path: root/src
Age | Commit message | Author
2015-12-28 | resolved: update DNSSEC TODO | Lennart Poettering
2015-12-28 | resolved: also use RRSIG expiry for negative caching | Lennart Poettering
This makes sure that we also honour the RRSIG expiry for negative caching.
2015-12-28 | resolved: use RRSIG expiry and original TTL for cache management | Lennart Poettering
When we verified a signature, fix up the RR's TTL to the original TTL mentioned in the signature, and store the signature expiry information in the RR, too. Then, use that when adding RRs to the cache.
2015-12-28 | resolved: clean up dns_transaction_stop() | Lennart Poettering
This renames dns_transaction_stop() to dns_transaction_stop_timeout() and makes it only about stopping the transaction timeout. This is safe, as in most occasions we call dns_transaction_stop() at the same time as dns_transaction_close_connection() anyway, which does the rest of what dns_transaction_stop() used to do. And in the one where we don't call it, it's implicitly called by the UDP emission or TCP connection code. This also closes the connections as we enter the validation phase of a transaction, so that no further messages may be received then.
2015-12-28 | resolved: only keep a single list of supported signature algorithms | Lennart Poettering
This removes dnssec_algorithm_supported() and simply uses the algorithm_to_gcrypt() result as indication whether a DNSSEC algorithm is supported. The patch also renames "algorithm" to "md_algorithm", in a few cases, in order to avoid confusion between DNSSEC signature algorithms and gcrypt message digest algorithms.
2015-12-28 | resolve-host: log RR parsing errors | Lennart Poettering
2015-12-28 | resolved: add ECDSA signature support | Lennart Poettering
2015-12-28 | shared: relax restrictions on valid domain name characters a bit | Lennart Poettering
Previously, we'd not allow control characters to be embedded in domain names, even when escaped. Since Cloudflare uses \000 however to implement its synthetic minimally covering NSEC RRs, we should allow them, as long as they are properly escaped.
2015-12-28 | resolved: split out RSA-specific code from dnssec_verify_rrset() | Lennart Poettering
In preparation for ECDSA support.
2015-12-28 | resolved: simplify MD algorithm initialization a bit | Lennart Poettering
2015-12-28 | resolved: add SHA384 digest support | Lennart Poettering
2015-12-27 | Merge pull request #2225 from poettering/dnssec7 | Tom Gundersen
Seventh DNSSEC patchset
2015-12-27 | resolved: rename "features" variables to "feature_level" | Lennart Poettering
The name "features" suggests an orthogonal bitmap or suchlike, but the variables really encode only a linear set of feature levels. The type used is already called DnsServerFeatureLevel, hence fix up the variables accordingly, too.
2015-12-27 | resolved: rework OPT RR generation logic | Lennart Poettering
This moves management of the OPT RR out of the scope management and into the server and packet management. There are now explicit calls for appending and truncating the OPT RR from a packet (dns_packet_append_opt() and dns_packet_truncate_opt()) as well as a call to do the right thing depending on a DnsServer's feature level (dns_server_adjust_opt()). This also unifies the code to pick a server between the TCP and UDP code paths, and makes sure the feature level used for the transaction is selected at the time the server is picked, and not changed until the next time we pick a server. The server selection code is now unified in dns_transaction_pick_server(). This all fixes problems when changing between UDP and TCP communication for the same server, and makes sure the UDP and TCP codepaths are more alike. It also makes sure we never keep the UDP port open when switching to TCP, so that we don't have to handle incoming datagrams on the latter we don't expect. As the new code picks the DNS server at the time we make a connection, we don't need to invalidate the DNS server anymore when changing to the next one, thus dns_transaction_next_dns_server() has been removed.
2015-12-27 | resolved: reuse dns_transaction_stop() when destructing transaction objects | Lennart Poettering
2015-12-27 | resolved: add dns_transaction_close_connection() | Lennart Poettering
This new call unifies how we shut down all connection resources, such as UDP sockets, event sources, and TCP stream objects. This patch just adds the basic hook-up, this function will be used more in later commits.
2015-12-27 | resolved: make sure we reset the DNSSEC result when we accept a response packet | Lennart Poettering
2015-12-27 | resolved: improve some log messages a bit | Lennart Poettering
Indicate that we ignore invalid messages.
2015-12-27 | resolved: never proceed processing truncated packets | Lennart Poettering
Make sure we don't end up processing packets that are truncated. Instead, actually let the TCP connection do its thing.
2015-12-27 | resolved: remember explicitly whether we already tried a stream connection | Lennart Poettering
On LLMNR we never want to retry stream connections (since local TCP connections should work, and we don't want to unnecessarily delay operation); hence, explicitly remember whether we already tried one, instead of deriving this from a still stored stream object. This way, we can free the stream early, without forgetting that we tried it.
2015-12-27 | resolved: make sure we GC stream transactions properly | Lennart Poettering
Make sure to GC a transaction after dealing with a reply, even if the transaction is not complete yet.
2015-12-27 | resolved: ignore additional DNS responses we get while validating | Lennart Poettering
No need to choke on them.
2015-12-27 | resolved: introduce dns_transaction_reset_answer() | Lennart Poettering
Let's unify how we reset the answer data we collected; after all, pretty much every time we do it incompletely so far. Let's fix it.
2015-12-27 | shared: fix handling of suffix "." in dns_name_compare_func() | Lennart Poettering
All our other domain name handling functions make no distinction between domain names that end in a dot plus a NUL, or those just ending in a NUL. Make sure dns_name_compare_func() and dns_label_unescape_suffix() do the same.
2015-12-26 | shared: fix error propagation in dns_name_compare_func() | Lennart Poettering
2015-12-26 | resolved: don't unnecessarily allocate memory in dns_packet_append_name() | Lennart Poettering
When compression support is off, there's no point in duplicating the name string. Hence, don't do it.
2015-12-26 | resolved: name TCP and UDP socket calls uniformly | Lennart Poettering
Previously the calls for emitting DNS UDP packets were just called dns_{transaction|scope}_emit(), but the one to establish a DNS TCP connection was called dns_transaction_open_tcp(). Clean this up, and rename them dns_{transaction|scope}_emit_udp() and dns_transaction_open_tcp().
2015-12-26 | resolved: add an automatic downgrade to non-DNSSEC mode | Lennart Poettering
This adds a mode that makes resolved automatically downgrade from DNSSEC support to classic non-DNSSEC resolving if the configured DNS server is not capable of DNSSEC. Enabling this mode increases compatibility with crappy network equipment, but of course opens up the system to downgrading attacks. The new mode can be enabled by setting DNSSEC=downgrade-ok in resolved.conf. DNSSEC=yes otoh remains a "strict" mode, where DNS resolving rather fails than allows downgrading.

Downgrading is done:
- when the server does not support EDNS0+DO
- or when the server supports it but does not augment returned RRs with RRSIGs. The latter is detected when requesting DS or SOA RRs for the root domain (which is necessary to do proofs for unsigned data).
2015-12-26 | resolved: no need to store return value of dns_server_possible_features() | Lennart Poettering
The call already updates possible_features, it's pointless doing this in the caller a second time.
2015-12-26 | resolved: don't set TCP_NODELAY twice for TCP sockets | Lennart Poettering
We previously set it once in the scope code and once in the stream code. Remove it from the latter, as all other socket options are set in the former.
2015-12-26 | resolved: generate an explicit transaction error when we cannot reach server via TCP | Lennart Poettering
Previously, if we couldn't reach a server via UDP we'd generate a MAX_ATTEMPTS transaction result, but if we couldn't reach it via TCP we'd generate a RESOURCES transaction result. While it is OK to generate two different errors I think, "RESOURCES" is certainly a misnomer. Introduce a new transaction result "CONNECTION_FAILURE" instead.
2015-12-26 | resolved: deal with unsigned DS/NSEC/NSEC3 properly | Lennart Poettering
Previously, we'd insist on an RRSIG for all DS/NSEC/NSEC3 RRs. With this change we don't do that anymore, but also allow unsigned DS/NSEC/NSEC3 if we can prove that the zone they are located in is unsigned.
2015-12-26 | resolved: log each dnssec failure, in a recognizable way | Lennart Poettering
2015-12-26 | resolved: gather statistics about resolved names | Lennart Poettering
This collects statistical data about transactions, dnssec verifications and the cache, and exposes it over the bus. The systemd-resolve-host tool learns new options to query these statistics and reset them.
2015-12-26 | resolved: if we accepted unauthenticated NSEC/NSEC3 RRs, use them for proofs | Lennart Poettering
But keep track that the proof is not authenticated.
2015-12-26 | resolved: don't insist on finding DNSKEYs for RRsets of zones with DNSSEC off | Lennart Poettering
2015-12-26 | resolved: be stricter when searching for a DS RR for a DNSKEY RR | Lennart Poettering
2015-12-26 | resolved: make use of dns_type_may_redirect() where possible | Lennart Poettering
2015-12-26 | update DNSSEC TODO | Lennart Poettering
2015-12-26 | resolved: tighten search for NSEC3 RRs a bit | Lennart Poettering
Be stricter when searching suitable NSEC3 RRs for proof: generalize the check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add additional checks, such as checking whether all NSEC3 RRs use the same parameters, have the same suffix and so on.
2015-12-26 | resolved: when doing NSEC3 proof, first find right NSEC3 suffix | Lennart Poettering
When doing an NSEC3 proof, before determining whether a name is the closest encloser we first need to figure out the longest common suffix we have with any NSEC3 RR in the reply.
2015-12-26 | resolved: properly implement RRSIG validation of wildcarded RRsets | Lennart Poettering
Note that this is still not complete, one additional step is still missing: when we verified that a wildcard RRset is properly signed, we still need to do an NSEC/NSEC3 proof that no more specific RRset exists.
2015-12-26 | resolved: never use data from failed transactions | Lennart Poettering
Otherwise if we have an A lookup that failed DNSSEC validation, but an AAAA lookup that succeeded, we might end up using the A data, but we really should not.
2015-12-26 | resolved: don't choke on NSEC/NSEC3 RRs with no bitmap | Lennart Poettering
This might happen in some cases (empty non-terminals...) and we should not choke on it.
2015-12-26 | bitmap: don't do bitwise XOR on booleans | Lennart Poettering
It's weird doing bitwise operations on booleans. Let's use the boolean XOR (i.e. "!=") instead of the bitwise XOR (i.e. "^") on them.
2015-12-26 | util-lib: make sure more bitmap calls can deal with NULL objects fine | Lennart Poettering
2015-12-26 | resolved: internalize string buffer of dns_resource_record_to_string() | Lennart Poettering
Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-26 | resolved: when matching SOA RRs, don't eat up errors | Lennart Poettering
2015-12-26 | resolved: when matching SOA RRs, honour RR class | Lennart Poettering
2015-12-26 | resolved: when looking for a SOA RR in a reply, pick the right one | Lennart Poettering
If there are multiple SOA RRs, and we look for a suitable one covering our request, then make sure to pick the one that is furthest away from the root name, not just the first one we encounter.