1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-25 23:21:33 +03:00
Commit Graph

24154 Commits

Author SHA1 Message Date
Lennart Poettering
d33b6cf343 resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them
This adds logic to detect cases like the Fritz!Box routers which serve
a private DNS domain "fritz.box" under the TLD "box" that does not
exist in the root servers. If this is detected DNSSEC validation is
turned off for this private domain, thus improving compatibility with
such private DNS zones.

This should be fairly secure as we first rely on the proof that .box
does not exist before this logic is applied. Nevertheless the logic is
only enabled for DNSSEC=allow-downgrade mode.

This logic does not work for routers that set up a full DNS zone directly
under a non-existing TLD, as in that case we cannot prove
that the domain is truly non-existing according to the root servers.
2016-01-05 22:13:56 +01:00
Lennart Poettering
105f6c4bdc resolved: when dumping trust anchor contents, clarify when it is empty 2016-01-05 20:27:29 +01:00
Lennart Poettering
3eb6aa009d resolved: fix DNSSEC transaction dependency recursion check
We followed the wrong connection. This only worked sometimes at all, because we
also return the wrong error code.
2016-01-05 20:27:18 +01:00
Lennart Poettering
d1d1d4b807 update DNSSEC TODO 2016-01-05 20:10:31 +01:00
Lennart Poettering
ad6c047561 resolved,networkd: add a per-interface DNSSEC setting
This adds a DNSSEC= setting to .network files, and makes resolved honour
them.
2016-01-05 20:10:31 +01:00
Lennart Poettering
125ae29d1b resolved: log about per-interface setting parse errors 2016-01-05 20:00:59 +01:00
Lennart Poettering
00f0a16ab4 resolved: properly release all DnsServers that belong to a link 2016-01-05 20:00:59 +01:00
Lennart Poettering
1ed8c0fbb4 resolved: rename "downgrade-ok" mode to "allow-downgrade"
After discussing this with Tom, we figured out "allow-downgrade" sounds
nicer.
2016-01-05 20:00:53 +01:00
Lennart Poettering
f41b446a76 man: document that DNS= and Domains= is implemented by resolved 2016-01-05 17:41:41 +01:00
Lennart Poettering
b83d91c029 resolved: make MulticastDNS support configurable in resolved.conf
The option is already there, but wasn't exported in the configuration
file so far. Fix that.
2016-01-05 17:41:41 +01:00
Lennart Poettering
aaa297d4e5 networkd,resolved: add a per-interface mdns configuration option 2016-01-05 17:41:41 +01:00
Lennart Poettering
af49ca27ff resolved,networkd: unify ResolveSupport enum
networkd previously knew an enum "ResolveSupport" for configuring
per-interface LLMNR support, resolved had a similar enum just called
"Support", with the same value and similar pasers.

Unify this, call the enum ResolveSupport, and port both daemons to it.
2016-01-05 17:30:51 +01:00
Lennart Poettering
b18b866215 basic: add string table macros for "extended boolean" enums
In a couple of cases we maintain configuration settings that know an on
and off state, like a boolean, plus some additional states. We generally
parse them as booleans first, and if that fails check for specific
additional values.

This adds a generalized set of macros for parsing such settings, and
ports one use in resolved and another in networkd over to it.
2016-01-05 17:30:43 +01:00
Lennart Poettering
38e5900fc6 sd-network: unify parsing of /run/systemd/netif/links/* string fields 2016-01-05 17:30:43 +01:00
Lennart Poettering
d57d3973a7 man: fix a few typos 2016-01-05 17:30:43 +01:00
Lennart Poettering
79a4c0160a Merge pull request #2272 from kinvolk/alban/typos
machine: fix typo: MS_MOUNT does not exist
2016-01-05 16:40:29 +01:00
Alban Crequy
ecb0573db1 machine: fix typo: MS_MOUNT does not exist 2016-01-05 16:14:42 +01:00
Tom Gundersen
16b85c51ed Merge pull request #2269 from poettering/dnssec11
Eleventh DNSSEC patch set
2016-01-05 15:47:15 +01:00
Lennart Poettering
b5a8703fdb man: add documentation for dnssec-trust-anchors.d(5) 2016-01-05 14:20:27 +01:00
Lennart Poettering
d76f90f171 resolved: also skip built-in trust anchor addition of there's a DNSKEY RR for the root domain defined
We already skip this when the trust anchor files define a DS RR for the
root domain, now also skip it if there's a DNSKEY RR.
2016-01-05 14:19:05 +01:00
Lennart Poettering
e7d179acb9 resolved: move trust anchor files to /etc/dnssec-trust-anchors.d/
These files are not specific to resolved really, and this is then more
in-line with how /etc/sysctl.d and suchlike is handled.
2016-01-05 14:18:18 +01:00
Lennart Poettering
2135de9adb Merge pull request #2205 from pohly/cgroup-smack-run-label
mount-setup.c: fix handling of symlink Smack labelling in cgroup setup
2016-01-05 12:51:14 +01:00
Patrick Ohly
ea2b93a8ee mount-setup.c: fix handling of symlink Smack labelling in cgroup setup
The code introduced in f8c1a81c51 (= systemd 227) failed for me with:
  Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory

There is no need for a symlink in this case because source and target
are identical. The symlink() call is allowed to fail when the target
already exists. When that happens, copying the Smack label must be
skipped.

But the code also failed when there is a symlink, like "cpu ->
cpu,cpuacct", because mac_smack_copy() got called with
src="cpu,cpuacct" which fails to find the entry because the current
directory is not inside /sys/fs/cgroup. The absolute path to the existing
entry must be used instead.
2016-01-05 12:49:48 +01:00
Lennart Poettering
d3eae7d8c4 Merge pull request #2268 from whot/hwdb-updates
hwdb: add axis ranges and resolution for Dell Lattitude E6220
2016-01-05 01:42:04 +01:00
Lennart Poettering
d3760be01b resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existance, if it there is any.

This is necessary since otherwise an attacker might put together a faked
negative response for one of our question including a high-ttl SOA RR
for any parent zone, and we'd use trust the TTL.
2016-01-05 01:35:28 +01:00
Lennart Poettering
519d39deee man: add basic documentation for resolved.conf's DNSSEC= switch 2016-01-05 00:31:32 +01:00
Peter Hutterer
75e60eea58 hwdb: add axis ranges and resolution for Dell Lattitude E6220
https://bugzilla.redhat.com/show_bug.cgi?id=1293576
2016-01-05 08:14:04 +10:00
Lennart Poettering
6f8a2c6817 update DNSSEC TODO 2016-01-04 22:43:25 +01:00
Lennart Poettering
b2b796b8ab resolved: explicitly handle case when the trust anchor is empty
Since we honour RFC5011 revoked keys it might happen we end up with an
empty trust anchor, or one where there's no entry for the root left.
With this patch the logic is changed what to do in this case.

Before this patch we'd end up requesting the root DS, which returns with
NODATA but a signed NSEC we cannot verify, since the trust anchor is
empty after all. Thus we'd return a DNSSEC result of "missing-key", as
we lack a verified version of the key.

With this patch in place, look-ups for the root DS are explicitly
recognized, and not passed on to the DNS servers. Instead, if
downgrade-ok mode is on an unsigned NODATA response is synthesized, so
that the validator code continues under the assumption the root zone was
unsigned. If downgrade-ok mode is off a new transaction failure is
generated, that makes this case recognizable.
2016-01-04 22:42:10 +01:00
Lennart Poettering
a761c1ca85 resolved: introduce a proper bus error for DNSSEC validation errors 2016-01-04 22:42:10 +01:00
Lennart Poettering
f2992dc184 resolved: explicitly avoid cyclic transaction dependencies
We already try hard not to create cyclic transaction dependencies, where
a transaction requires another one for DNSSEC validation purposes, which
in turn (possibly indirectly) pulls in the original transaction again,
thus resulting in a cyclic dependency and ultimately a deadlock since
each transaction waits for another one forever.

So far we wanted to avoid such cyclic dependencies by only going "up the
tree" when requesting auxiliary RRs and only going from one RR type to
another, but never back. However this turned out to be insufficient.
Consider a domain that publishes one or more DNSKEY but which has no DS
for it. A request for the domain's DNSKEY triggers a request for the
domain's DS, which will then fail, but return an NSEC, signed by the
DNSKEY. To validate that we'd request the DNSKEY again. Thus a DNSKEY
request results in a DS request which results in the original DNSKEY
request again. If the original lookup had been a DS lookup we'd end up
in the same cyclic dependency, hence we cannot statically break one of
them, since both requests are of course fully valid. Hence, do full
cyclic dependency checking: each time we are about to add a dependency
to a transaction, check if the transaction is already a dependency of
the dependency (recursively down the tree).
2016-01-04 22:42:10 +01:00
Lennart Poettering
51e399bceb resolved: block transaction GC'ing while dns_transaction_request_dnssec_keys() is running
If any of the transactions started by
dns_transaction_request_dnssec_keys() finishes promptly without
requiring asynchronous operation this is reported back to the issuing
transaction from the same stackframe. This might ultimately result in
this transaction to be freed while we are still in its
_request_dnssec_keys() stack frame. To avoid memory corruption block the
transaction GC while in the call, and manually issue a GC after it
returned.
2016-01-04 22:42:10 +01:00
Lennart Poettering
3347e6a299 update RFCs 2016-01-04 22:42:10 +01:00
Lennart Poettering
0c85702874 resolved: partially implement RFC5011 Trust Anchor support
With this patch resolved will properly handle revoked keys, but not
augment the locally configured trust anchor database with newly learned
keys.

Specifically, resolved now refuses validating RRsets with
revoked keys, and it will remove revoked keys from the configured trust
anchors (only until reboot).

This patch does not add logic for adding new keys to the set of trust
anchors. This is a deliberate decision as this only can work with
persistent disk storage, and would result in a different update logic
for stateful and stateless systems.  Since we have to support stateless
systems anyway, and don't want to encourage two independent upgrade
paths we focus on upgrading the trust anchor database via the usual OS
upgrade logic.

Whenever a trust anchor entry is found revoked and removed from the
trust anchor a recognizable log message is written, encouraging the user
to update the trust anchor or update his operating system.
2016-01-04 22:42:10 +01:00
Lennart Poettering
85aeaccc10 resolved: fix DNSSEC canonical ordering logic
When applying canonical DNSSEC ordering for an RRset only order by the
wire format of the RRs' RDATA, not by the full wire formatting. The RFC
isn't particularly clear about this, but this is apparently how it is
done. This fixes validation of pentagon.gov's DS RRset.
2016-01-04 20:27:45 +01:00
Lennart Poettering
beef6a5fc5 resolved: actually make use of message ID when logging about failed DNSSEC validation 2016-01-04 20:25:55 +01:00
Zbigniew Jędrzejewski-Szmek
d7a2f11bb9 Merge pull request #2259 from evverx/fix-test-execute
core: only skip setup of "special" signals in test mode
2016-01-04 14:10:13 -05:00
Zbigniew Jędrzejewski-Szmek
393ebb8f3e Merge pull request #2263 from awilfox/add-discoverable-root-for-itanium
Add GPT partition type GUID for Itanium root partition
2016-01-04 13:49:00 -05:00
Evgeny Vereshchagin
37453b3a2a core: don't enable special signals in test mode
Fixes:
$ systemd-analyze verify ...
Failed to open /dev/tty0: Permission denied
2016-01-04 18:39:55 +00:00
Andrew Wilcox
f827e09fda Add GPT partition type GUID for Itanium root partition 2016-01-04 06:22:58 -06:00
Martin Pitt
993898a2af Merge pull request #2248 from APokorny/detect-touchscreens-with-btn-touch
udev: Fix touch screen detection
2016-01-04 08:36:41 +01:00
Evgeny Vereshchagin
2ce2cce3ad core: revert "manager: do not set up signals in test mode"
This reverts commit 5aa1054521.

Fixes test-execute
$ sudo make check TESTS=test-execute
...
$ cat test-execute.log
+ test /tmp/test-exec_workingdirectory = /tmp/test-exec_workingdirectory
Test timeout when testing exec-workingdirectory.service
exec-workingdirectory.service
	UMask: 0022
	WorkingDirectory: /tmp/test-exec_workingdirectory
	RootDirectory: /
	NonBlocking: no
	PrivateTmp: no
	PrivateNetwork: no
	PrivateDevices: no
	ProtectHome: no
	ProtectSystem: no
	IgnoreSIGPIPE: yes
	RuntimeDirectoryMode: 0755
	StandardInput: null
	StandardOutput: inherit
	StandardError: inherit
FAIL test-execute (exit status: 1)
2016-01-04 04:13:00 +00:00
Lennart Poettering
2a0d751be4 resolved: refuse revoked DNSKEYs in trust anchor 2016-01-03 17:57:44 +01:00
Lennart Poettering
28b8191e2f resolved: never authenticate RRsets with revoked keys 2016-01-03 17:56:50 +01:00
Lennart Poettering
1d3db294fc resolved: print a log message when we ignore an NSEC3 RR with an excessive amount of iterations 2016-01-03 17:54:01 +01:00
Lennart Poettering
05442a9cdc Merge pull request #2245 from ssahani/socket1
core: socket options fix SCTP_NODELAY
2016-01-03 14:19:37 +01:00
Lennart Poettering
edcd8ae3ab Merge pull request #2254 from kelemeng/master
Updated Hungarian translations
2016-01-03 14:19:00 +01:00
Lennart Poettering
092500ec39 Merge pull request #2255 from teg/resolved-fixes-2
Fixes to NSEC3 proof v2
2016-01-03 14:18:05 +01:00
Tom Gundersen
113325b864 Merge pull request #2256 from poettering/dnssec10
Tenth DNSSEC patch set
2016-01-03 14:02:10 +01:00
Lennart Poettering
c1dafe4f31 resolve: add RFC4501 URI support to systemd-resolve-host 2016-01-03 12:59:26 +01:00