| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This does some refactoring: the dns_query_process_cname() function
becomes two: dns_query_process_cname_one() and
dns_query_process_cname_many(). The former will process exactly one
CNAME chain element, the latter will follow a chain for as long as
possible within the current packet.
dns_query_process_cname_many() is mostly identical to the old
dns_query_process_cname(), and all existing code is moved over to using
that.
This is mostly preparation for the next commit, where we make direct use
of dns_query_process_cname_one().
This also renames the DNS_QUERY_RESTARTED return value to
DNS_QUERY_CNAME. That's because in the dns_query_process_cname_many()
case as before if we return this we restarted the query in case we
reached the end of the chain without a conclusive answer, as before. But
in dns_query_process_cname_one() we'll only go one step anyway, and
leave restarting if needed to the caller. Hence DNS_QUERY_RESTARTED is a
bit of a misnomer in that case.
This also gets rid of the weird tail recursion in
dns_query_process_cname() and replaces it with an explicit loop in
dns_query_process_cname_many(). The old recursion wasn't a security
issue since we put a limit on the number of CNAMEs we follow anyway, but
it's still icky to scale stack use by that.
|
| |
|
|
|
|
|
|
|
| |
Let's make things more debuggable: when debug logging is on, let's
say which client is asking for our services.
This is helpful for easily figuring out which local process might
interfere with your debugging sessions by issuing additional requests
while you try to debug a request (I am looking at you, geoclue!).
|
| |
|
|
|
| |
This is extremely useful when debugging stuff: knowing whether a result
was cached, came from network, or was synthesized.
|
| |
|
|
|
|
|
|
| |
Let's introduce a new flag that indicates whether the response was
acquired in "confidential" mode, i.e. via encrypted DNS-over-TLS, or
synthesized locally.
Fixes: #12859
|
| |
|
|
|
|
|
|
|
| |
A previous commit made sure that when one of our own packets is looped
back to us, we ignore it. But let's go one step further, and refuse
operation if we notice the server we talk to is our own. This way we
won't generate unnecessary traffic and can return a cleaner error.
Fixes: #17413
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This substantially beefs up the local DNS stub feature set in order to
allow local clients to do DNSSEC validation through the stub.
Previously we'd return NOTIMP if we'd get a DO or DO+CD lookup. With
this change we'll instead:
1. If we get DO+CD requests (i.e. DNSSEC with no local checking) we'll
proxy DNS queries and response mostly unmodified to/from upstream DNS
servers if possible (this is called "bypass" mode). We will patch in
new request IDs, (and patch them back out on reply), so that we can
sanely keep track of things. We'll also maintain a minimal local
cache for such lookups, always keeping the whole DNS packets in it
(if we reply from cache we'll patch the TTLs of all included RRs).
2. If we get DO requests without CD (i.e. DNSSEC with local checking)
we'll resolve and validate locally. In this mode we will not proxy
packets, but generate our own. We will however cache the combination
of answer RRs (along with their packet section assignments) we got
back in the cache, and use this information to generate reply packets
from the DNS stub.
In both cases: if we determine a lookup is to be answered from LLMNR or
mDNS we'll always revert to non-DNSSEC, non-proxy operation as before.
Answers will lack the DO bit then, since the data cannot be validated
via DNSSEC by the clients.
To make this logic more debuggable, this also adds query flags for
turning off RR sources. i.e. cache/network/zone/trust anchor/local
synthesis may now be disabled individually for each lookup.
The cache is substantially updated to make all this work: in addition to
caching simple RRs for lookup RR keys, we'll now cache the whole packets
and the whole combination of RRs, so that we can answer DO and DO+CD
replies sensibly according to the rules described above. This sounds
wasteful, but given that the
DnsResourceRecord/DnsResourceKey/DnsAnswer/DnsPacket
objects are all ref-counted and we try to merge references the actual
additional memory used should be limited (but this might be something to
optimize further later on).
To implement classic RR key lookups and new-style packet proxy lookups
(i.e. the ones necessary for DO+CD packet proxying, as described above)
DnsTransaction and DnsQuery objects now always maintain either a
DnsResourceKey/DnsQuestion as lookup key or a DnsPacket for "bypass"
mode.
Fixes: #4621 #17218
|
| | |
|
| |
|
|
|
|
| |
GetMulticastHosts() returns an array of hostnames/addresses discovered via
LLMNR or Multicast DNS. It does not trigger any discovery on its own.
Instead, it simply returns whatever is already in resolved's cache.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
DNSSEC validation takes the system clock into account to validate
signatures. This means if we had incorrect time and the time is then
changed to the correct one we should flush out everything and
re-validate taking the new time into account.
(This logic will also trigger after system suspend, which is not bad
either, given that quite possibly we are connected to a different
network, and thus would get different DNS data, without us noticing
otherwise via link beat).
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 34136e1503cf60852051adbd8b9a002d6282b750.
Having the "%H" host name specifier in a DNSSD service name template
triggers a failed assertion during name template instantiation as
specifier_dnssd_host_name expects DnssdService in its userdata
pointer but finds NULL instead.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It can be one of "foreign", "missing", "stub", "static", "uplink",
depending on how /etc/resolv.conf is set up:
foreign → someone/something else manages /etc/resolv.conf,
systemd-resolved is just the consumer
missing → /etc/resolv.conf is missing altogether
stub/static/uplink → the file is managed by resolved, with the
well-known modes
Fixes: #17159
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Let's turn off the search domain logic if a trailing dot is specified
when looking up hostnames and RRs via the Varlink + D-Bus APIs (and thus
also when doing so via nss-resolve). (This doesn't affect lookups via
the stub, since for the any search path logic is done client side
anyway)
It might make sense to force the DNS protocol in this case too (and
disable LLMR + mDNS), but we'll leave that for a different PR — if it
even makes sense. It might also make sense to disable the logic of never
routing single-label lookups to the Internet if a trailing to is
specified, but this needs more discussion too.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
It's strictly bus-specific, hence let's move this to resolved-bus.c like
the rest of the bus specific logic.
This is also in preparation for adding an alternative varlink transport,
which needs similar functionality, but varlink instead of bus-specific.
|
| |
|
|
|
|
| |
Let's prepare for adding a new varlink interface, and thus rename the
"request" field to "bus_request", so that we can later add a
varlink_request field too.
|
| |
|
|
| |
It's unused since 90bdc8be66765df09bbc355783cee7204a5ebb31.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
No code changes, just some refactoring.
|
| |
|
|
| |
The "a" got dropped in eff7c2d3c905dec9ea4e1d5e53a0efd6af7d3d26.
|
| |\ |
|
| | | |
|
| |/
|
|
|
| |
SD_BUS_NAMES_WITH_ARGS is a less error-prone way of specifying D-Bus
method arguments.
|
| |\
| |
| | |
A few more dbus api documentation updates
|
| | |
| |
| |
| |
| |
| |
| |
| | |
It's not that I think that "hostname" is vastly superior to "host name". Quite
the opposite — the difference is small, and in some context the two-word version
does fit better. But in the tree, there are ~200 occurrences of the first, and
>1600 of the other, and consistent spelling is more important than any particular
spelling choice.
|
| |/
|
|
|
| |
The property was just added, let's replace it again. Given that it was
never released this should not be an API breakage.
|
| |
|
|
|
|
|
| |
This is useful to raise the log level for a single transaction or a few,
without affecting other state of the resolved as a restart would.
The log level can only be set, I didn't bother with having the ability
to restore the original as in pid1.
|
| | |
|
| |
|
|
|
|
| |
It's enough, complex stuff to warrant its own source file.
No other changes, just splitting out.
|
| |
|
|
|
|
|
|
|
| |
In subsequent commits, calls to if_nametoindex() will be replaced by a wrapper
that falls back to alternative name resolution over netlink. netlink support
requires libsystemd (for sd-netlink), and we don't want to add any functions
that require netlink in basic/. So stuff that calls if_nametoindex() for user
supplied interface names, and everything that depends on that, needs to be
moved.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Notifications are only sent for the top object, and not for individual
links. This should be enough for the most obvious cases where somebody
just cares about the effective set of servers.
Fixes #13721.
|
| | |
|
| |
|
|
| |
While at it, constify the argument.
|
| |
|
|
| |
That's what we do everywhere else because it leads to nicer user experience.
|
| |
|
|
|
|
|
|
|
| |
This matches what is done in networkd very closely. In fact even the
policy descriptions are all identical (with s/network/resolve), except
for the last one:
resolved has org.freedesktop.resolve1.revert while
networkd has org.freedesktop.network1.revert-ntp and
org.freedesktop.network1.revert-dns so the description is a bit different.
|
| |
|
|
| |
Just some source rearranging.
|
| | |
|
| |\
| |
| | |
Forbid dashes in hostnames and /etc/fstab parsing improvements
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://tools.ietf.org/html/rfc1035#section-2.3.1 says (approximately)
that only letters, numbers, and non-leading non-trailing dashes are allowed
(for entries with A/AAAA records). We set no restrictions.
hosts(5) says:
> Host names may contain only alphanumeric characters, minus signs ("-"), and
> periods ("."). They must begin with an alphabetic character and end with an
> alphanumeric character.
nss-files follows those rules, and will ignore names in /etc/hosts that do not
follow this rule.
Let's follow the documented rules for /etc/hosts. In particular, this makes us
consitent with nss-files, reducing surprises for the user.
I'm pretty sure we should apply stricter filtering to names received over DNS
and LLMNR and MDNS, but it's a bigger project, because the rules differ
depepending on which level the label appears (rules for top-level names are
stricter), and this patch takes the minimalistic approach and only changes
behaviour for /etc/hosts.
Escape syntax is also disallowed in /etc/hosts, even if the resulting character
would be allowed. Other tools that parse /etc/hosts do not support this, and
there is no need to use it because no allowed characters benefit from escaping.
|
| |/ |
|
| |
|
|
|
| |
This reverts commit 0187368cadea183e18c6d575a9d6b7f491a402af.
(systemd.conf.m4 part was already reverted in 5b5d82615011b9827466b7cd5756da35627a1608.)
|
| | |
|
