summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-answer.c
AgeCommit message (Collapse)Author
2016-01-04resolved: partially implement RFC5011 Trust Anchor supportLennart Poettering
With this patch resolved will properly handle revoked keys, but not augment the locally configured trust anchor database with newly learned keys. Specifically, resolved now refuses validating RRsets with revoked keys, and it will remove revoked keys from the configured trust anchors (only until reboot). This patch does not add logic for adding new keys to the set of trust anchors. This is a deliberate decision as this only can work with persistent disk storage, and would result in a different update logic for stateful and stateless systems. Since we have to support stateless systems anyway, and don't want to encourage two independent upgrade paths we focus on upgrading the trust anchor database via the usual OS upgrade logic. Whenever a trust anchor entry is found revoked and removed from the trust anchor a recognizable log message is written, encouraging the user to update the trust anchor or update his operating system.
2015-12-29resolved: don't allow RRs with TTL=0 and TTL!=0 in the same RRsetLennart Poettering
2015-12-26resolved: make use of dns_type_may_redirect() where possibleLennart Poettering
2015-12-26resolved: internalize string buffer of dns_resource_record_to_string()Lennart Poettering
Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-26resolved: when looking for a SOA RR in a reply, pick the right oneLennart Poettering
If there are multiple SOA RRs, and we look for a suitable one covering our request, then make sure to pick the one that is furthest away from the root name, not just the first one we encounter.
2015-12-18resolved: add a call that dumps the contents of a DnsAnswer structureLennart Poettering
This is not used anywhere, but it's extremely useful when debugging.
2015-12-18resolved: check SOA authentication state when negative cachingLennart Poettering
We should never use the TTL of an unauthenticated SOA to cache an authenticated RR.
2015-12-18resolved: add support NSEC3 proofs, as well as proofs for domains that are ↵Lennart Poettering
OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
2015-12-18resolved: don't check for NULL DnsAnswer object explicitly where unnecessaryLennart Poettering
The DNS_ANSWER_FOREACH macros do this internally anyway, no need to duplicate this.
2015-12-14resolved: add basic proof of non-existance support for NSEC+NSEC3Lennart Poettering
Note that this is not complete yet, as we don't handle wildcard domains correctly, nor handle domains correctly that use empty non-terminals.
2015-12-11resolved: don't eat up errorsLennart Poettering
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname() may return errors as negative return values. Make sure to propagate those.
2015-12-10resolved: cache - do negative caching only on the canonical nameTom Gundersen
Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-10resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabledLennart Poettering
This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-10resolved: grow DnsAnswer exponentiallyLennart Poettering
When increasing the DnsAnswer array, don't operate piecemeal, grow the array exponentially. This way, the default logic for DnsAnswer allocations matches the behaviour for GREEDY_REALLOC and suchlike, and we can reduce the number of necessary allocations.
2015-12-10resolved: refuse modifying DnsAnswer objects that have more than one referenceLennart Poettering
DnsAnswer objects should be considered immutable after having passed to more than one user, i.e. with a reference counter > 1. Enforce that in code, so that we can track down misuses easier.
2015-12-10resolved: split out logic to flush DnsAnswer objectsLennart Poettering
Let's simplify things, by making this a function call of its own.
2015-11-25resolved: fully support DNS search domainsLennart Poettering
This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-10-27util-lib: split out allocation calls into alloc-util.[ch]Lennart Poettering
2015-10-24util-lib: split our string related calls from util.[ch] into its own file ↵Lennart Poettering
string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-09-16resolved: cache - cache what we can of negative redirect chainsTom Gundersen
When a NXDATA or a NODATA response is received for an alias it may include CNAME records from the redirect chain. We should cache the response for each of these names to avoid needless roundtrips in the future. It is not sufficient to do the negative caching only for the canonical name, as the included redirection chain is not guaranteed to be complete. In fact, only the final CNAME record from the chain is guaranteed to be included. We take care not to cache entries that redirects outside the current zone, as the SOA will then not be valid.
2015-08-21resolved: rework synthesizing logicLennart Poettering
With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-06-10resolve: move dns routines into sharedNick Owens
2015-05-18resolved: allow DnsAnswer objects with no space for RRsLennart Poettering
They might be created as result of merged answer sets, hence accept them. http://lists.freedesktop.org/archives/systemd-devel/2015-April/030834.html
2014-07-30resolved: properly set TTL in SOA recordsLennart Poettering
2014-07-30resolved: include SOA records in LLMNR replies for non-existing RRs to allow ↵Lennart Poettering
negative caching
2014-07-30resolved: never attempt negative caching of SOA recordsLennart Poettering
2014-07-30resolved: when answer A or AAAA questions, order responses by whether ↵Lennart Poettering
addresses are link-local or not
2014-07-23resolved: most DNS servers can't handle more than one question per packet, ↵Lennart Poettering
hence let's not generate that
2014-07-23resolved: implement negative cachingLennart Poettering
2014-07-23resolved: rework logic so that we can share transactions between queries of ↵Lennart Poettering
different clients