summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2015-12-26resolved: split out a new dns_type_may_redirect() callLennart Poettering
Let's abstract which RRs shall honour CNAMEs, and which ones should not.
2015-12-20resolve: fix indentationThomas Hindoe Paaboel Andersen
2015-12-18resolved: propagate DNSSEC validation status from auxiliary transactionsLennart Poettering
Let's make sure we propagate the DNSSEC validation status from an auxiliary DNSSEC transaction back to the originating transaction, to improve the error messages we generate.
2015-12-18resolved: propagate the DNSSEC result from the transaction to the query and ↵Lennart Poettering
the the bus client It's useful to generate useful errors, so let's do that.
2015-12-18resolved: rename DNS_TRANSACTION_FAILURE → DNS_TRANSACTION_RCODE_FAILURELennart Poettering
We have many types of failure for a transaction, and DNS_TRANSACTION_FAILURE was just one specific one of them, if the server responded with a non-zero RCODE. Hence let's rename this, to indicate which kind of failure this actually refers to.
2015-12-18resolved: merge two commentsLennart Poettering
2015-12-18resolved: rename dns_cache_item_remove_and_free() → _unlink_and_free()Lennart Poettering
In most of the other call, we called similar functions that remove the data structure link-ups to other objects "unlink", hence we should here, too.
2015-12-18resolved: rename dns_cache_remove() → dns_cache_remove_by_key()Lennart Poettering
Given that we already have dns_cache_remove_by_rr() this makes clearer what the operation actually does.
2015-12-18resolved: add a call that dumps the contents of a DnsAnswer structureLennart Poettering
This is not used anywhere, but it's extremely useful when debugging.
2015-12-18resolved: rework mDNS cache-flush bit handlingLennart Poettering
This adds a new DnsAnswer item flag "DNS_ANSWER_SHARED_OWNER" which is set for mDNS RRs that lack the cache-flush bit. The cache-flush bit is removed from the DnsResourceRecord object in favour of this. This also splits out the code that removes previous entries when adding new positive ones into a new separate call dns_cache_remove_previous().
2015-12-18resolved: properly determine size of DnsAnswer objectLennart Poettering
After all we want to allow NULL DnsAnswer objects as equivalent to empty ones, hence we should use the right checks everywhere.
2015-12-18resolved: pass out precise authenticated bit we got passed inLennart Poettering
Make sure the cache never altes the authenticated bit of RRs stored in it, and drops it for RRs when passing it out again.
2015-12-18resolved: don't honour mDNS cache-flush bit for OPT RRsLennart Poettering
OPT RRs after all use the class field for other purposes than actually encoding a class, hence the cache flush bit doesn't apply really.
2015-12-18resolve: optimize dns_cache_flush() a bitLennart Poettering
Let's use dns_cache_remove() rather than dns_cache_item_remove_and_free() to destroy the cache, since the former requires far fewer hash table lookups.
2015-12-18resolved: when receiving a TTL=0 RR, only flush that specific RRLennart Poettering
When we receieve a TTL=0 RR, then let's only flush that specific RR and not the whole RRset. On mDNS with RRsets that a shared-owner this is how specific RRs are removed from the set, hence support this. And on non-mDNS the whole RRset will already be removed much earlier in dns_cache_put() hence there's no reason remove it again.
2015-12-18resolved: optimize dns_cache_remove() a bitLennart Poettering
2015-12-18resolved: use dns_name_parent() where appropriateLennart Poettering
2015-12-18resolved: check SOA authentication state when negative cachingLennart Poettering
We should never use the TTL of an unauthenticated SOA to cache an authenticated RR.
2015-12-18resolved: don't call dns_cache_remove() from dns_cache_put_negative()Lennart Poettering
We call it anyway as one of the first calls in dns_cache_put(), hence there's no reason to do this multiple times.
2015-12-18resolved: bump cache size a bitLennart Poettering
Let's keep entries for longer and more of them. After all, due to the DNSSEC hookup the amount of RRs we need to store is much higher now.
2015-12-18resolved: make use of dns_{class|type}_is_{pseudo|valid_rr}() everywhereLennart Poettering
2015-12-18resolved: refuse accepting EDNS0 OPT RRs with a non-root domainLennart Poettering
2015-12-18resolved: move DNS class utilities to dns-type.c and add more helpersLennart Poettering
Let's make DNS class helpers more like DNS type helpers, let's move them from resolved-dns-rr.[ch] into dns-type.[ch]. This also adds two new calls dns_class_is_pseudo() and dns_class_is_valid_rr() which operate similar to dns_type_is_pseudo() and dns_type_is_valid_rr() but for classes instead of types. This should hopefully make handling of DNS classes and DNS types more alike.
2015-12-18resolved: update TODOLennart Poettering
2015-12-18resolved: add support NSEC3 proofs, as well as proofs for domains that are ↵Lennart Poettering
OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
2015-12-18resolved: refuse to add auxiliary transactions loopsLennart Poettering
Let's be safe and explicitly avoid that we add an auxiliary transaction dependency on ourselves.
2015-12-18resolved: don't check for NULL DnsAnswer object explicitly where unnecessaryLennart Poettering
The DNS_ANSWER_FOREACH macros do this internally anyway, no need to duplicate this.
2015-12-18resolved: stop timeout timer when validating transactionsLennart Poettering
We need no separate timeout anymore as soon as we received a reply, as the auxiliary transactions have their own timeouts.
2015-12-18resolved: when destroying a scope, only abort live transactionsLennart Poettering
2015-12-18resolved: make sure we don't get confused when notifying transactions while ↵Lennart Poettering
they are destroyed A failing transaction might cause other transactions to fail too, and thus the set of transactions to notify for a transaction might change while we are notifying them. Protect against that.
2015-12-18resolved: merge two bools into a bitfieldLennart Poettering
2015-12-18resolved: use right format specifier to print transaction IDLennart Poettering
2015-12-18resolved: cache stringified transaction key once per transactionLennart Poettering
We end up needing the stringified transaction key in many log messages, hence let's simplify the logic and cache it inside of the transaction: generate it the first time we need it, and reuse it afterwards. Free it when the transaction goes away. This also updated a couple of log messages to make use of this.
2015-12-18resolved: don't complain if networkd doesn't know an interface we care aboutLennart Poettering
2015-12-16resolve: remove unused variableThomas Hindoe Paaboel Andersen
2015-12-16resolve: fix indendationThomas Hindoe Paaboel Andersen
2015-12-14resolved: update DNSSEC TODOLennart Poettering
2015-12-14resolved: add basic proof of non-existance support for NSEC+NSEC3Lennart Poettering
Note that this is not complete yet, as we don't handle wildcard domains correctly, nor handle domains correctly that use empty non-terminals.
2015-12-14resolved: when serializing NSEC3 windows, don't write more windows than ↵Lennart Poettering
necessary
2015-12-14resolved: constify a parameterLennart Poettering
2015-12-14resolved: always consider NSEC/NSEC3 RRs as "primary"Lennart Poettering
It's not OK to drop these for our proof of non-existance checks.
2015-12-14resolved: don't choke on NULL DNS transactions when determining query ↵Lennart Poettering
candidate state
2015-12-14resolved: initialize libgcrypt before using itLennart Poettering
2015-12-14resolved: rework how we get the gcrypt digest algorithm ID from DNSSEC ↵Lennart Poettering
digest ids Let's move this into a function digest_to_gcrypt() that we can reuse later on when implementing NSEC3 validation.
2015-12-14resolved: apparently not all names are used in canonical form for DNSSEC ↵Lennart Poettering
validation Specifically, it appears as if the NSEC next domain name should be in the original casing rather than canonical form, when validating.
2015-12-14treewide: fix typos and indentationTorstein Husebø
2015-12-11resolved: don't eat up errorsLennart Poettering
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname() may return errors as negative return values. Make sure to propagate those.
2015-12-11resolved: refactor DNSSEC answer validationLennart Poettering
This changes answer validation to be more accepting to unordered RRs in responses. The agorithm we now implement goes something like this: 1. populate validated keys list for this transaction from DS RRs 2. as long as the following changes the unvalidated answer list: 2a. try to validate the first RRset we find in unvalidated answer list 2b. if that worked: add to validated answer; if DNSKEY also add to validated keys list; remove from unvalidated answer. 2c. continue at 2a, with the next RRset, or restart from the beginning when we hit the end 3. as long as the following changes the unvalidated answer list: 3a. try to validate the first RRset again. This will necessarily fail, but we learn the precise error 3b. If this was a "primary" response to the question, fail the entire transaction. "Primary" in this context means that it is directly a response to the query, or a CNAME/DNAME for it. 3c. Otherwise, remove the RRset from the unvalidated answer list. Note that we the too loops in 2 + 3 are actually coded as a single one, but the dnskeys_finalized bool indicates which loop we are currently processing. Note that loop 2 does not drop any invalidated RRsets yet, that's something only loop 3 does. This is because loop 2 might still encounter additional DNSKEYS which might validate more stuff, and if we'd already have dropped those RRsets we couldn't validate those anymore. The first loop is hence a "constructive" loop, the second loop a "destructive" one: the first one validates whatever is possible, the second one then deletes whatever still isn't.
2015-12-11resolved: rework dnssec validation resultsLennart Poettering
This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is returned when we encounter an unsupported crypto algorithm when trying to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP in this case, but it's better to consider this a non-error DNSSEC validation result, since our reaction to this case needs to be more like in cases such as expired or missing keys: we need to keep continue validation looking for another RRSIG/DNSKEY combination that works better for us. This also reworks how dnssec_validate_rrsig_search() propagates errors from dnssec_validate_rrsig(). Previously, errors such as unsupported algorithms or expired signatures would not be propagated, but simply be returned as "missing-key".
2015-12-11resolved: rework how and when the number of answer RRs to cache is determinedLennart Poettering
Instead of figuring out how many RRs to cache right before we do so, determine this at the time we install the answer RRs, so that we can still alter this as we manipulate the answer during validation. The primary purpose of this is to pave the way so that we can drop unsigned RRsets from the answer and invalidate the number of RRs to cache at the same time.