## _yield(&layer, ##__VA_ARGS__); \ break; \ @@ -147,7 +154,7 @@ return; } assert(qname); - const int len = knot_dname_size(qname) - 2; /* Skip first, last label. */ + const int len = knot_dname_size(qname) - 2; /* Skip first, last label. First is length, last is always root */ for (int i = 0; i < len; ++i) { /* Note: this relies on the fact that correct label lengths * can't pass the isletter() test (by "luck"). */ @@ -157,23 +164,6 @@ } } -/** Invalidate current NS/addr pair. */ -static int invalidate_ns(struct kr_rplan *rplan, struct kr_query *qry) -{ - if (qry->ns.addr[0].ip.sa_family != AF_UNSPEC) { - const char *addr = kr_inaddr(&qry->ns.addr[0].ip); - int addr_len = kr_inaddr_len(&qry->ns.addr[0].ip); - int ret = kr_zonecut_del(&qry->zone_cut, qry->ns.name, addr, addr_len); - /* Also remove it from the qry->ns.addr array. - * That's useful at least for STUB and FORWARD modes. */ - memmove(qry->ns.addr, qry->ns.addr + 1, - sizeof(qry->ns.addr[0]) * (KR_NSREP_MAXADDR - 1)); - return ret; - } else { - return kr_zonecut_del_all(&qry->zone_cut, qry->ns.name); - } -} - /** This turns of QNAME minimisation if there is a non-terminal between current zone cut, and name target. * It save several minimization steps, as the zone cut is likely final one. */ @@ -310,71 +300,6 @@ return KR_STATE_PRODUCE; } -static int ns_resolve_addr(struct kr_query *qry, struct kr_request *req) -{ - struct kr_rplan *rplan = &req->rplan; - struct kr_context *ctx = req->ctx; - - - /* Start NS queries from root, to avoid certain cases - * where a NS drops out of cache and the rest is unavailable, - * this would lead to dependency loop in current zone cut. - * Prefer IPv6 and continue with IPv4 if not available. - */ - uint16_t next_type = 0; - if (!(qry->flags.AWAIT_IPV6) && - !(ctx->options.NO_IPV6)) { - next_type = KNOT_RRTYPE_AAAA; - qry->flags.AWAIT_IPV6 = true; - } else if (!(qry->flags.AWAIT_IPV4) && - !(ctx->options.NO_IPV4)) { - next_type = KNOT_RRTYPE_A; - qry->flags.AWAIT_IPV4 = true; - /* Hmm, no useable IPv6 then. */ - qry->ns.reputation |= KR_NS_NOIP6; - kr_nsrep_update_rep(&qry->ns, qry->ns.reputation, ctx->cache_rep); - } - /* Bail out if the query is already pending or dependency loop. */ - if (!next_type || kr_rplan_satisfies(qry->parent, qry->ns.name, KNOT_CLASS_IN, next_type)) { - /* Fall back to SBELT if root server query fails. */ - if (!next_type && qry->zone_cut.name[0] == '\0') { - VERBOSE_MSG(qry, "=> fallback to root hints\n"); - kr_zonecut_set_sbelt(ctx, &qry->zone_cut); - qry->flags.NO_THROTTLE = true; /* Pick even bad SBELT servers */ - return kr_error(EAGAIN); - } - /* No IPv4 nor IPv6, flag server as unusable. */ - ++req->count_no_nsaddr; - VERBOSE_MSG(qry, "=> unresolvable NS address, bailing out (counter: %u)\n", - req->count_no_nsaddr); - qry->ns.reputation |= KR_NS_NOIP4 | KR_NS_NOIP6; - kr_nsrep_update_rep(&qry->ns, qry->ns.reputation, ctx->cache_rep); - invalidate_ns(rplan, qry); - return kr_error(EHOSTUNREACH); - } - /* Push new query to the resolution plan */ - struct kr_query *next = - kr_rplan_push(rplan, qry, qry->ns.name, KNOT_CLASS_IN, next_type); - if (!next) { - return kr_error(ENOMEM); - } - next->flags.NONAUTH = true; - - /* At the root level with no NS addresses, add SBELT subrequest. */ - int ret = 0; - if (qry->zone_cut.name[0] == '\0') { - ret = kr_zonecut_set_sbelt(ctx, &next->zone_cut); - if (ret == 0) { /* Copy TA and key since it's the same cut to avoid lookup. */ - kr_zonecut_copy_trust(&next->zone_cut, &qry->zone_cut); - kr_zonecut_set_sbelt(ctx, &qry->zone_cut); /* Add SBELT to parent in case query fails. */ - qry->flags.NO_THROTTLE = true; /* Pick even bad SBELT servers */ - } - } else { - next->flags.AWAIT_CUT = true; - } - return ret; -} - static int edns_put(knot_pkt_t *pkt, bool reclaim) { if (!pkt->opt_rr) { @@ -681,7 +606,7 @@ static int query_finalize(struct kr_request *request, struct kr_query *qry, knot_pkt_t *pkt) { knot_pkt_begin(pkt, KNOT_ADDITIONAL); - if (qry->flags.SAFEMODE) + if (qry->flags.NO_EDNS) return kr_ok(); /* Remove any EDNS records from any previous iteration. */ int ret = edns_erase_and_reserve(pkt); @@ -776,7 +701,7 @@ return request->state; } -knot_pkt_t * kr_request_ensure_answer(struct kr_request *request) +knot_pkt_t *kr_request_ensure_answer(struct kr_request *request) { if (request->answer) return request->answer; @@ -839,84 +764,6 @@ return request->answer = NULL; } -KR_PURE static bool kr_inaddr_equal(const struct sockaddr *a, const struct sockaddr *b) -{ - const int a_len = kr_inaddr_len(a); - const int b_len = kr_inaddr_len(b); - return a_len == b_len && memcmp(kr_inaddr(a), kr_inaddr(b), a_len) == 0; -} - -static void update_nslist_rtt(struct kr_context *ctx, struct kr_query *qry, const struct sockaddr *src) -{ - /* Do not track in safe mode. */ - if (qry->flags.SAFEMODE) { - return; - } - - /* Calculate total resolution time from the time the query was generated. */ - uint64_t elapsed = kr_now() - qry->timestamp_mono; - elapsed = elapsed > UINT_MAX ? UINT_MAX : elapsed; - - /* NSs in the preference list prior to the one who responded will be penalised - * with the RETRY timer interval. This is because we know they didn't respond - * for N retries, so their RTT must be at least N * RETRY. - * The NS in the preference list that responded will have RTT relative to the - * time when the query was sent out, not when it was originated. - */ - for (size_t i = 0; i < KR_NSREP_MAXADDR; ++i) { - const struct sockaddr *addr = &qry->ns.addr[i].ip; - if (addr->sa_family == AF_UNSPEC) { - break; - } - /* If this address is the source of the answer, update its RTT */ - if (kr_inaddr_equal(src, addr)) { - kr_nsrep_update_rtt(&qry->ns, addr, elapsed, ctx->cache_rtt, KR_NS_UPDATE); - WITH_VERBOSE(qry) { - char addr_str[INET6_ADDRSTRLEN]; - inet_ntop(addr->sa_family, kr_inaddr(addr), addr_str, sizeof(addr_str)); - VERBOSE_MSG(qry, "<= server: '%s' rtt: %"PRIu64" ms\n", - addr_str, elapsed); - } - } else { - /* Response didn't come from this IP, but we know the RTT must be at least - * several RETRY timer tries, e.g. if we have addresses [a, b, c] and we have - * tried [a, b] when the answer from 'a' came after 350ms, then we know - * that 'b' didn't respond for at least 350 - (1 * 300) ms. We can't say that - * its RTT is 50ms, but we can say that its score shouldn't be less than 50. */ - kr_nsrep_update_rtt(&qry->ns, addr, elapsed, ctx->cache_rtt, KR_NS_MAX); - WITH_VERBOSE(qry) { - char addr_str[INET6_ADDRSTRLEN]; - inet_ntop(addr->sa_family, kr_inaddr(addr), addr_str, sizeof(addr_str)); - VERBOSE_MSG(qry, "<= server: '%s' rtt: >= %"PRIu64" ms\n", - addr_str, elapsed); - } - } - /* Subtract query start time from elapsed time */ - if (elapsed < KR_CONN_RETRY) { - break; - } - elapsed = elapsed - KR_CONN_RETRY; - } -} - -static void update_nslist_score(struct kr_request *request, struct kr_query *qry, const struct sockaddr *src, knot_pkt_t *packet) -{ - struct kr_context *ctx = request->ctx; - /* On successful answer, update preference list RTT and penalise timer */ - if (!(request->state & KR_STATE_FAIL)) { - /* Update RTT information for preference list */ - update_nslist_rtt(ctx, qry, src); - /* Do not complete NS address resolution on soft-fail. */ - const int rcode = packet ? knot_wire_get_rcode(packet->wire) : 0; - if (rcode != KNOT_RCODE_SERVFAIL && rcode != KNOT_RCODE_REFUSED) { - qry->flags.AWAIT_IPV6 = false; - qry->flags.AWAIT_IPV4 = false; - } else { /* Penalize SERVFAILs. */ - kr_nsrep_update_rtt(&qry->ns, src, KR_NS_PENALTY, ctx->cache_rtt, KR_NS_ADD); - } - } -} - static bool resolution_time_exceeded(struct kr_query *qry, uint64_t now) { uint64_t resolving_time = now - qry->creation_time_mono; @@ -929,7 +776,7 @@ return false; } -int kr_resolve_consume(struct kr_request *request, const struct sockaddr *src, knot_pkt_t *packet) +int kr_resolve_consume(struct kr_request *request, struct kr_transport **transport, knot_pkt_t *packet) { struct kr_rplan *rplan = &request->rplan; @@ -946,11 +793,7 @@ } bool tried_tcp = (qry->flags.TCP); if (!packet || packet->size == 0) { - if (tried_tcp) { - request->state = KR_STATE_FAIL; - } else { - qry->flags.TCP = true; - } + return KR_STATE_PRODUCE; } else { /* Packet cleared, derandomize QNAME. */ knot_dname_t *qname_raw = knot_pkt_qname(packet); @@ -963,25 +806,29 @@ } else { /* Fill in source and latency information. */ request->upstream.rtt = kr_now() - qry->timestamp_mono; - request->upstream.addr = src; + request->upstream.transport = transport ? *transport : NULL; ITERATE_LAYERS(request, qry, consume, packet); /* Clear temporary information */ - request->upstream.addr = NULL; + request->upstream.transport = NULL; request->upstream.rtt = 0; } } - /* Track RTT for iterative answers */ - if (src && !(qry->flags.CACHED)) { - update_nslist_score(request, qry, src, packet); + if (transport && !qry->flags.CACHED) { + if (!(request->state & KR_STATE_FAIL)) { + /* Do not complete NS address resolution on soft-fail. */ + const int rcode = packet ? knot_wire_get_rcode(packet->wire) : 0; + if (rcode != KNOT_RCODE_SERVFAIL && rcode != KNOT_RCODE_REFUSED) { + qry->flags.AWAIT_IPV6 = false; + qry->flags.AWAIT_IPV4 = false; + } + } } - /* Resolution failed, invalidate current NS. */ + if (request->state & KR_STATE_FAIL) { - invalidate_ns(rplan, qry); qry->flags.RESOLVED = false; } - /* For multiple errors in a row; invalidate_ns() is not enough. */ if (!qry->flags.CACHED) { if (request->state & KR_STATE_FAIL) { if (++request->count_fail_row > KR_CONSUME_FAIL_ROW_LIMIT) { @@ -991,6 +838,10 @@ "bail out (mitigation for NXNSAttack " "CVE-2020-12667)\n"); } + if (!qry->flags.NO_NS_FOUND) { + qry->flags.NO_NS_FOUND = true; + return KR_STATE_PRODUCE; + } return KR_STATE_FAIL; } } else { @@ -1016,7 +867,12 @@ /* Do not finish with bogus answer. */ if (qry->flags.DNSSEC_BOGUS) { - return KR_STATE_FAIL; + if (qry->flags.FORWARD || qry->flags.STUB) { + return KR_STATE_FAIL; + } + /* Other servers might not have broken DNSSEC. */ + qry->flags.DNSSEC_BOGUS = false; + return KR_STATE_PRODUCE; } return kr_rplan_empty(&request->rplan) ? KR_STATE_DONE : KR_STATE_PRODUCE; @@ -1368,17 +1224,79 @@ return trust_chain_check(request, qry); } -int kr_resolve_produce(struct kr_request *request, struct sockaddr **dst, int *type, knot_pkt_t *packet) + +static int ns_resolve_addr(struct kr_query *qry, struct kr_request *param, struct kr_transport *transport, uint16_t next_type) +{ + struct kr_rplan *rplan = ¶m->rplan; + struct kr_context *ctx = param->ctx; + + + /* Start NS queries from root, to avoid certain cases + * where a NS drops out of cache and the rest is unavailable, + * this would lead to dependency loop in current zone cut. + */ + + /* Bail out if the query is already pending or dependency loop. */ + if (!next_type || kr_rplan_satisfies(qry->parent, transport->ns_name, KNOT_CLASS_IN, next_type)) { + /* Fall back to SBELT if root server query fails. */ + if (!next_type && qry->zone_cut.name[0] == '\0') { + VERBOSE_MSG(qry, "=> fallback to root hints\n"); + kr_zonecut_set_sbelt(ctx, &qry->zone_cut); + return kr_error(EAGAIN); + } + /* No IPv4 nor IPv6, flag server as unusable. */ + VERBOSE_MSG(qry, "=> unresolvable NS address, bailing out\n"); + kr_zonecut_del_all(&qry->zone_cut, transport->ns_name); + return kr_error(EHOSTUNREACH); + } + /* Push new query to the resolution plan */ + struct kr_query *next = + kr_rplan_push(rplan, qry, transport->ns_name, KNOT_CLASS_IN, next_type); + if (!next) { + return kr_error(ENOMEM); + } + next->flags.NONAUTH = true; + + /* At the root level with no NS addresses, add SBELT subrequest. */ + int ret = 0; + if (qry->zone_cut.name[0] == '\0') { + ret = kr_zonecut_set_sbelt(ctx, &next->zone_cut); + if (ret == 0) { /* Copy TA and key since it's the same cut to avoid lookup. */ + kr_zonecut_copy_trust(&next->zone_cut, &qry->zone_cut); + kr_zonecut_set_sbelt(ctx, &qry->zone_cut); /* Add SBELT to parent in case query fails. */ + } + } else { + next->flags.AWAIT_CUT = true; + } + + if (ret == 0) { + if (next_type == KNOT_RRTYPE_AAAA) { + qry->flags.AWAIT_IPV6 = true; + } else { + qry->flags.AWAIT_IPV4 = true; + } + } + + return ret; +} + +int kr_resolve_produce(struct kr_request *request, struct kr_transport **transport, knot_pkt_t *packet) { struct kr_rplan *rplan = &request->rplan; - unsigned ns_election_iter = 0; /* No query left for resolution */ if (kr_rplan_empty(rplan)) { return KR_STATE_FAIL; } - /* If we have deferred answers, resume them. */ + struct kr_query *qry = array_tail(rplan->pending); + + /* Initialize server selection */ + if (!qry->server_selection.initialized) { + kr_server_selection_init(qry); + } + + /* If we have deferred answers, resume them. */ if (qry->deferred != NULL) { /* @todo: Refactoring validator, check trust chain before resuming. */ int state = 0; @@ -1456,73 +1374,42 @@ } } -ns_election: - - if (unlikely(request->count_no_nsaddr >= KR_COUNT_NO_NSADDR_LIMIT)) { - VERBOSE_MSG(qry, "=> too many unresolvable NSs, bail out " - "(mitigation for NXNSAttack CVE-2020-12667)\n"); - return KR_STATE_FAIL; - } - /* If the query has already selected a NS and is waiting for IPv4/IPv6 record, - * elect best address only, otherwise elect a completely new NS. - */ - if(++ns_election_iter >= KR_ITER_LIMIT) { - VERBOSE_MSG(qry, "=> couldn't converge NS selection, bail out\n"); - return KR_STATE_FAIL; - } const struct kr_qflags qflg = qry->flags; const bool retry = qflg.TCP || qflg.BADCOOKIE_AGAIN; - if (qflg.AWAIT_IPV4 || qflg.AWAIT_IPV6) { - kr_nsrep_elect_addr(qry, request->ctx); - } else if (qflg.FORWARD || qflg.STUB) { - kr_nsrep_sort(&qry->ns, request->ctx); - if (qry->ns.score > KR_NS_MAX_SCORE) { - /* At the moment all NS have bad reputation. - * But there can be existing connections*/ - VERBOSE_MSG(qry, "=> no valid NS left\n"); - return KR_STATE_FAIL; - } - } else if (!qry->ns.name || !retry) { /* Keep NS when requerying/stub/badcookie. */ + if (!qflg.FORWARD && !qflg.STUB && !retry) { /* Keep NS when requerying/stub/badcookie. */ /* Root DNSKEY must be fetched from the hints to avoid chicken and egg problem. */ if (qry->sname[0] == '\0' && qry->stype == KNOT_RRTYPE_DNSKEY) { kr_zonecut_set_sbelt(request->ctx, &qry->zone_cut); - qry->flags.NO_THROTTLE = true; /* Pick even bad SBELT servers */ } - kr_nsrep_elect(qry, request->ctx); - if (qry->ns.score > KR_NS_MAX_SCORE) { - if (kr_zonecut_is_empty(&qry->zone_cut)) { - VERBOSE_MSG(qry, "=> no NS with an address\n"); - } else { - VERBOSE_MSG(qry, "=> no valid NS left\n"); - } - if (!qry->flags.NO_NS_FOUND) { - qry->flags.NO_NS_FOUND = true; - } else { - ITERATE_LAYERS(request, qry, reset); - kr_rplan_pop(rplan, qry); - } + } + + qry->server_selection.choose_transport(qry, transport); + + if (*transport == NULL) { + /* Properly signal to serve_stale module. */ + if (qry->flags.NO_NS_FOUND) { + ITERATE_LAYERS(request, qry, reset); + kr_rplan_pop(rplan, qry); + return KR_STATE_FAIL; + } else { + /* FIXME: This is probably quite inefficient: + * we go through the whole qr_task_step loop just because of the serve_stale + * module which might not even be loaded. */ + qry->flags.NO_NS_FOUND = true; return KR_STATE_PRODUCE; } } - /* Resolve address records */ - if (qry->ns.addr[0].ip.sa_family == AF_UNSPEC) { - int ret = ns_resolve_addr(qry, request); - if (ret != 0) { - qry->flags.AWAIT_IPV6 = false; - qry->flags.AWAIT_IPV4 = false; - qry->flags.TCP = false; - qry->ns.name = NULL; - goto ns_election; /* Must try different NS */ - } + if ((*transport)->protocol == KR_TRANSPORT_RESOLVE_A || (*transport)->protocol == KR_TRANSPORT_RESOLVE_AAAA) { + uint16_t type = (*transport)->protocol == KR_TRANSPORT_RESOLVE_A ? KNOT_RRTYPE_A : KNOT_RRTYPE_AAAA; + ns_resolve_addr(qry, qry->request, *transport, type); ITERATE_LAYERS(request, qry, reset); return KR_STATE_PRODUCE; } - /* Randomize query case (if not in safe mode or turned off) */ - qry->secret = (qry->flags.SAFEMODE || qry->flags.NO_0X20) - ? 0 : kr_rand_bytes(sizeof(qry->secret)); + /* Randomize query case (if not in not turned off) */ + qry->secret = qry->flags.NO_0X20 ? 0 : kr_rand_bytes(sizeof(qry->secret)); knot_dname_t *qname_raw = knot_pkt_qname(packet); randomized_qname_case(qname_raw, qry->secret); @@ -1531,8 +1418,6 @@ * kr_resolve_checkout(). */ qry->timestamp_mono = kr_now(); - *dst = &qry->ns.addr[0].ip; - *type = (qry->flags.TCP) ? SOCK_STREAM : SOCK_DGRAM; return request->state; } @@ -1569,7 +1454,7 @@ #endif /* ENABLE_COOKIES */ int kr_resolve_checkout(struct kr_request *request, const struct sockaddr *src, - struct sockaddr *dst, int type, knot_pkt_t *packet) + struct kr_transport *transport, knot_pkt_t *packet) { /* @todo: Update documentation if this function becomes approved. */ @@ -1593,7 +1478,7 @@ * actual cookie. If we don't know the server address then we * also don't know the actual cookie size. */ - if (!outbound_request_update_cookies(request, src, dst)) { + if (!outbound_request_update_cookies(request, src, &transport->address.ip)) { return kr_error(EINVAL); } } @@ -1610,8 +1495,20 @@ /* Run the checkout layers and cancel on failure. * The checkout layer doesn't persist the state, so canceled subrequests * don't affect the resolution or rest of the processing. */ + int type = -1; + switch(transport->protocol) { + case KR_TRANSPORT_UDP: + type = SOCK_DGRAM; + break; + case KR_TRANSPORT_TCP: + case KR_TRANSPORT_TLS: + type = SOCK_STREAM; + break; + default: + assert(0); + } int state = request->state; - ITERATE_LAYERS(request, qry, checkout, packet, dst, type); + ITERATE_LAYERS(request, qry, checkout, packet, &transport->address.ip, type); if (request->state & KR_STATE_FAIL) { request->state = state; /* Restore */ return kr_error(ECANCELED); @@ -1624,7 +1521,7 @@ } /* Write down OPT unless in safemode */ - if (!(qry->flags.SAFEMODE)) { + if (!(qry->flags.NO_EDNS)) { ret = edns_put(packet, true); if (ret != 0) { return kr_error(EINVAL); @@ -1634,26 +1531,17 @@ WITH_VERBOSE(qry) { KR_DNAME_GET_STR(qname_str, knot_pkt_qname(packet)); + KR_DNAME_GET_STR(ns_name, transport->ns_name); KR_DNAME_GET_STR(zonecut_str, qry->zone_cut.name); KR_RRTYPE_GET_STR(type_str, knot_pkt_qtype(packet)); + const char *ns_str = kr_straddr(&transport->address.ip); - for (size_t i = 0; i < KR_NSREP_MAXADDR; ++i) { - struct sockaddr *addr = &qry->ns.addr[i].ip; - if (addr->sa_family == AF_UNSPEC) { - break; - } - if (!kr_inaddr_equal(dst, addr)) { - continue; - } - const char *ns_str = kr_straddr(addr); - VERBOSE_MSG(qry, - "=> id: '%05u' querying: '%s' score: %u zone cut: '%s' " + VERBOSE_MSG(qry, + "=> id: '%05u' querying: '%s'@'%s' zone cut: '%s' " "qname: '%s' qtype: '%s' proto: '%s'\n", - qry->id, ns_str ? ns_str : "", qry->ns.score, zonecut_str, + qry->id, ns_name, ns_str ? ns_str : "", zonecut_str, qname_str, type_str, (qry->flags.TCP) ? "tcp" : "udp"); - - break; - }} + } return kr_ok(); } diff -Nru knot-resolver-5.2.1/lib/resolve.h knot-resolver-5.3.1/lib/resolve.h --- knot-resolver-5.2.1/lib/resolve.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/resolve.h 2021-03-31 15:15:36.000000000 +0000 @@ -13,7 +13,7 @@ #include "lib/layer.h" #include "lib/generic/map.h" #include "lib/generic/array.h" -#include "lib/nsrep.h" +#include "lib/selection.h" #include "lib/rplan.h" #include "lib/module.h" #include "lib/cache/api.h" @@ -149,6 +149,7 @@ */ struct kr_context { + /** Default kr_request flags. For startup defaults see init_resolver() */ struct kr_qflags options; /** Default EDNS towards *both* clients and upstream. @@ -161,9 +162,7 @@ map_t negative_anchors; struct kr_zonecut root_hints; struct kr_cache cache; - kr_nsrep_rtt_lru_t *cache_rtt; unsigned cache_rtt_tout_retry_interval; - kr_nsrep_lru_t *cache_rep; module_array_t *modules; /* The cookie context structure should not be held within the cookies * module because of better access. */ @@ -182,6 +181,10 @@ bool xdp:1; /**< true if the request is on AF_XDP; only meaningful if (dst_addr). */ }; +typedef bool (*addr_info_f)(struct sockaddr*); +typedef void (*async_resolution_f)(knot_dname_t*, enum knot_rr_type); +typedef array_t(union inaddr) inaddr_array_t; + /** * Name resolution request. * @@ -210,7 +213,7 @@ } qsource; struct { unsigned rtt; /**< Current upstream RTT */ - const struct sockaddr *addr; /**< Current upstream address */ + const struct kr_transport *transport; /**< Current upstream transport */ } upstream; /**< Upstream information, valid only in consume() phase */ struct kr_qflags options; int state; @@ -235,6 +238,12 @@ int vars_ref; /**< Reference to per-request variable table. LUA_NOREF if not set. */ knot_mm_t pool; unsigned int uid; /**< for logging purposes only */ + struct { + addr_info_f is_tls_capable; + addr_info_f is_tcp_connected; + addr_info_f is_tcp_waiting; + inaddr_array_t forwarding_targets; /**< When forwarding, possible targets are put here */ + } selection_context; unsigned int count_no_nsaddr; unsigned int count_fail_row; alloc_wire_f alloc_wire_cb; /**< CB to allocate answer wire (can be NULL). */ @@ -281,7 +290,7 @@ * @return any state */ KR_EXPORT -int kr_resolve_consume(struct kr_request *request, const struct sockaddr *src, knot_pkt_t *packet); +int kr_resolve_consume(struct kr_request *request, struct kr_transport **transport, knot_pkt_t *packet); /** * Produce either next additional query or finish. @@ -297,7 +306,7 @@ * @return any state */ KR_EXPORT -int kr_resolve_produce(struct kr_request *request, struct sockaddr **dst, int *type, knot_pkt_t *packet); +int kr_resolve_produce(struct kr_request *request, struct kr_transport **transport, knot_pkt_t *packet); /** * Finalises the outbound query packet with the knowledge of the IP addresses. @@ -313,7 +322,7 @@ */ KR_EXPORT int kr_resolve_checkout(struct kr_request *request, const struct sockaddr *src, - struct sockaddr *dst, int type, knot_pkt_t *packet); + struct kr_transport *transport, knot_pkt_t *packet); /** * Finish resolution and commit results if the state is DONE. @@ -343,4 +352,3 @@ */ KR_EXPORT KR_PURE knot_mm_t *kr_resolve_pool(struct kr_request *request); - diff -Nru knot-resolver-5.2.1/lib/rplan.c knot-resolver-5.3.1/lib/rplan.c --- knot-resolver-5.2.1/lib/rplan.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/rplan.c 2021-03-31 15:15:36.000000000 +0000 @@ -69,12 +69,11 @@ static struct kr_query *query_create(knot_mm_t *pool, const knot_dname_t *name, uint32_t uid) { - struct kr_query *qry = mm_alloc(pool, sizeof(struct kr_query)); + struct kr_query *qry = mm_calloc(pool, 1, sizeof(*qry)); if (qry == NULL) { return NULL; } - memset(qry, 0, sizeof(struct kr_query)); if (name != NULL) { qry->sname = knot_dname_copy(name, pool); if (qry->sname == NULL) { @@ -159,22 +158,13 @@ qry->flags = rplan->request->options; qry->parent = parent; qry->request = rplan->request; - qry->ns.ctx = rplan->request->ctx; - qry->ns.addr[0].ip.sa_family = AF_UNSPEC; + gettimeofday(&qry->timestamp, NULL); qry->timestamp_mono = kr_now(); qry->creation_time_mono = parent ? parent->creation_time_mono : qry->timestamp_mono; kr_zonecut_init(&qry->zone_cut, (const uint8_t *)"", rplan->pool); qry->reorder = qry->flags.REORDER_RR ? kr_rand_bytes(sizeof(qry->reorder)) : 0; - /* When forwarding, keep the nameserver addresses. */ - if (parent && parent->flags.FORWARD && qry->flags.FORWARD) { - ret = kr_nsrep_copy_set(&qry->ns, &parent->ns); - if (ret) { - query_free(rplan->pool, qry); - return NULL; - } - } assert((rplan->pending.len == 0 && rplan->resolved.len == 0) == (rplan->initial == NULL)); diff -Nru knot-resolver-5.2.1/lib/rplan.h knot-resolver-5.3.1/lib/rplan.h --- knot-resolver-5.2.1/lib/rplan.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/rplan.h 2021-03-31 15:15:36.000000000 +0000 @@ -8,26 +8,25 @@ #include #include +#include "lib/selection.h" #include "lib/cache/api.h" #include "lib/zonecut.h" -#include "lib/nsrep.h" /** Query flags */ struct kr_qflags { bool NO_MINIMIZE : 1; /**< Don't minimize QNAME. */ - bool NO_THROTTLE : 1; /**< No query/slow NS throttling. */ bool NO_IPV6 : 1; /**< Disable IPv6 */ bool NO_IPV4 : 1; /**< Disable IPv4 */ - bool TCP : 1; /**< Use TCP for this query. */ + bool TCP : 1; /**< Use TCP (or TLS) for this query. */ bool RESOLVED : 1; /**< Query is resolved. Note that kr_query gets * RESOLVED before following a CNAME chain; see .CNAME. */ bool AWAIT_IPV4 : 1; /**< Query is waiting for A address. */ bool AWAIT_IPV6 : 1; /**< Query is waiting for AAAA address. */ bool AWAIT_CUT : 1; /**< Query is waiting for zone cut lookup */ - bool SAFEMODE : 1; /**< Don't use fancy stuff (EDNS, 0x20, ...) */ + bool NO_EDNS : 1; /**< Don't use EDNS. */ bool CACHED : 1; /**< Query response is cached. */ bool NO_CACHE : 1; /**< No cache for lookup; exception: finding NSs and subqueries. */ - bool EXPIRING : 1; /**< Query response is cached, but expiring. */ + bool EXPIRING : 1; /**< Query response is cached but expiring. See is_expiring(). */ bool ALLOW_LOCAL : 1; /**< Allow queries to local or private address ranges. */ bool DNSSEC_WANT : 1; /**< Want DNSSEC secured answer; exception: +cd, * i.e. knot_wire_get_cd(request->qsource.packet->wire) */ @@ -101,8 +100,7 @@ struct kr_query *cname_parent; struct kr_request *request; /**< Parent resolution request. */ kr_stale_cb stale_cb; /**< See the type */ - /* Beware: this must remain the last, because of lua bindings. */ - struct kr_nsrep ns; + struct kr_server_selection server_selection; }; /** @cond internal Array of queries. */ diff -Nru knot-resolver-5.2.1/lib/selection.c knot-resolver-5.3.1/lib/selection.c --- knot-resolver-5.2.1/lib/selection.c 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/lib/selection.c 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,751 @@ +#include + +#include "lib/selection.h" +#include "lib/selection_forward.h" +#include "lib/selection_iter.h" +#include "lib/generic/pack.h" +#include "lib/generic/trie.h" +#include "lib/rplan.h" +#include "lib/cache/api.h" +#include "lib/resolve.h" + +#include "daemon/worker.h" +#include "daemon/tls.h" + +#include "lib/utils.h" + +#define VERBOSE_MSG(qry, ...) QRVERBOSE((qry), "slct", __VA_ARGS__) + +#define DEFAULT_TIMEOUT 400 +#define MAX_TIMEOUT 10000 +#define EXPLORE_TIMEOUT_COEFFICIENT 2 +#define MAX_BACKOFF 5 +#define MINIMAL_TIMEOUT_ADDITION 20 + +/* After TCP_TIMEOUT_THRESHOLD timeouts one transport, we'll switch to TCP. */ +#define TCP_TIMEOUT_THRESHOLD 2 +/* If the expected RTT is over TCP_RTT_THRESHOLD we switch to TCP instead. */ +#define TCP_RTT_THRESHOLD 2000 + +/* Define ε for ε-greedy algorithm (see select_transport) + * as ε=EPSILON_NOMIN/EPSILON_DENOM */ +#define EPSILON_NOMIN 1 +#define EPSILON_DENOM 20 + +static const char *kr_selection_error_str(enum kr_selection_error err) { + switch (err) { + #define X(ENAME) case KR_SELECTION_ ## ENAME: return #ENAME + X(OK); + X(QUERY_TIMEOUT); + X(TLS_HANDSHAKE_FAILED); + X(TCP_CONNECT_FAILED); + X(TCP_CONNECT_TIMEOUT); + X(REFUSED); + X(SERVFAIL); + X(FORMERR); + X(FORMERR_EDNS); + X(NOTIMPL); + X(OTHER_RCODE); + X(MALFORMED); + X(MISMATCHED); + X(TRUNCATED); + X(DNSSEC_ERROR); + X(LAME_DELEGATION); + X(BAD_CNAME); + case KR_SELECTION_NUMBER_OF_ERRORS: break; // not a valid code + #undef X + } + assert(false); // we want to define all; compiler helps by -Wswitch (no default:) + return NULL; +} + + +/* Simple detection of IPv6 being broken. + * + * We follow all IPv6 timeouts and successes. Consider it broken iff we've had + * timeouts on several different IPv6 prefixes since the last IPv6 success. + * Note: unlike the rtt_state, this happens only per-process (for simplicity). + * + * ## NO6_PREFIX_* choice + * For our practical use we choose primarily based on root and typical TLD servers. + * Looking at *.{root,gtld}-servers.net, we have 7/26 AAAAs in 2001:500:00**:: + * but adding one more byte makes these completely unique, so we choose /48. + * As distribution to ASs seems to be on shorter prefixes (RIPE: /32 -- /24?), + * we wait for several distinct prefixes. + */ + +#define NO6_PREFIX_COUNT 6 +#define NO6_PREFIX_BYTES (48/8) +static struct { + int len_used; + uint8_t addr_prefixes[NO6_PREFIX_COUNT][NO6_PREFIX_BYTES]; +} no6_est = { .len_used = 0 }; + +static inline bool no6_is_bad(void) +{ + return no6_est.len_used == NO6_PREFIX_COUNT; +} + +static void no6_timeouted(const struct kr_query *qry, const uint8_t *addr) +{ + if (no6_is_bad()) { // we can't get worse + VERBOSE_MSG(qry, "NO6: timeouted, but bad already\n"); + return; + } + // If we have the address already, do nothing. + for (int i = 0; i < no6_est.len_used; ++i) { + if (memcmp(addr, no6_est.addr_prefixes[i], NO6_PREFIX_BYTES) == 0) { + VERBOSE_MSG(qry, "NO6: timeouted, repeated prefix, timeouts %d/%d\n", + no6_est.len_used, (int)NO6_PREFIX_COUNT); + return; + } + } + // Append! + memcpy(no6_est.addr_prefixes[no6_est.len_used++], addr, NO6_PREFIX_BYTES); + VERBOSE_MSG(qry, "NO6: timeouted, appended, timeouts %d/%d\n", + no6_est.len_used, (int)NO6_PREFIX_COUNT); +} + +static inline void no6_success(const struct kr_query *qry) +{ + if (no6_est.len_used) { + VERBOSE_MSG(qry, "NO6: success, zeroing %d/%d\n", + no6_est.len_used, (int)NO6_PREFIX_COUNT); + } + no6_est.len_used = 0; +} + + +/* Simple cache interface follows */ + +static knot_db_val_t cache_key(const uint8_t *ip, size_t len) +{ + // CACHE_KEY_DEF: '\0' + 'S' + raw IP + const size_t key_len = len + 2; + uint8_t *key_data = malloc(key_len); + key_data[0] = '\0'; + key_data[1] = 'S'; + memcpy(key_data + 2, ip, len); + knot_db_val_t key = { + .len = key_len, + .data = key_data, + }; + return key; +} + +/* First value of timeout will be calculated as SRTT+4*VARIANCE + * by calc_timeout(), so it'll be equal to DEFAULT_TIMEOUT. */ +static const struct rtt_state default_rtt_state = { .srtt = 0, + .variance = DEFAULT_TIMEOUT / 4, + .consecutive_timeouts = 0, + .dead_since = 0 }; + +struct rtt_state get_rtt_state(const uint8_t *ip, size_t len, + struct kr_cache *cache) +{ + struct rtt_state state; + knot_db_val_t value; + knot_db_t *db = cache->db; + struct kr_cdb_stats *stats = &cache->stats; + + knot_db_val_t key = cache_key(ip, len); + + if (cache->api->read(db, stats, &key, &value, 1)) { + state = default_rtt_state; + } else if (value.len != sizeof(struct rtt_state)) { + assert(false); // shouldn't happen but let's be more robust + state = default_rtt_state; + } else { + state = *(struct rtt_state *)value.data; + } + + free(key.data); + return state; +} + +int put_rtt_state(const uint8_t *ip, size_t len, struct rtt_state state, + struct kr_cache *cache) +{ + knot_db_t *db = cache->db; + struct kr_cdb_stats *stats = &cache->stats; + + knot_db_val_t key = cache_key(ip, len); + knot_db_val_t value = { .len = sizeof(struct rtt_state), + .data = &state }; + + int ret = cache->api->write(db, stats, &key, &value, 1); + cache->api->commit(db, stats); + + free(key.data); + return ret; +} + +void bytes_to_ip(uint8_t *bytes, size_t len, uint16_t port, union inaddr *dst) +{ + switch (len) { + case sizeof(struct in_addr): + dst->ip4.sin_family = AF_INET; + memcpy(&dst->ip4.sin_addr, bytes, len); + dst->ip4.sin_port = htons(port); + break; + case sizeof(struct in6_addr): + memset(&dst->ip6, 0, sizeof(dst->ip6)); // avoid uninit surprises + dst->ip6.sin6_family = AF_INET6; + memcpy(&dst->ip6.sin6_addr, bytes, len); + dst->ip6.sin6_port = htons(port); + break; + default: + assert(0); + } +} + +uint8_t *ip_to_bytes(const union inaddr *src, size_t len) +{ + switch (len) { + case sizeof(struct in_addr): + return (uint8_t *)&src->ip4.sin_addr; + case sizeof(struct in6_addr): + return (uint8_t *)&src->ip6.sin6_addr; + default: + assert(0); + return NULL; + } +} + +static bool no_rtt_info(struct rtt_state s) +{ + return s.srtt == 0 && s.consecutive_timeouts == 0; +} + +static unsigned back_off_timeout(uint32_t to, int pow) +{ + pow = MIN(pow, MAX_BACKOFF); + to <<= pow; + return MIN(to, MAX_TIMEOUT); +} + +/* This is verbatim (minus the default timeout value and minimal variance) + * RFC6298, sec. 2. */ +static unsigned calc_timeout(struct rtt_state state) +{ + int32_t timeout = state.srtt + MAX(4 * state.variance, MINIMAL_TIMEOUT_ADDITION); + return back_off_timeout(timeout, state.consecutive_timeouts); +} + +/* This is verbatim RFC6298, sec. 2. */ +static struct rtt_state calc_rtt_state(struct rtt_state old, unsigned new_rtt) +{ + if (no_rtt_info(old)) { + return (struct rtt_state){ new_rtt, new_rtt / 2, 0 }; + } + + struct rtt_state ret = { 0 }; + ret.variance = (3 * old.variance + abs(old.srtt - (int32_t)new_rtt) + + 2/*rounding*/) / 4; + ret.srtt = (7 * old.srtt + new_rtt + 4/*rounding*/) / 8; + + return ret; +} + +/** + * @internal Invalidate addresses which should be considered dead + */ +static void invalidate_dead_upstream(struct address_state *state, + unsigned int retry_timeout) +{ + struct rtt_state *rs = &state->rtt_state; + if (rs->consecutive_timeouts >= KR_NS_TIMEOUT_ROW_DEAD) { + uint64_t now = kr_now(); + if (now < rs->dead_since) { + // broken continuity of timestamp (reboot, different machine, etc.) + *rs = default_rtt_state; + } else if (now < rs->dead_since + retry_timeout) { + // period when we don't want to use the address + state->generation = -1; + } else { + assert(now >= rs->dead_since + retry_timeout); + // we allow to retry the server now + // TODO: perhaps tweak *rs? + } + } +} + +/** + * @internal Check if IP address is TLS capable. + * + * @p req has to have the selection_context properly initiazed. + */ +static void check_tls_capable(struct address_state *address_state, + struct kr_request *req, struct sockaddr *address) +{ + address_state->tls_capable = + req->selection_context.is_tls_capable ? + req->selection_context.is_tls_capable(address) : + false; +} + +#if 0 +/* TODO: uncomment these once we actually use the information it collects. */ +/** + * Check if there is a existing TCP connection to this address. + * + * @p req has to have the selection_context properly initiazed. + */ +void check_tcp_connections(struct address_state *address_state, struct kr_request *req, struct sockaddr *address) { + address_state->tcp_connected = req->selection_context.is_tcp_connected ? req->selection_context.is_tcp_connected(address) : false; + address_state->tcp_waiting = req->selection_context.is_tcp_waiting ? req->selection_context.is_tcp_waiting(address) : false; +} +#endif + +/** + * @internal Invalidate address if the respective IP version is disabled. + */ +static void check_network_settings(struct address_state *address_state, + size_t address_len, bool no_ipv4, bool no_ipv6) +{ + if (no_ipv4 && address_len == sizeof(struct in_addr)) { + address_state->generation = -1; + } + if (no_ipv6 && address_len == sizeof(struct in6_addr)) { + address_state->generation = -1; + } +} + +void update_address_state(struct address_state *state, union inaddr *address, + size_t address_len, struct kr_query *qry) +{ + check_tls_capable(state, qry->request, &address->ip); + /* TODO: uncomment this once we actually use the information it collects + check_tcp_connections(address_state, qry->request, &address->ip); + */ + check_network_settings(state, address_len, qry->flags.NO_IPV4, + qry->flags.NO_IPV6); + state->rtt_state = + get_rtt_state(ip_to_bytes(address, address_len), + address_len, &qry->request->ctx->cache); + invalidate_dead_upstream( + state, qry->request->ctx->cache_rtt_tout_retry_interval); +#ifdef SELECTION_CHOICE_LOGGING + // This is sometimes useful for debugging, but usually too verbose + WITH_VERBOSE(qry) + { + const char *ns_str = kr_straddr(&address->ip); + VERBOSE_MSG(qry, "rtt of %s is %d, variance is %d\n", ns_str, + state->rtt_state.srtt, state->rtt_state.variance); + } +#endif +} + +static int cmp_choices(const void *a, const void *b) +{ + const struct choice *a_ = a; + const struct choice *b_ = b; + + int diff; + /* Prefer IPv4 if IPv6 appears to be generally broken. */ + diff = (int)a_->address_len - (int)b_->address_len; + if (diff && no6_is_bad()) { + return diff; + } + /* Address with no RTT information is better than address + * with some information. */ + if ((diff = no_rtt_info(b_->address_state->rtt_state) - + no_rtt_info(a_->address_state->rtt_state))) { + return diff; + } + /* Address with less errors is better. */ + if ((diff = a_->address_state->error_count - + b_->address_state->error_count)) { + return diff; + } + /* Address with smaller expected timeout is better. */ + if ((diff = calc_timeout(a_->address_state->rtt_state) - + calc_timeout(b_->address_state->rtt_state))) { + return diff; + } + return 0; +} + +/* Fisher-Yates shuffle of the choices */ +static void shuffle_choices(struct choice choices[], int choices_len) +{ + struct choice tmp; + for (int i = choices_len - 1; i > 0; i--) { + int j = kr_rand_bytes(1) % (i + 1); + tmp = choices[i]; + choices[i] = choices[j]; + choices[j] = tmp; + } +} + +/* Performs the actual selection (currently variation on epsilon-greedy). */ +struct kr_transport *select_transport(struct choice choices[], int choices_len, + struct to_resolve unresolved[], + int unresolved_len, int timeouts, + struct knot_mm *mempool, bool tcp, + size_t *choice_index) +{ + if (!choices_len && !unresolved_len) { + /* There is nothing to choose from */ + return NULL; + } + + struct kr_transport *transport = mm_calloc(mempool, 1, sizeof(*transport)); + + /* Shuffle, so we choose fairly between choices with same attributes. */ + shuffle_choices(choices, choices_len); + /* If there are some addresses with no rtt_info we try them + * first (see cmp_choices). So unknown servers are chosen + * *before* the best know server. This ensures that every option + * is tried before going back to some that was tried before. */ + qsort(choices, choices_len, sizeof(struct choice), cmp_choices); + struct choice *best = &choices[0]; + struct choice *chosen; + + const bool explore = choices_len == 0 || kr_rand_coin(EPSILON_NOMIN, EPSILON_DENOM); + if (explore) { + /* "EXPLORE": + * randomly choose some option + * (including resolution of some new name). */ + int index = kr_rand_bytes(1) % (choices_len + unresolved_len); + if (index < unresolved_len) { + // We will resolve a new NS name + *transport = (struct kr_transport){ + .protocol = unresolved[index].type, + .ns_name = unresolved[index].name + }; + return transport; + } else { + chosen = &choices[index - unresolved_len]; + } + } else { + /* "EXPLOIT": + * choose a resolved address which seems best right now. */ + chosen = best; + if (no6_is_bad()) + VERBOSE_MSG(NULL, "NO6: is KO [exploit]\n"); + } + + /* Don't try the same server again when there are other choices to be explored */ + if (chosen->address_state->error_count && unresolved_len) { + int index = kr_rand_bytes(1) % unresolved_len; + *transport = (struct kr_transport){ + .ns_name = unresolved[index].name, + .protocol = unresolved[index].type, + }; + return transport; + } + + unsigned timeout; + if (no_rtt_info(chosen->address_state->rtt_state)) { + /* Exponential back-off when retrying after timeout and choosing + * an unknown server. */ + timeout = back_off_timeout(DEFAULT_TIMEOUT, timeouts); + } else { + timeout = calc_timeout(chosen->address_state->rtt_state); + if (explore) { + /* When trying a random server, we cap the timeout to EXPLORE_TIMEOUT_COEFFICIENT + * times the timeout for the best server. This is done so we don't spend + * unreasonable amounts of time probing really bad servers while still + * checking once in a while for e.g. big network change etc. + * We also note this capping was done and don't punish the bad server + * further if it fails to answer in the capped timeout. */ + unsigned best_timeout = calc_timeout(best->address_state->rtt_state); + if (timeout > best_timeout * EXPLORE_TIMEOUT_COEFFICIENT) { + timeout = best_timeout * EXPLORE_TIMEOUT_COEFFICIENT; + transport->timeout_capped = true; + } + } + } + + enum kr_transport_protocol protocol; + if (chosen->address_state->tls_capable) { + protocol = KR_TRANSPORT_TLS; + } else if (tcp || + chosen->address_state->errors[KR_SELECTION_QUERY_TIMEOUT] >= TCP_TIMEOUT_THRESHOLD || + timeout > TCP_RTT_THRESHOLD) { + protocol = KR_TRANSPORT_TCP; + } else { + protocol = KR_TRANSPORT_UDP; + } + + *transport = (struct kr_transport){ + .ns_name = chosen->address_state->ns_name, + .protocol = protocol, + .timeout = timeout, + }; + + int port = chosen->port; + if (!port) { + switch (transport->protocol) { + case KR_TRANSPORT_TLS: + port = KR_DNS_TLS_PORT; + break; + case KR_TRANSPORT_UDP: + case KR_TRANSPORT_TCP: + port = KR_DNS_PORT; + break; + default: + assert(0); + return NULL; + } + } + + switch (chosen->address_len) + { + case sizeof(struct in_addr): + transport->address.ip4 = chosen->address.ip4; + transport->address.ip4.sin_port = htons(port); + break; + case sizeof(struct in6_addr): + transport->address.ip6 = chosen->address.ip6; + transport->address.ip6.sin6_port = htons(port); + break; + default: + assert(0); + return NULL; + } + + transport->address_len = chosen->address_len; + + if (choice_index) { + *choice_index = chosen->address_state->choice_array_index; + } + + return transport; +} + +void update_rtt(struct kr_query *qry, struct address_state *addr_state, + const struct kr_transport *transport, unsigned rtt) +{ + if (!transport || !addr_state) { + /* Answers from cache have NULL transport, ignore them. */ + return; + } + + struct kr_cache *cache = &qry->request->ctx->cache; + + uint8_t *address = ip_to_bytes(&transport->address, transport->address_len); + /* This construct is a bit racy since the global state may change + * between calls to `get_rtt_state` and `put_rtt_state` but we don't + * care that much since it is rare and we only risk slightly suboptimal + * transport choice. */ + struct rtt_state cur_rtt_state = + get_rtt_state(address, transport->address_len, cache); + struct rtt_state new_rtt_state = calc_rtt_state(cur_rtt_state, rtt); + put_rtt_state(address, transport->address_len, new_rtt_state, cache); + + if (transport->address_len == sizeof(struct in6_addr)) + no6_success(qry); + + WITH_VERBOSE(qry) + { + KR_DNAME_GET_STR(ns_name, transport->ns_name); + KR_DNAME_GET_STR(zonecut_str, qry->zone_cut.name); + const char *ns_str = kr_straddr(&transport->address.ip); + + VERBOSE_MSG( + qry, + "=> id: '%05u' updating: '%s'@'%s' zone cut: '%s'" + " with rtt %u to srtt: %d and variance: %d \n", + qry->id, ns_name, ns_str ? ns_str : "", zonecut_str, + rtt, new_rtt_state.srtt, new_rtt_state.variance); + } +} + +static void cache_timeout(const struct kr_query *qry, const struct kr_transport *transport, + struct address_state *addr_state, struct kr_cache *cache) +{ + if (transport->deduplicated) { + /* Transport was chosen by a different query, that one will + * cache the result. */ + return; + } + + uint8_t *address = ip_to_bytes(&transport->address, transport->address_len); + if (transport->address_len == sizeof(struct in6_addr)) + no6_timeouted(qry, address); + + struct rtt_state old_state = addr_state->rtt_state; + struct rtt_state cur_state = + get_rtt_state(address, transport->address_len, cache); + + /* We could lose some update from some other process by doing this, + * but at least timeout count can't blow up. */ + if (cur_state.consecutive_timeouts == old_state.consecutive_timeouts) { + if (++cur_state.consecutive_timeouts >= + KR_NS_TIMEOUT_ROW_DEAD) { + cur_state.dead_since = kr_now(); + } + put_rtt_state(address, transport->address_len, cur_state, cache); + } else { + /* `get_rtt_state` opens a cache transaction, we have to end it. */ + kr_cache_commit(cache); + } +} + +void error(struct kr_query *qry, struct address_state *addr_state, + const struct kr_transport *transport, + enum kr_selection_error sel_error) +{ + if (!transport || !addr_state) { + /* Answers from cache have NULL transport, ignore them. */ + return; + } + + switch (sel_error) { + case KR_SELECTION_OK: + return; + case KR_SELECTION_TCP_CONNECT_FAILED: + case KR_SELECTION_TCP_CONNECT_TIMEOUT: + qry->server_selection.local_state->force_udp = true; + qry->flags.NO_0X20 = false; + /* Connection and handshake failures have properties similar + * to UDP timeouts, so we handle them (almost) the same way. */ + /* fall-through */ + case KR_SELECTION_TLS_HANDSHAKE_FAILED: + case KR_SELECTION_QUERY_TIMEOUT: + qry->server_selection.local_state->timeouts++; + /* Make sure that the query was chosen by this query and timeout wasn't capped + * (see kr_transport::timeout_capped for details). */ + if (!transport->deduplicated && !transport->timeout_capped) { + cache_timeout(qry, transport, addr_state, + &qry->request->ctx->cache); + } + break; + case KR_SELECTION_FORMERR: + if (qry->flags.NO_EDNS) { + addr_state->broken = true; + } else { + qry->flags.NO_EDNS = true; + } + break; + case KR_SELECTION_FORMERR_EDNS: + addr_state->broken = true; + break; + case KR_SELECTION_MISMATCHED: + if (qry->flags.NO_0X20 && qry->flags.TCP) { + addr_state->broken = true; + } else { + qry->flags.TCP = true; + qry->flags.NO_0X20 = true; + } + break; + case KR_SELECTION_TRUNCATED: + if (transport->protocol == KR_TRANSPORT_UDP) { + qry->server_selection.local_state->truncated = true; + /* TC=1 over UDP is not an error, so we compensate. */ + addr_state->error_count--; + } else { + addr_state->broken = true; + } + break; + case KR_SELECTION_REFUSED: + case KR_SELECTION_SERVFAIL: + if (qry->flags.NO_MINIMIZE && qry->flags.NO_0X20 && qry->flags.TCP) { + addr_state->broken = true; + } else if (qry->flags.NO_MINIMIZE) { + qry->flags.NO_0X20 = true; + qry->flags.TCP = true; + } else { + qry->flags.NO_MINIMIZE = true; + } + break; + case KR_SELECTION_LAME_DELEGATION: + if (qry->flags.NO_MINIMIZE) { + /* Lame delegations are weird, they breed more lame delegations on broken + * zones since trying another server from the same set usualy doesn't help. + * We force resolution of another NS name in hope of getting somewhere. */ + qry->server_selection.local_state->force_resolve = true; + addr_state->broken = true; + } else { + qry->flags.NO_MINIMIZE = true; + } + break; + case KR_SELECTION_NOTIMPL: + case KR_SELECTION_OTHER_RCODE: + case KR_SELECTION_DNSSEC_ERROR: + case KR_SELECTION_BAD_CNAME: + case KR_SELECTION_MALFORMED: + /* These errors are fatal, no point in trying this server again. */ + addr_state->broken = true; + break; + default: + assert(0); + break; + } + + addr_state->error_count++; + addr_state->errors[sel_error]++; + + WITH_VERBOSE(qry) + { + KR_DNAME_GET_STR(ns_name, transport->ns_name); + KR_DNAME_GET_STR(zonecut_str, qry->zone_cut.name); + const char *ns_str = kr_straddr(&transport->address.ip); + const char *err_str = kr_selection_error_str(sel_error); + + VERBOSE_MSG( + qry, + "=> id: '%05u' noting selection error: '%s'@'%s' zone cut: '%s' error: %d %s\n", + qry->id, ns_name, ns_str ? ns_str : "", zonecut_str, + sel_error, err_str ? err_str : "??"); + } +} + +void kr_server_selection_init(struct kr_query *qry) +{ + struct knot_mm *mempool = &qry->request->pool; + struct local_state *local_state = mm_calloc(mempool, 1, sizeof(*local_state)); + + if (qry->flags.FORWARD || qry->flags.STUB) { + qry->server_selection = (struct kr_server_selection){ + .initialized = true, + .choose_transport = forward_choose_transport, + .update_rtt = forward_update_rtt, + .error = forward_error, + .local_state = local_state, + }; + forward_local_state_alloc( + mempool, &qry->server_selection.local_state->private, + qry->request); + } else { + qry->server_selection = (struct kr_server_selection){ + .initialized = true, + .choose_transport = iter_choose_transport, + .update_rtt = iter_update_rtt, + .error = iter_error, + .local_state = local_state, + }; + iter_local_state_alloc( + mempool, &qry->server_selection.local_state->private); + } +} + +int kr_forward_add_target(struct kr_request *req, const struct sockaddr *sock) +{ + if (!req->selection_context.forwarding_targets.at) { + return kr_error(EINVAL); + } + + union inaddr address; + + switch (sock->sa_family) { + case AF_INET: + if (req->options.NO_IPV4) + return kr_error(EINVAL); + address.ip4 = *(const struct sockaddr_in *)sock; + break; + case AF_INET6: + if (req->options.NO_IPV6) + return kr_error(EINVAL); + address.ip6 = *(const struct sockaddr_in6 *)sock; + break; + default: + return kr_error(EINVAL); + } + + array_push_mm(req->selection_context.forwarding_targets, address, + kr_memreserve, &req->pool); + return kr_ok(); +} diff -Nru knot-resolver-5.2.1/lib/selection_forward.c knot-resolver-5.3.1/lib/selection_forward.c --- knot-resolver-5.2.1/lib/selection_forward.c 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/lib/selection_forward.c 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,129 @@ +/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +#include "lib/selection_forward.h" +#include "lib/resolve.h" + +#define VERBOSE_MSG(qry, ...) QRVERBOSE((qry), "slct", __VA_ARGS__) + +#define FORWARDING_TIMEOUT 2000 + +struct forward_local_state { + inaddr_array_t *targets; + struct address_state *addr_states; + /** Index of last choice in the targets array, used for error reporting. */ + size_t last_choice_index; +}; + +void forward_local_state_alloc(struct knot_mm *mm, void **local_state, + struct kr_request *req) +{ + assert(req->selection_context.forwarding_targets.at); + *local_state = mm_calloc(mm, 1, sizeof(struct forward_local_state)); + + struct forward_local_state *forward_state = *local_state; + forward_state->targets = &req->selection_context.forwarding_targets; + + forward_state->addr_states = mm_calloc(mm, forward_state->targets->len, + sizeof(struct address_state)); +} + +void forward_choose_transport(struct kr_query *qry, + struct kr_transport **transport) +{ + struct forward_local_state *local_state = + qry->server_selection.local_state->private; + struct choice choices[local_state->targets->len]; + int valid = 0; + + for (int i = 0; i < local_state->targets->len; i++) { + union inaddr *address = &local_state->targets->at[i]; + size_t addr_len; + uint16_t port; + switch (address->ip.sa_family) { + case AF_INET: + port = ntohs(address->ip4.sin_port); + addr_len = sizeof(struct in_addr); + break; + case AF_INET6: + port = ntohs(address->ip6.sin6_port); + addr_len = sizeof(struct in6_addr); + break; + default: + assert(0); + *transport = NULL; + return; + } + + struct address_state *addr_state = &local_state->addr_states[i]; + addr_state->ns_name = (knot_dname_t *)""; + + update_address_state(addr_state, address, addr_len, qry); + + if (addr_state->generation == -1) { + continue; + } + addr_state->choice_array_index = i; + + choices[valid++] = (struct choice){ + .address = *address, + .address_len = addr_len, + .address_state = addr_state, + .port = port, + }; + } + + bool tcp = qry->flags.TCP || qry->server_selection.local_state->truncated; + *transport = + select_transport(choices, valid, NULL, 0, + qry->server_selection.local_state->timeouts, + &qry->request->pool, tcp, + &local_state->last_choice_index); + if (*transport) { + /* Set static timeout for forwarding; there is no point in this + * being dynamic since the RTT of a packet to forwarding target + * says nothing about the network RTT of said target, since + * it is doing resolution upstream. */ + (*transport)->timeout = FORWARDING_TIMEOUT; + /* Try to avoid TCP in STUB case. It seems better for common use cases. */ + if (qry->flags.STUB && !tcp && (*transport)->protocol == KR_TRANSPORT_TCP) + (*transport)->protocol = KR_TRANSPORT_UDP; + /* We need to propagate this to flags since it's used in other + * parts of the resolver (e.g. logging and stats). */ + qry->flags.TCP = (*transport)->protocol == KR_TRANSPORT_TCP + || (*transport)->protocol == KR_TRANSPORT_TLS; + } +} + +void forward_error(struct kr_query *qry, const struct kr_transport *transport, + enum kr_selection_error sel_error) +{ + if (!qry->server_selection.initialized) { + return; + } + struct forward_local_state *local_state = + qry->server_selection.local_state->private; + struct address_state *addr_state = + &local_state->addr_states[local_state->last_choice_index]; + error(qry, addr_state, transport, sel_error); +} + +void forward_update_rtt(struct kr_query *qry, + const struct kr_transport *transport, unsigned rtt) +{ + if (!qry->server_selection.initialized) { + return; + } + + if (!transport) { + return; + } + + struct forward_local_state *local_state = + qry->server_selection.local_state->private; + struct address_state *addr_state = + &local_state->addr_states[local_state->last_choice_index]; + + update_rtt(qry, addr_state, transport, rtt); +} diff -Nru knot-resolver-5.2.1/lib/selection_forward.h knot-resolver-5.3.1/lib/selection_forward.h --- knot-resolver-5.2.1/lib/selection_forward.h 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/lib/selection_forward.h 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,17 @@ +/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +#pragma once + +#include "lib/selection.h" +#include "lib/resolve.h" + +void forward_local_state_alloc(struct knot_mm *mm, void **local_state, + struct kr_request *req); +void forward_choose_transport(struct kr_query *qry, + struct kr_transport **transport); +void forward_error(struct kr_query *qry, const struct kr_transport *transport, + enum kr_selection_error sel_error); +void forward_update_rtt(struct kr_query *qry, + const struct kr_transport *transport, unsigned rtt); \ No newline at end of file diff -Nru knot-resolver-5.2.1/lib/selection.h knot-resolver-5.3.1/lib/selection.h --- knot-resolver-5.2.1/lib/selection.h 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/lib/selection.h 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,259 @@ +/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +#pragma once + +/** + * @file selection.h + * Provides server selection API (see `kr_server_selection`) + * and functions common to both implementations. + */ + +#include "lib/cache/api.h" + +/* After KR_NS_TIMEOUT_ROW_DEAD consecutive timeouts, we consider the upstream IP dead for KR_NS_TIMEOUT_RETRY_INTERVAL ms */ +#define KR_NS_TIMEOUT_ROW_DEAD 4 +#define KR_NS_TIMEOUT_RETRY_INTERVAL 1000 + +/** + * These errors are to be reported as feedback to server selection. + * See `kr_server_selection::error` for more details. + */ +enum kr_selection_error { + KR_SELECTION_OK = 0, + + // Network errors + KR_SELECTION_QUERY_TIMEOUT, + KR_SELECTION_TLS_HANDSHAKE_FAILED, + KR_SELECTION_TCP_CONNECT_FAILED, + KR_SELECTION_TCP_CONNECT_TIMEOUT, + + // RCODEs + KR_SELECTION_REFUSED, + KR_SELECTION_SERVFAIL, + KR_SELECTION_FORMERR, /// inside an answer without an OPT record + KR_SELECTION_FORMERR_EDNS, /// with an OPT record + KR_SELECTION_NOTIMPL, + KR_SELECTION_OTHER_RCODE, + + // DNS errors + KR_SELECTION_MALFORMED, + /** Name or type mismatch. */ + KR_SELECTION_MISMATCHED, + KR_SELECTION_TRUNCATED, + KR_SELECTION_DNSSEC_ERROR, + KR_SELECTION_LAME_DELEGATION, + /** Too long chain, or a cycle. */ + KR_SELECTION_BAD_CNAME, + + /** Leave this last, as it is used as array size. */ + KR_SELECTION_NUMBER_OF_ERRORS +}; + +enum kr_transport_protocol { + /** Selected name with no IPv4 address, it has to be resolved first. */ + KR_TRANSPORT_RESOLVE_A, + /** Selected name with no IPv6 address, it has to be resolved first. */ + KR_TRANSPORT_RESOLVE_AAAA, + KR_TRANSPORT_UDP, + KR_TRANSPORT_TCP, + KR_TRANSPORT_TLS, +}; + +/** + * Output of the selection algorithm. + */ +struct kr_transport { + knot_dname_t *ns_name; /**< Set to "." for forwarding targets.*/ + union inaddr address; + size_t address_len; + enum kr_transport_protocol protocol; + unsigned timeout; /**< Timeout in ms to be set for UDP transmission. */ + /** Timeout was capped to a maximum value based on the other candidates + * when choosing this transport. The timeout therefore can be much lower + * than what we expect it to be. We basically probe the server for a sudden + * network change but we expect it to timeout in most cases. We have to keep + * this in mind when noting the timeout in cache. */ + bool timeout_capped; + /** True iff transport was set in worker.c:subreq_finalize, + * that means it may be different from the one originally chosen one.*/ + bool deduplicated; +}; + +struct local_state { + int timeouts; /**< Number of timeouts that occured resolving this query.*/ + bool truncated; /**< Query was truncated, switch to TCP. */ + /** Force resolution of a new NS name (if possible) + * Done by selection.c:error in some cases. */ + bool force_resolve; + /** Used to work around auths with broken TCP. */ + bool force_udp; + void *private; /**< Inner state of the implementation.*/ +}; + +/** + * Specifies a API for selecting transports and giving feedback on the choices. + * + * The function pointers are to be used throughout resolver when some information about + * the transport is obtained. E.g. RTT in `worker.c` or RCODE in `iterate.c`,… + */ +struct kr_server_selection { + bool initialized; + /** + * Puts a pointer to next transport of @p qry to @p transport . + * + * Allocates new kr_transport in request's mempool, chooses transport to be used for this query. + * Selection may fail, so @p transport can be set to NULL. + * + * @param transport to be filled with pointer to the chosen transport or NULL on failure + */ + void (*choose_transport)(struct kr_query *qry, + struct kr_transport **transport); + /** Report back the RTT of network operation for transport in ms. */ + void (*update_rtt)(struct kr_query *qry, + const struct kr_transport *transport, unsigned rtt); + /** Report back error encourtered with the chosen transport. See `enum kr_selection` */ + void (*error)(struct kr_query *qry, + const struct kr_transport *transport, + enum kr_selection_error error); + + struct local_state *local_state; +}; + +/** + * @brief Initialize the server selection API for @p qry. + * + * The implementation is to be chosen based on qry->flags. + */ +KR_EXPORT +void kr_server_selection_init(struct kr_query *qry); + +/** + * @brief Add forwarding target to request. + * + * This is exposed to Lua in order to add forwarding targets to request. + * These are then shared by all the queries in said request. + */ +KR_EXPORT +int kr_forward_add_target(struct kr_request *req, const struct sockaddr *sock); + + + + + +/* Below are internal parts shared by ./selection_{forward,iter}.c */ + +/** + * To be held per IP address in the global LMDB cache + */ +struct rtt_state { + int32_t srtt; /**< Smoothed RTT, i.e. an estimate of round-trip time. */ + int32_t variance; /**< An estimate of RTT's standard derivation (not variance). */ + /** Note: some TCP and TLS failures are also considered as timeouts. */ + int32_t consecutive_timeouts; + /** Timestamp of pronouncing this IP bad based on KR_NS_TIMEOUT_ROW_DEAD */ + uint64_t dead_since; +}; + +/** + * @brief To be held per IP address and locally "inside" query. + */ +struct address_state { + /** Used to distinguish old and valid records in local_state; -1 means unusable IP. */ + unsigned int generation; + struct rtt_state rtt_state; + knot_dname_t *ns_name; + bool tls_capable : 1; + /* TODO: uncomment these once we actually use this information in selection + bool tcp_waiting : 1; + bool tcp_connected : 1; + */ + int choice_array_index; + int error_count; + bool broken; + int errors[KR_SELECTION_NUMBER_OF_ERRORS]; +}; + +/** + * @brief Array of these is one of inputs for the actual selection algorithm (`select_transport`) + */ +struct choice { + union inaddr address; + size_t address_len; + struct address_state *address_state; + /** used to overwrite the port number; + * if zero, `select_transport` determines it. */ + uint16_t port; +}; + +/** + * @brief Array of these is description of names to be resolved (i.e. name without some address) + */ +struct to_resolve { + knot_dname_t *name; + /** Either KR_TRANSPORT_RESOLVE_A or KR_TRANSPORT_RESOLVE_AAAA is valid here. */ + enum kr_transport_protocol type; +}; + +/** + * @brief Based on passed choices, choose the next transport. + * + * Common function to both implementations (iteration and forwarding). + * The `*_choose_transport` functions from `selection_*.h` preprocess the input for this one. + * + * @param choices Options to choose from, see struct above + * @param unresolved Array of names that can be resolved (i.e. no A/AAAA record) + * @param timeouts Number of timeouts that occured in this query (used for exponential backoff) + * @param mempool Memory context of current request + * @param tcp Force TCP as transport protocol + * @param[out] choice_index Optionally index of the chosen transport in the @p choices array. + * @return Chosen transport (on mempool) or NULL when no choice is viable + */ +struct kr_transport *select_transport(struct choice choices[], int choices_len, + struct to_resolve unresolved[], + int unresolved_len, int timeouts, + struct knot_mm *mempool, bool tcp, + size_t *choice_index); + +/** + * Common part of RTT feedback mechanism. Notes RTT to global cache. + */ +void update_rtt(struct kr_query *qry, struct address_state *addr_state, + const struct kr_transport *transport, unsigned rtt); + +/** + * Common part of error feedback mechanism. + */ +void error(struct kr_query *qry, struct address_state *addr_state, + const struct kr_transport *transport, + enum kr_selection_error sel_error); + +/** + * Get RTT state from cache. Returns `default_rtt_state` on unknown addresses. + * + * Note that this opens a cache transaction which is usually closed by calling + * `put_rtt_state`, i.e. callee is responsible for its closing + * (e.g. calling kr_cache_commit). + */ +struct rtt_state get_rtt_state(const uint8_t *ip, size_t len, + struct kr_cache *cache); + +int put_rtt_state(const uint8_t *ip, size_t len, struct rtt_state state, + struct kr_cache *cache); + +/** + * @internal Helper function for conversion between different IP representations. + */ +void bytes_to_ip(uint8_t *bytes, size_t len, uint16_t port, union inaddr *dst); + +/** + * @internal Helper function for conversion between different IP representations. + */ +uint8_t *ip_to_bytes(const union inaddr *src, size_t len); + +/** + * @internal Fetch per-address information from various sources. + */ +void update_address_state(struct address_state *state, union inaddr *address, + size_t address_len, struct kr_query *qry); diff -Nru knot-resolver-5.2.1/lib/selection_iter.c knot-resolver-5.3.1/lib/selection_iter.c --- knot-resolver-5.2.1/lib/selection_iter.c 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/lib/selection_iter.c 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,358 @@ +/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +#include "lib/selection_iter.h" +#include "lib/selection.h" + +#include "lib/generic/trie.h" +#include "lib/generic/pack.h" +#include "lib/zonecut.h" +#include "lib/resolve.h" + +#define VERBOSE_MSG(qry, ...) QRVERBOSE((qry), "slct", __VA_ARGS__) + +/// To be held per query and locally. Allocations are in the kr_request's mempool. +struct iter_local_state { + trie_t *names; /// knot_dname_t -> struct iter_name_state * + trie_t *addresses; /// IP address -> struct address_state * + knot_dname_t *zonecut; + /** Used to distinguish old and valid records in tries. */ + unsigned int generation; + enum kr_selection_error last_error; + unsigned int no_ns_addr_count; +}; + +enum record_state { RECORD_UNKNOWN, RECORD_RESOLVED, RECORD_TRIED }; + +// To be held per NS name and locally +struct iter_name_state { + unsigned int generation; + enum record_state a_state; + enum record_state aaaa_state; +}; + +void iter_local_state_alloc(struct knot_mm *mm, void **local_state) +{ + *local_state = mm_calloc(mm, 1, sizeof(struct iter_local_state)); +} + +static struct address_state *get_address_state(struct iter_local_state *local_state, + const struct kr_transport *transport) +{ + if (!transport) { + return NULL; + } + + uint8_t *address = ip_to_bytes(&transport->address, transport->address_len); + trie_val_t *address_state = trie_get_try(local_state->addresses, (char *)address, + transport->address_len); + if (!address_state) { + assert(transport->deduplicated); + /* Transport was chosen by a different query. */ + return NULL; + } + return *address_state; +} + +static void unpack_state_from_zonecut(struct iter_local_state *local_state, + struct kr_query *qry) +{ + struct kr_zonecut *zonecut = &qry->zone_cut; + struct knot_mm *mm = &qry->request->pool; + + bool zcut_changed = false; + if (local_state->names == NULL || local_state->addresses == NULL) { + /* Local state initialization. */ + memset(local_state, 0, sizeof(struct iter_local_state)); + local_state->names = trie_create(mm); + local_state->addresses = trie_create(mm); + } else { + zcut_changed = !knot_dname_is_equal(zonecut->name, local_state->zonecut); + } + local_state->zonecut = zonecut->name; + local_state->generation++; + + if (zcut_changed) { + local_state->no_ns_addr_count = 0; + } + + trie_it_t *it; + const unsigned int current_generation = local_state->generation; + + for (it = trie_it_begin(zonecut->nsset); !trie_it_finished(it); trie_it_next(it)) { + knot_dname_t *dname = (knot_dname_t *)trie_it_key(it, NULL); + pack_t *addresses = *trie_it_val(it); + + trie_val_t *val = trie_get_ins(local_state->names, (char *)dname, + knot_dname_size(dname)); + if (!*val) { + /* We encountered this name for the first time. */ + *val = mm_calloc(mm, 1, sizeof(struct iter_name_state)); + } + struct iter_name_state *name_state = *val; + name_state->generation = current_generation; + + if (zcut_changed) { + /* Set name as unresolved as they might have fallen out + * of cache (TTL expired). */ + name_state->a_state = RECORD_UNKNOWN; + name_state->aaaa_state = RECORD_UNKNOWN; + } + + /* Iterate over all addresses of this NS (if any). */ + for (uint8_t *obj = pack_head(*addresses); obj != pack_tail(*addresses); + obj = pack_obj_next(obj)) { + uint8_t *address = pack_obj_val(obj); + size_t address_len = pack_obj_len(obj); + trie_val_t *tval = trie_get_ins(local_state->addresses, + (char *)address, + address_len); + if (!*tval) { + /* We have have not seen this address before. */ + *tval = mm_calloc(mm, 1, sizeof(struct address_state)); + } + struct address_state *address_state = *tval; + address_state->generation = current_generation; + address_state->ns_name = dname; + + if (address_len == sizeof(struct in_addr)) { + name_state->a_state = RECORD_RESOLVED; + } else if (address_len == sizeof(struct in6_addr)) { + name_state->aaaa_state = RECORD_RESOLVED; + } + union inaddr tmp_address; + bytes_to_ip(address, address_len, 0, &tmp_address); + update_address_state(address_state, &tmp_address, address_len, qry); + } + } + trie_it_free(it); +} + +static int get_valid_addresses(struct iter_local_state *local_state, + struct choice choices[]) +{ + unsigned count = 0; + trie_it_t *it; + for (it = trie_it_begin(local_state->addresses); !trie_it_finished(it); + trie_it_next(it)) { + size_t address_len; + uint8_t *address = (uint8_t *)trie_it_key(it, &address_len); + struct address_state *address_state = *trie_it_val(it); + if (address_state->generation == local_state->generation && + !address_state->broken) { + choices[count] = (struct choice){ + .address_len = address_len, + .address_state = address_state, + }; + bytes_to_ip(address, address_len, 0, &choices[count].address); + count++; + } + } + trie_it_free(it); + return count; +} + +static int get_resolvable_names(struct iter_local_state *local_state, + struct to_resolve resolvable[], struct kr_query *qry) +{ + /* Further resolution is not possible until we get `. DNSKEY` record; + * we have to choose one of the known addresses here. */ + if (qry->sname[0] == '\0' && qry->stype == KNOT_RRTYPE_DNSKEY) { + return 0; + } + + unsigned count = 0; + trie_it_t *it; + for (it = trie_it_begin(local_state->names); !trie_it_finished(it); + trie_it_next(it)) { + struct iter_name_state *name_state = *trie_it_val(it); + if (name_state->generation != local_state->generation) + continue; + + knot_dname_t *name = (knot_dname_t *)trie_it_key(it, NULL); + if (qry->stype == KNOT_RRTYPE_DNSKEY && + knot_dname_in_bailiwick(name, qry->sname) > 0) { + /* Resolving `domain. DNSKEY` can't trigger the + * resolution of `sub.domain. A/AAAA` since it + * will cause a cycle. */ + continue; + } + + /* FIXME: kr_rplan_satisfies(qry,…) should have been here, but this leads to failures on + * iter_ns_badip.rpl, this is because the test requires the resolver to switch to parent + * side after a record in cache expires. Only way to do this in the current zonecut setup is + * to requery the same query twice in the row. So we have to allow that and only check the + * rplan from parent upwards. + */ + bool a_in_rplan = kr_rplan_satisfies(qry->parent, name, + KNOT_CLASS_IN, KNOT_RRTYPE_A); + bool aaaa_in_rplan = kr_rplan_satisfies(qry->parent, name, + KNOT_CLASS_IN, KNOT_RRTYPE_AAAA); + + if (name_state->a_state == RECORD_UNKNOWN && + !qry->flags.NO_IPV4 && !a_in_rplan) { + resolvable[count++] = (struct to_resolve){ + name, KR_TRANSPORT_RESOLVE_A + }; + } + + if (name_state->aaaa_state == RECORD_UNKNOWN && + !qry->flags.NO_IPV6 && !aaaa_in_rplan) { + resolvable[count++] = (struct to_resolve){ + name, KR_TRANSPORT_RESOLVE_AAAA + }; + } + } + trie_it_free(it); + return count; +} + +static void update_name_state(knot_dname_t *name, enum kr_transport_protocol type, + trie_t *names) +{ + size_t name_len = knot_dname_size(name); + trie_val_t *val = trie_get_try(names, (char *)name, name_len); + + if (!val) { + return; + } + + struct iter_name_state *name_state = (struct iter_name_state *)*val; + switch (type) { + case KR_TRANSPORT_RESOLVE_A: + name_state->a_state = RECORD_TRIED; + break; + case KR_TRANSPORT_RESOLVE_AAAA: + name_state->aaaa_state = RECORD_TRIED; + break; + default: + assert(0); + } +} + +void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport) +{ + struct knot_mm *mempool = &qry->request->pool; + struct iter_local_state *local_state = + (struct iter_local_state *) + qry->server_selection.local_state->private; + + unpack_state_from_zonecut(local_state, qry); + + struct choice choices[trie_weight(local_state->addresses)]; + /* We may try to resolve A and AAAA record for each name, so therefore + * 2*trie_weight(…) is here. */ + struct to_resolve resolvable[2 * trie_weight(local_state->names)]; + + // Filter valid addresses and names from the tries + int choices_len = get_valid_addresses(local_state, choices); + int resolvable_len = get_resolvable_names(local_state, resolvable, qry); + + if (qry->server_selection.local_state->force_resolve && resolvable_len) { + choices_len = 0; + qry->server_selection.local_state->force_resolve = false; + } + + bool tcp = qry->flags.TCP || qry->server_selection.local_state->truncated; + *transport = select_transport(choices, choices_len, resolvable, resolvable_len, + qry->server_selection.local_state->timeouts, + mempool, tcp, NULL); + bool nxnsattack_mitigation = false; + + if (*transport) { + switch ((*transport)->protocol) { + case KR_TRANSPORT_RESOLVE_A: + case KR_TRANSPORT_RESOLVE_AAAA: + if (++local_state->no_ns_addr_count > KR_COUNT_NO_NSADDR_LIMIT) { + *transport = NULL; + nxnsattack_mitigation = true; + break; + } + /* Note that we tried resolving this name to not try it again. */ + update_name_state((*transport)->ns_name, (*transport)->protocol, local_state->names); + break; + case KR_TRANSPORT_TLS: + case KR_TRANSPORT_TCP: + /* We need to propagate this to flags since it's used in + * other parts of the resolver. */ + qry->flags.TCP = true; + case KR_TRANSPORT_UDP: /* fall through */ + local_state->no_ns_addr_count = 0; + break; + default: + assert(0); + break; + } + + if (*transport && + (*transport)->protocol == KR_TRANSPORT_TCP && + !qry->server_selection.local_state->truncated && + qry->server_selection.local_state->force_udp) { + // Last chance on broken TCP. + (*transport)->protocol = KR_TRANSPORT_UDP; + qry->flags.TCP = false; + } + } + + if (*transport == NULL && local_state->last_error == KR_SELECTION_DNSSEC_ERROR) { + /* Last selected server had broken DNSSEC and now we have no more + * servers to ask. We signal this to the rest of resolver by + * setting DNSSEC_BOGUS flag. */ + qry->flags.DNSSEC_BOGUS = true; + } + + WITH_VERBOSE(qry) + { + KR_DNAME_GET_STR(zonecut_str, qry->zone_cut.name); + if (*transport) { + KR_DNAME_GET_STR(ns_name, (*transport)->ns_name); + const enum kr_transport_protocol proto = *transport ? (*transport)->protocol : -1; + const char *ns_str = kr_straddr(&(*transport)->address.ip); + const char *ip_version; + switch (proto) + { + case KR_TRANSPORT_RESOLVE_A: + case KR_TRANSPORT_RESOLVE_AAAA: + ip_version = (proto == KR_TRANSPORT_RESOLVE_A) ? "A" : "AAAA"; + VERBOSE_MSG(qry, "=> id: '%05u' choosing to resolve %s: '%s' zone cut: '%s'\n", + qry->id, ip_version, ns_name, zonecut_str); + break; + default: + VERBOSE_MSG(qry, "=> id: '%05u' choosing: '%s'@'%s'" + " with timeout %u ms zone cut: '%s'\n", + qry->id, ns_name, ns_str ? ns_str : "", + (*transport)->timeout, zonecut_str); + break; + } + } else { + const char *nxns_msg = nxnsattack_mitigation + ? " (stopped due to mitigation for NXNSAttack CVE-2020-12667)" : ""; + VERBOSE_MSG(qry, "=> id: '%05u' no suitable transport, zone cut: '%s'%s\n", + qry->id, zonecut_str, nxns_msg ); + } + } +} + +void iter_error(struct kr_query *qry, const struct kr_transport *transport, + enum kr_selection_error sel_error) +{ + if (!qry->server_selection.initialized) { + return; + } + struct iter_local_state *local_state = qry->server_selection.local_state->private; + struct address_state *addr_state = get_address_state(local_state, transport); + local_state->last_error = sel_error; + error(qry, addr_state, transport, sel_error); +} + +void iter_update_rtt(struct kr_query *qry, const struct kr_transport *transport, + unsigned rtt) +{ + if (!qry->server_selection.initialized) { + return; + } + struct iter_local_state *local_state = qry->server_selection.local_state->private; + struct address_state *addr_state = get_address_state(local_state, transport); + update_rtt(qry, addr_state, transport, rtt); +} diff -Nru knot-resolver-5.2.1/lib/selection_iter.h knot-resolver-5.3.1/lib/selection_iter.h --- knot-resolver-5.2.1/lib/selection_iter.h 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/lib/selection_iter.h 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,14 @@ +/* Copyright (C) 2014-2020 CZ.NIC, z.s.p.o. + * SPDX-License-Identifier: GPL-3.0-or-later + */ + +#pragma once + +#include "lib/selection.h" + +void iter_local_state_alloc(struct knot_mm *mm, void **local_state); +void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport); +void iter_error(struct kr_query *qry, const struct kr_transport *transport, + enum kr_selection_error sel_error); +void iter_update_rtt(struct kr_query *qry, const struct kr_transport *transport, + unsigned rtt); diff -Nru knot-resolver-5.2.1/lib/utils.c knot-resolver-5.3.1/lib/utils.c --- knot-resolver-5.2.1/lib/utils.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/utils.c 2021-03-31 15:15:36.000000000 +0000 @@ -11,7 +11,7 @@ #include "lib/defines.h" #include "lib/generic/array.h" #include "lib/module.h" -#include "lib/nsrep.h" +#include "lib/selection.h" #include "lib/resolve.h" #include @@ -39,43 +39,6 @@ /* Logging & debugging */ bool kr_verbose_status = false; -void *mm_realloc(knot_mm_t *mm, void *what, size_t size, size_t prev_size) -{ - if (mm) { - void *p = mm->alloc(mm->ctx, size); - if (p == NULL) { - return NULL; - } else { - if (what) { - memcpy(p, what, - prev_size < size ? prev_size : size); - } - mm_free(mm, what); - return p; - } - } else { - return realloc(what, size); - } -} - -void *mm_malloc(void *ctx, size_t n) -{ - (void)ctx; - return malloc(n); -} -void *mm_malloc_aligned(void *ctx, size_t n) -{ - size_t alignment = (size_t)ctx; - void *res; - int err = posix_memalign(&res, alignment, n); - if (err == 0) { - return res; - } else { - assert(err == -1 && errno == ENOMEM); - return NULL; - } -} - /* * Macros. */ @@ -536,7 +499,7 @@ } /* Parse address */ int ret = inet_pton(family, addr_str, dst); - if (ret < 0) { + if (ret != 1) { return kr_error(EILSEQ); } @@ -577,7 +540,7 @@ struct sockaddr_storage ss; int family = kr_straddr_family(addr); - if (family == kr_error(EINVAL) || !inet_pton(family, addr, &ss)) { + if (family == kr_error(EINVAL) || inet_pton(family, addr, &ss) != 1) { return kr_error(EINVAL); } @@ -789,11 +752,10 @@ return kr_error(ret); } - ranked_rr_array_entry_t *entry = mm_alloc(pool, sizeof(ranked_rr_array_entry_t)); + ranked_rr_array_entry_t *entry = mm_calloc(pool, 1, sizeof(*entry)); if (!entry) { return kr_error(ENOMEM); } - memset(entry, 0, sizeof(*entry)); /* default all to zeros */ knot_rrset_t *rr_new = knot_rrset_new(rr->owner, rr->type, rr->rclass, rr->ttl, pool); if (!rr_new) { @@ -862,19 +824,16 @@ } } /* Prepare rdataset, except rdata contents. */ - int size_sum = 0; + knot_rdataset_t *rds = &stashed->rr->rrs; + rds->size = 0; for (int i = 0; i < ra->len; ++i) { if (ra->at[i]) { - size_sum += knot_rdata_size(ra->at[i]->len); + rds->size += knot_rdata_size(ra->at[i]->len); } } - knot_rdataset_t *rds = &stashed->rr->rrs; rds->count = ra->len - dup_count; - #if KNOT_VERSION_HEX >= 0x020900 - rds->size = size_sum; - #endif - if (size_sum) { - rds->rdata = mm_alloc(pool, size_sum); + if (rds->size) { + rds->rdata = mm_alloc(pool, rds->size); if (!rds->rdata) { return kr_error(ENOMEM); } @@ -884,13 +843,13 @@ /* Everything is ready; now just copy all the rdata. */ uint8_t *raw_it = (uint8_t *)rds->rdata; for (int i = 0; i < ra->len; ++i) { - if (ra->at[i] && size_sum/*linters*/) { + if (ra->at[i] && rds->size/*linters*/) { const int size = knot_rdata_size(ra->at[i]->len); memcpy(raw_it, ra->at[i], size); raw_it += size; } } - assert(raw_it == (uint8_t *)rds->rdata + size_sum); + assert(raw_it == (uint8_t *)rds->rdata + rds->size); } stashed->in_progress = false; } diff -Nru knot-resolver-5.2.1/lib/utils.h knot-resolver-5.3.1/lib/utils.h --- knot-resolver-5.2.1/lib/utils.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/utils.h 2021-03-31 15:15:36.000000000 +0000 @@ -23,8 +23,9 @@ #include #include "kresconfig.h" -#include "lib/generic/array.h" +#include "contrib/mempattern.h" #include "lib/defines.h" +#include "lib/generic/array.h" struct kr_query; struct kr_request; @@ -110,59 +111,8 @@ #define static_assert(cond, msg) #endif -/** @cond Memory alloc routines */ - -/** Readability: avoid const-casts in code. */ -static inline void free_const(const void *what) -{ - free((void *)what); -} - -static inline void *mm_alloc(knot_mm_t *mm, size_t size) -{ - if (mm) return mm->alloc(mm->ctx, size); - else return malloc(size); -} -static inline void mm_free(knot_mm_t *mm, const void *what) -{ - if (mm) { - if (mm->free) - mm->free((void *)what); - } - else free_const(what); -} - -/** Realloc implementation using memory context. */ -KR_EXPORT -void *mm_realloc(knot_mm_t *mm, void *what, size_t size, size_t prev_size); - -/** Trivial malloc() wrapper. */ -void *mm_malloc(void *ctx, size_t n); -/** posix_memalign() wrapper. */ -void *mm_malloc_aligned(void *ctx, size_t n); - -/** Initialize mm with standard malloc+free. */ -static inline void mm_ctx_init(knot_mm_t *mm) -{ - mm->ctx = NULL; - mm->alloc = mm_malloc; - mm->free = free; -} - -/** Initialize mm with malloc+free with higher alignment (a power of two). */ -static inline void mm_ctx_init_aligned(knot_mm_t *mm, size_t alignment) -{ - assert(__builtin_popcount(alignment) == 1); - mm->ctx = (uint8_t *)NULL + alignment; /*< roundabout to satisfy linters */ - /* posix_memalign() doesn't allow alignment < sizeof(void*), - * and there's no point in using it for small values anyway, - * as plain malloc() guarantees at least max_align_t. - * Nitpick: we might use that type when assuming C11. */ - mm->alloc = alignment > sizeof(void*) ? mm_malloc_aligned : mm_malloc; - mm->free = free; -} - -/* @endcond */ +// Use this for alocations with mm. +// Use mm_alloc for alocations into mempool /** A strcmp() variant directly usable for qsort() on an array of strings. */ static inline int strcmp_p(const void *p1, const void *p2) diff -Nru knot-resolver-5.2.1/lib/zonecut.c knot-resolver-5.3.1/lib/zonecut.c --- knot-resolver-5.2.1/lib/zonecut.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/zonecut.c 2021-03-31 15:15:36.000000000 +0000 @@ -322,7 +322,7 @@ /* Reserve memory in *addrs. Implementation detail: * pack_t cares for lengths, so we don't store those in the data. */ - const size_t pack_extra_size = knot_rdataset_size(&cached_rr.rrs) + const size_t pack_extra_size = cached_rr.rrs.size - cached_rr.rrs.count * offsetof(knot_rdata_t, len); int ret = pack_reserve_mm(*addrs, cached_rr.rrs.count, pack_extra_size, kr_memreserve, mm_pool); @@ -337,17 +337,8 @@ (int)rd->len, (int)rrtype); continue; } - /* Check RTT cache - whether the IP is usable or not. */ - kr_nsrep_rtt_lru_entry_t *rtt_e = ctx->cache_rtt - ? lru_get_try(ctx->cache_rtt, (const char *)rd->data, rd->len) - : NULL; - const bool unusable = rtt_e && rtt_e->score >= KR_NS_TIMEOUT - && qry->creation_time_mono - < rtt_e->tout_timestamp + ctx->cache_rtt_tout_retry_interval; - if (!unusable) { - result = AI_OK; - ++usable_cnt; - } + result = AI_OK; + ++usable_cnt; ret = pack_obj_push(addrs, rd->data, rd->len); assert(!ret); /* didn't fit because of incorrectly reserved memory */ @@ -413,16 +404,10 @@ pack_init(**pack); addrset_info_t infos[2]; + /* Fetch NS reputation and decide whether to prefetch A/AAAA records. */ - unsigned *cached = lru_get_try(ctx->cache_rep, - (const char *)ns_name, ns_size); - unsigned reputation = (cached) ? *cached : 0; - infos[0] = (reputation & KR_NS_NOIP4) || qry->flags.NO_IPV4 - ? AI_REPUT - : fetch_addr(*pack, ns_name, KNOT_RRTYPE_A, cut->pool, qry); - infos[1] = (reputation & KR_NS_NOIP6) || qry->flags.NO_IPV6 - ? AI_REPUT - : fetch_addr(*pack, ns_name, KNOT_RRTYPE_AAAA, cut->pool, qry); + infos[0] = fetch_addr(*pack, ns_name, KNOT_RRTYPE_A, cut->pool, qry); + infos[1] = fetch_addr(*pack, ns_name, KNOT_RRTYPE_AAAA, cut->pool, qry); #if 0 /* rather unlikely to be useful unless changing some zcut code */ WITH_VERBOSE(qry) { diff -Nru knot-resolver-5.2.1/lib/zonecut.h knot-resolver-5.3.1/lib/zonecut.h --- knot-resolver-5.2.1/lib/zonecut.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/lib/zonecut.h 2021-03-31 15:15:36.000000000 +0000 @@ -10,14 +10,6 @@ #include "lib/generic/trie.h" -/* TMP: compatibility for using libknot 2.8 API with 2.9. */ -#if KNOT_VERSION_HEX >= 0x020900 -static inline size_t knot_rdataset_size(const knot_rdataset_t *rrs) -{ - return rrs->size; -} -#endif - struct kr_rplan; struct kr_context; @@ -127,7 +119,7 @@ * * @note This can be used for membership test, a non-null pack is returned * if the nameserver name exists. - * + * * @param cut * @param ns name server name * @return pack of addresses or NULL diff -Nru knot-resolver-5.2.1/.mailmap knot-resolver-5.3.1/.mailmap --- knot-resolver-5.2.1/.mailmap 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/.mailmap 2021-03-31 15:15:36.000000000 +0000 @@ -32,6 +32,7 @@ Ondřej Surý Paul Hoffman Paul Hoffman +Pavel Doležal Pavel Valach Petr Špaček rickhg12hs diff -Nru knot-resolver-5.2.1/meson.build knot-resolver-5.3.1/meson.build --- knot-resolver-5.2.1/meson.build 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/meson.build 2021-03-31 15:15:36.000000000 +0000 @@ -4,7 +4,7 @@ 'knot-resolver', ['c', 'cpp'], license: 'GPLv3+', - version: '5.2.1', + version: '5.3.1', default_options: ['c_std=gnu11', 'b_ndebug=if-release'], meson_version: '>=0.49', ) @@ -18,7 +18,7 @@ message('--- required dependencies ---') -knot_version = '>=2.8' +knot_version = '>=2.9' libknot = dependency('libknot', version: knot_version) libdnssec = dependency('libdnssec', version: knot_version) libzscanner = dependency('libzscanner', version: knot_version) diff -Nru knot-resolver-5.2.1/modules/bogus_log/bogus_log.c knot-resolver-5.3.1/modules/bogus_log/bogus_log.c --- knot-resolver-5.2.1/modules/bogus_log/bogus_log.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/bogus_log/bogus_log.c 2021-03-31 15:15:36.000000000 +0000 @@ -112,11 +112,10 @@ }; module->props = props; - struct stat_data *data = malloc(sizeof(*data)); + struct stat_data *data = calloc(1, sizeof(*data)); if (!data) { return kr_error(ENOMEM); } - memset(data, 0, sizeof(*data)); module->data = data; lru_create(&data->frequent, FREQUENT_COUNT, NULL, NULL); return kr_ok(); diff -Nru knot-resolver-5.2.1/modules/daf/daf.lua knot-resolver-5.3.1/modules/daf/daf.lua --- knot-resolver-5.2.1/modules/daf/daf.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/daf/daf.lua 2021-03-31 15:15:36.000000000 +0000 @@ -194,6 +194,15 @@ return nil end +-- @function Remove all rules +function M.clear() + for _, r in ipairs(M.rules) do + policy.del(r.rule.id) + end + M.rules = {} + return true +end + -- @function Find a rule function M.get(id) for _, r in ipairs(M.rules) do diff -Nru knot-resolver-5.2.1/modules/daf/README.rst knot-resolver-5.3.1/modules/daf/README.rst --- knot-resolver-5.2.1/modules/daf/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/daf/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -55,6 +55,9 @@ -- Delete a rule daf.del(2) + -- Delete all rules and start from scratch + daf.clear() + .. warning:: Only the first matching rule's action is executed. Defining additional actions for the same matching rule, e.g. ``src = 127.0.0.1/8``, will have no effect. diff -Nru knot-resolver-5.2.1/modules/dns64/README.rst knot-resolver-5.3.1/modules/dns64/README.rst --- knot-resolver-5.2.1/modules/dns64/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/dns64/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -8,7 +8,7 @@ The module for :rfc:`6147` DNS64 AAAA-from-A record synthesis, it is used to enable client-server communication between an IPv6-only client and an IPv4-only server. See the well written `introduction`_ in the PowerDNS documentation. If no address is passed (i.e. ``nil``), the well-known prefix ``64:ff9b::`` is used. -.. warning:: The module currently won't work well with :ref:`policy.STUB `. +.. warning:: The module currently won't work well with :func:`policy.STUB`. Also, the IPv6 passed in configuration is assumed to be ``/96``, and PTR synthesis and "exclusion prefixes" aren't implemented. diff -Nru knot-resolver-5.2.1/modules/dnstap/dnstap.c knot-resolver-5.3.1/modules/dnstap/dnstap.c --- knot-resolver-5.2.1/modules/dnstap/dnstap.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/dnstap/dnstap.c 2021-03-31 15:15:36.000000000 +0000 @@ -16,6 +16,10 @@ #define DEBUG_MSG(fmt, ...) kr_log_verbose("[dnstap] " fmt, ##__VA_ARGS__); #define CFG_SOCK_PATH "socket_path" +#define CFG_IDENTITY_STRING "identity" +#define CFG_VERSION_STRING "version" +#define CFG_LOG_CLIENT_PKT "client" +#define CFG_LOG_QR_PKT "log_queries" #define CFG_LOG_RESP_PKT "log_responses" #define DEFAULT_SOCK_PATH "/tmp/dnstap.sock" #define DNSTAP_CONTENT_TYPE "protobuf:dnstap.Dnstap" @@ -24,8 +28,22 @@ #define auto_destroy_uopts __attribute__((cleanup(fstrm_unix_writer_options_destroy))) #define auto_destroy_wopts __attribute__((cleanup(fstrm_writer_options_destroy))) +/* + * Internal processing phase + * Distinguishes whether query or response should be processed + */ +enum dnstap_log_phase { + CLIENT_QUERY_PHASE = 0, + CLIENT_RESPONSE_PHASE, +}; + /* Internal data structure */ struct dnstap_data { + char *identity; + size_t identity_len; + char *version; + size_t version_len; + bool log_qr_pkt; bool log_resp_pkt; struct fstrm_iothr *iothread; struct fstrm_iothr_queue *ioq; @@ -75,31 +93,32 @@ *has_port = true; } -/* dnstap_log prepares dnstap message and sent it to fstrm */ -static int dnstap_log(kr_layer_t *ctx) { +/* dnstap_log prepares dnstap message and sends it to fstrm + * + * Return codes are kr_error(E*) and unused for now. + */ +static int dnstap_log(kr_layer_t *ctx, enum dnstap_log_phase phase) { const struct kr_request *req = ctx->req; const struct kr_module *module = ctx->api->data; const struct kr_rplan *rplan = &req->rplan; const struct dnstap_data *dnstap_dt = module->data; + if (!req->qsource.addr) { + return kr_ok(); + } + /* check if we have a valid iothread */ if (!dnstap_dt->iothread || !dnstap_dt->ioq) { DEBUG_MSG("dnstap_dt->iothread or dnstap_dt->ioq is NULL\n"); return kr_error(EFAULT); } - /* current time */ - struct timeval now; - gettimeofday(&now, NULL); - /* Create dnstap message */ Dnstap__Message m; memset(&m, 0, sizeof(m)); m.base.descriptor = &dnstap__message__descriptor; - /* Only handling response */ - m.type = DNSTAP__MESSAGE__TYPE__RESOLVER_RESPONSE; if (req->qsource.addr) { set_address(req->qsource.addr, @@ -110,7 +129,11 @@ } if (req->qsource.dst_addr) { - if (req->qsource.flags.tcp) { + if (req->qsource.flags.http) { + m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__DOH; + } else if (req->qsource.flags.tls) { + m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__DOT; + } else if (req->qsource.flags.tcp) { m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__TCP; } else { m.socket_protocol = DNSTAP__SOCKET_PROTOCOL__UDP; @@ -134,51 +157,66 @@ } } - if (dnstap_dt->log_resp_pkt) { - const knot_pkt_t *rpkt = req->answer; - m.has_response_message = rpkt != NULL; - if (rpkt != NULL) { - m.response_message.len = rpkt->size; - m.response_message.data = (uint8_t *)rpkt->wire; + if (phase == CLIENT_QUERY_PHASE) { + m.type = DNSTAP__MESSAGE__TYPE__CLIENT_QUERY; + + if (dnstap_dt->log_qr_pkt) { + const knot_pkt_t *qpkt = req->qsource.packet; + m.has_query_message = qpkt != NULL; + if (qpkt != NULL) { + m.query_message.len = qpkt->size; + m.query_message.data = (uint8_t *)qpkt->wire; + } } - } - /* set query time to the timestamp of the first kr_query - * set response time to now - */ - if (rplan->resolved.len > 0) { - struct kr_query *first = rplan->resolved.at[0]; - - m.query_time_sec = first->timestamp.tv_sec; - m.has_query_time_sec = true; - m.query_time_nsec = first->timestamp.tv_usec * 1000; - m.has_query_time_nsec = true; - } - - /* Response time */ - m.response_time_sec = now.tv_sec; - m.has_response_time_sec = true; - m.response_time_nsec = now.tv_usec * 1000; - m.has_response_time_nsec = true; - - /* Query Zone */ - if (rplan->resolved.len > 0) { - struct kr_query *last = array_tail(rplan->resolved); - /* Only add query_zone when not answered from cache */ - if (!(last->flags.CACHED)) { - const knot_dname_t *zone_cut_name = last->zone_cut.name; - if (zone_cut_name != NULL) { - m.query_zone.data = (uint8_t *)zone_cut_name; - m.query_zone.len = knot_dname_size(zone_cut_name); - m.has_query_zone = true; + /* set query time to the timestamp of the first kr_query */ + if (rplan->initial) { + struct kr_query *first = rplan->initial; + + m.query_time_sec = first->timestamp.tv_sec; + m.has_query_time_sec = true; + m.query_time_nsec = first->timestamp.tv_usec * 1000; + m.has_query_time_nsec = true; + } + } else if (phase == CLIENT_RESPONSE_PHASE) { + m.type = DNSTAP__MESSAGE__TYPE__CLIENT_RESPONSE; + + /* current time */ + struct timeval now; + gettimeofday(&now, NULL); + + if (dnstap_dt->log_resp_pkt) { + const knot_pkt_t *rpkt = req->answer; + m.has_response_message = rpkt != NULL; + if (rpkt != NULL) { + m.response_message.len = rpkt->size; + m.response_message.data = rpkt->wire; } } + + /* Set response time to now */ + m.response_time_sec = now.tv_sec; + m.has_response_time_sec = true; + m.response_time_nsec = now.tv_usec * 1000; + m.has_response_time_nsec = true; } /* Create a dnstap Message */ Dnstap__Dnstap dnstap = DNSTAP__DNSTAP__INIT; dnstap.type = DNSTAP__DNSTAP__TYPE__MESSAGE; - dnstap.message = (Dnstap__Message *)&m; + dnstap.message = &m; + + if (dnstap_dt->identity) { + dnstap.identity.data = (uint8_t*)dnstap_dt->identity; + dnstap.identity.len = dnstap_dt->identity_len; + dnstap.has_identity = true; + } + + if (dnstap_dt->version) { + dnstap.version.data = (uint8_t*)dnstap_dt->version; + dnstap.version.len = dnstap_dt->version_len; + dnstap.has_version = true; + } /* Pack the message */ uint8_t *frame = NULL; @@ -197,24 +235,36 @@ return kr_error(EBUSY); } + return kr_ok(); +} + +/* dnstap_log_query prepares dnstap CLIENT_QUERY message and sends it to fstrm */ +static int dnstap_log_query(kr_layer_t *ctx) { + dnstap_log(ctx, CLIENT_QUERY_PHASE); + return ctx->state; +} + +/* dnstap_log_response prepares dnstap CLIENT_RESPONSE message and sends it to fstrm */ +static int dnstap_log_response(kr_layer_t *ctx) { + dnstap_log(ctx, CLIENT_RESPONSE_PHASE); return ctx->state; } KR_EXPORT int dnstap_init(struct kr_module *module) { static kr_layer_api_t layer = { - .finish = &dnstap_log, + .begin = &dnstap_log_query, + .finish = &dnstap_log_response, }; /* Store module reference */ layer.data = module; module->layer = &layer; /* allocated memory for internal data */ - struct dnstap_data *data = malloc(sizeof(*data)); + struct dnstap_data *data = calloc(1, sizeof(*data)); if (!data) { return kr_error(ENOMEM); } - memset(data, 0, sizeof(*data)); /* save pointer to internal struct in module for future reference */ module->data = data; @@ -226,6 +276,9 @@ struct dnstap_data *data = module->data; /* Free allocated memory */ if (data) { + free(data->identity); + free(data->version); + fstrm_iothr_destroy(&data->iothread); DEBUG_MSG("fstrm iothread destroyed\n"); free(data); @@ -318,11 +371,46 @@ sock_path = strndup(DEFAULT_SOCK_PATH, PATH_MAX); } - /* logRespPkt key */ - node = json_find_member(root_node, CFG_LOG_RESP_PKT); + /* identity string key */ + node = json_find_member(root_node, CFG_IDENTITY_STRING); + if (!node || find_string(node, &data->identity, KR_EDNS_PAYLOAD) != kr_ok()) { + data->identity = NULL; + data->identity_len = 0; + } else { + data->identity_len = strlen(data->identity); + } + + /* version string key */ + node = json_find_member(root_node, CFG_VERSION_STRING); + if (!node || find_string(node, &data->version, KR_EDNS_PAYLOAD) != kr_ok()) { + data->version = strdup("Knot Resolver " PACKAGE_VERSION); + if (data->version) { + data->version_len = strlen(data->version); + } + } else { + data->version_len = strlen(data->version); + } + + node = json_find_member(root_node, CFG_LOG_CLIENT_PKT); if (node) { - data->log_resp_pkt = find_bool(node); + JsonNode *subnode; + /* logRespPkt key */ + subnode = json_find_member(node, CFG_LOG_RESP_PKT); + if (subnode) { + data->log_resp_pkt = find_bool(subnode); + } else { + data->log_resp_pkt = false; + } + + /* logQrPkt key */ + subnode = json_find_member(node, CFG_LOG_QR_PKT); + if (subnode) { + data->log_qr_pkt = find_bool(subnode); + } else { + data->log_qr_pkt = false; + } } else { + data->log_qr_pkt = false; data->log_resp_pkt = false; } diff -Nru knot-resolver-5.2.1/modules/dnstap/dnstap.proto knot-resolver-5.3.1/modules/dnstap/dnstap.proto --- knot-resolver-5.2.1/modules/dnstap/dnstap.proto 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/dnstap/dnstap.proto 2021-03-31 15:15:36.000000000 +0000 @@ -49,11 +49,12 @@ INET6 = 2; // IPv6 (RFC 2460) } -// SocketProtocol: the transport protocol of a socket. This specifies how to -// interpret "transport port" fields. +// SocketProtocol: the protocol used to transport a DNS message. enum SocketProtocol { - UDP = 1; // User Datagram Protocol (RFC 768) - TCP = 2; // Transmission Control Protocol (RFC 793) + UDP = 1; // DNS over UDP transport (RFC 1035 section 4.2.1) + TCP = 2; // DNS over TCP transport (RFC 1035 section 4.2.2) + DOT = 3; // DNS over TLS (RFC 7858) + DOH = 4; // DNS over HTTPS (RFC 8484) } // Message: a wire-format (RFC 1035 section 4) DNS message and associated @@ -159,6 +160,16 @@ // TOOL_RESPONSE is a DNS response message received by a DNS software // tool from a DNS server, from the perspective of the tool. TOOL_RESPONSE = 12; + + // UPDATE_QUERY is a DNS update query message received from a resolver + // by an authoritative name server, from the perspective of the + // authoritative name server. + UPDATE_QUERY = 13; + + // UPDATE_RESPONSE is a DNS update response message sent from an + // authoritative name server to a resolver, from the perspective of the + // authoritative name server. + UPDATE_RESPONSE = 14; } // One of the Type values described above. diff -Nru knot-resolver-5.2.1/modules/dnstap/meson.build knot-resolver-5.3.1/modules/dnstap/meson.build --- knot-resolver-5.2.1/modules/dnstap/meson.build 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/dnstap/meson.build 2021-03-31 15:15:36.000000000 +0000 @@ -32,6 +32,7 @@ '--proto_path', meson.current_source_dir(), meson.current_source_dir() / 'dnstap.proto', ], + input: [ 'dnstap.proto' ], output: [ 'dnstap.pb-c.h', 'dnstap.pb-c.c', diff -Nru knot-resolver-5.2.1/modules/dnstap/README.rst knot-resolver-5.3.1/modules/dnstap/README.rst --- knot-resolver-5.2.1/modules/dnstap/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/dnstap/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -5,22 +5,30 @@ Dnstap (traffic collection) =========================== -The ``dnstap`` module supports logging DNS responses to a unix socket -in `dnstap format `_ using fstrm framing library. +The ``dnstap`` module supports logging DNS requests and responses to a unix +socket in `dnstap format `_ using fstrm framing library. This logging is useful if you need effectivelly log all DNS traffic. The unix socket and the socket reader must be present before starting resolver instances. Tunables: -* ``socket_path``: the the unix socket file where dnstap messages will be sent -* ``log_responses``: if ``true`` responses in wire format will be logged +* ``socket_path``: the unix socket file where dnstap messages will be sent +* ``identity``: identity string as typically returned by an "NSID" (RFC 5001) query, empty by default +* ``version``: version string of the resolver, defaulting to "Knot Resolver major.minor.patch" +* ``client.log_queries``: if ``true`` queries from downstream in wire format will be logged +* ``client.log_responses``: if ``true`` responses to downstream in wire format will be logged .. code-block:: lua modules = { dnstap = { socket_path = "/tmp/dnstap.sock", - log_responses = true + identity = nsid.name() or "", + version = "My Custom Knot Resolver " .. package_version(), + client = { + log_queries = true, + log_responses = true, + }, } } diff -Nru knot-resolver-5.2.1/modules/edns_keepalive/edns_keepalive.c knot-resolver-5.3.1/modules/edns_keepalive/edns_keepalive.c --- knot-resolver-5.2.1/modules/edns_keepalive/edns_keepalive.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/edns_keepalive/edns_keepalive.c 2021-03-31 15:15:36.000000000 +0000 @@ -24,11 +24,7 @@ const bool ka_want = req->qsource.flags.tcp && src_opt != NULL && - knot_edns_get_option(src_opt, KNOT_EDNS_OPTION_TCP_KEEPALIVE - #if KNOT_VERSION_HEX >= 0x020900 - , NULL - #endif - ) && + knot_edns_get_option(src_opt, KNOT_EDNS_OPTION_TCP_KEEPALIVE, NULL) && answ_opt != NULL; if (!ka_want) { return ctx->state; diff -Nru knot-resolver-5.2.1/modules/hints/hints.c knot-resolver-5.3.1/modules/hints/hints.c --- knot-resolver-5.2.1/modules/hints/hints.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/hints/hints.c 2021-03-31 15:15:36.000000000 +0000 @@ -175,7 +175,7 @@ memset(sa, 0, sizeof(*sa)); sa->ip.sa_family = family; char *addr_bytes = (/*const*/char *)kr_inaddr(&sa->ip); - if (inet_pton(family, addr, addr_bytes) < 1) { + if (inet_pton(family, addr, addr_bytes) != 1) { return kr_error(EILSEQ); } return 0; @@ -619,17 +619,10 @@ }; module->props = props; - /* Create pool and copy itself */ - knot_mm_t _pool = { - .ctx = mp_new(4096), - .alloc = (knot_mm_alloc_t) mp_alloc - }; - knot_mm_t *pool = mm_alloc(&_pool, sizeof(*pool)); + knot_mm_t *pool = mm_ctx_mempool2(MM_DEFAULT_BLKSIZE); if (!pool) { return kr_error(ENOMEM); } - memcpy(pool, &_pool, sizeof(*pool)); - struct hints_data *data = mm_alloc(pool, sizeof(struct hints_data)); if (!data) { mp_delete(pool->ctx); diff -Nru knot-resolver-5.2.1/modules/hints/README.rst knot-resolver-5.3.1/modules/hints/README.rst --- knot-resolver-5.2.1/modules/hints/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/hints/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -33,7 +33,7 @@ hints['foo.bar'] = '127.0.0.1' .. note:: The :ref:`policy ` module applies before hints, meaning e.g. that hints for special names (:rfc:`6761#section-6`) like ``localhost`` or ``test`` will get shadowed by policy rules by default. - That can be worked around e.g. by explicit ``policy.PASS`` action. + That can be worked around e.g. by explicit :any:`policy.PASS` action. Properties ---------- diff -Nru knot-resolver-5.2.1/modules/http/http_trace.lua knot-resolver-5.3.1/modules/http/http_trace.lua --- knot-resolver-5.2.1/modules/http/http_trace.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/http/http_trace.lua 2021-03-31 15:15:36.000000000 +0000 @@ -23,6 +23,7 @@ -- Create logging handler callback local buffer = {} local buffer_log_cb = ffi.cast('trace_log_f', function (_, msg) + jit.off(true, true) -- JIT for (C -> lua)^2 nesting isn't allowed table.insert(buffer, ffi.string(msg)) end) @@ -32,6 +33,7 @@ local cond = condition.new() local waiting, done = false, false local finish_cb = ffi.cast('trace_callback_f', function (req) + jit.off(true, true) -- JIT for (C -> lua)^2 nesting isn't allowed table.insert(buffer, req:selected_tostring()) if waiting then cond:signal() diff -Nru knot-resolver-5.2.1/modules/http/prometheus.lua knot-resolver-5.3.1/modules/http/prometheus.lua --- knot-resolver-5.2.1/modules/http/prometheus.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/http/prometheus.lua 2021-03-31 15:15:36.000000000 +0000 @@ -95,6 +95,35 @@ end end +-- Transform metrics from Graphite to Prometheus format +-- See: https://gitlab.nic.cz/knot/knot-resolver/-/issues/650 +-- E.g.: +-- worker.ipv4 -> worker_ipv4 +-- answer.blocked;stype=A -> answer_blocked{stype="A"} +local function get_metric(key) + local key_index, key_len, key_tag = 0, #key, 0 + return select(1, key:gsub('.', function (c) + key_index = key_index + 1 + if key_tag == 0 then + if c == '.' then return '_' end + if c == ';' then key_tag = 1; return '{' end + elseif key_tag == 1 then + if key_index == key_len then + if c == '=' then return '=""}' + else return c .. '"}' end + end + if c == '=' then key_tag = 2; return '="' end + elseif key_tag == 2 then + if key_index == key_len then + if c == ';' then return '"}' + else return c .. '"}' end + end + if c == ';' then key_tag = 1; return '",' end + end + return nil + end)) +end + -- Render stats in Prometheus text format local function serve_prometheus() -- First aggregate metrics list and print counters @@ -102,7 +131,7 @@ local latency = {} local counter = '# TYPE %s counter\n%s %f' for k,v in pairs(slist) do - k = select(1, k:gsub('%.', '_')) + k = get_metric(k) -- Aggregate histograms local band = k:match('answer_([%d]+)ms') if band then @@ -112,7 +141,8 @@ -- Counter as a fallback else local key = M.namespace .. k - table.insert(render, string.format(counter, key, key, v)) + local name, label = key:match('^([^{]+)(.*)$') + table.insert(render, string.format(counter, name, name .. label, v)) end end -- Fill in latency histogram diff -Nru knot-resolver-5.2.1/modules/nsid/nsid.c knot-resolver-5.3.1/modules/nsid/nsid.c --- knot-resolver-5.2.1/modules/nsid/nsid.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/nsid/nsid.c 2021-03-31 15:15:36.000000000 +0000 @@ -30,11 +30,7 @@ if (src_opt == NULL) return ctx->state; - const uint8_t *req_nsid = knot_edns_get_option(src_opt, KNOT_EDNS_OPTION_NSID - #if KNOT_VERSION_HEX >= 0x020900 - , NULL - #endif - ); + const uint8_t *req_nsid = knot_edns_get_option(src_opt, KNOT_EDNS_OPTION_NSID, NULL); /* NSID option must be explicitly requested */ if (req_nsid == NULL) return ctx->state; diff -Nru knot-resolver-5.2.1/modules/policy/policy.lua knot-resolver-5.3.1/modules/policy/policy.lua --- knot-resolver-5.2.1/modules/policy/policy.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/policy/policy.lua 2021-03-31 15:15:36.000000000 +0000 @@ -77,18 +77,13 @@ end -- Override the list of nameservers (forwarders) -local function set_nslist(qry, list) +local function set_nslist(req, list) local ns_i = 0 for _, ns in ipairs(list) do - -- kr_nsrep_set() can return kr_error(ENOENT), it's OK - if ffi.C.kr_nsrep_set(qry, ns_i, ns) == 0 then + if ffi.C.kr_forward_add_target(req, ns) == 0 then ns_i = ns_i + 1 end end - -- If less than maximum NSs, insert guard to terminate the list - if ns_i < 3 then - assert(ffi.C.kr_nsrep_set(qry, ns_i, nil) == 0); - end if ns_i == 0 then -- would use assert() but don't want to compose the message if not triggered error('no usable address in NS set (check net.ipv4 and ' @@ -102,7 +97,6 @@ if type(target) == 'table' then for _, v in pairs(target) do table.insert(list, addr2sock(v, 53)) - assert(#list <= 4, 'at most 4 STUB targets are supported') end else table.insert(list, addr2sock(target, 53)) @@ -112,7 +106,7 @@ -- Switch mode to stub resolver, do not track origin zone cut since it's not real authority NS qry.flags.STUB = true qry.flags.ALWAYS_CUT = false - set_nslist(qry, list) + set_nslist(req, list) return state end end @@ -123,7 +117,6 @@ if type(target) == 'table' then for _, v in pairs(target) do table.insert(list, addr2sock(v, 53)) - assert(#list <= 4, 'at most 4 FORWARD targets are supported') end else table.insert(list, addr2sock(target, 53)) @@ -136,7 +129,7 @@ qry.flags.ALWAYS_CUT = false qry.flags.NO_MINIMIZE = true qry.flags.AWAIT_CUT = true - set_nslist(qry, list) + set_nslist(req, list) return state end end @@ -145,8 +138,6 @@ function policy.TLS_FORWARD(targets) if type(targets) ~= 'table' or #targets < 1 then error('TLS_FORWARD argument must be a non-empty table') - elseif #targets > 4 then - error('TLS_FORWARD supports at most four targets (in a single call)') end local sockaddr_c_set = {} @@ -182,7 +173,7 @@ qry.flags.AWAIT_CUT = true req.options.TCP = true qry.flags.TCP = true - set_nslist(qry, nslist) + set_nslist(req, nslist) return state end end @@ -209,25 +200,40 @@ end end +local function mkauth_soa(answer, dname, mname, ttl) + if mname == nil then + mname = dname + end + return answer:put(dname, ttl or 10800, answer:qclass(), kres.type.SOA, + mname .. '\6nobody\7invalid\0\0\0\0\1\0\0\14\16\0\0\4\176\0\9\58\128\0\0\42\48') +end + -- Create answer with passed arguments function policy.ANSWER(rtable, nodata) return function(_, req) local qry = req:current() - local answer = req:ensure_answer() - if answer == nil then return nil end local data = rtable[qry.stype] + if data == nil and nodata ~= true then + return nil + end + -- now we're certain we want to generate an answer + local answer = req:ensure_answer() + if answer == nil then return nil end ffi.C.kr_pkt_make_auth_header(answer) + local ttl = (data or {}).ttl or 1 + answer:rcode(kres.rcode.NOERROR) - if data == nil then - if nodata == true then - answer:rcode(kres.rcode.NOERROR) - return kres.DONE + if data == nil then -- want NODATA, i.e. just a SOA + answer:begin(kres.section.AUTHORITY) + local soa = rtable[kres.type.SOA] + if soa ~= nil then + answer:put(qry.sname, soa.ttl or ttl, qry.sclass, kres.type.SOA, + soa.rdata[1] or soa.rdata) + else + mkauth_soa(answer, kres.dname2wire(qry.sname), nil, ttl) end else - local ttl = data.ttl or 1 - - answer:rcode(kres.rcode.NOERROR) answer:begin(kres.section.ANSWER) if type(data.rdata) == 'table' then for _, rdato in ipairs(data.rdata) do @@ -236,20 +242,11 @@ else answer:put(qry.sname, ttl, qry.sclass, qry.stype, data.rdata) end - - return kres.DONE end + return kres.DONE end end -local function mkauth_soa(answer, dname, mname) - if mname == nil then - mname = dname - end - return answer:put(dname, 10800, answer:qclass(), kres.type.SOA, - mname .. '\6nobody\7invalid\0\0\0\0\1\0\0\14\16\0\0\4\176\0\9\58\128\0\0\42\48') -end - local dname_localhost = todname('localhost.') -- Rule for localhost. zone; see RFC6303, sec. 3 diff -Nru knot-resolver-5.2.1/modules/policy/README.rst knot-resolver-5.3.1/modules/policy/README.rst --- knot-resolver-5.2.1/modules/policy/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/policy/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -13,11 +13,11 @@ Each policy *rule* has two parts: a *filter* and an *action*. A *filter* selects which queries will be affected by the policy, and *action* which modifies queries matching the associated filter. -Typically a rule is defined as follows: ``filter(action(action parameters), filter parameters)``. For example, a filter can be ``suffix`` which matches queries whose suffix part is in specified set, and one of possible actions is ``DENY``, which denies resolution. These are combined together into ``policy.suffix(policy.DENY, {todname('badguy.example.')})``. The rule is effective when it is added into rule table using ``policy.add()``, please see examples below. +Typically a rule is defined as follows: ``filter(action(action parameters), filter parameters)``. For example, a filter can be ``suffix`` which matches queries whose suffix part is in specified set, and one of possible actions is :any:`policy.DENY`, which denies resolution. These are combined together into ``policy.suffix(policy.DENY, {todname('badguy.example.')})``. The rule is effective when it is added into rule table using ``policy.add()``, please see examples below. This module is enabled by default because it implements mandatory :rfc:`6761` logic. When no rule applies to a query, built-in rules for `special-use `_ and `locally-served `_ domain names are applied. -These rules can be overriden by action :func:`policy.PASS`. For debugging purposes you can also add ``modules.unload('policy')`` to your config to unload the module. +These rules can be overriden by action :any:`policy.PASS`. For debugging purposes you can also add ``modules.unload('policy')`` to your config to unload the module. Filters @@ -80,7 +80,7 @@ end This custom filter can be used as any other built-in filter. -For example this applies our custom filter and executes action :func:`policy.DENY` on all queries of type `HINFO`: +For example this applies our custom filter and executes action :any:`policy.DENY` on all queries of type `HINFO`: .. code-block:: lua @@ -221,7 +221,7 @@ .. py:data:: DEBUG_CACHE_MISS - Enable extra verbose logging but print logs only for requests which required information which was not available locally (i.e. requests which forced resolver to communicate over network). Intended usage is for debugging problems with remote servers. This action typically produces less logs than :func:`policy.DEBUG_ALWAYS` but all caveats from :func:`policy.DEBUG_IF` apply as well. + Enable extra verbose logging but print logs only for requests which required information which was not available locally (i.e. requests which forced resolver to communicate over network). Intended usage is for debugging problems with remote servers. This action typically produces less logs than :any:`policy.DEBUG_ALWAYS` but all caveats from :func:`policy.DEBUG_IF` apply as well. .. code-block:: lua @@ -302,7 +302,7 @@ .. function:: FORWARD(ip_address) FORWARD({ ip_address, [ip_address, ...] }) - Forward cache-miss queries to specified IP addresses via DNS-over-UDP, DNSSEC validate received answers and cache them. Target IP addresses are expected to be DNS resolvers. + Forward cache-miss queries to specified IP addresses (without encryption), DNSSEC validate received answers and cache them. Target IP addresses are expected to be DNS resolvers. .. code-block:: lua @@ -320,7 +320,7 @@ Similar to :func:`policy.FORWARD` but *without* attempting DNSSEC validation. Each request may be either answered from cache or simply sent to one of the IPs with proxying back the answer. - This mode supports only DNS-over-UDP and should be used only for `Replacing part of the DNS tree`_. + This mode does not support encryption and should be used only for `Replacing part of the DNS tree`_. Use :func:`policy.FORWARD` mode if possible. .. code-block:: lua @@ -332,13 +332,18 @@ policy.STUB('192.0.2.1@5353'), {todname('1.168.192.in-addr.arpa')})) +.. note:: Forwarding targets must support + `EDNS `_ and + `0x20 randomization `_. + + .. _tls-forwarding: Forwarding over TLS protocol (DNS-over-TLS) ------------------------------------------- .. function:: TLS_FORWARD( { {ip_address, authentication}, [...] } ) - Same as :func:`FORWARD` but send query over DNS-over-TLS protocol (encrypted). + Same as :func:`policy.FORWARD` but send query over DNS-over-TLS protocol (encrypted). Each target IP address needs explicit configuration how to validate TLS certificate so each IP address is configured by pair: ``{ip_address, authentication}``. See sections below for more details. @@ -346,7 +351,7 @@ Policy :func:`policy.TLS_FORWARD` allows you to forward queries using `Transport Layer Security`_ protocol, which hides the content of your queries from an attacker observing the network traffic. Further details about this protocol can be found in :rfc:`7858` and `IETF draft dprive-dtls-and-tls-profiles`_. -Queries affected by `TLS_FORWARD` policy will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail. +Queries affected by :func:`policy.TLS_FORWARD` will always be resolved over TLS connection. Knot Resolver does not implement fallback to non-TLS connection, so if TLS connection cannot be established or authenticated according to the configuration, the resolution will fail. To test this feature you need to either :ref:`configure Knot Resolver as DNS-over-TLS server `, or pick some public DNS-over-TLS server. Please see `DNS Privacy Project`_ homepage for list of public servers. @@ -532,7 +537,7 @@ 'internal.example.com.', '2.0.192.in-addr.arpa.' -- this applies to reverse DNS tree as well }) - -- Beware: the rule order is important, as STUB is not a chain action. + -- Beware: the rule order is important, as policy.STUB is not a chain action. policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees)) policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees)) @@ -567,20 +572,20 @@ .. csv-table:: :header: "RPZ Right Hand Side", "Knot Resolver Action", "BIND Compatibility" - "``.``", "``action`` is used", "compatible if ``action`` is :func:`policy.DENY`" + "``.``", "``action`` is used", "compatible if ``action`` is :any:`policy.DENY`" "``*.``", ":func:`policy.ANSWER`", "yes" - "``rpz-passthru.``", ":func:`policy.PASS`", "yes" - "``rpz-tcp-only.``", ":func:`policy.TC`", "yes" - "``rpz-drop.``", ":func:`policy.DROP`", "no [#]_" + "``rpz-passthru.``", ":any:`policy.PASS`", "yes" + "``rpz-tcp-only.``", ":any:`policy.TC`", "yes" + "``rpz-drop.``", ":any:`policy.DROP`", "no [#]_" "fake A/AAAA", ":func:`policy.ANSWER`", "yes" "fake CNAME", "not supported", "no" - .. [#] Our :func:`policy.DROP` returns *SERVFAIL* answer (for historical reasons). + .. [#] Our :any:`policy.DROP` returns *SERVFAIL* answer (for historical reasons). .. function:: rpz(action, path, [watch = true]) - :param action: the default action for match in the zone; typically you want :func:`policy.DENY` + :param action: the default action for match in the zone; typically you want :any:`policy.DENY` :param path: path to zone file :param watch: boolean, if true, the file will be reloaded on file change diff -Nru knot-resolver-5.2.1/modules/predict/README.rst knot-resolver-5.3.1/modules/predict/README.rst --- knot-resolver-5.2.1/modules/predict/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/predict/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -5,12 +5,32 @@ Prefetching records =================== -The module refreshes records that are about to expire when they're used (having less than 1% of original TTL). -This improves latency for frequently used records, as they are fetched in advance. +The ``predict`` module helps to keep the cache hot by prefetching records. +It can utilize two independent mechanisms to select the records which should be refreshed: +expiring records and prediction. -It is also able to learn usage patterns and repetitive queries that the server makes. For example, if -it makes a query every day at 18:00, the resolver expects that it is needed by that time and prefetches it -ahead of time. This is helpful to minimize the perceived latency and keeps the cache hot. +Expiring records +---------------- + +This mechanism is always active when the predict module is loaded and it is not configurable. + +Any time the resolver answers with records that are about to expire, +they get refreshed. (see :c:func:`is_expiring`) +That improves latency for records which get frequently queried, relatively to their TTL. + +Prediction +---------- + +The predict module can also learn usage patterns and repetitive queries, +though this mechanism is basically a prototype. + +For example, if it makes a query every day at 18:00, +the resolver expects that it is needed by that time and prefetches it ahead of time. +This is helpful to minimize the perceived latency and keeps the cache hot. + +You can disable prediction by configuring ``period = 0``. +Otherwise it will load the required :ref:`stats ` module if not present, +and it will use its :func:`stats.frequent` table and clear it periodically. .. tip:: The tracking window and period length determine memory requirements. If you have a server with relatively fast query turnover, keep the period low (hour for start) and shorter tracking window (5 minutes). For personal slower resolver, keep the tracking window longer (i.e. 30 minutes) and period longer (a day), as the habitual queries occur daily. Experiment to get the best results. @@ -26,12 +46,7 @@ } } -Defaults are 15 minutes window, 6 hours period. - -.. tip:: Use period 0 to turn off prediction and just do prefetching of expiring records. - That works even without the :ref:`stats ` module. - -.. note:: Otherwise this module requires :ref:`stats ` module and loads it if not present. +Defaults are as above: 15 minutes window, 6 hours period. Exported metrics ---------------- diff -Nru knot-resolver-5.2.1/modules/prefill/README.rst knot-resolver-5.3.1/modules/prefill/README.rst --- knot-resolver-5.2.1/modules/prefill/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/prefill/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -13,14 +13,14 @@ .. code-block:: lua - modules.load('prefill') - prefill.config({ - ['.'] = { - url = 'https://www.internic.net/domain/root.zone', - interval = 86400 -- seconds - ca_file = '/etc/pki/tls/certs/ca-bundle.crt', -- optional - } - }) + modules.load('prefill') + prefill.config({ + ['.'] = { + url = 'https://www.internic.net/domain/root.zone', + interval = 86400, -- seconds + ca_file = '/etc/pki/tls/certs/ca-bundle.crt', -- optional + } + }) This configuration downloads the zone file from URL `https://www.internic.net/domain/root.zone` and imports it into the cache every 86400 seconds (1 day). The HTTPS connection is authenticated using a CA certificate from file `/etc/pki/tls/certs/ca-bundle.crt` and signed zone content is validated using DNSSEC. diff -Nru knot-resolver-5.2.1/modules/rebinding/rebinding.lua knot-resolver-5.3.1/modules/rebinding/rebinding.lua --- knot-resolver-5.2.1/modules/rebinding/rebinding.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/rebinding/rebinding.lua 2021-03-31 15:15:36.000000000 +0000 @@ -109,9 +109,7 @@ end if verbose() then ffi.C.kr_log_q(qry, 'rebinding', - 'blocking blacklisted IP in RR \'%s\' received from IP %s\n', - kres.rr2str(bad_rr), - tostring(kres.sockaddr_t(req.upstream.addr))) + 'blocking blacklisted IP in RR \'%s\'\n', kres.rr2str(bad_rr)) end return state end diff -Nru knot-resolver-5.2.1/modules/rebinding/test.integr/kresd_config.j2 knot-resolver-5.3.1/modules/rebinding/test.integr/kresd_config.j2 --- knot-resolver-5.2.1/modules/rebinding/test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/rebinding/test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -28,6 +28,7 @@ _hint_root_file('hints') cache.size = 2*MB verbose(true) +net.ipv6 = false {% endraw %} net = { '{{SELF_ADDR}}' } diff -Nru knot-resolver-5.2.1/modules/serve_stale/test.integr/kresd_config.j2 knot-resolver-5.3.1/modules/serve_stale/test.integr/kresd_config.j2 --- knot-resolver-5.2.1/modules/serve_stale/test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/serve_stale/test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -30,6 +30,18 @@ verbose(true) {% endraw %} +{% if DO_IP6 == "true" %} +net.ipv6 = true +{% else %} +net.ipv6 = false +{% endif %} + +{% if DO_IP4 == "true" %} +net.ipv4 = true +{% else %} +net.ipv4 = false +{% endif %} + net = { '{{SELF_ADDR}}' } diff -Nru knot-resolver-5.2.1/modules/serve_stale/test.integr/module_serve_stale.rpl knot-resolver-5.3.1/modules/serve_stale/test.integr/module_serve_stale.rpl --- knot-resolver-5.2.1/modules/serve_stale/test.integr/module_serve_stale.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/serve_stale/test.integr/module_serve_stale.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,3 +1,4 @@ +do-ip6: no ; SPDX-License-Identifier: GPL-3.0-or-later ; config options stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff -Nru knot-resolver-5.2.1/modules/stats/README.rst knot-resolver-5.3.1/modules/stats/README.rst --- knot-resolver-5.2.1/modules/stats/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/stats/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -173,13 +173,19 @@ Return nominal value of given metric. -.. function:: stats.set(key, val) - - :param string key: i.e. ``"answer.total"`` - :param number val: i.e. ``5`` +.. function:: stats.set('key val') Set nominal value of given metric. +Example: + +.. code-block:: lua + + stats.set('answer.total 5') + -- or syntactic sugar + stats['answer.total'] = 5 + + .. function:: stats.list([prefix]) :param string prefix: optional metric prefix, i.e. ``"answer"`` shows only metrics beginning with "answer" diff -Nru knot-resolver-5.2.1/modules/stats/stats.c knot-resolver-5.3.1/modules/stats/stats.c --- knot-resolver-5.2.1/modules/stats/stats.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/stats/stats.c 2021-03-31 15:15:36.000000000 +0000 @@ -147,7 +147,7 @@ { struct kr_request *req = ctx->req; struct kr_query *qry = req->current_query; - if (qry->flags.CACHED || !req->upstream.addr) { + if (qry->flags.CACHED || !req->upstream.transport) { return ctx->state; } @@ -158,11 +158,11 @@ /* Socket address is encoded into sockaddr_in6 struct that * unions with sockaddr_in and differ in sa_family */ struct sockaddr_in6 *e = &data->upstreams.q.at[data->upstreams.head]; - const struct sockaddr *src = req->upstream.addr; - switch (src->sa_family) { - case AF_INET: memcpy(e, src, sizeof(struct sockaddr_in)); break; - case AF_INET6: memcpy(e, src, sizeof(struct sockaddr_in6)); break; - default: return ctx->state; + const union inaddr *src = &req->upstream.transport->address; + switch (src->ip.sa_family) { + case AF_INET: memcpy(e, &src->ip4, sizeof(src->ip4)); break; + case AF_INET6: memcpy(e, &src->ip6, sizeof(src->ip6)); break; + default: return ctx->state; } /* Replace port number with the RTT information (cap is UINT16_MAX milliseconds) */ e->sin6_rtt = req->upstream.rtt; @@ -473,11 +473,10 @@ }; module->props = props; - struct stat_data *data = malloc(sizeof(*data)); + struct stat_data *data = calloc(1, sizeof(*data)); if (!data) { return kr_error(ENOMEM); } - memset(data, 0, sizeof(*data)); data->map = map_make(NULL); module->data = data; lru_create(&data->queries.frequent, FREQUENT_COUNT, NULL, NULL); diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/kresd_config.j2 knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/kresd_config.j2 --- knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -21,11 +21,13 @@ end policy.add(policy.suffix(policy.PASS, {todname('test.')})) -_hint_root_file('hints') cache.size = 2*MB verbose(true) {% endraw %} +modules.load('hints') +hints.root({['{{ROOT_NAME}}'] = '{{ROOT_ADDR}}'}) + net = { '{{SELF_ADDR}}' } diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/scenario.py knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/scenario.py --- knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/scenario.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/scenario.py 2021-03-31 15:15:38.000000000 +0000 @@ -757,9 +757,11 @@ trust_anchor_files = {} negative_ta_list = [] stub_addr = None + stub_name = "k.root-servers.net" override_timestamp = None forward_addr = None - + do_ip6 = True + do_ip4 = True features = {} feature_list_delimiter = ';' feature_pair_delimiter = '=' @@ -798,6 +800,8 @@ override_timestamp = calendar.timegm(override_date) elif k == 'stub-addr': stub_addr = v.strip('"\'') + elif k == 'stub-name': + stub_name = v elif k == 'features': feature_list = v.split(feature_list_delimiter) try: @@ -827,6 +831,10 @@ sockfamily = socket.AF_INET6 elif k == 'forward-addr': # currently forwards everything forward_addr = v.strip('"\'') + elif k == 'do-ip4': + do_ip4 = str2bool(v) + elif k == 'do-ip6': + do_ip6 = str2bool(v) else: raise NotImplementedError('unsupported CONFIG key "%s"' % k) @@ -840,9 +848,12 @@ "TRUST_ANCHORS": trust_anchor_list, "TRUST_ANCHOR_FILES": trust_anchor_files, "FORWARD_ADDR": forward_addr, + "DO_IP6": str(do_ip6).lower(), + "DO_IP4": str(do_ip4).lower(), } if stub_addr: ctx['ROOT_ADDR'] = stub_addr + ctx['ROOT_NAME'] = stub_name # determine and verify socket family for specified root address gai = socket.getaddrinfo(stub_addr, 53, sockfamily, 0, socket.IPPROTO_UDP, socket.AI_NUMERICHOST) diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/testserver.py knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/testserver.py --- knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/testserver.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest/testserver.py 2021-03-31 15:15:38.000000000 +0000 @@ -180,9 +180,9 @@ for srv_sock in self.srv_socks: if (srv_sock.family == family - and srv_sock.getsockname() == address + and srv_sock.getsockname()[:2] == address and srv_sock.proto == proto): - return srv_sock.getsockname() + return sock = socket.socket(family, socktype, proto) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) @@ -195,25 +195,23 @@ # A lot of addresses are added to the interface while runnning from Deckard in # the small amount of time which caused ocassional hiccups while binding to them # right afterwards in testing. Therefore, we retry a few times. - ex = None + final_ex = None for i in range(self.RETRIES_ON_BIND): try: sock.bind(address) break - except OSError as e: + except OSError as ex: # Exponential backoff time.sleep((2 ** i) + random.random()) - ex = e + final_ex = ex continue else: - print(ex, address) - raise ex + print(final_ex, address) + raise final_ex if proto == socket.IPPROTO_TCP: sock.listen(5) self.srv_socks.append(sock) - sockname = sock.getsockname() - return sockname, proto def _bind_sockets(self): """ @@ -224,6 +222,7 @@ for addr in r.addresses: family = socket.AF_INET6 if ':' in addr else socket.AF_INET self.start_srv((addr, 53), family) + self.start_srv((addr, 53), family, proto=socket.IPPROTO_TCP) # Bind addresses in ad-hoc REPLYs for s in self.scenario.steps: @@ -236,8 +235,12 @@ for rd in rr: if rd.rdtype == dns.rdatatype.A: self.start_srv((rd.address, 53), socket.AF_INET) + self.start_srv((rd.address, 53), socket.AF_INET, + proto=socket.IPPROTO_TCP) elif rd.rdtype == dns.rdatatype.AAAA: self.start_srv((rd.address, 53), socket.AF_INET6) + self.start_srv((rd.address, 53), socket.AF_INET6, + proto=socket.IPPROTO_TCP) def play(self, subject_addr): self.scenario.play({'': (subject_addr, 53)}) diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/rfc5011-monotonictime.rpl knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/rfc5011-monotonictime.rpl --- knot-resolver-5.2.1/modules/ta_update/ta_update.test.integr/rfc5011-monotonictime.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.test.integr/rfc5011-monotonictime.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,4 +1,5 @@ stub-addr: 2001:503:ba3e::2:30 +stub-name: rootns. trust-anchor: . IN DS 1867 8 2 EBF6C553C9DDABFB3522DFD4E62A857D9E00E373686C3479064B46BF6E43AC5E val-override-date: 20170701000000 query-minimization: off diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/kresd_config.j2 knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/kresd_config.j2 --- knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/kresd_config.j2 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/kresd_config.j2 2021-03-31 15:15:36.000000000 +0000 @@ -37,11 +37,13 @@ end policy.add(policy.suffix(policy.PASS, {todname('test.')})) -_hint_root_file('hints') cache.size = 2*MB verbose(true) {% endraw %} +modules.load('hints') +hints.root({['{{ROOT_NAME}}'] = '{{ROOT_ADDR}}'}) + net = { '{{SELF_ADDR}}' } diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/scenario.py knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/scenario.py --- knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/scenario.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/scenario.py 2021-03-31 15:15:38.000000000 +0000 @@ -757,9 +757,11 @@ trust_anchor_files = {} negative_ta_list = [] stub_addr = None + stub_name = "k.root-servers.net" override_timestamp = None forward_addr = None - + do_ip6 = True + do_ip4 = True features = {} feature_list_delimiter = ';' feature_pair_delimiter = '=' @@ -798,6 +800,8 @@ override_timestamp = calendar.timegm(override_date) elif k == 'stub-addr': stub_addr = v.strip('"\'') + elif k == 'stub-name': + stub_name = v elif k == 'features': feature_list = v.split(feature_list_delimiter) try: @@ -827,6 +831,10 @@ sockfamily = socket.AF_INET6 elif k == 'forward-addr': # currently forwards everything forward_addr = v.strip('"\'') + elif k == 'do-ip4': + do_ip4 = str2bool(v) + elif k == 'do-ip6': + do_ip6 = str2bool(v) else: raise NotImplementedError('unsupported CONFIG key "%s"' % k) @@ -840,9 +848,12 @@ "TRUST_ANCHORS": trust_anchor_list, "TRUST_ANCHOR_FILES": trust_anchor_files, "FORWARD_ADDR": forward_addr, + "DO_IP6": str(do_ip6).lower(), + "DO_IP4": str(do_ip4).lower(), } if stub_addr: ctx['ROOT_ADDR'] = stub_addr + ctx['ROOT_NAME'] = stub_name # determine and verify socket family for specified root address gai = socket.getaddrinfo(stub_addr, 53, sockfamily, 0, socket.IPPROTO_UDP, socket.AI_NUMERICHOST) diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/testserver.py knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/testserver.py --- knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/testserver.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011/pydnstest/testserver.py 2021-03-31 15:15:38.000000000 +0000 @@ -180,9 +180,9 @@ for srv_sock in self.srv_socks: if (srv_sock.family == family - and srv_sock.getsockname() == address + and srv_sock.getsockname()[:2] == address and srv_sock.proto == proto): - return srv_sock.getsockname() + return sock = socket.socket(family, socktype, proto) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) @@ -195,25 +195,23 @@ # A lot of addresses are added to the interface while runnning from Deckard in # the small amount of time which caused ocassional hiccups while binding to them # right afterwards in testing. Therefore, we retry a few times. - ex = None + final_ex = None for i in range(self.RETRIES_ON_BIND): try: sock.bind(address) break - except OSError as e: + except OSError as ex: # Exponential backoff time.sleep((2 ** i) + random.random()) - ex = e + final_ex = ex continue else: - print(ex, address) - raise ex + print(final_ex, address) + raise final_ex if proto == socket.IPPROTO_TCP: sock.listen(5) self.srv_socks.append(sock) - sockname = sock.getsockname() - return sockname, proto def _bind_sockets(self): """ @@ -224,6 +222,7 @@ for addr in r.addresses: family = socket.AF_INET6 if ':' in addr else socket.AF_INET self.start_srv((addr, 53), family) + self.start_srv((addr, 53), family, proto=socket.IPPROTO_TCP) # Bind addresses in ad-hoc REPLYs for s in self.scenario.steps: @@ -236,8 +235,12 @@ for rd in rr: if rd.rdtype == dns.rdatatype.A: self.start_srv((rd.address, 53), socket.AF_INET) + self.start_srv((rd.address, 53), socket.AF_INET, + proto=socket.IPPROTO_TCP) elif rd.rdtype == dns.rdatatype.AAAA: self.start_srv((rd.address, 53), socket.AF_INET6) + self.start_srv((rd.address, 53), socket.AF_INET6, + proto=socket.IPPROTO_TCP) def play(self, subject_addr): self.scenario.play({'': (subject_addr, 53)}) diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-missing-monotonictime.rpl knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-missing-monotonictime.rpl --- knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-missing-monotonictime.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-missing-monotonictime.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,4 +1,5 @@ stub-addr: 2001:503:ba3e::2:30 +stub-name: rootns. trust-anchor: . IN DS 15116 8 2 6743F544CF087FE23094D4FC1305F6B9C4EEFA2025B4FC348A622CE202F5DD4B trust-anchor: . IN DS 45050 8 2 DB11ECB4E98390817B2D4BBBE73D7FDFE7ECC418E006EEF6EA05044E565A3733 val-override-date: 20170701000000 diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-present-monotonictime.rpl knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-present-monotonictime.rpl --- knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-present-monotonictime.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-present-monotonictime.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,4 +1,5 @@ stub-addr: 2001:503:ba3e::2:30 +stub-name: rootns. trust-anchor: . IN DS 63640 8 2 00EBC5520847A812819359F554C1701C9BDA488A6111BBC4ACC47A32980C1FB8 val-override-date: 20170701000000 query-minimization: off diff -Nru knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-revoke-monotonictime.rpl knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-revoke-monotonictime.rpl --- knot-resolver-5.2.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-revoke-monotonictime.rpl 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/ta_update/ta_update.unmanagedkey.test.integr/unmanagedkey-revoke-monotonictime.rpl 2021-03-31 15:15:36.000000000 +0000 @@ -1,4 +1,5 @@ stub-addr: 2001:503:ba3e::2:30 +stub-name: rootns. trust-anchor: . IN DS 5191 8 2 78DE555142AECCBFE1F4F24A9053F7A3C8BAAB2891DBB80D0CDD29534A44C3AA trust-anchor: . IN DS 24784 8 2 5448342C83F1CCB31F966A835897DF1484B12074AB535B2CB84CFD8E2E792B28 val-override-date: 20170701000000 diff -Nru knot-resolver-5.2.1/modules/view/README.rst knot-resolver-5.3.1/modules/view/README.rst --- knot-resolver-5.2.1/modules/view/README.rst 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/view/README.rst 2021-03-31 15:15:36.000000000 +0000 @@ -52,7 +52,7 @@ view:addr('192.168.1.0/24', policy.rpz(policy.PASS, 'whitelist.rpz')) -- Do not try this - it will pollute cache and surprise you! -- view:addr('10.0.0.0/8', policy.all(policy.FORWARD('2001:DB8::1'))) - -- Drop everything that hasn't matched + -- Drop all IPv4 that hasn't matched view:addr('0.0.0.0/0', policy.all(policy.DROP)) Rule order @@ -75,15 +75,15 @@ .. function:: view:addr(subnet, rule) - :param subnet: client subnet, i.e. ``10.0.0.1`` - :param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` + :param subnet: client subnet, e.g. ``10.0.0.1`` + :param rule: added rule, e.g. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` Apply rule to clients in given subnet. .. function:: view:tsig(key, rule) - :param key: client TSIG key domain name, i.e. ``\5mykey`` - :param rule: added rule, i.e. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` + :param key: client TSIG key domain name, e.g. ``\5mykey`` + :param rule: added rule, e.g. ``policy.pattern(policy.DENY, '[0-9]+\2cz')`` Apply rule to clients with given TSIG key. diff -Nru knot-resolver-5.2.1/modules/view/view.lua knot-resolver-5.3.1/modules/view/view.lua --- knot-resolver-5.2.1/modules/view/view.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/view/view.lua 2021-03-31 15:15:36.000000000 +0000 @@ -24,6 +24,9 @@ local subnet_cd = ffi.new('char[16]') local family = C.kr_straddr_family(subnet) local bitlen = C.kr_straddr_subnet(subnet_cd, subnet) + if bitlen < 0 then + error(string.format('failed to parse subnet %s', subnet)) + end local t = {family, subnet_cd, bitlen, rules} table.insert(dst and view.dst or view.src, t) return t diff -Nru knot-resolver-5.2.1/modules/watchdog/watchdog.lua knot-resolver-5.3.1/modules/watchdog/watchdog.lua --- knot-resolver-5.2.1/modules/watchdog/watchdog.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/modules/watchdog/watchdog.lua 2021-03-31 15:15:36.000000000 +0000 @@ -23,6 +23,7 @@ local function add_tracer(logbuf) return function (req) local function qrylogger(_, msg) + jit.off(true, true) -- JIT for (C -> lua)^2 nesting isn't allowed table.insert(logbuf, ffi.string(msg)) end req.trace_log = ffi.cast('trace_log_f', qrylogger) diff -Nru knot-resolver-5.2.1/NEWS knot-resolver-5.3.1/NEWS --- knot-resolver-5.2.1/NEWS 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/NEWS 2021-03-31 15:15:36.000000000 +0000 @@ -1,3 +1,47 @@ +Knot Resolver 5.3.1 (2021-03-31) +================================ + +Improvements +------------ +- policy.STUB: try to avoid TCP (compared to 5.3.0; !1155) +- validator: downgrade NSEC3 records with too many iterations (>150; !1160) +- additional improvements to nameserver selection algorithm (!1154, !1150) + +Bugfixes +-------- +- dnstap module: don't break request resolution on dnstap errors (!1147) +- cache garbage collector: fix crashes introduced in 5.3.0 (!1153) +- policy.TLS_FORWARD: better avoid dead addresses (#671, !1156) + + +Knot Resolver 5.3.0 (2021-02-25) +================================ + +Improvements +------------ +- more consistency in using parent-side records for NS addresses (!1097) +- better algorithm for choosing nameservers (!1030, !1126, !1140, !1141, !1143) +- daf module: add daf.clear() (!1114) +- dnstap module: more features and don't log internal requests (!1103) +- dnstap module: include in upstream packages and Docker image (!1110, !1118) +- randomize record order by default, i.e. reorder_RR(true) (!1124) +- prometheus module: transform graphite tags into prometheus labels (!1109) +- avoid excessive logging of UDP replies with sendmmsg (!1138) + +Bugfixes +-------- +- view: fail config if bad subnet is specified (!1112) +- doh2: fix memory leak (!1117) +- policy.ANSWER: minor fixes, mainly around NODATA answers (!1129) +- http, watchdog modules: fix stability problems (!1136) + +Incompatible changes +-------------------- +- dnstap module: `log_responses` option gets nested under `client`; + see new docs for config example (!1103) +- libknot >= 2.9 is required + + Knot Resolver 5.2.1 (2020-12-09) ================================ diff -Nru knot-resolver-5.2.1/README.md knot-resolver-5.3.1/README.md --- knot-resolver-5.2.1/README.md 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/README.md 2021-03-31 15:15:36.000000000 +0000 @@ -30,7 +30,7 @@ [Debian testing](https://packages.debian.org/testing/knot-resolver), [Debian unstable](https://packages.debian.org/sid/knot-resolver) * [Ubuntu](https://packages.ubuntu.com/bionic/knot-resolver) -* [Arch Linux (AUR)](https://aur.archlinux.org/packages/knot-resolver) +* [Arch Linux](https://archlinux.org/packages/community/x86_64/knot-resolver/) ### Building from sources diff -Nru knot-resolver-5.2.1/scripts/get-scanbuild-args.sh knot-resolver-5.3.1/scripts/get-scanbuild-args.sh --- knot-resolver-5.2.1/scripts/get-scanbuild-args.sh 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/scripts/get-scanbuild-args.sh 1970-01-01 00:00:00.000000000 +0000 @@ -1,52 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: GPL-3.0-or-later -set -o errexit -o nounset - -# following checkers are disabled on purpose: -# Clann does not suppor attribute cleanup and this is causing false positives in following checkers: -# unix.Malloc -# alpha.unix.SimpleStream -# alpha.unix.Stream -# https://bugs.llvm.org/show_bug.cgi?id=3888 - -# These are disabled for other reasons: -# alpha.clone.CloneChecker # way too many false positives -# alpha.core.CastToStruct # we use this pattern too much, hard to avoid in many cases -# alpha.deadcode.UnreachableCode # false positives/flags sanity checks depending on implementation details -# alpha.security.MallocOverflow # not smart enough to infer max values from data types - -cat <<-EOF --disable-checker unix.Malloc \ --enable-checker alpha.core.BoolAssignment \ --enable-checker alpha.core.CallAndMessageUnInitRefArg \ --enable-checker alpha.core.CastSize \ --enable-checker alpha.core.Conversion \ --enable-checker alpha.core.DynamicTypeChecker \ --enable-checker alpha.core.FixedAddr \ --enable-checker alpha.core.IdenticalExpr \ --enable-checker alpha.core.PointerArithm \ --enable-checker alpha.core.PointerSub \ --enable-checker alpha.core.SizeofPtr \ --enable-checker alpha.core.TestAfterDivZero \ --enable-checker alpha.cplusplus.IteratorRange \ --enable-checker alpha.cplusplus.MisusedMovedObject \ --enable-checker alpha.security.ArrayBound \ --enable-checker alpha.security.ArrayBoundV2 \ --enable-checker alpha.security.ReturnPtrRange \ --enable-checker alpha.security.taint.TaintPropagation \ --enable-checker alpha.unix.BlockInCriticalSection \ --enable-checker alpha.unix.Chroot \ --enable-checker alpha.unix.PthreadLock \ --enable-checker alpha.unix.cstring.BufferOverlap \ --enable-checker alpha.unix.cstring.NotNullTerminated \ --enable-checker alpha.unix.cstring.OutOfBounds \ --enable-checker nullability.NullableDereferenced \ --enable-checker nullability.NullablePassedToNonnull \ --enable-checker nullability.NullableReturnedFromNonnull \ --enable-checker optin.performance.Padding \ --enable-checker optin.portability.UnixAPI \ --enable-checker security.FloatLoopCounter \ --enable-checker valist.CopyToSelf \ --enable-checker valist.Uninitialized \ --enable-checker valist.Unterminated -EOF diff -Nru knot-resolver-5.2.1/scripts/run-scanbuild-with-args.sh knot-resolver-5.3.1/scripts/run-scanbuild-with-args.sh --- knot-resolver-5.2.1/scripts/run-scanbuild-with-args.sh 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/scripts/run-scanbuild-with-args.sh 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,52 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-3.0-or-later +set -o errexit -o nounset + +# following checkers are disabled on purpose: +# Clann does not suppor attribute cleanup and this is causing false positives in following checkers: +# unix.Malloc +# alpha.unix.SimpleStream +# alpha.unix.Stream +# https://bugs.llvm.org/show_bug.cgi?id=3888 + +# These are disabled for other reasons: +# alpha.clone.CloneChecker # way too many false positives +# alpha.core.CastToStruct # we use this pattern too much, hard to avoid in many cases +# alpha.deadcode.UnreachableCode # false positives/flags sanity checks depending on implementation details +# alpha.security.MallocOverflow # not smart enough to infer max values from data types + +exec scan-build --status-bugs -no-failure-reports \ +-disable-checker unix.Malloc \ +-enable-checker alpha.core.BoolAssignment \ +-enable-checker alpha.core.CallAndMessageUnInitRefArg \ +-enable-checker alpha.core.CastSize \ +-enable-checker alpha.core.Conversion \ +-enable-checker alpha.core.DynamicTypeChecker \ +-enable-checker alpha.core.FixedAddr \ +-enable-checker alpha.core.IdenticalExpr \ +-enable-checker alpha.core.PointerArithm \ +-enable-checker alpha.core.PointerSub \ +-enable-checker alpha.core.SizeofPtr \ +-enable-checker alpha.core.TestAfterDivZero \ +-enable-checker alpha.cplusplus.IteratorRange \ +-enable-checker alpha.cplusplus.MisusedMovedObject \ +-enable-checker alpha.security.ArrayBound \ +-enable-checker alpha.security.ArrayBoundV2 \ +-enable-checker alpha.security.ReturnPtrRange \ +-enable-checker alpha.security.taint.TaintPropagation \ +-enable-checker alpha.unix.BlockInCriticalSection \ +-enable-checker alpha.unix.Chroot \ +-enable-checker alpha.unix.PthreadLock \ +-enable-checker alpha.unix.cstring.BufferOverlap \ +-enable-checker alpha.unix.cstring.NotNullTerminated \ +-enable-checker alpha.unix.cstring.OutOfBounds \ +-enable-checker nullability.NullableDereferenced \ +-enable-checker nullability.NullablePassedToNonnull \ +-enable-checker nullability.NullableReturnedFromNonnull \ +-enable-checker optin.performance.Padding \ +-enable-checker optin.portability.UnixAPI \ +-enable-checker security.FloatLoopCounter \ +-enable-checker valist.CopyToSelf \ +-enable-checker valist.Uninitialized \ +-enable-checker valist.Unterminated \ +"$@" diff -Nru knot-resolver-5.2.1/tests/config/test_utils.lua knot-resolver-5.3.1/tests/config/test_utils.lua --- knot-resolver-5.2.1/tests/config/test_utils.lua 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/tests/config/test_utils.lua 2021-03-31 15:15:36.000000000 +0000 @@ -111,7 +111,7 @@ end ) - for delay = 0.1, 4, 0.5 do -- total max 14.9s in 8 steps + for delay = 0.1, 5, 0.5 do -- total max 23.5s in 9 steps if done then return end worker.sleep(delay) end diff -Nru knot-resolver-5.2.1/tests/dnstap/meson.build knot-resolver-5.3.1/tests/dnstap/meson.build --- knot-resolver-5.2.1/tests/dnstap/meson.build 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/tests/dnstap/meson.build 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,11 @@ + +# note: it will be skipped if 'go' is missing (and marked so) +test('dnstap', + find_program('./src/dnstap-test/run.sh'), + args: [ sbin_dir / 'kresd' ], + suite: [ 'postinstall', 'dnstap' ], + timeout: 120, # it may need to fetch go packages, etc. + # it takes relatively long time + kwargs: meson.version().version_compare('<0.52') ? {} : { 'priority': 5 }, +) + diff -Nru knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/config knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/config --- knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/config 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/config 2021-03-31 15:15:36.000000000 +0000 @@ -1,10 +1,12 @@ -- SPDX-License-Identifier: GPL-3.0-or-later -verbose(true) modules = { 'hints', dnstap = { - socket_path = "/tmp/dnstap.sock", - log_responses = true, + socket_path = "dnstap.sock", + client = { + log_queries = true, + log_responses = true, + } } } hints['fake1.localdomain'] = '1.2.3.4' diff -Nru knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/dnstap.mk knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/dnstap.mk --- knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/dnstap.mk 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/dnstap.mk 1970-01-01 00:00:00.000000000 +0000 @@ -1,19 +0,0 @@ -# dnstap tests -GOPATH := $(abspath tests/dnstap) -DNSTAP_TEST := dnstap-test -DNSTAP_PATH := $(GOPATH)/src/$(DNSTAP_TEST) -CONFIG := $(DNSTAP_PATH)/config -CMD := daemon/kresd -ZONES := "fake1.localdomain,fake2.localdomain,fake3.localdomain" -TIMEOUT := 60s -check-dnstap: daemon - @echo "Checking dnstap functionality" - GOPATH=$(GOPATH) go get -u github.com/FiloSottile/gvt - cd $(DNSTAP_PATH) && $(GOPATH)/bin/gvt restore - GOPATH=$(GOPATH) go install $(DNSTAP_TEST) - $(GOPATH)/bin/$(DNSTAP_TEST) -c $(CONFIG) -cmd $(CMD) -q $(ZONES) -t $(TIMEOUT) - -clean-dnstap: - rm -rf $(GOPATH)/{bin,pkg,src/dnstap-test/vendor/github.com,src/github.com} - -.PHONY: check-dnstap clean-dnstap diff -Nru knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/main.go knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/main.go --- knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/main.go 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/main.go 2021-03-31 15:15:36.000000000 +0000 @@ -17,14 +17,9 @@ "time" ) -const ( - kresdWorkDir = "/tmp/" -) - var ( kresdArgs = []string{ - "-f1", - "-v", + "-n", "-q", } ) @@ -35,18 +30,25 @@ if err := proto.Unmarshal(b, dt); err != nil { return name, err } + + var msg_raw []byte m := dt.Message - if *m.Type != dnstap.Message_RESOLVER_RESPONSE { - return name, fmt.Errorf("incorrect message type") + if *m.Type == dnstap.Message_CLIENT_QUERY { + msg_raw = m.QueryMessage + } else if *m.Type == dnstap.Message_CLIENT_RESPONSE { + msg_raw = m.ResponseMessage + } else { + return name, fmt.Errorf("incorrect message type: %v", *m.Type) } - if m.ResponseMessage == nil { + + if msg_raw == nil { return name, fmt.Errorf("no message payload") } - if err := dns.IsMsg(m.ResponseMessage); err != nil { + if err := dns.IsMsg(msg_raw); err != nil { return name, err } var msg dns.Msg - if err := msg.Unpack(m.ResponseMessage); err != nil { + if err := msg.Unpack(msg_raw); err != nil { return name, err } if len(msg.Question) < 1 { @@ -74,7 +76,6 @@ func runKresd(ctx context.Context, path, configFile string, grace time.Duration) (chan bool, error) { ch := make(chan bool) kresdArgs = append(kresdArgs, "-c"+configFile) - kresdArgs = append(kresdArgs, kresdWorkDir) // we have 1 object in ExtraFiles with index 0 // child fd will be 3 + i = 3 kresdArgs = append(kresdArgs, "-S3") @@ -144,8 +145,8 @@ func main() { var ( - unixSocket = flag.String("u", "/tmp/dnstap.sock", "dnstap socket") - kresdPath = flag.String("cmd", "daemon/kresd", "kresd path") + unixSocket = flag.String("u", "dnstap.sock", "dnstap socket") + kresdPath = flag.String("cmd", "kresd", "kresd path") configFile = flag.String("c", "config", "config file") qnames = flag.String("q", ".", "list of comma separated zones") grace = flag.String("g", "1s", "Time to wait for daemon start") @@ -218,21 +219,22 @@ log.Printf("Response: %v", resp) } - // Check dnstap output - o := <-output - if *debug { - log.Printf("raw dnstap:%v", o) - } - dtName, err := qnameFromFrame(o) - if err != nil { - log.Printf("%v\n", err) - os.Exit(1) - } - if fqdn != dtName { - log.Printf("expected %v got %v", fqdn, dtName) - os.Exit(1) // Test failed + for range "QR" { // Checking Query and Response is the same ATM + o := <-output + if *debug { + log.Printf("raw dnstap:%v", o) + } + dtName, err := qnameFromFrame(o) + if err != nil { + log.Printf("%v\n", err) + os.Exit(1) + } + if fqdn != dtName { + log.Printf("expected %v got %v", fqdn, dtName) + os.Exit(1) // Test failed + } + log.Printf("matched qname: %v", dtName) } - log.Printf("matched qname: %v", dtName) } cancel() // Send signal to close daemon }() diff -Nru knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/run.sh knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/run.sh --- knot-resolver-5.2.1/tests/dnstap/src/dnstap-test/run.sh 1970-01-01 00:00:00.000000000 +0000 +++ knot-resolver-5.3.1/tests/dnstap/src/dnstap-test/run.sh 2021-03-31 15:15:36.000000000 +0000 @@ -0,0 +1,31 @@ +#!/bin/bash +set -e +KRESD_CMD=$1 +MESON_BUILD_ROOT=$(pwd) +mkdir -p tests/dnstap +export GOPATH=$MESON_BUILD_ROOT/tests/dnstap +cd "$(dirname $0)" +DNSTAP_TEST=dnstap-test + +if [ -z "$GITLAB_CI" ]; then + type -P go >/dev/null || exit 77 + echo "Building the dnstap test and its dependencies..." + # some packages may be missing on the system right now + go get github.com/{FiloSottile/gvt,cloudflare/dns,dnstap/golang-dnstap} +else + # In CI we've prebuilt dependencies into the default GOPATH. + # We're in a scratch container, so we just add the dnstap test inside. + export GOPATH=/root/go +fi +DTAP=$GOPATH/src/$DNSTAP_TEST +rm -f $DTAP && ln -s $(realpath ..)/$DNSTAP_TEST $DTAP +go install $DNSTAP_TEST + + +CONFIG=$(realpath ./config) +ZONES="fake1.localdomain,fake2.localdomain,fake3.localdomain" +TIMEOUT=60s +GRACE=5s +cd $MESON_BUILD_ROOT/tests/dnstap # don't leave stuff like *.mdb in ./. +$GOPATH/bin/$DNSTAP_TEST -c $CONFIG -cmd $KRESD_CMD -q $ZONES -t $TIMEOUT -g $GRACE -d + diff -Nru knot-resolver-5.2.1/tests/integration/deckard/pydnstest/scenario.py knot-resolver-5.3.1/tests/integration/deckard/pydnstest/scenario.py --- knot-resolver-5.2.1/tests/integration/deckard/pydnstest/scenario.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/pydnstest/scenario.py 2021-03-31 15:15:38.000000000 +0000 @@ -757,9 +757,11 @@ trust_anchor_files = {} negative_ta_list = [] stub_addr = None + stub_name = "k.root-servers.net" override_timestamp = None forward_addr = None - + do_ip6 = True + do_ip4 = True features = {} feature_list_delimiter = ';' feature_pair_delimiter = '=' @@ -798,6 +800,8 @@ override_timestamp = calendar.timegm(override_date) elif k == 'stub-addr': stub_addr = v.strip('"\'') + elif k == 'stub-name': + stub_name = v elif k == 'features': feature_list = v.split(feature_list_delimiter) try: @@ -827,6 +831,10 @@ sockfamily = socket.AF_INET6 elif k == 'forward-addr': # currently forwards everything forward_addr = v.strip('"\'') + elif k == 'do-ip4': + do_ip4 = str2bool(v) + elif k == 'do-ip6': + do_ip6 = str2bool(v) else: raise NotImplementedError('unsupported CONFIG key "%s"' % k) @@ -840,9 +848,12 @@ "TRUST_ANCHORS": trust_anchor_list, "TRUST_ANCHOR_FILES": trust_anchor_files, "FORWARD_ADDR": forward_addr, + "DO_IP6": str(do_ip6).lower(), + "DO_IP4": str(do_ip4).lower(), } if stub_addr: ctx['ROOT_ADDR'] = stub_addr + ctx['ROOT_NAME'] = stub_name # determine and verify socket family for specified root address gai = socket.getaddrinfo(stub_addr, 53, sockfamily, 0, socket.IPPROTO_UDP, socket.AI_NUMERICHOST) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/pydnstest/testserver.py knot-resolver-5.3.1/tests/integration/deckard/pydnstest/testserver.py --- knot-resolver-5.2.1/tests/integration/deckard/pydnstest/testserver.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/pydnstest/testserver.py 2021-03-31 15:15:38.000000000 +0000 @@ -180,9 +180,9 @@ for srv_sock in self.srv_socks: if (srv_sock.family == family - and srv_sock.getsockname() == address + and srv_sock.getsockname()[:2] == address and srv_sock.proto == proto): - return srv_sock.getsockname() + return sock = socket.socket(family, socktype, proto) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) @@ -195,25 +195,23 @@ # A lot of addresses are added to the interface while runnning from Deckard in # the small amount of time which caused ocassional hiccups while binding to them # right afterwards in testing. Therefore, we retry a few times. - ex = None + final_ex = None for i in range(self.RETRIES_ON_BIND): try: sock.bind(address) break - except OSError as e: + except OSError as ex: # Exponential backoff time.sleep((2 ** i) + random.random()) - ex = e + final_ex = ex continue else: - print(ex, address) - raise ex + print(final_ex, address) + raise final_ex if proto == socket.IPPROTO_TCP: sock.listen(5) self.srv_socks.append(sock) - sockname = sock.getsockname() - return sockname, proto def _bind_sockets(self): """ @@ -224,6 +222,7 @@ for addr in r.addresses: family = socket.AF_INET6 if ':' in addr else socket.AF_INET self.start_srv((addr, 53), family) + self.start_srv((addr, 53), family, proto=socket.IPPROTO_TCP) # Bind addresses in ad-hoc REPLYs for s in self.scenario.steps: @@ -236,8 +235,12 @@ for rd in rr: if rd.rdtype == dns.rdatatype.A: self.start_srv((rd.address, 53), socket.AF_INET) + self.start_srv((rd.address, 53), socket.AF_INET, + proto=socket.IPPROTO_TCP) elif rd.rdtype == dns.rdatatype.AAAA: self.start_srv((rd.address, 53), socket.AF_INET6) + self.start_srv((rd.address, 53), socket.AF_INET6, + proto=socket.IPPROTO_TCP) def play(self, subject_addr): self.scenario.play({'': (subject_addr, 53)}) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_data.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_data.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_data.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_data.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -16,7 +18,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -104,10 +106,10 @@ SECTION ANSWER example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101749 20181130101749 34385 example.com. hMeEUjDsEFCHHAzHnCKeBg1j9lMvQROaOx8I0mLqMvuLWaxcjpkxNL5W J4GOZbQuAZRQSCPUpZoR6PXazY/2Iiqaa6VsHBKYlUKOMkqOJBkEs19L PCFUlTFZ8Ayv4eN6OR2BzDdHv0o38Cu6OBQul/hyEmpIX2g03aO1cpGT 3s0= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101749 20181130101749 34385 example.com. INVALIDsEFCHHAzHnCKeBg1j9lMvQROaOx8I0mLqMvuLWaxcjpkxNL5W J4GOZbQuAZRQSCPUpZoR6PXazY/2Iiqaa6VsHBKYlUKOMkqOJBkEs19L PCFUlTFZ8Ayv4eN6OR2BzDdHv0o38Cu6OBQul/hyEmpIX2g03aO1cpGT 3s0= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. GoDRZGoKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. INVALIDKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} ENTRY_END ENTRY_BEGIN @@ -118,7 +120,7 @@ ns.example.com. IN A SECTION ANSWER ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. GoDRZGoKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. INVALIDKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} SECTION ADDITIONAL ENTRY_END @@ -131,7 +133,7 @@ SECTION ANSWER SECTION ADDITIONAL ns.example.com. IN NSEC oof.example.com. NSEC RRSIG A -ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101749 20181130101749 34385 example.com. F5OQnNGBxu5PjpUClx48y03pqOFnKIVYDzCdVWquRlXj3kaIDgHipesg oTs2e7cd9/P6MtSRWumr9FQNs1+L0gcfs/YIzuHBeoBH3LG5zZ4qpbs9 Z1Ay7yrxLIritwayyQnZMd9hlUFYLzNLxpL1cjMl/865r0lA3aVajmcv SYc= ;{id = 2854} +ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101749 20181130101749 34385 example.com. INVALIDBxu5PjpUClx48y03pqOFnKIVYDzCdVWquRlXj3kaIDgHipesg oTs2e7cd9/P6MtSRWumr9FQNs1+L0gcfs/YIzuHBeoBH3LG5zZ4qpbs9 Z1Ay7yrxLIritwayyQnZMd9hlUFYLzNLxpL1cjMl/865r0lA3aVajmcv SYc= ;{id = 2854} ENTRY_END ; response to DNSKEY priming query @@ -164,14 +166,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. aFxyCGziQusXsW6tz5yQdklAv+PvoEHP1cC8IkJqo9YnMcSdoFHbZALs XFlbNRl2uwPnthKOIPZf89/pXNX3o19aq4LzfPOEiOkylboTiKmgLVyi WhqYKkJtK1B9SVn/dZN4VnmSNtrcmHi5EERl/aTEM7nfIT3jG4a/ORz6 IHY= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. INVALIDiQusXsW6tz5yQdklAv+PvoEHP1cC8IkJqo9YnMcSdoFHbZALs XFlbNRl2uwPnthKOIPZf89/pXNX3o19aq4LzfPOEiOkylboTiKmgLVyi WhqYKkJtK1B9SVn/dZN4VnmSNtrcmHi5EERl/aTEM7nfIT3jG4a/ORz6 IHY= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101749 20181130101749 34385 example.com. hMeEUjDsEFCHHAzHnCKeBg1j9lMvQROaOx8I0mLqMvuLWaxcjpkxNL5W J4GOZbQuAZRQSCPUpZoR6PXazY/2Iiqaa6VsHBKYlUKOMkqOJBkEs19L PCFUlTFZ8Ayv4eN6OR2BzDdHv0o38Cu6OBQul/hyEmpIX2g03aO1cpGT 3s0= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101749 20181130101749 34385 example.com. INVALIDsEFCHHAzHnCKeBg1j9lMvQROaOx8I0mLqMvuLWaxcjpkxNL5W J4GOZbQuAZRQSCPUpZoR6PXazY/2Iiqaa6VsHBKYlUKOMkqOJBkEs19L PCFUlTFZ8Ayv4eN6OR2BzDdHv0o38Cu6OBQul/hyEmpIX2g03aO1cpGT 3s0= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. GoDRZGoKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. INVALIDKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} ENTRY_END RANGE_END @@ -245,14 +247,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. GoDRZGoKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. aFxyCGziQusXsW6tz5yQdklAv+PvoEHP1cC8IkJqo9YnMcSdoFHbZALs XFlbNRl2uwPnthKOIPZf89/pXNX3o19aq4LzfPOEiOkylboTiKmgLVyi WhqYKkJtK1B9SVn/dZN4VnmSNtrcmHi5EERl/aTEM7nfIT3jG4a/ORz6 IHY= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. example.com. 3600 IN RRSIG NS 7 2 3600 20181230101749 20181130101749 34385 example.com. hMeEUjDsEFCHHAzHnCKeBg1j9lMvQROaOx8I0mLqMvuLWaxcjpkxNL5W J4GOZbQuAZRQSCPUpZoR6PXazY/2Iiqaa6VsHBKYlUKOMkqOJBkEs19L PCFUlTFZ8Ayv4eN6OR2BzDdHv0o38Cu6OBQul/hyEmpIX2g03aO1cpGT 3s0= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. aFxyCGziQusXsW6tz5yQdklAv+PvoEHP1cC8IkJqo9YnMcSdoFHbZALs XFlbNRl2uwPnthKOIPZf89/pXNX3o19aq4LzfPOEiOkylboTiKmgLVyi WhqYKkJtK1B9SVn/dZN4VnmSNtrcmHi5EERl/aTEM7nfIT3jG4a/ORz6 IHY= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101749 20181130101749 34385 example.com. GoDRZGoKPMI48wT/JYtif460cxOjvcdpRm+mjHsKQ9GrMPf3lCuWfY9H 1cB5eeo0yxUW7euIOiKgMD9zsKaafoca1VxXgRp4DaBGgEu59AQI8ot1 FRqYwKUme8v723ZcTpaW4g2e3x2MdVs5F8HtNAII+u+MbPAhNBCzy7rk GbM= ;{id = 2854} ENTRY_END RANGE_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_dnskey.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_dnskey.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_dnskey.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_dnskey.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -18,7 +20,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -126,10 +128,10 @@ SECTION ANSWER example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101751 20181130101751 62867 example.com. l15h4pHl98ot8mRBklpnoFYwYmqmoz/iWC/tS8q0bkurxZivPdmvt63C DjHpH8vv36fnO0s89btfC3eIBnDX5miuaiLbxqINmxpxDYgy3/TN+DWT VfjiWAPfaFkfwedx8oHHWwO0O7DEjrnbaqTI+5BJW7LOVYSMLNx7nFjg 490= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101751 20181130101751 62867 example.com. INVALIDl98ot8mRBklpnoFYwYmqmoz/iWC/tS8q0bkurxZivPdmvt63C DjHpH8vv36fnO0s89btfC3eIBnDX5miuaiLbxqINmxpxDYgy3/TN+DWT VfjiWAPfaFkfwedx8oHHWwO0O7DEjrnbaqTI+5BJW7LOVYSMLNx7nFjg 490= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. nJSkzyA17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. INVALID17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} ENTRY_END ENTRY_BEGIN @@ -140,7 +142,7 @@ ns.example.com. IN A SECTION ANSWER ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. nJSkzyA17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. INVALID17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} SECTION ADDITIONAL ENTRY_END @@ -153,7 +155,7 @@ SECTION ANSWER SECTION ADDITIONAL ns.example.com. IN NSEC oof.example.com. NSEC RRSIG A -ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101751 20181130101751 62867 example.com. RHlNZwaJDQlK7ptDtIq0/V+QBXNIv0F5NTYnJoxDRmUdE3dMqsTxS6jC RIV6U2T609yLL+6elv4WtkLyfSVLlN/DO1TAPzPeWstx5VHvPS3beBn7 0FmcTWvj7vEJlmVfQEn8KeEDsOrThvBCgGjHJ/ottlz0VCL4KHJQfqXx ewA= ;{id = 2854} +ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101751 20181130101751 62867 example.com. INVALIDJDQlK7ptDtIq0/V+QBXNIv0F5NTYnJoxDRmUdE3dMqsTxS6jC RIV6U2T609yLL+6elv4WtkLyfSVLlN/DO1TAPzPeWstx5VHvPS3beBn7 0FmcTWvj7vEJlmVfQEn8KeEDsOrThvBCgGjHJ/ottlz0VCL4KHJQfqXx ewA= ;{id = 2854} ENTRY_END ; response to DNSKEY priming query @@ -185,14 +187,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. byNMYNt2pVPZe/Or/iLKGuxmkYlSzh2T+zq2SUMbgDKBgAXQGeZaYHIm ypvZzbmxGtXJfFK0vT1VexagQasf8WSGbZD5O3B8oSDuQ+0Dos9JYRBp q16dhOU+rGgBaBDPfF1WNP2V9kmMRkYOP+3MhxRyynywzIrlu+uMb5sw EOI= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. INVALID2pVPZe/Or/iLKGuxmkYlSzh2T+zq2SUMbgDKBgAXQGeZaYHIm ypvZzbmxGtXJfFK0vT1VexagQasf8WSGbZD5O3B8oSDuQ+0Dos9JYRBp q16dhOU+rGgBaBDPfF1WNP2V9kmMRkYOP+3MhxRyynywzIrlu+uMb5sw EOI= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101751 20181130101751 62867 example.com. l15h4pHl98ot8mRBklpnoFYwYmqmoz/iWC/tS8q0bkurxZivPdmvt63C DjHpH8vv36fnO0s89btfC3eIBnDX5miuaiLbxqINmxpxDYgy3/TN+DWT VfjiWAPfaFkfwedx8oHHWwO0O7DEjrnbaqTI+5BJW7LOVYSMLNx7nFjg 490= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101751 20181130101751 62867 example.com. INVALIDl98ot8mRBklpnoFYwYmqmoz/iWC/tS8q0bkurxZivPdmvt63C DjHpH8vv36fnO0s89btfC3eIBnDX5miuaiLbxqINmxpxDYgy3/TN+DWT VfjiWAPfaFkfwedx8oHHWwO0O7DEjrnbaqTI+5BJW7LOVYSMLNx7nFjg 490= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. nJSkzyA17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. INVALID17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} ENTRY_END ; DS request @@ -203,7 +205,7 @@ SECTION QUESTION sub.example.com. IN DS SECTION ANSWER -sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 +sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101751 20181130101751 62867 example.com. bwKyS7x0t/By9YxMmwnJSIkMZEYQu7MPW4MmIZqB6/2amawL0r16mBKe fhuamuH2CdYvzoSdYqjk4+8xZ9YyhzLI4Fmd4nE2XznoCDc+/GG4QH4R eH3e+GEXtyRnmZgANk845pYYJ2n4TcE3F3OwG7AIP6ol8I8k17g9RfGT w2I= ;{id = 2854} ;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20030926134150 20030829134150 2854 example.com. AAT/7XwtMjHiT1GFHfV6Wvv4n+oOkqxllNdf9bLnpTHw/8h586yBgwg= ;{id = 2854} ENTRY_END @@ -217,7 +219,7 @@ SECTION AUTHORITY sub.example.com. IN NS ns.sub.example.com. sub.example.com. IN NS ns.foo.com. -sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 +sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101751 20181130101751 62867 example.com. bwKyS7x0t/By9YxMmwnJSIkMZEYQu7MPW4MmIZqB6/2amawL0r16mBKe fhuamuH2CdYvzoSdYqjk4+8xZ9YyhzLI4Fmd4nE2XznoCDc+/GG4QH4R eH3e+GEXtyRnmZgANk845pYYJ2n4TcE3F3OwG7AIP6ol8I8k17g9RfGT w2I= ;{id = 2854} ;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20030926134150 20030829134150 2854 example.com. AAT/7XwtMjHiT1GFHfV6Wvv4n+oOkqxllNdf9bLnpTHw/8h586yBgwg= ;{id = 2854} SECTION ADDITIONAL @@ -295,14 +297,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. nJSkzyA17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. byNMYNt2pVPZe/Or/iLKGuxmkYlSzh2T+zq2SUMbgDKBgAXQGeZaYHIm ypvZzbmxGtXJfFK0vT1VexagQasf8WSGbZD5O3B8oSDuQ+0Dos9JYRBp q16dhOU+rGgBaBDPfF1WNP2V9kmMRkYOP+3MhxRyynywzIrlu+uMb5sw EOI= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. example.com. 3600 IN RRSIG NS 7 2 3600 20181230101751 20181130101751 62867 example.com. l15h4pHl98ot8mRBklpnoFYwYmqmoz/iWC/tS8q0bkurxZivPdmvt63C DjHpH8vv36fnO0s89btfC3eIBnDX5miuaiLbxqINmxpxDYgy3/TN+DWT VfjiWAPfaFkfwedx8oHHWwO0O7DEjrnbaqTI+5BJW7LOVYSMLNx7nFjg 490= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. byNMYNt2pVPZe/Or/iLKGuxmkYlSzh2T+zq2SUMbgDKBgAXQGeZaYHIm ypvZzbmxGtXJfFK0vT1VexagQasf8WSGbZD5O3B8oSDuQ+0Dos9JYRBp q16dhOU+rGgBaBDPfF1WNP2V9kmMRkYOP+3MhxRyynywzIrlu+uMb5sw EOI= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101751 20181130101751 62867 example.com. nJSkzyA17he6wGm7+lLbzVsblvW+zsWx5LctUfEeHOkaJ6YqvrZ2yuKl ePHbVN5yO5czQEHa8arTAhh6lSZNFAz1QijkCX/HW8VHzQgUnCjncAvE nf6ab3vVx25Ggr5E3TqJnyH62AP0qZbTZfc3dBYT1F9tQC5LUebW8Xes EBU= ;{id = 2854} ENTRY_END ; DS request @@ -313,7 +315,7 @@ SECTION QUESTION sub.example.com. IN DS SECTION ANSWER -sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 +sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101751 20181130101751 62867 example.com. bwKyS7x0t/By9YxMmwnJSIkMZEYQu7MPW4MmIZqB6/2amawL0r16mBKe fhuamuH2CdYvzoSdYqjk4+8xZ9YyhzLI4Fmd4nE2XznoCDc+/GG4QH4R eH3e+GEXtyRnmZgANk845pYYJ2n4TcE3F3OwG7AIP6ol8I8k17g9RfGT w2I= ;{id = 2854} ENTRY_END @@ -326,7 +328,7 @@ SECTION AUTHORITY sub.example.com. IN NS ns.sub.example.com. sub.example.com. IN NS ns.foo.com. -sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 +sub.example.com. 3600 IN DS 12981 5 1 626AD6C14D2BE93B5EDF1C8A2FFCBC5447666CF3 sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101751 20181130101751 62867 example.com. bwKyS7x0t/By9YxMmwnJSIkMZEYQu7MPW4MmIZqB6/2amawL0r16mBKe fhuamuH2CdYvzoSdYqjk4+8xZ9YyhzLI4Fmd4nE2XznoCDc+/GG4QH4R eH3e+GEXtyRnmZgANk845pYYJ2n4TcE3F3OwG7AIP6ol8I8k17g9RfGT w2I= ;{id = 2854} SECTION ADDITIONAL ns.sub.example.com. IN A 1.2.4.6 @@ -345,7 +347,7 @@ sub.example.com. IN DNSKEY SECTION ANSWER sub.example.com. 3600 IN DNSKEY 256 3 5 AwEAAbrzxhWzLVhOSmsCj1rysaYFaF6NLfPmXdhjppCOzDb2LxQUZ5tE yiTKViI/ZUSMDKKLk1IdDGpIniYzx3vrUQ7KzA+p8p/XR3qvD8T496Us mdAB/8Dflk5mK36kRCBp5GEKI+yz1R5Z5VolpZFnIuRLB/hXJlt7EzDz zcFMIgzT ;{id = 30899 (zsk), size = 512b} -sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20181230101751 20181130101751 12981 sub.example.com. piLZqA+rmQur/BRNwZ5dVdqehHNP4Egt16bO/qdYL7UE/GRfwWWImAKQ Z924Lmk7qrZfF8+a16+R6YgVQJoUX+qqVNSdjTyC4NT0IKx82qdamZSZ dTVktU5cCeE5A1WhXQHq4zcwO+EQaCyOEUf+X+wMtYkGQBjpcWP5rui8 KPM= ;{id = 30899} +sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20181230101751 20181130101751 12981 sub.example.com. INVALIDrmQur/BRNwZ5dVdqehHNP4Egt16bO/qdYL7UE/GRfwWWImAKQ Z924Lmk7qrZfF8+a16+R6YgVQJoUX+qqVNSdjTyC4NT0IKx82qdamZSZ dTVktU5cCeE5A1WhXQHq4zcwO+EQaCyOEUf+X+wMtYkGQBjpcWP5rui8 KPM= ;{id = 30899} ENTRY_END ENTRY_BEGIN @@ -357,10 +359,10 @@ SECTION ANSWER sub.example.com. IN NS ns.sub.example.com. sub.example.com. IN NS ns.foo.com. -sub.example.com. 3600 IN RRSIG NS 5 3 3600 20181230101751 20181130101751 12981 sub.example.com. YVs4zyrUqmkkbSsCNDKsisAfl4+R/0Ozg8kLqlWjwkd7QTcfu4WsOZUk johg9ESaatO13/isxiqa3W2dD6W+68LnxSflkppanaMBZYRfMmiFf3Fr u3tf4cNFk7KoGt7WL4svoeW8qnkxyKZk16ro6whu6RGO7tpv+mXrIvLZ /1A= ;{id = 30899} +sub.example.com. 3600 IN RRSIG NS 5 3 3600 20181230101751 20181130101751 12981 sub.example.com. INVALIDUqmkkbSsCNDKsisAfl4+R/0Ozg8kLqlWjwkd7QTcfu4WsOZUk johg9ESaatO13/isxiqa3W2dD6W+68LnxSflkppanaMBZYRfMmiFf3Fr u3tf4cNFk7KoGt7WL4svoeW8qnkxyKZk16ro6whu6RGO7tpv+mXrIvLZ /1A= ;{id = 30899} SECTION ADDITIONAL ns.sub.example.com. IN A 1.2.4.6 -ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20181230101751 20181130101751 12981 sub.example.com. nhOqrjoDipjtxEH1NcbqQ9whB09kjjWlrYPNoRx9M1Es7x67D5JLvLdP MaCo//BnF9COEXFwlAq/Gg+MJ2I7ge7b+kJMYFxoSUSg+6zD8pP5RuOv 6wxdc+OtTuB/zY3qNpwQZPGhJC5ruBRFQuPsX8JXJXwHAadZcQ3KX+Vq xQc= ;{id = 30899} +ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20181230101751 20181130101751 12981 sub.example.com. INVALIDDipjtxEH1NcbqQ9whB09kjjWlrYPNoRx9M1Es7x67D5JLvLdP MaCo//BnF9COEXFwlAq/Gg+MJ2I7ge7b+kJMYFxoSUSg+6zD8pP5RuOv 6wxdc+OtTuB/zY3qNpwQZPGhJC5ruBRFQuPsX8JXJXwHAadZcQ3KX+Vq xQc= ;{id = 30899} ENTRY_END ENTRY_BEGIN @@ -371,7 +373,7 @@ ns.sub.example.com. IN A SECTION ANSWER ns.sub.example.com. IN A 1.2.4.6 -ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20181230101751 20181130101751 12981 sub.example.com. nhOqrjoDipjtxEH1NcbqQ9whB09kjjWlrYPNoRx9M1Es7x67D5JLvLdP MaCo//BnF9COEXFwlAq/Gg+MJ2I7ge7b+kJMYFxoSUSg+6zD8pP5RuOv 6wxdc+OtTuB/zY3qNpwQZPGhJC5ruBRFQuPsX8JXJXwHAadZcQ3KX+Vq xQc= ;{id = 30899} +ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20181230101751 20181130101751 12981 sub.example.com. INVALIDDipjtxEH1NcbqQ9whB09kjjWlrYPNoRx9M1Es7x67D5JLvLdP MaCo//BnF9COEXFwlAq/Gg+MJ2I7ge7b+kJMYFxoSUSg+6zD8pP5RuOv 6wxdc+OtTuB/zY3qNpwQZPGhJC5ruBRFQuPsX8JXJXwHAadZcQ3KX+Vq xQc= ;{id = 30899} ENTRY_END ENTRY_BEGIN @@ -382,9 +384,9 @@ ns.sub.example.com. IN AAAA SECTION AUTHORITY ns.sub.example.com. IN NSEC nt.sub.example.com. NSEC RRSIG A -ns.sub.example.com. 3600 IN RRSIG NSEC 5 4 5 20181230101751 20181130101751 12981 sub.example.com. ESWHtKvRk0CTvXrjV0AGQ0GM3ygY020B+A4GrVPsZa6DwqnTCff13R1M SQ8u+yl71YPh+5HFMbIOFdYoPMSPvU3FyOCwPK/4Mo0z86QT5nkjx6X3 T4YLX+LRfLJ+sqJtRIyA7Mjg7xIratVCa+RYrxbYbXHwSkBScQDKdew9 g5E= ;{id = 30899} +ns.sub.example.com. 3600 IN RRSIG NSEC 5 4 5 20181230101751 20181130101751 12981 sub.example.com. INVALIDRk0CTvXrjV0AGQ0GM3ygY020B+A4GrVPsZa6DwqnTCff13R1M SQ8u+yl71YPh+5HFMbIOFdYoPMSPvU3FyOCwPK/4Mo0z86QT5nkjx6X3 T4YLX+LRfLJ+sqJtRIyA7Mjg7xIratVCa+RYrxbYbXHwSkBScQDKdew9 g5E= ;{id = 30899} sub.example.com. IN SOA sub.example.com. hostmaster.sub.example.com. 1 2 3 4 5 -sub.example.com. 3600 IN RRSIG SOA 5 3 3600 20181230101751 20181130101751 12981 sub.example.com. HGuneHQjhKCum7m/PdpryrXY4ASNLfnZS38i+CnJXopIY8CWfaRDeU/k fpj9cBRzGafJAbef4ePxLqTNgWsmzQPZaIFsVIu/vjTMj5JVYmHYcvk/ SyAcQzGV4iqes/8T9z7iQTpDbWH3bD8vZdccdTRAfWi1Tl6t4+phCYVj lAI= ;{id = 30899} +sub.example.com. 3600 IN RRSIG SOA 5 3 3600 20181230101751 20181130101751 12981 sub.example.com. INVALIDjhKCum7m/PdpryrXY4ASNLfnZS38i+CnJXopIY8CWfaRDeU/k fpj9cBRzGafJAbef4ePxLqTNgWsmzQPZaIFsVIu/vjTMj5JVYmHYcvk/ SyAcQzGV4iqes/8T9z7iQTpDbWH3bD8vZdccdTRAfWi1Tl6t4+phCYVj lAI= ;{id = 30899} ENTRY_END ENTRY_BEGIN @@ -395,7 +397,7 @@ www.sub.example.com. IN A SECTION ANSWER www.sub.example.com. IN A 10.20.30.40 -www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20181230101751 20181130101751 12981 sub.example.com. YYrHYSUaXA+cM1tLnfVLmVuZPugapKRSUYG/DrYzm0UQ08nuvptESpcz 6ZAP5DP9oPuoHiwPd+rvdwOtX3dWj1BfPDQ0RfAlkHMPXR2Sez3p5kI7 XNuo/FDMs337F52eij9iWSDTzgzeeBusqJPfJMRwao1THKAmDbFsvTne qpQ= ;{id = 30899} +www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20181230101751 20181130101751 12981 sub.example.com. INVALIDaXA+cM1tLnfVLmVuZPugapKRSUYG/DrYzm0UQ08nuvptESpcz 6ZAP5DP9oPuoHiwPd+rvdwOtX3dWj1BfPDQ0RfAlkHMPXR2Sez3p5kI7 XNuo/FDMs337F52eij9iWSDTzgzeeBusqJPfJMRwao1THKAmDbFsvTne qpQ= ;{id = 30899} ENTRY_END RANGE_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_ds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_ds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_ds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_ds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -16,7 +18,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -90,6 +92,17 @@ ns.example.com. IN A 1.2.3.4 ; no ns.blabla.com, try that later ENTRY_END + +; Mark foo.com. tree as nonexistent since resolvers can ask for it +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +foo.com. IN NS +SECTION AUTHORITY +com. IN SOA com. com. 2009100100 28800 7200 604800 3600 +ENTRY_END RANGE_END ; ns.example.com. @@ -104,10 +117,10 @@ SECTION ANSWER example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101755 20181130101755 14258 example.com. TNep4HmQC9pyzvYZmfK3dtYLZ1wsDoVp9IuIe+Wsg94hQLWoVOnWCka1 u5KkOHalzUtwKA8bhO9PxViMkuxJzzUFNmuKVA+bZHi1wCvD5jgkC1Lq YN+ZKno6BS3LIQb9DoEHsgwuTz96K18+dXw8An9SAL2ovo+1UCb8p576 jY4= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101755 20181130101755 14258 example.com. INVALIDQC9pyzvYZmfK3dtYLZ1wsDoVp9IuIe+Wsg94hQLWoVOnWCka1 u5KkOHalzUtwKA8bhO9PxViMkuxJzzUFNmuKVA+bZHi1wCvD5jgkC1Lq YN+ZKno6BS3LIQb9DoEHsgwuTz96K18+dXw8An9SAL2ovo+1UCb8p576 jY4= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. IwIqfkUTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. INVALIDTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} ENTRY_END ENTRY_BEGIN @@ -118,7 +131,7 @@ ns.example.com. IN A SECTION ANSWER ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. IwIqfkUTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. INVALIDTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} SECTION ADDITIONAL ENTRY_END @@ -131,7 +144,7 @@ SECTION ANSWER SECTION ADDITIONAL ns.example.com. IN NSEC oof.example.com. NSEC RRSIG A -ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101755 20181130101755 14258 example.com. MdF5+Lt55oT5mRBOVu3pgdzPpDcXGj/B1OmH/ZKM+M/PavxyoI74HUXX 2MJUaa4D0T2t5EuvFnie54ts6+yQbOqqVAw7/0wEDjnG0x7AyGMocsI9 sncRGe5cF4DAidhLaXUjEh7isWTaMK4x7CZUMSSgQCM1iBnhzh78XIBy aEo= ;{id = 2854} +ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101755 20181130101755 14258 example.com. INVALID55oT5mRBOVu3pgdzPpDcXGj/B1OmH/ZKM+M/PavxyoI74HUXX 2MJUaa4D0T2t5EuvFnie54ts6+yQbOqqVAw7/0wEDjnG0x7AyGMocsI9 sncRGe5cF4DAidhLaXUjEh7isWTaMK4x7CZUMSSgQCM1iBnhzh78XIBy aEo= ;{id = 2854} ENTRY_END ; response to DNSKEY priming query @@ -163,14 +176,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. OIh7nTI2GlTjlgoOmmH3XWO69HN9yK61kg9JS3oFNJcWhTUolF/YwFTV 4NL3xYixn2XVRh7YppvYqviK8C5fxP8kYnNn2gijdWC19bTqbjON/d7f n79Fj6yHjQWftVVIclF+d2o7yDhjwPwtsako8FMbeYFcQ+QdSMTvLw8D czE= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. INVALID2GlTjlgoOmmH3XWO69HN9yK61kg9JS3oFNJcWhTUolF/YwFTV 4NL3xYixn2XVRh7YppvYqviK8C5fxP8kYnNn2gijdWC19bTqbjON/d7f n79Fj6yHjQWftVVIclF+d2o7yDhjwPwtsako8FMbeYFcQ+QdSMTvLw8D czE= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101755 20181130101755 14258 example.com. TNep4HmQC9pyzvYZmfK3dtYLZ1wsDoVp9IuIe+Wsg94hQLWoVOnWCka1 u5KkOHalzUtwKA8bhO9PxViMkuxJzzUFNmuKVA+bZHi1wCvD5jgkC1Lq YN+ZKno6BS3LIQb9DoEHsgwuTz96K18+dXw8An9SAL2ovo+1UCb8p576 jY4= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101755 20181130101755 14258 example.com. INVALIDQC9pyzvYZmfK3dtYLZ1wsDoVp9IuIe+Wsg94hQLWoVOnWCka1 u5KkOHalzUtwKA8bhO9PxViMkuxJzzUFNmuKVA+bZHi1wCvD5jgkC1Lq YN+ZKno6BS3LIQb9DoEHsgwuTz96K18+dXw8An9SAL2ovo+1UCb8p576 jY4= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. IwIqfkUTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. INVALIDTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} ENTRY_END ; DS request @@ -181,8 +194,8 @@ SECTION QUESTION sub.example.com. IN DS SECTION ANSWER -sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 -sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101755 20181130101755 14258 example.com. Mf7vpHZblSANjCrSIUHXdZ4a8gKy8OXu7TQH9r/CSJ5y01ha9IMgHwEt i5bmQRTPAZjp0DsmFQZAyqW6zu9HXI4o/dtvg1kqNJnQQoGmlKv87OG6 +yVuydaRudH17v9ETVxlaGg+qdYdN+RtlpDcfb5VQvUMXX4xT01gVLtc wLY= ;{id = 2854} +sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 +sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101755 20181130101755 14258 example.com. INVALIDblSANjCrSIUHXdZ4a8gKy8OXu7TQH9r/CSJ5y01ha9IMgHwEt i5bmQRTPAZjp0DsmFQZAyqW6zu9HXI4o/dtvg1kqNJnQQoGmlKv87OG6 +yVuydaRudH17v9ETVxlaGg+qdYdN+RtlpDcfb5VQvUMXX4xT01gVLtc wLY= ;{id = 2854} ENTRY_END ENTRY_BEGIN @@ -194,8 +207,8 @@ SECTION AUTHORITY sub.example.com. IN NS ns.sub.example.com. sub.example.com. IN NS ns.foo.com. -sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 -sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101755 20181130101755 14258 example.com. Mf7vpHZblSANjCrSIUHXdZ4a8gKy8OXu7TQH9r/CSJ5y01ha9IMgHwEt i5bmQRTPAZjp0DsmFQZAyqW6zu9HXI4o/dtvg1kqNJnQQoGmlKv87OG6 +yVuydaRudH17v9ETVxlaGg+qdYdN+RtlpDcfb5VQvUMXX4xT01gVLtc wLY= ;{id = 2854} +sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 +sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101755 20181130101755 14258 example.com. INVALIDblSANjCrSIUHXdZ4a8gKy8OXu7TQH9r/CSJ5y01ha9IMgHwEt i5bmQRTPAZjp0DsmFQZAyqW6zu9HXI4o/dtvg1kqNJnQQoGmlKv87OG6 +yVuydaRudH17v9ETVxlaGg+qdYdN+RtlpDcfb5VQvUMXX4xT01gVLtc wLY= ;{id = 2854} SECTION ADDITIONAL ns.sub.example.com. IN A 1.2.4.6 ENTRY_END @@ -271,14 +284,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. IwIqfkUTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. OIh7nTI2GlTjlgoOmmH3XWO69HN9yK61kg9JS3oFNJcWhTUolF/YwFTV 4NL3xYixn2XVRh7YppvYqviK8C5fxP8kYnNn2gijdWC19bTqbjON/d7f n79Fj6yHjQWftVVIclF+d2o7yDhjwPwtsako8FMbeYFcQ+QdSMTvLw8D czE= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. example.com. 3600 IN RRSIG NS 7 2 3600 20181230101755 20181130101755 14258 example.com. TNep4HmQC9pyzvYZmfK3dtYLZ1wsDoVp9IuIe+Wsg94hQLWoVOnWCka1 u5KkOHalzUtwKA8bhO9PxViMkuxJzzUFNmuKVA+bZHi1wCvD5jgkC1Lq YN+ZKno6BS3LIQb9DoEHsgwuTz96K18+dXw8An9SAL2ovo+1UCb8p576 jY4= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. OIh7nTI2GlTjlgoOmmH3XWO69HN9yK61kg9JS3oFNJcWhTUolF/YwFTV 4NL3xYixn2XVRh7YppvYqviK8C5fxP8kYnNn2gijdWC19bTqbjON/d7f n79Fj6yHjQWftVVIclF+d2o7yDhjwPwtsako8FMbeYFcQ+QdSMTvLw8D czE= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101755 20181130101755 14258 example.com. IwIqfkUTC6i4BvdOLg51xRwq6PBThrC54g5XrEAizTg9H7w55qbEes/9 +ojie/elleI3WydgCNbSFC4Ax/4wsmOF4RwN0qbG0s38FHZVtuI5PANs QB40JZJftnaW2KVSyr5WiwyaRJFsootBULdUF3XjGG89oo+EF7gnm2Tz GhI= ;{id = 2854} ENTRY_END ; DS request @@ -289,7 +302,7 @@ SECTION QUESTION sub.example.com. IN DS SECTION ANSWER -sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 +sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101755 20181130101755 14258 example.com. Mf7vpHZblSANjCrSIUHXdZ4a8gKy8OXu7TQH9r/CSJ5y01ha9IMgHwEt i5bmQRTPAZjp0DsmFQZAyqW6zu9HXI4o/dtvg1kqNJnQQoGmlKv87OG6 +yVuydaRudH17v9ETVxlaGg+qdYdN+RtlpDcfb5VQvUMXX4xT01gVLtc wLY= ;{id = 2854} ENTRY_END @@ -302,7 +315,7 @@ SECTION AUTHORITY sub.example.com. IN NS ns.sub.example.com. sub.example.com. IN NS ns.foo.com. -sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 +sub.example.com. 3600 IN DS 34461 5 1 40F060ED2F80CC6C1D7DC32A7A8926D15E2F96C7 sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101755 20181130101755 14258 example.com. Mf7vpHZblSANjCrSIUHXdZ4a8gKy8OXu7TQH9r/CSJ5y01ha9IMgHwEt i5bmQRTPAZjp0DsmFQZAyqW6zu9HXI4o/dtvg1kqNJnQQoGmlKv87OG6 +yVuydaRudH17v9ETVxlaGg+qdYdN+RtlpDcfb5VQvUMXX4xT01gVLtc wLY= ;{id = 2854} SECTION ADDITIONAL ns.sub.example.com. IN A 1.2.4.6 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_ent.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_ent.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_ent.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_ent.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -18,7 +20,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -92,6 +94,17 @@ ns.example.com. IN A 1.2.3.4 ; no ns.blabla.com, try that later ENTRY_END + +; Mark foo.com. tree as nonexistent since resolvers can ask for it +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +foo.com. IN NS +SECTION AUTHORITY +com. IN SOA com. com. 2009100100 28800 7200 604800 3600 +ENTRY_END RANGE_END ; ns.example.com. @@ -106,10 +119,10 @@ SECTION ANSWER example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101756 20181130101756 5459 example.com. MGpbBGEQk6CQ0GBHNByUfF9s7kXOl2Qflh74erA5oFkrlK0/fJFRAkMb Edgmrs4FjvrlJJ1Gi5BWqv0avoyPUWVhwYz15VhjJjXP6jLuVn1j/EnT J5t55UU6hGf2R9NHvLRdeebJDOMryVW+1r9UWQYuabdCkxtnT+xcw9Or nDs= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101756 20181130101756 5459 example.com. INVALIDQk6CQ0GBHNByUfF9s7kXOl2Qflh74erA5oFkrlK0/fJFRAkMb Edgmrs4FjvrlJJ1Gi5BWqv0avoyPUWVhwYz15VhjJjXP6jLuVn1j/EnT J5t55UU6hGf2R9NHvLRdeebJDOMryVW+1r9UWQYuabdCkxtnT+xcw9Or nDs= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. aAhY236a0BQlJUnglecaUzphiHPw9ozBTu5v4Lx2ppQLqUZf4AXPgetm 5WjHUVJIqU9e0AwyHiqq3vKK6kDrUcdtI3Ygyn9O5WgCeGUd1UNXrx9h 2SLESwVt5MWFfFP3M0vKwgWrvWS4eZKD6Uc1VUm5tzIo5VRb6Q839qGw yKU= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. INVALIDa0BQlJUnglecaUzphiHPw9ozBTu5v4Lx2ppQLqUZf4AXPgetm 5WjHUVJIqU9e0AwyHiqq3vKK6kDrUcdtI3Ygyn9O5WgCeGUd1UNXrx9h 2SLESwVt5MWFfFP3M0vKwgWrvWS4eZKD6Uc1VUm5tzIo5VRb6Q839qGw yKU= ;{id = 2854} ENTRY_END ENTRY_BEGIN @@ -120,7 +133,7 @@ ns.example.com. IN A SECTION ANSWER ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. aAhY236a0BQlJUnglecaUzphiHPw9ozBTu5v4Lx2ppQLqUZf4AXPgetm 5WjHUVJIqU9e0AwyHiqq3vKK6kDrUcdtI3Ygyn9O5WgCeGUd1UNXrx9h 2SLESwVt5MWFfFP3M0vKwgWrvWS4eZKD6Uc1VUm5tzIo5VRb6Q839qGw yKU= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. INVALIDa0BQlJUnglecaUzphiHPw9ozBTu5v4Lx2ppQLqUZf4AXPgetm 5WjHUVJIqU9e0AwyHiqq3vKK6kDrUcdtI3Ygyn9O5WgCeGUd1UNXrx9h 2SLESwVt5MWFfFP3M0vKwgWrvWS4eZKD6Uc1VUm5tzIo5VRb6Q839qGw yKU= ;{id = 2854} SECTION ADDITIONAL ENTRY_END @@ -133,7 +146,7 @@ SECTION ANSWER SECTION ADDITIONAL ns.example.com. IN NSEC oof.example.com. NSEC RRSIG A -ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101756 20181130101756 5459 example.com. WM9C+vSGlYtmk/wVLfWyqGwo4vbo8fGaD7DoGnJGFpICmoM8v7mcs4Pd UyZv9CPBMy9gYNM1wWcNVofQu2IC5gUgEpkuhluJji5BeocqOGzIuHW+ AVIHJjN4m9z12swsCrAq71vO+UEfWqPO4JOu40vVkSsDiaINYd8FRWkr yfg= ;{id = 2854} +ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101756 20181130101756 5459 example.com. INVALIDGlYtmk/wVLfWyqGwo4vbo8fGaD7DoGnJGFpICmoM8v7mcs4Pd UyZv9CPBMy9gYNM1wWcNVofQu2IC5gUgEpkuhluJji5BeocqOGzIuHW+ AVIHJjN4m9z12swsCrAq71vO+UEfWqPO4JOu40vVkSsDiaINYd8FRWkr yfg= ;{id = 2854} ENTRY_END ; response to DNSKEY priming query @@ -146,7 +159,7 @@ SECTION ANSWER example.com. 3600 IN DNSKEY 256 3 7 AwEAAaQAmPhsPdOjFE6SGc95hYvPxUHoNkUetYpu81j7j9WXUsvn8Y6M DrHOnLrVd9uV7+1Aj2nkLY+6BvLxsPcp3yBO7UPB6Mv1ZfYCP0D7qCcs Jg6NjLWD5+2owvglTk7XveTztZLFIgDGo2sxZ4/wKE2fhsmh6/Hn7GiW ySEwHURb ;{id = 2854 (zsk), size = 1688b} ; make priming query succeed -example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20181230101756 20181130101756 5459 example.com. Pfl3n2c2oppL26sSLAFSTTkOken2ZlU+bJwpH3ipCz6BTCIm8zHjk/u7 IPyX6RiKEgVwUKEoNIXSYxkZg4Q2OHOINwRhARgQR5XOZaVN9s4acmYK yPcZHteq2YChTbLreIj4xGgoIIzW9G3e98FAvgzMyMw7b8s6678hLA7S EW8= ;{id = 2854} +example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20181230101756 20181130101756 5459 example.com. INVALID2oppL26sSLAFSTTkOken2ZlU+bJwpH3ipCz6BTCIm8zHjk/u7 IPyX6RiKEgVwUKEoNIXSYxkZg4Q2OHOINwRhARgQR5XOZaVN9s4acmYK yPcZHteq2YChTbLreIj4xGgoIIzW9G3e98FAvgzMyMw7b8s6678hLA7S EW8= ;{id = 2854} ;example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20030926134150 20030829134150 2854 example.com. AG21xE8CFQzTq6XtHErg28b9EAmqPsoYCUcFPEAoAjFybM6AY4/bMOo= ;{id = 2854} SECTION AUTHORITY ;example.com. IN NS ns.example.com. @@ -165,14 +178,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. UJ98Ev1G8XsVXX6xqSkSeqhDauNtAK1fnTgt1qdGf1+TFJuqPjHmEBr3 I8u381FKJaGPF2ZKH+A5oSPy6jPLQLe4TipFgnTZptq4IZ53holOKlx9 RSjz5kovs5wYafSeBBM+cjX6LJogyP8vrnPuSJ/Z8Uk2+Ojhd1j7sR2C PwY= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. INVALIDG8XsVXX6xqSkSeqhDauNtAK1fnTgt1qdGf1+TFJuqPjHmEBr3 I8u381FKJaGPF2ZKH+A5oSPy6jPLQLe4TipFgnTZptq4IZ53holOKlx9 RSjz5kovs5wYafSeBBM+cjX6LJogyP8vrnPuSJ/Z8Uk2+Ojhd1j7sR2C PwY= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101756 20181130101756 5459 example.com. MGpbBGEQk6CQ0GBHNByUfF9s7kXOl2Qflh74erA5oFkrlK0/fJFRAkMb Edgmrs4FjvrlJJ1Gi5BWqv0avoyPUWVhwYz15VhjJjXP6jLuVn1j/EnT J5t55UU6hGf2R9NHvLRdeebJDOMryVW+1r9UWQYuabdCkxtnT+xcw9Or nDs= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101756 20181130101756 5459 example.com. INVALIDQk6CQ0GBHNByUfF9s7kXOl2Qflh74erA5oFkrlK0/fJFRAkMb Edgmrs4FjvrlJJ1Gi5BWqv0avoyPUWVhwYz15VhjJjXP6jLuVn1j/EnT J5t55UU6hGf2R9NHvLRdeebJDOMryVW+1r9UWQYuabdCkxtnT+xcw9Or nDs= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. aAhY236a0BQlJUnglecaUzphiHPw9ozBTu5v4Lx2ppQLqUZf4AXPgetm 5WjHUVJIqU9e0AwyHiqq3vKK6kDrUcdtI3Ygyn9O5WgCeGUd1UNXrx9h 2SLESwVt5MWFfFP3M0vKwgWrvWS4eZKD6Uc1VUm5tzIo5VRb6Q839qGw yKU= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101756 20181130101756 5459 example.com. INVALIDa0BQlJUnglecaUzphiHPw9ozBTu5v4Lx2ppQLqUZf4AXPgetm 5WjHUVJIqU9e0AwyHiqq3vKK6kDrUcdtI3Ygyn9O5WgCeGUd1UNXrx9h 2SLESwVt5MWFfFP3M0vKwgWrvWS4eZKD6Uc1VUm5tzIo5VRb6Q839qGw yKU= ;{id = 2854} ENTRY_END ; ENT request @@ -184,10 +197,10 @@ sub.example.com. IN DS SECTION AUTHORITY rub.example.com. IN NSEC sub.sub.example.com. RRSIG NSEC A -rub.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101756 20181130101756 5459 example.com. LxXDGCPOA5KoYz7wy2512fZqTzWTdfRdL2VQU6+v+k39hMpVvBbRbW3R 8X1YFrbl+gKMbzhtH3kKkjibwlKethd71p8xZKwIw4df1u3kdJygijuH +BvwG6jCIzF8wBLh8Uuv14KJOybmqJXzUdVKAU9MyQNvnfJk+Ekdj/sY MEw= ;{id = 2854} +rub.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101756 20181130101756 5459 example.com. INVALIDOA5KoYz7wy2512fZqTzWTdfRdL2VQU6+v+k39hMpVvBbRbW3R 8X1YFrbl+gKMbzhtH3kKkjibwlKethd71p8xZKwIw4df1u3kdJygijuH +BvwG6jCIzF8wBLh8Uuv14KJOybmqJXzUdVKAU9MyQNvnfJk+Ekdj/sY MEw= ;{id = 2854} ; extraneous DS sub.sub.example.com. IN NSEC tub.example.com. RRSIG NSEC DS -sub.sub.example.com. 3600 IN RRSIG NSEC 7 4 3600 20181230101756 20181130101756 5459 example.com. RoMochVq8vIslggd50/mnc5rV+OKchIZPUdrVjVpGZjsieh50UoM1+bV ChGrxwDNUYvs7vzztSaZ+oyBErPiGzkK6/nUQ5P8fhxMyPMaFrCNtHCC +tZsImjSbiwVm3bLpdcoNEDRHjiVb0Y7ztScMQji2QyN6iFLPrXXXNaW HXU= ;{id = 2854} +sub.sub.example.com. 3600 IN RRSIG NSEC 7 4 3600 20181230101756 20181130101756 5459 example.com. INVALIDq8vIslggd50/mnc5rV+OKchIZPUdrVjVpGZjsieh50UoM1+bV ChGrxwDNUYvs7vzztSaZ+oyBErPiGzkK6/nUQ5P8fhxMyPMaFrCNtHCC +tZsImjSbiwVm3bLpdcoNEDRHjiVb0Y7ztScMQji2QyN6iFLPrXXXNaW HXU= ;{id = 2854} ENTRY_END ; DS request @@ -198,8 +211,8 @@ SECTION QUESTION sub.sub.example.com. IN DS SECTION ANSWER -sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A -sub.sub.example.com. 3600 IN RRSIG DS 7 4 3600 20181230101756 20181130101756 5459 example.com. jkShmezNgvdoBxXKSiTVnmofgublfIQPCqrHwEDMCzs1WbIJWWEmzmxX 7dzupiSnVPlVQfKLXzEbSqM/QGxmU/bBn2lUAYNLpM2kFm85TVEXCLf8 u12NeWbBupsr1UctfzF2WtaUGxVfDZ+J86ka3qqQnmYYYAbz4MlnKvyQ p5c= ;{id = 2854} +sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A +sub.sub.example.com. 3600 IN RRSIG DS 7 4 3600 20181230101756 20181130101756 5459 example.com. INVALIDNgvdoBxXKSiTVnmofgublfIQPCqrHwEDMCzs1WbIJWWEmzmxX 7dzupiSnVPlVQfKLXzEbSqM/QGxmU/bBn2lUAYNLpM2kFm85TVEXCLf8 u12NeWbBupsr1UctfzF2WtaUGxVfDZ+J86ka3qqQnmYYYAbz4MlnKvyQ p5c= ;{id = 2854} ENTRY_END ENTRY_BEGIN @@ -211,8 +224,8 @@ SECTION AUTHORITY sub.sub.example.com. IN NS ns.sub.sub.example.com. sub.sub.example.com. IN NS ns.foo.com. -sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A -sub.sub.example.com. 3600 IN RRSIG DS 7 4 3600 20181230101756 20181130101756 5459 example.com. jkShmezNgvdoBxXKSiTVnmofgublfIQPCqrHwEDMCzs1WbIJWWEmzmxX 7dzupiSnVPlVQfKLXzEbSqM/QGxmU/bBn2lUAYNLpM2kFm85TVEXCLf8 u12NeWbBupsr1UctfzF2WtaUGxVfDZ+J86ka3qqQnmYYYAbz4MlnKvyQ p5c= ;{id = 2854} +sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A +sub.sub.example.com. 3600 IN RRSIG DS 7 4 3600 20181230101756 20181130101756 5459 example.com. INVALIDNgvdoBxXKSiTVnmofgublfIQPCqrHwEDMCzs1WbIJWWEmzmxX 7dzupiSnVPlVQfKLXzEbSqM/QGxmU/bBn2lUAYNLpM2kFm85TVEXCLf8 u12NeWbBupsr1UctfzF2WtaUGxVfDZ+J86ka3qqQnmYYYAbz4MlnKvyQ p5c= ;{id = 2854} SECTION ADDITIONAL ns.sub.sub.example.com. IN A 1.2.4.6 ENTRY_END @@ -321,7 +334,7 @@ SECTION QUESTION sub.sub.example.com. IN DS SECTION ANSWER -sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A +sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A sub.sub.example.com. 3600 IN RRSIG DS 7 4 3600 20181230101756 20181130101756 5459 example.com. jkShmezNgvdoBxXKSiTVnmofgublfIQPCqrHwEDMCzs1WbIJWWEmzmxX 7dzupiSnVPlVQfKLXzEbSqM/QGxmU/bBn2lUAYNLpM2kFm85TVEXCLf8 u12NeWbBupsr1UctfzF2WtaUGxVfDZ+J86ka3qqQnmYYYAbz4MlnKvyQ p5c= ;{id = 2854} ENTRY_END @@ -335,7 +348,7 @@ SECTION AUTHORITY sub.sub.example.com. IN NS ns.sub.sub.example.com. sub.sub.example.com. IN NS ns.foo.com. -sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A +sub.sub.example.com. 3600 IN DS 14511 5 1 9C23483B120C7BCAB7E9BD00BCA7F30B38F92E1A sub.sub.example.com. 3600 IN RRSIG DS 7 4 3600 20181230101756 20181130101756 5459 example.com. jkShmezNgvdoBxXKSiTVnmofgublfIQPCqrHwEDMCzs1WbIJWWEmzmxX 7dzupiSnVPlVQfKLXzEbSqM/QGxmU/bBn2lUAYNLpM2kFm85TVEXCLf8 u12NeWbBupsr1UctfzF2WtaUGxVfDZ+J86ka3qqQnmYYYAbz4MlnKvyQ p5c= ;{id = 2854} SECTION ADDITIONAL ns.sub.sub.example.com. IN A 1.2.4.6 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_prime.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_prime.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/black_prime.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/black_prime.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -18,7 +20,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -106,10 +108,10 @@ SECTION ANSWER example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101800 20181130101800 62942 example.com. qmB12jqvKtMSxWX+8K3dKRRvFHxAcxe0bHtpZjiFn9dpUpsvo/CZ2nSV rrZ53C6WRIKA0i7Z2Q7CzeKjnOpXqVXfZ2rZyFaWQs23AbXLAIhpoG+7 g+9xCRkXED5kgkCjsyg5CmzFx5G68bZj9IOZNna/ZNfij8vaiJPO3IW9 mmM= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101800 20181130101800 62942 example.com. INVALIDvKtMSxWX+8K3dKRRvFHxAcxe0bHtpZjiFn9dpUpsvo/CZ2nSV rrZ53C6WRIKA0i7Z2Q7CzeKjnOpXqVXfZ2rZyFaWQs23AbXLAIhpoG+7 g+9xCRkXED5kgkCjsyg5CmzFx5G68bZj9IOZNna/ZNfij8vaiJPO3IW9 mmM= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. KDQYC0xU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. INVALIDU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} ENTRY_END ENTRY_BEGIN @@ -120,7 +122,7 @@ ns.example.com. IN A SECTION ANSWER ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. KDQYC0xU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. INVALIDU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} SECTION ADDITIONAL ENTRY_END @@ -133,7 +135,7 @@ SECTION ANSWER SECTION ADDITIONAL ns.example.com. IN NSEC oof.example.com. NSEC RRSIG A -ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101800 20181130101800 62942 example.com. j4fGEdXawCQcg5K+EPIlU4ekUeIqvDSxV7ZaPsC2P4IxJaLpCUMQJk54 aF+XCCpedBTbAoe8WBws/mxySdY2CYt0WfUjUhl6hWt+sINX8XXoH87O NKidHTC7z+/lzzEYoqMEJxCc7KdNxM3Y+6QaHshZzg4NYFiw5P62oOev NaE= ;{id = 2854} +ns.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101800 20181130101800 62942 example.com. INVALIDawCQcg5K+EPIlU4ekUeIqvDSxV7ZaPsC2P4IxJaLpCUMQJk54 aF+XCCpedBTbAoe8WBws/mxySdY2CYt0WfUjUhl6hWt+sINX8XXoH87O NKidHTC7z+/lzzEYoqMEJxCc7KdNxM3Y+6QaHshZzg4NYFiw5P62oOev NaE= ;{id = 2854} ENTRY_END ; response to DNSKEY priming query @@ -145,14 +147,14 @@ example.com. IN DNSKEY SECTION ANSWER example.com. 3600 IN DNSKEY 256 3 7 AwEAAdBMHE0Pz/DMrzxL+gmpcUrQJr7lLVUreB+a1rQrMicGVF/5/88V Hu+kDKaPvRHq4x22Ja8ZMmiNrfozQWoszAzhMlupQX1vXF44aSZbElqZ DNYhLyIaC8xBUPJ3qrcBPZOILu/2ylTx3xXfSPDVoX2L8fqODOOIjCim lumwbb5H ;{id = 2854 (zsk), size = 1688b} -example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20181230101800 20181130101800 62942 example.com. KECGylKgZL/1kcEKkulqQF7XlT8kCswdtvH3coWkCBGGprMYZ5sJKGP9 mk8lcEXG9vXujUz++YtJ2l1U23MMAr8stnoJ0xRlTMO2VwoLlTnW68ng F12n5eeQs7GNq1hDz6xnLAF0flpI8qfTIABqnw8M7LmYoqEbwNHPtVDt nfE= ;{id = 2854} +example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20181230101800 20181130101800 62942 example.com. INVALIDgZL/1kcEKkulqQF7XlT8kCswdtvH3coWkCBGGprMYZ5sJKGP9 mk8lcEXG9vXujUz++YtJ2l1U23MMAr8stnoJ0xRlTMO2VwoLlTnW68ng F12n5eeQs7GNq1hDz6xnLAF0flpI8qfTIABqnw8M7LmYoqEbwNHPtVDt nfE= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101800 20181130101800 62942 example.com. qmB12jqvKtMSxWX+8K3dKRRvFHxAcxe0bHtpZjiFn9dpUpsvo/CZ2nSV rrZ53C6WRIKA0i7Z2Q7CzeKjnOpXqVXfZ2rZyFaWQs23AbXLAIhpoG+7 g+9xCRkXED5kgkCjsyg5CmzFx5G68bZj9IOZNna/ZNfij8vaiJPO3IW9 mmM= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101800 20181130101800 62942 example.com. INVALIDvKtMSxWX+8K3dKRRvFHxAcxe0bHtpZjiFn9dpUpsvo/CZ2nSV rrZ53C6WRIKA0i7Z2Q7CzeKjnOpXqVXfZ2rZyFaWQs23AbXLAIhpoG+7 g+9xCRkXED5kgkCjsyg5CmzFx5G68bZj9IOZNna/ZNfij8vaiJPO3IW9 mmM= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. KDQYC0xU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. INVALIDU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} ENTRY_END ; response to query of interest @@ -164,14 +166,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. cN4kzlqQDlhENCeWp7RaqU6N0CaVPCgOJLpdkVh7+Q6swyKe/Ponmgia SZ44kBtXXt91EIsaJgDU/Rhwq7zCmHT1XOHGNdNjPfHdOAOjtL42rVKU lnhS0rjcFn4SN9zgE1kiQIiu3zgIlkimNaL6JqgtUpbaIrTE6Ol9PMWU 6v8= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. INVALIDQDlhENCeWp7RaqU6N0CaVPCgOJLpdkVh7+Q6swyKe/Ponmgia SZ44kBtXXt91EIsaJgDU/Rhwq7zCmHT1XOHGNdNjPfHdOAOjtL42rVKU lnhS0rjcFn4SN9zgE1kiQIiu3zgIlkimNaL6JqgtUpbaIrTE6Ol9PMWU 6v8= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101800 20181130101800 62942 example.com. qmB12jqvKtMSxWX+8K3dKRRvFHxAcxe0bHtpZjiFn9dpUpsvo/CZ2nSV rrZ53C6WRIKA0i7Z2Q7CzeKjnOpXqVXfZ2rZyFaWQs23AbXLAIhpoG+7 g+9xCRkXED5kgkCjsyg5CmzFx5G68bZj9IOZNna/ZNfij8vaiJPO3IW9 mmM= ;{id = 2854} +example.com. 3600 IN RRSIG NS 7 2 3600 20181230101800 20181130101800 62942 example.com. INVALIDvKtMSxWX+8K3dKRRvFHxAcxe0bHtpZjiFn9dpUpsvo/CZ2nSV rrZ53C6WRIKA0i7Z2Q7CzeKjnOpXqVXfZ2rZyFaWQs23AbXLAIhpoG+7 g+9xCRkXED5kgkCjsyg5CmzFx5G68bZj9IOZNna/ZNfij8vaiJPO3IW9 mmM= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. KDQYC0xU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. INVALIDU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} ENTRY_END RANGE_END @@ -245,14 +247,14 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. KDQYC0xU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. cN4kzlqQDlhENCeWp7RaqU6N0CaVPCgOJLpdkVh7+Q6swyKe/Ponmgia SZ44kBtXXt91EIsaJgDU/Rhwq7zCmHT1XOHGNdNjPfHdOAOjtL42rVKU lnhS0rjcFn4SN9zgE1kiQIiu3zgIlkimNaL6JqgtUpbaIrTE6Ol9PMWU 6v8= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. IN NS ns.blabla.com. example.com. 3600 IN RRSIG NS 7 2 3600 20181230101800 20181130101800 62942 example.com. qmB12jqvKtMSxWX+8K3dKRRvFHxAcxe0bHtpZjiFn9dpUpsvo/CZ2nSV rrZ53C6WRIKA0i7Z2Q7CzeKjnOpXqVXfZ2rZyFaWQs23AbXLAIhpoG+7 g+9xCRkXED5kgkCjsyg5CmzFx5G68bZj9IOZNna/ZNfij8vaiJPO3IW9 mmM= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 -www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. cN4kzlqQDlhENCeWp7RaqU6N0CaVPCgOJLpdkVh7+Q6swyKe/Ponmgia SZ44kBtXXt91EIsaJgDU/Rhwq7zCmHT1XOHGNdNjPfHdOAOjtL42rVKU lnhS0rjcFn4SN9zgE1kiQIiu3zgIlkimNaL6JqgtUpbaIrTE6Ol9PMWU 6v8= ;{id = 2854} +ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101800 20181130101800 62942 example.com. KDQYC0xU8LVsNTK2uldzRU89po6ti/vnp94h9lo7TYI7Z+lGtBIXK23H nFL4/DBbcAChUB0xTeXRm6LHt3lI2M/cpGCQ7fcByBzv7cFDeIuJ3BZ9 ufbJBkmTmw9292zjMoDqP+9tGgSIDV3amJdP39C0VC1qhOjG+crIlEKB XIg= ;{id = 2854} ENTRY_END RANGE_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_badglue.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_badglue.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_badglue.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_badglue.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + stub-addr: 1.1.1.1 CONFIG_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_badraw.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_badraw.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_badraw.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_badraw.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. CONFIG_END @@ -18622,78 +18624,216 @@ b8a7ad225011fae2aa350000000000000000 ENTRY_END -STEP 40010 QUERY + + +; finally we check basic function by a copy of ./iter_resolve.rpl (steps +123000) +RANGE_BEGIN 123000 123100 + ADDRESS 193.0.14.129 ENTRY_BEGIN -REPLY RD +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR SECTION QUESTION -cz. IN A +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END -; copy of iter_formerr.rpl -; root prime -STEP 40030 REPLY +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +; net. +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +net. IN NS +SECTION AUTHORITY +. IN SOA . . 0 0 0 0 0 +ENTRY_END + +; root-servers.net. ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id -REPLY QR AA NOERROR +REPLY QR NOERROR SECTION QUESTION -. IN NS +root-servers.net. IN NS +SECTION ANSWER +root-servers.net. IN NS k.root-servers.net. +SECTION ADDITIONAL +k.root-servers.net. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +root-servers.net. IN A +SECTION AUTHORITY +root-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +k.root-servers.net. IN A +SECTION ANSWER +k.root-servers.net. IN A 193.0.14.129 +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +k.root-servers.net. IN AAAA +SECTION AUTHORITY +root-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +; gtld-servers.net. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gtld-servers.net. IN NS SECTION ANSWER -. IN NS K.ROOT-SERVERS.NET. +gtld-servers.net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gtld-servers.net. IN A +SECTION AUTHORITY +gtld-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.gtld-servers.net. IN A +SECTION ANSWER +a.gtld-servers.net. IN A 192.5.6.30 SECTION ADDITIONAL -K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END -; query sent to root server -STEP 40050 REPLY ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION -cz. IN A +a.gtld-servers.net. IN AAAA SECTION AUTHORITY -cz. IN NS ns1.cz. +gtld-servers.net. IN SOA . . 0 0 0 0 0 +ENTRY_END + + + +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 123000 123100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. SECTION ADDITIONAL -ns1.cz. IN A 168.192.2.2 +ns.example.com. IN A 1.2.3.4 ENTRY_END +RANGE_END -; this is the formerr answer -STEP 40060 REPLY +; ns.example.com. +RANGE_BEGIN 123000 123100 + ADDRESS 1.2.3.4 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id -REPLY QR AA FORMERR +REPLY QR NOERROR SECTION QUESTION -cz. IN A +example.com. IN NS SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 ENTRY_END -; this is the correct answer -STEP 40070 REPLY ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id -REPLY QR AA NOERROR +REPLY QR NOERROR SECTION QUESTION -cz. IN A +www.example.com. IN A SECTION ANSWER -cz. IN A 10.20.30.40 +www.example.com. IN A 10.20.30.40 SECTION AUTHORITY -cz. IN NS ns1.cz. +example.com. IN NS ns.example.com. SECTION ADDITIONAL -ns1.cz. IN A 168.192.2.2 +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 123001 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A ENTRY_END -; is the final answer correct? -STEP 40100 CHECK_ANSWER +; recursion happens here. +STEP 123010 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA +REPLY QR RD RA NOERROR SECTION QUESTION -cz. IN A +www.example.com. IN A SECTION ANSWER -cz. IN A 10.20.30.40 +www.example.com. IN A 10.20.30.40 +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 ENTRY_END SCENARIO_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_badauth.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_badauth.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_badauth.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_badauth.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "3 2 1 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_cache.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_cache.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_cache.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_cache.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." @@ -16,7 +18,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -92,7 +94,7 @@ ;;; but really a CNAME in child server ns.example.com. 1 IN A 1.2.3.4 ns2.example.com. IN A 1.2.3.5 -ns2.example.com. IN AAAA 2002::5 +ns2.example.com. IN A 2.0.2.5 ENTRY_END ; lame answers back to root for .nl (.com server not authoritative for .nl) @@ -207,7 +209,7 @@ RANGE_BEGIN 0 100 ADDRESS 1.2.3.5 ENTRY_BEGIN -MATCH opcode +MATCH opcode ADJUST copy_id copy_query REPLY QR SERVFAIL SECTION QUESTION @@ -219,9 +221,9 @@ ; ns2.example.com "example.com" ; bad failing server RANGE_BEGIN 0 100 - ADDRESS 2002::5 + ADDRESS 2.0.2.5 ENTRY_BEGIN -MATCH opcode +MATCH opcode ADJUST copy_id copy_query REPLY QR SERVFAIL SECTION QUESTION @@ -230,7 +232,7 @@ ENTRY_END RANGE_END -; get cname in cache. use MX query +; get cname in cache. use MX query STEP 1 QUERY ENTRY_BEGIN REPLY RD diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_double.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_double.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_double.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_double.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_nx.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_nx.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_nx.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_nx.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_qnamecopy.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_qnamecopy.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cname_qnamecopy.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cname_qnamecopy.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cycle_noh.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cycle_noh.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cycle_noh.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cycle_noh.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options harden-glue: "no" ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cycle.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cycle.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_cycle.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_cycle.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_dname_insec.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_dname_insec.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_dname_insec.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_dname_insec.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. CONFIG_END @@ -1002,6 +1004,16 @@ SECTION ANSWER ENTRY_END +; empty non-terminal for QNAME minimization +ENTRY_BEGIN +MATCH opcode qname +ADJUST copy_id copy_query +REPLY QR AA NOERROR +SECTION QUESTION +b.example.net. IN NS +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ds_ok.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ds_ok.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ds_ok.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ds_ok.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example.com. 3600 IN DS 8378 7 1 0FCD3F3031F437036CA53411FD4B43BAB303B450 " diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ta_ok.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ta_ok.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ta_ok.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_dnsseclame_ta_ok.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example.com. 3600 IN DS 63215 7 1 9B2A4B4CE971A6D1A2DFD23C03467F053F1D2D9C " diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_domain_sale_nschange.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_domain_sale_nschange.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_domain_sale_nschange.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_domain_sale_nschange.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_domain_sale.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_domain_sale.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_domain_sale.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_domain_sale.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_donotq127.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_donotq127.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_donotq127.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_donotq127.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns_nosoa.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns_nosoa.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns_nosoa.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns_nosoa.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ds_locate_ns.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_escape_bailiwick.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_escape_bailiwick.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_escape_bailiwick.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_escape_bailiwick.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + stub-addr: 193.0.14.129 CONFIG_END SCENARIO_BEGIN Test a case where parent NS advertises non-existent zone cut, and the final NS tries to answer from its parent's zone cut. diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_formerr.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_formerr.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_formerr.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_formerr.rpl 1970-01-01 00:00:00.000000000 +0000 @@ -1,83 +0,0 @@ -; config options -; harden-referral-path: no -; target-fetch-policy: "0 0 0 0 0" -; name: "." - stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. -CONFIG_END - -SCENARIO_BEGIN Disable EDNS0 and fancy stuff when the server replies with FORMERR. - -STEP 10 QUERY -ENTRY_BEGIN -REPLY RD -SECTION QUESTION -cz. IN A -ENTRY_END - -; root prime -STEP 30 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR AA NOERROR -SECTION QUESTION -. IN NS -SECTION ANSWER -. IN NS K.ROOT-SERVERS.NET. -SECTION ADDITIONAL -K.ROOT-SERVERS.NET. IN A 193.0.14.129 -ENTRY_END - -; query sent to root server -STEP 50 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR NOERROR -SECTION QUESTION -cz. IN A -SECTION AUTHORITY -cz. IN NS ns1.cz. -SECTION ADDITIONAL -ns1.cz. IN A 168.192.2.2 -ENTRY_END - -; this is the formerr answer -STEP 60 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR AA FORMERR -SECTION QUESTION -cz. IN A -SECTION ANSWER -ENTRY_END - -; this is the correct answer -STEP 70 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR AA NOERROR -SECTION QUESTION -cz. IN A -SECTION ANSWER -cz. IN A 10.20.30.40 -SECTION AUTHORITY -cz. IN NS ns1.cz. -SECTION ADDITIONAL -ns1.cz. IN A 168.192.2.2 -ENTRY_END - -; is the final answer correct? -STEP 100 CHECK_ANSWER -ENTRY_BEGIN -MATCH all -REPLY QR RD RA -SECTION QUESTION -cz. IN A -SECTION ANSWER -cz. IN A 10.20.30.40 -ENTRY_END - -SCENARIO_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_hint_lame.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_hint_lame.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_hint_lame.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_hint_lame.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." @@ -125,6 +127,16 @@ ADJUST copy_id REPLY QR NOERROR SECTION QUESTION +ns.example.com IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 @@ -145,7 +157,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH flags rcode question +MATCH flags rcode question answer REPLY QR RD RA NOERROR SECTION QUESTION www.example.com. IN A diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_aaaa.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_aaaa.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_aaaa.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_aaaa.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_noaa.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_noaa.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_noaa.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_noaa.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; harden-referral-path: no ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_nosoa.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_nosoa.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_nosoa.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_nosoa.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_root.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_root.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lame_root.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lame_root.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + stub-addr: 193.0.14.129 CONFIG_END SCENARIO_BEGIN Test iterative resolve with lame root. diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lamescrub.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lamescrub.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_lamescrub.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_lamescrub.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_a_nxdomain.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_a_nxdomain.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_a_nxdomain.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_a_nxdomain.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" query-minimization: on diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_a.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_a.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_a.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_a.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" query-minimization: on diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_nonempty.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_nonempty.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_nonempty.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_nonempty.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" query-minimization: on diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_ns.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_ns.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minim_ns.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minim_ns.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" query-minimization: on diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minmaxttl.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minmaxttl.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_minmaxttl.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_minmaxttl.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options features: min_ttl = 300 features: max_ttl = 600 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_mod.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_mod.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_mod.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_mod.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; module-config: "iterator" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_multiple_A.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_multiple_A.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_multiple_A.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_multiple_A.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_badaa.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_badaa.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_badaa.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_badaa.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "3 2 1 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_badglue.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_badglue.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_badglue.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_badglue.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "3 2 1 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_badip.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_badip.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_badip.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_badip.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -8,7 +8,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -22,6 +22,15 @@ ENTRY_END ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +K.ROOT-SERVERS.NET. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR @@ -34,7 +43,7 @@ ENTRY_BEGIN MATCH opcode qname ADJUST copy_id copy_query -REPLY QR NOERROR +REPLY QR AA NOERROR SECTION QUESTION net. IN A SECTION ANSWER @@ -52,7 +61,7 @@ ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query -REPLY QR NOERROR +REPLY QR AA NOERROR SECTION QUESTION a.gtld-servers.net. IN A SECTION ANSWER diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_noglue.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_noglue.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_noglue.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_noglue.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "3 2 1 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_spoof.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_spoof.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_ns_spoof.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_ns_spoof.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; harden-referral-path: yes ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pc_aaaa.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pc_aaaa.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pc_aaaa.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pc_aaaa.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -9,7 +9,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -23,6 +23,15 @@ ENTRY_END ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +K.ROOT-SERVERS.NET. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR @@ -34,6 +43,18 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +net. IN NS +SECTION AUTHORITY +net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + RANGE_END ; a.gtld-servers.net. @@ -56,6 +77,39 @@ ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION +ROOT-SERVERS.NET IN NS +SECTION ANSWER +ROOT-SERVERS.NET. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.gtld-servers.net. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gtld-servers.net. IN NS +SECTION AUTHORITY +gtld-servers.net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION example.com. IN NS SECTION AUTHORITY example.com. IN NS ns.example.com. @@ -151,7 +205,7 @@ RANGE_BEGIN 0 100 ADDRESS 2002:b44d::55 ENTRY_BEGIN -MATCH opcode +MATCH opcode ADJUST copy_id copy_query REPLY QR SERVFAIL SECTION QUESTION diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pc_a.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pc_a.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pc_a.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pc_a.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcdiff.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcdiff.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcdiff.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcdiff.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: ; target-fetch-policy: "0 0 0 0 0" @@ -12,7 +14,7 @@ ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 - ADDRESS 193.0.14.129 + ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -177,7 +179,7 @@ RANGE_BEGIN 0 100 ADDRESS 1.2.3.55 ENTRY_BEGIN -MATCH opcode +MATCH opcode ADJUST copy_id copy_query REPLY QR SERVFAIL SECTION QUESTION diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcdirect.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcdirect.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcdirect.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcdirect.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcnamechrec.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcnamechrec.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcnamechrec.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcnamechrec.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcnamech.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcnamech.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcnamech.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcnamech.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcnamerec.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcnamerec.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcnamerec.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcnamerec.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcname.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcname.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcname.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcname.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcttl.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcttl.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_pcttl.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_pcttl.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; do-ip6: no diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_reclame_one.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_reclame_one.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_reclame_one.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_reclame_one.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_reclame_two.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_reclame_two.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_reclame_two.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_reclame_two.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_recurse.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_recurse.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_recurse.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_recurse.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_req_qname.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_req_qname.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_req_qname.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_req_qname.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_resolve.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_resolve.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_resolve.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_resolve.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; target-fetch-policy: "0 0 0 0 0" ; name: "." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_tcbit.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_tcbit.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_tcbit.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_tcbit.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; harden-referral-path: no ; target-fetch-policy: "0 0 0 0 0" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_timeouted_ns.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_timeouted_ns.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_timeouted_ns.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_timeouted_ns.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. CONFIG_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_unexpectedrrtype.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_unexpectedrrtype.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_unexpectedrrtype.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_unexpectedrrtype.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + stub-addr: 1.1.1.1 CONFIG_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate_child_zone_noaddr.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate_child_zone_noaddr.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate_child_zone_noaddr.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate_child_zone_noaddr.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate_extradata.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate_extradata.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate_extradata.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate_extradata.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate_nsec_nxdomain.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate_nsec_nxdomain.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate_nsec_nxdomain.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate_nsec_nxdomain.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/iter_validate.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/iter_validate.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_dns64.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_dns64.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_dns64.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_dns64.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. features: dns64_prefix = fe80::21b:aabb:0:0 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_hint_static.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_hint_static.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_hint_static.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_hint_static.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. features: static_hint_name = www.nic.cz diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_deny_all.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_deny_all.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_deny_all.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_deny_all.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 1.2.3.4 trust-anchor: "example.com. IN DS 438 10 2 33F8133EB48EDB093839E985600EB7B7009EB5AC312D11CCA9007F6B 71D94D7B" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_comm.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_comm.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_comm.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_comm.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 1.2.3.4 trust-anchor: "example.com. IN DS 438 10 2 33F8133EB48EDB093839E985600EB7B7009EB5AC312D11CCA9007F6B 71D94D7B" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_patt.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_patt.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_patt.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_deny_suff_patt.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 1.2.3.4 feature-list: policy=policy:add(policy.suffix(policy.DENY, {todname('nic.cz')})) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_drop.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_drop.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_drop.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_drop.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. feature-list: policy=policy:add(policy.suffix(policy.DROP, {todname('example.cz')})) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_forward.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_forward.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_forward.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_forward.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 1.2.3.4 feature-list: policy=policy:add(policy.suffix(policy.FORWARD('1.2.3.4'), {todname('example.cz')})) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_pass_deny.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_pass_deny.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_pass_deny.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_pass_deny.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 1.2.3.4 feature-list: policy=policy:add(policy.pattern(policy.PASS, todname('dummy.example.cz'))) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_tc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_tc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_policy_tc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_policy_tc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. feature-list: policy=policy:add(policy.suffix(policy.TC, {todname('example.cz')})) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_renumber.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_renumber.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_renumber.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_renumber.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. features: renumber_src = 1.2.3.0/24; renumber_dst = 4.5.6.0 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_workarounds_disable_0x20.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_workarounds_disable_0x20.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/module_workarounds_disable_0x20.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/module_workarounds_disable_0x20.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options features: workarounds = true stub-addr: 1.1.1.1 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec3_aggr_cache.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec3_aggr_cache.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec3_aggr_cache.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec3_aggr_cache.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,12 +1,13 @@ +do-ip4: no trust-anchor: ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" trust-anchor: ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" val-override-date: 20180727104904 - stub-addr: 192.36.148.17 + stub-addr: 2001:7fe::53 CONFIG_END SCENARIO_BEGIN qlist -; Scope ". +; Scope ". ; Server names: ; f.root-servers.net. @@ -52,7 +53,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION . IN NS @@ -103,7 +104,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION . IN DNSKEY @@ -117,7 +118,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION cz. IN NULL @@ -142,7 +143,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION cz. IN DNSKEY @@ -167,7 +168,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION cz. IN DS @@ -179,7 +180,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION cz. IN A @@ -204,7 +205,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION net. IN A @@ -256,7 +257,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION net. IN DNSKEY @@ -308,7 +309,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION net. IN DS @@ -320,7 +321,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN A @@ -371,7 +372,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN DNSKEY @@ -382,7 +383,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN NS @@ -393,7 +394,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN DS @@ -404,7 +405,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN AAAA @@ -455,7 +456,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN A @@ -506,7 +507,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN DNSKEY @@ -517,7 +518,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN NS @@ -528,7 +529,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN DS @@ -539,7 +540,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN AAAA @@ -590,7 +591,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN A @@ -641,7 +642,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN DNSKEY @@ -652,7 +653,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN NS @@ -663,7 +664,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN DS @@ -674,7 +675,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN AAAA @@ -725,7 +726,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN A @@ -776,7 +777,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN DNSKEY @@ -787,7 +788,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN NS @@ -798,7 +799,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN DS @@ -809,7 +810,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN AAAA @@ -860,7 +861,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN A @@ -911,7 +912,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN DNSKEY @@ -922,7 +923,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN NS @@ -933,7 +934,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN DS @@ -944,7 +945,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN AAAA @@ -995,7 +996,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN A @@ -1046,7 +1047,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN DNSKEY @@ -1057,7 +1058,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN NS @@ -1068,7 +1069,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN DS @@ -1079,7 +1080,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN AAAA @@ -1130,7 +1131,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN A @@ -1181,7 +1182,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN DNSKEY @@ -1192,7 +1193,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN NS @@ -1203,7 +1204,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN DS @@ -1214,7 +1215,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN AAAA @@ -1265,7 +1266,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN A @@ -1316,7 +1317,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN DNSKEY @@ -1327,7 +1328,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN NS @@ -1338,7 +1339,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN DS @@ -1349,7 +1350,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN AAAA @@ -1400,7 +1401,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN A @@ -1451,7 +1452,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN DNSKEY @@ -1462,7 +1463,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN NS @@ -1473,7 +1474,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN DS @@ -1484,7 +1485,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN AAAA @@ -1535,7 +1536,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN A @@ -1586,7 +1587,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN DNSKEY @@ -1597,7 +1598,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN NS @@ -1608,7 +1609,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN DS @@ -1619,7 +1620,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN AAAA @@ -1670,7 +1671,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN A @@ -1721,7 +1722,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN DNSKEY @@ -1732,7 +1733,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN NS @@ -1743,7 +1744,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN DS @@ -1754,7 +1755,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN AAAA @@ -1805,7 +1806,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN A @@ -1856,7 +1857,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN DNSKEY @@ -1867,7 +1868,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN NS @@ -1878,7 +1879,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN DS @@ -1889,7 +1890,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN AAAA @@ -1940,7 +1941,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN A @@ -1991,7 +1992,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN DNSKEY @@ -2002,7 +2003,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN NS @@ -2013,7 +2014,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN DS @@ -2024,7 +2025,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN AAAA @@ -2075,7 +2076,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION com. IN A @@ -2127,7 +2128,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION com. IN DNSKEY @@ -2179,7 +2180,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION com. IN DS @@ -2191,7 +2192,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root-servers.net. IN DNSKEY @@ -2382,7 +2383,7 @@ RANGE_END -; Scope "com. +; Scope "com. ; Server names: ; a.gtld-servers.net. @@ -2428,7 +2429,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION root-servers.net. IN A @@ -2482,7 +2483,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION root-servers.net. IN DNSKEY @@ -2536,7 +2537,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root-servers.net. IN DS @@ -2552,7 +2553,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION gtld-servers.net. IN A @@ -2579,7 +2580,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION gtld-servers.net. IN DNSKEY @@ -2606,7 +2607,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gtld-servers.net. IN DS @@ -2622,7 +2623,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION nstld.com. IN A @@ -2649,7 +2650,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION nstld.com. IN DNSKEY @@ -2676,7 +2677,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nstld.com. IN DS @@ -2692,7 +2693,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION net. IN DNSKEY @@ -2705,7 +2706,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION com. IN DNSKEY @@ -2929,7 +2930,7 @@ RANGE_END -; Scope "nstld.com. +; Scope "nstld.com. ; Server names: ; av1.nstld.com. @@ -2948,7 +2949,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN A @@ -2964,7 +2965,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN DNSKEY @@ -2975,7 +2976,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN NS @@ -2986,7 +2987,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN DS @@ -2997,7 +2998,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN AAAA @@ -3013,7 +3014,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN A @@ -3029,7 +3030,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN DNSKEY @@ -3040,7 +3041,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN NS @@ -3051,7 +3052,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN DS @@ -3062,7 +3063,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN AAAA @@ -3078,7 +3079,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN A @@ -3094,7 +3095,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN DNSKEY @@ -3105,7 +3106,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN NS @@ -3116,7 +3117,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN DS @@ -3127,7 +3128,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN AAAA @@ -3143,7 +3144,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN A @@ -3159,7 +3160,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN DNSKEY @@ -3170,7 +3171,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN NS @@ -3181,7 +3182,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN DS @@ -3192,7 +3193,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN AAAA @@ -3208,7 +3209,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN A @@ -3224,7 +3225,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN DNSKEY @@ -3235,7 +3236,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN NS @@ -3246,7 +3247,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN DS @@ -3257,7 +3258,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN AAAA @@ -3273,7 +3274,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN A @@ -3289,7 +3290,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN DNSKEY @@ -3300,7 +3301,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN NS @@ -3311,7 +3312,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN DS @@ -3322,7 +3323,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN AAAA @@ -3338,7 +3339,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN A @@ -3354,7 +3355,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN DNSKEY @@ -3365,7 +3366,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN NS @@ -3376,7 +3377,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN DS @@ -3387,7 +3388,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN AAAA @@ -3403,7 +3404,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN A @@ -3419,7 +3420,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN DNSKEY @@ -3430,7 +3431,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN NS @@ -3441,7 +3442,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN DS @@ -3452,7 +3453,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN AAAA @@ -3468,7 +3469,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN A @@ -3484,7 +3485,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN DNSKEY @@ -3495,7 +3496,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN NS @@ -3506,7 +3507,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN DS @@ -3517,7 +3518,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN AAAA @@ -3533,7 +3534,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN A @@ -3549,7 +3550,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN DNSKEY @@ -3560,7 +3561,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN NS @@ -3571,7 +3572,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN DS @@ -3582,7 +3583,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN AAAA @@ -3598,7 +3599,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN A @@ -3614,7 +3615,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN DNSKEY @@ -3625,7 +3626,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN NS @@ -3636,7 +3637,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN DS @@ -3647,7 +3648,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN AAAA @@ -3663,7 +3664,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN A @@ -3679,7 +3680,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN DNSKEY @@ -3690,7 +3691,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN NS @@ -3701,7 +3702,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN DS @@ -3712,7 +3713,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN AAAA @@ -3728,7 +3729,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN A @@ -3744,7 +3745,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN DNSKEY @@ -3755,7 +3756,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN NS @@ -3766,7 +3767,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN DS @@ -3777,7 +3778,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN AAAA @@ -3793,7 +3794,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN A @@ -3817,7 +3818,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN DNSKEY @@ -3828,7 +3829,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN NS @@ -3839,7 +3840,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN DS @@ -3850,7 +3851,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN AAAA @@ -3874,7 +3875,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN A @@ -3898,7 +3899,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN DNSKEY @@ -3909,7 +3910,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN NS @@ -3920,7 +3921,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN DS @@ -3931,7 +3932,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN AAAA @@ -3955,7 +3956,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN A @@ -3979,7 +3980,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN DNSKEY @@ -3990,7 +3991,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN NS @@ -4001,7 +4002,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN DS @@ -4012,7 +4013,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN AAAA @@ -4036,7 +4037,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN A @@ -4060,7 +4061,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN DNSKEY @@ -4071,7 +4072,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN NS @@ -4082,7 +4083,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN DS @@ -4093,7 +4094,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN AAAA @@ -4117,7 +4118,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gtld-servers.net. IN DNSKEY @@ -4128,7 +4129,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nstld.com. IN DNSKEY @@ -4177,7 +4178,7 @@ RANGE_END -; Scope "cz. +; Scope "cz. ; Server names: ; b.ns.nic.cz. @@ -4196,7 +4197,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION knot-resolver.cz. IN NULL @@ -4210,7 +4211,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION knot-resolver.cz. IN DNSKEY @@ -4223,7 +4224,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION knot-resolver.cz. IN DS @@ -4235,7 +4236,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION knot-resolver.cz. IN A @@ -4247,7 +4248,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION knot-resolver.cz. IN AAAA @@ -4259,7 +4260,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nic.cz. IN A @@ -4271,7 +4272,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nic.cz. IN DNSKEY @@ -4285,7 +4286,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nic.cz. IN DS @@ -4297,7 +4298,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION knot-s-01.nic.cz. IN A @@ -4315,7 +4316,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION knot-s-01.nic.cz. IN DNSKEY @@ -4333,7 +4334,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION knot-s-01.nic.cz. IN NS @@ -4351,7 +4352,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION knot-s-01.nic.cz. IN DS @@ -4369,7 +4370,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION knot-s-01.nic.cz. IN AAAA @@ -4387,7 +4388,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION nonexistent1123.knot-resolver.cz. IN A @@ -4403,7 +4404,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION nonexistent1123.knot-resolver.cz. IN DNSKEY @@ -4419,7 +4420,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION nonexistent1123.knot-resolver.cz. IN NS @@ -4435,7 +4436,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION nonexistent1123.knot-resolver.cz. IN DS @@ -4451,7 +4452,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION nonexistent1123.knot-resolver.cz. IN AAAA @@ -4467,7 +4468,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION labs.nic.cz. IN A @@ -4479,7 +4480,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION labs.nic.cz. IN DNSKEY @@ -4492,7 +4493,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION labs.nic.cz. IN DS @@ -4504,7 +4505,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nonexistent7.labs.nic.cz. IN A @@ -4521,7 +4522,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nonexistent7.labs.nic.cz. IN DNSKEY @@ -4540,7 +4541,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nonexistent7.labs.nic.cz. IN NS @@ -4559,7 +4560,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nonexistent7.labs.nic.cz. IN DS @@ -4578,7 +4579,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nonexistent7.labs.nic.cz. IN AAAA @@ -4595,7 +4596,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gitlab.labs.nic.cz. IN A @@ -4607,7 +4608,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gitlab.labs.nic.cz. IN DNSKEY @@ -4621,7 +4622,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gitlab.labs.nic.cz. IN NS @@ -4635,7 +4636,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gitlab.labs.nic.cz. IN DS @@ -4649,7 +4650,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gitlab.labs.nic.cz. IN AAAA @@ -4661,7 +4662,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN A @@ -4675,7 +4676,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN DNSKEY @@ -4689,7 +4690,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN NS @@ -4703,7 +4704,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN DS @@ -4717,7 +4718,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN A @@ -4729,7 +4730,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN DNSKEY @@ -4743,7 +4744,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN NS @@ -4757,7 +4758,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN DS @@ -4771,7 +4772,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN AAAA @@ -4783,7 +4784,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN A @@ -4795,7 +4796,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN DNSKEY @@ -4809,7 +4810,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN NS @@ -4823,7 +4824,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN DS @@ -4837,7 +4838,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN AAAA @@ -4849,7 +4850,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN A @@ -4861,7 +4862,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN DNSKEY @@ -4875,7 +4876,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN NS @@ -4889,7 +4890,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN DS @@ -4903,7 +4904,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN AAAA @@ -4915,7 +4916,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN A @@ -4927,7 +4928,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN DNSKEY @@ -4941,7 +4942,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN NS @@ -4955,7 +4956,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN DS @@ -4969,7 +4970,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN AAAA @@ -4981,7 +4982,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION cz. IN DNSKEY diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec3_wildcard_no_data_response.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec3_wildcard_no_data_response.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec3_wildcard_no_data_response.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec3_wildcard_no_data_response.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: stub-addr: 193.0.14.129 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_aggr_cache.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_aggr_cache.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_aggr_cache.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_aggr_cache.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -2,11 +2,12 @@ trust-anchor: ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" val-override-date: 20180727184403 stub-addr: 2001:7fe::53 + do-ip4: no CONFIG_END SCENARIO_BEGIN qlist -; Scope ". +; Scope ". ; Server names: ; f.root-servers.net. @@ -52,7 +53,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION hm. IN DS @@ -66,7 +67,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION hm. IN DNSKEY @@ -80,12 +81,15 @@ ns1.registry.hm. 172800 IN A 208.70.79.25 ns2.registry.hm. 172800 IN A 208.70.79.24 ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION hm. IN A @@ -99,12 +103,15 @@ ns1.registry.hm. 172800 IN A 208.70.79.25 ns2.registry.hm. 172800 IN A 208.70.79.24 ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION hm. IN SOA @@ -118,12 +125,15 @@ ns1.registry.hm. 172800 IN A 208.70.79.25 ns2.registry.hm. 172800 IN A 208.70.79.24 ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION sk2. IN DS @@ -139,7 +149,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION sk2. IN DNSKEY @@ -155,7 +165,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION sk2. IN NS @@ -171,7 +181,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION sk2. IN A @@ -187,7 +197,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NXDOMAIN SECTION QUESTION sk2. IN AAAA @@ -203,7 +213,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION cz. IN TYPE65535 @@ -228,7 +238,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION cz. IN DNSKEY @@ -253,7 +263,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION cz. IN DS @@ -265,7 +275,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION cz. IN A @@ -290,7 +300,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION net. IN A @@ -342,7 +352,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION net. IN DNSKEY @@ -394,7 +404,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION net. IN DS @@ -406,7 +416,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN A @@ -457,7 +467,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN DNSKEY @@ -468,7 +478,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN NS @@ -479,7 +489,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN DS @@ -490,7 +500,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.root-servers.net. IN AAAA @@ -541,7 +551,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN A @@ -592,7 +602,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN DNSKEY @@ -603,7 +613,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN NS @@ -614,7 +624,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN DS @@ -625,7 +635,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.root-servers.net. IN AAAA @@ -676,7 +686,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN A @@ -727,7 +737,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN DNSKEY @@ -738,7 +748,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN NS @@ -749,7 +759,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN DS @@ -760,7 +770,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.root-servers.net. IN AAAA @@ -811,7 +821,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN A @@ -862,7 +872,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN DNSKEY @@ -873,7 +883,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN NS @@ -884,7 +894,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN DS @@ -895,7 +905,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.root-servers.net. IN AAAA @@ -946,7 +956,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN A @@ -997,7 +1007,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN DNSKEY @@ -1008,7 +1018,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN NS @@ -1019,7 +1029,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN DS @@ -1030,7 +1040,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.root-servers.net. IN AAAA @@ -1081,7 +1091,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN A @@ -1132,7 +1142,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN DNSKEY @@ -1143,7 +1153,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN NS @@ -1154,7 +1164,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN DS @@ -1165,7 +1175,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.root-servers.net. IN AAAA @@ -1216,7 +1226,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN A @@ -1267,7 +1277,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN DNSKEY @@ -1278,7 +1288,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN NS @@ -1289,7 +1299,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN DS @@ -1300,7 +1310,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.root-servers.net. IN AAAA @@ -1351,7 +1361,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN A @@ -1402,7 +1412,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN DNSKEY @@ -1413,7 +1423,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN NS @@ -1424,7 +1434,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN DS @@ -1435,7 +1445,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.root-servers.net. IN AAAA @@ -1486,7 +1496,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN A @@ -1537,7 +1547,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN DNSKEY @@ -1548,7 +1558,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN NS @@ -1559,7 +1569,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN DS @@ -1570,7 +1580,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.root-servers.net. IN AAAA @@ -1621,7 +1631,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN A @@ -1672,7 +1682,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN DNSKEY @@ -1683,7 +1693,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN NS @@ -1694,7 +1704,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN DS @@ -1705,7 +1715,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.root-servers.net. IN AAAA @@ -1756,7 +1766,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN A @@ -1807,7 +1817,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN DNSKEY @@ -1818,7 +1828,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN NS @@ -1829,7 +1839,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN DS @@ -1840,7 +1850,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.root-servers.net. IN AAAA @@ -1891,7 +1901,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN A @@ -1942,7 +1952,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN DNSKEY @@ -1953,7 +1963,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN NS @@ -1964,7 +1974,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN DS @@ -1975,7 +1985,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.root-servers.net. IN AAAA @@ -2026,7 +2036,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN A @@ -2077,7 +2087,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN DNSKEY @@ -2088,7 +2098,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN NS @@ -2099,7 +2109,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN DS @@ -2110,7 +2120,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.root-servers.net. IN AAAA @@ -2161,7 +2171,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION com. IN A @@ -2213,7 +2223,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION com. IN DNSKEY @@ -2265,7 +2275,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION com. IN DS @@ -2277,7 +2287,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION . IN NS @@ -2328,7 +2338,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION . IN DNSKEY @@ -2342,7 +2352,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root-servers.net. IN DNSKEY @@ -2417,6 +2427,9 @@ ns1.registry.hm. 172800 IN A 208.70.79.25 ns2.registry.hm. 172800 IN A 208.70.79.24 ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END @@ -2551,7 +2564,7 @@ RANGE_END -; Scope "com. +; Scope "com. ; Server names: ; a.gtld-servers.net. @@ -2597,7 +2610,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION root-servers.net. IN A @@ -2651,7 +2664,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION root-servers.net. IN DNSKEY @@ -2705,7 +2718,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root-servers.net. IN DS @@ -2721,7 +2734,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION gtld-servers.net. IN A @@ -2748,7 +2761,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION gtld-servers.net. IN DNSKEY @@ -2775,7 +2788,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gtld-servers.net. IN DS @@ -2791,7 +2804,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION nstld.com. IN A @@ -2818,7 +2831,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION nstld.com. IN DNSKEY @@ -2845,7 +2858,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nstld.com. IN DS @@ -2861,7 +2874,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION net. IN DNSKEY @@ -2874,7 +2887,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION com. IN DNSKEY @@ -3098,7 +3111,7 @@ RANGE_END -; Scope "nstld.com. +; Scope "nstld.com. ; Server names: ; av1.nstld.com. @@ -3117,7 +3130,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN A @@ -3133,7 +3146,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN DNSKEY @@ -3144,7 +3157,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN NS @@ -3155,7 +3168,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN DS @@ -3166,7 +3179,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.gtld-servers.net. IN AAAA @@ -3182,7 +3195,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN A @@ -3198,7 +3211,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN DNSKEY @@ -3209,7 +3222,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN NS @@ -3220,7 +3233,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN DS @@ -3231,7 +3244,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION j.gtld-servers.net. IN AAAA @@ -3247,7 +3260,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN A @@ -3263,7 +3276,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN DNSKEY @@ -3274,7 +3287,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN NS @@ -3285,7 +3298,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN DS @@ -3296,7 +3309,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION e.gtld-servers.net. IN AAAA @@ -3312,7 +3325,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN A @@ -3328,7 +3341,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN DNSKEY @@ -3339,7 +3352,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN NS @@ -3350,7 +3363,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN DS @@ -3361,7 +3374,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION i.gtld-servers.net. IN AAAA @@ -3377,7 +3390,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN A @@ -3393,7 +3406,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN DNSKEY @@ -3404,7 +3417,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN NS @@ -3415,7 +3428,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN DS @@ -3426,7 +3439,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.gtld-servers.net. IN AAAA @@ -3442,7 +3455,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN A @@ -3458,7 +3471,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN DNSKEY @@ -3469,7 +3482,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN NS @@ -3480,7 +3493,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN DS @@ -3491,7 +3504,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION m.gtld-servers.net. IN AAAA @@ -3507,7 +3520,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN A @@ -3523,7 +3536,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN DNSKEY @@ -3534,7 +3547,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN NS @@ -3545,7 +3558,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN DS @@ -3556,7 +3569,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION h.gtld-servers.net. IN AAAA @@ -3572,7 +3585,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN A @@ -3588,7 +3601,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN DNSKEY @@ -3599,7 +3612,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN NS @@ -3610,7 +3623,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN DS @@ -3621,7 +3634,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.gtld-servers.net. IN AAAA @@ -3637,7 +3650,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN A @@ -3653,7 +3666,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN DNSKEY @@ -3664,7 +3677,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN NS @@ -3675,7 +3688,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN DS @@ -3686,7 +3699,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION l.gtld-servers.net. IN AAAA @@ -3702,7 +3715,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN A @@ -3718,7 +3731,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN DNSKEY @@ -3729,7 +3742,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN NS @@ -3740,7 +3753,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN DS @@ -3751,7 +3764,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION g.gtld-servers.net. IN AAAA @@ -3767,7 +3780,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN A @@ -3783,7 +3796,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN DNSKEY @@ -3794,7 +3807,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN NS @@ -3805,7 +3818,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN DS @@ -3816,7 +3829,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.gtld-servers.net. IN AAAA @@ -3832,7 +3845,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN A @@ -3848,7 +3861,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN DNSKEY @@ -3859,7 +3872,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN NS @@ -3870,7 +3883,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN DS @@ -3881,7 +3894,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION k.gtld-servers.net. IN AAAA @@ -3897,7 +3910,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN A @@ -3913,7 +3926,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN DNSKEY @@ -3924,7 +3937,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN NS @@ -3935,7 +3948,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN DS @@ -3946,7 +3959,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION f.gtld-servers.net. IN AAAA @@ -3962,7 +3975,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN A @@ -3986,7 +3999,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN DNSKEY @@ -3997,7 +4010,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN NS @@ -4008,7 +4021,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN DS @@ -4019,7 +4032,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av1.nstld.com. IN AAAA @@ -4043,7 +4056,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN A @@ -4067,7 +4080,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN DNSKEY @@ -4078,7 +4091,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN NS @@ -4089,7 +4102,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN DS @@ -4100,7 +4113,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av2.nstld.com. IN AAAA @@ -4124,7 +4137,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN A @@ -4148,7 +4161,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN DNSKEY @@ -4159,7 +4172,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN NS @@ -4170,7 +4183,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN DS @@ -4181,7 +4194,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av3.nstld.com. IN AAAA @@ -4205,7 +4218,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN A @@ -4229,7 +4242,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN DNSKEY @@ -4240,7 +4253,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN NS @@ -4251,7 +4264,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN DS @@ -4262,7 +4275,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION av4.nstld.com. IN AAAA @@ -4286,7 +4299,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION gtld-servers.net. IN DNSKEY @@ -4297,7 +4310,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nstld.com. IN DNSKEY @@ -4346,7 +4359,7 @@ RANGE_END -; Scope "cz. +; Scope "cz. ; Server names: ; b.ns.nic.cz. @@ -4366,7 +4379,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION root.cz. IN TYPE65535 @@ -4383,7 +4396,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION root.cz. IN DNSKEY @@ -4400,7 +4413,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root.cz. IN DS @@ -4412,7 +4425,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION iinfo.cz. IN A @@ -4429,7 +4442,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION iinfo.cz. IN DNSKEY @@ -4446,7 +4459,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION iinfo.cz. IN DS @@ -4458,7 +4471,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION root.cz. IN A @@ -4475,7 +4488,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nic.cz. IN A @@ -4487,7 +4500,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nic.cz. IN DNSKEY @@ -4501,7 +4514,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION nic.cz. IN DS @@ -4513,7 +4526,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN A @@ -4527,7 +4540,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN DNSKEY @@ -4541,7 +4554,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN NS @@ -4555,7 +4568,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.nic.cz. IN DS @@ -4569,7 +4582,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN A @@ -4597,7 +4610,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN DNSKEY @@ -4611,7 +4624,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN NS @@ -4625,7 +4638,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN DS @@ -4639,7 +4652,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION a.ns.nic.cz. IN AAAA @@ -4667,7 +4680,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN A @@ -4679,7 +4692,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN DNSKEY @@ -4693,7 +4706,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN NS @@ -4707,7 +4720,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN DS @@ -4721,7 +4734,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION b.ns.nic.cz. IN AAAA @@ -4733,7 +4746,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN A @@ -4763,7 +4776,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN DNSKEY @@ -4777,7 +4790,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN NS @@ -4791,7 +4804,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN DS @@ -4805,7 +4818,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION c.ns.nic.cz. IN AAAA @@ -4835,7 +4848,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN A @@ -4863,7 +4876,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN DNSKEY @@ -4877,7 +4890,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN NS @@ -4891,7 +4904,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN DS @@ -4905,7 +4918,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION d.ns.nic.cz. IN AAAA @@ -4933,7 +4946,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION adminit.cz. IN A @@ -4951,7 +4964,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR RD NOERROR SECTION QUESTION adminit.cz. IN DNSKEY @@ -4969,7 +4982,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION adminit.cz. IN DS @@ -4983,7 +4996,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION cz. IN DNSKEY @@ -5099,7 +5112,7 @@ RANGE_END -; Scope "root.cz. +; Scope "root.cz. ; Server names: ; ns6.adminit.cz. @@ -5112,7 +5125,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root.cz. IN A @@ -5135,7 +5148,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root.cz. IN AAAA @@ -5158,7 +5171,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root.cz. IN TYPE65535 @@ -5172,7 +5185,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.iinfo.cz. IN A @@ -5193,7 +5206,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.iinfo.cz. IN DNSKEY @@ -5207,7 +5220,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.iinfo.cz. IN NS @@ -5221,7 +5234,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.iinfo.cz. IN DS @@ -5235,7 +5248,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.iinfo.cz. IN AAAA @@ -5256,7 +5269,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION blog.root.cz. IN A @@ -5281,7 +5294,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION blog.root.cz. IN DNSKEY @@ -5297,7 +5310,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION blog.root.cz. IN DS @@ -5314,7 +5327,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION random1.blog.root.cz. IN A @@ -5343,7 +5356,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION random1.blog.root.cz. IN DNSKEY @@ -5364,7 +5377,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION random1.blog.root.cz. IN DS @@ -5385,7 +5398,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION random1.blog.root.cz. IN AAAA @@ -5414,7 +5427,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION blog.root.cz. IN AAAA @@ -5439,7 +5452,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION blog.root.cz. IN TYPE65535 @@ -5456,7 +5469,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION random1.blog.root.cz. IN TYPE65535 @@ -5477,7 +5490,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns6.adminit.cz. IN A @@ -5497,7 +5510,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns6.adminit.cz. IN DNSKEY @@ -5508,7 +5521,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns6.adminit.cz. IN NS @@ -5519,7 +5532,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns6.adminit.cz. IN DS @@ -5530,7 +5543,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns6.adminit.cz. IN AAAA @@ -5550,7 +5563,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.adminit.cz. IN A @@ -5569,7 +5582,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.adminit.cz. IN DNSKEY @@ -5580,7 +5593,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.adminit.cz. IN NS @@ -5591,7 +5604,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.adminit.cz. IN DS @@ -5602,7 +5615,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns.adminit.cz. IN AAAA @@ -5613,7 +5626,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION root.cz. IN DNSKEY @@ -5627,7 +5640,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION iinfo.cz. IN DNSKEY @@ -5641,7 +5654,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION adminit.cz. IN DNSKEY @@ -5760,7 +5773,7 @@ RANGE_END -; Scope "hm. +; Scope "hm. ; Server names: ; ns1.registry.hm. @@ -5770,10 +5783,13 @@ ADDRESS 208.70.79.24 ADDRESS 208.70.79.25 ADDRESS 128.199.180.188 + ADDRESS 1::1 + ADDRESS 1::2 + ADDRESS 1::3 ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION hm. IN A @@ -5784,7 +5800,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION hm. IN DS @@ -5795,7 +5811,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION hm. IN AAAA @@ -5806,7 +5822,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION registry.hm. IN A @@ -5817,15 +5833,18 @@ registry.hm. 86400 IN NS ns2.registry.hm. registry.hm. 86400 IN NS ns3.registry.hm. SECTION ADDITIONAL -ns1.registry.hm. 86400 IN A 208.70.79.25 -ns2.registry.hm. 86400 IN A 208.70.79.24 -ns3.registry.hm. 86400 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN A 208.70.79.25 +ns2.registry.hm. 172800 IN A 208.70.79.24 +ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION registry.hm. IN DNSKEY @@ -5836,7 +5855,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION registry.hm. IN DS @@ -5847,7 +5866,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns1.registry.hm. IN A @@ -5858,14 +5877,18 @@ registry.hm. 86400 IN NS ns2.registry.hm. registry.hm. 86400 IN NS ns3.registry.hm. SECTION ADDITIONAL -ns2.registry.hm. 86400 IN A 208.70.79.24 -ns3.registry.hm. 86400 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN A 208.70.79.25 +ns2.registry.hm. 172800 IN A 208.70.79.24 +ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns1.registry.hm. IN DNSKEY @@ -5876,7 +5899,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns1.registry.hm. IN NS @@ -5887,7 +5910,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns1.registry.hm. IN DS @@ -5898,18 +5921,18 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns1.registry.hm. IN AAAA SECTION AUTHORITY -registry.hm. 3600 IN SOA ns1.registry.hm. hostmaster.registry.hm. 2015072302 10800 3600 604800 3600 +ns1.registry.hm. 86400 IN AAAA 1::1 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION hm. IN SOA @@ -5920,15 +5943,18 @@ hm. 86400 IN NS ns2.registry.hm. hm. 86400 IN NS ns3.registry.hm. SECTION ADDITIONAL -ns1.registry.hm. 86400 IN A 208.70.79.25 -ns2.registry.hm. 86400 IN A 208.70.79.24 -ns3.registry.hm. 86400 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN A 208.70.79.25 +ns2.registry.hm. 172800 IN A 208.70.79.24 +ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns2.registry.hm. IN A @@ -5939,14 +5965,18 @@ registry.hm. 86400 IN NS ns2.registry.hm. registry.hm. 86400 IN NS ns3.registry.hm. SECTION ADDITIONAL -ns1.registry.hm. 86400 IN A 208.70.79.25 -ns3.registry.hm. 86400 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN A 208.70.79.25 +ns2.registry.hm. 172800 IN A 208.70.79.24 +ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns2.registry.hm. IN DNSKEY @@ -5957,7 +5987,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns2.registry.hm. IN NS @@ -5968,7 +5998,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns2.registry.hm. IN DS @@ -5979,18 +6009,18 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns2.registry.hm. IN AAAA SECTION AUTHORITY -registry.hm. 3600 IN SOA ns1.registry.hm. hostmaster.registry.hm. 2015072302 10800 3600 604800 3600 +ns2.registry.hm. 86400 IN AAAA 1::2 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns3.registry.hm. IN A @@ -6001,14 +6031,18 @@ registry.hm. 86400 IN NS ns2.registry.hm. registry.hm. 86400 IN NS ns3.registry.hm. SECTION ADDITIONAL -ns1.registry.hm. 86400 IN A 208.70.79.25 -ns2.registry.hm. 86400 IN A 208.70.79.24 +ns1.registry.hm. 172800 IN A 208.70.79.25 +ns2.registry.hm. 172800 IN A 208.70.79.24 +ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns3.registry.hm. IN DNSKEY @@ -6019,7 +6053,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns3.registry.hm. IN NS @@ -6030,7 +6064,7 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns3.registry.hm. IN DS @@ -6041,18 +6075,18 @@ ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION ns3.registry.hm. IN AAAA SECTION AUTHORITY -registry.hm. 3600 IN SOA ns1.registry.hm. hostmaster.registry.hm. 2015072302 10800 3600 604800 3600 +ns3.registry.hm. 86400 IN AAAA 1::3 ENTRY_END ENTRY_BEGIN MATCH qname qtype -ADJUST copy_id +ADJUST copy_id REPLY QR AA RD NOERROR SECTION QUESTION hm. IN DNSKEY @@ -6072,9 +6106,12 @@ registry.hm. 86400 IN NS ns2.registry.hm. registry.hm. 86400 IN NS ns3.registry.hm. SECTION ADDITIONAL -ns1.registry.hm. 86400 IN A 208.70.79.25 -ns2.registry.hm. 86400 IN A 208.70.79.24 -ns3.registry.hm. 86400 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN A 208.70.79.25 +ns2.registry.hm. 172800 IN A 208.70.79.24 +ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END @@ -6089,9 +6126,12 @@ hm. 86400 IN NS ns2.registry.hm. hm. 86400 IN NS ns3.registry.hm. SECTION ADDITIONAL -ns1.registry.hm. 86400 IN A 208.70.79.25 -ns2.registry.hm. 86400 IN A 208.70.79.24 -ns3.registry.hm. 86400 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN A 208.70.79.25 +ns2.registry.hm. 172800 IN A 208.70.79.24 +ns3.registry.hm. 172800 IN A 128.199.180.188 +ns1.registry.hm. 172800 IN AAAA 1::1 +ns2.registry.hm. 172800 IN AAAA 1::2 +ns3.registry.hm. 172800 IN AAAA 1::3 ENTRY_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_name_error_response-part2.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_name_error_response-part2.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_name_error_response-part2.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_name_error_response-part2.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_name_error_response.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_name_error_response.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_name_error_response.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_name_error_response.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_no_data_response.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_no_data_response.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_no_data_response.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_no_data_response.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned1.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned1.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned1.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned1.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned2.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned2.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned2.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned2.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned3.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned3.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned3.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_ref_to_unsigned3.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_wildcard_answer_response.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_wildcard_answer_response.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_wildcard_answer_response.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_wildcard_answer_response.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: ". IN DS 41524 8 2 5175938255D97A88F9D16A5A46ED3AE373441DF5058C1666D953005D A6BD57F3" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response-part2.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response-part2.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response-part2.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response-part2.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "nsec.example. IN DS 41524 8 2 D6B102667845D6CDDC05B44466426D9CCC189989BF67ADB23605EED0 BFE2A443" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/nsec_wildcard_no_data_response.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "nsec.example. IN DS 41524 8 2 D6B102667845D6CDDC05B44466426D9CCC189989BF67ADB23605EED0 BFE2A443" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_adbit.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_adbit.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_adbit.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_adbit.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_adcopy.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_adcopy.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_adcopy.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_adcopy.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ad_qtype_ds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ad_qtype_ds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ad_qtype_ds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ad_qtype_ds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 trust-anchor: ". IN DS 49060 8 2 E7B1EB56D7D5791B3D45630FEAA9C823DB84B385ACEEAC5F44DD0888 5C36700F" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_anchor_nx_nosig.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_anchor_nx_nosig.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_anchor_nx_nosig.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_anchor_nx_nosig.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ans_dsent.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ans_dsent.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ans_dsent.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ans_dsent.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ans_nx.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ans_nx.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ans_nx.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ans_nx.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_bogus_nodata.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_bogus_nodata.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_bogus_nodata.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_bogus_nodata.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 trust-anchor: ". IN DS 9352 8 2 14FBAADCF21A64138B28F41424812B0A2BDEEF443F5680D6CF337F72 B556998C " diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_loop1_3.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_loop1_3.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_loop1_3.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_loop1_3.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_loop1.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_loop1.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_loop1.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_loop1.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_loop3.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_loop3.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_loop3.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_loop3.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_new_signer.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_new_signer.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_new_signer.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_new_signer.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cnamenx_dblnsec.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cnamenx_dblnsec.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cnamenx_dblnsec.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cnamenx_dblnsec.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_oob.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_oob.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_oob.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_oob.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cnameqtype.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cnameqtype.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cnameqtype.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cnameqtype.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned_fake_rrsig.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned_fake_rrsig.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned_fake_rrsig.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned_fake_rrsig.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_to_unsigned.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_trust_domains.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_trust_domains.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_cname_trust_domains.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_cname_trust_domains.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com and example.net; example.org is insecure trust-anchor: "example.com. 3600 IN DS 11901 7 1 4b5c9e50ad931b35fc507e0a20d141a056c19227" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_deleg_nons.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_deleg_nons.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_deleg_nons.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_deleg_nons.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,7 +1,10 @@ +do-ip6: no + ; config options trust-anchor: ". IN DS 37471 5 1 da74e4e0fe4067c2afd1d4a3cceb852a3c0d4401" stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. val-override-date: "20170301000000" +domain-insecure: net. CONFIG_END SCENARIO_BEGIN Test DNAME validation @@ -9,6 +12,28 @@ ; all the data are on the "root servers" RANGE_BEGIN 0 10000000 ADDRESS 193.0.14.129 + +ENTRY_BEGIN +MATCH qname qtype +ADJUST copy_id copy_query +REPLY QR AA NOERROR +SECTION QUESTION +net. IN NS +SECTION ANSWER +net. 3600 IN NS K.ROOT-SERVERS.NET. +ENTRY_END + +ENTRY_BEGIN +MATCH qname qtype +ADJUST copy_id copy_query +REPLY QR AA NOERROR +SECTION QUESTION +root-servers.net. IN NS +SECTION AUTHORITY +. 86400 IN SOA . . 2017021500 1800 900 604800 86400 +. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ== +ENTRY_END + ENTRY_BEGIN MATCH qname qtype opcode ADJUST copy_id diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_dname.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_dname.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_dname.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_dname.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options trust-anchor: ". IN DS 37471 5 1 da74e4e0fe4067c2afd1d4a3cceb852a3c0d4401" stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ds_afterprime.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ds_afterprime.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ds_afterprime.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ds_afterprime.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ds_cname.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ds_cname.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ds_cname.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ds_cname.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ds_cnamesub.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ds_cnamesub.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ds_cnamesub.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ds_cnamesub.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -71,6 +73,15 @@ ENTRY_END ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR @@ -83,15 +94,6 @@ ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR AA NOERROR -SECTION QUESTION -ns.example.com. IN AAAA -SECTION ANSWER -ENTRY_END - -ENTRY_BEGIN MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR AA NOERROR diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_faildnskey.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_faildnskey.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_faildnskey.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_faildnskey.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_mal_wc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_mal_wc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_mal_wc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_mal_wc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_negcache_ds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_negcache_ds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_negcache_ds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_negcache_ds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_noadwhennodo.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_noadwhennodo.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_noadwhennodo.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_noadwhennodo.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -142,10 +144,6 @@ www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -SECTION AUTHORITY -example.com. IN NS ns.example.com. -SECTION ADDITIONAL -ns.example.com. IN A 1.2.3.4 ENTRY_END SCENARIO_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nodata_hasdata.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nodata_hasdata.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nodata_hasdata.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nodata_hasdata.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nodatawc_badce.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nodatawc_badce.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nodatawc_badce.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nodatawc_badce.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nodata_zonecut.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nodata_zonecut.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nodata_zonecut.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nodata_zonecut.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nokeyprime.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nokeyprime.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nokeyprime.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nokeyprime.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_noce.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_noce.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_noce.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_noce.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nonc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nonc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nonc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nonc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm 3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nowc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nowc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nowc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror_nowc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b1_nameerror.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent_wr.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent_wr.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent_wr.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b21_nodataent_wr.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata_nons.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata_nons.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata_nons.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata_nons.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b2_nodata.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_negcache.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_negcache.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_negcache.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_negcache.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_noce.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_noce.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_noce.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_noce.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_nonc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_nonc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_nonc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout_nonc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b3_optout.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b4_wild.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b4_wild.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b4_wild.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b4_wild.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_noce.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_noce.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_noce.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_noce.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nonc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nonc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nonc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nonc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nowc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nowc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nowc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata_nowc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_b5_wcnodata.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ;server: trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_cnametocnamewctoposwc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_cnametocnamewctoposwc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_cnametocnamewctoposwc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_cnametocnamewctoposwc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_entnodata_optout_badopt.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_entnodata_optout_badopt.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_entnodata_optout_badopt.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_entnodata_optout_badopt.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_badsig.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_badsig.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_badsig.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_badsig.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_soa.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_soa.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_soa.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_nods_soa.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_noopt_ref.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_noopt_ref.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_noopt_ref.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_noopt_ref.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ad.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ad.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ad.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ad.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ns_ad.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ns_ad.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ns_ad.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_ns_ad.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options stub-addr: 193.0.14.129 trust-anchor: ". IN DS 49060 8 2 E7B1EB56D7D5791B3D45630FEAA9C823DB84B385ACEEAC5F44DD08885C36700F" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_unsec_cache.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_unsec_cache.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_unsec_cache.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nsec3_optout_unsec_cache.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options trust-anchor: ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" val-override-date: "20160220000000" diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nx_nodeny.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nx_nodeny.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nx_nodeny.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nx_nodeny.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nx_nowc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nx_nowc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nx_nowc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nx_nowc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nx.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nx.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_nx.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_nx.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_positive_nosigs.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_positive_nosigs.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_positive_nosigs.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_positive_nosigs.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_pos_truncns.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_pos_truncns.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_pos_truncns.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_pos_truncns.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_qds_oneanc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_qds_oneanc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_qds_oneanc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_qds_oneanc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -211,12 +213,12 @@ SECTION ANSWER sub.example.com. 3600 IN DS 36540 5 1 040C7E6D3E183A894CDECC56F6A33086409692F2 sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101911 20181130101911 34694 example.com. t8Ktq66BvanAwL00D3hzwIIJQXJ6NzsTBzi0Um8bESfFdxlN2WIjSVd5 hfNruVRDEsTCDlOd2r6cG3Q003NGDn7ulOUR8RLL29a4Tj9YkIJnizEw WrMUhdUU9CqbxZSq8aAKO8tIoI56NfK8FqYObZKR4aqXHOBPf0QkvPKr i+E= ;{id = 2854} -SECTION AUTHORITY -example.com. IN NS ns.example.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101911 20181130101911 34694 example.com. u92Oy+hcQjhnkA7+giV6gJlDovDUmmUrhwN3ayf9/de3EFymsGWns3rW uVBy9p9MiGuq5Gh1eBGYgBLsuxYjVQfiF3iqoXldc1La7VjmR+5YzTw0 CnTiabybAXUnEOLlyonnbCeNhN9cvn6nYLN87yPSRuzGeB2T3aFXgkUk p20= ;{id = 2854} -SECTION ADDITIONAL -ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101911 20181130101911 34694 example.com. a/cISMkpWJgOLQuAmo05DxcjxUwsets7jV2y+rYMkFn+KZh7pjUDRTvd 52pCzgWlDJPVKrBcNRUQn8D1xVwp+MO/4MjonQRuhGORwdsbuqfMD55+ zeAgEJGGi7ygt5/kFr2gioZejqj1A236IXbLfFiLTmlHtV1Y2A/mvWsP cTA= ;{id = 2854} +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;example.com. 3600 IN RRSIG NS 7 2 3600 20181230101911 20181130101911 34694 example.com. u92Oy+hcQjhnkA7+giV6gJlDovDUmmUrhwN3ayf9/de3EFymsGWns3rW uVBy9p9MiGuq5Gh1eBGYgBLsuxYjVQfiF3iqoXldc1La7VjmR+5YzTw0 CnTiabybAXUnEOLlyonnbCeNhN9cvn6nYLN87yPSRuzGeB2T3aFXgkUk p20= ;{id = 2854} +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +;ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101911 20181130101911 34694 example.com. a/cISMkpWJgOLQuAmo05DxcjxUwsets7jV2y+rYMkFn+KZh7pjUDRTvd 52pCzgWlDJPVKrBcNRUQn8D1xVwp+MO/4MjonQRuhGORwdsbuqfMD55+ zeAgEJGGi7ygt5/kFr2gioZejqj1A236IXbLfFiLTmlHtV1Y2A/mvWsP cTA= ;{id = 2854} ENTRY_END SCENARIO_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_qds_twoanc.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_qds_twoanc.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_qds_twoanc.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_qds_twoanc.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -212,12 +214,12 @@ SECTION ANSWER sub.example.com. 3600 IN DS 42960 5 1 C430C3DFF8F700A924DB9F0EB1589D47E804631B sub.example.com. 3600 IN RRSIG DS 7 3 3600 20181230101913 20181130101913 56744 example.com. G/ri3P6noC+ftYdFA35MrhZv0D/gHUISBYSuLVBir2+Bt9JukeVhqd9i zdjSXCIrxUdJUaPwSSEyLHvVOXJpR8SdtjnHR97YcxM69RSoinBpvBc4 Ey1ahaG1pOH12ipqVIwkJRIlh9C08sdyFTDALw4MwHVd8P+K+oSTEpO/ 0V4= ;{id = 2854} -SECTION AUTHORITY -example.com. IN NS ns.example.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101913 20181130101913 56744 example.com. PbI0TTbOc1OZsplLREnmRXl3zYbj4CMIk7LgavRNp9+diDWksiR1nxWo szKMYfwjN6dxlwowAgL+frC6esvLvbV5BeDhR+emsf4ayKO6OSrCHJUK 5af7jtKkrLYuVCn3Ad1RZxlecv9IIJc6cjUg5FMm3+Riuq/PrekrDZqz Si0= ;{id = 2854} -SECTION ADDITIONAL -ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101913 20181130101913 56744 example.com. KgRA0DGIjVXsmx+oLWqWNrDhoTI4doL+wm1+BufgJkfcm8LstWnCre+M sY6rV9o+DM5RvtPj+5pwhrgAMJqaLgMTrEXCWsbFvEQU1jLhYpLRNJ5L 69AMOtfVUquxrdviPcXjzR8VbB+KvH5Vg1NlsuNlxtMbqS3Lex10LKlU NA0= ;{id = 2854} +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;example.com. 3600 IN RRSIG NS 7 2 3600 20181230101913 20181130101913 56744 example.com. PbI0TTbOc1OZsplLREnmRXl3zYbj4CMIk7LgavRNp9+diDWksiR1nxWo szKMYfwjN6dxlwowAgL+frC6esvLvbV5BeDhR+emsf4ayKO6OSrCHJUK 5af7jtKkrLYuVCn3Ad1RZxlecv9IIJc6cjUg5FMm3+Riuq/PrekrDZqz Si0= ;{id = 2854} +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +;ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101913 20181130101913 56744 example.com. KgRA0DGIjVXsmx+oLWqWNrDhoTI4doL+wm1+BufgJkfcm8LstWnCre+M sY6rV9o+DM5RvtPj+5pwhrgAMJqaLgMTrEXCWsbFvEQU1jLhYpLRNJ5L 69AMOtfVUquxrdviPcXjzR8VbB+KvH5Vg1NlsuNlxtMbqS3Lex10LKlU NA0= ;{id = 2854} ENTRY_END SCENARIO_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_referral_nods.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_referral_nods.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_referral_nods.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_referral_nods.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_root_ds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_root_ds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_root_ds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_root_ds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + stub-addr: 198.41.0.4 # a.root-servers.net trust-anchor: . 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 val-override-date: 20180410000000 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_rrsig.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_rrsig.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_rrsig.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_rrsig.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -158,12 +160,12 @@ www.example.com. IN RRSIG SECTION ANSWER www.example.com. 3600 IN RRSIG A 7 3 3600 20181230101918 20181130101918 23027 example.com. AudSERijN/0vKfjRw0R0ER2ogfWxZlSQeRKnZSrqS0NXALQjkl0AosJO sMMdZZ3j3JOVqlrDTRFUtHgYl7BKgsy0srbE7RDsgFTjMmGAcgTZE6i1 lv+At+P93kZJemNpIypOTs0AlU8IoU/p+VnmQ8MIQ+lCxNIOQFTLRR3S Cn0= ;{id = 2854} -SECTION AUTHORITY -example.com. IN NS ns.example.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101918 20181130101918 23027 example.com. NL1XpsE+Edp+/XshOxsDvyADfCIu99Un1DSLAYU9kmVa+6GZMgIQchPl lRcC3YboPLAGp05RP24XBk/GB6pwlLCjg8BgxdJ6nwAXSUwHYTHFs/vk BMyGIbMgYp9PlB80GHSVUV9NK5A2QpIVnLLxuWXz+T3x8+HDAVa4X6mo n3M= ;{id = 2854} -SECTION ADDITIONAL -ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101918 20181130101918 23027 example.com. VW19ITdySwfn5/PP9dW5rzbKtvFs3F1LpMXcMLgPYriNM2t3xsGQZa+T qRlUERcaUPrmgLtMQJgClTg/Pd9wdn9TZmAt6gtd9PDfWe2n3r4SugCR BxJ9QHaYCCSpNOrir5CyblUpefP48VP+glDm0H3+rlSjjbG2K9bgHsKT 0iM= ;{id = 2854} +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;example.com. 3600 IN RRSIG NS 7 2 3600 20181230101918 20181130101918 23027 example.com. NL1XpsE+Edp+/XshOxsDvyADfCIu99Un1DSLAYU9kmVa+6GZMgIQchPl lRcC3YboPLAGp05RP24XBk/GB6pwlLCjg8BgxdJ6nwAXSUwHYTHFs/vk BMyGIbMgYp9PlB80GHSVUV9NK5A2QpIVnLLxuWXz+T3x8+HDAVa4X6mo n3M= ;{id = 2854} +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +;ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101918 20181130101918 23027 example.com. VW19ITdySwfn5/PP9dW5rzbKtvFs3F1LpMXcMLgPYriNM2t3xsGQZa+T qRlUERcaUPrmgLtMQJgClTg/Pd9wdn9TZmAt6gtd9PDfWe2n3r4SugCR BxJ9QHaYCCSpNOrir5CyblUpefP48VP+glDm0H3+rlSjjbG2K9bgHsKT 0iM= ;{id = 2854} ENTRY_END SCENARIO_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_secds_nosig.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_secds_nosig.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_secds_nosig.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_secds_nosig.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_secds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_secds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_secds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_secds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_insecure.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_insecure.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_insecure.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_insecure.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,4 +1,5 @@ stub-addr: 2001:503:ba3e::2:30 +stub-name: rootns. trust-anchor: . IN DS 48409 8 2 3D63A0C25BCE86621DE63636F11B35B908EFE8E9381E0E3E9DEFD89EA952C27D val-override-date: 20180601000000 ; avoid the mess with one server for both "." and "unsigned." diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_nokey.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_nokey.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_nokey.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ta_sentinel_nokey.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,4 +1,5 @@ stub-addr: 2001:503:ba3e::2:30 +stub-name: rootns. ; no trust-anchor for the root domain val-override-date: 20180601000000 query-minimization: off diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ta_sentinel.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ta_sentinel.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_ta_sentinel.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_ta_sentinel.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,4 +1,5 @@ stub-addr: 2001:503:ba3e::2:30 +stub-name: rootns. trust-anchor: . IN DS 48409 8 2 3D63A0C25BCE86621DE63636F11B35B908EFE8E9381E0E3E9DEFD89EA952C27D trust-anchor: example. IN DS 4759 8 2 3384CAE149834F17054DD9150E8C33D3979C4092F5C1B8D35E17A3C36A83810F val-override-date: 20180601000000 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unalgo_ds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unalgo_ds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unalgo_ds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unalgo_ds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unknown_algorithm_insecure.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unknown_algorithm_insecure.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unknown_algorithm_insecure.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unknown_algorithm_insecure.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,5 +1,6 @@ stub-addr: 198.41.0.4 trust-anchor: . IN DS 17002 8 2 775F52082C6A93154F15799C7BC9A47C0DA27C9828BA1EBAEAE5C1F685E69839 +stub-name: rootns. query-minimization: no val-override-date: 20170801000000 CONFIG_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unsecds_negcache.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unsecds_negcache.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unsecds_negcache.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unsecds_negcache.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unsecds_qtypeds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unsecds_qtypeds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unsecds_qtypeds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unsecds_qtypeds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unsecds.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unsecds.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_unsecds.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_unsecds.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_wild_pos_multi.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_wild_pos_multi.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_wild_pos_multi.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_wild_pos_multi.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -6,6 +6,7 @@ ;stub-zone: ; name: "." stub-addr: 10.1.1.1 # ns. + stub-name: ns. CONFIG_END SCENARIO_BEGIN Test validation of wildcard responses with multiple synthesized RRs. diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_wild_pos.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_wild_pos.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/val_wild_pos.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/val_wild_pos.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip6: no + ; config options ; The island of trust is at example.com ;server: @@ -150,12 +152,12 @@ SECTION ANSWER *.example.com. IN A 10.20.30.40 *.example.com. 3600 IN RRSIG A 7 2 3600 20181230101928 20181130101928 38075 example.com. RkzaVAFptvrjbFcVTye2cG720T9sstFdEh6rfTb4kDDi36GlKsrWa2hZ XtXLGYf2VisO/ronIOFTN+OpqHEN4zcsft3gRAWN+v2irAWDPD4WRVKh 1DNdJMKi2fDq2A39oe15ZwyjTc+owev5RONrMZBoUdgVb0lzhri2LNgF dgY= ;{id = 2854} -SECTION AUTHORITY -example.com. IN NS ns.example.com. -example.com. 3600 IN RRSIG NS 7 2 3600 20181230101928 20181130101928 38075 example.com. VLjbRTUiJ9qkucaMzZrX8yOwPmvBGeu2yv97i60m+eb8rn/9aXHCft8S 1oD4UTjZzNQCKcWr8nnPKFUSdf78Wnjrt3aVBFbCUYKsdz6Ru94O+kWf VUgCWLdL5vrWHgBp22KyFMNmT5jl+u6pBCYfeUR6DQNgMcB/Xk6TIp6P 3xs= ;{id = 2854} -SECTION ADDITIONAL -ns.example.com. IN A 1.2.3.4 -ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101928 20181130101928 38075 example.com. EcQ0T61tBc0Wv3hnZhRO2rf8gvyX3ERzKQy/f7c881D+30gj/7f5t1G2 mNNgeORipwMdxXtimHy3aE2zPycWlYO0ixp4UTztDcePRLPKOmyF4JRZ svMiaBK65fuuBjiG8Ul5QkgBJldObCcFIYo1GjX9L6o3I3zdU3O3DsbP 1ts= ;{id = 2854} +;SECTION AUTHORITY +;example.com. IN NS ns.example.com. +;example.com. 3600 IN RRSIG NS 7 2 3600 20181230101928 20181130101928 38075 example.com. VLjbRTUiJ9qkucaMzZrX8yOwPmvBGeu2yv97i60m+eb8rn/9aXHCft8S 1oD4UTjZzNQCKcWr8nnPKFUSdf78Wnjrt3aVBFbCUYKsdz6Ru94O+kWf VUgCWLdL5vrWHgBp22KyFMNmT5jl+u6pBCYfeUR6DQNgMcB/Xk6TIp6P 3xs= ;{id = 2854} +;SECTION ADDITIONAL +;ns.example.com. IN A 1.2.3.4 +;ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101928 20181130101928 38075 example.com. EcQ0T61tBc0Wv3hnZhRO2rf8gvyX3ERzKQy/f7c881D+30gj/7f5t1G2 mNNgeORipwMdxXtimHy3aE2zPycWlYO0ixp4UTztDcePRLPKOmyF4JRZ svMiaBK65fuuBjiG8Ul5QkgBJldObCcFIYo1GjX9L6o3I3zdU3O3DsbP 1ts= ;{id = 2854} ENTRY_END SCENARIO_END diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_lidovky_www.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_lidovky_www.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_lidovky_www.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_lidovky_www.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,6 +1,9 @@ -stub-addr: 2001:dc3::35 +; FIXME: This uses built-in root hints, if they change this will break forever val-override-date: "20170228130000" +; workarround to avoid regenerating test for the new server selection: +domain-insecure: net. trust-anchor: ". 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" +query-minimization: off CONFIG_END SCENARIO_BEGIN www.lidovky.cz CNAME c23.idnes.cz points from signed domain into unsigned domain hosted on the same server. The result must be NOERROR without AD flag. @@ -37,6 +40,26 @@ ENTRY_BEGIN MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + k.root-servers.net IN A + SECTION ANSWER + k.root-servers.net 3600000 IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA NOERROR + SECTION QUESTION + k.root-servers.net IN AAAA + SECTION ANSWER + k.root-servers.net 3600000 IN AAAA 2001:7fd::1 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname ADJUST copy_id REPLY QR AA RD DO NOERROR SECTION QUESTION diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_rhybar.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_rhybar.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_rhybar.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_rhybar.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip4: no + ; test with real world Internet data ; attempt to resolve www.rhybar.cz. A with CD first to populate BAD cache ; and then try to resolve without any DNSSEC flag to see if it validates diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_turris_api.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_turris_api.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_turris_api.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_turris_api.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip4: no + val-override-date: 20170213100700 trust-anchor: ". 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" stub-addr: 2001:dc3::35 diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_vutbr_www.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_vutbr_www.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_cz_vutbr_www.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_cz_vutbr_www.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -1,3 +1,5 @@ +do-ip4: no + ; test with real world Internet data ; attempt to resolve www.vutbr.cz. A leads to CNAME piranha.ro.vutbr.cz. ; sub-trees vutbr.cz and ro.vutbr.cz. are in separate zones diff -Nru knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_mx_nic_www.rpl knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_mx_nic_www.rpl --- knot-resolver-5.2.1/tests/integration/deckard/sets/resolver/world_mx_nic_www.rpl 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/sets/resolver/world_mx_nic_www.rpl 2021-03-31 15:15:38.000000000 +0000 @@ -6,6 +6,12 @@ val-override-date: 20170124180319 trust-anchor: ". 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5" stub-addr: 2001:dc3::35 +stub-name: m.root-servers.net +; we have added missing A/AAAA records for NS names too late +; when validity of original RRSIGs expired +; => we disable validation for mx. NS names to avoid need to resign whole test +domain-insecure: mx-ns.mx. +do-ip4: false CONFIG_END SCENARIO_BEGIN www.nic.mx. CNAME kresd issue #144 @@ -17,6 +23,58 @@ ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +m.root-servers.net. IN AAAA +SECTION ANSWER +m.root-servers.net. 3600 IN AAAA 2001:dc3::35 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +m.root-servers.net. IN A +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +net. IN NS +SECTION ANSWER +net. 3600 IN NS m.root-servers.net. +SECTION ADDITIONAL +m.root-servers.net. 3600 IN AAAA 2001:dc3::35 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +root-servers.net. IN NS +SECTION ANSWER +root-servers.net. 3600 IN NS m.root-servers.net. +SECTION ADDITIONAL +m.root-servers.net. 3600 IN AAAA 2001:dc3::35 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +net. IN DS +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id REPLY QR AA DO NOERROR SECTION QUESTION . IN DNSKEY @@ -50,6 +108,11 @@ x.mx-ns.mx. 172800 IN A 201.131.252.1 c.mx-ns.mx. 172800 IN AAAA 2001:1258::1 m.mx-ns.mx. 172800 IN AAAA 2001:13c7:7000::1 +; added AAAA records to stop resolver from asking for them later +o.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +i.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +x.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +e.mx-ns.mx. 172800 IN AAAA 2001:1258::1 ENTRY_END ; end of M.ROOT-SERVERS.NET. RANGE_END @@ -66,6 +129,79 @@ ADDRESS 2001:13c7:7000::1 ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +mx-ns.mx. IN NS +SECTION ANSWER +mx-ns.mx. 172800 IN NS c.mx-ns.mx. +mx-ns.mx. 172800 IN NS m.mx-ns.mx. +mx-ns.mx. 172800 IN NS e.mx-ns.mx. +mx-ns.mx. 172800 IN NS i.mx-ns.mx. +mx-ns.mx. 172800 IN NS o.mx-ns.mx. +mx-ns.mx. 172800 IN NS x.mx-ns.mx. +SECTION ADDITIONAL +c.mx-ns.mx. 172800 IN A 192.100.224.1 +e.mx-ns.mx. 172800 IN A 189.201.244.1 +i.mx-ns.mx. 172800 IN A 207.248.68.1 +m.mx-ns.mx. 172800 IN A 200.94.176.1 +o.mx-ns.mx. 172800 IN A 200.23.1.1 +x.mx-ns.mx. 172800 IN A 201.131.252.1 +o.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +i.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +x.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +e.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +c.mx-ns.mx. 172800 IN AAAA 2001:1258::1 +m.mx-ns.mx. 172800 IN AAAA 2001:13c7:7000::1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +mx-ns.mx. IN DS +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +i.mx-ns.mx. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +e.mx-ns.mx. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +x.mx-ns.mx. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +o.mx-ns.mx. IN AAAA +SECTION ANSWER +ENTRY_END + +ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR AA RD NOERROR diff -Nru knot-resolver-5.2.1/tests/integration/deckard/template/hints_zone.j2 knot-resolver-5.3.1/tests/integration/deckard/template/hints_zone.j2 --- knot-resolver-5.2.1/tests/integration/deckard/template/hints_zone.j2 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/template/hints_zone.j2 2021-03-31 15:15:38.000000000 +0000 @@ -1,9 +1,9 @@ ; This file holds the information on root name servers needed to ; initialize cache of Internet domain name servers -. 3600000 NS K.ROOT-SERVERS.NET. +. 3600000 NS {{ROOT_NAME}} {% if ':' in ROOT_ADDR %} -K.ROOT-SERVERS.NET. 3600000 AAAA {{ROOT_ADDR}} +{{ROOT_NAME}} 3600000 AAAA {{ROOT_ADDR}} {% else %} -K.ROOT-SERVERS.NET. 3600000 A {{ROOT_ADDR}} +{{ROOT_NAME}} 3600000 A {{ROOT_ADDR}} {% endif %} diff -Nru knot-resolver-5.2.1/tests/integration/deckard/template/kresd.j2 knot-resolver-5.3.1/tests/integration/deckard/template/kresd.j2 --- knot-resolver-5.2.1/tests/integration/deckard/template/kresd.j2 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/template/kresd.j2 2021-03-31 15:15:38.000000000 +0000 @@ -19,11 +19,7 @@ policy.add(policy.all(policy.FORWARD('{{FORWARD_ADDR}}'))) {% endif %} cache.size = 2*MB - -{% if ROOT_ADDR %} -hints.root({['k.root-servers.net'] = '{{ROOT_ADDR}}'}) -{% endif %} - +hints.root({['{{ROOT_NAME}}'] = '{{ROOT_ADDR}}'}) {% if QMIN == "false" %} option('NO_MINIMIZE', true) {% else %} @@ -40,8 +36,6 @@ {% else %} mode('permissive') {% endif %} --- Always retry failing resolver -option('NO_THROTTLE', true) -- make sure that value specified at compile-time does not break tests trust_anchors.remove('.') @@ -54,6 +48,17 @@ {% endfor %} }) +{% if DO_IP6 == "true" %} +net.ipv6 = true +{% else %} +net.ipv6 = false +{% endif %} + +{% if DO_IP4 == "true" %} +net.ipv4 = true +{% else %} +net.ipv4 = false +{% endif %} {% if FEATURES.min_ttl is defined %} cache.min_ttl({{FEATURES.min_ttl}}) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/template/unbound.j2 knot-resolver-5.3.1/tests/integration/deckard/template/unbound.j2 --- knot-resolver-5.2.1/tests/integration/deckard/template/unbound.j2 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/template/unbound.j2 2021-03-31 15:15:38.000000000 +0000 @@ -200,7 +200,17 @@ # do-ip4: yes # Enable IPv6, "yes" or "no". - # do-ip6: yes + {% if DO_IP6 == "true" %} + do-ip6: yes + {% else %} + do-ip6: no + {% endif %} + + {% if DO_IP4 == "true" %} + do-ip4: yes + {% else %} + do-ip4: no + {% endif %} # Enable UDP, "yes" or "no". # NOTE: if setting up an unbound on tls443 for public use, you might want to diff -Nru knot-resolver-5.2.1/tests/integration/deckard/tools/pydnstest/scenario.py knot-resolver-5.3.1/tests/integration/deckard/tools/pydnstest/scenario.py --- knot-resolver-5.2.1/tests/integration/deckard/tools/pydnstest/scenario.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/tools/pydnstest/scenario.py 2021-03-31 15:15:38.000000000 +0000 @@ -757,9 +757,11 @@ trust_anchor_files = {} negative_ta_list = [] stub_addr = None + stub_name = "k.root-servers.net" override_timestamp = None forward_addr = None - + do_ip6 = True + do_ip4 = True features = {} feature_list_delimiter = ';' feature_pair_delimiter = '=' @@ -798,6 +800,8 @@ override_timestamp = calendar.timegm(override_date) elif k == 'stub-addr': stub_addr = v.strip('"\'') + elif k == 'stub-name': + stub_name = v elif k == 'features': feature_list = v.split(feature_list_delimiter) try: @@ -827,6 +831,10 @@ sockfamily = socket.AF_INET6 elif k == 'forward-addr': # currently forwards everything forward_addr = v.strip('"\'') + elif k == 'do-ip4': + do_ip4 = str2bool(v) + elif k == 'do-ip6': + do_ip6 = str2bool(v) else: raise NotImplementedError('unsupported CONFIG key "%s"' % k) @@ -840,9 +848,12 @@ "TRUST_ANCHORS": trust_anchor_list, "TRUST_ANCHOR_FILES": trust_anchor_files, "FORWARD_ADDR": forward_addr, + "DO_IP6": str(do_ip6).lower(), + "DO_IP4": str(do_ip4).lower(), } if stub_addr: ctx['ROOT_ADDR'] = stub_addr + ctx['ROOT_NAME'] = stub_name # determine and verify socket family for specified root address gai = socket.getaddrinfo(stub_addr, 53, sockfamily, 0, socket.IPPROTO_UDP, socket.AI_NUMERICHOST) diff -Nru knot-resolver-5.2.1/tests/integration/deckard/tools/pydnstest/testserver.py knot-resolver-5.3.1/tests/integration/deckard/tools/pydnstest/testserver.py --- knot-resolver-5.2.1/tests/integration/deckard/tools/pydnstest/testserver.py 2020-12-09 09:44:31.000000000 +0000 +++ knot-resolver-5.3.1/tests/integration/deckard/tools/pydnstest/testserver.py 2021-03-31 15:15:38.000000000 +0000 @@ -180,9 +180,9 @@ for srv_sock in self.srv_socks: if (srv_sock.family == family - and srv_sock.getsockname() == address + and srv_sock.getsockname()[:2] == address and srv_sock.proto == proto): - return srv_sock.getsockname() + return sock = socket.socket(family, socktype, proto) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) @@ -195,25 +195,23 @@ # A lot of addresses are added to the interface while runnning from Deckard in # the small amount of time which caused ocassional hiccups while binding to them # right afterwards in testing. Therefore, we retry a few times. - ex = None + final_ex = None for i in range(self.RETRIES_ON_BIND): try: sock.bind(address) break - except OSError as e: + except OSError as ex: # Exponential backoff time.sleep((2 ** i) + random.random()) - ex = e + final_ex = ex continue else: - print(ex, address) - raise ex + print(final_ex, address) + raise final_ex if proto == socket.IPPROTO_TCP: sock.listen(5) self.srv_socks.append(sock) - sockname = sock.getsockname() - return sockname, proto def _bind_sockets(self): """ @@ -224,6 +222,7 @@ for addr in r.addresses: family = socket.AF_INET6 if ':' in addr else socket.AF_INET self.start_srv((addr, 53), family) + self.start_srv((addr, 53), family, proto=socket.IPPROTO_TCP) # Bind addresses in ad-hoc REPLYs for s in self.scenario.steps: @@ -236,8 +235,12 @@ for rd in rr: if rd.rdtype == dns.rdatatype.A: self.start_srv((rd.address, 53), socket.AF_INET) + self.start_srv((rd.address, 53), socket.AF_INET, + proto=socket.IPPROTO_TCP) elif rd.rdtype == dns.rdatatype.AAAA: self.start_srv((rd.address, 53), socket.AF_INET6) + self.start_srv((rd.address, 53), socket.AF_INET6, + proto=socket.IPPROTO_TCP) def play(self, subject_addr): self.scenario.play({'': (subject_addr, 53)}) diff -Nru knot-resolver-5.2.1/tests/meson.build knot-resolver-5.3.1/tests/meson.build --- knot-resolver-5.2.1/tests/meson.build 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/tests/meson.build 2021-03-31 15:15:36.000000000 +0000 @@ -47,6 +47,9 @@ subdir('pytests') subdir('integration') + if build_dnstap + subdir('dnstap') + endif foreach py3_dep : py3_deps py3_import = run_command(python3, '-c', 'import @0@'.format(py3_dep[0])) diff -Nru knot-resolver-5.2.1/tests/unit/meson.build knot-resolver-5.3.1/tests/unit/meson.build --- knot-resolver-5.2.1/tests/unit/meson.build 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/tests/unit/meson.build 2021-03-31 15:15:36.000000000 +0000 @@ -29,5 +29,7 @@ 'unit.' + unit_test[0], exec_test, suite: 'unit', + # they take very short time + kwargs: meson.version().version_compare('<0.52') ? {} : { 'priority': -5 }, ) endforeach diff -Nru knot-resolver-5.2.1/tests/unit/test.h knot-resolver-5.3.1/tests/unit/test.h --- knot-resolver-5.2.1/tests/unit/test.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/tests/unit/test.h 2021-03-31 15:15:36.000000000 +0000 @@ -85,7 +85,7 @@ */ static inline void test_random_rr(knot_rrset_t *rr, uint32_t ttl) { - static uint8_t owner_buf[KNOT_DNAME_MAXLEN]; + static uint8_t owner_buf[KNOT_DNAME_MAXLEN] = { 0 }; static uint8_t rdata_buf[65535]; knot_rdata_t *rdata = (knot_rdata_t *)rdata_buf; @@ -93,7 +93,6 @@ uint8_t tmp_buf[KNOT_DNAME_MAXLEN]; /* Create random label. */ - memset(owner_buf, 0, sizeof(owner_buf)); uint8_t label_len = num % KNOT_DNAME_MAXLABELLEN; owner_buf[0] = label_len; test_randstr((char *)(owner_buf + 1), label_len); diff -Nru knot-resolver-5.2.1/utils/cache_gc/db.c knot-resolver-5.3.1/utils/cache_gc/db.c --- knot-resolver-5.2.1/utils/cache_gc/db.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/utils/cache_gc/db.c 2021-03-31 15:15:36.000000000 +0000 @@ -78,8 +78,10 @@ } else { /* find the first double zero in the key */ for (i = 2; kd[i - 1] || kd[i - 2]; ++i) { - if (i >= key.len) + if (i >= key.len) { + // TODO: assert(!EINVAL) -> kr_assume() return NULL; + } } } // the next character can be used for classification @@ -94,7 +96,10 @@ return &NSEC1; case '3': return &NSEC3; + case 'S': // the rtt_state entries are considered inconsistent, at least for now + return NULL; default: + assert(!EINVAL); return NULL; } } @@ -206,6 +211,8 @@ entry = val2entry(val, *entry_type); } /* TODO: perhaps improve some details around here: + * - rtt_state entries are considered gc_inconsistent; + * therefore they'll be the first to get freed (see kr_gc_categorize()) * - xNAME have .rrtype NS * - DNAME hidden on NS name will not be considered here * - if zone has NSEC* meta-data but no NS, it will be seen diff -Nru knot-resolver-5.2.1/utils/cache_gc/db.h knot-resolver-5.3.1/utils/cache_gc/db.h --- knot-resolver-5.2.1/utils/cache_gc/db.h 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/utils/cache_gc/db.h 2021-03-31 15:15:36.000000000 +0000 @@ -21,6 +21,11 @@ int kr_gc_cache_iter(knot_db_t * knot_db, const kr_cache_gc_cfg_t *cfg, kr_gc_iter_callback callback, void *ctx); +/** Return RR type corresponding to the key or NULL. + * + * NULL is returned on unexpected values (those also trigger assertion) + * and on other kinds of data in cache (e.g. struct rtt_state). + */ const uint16_t *kr_gc_key_consistent(knot_db_val_t key); /** Printf a *binary* string in a human-readable way. */ diff -Nru knot-resolver-5.2.1/utils/cache_gc/kr_cache_gc.c knot-resolver-5.3.1/utils/cache_gc/kr_cache_gc.c --- knot-resolver-5.2.1/utils/cache_gc/kr_cache_gc.c 2020-12-09 09:44:29.000000000 +0000 +++ knot-resolver-5.3.1/utils/cache_gc/kr_cache_gc.c 2021-03-31 15:15:36.000000000 +0000 @@ -277,8 +277,8 @@ case KNOT_EOK: deleted_records++; const uint16_t *entry_type = kr_gc_key_consistent(**i); - assert(entry_type != NULL); - rrtypelist_add(&deleted_rrtypes, *entry_type); + if (entry_type != NULL) // some "inconsistent" entries are OK + rrtypelist_add(&deleted_rrtypes, *entry_type); break; case KNOT_ENOENT: already_gone++;