summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-packet.c
AgeCommit message (Collapse)Author
2015-12-26resolved: don't unnecessarily allocate memory in dns_packet_append_name()Lennart Poettering
When compression support is off, there's no point in duplicating the name string. Hence, don't do it.
2015-12-26resolved: don't choke on NSEC/NSEC3 RRs with no bitmapLennart Poettering
This might happen in some cases (empty non-terminals...) and we should not choke on it.
2015-12-18resolved: rework mDNS cache-flush bit handlingLennart Poettering
This adds a new DnsAnswer item flag "DNS_ANSWER_SHARED_OWNER" which is set for mDNS RRs that lack the cache-flush bit. The cache-flush bit is removed from the DnsResourceRecord object in favour of this. This also splits out the code that removes previous entries when adding new positive ones into a new separate call dns_cache_remove_previous().
2015-12-18resolved: don't honour mDNS cache-flush bit for OPT RRsLennart Poettering
OPT RRs after all use the class field for other purposes than actually encoding a class, hence the cache flush bit doesn't apply really.
2015-12-18resolved: make use of dns_{class|type}_is_{pseudo|valid_rr}() everywhereLennart Poettering
2015-12-18resolved: refuse accepting EDNS0 OPT RRs with a non-root domainLennart Poettering
2015-12-18resolved: add support NSEC3 proofs, as well as proofs for domains that are ↵Lennart Poettering
OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
2015-12-14resolved: when serializing NSEC3 windows, don't write more windows than ↵Lennart Poettering
necessary
2015-12-14resolved: constify a parameterLennart Poettering
2015-12-14resolved: apparently not all names are used in canonical form for DNSSEC ↵Lennart Poettering
validation Specifically, it appears as if the NSEC next domain name should be in the original casing rather than canonical form, when validating.
2015-12-14treewide: fix typos and indentationTorstein Husebø
2015-12-11resolved: generalize DNS RR type validity checksLennart Poettering
Check the validity of RR types as we parse or receive data from IPC clients, and use the same code for all of them.
2015-12-11resolved: refuse OPT RRs in incoming packets that are not in the additional ↵Lennart Poettering
section We later rely that the DnsAnswer object contains all RRs from the original packet, at least when it comes to the answer and authorization sections, hence we better make sure we don#t silently end up removing an OPT RR from these two sections.
2015-12-11resolved: no need to check for NULL explicitly before invoking ↵Lennart Poettering
dns_packet_unref()
2015-12-10resolved: cache - don't flush the cache of mDNS records unneccesarilyTom Gundersen
When the DNS_RESOURCE_KEY_CACHE_FLUSH flag is not set for an mDNS packet, we should not flush the cache for RRs with matching keys. However, we were unconditionally flushing the cache also for these packets. Now mark all packets as cache_flush by default, except for these mDNS packets, and respect that flag in the cache handling. This fixes 90325e8c2e559a21ef0bc2f26b844c140faf8020.
2015-12-10resolved: split out check whether reply matches our questionLennart Poettering
It's complicated enough, it deserves its own call. (Also contains some unrelated whitespace, comment and assertion changes)
2015-12-10resolved: IXFR and AXFR cannot be the type of RRs, only of RR keysLennart Poettering
Enforce this while parsing RRs.
2015-12-10resolved: when parsing DNS packets, handle OPT RR speciallyLennart Poettering
As soon as we encounter the OPT RR while parsing, store it in a special field in the DnsPacket structure. That way, we won't be confused if we iterate through RRs, and can check that there's really only one of these RRs around.
2015-12-10resolved: add support for linked packetsDaniel Mack
For mDNS, we need to support the TC bit in case the list of known answers exceed the maximum packet size. For this, add a 'more' pointer to DnsPacket for an additional packet. When a packet is unref'ed, the ->more packet is also unrefed, so it sufficient to only keep track of the 1st packet in a chain.
2015-12-10resolved: add dns_packet_set_flags()Daniel Mack
We need to support the TC bit in queries in case known answers exceed the maximum packet size. Factor out the flags compilation to dns_packet_set_flags() and make it externally available.
2015-12-08resolved: allow name compression in NSEC recordsDaniel Mack
2015-12-08resolved: add cache flush flag to DnsResourceKeyDaniel Mack
MDNS has a 'key cache flush' flag for records which must be masked out for the parsers to do our right thing. We will also use that flag later (in a different patch) in order to alter the cache behavior.
2015-12-08resolved: add packet header details for mDNSDaniel Mack
Validate mDNS queries and responses by looking at some header fields, add mDNS flags.
2015-12-03resolved: introduce a dnssec_mode setting per scopeLennart Poettering
The setting controls which kind of DNSSEC validation is done: none at all, trusting the AD bit, or client-side validation. For now, no validation is implemented, hence the setting doesn't do much yet, except of toggling the CD bit in the generated messages if full client-side validation is requested.
2015-12-03resolved: move algorithm/digest definitions into resolved-dns-rr.hLennart Poettering
After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02resolved: add code to generate the wire format for a single RRLennart Poettering
This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02resolved: add code to map DNSSEC digest types to strings and backLennart Poettering
2015-12-02resolved: store DNSKEY fields flags+protocol as-isLennart Poettering
When verifying signatures we need to be able to verify the original data we got for an RR set, and that means we cannot simply drop flags bits or consider RRs invalid too eagerly. Hence, instead of parsing the DNSKEY flags store them as-is. Similar, accept the protocol field as it is, and don't consider it a parsing error if it is not 3. Of course, this means that the DNSKEY handling code later on needs to check explicit for protocol != 3.
2015-12-02resolved: add RFC 5702 defined DNSSEC algorithms to tableLennart Poettering
2015-12-02resolved: simplify dns_packet_append_string()Lennart Poettering
It essentially does the same as dns_packet_append_raw_string(), hence make it a wrapper around it.
2015-11-27resolved: set the DNSSEC OK (DO) flagTom Gundersen
This indicates that we can handle DNSSEC records (per RFC3225), even if all we do is silently drop them. This feature requires EDNS0 support. As we do not yet support larger UDP packets, this feature increases the risk of getting truncated packets. Similarly to how we fall back to plain UDP if EDNS0 fails, we will fall back to plain EDNS0 if EDNS0+DO fails (with the same logic of remembering success and retrying after a grace period after failure).
2015-11-27resolved: implement minimal EDNS0 supportTom Gundersen
This is a minimal implementation of RFC6891. Only default values are used, so in reality this will be a noop. EDNS0 support is dependent on the current server's feature level, so appending the OPT pseudo RR is done when the packet is emitted, rather than when it is assembled. To handle different feature levels on retransmission, we strip off the OPT RR again after sending the packet. Similarly, to how we fall back to TCP if UDP fails, we fall back to plain UDP if EDNS0 fails (but if EDNS0 ever succeeded we never fall back again, and after a timeout we will retry EDNS0).
2015-11-27resolved: rr - add OPT pseudo-rr supportTom Gundersen
Needed for EDNS0.
2015-11-26Merge pull request #2031 from poettering/resolved-search-domainsTom Gundersen
resolved. Fully implement search domains for single-label names
2015-11-26resolved: do not reject NSEC records with empty bitmapsTom Gundersen
The assumption that no NSEC bitmap could be empty due to the presence of the bit representing the record itself turns out to be flawed. See (the admittedly experimental) RFC4956 for a counter example.
2015-11-25dns-domain: rework dns_label_escape() to not imply memory allocationLennart Poettering
The new dns_label_escape() call now operates on a buffer passed in, similar to dns_label_unescape(). This should make decoding a bit faster, and nicer.
2015-11-23resolved: accept TXT records with non-UTF8 stringsLennart Poettering
RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-10-27util-lib: split out allocation calls into alloc-util.[ch]Lennart Poettering
2015-10-27util-lib: move string table stuff into its own string-table.[ch]Lennart Poettering
2015-08-25resolved: make packet flags logic more expressive againLennart Poettering
This partially reverts 106784ebb7b303ae471851100a773ad2aebf5b80, ad readds separate DNS_PACKET_MAKE_FLAGS() invocations for the LLMNR and DNS case. This is important since SOme flags have different names and meanings on LLMNR and on DNS and we should clarify that via the comments and how we put things together.
2015-08-25resolved: use switch-case statements for protocol detailsDaniel Mack
With more protocols to come, switch repetitive if-else blocks with a switch-case statements.
2015-08-21resolved: when passing RRs across the bus, make sure not to use name compressionLennart Poettering
We explicitly need to turn off name compression when marshalling or demarshalling RRs for bus transfer, since they otherwise refer to packet offsets that reference packets that are not transmitted themselves.
2015-08-21resolved: rework synthesizing logicLennart Poettering
With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-08-16resolved: packet - fix typo in read_rr()Tom Gundersen
2015-07-28resolved: packet - refuse empty type bitmapsTom Gundersen
The NSEC type itself must at least be in the bitmap, so NSEC records with empty bitmaps must be bogus.
2015-07-28resolved: packet - fix read_type_window()Tom Gundersen
We were tracking the bit offset inside each byte, rather than inside the whole bitmap.
2015-07-28resolve: packet - fix append_types()Tom Gundersen
We were counting the number of bits set rather than the number of bytes they occupied.
2015-07-23resolved: packet - fix segfault in truncate()Tom Gundersen
A size_t was being accessed as a char* due to the order of arguments being inverted.
2015-07-23resolved: rr - ignore pseudo types in NSEC(3) bitmapsTom Gundersen
2015-07-23resolved: rr - fix parsing of NSEC3Tom Gundersen
We were appending rather than reading the bitmap.