mirror of https://github.com/systemd/systemd-stable.git synced 2024-10-28 03:25:27 +03:00
Commit Graph

23956 Commits

Author SHA1 Message Date
Lennart Poettering
950b692bfb resolved: use dns_name_parent() where appropriate 2015-12-18 19:15:34 +01:00
Lennart Poettering
fd009cd80e resolved: check SOA authentication state when negative caching
We should never use the TTL of an unauthenticated SOA to cache an
authenticated RR.
2015-12-18 19:12:48 +01:00
Lennart Poettering
1069048089 resolved: don't call dns_cache_remove() from dns_cache_put_negative()
We call it anyway as one of the first calls in dns_cache_put(), hence
there's no reason to do this multiple times.
2015-12-18 19:09:27 +01:00
Lennart Poettering
d98e550420 resolved: bump cache size a bit
Let's keep entries for longer and more of them. After all, due to the
DNSSEC hookup the amount of RRs we need to store is much higher now.
2015-12-18 19:07:31 +01:00
Lennart Poettering
222148b66d resolved: make use of dns_{class|type}_is_{pseudo|valid_rr}() everywhere 2015-12-18 19:06:23 +01:00
Lennart Poettering
ff7febd50a resolved: refuse accepting EDNS0 OPT RRs with a non-root domain 2015-12-18 18:57:08 +01:00
Lennart Poettering
4b548ef382 resolved: move DNS class utilities to dns-type.c and add more helpers
Let's make DNS class helpers more like DNS type helpers, let's move them
from resolved-dns-rr.[ch] into dns-type.[ch].

This also adds two new calls dns_class_is_pseudo() and
dns_class_is_valid_rr() which operate similarly to dns_type_is_pseudo()
and dns_type_is_valid_rr() but for classes instead of types.

This should hopefully make handling of DNS classes and DNS types more
alike.
2015-12-18 18:53:11 +01:00
Lennart Poettering
3e92a71901 resolved: update TODO 2015-12-18 14:48:50 +01:00
Lennart Poettering
105e151299 resolved: add support NSEC3 proofs, as well as proofs for domains that are OK to be unsigned
This large patch adds a couple of mechanisms to ensure we get NSEC3 and
proof-of-unsigned support into place. Specifically:

- Each item in a DnsAnswer gets two bit flags now:
  DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is
  necessary since DNS responses might contain signed as well as unsigned
  RRsets in one, and we need to remember which ones are signed and which
  ones aren't. The latter is necessary, since now we need to keep track
  which RRsets may be cached and which ones may not be, even while
  manipulating DnsAnswer objects.

- The .n_answer_cachable of DnsTransaction is dropped now (it used to
  store how many of the first DnsAnswer entries are cachable), and
  replaced by the DNS_ANSWER_CACHABLE flag instead.

- NSEC3 proofs are implemented now (lacking support for the wildcard
  part, to be added in a later commit).

- Support for the "AD" bit has been dropped. It's unsafe, and now that
  we have end-to-end authentication we don't need it anymore.

- An auxiliary DnsTransaction of a DnsTransaction is now kept around at
  least as long as the latter stays around. We no longer remove the
  auxiliary DnsTransaction as soon as it completed. This is necessary,
  as we now are interested not only in the RRsets it acquired but also
  in its authentication status.
2015-12-18 14:48:50 +01:00
Lennart Poettering
aae6a86e1a resolved: refuse to add auxiliary transactions loops
Let's be safe and explicitly avoid that we add an auxiliary transaction
dependency on ourselves.
2015-12-18 14:48:50 +01:00
Lennart Poettering
1849cb7cb7 resolved: don't check for NULL DnsAnswer object explicitly where unnecessary
The DNS_ANSWER_FOREACH macros do this internally anyway, no need to
duplicate this.
2015-12-18 14:48:49 +01:00
Lennart Poettering
423659abb8 resolved: stop timeout timer when validating transactions
We need no separate timeout anymore as soon as we received a reply, as
the auxiliary transactions have their own timeouts.
2015-12-18 14:48:49 +01:00
Lennart Poettering
f4e380379a resolved: when destroying a scope, only abort live transactions 2015-12-18 14:48:49 +01:00
Lennart Poettering
f7014757fd resolved: make sure we don't get confused when notifying transactions while they are destroyed
A failing transaction might cause other transactions to fail too, and
thus the set of transactions to notify for a transaction might change
while we are notifying them. Protect against that.
2015-12-18 14:48:49 +01:00
Lennart Poettering
a0c888c78c resolved: merge two bools into a bitfield 2015-12-18 14:48:49 +01:00
Lennart Poettering
deb3f3d335 resolved: use right format specifier to print transaction ID 2015-12-18 14:48:49 +01:00
Lennart Poettering
a5784c4985 resolved: cache stringified transaction key once per transaction
We end up needing the stringified transaction key in many log messages,
hence let's simplify the logic and cache it inside of the transaction:
generate it the first time we need it, and reuse it afterwards. Free it
when the transaction goes away.

This also updated a couple of log messages to make use of this.
2015-12-18 14:48:49 +01:00
Lennart Poettering
1ade96e980 resolved: don't complain if networkd doesn't know an interface we care about 2015-12-18 14:48:49 +01:00
Lennart Poettering
f7455baa01 shared: add dns_name_parent() call to determine parent domain of a domain 2015-12-18 14:48:49 +01:00
Daniel Mack
47260caf02 Merge pull request #2180 from phomes/resolve-misc
Resolve: misc cleanups
2015-12-16 20:14:36 +01:00
Thomas Hindoe Paaboel Andersen
b78b0b674f resolve: remove unused variable 2015-12-16 19:59:45 +01:00
Thomas Hindoe Paaboel Andersen
111befce55 resolve: fix indendation 2015-12-16 19:59:45 +01:00
Daniel Mack
523f8874c6 Merge pull request #2157 from keszybz/manager-status
Manager status
2015-12-15 15:57:19 +01:00
Daniel Mack
277b4cb5a6 Merge pull request #2174 from yuwata/journal-remote-man
man: fix typo in journal-remote.conf(5)
2015-12-15 15:56:19 +01:00
Yu Watanabe
190f373bc8 man: fix typo in journal-remote.conf(5) 2015-12-15 23:24:28 +09:00
Tom Gundersen
ab501843d6 Merge pull request #2168 from poettering/dnssec5
Fifth batch of DNSSEC support patches
2015-12-15 12:25:22 +00:00
Daniel Mack
52d3240b15 Merge pull request #2169 from yuwata/journal-remote-unit-doc
journal-remote: add documents in the unit files
2015-12-15 11:33:57 +01:00
Daniel Mack
cbdb172efc Merge pull request #2172 from evverx/fix-enable-hashmap
basic: ENABLE_DEBUG_HASHMAP needs <pthread.h>
2015-12-15 10:33:38 +01:00
Henrik Kaare Poulsen
3d4db144b0 basic: ENABLE_DEBUG_HASHMAP needs <pthread.h>
this is a follow-up for commit 11c3a36649
2015-12-15 07:10:50 +00:00
Yu Watanabe
c9d493281d journal-remote: add documents in the unit files 2015-12-15 10:51:12 +09:00
Lennart Poettering
73b8d8e928 resolved: update DNSSEC TODO 2015-12-14 21:32:17 +01:00
Lennart Poettering
72667f0890 resolved: add basic proof of non-existance support for NSEC+NSEC3
Note that this is not complete yet, as we don't handle wildcard domains
correctly, nor handle domains correctly that use empty non-terminals.
2015-12-14 21:28:39 +01:00
Lennart Poettering
d0ae14ff09 resolved: when serializing NSEC3 windows, don't write more windows than necessary 2015-12-14 21:28:39 +01:00
Lennart Poettering
e1a9f1a81d resolved: constify a parameter 2015-12-14 21:28:39 +01:00
Lennart Poettering
24a5b982cf resolved: always consider NSEC/NSEC3 RRs as "primary"
It's not OK to drop these for our proof of non-existence checks.
2015-12-14 21:28:39 +01:00
Lennart Poettering
5264131a9a resolved: don't choke on NULL DNS transactions when determining query candidate state 2015-12-14 21:28:39 +01:00
Lennart Poettering
0638401af3 resolved: initialize libgcrypt before using it 2015-12-14 21:28:39 +01:00
Lennart Poettering
a1972a9185 resolved: rework how we get the gcrypt digest algorithm ID from DNSSEC digest ids
Let's move this into a function digest_to_gcrypt() that we can reuse
later on when implementing NSEC3 validation.
2015-12-14 21:28:39 +01:00
Lennart Poettering
a3db237b8f resolved: apparently not all names are used in canonical form for DNSSEC validation
Specifically, it appears as if the NSEC next domain name should be in
the original casing rather than canonical form, when validating.
2015-12-14 21:28:39 +01:00
Daniel Mack
654d1b3350 Merge pull request #2165 from torstehu/fix-typo2
treewide: fix typos and indentation
2015-12-14 16:31:25 +01:00
Torstein Husebø
e5abebabb3 treewide: fix typos and indentation 2015-12-14 15:53:11 +01:00
Zbigniew Jędrzejewski-Szmek
4cee3a78bb manager: log log level changes uniformly
Output the same message when a request to change the log level is
received over dbus and through a signal. From the user point of view
those two operations are very similar and it's easy to think that the
dbus operation didn't work when the expected message is not emitted.

Also "downgrade" the message level to info, since this is a normal
user initiated action.
2015-12-13 14:53:52 -05:00
Zbigniew Jędrzejewski-Szmek
76b6f3f68f manager: move status output change debug messages to set function
This way we can only print the debug message when the status actually
changes. This also means we don't print anything when running in --user
mode, where status output is always disabled.
2015-12-13 14:52:19 -05:00
Daniel Mack
dc0306aac4 Merge pull request #2152 from evverx/respect-disable-tests
build-sys: fix --disable-tests
2015-12-13 17:22:48 +01:00
Evgeny Vereshchagin
5433c3e1a3 build-sys: fix --disable-tests
Fixes:
$ ./configure ... --disable-tests
$ make
$ sudo make check
FAIL: test/udev-test.pl
PASS: test/rule-syntax-check.py
PASS: test/sysv-generator-test.py
...
2015-12-13 07:50:11 +00:00
Daniel Mack
afcaed0cad Merge pull request #2148 from evverx/fix-enable-smack
build-sys: fix ./configure --enable-smack
2015-12-12 14:03:52 +01:00
Evgeny Vereshchagin
c0957da3f4 build-sys: refactor have_smack detection 2015-12-12 06:08:25 +00:00
Evgeny Vereshchagin
566c9f5ad5 build-sys: fix ./configure --enable-smack
Fixes:

$ ./configure ... --enable-smack
$ make src/core/load-fragment-gperf.c
$ grep -i smack src/core/load-fragment-gperf.c
{"Swap.SmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, 0},
...

should be
{"Swap.SmackProcessLabel", config_parse_exec_smack_process_label, 0, offsetof(Swap, exec_context)},
...
2015-12-12 03:53:22 +00:00
Tom Gundersen
a036133175 Merge pull request #2143 from poettering/dnssec4
Another batch of DNSSEC fixes
2015-12-11 18:38:14 +01:00
Lennart Poettering
29c1519ed4 resolved: don't eat up errors
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname()
may return errors as negative return values. Make sure to propagate
those.
2015-12-11 15:10:56 +01:00