Lennart Poettering [Mon, 14 Dec 2015 20:21:59 +0000 (21:21 +0100)]
resolved: don't choke on NULL DNS transactions when determining query candidate state
Lennart Poettering [Mon, 14 Dec 2015 20:21:16 +0000 (21:21 +0100)]
resolved: initialize libgcrypt before using it
Lennart Poettering [Mon, 14 Dec 2015 20:20:05 +0000 (21:20 +0100)]
resolved: rework how we get the gcrypt digest algorithm ID from DNSSEC digest ids
Let's move this into a function digest_to_gcrypt() that we can reuse
later on when implementing NSEC3 validation.
Lennart Poettering [Fri, 11 Dec 2015 19:19:05 +0000 (20:19 +0100)]
resolved: apparently not all names are used in canonical form for DNSSEC validation
Specifically, it appears as if the NSEC next domain name should be in
the original casing rather than canonical form, when validating.
Daniel Mack [Mon, 14 Dec 2015 15:31:25 +0000 (16:31 +0100)]
Merge pull request #2165 from torstehu/fix-typo2
treewide: fix typos and indentation
Torstein Husebø [Fri, 4 Dec 2015 07:03:59 +0000 (08:03 +0100)]
treewide: fix typos and indentation
Daniel Mack [Sun, 13 Dec 2015 16:22:48 +0000 (17:22 +0100)]
Merge pull request #2152 from evverx/respect-disable-tests
build-sys: fix --disable-tests
Evgeny Vereshchagin [Sun, 13 Dec 2015 06:51:33 +0000 (06:51 +0000)]
build-sys: fix --disable-tests
Fixes:
$ ./configure ... --disable-tests
$ make
$ sudo make check
FAIL: test/udev-test.pl
PASS: test/rule-syntax-check.py
PASS: test/sysv-generator-test.py
...
Daniel Mack [Sat, 12 Dec 2015 13:03:52 +0000 (14:03 +0100)]
Merge pull request #2148 from evverx/fix-enable-smack
build-sys: fix ./configure --enable-smack
Evgeny Vereshchagin [Sat, 12 Dec 2015 06:08:25 +0000 (06:08 +0000)]
build-sys: refactor `have_smack` detection
Evgeny Vereshchagin [Sat, 12 Dec 2015 03:43:45 +0000 (03:43 +0000)]
build-sys: fix ./configure --enable-smack
Fixes:
$ ./configure ... --enable-smack
$ make src/core/load-fragment-gperf.c
$ grep -i smack src/core/load-fragment-gperf.c
{"Swap.SmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, 0},
...
should be
{"Swap.SmackProcessLabel", config_parse_exec_smack_process_label, 0, offsetof(Swap, exec_context)},
...
Tom Gundersen [Fri, 11 Dec 2015 17:38:14 +0000 (18:38 +0100)]
Merge pull request #2143 from poettering/dnssec4
Another batch of DNSSEC fixes
Lennart Poettering [Fri, 11 Dec 2015 14:10:56 +0000 (15:10 +0100)]
resolved: don't eat up errors
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname()
may return errors as negative return values. Make sure to propagate
those.
Lennart Poettering [Fri, 11 Dec 2015 13:00:08 +0000 (14:00 +0100)]
resolved: refactor DNSSEC answer validation
This changes answer validation to be more accepting to unordered RRs in
responses. The agorithm we now implement goes something like this:
1. populate validated keys list for this transaction from DS RRs
2. as long as the following changes the unvalidated answer list:
2a. try to validate the first RRset we find in unvalidated answer
list
2b. if that worked: add to validated answer; if DNSKEY also add to
validated keys list; remove from unvalidated answer.
2c. continue at 2a, with the next RRset, or restart from the
beginning when we hit the end
3. as long as the following changes the unvalidated answer list:
3a. try to validate the first RRset again. This will necessarily
fail, but we learn the precise error
3b. If this was a "primary" response to the question, fail the
entire transaction. "Primary" in this context means that it is
directly a response to the query, or a CNAME/DNAME for it.
3c. Otherwise, remove the RRset from the unvalidated answer list.
Note that we the too loops in 2 + 3 are actually coded as a single one,
but the dnskeys_finalized bool indicates which loop we are currently
processing.
Note that loop 2 does not drop any invalidated RRsets yet, that's
something only loop 3 does. This is because loop 2 might still encounter
additional DNSKEYS which might validate more stuff, and if we'd already
have dropped those RRsets we couldn't validate those anymore. The first
loop is hence a "constructive" loop, the second loop a "destructive"
one: the first one validates whatever is possible, the second one then
deletes whatever still isn't.
Lennart Poettering [Fri, 11 Dec 2015 12:55:26 +0000 (13:55 +0100)]
resolved: rework dnssec validation results
This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is
returned when we encounter an unsupported crypto algorithm when trying
to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP
in this case, but it's better to consider this a non-error DNSSEC
validation result, since our reaction to this case needs to be more like
in cases such as expired or missing keys: we need to keep continue
validation looking for another RRSIG/DNSKEY combination that works
better for us.
This also reworks how dnssec_validate_rrsig_search() propagates errors
from dnssec_validate_rrsig(). Previously, errors such as unsupported
algorithms or expired signatures would not be propagated, but simply be
returned as "missing-key".
Lennart Poettering [Fri, 11 Dec 2015 12:36:25 +0000 (13:36 +0100)]
resolved: rework how and when the number of answer RRs to cache is determined
Instead of figuring out how many RRs to cache right before we do so,
determine this at the time we install the answer RRs, so that we can
still alter this as we manipulate the answer during validation.
The primary purpose of this is to pave the way so that we can drop
unsigned RRsets from the answer and invalidate the number of RRs to
cache at the same time.
Lennart Poettering [Thu, 10 Dec 2015 14:01:04 +0000 (15:01 +0100)]
resolved: generalize DNS RR type validity checks
Check the validity of RR types as we parse or receive data from IPC
clients, and use the same code for all of them.
Lennart Poettering [Thu, 10 Dec 2015 12:46:53 +0000 (13:46 +0100)]
resolved: refuse OPT RRs in incoming packets that are not in the additional section
We later rely that the DnsAnswer object contains all RRs from the
original packet, at least when it comes to the answer and authorization
sections, hence we better make sure we don#t silently end up removing an
OPT RR from these two sections.
Lennart Poettering [Thu, 10 Dec 2015 12:46:05 +0000 (13:46 +0100)]
resolved: refuse to cache ANY kind of pseudo-RR-type
Lennart Poettering [Thu, 10 Dec 2015 12:28:33 +0000 (13:28 +0100)]
resolved: no need to check for NULL explicitly before invoking dns_packet_unref()
Lennart Poettering [Thu, 10 Dec 2015 12:27:58 +0000 (13:27 +0100)]
resolved: extend list of pseudo RR types
Also, explain the situation with a longer comment.
Daniel Mack [Thu, 10 Dec 2015 19:48:42 +0000 (20:48 +0100)]
Merge pull request #2096 from teg/resolved-cache
Misc resolved cache fixes
Tom Gundersen [Thu, 10 Dec 2015 19:17:49 +0000 (20:17 +0100)]
resolved: cache - only stringify RR keys when in debug mode
This is in the fast path, so let's not do all this work unneccessarily.
Tom Gundersen [Thu, 10 Dec 2015 18:57:41 +0000 (19:57 +0100)]
resolved: cache - don't flush the cache of mDNS records unneccesarily
When the DNS_RESOURCE_KEY_CACHE_FLUSH flag is not set for an mDNS packet, we should not flush
the cache for RRs with matching keys. However, we were unconditionally flushing the cache
also for these packets.
Now mark all packets as cache_flush by default, except for these mDNS packets, and respect
that flag in the cache handling.
This fixes
90325e8c2e559a21ef0bc2f26b844c140faf8020.
Tom Gundersen [Thu, 10 Dec 2015 18:47:47 +0000 (19:47 +0100)]
TODO
Daniel Mack [Thu, 10 Dec 2015 16:40:39 +0000 (17:40 +0100)]
Merge pull request #2133 from poettering/import-drop-dkr
importd: drop dkr support
Tom Gundersen [Thu, 3 Dec 2015 20:40:06 +0000 (21:40 +0100)]
resolved: cache - rework which RR types we apply redirection to
The logic of dns_cache_get() is now:
- look up the precise key;
- look up NXDOMAIN item;
- if an RR type that may be redirected
(i.e., not CNAME, DNAME, RRSIG, NSEC, NSEC3, SIG, KEY, or
NXT) look up a correpsonding CNAME or DNAME record;
- look up a corresponding NSEC record;
Before this change we would give up before potentially finding
negative cache entries for DNAME, CNAME and NSEC records, we
would return NSEC records for aliases where we had DNAME or CNAME
records available and we would incorrectly try to redirect DNSSEC RRs.
Tom Gundersen [Thu, 3 Dec 2015 20:26:19 +0000 (21:26 +0100)]
resolved: cache - improve logging
Some DNS servers will hand out negative answers without SOA records,
these can not be cached, so log about that fact.
Tom Gundersen [Thu, 3 Dec 2015 18:53:35 +0000 (19:53 +0100)]
resolved: cache - don't cache NXDOMAIN by TYPE
An NXDOMAIN entry means there are no RRs of any type for a name,
so only cache by CLASS + NAME, rather than CLASS + NAME + TYPE.
Tom Gundersen [Wed, 2 Dec 2015 17:46:32 +0000 (18:46 +0100)]
resolved: cache - do negative caching only on the canonical name
Apart from dropping redundant information, this fixes an issue
where, due to broken DNS servers, we can only be certain of whether
an apparent NODATA response is in fact an NXDOMAIN response after
explicitly resolving the canonical name. This issue is outlined in
RFC2308. Moreover, by caching NXDOMAIN for an existing name, we
would mistakenly return NXDOMAIN for types which should not be
redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly
returns NXDOMAIN, but a query for CNAME should return the record
and a query for DNAME should return NODATA.
Note that this means we will not cache an NXDOMAIN response in the
presence of redirection, meaning one redundant roundtrip in case the
name is queried again.
Daniel Mack [Thu, 10 Dec 2015 15:54:57 +0000 (16:54 +0100)]
Merge pull request #2134 from jorgenschaefer/detect-ipv6-with-sockstat6
Use /proc/net/sockstat6 to detect IPv6 support
Lennart Poettering [Thu, 10 Dec 2015 11:40:04 +0000 (12:40 +0100)]
importd: drop dkr support
The current code is not compatible with current dkr protocols anyway,
and dkr has a different focus ("microservices") than nspawn anyway
("whole machine containers"), hence drop support for it, we cannot
reasonably keep this up to date, and it creates the impression we'd
actually care for the microservices usecase.
Lennart Poettering [Thu, 10 Dec 2015 15:49:31 +0000 (16:49 +0100)]
Merge pull request #2135 from zonque/resolved-mdns-3
resolved: more mDNS specific bits (3)
Daniel Mack [Thu, 10 Dec 2015 14:59:30 +0000 (15:59 +0100)]
resolved: make sure the packet's transaction ID is always 0 for mDNS
RFC6762, 18.1:
In multicast query messages, the Query Identifier SHOULD be set to
zero on transmission.
Daniel Mack [Thu, 10 Dec 2015 15:08:43 +0000 (16:08 +0100)]
resolved: discard any reply packet that contains a bogus name
Only .in-addr.arpa and .local are considered local in mDNS, so discard the
packet if anything else is thrown at us.
Tom Gundersen [Thu, 10 Dec 2015 14:22:18 +0000 (15:22 +0100)]
Merge pull request #2129 from poettering/dnssec3
Third DNSSEC patch series
Jorgen Schaefer [Thu, 10 Dec 2015 12:24:45 +0000 (13:24 +0100)]
Use /proc/net/sockstat6 to detect IPv6 support
The file /sys/module/ipv6 does not exist in all container
implementations (e.g. Virtuozzo). Using /proc/net/sockstat6
detects IPv6 support reliably in these environments, too.
This file does not exist when the kernel is not compiled with
IPv6 support, or if IPv6 support is disabled, so simply checking
for existence should be a suitable check.
Fixes #2059
Lennart Poettering [Thu, 10 Dec 2015 11:05:26 +0000 (12:05 +0100)]
Merge pull request #2086 from evverx/fix-journal-upload-installation
build: fix systemd-journal-upload installation
Lennart Poettering [Thu, 10 Dec 2015 10:57:08 +0000 (11:57 +0100)]
README: Recommend kinvolk regarding engineering services
They are our friends, do systemd development, hence add them.
Lennart Poettering [Thu, 10 Dec 2015 10:40:23 +0000 (11:40 +0100)]
Merge pull request #2076 from keszybz/downgrade-masked-unit-message
core: do not warn about Wants depencencies on masked units
Lennart Poettering [Thu, 10 Dec 2015 10:25:26 +0000 (11:25 +0100)]
resolved: rename dns_transaction_prepare_next_attempt()
Let's simply call it dns_transaction_prepare(), so that we have the nice
cycle for prepare() → go() → emit() → process().
After all it's pretty clear that what we prepare there, and we dont call
the others go_next_attempt(), emit_next_attempt() or
process_next_attempt().
Lennart Poettering [Thu, 10 Dec 2015 10:25:14 +0000 (11:25 +0100)]
journal: make mmap_cache_unref() a NOP when NULL is passed, like all other destructors
Lennart Poettering [Wed, 9 Dec 2015 18:08:45 +0000 (19:08 +0100)]
resolved: don't accept doing queries for invalid RR types
Lennart Poettering [Wed, 9 Dec 2015 17:13:16 +0000 (18:13 +0100)]
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled
This adds initial support for validating RRSIG/DNSKEY/DS chains when
doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not
implemented yet.
With this change DnsTransaction objects will generate additional
DnsTransaction objects when looking for DNSKEY or DS RRs to validate an
RRSIG on a response. DnsTransaction objects are thus created for three
reasons now:
1) Because a user asked for something to be resolved, i.e. requested by
a DnsQuery/DnsQueryCandidate object.
2) As result of LLMNR RR probing, requested by a DnsZoneItem.
3) Because another DnsTransaction requires the requested RRs for
validation of its own response.
DnsTransactions are shared between all these users, and are GC
automatically as soon as all of these users don't need a specific
transaction anymore.
To unify the handling of these three reasons for existance for a
DnsTransaction, a new common naming is introduced: each DnsTransaction
now tracks its "owners" via a Set* object named "notify_xyz", containing
all owners to notify on completion.
A new DnsTransaction state is introduced called "VALIDATING" that is
entered after a response has been receieved which needs to be validated,
as long as we are still waiting for the DNSKEY/DS RRs from other
DnsTransactions.
This patch will request the DNSKEY/DS RRs bottom-up, and then validate
them top-down.
Caching of RRs is now only done after verification, so that the cache is
not poisoned with known invalid data.
The "DnsAnswer" object gained a substantial number of new calls, since
we need to add/remove RRs to it dynamically now.
Lennart Poettering [Wed, 9 Dec 2015 17:11:28 +0000 (18:11 +0100)]
resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support the DNSKEY's algorithm
As long as we support the digest we are good.
Lennart Poettering [Wed, 9 Dec 2015 17:09:06 +0000 (18:09 +0100)]
resolved: when matching up RRSIG and DNSKEY RRs, use the RRSIG's signer name, not the owner name
When the DNSKEY is in higher zone, then that's OK, and we need to check
the RRSIG's signer name against the DNSKEY hence.
Lennart Poettering [Wed, 9 Dec 2015 17:07:55 +0000 (18:07 +0100)]
resolved: fix sorting of RRsets
We actually maintain an array of pointers to RRs, not of RRs themselves,
fix the qsort() invocation accordingly.
Lennart Poettering [Wed, 9 Dec 2015 17:05:53 +0000 (18:05 +0100)]
resolved: grow DnsAnswer exponentially
When increasing the DnsAnswer array, don't operate piecemeal, grow the
array exponentially.
This way, the default logic for DnsAnswer allocations matches the
behaviour for GREEDY_REALLOC and suchlike, and we can reduce the number
of necessary allocations.
Lennart Poettering [Wed, 9 Dec 2015 17:04:03 +0000 (18:04 +0100)]
resolved: log when we chase a CNAME RR
Lennart Poettering [Wed, 9 Dec 2015 17:00:58 +0000 (18:00 +0100)]
resolved: reenable caching for LLMNR
This got borked in
547493c5ad5c82032e247609970f96be76c2d661.
Lennart Poettering [Wed, 9 Dec 2015 16:49:05 +0000 (17:49 +0100)]
resolved: split out check whether reply matches our question
It's complicated enough, it deserves its own call.
(Also contains some unrelated whitespace, comment and assertion changes)
Lennart Poettering [Wed, 9 Dec 2015 16:45:00 +0000 (17:45 +0100)]
resolved: IXFR and AXFR cannot be the type of RRs, only of RR keys
Enforce this while parsing RRs.
Lennart Poettering [Wed, 9 Dec 2015 16:43:24 +0000 (17:43 +0100)]
resolved: when parsing DNS packets, handle OPT RR specially
As soon as we encounter the OPT RR while parsing, store it in a special
field in the DnsPacket structure. That way, we won't be confused if we
iterate through RRs, and can check that there's really only one of these
RRs around.
Lennart Poettering [Wed, 9 Dec 2015 16:41:33 +0000 (17:41 +0100)]
resolved: refuse modifying DnsAnswer objects that have more than one reference
DnsAnswer objects should be considered immutable after having passed to
more than one user, i.e. with a reference counter > 1. Enforce that in
code, so that we can track down misuses easier.
Lennart Poettering [Wed, 9 Dec 2015 16:40:32 +0000 (17:40 +0100)]
resolved: fix libgcrypt error checking
libgcrypt encodes the error source in the error code, we need to mask
that away before comparing error codes.
Lennart Poettering [Wed, 9 Dec 2015 18:01:26 +0000 (19:01 +0100)]
build-sys: libgcrypt error messages make no sense without libgpg-error
Hence, pull in this library too, if we need libgcrypt.
Lennart Poettering [Wed, 9 Dec 2015 16:38:48 +0000 (17:38 +0100)]
resolved: split out logic to flush DnsAnswer objects
Let's simplify things, by making this a function call of its own.
Lennart Poettering [Wed, 9 Dec 2015 16:38:05 +0000 (17:38 +0100)]
resolved: honour RFC6761's ban on the invalid TLD
Lennart Poettering [Wed, 9 Dec 2015 16:34:55 +0000 (17:34 +0100)]
resolved: fix DNS_ANSWER_FOREACH_IFINDEX() to not collide with user defined ifindex variable
Lennart Poettering [Wed, 9 Dec 2015 16:32:47 +0000 (17:32 +0100)]
resolved: partially revert 5eefe54
Quoting @teg:
"Contrary to what the comment said, we always verify redirect chains in
full, and cache all the CNAME records. There is therefore no need to
do extra negative caching along a CNAME chain."
This simply steals @teg's commit since we'll touch the SOA matching case
in a later patch, and rather want this bit gone, so that we don't have
to "fix" it, only to remove it later on.
Lennart Poettering [Wed, 9 Dec 2015 16:29:53 +0000 (17:29 +0100)]
resolved: when outputting RRs in text form, append a trailing dot to owner names
After all, that's how this is done in DNS, and is particularly important
if we look a DS/DNSKEY RRs for the root zone itself, where the owner
name would otherwise be shown as completely empty (i.e. missing).
Lennart Poettering [Wed, 9 Dec 2015 16:28:50 +0000 (17:28 +0100)]
resolved: shortcut RR comparisons if pointers match
When iterating through RR lists we frequently end up comparing RRs and
RR keys with themselves, hence att a minor optimization to check ptr
values first, before doing a deep comparison.
Lennart Poettering [Wed, 9 Dec 2015 16:27:35 +0000 (17:27 +0100)]
resolved: fix parameter type of dns_type_is_pseudo()
DNS RR types are uint16_t after all, treat them as such.
Lennart Poettering [Thu, 10 Dec 2015 10:20:03 +0000 (11:20 +0100)]
Merge pull request #2056 from evverx/expose-soft-limits-on-the-bus
Expose soft limits on the bus
Lennart Poettering [Thu, 10 Dec 2015 10:10:30 +0000 (11:10 +0100)]
Merge pull request #2128 from zonque/resolved-mdns-2
resolved: more mDNS specific bits (2)
Daniel Mack [Wed, 9 Dec 2015 12:09:35 +0000 (13:09 +0100)]
resolved: add more linked packets for overlong known answers
For mDNS, if we're unable to stuff all known answers into the given packet,
allocate a new one, push the RR into that one and link it to the current
one.
Daniel Mack [Wed, 9 Dec 2015 11:05:38 +0000 (12:05 +0100)]
resolved: handle linked packet in dns_scope_emit()
In dns_scope_emit(), walk the list of additional packets and emit all of
them. Set the TC bit in all but the last of them.
This is specific to mDNS, so an assertion is triggered if used with other
protocols.
Daniel Mack [Wed, 9 Dec 2015 11:01:08 +0000 (12:01 +0100)]
resolved: add support for linked packets
For mDNS, we need to support the TC bit in case the list of known answers
exceed the maximum packet size.
For this, add a 'more' pointer to DnsPacket for an additional packet.
When a packet is unref'ed, the ->more packet is also unrefed, so it
sufficient to only keep track of the 1st packet in a chain.
Daniel Mack [Wed, 9 Dec 2015 10:55:54 +0000 (11:55 +0100)]
resolved: add dns_packet_set_flags()
We need to support the TC bit in queries in case known answers exceed the
maximum packet size. Factor out the flags compilation to
dns_packet_set_flags() and make it externally available.
Lennart Poettering [Wed, 9 Dec 2015 19:48:40 +0000 (20:48 +0100)]
Merge pull request #2108 from evverx/fix-distcheck-for-disable-resolved
build-sys: move "dist" parts out of conditionals
Daniel Mack [Wed, 9 Dec 2015 09:24:27 +0000 (10:24 +0100)]
resolved: llmnr, mdns: simplify error handling
sd_event_add_io() returns the error directly and does not mess with errno.
Daniel Mack [Tue, 8 Dec 2015 17:29:52 +0000 (18:29 +0100)]
resolved: don't send .local requests to DNS servers
DNS names ending with .local are specific to mDNS, so don't use them
on DNS scopes.
Daniel Mack [Wed, 9 Dec 2015 13:18:37 +0000 (14:18 +0100)]
Merge pull request #2110 from keszybz/udev-indentation
Udev indentation
Evgeny Vereshchagin [Wed, 9 Dec 2015 01:32:22 +0000 (01:32 +0000)]
build: fix systemd-journal-upload installation
Fixes:
$ ./configure ... --disable-microhttpd --enable-libcurl
--enable-sysusers
$ make && make install DESTDIR=$(pwd)/INST
$ ls INST/usr/lib/sysusers.d/
basic.conf systemd.conf
There is no a file with `systemd-journald-upload`
Evgeny Vereshchagin [Mon, 7 Dec 2015 04:31:34 +0000 (04:31 +0000)]
build-sys: move "dist" parts out of conditionals
This is a follow-up for commit
f47477332ff
Tom Gundersen [Tue, 8 Dec 2015 16:31:09 +0000 (17:31 +0100)]
Merge pull request #2115 from dvdhrm/rbtree
basic: add RB-Tree implementation
Tom Gundersen [Tue, 8 Dec 2015 16:24:09 +0000 (17:24 +0100)]
Merge pull request #2122 from zonque/resolved-mdns-1
resolved: more mDNS specific bits
Daniel Mack [Mon, 30 Nov 2015 23:53:42 +0000 (00:53 +0100)]
resolved: add dns_cache_export_to_packet()
This new functions exports cached records of type PTR, SRV and TXT into
an existing DnsPacket. This is used in order to fill in known records
to mDNS queries, for known answer supression.
Daniel Mack [Mon, 30 Nov 2015 11:47:11 +0000 (12:47 +0100)]
resolved: implement query coalescing
Implement dns_transaction_make_packet_mdns(), a special version of
dns_transaction_make_packet() for mDNS which differs in many ways:
a) We coalesce queries of currently active transaction on the scope.
This is possible because mDNS actually allows many questions in a
to be sent in a single packet and it takes some burden from the
network.
b) Both A and AAAA query keys are broadcast on both IPv4 and IPv6
scopes, because other hosts might only respond on one of their
addresses but resolve both types.
c) We discard previously sent packages (t->sent) so we can start over
and coalesce pending transactions again.
Daniel Mack [Mon, 30 Nov 2015 21:35:51 +0000 (22:35 +0100)]
resolved: add 'next_attempt_after' field to DnsTransaction
For each transaction, record when the earliest point in time when the
query packet may hit the wire. This is the same time stamp for which
the timer is scheduled in retries, except for the initial query packets
which are delayed by a random jitter. In this case, we denote that the
packet may actually be sent at the nominal time, without the jitter.
Transactions that share the same timestamp will also have identical
values in this field. It is used to coalesce pending queries in a later
patch.
Daniel Mack [Mon, 30 Nov 2015 18:06:36 +0000 (19:06 +0100)]
resolved: split dns_transaction_go()
Split some code out of dns_transaction_go() so we can re-use it later from
different context. The new function dns_transaction_prepare_next_attempt()
takes care of preparing everything so that a new packet can conditionally
be formulated for a transaction.
This patch shouldn't cause any functional change.
Daniel Mack [Thu, 3 Sep 2015 10:09:11 +0000 (12:09 +0200)]
resolved: handle more mDNS protocol details
Daniel Mack [Thu, 3 Sep 2015 10:04:31 +0000 (12:04 +0200)]
resolved: fix debug message
Daniel Mack [Sat, 11 Jul 2015 00:44:59 +0000 (20:44 -0400)]
resolved: add mDNS packet dispatcher
Add the packet dispatching routine for mDNS.
It differs to what LLMNR and DNS dispatchers do in the way it matches
incoming packets. In mDNS, we actually handle all incoming packets,
regardless whether we asked for them earlier or not.
Daniel Mack [Tue, 1 Sep 2015 15:17:27 +0000 (17:17 +0200)]
resolved: allow name compression in NSEC records
Daniel Mack [Fri, 28 Aug 2015 14:48:37 +0000 (16:48 +0200)]
resolved: handle mDNS timeouts per transaction
mDNS packet timeouts need to be handled per transaction, not per link.
Re-use the n_attempts field for this purpose, as packets timeouts should be
determined by starting at 1 second, and doubling the value on each try.
Daniel Mack [Tue, 25 Aug 2015 15:57:58 +0000 (17:57 +0200)]
resolved: short-cut jitter callbacks for LLMNR and mDNS
When a jitter callback is issued instead of sending a DNS packet directly,
on_transaction_timeout() is invoked to 'retry' the transaction. However,
this function has side effects. For once, it increases the packet loss
counter on the scope, and it also unrefs/refs the server instances.
Fix this by tracking the jitter with two bool variables. One saying that
the initial jitter has been scheduled in the first place, and one that
tells us the delay packet has been sent.
Daniel Mack [Tue, 4 Aug 2015 12:12:46 +0000 (14:12 +0200)]
resolved: flush keys when DNS_RESOURCE_KEY_CACHE_FLUSH is set
In mDNS, DNS_RESOURCE_KEY_CACHE_FLUSH denotes whether other records with the
same key should be flushed from the cache.
Daniel Mack [Tue, 24 Nov 2015 14:45:15 +0000 (15:45 +0100)]
resolved: add cache flush flag to DnsResourceKey
MDNS has a 'key cache flush' flag for records which must be masked out for
the parsers to do our right thing. We will also use that flag later (in a
different patch) in order to alter the cache behavior.
Daniel Mack [Tue, 25 Aug 2015 12:08:29 +0000 (14:08 +0200)]
resolved: add mDNS initial jitter
The logic is to kick off mDNS packets in a delayed way is mostly identical
to what LLMNR needs, except that the constants are different.
Daniel Mack [Sat, 11 Jul 2015 17:17:51 +0000 (13:17 -0400)]
resolved: create dns scopes for mDNS
Follow what LLMNR does, and create per-link DnsScope objects.
Daniel Mack [Sat, 11 Jul 2015 18:33:58 +0000 (14:33 -0400)]
resolved: add code to join/leave mDNS multicast groups
Per link, join the mDNS multicast groups when the scope is created, and
leave it again when the scope goes away.
Daniel Mack [Sat, 11 Jul 2015 00:44:46 +0000 (20:44 -0400)]
resolved: add packet header details for mDNS
Validate mDNS queries and responses by looking at some header fields,
add mDNS flags.
Daniel Mack [Fri, 10 Jul 2015 19:48:13 +0000 (15:48 -0400)]
resolved: add infrastructure for mDNS related sockets
Just hook up mDNS listeners with an empty packet dispather function,
introduce a config directive, man page updates etc.
Zbigniew Jędrzejewski-Szmek [Tue, 8 Dec 2015 04:47:45 +0000 (23:47 -0500)]
Merge pull request #2104 from evverx/rlimit-util-test
tests: add test-rlimit-util
Zbigniew Jędrzejewski-Szmek [Tue, 8 Dec 2015 04:35:19 +0000 (23:35 -0500)]
Merge pull request #2117 from evverx/remove-dist-check-python
build-sys: remove dist-check-python
Evgeny Vereshchagin [Tue, 8 Dec 2015 02:33:52 +0000 (02:33 +0000)]
build-sys: remove dist-check-python
added:
279419b379
obsoleted:
2c8849add4
Filipe Brandenburger [Mon, 7 Dec 2015 21:53:02 +0000 (13:53 -0800)]
Merge pull request #2111 from evverx/remove-unnecessary-checking
build-sys: remove unnecessary check
David Herrmann [Mon, 7 Dec 2015 17:34:05 +0000 (18:34 +0100)]
basic: add RB-Tree implementation
This adds an self-standing RB-Tree implementation to src/basic/. This
will be needed for NSEC RR lookups, since we need "close lookups", which
hashmaps (not even ordered-hashmaps) can give us in reasonable time.
Martin Pitt [Mon, 7 Dec 2015 16:35:32 +0000 (17:35 +0100)]
Merge pull request #2109 from keszybz/udev-null-deref
Udev null deref