platform/upstream/systemd.git
8 years agoresolved: move trust anchor files to /etc/dnssec-trust-anchors.d/
Lennart Poettering [Tue, 5 Jan 2016 13:18:18 +0000 (14:18 +0100)]
resolved: move trust anchor files to /etc/dnssec-trust-anchors.d/

These files are not specific to resolved really, and this is then more
in-line with how /etc/sysctl.d and suchlike is handled.

8 years agoresolved: when caching negative responses, honour NSEC/NSEC3 TTLs
Lennart Poettering [Tue, 5 Jan 2016 00:35:28 +0000 (01:35 +0100)]
resolved: when caching negative responses, honour NSEC/NSEC3 TTLs

When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existance, if it there is any.

This is necessary since otherwise an attacker might put together a faked
negative response for one of our question including a high-ttl SOA RR
for any parent zone, and we'd use trust the TTL.

8 years agoman: add basic documentation for resolved.conf's DNSSEC= switch
Lennart Poettering [Mon, 4 Jan 2016 23:31:32 +0000 (00:31 +0100)]
man: add basic documentation for resolved.conf's DNSSEC= switch

8 years agoupdate DNSSEC TODO
Lennart Poettering [Mon, 4 Jan 2016 21:43:25 +0000 (22:43 +0100)]
update DNSSEC TODO

8 years agoresolved: explicitly handle case when the trust anchor is empty
Lennart Poettering [Mon, 4 Jan 2016 21:35:54 +0000 (22:35 +0100)]
resolved: explicitly handle case when the trust anchor is empty

Since we honour RFC5011 revoked keys it might happen we end up with an
empty trust anchor, or one where there's no entry for the root left.
With this patch the logic is changed what to do in this case.

Before this patch we'd end up requesting the root DS, which returns with
NODATA but a signed NSEC we cannot verify, since the trust anchor is
empty after all. Thus we'd return a DNSSEC result of "missing-key", as
we lack a verified version of the key.

With this patch in place, look-ups for the root DS are explicitly
recognized, and not passed on to the DNS servers. Instead, if
downgrade-ok mode is on an unsigned NODATA response is synthesized, so
that the validator code continues under the assumption the root zone was
unsigned. If downgrade-ok mode is off a new transaction failure is
generated, that makes this case recognizable.

8 years agoresolved: introduce a proper bus error for DNSSEC validation errors
Lennart Poettering [Mon, 4 Jan 2016 21:35:17 +0000 (22:35 +0100)]
resolved: introduce a proper bus error for DNSSEC validation errors

8 years agoresolved: explicitly avoid cyclic transaction dependencies
Lennart Poettering [Mon, 4 Jan 2016 21:25:38 +0000 (22:25 +0100)]
resolved: explicitly avoid cyclic transaction dependencies

We already try hard not to create cyclic transaction dependencies, where
a transaction requires another one for DNSSEC validation purposes, which
in turn (possibly indirectly) pulls in the original transaction again,
thus resulting in a cyclic dependency and ultimately a deadlock since
each transaction waits for another one forever.

So far we wanted to avoid such cyclic dependencies by only going "up the
tree" when requesting auxiliary RRs and only going from one RR type to
another, but never back. However this turned out to be insufficient.
Consider a domain that publishes one or more DNSKEY but which has no DS
for it. A request for the domain's DNSKEY triggers a request for the
domain's DS, which will then fail, but return an NSEC, signed by the
DNSKEY. To validate that we'd request the DNSKEY again. Thus a DNSKEY
request results in a DS request which results in the original DNSKEY
request again. If the original lookup had been a DS lookup we'd end up
in the same cyclic dependency, hence we cannot statically break one of
them, since both requests are of course fully valid. Hence, do full
cyclic dependency checking: each time we are about to add a dependency
to a transaction, check if the transaction is already a dependency of
the dependency (recursively down the tree).

8 years agoresolved: block transaction GC'ing while dns_transaction_request_dnssec_keys() is...
Lennart Poettering [Mon, 4 Jan 2016 21:22:47 +0000 (22:22 +0100)]
resolved: block transaction GC'ing while dns_transaction_request_dnssec_keys() is running

If any of the transactions started by
dns_transaction_request_dnssec_keys() finishes promptly without
requiring asynchronous operation this is reported back to the issuing
transaction from the same stackframe. This might ultimately result in
this transaction to be freed while we are still in its
_request_dnssec_keys() stack frame. To avoid memory corruption block the
transaction GC while in the call, and manually issue a GC after it
returned.

8 years agoupdate RFCs
Lennart Poettering [Mon, 4 Jan 2016 19:50:07 +0000 (20:50 +0100)]
update RFCs

8 years agoresolved: partially implement RFC5011 Trust Anchor support
Lennart Poettering [Mon, 4 Jan 2016 19:38:21 +0000 (20:38 +0100)]
resolved: partially implement RFC5011 Trust Anchor support

With this patch resolved will properly handle revoked keys, but not
augment the locally configured trust anchor database with newly learned
keys.

Specifically, resolved now refuses validating RRsets with
revoked keys, and it will remove revoked keys from the configured trust
anchors (only until reboot).

This patch does not add logic for adding new keys to the set of trust
anchors. This is a deliberate decision as this only can work with
persistent disk storage, and would result in a different update logic
for stateful and stateless systems.  Since we have to support stateless
systems anyway, and don't want to encourage two independent upgrade
paths we focus on upgrading the trust anchor database via the usual OS
upgrade logic.

Whenever a trust anchor entry is found revoked and removed from the
trust anchor a recognizable log message is written, encouraging the user
to update the trust anchor or update his operating system.

8 years agoresolved: fix DNSSEC canonical ordering logic
Lennart Poettering [Mon, 4 Jan 2016 19:27:45 +0000 (20:27 +0100)]
resolved: fix DNSSEC canonical ordering logic

When applying canonical DNSSEC ordering for an RRset only order by the
wire format of the RRs' RDATA, not by the full wire formatting. The RFC
isn't particularly clear about this, but this is apparently how it is
done. This fixes validation of pentagon.gov's DS RRset.

8 years agoresolved: actually make use of message ID when logging about failed DNSSEC validation
Lennart Poettering [Mon, 4 Jan 2016 19:25:55 +0000 (20:25 +0100)]
resolved: actually make use of message ID when logging about failed DNSSEC validation

8 years agoresolved: refuse revoked DNSKEYs in trust anchor
Lennart Poettering [Sun, 3 Jan 2016 16:57:44 +0000 (17:57 +0100)]
resolved: refuse revoked DNSKEYs in trust anchor

8 years agoresolved: never authenticate RRsets with revoked keys
Lennart Poettering [Sun, 3 Jan 2016 16:56:50 +0000 (17:56 +0100)]
resolved: never authenticate RRsets with revoked keys

8 years agoresolved: print a log message when we ignore an NSEC3 RR with an excessive amount...
Lennart Poettering [Sun, 3 Jan 2016 16:54:01 +0000 (17:54 +0100)]
resolved: print a log message when we ignore an NSEC3 RR with an excessive amount of iterations

8 years agoMerge pull request #2245 from ssahani/socket1
Lennart Poettering [Sun, 3 Jan 2016 13:19:37 +0000 (14:19 +0100)]
Merge pull request #2245 from ssahani/socket1

core: socket options fix SCTP_NODELAY

8 years agoMerge pull request #2254 from kelemeng/master
Lennart Poettering [Sun, 3 Jan 2016 13:19:00 +0000 (14:19 +0100)]
Merge pull request #2254 from kelemeng/master

Updated Hungarian translations

8 years agoMerge pull request #2255 from teg/resolved-fixes-2
Lennart Poettering [Sun, 3 Jan 2016 13:18:05 +0000 (14:18 +0100)]
Merge pull request #2255 from teg/resolved-fixes-2

Fixes to NSEC3 proof v2

8 years agoMerge pull request #2256 from poettering/dnssec10
Tom Gundersen [Sun, 3 Jan 2016 13:02:10 +0000 (14:02 +0100)]
Merge pull request #2256 from poettering/dnssec10

Tenth DNSSEC patch set

8 years agoresolve: add RFC4501 URI support to systemd-resolve-host
Lennart Poettering [Sun, 3 Jan 2016 11:58:26 +0000 (12:58 +0100)]
resolve: add RFC4501 URI support to systemd-resolve-host

8 years agoresolved: add negative trust anchro support, and add trust anchor configuration files
Lennart Poettering [Sat, 2 Jan 2016 21:12:13 +0000 (22:12 +0100)]
resolved: add negative trust anchro support, and add trust anchor configuration files

This adds negative trust anchor support and allows reading trust anchor
data from disk, from files
/etc/systemd/dnssec-trust-anchors.d/*.positive and
/etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching
counterparts in /usr/lib and /run.

The positive trust anchor files are more or less compatible to normal
DNS zone files containing DNSKEY and DS RRs. The negative trust anchor
files contain only new-line separated hostnames for which to require no
signing.

By default no trust anchor files are installed, in which case the
compiled-in root domain DS RR is used, as before. As soon as at least
one positive root anchor for the root is defined via trust anchor files
this buil-in DS RR is not added though.

8 years agoresolved: dnssec - properly take wildcards into account in NESC3 proof
Tom Gundersen [Fri, 1 Jan 2016 22:39:07 +0000 (23:39 +0100)]
resolved: dnssec - properly take wildcards into account in NESC3 proof

For NXDOMAIN, it is not sufficient to prove that the next-closest
enclosure does not exist, we must also prove that there is no
wildcard domain directly below the closest enclosure which would
synthesise the name that has been requested.

For positive responses, in addition to exact matches, we should
accept wildcard ones. In that case we must first prove that
there is no precise match (i.e., that the closest encounter
is not the record itself) and secondly that the source of
synthesis exists.

8 years agoresolved: dnssec - factor out hashed domain generation
Tom Gundersen [Sun, 3 Jan 2016 08:49:58 +0000 (09:49 +0100)]
resolved: dnssec - factor out hashed domain generation

8 years agoresolved: don't conclude NODATA if CNAME exists
Tom Gundersen [Fri, 1 Jan 2016 22:07:34 +0000 (23:07 +0100)]
resolved: don't conclude NODATA if CNAME exists

Instead introduce the new return-code DNSSEC_NSEC_CNAME to indicate
this condition. See RFC 6840, Section 4.3.

8 years agoAdd initial Hungarian message catalog translation
Gabor Kelemen [Sat, 2 Jan 2016 22:17:27 +0000 (23:17 +0100)]
Add initial Hungarian message catalog translation

8 years agoUpdate Hungarian translation
Gabor Kelemen [Sat, 2 Jan 2016 22:16:52 +0000 (23:16 +0100)]
Update Hungarian translation

8 years agoresolved: fix serialization of the root domain
Lennart Poettering [Sat, 2 Jan 2016 21:11:38 +0000 (22:11 +0100)]
resolved: fix serialization of the root domain

8 years agoresolved: only suffix RR key names with a dot if they don't have one yet
Lennart Poettering [Sat, 2 Jan 2016 20:34:17 +0000 (21:34 +0100)]
resolved: only suffix RR key names with a dot if they don't have one yet

8 years agoresolved: don't accept NSEC3 iteration fields unbounded
Lennart Poettering [Sat, 2 Jan 2016 20:33:17 +0000 (21:33 +0100)]
resolved: don't accept NSEC3 iteration fields unbounded

8 years agobasic: modernize conf-files.c a bit
Lennart Poettering [Sat, 2 Jan 2016 20:32:45 +0000 (21:32 +0100)]
basic: modernize conf-files.c a bit

8 years agoresolved: explain why we don't check IP addresses/ports of incoming DNS UDP traffic
Lennart Poettering [Sat, 2 Jan 2016 14:18:23 +0000 (15:18 +0100)]
resolved: explain why we don't check IP addresses/ports of incoming DNS UDP traffic

8 years agoresolved: extend RFCs list a bit
Lennart Poettering [Sat, 2 Jan 2016 14:18:05 +0000 (15:18 +0100)]
resolved: extend RFCs list a bit

8 years agoresolved: dnssec - add reference to the algorithm we implement
Tom Gundersen [Fri, 1 Jan 2016 15:48:35 +0000 (16:48 +0100)]
resolved: dnssec - add reference to the algorithm we implement

8 years agoresolved: dnssec - prepend hashed labels to zone name
Tom Gundersen [Fri, 1 Jan 2016 21:18:24 +0000 (22:18 +0100)]
resolved: dnssec - prepend hashed labels to zone name

All hashed names consist of the hashed label prepended to the zone name, not to the
closest enclosure.

8 years agoresolved: dnssec - rename some variables
Tom Gundersen [Fri, 1 Jan 2016 21:10:55 +0000 (22:10 +0100)]
resolved: dnssec - rename some variables

Makes the NSEC3 proof somewhat simpler to follow.

8 years agoresoled: dnssec - don't refuse to verify answer due to too many unrelated RRs
Tom Gundersen [Mon, 28 Dec 2015 18:05:59 +0000 (19:05 +0100)]
resoled: dnssec - don't refuse to verify answer due to too many unrelated RRs

Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we
actually try to verify, not about the total number of RRs in the RRSet.

8 years agoresolved: dnssec - fix off-by-one in RSA key parsing
Tom Gundersen [Mon, 28 Dec 2015 17:03:34 +0000 (18:03 +0100)]
resolved: dnssec - fix off-by-one in RSA key parsing

If the first byte of the key is zero, the key-length is stored in
the second and third byte (not first and second).

8 years agoMerge pull request #2241 from poettering/dnssec9
Tom Gundersen [Fri, 1 Jan 2016 10:19:19 +0000 (11:19 +0100)]
Merge pull request #2241 from poettering/dnssec9

Ninth DNSSEC patch set

8 years agocore: socket options fix SCTP_NODELAY
Susant Sahani [Thu, 31 Dec 2015 06:35:57 +0000 (12:05 +0530)]
core: socket options fix SCTP_NODELAY

SCTP_NODELAY is diffrent to TCP_NODELAY.
Apply proper options in case of SCTP.

8 years agoMerge pull request #2229 from cjmayo/m500
Martin Pitt [Wed, 30 Dec 2015 10:27:52 +0000 (11:27 +0100)]
Merge pull request #2229 from cjmayo/m500

hwdb: move Logitech M-U0007 [M500] to 1000dpi

8 years agoresolved: add a list of DNS-related RFCs and their implementation status in resolved
Lennart Poettering [Tue, 29 Dec 2015 20:27:11 +0000 (21:27 +0100)]
resolved: add a list of DNS-related RFCs and their implementation status in resolved

8 years agoresolved: append RFC6975 algorithm data to EDNS OPT RR
Lennart Poettering [Tue, 29 Dec 2015 19:52:27 +0000 (20:52 +0100)]
resolved: append RFC6975 algorithm data to EDNS OPT RR

8 years agoresolved: NSEC3 hash algorithms are distinct from DS digest algorithms
Lennart Poettering [Tue, 29 Dec 2015 19:50:03 +0000 (20:50 +0100)]
resolved: NSEC3 hash algorithms are distinct from DS digest algorithms

Previously, we'd use the same set of identifiers for both, but that's
actually incorrect. It didn't matter much since the only NSEC3 hash
algorithm defined (SHA-1) is mapped to code 1 which is also what it is
encoded as in DS digests, but we really should make sure to use two
distinct enumerations.

8 years agoupdate DNSSEC TODO
Lennart Poettering [Tue, 29 Dec 2015 18:27:55 +0000 (19:27 +0100)]
update DNSSEC TODO

8 years agoresolved: add comments referencing various RFCs to various places
Lennart Poettering [Tue, 29 Dec 2015 18:27:09 +0000 (19:27 +0100)]
resolved: add comments referencing various RFCs to various places

8 years agoresolved: include GOST in list of DNSSEC algorithms
Lennart Poettering [Tue, 29 Dec 2015 18:09:14 +0000 (19:09 +0100)]
resolved: include GOST in list of DNSSEC algorithms

We don't implement it, and we have no intention to, but at least mention
that it exists.

(This also adds a couple of other algorithms to the algorithm string
list, where these strings were missing previously.)

8 years agoresolved: use CLAMP() intsead of MIN(MAX())
Lennart Poettering [Tue, 29 Dec 2015 18:08:22 +0000 (19:08 +0100)]
resolved: use CLAMP() intsead of MIN(MAX())

8 years agoresolved: don't allow RRs with TTL=0 and TTL!=0 in the same RRset
Lennart Poettering [Tue, 29 Dec 2015 18:06:12 +0000 (19:06 +0100)]
resolved: don't allow RRs with TTL=0 and TTL!=0 in the same RRset

8 years agoresolved: parse EDNS0 rcode extension bits
Lennart Poettering [Tue, 29 Dec 2015 18:04:35 +0000 (19:04 +0100)]
resolved: parse EDNS0 rcode extension bits

8 years agoresolved: reset RR TTL to 0, if MSB is set
Lennart Poettering [Tue, 29 Dec 2015 18:00:53 +0000 (19:00 +0100)]
resolved: reset RR TTL to 0, if MSB is set

RFC 2181, Section 8 suggests to treat an RR TTL with the MSB set as 0.
Implement this.

8 years agoresolved: properly handle SRV RRs with the DNS root as hostname
Lennart Poettering [Tue, 29 Dec 2015 17:58:05 +0000 (18:58 +0100)]
resolved: properly handle SRV RRs with the DNS root as hostname

8 years agoresolved: add errno mapping for BUS_ERROR_CONNECTION_FAILURE
Lennart Poettering [Tue, 29 Dec 2015 17:55:58 +0000 (18:55 +0100)]
resolved: add errno mapping for BUS_ERROR_CONNECTION_FAILURE

This was missing when the error type was added in
ac720200b7e5b80cc4985087e38f3452e5b3b080.

8 years agoresolved: change mapping of BUS_ERROR_NO_NAME_SERVERS to ESRCH
Lennart Poettering [Tue, 29 Dec 2015 17:55:17 +0000 (18:55 +0100)]
resolved: change mapping of BUS_ERROR_NO_NAME_SERVERS to ESRCH

EIO is really too generic, and indicates transmission problems.

8 years agoMerge pull request #2237 from evverx/fix-valgrind-tests
Lennart Poettering [Tue, 29 Dec 2015 20:35:24 +0000 (21:35 +0100)]
Merge pull request #2237 from evverx/fix-valgrind-tests

build-sys: fix valgrind-tests

8 years agoMerge pull request #2239 from evverx/fix-memory-leak-in-test-bus-marshal
Lennart Poettering [Tue, 29 Dec 2015 20:31:29 +0000 (21:31 +0100)]
Merge pull request #2239 from evverx/fix-memory-leak-in-test-bus-marshal

tests: fix memory leak in test-bus-marshal

8 years agotests: fix memory leak in test-bus-marshal
Evgeny Vereshchagin [Tue, 29 Dec 2015 12:41:36 +0000 (12:41 +0000)]
tests: fix memory leak in test-bus-marshal

Fixes:
```
$ ./configure ... --enable-dbus
$ make
$ make valgrind-tests TESTS=test-bus-marshal
...
==25301== 51 bytes in 1 blocks are definitely lost in loss record 7 of 18
==25301==    at 0x4C2DD9F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==25301==    by 0x5496B8C: ??? (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3)
==25301==    by 0x54973E3: _dbus_string_append_printf_valist (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3)
==25301==    by 0x547E5C2: _dbus_set_error_valist (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3)
==25301==    by 0x547E73E: dbus_set_error (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3)
==25301==    by 0x548969A: dbus_message_demarshal (in /lib/x86_64-linux-gnu/libdbus-1.so.3.14.3)
==25301==    by 0x115C1A: main (test-bus-marshal.c:244)
==25301==
```

8 years agoMerge pull request #2233 from kinvolk/alban/cgroup2-userns
Lennart Poettering [Tue, 29 Dec 2015 11:39:25 +0000 (12:39 +0100)]
Merge pull request #2233 from kinvolk/alban/cgroup2-userns

nspawn: userns and unified cgroup: chown cgroup.events

8 years agobuild-sys: fix valgrind-tests
Evgeny Vereshchagin [Tue, 29 Dec 2015 07:11:53 +0000 (07:11 +0000)]
build-sys: fix valgrind-tests

Fixes:
```
$ make valgrind-tests TESTS=test-acl-util
  GEN      valgrind-tests
  Running test-acl-util
  /bin/bash: line 4: libtool: command not found
```

8 years agoMerge pull request #2231 from phomes/resolve-misc2
Tom Gundersen [Mon, 28 Dec 2015 16:27:42 +0000 (17:27 +0100)]
Merge pull request #2231 from phomes/resolve-misc2

Resolve misc2

8 years agoMerge pull request #2226 from jwilk/spelling
Zbigniew Jędrzejewski-Szmek [Mon, 28 Dec 2015 16:07:54 +0000 (11:07 -0500)]
Merge pull request #2226 from jwilk/spelling

man: fix typos

8 years agoMerge pull request #2232 from poettering/dnssec8
Tom Gundersen [Mon, 28 Dec 2015 14:05:50 +0000 (15:05 +0100)]
Merge pull request #2232 from poettering/dnssec8

Eigth DNSSEC patch set

8 years agoresolved: update DNSSEC TODO
Lennart Poettering [Mon, 28 Dec 2015 00:18:40 +0000 (01:18 +0100)]
resolved: update DNSSEC TODO

8 years agoresolved: also use RRSIG expiry for negative caching
Lennart Poettering [Mon, 28 Dec 2015 00:16:28 +0000 (01:16 +0100)]
resolved: also use RRSIG expiry for negative caching

This makes sure that we also honour the RRSIG expiry for negative
caching.

8 years agoresolved: use RRSIG expiry and original TTL for cache management
Lennart Poettering [Sun, 27 Dec 2015 23:30:56 +0000 (00:30 +0100)]
resolved: use RRSIG expiry and original TTL for cache management

When we verified a signature, fix up the RR's TTL to the original TTL
mentioned in the signature, and store the signature expiry information
in the RR, too. Then, use that when adding RRs to the cache.

8 years agoresolved: clean up dns_transaction_stop()
Lennart Poettering [Sun, 27 Dec 2015 21:58:17 +0000 (22:58 +0100)]
resolved: clean up dns_transaction_stop()

This renames dns_transaction_stop() to dns_transaction_stop_timeout()
and makes it only about stopping the transaction timeout. This is safe,
as in most occasions we call dns_transaction_stop() at the same time as
dns_transaction_close_connection() anyway, which does the rest of what
dns_transaction_stop() used to do. And in the one where we don't call
it, it's implicitly called by the UDP emission or TCP connection code.

This also closes the connections as we enter the validation phase of a
transaction, so that no further messages may be received then.

8 years agoresolved: only keep a single list of supported signature algorithms
Lennart Poettering [Sun, 27 Dec 2015 21:56:08 +0000 (22:56 +0100)]
resolved: only keep a single list of supported signature algorithms

This removes dnssec_algorithm_supported() and simply uses the
algorithm_to_gcrypt() result as indication whether a DNSSEC algorithm is
supported.

The patch also renames "algorithm" to "md_algorithm", in a few cases, in
order to avoid confusion between DNSSEC signature algorithms and gcrypt
message digest algorithms.

8 years agoresolve-host: log RR parsing errors
Lennart Poettering [Sun, 27 Dec 2015 21:22:39 +0000 (22:22 +0100)]
resolve-host: log RR parsing errors

8 years agoresolved: add ECDSA signature support
Lennart Poettering [Sun, 27 Dec 2015 20:35:00 +0000 (21:35 +0100)]
resolved: add ECDSA signature support

8 years agoshared: relax restrictions on valid domain name characters a bit
Lennart Poettering [Sun, 27 Dec 2015 20:14:29 +0000 (21:14 +0100)]
shared: relax restrictions on valid domain name characters a bit

Previously, we'd not allow control characters to be embedded in domain
names, even when escaped. Since cloudflare uses \000 however to
implement its synthethic minimally covering NSEC RRs, we should allow
them, as long as they are properly escaped.

8 years agonspawn: userns and unified cgroup: chown cgroup.events
Alban Crequy [Tue, 8 Dec 2015 00:16:07 +0000 (01:16 +0100)]
nspawn: userns and unified cgroup: chown cgroup.events

When starting a container in a new user namespace, systemd-nspawn chowns
the cgroup knob files so they are usable by the container. But the
cgroup knob file "cgroup.events" was missing. This file exists when the
unified hierarchy is used.

8 years agoresolved: split out RSA-specific code from dnssec_verify_rrset()
Lennart Poettering [Sun, 27 Dec 2015 13:05:45 +0000 (14:05 +0100)]
resolved: split out RSA-specific code from dnssec_verify_rrset()

In preparation for ECDSA support.

8 years agoresolved: simplify MD algorithm initialization a bit
Lennart Poettering [Sun, 27 Dec 2015 12:07:36 +0000 (13:07 +0100)]
resolved: simplify MD algorithm initialization a bit

8 years agoresolved: add SHA384 digest support
Lennart Poettering [Sun, 27 Dec 2015 11:58:37 +0000 (12:58 +0100)]
resolved: add SHA384 digest support

8 years agoresolve-host: add error checking
Thomas Hindoe Paaboel Andersen [Sun, 27 Dec 2015 22:57:58 +0000 (23:57 +0100)]
resolve-host: add error checking

8 years agoresolve: remove unused variables
Thomas Hindoe Paaboel Andersen [Sun, 27 Dec 2015 22:23:16 +0000 (23:23 +0100)]
resolve: remove unused variables

8 years agohwdb: Update database of Bluetooth company identifiers
Marcel Holtmann [Sun, 27 Dec 2015 22:07:05 +0000 (23:07 +0100)]
hwdb: Update database of Bluetooth company identifiers

8 years agoMerge pull request #2225 from poettering/dnssec7
Tom Gundersen [Sun, 27 Dec 2015 20:19:28 +0000 (21:19 +0100)]
Merge pull request #2225 from poettering/dnssec7

Seventh DNSSEC patchset

8 years agohwdb: move Logitech M-U0007 [M500] to 1000dpi
Chris Mayo [Sun, 27 Dec 2015 11:48:53 +0000 (11:48 +0000)]
hwdb: move Logitech M-U0007 [M500] to 1000dpi

http://www.logitech.com/en-gb/product/corded-mouse-m500

8 years agoresolved: rename "features" variables to "feature_level"
Lennart Poettering [Sun, 27 Dec 2015 00:35:00 +0000 (01:35 +0100)]
resolved: rename "features" variables to "feature_level"

The name "features" suggests an orthogonal bitmap or suchlike, but the
variables really encode only a linear set of feature levels. The type
used is already called DnsServerFeatureLevel, hence fix up the variables
accordingly, too.

8 years agoresolved: rework OPT RR generation logic
Lennart Poettering [Sat, 26 Dec 2015 17:49:32 +0000 (18:49 +0100)]
resolved: rework OPT RR generation logic

This moves management of the OPT RR out of the scope management and into
the server and packet management. There are now explicit calls for
appending and truncating the OPT RR from a packet
(dns_packet_append_opt() and dns_packet_truncate_opt()) as well as a
call to do the right thing depending on a DnsServer's feature level
(dns_server_adjust_opt()).

This also unifies the code to pick a server between the TCP and UDP code
paths, and makes sure the feature level used for the transaction is
selected at the time the server is picked, and not changed until the
next time we pick a server. The server selction code is now unified in
dns_transaction_pick_server().

This all fixes problems when changing between UDP and TCP communication
for the same server, and makes sure the UDP and TCP codepaths are more
alike. It also makes sure we never keep the UDP port open when switchung
to TCP, so that we don't have to handle incoming datagrams on the latter
we don't expect.

As the new code picks the DNS server at the time we make a connection,
we don't need to invalidate the DNS server anymore when changing to the
next one, thus dns_transaction_next_dns_server() has been removed.

8 years agoresolved: reuse dns_transaction_stop() when destructing transaction objects
Lennart Poettering [Sat, 26 Dec 2015 17:48:37 +0000 (18:48 +0100)]
resolved: reuse dns_transaction_stop() when destructing transaction objects

8 years agoresolved: add dns_transaction_close_connection()
Lennart Poettering [Sat, 26 Dec 2015 13:53:17 +0000 (14:53 +0100)]
resolved: add dns_transaction_close_connection()

This new call unifies how we shut down all connection resources, such as
UDP sockets, event sources, and TCP stream objects.

This patch just adds the basic hook-up, this function will be used more
in later commits.

8 years agoresolved: make sure we reset the DNSSEC result when we accept a response packet
Lennart Poettering [Sat, 26 Dec 2015 13:39:49 +0000 (14:39 +0100)]
resolved: make sure we reset the DNSSEC result when we accept a response packet

8 years agoresolved: improve some log messages a bit
Lennart Poettering [Sat, 26 Dec 2015 13:38:37 +0000 (14:38 +0100)]
resolved: improve some log messages a bit

Indicate thar we ignore invalid messages

8 years agoresolved: never proceed processing truncated packets
Lennart Poettering [Sat, 26 Dec 2015 13:37:07 +0000 (14:37 +0100)]
resolved: never proceed processing truncated packets

Make sure we don't end up processing packets that are truncated.
Instead, actually let the TCP connection do its thing.

8 years agoresolved: remember explicitly whether we already tried a stream connection
Lennart Poettering [Sat, 26 Dec 2015 13:18:11 +0000 (14:18 +0100)]
resolved: remember explicitly whether we already tried a stream connection

On LLMNR we never want to retry stream connections (since local TCP
connections should work, and we don't want to unnecessarily delay
operation), explicitly remember whether we already tried one, instead of
deriving this from a still stored stream object. This way, we can free
the stream early, without forgetting that we tried it.

8 years agoresolved: make sure we GC stream transactions properly
Lennart Poettering [Sat, 26 Dec 2015 13:15:51 +0000 (14:15 +0100)]
resolved: make sure we GC stream transactions properly

Make sure to GC a transaction after dealing with a reply, even if the
transaction is not complete yet.

8 years agoresolved: ignore additional DNS responses we get while validating
Lennart Poettering [Sat, 26 Dec 2015 11:58:01 +0000 (12:58 +0100)]
resolved: ignore additional DNS responses we get while validating

No need to choke on them.

8 years agoresolved: introduce dns_transaction_reset_answer()
Lennart Poettering [Sat, 26 Dec 2015 11:53:08 +0000 (12:53 +0100)]
resolved: introduce dns_transaction_reset_answer()

Let's unify how we reset the answer data we collected, after all pretty
much every time we do it incompletely so far, let's fix it.

8 years agoshared: fix handling of suffix "." in dns_name_compare_func()
Lennart Poettering [Sat, 26 Dec 2015 11:43:28 +0000 (12:43 +0100)]
shared: fix handling of suffix "." in dns_name_compare_func()

All our other domain name handling functions make no destinction between
domain names that end in a dot plus a NUL, or those just ending in a
NUL. Make sure dns_name_compare_func() and dns_label_unescape_suffix()
do the same.

8 years agoman: fix typos
Jakub Wilk [Sat, 26 Dec 2015 17:25:49 +0000 (18:25 +0100)]
man: fix typos

8 years agoshared: fix error propagation in dns_name_compare_func()
Lennart Poettering [Sat, 26 Dec 2015 11:43:03 +0000 (12:43 +0100)]
shared: fix error propagation in dns_name_compare_func()

8 years agoresolved: don't unnecessarily allocate memory in dns_packet_append_name()
Lennart Poettering [Sat, 26 Dec 2015 11:36:24 +0000 (12:36 +0100)]
resolved: don't unnecessarily allocate memory in dns_packet_append_name()

When compression support is off, there's no point in duplicating the
name string. Hence, don't do it.

8 years agoresolved: name TCP and UDP socket calls uniformly
Lennart Poettering [Fri, 25 Dec 2015 14:57:49 +0000 (15:57 +0100)]
resolved: name TCP and UDP socket calls uniformly

Previously the calls for emitting DNS UDP packets were just called
dns_{transacion|scope}_emit(), but the one to establish a DNS TCP
connection was called dns_transaction_open_tcp(). Clean this up, and
rename them dns_{transaction|scope}_emit_udp() and
dns_transaction_open_tcp().

8 years agoresolved: add an automatic downgrade to non-DNSSEC mode
Lennart Poettering [Fri, 25 Dec 2015 14:05:46 +0000 (15:05 +0100)]
resolved: add an automatic downgrade to non-DNSSEC mode

This adds a mode that makes resolved automatically downgrade from DNSSEC
support to classic non-DNSSEC resolving if the configured DNS server is
not capable of DNSSEC. Enabling this mode increases compatibility with
crappy network equipment, but of course opens up the system to
downgrading attacks.

The new mode can be enabled by setting DNSSEC=downgrade-ok in
resolved.conf. DNSSEC=yes otoh remains a "strict" mode, where DNS
resolving rather fails then allow downgrading.

Downgrading is done:

- when the server does not support EDNS0+DO
- or when the server supports it but does not augment returned RRs with
  RRSIGs. The latter is detected when requesting DS or SOA RRs for the
  root domain (which is necessary to do proofs for unsigned data)

8 years agoresolved: no need to store return value of dns_server_possible_features()
Lennart Poettering [Fri, 25 Dec 2015 14:01:37 +0000 (15:01 +0100)]
resolved: no need to store return value of dns_server_possible_features()

The call already updates possible_features, it's pointless doing this in
the caller a second time.

8 years agoresolved: don't set TCP_NODELAY twice for TCP sockets
Lennart Poettering [Fri, 25 Dec 2015 11:58:07 +0000 (12:58 +0100)]
resolved: don't set TCP_NODELAY twice for TCP sockets

We previously set it once in the scope code and once in the stream code.
Remove it from the latter, as all other socket options are set in the
former.

8 years agoresolved: generate an explicit transaction error when we cannot reach server via TCP
Lennart Poettering [Fri, 25 Dec 2015 11:54:27 +0000 (12:54 +0100)]
resolved: generate an explicit transaction error when we cannot reach server via TCP

Previously, if we couldn't reach a server via UDP we'd generate an
MAX_ATTEMPTS transaction result, but if we couldn't reach it via TCP
we'd generate a RESOURCES transaction result. While it is OK to generate
two different errors I think, "RESOURCES" is certainly a misnomer.
Introduce a new transaction result "CONNECTION_FAILURE" instead.

8 years agoresolved: deal with unsigned DS/NSEC/NSEC3 properly
Lennart Poettering [Thu, 24 Dec 2015 13:08:22 +0000 (14:08 +0100)]
resolved: deal with unsigned DS/NSEC/NSEC3 properly

Previously, we'd insist on an RRSIG for all DS/NSEC/NSEC3 RRs. With this
change we don't do that anymore, but also allow unsigned DS/NSEC/NSEC3
if we can prove that the zone they are located in is unsigned.

8 years agoresolved: log each dnssec failure, in a recognizable way
Lennart Poettering [Wed, 23 Dec 2015 23:24:10 +0000 (00:24 +0100)]
resolved: log each dnssec failure, in a recognizable way