summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-dnssec.c
AgeCommit message (Collapse)Author
2015-12-10resolved: fix libgcrypt error checkingLennart Poettering
libgcrypt encodes the error source in the error code, we need to mask that away before comparing error codes.
2015-12-06resolve: remove unused variableThomas Hindoe Paaboel Andersen
2015-12-03resolved: update DNSSEC TODO list a bitLennart Poettering
2015-12-03resolved: maintain a short TODO list for DNSSEC support in the dnssec C ↵Lennart Poettering
files for now
2015-12-03resolved: introduce a dnssec_mode setting per scopeLennart Poettering
The setting controls which kind of DNSSEC validation is done: none at all, trusting the AD bit, or client-side validation. For now, no validation is implemented, hence the setting doesn't do much yet, except of toggling the CD bit in the generated messages if full client-side validation is requested.
2015-12-03resolved: add a limit on the max DNSSEC RRSIG expiry skew we allowLennart Poettering
2015-12-03resolved: make expiration error recognizableLennart Poettering
2015-12-03resolved: support the RSASHA1_NSEC3_SHA1 pseudo-algorithmLennart Poettering
RSASHA1_NSEC3_SHA1 is an alias for RSASHA1, used to do NSEC3 feature negotiation. While verifying RRsets there's no difference, hence support it here.
2015-12-03resolved: don't accept expired RRSIGsLennart Poettering
2015-12-02resolved: add basic DNSSEC supportLennart Poettering
This adds most basic operation for doing DNSSEC validation on the client side. However, it does not actually add the verification logic to the resolver. Specifically, this patch only includes: - Verifying DNSKEY RRs against a DS RRs - Verifying RRSets against a combination of RRSIG and DNSKEY RRs - Matching up RRSIG RRs and DNSKEY RRs - Matching up RR keys and RRSIG RRs - Calculating the DNSSEC key tag from a DNSKEY RR All currently used DNSSEC combinations of SHA and RSA are implemented. Support for MD5 hashing and DSA or EC cyphers are not. MD5 and DSA are probably obsolete, and shouldn't be added. EC should probably be added eventually, if it actually is deployed on the Internet.