Documentation/networking/dns_resolver.rst

0001 .. SPDX-License-Identifier: GPL-2.0
0002
0003 ===================
0004 DNS Resolver Module
0005 ===================
0006
0007 .. Contents:
0008
0009  - Overview.
0010  - Compilation.
0011  - Setting up.
0012  - Usage.
0013  - Mechanism.
0014  - Debugging.
0015
0016
0017 Overview
0018 ========
0019
0020 The DNS resolver module provides a way for kernel services to make DNS queries
0021 by way of requesting a key of key type dns_resolver.  These queries are
0022 upcalled to userspace through /sbin/request-key.
0023
0024 These routines must be supported by userspace tools dns.upcall, cifs.upcall and
0025 request-key.  It is under development and does not yet provide the full feature
0026 set.  The features it does support include:
0027
0028  (*) Implements the dns_resolver key_type to contact userspace.
0029
0030 It does not yet support the following AFS features:
0031
0032  (*) Dns query support for AFSDB resource record.
0033
0034 This code is extracted from the CIFS filesystem.
0035
0036
0037 Compilation
0038 ===========
0039
0040 The module should be enabled by turning on the kernel configuration options::
0041
0042         CONFIG_DNS_RESOLVER     - tristate "DNS Resolver support"
0043
0044
0045 Setting up
0046 ==========
0047
0048 To set up this facility, the /etc/request-key.conf file must be altered so that
0049 /sbin/request-key can appropriately direct the upcalls.  For example, to handle
0050 basic dname to IPv4/IPv6 address resolution, the following line should be
0051 added::
0052
0053
0054         #OP     TYPE            DESC    CO-INFO PROGRAM ARG1 ARG2 ARG3 ...
0055         #====== ============    ======= ======= ==========================
0056         create  dns_resolver    *       *       /usr/sbin/cifs.upcall %k
0057
0058 To direct a query for query type 'foo', a line of the following should be added
0059 before the more general line given above as the first match is the one taken::
0060
0061         create  dns_resolver    foo:*   *       /usr/sbin/dns.foo %k
0062
0063
0064 Usage
0065 =====
0066
0067 To make use of this facility, one of the following functions that are
0068 implemented in the module can be called after doing::
0069
0070         #include <linux/dns_resolver.h>
0071
0072      ::
0073
0074         int dns_query(const char *type, const char *name, size_t namelen,
0075                      const char *options, char **_result, time_t *_expiry);
0076
0077      This is the basic access function.  It looks for a cached DNS query and if
0078      it doesn't find it, it upcalls to userspace to make a new DNS query, which
0079      may then be cached.  The key description is constructed as a string of the
0080      form::
0081
0082                 [<type>:]<name>
0083
0084      where <type> optionally specifies the particular upcall program to invoke,
0085      and thus the type of query to do, and <name> specifies the string to be
0086      looked up.  The default query type is a straight hostname to IP address
0087      set lookup.
0088
0089      The name parameter is not required to be a NUL-terminated string, and its
0090      length should be given by the namelen argument.
0091
0092      The options parameter may be NULL or it may be a set of options
0093      appropriate to the query type.
0094
0095      The return value is a string appropriate to the query type.  For instance,
0096      for the default query type it is just a list of comma-separated IPv4 and
0097      IPv6 addresses.  The caller must free the result.
0098
0099      The length of the result string is returned on success, and a negative
0100      error code is returned otherwise.  -EKEYREJECTED will be returned if the
0101      DNS lookup failed.
0102
0103      If _expiry is non-NULL, the expiry time (TTL) of the result will be
0104      returned also.
0105
0106 The kernel maintains an internal keyring in which it caches looked up keys.
0107 This can be cleared by any process that has the CAP_SYS_ADMIN capability by
0108 the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
0109
0110
0111 Reading DNS Keys from Userspace
0112 ===============================
0113
0114 Keys of dns_resolver type can be read from userspace using keyctl_read() or
0115 "keyctl read/print/pipe".
0116
0117
0118 Mechanism
0119 =========
0120
0121 The dnsresolver module registers a key type called "dns_resolver".  Keys of
0122 this type are used to transport and cache DNS lookup results from userspace.
0123
0124 When dns_query() is invoked, it calls request_key() to search the local
0125 keyrings for a cached DNS result.  If that fails to find one, it upcalls to
0126 userspace to get a new result.
0127
0128 Upcalls to userspace are made through the request_key() upcall vector, and are
0129 directed by means of configuration lines in /etc/request-key.conf that tell
0130 /sbin/request-key what program to run to instantiate the key.
0131
0132 The upcall handler program is responsible for querying the DNS, processing the
0133 result into a form suitable for passing to the keyctl_instantiate_key()
0134 routine.  This then passes the data to dns_resolver_instantiate() which strips
0135 off and processes any options included in the data, and then attaches the
0136 remainder of the string to the key as its payload.
0137
0138 The upcall handler program should set the expiry time on the key to that of the
0139 lowest TTL of all the records it has extracted a result from.  This means that
0140 the key will be discarded and recreated when the data it holds has expired.
0141
0142 dns_query() returns a copy of the value attached to the key, or an error if
0143 that is indicated instead.
0144
0145 See <file:Documentation/security/keys/request-key.rst> for further
0146 information about request-key function.
0147
0148
0149 Debugging
0150 =========
0151
0152 Debugging messages can be turned on dynamically by writing a 1 into the
0153 following file::
0154
0155         /sys/module/dnsresolver/parameters/debug