summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2015-12-28resolved: add ECDSA signature supportLennart Poettering
2015-12-28resolved: split out RSA-specific code from dnssec_verify_rrset()Lennart Poettering
In preparation for ECDSA support.
2015-12-28resolved: simplify MD algorithm initialization a bitLennart Poettering
2015-12-28resolved: add SHA384 digest supportLennart Poettering
2015-12-27resolved: rename "features" variables to "feature_level"Lennart Poettering
The name "features" suggests an orthogonal bitmap or suchlike, but the variables really encode only a linear set of feature levels. The type used is already called DnsServerFeatureLevel, hence fix up the variables accordingly, too.
2015-12-27resolved: rework OPT RR generation logicLennart Poettering
This moves management of the OPT RR out of the scope management and into the server and packet management. There are now explicit calls for appending and truncating the OPT RR from a packet (dns_packet_append_opt() and dns_packet_truncate_opt()) as well as a call to do the right thing depending on a DnsServer's feature level (dns_server_adjust_opt()). This also unifies the code to pick a server between the TCP and UDP code paths, and makes sure the feature level used for the transaction is selected at the time the server is picked, and not changed until the next time we pick a server. The server selction code is now unified in dns_transaction_pick_server(). This all fixes problems when changing between UDP and TCP communication for the same server, and makes sure the UDP and TCP codepaths are more alike. It also makes sure we never keep the UDP port open when switchung to TCP, so that we don't have to handle incoming datagrams on the latter we don't expect. As the new code picks the DNS server at the time we make a connection, we don't need to invalidate the DNS server anymore when changing to the next one, thus dns_transaction_next_dns_server() has been removed.
2015-12-27resolved: reuse dns_transaction_stop() when destructing transaction objectsLennart Poettering
2015-12-27resolved: add dns_transaction_close_connection()Lennart Poettering
This new call unifies how we shut down all connection resources, such as UDP sockets, event sources, and TCP stream objects. This patch just adds the basic hook-up, this function will be used more in later commits.
2015-12-27resolved: make sure we reset the DNSSEC result when we accept a response packetLennart Poettering
2015-12-27resolved: improve some log messages a bitLennart Poettering
Indicate thar we ignore invalid messages
2015-12-27resolved: never proceed processing truncated packetsLennart Poettering
Make sure we don't end up processing packets that are truncated. Instead, actually let the TCP connection do its thing.
2015-12-27resolved: remember explicitly whether we already tried a stream connectionLennart Poettering
On LLMNR we never want to retry stream connections (since local TCP connections should work, and we don't want to unnecessarily delay operation), explicitly remember whether we already tried one, instead of deriving this from a still stored stream object. This way, we can free the stream early, without forgetting that we tried it.
2015-12-27resolved: make sure we GC stream transactions properlyLennart Poettering
Make sure to GC a transaction after dealing with a reply, even if the transaction is not complete yet.
2015-12-27resolved: ignore additional DNS responses we get while validatingLennart Poettering
No need to choke on them.
2015-12-27resolved: introduce dns_transaction_reset_answer()Lennart Poettering
Let's unify how we reset the answer data we collected, after all pretty much every time we do it incompletely so far, let's fix it.
2015-12-26resolved: don't unnecessarily allocate memory in dns_packet_append_name()Lennart Poettering
When compression support is off, there's no point in duplicating the name string. Hence, don't do it.
2015-12-26resolved: name TCP and UDP socket calls uniformlyLennart Poettering
Previously the calls for emitting DNS UDP packets were just called dns_{transacion|scope}_emit(), but the one to establish a DNS TCP connection was called dns_transaction_open_tcp(). Clean this up, and rename them dns_{transaction|scope}_emit_udp() and dns_transaction_open_tcp().
2015-12-26resolved: add an automatic downgrade to non-DNSSEC modeLennart Poettering
This adds a mode that makes resolved automatically downgrade from DNSSEC support to classic non-DNSSEC resolving if the configured DNS server is not capable of DNSSEC. Enabling this mode increases compatibility with crappy network equipment, but of course opens up the system to downgrading attacks. The new mode can be enabled by setting DNSSEC=downgrade-ok in resolved.conf. DNSSEC=yes otoh remains a "strict" mode, where DNS resolving rather fails then allow downgrading. Downgrading is done: - when the server does not support EDNS0+DO - or when the server supports it but does not augment returned RRs with RRSIGs. The latter is detected when requesting DS or SOA RRs for the root domain (which is necessary to do proofs for unsigned data)
2015-12-26resolved: no need to store return value of dns_server_possible_features()Lennart Poettering
The call already updates possible_features, it's pointless doing this in the caller a second time.
2015-12-26resolved: don't set TCP_NODELAY twice for TCP socketsLennart Poettering
We previously set it once in the scope code and once in the stream code. Remove it from the latter, as all other socket options are set in the former.
2015-12-26resolved: generate an explicit transaction error when we cannot reach server ↵Lennart Poettering
via TCP Previously, if we couldn't reach a server via UDP we'd generate an MAX_ATTEMPTS transaction result, but if we couldn't reach it via TCP we'd generate a RESOURCES transaction result. While it is OK to generate two different errors I think, "RESOURCES" is certainly a misnomer. Introduce a new transaction result "CONNECTION_FAILURE" instead.
2015-12-26resolved: deal with unsigned DS/NSEC/NSEC3 properlyLennart Poettering
Previously, we'd insist on an RRSIG for all DS/NSEC/NSEC3 RRs. With this change we don't do that anymore, but also allow unsigned DS/NSEC/NSEC3 if we can prove that the zone they are located in is unsigned.
2015-12-26resolved: log each dnssec failure, in a recognizable wayLennart Poettering
2015-12-26resolved: gather statistics about resolved namesLennart Poettering
This collects statistical data about transactions, dnssec verifications and the cache, and exposes it over the bus. The systemd-resolve-host tool learns new options to query these statistics and reset them.
2015-12-26resolved: if we accepted unauthenticated NSEC/NSEC3 RRs, use them for proofsLennart Poettering
But keep track that the proof is not authenticated.
2015-12-26resolved: don't insist on finding DNSKEYs for RRsets of zones with DNSSEC offLennart Poettering
2015-12-26resolved: be stricter when searching for a DS RR for a DNSKEY RRLennart Poettering
2015-12-26resolved: make use of dns_type_may_redirect() where possibleLennart Poettering
2015-12-26update DNSSEC TODOLennart Poettering
2015-12-26resolved: tighten search for NSEC3 RRs a bitLennart Poettering
Be stricter when searching suitable NSEC3 RRs for proof: generalize the check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add additional checks, such as checking whether all NSEC3 RRs use the same parameters, have the same suffix and so on.
2015-12-26resolved: when doing NSEC3 proof, first find right NSEC3 suffixLennart Poettering
When doing an NSEC3 proof, before detrmining whether a name is the closest encloser we first need to figure out the longest common suffix we have with any NSEC3 RR in the reply.
2015-12-26resolved: properly implement RRSIG validation of wildcarded RRsetsLennart Poettering
Note that this is still not complete, one additional step is still missing: when we verified that a wildcard RRset is properly signed, we still need to do an NSEC/NSEC3 proof that no more specific RRset exists.
2015-12-26resolved: never use data from failed transactionsLennart Poettering
Otherwise if we have an A lookup that failed DNSSEC validation, but an AAAA lookup that succeeded, we might end up using the A data, but we really should not.
2015-12-26resolved: don't choke on NSEC/NSEC3 RRs with no bitmapLennart Poettering
This might happen in some cases (empty non-terminals...) and we should not choke on it.
2015-12-26resolved: internalize string buffer of dns_resource_record_to_string()Lennart Poettering
Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-26resolved: when matching SOA RRs, don't eat up errorsLennart Poettering
2015-12-26resolved: when matching SOA RRs, honour RR classLennart Poettering
2015-12-26resolved: when looking for a SOA RR in a reply, pick the right oneLennart Poettering
If there are multiple SOA RRs, and we look for a suitable one covering our request, then make sure to pick the one that is furthest away from the root name, not just the first one we encounter.
2015-12-26resolved: when caching NXDOMAIN for an RR, make sure we flush out old ANY ↵Lennart Poettering
entries We use ANY RR keys to store NXDOMAIN information, but we previously didn't flush out old ANY RR items in the cache when adding new entries. Fix that.
2015-12-26resolved: split out a new dns_type_may_redirect() callLennart Poettering
Let's abstract which RRs shall honour CNAMEs, and which ones should not.
2015-12-20resolve: fix indentationThomas Hindoe Paaboel Andersen
2015-12-18resolved: propagate DNSSEC validation status from auxiliary transactionsLennart Poettering
Let's make sure we propagate the DNSSEC validation status from an auxiliary DNSSEC transaction back to the originating transaction, to improve the error messages we generate.
2015-12-18resolved: propagate the DNSSEC result from the transaction to the query and ↵Lennart Poettering
the the bus client It's useful to generate useful errors, so let's do that.
2015-12-18resolved: rename DNS_TRANSACTION_FAILURE → DNS_TRANSACTION_RCODE_FAILURELennart Poettering
We have many types of failure for a transaction, and DNS_TRANSACTION_FAILURE was just one specific one of them, if the server responded with a non-zero RCODE. Hence let's rename this, to indicate which kind of failure this actually refers to.
2015-12-18resolved: merge two commentsLennart Poettering
2015-12-18resolved: rename dns_cache_item_remove_and_free() → _unlink_and_free()Lennart Poettering
In most of the other call, we called similar functions that remove the data structure link-ups to other objects "unlink", hence we should here, too.
2015-12-18resolved: rename dns_cache_remove() → dns_cache_remove_by_key()Lennart Poettering
Given that we already have dns_cache_remove_by_rr() this makes clearer what the operation actually does.
2015-12-18resolved: add a call that dumps the contents of a DnsAnswer structureLennart Poettering
This is not used anywhere, but it's extremely useful when debugging.
2015-12-18resolved: rework mDNS cache-flush bit handlingLennart Poettering
This adds a new DnsAnswer item flag "DNS_ANSWER_SHARED_OWNER" which is set for mDNS RRs that lack the cache-flush bit. The cache-flush bit is removed from the DnsResourceRecord object in favour of this. This also splits out the code that removes previous entries when adding new positive ones into a new separate call dns_cache_remove_previous().
2015-12-18resolved: properly determine size of DnsAnswer objectLennart Poettering
After all we want to allow NULL DnsAnswer objects as equivalent to empty ones, hence we should use the right checks everywhere.