Age | Commit message (Collapse) | Author |
|
OK to be unsigned
This large patch adds a couple of mechanisms to ensure we get NSEC3 and
proof-of-unsigned support into place. Specifically:
- Each item in an DnsAnswer gets two bit flags now:
DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is
necessary since DNS responses might contain signed as well as unsigned
RRsets in one, and we need to remember which ones are signed and which
ones aren't. The latter is necessary, since not we need to keep track
which RRsets may be cached and which ones may not be, even while
manipulating DnsAnswer objects.
- The .n_answer_cachable of DnsTransaction is dropped now (it used to
store how many of the first DnsAnswer entries are cachable), and
replaced by the DNS_ANSWER_CACHABLE flag instead.
- NSEC3 proofs are implemented now (lacking support for the wildcard
part, to be added in a later commit).
- Support for the "AD" bit has been dropped. It's unsafe, and now that
we have end-to-end authentication we don't need it anymore.
- An auxiliary DnsTransaction of a DnsTransactions is now kept around as
least as long as the latter stays around. We no longer remove the
auxiliary DnsTransaction as soon as it completed. THis is necessary,
as we now are interested not only in the RRsets it acquired but also
in its authentication status.
|
|
Let's be safe and explicitly avoid that we add an auxiliary transaction
dependency on ourselves.
|
|
The DNS_ANSWER_FOREACH macros do this internally anyway, no need to
duplicate this.
|
|
We need no separate timeout anymore as soon as we received a reply, as
the auxiliary transactions have their own timeouts.
|
|
|
|
they are destroyed
A failing transaction might cause other transactions to fail too, and
thus the set of transactions to notify for a transaction might change
while we are notifying them. Protect against that.
|
|
|
|
|
|
We end up needing the stringified transaction key in many log messages,
hence let's simplify the logic and cache it inside of the transaction:
generate it the first time we need it, and reuse it afterwards. Free it
when the transaction goes away.
This also updated a couple of log messages to make use of this.
|
|
|
|
|
|
Resolve: misc cleanups
|
|
|
|
|
|
Manager status
|
|
man: fix typo in journal-remote.conf(5)
|
|
|
|
Fifth batch of DNSSEC support patches
|
|
journal-remote: add documents in the unit files
|
|
basic: ENABLE_DEBUG_HASHMAP needs <pthread.h>
|
|
this is a follow-up for commit 11c3a36649e5e5e77db499c92f3
|
|
|
|
|
|
Note that this is not complete yet, as we don't handle wildcard domains
correctly, nor handle domains correctly that use empty non-terminals.
|
|
necessary
|
|
|
|
It's not OK to drop these for our proof of non-existance checks.
|
|
candidate state
|
|
|
|
digest ids
Let's move this into a function digest_to_gcrypt() that we can reuse
later on when implementing NSEC3 validation.
|
|
validation
Specifically, it appears as if the NSEC next domain name should be in
the original casing rather than canonical form, when validating.
|
|
treewide: fix typos and indentation
|
|
|
|
Output the same message when a request to change the log level is
received over dbus and through a signal. From the user point of view
those two operations are very similar and it's easy to think that the
dbus operation didn't work when the expected message is not emitted.
Also "downgrade" the message level to info, since this is a normal
user initiated action.
|
|
This way we can only print the debug message when the status actually
changes. We also means we don't print anything when running in --user
mode, where status output is always disabled.
|
|
build-sys: fix --disable-tests
|
|
Fixes:
$ ./configure ... --disable-tests
$ make
$ sudo make check
FAIL: test/udev-test.pl
PASS: test/rule-syntax-check.py
PASS: test/sysv-generator-test.py
...
|
|
build-sys: fix ./configure --enable-smack
|
|
|
|
Fixes:
$ ./configure ... --enable-smack
$ make src/core/load-fragment-gperf.c
$ grep -i smack src/core/load-fragment-gperf.c
{"Swap.SmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, 0},
...
should be
{"Swap.SmackProcessLabel", config_parse_exec_smack_process_label, 0, offsetof(Swap, exec_context)},
...
|
|
Another batch of DNSSEC fixes
|
|
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname()
may return errors as negative return values. Make sure to propagate
those.
|
|
This changes answer validation to be more accepting to unordered RRs in
responses. The agorithm we now implement goes something like this:
1. populate validated keys list for this transaction from DS RRs
2. as long as the following changes the unvalidated answer list:
2a. try to validate the first RRset we find in unvalidated answer
list
2b. if that worked: add to validated answer; if DNSKEY also add to
validated keys list; remove from unvalidated answer.
2c. continue at 2a, with the next RRset, or restart from the
beginning when we hit the end
3. as long as the following changes the unvalidated answer list:
3a. try to validate the first RRset again. This will necessarily
fail, but we learn the precise error
3b. If this was a "primary" response to the question, fail the
entire transaction. "Primary" in this context means that it is
directly a response to the query, or a CNAME/DNAME for it.
3c. Otherwise, remove the RRset from the unvalidated answer list.
Note that we the too loops in 2 + 3 are actually coded as a single one,
but the dnskeys_finalized bool indicates which loop we are currently
processing.
Note that loop 2 does not drop any invalidated RRsets yet, that's
something only loop 3 does. This is because loop 2 might still encounter
additional DNSKEYS which might validate more stuff, and if we'd already
have dropped those RRsets we couldn't validate those anymore. The first
loop is hence a "constructive" loop, the second loop a "destructive"
one: the first one validates whatever is possible, the second one then
deletes whatever still isn't.
|
|
This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is
returned when we encounter an unsupported crypto algorithm when trying
to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP
in this case, but it's better to consider this a non-error DNSSEC
validation result, since our reaction to this case needs to be more like
in cases such as expired or missing keys: we need to keep continue
validation looking for another RRSIG/DNSKEY combination that works
better for us.
This also reworks how dnssec_validate_rrsig_search() propagates errors
from dnssec_validate_rrsig(). Previously, errors such as unsupported
algorithms or expired signatures would not be propagated, but simply be
returned as "missing-key".
|
|
Instead of figuring out how many RRs to cache right before we do so,
determine this at the time we install the answer RRs, so that we can
still alter this as we manipulate the answer during validation.
The primary purpose of this is to pave the way so that we can drop
unsigned RRsets from the answer and invalidate the number of RRs to
cache at the same time.
|
|
Check the validity of RR types as we parse or receive data from IPC
clients, and use the same code for all of them.
|
|
section
We later rely that the DnsAnswer object contains all RRs from the
original packet, at least when it comes to the answer and authorization
sections, hence we better make sure we don#t silently end up removing an
OPT RR from these two sections.
|
|
|
|
dns_packet_unref()
|
|
Also, explain the situation with a longer comment.
|