summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-cache.c
AgeCommit message (Collapse)Author
2017-02-24Fix missing space in comments (#5439)AsciiWolf
2017-02-17resolved: initialize all return values on successful exit of dns_cache_lookup()Lennart Poettering
Following our coding style on success we should initialize all return parameters of a function. We missed to cases for dns_cache_lookup() (but covered all others), fix them too.
2017-02-17resolved: cache SERVFAIL responses for 30sLennart Poettering
Some domains (such as us.ynuf.alipay.com) almost appear as if they actively want to sabotage our DNSSEC work. Specifically, they unconditionally return SERVFAIL on SOA lookups and always only after a 1s delay (at least). This is pretty bad for our validation logic, as we use SOA lookups to distuingish zones from non-terminal names. Moreover, SERVFAIL is an error that is typically returned if we send requests a server doesn't grok, and thus is reason for us to downgrade our protocol and try again. In case of these zones this means we'll accept the SERVFAIL response only after a full iterative downgrade to our lowest feature level: TCP. In combination with the 1s delays this has the effect of making us hit our transaction timeout way to easily. As first attempt to improve the situation: let's start caching SERVFAIL responses in our cache, after the full downgrade for a short period of time. Conceptually this is exposed as "weird rcode" caching, but for now we only consider SERVFAIL a "weird rcode" worthy of caching. Later on we might want to add more.
2017-01-19resolved: add cache-flush bit to answers in mDNS announcementsDmitry Rozhkov
See the section 10.2 of RFC6762 for details. Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
2016-07-11treewide: fix typos and remove accidental repetition of wordsTorstein Husebø
2016-06-24Merge pull request #3594 from poettering/resolved-servfailMartin Pitt
resolved fixes for handling SERVFAIL errors from servers
2016-06-23resolved: when caching replies, check rcode earlierLennart Poettering
This way we don't log complaints about packets without SOA in case we are not caching it anyway because the rcode is not SUCCESS or NXDOMAIN...
2016-06-21resolved: when using the ResolveRecord() bus call, adjust TTL for caching timeLennart Poettering
When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-02-22tree-wide: make ++/-- usage consistent WRT spacingVito Caputo
Throughout the tree there's spurious use of spaces separating ++ and -- operators from their respective operands. Make ++ and -- operator consistent with the majority of existing uses; discard the spaces.
2016-02-19resolved: fix NULL dereference in debug stmtZbigniew Jędrzejewski-Szmek
CID #1351544, #1351545.
2016-02-16Use provided buffer in dns_resource_key_to_stringZbigniew Jędrzejewski-Szmek
When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-16Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for rootZbigniew Jędrzejewski-Szmek
This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-10tree-wide: remove Emacs lines from all filesDaniel Mack
This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.
2016-02-04resolved: correctly store interface index of RRs in cacheLennart Poettering
Fixes: #2361
2016-01-25resolved: never store NSEC/NSEC3 RRs from the upper zone of a zone cut in cacheLennart Poettering
When using NSEC/NSEC3 RRs from the cache to derive existance of arbitrary RRs, we should not get confused by the fact that NSEC/NSEC3 RRs exist twice at zone cuts: once in the parent zone, and once in the child zone. For most RR types we should only consult the latter since that's where the beef is. However, for DS lookups we have to check the former. This change makes sure we never cache NSEC/NSEC3 RRs from any parent zone of a zone-cut. It also makes sure that when we look for a DS RR in the cache we never consider any cached NSEC RR, as those are now always from the child zone.
2016-01-17resolved: try to reduce number or DnsResourceKeys we keep around by merging themLennart Poettering
Quite often we read the same RR key multiple times from the same message. Try to replace them by a single object when we notice this. Do so again when we add things to the cache. This should reduce memory consumption a tiny bit.
2016-01-05resolved: when caching negative responses, honour NSEC/NSEC3 TTLsLennart Poettering
When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existance, if it there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our question including a high-ttl SOA RR for any parent zone, and we'd use trust the TTL.
2015-12-29resolved: add comments referencing various RFCs to various placesLennart Poettering
2015-12-28resolved: also use RRSIG expiry for negative cachingLennart Poettering
This makes sure that we also honour the RRSIG expiry for negative caching.
2015-12-28resolved: use RRSIG expiry and original TTL for cache managementLennart Poettering
When we verified a signature, fix up the RR's TTL to the original TTL mentioned in the signature, and store the signature expiry information in the RR, too. Then, use that when adding RRs to the cache.
2015-12-26resolved: gather statistics about resolved namesLennart Poettering
This collects statistical data about transactions, dnssec verifications and the cache, and exposes it over the bus. The systemd-resolve-host tool learns new options to query these statistics and reset them.
2015-12-26resolved: internalize string buffer of dns_resource_record_to_string()Lennart Poettering
Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-26resolved: when caching NXDOMAIN for an RR, make sure we flush out old ANY ↵Lennart Poettering
entries We use ANY RR keys to store NXDOMAIN information, but we previously didn't flush out old ANY RR items in the cache when adding new entries. Fix that.
2015-12-26resolved: split out a new dns_type_may_redirect() callLennart Poettering
Let's abstract which RRs shall honour CNAMEs, and which ones should not.
2015-12-18resolved: merge two commentsLennart Poettering
2015-12-18resolved: rename dns_cache_item_remove_and_free() → _unlink_and_free()Lennart Poettering
In most of the other call, we called similar functions that remove the data structure link-ups to other objects "unlink", hence we should here, too.
2015-12-18resolved: rename dns_cache_remove() → dns_cache_remove_by_key()Lennart Poettering
Given that we already have dns_cache_remove_by_rr() this makes clearer what the operation actually does.
2015-12-18resolved: rework mDNS cache-flush bit handlingLennart Poettering
This adds a new DnsAnswer item flag "DNS_ANSWER_SHARED_OWNER" which is set for mDNS RRs that lack the cache-flush bit. The cache-flush bit is removed from the DnsResourceRecord object in favour of this. This also splits out the code that removes previous entries when adding new positive ones into a new separate call dns_cache_remove_previous().
2015-12-18resolved: properly determine size of DnsAnswer objectLennart Poettering
After all we want to allow NULL DnsAnswer objects as equivalent to empty ones, hence we should use the right checks everywhere.
2015-12-18resolved: pass out precise authenticated bit we got passed inLennart Poettering
Make sure the cache never altes the authenticated bit of RRs stored in it, and drops it for RRs when passing it out again.
2015-12-18resolve: optimize dns_cache_flush() a bitLennart Poettering
Let's use dns_cache_remove() rather than dns_cache_item_remove_and_free() to destroy the cache, since the former requires far fewer hash table lookups.
2015-12-18resolved: when receiving a TTL=0 RR, only flush that specific RRLennart Poettering
When we receieve a TTL=0 RR, then let's only flush that specific RR and not the whole RRset. On mDNS with RRsets that a shared-owner this is how specific RRs are removed from the set, hence support this. And on non-mDNS the whole RRset will already be removed much earlier in dns_cache_put() hence there's no reason remove it again.
2015-12-18resolved: optimize dns_cache_remove() a bitLennart Poettering
2015-12-18resolved: use dns_name_parent() where appropriateLennart Poettering
2015-12-18resolved: check SOA authentication state when negative cachingLennart Poettering
We should never use the TTL of an unauthenticated SOA to cache an authenticated RR.
2015-12-18resolved: don't call dns_cache_remove() from dns_cache_put_negative()Lennart Poettering
We call it anyway as one of the first calls in dns_cache_put(), hence there's no reason to do this multiple times.
2015-12-18resolved: bump cache size a bitLennart Poettering
Let's keep entries for longer and more of them. After all, due to the DNSSEC hookup the amount of RRs we need to store is much higher now.
2015-12-18resolved: make use of dns_{class|type}_is_{pseudo|valid_rr}() everywhereLennart Poettering
2015-12-18resolved: add support NSEC3 proofs, as well as proofs for domains that are ↵Lennart Poettering
OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
2015-12-16resolve: remove unused variableThomas Hindoe Paaboel Andersen
2015-12-11resolved: refuse to cache ANY kind of pseudo-RR-typeLennart Poettering
2015-12-10resolved: cache - only stringify RR keys when in debug modeTom Gundersen
This is in the fast path, so let's not do all this work unneccessarily.
2015-12-10resolved: cache - don't flush the cache of mDNS records unneccesarilyTom Gundersen
When the DNS_RESOURCE_KEY_CACHE_FLUSH flag is not set for an mDNS packet, we should not flush the cache for RRs with matching keys. However, we were unconditionally flushing the cache also for these packets. Now mark all packets as cache_flush by default, except for these mDNS packets, and respect that flag in the cache handling. This fixes 90325e8c2e559a21ef0bc2f26b844c140faf8020.
2015-12-10resolved: cache - rework which RR types we apply redirection toTom Gundersen
The logic of dns_cache_get() is now: - look up the precise key; - look up NXDOMAIN item; - if an RR type that may be redirected (i.e., not CNAME, DNAME, RRSIG, NSEC, NSEC3, SIG, KEY, or NXT) look up a correpsonding CNAME or DNAME record; - look up a corresponding NSEC record; Before this change we would give up before potentially finding negative cache entries for DNAME, CNAME and NSEC records, we would return NSEC records for aliases where we had DNAME or CNAME records available and we would incorrectly try to redirect DNSSEC RRs.
2015-12-10resolved: cache - improve loggingTom Gundersen
Some DNS servers will hand out negative answers without SOA records, these can not be cached, so log about that fact.
2015-12-10resolved: cache - don't cache NXDOMAIN by TYPETom Gundersen
An NXDOMAIN entry means there are no RRs of any type for a name, so only cache by CLASS + NAME, rather than CLASS + NAME + TYPE.
2015-12-10resolved: cache - do negative caching only on the canonical nameTom Gundersen
Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-10resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabledLennart Poettering
This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-10resolved: partially revert 5eefe54Lennart Poettering
Quoting @teg: "Contrary to what the comment said, we always verify redirect chains in full, and cache all the CNAME records. There is therefore no need to do extra negative caching along a CNAME chain." This simply steals @teg's commit since we'll touch the SOA matching case in a later patch, and rather want this bit gone, so that we don't have to "fix" it, only to remove it later on.
2015-12-10resolved: add more linked packets for overlong known answersDaniel Mack
For mDNS, if we're unable to stuff all known answers into the given packet, allocate a new one, push the RR into that one and link it to the current one.