2017-11-18 17:09:20 +01:00
|
|
|
/* SPDX-License-Identifier: LGPL-2.1+ */
|
2016-01-05 17:25:10 +01:00
|
|
|
#pragma once
|
|
|
|
|
2018-05-22 13:10:17 +02:00
|
|
|
#include "conf-parser.h"
|
2019-05-27 01:35:28 +02:00
|
|
|
#include "in-addr-util.h"
|
2016-01-05 17:25:10 +01:00
|
|
|
#include "macro.h"
|
|
|
|
|
2019-05-27 01:35:28 +02:00
|
|
|
/* 127.0.0.53 in native endian */
|
|
|
|
#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)
|
|
|
|
|
2019-07-12 21:34:24 +02:00
|
|
|
typedef enum DnsCacheMode DnsCacheMode;
|
|
|
|
|
|
|
|
enum DnsCacheMode {
|
|
|
|
DNS_CACHE_MODE_NO,
|
|
|
|
DNS_CACHE_MODE_YES,
|
|
|
|
DNS_CACHE_MODE_NO_NEGATIVE,
|
|
|
|
_DNS_CACHE_MODE_MAX,
|
|
|
|
_DNS_CACHE_MODE_INVALID = 1
|
|
|
|
};
|
|
|
|
|
2016-01-05 17:25:10 +01:00
|
|
|
typedef enum ResolveSupport ResolveSupport;
|
2016-01-05 19:57:33 +01:00
|
|
|
typedef enum DnssecMode DnssecMode;
|
2018-06-13 20:26:24 +02:00
|
|
|
typedef enum DnsOverTlsMode DnsOverTlsMode;
|
2016-01-05 17:25:10 +01:00
|
|
|
|
|
|
|
enum ResolveSupport {
|
|
|
|
RESOLVE_SUPPORT_NO,
|
|
|
|
RESOLVE_SUPPORT_YES,
|
|
|
|
RESOLVE_SUPPORT_RESOLVE,
|
|
|
|
_RESOLVE_SUPPORT_MAX,
|
|
|
|
_RESOLVE_SUPPORT_INVALID = -1
|
|
|
|
};
|
|
|
|
|
2016-01-05 19:57:33 +01:00
|
|
|
enum DnssecMode {
|
|
|
|
/* No DNSSEC validation is done */
|
|
|
|
DNSSEC_NO,
|
|
|
|
|
|
|
|
/* Validate locally, if the server knows DO, but if not,
|
|
|
|
* don't. Don't trust the AD bit. If the server doesn't do
|
|
|
|
* DNSSEC properly, downgrade to non-DNSSEC operation. Of
|
|
|
|
* course, we then are vulnerable to a downgrade attack, but
|
|
|
|
* that's life and what is configured. */
|
|
|
|
DNSSEC_ALLOW_DOWNGRADE,
|
|
|
|
|
|
|
|
/* Insist on DNSSEC server support, and rather fail than downgrading. */
|
|
|
|
DNSSEC_YES,
|
|
|
|
|
|
|
|
_DNSSEC_MODE_MAX,
|
|
|
|
_DNSSEC_MODE_INVALID = -1
|
|
|
|
};
|
|
|
|
|
2018-06-13 20:26:24 +02:00
|
|
|
enum DnsOverTlsMode {
|
2018-04-27 17:50:38 +02:00
|
|
|
/* No connection is made for DNS-over-TLS */
|
2018-06-13 20:26:24 +02:00
|
|
|
DNS_OVER_TLS_NO,
|
2018-04-27 17:50:38 +02:00
|
|
|
|
|
|
|
/* Try to connect using DNS-over-TLS, but if connection fails,
|
|
|
|
* fallback to using an unencrypted connection */
|
2018-06-13 20:26:24 +02:00
|
|
|
DNS_OVER_TLS_OPPORTUNISTIC,
|
2018-04-27 17:50:38 +02:00
|
|
|
|
2019-02-18 20:41:46 +01:00
|
|
|
/* Enforce DNS-over-TLS and require valid server certificates */
|
|
|
|
DNS_OVER_TLS_YES,
|
|
|
|
|
2018-06-13 20:26:24 +02:00
|
|
|
_DNS_OVER_TLS_MODE_MAX,
|
|
|
|
_DNS_OVER_TLS_MODE_INVALID = -1
|
2018-04-27 17:50:38 +02:00
|
|
|
};
|
|
|
|
|
2018-05-22 13:10:17 +02:00
|
|
|
CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
|
|
|
|
CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
|
2018-06-13 20:26:24 +02:00
|
|
|
CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
|
2019-07-12 21:34:24 +02:00
|
|
|
CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);
|
2016-01-05 17:25:10 +01:00
|
|
|
|
|
|
|
const char* resolve_support_to_string(ResolveSupport p) _const_;
|
|
|
|
ResolveSupport resolve_support_from_string(const char *s) _pure_;
|
2016-01-05 19:57:33 +01:00
|
|
|
|
|
|
|
const char* dnssec_mode_to_string(DnssecMode p) _const_;
|
|
|
|
DnssecMode dnssec_mode_from_string(const char *s) _pure_;
|
2018-04-27 17:50:38 +02:00
|
|
|
|
2018-06-13 20:26:24 +02:00
|
|
|
const char* dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
|
|
|
|
DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;
|
2019-05-27 01:35:28 +02:00
|
|
|
|
|
|
|
bool dns_server_address_valid(int family, const union in_addr_union *sa);
|
2019-07-12 21:34:24 +02:00
|
|
|
|
|
|
|
const char* dns_cache_mode_to_string(DnsCacheMode p) _const_;
|
|
|
|
DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_;
|