summaryrefslogtreecommitdiffstats
path: root/src/coredump
diff options
context:
space:
mode:
authorRonan Pigott <ronan@rjp.ie>2024-03-06 03:03:16 +0100
committerLuca Boccassi <luca.boccassi@gmail.com>2024-03-08 00:01:08 +0100
commitabcc94b351ad030bce63568f6c4bc3f97fbaa109 (patch)
tree4b2dff7cd309948aced1d8ea85e2d2846aa3a740 /src/coredump
parentAdd more unit test to cover the uid_range_covers inside the uid-range.c file... (diff)
downloadsystemd-abcc94b351ad030bce63568f6c4bc3f97fbaa109.tar.xz
systemd-abcc94b351ad030bce63568f6c4bc3f97fbaa109.zip
resolved: don't cache NXDOMAIN for SUDN resolver.arpa
The name resolver.arpa is reserved for RFC9462 "Discovery of Designated Resolvers" (DDR). This relies on regular dns queries for SVCB records at the special use domain name _dns.resolver.arpa. Unfortunately, older nameservers (or broken ones) won't know about this SUDN and will likely return NXDOMAIN. If this is cached, the cache entry will become an impediment for any clients trying to discover designated resolvers through the stub-resolver, or potentially even sd-resolved itself, were it to implement DDR. The RFC recommendation is that "clients MUST NOT perform A or AAAA queries for resolver.arpa", and "resolvers SHOULD respond to queries of any type other than SVCB for _dns.resolver.arpa. with NODATA and queries of any type for any domain name under resolver.arpa with NODATA." which should help avoid potential compatibility issues. This enforces that condition within sd-resolved, and avoids caching any such erroneous NXDOMAIN. The RFC also recommends requests for this domain should never be forwarded, to prevent authentication failures. Since there isn't much point in establishing secure communication to the local stub, we still allow SVCB to be forwarded from the stub, in case the client cares to implement some other authentication method and understands the consequences of skipping the local stub. Normal clients are not expected to implement DDR, but this change will protect sd-resolved's own caches in case they try. Although A and AAAA are prohibited, I think validating resolvers might reasonably query for dnssec records, even though the resolver.arpa zone does not exist (it is declared to be a locally served zone). For this reason, I have also added resolver.arpa to the builtin dnssec NTA.
Diffstat (limited to 'src/coredump')
0 files changed, 0 insertions, 0 deletions