/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once

/* Shared resolver configuration types (resolve-util.h): the enums behind the
 * resolved.conf settings, their string/config parsers, and the well-known
 * resolv.conf paths. */
#include "conf-parser.h"   /* CONFIG_PARSER_PROTOTYPE(), presumably, for the parser declarations below */
#include "in-addr-util.h"  /* union in_addr_union (and, presumably transitively, in_addr_t) */
#include "macro.h"         /* presumably the _const_/_pure_ attribute macros used on the prototypes */

/* 127.0.0.53 in native endian, i.e. host byte order (0x7f.0x00.0x00.0x35).
 * Presumably the address the local DNS stub listener is reachable on (see
 * PRIVATE_STUB_RESOLV_CONF below). Because this is host order, convert with
 * htonl() before storing it in a struct in_addr / sockaddr_in. */
#define INADDR_DNS_STUB ((in_addr_t) 0x7f000035U)

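typedef enum DnsCacheMode DnsCacheMode;

/* Local caching policy, parsed via config_parse_dns_cache_mode():
 * off, on, or on but without caching negative responses. */
enum DnsCacheMode {
        DNS_CACHE_MODE_NO,
        DNS_CACHE_MODE_YES,
        DNS_CACHE_MODE_NO_NEGATIVE,
        _DNS_CACHE_MODE_MAX,
        /* Must be -1, like every other *_INVALID sentinel in this header.
         * The previous value of 1 aliased DNS_CACHE_MODE_YES, so an unknown
         * string (presumably reported by dns_cache_mode_from_string() with this
         * sentinel, as the sibling _from_string() helpers do) was
         * indistinguishable from "yes". */
        _DNS_CACHE_MODE_INVALID = -1
};
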
/* Forward typedefs so the tags can be used without the "enum" keyword before
 * the enums themselves are defined below. */
typedef enum ResolveSupport ResolveSupport;
typedef enum DnssecMode DnssecMode;
typedef enum DnsOverTlsMode DnsOverTlsMode;

/* Tri-state support switch parsed by config_parse_resolve_support().
 * RESOLVE_SUPPORT_RESOLVE is a third setting beyond plain on/off; what it
 * restricts is defined by the callers, not here. */
enum ResolveSupport {
        RESOLVE_SUPPORT_NO      = 0,
        RESOLVE_SUPPORT_YES     = 1,
        RESOLVE_SUPPORT_RESOLVE = 2,

        _RESOLVE_SUPPORT_MAX,          /* one past the last valid value */
        _RESOLVE_SUPPORT_INVALID = -1, /* sentinel, never a valid setting */
};

/* DNSSEC validation policy, parsed by config_parse_dnssec_mode(). */
enum DnssecMode {
        DNSSEC_NO              = 0, /* no DNSSEC validation at all */

        DNSSEC_ALLOW_DOWNGRADE = 1, /* validate locally when the server supports DO;
                                     * otherwise, or if the server does not do DNSSEC
                                     * properly, fall back to unvalidated operation. The
                                     * AD bit is not trusted. This is the configured
                                     * trade-off: whoever can make the server look
                                     * non-DNSSEC-capable obtains a downgrade. */

        DNSSEC_YES             = 2, /* require server-side DNSSEC support and fail
                                     * rather than downgrade */

        _DNSSEC_MODE_MAX,            /* one past the last valid value */
        _DNSSEC_MODE_INVALID = -1,   /* sentinel, never a valid setting */
};

/* DNS-over-TLS policy, parsed by config_parse_dns_over_tls_mode(). */
enum DnsOverTlsMode {
        DNS_OVER_TLS_NO            = 0, /* never open a DNS-over-TLS connection */

        DNS_OVER_TLS_OPPORTUNISTIC = 1, /* try DNS-over-TLS first; if the connection
                                         * fails, fall back to an unencrypted one. As
                                         * with DNSSEC_ALLOW_DOWNGRADE, anyone able to
                                         * make the TLS connection fail thereby strips
                                         * the encryption. */

        DNS_OVER_TLS_YES           = 2, /* DNS-over-TLS only, and the server certificate
                                         * must validate */

        _DNS_OVER_TLS_MODE_MAX,          /* one past the last valid value */
        _DNS_OVER_TLS_MODE_INVALID = -1, /* sentinel, never a valid setting */
};

/* Per-enum helpers: the resolved.conf parser plus the string conversions.
 * The *_to_string() functions are _const_ and the *_from_string() ones
 * _pure_ (attribute macros, presumably from macro.h); the exact value
 * returned for an unknown string is defined by the implementation, not here. */

/* ResolveSupport */
CONFIG_PARSER_PROTOTYPE(config_parse_resolve_support);
const char *resolve_support_to_string(ResolveSupport p) _const_;
ResolveSupport resolve_support_from_string(const char *s) _pure_;

/* DnssecMode */
CONFIG_PARSER_PROTOTYPE(config_parse_dnssec_mode);
const char *dnssec_mode_to_string(DnssecMode p) _const_;
DnssecMode dnssec_mode_from_string(const char *s) _pure_;

/* DnsOverTlsMode */
CONFIG_PARSER_PROTOTYPE(config_parse_dns_over_tls_mode);
const char *dns_over_tls_mode_to_string(DnsOverTlsMode p) _const_;
DnsOverTlsMode dns_over_tls_mode_from_string(const char *s) _pure_;

/* DnsCacheMode */
CONFIG_PARSER_PROTOTYPE(config_parse_dns_cache_mode);
const char *dns_cache_mode_to_string(DnsCacheMode p) _const_;
DnsCacheMode dns_cache_mode_from_string(const char *s) _pure_;

/* Sanity check for a configured upstream server address of the given
 * address family; the rejection criteria live in the implementation. */
bool dns_server_address_valid(int family, const union in_addr_union *sa);


/* The three resolv.conf flavours resolved maintains. Only the first two are
 * written at runtime under /run; the third is a static file whose location
 * depends on ROOTLIBEXECDIR, which is not defined in this header. */

/* A resolv.conf file containing the DNS server and domain data we learnt from uplink, i.e. the full uplink data */
#define PRIVATE_UPLINK_RESOLV_CONF "/run/systemd/resolve/resolv.conf"

/* A resolv.conf file containing the domain data we learnt from uplink, but our own DNS server address. */
#define PRIVATE_STUB_RESOLV_CONF "/run/systemd/resolve/stub-resolv.conf"

/* A static resolv.conf file containing no domains, but only our own DNS server address */
#define PRIVATE_STATIC_RESOLV_CONF ROOTLIBEXECDIR "/resolv.conf"