summaryrefslogtreecommitdiff
path: root/src/shared/dns-domain.c
AgeCommit message (Collapse)Author
2016-01-18resolved: rework IDNA logicLennart Poettering
Move IDNA logic out of the normal domain name processing, and into the bus frontend calls. Previously whenever comparing two domain names we'd implicitly do IDNA conversion so that "pöttering.de" and "xn--pttering-n4a.de" would be considered equal. This is problematic not only for DNSSEC, but actually also against he IDNA specs. Moreover it creates problems when encoding DNS-SD services in classic DNS. There, the specification suggests using UTF8 encoding for the actual service name, but apply IDNA encoding to the domain suffix. With this change IDNA conversion is done only: - When the user passes a non-ASCII hostname when resolving a host name using ResolveHostname() - When the user passes a non-ASCII domain suffix when resolving a service using ResolveService() No IDNA encoding is done anymore: - When the user does raw ResolveRecord() RR resolving - On the service part of a DNS-SD service name Previously, IDNA encoding was done when serializing names into packets, at a point where information whether something is a label that needs IDNA encoding or not was not available, but at a point whether it was known whether to generate a classic DNS packet (where IDNA applies), or an mDNS/LLMNR packet (where IDNA does not apply, and UTF8 is used instead for all host names). With this change each DnsQuery object will now maintain two copies of the DnsQuestion to ask: one encoded in IDNA for use with classic DNS, and one encoded in UTF8 for use with LLMNR and MulticastDNS.
2016-01-18resolved add dns_name_apply_idna() to convert a domain name into its IDNA ↵Lennart Poettering
equivalent
2016-01-17resolved: on negative NODATA replies, properly deal with empty non-terminalsLennart Poettering
empty non-terminals generally lack NSEC RRs, which means we can deduce their existance only from the fact that there are other RRs that contain them in their suffix. Specifically, the NSEC proof for NODATA on ENTs works by sending the NSEC whose next name is a suffix of the queried name to the client. Use this information properly.
2016-01-17resolved: when validating an RRset, store information about the synthesizing ↵Lennart Poettering
source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-13shared: reuse dns_label_unescape_undo_idna() in more placesLennart Poettering
We frequently unescape DNS label follwed by IDNA undoing. We now have a function that does that in one step, hence use it everywhere.
2016-01-13shared: simplify string concatenation with strjoin()Lennart Poettering
2016-01-13shared: port dns_name_compare_func() to make use of ascii_strcasecmp_nn()Lennart Poettering
This way we become compatible with DNS names with embedded NUL bytes.
2016-01-13shared: simplify dns_name_is_single_label() by using dns_name_parent() to ↵Lennart Poettering
skip first label
2016-01-13shared: replace a few invocations of strcasecmp() for DNS labels with ↵Lennart Poettering
ascii_strcasecmp_n() This makes our code compatible with embedded NUL bytes, as we don't care about NUL bytes anymore.
2016-01-13shared: add new dns_name_startswith() callLennart Poettering
dns_name_startswith() is to dns_name_endswith() as startswith() is to endswith().
2016-01-11shared: make sure foo.bar and foobar result in different domain name hashesLennart Poettering
This also introduces a new macro siphash24_compress_byte() which is useful to add a single byte into the hash stream, and ports one user over to it.
2016-01-11shared: simplify dns_name_hash_func() end of name detectionLennart Poettering
2016-01-11resolved: make sure domain name hash function deals nicely with NUL embedded ↵Lennart Poettering
in labels
2016-01-11basic: introduce generic ascii_strlower_n() call and make use of it everywhereLennart Poettering
2015-12-28shared: relax restrictions on valid domain name characters a bitLennart Poettering
Previously, we'd not allow control characters to be embedded in domain names, even when escaped. Since cloudflare uses \000 however to implement its synthethic minimally covering NSEC RRs, we should allow them, as long as they are properly escaped.
2015-12-27shared: fix handling of suffix "." in dns_name_compare_func()Lennart Poettering
All our other domain name handling functions make no destinction between domain names that end in a dot plus a NUL, or those just ending in a NUL. Make sure dns_name_compare_func() and dns_label_unescape_suffix() do the same.
2015-12-26shared: fix error propagation in dns_name_compare_func()Lennart Poettering
2015-12-26resolved: tighten search for NSEC3 RRs a bitLennart Poettering
Be stricter when searching suitable NSEC3 RRs for proof: generalize the check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add additional checks, such as checking whether all NSEC3 RRs use the same parameters, have the same suffix and so on.
2015-12-26resolved: properly implement RRSIG validation of wildcarded RRsetsLennart Poettering
Note that this is still not complete, one additional step is still missing: when we verified that a wildcard RRset is properly signed, we still need to do an NSEC/NSEC3 proof that no more specific RRset exists.
2015-12-18shared: add dns_name_parent() call to determine parent domain of a domainLennart Poettering
2015-12-06shared: include what we useThomas Hindoe Paaboel Andersen
The next step of a general cleanup of our includes. This one mostly adds missing includes but there are a few removals as well.
2015-12-02util-lib: update dns_name_to_wire_format() to optionally generate DNSSEC ↵Lennart Poettering
canonical names We'll need this later when putting together RR serializations to checksum.
2015-11-30dns-domain: change error codes when dealing with too short buffers to ENOBUFSLennart Poettering
Some calls used ENOBUFS to indicate too-short result buffers, others used ENOSPC. Let's unify this on ENOBUFS.
2015-11-30dns-domain: check resulting domain name length in dns_name_to_wire_format()Lennart Poettering
Let's better be safe than sorry.
2015-11-30dns-domain: make sure dns_name_to_wire_format() may properly encode the root ↵Lennart Poettering
domain The root domain consists of zero labels, and we should be able to encode that.
2015-11-30dns-domain: don't accept overly long hostnamesLennart Poettering
Make sure dns_name_normalize(), dns_name_concat(), dns_name_is_valid() do not accept/generate invalidly long hostnames, i.e. longer than 253 characters.
2015-11-30dns-domain: be more strict when encoding/decoding labelsLennart Poettering
Labels of zero length are not OK, refuse them early on. The concept of a "zero-length label" doesn't exist, a zero-length full domain name however does (representing the root domain). See RFC 2181, Section 11.
2015-11-29tree-wide: remove unused variablesThomas Hindoe Paaboel Andersen
2015-11-25dns-domain: rework dns_label_escape() to not imply memory allocationLennart Poettering
The new dns_label_escape() call now operates on a buffer passed in, similar to dns_label_unescape(). This should make decoding a bit faster, and nicer.
2015-11-25dns-domain: change dns_srv_type_is_valid() return value to boolLennart Poettering
For similar reasons as dns_name_is_root() got changed in the previous commit.
2015-11-25dns-domain: simplify dns_name_is_root() and dns_name_is_single_label()Lennart Poettering
Let's change the return value to bool. If we encounter an error while parsing, return "false" instead of the actual parsing error, after all the specified hostname does not qualify for what the function is supposed to test. Dealing with the additional error codes was always cumbersome, and easily misused, like for example in the DHCP code. Let's also rename the functions from dns_name_root() to dns_name_is_root(), to indicate that this function checks something and returns a bool. Similar for dns_name_is_signal_label().
2015-11-24resolved: implement client-side DNAME resolutionLennart Poettering
Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-23dns-domain: add calls to join/split SRV/DNS-SD service domainsLennart Poettering
This adds dns_service_join() and dns_service_split() which may be used to concatenate a DNS-SD service name, am SRV service type string, and a domain name into a full resolvable DNS domain name string. If the service name is specified as NULL, only the type and domain are appended, to implement classic, non-DNS-SD SRV lookups. The reverse is dns_service_split() which takes the full name, and split it into the three components again.
2015-11-23dns-domain: add code for verifying validity of DNS-SD service names and typesLennart Poettering
2015-11-17dns-domain: add dns_name_to_wire_format()Beniamino Galvani
The function converts a domain name string to the wire format described in RFC 1035 Section 3.1.
2015-10-27util-lib: split out allocation calls into alloc-util.[ch]Lennart Poettering
2015-10-27util-lib: split out hex/dec/oct encoding/decoding into its own fileLennart Poettering
2015-10-27util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]Lennart Poettering
2015-10-24util-lib: split our string related calls from util.[ch] into its own file ↵Lennart Poettering
string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-05hashmap: hash_funcs - make inputs unambiguousTom Gundersen
Make sure all variable-length inputs are properly terminated or that their length is encoded in some way. This avoids ambiguity of adjacent inputs. E.g., in case of a hash function taking two strings, compressing "ab" followed by "c" is now distinct from "a" followed by "bc".
2015-10-05hashmap: refactor hash_funcTom Gundersen
All our hash functions are based on siphash24(), factor out siphash_init() and siphash24_finalize() and pass the siphash state to the hash functions rather than the hash key. This simplifies the hash functions, and in particular makes composition simpler as calling siphash24_compress() repeatedly on separate chunks of input has the same effect as first concatenating the input and then calling siphash23_compress() on the result.
2015-08-21dns-domain: add call for concatenating two domain namesLennart Poettering
This is specifically useful for appending the mDNS ".local" suffix to a single-label hostname in the most correct way. (used in later commit)
2015-07-28shared: dns-name - add dns_name_between()Tom Gundersen
Given three DNS names this function indicates if the second argument lies strictly between the first and the third according to the canonical DNS name order. Note that the order is circular, so the last name is considered to be before the first.
2015-07-28shared: dns-name - use the canonical dns name orderingTom Gundersen
The canonical DNS name ordering considers the rightmost label the most significant, we were considering it the least significant. This is important when implementing NSEC, which relies on the correct order.
2015-07-28shared: dns-name - introduce dns_label_unescape_suffix()Tom Gundersen
Intended to be called repeatedly, and returns then successive unescaped labels from the most to the least significant (left to right). This is slightly inefficient as it scans the string three times (two would be sufficient): once to find the end of the string, once to find the beginning of each label and lastly once to do the actual unescaping. The latter two could be done in one go, but that seemed unnecessarily convoluted.
2015-06-10resolve: move dns routines into sharedNick Owens