tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

resolved: don't follow CNAMEs originating from DNS on LLMNR Fixes: #2514

resolved: rework what ResolveHostname() with family == AF_UNSPEC means Previously, if a hostanem is resolved with AF_UNSPEC specified, this would be used as indication to resolve both an AF_INET and an AF_INET6 address. With this change this logic is altered: an AF_INET address is only resolved if there's actually a routable IPv4 address on the specific interface, and similar an AF_INET6 address is only resolved if there's a routable IPv6 address. With this in place, it's ensured that the returned data is actually connectable by applications. This logic mimics glibc's resolver behaviour. Note that if the client asks explicitly for AF_INET or AF_INET6 it will get what it asked for. This also simplifies the logic how it is determined whether a specific lookup shall take place on a scope. Specifically, the checks with dns_scope_good_key() are now moved out of the transaction code and into the query code, so that we don't even create a transaction object on a specific scope if we cannot execute the resolution on it anyway.

resolved: teach resolved the difference between "routing" and "search" domains Following the changes to expose the "routing" and "search" domain concepts in networkd, actually make resolved use them. It will now use routing domains exclusively for making DNS routing decisions, and use search domains additionally for extending single-label names.

resolved: use dns_query_reset_answer() where we can

resolved: properly propagate query candidate error We already properly propagate errors from transactions to queries. Make sure that errors that happened during handling of query candidates are propagated to the query, too.

resolved: replace DNS_TRANSACTION_RESOURCES by DNS_TRANSACTION_ERRNO Whenever we encounter an OS error we did not expect, we so far put the transaction into DNS_TRANSACTION_RESOURCES state. Rename this state to DNS_TRANSACTION_ERRNO, and save + propagate the actual system error to the caller. This should make error messages triggered by system errors much more readable by the user.

resolved: synthesize RRs for data from /etc/hosts This way the difference between lookups via NSS and our native bus API should become minimal.

resolved: properly handle LLMNR/TCP connection errors The LLMNR spec suggests to do do reverse address lookups by doing direct LLMNR/TCP connections to the indicated address, instead of doing any LLMNR multicast queries. When we do this and the peer doesn't actually implement LLMNR this will result in a TCP connection error, which we need to handle. In contrast to most LLMNR lookups this will give us a quick response on whether we can find a suitable name. Report this as new transaction state, since this should mostly be treated like an NXDOMAIN rcode, except that it's not one.

resolved: split out RR synthesis logic into its own C file Also, while we are at it, set the "authenticated" bit for everything we synthesize

resolved: move dns_type_to_af() to dns-type.c

resolve: generate a nice clean error when clients try to resolve a name when the network is down

resolved: end log messages in a full stop

resolved: never consider following a CNAME/DNAME chain for a CNAME/DNAME lookup Let's avoid thinking that a CNAME/DNAME chain traversal could be a good idea if QTYPE is already CNAME/DNAME. (Also, let's bail out early when trying to see if some RR is a suitable CNAME/DNAME for some other RR).

resolved: when following a CNAME, turn off search domains If the first step was done via a search domain, make sure the subsequent steps are not.

resolved: properly reset old collected data when following a CNAME redirect

resolved: rework IDNA logic Move IDNA logic out of the normal domain name processing, and into the bus frontend calls. Previously whenever comparing two domain names we'd implicitly do IDNA conversion so that "pöttering.de" and "xn--pttering-n4a.de" would be considered equal. This is problematic not only for DNSSEC, but actually also against he IDNA specs. Moreover it creates problems when encoding DNS-SD services in classic DNS. There, the specification suggests using UTF8 encoding for the actual service name, but apply IDNA encoding to the domain suffix. With this change IDNA conversion is done only: - When the user passes a non-ASCII hostname when resolving a host name using ResolveHostname() - When the user passes a non-ASCII domain suffix when resolving a service using ResolveService() No IDNA encoding is done anymore: - When the user does raw ResolveRecord() RR resolving - On the service part of a DNS-SD service name Previously, IDNA encoding was done when serializing names into packets, at a point where information whether something is a label that needs IDNA encoding or not was not available, but at a point whether it was known whether to generate a classic DNS packet (where IDNA applies), or an mDNS/LLMNR packet (where IDNA does not apply, and UTF8 is used instead for all host names). With this change each DnsQuery object will now maintain two copies of the DnsQuestion to ask: one encoded in IDNA for use with classic DNS, and one encoded in UTF8 for use with LLMNR and MulticastDNS.

resolved: fix logging about DNAME redirection

resolved: set a description on all our event sources

resolved: query_process_cname - make fully recursive This ensures we properly resolve the CNAME chain as far as we can, rather than only CNAME chains of length one.

resolved: never use data from failed transactions Otherwise if we have an A lookup that failed DNSSEC validation, but an AAAA lookup that succeeded, we might end up using the A data, but we really should not.

resolved: propagate the DNSSEC result from the transaction to the query and the the bus client It's useful to generate useful errors, so let's do that.

resolved: rename DNS_TRANSACTION_FAILURE → DNS_TRANSACTION_RCODE_FAILURE We have many types of failure for a transaction, and DNS_TRANSACTION_FAILURE was just one specific one of them, if the server responded with a non-zero RCODE. Hence let's rename this, to indicate which kind of failure this actually refers to.

resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.

resolved: don't choke on NULL DNS transactions when determining query candidate state

resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.

resolved: log when we chase a CNAME RR

resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.

resolved: don't bother with picking a search domain when searching is disabled

tree-wide: remove unused variables

resolved: don't follow the global search list on local scopes It probably doesn't make sense to mix local and global configuration. Applying global search lists to local DNS servers appears unnecessary and creates problems because we'll traverse the search domains non-simultaneously on multiple scopes. Also see: https://github.com/systemd/systemd/pull/2031

resolved: store just the DnsAnswer instead of a DnsPacket as answer in DnsTransaction objects Previously we'd only store the DnsPacket in the DnsTransaction, and the DnsQuery would then take the DnsPacket's DnsAnswer and return it. With this change we already pull the DnsAnswer out inside the transaction. We still store the DnsPacket in the transaction, if we have it, since we still need to determine from which peer a response originates, to implement caching properly. However, the DnsQuery logic doesn't care anymore for the packet, it now only looks at answers and rcodes from the successfuly candidate. This also has the benefit of unifying how we propagate incoming packets, data from the local zone or the local cache.

resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697

resolved: don't claim DnsQuestion have to have the same names Wen DnsQuestion objects are used for DnsQuery objects all contained keys have to share the same name, but otherwise they generally don't have to, and this can actually happen in real-life because DnsPacket objects for mDNS use DnsQuestion for the question section. Hence, rename: dns_question_is_valid() to dns_question_is_valid_for_query(), since the name uniqueness check it does is only relevant when used for a query. Similar, rename dns_question_name() to dns_question_first_name(), to be more accurate, as this difference matters if we keys don#t have to share the same name.

resolved: add ResolveService() bus call for resolving SRV and DNS-SD services This also adds client-side support for this to systemd-resolve-host. Note that the ResolveService() API can deal both with DNS-SD service (consisting of service name, type and domain), as well as classic SRV services (consisting just of a type and a domain), all exposed in the same call. This patch also reworks CNAME handling in order to reuse it between hostname, RR and service lookups. In contrast to Avahi and Bonjour, this new API will actually reolve the A/AAAA RRs the SRV RRs point to in one go (unless this is explicitly disabled). This normally comes for free, as these RRs are sent along the SRV responses anyway, hence let's make use of that. This makes the API considerably easier to use, as a single ResolveService() invocation will return all necessary data to pick a server and connect() to it. Note that this only implements the DNS-SD resolving step, it does not implement DNS-SD browsing, as that makes sense primarily on mDNS, due to its continuous nature.

util-lib: split out allocation calls into alloc-util.[ch]

resolved: rr - introduce dns_resource_key_new_redirect() Takes a key and CNAME RR and returns the canonical RR of the right type. Make use of this in dns_question_redirect().

resolved: remove duplicate handling of "no servers" query result So far we handled immediate "no server" query results differently from "no server" results we ran into during operation: the former would cause the dns_query_go() call to fail with ESRCH, the later would result in the query completion callback to be called. Remove the duplicate codepaths, by always going through the completion callback. This allows us to remove quite a number of lines for handling the ESRCH. This commit should not alter behaviour at all.

resolved: always split up questions into per-RR transactions We do so for Unicast DNS and LLMNR anyway, let's also do this for mDNS, and simplify things.

resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.

resolved: rework synthesizing logic With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.

resolved: locally synthesize replies for "localhost" Let's make sure that clients querying resolved via the bus for A, AAAA or PTR records for "localhost" get a synthesized, local reply, so that we do not hit the network. This makes part of nss-myhostname redundant, if used in conjunction. However, given that nss-resolve shall be optional we need to keep this code in both places for now.

tree-wide: get rid of a few more explicit bus parameters

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.

resolved: allow passing on which protocol, family and interface to look something up Also, return on which protocol/family/interface we found something.

resolved: destroy outstanding queries if the clients that initiated them die

resolved: never reuse transactions for probing that are already completed based on cached data

resolved: use CLOCK_BOOTTIME instead of CLOCK_MONOTONIC when aging caches and timeing out transactions That way the cache doens't get confused when the system is suspended.

resolved: implement LLMNR uniqueness verification

resolved: when we got a successful DNS reply, then only wait for other transactions on the same scope, nowhere else

resolved: follow more closely the recommend timeouts and TTLs from the LLMNR spec

resolved: only cache answer RRs, never additional or authoritative RRs of responses

resolved: the llmnr destination address check applies to queries, not to responses

resolved: add more debug logging

resolved: discard more invalid llmnr messages

resolved: when resolving an address PTR record via llmnr, make a tcp connection by default

resolve: add llmnr responder side for UDP and TCP Name defending is still missing.

resolved: most DNS servers can't handle more than one question per packet, hence let's not generate that

resolved: implement negative caching

resolved: rework logic so that we can share transactions between queries of different clients

resolved: add LLMNR support for looking up names

resolved: add DNS cache

resolved: enforce limit on concurrent outstanding queries

resolved: add CNAME lookup support

resolved: support for TCP DNS queries

resolve: add distinct bus error code for hosts that exist but lack A or AAAA records

resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)