resolved: add negative trust anchro support, and add trust anchor configuration files

This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
author: Lennart Poettering <lennart@poettering.net> 2016-01-02 22:12:13 +0100
committer: Lennart Poettering <lennart@poettering.net> 2016-01-03 12:59:26 +0100
commit: 8e54f5d90a6b9dd1ff672fb97ea98de66c49e332 (patch)
tree: 62f9c69d04c8925d7ff78aabf9755482c3e24ee7 /src/resolve/resolved-dns-transaction.c
parent: e48b9a6490222f59201615a1be25c0a46d7d79b5 (diff)
1 files changed, 35 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index c8248761b2..9a03baa9ec 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -892,7 +892,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
 
         /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
         if (t->scope->protocol == DNS_PROTOCOL_DNS) {
-                r = dns_trust_anchor_lookup(&t->scope->manager->trust_anchor, t->key, &t->answer);
+                r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, t->key, &t->answer);
                 if (r < 0)
                         return r;
                 if (r > 0) {
@@ -1270,7 +1270,7 @@ static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *
                 return 0;
 
         /* Try to get the data from the trust anchor */
-        r = dns_trust_anchor_lookup(&t->scope->manager->trust_anchor, key, &a);
+        r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
         if (r < 0)
                 return r;
         if (r > 0) {
@@ -1328,6 +1328,14 @@ static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
         if (r > 0)
                 return false;
 
+        /* Is this key explicitly listed as a negative trust anchor?
+         * If so, it's nothing we need to care about */
+        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(t->key));
+        if (r < 0)
+                return r;
+        if (r > 0)
+                return false;
+
         /* The answer does not contain any RRs that match to the
          * question. If so, let's see if there are any NSEC/NSEC3 RRs
          * included. If not, the answer is unsigned. */
@@ -1412,6 +1420,13 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
                 if (dns_type_is_pseudo(rr->key->type))
                         continue;
 
+                /* If this RR is in the negative trust anchor, we don't need to validate it. */
+                r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(rr->key));
+                if (r < 0)
+                        return r;
+                if (r > 0)
+                        continue;
+
                 switch (rr->key->type) {
 
                 case DNS_TYPE_RRSIG: {
@@ -1756,6 +1771,12 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
         if (dns_type_is_pseudo(rr->key->type))
                 return -EINVAL;
 
+        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(rr->key));
+        if (r < 0)
+                return r;
+        if (r > 0)
+                return false;
+
         switch (rr->key->type) {
 
         case DNS_TYPE_RRSIG:
@@ -1893,6 +1914,12 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {
         if (dns_type_is_pseudo(t->key->type))
                 return -EINVAL;
 
+        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(t->key));
+        if (r < 0)
+                return r;
+        if (r > 0)
+                return false;
+
         name = DNS_RESOURCE_KEY_NAME(t->key);
 
         if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) {
@@ -1944,6 +1971,12 @@ static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRe
          * the specified RRset is authenticated (i.e. has a matching
          * DS RR). */
 
+        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(rr->key));
+        if (r < 0)
+                return r;
+        if (r > 0)
+                return false;
+
         DNS_ANSWER_FOREACH(rrsig, t->answer) {
                 DnsTransaction *dt;
                 Iterator i;
author	Lennart Poettering <lennart@poettering.net>	2016-01-02 22:12:13 +0100
committer	Lennart Poettering <lennart@poettering.net>	2016-01-03 12:59:26 +0100
commit	8e54f5d90a6b9dd1ff672fb97ea98de66c49e332 (patch)
tree	62f9c69d04c8925d7ff78aabf9755482c3e24ee7 /src/resolve/resolved-dns-transaction.c
parent	e48b9a6490222f59201615a1be25c0a46d7d79b5 (diff)