path: root/src/resolve/resolved-dns-dnssec.c
Commit message | Author | Age | Files | Lines
* tree-wide: drop NULL sentinel from strjoin (Zbigniew Jędrzejewski-Szmek, 2016-10-23, 1 file changed, -1/+1)
  This makes strjoin and strjoina more similar and avoids the useless final argument.

    spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c)
    git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/'

  This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
* treewide: fix typos and remove accidental repetition of words (Torstein Husebø, 2016-07-11, 1 file changed, -1/+1)
* tree-wide: remove useless NULLs from strjoina (Zbigniew Jędrzejewski-Szmek, 2016-04-13, 1 file changed, -1/+1)
  The coccinelle patch didn't work in some places, I have no idea why.
* Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root (Zbigniew Jędrzejewski-Szmek, 2016-02-16, 1 file changed, -26/+26)
  This fixes formatting of root domain in debug messages:

  Old:
  systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036).

  New:
  systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
* Merge pull request #2589 from keszybz/resolve-tool-2 (Lennart Poettering, 2016-02-13, 1 file changed, -16/+4)
  Better support of OPENPGPKEY, CAA, TLSA packets and tests
  * Move initialize_libgcrypt to separate file (Zbigniew Jędrzejewski-Szmek, 2016-02-11, 1 file changed, -16/+4)
    It's annoying to have the exact same function in three places. It's stored in src/shared, but it's not added to the library to avoid the dependency on libgcrypt.
* Typo fixes (Michael Biebl, 2016-02-12, 1 file changed, -3/+3)
* tree-wide: remove Emacs lines from all files (Daniel Mack, 2016-02-10, 1 file changed, -2/+0)
  This should be handled fine now by .dir-locals.el, so no need to carry that stuff in every file.
* treewide: fix typos and spacing (Torstein Husebø, 2016-02-07, 1 file changed, -1/+1)
* resolved: allow building without libgcrypt (Michael Olbrich, 2016-01-31, 1 file changed, -0/+75)
* resolved: make dnssec_nsec_test_enclosed() static (Michael Olbrich, 2016-01-31, 1 file changed, -1/+1)
  It's not used anywhere else.
* resolved: reorder functions (Michael Olbrich, 2016-01-31, 1 file changed, -62/+62)
  Preparation to make gcrypt optional.
* update TODO (Lennart Poettering, 2016-01-26, 1 file changed, -12/+0)
  This gets rid of the private DNSSEC TODO and moves it into the main TODO dump site, as the DNSSEC implementation is pretty complete now, and the remaining bits are low-priority.
* resolved: don't insist on RRSIG metadata for NSEC3 RRs that have not been authenticated (Lennart Poettering, 2016-01-25, 1 file changed, -3/+4)
  In some cases we get NSEC3 RRs that have not been authenticated (because the chain of trust to the root is somewhere broken). We can use these for checking negative replies, as long as we don't claim they were ultimately authenticated. This means we need to be able to deal with NSEC3 RRs that lack RRSIG metadata.
* update DNSSEC TODO (Lennart Poettering, 2016-01-25, 1 file changed, -3/+0)
* resolved: log each time we increase the DNSSEC verdict counters (Lennart Poettering, 2016-01-25, 1 file changed, -0/+8)
  Also, don't consider RRs that aren't primary to the lookups we do as relevant to the lookups.
* resolve: use different bitmap checking rules when we find an exact NSEC3 match, or just a covering enclosure (Lennart Poettering, 2016-01-25, 1 file changed, -12/+25)
  If we are looking for a DS RR we need to check the NSEC3 bitmap of the parent zone's NSEC3 RR, not the one from the child. For any other RR we need to look at the child's however, hence enforce this with the bitmaps. Note that for covering checks only the lower zone's NSEC3 bitmaps matter, hence the existing check is fine.
* update DNSSEC TODO (Lennart Poettering, 2016-01-18, 1 file changed, -3/+0)
* resolved: rework IDNA logic (Lennart Poettering, 2016-01-18, 1 file changed, -10/+0)
  Move IDNA logic out of the normal domain name processing, and into the bus frontend calls.

  Previously whenever comparing two domain names we'd implicitly do IDNA conversion so that "pöttering.de" and "xn--pttering-n4a.de" would be considered equal. This is problematic not only for DNSSEC, but actually also against the IDNA specs.

  Moreover it creates problems when encoding DNS-SD services in classic DNS. There, the specification suggests using UTF8 encoding for the actual service name, but applying IDNA encoding to the domain suffix.

  With this change IDNA conversion is done only:
  - When the user passes a non-ASCII hostname when resolving a host name using ResolveHostname()
  - When the user passes a non-ASCII domain suffix when resolving a service using ResolveService()

  No IDNA encoding is done anymore:
  - When the user does raw ResolveRecord() RR resolving
  - On the service part of a DNS-SD service name

  Previously, IDNA encoding was done when serializing names into packets, at a point where information whether something is a label that needs IDNA encoding or not was not available, but at a point where it was known whether to generate a classic DNS packet (where IDNA applies), or an mDNS/LLMNR packet (where IDNA does not apply, and UTF8 is used instead for all host names).

  With this change each DnsQuery object will now maintain two copies of the DnsQuestion to ask: one encoded in IDNA for use with classic DNS, and one encoded in UTF8 for use with LLMNR and MulticastDNS.
* resolved: update DNSSEC TODO (Lennart Poettering, 2016-01-17, 1 file changed, -2/+3)
* resolved: update RFCs list and TODO list (Lennart Poettering, 2016-01-17, 1 file changed, -8/+5)
* resolved: complete NSEC non-existence proofs (Lennart Poettering, 2016-01-17, 1 file changed, -68/+161)
  This fills in the last few gaps:
  - When checking if a domain is non-existing, also check that no wildcard for it exists
  - Ensure we don't base "covering" tests on NSEC RRs from a parent zone
  - Refuse to accept expanded wildcard NSEC RRs for absence proofs.
* resolved: make sure the NSEC proof-of-non-existence check also looks for wildcard domains (Lennart Poettering, 2016-01-17, 1 file changed, -11/+64)
* resolved: on negative NODATA replies, properly deal with empty non-terminals (Lennart Poettering, 2016-01-17, 1 file changed, -5/+58)
  Empty non-terminals generally lack NSEC RRs, which means we can deduce their existence only from the fact that there are other RRs that contain them in their suffix. Specifically, the NSEC proof for NODATA on ENTs works by sending the NSEC whose next name is a suffix of the queried name to the client. Use this information properly.
* resolved: rename dnssec_verify_dnskey() → dnssec_verify_dnskey_by_ds() (Lennart Poettering, 2016-01-17, 1 file changed, -3/+3)
  This should clarify that this is not regular signature-based validation, but validation through DS RR fingerprints.
* resolved: be stricter when using NSEC3 (Lennart Poettering, 2016-01-17, 1 file changed, -1/+8)
  We can use signer and synthesizing source information to check that the NSEC3 RRs we want to use are actually reasonable and properly signed.
* resolved: when validating an RRset, store information about the synthesizing source and zone in each RR (Lennart Poettering, 2016-01-17, 1 file changed, -49/+109)
  Having this information available is useful when we need to check whether various RRs are suitable for proofs.

  This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information.

  This also moves validation of a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
* resolved: do not use NSEC RRs from the wrong zone for proofs (Lennart Poettering, 2016-01-17, 1 file changed, -0/+13)
  When proving NODATA DS lookups we need to insist on looking at the parent zone's NSEC RR, not the child zone's. When proving any other NODATA lookups we need to insist on looking at the child zone's NSEC RR, not the parent's.
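Worked example, added here and not code from systemd or from the commits above: the NSEC denial checks that the non-existence-proof, empty-non-terminal and wrong-zone commits describe. It models the zone-of-origin rule through the NSEC type bitmap, as RFC 6840 section 4.4 states it (a delegation NSEC has NS but not SOA; an apex NSEC has SOA), rather than through the signer information the commit uses. The function names, the `(owner, next, types)` tuple used for an NSEC RR and the sample zone in the usage are mine and constructed.

```python
"""NSEC denial-of-existence checks (RFC 4034 s6.1 ordering, RFC 4035 s5.4,
RFC 6840 s4.4). Added example, not systemd code. An NSEC RR is modelled as a
constructed (owner, next, types) tuple: two dotted names and a set of type
mnemonics."""


def labels(name):
    """Lowercased labels of a dotted name; the root gives []."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def canonical_cmp(a, b):
    """-1/0/1 in canonical order: labels compared right to left as bytes,
    and a name that is a proper ancestor of the other sorts first."""
    la, lb = labels(a)[::-1], labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name, ancestor):
    """True if name equals ancestor or lies below it."""
    ln, la = labels(name), labels(ancestor)
    return len(ln) >= len(la) and ln[len(ln) - len(la):] == la


def nsec_usable(nsec, name, qtype):
    """Zone-of-origin rule read off the type bitmap. A delegation NSEC (NS
    set, SOA clear) belongs to the parent: it may prove DS, but nothing else
    at or below the delegation. A zone's apex NSEC (SOA set) cannot prove the
    absence of its own DS, which lives in the parent."""
    owner, _, types = nsec
    delegation = "NS" in types and "SOA" not in types
    if qtype != "DS" and delegation and is_subdomain(name, owner):
        return False
    if qtype == "DS" and "SOA" in types and canonical_cmp(owner, name) == 0:
        return False
    return True


def nsec_covers(nsec, name):
    """True if name sorts strictly between owner and next. The last NSEC of
    a zone points back to the apex and covers everything after its owner."""
    owner, nxt, _ = nsec
    if canonical_cmp(owner, nxt) >= 0:
        return canonical_cmp(owner, name) < 0 and is_subdomain(name, nxt)
    return canonical_cmp(owner, name) < 0 and canonical_cmp(name, nxt) < 0


def nsec_proves_nodata(nsec, qname, qtype):
    owner, nxt, types = nsec
    if not nsec_usable(nsec, qname, qtype):
        return False
    if canonical_cmp(owner, qname) == 0:
        return qtype not in types and "CNAME" not in types
    # Empty non-terminal: it has no NSEC of its own, but an NSEC whose next
    # name lies below qname (and whose owner sorts before it) proves qname
    # exists without any RRs, which is exactly NODATA.
    return (canonical_cmp(owner, qname) < 0 and is_subdomain(nxt, qname)
            and canonical_cmp(nxt, qname) != 0)


def closest_encloser(nsec, qname):
    """Longest ancestor qname shares with the covering NSEC's owner or next;
    both of those names exist, so this is qname's closest existing ancestor."""
    best = []
    for existing in nsec[:2]:
        common = []
        for x, y in zip(labels(qname)[::-1], labels(existing)[::-1]):
            if x != y:
                break
            common.append(x)
        if len(common) > len(best):
            best = common
    return ".".join(best[::-1]) + "." if best else "."


def nsec_proves_nxdomain(nsecs, qname, qtype="A"):
    """NXDOMAIN needs an NSEC covering qname and one covering the wildcard
    at the closest encloser; a matching wildcard means the answer should
    have been synthesized, not denied."""
    covering = [n for n in nsecs if nsec_usable(n, qname, qtype) and nsec_covers(n, qname)]
    if not covering:
        return False
    wildcard = "*." + closest_encloser(covering[0], qname).lstrip(".")
    if any(canonical_cmp(n[0], wildcard) == 0 for n in nsecs):
        return False
    return any(nsec_usable(n, wildcard, qtype) and nsec_covers(n, wildcard) for n in nsecs)
```

In the usage, a constructed three-NSEC chain for `example.` (apex, `b.a.example.`, `ns1.example.`) makes `a.example.` an empty non-terminal: `nsec_proves_nodata` accepts the apex NSEC for it because the next name `b.a.example.` lies below the query name, while `nsec_proves_nxdomain` for `c.example.` fails if only the covering NSEC is supplied and the wildcard `*.example.` is left undisproven.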
* resolved: ignore DS RRs without generating an error if they use an unsupported digest algorithm (Lennart Poettering, 2016-01-17, 1 file changed, -2/+2)
* resolved: some RR types may appear only or not at all in a zone apex (Lennart Poettering, 2016-01-17, 1 file changed, -6/+30)
  Add extra checks when validating with RRSIGs. This follows recommendations from: http://www.george-barwood.pwp.blueyonder.co.uk/DnsServer/NotesOnDNSSSEC.htm
* resolved: implement the full NSEC and NSEC3 positive wildcard proofs (Lennart Poettering, 2016-01-13, 1 file changed, -1/+143)
* resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAME (Lennart Poettering, 2016-01-13, 1 file changed, -0/+5)
* resolved: properly handle RRs in domains beginning in an asterisk label (Lennart Poettering, 2016-01-13, 1 file changed, -1/+12)
  Properly handle RRs that begin with an asterisk label. These are the unexpanded forms of wildcard domains and appear in NSEC RRs for example. We need to make sure we handle the signatures of these RRs properly, since they mostly are considered normal RRs, except that the RRSIG labels counter is one off for them, as the asterisk label is always excluded from the signature.
* resolved: optimize dnssec_verify_rrset() a bit (Lennart Poettering, 2016-01-13, 1 file changed, -12/+16)
  Let's determine the source of synthesis once instead of for each RR in the RRset.
* resolved: allocate bounded strings on stack instead of heap, if we can (Lennart Poettering, 2016-01-13, 1 file changed, -6/+3)
* resolved: consider inverted RRSIG validity intervals expired (Lennart Poettering, 2016-01-13, 1 file changed, -1/+2)
* resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard response (Lennart Poettering, 2016-01-11, 1 file changed, -5/+103)
  This implements RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4: When we receive a response with an RRset generated from a wildcard we need to look for one NSEC/NSEC3 RR that proves that there's no explicit RR around before we accept the wildcard RRset as response.

  This patch does a couple of things: the validation calls will now identify wildcard signatures for us, and let us know the RRSIG used (so that the RRSIG's signer field lets us know what the wildcard was that generated the entry).

  Moreover, when iterating through the RRsets of a response we now employ three phases instead of just two.
  a) in the first phase we only look for DNSKEY RRs
  b) in the second phase we only look for NSEC RRs
  c) in the third phase we look for all kinds of RRs

  Phase a) is necessary, since DNSKEYs "unlock" more signatures for us, hence we shouldn't assume a key is missing until all DNSKEY RRs have been processed.

  Phase b) is necessary since NSECs need to be validated before we can validate wildcard RRs due to the logic explained above.

  Phase c) validates everything else. This phase also handles RRsets that cannot be fully validated and removes them or lets the transaction fail.
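Worked example, added here and not systemd's code: the RFC 4035 section 5.3.1 label-count rule that the synthesizing-source commit, the asterisk-label commit and the wildcard-signature identification in the commit above all depend on, together with the RFC 4034 section 3.1.5 validity-interval check that treats an inverted interval as expired (the "inverted RRSIG validity intervals" commit). `rrsig_prepare` here only shares its name with the `dnssec_rrsig_prepare()` the commit mentions; its `(is_wildcard, source)` return shape, `rrsig_time_ok`, and the dotted-string name format are my own choices, and the names in the usage are constructed.

```python
"""RRSIG label handling (RFC 4035 s5.3.1) and validity interval (RFC 4034
s3.1.5, RFC 1982 serial arithmetic). Added example, not systemd code; names
are dotted strings, root is ".", trailing dot optional (constructed)."""


def name_labels(name):
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def fqdn(labels):
    return ".".join(labels) + "." if labels else "."


def rrsig_prepare(owner, rrsig_labels, signer):
    """Return (is_wildcard_expansion, source_of_synthesis) for an RR with
    owner `owner` signed by an RRSIG with Labels field `rrsig_labels` and
    Signer's Name `signer`. Raises ValueError when the RRSIG cannot apply:
    more labels claimed than the owner has, or a signer that is not an
    ancestor of the synthesizing source."""
    labels = name_labels(owner)
    # An owner that itself starts with the asterisk label is the unexpanded
    # wildcard RR (NSEC RRs have such owners); the asterisk is never counted.
    unexpanded = bool(labels) and labels[0] == "*"
    counted = labels[1:] if unexpanded else labels
    n = len(counted)
    if rrsig_labels > n:
        raise ValueError("RRSIG Labels exceeds owner label count")
    if rrsig_labels == n:
        wildcard, source = False, labels
    else:
        # Fewer labels than the owner: the RRset was synthesized from the
        # wildcard formed by the rightmost rrsig_labels labels of the owner.
        wildcard, source = True, ["*"] + counted[n - rrsig_labels:]
    signer_labels = name_labels(signer)
    k = len(signer_labels)
    if k > rrsig_labels or counted[n - k:] != signer_labels:
        raise ValueError("signer is not an ancestor of the synthesizing source")
    return wildcard, fqdn(source)


def serial_lt(a, b):
    """RFC 1982 'a < b' on 32-bit serial numbers (RRSIG timestamps)."""
    return a != b and ((b - a) & 0xFFFFFFFF) < (1 << 31)


def rrsig_time_ok(inception, expiration, now):
    """Valid only if inception <= now <= expiration. An inverted interval
    (expiration before inception) never validates, whatever `now` is."""
    if serial_lt(expiration, inception):
        return False
    return not serial_lt(now, inception) and not serial_lt(expiration, now)
```

Two consequences worth checking against real data: `*.example.` signed with Labels=1 is an exact match, not an expansion, because the asterisk label is excluded from the count, and a signature over `a.b.example.` with Labels=1 names `*.example.` as the source, which is the name the wildcard NSEC/NSEC3 proof must then cover.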
* resolved: split up nsec3_hashed_domain() into two calls (Lennart Poettering, 2016-01-11, 1 file changed, -25/+30)
  There's now nsec3_hashed_domain_format() and nsec3_hashed_domain_make(). The former takes a hash value and formats it as domain, the latter takes a domain name, hashes it and then invokes nsec3_hashed_domain_format(). This way we can reuse more code, as the formatting logic can be unified between this call and another place.
* resolved: drop flags unused parameter from nsec3_is_good (Lennart Poettering, 2016-01-11, 1 file changed, -4/+4)
* basic: introduce generic ascii_strlower_n() call and make use of it everywhere (Lennart Poettering, 2016-01-11, 1 file changed, -7/+1)
* resolved: use dns_answer_size() where appropriate to handle NULL DnsAnswer (Lennart Poettering, 2016-01-11, 1 file changed, -1/+1)
* resolved: rename suffix_rr → zone_rr (Lennart Poettering, 2016-01-11, 1 file changed, -7/+7)
  The domain name for this NSEC3 RR was originally stored in a variable called "suffix", which was then renamed to "zone" in d1511b3338f431de3c95a50a9c1aca297e0c0734. Hence also rename the RR variable accordingly.
* resolved: fix NSEC3 iterations limit to what RFC5155 suggests (Lennart Poettering, 2016-01-11, 1 file changed, -3/+5)
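Worked example, added here and not systemd's code: NSEC3 owner-name hashing split the way the nsec3_hashed_domain() commit above describes (a make step that hashes, a format step that renders the hash as a domain under the zone), the per-key-size iteration ceilings of RFC 5155 section 10.3 that the iterations-limit commit refers to, and the covering test on hashed names. The two function names echo the commit message, but their bodies, `nsec3_iterations_allowed` and `nsec3_covers` are mine; the hash values asserted in the usage are the ones RFC 5155 Appendix A lists for its example zone (salt aabbccdd, 12 iterations).

```python
"""NSEC3 hashing (RFC 5155 s5), base32hex owner formatting, iteration
ceilings (s10.3) and covering on hashed names. Added example, not systemd
code. Only hash algorithm 1 (SHA-1) is defined for NSEC3."""
import base64
import hashlib


def wire_name(name):
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels,
    terminated by the root label."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name, salt, iterations, algorithm=1):
    """IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt), k = 1..iterations."""
    if algorithm != 1:
        raise ValueError("unknown NSEC3 hash algorithm %d" % algorithm)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"


def nsec3_hashed_domain_format(digest, zone):
    """Render a hash as <base32hex>.<zone>. base32hex (RFC 4648 s7) keeps the
    numeric order of the hash, which is what makes covering checks on the
    rendered names valid; 20 SHA-1 bytes need no padding."""
    text = base64.b32encode(digest).decode("ascii").rstrip("=")
    text = text.translate(str.maketrans(_B32, _B32HEX)).lower()
    suffix = zone.lower().rstrip(".")
    return text + "." + (suffix + "." if suffix else "")


def nsec3_hashed_domain_make(name, zone, salt, iterations, algorithm=1):
    return nsec3_hashed_domain_format(nsec3_hash(name, salt, iterations, algorithm), zone)


def nsec3_iterations_allowed(iterations, key_bits):
    """RFC 5155 s10.3 ceilings, keyed by the size of the smallest zone key:
    150 for <=1024 bits, 500 for <=2048, 2500 for <=4096. Above the ceiling
    a validator may treat the response as insecure rather than bogus."""
    for bits, limit in ((1024, 150), (2048, 500), (4096, 2500)):
        if key_bits <= bits:
            return iterations <= limit
    return False


def nsec3_covers(owner_hash, next_hash, target_hash):
    """Covering on rendered hashes: string order equals hash order. The last
    NSEC3 in the chain has next < owner and wraps around to the first."""
    o, n, t = (s.lower() for s in (owner_hash, next_hash, target_hash))
    if o >= n:
        return t > o or t < n
    return o < t < n
```

Hashing with the RFC's parameters costs thirteen SHA-1 calls per name for twelve iterations; the ceiling matters because a resolver must redo that work for the closest encloser, the next closer name and the wildcard on every negative answer, which is the amplification the iteration limit bounds.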
* update DNSSEC TODO (Lennart Poettering, 2016-01-06, 1 file changed, -0/+2)
* update DNSSEC TODO (Lennart Poettering, 2016-01-05, 1 file changed, -1/+2)
* resolved,networkd: add a per-interface DNSSEC setting (Lennart Poettering, 2016-01-05, 1 file changed, -7/+0)
  This adds a DNSSEC= setting to .network files, and makes resolved honour them.
* resolved: rename "downgrade-ok" mode to "allow-downgrade" (Lennart Poettering, 2016-01-05, 1 file changed, -1/+1)
  After discussing this with Tom, we figured out "allow-downgrade" sounds nicer.
* resolved: when caching negative responses, honour NSEC/NSEC3 TTLs (Lennart Poettering, 2016-01-05, 1 file changed, -11/+24)
  When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existence, if there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our questions including a high-ttl SOA RR for any parent zone, and we'd trust the TTL.
* update DNSSEC TODO (Lennart Poettering, 2016-01-04, 1 file changed, -3/+1)
* resolved: partially implement RFC5011 Trust Anchor support (Lennart Poettering, 2016-01-04, 1 file changed, -14/+25)
  With this patch resolved will properly handle revoked keys, but not augment the locally configured trust anchor database with newly learned keys. Specifically, resolved now refuses validating RRsets with revoked keys, and it will remove revoked keys from the configured trust anchors (only until reboot).

  This patch does not add logic for adding new keys to the set of trust anchors. This is a deliberate decision as this only can work with persistent disk storage, and would result in a different update logic for stateful and stateless systems. Since we have to support stateless systems anyway, and don't want to encourage two independent upgrade paths we focus on upgrading the trust anchor database via the usual OS upgrade logic.

  Whenever a trust anchor entry is found revoked and removed from the trust anchor a recognizable log message is written, encouraging the user to update the trust anchor or update his operating system.
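Worked example, added here and not systemd's code: the DNSKEY-side mechanics behind the RFC 5011 handling the commit above describes. It computes key tags (RFC 4034 Appendix B), reads the ZONE, SEP and REVOKE flag bits, selects the keys a validator may use for RRSIG verification (revoked keys excluded), and matches a revoked key back to a configured trust anchor. Trust anchors are modelled as `(tag, rdata)` pairs of DNSKEY RDATA, which is my choice, and the RFC 5011 requirement that a revoked key be self-signed is assumed to be verified elsewhere, since signature checking is out of scope here. All RDATA in the usage is constructed.

```python
"""DNSKEY flags, key tags and RFC 5011 revocation matching. Added example,
not systemd code. RDATA layout (RFC 4034 s2.1): flags(2) protocol(1)
algorithm(1) public key(n)."""
import struct

DNSKEY_FLAG_SEP = 0x0001      # Secure Entry Point, a hint only
DNSKEY_FLAG_REVOKE = 0x0080   # RFC 5011 s2.1
DNSKEY_FLAG_ZONE = 0x0100     # must be set for a key used to sign RRsets
DNSKEY_PROTOCOL = 3           # the only value RFC 4034 s2.1.2 allows


def dnskey_rdata(flags, algorithm, pubkey, protocol=DNSKEY_PROTOCOL):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def dnskey_flags(rdata):
    return struct.unpack("!H", rdata[:2])[0]


def dnskey_key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum-style sum over the whole RDATA,
    odd bytes as low octet, even bytes as high octet, carry folded once.
    (Obsolete algorithm 1, RSA/MD5, used a different rule; not handled.)"""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_is_revoked(rdata):
    return bool(dnskey_flags(rdata) & DNSKEY_FLAG_REVOKE)


def usable_zone_keys(rdatas):
    """Keys a validator may use to verify RRSIGs: ZONE bit set, protocol 3,
    and not revoked. Returns [(key_tag, rdata), ...] in input order."""
    out = []
    for rdata in rdatas:
        flags = dnskey_flags(rdata)
        if rdata[2] != DNSKEY_PROTOCOL or not flags & DNSKEY_FLAG_ZONE:
            continue
        if flags & DNSKEY_FLAG_REVOKE:
            continue
        out.append((dnskey_key_tag(rdata), rdata))
    return out


def revoked_anchor_tags(anchors, dnskeys):
    """Setting REVOKE changes the RDATA and therefore the key tag, so a
    revoked key is matched to a configured anchor by comparing RDATA with
    the bit cleared again. Returns the tags of anchors to drop."""
    revoked = set()
    for rdata in dnskeys:
        if not dnskey_is_revoked(rdata):
            continue
        cleared = struct.pack("!H", dnskey_flags(rdata) & ~DNSKEY_FLAG_REVOKE) + rdata[2:]
        for tag, anchor in anchors:
            if anchor == cleared:
                revoked.add(tag)
    return revoked
```

The tag change is the detail that bites in practice: a revoked copy of an anchor never matches the anchor's DS or its stored key tag, so the comparison has to be done on the RDATA with the REVOKE bit cleared, as `revoked_anchor_tags` does, rather than by tag lookup.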