Commit graph

406 commits

Author SHA1 Message Date
Daniel Mack 124602aea8 resolved: add mDNS packet dispatcher
Add the packet dispatching routine for mDNS.

It differs to what LLMNR and DNS dispatchers do in the way it matches
incoming packets. In mDNS, we actually handle all incoming packets,
regardless whether we asked for them earlier or not.
2015-12-08 16:51:40 +01:00
Daniel Mack d84e543d92 resolved: allow name compression in NSEC records 2015-12-08 16:51:40 +01:00
Daniel Mack 11a27c2ec1 resolved: handle mDNS timeouts per transaction
mDNS packet timeouts need to be handled per transaction, not per link.
Re-use the n_attempts field for this purpose, as packets timeouts should be
determined by starting at 1 second, and doubling the value on each try.
2015-12-08 16:51:40 +01:00
Daniel Mack ef7ce6df4d resolved: short-cut jitter callbacks for LLMNR and mDNS
When a jitter callback is issued instead of sending a DNS packet directly,
on_transaction_timeout() is invoked to 'retry' the transaction. However,
this function has side effects. For once, it increases the packet loss
counter on the scope, and it also unrefs/refs the server instances.

Fix this by tracking the jitter with two bool variables. One saying that
the initial jitter has been scheduled in the first place, and one that
tells us the delay packet has been sent.
2015-12-08 16:51:40 +01:00
Daniel Mack 90325e8c2e resolved: flush keys when DNS_RESOURCE_KEY_CACHE_FLUSH is set
In mDNS, DNS_RESOURCE_KEY_CACHE_FLUSH denotes whether other records with the
same key should be flushed from the cache.
2015-12-08 16:51:39 +01:00
Daniel Mack 23502de3b0 resolved: add cache flush flag to DnsResourceKey
MDNS has a 'key cache flush' flag for records which must be masked out for
the parsers to do our right thing. We will also use that flag later (in a
different patch) in order to alter the cache behavior.
2015-12-08 16:41:45 +01:00
Daniel Mack ea12bcc789 resolved: add mDNS initial jitter
The logic is to kick off mDNS packets in a delayed way is mostly identical
to what LLMNR needs, except that the constants are different.
2015-12-08 16:41:45 +01:00
Daniel Mack b4f1862df2 resolved: create dns scopes for mDNS
Follow what LLMNR does, and create per-link DnsScope objects.
2015-12-08 16:41:45 +01:00
Daniel Mack 0db4c90afd resolved: add code to join/leave mDNS multicast groups
Per link, join the mDNS multicast groups when the scope is created, and
leave it again when the scope goes away.
2015-12-08 16:41:45 +01:00
Daniel Mack 4e5bf5e158 resolved: add packet header details for mDNS
Validate mDNS queries and responses by looking at some header fields,
add mDNS flags.
2015-12-08 16:41:45 +01:00
Daniel Mack bc7702b098 resolved: add infrastructure for mDNS related sockets
Just hook up mDNS listeners with an empty packet dispather function,
introduce a config directive, man page updates etc.
2015-12-08 16:37:40 +01:00
Thomas Hindoe Paaboel Andersen 22ebb9e4a9 resolve: remove unused variable 2015-12-06 13:49:33 +01:00
Lennart Poettering bb1fa24261 resolved: update DNSSEC TODO list a bit 2015-12-03 21:17:50 +01:00
Lennart Poettering 931851e8e4 resolved: add a concept of "authenticated" responses
This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return
on the bus. When set, then the data has been authenticated. For now this
mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as
the client-side validation is complete it will be hooked up to this flag
too.

We also set this bit whenver we generated the data ourselves, for
example, because it originates in our local LLMNR zone, or from the
built-in trust anchor database.

The "systemd-resolve-host" tool has been updated to show the flag state
for the data it shows.
2015-12-03 21:17:49 +01:00
Lennart Poettering 3ba27cd339 resolved: when synthesizing NODATA from cached NSEC bitmaps, honour CNAME/DNAME
When an RR type is not set in an NSEC, then the CNAME/DNAME types might
still be, hence check them too.

Otherwise we might end up refusing resolving of CNAME'd RRs if we cached
an NSEC before.
2015-12-03 21:17:49 +01:00
Lennart Poettering 2cd8727718 resolved: maintain a short TODO list for DNSSEC support in the dnssec C files for now 2015-12-03 21:17:49 +01:00
Lennart Poettering 24710c48ed resolved: introduce a dnssec_mode setting per scope
The setting controls which kind of DNSSEC validation is done: none at
all, trusting the AD bit, or client-side validation.

For now, no validation is implemented, hence the setting doesn't do much
yet, except of toggling the CD bit in the generated messages if full
client-side validation is requested.
2015-12-03 21:17:49 +01:00
Lennart Poettering 896c567247 resolved: add a limit on the max DNSSEC RRSIG expiry skew we allow 2015-12-03 21:17:49 +01:00
Lennart Poettering 0d2cd47617 resolved: add a simple trust anchor database as additional RR source
When doing DNSSEC lookups we need to know one or more DS or DNSKEY RRs
as trust anchors to validate lookups. With this change we add a
compiled-in trust anchor database, serving the root DS key as of today,
retrieved from:

https://data.iana.org/root-anchors/root-anchors.xml

The interface is kept generic, so that additional DS or DNSKEY RRs may
be served via the same interface, for example by provisioning them
locally in external files to support "islands" of security.

The trust anchor database becomes the fourth source of RRs we maintain,
besides, the network, the local cache, and the local zone.
2015-12-03 21:17:49 +01:00
Lennart Poettering 28b9b76406 resolved: rework how we allow allow queries to be dispatched to scopes
Previously, we'd never do any single-label or root domain lookups via
DNS, thus leaving single-label lookups to LLMNR and the search path
logic in order that single-label names don't leak too easily onto the
internet. With this change we open things up a bit, and only prohibit
A/AAAA lookups of single-label/root domains, but allow all other
lookups. This should provide similar protection, but allow us to resolve
DNSKEY+DS RRs for the top-level and root domains.

(This also simplifies handling of the search domain detection, and gets
rid of dns_scope_has_search_domains() in favour of
dns_scope_get_search_domains()).
2015-12-03 21:17:49 +01:00
Lennart Poettering 22f711bb6a resolved: don't bother with picking a search domain when searching is disabled 2015-12-03 21:17:49 +01:00
Lennart Poettering 1b4f6e79ec resolved: optionally, allocate DnsResourceKey objects on the stack
Sometimes when looking up entries in hashmaps indexed by a
DnsResourceKey it is helpful not having to allocate a full
DnsResourceKey dynamically just to use it as search key. Instead,
optionally allow allocation of a DnsResourceKey on the stack. Resource
keys allocated like that of course are subject to other lifetime cycles
than the usual Resource keys, hence initialize the reference counter to
to (unsigned) -1.

While we are at it, remove the prototype for
dns_resource_key_new_dname() which was never implemented.
2015-12-03 21:17:49 +01:00
Lennart Poettering 2a44bec4f6 resolved: make expiration error recognizable 2015-12-03 21:17:49 +01:00
Lennart Poettering c9ad0edbab resolved: refuse resolving of a number of domains listed in RFC6303
We already blacklisted a few domains, add more.
2015-12-03 21:17:49 +01:00
Lennart Poettering 964ef14c25 resolved: support the RSASHA1_NSEC3_SHA1 pseudo-algorithm
RSASHA1_NSEC3_SHA1 is an alias for RSASHA1, used to do NSEC3 feature
negotiation. While verifying RRsets there's no difference, hence support
it here.
2015-12-03 00:39:44 +01:00
Lennart Poettering 37da893166 resolved: synthesize NODATA cache results when we find matching NSEC RRs
If we have a precisely matching NSEC RR for a name, we can use its type
bit field to synthesize NODATA cache lookup results for all types not
mentioned in there.

This is useful for mDNS where NSEC RRs are used to indicate missing RRs
for a specific type, but is beneficial in other cases too.

To test this, consider these two lines:

systemd-resolve-host -t NSEC nasa.gov
systemd-resolve-host -t SRV nasa.gov

The second line will not result in traffic as the first line already
cached the NSEC field.
2015-12-03 00:26:58 +01:00
Lennart Poettering 8730bccfc5 resolved: move algorithm/digest definitions into resolved-dns-rr.h
After all, they are for flags and parameters of RRs and already relevant
when dealing with RRs outside of the serialization concept.
2015-12-03 00:26:58 +01:00
Lennart Poettering 2a32632159 resolved: don't accept expired RRSIGs 2015-12-03 00:26:58 +01:00
Lennart Poettering 2b442ac878 resolved: add basic DNSSEC support
This adds most basic operation for doing DNSSEC validation on the
client side. However, it does not actually add the verification logic to
the resolver. Specifically, this patch only includes:

- Verifying DNSKEY RRs against a DS RRs
- Verifying RRSets against a combination of RRSIG and DNSKEY RRs
- Matching up RRSIG RRs and DNSKEY RRs
- Matching up RR keys and RRSIG RRs
- Calculating the DNSSEC key tag from a DNSKEY RR

All currently used DNSSEC combinations of SHA and RSA are implemented. Support
for MD5 hashing and DSA or EC cyphers are not. MD5 and DSA are probably
obsolete, and shouldn't be added. EC should probably be added
eventually, if it actually is deployed on the Internet.
2015-12-02 22:50:11 +01:00
Lennart Poettering 4e2d538f33 resolved: port ResolveRecord() bus call implementation to dns_resource_record_to_wire_format()
Now that we have dns_resource_record_to_wire_format() we can generate
the RR serialization we return to bus clients in ResolveRecord() with
it. We pass the RR data along in the original form, not the DNSSEC
canonical form, since that would mean we'd lose RR name casing, which is
however important to keep for DNS-SD services and similar.
2015-12-02 22:50:11 +01:00
Lennart Poettering a8812dd7f1 resolved: add code to generate the wire format for a single RR
This adds dns_resource_record_to_wire_format() that generates the raw
wire-format of a single DnsResourceRecord object, and caches it in the
object, optionally in DNSSEC canonical form. This call is used later to
generate the RR serialization of RRs to verify.

This adds four new fields to DnsResourceRecord objects:

- wire_format points to the buffer with the wire-format version of the
  RR
- wire_format_size stores the size of that buffer
- wire_format_rdata_offset specifies the index into the buffer where the
  RDATA of the RR begins (i.e. the size of the key part of the RR).
- wire_format_canonical is a boolean that stores whether the cached wire
  format is in DNSSEC canonical form or not.

Note that this patch adds a mode where a DnsPacket is allocated on the
stack (instead of on the heap), so that it is cheaper to reuse the
DnsPacket object for generating this wire format. After all we reuse the
DnsPacket object for this, since it comes with all the dynamic memory
management, and serialization calls we need anyway.
2015-12-02 22:50:11 +01:00
Lennart Poettering 9551c15505 resolved: add code to map DNSSEC digest types to strings and back 2015-12-02 22:50:11 +01:00
Lennart Poettering f91dc2400d resolved: store DNSKEY fields flags+protocol as-is
When verifying signatures we need to be able to verify the original
data we got for an RR set, and that means we cannot simply drop flags
bits or consider RRs invalid too eagerly. Hence, instead of parsing the
DNSKEY flags store them as-is. Similar, accept the protocol field as it
is, and don't consider it a parsing error if it is not 3.

Of course, this means that the DNSKEY handling code later on needs to
check explicit for protocol != 3.
2015-12-02 22:50:11 +01:00
Lennart Poettering e30ec345ac resolved: add RFC 5702 defined DNSSEC algorithms to table 2015-12-02 22:50:11 +01:00
Lennart Poettering 92aea95e16 resolved: make sure DNS_ANSWER_FOREACH() can be nested
Change the iterator counter so that a different varable is used for each
invocation of the macro, so that it may be nested.
2015-12-02 20:43:11 +01:00
Lennart Poettering c38a52dae3 resolved: simplify dns_packet_append_string()
It essentially does the same as dns_packet_append_raw_string(), hence
make it a wrapper around it.
2015-12-02 20:35:08 +01:00
Thomas Hindoe Paaboel Andersen ae96c4eb2c tree-wide: remove unused variables 2015-11-29 08:59:40 +01:00
David Herrmann 564c44436c Merge pull request #2052 from poettering/export-cleanup
Make gcc cleanup helper calls public in most of our sd-xyz APIs
2015-11-27 20:26:33 +01:00
Lennart Poettering 9ead3519c5 resolved: add one more comment with a link to the matching RFC 2015-11-27 19:23:46 +01:00
Lennart Poettering 4afd3348c7 tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.

With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.

The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).

This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.

Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:

       #define _cleanup_(function) __attribute__((cleanup(function)))

Or similar, to make the gcc feature easier to use.

Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.

See #2008.
2015-11-27 19:19:36 +01:00
Tom Gundersen d74fb368b1 resolved: announce support for large UDP packets
This is often needed for proper DNSSEC support, and even to handle AAAA records
without falling back to TCP.

If the path between the client and server is fully compliant, this should always
work, however, that is not the case, and overlarge packets will get mysteriously
lost in some cases.

For that reason, we use a similar fallback mechanism as we do for palin EDNS0,
EDNS0+DO, etc.:

The large UDP size feature is different from the other supported feature, as we
cannot simply verify that it works based on receiving a reply (as the server
will usually send us much smaller packets than what we claim to support, so
simply receiving a reply does not mean much).

For that reason, we keep track of the largest UDP packet we ever received, as this
is the smallest known good size (defaulting to the standard 512 bytes). If
announcing the default large size of 4096 fails (in the same way as the other
features), we fall back to the known good size. The same logic of retrying after a
grace-period applies.
2015-11-27 01:35:47 +01:00
Tom Gundersen 7586f4d172 resolved: set the DNSSEC OK (DO) flag
This indicates that we can handle DNSSEC records (per RFC3225), even if
all we do is silently drop them. This feature requires EDNS0 support.

As we do not yet support larger UDP packets, this feature increases the
risk of getting truncated packets.

Similarly to how we fall back to plain UDP if EDNS0 fails, we will fall
back to plain EDNS0 if EDNS0+DO fails (with the same logic of remembering
success and retrying after a grace period after failure).
2015-11-27 01:35:34 +01:00
Tom Gundersen 9c5e12a431 resolved: implement minimal EDNS0 support
This is a minimal implementation of RFC6891. Only default values
are used, so in reality this will be a noop.

EDNS0 support is dependent on the current server's feature level,
so appending the OPT pseudo RR is done when the packet is emitted,
rather than when it is assembled. To handle different feature
levels on retransmission, we strip off the OPT RR again after
sending the packet.

Similarly, to how we fall back to TCP if UDP fails, we fall back
to plain UDP if EDNS0 fails (but if EDNS0 ever succeeded we never
fall back again, and after a timeout we will retry EDNS0).
2015-11-27 01:35:34 +01:00
Tom Gundersen dc913c9a1f resolved: rr - add OPT pseudo-rr support
Needed for EDNS0.
2015-11-27 01:35:34 +01:00
Tom Gundersen 4e0b8b17a7 resolved: degrade the feature level on explicit failure
Previously, we would only degrade on packet loss, but when adding EDNS0 support,
we also have to handle the case where the server replies with an explicit error.
2015-11-27 01:35:33 +01:00
Tom Gundersen be808ea083 resolved: fallback to TCP if UDP fails
This is inspired by the logic in BIND [0], follow-up patches
will implement the reset of that scheme.

If we get a server error back, or if after several attempts we don't
get a reply at all, we switch from UDP to TCP for the given
server for the current and all subsequent requests. However, if
we ever successfully received a reply over UDP, we never fall
back to TCP, and once a grace-period has passed, we try to upgrade
again to using UDP. The grace-period starts off at five minutes
after the current feature level was verified and then grows
exponentially to six hours. This is to mitigate problems due
to temporary lack of network connectivity, but at the same time
avoid flooding the network with retries when the feature attempted
feature level genuinely does not work.

Note that UDP is likely much more commonly supported than TCP,
but depending on the path between the client and the server, we
may have more luck with TCP in case something is wrong. We really
do prefer UDP though, as that is much more lightweight, that is
why TCP is only the last resort.

[0]: <https://kb.isc.org/article/AA-01219/0/Refinements-to-EDNS-fallback-behavior-can-cause-different-outcomes-in-Recursive-Servers.html>
2015-11-27 01:35:33 +01:00
Lennart Poettering d830ebbdf6 resolved: never cache RRs originating from localhost
After all, this is likely a local DNS forwarder that caches anyway,
hence there's no point in caching twice.

Fixes #2038.
2015-11-27 00:46:51 +01:00
Lennart Poettering 452b4e327d resolved: flush the global DNS cache if /etc/resolv.conf is touched
After all /etc/resolv.conf is usually done when the network
configuration changes, which is a good reason to flush the global cache.

See: #2038
2015-11-27 00:46:51 +01:00
Lennart Poettering bf7fabd600 resolved: don't clear the server list too eagerly
If /etc/resolv.conf is missing, this should not result in the server
list to be cleared, after all the native data from resolved.conf
shouldn't be flushed out then. Hence flush out the data only if
/etc/resolv.conf exists, but we cannot read it for some reason.
2015-11-27 00:46:51 +01:00
Lennart Poettering 039a8725fd resolved: fix build 2015-11-27 00:10:29 +01:00