summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/basic/missing.h8
-rw-r--r--src/core/timer.c2
-rw-r--r--src/network/networkd-manager.c19
-rw-r--r--src/resolve/dns-type.c17
-rw-r--r--src/resolve/dns-type.h1
-rw-r--r--src/resolve/resolve-tool.c17
-rw-r--r--src/resolve/resolved-bus.c34
-rw-r--r--src/resolve/resolved-manager.c2
-rw-r--r--src/resolve/resolved.conf.in2
-rw-r--r--src/udev/udevd.c2
10 files changed, 81 insertions, 23 deletions
diff --git a/src/basic/missing.h b/src/basic/missing.h
index 4d3764c022..f3d32362bd 100644
--- a/src/basic/missing.h
+++ b/src/basic/missing.h
@@ -167,7 +167,7 @@ static inline int pivot_root(const char *new_root, const char *put_old) {
# endif
#endif
-#ifndef HAVE_MEMFD_CREATE
+#if !HAVE_DECL_MEMFD_CREATE
static inline int memfd_create(const char *name, unsigned int flags) {
return syscall(__NR_memfd_create, name, flags);
}
@@ -1089,7 +1089,7 @@ static inline int kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, uns
#define INPUT_PROP_ACCELEROMETER 0x06
#endif
-#if !HAVE_DECL_KEY_SERIAL_T
+#ifndef HAVE_KEY_SERIAL_T
typedef int32_t key_serial_t;
#endif
@@ -1160,11 +1160,11 @@ static inline key_serial_t request_key(const char *type, const char *description
#ifndef IF_OPER_UP
#define IF_OPER_UP 6
-#ifndef HAVE_DECL_CHAR32_T
+#ifndef HAVE_CHAR32_T
#define char32_t uint32_t
#endif
-#ifndef HAVE_DECL_CHAR16_T
+#ifndef HAVE_CHAR16_T
#define char16_t uint16_t
#endif
diff --git a/src/core/timer.c b/src/core/timer.c
index 6f3e6a8db3..3d0bae16e5 100644
--- a/src/core/timer.c
+++ b/src/core/timer.c
@@ -334,7 +334,7 @@ static void add_random(Timer *t, usec_t *v) {
usec_t add;
assert(t);
- assert(*v);
+ assert(v);
if (t->random_usec == 0)
return;
diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index b527191a5a..b8cb7f875d 100644
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -1091,22 +1091,19 @@ static bool manager_check_idle(void *userdata) {
assert(m);
+ /* Check whether we are idle now. The only case when we decide to be idle is when there's only a loopback
+ * device around, for which we have no configuration, and which already left the PENDING state. In all other
+ * cases we are not idle. */
+
HASHMAP_FOREACH(link, m->links, i) {
- /* we are not woken on udev activity, so let's just wait for the
- * pending udev event */
+ /* We are not woken on udev activity, so let's just wait for the pending udev event */
if (link->state == LINK_STATE_PENDING)
return false;
- if (!link->network)
- continue;
+ if ((link->flags & IFF_LOOPBACK) == 0)
+ return false;
- /* we are not woken on netork activity, so let's stay around */
- if (link_lldp_enabled(link) ||
- link_ipv4ll_enabled(link) ||
- link_dhcp4_server_enabled(link) ||
- link_dhcp4_enabled(link) ||
- link_dhcp6_enabled(link) ||
- link_ipv6_accept_ra_enabled(link))
+ if (link->network)
return false;
}
diff --git a/src/resolve/dns-type.c b/src/resolve/dns-type.c
index b2f479cae5..78d9d5733f 100644
--- a/src/resolve/dns-type.c
+++ b/src/resolve/dns-type.c
@@ -193,6 +193,23 @@ bool dns_type_is_obsolete(uint16_t type) {
DNS_TYPE_NULL);
}
+bool dns_type_needs_authentication(uint16_t type) {
+
+ /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
+ * authenticated. I.e. everything that contains crypto keys. */
+
+ return IN_SET(type,
+ DNS_TYPE_CERT,
+ DNS_TYPE_SSHFP,
+ DNS_TYPE_IPSECKEY,
+ DNS_TYPE_DS,
+ DNS_TYPE_DNSKEY,
+ DNS_TYPE_TLSA,
+ DNS_TYPE_CDNSKEY,
+ DNS_TYPE_OPENPGPKEY,
+ DNS_TYPE_CAA);
+}
+
int dns_type_to_af(uint16_t t) {
switch (t) {
diff --git a/src/resolve/dns-type.h b/src/resolve/dns-type.h
index f18ac6eef3..fb7babf12a 100644
--- a/src/resolve/dns-type.h
+++ b/src/resolve/dns-type.h
@@ -132,6 +132,7 @@ bool dns_type_is_dnssec(uint16_t type);
bool dns_type_is_obsolete(uint16_t type);
bool dns_type_may_wildcard(uint16_t type);
bool dns_type_apex_only(uint16_t type);
+bool dns_type_needs_authentication(uint16_t type);
int dns_type_to_af(uint16_t t);
bool dns_class_is_pseudo(uint16_t class);
diff --git a/src/resolve/resolve-tool.c b/src/resolve/resolve-tool.c
index 9aade8e490..c1be03fbb2 100644
--- a/src/resolve/resolve-tool.c
+++ b/src/resolve/resolve-tool.c
@@ -339,6 +339,7 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
uint64_t flags;
int r;
usec_t ts;
+ bool needs_authentication = false;
assert(name);
@@ -421,6 +422,10 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex);
printf("%s%s%s\n", s, isempty(ifname) ? "" : " # interface ", ifname);
+
+ if (dns_type_needs_authentication(t))
+ needs_authentication = true;
+
n++;
}
if (r < 0)
@@ -441,6 +446,18 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_
print_source(flags, ts);
+ if ((flags & SD_RESOLVED_AUTHENTICATED) == 0 && needs_authentication) {
+ fflush(stdout);
+
+ fprintf(stderr, "\n%s"
+ "WARNING: The resources shown contain cryptographic key data which could not be\n"
+ " authenticated. It is not suitable to authenticate any communication.\n"
+ " This is usually indication that DNSSEC authentication was not enabled\n"
+ " or is not available for the selected protocol or DNS servers.%s\n",
+ ansi_highlight_red(),
+ ansi_normal());
+ }
+
return 0;
}
diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c
index 6f08c43327..2d94baeb7e 100644
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@@ -140,6 +140,7 @@ static int append_address(sd_bus_message *reply, DnsResourceRecord *rr, int ifin
static void bus_method_resolve_hostname_complete(DnsQuery *q) {
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL;
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
+ _cleanup_free_ char *normalized = NULL;
DnsResourceRecord *rr;
unsigned added = 0;
int ifindex, r;
@@ -199,11 +200,17 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) {
if (r < 0)
goto finish;
+ /* The key names are not necessarily normalized, make sure that they are when we return them to our bus
+ * clients. */
+ r = dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized);
+ if (r < 0)
+ goto finish;
+
/* Return the precise spelling and uppercasing and CNAME target reported by the server */
assert(canonical);
r = sd_bus_message_append(
reply, "st",
- DNS_RESOURCE_KEY_NAME(canonical->key),
+ normalized,
SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
if (r < 0)
goto finish;
@@ -395,13 +402,19 @@ static void bus_method_resolve_address_complete(DnsQuery *q) {
question = dns_query_question_for_protocol(q, q->answer_protocol);
DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, q->answer) {
+ _cleanup_free_ char *normalized = NULL;
+
r = dns_question_matches_rr(question, rr, NULL);
if (r < 0)
goto finish;
if (r == 0)
continue;
- r = sd_bus_message_append(reply, "(is)", ifindex, rr->ptr.name);
+ r = dns_name_normalize(rr->ptr.name, &normalized);
+ if (r < 0)
+ goto finish;
+
+ r = sd_bus_message_append(reply, "(is)", ifindex, normalized);
if (r < 0)
goto finish;
@@ -671,6 +684,7 @@ fail:
static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr) {
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *canonical = NULL;
+ _cleanup_free_ char *normalized = NULL;
DnsQuery *aux;
int r;
@@ -727,10 +741,14 @@ static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr)
if (r < 0)
return r;
+ r = dns_name_normalize(rr->srv.name, &normalized);
+ if (r < 0)
+ return r;
+
r = sd_bus_message_append(
reply,
"qqqs",
- rr->srv.priority, rr->srv.weight, rr->srv.port, rr->srv.name);
+ rr->srv.priority, rr->srv.weight, rr->srv.port, normalized);
if (r < 0)
return r;
@@ -776,9 +794,17 @@ static int append_srv(DnsQuery *q, sd_bus_message *reply, DnsResourceRecord *rr)
if (r < 0)
return r;
+ if (canonical) {
+ normalized = mfree(normalized);
+
+ r = dns_name_normalize(DNS_RESOURCE_KEY_NAME(canonical->key), &normalized);
+ if (r < 0)
+ return r;
+ }
+
/* Note that above we appended the hostname as encoded in the
* SRV, and here the canonical hostname this maps to. */
- r = sd_bus_message_append(reply, "s", canonical ? DNS_RESOURCE_KEY_NAME(canonical->key) : rr->srv.name);
+ r = sd_bus_message_append(reply, "s", normalized);
if (r < 0)
return r;
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 7f9073448a..49e378614e 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -485,7 +485,7 @@ int manager_new(Manager **ret) {
m->llmnr_support = RESOLVE_SUPPORT_YES;
m->mdns_support = RESOLVE_SUPPORT_NO;
- m->dnssec_mode = DNSSEC_NO;
+ m->dnssec_mode = DEFAULT_DNSSEC_MODE;
m->read_resolv_conf = true;
m->need_builtin_fallbacks = true;
m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY;
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
index efc9c6733a..a288588924 100644
--- a/src/resolve/resolved.conf.in
+++ b/src/resolve/resolved.conf.in
@@ -16,4 +16,4 @@
#FallbackDNS=@DNS_SERVERS@
#Domains=
#LLMNR=yes
-#DNSSEC=no
+#DNSSEC=@DEFAULT_DNSSEC_MODE@
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index 2c1c4a967b..bb92f16352 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -1715,7 +1715,7 @@ int main(int argc, char *argv[]) {
by PID1. otherwise we are not guaranteed to have a dedicated cgroup */
r = cg_pid_get_path(SYSTEMD_CGROUP_CONTROLLER, 0, &cgroup);
if (r < 0) {
- if (r == -ENOENT || r == -ENOEXEC)
+ if (r == -ENOENT || r == -ENOMEDIUM)
log_debug_errno(r, "did not find dedicated cgroup: %m");
else
log_warning_errno(r, "failed to get cgroup: %m");