From 46c7a7ac874fd97e28d8d7e0be15f2bf15b2a430 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Fri, 16 Sep 2016 10:57:06 +0200
Subject: nss-resolve: simplify error handling
Handle general errors from the resolved call in _nss_resolve_gethostbyaddr2_r() the same say as in the other variants: Just "goto fail" as that does exactly the same.
---
 src/nss-resolve/nss-resolve.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'src/nss-resolve/nss-resolve.c')
diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c
index 5ce10f1cbd..5db83e5d0e 100644
--- a/src/nss-resolve/nss-resolve.c
+++ b/src/nss-resolve/nss-resolve.c
@@ -558,9 +558,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
 goto fallback;
- *errnop = -r;
- *h_errnop = NO_RECOVERY;
- return NSS_STATUS_UNAVAIL;
+ goto fail;
 }
 r = sd_bus_message_enter_container(reply, 'a', "(is)");
-- cgit v1.2.3-54-g00ecf
From d7247512a904f1dd74125859d8da66166c2a6933 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Fri, 16 Sep 2016 08:27:39 +0200
Subject: nss-resolve: return NOTFOUND instead of UNAVAIL on resolution errors
It needs to be possible to tell apart "the nss-resolve module does not exist" (which can happen when running foreign-architecture programs) from "the queried DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these cases too, and only keep UNAVAIL for the cases where we cannot handle the given address family. This makes it possible to configure a fallback to "dns" without breaking DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage. This does not change behaviour if resolved is not running, as that already falls back to the "dns" glibc module. Fixes #4157
---
 man/nss-resolve.xml | 4 +++-
 src/nss-resolve/nss-resolve.c | 9 ++++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
(limited to 'src/nss-resolve/nss-resolve.c')
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index 33f1f28a8c..d66e8ba521 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -85,7 +85,7 @@ group: compat mymachines systemd
 shadow: compat
-hosts: files mymachines resolve
+hosts: files mymachines resolve [!UNAVAIL=return] dns
 networks: files
 protocols: db files
@@ -95,6 +95,8 @@ rpc: db files
 netgroup: nis
+ This keeps the dns module as a fallback for cases where the nss-resolve
+ module is not installed.
diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c
index 5db83e5d0e..eea91e3e88 100644
--- a/src/nss-resolve/nss-resolve.c
+++ b/src/nss-resolve/nss-resolve.c
@@ -279,9 +279,12 @@ fallback:
 }
 fail:
+ /* When we arrive here, resolved runs and has answered (fallback to
+ * "dns" is handled earlier). So we have a definitive "no" answer and
+ * should not fall back to subsequent NSS modules via "UNAVAIL". */
 *errnop = -r;
 *h_errnop = NO_RECOVERY;
- return NSS_STATUS_UNAVAIL;
+ return NSS_STATUS_NOTFOUND;
 }
 enum nss_status _nss_resolve_gethostbyname3_r(
@@ -476,7 +479,7 @@ fallback:
 fail:
 *errnop = -r;
 *h_errnop = NO_RECOVERY;
- return NSS_STATUS_UNAVAIL;
+ return NSS_STATUS_NOTFOUND;
 }
 enum nss_status _nss_resolve_gethostbyaddr2_r(
@@ -666,7 +669,7 @@ fallback:
 fail:
 *errnop = -r;
 *h_errnop = NO_RECOVERY;
- return NSS_STATUS_UNAVAIL;
+ return NSS_STATUS_NOTFOUND;
 }
 NSS_GETHOSTBYNAME_FALLBACKS(resolve);
-- cgit v1.2.3-54-g00ecf
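Review bot: The three `fail:` labels (hunks at -279, -476 and -666) now return `NSS_STATUS_NOTFOUND` while still setting `*h_errnop = NO_RECOVERY` and `*errnop = -r`, so a caller receives a not-found status paired with a non-recoverable-failure h_errno; it is worth deciding whether genuine negative answers should carry `HOST_NOT_FOUND` and only validation or transport failures keep `NO_RECOVERY`. The new comment states that the label is reached only after resolved has answered, but the `goto fail` sites lie outside these hunks, so please confirm that purely local errors (allocation, bus connection, reply parsing) do not land here too, because with `resolve [!UNAVAIL=return] dns` they would now end the lookup instead of falling through. The rationale comment is added only at the first `fail:`; the other two deserve the same note, for example `/* definitive answer from resolved: UNAVAIL here would let a later "dns" module answer a name that failed DNSSEC validation */`.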