#
a34e6b00 |
| 20-Jun-2022 |
jca <jca@openbsd.org> |
Fixup comment
|
#
931108e9 |
| 22-Nov-2021 |
jca <jca@openbsd.org> |
Implement rfc6840 (AD flag processing) if using trusted name servers
libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, i.e. clear the AD flag if the resolvers aren't trusted. By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost.
ok florian@ phessler@
|
#
449cbdb1 |
| 28-Sep-2019 |
eric <eric@openbsd.org> |
correctly handle read(2) return value.
fix issue reported by Mikolaj Kucharski.
ok martijn@ deraadt@
|
#
ca9d64e0 |
| 14-Jan-2019 |
otto <otto@openbsd.org> |
Unbreak tree. Last minute changes are evil.
|
#
3d657e16 |
| 14-Jan-2019 |
otto <otto@openbsd.org> |
There are cases where a program doing dns requests wants to set the Checking Disabled flag. Introduce a RES flag to do so. ok krw@ deraadt@ eric@
|
#
cff9705a |
| 15-Mar-2017 |
deraadt <deraadt@openbsd.org> |
use recallocarray to resize buffer - ensures that detritus from previous lookups isn't left lying around the address space. ok eric
|
#
f9bcbebd |
| 14-Mar-2017 |
deraadt <deraadt@openbsd.org> |
don't need to handle the malloc case special, since realloc works with NULL ok eric
|
#
d4d39a6f |
| 27-Feb-2017 |
jca <jca@openbsd.org> |
Add support for RES_USE_DNSSEC
RES_USE_DNSSEC is implemented by setting the DNSSEC DO bit in outgoing queries. The resolver is then supposed to set the AD bit in the reply if it managed to validate the answer through DNSSEC. Useful when the application doesn't implement validation internally. This scheme assumes that the validating resolver is trusted and that the communication channel between the validating resolver and the client is secure.
ok eric@ gilles@
|
#
abe78e02 |
| 27-Feb-2017 |
jca <jca@openbsd.org> |
Put a common flags field in the query struct, rather than in some elements of the union.
This field is for internal asr flags. The flags in "struct rrset" and "struct ni" are different kinds of flags.
ok eric@
|
#
19313708 |
| 18-Feb-2017 |
eric <eric@openbsd.org> |
Use more specific error codes for invalid packets. In particular, truncated packets without the TC flag set (non-compliant server sending too large packets) now fail with EOVERFLOW instead of EINVAL, so the TCP fallback mechanism can work.
feedback and ok krw@ jca@ benno@
|
#
2aa4cd21 |
| 18-Feb-2017 |
jca <jca@openbsd.org> |
Add EDNS0 support.
EDNS allows for various DNS extensions, among which UDP DNS packets size bigger than 512 bytes. The default is still to not advertise anything.
ok eric@
|
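The four resolver commits above (AD flag processing with the localhost / "options trust-ad" rule, the RES flag for Checking Disabled, RES_USE_DNSSEC via the EDNS0 DO bit, and EDNS0 itself) describe wire-level behaviour that is easier to see in code. The following is an added example, not code from OpenBSD's libc or asr: it builds a query header with the AD and CD bits and an EDNS0 OPT record carrying the DO bit and UDP payload size, decides whether the configured name servers are trusted, and clears AD from a reply when they are not. All function names are this example's own; the loopback test (127/8 or ::1) is an assumption standing in for whatever libc actually checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN 12
enum { FLAG_QR = 0x8000, FLAG_RD = 0x0100, FLAG_AD = 0x0020, FLAG_CD = 0x0010 };
enum { TYPE_A = 1, TYPE_OPT = 41, CLASS_IN = 1, EDNS_DO = 0x8000 }; /* DO: DNSSEC OK */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Encode a dotted name as DNS labels; returns bytes written, 0 on error. */
static size_t put_name(uint8_t *p, size_t room, const char *name)
{
    size_t off = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t l = dot ? (size_t)(dot - name) : strlen(name);
        if (l == 0 || l > 63 || off + l + 2 > room) return 0;
        p[off++] = (uint8_t)l;
        memcpy(p + off, name, l);
        off += l;
        name += l + (dot ? 1 : 0);              /* skip the dot, if any */
    }
    p[off++] = 0;                               /* root label terminates the name */
    return off;
}

/* Build a NAME/A/IN query. want_ad sets AD in the request (rfc6840), want_cd
 * sets CD, use_dnssec appends an EDNS0 OPT record carrying the DO bit and the
 * advertised UDP payload size (RES_USE_DNSSEC). Returns length, 0 on error. */
size_t build_query(uint8_t *buf, size_t room, uint16_t id, const char *name,
                   int want_ad, int want_cd, int use_dnssec, uint16_t udp_size)
{
    uint16_t flags = FLAG_RD | (want_ad ? FLAG_AD : 0) | (want_cd ? FLAG_CD : 0);
    size_t off = DNS_HDR_LEN, n;

    if (room < DNS_HDR_LEN) return 0;
    memset(buf, 0, DNS_HDR_LEN);
    put16(buf, id);
    put16(buf + 2, flags);
    put16(buf + 4, 1);                          /* QDCOUNT */
    n = put_name(buf + off, room - off, name);
    if (n == 0 || off + n + 4 > room) return 0;
    off += n;
    put16(buf + off, TYPE_A);
    put16(buf + off + 2, CLASS_IN);
    off += 4;
    if (use_dnssec) {
        if (off + 11 > room) return 0;
        buf[off++] = 0;                         /* OPT owner name: root */
        put16(buf + off, TYPE_OPT);  off += 2;
        put16(buf + off, udp_size);  off += 2;  /* CLASS = UDP payload size */
        buf[off++] = 0; buf[off++] = 0;         /* extended RCODE, EDNS version 0 */
        put16(buf + off, EDNS_DO);   off += 2;  /* DO bit, upper half of TTL */
        put16(buf + off, 0);         off += 2;  /* RDLENGTH: no options */
        put16(buf + 10, 1);                     /* ARCOUNT */
    }
    return off;
}

/* Trust rule from the commit message: believe AD only when every listed name
 * server is on localhost, or the admin set "options trust-ad" in resolv.conf.
 * Assumption (this example's): "localhost" means a 127/8 or ::1 address. */
int resolvers_trusted(const char *const *ns, size_t nns, int trust_ad)
{
    if (trust_ad) return 1;
    for (size_t i = 0; i < nns; i++)
        if (strncmp(ns[i], "127.", 4) != 0 && strcmp(ns[i], "::1") != 0) return 0;
    return nns > 0;
}

/* Sanitise a reply in place: clear AD unless the resolvers are trusted, so an
 * application cannot be fooled by an untrusted server or path.
 * Returns 1 if AD is still set, 0 if not, -1 for a malformed header. */
int sanitize_response(uint8_t *resp, size_t len, int trusted)
{
    uint16_t flags;
    if (len < DNS_HDR_LEN) return -1;
    flags = get16(resp + 2);
    if (!(flags & FLAG_QR)) return -1;          /* not a response */
    if (!trusted) {
        flags &= (uint16_t)~FLAG_AD;
        put16(resp + 2, flags);
    }
    return (flags & FLAG_AD) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: one non-local resolver, and a reply header with AD set. */
    const char *ns[] = { "192.0.2.53" };
    uint8_t q[512], reply[12] = { 0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0 };
    size_t qlen = build_query(q, sizeof q, 0x1234, "example.com", 1, 0, 1, 4096);
    int trusted = resolvers_trusted(ns, 1, 0);

    printf("query %zu bytes, resolvers trusted %d, AD after sanitising %d\n",
           qlen, trusted, sanitize_response(reply, sizeof reply, trusted));
    return 0;
}
```

With the single non-localhost name server and no trust-ad option, the reply's AD bit is cleared before an application such as ssh's VerifyHostKeyDNS check could see it; adding "options trust-ad" or listing only 127.0.0.1 / ::1 lets it through.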
#
7c8731c1 |
| 17-Feb-2017 |
krw <krw@openbsd.org> |
Increase UDP packet buffer to 4096 bytes from 512. There are some really broken DNS servers out there that send packets >512 bytes w/o even the courtesy of trying to use EDNS0.
A partial workaround as more complete packet parsing solutions are worked on.
ok jca@ eric@
|
#
9dcd10c8 |
| 23-Oct-2015 |
deraadt <deraadt@openbsd.org> |
Switch to using SOCK_DNS flag, rather than the dnssocket() and dnsconnect() calls. Be a bit careful crossing over this, need a kernel no older than Monday. ok guenther tedu semarie
|
#
21d17080 |
| 18-Oct-2015 |
deraadt <deraadt@openbsd.org> |
libc DNS functions will now use the new dnssocket() / dnsconnect() system calls. These signal to the pledge kernel code that a DNS transaction is happening. These special sockets only work well with port 53 (there are some cute plans...). Programs calling pledge "inet" will not work! You need pledge "dns",
and of course, you need a fairly fresh kernel.
ok guenther kettenis tedu
|
#
a55a423a |
| 20-Sep-2015 |
eric <eric@openbsd.org> |
remove bogus includes of err.h
|
#
5826fd8c |
| 14-Sep-2015 |
guenther <guenther@openbsd.org> |
Wrap <asr.h> so internal calls go direct and all the symbols are weak
|
#
253ef892 |
| 09-Sep-2015 |
deraadt <deraadt@openbsd.org> |
Hide all unnecessary asr / resolver related API with _ prefixes. direction & ok guenther
|
#
186d27dc |
| 09-Sep-2015 |
guenther <guenther@openbsd.org> |
Use SOCK_NONBLOCK in a couple more places
ok deraadt@
|
#
134ba205 |
| 20-Jun-2015 |
jca <jca@openbsd.org> |
Rename print_sockaddr() to avoid symbol visibility problems
print_sockaddr is internal to asr, and conflicts with ports/net/samba4.
ok eric@
|
#
d216d6b1 |
| 26-Mar-2014 |
eric <eric@openbsd.org> |
Make the asr API public. Install asr.h to /usr/include and manpages. Include tweaks suggested by mpi@
ok deraadt@
|
#
5be03f8f |
| 25-Mar-2014 |
eric <eric@openbsd.org> |
Cleanup and simplify the API to be exposed. Use better names for structures, functions and defines.
discussed with and ok deraadt@ guenther@
|
#
f90bf415 |
| 14-Mar-2014 |
eric <eric@openbsd.org> |
prefix structure names to avoid ambiguity and possible collisions when the API gets public.
ok deraadt@
|
#
5bd9e5c2 |
| 12-Jul-2013 |
eric <eric@openbsd.org> |
Make some symbols static and prefix all visible symbols with asr_ to prevent collisions with third-party programs.
suggested by sthen@, ok theo@
|
#
d3064b1f |
| 01-Jun-2013 |
eric <eric@openbsd.org> |
iterating over the ns list only matters for res_send_async.c, so move things around.
|
#
c5221d45 |
| 30-Apr-2013 |
eric <eric@openbsd.org> |
Do not take external buffers for storing DNS responses in the internal async API. That is actually useless and it makes the code more complicated. The required buffers are always allocated when needed.
|