1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
23 #include "alloc-util.h"
24 #include "dns-domain.h"
26 #include "random-util.h"
27 #include "resolved-dns-cache.h"
28 #include "resolved-dns-transaction.h"
29 #include "resolved-llmnr.h"
30 #include "string-table.h"
32 static void dns_transaction_reset_answer(DnsTransaction
*t
) {
35 t
->received
= dns_packet_unref(t
->received
);
36 t
->answer
= dns_answer_unref(t
->answer
);
38 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
39 t
->answer_source
= _DNS_TRANSACTION_SOURCE_INVALID
;
40 t
->answer_authenticated
= false;
43 static void dns_transaction_close_connection(DnsTransaction
*t
) {
46 t
->stream
= dns_stream_free(t
->stream
);
47 t
->dns_udp_event_source
= sd_event_source_unref(t
->dns_udp_event_source
);
48 t
->dns_udp_fd
= safe_close(t
->dns_udp_fd
);
51 static void dns_transaction_stop_timeout(DnsTransaction
*t
) {
54 t
->timeout_event_source
= sd_event_source_unref(t
->timeout_event_source
);
57 DnsTransaction
* dns_transaction_free(DnsTransaction
*t
) {
65 dns_transaction_close_connection(t
);
66 dns_transaction_stop_timeout(t
);
68 dns_packet_unref(t
->sent
);
69 dns_transaction_reset_answer(t
);
71 dns_server_unref(t
->server
);
74 hashmap_remove_value(t
->scope
->transactions_by_key
, t
->key
, t
);
75 LIST_REMOVE(transactions_by_scope
, t
->scope
->transactions
, t
);
78 hashmap_remove(t
->scope
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
));
81 while ((c
= set_steal_first(t
->notify_query_candidates
)))
82 set_remove(c
->transactions
, t
);
83 set_free(t
->notify_query_candidates
);
85 while ((i
= set_steal_first(t
->notify_zone_items
)))
86 i
->probe_transaction
= NULL
;
87 set_free(t
->notify_zone_items
);
89 while ((z
= set_steal_first(t
->notify_transactions
)))
90 set_remove(z
->dnssec_transactions
, t
);
91 set_free(t
->notify_transactions
);
93 while ((z
= set_steal_first(t
->dnssec_transactions
))) {
94 set_remove(z
->notify_transactions
, t
);
95 dns_transaction_gc(z
);
97 set_free(t
->dnssec_transactions
);
99 dns_answer_unref(t
->validated_keys
);
100 dns_resource_key_unref(t
->key
);
107 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction
*, dns_transaction_free
);
109 void dns_transaction_gc(DnsTransaction
*t
) {
115 if (set_isempty(t
->notify_query_candidates
) &&
116 set_isempty(t
->notify_zone_items
) &&
117 set_isempty(t
->notify_transactions
))
118 dns_transaction_free(t
);
121 int dns_transaction_new(DnsTransaction
**ret
, DnsScope
*s
, DnsResourceKey
*key
) {
122 _cleanup_(dns_transaction_freep
) DnsTransaction
*t
= NULL
;
129 /* Don't allow looking up invalid or pseudo RRs */
130 if (!dns_type_is_valid_query(key
->type
))
133 /* We only support the IN class */
134 if (key
->class != DNS_CLASS_IN
&& key
->class != DNS_CLASS_ANY
)
137 r
= hashmap_ensure_allocated(&s
->manager
->dns_transactions
, NULL
);
141 r
= hashmap_ensure_allocated(&s
->transactions_by_key
, &dns_resource_key_hash_ops
);
145 t
= new0(DnsTransaction
, 1);
150 t
->answer_source
= _DNS_TRANSACTION_SOURCE_INVALID
;
151 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
152 t
->key
= dns_resource_key_ref(key
);
154 /* Find a fresh, unused transaction id */
156 random_bytes(&t
->id
, sizeof(t
->id
));
158 hashmap_get(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
)));
160 r
= hashmap_put(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
), t
);
166 r
= hashmap_replace(s
->transactions_by_key
, t
->key
, t
);
168 hashmap_remove(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
));
172 LIST_PREPEND(transactions_by_scope
, s
->transactions
, t
);
175 s
->manager
->n_transactions_total
++;
185 static void dns_transaction_tentative(DnsTransaction
*t
, DnsPacket
*p
) {
186 _cleanup_free_
char *pretty
= NULL
;
192 if (manager_our_packet(t
->scope
->manager
, p
) != 0)
195 in_addr_to_string(p
->family
, &p
->sender
, &pretty
);
197 log_debug("Transaction %" PRIu16
" for <%s> on scope %s on %s/%s got tentative packet from %s.",
199 dns_transaction_key_string(t
),
200 dns_protocol_to_string(t
->scope
->protocol
),
201 t
->scope
->link
? t
->scope
->link
->name
: "*",
202 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
),
205 /* RFC 4795, Section 4.1 says that the peer with the
206 * lexicographically smaller IP address loses */
207 if (memcmp(&p
->sender
, &p
->destination
, FAMILY_ADDRESS_SIZE(p
->family
)) >= 0) {
208 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
212 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
215 while ((z
= set_first(t
->notify_zone_items
))) {
216 /* First, make sure the zone item drops the reference
218 dns_zone_item_probe_stop(z
);
220 /* Secondly, report this as conflict, so that we might
221 * look for a different hostname */
222 dns_zone_item_conflict(z
);
226 dns_transaction_gc(t
);
229 void dns_transaction_complete(DnsTransaction
*t
, DnsTransactionState state
) {
230 DnsQueryCandidate
*c
;
236 assert(!DNS_TRANSACTION_IS_LIVE(state
));
238 if (state
== DNS_TRANSACTION_DNSSEC_FAILED
)
239 log_struct(LOG_NOTICE
,
240 LOG_MESSAGE("DNSSEC validation failed for question %s: %s", dns_transaction_key_string(t
), dnssec_result_to_string(t
->answer_dnssec_result
)),
241 "DNS_TRANSACTION=%" PRIu16
, t
->id
,
242 "DNS_QUESTION=%s", dns_transaction_key_string(t
),
243 "DNSSEC_RESULT=%s", dnssec_result_to_string(t
->answer_dnssec_result
),
246 /* Note that this call might invalidate the query. Callers
247 * should hence not attempt to access the query or transaction
248 * after calling this function. */
250 log_debug("Transaction %" PRIu16
" for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s).",
252 dns_transaction_key_string(t
),
253 dns_protocol_to_string(t
->scope
->protocol
),
254 t
->scope
->link
? t
->scope
->link
->name
: "*",
255 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
),
256 dns_transaction_state_to_string(state
),
257 t
->answer_source
< 0 ? "none" : dns_transaction_source_to_string(t
->answer_source
),
258 t
->answer_authenticated
? "authenticated" : "unsigned");
262 dns_transaction_close_connection(t
);
263 dns_transaction_stop_timeout(t
);
265 /* Notify all queries that are interested, but make sure the
266 * transaction isn't freed while we are still looking at it */
269 SET_FOREACH(c
, t
->notify_query_candidates
, i
)
270 dns_query_candidate_notify(c
);
271 SET_FOREACH(z
, t
->notify_zone_items
, i
)
272 dns_zone_item_notify(z
);
274 if (!set_isempty(t
->notify_transactions
)) {
278 /* We need to be careful when notifying other
279 * transactions, as that might destroy other
280 * transactions in our list. Hence, in order to be
281 * able to safely iterate through the list of
282 * transactions, take a GC lock on all of them
283 * first. Then, in a second loop, notify them, but
284 * first unlock that specific transaction. */
286 nt
= newa(DnsTransaction
*, set_size(t
->notify_transactions
));
287 SET_FOREACH(d
, t
->notify_transactions
, i
) {
292 assert(n
== set_size(t
->notify_transactions
));
294 for (j
= 0; j
< n
; j
++) {
295 if (set_contains(t
->notify_transactions
, nt
[j
]))
296 dns_transaction_notify(nt
[j
], t
);
299 dns_transaction_gc(nt
[j
]);
304 dns_transaction_gc(t
);
307 static int dns_transaction_pick_server(DnsTransaction
*t
) {
311 assert(t
->scope
->protocol
== DNS_PROTOCOL_DNS
);
313 server
= dns_scope_get_dns_server(t
->scope
);
317 t
->current_features
= dns_server_possible_feature_level(server
);
319 if (server
== t
->server
)
322 dns_server_unref(t
->server
);
323 t
->server
= dns_server_ref(server
);
328 static int on_stream_complete(DnsStream
*s
, int error
) {
329 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
333 assert(s
->transaction
);
335 /* Copy the data we care about out of the stream before we
338 p
= dns_packet_ref(s
->read_packet
);
340 t
->stream
= dns_stream_free(t
->stream
);
342 if (IN_SET(error
, ENOTCONN
, ECONNRESET
, ECONNREFUSED
, ECONNABORTED
, EPIPE
)) {
343 dns_transaction_complete(t
, DNS_TRANSACTION_CONNECTION_FAILURE
);
348 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
352 if (dns_packet_validate_reply(p
) <= 0) {
353 log_debug("Invalid TCP reply packet.");
354 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
358 dns_scope_check_conflicts(t
->scope
, p
);
361 dns_transaction_process_reply(t
, p
);
364 /* If the response wasn't useful, then complete the transition
365 * now. After all, we are the worst feature set now with TCP
366 * sockets, and there's really no point in retrying. */
367 if (t
->state
== DNS_TRANSACTION_PENDING
)
368 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
370 dns_transaction_gc(t
);
375 static int dns_transaction_open_tcp(DnsTransaction
*t
) {
376 _cleanup_close_
int fd
= -1;
381 dns_transaction_close_connection(t
);
383 switch (t
->scope
->protocol
) {
385 case DNS_PROTOCOL_DNS
:
386 r
= dns_transaction_pick_server(t
);
390 r
= dns_server_adjust_opt(t
->server
, t
->sent
, t
->current_features
);
394 fd
= dns_scope_socket_tcp(t
->scope
, AF_UNSPEC
, NULL
, t
->server
, 53);
397 case DNS_PROTOCOL_LLMNR
:
398 /* When we already received a reply to this (but it was truncated), send to its sender address */
400 fd
= dns_scope_socket_tcp(t
->scope
, t
->received
->family
, &t
->received
->sender
, NULL
, t
->received
->sender_port
);
402 union in_addr_union address
;
403 int family
= AF_UNSPEC
;
405 /* Otherwise, try to talk to the owner of a
406 * the IP address, in case this is a reverse
409 r
= dns_name_address(DNS_RESOURCE_KEY_NAME(t
->key
), &family
, &address
);
414 if (family
!= t
->scope
->family
)
417 fd
= dns_scope_socket_tcp(t
->scope
, family
, &address
, NULL
, LLMNR_PORT
);
423 return -EAFNOSUPPORT
;
429 r
= dns_stream_new(t
->scope
->manager
, &t
->stream
, t
->scope
->protocol
, fd
);
434 r
= dns_stream_write_packet(t
->stream
, t
->sent
);
436 t
->stream
= dns_stream_free(t
->stream
);
440 t
->stream
->complete
= on_stream_complete
;
441 t
->stream
->transaction
= t
;
443 /* The interface index is difficult to determine if we are
444 * connecting to the local host, hence fill this in right away
445 * instead of determining it from the socket */
447 t
->stream
->ifindex
= t
->scope
->link
->ifindex
;
449 dns_transaction_reset_answer(t
);
451 t
->tried_stream
= true;
456 static void dns_transaction_cache_answer(DnsTransaction
*t
) {
459 /* For mDNS we cache whenever we get the packet, rather than
460 * in each transaction. */
461 if (!IN_SET(t
->scope
->protocol
, DNS_PROTOCOL_DNS
, DNS_PROTOCOL_LLMNR
))
464 /* We never cache if this packet is from the local host, under
465 * the assumption that a locally running DNS server would
466 * cache this anyway, and probably knows better when to flush
467 * the cache then we could. */
468 if (!DNS_PACKET_SHALL_CACHE(t
->received
))
471 dns_cache_put(&t
->scope
->cache
,
475 t
->answer_authenticated
,
478 &t
->received
->sender
);
481 static bool dns_transaction_dnssec_is_live(DnsTransaction
*t
) {
487 SET_FOREACH(dt
, t
->dnssec_transactions
, i
)
488 if (DNS_TRANSACTION_IS_LIVE(dt
->state
))
494 static void dns_transaction_process_dnssec(DnsTransaction
*t
) {
499 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
500 if (dns_transaction_dnssec_is_live(t
))
503 /* All our auxiliary DNSSEC transactions are complete now. Try
504 * to validate our RRset now. */
505 r
= dns_transaction_validate_dnssec(t
);
507 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
511 if (t
->answer_dnssec_result
== DNSSEC_INCOMPATIBLE_SERVER
&&
512 t
->scope
->dnssec_mode
== DNSSEC_YES
) {
513 /* We are not in automatic downgrade mode, and the
514 * server is bad, refuse operation. */
515 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
519 if (!IN_SET(t
->answer_dnssec_result
,
520 _DNSSEC_RESULT_INVALID
, /* No DNSSEC validation enabled */
521 DNSSEC_VALIDATED
, /* Answer is signed and validated successfully */
522 DNSSEC_UNSIGNED
, /* Answer is right-fully unsigned */
523 DNSSEC_INCOMPATIBLE_SERVER
)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
524 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
528 dns_transaction_cache_answer(t
);
530 if (t
->answer_rcode
== DNS_RCODE_SUCCESS
)
531 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
533 dns_transaction_complete(t
, DNS_TRANSACTION_RCODE_FAILURE
);
536 void dns_transaction_process_reply(DnsTransaction
*t
, DnsPacket
*p
) {
543 assert(t
->scope
->manager
);
545 if (t
->state
!= DNS_TRANSACTION_PENDING
)
548 /* Note that this call might invalidate the query. Callers
549 * should hence not attempt to access the query or transaction
550 * after calling this function. */
552 log_debug("Processing incoming packet on transaction %" PRIu16
".", t
->id
);
554 switch (t
->scope
->protocol
) {
556 case DNS_PROTOCOL_LLMNR
:
557 assert(t
->scope
->link
);
559 /* For LLMNR we will not accept any packets from other
562 if (p
->ifindex
!= t
->scope
->link
->ifindex
)
565 if (p
->family
!= t
->scope
->family
)
568 /* Tentative packets are not full responses but still
569 * useful for identifying uniqueness conflicts during
571 if (DNS_PACKET_LLMNR_T(p
)) {
572 dns_transaction_tentative(t
, p
);
578 case DNS_PROTOCOL_MDNS
:
579 assert(t
->scope
->link
);
581 /* For mDNS we will not accept any packets from other interfaces */
582 if (p
->ifindex
!= t
->scope
->link
->ifindex
)
585 if (p
->family
!= t
->scope
->family
)
590 case DNS_PROTOCOL_DNS
:
594 assert_not_reached("Invalid DNS protocol.");
597 if (t
->received
!= p
) {
598 dns_packet_unref(t
->received
);
599 t
->received
= dns_packet_ref(p
);
602 t
->answer_source
= DNS_TRANSACTION_NETWORK
;
604 if (p
->ipproto
== IPPROTO_TCP
) {
605 if (DNS_PACKET_TC(p
)) {
606 /* Truncated via TCP? Somebody must be fucking with us */
607 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
611 if (DNS_PACKET_ID(p
) != t
->id
) {
612 /* Not the reply to our query? Somebody must be fucking with us */
613 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
618 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
620 switch (t
->scope
->protocol
) {
622 case DNS_PROTOCOL_DNS
:
625 if (IN_SET(DNS_PACKET_RCODE(p
), DNS_RCODE_FORMERR
, DNS_RCODE_SERVFAIL
, DNS_RCODE_NOTIMP
)) {
627 /* Request failed, immediately try again with reduced features */
628 log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p
)));
630 dns_server_packet_failed(t
->server
, t
->current_features
);
632 r
= dns_transaction_go(t
);
634 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
640 dns_server_packet_received(t
->server
, t
->current_features
, ts
- t
->start_usec
, p
->size
);
644 case DNS_PROTOCOL_LLMNR
:
645 case DNS_PROTOCOL_MDNS
:
646 dns_scope_packet_received(t
->scope
, ts
- t
->start_usec
);
650 assert_not_reached("Invalid DNS protocol.");
653 if (DNS_PACKET_TC(p
)) {
655 /* Truncated packets for mDNS are not allowed. Give up immediately. */
656 if (t
->scope
->protocol
== DNS_PROTOCOL_MDNS
) {
657 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
661 /* Response was truncated, let's try again with good old TCP */
662 r
= dns_transaction_open_tcp(t
);
664 /* No servers found? Damn! */
665 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
669 /* On LLMNR, if we cannot connect to the host,
670 * we immediately give up */
671 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
) {
672 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
676 /* On DNS, couldn't send? Try immediately again, with a new server */
677 dns_scope_next_dns_server(t
->scope
);
679 r
= dns_transaction_go(t
);
681 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
689 /* Parse message, if it isn't parsed yet. */
690 r
= dns_packet_extract(p
);
692 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
696 if (IN_SET(t
->scope
->protocol
, DNS_PROTOCOL_DNS
, DNS_PROTOCOL_LLMNR
)) {
698 /* Only consider responses with equivalent query section to the request */
699 r
= dns_packet_is_reply_for(p
, t
->key
);
701 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
705 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
709 /* Install the answer as answer to the transaction */
710 dns_answer_unref(t
->answer
);
711 t
->answer
= dns_answer_ref(p
->answer
);
712 t
->answer_rcode
= DNS_PACKET_RCODE(p
);
713 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
714 t
->answer_authenticated
= false;
716 r
= dns_transaction_request_dnssec_keys(t
);
718 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
722 /* There are DNSSEC transactions pending now. Update the state accordingly. */
723 t
->state
= DNS_TRANSACTION_VALIDATING
;
724 dns_transaction_close_connection(t
);
725 dns_transaction_stop_timeout(t
);
730 dns_transaction_process_dnssec(t
);
733 static int on_dns_packet(sd_event_source
*s
, int fd
, uint32_t revents
, void *userdata
) {
734 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
735 DnsTransaction
*t
= userdata
;
741 r
= manager_recv(t
->scope
->manager
, fd
, DNS_PROTOCOL_DNS
, &p
);
745 if (dns_packet_validate_reply(p
) > 0 &&
746 DNS_PACKET_ID(p
) == t
->id
)
747 dns_transaction_process_reply(t
, p
);
749 log_debug("Invalid DNS UDP packet, ignoring.");
754 static int dns_transaction_emit_udp(DnsTransaction
*t
) {
759 if (t
->scope
->protocol
== DNS_PROTOCOL_DNS
) {
761 r
= dns_transaction_pick_server(t
);
765 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_UDP
)
768 if (r
> 0 || t
->dns_udp_fd
< 0) { /* Server changed, or no connection yet. */
771 dns_transaction_close_connection(t
);
773 fd
= dns_scope_socket_udp(t
->scope
, t
->server
, 53);
777 r
= sd_event_add_io(t
->scope
->manager
->event
, &t
->dns_udp_event_source
, fd
, EPOLLIN
, on_dns_packet
, t
);
786 r
= dns_server_adjust_opt(t
->server
, t
->sent
, t
->current_features
);
790 dns_transaction_close_connection(t
);
792 r
= dns_scope_emit_udp(t
->scope
, t
->dns_udp_fd
, t
->sent
);
796 dns_transaction_reset_answer(t
);
801 static int on_transaction_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
802 DnsTransaction
*t
= userdata
;
808 if (!t
->initial_jitter_scheduled
|| t
->initial_jitter_elapsed
) {
809 /* Timeout reached? Increase the timeout for the server used */
810 switch (t
->scope
->protocol
) {
812 case DNS_PROTOCOL_DNS
:
814 dns_server_packet_lost(t
->server
, t
->current_features
, usec
- t
->start_usec
);
817 case DNS_PROTOCOL_LLMNR
:
818 case DNS_PROTOCOL_MDNS
:
819 dns_scope_packet_lost(t
->scope
, usec
- t
->start_usec
);
823 assert_not_reached("Invalid DNS protocol.");
826 if (t
->initial_jitter_scheduled
)
827 t
->initial_jitter_elapsed
= true;
830 log_debug("Timeout reached on transaction %" PRIu16
".", t
->id
);
832 /* ...and try again with a new server */
833 dns_scope_next_dns_server(t
->scope
);
835 r
= dns_transaction_go(t
);
837 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
842 static usec_t
transaction_get_resend_timeout(DnsTransaction
*t
) {
846 switch (t
->scope
->protocol
) {
848 case DNS_PROTOCOL_DNS
:
850 return t
->server
->resend_timeout
;
852 case DNS_PROTOCOL_MDNS
:
853 assert(t
->n_attempts
> 0);
854 return (1 << (t
->n_attempts
- 1)) * USEC_PER_SEC
;
856 case DNS_PROTOCOL_LLMNR
:
857 return t
->scope
->resend_timeout
;
860 assert_not_reached("Invalid DNS protocol.");
864 static int dns_transaction_prepare(DnsTransaction
*t
, usec_t ts
) {
869 dns_transaction_stop_timeout(t
);
871 if (t
->n_attempts
>= TRANSACTION_ATTEMPTS_MAX(t
->scope
->protocol
)) {
872 dns_transaction_complete(t
, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
);
876 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
&& t
->tried_stream
) {
877 /* If we already tried via a stream, then we don't
878 * retry on LLMNR. See RFC 4795, Section 2.7. */
879 dns_transaction_complete(t
, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
);
886 dns_transaction_reset_answer(t
);
888 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
889 if (t
->scope
->protocol
== DNS_PROTOCOL_DNS
) {
890 r
= dns_trust_anchor_lookup(&t
->scope
->manager
->trust_anchor
, t
->key
, &t
->answer
);
894 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
895 t
->answer_source
= DNS_TRANSACTION_TRUST_ANCHOR
;
896 t
->answer_authenticated
= true;
897 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
902 /* Check the zone, but only if this transaction is not used
903 * for probing or verifying a zone item. */
904 if (set_isempty(t
->notify_zone_items
)) {
906 r
= dns_zone_lookup(&t
->scope
->zone
, t
->key
, &t
->answer
, NULL
, NULL
);
910 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
911 t
->answer_source
= DNS_TRANSACTION_ZONE
;
912 t
->answer_authenticated
= true;
913 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
918 /* Check the cache, but only if this transaction is not used
919 * for probing or verifying a zone item. */
920 if (set_isempty(t
->notify_zone_items
)) {
922 /* Before trying the cache, let's make sure we figured out a
923 * server to use. Should this cause a change of server this
924 * might flush the cache. */
925 dns_scope_get_dns_server(t
->scope
);
927 /* Let's then prune all outdated entries */
928 dns_cache_prune(&t
->scope
->cache
);
930 r
= dns_cache_lookup(&t
->scope
->cache
, t
->key
, &t
->answer_rcode
, &t
->answer
, &t
->answer_authenticated
);
934 t
->answer_source
= DNS_TRANSACTION_CACHE
;
935 if (t
->answer_rcode
== DNS_RCODE_SUCCESS
)
936 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
938 dns_transaction_complete(t
, DNS_TRANSACTION_RCODE_FAILURE
);
946 static int dns_transaction_make_packet_mdns(DnsTransaction
*t
) {
948 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
949 bool add_known_answers
= false;
950 DnsTransaction
*other
;
956 assert(t
->scope
->protocol
== DNS_PROTOCOL_MDNS
);
958 /* Discard any previously prepared packet, so we can start over and coalesce again */
959 t
->sent
= dns_packet_unref(t
->sent
);
961 r
= dns_packet_new_query(&p
, t
->scope
->protocol
, 0, false);
965 r
= dns_packet_append_key(p
, t
->key
, NULL
);
971 if (dns_key_is_shared(t
->key
))
972 add_known_answers
= true;
975 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
976 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
977 * in our current scope, and see whether their timing contraints allow them to be sent.
980 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
982 LIST_FOREACH(transactions_by_scope
, other
, t
->scope
->transactions
) {
988 if (other
->state
!= DNS_TRANSACTION_PENDING
)
991 if (other
->next_attempt_after
> ts
)
994 if (qdcount
>= UINT16_MAX
)
997 r
= dns_packet_append_key(p
, other
->key
, NULL
);
1000 * If we can't stuff more questions into the packet, just give up.
1001 * One of the 'other' transactions will fire later and take care of the rest.
1009 r
= dns_transaction_prepare(other
, ts
);
1013 ts
+= transaction_get_resend_timeout(other
);
1015 r
= sd_event_add_time(
1016 other
->scope
->manager
->event
,
1017 &other
->timeout_event_source
,
1018 clock_boottime_or_monotonic(),
1020 on_transaction_timeout
, other
);
1024 other
->state
= DNS_TRANSACTION_PENDING
;
1025 other
->next_attempt_after
= ts
;
1029 if (dns_key_is_shared(other
->key
))
1030 add_known_answers
= true;
1033 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(qdcount
);
1035 /* Append known answer section if we're asking for any shared record */
1036 if (add_known_answers
) {
1037 r
= dns_cache_export_shared_to_packet(&t
->scope
->cache
, p
);
1048 static int dns_transaction_make_packet(DnsTransaction
*t
) {
1049 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1054 if (t
->scope
->protocol
== DNS_PROTOCOL_MDNS
)
1055 return dns_transaction_make_packet_mdns(t
);
1060 r
= dns_packet_new_query(&p
, t
->scope
->protocol
, 0, t
->scope
->dnssec_mode
!= DNSSEC_NO
);
1064 r
= dns_scope_good_key(t
->scope
, t
->key
);
1070 r
= dns_packet_append_key(p
, t
->key
, NULL
);
1074 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
1075 DNS_PACKET_HEADER(p
)->id
= t
->id
;
1083 int dns_transaction_go(DnsTransaction
*t
) {
1089 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1091 r
= dns_transaction_prepare(t
, ts
);
1095 log_debug("Excercising transaction %" PRIu16
" for <%s> on scope %s on %s/%s.",
1097 dns_transaction_key_string(t
),
1098 dns_protocol_to_string(t
->scope
->protocol
),
1099 t
->scope
->link
? t
->scope
->link
->name
: "*",
1100 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
));
1102 if (!t
->initial_jitter_scheduled
&&
1103 (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
||
1104 t
->scope
->protocol
== DNS_PROTOCOL_MDNS
)) {
1105 usec_t jitter
, accuracy
;
1107 /* RFC 4795 Section 2.7 suggests all queries should be
1108 * delayed by a random time from 0 to JITTER_INTERVAL. */
1110 t
->initial_jitter_scheduled
= true;
1112 random_bytes(&jitter
, sizeof(jitter
));
1114 switch (t
->scope
->protocol
) {
1116 case DNS_PROTOCOL_LLMNR
:
1117 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
1118 accuracy
= LLMNR_JITTER_INTERVAL_USEC
;
1121 case DNS_PROTOCOL_MDNS
:
1122 jitter
%= MDNS_JITTER_RANGE_USEC
;
1123 jitter
+= MDNS_JITTER_MIN_USEC
;
1124 accuracy
= MDNS_JITTER_RANGE_USEC
;
1127 assert_not_reached("bad protocol");
1130 r
= sd_event_add_time(
1131 t
->scope
->manager
->event
,
1132 &t
->timeout_event_source
,
1133 clock_boottime_or_monotonic(),
1134 ts
+ jitter
, accuracy
,
1135 on_transaction_timeout
, t
);
1140 t
->next_attempt_after
= ts
;
1141 t
->state
= DNS_TRANSACTION_PENDING
;
1143 log_debug("Delaying %s transaction for " USEC_FMT
"us.", dns_protocol_to_string(t
->scope
->protocol
), jitter
);
1147 /* Otherwise, we need to ask the network */
1148 r
= dns_transaction_make_packet(t
);
1150 /* Not the right request to make on this network?
1151 * (i.e. an A request made on IPv6 or an AAAA request
1152 * made on IPv4, on LLMNR or mDNS.) */
1153 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
1159 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
&&
1160 (dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), "in-addr.arpa") > 0 ||
1161 dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), "ip6.arpa") > 0)) {
1163 /* RFC 4795, Section 2.4. says reverse lookups shall
1164 * always be made via TCP on LLMNR */
1165 r
= dns_transaction_open_tcp(t
);
1167 /* Try via UDP, and if that fails due to large size or lack of
1168 * support try via TCP */
1169 r
= dns_transaction_emit_udp(t
);
1170 if (r
== -EMSGSIZE
|| r
== -EAGAIN
)
1171 r
= dns_transaction_open_tcp(t
);
1175 /* No servers to send this to? */
1176 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
1179 if (t
->scope
->protocol
!= DNS_PROTOCOL_DNS
) {
1180 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
1184 /* Couldn't send? Try immediately again, with a new server */
1185 dns_scope_next_dns_server(t
->scope
);
1187 return dns_transaction_go(t
);
1190 ts
+= transaction_get_resend_timeout(t
);
1192 r
= sd_event_add_time(
1193 t
->scope
->manager
->event
,
1194 &t
->timeout_event_source
,
1195 clock_boottime_or_monotonic(),
1197 on_transaction_timeout
, t
);
1201 t
->state
= DNS_TRANSACTION_PENDING
;
1202 t
->next_attempt_after
= ts
;
1207 static int dns_transaction_add_dnssec_transaction(DnsTransaction
*t
, DnsResourceKey
*key
, DnsTransaction
**ret
) {
1208 DnsTransaction
*aux
;
1215 aux
= dns_scope_find_transaction(t
->scope
, key
, true);
1217 r
= dns_transaction_new(&aux
, t
->scope
, key
);
1221 if (set_contains(t
->dnssec_transactions
, aux
)) {
1227 r
= set_ensure_allocated(&t
->dnssec_transactions
, NULL
);
1231 r
= set_ensure_allocated(&aux
->notify_transactions
, NULL
);
1235 r
= set_put(t
->dnssec_transactions
, aux
);
1239 r
= set_put(aux
->notify_transactions
, t
);
1241 (void) set_remove(t
->dnssec_transactions
, aux
);
1249 dns_transaction_gc(aux
);
1253 static int dns_transaction_request_dnssec_rr(DnsTransaction
*t
, DnsResourceKey
*key
) {
1254 _cleanup_(dns_answer_unrefp
) DnsAnswer
*a
= NULL
;
1255 DnsTransaction
*aux
;
1261 r
= dns_resource_key_equal(t
->key
, key
);
1264 if (r
> 0) /* Don't go in circles */
1267 /* Try to get the data from the trust anchor */
1268 r
= dns_trust_anchor_lookup(&t
->scope
->manager
->trust_anchor
, key
, &a
);
1272 r
= dns_answer_extend(&t
->validated_keys
, a
);
1279 /* This didn't work, ask for it via the network/cache then. */
1280 r
= dns_transaction_add_dnssec_transaction(t
, key
, &aux
);
1284 if (aux
->state
== DNS_TRANSACTION_NULL
) {
1285 r
= dns_transaction_go(aux
);
1293 static int dns_transaction_has_positive_answer(DnsTransaction
*t
, DnsAnswerFlags
*flags
) {
1298 /* Checks whether the answer is positive, i.e. either a direct
1299 * answer to the question, or a CNAME/DNAME for it */
1301 r
= dns_answer_match_key(t
->answer
, t
->key
, flags
);
1305 r
= dns_answer_find_cname_or_dname(t
->answer
, t
->key
, NULL
, flags
);
1312 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction
*t
) {
1317 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
1318 * RRs to prove it */
1320 r
= dns_transaction_has_positive_answer(t
, NULL
);
1326 /* The answer does not contain any RRs that match to the
1327 * question. If so, let's see if there are any NSEC/NSEC3 RRs
1328 * included. If not, the answer is unsigned. */
1330 r
= dns_answer_contains_nsec_or_nsec3(t
->answer
);
1339 static int dns_transaction_is_primary_response(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1345 /* Check if the specified RR is the "primary" response,
1346 * i.e. either matches the question precisely or is a
1347 * CNAME/DNAME for it, or is any kind of NSEC/NSEC3 RR */
1349 r
= dns_resource_key_match_rr(t
->key
, rr
, NULL
);
1353 r
= dns_resource_key_match_cname_or_dname(t
->key
, rr
->key
, NULL
);
1357 if (rr
->key
->type
== DNS_TYPE_NSEC3
) {
1360 p
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1361 r
= dns_name_parent(&p
);
1365 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), p
);
1373 return rr
->key
->type
== DNS_TYPE_NSEC
;
1376 int dns_transaction_request_dnssec_keys(DnsTransaction
*t
) {
1377 DnsResourceRecord
*rr
;
1384 * Retrieve all auxiliary RRs for the answer we got, so that
1385 * we can verify signatures or prove that RRs are rightfully
1386 * unsigned. Specifically:
1388 * - For RRSIG we get the matching DNSKEY
1389 * - For DNSKEY we get the matching DS
1390 * - For unsigned SOA/NS we get the matching DS
1391 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
1392 * - For other unsigned RRs we get the matching SOA RR
1393 * - For SOA/NS/DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
1394 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
1397 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1400 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_DO
)
1401 return 0; /* Server doesn't do DNSSEC, there's no point in requesting any RRs then. */
1402 if (t
->server
&& t
->server
->rrsig_missing
)
1403 return 0; /* Server handles DNSSEC requests, but isn't augmenting responses with RRSIGs. No point in trying DNSSEC then. */
1405 DNS_ANSWER_FOREACH(rr
, t
->answer
) {
1407 if (dns_type_is_pseudo(rr
->key
->type
))
1410 switch (rr
->key
->type
) {
1412 case DNS_TYPE_RRSIG
: {
1413 /* For each RRSIG we request the matching DNSKEY */
1414 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*dnskey
= NULL
;
1416 /* If this RRSIG is about a DNSKEY RR and the
1417 * signer is the same as the owner, then we
1418 * already have the DNSKEY, and we don't have
1419 * to look for more. */
1420 if (rr
->rrsig
.type_covered
== DNS_TYPE_DNSKEY
) {
1421 r
= dns_name_equal(rr
->rrsig
.signer
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1428 /* If the signer is not a parent of our
1429 * original query, then this is about an
1430 * auxiliary RRset, but not anything we asked
1431 * for. In this case we aren't interested,
1432 * because we don't want to request additional
1433 * RRs for stuff we didn't really ask for, and
1434 * also to avoid request loops, where
1435 * additional RRs from one transaction result
1436 * in another transaction whose additonal RRs
1437 * point back to the original transaction, and
1439 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), rr
->rrsig
.signer
);
1445 dnskey
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DNSKEY
, rr
->rrsig
.signer
);
1449 log_debug("Requesting DNSKEY to validate transaction %" PRIu16
" (%s, RRSIG with key tag: %" PRIu16
").", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), rr
->rrsig
.key_tag
);
1450 r
= dns_transaction_request_dnssec_rr(t
, dnskey
);
1456 case DNS_TYPE_DNSKEY
: {
1457 /* For each DNSKEY we request the matching DS */
1458 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*ds
= NULL
;
1460 /* If the DNSKEY we are looking at is not for
1461 * zone we are interested in, nor any of its
1462 * parents, we aren't interested, and don't
1463 * request it. After all, we don't want to end
1464 * up in request loops, and want to keep
1465 * additional traffic down. */
1467 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1473 ds
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DS
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1477 log_debug("Requesting DS to validate transaction %" PRIu16
" (%s, DNSKEY with key tag: %" PRIu16
").", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), dnssec_keytag(rr
));
1478 r
= dns_transaction_request_dnssec_rr(t
, ds
);
1487 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*ds
= NULL
;
1489 /* For an unsigned SOA or NS, try to acquire
1490 * the matching DS RR, as we are at a zone cut
1491 * then, and whether a DS exists tells us
1492 * whether the zone is signed. Do so only if
1493 * this RR matches our original question,
1496 r
= dns_resource_key_match_rr(t
->key
, rr
, NULL
);
1502 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1508 ds
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DS
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1512 log_debug("Requesting DS to validate transaction %" PRIu16
" (%s, unsigned SOA/NS RRset).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1513 r
= dns_transaction_request_dnssec_rr(t
, ds
);
1521 case DNS_TYPE_CNAME
:
1522 case DNS_TYPE_DNAME
: {
1523 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1526 /* CNAMEs and DNAMEs cannot be located at a
1527 * zone apex, hence ask for the parent SOA for
1528 * unsigned CNAME/DNAME RRs, maybe that's the
1529 * apex. But do all that only if this is
1530 * actually a response to our original
1533 * Similar for DS RRs, which are signed when
1534 * the parent SOA is signed. */
1536 r
= dns_transaction_is_primary_response(t
, rr
);
1542 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1548 name
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1549 r
= dns_name_parent(&name
);
1555 soa
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_SOA
, name
);
1559 log_debug("Requesting parent SOA to validate transaction %" PRIu16
" (%s, unsigned CNAME/DNAME/DS RRset).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1560 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1568 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1570 /* For other unsigned RRsets (including
1571 * NSEC/NSEC3!), look for proof the zone is
1572 * unsigned, by requesting the SOA RR of the
1573 * zone. However, do so only if they are
1574 * directly relevant to our original
1577 r
= dns_transaction_is_primary_response(t
, rr
);
1583 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1589 soa
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_SOA
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1593 log_debug("Requesting SOA to validate transaction %" PRIu16
" (%s, unsigned non-SOA/NS RRset <%s>).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), dns_resource_record_to_string(rr
));
1594 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1601 /* Above, we requested everything necessary to validate what
1602 * we got. Now, let's request what we need to validate what we
1605 r
= dns_transaction_has_unsigned_negative_answer(t
);
1611 name
= DNS_RESOURCE_KEY_NAME(t
->key
);
1613 /* If this was a SOA or NS request, then this
1614 * indicates that we are not at a zone apex, hence ask
1615 * the parent name instead. If this was a DS request,
1616 * then it's signed when the parent zone is signed,
1617 * hence ask the parent in that case, too. */
1619 if (IN_SET(t
->key
->type
, DNS_TYPE_SOA
, DNS_TYPE_NS
, DNS_TYPE_DS
)) {
1620 r
= dns_name_parent(&name
);
1624 log_debug("Requesting parent SOA to validate transaction %" PRIu16
" (%s, unsigned empty SOA/NS/DS response).", t
->id
, DNS_RESOURCE_KEY_NAME(t
->key
));
1628 log_debug("Requesting SOA to validate transaction %" PRIu16
" (%s, unsigned empty non-SOA/NS/DS response).", t
->id
, DNS_RESOURCE_KEY_NAME(t
->key
));
1631 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1633 soa
= dns_resource_key_new(t
->key
->class, DNS_TYPE_SOA
, name
);
1637 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1643 return dns_transaction_dnssec_is_live(t
);
1646 void dns_transaction_notify(DnsTransaction
*t
, DnsTransaction
*source
) {
1652 if (!IN_SET(t
->state
, DNS_TRANSACTION_PENDING
, DNS_TRANSACTION_VALIDATING
))
1655 /* Invoked whenever any of our auxiliary DNSSEC transactions
1656 completed its work. We copy any RRs from that transaction
1657 over into our list of validated keys -- but only if the
1658 answer is authenticated.
1660 Note that we fail our transaction if the auxiliary
1661 transaction failed, except on NXDOMAIN. This is because
1662 some broken DNS servers (Akamai...) will return NXDOMAIN
1663 for empty non-terminals. */
1665 switch (source
->state
) {
1667 case DNS_TRANSACTION_DNSSEC_FAILED
:
1669 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(source
->answer_dnssec_result
));
1670 t
->answer_dnssec_result
= source
->answer_dnssec_result
; /* Copy error code over */
1671 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
1674 case DNS_TRANSACTION_RCODE_FAILURE
:
1676 if (source
->answer_rcode
!= DNS_RCODE_NXDOMAIN
) {
1677 log_debug("Auxiliary DNSSEC RR query failed with rcode=%i.", source
->answer_rcode
);
1681 /* fall-through: NXDOMAIN is good enough for us */
1683 case DNS_TRANSACTION_SUCCESS
:
1684 if (source
->answer_authenticated
) {
1685 r
= dns_answer_extend(&t
->validated_keys
, source
->answer
);
1687 log_error_errno(r
, "Failed to merge validated DNSSEC key data: %m");
1692 /* If the state is still PENDING, we are still in the loop
1693 * that adds further DNSSEC transactions, hence don't check if
1694 * we are ready yet. If the state is VALIDATING however, we
1695 * should check if we are complete now. */
1696 if (t
->state
== DNS_TRANSACTION_VALIDATING
)
1697 dns_transaction_process_dnssec(t
);
1701 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(source
->state
));
1708 t
->answer_dnssec_result
= DNSSEC_FAILED_AUXILIARY
;
1709 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
1712 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction
*t
) {
1713 DnsResourceRecord
*rr
;
1718 /* Add all DNSKEY RRs from the answer that are validated by DS
1719 * RRs from the list of validated keys to the list of
1720 * validated keys. */
1722 DNS_ANSWER_FOREACH_IFINDEX(rr
, ifindex
, t
->answer
) {
1724 r
= dnssec_verify_dnskey_search(rr
, t
->validated_keys
);
1730 /* If so, the DNSKEY is validated too. */
1731 r
= dns_answer_add_extend(&t
->validated_keys
, rr
, ifindex
, DNS_ANSWER_AUTHENTICATED
);
1739 static int dns_transaction_requires_rrsig(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1745 /* Checks if the RR we are looking for must be signed with an
1746 * RRSIG. This is used for positive responses. */
1748 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1751 if (dns_type_is_pseudo(rr
->key
->type
))
1754 switch (rr
->key
->type
) {
1756 case DNS_TYPE_RRSIG
:
1757 /* RRSIGs are the signatures themselves, they need no signing. */
1765 /* For SOA or NS RRs we look for a matching DS transaction */
1767 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1769 if (dt
->key
->class != rr
->key
->class)
1771 if (dt
->key
->type
!= DNS_TYPE_DS
)
1774 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1780 /* We found a DS transactions for the SOA/NS
1781 * RRs we are looking at. If it discovered signed DS
1782 * RRs, then we need to be signed, too. */
1784 if (!dt
->answer_authenticated
)
1787 return dns_answer_match_key(dt
->answer
, dt
->key
, NULL
);
1790 /* We found nothing that proves this is safe to leave
1791 * this unauthenticated, hence ask inist on
1792 * authentication. */
1797 case DNS_TYPE_CNAME
:
1798 case DNS_TYPE_DNAME
: {
1799 const char *parent
= NULL
;
1804 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
1806 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
1809 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1811 if (dt
->key
->class != rr
->key
->class)
1813 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1817 parent
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1818 r
= dns_name_parent(&parent
);
1822 if (rr
->key
->type
== DNS_TYPE_DS
)
1825 /* A CNAME/DNAME without a parent? That's sooo weird. */
1826 log_debug("Transaction %" PRIu16
" claims CNAME/DNAME at root. Refusing.", t
->id
);
1831 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), parent
);
1837 return t
->answer_authenticated
;
1847 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
1849 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1851 if (dt
->key
->class != rr
->key
->class)
1853 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1856 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1862 /* We found the transaction that was supposed to find
1863 * the SOA RR for us. It was successful, but found no
1864 * RR for us. This means we are not at a zone cut. In
1865 * this case, we require authentication if the SOA
1866 * lookup was authenticated too. */
1867 return t
->answer_authenticated
;
1874 static int dns_transaction_requires_nsec(DnsTransaction
*t
) {
1882 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
1883 * this negative reply */
1885 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1888 if (dns_type_is_pseudo(t
->key
->type
))
1891 name
= DNS_RESOURCE_KEY_NAME(t
->key
);
1893 if (IN_SET(t
->key
->type
, DNS_TYPE_SOA
, DNS_TYPE_NS
, DNS_TYPE_DS
)) {
1895 /* We got a negative reply for this SOA/NS lookup? If
1896 * so, then we are not at a zone apex, and thus should
1897 * look at the result of the parent SOA lookup.
1899 * We got a negative reply for this DS lookup? DS RRs
1900 * are signed when their parent zone is signed, hence
1901 * also check the parent SOA in this case. */
1903 r
= dns_name_parent(&name
);
1910 /* For all other RRs we check the SOA on the same level to see
1911 * if it's signed. */
1913 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1915 if (dt
->key
->class != t
->key
->class)
1917 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1920 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), name
);
1926 return dt
->answer_authenticated
;
1929 /* If in doubt, require NSEC/NSEC3 */
1933 static int dns_transaction_dnskey_authenticated(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1934 DnsResourceRecord
*rrsig
;
1938 /* Checks whether any of the DNSKEYs used for the RRSIGs for
1939 * the specified RRset is authenticated (i.e. has a matching
1942 DNS_ANSWER_FOREACH(rrsig
, t
->answer
) {
1946 r
= dnssec_key_match_rrsig(rr
->key
, rrsig
);
1952 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1954 if (dt
->key
->class != rr
->key
->class)
1957 if (dt
->key
->type
== DNS_TYPE_DNSKEY
) {
1959 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), rrsig
->rrsig
.signer
);
1965 /* OK, we found an auxiliary DNSKEY
1966 * lookup. If that lookup is
1967 * authenticated, report this. */
1969 if (dt
->answer_authenticated
)
1974 } else if (dt
->key
->type
== DNS_TYPE_DS
) {
1976 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), rrsig
->rrsig
.signer
);
1982 /* OK, we found an auxiliary DS
1983 * lookup. If that lookup is
1984 * authenticated and non-zero, we
1987 if (!dt
->answer_authenticated
)
1990 return dns_answer_match_key(dt
->answer
, dt
->key
, NULL
);
1995 return found
? false : -ENXIO
;
1998 static int dns_transaction_known_signed(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
2002 /* We know that the root domain is signed, hence if it appears
2003 * not to be signed, there's a problem with the DNS server */
2005 return rr
->key
->class == DNS_CLASS_IN
&&
2006 dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr
->key
));
2009 int dns_transaction_validate_dnssec(DnsTransaction
*t
) {
2010 _cleanup_(dns_answer_unrefp
) DnsAnswer
*validated
= NULL
;
2011 bool dnskeys_finalized
= false;
2012 DnsResourceRecord
*rr
;
2013 DnsAnswerFlags flags
;
2018 /* We have now collected all DS and DNSKEY RRs in
2019 * t->validated_keys, let's see which RRs we can now
2020 * authenticate with that. */
2022 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
2025 /* Already validated */
2026 if (t
->answer_dnssec_result
!= _DNSSEC_RESULT_INVALID
)
2029 /* Our own stuff needs no validation */
2030 if (IN_SET(t
->answer_source
, DNS_TRANSACTION_ZONE
, DNS_TRANSACTION_TRUST_ANCHOR
)) {
2031 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2032 t
->answer_authenticated
= true;
2036 /* Cached stuff is not affected by validation. */
2037 if (t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
2040 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_DO
||
2041 (t
->server
&& t
->server
->rrsig_missing
)) {
2042 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
2043 t
->answer_dnssec_result
= DNSSEC_INCOMPATIBLE_SERVER
;
2047 log_debug("Validating response from transaction %" PRIu16
" (%s).", t
->id
, dns_transaction_key_string(t
));
2049 /* First see if there are DNSKEYs we already known a validated DS for. */
2050 r
= dns_transaction_validate_dnskey_by_ds(t
);
2055 bool changed
= false;
2057 DNS_ANSWER_FOREACH(rr
, t
->answer
) {
2058 DnssecResult result
;
2060 if (rr
->key
->type
== DNS_TYPE_RRSIG
)
2063 r
= dnssec_verify_rrset_search(t
->answer
, rr
->key
, t
->validated_keys
, USEC_INFINITY
, &result
);
2067 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr
)), dnssec_result_to_string(result
));
2069 if (result
== DNSSEC_VALIDATED
) {
2071 if (rr
->key
->type
== DNS_TYPE_DNSKEY
) {
2072 /* If we just validated a
2073 * DNSKEY RRset, then let's
2074 * add these keys to the set
2075 * of validated keys for this
2078 r
= dns_answer_copy_by_key(&t
->validated_keys
, t
->answer
, rr
->key
, DNS_ANSWER_AUTHENTICATED
);
2083 /* Add the validated RRset to the new
2084 * list of validated RRsets, and
2085 * remove it from the unvalidated
2086 * RRsets. We mark the RRset as
2087 * authenticated and cacheable. */
2088 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, DNS_ANSWER_AUTHENTICATED
|DNS_ANSWER_CACHEABLE
);
2092 t
->scope
->manager
->n_dnssec_secure
++;
2094 /* Exit the loop, we dropped something from the answer, start from the beginning */
2098 } else if (dnskeys_finalized
) {
2100 /* If we haven't read all DNSKEYs yet
2101 * a negative result of the validation
2102 * is irrelevant, as there might be
2103 * more DNSKEYs coming. */
2105 if (result
== DNSSEC_NO_SIGNATURE
) {
2106 r
= dns_transaction_requires_rrsig(t
, rr
);
2110 /* Data does not require signing. In that case, just copy it over,
2111 * but remember that this is by no means authenticated.*/
2112 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2116 t
->scope
->manager
->n_dnssec_insecure
++;
2122 r
= dns_transaction_known_signed(t
, rr
);
2126 /* This is an RR we know has to be signed. If it isn't this means
2127 * the server is not attaching RRSIGs, hence complain. */
2129 dns_server_packet_rrsig_missing(t
->server
);
2131 if (t
->scope
->dnssec_mode
== DNSSEC_DOWNGRADE_OK
) {
2133 /* Downgrading is OK? If so, just consider the information unsigned */
2135 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2139 t
->scope
->manager
->n_dnssec_insecure
++;
2144 /* Otherwise, fail */
2145 t
->answer_dnssec_result
= DNSSEC_INCOMPATIBLE_SERVER
;
2152 DNSSEC_SIGNATURE_EXPIRED
,
2153 DNSSEC_UNSUPPORTED_ALGORITHM
)) {
2155 r
= dns_transaction_dnskey_authenticated(t
, rr
);
2156 if (r
< 0 && r
!= -ENXIO
)
2159 /* The DNSKEY transaction was not authenticated, this means there's
2160 * no DS for this, which means it's OK if no keys are found for this signature. */
2162 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2166 t
->scope
->manager
->n_dnssec_insecure
++;
2175 DNSSEC_SIGNATURE_EXPIRED
,
2176 DNSSEC_NO_SIGNATURE
,
2177 DNSSEC_UNSUPPORTED_ALGORITHM
))
2178 t
->scope
->manager
->n_dnssec_bogus
++;
2180 t
->scope
->manager
->n_dnssec_indeterminate
++;
2182 r
= dns_transaction_is_primary_response(t
, rr
);
2186 /* This is a primary response
2187 * to our question, and it
2188 * failed validation. That's
2190 t
->answer_dnssec_result
= result
;
2194 /* This is just some auxiliary
2195 * data. Just remove the RRset and
2197 r
= dns_answer_remove_by_key(&t
->answer
, rr
->key
);
2201 /* Exit the loop, we dropped something from the answer, start from the beginning */
2210 if (!dnskeys_finalized
) {
2211 /* OK, now we know we have added all DNSKEYs
2212 * we possibly could to our validated
2213 * list. Now run the whole thing once more,
2214 * and strip everything we still cannot
2217 dnskeys_finalized
= true;
2225 dns_answer_unref(t
->answer
);
2226 t
->answer
= validated
;
2229 /* At this point the answer only contains validated
2230 * RRsets. Now, let's see if it actually answers the question
2231 * we asked. If so, great! If it doesn't, then see if
2232 * NSEC/NSEC3 can prove this. */
2233 r
= dns_transaction_has_positive_answer(t
, &flags
);
2235 /* Yes, it answers the question! */
2237 if (flags
& DNS_ANSWER_AUTHENTICATED
) {
2238 /* The answer is fully authenticated, yay. */
2239 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2240 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
2241 t
->answer_authenticated
= true;
2243 /* The answer is not fully authenticated. */
2244 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2245 t
->answer_authenticated
= false;
2248 } else if (r
== 0) {
2249 DnssecNsecResult nr
;
2250 bool authenticated
= false;
2252 /* Bummer! Let's check NSEC/NSEC3 */
2253 r
= dnssec_test_nsec(t
->answer
, t
->key
, &nr
, &authenticated
);
2259 case DNSSEC_NSEC_NXDOMAIN
:
2260 /* NSEC proves the domain doesn't exist. Very good. */
2261 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2262 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2263 t
->answer_rcode
= DNS_RCODE_NXDOMAIN
;
2264 t
->answer_authenticated
= authenticated
;
2267 case DNSSEC_NSEC_NODATA
:
2268 /* NSEC proves that there's no data here, very good. */
2269 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2270 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2271 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
2272 t
->answer_authenticated
= authenticated
;
2275 case DNSSEC_NSEC_OPTOUT
:
2276 /* NSEC3 says the data might not be signed */
2277 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2278 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2279 t
->answer_authenticated
= false;
2282 case DNSSEC_NSEC_NO_RR
:
2283 /* No NSEC data? Bummer! */
2285 r
= dns_transaction_requires_nsec(t
);
2289 t
->answer_dnssec_result
= DNSSEC_NO_SIGNATURE
;
2291 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2292 t
->answer_authenticated
= false;
2297 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM
:
2298 /* We don't know the NSEC3 algorithm used? */
2299 t
->answer_dnssec_result
= DNSSEC_UNSUPPORTED_ALGORITHM
;
2302 case DNSSEC_NSEC_FOUND
:
2303 case DNSSEC_NSEC_CNAME
:
2304 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
2305 t
->answer_dnssec_result
= DNSSEC_NSEC_MISMATCH
;
2309 assert_not_reached("Unexpected NSEC result.");
2316 const char *dns_transaction_key_string(DnsTransaction
*t
) {
2319 if (!t
->key_string
) {
2320 if (dns_resource_key_to_string(t
->key
, &t
->key_string
) < 0)
2324 return strstrip(t
->key_string
);
2327 static const char* const dns_transaction_state_table
[_DNS_TRANSACTION_STATE_MAX
] = {
2328 [DNS_TRANSACTION_NULL
] = "null",
2329 [DNS_TRANSACTION_PENDING
] = "pending",
2330 [DNS_TRANSACTION_VALIDATING
] = "validating",
2331 [DNS_TRANSACTION_RCODE_FAILURE
] = "rcode-failure",
2332 [DNS_TRANSACTION_SUCCESS
] = "success",
2333 [DNS_TRANSACTION_NO_SERVERS
] = "no-servers",
2334 [DNS_TRANSACTION_TIMEOUT
] = "timeout",
2335 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
] = "attempts-max-reached",
2336 [DNS_TRANSACTION_INVALID_REPLY
] = "invalid-reply",
2337 [DNS_TRANSACTION_RESOURCES
] = "resources",
2338 [DNS_TRANSACTION_CONNECTION_FAILURE
] = "connection-failure",
2339 [DNS_TRANSACTION_ABORTED
] = "aborted",
2340 [DNS_TRANSACTION_DNSSEC_FAILED
] = "dnssec-failed",
2342 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state
, DnsTransactionState
);
2344 static const char* const dns_transaction_source_table
[_DNS_TRANSACTION_SOURCE_MAX
] = {
2345 [DNS_TRANSACTION_NETWORK
] = "network",
2346 [DNS_TRANSACTION_CACHE
] = "cache",
2347 [DNS_TRANSACTION_ZONE
] = "zone",
2348 [DNS_TRANSACTION_TRUST_ANCHOR
] = "trust-anchor",
2350 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source
, DnsTransactionSource
);