]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
322345fd | 2 | |
202b76ae ZJS |
3 | #include <net/if.h> |
4 | ||
5 | #include "af-list.h" | |
b5efdb8a | 6 | #include "alloc-util.h" |
58db254a | 7 | #include "dns-domain.h" |
518a66ec | 8 | #include "format-util.h" |
02c2857b | 9 | #include "resolved-dns-answer.h" |
322345fd | 10 | #include "resolved-dns-cache.h" |
7e8e0422 | 11 | #include "resolved-dns-packet.h" |
58db254a | 12 | #include "string-util.h" |
322345fd | 13 | |
6af47493 LP |
14 | /* Never cache more than 4K entries. RFC 1536, Section 5 suggests to |
15 | * leave DNS caches unbounded, but that's crazy. */ | |
d98e5504 | 16 | #define CACHE_MAX 4096 |
cbd4560e | 17 | |
d98e5504 LP |
18 | /* We never keep any item longer than 2h in our cache */ |
19 | #define CACHE_TTL_MAX_USEC (2 * USEC_PER_HOUR) | |
322345fd | 20 | |
201d9958 LP |
21 | /* How long to cache strange rcodes, i.e. rcodes != SUCCESS and != NXDOMAIN (specifically: that's only SERVFAIL for |
22 | * now) */ | |
19bcef9d | 23 | #define CACHE_TTL_STRANGE_RCODE_USEC (10 * USEC_PER_SEC) |
201d9958 | 24 | |
43fc4baa | 25 | #define CACHEABLE_QUERY_FLAGS (SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL) |
6f055e43 | 26 | |
623a4c97 LP |
27 | typedef enum DnsCacheItemType DnsCacheItemType; |
28 | typedef struct DnsCacheItem DnsCacheItem; | |
29 | ||
30 | enum DnsCacheItemType { | |
31 | DNS_CACHE_POSITIVE, | |
32 | DNS_CACHE_NODATA, | |
33 | DNS_CACHE_NXDOMAIN, | |
201d9958 | 34 | DNS_CACHE_RCODE, /* "strange" RCODE (effective only SERVFAIL for now) */ |
623a4c97 LP |
35 | }; |
36 | ||
37 | struct DnsCacheItem { | |
d2579eec | 38 | DnsCacheItemType type; |
8e95506a | 39 | int rcode; |
775ae354 LP |
40 | DnsResourceKey *key; /* The key for this item, i.e. the lookup key */ |
41 | DnsResourceRecord *rr; /* The RR for this item, i.e. the lookup value for positive queries */ | |
42 | DnsAnswer *answer; /* The full validated answer, if this is an RRset acquired via a "primary" lookup */ | |
43 | DnsPacket *full_packet; /* The full packet this information was acquired with */ | |
d2579eec | 44 | |
623a4c97 | 45 | usec_t until; |
43fc4baa | 46 | uint64_t query_flags; /* SD_RESOLVED_AUTHENTICATED and/or SD_RESOLVED_CONFIDENTIAL */ |
775ae354 | 47 | DnssecResult dnssec_result; |
d2579eec | 48 | |
06d12754 | 49 | int ifindex; |
a4076574 LP |
50 | int owner_family; |
51 | union in_addr_union owner_address; | |
d2579eec LP |
52 | |
53 | unsigned prioq_idx; | |
623a4c97 | 54 | LIST_FIELDS(DnsCacheItem, by_key); |
8e95506a YW |
55 | |
56 | bool shared_owner; | |
623a4c97 LP |
57 | }; |
58 | ||
775ae354 LP |
59 | /* Returns true if this is a cache item created as result of an explicit lookup, or created as "side-effect" |
60 | * of another request. "Primary" entries will carry the full answer data (with NSEC, …) that can aso prove | |
6b5e8240 | 61 | * wildcard expansion, non-existence and such, while entries that were created as "side-effect" just contain |
775ae354 LP |
62 | * immediate RR data for the specified RR key, but nothing else. */ |
63 | #define DNS_CACHE_ITEM_IS_PRIMARY(item) (!!(item)->answer) | |
64 | ||
201d9958 LP |
65 | static const char *dns_cache_item_type_to_string(DnsCacheItem *item) { |
66 | assert(item); | |
67 | ||
68 | switch (item->type) { | |
69 | ||
70 | case DNS_CACHE_POSITIVE: | |
71 | return "POSITIVE"; | |
72 | ||
73 | case DNS_CACHE_NODATA: | |
74 | return "NODATA"; | |
75 | ||
76 | case DNS_CACHE_NXDOMAIN: | |
77 | return "NXDOMAIN"; | |
78 | ||
79 | case DNS_CACHE_RCODE: | |
80 | return dns_rcode_to_string(item->rcode); | |
81 | } | |
82 | ||
83 | return NULL; | |
84 | } | |
85 | ||
75db809a | 86 | static DnsCacheItem* dns_cache_item_free(DnsCacheItem *i) { |
322345fd | 87 | if (!i) |
75db809a | 88 | return NULL; |
322345fd LP |
89 | |
90 | dns_resource_record_unref(i->rr); | |
7e8e0422 | 91 | dns_resource_key_unref(i->key); |
775ae354 LP |
92 | dns_answer_unref(i->answer); |
93 | dns_packet_unref(i->full_packet); | |
75db809a | 94 | return mfree(i); |
322345fd | 95 | } |
322345fd LP |
96 | DEFINE_TRIVIAL_CLEANUP_FUNC(DnsCacheItem*, dns_cache_item_free); |
97 | ||
39963f11 | 98 | static void dns_cache_item_unlink_and_free(DnsCache *c, DnsCacheItem *i) { |
322345fd LP |
99 | DnsCacheItem *first; |
100 | ||
101 | assert(c); | |
102 | ||
103 | if (!i) | |
104 | return; | |
105 | ||
7e8e0422 LP |
106 | first = hashmap_get(c->by_key, i->key); |
107 | LIST_REMOVE(by_key, first, i); | |
322345fd LP |
108 | |
109 | if (first) | |
7e8e0422 | 110 | assert_se(hashmap_replace(c->by_key, first->key, first) >= 0); |
322345fd | 111 | else |
7e8e0422 | 112 | hashmap_remove(c->by_key, i->key); |
322345fd | 113 | |
7e8e0422 | 114 | prioq_remove(c->by_expiry, i, &i->prioq_idx); |
322345fd LP |
115 | |
116 | dns_cache_item_free(i); | |
117 | } | |
118 | ||
f5bdeb01 | 119 | static bool dns_cache_remove_by_rr(DnsCache *c, DnsResourceRecord *rr) { |
03677889 | 120 | DnsCacheItem *first; |
f5bdeb01 LP |
121 | int r; |
122 | ||
123 | first = hashmap_get(c->by_key, rr->key); | |
124 | LIST_FOREACH(by_key, i, first) { | |
125 | r = dns_resource_record_equal(i->rr, rr); | |
126 | if (r < 0) | |
127 | return r; | |
128 | if (r > 0) { | |
39963f11 | 129 | dns_cache_item_unlink_and_free(c, i); |
f5bdeb01 LP |
130 | return true; |
131 | } | |
132 | } | |
133 | ||
134 | return false; | |
135 | } | |
136 | ||
2dda578f | 137 | static bool dns_cache_remove_by_key(DnsCache *c, DnsResourceKey *key) { |
03677889 | 138 | DnsCacheItem *first; |
322345fd LP |
139 | |
140 | assert(c); | |
141 | assert(key); | |
142 | ||
1f97052f LP |
143 | first = hashmap_remove(c->by_key, key); |
144 | if (!first) | |
145 | return false; | |
146 | ||
80a226b2 | 147 | LIST_FOREACH(by_key, i, first) { |
1f97052f LP |
148 | prioq_remove(c->by_expiry, i, &i->prioq_idx); |
149 | dns_cache_item_free(i); | |
6b34a6c9 TG |
150 | } |
151 | ||
1f97052f | 152 | return true; |
322345fd LP |
153 | } |
154 | ||
ef9a3e3c LP |
155 | void dns_cache_flush(DnsCache *c) { |
156 | DnsResourceKey *key; | |
157 | ||
158 | assert(c); | |
159 | ||
160 | while ((key = hashmap_first_key(c->by_key))) | |
2dda578f | 161 | dns_cache_remove_by_key(c, key); |
ef9a3e3c LP |
162 | |
163 | assert(hashmap_size(c->by_key) == 0); | |
164 | assert(prioq_size(c->by_expiry) == 0); | |
165 | ||
166 | c->by_key = hashmap_free(c->by_key); | |
167 | c->by_expiry = prioq_free(c->by_expiry); | |
168 | } | |
169 | ||
322345fd LP |
170 | static void dns_cache_make_space(DnsCache *c, unsigned add) { |
171 | assert(c); | |
172 | ||
173 | if (add <= 0) | |
174 | return; | |
175 | ||
176 | /* Makes space for n new entries. Note that we actually allow | |
177 | * the cache to grow beyond CACHE_MAX, but only when we shall | |
178 | * add more RRs to the cache than CACHE_MAX at once. In that | |
179 | * case the cache will be emptied completely otherwise. */ | |
180 | ||
181 | for (;;) { | |
faa133f3 | 182 | _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; |
322345fd LP |
183 | DnsCacheItem *i; |
184 | ||
7e8e0422 | 185 | if (prioq_size(c->by_expiry) <= 0) |
322345fd LP |
186 | break; |
187 | ||
7e8e0422 | 188 | if (prioq_size(c->by_expiry) + add < CACHE_MAX) |
322345fd LP |
189 | break; |
190 | ||
7e8e0422 | 191 | i = prioq_peek(c->by_expiry); |
cbd4560e LP |
192 | assert(i); |
193 | ||
faa133f3 | 194 | /* Take an extra reference to the key so that it |
cbd4560e | 195 | * doesn't go away in the middle of the remove call */ |
7e8e0422 | 196 | key = dns_resource_key_ref(i->key); |
2dda578f | 197 | dns_cache_remove_by_key(c, key); |
322345fd LP |
198 | } |
199 | } | |
200 | ||
201 | void dns_cache_prune(DnsCache *c) { | |
202 | usec_t t = 0; | |
203 | ||
204 | assert(c); | |
205 | ||
206 | /* Remove all entries that are past their TTL */ | |
207 | ||
208 | for (;;) { | |
209 | DnsCacheItem *i; | |
202b76ae | 210 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; |
322345fd | 211 | |
7e8e0422 | 212 | i = prioq_peek(c->by_expiry); |
322345fd LP |
213 | if (!i) |
214 | break; | |
215 | ||
322345fd | 216 | if (t <= 0) |
ba4e0427 | 217 | t = now(CLOCK_BOOTTIME); |
322345fd | 218 | |
7e8e0422 | 219 | if (i->until > t) |
322345fd LP |
220 | break; |
221 | ||
d2579eec | 222 | /* Depending whether this is an mDNS shared entry |
202b76ae ZJS |
223 | * either remove only this one RR or the whole RRset */ |
224 | log_debug("Removing %scache entry for %s (expired "USEC_FMT"s ago)", | |
225 | i->shared_owner ? "shared " : "", | |
226 | dns_resource_key_to_string(i->key, key_str, sizeof key_str), | |
227 | (t - i->until) / USEC_PER_SEC); | |
228 | ||
d2579eec | 229 | if (i->shared_owner) |
39963f11 | 230 | dns_cache_item_unlink_and_free(c, i); |
d2579eec LP |
231 | else { |
232 | _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL; | |
233 | ||
234 | /* Take an extra reference to the key so that it | |
235 | * doesn't go away in the middle of the remove call */ | |
236 | key = dns_resource_key_ref(i->key); | |
2dda578f | 237 | dns_cache_remove_by_key(c, key); |
d2579eec | 238 | } |
322345fd LP |
239 | } |
240 | } | |
241 | ||
242 | static int dns_cache_item_prioq_compare_func(const void *a, const void *b) { | |
322345fd LP |
243 | const DnsCacheItem *x = a, *y = b; |
244 | ||
a0edd02e | 245 | return CMP(x->until, y->until); |
322345fd LP |
246 | } |
247 | ||
623a4c97 | 248 | static int dns_cache_init(DnsCache *c) { |
7e8e0422 LP |
249 | int r; |
250 | ||
623a4c97 LP |
251 | assert(c); |
252 | ||
7e8e0422 LP |
253 | r = prioq_ensure_allocated(&c->by_expiry, dns_cache_item_prioq_compare_func); |
254 | if (r < 0) | |
255 | return r; | |
256 | ||
d5099efc | 257 | r = hashmap_ensure_allocated(&c->by_key, &dns_resource_key_hash_ops); |
7e8e0422 LP |
258 | if (r < 0) |
259 | return r; | |
260 | ||
261 | return r; | |
262 | } | |
263 | ||
264 | static int dns_cache_link_item(DnsCache *c, DnsCacheItem *i) { | |
265 | DnsCacheItem *first; | |
266 | int r; | |
267 | ||
322345fd LP |
268 | assert(c); |
269 | assert(i); | |
322345fd | 270 | |
7e8e0422 LP |
271 | r = prioq_put(c->by_expiry, i, &i->prioq_idx); |
272 | if (r < 0) | |
273 | return r; | |
322345fd | 274 | |
7e8e0422 LP |
275 | first = hashmap_get(c->by_key, i->key); |
276 | if (first) { | |
d7ac0952 | 277 | _unused_ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *k = NULL; |
f57e3cd5 LP |
278 | |
279 | /* Keep a reference to the original key, while we manipulate the list. */ | |
280 | k = dns_resource_key_ref(first->key); | |
281 | ||
282 | /* Now, try to reduce the number of keys we keep */ | |
283 | dns_resource_key_reduce(&first->key, &i->key); | |
284 | ||
285 | if (first->rr) | |
286 | dns_resource_key_reduce(&first->rr->key, &i->key); | |
287 | if (i->rr) | |
288 | dns_resource_key_reduce(&i->rr->key, &i->key); | |
289 | ||
7e8e0422 LP |
290 | LIST_PREPEND(by_key, first, i); |
291 | assert_se(hashmap_replace(c->by_key, first->key, first) >= 0); | |
292 | } else { | |
293 | r = hashmap_put(c->by_key, i->key, i); | |
294 | if (r < 0) { | |
295 | prioq_remove(c->by_expiry, i, &i->prioq_idx); | |
296 | return r; | |
297 | } | |
322345fd LP |
298 | } |
299 | ||
7e8e0422 | 300 | return 0; |
322345fd LP |
301 | } |
302 | ||
faa133f3 | 303 | static DnsCacheItem* dns_cache_get(DnsCache *c, DnsResourceRecord *rr) { |
faa133f3 LP |
304 | assert(c); |
305 | assert(rr); | |
306 | ||
03677889 | 307 | LIST_FOREACH(by_key, i, (DnsCacheItem*) hashmap_get(c->by_key, rr->key)) |
3ef77d04 | 308 | if (i->rr && dns_resource_record_equal(i->rr, rr) > 0) |
faa133f3 LP |
309 | return i; |
310 | ||
311 | return NULL; | |
312 | } | |
313 | ||
b974211a LP |
314 | static usec_t calculate_until( |
315 | DnsResourceRecord *rr, | |
316 | uint32_t min_ttl, | |
317 | uint32_t nsec_ttl, | |
318 | usec_t timestamp, | |
319 | bool use_soa_minimum) { | |
320 | ||
b211dc7e LP |
321 | uint32_t ttl; |
322 | usec_t u; | |
ee3d6aff LP |
323 | |
324 | assert(rr); | |
325 | ||
b974211a | 326 | ttl = MIN(min_ttl, nsec_ttl); |
b211dc7e | 327 | if (rr->key->type == DNS_TYPE_SOA && use_soa_minimum) { |
3b7006cb LP |
328 | /* If this is a SOA RR, and it is requested, clamp to the SOA's minimum field. This is used |
329 | * when we do negative caching, to determine the TTL for the negative caching entry. See RFC | |
330 | * 2308, Section 5. */ | |
ee3d6aff | 331 | |
b211dc7e LP |
332 | if (ttl > rr->soa.minimum) |
333 | ttl = rr->soa.minimum; | |
334 | } | |
335 | ||
336 | u = ttl * USEC_PER_SEC; | |
337 | if (u > CACHE_TTL_MAX_USEC) | |
338 | u = CACHE_TTL_MAX_USEC; | |
ee3d6aff LP |
339 | |
340 | if (rr->expiry != USEC_INFINITY) { | |
341 | usec_t left; | |
342 | ||
3b7006cb | 343 | /* Make use of the DNSSEC RRSIG expiry info, if we have it */ |
ee3d6aff LP |
344 | |
345 | left = LESS_BY(rr->expiry, now(CLOCK_REALTIME)); | |
b211dc7e LP |
346 | if (u > left) |
347 | u = left; | |
ee3d6aff LP |
348 | } |
349 | ||
b211dc7e | 350 | return timestamp + u; |
ee3d6aff LP |
351 | } |
352 | ||
d2579eec LP |
353 | static void dns_cache_item_update_positive( |
354 | DnsCache *c, | |
355 | DnsCacheItem *i, | |
356 | DnsResourceRecord *rr, | |
775ae354 LP |
357 | DnsAnswer *answer, |
358 | DnsPacket *full_packet, | |
b974211a | 359 | uint32_t min_ttl, |
6f055e43 | 360 | uint64_t query_flags, |
d2579eec | 361 | bool shared_owner, |
775ae354 | 362 | DnssecResult dnssec_result, |
d2579eec | 363 | usec_t timestamp, |
06d12754 | 364 | int ifindex, |
d2579eec LP |
365 | int owner_family, |
366 | const union in_addr_union *owner_address) { | |
367 | ||
7e8e0422 LP |
368 | assert(c); |
369 | assert(i); | |
370 | assert(rr); | |
d2579eec | 371 | assert(owner_address); |
7e8e0422 LP |
372 | |
373 | i->type = DNS_CACHE_POSITIVE; | |
374 | ||
ece174c5 | 375 | if (!i->by_key_prev) |
7e8e0422 LP |
376 | /* We are the first item in the list, we need to |
377 | * update the key used in the hashmap */ | |
378 | ||
379 | assert_se(hashmap_replace(c->by_key, rr->key, i) >= 0); | |
7e8e0422 | 380 | |
7daeec3e | 381 | DNS_RR_REPLACE(i->rr, dns_resource_record_ref(rr)); |
7e8e0422 | 382 | |
57318441 | 383 | DNS_RESOURCE_KEY_REPLACE(i->key, dns_resource_key_ref(rr->key)); |
7e8e0422 | 384 | |
1117a960 | 385 | DNS_ANSWER_REPLACE(i->answer, dns_answer_ref(answer)); |
775ae354 | 386 | |
899e3cda | 387 | DNS_PACKET_REPLACE(i->full_packet, dns_packet_ref(full_packet)); |
775ae354 | 388 | |
b974211a | 389 | i->until = calculate_until(rr, min_ttl, UINT32_MAX, timestamp, false); |
6f055e43 | 390 | i->query_flags = query_flags & CACHEABLE_QUERY_FLAGS; |
d2579eec | 391 | i->shared_owner = shared_owner; |
775ae354 | 392 | i->dnssec_result = dnssec_result; |
d2579eec | 393 | |
06d12754 LP |
394 | i->ifindex = ifindex; |
395 | ||
d2579eec LP |
396 | i->owner_family = owner_family; |
397 | i->owner_address = *owner_address; | |
7e8e0422 LP |
398 | |
399 | prioq_reshuffle(c->by_expiry, i, &i->prioq_idx); | |
400 | } | |
401 | ||
a4076574 LP |
402 | static int dns_cache_put_positive( |
403 | DnsCache *c, | |
a78049fc | 404 | DnsProtocol protocol, |
a4076574 | 405 | DnsResourceRecord *rr, |
775ae354 LP |
406 | DnsAnswer *answer, |
407 | DnsPacket *full_packet, | |
6f055e43 | 408 | uint64_t query_flags, |
d2579eec | 409 | bool shared_owner, |
775ae354 | 410 | DnssecResult dnssec_result, |
a4076574 | 411 | usec_t timestamp, |
06d12754 | 412 | int ifindex, |
a4076574 LP |
413 | int owner_family, |
414 | const union in_addr_union *owner_address) { | |
415 | ||
518a66ec | 416 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; |
b974211a LP |
417 | DnsCacheItem *existing; |
418 | uint32_t min_ttl; | |
f6d80c36 | 419 | int r; |
322345fd LP |
420 | |
421 | assert(c); | |
422 | assert(rr); | |
a4076574 | 423 | assert(owner_address); |
322345fd | 424 | |
222148b6 LP |
425 | /* Never cache pseudo RRs */ |
426 | if (dns_class_is_pseudo(rr->key->class)) | |
427 | return 0; | |
428 | if (dns_type_is_pseudo(rr->key->type)) | |
429 | return 0; | |
430 | ||
b974211a LP |
431 | /* Determine the minimal TTL of all RRs in the answer plus the one by the main RR we are supposed to |
432 | * cache. Since we cache whole answers to questions we should never return answers where only some | |
433 | * RRs are still valid, hence find the lowest here */ | |
18da9364 | 434 | min_ttl = MIN(dns_answer_min_ttl(answer), rr->ttl); |
b974211a | 435 | |
f5bdeb01 | 436 | /* New TTL is 0? Delete this specific entry... */ |
b974211a | 437 | if (min_ttl <= 0) { |
f6d80c36 | 438 | r = dns_cache_remove_by_rr(c, rr); |
202b76ae | 439 | log_debug("%s: %s", |
f6d80c36 | 440 | r > 0 ? "Removed zero TTL entry from cache" : "Not caching zero TTL cache entry", |
18665d1f | 441 | dns_resource_key_to_string(rr->key, key_str, sizeof key_str)); |
322345fd LP |
442 | return 0; |
443 | } | |
444 | ||
13e785f7 | 445 | /* Entry exists already? Update TTL, timestamp and owner */ |
322345fd LP |
446 | existing = dns_cache_get(c, rr); |
447 | if (existing) { | |
d2579eec LP |
448 | dns_cache_item_update_positive( |
449 | c, | |
450 | existing, | |
451 | rr, | |
775ae354 LP |
452 | answer, |
453 | full_packet, | |
b974211a | 454 | min_ttl, |
6f055e43 | 455 | query_flags, |
d2579eec | 456 | shared_owner, |
775ae354 | 457 | dnssec_result, |
d2579eec | 458 | timestamp, |
06d12754 | 459 | ifindex, |
d2579eec LP |
460 | owner_family, |
461 | owner_address); | |
322345fd LP |
462 | return 0; |
463 | } | |
464 | ||
a78049fc YW |
465 | /* Do not cache mDNS goodbye packet. */ |
466 | if (protocol == DNS_PROTOCOL_MDNS && rr->ttl <= 1) | |
467 | return 0; | |
468 | ||
322345fd | 469 | /* Otherwise, add the new RR */ |
623a4c97 | 470 | r = dns_cache_init(c); |
322345fd LP |
471 | if (r < 0) |
472 | return r; | |
473 | ||
7e8e0422 LP |
474 | dns_cache_make_space(c, 1); |
475 | ||
f69ea167 | 476 | _cleanup_(dns_cache_item_freep) DnsCacheItem *i = new(DnsCacheItem, 1); |
7e8e0422 LP |
477 | if (!i) |
478 | return -ENOMEM; | |
479 | ||
1ed31408 LP |
480 | *i = (DnsCacheItem) { |
481 | .type = DNS_CACHE_POSITIVE, | |
482 | .key = dns_resource_key_ref(rr->key), | |
483 | .rr = dns_resource_record_ref(rr), | |
775ae354 LP |
484 | .answer = dns_answer_ref(answer), |
485 | .full_packet = dns_packet_ref(full_packet), | |
b974211a | 486 | .until = calculate_until(rr, min_ttl, UINT32_MAX, timestamp, false), |
6f055e43 | 487 | .query_flags = query_flags & CACHEABLE_QUERY_FLAGS, |
1ed31408 | 488 | .shared_owner = shared_owner, |
775ae354 | 489 | .dnssec_result = dnssec_result, |
1ed31408 LP |
490 | .ifindex = ifindex, |
491 | .owner_family = owner_family, | |
492 | .owner_address = *owner_address, | |
493 | .prioq_idx = PRIOQ_IDX_NULL, | |
494 | }; | |
7e8e0422 LP |
495 | |
496 | r = dns_cache_link_item(c, i); | |
497 | if (r < 0) | |
498 | return r; | |
499 | ||
84dbb3fd ZJS |
500 | log_debug("Added positive %s %s%s cache entry for %s "USEC_FMT"s on %s/%s/%s", |
501 | FLAGS_SET(i->query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unauthenticated", | |
502 | FLAGS_SET(i->query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential", | |
503 | i->shared_owner ? " shared" : "", | |
504 | dns_resource_key_to_string(i->key, key_str, sizeof key_str), | |
505 | (i->until - timestamp) / USEC_PER_SEC, | |
506 | i->ifindex == 0 ? "*" : FORMAT_IFNAME(i->ifindex), | |
507 | af_to_name_short(i->owner_family), | |
508 | IN_ADDR_TO_STRING(i->owner_family, &i->owner_address)); | |
6b34a6c9 | 509 | |
f69ea167 | 510 | TAKE_PTR(i); |
7e8e0422 LP |
511 | return 0; |
512 | } | |
513 | ||
a4076574 LP |
514 | static int dns_cache_put_negative( |
515 | DnsCache *c, | |
516 | DnsResourceKey *key, | |
517 | int rcode, | |
775ae354 LP |
518 | DnsAnswer *answer, |
519 | DnsPacket *full_packet, | |
6f055e43 | 520 | uint64_t query_flags, |
775ae354 | 521 | DnssecResult dnssec_result, |
d3760be0 | 522 | uint32_t nsec_ttl, |
a4076574 | 523 | usec_t timestamp, |
b211dc7e | 524 | DnsResourceRecord *soa, |
a4076574 LP |
525 | int owner_family, |
526 | const union in_addr_union *owner_address) { | |
527 | ||
7e8e0422 | 528 | _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL; |
202b76ae | 529 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; |
7e8e0422 LP |
530 | int r; |
531 | ||
532 | assert(c); | |
533 | assert(key); | |
a4076574 | 534 | assert(owner_address); |
7e8e0422 | 535 | |
98b6be77 LP |
536 | /* Never cache pseudo RR keys. DNS_TYPE_ANY is particularly |
537 | * important to filter out as we use this as a pseudo-type for | |
538 | * NXDOMAIN entries */ | |
222148b6 | 539 | if (dns_class_is_pseudo(key->class)) |
ddf16339 | 540 | return 0; |
c33be4a6 | 541 | if (dns_type_is_pseudo(key->type)) |
ddf16339 | 542 | return 0; |
222148b6 | 543 | |
201d9958 LP |
544 | if (IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) { |
545 | if (!soa) | |
546 | return 0; | |
ddf16339 | 547 | |
201d9958 LP |
548 | /* For negative replies, check if we have a TTL of a SOA */ |
549 | if (nsec_ttl <= 0 || soa->soa.minimum <= 0 || soa->ttl <= 0) { | |
550 | log_debug("Not caching negative entry with zero SOA/NSEC/NSEC3 TTL: %s", | |
551 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
552 | return 0; | |
553 | } | |
554 | } else if (rcode != DNS_RCODE_SERVFAIL) | |
7e8e0422 LP |
555 | return 0; |
556 | ||
623a4c97 | 557 | r = dns_cache_init(c); |
322345fd LP |
558 | if (r < 0) |
559 | return r; | |
560 | ||
561 | dns_cache_make_space(c, 1); | |
562 | ||
1ed31408 | 563 | i = new(DnsCacheItem, 1); |
322345fd LP |
564 | if (!i) |
565 | return -ENOMEM; | |
566 | ||
1ed31408 LP |
567 | *i = (DnsCacheItem) { |
568 | .type = | |
569 | rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA : | |
570 | rcode == DNS_RCODE_NXDOMAIN ? DNS_CACHE_NXDOMAIN : DNS_CACHE_RCODE, | |
6f055e43 | 571 | .query_flags = query_flags & CACHEABLE_QUERY_FLAGS, |
775ae354 | 572 | .dnssec_result = dnssec_result, |
1ed31408 LP |
573 | .owner_family = owner_family, |
574 | .owner_address = *owner_address, | |
575 | .prioq_idx = PRIOQ_IDX_NULL, | |
576 | .rcode = rcode, | |
775ae354 LP |
577 | .answer = dns_answer_ref(answer), |
578 | .full_packet = dns_packet_ref(full_packet), | |
1ed31408 | 579 | }; |
322345fd | 580 | |
b974211a LP |
581 | /* Determine how long to cache this entry. In case we have some RRs in the answer use the lowest TTL |
582 | * of any of them. Typically that's the SOA's TTL, which is OK, but could possibly be lower because | |
583 | * of some other RR. Let's better take the lowest option here than a needlessly high one */ | |
eaa26948 LP |
584 | i->until = |
585 | i->type == DNS_CACHE_RCODE ? timestamp + CACHE_TTL_STRANGE_RCODE_USEC : | |
b974211a | 586 | calculate_until(soa, dns_answer_min_ttl(answer), nsec_ttl, timestamp, true); |
eaa26948 | 587 | |
71e13669 TG |
588 | if (i->type == DNS_CACHE_NXDOMAIN) { |
589 | /* NXDOMAIN entries should apply equally to all types, so we use ANY as | |
590 | * a pseudo type for this purpose here. */ | |
1c02e7ba | 591 | i->key = dns_resource_key_new(key->class, DNS_TYPE_ANY, dns_resource_key_name(key)); |
71e13669 TG |
592 | if (!i->key) |
593 | return -ENOMEM; | |
a5444ca9 LP |
594 | |
595 | /* Make sure to remove any previous entry for this | |
596 | * specific ANY key. (For non-ANY keys the cache data | |
597 | * is already cleared by the caller.) Note that we | |
598 | * don't bother removing positive or NODATA cache | |
599 | * items in this case, because it would either be slow | |
600 | * or require explicit indexing by name */ | |
601 | dns_cache_remove_by_key(c, key); | |
71e13669 TG |
602 | } else |
603 | i->key = dns_resource_key_ref(key); | |
604 | ||
7e8e0422 | 605 | r = dns_cache_link_item(c, i); |
322345fd LP |
606 | if (r < 0) |
607 | return r; | |
608 | ||
202b76ae | 609 | log_debug("Added %s cache entry for %s "USEC_FMT"s", |
201d9958 | 610 | dns_cache_item_type_to_string(i), |
202b76ae ZJS |
611 | dns_resource_key_to_string(i->key, key_str, sizeof key_str), |
612 | (i->until - timestamp) / USEC_PER_SEC); | |
6b34a6c9 | 613 | |
322345fd | 614 | i = NULL; |
322345fd LP |
615 | return 0; |
616 | } | |
617 | ||
d2579eec LP |
618 | static void dns_cache_remove_previous( |
619 | DnsCache *c, | |
620 | DnsResourceKey *key, | |
621 | DnsAnswer *answer) { | |
622 | ||
623 | DnsResourceRecord *rr; | |
624 | DnsAnswerFlags flags; | |
625 | ||
626 | assert(c); | |
627 | ||
628 | /* First, if we were passed a key (i.e. on LLMNR/DNS, but | |
629 | * not on mDNS), delete all matching old RRs, so that we only | |
630 | * keep complete by_key in place. */ | |
631 | if (key) | |
2dda578f | 632 | dns_cache_remove_by_key(c, key); |
d2579eec LP |
633 | |
634 | /* Second, flush all entries matching the answer, unless this | |
635 | * is an RR that is explicitly marked to be "shared" between | |
636 | * peers (i.e. mDNS RRs without the flush-cache bit set). */ | |
637 | DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) { | |
638 | if ((flags & DNS_ANSWER_CACHEABLE) == 0) | |
639 | continue; | |
640 | ||
641 | if (flags & DNS_ANSWER_SHARED_OWNER) | |
642 | continue; | |
643 | ||
2dda578f | 644 | dns_cache_remove_by_key(c, rr->key); |
d2579eec LP |
645 | } |
646 | } | |
647 | ||
f6618dcd LP |
648 | static bool rr_eligible(DnsResourceRecord *rr) { |
649 | assert(rr); | |
650 | ||
651 | /* When we see an NSEC/NSEC3 RR, we'll only cache it if it is from the lower zone, not the upper zone, since | |
652 | * that's where the interesting bits are (with exception of DS RRs). Of course, this way we cannot derive DS | |
653 | * existence from any cached NSEC/NSEC3, but that should be fine. */ | |
654 | ||
655 | switch (rr->key->type) { | |
656 | ||
657 | case DNS_TYPE_NSEC: | |
658 | return !bitmap_isset(rr->nsec.types, DNS_TYPE_NS) || | |
659 | bitmap_isset(rr->nsec.types, DNS_TYPE_SOA); | |
660 | ||
661 | case DNS_TYPE_NSEC3: | |
662 | return !bitmap_isset(rr->nsec3.types, DNS_TYPE_NS) || | |
663 | bitmap_isset(rr->nsec3.types, DNS_TYPE_SOA); | |
664 | ||
665 | default: | |
666 | return true; | |
667 | } | |
668 | } | |
669 | ||
a4076574 LP |
670 | int dns_cache_put( |
671 | DnsCache *c, | |
37d7a7d9 | 672 | DnsCacheMode cache_mode, |
a78049fc | 673 | DnsProtocol protocol, |
8e427d9b | 674 | DnsResourceKey *key, |
a4076574 LP |
675 | int rcode, |
676 | DnsAnswer *answer, | |
775ae354 | 677 | DnsPacket *full_packet, |
6f055e43 | 678 | uint64_t query_flags, |
775ae354 | 679 | DnssecResult dnssec_result, |
d3760be0 | 680 | uint32_t nsec_ttl, |
a4076574 LP |
681 | int owner_family, |
682 | const union in_addr_union *owner_address) { | |
683 | ||
9c5fcb8a | 684 | DnsResourceRecord *soa = NULL; |
201d9958 | 685 | bool weird_rcode = false; |
9c5fcb8a | 686 | DnsAnswerItem *item; |
105e1512 LP |
687 | DnsAnswerFlags flags; |
688 | unsigned cache_keys; | |
43475909 | 689 | usec_t timestamp; |
9c5fcb8a | 690 | int r; |
322345fd LP |
691 | |
692 | assert(c); | |
d2579eec | 693 | assert(owner_address); |
322345fd | 694 | |
d2579eec | 695 | dns_cache_remove_previous(c, key, answer); |
0ec7c46e | 696 | |
201d9958 LP |
697 | /* We only care for positive replies and NXDOMAINs, on all other replies we will simply flush the respective |
698 | * entries, and that's it. (Well, with one further exception: since some DNS zones (akamai!) return SERVFAIL | |
699 | * consistently for some lookups, and forwarders tend to propagate that we'll cache that too, but only for a | |
700 | * short time.) */ | |
6ff01a0d | 701 | |
201d9958 | 702 | if (IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN)) { |
77db3cae | 703 | if (dns_answer_isempty(answer)) { |
e55fc5b0 YW |
704 | if (key) { |
705 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; | |
201d9958 | 706 | |
e55fc5b0 YW |
707 | log_debug("Not caching negative entry without a SOA record: %s", |
708 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
709 | } | |
775ae354 | 710 | |
201d9958 LP |
711 | return 0; |
712 | } | |
713 | ||
714 | } else { | |
715 | /* Only cache SERVFAIL as "weird" rcode for now. We can add more later, should that turn out to be | |
716 | * beneficial. */ | |
717 | if (rcode != DNS_RCODE_SERVFAIL) | |
718 | return 0; | |
719 | ||
720 | weird_rcode = true; | |
c3cb6dc2 | 721 | } |
0ec7c46e | 722 | |
ea207b63 | 723 | cache_keys = dns_answer_size(answer); |
8e427d9b | 724 | if (key) |
313cefa1 | 725 | cache_keys++; |
eff91ee0 | 726 | |
7e8e0422 | 727 | /* Make some space for our new entries */ |
eff91ee0 | 728 | dns_cache_make_space(c, cache_keys); |
322345fd | 729 | |
ba4e0427 | 730 | timestamp = now(CLOCK_BOOTTIME); |
322345fd | 731 | |
7e8e0422 | 732 | /* Second, add in positive entries for all contained RRs */ |
9c5fcb8a | 733 | DNS_ANSWER_FOREACH_ITEM(item, answer) { |
775ae354 LP |
734 | int primary = false; |
735 | ||
736 | if (!FLAGS_SET(item->flags, DNS_ANSWER_CACHEABLE) || | |
9c5fcb8a | 737 | !rr_eligible(item->rr)) |
f6618dcd LP |
738 | continue; |
739 | ||
775ae354 LP |
740 | if (key) { |
741 | /* We store the auxiliary RRs and packet data in the cache only if they were in | |
742 | * direct response to the original query. If we cache an RR we also received, and | |
743 | * that is just auxiliary information we can't use the data, hence don't. */ | |
744 | ||
745 | primary = dns_resource_key_match_rr(key, item->rr, NULL); | |
746 | if (primary < 0) | |
747 | return primary; | |
748 | if (primary == 0) { | |
749 | primary = dns_resource_key_match_cname_or_dname(key, item->rr->key, NULL); | |
750 | if (primary < 0) | |
751 | return primary; | |
752 | } | |
753 | } | |
754 | ||
755 | if (!primary) { | |
756 | DnsCacheItem *first; | |
757 | ||
758 | /* Do not replace existing cache items for primary lookups with non-primary | |
759 | * data. After all the primary lookup data is a lot more useful. */ | |
760 | first = hashmap_get(c->by_key, item->rr->key); | |
761 | if (first && DNS_CACHE_ITEM_IS_PRIMARY(first)) | |
762 | return 0; | |
763 | } | |
764 | ||
d2579eec LP |
765 | r = dns_cache_put_positive( |
766 | c, | |
a78049fc | 767 | protocol, |
9c5fcb8a | 768 | item->rr, |
775ae354 LP |
769 | primary ? answer : NULL, |
770 | primary ? full_packet : NULL, | |
43fc4baa LP |
771 | ((item->flags & DNS_ANSWER_AUTHENTICATED) ? SD_RESOLVED_AUTHENTICATED : 0) | |
772 | (query_flags & SD_RESOLVED_CONFIDENTIAL), | |
9c5fcb8a | 773 | item->flags & DNS_ANSWER_SHARED_OWNER, |
775ae354 | 774 | dnssec_result, |
d2579eec | 775 | timestamp, |
9c5fcb8a | 776 | item->ifindex, |
775ae354 LP |
777 | owner_family, |
778 | owner_address); | |
7e8e0422 LP |
779 | if (r < 0) |
780 | goto fail; | |
781 | } | |
782 | ||
d2579eec | 783 | if (!key) /* mDNS doesn't know negative caching, really */ |
eff91ee0 DM |
784 | return 0; |
785 | ||
8e427d9b | 786 | /* Third, add in negative entries if the key has no RR */ |
105e1512 | 787 | r = dns_answer_match_key(answer, key, NULL); |
8e427d9b TG |
788 | if (r < 0) |
789 | goto fail; | |
790 | if (r > 0) | |
791 | return 0; | |
7e8e0422 | 792 | |
3b7006cb LP |
793 | /* But not if it has a matching CNAME/DNAME (the negative caching will be done on the canonical name, |
794 | * not on the alias) */ | |
105e1512 | 795 | r = dns_answer_find_cname_or_dname(answer, key, NULL, NULL); |
5d27351f TG |
796 | if (r < 0) |
797 | goto fail; | |
798 | if (r > 0) | |
799 | return 0; | |
800 | ||
201d9958 LP |
801 | /* See https://tools.ietf.org/html/rfc2308, which say that a matching SOA record in the packet is used to |
802 | * enable negative caching. We apply one exception though: if we are about to cache a weird rcode we do so | |
803 | * regardless of a SOA. */ | |
fd009cd8 | 804 | r = dns_answer_find_soa(answer, key, &soa, &flags); |
8e427d9b TG |
805 | if (r < 0) |
806 | goto fail; | |
201d9958 | 807 | if (r == 0 && !weird_rcode) |
fd009cd8 | 808 | return 0; |
201d9958 | 809 | if (r > 0) { |
3b7006cb | 810 | /* Refuse using the SOA data if it is unsigned, but the key is signed */ |
6f055e43 LP |
811 | if (FLAGS_SET(query_flags, SD_RESOLVED_AUTHENTICATED) && |
812 | (flags & DNS_ANSWER_AUTHENTICATED) == 0) | |
201d9958 LP |
813 | return 0; |
814 | } | |
fd009cd8 | 815 | |
37d7a7d9 JN |
816 | if (cache_mode == DNS_CACHE_MODE_NO_NEGATIVE) { |
817 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; | |
818 | log_debug("Not caching negative entry for: %s, cache mode set to no-negative", | |
b12058e8 | 819 | dns_resource_key_to_string(key, key_str, sizeof key_str)); |
37d7a7d9 JN |
820 | return 0; |
821 | } | |
822 | ||
d2579eec LP |
823 | r = dns_cache_put_negative( |
824 | c, | |
825 | key, | |
826 | rcode, | |
775ae354 LP |
827 | answer, |
828 | full_packet, | |
6f055e43 | 829 | query_flags, |
775ae354 | 830 | dnssec_result, |
d3760be0 | 831 | nsec_ttl, |
d2579eec | 832 | timestamp, |
b211dc7e | 833 | soa, |
d2579eec | 834 | owner_family, owner_address); |
8e427d9b TG |
835 | if (r < 0) |
836 | goto fail; | |
322345fd LP |
837 | |
838 | return 0; | |
839 | ||
840 | fail: | |
841 | /* Adding all RRs failed. Let's clean up what we already | |
842 | * added, just in case */ | |
843 | ||
8e427d9b | 844 | if (key) |
2dda578f | 845 | dns_cache_remove_by_key(c, key); |
eff91ee0 | 846 | |
9c5fcb8a LP |
847 | DNS_ANSWER_FOREACH_ITEM(item, answer) { |
848 | if ((item->flags & DNS_ANSWER_CACHEABLE) == 0) | |
105e1512 LP |
849 | continue; |
850 | ||
9c5fcb8a | 851 | dns_cache_remove_by_key(c, item->rr->key); |
105e1512 | 852 | } |
322345fd LP |
853 | |
854 | return r; | |
855 | } | |
856 | ||
37da8931 | 857 | static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, DnsResourceKey *k) { |
58db254a LP |
858 | DnsCacheItem *i; |
859 | const char *n; | |
860 | int r; | |
5643c00a TG |
861 | |
862 | assert(c); | |
863 | assert(k); | |
864 | ||
58db254a LP |
865 | /* If we hit some OOM error, or suchlike, we don't care too |
866 | * much, after all this is just a cache */ | |
867 | ||
5643c00a | 868 | i = hashmap_get(c->by_key, k); |
d7ce6c94 | 869 | if (i) |
37da8931 LP |
870 | return i; |
871 | ||
1c02e7ba | 872 | n = dns_resource_key_name(k); |
37da8931 | 873 | |
71e13669 TG |
874 | /* Check if we have an NXDOMAIN cache item for the name, notice that we use |
875 | * the pseudo-type ANY for NXDOMAIN cache items. */ | |
876 | i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_ANY, n)); | |
877 | if (i && i->type == DNS_CACHE_NXDOMAIN) | |
878 | return i; | |
879 | ||
d3c7e913 | 880 | if (dns_type_may_redirect(k->type)) { |
d7ce6c94 TG |
881 | /* Check if we have a CNAME record instead */ |
882 | i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_CNAME, n)); | |
3740146a | 883 | if (i && i->type != DNS_CACHE_NODATA) |
d7ce6c94 | 884 | return i; |
5643c00a | 885 | |
d7ce6c94 TG |
886 | /* OK, let's look for cached DNAME records. */ |
887 | for (;;) { | |
d7ce6c94 TG |
888 | if (isempty(n)) |
889 | return NULL; | |
890 | ||
891 | i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_DNAME, n)); | |
3740146a | 892 | if (i && i->type != DNS_CACHE_NODATA) |
d7ce6c94 | 893 | return i; |
58db254a | 894 | |
d7ce6c94 | 895 | /* Jump one label ahead */ |
950b692b | 896 | r = dns_name_parent(&n); |
d7ce6c94 TG |
897 | if (r <= 0) |
898 | return NULL; | |
899 | } | |
900 | } | |
5643c00a | 901 | |
950b692b | 902 | if (k->type != DNS_TYPE_NSEC) { |
d7ce6c94 TG |
903 | /* Check if we have an NSEC record instead for the name. */ |
904 | i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_NSEC, n)); | |
58db254a LP |
905 | if (i) |
906 | return i; | |
58db254a LP |
907 | } |
908 | ||
909 | return NULL; | |
5643c00a TG |
910 | } |
911 | ||
775ae354 LP |
912 | static int answer_add_clamp_ttl( |
913 | DnsAnswer **answer, | |
914 | DnsResourceRecord *rr, | |
915 | int ifindex, | |
916 | DnsAnswerFlags answer_flags, | |
917 | DnsResourceRecord *rrsig, | |
918 | uint64_t query_flags, | |
919 | usec_t until, | |
920 | usec_t current) { | |
921 | ||
922 | _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *patched = NULL, *patched_rrsig = NULL; | |
923 | int r; | |
924 | ||
925 | assert(answer); | |
926 | assert(rr); | |
927 | ||
928 | if (FLAGS_SET(query_flags, SD_RESOLVED_CLAMP_TTL)) { | |
a1acc6e3 LP |
929 | uint32_t left_ttl; |
930 | ||
e7d48709 ZJS |
931 | assert(current > 0); |
932 | ||
a1acc6e3 LP |
933 | /* Let's determine how much time is left for this cache entry. Note that we round down, but |
934 | * clamp this to be 1s at minimum, since we usually want records to remain cached better too | |
935 | * short a time than too long a time, but otoh don't want to return 0 ever, since that has | |
936 | * special semantics in various contexts — in particular in mDNS */ | |
937 | ||
938 | left_ttl = MAX(1U, LESS_BY(until, current) / USEC_PER_SEC); | |
939 | ||
775ae354 LP |
940 | patched = dns_resource_record_ref(rr); |
941 | ||
a1acc6e3 | 942 | r = dns_resource_record_clamp_ttl(&patched, left_ttl); |
775ae354 LP |
943 | if (r < 0) |
944 | return r; | |
945 | ||
946 | rr = patched; | |
947 | ||
948 | if (rrsig) { | |
949 | patched_rrsig = dns_resource_record_ref(rrsig); | |
a1acc6e3 | 950 | r = dns_resource_record_clamp_ttl(&patched_rrsig, left_ttl); |
775ae354 LP |
951 | if (r < 0) |
952 | return r; | |
953 | ||
954 | rrsig = patched_rrsig; | |
955 | } | |
956 | } | |
957 | ||
958 | r = dns_answer_add_extend(answer, rr, ifindex, answer_flags, rrsig); | |
959 | if (r < 0) | |
960 | return r; | |
961 | ||
962 | return 0; | |
963 | } | |
964 | ||
965 | int dns_cache_lookup( | |
966 | DnsCache *c, | |
967 | DnsResourceKey *key, | |
968 | uint64_t query_flags, | |
969 | int *ret_rcode, | |
970 | DnsAnswer **ret_answer, | |
971 | DnsPacket **ret_full_packet, | |
6f055e43 | 972 | uint64_t *ret_query_flags, |
775ae354 LP |
973 | DnssecResult *ret_dnssec_result) { |
974 | ||
975 | _cleanup_(dns_packet_unrefp) DnsPacket *full_packet = NULL; | |
faa133f3 | 976 | _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; |
202b76ae | 977 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; |
f52e61da | 978 | unsigned n = 0; |
322345fd | 979 | int r; |
7e8e0422 | 980 | bool nxdomain = false; |
03677889 | 981 | DnsCacheItem *first, *nsec = NULL; |
43fc4baa | 982 | bool have_authenticated = false, have_non_authenticated = false, have_confidential = false, have_non_confidential = false; |
e7d48709 | 983 | usec_t current = 0; |
201d9958 | 984 | int found_rcode = -1; |
775ae354 LP |
985 | DnssecResult dnssec_result = -1; |
986 | int have_dnssec_result = -1; | |
322345fd LP |
987 | |
988 | assert(c); | |
f52e61da | 989 | assert(key); |
322345fd | 990 | |
202b76ae | 991 | if (key->type == DNS_TYPE_ANY || key->class == DNS_CLASS_ANY) { |
775ae354 LP |
992 | /* If we have ANY lookups we don't use the cache, so that the caller refreshes via the |
993 | * network. */ | |
322345fd | 994 | |
202b76ae ZJS |
995 | log_debug("Ignoring cache for ANY lookup: %s", |
996 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
775ae354 | 997 | goto miss; |
f52e61da | 998 | } |
6b34a6c9 | 999 | |
37da8931 | 1000 | first = dns_cache_get_by_key_follow_cname_dname_nsec(c, key); |
f52e61da LP |
1001 | if (!first) { |
1002 | /* If one question cannot be answered we need to refresh */ | |
ddf16339 | 1003 | |
202b76ae ZJS |
1004 | log_debug("Cache miss for %s", |
1005 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
775ae354 LP |
1006 | goto miss; |
1007 | } | |
6b34a6c9 | 1008 | |
e7d48709 ZJS |
1009 | if (FLAGS_SET(query_flags, SD_RESOLVED_CLAMP_TTL)) { |
1010 | /* 'current' is always passed to answer_add_clamp_ttl(), but is only used conditionally. | |
1011 | * We'll do the same assert there to make sure that it was initialized properly. */ | |
ba4e0427 | 1012 | current = now(CLOCK_BOOTTIME); |
e7d48709 ZJS |
1013 | assert(current > 0); |
1014 | } | |
a150ff5e | 1015 | |
775ae354 LP |
1016 | LIST_FOREACH(by_key, j, first) { |
1017 | /* If the caller doesn't allow us to answer questions from cache data learned from | |
1018 | * "side-effect", skip this entry. */ | |
1019 | if (FLAGS_SET(query_flags, SD_RESOLVED_REQUIRE_PRIMARY) && | |
1020 | !DNS_CACHE_ITEM_IS_PRIMARY(j)) { | |
1021 | log_debug("Primary answer was requested for cache lookup for %s, which we don't have.", | |
1022 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
2d4a4e14 | 1023 | |
775ae354 LP |
1024 | goto miss; |
1025 | } | |
6b34a6c9 | 1026 | |
775ae354 LP |
1027 | if (j->type == DNS_CACHE_NXDOMAIN) |
1028 | nxdomain = true; | |
1029 | else if (j->type == DNS_CACHE_RCODE) | |
1030 | found_rcode = j->rcode; | |
1031 | else if (j->rr) { | |
37da8931 | 1032 | if (j->rr->key->type == DNS_TYPE_NSEC) |
931851e8 LP |
1033 | nsec = j; |
1034 | ||
f52e61da | 1035 | n++; |
775ae354 | 1036 | } |
931851e8 | 1037 | |
6f055e43 | 1038 | if (FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED)) |
931851e8 LP |
1039 | have_authenticated = true; |
1040 | else | |
1041 | have_non_authenticated = true; | |
775ae354 | 1042 | |
43fc4baa LP |
1043 | if (FLAGS_SET(j->query_flags, SD_RESOLVED_CONFIDENTIAL)) |
1044 | have_confidential = true; | |
1045 | else | |
1046 | have_non_confidential = true; | |
1047 | ||
775ae354 LP |
1048 | if (j->dnssec_result < 0) { |
1049 | have_dnssec_result = false; /* an entry without dnssec result? then invalidate things for good */ | |
1050 | dnssec_result = _DNSSEC_RESULT_INVALID; | |
1051 | } else if (have_dnssec_result < 0) { | |
1052 | have_dnssec_result = true; /* So far no result seen, let's pick this one up */ | |
1053 | dnssec_result = j->dnssec_result; | |
1054 | } else if (have_dnssec_result > 0 && j->dnssec_result != dnssec_result) { | |
1055 | have_dnssec_result = false; /* conflicting result seen? then invalidate for good */ | |
1056 | dnssec_result = _DNSSEC_RESULT_INVALID; | |
1057 | } | |
1058 | ||
1059 | /* Append the answer RRs to our answer. Ideally we have the answer object, which we | |
1060 | * preferably use. But if the cached entry was generated as "side-effect" of a reply, | |
1061 | * i.e. from validated auxiliary records rather than from the main reply, then we use the | |
1062 | * individual RRs only instead. */ | |
1063 | if (j->answer) { | |
1064 | ||
1065 | /* Minor optimization, if the full answer object of this and the previous RR is the | |
1066 | * same, don't bother adding it again. Typically we store a full RRset here, hence | |
1067 | * that should be the case. */ | |
1068 | if (!j->by_key_prev || j->answer != j->by_key_prev->answer) { | |
1069 | DnsAnswerItem *item; | |
1070 | ||
1071 | DNS_ANSWER_FOREACH_ITEM(item, j->answer) { | |
b974211a LP |
1072 | r = answer_add_clamp_ttl( |
1073 | &answer, | |
1074 | item->rr, | |
1075 | item->ifindex, | |
1076 | item->flags, | |
1077 | item->rrsig, | |
1078 | query_flags, | |
1079 | j->until, | |
1080 | current); | |
775ae354 LP |
1081 | if (r < 0) |
1082 | return r; | |
1083 | } | |
1084 | } | |
1085 | ||
1086 | } else if (j->rr) { | |
b974211a LP |
1087 | r = answer_add_clamp_ttl( |
1088 | &answer, | |
1089 | j->rr, | |
1090 | j->ifindex, | |
1091 | FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? DNS_ANSWER_AUTHENTICATED : 0, | |
1092 | NULL, | |
1093 | query_flags, | |
1094 | j->until, | |
1095 | current); | |
775ae354 LP |
1096 | if (r < 0) |
1097 | return r; | |
1098 | } | |
1099 | ||
1100 | /* We'll return any packet we have for this. Typically all cache entries for the same key | |
1101 | * should come from the same packet anyway, hence it doesn't really matter which packet we | |
1102 | * return here, they should all resolve to the same anyway. */ | |
1103 | if (!full_packet && j->full_packet) | |
1104 | full_packet = dns_packet_ref(j->full_packet); | |
f52e61da | 1105 | } |
6b34a6c9 | 1106 | |
201d9958 LP |
1107 | if (found_rcode >= 0) { |
1108 | log_debug("RCODE %s cache hit for %s", | |
0d609349 | 1109 | FORMAT_DNS_RCODE(found_rcode), |
201d9958 LP |
1110 | dns_resource_key_to_string(key, key_str, sizeof(key_str))); |
1111 | ||
775ae354 LP |
1112 | if (ret_rcode) |
1113 | *ret_rcode = found_rcode; | |
1114 | if (ret_answer) | |
1115 | *ret_answer = TAKE_PTR(answer); | |
1116 | if (ret_full_packet) | |
1117 | *ret_full_packet = TAKE_PTR(full_packet); | |
6f055e43 LP |
1118 | if (ret_query_flags) |
1119 | *ret_query_flags = 0; | |
775ae354 LP |
1120 | if (ret_dnssec_result) |
1121 | *ret_dnssec_result = dnssec_result; | |
201d9958 LP |
1122 | |
1123 | c->n_hit++; | |
1124 | return 1; | |
1125 | } | |
1126 | ||
f6618dcd | 1127 | if (nsec && !IN_SET(key->type, DNS_TYPE_NSEC, DNS_TYPE_DS)) { |
775ae354 LP |
1128 | /* Note that we won't derive information for DS RRs from an NSEC, because we only cache NSEC |
1129 | * RRs from the lower-zone of a zone cut, but the DS RRs are on the upper zone. */ | |
f6618dcd | 1130 | |
202b76ae ZJS |
1131 | log_debug("NSEC NODATA cache hit for %s", |
1132 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
37da8931 | 1133 | |
775ae354 LP |
1134 | /* We only found an NSEC record that matches our name. If it says the type doesn't exist |
1135 | * report NODATA. Otherwise report a cache miss. */ | |
37da8931 | 1136 | |
775ae354 LP |
1137 | if (ret_rcode) |
1138 | *ret_rcode = DNS_RCODE_SUCCESS; | |
1139 | if (ret_answer) | |
1140 | *ret_answer = TAKE_PTR(answer); | |
1141 | if (ret_full_packet) | |
1142 | *ret_full_packet = TAKE_PTR(full_packet); | |
6f055e43 LP |
1143 | if (ret_query_flags) |
1144 | *ret_query_flags = nsec->query_flags; | |
775ae354 LP |
1145 | if (ret_dnssec_result) |
1146 | *ret_dnssec_result = nsec->dnssec_result; | |
37da8931 | 1147 | |
a150ff5e LP |
1148 | if (!bitmap_isset(nsec->rr->nsec.types, key->type) && |
1149 | !bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_CNAME) && | |
1150 | !bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_DNAME)) { | |
1151 | c->n_hit++; | |
1152 | return 1; | |
1153 | } | |
1154 | ||
1155 | c->n_miss++; | |
1156 | return 0; | |
37da8931 LP |
1157 | } |
1158 | ||
202b76ae ZJS |
1159 | log_debug("%s cache hit for %s", |
1160 | n > 0 ? "Positive" : | |
1161 | nxdomain ? "NXDOMAIN" : "NODATA", | |
1162 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
faa133f3 | 1163 | |
7e8e0422 | 1164 | if (n <= 0) { |
a150ff5e LP |
1165 | c->n_hit++; |
1166 | ||
775ae354 LP |
1167 | if (ret_rcode) |
1168 | *ret_rcode = nxdomain ? DNS_RCODE_NXDOMAIN : DNS_RCODE_SUCCESS; | |
1169 | if (ret_answer) | |
1170 | *ret_answer = TAKE_PTR(answer); | |
1171 | if (ret_full_packet) | |
1172 | *ret_full_packet = TAKE_PTR(full_packet); | |
6f055e43 | 1173 | if (ret_query_flags) |
43fc4baa LP |
1174 | *ret_query_flags = |
1175 | ((have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0) | | |
1176 | ((have_confidential && !have_non_confidential) ? SD_RESOLVED_CONFIDENTIAL : 0); | |
775ae354 LP |
1177 | if (ret_dnssec_result) |
1178 | *ret_dnssec_result = dnssec_result; | |
17c8de63 | 1179 | |
775ae354 | 1180 | return 1; |
322345fd LP |
1181 | } |
1182 | ||
a150ff5e LP |
1183 | c->n_hit++; |
1184 | ||
775ae354 LP |
1185 | if (ret_rcode) |
1186 | *ret_rcode = DNS_RCODE_SUCCESS; | |
1187 | if (ret_answer) | |
1188 | *ret_answer = TAKE_PTR(answer); | |
1189 | if (ret_full_packet) | |
1190 | *ret_full_packet = TAKE_PTR(full_packet); | |
6f055e43 | 1191 | if (ret_query_flags) |
43fc4baa LP |
1192 | *ret_query_flags = |
1193 | ((have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0) | | |
1194 | ((have_confidential && !have_non_confidential) ? SD_RESOLVED_CONFIDENTIAL : 0); | |
775ae354 LP |
1195 | if (ret_dnssec_result) |
1196 | *ret_dnssec_result = dnssec_result; | |
faa133f3 LP |
1197 | |
1198 | return n; | |
775ae354 LP |
1199 | |
1200 | miss: | |
1201 | if (ret_rcode) | |
1202 | *ret_rcode = DNS_RCODE_SUCCESS; | |
1203 | if (ret_answer) | |
1204 | *ret_answer = NULL; | |
1205 | if (ret_full_packet) | |
1206 | *ret_full_packet = NULL; | |
6f055e43 LP |
1207 | if (ret_query_flags) |
1208 | *ret_query_flags = 0; | |
775ae354 LP |
1209 | if (ret_dnssec_result) |
1210 | *ret_dnssec_result = _DNSSEC_RESULT_INVALID; | |
1211 | ||
1212 | c->n_miss++; | |
1213 | return 0; | |
322345fd | 1214 | } |
a4076574 LP |
1215 | |
1216 | int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address) { | |
03677889 | 1217 | DnsCacheItem *first; |
a4076574 LP |
1218 | bool same_owner = true; |
1219 | ||
1220 | assert(cache); | |
1221 | assert(rr); | |
1222 | ||
1223 | dns_cache_prune(cache); | |
1224 | ||
1225 | /* See if there's a cache entry for the same key. If there | |
1226 | * isn't there's no conflict */ | |
1227 | first = hashmap_get(cache->by_key, rr->key); | |
1228 | if (!first) | |
1229 | return 0; | |
1230 | ||
1231 | /* See if the RR key is owned by the same owner, if so, there | |
1232 | * isn't a conflict either */ | |
1233 | LIST_FOREACH(by_key, i, first) { | |
1234 | if (i->owner_family != owner_family || | |
1235 | !in_addr_equal(owner_family, &i->owner_address, owner_address)) { | |
1236 | same_owner = false; | |
1237 | break; | |
1238 | } | |
1239 | } | |
1240 | if (same_owner) | |
1241 | return 0; | |
1242 | ||
1243 | /* See if there's the exact same RR in the cache. If yes, then | |
1244 | * there's no conflict. */ | |
1245 | if (dns_cache_get(cache, rr)) | |
1246 | return 0; | |
1247 | ||
1248 | /* There's a conflict */ | |
1249 | return 1; | |
1250 | } | |
4d506d6b | 1251 | |
325513bc | 1252 | int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p, usec_t ts, unsigned max_rr) { |
7778dfff | 1253 | unsigned ancount = 0; |
7778dfff DM |
1254 | DnsCacheItem *i; |
1255 | int r; | |
1256 | ||
1257 | assert(cache); | |
261f3673 | 1258 | assert(p); |
325513bc | 1259 | assert(p->protocol == DNS_PROTOCOL_MDNS); |
f941c124 | 1260 | |
03677889 | 1261 | HASHMAP_FOREACH(i, cache->by_key) |
7778dfff | 1262 | LIST_FOREACH(by_key, j, i) { |
7778dfff DM |
1263 | if (!j->rr) |
1264 | continue; | |
1265 | ||
d2579eec | 1266 | if (!j->shared_owner) |
7778dfff DM |
1267 | continue; |
1268 | ||
f941c124 VCS |
1269 | /* RFC6762 7.1: Don't append records with less than half the TTL remaining |
1270 | * as known answers. */ | |
325513bc | 1271 | if (usec_sub_unsigned(j->until, ts) < j->rr->ttl * USEC_PER_SEC / 2) |
f941c124 VCS |
1272 | continue; |
1273 | ||
58ab31d5 | 1274 | r = dns_packet_append_rr(p, j->rr, 0, NULL, NULL); |
325513bc YW |
1275 | if (r == -EMSGSIZE) { |
1276 | if (max_rr == 0) | |
1277 | /* If max_rr == 0, do not allocate more packets. */ | |
1278 | goto finalize; | |
1279 | ||
1280 | /* If we're unable to stuff all known answers into the given packet, allocate | |
1281 | * a new one, push the RR into that one and link it to the current one. */ | |
261f3673 DM |
1282 | |
1283 | DNS_PACKET_HEADER(p)->ancount = htobe16(ancount); | |
1284 | ancount = 0; | |
1285 | ||
1286 | r = dns_packet_new_query(&p->more, p->protocol, 0, true); | |
1287 | if (r < 0) | |
1288 | return r; | |
1289 | ||
1290 | /* continue with new packet */ | |
1291 | p = p->more; | |
58ab31d5 | 1292 | r = dns_packet_append_rr(p, j->rr, 0, NULL, NULL); |
261f3673 DM |
1293 | } |
1294 | ||
7778dfff DM |
1295 | if (r < 0) |
1296 | return r; | |
1297 | ||
313cefa1 | 1298 | ancount++; |
325513bc YW |
1299 | if (max_rr > 0 && ancount >= max_rr) { |
1300 | DNS_PACKET_HEADER(p)->ancount = htobe16(ancount); | |
1301 | ancount = 0; | |
1302 | ||
1303 | r = dns_packet_new_query(&p->more, p->protocol, 0, true); | |
1304 | if (r < 0) | |
1305 | return r; | |
1306 | ||
1307 | p = p->more; | |
1308 | ||
1309 | max_rr = UINT_MAX; | |
1310 | } | |
7778dfff | 1311 | } |
7778dfff | 1312 | |
325513bc | 1313 | finalize: |
7778dfff DM |
1314 | DNS_PACKET_HEADER(p)->ancount = htobe16(ancount); |
1315 | ||
1316 | return 0; | |
1317 | } | |
1318 | ||
ca9fab88 | 1319 | void dns_cache_dump(DnsCache *cache, FILE *f) { |
4d506d6b | 1320 | DnsCacheItem *i; |
4d506d6b LP |
1321 | |
1322 | if (!cache) | |
1323 | return; | |
1324 | ||
1325 | if (!f) | |
1326 | f = stdout; | |
1327 | ||
03677889 | 1328 | HASHMAP_FOREACH(i, cache->by_key) |
4d506d6b | 1329 | LIST_FOREACH(by_key, j, i) { |
4d506d6b LP |
1330 | |
1331 | fputc('\t', f); | |
1332 | ||
1333 | if (j->rr) { | |
7b50eb2e LP |
1334 | const char *t; |
1335 | t = dns_resource_record_to_string(j->rr); | |
1336 | if (!t) { | |
4d506d6b LP |
1337 | log_oom(); |
1338 | continue; | |
1339 | } | |
1340 | ||
1341 | fputs(t, f); | |
1342 | fputc('\n', f); | |
1343 | } else { | |
202b76ae | 1344 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; |
4d506d6b | 1345 | |
202b76ae | 1346 | fputs(dns_resource_key_to_string(j->key, key_str, sizeof key_str), f); |
4d506d6b | 1347 | fputs(" -- ", f); |
201d9958 | 1348 | fputs(dns_cache_item_type_to_string(j), f); |
4d506d6b LP |
1349 | fputc('\n', f); |
1350 | } | |
1351 | } | |
4d506d6b LP |
1352 | } |
1353 | ||
1354 | bool dns_cache_is_empty(DnsCache *cache) { | |
1355 | if (!cache) | |
1356 | return true; | |
1357 | ||
1358 | return hashmap_isempty(cache->by_key); | |
1359 | } | |
a150ff5e LP |
1360 | |
1361 | unsigned dns_cache_size(DnsCache *cache) { | |
1362 | if (!cache) | |
1363 | return 0; | |
1364 | ||
1365 | return hashmap_size(cache->by_key); | |
1366 | } |