summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-12-10resolved: cache - don't flush the cache of mDNS records unneccesarilyTom Gundersen
When the DNS_RESOURCE_KEY_CACHE_FLUSH flag is not set for an mDNS packet, we should not flush the cache for RRs with matching keys. However, we were unconditionally flushing the cache also for these packets. Now mark all packets as cache_flush by default, except for these mDNS packets, and respect that flag in the cache handling. This fixes 90325e8c2e559a21ef0bc2f26b844c140faf8020.
2015-12-10TODOTom Gundersen
2015-12-10resolved: cache - rework which RR types we apply redirection toTom Gundersen
The logic of dns_cache_get() is now: - look up the precise key; - look up NXDOMAIN item; - if an RR type that may be redirected (i.e., not CNAME, DNAME, RRSIG, NSEC, NSEC3, SIG, KEY, or NXT) look up a correpsonding CNAME or DNAME record; - look up a corresponding NSEC record; Before this change we would give up before potentially finding negative cache entries for DNAME, CNAME and NSEC records, we would return NSEC records for aliases where we had DNAME or CNAME records available and we would incorrectly try to redirect DNSSEC RRs.
2015-12-10resolved: cache - improve loggingTom Gundersen
Some DNS servers will hand out negative answers without SOA records, these can not be cached, so log about that fact.
2015-12-10resolved: cache - don't cache NXDOMAIN by TYPETom Gundersen
An NXDOMAIN entry means there are no RRs of any type for a name, so only cache by CLASS + NAME, rather than CLASS + NAME + TYPE.
2015-12-10resolved: cache - do negative caching only on the canonical nameTom Gundersen
Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-10Merge pull request #2129 from poettering/dnssec3Tom Gundersen
Third DNSSEC patch series
2015-12-10Merge pull request #2086 from evverx/fix-journal-upload-installationLennart Poettering
build: fix systemd-journal-upload installation
2015-12-10README: Recommend kinvolk regarding engineering servicesLennart Poettering
They are our friends, do systemd development, hence add them.
2015-12-10Merge pull request #2076 from keszybz/downgrade-masked-unit-messageLennart Poettering
core: do not warn about Wants depencencies on masked units
2015-12-10resolved: rename dns_transaction_prepare_next_attempt()Lennart Poettering
Let's simply call it dns_transaction_prepare(), so that we have the nice cycle for prepare() → go() → emit() → process(). After all it's pretty clear that what we prepare there, and we dont call the others go_next_attempt(), emit_next_attempt() or process_next_attempt().
2015-12-10journal: make mmap_cache_unref() a NOP when NULL is passed, like all other ↵Lennart Poettering
destructors
2015-12-10resolved: don't accept doing queries for invalid RR typesLennart Poettering
2015-12-10resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabledLennart Poettering
This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-10resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support ↵Lennart Poettering
the DNSKEY's algorithm As long as we support the digest we are good.
2015-12-10resolved: when matching up RRSIG and DNSKEY RRs, use the RRSIG's signer ↵Lennart Poettering
name, not the owner name When the DNSKEY is in higher zone, then that's OK, and we need to check the RRSIG's signer name against the DNSKEY hence.
2015-12-10resolved: fix sorting of RRsetsLennart Poettering
We actually maintain an array of pointers to RRs, not of RRs themselves, fix the qsort() invocation accordingly.
2015-12-10resolved: grow DnsAnswer exponentiallyLennart Poettering
When increasing the DnsAnswer array, don't operate piecemeal, grow the array exponentially. This way, the default logic for DnsAnswer allocations matches the behaviour for GREEDY_REALLOC and suchlike, and we can reduce the number of necessary allocations.
2015-12-10resolved: log when we chase a CNAME RRLennart Poettering
2015-12-10resolved: reenable caching for LLMNRLennart Poettering
This got borked in 547493c5ad5c82032e247609970f96be76c2d661.
2015-12-10resolved: split out check whether reply matches our questionLennart Poettering
It's complicated enough, it deserves its own call. (Also contains some unrelated whitespace, comment and assertion changes)
2015-12-10resolved: IXFR and AXFR cannot be the type of RRs, only of RR keysLennart Poettering
Enforce this while parsing RRs.
2015-12-10resolved: when parsing DNS packets, handle OPT RR speciallyLennart Poettering
As soon as we encounter the OPT RR while parsing, store it in a special field in the DnsPacket structure. That way, we won't be confused if we iterate through RRs, and can check that there's really only one of these RRs around.
2015-12-10resolved: refuse modifying DnsAnswer objects that have more than one referenceLennart Poettering
DnsAnswer objects should be considered immutable after having passed to more than one user, i.e. with a reference counter > 1. Enforce that in code, so that we can track down misuses easier.
2015-12-10resolved: fix libgcrypt error checkingLennart Poettering
libgcrypt encodes the error source in the error code, we need to mask that away before comparing error codes.
2015-12-10build-sys: libgcrypt error messages make no sense without libgpg-errorLennart Poettering
Hence, pull in this library too, if we need libgcrypt.
2015-12-10resolved: split out logic to flush DnsAnswer objectsLennart Poettering
Let's simplify things, by making this a function call of its own.
2015-12-10resolved: honour RFC6761's ban on the invalid TLDLennart Poettering
2015-12-10resolved: fix DNS_ANSWER_FOREACH_IFINDEX() to not collide with user defined ↵Lennart Poettering
ifindex variable
2015-12-10resolved: partially revert 5eefe54Lennart Poettering
Quoting @teg: "Contrary to what the comment said, we always verify redirect chains in full, and cache all the CNAME records. There is therefore no need to do extra negative caching along a CNAME chain." This simply steals @teg's commit since we'll touch the SOA matching case in a later patch, and rather want this bit gone, so that we don't have to "fix" it, only to remove it later on.
2015-12-10resolved: when outputting RRs in text form, append a trailing dot to owner namesLennart Poettering
After all, that's how this is done in DNS, and is particularly important if we look a DS/DNSKEY RRs for the root zone itself, where the owner name would otherwise be shown as completely empty (i.e. missing).
2015-12-10resolved: shortcut RR comparisons if pointers matchLennart Poettering
When iterating through RR lists we frequently end up comparing RRs and RR keys with themselves, hence att a minor optimization to check ptr values first, before doing a deep comparison.
2015-12-10resolved: fix parameter type of dns_type_is_pseudo()Lennart Poettering
DNS RR types are uint16_t after all, treat them as such.
2015-12-10Merge pull request #2056 from evverx/expose-soft-limits-on-the-busLennart Poettering
Expose soft limits on the bus
2015-12-10Merge pull request #2128 from zonque/resolved-mdns-2Lennart Poettering
resolved: more mDNS specific bits (2)
2015-12-10resolved: add more linked packets for overlong known answersDaniel Mack
For mDNS, if we're unable to stuff all known answers into the given packet, allocate a new one, push the RR into that one and link it to the current one.
2015-12-10resolved: handle linked packet in dns_scope_emit()Daniel Mack
In dns_scope_emit(), walk the list of additional packets and emit all of them. Set the TC bit in all but the last of them. This is specific to mDNS, so an assertion is triggered if used with other protocols.
2015-12-10resolved: add support for linked packetsDaniel Mack
For mDNS, we need to support the TC bit in case the list of known answers exceed the maximum packet size. For this, add a 'more' pointer to DnsPacket for an additional packet. When a packet is unref'ed, the ->more packet is also unrefed, so it sufficient to only keep track of the 1st packet in a chain.
2015-12-10resolved: add dns_packet_set_flags()Daniel Mack
We need to support the TC bit in queries in case known answers exceed the maximum packet size. Factor out the flags compilation to dns_packet_set_flags() and make it externally available.
2015-12-09Merge pull request #2108 from evverx/fix-distcheck-for-disable-resolvedLennart Poettering
build-sys: move "dist" parts out of conditionals
2015-12-09resolved: llmnr, mdns: simplify error handlingDaniel Mack
sd_event_add_io() returns the error directly and does not mess with errno.
2015-12-09resolved: don't send .local requests to DNS serversDaniel Mack
DNS names ending with .local are specific to mDNS, so don't use them on DNS scopes.
2015-12-09Merge pull request #2110 from keszybz/udev-indentationDaniel Mack
Udev indentation
2015-12-09build: fix systemd-journal-upload installationEvgeny Vereshchagin
Fixes: $ ./configure ... --disable-microhttpd --enable-libcurl --enable-sysusers $ make && make install DESTDIR=$(pwd)/INST $ ls INST/usr/lib/sysusers.d/ basic.conf systemd.conf There is no a file with `systemd-journald-upload`
2015-12-08build-sys: move "dist" parts out of conditionalsEvgeny Vereshchagin
This is a follow-up for commit f47477332ff
2015-12-08Merge pull request #2115 from dvdhrm/rbtreeTom Gundersen
basic: add RB-Tree implementation
2015-12-08Merge pull request #2122 from zonque/resolved-mdns-1Tom Gundersen
resolved: more mDNS specific bits
2015-12-08resolved: add dns_cache_export_to_packet()Daniel Mack
This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
2015-12-08resolved: implement query coalescingDaniel Mack
Implement dns_transaction_make_packet_mdns(), a special version of dns_transaction_make_packet() for mDNS which differs in many ways: a) We coalesce queries of currently active transaction on the scope. This is possible because mDNS actually allows many questions in a to be sent in a single packet and it takes some burden from the network. b) Both A and AAAA query keys are broadcast on both IPv4 and IPv6 scopes, because other hosts might only respond on one of their addresses but resolve both types. c) We discard previously sent packages (t->sent) so we can start over and coalesce pending transactions again.
2015-12-08resolved: add 'next_attempt_after' field to DnsTransactionDaniel Mack
For each transaction, record when the earliest point in time when the query packet may hit the wire. This is the same time stamp for which the timer is scheduled in retries, except for the initial query packets which are delayed by a random jitter. In this case, we denote that the packet may actually be sent at the nominal time, without the jitter. Transactions that share the same timestamp will also have identical values in this field. It is used to coalesce pending queries in a later patch.