picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Systemd/src/resolve/resolved-dns-rr.c

1821 lines
60 KiB
C
Raw Normal View History

license: LGPL-2.1+ -> LGPL-2.1-or-later
2020-11-09 05:23:58 +01:00
/* SPDX-License-Identifier: LGPL-2.1-or-later */
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
#include <math.h>
util-lib: split out allocation calls into alloc-util.[ch]
2015-10-27 03:01:06 +01:00
#include "alloc-util.h"
resolve: move dns routines into shared
2015-06-02 20:49:43 +02:00
#include "dns-domain.h"
resolve: add more record types and convert to gperf table We are unlikely to evert support most of them, but we can at least display the types properly. The list is taken from the IANA list. The table of number->name mappings is converted to a switch statement. gcc does a nice job of optimizing lookup (when optimization is enabled). systemd-resolve-host -t is now case insensitive.
2014-08-02 01:37:16 +02:00
#include "dns-type.h"
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
#include "escape.h"
util-lib: split out hex/dec/oct encoding/decoding into its own file
2015-10-26 16:41:43 +01:00
#include "hexdecoct.h"
travis: turn on nonnull-attribute on Fuzzit
2019-06-15 23:12:24 +02:00
#include "memory-util.h"
resolved: calculate and print tags for DNSKEY records
2015-02-04 23:06:33 +01:00
#include "resolved-dns-dnssec.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "resolved-dns-packet.h"
util-lib: split out hex/dec/oct encoding/decoding into its own file
2015-10-26 16:41:43 +01:00
#include "resolved-dns-rr.h"
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
#include "string-table.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "string-util.h"
#include "strv.h"
resolved: add alignment to base64 We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2014-08-05 00:59:31 +02:00
#include "terminal-util.h"
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DnsResourceKey* dns_resource_key_new(uint16_t class, uint16_t type, const char *name) {
DnsResourceKey *k;
size_t l;
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
assert(name);
l = strlen(name);
k = malloc0(sizeof(DnsResourceKey) + l + 1);
if (!k)
return NULL;
k->n_ref = 1;
k->class = class;
k->type = type;
strcpy((char*) k + sizeof(DnsResourceKey), name);
return k;
}
resolved: rr - introduce dns_resource_key_new_redirect() Takes a key and CNAME RR and returns the canonical RR of the right type. Make use of this in dns_question_redirect().
2015-09-04 01:56:23 +02:00
DnsResourceKey* dns_resource_key_new_redirect(const DnsResourceKey *key, const DnsResourceRecord *cname) {
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
int r;
resolved: rr - introduce dns_resource_key_new_redirect() Takes a key and CNAME RR and returns the canonical RR of the right type. Make use of this in dns_question_redirect().
2015-09-04 01:56:23 +02:00
assert(key);
assert(cname);
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
assert(IN_SET(cname->key->type, DNS_TYPE_CNAME, DNS_TYPE_DNAME));
if (cname->key->type == DNS_TYPE_CNAME)
return dns_resource_key_new(key->class, key->type, cname->cname.name);
else {
DnsResourceKey *k;
char *destination = NULL;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
r = dns_name_change_suffix(dns_resource_key_name(key), dns_resource_key_name(cname->key), cname->dname.name, &destination);
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
if (r < 0)
return NULL;
if (r == 0)
return dns_resource_key_ref((DnsResourceKey*) key);
k = dns_resource_key_new_consume(key->class, key->type, destination);
tree-wide: use mfree more
2016-10-17 00:28:30 +02:00
if (!k)
return mfree(destination);
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
return k;
}
resolved: rr - introduce dns_resource_key_new_redirect() Takes a key and CNAME RR and returns the canonical RR of the right type. Make use of this in dns_question_redirect().
2015-09-04 01:56:23 +02:00
}
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
int dns_resource_key_new_append_suffix(DnsResourceKey **ret, DnsResourceKey *key, char *name) {
DnsResourceKey *new_key;
char *joined;
int r;
assert(ret);
assert(key);
assert(name);
dns-domain: simplify dns_name_is_root() and dns_name_is_single_label() Let's change the return value to bool. If we encounter an error while parsing, return "false" instead of the actual parsing error, after all the specified hostname does not qualify for what the function is supposed to test. Dealing with the additional error codes was always cumbersome, and easily misused, like for example in the DHCP code. Let's also rename the functions from dns_name_root() to dns_name_is_root(), to indicate that this function checks something and returns a bool. Similar for dns_name_is_signal_label().
2015-11-25 21:07:17 +01:00
if (dns_name_is_root(name)) {
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
*ret = dns_resource_key_ref(key);
return 0;
}
resolve: reject host names with leading or trailing dashes in /etc/hosts https://tools.ietf.org/html/rfc1035#section-2.3.1 says (approximately) that only letters, numbers, and non-leading non-trailing dashes are allowed (for entries with A/AAAA records). We set no restrictions. hosts(5) says: > Host names may contain only alphanumeric characters, minus signs ("-"), and > periods ("."). They must begin with an alphabetic character and end with an > alphanumeric character. nss-files follows those rules, and will ignore names in /etc/hosts that do not follow this rule. Let's follow the documented rules for /etc/hosts. In particular, this makes us consitent with nss-files, reducing surprises for the user. I'm pretty sure we should apply stricter filtering to names received over DNS and LLMNR and MDNS, but it's a bigger project, because the rules differ depepending on which level the label appears (rules for top-level names are stricter), and this patch takes the minimalistic approach and only changes behaviour for /etc/hosts. Escape syntax is also disallowed in /etc/hosts, even if the resulting character would be allowed. Other tools that parse /etc/hosts do not support this, and there is no need to use it because no allowed characters benefit from escaping.
2018-11-21 22:58:13 +01:00
r = dns_name_concat(dns_resource_key_name(key), name, 0, &joined);
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
if (r < 0)
return r;
new_key = dns_resource_key_new_consume(key->class, key->type, joined);
if (!new_key) {
free(joined);
return -ENOMEM;
}
*ret = new_key;
return 0;
}
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DnsResourceKey* dns_resource_key_new_consume(uint16_t class, uint16_t type, char *name) {
DnsResourceKey *k;
assert(name);
resolved: use structured initialization everywhere
2020-10-27 14:28:25 +01:00
k = new(DnsResourceKey, 1);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
if (!k)
return NULL;
resolved: use structured initialization everywhere
2020-10-27 14:28:25 +01:00
*k = (DnsResourceKey) {
.n_ref = 1,
.class = class,
.type = type,
._name = name,
};
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
return k;
}
DnsResourceKey* dns_resource_key_ref(DnsResourceKey *k) {
if (!k)
return NULL;
resolved: optionally, allocate DnsResourceKey objects on the stack Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03 17:27:13 +01:00
/* Static/const keys created with DNS_RESOURCE_KEY_CONST will
* set this to -1, they should not be reffed/unreffed */
assert(k->n_ref != (unsigned) -1);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
assert(k->n_ref > 0);
k->n_ref++;
return k;
}
DnsResourceKey* dns_resource_key_unref(DnsResourceKey *k) {
if (!k)
return NULL;
resolved: optionally, allocate DnsResourceKey objects on the stack Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03 17:27:13 +01:00
assert(k->n_ref != (unsigned) -1);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
assert(k->n_ref > 0);
if (k->n_ref == 1) {
free(k->_name);
free(k);
} else
k->n_ref--;
return NULL;
}
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
const char* dns_resource_key_name(const DnsResourceKey *key) {
const char *name;
if (!key)
return NULL;
if (key->_name)
name = key->_name;
else
name = (char*) key + sizeof(DnsResourceKey);
if (dns_name_is_root(name))
return ".";
else
return name;
}
resolved: rework how we allow allow queries to be dispatched to scopes Previously, we'd never do any single-label or root domain lookups via DNS, thus leaving single-label lookups to LLMNR and the search path logic in order that single-label names don't leak too easily onto the internet. With this change we open things up a bit, and only prohibit A/AAAA lookups of single-label/root domains, but allow all other lookups. This should provide similar protection, but allow us to resolve DNSKEY+DS RRs for the top-level and root domains. (This also simplifies handling of the search domain detection, and gets rid of dns_scope_has_search_domains() in favour of dns_scope_get_search_domains()).
2015-12-03 18:26:12 +01:00
bool dns_resource_key_is_address(const DnsResourceKey *key) {
assert(key);
/* Check if this is an A or AAAA resource key */
return key->class == DNS_CLASS_IN && IN_SET(key->type, DNS_TYPE_A, DNS_TYPE_AAAA);
}
resolved: announce DNS-SD records in mDNS scopes
2017-10-04 09:07:44 +02:00
bool dns_resource_key_is_dnssd_ptr(const DnsResourceKey *key) {
assert(key);
/* Check if this is a PTR resource key used in
Service Instance Enumeration as described in RFC6763 p4.1. */
if (key->type != DNS_TYPE_PTR)
return false;
return dns_name_endswith(dns_resource_key_name(key), "_tcp.local") ||
dns_name_endswith(dns_resource_key_name(key), "_udp.local");
}
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b) {
int r;
resolved: shortcut RR comparisons if pointers match When iterating through RR lists we frequently end up comparing RRs and RR keys with themselves, hence att a minor optimization to check ptr values first, before doing a deep comparison.
2015-12-09 17:28:50 +01:00
if (a == b)
return 1;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
r = dns_name_equal(dns_resource_key_name(a), dns_resource_key_name(b));
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
if (r <= 0)
return r;
if (a->class != b->class)
return 0;
if (a->type != b->type)
return 0;
return 1;
}
resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
2015-12-18 14:37:06 +01:00
int dns_resource_key_match_rr(const DnsResourceKey *key, DnsResourceRecord *rr, const char *search_domain) {
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
int r;
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
assert(key);
assert(rr);
resolved: shortcut RR comparisons if pointers match When iterating through RR lists we frequently end up comparing RRs and RR keys with themselves, hence att a minor optimization to check ptr values first, before doing a deep comparison.
2015-12-09 17:28:50 +01:00
if (key == rr->key)
return 1;
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
/* Checks if an rr matches the specified key. If a search
* domain is specified, it will also be checked if the key
* with the search domain suffixed might match the RR. */
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
if (rr->key->class != key->class && key->class != DNS_CLASS_ANY)
return 0;
if (rr->key->type != key->type && key->type != DNS_TYPE_ANY)
return 0;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
r = dns_name_equal(dns_resource_key_name(rr->key), dns_resource_key_name(key));
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
if (r != 0)
return r;
if (search_domain) {
_cleanup_free_ char *joined = NULL;
resolve: reject host names with leading or trailing dashes in /etc/hosts https://tools.ietf.org/html/rfc1035#section-2.3.1 says (approximately) that only letters, numbers, and non-leading non-trailing dashes are allowed (for entries with A/AAAA records). We set no restrictions. hosts(5) says: > Host names may contain only alphanumeric characters, minus signs ("-"), and > periods ("."). They must begin with an alphabetic character and end with an > alphanumeric character. nss-files follows those rules, and will ignore names in /etc/hosts that do not follow this rule. Let's follow the documented rules for /etc/hosts. In particular, this makes us consitent with nss-files, reducing surprises for the user. I'm pretty sure we should apply stricter filtering to names received over DNS and LLMNR and MDNS, but it's a bigger project, because the rules differ depepending on which level the label appears (rules for top-level names are stricter), and this patch takes the minimalistic approach and only changes behaviour for /etc/hosts. Escape syntax is also disallowed in /etc/hosts, even if the resulting character would be allowed. Other tools that parse /etc/hosts do not support this, and there is no need to use it because no allowed characters benefit from escaping.
2018-11-21 22:58:13 +01:00
r = dns_name_concat(dns_resource_key_name(key), search_domain, 0, &joined);
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
if (r < 0)
return r;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
return dns_name_equal(dns_resource_key_name(rr->key), joined);
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
}
return 0;
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
}
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsResourceKey *cname, const char *search_domain) {
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
int r;
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
assert(key);
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
assert(cname);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
if (cname->class != key->class && key->class != DNS_CLASS_ANY)
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
return 0;
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
if (cname->type == DNS_TYPE_CNAME)
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
r = dns_name_equal(dns_resource_key_name(key), dns_resource_key_name(cname));
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
else if (cname->type == DNS_TYPE_DNAME)
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
r = dns_name_endswith(dns_resource_key_name(key), dns_resource_key_name(cname));
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
else
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
return 0;
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
if (r != 0)
return r;
if (search_domain) {
_cleanup_free_ char *joined = NULL;
resolve: reject host names with leading or trailing dashes in /etc/hosts https://tools.ietf.org/html/rfc1035#section-2.3.1 says (approximately) that only letters, numbers, and non-leading non-trailing dashes are allowed (for entries with A/AAAA records). We set no restrictions. hosts(5) says: > Host names may contain only alphanumeric characters, minus signs ("-"), and > periods ("."). They must begin with an alphabetic character and end with an > alphanumeric character. nss-files follows those rules, and will ignore names in /etc/hosts that do not follow this rule. Let's follow the documented rules for /etc/hosts. In particular, this makes us consitent with nss-files, reducing surprises for the user. I'm pretty sure we should apply stricter filtering to names received over DNS and LLMNR and MDNS, but it's a bigger project, because the rules differ depepending on which level the label appears (rules for top-level names are stricter), and this patch takes the minimalistic approach and only changes behaviour for /etc/hosts. Escape syntax is also disallowed in /etc/hosts, even if the resulting character would be allowed. Other tools that parse /etc/hosts do not support this, and there is no need to use it because no allowed characters benefit from escaping.
2018-11-21 22:58:13 +01:00
r = dns_name_concat(dns_resource_key_name(key), search_domain, 0, &joined);
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
if (r < 0)
return r;
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
if (cname->type == DNS_TYPE_CNAME)
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
return dns_name_equal(joined, dns_resource_key_name(cname));
resolved: cache - do negative caching only on the canonical name Apart from dropping redundant information, this fixes an issue where, due to broken DNS servers, we can only be certain of whether an apparent NODATA response is in fact an NXDOMAIN response after explicitly resolving the canonical name. This issue is outlined in RFC2308. Moreover, by caching NXDOMAIN for an existing name, we would mistakenly return NXDOMAIN for types which should not be redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly returns NXDOMAIN, but a query for CNAME should return the record and a query for DNAME should return NODATA. Note that this means we will not cache an NXDOMAIN response in the presence of redirection, meaning one redundant roundtrip in case the name is queried again.
2015-12-02 18:46:32 +01:00
else if (cname->type == DNS_TYPE_DNAME)
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
return dns_name_endswith(joined, dns_resource_key_name(cname));
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
}
return 0;
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-09 18:13:16 +01:00
}
int dns_resource_key_match_soa(const DnsResourceKey *key, const DnsResourceKey *soa) {
assert(soa);
assert(key);
/* Checks whether 'soa' is a SOA record for the specified key. */
resolved: when matching SOA RRs, honour RR class
2015-12-21 16:28:35 +01:00
if (soa->class != key->class)
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-09 18:13:16 +01:00
return 0;
resolved: fully support DNS search domains This adds support for searching single-label hostnames in a set of configured search domains. A new object DnsQueryCandidate is added that links queries to scopes. It keeps track of the search domain last used for a query on a specific link. Whenever a host name was unsuccessfuly resolved on a scope all its transactions are flushed out and replaced by a new set, with the next search domain appended. This also adds a new flag SD_RESOLVED_NO_SEARCH to disable search domain behaviour. The "systemd-resolve-host" tool is updated to make this configurable via --search=. Fixes #1697
2015-11-25 20:47:27 +01:00
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-09 18:13:16 +01:00
if (soa->type != DNS_TYPE_SOA)
return 0;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
return dns_name_endswith(dns_resource_key_name(key), dns_resource_key_name(soa));
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
}
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
static void dns_resource_key_hash_func(const DnsResourceKey *k, struct siphash *state) {
hashmap: refactor hash_func All our hash functions are based on siphash24(), factor out siphash_init() and siphash24_finalize() and pass the siphash state to the hash functions rather than the hash key. This simplifies the hash functions, and in particular makes composition simpler as calling siphash24_compress() repeatedly on separate chunks of input has the same effect as first concatenating the input and then calling siphash23_compress() on the result.
2015-10-04 00:22:41 +02:00
assert(k);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
dns_name_hash_func(dns_resource_key_name(k), state);
hashmap: refactor hash_func All our hash functions are based on siphash24(), factor out siphash_init() and siphash24_finalize() and pass the siphash state to the hash functions rather than the hash key. This simplifies the hash functions, and in particular makes composition simpler as calling siphash24_compress() repeatedly on separate chunks of input has the same effect as first concatenating the input and then calling siphash23_compress() on the result.
2015-10-04 00:22:41 +02:00
siphash24_compress(&k->class, sizeof(k->class), state);
siphash24_compress(&k->type, sizeof(k->type), state);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
static int dns_resource_key_compare_func(const DnsResourceKey *x, const DnsResourceKey *y) {
resolve: slightly shorten dns_resource_key_compare_func()
2020-12-29 14:29:21 +01:00
int r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolve: slightly shorten dns_resource_key_compare_func()
2020-12-29 14:29:21 +01:00
r = dns_name_compare_func(dns_resource_key_name(x), dns_resource_key_name(y));
if (r != 0)
return r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolve: slightly shorten dns_resource_key_compare_func()
2020-12-29 14:29:21 +01:00
r = CMP(x->type, y->type);
if (r != 0)
return r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolve: slightly shorten dns_resource_key_compare_func()
2020-12-29 14:29:21 +01:00
return CMP(x->class, y->class);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
DEFINE_HASH_OPS(dns_resource_key_hash_ops, DnsResourceKey, dns_resource_key_hash_func, dns_resource_key_compare_func);
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
Use provided buffer in dns_resource_key_to_string When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-15 00:51:55 +01:00
char* dns_resource_key_to_string(const DnsResourceKey *key, char *buf, size_t buf_size) {
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
const char *c, *t;
Use provided buffer in dns_resource_key_to_string When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-15 00:51:55 +01:00
char *ans = buf;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
resolved: add comments referencing various RFCs to various places
2015-12-29 19:27:09 +01:00
/* If we cannot convert the CLASS/TYPE into a known string,
use the format recommended by RFC 3597, Section 5. */
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
c = dns_class_to_string(key->class);
t = dns_type_to_string(key->type);
Use provided buffer in dns_resource_key_to_string When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-15 00:51:55 +01:00
snprintf(buf, buf_size, "%s %s%s%.0u %s%s%.0u",
dns_resource_key_name(key),
Replace empty ternary with helper method
2017-11-24 10:31:08 +01:00
strempty(c), c ? "" : "CLASS", c ? 0 : key->class,
resolve: fix log message
2018-06-19 14:01:57 +02:00
strempty(t), t ? "" : "TYPE", t ? 0 : key->type);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
Use provided buffer in dns_resource_key_to_string When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-15 00:51:55 +01:00
return ans;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
}
resolved: try to reduce number or DnsResourceKeys we keep around by merging them Quite often we read the same RR key multiple times from the same message. Try to replace them by a single object when we notice this. Do so again when we add things to the cache. This should reduce memory consumption a tiny bit.
2016-01-15 21:38:27 +01:00
bool dns_resource_key_reduce(DnsResourceKey **a, DnsResourceKey **b) {
assert(a);
assert(b);
/* Try to replace one RR key by another if they are identical, thus saving a bit of memory. Note that we do
* this only for RR keys, not for RRs themselves, as they carry a lot of additional metadata (where they come
* from, validity data, and suchlike), and cannot be replaced so easily by other RRs that have the same
* superficial data. */
if (!*a)
return false;
if (!*b)
return false;
/* We refuse merging const keys */
if ((*a)->n_ref == (unsigned) -1)
return false;
if ((*b)->n_ref == (unsigned) -1)
return false;
/* Already the same? */
if (*a == *b)
return true;
/* Are they really identical? */
if (dns_resource_key_equal(*a, *b) <= 0)
return false;
/* Keep the one which already has more references. */
if ((*a)->n_ref > (*b)->n_ref) {
dns_resource_key_unref(*b);
*b = dns_resource_key_ref(*a);
} else {
dns_resource_key_unref(*a);
*a = dns_resource_key_ref(*b);
}
return true;
}
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
DnsResourceRecord* dns_resource_record_new(DnsResourceKey *key) {
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
DnsResourceRecord *rr;
resolved: use structured initialization everywhere
2020-10-27 14:28:25 +01:00
rr = new(DnsResourceRecord, 1);
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
if (!rr)
return NULL;
resolved: use structured initialization everywhere
2020-10-27 14:28:25 +01:00
*rr = (DnsResourceRecord) {
.n_ref = 1,
.key = dns_resource_key_ref(key),
.expiry = USEC_INFINITY,
.n_skip_labels_signer = (unsigned) -1,
.n_skip_labels_source = (unsigned) -1,
};
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
return rr;
}
resolved: include SOA records in LLMNR replies for non-existing RRs to allow negative caching
2014-07-30 16:30:25 +02:00
DnsResourceRecord* dns_resource_record_new_full(uint16_t class, uint16_t type, const char *name) {
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
key = dns_resource_key_new(class, type, name);
if (!key)
return NULL;
return dns_resource_record_new(key);
}
tree-wide: use DEFINE_TRIVIAL_REF_UNREF_FUNC() macro or friends where applicable
2018-08-27 07:01:46 +02:00
static DnsResourceRecord* dns_resource_record_free(DnsResourceRecord *rr) {
assert(rr);
resolved: add a DNS client stub resolver Let's turn resolved into a something truly useful: a fully asynchronous DNS stub resolver that subscribes to network changes. (More to come: caching, LLMNR, mDNS/DNS-SD, DNSSEC, IDN, NSS module)
2014-07-16 00:26:02 +02:00
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
if (rr->key) {
resolved: SPF records
2014-08-01 03:47:51 +02:00
switch(rr->key->type) {
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
case DNS_TYPE_SRV:
free(rr->srv.name);
break;
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_PTR:
case DNS_TYPE_NS:
case DNS_TYPE_CNAME:
resolved: properly process DNAME RRs
2014-07-31 18:02:24 +02:00
case DNS_TYPE_DNAME:
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
free(rr->ptr.name);
resolved: SPF records
2014-08-01 03:47:51 +02:00
break;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_HINFO:
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
free(rr->hinfo.cpu);
free(rr->hinfo.os);
resolved: SPF records
2014-08-01 03:47:51 +02:00
break;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_TXT:
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
case DNS_TYPE_SPF:
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
dns_txt_item_free_all(rr->txt.items);
resolved: SPF records
2014-08-01 03:47:51 +02:00
break;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_SOA:
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
free(rr->soa.mname);
free(rr->soa.rname);
resolved: SPF records
2014-08-01 03:47:51 +02:00
break;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_MX:
resolved: MX records
2014-08-01 03:06:00 +02:00
free(rr->mx.exchange);
resolved: SPF records
2014-08-01 03:47:51 +02:00
break;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
resolved: rr - add DS support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_DS:
free(rr->ds.digest);
break;
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
case DNS_TYPE_SSHFP:
resolved: rr - SSHFP contains the fingerprint, not the key Rename the field to make this clearer.
2015-07-23 13:09:35 +02:00
free(rr->sshfp.fingerprint);
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
break;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
case DNS_TYPE_DNSKEY:
free(rr->dnskey.key);
break;
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
case DNS_TYPE_RRSIG:
free(rr->rrsig.signer);
free(rr->rrsig.signature);
break;
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_NSEC:
free(rr->nsec.next_domain_name);
bitmap_free(rr->nsec.types);
break;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_NSEC3:
free(rr->nsec3.next_hashed_name);
free(rr->nsec3.salt);
bitmap_free(rr->nsec3.types);
break;
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
case DNS_TYPE_LOC:
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_A:
case DNS_TYPE_AAAA:
break;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
resolved: TLSA records
2015-02-02 01:17:24 +01:00
case DNS_TYPE_TLSA:
free(rr->tlsa.data);
break;
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
case DNS_TYPE_CAA:
free(rr->caa.tag);
free(rr->caa.value);
break;
resolved: OPENPGPKEY records
2015-02-02 02:54:15 +01:00
case DNS_TYPE_OPENPGPKEY:
resolved: SPF records
2014-08-01 03:47:51 +02:00
default:
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
if (!rr->unparsable)
resolved: fix confusion with generic data in unparsable packets Issue 5465.
2018-01-18 10:19:48 +01:00
free(rr->generic.data);
resolved: SPF records
2014-08-01 03:47:51 +02:00
}
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
if (rr->unparsable)
resolved: fix confusion with generic data in unparsable packets Issue 5465.
2018-01-18 10:19:48 +01:00
free(rr->generic.data);
resolved: add code to generate the wire format for a single RR This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02 20:58:51 +01:00
free(rr->wire_format);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
dns_resource_key_unref(rr->key);
}
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
free(rr->to_string);
tree-wide: use mfree more
2016-10-17 00:28:30 +02:00
return mfree(rr);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
tree-wide: use DEFINE_TRIVIAL_REF_UNREF_FUNC() macro or friends where applicable
2018-08-27 07:01:46 +02:00
DEFINE_TRIVIAL_REF_UNREF_FUNC(DnsResourceRecord, dns_resource_record, dns_resource_record_free);
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
int dns_resource_record_new_reverse(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *hostname) {
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
_cleanup_free_ char *ptr = NULL;
int r;
assert(ret);
assert(address);
assert(hostname);
r = dns_name_reverse(family, address, &ptr);
if (r < 0)
return r;
key = dns_resource_key_new_consume(DNS_CLASS_IN, DNS_TYPE_PTR, ptr);
if (!key)
return -ENOMEM;
ptr = NULL;
rr = dns_resource_record_new(key);
if (!rr)
return -ENOMEM;
rr->ptr.name = strdup(hostname);
if (!rr->ptr.name)
return -ENOMEM;
tree-wide: use TAKE_PTR() and TAKE_FD() macros
2018-04-05 07:26:26 +02:00
*ret = TAKE_PTR(rr);
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
return 0;
}
resolved: rework synthesizing logic With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-08-17 23:54:08 +02:00
int dns_resource_record_new_address(DnsResourceRecord **ret, int family, const union in_addr_union *address, const char *name) {
DnsResourceRecord *rr;
assert(ret);
assert(address);
assert(family);
if (family == AF_INET) {
rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, name);
if (!rr)
return -ENOMEM;
rr->a.in_addr = address->in;
} else if (family == AF_INET6) {
rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_AAAA, name);
if (!rr)
return -ENOMEM;
rr->aaaa.in6_addr = address->in6;
} else
return -EAFNOSUPPORT;
*ret = rr;
return 0;
}
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
#define FIELD_EQUAL(a, b, field) \
((a).field ## _size == (b).field ## _size && \
travis: turn on nonnull-attribute on Fuzzit
2019-06-15 23:12:24 +02:00
memcmp_safe((a).field, (b).field, (a).field ## _size) == 0)
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
resolve: split the RR comparison function in two No functional change.
2019-02-27 10:27:35 +01:00
int dns_resource_record_payload_equal(const DnsResourceRecord *a, const DnsResourceRecord *b) {
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
int r;
resolve: split the RR comparison function in two No functional change.
2019-02-27 10:27:35 +01:00
/* Check if a and b are the same, but don't look at their keys */
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
if (a->unparsable != b->unparsable)
resolved: properly compare RRs we cannot parse
2014-07-31 18:41:54 +02:00
return 0;
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
switch (a->unparsable ? _DNS_TYPE_INVALID : a->key->type) {
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
case DNS_TYPE_SRV:
r = dns_name_equal(a->srv.name, b->srv.name);
if (r <= 0)
return r;
return a->srv.priority == b->srv.priority &&
a->srv.weight == b->srv.weight &&
a->srv.port == b->srv.port;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_PTR:
case DNS_TYPE_NS:
case DNS_TYPE_CNAME:
resolved: properly process DNAME RRs
2014-07-31 18:02:24 +02:00
case DNS_TYPE_DNAME:
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return dns_name_equal(a->ptr.name, b->ptr.name);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_HINFO:
return strcaseeq(a->hinfo.cpu, b->hinfo.cpu) &&
strcaseeq(a->hinfo.os, b->hinfo.os);
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_SPF: /* exactly the same as TXT */
resolve: fix NULL deref on strv comparison A strv might be NULL if it is empty. The txt.strings comparison doesn't take that into account. Introduce strv_equal() to provide a proper helper for this and fix resolve to use it. Thanks to Stanisław Pitucha <viraptor@gmail.com> for reporting this!
2014-11-27 16:08:46 +01:00
case DNS_TYPE_TXT:
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
return dns_txt_item_equal(a->txt.items, b->txt.items);
resolved: TXT records
2014-08-01 03:36:58 +02:00
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_A:
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return memcmp(&a->a.in_addr, &b->a.in_addr, sizeof(struct in_addr)) == 0;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_AAAA:
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return memcmp(&a->aaaa.in6_addr, &b->aaaa.in6_addr, sizeof(struct in6_addr)) == 0;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_SOA:
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
r = dns_name_equal(a->soa.mname, b->soa.mname);
if (r <= 0)
return r;
r = dns_name_equal(a->soa.rname, b->soa.rname);
if (r <= 0)
return r;
return a->soa.serial == b->soa.serial &&
a->soa.refresh == b->soa.refresh &&
a->soa.retry == b->soa.retry &&
a->soa.expire == b->soa.expire &&
a->soa.minimum == b->soa.minimum;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
resolved: MX records
2014-08-01 03:06:00 +02:00
case DNS_TYPE_MX:
if (a->mx.priority != b->mx.priority)
return 0;
return dns_name_equal(a->mx.exchange, b->mx.exchange);
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
case DNS_TYPE_LOC:
assert(a->loc.version == b->loc.version);
return a->loc.size == b->loc.size &&
a->loc.horiz_pre == b->loc.horiz_pre &&
a->loc.vert_pre == b->loc.vert_pre &&
a->loc.latitude == b->loc.latitude &&
a->loc.longitude == b->loc.longitude &&
a->loc.altitude == b->loc.altitude;
resolved: rr - add DS support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_DS:
return a->ds.key_tag == b->ds.key_tag &&
a->ds.algorithm == b->ds.algorithm &&
a->ds.digest_type == b->ds.digest_type &&
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
FIELD_EQUAL(a->ds, b->ds, digest);
resolved: rr - add DS support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
case DNS_TYPE_SSHFP:
return a->sshfp.algorithm == b->sshfp.algorithm &&
a->sshfp.fptype == b->sshfp.fptype &&
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
FIELD_EQUAL(a->sshfp, b->sshfp, fingerprint);
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
case DNS_TYPE_DNSKEY:
resolved: store DNSKEY fields flags+protocol as-is When verifying signatures we need to be able to verify the original data we got for an RR set, and that means we cannot simply drop flags bits or consider RRs invalid too eagerly. Hence, instead of parsing the DNSKEY flags store them as-is. Similar, accept the protocol field as it is, and don't consider it a parsing error if it is not 3. Of course, this means that the DNSKEY handling code later on needs to check explicit for protocol != 3.
2015-12-02 20:53:10 +01:00
return a->dnskey.flags == b->dnskey.flags &&
a->dnskey.protocol == b->dnskey.protocol &&
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
a->dnskey.algorithm == b->dnskey.algorithm &&
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
FIELD_EQUAL(a->dnskey, b->dnskey, key);
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
case DNS_TYPE_RRSIG:
/* do the fast comparisons first */
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
return a->rrsig.type_covered == b->rrsig.type_covered &&
a->rrsig.algorithm == b->rrsig.algorithm &&
a->rrsig.labels == b->rrsig.labels &&
a->rrsig.original_ttl == b->rrsig.original_ttl &&
a->rrsig.expiration == b->rrsig.expiration &&
a->rrsig.inception == b->rrsig.inception &&
a->rrsig.key_tag == b->rrsig.key_tag &&
FIELD_EQUAL(a->rrsig, b->rrsig, signature) &&
dns_name_equal(a->rrsig.signer, b->rrsig.signer);
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_NSEC:
return dns_name_equal(a->nsec.next_domain_name, b->nsec.next_domain_name) &&
bitmap_equal(a->nsec.types, b->nsec.types);
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_NSEC3:
return a->nsec3.algorithm == b->nsec3.algorithm &&
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
a->nsec3.flags == b->nsec3.flags &&
a->nsec3.iterations == b->nsec3.iterations &&
FIELD_EQUAL(a->nsec3, b->nsec3, salt) &&
FIELD_EQUAL(a->nsec3, b->nsec3, next_hashed_name) &&
bitmap_equal(a->nsec3.types, b->nsec3.types);
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
resolved: TLSA records
2015-02-02 01:17:24 +01:00
case DNS_TYPE_TLSA:
return a->tlsa.cert_usage == b->tlsa.cert_usage &&
a->tlsa.selector == b->tlsa.selector &&
a->tlsa.matching_type == b->tlsa.matching_type &&
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
FIELD_EQUAL(a->tlsa, b->tlsa, data);
resolved: TLSA records
2015-02-02 01:17:24 +01:00
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
case DNS_TYPE_CAA:
return a->caa.flags == b->caa.flags &&
streq(a->caa.tag, b->caa.tag) &&
FIELD_EQUAL(a->caa, b->caa, value);
case DNS_TYPE_OPENPGPKEY:
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
default:
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
return FIELD_EQUAL(a->generic, b->generic, data);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
}
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
resolve: split the RR comparison function in two No functional change.
2019-02-27 10:27:35 +01:00
int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecord *b) {
int r;
assert(a);
assert(b);
if (a == b)
return 1;
r = dns_resource_key_equal(a->key, b->key);
if (r <= 0)
return r;
return dns_resource_record_payload_equal(a, b);
}
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
static char* format_location(uint32_t latitude, uint32_t longitude, uint32_t altitude,
uint8_t size, uint8_t horiz_pre, uint8_t vert_pre) {
char *s;
char NS = latitude >= 1U<<31 ? 'N' : 'S';
char EW = longitude >= 1U<<31 ? 'E' : 'W';
int lat = latitude >= 1U<<31 ? (int) (latitude - (1U<<31)) : (int) ((1U<<31) - latitude);
int lon = longitude >= 1U<<31 ? (int) (longitude - (1U<<31)) : (int) ((1U<<31) - longitude);
double alt = altitude >= 10000000u ? altitude - 10000000u : -(double)(10000000u - altitude);
double siz = (size >> 4) * exp10((double) (size & 0xF));
double hor = (horiz_pre >> 4) * exp10((double) (horiz_pre & 0xF));
double ver = (vert_pre >> 4) * exp10((double) (vert_pre & 0xF));
if (asprintf(&s, "%d %d %.3f %c %d %d %.3f %c %.2fm %.2fm %.2fm %.2fm",
(lat / 60000 / 60),
(lat / 60000) % 60,
(lat % 60000) / 1000.,
NS,
(lon / 60000 / 60),
(lon / 60000) % 60,
(lon % 60000) / 1000.,
EW,
alt / 100.,
siz / 100.,
hor / 100.,
ver / 100.) < 0)
return NULL;
return s;
}
resolved: rr - print formated timestamps in RRSIG
2015-07-13 00:58:00 +02:00
static int format_timestamp_dns(char *buf, size_t l, time_t sec) {
struct tm tm;
assert(buf);
tree-wide: make use of new STRLEN() macro everywhere (#7639) Let's employ coccinelle to do this for us. Follow-up for #7625.
2017-12-14 19:02:29 +01:00
assert(l > STRLEN("YYYYMMDDHHmmSS"));
resolved: rr - print formated timestamps in RRSIG
2015-07-13 00:58:00 +02:00
if (!gmtime_r(&sec, &tm))
return -EINVAL;
if (strftime(buf, l, "%Y%m%d%H%M%S", &tm) <= 0)
return -EINVAL;
return 0;
}
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
static char *format_types(Bitmap *types) {
_cleanup_strv_free_ char **strv = NULL;
_cleanup_free_ char *str = NULL;
unsigned type;
int r;
tree-wide: define iterator inside of the macro
2020-09-08 11:58:29 +02:00
BITMAP_FOREACH(type, types) {
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
if (dns_type_to_string(type)) {
resolve: fix two minor memory leaks strv_extend() already strdup()s internally, no need to to this twice. (Also, was missing OOM check...). Use strv_consume() when we already have a string allocated whose ownership we want to pass to the strv. This fixes 50f1e641a93cacfc693b0c3d300bee5df0c8c460.
2015-07-23 03:24:08 +02:00
r = strv_extend(&strv, dns_type_to_string(type));
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
if (r < 0)
return NULL;
} else {
char *t;
r = asprintf(&t, "TYPE%u", type);
if (r < 0)
return NULL;
resolve: fix two minor memory leaks strv_extend() already strdup()s internally, no need to to this twice. (Also, was missing OOM check...). Use strv_consume() when we already have a string allocated whose ownership we want to pass to the strv. This fixes 50f1e641a93cacfc693b0c3d300bee5df0c8c460.
2015-07-23 03:24:08 +02:00
r = strv_consume(&strv, t);
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
if (r < 0)
return NULL;
}
}
str = strv_join(strv, " ");
if (!str)
return NULL;
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
return strjoin("( ", str, " )");
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
}
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
static char *format_txt(DnsTxtItem *first) {
DnsTxtItem *i;
size_t c = 1;
char *p, *s;
LIST_FOREACH(items, i, first)
c += i->length * 4 + 3;
p = s = new(char, c);
if (!s)
return NULL;
LIST_FOREACH(items, i, first) {
size_t j;
if (i != first)
*(p++) = ' ';
*(p++) = '"';
for (j = 0; j < i->length; j++) {
if (i->data[j] < ' ' || i->data[j] == '"' || i->data[j] >= 127) {
*(p++) = '\\';
*(p++) = '0' + (i->data[j] / 100);
*(p++) = '0' + ((i->data[j] / 10) % 10);
*(p++) = '0' + (i->data[j] % 10);
} else
*(p++) = i->data[j];
}
*(p++) = '"';
}
*p = 0;
return s;
}
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
const char *dns_resource_record_to_string(DnsResourceRecord *rr) {
Use provided buffer in dns_resource_key_to_string When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-15 00:51:55 +01:00
_cleanup_free_ char *t = NULL;
char *s, k[DNS_RESOURCE_KEY_STRING_MAX];
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
int r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
assert(rr);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
if (rr->to_string)
return rr->to_string;
Use provided buffer in dns_resource_key_to_string When the buffer is allocated on the stack we do not have to check for failure everywhere. This is especially useful in debug statements, because we can put dns_resource_key_to_string() call in the debug statement, and we do not need a seperate if (log_level >= LOG_DEBUG) for the conversion. dns_resource_key_to_string() is changed not to provide any whitespace padding. Most callers were stripping the whitespace with strstrip(), and it did not look to well anyway. systemd-resolve output is not column aligned anymore. The result of the conversion is not stored in DnsTransaction object anymore. It is used only for debugging, so it seems fine to generate it when needed. Various debug statements are extended to provide more information.
2016-02-15 00:51:55 +01:00
dns_resource_key_to_string(rr->key, k, sizeof(k));
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
switch (rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) {
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
case DNS_TYPE_SRV:
r = asprintf(&s, "%s %u %u %u %s",
k,
rr->srv.priority,
rr->srv.weight,
rr->srv.port,
strna(rr->srv.name));
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: properly process SRV records
2014-07-31 18:23:00 +02:00
break;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_PTR:
case DNS_TYPE_NS:
case DNS_TYPE_CNAME:
resolved: properly process DNAME RRs
2014-07-31 18:02:24 +02:00
case DNS_TYPE_DNAME:
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
s = strjoin(k, " ", rr->ptr.name);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
if (!s)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
break;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_HINFO:
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
s = strjoin(k, " ", rr->hinfo.cpu, " ", rr->hinfo.os);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
if (!s)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
break;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: SPF records
2014-08-01 03:47:51 +02:00
case DNS_TYPE_SPF: /* exactly the same as TXT */
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
case DNS_TYPE_TXT:
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
t = format_txt(rr->txt.items);
resolved: TXT records
2014-08-01 03:36:58 +02:00
if (!t)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: TXT records
2014-08-01 03:36:58 +02:00
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
s = strjoin(k, " ", t);
resolved: TXT records
2014-08-01 03:36:58 +02:00
if (!s)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: TXT records
2014-08-01 03:36:58 +02:00
break;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_A: {
_cleanup_free_ char *x = NULL;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
r = in_addr_to_string(AF_INET, (const union in_addr_union*) &rr->a.in_addr, &x);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
s = strjoin(k, " ", x);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
if (!s)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
break;
}
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
case DNS_TYPE_AAAA:
r = in_addr_to_string(AF_INET6, (const union in_addr_union*) &rr->aaaa.in6_addr, &t);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
s = strjoin(k, " ", t);
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
if (!s)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
break;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
case DNS_TYPE_SOA:
r = asprintf(&s, "%s %s %s %u %u %u %u %u",
k,
strna(rr->soa.mname),
strna(rr->soa.rname),
rr->soa.serial,
rr->soa.refresh,
rr->soa.retry,
rr->soa.expire,
rr->soa.minimum);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
break;
resolved: MX records
2014-08-01 03:06:00 +02:00
case DNS_TYPE_MX:
r = asprintf(&s, "%s %u %s",
k,
rr->mx.priority,
rr->mx.exchange);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: MX records
2014-08-01 03:06:00 +02:00
break;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
case DNS_TYPE_LOC:
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
assert(rr->loc.version == 0);
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
t = format_location(rr->loc.latitude,
rr->loc.longitude,
rr->loc.altitude,
rr->loc.size,
rr->loc.horiz_pre,
rr->loc.vert_pre);
if (!t)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
s = strjoin(k, " ", t);
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
if (!s)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: LOC records LOC records have a version field. So far only version 0 has been published, but if a record with a different version was encountered, our only recourse is to treat it as an unknown type. This is implemented with the 'unparseable' flag, which causes the serialization/deserialization and printing function to cause the record as a blob. The flag can be used if other packet types cannot be parsed for whatever reason.
2014-07-31 10:19:43 +02:00
break;
resolved: rr - add DS support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_DS:
t = hexmem(rr->ds.digest, rr->ds.digest_size);
if (!t)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add DS support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
r = asprintf(&s, "%s %u %u %u %s",
k,
rr->ds.key_tag,
rr->ds.algorithm,
rr->ds.digest_type,
t);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add DS support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
break;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
case DNS_TYPE_SSHFP:
resolved: rr - SSHFP contains the fingerprint, not the key Rename the field to make this clearer.
2015-07-23 13:09:35 +02:00
t = hexmem(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size);
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
if (!t)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
r = asprintf(&s, "%s %u %u %s",
k,
rr->sshfp.algorithm,
rr->sshfp.fptype,
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
t);
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: properly process SSHFP RRs
2014-07-31 18:41:41 +02:00
break;
resolved: add identifiers for dnssec algorithms
2014-08-03 22:44:49 +02:00
case DNS_TYPE_DNSKEY: {
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
_cleanup_free_ char *alg = NULL;
resolved: expand flags field in DNSKEY records
2015-02-03 05:49:49 +01:00
char *ss;
resolved: calculate and print tags for DNSKEY records
2015-02-04 23:06:33 +01:00
uint16_t key_tag;
key_tag = dnssec_keytag(rr, true);
resolved: add identifiers for dnssec algorithms
2014-08-03 22:44:49 +02:00
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
r = dnssec_algorithm_to_string_alloc(rr->dnskey.algorithm, &alg);
if (r < 0)
return NULL;
resolved: add identifiers for dnssec algorithms
2014-08-03 22:44:49 +02:00
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
r = asprintf(&s, "%s %u %u %s",
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
k,
resolved: store DNSKEY fields flags+protocol as-is When verifying signatures we need to be able to verify the original data we got for an RR set, and that means we cannot simply drop flags bits or consider RRs invalid too eagerly. Hence, instead of parsing the DNSKEY flags store them as-is. Similar, accept the protocol field as it is, and don't consider it a parsing error if it is not 3. Of course, this means that the DNSKEY handling code later on needs to check explicit for protocol != 3.
2015-12-02 20:53:10 +01:00
rr->dnskey.flags,
rr->dnskey.protocol,
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
alg);
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add alignment to base64 We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2014-08-05 00:59:31 +02:00
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
r = base64_append(&s, r,
resolved: add alignment to base64 We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2014-08-05 00:59:31 +02:00
rr->dnskey.key, rr->dnskey.key_size,
8, columns());
if (r < 0)
return NULL;
resolved: expand flags field in DNSKEY records
2015-02-03 05:49:49 +01:00
r = asprintf(&ss, "%s\n"
resolve: always align flags to 8th column and print CAA flags Left-over unknown flags are printed numerically. Otherwise, it wouldn't be known what bits are remaining without knowning what the known bits are. A test case is added to verify the flag printing code: ============== src/resolve/test-data/fake-caa.pkts ============== google.com. IN CAA 0 issue "symantec.com" google.com. IN CAA 128 issue "symantec.com" -- Flags: critical google.com. IN CAA 129 issue "symantec.com" -- Flags: critical 1 google.com. IN CAA 22 issue "symantec.com" -- Flags: 22
2016-02-02 03:35:44 +01:00
" -- Flags:%s%s%s\n"
" -- Key tag: %u",
resolved: expand flags field in DNSKEY records
2015-02-03 05:49:49 +01:00
s,
rr->dnskey.flags & DNSKEY_FLAG_SEP ? " SEP" : "",
rr->dnskey.flags & DNSKEY_FLAG_REVOKE ? " REVOKE" : "",
resolved: calculate and print tags for DNSKEY records
2015-02-04 23:06:33 +01:00
rr->dnskey.flags & DNSKEY_FLAG_ZONE_KEY ? " ZONE_KEY" : "",
key_tag);
resolved: expand flags field in DNSKEY records
2015-02-03 05:49:49 +01:00
if (r < 0)
return NULL;
free(s);
s = ss;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
break;
resolved: add identifiers for dnssec algorithms
2014-08-03 22:44:49 +02:00
}
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
case DNS_TYPE_RRSIG: {
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
_cleanup_free_ char *alg = NULL;
tree-wide: make use of new STRLEN() macro everywhere (#7639) Let's employ coccinelle to do this for us. Follow-up for #7625.
2017-12-14 19:02:29 +01:00
char expiration[STRLEN("YYYYMMDDHHmmSS") + 1], inception[STRLEN("YYYYMMDDHHmmSS") + 1];
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
const char *type;
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
type = dns_type_to_string(rr->rrsig.type_covered);
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
r = dnssec_algorithm_to_string_alloc(rr->rrsig.algorithm, &alg);
if (r < 0)
return NULL;
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
resolved: rr - print formated timestamps in RRSIG
2015-07-13 00:58:00 +02:00
r = format_timestamp_dns(expiration, sizeof(expiration), rr->rrsig.expiration);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - print formated timestamps in RRSIG
2015-07-13 00:58:00 +02:00
r = format_timestamp_dns(inception, sizeof(inception), rr->rrsig.inception);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - print formated timestamps in RRSIG
2015-07-13 00:58:00 +02:00
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
/* TYPE?? follows
* http://tools.ietf.org/html/rfc3597#section-5 */
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
r = asprintf(&s, "%s %s%.*u %s %u %u %s %s %u %s",
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
k,
type ?: "TYPE",
type ? 0 : 1, type ? 0u : (unsigned) rr->rrsig.type_covered,
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
alg,
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
rr->rrsig.labels,
rr->rrsig.original_ttl,
resolved: rr - print formated timestamps in RRSIG
2015-07-13 00:58:00 +02:00
expiration,
inception,
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
rr->rrsig.key_tag,
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
rr->rrsig.signer);
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add alignment to base64 We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2014-08-05 00:59:31 +02:00
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
r = base64_append(&s, r,
resolved: add alignment to base64 We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2014-08-05 00:59:31 +02:00
rr->rrsig.signature, rr->rrsig.signature_size,
8, columns());
if (r < 0)
return NULL;
resolved: RRSIG records
2014-08-04 00:17:22 +02:00
break;
}
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_NSEC:
t = format_types(rr->nsec.types);
if (!t)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
r = asprintf(&s, "%s %s %s",
k,
rr->nsec.next_domain_name,
t);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add NSEC support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
break;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
case DNS_TYPE_NSEC3: {
_cleanup_free_ char *salt = NULL, *hash = NULL;
resolve: unify memdup() code when parsing RRs Let's make dns_packet_read_public_key() more generic by renaming it to dns_packet_read_memdup() (which more accurately describes what it does...). Then, patch all cases where we memdup() RR data to use this new call. This specifically checks for zero-length objects, and handles them gracefully. It will set zero length payload fields as a result. Special care should be taken to ensure that any code using this call can handle the returned allocated field to be NULL if the size is specified as 0!
2015-07-23 04:04:19 +02:00
if (rr->nsec3.salt_size > 0) {
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
salt = hexmem(rr->nsec3.salt, rr->nsec3.salt_size);
if (!salt)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
}
hash = base32hexmem(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, false);
if (!hash)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
t = format_types(rr->nsec3.types);
if (!t)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
r = asprintf(&s, "%s %"PRIu8" %"PRIu8" %"PRIu16" %s %s %s",
k,
rr->nsec3.algorithm,
rr->nsec3.flags,
rr->nsec3.iterations,
resolve: unify memdup() code when parsing RRs Let's make dns_packet_read_public_key() more generic by renaming it to dns_packet_read_memdup() (which more accurately describes what it does...). Then, patch all cases where we memdup() RR data to use this new call. This specifically checks for zero-length objects, and handles them gracefully. It will set zero length payload fields as a result. Special care should be taken to ensure that any code using this call can handle the returned allocated field to be NULL if the size is specified as 0!
2015-07-23 04:04:19 +02:00
rr->nsec3.salt_size > 0 ? salt : "-",
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
hash,
t);
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: rr - add NSEC3 support Needed for DNSSEC.
2015-07-13 01:51:03 +02:00
break;
}
resolved: TLSA records
2015-02-02 01:17:24 +01:00
case DNS_TYPE_TLSA: {
resolved: convert TLSA fields to string Example output: _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256
2015-02-02 05:50:50 +01:00
const char *cert_usage, *selector, *matching_type;
resolved: TLSA records
2015-02-02 01:17:24 +01:00
resolved: convert TLSA fields to string Example output: _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256
2015-02-02 05:50:50 +01:00
cert_usage = tlsa_cert_usage_to_string(rr->tlsa.cert_usage);
selector = tlsa_selector_to_string(rr->tlsa.selector);
matching_type = tlsa_matching_type_to_string(rr->tlsa.matching_type);
resolve: print TLSA packets in hexadecimal https://tools.ietf.org/html/rfc6698#section-2.2 says: > The certificate association data field MUST be represented as a string > of hexadecimal characters. Whitespace is allowed within the string of > hexadecimal characters
2016-02-17 02:36:10 +01:00
t = hexmem(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size);
if (!t)
resolved: TLSA records
2015-02-02 01:17:24 +01:00
return NULL;
resolved: convert TLSA fields to string Example output: _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256
2015-02-02 05:50:50 +01:00
resolve: print TLSA packets in hexadecimal https://tools.ietf.org/html/rfc6698#section-2.2 says: > The certificate association data field MUST be represented as a string > of hexadecimal characters. Whitespace is allowed within the string of > hexadecimal characters
2016-02-17 02:36:10 +01:00
r = asprintf(&s,
"%s %u %u %u %s\n"
resolve: always align flags to 8th column and print CAA flags Left-over unknown flags are printed numerically. Otherwise, it wouldn't be known what bits are remaining without knowning what the known bits are. A test case is added to verify the flag printing code: ============== src/resolve/test-data/fake-caa.pkts ============== google.com. IN CAA 0 issue "symantec.com" google.com. IN CAA 128 issue "symantec.com" -- Flags: critical google.com. IN CAA 129 issue "symantec.com" -- Flags: critical 1 google.com. IN CAA 22 issue "symantec.com" -- Flags: 22
2016-02-02 03:35:44 +01:00
" -- Cert. usage: %s\n"
" -- Selector: %s\n"
" -- Matching type: %s",
resolve: print TLSA packets in hexadecimal https://tools.ietf.org/html/rfc6698#section-2.2 says: > The certificate association data field MUST be represented as a string > of hexadecimal characters. Whitespace is allowed within the string of > hexadecimal characters
2016-02-17 02:36:10 +01:00
k,
rr->tlsa.cert_usage,
rr->tlsa.selector,
rr->tlsa.matching_type,
t,
resolve: always align flags to 8th column and print CAA flags Left-over unknown flags are printed numerically. Otherwise, it wouldn't be known what bits are remaining without knowning what the known bits are. A test case is added to verify the flag printing code: ============== src/resolve/test-data/fake-caa.pkts ============== google.com. IN CAA 0 issue "symantec.com" google.com. IN CAA 128 issue "symantec.com" -- Flags: critical google.com. IN CAA 129 issue "symantec.com" -- Flags: critical 1 google.com. IN CAA 22 issue "symantec.com" -- Flags: 22
2016-02-02 03:35:44 +01:00
cert_usage,
selector,
matching_type);
resolved: convert TLSA fields to string Example output: _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256
2015-02-02 05:50:50 +01:00
if (r < 0)
return NULL;
resolved: TLSA records
2015-02-02 01:17:24 +01:00
break;
}
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
case DNS_TYPE_CAA: {
_cleanup_free_ char *value;
value = octescape(rr->caa.value, rr->caa.value_size);
if (!value)
return NULL;
resolve: always align flags to 8th column and print CAA flags Left-over unknown flags are printed numerically. Otherwise, it wouldn't be known what bits are remaining without knowning what the known bits are. A test case is added to verify the flag printing code: ============== src/resolve/test-data/fake-caa.pkts ============== google.com. IN CAA 0 issue "symantec.com" google.com. IN CAA 128 issue "symantec.com" -- Flags: critical google.com. IN CAA 129 issue "symantec.com" -- Flags: critical 1 google.com. IN CAA 22 issue "symantec.com" -- Flags: 22
2016-02-02 03:35:44 +01:00
r = asprintf(&s, "%s %u %s \"%s\"%s%s%s%.0u",
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
k,
rr->caa.flags,
rr->caa.tag,
resolve: always align flags to 8th column and print CAA flags Left-over unknown flags are printed numerically. Otherwise, it wouldn't be known what bits are remaining without knowning what the known bits are. A test case is added to verify the flag printing code: ============== src/resolve/test-data/fake-caa.pkts ============== google.com. IN CAA 0 issue "symantec.com" google.com. IN CAA 128 issue "symantec.com" -- Flags: critical google.com. IN CAA 129 issue "symantec.com" -- Flags: critical 1 google.com. IN CAA 22 issue "symantec.com" -- Flags: 22
2016-02-02 03:35:44 +01:00
value,
rr->caa.flags ? "\n -- Flags:" : "",
rr->caa.flags & CAA_FLAG_CRITICAL ? " critical" : "",
rr->caa.flags & ~CAA_FLAG_CRITICAL ? " " : "",
rr->caa.flags & ~CAA_FLAG_CRITICAL);
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
if (r < 0)
return NULL;
break;
}
resolved: OPENPGPKEY records
2015-02-02 02:54:15 +01:00
case DNS_TYPE_OPENPGPKEY: {
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
r = asprintf(&s, "%s", k);
resolved: OPENPGPKEY records
2015-02-02 02:54:15 +01:00
if (r < 0)
return NULL;
resolve: drop unnecessary %n fields from dns_resource_record_to_string() And use returned value by asprintf() instead. This hopefully fixes #11733.
2019-02-16 17:04:49 +01:00
r = base64_append(&s, r,
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
rr->generic.data, rr->generic.data_size,
resolved: OPENPGPKEY records
2015-02-02 02:54:15 +01:00
8, columns());
if (r < 0)
return NULL;
break;
}
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
default:
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
t = hexmem(rr->generic.data, rr->generic.data_size);
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
if (!t)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
resolved: add comments referencing various RFCs to various places
2015-12-29 19:27:09 +01:00
/* Format as documented in RFC 3597, Section 5 */
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
r = asprintf(&s, "%s \\# %zu %s", k, rr->generic.data_size, t);
resolved: improve printing of unknown RRs This implements the recommendations from RFC3597.
2015-07-14 04:32:29 +02:00
if (r < 0)
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
return NULL;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
break;
resolved: DNSKEY records
2014-08-03 22:05:41 +02:00
}
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
resolved: internalize string buffer of dns_resource_record_to_string() Let's simplify usage and memory management of DnsResourceRecord's dns_resource_record_to_string() call: cache the formatted string as part of the object, and return it on subsequent calls, freeing it when the DnsResourceRecord itself is freed.
2015-12-21 16:31:29 +01:00
rr->to_string = s;
return s;
resolved: add API for resolving specific RRs
2014-07-30 19:23:27 +02:00
}
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
systemd-resolve: allow keys to be dumped in binary form $ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
2016-01-29 00:24:28 +01:00
ssize_t dns_resource_record_payload(DnsResourceRecord *rr, void **out) {
assert(rr);
assert(out);
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
switch(rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) {
systemd-resolve: allow keys to be dumped in binary form $ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
2016-01-29 00:24:28 +01:00
case DNS_TYPE_SRV:
case DNS_TYPE_PTR:
case DNS_TYPE_NS:
case DNS_TYPE_CNAME:
case DNS_TYPE_DNAME:
case DNS_TYPE_HINFO:
case DNS_TYPE_SPF:
case DNS_TYPE_TXT:
case DNS_TYPE_A:
case DNS_TYPE_AAAA:
case DNS_TYPE_SOA:
case DNS_TYPE_MX:
case DNS_TYPE_LOC:
case DNS_TYPE_DS:
case DNS_TYPE_DNSKEY:
case DNS_TYPE_RRSIG:
case DNS_TYPE_NSEC:
case DNS_TYPE_NSEC3:
return -EINVAL;
resolve: also allow SSHFP payload to be exported
2016-02-17 02:55:23 +01:00
case DNS_TYPE_SSHFP:
*out = rr->sshfp.fingerprint;
return rr->sshfp.fingerprint_size;
systemd-resolve: allow keys to be dumped in binary form $ systemd-resolve --raw --openpgp zbyszek@fedoraproject.org | pgpdump /dev/stdin
2016-01-29 00:24:28 +01:00
case DNS_TYPE_TLSA:
*out = rr->tlsa.data;
return rr->tlsa.data_size;
case DNS_TYPE_OPENPGPKEY:
default:
*out = rr->generic.data;
return rr->generic.data_size;
}
}
resolved: add code to generate the wire format for a single RR This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02 20:58:51 +01:00
int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical) {
DnsPacket packet = {
.n_ref = 1,
.protocol = DNS_PROTOCOL_DNS,
.on_stack = true,
.refuse_compression = true,
.canonical_form = canonical,
};
size_t start, rds;
int r;
assert(rr);
/* Generates the RR in wire-format, optionally in the
* canonical form as discussed in the DNSSEC RFC 4034, Section
* 6.2. We allocate a throw-away DnsPacket object on the stack
* here, because we need some book-keeping for memory
* management, and can reuse the DnsPacket serializer, that
* can generate the canonical form, too, but also knows label
* compression and suchlike. */
if (rr->wire_format && rr->wire_format_canonical == canonical)
return 0;
resolved: add cache-flush bit to answers in mDNS announcements See the section 10.2 of RFC6762 for details. Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
2016-12-02 14:28:14 +01:00
r = dns_packet_append_rr(&packet, rr, 0, &start, &rds);
resolved: add code to generate the wire format for a single RR This adds dns_resource_record_to_wire_format() that generates the raw wire-format of a single DnsResourceRecord object, and caches it in the object, optionally in DNSSEC canonical form. This call is used later to generate the RR serialization of RRs to verify. This adds four new fields to DnsResourceRecord objects: - wire_format points to the buffer with the wire-format version of the RR - wire_format_size stores the size of that buffer - wire_format_rdata_offset specifies the index into the buffer where the RDATA of the RR begins (i.e. the size of the key part of the RR). - wire_format_canonical is a boolean that stores whether the cached wire format is in DNSSEC canonical form or not. Note that this patch adds a mode where a DnsPacket is allocated on the stack (instead of on the heap), so that it is cheaper to reuse the DnsPacket object for generating this wire format. After all we reuse the DnsPacket object for this, since it comes with all the dynamic memory management, and serialization calls we need anyway.
2015-12-02 20:58:51 +01:00
if (r < 0)
return r;
assert(start == 0);
assert(packet._data);
free(rr->wire_format);
rr->wire_format = packet._data;
rr->wire_format_size = packet.size;
rr->wire_format_rdata_offset = rds;
rr->wire_format_canonical = canonical;
packet._data = NULL;
dns_packet_unref(&packet);
return 0;
}
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
int dns_resource_record_signer(DnsResourceRecord *rr, const char **ret) {
const char *n;
int r;
assert(rr);
assert(ret);
/* Returns the RRset's signer, if it is known. */
if (rr->n_skip_labels_signer == (unsigned) -1)
return -ENODATA;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
n = dns_resource_key_name(rr->key);
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
r = dns_name_skip(n, rr->n_skip_labels_signer, &n);
if (r < 0)
return r;
if (r == 0)
return -EINVAL;
*ret = n;
return 0;
}
int dns_resource_record_source(DnsResourceRecord *rr, const char **ret) {
const char *n;
int r;
assert(rr);
assert(ret);
/* Returns the RRset's synthesizing source, if it is known. */
if (rr->n_skip_labels_source == (unsigned) -1)
return -ENODATA;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
n = dns_resource_key_name(rr->key);
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
r = dns_name_skip(n, rr->n_skip_labels_source, &n);
if (r < 0)
return r;
if (r == 0)
return -EINVAL;
*ret = n;
return 0;
}
int dns_resource_record_is_signer(DnsResourceRecord *rr, const char *zone) {
const char *signer;
int r;
resolved: complete NSEC non-existance proofs This fills in the last few gaps: - When checking if a domain is non-existing, also check that no wildcard for it exists - Ensure we don't base "covering" tests on NSEC RRs from a parent zone - Refuse to accept expanded wildcard NSEC RRs for absence proofs.
2016-01-15 02:21:22 +01:00
assert(rr);
resolved: when validating an RRset, store information about the synthesizing source and zone in each RR Having this information available is useful when we need to check whether various RRs are suitable for proofs. This information is stored in the RRs as number of labels to skip from the beginning of the owner name to reach the synthesizing source/signer. Simple accessor calls are then added to retrieve the signer/source from the RR using this information. This also moves validation of a a number of RRSIG parameters into a new call dnssec_rrsig_prepare() that as side-effect initializes the two numeric values.
2016-01-14 18:03:03 +01:00
r = dns_resource_record_signer(rr, &signer);
if (r < 0)
return r;
return dns_name_equal(zone, signer);
}
resolved: complete NSEC non-existance proofs This fills in the last few gaps: - When checking if a domain is non-existing, also check that no wildcard for it exists - Ensure we don't base "covering" tests on NSEC RRs from a parent zone - Refuse to accept expanded wildcard NSEC RRs for absence proofs.
2016-01-15 02:21:22 +01:00
int dns_resource_record_is_synthetic(DnsResourceRecord *rr) {
int r;
assert(rr);
/* Returns > 0 if the RR is generated from a wildcard, and is not the asterisk name itself */
if (rr->n_skip_labels_source == (unsigned) -1)
return -ENODATA;
if (rr->n_skip_labels_source == 0)
return 0;
if (rr->n_skip_labels_source > 1)
return 1;
Replace DNS_RESOURCE_KEY_NAME with a version which always returns "." for root This fixes formatting of root domain in debug messages: Old: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (., DNSKEY with key tag: 19036). New: systemd-resolved[10049]: Requesting DS to validate transaction 19313 (, DNSKEY with key tag: 19036).
2016-02-13 20:54:15 +01:00
r = dns_name_startswith(dns_resource_key_name(rr->key), "*");
resolved: complete NSEC non-existance proofs This fills in the last few gaps: - When checking if a domain is non-existing, also check that no wildcard for it exists - Ensure we don't base "covering" tests on NSEC RRs from a parent zone - Refuse to accept expanded wildcard NSEC RRs for absence proofs.
2016-01-15 02:21:22 +01:00
if (r < 0)
return r;
return !r;
}
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
void dns_resource_record_hash_func(const DnsResourceRecord *rr, struct siphash *state) {
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
assert(rr);
dns_resource_key_hash_func(rr->key, state);
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
switch (rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) {
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
case DNS_TYPE_SRV:
siphash24_compress(&rr->srv.priority, sizeof(rr->srv.priority), state);
siphash24_compress(&rr->srv.weight, sizeof(rr->srv.weight), state);
siphash24_compress(&rr->srv.port, sizeof(rr->srv.port), state);
dns_name_hash_func(rr->srv.name, state);
break;
case DNS_TYPE_PTR:
case DNS_TYPE_NS:
case DNS_TYPE_CNAME:
case DNS_TYPE_DNAME:
dns_name_hash_func(rr->ptr.name, state);
break;
case DNS_TYPE_HINFO:
string_hash_func(rr->hinfo.cpu, state);
string_hash_func(rr->hinfo.os, state);
break;
case DNS_TYPE_TXT:
case DNS_TYPE_SPF: {
DnsTxtItem *j;
LIST_FOREACH(items, j, rr->txt.items) {
siphash24_compress(j->data, j->length, state);
shared: make sure foo.bar and foobar result in different domain name hashes This also introduces a new macro siphash24_compress_byte() which is useful to add a single byte into the hash stream, and ports one user over to it.
2016-01-08 01:11:55 +01:00
/* Add an extra NUL byte, so that "a" followed by "b" doesn't result in the same hash as "ab"
* followed by "". */
siphash24_compress_byte(0, state);
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
}
break;
}
case DNS_TYPE_A:
siphash24_compress(&rr->a.in_addr, sizeof(rr->a.in_addr), state);
break;
case DNS_TYPE_AAAA:
siphash24_compress(&rr->aaaa.in6_addr, sizeof(rr->aaaa.in6_addr), state);
break;
case DNS_TYPE_SOA:
dns_name_hash_func(rr->soa.mname, state);
dns_name_hash_func(rr->soa.rname, state);
siphash24_compress(&rr->soa.serial, sizeof(rr->soa.serial), state);
siphash24_compress(&rr->soa.refresh, sizeof(rr->soa.refresh), state);
siphash24_compress(&rr->soa.retry, sizeof(rr->soa.retry), state);
siphash24_compress(&rr->soa.expire, sizeof(rr->soa.expire), state);
siphash24_compress(&rr->soa.minimum, sizeof(rr->soa.minimum), state);
break;
case DNS_TYPE_MX:
siphash24_compress(&rr->mx.priority, sizeof(rr->mx.priority), state);
dns_name_hash_func(rr->mx.exchange, state);
break;
case DNS_TYPE_LOC:
siphash24_compress(&rr->loc.version, sizeof(rr->loc.version), state);
siphash24_compress(&rr->loc.size, sizeof(rr->loc.size), state);
siphash24_compress(&rr->loc.horiz_pre, sizeof(rr->loc.horiz_pre), state);
siphash24_compress(&rr->loc.vert_pre, sizeof(rr->loc.vert_pre), state);
siphash24_compress(&rr->loc.latitude, sizeof(rr->loc.latitude), state);
siphash24_compress(&rr->loc.longitude, sizeof(rr->loc.longitude), state);
siphash24_compress(&rr->loc.altitude, sizeof(rr->loc.altitude), state);
break;
case DNS_TYPE_SSHFP:
siphash24_compress(&rr->sshfp.algorithm, sizeof(rr->sshfp.algorithm), state);
siphash24_compress(&rr->sshfp.fptype, sizeof(rr->sshfp.fptype), state);
siphash24_compress(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size, state);
break;
case DNS_TYPE_DNSKEY:
siphash24_compress(&rr->dnskey.flags, sizeof(rr->dnskey.flags), state);
siphash24_compress(&rr->dnskey.protocol, sizeof(rr->dnskey.protocol), state);
siphash24_compress(&rr->dnskey.algorithm, sizeof(rr->dnskey.algorithm), state);
siphash24_compress(rr->dnskey.key, rr->dnskey.key_size, state);
break;
case DNS_TYPE_RRSIG:
siphash24_compress(&rr->rrsig.type_covered, sizeof(rr->rrsig.type_covered), state);
siphash24_compress(&rr->rrsig.algorithm, sizeof(rr->rrsig.algorithm), state);
siphash24_compress(&rr->rrsig.labels, sizeof(rr->rrsig.labels), state);
siphash24_compress(&rr->rrsig.original_ttl, sizeof(rr->rrsig.original_ttl), state);
siphash24_compress(&rr->rrsig.expiration, sizeof(rr->rrsig.expiration), state);
siphash24_compress(&rr->rrsig.inception, sizeof(rr->rrsig.inception), state);
siphash24_compress(&rr->rrsig.key_tag, sizeof(rr->rrsig.key_tag), state);
dns_name_hash_func(rr->rrsig.signer, state);
siphash24_compress(rr->rrsig.signature, rr->rrsig.signature_size, state);
break;
case DNS_TYPE_NSEC:
dns_name_hash_func(rr->nsec.next_domain_name, state);
/* FIXME: we leave out the type bitmap here. Hash
* would be better if we'd take it into account
* too. */
break;
case DNS_TYPE_DS:
siphash24_compress(&rr->ds.key_tag, sizeof(rr->ds.key_tag), state);
siphash24_compress(&rr->ds.algorithm, sizeof(rr->ds.algorithm), state);
siphash24_compress(&rr->ds.digest_type, sizeof(rr->ds.digest_type), state);
siphash24_compress(rr->ds.digest, rr->ds.digest_size, state);
break;
case DNS_TYPE_NSEC3:
siphash24_compress(&rr->nsec3.algorithm, sizeof(rr->nsec3.algorithm), state);
siphash24_compress(&rr->nsec3.flags, sizeof(rr->nsec3.flags), state);
siphash24_compress(&rr->nsec3.iterations, sizeof(rr->nsec3.iterations), state);
siphash24_compress(rr->nsec3.salt, rr->nsec3.salt_size, state);
siphash24_compress(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, state);
/* FIXME: We leave the bitmaps out */
break;
resolved: TLSA records
2015-02-02 01:17:24 +01:00
case DNS_TYPE_TLSA:
siphash24_compress(&rr->tlsa.cert_usage, sizeof(rr->tlsa.cert_usage), state);
siphash24_compress(&rr->tlsa.selector, sizeof(rr->tlsa.selector), state);
siphash24_compress(&rr->tlsa.matching_type, sizeof(rr->tlsa.matching_type), state);
Fix hashing of TLSA packets Also add example files with TLSA and SSHFP records.
2016-01-31 22:23:00 +01:00
siphash24_compress(rr->tlsa.data, rr->tlsa.data_size, state);
resolved: TLSA records
2015-02-02 01:17:24 +01:00
break;
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
resolve: parse CAA records
2016-01-31 22:21:00 +01:00
case DNS_TYPE_CAA:
siphash24_compress(&rr->caa.flags, sizeof(rr->caa.flags), state);
string_hash_func(rr->caa.tag, state);
siphash24_compress(rr->caa.value, rr->caa.value_size, state);
resolved: TLSA records
2015-02-02 01:17:24 +01:00
break;
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
resolved: OPENPGPKEY records
2015-02-02 02:54:15 +01:00
case DNS_TYPE_OPENPGPKEY:
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
default:
resolved: add macro to compare sized fields For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29 00:23:59 +01:00
siphash24_compress(rr->generic.data, rr->generic.data_size, state);
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
break;
}
}
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
static int dns_resource_record_compare_func(const DnsResourceRecord *x, const DnsResourceRecord *y) {
int r;
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
r = dns_resource_key_compare_func(x->key, y->key);
if (r != 0)
return r;
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
if (dns_resource_record_equal(x, y))
return 0;
resolve: use CMP() in dns_resource_record_compare_func This function doesn't really implement ordering, but CMP() is still fine to use there. Keep the comment in place, just update it slightly to indicate that.
2018-08-07 04:21:38 +02:00
/* We still use CMP() here, even though don't implement proper
* ordering, since the hashtable doesn't need ordering anyway. */
return CMP(x, y);
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
}
tree-wide: make hash_ops typesafe
2018-11-27 14:25:20 +01:00
DEFINE_HASH_OPS(dns_resource_record_hash_ops, DnsResourceRecord, dns_resource_record_hash_func, dns_resource_record_compare_func);
resolved: when validating, first strip revoked trust anchor keys from validated keys list When validating a transaction we initially collect DNSKEY, DS, SOA RRs in the "validated_keys" list, that we need for the proofs. This includes DNSKEY and DS data from our trust anchor database. Quite possibly we learn that some of these DNSKEY/DS RRs have been revoked between the time we request and collect those additional RRs and we begin the validation step. In this case we need to make sure that the respective DS/DNSKEY RRs are removed again from our list. This patch adds that, and strips known revoked trust anchor RRs from the validated list before we begin the actual validation proof, and each time we add more DNSKEY material to it while we are doing the proof.
2016-01-07 20:33:31 +01:00
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
DnsResourceRecord *dns_resource_record_copy(DnsResourceRecord *rr) {
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *copy = NULL;
DnsResourceRecord *t;
assert(rr);
copy = dns_resource_record_new(rr->key);
if (!copy)
return NULL;
copy->ttl = rr->ttl;
copy->expiry = rr->expiry;
copy->n_skip_labels_signer = rr->n_skip_labels_signer;
copy->n_skip_labels_source = rr->n_skip_labels_source;
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
copy->unparsable = rr->unparsable;
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
tree-wide: "unparseable" → "unparsable" "unparsable" is the more common spelling. We already pick "movable" over "moveable". Let's do the same with this pair.
2020-07-02 09:58:23 +02:00
switch (rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) {
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
case DNS_TYPE_SRV:
copy->srv.priority = rr->srv.priority;
copy->srv.weight = rr->srv.weight;
copy->srv.port = rr->srv.port;
copy->srv.name = strdup(rr->srv.name);
if (!copy->srv.name)
return NULL;
break;
case DNS_TYPE_PTR:
case DNS_TYPE_NS:
case DNS_TYPE_CNAME:
case DNS_TYPE_DNAME:
copy->ptr.name = strdup(rr->ptr.name);
if (!copy->ptr.name)
return NULL;
break;
case DNS_TYPE_HINFO:
copy->hinfo.cpu = strdup(rr->hinfo.cpu);
if (!copy->hinfo.cpu)
return NULL;
copy->hinfo.os = strdup(rr->hinfo.os);
*: fix some inconsistent control statement style
2017-12-02 01:49:52 +01:00
if (!copy->hinfo.os)
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
return NULL;
break;
case DNS_TYPE_TXT:
case DNS_TYPE_SPF:
copy->txt.items = dns_txt_item_copy(rr->txt.items);
if (!copy->txt.items)
return NULL;
break;
case DNS_TYPE_A:
copy->a = rr->a;
break;
case DNS_TYPE_AAAA:
copy->aaaa = rr->aaaa;
break;
case DNS_TYPE_SOA:
copy->soa.mname = strdup(rr->soa.mname);
if (!copy->soa.mname)
return NULL;
copy->soa.rname = strdup(rr->soa.rname);
if (!copy->soa.rname)
return NULL;
copy->soa.serial = rr->soa.serial;
copy->soa.refresh = rr->soa.refresh;
copy->soa.retry = rr->soa.retry;
copy->soa.expire = rr->soa.expire;
copy->soa.minimum = rr->soa.minimum;
break;
case DNS_TYPE_MX:
copy->mx.priority = rr->mx.priority;
copy->mx.exchange = strdup(rr->mx.exchange);
if (!copy->mx.exchange)
return NULL;
break;
case DNS_TYPE_LOC:
copy->loc = rr->loc;
break;
case DNS_TYPE_SSHFP:
copy->sshfp.algorithm = rr->sshfp.algorithm;
copy->sshfp.fptype = rr->sshfp.fptype;
copy->sshfp.fingerprint = memdup(rr->sshfp.fingerprint, rr->sshfp.fingerprint_size);
if (!copy->sshfp.fingerprint)
return NULL;
copy->sshfp.fingerprint_size = rr->sshfp.fingerprint_size;
break;
case DNS_TYPE_DNSKEY:
copy->dnskey.flags = rr->dnskey.flags;
copy->dnskey.protocol = rr->dnskey.protocol;
copy->dnskey.algorithm = rr->dnskey.algorithm;
copy->dnskey.key = memdup(rr->dnskey.key, rr->dnskey.key_size);
if (!copy->dnskey.key)
return NULL;
copy->dnskey.key_size = rr->dnskey.key_size;
break;
case DNS_TYPE_RRSIG:
copy->rrsig.type_covered = rr->rrsig.type_covered;
copy->rrsig.algorithm = rr->rrsig.algorithm;
copy->rrsig.labels = rr->rrsig.labels;
copy->rrsig.original_ttl = rr->rrsig.original_ttl;
copy->rrsig.expiration = rr->rrsig.expiration;
copy->rrsig.inception = rr->rrsig.inception;
copy->rrsig.key_tag = rr->rrsig.key_tag;
copy->rrsig.signer = strdup(rr->rrsig.signer);
if (!copy->rrsig.signer)
return NULL;
copy->rrsig.signature = memdup(rr->rrsig.signature, rr->rrsig.signature_size);
if (!copy->rrsig.signature)
return NULL;
copy->rrsig.signature_size = rr->rrsig.signature_size;
break;
case DNS_TYPE_NSEC:
copy->nsec.next_domain_name = strdup(rr->nsec.next_domain_name);
if (!copy->nsec.next_domain_name)
return NULL;
copy->nsec.types = bitmap_copy(rr->nsec.types);
if (!copy->nsec.types)
return NULL;
break;
case DNS_TYPE_DS:
copy->ds.key_tag = rr->ds.key_tag;
copy->ds.algorithm = rr->ds.algorithm;
copy->ds.digest_type = rr->ds.digest_type;
copy->ds.digest = memdup(rr->ds.digest, rr->ds.digest_size);
if (!copy->ds.digest)
return NULL;
copy->ds.digest_size = rr->ds.digest_size;
break;
case DNS_TYPE_NSEC3:
copy->nsec3.algorithm = rr->nsec3.algorithm;
copy->nsec3.flags = rr->nsec3.flags;
copy->nsec3.iterations = rr->nsec3.iterations;
copy->nsec3.salt = memdup(rr->nsec3.salt, rr->nsec3.salt_size);
if (!copy->nsec3.salt)
return NULL;
copy->nsec3.salt_size = rr->nsec3.salt_size;
copy->nsec3.next_hashed_name = memdup(rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size);
resolved: check return value of memdup() correctly for OOM
2020-11-03 18:06:47 +01:00
if (!copy->nsec3.next_hashed_name)
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
return NULL;
copy->nsec3.next_hashed_name_size = rr->nsec3.next_hashed_name_size;
copy->nsec3.types = bitmap_copy(rr->nsec3.types);
if (!copy->nsec3.types)
return NULL;
break;
case DNS_TYPE_TLSA:
copy->tlsa.cert_usage = rr->tlsa.cert_usage;
copy->tlsa.selector = rr->tlsa.selector;
copy->tlsa.matching_type = rr->tlsa.matching_type;
copy->tlsa.data = memdup(rr->tlsa.data, rr->tlsa.data_size);
if (!copy->tlsa.data)
return NULL;
copy->tlsa.data_size = rr->tlsa.data_size;
break;
case DNS_TYPE_CAA:
copy->caa.flags = rr->caa.flags;
copy->caa.tag = strdup(rr->caa.tag);
if (!copy->caa.tag)
return NULL;
copy->caa.value = memdup(rr->caa.value, rr->caa.value_size);
if (!copy->caa.value)
return NULL;
copy->caa.value_size = rr->caa.value_size;
break;
case DNS_TYPE_OPT:
default:
copy->generic.data = memdup(rr->generic.data, rr->generic.data_size);
if (!copy->generic.data)
return NULL;
copy->generic.data_size = rr->generic.data_size;
break;
}
tree-wide: use TAKE_PTR() and TAKE_FD() macros
2018-04-05 07:26:26 +02:00
t = TAKE_PTR(copy);
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
return t;
}
int dns_resource_record_clamp_ttl(DnsResourceRecord **rr, uint32_t max_ttl) {
DnsResourceRecord *old_rr, *new_rr;
uint32_t new_ttl;
assert(rr);
old_rr = *rr;
if (old_rr->key->type == DNS_TYPE_OPT)
return -EINVAL;
new_ttl = MIN(old_rr->ttl, max_ttl);
if (new_ttl == old_rr->ttl)
return 0;
if (old_rr->n_ref == 1) {
/* Patch in place */
old_rr->ttl = new_ttl;
return 1;
}
new_rr = dns_resource_record_copy(old_rr);
if (!new_rr)
return -ENOMEM;
new_rr->ttl = new_ttl;
dns_resource_record_unref(*rr);
*rr = new_rr;
return 1;
}
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i) {
DnsTxtItem *n;
if (!i)
return NULL;
n = i->items_next;
free(i);
return dns_txt_item_free_all(n);
}
bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b) {
resolved: shortcut RR comparisons if pointers match When iterating through RR lists we frequently end up comparing RRs and RR keys with themselves, hence att a minor optimization to check ptr values first, before doing a deep comparison.
2015-12-09 17:28:50 +01:00
if (a == b)
return true;
resolved: accept TXT records with non-UTF8 strings RFC 6763 is very clear that TXT RRs should allow arbitrary binary content, hence let's actually accept that. This also means accepting NUL bytes in the middle of strings.
2015-11-20 19:01:43 +01:00
if (!a != !b)
return false;
if (!a)
return true;
if (a->length != b->length)
return false;
if (memcmp(a->data, b->data, a->length) != 0)
return false;
return dns_txt_item_equal(a->items_next, b->items_next);
}
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
resolved: when using the ResolveRecord() bus call, adjust TTL for caching time When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
2016-06-20 21:24:46 +02:00
DnsTxtItem *dns_txt_item_copy(DnsTxtItem *first) {
DnsTxtItem *i, *copy = NULL, *end = NULL;
LIST_FOREACH(items, i, first) {
DnsTxtItem *j;
j = memdup(i, offsetof(DnsTxtItem, data) + i->length + 1);
if (!j) {
dns_txt_item_free_all(copy);
return NULL;
}
LIST_INSERT_AFTER(items, copy, end, j);
end = j;
}
return copy;
}
resolved: inroduce dns_txt_item_new_empty() function
2017-11-24 14:24:57 +01:00
int dns_txt_item_new_empty(DnsTxtItem **ret) {
DnsTxtItem *i;
/* RFC 6763, section 6.1 suggests to treat
* empty TXT RRs as equivalent to a TXT record
* with a single empty string. */
i = malloc0(offsetof(DnsTxtItem, data) + 1); /* for safety reasons we add an extra NUL byte */
if (!i)
return -ENOMEM;
*ret = i;
return 0;
}
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
static const char* const dnssec_algorithm_table[_DNSSEC_ALGORITHM_MAX_DEFINED] = {
resolved: include GOST in list of DNSSEC algorithms We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.)
2015-12-29 19:09:14 +01:00
/* Mnemonics as listed on https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
[DNSSEC_ALGORITHM_RSAMD5] = "RSAMD5",
[DNSSEC_ALGORITHM_DH] = "DH",
[DNSSEC_ALGORITHM_DSA] = "DSA",
[DNSSEC_ALGORITHM_ECC] = "ECC",
[DNSSEC_ALGORITHM_RSASHA1] = "RSASHA1",
[DNSSEC_ALGORITHM_DSA_NSEC3_SHA1] = "DSA-NSEC3-SHA1",
[DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1] = "RSASHA1-NSEC3-SHA1",
[DNSSEC_ALGORITHM_RSASHA256] = "RSASHA256",
[DNSSEC_ALGORITHM_RSASHA512] = "RSASHA512",
resolved: include GOST in list of DNSSEC algorithms We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.)
2015-12-29 19:09:14 +01:00
[DNSSEC_ALGORITHM_ECC_GOST] = "ECC-GOST",
[DNSSEC_ALGORITHM_ECDSAP256SHA256] = "ECDSAP256SHA256",
[DNSSEC_ALGORITHM_ECDSAP384SHA384] = "ECDSAP384SHA384",
resolve: add support for RFC 8080 (#7600) RFC 8080 describes how to use EdDSA keys and signatures in DNSSEC. It uses the curves Ed25519 and Ed448. Libgcrypt 1.8.1 does not support Ed448, so only the Ed25519 is supported at the moment. Once Libgcrypt supports Ed448, support for it can be trivially added to resolve.
2017-12-12 16:30:12 +01:00
[DNSSEC_ALGORITHM_ED25519] = "ED25519",
[DNSSEC_ALGORITHM_ED448] = "ED448",
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
[DNSSEC_ALGORITHM_INDIRECT] = "INDIRECT",
[DNSSEC_ALGORITHM_PRIVATEDNS] = "PRIVATEDNS",
[DNSSEC_ALGORITHM_PRIVATEOID] = "PRIVATEOID",
};
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(dnssec_algorithm, int, 255);
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
static const char* const dnssec_digest_table[_DNSSEC_DIGEST_MAX_DEFINED] = {
resolved: include GOST in list of DNSSEC algorithms We don't implement it, and we have no intention to, but at least mention that it exists. (This also adds a couple of other algorithms to the algorithm string list, where these strings were missing previously.)
2015-12-29 19:09:14 +01:00
/* Names as listed on https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
[DNSSEC_DIGEST_SHA1] = "SHA-1",
[DNSSEC_DIGEST_SHA256] = "SHA-256",
[DNSSEC_DIGEST_GOST_R_34_11_94] = "GOST_R_34.11-94",
[DNSSEC_DIGEST_SHA384] = "SHA-384",
resolved: move algorithm/digest definitions into resolved-dns-rr.h After all, they are for flags and parameters of RRs and already relevant when dealing with RRs outside of the serialization concept.
2015-12-02 22:56:04 +01:00
};
resolved: add negative trust anchro support, and add trust anchor configuration files This adds negative trust anchor support and allows reading trust anchor data from disk, from files /etc/systemd/dnssec-trust-anchors.d/*.positive and /etc/systemd/dnssec-trust-anchros.d/*.negative, as well as the matching counterparts in /usr/lib and /run. The positive trust anchor files are more or less compatible to normal DNS zone files containing DNSKEY and DS RRs. The negative trust anchor files contain only new-line separated hostnames for which to require no signing. By default no trust anchor files are installed, in which case the compiled-in root domain DS RR is used, as before. As soon as at least one positive root anchor for the root is defined via trust anchor files this buil-in DS RR is not added though.
2016-01-02 22:12:13 +01:00
DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(dnssec_digest, int, 255);