resolved: add basic DNSSEC support
authorLennart Poettering <lennart@poettering.net>
Wed, 2 Dec 2015 20:20:37 +0000 (21:20 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 2 Dec 2015 21:50:11 +0000 (22:50 +0100)
commit2b442ac87838be7c326c984d8751c96dee7258ab
tree33ba2c1c236a65daeeef6710b59c037c621cc7a1
parent4e2d538f33df8a425487aaa4facc23065a9bdaf7
resolved: add basic DNSSEC support

This adds most basic operation for doing DNSSEC validation on the
client side. However, it does not actually add the verification logic to
the resolver. Specifically, this patch only includes:

- Verifying DNSKEY RRs against a DS RRs
- Verifying RRSets against a combination of RRSIG and DNSKEY RRs
- Matching up RRSIG RRs and DNSKEY RRs
- Matching up RR keys and RRSIG RRs
- Calculating the DNSSEC key tag from a DNSKEY RR

All currently used DNSSEC combinations of SHA and RSA are implemented. Support
for MD5 hashing and DSA or EC cyphers are not. MD5 and DSA are probably
obsolete, and shouldn't be added. EC should probably be added
eventually, if it actually is deployed on the Internet.
Makefile.am
src/resolve/resolved-dns-cache.h
src/resolve/resolved-dns-dnssec.c [new file with mode: 0644]
src/resolve/resolved-dns-dnssec.h [new file with mode: 0644]
src/resolve/test-dnssec.c [new file with mode: 0644]
src/shared/dns-domain.h