nss-resolve: return NOTFOUND instead of UNAVAIL for DNSSEC validation failures #4164
Conversation
Hmm, my intuition is that the list of affected errors may be a lot larger than just
We could also flip this around to whitelist errors for UNAVAIL, such as "resolved is not running" or similar D-Bus connection problems.
Indeed that was a bit dense.. If we only use
7812fc3 to 3aafe1a
Updated, this is more robust now.
Note that this does not affect the callers of Right now these are pretty useless, as we e.g. return
I.e. the error codes with this are more predictable now:
Handle general errors from the resolved call in _nss_resolve_gethostbyaddr2_r() the same way as in the other variants: Just "goto fail" as that does exactly the same.
resolve includes myhostname functionality, so there is no need to add it again.
| @@ -95,6 +95,12 @@ rpc: db files | |||
|
|
|||
| netgroup: nis</programlisting> | |||
|
|
|||
| <para>If the <command>dns</command> module needs to be kept for cases where <command>nss-resolve</command> is not | |||
| available (like running foreign-architecture programs), configure <literal>hosts</literal> in | |||
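Review bot: the added `<para>` breaks off at `configure <literal>hosts</literal> in`, so the hunk as shown never gives the reader the concrete line to copy; the `resolve [!UNAVAIL=return] dns` setting named in the commit message should appear here, preferably inside the `<programlisting>` above it, because with glibc's default actions a NOTFOUND from nss-resolve still continues to `dns`, and the fail-closed behaviour this change is after exists only together with the `[!UNAVAIL=return]` specifier. The wording suggested in the review (the module is not installed, or not available for the current architecture) also reads better than the foreign-architecture example alone.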
foreign arch is a bit special, why not say that "the module is not installed, or not available for current architecture"?
It needs to be possible to tell apart "the nss-resolve module does not exist" (which can happen when running foreign-architecture programs) from "the queried DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these cases too, and only keep UNAVAIL for the cases where we cannot handle the given address family. This makes it possible to configure a fallback to "dns" without breaking DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage. This does not change behaviour if resolved is not running, as that already falls back to the "dns" glibc module. Fixes systemd#4157
3aafe1a to d724751
Updated again to clarify manpage and rebase on current master.
It needs to be possible to tell apart "the nss-resolve module does not exist" (which can happen when running foreign-architecture programs) from "the queried DNS name failed DNSSEC validation". The latter is much more like "host not found" (NXDOMAIN), so return NOTFOUND for these cases too.
This makes it possible to configure a fallback to "dns" without breaking DNSSEC, with
Fixes #4157
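The point of the change is easiest to see by walking glibc's nsswitch action chain by hand. The following is an added example, not code from systemd or from this pull request: a small Python model of the `hosts:` chain in nsswitch.conf(5) (module list plus `[STATUS=ACTION]` specifiers, with the documented defaults of return on SUCCESS and continue otherwise), a toy `resolve` module that can be switched between the old behaviour (UNAVAIL on a DNSSEC validation failure) and the new one (NOTFOUND), and a toy `dns` module that never validates. The names `good.example`, `bogus.example` and `nxdomain.example`, the addresses from the 192.0.2.0/24 documentation range, and the treatment of a missing module as UNAVAIL are all constructed assumptions of the model.

```python
"""Model of glibc's nsswitch.conf action chain for the hosts database.

Added example (not systemd code).  Each NSS module returns one of the four
nss_status values; the optional [STATUS=ACTION] specifier after a module
decides whether glibc returns or goes on to the next module.  Only the
actions 'return' and 'continue' are modelled.
"""
import re
from enum import Enum


class Status(Enum):
    """The four result codes an NSS module can return (enum nss_status)."""
    SUCCESS = "SUCCESS"
    NOTFOUND = "NOTFOUND"
    UNAVAIL = "UNAVAIL"
    TRYAGAIN = "TRYAGAIN"


# Defaults from nsswitch.conf(5): stop on SUCCESS, otherwise try the next module.
DEFAULT_ACTIONS = {s: "continue" for s in Status}
DEFAULT_ACTIONS[Status.SUCCESS] = "return"

_TOKEN = re.compile(r"\[[^\]]*\]|\S+")


def parse_hosts_line(line):
    """Parse 'hosts: resolve [!UNAVAIL=return] dns' into a list of
    (module_name, actions) pairs; actions maps every Status to an action."""
    _, _, spec = line.partition(":")
    chain = []
    for tok in _TOKEN.findall(spec):
        if not tok.startswith("["):
            chain.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not chain:
            raise ValueError("action specifier before any module: %s" % tok)
        _, actions = chain[-1]
        for item in tok[1:-1].split():
            key, _, action = item.partition("=")
            action = action.lower()
            if action not in ("return", "continue"):
                raise ValueError("unsupported action: %s" % item)
            negate = key.startswith("!")          # '!' negates the status test
            target = Status[key.lstrip("!").upper()]
            for s in Status:
                if (s == target) != negate:
                    actions[s] = action
    return chain


def lookup(hosts_line, modules, name):
    """Walk the chain for `name`.  `modules` maps module name -> callable
    returning (Status, answer).  A module absent from the dict (not
    installed, or not built for this architecture) is modelled as UNAVAIL,
    an assumption of this toy: glibc skips such modules, which under the
    'continue' action amounts to the same thing.  Returns
    (Status, answer, module that decided the result)."""
    status, answer, decided_by = Status.UNAVAIL, None, None
    for module_name, actions in parse_hosts_line(hosts_line):
        fn = modules.get(module_name)
        status, answer = fn(name) if fn else (Status.UNAVAIL, None)
        decided_by = module_name
        if actions[status] == "return":
            break
    return status, answer, decided_by


# Constructed sample data: (address, whether the DNSSEC signature validates).
SIGNED_ZONE = {
    "good.example": ("192.0.2.10", True),
    "bogus.example": ("192.0.2.66", False),   # signed, but the signature is bad
}


def make_nss_resolve(dnssec_failure_status):
    """Toy stand-in for nss-resolve: UNAVAIL on validation failure models the
    behaviour before this pull request, NOTFOUND the behaviour after it."""
    def resolve(name):
        if name not in SIGNED_ZONE:
            return Status.NOTFOUND, None            # NXDOMAIN
        address, validates = SIGNED_ZONE[name]
        if not validates:
            return dnssec_failure_status, None     # DNSSEC validation failed
        return Status.SUCCESS, address
    return resolve


def nss_dns(name):
    """Toy stand-in for glibc's dns module: plain DNS, no validation, so it
    returns an address for the bogus name as readily as for the good one."""
    if name in SIGNED_ZONE:
        return Status.SUCCESS, SIGNED_ZONE[name][0]
    return Status.NOTFOUND, None


def compare(hosts_line, name):
    """Final status for `name` with old nss-resolve, new nss-resolve, and
    with the resolve module not installed at all."""
    old = lookup(hosts_line, {"resolve": make_nss_resolve(Status.UNAVAIL), "dns": nss_dns}, name)
    new = lookup(hosts_line, {"resolve": make_nss_resolve(Status.NOTFOUND), "dns": nss_dns}, name)
    missing = lookup(hosts_line, {"dns": nss_dns}, name)
    return old[0], new[0], missing[0]


if __name__ == "__main__":
    for line in ("hosts: resolve [!UNAVAIL=return] dns", "hosts: resolve dns"):
        for host in ("good.example", "bogus.example", "nxdomain.example"):
            old, new, missing = compare(line, host)
            print("%-38s %-17s old=%-8s new=%-8s no-resolve-module=%s"
                  % (line, host, old.value, new.value, missing.value))
```

Running it shows the two rows that matter: with `hosts: resolve [!UNAVAIL=return] dns`, `bogus.example` resolves to SUCCESS under the old code (UNAVAIL falls through to `dns`, which does not validate) and to NOTFOUND under the new code, while a missing resolve module still reaches `dns` in both. With plain `hosts: resolve dns` the bogus name resolves either way, since NOTFOUND continues by default; the return-code change and the `[!UNAVAIL=return]` specifier only fail closed together.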