picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Systemd/src/resolve/resolved-dns-rr.h

343 lines
13 KiB
C
Raw Normal View History

license: LGPL-2.1+ -> LGPL-2.1-or-later
2020-11-09 05:23:58 +01:00
/* SPDX-License-Identifier: LGPL-2.1-or-later */
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
#pragma once
#include <netinet/in.h>
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
#include "bitmap.h"
tree-wide: sort includes in *.h This is a continuation of the previous include sort patch, which only sorted for .c files.
2015-11-18 22:46:33 +01:00
#include "dns-type.h"
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
#include "hashmap.h"
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
#include "in-addr-util.h"
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
#include "list.h"
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
#include "string-util.h"
headers: remove unneeded includes from util.h This means we need to include many more headers in various files that simply included util.h before, but it seems cleaner to do it this way.
2019-03-27 11:32:41 +01:00
#include "time-util.h"
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
typedef struct DnsResourceKey DnsResourceKey;
typedef struct DnsResourceRecord DnsResourceRecord;
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
typedef struct DnsTxtItem DnsTxtItem;
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
/* DNSKEY RR flags */
#define DNSKEY_FLAG_SEP (UINT16_C(1) << 0)
resolved: never authenticate RRsets with revoked keys
2016-01-03 17:56:50 +01:00
#define DNSKEY_FLAG_REVOKE (UINT16_C(1) << 7)
#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
resolved: add cache flush flag to DnsResourceKey MDNS has a 'key cache flush' flag for records which must be masked out for the parsers to do our right thing. We will also use that flag later (in a different patch) in order to alter the cache behavior.
2015-11-24 15:45:15 +01:00
/* mDNS RR flags */
#define MDNS_RR_CACHE_FLUSH (UINT16_C(1) << 15)
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
/* DNSSEC algorithm identifiers, see
* http://tools.ietf.org/html/rfc4034#appendix-A.1 and
* https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */
enum {
DNSSEC_ALGORITHM_RSAMD5 = 1,
DNSSEC_ALGORITHM_DH,
DNSSEC_ALGORITHM_DSA,
DNSSEC_ALGORITHM_ECC,
DNSSEC_ALGORITHM_RSASHA1,
DNSSEC_ALGORITHM_DSA_NSEC3_SHA1,
DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1,
resolved: include GOST in list of DNSSEC algorithms We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.)
2015-12-29 19:09:14 +01:00
DNSSEC_ALGORITHM_RSASHA256 = 8, /* RFC 5702 */
DNSSEC_ALGORITHM_RSASHA512 = 10, /* RFC 5702 */
DNSSEC_ALGORITHM_ECC_GOST = 12, /* RFC 5933 */
resolved: add ECDSA signature support
2015-12-27 21:35:00 +01:00
DNSSEC_ALGORITHM_ECDSAP256SHA256 = 13, /* RFC 6605 */
DNSSEC_ALGORITHM_ECDSAP384SHA384 = 14, /* RFC 6605 */
resolve: add support for RFC 8080 (#7600) RFC 8080 describes how to use EdDSA keys and signatures in DNSSEC. It uses the curves Ed25519 and Ed448. Libgcrypt 1.8.1 does not support Ed448, so only the Ed25519 is supported at the moment. Once Libgcrypt supports Ed448, support for it can be trivially added to resolve.
2017-12-12 16:30:12 +01:00
DNSSEC_ALGORITHM_ED25519 = 15, /* RFC 8080 */
DNSSEC_ALGORITHM_ED448 = 16, /* RFC 8080 */
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
DNSSEC_ALGORITHM_INDIRECT = 252,
DNSSEC_ALGORITHM_PRIVATEDNS,
DNSSEC_ALGORITHM_PRIVATEOID,
_DNSSEC_ALGORITHM_MAX_DEFINED
};
/* DNSSEC digest identifiers, see
* https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
enum {
DNSSEC_DIGEST_SHA1 = 1,
resolved: include GOST in list of DNSSEC algorithms We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.)
2015-12-29 19:09:14 +01:00
DNSSEC_DIGEST_SHA256 = 2, /* RFC 4509 */
DNSSEC_DIGEST_GOST_R_34_11_94 = 3, /* RFC 5933 */
DNSSEC_DIGEST_SHA384 = 4, /* RFC 6605 */
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
_DNSSEC_DIGEST_MAX_DEFINED
};
resolved: NSEC3 hash algorithms are distinct from DS digest algorithms Previously, we'd use the same set of identifiers for both, but that's actually incorrect. It didn't matter much since the only NSEC3 hash algorithm defined (SHA-1) is mapped to code 1 which is also what it is encoded as in DS digests, but we really should make sure to use two distinct enumerations.
2015-12-29 20:50:03 +01:00
/* DNSSEC NSEC3 hash algorithms, see
* https://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml */
enum {
NSEC3_ALGORITHM_SHA1 = 1,
_NSEC3_ALGORITHM_MAX_DEFINED
};
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
struct DnsResourceKey {
resolved: try to reduce number or DnsResourceKeys we keep around by merging them Quite often we read the same RR key multiple times from the same message. Try to replace them by a single object when we notice this. Do so again when we add things to the cache. This should reduce memory consumption a tiny bit.
2016-01-15 21:38:27 +01:00
unsigned n_ref; /* (unsigned -1) for const keys, see below */
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
uint16_t class, type;
treewide: fix typos and then/that use
2016-02-08 13:27:22 +01:00
char *_name; /* don't access directly, use dns_resource_key_name()! */
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
};
resolved: optionally, allocate DnsResourceKey objects on the stack Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03 17:27:13 +01:00
/* Creates a temporary resource key. This is only useful to quickly
* look up something, without allocating a full DnsResourceKey object
* for it. Note that it is not OK to take references to this kind of
* resource key object. */
#define DNS_RESOURCE_KEY_CONST(c, t, n) \
((DnsResourceKey) { \
.n_ref = (unsigned) -1, \
.class = c, \
.type = t, \
._name = (char*) n, \
})
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
struct DnsTxtItem {
size_t length;
LIST_FIELDS(DnsTxtItem, items);
uint8_t data[];
};
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
struct DnsResourceRecord {
unsigned n_ref;
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DnsResourceKey *key;
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
char *to_string;
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
uint32_t ttl;
resolved: use RRSIG expiry and original TTL for cache management When we verified a signature, fix up the RR's TTL to the original TTL mentioned in the signature, and store the signature expiry information in the RR, too. Then, use that when adding RRs to the cache.
2015-12-28 00:30:56 +01:00
usec_t expiry; /* RRSIG signature expiry */
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
/* How many labels to strip to determine "signer" of the RRSIG (aka, the zone). -1 if not signed. */
unsigned n_skip_labels_signer;
/* How many labels to strip to determine "synthesizing source" of this RR, i.e. the wildcard's immediate parent. -1 if not signed. */
unsigned n_skip_labels_source;
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
bool unparsable:1;
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
resolved: add code to generate the wire format for a single RR This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02 20:58:51 +01:00
bool wire_format_canonical:1;
void *wire_format;
size_t wire_format_size;
size_t wire_format_rdata_offset;
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
union {
struct {
void *data;
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
size_t data_size;
resolved: when parsing DNS packets, handle OPT RR specially As soon as we encounter the OPT RR while parsing, store it in a special field in the DnsPacket structure. That way, we won't be confused if we iterate through RRs, and can check that there's really only one of these RRs around.
2015-12-09 17:43:24 +01:00
} generic, opt;
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
struct {
uint16_t priority;
uint16_t weight;
uint16_t port;
char *name;
} srv;
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
struct {
char *name;
resolved: properly process DNAME RRs
2014-07-31 18:02:24 +02:00
} ptr, ns, cname, dname;
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
struct {
char *cpu;
char *os;
} hinfo;
resolved: TXT records
2014-08-01 03:36:58 +02:00
struct {
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
DnsTxtItem *items;
resolved: provide properly named way to access SPF data in RRs
2014-07-31 18:03:09 +02:00
} txt, spf;
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
struct {
struct in_addr in_addr;
} a;
struct {
struct in6_addr in6_addr;
} aaaa;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
struct {
char *mname;
char *rname;
uint32_t serial;
uint32_t refresh;
uint32_t retry;
uint32_t expire;
uint32_t minimum;
} soa;
resolved: MX records
2014-08-01 03:06:00 +02:00
struct {
uint16_t priority;
char *exchange;
} mx;
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
resolved: add comments referencing various RFCs to various places
2015-12-29 19:27:09 +01:00
/* https://tools.ietf.org/html/rfc1876 */
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
struct {
uint8_t version;
uint8_t size;
uint8_t horiz_pre;
uint8_t vert_pre;
uint32_t latitude;
uint32_t longitude;
uint32_t altitude;
} loc;
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
resolved: rr - SSHFP contains the fingerprint, not the key Rename the field to make this clearer.
2015-07-23 13:09:35 +02:00
/* https://tools.ietf.org/html/rfc4255#section-3.1 */
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
struct {
uint8_t algorithm;
uint8_t fptype;
resolved: rr - SSHFP contains the fingerprint, not the key Rename the field to make this clearer.
2015-07-23 13:09:35 +02:00
void *fingerprint;
size_t fingerprint_size;
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
} sshfp;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
/* http://tools.ietf.org/html/rfc4034#section-2.1 */
struct {
resolved: store DNSKEY fields flags+protocol as-is When verifying signatures we need to be able to verify the original data we got for an RR set, and that means we cannot simply drop flags bits or consider RRs invalid too eagerly. Hence, instead of parsing the DNSKEY flags store them as-is. Similar, accept the protocol field as it is, and don't consider it a parsing error if it is not 3. Of course, this means that the DNSKEY handling code later on needs to check explicit for protocol != 3.
2015-12-02 20:53:10 +01:00
uint16_t flags;
uint8_t protocol;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
uint8_t algorithm;
void* key;
size_t key_size;
} dnskey;
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
/* http://tools.ietf.org/html/rfc4034#section-3.1 */
struct {
uint16_t type_covered;
uint8_t algorithm;
uint8_t labels;
uint32_t original_ttl;
uint32_t expiration;
uint32_t inception;
uint16_t key_tag;
char *signer;
void *signature;
size_t signature_size;
} rrsig;
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
resolved: add one more comment with a link to the matching RFC
2015-11-27 19:22:35 +01:00
/* https://tools.ietf.org/html/rfc4034#section-4.1 */
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
struct {
char *next_domain_name;
Bitmap *types;
} nsec;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
resolved: add comments referencing various RFCs to various places
2015-12-29 19:27:09 +01:00
/* https://tools.ietf.org/html/rfc4034#section-5.1 */
struct {
uint16_t key_tag;
uint8_t algorithm;
uint8_t digest_type;
void *digest;
size_t digest_size;
} ds;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
struct {
uint8_t algorithm;
uint8_t flags;
uint16_t iterations;
void *salt;
size_t salt_size;
void *next_hashed_name;
size_t next_hashed_name_size;
Bitmap *types;
} nsec3;
resolved: TLSA records
2015-02-02 01:17:24 +01:00
/* https://tools.ietf.org/html/draft-ietf-dane-protocol-23 */
struct {
uint8_t cert_usage;
uint8_t selector;
uint8_t matching_type;
void *data;
size_t data_size;
} tlsa;
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
/* https://tools.ietf.org/html/rfc6844 */
struct {
uint8_t flags;
char *tag;
void *value;
size_t value_size;
} caa;
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
};
};
tree-wide: use typesafe_qsort()
2018-09-18 01:39:24 +02:00
static inline const void* DNS_RESOURCE_RECORD_RDATA(const DnsResourceRecord *rr) {
resolved: fix DNSSEC canonical ordering logic When applying canonical DNSSEC ordering for an RRset only order by the wire format of the RRs' RDATA, not by the full wire formatting. The RFC isn't particularly clear about this, but this is apparently how it is done. This fixes validation of pentagon.gov's DS RRset.
2016-01-04 20:27:45 +01:00
if (!rr)
return NULL;
if (!rr->wire_format)
return NULL;
assert(rr->wire_format_rdata_offset <= rr->wire_format_size);
return (uint8_t*) rr->wire_format + rr->wire_format_rdata_offset;
}
tree-wide: use typesafe_qsort()
2018-09-18 01:39:24 +02:00
static inline size_t DNS_RESOURCE_RECORD_RDATA_SIZE(const DnsResourceRecord *rr) {
resolved: fix DNSSEC canonical ordering logic When applying canonical DNSSEC ordering for an RRset only order by the wire format of the RRs' RDATA, not by the full wire formatting. The RFC isn't particularly clear about this, but this is apparently how it is done. This fixes validation of pentagon.gov's DS RRset.
2016-01-04 20:27:45 +01:00
if (!rr)
return 0;
if (!rr->wire_format)
return 0;
assert(rr->wire_format_rdata_offset <= rr->wire_format_size);
return rr->wire_format_size - rr->wire_format_rdata_offset;
}
tree-wide: use typesafe_qsort()
2018-09-18 01:39:24 +02:00
static inline uint8_t DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(const DnsResourceRecord *rr) {
resolved: respond to local resolver requests on 127.0.0.53:53 In order to improve compatibility with local clients that speak DNS directly (and do not use NSS or our bus API) listen locally on 127.0.0.53:53 and process any queries made that way. Note that resolved does not implement a full DNS server on this port, but simply enough to allow normal, local clients to resolve RRs through resolved. Specifically it does not implement queries without the RD bit set (these are requests where recursive lookups are explicitly disabled), and neither queries with DNSSEC DO set in combination with DNSSEC CD (i.e. DNSSEC lookups with validation turned off). It also refuses zone transfers and obsolete RR types. All lookups done this way will be rejected with a clean error code, so that the client side can repeat the query with a reduced feature set. The code will set the DNSSEC AD flag however, depending on whether the data resolved has been validated (or comes from a local, trusted source). Lookups made via this mechanisms are propagated to LLMNR and mDNS as necessary, but this is only partially useful as DNS packets cannot carry IP scope data (i.e. the ifindex), and hence link-local addresses returned cannot be used properly (and given that LLMNR/mDNS are mostly about link-local communication this is quite a limitation). Also, given that DNS tends to use IDNA for non-ASCII names, while LLMNR/mDNS uses UTF-8 lookups cannot be mapped 1:1. In general this should improve compatibility with clients bypassing NSS but it is highly recommended for clients to instead use NSS or our native bus API. This patch also beefs up the DnsStream logic, as it reuses the code for local TCP listening. DnsStream now provides proper reference counting for its objects. In order to avoid feedback loops resolved will no silently ignore 127.0.0.53 specified as DNS server when reading configuration. resolved listens on 127.0.0.53:53 instead of 127.0.0.1:53 in order to leave the latter free for local, external DNS servers or forwarders. This also changes the "etc.conf" tmpfiles snippet to create a symlink from /etc/resolv.conf to /usr/lib/systemd/resolv.conf by default, thus making this stub the default mode of operation if /etc is not populated.
2016-06-21 00:58:47 +02:00
assert(rr);
assert(rr->key->type == DNS_TYPE_OPT);
return ((rr->ttl >> 16) & 0xFF) == 0;
}
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DnsResourceKey* dns_resource_key_new(uint16_t class, uint16_t type, const char *name);
resolved: rr - introduce dns_resource_key_new_redirect() Takes a key and CNAME RR and returns the canonical RR of the right type. Make use of this in dns_question_redirect().
2015-09-04 01:56:23 +02:00
DnsResourceKey* dns_resource_key_new_redirect(const DnsResourceKey *key, const DnsResourceRecord *cname);
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
int dns_resource_key_new_append_suffix(DnsResourceKey **ret, DnsResourceKey *key, char *name);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DnsResourceKey* dns_resource_key_new_consume(uint16_t class, uint16_t type, char *name);
DnsResourceKey* dns_resource_key_ref(DnsResourceKey *key);
DnsResourceKey* dns_resource_key_unref(DnsResourceKey *key);
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
const char* dns_resource_key_name(const DnsResourceKey *key);
resolved: rework how we allow allow queries to be dispatched to scopes Previously, we'd never do any single-label or root domain lookups via DNS, thus leaving single-label lookups to LLMNR and the search path logic in order that single-label names don't leak too easily onto the internet. With this change we open things up a bit, and only prohibit A/AAAA lookups of single-label/root domains, but allow all other lookups. This should provide similar protection, but allow us to resolve DNSKEY+DS RRs for the top-level and root domains. (This also simplifies handling of the search domain detection, and gets rid of dns_scope_has_search_domains() in favour of dns_scope_get_search_domains()).
2015-12-03 18:26:12 +01:00
bool dns_resource_key_is_address(const DnsResourceKey *key);
resolved: announce DNS-SD records in mDNS scopes
2017-10-04 09:07:44 +02:00
bool dns_resource_key_is_dnssd_ptr(const DnsResourceKey *key);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b);
resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
2015-12-18 14:37:06 +01:00
int dns_resource_key_match_rr(const DnsResourceKey *key, DnsResourceRecord *rr, const char *search_domain);
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsResourceKey *cname, const char *search_domain);
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-09 18:13:16 +01:00
int dns_resource_key_match_soa(const DnsResourceKey *key, const DnsResourceKey *soa);
Use provided buffer in dns_resource_key_to_string When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-15 00:51:55 +01:00
/* _DNS_{CLASS,TYPE}_STRING_MAX include one byte for NUL, which we use for space instead below.
* DNS_HOSTNAME_MAX does not include the NUL byte, so we need to add 1. */
#define DNS_RESOURCE_KEY_STRING_MAX (_DNS_CLASS_STRING_MAX + _DNS_TYPE_STRING_MAX + DNS_HOSTNAME_MAX + 1)
char* dns_resource_key_to_string(const DnsResourceKey *key, char *buf, size_t buf_size);
systemd-resolve: allow keys to be dumped in binary form $ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
2016-01-29 00:24:28 +01:00
ssize_t dns_resource_record_payload(DnsResourceRecord *rr, void **out);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceKey*, dns_resource_key_unref);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add dns_cache_export_to_packet() This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
2015-12-01 00:53:42 +01:00
static inline bool dns_key_is_shared(const DnsResourceKey *key) {
return IN_SET(key->type, DNS_TYPE_PTR);
}
resolved: try to reduce number or DnsResourceKeys we keep around by merging them Quite often we read the same RR key multiple times from the same message. Try to replace them by a single object when we notice this. Do so again when we add things to the cache. This should reduce memory consumption a tiny bit.
2016-01-15 21:38:27 +01:00
bool dns_resource_key_reduce(DnsResourceKey **a, DnsResourceKey **b);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DnsResourceRecord* dns_resource_record_new(DnsResourceKey *key);
resolved: include SOA records in LLMNR replies for non-existing RRs to allow negative caching
2014-07-30 16:30:25 +02:00
DnsResourceRecord* dns_resource_record_new_full(uint16_t class, uint16_t type, const char *name);
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
DnsResourceRecord* dns_resource_record_ref(DnsResourceRecord *rr);
DnsResourceRecord* dns_resource_record_unref(DnsResourceRecord *rr);
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
int dns_resource_record_new_reverse(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *name);
resolved: rework synthesizing logic With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-08-17 23:54:08 +02:00
int dns_resource_record_new_address(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *name);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecord *b);
resolve: split the RR comparison function in two No functional change.
2019-02-27 10:27:35 +01:00
int dns_resource_record_payload_equal(const DnsResourceRecord *a, const DnsResourceRecord *b);
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
const char* dns_resource_record_to_string(DnsResourceRecord *rr);
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceRecord*, dns_resource_record_unref);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add code to generate the wire format for a single RR This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02 20:58:51 +01:00
int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical);
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
int dns_resource_record_signer(DnsResourceRecord *rr, const char **ret);
int dns_resource_record_source(DnsResourceRecord *rr, const char **ret);
int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone);
resolved: complete NSEC non-existance proofs This fills in the last few gaps: - When checking if a domain is non-existing, also check that no wildcard for it exists - Ensure we don't base "covering" tests on NSEC RRs from a parent zone - Refuse to accept expanded wildcard NSEC RRs for absence proofs.
2016-01-15 02:21:22 +01:00
int dns_resource_record_is_synthetic(DnsResourceRecord *rr);
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
int dns_resource_record_clamp_ttl(DnsResourceRecord **rr, uint32_t max_ttl);
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i);
bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b);
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
DnsTxtItem *dns_txt_item_copy(DnsTxtItem *i);
resolved: inroduce dns_txt_item_new_empty() function
2017-11-24 14:24:57 +01:00
int dns_txt_item_new_empty(DnsTxtItem **ret);
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
void dns_resource_record_hash_func(const DnsResourceRecord *i, struct siphash *state);
resolve: slightly optimize dns_answer_add() Previously, dns_answer_add() was O(n^2). With this change dns_packet_extract() becomes ~15 times faster for some extremal case. Before: ``` $ time ./fuzz-dns-packet ~/downloads/clusterfuzz-testcase-minimized-fuzz-dns-packet-5631106733047808 /home/watanabe/downloads/clusterfuzz-testcase-minimized-fuzz-dns-packet-5631106733047808... ok real 0m15.453s user 0m15.430s sys 0m0.007s ``` After: ``` $ time ./fuzz-dns-packet ~/downloads/clusterfuzz-testcase-minimized-fuzz-dns-packet-5631106733047808 /home/watanabe/downloads/clusterfuzz-testcase-minimized-fuzz-dns-packet-5631106733047808... ok real 0m0.831s user 0m0.824s sys 0m0.006s ``` Hopefully fixes oss-fuzz#19227. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19227
2020-12-29 15:50:54 +01:00
int dns_resource_record_compare_func(const DnsResourceRecord *x, const DnsResourceRecord *y);
test-dns-packet: add framework to read and dump packets Packets are stored in a simple format: <size> <packet-wire-format> <size> <packet-wire-format> ... Packets for some example domains are dumped, to test rr code for various record types. Currently: A AAAA CAA DNSKEY LOC MX NS NSEC OPENPGPKEY SOA SPF TXT The hashing code is executed, but results are not checked. Also build other tests in src/resolve only with --enable-resolve.
2016-01-31 06:10:42 +01:00
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
extern const struct hash_ops dns_resource_key_hash_ops;
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
extern const struct hash_ops dns_resource_record_hash_ops;
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
int dnssec_algorithm_to_string_alloc(int i, char **ret);
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
int dnssec_algorithm_from_string(const char *s) _pure_;
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
int dnssec_digest_to_string_alloc(int i, char **ret);
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
int dnssec_digest_from_string(const char *s) _pure_;