b26fa1a2fbcfee7d03b0c8fd15ec3aa64ae70b9f |
|
10-Feb-2016 |
Daniel Mack <daniel@zonque.org> |
tree-wide: remove Emacs lines from all files
This should be handled fine now by .dir-locals.el, so need to carry that
stuff in every file. |
011696f76233486bc56c266b18a328924f70269c |
|
01-Feb-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved: rework what ResolveHostname() with family == AF_UNSPEC means
Previously, if a hostname is resolved with AF_UNSPEC specified, this would be used as indication to resolve both an
AF_INET and an AF_INET6 address. With this change this logic is altered: an AF_INET address is only resolved if there's
actually a routable IPv4 address on the specific interface, and similarly an AF_INET6 address is only resolved if there's
a routable IPv6 address. With this in place, it's ensured that the returned data is actually connectable by
applications. This logic mimics glibc's resolver behaviour.
Note that if the client asks explicitly for AF_INET or AF_INET6 it will get what it asked for.
This also simplifies the logic how it is determined whether a specific lookup shall take place on a scope.
Specifically, the checks with dns_scope_good_key() are now moved out of the transaction code and into the query code,
so that we don't even create a transaction object on a specific scope if we cannot execute the resolution on it anyway. |
3df9bec57c3e2d96f7e2a25961585cfa609b61eb |
|
26-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
networkd: rework Domains= setting
Previously, .network files only knew a vaguely defined "Domains=" concept, for which the documentation declared it was
the "DNS domain" for the network connection, without specifying what that means.
With this the Domains setting is reworked, so that there are now "routing" domains and "search" domains. The former are
to be used by resolved to route DNS requests to specific network interfaces, the latter is to be used for searching
single-label hostnames with (in addition to being used for routing). Both settings are configured in the "Domains="
setting. Normal domain names listed in it are now considered search domains (for compatibility with existing setups),
while those prefixed with "~" are considered routing domains only. To route all lookups to a specific interface the
routing domain "." may be used, referring to the root domain. An alternative syntax for this is the "*", as was already
implemented before using the "wildcard" domain concept.
This commit adds proper parsers for this new logic, and exposes this via the sd-network API. This information is not
used by resolved yet, this will be added in a later commit. |
dd0bc0f1414cc1d0fa73a29470bd14944e4942d3 |
|
25-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved: synthesize RRs for data from /etc/hosts
This way the difference between lookups via NSS and our native bus API should become minimal. |
59c5b5974d106c5ebad080739b41d0e92ab74d29 |
|
25-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved: log each time we increase the DNSSEC verdict counters
Also, don't consider RRs that aren't primary to the lookups we do as relevant to the lookups. |
c69fa7e3c44240bedc0ee1bd89fecf954783ac85 |
|
19-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved: rework DNSSECSupported property
Not only report whether the server actually supports DNSSEC, but also first check whether DNSSEC is actually enabled
for it in our local configuration.
Also, export a per-link DNSSECSupported property in addition to the existing manager-wide property. |
ad6c04756115809d615dede330213d73edf732a8 |
|
05-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved,networkd: add a per-interface DNSSEC setting
This adds a DNSSEC= setting to .network files, and makes resolved honour
them. |
af49ca27ffd790d78dbbb465b978266dfd5c93da |
|
05-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
resolved,networkd: unify ResolveSupport enum
networkd previously knew an enum "ResolveSupport" for configuring
per-interface LLMNR support, resolved had a similar enum just called
"Support", with the same value and similar parsers.
Unify this, call the enum ResolveSupport, and port both daemons to it. |
a150ff5e4e2481eb28d6ed6e0d3e176623e25f5a |
|
26-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: gather statistics about resolved names
This collects statistical data about transactions, dnssec verifications
and the cache, and exposes it over the bus. The systemd-resolve-host
tool learns new options to query these statistics and reset them. |
bc7702b098b63031767174206f5df14a8ccb45cf |
|
08-Dec-2015 |
Daniel Mack <daniel@zonque.org> |
resolved: add infrastructure for mDNS related sockets
Just hook up mDNS listeners with an empty packet dispatcher function,
introduce a config directive, man page updates etc. |
0d2cd47617b423f37d7425be7a56ae2fca8ff9f6 |
|
03-Dec-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: add a simple trust anchor database as additional RR source
When doing DNSSEC lookups we need to know one or more DS or DNSKEY RRs
as trust anchors to validate lookups. With this change we add a
compiled-in trust anchor database, serving the root DS key as of today,
retrieved from:
https://data.iana.org/root-anchors/root-anchors.xml
The interface is kept generic, so that additional DS or DNSKEY RRs may
be served via the same interface, for example by provisioning them
locally in external files to support "islands" of security.
The trust anchor database becomes the fourth source of RRs we maintain,
besides the network, the local cache, and the local zone. |
9176a57c101d51b4a7fb4141240b5ce03abac57d |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: split out calls to compile full list of dns servers and search domains
Let's split this out from the resolv.conf parser, so that this becomes
generically useful. |
eed857b71702f8551b46b66b31fa0d08583cf23c |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: enforce a maximum limit on both dns servers and search domains |
a51c10485af349eb15faa4d1a63b9818bcf3e589 |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: add a generic DnsSearchDomain concept
With this change, we add a new object to resolved, "DnsSearchDomain="
which wraps a search domain. This is then used to introduce a global
search domain list, in addition to the existing per-link search domain
list which is reworked to make use of this new object too.
This is preparation for implementing proper unicast DNS search domain
support. |
00fa60ae3b2823036cb3e7734f16bce30cb7441d |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: make sure FallbackDNS= overrides built-in servers, doesn't extend them
Closes #342. |
f2f1dbe50fea13abadc9c1e845a29031b90b40f3 |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: move dns server picking code from resolved-manager.c to resolved-dns-server.c |
f8dc7e343d903f053070d01f3273db819deee951 |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: split out all code dealing with /etc/resolv.conf into its own .c file
No functional changes. |
636e813dc98ea40c58c6c85bc5e7e3c9f0904ea2 |
|
25-Nov-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: unify code for parsing dns server information
Let's use the same parser when parsing dns server information from
/etc/resolv.conf and our native configuration file.
Also, move all code that manages lists of dns servers to a single place.
resolved-dns-server.c |
71d35b6b5563817dfbe757ab9e3b9f018b2db491 |
|
18-Nov-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
tree-wide: sort includes in *.h
This is a continuation of the previous include sort patch, which
only sorted for .c files. |
4d506d6bb757af3b99e0876234c465e6898c5ea4 |
|
26-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: dump cache and zone contents to syslog on SIGUSR1 |
78c6a153c47f8d597c827bdcaf8c4e42ac87f738 |
|
21-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
resolved: rework synthesizing logic
With this change we'll now also generate synthesized RRs for the local
LLMNR hostname (first label of system hostname), the local mDNS hostname
(first label of system hostname suffixed with .local), the "gateway"
hostname and all the reverse PTRs. This hence takes over part of what
nss-myhostname already implemented.
Local hostnames resolve to the set of local IP addresses. Since the
addresses are possibly on different interfaces it is necessary to change
the internal DnsAnswer object to track per-RR interface indexes, and to
change the bus API to always return the interface per-address rather than
per-reply. This change also patches the existing clients for resolved
accordingly (nss-resolve + systemd-resolve-host).
This also changes the routing logic for queries slightly: we now ensure
that the local hostname is never resolved via LLMNR, thus making it
trustable on the local system. |
72290734be81e83e6ef9520c07692f68095eb5b2 |
|
27-Jul-2015 |
Tom Gundersen <teg@jklm.no> |
resolved: scope - write() unicast DNS packets
As we have connect()ed to the desired DNS server, we no longer need to pass
control messages manually when sending packets. Simplify the logic accordingly. |
d20b1667dbab8bccf69735523a0d5fc645e81b80 |
|
14-Jul-2015 |
Tom Gundersen <teg@jklm.no> |
resolved: use one UDP socket per transaction
We used to have one global socket, use one per transaction instead. This
has the side-effect of giving us a random UDP port per transaction, and
hence increasing the entropy and making cache poisoning significantly
harder to achieve.
We still reuse the same port number for packets belonging to the same
transaction (resent packets). |
5f402ae84bbc08fe8de5682e371b3f66c387da52 |
|
13-Jul-2015 |
Daniel Mack <daniel@zonque.org> |
resolved: move LLMNR related functions into separate file |
1c4baffc1895809bae9ac36b670af90a4cb9cd7d |
|
13-Jun-2015 |
Tom Gundersen <teg@jklm.no> |
sd-netlink: rename from sd-rtnl |
2eec67acbb00593e414549a7e5b35eb7dd776b1b |
|
23-Feb-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
remove unused includes
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use. |
a5f035960006556beab51c42e6948985635e261a |
|
22-Oct-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: simplify detection of packets from the loopback device
We can simplify our code quite a bit if we explicitly check for the
ifindex being 1 on Linux as a loopback check. Apparently, this is
hardcoded on Linux on the kernel, and effectively exported to userspace
via rtnl and such, hence we should be able to rely on it. |
3e684349c2cead2e6fd2f816c34eb17daba23a49 |
|
12-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: unify logic how we flush out DNS servers we learnt |
902bb5d8abb2a7d258741828d212ca549ab16950 |
|
11-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: verify all RRs when we come back from suspend |
a407657425a3e47fd2b559cd3bc800f791303f63 |
|
11-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: implement full LLMNR conflict detection logic |
19b50b5ba7ee8c1bfb330377309e4bab7a7531d8 |
|
04-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: read the per-interface LLMNR setting from networkd and act on it |
edc501d4674dadc304d45a7e1c5b69e207eb8cd4 |
|
04-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: when there's already somebody listening on the LLMNR ports, simply disable LLMNR and warn, but continue
This allows us to run resolved inside an nspawn container that shares
the network namespace with the host, if there's already an instance
running. |
2c27fbca2d88214bd305272308a370a962818f1e |
|
01-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: flush cache each time we change to a different DNS server |
5cb36f41f01cf4b1f4395abfffd1b33116591e58 |
|
01-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: read the system /etc/resolv.conf unless we wrote it ourselves
This way we integrate nicely with foreign network management stacks,
such as NM. |
39d8db043b599a7382f94bfc904d5e108af438bd |
|
01-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
resolved: rename resolved.h to resolved-manager.h
After all it pretty much exclusively contains definitions about the
"Manager" object, hence let's call this the most obvious way. |