summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2016-06-10resolved: move verification that link is unmanaged into the proper bus callsLennart Poettering
Previously, we checked only for the various SetLinkXYZ() calls on the Manager object exposed on the bus if the specified interface is managed/unmanaged by networkd (as we don't permit overriding DNS configuration via bus calls if networkd owns the device), but the equivalent SetXYZ() calls on the Link object did not have such a check. Fix that by moving the appropriate check into the latter, as the former just calls that anyway.
2016-06-10resolved: also add a way to flush all caches via the busLennart Poettering
And expose it in "resolve-tool --flush-caches".
2016-06-10resolved: flush all caches if SIGUSR2 is receivedLennart Poettering
2016-06-06resolved: also rewrite private /etc/resolv.conf when configuration is ↵Lennart Poettering
changed via bus calls This also moves log message generation into manager_write_resolv_conf(), so that it is shorter to invoke the function, given that we have to invoke it at a couple of additional places now. Fixes: #3225
2016-06-06resolved: support IPv6 DNS servers on the local linkLennart Poettering
Make sure we can parse DNS server addresses that use the "zone id" syntax for local link addresses, i.e. "fe80::c256:27ff:febb:12f%wlp3s0", when reading /etc/resolv.conf. Also make sure we spit this out correctly again when writing /etc/resolv.conf and via the bus. Fixes: #3359
2016-06-04Merge pull request #3392 from poettering/assorted-stuffZbigniew Jędrzejewski-Szmek
Assorted stuff
2016-06-03resolved: fix comments in resolve.conf for search domain overflows (#3422)Martin Pitt
Write comments about "too many search domains" and "Total length of all search domains is too long" just once. Also put it on a separate line, as resolv.conf(5) only specifies comments in a line by themselves. This is ugly to do if write_resolv_conf_search() gets called once for every search domain. So change it to receive the complete OrderedSet instead and do the iteration by itself. Add test cases to networkd-test.py. https://launchpad.net/bugs/1588229
2016-05-30util-lib: make localed's nonempty() generic, rename it to empty_to_null() ↵Lennart Poettering
and make use of it everywhere
2016-05-26resolve/test-dns-packet: Fix unaligned access in test_packet_from_file().John Paul Adrian Glaubitz
2016-05-23resolved: don't stop handle messages after receiving a zero length UDP ↵Evgeny Vereshchagin
packet (#3323) Fixes: -bash-4.3# ss --udp -l -p State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 0 0 *:5355 *:* users:(("systemd-resolve",pid=601,fd=12)) UNCONN 0 0 :::5355 :::* users:(("systemd-resolve",pid=601,fd=14)) -bash-4.3# nping --udp -p 5355 --data-length 0 -c 1 localhost -bash-4.3# journalctl -u systemd-resolved -b --no-hostname ... May 21 14:59:22 systemd-resolved[601]: Event source llmnr-ipv4-udp (type io) returned error, disabling: Input/output error ... -bash-4.3# nping --udp -p 5355 --data-length 1000 -c 1 localhost -bash-4.3# ss --udp -l State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 2304 0 *:5355 *:* UNCONN 0 0 :::5355 :::*
2016-05-20resolved: fix accounting of dns serves on a link (#3291)Zbigniew Jędrzejewski-Szmek
After a few link up/down events I got this warning: May 17 22:05:10 laptop systemd-resolved[2983]: Failed to read DNS servers for interface wlp3s0, ignoring: Argument list too long
2016-05-04treewide: fix typos (#3187)Torstein Husebø
2016-05-02resolved: work around broken DNS zones set up by incapdns.netLennart Poettering
incapdns.net returns NXDOMAIN for the SOA of the zone itself but is not a terminal. This is against the specs, but we really should be able to deal with this. Previously, when verifying whether an NXDOMAIN response for a SOA/NS lookup is rightfully unsigned we'd issue a SOA lookup for the parent's domain, to derive the state from that. If the parent SOA would get an NXDOMAIN, we'd continue upwards, until we hit a signed top-level domain, which suggests that the domain actually exists. With this change whenver we need to authenticate an NXDOMAIN SOA reply, we'll request the DS RR for the zone first, and use for validation, since that this must be from the parent's zone, not the incorrect lower zone. Fixes: #2894
2016-04-21tree-wide: use mdash instead of a two minusesZbigniew Jędrzejewski-Szmek
2016-04-13tree-wide: remove useless NULLs from strjoinaZbigniew Jędrzejewski-Szmek
The coccinelle patch didn't work in some places, I have no idea why.
2016-04-12test-dnssec: drop unused variableLennart Poettering
2016-04-12Do not report masked units as changed (#2921)Zbigniew Jędrzejewski-Szmek
* core/unit: extract checking of stat paths into helper function The same code was repeated three times. * core: treat masked files as "unchanged" systemctl prints the "unit file changed on disk" warning for a masked unit. I think it's better to print nothing in that case. When a masked unit is loaded, set mtime as 0. When checking if a unit with mtime of 0 needs reload, check that the mask is still in place. * test-dnssec: fix build without gcrypt Also reorder the test functions to follow the way they are called from main().
2016-04-08resolved: handle oom properlyZbigniew Jędrzejewski-Szmek
CID #1349699-1349700.
2016-03-27build-sys: fix build with libgrcypt disabledZbigniew Jędrzejewski-Szmek
- Move gcrypt.h include inside grcrypt-util.h. - Allow gcrypt-util.[ch] to be compiled even without gcrypt. This allows the logic in files using gcrypt to be simplified. - Fix compilation of systemd-resolve without gcrypt. systemd-resolved already supported that. Fixes #2711.
2016-03-05tree-wide: use SET_FLAG() macro to make code more clearAlexander Kuleshov
2016-03-01selinux: always try to load the full selinux dbZbigniew Jędrzejewski-Szmek
https://github.com/systemd/systemd/pull/2508#issuecomment-190901170 Maybe fixes https://bugzilla.redhat.com/show_bug.cgi?id=1308771.
2016-02-29Merge pull request #2702 from poettering/resolved-iterate-fixZbigniew Jędrzejewski-Szmek
resolved iteration fix
2016-02-24treewide: fix typos and then/that useTorstein Husebø
2016-02-23dnssec: only run tests that require gcrypt if we have itSteven Siloti
2016-02-23Merge pull request #2724 from vcaputo/minor-formatting-cleanupsZbigniew Jędrzejewski-Szmek
tree-wide: minor formatting inconsistency cleanups
2016-02-23tree-wide: minor formatting inconsistency cleanupsVito Caputo
2016-02-23tree-wide: remove unused variablesThomas Hindoe Paaboel Andersen
2016-02-22tree-wide: make ++/-- usage consistent WRT spacingVito Caputo
Throughout the tree there's spurious use of spaces separating ++ and -- operators from their respective operands. Make ++ and -- operator consistent with the majority of existing uses; discard the spaces.
2016-02-22resolved: fix notification iteration logic when transactions are completedLennart Poettering
When a transaction is complete, and we notify its owners, make sure we deal correctly with the requesters removing themselves from the list of owners while we continue iterating. This was previously already dealt with with transactions that require other transactions for DNSSEC purposes, fix this for other possibly transaction owners too now. Since iterating through "Set" objects is not safe regarding removal of entries from it, rework the logic to use two Sets, and move each entry we notified from one set to the other set before we dispatch the notification. This move operation requires no additional memory, and enables us to ensure that we don't notify any object twice. Fixes: #2676
2016-02-20tree-wide: place #pragma once at the same place everywhereLennart Poettering
Usually, we place the #pragma once before the copyright blurb in header files, but in a few cases we didn't. Move those around, so that we do the same thing everywhere.
2016-02-20systemd-resolved: fix typo on log messageSamuel Tardieu
2016-02-19Merge pull request #2666 from keszybz/coverity-fixesZbigniew Jędrzejewski-Szmek
Coverity fixes
2016-02-19resolved: fix NULL dereference in debug stmtZbigniew Jędrzejewski-Szmek
CID #1351544, #1351545.
2016-02-19Merge pull request #2648 from keszybz/dnssec-workMartin Pitt
Better support for DANE, shell completion
2016-02-18resolve: also allow SSHFP payload to be exportedZbigniew Jędrzejewski-Szmek
2016-02-18resolve: print TLSA packets in hexadecimalZbigniew Jędrzejewski-Szmek
https://tools.ietf.org/html/rfc6698#section-2.2 says: > The certificate association data field MUST be represented as a string > of hexadecimal characters. Whitespace is allowed within the string of > hexadecimal characters
2016-02-18systemd-resolve: easy querying of TLSA recordsZbigniew Jędrzejewski-Szmek
$ systemd-resolve --tlsa fedoraproject.org _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256 $ systemd-resolve --tlsa=tcp fedoraproject.org:443 _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= ... $ systemd-resolve --tlsa=udp fedoraproject.org _443._udp.fedoraproject.org: resolve call failed: '_443._udp.fedoraproject.org' not found v2: - use uint16_t - refuse port 0
2016-02-17Merge pull request #2640 from keszybz/dnssec-work-3Lennart Poettering
resolve: dumping of binary packets
2016-02-16test-resolve-tables: verify that dns type/class length is within limitsZbigniew Jędrzejewski-Szmek
DNS_TYPE_STRING_MAX causes a problem with the table autogeneration code, change to _DNS_TYPE_STRING_MAX.
2016-02-16Use provided buffer in dns_resource_key_to_stringZbigniew Jędrzejewski-Szmek
When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-16Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for rootZbigniew Jędrzejewski-Szmek
This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-16systemd-resolved: split out inner loopZbigniew Jędrzejewski-Szmek
With two nested loops and a switch statements, it's quite hard to understand what break and continue mean.
2016-02-16systemd-resolve: allow whole packets to be dumped in binary formZbigniew Jędrzejewski-Szmek
2016-02-16systemd-resolve: allow keys to be dumped in binary formZbigniew Jędrzejewski-Szmek
$ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
2016-02-16systemd-resolve: reword --help outputZbigniew Jędrzejewski-Szmek
The output didn't specify if the default for --cname/--search/--legend and other options was yes or no. Change the description to be explicit about that. Also make the --help output and man page closer.
2016-02-16Merge pull request #2623 from poettering/networkd-fixesZbigniew Jędrzejewski-Szmek
Networkd, resolved, build-sys fixes
2016-02-16resolved: make sure to normalize all domain names returned via the busLennart Poettering
Most domain names we deal with are normalized anyway (since we read them that way from DNS packets), but some might not (because they are synthesized from unnormalized configuration or so), hence make sure to normalize all names before passing them out to clients, to be fully deterministic. Note that internally we are process normalized and non-normalized names the same way, and while comparing them ignore the differences due to unnormalized names. However, that internal implementation detail really shouldn't spill out the clients, hence make sure to clean it all up.
2016-02-16resolve: print a noisy warning if we show crypto keys that could not be ↵Lennart Poettering
authenticated Doing DNS retrieval on non-authenticated crypt keys is useless, hence warn loudly about it.
2016-02-16resolved: turn on DNSSEC by default, unless configured otherwiseLennart Poettering
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to "allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled by default add a configure switch to disable this again. DNSSEC in "allow-downgrade" mode should mostly work without affecting user experience. There's one exception: some captive portal systems rewrite DNS in order to redirect HTTP traffic to the captive portal. If these systems implement DNS servers that are otherwise DNSSEC-capable (which in fact is pretty unlikely, but still...), then this will result in the captive portal being inaccessible. To fix this support in NetworkManager (or any other network management solution that does captive portal detection) is required, which simply turns off DNSSEC during the captive portal detection, and resets it back to the default (i.e. on) after captive portal authentication is complete.
2016-02-16networkd: FIONREAD is not reliable on some socketsLennart Poettering
Fixes: #2457