platform/upstream/systemd.git
Tom Gundersen [Mon, 28 Dec 2015 14:05:50 +0000 (15:05 +0100)]
Merge pull request #2232 from poettering/dnssec8

Eighth DNSSEC patch set

Lennart Poettering [Mon, 28 Dec 2015 00:18:40 +0000 (01:18 +0100)]
resolved: update DNSSEC TODO

Lennart Poettering [Mon, 28 Dec 2015 00:16:28 +0000 (01:16 +0100)]
resolved: also use RRSIG expiry for negative caching

This makes sure that we also honour the RRSIG expiry for negative
caching.

Lennart Poettering [Sun, 27 Dec 2015 23:30:56 +0000 (00:30 +0100)]
resolved: use RRSIG expiry and original TTL for cache management

When we verified a signature, fix up the RR's TTL to the original TTL
mentioned in the signature, and store the signature expiry information
in the RR, too. Then, use that when adding RRs to the cache.

Lennart Poettering [Sun, 27 Dec 2015 21:58:17 +0000 (22:58 +0100)]
resolved: clean up dns_transaction_stop()

This renames dns_transaction_stop() to dns_transaction_stop_timeout()
and makes it only about stopping the transaction timeout. This is safe,
as in most occasions we call dns_transaction_stop() at the same time as
dns_transaction_close_connection() anyway, which does the rest of what
dns_transaction_stop() used to do. And in the one where we don't call
it, it's implicitly called by the UDP emission or TCP connection code.

This also closes the connections as we enter the validation phase of a
transaction, so that no further messages may be received then.

Lennart Poettering [Sun, 27 Dec 2015 21:56:08 +0000 (22:56 +0100)]
resolved: only keep a single list of supported signature algorithms

This removes dnssec_algorithm_supported() and simply uses the
algorithm_to_gcrypt() result as indication whether a DNSSEC algorithm is
supported.

The patch also renames "algorithm" to "md_algorithm", in a few cases, in
order to avoid confusion between DNSSEC signature algorithms and gcrypt
message digest algorithms.

Lennart Poettering [Sun, 27 Dec 2015 21:22:39 +0000 (22:22 +0100)]
resolve-host: log RR parsing errors

Lennart Poettering [Sun, 27 Dec 2015 20:35:00 +0000 (21:35 +0100)]
resolved: add ECDSA signature support

Lennart Poettering [Sun, 27 Dec 2015 20:14:29 +0000 (21:14 +0100)]
shared: relax restrictions on valid domain name characters a bit

Previously, we'd not allow control characters to be embedded in domain
names, even when escaped. Since Cloudflare uses \000 however to
implement its synthetic minimally covering NSEC RRs, we should allow
them, as long as they are properly escaped.

Lennart Poettering [Sun, 27 Dec 2015 13:05:45 +0000 (14:05 +0100)]
resolved: split out RSA-specific code from dnssec_verify_rrset()

In preparation for ECDSA support.

Lennart Poettering [Sun, 27 Dec 2015 12:07:36 +0000 (13:07 +0100)]
resolved: simplify MD algorithm initialization a bit

Lennart Poettering [Sun, 27 Dec 2015 11:58:37 +0000 (12:58 +0100)]
resolved: add SHA384 digest support

Marcel Holtmann [Sun, 27 Dec 2015 22:07:05 +0000 (23:07 +0100)]
hwdb: Update database of Bluetooth company identifiers

Tom Gundersen [Sun, 27 Dec 2015 20:19:28 +0000 (21:19 +0100)]
Merge pull request #2225 from poettering/dnssec7

Seventh DNSSEC patchset

Lennart Poettering [Sun, 27 Dec 2015 00:35:00 +0000 (01:35 +0100)]
resolved: rename "features" variables to "feature_level"

The name "features" suggests an orthogonal bitmap or suchlike, but the
variables really encode only a linear set of feature levels. The type
used is already called DnsServerFeatureLevel, hence fix up the variables
accordingly, too.

Lennart Poettering [Sat, 26 Dec 2015 17:49:32 +0000 (18:49 +0100)]
resolved: rework OPT RR generation logic

This moves management of the OPT RR out of the scope management and into
the server and packet management. There are now explicit calls for
appending and truncating the OPT RR from a packet
(dns_packet_append_opt() and dns_packet_truncate_opt()) as well as a
call to do the right thing depending on a DnsServer's feature level
(dns_server_adjust_opt()).

This also unifies the code to pick a server between the TCP and UDP code
paths, and makes sure the feature level used for the transaction is
selected at the time the server is picked, and not changed until the
next time we pick a server. The server selection code is now unified in
dns_transaction_pick_server().

This all fixes problems when changing between UDP and TCP communication
for the same server, and makes sure the UDP and TCP codepaths are more
alike. It also makes sure we never keep the UDP port open when switching
to TCP, so that we don't have to handle incoming datagrams on the latter
we don't expect.

As the new code picks the DNS server at the time we make a connection,
we don't need to invalidate the DNS server anymore when changing to the
next one, thus dns_transaction_next_dns_server() has been removed.

Lennart Poettering [Sat, 26 Dec 2015 17:48:37 +0000 (18:48 +0100)]
resolved: reuse dns_transaction_stop() when destructing transaction objects

Lennart Poettering [Sat, 26 Dec 2015 13:53:17 +0000 (14:53 +0100)]
resolved: add dns_transaction_close_connection()

This new call unifies how we shut down all connection resources, such as
UDP sockets, event sources, and TCP stream objects.

This patch just adds the basic hook-up, this function will be used more
in later commits.

Lennart Poettering [Sat, 26 Dec 2015 13:39:49 +0000 (14:39 +0100)]
resolved: make sure we reset the DNSSEC result when we accept a response packet

Lennart Poettering [Sat, 26 Dec 2015 13:38:37 +0000 (14:38 +0100)]
resolved: improve some log messages a bit

Indicate that we ignore invalid messages

Lennart Poettering [Sat, 26 Dec 2015 13:37:07 +0000 (14:37 +0100)]
resolved: never proceed processing truncated packets

Make sure we don't end up processing packets that are truncated.
Instead, actually let the TCP connection do its thing.

Lennart Poettering [Sat, 26 Dec 2015 13:18:11 +0000 (14:18 +0100)]
resolved: remember explicitly whether we already tried a stream connection

On LLMNR we never want to retry stream connections (since local TCP
connections should work, and we don't want to unnecessarily delay
operation), explicitly remember whether we already tried one, instead of
deriving this from a still stored stream object. This way, we can free
the stream early, without forgetting that we tried it.

Lennart Poettering [Sat, 26 Dec 2015 13:15:51 +0000 (14:15 +0100)]
resolved: make sure we GC stream transactions properly

Make sure to GC a transaction after dealing with a reply, even if the
transaction is not complete yet.

Lennart Poettering [Sat, 26 Dec 2015 11:58:01 +0000 (12:58 +0100)]
resolved: ignore additional DNS responses we get while validating

No need to choke on them.

Lennart Poettering [Sat, 26 Dec 2015 11:53:08 +0000 (12:53 +0100)]
resolved: introduce dns_transaction_reset_answer()

Let's unify how we reset the answer data we collected, after all pretty
much every time we do it incompletely so far, let's fix it.

Lennart Poettering [Sat, 26 Dec 2015 11:43:28 +0000 (12:43 +0100)]
shared: fix handling of suffix "." in dns_name_compare_func()

All our other domain name handling functions make no distinction between
domain names that end in a dot plus a NUL, or those just ending in a
NUL. Make sure dns_name_compare_func() and dns_label_unescape_suffix()
do the same.

Lennart Poettering [Sat, 26 Dec 2015 11:43:03 +0000 (12:43 +0100)]
shared: fix error propagation in dns_name_compare_func()

Lennart Poettering [Sat, 26 Dec 2015 11:36:24 +0000 (12:36 +0100)]
resolved: don't unnecessarily allocate memory in dns_packet_append_name()

When compression support is off, there's no point in duplicating the
name string. Hence, don't do it.

Lennart Poettering [Fri, 25 Dec 2015 14:57:49 +0000 (15:57 +0100)]
resolved: name TCP and UDP socket calls uniformly

Previously the calls for emitting DNS UDP packets were just called
dns_{transaction|scope}_emit(), but the one to establish a DNS TCP
connection was called dns_transaction_open_tcp(). Clean this up, and
rename them dns_{transaction|scope}_emit_udp() and
dns_transaction_open_tcp().

Lennart Poettering [Fri, 25 Dec 2015 14:05:46 +0000 (15:05 +0100)]
resolved: add an automatic downgrade to non-DNSSEC mode

This adds a mode that makes resolved automatically downgrade from DNSSEC
support to classic non-DNSSEC resolving if the configured DNS server is
not capable of DNSSEC. Enabling this mode increases compatibility with
crappy network equipment, but of course opens up the system to
downgrading attacks.

The new mode can be enabled by setting DNSSEC=downgrade-ok in
resolved.conf. DNSSEC=yes otoh remains a "strict" mode, where DNS
resolving rather fails than allow downgrading.

Downgrading is done:

- when the server does not support EDNS0+DO
- or when the server supports it but does not augment returned RRs with
  RRSIGs. The latter is detected when requesting DS or SOA RRs for the
  root domain (which is necessary to do proofs for unsigned data)

Lennart Poettering [Fri, 25 Dec 2015 14:01:37 +0000 (15:01 +0100)]
resolved: no need to store return value of dns_server_possible_features()

The call already updates possible_features, it's pointless doing this in
the caller a second time.

Lennart Poettering [Fri, 25 Dec 2015 11:58:07 +0000 (12:58 +0100)]
resolved: don't set TCP_NODELAY twice for TCP sockets

We previously set it once in the scope code and once in the stream code.
Remove it from the latter, as all other socket options are set in the
former.

Lennart Poettering [Fri, 25 Dec 2015 11:54:27 +0000 (12:54 +0100)]
resolved: generate an explicit transaction error when we cannot reach server via TCP

Previously, if we couldn't reach a server via UDP we'd generate an
MAX_ATTEMPTS transaction result, but if we couldn't reach it via TCP
we'd generate a RESOURCES transaction result. While it is OK to generate
two different errors I think, "RESOURCES" is certainly a misnomer.
Introduce a new transaction result "CONNECTION_FAILURE" instead.

Lennart Poettering [Thu, 24 Dec 2015 13:08:22 +0000 (14:08 +0100)]
resolved: deal with unsigned DS/NSEC/NSEC3 properly

Previously, we'd insist on an RRSIG for all DS/NSEC/NSEC3 RRs. With this
change we don't do that anymore, but also allow unsigned DS/NSEC/NSEC3
if we can prove that the zone they are located in is unsigned.

Lennart Poettering [Wed, 23 Dec 2015 23:24:10 +0000 (00:24 +0100)]
resolved: log each dnssec failure, in a recognizable way

Lennart Poettering [Wed, 23 Dec 2015 18:06:36 +0000 (19:06 +0100)]
resolved: gather statistics about resolved names

This collects statistical data about transactions, dnssec verifications
and the cache, and exposes it over the bus. The systemd-resolve-host
tool learns new options to query these statistics and reset them.

Lennart Poettering [Tue, 22 Dec 2015 17:22:19 +0000 (18:22 +0100)]
resolved: if we accepted unauthenticated NSEC/NSEC3 RRs, use them for proofs

But keep track that the proof is not authenticated.

Lennart Poettering [Tue, 22 Dec 2015 17:21:25 +0000 (18:21 +0100)]
resolved: don't insist on finding DNSKEYs for RRsets of zones with DNSSEC off

Lennart Poettering [Tue, 22 Dec 2015 17:20:09 +0000 (18:20 +0100)]
resolved: be stricter when searching for a DS RR for a DNSKEY RR

Lennart Poettering [Tue, 22 Dec 2015 17:19:48 +0000 (18:19 +0100)]
resolved: make use of dns_type_may_redirect() where possible

Lennart Poettering [Mon, 21 Dec 2015 21:07:41 +0000 (22:07 +0100)]
update DNSSEC TODO

Lennart Poettering [Mon, 21 Dec 2015 20:06:29 +0000 (21:06 +0100)]
resolved: tighten search for NSEC3 RRs a bit

Be stricter when searching suitable NSEC3 RRs for proof: generalize the
check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add
additional checks, such as checking whether all NSEC3 RRs use the same
parameters, have the same suffix and so on.

Lennart Poettering [Mon, 21 Dec 2015 19:00:34 +0000 (20:00 +0100)]
resolved: when doing NSEC3 proof, first find right NSEC3 suffix

When doing an NSEC3 proof, before determining whether a name is the
closest encloser we first need to figure out the longest common suffix
we have with any NSEC3 RR in the reply.

Lennart Poettering [Mon, 21 Dec 2015 18:57:34 +0000 (19:57 +0100)]
resolved: properly implement RRSIG validation of wildcarded RRsets

Note that this is still not complete, one additional step is still
missing: when we verified that a wildcard RRset is properly signed, we
still need to do an NSEC/NSEC3 proof that no more specific RRset exists.

Lennart Poettering [Mon, 21 Dec 2015 18:56:05 +0000 (19:56 +0100)]
resolved: never use data from failed transactions

Otherwise if we have an A lookup that failed DNSSEC validation, but an
AAAA lookup that succeeded, we might end up using the A data, but we
really should not.

Lennart Poettering [Mon, 21 Dec 2015 18:54:54 +0000 (19:54 +0100)]
resolved: don't choke on NSEC/NSEC3 RRs with no bitmap

This might happen in some cases (empty non-terminals...) and we should
not choke on it.

Lennart Poettering [Mon, 21 Dec 2015 18:53:41 +0000 (19:53 +0100)]
bitmap: don't do bitwise XOR on booleans

It's weird doing bitwise operations on booleans. Let's use the boolean
XOR (i.e. "!=") instead of the bitwise XOR (i.e. "^") on them.

Lennart Poettering [Mon, 21 Dec 2015 18:53:15 +0000 (19:53 +0100)]
util-lib: make sure more bitmap calls can deal with NULL objects fine

Lennart Poettering [Mon, 21 Dec 2015 15:31:29 +0000 (16:31 +0100)]
resolved: internalize string buffer of dns_resource_record_to_string()

Let's simplify usage and memory management of DnsResourceRecord's
dns_resource_record_to_string() call: cache the formatted string as
part of the object, and return it on subsequent calls, freeing it when
the DnsResourceRecord itself is freed.

Lennart Poettering [Mon, 21 Dec 2015 15:29:13 +0000 (16:29 +0100)]
resolved: when matching SOA RRs, don't eat up errors

Lennart Poettering [Mon, 21 Dec 2015 15:28:35 +0000 (16:28 +0100)]
resolved: when matching SOA RRs, honour RR class

Lennart Poettering [Mon, 21 Dec 2015 15:27:13 +0000 (16:27 +0100)]
resolved: when looking for a SOA RR in a reply, pick the right one

If there are multiple SOA RRs, and we look for a suitable one covering
our request, then make sure to pick the one that is furthest away from
the root name, not just the first one we encounter.

Lennart Poettering [Mon, 21 Dec 2015 15:24:58 +0000 (16:24 +0100)]
resolved: when caching NXDOMAIN for an RR, make sure we flush out old ANY entries

We use ANY RR keys to store NXDOMAIN information, but we previously
didn't flush out old ANY RR items in the cache when adding new entries.
Fix that.

Lennart Poettering [Mon, 21 Dec 2015 15:23:48 +0000 (16:23 +0100)]
resolved: split out a new dns_type_may_redirect() call

Let's abstract which RRs shall honour CNAMEs, and which ones should not.

Lennart Poettering [Mon, 21 Dec 2015 15:20:49 +0000 (16:20 +0100)]
resolve-host: propagate error properly

Lennart Poettering [Sat, 26 Dec 2015 17:53:50 +0000 (18:53 +0100)]
Merge pull request #2224 from keszybz/analyze-verify-warning

manager: do not set up signals in test mode

Zbigniew Jędrzejewski-Szmek [Fri, 25 Dec 2015 16:16:18 +0000 (11:16 -0500)]
Merge pull request #2197 from mscherer/add_seal_config

Add Seal option in the configuration file for journald-remote

Zbigniew Jędrzejewski-Szmek [Fri, 25 Dec 2015 05:38:05 +0000 (00:38 -0500)]
Merge pull request #2223 from ssahani/lldp

Closes #2223.

Zbigniew Jędrzejewski-Szmek [Fri, 25 Dec 2015 05:24:16 +0000 (00:24 -0500)]
manager: do not set up signals in test mode

When we are running in test mode, we don't expect any signals.
In fact ^C should end the program. This also avoids permission
issues when running systemd-analyze verify.

Susant Sahani [Fri, 25 Dec 2015 05:18:23 +0000 (10:48 +0530)]
V3 LLDP: Add packet validation (system name and description)

LLDP type system name and system description should
be within 255 characters and unique.

Let's add the validation to discard corrupt packets.

Susant Sahani [Fri, 25 Dec 2015 05:12:43 +0000 (10:42 +0530)]
lldp: improve logging

Zbigniew Jędrzejewski-Szmek [Fri, 25 Dec 2015 04:59:48 +0000 (23:59 -0500)]
Merge pull request #2153 from evverx/fix-verify-for-templates

analyze: verify verifies templates too

Lennart Poettering [Wed, 23 Dec 2015 23:46:19 +0000 (00:46 +0100)]
Merge pull request #2216 from zonque/nameownerchanged

core: re-sync bus name list after deserializing during daemon-reload

Daniel Mack [Tue, 22 Dec 2015 10:37:09 +0000 (11:37 +0100)]
core: re-sync bus name list after deserializing during daemon-reload

When the daemon reloads, it does not actually give up its DBus connection,
as wrongly stated in an earlier commit. However, even though the bus
connection stays open, the daemon flushes out all its internal state.

Hence, if there is a NameOwnerChanged signal after the flush and before the
deserialization, it cannot be matched against any pending unit.

To fix this, rename bus_list_names() to manager_sync_bus_names() and call
it explicitly at the end of the daemon reload operation.

Lennart Poettering [Wed, 23 Dec 2015 20:31:07 +0000 (21:31 +0100)]
Merge pull request #2158 from keszybz/journal-decompression

Journal decompression fixes

Lennart Poettering [Wed, 23 Dec 2015 20:07:07 +0000 (21:07 +0100)]
Merge pull request #2214 from zonque/leak

Core: plug a memory leak in socket.c, and some related cleanups

Daniel Mack [Tue, 22 Dec 2015 10:32:25 +0000 (11:32 +0100)]
socket: nullify pointers after free

A socket shouldn't be used after socket_done() returns, but follow the
general guideline here and avoid dangling pointers anyway.

Daniel Mack [Tue, 22 Dec 2015 10:03:53 +0000 (11:03 +0100)]
socket: free fdname member

Plug a small memory leak.

Lennart Poettering [Mon, 21 Dec 2015 13:24:29 +0000 (14:24 +0100)]
Merge pull request #2202 from zonque/nameownerchanged

core: fix bus name synchronization after daemon-reload

Lennart Poettering [Mon, 21 Dec 2015 13:21:29 +0000 (14:21 +0100)]
Merge pull request #2204 from zonque/sd-event-debug

sd-event: improve debugging of event source errors

Daniel Mack [Mon, 21 Dec 2015 12:03:24 +0000 (13:03 +0100)]
sd-event: improve debugging of event source errors

Printing the pointer variable really doesn't help, so drop that.

Instead, add a string lookup table for the EventSourceType enum, and print
the type of event source in case of errors.

Daniel Mack [Mon, 21 Dec 2015 11:09:46 +0000 (12:09 +0100)]
Merge pull request #2203 from mbiebl/man-typo-fix

man: fix typo in systemctl(1)

Michael Biebl [Mon, 21 Dec 2015 10:54:41 +0000 (11:54 +0100)]
man: fix typo in systemctl(1)

Daniel Mack [Fri, 18 Dec 2015 16:28:15 +0000 (17:28 +0100)]
core: fix bus name synchronization after daemon-reload

During daemon-reload, PID1 temporarily loses its DBus connection, so there's
a small window in which all signals sent by dbus-daemon are lost.

This is a problem, since we rely on the NameOwnerChanged signals in order to
consider a service with Type=dbus fully started or terminated, respectively.

In order to fix this, a rewrite of bus_list_names() is necessary. We used
to walk the current list of names on the bus, and blindly triggered the
bus_name_owner_change() callback on each service, providing the actual name
as current owner. This implementation has a number of problems:

* We cannot detect if the name was moved from one owner to the other
  while we were reloading

* We don't notify services which missed the name loss signal

* Providing the actual name as current owner is a hack, as the comment also
  admits.

To fix this, this patch carries the following changes:

* Track the name of the current bus name owner, and (de-)serialize it
  during reload. This way, we can detect changes.

* In bus_list_names(), walk the list of bus names we're interested in
  first, and then see if the name is active on the bus. If it is,
  check if it's still the same as it used to be, and synthesize
  NameOwnerChanged signals for the name add and/or loss.

This should fully synchronize the current name list with the internal
state of all services.

Daniel Mack [Sun, 20 Dec 2015 18:46:19 +0000 (19:46 +0100)]
Merge pull request #2199 from phomes/resolve-indentation

resolve: fix indentation

Thomas Hindoe Paaboel Andersen [Sun, 20 Dec 2015 15:58:44 +0000 (16:58 +0100)]
resolve: fix indentation

Michael Scherer [Sun, 20 Dec 2015 12:23:33 +0000 (13:23 +0100)]
Add Seal option in the configuration file for journald-remote

While journal received remotely can be sealed, it can only be done
on the command line using --seal, so for consistency, we will
also permit to set it in the configuration file.

Tom Gundersen [Sun, 20 Dec 2015 01:35:44 +0000 (01:35 +0000)]
Merge pull request #2190 from poettering/dnssec6

Add DNSSEC proof of unsignedness and NSEC3 proof

Daniel Mack [Sat, 19 Dec 2015 23:58:19 +0000 (00:58 +0100)]
Merge pull request #2193 from ToostInc/logindbus-typo-fix

Fix typo on logind-dbus.c

Joost Bremmer [Sat, 19 Dec 2015 11:46:09 +0000 (12:46 +0100)]
Fix typo on logind-dbus.c

method_schedule_shutdown referenced org.freedesktop.login1.poweroff*
which is never registered in polkit.

Now refers to org.freedesktop.login1.power-off*

Signed-off-by: Joost Bremmer <toost.b@gmail.com>

Lennart Poettering [Fri, 18 Dec 2015 19:21:14 +0000 (20:21 +0100)]
resolved: propagate DNSSEC validation status from auxiliary transactions

Let's make sure we propagate the DNSSEC validation status from an
auxiliary DNSSEC transaction back to the originating transaction, to
improve the error messages we generate.

Lennart Poettering [Fri, 18 Dec 2015 19:09:30 +0000 (20:09 +0100)]
resolved: propagate the DNSSEC result from the transaction to the query and the bus client

It's useful to generate useful errors, so let's do that.

Lennart Poettering [Fri, 18 Dec 2015 18:49:25 +0000 (19:49 +0100)]
resolved: rename DNS_TRANSACTION_FAILURE → DNS_TRANSACTION_RCODE_FAILURE

We have many types of failure for a transaction, and
DNS_TRANSACTION_FAILURE was just one specific one of them, if the server
responded with a non-zero RCODE. Hence let's rename this, to indicate
which kind of failure this actually refers to.

Lennart Poettering [Fri, 18 Dec 2015 18:46:27 +0000 (19:46 +0100)]
resolved: merge two comments

Lennart Poettering [Fri, 18 Dec 2015 18:44:15 +0000 (19:44 +0100)]
resolved: rename dns_cache_item_remove_and_free() → _unlink_and_free()

In most of the other calls, we called similar functions that remove the
data structure link-ups to other objects "unlink", hence we should here,
too.

Lennart Poettering [Fri, 18 Dec 2015 18:43:10 +0000 (19:43 +0100)]
resolved: rename dns_cache_remove() → dns_cache_remove_by_key()

Given that we already have dns_cache_remove_by_rr() this makes clearer
what the operation actually does.

Lennart Poettering [Fri, 18 Dec 2015 18:42:02 +0000 (19:42 +0100)]
resolved: add a call that dumps the contents of a DnsAnswer structure

This is not used anywhere, but it's extremely useful when debugging.

Lennart Poettering [Fri, 18 Dec 2015 18:32:46 +0000 (19:32 +0100)]
resolved: rework mDNS cache-flush bit handling

This adds a new DnsAnswer item flag "DNS_ANSWER_SHARED_OWNER" which is
set for mDNS RRs that lack the cache-flush bit. The cache-flush bit is
removed from the DnsResourceRecord object in favour of this.

This also splits out the code that removes previous entries when adding
new positive ones into a new separate call dns_cache_remove_previous().

Lennart Poettering [Fri, 18 Dec 2015 18:31:21 +0000 (19:31 +0100)]
resolved: properly determine size of DnsAnswer object

After all we want to allow NULL DnsAnswer objects as equivalent to empty
ones, hence we should use the right checks everywhere.

Lennart Poettering [Fri, 18 Dec 2015 18:29:47 +0000 (19:29 +0100)]
resolved: pass out precise authenticated bit we got passed in

Make sure the cache never alters the authenticated bit of RRs stored in
it, and drops it for RRs when passing it out again.

Lennart Poettering [Fri, 18 Dec 2015 18:27:16 +0000 (19:27 +0100)]
resolved: don't honour mDNS cache-flush bit for OPT RRs

OPT RRs after all use the class field for other purposes than actually
encoding a class, hence the cache flush bit doesn't apply really.

Lennart Poettering [Fri, 18 Dec 2015 18:25:04 +0000 (19:25 +0100)]
resolve: optimize dns_cache_flush() a bit

Let's use dns_cache_remove() rather than
dns_cache_item_remove_and_free() to destroy the cache, since the former
requires far fewer hash table lookups.

Lennart Poettering [Fri, 18 Dec 2015 18:22:26 +0000 (19:22 +0100)]
resolved: when receiving a TTL=0 RR, only flush that specific RR

When we receive a TTL=0 RR, then let's only flush that specific RR and
not the whole RRset.

On mDNS with RRsets that are shared-owner this is how specific RRs are
removed from the set, hence support this. And on non-mDNS the whole
RRset will already be removed much earlier in dns_cache_put() hence
there's no reason to remove it again.

Lennart Poettering [Fri, 18 Dec 2015 18:19:56 +0000 (19:19 +0100)]
resolved: optimize dns_cache_remove() a bit

Lennart Poettering [Fri, 18 Dec 2015 18:15:34 +0000 (19:15 +0100)]
resolved: use dns_name_parent() where appropriate

Lennart Poettering [Fri, 18 Dec 2015 18:12:48 +0000 (19:12 +0100)]
resolved: check SOA authentication state when negative caching

We should never use the TTL of an unauthenticated SOA to cache an
authenticated RR.

Lennart Poettering [Fri, 18 Dec 2015 18:09:27 +0000 (19:09 +0100)]
resolved: don't call dns_cache_remove() from dns_cache_put_negative()

We call it anyway as one of the first calls in dns_cache_put(), hence
there's no reason to do this multiple times.

Lennart Poettering [Fri, 18 Dec 2015 18:07:31 +0000 (19:07 +0100)]
resolved: bump cache size a bit

Let's keep entries for longer and more of them. After all, due to the
DNSSEC hookup the amount of RRs we need to store is much higher now.

Lennart Poettering [Fri, 18 Dec 2015 18:06:23 +0000 (19:06 +0100)]
resolved: make use of dns_{class|type}_is_{pseudo|valid_rr}() everywhere

Lennart Poettering [Fri, 18 Dec 2015 17:57:08 +0000 (18:57 +0100)]
resolved: refuse accepting EDNS0 OPT RRs with a non-root domain