summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2016-05-04treewide: fix typos (#3187)Torstein Husebø
2016-05-02resolved: work around broken DNS zones set up by incapdns.netLennart Poettering
incapdns.net returns NXDOMAIN for the SOA of the zone itself but is not a terminal. This is against the specs, but we really should be able to deal with this. Previously, when verifying whether an NXDOMAIN response for a SOA/NS lookup is rightfully unsigned we'd issue a SOA lookup for the parent's domain, to derive the state from that. If the parent SOA would get an NXDOMAIN, we'd continue upwards, until we hit a signed top-level domain, which suggests that the domain actually exists. With this change whenver we need to authenticate an NXDOMAIN SOA reply, we'll request the DS RR for the zone first, and use for validation, since that this must be from the parent's zone, not the incorrect lower zone. Fixes: #2894
2016-04-21tree-wide: use mdash instead of a two minusesZbigniew Jędrzejewski-Szmek
2016-04-13tree-wide: remove useless NULLs from strjoinaZbigniew Jędrzejewski-Szmek
The coccinelle patch didn't work in some places, I have no idea why.
2016-04-12test-dnssec: drop unused variableLennart Poettering
2016-04-12Do not report masked units as changed (#2921)Zbigniew Jędrzejewski-Szmek
* core/unit: extract checking of stat paths into helper function The same code was repeated three times. * core: treat masked files as "unchanged" systemctl prints the "unit file changed on disk" warning for a masked unit. I think it's better to print nothing in that case. When a masked unit is loaded, set mtime as 0. When checking if a unit with mtime of 0 needs reload, check that the mask is still in place. * test-dnssec: fix build without gcrypt Also reorder the test functions to follow the way they are called from main().
2016-04-08resolved: handle oom properlyZbigniew Jędrzejewski-Szmek
CID #1349699-1349700.
2016-03-27build-sys: fix build with libgrcypt disabledZbigniew Jędrzejewski-Szmek
- Move gcrypt.h include inside grcrypt-util.h. - Allow gcrypt-util.[ch] to be compiled even without gcrypt. This allows the logic in files using gcrypt to be simplified. - Fix compilation of systemd-resolve without gcrypt. systemd-resolved already supported that. Fixes #2711.
2016-03-05tree-wide: use SET_FLAG() macro to make code more clearAlexander Kuleshov
2016-03-01selinux: always try to load the full selinux dbZbigniew Jędrzejewski-Szmek
https://github.com/systemd/systemd/pull/2508#issuecomment-190901170 Maybe fixes https://bugzilla.redhat.com/show_bug.cgi?id=1308771.
2016-02-29Merge pull request #2702 from poettering/resolved-iterate-fixZbigniew Jędrzejewski-Szmek
resolved iteration fix
2016-02-24treewide: fix typos and then/that useTorstein Husebø
2016-02-23dnssec: only run tests that require gcrypt if we have itSteven Siloti
2016-02-23Merge pull request #2724 from vcaputo/minor-formatting-cleanupsZbigniew Jędrzejewski-Szmek
tree-wide: minor formatting inconsistency cleanups
2016-02-23tree-wide: minor formatting inconsistency cleanupsVito Caputo
2016-02-23tree-wide: remove unused variablesThomas Hindoe Paaboel Andersen
2016-02-22tree-wide: make ++/-- usage consistent WRT spacingVito Caputo
Throughout the tree there's spurious use of spaces separating ++ and -- operators from their respective operands. Make ++ and -- operator consistent with the majority of existing uses; discard the spaces.
2016-02-22resolved: fix notification iteration logic when transactions are completedLennart Poettering
When a transaction is complete, and we notify its owners, make sure we deal correctly with the requesters removing themselves from the list of owners while we continue iterating. This was previously already dealt with with transactions that require other transactions for DNSSEC purposes, fix this for other possibly transaction owners too now. Since iterating through "Set" objects is not safe regarding removal of entries from it, rework the logic to use two Sets, and move each entry we notified from one set to the other set before we dispatch the notification. This move operation requires no additional memory, and enables us to ensure that we don't notify any object twice. Fixes: #2676
2016-02-20tree-wide: place #pragma once at the same place everywhereLennart Poettering
Usually, we place the #pragma once before the copyright blurb in header files, but in a few cases we didn't. Move those around, so that we do the same thing everywhere.
2016-02-20systemd-resolved: fix typo on log messageSamuel Tardieu
2016-02-19Merge pull request #2666 from keszybz/coverity-fixesZbigniew Jędrzejewski-Szmek
Coverity fixes
2016-02-19resolved: fix NULL dereference in debug stmtZbigniew Jędrzejewski-Szmek
CID #1351544, #1351545.
2016-02-19Merge pull request #2648 from keszybz/dnssec-workMartin Pitt
Better support for DANE, shell completion
2016-02-18resolve: also allow SSHFP payload to be exportedZbigniew Jędrzejewski-Szmek
2016-02-18resolve: print TLSA packets in hexadecimalZbigniew Jędrzejewski-Szmek
https://tools.ietf.org/html/rfc6698#section-2.2 says: > The certificate association data field MUST be represented as a string > of hexadecimal characters. Whitespace is allowed within the string of > hexadecimal characters
2016-02-18systemd-resolve: easy querying of TLSA recordsZbigniew Jędrzejewski-Szmek
$ systemd-resolve --tlsa fedoraproject.org _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256 $ systemd-resolve --tlsa=tcp fedoraproject.org:443 _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= ... $ systemd-resolve --tlsa=udp fedoraproject.org _443._udp.fedoraproject.org: resolve call failed: '_443._udp.fedoraproject.org' not found v2: - use uint16_t - refuse port 0
2016-02-17Merge pull request #2640 from keszybz/dnssec-work-3Lennart Poettering
resolve: dumping of binary packets
2016-02-16test-resolve-tables: verify that dns type/class length is within limitsZbigniew Jędrzejewski-Szmek
DNS_TYPE_STRING_MAX causes a problem with the table autogeneration code, change to _DNS_TYPE_STRING_MAX.
2016-02-16Use provided buffer in dns_resource_key_to_stringZbigniew Jędrzejewski-Szmek
When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-16Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for rootZbigniew Jędrzejewski-Szmek
This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-16systemd-resolved: split out inner loopZbigniew Jędrzejewski-Szmek
With two nested loops and a switch statements, it's quite hard to understand what break and continue mean.
2016-02-16systemd-resolve: allow whole packets to be dumped in binary formZbigniew Jędrzejewski-Szmek
2016-02-16systemd-resolve: allow keys to be dumped in binary formZbigniew Jędrzejewski-Szmek
$ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
2016-02-16systemd-resolve: reword --help outputZbigniew Jędrzejewski-Szmek
The output didn't specify if the default for --cname/--search/--legend and other options was yes or no. Change the description to be explicit about that. Also make the --help output and man page closer.
2016-02-16Merge pull request #2623 from poettering/networkd-fixesZbigniew Jędrzejewski-Szmek
Networkd, resolved, build-sys fixes
2016-02-16resolved: make sure to normalize all domain names returned via the busLennart Poettering
Most domain names we deal with are normalized anyway (since we read them that way from DNS packets), but some might not (because they are synthesized from unnormalized configuration or so), hence make sure to normalize all names before passing them out to clients, to be fully deterministic. Note that internally we are process normalized and non-normalized names the same way, and while comparing them ignore the differences due to unnormalized names. However, that internal implementation detail really shouldn't spill out the clients, hence make sure to clean it all up.
2016-02-16resolve: print a noisy warning if we show crypto keys that could not be ↵Lennart Poettering
authenticated Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn loudly about it.
2016-02-16resolved: turn on DNSSEC by default, unless configured otherwiseLennart Poettering
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to "allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled by default add a configure switch to disable this again. DNSSEC in "allow-downgrade" mode should mostly work without affecting user experience. There's one exception: some captive portal systems rewrite DNS in order to redirect HTTP traffic to the captive portal. If these systems implement DNS servers that are otherwise DNSSEC-capable (which in fact is pretty unlikely, but still...), then this will result in the captive portal being inaccessible. To fix this support in NetworkManager (or any other network management solution that does captive portal detection) is required, which simply turns off DNSSEC during the captive portal detection, and resets it back to the default (i.e. on) after captive portal authentication is complete.
2016-02-16networkd: FIONREAD is not reliable on some socketsLennart Poettering
Fixes: #2457
2016-02-13resolved: extend ResolveHostname() bus call so that it can parse IP addressesLennart Poettering
If the hostname passed to ResolveHostname() is actually an IP address that is correctly formatted as string parse it as such, avoid any DNS traffic and return the data in parsed form. This is useful for clients which can simply call the bus function now without caring about the precise formatting of specified hostnames. This mimics getaddrinfo()'s behaviour with the AI_NUMERICHOST flag set. Note that this logic is only implemented for ResolveHostname(), but not for calls such as ResolveRecord(), for which only DNS domain names may be used as input. The "authenticated" flag is set for look-ups of this type, after all no untrusted network traffic is involved.
2016-02-13resolved: rename "SearchDomains" property in the Manager interface to "Domains"Lennart Poettering
Another property name fuck-up. The property contains both search and routing domains and hence should be exposed as "Domains" rather than "SearchDomains". The counterpart in the Link object was correctly named, and the SetLinkDomains() and SetDomains() setter calls too, hence let's get this right, too. (Yepp, a minor API break actually, but given that this was so far not documented, and only 3 days public let's fix this now)
2016-02-13resolved: fix definition of SD_RESOLVED_FLAGS_MAKELennart Poettering
2016-02-13resolved: fix DNSSECSupported Link object property nameLennart Poettering
By mistake the "DNSSECSupported" bus property of the Link object got named "DNSSECSupport". Internally, it's named correctly, and the counterpart on the "Manager" object got named correctly too. Technically this rename is an API break, but given that the interface is not documented or widely announced yet, and just 3 days in a published release, let's just fix this, and hope nobody notices.
2016-02-13Merge pull request #2589 from keszybz/resolve-tool-2Lennart Poettering
Better support of OPENPGPKEY, CAA, TLSA packets and tests
2016-02-12resolve: always align flags to 8th column and print CAA flagsZbigniew Jędrzejewski-Szmek
Left-over unknown flags are printed numerically. Otherwise, it wouldn't be known what bits are remaining without knowning what the known bits are. A test case is added to verify the flag printing code: ============== src/resolve/test-data/fake-caa.pkts ============== google.com. IN CAA 0 issue "symantec.com" google.com. IN CAA 128 issue "symantec.com" -- Flags: critical google.com. IN CAA 129 issue "symantec.com" -- Flags: critical 1 google.com. IN CAA 22 issue "symantec.com" -- Flags: 22
2016-02-12resolve: parse CAA recordsZbigniew Jędrzejewski-Szmek
2016-02-12Fix hashing of TLSA packetsZbigniew Jędrzejewski-Szmek
Also add example files with TLSA and SSHFP records.
2016-02-12test-dns-packet: allow running without argumentsZbigniew Jędrzejewski-Szmek
2016-02-12test-dns-packet: add framework to read and dump packetsZbigniew Jędrzejewski-Szmek
Packets are stored in a simple format: <size> <packet-wire-format> <size> <packet-wire-format> ... Packets for some example domains are dumped, to test rr code for various record types. Currently: A AAAA CAA DNSKEY LOC MX NS NSEC OPENPGPKEY SOA SPF TXT The hashing code is executed, but results are not checked. Also build other tests in src/resolve only with --enable-resolve.
2016-02-12Typo fixesMichael Biebl