931108e92d
libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, ie clear the AD flag if the resolvers aren't trusted. By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad". AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available. RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost. ok florian@ phessler@
/* $OpenBSD: resolv.h,v 1.23 2021/11/22 20:18:27 jca Exp $ */
|
|
|
|
/*
|
|
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of the project nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*/
|
|
|
|
/*
|
|
* ++Copyright++ 1983, 1987, 1989, 1993
|
|
* -
|
|
* Copyright (c) 1983, 1987, 1989, 1993
|
|
* The Regents of the University of California. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of the University nor the names of its contributors
|
|
* may be used to endorse or promote products derived from this software
|
|
* without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
* -
|
|
* Portions Copyright (c) 1993 by Digital Equipment Corporation.
|
|
*
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies, and that
|
|
* the name of Digital Equipment Corporation not be used in advertising or
|
|
* publicity pertaining to distribution of the document or software without
|
|
* specific, written prior permission.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
|
|
* WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
|
|
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
|
|
* CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
|
|
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
|
|
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
|
|
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
|
|
* SOFTWARE.
|
|
* -
|
|
* --Copyright--
|
|
*/
|
|
|
|
/*
|
|
* @(#)resolv.h 8.1 (Berkeley) 6/2/93
|
|
* $From: resolv.h,v 8.17 1996/11/26 10:11:20 vixie Exp $
|
|
*/
|
|
|
|
#ifndef _RESOLV_H_
|
|
#define _RESOLV_H_
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <stdio.h>
|
|
|
|
/*
 * Revision information.  This is the release date in YYYYMMDD format.
 * It can change every day so the right thing to do with it is use it
 * in preprocessor commands such as "#if (__RES > 19931104)".  Do not
 * compare for equality; rather, use it to determine whether your resolver
 * is new enough to contain a certain feature.
 *
 * This value has not tracked later additions to this header (e.g. the
 * RES_USE_* and RES_TRUSTAD option bits below), so portable code should
 * probe those with "#ifdef RES_TRUSTAD" rather than by comparing __RES.
 */

#define __RES	19960801
|
|
|
|
/*
 * Resolver configuration file.
 * Normally not present, but may contain the address of the
 * initial name server(s) to query and the domain search list.
 *
 * Whether the listed name servers are trusted for DNSSEC AD-flag
 * purposes is also decided from this file; see RES_TRUSTAD below.
 * The path may be overridden at compile time.
 */

#ifndef _PATH_RESCONF
#define	_PATH_RESCONF	"/etc/resolv.conf"
#endif
|
|
|
|
/*
 * Global defines and variables for resolver stub.
 *
 * These bound the fixed-size arrays in struct __res_state and
 * struct __res_state_ext below, so changing them changes the ABI.
 */
#define	MAXNS			3	/* max # name servers we'll track */
#define	MAXDFLSRCH		3	/* # default domain levels to try */
#define	MAXDNSRCH		6	/* max # domains in search path */
#define	LOCALDOMAINPARTS	2	/* min levels in name that is "local" */
#define	MAXDNSLUS		4	/* max # of host lookup types */

#define	RES_TIMEOUT		5	/* min. seconds between retries */
#define	MAXRESOLVSORT		10	/* number of net to sort on */
#define	RES_MAXNDOTS		15	/* should reflect bit field size */
					/* (ndots is a 4-bit field, hence 15) */
|
|
|
|
/*
 * Per-process resolver state.  The process-wide instance is the global
 * `_res` declared further down.  Only IPv4 name server addresses fit in
 * nsaddr_list here; IPv6 ones live in struct __res_state_ext, which was
 * split off to keep this layout binary compatible.  Do not reorder or
 * resize fields.
 */
struct __res_state {
	int	retrans;	 	/* retransmission time interval */
	int	retry;			/* number of times to retransmit */
	unsigned int options;		/* option flags - see below.  Unsigned
					 * so that RES_TRUSTAD (bit 31) fits
					 * without sign trouble. */
	int	nscount;		/* number of name servers */
	int	family[2];		/* specifies which address
					 * families will be queried and
					 * in which order */
	struct	sockaddr_in
		nsaddr_list[MAXNS];	/* address of name server */
#define	nsaddr	nsaddr_list[0]		/* for backward compatibility */
	unsigned short id;		/* current message id (16-bit DNS
					 * transaction id; presumably drawn
					 * from res_randomid(), see below) */
	char	*dnsrch[MAXDNSRCH+1];	/* components of domain to search */
	char	defdname[256];		/* default domain (deprecated) */
	unsigned int pfcode;		/* RES_PRF_ flags - see below. */
	unsigned ndots:4;		/* threshold for initial abs. query */
	unsigned nsort:4;		/* number of elements in sort_list[] */
	char	unused[3];		/* NOTE(review): looks like layout
					 * padding kept for ABI - confirm */
	struct {
		struct in_addr	addr;
		u_int32_t	mask;
	} sort_list[MAXRESOLVSORT];	/* IPv4 "sortlist" entries */
	char	lookups[MAXDNSLUS];
	struct { time_t __res_sec; long __res_nsec; } restimespec;
					/* presumably the mtime of the config
					 * file used to detect changes - verify
					 * against res_init() */
	time_t	reschktime;		/* presumably when to next re-check it */
};
|
|
|
|
#if 1 /* INET6 */
/*
 * replacement of __res_state, separated to keep binary compatibility.
 *
 * Holds the address-family-agnostic counterparts of nsaddr_list and
 * sort_list from struct __res_state: sockaddr_storage for name servers
 * and a tagged union for sortlist entries.  Its global instance is
 * `_res_ext`, declared below alongside `_res`.
 */
struct __res_state_ext {
	struct sockaddr_storage nsaddr_list[MAXNS];
	struct {
		int	af;		/* address family for addr, mask */
		union {
			struct in_addr ina;
			struct in6_addr in6a;
		} addr, mask;		/* interpret according to af */
	} sort_list[MAXRESOLVSORT];
};
#endif
|
|
|
|
|
|
/*
 * Resolver options (keep these in synch with res_debug.c, please)
 *
 * These are bit values for __res_state.options.  The ISC-assigned bits
 * grow upward from bit 0; OpenBSD/KAME additions are taken from the top
 * of the word to avoid colliding with future ISC assignments.
 */
#define RES_INIT	0x00000001	/* address initialized */
#define RES_DEBUG	0x00000002	/* print debug messages */
#define RES_AAONLY	0x00000004	/* authoritative answers only (!IMPL)*/
#define RES_USEVC	0x00000008	/* use virtual circuit */
#define RES_PRIMARY	0x00000010	/* query primary server only (!IMPL) */
#define RES_IGNTC	0x00000020	/* ignore truncation errors */
#define RES_RECURSE	0x00000040	/* recursion desired */
#define RES_DEFNAMES	0x00000080	/* use default domain name */
#define RES_STAYOPEN	0x00000100	/* Keep TCP socket open */
#define RES_DNSRCH	0x00000200	/* search up local domain tree */
/*
 * The RES_INSECURE* bits relax sanity checks applied to incoming answers
 * (which server they came from / whether they match the query - see
 * res_send.c for the exact checks).  Leave them clear in production.
 */
#define RES_INSECURE1	0x00000400	/* type 1 security disabled */
#define RES_INSECURE2	0x00000800	/* type 2 security disabled */
#define RES_NOALIASES	0x00001000	/* shuts off HOSTALIASES feature */
#define RES_USE_INET6	0x00002000	/* use/map IPv6 in gethostbyname() */
/* KAME extensions: use higher bit to avoid conflict with ISC use */
#define RES_USE_EDNS0	0x40000000	/* use EDNS0 */
/* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
#define RES_USE_DNSSEC	0x20000000	/* use DNSSEC using OK bit in OPT */
					/* (the DO bit lives in the EDNS0 OPT
					 * record, so this implies EDNS0) */
#define RES_USE_CD	0x10000000	/* set Checking Disabled flag */
					/* CD asks the upstream resolver NOT
					 * to validate; an application that
					 * depends on the AD flag should not
					 * set this. */
/*
 * RES_TRUSTAD: libc does no DNSSEC validation itself, but it can ask a
 * security-aware resolver to validate and report the result in the AD
 * flag.  With this bit set, queries are sent with AD set and the AD flag
 * of responses is passed through to the caller.  With it clear, libc
 * clears AD in every response so that an application can never be misled
 * by an untrusted resolver's AD claim.  res_init() sets it automatically
 * only when every name server in resolv.conf(5) is on localhost (e.g.
 * unwind(8)/unbound(8)); for other resolvers an administrator who trusts
 * all listed servers *and the network path to them* may opt in with
 * "options trust-ad".  Deliberately not part of RES_DEFAULT.
 */
#define RES_TRUSTAD	0x80000000	/* Request AD, keep it in responses. */

#define RES_DEFAULT	(RES_RECURSE | RES_DEFNAMES | RES_DNSRCH)
|
|
|
|
/*
 * Resolver "pfcode" values.  Used by dig.
 *
 * Bit values for __res_state.pfcode; they select which parts of a
 * query/response the debugging printer shows.  The two commented-out
 * values are unassigned.
 */
#define RES_PRF_STATS	0x00000001
/*			0x00000002	*/
#define RES_PRF_CLASS   0x00000004
#define RES_PRF_CMD	0x00000008
#define RES_PRF_QUES	0x00000010
#define RES_PRF_ANS	0x00000020
#define RES_PRF_AUTH	0x00000040
#define RES_PRF_ADD	0x00000080
#define RES_PRF_HEAD1	0x00000100
#define RES_PRF_HEAD2	0x00000200
#define RES_PRF_TTLID	0x00000400
#define RES_PRF_HEADX	0x00000800
#define RES_PRF_QUERY	0x00001000
#define RES_PRF_REPLY	0x00002000
#define RES_PRF_INIT    0x00004000
/*			0x00008000	*/
|
|
|
|
/* hooks are still experimental as of 4.9.2 */
/*
 * Value a res_send hook returns to steer res_send(): continue as normal,
 * move on to the next name server, indicate the hook modified the
 * query/answer, report the exchange finished, or report an error.
 * Exact handling of each value is in res_send.c.
 */
typedef enum { res_goahead, res_nextns, res_modified, res_done, res_error }
	res_sendhookact;
|
|
|
|
/*
 * Query-side hook: invoked before a query is sent to name server *ns.
 * The hook may replace *query/*querylen (hence the double pointers) or
 * fill in ans/anssiz and set *resplen itself.  Only IPv4 servers are
 * visible through this sockaddr_in interface.
 */
typedef res_sendhookact (*res_send_qhook)(struct sockaddr_in * const *ns,
					      const unsigned char **query,
					      int *querylen,
					      unsigned char *ans,
					      int anssiz,
					      int *resplen);
|
|
|
|
/*
 * Response-side hook: invoked after an answer of *resplen bytes has been
 * read into ans (capacity anssiz) from name server ns, with the query that
 * produced it.  The hook may rewrite the answer in place and adjust
 * *resplen, staying within anssiz.
 */
typedef res_sendhookact (*res_send_rhook)(const struct sockaddr_in *ns,
					      const unsigned char *query,
					      int querylen,
					      unsigned char *ans,
					      int anssiz,
					      int *resplen);
|
|
|
|
/*
 * One entry of a number <-> name table such as __p_class_syms[] and
 * __p_type_syms[] below; looked up by sym_ntos().
 */
struct res_sym {
	int	number;		/* Identifying number, like T_MX */
	char *	name;		/* Its symbolic name, like "MX" */
	char *	humanname;	/* Its fun name, like "mail exchanger" */
};
|
|
|
|
/*
 * Process-wide resolver state.  _res_ext carries the IPv6-capable
 * counterparts of the _res address fields (see struct __res_state_ext).
 * Both are plain globals with no locking visible here, so treat them as
 * not safe to mutate concurrently.
 */
extern struct __res_state _res;
#if 1 /* INET6 */
extern struct __res_state_ext _res_ext;
#endif
/* Symbol tables for DNS class and type names, terminated per res_sym. */
extern const struct res_sym __p_class_syms[];
extern const struct res_sym __p_type_syms[];
|
|
|
|
/* Private routines shared between libc/net, named, nslookup and others. */
/*
 * The public names are macros for the double-underscore symbols that libc
 * actually exports; presumably so that internal callers bind to the libc
 * versions and cannot be interposed by an application defining, e.g., its
 * own res_send().  Callers can still take the public name.
 */
#define	res_hnok	__res_hnok
#define	res_ownok	__res_ownok
#define	res_mailok	__res_mailok
#define	res_dnok	__res_dnok
#define	sym_ntos	__sym_ntos
#define	b64_ntop	__b64_ntop
#define	b64_pton	__b64_pton
#define	dn_skipname	__dn_skipname
#define	putlong		__putlong
#define	putshort	__putshort
#define	p_class		__p_class
#define	p_type		__p_type
#define	dn_count_labels	__dn_count_labels
#define	dn_comp		__dn_comp
#define	res_randomid	__res_randomid
#define	res_send	__res_send
#define	res_opt		__res_opt

/* The POSIX-namespace subset is only remapped when BIND_RES_POSIX3 is on. */
#ifdef BIND_RES_POSIX3
#define	dn_expand	__dn_expand
#define	res_init	__res_init
#define	res_query	__res_query
#define	res_search	__res_search
#define	res_querydomain	__res_querydomain
#define	res_mkquery	__res_mkquery
#endif
|
|
|
|
__BEGIN_DECLS
/* Name validity checks: hostname, owner name, mailbox, domain name. */
int		res_hnok(const char *);
int		res_ownok(const char *);
int		res_mailok(const char *);
int		res_dnok(const char *);
/* Map a number to its symbolic name in a res_sym table (see struct res_sym). */
const char *	sym_ntos(const struct res_sym *, int, int *);
/* Base64 encode/decode with explicit destination sizes. */
int		b64_ntop(unsigned char const *, size_t, char *, size_t);
int		b64_pton(char const *, unsigned char *, size_t);
/* Skip a (possibly compressed) domain name; second arg bounds the message. */
int		dn_skipname(const unsigned char *,
		    const unsigned char *);
/* Store a 32/16-bit value in network byte order. */
void		putlong(u_int32_t, unsigned char *);
void		putshort(u_int16_t, unsigned char *);
/* Printable class/type names. */
const char *	p_class(int);
const char *	p_type(int);
/* Compress a domain name into a message; expand one out of a message. */
int		dn_comp(const char *, unsigned char *, int,
		    unsigned char **, unsigned char **);
int		dn_expand(const unsigned char *, const unsigned char *,
		    const unsigned char *, char *, int);
/* Load resolv.conf(5) into _res; this is also where RES_TRUSTAD is decided. */
int		res_init(void);
/* Unpredictable 16-bit query id source; see the id field of __res_state. */
unsigned int	res_randomid(void);
/*
 * Query functions.  In each, the answer buffer is paired with its size in
 * the following argument; the __bounded__ attributes let the compiler
 * check that pairing at call sites.  On the AD flag in returned answers,
 * see RES_TRUSTAD.
 */
int		res_query(const char *, int, int, unsigned char *, int)
		    __attribute__((__bounded__(__string__,4,5)));
int		res_search(const char *, int, int, unsigned char *, int)
		    __attribute__((__bounded__(__string__,4,5)));
int		res_querydomain(const char *, const char *, int, int,
		    unsigned char *, int)
		    __attribute__((__bounded__(__string__,5,6)));
int		res_mkquery(int, const char *, int, int,
		    const unsigned char *, int, const unsigned char *,
		    unsigned char *, int)
		    __attribute__((__bounded__(__string__,5,6)))
		    __attribute__((__bounded__(__string__,8,9)));
int		res_send(const unsigned char *, int, unsigned char *,
		    int)
		    __attribute__((__bounded__(__string__,3,4)));
__END_DECLS
|
|
|
|
#endif /* !_RESOLV_H_ */
|