tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

shared: normalize the root domain to "." rather than "" Let's make sure the root domain is normalized to ".", rather than then empty string, so that there's actually something to see on screen. Normally, we don't append a trailing dot to normalized domain names, but do so in the one exception of the root domain, taking inspiration from UNIX file system paths.

resolved add dns_name_apply_idna() to convert a domain name into its IDNA equivalent

resolved: on negative NODATA replies, properly deal with empty non-terminals empty non-terminals generally lack NSEC RRs, which means we can deduce their existance only from the fact that there are other RRs that contain them in their suffix. Specifically, the NSEC proof for NODATA on ENTs works by sending the NSEC whose next name is a suffix of the queried name to the client. Use this information properly.

shared: add new dns_name_startswith() call dns_name_startswith() is to dns_name_endswith() as startswith() is to endswith().

shared: relax restrictions on valid domain name characters a bit Previously, we'd not allow control characters to be embedded in domain names, even when escaped. Since cloudflare uses \000 however to implement its synthethic minimally covering NSEC RRs, we should allow them, as long as they are properly escaped.

shared: fix handling of suffix "." in dns_name_compare_func() All our other domain name handling functions make no destinction between domain names that end in a dot plus a NUL, or those just ending in a NUL. Make sure dns_name_compare_func() and dns_label_unescape_suffix() do the same.

resolved: tighten search for NSEC3 RRs a bit Be stricter when searching suitable NSEC3 RRs for proof: generalize the check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add additional checks, such as checking whether all NSEC3 RRs use the same parameters, have the same suffix and so on.

resolved: properly implement RRSIG validation of wildcarded RRsets Note that this is still not complete, one additional step is still missing: when we verified that a wildcard RRset is properly signed, we still need to do an NSEC/NSEC3 proof that no more specific RRset exists.

util-lib: update dns_name_to_wire_format() to optionally generate DNSSEC canonical names We'll need this later when putting together RR serializations to checksum.

dns-domain: change error codes when dealing with too short buffers to ENOBUFS Some calls used ENOBUFS to indicate too-short result buffers, others used ENOSPC. Let's unify this on ENOBUFS.

dns-domain: check resulting domain name length in dns_name_to_wire_format() Let's better be safe than sorry.

dns-domain: make sure dns_name_to_wire_format() may properly encode the root domain The root domain consists of zero labels, and we should be able to encode that.

dns-domain: don't accept overly long hostnames Make sure dns_name_normalize(), dns_name_concat(), dns_name_is_valid() do not accept/generate invalidly long hostnames, i.e. longer than 253 characters.

dns-domain: be more strict when encoding/decoding labels Labels of zero length are not OK, refuse them early on. The concept of a "zero-length label" doesn't exist, a zero-length full domain name however does (representing the root domain). See RFC 2181, Section 11.

dns-domain: rework dns_label_escape() to not imply memory allocation The new dns_label_escape() call now operates on a buffer passed in, similar to dns_label_unescape(). This should make decoding a bit faster, and nicer.

dns-domain: change dns_srv_type_is_valid() return value to bool For similar reasons as dns_name_is_root() got changed in the previous commit.

dns-domain: simplify dns_name_is_root() and dns_name_is_single_label() Let's change the return value to bool. If we encounter an error while parsing, return "false" instead of the actual parsing error, after all the specified hostname does not qualify for what the function is supposed to test. Dealing with the additional error codes was always cumbersome, and easily misused, like for example in the DHCP code. Let's also rename the functions from dns_name_root() to dns_name_is_root(), to indicate that this function checks something and returns a bool. Similar for dns_name_is_signal_label().

resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.

dns-domain: add calls to join/split SRV/DNS-SD service domains This adds dns_service_join() and dns_service_split() which may be used to concatenate a DNS-SD service name, am SRV service type string, and a domain name into a full resolvable DNS domain name string. If the service name is specified as NULL, only the type and domain are appended, to implement classic, non-DNS-SD SRV lookups. The reverse is dns_service_split() which takes the full name, and split it into the three components again.

dns-domain: add code for verifying validity of DNS-SD service names and types

dns-domain: add dns_name_to_wire_format() The function converts a domain name string to the wire format described in RFC 1035 Section 3.1.

util-lib: split out allocation calls into alloc-util.[ch]

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

dns-domain: add call for concatenating two domain names This is specifically useful for appending the mDNS ".local" suffix to a single-label hostname in the most correct way. (used in later commit)

resolved: never attempt to resolve loopback addresses via DNS/LLMNR/mDNS We already refuse to resolve "localhost", hence we should also refuse resolving "127.0.0.1" and friends.

shared: dns-name - add dns_name_between() Given three DNS names this function indicates if the second argument lies strictly between the first and the third according to the canonical DNS name order. Note that the order is circular, so the last name is considered to be before the first.

shared: dns-name - introduce dns_label_unescape_suffix() Intended to be called repeatedly, and returns then successive unescaped labels from the most to the least significant (left to right). This is slightly inefficient as it scans the string three times (two would be sufficient): once to find the end of the string, once to find the beginning of each label and lastly once to do the actual unescaping. The latter two could be done in one go, but that seemed unnecessarily convoluted.

resolve: move dns routines into shared