Systemd/src/resolve
Lennart Poettering 0c7bff0acc resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard response
This implements RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4:

When we receive a response with an RRset generated from a wildcard we
need to look for one NSEC/NSEC3 RR that proves that there's no explicit RR
around before we accept the wildcard RRset as response.

This patch does a couple of things: the validation calls will now
identify wildcard signatures for us, and let us know the RRSIG used (so
that the RRSIG's signer field lets us know what the wildcard was that
generated the entry). Moreover, when iterating through the RRsets of a
response we now employ three phases instead of just two.

a) in the first phase we only look for DNSKEY RRs
b) in the second phase we only look for NSEC RRs
c) in the third phase we look for all kinds of RRs

Phase a) is necessary, since DNSKEYs "unlock" more signatures for us,
hence we shouldn't assume a key is missing until all DNSKEY RRs have
been processed.

Phase b) is necessary since NSECs need to be validated before we can
validate wildcard RRs due to the logic explained above.

Phase c) validates everything else. This phase also handles RRsets that
cannot be fully validated and removes them or lets the transaction fail.
2016-01-11 19:39:59 +01:00
.gitignore resolve: add more record types and convert to gperf table 2014-08-03 22:02:32 -04:00
dns-type.c resolved: split out a new dns_type_may_redirect() call 2015-12-26 19:09:09 +01:00
dns-type.h resolved: split out a new dns_type_may_redirect() call 2015-12-26 19:09:09 +01:00
Makefile resolved: add daemon to manage resolv.conf 2014-05-19 18:14:56 +02:00
org.freedesktop.resolve1.conf resolved: add legacy dbus service and policy files 2014-07-16 03:41:39 +02:00
org.freedesktop.resolve1.service resolved: add legacy dbus service and policy files 2014-07-16 03:41:39 +02:00
resolved-bus.c resolved: query_process_cname - make fully recursive 2016-01-07 14:43:24 +01:00
resolved-bus.h resolved: rename resolved.h to resolved-manager.h 2014-08-01 16:14:59 +02:00
resolved-conf.c resolved,networkd: add a per-interface DNSSEC setting 2016-01-05 20:10:31 +01:00
resolved-conf.h resolved,networkd: unify ResolveSupport enum 2016-01-05 17:30:51 +01:00
resolved-def.h resolved: add packet header details for mDNS 2015-12-08 16:41:45 +01:00
resolved-dns-answer.c resolved: partially implement RFC5011 Trust Anchor support 2016-01-04 22:42:10 +01:00
resolved-dns-answer.h resolved: partially implement RFC5011 Trust Anchor support 2016-01-04 22:42:10 +01:00
resolved-dns-cache.c resolved: when caching negative responses, honour NSEC/NSEC3 TTLs 2016-01-05 01:35:28 +01:00
resolved-dns-cache.h resolved: when caching negative responses, honour NSEC/NSEC3 TTLs 2016-01-05 01:35:28 +01:00
resolved-dns-dnssec.c resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard response 2016-01-11 19:39:59 +01:00
resolved-dns-dnssec.h resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard response 2016-01-11 19:39:59 +01:00
resolved-dns-packet.c basic: introduce generic ascii_strlower_n() call and make use of it everywhere 2016-01-11 19:39:59 +01:00
resolved-dns-packet.h resolved: parse EDNS0 rcode extension bits 2015-12-29 21:42:09 +01:00
resolved-dns-query.c resolved: query_process_cname - make fully recursive 2016-01-07 14:43:24 +01:00
resolved-dns-query.h resolved: query_process_cname - make fully recursive 2016-01-07 14:43:24 +01:00
resolved-dns-question.c resolved: cache - do negative caching only on the canonical name 2015-12-10 17:04:42 +01:00
resolved-dns-question.h resolved: make sure DNS_ANSWER_FOREACH() can be nested 2015-12-02 20:43:11 +01:00
resolved-dns-rr.c resolved: when validating, first strip revoked trust anchor keys from validated keys list 2016-01-11 19:39:59 +01:00
resolved-dns-rr.h resolved: when validating, first strip revoked trust anchor keys from validated keys list 2016-01-11 19:39:59 +01:00
resolved-dns-scope.c resolved,networkd: add a per-interface DNSSEC setting 2016-01-05 20:10:31 +01:00
resolved-dns-scope.h resolved: rework OPT RR generation logic 2015-12-27 01:41:40 +01:00
resolved-dns-search-domain.c dns-domain: simplify dns_name_is_root() and dns_name_is_single_label() 2015-11-25 22:00:07 +01:00
resolved-dns-search-domain.h resolved: fully support DNS search domains 2015-11-25 21:59:16 +01:00
resolved-dns-server.c resolved: use CLAMP() instead of MIN(MAX()) 2015-12-29 21:42:10 +01:00
resolved-dns-server.h resolved: rename "features" variables to "feature_level" 2015-12-27 01:41:40 +01:00
resolved-dns-stream.c resolved: don't set TCP_NODELAY twice for TCP sockets 2015-12-26 19:09:10 +01:00
resolved-dns-stream.h remove unused includes 2015-02-23 23:53:42 +01:00
resolved-dns-transaction.c resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard response 2016-01-11 19:39:59 +01:00
resolved-dns-transaction.h resolved: when caching negative responses, honour NSEC/NSEC3 TTLs 2016-01-05 01:35:28 +01:00
resolved-dns-trust-anchor.c resolved: when validating, first strip revoked trust anchor keys from validated keys list 2016-01-11 19:39:59 +01:00
resolved-dns-trust-anchor.h resolved: when validating, first strip revoked trust anchor keys from validated keys list 2016-01-11 19:39:59 +01:00
resolved-dns-zone.c resolved: internalize string buffer of dns_resource_record_to_string() 2015-12-26 19:09:10 +01:00
resolved-dns-zone.h resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled 2015-12-10 11:35:52 +01:00
resolved-gperf.gperf resolved,networkd: add a per-interface DNSSEC setting 2016-01-05 20:10:31 +01:00
resolved-link.c resolved: introduce support for per-interface negative trust anchors 2016-01-06 18:36:32 +01:00
resolved-link.h resolved: introduce support for per-interface negative trust anchors 2016-01-06 18:36:32 +01:00
resolved-llmnr.c resolved,networkd: unify ResolveSupport enum 2016-01-05 17:30:51 +01:00
resolved-llmnr.h resolved: use a #define for LLMNR port 2015-07-13 11:28:29 -04:00
resolved-manager.c resolved,networkd: add a per-interface DNSSEC setting 2016-01-05 20:10:31 +01:00
resolved-manager.h resolved,networkd: add a per-interface DNSSEC setting 2016-01-05 20:10:31 +01:00
resolved-mdns.c resolved,networkd: unify ResolveSupport enum 2016-01-05 17:30:51 +01:00
resolved-mdns.h resolved: add infrastructure for mDNS related sockets 2015-12-08 16:37:40 +01:00
resolved-resolv-conf.c resolved: flush the global DNS cache if /etc/resolv.conf is touched 2015-11-27 00:46:51 +01:00
resolved-resolv-conf.h resolved: split out all code dealing with /etc/resolv.conf into its own .c file 2015-11-25 21:58:37 +01:00
resolved.c resolved,networkd: add a per-interface DNSSEC setting 2016-01-05 20:10:31 +01:00
resolved.conf.in resolved: make MulticastDNS support configurable in resolved.conf 2016-01-05 17:41:41 +01:00
RFCs update RFCs 2016-01-04 22:42:10 +01:00
test-dnssec.c resolved: partially implement RFC5011 Trust Anchor support 2016-01-04 22:42:10 +01:00