diff options
| author | Lennart Poettering <lennart@poettering.net> | 2020-11-12 16:05:15 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-02-16 18:44:01 +0100 |
| commit | fba3e94df552b4fb6dd53b5e605259be42a27f4e (patch) | |
| tree | 6929b1844273bea8c7941f3790d484ccb7e0bac7 /src/resolve/resolved-dns-server.h | |
| parent | resolved: make feature level checks a bit more discriptive (diff) | |
| download | systemd-fba3e94df552b4fb6dd53b5e605259be42a27f4e.tar.xz systemd-fba3e94df552b4fb6dd53b5e605259be42a27f4e.zip | |
resolved: never go below DNSSEC feature level in DNSSEC strict mode
This adjusts our feature level handling: when DNSSEC strict mode is on,
let's never lower the feature level below the lowest DNSSEC mode.
Also, when asking whether DNSSEC is supproted, always say yes in strict
mode. This means that error reporting about transactions that fail
because of missing DNSSEC RRs will not report "incompatible-server" but
instead "missing-signature" or suchlike.
The main difference here is that DNSSEC failures become local to a
transaction, instead of propagating into the feature level we reuse for
future transactions. This is beneficial with routers that implement
"mostly a DNS proxy", i.e. that propagate most DNS requests 1:1 to their
upstream servers, but synthesize local answers for a select few domains.
For example, AVM Fritz!Boxes operate that way: they proxy most traffic
1:1 upstream in an DNSSEC-compatible fashion, but synthesize the
"fritz.box" locally, so that it can be used to configure the router.
This local domain cannot be DNSSEC verified, it comes without
signatures. Previously this would mean once that domain was resolved
feature level would be downgraded, and we'd thus fail all future DNSSEC
attempts. With this change, the immediate lookup for "fritz.box" will
fail validation, but for all other unrelated future ones that comes
without prejudice.
(While we are at it, also make a couple of other downgrade paths a bit
tighter.)
Fixes: #10570 #14435 #6490
Diffstat (limited to '')
| -rw-r--r-- | src/resolve/resolved-dns-server.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h index 16e492743d..7860e32183 100644 --- a/src/resolve/resolved-dns-server.h +++ b/src/resolve/resolved-dns-server.h @@ -43,6 +43,7 @@ typedef enum DnsServerFeatureLevel { #define DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_EDNS0) #define DNS_SERVER_FEATURE_LEVEL_IS_TLS(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN, DNS_SERVER_FEATURE_LEVEL_TLS_DO) #define DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(x) ((x) >= DNS_SERVER_FEATURE_LEVEL_DO) +#define DNS_SERVER_FEATURE_LEVEL_IS_UDP(x) IN_SET(x, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO, DNS_SERVER_FEATURE_LEVEL_LARGE) const char* dns_server_feature_level_to_string(int i) _const_; int dns_server_feature_level_from_string(const char *s) _pure_; |