1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Commit Graph

54 Commits

Author SHA1 Message Date
Jörg Thalheim
eec394f10b systemd-resolved: use hostname for certificate validation in DoT
Widely accepted certificates for IP addresses are expensive and only
affordable for larger organizations. Therefore if the user provides
the hostname in the DNS= option, we should use it instead of the IP
address.
2020-03-07 01:37:30 +09:00
Guilhem Lettron
2e22a54f4e Implement SNI when using DNS-over-TLS
Some DNS providers need SNI to identify client.

This can be used by adding #name to a DNS.
Example:
[Resolve]
DNS=192.168.1.1#example.com
2019-12-04 23:24:06 +09:00
Riccardo Schirone
2f2b28ab35 Be more specific in resolved.conf man page with regard to DNSOverTLS
DNSOverTLS in strict mode (value yes) does check the server, as it is said in
the first few lines of the option documentation. The check is not performed in
"opportunistic" mode, however, as that is allowed by RFC 7858, section "4.1.
Opportunistic Privacy Profile".

> With such a discovered DNS server, the client might or might not validate the
> resolver. These choices maximize availability and performance, but they leave
> the client vulnerable to on-path attacks that remove privacy.
2019-11-13 22:44:15 +01:00
Jorge Niedbalski
37d7a7d984 resolved: switch cache option to a tri-state option (systemd#5552).
Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values.

If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995),
however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments)
and the only workaround would be to disable cache entirely or flush it , which isn't optimal.

This change adds the 'no-negative' option when set it avoids putting in cache
negative answers but still works the same heuristics for positive answers.

Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
2019-07-17 10:42:53 -04:00
Iwan Timmer
4310bfc20b resolved: add strict mode for DNS-over-TLS
Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755
2019-06-19 13:10:44 +02:00
Zbigniew Jędrzejewski-Szmek
3a54a15760 man: use same header for all files
The "include" files had type "book" for some raeason. I don't think this
is meaningful. Let's just use the same everywhere.

$ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n  "http^gms' man/*.xml
2019-03-14 14:42:05 +01:00
Zbigniew Jędrzejewski-Szmek
0307f79171 man: standarize on one-line license header
No need to waste space, and uniformity is good.

$ perl -i -0pe 's|\n+<!--\s*SPDX-License-Identifier: LGPL-2.1..\s*-->|\n<!-- SPDX-License-Identifier: LGPL-2.1+ -->|gms' man/*.xml
2019-03-14 14:29:37 +01:00
Sam Morris
4b987478b0 resolved: have the stub resolver listen on both TCP and UDP by default
RFC7766 section 4 states that in the absence of EDNS0, a response that
is too large for a 512-byte UDP packet will have the 'truncated' bit
set. The client is expected to retry the query over TCP.

Fixes #10264.
2018-12-12 21:21:04 +01:00
Alexander Kurtz
f628e3eea7 man: fix default value in resolved.conf man page (#10733)
See https://github.com/systemd/systemd/blob/v239/meson_options.txt#L190
2018-11-12 15:44:55 +09:00
Todd Walton
eaaec6cc12 man: fix RFC ref in resolved.conf man page (#9976)
This is a simple one-character fix to reference the correct RFC for
LLMNR, which is RFC 4795, not RFC 4794.
2018-08-30 09:47:07 +09:00
Yu Watanabe
494c5676b3 man: use literal tag 2018-07-28 21:46:22 +09:00
Yu Watanabe
8631708741 resolve: add option to toggle reading /etc/hosts
Workaround for #9718.
2018-07-28 21:46:00 +09:00
Zbigniew Jędrzejewski-Szmek
514094f933 man: drop mode line in file headers
This is already included in .dir-locals, so we don't need it
in the files themselves.
2018-07-03 01:32:25 +02:00
Zbigniew Jędrzejewski-Szmek
d9b02e1697 tree-wide: drop copyright headers from frequent contributors
Fixes #9320.

for p in Shapovalov Chevalier Rozhkov Sievers Mack Herrmann Schmidt Rudenberg Sahani Landden Andersen Watanabe; do
  git grep -e 'Copyright.*'$p -l|xargs perl -i -0pe 's|/([*][*])?[*]\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\s*[*]([*][*])?/\n*|\n|gms; s|\s+([*#]\s+)?Copyright[^\n]*'$p'[^\n]*\n*|\n|gms'
done
2018-06-20 11:58:53 +02:00
Zbigniew Jędrzejewski-Szmek
fdbbee37d5 man: drop unused <authorgroup> tags from man sources
Docbook styles required those to be present, even though the templates that we
use did not show those names anywhere. But something changed semi-recently (I
would suspect docbook templates, but there was only a minor version bump in
recent years, and the changelog does not suggest anything related), and builds
now work without those entries. Let's drop this dead weight.

Tested with F26-F29, debian unstable.

$ perl -i -0pe 's/\s*<authorgroup>.*<.authorgroup>//gms' man/*xml
2018-06-14 12:22:18 +02:00
Lennart Poettering
96b2fb93c5 tree-wide: beautify remaining copyright statements
Let's unify an beautify our remaining copyright statements, with a
unicode ©. This means our copyright statements are now always formatted
the same way. Yay.
2018-06-14 10:20:21 +02:00
Lennart Poettering
818bf54632 tree-wide: drop 'This file is part of systemd' blurb
This part of the copyright blurb stems from the GPL use recommendations:

https://www.gnu.org/licenses/gpl-howto.en.html

The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.

hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
2018-06-14 10:20:20 +02:00
Iwan Timmer
c9299be2f5 resolve: rename PrivateDNS to DNSOverTLS
PrivateDNS is not considered a good name for this option, so rename it to DNSOverTLS
2018-06-14 09:57:56 +02:00
Iwan Timmer
30e59c84d7 man: document DNS-over-TLS options 2018-06-12 18:50:30 +02:00
Zbigniew Jędrzejewski-Szmek
11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Zbigniew Jędrzejewski-Szmek
572eb058cf Add SPDX license identifiers to man pages 2017-11-19 19:08:15 +01:00
Zbigniew Jędrzejewski-Szmek
1ec57f3394 build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/
The configuration option was called -Dresolve, but the internal define
was …RESOLVED. This options governs more than just resolved itself, so
let's settle on the version without "d".
2017-10-04 12:09:51 +02:00
Yu Watanabe
77525fdc8d resolved: add global config option to control mDNS stack 2017-03-21 13:35:08 +09:00
Lennart Poettering
3157b2d9d2 Merge pull request #4061 from dm0-/coreos-1545
resolved: add an option to disable the stub resolver
2016-10-07 23:38:03 +02:00
David Michael
1ae4329575 resolved: add an option to control the DNS stub listener 2016-10-07 12:14:38 -07:00
Stefan Schweter
cfaf4b75e0 man: remove consecutive duplicate words (#4268)
This PR removes consecutive duplicate words from the man pages of:

* `resolved.conf.xml`
* `systemd.exec.xml`
* `systemd.socket.xml`
2016-10-03 17:09:54 +02:00
Lennart Poettering
5bd7342617 man: rework resolved.conf's Cache= documentation
Let's not mention the supposed security benefit of turning off caching. It is
really questionnable, and I#d rather not create the impression that we actually
believed turning off caching would be a good idea.

Instead, mention that Cache=no is implicit if a DNS server on the local host is
used.
2016-07-22 20:17:23 +02:00
Martin Pitt
ceeddf79b8 resolved: add option to disable caching (#3592)
In some cases, caching DNS results locally is not desirable, a it makes DNS
cache poisoning attacks a tad easier and also allows users on the system to
determine whether or not a particular domain got visited by another user. Thus
provide a new "Cache" resolved.conf option to disable it.
2016-06-24 07:54:28 +02:00
Lennart Poettering
dcabda4155 Merge pull request #2469 from keszybz/resolved-2
Resolved 2
2016-01-30 15:04:56 +01:00
Zbigniew Jędrzejewski-Szmek
c542f805dd man: reword sentence 2016-01-29 12:24:15 -05:00
Lennart Poettering
dbc7bede4a man: actually say which section resolv.conf's setting should be placed in 2016-01-29 14:53:01 +01:00
Lennart Poettering
adc800a6e0 resolved: allow configuration of routing domains in Domains= 2016-01-26 14:42:04 +01:00
Zbigniew Jędrzejewski-Szmek
524f3e5c9d man: fix references to a few external man pages
Noticed in pull request #2067.
2016-01-25 20:04:58 -05:00
Daniel Mack
60402bdc52 resolved: remove configuration knobs for mDNS until it's ready
These bits were intenionally left out while mDNS is under development.

Remove the exposed knobs and man page entries again until this is settled.
2016-01-19 14:11:05 +01:00
Lennart Poettering
d33b6cf343 resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them
This adds logic to detect cases like the Fritz!Box routers which serve
a private DNS domain "fritz.box" under the TLD "box" that does not
exist in the root servers. If this is detected DNSSEC validation is
turned off for this private domain, thus improving compatibility with
such private DNS zones.

This should be fairly secure as we first rely on the proof that .box
does not exist before this logic is applied. Nevertheless the logic is
only enabled for DNSSEC=allow-downgrade mode.

This logic does not work for routers that set up a full DNS zone directly
under a non-existing TLD, as in that case we cannot prove
that the domain is truly non-existing according to the root servers.
2016-01-05 22:13:56 +01:00
Lennart Poettering
ad6c047561 resolved,networkd: add a per-interface DNSSEC setting
This adds a DNSSEC= setting to .network files, and makes resolved honour
them.
2016-01-05 20:10:31 +01:00
Lennart Poettering
1ed8c0fbb4 resolved: rename "downgrade-ok" mode to "allow-downgrade"
After discussing this with Tom, we figured out "allow-downgrade" sounds
nicer.
2016-01-05 20:00:53 +01:00
Lennart Poettering
b83d91c029 resolved: make MulticastDNS support configurable in resolved.conf
The option is already there, but wasn't exported in the configuration
file so far. Fix that.
2016-01-05 17:41:41 +01:00
Lennart Poettering
d57d3973a7 man: fix a few typos 2016-01-05 17:30:43 +01:00
Lennart Poettering
b5a8703fdb man: add documentation for dnssec-trust-anchors.d(5) 2016-01-05 14:20:27 +01:00
Lennart Poettering
519d39deee man: add basic documentation for resolved.conf's DNSSEC= switch 2016-01-05 00:31:32 +01:00
Lennart Poettering
a51c10485a resolved: add a generic DnsSearchDomain concept
With this change, we add a new object to resolved, "DnsSearchDomain="
which wraps a search domain. This is then used to introduce a global
search domain list, in addition to the existing per-link search domain
list which is reword to make use of this new object too.

This is preparation for implement proper unicast DNS search domain
support.
2015-11-25 21:58:38 +01:00
Lennart Poettering
9f2912db78 man: fix documentation how /etc/resolv.conf is read
/etc/resolv.conf is only read when the DNS= setting does not appear at
all in resolved.conf, regardless if set to the empty list or anything
else. Correct that in the man page.
2015-11-25 21:58:37 +01:00
Jan Engelhardt
a8eaaee72a doc: correct orthography, word forms and missing/extraneous words 2015-11-06 13:45:21 +01:00
Jan Engelhardt
b938cb902c doc: correct punctuation and improve typography in documentation 2015-11-06 13:00:02 +01:00
Tom Gundersen
12b42c7667 man: revert dynamic paths for split-usr setups
This did not really work out as we had hoped. Trying to do this upstream
introduced several problems that probably makes it better suited as a
downstream patch after all. At any rate, it is not releaseable in the
current state, so we at least need to revert this before the release.

 * by adjusting the path to binaries, but not do the same thing to the
   search path we end up with inconsistent man-pages. Adjusting the search
   path too would be quite messy, and it is not at all obvious that this is
   worth the effort, but at any rate it would have to be done before we
   could ship this.

 * this means that distributed man-pages does not make sense as they depend
   on config options, and for better or worse we are still distributing
   man pages, so that is something that definitely needs sorting out before
   we could ship with this patch.

 * we have long held that split-usr is only minimally supported in order
   to boot, and something we hope will eventually go away. So before we start
   adding even more magic/effort in order to make this work nicely, we should
   probably question if it makes sense at all.
2015-06-18 19:47:44 +02:00
Filipe Brandenburger
681eb9cf2b man: generate configured paths in manpages
In particular, use /lib/systemd instead of /usr/lib/systemd in distributions
like Debian which still have not adopted a /usr merge setup.

Use XML entities from man/custom-entities.ent to replace configured paths while
doing XSLT processing of the original XML files. There was precedent of some
files (such as systemd.generator.xml) which were already using this approach.

This addresses most of the (manual) fixes from this patch:
http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/patches/Fix-paths-in-man-pages.patch?h=experimental-220

The idea of using generic XML entities was presented here:
http://lists.freedesktop.org/archives/systemd-devel/2015-May/032240.html

This patch solves almost all the issues, with the exception of:
- Path to /bin/mount and /bin/umount.
- Generic statements about preference of /lib over /etc.

These will be handled separately by follow up patches.

Tested:
- With default configure settings, ran "make install" to two separate
  directories and compared the output to confirm they matched exactly.
- Used a set of configure flags including $CONFFLAGS from Debian:
  http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/rules
  Installed the tree and confirmed the paths use /lib/systemd instead of
  /usr/lib/systemd and that no other unexpected differences exist.
- Confirmed that `make distcheck` still passes.
2015-05-28 19:28:19 +02:00
Zbigniew Jędrzejewski-Szmek
e93549ef29 Do not advertise .d snippets over main config file
For daemons which have a main configuration file, there's
little reason for the administrator to use configuration snippets.
They are useful for packagers which need to override settings, but
we shouldn't advertise that as the main way of configuring those
services.

https://bugs.freedesktop.org/show_bug.cgi?id=89397
2015-03-03 19:10:21 -05:00
Zbigniew Jędrzejewski-Szmek
b975b0d514 man: boilerplate unification 2015-02-10 23:24:27 -05:00
Zbigniew Jędrzejewski-Szmek
798d3a524e Reindent man pages to 2ch 2015-02-03 23:11:35 -05:00