Merge !1678: misc 5.x backports

Author: vcunat

.gitlab-ci.yml

@@ -20,7 +20,7 @@ variables:
   # IMAGE_TAG is a Git branch/tag name from https://gitlab.nic.cz/knot/knot-resolver-ci
   # In general, keep it pointing to a tag - use a branch only for development.
   # More info in the knot-resolver-ci repository.
-  IMAGE_TAG: 'v20240506'
+  IMAGE_TAG: 'v20250324'
   IMAGE_PREFIX: '$CI_REGISTRY/knot/knot-resolver-ci'
 
 image: $IMAGE_PREFIX/debian12-knot_3_3:$IMAGE_TAG
@@ -325,12 +325,10 @@ trivial_checks: # aggregated to save some processing
     - ci/no_assert_check.sh
     - ci/deckard_commit_check.sh
 
-lint:other:
+lint:luacheck:
   <<: *sanity
   script:
     - meson build_ci_lint &>/dev/null
-    - ninja -C build_ci* pylint
-    - ninja -C build_ci* flake8
     - ninja -C build_ci* luacheck
 
 lint:pedantic:
@@ -873,6 +871,10 @@ pkg:make-archive:
     - apkg build-dep
     - apkg make-archive
 
+pkg:debian-13:
+  <<: *pkg_test_deb
+  image: $CI_REGISTRY/packaging/apkg/full/debian-13
+
 pkg:debian-12:
   <<: *pkg_test_deb
   <<: *enable_repo_build
@@ -883,6 +885,10 @@ pkg:debian-11:
   <<: *enable_repo_build
   image: $CI_REGISTRY/packaging/apkg/full/debian-11
 
+pkg:ubuntu-25.04:
+  <<: *pkg_test_deb
+  image: $CI_REGISTRY/packaging/apkg/full/ubuntu-25.04
+
 pkg:ubuntu-24.04:
   <<: *pkg_test_deb
   image: $CI_REGISTRY/packaging/apkg/full/ubuntu-24.04

NEWS

@@ -5,6 +5,15 @@ Bugfixes
 --------
 - daemon/http: DoH stream got stuck after returning an error code (!1652)
 
+Improvements
+------------
+- tests: disable problematic config.http test (#925, !1678)
+- validator: accept a confusing NODATA proof with insecure delegation (!1678)
+
+Bugfixes
+--------
+- stats: request latency was very incorrect in some cases (!1678)
+
 
 Knot Resolver 5.7.4 (2024-07-23)
 ================================

daemon/lua/kres-gen-32.lua

@@ -634,6 +634,7 @@ typedef struct zs_scanner {
 	uint8_t addr[16];
 	_Bool long_string;
 	_Bool comma_list;
+	_Bool pending_backslash;
 	uint8_t *dname;
 	uint32_t *dname_length;
 	uint32_t dname_tmp_length;

doc/conf.py

@@ -16,7 +16,7 @@
 extensions = ['sphinx.ext.todo', 'sphinx.ext.viewcode', 'breathe']
 
 theme_major = sphinx_rtd_theme.__version__.partition('.')[0]
-if theme_major == '2':
+if theme_major >= '2':
     extensions.append('sphinxcontrib.jquery')
 
 # Breathe configuration

lib/dnssec/nsec.c

@@ -161,10 +161,16 @@ int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t ty
 		break;
 	default:
 		/* Parent-side delegation record isn't authoritative for non-DS;
-		 * see RFC6840 4.1. */
+		 * see RFC6840 4.1.
+		 *
+		 * Additionally, we signal if the NODATA would belong
+		 * to an *insecure* child zone.
+		 */
 		if (dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_NS)
 		    && !dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_SOA)) {
-			return NO_PROOF;
+			return dnssec_nsec_bitmap_contains(bm, bm_size, KNOT_RRTYPE_DS)
+				? NO_PROOF
+				: KNOT_EDOWNGRADED;
 		}
 		/* LATER(opt): perhaps short-circuit test if we repeat it here. */
 	}
@@ -218,9 +224,12 @@ int kr_nsec_negative(const ranked_rr_array_t *rrrs, uint32_t qry_uid,
 			&& kr_rank_test(rrrs->at[i]->rank, KR_RANK_SECURE);
 		if (!ok) continue;
 		const int covers = nsec_covers(nsec, sname);
-		if (covers == abs(EEXIST)
-		    && no_data_response_check_rrtype(nsec, stype) == 0) {
-			return PKT_NODATA; // proven NODATA by matching NSEC
+		if (covers == abs(EEXIST)) {
+			int ret = no_data_response_check_rrtype(nsec, stype);
+			if (ret == 0)
+				return PKT_NODATA; // proven NODATA by matching NSEC
+			if (ret == KNOT_EDOWNGRADED)
+				return ret;
 		}
 		if (covers != 0) continue;
 

lib/dnssec/nsec.h

@@ -8,6 +8,8 @@
 
 #include "lib/layer/iterate.h"
 
+#define KNOT_EDOWNGRADED (KNOT_ERROR_MIN - 1)
+
 /**
  * Check bitmap that child names are contained in the same zone.
  * @note see RFC6840 4.1.
@@ -25,6 +27,7 @@ int kr_nsec_children_in_zone_check(const uint8_t *bm, uint16_t bm_size);
  * @param owner   NSEC record owner.
  * @note This includes special checks for zone cuts, e.g. from RFC 6840 sec. 4.
  * @return 0, abs(ENOENT) (no proof), kr_error(EINVAL)
+ *   KNOT_EDOWNGRADED: special case where the RR would be in an insecure child zone.
  */
 int kr_nsec_bitmap_nodata_check(const uint8_t *bm, uint16_t bm_size, uint16_t type, const knot_dname_t *owner);
 
@@ -44,6 +47,7 @@ int kr_nsec_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t
  * @param rrrs       list of RRs to search; typically kr_request::auth_selected
  * @param qry_uid    only consider NSECs from this packet, for better efficiency
  * @return           negative error code, or PKT_NXDOMAIN | PKT_NODATA (both for NXDOMAIN)
+ *                   KNOT_EDOWNGRADED: special case where the RR would be in an insecure child zone.
  */
 int kr_nsec_negative(const ranked_rr_array_t *rrrs, uint32_t qry_uid,
 			const knot_dname_t *sname, uint16_t stype);

lib/dnssec/nsec3.c

@@ -507,6 +507,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
  * @param sname      Name to be checked.
  * @param stype      Type to be checked.
  * @return           0 or error code.
+ *                   KNOT_EDOWNGRADED: special case where the RR would be in an insecure child zone.
  * @note             This does NOT check the opt-out case if type is DS;
  *                   see RFC 5155 8.6.
  */
@@ -528,8 +529,9 @@ static int nodata_find(const knot_pkt_t *pkt, knot_section_t section_id,
 
 		const uint8_t *bm = knot_nsec3_bitmap(nsec3->rrs.rdata);
 		uint16_t bm_size = knot_nsec3_bitmap_len(nsec3->rrs.rdata);
-		if (kr_nsec_bitmap_nodata_check(bm, bm_size, type, nsec3->owner) == kr_ok())
-			return kr_ok();
+		int ret = kr_nsec_bitmap_nodata_check(bm, bm_size, type, nsec3->owner);
+		if (ret == kr_ok() || ret == KNOT_EDOWNGRADED)
+			return ret;
 	}
 
 	return kr_error(ENOENT);
@@ -602,8 +604,8 @@ int kr_nsec3_no_data(const knot_pkt_t *pkt, knot_section_t section_id,
 {
 	/* DS record may be also matched by an existing NSEC3 RR. */
 	int ret = nodata_find(pkt, section_id, sname, stype);
-	if (ret == 0) {
-		/* Satisfies RFC5155 8.5 and 8.6, both first paragraph. */
+	if (ret == 0 || ret == KNOT_EDOWNGRADED) {
+		/* If 0, satisfies RFC5155 8.5 and 8.6, both first paragraph. */
 		return ret;
 	}
 

lib/dnssec/nsec3.h

@@ -87,6 +87,8 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
  * @return           0 or error code:
  *                   DNSSEC_NOT_FOUND - neither ds nor nsec records
  *                   were not found.
+ *                   KNOT_EDOWNGRADED - special case where
+ *                     the RR would be in an insecure child zone.
  *                   KNOT_ERANGE - denial of existence can't be proven
  *                   due to opt-out, otherwise - bogus.
  */

lib/layer/validate.c

@@ -144,8 +144,6 @@ static bool maybe_downgrade_nsec3(const ranked_rr_array_entry_t *e, struct kr_qu
 	return true;
 }
 
-#define KNOT_EDOWNGRADED (KNOT_ERROR_MIN - 1)
-
 static int validate_section(kr_rrset_validation_ctx_t *vctx, struct kr_query *qry,
 			    knot_mm_t *pool)
 {
@@ -1271,6 +1269,12 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 					 * we must continue, validate NSEC\NSEC3 and
 					 * call update_parent_keys() to mark
 					 * parent queries as insecure */
+				} else if (ret == KNOT_EDOWNGRADED) { // either NSEC3 or NSEC
+					VERBOSE_MSG(qry, "<= DNSSEC downgraded by a weird proof confusing NODATA with insecure delegation\n");
+					qry->flags.DNSSEC_WANT = false;
+					qry->flags.DNSSEC_INSECURE = true;
+					rank_records(qry, true, KR_RANK_INSECURE, qry->sname);
+					mark_insecure_parents(qry);
 				} else {
 					VERBOSE_MSG(qry, "<= bad NODATA proof\n");
 					kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC_MISS, "AHXI");

lib/rplan.c

@@ -157,6 +157,8 @@ static struct kr_query *kr_rplan_push_query(struct kr_rplan *rplan,
 	qry->request = rplan->request;
 
 	gettimeofday(&qry->timestamp, NULL);
+	if (!parent)  // start of kr_request; let's make the stamp more precise
+		uv_update_time(uv_default_loop());
 	qry->timestamp_mono = kr_now();
 	qry->creation_time_mono = parent ? parent->creation_time_mono : qry->timestamp_mono;
 	kr_zonecut_init(&qry->zone_cut, (const uint8_t *)"", rplan->pool);

lib/rplan.h

@@ -98,7 +98,7 @@ struct kr_query {
 				 * ancestor if it is a subquery. */
 	uint64_t timestamp_mono; /**< Time of query created or time of
 	                           * query to upstream resolver (milliseconds). */
-	struct timeval timestamp; /**< Real time for TTL+DNSSEC checks (.tv_sec only). */
+	struct timeval timestamp; /**< Creation real time.  For TTL+DNSSEC checks we use .tv_sec only. */
 	struct kr_zonecut zone_cut;
 	struct kr_layer_pickle *deferred;
 

meson.build

@@ -278,8 +278,6 @@ install_data(
 message('--- lint dependencies ---')
 clangtidy = find_program('clang-tidy', required: false)
 luacheck = find_program('luacheck', required: false)
-flake8 = find_program('flake8', required: false)
-pylint_run = find_program('scripts/run-pylint.sh')
 message('-------------------------')
 
 if clangtidy.found()
@@ -306,22 +304,6 @@ if luacheck.found()
   )
 endif
 
-if flake8.found()
-  run_target(
-    'flake8',
-    command: [
-      flake8,
-      '--max-line-length=100',
-      meson.source_root() / 'tests' / 'pytests',
-    ],
-  )
-endif
-
-run_target(
-  'pylint',
-  command: pylint_run,
-)
-
 
 # Summary message
 # NOTE: ternary operator in format() not supported

modules/http/meson.build

@@ -19,7 +19,7 @@ lua_mod_src += [
 ]
 
 config_tests += [
-  ['http', files('http.test.lua')],
+  #['http', files('http.test.lua')],  # https://gitlab.nic.cz/knot/knot-resolver/-/issues/925
   ['http.doh', files('http_doh.test.lua')],
   ['http.tls', files('test_tls/tls.test.lua'), ['skip_asan']],
 ]

modules/stats/stats.c

@@ -248,9 +248,14 @@ static int collect(kr_layer_t *ctx)
 	collect_answer(data, param->answer);
 	/* Count cached and unresolved */
 	if (rplan->resolved.len > 0) {
-		/* Histogram of answer latency. */
-		struct kr_query *first = rplan->resolved.at[0];
-		uint64_t elapsed = kr_now() - first->timestamp_mono;
+		/* Histogram of answer latency.
+		 *
+		 * We update the notion of time.  Once per .finish isn't that expensive.
+		 * defer_* also updates this if active, but not in ideal moment for stats.
+		 */
+		uv_update_time(uv_default_loop());
+		uint64_t elapsed = kr_now() - rplan->initial->creation_time_mono;
+
 		stat_const_add(data, metric_answer_sum_ms, elapsed);
 		if (elapsed <= 1) {
 			stat_const_add(data, metric_answer_1ms, 1);