summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2016-01-17resolved: ignore invalid OPT RRs in incoming packetsLennart Poettering
This validates OPT RRs more rigorously, before honouring them: if we any of the following condition holds, we'll ignore them: a) Multiple OPT RRs in the same message b) OPT RR not owned by the root domain c) OPT RR in the wrong section (Belkin routers do this) d) OPT RR contain rfc6975 algorithm data (Belkin routers do this) e) OPT version is not 0 f) OPT payload doesn't add up with the lengths Note that d) may be an indication that the server just blindly copied OPT data from the response into the reply. RFC6975 data is only supposed to be included in queries, and we do so. It's not supposed to be included in responses (and the RFC is very clear on that). Hence if we get it back in a reply, then the server probably just copied the OPT RR.
2016-01-17resolved: update RFCs list and TODO listLennart Poettering
2016-01-17resolved: add complex test caseLennart Poettering
This new test case tries to resolve a couple of known domains, to verify the validation results. It talks to resolved via the bus, thus comprehensively testing the whole shebang. Of course, it requires network connectivity and a DNSSEC capable DNS server, hence this is a manual test.
2016-01-17resolved: complete NSEC non-existance proofsLennart Poettering
This fills in the last few gaps: - When checking if a domain is non-existing, also check that no wildcard for it exists - Ensure we don't base "covering" tests on NSEC RRs from a parent zone - Refuse to accept expanded wildcard NSEC RRs for absence proofs.
2016-01-17resolved: make sure the NSEC proof-of-non-existance check also looks for ↵Lennart Poettering
wildcard domains
2016-01-17resolved: on negative NODATA replies, properly deal with empty non-terminalsLennart Poettering
empty non-terminals generally lack NSEC RRs, which means we can deduce their existance only from the fact that there are other RRs that contain them in their suffix. Specifically, the NSEC proof for NODATA on ENTs works by sending the NSEC whose next name is a suffix of the queried name to the client. Use this information properly.
2016-01-17resolved: rename dnssec_verify_dnskey() → dnssec_verify_dnskey_by_ds()Lennart Poettering
This should clarify that this is not regular signature-based validation, but validation through DS RR fingerprints.
2016-01-17resolved: be stricter when using NSEC3Lennart Poettering
We can user signer and synthesizing source information to check that the NSEC3 RRs we want to use are actually reasonable and properly signed.
2016-01-17resolved: when validating an RRset, store information about the synthesizing ↵Lennart Poettering
source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-17resolved: do not use NSEC RRs from the wrong zone for proofsLennart Poettering
When proving NODATA DS lookups we need to insist on looking at the parent zone's NSEC RR, not the child zone's. When proving any other NODATA lookups we need to insist on looking at the child zone's NSEC RR, not the parent's.
2016-01-17resolved: ignore DS RRs without generating an error if they use an ↵Lennart Poettering
unsupported digest algorithm
2016-01-17resolved: some RR types may appear only or not at all in a zone apexLennart Poettering
Add extra checks when validating with RRSIGs. This follows recommendations from: http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/NotesOnDNSSSEC.htm
2016-01-13resolved: implement the full NSEC and NSEC3 postive wildcard proofsLennart Poettering
2016-01-13resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAMELennart Poettering
2016-01-13resolved: properly handles RRs in domains beginning in an asterisk labelLennart Poettering
Properly handle RRs that begin with an asterisk label. These are the unexpanded forms of wildcard domains and appear in NSEC RRs for example. We need to make sure we handle the signatures of these RRs properly, since they mostly are considered normal RRs, except that the RRSIG labels counter is one off for them, as the asterisk label is always excluded of the signature.
2016-01-13resolved: optimize dnssec_verify_rrset() a bitLennart Poettering
Let's determine the source of synthesis once instead of for each RR in the RRset.
2016-01-13resolved: allocate bounded strings on stack instead of heap, if we canLennart Poettering
2016-01-13resolved: consider inverted RRSIG validity intervals expiredLennart Poettering
2016-01-11resolved: improve query RR type error wording a bitLennart Poettering
2016-01-11resolved: don#t allow explicit queries for RRSIG RRsLennart Poettering
We wouldn't know how to validate them, since they are the signatures, and hence have no signatures.
2016-01-11resolved: refuse doing queries for known-obsolete RR typesLennart Poettering
Given how fragile DNS servers are with some DNS types, and given that we really should avoid confusing them with known-weird lookups, refuse doing lookups for known-obsolete RR types.
2016-01-11resolved: rename DnsTransaction's current_features field to ↵Lennart Poettering
current_feature_level This is a follow-up for f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6.
2016-01-11resolved: split out resetting of DNS server counters into a function call of ↵Lennart Poettering
its own A suggested by Vito Caputo: https://github.com/systemd/systemd/pull/2289#discussion-diff-49276220
2016-01-11resolved: accept rightfully unsigned NSEC responsesLennart Poettering
2016-01-11resolved: rework how and when we detect whether our chosen DNS server knows ↵Lennart Poettering
DNSSEC Move detection into a set of new functions, that check whether one specific server can do DNSSEC, whether a server and a specific transaction can do DNSSEC, or whether a transaction and all its auxiliary transactions could do so. Also, do these checks both before we acquire additional RRs for the validation (so that we can skip them if the server doesn't do DNSSEC anyway), and after we acquired them all (to see if any of the lookups changed our opinion about the servers). THis also tightens the checks a bit: a server that lacks TCP support is considered incompatible with DNSSEC too.
2016-01-11resolved: cache formatted server string in DnsServer structureLennart Poettering
This makes it easier to log information about a specific DnsServer object.
2016-01-11resolved: rework server feature level logicLennart Poettering
This changes the DnsServer logic to count failed UDP and TCP failures separately. This is useful so that we don't end up downgrading the feature level from one UDP level to a lower UDP level just because a TCP connection we did because of a TC response failed. This also adds accounting of truncated packets. If we detect incoming truncated packets, and count too many failed TCP connections (which is the normal fall back if we get a trucnated UDP packet) we downgrade the feature level, given that the responses at the current levels don't get through, and we somehow need to make sure they become smaller, which they will do if we don't request DNSSEC or EDNS support. This makes resolved work much better with crappy DNS servers that do not implement TCP and only limited UDP packet sizes, but otherwise support DNSSEC RRs. They end up choking on the generally larger DNSSEC RRs and there's no way to retrieve the full data.
2016-01-11resolved: add missing case to switch statementLennart Poettering
2016-01-11resolved: log why we use TCP when UDP isn't supported by a serverLennart Poettering
2016-01-11resolved: log about truncated replies before trying again, not afterLennart Poettering
2016-01-11resolved: don't attempt to send queries for DNSSEC RR types to servers not ↵Lennart Poettering
supporting them If we already degraded the feature level below DO don't bother with sending requests for DS, DNSKEY, RRSIG, NSEC, NSEC3 or NSEC3PARAM RRs. After all, we cannot do DNSSEC validation then anyway, and we better not press a legacy server like this with such modern concepts. This also has the benefit that when we try to validate a response we received using DNSSEC, and we detect a limited server support level while doing so, all further auxiliary DNSSEC queries will fail right-away.
2016-01-11resolved: log about reasons for switching to TCPLennart Poettering
2016-01-11resolved: when we get a packet failure from a server, don't downgrade UDP to ↵Lennart Poettering
TCP or vice versa Under the assumption that packet failures (i.e. FORMERR, SERVFAIL, NOTIMP) are caused by packet contents, not used transport, we shouldn't switch between UDP and TCP when we get them, but only downgrade the higher levels down to UDP.
2016-01-11resolved: properly handle UDP ICMP errors as lost packetsLennart Poettering
UDP ICMP errors are reported to us via recvmsg() when we read a reply. Handle this properly, and consider this a lost packet, and retry the connection. This also adds some additional logging for invalid incoming packets.
2016-01-11resolved: when we get a TCP connection failure, try againLennart Poettering
Previously, when we couldn't connect to a DNS server via TCP we'd abort the whole transaction using a "connection-failure" state. This change removes that, and counts failed connections as "lost packet" events, so that we switch back to the UDP protocol again.
2016-01-11resolved: when DNS/TCP doesn't work, try DNS/UDP againLennart Poettering
If we failed to contact a DNS server via TCP, bump of the feature level to UDP again. This way we'll switch back between UDP and TCP if we fail to contact a host. Generally, we prefer UDP over TCP, which is why UDP is a higher feature level. But some servers only support UDP but not TCP hence when reaching the lowest feature level of TCP and want to downgrade from there, pick UDP again. We this keep downgrading until we reach TCP and then we cycle through UDP and TCP.
2016-01-11resolved: introduce dns_transaction_retry() and use it everywhereLennart Poettering
The code to retry transactions has been used over and over again, simplify it by replacing it by a new function.
2016-01-11resolved: set a description on all our event sourcesLennart Poettering
2016-01-11resolved: fix error propagationLennart Poettering
2016-01-11shared: make sure foo.bar and foobar result in different domain name hashesLennart Poettering
This also introduces a new macro siphash24_compress_byte() which is useful to add a single byte into the hash stream, and ports one user over to it.
2016-01-11resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard ↵Lennart Poettering
response This implements RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4: When we receive a response with an RRset generated from a wildcard we need to look for one NSEC/NSEC3 RR that proves that there's no explicit RR around before we accept the wildcard RRset as response. This patch does a couple of things: the validation calls will now identify wildcard signatures for us, and let us know the RRSIG used (so that the RRSIG's signer field let's us know what the wildcard was that generate the entry). Moreover, when iterating trough the RRsets of a response we now employ three phases instead of just two. a) in the first phase we only look for DNSKEYs RRs b) in the second phase we only look for NSEC RRs c) in the third phase we look for all kinds of RRs Phase a) is necessary, since DNSKEYs "unlock" more signatures for us, hence we shouldn't assume a key is missing until all DNSKEY RRs have been processed. Phase b) is necessary since NSECs need to be validated before we can validate wildcard RRs due to the logic explained above. Phase c) validates everything else. This phase also handles RRsets that cannot be fully validated and removes them or lets the transaction fail.
2016-01-11resolved: split up nsec3_hashed_domain() into two callsLennart Poettering
There's now nsec3_hashed_domain_format() and nsec3_hashed_domain_make(). The former takes a hash value and formats it as domain, the latter takes a domain name, hashes it and then invokes nsec3_hashed_domain_format(). This way we can reuse more code, as the formatting logic can be unified between this call and another place.
2016-01-11resolved: drop flags unused parameter from nsec3_is_goodLennart Poettering
2016-01-11resolved: when validating, first strip revoked trust anchor keys from ↵Lennart Poettering
validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-11basic: introduce generic ascii_strlower_n() call and make use of it everywhereLennart Poettering
2016-01-11resolved: rework trust anchor revoke checkingLennart Poettering
Instead of first iterating through all DNSKEYs in the DnsAnswer in dns_transaction_check_revoked_trust_anchors(), and then doing that a second time in dns_trust_anchor_check_revoked(), do so only once in the former, and pass the dnskey we found directly to the latter.
2016-01-11resolved: look for revoked trust anchors before validating a messageLennart Poettering
There's not reason to wait for checking for revoked trust anchors until after validation, after all revoked DNSKEYs only need to be self-signed, but not have a full trust chain. This way, we can be sure that all trust anchor lookups we do during validation already honour that some keys might have been revoked.
2016-01-11resolved: use dns_answer_size() where appropriate to handle NULL DnsAnswerLennart Poettering
2016-01-11resolved: remove one level of indentation in dns_transaction_validate_dnssec()Lennart Poettering
Invert an "if" check, so that we can use "continue" rather than another code block indentation.
2016-01-11resolved: be less strict where the OPT pseudo-RR is placedLennart Poettering
This increases compatibility with crappy Belkin routers.