path: root/src/resolve/resolved-dns-trust-anchor.c
Commit message | Author | Age | Files | Lines
* nulstr-util: Declare NULSTR_FOREACH() iterator inline | Daan De Meyer | 2022-11-11 | 1 | -1/+0
* Rename def.h to constants.h | Zbigniew Jędrzejewski-Szmek | 2022-11-08 | 1 | -1/+1
  The name "def.h" originates from before the rule of "no needless abbreviations" was established. Let's rename the file to clarify that it contains a collection of various semi-related constants.
* resolved,test-fileio: use "re" when opening files | Zbigniew Jędrzejewski-Szmek | 2022-10-19 | 1 | -1/+1
  This doesn't matter too much, because neither of those programs forks, but let's do the generally correct thing anyway.
* resolve: manage DnsAnswerItem with OrderedSet | Yu Watanabe | 2022-05-07 | 1 | -2/+4
  Previously, we manage DnsAnswerItem by an array and Set. The array was used for the order of the items, and the set is used to dedup items. Let's use OrderedSet, then we can simplify the logic. This fixes dns_answer_remove_by_key() and dns_answer_remove_by_rr() which makes the set in a broken state.
* strv: make iterator in STRV_FOREACH() declared in the loop | Yu Watanabe | 2022-03-19 | 1 | -1/+0
  This also avoids multiple evaluations in STRV_FOREACH_BACKWARDS()
* resolved: add RFC 8375 "home.arpa" to list of default NTA | Lennart Poettering | 2021-04-10 | 1 | -1/+4
  RFC 8375 introduced "home.arpa" as special TLD for home networks. Let's hence add it to our default list of NTAs.
* resolved: add RRSIG field to DnsAnswerItem | Lennart Poettering | 2021-02-09 | 1 | -2/+2
* license: LGPL-2.1+ -> LGPL-2.1-or-later | Yu Watanabe | 2020-11-09 | 1 | -1/+1
* tree-wide: define iterator inside of the macro | Zbigniew Jędrzejewski-Szmek | 2020-09-08 | 1 | -2/+1
* tree-wide: use set_ensure_consume() in various places | Zbigniew Jędrzejewski-Szmek | 2020-06-24 | 1 | -3/+1
  No functional change.
* tree-wide: use set_ensure_put() | Zbigniew Jędrzejewski-Szmek | 2020-06-22 | 1 | -10/+2
  Patch contains a coccinelle script, but it only works in some cases. Many parts were converted by hand. Note: I did not fix errors in return value handling. This will be done separate to keep the patch comprehensible. No functional change is intended in this patch.
* basic/set: let set_put_strdup() create the set with string hash ops | Zbigniew Jędrzejewski-Szmek | 2020-05-06 | 1 | -2/+1
  If we're using a set with _put_strdup(), most of the time we want to use string hash ops on the set, and free the strings when done. This defines the appropriate a new string_hash_ops_free structure to automatically free the keys when removing the set, and makes set_put_strdup() and set_put_strdupv() instantiate the set with those hash ops. hashmap_put_strdup() was already doing something similar. (It is OK to instantiate the set earlier, possibly with a different hash ops structure. set_put_strdup() will then use the existing set. It is also OK to call set_free_free() instead of set_free() on a set with string_hash_ops_free, the effect is the same, we're just overriding the override of the cleanup function.) No functional change intended.
* resolved: drop DNSSEC root key that is not valid anymore | Lennart Poettering | 2020-01-21 | 1 | -10/+1
  I guess we can drop this now, the key is no longer valid until 2019-01-11, hence there's no point in still including it in our trust anchor.
* Rename EXTRACT_QUOTES to EXTRACT_UNQUOTE | Zbigniew Jędrzejewski-Szmek | 2019-06-28 | 1 | -2/+2
  Whenever I see EXTRACT_QUOTES, I'm always confused whether it means to leave the quotes in or to take them out. Let's say "unquote", like we say "cunescape".
* codespell: fix spelling errors | Ben Boeckel | 2019-04-29 | 1 | -2/+2
* util: split out nulstr related stuff to nulstr-util.[ch] | Lennart Poettering | 2019-03-14 | 1 | -0/+1
* util: split out sorting related calls to new sort-util.[ch] | Lennart Poettering | 2019-03-13 | 1 | -1/+2
* resolved-dns-trust-anchor: FOREACH_LINE exorcism | Lennart Poettering | 2018-10-18 | 1 | -3/+11
  Also, properly ignore these read errors, and say so.
* tree-wide: use typesafe_qsort() | Yu Watanabe | 2018-09-19 | 1 | -5/+3
* resolve: fix error handling of dns_name_is_valid() | Yu Watanabe | 2018-08-06 | 1 | -2/+8
* tree-wide: remove Lennart's copyright lines | Lennart Poettering | 2018-06-14 | 1 | -3/+0
  These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice. Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.
* tree-wide: drop 'This file is part of systemd' blurb | Lennart Poettering | 2018-06-14 | 1 | -2/+0
  This part of the copyright blurb stems from the GPL use recommendations: https://www.gnu.org/licenses/gpl-howto.en.html The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together. Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that. Hence, let's just get rid of this old cruft, and shorten our codebase a bit.
* resolved: reformat message about a revoked trust anchor | Zbigniew Jędrzejewski-Szmek | 2018-06-06 | 1 | -2/+3
  LOG_MESSAGE is just a wrapper, but it keeps the arguments indented together with the format string, so put the argument inside of the macro invocation. (No functional change.) Also use lowercase for "trust anchor" — it should either be all capitalized or not at all, and it's not a proper name, so let's make it all lowercase. Also, add a newline, to make the string more readable. "%s" can expand to something that is quite long.
* basic/log: add the log_struct terminator to macro | Zbigniew Jędrzejewski-Szmek | 2018-06-04 | 1 | -3/+3
  This way all callers do not need to specify it. Exhaustively tested by running test-log under valgrind ;)
* resolve: allow whitespaces in the DS digest or DNSKEY key data | Yu Watanabe | 2018-05-11 | 1 | -15/+20
  Fixes #3682.
* tree-wide: drop license boilerplate | Zbigniew Jędrzejewski-Szmek | 2018-04-06 | 1 | -13/+0
  Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt. I also kept any copyright lines. We can probably remove them, but it'd be nice to obtain explicit acks from all involved authors before doing that.
* tree-wide: use TAKE_PTR() and TAKE_FD() macros | Yu Watanabe | 2018-04-05 | 1 | -4/+2
* Add set/hashmap helpers for non-trivial freeing and use where straightforward | Zbigniew Jędrzejewski-Szmek | 2017-11-28 | 1 | -11/+2
  A macro is needed because otherwise we couldn't ensure type safety. Some simple tests are included. No functional change intended.
* Add SPDX license identifiers to source files under the LGPL | Zbigniew Jędrzejewski-Szmek | 2017-11-19 | 1 | -0/+1
  This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* exec-util,conf-files: skip non-executable files in execute_directories() | Lennart Poettering | 2017-09-13 | 1 | -1/+1
  Fixes: #6787
* bus: include sd-{bus,messages}.h the same as other systemd headers | Zbigniew Jędrzejewski-Szmek | 2017-04-21 | 1 | -1/+1
  This is our own header, we should include use the local-include syntax ("" not <>), to make it clear we are including the one from the build tree. All other includes of files from src/systemd/ use this scheme.
* resolved: add the new KSK to the built-in resolved trust anchor (#5486) | Lennart Poettering | 2017-02-28 | 1 | -21/+51
  Fixes: #5482
* resolved: make sure configured NTAs affect subdomains too | Lennart Poettering | 2017-02-17 | 1 | -1/+24
  This ensures that configured NTAs exclude not only the listed domain but also all domains below it from DNSSEC validation -- except if a positive trust anchor is defined below (as suggested by RFC7647, section 1.1) Fixes: #5048
* tree-wide: add SD_ID128_MAKE_STR, remove LOG_MESSAGE_ID | Zbigniew Jędrzejewski-Szmek | 2017-02-15 | 1 | -1/+1
  Embedding sd_id128_t's in constant strings was rather cumbersome. We had SD_ID128_CONST_STR which returned a const char[], but it had two problems:
  - it wasn't possible to statically concatenate this array with a normal string
  - gcc wasn't really able to optimize this, and generated code to perform the "conversion" at runtime.
  Because of this, even our own code in coredumpctl wasn't using SD_ID128_CONST_STR.

  Add a new macro to generate a constant string: SD_ID128_MAKE_STR. It is not as elegant as SD_ID128_CONST_STR, because it requires a repetition of the numbers, but in practice it is more convenient to use, and allows gcc to generate smarter code:

      $ size .libs/systemd{,-logind,-journald}{.old,}
         text    data     bss     dec     hex filename
      1265204  149564    4808 1419576  15a938 .libs/systemd.old
      1260268  149564    4808 1414640  1595f0 .libs/systemd
       246805   13852     209  260866   3fb02 .libs/systemd-logind.old
       240973   13852     209  255034   3e43a .libs/systemd-logind
       146839    4984      34  151857   25131 .libs/systemd-journald.old
       146391    4984      34  151409   24f71 .libs/systemd-journald

  It is also much easier to check if a certain binary uses a certain MESSAGE_ID:

      $ strings .libs/systemd.old|grep MESSAGE_ID
      MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
      MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
      MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
      MESSAGE_ID=%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x

      $ strings .libs/systemd|grep MESSAGE_ID
      MESSAGE_ID=c7a787079b354eaaa9e77b371893cd27
      MESSAGE_ID=b07a249cd024414a82dd00cd181378ff
      MESSAGE_ID=641257651c1b4ec9a8624d7a40a9e1e7
      MESSAGE_ID=de5b426a63be47a7b6ac3eaac82e2f6f
      MESSAGE_ID=d34d037fff1847e6ae669a370e694725
      MESSAGE_ID=7d4958e842da4a758f6c1cdc7b36dcc5
      MESSAGE_ID=1dee0369c7fc4736b7099b38ecb46ee7
      MESSAGE_ID=39f53479d3a045ac8e11786248231fbf
      MESSAGE_ID=be02cf6855d2428ba40df7e9d022f03d
      MESSAGE_ID=7b05ebc668384222baa8881179cfda54
      MESSAGE_ID=9d1aaa27d60140bd96365438aad20286
* resolved: include d.f.ip6.arpa in default NTA list | Lennart Poettering | 2016-08-31 | 1 | -0/+3
  Fixes: #4049
* Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root | Zbigniew Jędrzejewski-Szmek | 2016-02-16 | 1 | -2/+2
  This fixes formatting of root domain in debug messages:
  Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036).
  New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
* tree-wide: remove Emacs lines from all files | Daniel Mack | 2016-02-10 | 1 | -2/+0
  This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.
* resolved: rename dnssec_verify_dnskey() → dnssec_verify_dnskey_by_ds() | Lennart Poettering | 2016-01-17 | 1 | -1/+1
  This should clarify that this is not regular signature-based validation, but validation through DS RR fingerprints.
* resolved: when validating, first strip revoked trust anchor keys from validated keys list | Lennart Poettering | 2016-01-11 | 1 | -1/+46
  When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
* resolved: rework trust anchor revoke checking | Lennart Poettering | 2016-01-11 | 1 | -38/+34
  Instead of first iterating through all DNSKEYs in the DnsAnswer in dns_transaction_check_revoked_trust_anchors(), and then doing that a second time in dns_trust_anchor_check_revoked(), do so only once in the former, and pass the dnskey we found directly to the latter.
* resolved: when dumping the NTA database, sort output | Lennart Poettering | 2016-01-06 | 1 | -5/+21
  Now that we populate the trust database by default with a larger number of entries, we better make sure to output a more readable version.
* resolved: populate negative trust anchor by default | Lennart Poettering | 2016-01-06 | 1 | -3/+96
  Let's increase compatibility with many private domains by default, and ship a default NTA list of well-known private domains, where it is unlikely they will be deployed as official TLD anytime soon.
* resolved: log all OOM errors | Lennart Poettering | 2016-01-06 | 1 | -2/+2
* resolved: reuse dns_trust_anchor_knows_domain() at another location | Lennart Poettering | 2016-01-06 | 1 | -16/+17
* resolved: when dumping trust anchor contents, clarify when it is empty | Lennart Poettering | 2016-01-05 | 1 | -7/+13
* resolved: also skip built-in trust anchor addition if there's a DNSKEY RR for the root domain defined | Lennart Poettering | 2016-01-05 | 1 | -0/+3
  We already skip this when the trust anchor files define a DS RR for the root domain, now also skip it if there's a DNSKEY RR.
* resolved: move trust anchor files to /etc/dnssec-trust-anchors.d/ | Lennart Poettering | 2016-01-05 | 1 | -1/+1
  These files are not specific to resolved really, and this is then more in-line with how /etc/sysctl.d and suchlike is handled.
* resolved: partially implement RFC5011 Trust Anchor support | Lennart Poettering | 2016-01-04 | 1 | -0/+170
  With this patch resolved will properly handle revoked keys, but not augment the locally configured trust anchor database with newly learned keys. Specifically, resolved now refuses validating RRsets with revoked keys, and it will remove revoked keys from the configured trust anchors (only until reboot). This patch does not add logic for adding new keys to the set of trust anchors. This is a deliberate decision as this only can work with persistent disk storage, and would result in a different update logic for stateful and stateless systems. Since we have to support stateless systems anyway, and don't want to encourage two independent upgrade paths we focus on upgrading the trust anchor database via the usual OS upgrade logic. Whenever a trust anchor entry is found revoked and removed from the trust anchor a recognizable log message is written, encouraging the user to update the trust anchor or update his operating system.
* resolved: refuse revoked DNSKEYs in trust anchor | Lennart Poettering | 2016-01-03 | 1 | -0/+8
* resolved: add negative trust anchor support, and add trust anchor configuration files | Lennart Poettering | 2016-01-03 | 1 | -9/+315
  This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this built-in DS RR is not added though.