nss-resolve: return NOTFOUND instead of UNAVAIL on resolution errors

It needs to be possible to tell apart "the nss-resolve module does not exist" (which can happen when running foreign-architecture programs) from "the queried DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these cases too, and only keep UNAVAIL for the cases where we cannot handle the given address family. This makes it possible to configure a fallback to "dns" without breaking DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage. This does not change behaviour if resolved is not running, as that already falls back to the "dns" glibc module. Fixes systemd#4157
martinpitt · Sep 16, 2016 · 3aafe1a · 3aafe1a
1 parent 8545f23
commit 3aafe1a
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
@@ -95,6 +95,12 @@ rpc:            db files
 
 netgroup:       nis</programlisting>
 
+    <para>If the <command>dns</command> module needs to be kept for cases where <command>nss-resolve</command> is not
+    available (like running foreign-architecture programs), configure <literal>hosts</literal> in
+    <filename>/etc/nsswitch.conf</filename> like this instead:</para>
+
+<programlisting>
+hosts:          files mymachines myhostname <command>resolve [!UNAVAIL=return]</command> dns</programlisting>
   </refsect1>
 
   <refsect1>

diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c
@@ -279,9 +279,12 @@ enum nss_status _nss_resolve_gethostbyname4_r(
         }
 
 fail:
+        /* When we arrive here, resolved runs and has answered (fallback to
+         * "dns" is handled earlier). So we have a definitive "no" answer and
+         * should not fall back to subsequent NSS modules via "UNAVAIL". */
         *errnop = -r;
         *h_errnop = NO_RECOVERY;
-        return NSS_STATUS_UNAVAIL;
+        return NSS_STATUS_NOTFOUND;
 }
 
 enum nss_status _nss_resolve_gethostbyname3_r(
@@ -476,7 +479,7 @@ enum nss_status _nss_resolve_gethostbyname3_r(
 fail:
         *errnop = -r;
         *h_errnop = NO_RECOVERY;
-        return NSS_STATUS_UNAVAIL;
+        return NSS_STATUS_NOTFOUND;
 }
 
 enum nss_status _nss_resolve_gethostbyaddr2_r(
@@ -666,7 +669,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
 fail:
         *errnop = -r;
         *h_errnop = NO_RECOVERY;
-        return NSS_STATUS_UNAVAIL;
+        return NSS_STATUS_NOTFOUND;
 }
 
 NSS_GETHOSTBYNAME_FALLBACKS(resolve);