summaryrefslogtreecommitdiff
path: root/src/resolve
AgeCommit message (Collapse)Author
2016-02-04resolved: correctly store interface index of RRs in cacheLennart Poettering
Fixes: #2361
2016-02-04resolved: properly turn off DNSSEC for LLMNR/mDNS scopesLennart Poettering
2016-02-04resolved: don't follow CNAMEs originating from DNS on LLMNRLennart Poettering
Fixes: #2514
2016-02-01resolve: work around clang limitationLennart Poettering
clang is apparently not smart enough to detect when a switch statement contains case statements for all possible values of the used type. Work around that. (And while we are at it, normalize indentation a bit) Fixes: #2504
2016-02-01resolved: rework what ResolveHostname() with family == AF_UNSPEC meansLennart Poettering
Previously, if a hostanem is resolved with AF_UNSPEC specified, this would be used as indication to resolve both an AF_INET and an AF_INET6 address. With this change this logic is altered: an AF_INET address is only resolved if there's actually a routable IPv4 address on the specific interface, and similar an AF_INET6 address is only resolved if there's a routable IPv6 address. With this in place, it's ensured that the returned data is actually connectable by applications. This logic mimics glibc's resolver behaviour. Note that if the client asks explicitly for AF_INET or AF_INET6 it will get what it asked for. This also simplifies the logic how it is determined whether a specific lookup shall take place on a scope. Specifically, the checks with dns_scope_good_key() are now moved out of the transaction code and into the query code, so that we don't even create a transaction object on a specific scope if we cannot execute the resolution on it anyway.
2016-02-01resolve: Silence build warning, when systemd is built without libidnTorstein Husebø
HAVE_IDN is not defined when systemd is build without it
2016-02-01resolve: fix typosTorstein Husebø
2016-01-31resolved: allow building without libgcryptMichael Olbrich
2016-01-31resolved: make dnssec_nsec_test_enclosed() staticMichael Olbrich
It's not used anywhere else.
2016-01-31resolved: reorder functionsMichael Olbrich
Preparation to make gcrypt optional.
2016-01-29resolved: log server type when switching serversZbigniew Jędrzejewski-Szmek
I'm not defining _DNS_SERVER_TYPE_MAX/INVALID as usual in the enum, because it wouldn't be used, and then gcc would complain that various enums don't test for _DNS_SERVER_TYPE_MAX. It seems better to define the macro rather than add assert_not_reached() in multiple places.
2016-01-29resolved: add macro to compare sized fieldsZbigniew Jędrzejewski-Szmek
For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29resolve-host: add option to list protocolsZbigniew Jędrzejewski-Szmek
2016-01-29resolve-host: allow specifying type as TYPEnnZbigniew Jędrzejewski-Szmek
This mirrors the behaviour of host and makes the conversion to and from string symmetrical.
2016-01-29test-resolve-tables: new "test", useful to print mappingsZbigniew Jędrzejewski-Szmek
2016-01-29resolved: calculate and print tags for DNSKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: expand flags field in DNSKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: convert TLSA fields to stringZbigniew Jędrzejewski-Szmek
Example output: _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256
2016-01-28resolved: OPENPGPKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: TLSA recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: add alignment to base64Zbigniew Jędrzejewski-Szmek
We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2016-01-28resolved: emit full path to file we failed to writeZbigniew Jędrzejewski-Szmek
Otherwise it's unclear if it's /etc/resolv.conf or some other file that is meant.
2016-01-26resolve: fix compare function for EtcHostItemThomas Hindoe Paaboel Andersen
From dd0bc0f1
2016-01-26update TODOLennart Poettering
This gets rid of the private DNSSEC TODO and moves it in the main TODO dump site, as the DNSSEC implementation is pretty complete now, and the remaining bits are low-priority.
2016-01-26resolved: prorize rtnl and sd-network event sourcesLennart Poettering
Lets make sure we always take notice of network changes before answering client requests. This way, calls like SetLinkDNS() become race-free as the specified interface index is guarantee to have been processed if it exists before we make changes to it.
2016-01-26resolved: fix the rcode to SUCCESS if we find at least one matching RR in a ↵Lennart Poettering
DNS response If we encounter NXDOMAIN, but find at least one matching RR in a response, then patch it to become SUCCESS. This should clean up handling of CNAME/DNAMEs, and makes sure broken servers and those conforming to RFC 6604 are treated the same way. The new behaviour opposes the logic suggested in RFC 6604, but given that some servers don't implement it correctly, and given that in some ways the CNAME/DNAME chains will be incomplete anyway, and given that DNSSEC generally only allows us to prove the first element of a CNAME/DNAME chain, this should simplify things for us.
2016-01-26resolved: allow configuration of routing domains in Domains=Lennart Poettering
2016-01-26resolved: teach resolved the difference between "routing" and "search" domainsLennart Poettering
Following the changes to expose the "routing" and "search" domain concepts in networkd, actually make resolved use them. It will now use routing domains exclusively for making DNS routing decisions, and use search domains additionally for extending single-label names.
2016-01-26networkd: rework Domains= settingLennart Poettering
Previously, .network files only knew a vaguely defined "Domains=" concept, for which the documentation declared it was the "DNS domain" for the network connection, without specifying what that means. With this the Domains setting is reworked, so that there are now "routing" domains and "search" domains. The former are to be used by resolved to route DNS request to specific network interfaces, the latter is to be used for searching single-label hostnames with (in addition to being used for routing). Both settings are configured in the "Domains=" setting. Normal domain names listed in it are now considered search domains (for compatibility with existing setups), while those prefixed with "~" are considered routing domains only. To route all lookups to a specific interface the routing domain "." may be used, referring to the root domain. An alternative syntax for this is the "*", as was already implemented before using the "wildcard" domain concept. This commit adds proper parsers for this new logic, and exposes this via the sd-network API. This information is not used by resolved yet, this will be added in a later commit.
2016-01-25resolved: don't consider NSEC/NSEC3 RRs as "pimary" for transactionsLennart Poettering
So far, abritrary NSEC and NSEC3 RRs were implicitly consider "primary" for any transaction, meaning we'd abort the transaction immediately if we couldn't validate it. With this patch this logic is removed, and the NSEC/NSEC3 RRs will not be considered primary anymore. This has the effect that they will be dropped from the message if they don't validate, but processing continues. This is safe to do, as they are required anyway to validate positive wildcard and negative responses, and if they are missing then, then message will be considered unsigned, which hence means the outcome is effectively the same. This is benefical in case the server sends us NSEC/NSEC3 RRs that are not directly related to the lookup we did, but simply auxiliary information. Previously, if we couldn't authenticate those RRs we'd fail the entire lookup while with this change we'll simply drop the auxiliary information and proceed without it.
2016-01-25resolved: don't insist in RRSIG metadata for NSEC3 RRs that have not been ↵Lennart Poettering
authenticated In some cases we get NSEC3 RRs that have not been authenticated (because the chain of trust to the root is somewhere broken). We can use these for checking negative replies, as long as we don't claim they were ultimately authenticated. This means we need to be able to deal with NSEC3 RRs that lack RRSIG metadata.
2016-01-25resolved: use dns_query_reset_answer() where we canLennart Poettering
2016-01-25update DNSSEC TODOLennart Poettering
2016-01-25resolved: properly propagate query candidate errorLennart Poettering
We already properly propagate errors from transactions to queries. Make sure that errors that happened during handling of query candidates are propagated to the query, too.
2016-01-25resolved: replace DNS_TRANSACTION_RESOURCES by DNS_TRANSACTION_ERRNOLennart Poettering
Whenever we encounter an OS error we did not expect, we so far put the transaction into DNS_TRANSACTION_RESOURCES state. Rename this state to DNS_TRANSACTION_ERRNO, and save + propagate the actual system error to the caller. This should make error messages triggered by system errors much more readable by the user.
2016-01-25resolved: log recognizably about DNSSEC downgradesLennart Poettering
If we downgrade from DNSSEC to non-DNSSEC mode, let's log about this in a recognizable way (i.e. with a message ID), after all, this is of major importance.
2016-01-25resolved: synthesize RRs for data from /etc/hostsLennart Poettering
This way the difference between lookups via NSS and our native bus API should become minimal.
2016-01-25resolved: when synthesizing RR responses, own the name fullyLennart Poettering
When we synthesize A/AAAA for domains like "localhost", then make sure we generate ENODATA if the user asks for RR types such a RP to be solved on the name. Previously, we'd pass the error back in that case that was generated from the usual lookup procedure.
2016-01-25resolved: properly handle LLMNR/TCP connection errorsLennart Poettering
The LLMNR spec suggests to do do reverse address lookups by doing direct LLMNR/TCP connections to the indicated address, instead of doing any LLMNR multicast queries. When we do this and the peer doesn't actually implement LLMNR this will result in a TCP connection error, which we need to handle. In contrast to most LLMNR lookups this will give us a quick response on whether we can find a suitable name. Report this as new transaction state, since this should mostly be treated like an NXDOMAIN rcode, except that it's not one.
2016-01-25resolved: fix rcode formatting string lengthLennart Poettering
Since we honour the edns rcode extension we need more than 4 bits to format it. To avoid further confusion, derive the right length from the type.
2016-01-25resolve: fix wording in resolver statistics outputLennart Poettering
Now that we count both negative and positive validation results, we shouldn't claim we just counted RRsets.
2016-01-25resolved: log each time we increase the DNSSEC verdict countersLennart Poettering
Also, don't consider RRs that aren't primary to the lookups we do as relevant to the lookups.
2016-01-25resolved: never store NSEC/NSEC3 RRs from the upper zone of a zone cut in cacheLennart Poettering
When using NSEC/NSEC3 RRs from the cache to derive existance of arbitrary RRs, we should not get confused by the fact that NSEC/NSEC3 RRs exist twice at zone cuts: once in the parent zone, and once in the child zone. For most RR types we should only consult the latter since that's where the beef is. However, for DS lookups we have to check the former. This change makes sure we never cache NSEC/NSEC3 RRs from any parent zone of a zone-cut. It also makes sure that when we look for a DS RR in the cache we never consider any cached NSEC RR, as those are now always from the child zone.
2016-01-25resolved: if we detect a message with incomplete DNSSEC data, consider this ↵Lennart Poettering
an invalid packet event
2016-01-25resolved: also collect statistics about negative DNSSEC proofsLennart Poettering
We already maintain statistics about positive DNSSEC proofs, and count them up by 1 for each validated RRset. Now, update the same counters each time we validated a negative query, so that the statistics are the combined result of all validation checks, both positive and negative.
2016-01-25resolve: use different bitmap checking rules when we find an exact NSEC3 ↵Lennart Poettering
match, or just a covering enclosure If we are looking for a DS RR we need to check the NSEC3 bitmap of the parent zone's NSEC3 RR, not the one from the child. For any other RR we need to look at the child's however, hence enforce this with the bitmaps. Note that not coverign checks only the lower zone's NSEC3 bitmaps matter, hence the existing check is fine.
2016-01-25resolve: minor strings improvementsLennart Poettering
2016-01-25resolve: rename "systemd-resolve-host" tool to simply "systemd-resolve"Lennart Poettering
The tool resolves way more than just hosts, hence give it a more generic name. This should be safe, as the tool is currently undocumented. Before we add documentation for it, let's get the name right. This also moves the C source into src/resolve/ (from src/resolve-host/), since the old name is a misnomer now. Also, since it links directly to many of the C files of resolved it really belongs into resolved's directory anyway.
2016-01-25resolved: get rid of unnecessary if checkLennart Poettering
DNS_ANSWER_FOREACH() can deal with NULL answers anyway, let's simplify our code here.
2016-01-25resolved: split out RR synthesis logic into its own C fileLennart Poettering
Also, while we are at it, set the "authenticated" bit for everything we synthesize