tcp reset / icmp port-unreachable are markedly different conditions than
packet loss. It doesn't make much sense to retry in this case. It's
actually not clear if there is any benefit at all retrying tcp
connections, which were presumably already retried as necessary by the
tcp stack.
This probably rarely helped anyway, but it also in some cases interferes
with auxiliary dnssec queries where the authoritative nameserver does
not support EDNS0/DNSSEC.
Fixes: ac6844460ca1 ("resolved: support RFC 8914 EDE error codes")
If the parent zone uses a non-opt-out method that provides authenticated
negative DS replies, we still can't expect signatures from the child
zone. sd-resolved was using the authenticated status of the DS reply to
require signatures for CNAMEs, even though it had already proved that no
signature exists.
Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
Previously, sd-resolved unnecessarily requested SOA records for each dns
label in the query, even though they are not needed for the chain of
trust. Since 47690634f157, only the necessary records are queried when
validating.
This is actually a problem in allow-downgrade mode, since we will no
longer attempt a query for a record that we know is signed a priori, and
will therefore never update our belief about the state of dnssec support
in the recursive resolver.
Rectify this by reintroducing a query for the root zone SOA in the
allow-downgrade case, specifically to test that the resolver attaches
the RRSIGs which we know must exist.
Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
If we request a DS and the resolver offers an unsigned SOA, a new
auxiliary transaction for the DS will be rejected as a loop, and we
might not make any progress toward finding the DS we need. Let's ensure
that we at least always check the parent in this case.
Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
dns_transaction_request_dnssec_rr was already adjusted in 400171036592,
to allow for the return parameter to be passed uninitialized. However
this codepath was missed, meaning this function could sometimes return
success without having actually set the parameter.
Fixes: 400171036592 ("resolved: minor dnssec fixups")
Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
We normally expect sd-resolved only to return the validated subset of a
validated response. In some cases we give up on validating, because we
have enough information already to conclude the answer is bogus.
Let's be sure to always reply with only the validated subset in these
cases too, so that we don't return bogus answers and confuse primitive
clients that won't see the SERVFAIL rcode.
Fixes: ce5b9d5b3c24 ("resolved: request DS with DNSKEY")
Follow-up for ce5b9d5b3c2466dd35691be0a662c4e3353a2bbf.
Follow-up for 47690634f157150e7b69c832d1f2d64d18b3f124.
When validating, when we look up a DNSKEY for validation we will almost
certainly need the corresponding DS to complete the chain of trust.
Let's go ahead and request it right away so that we don't have to wait
in this common case.
When validating insecure delegations we don't actually need to request
the SOA for every single dns label. We need the DS records for the zone,
and we can seek them by querying for DS directly (in case we are at a
zone cut) and then following the SOA referrals or the parent name until
we have found a chain of trust.
Extra transactions and roundtrips, especially transactions for RRs that
aren't actually needed to validate and therefore aren't likely to be in
the recursive resolver's own cache are a big slowdown during validation.
Consequently, this change results in an enormous speed up in validating
most names from our own cold-cache (10x or more), by eliminating a large
number of superfluous dnssec transactions.
In some cases when a query completes there are still pending
transactions that are no longer useful to answer the query. But if this
query is repeated in the future and we don't have the answers cached,
we're going to ask and ignore the answer again.
Instead of purging these superfluous transactions, let's wait and see if
they produce an answer, since we already asked the question, and use it
to fill our cache.
It has been demonstrated that tolerating an unbounded number of dnssec
signature validations is a bad idea. It is easy for a maliciously
crafted DNS reply to contain as many keytag collisions as desired,
causing us to iterate every dnskey and signature combination in vain.
The solution is to impose a maximum number of validations we will
tolerate. While collisions are not hard to craft, I still expect they
are unlikely in the wild so it should be safe to pick fairly small
values.
Here two limits are imposed: one on the maximum number of invalid
signatures encountered per rrset, and another on the total number of
validations performed per transaction.
Fixes #30928.
and include EDE code and message in the error messages.
This replaces 9ca133e97a0c8795b1f293ccea4965b4ad1accc4, and implements
originally suggested at
https://github.com/systemd/systemd/pull/30513#discussion_r1433823737
- add missing initialization for DnsQuery.answer_ede_rcode,
- clear EDE code and message in dns_transaction_reset_answer(),
otherwise the previous EDE code or message may be mistakenly reused
on restart. This fixes memory leak of DnsTransaction.answer_ede_msg.
- also clear EDE code and message in dns_query_reset_answer(),
otherwise ede message is leaked if dns_query_accept() is called
multiple times for the same DnsQuery.
Follow-up for 9ca133e97a0c8795b1f293ccea4965b4ad1accc4.
Fixes #30752.
This partially reverts commit 9ca133e97a0c8795b1f293ccea4965b4ad1accc4.
Not only is there no reason to introduce a new transaction failure state,
but also the commit introduces several severe issues.
Fixes #30776, #30779.
- fix indentation,
- drop incorrect comment, dns_packet_ede_rcode() can handle unknown EDE rcode.
- 0 is a valid EDE rcode,
- DnsTransaction.answer_ede_msg may be NULL, so needs to use strempty()
on logging,
- drop redundant ede_rcode temporary variable.
Follow-up for ac6844460ca1c01eaf2cb209ffa21c200d21a8f8.
This makes the following:
- make dns_packet_ede_rcode() return -EINVAL when EDE code not found.
Otherwise, the caller may be confused that the packet has an unknown
error code.
- make the function escape EDE message only when non-utf8 message is received.
- the message handling logic is applied even if the error code is unknown, as
there is no reason that we escape EDE message only when a known error code
is received.
- reduce scope of variables,
- drop redundant 'else',
- append full stop to the log messages,
- drop redundant log message in the caller,
- split out error in the function and returned EDE error code.
Follow-up for ac6844460ca1c01eaf2cb209ffa21c200d21a8f8.
resolved: support RFC 8914 EDE error codes
This new transaction result is emitted when the upstream server
indicates a fatal error that we will not try to recover from.
Currently, it is emitted when a validating recursive resolver reports an
error validating dnssec records for a domain. The extended error message
should help give context to the admin.
If the server is able to indicate an extended error to us, using a
degraded feature set is unlikely to help.
Some fields of the DnsPacket are not populated until we extract an
answer, like p->opt, despite being referenced by macros like
DNS_PACKET_RCODE. We can reorder some of the basic checks to follow
dns_packet_extract.
dns_transaction_close_connection() is called
Follow-up for ac1b7b9e1933c14bc7bf36d4f32a888afb3f2f4d.
Fixes CID#1533020.
tree-wide: drop unnecessary space or insert missing space
Since in that case the event loop is already finished and we'd hit an
assertion:
[ 1295.993300] testsuite-75.sh[50]: + systemctl stop systemd-resolved.service
[ 1296.005152] systemd-resolved[298]: Assertion 'e->state != SD_EVENT_FINISHED' failed at src/libsystemd/sd-event/sd-event.c:1252, function sd_event_add_io(). Aborting.
Thread 1 (Thread 0x7f17d25e2940 (LWP 298)):
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f17d16ac8a3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007f17d165c668 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f17d16444b8 in __GI_abort () at abort.c:79
#4 0x00007f17d2402d2d in log_assert_failed (text=<optimized out>, file=<optimized out>, line=<optimized out>, func=<optimized out>) at ../build/src/basic/log.c:968
#5 0x00007f17d240401c in log_assert_failed_return (text=text@entry=0x7f17d2533f13 "e->state != SD_EVENT_FINISHED", file=file@entry=0x7f17d25195d9 "src/libsystemd/sd-event/sd-event.c", line=line@entry=1252, func=func@entry=0x7f17d2567260 <__func__.140> "sd_event_add_io") at ../build/src/basic/log.c:987
#6 0x00007f17d24d011a in sd_event_add_io (e=0x55e5cb497270, ret=0x55e5cb4a5120, fd=fd@entry=26, events=events@entry=1, callback=callback@entry=0x55e5caff5466 <on_io_event>, userdata=0x55e5cb4a5110) at ../build/src/libsystemd/sd-event/sd-event.c:1252
#7 0x000055e5caff571c in manager_add_socket_to_graveyard (m=0x55e5cb43cf00, fd=26) at ../build/src/resolve/resolved-socket-graveyard.c:117
#8 0x000055e5cafd4253 in dns_transaction_close_connection (t=t@entry=0x55e5cb57c7d0, use_graveyard=use_graveyard@entry=true) at ../build/src/resolve/resolved-dns-transaction.c:78
#9 0x000055e5cafd8444 in dns_transaction_complete (t=t@entry=0x55e5cb57c7d0, state=state@entry=DNS_TRANSACTION_ABORTED) at ../build/src/resolve/resolved-dns-transaction.c:427
#10 0x000055e5cafc4969 in dns_scope_abort_transactions (s=s@entry=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:91
#11 0x000055e5cafc6aee in dns_scope_free (s=0x55e5cb4b1a70) at ../build/src/resolve/resolved-dns-scope.c:106
#12 0x000055e5cafe72d1 in link_free (l=0x55e5cb4a5160) at ../build/src/resolve/resolved-link.c:94
#13 0x000055e5cafedefc in manager_free (m=0x55e5cb43cf00) at ../build/src/resolve/resolved-manager.c:697
#14 0x000055e5caff99b6 in manager_freep (p=p@entry=0x7ffd71fab8f8) at ../build/src/resolve/resolved-manager.h:198
#15 0x000055e5caff9d66 in run (argc=argc@entry=1, argv=argv@entry=0x7ffd71faba78) at ../build/src/resolve/resolved.c:25
#16 0x000055e5caff9fe3 in main (argc=1, argv=0x7ffd71faba78) at ../build/src/resolve/resolved.c:99
Resolves: #30618
Fixes #25676
Then, this fixes the following issues:
- if dns_packet_append_zone() for another transaction failed with
EMSGSIZE, the previously added key was not removed,
- if dns_transaction_prepare() for another transaction returns 0, then
we restarted the loop without dropping previously appended keys, which
might not be necessary any more.
- mostly: usecase -> use case
- continously -> continuously
- single typos in docs/FILE_DESCRIPTOR_STORE.md
Added show-server-state verb to resolvectl
Added DumpStatistics and ResetStatistics methods to varlink
Given that ERRNO_IS_DISCONNECT() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the argument passed to ERRNO_IS_DISCONNECT() is the value
returned by dns_transaction_emit_tcp() and dns_transaction_emit_udp()
which are not expected to return any positive values, but let's be
consistent anyway and move the ERRNO_IS_DISCONNECT() invocation
to the branch where the return value is known to be negative.
Given that ERRNO_IS_DISCONNECT() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the argument passed to ERRNO_IS_DISCONNECT() is the value
returned by manager_recv() which can legitimately return 1 without errno
semantics, so fix this by moving ERRNO_IS_DISCONNECT() invocation to the
branch where the return value is known to be negative.
The article "a" goes before consonant sounds and "an" goes before vowel
sounds. This commit changes an to a for UKI, UDP, UTF-8, URL, UUID, U-Label, UI
and USB, since they start with the sound /ˌjuː/.
Serve stale feature to keep the DNS resource records beyond TTL to return them as stale records in case the upstream server is not reachable or returns a negative response.
SD_RESOLVED_NO_STALE flag has been added to disable serving stale records via dbus.
Added serve stale test cases to TEST-75-RESOLVED
Fixes: #21815
DVE-2018-0001 has been fixed by the vendor, and this workaround is no longer
needed. Removal of this workaround improves performance as queries used to be
retried more than necessary.
This reverts 1ed4e584f3a03f47d2313314b6b5a78c9dc6f135.
This reverts https://github.com/systemd/systemd/pull/18638
Keep .clamp_feature_level_servfail name, as imho it is more descriptive than
just .clamp_feature_level, especially if we ever need to add similar
workarounds as the one we had for DVE-2018-0001.
However note that there is another retry which was added in
8a33aa199dc1cea14494469ac9d7d08dc6721df1 - seems to be working around Stubby
resolver behaviour.
Fixes: #26967
If UDP is blocked on the system (e.g. by iptables or BPF), the kernel will
return EPERM on some or all of the system calls (connect, sendmsg, etc.).
In this case, try to fall back to TCP, which hopefully will not be blocked.
-1 was used everywhere, but -EBADF or -EBADFD started being used in various
places. Let's make things consistent in the new style.
Note that there are two candidates:
EBADF 9 Bad file descriptor
EBADFD 77 File descriptor in bad state
Since we're initializing the fd, we're just assigning a value that means
"no fd yet", so it's just a bad file descriptor, and the first errno fits
better. If instead we had a valid file descriptor that became invalid because
of some operation or state change, the other errno would fit better.
In some places, initialization is dropped if unnecessary.
Resolves: #19824
Fixes #24842.
resolve: mdns: fix use-after-free
Otherwise, if we have many cached entries or pending transactions with
TYPE_ANY, then dns_transaction_make_packet_mdns() fails with -EMSGSIZE.
This also fixes use-after-free.
Fixes #23894.
This also fixes timeout in dns_transaction_make_packet_mdns(), which was
incremented multiple times.
Also, this makes mDNS regular queries sent without delay (except for
one caused by the default accuracy of sd-event).
Note, RFC 6762 Section 5.2 is about continuous mDNS query, which is not
implemented yet.