summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-01-03Merge pull request #2256 from poettering/dnssec10Tom Gundersen
Tenth DNSSEC patch set
2016-01-03resolve: add RFC4501 URI support to systemd-resolve-hostLennart Poettering
2016-01-03resolved: add negative trust anchro support, and add trust anchor ↵Lennart Poettering
configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02resolved: fix serialization of the root domainLennart Poettering
2016-01-02resolved: only suffix RR key names with a dot if they don't have one yetLennart Poettering
2016-01-02resolved: don't accept NSEC3 iteration fields unboundedLennart Poettering
2016-01-02basic: modernize conf-files.c a bitLennart Poettering
2016-01-02resolved: explain why we don't check IP addresses/ports of incoming DNS UDP ↵Lennart Poettering
traffic
2016-01-02resolved: extend RFCs list a bitLennart Poettering
2016-01-01Merge pull request #2241 from poettering/dnssec9Tom Gundersen
Ninth DNSSEC patch set
2015-12-30Merge pull request #2229 from cjmayo/m500Martin Pitt
hwdb: move Logitech M-U0007 [M500] to 1000dpi
2015-12-29resolved: add a list of DNS-related RFCs and their implementation status in ↵Lennart Poettering
resolved
2015-12-29resolved: append RFC6975 algorithm data to EDNS OPT RRLennart Poettering
2015-12-29resolved: NSEC3 hash algorithms are distinct from DS digest algorithmsLennart Poettering
Previously, we'd use the same set of identifiers for both, but that's actually incorrect. It didn't matter much since the only NSEC3 hash algorithm defined (SHA-1) is mapped to code 1 which is also what it is encoded as in DS digests, but we really should make sure to use two distinct enumerations.
2015-12-29update DNSSEC TODOLennart Poettering
2015-12-29resolved: add comments referencing various RFCs to various placesLennart Poettering
2015-12-29resolved: include GOST in list of DNSSEC algorithmsLennart Poettering
We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.)
2015-12-29resolved: use CLAMP() intsead of MIN(MAX())Lennart Poettering
2015-12-29resolved: don't allow RRs with TTL=0 and TTL!=0 in the same RRsetLennart Poettering
2015-12-29resolved: parse EDNS0 rcode extension bitsLennart Poettering
2015-12-29resolved: reset RR TTL to 0, if MSB is setLennart Poettering
RFC 2181, Section 8 suggests to treat an RR TTL with the MSB set as 0. Implement this.
2015-12-29resolved: properly handle SRV RRs with the DNS root as hostnameLennart Poettering
2015-12-29resolved: add errno mapping for BUS_ERROR_CONNECTION_FAILURELennart Poettering
This was missing when the error type was added in ac720200b7e5b80cc4985087e38f3452e5b3b080.
2015-12-29resolved: change mapping of BUS_ERROR_NO_NAME_SERVERS to ESRCHLennart Poettering
EIO is really too generic, and indicates transmission problems.
2015-12-29Merge pull request #2237 from evverx/fix-valgrind-testsLennart Poettering
build-sys: fix valgrind-tests
2015-12-29Merge pull request #2239 from evverx/fix-memory-leak-in-test-bus-marshalLennart Poettering
tests: fix memory leak in test-bus-marshal
2015-12-29tests: fix memory leak in test-bus-marshalEvgeny Vereshchagin
Fixes: ``` $ ./configure ... --enable-dbus $ make $ make valgrind-tests TESTS=test-bus-marshal ... ==25301== 51 bytes in 1 blocks are definitely lost in loss record 7 of 18 ==25301== at 0x4C2DD9F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==25301== by 0x5496B8C: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x54973E3: _dbus_string_append_printf_valist (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x547E5C2: _dbus_set_error_valist (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x547E73E: dbus_set_error (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x548969A: dbus_message_demarshal (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3) ==25301== by 0x115C1A: main (test-bus-marshal.c:244) ==25301== ```
2015-12-29Merge pull request #2233 from kinvolk/alban/cgroup2-usernsLennart Poettering
nspawn: userns and unified cgroup: chown cgroup.events
2015-12-29build-sys: fix valgrind-testsEvgeny Vereshchagin
Fixes: ``` $ make valgrind-tests TESTS=test-acl-util GEN valgrind-tests Running test-acl-util /bin/bash: line 4: libtool: command not found ```
2015-12-28Merge pull request #2231 from phomes/resolve-misc2Tom Gundersen
Resolve misc2
2015-12-28Merge pull request #2226 from jwilk/spellingZbigniew Jędrzejewski-Szmek
man: fix typos
2015-12-28Merge pull request #2232 from poettering/dnssec8Tom Gundersen
Eigth DNSSEC patch set
2015-12-28resolved: update DNSSEC TODOLennart Poettering
2015-12-28resolved: also use RRSIG expiry for negative cachingLennart Poettering
This makes sure that we also honour the RRSIG expiry for negative caching.
2015-12-28resolved: use RRSIG expiry and original TTL for cache managementLennart Poettering
When we verified a signature, fix up the RR's TTL to the original TTL mentioned in the signature, and store the signature expiry information in the RR, too. Then, use that when adding RRs to the cache.
2015-12-28resolved: clean up dns_transaction_stop()Lennart Poettering
This renames dns_transaction_stop() to dns_transaction_stop_timeout() and makes it only about stopping the transaction timeout. This is safe, as in most occasions we call dns_transaction_stop() at the same time as dns_transaction_close_connection() anyway, which does the rest of what dns_transaction_stop() used to do. And in the one where we don't call it, it's implicitly called by the UDP emission or TCP connection code. This also closes the connections as we enter the validation phase of a transaction, so that no further messages may be received then.
2015-12-28resolved: only keep a single list of supported signature algorithmsLennart Poettering
This removes dnssec_algorithm_supported() and simply uses the algorithm_to_gcrypt() result as indication whether a DNSSEC algorithm is supported. The patch also renames "algorithm" to "md_algorithm", in a few cases, in order to avoid confusion between DNSSEC signature algorithms and gcrypt message digest algorithms.
2015-12-28resolve-host: log RR parsing errorsLennart Poettering
2015-12-28resolved: add ECDSA signature supportLennart Poettering
2015-12-28shared: relax restrictions on valid domain name characters a bitLennart Poettering
Previously, we'd not allow control characters to be embedded in domain names, even when escaped. Since cloudflare uses \000 however to implement its synthethic minimally covering NSEC RRs, we should allow them, as long as they are properly escaped.
2015-12-28nspawn: userns and unified cgroup: chown cgroup.eventsAlban Crequy
When starting a container in a new user namespace, systemd-nspawn chowns the cgroup knob files so they are usable by the container. But the cgroup knob file "cgroup.events" was missing. This file exists when the unified hierarchy is used.
2015-12-28resolved: split out RSA-specific code from dnssec_verify_rrset()Lennart Poettering
In preparation for ECDSA support.
2015-12-28resolved: simplify MD algorithm initialization a bitLennart Poettering
2015-12-28resolved: add SHA384 digest supportLennart Poettering
2015-12-28resolve-host: add error checkingThomas Hindoe Paaboel Andersen
2015-12-28resolve: remove unused variablesThomas Hindoe Paaboel Andersen
2015-12-27hwdb: Update database of Bluetooth company identifiersMarcel Holtmann
2015-12-27Merge pull request #2225 from poettering/dnssec7Tom Gundersen
Seventh DNSSEC patchset
2015-12-27hwdb: move Logitech M-U0007 [M500] to 1000dpiChris Mayo
http://www.logitech.com/en-gb/product/corded-mouse-m500
2015-12-27resolved: rename "features" variables to "feature_level"Lennart Poettering
The name "features" suggests an orthogonal bitmap or suchlike, but the variables really encode only a linear set of feature levels. The type used is already called DnsServerFeatureLevel, hence fix up the variables accordingly, too.