Systemd/src/resolve
Lennart Poettering 105e151299 resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned
This large patch adds a couple of mechanisms to ensure we get NSEC3 and
proof-of-unsigned support into place. Specifically:

- Each item in a DnsAnswer gets two bit flags now:
  DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is
  necessary since DNS responses might contain signed as well as unsigned
  RRsets in one, and we need to remember which ones are signed and which
  ones aren't. The latter is necessary, since now we need to keep track
  of which RRsets may be cached and which ones may not be, even while
  manipulating DnsAnswer objects.

- The .n_answer_cachable of DnsTransaction is dropped now (it used to
  store how many of the first DnsAnswer entries are cachable), and
  replaced by the DNS_ANSWER_CACHABLE flag instead.

- NSEC3 proofs are implemented now (lacking support for the wildcard
  part, to be added in a later commit).

- Support for the "AD" bit has been dropped. It's unsafe, and now that
  we have end-to-end authentication we don't need it anymore.

- An auxiliary DnsTransaction of a DnsTransaction is now kept around at
  least as long as the latter stays around. We no longer remove the
  auxiliary DnsTransaction as soon as it completed. This is necessary,
  as we now are interested not only in the RRsets it acquired but also
  in its authentication status.
2015-12-18 14:48:50 +01:00
.gitignore resolve: add more record types and convert to gperf table 2014-08-03 22:02:32 -04:00
dns-type.c resolved: generalize DNS RR type validity checks 2015-12-11 14:14:27 +01:00
dns-type.h resolved: generalize DNS RR type validity checks 2015-12-11 14:14:27 +01:00
Makefile resolved: add daemon to manage resolv.conf 2014-05-19 18:14:56 +02:00
org.freedesktop.resolve1.conf resolved: add legacy dbus service and policy files 2014-07-16 03:41:39 +02:00
org.freedesktop.resolve1.service resolved: add legacy dbus service and policy files 2014-07-16 03:41:39 +02:00
resolved-bus.c resolved: generalize DNS RR type validity checks 2015-12-11 14:14:27 +01:00
resolved-bus.h resolved: rename resolved.h to resolved-manager.h 2014-08-01 16:14:59 +02:00
resolved-conf.c resolved: introduce a dnssec_mode setting per scope 2015-12-03 21:17:49 +01:00
resolved-conf.h resolved: introduce a dnssec_mode setting per scope 2015-12-03 21:17:49 +01:00
resolved-def.h resolved: add packet header details for mDNS 2015-12-08 16:41:45 +01:00
resolved-dns-answer.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-answer.h resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-cache.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-cache.h resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-dnssec.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-dnssec.h resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-packet.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-packet.h resolved: apparently not all names are used in canonical form for DNSSEC validation 2015-12-14 21:28:39 +01:00
resolved-dns-query.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-query.h resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled 2015-12-10 11:35:52 +01:00
resolved-dns-question.c resolved: cache - do negative caching only on the canonical name 2015-12-10 17:04:42 +01:00
resolved-dns-question.h resolved: make sure DNS_ANSWER_FOREACH() can be nested 2015-12-02 20:43:11 +01:00
resolved-dns-rr.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-rr.h resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-scope.c resolved: when destroying a scope, only abort live transactions 2015-12-18 14:48:49 +01:00
resolved-dns-scope.h resolved: add code to join/leave mDNS multicast groups 2015-12-08 16:41:45 +01:00
resolved-dns-search-domain.c dns-domain: simplify dns_name_is_root() and dns_name_is_single_label() 2015-11-25 22:00:07 +01:00
resolved-dns-search-domain.h resolved: fully support DNS search domains 2015-11-25 21:59:16 +01:00
resolved-dns-server.c resolved: announce support for large UDP packets 2015-11-27 01:35:47 +01:00
resolved-dns-server.h resolved: introduce a dnssec_mode setting per scope 2015-12-03 21:17:49 +01:00
resolved-dns-stream.c util-lib: split out allocation calls into alloc-util.[ch] 2015-10-27 13:45:53 +01:00
resolved-dns-stream.h remove unused includes 2015-02-23 23:53:42 +01:00
resolved-dns-transaction.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-transaction.h resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-trust-anchor.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-trust-anchor.h resolved: add a simple trust anchor database as additional RR source 2015-12-03 21:17:49 +01:00
resolved-dns-zone.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-dns-zone.h resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled 2015-12-10 11:35:52 +01:00
resolved-gperf.gperf resolved: introduce a dnssec_mode setting per scope 2015-12-03 21:17:49 +01:00
resolved-link.c resolved: don't complain if networkd doesn't know an interface we care about 2015-12-18 14:48:49 +01:00
resolved-link.h resolved: create dns scopes for mDNS 2015-12-08 16:41:45 +01:00
resolved-llmnr.c resolved: llmnr, mdns: simplify error handling 2015-12-09 18:49:15 +01:00
resolved-llmnr.h resolved: use a #define for LLMNR port 2015-07-13 11:28:29 -04:00
resolved-manager.c resolved: use right format specifier to print transaction ID 2015-12-18 14:48:49 +01:00
resolved-manager.h resolved: add infrastructure for mDNS related sockets 2015-12-08 16:37:40 +01:00
resolved-mdns.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00
resolved-mdns.h resolved: add infrastructure for mDNS related sockets 2015-12-08 16:37:40 +01:00
resolved-resolv-conf.c resolved: flush the global DNS cache if /etc/resolv.conf is touched 2015-11-27 00:46:51 +01:00
resolved-resolv-conf.h resolved: split out all code dealing with /etc/resolv.conf into its own .c file 2015-11-25 21:58:37 +01:00
resolved.c resolved: make sure FallbackDNS= overrides built-in servers, doesn't extend them 2015-11-25 21:58:37 +01:00
resolved.conf.in resolved: introduce a dnssec_mode setting per scope 2015-12-03 21:17:49 +01:00
test-dnssec.c resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned 2015-12-18 14:48:50 +01:00