summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-answer.h
AgeCommit message (Collapse)Author
2015-12-10resolved: cache - do negative caching only on the canonical nameTom Gundersen
Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-10resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabledLennart Poettering
This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-10resolved: fix DNS_ANSWER_FOREACH_IFINDEX() to not collide with user defined ↵Lennart Poettering
ifindex variable
2015-12-02resolved: make sure DNS_ANSWER_FOREACH() can be nestedLennart Poettering
Change the iterator counter so that a different varable is used for each invocation of the macro, so that it may be nested.
2015-11-25resolved: fully support DNS search domainsLennart Poettering
This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-23resolved: add ResolveService() bus call for resolving SRV and DNS-SD servicesLennart Poettering
This also adds client-side support for this to systemd-resolve-host. Note that the ResolveService() API can deal both with DNS-SD service (consisting of service name, type and domain), as well as classic SRV services (consisting just of a type and a domain), all exposed in the same call. This patch also reworks CNAME handling in order to reuse it between hostname, RR and service lookups. In contrast to Avahi and Bonjour, this new API will actually reolve the A/AAAA RRs the SRV RRs point to in one go (unless this is explicitly disabled). This normally comes for free, as these RRs are sent along the SRV responses anyway, hence let's make use of that. This makes the API considerably easier to use, as a single ResolveService() invocation will return all necessary data to pick a server and connect() to it. Note that this only implements the DNS-SD resolving step, it does not implement DNS-SD browsing, as that makes sense primarily on mDNS, due to its continuous nature.
2015-09-16resolved: cache - cache what we can of negative redirect chainsTom Gundersen
When a NXDATA or a NODATA response is received for an alias it may include CNAME records from the redirect chain. We should cache the response for each of these names to avoid needless roundtrips in the future. It is not sufficient to do the negative caching only for the canonical name, as the included redirection chain is not guaranteed to be complete. In fact, only the final CNAME record from the chain is guaranteed to be included. We take care not to cache entries that redirects outside the current zone, as the SOA will then not be valid.
2015-08-21resolved: rework synthesizing logicLennart Poettering
With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2014-07-30resolved: properly set TTL in SOA recordsLennart Poettering
2014-07-30resolved: include SOA records in LLMNR replies for non-existing RRs to allow ↵Lennart Poettering
negative caching
2014-07-30resolved: when answer A or AAAA questions, order responses by whether ↵Lennart Poettering
addresses are link-local or not
2014-07-23resolved: most DNS servers can't handle more than one question per packet, ↵Lennart Poettering
hence let's not generate that
2014-07-23resolved: implement negative cachingLennart Poettering
2014-07-23resolved: rework logic so that we can share transactions between queries of ↵Lennart Poettering
different clients