summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2016-01-11resolved: don't attempt to send queries for DNSSEC RR types to servers not ↵Lennart Poettering
supporting them If we already degraded the feature level below DO don't bother with sending requests for DS, DNSKEY, RRSIG, NSEC, NSEC3 or NSEC3PARAM RRs. After all, we cannot do DNSSEC validation then anyway, and we better not press a legacy server like this with such modern concepts. This also has the benefit that when we try to validate a response we received using DNSSEC, and we detect a limited server support level while doing so, all further auxiliary DNSSEC queries will fail right-away.
2016-01-11resolved: log about reasons for switching to TCPLennart Poettering
2016-01-11resolved: when we get a packet failure from a server, don't downgrade UDP to ↵Lennart Poettering
TCP or vice versa Under the assumption that packet failures (i.e. FORMERR, SERVFAIL, NOTIMP) are caused by packet contents, not used transport, we shouldn't switch between UDP and TCP when we get them, but only downgrade the higher levels down to UDP.
2016-01-11resolved: properly handle UDP ICMP errors as lost packetsLennart Poettering
UDP ICMP errors are reported to us via recvmsg() when we read a reply. Handle this properly, and consider this a lost packet, and retry the connection. This also adds some additional logging for invalid incoming packets.
2016-01-11resolved: when we get a TCP connection failure, try againLennart Poettering
Previously, when we couldn't connect to a DNS server via TCP we'd abort the whole transaction using a "connection-failure" state. This change removes that, and counts failed connections as "lost packet" events, so that we switch back to the UDP protocol again.
2016-01-11resolved: when DNS/TCP doesn't work, try DNS/UDP againLennart Poettering
If we failed to contact a DNS server via TCP, bump of the feature level to UDP again. This way we'll switch back between UDP and TCP if we fail to contact a host. Generally, we prefer UDP over TCP, which is why UDP is a higher feature level. But some servers only support UDP but not TCP hence when reaching the lowest feature level of TCP and want to downgrade from there, pick UDP again. We this keep downgrading until we reach TCP and then we cycle through UDP and TCP.
2016-01-11resolved: introduce dns_transaction_retry() and use it everywhereLennart Poettering
The code to retry transactions has been used over and over again, simplify it by replacing it by a new function.
2016-01-11resolved: set a description on all our event sourcesLennart Poettering
2016-01-11resolved: fix error propagationLennart Poettering
2016-01-11shared: make sure foo.bar and foobar result in different domain name hashesLennart Poettering
This also introduces a new macro siphash24_compress_byte() which is useful to add a single byte into the hash stream, and ports one user over to it.
2016-01-11basic: split hash functions into their own header filesLennart Poettering
The hash operations are not really that specific to hashmaps, hence split them into a .c module of their own.
2016-01-11resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard ↵Lennart Poettering
response This implements RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4: When we receive a response with an RRset generated from a wildcard we need to look for one NSEC/NSEC3 RR that proves that there's no explicit RR around before we accept the wildcard RRset as response. This patch does a couple of things: the validation calls will now identify wildcard signatures for us, and let us know the RRSIG used (so that the RRSIG's signer field let's us know what the wildcard was that generate the entry). Moreover, when iterating trough the RRsets of a response we now employ three phases instead of just two. a) in the first phase we only look for DNSKEYs RRs b) in the second phase we only look for NSEC RRs c) in the third phase we look for all kinds of RRs Phase a) is necessary, since DNSKEYs "unlock" more signatures for us, hence we shouldn't assume a key is missing until all DNSKEY RRs have been processed. Phase b) is necessary since NSECs need to be validated before we can validate wildcard RRs due to the logic explained above. Phase c) validates everything else. This phase also handles RRsets that cannot be fully validated and removes them or lets the transaction fail.
2016-01-11resolved: split up nsec3_hashed_domain() into two callsLennart Poettering
There's now nsec3_hashed_domain_format() and nsec3_hashed_domain_make(). The former takes a hash value and formats it as domain, the latter takes a domain name, hashes it and then invokes nsec3_hashed_domain_format(). This way we can reuse more code, as the formatting logic can be unified between this call and another place.
2016-01-11resolved: drop flags unused parameter from nsec3_is_goodLennart Poettering
2016-01-11resolved: when validating, first strip revoked trust anchor keys from ↵Lennart Poettering
validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-11shared: simplify dns_name_hash_func() end of name detectionLennart Poettering
2016-01-11resolved: make sure domain name hash function deals nicely with NUL embedded ↵Lennart Poettering
in labels
2016-01-11basic: introduce generic ascii_strlower_n() call and make use of it everywhereLennart Poettering
2016-01-11resolved: rework trust anchor revoke checkingLennart Poettering
Instead of first iterating through all DNSKEYs in the DnsAnswer in dns_transaction_check_revoked_trust_anchors(), and then doing that a second time in dns_trust_anchor_check_revoked(), do so only once in the former, and pass the dnskey we found directly to the latter.
2016-01-11resolved: look for revoked trust anchors before validating a messageLennart Poettering
There's not reason to wait for checking for revoked trust anchors until after validation, after all revoked DNSKEYs only need to be self-signed, but not have a full trust chain. This way, we can be sure that all trust anchor lookups we do during validation already honour that some keys might have been revoked.
2016-01-11resolved: use dns_answer_size() where appropriate to handle NULL DnsAnswerLennart Poettering
2016-01-11resolved: remove one level of indentation in dns_transaction_validate_dnssec()Lennart Poettering
Invert an "if" check, so that we can use "continue" rather than another code block indentation.
2016-01-11resolved: be less strict where the OPT pseudo-RR is placedLennart Poettering
This increases compatibility with crappy Belkin routers.
2016-01-11resolved: rename suffix_rr → zone_rrLennart Poettering
The domain name for this NSEC3 RR was originally stored in a variable called "suffix", which was then renamed to "zone" in d1511b3338f431de3c95a50a9c1aca297e0c0734. Hence also rename the RR variable accordingly.
2016-01-11resolved: fix NSEC3 iterations limit to what RFC5155 suggestsLennart Poettering
2016-01-11Merge pull request #2262 from pohly/smack-networkLennart Poettering
smack: Handling network
2016-01-11Merge pull request #2294 from zonque/in_setLennart Poettering
macro.h: improve IN_SET helper macro
2016-01-11macro.h: provide a switch-case statement generator for IN_SETDaniel Mack
Rather than walking a list of valid values one-by-one, generate a switch-case statement for the IN_SET() macro. This allows the compiler to further optimize its code output, possibly by generating jump tables. This effectively decreases the binary size slightly. The implementation is based on macro overloading depending on the number of arguments. h/t to the following post: https://stackoverflow.com/questions/11761703/overloading-macro-on-number-of-arguments
2016-01-11smack: Handling networkCasey Schaufler
- Set Smack ambient to match run label - Set Smack netlabel host rules Set Smack ambient to match run label ------------------------------------ Set the Smack networking ambient label to match the run label of systemd. System services may expect to communicate with external services over IP. Setting the ambient label assigns that label to IP packets that do not include CIPSO headers. This allows systemd and the services it spawns access to unlabeled IP packets, and hence external services. A system may choose to restrict network access to particular services later in the startup process. This is easily done by resetting the ambient label elsewhere. Set Smack netlabel host rules ----------------------------- If SMACK_RUN_LABEL is defined set all other hosts to be single label hosts at the specified label. Set the loopback address to be a CIPSO host. If any netlabel host rules are defined in /etc/smack/netlabel.d install them into the smackfs netlabel interface. [Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf] [Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"] [Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"] [Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
2016-01-10tree-wide: unify argument lists of IN_SET()Daniel Mack
The new implementation will not allow passing the same values more than once, so clean up first.
2016-01-10sd-netlink: fix assertDaniel Mack
nl->fd can be 0.
2016-01-08Merge pull request #2287 from dandedrick/journal-gatewayd-timeout-fixDaniel Mack
journal-gatewayd: timeout journal wait to allow thread cleanup
2016-01-07Merge pull request #2285 from evverx/fix-test-resolveDaniel Mack
tests: test-resolve: wait until all queries are completed
2016-01-07Merge pull request #2284 from teg/resolved-cname-2Lennart Poettering
resolved: query_process_cname - make fully recursive
2016-01-07tests: test-resolve: wait until all queries are completedEvgeny Vereshchagin
This is a follow-up for 4a134c4903dbf6ef6c6a Fixes: $ ./test-resolve 209.132.183.105:80 209.132.183.105:80 canonical name: n/a 193.99.144.85:0 [2a02:2e0:3fe:1001:7777:772e:2:85]:0 canonical name: www.heise.de Host: web.heise.de -- Serv: http $ ./test-resolve 193.99.144.85:0 [2a02:2e0:3fe:1001:7777:772e:2:85]:0 canonical name: www.heise.de Host: web.heise.de -- Serv: http $ ./test-resolve ...
2016-01-07Merge pull request #2276 from poettering/dnssec12Tom Gundersen
Twelfth DNSSEC PR
2016-01-07resolved: query_process_cname - make fully recursiveTom Gundersen
This ensures we properly resolve the CNAME chain as far as we can, rather than only CNAME chains of length one.
2016-01-06update DNSSEC TODOLennart Poettering
2016-01-06resolved: introduce support for per-interface negative trust anchorsLennart Poettering
2016-01-06nspawn: fix two typos in error messagesDaniel Mack
On errors, mention the functions that really failed.
2016-01-06Merge pull request #2137 from fbuihuu/fstab-gen-fix-device-timeoutDaniel Mack
Fstab gen fix device timeout
2016-01-06Merge pull request #2261 from evverx/fix-test-rlimit-utilDaniel Mack
tests: don't change hard limit in test-rlimit-util
2016-01-06Merge pull request #2273 from evverx/fix-possible-lost-in-test-bus-cleanupDaniel Mack
tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanup
2016-01-06resolved: when dumping the NTA database, sort outputLennart Poettering
Now that we populate the trust database by default with a larger number of entires, we better make sure to output a more readable version.
2016-01-06resolved: populate negative trust anchor by defaultLennart Poettering
Let's increase compatibility with many private domains by default, and ship a default NTA list of wel-known private domains, where it is unlikely they will be deployed as official TLD anytime soon.
2016-01-06resolved: log all OOM errorsLennart Poettering
2016-01-06resolved: reuse dns_trust_anchor_knows_domain() at another locationLennart Poettering
2016-01-06resolved: count unsupported dnssec algorithm as indeterminate RRsetLennart Poettering
After all, when we don't support the algorithm we cannot determine validity.
2016-01-05resolved: try to detect fritz.box-style private DNS zones, and downgrade to ↵Lennart Poettering
non-DNSSEC mode for them This adds logic to detect cases like the Fritz!Box routers which serve a private DNS domain "fritz.box" under the TLD "box" that does not exist in the root servers. If this is detected DNSSEC validation is turned off for this private domain, thus improving compatibility with such private DNS zones. This should be fairly secure as we first rely on the proof that .box does not exist before this logic is applied. Nevertheless the logic is only enabled for DNSSEC=allow-downgrade mode. This logic does not work for routers that set up a full DNS zone directly under a non-existing TLD, as in that case we cannot prove that the domain is truly non-existing according to the root servers.
2016-01-05resolved: when dumping trust anchor contents, clarify when it is emptyLennart Poettering