Age | Commit message (Collapse) | Author |
|
Follow-up for #3502.
|
|
Previously, we checked only for the various SetLinkXYZ() calls on the Manager
object exposed on the bus if the specified interface is managed/unmanaged by
networkd (as we don't permit overriding DNS configuration via bus calls if
networkd owns the device), but the equivalent SetXYZ() calls on the Link object
did not have such a check. Fix that by moving the appropriate check into the
latter, as the former just calls that anyway.
|
|
And expose it in "resolve-tool --flush-caches".
|
|
|
|
changed via bus calls
This also moves log message generation into manager_write_resolv_conf(), so
that it is shorter to invoke the function, given that we have to invoke it at a
couple of additional places now.
Fixes: #3225
|
|
Make sure we can parse DNS server addresses that use the "zone id" syntax for
local link addresses, i.e. "fe80::c256:27ff:febb:12f%wlp3s0", when reading
/etc/resolv.conf.
Also make sure we spit this out correctly again when writing /etc/resolv.conf
and via the bus.
Fixes: #3359
|
|
Assorted stuff
|
|
Write comments about "too many search domains" and "Total length of all search
domains is too long" just once. Also put it on a separate line, as
resolv.conf(5) only specifies comments in a line by themselves.
This is ugly to do if write_resolv_conf_search() gets called once for every
search domain. So change it to receive the complete OrderedSet instead and do
the iteration by itself.
Add test cases to networkd-test.py.
https://launchpad.net/bugs/1588229
|
|
and make use of it everywhere
|
|
|
|
packet (#3323)
Fixes:
-bash-4.3# ss --udp -l -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:5355 *:* users:(("systemd-resolve",pid=601,fd=12))
UNCONN 0 0 :::5355 :::* users:(("systemd-resolve",pid=601,fd=14))
-bash-4.3# nping --udp -p 5355 --data-length 0 -c 1 localhost
-bash-4.3# journalctl -u systemd-resolved -b --no-hostname
...
May 21 14:59:22 systemd-resolved[601]: Event source llmnr-ipv4-udp (type io) returned error, disabling: Input/output error
...
-bash-4.3# nping --udp -p 5355 --data-length 1000 -c 1 localhost
-bash-4.3# ss --udp -l
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 2304 0 *:5355 *:*
UNCONN 0 0 :::5355 :::*
|
|
After a few link up/down events I got this warning:
May 17 22:05:10 laptop systemd-resolved[2983]: Failed to read DNS servers for interface wlp3s0, ignoring: Argument list too long
|
|
|
|
incapdns.net returns NXDOMAIN for the SOA of the zone itself but is not a
terminal. This is against the specs, but we really should be able to deal with
this.
Previously, when verifying whether an NXDOMAIN response for a SOA/NS lookup is
rightfully unsigned we'd issue a SOA lookup for the parent's domain, to derive
the state from that. If the parent SOA would get an NXDOMAIN, we'd continue
upwards, until we hit a signed top-level domain, which suggests that the domain
actually exists.
With this change whenver we need to authenticate an NXDOMAIN SOA reply, we'll
request the DS RR for the zone first, and use for validation, since that this
must be from the parent's zone, not the incorrect lower zone.
Fixes: #2894
|
|
|
|
The coccinelle patch didn't work in some places, I have no idea why.
|
|
|
|
* core/unit: extract checking of stat paths into helper function
The same code was repeated three times.
* core: treat masked files as "unchanged"
systemctl prints the "unit file changed on disk" warning
for a masked unit. I think it's better to print nothing in that
case.
When a masked unit is loaded, set mtime as 0. When checking
if a unit with mtime of 0 needs reload, check that the mask
is still in place.
* test-dnssec: fix build without gcrypt
Also reorder the test functions to follow the way they are called
from main().
|
|
CID #1349699-1349700.
|
|
- Move gcrypt.h include inside grcrypt-util.h.
- Allow gcrypt-util.[ch] to be compiled even without gcrypt.
This allows the logic in files using gcrypt to be simplified.
- Fix compilation of systemd-resolve without gcrypt.
systemd-resolved already supported that.
Fixes #2711.
|
|
|
|
https://github.com/systemd/systemd/pull/2508#issuecomment-190901170
Maybe fixes https://bugzilla.redhat.com/show_bug.cgi?id=1308771.
|
|
resolved iteration fix
|
|
|
|
|
|
tree-wide: minor formatting inconsistency cleanups
|
|
|
|
|
|
Throughout the tree there's spurious use of spaces separating ++ and --
operators from their respective operands. Make ++ and -- operator
consistent with the majority of existing uses; discard the spaces.
|
|
When a transaction is complete, and we notify its owners, make sure we deal
correctly with the requesters removing themselves from the list of owners while
we continue iterating.
This was previously already dealt with with transactions that require other
transactions for DNSSEC purposes, fix this for other possibly transaction
owners too now.
Since iterating through "Set" objects is not safe regarding removal of entries
from it, rework the logic to use two Sets, and move each entry we notified from
one set to the other set before we dispatch the notification. This move operation
requires no additional memory, and enables us to ensure that we don't notify
any object twice.
Fixes: #2676
|
|
Usually, we place the #pragma once before the copyright blurb in header files,
but in a few cases we didn't. Move those around, so that we do the same thing
everywhere.
|
|
|
|
Coverity fixes
|
|
CID #1351544, #1351545.
|
|
Better support for DANE, shell completion
|
|
|
|
https://tools.ietf.org/html/rfc6698#section-2.2 says:
> The certificate association data field MUST be represented as a string
> of hexadecimal characters. Whitespace is allowed within the string of
> hexadecimal characters
|
|
$ systemd-resolve --tlsa fedoraproject.org
_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A=
-- Cert. usage: CA constraint
-- Selector: Full Certificate
-- Matching type: SHA-256
$ systemd-resolve --tlsa=tcp fedoraproject.org:443
_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A=
...
$ systemd-resolve --tlsa=udp fedoraproject.org
_443._udp.fedoraproject.org: resolve call failed: '_443._udp.fedoraproject.org' not found
v2:
- use uint16_t
- refuse port 0
|
|
resolve: dumping of binary packets
|
|
DNS_TYPE_STRING_MAX causes a problem with the table autogeneration code,
change to _DNS_TYPE_STRING_MAX.
|
|
When the buffer is allocated on the stack we do not have to check for
failure everywhere. This is especially useful in debug statements, because
we can put dns_resource_key_to_string() call in the debug statement, and
we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion.
dns_resource_key_to_string() is changed not to provide any whitespace
padding. Most callers were stripping the whitespace with strstrip(),
and it did not look to well anyway. systemd-resolve output is not column
aligned anymore.
The result of the conversion is not stored in DnsTransaction object
anymore. It is used only for debugging, so it seems fine to generate it
when needed.
Various debug statements are extended to provide more information.
|
|
This fixes formatting of root domain in debug messages:
Old:
systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036).
New:
systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
|
|
With two nested loops and a switch statements, it's quite hard to
understand what break and continue mean.
|
|
|
|
$ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
|
|
The output didn't specify if the default for --cname/--search/--legend and
other options was yes or no. Change the description to be explicit about that.
Also make the --help output and man page closer.
|
|
Networkd, resolved, build-sys fixes
|
|
Most domain names we deal with are normalized anyway (since we read them that
way from DNS packets), but some might not (because they are synthesized from
unnormalized configuration or so), hence make sure to normalize all names
before passing them out to clients, to be fully deterministic.
Note that internally we are process normalized and non-normalized names the
same way, and while comparing them ignore the differences due to unnormalized
names. However, that internal implementation detail really shouldn't spill out
the clients, hence make sure to clean it all up.
|
|
authenticated
Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn
loudly about it.
|
|
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to
"allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled
by default add a configure switch to disable this again.
DNSSEC in "allow-downgrade" mode should mostly work without affecting user
experience. There's one exception: some captive portal systems rewrite DNS in
order to redirect HTTP traffic to the captive portal. If these systems
implement DNS servers that are otherwise DNSSEC-capable (which in fact is
pretty unlikely, but still...), then this will result in the captive portal
being inaccessible. To fix this support in NetworkManager (or any other network
management solution that does captive portal detection) is required, which
simply turns off DNSSEC during the captive portal detection, and resets it back
to the default (i.e. on) after captive portal authentication is complete.
|