resolved: rename "downgrade-ok" mode to "allow-downgrade"
authorLennart Poettering <lennart@poettering.net>
Tue, 5 Jan 2016 16:44:16 +0000 (17:44 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 5 Jan 2016 19:00:53 +0000 (20:00 +0100)
After discussing this with Tom, we figured out "allow-downgrade" sounds
nicer.

man/resolved.conf.xml
src/resolve/resolved-dns-dnssec.c
src/resolve/resolved-dns-dnssec.h
src/resolve/resolved-dns-transaction.c

index 3c1e698d33981f674648fd1e2d5a9f5bd984c2bd..c2c277b606ce04add614e1a92a1e081de866f6d5 100644 (file)
       <varlistentry>
         <term><varname>DNSSEC=</varname></term>
         <listitem><para>Takes a boolean argument or
-        <literal>downgrade-ok</literal>. If true all DNS lookups are
+        <literal>allow-downgrade</literal>. If true all DNS lookups are
         DNSSEC-validated locally (excluding LLMNR and Multicast
         DNS). If a response for a lookup request is detected invalid
         this is returned as lookup failure to applications. Note that
         this mode requires a DNS server that supports DNSSEC. If the
         DNS server does not properly support DNSSEC all validations
-        will fail. If set to <literal>downgrade-ok</literal> DNSSEC
+        will fail. If set to <literal>allow-downgrade</literal> DNSSEC
         validation is attempted, but if the server does not support
         DNSSEC properly, DNSSEC mode is automatically disabled. Note
         that this mode makes DNSSEC validation vulnerable to
         lookups will fail, as it cannot be proved anymore whether
         lookups are correctly signed, or validly unsigned. If
         <varname>DNSSEC=</varname> is set to
-        <literal>downgrade-ok</literal> the resolver will
+        <literal>allow-downgrade</literal> the resolver will
         automatically turn off DNSSEC validation in such a case.</para>
 
         <para>Client programs looking up DNS data will be informed
         DNSSEC correctly, and where software or trust anchor updates
         happen regularly. On other systems it is recommended to set
         <varname>DNSSEC=</varname> to
-        <literal>downgrade-ok</literal>.</para>
+        <literal>allow-downgrade</literal>.</para>
         </listitem>
       </varlistentry>
 
index 32d4834aa1db083c597122806f6631660383ae97..ff571986c08f4578cc05541a1ab59a9cbf999659 100644 (file)
@@ -1568,7 +1568,7 @@ int dnssec_test_nsec(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
 
 static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = {
         [DNSSEC_NO] = "no",
-        [DNSSEC_DOWNGRADE_OK] = "downgrade-ok",
+        [DNSSEC_ALLOW_DOWNGRADE] = "allow-downgrade",
         [DNSSEC_YES] = "yes",
 };
 DEFINE_STRING_TABLE_LOOKUP(dnssec_mode, DnssecMode);
index 94d0b23f80d894108116cbbe553156fdc372249c..d818d1a9060d7e5991f6d94bd4ad1b739f034c86 100644 (file)
@@ -37,7 +37,7 @@ enum DnssecMode {
          * DNSSEC properly, downgrade to non-DNSSEC operation. Of
          * course, we then are vulnerable to a downgrade attack, but
          * that's life and what is configured. */
-        DNSSEC_DOWNGRADE_OK,
+        DNSSEC_ALLOW_DOWNGRADE,
 
         /* Insist on DNSSEC server support, and rather fail than downgrading. */
         DNSSEC_YES,
index 870b7586fdd24bd48646feca6ffe8035aa8b589e..44267c6b2dd4b1c9dd96a8c57b28219f8d9d5fe8 100644 (file)
@@ -939,7 +939,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
                          * this means we cannot do any DNSSEC logic
                          * anymore. */
 
-                        if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) {
+                        if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
                                 /* We are in downgrade mode. In this
                                  * case, synthesize an unsigned empty
                                  * response, so that the any lookup
@@ -2266,7 +2266,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 
                                                 dns_server_packet_rrsig_missing(t->server);
 
-                                                if (t->scope->dnssec_mode == DNSSEC_DOWNGRADE_OK) {
+                                                if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
 
                                                         /* Downgrading is OK? If so, just consider the information unsigned */