From 413b05ccac40a9d53d278a3a17061286ea44e26d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 24 Oct 2016 18:49:27 +0200
Subject: resolved: properly check for the root domain

Fix-up for #4164
---
 src/resolve/resolved-dns-server.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 7282848e35..22c64e8491 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -575,8 +575,7 @@ void dns_server_warn_downgrade(DnsServer *server) {
         server->warned_downgrade = true;
 }
 
-bool dns_server_limited_domains(DnsServer *server)
-{
+bool dns_server_limited_domains(DnsServer *server) {
         DnsSearchDomain *domain;
         bool domain_restricted = false;
 
@@ -589,7 +588,7 @@ bool dns_server_limited_domains(DnsServer *server)
                 if (domain->route_only) {
                         domain_restricted = true;
                         /* ~. means "any domain", thus it is a global server */
-                        if (streq(DNS_SEARCH_DOMAIN_NAME(domain), "."))
+                        if (dns_name_is_root(DNS_SEARCH_DOMAIN_NAME(domain)))
                                 return false;
                 }
 
-- 
cgit v1.2.3-54-g00ecf


From 344874fcd0a3fc1f9bc6cdf34ecaf537c10a3ad3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 24 Oct 2016 18:50:43 +0200
Subject: nss-resolve: be a bit more careful with returning NSS_STATUS_NOTFOUND

Let's tighten the cases when our module returns NSS_STATUS_NOTFOUND. Let's do
so only if we actually managed to talk to resolved. In all other cases stick to
NSS_STATUS_UNAVAIL as before, as it clearly indicates that our module or the
system is borked, and the "dns" fallback should really take place.

In particular this fixes the 2nd-level fallback from our own dlopen() based
fallback handling. In this case we really should return UNAVAIL so that the
caller can apply its own fallback still.

Fix-up for d7247512a904f1dd74125859d8da66166c2a6933.

Note that our own dlopen() based fallback is pretty much redundant now if
nsswitch.conf is configured like this:

   hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

In a future release we should probably drop our internal fallback then, in
favour of this nsswitch.conf-based one.
---
 src/nss-resolve/nss-resolve.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c
index eea91e3e88..d46a3afe91 100644
--- a/src/nss-resolve/nss-resolve.c
+++ b/src/nss-resolve/nss-resolve.c
@@ -121,6 +121,7 @@ enum nss_status _nss_resolve_gethostbyname4_r(
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
         struct gaih_addrtuple *r_tuple, *r_tuple_first = NULL;
         _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
+        enum nss_status ret = NSS_STATUS_UNAVAIL;
         const char *canonical = NULL;
         size_t l, ms, idx;
         char *r_name;
@@ -167,6 +168,10 @@ enum nss_status _nss_resolve_gethostbyname4_r(
                 if (bus_error_shall_fallback(&error))
                         goto fallback;
 
+                /* Treat all other error conditions as NOTFOUND, and fail. This includes DNSSEC errors and
+                   suchlike. (We don't use UNAVAIL in this case so that the nsswitch.conf configuration can distuingish
+                   such executed but negative replies from complete failure to talk to resolved. */
+                ret = NSS_STATUS_NOTFOUND;
                 goto fail;
         }
 
@@ -279,12 +284,9 @@ fallback:
         }
 
 fail:
-        /* When we arrive here, resolved runs and has answered (fallback to
-         * "dns" is handled earlier). So we have a definitive "no" answer and
-         * should not fall back to subsequent NSS modules via "UNAVAIL". */
         *errnop = -r;
         *h_errnop = NO_RECOVERY;
-        return NSS_STATUS_NOTFOUND;
+        return ret;
 }
 
 enum nss_status _nss_resolve_gethostbyname3_r(
@@ -300,6 +302,7 @@ enum nss_status _nss_resolve_gethostbyname3_r(
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
         char *r_name, *r_aliases, *r_addr, *r_addr_list;
         _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
+        enum nss_status ret = NSS_STATUS_UNAVAIL;
         size_t l, idx, ms, alen;
         const char *canonical;
         int c, r, i = 0;
@@ -353,6 +356,7 @@ enum nss_status _nss_resolve_gethostbyname3_r(
                 if (bus_error_shall_fallback(&error))
                         goto fallback;
 
+                ret = NSS_STATUS_NOTFOUND;
                 goto fail;
         }
 
@@ -479,7 +483,7 @@ fallback:
 fail:
         *errnop = -r;
         *h_errnop = NO_RECOVERY;
-        return NSS_STATUS_NOTFOUND;
+        return ret;
 }
 
 enum nss_status _nss_resolve_gethostbyaddr2_r(
@@ -494,6 +498,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
         _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
         char *r_name, *r_aliases, *r_addr, *r_addr_list;
         _cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
+        enum nss_status ret = NSS_STATUS_UNAVAIL;
         unsigned c = 0, i = 0;
         size_t ms = 0, idx;
         const char *n;
@@ -560,7 +565,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
                 if (bus_error_shall_fallback(&error))
                         goto fallback;
 
-
+                ret = NSS_STATUS_NOTFOUND;
                 goto fail;
         }
 
@@ -669,7 +674,7 @@ fallback:
 fail:
         *errnop = -r;
         *h_errnop = NO_RECOVERY;
-        return NSS_STATUS_NOTFOUND;
+        return ret;
 }
 
 NSS_GETHOSTBYNAME_FALLBACKS(resolve);
-- 
cgit v1.2.3-54-g00ecf