Lennart Poettering [Sat, 26 Dec 2015 11:36:24 +0000 (12:36 +0100)]
resolved: don't unnecessarily allocate memory in dns_packet_append_name()
When compression support is off, there's no point in duplicating the
name string. Hence, don't do it.
Lennart Poettering [Fri, 25 Dec 2015 14:57:49 +0000 (15:57 +0100)]
resolved: name TCP and UDP socket calls uniformly
Previously the calls for emitting DNS UDP packets were just called
dns_{transaction|scope}_emit(), but the one to establish a DNS TCP
connection was called dns_transaction_open_tcp(). Clean this up, and
rename them dns_{transaction|scope}_emit_udp() and
dns_transaction_open_tcp().
Lennart Poettering [Fri, 25 Dec 2015 14:05:46 +0000 (15:05 +0100)]
resolved: add an automatic downgrade to non-DNSSEC mode
This adds a mode that makes resolved automatically downgrade from DNSSEC
support to classic non-DNSSEC resolving if the configured DNS server is
not capable of DNSSEC. Enabling this mode increases compatibility with
crappy network equipment, but of course opens up the system to
downgrading attacks.
The new mode can be enabled by setting DNSSEC=downgrade-ok in
resolved.conf. DNSSEC=yes otoh remains a "strict" mode, where DNS
resolving rather fails than allows downgrading.
Downgrading is done:
- when the server does not support EDNS0+DO
- or when the server supports it but does not augment returned RRs with
  RRSIGs. The latter is detected when requesting DS or SOA RRs for the
  root domain (which is necessary to do proofs for unsigned data)
Lennart Poettering [Fri, 25 Dec 2015 14:01:37 +0000 (15:01 +0100)]
resolved: no need to store return value of dns_server_possible_features()
The call already updates possible_features, it's pointless doing this in
the caller a second time.
Lennart Poettering [Fri, 25 Dec 2015 11:58:07 +0000 (12:58 +0100)]
resolved: don't set TCP_NODELAY twice for TCP sockets
We previously set it once in the scope code and once in the stream code.
Remove it from the latter, as all other socket options are set in the
former.
Lennart Poettering [Fri, 25 Dec 2015 11:54:27 +0000 (12:54 +0100)]
resolved: generate an explicit transaction error when we cannot reach server via TCP
Previously, if we couldn't reach a server via UDP we'd generate an
MAX_ATTEMPTS transaction result, but if we couldn't reach it via TCP
we'd generate a RESOURCES transaction result. While it is OK to generate
two different errors I think, "RESOURCES" is certainly a misnomer.
Introduce a new transaction result "CONNECTION_FAILURE" instead.
Lennart Poettering [Thu, 24 Dec 2015 13:08:22 +0000 (14:08 +0100)]
resolved: deal with unsigned DS/NSEC/NSEC3 properly
Previously, we'd insist on an RRSIG for all DS/NSEC/NSEC3 RRs. With this
change we don't do that anymore, but also allow unsigned DS/NSEC/NSEC3
if we can prove that the zone they are located in is unsigned.
Lennart Poettering [Wed, 23 Dec 2015 23:24:10 +0000 (00:24 +0100)]
resolved: log each dnssec failure, in a recognizable way
Lennart Poettering [Wed, 23 Dec 2015 18:06:36 +0000 (19:06 +0100)]
resolved: gather statistics about resolved names
This collects statistical data about transactions, dnssec verifications
and the cache, and exposes it over the bus. The systemd-resolve-host
tool learns new options to query these statistics and reset them.
Lennart Poettering [Tue, 22 Dec 2015 17:22:19 +0000 (18:22 +0100)]
resolved: if we accepted unauthenticated NSEC/NSEC3 RRs, use them for proofs
But keep track that the proof is not authenticated.
Lennart Poettering [Tue, 22 Dec 2015 17:21:25 +0000 (18:21 +0100)]
resolved: don't insist on finding DNSKEYs for RRsets of zones with DNSSEC off
Lennart Poettering [Tue, 22 Dec 2015 17:20:09 +0000 (18:20 +0100)]
resolved: be stricter when searching for a DS RR for a DNSKEY RR
Lennart Poettering [Tue, 22 Dec 2015 17:19:48 +0000 (18:19 +0100)]
resolved: make use of dns_type_may_redirect() where possible
Lennart Poettering [Mon, 21 Dec 2015 21:07:41 +0000 (22:07 +0100)]
update DNSSEC TODO
Lennart Poettering [Mon, 21 Dec 2015 20:06:29 +0000 (21:06 +0100)]
resolved: tighten search for NSEC3 RRs a bit
Be stricter when searching suitable NSEC3 RRs for proof: generalize the
check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add
additional checks, such as checking whether all NSEC3 RRs use the same
parameters, have the same suffix and so on.
Lennart Poettering [Mon, 21 Dec 2015 19:00:34 +0000 (20:00 +0100)]
resolved: when doing NSEC3 proof, first find right NSEC3 suffix
When doing an NSEC3 proof, before determining whether a name is the
closest encloser we first need to figure out the longest common suffix
we have with any NSEC3 RR in the reply.
Lennart Poettering [Mon, 21 Dec 2015 18:57:34 +0000 (19:57 +0100)]
resolved: properly implement RRSIG validation of wildcarded RRsets
Note that this is still not complete, one additional step is still
missing: when we verified that a wildcard RRset is properly signed, we
still need to do an NSEC/NSEC3 proof that no more specific RRset exists.
Lennart Poettering [Mon, 21 Dec 2015 18:56:05 +0000 (19:56 +0100)]
resolved: never use data from failed transactions
Otherwise if we have an A lookup that failed DNSSEC validation, but an
AAAA lookup that succeeded, we might end up using the A data, but we
really should not.
Lennart Poettering [Mon, 21 Dec 2015 18:54:54 +0000 (19:54 +0100)]
resolved: don't choke on NSEC/NSEC3 RRs with no bitmap
This might happen in some cases (empty non-terminals...) and we should
not choke on it.
Lennart Poettering [Mon, 21 Dec 2015 18:53:41 +0000 (19:53 +0100)]
bitmap: don't do bitwise XOR on booleans
It's weird doing bitwise operations on booleans. Let's use the boolean
XOR (i.e. "!=") instead of the bitwise XOR (i.e. "^") on them.
Lennart Poettering [Mon, 21 Dec 2015 18:53:15 +0000 (19:53 +0100)]
util-lib: make sure more bitmap calls can deal with NULL objects fine
Lennart Poettering [Mon, 21 Dec 2015 15:31:29 +0000 (16:31 +0100)]
resolved: internalize string buffer of dns_resource_record_to_string()
Let's simplify usage and memory management of DnsResourceRecord's
dns_resource_record_to_string() call: cache the formatted string as
part of the object, and return it on subsequent calls, freeing it when
the DnsResourceRecord itself is freed.
Lennart Poettering [Mon, 21 Dec 2015 15:29:13 +0000 (16:29 +0100)]
resolved: when matching SOA RRs, don't eat up errors
Lennart Poettering [Mon, 21 Dec 2015 15:28:35 +0000 (16:28 +0100)]
resolved: when matching SOA RRs, honour RR class
Lennart Poettering [Mon, 21 Dec 2015 15:27:13 +0000 (16:27 +0100)]
resolved: when looking for a SOA RR in a reply, pick the right one
If there are multiple SOA RRs, and we look for a suitable one covering
our request, then make sure to pick the one that is furthest away from
the root name, not just the first one we encounter.
Lennart Poettering [Mon, 21 Dec 2015 15:24:58 +0000 (16:24 +0100)]
resolved: when caching NXDOMAIN for an RR, make sure we flush out old ANY entries
We use ANY RR keys to store NXDOMAIN information, but we previously
didn't flush out old ANY RR items in the cache when adding new entries.
Fix that.
Lennart Poettering [Mon, 21 Dec 2015 15:23:48 +0000 (16:23 +0100)]
resolved: split out a new dns_type_may_redirect() call
Let's abstract which RRs shall honour CNAMEs, and which ones should not.
Lennart Poettering [Mon, 21 Dec 2015 15:20:49 +0000 (16:20 +0100)]
resolve-host: propagate error properly
Zbigniew Jędrzejewski-Szmek [Fri, 25 Dec 2015 16:16:18 +0000 (11:16 -0500)]
Merge pull request #2197 from mscherer/add_seal_config
Add Seal option in the configuration file for journald-remote
Zbigniew Jędrzejewski-Szmek [Fri, 25 Dec 2015 05:38:05 +0000 (00:38 -0500)]
Merge pull request #2223 from ssahani/lldp
Closes #2223.
Susant Sahani [Fri, 25 Dec 2015 05:18:23 +0000 (10:48 +0530)]
V3 LLDP: Add packet validation (system name and description)
LLDP type system name and system description should
be within 255 characters and unique.
Let's add the validation to discard corrupt packets.
Susant Sahani [Fri, 25 Dec 2015 05:12:43 +0000 (10:42 +0530)]
lldp: improve logging
Zbigniew Jędrzejewski-Szmek [Fri, 25 Dec 2015 04:59:48 +0000 (23:59 -0500)]
Merge pull request #2153 from evverx/fix-verify-for-templates
analyze: verify verifies templates too
Lennart Poettering [Wed, 23 Dec 2015 23:46:19 +0000 (00:46 +0100)]
Merge pull request #2216 from zonque/nameownerchanged
core: re-sync bus name list after deserializing during daemon-reload
Daniel Mack [Tue, 22 Dec 2015 10:37:09 +0000 (11:37 +0100)]
core: re-sync bus name list after deserializing during daemon-reload
When the daemon reloads, it does not actually give up its DBus connection,
as wrongly stated in an earlier commit. However, even though the bus
connection stays open, the daemon flushes out all its internal state.
Hence, if there is a NameOwnerChanged signal after the flush and before the
deserialization, it cannot be matched against any pending unit.
To fix this, rename bus_list_names() to manager_sync_bus_names() and call
it explicitly at the end of the daemon reload operation.
Lennart Poettering [Wed, 23 Dec 2015 20:31:07 +0000 (21:31 +0100)]
Merge pull request #2158 from keszybz/journal-decompression
Journal decompression fixes
Lennart Poettering [Wed, 23 Dec 2015 20:07:07 +0000 (21:07 +0100)]
Merge pull request #2214 from zonque/leak
Core: plug a memory leak in socket.c, and some related cleanups
Daniel Mack [Tue, 22 Dec 2015 10:32:25 +0000 (11:32 +0100)]
socket: nullify pointers after free
A socket shouldn't be used after socket_done() returns, but follow the
general guideline here and avoid dangling pointers anyway.
Daniel Mack [Tue, 22 Dec 2015 10:03:53 +0000 (11:03 +0100)]
socket: free fdname member
Plug a small memory leak.
Lennart Poettering [Mon, 21 Dec 2015 13:24:29 +0000 (14:24 +0100)]
Merge pull request #2202 from zonque/nameownerchanged
core: fix bus name synchronization after daemon-reload
Lennart Poettering [Mon, 21 Dec 2015 13:21:29 +0000 (14:21 +0100)]
Merge pull request #2204 from zonque/sd-event-debug
sd-event: improve debugging of event source errors
Daniel Mack [Mon, 21 Dec 2015 12:03:24 +0000 (13:03 +0100)]
sd-event: improve debugging of event source errors
Printing the pointer variable really doesn't help, so drop that.
Instead, add a string lookup table for the EventSourceType enum, and print
the type of event source in case of errors.
Daniel Mack [Mon, 21 Dec 2015 11:09:46 +0000 (12:09 +0100)]
Merge pull request #2203 from mbiebl/man-typo-fix
man: fix typo in systemctl(1)
Michael Biebl [Mon, 21 Dec 2015 10:54:41 +0000 (11:54 +0100)]
man: fix typo in systemctl(1)
Daniel Mack [Fri, 18 Dec 2015 16:28:15 +0000 (17:28 +0100)]
core: fix bus name synchronization after daemon-reload
During daemon-reload, PID1 temporarily loses its DBus connection, so there's
a small window in which all signals sent by dbus-daemon are lost.
This is a problem, since we rely on the NameOwnerChanged signals in order to
consider a service with Type=dbus fully started or terminated, respectively.
In order to fix this, a rewrite of bus_list_names() is necessary. We used
to walk the current list of names on the bus, and blindly triggered the
bus_name_owner_change() callback on each service, providing the actual name
as current owner. This implementation has a number of problems:
* We cannot detect if the name was moved from one owner to the other
  while we were reloading
* We don't notify services which missed the name loss signal
* Providing the actual name as current owner is a hack, as the comment also
  admits.
To fix this, this patch carries the following changes:
* Track the name of the current bus name owner, and (de-)serialize it
  during reload. This way, we can detect changes.
* In bus_list_names(), walk the list of bus names we're interested in
  first, and then see if the name is active on the bus. If it is,
  check if it's still the same as it used to be, and synthesize
  NameOwnerChanged signals for the name add and/or loss.
This should fully synchronize the current name list with the internal
state of all services.
Daniel Mack [Sun, 20 Dec 2015 18:46:19 +0000 (19:46 +0100)]
Merge pull request #2199 from phomes/resolve-indentation
resolve: fix indentation
Thomas Hindoe Paaboel Andersen [Sun, 20 Dec 2015 15:58:44 +0000 (16:58 +0100)]
resolve: fix indentation
Michael Scherer [Sun, 20 Dec 2015 12:23:33 +0000 (13:23 +0100)]
Add Seal option in the configuration file for journald-remote
While journal received remotely can be sealed, it can only be done
on the command line using --seal, so for consistency, we will
also permit to set it in the configuration file.
Tom Gundersen [Sun, 20 Dec 2015 01:35:44 +0000 (01:35 +0000)]
Merge pull request #2190 from poettering/dnssec6
Add DNSSEC proof of unsignedness and NSEC3 proof
Daniel Mack [Sat, 19 Dec 2015 23:58:19 +0000 (00:58 +0100)]
Merge pull request #2193 from ToostInc/logindbus-typo-fix
Fix typo on logind-dbus.c
Joost Bremmer [Sat, 19 Dec 2015 11:46:09 +0000 (12:46 +0100)]
Fix typo on logind-dbus.c
method_schedule_shutdown referenced org.freedesktop.login1.poweroff*
which is never registered in polkit.
Now refers to org.freedesktop.login1.power-off*
Signed-off-by: Joost Bremmer <toost.b@gmail.com>
Lennart Poettering [Fri, 18 Dec 2015 19:21:14 +0000 (20:21 +0100)]
resolved: propagate DNSSEC validation status from auxiliary transactions
Let's make sure we propagate the DNSSEC validation status from an
auxiliary DNSSEC transaction back to the originating transaction, to
improve the error messages we generate.
Lennart Poettering [Fri, 18 Dec 2015 19:09:30 +0000 (20:09 +0100)]
resolved: propagate the DNSSEC result from the transaction to the query and the bus client
It's useful to generate useful errors, so let's do that.
Lennart Poettering [Fri, 18 Dec 2015 18:49:25 +0000 (19:49 +0100)]
resolved: rename DNS_TRANSACTION_FAILURE → DNS_TRANSACTION_RCODE_FAILURE
We have many types of failure for a transaction, and
DNS_TRANSACTION_FAILURE was just one specific one of them, if the server
responded with a non-zero RCODE. Hence let's rename this, to indicate
which kind of failure this actually refers to.
Lennart Poettering [Fri, 18 Dec 2015 18:46:27 +0000 (19:46 +0100)]
resolved: merge two comments
Lennart Poettering [Fri, 18 Dec 2015 18:44:15 +0000 (19:44 +0100)]
resolved: rename dns_cache_item_remove_and_free() → _unlink_and_free()
In most of the other calls, we called similar functions that remove the
data structure link-ups to other objects "unlink", hence we should here,
too.
Lennart Poettering [Fri, 18 Dec 2015 18:43:10 +0000 (19:43 +0100)]
resolved: rename dns_cache_remove() → dns_cache_remove_by_key()
Given that we already have dns_cache_remove_by_rr() this makes clearer
what the operation actually does.
Lennart Poettering [Fri, 18 Dec 2015 18:42:02 +0000 (19:42 +0100)]
resolved: add a call that dumps the contents of a DnsAnswer structure
This is not used anywhere, but it's extremely useful when debugging.
Lennart Poettering [Fri, 18 Dec 2015 18:32:46 +0000 (19:32 +0100)]
resolved: rework mDNS cache-flush bit handling
This adds a new DnsAnswer item flag "DNS_ANSWER_SHARED_OWNER" which is
set for mDNS RRs that lack the cache-flush bit. The cache-flush bit is
removed from the DnsResourceRecord object in favour of this.
This also splits out the code that removes previous entries when adding
new positive ones into a new separate call dns_cache_remove_previous().
Lennart Poettering [Fri, 18 Dec 2015 18:31:21 +0000 (19:31 +0100)]
resolved: properly determine size of DnsAnswer object
After all we want to allow NULL DnsAnswer objects as equivalent to empty
ones, hence we should use the right checks everywhere.
Lennart Poettering [Fri, 18 Dec 2015 18:29:47 +0000 (19:29 +0100)]
resolved: pass out precise authenticated bit we got passed in
Make sure the cache never alters the authenticated bit of RRs stored in
it, and drops it for RRs when passing it out again.
Lennart Poettering [Fri, 18 Dec 2015 18:27:16 +0000 (19:27 +0100)]
resolved: don't honour mDNS cache-flush bit for OPT RRs
OPT RRs after all use the class field for other purposes than actually
encoding a class, hence the cache flush bit doesn't apply really.
Lennart Poettering [Fri, 18 Dec 2015 18:25:04 +0000 (19:25 +0100)]
resolve: optimize dns_cache_flush() a bit
Let's use dns_cache_remove() rather than
dns_cache_item_remove_and_free() to destroy the cache, since the former
requires far fewer hash table lookups.
Lennart Poettering [Fri, 18 Dec 2015 18:22:26 +0000 (19:22 +0100)]
resolved: when receiving a TTL=0 RR, only flush that specific RR
When we receive a TTL=0 RR, then let's only flush that specific RR and
not the whole RRset.
On mDNS with RRsets that are shared-owner this is how specific RRs are
removed from the set, hence support this. And on non-mDNS the whole
RRset will already be removed much earlier in dns_cache_put() hence
there's no reason to remove it again.
Lennart Poettering [Fri, 18 Dec 2015 18:19:56 +0000 (19:19 +0100)]
resolved: optimize dns_cache_remove() a bit
Lennart Poettering [Fri, 18 Dec 2015 18:15:34 +0000 (19:15 +0100)]
resolved: use dns_name_parent() where appropriate
Lennart Poettering [Fri, 18 Dec 2015 18:12:48 +0000 (19:12 +0100)]
resolved: check SOA authentication state when negative caching
We should never use the TTL of an unauthenticated SOA to cache an
authenticated RR.
Lennart Poettering [Fri, 18 Dec 2015 18:09:27 +0000 (19:09 +0100)]
resolved: don't call dns_cache_remove() from dns_cache_put_negative()
We call it anyway as one of the first calls in dns_cache_put(), hence
there's no reason to do this multiple times.
Lennart Poettering [Fri, 18 Dec 2015 18:07:31 +0000 (19:07 +0100)]
resolved: bump cache size a bit
Let's keep entries for longer and more of them. After all, due to the
DNSSEC hookup the amount of RRs we need to store is much higher now.
Lennart Poettering [Fri, 18 Dec 2015 18:06:23 +0000 (19:06 +0100)]
resolved: make use of dns_{class|type}_is_{pseudo|valid_rr}() everywhere
Lennart Poettering [Fri, 18 Dec 2015 17:57:08 +0000 (18:57 +0100)]
resolved: refuse accepting EDNS0 OPT RRs with a non-root domain
Lennart Poettering [Fri, 18 Dec 2015 17:53:11 +0000 (18:53 +0100)]
resolved: move DNS class utilities to dns-type.c and add more helpers
Let's make DNS class helpers more like DNS type helpers, let's move them
from resolved-dns-rr.[ch] into dns-type.[ch].
This also adds two new calls dns_class_is_pseudo() and
dns_class_is_valid_rr() which operate similar to dns_type_is_pseudo()
and dns_type_is_valid_rr() but for classes instead of types.
This should hopefully make handling of DNS classes and DNS types more
alike.
Lennart Poettering [Fri, 18 Dec 2015 13:48:24 +0000 (14:48 +0100)]
resolved: update TODO
Lennart Poettering [Fri, 18 Dec 2015 13:37:06 +0000 (14:37 +0100)]
resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned
This large patch adds a couple of mechanisms to ensure we get NSEC3 and
proof-of-unsigned support into place. Specifically:
- Each item in a DnsAnswer gets two bit flags now:
  DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is
  necessary since DNS responses might contain signed as well as unsigned
  RRsets in one, and we need to remember which ones are signed and which
  ones aren't. The latter is necessary, since now we need to keep track
  which RRsets may be cached and which ones may not be, even while
  manipulating DnsAnswer objects.
- The .n_answer_cachable of DnsTransaction is dropped now (it used to
  store how many of the first DnsAnswer entries are cachable), and
  replaced by the DNS_ANSWER_CACHABLE flag instead.
- NSEC3 proofs are implemented now (lacking support for the wildcard
  part, to be added in a later commit).
- Support for the "AD" bit has been dropped. It's unsafe, and now that
  we have end-to-end authentication we don't need it anymore.
- An auxiliary DnsTransaction of a DnsTransaction is now kept around at
  least as long as the latter stays around. We no longer remove the
  auxiliary DnsTransaction as soon as it completed. This is necessary,
  as we now are interested not only in the RRsets it acquired but also
  in its authentication status.
Lennart Poettering [Fri, 18 Dec 2015 13:33:59 +0000 (14:33 +0100)]
resolved: refuse to add auxiliary transactions loops
Let's be safe and explicitly avoid that we add an auxiliary transaction
dependency on ourselves.
Lennart Poettering [Fri, 18 Dec 2015 13:29:32 +0000 (14:29 +0100)]
resolved: don't check for NULL DnsAnswer object explicitly where unnecessary
The DNS_ANSWER_FOREACH macros do this internally anyway, no need to
duplicate this.
Lennart Poettering [Fri, 18 Dec 2015 13:26:48 +0000 (14:26 +0100)]
resolved: stop timeout timer when validating transactions
We need no separate timeout anymore as soon as we received a reply, as
the auxiliary transactions have their own timeouts.
Lennart Poettering [Fri, 18 Dec 2015 13:26:02 +0000 (14:26 +0100)]
resolved: when destroying a scope, only abort live transactions
Lennart Poettering [Fri, 18 Dec 2015 13:23:48 +0000 (14:23 +0100)]
resolved: make sure we don't get confused when notifying transactions while they are destroyed
A failing transaction might cause other transactions to fail too, and
thus the set of transactions to notify for a transaction might change
while we are notifying them. Protect against that.
Lennart Poettering [Fri, 18 Dec 2015 13:22:46 +0000 (14:22 +0100)]
resolved: merge two bools into a bitfield
Lennart Poettering [Fri, 18 Dec 2015 13:22:14 +0000 (14:22 +0100)]
resolved: use right format specifier to print transaction ID
Lennart Poettering [Fri, 18 Dec 2015 13:20:03 +0000 (14:20 +0100)]
resolved: cache stringified transaction key once per transaction
We end up needing the stringified transaction key in many log messages,
hence let's simplify the logic and cache it inside of the transaction:
generate it the first time we need it, and reuse it afterwards. Free it
when the transaction goes away.
This also updated a couple of log messages to make use of this.
Lennart Poettering [Fri, 18 Dec 2015 13:16:48 +0000 (14:16 +0100)]
resolved: don't complain if networkd doesn't know an interface we care about
Lennart Poettering [Fri, 18 Dec 2015 13:16:03 +0000 (14:16 +0100)]
shared: add dns_name_parent() call to determine parent domain of a domain
Daniel Mack [Wed, 16 Dec 2015 19:14:36 +0000 (20:14 +0100)]
Merge pull request #2180 from phomes/resolve-misc
Resolve: misc cleanups
Thomas Hindoe Paaboel Andersen [Wed, 16 Dec 2015 18:33:20 +0000 (19:33 +0100)]
resolve: remove unused variable
Thomas Hindoe Paaboel Andersen [Wed, 16 Dec 2015 18:26:16 +0000 (19:26 +0100)]
resolve: fix indentation
Daniel Mack [Tue, 15 Dec 2015 14:57:19 +0000 (15:57 +0100)]
Merge pull request #2157 from keszybz/manager-status
Manager status
Daniel Mack [Tue, 15 Dec 2015 14:56:19 +0000 (15:56 +0100)]
Merge pull request #2174 from yuwata/journal-remote-man
man: fix typo in journal-remote.conf(5)
Yu Watanabe [Tue, 15 Dec 2015 14:24:28 +0000 (23:24 +0900)]
man: fix typo in journal-remote.conf(5)
Tom Gundersen [Tue, 15 Dec 2015 12:25:22 +0000 (12:25 +0000)]
Merge pull request #2168 from poettering/dnssec5
Fifth batch of DNSSEC support patches
Daniel Mack [Tue, 15 Dec 2015 10:33:57 +0000 (11:33 +0100)]
Merge pull request #2169 from yuwata/journal-remote-unit-doc
journal-remote: add documents in the unit files
Daniel Mack [Tue, 15 Dec 2015 09:33:38 +0000 (10:33 +0100)]
Merge pull request #2172 from evverx/fix-enable-hashmap
basic: ENABLE_DEBUG_HASHMAP needs <pthread.h>
Henrik Kaare Poulsen [Sun, 13 Dec 2015 18:31:05 +0000 (19:31 +0100)]
basic: ENABLE_DEBUG_HASHMAP needs <pthread.h>
this is a follow-up for commit
11c3a36649e5e5e77db499c92f3
Yu Watanabe [Tue, 15 Dec 2015 01:51:12 +0000 (10:51 +0900)]
journal-remote: add documents in the unit files
Lennart Poettering [Mon, 14 Dec 2015 20:32:17 +0000 (21:32 +0100)]
resolved: update DNSSEC TODO
Lennart Poettering [Mon, 14 Dec 2015 20:26:42 +0000 (21:26 +0100)]
resolved: add basic proof of non-existence support for NSEC+NSEC3
Note that this is not complete yet, as we don't handle wildcard domains
correctly, nor handle domains correctly that use empty non-terminals.
Lennart Poettering [Mon, 14 Dec 2015 20:26:15 +0000 (21:26 +0100)]
resolved: when serializing NSEC3 windows, don't write more windows than necessary
Lennart Poettering [Mon, 14 Dec 2015 20:23:54 +0000 (21:23 +0100)]
resolved: constify a parameter
Lennart Poettering [Mon, 14 Dec 2015 20:22:40 +0000 (21:22 +0100)]
resolved: always consider NSEC/NSEC3 RRs as "primary"
It's not OK to drop these for our proof of non-existence checks.