]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-query.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
resolved: rename 'notification' → 'monitor'
[thirdparty/systemd.git] / src / resolve / resolved-dns-query.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
74b2466e 2
b5efdb8a 3#include "alloc-util.h"
2a1037af 4#include "dns-domain.h"
011696f7 5#include "dns-type.h"
ecdfb9a1 6#include "event-util.h"
e2341b6b 7#include "glyph-util.h"
b5efdb8a 8#include "hostname-util.h"
78c6a153 9#include "local-addresses.h"
74b2466e 10#include "resolved-dns-query.h"
839a4a20 11#include "resolved-dns-synthesize.h"
dd0bc0f1 12#include "resolved-etc-hosts.h"
23b298bc 13#include "string-util.h"
74b2466e 14
39762fdf 15#define QUERIES_MAX 2048
45ec7efb 16#define AUXILIARY_QUERIES_MAX 64
b4d12278 17#define CNAME_REDIRECTS_MAX 16
8ba9fd9c 18
e1004d0a 19assert_cc(AUXILIARY_QUERIES_MAX < UINT8_MAX);
b4d12278 20assert_cc(CNAME_REDIRECTS_MAX < UINT8_MAX);
8ba9fd9c 21
801ad6a6
LP		 22static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
23 DnsQueryCandidate *c;
74b2466e 24
801ad6a6 25 assert(ret);
faa133f3 26 assert(q);
801ad6a6 27 assert(s);
74b2466e 28
1ed31408 29 c = new(DnsQueryCandidate, 1);
801ad6a6
LP		 30 if (!c)
31 return -ENOMEM;
32
1ed31408 33 *c = (DnsQueryCandidate) {
0e0fd08f 34 .n_ref = 1,
1ed31408
LP		 35 .query = q,
36 .scope = s,
37 };
801ad6a6
LP		 38
39 LIST_PREPEND(candidates_by_query, q->candidates, c);
40 LIST_PREPEND(candidates_by_scope, s->query_candidates, c);
41
42 *ret = c;
43 return 0;
44}
45
46static void dns_query_candidate_stop(DnsQueryCandidate *c) {
47 DnsTransaction *t;
74b2466e 48
801ad6a6
LP		 49 assert(c);
50
c856ef04
ZJS		 51 /* Detach all the DnsTransactions attached to this query */
52
801ad6a6 53 while ((t = set_steal_first(c->transactions))) {
547973de 54 set_remove(t->notify_query_candidates, c);
35aa04e9 55 set_remove(t->notify_query_candidates_done, c);
ec2c5e43 56 dns_transaction_gc(t);
74b2466e 57 }
74b2466e
LP		 58}
59
c856ef04
ZJS		 60static DnsQueryCandidate* dns_query_candidate_unlink(DnsQueryCandidate *c) {
61 assert(c);
62
63 /* Detach this DnsQueryCandidate from the Query and Scope objects */
64
65 if (c->query) {
66 LIST_REMOVE(candidates_by_query, c->query->candidates, c);
67 c->query = NULL;
68 }
69
70 if (c->scope) {
71 LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c);
72 c->scope = NULL;
73 }
74
75 return c;
76}
77
0e0fd08f 78static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
801ad6a6
LP		 79 if (!c)
80 return NULL;
81
82 dns_query_candidate_stop(c);
c856ef04 83 dns_query_candidate_unlink(c);
801ad6a6
LP		 84
85 set_free(c->transactions);
86 dns_search_domain_unref(c->search_domain);
87
6b430fdb 88 return mfree(c);
801ad6a6
LP		 89}
90
0e0fd08f
ZJS		 91DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate, dns_query_candidate, dns_query_candidate_free);
92
801ad6a6 93static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
c805014a 94 DnsSearchDomain *next;
801ad6a6
LP		 95
96 assert(c);
97
ad44b56b 98 if (c->search_domain && c->search_domain->linked)
801ad6a6 99 next = c->search_domain->domains_next;
ad44b56b
LP		 100 else
101 next = dns_scope_get_search_domains(c->scope);
801ad6a6 102
ad44b56b 103 for (;;) {
6627b7e2
LP		 104 if (!next) /* We hit the end of the list */
105 return 0;
801ad6a6 106
ad44b56b
LP		 107 if (!next->route_only)
108 break;
801ad6a6 109
ad44b56b
LP		 110 /* Skip over route-only domains */
111 next = next->domains_next;
801ad6a6
LP		 112 }
113
114 dns_search_domain_unref(c->search_domain);
115 c->search_domain = dns_search_domain_ref(next);
6627b7e2 116
801ad6a6
LP		 117 return 1;
118}
119
775ae354
LP		 120static int dns_query_candidate_add_transaction(
121 DnsQueryCandidate *c,
122 DnsResourceKey *key,
123 DnsPacket *bypass) {
124
29bd6012 125 _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL;
801ad6a6
LP		 126 int r;
127
128 assert(c);
c856ef04 129 assert(c->query); /* We shan't add transactions to a candidate that has been detached already */
801ad6a6 130
775ae354
LP		 131 if (key) {
132 /* Regular lookup with a resource key */
133 assert(!bypass);
134
135 t = dns_scope_find_transaction(c->scope, key, c->query->flags);
136 if (!t) {
137 r = dns_transaction_new(&t, c->scope, key, NULL, c->query->flags);
138 if (r < 0)
139 return r;
140 } else if (set_contains(c->transactions, t))
141 return 0;
142 } else {
143 /* "Bypass" lookup with a query packet */
144 assert(bypass);
145
146 r = dns_transaction_new(&t, c->scope, NULL, bypass, c->query->flags);
801ad6a6
LP		 147 if (r < 0)
148 return r;
775ae354 149 }
801ad6a6 150
35aa04e9
LP		 151 r = set_ensure_allocated(&t->notify_query_candidates_done, NULL);
152 if (r < 0)
29bd6012 153 return r;
35aa04e9 154
de7fef4b 155 r = set_ensure_put(&t->notify_query_candidates, NULL, c);
801ad6a6 156 if (r < 0)
29bd6012 157 return r;
801ad6a6 158
de7fef4b 159 r = set_ensure_put(&c->transactions, NULL, t);
801ad6a6 160 if (r < 0) {
547973de 161 (void) set_remove(t->notify_query_candidates, c);
29bd6012 162 return r;
801ad6a6
LP		 163 }
164
29bd6012 165 TAKE_PTR(t);
547973de 166 return 1;
801ad6a6
LP		 167}
168
169static int dns_query_candidate_go(DnsQueryCandidate *c) {
d7ac0952 170 _unused_ _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL;
801ad6a6 171 DnsTransaction *t;
801ad6a6 172 int r;
011696f7 173 unsigned n = 0;
801ad6a6
LP		 174
175 assert(c);
176
0e0fd08f
ZJS		 177 /* Let's keep a reference to the query while we're operating */
178 keep_c = dns_query_candidate_ref(c);
4ea8b443 179
801ad6a6 180 /* Start the transactions that are not started yet */
90e74a66 181 SET_FOREACH(t, c->transactions) {
801ad6a6
LP		 182 if (t->state != DNS_TRANSACTION_NULL)
183 continue;
184
185 r = dns_transaction_go(t);
0e0fd08f 186 if (r < 0)
801ad6a6 187 return r;
011696f7
LP		 188
189 n++;
801ad6a6
LP		 190 }
191
011696f7 192 /* If there was nothing to start, then let's proceed immediately */
0e0fd08f 193 if (n == 0)
011696f7
LP		 194 dns_query_candidate_notify(c);
195
801ad6a6
LP		 196 return 0;
197}
198
199static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {
200 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
201 DnsTransaction *t;
801ad6a6
LP		 202
203 assert(c);
204
205 if (c->error_code != 0)
7cc6ed7b 206 return DNS_TRANSACTION_ERRNO;
801ad6a6 207
adf6d848 208 SET_FOREACH(t, c->transactions)
801ad6a6
LP		 209
210 switch (t->state) {
211
5264131a
LP		 212 case DNS_TRANSACTION_NULL:
213 /* If there's a NULL transaction pending, then
214 * this means not all transactions where
215 * started yet, and we were called from within
216 * the stackframe that is supposed to start
217 * remaining transactions. In this case,
218 * simply claim the candidate is pending. */
219
801ad6a6 220 case DNS_TRANSACTION_PENDING:
547973de
LP		 221 case DNS_TRANSACTION_VALIDATING:
222 /* If there's one transaction currently in
223 * VALIDATING state, then this means there's
224 * also one in PENDING state, hence we can
225 * return PENDING immediately. */
226 return DNS_TRANSACTION_PENDING;
801ad6a6
LP		 227
228 case DNS_TRANSACTION_SUCCESS:
229 state = t->state;
230 break;
231
232 default:
233 if (state != DNS_TRANSACTION_SUCCESS)
234 state = t->state;
235
236 break;
237 }
801ad6a6
LP		 238
239 return state;
240}
241
242static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) {
23b298bc 243 DnsQuestion *question;
801ad6a6
LP		 244 DnsResourceKey *key;
245 int n = 0, r;
246
247 assert(c);
c856ef04 248 assert(c->query); /* We shan't add transactions to a candidate that has been detached already */
801ad6a6
LP		 249
250 dns_query_candidate_stop(c);
251
775ae354
LP		 252 if (c->query->question_bypass) {
253 /* If this is a bypass query, then pass the original query packet along to the transaction */
254
255 assert(dns_question_size(c->query->question_bypass->question) == 1);
256
ab715ddb 257 if (!dns_scope_good_key(c->scope, dns_question_first_key(c->query->question_bypass->question)))
775ae354
LP		 258 return 0;
259
260 r = dns_query_candidate_add_transaction(c, NULL, c->query->question_bypass);
261 if (r < 0)
262 goto fail;
263
264 return 1;
265 }
266
23b298bc
LP		 267 question = dns_query_question_for_protocol(c->query, c->scope->protocol);
268
801ad6a6 269 /* Create one transaction per question key */
23b298bc 270 DNS_QUESTION_FOREACH(key, question) {
801ad6a6 271 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL;
011696f7
LP		 272 DnsResourceKey *qkey;
273
801ad6a6
LP		 274 if (c->search_domain) {
275 r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name);
276 if (r < 0)
277 goto fail;
801ad6a6 278
011696f7
LP		 279 qkey = new_key;
280 } else
281 qkey = key;
282
283 if (!dns_scope_good_key(c->scope, qkey))
284 continue;
285
775ae354 286 r = dns_query_candidate_add_transaction(c, qkey, NULL);
801ad6a6
LP		 287 if (r < 0)
288 goto fail;
289
290 n++;
291 }
292
293 return n;
294
295fail:
296 dns_query_candidate_stop(c);
297 return r;
298}
299
547973de 300void dns_query_candidate_notify(DnsQueryCandidate *c) {
801ad6a6
LP		 301 DnsTransactionState state;
302 int r;
303
304 assert(c);
305
c856ef04
ZJS		 306 if (!c->query) /* This candidate has been abandoned, do nothing. */
307 return;
308
801ad6a6
LP		 309 state = dns_query_candidate_state(c);
310
547973de 311 if (DNS_TRANSACTION_IS_LIVE(state))
801ad6a6
LP		 312 return;
313
314 if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
315
316 r = dns_query_candidate_next_search_domain(c);
317 if (r < 0)
318 goto fail;
319
320 if (r > 0) {
321 /* OK, there's another search domain to try, let's do so. */
322
323 r = dns_query_candidate_setup_transactions(c);
324 if (r < 0)
325 goto fail;
326
327 if (r > 0) {
328 /* New transactions where queued. Start them and wait */
329
330 r = dns_query_candidate_go(c);
331 if (r < 0)
332 goto fail;
333
334 return;
335 }
336 }
337
338 }
339
340 dns_query_ready(c->query);
341 return;
342
343fail:
fed66db0 344 c->error_code = log_warning_errno(r, "Failed to follow search domains: %m");
801ad6a6
LP		 345 dns_query_ready(c->query);
346}
347
348static void dns_query_stop(DnsQuery *q) {
801ad6a6
LP		 349 assert(q);
350
ecdfb9a1 351 event_source_disable(q->timeout_event_source);
801ad6a6
LP		 352
353 LIST_FOREACH(candidates_by_query, c, q->candidates)
354 dns_query_candidate_stop(c);
355}
356
c856ef04 357static void dns_query_unlink_candidates(DnsQuery *q) {
7820b320
LP		 358 assert(q);
359
360 while (q->candidates)
c856ef04
ZJS		 361 /* Here we drop *our* references to each of the candidates. If we had the only reference, the
362 * DnsQueryCandidate object will be freed. */
363 dns_query_candidate_unref(dns_query_candidate_unlink(q->candidates));
7820b320
LP		 364}
365
366static void dns_query_reset_answer(DnsQuery *q) {
367 assert(q);
368
369 q->answer = dns_answer_unref(q->answer);
370 q->answer_rcode = 0;
371 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
7cc6ed7b 372 q->answer_errno = 0;
6f055e43 373 q->answer_query_flags = 0;
7820b320
LP		 374 q->answer_protocol = _DNS_PROTOCOL_INVALID;
375 q->answer_family = AF_UNSPEC;
376 q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
775ae354 377 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
7820b320
LP		 378}
379
74b2466e 380DnsQuery *dns_query_free(DnsQuery *q) {
74b2466e
LP		 381 if (!q)
382 return NULL;
383
73bfd7be
YW		 384 q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);
385
45ec7efb
LP		 386 while (q->auxiliary_queries)
387 dns_query_free(q->auxiliary_queries);
388
389 if (q->auxiliary_for) {
390 assert(q->auxiliary_for->n_auxiliary_queries > 0);
391 q->auxiliary_for->n_auxiliary_queries--;
392 LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q);
393 }
394
c856ef04 395 dns_query_unlink_candidates(q);
322345fd 396
23b298bc
LP		 397 dns_question_unref(q->question_idna);
398 dns_question_unref(q->question_utf8);
775ae354 399 dns_packet_unref(q->question_bypass);
7820b320
LP		 400
401 dns_query_reset_answer(q);
322345fd 402
c9de4e0f 403 sd_bus_message_unref(q->bus_request);
82bd6ddd 404 sd_bus_track_unref(q->bus_track);
74b2466e 405
9581bb84
LP		 406 if (q->varlink_request) {
407 varlink_set_userdata(q->varlink_request, NULL);
408 varlink_unref(q->varlink_request);
409 }
410
bde69bbd
LP		 411 if (q->request_packet)
412 hashmap_remove_value(q->stub_listener_extra ?
413 q->stub_listener_extra->queries_by_packet :
414 q->manager->stub_queries_by_packet,
415 q->request_packet,
416 q);
417
775ae354
LP		 418 dns_packet_unref(q->request_packet);
419 dns_answer_unref(q->reply_answer);
420 dns_answer_unref(q->reply_authoritative);
421 dns_answer_unref(q->reply_additional);
b30bf55d 422
775ae354 423 if (q->request_stream) {
b30bf55d 424 /* Detach the stream from our query, in case something else keeps a reference to it. */
775ae354
LP		 425 (void) set_remove(q->request_stream->queries, q);
426 q->request_stream = dns_stream_unref(q->request_stream);
b30bf55d
LP		 427 }
428
23b298bc
LP		 429 free(q->request_address_string);
430
39762fdf 431 if (q->manager) {
74b2466e 432 LIST_REMOVE(queries, q->manager->dns_queries, q);
39762fdf
LP		 433 q->manager->n_dns_queries--;
434 }
74b2466e 435
6b430fdb 436 return mfree(q);
74b2466e
LP		 437}
438
23b298bc
LP		 439int dns_query_new(
440 Manager *m,
441 DnsQuery **ret,
442 DnsQuestion *question_utf8,
443 DnsQuestion *question_idna,
775ae354 444 DnsPacket *question_bypass,
17c8de63
LP		 445 int ifindex,
446 uint64_t flags) {
23b298bc 447
74b2466e 448 _cleanup_(dns_query_freep) DnsQuery *q = NULL;
775ae354 449 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
23b298bc 450 DnsResourceKey *key;
faa133f3 451 int r;
74b2466e
LP		 452
453 assert(m);
454
775ae354
LP		 455 if (question_bypass) {
456 /* It's either a "bypass" query, or a regular one, but can't be both. */
457 if (question_utf8 || question_idna)
23b298bc
LP		 458 return -EINVAL;
459
775ae354
LP		 460 } else {
461 bool good = false;
23b298bc 462
1a71fe4e
LP		 463 /* This (primarily) checks two things:
464 *
465 * 1. That the question is not empty
466 * 2. That all RR keys in the question objects are for the same domain
467 *
468 * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for
469 * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */
470
775ae354
LP		 471 if (dns_question_size(question_utf8) > 0) {
472 r = dns_question_is_valid_for_query(question_utf8);
23b298bc
LP		 473 if (r < 0)
474 return r;
475 if (r == 0)
476 return -EINVAL;
477
478 good = true;
479 }
23b298bc 480
775ae354
LP		 481 /* If the IDNA and UTF8 questions are the same, merge their references */
482 r = dns_question_is_equal(question_idna, question_utf8);
483 if (r < 0)
484 return r;
485 if (r > 0)
486 question_idna = question_utf8;
487 else {
488 if (dns_question_size(question_idna) > 0) {
489 r = dns_question_is_valid_for_query(question_idna);
490 if (r < 0)
491 return r;
492 if (r == 0)
493 return -EINVAL;
494
495 good = true;
496 }
497 }
498
499 if (!good) /* don't allow empty queries */
500 return -EINVAL;
501 }
74b2466e 502
39762fdf
LP		 503 if (m->n_dns_queries >= QUERIES_MAX)
504 return -EBUSY;
505
1ed31408 506 q = new(DnsQuery, 1);
74b2466e
LP		 507 if (!q)
508 return -ENOMEM;
509
1ed31408
LP		 510 *q = (DnsQuery) {
511 .question_utf8 = dns_question_ref(question_utf8),
512 .question_idna = dns_question_ref(question_idna),
775ae354 513 .question_bypass = dns_packet_ref(question_bypass),
1ed31408
LP		 514 .ifindex = ifindex,
515 .flags = flags,
516 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
517 .answer_protocol = _DNS_PROTOCOL_INVALID,
518 .answer_family = AF_UNSPEC,
519 };
322345fd 520
775ae354
LP		 521 if (question_bypass) {
522 DNS_QUESTION_FOREACH(key, question_bypass->question)
523 log_debug("Looking up bypass packet for %s.",
524 dns_resource_key_to_string(key, key_str, sizeof key_str));
525 } else {
160f3145 526 /* First dump UTF8 question */
775ae354
LP		 527 DNS_QUESTION_FOREACH(key, question_utf8)
528 log_debug("Looking up RR for %s.",
529 dns_resource_key_to_string(key, key_str, sizeof key_str));
530
531 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
532 DNS_QUESTION_FOREACH(key, question_idna) {
ab715ddb 533 r = dns_question_contains_key(question_utf8, key);
775ae354
LP		 534 if (r < 0)
535 return r;
536 if (r > 0)
537 continue;
23b298bc 538
775ae354
LP		 539 log_debug("Looking up IDNA RR for %s.",
540 dns_resource_key_to_string(key, key_str, sizeof key_str));
541 }
74b2466e
LP		 542 }
543
544 LIST_PREPEND(queries, m->dns_queries, q);
39762fdf 545 m->n_dns_queries++;
74b2466e
LP		 546 q->manager = m;
547
8ba9fd9c
LP		 548 if (ret)
549 *ret = q;
8ba9fd9c 550
775ae354 551 TAKE_PTR(q);
8ba9fd9c
LP		 552 return 0;
553}
554
45ec7efb
LP		 555int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {
556 assert(q);
557 assert(auxiliary_for);
558
61233823 559 /* Ensure that the query is not auxiliary yet, and
45ec7efb
LP		 560 * nothing else is auxiliary to it either */
561 assert(!q->auxiliary_for);
562 assert(!q->auxiliary_queries);
563
564 /* Ensure that the unit we shall be made auxiliary for isn't
565 * auxiliary itself */
566 assert(!auxiliary_for->auxiliary_for);
567
568 if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX)
569 return -EAGAIN;
570
571 LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q);
572 q->auxiliary_for = auxiliary_for;
573
574 auxiliary_for->n_auxiliary_queries++;
575 return 0;
576}
577
65a01e82 578void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
8ba9fd9c 579 assert(q);
547973de
LP		 580 assert(!DNS_TRANSACTION_IS_LIVE(state));
581 assert(DNS_TRANSACTION_IS_LIVE(q->state));
8ba9fd9c 582
65a01e82
LP		 583 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
584 * query or transaction after calling this function. */
8ba9fd9c 585
8ba9fd9c
LP		 586 q->state = state;
587
0e26016e 588 if (q->question_utf8 && state == DNS_TRANSACTION_SUCCESS && set_size(q->manager->varlink_subscription) > 0)
227e1279 589 (void) manager_monitor_send(q->manager, q->answer, dns_question_first_name(q->question_utf8));
cb456374 590
322345fd
LP		 591 dns_query_stop(q);
592 if (q->complete)
593 q->complete(q);
8ba9fd9c
LP		 594}
595
596static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) {
99534007 597 DnsQuery *q = ASSERT_PTR(userdata);
8ba9fd9c
LP		 598
599 assert(s);
8ba9fd9c 600
ec2c5e43 601 dns_query_complete(q, DNS_TRANSACTION_TIMEOUT);
8ba9fd9c
LP		 602 return 0;
603}
604
801ad6a6 605static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
0e0fd08f 606 _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *c = NULL;
faa133f3
LP		 607 int r;
608
609 assert(q);
ec2c5e43 610 assert(s);
faa133f3 611
801ad6a6 612 r = dns_query_candidate_new(&c, q, s);
faa133f3
LP		 613 if (r < 0)
614 return r;
615
801ad6a6 616 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
3b5bd7d6
ZJS		 617 if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) &&
618 dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) {
619 /* OK, we want a search domain now. Let's find one for this scope */
22f711bb 620
6da95857 621 r = dns_query_candidate_next_search_domain(c);
3b5bd7d6 622 if (r < 0)
7877e5ca 623 return r;
faa133f3
LP		 624 }
625
801ad6a6
LP		 626 r = dns_query_candidate_setup_transactions(c);
627 if (r < 0)
7877e5ca 628 return r;
801ad6a6 629
7877e5ca 630 TAKE_PTR(c);
faa133f3 631 return 0;
faa133f3
LP		 632}
633
78c6a153 634static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
2a1037af 635 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
dd0bc0f1 636 int r;
2a1037af
LP		 637
638 assert(q);
639 assert(state);
640
dd0bc0f1
LP		 641 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
642 * the normal lookup finished. The data from the network hence takes precedence over the data we
643 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
2a1037af
LP		 644
645 if (!IN_SET(*state,
3bbdc31d 646 DNS_TRANSACTION_RCODE_FAILURE,
2a1037af
LP		 647 DNS_TRANSACTION_NO_SERVERS,
648 DNS_TRANSACTION_TIMEOUT,
edbcc1fd 649 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED,
0791110f
LP		 650 DNS_TRANSACTION_NETWORK_DOWN,
651 DNS_TRANSACTION_NOT_FOUND))
78c6a153 652 return 0;
2a1037af 653
775ae354
LP		 654 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
655 return 0;
656
839a4a20
LP		 657 r = dns_synthesize_answer(
658 q->manager,
775ae354 659 q->question_bypass ? q->question_bypass->question : q->question_utf8,
839a4a20 660 q->ifindex,
dd0bc0f1 661 &answer);
acf06088
LP		 662 if (r == -ENXIO) {
663 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
2a1037af 664
acf06088
LP		 665 dns_query_reset_answer(q);
666 q->answer_rcode = DNS_RCODE_NXDOMAIN;
667 q->answer_protocol = dns_synthesize_protocol(q->flags);
668 q->answer_family = dns_synthesize_family(q->flags);
5c1790d1 669 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
acf06088
LP		 670 *state = DNS_TRANSACTION_RCODE_FAILURE;
671
672 return 0;
673 }
839a4a20
LP		 674 if (r <= 0)
675 return r;
2a1037af 676
839a4a20 677 dns_query_reset_answer(q);
2a1037af 678
1cc6c93a 679 q->answer = TAKE_PTR(answer);
2a1037af 680 q->answer_rcode = DNS_RCODE_SUCCESS;
dd0bc0f1
LP		 681 q->answer_protocol = dns_synthesize_protocol(q->flags);
682 q->answer_family = dns_synthesize_family(q->flags);
5c1790d1 683 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
2a1037af
LP		 684
685 *state = DNS_TRANSACTION_SUCCESS;
78c6a153
LP		 686
687 return 1;
2a1037af
LP		 688}
689
dd0bc0f1
LP		 690static int dns_query_try_etc_hosts(DnsQuery *q) {
691 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
692 int r;
693
694 assert(q);
695
c805014a
ZJS		 696 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is
697 * done. The data from /etc/hosts hence takes precedence over the network. */
dd0bc0f1 698
775ae354
LP		 699 if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE))
700 return 0;
701
dd0bc0f1
LP		 702 r = manager_etc_hosts_lookup(
703 q->manager,
775ae354 704 q->question_bypass ? q->question_bypass->question : q->question_utf8,
dd0bc0f1
LP		 705 &answer);
706 if (r <= 0)
707 return r;
708
709 dns_query_reset_answer(q);
710
1cc6c93a 711 q->answer = TAKE_PTR(answer);
dd0bc0f1
LP		 712 q->answer_rcode = DNS_RCODE_SUCCESS;
713 q->answer_protocol = dns_synthesize_protocol(q->flags);
714 q->answer_family = dns_synthesize_family(q->flags);
5c1790d1 715 q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC;
dd0bc0f1
LP		 716
717 return 1;
718}
719
322345fd 720int dns_query_go(DnsQuery *q) {
8ba9fd9c 721 DnsScopeMatch found = DNS_SCOPE_NO;
03677889 722 DnsScope *first = NULL;
8ba9fd9c
LP		 723 int r;
724
725 assert(q);
726
ec2c5e43 727 if (q->state != DNS_TRANSACTION_NULL)
8ba9fd9c
LP		 728 return 0;
729
dd0bc0f1
LP		 730 r = dns_query_try_etc_hosts(q);
731 if (r < 0)
732 return r;
733 if (r > 0) {
734 dns_query_complete(q, DNS_TRANSACTION_SUCCESS);
735 return 1;
736 }
737
8ba9fd9c 738 LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
74b2466e 739 DnsScopeMatch match;
23b298bc 740
176a9a2c 741 match = dns_scope_good_domain(s, q);
830f50ab 742 assert(match >= 0);
a97a3b25
LP		 743 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
744 * that matches this well */
745 found = match;
74b2466e 746 first = s;
74b2466e
LP		 747 }
748 }
749
2a1037af
LP		 750 if (found == DNS_SCOPE_NO) {
751 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
752
7cc6ed7b
LP		 753 r = dns_query_synthesize_reply(q, &state);
754 if (r < 0)
755 return r;
756
d634711b
LP		 757 dns_query_complete(q, state);
758 return 1;
2a1037af 759 }
74b2466e 760
801ad6a6 761 r = dns_query_add_candidate(q, first);
74b2466e 762 if (r < 0)
ec2c5e43 763 goto fail;
74b2466e 764
74b2466e
LP		 765 LIST_FOREACH(scopes, s, first->scopes_next) {
766 DnsScopeMatch match;
767
176a9a2c 768 match = dns_scope_good_domain(s, q);
830f50ab 769 assert(match >= 0);
a97a3b25 770 if (match < found)
74b2466e
LP		 771 continue;
772
801ad6a6 773 r = dns_query_add_candidate(q, s);
74b2466e 774 if (r < 0)
ec2c5e43 775 goto fail;
74b2466e
LP		 776 }
777
ab88b6d0 778 dns_query_reset_answer(q);
74b2466e 779
ecdfb9a1 780 r = event_reset_time_relative(
9a015429
LP		 781 q->manager->event,
782 &q->timeout_event_source,
ba4e0427 783 CLOCK_BOOTTIME,
39cf0351 784 SD_RESOLVED_QUERY_TIMEOUT_USEC,
ecdfb9a1
YW		 785 0, on_query_timeout, q,
786 0, "query-timeout", true);
74b2466e
LP		 787 if (r < 0)
788 goto fail;
789
ec2c5e43 790 q->state = DNS_TRANSACTION_PENDING;
faa133f3 791 q->block_ready++;
74b2466e 792
801ad6a6
LP		 793 /* Start the transactions */
794 LIST_FOREACH(candidates_by_query, c, q->candidates) {
795 r = dns_query_candidate_go(c);
796 if (r < 0) {
797 q->block_ready--;
ec2c5e43 798 goto fail;
801ad6a6 799 }
74b2466e
LP		 800 }
801
faa133f3
LP		 802 q->block_ready--;
803 dns_query_ready(q);
322345fd 804
8ba9fd9c 805 return 1;
74b2466e
LP		 806
807fail:
8ba9fd9c 808 dns_query_stop(q);
74b2466e
LP		 809 return r;
810}
811
801ad6a6 812static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
ec2c5e43 813 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
43fc4baa 814 bool has_authenticated = false, has_non_authenticated = false, has_confidential = false, has_non_confidential = false;
019036a4 815 DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
801ad6a6 816 DnsTransaction *t;
547973de 817 int r;
74b2466e
LP		 818
819 assert(q);
820
801ad6a6 821 if (!c) {
7cc6ed7b
LP		 822 r = dns_query_synthesize_reply(q, &state);
823 if (r < 0)
824 goto fail;
825
801ad6a6 826 dns_query_complete(q, state);
74b2466e 827 return;
801ad6a6 828 }
74b2466e 829
a7bf2ada
LP		 830 if (c->error_code != 0) {
831 /* If the candidate had an error condition of its own, start with that. */
832 state = DNS_TRANSACTION_ERRNO;
833 q->answer = dns_answer_unref(q->answer);
834 q->answer_rcode = 0;
835 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
6f055e43 836 q->answer_query_flags = 0;
a7bf2ada 837 q->answer_errno = c->error_code;
775ae354 838 q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
a7bf2ada
LP		 839 }
840
90e74a66 841 SET_FOREACH(t, c->transactions) {
74b2466e 842
801ad6a6 843 switch (t->state) {
934e9b10 844
801ad6a6 845 case DNS_TRANSACTION_SUCCESS: {
775ae354
LP		 846 /* We found a successful reply, merge it into the answer */
847
848 if (state == DNS_TRANSACTION_SUCCESS) {
849 r = dns_answer_extend(&q->answer, t->answer);
850 if (r < 0)
851 goto fail;
5c1790d1
LP		 852
853 q->answer_query_flags |= dns_transaction_source_to_query_flags(t->answer_source);
775ae354
LP		 854 } else {
855 /* Override non-successful previous answers */
1117a960 856 DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer));
5c1790d1 857 q->answer_query_flags = dns_transaction_source_to_query_flags(t->answer_source);
775ae354 858 }
019036a4 859
ae6a4bbf 860 q->answer_rcode = t->answer_rcode;
7cc6ed7b 861 q->answer_errno = 0;
801ad6a6 862
899e3cda 863 DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received));
775ae354 864
6f055e43 865 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) {
931851e8 866 has_authenticated = true;
019036a4
LP		 867 dnssec_result_authenticated = t->answer_dnssec_result;
868 } else {
931851e8 869 has_non_authenticated = true;
019036a4
LP		 870 dnssec_result_non_authenticated = t->answer_dnssec_result;
871 }
931851e8 872
43fc4baa
LP		 873 if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
874 has_confidential = true;
875 else
876 has_non_confidential = true;
877
801ad6a6
LP		 878 state = DNS_TRANSACTION_SUCCESS;
879 break;
880 }
881
801ad6a6 882 case DNS_TRANSACTION_NULL:
547973de
LP		 883 case DNS_TRANSACTION_PENDING:
884 case DNS_TRANSACTION_VALIDATING:
801ad6a6
LP		 885 case DNS_TRANSACTION_ABORTED:
886 /* Ignore transactions that didn't complete */
887 continue;
888
889 default:
cbb1aabb 890 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
019036a4
LP		 891 if (state == DNS_TRANSACTION_SUCCESS)
892 continue;
934e9b10 893
cbb1aabb 894 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
6f055e43
LP		 895 if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) &&
896 !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
cbb1aabb
LP		 897 continue;
898
1117a960 899 DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer));
019036a4
LP		 900 q->answer_rcode = t->answer_rcode;
901 q->answer_dnssec_result = t->answer_dnssec_result;
5c1790d1 902 q->answer_query_flags = t->answer_query_flags | dns_transaction_source_to_query_flags(t->answer_source);
7cc6ed7b 903 q->answer_errno = t->answer_errno;
899e3cda 904 DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received));
934e9b10 905
019036a4 906 state = t->state;
801ad6a6 907 break;
74b2466e 908 }
801ad6a6 909 }
74b2466e 910
019036a4 911 if (state == DNS_TRANSACTION_SUCCESS) {
6f055e43 912 SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated);
43fc4baa 913 SET_FLAG(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, has_confidential && !has_non_confidential);
6f055e43 914 q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated;
019036a4
LP		 915 }
916
801ad6a6
LP		 917 q->answer_protocol = c->scope->protocol;
918 q->answer_family = c->scope->family;
934e9b10 919
801ad6a6
LP		 920 dns_search_domain_unref(q->answer_search_domain);
921 q->answer_search_domain = dns_search_domain_ref(c->search_domain);
7e8e0422 922
7cc6ed7b
LP		 923 r = dns_query_synthesize_reply(q, &state);
924 if (r < 0)
925 goto fail;
926
801ad6a6 927 dns_query_complete(q, state);
7cc6ed7b
LP		 928 return;
929
930fail:
931 q->answer_errno = -r;
932 dns_query_complete(q, DNS_TRANSACTION_ERRNO);
801ad6a6 933}
934e9b10 934
801ad6a6 935void dns_query_ready(DnsQuery *q) {
03677889 936 DnsQueryCandidate *bad = NULL;
801ad6a6 937 bool pending = false;
74b2466e 938
801ad6a6 939 assert(q);
547973de 940 assert(DNS_TRANSACTION_IS_LIVE(q->state));
e4501ed4 941
801ad6a6
LP		 942 /* Note that this call might invalidate the query. Callers
943 * should hence not attempt to access the query or transaction
944 * after calling this function, unless the block_ready
945 * counter was explicitly bumped before doing so. */
946
947 if (q->block_ready > 0)
948 return;
949
950 LIST_FOREACH(candidates_by_query, c, q->candidates) {
951 DnsTransactionState state;
952
953 state = dns_query_candidate_state(c);
954 switch (state) {
955
956 case DNS_TRANSACTION_SUCCESS:
547973de 957 /* One of the candidates is successful,
801ad6a6
LP		 958 * let's use it, and copy its data out */
959 dns_query_accept(q, c);
e4501ed4
LP		 960 return;
961
801ad6a6 962 case DNS_TRANSACTION_NULL:
547973de
LP		 963 case DNS_TRANSACTION_PENDING:
964 case DNS_TRANSACTION_VALIDATING:
965 /* One of the candidates is still going on,
966 * let's maybe wait for it */
801ad6a6
LP		 967 pending = true;
968 break;
e4501ed4 969
801ad6a6
LP		 970 default:
971 /* Any kind of failure */
972 bad = c;
973 break;
974 }
faa133f3 975 }
74b2466e 976
801ad6a6
LP		 977 if (pending)
978 return;
2a1037af 979
801ad6a6 980 dns_query_accept(q, bad);
74b2466e 981}
8ba9fd9c 982
45ec7efb 983static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) {
23b298bc
LP		 984 _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL;
985 int r, k;
8ba9fd9c
LP		 986
987 assert(q);
988
b4d12278 989 if (q->n_cname_redirects >= CNAME_REDIRECTS_MAX)
8ba9fd9c 990 return -ELOOP;
b4d12278 991 q->n_cname_redirects++;
8ba9fd9c 992
23b298bc 993 r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
faa133f3
LP		 994 if (r < 0)
995 return r;
4cba52cc 996 if (r > 0)
e2341b6b
DT		 997 log_debug("Following CNAME/DNAME %s %s %s.",
998 dns_question_first_name(q->question_idna),
999 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
1000 dns_question_first_name(nq_idna));
23b298bc
LP		 1001
1002 k = dns_question_is_equal(q->question_idna, q->question_utf8);
1003 if (k < 0)
4cba52cc 1004 return k;
23b298bc
LP		 1005 if (k > 0) {
1006 /* Same question? Shortcut new question generation */
1007 nq_utf8 = dns_question_ref(nq_idna);
1008 k = r;
1009 } else {
1010 k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8);
1011 if (k < 0)
1012 return k;
4cba52cc 1013 if (k > 0)
e2341b6b
DT		 1014 log_debug("Following UTF8 CNAME/DNAME %s %s %s.",
1015 dns_question_first_name(q->question_utf8),
1016 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
1017 dns_question_first_name(nq_utf8));
23b298bc 1018 }
8ba9fd9c 1019
23b298bc
LP		 1020 if (r == 0 && k == 0) /* No actual cname happened? */
1021 return -ELOOP;
1022
d46b79bb 1023 if (q->answer_protocol == DNS_PROTOCOL_DNS)
8e5de09f
LP		 1024 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
1025 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
1026 * ones. */
8e5de09f 1027 q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
8e5de09f
LP		 1028
1029 /* Turn off searching for the new name */
1030 q->flags |= SD_RESOLVED_NO_SEARCH;
1031
23b298bc 1032 dns_question_unref(q->question_idna);
1cc6c93a 1033 q->question_idna = TAKE_PTR(nq_idna);
bc7669cf 1034
23b298bc 1035 dns_question_unref(q->question_utf8);
1cc6c93a 1036 q->question_utf8 = TAKE_PTR(nq_utf8);
8ba9fd9c 1037
c856ef04 1038 dns_query_unlink_candidates(q);
b1eea703
LP		 1039
1040 /* Note that we do *not* reset the answer here, because the answer we previously got might already
1041 * include everything we need, let's check that first */
322345fd 1042
8e5de09f 1043 q->state = DNS_TRANSACTION_NULL;
59a89990 1044
8ba9fd9c
LP		 1045 return 0;
1046}
82bd6ddd 1047
1db8e6d1 1048int dns_query_process_cname_one(DnsQuery *q) {
45ec7efb 1049 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL;
23b298bc 1050 DnsQuestion *question;
45ec7efb 1051 DnsResourceRecord *rr;
1a71fe4e
LP		 1052 bool full_match = true;
1053 DnsResourceKey *k;
45ec7efb
LP		 1054 int r;
1055
1056 assert(q);
1057
1db8e6d1
LP		 1058 /* Processes a CNAME redirect if there's one. Returns one of three values:
1059 *
1060 * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not
1061 * bother with any CNAME/DNAME stuff)
1062 *
1063 * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to
1064 * restart query or take things as NODATA reply.
1065 *
1066 * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step.
1067 *
1068 * The function might also return a failure, in particular -ELOOP if we encountered too many
1069 * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off.
1070 *
1071 * Note that this function doesn't actually restart the query. The caller can decide to do that in
1072 * case of CNAME_QUERY_CNAME, though. */
1073
7588460a
TG		 1074 if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL))
1075 return DNS_QUERY_NOMATCH;
45ec7efb 1076
23b298bc 1077 question = dns_query_question_for_protocol(q, q->answer_protocol);
45ec7efb 1078
1a71fe4e
LP		 1079 /* Small reminder: our question will consist of one or more RR keys that match in name, but not in
1080 * record type. Specifically, when we do an address lookup the question will typically consist of one
1081 * A and one AAAA key lookup for the same domain name. When we get a response from a server we need
1082 * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME
1083 * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant
1084 * type.
1085 *
1086 * Hence we first check of the answers we collected are sufficient to answer all our questions
1087 * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's
1088 * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or
7802194a 1089 * the AAAA query. */
1a71fe4e
LP		 1090
1091 DNS_QUESTION_FOREACH(k, question) {
1092 bool match = false;
1093
1094 DNS_ANSWER_FOREACH(rr, q->answer) {
1095 r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
1096 if (r < 0)
1097 return r;
1098 if (r > 0) {
1099 match = true; /* Yay, we found an RR that matches the key we are looking for */
1100 break;
1101 }
1102 }
1103
1104 if (!match) {
1105 /* Hmm. :-( there's no response for this key. This doesn't match. */
1106 full_match = false;
1107 break;
1108 }
1109 }
45ec7efb 1110
1a71fe4e
LP		 1111 if (full_match)
1112 return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */
1113
1114 /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that
1115 * matches any of our questions. */
1116 DNS_ANSWER_FOREACH(rr, q->answer) {
542e0c84 1117 r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
45ec7efb
LP		 1118 if (r < 0)
1119 return r;
1120 if (r > 0 && !cname)
1121 cname = dns_resource_record_ref(rr);
1122 }
1123
1124 if (!cname)
1a71fe4e 1125 return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */
45ec7efb
LP		 1126
1127 if (q->flags & SD_RESOLVED_NO_CNAME)
1128 return -ELOOP;
1129
6f055e43 1130 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
28830a64 1131 q->previous_redirect_unauthenticated = true;
43fc4baa
LP		 1132 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
1133 q->previous_redirect_non_confidential = true;
9ddf099f
LP		 1134 if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_SYNTHETIC))
1135 q->previous_redirect_non_synthetic = true;
28830a64 1136
45ec7efb
LP		 1137 /* OK, let's actually follow the CNAME */
1138 r = dns_query_cname_redirect(q, cname);
1139 if (r < 0)
1140 return r;
1141
1db8e6d1
LP		 1142 return DNS_QUERY_CNAME; /* Tell caller that we did a single CNAME/DNAME redirection step */
1143}
45ec7efb 1144
1db8e6d1
LP		 1145int dns_query_process_cname_many(DnsQuery *q) {
1146 int r;
45ec7efb 1147
1db8e6d1
LP		 1148 assert(q);
1149
1150 /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our
1151 * redirected CNAME queries we keep going, and restart the query once the current packet isn't good
1152 * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values,
1153 * but with extended semantics. Specifically:
1154 *
1155 * DNS_QUERY_MATCH → as above
1156 *
1157 * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current
1158 * message, and thus restarted the query to resolve it.
1159 *
1160 * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a
1161 * CNAME/DNAME match. i.e. this is a NODATA case.
1162 *
1163 * Note that this function will restart the query for the caller if needed, and that's the case
1164 * DNS_QUERY_CNAME is returned.
1165 */
1166
1167 r = dns_query_process_cname_one(q);
1168 if (r != DNS_QUERY_CNAME)
1169 return r; /* The first redirect is special: if it doesn't answer the question that's no
1170 * reason to restart the query, we just accept this as a NODATA answer. */
1171
1172 for (;;) {
1173 r = dns_query_process_cname_one(q);
1174 if (r < 0 || r == DNS_QUERY_MATCH)
1175 return r;
1176 if (r == DNS_QUERY_NOMATCH) {
1177 /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer
1178 * this. Let's restart the query hence, with the new question. Why the different
1179 * handling than the first chain element? Because if the server answers a direct
1180 * question with an empty answer then this is a NODATA response. But if it responds
1181 * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated
1182 * CNAME chain) then we better follow up ourselves and ask for the rest of the
1183 * chain. This is particular relevant since our cache will store CNAME/DNAME
1184 * redirects that we learnt about for lookups of certain DNS types, but later on we
1185 * can reuse this data even for other DNS types, but in that case need to follow up
1186 * with the final lookup of the chain ourselves with the RR type we ourselves are
1187 * interested in. */
1188 r = dns_query_go(q);
1189 if (r < 0)
1190 return r;
1191
1192 return DNS_QUERY_CNAME;
1193 }
1194
1195 /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's
1196 * continue going then. */
1197 assert(r == DNS_QUERY_CNAME);
1198 }
45ec7efb
LP		 1199}
1200
23b298bc
LP		 1201DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) {
1202 assert(q);
1203
775ae354
LP		 1204 if (q->question_bypass)
1205 return q->question_bypass->question;
1206
23b298bc
LP		 1207 switch (protocol) {
1208
1209 case DNS_PROTOCOL_DNS:
1210 return q->question_idna;
1211
1212 case DNS_PROTOCOL_MDNS:
1213 case DNS_PROTOCOL_LLMNR:
1214 return q->question_utf8;
1215
1216 default:
1217 return NULL;
1218 }
1219}
1220
1221const char *dns_query_string(DnsQuery *q) {
1222 const char *name;
1223 int r;
1224
1225 /* Returns a somewhat useful human-readable lookup key string for this query */
1226
775ae354
LP		 1227 if (q->question_bypass)
1228 return dns_question_first_name(q->question_bypass->question);
1229
23b298bc
LP		 1230 if (q->request_address_string)
1231 return q->request_address_string;
1232
1233 if (q->request_address_valid) {
1234 r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string);
1235 if (r >= 0)
1236 return q->request_address_string;
1237 }
1238
1239 name = dns_question_first_name(q->question_utf8);
1240 if (name)
1241 return name;
1242
1243 return dns_question_first_name(q->question_idna);
1244}
28830a64
LP		 1245
1246bool dns_query_fully_authenticated(DnsQuery *q) {
1247 assert(q);
1248
6f055e43 1249 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated;
28830a64 1250}
43fc4baa
LP		 1251
1252bool dns_query_fully_confidential(DnsQuery *q) {
1253 assert(q);
1254
1255 return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
1256}
4ad017cd 1257
9ddf099f 1258bool dns_query_fully_authoritative(DnsQuery *q) {
4ad017cd
SB		 1259 assert(q);
1260
9ddf099f
LP		 1261 /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
1262 * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
7802194a 1263 * previous synthetic DNAME/CNAME redirections.) */
9ddf099f
LP		 1264 if ((q->answer_query_flags & SD_RESOLVED_SYNTHETIC) && !q->previous_redirect_non_synthetic)
1265 return true;
1266
1267 /* We are also authoritative for everything coming only from the trust anchor and the local
1268 * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
7802194a 1269 * explicitly check previous redirects here.) */
9ddf099f 1270 return (q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~(SD_RESOLVED_FROM_TRUST_ANCHOR | SD_RESOLVED_FROM_ZONE)) == 0;
4ad017cd 1271}
Unnamed repository; edit this file 'description' to name the repository.