git.ipfire.org Git - thirdparty/systemd.git/commit - src/resolve/resolved-dns-dnssec.c
resolved: add an automatic downgrade to non-DNSSEC mode
author Lennart Poettering <lennart@poettering.net>
Fri, 25 Dec 2015 14:05:46 +0000 (15:05 +0100)
committer Lennart Poettering <lennart@poettering.net>
Sat, 26 Dec 2015 18:09:11 +0000 (19:09 +0100)
commit b652d4a2099d1c167584dcc1d179d47c58dc38a2
tree 3d597bd8be7cb96040d2d4a2cf8f08a7e685272e
parent 0e4fb6b2dedf590741220b806c92e9e68857b457
resolved: add an automatic downgrade to non-DNSSEC mode

This adds a mode that makes resolved automatically downgrade from DNSSEC
support to classic non-DNSSEC resolving if the configured DNS server is
not capable of DNSSEC. Enabling this mode increases compatibility with
crappy network equipment, but of course opens up the system to
downgrading attacks.

The new mode can be enabled by setting DNSSEC=downgrade-ok in
resolved.conf. DNSSEC=yes, on the other hand, remains a "strict" mode, where DNS
resolving rather fails than allows downgrading.

Downgrading is done:

- when the server does not support EDNS0+DO
- or when the server supports it but does not augment returned RRs with
  RRSIGs. The latter is detected when requesting DS or SOA RRs for the
  root domain (which is necessary to do proofs for unsigned data)
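The two downgrade triggers listed above can be checked against a single probe response: query the root for its SOA with an EDNS0 OPT record carrying the DO bit, then look at whether the reply carries an OPT record with DO set and whether the answer carries an RRSIG. The following Python is an added illustration, not resolved's code or anything from this commit; it models the decision with its own hypothetical helpers (`classify_server`, `decide`), treats "no EDNS0+DO support" as a reply that lacks an OPT record or has DO clear (an assumption about how that case surfaces on the wire), and builds the sample responses inline so it runs offline. Record data is placeholder bytes; only record types and the OPT flags are inspected.

```python
import struct

# RR types and constants used by the probe (RFC 1035 / RFC 6891 / RFC 4034).
TYPE_SOA, TYPE_OPT, TYPE_DS, TYPE_RRSIG = 6, 41, 43, 46
CLASS_IN = 1
EDNS_UDP_SIZE = 4096
EDNS_DO = 0x8000          # DO bit sits in the low 16 bits of the OPT RR's TTL field


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels; "" or "." is the root."""
    if name in ("", "."):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def encode_rr(name, rtype, rclass, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_root_soa_response(answers, opt_do=None):
    """Constructed reply to 'SOA .' (hypothetical helper, not resolved's code).

    answers: list of (name, rtype, rdata) for the answer section.
    opt_do:  None  -> no OPT RR at all (server speaks no EDNS0);
             False -> OPT RR present but DO clear;  True -> OPT RR with DO set.
    """
    additional = b""
    if opt_do is not None:
        additional = encode_rr("", TYPE_OPT, EDNS_UDP_SIZE, EDNS_DO if opt_do else 0, b"")
    arcount = 1 if opt_do is not None else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, arcount)
    question = encode_name(".") + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    body = b"".join(encode_rr(n, t, CLASS_IN, 86400, d) for n, t, d in answers)
    return header + question + body + additional


def skip_name(msg, off):
    """Return the offset just past the name at `off`, following compression pointers."""
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer: 2 bytes, then jump
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return end if end is not None else off
        off += length


def parse_sections(msg):
    """Return {section: [(rtype, rclass, ttl), ...]}; rdata is skipped, not decoded."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[section].append((rtype, rclass, ttl))
    return sections


def classify_server(msg):
    """Apply the two downgrade triggers from the commit message to one probe response."""
    s = parse_sections(msg)
    opts = [r for r in s["additional"] if r[0] == TYPE_OPT]
    if not opts or not (opts[0][2] & EDNS_DO):
        return "no-edns0-do"                      # trigger 1: no EDNS0+DO
    if not any(r[0] == TYPE_RRSIG for r in s["answer"]):
        return "no-rrsig"                         # trigger 2: DO honoured, root SOA unsigned
    return "dnssec"


def decide(msg, mode):
    """mode is the resolved.conf DNSSEC= value: 'yes' (strict) or 'downgrade-ok'."""
    if classify_server(msg) == "dnssec":
        return "validate"
    return "downgrade" if mode == "downgrade-ok" else "fail"


# Constructed sample responses; rdata values are placeholders, only RR types are inspected.
SOA_RDATA = (encode_name("a.root-servers.net") + encode_name("nstld.verisign-grs.com")
             + struct.pack("!IIIII", 2015122500, 1800, 900, 604800, 86400))
RRSIG_RDATA = (struct.pack("!HBBIIIH", TYPE_SOA, 8, 0, 86400, 1451606400, 1450396800, 19036)
               + encode_name(".") + b"\x00" * 32)   # zeroed signature bytes, placeholder
GOOD = build_root_soa_response([(".", TYPE_SOA, SOA_RDATA), (".", TYPE_RRSIG, RRSIG_RDATA)], opt_do=True)
NO_RRSIG = build_root_soa_response([(".", TYPE_SOA, SOA_RDATA)], opt_do=True)
NO_DO = build_root_soa_response([(".", TYPE_SOA, SOA_RDATA)], opt_do=False)
NO_EDNS = build_root_soa_response([(".", TYPE_SOA, SOA_RDATA)])

if __name__ == "__main__":
    for label, msg in (("dnssec-capable", GOOD), ("no RRSIG", NO_RRSIG),
                       ("DO clear", NO_DO), ("no EDNS0", NO_EDNS)):
        print(f"{label:15} {classify_server(msg):12} "
              f"DNSSEC=yes -> {decide(msg, 'yes'):8} DNSSEC=downgrade-ok -> {decide(msg, 'downgrade-ok')}")
```

The strict/downgrade split is visible in the last three samples: every response that fails either trigger ends as `fail` under DNSSEC=yes and as `downgrade` under DNSSEC=downgrade-ok, which is exactly the surface an on-path attacker can exploit in the permissive mode by stripping OPT or RRSIG records from the probe reply.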
src/resolve/resolved-dns-dnssec.c
src/resolve/resolved-dns-dnssec.h
src/resolve/resolved-dns-server.c
src/resolve/resolved-dns-server.h
src/resolve/resolved-dns-transaction.c