summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2015-12-10resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabledLennart Poettering
This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-10resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support ↵Lennart Poettering
the DNSKEY's algorithm As long as we support the digest we are good.
2015-12-10resolved: when matching up RRSIG and DNSKEY RRs, use the RRSIG's signer ↵Lennart Poettering
name, not the owner name When the DNSKEY is in higher zone, then that's OK, and we need to check the RRSIG's signer name against the DNSKEY hence.
2015-12-10resolved: fix sorting of RRsetsLennart Poettering
We actually maintain an array of pointers to RRs, not of RRs themselves, fix the qsort() invocation accordingly.
2015-12-10resolved: grow DnsAnswer exponentiallyLennart Poettering
When increasing the DnsAnswer array, don't operate piecemeal, grow the array exponentially. This way, the default logic for DnsAnswer allocations matches the behaviour for GREEDY_REALLOC and suchlike, and we can reduce the number of necessary allocations.
2015-12-10resolved: log when we chase a CNAME RRLennart Poettering
2015-12-10resolved: reenable caching for LLMNRLennart Poettering
This got borked in 547493c5ad5c82032e247609970f96be76c2d661.
2015-12-10resolved: split out check whether reply matches our questionLennart Poettering
It's complicated enough, it deserves its own call. (Also contains some unrelated whitespace, comment and assertion changes)
2015-12-10resolved: IXFR and AXFR cannot be the type of RRs, only of RR keysLennart Poettering
Enforce this while parsing RRs.
2015-12-10resolved: when parsing DNS packets, handle OPT RR speciallyLennart Poettering
As soon as we encounter the OPT RR while parsing, store it in a special field in the DnsPacket structure. That way, we won't be confused if we iterate through RRs, and can check that there's really only one of these RRs around.
2015-12-10resolved: refuse modifying DnsAnswer objects that have more than one referenceLennart Poettering
DnsAnswer objects should be considered immutable after having passed to more than one user, i.e. with a reference counter > 1. Enforce that in code, so that we can track down misuses easier.
2015-12-10resolved: fix libgcrypt error checkingLennart Poettering
libgcrypt encodes the error source in the error code, we need to mask that away before comparing error codes.
2015-12-10resolved: split out logic to flush DnsAnswer objectsLennart Poettering
Let's simplify things, by making this a function call of its own.
2015-12-10resolved: honour RFC6761's ban on the invalid TLDLennart Poettering
2015-12-10resolved: fix DNS_ANSWER_FOREACH_IFINDEX() to not collide with user defined ↵Lennart Poettering
ifindex variable
2015-12-10resolved: partially revert 5eefe54Lennart Poettering
Quoting @teg: "Contrary to what the comment said, we always verify redirect chains in full, and cache all the CNAME records. There is therefore no need to do extra negative caching along a CNAME chain." This simply steals @teg's commit since we'll touch the SOA matching case in a later patch, and rather want this bit gone, so that we don't have to "fix" it, only to remove it later on.
2015-12-10resolved: when outputting RRs in text form, append a trailing dot to owner namesLennart Poettering
After all, that's how this is done in DNS, and is particularly important if we look a DS/DNSKEY RRs for the root zone itself, where the owner name would otherwise be shown as completely empty (i.e. missing).
2015-12-10resolved: shortcut RR comparisons if pointers matchLennart Poettering
When iterating through RR lists we frequently end up comparing RRs and RR keys with themselves, hence att a minor optimization to check ptr values first, before doing a deep comparison.
2015-12-10resolved: fix parameter type of dns_type_is_pseudo()Lennart Poettering
DNS RR types are uint16_t after all, treat them as such.
2015-12-10resolved: add more linked packets for overlong known answersDaniel Mack
For mDNS, if we're unable to stuff all known answers into the given packet, allocate a new one, push the RR into that one and link it to the current one.
2015-12-10resolved: handle linked packet in dns_scope_emit()Daniel Mack
In dns_scope_emit(), walk the list of additional packets and emit all of them. Set the TC bit in all but the last of them. This is specific to mDNS, so an assertion is triggered if used with other protocols.
2015-12-10resolved: add support for linked packetsDaniel Mack
For mDNS, we need to support the TC bit in case the list of known answers exceed the maximum packet size. For this, add a 'more' pointer to DnsPacket for an additional packet. When a packet is unref'ed, the ->more packet is also unrefed, so it sufficient to only keep track of the 1st packet in a chain.
2015-12-10resolved: add dns_packet_set_flags()Daniel Mack
We need to support the TC bit in queries in case known answers exceed the maximum packet size. Factor out the flags compilation to dns_packet_set_flags() and make it externally available.
2015-12-09resolved: llmnr, mdns: simplify error handlingDaniel Mack
sd_event_add_io() returns the error directly and does not mess with errno.
2015-12-09resolved: don't send .local requests to DNS serversDaniel Mack
DNS names ending with .local are specific to mDNS, so don't use them on DNS scopes.
2015-12-08resolved: add dns_cache_export_to_packet()Daniel Mack
This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
2015-12-08resolved: implement query coalescingDaniel Mack
Implement dns_transaction_make_packet_mdns(), a special version of dns_transaction_make_packet() for mDNS which differs in many ways: a) We coalesce queries of currently active transaction on the scope. This is possible because mDNS actually allows many questions in a to be sent in a single packet and it takes some burden from the network. b) Both A and AAAA query keys are broadcast on both IPv4 and IPv6 scopes, because other hosts might only respond on one of their addresses but resolve both types. c) We discard previously sent packages (t->sent) so we can start over and coalesce pending transactions again.
2015-12-08resolved: add 'next_attempt_after' field to DnsTransactionDaniel Mack
For each transaction, record when the earliest point in time when the query packet may hit the wire. This is the same time stamp for which the timer is scheduled in retries, except for the initial query packets which are delayed by a random jitter. In this case, we denote that the packet may actually be sent at the nominal time, without the jitter. Transactions that share the same timestamp will also have identical values in this field. It is used to coalesce pending queries in a later patch.
2015-12-08resolved: split dns_transaction_go()Daniel Mack
Split some code out of dns_transaction_go() so we can re-use it later from different context. The new function dns_transaction_prepare_next_attempt() takes care of preparing everything so that a new packet can conditionally be formulated for a transaction. This patch shouldn't cause any functional change.
2015-12-08resolved: handle more mDNS protocol detailsDaniel Mack
2015-12-08resolved: fix debug messageDaniel Mack
2015-12-08resolved: add mDNS packet dispatcherDaniel Mack
Add the packet dispatching routine for mDNS. It differs to what LLMNR and DNS dispatchers do in the way it matches incoming packets. In mDNS, we actually handle all incoming packets, regardless whether we asked for them earlier or not.
2015-12-08resolved: allow name compression in NSEC recordsDaniel Mack
2015-12-08resolved: handle mDNS timeouts per transactionDaniel Mack
mDNS packet timeouts need to be handled per transaction, not per link. Re-use the n_attempts field for this purpose, as packets timeouts should be determined by starting at 1 second, and doubling the value on each try.
2015-12-08resolved: short-cut jitter callbacks for LLMNR and mDNSDaniel Mack
When a jitter callback is issued instead of sending a DNS packet directly, on_transaction_timeout() is invoked to 'retry' the transaction. However, this function has side effects. For once, it increases the packet loss counter on the scope, and it also unrefs/refs the server instances. Fix this by tracking the jitter with two bool variables. One saying that the initial jitter has been scheduled in the first place, and one that tells us the delay packet has been sent.
2015-12-08resolved: flush keys when DNS_RESOURCE_KEY_CACHE_FLUSH is setDaniel Mack
In mDNS, DNS_RESOURCE_KEY_CACHE_FLUSH denotes whether other records with the same key should be flushed from the cache.
2015-12-08resolved: add cache flush flag to DnsResourceKeyDaniel Mack
MDNS has a 'key cache flush' flag for records which must be masked out for the parsers to do our right thing. We will also use that flag later (in a different patch) in order to alter the cache behavior.
2015-12-08resolved: add mDNS initial jitterDaniel Mack
The logic is to kick off mDNS packets in a delayed way is mostly identical to what LLMNR needs, except that the constants are different.
2015-12-08resolved: create dns scopes for mDNSDaniel Mack
Follow what LLMNR does, and create per-link DnsScope objects.
2015-12-08resolved: add code to join/leave mDNS multicast groupsDaniel Mack
Per link, join the mDNS multicast groups when the scope is created, and leave it again when the scope goes away.
2015-12-08resolved: add packet header details for mDNSDaniel Mack
Validate mDNS queries and responses by looking at some header fields, add mDNS flags.
2015-12-08resolved: add infrastructure for mDNS related socketsDaniel Mack
Just hook up mDNS listeners with an empty packet dispather function, introduce a config directive, man page updates etc.
2015-12-06resolve: remove unused variableThomas Hindoe Paaboel Andersen
2015-12-03resolved: update DNSSEC TODO list a bitLennart Poettering
2015-12-03resolved: add a concept of "authenticated" responsesLennart Poettering
This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03resolved: when synthesizing NODATA from cached NSEC bitmaps, honour CNAME/DNAMELennart Poettering
When an RR type is not set in an NSEC, then the CNAME/DNAME types might still be, hence check them too. Otherwise we might end up refusing resolving of CNAME'd RRs if we cached an NSEC before.
2015-12-03resolved: maintain a short TODO list for DNSSEC support in the dnssec C ↵Lennart Poettering
files for now
2015-12-03resolved: introduce a dnssec_mode setting per scopeLennart Poettering
The setting controls which kind of DNSSEC validation is done: none at all, trusting the AD bit, or client-side validation. For now, no validation is implemented, hence the setting doesn't do much yet, except of toggling the CD bit in the generated messages if full client-side validation is requested.
2015-12-03resolved: add a limit on the max DNSSEC RRSIG expiry skew we allowLennart Poettering
2015-12-03resolved: add a simple trust anchor database as additional RR sourceLennart Poettering
When doing DNSSEC lookups we need to know one or more DS or DNSKEY RRs as trust anchors to validate lookups. With this change we add a compiled-in trust anchor database, serving the root DS key as of today, retrieved from: https://data.iana.org/root-anchors/root-anchors.xml The interface is kept generic, so that additional DS or DNSKEY RRs may be served via the same interface, for example by provisioning them locally in external files to support "islands" of security. The trust anchor database becomes the fourth source of RRs we maintain, besides, the network, the local cache, and the local zone.