Merge branch 'release-410' into 'master'

Release 4.1.0

See merge request knot/knot-resolver!845

NEWS

@@ -1,28 +1,32 @@
-Knot Resolver 4.x.y (2019-0m-dd)
+Knot Resolver 4.1.0 (2019-07-10)
 ================================
 
 Security
 --------
-- fix CVE-2019-10191: caching negative answer with forged QNAME+QTYPE
+- fix CVE-2019-10190: do not pass bogus negative answer to client (!827)
+- fix CVE-2019-10191: do not cache negative answer with forged QNAME+QTYPE (!839)
 
 Improvements
 ------------
+- new cache garbage collector is available and enabled by default (#257)
+  This improves cache efficiency on big installations.
+- DNS-over-HTTPS: unknown HTTP parameters are ignored to improve compatibility
+  with non-standard clients (!832)
 - DNS-over-HTTPS: answers include `access-control-allow-origin: *` (!823)
-- support named AF_UNIX stream sockets for the http module (again)
+  which allows JavaScript to use DoH endpoint.
+- http module: support named AF_UNIX stream sockets (again)
 - aggressive caching is disabled on minimal NSEC* ranges (!826)
+  This improves cache effectivity with DNSSEC black lies and also accidentally
+  works around bug in proofs-of-nonexistence from F5 BIG-IP load-balancers.
 - aarch64 support, even kernels with ARM64_VA_BITS >= 48 (#216, !797)
-  This is done by working around a LuaJIT incompatibility.
-- lua modules may omit casting parameters of layer functions (!797)
+  This is done by working around a LuaJIT incompatibility. Please report bugs.
 - lua tables for C modules are more strict by default, e.g. `nsid.foo`
   will throw an error instead of returning `nil` (!797)
-- http module: also send intermediate TLS certificate to clients,
-  if available and luaossl >= 20181207 (!819)
-- systemd: basic watchdog is now available and turned on by default (#275)
-- experimental cache garbage collector daemon is available (#257)
+- systemd: basic watchdog is now available and enabled by default (#275)
 
 Bugfixes
 --------
-- TCP to upstream: don't send wrong message length (unlikely, !816)
+- TCP to upstream: fix unlikely case of sending out wrong message length (!816)
 - http module: fix problems around maintenance of ephemeral certs (!819)
 - http module: also send intermediate TLS certificate to clients,
   if available and luaossl >= 20181207 (!819)
@@ -34,6 +38,11 @@ Bugfixes
 - cache: automatically clear stale reader locks (!844)
 
 
+Module API changes
+------------------
+- lua modules may omit casting parameters of layer functions (!797)
+
+
 Knot Resolver 4.0.0 (2019-04-18)
 ================================
 

daemon/README.rst

@@ -616,25 +616,20 @@ For more details, see ``kresd.systemd(7)``.
 Cache Garbage Collector
 =======================
 
-.. warning:: Garbage collector is experimental and subject to change in future
-   releases. This feature isn't currently turned on by default.
-
-By default, kresd uses the available cache until it's full. When more space is
+kresd daemon uses the available cache until it's full. When more space is
 required, the entire cache is dropped. To avoid starting over with an empty
 cache, a separate garbage collector daemon is available to periodically trim
 the cache instead.
 
-The cache garbage collector daemon (``kres_cache_gc``) monitors the cache usage
-and attempts to free up space when a threshold is reached. To spawn the daemon
-and configure it to run every minute, use:
+The cache garbage collector daemon (``kres-cache-gc``) monitors the cache usage
+and attempts to free up space when a threshold is reached. A garbage collector
+systemd service, ``kres-cache-gc.service`` is turned on in our upstream packages.
 
-.. code-block:: bash
+To spawn the daemon manually and configure it to run every second, use:
 
-   $ kres_cache_gc -c /var/cache/knot-resolver -d 10000
+.. code-block:: bash
 
-It's also possible to run this under systemd. However, a dedicated systemd unit
-is not currently part of the upstream package. See `message#167`_ on our
-mailing list for an example of such a unit file.
+   $ kres-cache-gc -c /var/cache/knot-resolver -d 1000
 
 
 Using CLI tools
@@ -689,4 +684,3 @@ Code reference
 .. _`real process managers`: http://blog.crocodoc.com/post/48703468992/process-managers-the-good-the-bad-and-the-ugly
 .. _`socket activation`: http://0pointer.de/blog/projects/socket-activation.html
 .. _`dnsproxy module`: https://www.knot-dns.cz/docs/2.7/html/modules.html#dnsproxy-tiny-dns-proxy
-.. _`message#167`: https://lists.nic.cz/pipermail/knot-resolver-users/2019/000167.html

distro/deb/knot-resolver.install

@@ -1,5 +1,6 @@
 etc/knot-resolver/kresd.conf
 usr/lib/systemd/system/kresd@.service lib/systemd/system/
+usr/lib/systemd/system/kres-cache-gc.service lib/systemd/system/
 usr/lib/systemd/system/kresd.target lib/systemd/system/
 usr/lib/systemd/system/kresd.socket lib/systemd/system/
 usr/lib/systemd/system/kresd-tls.socket lib/systemd/system/
@@ -30,4 +31,4 @@ usr/lib/knot-resolver/kres_modules/view.lua
 usr/lib/knot-resolver/kres_modules/workarounds.lua
 usr/sbin/kresc
 usr/sbin/kresd
-usr/sbin/kres_cache_gc
+usr/sbin/kres-cache-gc

distro/rpm/knot-resolver.spec

@@ -203,15 +203,18 @@ getent group knot-resolver >/dev/null || groupadd -r knot-resolver
 getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysconfdir}/knot-resolver -s /sbin/nologin -c "Knot Resolver" knot-resolver
 
 %post
-%systemd_post 'kresd@*.service'
 %if 0%{?fedora}
+# in case socket/service files are updated
+systemctl daemon-reload
+%systemd_post 'system-kresd.slice'
 # https://fedoraproject.org/wiki/Changes/Removing_ldconfig_scriptlets
 %else
+%systemd_post 'kresd@*.service'
 /sbin/ldconfig
 %endif
 
 %preun
-%systemd_preun 'kresd@*.service' kresd.target kresd.socket kresd-tls.socket
+%systemd_preun 'kresd@*.service' kres-cache-gc.service kresd.target kresd.socket kresd-tls.socket
 
 %postun
 # NOTE: this doesn't restart the services on CentOS 7
@@ -234,6 +237,7 @@ getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysc
 %attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/root.hints
 %attr(644,root,knot-resolver) %config(noreplace) %{_sysconfdir}/knot-resolver/icann-ca.pem
 %{_unitdir}/kresd@.service
+%{_unitdir}/kres-cache-gc.service
 %{_unitdir}/kresd.target
 %dir %{_unitdir}/multi-user.target.wants
 %{_unitdir}/multi-user.target.wants/kresd.target
@@ -251,7 +255,7 @@ getent passwd knot-resolver >/dev/null || useradd -r -g knot-resolver -d %{_sysc
 %attr(750,knot-resolver,knot-resolver) %dir %{_localstatedir}/cache/%{name}
 %{_sbindir}/kresd
 %{_sbindir}/kresc
-%{_sbindir}/kres_cache_gc
+%{_sbindir}/kres-cache-gc
 %{_libdir}/libkres.so.*
 %dir %{_libdir}/knot-resolver
 %{_libdir}/knot-resolver/*.so

distro/tests/ansible-roles/knot_resolver/tasks/main.yaml

@@ -23,6 +23,8 @@
     - include: test_tls.yaml
     - include: test_dnssec.yaml
 
+    - include: test_kres_cache_gc.yaml
+
     - name: Test DoH
       block:
         - name: Install knot-resolver-module-http

distro/tests/ansible-roles/knot_resolver/tasks/test_kres_cache_gc.yaml

@@ -0,0 +1,3 @@
+---
+- name: check kres-cache-gc.service is active
+  shell: systemctl is-active -q kres-cache-gc.service

meson.build

@@ -2,7 +2,7 @@ project(
   'knot-resolver',
   ['c', 'cpp'],
   license: 'GPLv3+',
-  version: '4.0.0',
+  version: '4.1.0',
   default_options: ['c_std=gnu11', 'b_ndebug=if-release'],
   meson_version: '>=0.46',
 )

systemd/kres-cache-gc.service.in

@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver Garbage Collector daemon
+Documentation=man:kresd.systemd(7)
+Documentation=man:kresd(8)
+
+[Service]
+Type=simple
+ExecStart=@sbin_dir@/kres-cache-gc -c @systemd_work_dir@ -d 1000
+User=knot-resolver
+Restart=on-failure
+RestartSec=30
+StartLimitInterval=400
+StartLimitBurst=10
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=kresd.target

systemd/kresd@.service.in

@@ -2,6 +2,8 @@
 Description=Knot Resolver daemon
 Documentation=man:kresd.systemd(7)
 Documentation=man:kresd(8)
+Wants=kres-cache-gc.service
+Before=kres-cache-gc.service
 
 [Service]
 Type=notify

systemd/meson.build

@@ -30,6 +30,12 @@ if systemd_files == 'enabled'
     configuration: systemd_config,
     install_dir: systemd_unit_dir,
   )
+  kres_cache_gc_service = configure_file(
+    input: 'kres-cache-gc.service.in',
+    output: 'kres-cache-gc.service',
+    configuration: systemd_config,
+    install_dir: systemd_unit_dir,
+  )
   install_data(
     sources: [
       'kresd.socket',

systemd/nosocket/kres-cache-gc.service.in

@@ -0,0 +1,17 @@
+[Unit]
+Description=Knot Resolver Garbage Collector daemon
+Documentation=man:kresd.systemd.nosocket(7)
+Documentation=man:kresd(8)
+
+[Service]
+Type=simple
+ExecStart=@sbin_dir@/kres-cache-gc -c @systemd_work_dir@ -d 1000
+User=knot-resolver
+Restart=on-failure
+RestartSec=30
+StartLimitInterval=400
+StartLimitBurst=10
+Slice=system-kresd.slice
+
+[Install]
+WantedBy=kresd.target

systemd/nosocket/kresd@.service.in

@@ -2,6 +2,8 @@
 Description=Knot Resolver daemon
 Documentation=man:kresd.systemd.nosocket(7)
 Documentation=man:kresd(8)
+Wants=kres-cache-gc.service
+Before=kres-cache-gc.service
 
 [Service]
 Type=notify

systemd/nosocket/meson.build

@@ -7,6 +7,12 @@ kresd_service = configure_file(
   configuration: systemd_config,
   install_dir: systemd_unit_dir,
 )
+kres_cache_gc_service = configure_file(
+  input: 'kres-cache-gc.service.in',
+  output: 'kres-cache-gc.service',
+  configuration: systemd_config,
+  install_dir: systemd_unit_dir,
+)
 
 install_data(
   sources: 'kresd.target',

utils/cache_gc/db.c

@@ -43,7 +43,8 @@ int kr_gc_cache_open(const char *cache_path, struct kr_cache *kres_db,
 	snprintf(cache_data, sizeof(cache_data), "%s/data.mdb", cache_path);
 
 	struct stat st = { 0 };
-	if (stat(cache_path, &st) || !(st.st_mode & S_IFDIR) || stat(cache_data, &st)) {
+	if (stat(cache_path, &st) || !(st.st_mode & S_IFDIR)
+	    || stat(cache_data, &st)) {
 		printf("Error: %s does not exist or is not a LMDB.\n", cache_path);
 		return -ENOENT;
 	}
@@ -228,16 +229,20 @@ int kr_gc_cache_iter(knot_db_t * knot_db, kr_gc_iter_callback callback, void *ct
 		}
 #ifdef DEBUG
 		counter_kr_consistent += info.valid;
-		printf("GC %sconsistent, KR %sconsistent, size %zu, key len %zu: ",
-		       entry_type ? "" : "in", entry ? "" : "IN", (key.len + val.len),
-		       key.len);
-		debug_printbin(key.data, key.len);
-		printf("\n");
+		if (!entry_type || !entry) {	// don't log fully consistent entries
+			printf
+			    ("GC %sconsistent, KR %sconsistent, size %zu, key len %zu: ",
+			     entry_type ? "" : "in", entry ? "" : "IN",
+			     (key.len + val.len), key.len);
+			debug_printbin(key.data, key.len);
+			printf("\n");
+		}
 #endif
 		ret = callback(&key, &info, ctx);
 
 		if (ret != KNOT_EOK) {
-			printf("Error iterating database (%s).\n", knot_strerror(ret));
+			printf("Error iterating database (%s).\n",
+			       knot_strerror(ret));
 			api->iter_finish(it);
 			api->txn_abort(&txn);
 			return ret;

utils/cache_gc/db.h

@@ -10,8 +10,8 @@ int kr_gc_cache_open(const char *cache_path, struct kr_cache *kres_db,
 
 void kr_gc_cache_close(struct kr_cache *kres_db, knot_db_t * knot_db);
 
-typedef int (*kr_gc_iter_callback)(const knot_db_val_t * key, gc_record_info_t * info,
-				   void *ctx);
+typedef int (*kr_gc_iter_callback)(const knot_db_val_t * key,
+				   gc_record_info_t * info, void *ctx);
 
 int kr_gc_cache_iter(knot_db_t * knot_db, kr_gc_iter_callback callback, void *ctx);