summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-dnssec.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/resolve/resolved-dns-dnssec.c')
-rw-r--r--src/resolve/resolved-dns-dnssec.c33
1 files changed, 30 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index a32e938045..2d06775dca 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -25,17 +25,34 @@
#include "dns-domain.h"
#include "resolved-dns-dnssec.h"
#include "resolved-dns-packet.h"
+#include "string-table.h"
/* Open question:
*
* How does the DNSSEC canonical form of a hostname with a label
* containing a dot look like, the way DNS-SD does it?
*
+ * TODO:
+ *
+ * - Iterative validation
+ * - NSEC proof of non-existance
+ * - NSEC3 proof of non-existance
+ * - Make trust anchor store read additional DS+DNSKEY data from disk
+ * - wildcard zones compatibility
+ * - multi-label zone compatibility
+ * - DMSSEC cname/dname compatibility
+ * - per-interface DNSSEC setting
+ * - DSA support
+ * - EC support?
+ *
* */
#define VERIFY_RRS_MAX 256
#define MAX_KEY_SIZE (32*1024)
+/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+
/*
* The DNSSEC Chain of trust:
*
@@ -228,10 +245,14 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
inception = rrsig->rrsig.inception * USEC_PER_SEC;
if (inception > expiration)
- return -EINVAL;
+ return -EKEYREJECTED;
- /* Permit a certain amount of clock skew of 10% of the valid time range */
+ /* Permit a certain amount of clock skew of 10% of the valid
+ * time range. This takes inspiration from unbound's
+ * resolver. */
skew = (expiration - inception) / 10;
+ if (skew > SKEW_MAX)
+ skew = SKEW_MAX;
if (inception < skew)
inception = 0;
@@ -548,7 +569,6 @@ int dnssec_verify_rrset_search(
}
int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max) {
- _cleanup_free_ char *s = NULL;
size_t c = 0;
int r;
@@ -690,3 +710,10 @@ finish:
gcry_md_close(md);
return r;
}
+
+static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = {
+ [DNSSEC_NO] = "no",
+ [DNSSEC_TRUST] = "trust",
+ [DNSSEC_YES] = "yes",
+};
+DEFINE_STRING_TABLE_LOOKUP(dnssec_mode, DnssecMode);