diff options
Diffstat (limited to 'src/resolve')
| -rw-r--r-- | src/resolve/resolved-conf.c | 69 | ||||
| -rw-r--r-- | src/resolve/resolved-conf.h | 1 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-dnssec.c | 12 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-dnssec.h | 21 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-scope.c | 17 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-transaction.c | 135 | ||||
| -rw-r--r-- | src/resolve/resolved-dns-trust-anchor.c | 180 | ||||
| -rw-r--r-- | src/resolve/resolved-gperf.gperf | 11 | ||||
| -rw-r--r-- | src/resolve/resolved-link.c | 162 | ||||
| -rw-r--r-- | src/resolve/resolved-link.h | 7 | ||||
| -rw-r--r-- | src/resolve/resolved-llmnr.c | 4 | ||||
| -rw-r--r-- | src/resolve/resolved-manager.c | 15 | ||||
| -rw-r--r-- | src/resolve/resolved-manager.h | 18 | ||||
| -rw-r--r-- | src/resolve/resolved-mdns.c | 4 | ||||
| -rw-r--r-- | src/resolve/resolved.c | 6 | ||||
| -rw-r--r-- | src/resolve/resolved.conf.in | 1 | 
16 files changed, 453 insertions, 210 deletions
| diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c index 1b2f3e336e..88df7534c4 100644 --- a/src/resolve/resolved-conf.c +++ b/src/resolve/resolved-conf.c @@ -200,75 +200,6 @@ int config_parse_search_domains(          return 0;  } -int config_parse_support( -                const char *unit, -                const char *filename, -                unsigned line, -                const char *section, -                unsigned section_line, -                const char *lvalue, -                int ltype, -                const char *rvalue, -                void *data, -                void *userdata) { - -        Support support, *v = data; -        int r; - -        assert(filename); -        assert(lvalue); -        assert(rvalue); - -        support = support_from_string(rvalue); -        if (support < 0) { -                r = parse_boolean(rvalue); -                if (r < 0) { -                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse support level '%s'. Ignoring.", rvalue); -                        return 0; -                } - -                support = r ? SUPPORT_YES : SUPPORT_NO; -        } - -        *v = support; -        return 0; -} - -int config_parse_dnssec( -                const char *unit, -                const char *filename, -                unsigned line, -                const char *section, -                unsigned section_line, -                const char *lvalue, -                int ltype, -                const char *rvalue, -                void *data, -                void *userdata) { - -        Manager *m = data; -        DnssecMode mode; -        int r; - -        assert(filename); -        assert(lvalue); -        assert(rvalue); - -        mode = dnssec_mode_from_string(rvalue); -        if (mode < 0) { -                r = parse_boolean(rvalue); -                if (r < 0) { -                        log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse DNSSEC mode '%s'. Ignoring.", rvalue); -                        return 0; -                } - -                mode = r ? DNSSEC_YES : DNSSEC_NO; -        } - -        m->unicast_scope->dnssec_mode = mode; -        return 0; -} -  int manager_parse_config_file(Manager *m) {          int r; diff --git a/src/resolve/resolved-conf.h b/src/resolve/resolved-conf.h index 668ea02bba..b4ef1b0378 100644 --- a/src/resolve/resolved-conf.h +++ b/src/resolve/resolved-conf.h @@ -35,5 +35,4 @@ const struct ConfigPerfItem* resolved_gperf_lookup(const char *key, unsigned len  int config_parse_dns_servers(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_search_domains(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); -int config_parse_support(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_dnssec(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 32d4834aa1..51fe710795 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -39,7 +39,10 @@   *   - multi-label zone compatibility   *   - cname/dname compatibility   *   - nxdomain on qname - *   - per-interface DNSSEC setting + *   - workable hack for the .corp, .home, .box case + *   - bus calls to override DNSEC setting per interface + *   - log all DNSSEC downgrades + *   - enable by default   *   * */ @@ -1566,13 +1569,6 @@ int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r          return 0;  } -static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = { -        [DNSSEC_NO] = "no", -        [DNSSEC_DOWNGRADE_OK] = "downgrade-ok", -        [DNSSEC_YES] = "yes", -}; -DEFINE_STRING_TABLE_LOOKUP(dnssec_mode, DnssecMode); -  static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = {          [DNSSEC_VALIDATED] = "validated",          [DNSSEC_INVALID] = "invalid", diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h index 94d0b23f80..6977faca75 100644 --- a/src/resolve/resolved-dns-dnssec.h +++ b/src/resolve/resolved-dns-dnssec.h @@ -28,24 +28,6 @@ typedef enum DnssecResult DnssecResult;  #include "resolved-dns-answer.h"  #include "resolved-dns-rr.h" -enum DnssecMode { -        /* No DNSSEC validation is done */ -        DNSSEC_NO, - -        /* Validate locally, if the server knows DO, but if not, -         * don't. Don't trust the AD bit. If the server doesn't do -         * DNSSEC properly, downgrade to non-DNSSEC operation. Of -         * course, we then are vulnerable to a downgrade attack, but -         * that's life and what is configured. */ -        DNSSEC_DOWNGRADE_OK, - -        /* Insist on DNSSEC server support, and rather fail than downgrading. */ -        DNSSEC_YES, - -        _DNSSEC_MODE_MAX, -        _DNSSEC_MODE_INVALID = -1 -}; -  enum DnssecResult {          /* These four are returned by dnssec_verify_rrset() */          DNSSEC_VALIDATED, @@ -101,8 +83,5 @@ typedef enum DnssecNsecResult {  int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *result, bool *authenticated, uint32_t *ttl); -const char* dnssec_mode_to_string(DnssecMode m) _const_; -DnssecMode dnssec_mode_from_string(const char *s) _pure_; -  const char* dnssec_result_to_string(DnssecResult m) _const_;  DnssecResult dnssec_result_from_string(const char *s) _pure_; diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c index 13be2a3792..c96bed04b0 100644 --- a/src/resolve/resolved-dns-scope.c +++ b/src/resolve/resolved-dns-scope.c @@ -57,6 +57,23 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int          s->family = family;          s->resend_timeout = MULTICAST_RESEND_TIMEOUT_MIN_USEC; +        s->dnssec_mode = _DNSSEC_MODE_INVALID; + +        if (protocol == DNS_PROTOCOL_DNS) { +                /* Copy DNSSEC mode from the link if it is set there, +                 * otherwise take the manager's DNSSEC mode. Note that +                 * we copy this only at scope creation time, and do +                 * not update it from the on, even if the setting +                 * changes. */ + +                if (l) +                        s->dnssec_mode = l->dnssec_mode; +                if (s->dnssec_mode == _DNSSEC_MODE_INVALID) +                        s->dnssec_mode = m->dnssec_mode; +                if (s->dnssec_mode == _DNSSEC_MODE_INVALID) +                        s->dnssec_mode = DNSSEC_NO; +        } +          LIST_PREPEND(scopes, m->dns_scopes, s);          dns_scope_llmnr_membership(s, true); diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 870b7586fd..f5171a940f 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -939,7 +939,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {                           * this means we cannot do any DNSSEC logic                           * anymore. */ -                        if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) { +                        if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {                                  /* We are in downgrade mode. In this                                   * case, synthesize an unsigned empty                                   * response, so that the any lookup @@ -1284,13 +1284,13 @@ static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {          if (t == aux)                  return 1; -        SET_FOREACH(n, aux->notify_transactions, i) { +        SET_FOREACH(n, aux->dnssec_transactions, i) {                  r = dns_transaction_find_cyclic(t, n);                  if (r != 0)                          return r;          } -        return r; +        return 0;  }  static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) { @@ -1406,6 +1406,25 @@ static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags          return false;  } +static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) { +        int r; + +        assert(t); + +        /* Check whether the specified name is in the the NTA +         * database, either in the global one, or the link-local +         * one. */ + +        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name); +        if (r != 0) +                return r; + +        if (!t->scope->link) +                return 0; + +        return set_contains(t->scope->link->dnssec_negative_trust_anchors, name); +} +  static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {          int r; @@ -1422,7 +1441,7 @@ static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {          /* Is this key explicitly listed as a negative trust anchor?           * If so, it's nothing we need to care about */ -        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(t->key)); +        r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(t->key));          if (r < 0)                  return r;          if (r > 0) @@ -1513,7 +1532,7 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t) {                          continue;                  /* If this RR is in the negative trust anchor, we don't need to validate it. */ -                r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(rr->key)); +                r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(rr->key));                  if (r < 0)                          return r;                  if (r > 0) @@ -1863,7 +1882,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *          if (dns_type_is_pseudo(rr->key->type))                  return -EINVAL; -        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(rr->key)); +        r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(rr->key));          if (r < 0)                  return r;          if (r > 0) @@ -1989,6 +2008,66 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *          }}  } +static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) { +        DnsTransaction *dt; +        const char *tld; +        Iterator i; +        int r; + +        /* If DNSSEC downgrade mode is on, checks whether the +         * specified RR is one level below a TLD we have proven not to +         * exist. In such a case we assume that this is a private +         * domain, and permit it. +         * +         * This detects cases like the Fritz!Box router networks. Each +         * Fritz!Box router serves a private "fritz.box" zone, in the +         * non-existing TLD "box". Requests for the "fritz.box" domain +         * are served by the router itself, while requests for the +         * "box" domain will result in NXDOMAIN. +         * +         * Note that this logic is unable to detect cases where a +         * router serves a private DNS zone directly under +         * non-existing TLD. In such a case we cannot detect whether +         * the TLD is supposed to exist or not, as all requests we +         * make for it will be answered by the router's zone, and not +         * by the root zone. */ + +        assert(t); + +        if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE) +                return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */ + +        tld = DNS_RESOURCE_KEY_NAME(key); +        r = dns_name_parent(&tld); +        if (r < 0) +                return r; +        if (r == 0) +                return false; /* Already the root domain */ + +        if (!dns_name_is_single_label(tld)) +                return false; + +        SET_FOREACH(dt, t->dnssec_transactions, i) { + +                if (dt->key->class != key->class) +                        continue; + +                r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), tld); +                if (r < 0) +                        return r; +                if (r == 0) +                        continue; + +                /* We found an auxiliary lookup we did for the TLD. If +                 * that returned with NXDOMAIN, we know the TLD didn't +                 * exist, and hence this might be a private zone. */ + +                return dt->answer_rcode == DNS_RCODE_NXDOMAIN; +        } + +        return false; +} +  static int dns_transaction_requires_nsec(DnsTransaction *t) {          DnsTransaction *dt;          const char *name; @@ -2006,12 +2085,24 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {          if (dns_type_is_pseudo(t->key->type))                  return -EINVAL; -        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(t->key)); +        r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(t->key));          if (r < 0)                  return r;          if (r > 0)                  return false; +        r = dns_transaction_in_private_tld(t, t->key); +        if (r < 0) +                return r; +        if (r > 0) { +                /* The lookup is from a TLD that is proven not to +                 * exist, and we are in downgrade mode, hence ignore +                 * that fact that we didn't get any NSEC RRs.*/ + +                log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.", dns_transaction_key_string(t)); +                return false; +        } +          name = DNS_RESOURCE_KEY_NAME(t->key);          if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) { @@ -2063,7 +2154,7 @@ static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRe           * the specified RRset is authenticated (i.e. has a matching           * DS RR). */ -        r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, DNS_RESOURCE_KEY_NAME(rr->key)); +        r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(rr->key));          if (r < 0)                  return r;          if (r > 0) @@ -2266,7 +2357,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {                                                  dns_server_packet_rrsig_missing(t->server); -                                                if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) { +                                                if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {                                                          /* Downgrading is OK? If so, just consider the information unsigned */ @@ -2283,6 +2374,27 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {                                                  t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;                                                  return 0;                                          } + +                                        r = dns_transaction_in_private_tld(t, rr->key); +                                        if (r < 0) +                                                return r; +                                        if (r > 0) { +                                                _cleanup_free_ char *s = NULL; + +                                                /* The data is from a TLD that is proven not to exist, and we are in downgrade +                                                 * mode, hence ignore the fact that this was not signed. */ + +                                                (void) dns_resource_key_to_string(rr->key, &s); +                                                log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.", strna(s ? strstrip(s) : NULL)); + +                                                r = dns_answer_move_by_key(&validated, &t->answer, rr->key, 0); +                                                if (r < 0) +                                                        return r; + +                                                t->scope->manager->n_dnssec_insecure++; +                                                changed = true; +                                                break; +                                        }                                  }                                  if (IN_SET(result, @@ -2311,10 +2423,9 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {                                  if (IN_SET(result,                                             DNSSEC_INVALID,                                             DNSSEC_SIGNATURE_EXPIRED, -                                           DNSSEC_NO_SIGNATURE, -                                           DNSSEC_UNSUPPORTED_ALGORITHM)) +                                           DNSSEC_NO_SIGNATURE))                                          t->scope->manager->n_dnssec_bogus++; -                                else +                                else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */                                          t->scope->manager->n_dnssec_indeterminate++;                                  r = dns_transaction_is_primary_response(t, rr); diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c index 53b49b091a..9f8b76ebe2 100644 --- a/src/resolve/resolved-dns-trust-anchor.c +++ b/src/resolve/resolved-dns-trust-anchor.c @@ -42,7 +42,18 @@ static const uint8_t root_digest[] =          { 0x49, 0xAA, 0xC1, 0x1D, 0x7B, 0x6F, 0x64, 0x46, 0x70, 0x2E, 0x54, 0xA1, 0x60, 0x73, 0x71, 0x60,            0x7A, 0x1A, 0x41, 0x85, 0x52, 0x00, 0xFD, 0x2C, 0xE1, 0xCD, 0xDE, 0x32, 0xF2, 0x4E, 0x8F, 0xB5 }; -static int dns_trust_anchor_add_builtin(DnsTrustAnchor *d) { +static bool dns_trust_anchor_knows_domain_positive(DnsTrustAnchor *d, const char *name) { +        assert(d); + +        /* Returns true if there's an entry for the specified domain +         * name in our trust anchor */ + +        return +                hashmap_contains(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DNSKEY, name)) || +                hashmap_contains(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DS, name)); +} + +static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) {          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;          _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;          int r; @@ -53,10 +64,11 @@ static int dns_trust_anchor_add_builtin(DnsTrustAnchor *d) {          if (r < 0)                  return r; -        if (hashmap_get(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DS, "."))) -                return 0; - -        if (hashmap_get(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "."))) +        /* Only add the built-in trust anchor if there's neither a DS +         * nor a DNSKEY defined for the root domain. That way users +         * have an easy way to override the root domain DS/DNSKEY +         * data. */ +        if (dns_trust_anchor_knows_domain_positive(d, "."))                  return 0;          /* Add the RR from https://data.iana.org/root-anchors/root-anchors.xml */ @@ -88,6 +100,95 @@ static int dns_trust_anchor_add_builtin(DnsTrustAnchor *d) {          return 0;  } +static int dns_trust_anchor_add_builtin_negative(DnsTrustAnchor *d) { + +        static const char private_domains[] = +                /* RFC 6761 says that .test is a special domain for +                 * testing and not to be installed in the root zone */ +                "test\0" + +                /* RFC 6761 says that these reverse IP lookup ranges +                 * are for private addresses, and hence should not +                 * show up in the root zone */ +                "10.in-addr.arpa\0" +                "16.172.in-addr.arpa\0" +                "17.172.in-addr.arpa\0" +                "18.172.in-addr.arpa\0" +                "19.172.in-addr.arpa\0" +                "20.172.in-addr.arpa\0" +                "21.172.in-addr.arpa\0" +                "22.172.in-addr.arpa\0" +                "23.172.in-addr.arpa\0" +                "24.172.in-addr.arpa\0" +                "25.172.in-addr.arpa\0" +                "26.172.in-addr.arpa\0" +                "27.172.in-addr.arpa\0" +                "28.172.in-addr.arpa\0" +                "29.172.in-addr.arpa\0" +                "30.172.in-addr.arpa\0" +                "31.172.in-addr.arpa\0" +                "168.192.in-addr.arpa\0" + +                /* RFC 6762 reserves the .local domain for Multicast +                 * DNS, it hence cannot appear in the root zone. (Note +                 * that we by default do not route .local traffic to +                 * DNS anyway, except when a configured search domain +                 * suggests so.) */ +                "local\0" + +                /* These two are well known, popular private zone +                 * TLDs, that are blocked from delegation, according +                 * to: +                 * http://icannwiki.com/Name_Collision#NGPC_Resolution +                 * +                 * There's also ongoing work on making this official +                 * in an RRC: +                 * https://www.ietf.org/archive/id/draft-chapin-additional-reserved-tlds-02.txt */ +                "home\0" +                "corp\0" + +                /* The following four TLDs are suggested for private +                 * zones in RFC 6762, Appendix G, and are hence very +                 * unlikely to be made official TLDs any day soon */ +                "lan\0" +                "intranet\0" +                "internal\0" +                "private\0"; + +        const char *name; +        int r; + +        assert(d); + +        /* Only add the built-in trust anchor if there's no negative +         * trust anchor defined at all. This enables easy overriding +         * of negative trust anchors. */ + +        if (set_size(d->negative_by_name) > 0) +                return 0; + +        r = set_ensure_allocated(&d->negative_by_name, &dns_name_hash_ops); +        if (r < 0) +                return r; + +        /* We add a couple of domains as default negative trust +         * anchors, where it's very unlikely they will be installed in +         * the root zone. If they exist they must be private, and thus +         * unsigned. */ + +        NULSTR_FOREACH(name, private_domains) { + +                if (dns_trust_anchor_knows_domain_positive(d, name)) +                        continue; + +                r = set_put_strdup(d->negative_by_name, name); +                if (r < 0) +                        return r; +        } + +        return 0; +} +  static int dns_trust_anchor_load_positive(DnsTrustAnchor *d, const char *path, unsigned line, const char *s) {          _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;          _cleanup_free_ char *domain = NULL, *class = NULL, *type = NULL; @@ -236,7 +337,7 @@ static int dns_trust_anchor_load_positive(DnsTrustAnchor *d, const char *path, u          r = hashmap_ensure_allocated(&d->positive_by_key, &dns_resource_key_hash_ops);          if (r < 0) -                return r; +                return log_oom();          old_answer = hashmap_get(d->positive_by_key, rr->key);          answer = dns_answer_ref(old_answer); @@ -279,7 +380,7 @@ static int dns_trust_anchor_load_negative(DnsTrustAnchor *d, const char *path, u          r = set_ensure_allocated(&d->negative_by_name, &dns_name_hash_ops);          if (r < 0) -                return r; +                return log_oom();          r = set_put(d->negative_by_name, domain);          if (r < 0) @@ -340,27 +441,49 @@ static int dns_trust_anchor_load_files(          return 0;  } -static void dns_trust_anchor_dump(DnsTrustAnchor *d) { +static int domain_name_cmp(const void *a, const void *b) { +        char **x = (char**) a, **y = (char**) b; + +        return dns_name_compare_func(*x, *y); +} + +static int dns_trust_anchor_dump(DnsTrustAnchor *d) {          DnsAnswer *a;          Iterator i;          assert(d); -        log_info("Positive Trust Anchors:"); -        HASHMAP_FOREACH(a, d->positive_by_key, i) { -                DnsResourceRecord *rr; +        if (hashmap_isempty(d->positive_by_key)) +                log_info("No positive trust anchors defined."); +        else { +                log_info("Positive Trust Anchors:"); +                HASHMAP_FOREACH(a, d->positive_by_key, i) { +                        DnsResourceRecord *rr; -                DNS_ANSWER_FOREACH(rr, a) -                        log_info("%s", dns_resource_record_to_string(rr)); +                        DNS_ANSWER_FOREACH(rr, a) +                                log_info("%s", dns_resource_record_to_string(rr)); +                }          } -        if (!set_isempty(d->negative_by_name)) { -                char *n; -                log_info("Negative trust anchors:"); +        if (set_isempty(d->negative_by_name)) +                log_info("No negative trust anchors defined."); +        else { +                _cleanup_free_ char **l = NULL, *j = NULL; + +                l = set_get_strv(d->negative_by_name); +                if (!l) +                        return log_oom(); + +                qsort_safe(l, set_size(d->negative_by_name), sizeof(char*), domain_name_cmp); + +                j = strv_join(l, " "); +                if (!j) +                        return log_oom(); -                SET_FOREACH(n, d->negative_by_name, i) -                        log_info("%s%s", n, endswith(n, ".") ? "" : "."); +                log_info("Negative trust anchors: %s", j);          } + +        return 0;  }  int dns_trust_anchor_load(DnsTrustAnchor *d) { @@ -373,9 +496,13 @@ int dns_trust_anchor_load(DnsTrustAnchor *d) {          (void) dns_trust_anchor_load_files(d, ".negative", dns_trust_anchor_load_negative);          /* However, if the built-in DS fails, then we have a problem. */ -        r = dns_trust_anchor_add_builtin(d); +        r = dns_trust_anchor_add_builtin_positive(d); +        if (r < 0) +                return log_error_errno(r, "Failed to add built-in positive trust anchor: %m"); + +        r = dns_trust_anchor_add_builtin_negative(d);          if (r < 0) -                return log_error_errno(r, "Failed to add trust anchor built-in: %m"); +                return log_error_errno(r, "Failed to add built-in negative trust anchor: %m");          dns_trust_anchor_dump(d); @@ -516,17 +643,6 @@ static int dns_trust_anchor_check_revoked_one(DnsTrustAnchor *d, DnsResourceReco          return 0;  } -static bool dns_trust_anchor_knows_domain(DnsTrustAnchor *d, const char *name) { -        assert(d); - -        /* Returns true if there's an entry for the specified domain -         * name in our trust anchor */ - -        return -                hashmap_contains(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DNSKEY, name)) || -                hashmap_contains(d->positive_by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DS, name)); -} -  int dns_trust_anchor_check_revoked(DnsTrustAnchor *d, DnsAnswer *rrs, const DnsResourceKey *key) {          DnsResourceRecord *dnskey;          int r; @@ -556,7 +672,7 @@ int dns_trust_anchor_check_revoked(DnsTrustAnchor *d, DnsAnswer *rrs, const DnsR                  /* Could this be interesting to us at all? If not,                   * there's no point in looking for and verifying a                   * self-signed RRSIG. */ -                if (!dns_trust_anchor_knows_domain(d, DNS_RESOURCE_KEY_NAME(dnskey->key))) +                if (!dns_trust_anchor_knows_domain_positive(d, DNS_RESOURCE_KEY_NAME(dnskey->key)))                          continue;                  /* Look for a self-signed RRSIG */ diff --git a/src/resolve/resolved-gperf.gperf b/src/resolve/resolved-gperf.gperf index c815eae850..c5ad04afd7 100644 --- a/src/resolve/resolved-gperf.gperf +++ b/src/resolve/resolved-gperf.gperf @@ -14,8 +14,9 @@ struct ConfigPerfItem;  %struct-type  %includes  %% -Resolve.DNS,          config_parse_dns_servers,    DNS_SERVER_SYSTEM,   0 -Resolve.FallbackDNS,  config_parse_dns_servers,    DNS_SERVER_FALLBACK, 0 -Resolve.Domains,      config_parse_search_domains, 0,                   0 -Resolve.LLMNR,        config_parse_support,        0,                   offsetof(Manager, llmnr_support) -Resolve.DNSSEC,       config_parse_dnssec,         0,                   0 +Resolve.DNS,          config_parse_dns_servers,     DNS_SERVER_SYSTEM,   0 +Resolve.FallbackDNS,  config_parse_dns_servers,     DNS_SERVER_FALLBACK, 0 +Resolve.Domains,      config_parse_search_domains,  0,                   0 +Resolve.LLMNR,        config_parse_resolve_support, 0,                   offsetof(Manager, llmnr_support) +Resolve.MulticastDNS, config_parse_resolve_support, 0,                   offsetof(Manager, mdns_support) +Resolve.DNSSEC,       config_parse_dnssec_mode,     0,                   offsetof(Manager, dnssec_mode) diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c index 0fe2bb30bd..30838ef8cc 100644 --- a/src/resolve/resolved-link.c +++ b/src/resolve/resolved-link.c @@ -46,7 +46,9 @@ int link_new(Manager *m, Link **ret, int ifindex) {                  return -ENOMEM;          l->ifindex = ifindex; -        l->llmnr_support = SUPPORT_YES; +        l->llmnr_support = RESOLVE_SUPPORT_YES; +        l->mdns_support = RESOLVE_SUPPORT_NO; +        l->dnssec_mode = _DNSSEC_MODE_INVALID;          r = hashmap_put(m->links, INT_TO_PTR(ifindex), l);          if (r < 0) @@ -65,7 +67,7 @@ Link *link_free(Link *l) {          if (!l)                  return NULL; -        dns_server_unlink_marked(l->dns_servers); +        dns_server_unlink_all(l->dns_servers);          dns_search_domain_unlink_all(l->search_domains);          while (l->addresses) @@ -80,6 +82,8 @@ Link *link_free(Link *l) {          dns_scope_free(l->mdns_ipv4_scope);          dns_scope_free(l->mdns_ipv6_scope); +        set_free_free(l->dnssec_negative_trust_anchors); +          free(l);          return NULL;  } @@ -99,8 +103,8 @@ static void link_allocate_scopes(Link *l) {                  l->unicast_scope = dns_scope_free(l->unicast_scope);          if (link_relevant(l, AF_INET) && -            l->llmnr_support != SUPPORT_NO && -            l->manager->llmnr_support != SUPPORT_NO) { +            l->llmnr_support != RESOLVE_SUPPORT_NO && +            l->manager->llmnr_support != RESOLVE_SUPPORT_NO) {                  if (!l->llmnr_ipv4_scope) {                          r = dns_scope_new(l->manager, &l->llmnr_ipv4_scope, l, DNS_PROTOCOL_LLMNR, AF_INET);                          if (r < 0) @@ -110,8 +114,8 @@ static void link_allocate_scopes(Link *l) {                  l->llmnr_ipv4_scope = dns_scope_free(l->llmnr_ipv4_scope);          if (link_relevant(l, AF_INET6) && -            l->llmnr_support != SUPPORT_NO && -            l->manager->llmnr_support != SUPPORT_NO && +            l->llmnr_support != RESOLVE_SUPPORT_NO && +            l->manager->llmnr_support != RESOLVE_SUPPORT_NO &&              socket_ipv6_is_supported()) {                  if (!l->llmnr_ipv6_scope) {                          r = dns_scope_new(l->manager, &l->llmnr_ipv6_scope, l, DNS_PROTOCOL_LLMNR, AF_INET6); @@ -122,8 +126,8 @@ static void link_allocate_scopes(Link *l) {                  l->llmnr_ipv6_scope = dns_scope_free(l->llmnr_ipv6_scope);          if (link_relevant(l, AF_INET) && -            l->mdns_support != SUPPORT_NO && -            l->manager->mdns_support != SUPPORT_NO) { +            l->mdns_support != RESOLVE_SUPPORT_NO && +            l->manager->mdns_support != RESOLVE_SUPPORT_NO) {                  if (!l->mdns_ipv4_scope) {                          r = dns_scope_new(l->manager, &l->mdns_ipv4_scope, l, DNS_PROTOCOL_MDNS, AF_INET);                          if (r < 0) @@ -133,8 +137,8 @@ static void link_allocate_scopes(Link *l) {                  l->mdns_ipv4_scope = dns_scope_free(l->mdns_ipv4_scope);          if (link_relevant(l, AF_INET6) && -            l->mdns_support != SUPPORT_NO && -            l->manager->mdns_support != SUPPORT_NO) { +            l->mdns_support != RESOLVE_SUPPORT_NO && +            l->manager->mdns_support != RESOLVE_SUPPORT_NO) {                  if (!l->mdns_ipv6_scope) {                          r = dns_scope_new(l->manager, &l->mdns_ipv6_scope, l, DNS_PROTOCOL_MDNS, AF_INET6);                          if (r < 0) @@ -233,22 +237,107 @@ static int link_update_llmnr_support(Link *l) {          if (r < 0)                  goto clear; -        r = parse_boolean(b); -        if (r < 0) { -                if (streq(b, "resolve")) -                        l->llmnr_support = SUPPORT_RESOLVE; -                else -                        goto clear; +        l->llmnr_support = resolve_support_from_string(b); +        if (l->llmnr_support < 0) { +                r = -EINVAL; +                goto clear; +        } -        } else if (r > 0) -                l->llmnr_support = SUPPORT_YES; -        else -                l->llmnr_support = SUPPORT_NO; +        return 0; + +clear: +        l->llmnr_support = RESOLVE_SUPPORT_YES; +        return r; +} + +static int link_update_mdns_support(Link *l) { +        _cleanup_free_ char *b = NULL; +        int r; + +        assert(l); + +        r = sd_network_link_get_mdns(l->ifindex, &b); +        if (r == -ENODATA) { +                r = 0; +                goto clear; +        } +        if (r < 0) +                goto clear; + +        l->mdns_support = resolve_support_from_string(b); +        if (l->mdns_support < 0) { +                r = -EINVAL; +                goto clear; +        }          return 0;  clear: -        l->llmnr_support = SUPPORT_YES; +        l->mdns_support = RESOLVE_SUPPORT_NO; +        return r; +} + +static int link_update_dnssec_mode(Link *l) { +        _cleanup_free_ char *m = NULL; +        int r; + +        assert(l); + +        r = sd_network_link_get_dnssec(l->ifindex, &m); +        if (r == -ENODATA) { +                r = 0; +                goto clear; +        } +        if (r < 0) +                goto clear; + +        l->dnssec_mode = dnssec_mode_from_string(m); +        if (l->dnssec_mode < 0) { +                r = -EINVAL; +                goto clear; +        } + +        return 0; + +clear: +        l->dnssec_mode = _DNSSEC_MODE_INVALID; +        return r; +} + +static int link_update_dnssec_negative_trust_anchors(Link *l) { +        _cleanup_strv_free_ char **ntas = NULL; +        _cleanup_set_free_free_ Set *ns = NULL; +        char **i; +        int r; + +        assert(l); + +        r = sd_network_link_get_dnssec_negative_trust_anchors(l->ifindex, &ntas); +        if (r == -ENODATA) { +                r = 0; +                goto clear; +        } +        if (r < 0) +                goto clear; + +        ns = set_new(&dns_name_hash_ops); +        if (!ns) +                return -ENOMEM; + +        STRV_FOREACH(i, ntas) { +                r = set_put_strdup(ns, *i); +                if (r < 0) +                        return r; +        } + +        set_free_free(l->dnssec_negative_trust_anchors); +        l->dnssec_negative_trust_anchors = ns; +        ns = NULL; + +        return 0; + +clear: +        l->dnssec_negative_trust_anchors = set_free_free(l->dnssec_negative_trust_anchors);          return r;  } @@ -299,14 +388,31 @@ int link_update_monitor(Link *l) {          assert(l); -        link_update_dns_servers(l); -        link_update_llmnr_support(l); -        link_allocate_scopes(l); +        r = link_update_dns_servers(l); +        if (r < 0) +                log_warning_errno(r, "Failed to read DNS servers for interface %s, ignoring: %m", l->name); + +        r = link_update_llmnr_support(l); +        if (r < 0) +                log_warning_errno(r, "Failed to read LLMNR support for interface %s, ignoring: %m", l->name); + +        r = link_update_mdns_support(l); +        if (r < 0) +                log_warning_errno(r, "Failed to read mDNS support for interface %s, ignoring: %m", l->name); + +        r = link_update_dnssec_mode(l); +        if (r < 0) +                log_warning_errno(r, "Failed to read DNSSEC mode for interface %s, ignoring: %m", l->name); + +        r = link_update_dnssec_negative_trust_anchors(l); +        if (r < 0) +                log_warning_errno(r, "Failed to read DNSSEC negative trust anchors for interface %s, ignoring: %m", l->name);          r = link_update_search_domains(l);          if (r < 0)                  log_warning_errno(r, "Failed to read search domains for interface %s, ignoring: %m", l->name); +        link_allocate_scopes(l);          link_add_rrs(l, false);          return 0; @@ -459,8 +565,8 @@ void link_address_add_rrs(LinkAddress *a, bool force_remove) {                  if (!force_remove &&                      link_address_relevant(a) &&                      a->link->llmnr_ipv4_scope && -                    a->link->llmnr_support == SUPPORT_YES && -                    a->link->manager->llmnr_support == SUPPORT_YES) { +                    a->link->llmnr_support == RESOLVE_SUPPORT_YES && +                    a->link->manager->llmnr_support == RESOLVE_SUPPORT_YES) {                          if (!a->link->manager->llmnr_host_ipv4_key) {                                  a->link->manager->llmnr_host_ipv4_key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_A, a->link->manager->llmnr_hostname); @@ -516,8 +622,8 @@ void link_address_add_rrs(LinkAddress *a, bool force_remove) {                  if (!force_remove &&                      link_address_relevant(a) &&                      a->link->llmnr_ipv6_scope && -                    a->link->llmnr_support == SUPPORT_YES && -                    a->link->manager->llmnr_support == SUPPORT_YES) { +                    a->link->llmnr_support == RESOLVE_SUPPORT_YES && +                    a->link->manager->llmnr_support == RESOLVE_SUPPORT_YES) {                          if (!a->link->manager->llmnr_host_ipv6_key) {                                  a->link->manager->llmnr_host_ipv6_key = dns_resource_key_new(DNS_CLASS_IN, DNS_TYPE_AAAA, a->link->manager->llmnr_hostname); diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h index a3b406bbc2..db0e51da04 100644 --- a/src/resolve/resolved-link.h +++ b/src/resolve/resolved-link.h @@ -25,6 +25,7 @@  #include "in-addr-util.h"  #include "ratelimit.h" +#include "resolve-util.h"  typedef struct Link Link;  typedef struct LinkAddress LinkAddress; @@ -66,8 +67,10 @@ struct Link {          LIST_HEAD(DnsSearchDomain, search_domains);          unsigned n_search_domains; -        Support llmnr_support; -        Support mdns_support; +        ResolveSupport llmnr_support; +        ResolveSupport mdns_support; +        DnssecMode dnssec_mode; +        Set *dnssec_negative_trust_anchors;          DnsScope *unicast_scope;          DnsScope *llmnr_ipv4_scope; diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c index 182c6e45ea..dd4d9508ba 100644 --- a/src/resolve/resolved-llmnr.c +++ b/src/resolve/resolved-llmnr.c @@ -47,7 +47,7 @@ int manager_llmnr_start(Manager *m) {          assert(m); -        if (m->llmnr_support == SUPPORT_NO) +        if (m->llmnr_support == RESOLVE_SUPPORT_NO)                  return 0;          r = manager_llmnr_ipv4_udp_fd(m); @@ -80,7 +80,7 @@ int manager_llmnr_start(Manager *m) {  eaddrinuse:          log_warning("There appears to be another LLMNR responder running. Turning off LLMNR support."); -        m->llmnr_support = SUPPORT_NO; +        m->llmnr_support = RESOLVE_SUPPORT_NO;          manager_llmnr_stop(m);          return 0; diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c index 20955b3f6b..b32bad456b 100644 --- a/src/resolve/resolved-manager.c +++ b/src/resolve/resolved-manager.c @@ -476,7 +476,9 @@ int manager_new(Manager **ret) {          m->mdns_ipv4_fd = m->mdns_ipv6_fd = -1;          m->hostname_fd = -1; -        m->llmnr_support = SUPPORT_YES; +        m->llmnr_support = RESOLVE_SUPPORT_YES; +        m->mdns_support = RESOLVE_SUPPORT_NO; +        m->dnssec_mode = DNSSEC_NO;          m->read_resolv_conf = true;          m->need_builtin_fallbacks = true; @@ -484,6 +486,10 @@ int manager_new(Manager **ret) {          if (r < 0)                  return r; +        r = manager_parse_config_file(m); +        if (r < 0) +                return r; +          r = sd_event_default(&m->event);          if (r < 0)                  return r; @@ -1163,10 +1169,3 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains) {          return 0;  } - -static const char* const support_table[_SUPPORT_MAX] = { -        [SUPPORT_NO] = "no", -        [SUPPORT_YES] = "yes", -        [SUPPORT_RESOLVE] = "resolve", -}; -DEFINE_STRING_TABLE_LOOKUP(support, Support); diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h index dd85d3ba47..1907d2e1bc 100644 --- a/src/resolve/resolved-manager.h +++ b/src/resolve/resolved-manager.h @@ -28,17 +28,9 @@  #include "hashmap.h"  #include "list.h"  #include "ordered-set.h" +#include "resolve-util.h"  typedef struct Manager Manager; -typedef enum Support Support; - -enum Support { -        SUPPORT_NO, -        SUPPORT_YES, -        SUPPORT_RESOLVE, -        _SUPPORT_MAX, -        _SUPPORT_INVALID = -1 -};  #include "resolved-dns-query.h"  #include "resolved-dns-search-domain.h" @@ -53,8 +45,9 @@ enum Support {  struct Manager {          sd_event *event; -        Support llmnr_support; -        Support mdns_support; +        ResolveSupport llmnr_support; +        ResolveSupport mdns_support; +        DnssecMode dnssec_mode;          /* Network */          Hashmap *links; @@ -165,6 +158,3 @@ int manager_is_own_hostname(Manager *m, const char *name);  int manager_compile_dns_servers(Manager *m, OrderedSet **servers);  int manager_compile_search_domains(Manager *m, OrderedSet **domains); - -const char* support_to_string(Support p) _const_; -int support_from_string(const char *s) _pure_; diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c index 7c1012f4ea..d5b253d4f5 100644 --- a/src/resolve/resolved-mdns.c +++ b/src/resolve/resolved-mdns.c @@ -42,7 +42,7 @@ int manager_mdns_start(Manager *m) {          assert(m); -        if (m->mdns_support == SUPPORT_NO) +        if (m->mdns_support == RESOLVE_SUPPORT_NO)                  return 0;          r = manager_mdns_ipv4_fd(m); @@ -63,7 +63,7 @@ int manager_mdns_start(Manager *m) {  eaddrinuse:          log_warning("There appears to be another mDNS responder running. Turning off mDNS support."); -        m->mdns_support = SUPPORT_NO; +        m->mdns_support = RESOLVE_SUPPORT_NO;          manager_mdns_stop(m);          return 0; diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c index be406b71fe..472bb32764 100644 --- a/src/resolve/resolved.c +++ b/src/resolve/resolved.c @@ -81,12 +81,6 @@ int main(int argc, char *argv[]) {                  goto finish;          } -        r = manager_parse_config_file(m); -        if (r < 0) { -                log_error_errno(r, "Failed to parse configuration file: %m"); -                goto finish; -        } -          r = manager_start(m);          if (r < 0) {                  log_error_errno(r, "Failed to start manager: %m"); diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in index efc9c6733a..0ba572d113 100644 --- a/src/resolve/resolved.conf.in +++ b/src/resolve/resolved.conf.in @@ -16,4 +16,5 @@  #FallbackDNS=@DNS_SERVERS@  #Domains=  #LLMNR=yes +#MulticastDNS=no  #DNSSEC=no | 
