diff options
author | Lennart Poettering <lennart@poettering.net> | 2015-12-25 15:05:46 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2015-12-26 19:09:11 +0100 |
commit | b652d4a2099d1c167584dcc1d179d47c58dc38a2 (patch) | |
tree | 3d597bd8be7cb96040d2d4a2cf8f08a7e685272e /src/resolve/resolved-dns-server.c | |
parent | 0e4fb6b2dedf590741220b806c92e9e68857b457 (diff) | |
download | systemd-b652d4a2099d1c167584dcc1d179d47c58dc38a2.tar.gz |
resolved: add an automatic downgrade to non-DNSSEC mode
This adds a mode that makes resolved automatically downgrade from DNSSEC
support to classic non-DNSSEC resolving if the configured DNS server is
not capable of DNSSEC. Enabling this mode increases compatibility with
crappy network equipment, but of course opens up the system to
downgrading attacks.
The new mode can be enabled by setting DNSSEC=downgrade-ok in
resolved.conf. DNSSEC=yes otoh remains a "strict" mode, where DNS
resolving rather fails then allow downgrading.
Downgrading is done:
- when the server does not support EDNS0+DO
- or when the server supports it but does not augment returned RRs with
RRSIGs. The latter is detected when requesting DS or SOA RRs for the
root domain (which is necessary to do proofs for unsigned data)
Diffstat (limited to 'src/resolve/resolved-dns-server.c')
-rw-r--r-- | src/resolve/resolved-dns-server.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index d565f99c09..b0db5bbb16 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -228,9 +228,11 @@ void dns_server_packet_received(DnsServer *s, DnsServerFeatureLevel features, us assert(s); if (features == DNS_SERVER_FEATURE_LEVEL_LARGE) { - /* even if we successfully receive a reply to a request announcing - support for large packets, that does not mean we can necessarily - receive large packets. */ + /* Even if we successfully receive a reply to a + request announcing support for large packets, that + does not mean we can necessarily receive large + packets. */ + if (s->verified_features < DNS_SERVER_FEATURE_LEVEL_LARGE - 1) { s->verified_features = DNS_SERVER_FEATURE_LEVEL_LARGE - 1; assert_se(sd_event_now(s->manager->event, clock_boottime_or_monotonic(), &s->verified_usec) >= 0); @@ -278,6 +280,17 @@ void dns_server_packet_failed(DnsServer *s, DnsServerFeatureLevel features) { s->n_failed_attempts = (unsigned) -1; } +void dns_server_packet_rrsig_missing(DnsServer *s) { + _cleanup_free_ char *ip = NULL; + assert(s); + assert(s->manager); + + in_addr_to_string(s->family, &s->address, &ip); + log_warning("DNS server %s does not augment replies with RRSIG records, DNSSEC not available.", strna(ip)); + + s->rrsig_missing = true; +} + static bool dns_server_grace_period_expired(DnsServer *s) { usec_t ts; @@ -307,6 +320,7 @@ DnsServerFeatureLevel dns_server_possible_features(DnsServer *s) { s->possible_features = DNS_SERVER_FEATURE_LEVEL_BEST; s->n_failed_attempts = 0; s->verified_usec = 0; + s->rrsig_missing = false; in_addr_to_string(s->family, &s->address, &ip); log_info("Grace period over, resuming full feature set for DNS server %s", strna(ip)); |