b26fa1a2fbcfee7d03b0c8fd15ec3aa64ae70b9f |
|
10-Feb-2016 |
Daniel Mack <daniel@zonque.org> |
tree-wide: remove Emacs lines from all files
This should be handled fine now by .dir-locals.el, so need to carry that
stuff in every file. |
43e6779ac2ee8a8a522350eda97311c4f8487ffe |
|
17-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved: when we find a DNAME RR, don't insist in a signed CNAME RR
If we have a signed DNAME RR response, there's no need to insist on a signature for a CNAME RR response, after all it
is unlikely to be signed, given the implicit synthethis of CNAME through DNAME RRs. |
e926785a1feff01901e6298261a9f635791d3b17 |
|
13-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved: implement the full NSEC and NSEC3 postive wildcard proofs |
0c8570287400ba57d3705a2f62dd26039121ea6f |
|
04-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved: partially implement RFC5011 Trust Anchor support
With this patch resolved will properly handle revoked keys, but not
augment the locally configured trust anchor database with newly learned
keys.
Specifically, resolved now refuses validating RRsets with
revoked keys, and it will remove revoked keys from the configured trust
anchors (only until reboot).
This patch does not add logic for adding new keys to the set of trust
anchors. This is a deliberate decision as this only can work with
persistent disk storage, and would result in a different update logic
for stateful and stateless systems. Since we have to support stateless
systems anyway, and don't want to encourage two independent upgrade
paths we focus on upgrading the trust anchor database via the usual OS
upgrade logic.
Whenever a trust anchor entry is found revoked and removed from the
trust anchor a recognizable log message is written, encouraging the user
to update the trust anchor or update his operating system. |
7feea00bb06bca94545d5682930c11a6dee9c642 |
|
29-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: don't allow RRs with TTL=0 and TTL!=0 in the same RRset |
6b2f709364b3bb4277de3d6fa2e5b45ba3c12424 |
|
26-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: make use of dns_type_may_redirect() where possible |
7b50eb2efa122200e39646c19a29abab302f7d24 |
|
26-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: internalize string buffer of dns_resource_record_to_string()
Let's simplify usage and memory management of DnsResourceRecord's
dns_resource_record_to_string() call: cache the formatted string as
part of the object, and return it on subsequent calls, freeing it when
the DnsResourceRecord itself is freed. |
81f7fc5e841472b626698f386ed9445dac13944a |
|
26-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: when looking for a SOA RR in a reply, pick the right one
If there are multiple SOA RRs, and we look for a suitable one covering
our request, then make sure to pick the one that is furthest away from
the root name, not just the first one we encounter. |
2615691003b9d73a92590b8250a54ad135e3a33b |
|
18-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: add a call that dumps the contents of a DnsAnswer structure
This is not used anywhere, but it's extremely useful when debugging. |
fd009cd80e511587c6afae59da8aff14e5e18fa3 |
|
18-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: check SOA authentication state when negative caching
We should never use the TTL of an unauthenticated SOA to cache an
authenticated RR. |
105e151299dc1208855380be2b22d0db2d66ebc6 |
|
18-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned
This large patch adds a couple of mechanisms to ensure we get NSEC3 and
proof-of-unsigned support into place. Specifically:
- Each item in an DnsAnswer gets two bit flags now:
DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is
necessary since DNS responses might contain signed as well as unsigned
RRsets in one, and we need to remember which ones are signed and which
ones aren't. The latter is necessary, since not we need to keep track
which RRsets may be cached and which ones may not be, even while
manipulating DnsAnswer objects.
- The .n_answer_cachable of DnsTransaction is dropped now (it used to
store how many of the first DnsAnswer entries are cachable), and
replaced by the DNS_ANSWER_CACHABLE flag instead.
- NSEC3 proofs are implemented now (lacking support for the wildcard
part, to be added in a later commit).
- Support for the "AD" bit has been dropped. It's unsafe, and now that
we have end-to-end authentication we don't need it anymore.
- An auxiliary DnsTransaction of a DnsTransactions is now kept around as
least as long as the latter stays around. We no longer remove the
auxiliary DnsTransaction as soon as it completed. THis is necessary,
as we now are interested not only in the RRsets it acquired but also
in its authentication status. |
1849cb7cb723e8ea7c13b967d056c1d3a36d9042 |
|
18-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: don't check for NULL DnsAnswer object explicitly where unnecessary
The DNS_ANSWER_FOREACH macros do this internally anyway, no need to
duplicate this. |
72667f0890372a952a7c5b8cc498ec3cf9440973 |
|
14-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: add basic proof of non-existance support for NSEC+NSEC3
Note that this is not complete yet, as we don't handle wildcard domains
correctly, nor handle domains correctly that use empty non-terminals. |
29c1519ed4899d139fa7b2079311cff6c4fb64a8 |
|
11-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: don't eat up errors
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname()
may return errors as negative return values. Make sure to propagate
those. |
5d27351f8546530cf779847b0b04b0172c09f9d0 |
|
10-Dec-2015 |
Tom Gundersen <teg@jklm.no> |
resolved: cache - do negative caching only on the canonical name
Apart from dropping redundant information, this fixes an issue
where, due to broken DNS servers, we can only be certain of whether
an apparent NODATA response is in fact an NXDOMAIN response after
explicitly resolving the canonical name. This issue is outlined in
RFC2308. Moreover, by caching NXDOMAIN for an existing name, we
would mistakenly return NXDOMAIN for types which should not be
redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly
returns NXDOMAIN, but a query for CNAME should return the record
and a query for DNAME should return NODATA.
Note that this means we will not cache an NXDOMAIN response in the
presence of redirection, meaning one redundant roundtrip in case the
name is queried again. |
547973dea7abd6c124ff6c79fe2bbe322a7314ae |
|
10-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled
This adds initial support for validating RRSIG/DNSKEY/DS chains when
doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not
implemented yet.
With this change DnsTransaction objects will generate additional
DnsTransaction objects when looking for DNSKEY or DS RRs to validate an
RRSIG on a response. DnsTransaction objects are thus created for three
reasons now:
1) Because a user asked for something to be resolved, i.e. requested by
a DnsQuery/DnsQueryCandidate object.
2) As result of LLMNR RR probing, requested by a DnsZoneItem.
3) Because another DnsTransaction requires the requested RRs for
validation of its own response.
DnsTransactions are shared between all these users, and are GC
automatically as soon as all of these users don't need a specific
transaction anymore.
To unify the handling of these three reasons for existance for a
DnsTransaction, a new common naming is introduced: each DnsTransaction
now tracks its "owners" via a Set* object named "notify_xyz", containing
all owners to notify on completion.
A new DnsTransaction state is introduced called "VALIDATING" that is
entered after a response has been receieved which needs to be validated,
as long as we are still waiting for the DNSKEY/DS RRs from other
DnsTransactions.
This patch will request the DNSKEY/DS RRs bottom-up, and then validate
them top-down.
Caching of RRs is now only done after verification, so that the cache is
not poisoned with known invalid data.
The "DnsAnswer" object gained a substantial number of new calls, since
we need to add/remove RRs to it dynamically now. |
2f763887b8696f2fd2d577bfbd011f3b2e889c1a |
|
10-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: grow DnsAnswer exponentially
When increasing the DnsAnswer array, don't operate piecemeal, grow the
array exponentially.
This way, the default logic for DnsAnswer allocations matches the
behaviour for GREEDY_REALLOC and suchlike, and we can reduce the number
of necessary allocations. |
c296dd2eea308e9ef73eb81f31e9eeaa32c30895 |
|
10-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: refuse modifying DnsAnswer objects that have more than one reference
DnsAnswer objects should be considered immutable after having passed to
more than one user, i.e. with a reference counter > 1. Enforce that in
code, so that we can track down misuses easier. |
d42800f18e78573c81e7caa134fb9311c5a32b5f |
|
10-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: split out logic to flush DnsAnswer objects
Let's simplify things, by making this a function call of its own. |
801ad6a6a9cd8fbd58b9f9c27f20dbb3c87d47dd |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: fully support DNS search domains
This adds support for searching single-label hostnames in a set of
configured search domains.
A new object DnsQueryCandidate is added that links queries to scopes.
It keeps track of the search domain last used for a query on a specific
link. Whenever a host name was unsuccessfuly resolved on a scope all its
transactions are flushed out and replaced by a new set, with the next
search domain appended.
This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain
behaviour. The "systemd-resolve-host" tool is updated to make this
configurable via --search=.
Fixes #1697 |
b5efdb8af40ea759a1ea584c1bc44ecc81dd00ce |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out allocation calls into alloc-util.[ch] |
07630cea1f3a845c09309f197ac7c4f11edd3b62 |
|
24-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch]
There are more than enough calls doing string manipulations to deserve
its own files, hence do something about it.
This patch also sorts the #include blocks of all files that needed to be
updated, according to the sorting suggestions from CODING_STYLE. Since
pretty much every file needs our string manipulation functions this
effectively means that most files have sorted #include blocks now.
Also touches a few unrelated include files. |
5eefe544efbfbbd0d0026ca28913a9e82fec187c |
|
16-Sep-2015 |
Tom Gundersen <teg@jklm.no> |
resolved: cache - cache what we can of negative redirect chains
When a NXDATA or a NODATA response is received for an alias it may
include CNAME records from the redirect chain. We should cache the
response for each of these names to avoid needless roundtrips in
the future.
It is not sufficient to do the negative caching only for the
canonical name, as the included redirection chain is not guaranteed
to be complete. In fact, only the final CNAME record from the chain
is guaranteed to be included.
We take care not to cache entries that redirects outside the current
zone, as the SOA will then not be valid. |
78c6a153c47f8d597c827bdcaf8c4e42ac87f738 |
|
21-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: rework synthesizing logic
With this change we'll now also generate synthesized RRs for the local
LLMNR hostname (first label of system hostname), the local mDNS hostname
(first label of system hostname suffixed with .local), the "gateway"
hostname and all the reverse PTRs. This hence takes over part of what
nss-myhostname already implemented.
Local hostnames resolve to the set of local IP addresses. Since the
addresses are possibly on different interfaces it is necessary to change
the internal DnsAnswer object to track per-RR interface indexes, and to
change the bus API to always return the interface per-address rather than
per-reply. This change also patches the existing clients for resolved
accordingly (nss-resolve + systemd-resolve-host).
This also changes the routing logic for queries slightly: we now ensure
that the local hostname is never resolved via LLMNR, thus making it
trustable on the local system. |
4ad7f2761da661853dcc29d542efb4727abb1101 |
|
10-Jun-2015 |
Nick Owens <nick.owens@coreos.com> |
resolve: move dns routines into shared |
084cea6cee1471d81e078bea4e7ee5f50a5dc009 |
|
18-May-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: allow DnsAnswer objects with no space for RRs
They might be created as result of merged answer sets, hence accept
them.
http://lists.freedesktop.org/archives/systemd-devel/2015-April/030834.html |
57f5ad3149b604d07816da61e6aa7dcf1cc56b64 |
|
30-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: properly set TTL in SOA records |
8bf52d3d17d364438191077d0750b8b80b5dc53a |
|
30-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: include SOA records in LLMNR replies for non-existing RRs to allow negative caching |
0f05c387597a93fa74cdf7d351fd255aca56026d |
|
30-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: never attempt negative caching of SOA records |
af93291cc4cbd2fe2fb4af7d3c56138fb39f31dc |
|
30-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: when answer A or AAAA questions, order responses by whether addresses are link-local or not |
934e9b10b4f4bfb48e21883670c7f45b6911fa9b |
|
23-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: most DNS servers can't handle more than one question per packet, hence let's not generate that |
7e8e0422aeb16f2a09a40546c61df753d10029b6 |
|
23-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: implement negative caching |
faa133f3aa7a18f26563dc5d6b95898cb315c37a |
|
23-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: rework logic so that we can share transactions between queries of different clients |