summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2015-12-14resolved: add basic proof of non-existance support for NSEC+NSEC3Lennart Poettering
Note that this is not complete yet, as we don't handle wildcard domains correctly, nor handle domains correctly that use empty non-terminals.
2015-12-14resolved: when serializing NSEC3 windows, don't write more windows than ↵Lennart Poettering
necessary
2015-12-14resolved: constify a parameterLennart Poettering
2015-12-14resolved: always consider NSEC/NSEC3 RRs as "primary"Lennart Poettering
It's not OK to drop these for our proof of non-existance checks.
2015-12-14resolved: don't choke on NULL DNS transactions when determining query ↵Lennart Poettering
candidate state
2015-12-14resolved: initialize libgcrypt before using itLennart Poettering
2015-12-14resolved: rework how we get the gcrypt digest algorithm ID from DNSSEC ↵Lennart Poettering
digest ids Let's move this into a function digest_to_gcrypt() that we can reuse later on when implementing NSEC3 validation.
2015-12-14resolved: apparently not all names are used in canonical form for DNSSEC ↵Lennart Poettering
validation Specifically, it appears as if the NSEC next domain name should be in the original casing rather than canonical form, when validating.
2015-12-14Merge pull request #2165 from torstehu/fix-typo2Daniel Mack
treewide: fix typos and indentation
2015-12-14treewide: fix typos and indentationTorstein Husebø
2015-12-13Merge pull request #2152 from evverx/respect-disable-testsDaniel Mack
build-sys: fix --disable-tests
2015-12-13build-sys: fix --disable-testsEvgeny Vereshchagin
Fixes: $ ./configure ... --disable-tests $ make $ sudo make check FAIL: test/udev-test.pl PASS: test/rule-syntax-check.py PASS: test/sysv-generator-test.py ...
2015-12-12Merge pull request #2148 from evverx/fix-enable-smackDaniel Mack
build-sys: fix ./configure --enable-smack
2015-12-12build-sys: refactor `have_smack` detectionEvgeny Vereshchagin
2015-12-12build-sys: fix ./configure --enable-smackEvgeny Vereshchagin
Fixes: $ ./configure ... --enable-smack $ make src/core/load-fragment-gperf.c $ grep -i smack src/core/load-fragment-gperf.c {"Swap.SmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, 0}, ... should be {"Swap.SmackProcessLabel", config_parse_exec_smack_process_label, 0, offsetof(Swap, exec_context)}, ...
2015-12-11Merge pull request #2143 from poettering/dnssec4Tom Gundersen
Another batch of DNSSEC fixes
2015-12-11resolved: don't eat up errorsLennart Poettering
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname() may return errors as negative return values. Make sure to propagate those.
2015-12-11resolved: refactor DNSSEC answer validationLennart Poettering
This changes answer validation to be more accepting to unordered RRs in responses. The agorithm we now implement goes something like this: 1. populate validated keys list for this transaction from DS RRs 2. as long as the following changes the unvalidated answer list: 2a. try to validate the first RRset we find in unvalidated answer list 2b. if that worked: add to validated answer; if DNSKEY also add to validated keys list; remove from unvalidated answer. 2c. continue at 2a, with the next RRset, or restart from the beginning when we hit the end 3. as long as the following changes the unvalidated answer list: 3a. try to validate the first RRset again. This will necessarily fail, but we learn the precise error 3b. If this was a "primary" response to the question, fail the entire transaction. "Primary" in this context means that it is directly a response to the query, or a CNAME/DNAME for it. 3c. Otherwise, remove the RRset from the unvalidated answer list. Note that we the too loops in 2 + 3 are actually coded as a single one, but the dnskeys_finalized bool indicates which loop we are currently processing. Note that loop 2 does not drop any invalidated RRsets yet, that's something only loop 3 does. This is because loop 2 might still encounter additional DNSKEYS which might validate more stuff, and if we'd already have dropped those RRsets we couldn't validate those anymore. The first loop is hence a "constructive" loop, the second loop a "destructive" one: the first one validates whatever is possible, the second one then deletes whatever still isn't.
2015-12-11resolved: rework dnssec validation resultsLennart Poettering
This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is returned when we encounter an unsupported crypto algorithm when trying to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP in this case, but it's better to consider this a non-error DNSSEC validation result, since our reaction to this case needs to be more like in cases such as expired or missing keys: we need to keep continue validation looking for another RRSIG/DNSKEY combination that works better for us. This also reworks how dnssec_validate_rrsig_search() propagates errors from dnssec_validate_rrsig(). Previously, errors such as unsupported algorithms or expired signatures would not be propagated, but simply be returned as "missing-key".
2015-12-11resolved: rework how and when the number of answer RRs to cache is determinedLennart Poettering
Instead of figuring out how many RRs to cache right before we do so, determine this at the time we install the answer RRs, so that we can still alter this as we manipulate the answer during validation. The primary purpose of this is to pave the way so that we can drop unsigned RRsets from the answer and invalidate the number of RRs to cache at the same time.
2015-12-11resolved: generalize DNS RR type validity checksLennart Poettering
Check the validity of RR types as we parse or receive data from IPC clients, and use the same code for all of them.
2015-12-11resolved: refuse OPT RRs in incoming packets that are not in the additional ↵Lennart Poettering
section We later rely that the DnsAnswer object contains all RRs from the original packet, at least when it comes to the answer and authorization sections, hence we better make sure we don#t silently end up removing an OPT RR from these two sections.
2015-12-11resolved: refuse to cache ANY kind of pseudo-RR-typeLennart Poettering
2015-12-11resolved: no need to check for NULL explicitly before invoking ↵Lennart Poettering
dns_packet_unref()
2015-12-11resolved: extend list of pseudo RR typesLennart Poettering
Also, explain the situation with a longer comment.
2015-12-10Merge pull request #2096 from teg/resolved-cacheDaniel Mack
Misc resolved cache fixes
2015-12-10resolved: cache - only stringify RR keys when in debug modeTom Gundersen
This is in the fast path, so let's not do all this work unneccessarily.
2015-12-10resolved: cache - don't flush the cache of mDNS records unneccesarilyTom Gundersen
When the DNS_RESOURCE_KEY_CACHE_FLUSH flag is not set for an mDNS packet, we should not flush the cache for RRs with matching keys. However, we were unconditionally flushing the cache also for these packets. Now mark all packets as cache_flush by default, except for these mDNS packets, and respect that flag in the cache handling. This fixes 90325e8c2e559a21ef0bc2f26b844c140faf8020.
2015-12-10TODOTom Gundersen
2015-12-10Merge pull request #2133 from poettering/import-drop-dkrDaniel Mack
importd: drop dkr support
2015-12-10resolved: cache - rework which RR types we apply redirection toTom Gundersen
The logic of dns_cache_get() is now: - look up the precise key; - look up NXDOMAIN item; - if an RR type that may be redirected (i.e., not CNAME, DNAME, RRSIG, NSEC, NSEC3, SIG, KEY, or NXT) look up a correpsonding CNAME or DNAME record; - look up a corresponding NSEC record; Before this change we would give up before potentially finding negative cache entries for DNAME, CNAME and NSEC records, we would return NSEC records for aliases where we had DNAME or CNAME records available and we would incorrectly try to redirect DNSSEC RRs.
2015-12-10resolved: cache - improve loggingTom Gundersen
Some DNS servers will hand out negative answers without SOA records, these can not be cached, so log about that fact.
2015-12-10resolved: cache - don't cache NXDOMAIN by TYPETom Gundersen
An NXDOMAIN entry means there are no RRs of any type for a name, so only cache by CLASS + NAME, rather than CLASS + NAME + TYPE.
2015-12-10resolved: cache - do negative caching only on the canonical nameTom Gundersen
Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-10Merge pull request #2134 from jorgenschaefer/detect-ipv6-with-sockstat6Daniel Mack
Use /proc/net/sockstat6 to detect IPv6 support
2015-12-10importd: drop dkr supportLennart Poettering
The current code is not compatible with current dkr protocols anyway, and dkr has a different focus ("microservices") than nspawn anyway ("whole machine containers"), hence drop support for it, we cannot reasonably keep this up to date, and it creates the impression we'd actually care for the microservices usecase.
2015-12-10Merge pull request #2135 from zonque/resolved-mdns-3Lennart Poettering
resolved: more mDNS specific bits (3)
2015-12-10resolved: make sure the packet's transaction ID is always 0 for mDNSDaniel Mack
RFC6762, 18.1: In multicast query messages, the Query Identifier SHOULD be set to zero on transmission.
2015-12-10resolved: discard any reply packet that contains a bogus nameDaniel Mack
Only .in-addr.arpa and .local are considered local in mDNS, so discard the packet if anything else is thrown at us.
2015-12-10Merge pull request #2129 from poettering/dnssec3Tom Gundersen
Third DNSSEC patch series
2015-12-10Use /proc/net/sockstat6 to detect IPv6 supportJorgen Schaefer
The file /sys/module/ipv6 does not exist in all container implementations (e.g. Virtuozzo). Using /proc/net/sockstat6 detects IPv6 support reliably in these environments, too. This file does not exist when the kernel is not compiled with IPv6 support, or if IPv6 support is disabled, so simply checking for existence should be a suitable check. Fixes #2059
2015-12-10Merge pull request #2086 from evverx/fix-journal-upload-installationLennart Poettering
build: fix systemd-journal-upload installation
2015-12-10README: Recommend kinvolk regarding engineering servicesLennart Poettering
They are our friends, do systemd development, hence add them.
2015-12-10Merge pull request #2076 from keszybz/downgrade-masked-unit-messageLennart Poettering
core: do not warn about Wants depencencies on masked units
2015-12-10resolved: rename dns_transaction_prepare_next_attempt()Lennart Poettering
Let's simply call it dns_transaction_prepare(), so that we have the nice cycle for prepare() → go() → emit() → process(). After all it's pretty clear that what we prepare there, and we dont call the others go_next_attempt(), emit_next_attempt() or process_next_attempt().
2015-12-10journal: make mmap_cache_unref() a NOP when NULL is passed, like all other ↵Lennart Poettering
destructors
2015-12-10resolved: don't accept doing queries for invalid RR typesLennart Poettering
2015-12-10resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabledLennart Poettering
This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-10resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support ↵Lennart Poettering
the DNSKEY's algorithm As long as we support the digest we are good.
2015-12-10resolved: when matching up RRSIG and DNSKEY RRs, use the RRSIG's signer ↵Lennart Poettering
name, not the owner name When the DNSKEY is in higher zone, then that's OK, and we need to check the RRSIG's signer name against the DNSKEY hence.