]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
74b2466e | 2 | |
b5efdb8a | 3 | #include "alloc-util.h" |
2a1037af | 4 | #include "dns-domain.h" |
011696f7 | 5 | #include "dns-type.h" |
ecdfb9a1 | 6 | #include "event-util.h" |
e2341b6b | 7 | #include "glyph-util.h" |
b5efdb8a | 8 | #include "hostname-util.h" |
78c6a153 | 9 | #include "local-addresses.h" |
74b2466e | 10 | #include "resolved-dns-query.h" |
839a4a20 | 11 | #include "resolved-dns-synthesize.h" |
dd0bc0f1 | 12 | #include "resolved-etc-hosts.h" |
23b298bc | 13 | #include "string-util.h" |
74b2466e | 14 | |
39762fdf | 15 | #define QUERIES_MAX 2048 |
45ec7efb | 16 | #define AUXILIARY_QUERIES_MAX 64 |
b4d12278 | 17 | #define CNAME_REDIRECTS_MAX 16 |
8ba9fd9c | 18 | |
e1004d0a | 19 | assert_cc(AUXILIARY_QUERIES_MAX < UINT8_MAX); |
b4d12278 | 20 | assert_cc(CNAME_REDIRECTS_MAX < UINT8_MAX); |
8ba9fd9c | 21 | |
801ad6a6 LP |
22 | static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) { |
23 | DnsQueryCandidate *c; | |
74b2466e | 24 | |
801ad6a6 | 25 | assert(ret); |
faa133f3 | 26 | assert(q); |
801ad6a6 | 27 | assert(s); |
74b2466e | 28 | |
1ed31408 | 29 | c = new(DnsQueryCandidate, 1); |
801ad6a6 LP |
30 | if (!c) |
31 | return -ENOMEM; | |
32 | ||
1ed31408 | 33 | *c = (DnsQueryCandidate) { |
0e0fd08f | 34 | .n_ref = 1, |
1ed31408 LP |
35 | .query = q, |
36 | .scope = s, | |
37 | }; | |
801ad6a6 LP |
38 | |
39 | LIST_PREPEND(candidates_by_query, q->candidates, c); | |
40 | LIST_PREPEND(candidates_by_scope, s->query_candidates, c); | |
41 | ||
42 | *ret = c; | |
43 | return 0; | |
44 | } | |
45 | ||
46 | static void dns_query_candidate_stop(DnsQueryCandidate *c) { | |
47 | DnsTransaction *t; | |
74b2466e | 48 | |
801ad6a6 LP |
49 | assert(c); |
50 | ||
c856ef04 ZJS |
51 | /* Detach all the DnsTransactions attached to this query */ |
52 | ||
801ad6a6 | 53 | while ((t = set_steal_first(c->transactions))) { |
547973de | 54 | set_remove(t->notify_query_candidates, c); |
35aa04e9 | 55 | set_remove(t->notify_query_candidates_done, c); |
ec2c5e43 | 56 | dns_transaction_gc(t); |
74b2466e | 57 | } |
74b2466e LP |
58 | } |
59 | ||
c856ef04 ZJS |
60 | static DnsQueryCandidate* dns_query_candidate_unlink(DnsQueryCandidate *c) { |
61 | assert(c); | |
62 | ||
63 | /* Detach this DnsQueryCandidate from the Query and Scope objects */ | |
64 | ||
65 | if (c->query) { | |
66 | LIST_REMOVE(candidates_by_query, c->query->candidates, c); | |
67 | c->query = NULL; | |
68 | } | |
69 | ||
70 | if (c->scope) { | |
71 | LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c); | |
72 | c->scope = NULL; | |
73 | } | |
74 | ||
75 | return c; | |
76 | } | |
77 | ||
0e0fd08f | 78 | static DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) { |
801ad6a6 LP |
79 | if (!c) |
80 | return NULL; | |
81 | ||
82 | dns_query_candidate_stop(c); | |
c856ef04 | 83 | dns_query_candidate_unlink(c); |
801ad6a6 LP |
84 | |
85 | set_free(c->transactions); | |
86 | dns_search_domain_unref(c->search_domain); | |
87 | ||
6b430fdb | 88 | return mfree(c); |
801ad6a6 LP |
89 | } |
90 | ||
0e0fd08f ZJS |
91 | DEFINE_PUBLIC_TRIVIAL_REF_UNREF_FUNC(DnsQueryCandidate, dns_query_candidate, dns_query_candidate_free); |
92 | ||
801ad6a6 | 93 | static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) { |
c805014a | 94 | DnsSearchDomain *next; |
801ad6a6 LP |
95 | |
96 | assert(c); | |
97 | ||
ad44b56b | 98 | if (c->search_domain && c->search_domain->linked) |
801ad6a6 | 99 | next = c->search_domain->domains_next; |
ad44b56b LP |
100 | else |
101 | next = dns_scope_get_search_domains(c->scope); | |
801ad6a6 | 102 | |
ad44b56b | 103 | for (;;) { |
6627b7e2 LP |
104 | if (!next) /* We hit the end of the list */ |
105 | return 0; | |
801ad6a6 | 106 | |
ad44b56b LP |
107 | if (!next->route_only) |
108 | break; | |
801ad6a6 | 109 | |
ad44b56b LP |
110 | /* Skip over route-only domains */ |
111 | next = next->domains_next; | |
801ad6a6 LP |
112 | } |
113 | ||
114 | dns_search_domain_unref(c->search_domain); | |
115 | c->search_domain = dns_search_domain_ref(next); | |
6627b7e2 | 116 | |
801ad6a6 LP |
117 | return 1; |
118 | } | |
119 | ||
775ae354 LP |
120 | static int dns_query_candidate_add_transaction( |
121 | DnsQueryCandidate *c, | |
122 | DnsResourceKey *key, | |
123 | DnsPacket *bypass) { | |
124 | ||
29bd6012 | 125 | _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL; |
801ad6a6 LP |
126 | int r; |
127 | ||
128 | assert(c); | |
c856ef04 | 129 | assert(c->query); /* We shan't add transactions to a candidate that has been detached already */ |
801ad6a6 | 130 | |
775ae354 LP |
131 | if (key) { |
132 | /* Regular lookup with a resource key */ | |
133 | assert(!bypass); | |
134 | ||
135 | t = dns_scope_find_transaction(c->scope, key, c->query->flags); | |
136 | if (!t) { | |
137 | r = dns_transaction_new(&t, c->scope, key, NULL, c->query->flags); | |
138 | if (r < 0) | |
139 | return r; | |
140 | } else if (set_contains(c->transactions, t)) | |
141 | return 0; | |
142 | } else { | |
143 | /* "Bypass" lookup with a query packet */ | |
144 | assert(bypass); | |
145 | ||
146 | r = dns_transaction_new(&t, c->scope, NULL, bypass, c->query->flags); | |
801ad6a6 LP |
147 | if (r < 0) |
148 | return r; | |
775ae354 | 149 | } |
801ad6a6 | 150 | |
35aa04e9 LP |
151 | r = set_ensure_allocated(&t->notify_query_candidates_done, NULL); |
152 | if (r < 0) | |
29bd6012 | 153 | return r; |
35aa04e9 | 154 | |
de7fef4b | 155 | r = set_ensure_put(&t->notify_query_candidates, NULL, c); |
801ad6a6 | 156 | if (r < 0) |
29bd6012 | 157 | return r; |
801ad6a6 | 158 | |
de7fef4b | 159 | r = set_ensure_put(&c->transactions, NULL, t); |
801ad6a6 | 160 | if (r < 0) { |
547973de | 161 | (void) set_remove(t->notify_query_candidates, c); |
29bd6012 | 162 | return r; |
801ad6a6 LP |
163 | } |
164 | ||
29bd6012 | 165 | TAKE_PTR(t); |
547973de | 166 | return 1; |
801ad6a6 LP |
167 | } |
168 | ||
169 | static int dns_query_candidate_go(DnsQueryCandidate *c) { | |
d7ac0952 | 170 | _unused_ _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *keep_c = NULL; |
801ad6a6 | 171 | DnsTransaction *t; |
801ad6a6 | 172 | int r; |
011696f7 | 173 | unsigned n = 0; |
801ad6a6 LP |
174 | |
175 | assert(c); | |
176 | ||
0e0fd08f ZJS |
177 | /* Let's keep a reference to the query while we're operating */ |
178 | keep_c = dns_query_candidate_ref(c); | |
4ea8b443 | 179 | |
801ad6a6 | 180 | /* Start the transactions that are not started yet */ |
90e74a66 | 181 | SET_FOREACH(t, c->transactions) { |
801ad6a6 LP |
182 | if (t->state != DNS_TRANSACTION_NULL) |
183 | continue; | |
184 | ||
185 | r = dns_transaction_go(t); | |
0e0fd08f | 186 | if (r < 0) |
801ad6a6 | 187 | return r; |
011696f7 LP |
188 | |
189 | n++; | |
801ad6a6 LP |
190 | } |
191 | ||
011696f7 | 192 | /* If there was nothing to start, then let's proceed immediately */ |
0e0fd08f | 193 | if (n == 0) |
011696f7 LP |
194 | dns_query_candidate_notify(c); |
195 | ||
801ad6a6 LP |
196 | return 0; |
197 | } | |
198 | ||
199 | static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) { | |
200 | DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS; | |
201 | DnsTransaction *t; | |
801ad6a6 LP |
202 | |
203 | assert(c); | |
204 | ||
205 | if (c->error_code != 0) | |
7cc6ed7b | 206 | return DNS_TRANSACTION_ERRNO; |
801ad6a6 | 207 | |
adf6d848 | 208 | SET_FOREACH(t, c->transactions) |
801ad6a6 LP |
209 | |
210 | switch (t->state) { | |
211 | ||
5264131a LP |
212 | case DNS_TRANSACTION_NULL: |
213 | /* If there's a NULL transaction pending, then | |
214 | * this means not all transactions where | |
215 | * started yet, and we were called from within | |
216 | * the stackframe that is supposed to start | |
217 | * remaining transactions. In this case, | |
218 | * simply claim the candidate is pending. */ | |
219 | ||
801ad6a6 | 220 | case DNS_TRANSACTION_PENDING: |
547973de LP |
221 | case DNS_TRANSACTION_VALIDATING: |
222 | /* If there's one transaction currently in | |
223 | * VALIDATING state, then this means there's | |
224 | * also one in PENDING state, hence we can | |
225 | * return PENDING immediately. */ | |
226 | return DNS_TRANSACTION_PENDING; | |
801ad6a6 LP |
227 | |
228 | case DNS_TRANSACTION_SUCCESS: | |
229 | state = t->state; | |
230 | break; | |
231 | ||
232 | default: | |
233 | if (state != DNS_TRANSACTION_SUCCESS) | |
234 | state = t->state; | |
235 | ||
236 | break; | |
237 | } | |
801ad6a6 LP |
238 | |
239 | return state; | |
240 | } | |
241 | ||
242 | static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) { | |
23b298bc | 243 | DnsQuestion *question; |
801ad6a6 LP |
244 | DnsResourceKey *key; |
245 | int n = 0, r; | |
246 | ||
247 | assert(c); | |
c856ef04 | 248 | assert(c->query); /* We shan't add transactions to a candidate that has been detached already */ |
801ad6a6 LP |
249 | |
250 | dns_query_candidate_stop(c); | |
251 | ||
775ae354 LP |
252 | if (c->query->question_bypass) { |
253 | /* If this is a bypass query, then pass the original query packet along to the transaction */ | |
254 | ||
255 | assert(dns_question_size(c->query->question_bypass->question) == 1); | |
256 | ||
ab715ddb | 257 | if (!dns_scope_good_key(c->scope, dns_question_first_key(c->query->question_bypass->question))) |
775ae354 LP |
258 | return 0; |
259 | ||
260 | r = dns_query_candidate_add_transaction(c, NULL, c->query->question_bypass); | |
261 | if (r < 0) | |
262 | goto fail; | |
263 | ||
264 | return 1; | |
265 | } | |
266 | ||
23b298bc LP |
267 | question = dns_query_question_for_protocol(c->query, c->scope->protocol); |
268 | ||
801ad6a6 | 269 | /* Create one transaction per question key */ |
23b298bc | 270 | DNS_QUESTION_FOREACH(key, question) { |
801ad6a6 | 271 | _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL; |
011696f7 LP |
272 | DnsResourceKey *qkey; |
273 | ||
801ad6a6 LP |
274 | if (c->search_domain) { |
275 | r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name); | |
276 | if (r < 0) | |
277 | goto fail; | |
801ad6a6 | 278 | |
011696f7 LP |
279 | qkey = new_key; |
280 | } else | |
281 | qkey = key; | |
282 | ||
283 | if (!dns_scope_good_key(c->scope, qkey)) | |
284 | continue; | |
285 | ||
775ae354 | 286 | r = dns_query_candidate_add_transaction(c, qkey, NULL); |
801ad6a6 LP |
287 | if (r < 0) |
288 | goto fail; | |
289 | ||
290 | n++; | |
291 | } | |
292 | ||
293 | return n; | |
294 | ||
295 | fail: | |
296 | dns_query_candidate_stop(c); | |
297 | return r; | |
298 | } | |
299 | ||
547973de | 300 | void dns_query_candidate_notify(DnsQueryCandidate *c) { |
801ad6a6 LP |
301 | DnsTransactionState state; |
302 | int r; | |
303 | ||
304 | assert(c); | |
305 | ||
c856ef04 ZJS |
306 | if (!c->query) /* This candidate has been abandoned, do nothing. */ |
307 | return; | |
308 | ||
801ad6a6 LP |
309 | state = dns_query_candidate_state(c); |
310 | ||
547973de | 311 | if (DNS_TRANSACTION_IS_LIVE(state)) |
801ad6a6 LP |
312 | return; |
313 | ||
314 | if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) { | |
315 | ||
316 | r = dns_query_candidate_next_search_domain(c); | |
317 | if (r < 0) | |
318 | goto fail; | |
319 | ||
320 | if (r > 0) { | |
321 | /* OK, there's another search domain to try, let's do so. */ | |
322 | ||
323 | r = dns_query_candidate_setup_transactions(c); | |
324 | if (r < 0) | |
325 | goto fail; | |
326 | ||
327 | if (r > 0) { | |
328 | /* New transactions where queued. Start them and wait */ | |
329 | ||
330 | r = dns_query_candidate_go(c); | |
331 | if (r < 0) | |
332 | goto fail; | |
333 | ||
334 | return; | |
335 | } | |
336 | } | |
337 | ||
338 | } | |
339 | ||
340 | dns_query_ready(c->query); | |
341 | return; | |
342 | ||
343 | fail: | |
fed66db0 | 344 | c->error_code = log_warning_errno(r, "Failed to follow search domains: %m"); |
801ad6a6 LP |
345 | dns_query_ready(c->query); |
346 | } | |
347 | ||
348 | static void dns_query_stop(DnsQuery *q) { | |
801ad6a6 LP |
349 | assert(q); |
350 | ||
ecdfb9a1 | 351 | event_source_disable(q->timeout_event_source); |
801ad6a6 LP |
352 | |
353 | LIST_FOREACH(candidates_by_query, c, q->candidates) | |
354 | dns_query_candidate_stop(c); | |
355 | } | |
356 | ||
c856ef04 | 357 | static void dns_query_unlink_candidates(DnsQuery *q) { |
7820b320 LP |
358 | assert(q); |
359 | ||
360 | while (q->candidates) | |
c856ef04 ZJS |
361 | /* Here we drop *our* references to each of the candidates. If we had the only reference, the |
362 | * DnsQueryCandidate object will be freed. */ | |
363 | dns_query_candidate_unref(dns_query_candidate_unlink(q->candidates)); | |
7820b320 LP |
364 | } |
365 | ||
366 | static void dns_query_reset_answer(DnsQuery *q) { | |
367 | assert(q); | |
368 | ||
369 | q->answer = dns_answer_unref(q->answer); | |
370 | q->answer_rcode = 0; | |
371 | q->answer_dnssec_result = _DNSSEC_RESULT_INVALID; | |
7cc6ed7b | 372 | q->answer_errno = 0; |
6f055e43 | 373 | q->answer_query_flags = 0; |
7820b320 LP |
374 | q->answer_protocol = _DNS_PROTOCOL_INVALID; |
375 | q->answer_family = AF_UNSPEC; | |
376 | q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain); | |
775ae354 | 377 | q->answer_full_packet = dns_packet_unref(q->answer_full_packet); |
7820b320 LP |
378 | } |
379 | ||
74b2466e | 380 | DnsQuery *dns_query_free(DnsQuery *q) { |
74b2466e LP |
381 | if (!q) |
382 | return NULL; | |
383 | ||
73bfd7be YW |
384 | q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source); |
385 | ||
45ec7efb LP |
386 | while (q->auxiliary_queries) |
387 | dns_query_free(q->auxiliary_queries); | |
388 | ||
389 | if (q->auxiliary_for) { | |
390 | assert(q->auxiliary_for->n_auxiliary_queries > 0); | |
391 | q->auxiliary_for->n_auxiliary_queries--; | |
392 | LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q); | |
393 | } | |
394 | ||
c856ef04 | 395 | dns_query_unlink_candidates(q); |
322345fd | 396 | |
23b298bc LP |
397 | dns_question_unref(q->question_idna); |
398 | dns_question_unref(q->question_utf8); | |
775ae354 | 399 | dns_packet_unref(q->question_bypass); |
7820b320 LP |
400 | |
401 | dns_query_reset_answer(q); | |
322345fd | 402 | |
c9de4e0f | 403 | sd_bus_message_unref(q->bus_request); |
82bd6ddd | 404 | sd_bus_track_unref(q->bus_track); |
74b2466e | 405 | |
9581bb84 LP |
406 | if (q->varlink_request) { |
407 | varlink_set_userdata(q->varlink_request, NULL); | |
408 | varlink_unref(q->varlink_request); | |
409 | } | |
410 | ||
bde69bbd LP |
411 | if (q->request_packet) |
412 | hashmap_remove_value(q->stub_listener_extra ? | |
413 | q->stub_listener_extra->queries_by_packet : | |
414 | q->manager->stub_queries_by_packet, | |
415 | q->request_packet, | |
416 | q); | |
417 | ||
775ae354 LP |
418 | dns_packet_unref(q->request_packet); |
419 | dns_answer_unref(q->reply_answer); | |
420 | dns_answer_unref(q->reply_authoritative); | |
421 | dns_answer_unref(q->reply_additional); | |
b30bf55d | 422 | |
775ae354 | 423 | if (q->request_stream) { |
b30bf55d | 424 | /* Detach the stream from our query, in case something else keeps a reference to it. */ |
775ae354 LP |
425 | (void) set_remove(q->request_stream->queries, q); |
426 | q->request_stream = dns_stream_unref(q->request_stream); | |
b30bf55d LP |
427 | } |
428 | ||
23b298bc | 429 | free(q->request_address_string); |
cb456374 | 430 | free(q->request_name); |
23b298bc | 431 | |
39762fdf | 432 | if (q->manager) { |
74b2466e | 433 | LIST_REMOVE(queries, q->manager->dns_queries, q); |
39762fdf LP |
434 | q->manager->n_dns_queries--; |
435 | } | |
74b2466e | 436 | |
6b430fdb | 437 | return mfree(q); |
74b2466e LP |
438 | } |
439 | ||
23b298bc LP |
440 | int dns_query_new( |
441 | Manager *m, | |
442 | DnsQuery **ret, | |
443 | DnsQuestion *question_utf8, | |
444 | DnsQuestion *question_idna, | |
775ae354 | 445 | DnsPacket *question_bypass, |
17c8de63 LP |
446 | int ifindex, |
447 | uint64_t flags) { | |
23b298bc | 448 | |
74b2466e | 449 | _cleanup_(dns_query_freep) DnsQuery *q = NULL; |
775ae354 | 450 | char key_str[DNS_RESOURCE_KEY_STRING_MAX]; |
23b298bc | 451 | DnsResourceKey *key; |
faa133f3 | 452 | int r; |
74b2466e LP |
453 | |
454 | assert(m); | |
455 | ||
775ae354 LP |
456 | if (question_bypass) { |
457 | /* It's either a "bypass" query, or a regular one, but can't be both. */ | |
458 | if (question_utf8 || question_idna) | |
23b298bc LP |
459 | return -EINVAL; |
460 | ||
775ae354 LP |
461 | } else { |
462 | bool good = false; | |
23b298bc | 463 | |
1a71fe4e LP |
464 | /* This (primarily) checks two things: |
465 | * | |
466 | * 1. That the question is not empty | |
467 | * 2. That all RR keys in the question objects are for the same domain | |
468 | * | |
469 | * Or in other words, a single DnsQuery object may be used to look up A+AAAA combination for | |
470 | * the same domain name, or SRV+TXT (for DNS-SD services), but not for unrelated lookups. */ | |
471 | ||
775ae354 LP |
472 | if (dns_question_size(question_utf8) > 0) { |
473 | r = dns_question_is_valid_for_query(question_utf8); | |
23b298bc LP |
474 | if (r < 0) |
475 | return r; | |
476 | if (r == 0) | |
477 | return -EINVAL; | |
478 | ||
479 | good = true; | |
480 | } | |
23b298bc | 481 | |
775ae354 LP |
482 | /* If the IDNA and UTF8 questions are the same, merge their references */ |
483 | r = dns_question_is_equal(question_idna, question_utf8); | |
484 | if (r < 0) | |
485 | return r; | |
486 | if (r > 0) | |
487 | question_idna = question_utf8; | |
488 | else { | |
489 | if (dns_question_size(question_idna) > 0) { | |
490 | r = dns_question_is_valid_for_query(question_idna); | |
491 | if (r < 0) | |
492 | return r; | |
493 | if (r == 0) | |
494 | return -EINVAL; | |
495 | ||
496 | good = true; | |
497 | } | |
498 | } | |
499 | ||
500 | if (!good) /* don't allow empty queries */ | |
501 | return -EINVAL; | |
502 | } | |
74b2466e | 503 | |
39762fdf LP |
504 | if (m->n_dns_queries >= QUERIES_MAX) |
505 | return -EBUSY; | |
506 | ||
1ed31408 | 507 | q = new(DnsQuery, 1); |
74b2466e LP |
508 | if (!q) |
509 | return -ENOMEM; | |
510 | ||
1ed31408 LP |
511 | *q = (DnsQuery) { |
512 | .question_utf8 = dns_question_ref(question_utf8), | |
513 | .question_idna = dns_question_ref(question_idna), | |
775ae354 | 514 | .question_bypass = dns_packet_ref(question_bypass), |
1ed31408 LP |
515 | .ifindex = ifindex, |
516 | .flags = flags, | |
517 | .answer_dnssec_result = _DNSSEC_RESULT_INVALID, | |
518 | .answer_protocol = _DNS_PROTOCOL_INVALID, | |
519 | .answer_family = AF_UNSPEC, | |
520 | }; | |
322345fd | 521 | |
775ae354 LP |
522 | if (question_bypass) { |
523 | DNS_QUESTION_FOREACH(key, question_bypass->question) | |
524 | log_debug("Looking up bypass packet for %s.", | |
525 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
526 | } else { | |
160f3145 | 527 | /* First dump UTF8 question */ |
775ae354 LP |
528 | DNS_QUESTION_FOREACH(key, question_utf8) |
529 | log_debug("Looking up RR for %s.", | |
530 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
531 | ||
532 | /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */ | |
533 | DNS_QUESTION_FOREACH(key, question_idna) { | |
ab715ddb | 534 | r = dns_question_contains_key(question_utf8, key); |
775ae354 LP |
535 | if (r < 0) |
536 | return r; | |
537 | if (r > 0) | |
538 | continue; | |
23b298bc | 539 | |
775ae354 LP |
540 | log_debug("Looking up IDNA RR for %s.", |
541 | dns_resource_key_to_string(key, key_str, sizeof key_str)); | |
542 | } | |
74b2466e LP |
543 | } |
544 | ||
545 | LIST_PREPEND(queries, m->dns_queries, q); | |
39762fdf | 546 | m->n_dns_queries++; |
74b2466e LP |
547 | q->manager = m; |
548 | ||
8ba9fd9c LP |
549 | if (ret) |
550 | *ret = q; | |
8ba9fd9c | 551 | |
775ae354 | 552 | TAKE_PTR(q); |
8ba9fd9c LP |
553 | return 0; |
554 | } | |
555 | ||
45ec7efb LP |
556 | int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) { |
557 | assert(q); | |
558 | assert(auxiliary_for); | |
559 | ||
61233823 | 560 | /* Ensure that the query is not auxiliary yet, and |
45ec7efb LP |
561 | * nothing else is auxiliary to it either */ |
562 | assert(!q->auxiliary_for); | |
563 | assert(!q->auxiliary_queries); | |
564 | ||
565 | /* Ensure that the unit we shall be made auxiliary for isn't | |
566 | * auxiliary itself */ | |
567 | assert(!auxiliary_for->auxiliary_for); | |
568 | ||
569 | if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX) | |
570 | return -EAGAIN; | |
571 | ||
572 | LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q); | |
573 | q->auxiliary_for = auxiliary_for; | |
574 | ||
575 | auxiliary_for->n_auxiliary_queries++; | |
576 | return 0; | |
577 | } | |
578 | ||
65a01e82 | 579 | void dns_query_complete(DnsQuery *q, DnsTransactionState state) { |
8ba9fd9c | 580 | assert(q); |
547973de LP |
581 | assert(!DNS_TRANSACTION_IS_LIVE(state)); |
582 | assert(DNS_TRANSACTION_IS_LIVE(q->state)); | |
8ba9fd9c | 583 | |
65a01e82 LP |
584 | /* Note that this call might invalidate the query. Callers should hence not attempt to access the |
585 | * query or transaction after calling this function. */ | |
8ba9fd9c | 586 | |
8ba9fd9c LP |
587 | q->state = state; |
588 | ||
cb456374 SK |
589 | if (state == DNS_TRANSACTION_SUCCESS && set_size(q->manager->varlink_subscription) > 0) { |
590 | DnsQuestion *question = q->request_packet ? q->request_packet->question : NULL; | |
591 | const char *query_name = question ? dns_question_first_name(question) : q->request_name; | |
592 | if (query_name) | |
593 | (void) send_dns_notification(q->manager, q->answer, query_name); | |
594 | } | |
595 | ||
322345fd LP |
596 | dns_query_stop(q); |
597 | if (q->complete) | |
598 | q->complete(q); | |
8ba9fd9c LP |
599 | } |
600 | ||
601 | static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) { | |
99534007 | 602 | DnsQuery *q = ASSERT_PTR(userdata); |
8ba9fd9c LP |
603 | |
604 | assert(s); | |
8ba9fd9c | 605 | |
ec2c5e43 | 606 | dns_query_complete(q, DNS_TRANSACTION_TIMEOUT); |
8ba9fd9c LP |
607 | return 0; |
608 | } | |
609 | ||
801ad6a6 | 610 | static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) { |
0e0fd08f | 611 | _cleanup_(dns_query_candidate_unrefp) DnsQueryCandidate *c = NULL; |
faa133f3 LP |
612 | int r; |
613 | ||
614 | assert(q); | |
ec2c5e43 | 615 | assert(s); |
faa133f3 | 616 | |
801ad6a6 | 617 | r = dns_query_candidate_new(&c, q, s); |
faa133f3 LP |
618 | if (r < 0) |
619 | return r; | |
620 | ||
801ad6a6 | 621 | /* If this a single-label domain on DNS, we might append a suitable search domain first. */ |
3b5bd7d6 ZJS |
622 | if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) && |
623 | dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) { | |
624 | /* OK, we want a search domain now. Let's find one for this scope */ | |
22f711bb | 625 | |
6da95857 | 626 | r = dns_query_candidate_next_search_domain(c); |
3b5bd7d6 | 627 | if (r < 0) |
7877e5ca | 628 | return r; |
faa133f3 LP |
629 | } |
630 | ||
801ad6a6 LP |
631 | r = dns_query_candidate_setup_transactions(c); |
632 | if (r < 0) | |
7877e5ca | 633 | return r; |
801ad6a6 | 634 | |
7877e5ca | 635 | TAKE_PTR(c); |
faa133f3 | 636 | return 0; |
faa133f3 LP |
637 | } |
638 | ||
78c6a153 | 639 | static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) { |
2a1037af | 640 | _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; |
dd0bc0f1 | 641 | int r; |
2a1037af LP |
642 | |
643 | assert(q); | |
644 | assert(state); | |
645 | ||
dd0bc0f1 LP |
646 | /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the |
647 | * the normal lookup finished. The data from the network hence takes precedence over the data we | |
648 | * synthesize. (But note that many scopes refuse to resolve certain domain names) */ | |
2a1037af LP |
649 | |
650 | if (!IN_SET(*state, | |
3bbdc31d | 651 | DNS_TRANSACTION_RCODE_FAILURE, |
2a1037af LP |
652 | DNS_TRANSACTION_NO_SERVERS, |
653 | DNS_TRANSACTION_TIMEOUT, | |
edbcc1fd | 654 | DNS_TRANSACTION_ATTEMPTS_MAX_REACHED, |
0791110f LP |
655 | DNS_TRANSACTION_NETWORK_DOWN, |
656 | DNS_TRANSACTION_NOT_FOUND)) | |
78c6a153 | 657 | return 0; |
2a1037af | 658 | |
775ae354 LP |
659 | if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE)) |
660 | return 0; | |
661 | ||
839a4a20 LP |
662 | r = dns_synthesize_answer( |
663 | q->manager, | |
775ae354 | 664 | q->question_bypass ? q->question_bypass->question : q->question_utf8, |
839a4a20 | 665 | q->ifindex, |
dd0bc0f1 | 666 | &answer); |
acf06088 LP |
667 | if (r == -ENXIO) { |
668 | /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */ | |
2a1037af | 669 | |
acf06088 LP |
670 | dns_query_reset_answer(q); |
671 | q->answer_rcode = DNS_RCODE_NXDOMAIN; | |
672 | q->answer_protocol = dns_synthesize_protocol(q->flags); | |
673 | q->answer_family = dns_synthesize_family(q->flags); | |
5c1790d1 | 674 | q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC; |
acf06088 LP |
675 | *state = DNS_TRANSACTION_RCODE_FAILURE; |
676 | ||
677 | return 0; | |
678 | } | |
839a4a20 LP |
679 | if (r <= 0) |
680 | return r; | |
2a1037af | 681 | |
839a4a20 | 682 | dns_query_reset_answer(q); |
2a1037af | 683 | |
1cc6c93a | 684 | q->answer = TAKE_PTR(answer); |
2a1037af | 685 | q->answer_rcode = DNS_RCODE_SUCCESS; |
dd0bc0f1 LP |
686 | q->answer_protocol = dns_synthesize_protocol(q->flags); |
687 | q->answer_family = dns_synthesize_family(q->flags); | |
5c1790d1 | 688 | q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC; |
2a1037af LP |
689 | |
690 | *state = DNS_TRANSACTION_SUCCESS; | |
78c6a153 LP |
691 | |
692 | return 1; | |
2a1037af LP |
693 | } |
694 | ||
dd0bc0f1 LP |
695 | static int dns_query_try_etc_hosts(DnsQuery *q) { |
696 | _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL; | |
697 | int r; | |
698 | ||
699 | assert(q); | |
700 | ||
c805014a ZJS |
701 | /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is |
702 | * done. The data from /etc/hosts hence takes precedence over the network. */ | |
dd0bc0f1 | 703 | |
775ae354 LP |
704 | if (FLAGS_SET(q->flags, SD_RESOLVED_NO_SYNTHESIZE)) |
705 | return 0; | |
706 | ||
dd0bc0f1 LP |
707 | r = manager_etc_hosts_lookup( |
708 | q->manager, | |
775ae354 | 709 | q->question_bypass ? q->question_bypass->question : q->question_utf8, |
dd0bc0f1 LP |
710 | &answer); |
711 | if (r <= 0) | |
712 | return r; | |
713 | ||
714 | dns_query_reset_answer(q); | |
715 | ||
1cc6c93a | 716 | q->answer = TAKE_PTR(answer); |
dd0bc0f1 LP |
717 | q->answer_rcode = DNS_RCODE_SUCCESS; |
718 | q->answer_protocol = dns_synthesize_protocol(q->flags); | |
719 | q->answer_family = dns_synthesize_family(q->flags); | |
5c1790d1 | 720 | q->answer_query_flags = SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL|SD_RESOLVED_SYNTHETIC; |
dd0bc0f1 LP |
721 | |
722 | return 1; | |
723 | } | |
724 | ||
322345fd | 725 | int dns_query_go(DnsQuery *q) { |
8ba9fd9c | 726 | DnsScopeMatch found = DNS_SCOPE_NO; |
03677889 | 727 | DnsScope *first = NULL; |
8ba9fd9c LP |
728 | int r; |
729 | ||
730 | assert(q); | |
731 | ||
ec2c5e43 | 732 | if (q->state != DNS_TRANSACTION_NULL) |
8ba9fd9c LP |
733 | return 0; |
734 | ||
dd0bc0f1 LP |
735 | r = dns_query_try_etc_hosts(q); |
736 | if (r < 0) | |
737 | return r; | |
738 | if (r > 0) { | |
739 | dns_query_complete(q, DNS_TRANSACTION_SUCCESS); | |
740 | return 1; | |
741 | } | |
742 | ||
8ba9fd9c | 743 | LIST_FOREACH(scopes, s, q->manager->dns_scopes) { |
74b2466e | 744 | DnsScopeMatch match; |
23b298bc | 745 | |
176a9a2c | 746 | match = dns_scope_good_domain(s, q); |
830f50ab | 747 | assert(match >= 0); |
a97a3b25 LP |
748 | if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one |
749 | * that matches this well */ | |
750 | found = match; | |
74b2466e | 751 | first = s; |
74b2466e LP |
752 | } |
753 | } | |
754 | ||
2a1037af LP |
755 | if (found == DNS_SCOPE_NO) { |
756 | DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS; | |
757 | ||
7cc6ed7b LP |
758 | r = dns_query_synthesize_reply(q, &state); |
759 | if (r < 0) | |
760 | return r; | |
761 | ||
d634711b LP |
762 | dns_query_complete(q, state); |
763 | return 1; | |
2a1037af | 764 | } |
74b2466e | 765 | |
801ad6a6 | 766 | r = dns_query_add_candidate(q, first); |
74b2466e | 767 | if (r < 0) |
ec2c5e43 | 768 | goto fail; |
74b2466e | 769 | |
74b2466e LP |
770 | LIST_FOREACH(scopes, s, first->scopes_next) { |
771 | DnsScopeMatch match; | |
772 | ||
176a9a2c | 773 | match = dns_scope_good_domain(s, q); |
830f50ab | 774 | assert(match >= 0); |
a97a3b25 | 775 | if (match < found) |
74b2466e LP |
776 | continue; |
777 | ||
801ad6a6 | 778 | r = dns_query_add_candidate(q, s); |
74b2466e | 779 | if (r < 0) |
ec2c5e43 | 780 | goto fail; |
74b2466e LP |
781 | } |
782 | ||
ab88b6d0 | 783 | dns_query_reset_answer(q); |
74b2466e | 784 | |
ecdfb9a1 | 785 | r = event_reset_time_relative( |
9a015429 LP |
786 | q->manager->event, |
787 | &q->timeout_event_source, | |
ba4e0427 | 788 | CLOCK_BOOTTIME, |
39cf0351 | 789 | SD_RESOLVED_QUERY_TIMEOUT_USEC, |
ecdfb9a1 YW |
790 | 0, on_query_timeout, q, |
791 | 0, "query-timeout", true); | |
74b2466e LP |
792 | if (r < 0) |
793 | goto fail; | |
794 | ||
ec2c5e43 | 795 | q->state = DNS_TRANSACTION_PENDING; |
faa133f3 | 796 | q->block_ready++; |
74b2466e | 797 | |
801ad6a6 LP |
798 | /* Start the transactions */ |
799 | LIST_FOREACH(candidates_by_query, c, q->candidates) { | |
800 | r = dns_query_candidate_go(c); | |
801 | if (r < 0) { | |
802 | q->block_ready--; | |
ec2c5e43 | 803 | goto fail; |
801ad6a6 | 804 | } |
74b2466e LP |
805 | } |
806 | ||
faa133f3 LP |
807 | q->block_ready--; |
808 | dns_query_ready(q); | |
322345fd | 809 | |
8ba9fd9c | 810 | return 1; |
74b2466e LP |
811 | |
812 | fail: | |
8ba9fd9c | 813 | dns_query_stop(q); |
74b2466e LP |
814 | return r; |
815 | } | |
816 | ||
801ad6a6 | 817 | static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) { |
ec2c5e43 | 818 | DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS; |
43fc4baa | 819 | bool has_authenticated = false, has_non_authenticated = false, has_confidential = false, has_non_confidential = false; |
019036a4 | 820 | DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID; |
801ad6a6 | 821 | DnsTransaction *t; |
547973de | 822 | int r; |
74b2466e LP |
823 | |
824 | assert(q); | |
825 | ||
801ad6a6 | 826 | if (!c) { |
7cc6ed7b LP |
827 | r = dns_query_synthesize_reply(q, &state); |
828 | if (r < 0) | |
829 | goto fail; | |
830 | ||
801ad6a6 | 831 | dns_query_complete(q, state); |
74b2466e | 832 | return; |
801ad6a6 | 833 | } |
74b2466e | 834 | |
a7bf2ada LP |
835 | if (c->error_code != 0) { |
836 | /* If the candidate had an error condition of its own, start with that. */ | |
837 | state = DNS_TRANSACTION_ERRNO; | |
838 | q->answer = dns_answer_unref(q->answer); | |
839 | q->answer_rcode = 0; | |
840 | q->answer_dnssec_result = _DNSSEC_RESULT_INVALID; | |
6f055e43 | 841 | q->answer_query_flags = 0; |
a7bf2ada | 842 | q->answer_errno = c->error_code; |
775ae354 | 843 | q->answer_full_packet = dns_packet_unref(q->answer_full_packet); |
a7bf2ada LP |
844 | } |
845 | ||
90e74a66 | 846 | SET_FOREACH(t, c->transactions) { |
74b2466e | 847 | |
801ad6a6 | 848 | switch (t->state) { |
934e9b10 | 849 | |
801ad6a6 | 850 | case DNS_TRANSACTION_SUCCESS: { |
775ae354 LP |
851 | /* We found a successful reply, merge it into the answer */ |
852 | ||
853 | if (state == DNS_TRANSACTION_SUCCESS) { | |
854 | r = dns_answer_extend(&q->answer, t->answer); | |
855 | if (r < 0) | |
856 | goto fail; | |
5c1790d1 LP |
857 | |
858 | q->answer_query_flags |= dns_transaction_source_to_query_flags(t->answer_source); | |
775ae354 LP |
859 | } else { |
860 | /* Override non-successful previous answers */ | |
1117a960 | 861 | DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer)); |
5c1790d1 | 862 | q->answer_query_flags = dns_transaction_source_to_query_flags(t->answer_source); |
775ae354 | 863 | } |
019036a4 | 864 | |
ae6a4bbf | 865 | q->answer_rcode = t->answer_rcode; |
7cc6ed7b | 866 | q->answer_errno = 0; |
801ad6a6 | 867 | |
899e3cda | 868 | DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received)); |
775ae354 | 869 | |
6f055e43 | 870 | if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) { |
931851e8 | 871 | has_authenticated = true; |
019036a4 LP |
872 | dnssec_result_authenticated = t->answer_dnssec_result; |
873 | } else { | |
931851e8 | 874 | has_non_authenticated = true; |
019036a4 LP |
875 | dnssec_result_non_authenticated = t->answer_dnssec_result; |
876 | } | |
931851e8 | 877 | |
43fc4baa LP |
878 | if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL)) |
879 | has_confidential = true; | |
880 | else | |
881 | has_non_confidential = true; | |
882 | ||
801ad6a6 LP |
883 | state = DNS_TRANSACTION_SUCCESS; |
884 | break; | |
885 | } | |
886 | ||
801ad6a6 | 887 | case DNS_TRANSACTION_NULL: |
547973de LP |
888 | case DNS_TRANSACTION_PENDING: |
889 | case DNS_TRANSACTION_VALIDATING: | |
801ad6a6 LP |
890 | case DNS_TRANSACTION_ABORTED: |
891 | /* Ignore transactions that didn't complete */ | |
892 | continue; | |
893 | ||
894 | default: | |
cbb1aabb | 895 | /* Any kind of failure? Store the data away, if there's nothing stored yet. */ |
019036a4 LP |
896 | if (state == DNS_TRANSACTION_SUCCESS) |
897 | continue; | |
934e9b10 | 898 | |
cbb1aabb | 899 | /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */ |
6f055e43 LP |
900 | if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && |
901 | !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) | |
cbb1aabb LP |
902 | continue; |
903 | ||
1117a960 | 904 | DNS_ANSWER_REPLACE(q->answer, dns_answer_ref(t->answer)); |
019036a4 LP |
905 | q->answer_rcode = t->answer_rcode; |
906 | q->answer_dnssec_result = t->answer_dnssec_result; | |
5c1790d1 | 907 | q->answer_query_flags = t->answer_query_flags | dns_transaction_source_to_query_flags(t->answer_source); |
7cc6ed7b | 908 | q->answer_errno = t->answer_errno; |
899e3cda | 909 | DNS_PACKET_REPLACE(q->answer_full_packet, dns_packet_ref(t->received)); |
934e9b10 | 910 | |
019036a4 | 911 | state = t->state; |
801ad6a6 | 912 | break; |
74b2466e | 913 | } |
801ad6a6 | 914 | } |
74b2466e | 915 | |
019036a4 | 916 | if (state == DNS_TRANSACTION_SUCCESS) { |
6f055e43 | 917 | SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated); |
43fc4baa | 918 | SET_FLAG(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, has_confidential && !has_non_confidential); |
6f055e43 | 919 | q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated; |
019036a4 LP |
920 | } |
921 | ||
801ad6a6 LP |
922 | q->answer_protocol = c->scope->protocol; |
923 | q->answer_family = c->scope->family; | |
934e9b10 | 924 | |
801ad6a6 LP |
925 | dns_search_domain_unref(q->answer_search_domain); |
926 | q->answer_search_domain = dns_search_domain_ref(c->search_domain); | |
7e8e0422 | 927 | |
7cc6ed7b LP |
928 | r = dns_query_synthesize_reply(q, &state); |
929 | if (r < 0) | |
930 | goto fail; | |
931 | ||
801ad6a6 | 932 | dns_query_complete(q, state); |
7cc6ed7b LP |
933 | return; |
934 | ||
935 | fail: | |
936 | q->answer_errno = -r; | |
937 | dns_query_complete(q, DNS_TRANSACTION_ERRNO); | |
801ad6a6 | 938 | } |
934e9b10 | 939 | |
801ad6a6 | 940 | void dns_query_ready(DnsQuery *q) { |
03677889 | 941 | DnsQueryCandidate *bad = NULL; |
801ad6a6 | 942 | bool pending = false; |
74b2466e | 943 | |
801ad6a6 | 944 | assert(q); |
547973de | 945 | assert(DNS_TRANSACTION_IS_LIVE(q->state)); |
e4501ed4 | 946 | |
801ad6a6 LP |
947 | /* Note that this call might invalidate the query. Callers |
948 | * should hence not attempt to access the query or transaction | |
949 | * after calling this function, unless the block_ready | |
950 | * counter was explicitly bumped before doing so. */ | |
951 | ||
952 | if (q->block_ready > 0) | |
953 | return; | |
954 | ||
955 | LIST_FOREACH(candidates_by_query, c, q->candidates) { | |
956 | DnsTransactionState state; | |
957 | ||
958 | state = dns_query_candidate_state(c); | |
959 | switch (state) { | |
960 | ||
961 | case DNS_TRANSACTION_SUCCESS: | |
547973de | 962 | /* One of the candidates is successful, |
801ad6a6 LP |
963 | * let's use it, and copy its data out */ |
964 | dns_query_accept(q, c); | |
e4501ed4 LP |
965 | return; |
966 | ||
801ad6a6 | 967 | case DNS_TRANSACTION_NULL: |
547973de LP |
968 | case DNS_TRANSACTION_PENDING: |
969 | case DNS_TRANSACTION_VALIDATING: | |
970 | /* One of the candidates is still going on, | |
971 | * let's maybe wait for it */ | |
801ad6a6 LP |
972 | pending = true; |
973 | break; | |
e4501ed4 | 974 | |
801ad6a6 LP |
975 | default: |
976 | /* Any kind of failure */ | |
977 | bad = c; | |
978 | break; | |
979 | } | |
faa133f3 | 980 | } |
74b2466e | 981 | |
801ad6a6 LP |
982 | if (pending) |
983 | return; | |
2a1037af | 984 | |
801ad6a6 | 985 | dns_query_accept(q, bad); |
74b2466e | 986 | } |
8ba9fd9c | 987 | |
45ec7efb | 988 | static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) { |
23b298bc LP |
989 | _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL; |
990 | int r, k; | |
8ba9fd9c LP |
991 | |
992 | assert(q); | |
993 | ||
b4d12278 | 994 | if (q->n_cname_redirects >= CNAME_REDIRECTS_MAX) |
8ba9fd9c | 995 | return -ELOOP; |
b4d12278 | 996 | q->n_cname_redirects++; |
8ba9fd9c | 997 | |
23b298bc | 998 | r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna); |
faa133f3 LP |
999 | if (r < 0) |
1000 | return r; | |
4cba52cc | 1001 | if (r > 0) |
e2341b6b DT |
1002 | log_debug("Following CNAME/DNAME %s %s %s.", |
1003 | dns_question_first_name(q->question_idna), | |
1004 | special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), | |
1005 | dns_question_first_name(nq_idna)); | |
23b298bc LP |
1006 | |
1007 | k = dns_question_is_equal(q->question_idna, q->question_utf8); | |
1008 | if (k < 0) | |
4cba52cc | 1009 | return k; |
23b298bc LP |
1010 | if (k > 0) { |
1011 | /* Same question? Shortcut new question generation */ | |
1012 | nq_utf8 = dns_question_ref(nq_idna); | |
1013 | k = r; | |
1014 | } else { | |
1015 | k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8); | |
1016 | if (k < 0) | |
1017 | return k; | |
4cba52cc | 1018 | if (k > 0) |
e2341b6b DT |
1019 | log_debug("Following UTF8 CNAME/DNAME %s %s %s.", |
1020 | dns_question_first_name(q->question_utf8), | |
1021 | special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), | |
1022 | dns_question_first_name(nq_utf8)); | |
23b298bc | 1023 | } |
8ba9fd9c | 1024 | |
23b298bc LP |
1025 | if (r == 0 && k == 0) /* No actual cname happened? */ |
1026 | return -ELOOP; | |
1027 | ||
d46b79bb | 1028 | if (q->answer_protocol == DNS_PROTOCOL_DNS) |
8e5de09f LP |
1029 | /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources |
1030 | * cannot invade the local namespace. The opposite way we permit: local names may redirect to global | |
1031 | * ones. */ | |
8e5de09f | 1032 | q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */ |
8e5de09f LP |
1033 | |
1034 | /* Turn off searching for the new name */ | |
1035 | q->flags |= SD_RESOLVED_NO_SEARCH; | |
1036 | ||
23b298bc | 1037 | dns_question_unref(q->question_idna); |
1cc6c93a | 1038 | q->question_idna = TAKE_PTR(nq_idna); |
bc7669cf | 1039 | |
23b298bc | 1040 | dns_question_unref(q->question_utf8); |
1cc6c93a | 1041 | q->question_utf8 = TAKE_PTR(nq_utf8); |
8ba9fd9c | 1042 | |
c856ef04 | 1043 | dns_query_unlink_candidates(q); |
b1eea703 LP |
1044 | |
1045 | /* Note that we do *not* reset the answer here, because the answer we previously got might already | |
1046 | * include everything we need, let's check that first */ | |
322345fd | 1047 | |
8e5de09f | 1048 | q->state = DNS_TRANSACTION_NULL; |
59a89990 | 1049 | |
8ba9fd9c LP |
1050 | return 0; |
1051 | } | |
82bd6ddd | 1052 | |
1db8e6d1 | 1053 | int dns_query_process_cname_one(DnsQuery *q) { |
45ec7efb | 1054 | _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL; |
23b298bc | 1055 | DnsQuestion *question; |
45ec7efb | 1056 | DnsResourceRecord *rr; |
1a71fe4e LP |
1057 | bool full_match = true; |
1058 | DnsResourceKey *k; | |
45ec7efb LP |
1059 | int r; |
1060 | ||
1061 | assert(q); | |
1062 | ||
1db8e6d1 LP |
1063 | /* Processes a CNAME redirect if there's one. Returns one of three values: |
1064 | * | |
1065 | * CNAME_QUERY_MATCH → direct RR match, caller should just use the RRs in this answer (and not | |
1066 | * bother with any CNAME/DNAME stuff) | |
1067 | * | |
1068 | * CNAME_QUERY_NOMATCH → no match at all, neither direct nor CNAME/DNAME, caller might decide to | |
1069 | * restart query or take things as NODATA reply. | |
1070 | * | |
1071 | * CNAME_QUERY_CNAME → no direct RR match, but a CNAME/DNAME match that we now followed for one step. | |
1072 | * | |
1073 | * The function might also return a failure, in particular -ELOOP if we encountered too many | |
1074 | * CNAMEs/DNAMEs in a chain or if following CNAMEs/DNAMEs was turned off. | |
1075 | * | |
1076 | * Note that this function doesn't actually restart the query. The caller can decide to do that in | |
1077 | * case of CNAME_QUERY_CNAME, though. */ | |
1078 | ||
7588460a TG |
1079 | if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL)) |
1080 | return DNS_QUERY_NOMATCH; | |
45ec7efb | 1081 | |
23b298bc | 1082 | question = dns_query_question_for_protocol(q, q->answer_protocol); |
45ec7efb | 1083 | |
1a71fe4e LP |
1084 | /* Small reminder: our question will consist of one or more RR keys that match in name, but not in |
1085 | * record type. Specifically, when we do an address lookup the question will typically consist of one | |
1086 | * A and one AAAA key lookup for the same domain name. When we get a response from a server we need | |
1087 | * to check if the answer answers all our questions to use it. Note that a response of CNAME/DNAME | |
1088 | * can answer both an A and the AAAA question for us, but an A/AAAA response only the relevant | |
1089 | * type. | |
1090 | * | |
1091 | * Hence we first check of the answers we collected are sufficient to answer all our questions | |
1092 | * directly. If one question wasn't answered we go on, waiting for more replies. However, if there's | |
1093 | * a CNAME/DNAME response we use it, and redirect to it, regardless if it was a response to the A or | |
7802194a | 1094 | * the AAAA query. */ |
1a71fe4e LP |
1095 | |
1096 | DNS_QUESTION_FOREACH(k, question) { | |
1097 | bool match = false; | |
1098 | ||
1099 | DNS_ANSWER_FOREACH(rr, q->answer) { | |
1100 | r = dns_resource_key_match_rr(k, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); | |
1101 | if (r < 0) | |
1102 | return r; | |
1103 | if (r > 0) { | |
1104 | match = true; /* Yay, we found an RR that matches the key we are looking for */ | |
1105 | break; | |
1106 | } | |
1107 | } | |
1108 | ||
1109 | if (!match) { | |
1110 | /* Hmm. :-( there's no response for this key. This doesn't match. */ | |
1111 | full_match = false; | |
1112 | break; | |
1113 | } | |
1114 | } | |
45ec7efb | 1115 | |
1a71fe4e LP |
1116 | if (full_match) |
1117 | return DNS_QUERY_MATCH; /* The answer can answer our question in full, no need to follow CNAMEs/DNAMEs */ | |
1118 | ||
1119 | /* Let's see if there is a CNAME/DNAME to match. This case is simpler: we accept the CNAME/DNAME that | |
1120 | * matches any of our questions. */ | |
1121 | DNS_ANSWER_FOREACH(rr, q->answer) { | |
542e0c84 | 1122 | r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain)); |
45ec7efb LP |
1123 | if (r < 0) |
1124 | return r; | |
1125 | if (r > 0 && !cname) | |
1126 | cname = dns_resource_record_ref(rr); | |
1127 | } | |
1128 | ||
1129 | if (!cname) | |
1a71fe4e | 1130 | return DNS_QUERY_NOMATCH; /* No match and no CNAME/DNAME to follow */ |
45ec7efb LP |
1131 | |
1132 | if (q->flags & SD_RESOLVED_NO_CNAME) | |
1133 | return -ELOOP; | |
1134 | ||
6f055e43 | 1135 | if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) |
28830a64 | 1136 | q->previous_redirect_unauthenticated = true; |
43fc4baa LP |
1137 | if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL)) |
1138 | q->previous_redirect_non_confidential = true; | |
9ddf099f LP |
1139 | if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_SYNTHETIC)) |
1140 | q->previous_redirect_non_synthetic = true; | |
28830a64 | 1141 | |
45ec7efb LP |
1142 | /* OK, let's actually follow the CNAME */ |
1143 | r = dns_query_cname_redirect(q, cname); | |
1144 | if (r < 0) | |
1145 | return r; | |
1146 | ||
1db8e6d1 LP |
1147 | return DNS_QUERY_CNAME; /* Tell caller that we did a single CNAME/DNAME redirection step */ |
1148 | } | |
45ec7efb | 1149 | |
1db8e6d1 LP |
1150 | int dns_query_process_cname_many(DnsQuery *q) { |
1151 | int r; | |
45ec7efb | 1152 | |
1db8e6d1 LP |
1153 | assert(q); |
1154 | ||
1155 | /* Follows CNAMEs through the current packet: as long as the current packet can fulfill our | |
1156 | * redirected CNAME queries we keep going, and restart the query once the current packet isn't good | |
1157 | * enough anymore. It's a wrapper around dns_query_process_cname_one() and returns the same values, | |
1158 | * but with extended semantics. Specifically: | |
1159 | * | |
1160 | * DNS_QUERY_MATCH → as above | |
1161 | * | |
1162 | * DNS_QUERY_CNAME → we ran into a CNAME/DNAME redirect that we could not answer from the current | |
1163 | * message, and thus restarted the query to resolve it. | |
1164 | * | |
1165 | * DNS_QUERY_NOMATCH → we reached the end of CNAME/DNAME chain, and there are no direct matches nor a | |
1166 | * CNAME/DNAME match. i.e. this is a NODATA case. | |
1167 | * | |
1168 | * Note that this function will restart the query for the caller if needed, and that's the case | |
1169 | * DNS_QUERY_CNAME is returned. | |
1170 | */ | |
1171 | ||
1172 | r = dns_query_process_cname_one(q); | |
1173 | if (r != DNS_QUERY_CNAME) | |
1174 | return r; /* The first redirect is special: if it doesn't answer the question that's no | |
1175 | * reason to restart the query, we just accept this as a NODATA answer. */ | |
1176 | ||
1177 | for (;;) { | |
1178 | r = dns_query_process_cname_one(q); | |
1179 | if (r < 0 || r == DNS_QUERY_MATCH) | |
1180 | return r; | |
1181 | if (r == DNS_QUERY_NOMATCH) { | |
1182 | /* OK, so we followed one or more CNAME/DNAME RR but the existing packet can't answer | |
1183 | * this. Let's restart the query hence, with the new question. Why the different | |
1184 | * handling than the first chain element? Because if the server answers a direct | |
1185 | * question with an empty answer then this is a NODATA response. But if it responds | |
1186 | * with a CNAME chain that ultimately is incomplete (i.e. a non-empty but truncated | |
1187 | * CNAME chain) then we better follow up ourselves and ask for the rest of the | |
1188 | * chain. This is particular relevant since our cache will store CNAME/DNAME | |
1189 | * redirects that we learnt about for lookups of certain DNS types, but later on we | |
1190 | * can reuse this data even for other DNS types, but in that case need to follow up | |
1191 | * with the final lookup of the chain ourselves with the RR type we ourselves are | |
1192 | * interested in. */ | |
1193 | r = dns_query_go(q); | |
1194 | if (r < 0) | |
1195 | return r; | |
1196 | ||
1197 | return DNS_QUERY_CNAME; | |
1198 | } | |
1199 | ||
1200 | /* So we found a CNAME that the existing packet already answers, again via a CNAME, let's | |
1201 | * continue going then. */ | |
1202 | assert(r == DNS_QUERY_CNAME); | |
1203 | } | |
45ec7efb LP |
1204 | } |
1205 | ||
23b298bc LP |
1206 | DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) { |
1207 | assert(q); | |
1208 | ||
775ae354 LP |
1209 | if (q->question_bypass) |
1210 | return q->question_bypass->question; | |
1211 | ||
23b298bc LP |
1212 | switch (protocol) { |
1213 | ||
1214 | case DNS_PROTOCOL_DNS: | |
1215 | return q->question_idna; | |
1216 | ||
1217 | case DNS_PROTOCOL_MDNS: | |
1218 | case DNS_PROTOCOL_LLMNR: | |
1219 | return q->question_utf8; | |
1220 | ||
1221 | default: | |
1222 | return NULL; | |
1223 | } | |
1224 | } | |
1225 | ||
1226 | const char *dns_query_string(DnsQuery *q) { | |
1227 | const char *name; | |
1228 | int r; | |
1229 | ||
1230 | /* Returns a somewhat useful human-readable lookup key string for this query */ | |
1231 | ||
775ae354 LP |
1232 | if (q->question_bypass) |
1233 | return dns_question_first_name(q->question_bypass->question); | |
1234 | ||
23b298bc LP |
1235 | if (q->request_address_string) |
1236 | return q->request_address_string; | |
1237 | ||
1238 | if (q->request_address_valid) { | |
1239 | r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string); | |
1240 | if (r >= 0) | |
1241 | return q->request_address_string; | |
1242 | } | |
1243 | ||
1244 | name = dns_question_first_name(q->question_utf8); | |
1245 | if (name) | |
1246 | return name; | |
1247 | ||
1248 | return dns_question_first_name(q->question_idna); | |
1249 | } | |
28830a64 LP |
1250 | |
1251 | bool dns_query_fully_authenticated(DnsQuery *q) { | |
1252 | assert(q); | |
1253 | ||
6f055e43 | 1254 | return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated; |
28830a64 | 1255 | } |
43fc4baa LP |
1256 | |
1257 | bool dns_query_fully_confidential(DnsQuery *q) { | |
1258 | assert(q); | |
1259 | ||
1260 | return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential; | |
1261 | } | |
4ad017cd | 1262 | |
9ddf099f | 1263 | bool dns_query_fully_authoritative(DnsQuery *q) { |
4ad017cd SB |
1264 | assert(q); |
1265 | ||
9ddf099f LP |
1266 | /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't |
1267 | * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for | |
7802194a | 1268 | * previous synthetic DNAME/CNAME redirections.) */ |
9ddf099f LP |
1269 | if ((q->answer_query_flags & SD_RESOLVED_SYNTHETIC) && !q->previous_redirect_non_synthetic) |
1270 | return true; | |
1271 | ||
1272 | /* We are also authoritative for everything coming only from the trust anchor and the local | |
1273 | * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to | |
7802194a | 1274 | * explicitly check previous redirects here.) */ |
9ddf099f | 1275 | return (q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~(SD_RESOLVED_FROM_TRUST_ANCHOR | SD_RESOLVED_FROM_ZONE)) == 0; |
4ad017cd | 1276 | } |