]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Drop the text argument from assert_not_reached()
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
ec2c5e43 2
62cc1c55 3#include "sd-messages.h"
beef6a5f 4
ec2c5e43 5#include "af-list.h"
b5efdb8a 6#include "alloc-util.h"
f52e61da 7#include "dns-domain.h"
7cc6ed7b 8#include "errno-list.h"
c3fecddf 9#include "errno-util.h"
3ffd4af2
LP		 10#include "fd-util.h"
11#include "random-util.h"
7778dfff 12#include "resolved-dns-cache.h"
3ffd4af2 13#include "resolved-dns-transaction.h"
6016fcb0 14#include "resolved-dnstls.h"
aedf00a2 15#include "resolved-llmnr.h"
6016fcb0 16#include "string-table.h"
5d67a7ae 17
b214dc0f 18#define TRANSACTIONS_MAX 4096
dc349f5f 19#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
b214dc0f 20
dbc4661a
MCO		 21/* After how much time to repeat classic DNS requests */
22#define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
23
c61d2b44
LP		 24static void dns_transaction_reset_answer(DnsTransaction *t) {
25 assert(t);
26
27 t->received = dns_packet_unref(t->received);
28 t->answer = dns_answer_unref(t->answer);
29 t->answer_rcode = 0;
30 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
31 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
6f055e43 32 t->answer_query_flags = 0;
f5fbe71d 33 t->answer_nsec_ttl = UINT32_MAX;
7cc6ed7b 34 t->answer_errno = 0;
c61d2b44
LP		 35}
36
c5b4f861
LP		 37static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
38 DnsTransaction *z;
39
40 assert(t);
41
42 while ((z = set_steal_first(t->dnssec_transactions))) {
43 set_remove(z->notify_transactions, t);
35aa04e9 44 set_remove(z->notify_transactions_done, t);
c5b4f861
LP		 45 dns_transaction_gc(z);
46 }
47}
48
80710ade
LP		 49static void dns_transaction_close_connection(
50 DnsTransaction *t,
51 bool use_graveyard) { /* Set use_graveyard = false when you know the connection is already
52 * dead, for example because you got a connection error back from the
53 * kernel. In that case there's no point in keeping the fd around,
54 * hence don't. */
55 int r;
56
f32f0e57
LP		 57 assert(t);
58
b30bf55d
LP		 59 if (t->stream) {
60 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
98767d75
IT		 61 LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
62
63 /* Remove packet in case it's still in the queue */
64 dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
65
b30bf55d
LP		 66 t->stream = dns_stream_unref(t->stream);
67 }
68
97935302 69 t->dns_udp_event_source = sd_event_source_disable_unref(t->dns_udp_event_source);
80710ade
LP		 70
71 /* If we have an UDP socket where we sent a packet, but never received one, then add it to the socket
72 * graveyard, instead of closing it right away. That way it will stick around for a moment longer,
73 * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP
74 * port unreachable error message. */
75
76 if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) {
77 r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd);
78 if (r < 0)
79 log_debug_errno(r, "Failed to add UDP socket to graveyard, closing immediately: %m");
80 else
81 TAKE_FD(t->dns_udp_fd);
82 }
83
f32f0e57
LP		 84 t->dns_udp_fd = safe_close(t->dns_udp_fd);
85}
86
f535705a 87static void dns_transaction_stop_timeout(DnsTransaction *t) {
97cc656c
LP		 88 assert(t);
89
97935302 90 t->timeout_event_source = sd_event_source_disable_unref(t->timeout_event_source);
97cc656c
LP		 91}
92
ec2c5e43 93DnsTransaction* dns_transaction_free(DnsTransaction *t) {
801ad6a6 94 DnsQueryCandidate *c;
ec2c5e43 95 DnsZoneItem *i;
547973de 96 DnsTransaction *z;
ec2c5e43
LP		 97
98 if (!t)
99 return NULL;
100
51e399bc
LP		 101 log_debug("Freeing transaction %" PRIu16 ".", t->id);
102
80710ade 103 dns_transaction_close_connection(t, true);
f535705a 104 dns_transaction_stop_timeout(t);
ec2c5e43 105
ec2c5e43 106 dns_packet_unref(t->sent);
c61d2b44 107 dns_transaction_reset_answer(t);
ec2c5e43 108
8300ba21 109 dns_server_unref(t->server);
ec2c5e43
LP		 110
111 if (t->scope) {
775ae354
LP		 112 if (t->key) {
113 DnsTransaction *first;
114
115 first = hashmap_get(t->scope->transactions_by_key, t->key);
116 LIST_REMOVE(transactions_by_key, first, t);
117 if (first)
118 hashmap_replace(t->scope->transactions_by_key, first->key, first);
119 else
120 hashmap_remove(t->scope->transactions_by_key, t->key);
121 }
ec2c5e43 122
775ae354 123 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
ec2c5e43 124
013668db
LP		 125 if (t->id != 0)
126 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
127 }
775ae354 128
547973de 129 while ((c = set_steal_first(t->notify_query_candidates)))
801ad6a6 130 set_remove(c->transactions, t);
547973de 131 set_free(t->notify_query_candidates);
801ad6a6 132
35aa04e9
LP		 133 while ((c = set_steal_first(t->notify_query_candidates_done)))
134 set_remove(c->transactions, t);
135 set_free(t->notify_query_candidates_done);
136
547973de 137 while ((i = set_steal_first(t->notify_zone_items)))
ec2c5e43 138 i->probe_transaction = NULL;
547973de
LP		 139 set_free(t->notify_zone_items);
140
35aa04e9
LP		 141 while ((i = set_steal_first(t->notify_zone_items_done)))
142 i->probe_transaction = NULL;
143 set_free(t->notify_zone_items_done);
144
547973de
LP		 145 while ((z = set_steal_first(t->notify_transactions)))
146 set_remove(z->dnssec_transactions, t);
147 set_free(t->notify_transactions);
148
35aa04e9
LP		 149 while ((z = set_steal_first(t->notify_transactions_done)))
150 set_remove(z->dnssec_transactions, t);
151 set_free(t->notify_transactions_done);
152
c5b4f861 153 dns_transaction_flush_dnssec_transactions(t);
547973de
LP		 154 set_free(t->dnssec_transactions);
155
156 dns_answer_unref(t->validated_keys);
97cc656c 157 dns_resource_key_unref(t->key);
775ae354 158 dns_packet_unref(t->bypass);
97cc656c 159
6b430fdb 160 return mfree(t);
ec2c5e43
LP		 161}
162
163DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
164
1f388301 165DnsTransaction* dns_transaction_gc(DnsTransaction *t) {
ec2c5e43
LP		 166 assert(t);
167
1f388301
ZJS		 168 /* Returns !NULL if we can't gc yet. */
169
ec2c5e43 170 if (t->block_gc > 0)
1f388301 171 return t;
ec2c5e43 172
547973de 173 if (set_isempty(t->notify_query_candidates) &&
35aa04e9 174 set_isempty(t->notify_query_candidates_done) &&
547973de 175 set_isempty(t->notify_zone_items) &&
35aa04e9
LP		 176 set_isempty(t->notify_zone_items_done) &&
177 set_isempty(t->notify_transactions) &&
1f388301
ZJS		 178 set_isempty(t->notify_transactions_done))
179 return dns_transaction_free(t);
51e399bc 180
1f388301 181 return t;
ec2c5e43
LP		 182}
183
4dd15077
LP		 184static uint16_t pick_new_id(Manager *m) {
185 uint16_t new_id;
186
4ea8b443
ZJS		 187 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the
188 * number of transactions, and it's much lower than the space of IDs. */
4dd15077
LP		 189
190 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
191
192 do
193 random_bytes(&new_id, sizeof(new_id));
194 while (new_id == 0 ||
195 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
196
197 return new_id;
198}
199
775ae354
LP		 200static int key_ok(
201 DnsScope *scope,
202 DnsResourceKey *key) {
ec2c5e43 203
9eae2bf3 204 /* Don't allow looking up invalid or pseudo RRs */
c463eb78 205 if (!dns_type_is_valid_query(key->type))
9eae2bf3 206 return -EINVAL;
d0129ddb
LP		 207 if (dns_type_is_obsolete(key->type))
208 return -EOPNOTSUPP;
9eae2bf3
LP		 209
210 /* We only support the IN class */
4c701096 211 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
9eae2bf3
LP		 212 return -EOPNOTSUPP;
213
775ae354
LP		 214 /* Don't allows DNSSEC RRs to be looked up via LLMNR/mDNS. They don't really make sense
215 * there, and it speeds up our queries if we refuse this early */
216 if (scope->protocol != DNS_PROTOCOL_DNS &&
217 dns_type_is_dnssec(key->type))
218 return -EOPNOTSUPP;
219
220 return 0;
221}
222
223int dns_transaction_new(
224 DnsTransaction **ret,
225 DnsScope *s,
226 DnsResourceKey *key,
227 DnsPacket *bypass,
228 uint64_t query_flags) {
229
230 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
231 int r;
232
233 assert(ret);
234 assert(s);
235
236 if (key) {
237 assert(!bypass);
238
239 r = key_ok(s, key);
240 if (r < 0)
241 return r;
242 } else {
243 DnsResourceKey *qk;
244 assert(bypass);
245
246 r = dns_packet_validate_query(bypass);
247 if (r < 0)
248 return r;
249
250 DNS_QUESTION_FOREACH(qk, bypass->question) {
251 r = key_ok(s, qk);
252 if (r < 0)
253 return r;
254 }
255 }
256
b214dc0f
LP		 257 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
258 return -EBUSY;
259
d5099efc 260 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
ec2c5e43
LP		 261 if (r < 0)
262 return r;
263
775ae354
LP		 264 if (key) {
265 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
266 if (r < 0)
267 return r;
268 }
da0c630e 269
1ed31408 270 t = new(DnsTransaction, 1);
ec2c5e43
LP		 271 if (!t)
272 return -ENOMEM;
273
1ed31408
LP		 274 *t = (DnsTransaction) {
275 .dns_udp_fd = -1,
276 .answer_source = _DNS_TRANSACTION_SOURCE_INVALID,
277 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
f5fbe71d 278 .answer_nsec_ttl = UINT32_MAX,
1ed31408 279 .key = dns_resource_key_ref(key),
775ae354
LP		 280 .query_flags = query_flags,
281 .bypass = dns_packet_ref(bypass),
1ed31408 282 .current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed4e584
LP		 283 .clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID,
284 .clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed31408
LP		 285 .id = pick_new_id(s->manager),
286 };
ec2c5e43
LP		 287
288 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
289 if (r < 0) {
290 t->id = 0;
291 return r;
292 }
293
775ae354
LP		 294 if (t->key) {
295 DnsTransaction *first;
296
297 first = hashmap_get(s->transactions_by_key, t->key);
298 LIST_PREPEND(transactions_by_key, first, t);
299
300 r = hashmap_replace(s->transactions_by_key, first->key, first);
301 if (r < 0) {
302 LIST_REMOVE(transactions_by_key, first, t);
303 return r;
304 }
da0c630e
LP		 305 }
306
f9ebb22a 307 LIST_PREPEND(transactions_by_scope, s->transactions, t);
ec2c5e43
LP		 308 t->scope = s;
309
313cefa1 310 s->manager->n_transactions_total++;
a150ff5e 311
ec2c5e43
LP		 312 if (ret)
313 *ret = t;
314
775ae354 315 TAKE_PTR(t);
ec2c5e43
LP		 316 return 0;
317}
318
4dd15077
LP		 319static void dns_transaction_shuffle_id(DnsTransaction *t) {
320 uint16_t new_id;
321 assert(t);
322
323 /* Pick a new ID for this transaction. */
324
325 new_id = pick_new_id(t->scope->manager);
326 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
327
328 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
329 t->id = new_id;
330
331 /* Make sure we generate a new packet with the new ID */
332 t->sent = dns_packet_unref(t->sent);
333}
334
ec2c5e43 335static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
2fb3034c 336 _cleanup_free_ char *pretty = NULL;
202b76ae 337 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43 338 DnsZoneItem *z;
ec2c5e43
LP		 339
340 assert(t);
341 assert(p);
94378145 342 assert(t->scope->protocol == DNS_PROTOCOL_LLMNR);
ec2c5e43 343
94378145 344 if (manager_packet_from_local_address(t->scope->manager, p) != 0)
ec2c5e43
LP		 345 return;
346
164d025d 347 (void) in_addr_to_string(p->family, &p->sender, &pretty);
2fb3034c 348
a5784c49
LP		 349 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
350 t->id,
42df9532 351 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 352 dns_protocol_to_string(t->scope->protocol),
6ff79f76 353 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 354 af_to_name_short(t->scope->family),
164d025d 355 strnull(pretty));
ec2c5e43 356
a4076574
LP		 357 /* RFC 4795, Section 4.1 says that the peer with the
358 * lexicographically smaller IP address loses */
4d91eec4
LP		 359 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
360 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
a4076574
LP		 361 return;
362 }
363
4d91eec4 364 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
a4076574 365
ec2c5e43 366 t->block_gc++;
35aa04e9 367
547973de 368 while ((z = set_first(t->notify_zone_items))) {
3ef64445
LP		 369 /* First, make sure the zone item drops the reference
370 * to us */
371 dns_zone_item_probe_stop(z);
372
373 /* Secondly, report this as conflict, so that we might
374 * look for a different hostname */
ec2c5e43 375 dns_zone_item_conflict(z);
3ef64445 376 }
ec2c5e43
LP		 377 t->block_gc--;
378
379 dns_transaction_gc(t);
380}
381
382void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
801ad6a6 383 DnsQueryCandidate *c;
ec2c5e43 384 DnsZoneItem *z;
547973de 385 DnsTransaction *d;
7cc6ed7b 386 const char *st;
202b76ae 387 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43
LP		 388
389 assert(t);
547973de 390 assert(!DNS_TRANSACTION_IS_LIVE(state));
e56187ca 391
202b76ae 392 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
42df9532 393 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
202b76ae 394
f61dfddb 395 log_struct(LOG_NOTICE,
2b044526 396 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
202b76ae 397 LOG_MESSAGE("DNSSEC validation failed for question %s: %s", key_str, dnssec_result_to_string(t->answer_dnssec_result)),
f61dfddb 398 "DNS_TRANSACTION=%" PRIu16, t->id,
202b76ae 399 "DNS_QUESTION=%s", key_str,
f61dfddb 400 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
8aa5afd2 401 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
a1230ff9 402 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
202b76ae 403 }
f61dfddb 404
ec2c5e43
LP		 405 /* Note that this call might invalidate the query. Callers
406 * should hence not attempt to access the query or transaction
407 * after calling this function. */
408
7cc6ed7b
LP		 409 if (state == DNS_TRANSACTION_ERRNO)
410 st = errno_to_name(t->answer_errno);
411 else
412 st = dns_transaction_state_to_string(state);
413
43fc4baa 414 log_debug("%s transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s; %s).",
775ae354 415 t->bypass ? "Bypass" : "Regular",
a5784c49 416 t->id,
42df9532 417 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 418 dns_protocol_to_string(t->scope->protocol),
6ff79f76 419 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 420 af_to_name_short(t->scope->family),
7cc6ed7b 421 st,
a5784c49 422 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
775ae354 423 FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
43fc4baa
LP		 424 (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"),
425 FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential");
ec2c5e43
LP		 426
427 t->state = state;
428
80710ade 429 dns_transaction_close_connection(t, true);
f535705a 430 dns_transaction_stop_timeout(t);
ec2c5e43
LP		 431
432 /* Notify all queries that are interested, but make sure the
433 * transaction isn't freed while we are still looking at it */
434 t->block_gc++;
f7014757 435
35aa04e9 436 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
547973de 437 dns_query_candidate_notify(c);
35aa04e9 438 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
ec2c5e43 439
35aa04e9
LP		 440 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
441 dns_zone_item_notify(z);
442 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
8d67e72c 443 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
1a63fc54 444 (void) dns_scope_announce(t->scope, false);
f7014757 445
35aa04e9
LP		 446 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
447 dns_transaction_notify(d, t);
448 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
f7014757
LP		 449
450 t->block_gc--;
ec2c5e43
LP		 451 dns_transaction_gc(t);
452}
453
fd8a3017
LP		 454static void dns_transaction_complete_errno(DnsTransaction *t, int error) {
455 assert(t);
456 assert(error != 0);
457
458 t->answer_errno = abs(error);
459 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
460}
461
519ef046
LP		 462static int dns_transaction_pick_server(DnsTransaction *t) {
463 DnsServer *server;
464
465 assert(t);
466 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
467
d001e0a3
LP		 468 /* Pick a DNS server and a feature level for it. */
469
519ef046
LP		 470 server = dns_scope_get_dns_server(t->scope);
471 if (!server)
472 return -ESRCH;
473
d001e0a3
LP		 474 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
475 * different properties. */
1ed4e584
LP		 476 if (server != t->server) {
477 t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
478 t->clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID;
479 }
d001e0a3 480
274b8748 481 t->current_feature_level = dns_server_possible_feature_level(server);
519ef046 482
d001e0a3 483 /* Clamp the feature level if that is requested. */
1ed4e584
LP		 484 if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
485 t->current_feature_level > t->clamp_feature_level_servfail)
486 t->current_feature_level = t->clamp_feature_level_servfail;
487 if (t->clamp_feature_level_nxdomain != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
488 t->current_feature_level > t->clamp_feature_level_nxdomain)
489 t->current_feature_level = t->clamp_feature_level_nxdomain;
d001e0a3
LP		 490
491 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
492
519ef046
LP		 493 if (server == t->server)
494 return 0;
495
496 dns_server_unref(t->server);
497 t->server = dns_server_ref(server);
498
44db02d0
LP		 499 t->n_picked_servers ++;
500
8aa5afd2 501 log_debug("Using DNS server %s for transaction %u.", strna(dns_server_string_full(t->server)), t->id);
d001e0a3 502
519ef046
LP		 503 return 1;
504}
505
d001e0a3 506static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
8d10d620
LP		 507 int r;
508
509 assert(t);
510
7ef863a7
LP		 511 /* Retries the transaction as it is, possibly on a different server */
512
ca55fb88 513 if (next_server && t->scope->protocol == DNS_PROTOCOL_DNS)
7ef863a7
LP		 514 log_debug("Retrying transaction %" PRIu16 ", after switching servers.", t->id);
515 else
516 log_debug("Retrying transaction %" PRIu16 ".", t->id);
8d10d620
LP		 517
518 /* Before we try again, switch to a new server. */
d001e0a3 519 if (next_server)
5e8bc852 520 dns_scope_next_dns_server(t->scope, t->server);
8d10d620
LP		 521
522 r = dns_transaction_go(t);
fd8a3017
LP		 523 if (r < 0)
524 dns_transaction_complete_errno(t, r);
8d10d620
LP		 525}
526
9147b591
LP		 527static bool dns_transaction_limited_retry(DnsTransaction *t) {
528 assert(t);
529
530 /* If we haven't tried all different servers yet, let's try again with a different server */
531
532 if (t->n_picked_servers >= dns_scope_get_n_dns_servers(t->scope))
533 return false;
534
535 dns_transaction_retry(t, /* next_server= */ true);
536 return true;
537}
538
c02cf2f4 539static int dns_transaction_maybe_restart(DnsTransaction *t) {
5278bbfe
LP		 540 int r;
541
c02cf2f4
LP		 542 assert(t);
543
9147b591
LP		 544 /* Restarts the transaction, under a new ID if the feature level of the server changed since we first
545 * tried, without changing DNS server. Returns > 0 if the transaction was restarted, 0 if not. */
5278bbfe 546
c02cf2f4
LP		 547 if (!t->server)
548 return 0;
549
550 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
551 return 0;
552
553 /* The server's current feature level is lower than when we sent the original query. We learnt something from
554 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
555 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
556 OPT RR or DO bit. One of these cases is documented here, for example:
557 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
558
4dd15077
LP		 559 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
560 dns_transaction_shuffle_id(t);
5278bbfe
LP		 561
562 r = dns_transaction_go(t);
563 if (r < 0)
564 return r;
565
566 return 1;
c02cf2f4
LP		 567}
568
98767d75
IT		 569static void on_transaction_stream_error(DnsTransaction *t, int error) {
570 assert(t);
ec2c5e43 571
80710ade 572 dns_transaction_close_connection(t, true);
ec2c5e43 573
a1a3f73a 574 if (ERRNO_IS_DISCONNECT(error)) {
0791110f
LP		 575 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
576 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
577 * question on this scope. */
578 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
daab72ea 579 return;
0791110f
LP		 580 }
581
d001e0a3 582 dns_transaction_retry(t, true);
daab72ea 583 return;
ac720200 584 }
fd8a3017
LP		 585 if (error != 0)
586 dns_transaction_complete_errno(t, error);
98767d75
IT		 587}
588
43fc4baa
LP		 589static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsStream *s, DnsPacket *p) {
590 bool encrypted;
591
98767d75 592 assert(t);
43fc4baa 593 assert(s);
98767d75
IT		 594 assert(p);
595
43fc4baa
LP		 596 encrypted = s->encrypted;
597
80710ade 598 dns_transaction_close_connection(t, true);
ec2c5e43 599
a4076574 600 if (dns_packet_validate_reply(p) <= 0) {
a20b9592 601 log_debug("Invalid TCP reply packet.");
a4076574
LP		 602 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
603 return 0;
604 }
605
606 dns_scope_check_conflicts(t->scope, p);
607
ec2c5e43 608 t->block_gc++;
43fc4baa 609 dns_transaction_process_reply(t, p, encrypted);
ec2c5e43
LP		 610 t->block_gc--;
611
519ef046
LP		 612 /* If the response wasn't useful, then complete the transition
613 * now. After all, we are the worst feature set now with TCP
614 * sockets, and there's really no point in retrying. */
ec2c5e43
LP		 615 if (t->state == DNS_TRANSACTION_PENDING)
616 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
598f44bd
LP		 617 else
618 dns_transaction_gc(t);
ec2c5e43
LP		 619
620 return 0;
621}
622
98767d75 623static int on_stream_complete(DnsStream *s, int error) {
7172e4ee 624 assert(s);
98767d75
IT		 625
626 if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
98767d75
IT		 627 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
628
629 if (s->transactions) {
97d5d905
LP		 630 DnsTransaction *t;
631
98767d75 632 t = s->transactions;
3da3cdd5 633 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
98767d75
IT		 634 }
635 }
636
97d5d905
LP		 637 if (error != 0) {
638 DnsTransaction *t, *n;
639
640 LIST_FOREACH_SAFE(transactions_by_stream, t, n, s->transactions)
98767d75 641 on_transaction_stream_error(t, error);
97d5d905 642 }
98767d75 643
97d5d905 644 return 0;
98767d75
IT		 645}
646
747a8a74 647static int on_stream_packet(DnsStream *s) {
98767d75 648 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
98767d75
IT		 649 DnsTransaction *t;
650
aa337a5e
LP		 651 assert(s);
652
98767d75 653 /* Take ownership of packet to be able to receive new packets */
43fc4baa 654 assert_se(p = dns_stream_take_read_packet(s));
98767d75
IT		 655
656 t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
b52eac20
LP		 657 if (t && t->stream == s) /* Validate that the stream we got this on actually is the stream the
658 * transaction was using. */
43fc4baa 659 return dns_transaction_on_stream_packet(t, s, p);
98767d75 660
8227cfa1 661 /* Ignore incorrect transaction id as an old transaction can have been canceled. */
30f9e0bf 662 log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
aa337a5e 663 return 0;
98767d75
IT		 664}
665
da9de738 666static uint16_t dns_transaction_port(DnsTransaction *t) {
775ae354
LP		 667 assert(t);
668
da9de738
YW		 669 if (t->server->port > 0)
670 return t->server->port;
775ae354 671
da9de738 672 return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
ec962fba
LP		 673}
674
98767d75 675static int dns_transaction_emit_tcp(DnsTransaction *t) {
98767d75 676 _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
652ba568 677 _cleanup_close_ int fd = -1;
91ccab1e 678 union sockaddr_union sa;
652ba568 679 DnsStreamType type;
ec2c5e43
LP		 680 int r;
681
682 assert(t);
775ae354 683 assert(t->sent);
ec2c5e43 684
80710ade 685 dns_transaction_close_connection(t, true);
ec2c5e43 686
106784eb 687 switch (t->scope->protocol) {
519ef046 688
106784eb 689 case DNS_PROTOCOL_DNS:
519ef046
LP		 690 r = dns_transaction_pick_server(t);
691 if (r < 0)
692 return r;
693
49ef064c
LP		 694 if (manager_server_is_stub(t->scope->manager, t->server))
695 return -ELOOP;
696
775ae354
LP		 697 if (!t->bypass) {
698 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
699 return -EOPNOTSUPP;
91adc4db 700
775ae354
LP		 701 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
702 if (r < 0)
703 return r;
704 }
519ef046 705
5d67a7ae 706 if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
98767d75
IT		 707 s = dns_stream_ref(t->server->stream);
708 else
da9de738 709 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_transaction_port(t), &sa);
98767d75 710
652ba568 711 type = DNS_STREAM_LOOKUP;
106784eb 712 break;
ec2c5e43 713
106784eb 714 case DNS_PROTOCOL_LLMNR:
a8f6397f 715 /* When we already received a reply to this (but it was truncated), send to its sender address */
ec2c5e43 716 if (t->received)
91ccab1e 717 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
ec2c5e43
LP		 718 else {
719 union in_addr_union address;
a7f7d1bd 720 int family = AF_UNSPEC;
ec2c5e43
LP		 721
722 /* Otherwise, try to talk to the owner of a
723 * the IP address, in case this is a reverse
724 * PTR lookup */
f52e61da 725
42df9532 726 r = dns_name_address(dns_resource_key_name(dns_transaction_key(t)), &family, &address);
ec2c5e43
LP		 727 if (r < 0)
728 return r;
729 if (r == 0)
730 return -EINVAL;
9e08a6e0 731 if (family != t->scope->family)
9318cdd3 732 return -ESRCH;
ec2c5e43 733
91ccab1e 734 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
ec2c5e43 735 }
106784eb 736
652ba568 737 type = DNS_STREAM_LLMNR_SEND;
106784eb
DM		 738 break;
739
740 default:
ec2c5e43 741 return -EAFNOSUPPORT;
106784eb 742 }
ec2c5e43 743
98767d75
IT		 744 if (!s) {
745 if (fd < 0)
746 return fd;
ec2c5e43 747
652ba568 748 r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa);
98767d75
IT		 749 if (r < 0)
750 return r;
751
752 fd = -1;
753
56ddbf10 754#if ENABLE_DNS_OVER_TLS
199dda9c
LP		 755 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
756 DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
757
b02a7e1a 758 assert(t->server);
6016fcb0 759 r = dnstls_stream_connect_tls(s, t->server);
5d67a7ae
IT		 760 if (r < 0)
761 return r;
762 }
763#endif
764
19feb28f 765 if (t->server) {
904dcaf9 766 dns_server_unref_stream(t->server);
19feb28f 767 s->server = dns_server_ref(t->server);
8227cfa1 768 t->server->stream = dns_stream_ref(s);
19feb28f
IT		 769 }
770
98767d75 771 s->complete = on_stream_complete;
747a8a74 772 s->on_packet = on_stream_packet;
98767d75
IT		 773
774 /* The interface index is difficult to determine if we are
775 * connecting to the local host, hence fill this in right away
776 * instead of determining it from the socket */
777 s->ifindex = dns_scope_ifindex(t->scope);
778 }
779
780 t->stream = TAKE_PTR(s);
781 LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
ec2c5e43
LP		 782
783 r = dns_stream_write_packet(t->stream, t->sent);
784 if (r < 0) {
80710ade 785 dns_transaction_close_connection(t, /* use_graveyard= */ false);
ec2c5e43
LP		 786 return r;
787 }
788
519ef046
LP		 789 dns_transaction_reset_answer(t);
790
cbe4216d
LP		 791 t->tried_stream = true;
792
ec2c5e43
LP		 793 return 0;
794}
795
547973de 796static void dns_transaction_cache_answer(DnsTransaction *t) {
547973de
LP		 797 assert(t);
798
799 /* For mDNS we cache whenever we get the packet, rather than
800 * in each transaction. */
801 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
802 return;
803
ceeddf79 804 /* Caching disabled? */
37d7a7d9 805 if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO)
ceeddf79
MP		 806 return;
807
775ae354
LP		 808 /* If validation is turned off for this transaction, but DNSSEC is on, then let's not cache this */
809 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) && t->scope->dnssec_mode != DNSSEC_NO)
810 return;
811
6d8325f6
PS		 812 /* Packet from localhost? */
813 if (!t->scope->manager->cache_from_localhost &&
814 in_addr_is_localhost(t->received->family, &t->received->sender) != 0)
547973de
LP		 815 return;
816
547973de 817 dns_cache_put(&t->scope->cache,
37d7a7d9 818 t->scope->manager->enable_cache,
42df9532 819 dns_transaction_key(t),
547973de
LP		 820 t->answer_rcode,
821 t->answer,
775ae354
LP		 822 DNS_PACKET_CD(t->received) ? t->received : NULL, /* only cache full packets with CD on,
823 * since our usecase for caching them
824 * is "bypass" mode which is only
825 * enabled for CD packets. */
6f055e43 826 t->answer_query_flags,
775ae354 827 t->answer_dnssec_result,
d3760be0 828 t->answer_nsec_ttl,
547973de
LP		 829 t->received->family,
830 &t->received->sender);
831}
832
105e1512
LP		 833static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
834 DnsTransaction *dt;
105e1512
LP		 835
836 assert(t);
837
90e74a66 838 SET_FOREACH(dt, t->dnssec_transactions)
105e1512
LP		 839 if (DNS_TRANSACTION_IS_LIVE(dt->state))
840 return true;
841
842 return false;
843}
844
942eb2e7
LP		 845static int dns_transaction_dnssec_ready(DnsTransaction *t) {
846 DnsTransaction *dt;
e30a62bf 847 int r;
942eb2e7
LP		 848
849 assert(t);
850
851 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
852 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
853
90e74a66 854 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 855
856 switch (dt->state) {
857
858 case DNS_TRANSACTION_NULL:
859 case DNS_TRANSACTION_PENDING:
860 case DNS_TRANSACTION_VALIDATING:
861 /* Still ongoing */
862 return 0;
863
864 case DNS_TRANSACTION_RCODE_FAILURE:
b3c6b00a 865 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
942eb2e7
LP		 866 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode));
867 goto fail;
868 }
869
b3c6b00a 870 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
5238e957 871 * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
b3c6b00a
LP		 872 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
873 * RRs to make unsigned proofs. */
942eb2e7
LP		 874
875 case DNS_TRANSACTION_SUCCESS:
876 /* All good. */
877 break;
878
879 case DNS_TRANSACTION_DNSSEC_FAILED:
880 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
e30a62bf 881 * validation result */
942eb2e7
LP		 882
883 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
884 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
885 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
886 return 0;
887
942eb2e7
LP		 888 default:
889 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
890 goto fail;
891 }
892 }
893
894 /* All is ready, we can go and validate */
895 return 1;
896
897fail:
e30a62bf
LP		 898 /* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
899 * server due to this failure, and the feature level is now different? Let's see and restart the
900 * transaction if so. If not, let's propagate the auxiliary failure.
901 *
902 * This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
903 * are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
904 r = dns_transaction_maybe_restart(t);
905 if (r < 0)
906 return r;
907 if (r > 0)
908 return 0; /* don't validate just yet, we restarted things */
909
942eb2e7
LP		 910 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
911 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
912 return 0;
913}
914
547973de
LP		 915static void dns_transaction_process_dnssec(DnsTransaction *t) {
916 int r;
917
918 assert(t);
919
920 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
942eb2e7 921 r = dns_transaction_dnssec_ready(t);
7cc6ed7b
LP		 922 if (r < 0)
923 goto fail;
942eb2e7 924 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
547973de
LP		 925 return;
926
c02cf2f4
LP		 927 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
928 * restart the lookup immediately. */
929 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 930 if (r < 0)
931 goto fail;
c02cf2f4
LP		 932 if (r > 0) /* Transaction got restarted... */
933 return;
934
547973de
LP		 935 /* All our auxiliary DNSSEC transactions are complete now. Try
936 * to validate our RRset now. */
937 r = dns_transaction_validate_dnssec(t);
fcfaff12
LP		 938 if (r == -EBADMSG) {
939 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
940 return;
941 }
7cc6ed7b
LP		 942 if (r < 0)
943 goto fail;
547973de 944
b652d4a2
LP		 945 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
946 t->scope->dnssec_mode == DNSSEC_YES) {
e82b1132
LP		 947
948 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
949 * that works. */
950
9147b591 951 if (dns_transaction_limited_retry(t))
e82b1132 952 return;
e82b1132
LP		 953
954 /* OK, let's give up, apparently all servers we tried didn't work. */
b652d4a2
LP		 955 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
956 return;
957 }
958
019036a4 959 if (!IN_SET(t->answer_dnssec_result,
b652d4a2
LP		 960 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
961 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
962 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
963 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
547973de
LP		 964 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
965 return;
966 }
967
1e02e182
LP		 968 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
969 dns_server_warn_downgrade(t->server);
970
547973de
LP		 971 dns_transaction_cache_answer(t);
972
973 if (t->answer_rcode == DNS_RCODE_SUCCESS)
974 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
975 else
3bbdc31d 976 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
7cc6ed7b
LP		 977
978 return;
979
980fail:
fd8a3017 981 dns_transaction_complete_errno(t, r);
547973de
LP		 982}
983
eac7cda2
LP		 984static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
985 int r;
986
987 assert(t);
988
989 /* Checks whether the answer is positive, i.e. either a direct
990 * answer to the question, or a CNAME/DNAME for it */
991
42df9532 992 r = dns_answer_match_key(t->answer, dns_transaction_key(t), flags);
eac7cda2
LP		 993 if (r != 0)
994 return r;
995
42df9532 996 r = dns_answer_find_cname_or_dname(t->answer, dns_transaction_key(t), NULL, flags);
eac7cda2
LP		 997 if (r != 0)
998 return r;
999
1000 return false;
1001}
1002
1003static int dns_transaction_fix_rcode(DnsTransaction *t) {
1004 int r;
1005
1006 assert(t);
1007
1008 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
1009 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
1010 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
1011 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
1012 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
1013 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
1014 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
1015 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
1016 * incomplete CNAME/DNAME chain.
1017 *
1018 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
1019 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
1020 * lookup. */
1021
1022 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
1023 return 0;
1024
1025 r = dns_transaction_has_positive_answer(t, NULL);
1026 if (r <= 0)
1027 return r;
1028
1029 t->answer_rcode = DNS_RCODE_SUCCESS;
1030 return 0;
1031}
1032
43fc4baa 1033void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypted) {
acbf761b 1034 bool retry_with_tcp = false;
ec2c5e43
LP		 1035 int r;
1036
1037 assert(t);
1038 assert(p);
9df3ba6c
TG		 1039 assert(t->scope);
1040 assert(t->scope->manager);
ec2c5e43 1041
5a7e41a3
LP		 1042 if (t->state != DNS_TRANSACTION_PENDING)
1043 return;
1044
ec2c5e43
LP		 1045 /* Note that this call might invalidate the query. Callers
1046 * should hence not attempt to access the query or transaction
1047 * after calling this function. */
1048
f7155840
LP		 1049 log_debug("Processing incoming packet of size %zu on transaction %" PRIu16" (rcode=%s).",
1050 p->size,
11833205 1051 t->id, dns_rcode_to_string(DNS_PACKET_RCODE(p)));
b5efcf29 1052
106784eb 1053 switch (t->scope->protocol) {
b5efcf29 1054
106784eb 1055 case DNS_PROTOCOL_LLMNR:
97ebebbc 1056 /* For LLMNR we will not accept any packets from other interfaces */
ec2c5e43 1057
97ebebbc 1058 if (p->ifindex != dns_scope_ifindex(t->scope))
ec2c5e43
LP		 1059 return;
1060
1061 if (p->family != t->scope->family)
1062 return;
1063
1064 /* Tentative packets are not full responses but still
1065 * useful for identifying uniqueness conflicts during
1066 * probing. */
8b757a38 1067 if (DNS_PACKET_LLMNR_T(p)) {
ec2c5e43
LP		 1068 dns_transaction_tentative(t, p);
1069 return;
1070 }
106784eb
DM		 1071
1072 break;
1073
4e5bf5e1 1074 case DNS_PROTOCOL_MDNS:
4e5bf5e1 1075 /* For mDNS we will not accept any packets from other interfaces */
97ebebbc
LP		 1076
1077 if (p->ifindex != dns_scope_ifindex(t->scope))
4e5bf5e1
DM		 1078 return;
1079
1080 if (p->family != t->scope->family)
1081 return;
1082
1083 break;
1084
106784eb 1085 case DNS_PROTOCOL_DNS:
8ad182a1
LP		 1086 /* Note that we do not need to verify the
1087 * addresses/port numbers of incoming traffic, as we
1088 * invoked connect() on our UDP socket in which case
1089 * the kernel already does the needed verification for
1090 * us. */
106784eb
DM		 1091 break;
1092
1093 default:
04499a70 1094 assert_not_reached();
ec2c5e43
LP		 1095 }
1096
ec2c5e43
LP		 1097 if (t->received != p) {
1098 dns_packet_unref(t->received);
1099 t->received = dns_packet_ref(p);
1100 }
1101
c3bc53e6
LP		 1102 t->answer_source = DNS_TRANSACTION_NETWORK;
1103
ec2c5e43
LP		 1104 if (p->ipproto == IPPROTO_TCP) {
1105 if (DNS_PACKET_TC(p)) {
1106 /* Truncated via TCP? Somebody must be fucking with us */
1107 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1108 return;
1109 }
1110
1111 if (DNS_PACKET_ID(p) != t->id) {
1112 /* Not the reply to our query? Somebody must be fucking with us */
1113 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1114 return;
1115 }
1116 }
1117
9df3ba6c 1118 switch (t->scope->protocol) {
8af5b883 1119
9df3ba6c
TG		 1120 case DNS_PROTOCOL_DNS:
1121 assert(t->server);
1122
775ae354
LP		 1123 if (!t->bypass &&
1124 IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
4e0b8b17 1125
8af5b883 1126 /* Request failed, immediately try again with reduced features */
4e0b8b17 1127
7d581a65 1128 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
44db02d0 1129
7d581a65 1130 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
44db02d0
LP		 1131 * this transaction anymore, but let's see if it might make sense to send the request
1132 * to a different DNS server instead. If not let's process the response, and accept the
7d581a65
LP		 1133 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
1134 * packet loss, but is not going to give us better rcodes should we actually have
1135 * managed to get them already at UDP level. */
1136
9147b591 1137 if (dns_transaction_limited_retry(t))
44db02d0 1138 return;
44db02d0
LP		 1139
1140 /* Give up, accept the rcode */
d001e0a3
LP		 1141 log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p)));
1142 break;
1143 }
1144
1145 /* Reduce this feature level by one and try again. */
5d67a7ae
IT		 1146 switch (t->current_feature_level) {
1147 case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1ed4e584 1148 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
5d67a7ae
IT		 1149 break;
1150 case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1151 /* Skip plain TLS when TLS is not supported */
1ed4e584 1152 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
5d67a7ae
IT		 1153 break;
1154 default:
1ed4e584 1155 t->clamp_feature_level_servfail = t->current_feature_level - 1;
5d67a7ae 1156 }
d001e0a3
LP		 1157
1158 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
1159 dns_rcode_to_string(DNS_PACKET_RCODE(p)),
1ed4e584 1160 dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
d001e0a3
LP		 1161
1162 dns_transaction_retry(t, false /* use the same server */);
4e0b8b17 1163 return;
eb08640a
LP		 1164 }
1165
1166 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
1167 /* This server refused our request? If so, try again, use a different server */
1168 log_debug("Server returned REFUSED, switching servers, and retrying.");
9147b591
LP		 1169
1170 if (dns_transaction_limited_retry(t))
1171 return;
1172
1173 break;
eb08640a
LP		 1174 }
1175
1176 if (DNS_PACKET_TC(p))
274b8748 1177 dns_server_packet_truncated(t->server, t->current_feature_level);
9df3ba6c
TG		 1178
1179 break;
8af5b883 1180
9df3ba6c
TG		 1181 case DNS_PROTOCOL_LLMNR:
1182 case DNS_PROTOCOL_MDNS:
5777c613 1183 dns_scope_packet_received(t->scope, p->timestamp - t->start_usec);
9df3ba6c 1184 break;
8af5b883 1185
9df3ba6c 1186 default:
04499a70 1187 assert_not_reached();
9df3ba6c
TG		 1188 }
1189
ec2c5e43 1190 if (DNS_PACKET_TC(p)) {
547493c5
DM		 1191
1192 /* Truncated packets for mDNS are not allowed. Give up immediately. */
1193 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
1194 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1195 return;
1196 }
1197
acbf761b 1198 /* Response was truncated, let's try again with good old TCP */
f757cd85 1199 log_debug("Reply truncated, retrying via TCP.");
acbf761b 1200 retry_with_tcp = true;
f757cd85 1201
acbf761b
LP		 1202 } else if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1203 DNS_PACKET_IS_FRAGMENTED(p)) {
1204
1205 /* Report the fragment size, so that we downgrade from LARGE to regular EDNS0 if needed */
1206 if (t->server)
1207 dns_server_packet_udp_fragmented(t->server, dns_packet_size_unfragmented(p));
1208
1209 if (t->current_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
1210 /* Packet was fragmented. Let's retry with TCP to avoid fragmentation attack
1211 * issues. (We don't do that on the lowest feature level however, since crappy DNS
1212 * servers often do not implement TCP, hence falling back to TCP on fragmentation is
1213 * counter-productive there.) */
1214
f7155840
LP		 1215 log_debug("Reply fragmented, retrying via TCP. (Largest fragment size: %zu; Datagram size: %zu)",
1216 p->fragsize, p->size);
acbf761b
LP		 1217 retry_with_tcp = true;
1218 }
1219 }
1220
1221 if (retry_with_tcp) {
98767d75 1222 r = dns_transaction_emit_tcp(t);
ec2c5e43
LP		 1223 if (r == -ESRCH) {
1224 /* No servers found? Damn! */
1225 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1226 return;
1227 }
91adc4db
LP		 1228 if (r == -EOPNOTSUPP) {
1229 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1230 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1231 return;
1232 }
ec2c5e43 1233 if (r < 0) {
8af5b883 1234 /* On LLMNR, if we cannot connect to the host,
ec2c5e43 1235 * we immediately give up */
7cc6ed7b
LP		 1236 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1237 goto fail;
ec2c5e43
LP		 1238
1239 /* On DNS, couldn't send? Try immediately again, with a new server */
9147b591
LP		 1240 if (dns_transaction_limited_retry(t))
1241 return;
1242
1243 /* No new server to try, give up */
1244 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
ec2c5e43 1245 }
2a6658ef
LP		 1246
1247 return;
ec2c5e43
LP		 1248 }
1249
de54e62b 1250 /* After the superficial checks, actually parse the message. */
ec2c5e43
LP		 1251 r = dns_packet_extract(p);
1252 if (r < 0) {
2c42a217
LP		 1253 if (t->server) {
1254 dns_server_packet_invalid(t->server, t->current_feature_level);
1255
1256 r = dns_transaction_maybe_restart(t);
1257 if (r < 0)
1258 goto fail;
1259 if (r > 0) /* Transaction got restarted... */
1260 return;
1261 }
1262
ec2c5e43
LP		 1263 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1264 return;
1265 }
1266
1ed4e584
LP		 1267 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1268 !t->bypass &&
1269 DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN &&
1270 p->opt && !DNS_PACKET_DO(p) &&
1271 DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(t->current_feature_level) &&
1272 DNS_SERVER_FEATURE_LEVEL_IS_UDP(t->current_feature_level) &&
1273 t->scope->dnssec_mode != DNSSEC_YES) {
1274
1275 /* Some captive portals are special in that the Aruba/Datavalet hardware will miss
1276 * replacing the packets with the local server IP to point to the authenticated side
1277 * of the network if EDNS0 is enabled. Instead they return NXDOMAIN, with DO bit set
1278 * to zero... nothing to see here, yet respond with the captive portal IP, when using
1279 * the more simple UDP level.
1280 *
1281 * Common portal names that fail like so are:
1282 * secure.datavalet.io
1283 * securelogin.arubanetworks.com
1284 * securelogin.networks.mycompany.com
1285 *
1286 * Thus retry NXDOMAIN RCODES with a lower feature level.
1287 *
1288 * Do not lower the server's tracked feature level, as the captive portal should not
1289 * be lying for the wider internet (e.g. _other_ queries were observed fine with
1290 * EDNS0 on these networks, post auth), i.e. let's just lower the level transaction's
1291 * feature level.
1292 *
1293 * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
1294 */
1295
1296 t->clamp_feature_level_nxdomain = DNS_SERVER_FEATURE_LEVEL_UDP;
1297
1298 log_debug("Server returned error %s in EDNS0 mode, retrying transaction with reduced feature level %s (DVE-2018-0001 mitigation)",
1299 dns_rcode_to_string(DNS_PACKET_RCODE(p)),
1300 dns_server_feature_level_to_string(t->clamp_feature_level_nxdomain));
1301
1302 dns_transaction_retry(t, false /* use the same server */);
1303 return;
1304 }
1305
ed9717fc 1306 if (t->server) {
d001e0a3
LP		 1307 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1308 * rcode and subsequently downgraded the protocol */
1309
1310 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1ed4e584
LP		 1311 t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1312 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
d001e0a3
LP		 1313
1314 /* Report that the OPT RR was missing */
ed9717fc
LP		 1315 if (!p->opt)
1316 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1317
d96275d8
LP		 1318 /* Report that the server didn't copy our query DO bit from request to response */
1319 if (DNS_PACKET_DO(t->sent) && !DNS_PACKET_DO(t->received))
1320 dns_server_packet_do_off(t->server, t->current_feature_level);
1321
acbf761b
LP		 1322 /* Report that we successfully received a packet. We keep track of the largest packet
1323 * size/fragment size we got. Which is useful for announcing the EDNS(0) packet size we can
1324 * receive to our server. */
1325 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, dns_packet_size_unfragmented(p));
ed9717fc 1326 }
de54e62b 1327
c02cf2f4
LP		 1328 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1329 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 1330 if (r < 0)
1331 goto fail;
c02cf2f4
LP		 1332 if (r > 0) /* Transaction got restarted... */
1333 return;
1334
8facd1ce
LP		 1335 /* When dealing with protocols other than mDNS only consider responses with equivalent query section
1336 * to the request. For mDNS this check doesn't make sense, because the section 6 of RFC6762 states
1337 * that "Multicast DNS responses MUST NOT contain any questions in the Question Section". */
1338 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
42df9532 1339 r = dns_packet_is_reply_for(p, dns_transaction_key(t));
8facd1ce
LP		 1340 if (r < 0)
1341 goto fail;
1342 if (r == 0) {
1343 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1344 return;
547493c5 1345 }
8facd1ce 1346 }
29815b6c 1347
775ae354
LP		 1348 /* Install the answer as answer to the transaction. We ref the answer twice here: the main `answer`
1349 * field is later replaced by the DNSSEC validated subset. The 'answer_auxiliary' field carries the
1350 * original complete record set, including RRSIG and friends. We use this when passing data to
1351 * clients that ask for DNSSEC metadata. */
8facd1ce
LP		 1352 dns_answer_unref(t->answer);
1353 t->answer = dns_answer_ref(p->answer);
1354 t->answer_rcode = DNS_PACKET_RCODE(p);
1355 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
6f055e43 1356 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1357 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, encrypted);
79e24931 1358
8facd1ce
LP		 1359 r = dns_transaction_fix_rcode(t);
1360 if (r < 0)
1361 goto fail;
eac7cda2 1362
8facd1ce
LP		 1363 /* Block GC while starting requests for additional DNSSEC RRs */
1364 t->block_gc++;
1365 r = dns_transaction_request_dnssec_keys(t);
1366 t->block_gc--;
51e399bc 1367
8facd1ce
LP		 1368 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1369 if (!dns_transaction_gc(t))
1370 return;
51e399bc 1371
8facd1ce
LP		 1372 /* Requesting additional keys might have resulted in this transaction to fail, since the auxiliary
1373 * request failed for some reason. If so, we are not in pending state anymore, and we should exit
1374 * quickly. */
1375 if (t->state != DNS_TRANSACTION_PENDING)
1376 return;
1377 if (r < 0)
1378 goto fail;
1379 if (r > 0) {
1380 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1381 t->state = DNS_TRANSACTION_VALIDATING;
80710ade 1382 dns_transaction_close_connection(t, true);
8facd1ce
LP		 1383 dns_transaction_stop_timeout(t);
1384 return;
547493c5 1385 }
ec2c5e43 1386
547973de 1387 dns_transaction_process_dnssec(t);
7cc6ed7b
LP		 1388 return;
1389
1390fail:
fd8a3017 1391 dns_transaction_complete_errno(t, r);
ec2c5e43
LP		 1392}
1393
c19ffd9f
TG		 1394static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1395 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1396 DnsTransaction *t = userdata;
1397 int r;
1398
1399 assert(t);
1400 assert(t->scope);
1401
1402 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
95d2155a 1403 if (ERRNO_IS_DISCONNECT(r)) {
7e1851e3 1404 usec_t usec;
c19ffd9f 1405
f731fd5b
ZJS		 1406 /* UDP connection failures get reported via ICMP and then are possibly delivered to us on the
1407 * next recvmsg(). Treat this like a lost packet. */
7e1851e3 1408
92ec902a 1409 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
7e1851e3 1410 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
3da3cdd5 1411 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
7e1851e3 1412
d68dbb37
LP		 1413 dns_transaction_close_connection(t, /* use_graveyard = */ false);
1414
9147b591
LP		 1415 if (dns_transaction_limited_retry(t)) /* Try a different server */
1416 return 0;
1417
1418 dns_transaction_complete_errno(t, r);
7e1851e3
LP		 1419 return 0;
1420 }
1421 if (r < 0) {
fd8a3017 1422 dns_transaction_complete_errno(t, r);
7e1851e3
LP		 1423 return 0;
1424 }
f731fd5b
ZJS		 1425 if (r == 0)
1426 /* Spurious wakeup without any data */
1427 return 0;
7e1851e3
LP		 1428
1429 r = dns_packet_validate_reply(p);
1430 if (r < 0) {
1431 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1432 return 0;
1433 }
1434 if (r == 0) {
e09f605e 1435 log_debug("Received inappropriate DNS packet as response, ignoring.");
7e1851e3
LP		 1436 return 0;
1437 }
1438
1439 if (DNS_PACKET_ID(p) != t->id) {
e09f605e 1440 log_debug("Received packet with incorrect transaction ID, ignoring.");
7e1851e3
LP		 1441 return 0;
1442 }
c19ffd9f 1443
43fc4baa 1444 dns_transaction_process_reply(t, p, false);
c19ffd9f
TG		 1445 return 0;
1446}
1447
49cce12d 1448static int dns_transaction_emit_udp(DnsTransaction *t) {
c19ffd9f
TG		 1449 int r;
1450
1451 assert(t);
c19ffd9f 1452
519ef046 1453 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
c19ffd9f 1454
519ef046 1455 r = dns_transaction_pick_server(t);
471d40d9
TG		 1456 if (r < 0)
1457 return r;
c19ffd9f 1458
49ef064c
LP		 1459 if (manager_server_is_stub(t->scope->manager, t->server))
1460 return -ELOOP;
1461
5d67a7ae 1462 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
7d581a65 1463 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
519ef046 1464
775ae354 1465 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
91adc4db
LP		 1466 return -EOPNOTSUPP;
1467
519ef046
LP		 1468 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1469 int fd;
1470
80710ade
LP		 1471 dns_transaction_close_connection(t, true);
1472
1473 /* Before we allocate a new UDP socket, let's process the graveyard a bit to free some fds */
1474 manager_socket_graveyard_process(t->scope->manager);
c19ffd9f 1475
da9de738 1476 fd = dns_scope_socket_udp(t->scope, t->server);
519ef046
LP		 1477 if (fd < 0)
1478 return fd;
1479
1480 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1481 if (r < 0) {
1482 safe_close(fd);
1483 return r;
1484 }
1485
aa4a9deb 1486 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
519ef046
LP		 1487 t->dns_udp_fd = fd;
1488 }
1489
775ae354
LP		 1490 if (!t->bypass) {
1491 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1492 if (r < 0)
1493 return r;
1494 }
519ef046 1495 } else
80710ade 1496 dns_transaction_close_connection(t, true);
519ef046 1497
d79677ab 1498 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->server ? t->server->family : AF_UNSPEC, t->sent);
471d40d9
TG		 1499 if (r < 0)
1500 return r;
c19ffd9f 1501
519ef046 1502 dns_transaction_reset_answer(t);
be808ea0 1503
471d40d9 1504 return 0;
c19ffd9f
TG		 1505}
1506
ec2c5e43
LP		 1507static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1508 DnsTransaction *t = userdata;
ec2c5e43
LP		 1509
1510 assert(s);
1511 assert(t);
1512
213cb4f7
LP		 1513 if (t->initial_jitter_scheduled && !t->initial_jitter_elapsed) {
1514 log_debug("Initial jitter phase for transaction %" PRIu16 " elapsed.", t->id);
1515 t->initial_jitter_elapsed = true;
1516 } else {
ef7ce6df
DM		 1517 /* Timeout reached? Increase the timeout for the server used */
1518 switch (t->scope->protocol) {
49cce12d 1519
ef7ce6df
DM		 1520 case DNS_PROTOCOL_DNS:
1521 assert(t->server);
3da3cdd5 1522 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
ef7ce6df 1523 break;
49cce12d 1524
ef7ce6df
DM		 1525 case DNS_PROTOCOL_LLMNR:
1526 case DNS_PROTOCOL_MDNS:
1527 dns_scope_packet_lost(t->scope, usec - t->start_usec);
ef7ce6df 1528 break;
49cce12d 1529
ef7ce6df 1530 default:
04499a70 1531 assert_not_reached();
ef7ce6df
DM		 1532 }
1533
213cb4f7 1534 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
be808ea0
TG		 1535 }
1536
213cb4f7
LP		 1537 dns_transaction_retry(t, /* next_server= */ true); /* try a different server, but given this means
1538 * packet loss, let's do so even if we already
1539 * tried a bunch */
ec2c5e43
LP		 1540 return 0;
1541}
1542
9df3ba6c
TG		 1543static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1544 assert(t);
1545 assert(t->scope);
1546
1547 switch (t->scope->protocol) {
49cce12d 1548
9df3ba6c 1549 case DNS_PROTOCOL_DNS:
dc349f5f
LP		 1550
1551 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1552 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1553 * needlessly. */
1554 if (t->stream)
1555 return TRANSACTION_TCP_TIMEOUT_USEC;
1556
dbc4661a 1557 return DNS_TIMEOUT_USEC;
49cce12d 1558
9df3ba6c 1559 case DNS_PROTOCOL_MDNS:
11a27c2e 1560 assert(t->n_attempts > 0);
53fda2bb
DR		 1561 if (t->probing)
1562 return MDNS_PROBING_INTERVAL_USEC;
1563 else
1564 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
49cce12d 1565
11a27c2e 1566 case DNS_PROTOCOL_LLMNR:
9df3ba6c 1567 return t->scope->resend_timeout;
49cce12d 1568
9df3ba6c 1569 default:
04499a70 1570 assert_not_reached();
9df3ba6c
TG		 1571 }
1572}
1573
3f0a7b3a
LP		 1574static void dns_transaction_randomize_answer(DnsTransaction *t) {
1575 int r;
1576
1577 assert(t);
1578
1579 /* Randomizes the order of the answer array. This is done for all cached responses, so that we return
1580 * a different order each time. We do this only for DNS traffic, in order to do some minimal, crappy
1581 * load balancing. We don't do this for LLMNR or mDNS, since the order (preferring link-local
1582 * addresses, and such like) might have meaning there, and load balancing is pointless. */
1583
1584 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1585 return;
1586
1587 /* No point in randomizing, if there's just one RR */
1588 if (dns_answer_size(t->answer) <= 1)
1589 return;
1590
1591 r = dns_answer_reserve_or_clone(&t->answer, 0);
1592 if (r < 0) /* If this fails, just don't randomize, this is non-essential stuff after all */
1593 return (void) log_debug_errno(r, "Failed to clone answer record, not randomizing RR order of answer: %m");
1594
1595 dns_answer_randomize(t->answer);
1596}
1597
c842ff24 1598static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
ec2c5e43
LP		 1599 int r;
1600
1601 assert(t);
1602
4ea8b443
ZJS		 1603 /* Returns 0 if dns_transaction_complete() has been called. In that case the transaction and query
1604 * candidate objects may have been invalidated and must not be accessed. Returns 1 if the transaction
1605 * has been prepared. */
1606
f535705a 1607 dns_transaction_stop_timeout(t);
ec2c5e43 1608
86b112a3 1609 if (!dns_scope_network_good(t->scope)) {
edbcc1fd
LP		 1610 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1611 return 0;
1612 }
1613
ec2c5e43 1614 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
e53b8cc5
ZJS		 1615 DnsTransactionState result;
1616
1617 if (t->scope->protocol == DNS_PROTOCOL_LLMNR)
1618 /* If we didn't find anything on LLMNR, it's not an error, but a failure to resolve
1619 * the name. */
1620 result = DNS_TRANSACTION_NOT_FOUND;
1621 else
1622 result = DNS_TRANSACTION_ATTEMPTS_MAX_REACHED;
1623
1624 dns_transaction_complete(t, result);
ec2c5e43
LP		 1625 return 0;
1626 }
1627
cbe4216d 1628 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
ec2c5e43
LP		 1629 /* If we already tried via a stream, then we don't
1630 * retry on LLMNR. See RFC 4795, Section 2.7. */
1631 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1632 return 0;
1633 }
1634
1635 t->n_attempts++;
9df3ba6c 1636 t->start_usec = ts;
c61d2b44
LP		 1637
1638 dns_transaction_reset_answer(t);
c5b4f861 1639 dns_transaction_flush_dnssec_transactions(t);
ec2c5e43 1640
0d2cd476 1641 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
775ae354
LP		 1642 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1643 !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_TRUST_ANCHOR)) {
42df9532 1644 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, dns_transaction_key(t), &t->answer);
0d2cd476
LP		 1645 if (r < 0)
1646 return r;
1647 if (r > 0) {
1648 t->answer_rcode = DNS_RCODE_SUCCESS;
1649 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
43fc4baa 1650 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
0d2cd476
LP		 1651 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1652 return 0;
1653 }
b2b796b8 1654
42df9532
LP		 1655 if (dns_name_is_root(dns_resource_key_name(dns_transaction_key(t))) &&
1656 dns_transaction_key(t)->type == DNS_TYPE_DS) {
b2b796b8 1657
775ae354
LP		 1658 /* Hmm, this is a request for the root DS? A DS RR doesn't exist in the root zone,
1659 * and if our trust anchor didn't know it either, this means we cannot do any DNSSEC
1660 * logic anymore. */
b2b796b8 1661
1ed8c0fb 1662 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
775ae354
LP		 1663 /* We are in downgrade mode. In this case, synthesize an unsigned empty
1664 * response, so that the any lookup depending on this one can continue
1665 * assuming there was no DS, and hence the root zone was unsigned. */
b2b796b8
LP		 1666
1667 t->answer_rcode = DNS_RCODE_SUCCESS;
1668 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
6f055e43 1669 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1670 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, true);
b2b796b8
LP		 1671 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1672 } else
775ae354
LP		 1673 /* If we are not in downgrade mode, then fail the lookup, because we cannot
1674 * reasonably answer it. There might be DS RRs, but we don't know them, and
1675 * the DNS server won't tell them to us (and even if it would, we couldn't
1676 * validate and trust them. */
b2b796b8
LP		 1677 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1678
1679 return 0;
1680 }
0d2cd476
LP		 1681 }
1682
775ae354
LP		 1683 /* Check the zone. */
1684 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_ZONE)) {
42df9532 1685 r = dns_zone_lookup(&t->scope->zone, dns_transaction_key(t), dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
d746bb3e
LP		 1686 if (r < 0)
1687 return r;
1688 if (r > 0) {
ae6a4bbf 1689 t->answer_rcode = DNS_RCODE_SUCCESS;
c3bc53e6 1690 t->answer_source = DNS_TRANSACTION_ZONE;
43fc4baa 1691 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
d746bb3e
LP		 1692 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1693 return 0;
1694 }
1695 }
1696
775ae354
LP		 1697 /* Check the cache. */
1698 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_CACHE)) {
2c27fbca 1699
775ae354
LP		 1700 /* Before trying the cache, let's make sure we figured out a server to use. Should this cause
1701 * a change of server this might flush the cache. */
5cdb8930 1702 (void) dns_scope_get_dns_server(t->scope);
2c27fbca 1703
4d926a69
LP		 1704 /* Let's then prune all outdated entries */
1705 dns_cache_prune(&t->scope->cache);
1706
775ae354
LP		 1707 r = dns_cache_lookup(
1708 &t->scope->cache,
1709 dns_transaction_key(t),
1710 t->query_flags,
1711 &t->answer_rcode,
1712 &t->answer,
1713 &t->received,
6f055e43 1714 &t->answer_query_flags,
775ae354 1715 &t->answer_dnssec_result);
4d926a69
LP		 1716 if (r < 0)
1717 return r;
1718 if (r > 0) {
3f0a7b3a
LP		 1719 dns_transaction_randomize_answer(t);
1720
775ae354
LP		 1721 if (t->bypass && t->scope->protocol == DNS_PROTOCOL_DNS && !t->received)
1722 /* When bypass mode is on, do not use cached data unless it came with a full
1723 * packet. */
1724 dns_transaction_reset_answer(t);
1725 else {
1726 t->answer_source = DNS_TRANSACTION_CACHE;
1727 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1728 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1729 else
1730 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1731 return 0;
1732 }
4d926a69 1733 }
ec2c5e43
LP		 1734 }
1735
775ae354
LP		 1736 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_NETWORK)) {
1737 dns_transaction_complete(t, DNS_TRANSACTION_NO_SOURCE);
1738 return 0;
1739 }
1740
1effe965
DM		 1741 return 1;
1742}
1743
0afa57e2 1744static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
0afa57e2 1745 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
7778dfff 1746 bool add_known_answers = false;
0afa57e2 1747 DnsTransaction *other;
0d5ee47d
DR		 1748 DnsResourceKey *tkey;
1749 _cleanup_set_free_ Set *keys = NULL;
0afa57e2 1750 unsigned qdcount;
0d5ee47d 1751 unsigned nscount = 0;
0afa57e2
DM		 1752 usec_t ts;
1753 int r;
1754
1755 assert(t);
1756 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1757
e5abebab 1758 /* Discard any previously prepared packet, so we can start over and coalesce again */
0afa57e2
DM		 1759 t->sent = dns_packet_unref(t->sent);
1760
1761 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1762 if (r < 0)
1763 return r;
1764
42df9532 1765 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
0afa57e2
DM		 1766 if (r < 0)
1767 return r;
1768
1769 qdcount = 1;
1770
42df9532 1771 if (dns_key_is_shared(dns_transaction_key(t)))
7778dfff
DM		 1772 add_known_answers = true;
1773
42df9532
LP		 1774 if (dns_transaction_key(t)->type == DNS_TYPE_ANY) {
1775 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(t));
0d5ee47d
DR		 1776 if (r < 0)
1777 return r;
1778 }
1779
0afa57e2
DM		 1780 /*
1781 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1782 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
5238e957 1783 * in our current scope, and see whether their timing constraints allow them to be sent.
0afa57e2
DM		 1784 */
1785
1786 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1787
1788 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1789
1790 /* Skip ourselves */
1791 if (other == t)
1792 continue;
1793
1794 if (other->state != DNS_TRANSACTION_PENDING)
1795 continue;
1796
1797 if (other->next_attempt_after > ts)
1798 continue;
1799
1800 if (qdcount >= UINT16_MAX)
1801 break;
1802
42df9532 1803 r = dns_packet_append_key(p, dns_transaction_key(other), 0, NULL);
0afa57e2
DM		 1804
1805 /*
1806 * If we can't stuff more questions into the packet, just give up.
1807 * One of the 'other' transactions will fire later and take care of the rest.
1808 */
1809 if (r == -EMSGSIZE)
1810 break;
1811
1812 if (r < 0)
1813 return r;
1814
c842ff24 1815 r = dns_transaction_prepare(other, ts);
0afa57e2
DM		 1816 if (r <= 0)
1817 continue;
1818
1819 ts += transaction_get_resend_timeout(other);
1820
1821 r = sd_event_add_time(
1822 other->scope->manager->event,
1823 &other->timeout_event_source,
1824 clock_boottime_or_monotonic(),
1825 ts, 0,
1826 on_transaction_timeout, other);
1827 if (r < 0)
1828 return r;
1829
ff537038 1830 (void) sd_event_source_set_description(other->timeout_event_source, "dns-transaction-timeout");
aa4a9deb 1831
0afa57e2
DM		 1832 other->state = DNS_TRANSACTION_PENDING;
1833 other->next_attempt_after = ts;
1834
313cefa1 1835 qdcount++;
7778dfff 1836
42df9532 1837 if (dns_key_is_shared(dns_transaction_key(other)))
7778dfff 1838 add_known_answers = true;
0d5ee47d 1839
42df9532
LP		 1840 if (dns_transaction_key(other)->type == DNS_TYPE_ANY) {
1841 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(other));
0d5ee47d
DR		 1842 if (r < 0)
1843 return r;
1844 }
0afa57e2
DM		 1845 }
1846
1847 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
0afa57e2 1848
7778dfff
DM		 1849 /* Append known answer section if we're asking for any shared record */
1850 if (add_known_answers) {
1851 r = dns_cache_export_shared_to_packet(&t->scope->cache, p);
1852 if (r < 0)
1853 return r;
1854 }
1855
90e74a66 1856 SET_FOREACH(tkey, keys) {
0d5ee47d
DR		 1857 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1858 bool tentative;
1859
1860 r = dns_zone_lookup(&t->scope->zone, tkey, t->scope->link->ifindex, &answer, NULL, &tentative);
1861 if (r < 0)
1862 return r;
1863
6f76e68a 1864 r = dns_packet_append_answer(p, answer, &nscount);
0d5ee47d
DR		 1865 if (r < 0)
1866 return r;
0d5ee47d
DR		 1867 }
1868 DNS_PACKET_HEADER(p)->nscount = htobe16(nscount);
1869
1cc6c93a 1870 t->sent = TAKE_PTR(p);
0afa57e2
DM		 1871
1872 return 0;
1873}
1874
1875static int dns_transaction_make_packet(DnsTransaction *t) {
1876 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1877 int r;
1878
1879 assert(t);
1880
1881 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1882 return dns_transaction_make_packet_mdns(t);
1883
1884 if (t->sent)
1885 return 0;
1886
775ae354
LP		 1887 if (t->bypass && t->bypass->protocol == t->scope->protocol) {
1888 /* If bypass logic is enabled and the protocol if the original packet and our scope match,
1889 * take the original packet, copy it, and patch in our new ID */
1890 r = dns_packet_dup(&p, t->bypass);
1891 if (r < 0)
1892 return r;
1893 } else {
1894 r = dns_packet_new_query(
1895 &p, t->scope->protocol,
1896 /* min_alloc_dsize = */ 0,
1897 /* dnssec_cd = */ !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) &&
1898 t->scope->dnssec_mode != DNSSEC_NO);
1899 if (r < 0)
1900 return r;
0afa57e2 1901
775ae354
LP		 1902 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1903 if (r < 0)
1904 return r;
1905
1906 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1907 }
0afa57e2 1908
0afa57e2
DM		 1909 DNS_PACKET_HEADER(p)->id = t->id;
1910
1cc6c93a 1911 t->sent = TAKE_PTR(p);
0afa57e2
DM		 1912 return 0;
1913}
1914
1effe965
DM		 1915int dns_transaction_go(DnsTransaction *t) {
1916 usec_t ts;
1917 int r;
202b76ae 1918 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1effe965
DM		 1919
1920 assert(t);
1921
4ea8b443
ZJS		 1922 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has
1923 * finished now. In the latter case, the transaction and query candidate objects must not be accessed.
1924 */
5278bbfe 1925
1effe965 1926 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
547973de 1927
c842ff24 1928 r = dns_transaction_prepare(t, ts);
1effe965
DM		 1929 if (r <= 0)
1930 return r;
1931
213cb4f7
LP		 1932 log_debug("Firing %s transaction %" PRIu16 " for <%s> scope %s on %s/%s (validate=%s).",
1933 t->bypass ? "bypass" : "regular",
a5784c49 1934 t->id,
42df9532 1935 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
a5784c49 1936 dns_protocol_to_string(t->scope->protocol),
6ff79f76 1937 t->scope->link ? t->scope->link->ifname : "*",
775ae354
LP		 1938 af_to_name_short(t->scope->family),
1939 yes_no(!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE)));
1effe965 1940
ef7ce6df 1941 if (!t->initial_jitter_scheduled &&
3742095b 1942 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
ea12bcc7 1943 usec_t jitter, accuracy;
6e068472 1944
9ee18bf4
LP		 1945 /* RFC 4795 Section 2.7 suggests all queries should be delayed by a random time from 0 to
1946 * JITTER_INTERVAL. */
6e068472 1947
ef7ce6df 1948 t->initial_jitter_scheduled = true;
6e068472 1949
ea12bcc7 1950 switch (t->scope->protocol) {
519ef046 1951
ea12bcc7 1952 case DNS_PROTOCOL_LLMNR:
9ee18bf4 1953 jitter = random_u64_range(LLMNR_JITTER_INTERVAL_USEC);
ea12bcc7
DM		 1954 accuracy = LLMNR_JITTER_INTERVAL_USEC;
1955 break;
519ef046 1956
ea12bcc7 1957 case DNS_PROTOCOL_MDNS:
9ee18bf4 1958 jitter = usec_add(random_u64_range(MDNS_JITTER_RANGE_USEC), MDNS_JITTER_MIN_USEC);
ea12bcc7
DM		 1959 accuracy = MDNS_JITTER_RANGE_USEC;
1960 break;
1961 default:
04499a70 1962 assert_not_reached();
ea12bcc7 1963 }
6e068472 1964
6d660692
LP		 1965 assert(!t->timeout_event_source);
1966
1967 r = sd_event_add_time_relative(
6e068472
LP		 1968 t->scope->manager->event,
1969 &t->timeout_event_source,
1970 clock_boottime_or_monotonic(),
6d660692 1971 jitter, accuracy,
6e068472
LP		 1972 on_transaction_timeout, t);
1973 if (r < 0)
1974 return r;
1975
aa4a9deb
LP		 1976 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1977
6e068472 1978 t->n_attempts = 0;
a9da14e1 1979 t->next_attempt_after = ts;
6e068472
LP		 1980 t->state = DNS_TRANSACTION_PENDING;
1981
2f9c3b2a
LP		 1982 log_debug("Delaying %s transaction %" PRIu16 " for " USEC_FMT "us.",
1983 dns_protocol_to_string(t->scope->protocol),
1984 t->id,
1985 jitter);
4ea8b443 1986 return 1;
6e068472
LP		 1987 }
1988
ec2c5e43
LP		 1989 /* Otherwise, we need to ask the network */
1990 r = dns_transaction_make_packet(t);
ec2c5e43
LP		 1991 if (r < 0)
1992 return r;
1993
1994 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
42df9532
LP		 1995 (dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "in-addr.arpa") > 0 ||
1996 dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "ip6.arpa") > 0)) {
ec2c5e43
LP		 1997
1998 /* RFC 4795, Section 2.4. says reverse lookups shall
1999 * always be made via TCP on LLMNR */
98767d75 2000 r = dns_transaction_emit_tcp(t);
ec2c5e43 2001 } else {
be808ea0
TG		 2002 /* Try via UDP, and if that fails due to large size or lack of
2003 * support try via TCP */
49cce12d 2004 r = dns_transaction_emit_udp(t);
29ab0552
LP		 2005 if (r == -EMSGSIZE)
2006 log_debug("Sending query via TCP since it is too large.");
dc349f5f 2007 else if (r == -EAGAIN)
6c0bacc1 2008 log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
4c701096 2009 if (IN_SET(r, -EMSGSIZE, -EAGAIN))
98767d75 2010 r = dns_transaction_emit_tcp(t);
ec2c5e43 2011 }
49ef064c
LP		 2012 if (r == -ELOOP) {
2013 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2014 return r;
2015
2016 /* One of our own stub listeners */
2017 log_debug_errno(r, "Detected that specified DNS server is our own extra listener, switching DNS servers.");
2018
5e8bc852 2019 dns_scope_next_dns_server(t->scope, t->server);
49ef064c
LP		 2020
2021 if (dns_scope_get_dns_server(t->scope) == t->server) {
2022 log_debug_errno(r, "Still pointing to extra listener after switching DNS servers, refusing operation.");
2023 dns_transaction_complete(t, DNS_TRANSACTION_STUB_LOOP);
2024 return 0;
2025 }
be808ea0 2026
49ef064c
LP		 2027 return dns_transaction_go(t);
2028 }
ec2c5e43
LP		 2029 if (r == -ESRCH) {
2030 /* No servers to send this to? */
2031 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
2032 return 0;
91adc4db
LP		 2033 }
2034 if (r == -EOPNOTSUPP) {
2035 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
2036 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
2037 return 0;
2038 }
95d2155a 2039 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_DISCONNECT(r)) {
e94968ba 2040 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
0791110f
LP		 2041 * answer this request with this protocol. */
2042 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
2043 return 0;
2044 }
91adc4db 2045 if (r < 0) {
7cc6ed7b
LP		 2046 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2047 return r;
13b551ac 2048
ec2c5e43 2049 /* Couldn't send? Try immediately again, with a new server */
5e8bc852 2050 dns_scope_next_dns_server(t->scope, t->server);
ec2c5e43
LP		 2051
2052 return dns_transaction_go(t);
2053 }
2054
a9da14e1
DM		 2055 ts += transaction_get_resend_timeout(t);
2056
9a015429
LP		 2057 r = sd_event_add_time(
2058 t->scope->manager->event,
2059 &t->timeout_event_source,
2060 clock_boottime_or_monotonic(),
a9da14e1 2061 ts, 0,
9a015429 2062 on_transaction_timeout, t);
ec2c5e43
LP		 2063 if (r < 0)
2064 return r;
2065
aa4a9deb
LP		 2066 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
2067
ec2c5e43 2068 t->state = DNS_TRANSACTION_PENDING;
a9da14e1
DM		 2069 t->next_attempt_after = ts;
2070
ec2c5e43
LP		 2071 return 1;
2072}
2073
f2992dc1
LP		 2074static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
2075 DnsTransaction *n;
f2992dc1
LP		 2076 int r;
2077
2078 assert(t);
2079 assert(aux);
2080
2081 /* Try to find cyclic dependencies between transaction objects */
2082
2083 if (t == aux)
2084 return 1;
2085
90e74a66 2086 SET_FOREACH(n, aux->dnssec_transactions) {
f2992dc1
LP		 2087 r = dns_transaction_find_cyclic(t, n);
2088 if (r != 0)
2089 return r;
2090 }
2091
3eb6aa00 2092 return 0;
f2992dc1
LP		 2093}
2094
547973de 2095static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
29bd6012 2096 _cleanup_(dns_transaction_gcp) DnsTransaction *aux = NULL;
547973de
LP		 2097 int r;
2098
2099 assert(t);
2100 assert(ret);
2101 assert(key);
2102
775ae354 2103 aux = dns_scope_find_transaction(t->scope, key, t->query_flags);
547973de 2104 if (!aux) {
775ae354 2105 r = dns_transaction_new(&aux, t->scope, key, NULL, t->query_flags);
547973de
LP		 2106 if (r < 0)
2107 return r;
2108 } else {
2109 if (set_contains(t->dnssec_transactions, aux)) {
2110 *ret = aux;
2111 return 0;
2112 }
f2992dc1
LP		 2113
2114 r = dns_transaction_find_cyclic(t, aux);
2115 if (r < 0)
2116 return r;
2117 if (r > 0) {
202b76ae
ZJS		 2118 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
2119
baaa35ad
ZJS		 2120 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
2121 "Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
2122 aux->id,
42df9532 2123 dns_resource_key_to_string(dns_transaction_key(t), s, sizeof s),
baaa35ad 2124 t->id,
42df9532 2125 dns_resource_key_to_string(dns_transaction_key(aux), saux, sizeof saux));
f2992dc1 2126 }
547973de
LP		 2127 }
2128
35aa04e9
LP		 2129 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
2130 if (r < 0)
29bd6012 2131 return r;
547973de 2132
de7fef4b 2133 r = set_ensure_put(&t->dnssec_transactions, NULL, aux);
547973de 2134 if (r < 0)
a75cb4e2 2135 return r;
547973de 2136
de7fef4b 2137 r = set_ensure_put(&aux->notify_transactions, NULL, t);
547973de
LP		 2138 if (r < 0) {
2139 (void) set_remove(t->dnssec_transactions, aux);
29bd6012 2140 return r;
547973de
LP		 2141 }
2142
29bd6012 2143 *ret = TAKE_PTR(aux);
547973de 2144 return 1;
547973de
LP		 2145}
2146
2147static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
2148 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
2149 DnsTransaction *aux;
2150 int r;
2151
2152 assert(t);
2153 assert(key);
2154
2155 /* Try to get the data from the trust anchor */
8e54f5d9 2156 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
547973de
LP		 2157 if (r < 0)
2158 return r;
2159 if (r > 0) {
2160 r = dns_answer_extend(&t->validated_keys, a);
2161 if (r < 0)
2162 return r;
2163
2164 return 0;
2165 }
2166
2167 /* This didn't work, ask for it via the network/cache then. */
2168 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
f2992dc1
LP		 2169 if (r == -ELOOP) /* This would result in a cyclic dependency */
2170 return 0;
547973de
LP		 2171 if (r < 0)
2172 return r;
2173
2174 if (aux->state == DNS_TRANSACTION_NULL) {
2175 r = dns_transaction_go(aux);
2176 if (r < 0)
2177 return r;
2178 }
2179
f2992dc1 2180 return 1;
547973de
LP		 2181}
2182
8a516214
LP		 2183static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
2184 int r;
2185
2186 assert(t);
2187
c629ff58 2188 /* Check whether the specified name is in the NTA
8a516214
LP		 2189 * database, either in the global one, or the link-local
2190 * one. */
2191
2192 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
2193 if (r != 0)
2194 return r;
2195
2196 if (!t->scope->link)
2197 return 0;
2198
7e8a93b7 2199 return link_negative_trust_anchor_lookup(t->scope->link, name);
8a516214
LP		 2200}
2201
105e1512
LP		 2202static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
2203 int r;
2204
2205 assert(t);
2206
2207 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
2208 * RRs to prove it */
2209
2210 r = dns_transaction_has_positive_answer(t, NULL);
2211 if (r < 0)
2212 return r;
2213 if (r > 0)
2214 return false;
2215
8e54f5d9
LP		 2216 /* Is this key explicitly listed as a negative trust anchor?
2217 * If so, it's nothing we need to care about */
42df9532 2218 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2219 if (r < 0)
2220 return r;
2221 if (r > 0)
2222 return false;
2223
105e1512
LP		 2224 /* The answer does not contain any RRs that match to the
2225 * question. If so, let's see if there are any NSEC/NSEC3 RRs
2226 * included. If not, the answer is unsigned. */
2227
9fffe0a9 2228 return !dns_answer_contains_nsec_or_nsec3(t->answer);
105e1512
LP		 2229}
2230
2231static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
2232 int r;
2233
2234 assert(t);
2235 assert(rr);
2236
2237 /* Check if the specified RR is the "primary" response,
2238 * i.e. either matches the question precisely or is a
4cb94977 2239 * CNAME/DNAME for it. */
105e1512 2240
42df9532 2241 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2242 if (r != 0)
2243 return r;
2244
42df9532 2245 return dns_resource_key_match_cname_or_dname(dns_transaction_key(t), rr->key, NULL);
105e1512
LP		 2246}
2247
92ec902a
LP		 2248static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
2249 assert(t);
2250
2251 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
2252 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
2253
2254 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2255 return false;
2256
2257 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
2258 * be supported, hence return true. */
2259 if (!t->server)
2260 return true;
2261
d001e0a3
LP		 2262 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
2263 * the server is known to support currently, as the transaction feature level might be lower than what the
2264 * server actually supports, since we might have downgraded this transaction's feature level because we got a
2265 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
92ec902a
LP		 2266
2267 return dns_server_dnssec_supported(t->server);
2268}
2269
2270static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
2271 DnsTransaction *dt;
92ec902a
LP		 2272
2273 assert(t);
2274
2275 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
2276
2277 if (!dns_transaction_dnssec_supported(t))
2278 return false;
2279
90e74a66 2280 SET_FOREACH(dt, t->dnssec_transactions)
92ec902a
LP		 2281 if (!dns_transaction_dnssec_supported(dt))
2282 return false;
2283
2284 return true;
2285}
2286
547973de
LP		 2287int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
2288 DnsResourceRecord *rr;
105e1512 2289
547973de
LP		 2290 int r;
2291
2292 assert(t);
2293
105e1512
LP		 2294 /*
2295 * Retrieve all auxiliary RRs for the answer we got, so that
2296 * we can verify signatures or prove that RRs are rightfully
2297 * unsigned. Specifically:
2298 *
2299 * - For RRSIG we get the matching DNSKEY
2300 * - For DNSKEY we get the matching DS
2301 * - For unsigned SOA/NS we get the matching DS
b63fca62 2302 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
105e1512 2303 * - For other unsigned RRs we get the matching SOA RR
4bbc06cc
LP		 2304 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
2305 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
105e1512
LP		 2306 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
2307 */
2308
775ae354 2309 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
547973de 2310 return 0;
92ec902a
LP		 2311 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2312 return 0; /* We only need to validate stuff from the network */
2313 if (!dns_transaction_dnssec_supported(t))
5238e957 2314 return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
b652d4a2 2315
547973de
LP		 2316 DNS_ANSWER_FOREACH(rr, t->answer) {
2317
105e1512
LP		 2318 if (dns_type_is_pseudo(rr->key->type))
2319 continue;
2320
8e54f5d9 2321 /* If this RR is in the negative trust anchor, we don't need to validate it. */
1c02e7ba 2322 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2323 if (r < 0)
2324 return r;
2325 if (r > 0)
2326 continue;
2327
547973de
LP		 2328 switch (rr->key->type) {
2329
2330 case DNS_TYPE_RRSIG: {
2331 /* For each RRSIG we request the matching DNSKEY */
2332 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
2333
2334 /* If this RRSIG is about a DNSKEY RR and the
2335 * signer is the same as the owner, then we
2336 * already have the DNSKEY, and we don't have
2337 * to look for more. */
2338 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
1c02e7ba 2339 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
547973de
LP		 2340 if (r < 0)
2341 return r;
2342 if (r > 0)
2343 continue;
2344 }
2345
105e1512
LP		 2346 /* If the signer is not a parent of our
2347 * original query, then this is about an
2348 * auxiliary RRset, but not anything we asked
2349 * for. In this case we aren't interested,
2350 * because we don't want to request additional
2351 * RRs for stuff we didn't really ask for, and
2352 * also to avoid request loops, where
2353 * additional RRs from one transaction result
5238e957 2354 * in another transaction whose additional RRs
105e1512
LP		 2355 * point back to the original transaction, and
2356 * we deadlock. */
42df9532 2357 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), rr->rrsig.signer);
547973de
LP		 2358 if (r < 0)
2359 return r;
2360 if (r == 0)
2361 continue;
2362
2363 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2364 if (!dnskey)
2365 return -ENOMEM;
2366
1c02e7ba
ZJS		 2367 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2368 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
547973de
LP		 2369 r = dns_transaction_request_dnssec_rr(t, dnskey);
2370 if (r < 0)
2371 return r;
2372 break;
2373 }
2374
2375 case DNS_TYPE_DNSKEY: {
2376 /* For each DNSKEY we request the matching DS */
2377 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2378
105e1512
LP		 2379 /* If the DNSKEY we are looking at is not for
2380 * zone we are interested in, nor any of its
2381 * parents, we aren't interested, and don't
2382 * request it. After all, we don't want to end
2383 * up in request loops, and want to keep
2384 * additional traffic down. */
2385
42df9532 2386 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
105e1512
LP		 2387 if (r < 0)
2388 return r;
2389 if (r == 0)
2390 continue;
2391
1c02e7ba 2392 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
547973de
LP		 2393 if (!ds)
2394 return -ENOMEM;
2395
1c02e7ba
ZJS		 2396 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2397 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
105e1512
LP		 2398 r = dns_transaction_request_dnssec_rr(t, ds);
2399 if (r < 0)
2400 return r;
547973de 2401
105e1512
LP		 2402 break;
2403 }
2404
105e1512
LP		 2405 case DNS_TYPE_SOA:
2406 case DNS_TYPE_NS: {
2407 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2408
2409 /* For an unsigned SOA or NS, try to acquire
2410 * the matching DS RR, as we are at a zone cut
2411 * then, and whether a DS exists tells us
2412 * whether the zone is signed. Do so only if
2413 * this RR matches our original question,
2414 * however. */
2415
42df9532 2416 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2417 if (r < 0)
2418 return r;
6993d264
LP		 2419 if (r == 0) {
2420 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
d51c4fca 2421 * a negative reply, and we need the SOA RR's TTL in order to cache a negative entry?
6993d264
LP		 2422 * If so, we need to validate it, too. */
2423
42df9532 2424 r = dns_answer_match_key(t->answer, dns_transaction_key(t), NULL);
6993d264
LP		 2425 if (r < 0)
2426 return r;
2427 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2428 * it. */
2429 continue;
d5acaa51
LP		 2430
2431 /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
2432 * what we are looking for, otherwise there's no value in it for us. */
42df9532 2433 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
d5acaa51
LP		 2434 if (r < 0)
2435 return r;
2436 if (r == 0)
2437 continue;
6993d264 2438 }
105e1512
LP		 2439
2440 r = dnssec_has_rrsig(t->answer, rr->key);
2441 if (r < 0)
2442 return r;
2443 if (r > 0)
2444 continue;
2445
1c02e7ba 2446 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
105e1512
LP		 2447 if (!ds)
2448 return -ENOMEM;
2449
1c02e7ba
ZJS		 2450 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2451 t->id, dns_resource_key_name(rr->key));
547973de
LP		 2452 r = dns_transaction_request_dnssec_rr(t, ds);
2453 if (r < 0)
2454 return r;
2455
2456 break;
105e1512
LP		 2457 }
2458
b63fca62 2459 case DNS_TYPE_DS:
105e1512
LP		 2460 case DNS_TYPE_CNAME:
2461 case DNS_TYPE_DNAME: {
2462 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2463 const char *name;
2464
2465 /* CNAMEs and DNAMEs cannot be located at a
2466 * zone apex, hence ask for the parent SOA for
2467 * unsigned CNAME/DNAME RRs, maybe that's the
2468 * apex. But do all that only if this is
2469 * actually a response to our original
b63fca62
LP		 2470 * question.
2471 *
2472 * Similar for DS RRs, which are signed when
2473 * the parent SOA is signed. */
105e1512
LP		 2474
2475 r = dns_transaction_is_primary_response(t, rr);
2476 if (r < 0)
2477 return r;
2478 if (r == 0)
2479 continue;
2480
2481 r = dnssec_has_rrsig(t->answer, rr->key);
2482 if (r < 0)
2483 return r;
2484 if (r > 0)
2485 continue;
2486
43e6779a
LP		 2487 r = dns_answer_has_dname_for_cname(t->answer, rr);
2488 if (r < 0)
2489 return r;
2490 if (r > 0)
2491 continue;
2492
1c02e7ba 2493 name = dns_resource_key_name(rr->key);
105e1512
LP		 2494 r = dns_name_parent(&name);
2495 if (r < 0)
2496 return r;
2497 if (r == 0)
2498 continue;
2499
2500 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2501 if (!soa)
2502 return -ENOMEM;
2503
1c02e7ba
ZJS		 2504 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2505 t->id, dns_resource_key_name(rr->key));
105e1512
LP		 2506 r = dns_transaction_request_dnssec_rr(t, soa);
2507 if (r < 0)
2508 return r;
2509
2510 break;
2511 }
2512
2513 default: {
2514 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2515
b63fca62
LP		 2516 /* For other unsigned RRsets (including
2517 * NSEC/NSEC3!), look for proof the zone is
2518 * unsigned, by requesting the SOA RR of the
2519 * zone. However, do so only if they are
2520 * directly relevant to our original
105e1512
LP		 2521 * question. */
2522
2523 r = dns_transaction_is_primary_response(t, rr);
2524 if (r < 0)
2525 return r;
2526 if (r == 0)
2527 continue;
2528
2529 r = dnssec_has_rrsig(t->answer, rr->key);
2530 if (r < 0)
2531 return r;
2532 if (r > 0)
2533 continue;
2534
1c02e7ba 2535 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
105e1512
LP		 2536 if (!soa)
2537 return -ENOMEM;
2538
1c02e7ba
ZJS		 2539 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2540 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
105e1512
LP		 2541 r = dns_transaction_request_dnssec_rr(t, soa);
2542 if (r < 0)
2543 return r;
2544 break;
547973de
LP		 2545 }}
2546 }
2547
105e1512
LP		 2548 /* Above, we requested everything necessary to validate what
2549 * we got. Now, let's request what we need to validate what we
2550 * didn't get... */
2551
2552 r = dns_transaction_has_unsigned_negative_answer(t);
2553 if (r < 0)
2554 return r;
2555 if (r > 0) {
2556 const char *name;
4bbc06cc 2557 uint16_t type = 0;
105e1512 2558
42df9532 2559 name = dns_resource_key_name(dns_transaction_key(t));
105e1512 2560
4bbc06cc
LP		 2561 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2562 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2563 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2564 * though they have further children. If this was a DS request, then it's signed when the parent zone
2565 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2566 * to see if that is signed. */
105e1512 2567
42df9532 2568 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2569 r = dns_name_parent(&name);
4bbc06cc
LP		 2570 if (r > 0) {
2571 type = DNS_TYPE_SOA;
6d72da2f 2572 log_debug("Requesting parent SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
42df9532 2573 name, t->id, dns_resource_key_name(dns_transaction_key(t)));
4bbc06cc 2574 } else
105e1512 2575 name = NULL;
4bbc06cc 2576
42df9532 2577 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
4bbc06cc
LP		 2578
2579 type = DNS_TYPE_DS;
6d72da2f
LP		 2580 log_debug("Requesting DS (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
2581 name, t->id, name);
4bbc06cc
LP		 2582
2583 } else {
2584 type = DNS_TYPE_SOA;
6d72da2f
LP		 2585 log_debug("Requesting SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
2586 name, t->id, name);
4bbc06cc 2587 }
105e1512
LP		 2588
2589 if (name) {
2590 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2591
42df9532 2592 soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name);
105e1512
LP		 2593 if (!soa)
2594 return -ENOMEM;
2595
2596 r = dns_transaction_request_dnssec_rr(t, soa);
2597 if (r < 0)
2598 return r;
2599 }
2600 }
2601
2602 return dns_transaction_dnssec_is_live(t);
547973de
LP		 2603}
2604
2605void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
547973de 2606 assert(t);
547973de
LP		 2607 assert(source);
2608
942eb2e7
LP		 2609 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2610 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2611 the state is VALIDATING however, we should check if we are complete now. */
105e1512 2612
942eb2e7
LP		 2613 if (t->state == DNS_TRANSACTION_VALIDATING)
2614 dns_transaction_process_dnssec(t);
547973de
LP		 2615}
2616
105e1512 2617static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
04617bf8
LP		 2618 DnsAnswerItem *item;
2619 int r;
105e1512
LP		 2620
2621 assert(t);
2622
2623 /* Add all DNSKEY RRs from the answer that are validated by DS
2624 * RRs from the list of validated keys to the list of
2625 * validated keys. */
2626
04617bf8 2627 DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
105e1512 2628
04617bf8 2629 r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
105e1512
LP		 2630 if (r < 0)
2631 return r;
2632 if (r == 0)
2633 continue;
2634
2635 /* If so, the DNSKEY is validated too. */
04617bf8 2636 r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
105e1512
LP		 2637 if (r < 0)
2638 return r;
2639 }
2640
2641 return 0;
2642}
2643
2644static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
56352fe9
LP		 2645 int r;
2646
2647 assert(t);
2648 assert(rr);
2649
105e1512
LP		 2650 /* Checks if the RR we are looking for must be signed with an
2651 * RRSIG. This is used for positive responses. */
24a5b982 2652
b652d4a2 2653 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2654 return false;
56352fe9 2655
105e1512
LP		 2656 if (dns_type_is_pseudo(rr->key->type))
2657 return -EINVAL;
56352fe9 2658
1c02e7ba 2659 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2660 if (r < 0)
2661 return r;
2662 if (r > 0)
2663 return false;
2664
105e1512 2665 switch (rr->key->type) {
56352fe9 2666
105e1512
LP		 2667 case DNS_TYPE_RRSIG:
2668 /* RRSIGs are the signatures themselves, they need no signing. */
2669 return false;
2670
2671 case DNS_TYPE_SOA:
2672 case DNS_TYPE_NS: {
2673 DnsTransaction *dt;
105e1512 2674
b63fca62 2675 /* For SOA or NS RRs we look for a matching DS transaction */
105e1512 2676
90e74a66 2677 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2678
42df9532 2679 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2680 continue;
42df9532 2681 if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
105e1512
LP		 2682 continue;
2683
42df9532 2684 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2685 if (r < 0)
2686 return r;
2687 if (r == 0)
2688 continue;
2689
2690 /* We found a DS transactions for the SOA/NS
2691 * RRs we are looking at. If it discovered signed DS
2692 * RRs, then we need to be signed, too. */
2693
6f055e43 2694 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
097a2517 2695 return false;
105e1512 2696
42df9532 2697 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
105e1512
LP		 2698 }
2699
2700 /* We found nothing that proves this is safe to leave
2701 * this unauthenticated, hence ask inist on
2702 * authentication. */
2703 return true;
2704 }
2705
b63fca62 2706 case DNS_TYPE_DS:
105e1512
LP		 2707 case DNS_TYPE_CNAME:
2708 case DNS_TYPE_DNAME: {
2709 const char *parent = NULL;
2710 DnsTransaction *dt;
105e1512 2711
b63fca62
LP		 2712 /*
2713 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2714 *
2715 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2716 */
105e1512 2717
90e74a66 2718 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2719
42df9532 2720 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2721 continue;
42df9532 2722 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2723 continue;
2724
2725 if (!parent) {
1c02e7ba 2726 parent = dns_resource_key_name(rr->key);
105e1512
LP		 2727 r = dns_name_parent(&parent);
2728 if (r < 0)
2729 return r;
2730 if (r == 0) {
b63fca62
LP		 2731 if (rr->key->type == DNS_TYPE_DS)
2732 return true;
2733
105e1512 2734 /* A CNAME/DNAME without a parent? That's sooo weird. */
baaa35ad
ZJS		 2735 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2736 "Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
105e1512
LP		 2737 }
2738 }
2739
42df9532 2740 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent);
105e1512
LP		 2741 if (r < 0)
2742 return r;
2743 if (r == 0)
2744 continue;
2745
6f055e43 2746 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2747 }
2748
2749 return true;
2750 }
2751
2752 default: {
2753 DnsTransaction *dt;
105e1512 2754
b63fca62 2755 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
105e1512 2756
90e74a66 2757 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2758
42df9532 2759 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2760 continue;
42df9532 2761 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2762 continue;
2763
42df9532 2764 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2765 if (r < 0)
2766 return r;
2767 if (r == 0)
2768 continue;
2769
6f055e43
LP		 2770 /* We found the transaction that was supposed to find the SOA RR for us. It was
2771 * successful, but found no RR for us. This means we are not at a zone cut. In this
2772 * case, we require authentication if the SOA lookup was authenticated too. */
2773 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2774 }
2775
2776 return true;
2777 }}
56352fe9
LP		 2778}
2779
d33b6cf3
LP		 2780static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2781 DnsTransaction *dt;
2782 const char *tld;
d33b6cf3
LP		 2783 int r;
2784
2785 /* If DNSSEC downgrade mode is on, checks whether the
2786 * specified RR is one level below a TLD we have proven not to
2787 * exist. In such a case we assume that this is a private
2788 * domain, and permit it.
2789 *
2790 * This detects cases like the Fritz!Box router networks. Each
2791 * Fritz!Box router serves a private "fritz.box" zone, in the
2792 * non-existing TLD "box". Requests for the "fritz.box" domain
2793 * are served by the router itself, while requests for the
2794 * "box" domain will result in NXDOMAIN.
2795 *
2796 * Note that this logic is unable to detect cases where a
2797 * router serves a private DNS zone directly under
2798 * non-existing TLD. In such a case we cannot detect whether
2799 * the TLD is supposed to exist or not, as all requests we
2800 * make for it will be answered by the router's zone, and not
2801 * by the root zone. */
2802
2803 assert(t);
2804
2805 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2806 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2807
1c02e7ba 2808 tld = dns_resource_key_name(key);
d33b6cf3
LP		 2809 r = dns_name_parent(&tld);
2810 if (r < 0)
2811 return r;
2812 if (r == 0)
2813 return false; /* Already the root domain */
2814
2815 if (!dns_name_is_single_label(tld))
2816 return false;
2817
90e74a66 2818 SET_FOREACH(dt, t->dnssec_transactions) {
d33b6cf3 2819
42df9532 2820 if (dns_transaction_key(dt)->class != key->class)
d33b6cf3
LP		 2821 continue;
2822
42df9532 2823 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), tld);
d33b6cf3
LP		 2824 if (r < 0)
2825 return r;
2826 if (r == 0)
2827 continue;
2828
2829 /* We found an auxiliary lookup we did for the TLD. If
2830 * that returned with NXDOMAIN, we know the TLD didn't
2831 * exist, and hence this might be a private zone. */
2832
2833 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2834 }
2835
2836 return false;
2837}
2838
105e1512 2839static int dns_transaction_requires_nsec(DnsTransaction *t) {
4bbc06cc 2840 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
105e1512
LP		 2841 DnsTransaction *dt;
2842 const char *name;
4bbc06cc 2843 uint16_t type = 0;
105e1512 2844 int r;
56352fe9
LP		 2845
2846 assert(t);
2847
105e1512
LP		 2848 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2849 * this negative reply */
56352fe9 2850
b652d4a2 2851 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2852 return false;
56352fe9 2853
42df9532 2854 if (dns_type_is_pseudo(dns_transaction_key(t)->type))
105e1512
LP		 2855 return -EINVAL;
2856
42df9532 2857 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2858 if (r < 0)
2859 return r;
2860 if (r > 0)
2861 return false;
2862
42df9532 2863 r = dns_transaction_in_private_tld(t, dns_transaction_key(t));
d33b6cf3
LP		 2864 if (r < 0)
2865 return r;
2866 if (r > 0) {
2867 /* The lookup is from a TLD that is proven not to
2868 * exist, and we are in downgrade mode, hence ignore
13e785f7 2869 * that fact that we didn't get any NSEC RRs. */
d33b6cf3 2870
202b76ae 2871 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
42df9532 2872 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
d33b6cf3
LP		 2873 return false;
2874 }
2875
42df9532 2876 name = dns_resource_key_name(dns_transaction_key(t));
105e1512 2877
42df9532 2878 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2879
4bbc06cc
LP		 2880 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
2881 * hence check the parent SOA in this case. */
105e1512
LP		 2882
2883 r = dns_name_parent(&name);
56352fe9
LP		 2884 if (r < 0)
2885 return r;
2886 if (r == 0)
105e1512 2887 return true;
4bbc06cc
LP		 2888
2889 type = DNS_TYPE_SOA;
2890
42df9532 2891 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS))
4bbc06cc
LP		 2892 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
2893 type = DNS_TYPE_DS;
2894 else
2895 /* For all other negative replies, check for the SOA lookup */
2896 type = DNS_TYPE_SOA;
105e1512
LP		 2897
2898 /* For all other RRs we check the SOA on the same level to see
2899 * if it's signed. */
2900
90e74a66 2901 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2902
42df9532 2903 if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class)
105e1512 2904 continue;
42df9532 2905 if (dns_transaction_key(dt)->type != type)
56352fe9
LP		 2906 continue;
2907
42df9532 2908 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name);
56352fe9
LP		 2909 if (r < 0)
2910 return r;
105e1512
LP		 2911 if (r == 0)
2912 continue;
2913
6f055e43 2914 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
56352fe9
LP		 2915 }
2916
105e1512
LP		 2917 /* If in doubt, require NSEC/NSEC3 */
2918 return true;
56352fe9
LP		 2919}
2920
94aa7071
LP		 2921static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2922 DnsResourceRecord *rrsig;
2923 bool found = false;
2924 int r;
2925
2926 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2927 * the specified RRset is authenticated (i.e. has a matching
2928 * DS RR). */
2929
1c02e7ba 2930 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2931 if (r < 0)
2932 return r;
2933 if (r > 0)
2934 return false;
2935
94aa7071
LP		 2936 DNS_ANSWER_FOREACH(rrsig, t->answer) {
2937 DnsTransaction *dt;
94aa7071
LP		 2938
2939 r = dnssec_key_match_rrsig(rr->key, rrsig);
2940 if (r < 0)
2941 return r;
2942 if (r == 0)
2943 continue;
2944
90e74a66 2945 SET_FOREACH(dt, t->dnssec_transactions) {
94aa7071 2946
42df9532 2947 if (dns_transaction_key(dt)->class != rr->key->class)
94aa7071
LP		 2948 continue;
2949
42df9532 2950 if (dns_transaction_key(dt)->type == DNS_TYPE_DNSKEY) {
94aa7071 2951
42df9532 2952 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 2953 if (r < 0)
2954 return r;
2955 if (r == 0)
2956 continue;
2957
6f055e43
LP		 2958 /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
2959 * report this. */
94aa7071 2960
6f055e43 2961 if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 2962 return true;
2963
2964 found = true;
2965
42df9532 2966 } else if (dns_transaction_key(dt)->type == DNS_TYPE_DS) {
94aa7071 2967
42df9532 2968 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 2969 if (r < 0)
2970 return r;
2971 if (r == 0)
2972 continue;
2973
6f055e43
LP		 2974 /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
2975 * non-zero, we won! */
94aa7071 2976
6f055e43 2977 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 2978 return false;
2979
42df9532 2980 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
94aa7071
LP		 2981 }
2982 }
2983 }
2984
2985 return found ? false : -ENXIO;
2986}
2987
b652d4a2
LP		 2988static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
2989 assert(t);
2990 assert(rr);
2991
2992 /* We know that the root domain is signed, hence if it appears
2993 * not to be signed, there's a problem with the DNS server */
2994
2995 return rr->key->class == DNS_CLASS_IN &&
1c02e7ba 2996 dns_name_is_root(dns_resource_key_name(rr->key));
b652d4a2
LP		 2997}
2998
0f87f3e8
LP		 2999static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
3000 DnsResourceRecord *rr;
3001 int r;
3002
3003 assert(t);
3004
3005 /* Maybe warn the user that we encountered a revoked DNSKEY
3006 * for a key from our trust anchor. Note that we don't care
3007 * whether the DNSKEY can be authenticated or not. It's
3008 * sufficient if it is self-signed. */
3009
3010 DNS_ANSWER_FOREACH(rr, t->answer) {
d424da2a 3011 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
0f87f3e8
LP		 3012 if (r < 0)
3013 return r;
3014 }
3015
3016 return 0;
3017}
3018
c9c72065
LP		 3019static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
3020 bool changed;
3021 int r;
3022
3023 assert(t);
3024
3025 /* Removes all DNSKEY/DS objects from t->validated_keys that
3026 * our trust anchors database considers revoked. */
3027
3028 do {
3029 DnsResourceRecord *rr;
3030
3031 changed = false;
3032
3033 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
3034 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
3035 if (r < 0)
3036 return r;
3037 if (r > 0) {
3038 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
3039 if (r < 0)
3040 return r;
3041
3042 assert(r > 0);
3043 changed = true;
3044 break;
3045 }
3046 }
3047 } while (changed);
3048
3049 return 0;
3050}
3051
942eb2e7
LP		 3052static int dns_transaction_copy_validated(DnsTransaction *t) {
3053 DnsTransaction *dt;
942eb2e7
LP		 3054 int r;
3055
3056 assert(t);
3057
3058 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
3059
90e74a66 3060 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 3061
3062 if (DNS_TRANSACTION_IS_LIVE(dt->state))
3063 continue;
3064
6f055e43 3065 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
942eb2e7
LP		 3066 continue;
3067
3068 r = dns_answer_extend(&t->validated_keys, dt->answer);
3069 if (r < 0)
3070 return r;
3071 }
3072
3073 return 0;
3074}
3075
c690b20a
ZJS		 3076typedef enum {
3077 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
3078 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
3079 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
3080} Phase;
3081
3082static int dnssec_validate_records(
3083 DnsTransaction *t,
3084 Phase phase,
3085 bool *have_nsec,
3086 DnsAnswer **validated) {
3087
547973de 3088 DnsResourceRecord *rr;
56352fe9 3089 int r;
547973de 3090
c690b20a 3091 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
547973de 3092
c690b20a
ZJS		 3093 DNS_ANSWER_FOREACH(rr, t->answer) {
3094 DnsResourceRecord *rrsig = NULL;
3095 DnssecResult result;
547973de 3096
c690b20a
ZJS		 3097 switch (rr->key->type) {
3098 case DNS_TYPE_RRSIG:
3099 continue;
547973de 3100
c690b20a
ZJS		 3101 case DNS_TYPE_DNSKEY:
3102 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
3103 if (phase == DNSSEC_PHASE_NSEC)
3104 continue;
3105 break;
547973de 3106
c690b20a
ZJS		 3107 case DNS_TYPE_NSEC:
3108 case DNS_TYPE_NSEC3:
3109 *have_nsec = true;
547973de 3110
c690b20a
ZJS		 3111 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
3112 if (phase == DNSSEC_PHASE_DNSKEY)
3113 continue;
3114 break;
105e1512 3115
c690b20a
ZJS		 3116 default:
3117 /* We validate all other RRs only in the ALL phases */
3118 if (phase != DNSSEC_PHASE_ALL)
3119 continue;
3120 }
b652d4a2 3121
04617bf8
LP		 3122 r = dnssec_verify_rrset_search(
3123 t->answer,
3124 rr->key,
3125 t->validated_keys,
3126 USEC_INFINITY,
3127 &result,
3128 &rrsig);
c690b20a
ZJS		 3129 if (r < 0)
3130 return r;
547973de 3131
c690b20a 3132 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
0f87f3e8 3133
c690b20a 3134 if (result == DNSSEC_VALIDATED) {
04617bf8 3135 assert(rrsig);
942eb2e7 3136
c690b20a
ZJS		 3137 if (rr->key->type == DNS_TYPE_DNSKEY) {
3138 /* If we just validated a DNSKEY RRset, then let's add these keys to
3139 * the set of validated keys for this transaction. */
547973de 3140
04617bf8 3141 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
c690b20a
ZJS		 3142 if (r < 0)
3143 return r;
c9c72065 3144
c690b20a
ZJS		 3145 /* Some of the DNSKEYs we just added might already have been revoked,
3146 * remove them again in that case. */
3147 r = dns_transaction_invalidate_revoked_keys(t);
3148 if (r < 0)
3149 return r;
3150 }
547973de 3151
04617bf8
LP		 3152 /* Add the validated RRset to the new list of validated RRsets, and remove it from
3153 * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
3154 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
c690b20a
ZJS		 3155 if (r < 0)
3156 return r;
547973de 3157
c690b20a 3158 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
0c7bff0a 3159
c690b20a
ZJS		 3160 /* Exit the loop, we dropped something from the answer, start from the beginning */
3161 return 1;
3162 }
547973de 3163
c690b20a
ZJS		 3164 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
3165 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
3166 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
3167 if (phase != DNSSEC_PHASE_ALL)
3168 continue;
0c7bff0a 3169
c690b20a
ZJS		 3170 if (result == DNSSEC_VALIDATED_WILDCARD) {
3171 bool authenticated = false;
3172 const char *source;
0c7bff0a 3173
04617bf8
LP		 3174 assert(rrsig);
3175
c690b20a 3176 /* This RRset validated, but as a wildcard. This means we need
13e785f7 3177 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
0c7bff0a 3178
c690b20a
ZJS		 3179 /* First step, determine the source of synthesis */
3180 r = dns_resource_record_source(rrsig, &source);
3181 if (r < 0)
3182 return r;
0c7bff0a 3183
c690b20a 3184 r = dnssec_test_positive_wildcard(*validated,
1c02e7ba 3185 dns_resource_key_name(rr->key),
c690b20a
ZJS		 3186 source,
3187 rrsig->rrsig.signer,
3188 &authenticated);
0c7bff0a 3189
c690b20a
ZJS		 3190 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
3191 if (r == 0)
3192 result = DNSSEC_INVALID;
3193 else {
04617bf8
LP		 3194 r = dns_answer_move_by_key(
3195 validated,
3196 &t->answer,
3197 rr->key,
3198 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
3199 rrsig);
c690b20a
ZJS		 3200 if (r < 0)
3201 return r;
3202
3203 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
3204
3205 /* Exit the loop, we dropped something from the answer, start from the beginning */
3206 return 1;
0c7bff0a 3207 }
c690b20a 3208 }
0c7bff0a 3209
c690b20a
ZJS		 3210 if (result == DNSSEC_NO_SIGNATURE) {
3211 r = dns_transaction_requires_rrsig(t, rr);
547973de
LP		 3212 if (r < 0)
3213 return r;
c690b20a
ZJS		 3214 if (r == 0) {
3215 /* Data does not require signing. In that case, just copy it over,
13e785f7 3216 * but remember that this is by no means authenticated. */
04617bf8
LP		 3217 r = dns_answer_move_by_key(
3218 validated,
3219 &t->answer,
3220 rr->key,
3221 0,
3222 NULL);
c690b20a
ZJS		 3223 if (r < 0)
3224 return r;
3225
3226 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3227 return 1;
3228 }
547973de 3229
c690b20a
ZJS		 3230 r = dns_transaction_known_signed(t, rr);
3231 if (r < 0)
3232 return r;
3233 if (r > 0) {
3234 /* This is an RR we know has to be signed. If it isn't this means
3235 * the server is not attaching RRSIGs, hence complain. */
547973de 3236
c690b20a 3237 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
547973de 3238
c690b20a 3239 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
547973de 3240
c690b20a 3241 /* Downgrading is OK? If so, just consider the information unsigned */
c9c72065 3242
04617bf8 3243 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
c9c72065
LP		 3244 if (r < 0)
3245 return r;
547973de 3246
c690b20a
ZJS		 3247 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3248 return 1;
3249 }
a150ff5e 3250
c690b20a
ZJS		 3251 /* Otherwise, fail */
3252 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3253 return 0;
f3cf586d 3254 }
547973de 3255
c690b20a
ZJS		 3256 r = dns_transaction_in_private_tld(t, rr->key);
3257 if (r < 0)
3258 return r;
3259 if (r > 0) {
202b76ae 3260 char s[DNS_RESOURCE_KEY_STRING_MAX];
b652d4a2 3261
c690b20a
ZJS		 3262 /* The data is from a TLD that is proven not to exist, and we are in downgrade
3263 * mode, hence ignore the fact that this was not signed. */
0c7bff0a 3264
202b76ae
ZJS		 3265 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
3266 dns_resource_key_to_string(rr->key, s, sizeof s));
0c7bff0a 3267
04617bf8 3268 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
0c7bff0a
LP		 3269 if (r < 0)
3270 return r;
0c7bff0a 3271
c690b20a
ZJS		 3272 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3273 return 1;
3274 }
3275 }
0c7bff0a 3276
c690b20a
ZJS		 3277 if (IN_SET(result,
3278 DNSSEC_MISSING_KEY,
3279 DNSSEC_SIGNATURE_EXPIRED,
3280 DNSSEC_UNSUPPORTED_ALGORITHM)) {
0c7bff0a 3281
c690b20a
ZJS		 3282 r = dns_transaction_dnskey_authenticated(t, rr);
3283 if (r < 0 && r != -ENXIO)
3284 return r;
3285 if (r == 0) {
3286 /* The DNSKEY transaction was not authenticated, this means there's
3287 * no DS for this, which means it's OK if no keys are found for this signature. */
0c7bff0a 3288
04617bf8 3289 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
f3cf586d
LP		 3290 if (r < 0)
3291 return r;
b652d4a2 3292
c690b20a
ZJS		 3293 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3294 return 1;
3295 }
3296 }
b652d4a2 3297
c690b20a
ZJS		 3298 r = dns_transaction_is_primary_response(t, rr);
3299 if (r < 0)
3300 return r;
3301 if (r > 0) {
3302 /* Look for a matching DNAME for this CNAME */
3303 r = dns_answer_has_dname_for_cname(t->answer, rr);
3304 if (r < 0)
3305 return r;
3306 if (r == 0) {
3307 /* Also look among the stuff we already validated */
3308 r = dns_answer_has_dname_for_cname(*validated, rr);
f3cf586d
LP		 3309 if (r < 0)
3310 return r;
c690b20a 3311 }
d33b6cf3 3312
c690b20a
ZJS		 3313 if (r == 0) {
3314 if (IN_SET(result,
3315 DNSSEC_INVALID,
3316 DNSSEC_SIGNATURE_EXPIRED,
3317 DNSSEC_NO_SIGNATURE))
3318 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
3319 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
3320 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
3321
3322 /* This is a primary response to our question, and it failed validation.
3323 * That's fatal. */
3324 t->answer_dnssec_result = result;
3325 return 0;
3326 }
d33b6cf3 3327
c690b20a
ZJS		 3328 /* This is a primary response, but we do have a DNAME RR
3329 * in the RR that can replay this CNAME, hence rely on
3330 * that, and we can remove the CNAME in favour of it. */
3331 }
d33b6cf3 3332
c690b20a
ZJS		 3333 /* This is just some auxiliary data. Just remove the RRset and continue. */
3334 r = dns_answer_remove_by_key(&t->answer, rr->key);
3335 if (r < 0)
3336 return r;
d33b6cf3 3337
c690b20a
ZJS		 3338 /* We dropped something from the answer, start from the beginning. */
3339 return 1;
3340 }
f3cf586d 3341
c690b20a
ZJS		 3342 return 2; /* Finito. */
3343}
94aa7071 3344
c690b20a
ZJS		 3345int dns_transaction_validate_dnssec(DnsTransaction *t) {
3346 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
3347 Phase phase;
3348 DnsAnswerFlags flags;
3349 int r;
202b76ae 3350 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
94aa7071 3351
c690b20a 3352 assert(t);
94aa7071 3353
775ae354 3354 /* We have now collected all DS and DNSKEY RRs in t->validated_keys, let's see which RRs we can now
c690b20a 3355 * authenticate with that. */
94aa7071 3356
775ae354 3357 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
c690b20a 3358 return 0;
a150ff5e 3359
c690b20a
ZJS		 3360 /* Already validated */
3361 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3362 return 0;
105e1512 3363
c690b20a
ZJS		 3364 /* Our own stuff needs no validation */
3365 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3366 t->answer_dnssec_result = DNSSEC_VALIDATED;
6f055e43 3367 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
c690b20a
ZJS		 3368 return 0;
3369 }
a150ff5e 3370
c690b20a
ZJS		 3371 /* Cached stuff is not affected by validation. */
3372 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3373 return 0;
f3cf586d 3374
c690b20a
ZJS		 3375 if (!dns_transaction_dnssec_supported_full(t)) {
3376 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3377 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
d001e0a3 3378 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
c690b20a
ZJS		 3379 return 0;
3380 }
f3cf586d 3381
202b76ae
ZJS		 3382 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3383 t->id,
42df9532 3384 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
547973de 3385
c690b20a
ZJS		 3386 /* First, see if this response contains any revoked trust
3387 * anchors we care about */
3388 r = dns_transaction_check_revoked_trust_anchors(t);
3389 if (r < 0)
3390 return r;
43e6779a 3391
c690b20a
ZJS		 3392 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3393 r = dns_transaction_copy_validated(t);
3394 if (r < 0)
3395 return r;
43e6779a 3396
c690b20a
ZJS		 3397 /* Second, see if there are DNSKEYs we already know a
3398 * validated DS for. */
3399 r = dns_transaction_validate_dnskey_by_ds(t);
3400 if (r < 0)
3401 return r;
43e6779a 3402
c690b20a
ZJS		 3403 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3404 * anchor says are revoked. After all we might have marked
3405 * some keys revoked above, but they might still be lingering
3406 * in our validated_keys list. */
3407 r = dns_transaction_invalidate_revoked_keys(t);
3408 if (r < 0)
3409 return r;
f3cf586d 3410
c690b20a
ZJS		 3411 phase = DNSSEC_PHASE_DNSKEY;
3412 for (;;) {
3413 bool have_nsec = false;
f3cf586d 3414
c690b20a
ZJS		 3415 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3416 if (r <= 0)
3417 return r;
547973de 3418
c690b20a
ZJS		 3419 /* Try again as long as we managed to achieve something */
3420 if (r == 1)
547973de
LP		 3421 continue;
3422
c690b20a 3423 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
0c7bff0a 3424 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
c690b20a 3425 phase = DNSSEC_PHASE_NSEC;
0c7bff0a
LP		 3426 continue;
3427 }
3428
c690b20a
ZJS		 3429 if (phase != DNSSEC_PHASE_ALL) {
3430 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3431 * Note that in this third phase we start to remove RRs we couldn't validate. */
3432 phase = DNSSEC_PHASE_ALL;
56352fe9 3433 continue;
547973de
LP		 3434 }
3435
56352fe9 3436 /* We're done */
547973de
LP		 3437 break;
3438 }
3439
3440 dns_answer_unref(t->answer);
1cc6c93a 3441 t->answer = TAKE_PTR(validated);
547973de 3442
72667f08
LP		 3443 /* At this point the answer only contains validated
3444 * RRsets. Now, let's see if it actually answers the question
3445 * we asked. If so, great! If it doesn't, then see if
3446 * NSEC/NSEC3 can prove this. */
105e1512 3447 r = dns_transaction_has_positive_answer(t, &flags);
72667f08 3448 if (r > 0) {
105e1512
LP		 3449 /* Yes, it answers the question! */
3450
3451 if (flags & DNS_ANSWER_AUTHENTICATED) {
3452 /* The answer is fully authenticated, yay. */
019036a4 3453 t->answer_dnssec_result = DNSSEC_VALIDATED;
105e1512 3454 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3455 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
105e1512
LP		 3456 } else {
3457 /* The answer is not fully authenticated. */
019036a4 3458 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3459 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
105e1512
LP		 3460 }
3461
72667f08
LP		 3462 } else if (r == 0) {
3463 DnssecNsecResult nr;
ed29bfdc 3464 bool authenticated = false;
72667f08
LP		 3465
3466 /* Bummer! Let's check NSEC/NSEC3 */
42df9532 3467 r = dnssec_nsec_test(t->answer, dns_transaction_key(t), &nr, &authenticated, &t->answer_nsec_ttl);
72667f08
LP		 3468 if (r < 0)
3469 return r;
3470
3471 switch (nr) {
3472
3473 case DNSSEC_NSEC_NXDOMAIN:
3474 /* NSEC proves the domain doesn't exist. Very good. */
202b76ae 3475 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3476 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3477 t->answer_rcode = DNS_RCODE_NXDOMAIN;
6f055e43 3478 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3479
42df9532 3480 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3481 break;
3482
3483 case DNSSEC_NSEC_NODATA:
3484 /* NSEC proves that there's no data here, very good. */
202b76ae 3485 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3486 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3487 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3488 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3489
42df9532 3490 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3491 break;
3492
105e1512
LP		 3493 case DNSSEC_NSEC_OPTOUT:
3494 /* NSEC3 says the data might not be signed */
202b76ae 3495 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3496 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3497 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
7aa8ce98 3498
42df9532 3499 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3500 break;
3501
72667f08
LP		 3502 case DNSSEC_NSEC_NO_RR:
3503 /* No NSEC data? Bummer! */
105e1512
LP		 3504
3505 r = dns_transaction_requires_nsec(t);
3506 if (r < 0)
3507 return r;
7aa8ce98 3508 if (r > 0) {
019036a4 3509 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
42df9532 3510 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
7aa8ce98 3511 } else {
019036a4 3512 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3513 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
42df9532 3514 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3515 }
3516
3517 break;
3518
3519 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3520 /* We don't know the NSEC3 algorithm used? */
019036a4 3521 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
42df9532 3522 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, dns_transaction_key(t));
72667f08
LP		 3523 break;
3524
3525 case DNSSEC_NSEC_FOUND:
146035b3 3526 case DNSSEC_NSEC_CNAME:
72667f08 3527 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
019036a4 3528 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
42df9532 3529 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
72667f08
LP		 3530 break;
3531
3532 default:
04499a70 3533 assert_not_reached();
72667f08
LP		 3534 }
3535 }
3536
547973de
LP		 3537 return 1;
3538}
3539
ec2c5e43 3540static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
e3e64a1a
ZJS		 3541 [DNS_TRANSACTION_NULL] = "null",
3542 [DNS_TRANSACTION_PENDING] = "pending",
3543 [DNS_TRANSACTION_VALIDATING] = "validating",
3544 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3545 [DNS_TRANSACTION_SUCCESS] = "success",
3546 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3547 [DNS_TRANSACTION_TIMEOUT] = "timeout",
ec2c5e43 3548 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
e3e64a1a
ZJS		 3549 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3550 [DNS_TRANSACTION_ERRNO] = "errno",
3551 [DNS_TRANSACTION_ABORTED] = "aborted",
3552 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3553 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3554 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3555 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3556 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3557 [DNS_TRANSACTION_NO_SOURCE] = "no-source",
3558 [DNS_TRANSACTION_STUB_LOOP] = "stub-loop",
ec2c5e43
LP		 3559};
3560DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
c3bc53e6
LP		 3561
3562static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
e3e64a1a
ZJS		 3563 [DNS_TRANSACTION_NETWORK] = "network",
3564 [DNS_TRANSACTION_CACHE] = "cache",
3565 [DNS_TRANSACTION_ZONE] = "zone",
0d2cd476 3566 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
c3bc53e6
LP		 3567};
3568DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.