]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
74b2466e | 2 | |
b5efdb8a | 3 | #include "alloc-util.h" |
2a1037af | 4 | #include "dns-domain.h" |
011696f7 | 5 | #include "dns-type.h" |
ecdfb9a1 | 6 | #include "event-util.h" |
e2341b6b | 7 | #include "glyph-util.h" |
b5efdb8a | 8 | #include "hostname-util.h" |
78c6a153 | 9 | #include "local-addresses.h" |
74b2466e | 10 | #include "resolved-dns-query.h" |
839a4a20 | 11 | #include "resolved-dns-synthesize.h" |
dd0bc0f1 | 12 | #include "resolved-etc-hosts.h" |
23b298bc | 13 | #include "string-util.h" |
74b2466e | 14 | |
39762fdf | 15 | #define QUERIES_MAX 2048 |
45ec7efb | 16 | #define AUXILIARY_QUERIES_MAX 64 |
b4d12278 | 17 | #define CNAME_REDIRECTS_MAX 16 |
8ba9fd9c | 18 | |
e1004d0a | 19 | assert_cc(AUXILIARY_QUERIES_MAX < UINT8_MAX); |
b4d12278 | 20 | assert_cc(CNAME_REDIRECTS_MAX < UINT8_MAX); |
8ba9fd9c | 21 | |
801ad6a6 LP |
22 | static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) { |
23 | DnsQueryCandidate *c; | |
74b2466e | 24 | |
801ad6a6 | 25 | assert(ret); |
faa133f3 | 26 | assert(q); |
801ad6a6 | 27 | assert(s); |
74b2466e | 28 | |
1ed31408 | 29 | c = new(DnsQueryCandidate, 1); |
801ad6a6 LP |
30 | if (!c) |
31 | return -ENOMEM; | |
32 | ||
1ed31408 | 33 | *c = (DnsQueryCandidate) { |
0e0fd08f | 34 | .n_ref = 1, |
1ed31408 LP |
35 | .query = q, |
36 | .scope = s, | |
37 | }; | |
801ad6a6 LP |
38 | |
39 | LIST_PREPEND(candidates_by_query, q->candidates, c); | |
40 | LIST_PREPEND(candidates_by_scope, s->query_candidates, c); | |
41 | ||
42 | *ret = c; | |
43 | return 0; | |
44 | } | |
45 | ||
46 | static void dns_query_candidate_stop(DnsQueryCandidate *c) { | |
47 | DnsTransaction *t; | |
74b2466e | 48 | |
801ad6a6 LP |
49 | assert(c); |
50 | ||
c856ef04 ZJS |
51 | /* Detach all the DnsTransactions attached to this query */ |
52 | ||
801ad6a6 | 53 | while ((t = set_steal_first(c->transactions))) { |
547973de | 54 | set_remove(t->notify_query_candidates, c); |
35aa04e9 | 55 | set_remove(t->notify_query_candidates_done, c); |
ec2c5e43 | 56 | dns_transaction_gc(t); |
74b2466e | 57 | } |
74b2466e LP |
58 | } |
59 | ||
c856ef04 ZJS |
60 | static DnsQueryCandidate* dns_query_candidate_unlink(DnsQueryCandidate *c) { |
61 | assert(c); | |
62 | ||
63 | /* Detach this DnsQueryCandidate from the Query and Scope objects */ | |
64 | ||
65 | if (c->query) { | |
66 | LIST_REMOVE(candidates_by_query, c->query->candidates, c); | |
67 | c->query = NULL; | |
68 | } | |
69 | ||
70 | if (c->scope) { | |
71 | LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c); | |
72 | c->scope = NULL; | |
73 | } | |
74 | ||
75 | return c; | |
76 | } | |
77 | ||
0e0fd08f | 78 | static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) { |
801ad6a6 LP |
79 | if (!c) |
80 | return NULL; | |
81 | ||
82 | dns_query_candidate_stop(c); | |
c856ef04 | 83 | dns_query_candidate_unlink(c); |
801ad6a6 LP |
84 | |
85 | set_free(c->transactions); | |
86 | dns_search_domain_unref(c->search_domain); | |
87 | ||
6b430fdb | 88 | return mfree(c); |
801ad6a6 LP |
89 | } |
90 | ||
0e0fd08f ZJS |
91 | DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate, dns_query_candidate, dns_query_candidate_free); |
92 | ||
801ad6a6 | 93 | static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) { |
c805014a | 94 | DnsSearchDomain *next; |
801ad6a6 LP |
95 | |
96 | assert(c); | |
97 | ||
ad44b56b | 98 | if (c->search_domain && c->search_domain->linked) |
801ad6a6 | 99 | next = c->search_domain->domains_next; |
ad44b56b LP |
100 | else |
101 | next = dns_scope_get_search_domains(c->scope); | |
801ad6a6 | 102 | |
ad44b56b | 103 | for (;;) { |
6627b7e2 LP |
104 | if (!next) /* We hit the end of the list */ |
105 | return 0; | |
801ad6a6 | 106 | |
ad44b56b LP |
107 | if (!next->route_only) |
108 | break; | |
801ad6a6 | 109 | |
ad44b56b LP |
110 | /* Skip over route-only domains */ |
111 | next = next->domains_next; | |
801ad6a6 LP |
112 | } |
113 | ||
114 | dns_search_domain_unref(c->search_domain); | |
115 | c->search_domain = dns_search_domain_ref(next); | |
6627b7e2 | 116 | |
801ad6a6 LP |
117 | return 1; |
118 | } | |
119 | ||
775ae354 LP |
120 | static int dns_query_candidate_add_transaction( |
121 | DnsQueryCandidate *c, | |
122 | DnsResourceKey *key, | |
123 | DnsPacket *bypass) { | |
124 | ||
29bd6012 | 125 | _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL; |
801ad6a6 LP |
126 | int r; |
127 | ||
128 | assert(c); | |
c856ef04 | 129 | assert(c->query); /* We shan't add transactions to a candidate that has been detached already */ |
801ad6a6 | 130 | |
775ae354 LP |
131 | if (key) { |
132 | /* Regular lookup with a resource key */ | |
133 | assert(!bypass); | |
134 | ||
135 | t = dns_scope_find_transaction(c->scope, key, c->query->flags); | |
136 | if (!t) { | |
137 | r = dns_transaction_new(&t, c->scope, key, NULL, c->query->flags); | |
138 | if (r < 0) | |
139 | return r; | |
140 | } else if (set_contains(c->transactions, t)) | |
141 | return 0; | |
142 | } else { | |
143 | /* "Bypass" lookup with a query packet */ | |
144 | assert(bypass); | |
145 | ||
146 | r = dns_transaction_new(&t, c->scope, NULL, bypass, c->query->flags); | |
801ad6a6 LP |
147 | if (r < 0) |
148 | return r; | |
775ae354 | 149 | } |
801ad6a6 | 150 | |
35aa04e9 LP |
151 | r = set_ensure_allocated(&t->notify_query_candidates_done, NULL); |
152 | if (r < 0) | |
29bd6012 | 153 | return r; |
35aa04e9 | 154 | |
de7fef4b | 155 | r = set_ensure_put(&t->notify_query_candidates, NULL, c); |
801ad6a6 | 156 | if (r < 0) |
29bd6012 | 157 | return r; |
801ad6a6 | 158 | |
de7fef4b | 159 | r = set_ensure_put(&c->transactions, NULL, t); |
801ad6a6 | 160 | if (r < 0) { |
547973de | 161 | (void) set_remove(t->notify_query_candidates, c); |
29bd6012 | 162 | return r; |
801ad6a6 LP |
163 | } |
164 | ||
29bd6012 | 165 | TAKE_PTR(t); |
547973de | 166 | return 1; |
801ad6a6 LP |
167 | } |
168 | ||
169 | static int dns_query_candidate_go(DnsQueryCandidate *c) { | |
d7ac0952 | 170 | _unused_ _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL; |
801ad6a6 | 171 | DnsTransaction *t; |
801ad6a6 | 172 | int r; |
011696f7 | 173 | unsigned n = 0; |
801ad6a6 LP |
174 | |
175 | assert(c); | |
176 | ||
0e0fd08f ZJS |
177 | /* Let's keep a reference to the query while we're operating */ |
178 | keep_c = dns_query_candidate_ref(c); | |
4ea8b443 | 179 | |
801ad6a6 | 180 | /* Start the transactions that are not started yet */ |
90e74a66 | 181 | SET_FOREACH(t, c->transactions) { |
801ad6a6 LP |
182 | if (t->state != DNS_TRANSACTION_NULL) |
183 | continue; | |
184 | ||
185 | r = dns_transaction_go(t); | |
0e0fd08f | 186 | if (r < 0) |
801ad6a6 | 187 | return r; |
011696f7 LP |
188 | |
189 | n++; | |
801ad6a6 LP |
190 | } |
191 | ||
011696f7 | 192 | /* If there was nothing to start, then let's proceed immediately */ |
0e0fd08f | 193 | if (n == 0) |
011696f7 LP |
194 | dns_query_candidate_notify(c); |
195 | ||
801ad6a6 LP |
196 | return 0; |
197 | } | |
198 | ||
199 | static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) { | |
200 | DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS; | |
201 | DnsTransaction *t; | |
801ad6a6 LP |
202 | |
203 | assert(c); | |
204 | ||
205 | if (c->error_code != 0) | |
7cc6ed7b | 206 | return DNS_TRANSACTION_ERRNO; |
801ad6a6 | 207 | |
adf6d848 | 208 | SET_FOREACH(t, c->transactions) |
801ad6a6 LP |
209 | |
210 | switch (t->state) { | |
211 | ||
5264131a LP |
212 | case DNS_TRANSACTION_NULL: |
213 | /* If there's a NULL transaction pending, then | |
214 | * this means not all transactions where | |
215 | * started yet, and we were called from within | |
216 | * the stackframe that is supposed to start | |
217 | * remaining transactions. In this case, | |
218 | * simply claim the candidate is pending. */ | |
219 | ||
801ad6a6 | 220 | case DNS_TRANSACTION_PENDING: |
547973de LP |
221 | case DNS_TRANSACTION_VALIDATING: |
222 | /* If there's one transaction currently in | |
223 | * VALIDATING state, then this means there's | |
224 | * also one in PENDING state, hence we can | |
225 | * return PENDING immediately. */ | |
226 | return DNS_TRANSACTION_PENDING; | |
801ad6a6 LP |
227 | |
228 | case DNS_TRANSACTION_SUCCESS: | |
229 | state = t->state; | |
230 | break; | |
231 | ||
232 | default: | |
233 | if (state != DNS_TRANSACTION_SUCCESS) | |
234 | state = t->state; | |
235 | ||
236 | break; | |
237 | } | |
801ad6a6 LP |
238 | |
239 | return state; | |
240 | } | |
241 | ||
242 | static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) { | |
23b298bc | 243 | DnsQuestion *question; |
801ad6a6 LP |
244 | DnsResourceKey *key; |
245 | int n = 0, r; | |
246 | ||
247 | assert(c); | |
c856ef04 | 248 | assert(c->query); /* We shan't add transactions to a candidate that has been detached already */ |
801ad6a6 LP |
249 | |
250 | dns_query_candidate_stop(c); | |
251 | ||
775ae354 LP |
252 | if (c->query->question_bypass) { |
253 | /* If this is a bypass query, then pass the original query packet along to the transaction */ | |
254 | ||
255 | assert(dns_question_size(c->query->question_bypass->question) == 1); | |
256 | ||
ab715ddb | 257 | if (!dns_scope_good_key(c->scope, dns_question_first_key(c->query->question_bypass->question))) |
775ae354 LP |
258 | return 0; |
259 | ||
260 | r = dns_query_candidate_add_transaction(c, NULL, c->query->question_bypass); | |
261 | if (r < 0) | |
262 | goto fail; | |
263 | ||
264 | return 1; | |
265 | } | |
266 | ||
23b298bc LP |
267 | question = dns_query_question_for_protocol(c->query, c->scope->protocol); |
268 | ||
801ad6a6 | 269 | /* Create one transaction per question key */ |
23b298bc | 270 | DNS_QUESTION_FOREACH(key, question) { |
801ad6a6 | 271 | _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL; |
011696f7 LP |
272 | DnsResourceKey *qkey; |
273 | ||
801ad6a6 LP |
274 | if (c->search_domain) { |
275 | r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name); | |
276 | if (r < 0) | |
277 | goto fail; | |
801ad6a6 | 278 | |
011696f7 LP |
279 | qkey = new_key; |
280 | } else | |
281 | qkey = key; | |
282 | ||
283 | if (!dns_scope_good_key(c->scope, qkey)) | |
284 | continue; | |
285 | ||
775ae354 | 286 | r = dns_query_candidate_add_transaction(c, qkey, NULL); |
801ad6a6 LP |
287 | if (r < 0) |
288 | goto fail; | |
289 | ||
290 | n++; | |
291 | } | |
292 | ||
293 | return n; | |
294 | ||
295 | fail: | |
296 | dns_query_candidate_stop(c); | |
297 | return r; | |
298 | } | |
299 | ||
547973de | 300 | void dns_query_candidate_notify(DnsQueryCandidate *c) { |
801ad6a6 LP |
301 | DnsTransactionState state; |
302 | int r; | |
303 | ||
304 | assert(c); | |
305 | ||
c856ef04 ZJS |
306 | if (!c->query) /* This candidate has been abandoned, do nothing. */ |
307 | return; | |
308 | ||
801ad6a6 LP |
309 | state = dns_query_candidate_state(c); |
310 | ||
547973de | 311 | if (DNS_TRANSACTION_IS_LIVE(state)) |
801ad6a6 LP |
312 | return; |
313 | ||
314 | if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) { | |
315 | ||
316 | r = dns_query_candidate_next_search_domain(c); | |
317 | if (r < 0) | |
318 | goto fail; | |
319 | ||
320 | if (r > 0) { | |
321 | /* OK, there's another search domain to try, let's do so. */ | |
322 | ||
323 | r = dns_query_candidate_setup_transactions(c); | |
324 | if (r < 0) | |
325 | goto fail; | |
326 | ||
327 | if (r > 0) { | |
328 | /* New transactions where queued. Start them and wait */ | |
329 | ||
330 | r = dns_query_candidate_go(c); | |
331 | if (r < 0) | |
332 | goto fail; | |
333 | ||
334 | return; | |
335 | } | |
336 | } | |
337 | ||
338 | } | |
339 | ||
340 | dns_query_ready(c->query); | |
341 | return; | |
342 | ||
343 | fail: | |
fed66db0 | 344 | c->error_code = log_warning_errno(r, "Failed to follow search domains: %m"); |
801ad6a6 LP |
345 | dns_query_ready(c->query); |
346 | } | |
347 | ||
348 | static void dns_query_stop(DnsQuery *q) { | |
801ad6a6 LP |
349 | assert(q); |
350 | ||
ecdfb9a1 | 351 | event_source_disable(q->timeout_event_source); |
801ad6a6 LP |
352 | |
353 | LIST_FOREACH(candidates_by_query, c, q->candidates) | |
354 | dns_query_candidate_stop(c); | |
355 | } | |
356 | ||
c856ef04 | 357 | static void dns_query_unlink_candidates(DnsQuery *q) { |
7820b320 LP |
358 | assert(q); |
359 | ||
360 | while (q->candidates) | |
c856ef04 ZJS |
361 | /* Here we drop *our* references to each of the candidates. If we had the only reference, the |
362 | * DnsQueryCandidate object will be freed. */ | |
363 | dns_query_candidate_unref(dns_query_candidate_unlink(q->candidates)); | |
7820b320 LP |
364 | } |
365 | ||
366 | static void dns_query_reset_answer(DnsQuery *q) { | |
367 | assert(q); | |
368 | ||
369 | q->answer = dns_answer_unref(q->answer); | |
370 | q->answer_rcode = 0; | |
371 | q->answer_dnssec_result = _DNSSEC_RESULT_INVALID; | |
7cc6ed7b | 372 | q->answer_errno = 0; |
6f055e43 | 373 | q->answer_query_flags = 0; |
7820b320 LP |
374 | q->answer_protocol = _DNS_PROTOCOL_INVALID; |
375 | q->answer_family = AF_UNSPEC; | |
376 | q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain); | |
775ae354 | 377 | q->answer_full_packet = dns_packet_unref(q->answer_full_packet); |
7820b320 LP |
378 | } |
379 | ||
74b2466e | 380 | DnsQuery *dns_query_free(DnsQuery *q) { |
74b2466e LP |
381 | if (!q) |
382 | return NULL; | |
383 | ||
73bfd7be YW |
384 | q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source); |
385 | ||
45ec7efb LP |
386 | while (q->auxiliary_queries) |
387 | dns_query_free(q->auxiliary_queries); | |
388 | ||
389 | if (q->auxiliary_for) { | |
390 | assert(q->auxiliary_for->n_auxiliary_queries > 0); | |
391 | q->auxiliary_for->n_auxiliary_queries--; | |
392 | LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q); | |
393 | } | |
394 | ||
c856ef04 | 395 | dns_query_unlink_candidates(q); |
322345fd | 396 | |
23b298bc LP |
397 | dns_question_unref(q->question_idna); |
398 | dns_question_unref(q->question_utf8); | |
775ae354 | 399 | dns_packet_unref(q->question_bypass); |
7820b320 LP |
400 | |
401 | dns_query_reset_answer(q); | |
322345fd | 402 | |
c9de4e0f | 403 | sd_bus_message_unref(q->bus_request); |
82bd6ddd | 404 | sd_bus_track_unref(q->bus_track); |
74b2466e | 405 | |
9581bb84 LP |
406 | if (q->varlink_request) { |
407 | varlink_set_userdata(q->varlink_request, NULL); | |
408 | varlink_unref(q->varlink_request); | |
409 | } | |
410 | ||
bde69bbd LP |
411 | if (q->request_packet) |
412 | hashmap_remove_value(q->stub_listener_extra ? | |
413 | q->stub_listener_extra->queries_by_packet : | |
414 | q->manager->stub_queries_by_packet, | |
415 | q->request_packet, | |
416 | q); | |
417 | ||
775ae354 LP |
418 | dns_packet_unref(q->request_packet); |
419 | dns_answer_unref(q->reply_answer); | |
420 | dns_answer_unref(q->reply_authoritative); | |
421 | dns_answer_unref(q->reply_additional); | |
b30bf55d | 422 | |
775ae354 | 423 | if (q->request_stream) { |
b30bf55d | 424 | /* Detach the stream from our query, in case something else keeps a reference to it. */ |
775ae354 LP |
425 | (void) set_remove(q->request_stream->queries, q); |
426 | q->request_stream = dns_stream_unref(q->request_stream); | |
b30bf55d LP |
427 | } |
428 | ||
23b298bc LP |
429 | free(q->request_address_string); |
430 | ||
39762fdf | 431 | if (q->manager) { |
74b2466e | 432 | LIST_REMOVE(queries, q->manager->dns_queries, q); |
39762fdf LP |
433 | q->manager->n_dns_queries--; |
434 | } | |
74b2466e | 435 | |
6b430fdb | 436 | return mfree(q); |
74b2466e LP |
437 | } |
438 | ||
23b298bc LP |
439 | int dns_query_new( |
440 | Manager *m, | |
441 | DnsQuery **ret, | |
442 | DnsQuestion *question_utf8, | |
443 | DnsQuestion *question_idna, | |
775ae354 | 444 | DnsPacket *question_bypass, |
17c8de63 LP |
445 | int ifindex, |
446 | uint64_t flags) { | |
23b298bc | 447 | |
74b2466e | 448 | _cleanup_(dns_query_freep) DnsQuery *q = NULL; |
775ae354 | 449 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; |
23b298bc | 450 | DnsResourceKey *key; |
faa133f3 | 451 | int r; |
74b2466e LP |
452 | |
453 | assert(m); | |
454 | ||
775ae354 LP |
455 | if (question_bypass) { |
456 | /* It's either a "bypass" query, or a regular one, but can't be both. */ | |
457 | if (question_utf8 || question_idna) | |
23b298bc LP |
458 | return -EINVAL; |
459 | ||
775ae354 LP |
460 | } else { |
461 | bool good = false; | |
23b298bc | 462 | |
1a71fe4e LP |
463 | /* This (primarily) checks two things: |
464 | * | |
465 | * 1. That the question is not empty | |
466 | * 2. That all RR keys in the question objects are for the same domain | |
467 | * | |
468 | * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for | |
469 | * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */ | |
470 | ||
775ae354 LP |
471 | if (dns_question_size(question_utf8) > 0) { |
472 | r = dns_question_is_valid_for_query(question_utf8); | |
23b298bc LP |
473 | if (r < 0) |
474 | return r; | |
475 | if (r == 0) | |
476 | return -EINVAL; | |
477 | ||
478 | good = true; | |
479 | } | |
23b298bc | 480 | |
775ae354 LP |
481 | /* If the IDNA and UTF8 questions are the same, merge their references */ |
482 | r = dns_question_is_equal(question_idna, question_utf8); | |
483 | if (r < 0) | |
484 | return r; | |
485 | if (r > 0) | |
486 | question_idna = question_utf8; | |
487 | else { | |
488 | if (dns_question_size(question_idna) > 0) { | |
489 | r = dns_question_is_valid_for_query(question_idna); | |
490 | if (r < 0) | |
491 | return r; | |
492 | if (r == 0) | |
493 | return -EINVAL; | |
494 | ||
495 | good = true; | |
496 | } | |
497 | } | |
498 | ||
499 | if (!good) /* don't allow empty queries */ | |
500 | return -EINVAL; | |
501 | } | |
74b2466e | 502 | |
39762fdf LP |
503 | if (m->n_dns_queries >= QUERIES_MAX) |
504 | return -EBUSY; | |
505 | ||
1ed31408 | 506 | q = new(DnsQuery, 1); |
74b2466e LP |
507 | if (!q) |
508 | return -ENOMEM; | |
509 | ||
1ed31408 LP |
510 | *q = (DnsQuery) { |
511 | .question_utf8 = dns_question_ref(question_utf8), | |
512 | .question_idna = dns_question_ref(question_idna), | |
775ae354 | 513 | .question_bypass = dns_packet_ref(question_bypass), |
1ed31408 LP |
514 | .ifindex = ifindex, |
515 | .flags = flags, | |
516 | .answer_dnssec_result = _DNSSEC_RESULT_INVALID, | |
517 | .answer_protocol = _DNS_PROTOCOL_INVALID, | |
518 | .answer_family = AF_UNSPEC, | |
519 | }; | |
322345fd | 520 | |
775ae354 LP |
521 | if (question_bypass) { |
522 | DNS_QUESTION_FOREACH(key, question_bypass->question) | |
523 | log_debug("Looking up bypass packet for %s.", | |
524 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
525 | } else { | |
160f3145 | 526 | /* First dump UTF8 question */ |
775ae354 LP |
527 | DNS_QUESTION_FOREACH(key, question_utf8) |
528 | log_debug("Looking up RR for %s.", | |
529 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
530 | ||
531 | /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */ | |
532 | DNS_QUESTION_FOREACH(key, question_idna) { | |
ab715ddb | 533 | r = dns_question_contains_key(question_utf8, key); |
775ae354 LP |
534 | if (r < 0) |
535 | return r; | |
536 | if (r > 0) | |
537 | continue; | |
23b298bc | 538 | |
775ae354 LP |
539 | log_debug("Looking up IDNA RR for %s.", |
540 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
541 | } | |
74b2466e LP |
542 | } |
543 | ||
544 | LIST_PREPEND(queries, m->dns_queries, q); | |
39762fdf | 545 | m->n_dns_queries++; |
74b2466e LP |
546 | q->manager = m; |
547 | ||
8ba9fd9c LP |
548 | if (ret) |
549 | *ret = q; | |
8ba9fd9c | 550 | |
775ae354 | 551 | TAKE_PTR(q); |
8ba9fd9c LP |
552 | return 0; |
553 | } | |
554 | ||
45ec7efb LP |
555 | int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) { |
556 | assert(q); | |
557 | assert(auxiliary_for); | |
558 | ||
61233823 | 559 | /* Ensure that the query is not auxiliary yet, and |
45ec7efb LP |
560 | * nothing else is auxiliary to it either */ |
561 | assert(!q->auxiliary_for); | |
562 | assert(!q->auxiliary_queries); | |
563 | ||
564 | /* Ensure that the unit we shall be made auxiliary for isn't | |
565 | * auxiliary itself */ | |
566 | assert(!auxiliary_for->auxiliary_for); | |
567 | ||
568 | if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX) | |
569 | return -EAGAIN; | |
570 | ||
571 | LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q); | |
572 | q->auxiliary_for = auxiliary_for; | |
573 | ||
574 | auxiliary_for->n_auxiliary_queries++; | |
575 | return 0; | |
576 | } | |
577 | ||
65a01e82 | 578 | void dns_query_complete(DnsQuery *q, DnsTransactionState state) { |
8ba9fd9c | 579 | assert(q); |
547973de LP |
580 | assert(!DNS_TRANSACTION_IS_LIVE(state)); |
581 | assert(DNS_TRANSACTION_IS_LIVE(q->state)); | |
8ba9fd9c | 582 | |
65a01e82 LP |
583 | /* Note that this call might invalidate the query. Callers should hence not attempt to access the |
584 | * query or transaction after calling this function. */ | |
8ba9fd9c | 585 | |
8ba9fd9c LP |
586 | q->state = state; |
587 | ||
0e26016e | 588 | if (q->question_utf8 && state == DNS_TRANSACTION_SUCCESS && set_size(q->manager->varlink_subscription) > 0) |
227e1279 | 589 | (void) manager_monitor_send(q->manager, q->answer, dns_question_first_name(q->question_utf8)); |
cb456374 | 590 | |
322345fd LP |
591 | dns_query_stop(q); |
592 | if (q->complete) | |
593 | q->complete(q); | |
8ba9fd9c LP |
594 | } |
595 | ||
596 | static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) { | |
99534007 | 597 | DnsQuery *q = ASSERT_PTR(userdata); |
8ba9fd9c LP |
598 | |
599 | assert(s); | |
8ba9fd9c | 600 | |
ec2c5e43 | 601 | dns_query_complete(q, DNS_TRANSACTION_TIMEOUT); |
8ba9fd9c LP |
602 | return 0; |
603 | } | |
604 | ||
801ad6a6 | 605 | static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) { |
0e0fd08f | 606 | _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *c = NULL; |
faa133f3 LP |
607 | int r; |
608 | ||
609 | assert(q); | |
ec2c5e43 | 610 | assert(s); |
faa133f3 | 611 | |
801ad6a6 | 612 | r = dns_query_candidate_new(&c, q, s); |
faa133f3 LP |
613 | if (r < 0) |
614 | return r; | |
615 | ||
801ad6a6 | 616 | /* If this a single-label domain on DNS, we might append a suitable search domain first. */ |
3b5bd7d6 ZJS |
617 | if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) && |
618 | dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) { | |
619 | /* OK, we want a search domain now. Let's find one for this scope */ | |
22f711bb | 620 | |
6da95857 | 621 | r = dns_query_candidate_next_search_domain(c); |
3b5bd7d6 | 622 | if (r < 0) |
7877e5ca | 623 | return r; |
faa133f3 LP |
624 | } |
625 | ||
801ad6a6 LP |
626 | r = dns_query_candidate_setup_transactions(c); |
627 | if (r < 0) | |
7877e5ca | 628 | return r; |
801ad6a6 | 629 | |
7877e5ca | 630 | TAKE_PTR(c); |
faa133f3 | 631 | return 0; |
faa133f3 LP |
632 | } |
633 | ||
78c6a153 | 634 | static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) { |
2a1037af | 635 | _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; |
dd0bc0f1 | 636 | int r; |
2a1037af LP |
637 | |
638 | assert(q); | |
639 | assert(state); | |
640 | ||
dd0bc0f1 LP |
641 | /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the |
642 | * the normal lookup finished. The data from the network hence takes precedence over the data we | |
643 | * synthesize. (But note that many scopes refuse to resolve certain domain names) */ | |
2a1037af LP |
644 | |
645 | if (!IN_SET(*state, | |
3bbdc31d | 646 | DNS_TRANSACTION_RCODE_FAILURE, |
2a1037af LP |
647 | DNS_TRANSACTION_NO_SERVERS, |
648 | DNS_TRANSACTION_TIMEOUT, | |
edbcc1fd | 649 | DNS_TRANSACTION_ATTEMPTS_MAX_REACHED, |
0791110f LP |
650 | DNS_TRANSACTION_NETWORK_DOWN, |
651 | DNS_TRANSACTION_NOT_FOUND)) | |
78c6a153 | 652 | return 0; |
2a1037af | 653 | |
775ae354 LP |
654 | if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE)) |
655 | return 0; | |
656 | ||
839a4a20 LP |
657 | r = dns_synthesize_answer( |
658 | q->manager, | |
775ae354 | 659 | q->question_bypass ? q->question_bypass->question : q->question_utf8, |
839a4a20 | 660 | q->ifindex, |
dd0bc0f1 | 661 | &answer); |
acf06088 LP |
662 | if (r == -ENXIO) { |
663 | /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */ | |
2a1037af | 664 | |
acf06088 LP |
665 | dns_query_reset_answer(q); |
666 | q->answer_rcode = DNS_RCODE_NXDOMAIN; | |
667 | q->answer_protocol = dns_synthesize_protocol(q->flags); | |
668 | q->answer_family = dns_synthesize_family(q->flags); | |
5c1790d1 | 669 | q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC; |
acf06088 LP |
670 | *state = DNS_TRANSACTION_RCODE_FAILURE; |
671 | ||
672 | return 0; | |
673 | } | |
839a4a20 LP |
674 | if (r <= 0) |
675 | return r; | |
2a1037af | 676 | |
839a4a20 | 677 | dns_query_reset_answer(q); |
2a1037af | 678 | |
1cc6c93a | 679 | q->answer = TAKE_PTR(answer); |
2a1037af | 680 | q->answer_rcode = DNS_RCODE_SUCCESS; |
dd0bc0f1 LP |
681 | q->answer_protocol = dns_synthesize_protocol(q->flags); |
682 | q->answer_family = dns_synthesize_family(q->flags); | |
5c1790d1 | 683 | q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC; |
2a1037af LP |
684 | |
685 | *state = DNS_TRANSACTION_SUCCESS; | |
78c6a153 LP |
686 | |
687 | return 1; | |
2a1037af LP |
688 | } |
689 | ||
dd0bc0f1 LP |
690 | static int dns_query_try_etc_hosts(DnsQuery *q) { |
691 | _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; | |
692 | int r; | |
693 | ||
694 | assert(q); | |
695 | ||
c805014a ZJS |
696 | /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is |
697 | * done. The data from /etc/hosts hence takes precedence over the network. */ | |
dd0bc0f1 | 698 | |
775ae354 LP |
699 | if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE)) |
700 | return 0; | |
701 | ||
dd0bc0f1 LP |
702 | r = manager_etc_hosts_lookup( |
703 | q->manager, | |
775ae354 | 704 | q->question_bypass ? q->question_bypass->question : q->question_utf8, |
dd0bc0f1 LP |
705 | &answer); |
706 | if (r <= 0) | |
707 | return r; | |
708 | ||
709 | dns_query_reset_answer(q); | |
710 | ||
1cc6c93a | 711 | q->answer = TAKE_PTR(answer); |
dd0bc0f1 LP |
712 | q->answer_rcode = DNS_RCODE_SUCCESS; |
713 | q->answer_protocol = dns_synthesize_protocol(q->flags); | |
714 | q->answer_family = dns_synthesize_family(q->flags); | |
5c1790d1 | 715 | q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC; |
dd0bc0f1 LP |
716 | |
717 | return 1; | |
718 | } | |
719 | ||
322345fd | 720 | int dns_query_go(DnsQuery *q) { |
8ba9fd9c | 721 | DnsScopeMatch found = DNS_SCOPE_NO; |
03677889 | 722 | DnsScope *first = NULL; |
8ba9fd9c LP |
723 | int r; |
724 | ||
725 | assert(q); | |
726 | ||
ec2c5e43 | 727 | if (q->state != DNS_TRANSACTION_NULL) |
8ba9fd9c LP |
728 | return 0; |
729 | ||
dd0bc0f1 LP |
730 | r = dns_query_try_etc_hosts(q); |
731 | if (r < 0) | |
732 | return r; | |
733 | if (r > 0) { | |
734 | dns_query_complete(q, DNS_TRANSACTION_SUCCESS); | |
735 | return 1; | |
736 | } | |
737 | ||
8ba9fd9c | 738 | LIST_FOREACH(scopes, s, q->manager->dns_scopes) { |
74b2466e | 739 | DnsScopeMatch match; |
23b298bc | 740 | |
176a9a2c | 741 | match = dns_scope_good_domain(s, q); |
830f50ab | 742 | assert(match >= 0); |
a97a3b25 LP |
743 | if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one |
744 | * that matches this well */ | |
745 | found = match; | |
74b2466e | 746 | first = s; |
74b2466e LP |
747 | } |
748 | } | |
749 | ||
2a1037af LP |
750 | if (found == DNS_SCOPE_NO) { |
751 | DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS; | |
752 | ||
7cc6ed7b LP |
753 | r = dns_query_synthesize_reply(q, &state); |
754 | if (r < 0) | |
755 | return r; | |
756 | ||
d634711b LP |
757 | dns_query_complete(q, state); |
758 | return 1; | |
2a1037af | 759 | } |
74b2466e | 760 | |
801ad6a6 | 761 | r = dns_query_add_candidate(q, first); |
74b2466e | 762 | if (r < 0) |
ec2c5e43 | 763 | goto fail; |
74b2466e | 764 | |
74b2466e LP |
765 | LIST_FOREACH(scopes, s, first->scopes_next) { |
766 | DnsScopeMatch match; | |
767 | ||
176a9a2c | 768 | match = dns_scope_good_domain(s, q); |
830f50ab | 769 | assert(match >= 0); |
a97a3b25 | 770 | if (match < found) |
74b2466e LP |
771 | continue; |
772 | ||
801ad6a6 | 773 | r = dns_query_add_candidate(q, s); |
74b2466e | 774 | if (r < 0) |
ec2c5e43 | 775 | goto fail; |
74b2466e LP |
776 | } |
777 | ||
ab88b6d0 | 778 | dns_query_reset_answer(q); |
74b2466e | 779 | |
ecdfb9a1 | 780 | r = event_reset_time_relative( |
9a015429 LP |
781 | q->manager->event, |
782 | &q->timeout_event_source, | |
ba4e0427 | 783 | CLOCK_BOOTTIME, |
39cf0351 | 784 | SD_RESOLVED_QUERY_TIMEOUT_USEC, |
ecdfb9a1 YW |
785 | 0, on_query_timeout, q, |
786 | 0, "query-timeout", true); | |
74b2466e LP |
787 | if (r < 0) |
788 | goto fail; | |
789 | ||
ec2c5e43 | 790 | q->state = DNS_TRANSACTION_PENDING; |
faa133f3 | 791 | q->block_ready++; |
74b2466e | 792 | |
801ad6a6 LP |
793 | /* Start the transactions */ |
794 | LIST_FOREACH(candidates_by_query, c, q->candidates) { | |
795 | r = dns_query_candidate_go(c); | |
796 | if (r < 0) { | |
797 | q->block_ready--; | |
ec2c5e43 | 798 | goto fail; |
801ad6a6 | 799 | } |
74b2466e LP |
800 | } |
801 | ||
faa133f3 LP |
802 | q->block_ready--; |
803 | dns_query_ready(q); | |
322345fd | 804 | |
8ba9fd9c | 805 | return 1; |
74b2466e LP |
806 | |
807 | fail: | |
8ba9fd9c | 808 | dns_query_stop(q); |
74b2466e LP |
809 | return r; |
810 | } | |
811 | ||
801ad6a6 | 812 | static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) { |
ec2c5e43 | 813 | DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS; |
43fc4baa | 814 | bool has_authenticated = false, has_non_authenticated = false, has_confidential = false, has_non_confidential = false; |
019036a4 | 815 | DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID; |
801ad6a6 | 816 | DnsTransaction *t; |
547973de | 817 | int r; |
74b2466e LP |
818 | |
819 | assert(q); | |
820 | ||
801ad6a6 | 821 | if (!c) { |
7cc6ed7b LP |
822 | r = dns_query_synthesize_reply(q, &state); |
823 | if (r < 0) | |
824 | goto fail; | |
825 | ||
801ad6a6 | 826 | dns_query_complete(q, state); |
74b2466e | 827 | return; |
801ad6a6 | 828 | } |
74b2466e | 829 | |
a7bf2ada LP |
830 | if (c->error_code != 0) { |
831 | /* If the candidate had an error condition of its own, start with that. */ | |
832 | state = DNS_TRANSACTION_ERRNO; | |
833 | q->answer = dns_answer_unref(q->answer); | |
834 | q->answer_rcode = 0; | |
835 | q->answer_dnssec_result = _DNSSEC_RESULT_INVALID; | |
6f055e43 | 836 | q->answer_query_flags = 0; |
a7bf2ada | 837 | q->answer_errno = c->error_code; |
775ae354 | 838 | q->answer_full_packet = dns_packet_unref(q->answer_full_packet); |
a7bf2ada LP |
839 | } |
840 | ||
90e74a66 | 841 | SET_FOREACH(t, c->transactions) { |
74b2466e | 842 | |
801ad6a6 | 843 | switch (t->state) { |
934e9b10 | 844 | |
801ad6a6 | 845 | case DNS_TRANSACTION_SUCCESS: { |
775ae354 LP |
846 | /* We found a successful reply, merge it into the answer */ |
847 | ||
848 | if (state == DNS_TRANSACTION_SUCCESS) { | |
849 | r = dns_answer_extend(&q->answer, t->answer); | |
850 | if (r < 0) | |
851 | goto fail; | |
5c1790d1 LP |
852 | |
853 | q->answer_query_flags |= dns_transaction_source_to_query_flags(t->answer_source); | |
775ae354 LP |
854 | } else { |
855 | /* Override non-successful previous answers */ | |
1117a960 | 856 | DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer)); |
5c1790d1 | 857 | q->answer_query_flags = dns_transaction_source_to_query_flags(t->answer_source); |
775ae354 | 858 | } |
019036a4 | 859 | |
ae6a4bbf | 860 | q->answer_rcode = t->answer_rcode; |
7cc6ed7b | 861 | q->answer_errno = 0; |
801ad6a6 | 862 | |
899e3cda | 863 | DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received)); |
775ae354 | 864 | |
6f055e43 | 865 | if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) { |
931851e8 | 866 | has_authenticated = true; |
019036a4 LP |
867 | dnssec_result_authenticated = t->answer_dnssec_result; |
868 | } else { | |
931851e8 | 869 | has_non_authenticated = true; |
019036a4 LP |
870 | dnssec_result_non_authenticated = t->answer_dnssec_result; |
871 | } | |
931851e8 | 872 | |
43fc4baa LP |
873 | if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL)) |
874 | has_confidential = true; | |
875 | else | |
876 | has_non_confidential = true; | |
877 | ||
801ad6a6 LP |
878 | state = DNS_TRANSACTION_SUCCESS; |
879 | break; | |
880 | } | |
881 | ||
801ad6a6 | 882 | case DNS_TRANSACTION_NULL: |
547973de LP |
883 | case DNS_TRANSACTION_PENDING: |
884 | case DNS_TRANSACTION_VALIDATING: | |
801ad6a6 LP |
885 | case DNS_TRANSACTION_ABORTED: |
886 | /* Ignore transactions that didn't complete */ | |
887 | continue; | |
888 | ||
889 | default: | |
cbb1aabb | 890 | /* Any kind of failure? Store the data away, if there's nothing stored yet. */ |
019036a4 LP |
891 | if (state == DNS_TRANSACTION_SUCCESS) |
892 | continue; | |
934e9b10 | 893 | |
cbb1aabb | 894 | /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */ |
6f055e43 LP |
895 | if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && |
896 | !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) | |
cbb1aabb LP |
897 | continue; |
898 | ||
1117a960 | 899 | DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer)); |
019036a4 LP |
900 | q->answer_rcode = t->answer_rcode; |
901 | q->answer_dnssec_result = t->answer_dnssec_result; | |
5c1790d1 | 902 | q->answer_query_flags = t->answer_query_flags | dns_transaction_source_to_query_flags(t->answer_source); |
7cc6ed7b | 903 | q->answer_errno = t->answer_errno; |
899e3cda | 904 | DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received)); |
934e9b10 | 905 | |
019036a4 | 906 | state = t->state; |
801ad6a6 | 907 | break; |
74b2466e | 908 | } |
801ad6a6 | 909 | } |
74b2466e | 910 | |
019036a4 | 911 | if (state == DNS_TRANSACTION_SUCCESS) { |
6f055e43 | 912 | SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated); |
43fc4baa | 913 | SET_FLAG(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, has_confidential && !has_non_confidential); |
6f055e43 | 914 | q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated; |
019036a4 LP |
915 | } |
916 | ||
801ad6a6 LP |
917 | q->answer_protocol = c->scope->protocol; |
918 | q->answer_family = c->scope->family; | |
934e9b10 | 919 | |
801ad6a6 LP |
920 | dns_search_domain_unref(q->answer_search_domain); |
921 | q->answer_search_domain = dns_search_domain_ref(c->search_domain); | |
7e8e0422 | 922 | |
7cc6ed7b LP |
923 | r = dns_query_synthesize_reply(q, &state); |
924 | if (r < 0) | |
925 | goto fail; | |
926 | ||
801ad6a6 | 927 | dns_query_complete(q, state); |
7cc6ed7b LP |
928 | return; |
929 | ||
930 | fail: | |
931 | q->answer_errno = -r; | |
932 | dns_query_complete(q, DNS_TRANSACTION_ERRNO); | |
801ad6a6 | 933 | } |
934e9b10 | 934 | |
801ad6a6 | 935 | void dns_query_ready(DnsQuery *q) { |
03677889 | 936 | DnsQueryCandidate *bad = NULL; |
801ad6a6 | 937 | bool pending = false; |
74b2466e | 938 | |
801ad6a6 | 939 | assert(q); |
547973de | 940 | assert(DNS_TRANSACTION_IS_LIVE(q->state)); |
e4501ed4 | 941 | |
801ad6a6 LP |
942 | /* Note that this call might invalidate the query. Callers |
943 | * should hence not attempt to access the query or transaction | |
944 | * after calling this function, unless the block_ready | |
945 | * counter was explicitly bumped before doing so. */ | |
946 | ||
947 | if (q->block_ready > 0) | |
948 | return; | |
949 | ||
950 | LIST_FOREACH(candidates_by_query, c, q->candidates) { | |
951 | DnsTransactionState state; | |
952 | ||
953 | state = dns_query_candidate_state(c); | |
954 | switch (state) { | |
955 | ||
956 | case DNS_TRANSACTION_SUCCESS: | |
547973de | 957 | /* One of the candidates is successful, |
801ad6a6 LP |
958 | * let's use it, and copy its data out */ |
959 | dns_query_accept(q, c); | |
e4501ed4 LP |
960 | return; |
961 | ||
801ad6a6 | 962 | case DNS_TRANSACTION_NULL: |
547973de LP |
963 | case DNS_TRANSACTION_PENDING: |
964 | case DNS_TRANSACTION_VALIDATING: | |
965 | /* One of the candidates is still going on, | |
966 | * let's maybe wait for it */ | |
801ad6a6 LP |
967 | pending = true; |
968 | break; | |
e4501ed4 | 969 | |
801ad6a6 LP |
970 | default: |
971 | /* Any kind of failure */ | |
972 | bad = c; | |
973 | break; | |
974 | } | |
faa133f3 | 975 | } |
74b2466e | 976 | |
801ad6a6 LP |
977 | if (pending) |
978 | return; | |
2a1037af | 979 | |
801ad6a6 | 980 | dns_query_accept(q, bad); |
74b2466e | 981 | } |
8ba9fd9c | 982 | |
45ec7efb | 983 | static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) { |
23b298bc LP |
984 | _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL; |
985 | int r, k; | |
8ba9fd9c LP |
986 | |
987 | assert(q); | |
988 | ||
b4d12278 | 989 | if (q->n_cname_redirects >= CNAME_REDIRECTS_MAX) |
8ba9fd9c | 990 | return -ELOOP; |
b4d12278 | 991 | q->n_cname_redirects++; |
8ba9fd9c | 992 | |
23b298bc | 993 | r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna); |
faa133f3 LP |
994 | if (r < 0) |
995 | return r; | |
4cba52cc | 996 | if (r > 0) |
e2341b6b DT |
997 | log_debug("Following CNAME/DNAME %s %s %s.", |
998 | dns_question_first_name(q->question_idna), | |
999 | special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), | |
1000 | dns_question_first_name(nq_idna)); | |
23b298bc LP |
1001 | |
1002 | k = dns_question_is_equal(q->question_idna, q->question_utf8); | |
1003 | if (k < 0) | |
4cba52cc | 1004 | return k; |
23b298bc LP |
1005 | if (k > 0) { |
1006 | /* Same question? Shortcut new question generation */ | |
1007 | nq_utf8 = dns_question_ref(nq_idna); | |
1008 | k = r; | |
1009 | } else { | |
1010 | k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8); | |
1011 | if (k < 0) | |
1012 | return k; | |
4cba52cc | 1013 | if (k > 0) |
e2341b6b DT |
1014 | log_debug("Following UTF8 CNAME/DNAME %s %s %s.", |
1015 | dns_question_first_name(q->question_utf8), | |
1016 | special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), | |
1017 | dns_question_first_name(nq_utf8)); | |
23b298bc | 1018 | } |
8ba9fd9c | 1019 | |
23b298bc LP |
1020 | if (r == 0 && k == 0) /* No actual cname happened? */ |
1021 | return -ELOOP; | |
1022 | ||
d46b79bb | 1023 | if (q->answer_protocol == DNS_PROTOCOL_DNS) |
8e5de09f LP |
1024 | /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources |
1025 | * cannot invade the local namespace. The opposite way we permit: local names may redirect to global | |
1026 | * ones. */ | |
8e5de09f | 1027 | q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */ |
8e5de09f LP |
1028 | |
1029 | /* Turn off searching for the new name */ | |
1030 | q->flags |= SD_RESOLVED_NO_SEARCH; | |
1031 | ||
23b298bc | 1032 | dns_question_unref(q->question_idna); |
1cc6c93a | 1033 | q->question_idna = TAKE_PTR(nq_idna); |
bc7669cf | 1034 | |
23b298bc | 1035 | dns_question_unref(q->question_utf8); |
1cc6c93a | 1036 | q->question_utf8 = TAKE_PTR(nq_utf8); |
8ba9fd9c | 1037 | |
c856ef04 | 1038 | dns_query_unlink_candidates(q); |
b1eea703 LP |
1039 | |
1040 | /* Note that we do *not* reset the answer here, because the answer we previously got might already | |
1041 | * include everything we need, let's check that first */ | |
322345fd | 1042 | |
8e5de09f | 1043 | q->state = DNS_TRANSACTION_NULL; |
59a89990 | 1044 | |
8ba9fd9c LP |
1045 | return 0; |
1046 | } | |
82bd6ddd | 1047 | |
1db8e6d1 | 1048 | int dns_query_process_cname_one(DnsQuery *q) { |
45ec7efb | 1049 | _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL; |
23b298bc | 1050 | DnsQuestion *question; |
45ec7efb | 1051 | DnsResourceRecord *rr; |
1a71fe4e LP |
1052 | bool full_match = true; |
1053 | DnsResourceKey *k; | |
45ec7efb LP |
1054 | int r; |
1055 | ||
1056 | assert(q); | |
1057 | ||
1db8e6d1 LP |
1058 | /* Processes a CNAME redirect if there's one. Returns one of three values: |
1059 | * | |
1060 | * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not | |
1061 | * bother with any CNAME/DNAME stuff) | |
1062 | * | |
1063 | * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to | |
1064 | * restart query or take things as NODATA reply. | |
1065 | * | |
1066 | * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step. | |
1067 | * | |
1068 | * The function might also return a failure, in particular -ELOOP if we encountered too many | |
1069 | * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off. | |
1070 | * | |
1071 | * Note that this function doesn't actually restart the query. The caller can decide to do that in | |
1072 | * case of CNAME_QUERY_CNAME, though. */ | |
1073 | ||
7588460a TG |
1074 | if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL)) |
1075 | return DNS_QUERY_NOMATCH; | |
45ec7efb | 1076 | |
23b298bc | 1077 | question = dns_query_question_for_protocol(q, q->answer_protocol); |
45ec7efb | 1078 | |
1a71fe4e LP |
1079 | /* Small reminder: our question will consist of one or more RR keys that match in name, but not in |
1080 | * record type. Specifically, when we do an address lookup the question will typically consist of one | |
1081 | * A and one AAAA key lookup for the same domain name. When we get a response from a server we need | |
1082 | * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME | |
1083 | * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant | |
1084 | * type. | |
1085 | * | |
1086 | * Hence we first check of the answers we collected are sufficient to answer all our questions | |
1087 | * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's | |
1088 | * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or | |
7802194a | 1089 | * the AAAA query. */ |
1a71fe4e LP |
1090 | |
1091 | DNS_QUESTION_FOREACH(k, question) { | |
1092 | bool match = false; | |
1093 | ||
1094 | DNS_ANSWER_FOREACH(rr, q->answer) { | |
1095 | r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); | |
1096 | if (r < 0) | |
1097 | return r; | |
1098 | if (r > 0) { | |
1099 | match = true; /* Yay, we found an RR that matches the key we are looking for */ | |
1100 | break; | |
1101 | } | |
1102 | } | |
1103 | ||
1104 | if (!match) { | |
1105 | /* Hmm. :-( there's no response for this key. This doesn't match. */ | |
1106 | full_match = false; | |
1107 | break; | |
1108 | } | |
1109 | } | |
45ec7efb | 1110 | |
1a71fe4e LP |
1111 | if (full_match) |
1112 | return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */ | |
1113 | ||
1114 | /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that | |
1115 | * matches any of our questions. */ | |
1116 | DNS_ANSWER_FOREACH(rr, q->answer) { | |
542e0c84 | 1117 | r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); |
45ec7efb LP |
1118 | if (r < 0) |
1119 | return r; | |
1120 | if (r > 0 && !cname) | |
1121 | cname = dns_resource_record_ref(rr); | |
1122 | } | |
1123 | ||
1124 | if (!cname) | |
1a71fe4e | 1125 | return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */ |
45ec7efb LP |
1126 | |
1127 | if (q->flags & SD_RESOLVED_NO_CNAME) | |
1128 | return -ELOOP; | |
1129 | ||
6f055e43 | 1130 | if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) |
28830a64 | 1131 | q->previous_redirect_unauthenticated = true; |
43fc4baa LP |
1132 | if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL)) |
1133 | q->previous_redirect_non_confidential = true; | |
9ddf099f LP |
1134 | if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_SYNTHETIC)) |
1135 | q->previous_redirect_non_synthetic = true; | |
28830a64 | 1136 | |
45ec7efb LP |
1137 | /* OK, let's actually follow the CNAME */ |
1138 | r = dns_query_cname_redirect(q, cname); | |
1139 | if (r < 0) | |
1140 | return r; | |
1141 | ||
1db8e6d1 LP |
1142 | return DNS_QUERY_CNAME; /* Tell caller that we did a single CNAME/DNAME redirection step */ |
1143 | } | |
45ec7efb | 1144 | |
1db8e6d1 LP |
1145 | int dns_query_process_cname_many(DnsQuery *q) { |
1146 | int r; | |
45ec7efb | 1147 | |
1db8e6d1 LP |
1148 | assert(q); |
1149 | ||
1150 | /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our | |
1151 | * redirected CNAME queries we keep going, and restart the query once the current packet isn't good | |
1152 | * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values, | |
1153 | * but with extended semantics. Specifically: | |
1154 | * | |
1155 | * DNS_QUERY_MATCH → as above | |
1156 | * | |
1157 | * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current | |
1158 | * message, and thus restarted the query to resolve it. | |
1159 | * | |
1160 | * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a | |
1161 | * CNAME/DNAME match. i.e. this is a NODATA case. | |
1162 | * | |
1163 | * Note that this function will restart the query for the caller if needed, and that's the case | |
1164 | * DNS_QUERY_CNAME is returned. | |
1165 | */ | |
1166 | ||
1167 | r = dns_query_process_cname_one(q); | |
1168 | if (r != DNS_QUERY_CNAME) | |
1169 | return r; /* The first redirect is special: if it doesn't answer the question that's no | |
1170 | * reason to restart the query, we just accept this as a NODATA answer. */ | |
1171 | ||
1172 | for (;;) { | |
1173 | r = dns_query_process_cname_one(q); | |
1174 | if (r < 0 || r == DNS_QUERY_MATCH) | |
1175 | return r; | |
1176 | if (r == DNS_QUERY_NOMATCH) { | |
1177 | /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer | |
1178 | * this. Let's restart the query hence, with the new question. Why the different | |
1179 | * handling than the first chain element? Because if the server answers a direct | |
1180 | * question with an empty answer then this is a NODATA response. But if it responds | |
1181 | * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated | |
1182 | * CNAME chain) then we better follow up ourselves and ask for the rest of the | |
1183 | * chain. This is particular relevant since our cache will store CNAME/DNAME | |
1184 | * redirects that we learnt about for lookups of certain DNS types, but later on we | |
1185 | * can reuse this data even for other DNS types, but in that case need to follow up | |
1186 | * with the final lookup of the chain ourselves with the RR type we ourselves are | |
1187 | * interested in. */ | |
1188 | r = dns_query_go(q); | |
1189 | if (r < 0) | |
1190 | return r; | |
1191 | ||
1192 | return DNS_QUERY_CNAME; | |
1193 | } | |
1194 | ||
1195 | /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's | |
1196 | * continue going then. */ | |
1197 | assert(r == DNS_QUERY_CNAME); | |
1198 | } | |
45ec7efb LP |
1199 | } |
1200 | ||
23b298bc LP |
1201 | DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) { |
1202 | assert(q); | |
1203 | ||
775ae354 LP |
1204 | if (q->question_bypass) |
1205 | return q->question_bypass->question; | |
1206 | ||
23b298bc LP |
1207 | switch (protocol) { |
1208 | ||
1209 | case DNS_PROTOCOL_DNS: | |
1210 | return q->question_idna; | |
1211 | ||
1212 | case DNS_PROTOCOL_MDNS: | |
1213 | case DNS_PROTOCOL_LLMNR: | |
1214 | return q->question_utf8; | |
1215 | ||
1216 | default: | |
1217 | return NULL; | |
1218 | } | |
1219 | } | |
1220 | ||
1221 | const char *dns_query_string(DnsQuery *q) { | |
1222 | const char *name; | |
1223 | int r; | |
1224 | ||
1225 | /* Returns a somewhat useful human-readable lookup key string for this query */ | |
1226 | ||
775ae354 LP |
1227 | if (q->question_bypass) |
1228 | return dns_question_first_name(q->question_bypass->question); | |
1229 | ||
23b298bc LP |
1230 | if (q->request_address_string) |
1231 | return q->request_address_string; | |
1232 | ||
1233 | if (q->request_address_valid) { | |
1234 | r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string); | |
1235 | if (r >= 0) | |
1236 | return q->request_address_string; | |
1237 | } | |
1238 | ||
1239 | name = dns_question_first_name(q->question_utf8); | |
1240 | if (name) | |
1241 | return name; | |
1242 | ||
1243 | return dns_question_first_name(q->question_idna); | |
1244 | } | |
28830a64 LP |
1245 | |
1246 | bool dns_query_fully_authenticated(DnsQuery *q) { | |
1247 | assert(q); | |
1248 | ||
6f055e43 | 1249 | return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated; |
28830a64 | 1250 | } |
43fc4baa LP |
1251 | |
1252 | bool dns_query_fully_confidential(DnsQuery *q) { | |
1253 | assert(q); | |
1254 | ||
1255 | return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential; | |
1256 | } | |
4ad017cd | 1257 | |
9ddf099f | 1258 | bool dns_query_fully_authoritative(DnsQuery *q) { |
4ad017cd SB |
1259 | assert(q); |
1260 | ||
9ddf099f LP |
1261 | /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't |
1262 | * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for | |
7802194a | 1263 | * previous synthetic DNAME/CNAME redirections.) */ |
9ddf099f LP |
1264 | if ((q->answer_query_flags & SD_RESOLVED_SYNTHETIC) && !q->previous_redirect_non_synthetic) |
1265 | return true; | |
1266 | ||
1267 | /* We are also authoritative for everything coming only from the trust anchor and the local | |
1268 | * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to | |
7802194a | 1269 | * explicitly check previous redirects here.) */ |
9ddf099f | 1270 | return (q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~(SD_RESOLVED_FROM_TRUST_ANCHOR | SD_RESOLVED_FROM_ZONE)) == 0; |
4ad017cd | 1271 | } |