├── distro ├── pkg │ ├── deb │ │ ├── compat │ │ ├── clean │ │ ├── source │ │ │ └── format │ │ ├── knot-resolver6.dirs │ │ ├── knot-resolver6-module-dnstap.install │ │ ├── knot-resolver6.manpages │ │ ├── knot-resolver6.links │ │ ├── knot-resolver6-dev.install │ │ ├── knot-resolver6.docs │ │ ├── not-installed │ │ ├── knot-resolver6-module-http.lintian-overrides │ │ ├── changelog │ │ ├── knot-resolver6.postrm │ │ ├── knot-resolver6-module-http.install │ │ ├── knot-resolver6-module-http.links │ │ ├── knot-resolver6.lintian-overrides │ │ └── knot-resolver6.postinst │ └── nix │ │ └── top-level.nix └── config │ └── apkg.toml ├── contrib ├── ucw │ ├── LICENSE │ └── libucw.spdx ├── murmurhash3 │ ├── LICENSE │ ├── murmurhash3.h │ └── murmurhash3.spdx ├── ccan │ ├── compiler │ │ ├── LICENSE │ │ └── compiler.spdx │ ├── json │ │ ├── LICENSE │ │ └── json.spdx │ └── asprintf │ │ ├── LICENSE │ │ └── asprintf.spdx ├── config.h ├── base64.spdx ├── base32hex.spdx ├── meson.build └── cleanup.h ├── etc ├── config │ ├── .gitignore │ ├── config.test-rate-limiting.yaml │ ├── config.test-defer.yaml │ ├── config.yaml │ ├── config.dev.yaml │ ├── config.migrate-test2.yaml │ ├── config.test-forward.yaml │ ├── config.example.personal.yaml │ ├── config.example.docker.yaml │ ├── config.personal │ ├── config.internal │ ├── config.example.internal.yaml │ ├── config.test-local-data.yaml │ ├── meson.build │ └── config.migrate-test.yaml ├── root.keys └── meson.build ├── modules ├── prefill │ └── prefill.test │ │ ├── empty.zone │ │ ├── random.zone │ │ ├── testroot.zone.unsigned │ │ └── example.com.zone ├── ta_update │ ├── ta_update.unmanagedkey.test.integr │ │ ├── rfc5011 │ │ └── deckard.yaml │ ├── ta_update.test.integr │ │ ├── rfc5011 │ │ │ ├── pydnstest │ │ │ ├── unsigned_ok.db │ │ │ ├── unsigned_check.db │ │ │ ├── empty.rpl │ │ │ ├── README │ │ │ └── knot.root.conf │ │ └── deckard.yaml │ ├── root.keys │ └── meson.build ├── hints │ ├── tests │ │ ├── hints.test.hosts │ │ └── hints_test.zone │ └── 
meson.build ├── http │ ├── static │ │ ├── favicon.ico │ │ ├── glyphicons-halflings-regular.woff2 │ │ ├── epoch.spdx │ │ ├── bootstrap.min.js.spdx │ │ ├── selectize.spdx │ │ ├── jquery.spdx │ │ ├── bootstrap-theme.min.css.spdx │ │ ├── datamaps.world.min.spdx │ │ ├── dygraph.min.js.spdx │ │ ├── topojson.spdx │ │ ├── d3.spdx │ │ ├── bootstrap.min.css.spdx │ │ ├── glyphicons-halflings-regular.spdx │ │ └── kresd.css │ └── test_tls │ │ ├── broken.crt │ │ └── broken.key ├── experimental_dot_auth │ └── meson.build ├── policy │ ├── policy.test.rpz.soa │ ├── test.integr │ │ ├── deckard.yaml │ │ └── refuse.rpl │ ├── noipv6.test.integr │ │ ├── deckard.yaml │ │ └── broken-ipv6.rpl │ ├── noipvx.test.integr │ │ ├── deckard.yaml │ │ └── broken-ipvx.rpl │ └── policy.test.rpz ├── view │ ├── meson.build │ ├── addr.test.integr │ │ └── deckard.yaml │ └── tsig.test.integr │ │ └── deckard.yaml ├── workarounds │ ├── README.rst │ └── workarounds.lua ├── daf │ ├── test.integr │ │ ├── deckard.yaml │ │ └── module_daf.rpl │ └── meson.build ├── stats │ ├── test.integr │ │ └── deckard.yaml │ └── meson.build ├── rebinding │ └── test.integr │ │ └── deckard.yaml ├── refuse_nord │ ├── test.integr │ │ ├── deckard.yaml │ │ └── refuse_nord.rpl │ ├── README.rst │ └── meson.build ├── serve_stale │ ├── test.integr │ │ └── deckard.yaml │ └── README.rst ├── bogus_log │ ├── test.integr │ │ └── deckard.yaml │ └── meson.build ├── nsid │ ├── meson.build │ ├── nsid.test.lua │ └── README.rst ├── edns_keepalive │ ├── meson.build │ └── README.rst ├── extended_error │ └── meson.build ├── cookies │ ├── cookiemonster.h │ └── cookiectl.h ├── prefetch │ ├── README.rst │ └── prefetch.lua ├── rfc7706.rst ├── priming │ └── README.rst ├── ta_sentinel │ └── README.rst ├── detect_time_jump │ └── README.rst └── detect_time_skew │ └── README.rst ├── python └── knot_resolver │ ├── manager │ ├── __init__.py │ ├── __main__.py │ ├── exceptions.py │ ├── files │ │ ├── __init__.py │ │ └── reload.py │ └── metrics │ │ └── __init__.py │ 
├── utils │ ├── compat │ │ ├── __init__.py │ │ └── typing.py │ ├── modeling │ │ ├── base_generic_type_wrapper.py │ │ └── __init__.py │ ├── etag.py │ ├── custom_atexit.py │ └── which.py │ ├── client │ ├── __main__.py │ ├── __init__.py │ └── commands │ │ └── help.py │ ├── datamodel │ ├── __init__.py │ ├── templates │ │ ├── defer.lua.j2 │ │ ├── macros │ │ │ ├── cache_macros.lua.j2 │ │ │ └── view_macros.lua.j2 │ │ ├── forward.lua.j2 │ │ ├── rate_limiting.lua.j2 │ │ ├── dns64.lua.j2 │ │ ├── views.lua.j2 │ │ └── cache.lua.j2 │ ├── defer_schema.py │ ├── management_schema.py │ ├── dns64_schema.py │ ├── lua_schema.py │ └── monitoring_schema.py │ ├── exceptions.py │ ├── __init__.py │ ├── meson.build │ └── controller │ └── exceptions.py ├── utils ├── cache_gc │ ├── .gitignore │ ├── categories.h │ ├── README.rst │ ├── meson.build │ └── test.integr │ │ └── deckard.yaml ├── meson.build └── shell-completion │ ├── client.fish │ ├── meson.build │ └── client.bash ├── .gitattributes ├── doc ├── dev │ ├── modules-daf.rst │ ├── modules-http.rst │ ├── modules-nsid.rst │ ├── modules-rfc7706.rst │ ├── modules-view.rst │ ├── architecture-kresd.rst │ ├── daemon-scripting.rst │ ├── modules-dns64.rst │ ├── modules-dnstap.rst │ ├── modules-hints.rst │ ├── modules-http-trace.rst │ ├── modules-policy.rst │ ├── modules-stats.rst │ ├── systemd-multiinst.rst │ ├── layered-protocols.rst │ ├── modules-bogus_log.rst │ ├── modules-prefill.rst │ ├── modules-priming.rst │ ├── modules-rebinding.rst │ ├── modules-renumber.rst │ ├── modules-watchdog.rst │ ├── daemon-bindings-cache.rst │ ├── daemon-bindings-worker.rst │ ├── modules-refuse_nord.rst │ ├── modules-serve_stale.rst │ ├── modules-ta_sentinel.rst │ ├── modules-edns_keepalive.rst │ ├── daemon-bindings-net_client.rst │ ├── daemon-bindings-net_server.rst │ ├── daemon-bindings-net_tlssrv.rst │ ├── daemon-bindings-net_xdpsrv.rst │ ├── modules-detect_time_jump.rst │ ├── modules-detect_time_skew.rst │ ├── modules-http-custom-services.rst │ ├── 
modules-ta_signal_query.rst │ ├── daemon-bindings-net_buffering.rst │ ├── daemon-bindings-net_dns_tweaks.rst │ ├── modules-experimental_dot_auth.rst │ ├── flowcharts │ │ ├── task_ERD.dia │ │ ├── tcp_task.dia │ │ ├── udp_task.dia │ │ └── io_and_worker.dia │ ├── modules_api.rst │ ├── worker_api.rst │ ├── rename_ln.sh │ ├── logging_api.rst │ ├── infra-warning.rst │ ├── cache-prefetch.rst │ ├── config-lua-experimental.rst │ ├── config-lua-dnssec.rst │ ├── config-answer-reordering.rst │ ├── architecture-gc.rst │ └── Doxyfile ├── resolution.png ├── _static │ ├── package.json │ └── css │ │ ├── main.css │ │ ├── user.css │ │ └── dev.css ├── requirements.txt └── user │ ├── deployment-advanced.rst │ ├── developer.rst │ ├── config-refuse-no-rd.rst │ ├── deployment-warning.rst │ ├── config-reordering.rst │ ├── config-rfc7706.rst │ ├── deployment-systemd.rst │ ├── config-priming.rst │ ├── config-nsid.rst │ ├── config-serve-stale.rst │ ├── config-edns-keepalive.rst │ ├── config-fallback.rst │ ├── config-ta-sentinel.rst │ ├── deployment-manual.rst │ ├── config-time-jump-detection.rst │ ├── config-time-skew-detection.rst │ └── gettingstarted-install.rst ├── tests ├── unit │ ├── packaging │ │ ├── debian │ │ │ └── 10 │ │ │ │ └── builddeps │ │ └── test.sh │ ├── mock_cmodule.c │ └── meson.build ├── packaging │ ├── manpage.sh │ ├── kresctl.sh │ ├── knot-resolver.sh │ ├── README.md │ └── interactive │ │ ├── schema.sh │ │ ├── etag.sh │ │ ├── cache-clear.sh │ │ ├── workers.sh │ │ ├── reload.sh │ │ ├── renew.sh │ │ └── metrics.sh ├── .gitignore ├── pytests │ ├── requirements.txt │ ├── certs │ │ ├── tt-certgen.sh │ │ └── tt-certgen-expired.sh │ ├── test_edns.py │ └── proxy │ │ └── tls-proxy.h ├── manager │ ├── __init__.py │ ├── test_knot_resolver_manager.py │ ├── datamodel │ │ ├── test_lua_schema.py │ │ ├── test_management_schema.py │ │ └── templates │ │ │ └── test_cache_macros.py │ ├── utils │ │ ├── modeling │ │ │ ├── test_etag.py │ │ │ ├── test_query.py │ │ │ ├── test_renaming.py │ │ │ ├── 
test_types.py │ │ │ └── test_parsing.py │ │ └── test_functional.py │ └── test_config_store.py ├── lib-includes.cpp ├── dnstap │ ├── src │ │ └── dnstap-test │ │ │ ├── go.mod │ │ │ ├── config │ │ │ └── run.sh │ └── meson.build └── integration │ └── hints_zone.j2 ├── .python-version ├── ci ├── respdiff │ ├── restart-bind.sh │ ├── restart-unbound.sh │ ├── restart-kresd.sh │ ├── start-resolvers.sh │ └── kresd.config ├── no_assert_check.sh ├── fix-meson-junit.sh └── deckard_commit_check.sh ├── daemon ├── lua │ ├── trust_anchors.test │ │ ├── root.keys │ │ ├── x509 │ │ │ ├── ca.tmpl │ │ │ ├── wrongca.tmpl │ │ │ ├── server.tmpl │ │ │ └── gen.sh │ │ ├── regen.sh │ │ ├── ok1.xml │ │ ├── unsupp_xml_v11.xml │ │ ├── unsupp_nonroot.xml │ │ ├── ok2.xml │ │ ├── ok1_notyet1.xml │ │ ├── ok1_expired1.xml │ │ ├── err_attr_validfrom_missing.xml │ │ ├── ok0_badtimes.xml │ │ ├── err_attr_validfrom_invalid.xml │ │ ├── err_attr_extra_attr.xml │ │ ├── err_elem_missing.xml │ │ ├── err_multi_ta.xml │ │ └── err_elem_extra.xml │ ├── distro-preconfig.lua.in │ └── map.test.integr │ │ └── deckard.yaml ├── proxyv2.test │ ├── dnsdist_config.j2 │ └── deckard.yaml ├── bindings │ └── api.h ├── cache.test │ └── insert_ns.test.integr │ │ └── deckard.yaml ├── udp_queue.h ├── zimport.test │ ├── tz-rfc-a1.zone │ └── tz-rfc-a1-bad.zone ├── ratelimiting.h └── ffimodule.h ├── poe ├── lib ├── cache │ ├── util.h │ ├── test.integr │ │ └── deckard.yaml │ ├── cdb_lmdb.h │ └── overflow.test.integr │ │ └── deckard.yaml ├── layer │ ├── validate.test.integr │ │ └── deckard.yaml │ ├── test.integr │ │ └── deckard.yaml │ ├── cache.c │ └── iterate.h ├── proto.c ├── generic │ └── trie.spdx ├── selection_iter.h ├── cookies │ ├── alg_sha.h │ ├── nonce.c │ └── nonce.h ├── selection_forward.h └── kru-generic.c ├── CodingStyle ├── scripts ├── meson │ ├── test-integration-prepare.sh │ ├── bench.sh │ ├── make-doc.sh │ └── test-config.sh ├── poe-tasks │ ├── gen-setuppy │ ├── test-unit │ ├── kresctl │ ├── test-examples │ ├── docs │ 
├── test-migrate │ ├── gen-schema │ ├── gen-constantspy │ ├── run-debug │ ├── configure │ ├── fix-format │ ├── clean │ ├── run │ └── check-code ├── lib │ ├── get-date.sh │ └── upstream-version.sh ├── doh_b64encode_query.py ├── ci │ ├── build-in-obs.sh │ └── enable-repo-cznic-labs.sh ├── README.md ├── update-root-hints.sh └── kresd.apparmor ├── systemd ├── kresd.target ├── sysusers.d │ └── knot-resolver.conf.in ├── tmpfiles.d │ └── knot-resolver.conf.in ├── kres-cache-gc.service.in ├── README.rst ├── knot-resolver.service.in └── kresd@.service.in ├── .readthedocs.yaml ├── security.txt ├── .dir-locals.el ├── .gitmodules ├── bench └── meson.build └── CONTRIBUTING.md /distro/pkg/deb/compat: -------------------------------------------------------------------------------- 1 | 12 2 | -------------------------------------------------------------------------------- /contrib/ucw/LICENSE: -------------------------------------------------------------------------------- 1 | ../licenses/LGPL2 -------------------------------------------------------------------------------- /distro/pkg/deb/clean: -------------------------------------------------------------------------------- 1 | build_deb/ 2 | -------------------------------------------------------------------------------- /contrib/murmurhash3/LICENSE: -------------------------------------------------------------------------------- 1 | ../licenses/CC0 -------------------------------------------------------------------------------- /etc/config/.gitignore: -------------------------------------------------------------------------------- 1 | runtime/ 2 | cache/ -------------------------------------------------------------------------------- /modules/prefill/prefill.test/empty.zone: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /python/knot_resolver/manager/__init__.py: 
-------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /contrib/ccan/compiler/LICENSE: -------------------------------------------------------------------------------- 1 | ../../licenses/CC0 -------------------------------------------------------------------------------- /contrib/ccan/json/LICENSE: -------------------------------------------------------------------------------- 1 | ../../licenses/BSD-MIT -------------------------------------------------------------------------------- /distro/pkg/deb/source/format: -------------------------------------------------------------------------------- 1 | 3.0 (quilt) 2 | -------------------------------------------------------------------------------- /utils/cache_gc/.gitignore: -------------------------------------------------------------------------------- 1 | kres_cache_gc 2 | 3 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.c diff=cpp 2 | *.cpp diff=cpp 3 | -------------------------------------------------------------------------------- /contrib/ccan/asprintf/LICENSE: -------------------------------------------------------------------------------- 1 | ../../licenses/BSD-MIT -------------------------------------------------------------------------------- /doc/dev/modules-daf.rst: -------------------------------------------------------------------------------- 1 | ../../modules/daf/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-http.rst: -------------------------------------------------------------------------------- 1 | ../../modules/http/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-nsid.rst: 
-------------------------------------------------------------------------------- 1 | ../../modules/nsid/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-rfc7706.rst: -------------------------------------------------------------------------------- 1 | ../../modules/rfc7706.rst -------------------------------------------------------------------------------- /doc/dev/modules-view.rst: -------------------------------------------------------------------------------- 1 | ../../modules/view/README.rst -------------------------------------------------------------------------------- /doc/dev/architecture-kresd.rst: -------------------------------------------------------------------------------- 1 | ***** 2 | kresd 3 | ***** -------------------------------------------------------------------------------- /doc/dev/daemon-scripting.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/scripting.rst -------------------------------------------------------------------------------- /doc/dev/modules-dns64.rst: -------------------------------------------------------------------------------- 1 | ../../modules/dns64/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-dnstap.rst: -------------------------------------------------------------------------------- 1 | ../../modules/dnstap/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-hints.rst: -------------------------------------------------------------------------------- 1 | ../../modules/hints/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-http-trace.rst: -------------------------------------------------------------------------------- 1 | ../../modules/http/trace.rst -------------------------------------------------------------------------------- 
/doc/dev/modules-policy.rst: -------------------------------------------------------------------------------- 1 | ../../modules/policy/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-stats.rst: -------------------------------------------------------------------------------- 1 | ../../modules/stats/README.rst -------------------------------------------------------------------------------- /doc/dev/systemd-multiinst.rst: -------------------------------------------------------------------------------- 1 | ../../systemd/multiinst.rst -------------------------------------------------------------------------------- /tests/unit/packaging/debian/10/builddeps: -------------------------------------------------------------------------------- 1 | libcmocka-dev 2 | -------------------------------------------------------------------------------- /doc/dev/layered-protocols.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/layered-protocols.rst -------------------------------------------------------------------------------- /doc/dev/modules-bogus_log.rst: -------------------------------------------------------------------------------- 1 | ../../modules/bogus_log/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-prefill.rst: -------------------------------------------------------------------------------- 1 | ../../modules/prefill/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-priming.rst: -------------------------------------------------------------------------------- 1 | ../../modules/priming/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-rebinding.rst: -------------------------------------------------------------------------------- 1 | ../../modules/rebinding/README.rst 
-------------------------------------------------------------------------------- /doc/dev/modules-renumber.rst: -------------------------------------------------------------------------------- 1 | ../../modules/renumber/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-watchdog.rst: -------------------------------------------------------------------------------- 1 | ../../modules/watchdog/README.rst -------------------------------------------------------------------------------- /doc/dev/daemon-bindings-cache.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/cache.rst -------------------------------------------------------------------------------- /doc/dev/daemon-bindings-worker.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/worker.rst -------------------------------------------------------------------------------- /doc/dev/modules-refuse_nord.rst: -------------------------------------------------------------------------------- 1 | ../../modules/refuse_nord/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-serve_stale.rst: -------------------------------------------------------------------------------- 1 | ../../modules/serve_stale/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-ta_sentinel.rst: -------------------------------------------------------------------------------- 1 | ../../modules/ta_sentinel/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-edns_keepalive.rst: -------------------------------------------------------------------------------- 1 | ../../modules/edns_keepalive/README.rst -------------------------------------------------------------------------------- 
/doc/dev/daemon-bindings-net_client.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/net_client.rst -------------------------------------------------------------------------------- /doc/dev/daemon-bindings-net_server.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/net_server.rst -------------------------------------------------------------------------------- /doc/dev/daemon-bindings-net_tlssrv.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/net_tlssrv.rst -------------------------------------------------------------------------------- /doc/dev/daemon-bindings-net_xdpsrv.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/net_xdpsrv.rst -------------------------------------------------------------------------------- /doc/dev/modules-detect_time_jump.rst: -------------------------------------------------------------------------------- 1 | ../../modules/detect_time_jump/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-detect_time_skew.rst: -------------------------------------------------------------------------------- 1 | ../../modules/detect_time_skew/README.rst -------------------------------------------------------------------------------- /doc/dev/modules-http-custom-services.rst: -------------------------------------------------------------------------------- 1 | ../../modules/http/custom_services.rst -------------------------------------------------------------------------------- /doc/dev/modules-ta_signal_query.rst: -------------------------------------------------------------------------------- 1 | ../../modules/ta_signal_query/README.rst -------------------------------------------------------------------------------- 
/doc/dev/daemon-bindings-net_buffering.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/net_buffering.rst -------------------------------------------------------------------------------- /doc/dev/daemon-bindings-net_dns_tweaks.rst: -------------------------------------------------------------------------------- 1 | ../../daemon/bindings/net_dns_tweaks.rst -------------------------------------------------------------------------------- /etc/config/config.test-rate-limiting.yaml: -------------------------------------------------------------------------------- 1 | rate-limiting: 2 | rate-limit: 20 3 | -------------------------------------------------------------------------------- /tests/packaging/manpage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | man -w kresctl 6 | -------------------------------------------------------------------------------- /doc/dev/modules-experimental_dot_auth.rst: -------------------------------------------------------------------------------- 1 | ../../modules/experimental_dot_auth/README.rst -------------------------------------------------------------------------------- /etc/config/config.test-defer.yaml: -------------------------------------------------------------------------------- 1 | defer: 2 | enable: true 3 | log-period: 1s 4 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6.dirs: -------------------------------------------------------------------------------- 1 | /var/cache/knot-resolver 2 | /var/lib/knot-resolver 3 | -------------------------------------------------------------------------------- /doc/resolution.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/doc/resolution.png 
-------------------------------------------------------------------------------- /modules/ta_update/ta_update.unmanagedkey.test.integr/rfc5011: -------------------------------------------------------------------------------- 1 | ../ta_update.test.integr/rfc5011 -------------------------------------------------------------------------------- /.python-version: -------------------------------------------------------------------------------- 1 | 3.8.20 2 | 3.9.25 3 | 3.10.19 4 | 3.11.14 5 | 3.12.12 6 | 3.13.10 7 | 3.14.1 8 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6-module-dnstap.install: -------------------------------------------------------------------------------- 1 | usr/lib/knot-resolver/kres_modules/dnstap.so 2 | -------------------------------------------------------------------------------- /modules/hints/tests/hints.test.hosts: -------------------------------------------------------------------------------- 1 | 192.0.2.1 myname.lan # badname.lan and the rest of the comment 2 | -------------------------------------------------------------------------------- /tests/.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | tmp* 3 | test_cache 4 | test_context 5 | test_resolve 6 | test_rplan 7 | -------------------------------------------------------------------------------- /tests/pytests/requirements.txt: -------------------------------------------------------------------------------- 1 | dnspython 2 | jinja2 3 | pytest 4 | pytest-html 5 | pytest-xdist 6 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6.manpages: -------------------------------------------------------------------------------- 1 | usr/share/man/man8/kresctl.8* 2 | usr/share/man/man8/kresd.8* 3 | -------------------------------------------------------------------------------- 
/modules/ta_update/ta_update.test.integr/rfc5011/pydnstest: -------------------------------------------------------------------------------- 1 | ../../../../tests/integration/deckard/pydnstest -------------------------------------------------------------------------------- /doc/_static/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": { 3 | "@adobe/jsonschema2md": "^7.1.5" 4 | } 5 | } 6 | -------------------------------------------------------------------------------- /ci/respdiff/restart-bind.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | service named restart 4 | -------------------------------------------------------------------------------- /doc/dev/flowcharts/task_ERD.dia: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/doc/dev/flowcharts/task_ERD.dia -------------------------------------------------------------------------------- /doc/dev/flowcharts/tcp_task.dia: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/doc/dev/flowcharts/tcp_task.dia -------------------------------------------------------------------------------- /doc/dev/flowcharts/udp_task.dia: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/doc/dev/flowcharts/udp_task.dia -------------------------------------------------------------------------------- /doc/requirements.txt: -------------------------------------------------------------------------------- 1 | Sphinx>=3.0.0 2 | sphinx-tabs 3 | breathe 4 | json-schema-for-humans 5 | sphinx_rtd_theme 6 | -------------------------------------------------------------------------------- 
/modules/http/static/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/modules/http/static/favicon.ico -------------------------------------------------------------------------------- /modules/ta_update/root.keys: -------------------------------------------------------------------------------- 1 | . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 2 | -------------------------------------------------------------------------------- /modules/http/test_tls/broken.crt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/modules/http/test_tls/broken.crt -------------------------------------------------------------------------------- /modules/http/test_tls/broken.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/modules/http/test_tls/broken.key -------------------------------------------------------------------------------- /python/knot_resolver/utils/compat/__init__.py: -------------------------------------------------------------------------------- 1 | from . import asyncio, typing 2 | 3 | __all__ = ["asyncio", "typing"] 4 | -------------------------------------------------------------------------------- /ci/respdiff/restart-unbound.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | service unbound restart 5 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/root.keys: -------------------------------------------------------------------------------- 1 | . 
IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 2 | -------------------------------------------------------------------------------- /doc/dev/flowcharts/io_and_worker.dia: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/doc/dev/flowcharts/io_and_worker.dia -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/x509/ca.tmpl: -------------------------------------------------------------------------------- 1 | cn = Knot Resolver testing CA 2 | ca 3 | cert_signing_key 4 | expiration_days = -1 5 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/x509/wrongca.tmpl: -------------------------------------------------------------------------------- 1 | cn = Another unrelated CA 2 | ca 3 | cert_signing_key 4 | expiration_days = -1 5 | -------------------------------------------------------------------------------- /etc/config/config.yaml: -------------------------------------------------------------------------------- 1 | workers: 2 2 | network: 3 | listen: 4 | - interface: 127.0.0.1@53 5 | logging: 6 | level: info 7 | -------------------------------------------------------------------------------- /tests/unit/packaging/test.sh: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | test -e build_packaging/tests/unit/mock_cmodule.so 3 | -------------------------------------------------------------------------------- /modules/prefill/prefill.test/random.zone: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/modules/prefill/prefill.test/random.zone -------------------------------------------------------------------------------- /python/knot_resolver/client/__main__.py: 
-------------------------------------------------------------------------------- 1 | from knot_resolver.client.main import main 2 | 3 | if __name__ == "__main__": 4 | main() 5 | -------------------------------------------------------------------------------- /modules/hints/tests/hints_test.zone: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: GPL-3.0-or-later 2 | A.ROOT-SERVERS.NET. 3600000 A 10.0.0.1 3 | -------------------------------------------------------------------------------- /python/knot_resolver/manager/__main__.py: -------------------------------------------------------------------------------- 1 | from knot_resolver.manager.main import main 2 | 3 | if __name__ == "__main__": 4 | main() 5 | -------------------------------------------------------------------------------- /doc/dev/modules_api.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _modules: 4 | 5 | .. 
include:: ../../modules/README.rst 6 | 7 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6.links: -------------------------------------------------------------------------------- 1 | usr/lib/systemd/system/knot-resolver.service usr/lib/systemd/system/multi-user.target.wants/knot-resolver.service 2 | -------------------------------------------------------------------------------- /poe: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | script_dir="$(dirname "$(readlink -f "$0")")" 4 | exec poetry --directory "$script_dir" run -- poe --root "$script_dir" "$@" 5 | -------------------------------------------------------------------------------- /lib/cache/util.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-3.0-or-later */ 2 | #include 3 | 4 | uint32_t packet_ttl(const knot_pkt_t *pkt); 5 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6-dev.install: -------------------------------------------------------------------------------- 1 | usr/include/libkres/*.h 2 | usr/lib/*.so 3 | usr/lib/pkgconfig/libkres.pc usr/lib/${DEB_HOST_MULTIARCH}/pkgconfig 4 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6.docs: -------------------------------------------------------------------------------- 1 | README.md 2 | usr/share/doc/knot-resolver/AUTHORS 3 | usr/share/doc/knot-resolver/NEWS 4 | usr/share/doc/knot-resolver/examples 5 | -------------------------------------------------------------------------------- /doc/_static/css/main.css: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-3.0-or-later */ 2 | @import "theme.css"; 3 | 4 | table.docutils blockquote { 5 | margin-left: 0; 6 | } 7 | 
-------------------------------------------------------------------------------- /modules/http/static/glyphicons-halflings-regular.woff2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/CZ-NIC/knot-resolver/HEAD/modules/http/static/glyphicons-halflings-regular.woff2 -------------------------------------------------------------------------------- /python/knot_resolver/manager/exceptions.py: -------------------------------------------------------------------------------- 1 | from knot_resolver import KresBaseException 2 | 3 | 4 | class KresManagerException(KresBaseException): 5 | pass 6 | -------------------------------------------------------------------------------- /doc/dev/worker_api.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | Worker API reference 4 | ==================== 5 | 6 | .. doxygenfile:: daemon/worker.h 7 | 8 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/__init__.py: -------------------------------------------------------------------------------- 1 | from .config_schema import KresConfig, kres_config_json_schema 2 | 3 | __all__ = ["KresConfig", "kres_config_json_schema"] 4 | -------------------------------------------------------------------------------- /tests/packaging/kresctl.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # fail fast 4 | set -e 5 | 6 | # We expect `kresctl` command to exist in $PATH 7 | command -v kresctl > /dev/null 8 | -------------------------------------------------------------------------------- /ci/no_assert_check.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | grep '\' -- $(git ls-files | grep '\.[hc]$' | grep -vE '^(contrib|bench|tests|daemon/ratelimiting.test)/|^lib/kru') 
3 | test $? -eq 1 4 | -------------------------------------------------------------------------------- /doc/dev/rename_ln.sh: -------------------------------------------------------------------------------- 1 | 2 | for name in $(find . -type l -name "modules-*"); do 3 | tgt=`readlink "$name"` 4 | ln -f -s ../$tgt $name 5 | done 6 | 7 | 8 | 9 | 10 | -------------------------------------------------------------------------------- /python/knot_resolver/exceptions.py: -------------------------------------------------------------------------------- 1 | class KresBaseException(Exception): # noqa: N818 2 | """ 3 | Base class for all custom exceptions we use in Knot Resolver. 4 | """ 5 | -------------------------------------------------------------------------------- /etc/root.keys: -------------------------------------------------------------------------------- 1 | . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 2 | . IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 3 | -------------------------------------------------------------------------------- /python/knot_resolver/__init__.py: -------------------------------------------------------------------------------- 1 | from .constants import VERSION 2 | from .exceptions import KresBaseException 3 | 4 | __version__ = VERSION 5 | 6 | __all__ = ["KresBaseException"] 7 | -------------------------------------------------------------------------------- /python/knot_resolver/manager/files/__init__.py: -------------------------------------------------------------------------------- 1 | from .reload import files_reload 2 | from .watchdog import init_files_watchdog 3 | 4 | __all__ = ["files_reload", "init_files_watchdog"] 5 | -------------------------------------------------------------------------------- /tests/packaging/knot-resolver.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # fail fast 4 | 
set -e 5 | 6 | # We expect `knot-resolver` command to exist in $PATH 7 | command -v knot-resolver > /dev/null 8 | -------------------------------------------------------------------------------- /doc/user/deployment-advanced.rst: -------------------------------------------------------------------------------- 1 | ******** 2 | Advanced 3 | ******** 4 | 5 | .. toctree:: 6 | :maxdepth: 2 7 | 8 | deployment-advanced-no-manager 9 | deployment-advanced-no-systemd -------------------------------------------------------------------------------- /utils/meson.build: -------------------------------------------------------------------------------- 1 | # utils 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | build_utils = get_option('utils') != 'disabled' 5 | 6 | subdir('cache_gc') 7 | subdir('shell-completion') 8 | -------------------------------------------------------------------------------- /CodingStyle: -------------------------------------------------------------------------------- 1 | # Style 2 | 3 | Linux kernel [coding style][lkstyle], same practices for API documentation. 
4 | 5 | [lkstyle]: https://www.kernel.org/doc/Documentation/process/coding-style.rst 6 | -------------------------------------------------------------------------------- /modules/experimental_dot_auth/meson.build: -------------------------------------------------------------------------------- 1 | # LUA module: experimental_dot_auth 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | lua_mod_src += [ 5 | files('experimental_dot_auth.lua'), 6 | ] 7 | 8 | -------------------------------------------------------------------------------- /utils/shell-completion/client.fish: -------------------------------------------------------------------------------- 1 | function __kresctl_completion 2 | set -l args (commandline -pco) 3 | eval command kresctl $args 4 | end 5 | 6 | complete -c kresctl -a '(__kresctl_completion)' -f -------------------------------------------------------------------------------- /distro/pkg/deb/not-installed: -------------------------------------------------------------------------------- 1 | usr/lib/knot-resolver/kres_modules/etcd.lua 2 | usr/lib/knot-resolver/kres_modules/http/LICENSE 3 | usr/lib/sysusers.d/knot-resolver.conf 4 | usr/share/doc/knot-resolver/COPYING 5 | -------------------------------------------------------------------------------- /tests/manager/__init__.py: -------------------------------------------------------------------------------- 1 | from pathlib import Path 2 | 3 | from knot_resolver.datamodel.globals import Context, set_global_validation_context 4 | 5 | set_global_validation_context(Context(Path("."), False)) 6 | -------------------------------------------------------------------------------- /ci/fix-meson-junit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | sed 's||\n|g' -i "$@" 3 | sed -e '//,/<\/testcase>/s/<\(\/\?\)system-\(out\|err\)>/<\1failure>/g' \ 4 | -e 's///g' \ 5 | -i "$@" 6 | 
-------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/x509/server.tmpl: -------------------------------------------------------------------------------- 1 | organization = Fake DNS root org test server 2 | cn = localhost 3 | tls_www_server 4 | encryption_key 5 | signing_key 6 | dns_name = localhost 7 | expiration_days = -1 8 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6-module-http.lintian-overrides: -------------------------------------------------------------------------------- 1 | # UPSTREAM: intended 2 | knot-resolver6-module-http: font-in-non-font-package 3 | # UPSTREAM: intended 4 | knot-resolver6-module-http: font-outside-font-dir 5 | -------------------------------------------------------------------------------- /python/knot_resolver/manager/metrics/__init__.py: -------------------------------------------------------------------------------- 1 | from .collect import report_json 2 | from .prometheus import init_prometheus, report_prometheus 3 | 4 | __all__ = ["init_prometheus", "report_json", "report_prometheus"] 5 | -------------------------------------------------------------------------------- /modules/policy/policy.test.rpz.soa: -------------------------------------------------------------------------------- 1 | test2domain. SOA nonexistent.test2domain. test2domain. 1 12h 15m 3w 2h 2 | NS nonexistent.test2domain. 3 | 4 | nxdomain-fqdn.test2domain. CNAME . 5 | nodata-fqdn.test2domain. CNAME *. 
6 | -------------------------------------------------------------------------------- /python/knot_resolver/client/__init__.py: -------------------------------------------------------------------------------- 1 | from pathlib import Path 2 | 3 | from knot_resolver.datamodel.globals import Context, set_global_validation_context 4 | 5 | set_global_validation_context(Context(Path("."), False)) 6 | -------------------------------------------------------------------------------- /doc/dev/logging_api.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | Logging API reference 4 | ===================== 5 | 6 | .. _config_log_groups: 7 | 8 | .. doxygenfile:: lib/log.h 9 | :project: libkres 10 | -------------------------------------------------------------------------------- /modules/prefill/prefill.test/testroot.zone.unsigned: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: GPL-3.0-or-later 2 | . 86400 SOA rootns. you.test. 2017071101 1800 900 604800 86400 3 | . 86400 NS rootns. 4 | a.b.subtree1. 86400 AAAA 2001:db8:: 5 | -------------------------------------------------------------------------------- /tests/packaging/README.md: -------------------------------------------------------------------------------- 1 | # Packaging tests 2 | 3 | ## Distro tests 4 | 5 | Tests in this directory are part of the distro tests included in the `distro/tests/extra/all/control` file and can be run with the `apkg test` command. 
6 | -------------------------------------------------------------------------------- /tests/pytests/certs/tt-certgen.sh: -------------------------------------------------------------------------------- 1 | # !/bin/sh 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | openssl req -config tt.conf -new -x509 -newkey rsa:2048 -nodes -keyout tt.key.pem -sha256 -out tt.cert.pem -days 20000 5 | 6 | -------------------------------------------------------------------------------- /distro/pkg/deb/changelog: -------------------------------------------------------------------------------- 1 | knot-resolver ({{ version }}-cznic.{{ release }}) unstable; urgency=medium 2 | 3 | * upstream package 4 | * see NEWS or https://knot-resolver.cz 5 | 6 | -- Jakub Ružička {{ now }} 7 | -------------------------------------------------------------------------------- /scripts/meson/test-integration-prepare.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | set -o errexit -o nounset 4 | 5 | cd "${1}" 6 | 7 | git submodule update --init --recursive 8 | make depend &>/dev/null 9 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6.postrm: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | set -e 4 | 5 | if [ "$1" = "remove" ]; then 6 | deb-systemd-invoke stop system-kresd.slice || true 7 | fi 8 | 9 | #DEBHELPER# 10 | -------------------------------------------------------------------------------- /etc/config/config.dev.yaml: -------------------------------------------------------------------------------- 1 | workers: 1 2 | logging: 3 | level: notice 4 | groups: 5 | - manager 6 | - supervisord 7 | network: 8 | listen: 9 | - interface: 127.0.0.1@5335 10 | # management: 11 | # interface: 127.0.0.1@5000 12 | 
-------------------------------------------------------------------------------- /scripts/poe-tasks/gen-setuppy: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | # create setup.py 8 | python scripts/poe-tasks/utils/create_setup.py > setup.py 9 | -------------------------------------------------------------------------------- /doc/dev/infra-warning.rst: -------------------------------------------------------------------------------- 1 | .. warning:: 2 | 3 | This section documents semi-public parts of the internal infrastructure for 4 | `CZ.NIC `_ developers. It is probably not very useful to 5 | external users (but do feel free to study). 6 | -------------------------------------------------------------------------------- /systemd/kresd.target: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: CC0-1.0 2 | [Unit] 3 | Description=Knot Resolver daemons 4 | Documentation=man:kresd.systemd(7) 5 | Documentation=man:kresd(8) 6 | After=network-online.target 7 | 8 | [Install] 9 | WantedBy=multi-user.target 10 | -------------------------------------------------------------------------------- /tests/lib-includes.cpp: -------------------------------------------------------------------------------- 1 | 2 | extern "C" { 3 | #include "lib/utils.h" 4 | #include "lib/resolve.h" 5 | #include "lib/module.h" 6 | #include "lib/layer.h" 7 | #include "lib/rplan.h" 8 | #include "lib/rules/api.h" 9 | } 10 | 11 | int main() 12 | { 13 | } 14 | -------------------------------------------------------------------------------- /contrib/config.h: -------------------------------------------------------------------------------- 1 | /* Dummy file, no real configuration here 2 | * SPDX-License-Identifier: GPL-3.0-or-later */ 3 | #define HAVE_ATTRIBUTE_COLD 1 4 | 
#define HAVE_ATTRIBUTE_NORETURN 1 5 | #define HAVE_ATTRIBUTE_PURE 1 6 | #define HAVE_ATTRIBUTE_UNUSED 1 7 | #define HAVE_ATTRIBUTE_NONNULL 1 8 | -------------------------------------------------------------------------------- /lib/layer/validate.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - -n 7 | templates: 8 | - lib/layer/validate.test.integr/kresd_config.j2 9 | configs: 10 | - config 11 | -------------------------------------------------------------------------------- /modules/ta_update/ta_update.test.integr/rfc5011/unsigned_ok.db: -------------------------------------------------------------------------------- 1 | . 86400 IN SOA rootns. you.test. 2017071100 1800 900 604800 86400 2 | 3 | . 518400 IN NS rootns. 4 | 5 | rootns. 518400 IN A 198.41.0.4 6 | rootns. 518400 IN AAAA 2001:503:ba3e::2:30 7 | 8 | test. 
1 IN TXT "it works" 9 | -------------------------------------------------------------------------------- /.readthedocs.yaml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | build: 4 | os: ubuntu-22.04 5 | tools: 6 | python: "3.11" 7 | 8 | sphinx: 9 | configuration: doc/conf.py 10 | 11 | python: 12 | install: 13 | - requirements: doc/requirements.txt 14 | 15 | formats: 16 | - pdf 17 | - epub 18 | -------------------------------------------------------------------------------- /contrib/murmurhash3/murmurhash3.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: CC0-1.0 2 | * Source: https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp */ 3 | 4 | #pragma once 5 | 6 | #include 7 | #include 8 | 9 | uint32_t hash(const char* data, size_t len); 10 | -------------------------------------------------------------------------------- /tests/dnstap/src/dnstap-test/go.mod: -------------------------------------------------------------------------------- 1 | module gitlab.nic.cz/knot/knot-resolver/tests/dnstap-test 2 | 3 | go 1.15 4 | 5 | require ( 6 | github.com/cloudflare/dns v0.0.0-20151007113418-e20ffa3da443 7 | github.com/dnstap/golang-dnstap v0.4.0 8 | google.golang.org/protobuf v1.30.0 9 | ) 10 | -------------------------------------------------------------------------------- /modules/ta_update/ta_update.test.integr/rfc5011/unsigned_check.db: -------------------------------------------------------------------------------- 1 | . 86400 IN SOA rootns. you.test. 2017071100 1800 900 604800 86400 2 | 3 | . 518400 IN NS rootns. 4 | 5 | rootns. 518400 IN A 198.41.0.4 6 | rootns. 518400 IN AAAA 2001:503:ba3e::2:30 7 | 8 | test. 
1 IN TXT "check and change answer" 9 | -------------------------------------------------------------------------------- /python/knot_resolver/utils/modeling/base_generic_type_wrapper.py: -------------------------------------------------------------------------------- 1 | from typing import Generic, TypeVar 2 | 3 | from .base_value_type import BaseTypeABC 4 | 5 | T = TypeVar("T") 6 | 7 | 8 | class BaseGenericTypeWrapper(Generic[T], BaseTypeABC): # pylint: disable=abstract-method 9 | pass 10 | -------------------------------------------------------------------------------- /scripts/poe-tasks/test-unit: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | # run pytest 8 | env PYTHONPATH=. pytest --junitxml=unit.junit.xml --cov=python/knot_resolver --show-capture=all tests/manager 9 | -------------------------------------------------------------------------------- /systemd/sysusers.d/knot-resolver.conf.in: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: CC0-1.0 2 | # sysusers.d(5) file for knot-resolver (kresd) 3 | #Type Name ID GECOS Home directory Shell 4 | u @user@ - "Knot Resolver Daemon User" 5 | g @group@ 6 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/regen.sh: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | for F in *.xml; do sed -i "s/TrustAnchor id=\"[^\"]*\"/TrustAnchor id=\"$(uuidgen | tr '[[:lower:]]' '[[:upper:]]')\"/" $F; done 3 | for F in *.xml; do sed -i "s#source=\"[^\"]*\"#source=\"https://localhost/$F\"#" $F; done 4 | -------------------------------------------------------------------------------- /doc/user/developer.rst: 
-------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _developer: 4 | 5 | *********************** 6 | Developer documentation 7 | *********************** 8 | 9 | For simplicity of this user documentation, `the developer documentation <./dev/index.html>`_ is separated. 10 | -------------------------------------------------------------------------------- /etc/config/config.migrate-test2.yaml: -------------------------------------------------------------------------------- 1 | 2 | cache: 3 | garbage-collector: false 4 | prefetch: 5 | prediction: null 6 | 7 | dns64: true 8 | 9 | dnssec: false 10 | 11 | logging: 12 | dnstap: null 13 | 14 | monitoring: 15 | graphite: false 16 | 17 | network: 18 | proxy-protocol: null 19 | -------------------------------------------------------------------------------- /security.txt: -------------------------------------------------------------------------------- 1 | Please report security issues that require encryption to the following e-mail 2 | address. 3 | 4 | vladimir.cunat@nic.cz 5 | 6 | You can obtain our PGP keys from: 7 | https://secure.nic.cz/files/knot-resolver/kresd-keyblock.asc 8 | 9 | More info: https://www.knot-resolver.cz/contact 10 | -------------------------------------------------------------------------------- /.dir-locals.el: -------------------------------------------------------------------------------- 1 | ;; emacs local configuration settings for knot-resolver source 2 | ;; surmised by dkg on 2016-04-02 23:46:50-0300 3 | ;; SPDX-License-Identifier: GPL-3.0-or-later 4 | 5 | ((c-mode 6 | (indent-tabs-mode . t) 7 | (tab-width . 8) 8 | (c-basic-offset . 8) 9 | (c-file-style . 
"linux")) 10 | ) 11 | -------------------------------------------------------------------------------- /modules/prefill/prefill.test/example.com.zone: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: GPL-3.0-or-later 2 | $ORIGIN example.com. 3 | $TTL 3600 4 | 5 | @ SOA dns1.example.com. hostmaster.example.com. ( 6 | 2010111213 ; serial 7 | 6h ; refresh 8 | 1h ; retry 9 | 1w ; expire 10 | 1d ) ; minimum 11 | 12 | NS dns1 13 | -------------------------------------------------------------------------------- /ci/respdiff/restart-kresd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | exec > /dev/null 5 | exec 2>&1 6 | 7 | killall -w kresd 8 | rm -f '*.mdb' 9 | $PREFIX/sbin/kresd -n -q -c $(pwd)/ci/respdiff/kresd.config &>>kresd.log & 10 | 11 | # wait until socket is receiving connections 12 | sleep 1 13 | -------------------------------------------------------------------------------- /python/knot_resolver/utils/compat/typing.py: -------------------------------------------------------------------------------- 1 | # The 'typing.Pattern' is deprecated since python 3.8 and is removed in version 3.12. 2 | # https://docs.python.org/3.9/library/typing.html#typing.Pattern 3 | try: 4 | from typing import Pattern 5 | except ImportError: 6 | from re import Pattern 7 | 8 | __all__ = ["Pattern"] 9 | -------------------------------------------------------------------------------- /daemon/proxyv2.test/dnsdist_config.j2: -------------------------------------------------------------------------------- 1 | -- vim:syntax=lua 2 | setLocal('{{SELF_ADDR}}') 3 | setVerboseHealthChecks(true) 4 | setServerPolicy(firstAvailable) 5 | 6 | local server = newServer({ 7 | address="{{PROGRAMS['kresd']['address']}}", 8 | useProxyProtocol=true, 9 | checkName="example.cz." 
10 | }) 11 | server:setUp() 12 | -------------------------------------------------------------------------------- /modules/view/meson.build: -------------------------------------------------------------------------------- 1 | # LUA module: view 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | lua_mod_src += [ 5 | files('view.lua'), 6 | ] 7 | 8 | integr_tests += [ 9 | ['view.tsig', meson.current_source_dir() / 'tsig.test.integr'], 10 | ['view.addr', meson.current_source_dir() / 'addr.test.integr'], 11 | ] 12 | -------------------------------------------------------------------------------- /tests/manager/test_knot_resolver_manager.py: -------------------------------------------------------------------------------- 1 | import toml 2 | 3 | from knot_resolver import __version__ 4 | 5 | 6 | def test_version(): 7 | with open("pyproject.toml", "r") as f: 8 | pyproject = toml.load(f) 9 | 10 | version = pyproject["tool"]["poetry"]["version"] 11 | assert __version__ == version 12 | -------------------------------------------------------------------------------- /modules/workarounds/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-workarounds: 4 | 5 | Module `workarounds` tweaks resolver behavior on specific broken sub-domains. 6 | Currently it mainly disables case randomization. 7 | 8 | .. 
code-block:: lua 9 | 10 | modules.load('workarounds < iterate') 11 | 12 | -------------------------------------------------------------------------------- /scripts/poe-tasks/kresctl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | echo 8 | is_build_dev_dir_configured 9 | echo 10 | 11 | # run knot-resolver client 12 | python3 -m knot_resolver.client --config "$KRES_DEV_CONFIG_FILE" "$@" 13 | -------------------------------------------------------------------------------- /modules/daf/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/daf/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /modules/policy/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/policy/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /modules/stats/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/stats/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | 
configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /python/knot_resolver/utils/etag.py: -------------------------------------------------------------------------------- 1 | import base64 2 | import json 3 | from hashlib import blake2b 4 | from typing import Any 5 | 6 | 7 | def structural_etag(obj: Any) -> str: 8 | m = blake2b(digest_size=15) 9 | m.update(json.dumps(obj, sort_keys=True).encode("utf8")) 10 | return base64.urlsafe_b64encode(m.digest()).decode("utf8") 11 | -------------------------------------------------------------------------------- /modules/rebinding/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/rebinding/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /modules/view/addr.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/view/addr.test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /modules/view/tsig.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/view/tsig.test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 
11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /daemon/bindings/api.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | /** Make all the bindings accessible from the lua state, 10 | * i.e. define those lua tables. */ 11 | void kr_bindings_register(lua_State *L); 12 | 13 | -------------------------------------------------------------------------------- /lib/cache/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - lib/cache/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | noclean: True 14 | -------------------------------------------------------------------------------- /lib/layer/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - lib/layer/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | noclean: True 14 | -------------------------------------------------------------------------------- /modules/refuse_nord/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/refuse_nord/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - 
hints 13 | -------------------------------------------------------------------------------- /modules/serve_stale/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/serve_stale/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /scripts/poe-tasks/test-examples: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | # validate all configuration examples 8 | for example in $PWD/etc/config/config.example.*.yaml; 9 | do 10 | python3 -m knot_resolver.client validate $example; 11 | done 12 | -------------------------------------------------------------------------------- /modules/policy/noipv6.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/policy/noipv6.test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /modules/policy/noipvx.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/policy/noipvx.test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | 
configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /distro/pkg/nix/top-level.nix: -------------------------------------------------------------------------------- 1 | with import {}; 2 | 3 | (callPackage ./. { 4 | }).overrideAttrs (attrs: { 5 | src = ./knot-resolver-{{ version }}.tar.xz; 6 | 7 | # This just breaks in our GitLab CI (not locally and not on hydra.nixos.org) 8 | installCheckPhase = '' 9 | meson test --print-errorlogs --no-suite snowflake 10 | ''; 11 | }) 12 | 13 | -------------------------------------------------------------------------------- /tests/dnstap/meson.build: -------------------------------------------------------------------------------- 1 | 2 | # note: it will be skipped if 'go' is missing (and marked so) 3 | test('dnstap', 4 | find_program('./src/dnstap-test/run.sh'), 5 | args: [ sbin_dir / 'kresd' ], 6 | suite: [ 'postinstall', 'dnstap' ], 7 | timeout: 120, # it may need to fetch go packages, etc. 
8 | priority: 5, # it takes relatively long time 9 | ) 10 | 11 | -------------------------------------------------------------------------------- /modules/bogus_log/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/bogus_log/test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | noclean: True 14 | -------------------------------------------------------------------------------- /modules/ta_update/ta_update.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/ta_update/ta_update.test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /tests/manager/datamodel/test_lua_schema.py: -------------------------------------------------------------------------------- 1 | from pytest import raises 2 | 3 | from knot_resolver.datamodel.lua_schema import LuaSchema 4 | from knot_resolver.utils.modeling.exceptions import DataValidationError 5 | 6 | 7 | def test_invalid(): 8 | with raises(DataValidationError): 9 | LuaSchema({"script": "-- lua script", "script-file": "path/to/file"}) 10 | -------------------------------------------------------------------------------- /utils/cache_gc/categories.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-3.0-or-later */ 2 | #pragma once 3 | 4 | #include "kr_cache_gc.h" 5 | #include "lib/cache/top.h" 6 | 7 | typedef uint8_t category_t; 8 | 9 | #define 
CATEGORIES 100 // number of categories 10 | 11 | category_t kr_gc_categorize(struct kr_cache_top *top, gc_record_info_t * info, void *key, size_t key_len); 12 | -------------------------------------------------------------------------------- /doc/dev/cache-prefetch.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _cache-prefetch: 4 | 5 | Prefetching cache records 6 | ========================= 7 | 8 | The following modules and configuration help to keep the cache hot by prefetching records. 9 | 10 | .. include:: ../../modules/prefetch/README.rst 11 | 12 | .. include:: ../../modules/predict/README.rst 13 | -------------------------------------------------------------------------------- /tests/packaging/interactive/schema.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | kresctl schema > /dev/null 6 | if [ "$?" -ne "0" ]; then 7 | echo "Failed to generate JSON schema with 'kresctl'" 8 | exit 1 9 | fi 10 | 11 | kresctl schema --live > /dev/null 12 | if [ "$?"
-ne "0" ]; then 13 | echo "Failed to get JSON schema from the running resolver" 14 | exit 1 15 | fi 16 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/defer.lua.j2: -------------------------------------------------------------------------------- 1 | {% from 'macros/common_macros.lua.j2' import boolean %} 2 | 3 | {% if cfg.defer.enable and disable_defer is not defined -%} 4 | assert(C.defer_init( 5 | '{{ cfg.rundir }}/defer', 6 | {{ cfg.defer.log_period.millis() }}, 7 | {{ cfg.workers }}) == 0) 8 | {% else %} 9 | assert(C.defer_init(nil, 0, 0) == 0) 10 | {%- endif %} 11 | -------------------------------------------------------------------------------- /scripts/poe-tasks/docs: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | meson_setup_configure -Ddoc=enabled 8 | 9 | echo ---------------------------------- 10 | echo Building documentation using ninja 11 | echo ---------------------------------- 12 | ninja -C $build_dir doc 13 | echo 14 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6-module-http.install: -------------------------------------------------------------------------------- 1 | usr/lib/knot-resolver/kres_modules/http*.lua 2 | usr/lib/knot-resolver/kres_modules/http/*.css 3 | usr/lib/knot-resolver/kres_modules/http/*.ico 4 | usr/lib/knot-resolver/kres_modules/http/*.js 5 | usr/lib/knot-resolver/kres_modules/http/*.tpl 6 | usr/lib/knot-resolver/kres_modules/http/*.woff2 7 | usr/lib/knot-resolver/kres_modules/prometheus.lua 8 | -------------------------------------------------------------------------------- /tests/dnstap/src/dnstap-test/config: -------------------------------------------------------------------------------- 1 | -- 
SPDX-License-Identifier: GPL-3.0-or-later 2 | modules = { 3 | 'hints', 4 | dnstap = { 5 | socket_path = "dnstap.sock", 6 | client = { 7 | log_queries = true, 8 | log_responses = true, 9 | } 10 | } 11 | } 12 | hints['fake1.localdomain'] = '1.2.3.4' 13 | hints['fake2.localdomain'] = '1.2.3.5' 14 | hints['fake3.localdomain'] = '1.2.3.6' 15 | -------------------------------------------------------------------------------- /daemon/cache.test/insert_ns.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | programs: 4 | - name: kresd 5 | binary: kresd 6 | additional: 7 | - --noninteractive 8 | templates: 9 | - daemon/cache.test/insert_ns.test.integr/kresd_config.j2 10 | - tests/integration/hints_zone.j2 11 | configs: 12 | - config 13 | - hints 14 | noclean: True 15 | -------------------------------------------------------------------------------- /modules/ta_update/ta_update.test.integr/rfc5011/empty.rpl: -------------------------------------------------------------------------------- 1 | stub-addr: 127.0.0.10 2 | CONFIG_END 3 | 4 | SCENARIO_BEGIN empty replies 5 | 6 | RANGE_BEGIN 0 100 7 | ADDRESS 127.0.0.10 8 | ENTRY_BEGIN 9 | MATCH subdomain 10 | ADJUST copy_id copy_query 11 | SECTION QUESTION 12 | . 
IN A 13 | ENTRY_END 14 | RANGE_END 15 | 16 | STEP 1 QUERY 17 | ENTRY_BEGIN 18 | ENTRY_END 19 | 20 | SCENARIO_END 21 | -------------------------------------------------------------------------------- /modules/ta_update/ta_update.unmanagedkey.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - modules/ta_update/ta_update.unmanagedkey.test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | configs: 11 | - config 12 | - hints 13 | -------------------------------------------------------------------------------- /ci/respdiff/start-resolvers.sh: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | #run unbound 4 | service unbound start && service unbound status; 5 | # dig @localhost -p 53535 6 | 7 | #run bind 8 | service named start && service named status; 9 | # dig @localhost -p 53533 10 | 11 | #run kresd 12 | $PREFIX/sbin/kresd -n -q -c $(pwd)/ci/respdiff/kresd.config &>kresd.log & 13 | # dig @localhost -p 5353 14 | -------------------------------------------------------------------------------- /doc/dev/config-lua-experimental.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | ********************* 4 | Experimental features 5 | ********************* 6 | 7 | The following functionality and APIs are in continuous development. 8 | Features in this section may be changed, replaced or dropped in any release. 9 | 10 | ..
toctree:: 11 | :maxdepth: 1 12 | 13 | daemon-scripting 14 | modules-experimental_dot_auth 15 | -------------------------------------------------------------------------------- /utils/shell-completion/meson.build: -------------------------------------------------------------------------------- 1 | # CLI completion for bash-shell 2 | install_data( 3 | sources: 'client.bash', 4 | rename: 'kresctl', 5 | install_dir: completion_dir / 'bash-completion' / 'completions' 6 | ) 7 | 8 | # CLI completion for fish-shell 9 | # install_data( 10 | # sources: 'client.fish', 11 | # rename: 'kresctl.fish', 12 | # install_dir: completion_dir / 'fish' / 'completions' 13 | # ) 14 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "tests/integration/deckard"] 2 | path = tests/integration/deckard 3 | url = https://gitlab.nic.cz/knot/deckard.git 4 | [submodule "modules/policy/lua-aho-corasick"] 5 | path = modules/policy/lua-aho-corasick 6 | url = https://gitlab.nic.cz/knot/3rdparty/lua-aho-corasick.git 7 | [submodule "tests/config/tapered"] 8 | path = tests/config/tapered 9 | url = https://gitlab.nic.cz/knot/3rdparty/lua-tapered.git 10 | -------------------------------------------------------------------------------- /scripts/poe-tasks/test-migrate: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | # migrate all testing configuration 8 | for config in $PWD/etc/config/config.migrate-test*.yaml; 9 | do 10 | python3 -m knot_resolver.client migrate $config migrated.yaml; 11 | python3 -m knot_resolver.client validate migrated.yaml; 12 | check_rv $? 
13 | done 14 | -------------------------------------------------------------------------------- /scripts/meson/bench.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | set -o errexit -o nounset 4 | 5 | # Run benchmark 6 | cd "${MESON_SOURCE_ROOT}" 7 | 8 | echo "Test LRU with increasing overfill, misses should increase ~ linearly" 9 | 10 | for num in 65536 32768 16384 8192 4096; do 11 | "${MESON_BUILD_ROOT}/${MESON_SUBDIR}/bench_lru" 23 "${MESON_SOURCE_ROOT}/${MESON_SUBDIR}/bench_lru_set1.tsv" - "${num}" 12 | done 13 | -------------------------------------------------------------------------------- /systemd/tmpfiles.d/knot-resolver.conf.in: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: CC0-1.0 2 | # tmpfiles.d(5) directories for knot-resolver (kresd) 3 | #Type Path Mode UID GID Age Argument 4 | d @run_dir@ 0750 @user@ @group@ - - 5 | d @systemd_work_dir@ 0750 @user@ @group@ - - 6 | d @systemd_cache_dir@ 0750 @user@ @group@ - - 7 | -------------------------------------------------------------------------------- /contrib/ucw/libucw.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: libucw 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-c3d39e26-6b71-46d4-88ea-e52750932ff3 6 | 7 | PackageName: libucw 8 | PackageDownloadLocation: git://git.ucw.cz/libucw.git@f1bde7104b04d5254d1d1d7dcc8de790a43a416f#ucw/ 9 | PackageOriginator: Organization: United Computer Wizards 10 | PackageLicenseDeclared: LGPL-2.1-or-later 11 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/ok1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 
4 | 5 | 2 6 | 8 7 | 2 8 | 1111111111111111111111111111111111111111111111111111111111111111 9 | 10 | 11 | -------------------------------------------------------------------------------- /scripts/lib/get-date.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | set -o nounset 4 | cd "$(dirname $0)/../.." 5 | 6 | # Get date from NEWS if possible (regular release) 7 | DATE=$(head -n1 < NEWS | sed 's/.*(\(.*\)).*/\1/' | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}$$') 8 | 9 | if [[ $? -ne 0 ]]; then 10 | # or use last modification time of NEWS (dev versions) 11 | DATE=$(date -u -r NEWS +%F) 12 | fi 13 | 14 | echo -n $DATE 15 | -------------------------------------------------------------------------------- /tests/packaging/interactive/etag.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | socket_opt="--unix-socket /run/knot-resolver/kres-api.sock" 6 | 7 | etag="$(curl --silent $socket_opt --fail http://localhost:5000/v1/config -o /dev/null -v 2>&1 | grep ETag | sed 's/< ETag: //;s/\s//')" 8 | 9 | status=$(curl --silent $socket_opt --fail http://localhost:5000/v1/config --header "If-None-Match: $etag" -w "%{http_code}" -o /dev/null) 10 | test "$status" -eq 304 11 | -------------------------------------------------------------------------------- /lib/proto.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 
2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #include "lib/proto.h" 6 | 7 | const char *kr_proto_name(enum kr_proto p) 8 | { 9 | switch (p) { 10 | case KR_PROTO_INTERNAL: 11 | return "INTERNAL"; 12 | #define XX(cid, vid, name) case KR_PROTO_##cid: \ 13 | return (name); 14 | KR_PROTO_MAP(XX) 15 | #undef XX 16 | default: 17 | return "(default)"; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /tests/unit/mock_cmodule.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #include "lib/module.h" 6 | 7 | /* 8 | * Mock module implementation. 9 | */ 10 | 11 | int mock_cmodule_init(struct kr_module *module) 12 | { 13 | return kr_ok(); 14 | } 15 | 16 | int mock_cmodule_deinit(struct kr_module *module) 17 | { 18 | return kr_ok(); 19 | } 20 | 21 | KR_MODULE_EXPORT(mock_cmodule) 22 | -------------------------------------------------------------------------------- /modules/daf/meson.build: -------------------------------------------------------------------------------- 1 | # LUA module: daf 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | config_tests += [ 5 | ['daf', files('daf.test.lua')], 6 | ['daf_http', files('daf_http.test.lua')], 7 | ] 8 | 9 | integr_tests += [ 10 | ['daf', meson.current_source_dir() / 'test.integr'], 11 | ] 12 | 13 | lua_mod_src += [ 14 | files('daf.lua'), 15 | ] 16 | 17 | # install daf.js 18 | install_data( 19 | 'daf.js', 20 | install_dir: modules_dir / 'daf', 21 | ) 22 | -------------------------------------------------------------------------------- /modules/http/static/epoch.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: epoch 5 | DocumentNamespace: 
http://spdx.org/spdxdocs/spdx-v2.1-4efd8b6e-174f-48e4-a228-3059f191c7e8 6 | 7 | PackageName: epoch 8 | PackageVersion: 0.8.3 9 | PackageDownloadLocation: git+https://github.com/epochjs/epoch.git@47aef0a5aa8458bdd5011d108ab92a560215bc57#dist/ 10 | PackageOriginator: Organization: Fastly 11 | PackageLicenseDeclared: MIT 12 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/macros/cache_macros.lua.j2: -------------------------------------------------------------------------------- 1 | {% from 'macros/common_macros.lua.j2' import boolean, quotes, qtype_table %} 2 | 3 | 4 | {% macro cache_clear(params) -%} 5 | cache.clear( 6 | {{- quotes(params.name) if params.name else 'nil' -}}, 7 | {{- boolean(params.exact_name) -}}, 8 | {{- qtype_table(params.rr_type) if params.rr_type else 'nil' -}}, 9 | {{- params.chunk_size if not params.exact_name else 'nil' -}} 10 | ) 11 | {%- endmacro %} 12 | -------------------------------------------------------------------------------- /scripts/poe-tasks/gen-schema: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | schema_file="$gitroot/doc/_static/config.schema.json" 8 | 9 | meson_setup_configure > /dev/null 10 | cp $build_dir/python/knot_resolver/constants.py $gitroot/python/knot_resolver/constants.py 11 | python -m knot_resolver.client schema > $schema_file 12 | 13 | echo New JSON schema saved to $schema_file -------------------------------------------------------------------------------- /tests/integration/hints_zone.j2: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: GPL-3.0-or-later 2 | ; This file holds the information on root name servers needed to 3 | ; initialize cache of Internet domain name servers 4 | 5 | . 
3600000 NS K.ROOT-SERVERS.NET. 6 | {% if ':' in ROOT_ADDR %} 7 | K.ROOT-SERVERS.NET. 3600000 AAAA {{ROOT_ADDR}} 8 | {% else %} 9 | K.ROOT-SERVERS.NET. 3600000 A {{ROOT_ADDR}} 10 | {% endif %} 11 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/unsupp_xml_v11.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 2 6 | 8 7 | 2 8 | 1111111111111111111111111111111111111111111111111111111111111111 9 | 10 | 11 | -------------------------------------------------------------------------------- /python/knot_resolver/utils/modeling/__init__.py: -------------------------------------------------------------------------------- 1 | from .base_generic_type_wrapper import BaseGenericTypeWrapper 2 | from .base_schema import BaseSchema, ConfigSchema 3 | from .base_value_type import BaseValueType 4 | from .parsing import parse_json, parse_yaml, try_to_parse 5 | 6 | __all__ = [ 7 | "BaseGenericTypeWrapper", 8 | "BaseValueType", 9 | "BaseSchema", 10 | "ConfigSchema", 11 | "parse_yaml", 12 | "parse_json", 13 | "try_to_parse", 14 | ] 15 | -------------------------------------------------------------------------------- /contrib/ccan/json/json.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: ccan-json 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-d9b4db4c-062f-4add-89b6-f603224f5a2c 6 | 7 | PackageName: json 8 | PackageDownloadLocation: git+https://github.com/rustyrussell/ccan@f4eb3a18caf946ee6cc2cb57e2a0c6a6f115157f#ccan/json 9 | PackageOriginator: Person: Joseph A. 
Adams (joeyadams3.14159@gmail.com) 10 | PackageLicenseDeclared: MIT 11 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/unsupp_nonroot.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | test. 4 | 5 | 2 6 | 8 7 | 2 8 | 1111111111111111111111111111111111111111111111111111111111111111 9 | 10 | 11 | -------------------------------------------------------------------------------- /distro/config/apkg.toml: -------------------------------------------------------------------------------- 1 | [project] 2 | name = "knot-resolver" 3 | # needed for make-archive 4 | make_archive_script = "scripts/make-archive.sh" 5 | 6 | [upstream] 7 | # needed for get-archive 8 | archive_url = "https://secure.nic.cz/files/knot-resolver/knot-resolver-{{ version }}.tar.xz" 9 | signature_url = "https://secure.nic.cz/files/knot-resolver/knot-resolver-{{ version }}.tar.xz.asc" 10 | version_script = "scripts/lib/upstream-version.sh" 11 | 12 | [apkg] 13 | compat = 6 14 | -------------------------------------------------------------------------------- /bench/meson.build: -------------------------------------------------------------------------------- 1 | # bench 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | bench_lru_src = files([ 5 | 'bench_lru.c', 6 | ]) 7 | 8 | cc = meson.get_compiler('c') 9 | m_dep = cc.find_library('m', required : false) 10 | 11 | bench_lru = executable( 12 | 'bench_lru', 13 | bench_lru_src, 14 | dependencies: [ 15 | contrib_dep, 16 | libkres_dep, 17 | m_dep, 18 | ], 19 | ) 20 | 21 | run_target( 22 | 'bench', 23 | command: '../scripts/meson/bench.sh', 24 | ) 25 | -------------------------------------------------------------------------------- /modules/nsid/meson.build: -------------------------------------------------------------------------------- 1 | # C module: nsid 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | nsid_src = files([ 5 | 'nsid.c', 6 | 
]) 7 | c_src_lint += nsid_src 8 | 9 | nsid_mod = shared_module( 10 | 'nsid', 11 | nsid_src, 12 | dependencies: mod_deps, 13 | include_directories: mod_inc_dir, 14 | name_prefix: '', 15 | install: true, 16 | install_dir: modules_dir, 17 | link_with: kresd, 18 | ) 19 | 20 | config_tests += [ 21 | ['nsid', files('nsid.test.lua')], 22 | ] 23 | -------------------------------------------------------------------------------- /contrib/ccan/asprintf/asprintf.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: ccan-asprintf 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-40d4b71d-00e9-4e75-b6da-559203e6b815 6 | 7 | PackageName: asprintf 8 | PackageDownloadLocation: git+https://github.com/rustyrussell/ccan@fb1dfd092940905883ea6473162f5f6e36624da2#ccan/asprintf 9 | PackageOriginator: Person: Rusty Russell (rusty@rustcorp.com.au) 10 | PackageLicenseDeclared: MIT 11 | -------------------------------------------------------------------------------- /contrib/murmurhash3/murmurhash3.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: ccan-json 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-d9b4db4c-062f-4add-89b6-f603224f5a2c 6 | 7 | PackageName: json 8 | PackageDownloadLocation: git+https://github.com/aappleby/smhasher.git@73e075b203d9c76cd1e20d6c8907c2983d653f33#MurmurHash3.cpp 9 | PackageOriginator: Person: Austin Appleby (aappleby@gmail.com) 10 | PackageLicenseDeclared: CC0-1.0 11 | -------------------------------------------------------------------------------- /modules/edns_keepalive/meson.build: -------------------------------------------------------------------------------- 1 | # C module: edns_keepalive 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | edns_keepalive_src = files([ 5 | 
'edns_keepalive.c', 6 | ]) 7 | c_src_lint += edns_keepalive_src 8 | 9 | edns_keepalive_mod = shared_module( 10 | 'edns_keepalive', 11 | edns_keepalive_src, 12 | dependencies: mod_deps, 13 | include_directories: mod_inc_dir, 14 | name_prefix: '', 15 | install: true, 16 | install_dir: modules_dir, 17 | link_with: kresd, 18 | ) 19 | -------------------------------------------------------------------------------- /modules/extended_error/meson.build: -------------------------------------------------------------------------------- 1 | # C module: extended_error 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | extended_error_src = files([ 5 | 'extended_error.c', 6 | ]) 7 | c_src_lint += extended_error_src 8 | 9 | extended_error_mod = shared_module( 10 | 'extended_error', 11 | extended_error_src, 12 | dependencies: mod_deps, 13 | include_directories: mod_inc_dir, 14 | name_prefix: '', 15 | install: true, 16 | install_dir: modules_dir, 17 | link_with: kresd, 18 | ) 19 | -------------------------------------------------------------------------------- /scripts/poe-tasks/gen-constantspy: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | echo 8 | meson_setup_configure 9 | echo 10 | echo ----------------------------------------------- 11 | echo Copying constants.py module configured by Meson 12 | echo ----------------------------------------------- 13 | cp -v $build_dir/python/knot_resolver/constants.py $gitroot/python/knot_resolver/constants.py 14 | echo -------------------------------------------------------------------------------- /scripts/poe-tasks/run-debug: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | echo 
The debug server will be listening on port localhost:5678 8 | echo Use VSCode remote attach feature to connect to the debug server 9 | echo The manager will start after you connect 10 | echo API will be running on port 5000 11 | echo ---------------------------------------- 12 | 13 | KRES_DEBUG_MANAGER=1 poe run $@ 14 | -------------------------------------------------------------------------------- /contrib/ccan/compiler/compiler.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: ccan-compiler 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-1569e849-880d-4ce7-ba3e-f4aaec8fce52 6 | 7 | PackageName: compiler 8 | PackageDownloadLocation: git+https://github.com/rustyrussell/ccan@23e96f89d54b8d5c4675284bbcd44fba68d8f826#ccan/compiler 9 | PackageOriginator: Person: Rusty Russell (rusty@rustcorp.com.au) 10 | PackageLicenseDeclared: CC0-1.0 11 | -------------------------------------------------------------------------------- /lib/generic/trie.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: knotdns-trie 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-f99c0e11-6afb-46ce-af96-0955a83957bb 6 | 7 | PackageName: knotdns-trie 8 | PackageDownloadLocation: git+https://gitlab.nic.cz/knot/knot-dns.git@68352fc969bc04aa4aa8203e113ce747d887f410#src/contrib/qp-trie/trie.c 9 | PackageOriginator: Organization: Knot DNS contributors 10 | PackageLicenseDeclared: GPL-3.0-or-later 11 | -------------------------------------------------------------------------------- /scripts/poe-tasks/configure: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source 
$src_dir/utils/_env.sh 6 | 7 | echo 8 | meson_setup_configure_dev 9 | echo 10 | echo ----------------------------------------------- 11 | echo Copying constants.py module configured by Meson 12 | echo ----------------------------------------------- 13 | cp -v $build_dev_dir/python/knot_resolver/constants.py $gitroot/python/knot_resolver/constants.py 14 | echo 15 | -------------------------------------------------------------------------------- /tests/manager/utils/modeling/test_etag.py: -------------------------------------------------------------------------------- 1 | from pyparsing import empty 2 | 3 | from knot_resolver.utils.etag import structural_etag 4 | 5 | 6 | def test_etag(): 7 | empty1 = {} 8 | empty2 = {} 9 | 10 | assert structural_etag(empty1) == structural_etag(empty2) 11 | 12 | something1 = {"something": 1} 13 | something2 = {"something": 2} 14 | assert structural_etag(empty1) != structural_etag(something1) 15 | assert structural_etag(something1) != structural_etag(something2) 16 | -------------------------------------------------------------------------------- /contrib/base64.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: knotdns-base64 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-669dfa8c-3b50-425f-92fc-9b7ce18999f2 6 | 7 | PackageName: knotdns-base64 8 | PackageDownloadLocation: git+https://gitlab.nic.cz/knot/knot-dns.git@2b3c828a4cb8d9595318552483d4947345426c30#src/libknot/internal/base64.c 9 | PackageOriginator: Organization: Knot DNS contributors 10 | PackageLicenseDeclared: GPL-3.0-or-later 11 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/defer_schema.py: -------------------------------------------------------------------------------- 1 | from knot_resolver.datamodel.types import TimeUnit 2 | from knot_resolver.utils.modeling 
import ConfigSchema 3 | 4 | 5 | class DeferSchema(ConfigSchema): 6 | """ 7 | Configuration of request prioritization (defer). 8 | 9 | --- 10 | enable: Use request prioritization. 11 | log_period: Minimal time between two log messages, or '0s' to disable. 12 | """ 13 | 14 | enable: bool = False 15 | log_period: TimeUnit = TimeUnit("0s") 16 | -------------------------------------------------------------------------------- /lib/cache/cdb_lmdb.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include "lib/cache/cdb_api.h" 8 | #include "lib/defines.h" 9 | 10 | /** Get API implementation for LMDB. */ 11 | KR_EXPORT KR_CONST 12 | const struct kr_cdb_api *kr_cdb_lmdb(void); 13 | 14 | /** Create a pointer for knot_db_lmdb_api. You free() it to release it. */ 15 | KR_EXPORT 16 | knot_db_t *kr_cdb_pt2knot_db_t(kr_cdb_pt db); 17 | 18 | -------------------------------------------------------------------------------- /modules/hints/meson.build: -------------------------------------------------------------------------------- 1 | # C module: hints 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | hints_src = files([ 5 | 'hints.c', 6 | ]) 7 | c_src_lint += hints_src 8 | 9 | hints_mod = shared_module( 10 | 'hints', 11 | hints_src, 12 | dependencies: mod_deps, 13 | include_directories: mod_inc_dir, 14 | name_prefix: '', 15 | install: true, 16 | install_dir: modules_dir, 17 | link_with: kresd, 18 | ) 19 | 20 | config_tests += [ 21 | ['hints', files('tests/hints.test.lua')], 22 | ] 23 | -------------------------------------------------------------------------------- /systemd/kres-cache-gc.service.in: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: CC0-1.0 2 | [Unit] 3 | Description=Knot Resolver Garbage Collector daemon 4 | Documentation=man:kresd.systemd(7) 5 | 
Documentation=man:kresd(8) 6 | 7 | [Service] 8 | Type=simple 9 | ExecStart=@sbin_dir@/kres-cache-gc -c @systemd_cache_dir@ -d 1000 10 | User=@user@ 11 | Group=@group@ 12 | Restart=on-failure 13 | RestartSec=30 14 | StartLimitInterval=400 15 | StartLimitBurst=10 16 | Slice=system-kresd.slice 17 | 18 | [Install] 19 | WantedBy=kresd.target 20 | -------------------------------------------------------------------------------- /contrib/base32hex.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: knotdns-base32hex 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-4f29f08d-5fbf-4793-934c-9a6a2e6d5517 6 | 7 | PackageName: knotdns-base32hex 8 | PackageDownloadLocation: git+https://gitlab.nic.cz/knot/knot-dns.git@2b3c828a4cb8d9595318552483d4947345426c30#src/libknot/internal/base32hex.c 9 | PackageOriginator: Organization: Knot DNS contributors 10 | PackageLicenseDeclared: GPL-3.0-or-later 11 | -------------------------------------------------------------------------------- /modules/http/static/bootstrap.min.js.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: bootstrap.js 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-6797c679-d14a-4524-abe4-a668e07f213f 6 | 7 | PackageName: bootstrap.js 8 | PackageVersion: 3.3.6 9 | PackageDownloadLocation: git+https://github.com/twbs/bootstrap.git@81df608a40bf0629a1dc08e584849bb1e43e0b7a#dist/js/bootstrap.min.js 10 | PackageOriginator: Organization: Twitter 11 | PackageLicenseDeclared: MIT 12 | -------------------------------------------------------------------------------- /tests/packaging/interactive/cache-clear.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # clear full cache 4 | 
kresctl cache clear > /dev/null 5 | if [ "$?" -ne "0" ]; then 6 | echo "Could not clear full cache" 7 | exit 1 8 | fi 9 | 10 | # clear just example.com. AAAA record, get JSON output 11 | kresctl cache clear --json --exact-name --rr-type AAAA example.com. | python3 -m json.tool > /dev/null 12 | if [ "$?" -ne "0" ]; then 13 | echo "Could not clear example.com. AAAA record or output is not a valid JSON" 14 | exit 1 15 | fi 16 | -------------------------------------------------------------------------------- /tests/packaging/interactive/workers.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | expected_workers="5" 4 | 5 | kresctl config set -p /workers "$expected_workers" 6 | if [ "$?" -ne "0" ]; then 7 | echo "Could not configure $expected_workers workers" 8 | exit 1 9 | fi 10 | 11 | actual_processes="$(pidof kresd | wc -w)" 12 | if [ "$actual_processes" -ne "$expected_workers" ]; then 13 | echo "Incorrect number of workers" 14 | echo "(actual) != (expected)" 15 | echo "$actual_processes != $expected_workers" 16 | exit 1 17 | fi 18 | -------------------------------------------------------------------------------- /modules/cookies/cookiemonster.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | 9 | #include "lib/layer.h" 10 | 11 | /** Checks cookies of inbound requests. It's for kr_layer_api_t::begin. */ 12 | int check_request(kr_layer_t *ctx); 13 | 14 | /** Checks cookies of received responses. It's for kr_layer_api_t::consume. 
*/ 15 | int check_response(kr_layer_t *ctx, knot_pkt_t *pkt); 16 | -------------------------------------------------------------------------------- /modules/stats/meson.build: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | # C module: stats 3 | 4 | stats_src = files([ 5 | 'stats.c', 6 | ]) 7 | c_src_lint += stats_src 8 | 9 | integr_tests += [ 10 | ['stats', meson.current_source_dir() / 'test.integr'], 11 | ] 12 | 13 | 14 | stats_mod = shared_module( 15 | 'stats', 16 | stats_src, 17 | dependencies: mod_deps, 18 | include_directories: mod_inc_dir, 19 | name_prefix: '', 20 | install: true, 21 | install_dir: modules_dir, 22 | link_with: kresd, 23 | ) 24 | -------------------------------------------------------------------------------- /modules/http/static/selectize.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: selectize.js 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-5ffbfb08-4009-4a41-bc96-16adb5f2b632 6 | 7 | PackageName: selectize.js 8 | PackageVersion: 0.12.6 9 | PackageDownloadLocation: git+https://github.com/selectize/selectize.js.git@eb0fca364f9bd6864ae197ea58c853f2717052a9#dist/ 10 | PackageOriginator: Person: Jonathan Allard (jonathan@allard.io) 11 | PackageLicenseDeclared: Apache-2.0 12 | -------------------------------------------------------------------------------- /doc/user/config-refuse-no-rd.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-refuse-no-rd: 4 | 5 | Refuse queries without RD bit 6 | ============================= 7 | 8 | This module ensures all queries without RD (recursion desired) bit set in query 9 | are answered with REFUSED. This prevents snooping on the resolver's cache content. 
10 | 11 | It is enabled by default. If you don't like this behavior, you can disable it: 12 | 13 | .. code-block:: yaml 14 | 15 | options: 16 | refuse-no-rd: false 17 | -------------------------------------------------------------------------------- /modules/http/static/jquery.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: jquery 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-d1bf4e73-cd79-434a-ba6c-834967690525 6 | 7 | PackageName: jquery 8 | PackageVersion: 2.1.4 9 | PackageDownloadLocation: https://code.jquery.com/jquery-2.1.4.min.js 10 | PackageChecksum: SHA256: f16ab224bb962910558715c82f58c10c3ed20f153ddfaa199029f141b5b0255c 11 | PackageOriginator: Organization: jQuery Foundation 12 | PackageLicenseDeclared: MIT 13 | -------------------------------------------------------------------------------- /modules/refuse_nord/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-refuse_nord: 4 | 5 | Refuse queries without RD bit 6 | ============================= 7 | 8 | This module ensures all queries without RD (recursion desired) bit set in query 9 | are answered with REFUSED. This prevents snooping on the resolver's cache content. 10 | 11 | The module is loaded by default. If you'd like to disable this behavior, you can 12 | unload it: 13 | 14 | .. 
code-block:: lua 15 | 16 | modules.unload('refuse_nord') 17 | -------------------------------------------------------------------------------- /modules/http/static/bootstrap-theme.min.css.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: bootstrap-theme 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-2794db89-37c2-415b-b1bd-d66b445c5202 6 | 7 | PackageName: bootstrap-theme 8 | PackageVersion: 3.3.6 9 | PackageDownloadLocation: git+https://github.com/twbs/bootstrap.git@81df608a40bf0629a1dc08e584849bb1e43e0b7a#dist/css/bootstrap-theme.min.css 10 | PackageOriginator: Organization: Twitter 11 | PackageLicenseDeclared: MIT 12 | -------------------------------------------------------------------------------- /modules/http/static/datamaps.world.min.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: datamaps 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-b0f0e722-a8b4-4961-825d-7392f165a0be 6 | 7 | PackageName: datamaps 8 | PackageVersion: 0.3.7 9 | PackageDownloadLocation: git+https://github.com/markmarkoh/datamaps.git@37beb5995b8489906e070ec6002c7f7d84b17c7a/datamaps.world.min.js 10 | PackageOriginator: Person: Mark DiMarco (mark.dimarco@gmail.com) 11 | PackageLicenseDeclared: MIT 12 | -------------------------------------------------------------------------------- /modules/policy/policy.test.rpz: -------------------------------------------------------------------------------- 1 | $ORIGIN testdomain. 2 | $TTL 30 3 | testdomain. SOA nonexistent.testdomain. testdomain. 1 12h 15m 3w 2h 4 | NS nonexistent.testdomain. 5 | 6 | nxdomain CNAME . 7 | nodata CNAME *. 8 | *.nxdomain CNAME *. 9 | rpzdrop CNAME rpz-drop. 10 | rpzpassthru CNAME rpz-passthru. 
11 | rra A 192.168.5.5 12 | rra-zonename-suffix A 192.168.6.6 13 | testdomain.rra.testdomain. A 192.168.7.7 14 | CaSe.SeNSiTiVe A 192.168.8.8 15 | 16 | two.records AAAA 2001:db8::2 17 | two.records AAAA 2001:db8::1 18 | 19 | -------------------------------------------------------------------------------- /doc/user/deployment-warning.rst: -------------------------------------------------------------------------------- 1 | .. warning:: 2 | 3 | This page is intended for experienced users only. If you follow these 4 | instructions, you are not protected from footguns eliminated with the 5 | introduction of the ``kres-manager``. However, if you want to continue 6 | using Knot Resolver the same as before the version ``6.0.0`` this is a chapter 7 | for you. 8 | 9 | For new and less experienced users, we recommend using the newer approach 10 | starting in the :ref:`Getting Started ` chapter. -------------------------------------------------------------------------------- /modules/bogus_log/meson.build: -------------------------------------------------------------------------------- 1 | # C module: bogus_log 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | bogus_log_src = files([ 5 | 'bogus_log.c', 6 | ]) 7 | c_src_lint += bogus_log_src 8 | 9 | bogus_log_mod = shared_module( 10 | 'bogus_log', 11 | bogus_log_src, 12 | dependencies: mod_deps, 13 | include_directories: mod_inc_dir, 14 | name_prefix: '', 15 | install: true, 16 | install_dir: modules_dir, 17 | link_with: kresd, 18 | ) 19 | 20 | integr_tests += [ 21 | ['bogus_log', meson.current_source_dir() / 'test.integr'], 22 | ] 23 | -------------------------------------------------------------------------------- /modules/http/static/dygraph.min.js.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: dygraph 5 | DocumentNamespace: 
http://spdx.org/spdxdocs/spdx-v2.1-4433b214-29e7-41ba-afa9-5d06f5e643e1 6 | 7 | PackageName: dygraph 8 | PackageVersion: 2.1.0 9 | PackageDownloadLocation: http://dygraphs.com/2.1.0/dygraph.min.js 10 | PackageChecksum: SHA256: f3b2eafa9250129f3cadf4eef279dd3ede862d4f2fa193094ea7aff3bd231303 11 | PackageOriginator: Person: Dan Vanderkam (danvdk@gmail.com) 12 | PackageLicenseDeclared: MIT 13 | -------------------------------------------------------------------------------- /lib/layer/cache.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #include "lib/module.h" 6 | #include "lib/cache/api.h" 7 | 8 | /** Module implementation. */ 9 | int cache_init(struct kr_module *self) 10 | { 11 | static const kr_layer_api_t layer = { 12 | .produce = &cache_peek, 13 | .consume = &cache_stash, 14 | }; 15 | self->layer = &layer; 16 | return kr_ok(); 17 | } 18 | 19 | KR_MODULE_EXPORT(cache) /* useless for builtin module, but let's be consistent */ 20 | 21 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6-module-http.links: -------------------------------------------------------------------------------- 1 | usr/share/javascript/bootstrap/css/bootstrap-theme.min.css usr/lib/knot-resolver/kres_modules/http/bootstrap-theme.min.css 2 | usr/share/javascript/bootstrap/css/bootstrap.min.css usr/lib/knot-resolver/kres_modules/http/bootstrap.min.css 3 | usr/share/javascript/bootstrap/js/bootstrap.min.js usr/lib/knot-resolver/kres_modules/http/bootstrap.min.js 4 | usr/share/javascript/d3/d3.min.js usr/lib/knot-resolver/kres_modules/http/d3.js 5 | usr/share/javascript/jquery/jquery.min.js usr/lib/knot-resolver/kres_modules/http/jquery.js 6 | -------------------------------------------------------------------------------- /modules/http/static/topojson.spdx: 
-------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: topojson 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-2a02fcb5-2889-42c1-ac6a-2674fb1b7be0 6 | 7 | PackageName: topojson 8 | PackageVersion: 1.6.9 9 | PackageDownloadLocation: https://unpkg.com/topojson@1.6.9/topojson.min.js 10 | PackageChecksum: SHA256: 091bee8a099772d9a377ddbb4f2a43a026c4877e986d6c6a9291daf043b0b37e 11 | PackageOriginator: Person: Michael Bostock (mike@ocks.org) 12 | PackageLicenseDeclared: BSD-3-Clause 13 | -------------------------------------------------------------------------------- /modules/refuse_nord/test.integr/refuse_nord.rpl: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: GPL-3.0-or-later 2 | ; config options 3 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 4 | CONFIG_END 5 | 6 | SCENARIO_BEGIN Test refuse queries without RD bit 7 | 8 | STEP 10 QUERY 9 | ENTRY_BEGIN 10 | ; RD bit is cleared 11 | SECTION QUESTION 12 | www.example.com IN A 13 | ENTRY_END 14 | 15 | STEP 20 CHECK_ANSWER 16 | ENTRY_BEGIN 17 | MATCH all answer 18 | REPLY QR RA REFUSED 19 | SECTION QUESTION 20 | www.example.com IN A 21 | SECTION ANSWER 22 | ENTRY_END 23 | 24 | SCENARIO_END 25 | -------------------------------------------------------------------------------- /modules/http/static/d3.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: d3js 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-d849c611-6d18-4c73-9318-f01eab74a036 6 | 7 | PackageName: d3js 8 | PackageVersion: 3.5.6 9 | PackageDownloadLocation: https://github.com/d3/d3/releases/download/v3.5.6/d3.zip#d3.min.js 10 | PackageChecksum: SHA256: 3865a5ee7b9f91126f2ef1121a7635e57bd820c9dbc384c2c48626b93a13d3f6 11 | 
PackageOriginator: Person: Michael Bostock (mike@ocks.org) 12 | PackageLicenseDeclared: BSD-3-Clause 13 | -------------------------------------------------------------------------------- /modules/refuse_nord/meson.build: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | # C module: refuse_nord 3 | 4 | integr_tests += [ 5 | ['refuse_nord', meson.current_source_dir() / 'test.integr'], 6 | ] 7 | 8 | refuse_nord_src = files([ 9 | 'refuse_nord.c', 10 | ]) 11 | c_src_lint += refuse_nord_src 12 | 13 | refuse_nord_mod = shared_module( 14 | 'refuse_nord', 15 | refuse_nord_src, 16 | dependencies: mod_deps, 17 | include_directories: mod_inc_dir, 18 | name_prefix: '', 19 | install: true, 20 | install_dir: modules_dir, 21 | link_with: kresd, 22 | ) 23 | -------------------------------------------------------------------------------- /modules/http/static/bootstrap.min.css.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: bootswatch-yeti-bootstrap.min.css 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-da039738-1b9b-430a-984b-a97d1415ad0f 6 | 7 | PackageName: bootswatch-yeti-bootstrap.min.css 8 | PackageVersion: 3.3.6+2 9 | PackageDownloadLocation: git+https://github.com/twbs/bootstrap.git@a78dc3aed640a35914361b837ce24573a0515e19#yeti/bootstrap.min.css 10 | PackageOriginator: Person: Thomas Park (thomas@thomaspark.co) 11 | PackageLicenseDeclared: MIT 12 | -------------------------------------------------------------------------------- /modules/ta_update/ta_update.test.integr/rfc5011/README: -------------------------------------------------------------------------------- 1 | Start with `genkeyszones.sh` and generate DNSSEC keys + signed versions of `unsigned_*.db`. 
2 | Then use `dns2rpl.py` to run Knot DNS server with signed zone 3 | and to generate RPL file from server's answers. 4 | 5 | Generate RFC5011 test: 6 | `dns2rpl.py`. 7 | `./genkeyszones.sh` 8 | 9 | Generate unmanaged keys tests: 10 | `./genkeyszones.sh <--unmanaged_key-presens|--unmanagedkey-missing|--unmanagedkey-revoke>` 11 | `VARIANT="unmanaged_key" ./dns2rpl.py` 12 | 13 | See comments in script headers to further details. 14 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/forward.lua.j2: -------------------------------------------------------------------------------- 1 | {% from 'macros/forward_macros.lua.j2' import policy_rule_forward_add, forward_servers %} 2 | 3 | {% if cfg.forward %} 4 | {% for fwd in cfg.forward %} 5 | {% for subtree in fwd.subtree %} 6 | {{ policy_rule_forward_add(subtree,fwd.options,fwd.servers) }} 7 | {% endfor %} 8 | {% endfor %} 9 | {% endif %} 10 | 11 | 12 | {% if cfg.fallback and cfg.fallback.enable %} 13 | modules.load('fallback') 14 | fallback.config({ 15 | targets = {{ forward_servers(cfg.fallback.servers) }}, 16 | options = {}, 17 | }) 18 | {% endif %} 19 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/rate_limiting.lua.j2: -------------------------------------------------------------------------------- 1 | {% from 'macros/common_macros.lua.j2' import boolean %} 2 | 3 | {% if cfg.rate_limiting.enable %} 4 | assert( 5 | C.ratelimiting_init( 6 | '{{ cfg.rundir }}/ratelimiting', 7 | {{ cfg.rate_limiting.capacity }}, 8 | {{ cfg.rate_limiting.instant_limit }}, 9 | {{ cfg.rate_limiting.rate_limit }}, 10 | {{ cfg.rate_limiting.slip }}, 11 | {{ cfg.rate_limiting.log_period.millis() }}, 12 | {{ boolean(cfg.rate_limiting.dry_run) }} 13 | ) == 0 14 | ) 15 | {% endif %} 16 | -------------------------------------------------------------------------------- /scripts/lib/upstream-version.sh: 
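-------------------------------------------------------------------------------- 
#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-3.0-or-later
#
# Return latest upstream version of Knot Resolver
#
# This script is used by apkg to detect latest upstream version, test with:
#
#    apkg info upstream-version
#    apkg get-archive
#
# It must only output valid YAML to stdout!
#
# The version is taken from the tag names the remote advertises;
# `git ls-remote` only lists refs and does not check tag signatures.
set -o errexit
# Without pipefail only the exit status of `tail` counts, so a failed
# `git ls-remote` would go unnoticed and an empty version would be printed.
set -o pipefail

REPO=https://gitlab.nic.cz/knot/knot-resolver.git

# List remote tags, keep those named v<version>, pick the highest by version sort.
VERSION=$(git ls-remote --tags --refs "$REPO" | cut -f2- | sed -n "s#^refs/tags/v##p" | sort -V | tail -1)

# No matching tag: report on stderr and fail instead of emitting "version: "
# with an empty value (stdout must stay valid YAML).
if [ -z "$VERSION" ]; then
	echo "no v* tag found in $REPO" >&2
	exit 1
fi
echo "version: $VERSION"
-------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6.lintian-overrides: -------------------------------------------------------------------------------- 1 | # this library is only shared within kresd 2 | knot-resolver6: package-name-doesnt-match-sonames libkres9 3 | # this library is only shared within kresd, no need for symbols 4 | knot-resolver6: no-symbols-control-file usr/lib/libkres.so.9 5 | # it's a module 6 | knot-resolver6: shared-library-lacks-prerequisites [usr/lib/knot-resolver/kres_modules/refuse_nord.so] 7 | # no init.d support 8 | knot-resolver6: package-supports-alternative-init-but-no-init.d-script 9 | # UPSTREAM: no docs build yet due to missing deps 10 | knot-resolver6: no-manual-page 11 | -------------------------------------------------------------------------------- /lib/cache/overflow.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd1 4 | binary: kresd 5 | additional: 6 | - -n 7 | templates: 8 | - lib/cache/overflow.test.integr/kresd_config.j2 9 | - tests/config/test_dns_generators.lua 10 | configs: 11 | - config 12 | - dns_gen.lua 13 | - name: kresd2 14 | binary: kresd 15 | additional: 16 | - -n 17 | templates: 18 | 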
- lib/cache/overflow.test.integr/kresd_config.j2 19 | - tests/config/test_dns_generators.lua 20 | configs: 21 | - config 22 | - dns_gen.lua 23 | -------------------------------------------------------------------------------- /lib/selection_iter.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include "lib/selection.h" 8 | 9 | void iter_local_state_alloc(struct knot_mm *mm, void **local_state); 10 | void iter_choose_transport(struct kr_query *qry, struct kr_transport **transport); 11 | void iter_error(struct kr_query *qry, const struct kr_transport *transport, 12 | enum kr_selection_error sel_error); 13 | void iter_update_rtt(struct kr_query *qry, const struct kr_transport *transport, 14 | unsigned rtt); 15 | -------------------------------------------------------------------------------- /modules/http/static/glyphicons-halflings-regular.spdx: -------------------------------------------------------------------------------- 1 | SPDXVersion: SPDX-2.1 2 | DataLicense: CC0-1.0 3 | SPDXID: SPDXRef-DOCUMENT 4 | DocumentName: bootstrap-glyphicons-halflings-regular 5 | DocumentNamespace: http://spdx.org/spdxdocs/spdx-v2.1-5fdae9d2-c79e-4242-8a82-0909ddd93ae3 6 | 7 | PackageName: bootstrap-glyphicons-halflings-regular 8 | PackageVersion: 3.3.6 9 | PackageDownloadLocation: git+https://github.com/twbs/bootstrap.git@81df608a40bf0629a1dc08e584849bb1e43e0b7a#dist/fonts/glyphicons-halflings-regular.woff2 10 | PackageOriginator: Organization: Twitter 11 | PackageLicenseDeclared: MIT 12 | -------------------------------------------------------------------------------- /etc/config/config.test-forward.yaml: -------------------------------------------------------------------------------- 1 | forward: 2 | - subtree: '.' 
3 | options: 4 | dnssec: true 5 | authoritative: false 6 | servers: 7 | - address: [2001:148f:fffe::1, 185.43.135.1] 8 | transport: tls 9 | hostname: odvr.nic.cz 10 | - address: [ 192.0.2.1, 192.0.2.2 ] 11 | transport: tls 12 | pin-sha256: 13 | - d6qzRu9zOECb90Uez27xWltNsj0e1Md7GkYYkVoZWmM= 14 | - E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g= 15 | - subtree: 1.168.192.in-addr.arpa 16 | options: 17 | dnssec: false 18 | servers: [ 192.0.2.1@5335 ] 19 | -------------------------------------------------------------------------------- /lib/cookies/alg_sha.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | #include 9 | 10 | #include "lib/defines.h" 11 | 12 | /* These structures are not meant to be part of public interface. */ 13 | 14 | /** HMAC-SHA256-64 client cookie algorithm. */ 15 | extern const struct knot_cc_alg knot_cc_alg_hmac_sha256_64; 16 | 17 | /** HMAC-SHA256-64 server cookie algorithm. 
*/ 18 | extern const struct knot_sc_alg knot_sc_alg_hmac_sha256_64; 19 | -------------------------------------------------------------------------------- /python/knot_resolver/meson.build: -------------------------------------------------------------------------------- 1 | # python 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | constants_config = configuration_data() 5 | constants_config.set('version', meson.project_version()) 6 | constants_config.set('user', user) 7 | constants_config.set('group', group) 8 | constants_config.set('run_dir', run_dir) 9 | constants_config.set('etc_dir', etc_dir) 10 | constants_config.set('sbin_dir', sbin_dir) 11 | constants_config.set('cache_dir', systemd_cache_dir) 12 | 13 | configure_file( 14 | input: 'constants.py.in', 15 | output: 'constants.py', 16 | configuration: constants_config, 17 | ) 18 | -------------------------------------------------------------------------------- /python/knot_resolver/utils/custom_atexit.py: -------------------------------------------------------------------------------- 1 | """ 2 | Custom replacement for standard module `atexit`. We use `atexit` behind the scenes, we just add the option 3 | to invoke the exit functions manually. 
4 | """ 5 | 6 | import atexit 7 | from typing import Callable, List 8 | 9 | _at_exit_functions: List[Callable[[], None]] = [] 10 | 11 | 12 | def register(func: Callable[[], None]) -> None: 13 | _at_exit_functions.append(func) 14 | atexit.register(func) 15 | 16 | 17 | def run_callbacks() -> None: 18 | for func in _at_exit_functions: 19 | func() 20 | atexit.unregister(func) 21 | -------------------------------------------------------------------------------- /distro/pkg/deb/knot-resolver6.postinst: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | set -e 4 | 5 | if [ "$1" = "configure" ]; then 6 | adduser --quiet --system --group --no-create-home --home /var/cache/knot-resolver knot-resolver 7 | fi 8 | 9 | if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then 10 | systemctl daemon-reload || true 11 | systemd-tmpfiles --create /usr/lib/tmpfiles.d/knot-resolver.conf || true 12 | deb-systemd-invoke try-restart knot-resolver.service || true 13 | fi 14 | 15 | #DEBHELPER# 16 | -------------------------------------------------------------------------------- /lib/cookies/nonce.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 
2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #include 6 | #include "lib/cookies/nonce.h" 7 | 8 | uint16_t kr_nonce_write_wire(uint8_t *buf, uint16_t buf_len, 9 | const struct kr_nonce_input *input) 10 | { 11 | if (!buf || buf_len < KR_NONCE_LEN || !input) { 12 | return 0; 13 | } 14 | 15 | knot_wire_write_u32(buf, input->rand); 16 | knot_wire_write_u32(buf + sizeof(uint32_t), input->time); 17 | buf_len = 2 * sizeof(uint32_t); 18 | 19 | return buf_len; 20 | } 21 | -------------------------------------------------------------------------------- /modules/prefetch/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-prefetch: 4 | 5 | Expiring records 6 | ---------------- 7 | 8 | The ``prefetch`` module helps to keep the cache hot by prefetching expiring records. 9 | 10 | This mechanism is activated when the module is loaded and it is not configurable. 11 | 12 | .. code-block:: lua 13 | 14 | modules.load('prefetch') 15 | 16 | 17 | Any time the resolver answers with records that are about to expire, they get refreshed. (see :c:func:`is_expiring`) 18 | That improves latency for records which get frequently queried, relatively to their TTL. 19 | -------------------------------------------------------------------------------- /doc/user/config-reordering.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | Answer reordering 4 | ================= 5 | 6 | Certain clients are "dumb" and always connect to first IP address or name found 7 | in a DNS answer received from resolver instead of picking randomly. 8 | As a workaround for such broken clients it is possible to randomize 9 | order of records in DNS answers sent by resolver: 10 | 11 | .. 
option:: options/reorder-rrset: true|false 12 | 13 | :default: true 14 | 15 | If set, resolver will vary the order of resource records within RR sets. 16 | It is enabled by default since 5.3.0. 17 | -------------------------------------------------------------------------------- /etc/config/config.example.personal.yaml: -------------------------------------------------------------------------------- 1 | # Refer to manual: https://www.knot-resolver.cz/documentation/latest/ 2 | 3 | network: 4 | listen: 5 | # unencrypted DNS on port 53 6 | - interface: &interfaces 7 | - 127.0.0.1 8 | - "::1" 9 | # DNS over TLS on port 853 10 | - interface: *interfaces 11 | kind: dot 12 | # DNS over HTTPS on port 443 13 | # - interface: *interfaces 14 | # kind: doh2 15 | 16 | cache: 17 | size-max: 100M 18 | # prefetch expiring/frequent records 19 | prefetch: 20 | expiring: true 21 | prediction: 22 | period: 24 23 | window: 15m 24 | -------------------------------------------------------------------------------- /tests/manager/utils/modeling/test_query.py: -------------------------------------------------------------------------------- 1 | from pytest import raises 2 | 3 | from knot_resolver.utils.modeling.query import query 4 | 5 | 6 | def test_example_from_spec(): 7 | # source of the example: https://jsonpatch.com/ 8 | original = {"baz": "qux", "foo": "bar"} 9 | patch = [ 10 | {"op": "replace", "path": "/baz", "value": "boo"}, 11 | {"op": "add", "path": "/hello", "value": ["world"]}, 12 | {"op": "remove", "path": "/foo"}, 13 | ] 14 | expected = {"baz": "boo", "hello": ["world"]} 15 | 16 | result, _ = query(original, "patch", "", patch) 17 | 18 | assert result == expected 19 | -------------------------------------------------------------------------------- /doc/dev/config-lua-dnssec.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. 
_dnssec-config: 4 | 5 | ************************* 6 | DNSSEC, data verification 7 | ************************* 8 | 9 | Good news! Knot Resolver uses a secure configuration by default, and this configuration 10 | should not be changed unless absolutely necessary, so feel free to skip over this section. 11 | 12 | .. include:: ../../daemon/lua/trust_anchors.rst 13 | 14 | DNSSEC is the main technology to protect data, but it is also possible to change how strictly 15 | the resolver checks data from insecure DNS zones: 16 | 17 | .. include:: ../../lib/layer/mode.rst 18 | -------------------------------------------------------------------------------- /modules/rfc7706.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | Root on loopback (RFC 7706) 4 | --------------------------- 5 | Knot Resolver developers think that a literal implementation of :rfc:`7706` 6 | ("Decreasing Access Time to Root Servers by Running One on Loopback") 7 | is a bad idea so it is not implemented in the form envisioned by the RFC. 8 | 9 | You can get a very similar effect without its downsides by combining 10 | :ref:`mod-prefill` and :ref:`mod-serve_stale` modules with Aggressive Use 11 | of DNSSEC-Validated Cache (:rfc:`8198`) behavior which is enabled 12 | automatically together with DNSSEC validation. 
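13 | -------------------------------------------------------------------------------- /python/knot_resolver/manager/files/reload.py: --------------------------------------------------------------------------------
import logging

from knot_resolver.controller.registered_workers import command_registered_workers
from knot_resolver.datamodel import KresConfig

logger = logging.getLogger(__name__)


def _lua_single_quoted(value: object) -> str:
    """Render *value* as a single-quoted Lua string literal."""
    text = str(value)
    # Backslash goes first so the escapes added afterwards are not escaped again.
    for raw, escaped in (("\\", "\\\\"), ("'", "\\'"), ("\n", "\\n"), ("\r", "\\r")):
        text = text.replace(raw, escaped)
    return f"'{text}'"


async def files_reload(config: KresConfig, force: bool = False) -> None:
    """
    Tell every registered worker to reload the TLS certificate and key.

    Nothing is sent unless both ``network.tls.cert_file`` and
    ``network.tls.key_file`` are set in *config*. The *force* argument is
    accepted but not used by this function.
    """
    cert_file = config.network.tls.cert_file
    key_file = config.network.tls.key_file

    if cert_file and key_file:
        logger.info("TLS cert files reload triggered")

        # The paths are spliced into Lua source that the workers execute, so they
        # are escaped: a quote or backslash in a configured file name must stay
        # inside the string literal instead of changing the command.
        cmd = f"net.tls({_lua_single_quoted(cert_file)}, {_lua_single_quoted(key_file)})"
        await command_registered_workers(cmd)
-------------------------------------------------------------------------------- /ci/deckard_commit_check.sh: -------------------------------------------------------------------------------- 1 | DECKARD_COMMIT=$(git ls-tree HEAD:tests/integration/ | grep commit | grep deckard | cut -f1 | cut -f3 '-d ') 2 | DECKARD_PATH="tests/integration/deckard" 3 | pushd $DECKARD_PATH > /dev/null 4 | if git merge-base --is-ancestor $DECKARD_COMMIT origin/master; then 5 | echo "Deckard submodule commit is on in its master branch. All good in the hood." 6 | exit 0 7 | else 8 | echo "Deckard submodule commit $DECKARD_COMMIT is not in Deckard's master branch." 9 | echo "This WILL cause CI breakages so make sure your changes in Deckard are merged" 10 | echo "or point the submodule to another commit." 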
11 | exit 1 12 | fi 13 | 14 | -------------------------------------------------------------------------------- /daemon/proxyv2.test/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | # 3 | programs: 4 | - name: dnsdist 5 | binary: dnsdist 6 | additional: 7 | - --verbose 8 | - --supervised 9 | - --config 10 | - dnsdist.conf 11 | ignore_exit_code: True 12 | templates: 13 | - daemon/proxyv2.test/dnsdist_config.j2 14 | configs: 15 | - dnsdist.conf 16 | - name: kresd 17 | binary: kresd 18 | additional: 19 | - --noninteractive 20 | templates: 21 | - daemon/proxyv2.test/kresd_config.j2 22 | - tests/integration/hints_zone.j2 23 | configs: 24 | - config 25 | - hints 26 | -------------------------------------------------------------------------------- /doc/user/config-rfc7706.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | Root on loopback (RFC 7706) 4 | --------------------------- 5 | Knot Resolver developers think that a literal implementation of :rfc:`7706` 6 | ("Decreasing Access Time to Root Servers by Running One on Loopback") 7 | is a bad idea so it is not implemented in the form envisioned by the RFC. 8 | 9 | You can get a very similar effect without its downsides by combining 10 | :ref:`config-cache-prefill` and :ref:`config-serve-stale` modules with Aggressive Use 11 | of DNSSEC-Validated Cache (:rfc:`8198`) behavior which is enabled 12 | automatically together with DNSSEC validation. 13 | -------------------------------------------------------------------------------- /utils/cache_gc/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _garbage-collector: 4 | 5 | Garbage Collector 6 | ----------------- 7 | 8 | .. 
note:: When using systemd, ``kres-cache-gc.service`` is enabled by default 9 | and does not need any manual configuration. 10 | 11 | Knot Resolver employs a separate garbage collector daemon which periodically 12 | trims the cache to keep its size below size limit configured using 13 | :envvar:`cache.size`. 14 | 15 | To execute the daemon manually, you can use the following command to run it 16 | every second: 17 | 18 | .. code-block:: bash 19 | 20 | $ kres-cache-gc -c /var/cache/knot-resolver -d 1000 21 | -------------------------------------------------------------------------------- /modules/ta_update/ta_update.test.integr/rfc5011/knot.root.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Minimal configuration file for Knot DNS server used by dns2rpl.py. 3 | # 4 | 5 | server: 6 | # Listen on all configured IPv4 interfaces. 7 | listen: 0.0.0.0@5335 8 | # Listen on all configured IPv6 interfaces. 9 | listen: ::@5335 10 | # User for running the server. 11 | # user: knot:knot 12 | # Log info and more serious events to syslog. 13 | log: 14 | - target: stderr 15 | any: debug 16 | 17 | template: 18 | # - id: default 19 | # storage: "/usr/local/var/lib/knot" 20 | 21 | zone: 22 | # Master zone. 23 | - domain: . 24 | storage: "." 25 | file: "root.db" 26 | 27 | -------------------------------------------------------------------------------- /python/knot_resolver/controller/exceptions.py: -------------------------------------------------------------------------------- 1 | from typing import List 2 | 3 | from knot_resolver import KresBaseException 4 | 5 | 6 | class SubprocessControllerError(KresBaseException): 7 | pass 8 | 9 | 10 | class SubprocessControllerExecError(Exception): 11 | """ 12 | Exception that is used to deliberately terminate system startup 13 | and make exec() of something else. This is used by the subprocess controller 14 | as supervisord to run as the top-level process in a process tree hierarchy. 
15 | """ 16 | 17 | def __init__(self, exec_args: List[str], *args: object) -> None: 18 | self.exec_args = exec_args 19 | super().__init__(*args) 20 | -------------------------------------------------------------------------------- /systemd/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | Notes for packagers 4 | ------------------- 5 | * The supported 6.x style only has a single systemd unit: knot-resolver.service. 6 | The others are legacy from older versions. 7 | 8 | * kresd.target should be enabled by default by linking it to systemd lib/ 9 | directory. Instances of kresd@.service are then added manually to 10 | kresd.target when the user enables them. 11 | * Distributions using systemd-sysv-generator should mask kresd.service to 12 | be consistent with other distributions. Any use of kresd.service instead of 13 | kresd@N.service is discouraged to avoid confusing the users. 14 | -------------------------------------------------------------------------------- /lib/selection_forward.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 
2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include "lib/selection.h" 8 | #include "lib/resolve.h" 9 | 10 | void forward_local_state_alloc(struct knot_mm *mm, void **local_state, 11 | struct kr_request *req); 12 | void forward_choose_transport(struct kr_query *qry, 13 | struct kr_transport **transport); 14 | void forward_error(struct kr_query *qry, const struct kr_transport *transport, 15 | enum kr_selection_error sel_error); 16 | void forward_update_rtt(struct kr_query *qry, 17 | const struct kr_transport *transport, unsigned rtt); 18 | -------------------------------------------------------------------------------- /scripts/meson/make-doc.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | set -o errexit -o nounset 4 | cd "$(dirname "${0}")/../.." 5 | 6 | # convert JSON schema to html 7 | generate-schema-doc --config expand_buttons=true doc/_static/config.schema.json doc/_static/schema_doc.html 8 | 9 | # generating the user documentation 10 | SPHINX=$(type -P sphinx-build-3 sphinx-build | head -n1) 11 | rm -rf doc/html 12 | "$SPHINX" "$@" -b html -d doc/user/.doctrees doc/user doc/html 13 | 14 | pushd doc/dev 15 | doxygen 16 | popd 17 | 18 | # generating the developer documentation 19 | rm -rf doc/html/dev 20 | "$SPHINX" "$@" -b html -d doc/dev/.doctrees doc/dev doc/html/dev 21 | -------------------------------------------------------------------------------- /modules/daf/test.integr/module_daf.rpl: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: GPL-3.0-or-later 2 | ; config options 3 | ; target-fetch-policy: "0 0 0 0 0" 4 | ; module-config: "iterator" 5 | ; name: "." 6 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 
7 | CONFIG_END 8 | 9 | SCENARIO_BEGIN Test DNS Application Firewall 10 | 11 | STEP 11 QUERY 12 | ENTRY_BEGIN 13 | REPLY RD 14 | SECTION QUESTION 15 | hints.net. IN A 16 | ENTRY_END 17 | 18 | ; test rewrite rule applies to hints 19 | STEP 12 CHECK_ANSWER 20 | ENTRY_BEGIN 21 | MATCH all 22 | REPLY QR RD RA NOERROR 23 | SECTION QUESTION 24 | hints.net. IN A 25 | SECTION ANSWER 26 | hints.net. IN A 192.0.2.101 27 | ENTRY_END 28 | 29 | 30 | SCENARIO_END 31 | -------------------------------------------------------------------------------- /scripts/poe-tasks/fix-format: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | dirs="python/knot_resolver/ tests/manager scripts/poe-tasks/utils/create_setup.py" 8 | 9 | # sort python import 10 | echo -e "${yellow}Sorting Python imports using ruff...${reset}" 11 | ruff check --select I --fix $dirs 12 | check_rv $? 13 | echo 14 | 15 | # format python code 16 | echo -e "${yellow}Formatting Python code using ruff...${reset}" 17 | ruff format $dirs 18 | check_rv $? 19 | echo 20 | 21 | # fancy messages at the end :) 22 | fancy_message 23 | 24 | # exit with the aggregate return value 25 | exit $aggregated_rv 26 | -------------------------------------------------------------------------------- /tests/pytests/certs/tt-certgen-expired.sh: -------------------------------------------------------------------------------- 1 | # !/bin/bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | if [ ! -d ./demoCA ]; then 5 | mkdir ./demoCA 6 | fi 7 | if [ ! -d ./demoCA/newcerts ]; then 8 | mkdir ./demoCA/newcerts 9 | fi 10 | touch ./demoCA/index.txt 11 | touch ./demoCA/index.txt.attr 12 | if [ ! 
-f ./demoCA/serial ]; then 13 | echo 01 > ./demoCA/serial 14 | fi 15 | 16 | openssl genrsa -out tt-expired.key.pem 2048 17 | openssl req -config tt.conf -new -key tt-expired.key.pem -out tt-expired.csr.pem 18 | openssl ca -config tt.conf -selfsign -keyfile tt-expired.key.pem -out tt-expired.cert.pem -in tt-expired.csr.pem -startdate 19700101000000Z -enddate 19700101000000Z 19 | 20 | -------------------------------------------------------------------------------- /contrib/meson.build: -------------------------------------------------------------------------------- 1 | # contrib 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | contrib_src = files([ 5 | 'ccan/asprintf/asprintf.c', 6 | 'ccan/json/json.c', 7 | 'ucw/mempool.c', 8 | 'ucw/mempool-fmt.c', 9 | 'mempattern.c', 10 | 'murmurhash3/murmurhash3.c', 11 | 'base32hex.c', 12 | 'base64.c', 13 | 'base64url.c', 14 | 'openbsd/siphash.c', 15 | ]) 16 | 17 | contrib_inc = include_directories('.', '..') 18 | 19 | contrib_lib = static_library( 20 | 'contrib', 21 | contrib_src, 22 | include_directories: contrib_inc, 23 | dependencies: libknot, 24 | ) 25 | 26 | contrib_dep = declare_dependency( 27 | include_directories: contrib_inc, 28 | link_with: contrib_lib, 29 | ) 30 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/ok2.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 1 6 | 8 7 | 2 8 | 1111111111111111111111111111111111111111111111111111111111111111 9 | 10 | 11 | 2 12 | 8 13 | 2 14 | 2222222222222222222222222222222222222222222222222222222222222222 15 | 16 | 17 | -------------------------------------------------------------------------------- /daemon/udp_queue.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 
2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include 8 | struct kr_request; 9 | struct qr_task; 10 | 11 | typedef void (*udp_queue_cb)(int status, void *baton); 12 | 13 | /** Initialize the global state for udp_queue. */ 14 | int udp_queue_init_global(uv_loop_t *loop); 15 | 16 | /** Send req->answer via UDP, possibly not immediately. */ 17 | void udp_queue_push(int fd, const struct sockaddr *sa, char *buf, size_t buf_len, 18 | udp_queue_cb cb, void *baton); 19 | 20 | /** Send all queued packets immediatelly. */ 21 | void udp_queue_send_all(void); 22 | -------------------------------------------------------------------------------- /modules/ta_update/meson.build: -------------------------------------------------------------------------------- 1 | # LUA module: ta_update 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | config_tests += [ 5 | ['ta_update', files('ta_update.test.lua'), ['snowflake']], 6 | ] 7 | 8 | integr_tests += [ 9 | # NOTE: ta_update may pass in cases when it should fail due to race conditions 10 | # To ensure reliability, deckard should introduce a time wait 11 | ['ta_update', meson.current_source_dir() / 'ta_update.test.integr'], 12 | ['ta_update.unmanagedkey', meson.current_source_dir() / 'ta_update.unmanagedkey.test.integr'], 13 | ] 14 | 15 | lua_mod_src += [ 16 | files('ta_update.lua'), 17 | ] 18 | 19 | install_data( 20 | install_dir: modules_dir / 'ta_update', 21 | ) 22 | -------------------------------------------------------------------------------- /python/knot_resolver/utils/which.py: -------------------------------------------------------------------------------- 1 | import functools 2 | import os 3 | from pathlib import Path 4 | 5 | 6 | @functools.lru_cache(maxsize=16) 7 | def which(binary_name: str) -> Path: 8 | """ 9 | Given a name of an executable, search $PATH and return 10 | the absolute path of that executable. The results of this function 11 | are LRU cached. 
12 | 13 | If not found, throws an RuntimeError. 14 | """ 15 | 16 | possible_directories = os.get_exec_path() 17 | for dr in possible_directories: 18 | p = Path(dr, binary_name) 19 | if p.exists(): 20 | return p.absolute() 21 | 22 | raise RuntimeError(f"Executable {binary_name} was not found in $PATH") 23 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/x509/gen.sh: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | # CA 4 | certtool --generate-privkey > ca-key.pem 5 | certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca.pem 6 | 7 | # server cert signed by CA above 8 | certtool --generate-privkey > server-key.pem 9 | certtool --generate-certificate --load-privkey server-key.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem --template server.tmpl --outfile server.pem 10 | 11 | # wrong CA - unrelated to others 12 | certtool --generate-privkey > wrongca-key.pem 13 | certtool --generate-self-signed --load-privkey wrongca-key.pem --template wrongca.tmpl --outfile wrongca.pem 14 | -------------------------------------------------------------------------------- /doc/user/deployment-systemd.rst: -------------------------------------------------------------------------------- 1 | ******* 2 | Systemd 3 | ******* 4 | 5 | In the default installation, Knot Resolver contains systemd integration and starting it on such a system usually involves only one command. 6 | 7 | .. code-block:: bash 8 | 9 | systemctl enable --now knot-resolver.service 10 | 11 | 12 | If you don't have a systemd service file for Knot Resolver already installed in your system, you can create one manually with the following content: 13 | 14 | 15 | .. literalinclude:: ../../systemd/knot-resolver.service.in 16 | :language: systemd 17 | 18 | .. note:: 19 | 20 | Replace words surrounded by ``@`` with real values (i.e. 
``@user@`` to a user you want Knot Resolver to run as). 21 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/dns64.lua.j2: -------------------------------------------------------------------------------- 1 | {% from 'macros/common_macros.lua.j2' import string_table %} 2 | 3 | {% if cfg.dns64.enable %} 4 | 5 | -- Enable DNS64 by loading module 6 | modules.load('dns64') 7 | 8 | -- Configure DNS64 module 9 | dns64.config({ 10 | prefix = '{{ cfg.dns64.prefix.to_std().network_address|string }}', 11 | {% if cfg.dns64.reverse_ttl %} 12 | rev_ttl = {{ cfg.dns64.reverse_ttl.seconds() }}, 13 | {% endif %} 14 | {% if cfg.dns64.exclude_subnets %} 15 | exclude_subnets = {{ string_table(cfg.dns64.exclude_subnets) }}, 16 | {% endif %} 17 | }) 18 | 19 | {% else %} 20 | 21 | -- Disable DNS64 by unloading module 22 | -- modules.unload('dns64') 23 | 24 | {% endif %} -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/ok1_notyet1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 1 6 | 8 7 | 2 8 | 1111111111111111111111111111111111111111111111111111111111111111 9 | 10 | 11 | 2 12 | 8 13 | 2 14 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 15 | 16 | 17 | -------------------------------------------------------------------------------- /daemon/zimport.test/tz-rfc-a1.zone: -------------------------------------------------------------------------------- 1 | $ORIGIN example. 2 | example. 
86400 IN SOA ns1 admin 2018031900 ( 3 | 1800 900 604800 86400 ) 4 | 86400 IN NS ns1 5 | 86400 IN NS ns2 6 | 86400 IN ZONEMD 2018031900 1 1 ( 7 | c68090d90a7aed71 8 | 6bc459f9340e3d7c 9 | 1370d4d24b7e2fc3 10 | a1ddc0b9a87153b9 11 | a9713b3c9ae5cc27 12 | 777f98b8e730044c ) 13 | ns1 3600 IN A 203.0.113.63 14 | ns2 3600 IN AAAA 2001:db8::63 15 | -------------------------------------------------------------------------------- /daemon/zimport.test/tz-rfc-a1-bad.zone: -------------------------------------------------------------------------------- 1 | $ORIGIN example. 2 | example. 86400 IN SOA ns1 admin 2018031900 ( 3 | 1800 900 604800 86400 ) 4 | 86400 IN NS ns1 5 | 86400 IN NS ns2 6 | 86400 IN ZONEMD 2018031900 1 1 ( 7 | BAAAAAAADa7aed71 8 | 6bc459f9340e3d7c 9 | 1370d4d24b7e2fc3 10 | a1ddc0b9a87153b9 11 | a9713b3c9ae5cc27 12 | 777f98b8e730044c ) 13 | ns1 3600 IN A 203.0.113.63 14 | ns2 3600 IN AAAA 2001:db8::63 15 | -------------------------------------------------------------------------------- /etc/config/config.example.docker.yaml: -------------------------------------------------------------------------------- 1 | workers: 2 2 | logging: 3 | level: info 4 | network: 5 | listen: 6 | - interface: lo@53 7 | - interface: lo@853 8 | kind: dot 9 | - interface: lo@443 10 | kind: doh2 11 | 12 | # By default, there is no need to expose the management API outside the container. 13 | # But if for some reason it is needed, use port 5000, which is intended for that. 14 | # You can access the API with 'kresctl' installed inside the container using 'docker exec'. 
15 | # For example: $ docker exec -it CONTAINER_ID kresctl reload 16 | # See more in documentation: https://www.knot-resolver.cz/documentation/latest/deployment-docker.html 17 | 18 | # management: 19 | # interface: 127.0.0.1@5000 20 | -------------------------------------------------------------------------------- /modules/serve_stale/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-serve_stale: 4 | 5 | Serve stale 6 | =========== 7 | 8 | Demo module that allows using timed-out records in case kresd is 9 | unable to contact upstream servers. 10 | 11 | By default it allows staleness of up to one day, 12 | after roughly four seconds of trying to contact the servers. 13 | It's quite configurable/flexible; see the beginning of the module source for details. 14 | See also the RFC draft_ (not fully followed) and :any:`cache.ns_tout`. 15 | 16 | Running 17 | ------- 18 | .. code-block:: lua 19 | 20 | modules = { 'serve_stale < cache' } 21 | 22 | .. 
_draft: https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-00 23 | 24 | -------------------------------------------------------------------------------- /doc/_static/css/user.css: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-3.0-or-later */ 2 | 3 | .wy-side-nav-search { 4 | background-color: #00a2e2; /* From logo manual */ 5 | } 6 | .wy-side-nav-search input[type=text] { 7 | border-color: #45bfff; 8 | } 9 | .wy-side-nav-search div.version { 10 | color: hsla(0,0%,100%,0.4); 11 | } 12 | .wy-nav-top { 13 | background-color: #00a2e2; 14 | } 15 | 16 | .wy-nav-content-wrap a { 17 | color: #00619c; 18 | } 19 | .wy-nav-content-wrap a:hover { 20 | color: #00a2e2; 21 | } 22 | .wy-nav-content-wrap a:visited { 23 | color: #00619c; 24 | } 25 | .wy-nav-content-wrap a:visited:hover { 26 | color: #00a2e2; 27 | } 28 | 29 | .wy-menu-vertical p.caption { 30 | color: #00a2e2; 31 | } 32 | -------------------------------------------------------------------------------- /doc/user/config-priming.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-priming: 4 | 5 | Priming 6 | ======= 7 | 8 | Initializing a DNS Resolver with Priming Queries implemented 9 | according to :rfc:`8109`. Purpose of this is to keep up-to-date list of 10 | root DNS servers and associated IP addresses. 11 | 12 | Result of successful priming query replaces root hints distributed with 13 | the resolver software. Unlike other DNS resolvers, Knot Resolver caches 14 | result of priming query on disk and keeps the data between restarts until 15 | TTL expires. 16 | 17 | Priming is enabled by default; you may disable it in configuration file. 18 | 19 | .. 
code-block:: yaml 20 | 21 | options: 22 | priming: false 23 | -------------------------------------------------------------------------------- /modules/priming/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-priming: 4 | 5 | Priming module 6 | ============== 7 | 8 | The module for Initializing a DNS Resolver with Priming Queries implemented 9 | according to :rfc:`8109`. Purpose of the module is to keep up-to-date list of 10 | root DNS servers and associated IP addresses. 11 | 12 | Result of successful priming query replaces root hints distributed with 13 | the resolver software. Unlike other DNS resolvers, Knot Resolver caches 14 | result of priming query on disk and keeps the data between restarts until 15 | TTL expires. 16 | 17 | This module is enabled by default; you may disable it by adding 18 | ``modules.unload('priming')`` to your configuration. 19 | -------------------------------------------------------------------------------- /tests/manager/utils/test_functional.py: -------------------------------------------------------------------------------- 1 | from knot_resolver.utils.functional import all_matches, contains_element_matching, foldl 2 | 3 | 4 | def test_foldl(): 5 | lst = list(range(10)) 6 | 7 | assert foldl(lambda x, y: x + y, 0, lst) == sum(range(10)) 8 | assert foldl(lambda x, y: x + y, 55, lst) == sum(range(10)) + 55 9 | 10 | 11 | def test_containsElementMatching(): 12 | lst = list(range(10)) 13 | 14 | assert contains_element_matching(lambda e: e == 5, lst) 15 | assert not contains_element_matching(lambda e: e == 11, lst) 16 | 17 | 18 | def test_matches_all(): 19 | lst = list(range(10)) 20 | 21 | assert all_matches(lambda x: x >= 0, lst) 22 | assert not all_matches(lambda x: x % 2 == 0, lst) 23 | -------------------------------------------------------------------------------- /daemon/lua/distro-preconfig.lua.in: 
-------------------------------------------------------------------------------- 1 | -- SPDX-License-Identifier: GPL-3.0-or-later 2 | log_target('syslog') -- assume running as OS service 3 | 4 | local ffi = require('ffi') 5 | local id = os.getenv('SYSTEMD_INSTANCE') 6 | if not id then 7 | log_warn(ffi.C.LOG_GRP_SYSTEM, 'environment variable $SYSTEMD_INSTANCE not set') 8 | else 9 | -- Bind to control socket in run_dir 10 | worker.control_path = '@run_dir@/control/' 11 | local path = worker.control_path..id 12 | local ok, err = pcall(net.listen, path, nil, { kind = 'control' }) 13 | if not ok then 14 | log_warn(ffi.C.LOG_GRP_NETWORK, 'bind to '..path..' failed '..err) 15 | end 16 | end 17 | 18 | -- Set cache location 19 | rawset(cache, 'current_storage', 'lmdb://@systemd_cache_dir@') 20 | -------------------------------------------------------------------------------- /doc/_static/css/dev.css: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: GPL-3.0-or-later */ 2 | 3 | .wy-side-nav-search { 4 | background-color: #b92929; /* RED FOR DEVELOPERS :-) */ 5 | } 6 | .wy-side-nav-search input[type=text] { 7 | border-color: #a42424; 8 | } 9 | .wy-side-nav-search div.version { 10 | color: hsla(0,0%,100%,0.4); 11 | } 12 | .wy-nav-top { 13 | background-color: #b92929; 14 | } 15 | 16 | .wy-nav-content-wrap a { 17 | color: #b92929; 18 | } 19 | .wy-nav-content-wrap a:hover { 20 | color: #d13030; 21 | } 22 | .wy-nav-content-wrap a:visited { 23 | color: #780001; 24 | } 25 | .wy-nav-content-wrap a:visited:hover { 26 | color: #d13030; 27 | } 28 | 29 | .wy-menu-vertical p.caption { 30 | color: #d95555; 31 | } 32 | -------------------------------------------------------------------------------- /modules/nsid/nsid.test.lua: -------------------------------------------------------------------------------- 1 | -- SPDX-License-Identifier: GPL-3.0-or-later 2 | -- disable networking so we can get SERVFAIL immediately 3 | net.ipv4 = 
false 4 | net.ipv6 = false 5 | 6 | -- test for nsid.name() interface 7 | local function test_nsid_name() 8 | if nsid then 9 | modules.unload('nsid') 10 | end 11 | modules.load('nsid') 12 | same(nsid.name(), nil, 'NSID modes not provide default NSID value') 13 | same(nsid.name('123456'), '123456', 'NSID value can be changed') 14 | same(nsid.name(), '123456', 'NSID module remembers configured NSID value') 15 | modules.unload('nsid') 16 | modules.load('nsid') 17 | same(nsid.name(), nil, 'NSID module reload removes configured value') 18 | end 19 | 20 | return { 21 | test_nsid_name, 22 | } 23 | -------------------------------------------------------------------------------- /doc/dev/config-answer-reordering.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | Answer reordering 4 | ================= 5 | Certain clients are "dumb" and always connect to first IP address or name found 6 | in a DNS answer received from resolver instead of picking randomly. 7 | As a workaround for such broken clients it is possible to randomize 8 | order of records in DNS answers sent by resolver: 9 | 10 | .. function:: reorder_RR([true | false]) 11 | 12 | :param boolean new_value: ``true`` to enable or ``false`` to disable randomization *(optional)* 13 | :return: The (new) value of the option 14 | 15 | If set, resolver will vary the order of resource records within RR sets. 16 | It is enabled by default since 5.3.0. 17 | 18 | -------------------------------------------------------------------------------- /modules/policy/noipvx.test.integr/broken-ipvx.rpl: -------------------------------------------------------------------------------- 1 | ; config options 2 | ; SPDX-License-Identifier: GPL-3.0-or-later 3 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 
4 | CONFIG_END 5 | 6 | SCENARIO_BEGIN Test that neither IPv6 nor IPv4 is used by kresd :-) 7 | 8 | RANGE_BEGIN 0 100 9 | ADDRESS ::1:2:3:4 10 | RANGE_END 11 | 12 | RANGE_BEGIN 0 100 13 | ADDRESS 1.2.3.4 14 | RANGE_END 15 | 16 | 17 | STEP 10 QUERY 18 | ENTRY_BEGIN 19 | REPLY RD AD 20 | SECTION QUESTION 21 | www.test.org A 22 | ENTRY_END 23 | 24 | STEP 20 CHECK_ANSWER 25 | ENTRY_BEGIN 26 | MATCH all answer 27 | REPLY QR RD RA SERVFAIL 28 | SECTION QUESTION 29 | www.test.org A 30 | SECTION ANSWER 31 | SECTION AUTHORITY 32 | SECTION ADDITIONAL 33 | ENTRY_END 34 | 35 | SCENARIO_END 36 | -------------------------------------------------------------------------------- /doc/user/config-nsid.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-nsid: 4 | 5 | Name Server Identifier (NSID) 6 | ============================= 7 | 8 | Knot Resolver provides server-side support for :rfc:`5001` 9 | which allows DNS clients to request resolver to send back its NSID 10 | along with the reply to a DNS request. 11 | This is useful for debugging larger resolver farms 12 | (e.g. when using multiple instances of Knot Resolver, anycast or load balancers). 13 | 14 | NSID value can be configured in the resolver's configuration file: 15 | 16 | .. code-block:: yaml 17 | 18 | nsid: kres1 19 | 20 | .. note:: 21 | 22 | When running with multiple workers, each worker adds its own identifier to the end of the NSID. 23 | -------------------------------------------------------------------------------- /contrib/cleanup.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | /** 5 | * Cleanup attributes. 
6 | * @cond internal 7 | */ 8 | #pragma once 9 | #include 10 | #include 11 | #include 12 | 13 | #define auto_free __attribute__((cleanup(_cleanup_free))) 14 | static inline void _cleanup_free(const void *p) { 15 | free(*(char **)p); 16 | } 17 | #define auto_close __attribute__((cleanup(_cleanup_close))) 18 | static inline void _cleanup_close(int *p) { 19 | if (*p != -1) close(*p); 20 | } 21 | #define auto_fclose __attribute__((cleanup(_cleanup_fclose))) 22 | static inline void _cleanup_fclose(FILE **p) { 23 | if (*p) fclose(*p); 24 | } 25 | /* @endcond */ 26 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/ok1_expired1.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 1 6 | 8 7 | 2 8 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 9 | 10 | 11 | 2 12 | 8 13 | 2 14 | 1111111111111111111111111111111111111111111111111111111111111111 15 | 16 | 17 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/err_attr_validfrom_missing.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 19036 6 | 8 7 | 2 8 | 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 9 | 10 | 11 | 20326 12 | 8 13 | 2 14 | E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 15 | 16 | 17 | -------------------------------------------------------------------------------- /doc/user/config-serve-stale.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-serve-stale: 4 | 5 | Serve stale 6 | =========== 7 | 8 | This allows using timed-out records in case the resolver is unable to contact upstream servers. 9 | 10 | By default it allows stale-ness by up to one day, 11 | after roughly four seconds trying to contact the servers. 
12 | It's quite configurable/flexible; see the beginning of the module source for details. 13 | See also the RFC draft_ (not fully followed) and :option:`cache/ns-timeout >`. 14 | 15 | Running 16 | ------- 17 | 18 | .. code-block:: yaml 19 | 20 | options: 21 | serve-stale: true 22 | 23 | .. _draft: https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-00 24 | -------------------------------------------------------------------------------- /lib/layer/iterate.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include "lib/layer.h" 8 | #include "lib/rplan.h" 9 | 10 | /* Packet classification. */ 11 | enum { 12 | PKT_NOERROR = 1 << 0, /* Positive response */ 13 | PKT_NODATA = 1 << 1, /* No data response */ 14 | PKT_NXDOMAIN = 1 << 2, /* Negative response */ 15 | PKT_REFUSED = 1 << 3, /* Refused response */ 16 | PKT_ERROR = 1 << 4 /* Bad message */ 17 | }; 18 | 19 | /** Classify response by type. */ 20 | KR_EXPORT 21 | int kr_response_classify(const knot_pkt_t *pkt); 22 | 23 | /** Make next iterative query. 
*/ 24 | KR_EXPORT 25 | int kr_make_query(struct kr_query *query, knot_pkt_t *pkt); 26 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/macros/view_macros.lua.j2: -------------------------------------------------------------------------------- 1 | {%- macro get_proto_set(protocols) -%} 2 | 0 3 | {%- for p in protocols or [] -%} 4 | + 2^C.KR_PROTO_{{ p.upper() }} 5 | {%- endfor -%} 6 | {%- endmacro -%} 7 | 8 | {% macro view_flags(options) -%} 9 | {% if not options.minimize -%} 10 | "NO_MINIMIZE", 11 | {%- endif %} 12 | {% if not options.dns64 -%} 13 | "DNS64_DISABLE", 14 | {%- endif %} 15 | {% if not options.fallback -%} 16 | "FALLBACK_DISABLE", 17 | {%- endif %} 18 | {%- endmacro %} 19 | 20 | {% macro view_answer(answer) -%} 21 | {%- if answer == 'allow' -%} 22 | policy.TAGS_ASSIGN({}) 23 | {%- elif answer == 'refused' -%} 24 | 'policy.REFUSE' 25 | {%- elif answer == 'noanswer' -%} 26 | 'policy.NO_ANSWER' 27 | {%- endif -%} 28 | {%- endmacro %} 29 | -------------------------------------------------------------------------------- /scripts/doh_b64encode_query.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import argparse 3 | import base64 4 | 5 | import dns 6 | import dns.message 7 | 8 | 9 | def main(): 10 | parser = argparse.ArgumentParser( 11 | description='Convert query name and type to base64 URL-encoded form') 12 | parser.add_argument('qname', type=str, help='query name') 13 | parser.add_argument('qtype', type=str, help='query type') 14 | args = parser.parse_args() 15 | 16 | msg = dns.message.make_query(args.qname, args.qtype, dns.rdataclass.IN) 17 | msg.id = 0 18 | wire = msg.to_wire() 19 | encoded = base64.urlsafe_b64encode(wire) 20 | printable = encoded.decode('utf-8') 21 | 22 | print(printable) 23 | 24 | 25 | if __name__ == '__main__': 26 | main() 27 | 
-------------------------------------------------------------------------------- /tests/packaging/interactive/reload.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | function count_errors(){ 6 | echo "$(journalctl -u knot-resolver.service | grep -c error)" 7 | } 8 | 9 | function count_apply(){ 10 | echo "$(journalctl -u knot-resolver.service | grep -c "Config applied successfully to all workers")" 11 | } 12 | 13 | err_count=$(count_errors) 14 | rel_count=$(count_apply) 15 | 16 | kresctl reload 17 | sleep 6 18 | if [ $(count_errors) -ne $err_count ] || [ $(count_apply) -ne $rel_count ]; then 19 | echo "Failed to reload." 20 | exit 1 21 | fi 22 | 23 | kresctl reload --force 24 | sleep 6 25 | if [ $(count_errors) -ne $err_count ] || [ $(count_apply) -eq $rel_count ]; then 26 | echo "Failed to force a reload." 27 | exit 1 28 | fi 29 | -------------------------------------------------------------------------------- /systemd/knot-resolver.service.in: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Knot Resolver Manager 3 | Documentation=man:knot-resolver.systemd(7) 4 | Wants=network-online.target 5 | After=network-online.target 6 | Before=nss-lookup.target 7 | Wants=nss-lookup.target 8 | 9 | [Service] 10 | Type=notify 11 | TimeoutStartSec=600s 12 | ExecStart=@bin_dir@/knot-resolver --config=@etc_dir@/config.yaml 13 | Environment=KRES_LOGGING_TARGET=syslog 14 | ExecReload=@bin_dir@/kresctl --config=@etc_dir@/config.yaml reload 15 | KillSignal=SIGINT 16 | WorkingDirectory=@systemd_work_dir@ 17 | User=@user@ 18 | Group=@group@ 19 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP 20 | AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP 21 | OOMPolicy=continue 22 | 23 | [Install] 24 | WantedBy=multi-user.target 25 | -------------------------------------------------------------------------------- 
/doc/user/config-edns-keepalive.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-edns-keepalive: 4 | 5 | EDNS keepalive 6 | ============== 7 | 8 | Implementation of :rfc:`7828` for *clients* 9 | connecting to Knot Resolver via TCP and TLS. 10 | It just allows clients to discover the connection timeout; 11 | client connections are always timed out the same way, *regardless* 12 | of whether clients send the EDNS option. 13 | 14 | When connecting to servers, Knot Resolver does not send this EDNS option. 15 | It still attempts to reuse established connections intelligently. 16 | 17 | It is enabled by default. For debugging purposes it can be 18 | disabled in the configuration file. 19 | 20 | .. code-block:: yaml 21 | 22 | options: 23 | edns-tcp-keepalive: false 24 | -------------------------------------------------------------------------------- /scripts/ci/build-in-obs.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | # 4 | # Push packaging files to OBS 5 | # 6 | # Example usage: 7 | # 1. ./scripts/ci/make-obs.sh 8 | # 2. ./scripts/ci/build-in-obs.sh knot-resolver-latest 9 | set -o errexit -o nounset -o xtrace 10 | 11 | pkgdir='pkg/obs' 12 | 13 | project=home:CZ-NIC:$1 14 | package=knot-resolver 15 | 16 | if ! [[ "$1" == *-devel || "$1" == *-testing ]]; then 17 | read -p "Pushing to '$project', are you sure? 
[y/N]: " yn 18 | case $yn in 19 | [Yy]* ) 20 | ;; 21 | * ) 22 | exit 1 23 | esac 24 | fi 25 | 26 | osc co "${project}" "${package}" 27 | pushd "${project}/${package}" 28 | osc del * ||: 29 | cp -r ../../${pkgdir}/* ./ 30 | osc addremove 31 | osc ci -n 32 | popd 33 | -------------------------------------------------------------------------------- /etc/meson.build: -------------------------------------------------------------------------------- 1 | # etc 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | etc_files = [] 5 | 6 | if install_root_hints 7 | etc_files += 'root.hints' 8 | endif 9 | 10 | if managed_ta 11 | etc_files += 'icann-ca.pem' 12 | endif 13 | 14 | if install_root_keys 15 | root_keys_path = keyfile_default.split('/') 16 | root_keys_filename = root_keys_path[-1] 17 | root_keys_dir = [] 18 | foreach el : root_keys_path 19 | if el != root_keys_filename 20 | root_keys_dir += el 21 | endif 22 | endforeach 23 | install_data( 24 | sources: 'root.keys', 25 | rename: root_keys_filename, 26 | install_dir: '/'.join(root_keys_dir) 27 | ) 28 | endif 29 | 30 | subdir('config') 31 | 32 | install_data( 33 | sources: etc_files, 34 | install_dir: etc_dir 35 | ) 36 | -------------------------------------------------------------------------------- /modules/prefetch/prefetch.lua: -------------------------------------------------------------------------------- 1 | -- SPDX-License-Identifier: GPL-3.0-or-later 2 | -- Speculative prefetching for repetitive and soon-expiring records to reduce latency. 3 | -- @module prefetch 4 | local prefetch = {} 5 | 6 | 7 | prefetch.layer = { 8 | -- Prefetch all expiring (sub-)queries immediately after the request finishes. 9 | -- Doing that immediately is simplest and avoids creating (new) large bursts of activity. 
10 | finish = function (_, req) 11 | local qrys = req.rplan.resolved 12 | for i = 0, (tonumber(qrys.len) - 1) do -- size_t doesn't work for some reason 13 | local qry = qrys.at[i] 14 | if qry.flags.EXPIRING == true then 15 | resolve(kres.dname2str(qry.sname), qry.stype, qry.sclass, {'NO_CACHE'}) 16 | end 17 | end 18 | end 19 | } 20 | 21 | return prefetch 22 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/management_schema.py: -------------------------------------------------------------------------------- 1 | from typing import Optional 2 | 3 | from knot_resolver.datamodel.types import IPAddressPort, WritableFilePath 4 | from knot_resolver.utils.modeling import ConfigSchema 5 | 6 | 7 | class ManagementSchema(ConfigSchema): 8 | """ 9 | Configuration of management HTTP API. 10 | 11 | --- 12 | unix_socket: Path to unix domain socket to listen to. 13 | interface: IP address and port number to listen to. 14 | """ 15 | 16 | unix_socket: Optional[WritableFilePath] = None 17 | interface: Optional[IPAddressPort] = None 18 | 19 | def _validate(self) -> None: 20 | if bool(self.unix_socket) == bool(self.interface): 21 | raise ValueError("One of 'interface' or 'unix-socket' must be configured.") 22 | -------------------------------------------------------------------------------- /scripts/README.md: -------------------------------------------------------------------------------- 1 | # Knot Resolver scripts 2 | 3 | These are auxiliary scripts used for Knot Resolver development. 4 | 5 | The scripts in the root of this directory are meant to be executed directly by 6 | developers. Some may also be run by automated tools. 7 | 8 | There are also the following subdirectories.
The scripts in these are *only 9 | ever* meant to be run by automated tools: 10 | 11 | - `ci`: specific to the CI/CD pipeline 12 | - `lib`: (potentially) generally useful scripts to be called by other scripts 13 | - `meson`: specific to the build system 14 | - `poe-tasks`: run by the `poe` script in the repository root 15 | - `utils`: scripts additionally called by the `poe` tasks 16 | 17 | For more information about each script, see its content for explanatory 18 | comments. 19 | -------------------------------------------------------------------------------- /scripts/update-root-hints.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | set -o nounset -o xtrace 4 | 5 | TEMP_FILE=/tmp/root.hints 6 | HINTS_FILE=etc/root.hints 7 | 8 | # download latest root hints 9 | wget -O ${TEMP_FILE} https://www.internic.net/domain/named.root 10 | 11 | # strip comments for diff 12 | sed '/^;/d' ${TEMP_FILE} > ${TEMP_FILE}.clean 13 | sed '/^;/d' ${HINTS_FILE} > ${HINTS_FILE}.clean 14 | 15 | # check for changes 16 | diff ${TEMP_FILE}.clean ${HINTS_FILE}.clean >/dev/null 17 | CHANGED=$? 18 | 19 | if [ $CHANGED -ne 0 ]; then 20 | # update root.hints 21 | mv ${TEMP_FILE} ${HINTS_FILE} 22 | fi 23 | 24 | # cleanup 25 | rm -f ${TEMP_FILE} ${TEMP_FILE}.clean ${HINTS_FILE}.clean 26 | 27 | # signal change with exit code 28 | exit $CHANGED 29 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/ok0_badtimes.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 
4 | 5 | 1 6 | 8 7 | 2 8 | EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE 9 | 10 | 11 | 2 12 | 8 13 | 2 14 | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 15 | 16 | 17 | -------------------------------------------------------------------------------- /tests/pytests/test_edns.py: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | """EDNS tests""" 3 | 4 | import dns 5 | import pytest 6 | 7 | import utils 8 | 9 | 10 | @pytest.mark.parametrize('dname, code, text', [ 11 | ('deny.test.', dns.edns.EDECode.BLOCKED, 'CR36'), 12 | ('refuse.test.', dns.edns.EDECode.PROHIBITED, 'EIM4'), 13 | ('forge.test.', dns.edns.EDECode.FORGED_ANSWER, '5DO5'), 14 | ]) 15 | def test_edns_ede(kresd_sock, dname, code, text): 16 | """Check that kresd responds with EDNS EDE codes in selected cases.""" 17 | buff, msgid = utils.get_msgbuff(dname) 18 | kresd_sock.sendall(buff) 19 | answer = utils.receive_parse_answer(kresd_sock) 20 | assert answer.id == msgid 21 | assert answer.options[0].code == code 22 | assert answer.options[0].text == text 23 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/err_attr_validfrom_invalid.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 19036 6 | 8 7 | 2 8 | 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 9 | 10 | 11 | 20326 12 | 8 13 | 2 14 | E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 15 | 16 | 17 | -------------------------------------------------------------------------------- /modules/edns_keepalive/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. 
_mod-edns_keepalive: 4 | 5 | EDNS keepalive 6 | ============== 7 | 8 | The ``edns_keepalive`` module implements :rfc:`7828` for *clients* 9 | connecting to Knot Resolver via TCP and TLS. 10 | The module just allows clients to discover the connection timeout, 11 | client connections are always timed-out the same way *regardless* 12 | of clients sending the EDNS option. 13 | 14 | When connecting to servers, Knot Resolver does not send this EDNS option. 15 | It still attempts to reuse established connections intelligently. 16 | 17 | This module is loaded by default. For debugging purposes it can be 18 | unloaded using standard means: 19 | 20 | .. code-block:: lua 21 | 22 | modules.unload('edns_keepalive') 23 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/err_attr_extra_attr.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 19036 6 | 8 7 | 2 8 | 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 9 | 10 | 11 | 20326 12 | 8 13 | 2 14 | E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 15 | 16 | 17 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/err_elem_missing.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 
4 | 5 | 19036 6 | 8 7 | 2 8 | 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 9 | 10 | 11 | 20326 12 | 8 13 | 14 | E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 15 | 16 | 17 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/dns64_schema.py: -------------------------------------------------------------------------------- 1 | from typing import List, Optional 2 | 3 | from knot_resolver.datamodel.types import IPv6Network, IPv6Network96, TimeUnit 4 | from knot_resolver.utils.modeling import ConfigSchema 5 | 6 | 7 | class Dns64Schema(ConfigSchema): 8 | """ 9 | DNS64 (RFC 6147) configuration. 10 | 11 | --- 12 | enable: Enable/disable DNS64. 13 | prefix: IPv6 prefix to be used for synthesizing AAAA records. 14 | reverse_ttl: TTL in CNAME generated in the reverse 'ip6.arpa.' subtree. 15 | exclude_subnets: IPv6 subnets that are disallowed in answer. 16 | """ 17 | 18 | enable: bool = False 19 | prefix: IPv6Network96 = IPv6Network96("64:ff9b::/96") 20 | reverse_ttl: Optional[TimeUnit] = None 21 | exclude_subnets: Optional[List[IPv6Network]] = None 22 | -------------------------------------------------------------------------------- /doc/dev/architecture-gc.rst: -------------------------------------------------------------------------------- 1 | ******** 2 | cache-gc 3 | ******** 4 | 5 | The garbage collector is a simple component that keeps the shared cache from filling up. 6 | Every second it estimates the cache usage and if it is over 80%, it deletes records to free up 10%. 7 | These parameters are configurable. 8 | 9 | The freeing happens in a few passes. First all items are classified by their estimated usefulness, in a simple way based on remaining TTL, type, etc. 10 | From this histogram, it's calculated which "level of usefulness" will become the threshold, so that roughly the planned total size will be freed. 
11 | Then all items are passed to collect the set of keys to be deleted, and finally the deletion is performed. 12 | Since longer transactions can cause problems in the LMDB cache, all passes are split into short batches. 13 | -------------------------------------------------------------------------------- /utils/shell-completion/client.bash: -------------------------------------------------------------------------------- 1 | #/usr/bin/env bash 2 | 3 | _kresctl_completion() 4 | { 5 | COMPREPLY=() 6 | local args="" 7 | local words="" 8 | local cur="${COMP_WORDS[COMP_CWORD]}" 9 | local opts=$(kresctl completion --bash --args "${COMP_WORDS[@]:1}") 10 | 11 | # filter special opts 12 | for opt in $opts 13 | do 14 | if [[ "$opt" == "#dirnames#" ]]; then 15 | args="$args${args:+ }-d" 16 | elif [[ "$opt" == "#filenames#" ]]; then 17 | args="$args${args:+ }-f" 18 | elif [[ "$opt" == "#nospace#" ]]; then 19 | compopt -o nospace 20 | else 21 | words="$words${words:+ }$opt" 22 | fi 23 | done 24 | 25 | COMPREPLY=($(compgen $args -W "${words}" -- "${cur}")) 26 | return 0 27 | } 28 | 29 | complete -o nosort -F _kresctl_completion kresctl 30 | -------------------------------------------------------------------------------- /etc/config/config.personal: -------------------------------------------------------------------------------- 1 | -- SPDX-License-Identifier: CC0-1.0 2 | -- vim:syntax=lua:set ts=4 sw=4: 3 | -- Refer to manual: https://www.knot-resolver.cz/documentation/latest/ 4 | 5 | -- Network interface configuration 6 | net.listen('127.0.0.1', 53, { kind = 'dns' }) 7 | net.listen('127.0.0.1', 853, { kind = 'tls' }) 8 | --net.listen('127.0.0.1', 443, { kind = 'doh2' }) 9 | net.listen('::1', 53, { kind = 'dns', freebind = true }) 10 | net.listen('::1', 853, { kind = 'tls', freebind = true }) 11 | --net.listen('::1', 443, { kind = 'doh2' }) 12 | 13 | -- Load useful modules 14 | modules = { 15 | 'hints > iterate', -- Allow loading /etc/hosts or custom root hints 16 | 'stats', -- 
Track internal statistics 17 | 'predict', -- Prefetch expiring/frequent records 18 | } 19 | 20 | -- Cache size 21 | cache.size = 100 * MB 22 | -------------------------------------------------------------------------------- /doc/user/config-fallback.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-fallback: 4 | 5 | Fallback on resolution failure 6 | ============================== 7 | 8 | This allows switching to a fallback forwarding configuration on queries where the resolver is unable to contact upstream servers. 9 | 10 | .. code-block:: yaml 11 | 12 | fallback: 13 | enable: true 14 | servers: 15 | - address: [ 2001:148f:fffe::1, 193.17.47.1 ] 16 | transport: tls 17 | hostname: odvr.nic.cz 18 | 19 | The ``servers:`` has the same schema as in :ref:`forwarding `. 20 | 21 | If you use fallback within a fleet of servers, 22 | you will probably want to avoid queries cycling in there, 23 | i.e. disable the fallback option for them in :ref:`views `. 
24 | -------------------------------------------------------------------------------- /etc/config/config.internal: -------------------------------------------------------------------------------- 1 | -- SPDX-License-Identifier: CC0-1.0 2 | -- vim:syntax=lua:set ts=4 sw=4: 3 | -- Config file example usable for multi-user ISP resolver 4 | -- Refer to manual: https://www.knot-resolver.cz/documentation/latest/ 5 | 6 | -- Network interface configuration 7 | net.listen('127.0.0.1', 53, { kind = 'dns' }) 8 | net.listen('::1', 53, { kind = 'dns'}) 9 | net.listen('127.0.0.1', 853, { kind = 'tls' }) 10 | net.listen('::1', 853, { kind = 'tls' }) 11 | net.listen('127.0.0.1', 443, { kind = 'doh2' }) 12 | net.listen('::1', 443, { kind = 'doh2' }) 13 | 14 | -- define list of internal-only domains 15 | internalDomains = policy.todnames({'company.example', 'internal.example'}) 16 | 17 | -- forward all queries below 'internalDomains' to '192.168.1.2' 18 | policy.add(policy.suffix(policy.FORWARD({'192.168.1.2'}), internalDomains)) 19 | -------------------------------------------------------------------------------- /scripts/kresd.apparmor: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | /usr/sbin/kresd { 4 | #include 5 | #include 6 | #include 7 | capability net_bind_service, 8 | capability setgid, 9 | capability setuid, 10 | # seems to be needed during start to read /var/lib/knot-resolver 11 | # while we still run as root. 12 | capability dac_override, 13 | 14 | network tcp, 15 | network udp, 16 | 17 | /proc/sys/net/core/somaxconn r, 18 | /etc/knot-resolver/* r, 19 | /var/lib/knot-resolver/ r, 20 | /var/lib/knot-resolver/** rwlk, 21 | 22 | # modules 23 | /usr/lib{,64}/kdns_modules/*.lua r, 24 | /usr/lib{,64}/kdns_modules/*.so rm, 25 | 26 | # Site-specific additions and overrides. See local/README for details. 
27 | #include 28 | } 29 | 30 | -------------------------------------------------------------------------------- /utils/cache_gc/meson.build: -------------------------------------------------------------------------------- 1 | ## utils/cache_gc 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | cache_gc_src = files([ 5 | 'categories.c', 6 | 'db.c', 7 | 'kr_cache_gc.c', 8 | 'main.c', 9 | ]) 10 | c_src_lint += cache_gc_src 11 | 12 | if build_utils 13 | cache_gc = executable( 14 | 'kres-cache-gc', 15 | cache_gc_src, 16 | dependencies: [ 17 | kresconfig_dep, 18 | contrib_dep, 19 | libkres_dep, 20 | libknot, 21 | libuv, 22 | lmdb, 23 | ], 24 | install: true, 25 | install_dir: get_option('sbindir'), 26 | install_rpath: rpath, 27 | ) 28 | 29 | integr_tests += [ 30 | ['gc_cache_overflow', meson.current_source_dir() / 'test.integr'], 31 | ] 32 | endif 33 | 34 | summary({'kres-cache-gc': build_utils, 35 | }, section: 'Optional components', bool_yn: true) 36 | -------------------------------------------------------------------------------- /etc/config/config.example.internal.yaml: -------------------------------------------------------------------------------- 1 | # Refer to manual: https://www.knot-resolver.cz/documentation/latest/ 2 | 3 | network: 4 | listen: 5 | # unencrypted DNS on port 53 6 | - interface: &interfaces 7 | - 127.0.0.1 8 | - "::1" 9 | # DNS over TLS on port 853 10 | - interface: *interfaces 11 | kind: dot 12 | # DNS over HTTPS on port 443 13 | - interface: *interfaces 14 | kind: doh2 15 | 16 | forward: 17 | # define list of internal-only domains 18 | - subtree: 19 | - company.example 20 | - internal.example 21 | # forward all queries belonging to domains in the list above to IP address '192.0.2.44' 22 | servers: 23 | - 192.0.2.44 24 | # common options configuration for internal-only domains 25 | options: 26 | authoritative: true 27 | dnssec: false 28 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: 
-------------------------------------------------------------------------------- 1 | Contributing 2 | ============ 3 | 4 | Please file issues and merge requests against the upstream repository: 5 | 6 | [https://gitlab.nic.cz/knot/knot-resolver](https://gitlab.nic.cz/knot/knot-resolver) 7 | 8 | Opening a merge request on gitlab.nic.cz 9 | ---------------------------------------- 10 | 11 | Unfortunately, due to administrative policy, forking is disabled by default. To 12 | be able to fork, please send us an e-mail with your username to knot-resolver@labs.nic.cz 13 | 14 | We apologize for the inconvenience and if you can't be bothered, please 15 | consider alternate ways of contributing, such as: 16 | 17 | - Opening a pull request on [github.com](https://github.com/CZ-NIC/knot-resolver). 18 | We'll take care of it and move it to our upstream. 19 | - Sending a patch to the users list: knot-resolver-users@lists.nic.cz 20 | -------------------------------------------------------------------------------- /modules/workarounds/workarounds.lua: -------------------------------------------------------------------------------- 1 | -- SPDX-License-Identifier: GPL-3.0-or-later 2 | -- Load dependent module 3 | if not policy then modules.load('policy') end 4 | 5 | local M = {} -- the module 6 | 7 | function M.init() 8 | policy.add(policy.suffix(policy.FLAGS('NO_0X20'), { 9 | -- https://github.com/DNS-OARC/dns-violations/blob/master/2017/DVE-2017-0003.md 10 | todname('avqs.mcafee.com'), todname('avts.mcafee.com'), 11 | 12 | -- https://github.com/DNS-OARC/dns-violations/blob/master/2017/DVE-2017-0006.md 13 | -- Obtained via a reverse search on {ns1,ns3}.panthercdn.com. 
14 | todname('cdnga.com'), todname('cdngc.com'), todname('cdngd.com'), 15 | todname('cdngl.com'), todname('cdngm.com'), 16 | todname('cdngc.net'), todname('panthercdn.com'), 17 | 18 | todname('magazine-fashion.net.'), 19 | })) 20 | end 21 | 22 | return M 23 | 24 | -------------------------------------------------------------------------------- /scripts/poe-tasks/clean: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | echo 8 | echo -------------------------------------------- 9 | echo Removing mypy, pytest and other cached files 10 | echo -------------------------------------------- 11 | rm -vrf .coverage .mypy_cache .pytest_cache 12 | echo 13 | echo ------------------------------------------ 14 | echo Removing Meson build directories and files 15 | echo ------------------------------------------ 16 | rm -vrf "$build_dir" "$build_dev_dir" "$KRES_DEV_INSTALL_DIR" build dist 17 | echo 18 | echo ------------------------------------------ 19 | echo Removing __pycache__ directories and files 20 | echo ------------------------------------------ 21 | find . -type d -name '__pycache__' -prune -exec rm -vrf {} + 22 | echo -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/err_multi_ta.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 2 6 | 8 7 | 2 8 | 1111111111111111111111111111111111111111111111111111111111111111 9 | 10 | 11 | 12 | test. 
13 | 14 | 2 15 | 8 16 | 2 17 | 1111111111111111111111111111111111111111111111111111111111111111 18 | 19 | 20 | -------------------------------------------------------------------------------- /scripts/meson/test-config.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | # Utility script used by meson to run config tests post installation 4 | set -o nounset -o errexit 5 | 6 | # if anything fails during test setup, use exit code 77 to mark it as skipped 7 | function skip { 8 | exit 77 9 | } 10 | trap skip ERR 11 | 12 | TEST_DIR="$(dirname ${TEST_FILE})" 13 | TMP_RUNDIR="$(mktemp -d)" 14 | 15 | function finish { 16 | if [[ "$(jobs -p)" != "" ]] 17 | then 18 | echo "SIGKILLing leftover processes:" 19 | jobs -l 20 | kill -s SIGKILL $(jobs -p) 21 | fi 22 | rm -rf "${TMP_RUNDIR}" 23 | } 24 | trap finish EXIT 25 | 26 | cp -a "${TEST_DIR}/"* "${TMP_RUNDIR}/" 27 | cd "${TMP_RUNDIR}" 28 | 29 | which kresd || (echo "kresd not executable!"; exit 77) 30 | trap ERR # get actual kresd error code from now on 31 | 32 | kresd "$@" 33 | -------------------------------------------------------------------------------- /ci/respdiff/kresd.config: -------------------------------------------------------------------------------- 1 | -- SPDX-License-Identifier: GPL-3.0-or-later 2 | -- Refer to manual: https://www.knot-resolver.cz/documentation/latest/ 3 | -- Listen on localhost and external interface 4 | net.listen('127.0.0.1', 5353) 5 | net.listen('127.0.0.1', 8853, { tls = true }) 6 | net.ipv6=false 7 | 8 | -- Auto-maintain root TA 9 | trust_anchors.add_file('.local/etc/knot-resolver/root.keys') 10 | 11 | cache.size = 1024 * MB 12 | 13 | -- Load Useful modules 14 | modules = { 15 | 'workarounds < iterate', 16 | 'policy', -- Block queries to local zones/bad sites 17 | 'view', -- Views for certain clients 18 | 'hints > iterate', -- Allow loading /etc/hosts or custom root hints 19 | 
'stats', -- Track internal statistics 20 | } 21 | 22 | -- avoid TC flags returned to respdiff 23 | local _, up_bs = net.bufsize() 24 | net.bufsize(4096, up_bs) 25 | 26 | log_level('debug') 27 | -------------------------------------------------------------------------------- /daemon/lua/trust_anchors.test/err_elem_extra.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | . 4 | 5 | 19036 6 | 8 7 | 2 8 | 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 9 | 10 | 11 | 20326 12 | 8 13 | 2 14 | E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 15 | E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D 16 | 17 | 18 | -------------------------------------------------------------------------------- /etc/config/config.test-local-data.yaml: -------------------------------------------------------------------------------- 1 | views: 2 | - subnets: [127.0.0.0/24] 3 | tags: [t01, t02] 4 | options: 5 | dns64: false 6 | - subnets: [0.0.0.0/0, "::/0"] 7 | answer: refused 8 | - subnets: [10.0.10.0/24] 9 | answer: allow 10 | 11 | local-data: 12 | ttl: 60m 13 | nodata: false 14 | addresses: 15 | foo.bar: 127.0.0.1 16 | addresses-files: 17 | - /etc/hosts 18 | records: | 19 | example.net. 
TXT "foo bar" 20 | A 192.168.2.3 21 | A 192.168.2.4 22 | local.example.org AAAA ::1 23 | rules: 24 | - name: custom.example 25 | address: 1.2.3.4 26 | nodata: true 27 | tags: [t01] 28 | - subtree: empty 29 | tags: [ t02 ] 30 | name: [ example1.org ] 31 | - subtree: nxdomain 32 | name: [ sub4.example.org ] 33 | rpz: 34 | - file: blocklist.rpz 35 | tags: [t01, t02] 36 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/lua_schema.py: -------------------------------------------------------------------------------- 1 | from typing import Optional 2 | 3 | from knot_resolver.datamodel.types import ReadableFile 4 | from knot_resolver.utils.modeling import ConfigSchema 5 | 6 | 7 | class LuaSchema(ConfigSchema): 8 | """ 9 | Custom Lua configuration. 10 | 11 | --- 12 | script_only: Ignore declarative configuration and use only Lua script or file defined in this section. 13 | script: Custom Lua configuration script. 14 | script_file: Path to file that contains Lua configuration script. 
15 | """ 16 | 17 | script_only: bool = False 18 | script: Optional[str] = None 19 | script_file: Optional[ReadableFile] = None 20 | 21 | def _validate(self) -> None: 22 | if self.script and self.script_file: 23 | raise ValueError("'lua.script' and 'lua.script-file' are both defined, only one can be used") 24 | -------------------------------------------------------------------------------- /tests/manager/datamodel/test_management_schema.py: -------------------------------------------------------------------------------- 1 | from typing import Any, Dict, Optional 2 | 3 | import pytest 4 | 5 | from knot_resolver.datamodel.management_schema import ManagementSchema 6 | from knot_resolver.utils.modeling.exceptions import DataValidationError 7 | 8 | 9 | @pytest.mark.parametrize("val", [{"interface": "::1@53"}, {"unix-socket": "/tmp/socket"}]) 10 | def test_management_valid(val: Dict[str, Any]): 11 | o = ManagementSchema(val) 12 | if o.interface: 13 | assert str(o.interface) == val["interface"] 14 | if o.unix_socket: 15 | assert str(o.unix_socket) == val["unix-socket"] 16 | 17 | 18 | @pytest.mark.parametrize("val", [None, {"interface": "::1@53", "unix-socket": "/tmp/socket"}]) 19 | def test_management_invalid(val: Optional[Dict[str, Any]]): 20 | with pytest.raises(DataValidationError): 21 | ManagementSchema(val) 22 | -------------------------------------------------------------------------------- /tests/packaging/interactive/renew.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | function count_errors(){ 6 | echo "$(journalctl -u knot-resolver.service | grep -c error)" 7 | } 8 | 9 | function count_apply(){ 10 | echo "$(journalctl -u knot-resolver.service | grep -c "Config applied successfully to all workers")" 11 | } 12 | 13 | err_count=$(count_errors) 14 | rel_count=$(count_apply) 15 | 16 | curl -X POST --unix-socket /run/knot-resolver/kres-api.sock http://api/renew 17 | sleep 6 18 | if [ 
$(count_errors) -ne $err_count ] || [ $(count_apply) -ne $rel_count ]; then 19 | echo "Failed to renew." 20 | exit 1 21 | fi 22 | 23 | curl -X POST --unix-socket /run/knot-resolver/kres-api.sock http://api/renew/force 24 | sleep 6 25 | if [ $(count_errors) -ne $err_count ] || [ $(count_apply) -eq $rel_count ]; then 26 | echo "Failed to force a renew." 27 | exit 1 28 | fi 29 | -------------------------------------------------------------------------------- /modules/http/static/kresd.css: -------------------------------------------------------------------------------- 1 | /* 2 | * Base structure 3 | * SPDX-License-Identifier: GPL-3.0-or-later 4 | */ 5 | 6 | /* Move down content because we have a fixed navbar that is 50px tall */ 7 | body { 8 | padding-top: 50px; 9 | } 10 | 11 | /* 12 | * Tags and labels. 13 | */ 14 | .tag { 15 | margin: 0 3px 3px 0; 16 | } 17 | 18 | .tag-default { 19 | background-color: #efefef !important; 20 | color: #000 !important; 21 | } 22 | 23 | .tag-warning { 24 | background-color: #f0ad4e !important; 25 | border-color: #eea236 !important; 26 | color: #fff !important; 27 | } 28 | .tag-success { 29 | background-color: #5cb85c !important; 30 | border-color: #4cae4c !important; 31 | color: #fff !important; 32 | } 33 | 34 | .spark { 35 | display: inline-block; 36 | } 37 | 38 | .spark-legend { 39 | display: inline-block; 40 | } 41 | 42 | .dygraph-legend { 43 | text-align: right; 44 | } 45 | -------------------------------------------------------------------------------- /doc/user/config-ta-sentinel.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-ta_sentinel: 4 | 5 | Sentinel for Detecting Trusted Root Keys 6 | ======================================== 7 | 8 | Root Key Trust Anchor Sentinel for DNSSEC according to standard :rfc:`8509`. 
9 | 10 | This feature allows users of a DNSSEC-validating resolver to detect which root keys 11 | are configured in the resolver's chain of trust. The data from such 12 | signaling are necessary to monitor the progress of the DNSSEC root key rollover 13 | and to detect potential breakage before it affects users. One example of research enabled by this module `is available here `_. 14 | 15 | The sentinel is enabled by default and we urge users not to disable it unless absolutely necessary. If you must, the following setting disables it: 16 | 17 | .. code-block:: yaml 18 | 19 | dnssec: 20 | trust-anchor-sentinel: false 21 | -------------------------------------------------------------------------------- /daemon/ratelimiting.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #include 6 | #include "lib/defines.h" 7 | #include "lib/utils.h" 8 | struct kr_request; 9 | 10 | /** Initialize rate-limiting with shared mmapped memory. 11 | * The existing data are used if another instance is already using the file 12 | * and it was initialized with the same parameters; it fails on mismatch. */ 13 | KR_EXPORT 14 | int ratelimiting_init(const char *mmap_file, size_t capacity, uint32_t instant_limit, 15 | uint32_t rate_limit, uint16_t slip, uint32_t log_period, bool dry_run); 16 | 17 | /** Do rate-limiting, during knot_layer_api::begin. */ 18 | KR_EXPORT 19 | bool ratelimiting_request_begin(struct kr_request *req); 20 | 21 | /** Remove mmapped file data if not used by other processes. 
*/ 22 | KR_EXPORT 23 | void ratelimiting_deinit(void); 24 | -------------------------------------------------------------------------------- /doc/dev/Doxyfile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | PROJECT_NAME = Knot Resolver library 3 | GENERATE_HTML = NO 4 | GENERATE_XML = YES 5 | GENERATE_LATEX = NO 6 | GENERATE_MAN = NO 7 | GENERATE_RTF = NO 8 | CASE_SENSE_NAMES = NO 9 | INPUT = ../../lib ../../daemon 10 | FILE_PATTERNS = *.h 11 | QUIET = YES 12 | RECURSIVE = YES 13 | JAVADOC_AUTOBRIEF = YES 14 | AUTOLINK_SUPPORT = YES 15 | XML_OUTPUT = doxyxml 16 | HIDE_UNDOC_MEMBERS = YES 17 | HIDE_UNDOC_CLASSES = YES 18 | OPTIMIZE_OUTPUT_FOR_C = YES 19 | ENABLE_PREPROCESSING = YES 20 | MACRO_EXPANSION = YES 21 | EXPAND_ONLY_PREDEF = YES 22 | PREDEFINED = NDEBUG KR_CONST= KR_EXPORT= KR_PURE= lru_t(type)=see_source_code KR_PRINTF(n)= KR_COLD= array_t(type)=see_source_code __attribute__(x)= 23 | EXCLUDE_SYMBOLS = static_assert uint set_walk_cb module_api_cb kr_prop_cb kr_straddr_split 24 | -------------------------------------------------------------------------------- /tests/dnstap/src/dnstap-test/run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | KRESD_CMD=$1 4 | MESON_BUILD_ROOT=$(pwd) 5 | mkdir -p tests/dnstap 6 | export GOPATH=$MESON_BUILD_ROOT/tests/dnstap 7 | echo "$GOPATH" 8 | cd "$(dirname $0)" 9 | DNSTAP_TEST=dnstap-test 10 | 11 | go mod tidy 12 | 13 | type -P go >/dev/null || exit 77 14 | echo "Building the dnstap test and its dependencies..." 15 | # some packages may be missing on the system right now 16 | go get . 17 | 18 | DTAP_DIR="$GOPATH/src" 19 | DTAP="$DTAP_DIR/$DNSTAP_TEST" 20 | mkdir -p "$DTAP_DIR" 21 | rm -f $DTAP && ln -s $(realpath ..)/$DNSTAP_TEST $DTAP 22 | go install . 
23 | 24 | 25 | CONFIG=$(realpath ./config) 26 | ZONES="fake1.localdomain,fake2.localdomain,fake3.localdomain" 27 | TIMEOUT=60s 28 | GRACE=5s 29 | cd $MESON_BUILD_ROOT/tests/dnstap # don't leave stuff like *.mdb in ./. 30 | $GOPATH/bin/$DNSTAP_TEST -c $CONFIG -cmd $KRESD_CMD -q $ZONES -t $TIMEOUT -g $GRACE -d 31 | 32 | -------------------------------------------------------------------------------- /utils/cache_gc/test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd1 4 | binary: kresd 5 | additional: 6 | - -n 7 | - ../kresd1/ 8 | templates: 9 | - lib/cache/overflow.test.integr/kresd_config.j2 10 | - tests/config/test_dns_generators.lua 11 | configs: 12 | - config 13 | - dns_gen.lua 14 | - name: kresd2 15 | binary: kresd 16 | additional: 17 | - -n 18 | - ../kresd1/ 19 | templates: 20 | - lib/cache/overflow.test.integr/kresd_config.j2 21 | - tests/config/test_dns_generators.lua 22 | configs: 23 | - config 24 | - dns_gen.lua 25 | - name: gc 26 | binary: kres-cache-gc 27 | additional: 28 | # small cache needs shorter RW transactions and larger "percentages" 29 | - -l8 30 | - -u50 31 | - -f20 32 | - -d1 33 | - -c 34 | - ../kresd1/ 35 | conncheck: False 36 | templates: [] 37 | configs: [] 38 | -------------------------------------------------------------------------------- /tests/pytests/proxy/tls-proxy.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | /* SPDX-License-Identifier: GPL-3.0-or-later */ 3 | 4 | #define __STDC_FORMAT_MACROS 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | struct args { 11 | const char *local_addr; 12 | uint16_t local_port; 13 | const char *upstream; 14 | uint16_t upstream_port; 15 | 16 | bool rehandshake; 17 | bool close_connection; 18 | bool accept_only; 19 | bool tls_13; 20 | 21 | uint64_t close_timeout; 22 | uint32_t max_conn_sequence; 23 | 24 
| const char *cert_file; 25 | const char *key_file; 26 | }; 27 | 28 | struct tls_proxy_ctx; 29 | 30 | struct tls_proxy_ctx *tls_proxy_allocate(void); 31 | void tls_proxy_free(struct tls_proxy_ctx *proxy); 32 | int tls_proxy_init(struct tls_proxy_ctx *proxy, const struct args *a); 33 | int tls_proxy_start_listen(struct tls_proxy_ctx *proxy); 34 | int tls_proxy_run(struct tls_proxy_ctx *proxy); 35 | -------------------------------------------------------------------------------- /systemd/kresd@.service.in: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: CC0-1.0 2 | [Unit] 3 | Description=Knot Resolver daemon 4 | Documentation=man:kresd.systemd(7) 5 | Documentation=man:kresd(8) 6 | Wants=kres-cache-gc.service 7 | Before=kres-cache-gc.service 8 | Wants=network-online.target 9 | After=network-online.target 10 | Before=nss-lookup.target 11 | Wants=nss-lookup.target 12 | 13 | [Service] 14 | Type=notify 15 | Environment="SYSTEMD_INSTANCE=%i" 16 | WorkingDirectory=@systemd_work_dir@ 17 | ExecStart=@sbin_dir@/kresd -c @lib_dir@/distro-preconfig.lua -c @etc_dir@/kresd.conf -n 18 | ExecStopPost=/usr/bin/env rm -f "@run_dir@/control/%i" 19 | User=@user@ 20 | Group=@group@ 21 | CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP 22 | AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP 23 | TimeoutStopSec=10s 24 | WatchdogSec=10s 25 | Restart=on-abnormal 26 | LimitNOFILE=524288 27 | Slice=system-kresd.slice 28 | 29 | [Install] 30 | WantedBy=kresd.target 31 | -------------------------------------------------------------------------------- /modules/ta_sentinel/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. 
_mod-ta_sentinel: 4 | 5 | Sentinel for Detecting Trusted Root Keys 6 | ======================================== 7 | 8 | The module ``ta_sentinel`` implements A Root Key Trust Anchor Sentinel for DNSSEC 9 | according to standard :rfc:`8509`. 10 | 11 | This feature allows users of a DNSSEC-validating resolver to detect which root keys 12 | are configured in the resolver's chain of trust. The data from such 13 | signaling are necessary to monitor the progress of the DNSSEC root key rollover 14 | and to detect potential breakage before it affects users. One example of research enabled by this module `is available here `_. 15 | 16 | This module is enabled by default and we urge users not to disable it. 17 | If it is absolutely necessary, you may add ``modules.unload('ta_sentinel')`` 18 | to your configuration to disable it. 19 | -------------------------------------------------------------------------------- /modules/policy/noipv6.test.integr/broken-ipv6.rpl: -------------------------------------------------------------------------------- 1 | ; config options 2 | ; SPDX-License-Identifier: GPL-3.0-or-later 3 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 4 | CONFIG_END 5 | 6 | SCENARIO_BEGIN Test that IPv6 is not used by kresd. 
7 | 8 | RANGE_BEGIN 0 100 9 | ADDRESS ::1:2:3:4 10 | RANGE_END 11 | 12 | RANGE_BEGIN 0 100 13 | ADDRESS 1.2.3.4 14 | 15 | ENTRY_BEGIN 16 | MATCH opcode qtype qname 17 | ADJUST copy_id 18 | REPLY QR NOERROR 19 | SECTION QUESTION 20 | www.test.org A 21 | SECTION ANSWER 22 | www.test.org 3600 A 4.3.2.1 23 | ENTRY_END 24 | 25 | RANGE_END 26 | 27 | 28 | STEP 10 QUERY 29 | ENTRY_BEGIN 30 | REPLY RD AD 31 | SECTION QUESTION 32 | www.test.org A 33 | ENTRY_END 34 | 35 | STEP 20 CHECK_ANSWER 36 | ENTRY_BEGIN 37 | MATCH all answer 38 | REPLY QR RD RA NOERROR 39 | SECTION QUESTION 40 | www.test.org A 41 | SECTION ANSWER 42 | www.test.org 3600 A 4.3.2.1 43 | SECTION AUTHORITY 44 | SECTION ADDITIONAL 45 | ENTRY_END 46 | 47 | SCENARIO_END 48 | -------------------------------------------------------------------------------- /python/knot_resolver/client/commands/help.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from typing import List, Tuple, Type 3 | 4 | from knot_resolver.client.command import Command, CommandArgs, CompWords, comp_get_words, register_command 5 | 6 | 7 | @register_command 8 | class HelpCommand(Command): 9 | def __init__(self, namespace: argparse.Namespace) -> None: 10 | super().__init__(namespace) 11 | 12 | def run(self, args: CommandArgs) -> None: 13 | args.parser.print_help() 14 | 15 | @staticmethod 16 | def completion(args: List[str], parser: argparse.ArgumentParser) -> CompWords: 17 | return comp_get_words(args, parser) 18 | 19 | @staticmethod 20 | def register_args_subparser( 21 | subparser: "argparse._SubParsersAction[argparse.ArgumentParser]", 22 | ) -> Tuple[argparse.ArgumentParser, "Type[Command]"]: 23 | stop = subparser.add_parser("help", help="show this help message and exit") 24 | return stop, HelpCommand 25 | -------------------------------------------------------------------------------- /tests/manager/utils/modeling/test_renaming.py: 
-------------------------------------------------------------------------------- 1 | from knot_resolver.utils.modeling.renaming import renamed 2 | 3 | 4 | def test_all(): 5 | ref = { 6 | "awesome-customers": [{"name": "John", "home-address": "London"}, {"name": "Bob", "home-address": "Prague"}], 7 | "storage": {"bobby-pin": 5, "can-opener": 0, "laptop": 1}, 8 | } 9 | 10 | rnm = renamed(ref) 11 | assert rnm["awesome_customers"][0]["home_address"] == "London" 12 | assert rnm["awesome_customers"][1:][0]["home_address"] == "Prague" 13 | assert set(rnm["storage"].items()) == set((("can_opener", 0), ("bobby_pin", 5), ("laptop", 1))) 14 | assert set(rnm["storage"].keys()) == set(("bobby_pin", "can_opener", "laptop")) 15 | 16 | 17 | def test_nested_init(): 18 | val = renamed(renamed(({"ke-y": "val-ue"}))) 19 | assert val["ke_y"] == "val-ue" 20 | 21 | 22 | def test_original(): 23 | obj = renamed(({"ke-y": "val-ue"})).original() 24 | assert obj["ke-y"] == "val-ue" 25 | -------------------------------------------------------------------------------- /modules/detect_time_jump/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-detect_time_jump: 4 | 5 | Detect discontinuous jumps in the system time 6 | ============================================= 7 | 8 | This module detects discontinuous jumps in the system time while the resolver 9 | is running. It clears the cache when a significant backward time jump occurs. 10 | 11 | Time jumps are usually created by NTP time change or by admin intervention. 12 | These changes can affect cache records as they store timestamp and TTL in real 13 | time. 14 | 15 | If you want to preserve cache during time travel you should disable 16 | this module by ``modules.unload('detect_time_jump')``. 
17 | 18 | Due to the way monotonic system time works on typical systems, 19 | suspend-resume cycles will be perceived as forward time jumps, 20 | but this direction of shift does not have the risk of using records 21 | beyond their intended TTL, so forward jumps do not cause erasing the cache. 22 | 23 | -------------------------------------------------------------------------------- /doc/user/deployment-manual.rst: -------------------------------------------------------------------------------- 1 | ****** 2 | Manual 3 | ****** 4 | 5 | The Knot Resolver can be started with the command ``knot-resolver``. You can provide an optional argument ``--config path/to/config.yaml`` to load a different than default configuration file. 6 | 7 | The resolver does not have any external runtime dependencies and it should be able to run in most environments. It should be possible to wrap it with any container technology. 8 | 9 | 10 | Multiple instances on a single server 11 | ===================================== 12 | 13 | The only limitation for running multiple instances of Knot Resolver is that all instances must have a different runtime directory. There are however safeguards in place that should prevent accidental runtime directory conflicts. 14 | 15 | It is possible to share cache between multiple instances, just make sure that all instances have the same cache config and there is only a single garbage collector running (disable it in all but one config file). 16 | -------------------------------------------------------------------------------- /modules/policy/test.integr/refuse.rpl: -------------------------------------------------------------------------------- 1 | ; SPDX-License-Identifier: GPL-3.0-or-later 2 | ; config options 3 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 4 | CONFIG_END 5 | 6 | SCENARIO_BEGIN Test refuse policy 7 | 8 | STEP 10 QUERY 9 | ENTRY_BEGIN 10 | REPLY RD AD 11 | SECTION QUESTION 12 | www.refuse.example.com. 
IN A 13 | ENTRY_END 14 | 15 | STEP 20 CHECK_ANSWER 16 | ENTRY_BEGIN 17 | MATCH all answer 18 | ; AD must not be set in the answer 19 | REPLY QR RD RA REFUSED 20 | SECTION QUESTION 21 | www.refuse.example.com. IN A 22 | SECTION ANSWER 23 | ENTRY_END 24 | 25 | STEP 30 QUERY 26 | ENTRY_BEGIN 27 | REPLY RD AD 28 | SECTION QUESTION 29 | example.com. IN A 30 | ENTRY_END 31 | 32 | STEP 40 CHECK_ANSWER 33 | ENTRY_BEGIN 34 | MATCH all answer 35 | REPLY QR RD AA RA NXDOMAIN 36 | SECTION QUESTION 37 | example.com. IN A 38 | SECTION ANSWER 39 | SECTION AUTHORITY 40 | example.com. 10800 IN SOA example.com. nobody.invalid. 1 3600 1200 604800 10800 41 | ENTRY_END 42 | 43 | 44 | SCENARIO_END 45 | -------------------------------------------------------------------------------- /tests/manager/datamodel/templates/test_cache_macros.py: -------------------------------------------------------------------------------- 1 | from typing import Any 2 | 3 | import pytest 4 | 5 | from knot_resolver.datamodel.cache_schema import CacheClearRPCSchema 6 | from knot_resolver.datamodel.templates import template_from_str 7 | 8 | 9 | @pytest.mark.parametrize( 10 | "val,res", 11 | [ 12 | ({}, "cache.clear(nil,false,nil,100)"), 13 | ({"chunk-size": 200}, "cache.clear(nil,false,nil,200)"), 14 | ({"name": "example.com.", "exact-name": True}, "cache.clear('example.com.',true,nil,nil)"), 15 | ( 16 | {"name": "example.com.", "exact-name": True, "rr-type": "AAAA"}, 17 | "cache.clear('example.com.',true,kres.type.AAAA,nil)", 18 | ), 19 | ], 20 | ) 21 | def test_cache_clear(val: Any, res: Any): 22 | tmpl_str = "{% from 'macros/cache_macros.lua.j2' import cache_clear %}{{ cache_clear(x) }}" 23 | 24 | tmpl = template_from_str(tmpl_str) 25 | assert tmpl.render(x=CacheClearRPCSchema(val)) == res 26 | -------------------------------------------------------------------------------- /etc/config/meson.build: -------------------------------------------------------------------------------- 1 | # etc: config examples 2 | 
# SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | # Install config examples 5 | example_configs = [ 6 | 'config.cluster', 7 | 'config.docker', 8 | 'config.isp', 9 | 'config.internal', 10 | 'config.privacy', 11 | 'config.personal', 12 | 'config.splitview', 13 | ] 14 | 15 | install_data( 16 | sources: example_configs, 17 | install_dir: examples_dir, 18 | ) 19 | 20 | 21 | # kresd.conf 22 | install_kresd_conf = get_option('install_kresd_conf') == 'enabled' 23 | if get_option('install_kresd_conf') == 'auto' 24 | if run_command(['test', '-r', etc_dir / 'kresd.conf'], check: false).returncode() == 1 25 | install_kresd_conf = true 26 | endif 27 | endif 28 | 29 | if install_kresd_conf 30 | install_data( 31 | sources: 'config.personal', 32 | rename: 'kresd.conf', 33 | install_dir: etc_dir, 34 | ) 35 | endif 36 | 37 | summary({'install kresd.conf': install_kresd_conf, 38 | }, section: 'Paths', bool_yn: true) 39 | -------------------------------------------------------------------------------- /tests/packaging/interactive/metrics.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | curl --silent --fail --unix-socket /run/knot-resolver/kres-api.sock http://localhost/metrics > /dev/null 6 | 7 | kresctl metrics > /dev/null 8 | if [ "$?" -ne "0" ]; then 9 | echo "Could not get metrics in JSON format" 10 | exit 1 11 | fi 12 | 13 | kresctl metrics --prometheus > /dev/null 14 | if [ "$?" 
-ne "0" ]; then 15 | echo "Could not get metrics in Prometheus format" 16 | exit 1 17 | fi 18 | 19 | json_count=$(kresctl metrics | grep --invert-match '{\|}' --count) 20 | prometheus_count=$(kresctl metrics --prometheus | grep --invert-match '^#' | grep '^resolver' --count) 21 | worker_count=$(kresctl metrics | grep --fixed-strings 'kresd:' --count) 22 | # Prometheus additionally contains resolver_response_latency_count and resolver_metrics_loaded 23 | if [ $(($json_count + 2 * $worker_count)) -ne $prometheus_count ]; then 24 | echo "JSON and Prometheus have different number of base metrics" 25 | exit 1 26 | fi 27 | -------------------------------------------------------------------------------- /tests/manager/test_config_store.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | 3 | from knot_resolver.datamodel.config_schema import KresConfig 4 | from knot_resolver.manager.config_store import ConfigStore, only_on_real_changes_update 5 | 6 | 7 | @pytest.mark.asyncio # type: ignore 8 | async def test_only_once(): 9 | count = 0 10 | 11 | @only_on_real_changes_update(lambda config: config.logging.level) 12 | async def change_callback(config: KresConfig, force: bool = False) -> None: 13 | nonlocal count 14 | count += 1 15 | 16 | config = KresConfig() 17 | store = ConfigStore(config) 18 | 19 | await store.register_on_change_callback(change_callback) 20 | assert count == 1 21 | 22 | config = KresConfig() 23 | config.logging.level = "crit" 24 | await store.update(config) 25 | assert count == 2 26 | 27 | config = KresConfig() 28 | config.lua.script_only = True 29 | config.lua.script = "meaningless value" 30 | await store.update(config) 31 | assert count == 2 32 | -------------------------------------------------------------------------------- /tests/manager/utils/modeling/test_types.py: -------------------------------------------------------------------------------- 1 | from typing import Any, Dict, List, Literal, 
Tuple, Union 2 | 3 | import pytest 4 | 5 | from knot_resolver.utils.modeling import BaseSchema 6 | from knot_resolver.utils.modeling.types import is_list, is_literal 7 | 8 | types = [ 9 | bool, 10 | int, 11 | str, 12 | Dict[Any, Any], 13 | Tuple[Any, Any], 14 | Union[str, int], 15 | BaseSchema, 16 | ] 17 | literal_types = [Literal[5], Literal["test"], Literal[False]] 18 | 19 | 20 | @pytest.mark.parametrize("val", types) 21 | def test_is_list_true(val: Any): 22 | assert is_list(List[val]) 23 | 24 | 25 | @pytest.mark.parametrize("val", types) 26 | def test_is_list_false(val: Any): 27 | assert not is_list(val) 28 | 29 | 30 | @pytest.mark.parametrize("val", literal_types) 31 | def test_is_literal_true(val: Any): 32 | assert is_literal(Literal[val]) 33 | 34 | 35 | @pytest.mark.parametrize("val", types) 36 | def test_is_literal_false(val: Any): 37 | assert not is_literal(val) 38 | -------------------------------------------------------------------------------- /doc/user/config-time-jump-detection.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _config-time-jump-detection: 4 | 5 | Detect discontinuous jumps in the system time 6 | ============================================= 7 | 8 | Detects discontinuous jumps in the system time while the resolver 9 | is running. It clears the cache when a significant backward time jump occurs. 10 | 11 | Time jumps are usually created by NTP time change or by admin intervention. 12 | These changes can affect cache records as they store timestamp and TTL in real 13 | time. 14 | 15 | If you want to preserve cache during time travel you should disable it: 16 | 17 | .. 
code-block:: yaml 18 | 19 | options: 20 | time-jump-detection: false 21 | 22 | Due to the way monotonic system time works on typical systems, 23 | suspend-resume cycles will be perceived as forward time jumps, 24 | but this direction of shift does not have the risk of using records 25 | beyond their intended TTL, so forward jumps do not cause erasing the cache. 26 | 27 | -------------------------------------------------------------------------------- /lib/cookies/nonce.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include "lib/defines.h" 8 | 9 | /* RFC7873 Appendix B.2 mentions an algorithm using two values before the 10 | * actual server cookie hash. */ 11 | 12 | /** Nonce value length. */ 13 | #define KR_NONCE_LEN 8 14 | 15 | /** Input data to generate nonce from. */ 16 | struct kr_nonce_input { 17 | uint32_t rand; /**< some random value */ 18 | uint32_t time; /**< time stamp */ 19 | }; 20 | 21 | /** 22 | * @brief Writes server cookie nonce value into given buffer. 
23 | * 24 | * @param buf buffer to write nonce data in wire format into 25 | * @param buf_len buffer size 26 | * @param input data to generate wire data from 27 | * @return non-zero size of written data on success, 0 on failure 28 | */ 29 | KR_EXPORT 30 | uint16_t kr_nonce_write_wire(uint8_t *buf, uint16_t buf_len, 31 | const struct kr_nonce_input *input); 32 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/views.lua.j2: -------------------------------------------------------------------------------- 1 | {% from 'macros/common_macros.lua.j2' import quotes %} 2 | {% from 'macros/view_macros.lua.j2' import get_proto_set, view_flags, view_answer %} 3 | {% from 'macros/policy_macros.lua.j2' import policy_flags, policy_tags_assign, policy_price_factor %} 4 | 5 | {% if cfg.views %} 6 | {% for view in cfg.views %} 7 | {% for subnet in view.subnets %} 8 | 9 | assert(C.kr_view_insert_action('{{ subnet }}', '{{ view.dst_subnet or '' }}', 10 | {{ get_proto_set(view.protocols) }}, policy.COMBINE({ 11 | {%- set flags = view_flags(view.options) -%} 12 | {% if flags %} 13 | {{ quotes(policy_flags(flags)) }}, 14 | {%- endif %} 15 | {% if view.options.price_factor|float != 1.0 %} 16 | {{ quotes(policy_price_factor(view.options.price_factor)) }}, 17 | {%- endif %} 18 | {% if view.tags %} 19 | {{ policy_tags_assign(view.tags) }}, 20 | {% elif view.answer %} 21 | {{ view_answer(view.answer) }}, 22 | {%- endif %} 23 | })) == 0) 24 | 25 | {% endfor %} 26 | {% endfor %} 27 | {% endif %} 28 | -------------------------------------------------------------------------------- /tests/unit/meson.build: -------------------------------------------------------------------------------- 1 | # tests: unit 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | # mock module for test_module 5 | mock_cmodule_src = files([ 6 | 'mock_cmodule.c', 7 | ]) 8 | 9 | mock_cmodule_mod = shared_module( 10 | 'mock_cmodule', 11 | 
mock_cmodule_src, 12 | name_prefix: '', 13 | dependencies: mod_deps, 14 | include_directories: mod_inc_dir, 15 | ) 16 | 17 | # executables with tests 18 | foreach unit_test : unit_tests 19 | exec_test = executable( 20 | unit_test[0], 21 | unit_test[1], 22 | dependencies: [ 23 | kresd_deps, 24 | cmocka, 25 | contrib_dep, 26 | libknot, 27 | libkres_dep, 28 | libuv, 29 | lmdb, 30 | libdnssec, 31 | libm, 32 | ], 33 | ) 34 | 35 | # additional suites 36 | extra_suites = unit_test.length() >= 3 ? unit_test[2] : [] 37 | 38 | test( 39 | 'unit.' + unit_test[0], 40 | exec_test, 41 | suite: [ 'unit' ] + extra_suites, 42 | priority: -5, # they take very short time 43 | ) 44 | endforeach 45 | -------------------------------------------------------------------------------- /daemon/lua/map.test.integr/deckard.yaml: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: GPL-3.0-or-later 2 | programs: 3 | - name: kresd3 4 | binary: kresd 5 | additional: 6 | - --noninteractive 7 | templates: 8 | - daemon/lua/map.test.integr/kresd_config.j2 9 | - tests/integration/hints_zone.j2 10 | - tests/config/tapered/src/tapered.lua 11 | configs: 12 | - config 13 | - hints 14 | - tapered.lua 15 | - name: kresd2 16 | binary: kresd 17 | additional: 18 | - --noninteractive 19 | templates: 20 | - daemon/lua/map.test.integr/kresd_config.j2 21 | - tests/integration/hints_zone.j2 22 | - tests/config/tapered/src/tapered.lua 23 | configs: 24 | - config 25 | - hints 26 | - tapered.lua 27 | - name: kresd1 28 | binary: kresd 29 | additional: 30 | - --noninteractive 31 | templates: 32 | - daemon/lua/map.test.integr/kresd_config.j2 33 | - tests/integration/hints_zone.j2 34 | - tests/config/tapered/src/tapered.lua 35 | configs: 36 | - config 37 | - hints 38 | - tapered.lua 39 | -------------------------------------------------------------------------------- /modules/detect_time_skew/README.rst: 
-------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-detect_time_skew: 4 | 5 | System time skew detector 6 | ========================= 7 | 8 | This module compares local system time with inception and expiration time 9 | bounds in DNSSEC signatures for ``. NS`` records. If the local system time is 10 | outside of these bounds, it is likely a misconfiguration which will cause 11 | all DNSSEC validation (and resolution) to fail. 12 | 13 | In case of mismatch, a warning message will be logged to help with 14 | further diagnostics. 15 | 16 | .. warning:: Information printed by this module can be forged by a network attacker! 17 | The system administrator MUST verify values printed by this module and 18 | fix local system time using a trusted source. 19 | 20 | This module is useful for debugging purposes. It runs only once during resolver 21 | start and does nothing after that. It is enabled by default. 22 | You may disable the module by appending 23 | ``modules.unload('detect_time_skew')`` to your configuration. 24 | -------------------------------------------------------------------------------- /modules/nsid/README.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _mod-nsid: 4 | 5 | Name Server Identifier (NSID) 6 | ============================= 7 | 8 | Module ``nsid`` provides server-side support for :rfc:`5001` 9 | which allows DNS clients to request the resolver to send back its NSID 10 | along with the reply to a DNS request. 11 | This is useful for debugging larger resolver farms 12 | (e.g. when using :ref:`systemd-multiple-instances`, anycast or load balancers). 13 | 14 | NSID value can be configured in the resolver's configuration file: 15 | 16 | .. code-block:: lua 17 | 18 | modules.load('nsid') 19 | nsid.name('instance 1') 20 | 21 | .. 
tip:: When dealing with Knot Resolver running in `multiple instances` 22 | managed with systemd see :ref:`instance-specific-configuration`. 23 | 24 | You can also obtain configured NSID value: 25 | 26 | .. code-block:: lua 27 | 28 | > nsid.name() 29 | 'instance 1' 30 | 31 | The module can be disabled at run-time: 32 | 33 | .. code-block:: lua 34 | 35 | modules.unload('nsid') 36 | -------------------------------------------------------------------------------- /lib/kru-generic.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2024 CZ.NIC, z.s.p.o. 2 | 3 | This program is free software: you can redistribute it and/or modify 4 | it under the terms of the GNU General Public License as published by 5 | the Free Software Foundation, either version 3 of the License, or 6 | (at your option) any later version. 7 | 8 | This program is distributed in the hope that it will be useful, 9 | but WITHOUT ANY WARRANTY; without even the implied warranty of 10 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 11 | GNU General Public License for more details. 12 | 13 | You should have received a copy of the GNU General Public License 14 | along with this program. If not, see . 15 | */ 16 | 17 | #include "lib/defines.h" 18 | #include "./kru.inc.c" // NOLINT(bugprone-suspicious-include) 19 | 20 | KR_EXPORT 21 | const struct kru_api KRU_GENERIC = KRU_API_INITIALIZER; 22 | 23 | KR_EXPORT 24 | struct kru_api KRU = KRU_API_INITIALIZER; // generic version is the default 25 | -------------------------------------------------------------------------------- /doc/user/config-time-skew-detection.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. 
_config-time-skew-detection: 4 | 5 | System time skew detector 6 | ========================= 7 | 8 | This module compares local system time with inception and expiration time 9 | bounds in DNSSEC signatures for ``. NS`` records. If the local system time is 10 | outside of these bounds, it is likely a misconfiguration which will cause 11 | all DNSSEC validation (and resolution) to fail. 12 | 13 | In case of mismatch, a warning message will be logged to help with 14 | further diagnostics. 15 | 16 | .. warning:: 17 | 18 | Information printed by this module can be forged by a network attacker! 19 | System administrator MUST verify values printed by this module and 20 | fix local system time using a trusted source. 21 | 22 | This module is useful for debugging purposes. It runs only once during resolver 23 | start and does not do anything after that. It is enabled by default. 24 | You may disable it in the configuration file. 25 | 26 | .. code-block:: yaml 27 | 28 | dnssec: 29 | time-skew-detection: false 30 | -------------------------------------------------------------------------------- /modules/cookies/cookiectl.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include "lib/cookies/control.h" 8 | 9 | /** 10 | * @brief Sets cookie control context structure. 11 | * @param ctx cookie control context 12 | * @param args JSON string describing configuration changes 13 | * @return true if changes successfully applied 14 | */ 15 | bool config_apply(struct kr_cookie_ctx *ctx, const char *args); 16 | 17 | /** 18 | * @brief Reads cookie control context structure. 19 | * @param ctx cookie control context 20 | * @return JSON string or NULL on error 21 | */ 22 | char *config_read(struct kr_cookie_ctx *ctx); 23 | 24 | /** 25 | * @brief Initialises cookie control context to default values.
26 | * @param ctx cookie control context 27 | * @return kr_ok() or error code 28 | */ 29 | int config_init(struct kr_cookie_ctx *ctx); 30 | 31 | /** 32 | * @brief Clears the cookie control context. 33 | * @param ctx cookie control context 34 | */ 35 | void config_deinit(struct kr_cookie_ctx *ctx); 36 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/monitoring_schema.py: -------------------------------------------------------------------------------- 1 | from typing import Literal, Union 2 | 3 | from knot_resolver.datamodel.types import DomainName, EscapedStr, IPAddress, PortNumber, TimeUnit 4 | from knot_resolver.utils.modeling import ConfigSchema 5 | 6 | 7 | class GraphiteSchema(ConfigSchema): 8 | enable: bool = False 9 | host: Union[None, IPAddress, DomainName] = None 10 | port: PortNumber = PortNumber(2003) 11 | prefix: EscapedStr = EscapedStr("") 12 | interval: TimeUnit = TimeUnit("5s") 13 | tcp: bool = False 14 | 15 | def _validate(self) -> None: 16 | if self.enable and not self.host: 17 | raise ValueError("'host' option must be configured to enable graphite bridge") 18 | 19 | 20 | class MonitoringSchema(ConfigSchema): 21 | """ 22 | --- 23 | metrics: configures, whether metrics/statistics will be collected by the resolver 24 | graphite: optionally configures where should graphite metrics be sent to 25 | """ 26 | 27 | metrics: Literal["manager-only", "lazy", "always"] = "lazy" 28 | graphite: GraphiteSchema = GraphiteSchema() 29 | -------------------------------------------------------------------------------- /python/knot_resolver/datamodel/templates/cache.lua.j2: -------------------------------------------------------------------------------- 1 | cache.open({{ cfg.cache.size_max.bytes() }}, 'lmdb://{{ cfg.cache.storage }}') 2 | cache.min_ttl({{ cfg.cache.ttl_min.seconds() }}) 3 | cache.max_ttl({{ cfg.cache.ttl_max.seconds() }}) 4 | cache.ns_tout({{ cfg.cache.ns_timeout.millis() }}) 5 | 6 | {% if 
cfg.cache.prefill %} 7 | -- cache.prefill 8 | modules.load('prefill') 9 | prefill.config({ 10 | {% for item in cfg.cache.prefill %} 11 | ['{{ item.origin.punycode() }}'] = { 12 | url = '{{ item.url }}', 13 | interval = {{ item.refresh_interval.seconds() }}, 14 | {{ "ca_file = '" + item.ca_file|string + "'," if item.ca_file }} 15 | } 16 | {% endfor %} 17 | }) 18 | {% endif %} 19 | 20 | {% if cfg.cache.prefetch.expiring %} 21 | -- cache.prefetch.expiring 22 | modules.load('prefetch') 23 | {% endif %} 24 | 25 | {% if cfg.cache.prefetch.prediction.enable %} 26 | -- cache.prefetch.prediction 27 | modules.load('predict') 28 | predict.config({ 29 | window = {{ cfg.cache.prefetch.prediction.window.minutes() }}, 30 | period = {{ cfg.cache.prefetch.prediction.period }}, 31 | }) 32 | {% endif %} 33 | -------------------------------------------------------------------------------- /scripts/ci/enable-repo-cznic-labs.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # enable CZ.NIC Labs Debian/Ubuntu repos - see https://pkg.labs.nic.cz/doc/ 3 | set -e 4 | 5 | REPO=$1 6 | if [ -z "${REPO}" ]; then 7 | echo "usage: $0 REPOSITORY" 8 | echo -e "\nPlease see: https://pkg.labs.nic.cz/doc/" 9 | exit 1 10 | fi 11 | if [ "$(whoami)" != "root" ]; then 12 | echo "ERROR: this script must be run as ROOT" 13 | echo -e "\nTry running with sudo:\n\n sudo $0\n" 14 | exit 2 15 | fi 16 | 17 | # update apt metadata and install requirements 18 | apt-get update 19 | apt-get install -y apt-transport-https ca-certificates lsb-release wget 20 | 21 | DISTRO=$(lsb_release -si | tr '[:upper:]' '[:lower:]') 22 | CODENAME=$(lsb_release -sc) 23 | 24 | echo "Enabling $REPO repo on $DISTRO $CODENAME..." 
25 | # get repo signing key 26 | wget -O /usr/share/keyrings/cznic-labs-pkg.gpg https://pkg.labs.nic.cz/gpg 27 | # create repo entry 28 | echo "deb [signed-by=/usr/share/keyrings/cznic-labs-pkg.gpg] https://pkg.labs.nic.cz/$REPO $CODENAME main" > /etc/apt/sources.list.d/cznic-labs-$REPO.list 29 | # update apt metadata from the new repo 30 | apt-get update 31 | -------------------------------------------------------------------------------- /scripts/poe-tasks/run: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source $src_dir/utils/_env.sh 6 | 7 | echo 8 | ninja_dev_install 9 | echo 10 | 11 | echo ------------------------------------ 12 | echo Creating missing runtime directories 13 | echo ------------------------------------ 14 | mkdir -vp $KRES_DEV_INSTALL_DIR/run/knot-resolver $KRES_DEV_INSTALL_DIR/var/cache/knot-resolver 15 | echo 16 | echo --------------------------------------- 17 | echo Building Python komponents using Poetry 18 | echo --------------------------------------- 19 | poetry build 20 | # copy native modules from build directory to source directory 21 | shopt -s globstar 22 | shopt -s nullglob 23 | for d in build/lib*; do 24 | for f in "python/$d/"**/*.so; do 25 | cp -v "$f" ${f#"python/$d/"} 26 | done 27 | done 28 | shopt -u globstar 29 | shopt -u nullglob 30 | 31 | echo 32 | echo -------------------------------------- 33 | echo Starting Knot Resolver wit the Manager 34 | echo -------------------------------------- 35 | python3 -m knot_resolver.manager --config "$KRES_DEV_CONFIG_FILE" "$@" 36 | -------------------------------------------------------------------------------- /scripts/poe-tasks/check-code: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # ensure consistent behaviour 4 | src_dir="$(dirname "$(realpath "$0")")" 5 | source 
$src_dir/utils/_env.sh 6 | 7 | # stop failing early, because we wouldn't do anything else than fail 8 | set +e 9 | 10 | # dirs to check 11 | dirs="python/knot_resolver/ tests/manager scripts/poe-tasks/utils/create_setup.py" 12 | 13 | # check imports 14 | echo -e "${yellow}Checking Python imports using Ruff...${reset}" 15 | ruff check --select I $dirs 16 | check_rv $? 17 | echo 18 | 19 | # check format 20 | echo -e "${yellow}Checking code format using Ruff formatter...${reset}" 21 | ruff format --diff $dirs 22 | check_rv $? 23 | echo 24 | 25 | # run static code analysis 26 | echo -e "${yellow}Running static code analysis using Ruff linter...${reset}" 27 | ruff check python/knot_resolver/ tests/pytests 28 | check_rv $? 29 | echo 30 | 31 | # check typings 32 | echo -e "${yellow}Checking typings using Mypy...${reset}" 33 | mypy python/knot_resolver/ 34 | check_rv $? 35 | echo 36 | 37 | # fancy messages at the end :) 38 | fancy_message 39 | 40 | # exit with the aggregate return value 41 | exit $aggregated_rv 42 | -------------------------------------------------------------------------------- /etc/config/config.migrate-test.yaml: -------------------------------------------------------------------------------- 1 | cache: 2 | garbage-collector: 3 | interval: 2s 4 | prefetch: 5 | prediction: 6 | window: 15m 7 | period: 24 8 | 9 | defer: 10 | enabled: true 11 | 12 | dns64: 13 | rev-ttl: 1d 14 | 15 | dnssec: 16 | refresh-time: 10m 17 | hold-down-time: 30d 18 | time-skew-detection: true 19 | keep-removed: 10 20 | trust-anchor-sentinel: true 21 | trust-anchor-signal-query: true 22 | 23 | local-data: 24 | root-fallback-addresses: 25 | j.root-servers.net.: 26 | - 2001:503:c27::2:30 27 | - 192.58.128.30 28 | root-fallback-addresses-files: 29 | - rfa.zone 30 | 31 | logging: 32 | dnstap: 33 | unix-socket: dnstap.sock 34 | dnssec-bogus: true 35 | debugging: 36 | assertion-abort: false 37 | assertion-fork: 5m 38 | 39 | monitoring: 40 | enabled: always 41 | graphite: 42 | host: 
127.0.0.1 43 | 44 | network: 45 | proxy-protocol: 46 | allow: [172.22.0.1] 47 | tls: 48 | auto-discovery: true 49 | files-watchdog: true 50 | 51 | webmgmt: 52 | interface: 127.0.0.1@5001 53 | 54 | max-workers: 64 55 | 56 | rate-limiting: 57 | rate-limit: 100 58 | -------------------------------------------------------------------------------- /tests/manager/utils/modeling/test_parsing.py: -------------------------------------------------------------------------------- 1 | import copy 2 | from typing import Any, Dict 3 | 4 | import pytest 5 | from pytest import raises 6 | 7 | from knot_resolver.utils.modeling.exceptions import DataValidationError 8 | from knot_resolver.utils.modeling.parsing import data_combine 9 | 10 | # default data 11 | data_default = {"key1": {"inner11": False}} 12 | 13 | 14 | @pytest.mark.parametrize( 15 | "val,res", 16 | [ 17 | ({"key2": "value"}, {"key1": {"inner11": False}, "key2": "value"}), 18 | ({"key2": {"inner21": True}}, {"key1": {"inner11": False}, "key2": {"inner21": True}}), 19 | ({"key1": {"inner12": 5}}, {"key1": {"inner11": False, "inner12": 5}}), 20 | ], 21 | ) 22 | def test_data_combine_valid(val: Dict[Any, Any], res: Dict[Any, Any]) -> None: 23 | data = copy.deepcopy(data_default) 24 | assert data_combine(data, val) == res 25 | 26 | 27 | @pytest.mark.parametrize("val", [{"key1": "value"}, {"key1": {"inner11": False}}]) 28 | def test_data_combine_invalid(val: Dict[Any, Any]) -> None: 29 | data = copy.deepcopy(data_default) 30 | with raises(DataValidationError): 31 | data_combine(data, val) 32 | -------------------------------------------------------------------------------- /daemon/ffimodule.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) CZ.NIC, z.s.p.o. 
2 | * SPDX-License-Identifier: GPL-3.0-or-later 3 | */ 4 | 5 | #pragma once 6 | 7 | #include "lib/defines.h" 8 | #include "lib/layer.h" 9 | #include 10 | struct engine; 11 | struct kr_module; 12 | 13 | /** 14 | * Register Lua module as a FFI module. 15 | * This fabricates a standard module interface, 16 | * that trampolines to the Lua module methods. 17 | * 18 | * @note Lua module is loaded in it's own coroutine, 19 | * so it's possible to yield and resume at arbitrary 20 | * places except deinit() 21 | * 22 | * @param engine daemon engine 23 | * @param module prepared module 24 | * @param name module name 25 | * @return 0 or an error 26 | */ 27 | int ffimodule_register_lua(struct kr_module *module, const char *name); 28 | 29 | int ffimodule_init(lua_State *L); 30 | void ffimodule_deinit(lua_State *L); 31 | 32 | /** Static storage for faster passing of layer function parameters to lua callbacks. 33 | * 34 | * We don't need to declare it in a header, but let's give it visibility. */ 35 | KR_EXPORT extern kr_layer_t kr_layer_t_static; 36 | 37 | -------------------------------------------------------------------------------- /doc/user/gettingstarted-install.rst: -------------------------------------------------------------------------------- 1 | .. SPDX-License-Identifier: GPL-3.0-or-later 2 | 3 | .. _gettingstarted-install: 4 | 5 | ************ 6 | Installation 7 | ************ 8 | 9 | Some Linux distributions contain Knot Resolver in their official repositories, 10 | but their policies usually don't allow keeping it up to date. 11 | Therefore we recommend to use upstream repositories which have the **latest stable version** of Knot Resolver. 12 | 13 | Please, follow the instructions for your packaging system: 14 | 15 | .. tabs:: 16 | 17 | .. tab:: Debian/Ubuntu 18 | 19 | Please follow https://pkg.labs.nic.cz/doc/?project=knot-resolver 20 | 21 | .. tab:: .rpm 22 | 23 | Please follow https://copr.fedorainfracloud.org/coprs/g/cznic/knot-resolver/ 24 | 25 | .. 
tab:: Docker 26 | 27 | DockerHub page: https://hub.docker.com/r/cznic/knot-resolver 28 | 29 | .. code:: bash 30 | 31 | sudo docker run -ti --net=host docker.io/cznic/knot-resolver:6 32 | 33 | If for some reason you need to install Knot Resolver **from sources**, 34 | check out the `building from sources <./dev/build.html>`_ section in the developer documentation. 35 | --------------------------------------------------------------------------------