b26fa1a2fbcfee7d03b0c8fd15ec3aa64ae70b9f
10-Feb-2016
Daniel Mack <daniel@zonque.org>
tree-wide: remove Emacs lines from all files
This should be handled fine now by .dir-locals.el, so no need to carry that
stuff in every file.

7b50eb2efa122200e39646c19a29abab302f7d24
26-Dec-2015
Lennart Poettering <lennart@poettering.net>
resolved: internalize string buffer of dns_resource_record_to_string()
Let's simplify usage and memory management of DnsResourceRecord's
dns_resource_record_to_string() call: cache the formatted string as
part of the object, and return it on subsequent calls, freeing it when
the DnsResourceRecord itself is freed.

222148b66d1abf5b05c9d803472a9368331dae53
18-Dec-2015
Lennart Poettering <lennart@poettering.net>
resolved: make use of dns_{class|type}_is_{pseudo|valid_rr}() everywhere

105e151299dc1208855380be2b22d0db2d66ebc6
18-Dec-2015
Lennart Poettering <lennart@poettering.net>
resolved: add support for NSEC3 proofs, as well as proofs for domains that are OK to be unsigned
This large patch adds a couple of mechanisms to ensure we get NSEC3 and
proof-of-unsigned support into place. Specifically:
- Each item in a DnsAnswer gets two bit flags now:
  DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is
  necessary since DNS responses might contain signed as well as unsigned
  RRsets in one, and we need to remember which ones are signed and which
  ones aren't. The latter is necessary, since now we need to keep track of
  which RRsets may be cached and which ones may not be, even while
  manipulating DnsAnswer objects.
- The .n_answer_cachable of DnsTransaction is dropped now (it used to
  store how many of the first DnsAnswer entries are cachable), and
  replaced by the DNS_ANSWER_CACHEABLE flag instead.
- NSEC3 proofs are implemented now (lacking support for the wildcard
  part, to be added in a later commit).
- Support for the "AD" bit has been dropped. It's unsafe, and now that
  we have end-to-end authentication we don't need it anymore.
- An auxiliary DnsTransaction of a DnsTransaction is now kept around at
  least as long as the latter stays around. We no longer remove the
  auxiliary DnsTransaction as soon as it completed. This is necessary,
  as we now are interested not only in the RRsets it acquired but also
  in its authentication status.

547973dea7abd6c124ff6c79fe2bbe322a7314ae
10-Dec-2015
Lennart Poettering <lennart@poettering.net>
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled
This adds initial support for validating RRSIG/DNSKEY/DS chains when
doing lookups. Proof-of-non-existence, or proof-of-unsigned-zones is not
implemented yet.
With this change DnsTransaction objects will generate additional
DnsTransaction objects when looking for DNSKEY or DS RRs to validate an
RRSIG on a response. DnsTransaction objects are thus created for three
reasons now:
1) Because a user asked for something to be resolved, i.e. requested by
   a DnsQuery/DnsQueryCandidate object.
2) As result of LLMNR RR probing, requested by a DnsZoneItem.
3) Because another DnsTransaction requires the requested RRs for
   validation of its own response.
DnsTransactions are shared between all these users, and are GC'ed
automatically as soon as none of these users needs a specific
transaction anymore.
To unify the handling of these three reasons for existence for a
DnsTransaction, a new common naming is introduced: each DnsTransaction
now tracks its "owners" via a Set* object named "notify_xyz", containing
all owners to notify on completion.
A new DnsTransaction state is introduced called "VALIDATING" that is
entered after a response has been received which needs to be validated,
as long as we are still waiting for the DNSKEY/DS RRs from other
DnsTransactions.
This patch will request the DNSKEY/DS RRs bottom-up, and then validate
them top-down.
Caching of RRs is now only done after verification, so that the cache is
not poisoned with known invalid data.
The "DnsAnswer" object gained a substantial number of new calls, since
we need to add/remove RRs to it dynamically now.

1b4f6e79ec51a57003896a0b605fba427b4a98d2
03-Dec-2015
Lennart Poettering <lennart@poettering.net>
resolved: optionally, allocate DnsResourceKey objects on the stack
Sometimes when looking up entries in hashmaps indexed by a
DnsResourceKey it is helpful not to have to allocate a full
DnsResourceKey dynamically just to use it as search key. Instead,
optionally allow allocation of a DnsResourceKey on the stack. Resource
keys allocated like that of course are subject to other lifetime cycles
than the usual Resource keys, hence initialize the reference counter
to (unsigned) -1.
While we are at it, remove the prototype for
dns_resource_key_new_dname() which was never implemented.

801ad6a6a9cd8fbd58b9f9c27f20dbb3c87d47dd
25-Nov-2015
Lennart Poettering <lennart@poettering.net>
resolved: fully support DNS search domains
This adds support for searching single-label hostnames in a set of
configured search domains.
A new object DnsQueryCandidate is added that links queries to scopes.
It keeps track of the search domain last used for a query on a specific
link. Whenever a host name was unsuccessfully resolved on a scope all its
transactions are flushed out and replaced by a new set, with the next
search domain appended.
This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain
behaviour. The "systemd-resolve-host" tool is updated to make this
configurable via --search=.
Fixes #1697

5032b16dfe395112d72798581664992429f90d17
18-Nov-2015
Lennart Poettering <lennart@poettering.net>
resolved: simplify dns zone logic: take a single key when looking up entries
Instead of taking a DnsQuestion object (i.e. an array of keys) only take
a single key. This simplifies things a bit, and as DNS/LLMNR require a
single question per query message, this was unnecessary anyway.
This mimics a similar change that was done a while ago for the dns cache
logic.

b5efdb8af40ea759a1ea584c1bc44ecc81dd00ce
27-Oct-2015
Lennart Poettering <lennart@poettering.net>
util-lib: split out allocation calls into alloc-util.[ch]

07630cea1f3a845c09309f197ac7c4f11edd3b62
24-Oct-2015
Lennart Poettering <lennart@poettering.net>
util-lib: split our string-related calls from util.[ch] into its own file string-util.[ch]
There are more than enough calls doing string manipulations to deserve
their own files, hence do something about it.
This patch also sorts the #include blocks of all files that needed to be
updated, according to the sorting suggestions from CODING_STYLE. Since
pretty much every file needs our string manipulation functions this
effectively means that most files have sorted #include blocks now.
Also touches a few unrelated include files.

525d3cc746a037e8cc6b2e0ebaaf76a51856fa6b
09-Sep-2015
Lennart Poettering <lennart@poettering.net>
tree-wide: take benefit of the fact that hashmap_free() returns NULL
And set_free() too.
Another Coccinelle patch.

4d506d6bb757af3b99e0876234c465e6898c5ea4
26-Aug-2015
Lennart Poettering <lennart@poettering.net>
resolved: dump cache and zone contents to syslog on SIGUSR1

f52e61da047d7fc74e83f12dbbf87e0cbcc51c73
21-Aug-2015
Lennart Poettering <lennart@poettering.net>
resolved: only maintain one question RR key per transaction
Let's simplify things and only maintain a single RR key per transaction
object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't
support multiple questions per packet anyway, and Multicast DNS suggests
coalescing questions beyond a single dns query, across the whole system.

78c6a153c47f8d597c827bdcaf8c4e42ac87f738
21-Aug-2015
Lennart Poettering <lennart@poettering.net>
resolved: rework synthesizing logic
With this change we'll now also generate synthesized RRs for the local
LLMNR hostname (first label of system hostname), the local mDNS hostname
(first label of system hostname suffixed with .local), the "gateway"
hostname and all the reverse PTRs. This hence takes over part of what
nss-myhostname already implemented.
Local hostnames resolve to the set of local IP addresses. Since the
addresses are possibly on different interfaces it is necessary to change
the internal DnsAnswer object to track per-RR interface indexes, and to
change the bus API to always return the interface per-address rather than
per-reply. This change also patches the existing clients for resolved
accordingly (nss-resolve + systemd-resolve-host).
This also changes the routing logic for queries slightly: we now ensure
that the local hostname is never resolved via LLMNR, thus making it
trustable on the local system.

4ad7f2761da661853dcc29d542efb4727abb1101
10-Jun-2015
Nick Owens <nick.owens@coreos.com>
resolve: move dns routines into shared

da927ba997d68401563b927f92e6e40e021a8e5c
28-Nov-2014
Michal Schmidt <mschmidt@redhat.com>
treewide: no need to negate errno for log_*_errno()
It correctly handles both positive and negative errno values.

0a1beeb64207eaa88ab9236787b1cbc2f704ae14
28-Nov-2014
Michal Schmidt <mschmidt@redhat.com>
treewide: auto-convert the simple cases to log_*_errno()
As a followup to 086891e5c1 "log: add an "error" parameter to all
low-level logging calls and intrdouce log_error_errno() as log calls
that take error numbers", use sed to convert the simple cases to use
the new macros:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'
Multi-line log_*() invocations are not covered.
And we also should add log_unit_*_errno().

d5099efc47d4e6ac60816b5381a5f607ab03f06e
15-Sep-2014
Michal Schmidt <mschmidt@redhat.com>
hashmap: introduce hash_ops to make struct Hashmap smaller
It is redundant to store 'hash' and 'compare' function pointers in
struct Hashmap separately. The functions always comprise a pair.
Store a single pointer to struct hash_ops instead.
systemd keeps hundreds of hashmaps, so this saves a little bit of
memory.

bf1594f54ea4b49eee95a16796ec11c55314b2a4
12-Aug-2014
Thomas Hindoe Paaboel Andersen <phomes@gmail.com>
resolved: initialize counter
introduced in: a407657425a3e47fd2b559cd3bc800f791303f63

4d91eec42d3ba547c4e2578df0d6fd568075647b
11-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: actually, the peer with the lower IP address wins conflicts

3ef64445cdf12d7703aa79b39f3c170037d587c7
11-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: make sure we don't mark the wrong zone RRs conflicting

2fb3034cb21c745ed4f9aa4cba57563f7f071466
11-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: be a bit more communicative about conflicts

902bb5d8abb2a7d258741828d212ca549ab16950
11-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: verify all RRs when we come back from suspend

a407657425a3e47fd2b559cd3bc800f791303f63
11-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: implement full LLMNR conflict detection logic

3ef77d0476046a660c1b4704140797c447e6ce3a
11-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: properly check return value of dns_resource_record_equal()

d84b686f06a7f724c12dcace0ab5cb82d01885f9
05-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: stop the prober when we detect a conflict in LLMNR

60eb3f7cf1b9c183559ce5c9a21cf2cfd6e6da05
05-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: don't override zone item state after starting the probe
After all, the probe might be finished immediately (due to resources,
...), and we shouldn't then set the state back to probing.

dc4d47e2c79aafa3ef646e32ff3422c4ce935c1b
05-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: never reuse transactions for probing that are already completed based on cached data

cd1b20f90abb1e49d60d8c3f4a7665ca93bea436
05-Aug-2014
Lennart Poettering <lennart@poettering.net>
resolved: if there's already an RR established that has the same name of an RR to be established, skip probing the name
After all, what has been probed once, doesn't need to be probed again.

ec2c5e4398f9d65e5dfe61530f2556224733d1e6
31-Jul-2014
Lennart Poettering <lennart@poettering.net>
resolved: implement LLMNR uniqueness verification

57f5ad3149b604d07816da61e6aa7dcf1cc56b64
30-Jul-2014
Lennart Poettering <lennart@poettering.net>
resolved: properly set TTL in SOA records

8bf52d3d17d364438191077d0750b8b80b5dc53a
30-Jul-2014
Lennart Poettering <lennart@poettering.net>
resolved: include SOA records in LLMNR replies for non-existing RRs to allow negative caching

d532366133a29136ad2dd95cb9268c7bbbb4d3ee
30-Jul-2014
Lennart Poettering <lennart@poettering.net>
resolved: respond to ANY queries from our zone

1d3b690fbd9a89491d938188582a8031d91ebbc8
30-Jul-2014
Lennart Poettering <lennart@poettering.net>
resolved: don't allow adding of ANY class/type RRs to local zones

623a4c97b9175f95c4b1c6fc34e36c56f1e4ddbf
29-Jul-2014
Lennart Poettering <lennart@poettering.net>
resolve: add llmnr responder side for UDP and TCP
Name defending is still missing.