summaryrefslogtreecommitdiff
path: root/src/resolve/resolved-dns-rr.h
AgeCommit message (Collapse)Author
2016-01-11resolved: when validating, first strip revoked trust anchor keys from ↵Lennart Poettering
validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-04resolved: fix DNSSEC canonical ordering logicLennart Poettering
When applying canonical DNSSEC ordering for an RRset only order by the wire format of the RRs' RDATA, not by the full wire formatting. The RFC isn't particularly clear about this, but this is apparently how it is done. This fixes validation of pentagon.gov's DS RRset.
2016-01-03resolved: never authenticate RRsets with revoked keysLennart Poettering
2016-01-03resolved: add negative trust anchro support, and add trust anchor ↵Lennart Poettering
configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2015-12-29resolved: NSEC3 hash algorithms are distinct from DS digest algorithmsLennart Poettering
Previously, we'd use the same set of identifiers for both, but that's actually incorrect. It didn't matter much since the only NSEC3 hash algorithm defined (SHA-1) is mapped to code 1 which is also what it is encoded as in DS digests, but we really should make sure to use two distinct enumerations.
2015-12-29resolved: add comments referencing various RFCs to various placesLennart Poettering
2015-12-29resolved: include GOST in list of DNSSEC algorithmsLennart Poettering
We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.)
2015-12-28resolved: use RRSIG expiry and original TTL for cache managementLennart Poettering
When we verified a signature, fix up the RR's TTL to the original TTL mentioned in the signature, and store the signature expiry information in the RR, too. Then, use that when adding RRs to the cache.
2015-12-28resolved: add ECDSA signature supportLennart Poettering
2015-12-28resolved: add SHA384 digest supportLennart Poettering
2015-12-26resolved: internalize string buffer of dns_resource_record_to_string()Lennart Poettering
Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-18resolved: rework mDNS cache-flush bit handlingLennart Poettering
This adds a new DnsAnswer item flag "DNS_ANSWER_SHARED_OWNER" which is set for mDNS RRs that lack the cache-flush bit. The cache-flush bit is removed from the DnsResourceRecord object in favour of this. This also splits out the code that removes previous entries when adding new positive ones into a new separate call dns_cache_remove_previous().
2015-12-18resolved: move DNS class utilities to dns-type.c and add more helpersLennart Poettering
Let's make DNS class helpers more like DNS type helpers, let's move them from resolved-dns-rr.[ch] into dns-type.[ch]. This also adds two new calls dns_class_is_pseudo() and dns_class_is_valid_rr() which operate similar to dns_type_is_pseudo() and dns_type_is_valid_rr() but for classes instead of types. This should hopefully make handling of DNS classes and DNS types more alike.
2015-12-18resolved: add support NSEC3 proofs, as well as proofs for domains that are ↵Lennart Poettering
OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
2015-12-10resolved: cache - do negative caching only on the canonical nameTom Gundersen
Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-10resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabledLennart Poettering
This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-10resolved: when parsing DNS packets, handle OPT RR speciallyLennart Poettering
As soon as we encounter the OPT RR while parsing, store it in a special field in the DnsPacket structure. That way, we won't be confused if we iterate through RRs, and can check that there's really only one of these RRs around.
2015-12-08resolved: add dns_cache_export_to_packet()Daniel Mack
This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
2015-12-08resolved: add cache flush flag to DnsResourceKeyDaniel Mack
MDNS has a 'key cache flush' flag for records which must be masked out for the parsers to do our right thing. We will also use that flag later (in a different patch) in order to alter the cache behavior.
2015-12-03resolved: rework how we allow allow queries to be dispatched to scopesLennart Poettering
Previously, we'd never do any single-label or root domain lookups via DNS, thus leaving single-label lookups to LLMNR and the search path logic in order that single-label names don't leak too easily onto the internet. With this change we open things up a bit, and only prohibit A/AAAA lookups of single-label/root domains, but allow all other lookups. This should provide similar protection, but allow us to resolve DNSKEY+DS RRs for the top-level and root domains. (This also simplifies handling of the search domain detection, and gets rid of dns_scope_has_search_domains() in favour of dns_scope_get_search_domains()).
2015-12-03resolved: optionally, allocate DnsResourceKey objects on the stackLennart Poettering
Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03resolved: move algorithm/digest definitions into resolved-dns-rr.hLennart Poettering
After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02resolved: add code to generate the wire format for a single RRLennart Poettering
This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02resolved: store DNSKEY fields flags+protocol as-isLennart Poettering
When verifying signatures we need to be able to verify the original data we got for an RR set, and that means we cannot simply drop flags bits or consider RRs invalid too eagerly. Hence, instead of parsing the DNSKEY flags store them as-is. Similar, accept the protocol field as it is, and don't consider it a parsing error if it is not 3. Of course, this means that the DNSKEY handling code later on needs to check explicit for protocol != 3.
2015-11-27resolved: add one more comment with a link to the matching RFCLennart Poettering
2015-11-25resolved: fully support DNS search domainsLennart Poettering
This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-24resolved: implement client-side DNAME resolutionLennart Poettering
Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-23resolved: accept TXT records with non-UTF8 stringsLennart Poettering
RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-18tree-wide: sort includes in *.hThomas Hindoe Paaboel Andersen
This is a continuation of the previous include sort patch, which only sorted for .c files.
2015-09-16resolved: rr - introduce dns_resource_key_new_redirect()Tom Gundersen
Takes a key and CNAME RR and returns the canonical RR of the right type. Make use of this in dns_question_redirect().
2015-09-16resolved: rr - introduce dns_resource_key_new_cname()Tom Gundersen
Creates a new CNAME RR key with the same class and name as an existing key.
2015-08-21resolved: rework synthesizing logicLennart Poettering
With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-07-23resolved: rr - SSHFP contains the fingerprint, not the keyTom Gundersen
Rename the field to make this clearer.
2015-07-23resolve: unify memdup() code when parsing RRsLennart Poettering
Let's make dns_packet_read_public_key() more generic by renaming it to dns_packet_read_memdup() (which more accurately describes what it does...). Then, patch all cases where we memdup() RR data to use this new call. This specifically checks for zero-length objects, and handles them gracefully. It will set zero length payload fields as a result. Special care should be taken to ensure that any code using this call can handle the returned allocated field to be NULL if the size is specified as 0!
2015-07-14resolved: rr - add NSEC3 supportTom Gundersen
Needed for DNSSEC.
2015-07-14resolved: rr - add NSEC supportTom Gundersen
Needed for DNSSEC.
2015-07-14resolved: rr - add DS supportTom Gundersen
Needed for DNSSEC.
2015-02-23remove unused includesThomas Hindoe Paaboel Andersen
This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
2014-09-15hashmap: introduce hash_ops to make struct Hashmap smallerMichal Schmidt
It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-03resolved: RRSIG recordsZbigniew Jędrzejewski-Szmek
2014-08-03resolved: DNSKEY recordsZbigniew Jędrzejewski-Szmek
2014-08-03resolve: add more record types and convert to gperf tableZbigniew Jędrzejewski-Szmek
We are unlikely to evert support most of them, but we can at least display the types properly. The list is taken from the IANA list. The table of number->name mappings is converted to a switch statement. gcc does a nice job of optimizing lookup (when optimization is enabled). systemd-resolve-host -t is now case insensitive.
2014-07-31resolved: properly process SSHFP RRsLennart Poettering
2014-07-31resolved: properly process SRV recordsLennart Poettering
2014-07-31resolved: provide properly named way to access SPF data in RRsLennart Poettering
2014-07-31resolved: properly process DNAME RRsLennart Poettering
2014-07-31resolved: LOC recordsZbigniew Jędrzejewski-Szmek
LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31resolved: SPF recordsZbigniew Jędrzejewski-Szmek
2014-07-31resolved: TXT recordsZbigniew Jędrzejewski-Szmek
2014-07-31resolved: MX recordsZbigniew Jędrzejewski-Szmek