summaryrefslogtreecommitdiffstats
path: root/src/resolve/resolved-dns-cache.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
* libsystemd: turn json.[ch] into a public APILennart Poettering2024-06-121-1/+1
| | | | | | | | | | | | | | | This is preparation for making our Varlink API a public API. Since our Varlink API is built on top of our JSON API we need to make that public first (it's a nice API, but JSON APIs there are already enough, this is purely about the Varlink angle). I made most of the json.h APIs public, and just placed them in sd-json.h. Sometimes I wasn't so sure however, since the underlying data structures would have to be made public too. If in doubt I didn#t risk it, and moved the relevant API to src/libsystemd/sd-json/json-util.h instead (without any sd_* symbol prefixes). This is mostly a giant search/replace patch.
* resolved: remove entry from cache when goodbye packet receivedVishal Chillara Srinivas2024-03-051-0/+2
| | | | | | | | | | RFC6762 10.1 says that queriers receiving a Multicast DNS response with a TTL of zero SHOULD record a TTL of 1 and then delete the record one second later. Added a timer event to trigger a callback to clean-up the cache one second after a goodbye packet is received. The callback also checks for any cache entries expiring within the next one second and schedules follow-up cleanup callbacks accordingly.
* resolved: added serve stale feature implementation of RFC 8767Kiran Vemula2023-06-161-1/+2
| | | | | | | serve stale feature to keep the DNS resource records beyond TTL to return them as stale records in case of upstream server is not reachable or returns negative response. SD_RESOLVED_NO_STALE flag has been added to disable serving stale records via dbus. added serve stale test cases to TEST-75-RESOLVED Fixes: #21815
* resolved: add DumpCache varlink call for acquiring a complete dump of all of ↵Lennart Poettering2023-06-121-0/+2
| | | | | | | | | | | | resolved's RR caches This adds a simple varlink call io.systemd.Resolve.Monitor.DumpCache to the existing io.systemd.Resolve.Monitor service. It compiles a JSON object containing the per-scope cache entries and returns it. Replaces: #20053 #19104 Fixes: #14796
* resolve: do not cache mDNS goodbye packetYu Watanabe2022-09-301-0/+1
| | | | Fixes #24842.
* resolve: mdns: calculate required packet size to store questions and authoritiesYu Watanabe2022-07-081-1/+1
| | | | | | | | | Otherwise, if we have many cached entries or pending transactions with TYPE_ANY, then dns_transaction_make_packet_mdns() fails with -EMSGSIZE. This also fixes use-after-free. Fixes #23894.
* resolved: replace "answer_authenticated" bool by uint64_t query_flags fieldLennart Poettering2021-02-161-2/+2
| | | | | | | | | | | | | Let's use the same flags type we use for client communication, i.e. instead of "bool answer_authenticated", let's use "uint64_t answer_query_flags", with the SD_RESOLVED_AUTHENTICATED flag. This is mostly just search/replace, i.e. a refactoring, no change in behaviour. This becomes useful once in a later commit SD_RESOLVED_CONFIDENTIAL is added to indicate resolution that either were encrypted (DNS-over-TLS) or never left the local system.
* resolved: drop timestamp parameter to dns_cache_put() we don't ever passLennart Poettering2021-02-091-1/+0
|
* resolved: add support for answering DNSSEC questions on the stubLennart Poettering2021-02-091-2/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This substantially beefs up the local DNS stub feature set in order to allow local clients to do DNSSEC validation through the stub. Previously we'd return NOTIMP if we'd get a DO or DO+CD lookup. With this change we'll instead: 1. If we get DO+CD requests (i.e. DNSSEC with no local checking) we'll proxy DNS queries and response mostly unmodified to/from upstream DNS servers if possible (this is called "bypass" mode). We will patch in new request IDs, (and patch them back out on reply), so that we can sanely keep track of things. We'll also maintain a minimal local cache for such lookups, always keeping the whole DNS packets in it (if we reply from cache we'll patch the TTLs of all included RRs). 2. If we get DO requests without CD (i.e. DNSSEC with local checking) we'll resolve and validate locally. In this mode we will not proxy packets, but generate our own. We will however cache the combination of answer RRs (along with their packet section assignments) we got back in the cache, and use this information to generate reply packets from the DNS stub. In both cases: if we determine a lookup is to be answered from LLMNR or mDNS we'll always revert to non-DNSSEC, non-proxy operation as before. Answers will lack the DO bit then, since the data cannot be validated via DNSSEC by the clients. To make this logic more debuggable, this also adds query flags for turning off RR sources. i.e. cache/network/zone/trust anchor/local synthesis may now be disabled individually for each lookup. The cache is substantially updated to make all this work: in addition to caching simple RRs for lookup RR keys, we'll now cache the whole packets and the whole combination of RRs, so that we can answer DO and DO+CD replies sensibly according to the rules described above. This sounds wasteful, but given that the DnsResourceRecord/DnsResourceKey/DnsAnswer/DnsPacket objects are all ref-counted and we try to merge references the actual additional memory used should be limited (but this might be something to optimize further later on). To implement classic RR key lookups and new-style packet proxy lookups (i.e. the ones necessary for DO+CD packet proxying, as described above) DnsTransaction and DnsQuery objects now always maintain either a DnsResourceKey/DnsQuestion as lookup key or a DnsPacket for "bypass" mode. Fixes: #4621 #17218
* Revert "resolvectl: Add show-multicast verb to show discovered LLMNR/mDNS hosts"Lennart Poettering2021-02-051-2/+1
|
* resolve: Add GetMulticastHosts() D-Bus methodDaan De Meyer2021-01-301-1/+2
| | | | | | GetMulticastHosts() returns an array of hostnames/addresses discovered via LLMNR or Multicast DNS. It does not trigger any discovery on its own. Instead, it simply returns whatever is already in resolved's cache.
* license: LGPL-2.1+ -> LGPL-2.1-or-laterYu Watanabe2020-11-091-1/+1
|
* resolved: switch cache option to a tri-state option (systemd#5552).Jorge Niedbalski2019-07-171-1/+2
| | | | | | | | | | | | | Change the resolved.conf Cache option to a tri-state "no, no-negative, yes" values. If a lookup returns SERVFAIL systemd-resolved will cache the result for 30s (See 201d995), however, there are several use cases on which this condition is not acceptable (See systemd#5552 comments) and the only workaround would be to disable cache entirely or flush it , which isn't optimal. This change adds the 'no-negative' option when set it avoids putting in cache negative answers but still works the same heuristics for positive answers. Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
* tree-wide: remove Lennart's copyright linesLennart Poettering2018-06-141-4/+0
| | | | | | | | | | | These lines are generally out-of-date, incomplete and unnecessary. With SPDX and git repository much more accurate and fine grained information about licensing and authorship is available, hence let's drop the per-file copyright notice. Of course, removing copyright lines of others is problematic, hence this commit only removes my own lines and leaves all others untouched. It might be nicer if sooner or later those could go away too, making git the only and accurate source of authorship information.
* tree-wide: drop 'This file is part of systemd' blurbLennart Poettering2018-06-141-2/+0
| | | | | | | | | | | | | | | | This part of the copyright blurb stems from the GPL use recommendations: https://www.gnu.org/licenses/gpl-howto.en.html The concept appears to originate in times where version control was per file, instead of per tree, and was a way to glue the files together. Ultimately, we nowadays don't live in that world anymore, and this information is entirely useless anyway, as people are very welcome to copy these files into any projects they like, and they shouldn't have to change bits that are part of our copyright header for that. hence, let's just get rid of this old cruft, and shorten our codebase a bit.
* tree-wide: drop license boilerplateZbigniew Jędrzejewski-Szmek2018-04-061-13/+0
| | | | | | | | | | Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt. I also kept any copyright lines. We can probably remove them, but it'd nice to obtain explicit acks from all involved authors before doing that.
* Add SPDX license identifiers to source files under the LGPLZbigniew Jędrzejewski-Szmek2017-11-191-0/+1
| | | | | This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* resolved: when using the ResolveRecord() bus call, adjust TTL for caching timeLennart Poettering2016-06-211-1/+1
| | | | | | | | | | | When we return the full RR wire data, let's make sure the TTL included in it is adjusted by the time the RR sat in the cache. As an optimization we do this only for ResolveRecord() and not for ResolveHostname() and friends, since adjusting the TTL means copying the RR object, and we don#t want to do that if there's no reason to. (ResolveHostname() and friends don't return the TTL hence there's no reason to in that case)
* tree-wide: remove Emacs lines from all filesDaniel Mack2016-02-101-2/+0
| | | | | This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.
* resolved: when caching negative responses, honour NSEC/NSEC3 TTLsLennart Poettering2016-01-051-1/+1
| | | | | | | | | | When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existance, if it there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our question including a high-ttl SOA RR for any parent zone, and we'd use trust the TTL.
* resolved: gather statistics about resolved namesLennart Poettering2015-12-261-0/+4
| | | | | | This collects statistical data about transactions, dnssec verifications and the cache, and exposes it over the bus. The systemd-resolve-host tool learns new options to query these statistics and reset them.
* resolved: add support NSEC3 proofs, as well as proofs for domains that are ↵Lennart Poettering2015-12-181-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OK to be unsigned This large patch adds a couple of mechanisms to ensure we get NSEC3 and proof-of-unsigned support into place. Specifically: - Each item in an DnsAnswer gets two bit flags now: DNS_ANSWER_AUTHENTICATED and DNS_ANSWER_CACHEABLE. The former is necessary since DNS responses might contain signed as well as unsigned RRsets in one, and we need to remember which ones are signed and which ones aren't. The latter is necessary, since not we need to keep track which RRsets may be cached and which ones may not be, even while manipulating DnsAnswer objects. - The .n_answer_cachable of DnsTransaction is dropped now (it used to store how many of the first DnsAnswer entries are cachable), and replaced by the DNS_ANSWER_CACHABLE flag instead. - NSEC3 proofs are implemented now (lacking support for the wildcard part, to be added in a later commit). - Support for the "AD" bit has been dropped. It's unsafe, and now that we have end-to-end authentication we don't need it anymore. - An auxiliary DnsTransaction of a DnsTransactions is now kept around as least as long as the latter stays around. We no longer remove the auxiliary DnsTransaction as soon as it completed. THis is necessary, as we now are interested not only in the RRsets it acquired but also in its authentication status.
* resolved: add dns_cache_export_to_packet()Daniel Mack2015-12-081-0/+3
| | | | | | This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
* resolved: add a concept of "authenticated" responsesLennart Poettering2015-12-031-2/+2
| | | | | | | | | | | | | | | This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
* resolved: add basic DNSSEC supportLennart Poettering2015-12-021-1/+0
| | | | | | | | | | | | | | | | | This adds most basic operation for doing DNSSEC validation on the client side. However, it does not actually add the verification logic to the resolver. Specifically, this patch only includes: - Verifying DNSKEY RRs against a DS RRs - Verifying RRSets against a combination of RRSIG and DNSKEY RRs - Matching up RRSIG RRs and DNSKEY RRs - Matching up RR keys and RRSIG RRs - Calculating the DNSSEC key tag from a DNSKEY RR All currently used DNSSEC combinations of SHA and RSA are implemented. Support for MD5 hashing and DSA or EC cyphers are not. MD5 and DSA are probably obsolete, and shouldn't be added. EC should probably be added eventually, if it actually is deployed on the Internet.
* tree-wide: sort includes in *.hThomas Hindoe Paaboel Andersen2015-11-181-3/+3
| | | | | This is a continuation of the previous include sort patch, which only sorted for .c files.
* resolved: cache - only allow putting a single question key at a timeTom Gundersen2015-09-161-1/+1
| | | | | Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
* resolved: dump cache and zone contents to syslog on SIGUSR1Lennart Poettering2015-08-261-0/+3
|
* resolved: only maintain one question RR key per transactionLennart Poettering2015-08-211-1/+1
| | | | | | | Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
* remove unused includesThomas Hindoe Paaboel Andersen2015-02-231-1/+0
| | | | | | This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
* resolved: implement full LLMNR conflict detection logicLennart Poettering2014-08-111-1/+3
|
* resolved: only cache answer RRs, never additional or authoritative RRs of ↵Lennart Poettering2014-07-301-1/+1
| | | | responses
* resolve: add llmnr responder side for UDP and TCPLennart Poettering2014-07-291-17/+0
| | | | Name defending is still missing.
* resolved: implement negative cachingLennart Poettering2014-07-231-11/+15
|
* resolved: rework logic so that we can share transactions between queries of ↵Lennart Poettering2014-07-231-4/+4
| | | | different clients
* resolved: add DNS cacheLennart Poettering2014-07-171-0/+57