]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tree-wide: use -EBADF for fd initialization
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
ec2c5e43 2
62cc1c55 3#include "sd-messages.h"
beef6a5f 4
ec2c5e43 5#include "af-list.h"
b5efdb8a 6#include "alloc-util.h"
f52e61da 7#include "dns-domain.h"
7cc6ed7b 8#include "errno-list.h"
c3fecddf 9#include "errno-util.h"
3ffd4af2 10#include "fd-util.h"
e2341b6b 11#include "glyph-util.h"
3ffd4af2 12#include "random-util.h"
7778dfff 13#include "resolved-dns-cache.h"
3ffd4af2 14#include "resolved-dns-transaction.h"
6016fcb0 15#include "resolved-dnstls.h"
aedf00a2 16#include "resolved-llmnr.h"
6016fcb0 17#include "string-table.h"
5d67a7ae 18
b214dc0f 19#define TRANSACTIONS_MAX 4096
dc349f5f 20#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
b214dc0f 21
dbc4661a
MCO		 22/* After how much time to repeat classic DNS requests */
23#define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
24
c61d2b44
LP		 25static void dns_transaction_reset_answer(DnsTransaction *t) {
26 assert(t);
27
28 t->received = dns_packet_unref(t->received);
29 t->answer = dns_answer_unref(t->answer);
30 t->answer_rcode = 0;
31 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
32 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
6f055e43 33 t->answer_query_flags = 0;
f5fbe71d 34 t->answer_nsec_ttl = UINT32_MAX;
7cc6ed7b 35 t->answer_errno = 0;
c61d2b44
LP		 36}
37
c5b4f861
LP		 38static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
39 DnsTransaction *z;
40
41 assert(t);
42
43 while ((z = set_steal_first(t->dnssec_transactions))) {
44 set_remove(z->notify_transactions, t);
35aa04e9 45 set_remove(z->notify_transactions_done, t);
c5b4f861
LP		 46 dns_transaction_gc(z);
47 }
48}
49
80710ade
LP		 50static void dns_transaction_close_connection(
51 DnsTransaction *t,
52 bool use_graveyard) { /* Set use_graveyard = false when you know the connection is already
53 * dead, for example because you got a connection error back from the
54 * kernel. In that case there's no point in keeping the fd around,
55 * hence don't. */
56 int r;
57
f32f0e57
LP		 58 assert(t);
59
b30bf55d
LP		 60 if (t->stream) {
61 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
98767d75
IT		 62 LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
63
64 /* Remove packet in case it's still in the queue */
65 dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
66
b30bf55d
LP		 67 t->stream = dns_stream_unref(t->stream);
68 }
69
97935302 70 t->dns_udp_event_source = sd_event_source_disable_unref(t->dns_udp_event_source);
80710ade
LP		 71
72 /* If we have an UDP socket where we sent a packet, but never received one, then add it to the socket
73 * graveyard, instead of closing it right away. That way it will stick around for a moment longer,
74 * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP
75 * port unreachable error message. */
76
77 if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) {
78 r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd);
79 if (r < 0)
80 log_debug_errno(r, "Failed to add UDP socket to graveyard, closing immediately: %m");
81 else
82 TAKE_FD(t->dns_udp_fd);
83 }
84
f32f0e57
LP		 85 t->dns_udp_fd = safe_close(t->dns_udp_fd);
86}
87
f535705a 88static void dns_transaction_stop_timeout(DnsTransaction *t) {
97cc656c
LP		 89 assert(t);
90
97935302 91 t->timeout_event_source = sd_event_source_disable_unref(t->timeout_event_source);
97cc656c
LP		 92}
93
ec2c5e43 94DnsTransaction* dns_transaction_free(DnsTransaction *t) {
801ad6a6 95 DnsQueryCandidate *c;
ec2c5e43 96 DnsZoneItem *i;
547973de 97 DnsTransaction *z;
ec2c5e43
LP		 98
99 if (!t)
100 return NULL;
101
51e399bc
LP		 102 log_debug("Freeing transaction %" PRIu16 ".", t->id);
103
80710ade 104 dns_transaction_close_connection(t, true);
f535705a 105 dns_transaction_stop_timeout(t);
ec2c5e43 106
ec2c5e43 107 dns_packet_unref(t->sent);
c61d2b44 108 dns_transaction_reset_answer(t);
ec2c5e43 109
8300ba21 110 dns_server_unref(t->server);
ec2c5e43
LP		 111
112 if (t->scope) {
775ae354
LP		 113 if (t->key) {
114 DnsTransaction *first;
115
116 first = hashmap_get(t->scope->transactions_by_key, t->key);
117 LIST_REMOVE(transactions_by_key, first, t);
118 if (first)
119 hashmap_replace(t->scope->transactions_by_key, first->key, first);
120 else
121 hashmap_remove(t->scope->transactions_by_key, t->key);
122 }
ec2c5e43 123
775ae354 124 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
ec2c5e43 125
013668db
LP		 126 if (t->id != 0)
127 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
128 }
775ae354 129
547973de 130 while ((c = set_steal_first(t->notify_query_candidates)))
801ad6a6 131 set_remove(c->transactions, t);
547973de 132 set_free(t->notify_query_candidates);
801ad6a6 133
35aa04e9
LP		 134 while ((c = set_steal_first(t->notify_query_candidates_done)))
135 set_remove(c->transactions, t);
136 set_free(t->notify_query_candidates_done);
137
547973de 138 while ((i = set_steal_first(t->notify_zone_items)))
ec2c5e43 139 i->probe_transaction = NULL;
547973de
LP		 140 set_free(t->notify_zone_items);
141
35aa04e9
LP		 142 while ((i = set_steal_first(t->notify_zone_items_done)))
143 i->probe_transaction = NULL;
144 set_free(t->notify_zone_items_done);
145
547973de
LP		 146 while ((z = set_steal_first(t->notify_transactions)))
147 set_remove(z->dnssec_transactions, t);
148 set_free(t->notify_transactions);
149
35aa04e9
LP		 150 while ((z = set_steal_first(t->notify_transactions_done)))
151 set_remove(z->dnssec_transactions, t);
152 set_free(t->notify_transactions_done);
153
c5b4f861 154 dns_transaction_flush_dnssec_transactions(t);
547973de
LP		 155 set_free(t->dnssec_transactions);
156
157 dns_answer_unref(t->validated_keys);
97cc656c 158 dns_resource_key_unref(t->key);
775ae354 159 dns_packet_unref(t->bypass);
97cc656c 160
6b430fdb 161 return mfree(t);
ec2c5e43
LP		 162}
163
164DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
165
1f388301 166DnsTransaction* dns_transaction_gc(DnsTransaction *t) {
ec2c5e43
LP		 167 assert(t);
168
1f388301
ZJS		 169 /* Returns !NULL if we can't gc yet. */
170
ec2c5e43 171 if (t->block_gc > 0)
1f388301 172 return t;
ec2c5e43 173
547973de 174 if (set_isempty(t->notify_query_candidates) &&
35aa04e9 175 set_isempty(t->notify_query_candidates_done) &&
547973de 176 set_isempty(t->notify_zone_items) &&
35aa04e9
LP		 177 set_isempty(t->notify_zone_items_done) &&
178 set_isempty(t->notify_transactions) &&
1f388301
ZJS		 179 set_isempty(t->notify_transactions_done))
180 return dns_transaction_free(t);
51e399bc 181
1f388301 182 return t;
ec2c5e43
LP		 183}
184
4dd15077
LP		 185static uint16_t pick_new_id(Manager *m) {
186 uint16_t new_id;
187
4ea8b443
ZJS		 188 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the
189 * number of transactions, and it's much lower than the space of IDs. */
4dd15077
LP		 190
191 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
192
193 do
194 random_bytes(&new_id, sizeof(new_id));
195 while (new_id == 0 ||
196 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
197
198 return new_id;
199}
200
775ae354
LP		 201static int key_ok(
202 DnsScope *scope,
203 DnsResourceKey *key) {
ec2c5e43 204
9eae2bf3 205 /* Don't allow looking up invalid or pseudo RRs */
c463eb78 206 if (!dns_type_is_valid_query(key->type))
9eae2bf3 207 return -EINVAL;
d0129ddb
LP		 208 if (dns_type_is_obsolete(key->type))
209 return -EOPNOTSUPP;
9eae2bf3
LP		 210
211 /* We only support the IN class */
4c701096 212 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
9eae2bf3
LP		 213 return -EOPNOTSUPP;
214
775ae354
LP		 215 /* Don't allows DNSSEC RRs to be looked up via LLMNR/mDNS. They don't really make sense
216 * there, and it speeds up our queries if we refuse this early */
217 if (scope->protocol != DNS_PROTOCOL_DNS &&
218 dns_type_is_dnssec(key->type))
219 return -EOPNOTSUPP;
220
221 return 0;
222}
223
224int dns_transaction_new(
225 DnsTransaction **ret,
226 DnsScope *s,
227 DnsResourceKey *key,
228 DnsPacket *bypass,
229 uint64_t query_flags) {
230
231 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
232 int r;
233
234 assert(ret);
235 assert(s);
236
237 if (key) {
238 assert(!bypass);
239
240 r = key_ok(s, key);
241 if (r < 0)
242 return r;
243 } else {
244 DnsResourceKey *qk;
245 assert(bypass);
246
247 r = dns_packet_validate_query(bypass);
248 if (r < 0)
249 return r;
250
251 DNS_QUESTION_FOREACH(qk, bypass->question) {
252 r = key_ok(s, qk);
253 if (r < 0)
254 return r;
255 }
256 }
257
b214dc0f
LP		 258 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
259 return -EBUSY;
260
d5099efc 261 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
ec2c5e43
LP		 262 if (r < 0)
263 return r;
264
775ae354
LP		 265 if (key) {
266 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
267 if (r < 0)
268 return r;
269 }
da0c630e 270
1ed31408 271 t = new(DnsTransaction, 1);
ec2c5e43
LP		 272 if (!t)
273 return -ENOMEM;
274
1ed31408 275 *t = (DnsTransaction) {
254d1313 276 .dns_udp_fd = -EBADF,
1ed31408
LP		 277 .answer_source = _DNS_TRANSACTION_SOURCE_INVALID,
278 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
f5fbe71d 279 .answer_nsec_ttl = UINT32_MAX,
1ed31408 280 .key = dns_resource_key_ref(key),
775ae354
LP		 281 .query_flags = query_flags,
282 .bypass = dns_packet_ref(bypass),
1ed31408 283 .current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed4e584
LP		 284 .clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID,
285 .clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed31408
LP		 286 .id = pick_new_id(s->manager),
287 };
ec2c5e43
LP		 288
289 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
290 if (r < 0) {
291 t->id = 0;
292 return r;
293 }
294
775ae354
LP		 295 if (t->key) {
296 DnsTransaction *first;
297
298 first = hashmap_get(s->transactions_by_key, t->key);
299 LIST_PREPEND(transactions_by_key, first, t);
300
301 r = hashmap_replace(s->transactions_by_key, first->key, first);
302 if (r < 0) {
303 LIST_REMOVE(transactions_by_key, first, t);
304 return r;
305 }
da0c630e
LP		 306 }
307
f9ebb22a 308 LIST_PREPEND(transactions_by_scope, s->transactions, t);
ec2c5e43
LP		 309 t->scope = s;
310
313cefa1 311 s->manager->n_transactions_total++;
a150ff5e 312
ec2c5e43
LP		 313 if (ret)
314 *ret = t;
315
775ae354 316 TAKE_PTR(t);
ec2c5e43
LP		 317 return 0;
318}
319
4dd15077
LP		 320static void dns_transaction_shuffle_id(DnsTransaction *t) {
321 uint16_t new_id;
322 assert(t);
323
324 /* Pick a new ID for this transaction. */
325
326 new_id = pick_new_id(t->scope->manager);
327 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
328
329 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
330 t->id = new_id;
331
332 /* Make sure we generate a new packet with the new ID */
333 t->sent = dns_packet_unref(t->sent);
334}
335
ec2c5e43 336static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
202b76ae 337 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43 338 DnsZoneItem *z;
ec2c5e43
LP		 339
340 assert(t);
341 assert(p);
94378145 342 assert(t->scope->protocol == DNS_PROTOCOL_LLMNR);
ec2c5e43 343
94378145 344 if (manager_packet_from_local_address(t->scope->manager, p) != 0)
ec2c5e43
LP		 345 return;
346
a5784c49
LP		 347 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
348 t->id,
42df9532 349 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 350 dns_protocol_to_string(t->scope->protocol),
6ff79f76 351 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 352 af_to_name_short(t->scope->family),
84dbb3fd 353 IN_ADDR_TO_STRING(p->family, &p->sender));
ec2c5e43 354
a4076574
LP		 355 /* RFC 4795, Section 4.1 says that the peer with the
356 * lexicographically smaller IP address loses */
4d91eec4
LP		 357 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
358 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
a4076574
LP		 359 return;
360 }
361
4d91eec4 362 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
a4076574 363
ec2c5e43 364 t->block_gc++;
35aa04e9 365
547973de 366 while ((z = set_first(t->notify_zone_items))) {
3ef64445
LP		 367 /* First, make sure the zone item drops the reference
368 * to us */
369 dns_zone_item_probe_stop(z);
370
371 /* Secondly, report this as conflict, so that we might
372 * look for a different hostname */
ec2c5e43 373 dns_zone_item_conflict(z);
3ef64445 374 }
ec2c5e43
LP		 375 t->block_gc--;
376
377 dns_transaction_gc(t);
378}
379
380void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
801ad6a6 381 DnsQueryCandidate *c;
ec2c5e43 382 DnsZoneItem *z;
547973de 383 DnsTransaction *d;
7cc6ed7b 384 const char *st;
202b76ae 385 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43
LP		 386
387 assert(t);
547973de 388 assert(!DNS_TRANSACTION_IS_LIVE(state));
e56187ca 389
202b76ae 390 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
42df9532 391 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
202b76ae 392
f61dfddb 393 log_struct(LOG_NOTICE,
2b044526 394 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
92663a5e
ZJS		 395 LOG_MESSAGE("DNSSEC validation failed for question %s: %s",
396 key_str, dnssec_result_to_string(t->answer_dnssec_result)),
f61dfddb 397 "DNS_TRANSACTION=%" PRIu16, t->id,
202b76ae 398 "DNS_QUESTION=%s", key_str,
f61dfddb 399 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
8aa5afd2 400 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
a1230ff9 401 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
202b76ae 402 }
f61dfddb 403
ec2c5e43
LP		 404 /* Note that this call might invalidate the query. Callers
405 * should hence not attempt to access the query or transaction
406 * after calling this function. */
407
7cc6ed7b
LP		 408 if (state == DNS_TRANSACTION_ERRNO)
409 st = errno_to_name(t->answer_errno);
410 else
411 st = dns_transaction_state_to_string(state);
412
43fc4baa 413 log_debug("%s transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s; %s).",
775ae354 414 t->bypass ? "Bypass" : "Regular",
a5784c49 415 t->id,
42df9532 416 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 417 dns_protocol_to_string(t->scope->protocol),
6ff79f76 418 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 419 af_to_name_short(t->scope->family),
7cc6ed7b 420 st,
a5784c49 421 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
775ae354 422 FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
43fc4baa
LP		 423 (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"),
424 FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential");
ec2c5e43
LP		 425
426 t->state = state;
427
80710ade 428 dns_transaction_close_connection(t, true);
f535705a 429 dns_transaction_stop_timeout(t);
ec2c5e43
LP		 430
431 /* Notify all queries that are interested, but make sure the
432 * transaction isn't freed while we are still looking at it */
433 t->block_gc++;
f7014757 434
35aa04e9 435 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
547973de 436 dns_query_candidate_notify(c);
35aa04e9 437 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
ec2c5e43 438
35aa04e9
LP		 439 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
440 dns_zone_item_notify(z);
441 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
8d67e72c 442 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
1a63fc54 443 (void) dns_scope_announce(t->scope, false);
f7014757 444
35aa04e9
LP		 445 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
446 dns_transaction_notify(d, t);
447 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
f7014757
LP		 448
449 t->block_gc--;
ec2c5e43
LP		 450 dns_transaction_gc(t);
451}
452
fd8a3017
LP		 453static void dns_transaction_complete_errno(DnsTransaction *t, int error) {
454 assert(t);
455 assert(error != 0);
456
457 t->answer_errno = abs(error);
458 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
459}
460
519ef046
LP		 461static int dns_transaction_pick_server(DnsTransaction *t) {
462 DnsServer *server;
463
464 assert(t);
465 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
466
d001e0a3
LP		 467 /* Pick a DNS server and a feature level for it. */
468
519ef046
LP		 469 server = dns_scope_get_dns_server(t->scope);
470 if (!server)
471 return -ESRCH;
472
d001e0a3
LP		 473 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
474 * different properties. */
1ed4e584
LP		 475 if (server != t->server) {
476 t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
477 t->clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID;
478 }
d001e0a3 479
274b8748 480 t->current_feature_level = dns_server_possible_feature_level(server);
519ef046 481
d001e0a3 482 /* Clamp the feature level if that is requested. */
1ed4e584
LP		 483 if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
484 t->current_feature_level > t->clamp_feature_level_servfail)
485 t->current_feature_level = t->clamp_feature_level_servfail;
486 if (t->clamp_feature_level_nxdomain != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
487 t->current_feature_level > t->clamp_feature_level_nxdomain)
488 t->current_feature_level = t->clamp_feature_level_nxdomain;
d001e0a3
LP		 489
490 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
491
519ef046
LP		 492 if (server == t->server)
493 return 0;
494
495 dns_server_unref(t->server);
496 t->server = dns_server_ref(server);
497
44db02d0
LP		 498 t->n_picked_servers ++;
499
8aa5afd2 500 log_debug("Using DNS server %s for transaction %u.", strna(dns_server_string_full(t->server)), t->id);
d001e0a3 501
519ef046
LP		 502 return 1;
503}
504
d001e0a3 505static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
8d10d620
LP		 506 int r;
507
508 assert(t);
509
7ef863a7
LP		 510 /* Retries the transaction as it is, possibly on a different server */
511
ca55fb88 512 if (next_server && t->scope->protocol == DNS_PROTOCOL_DNS)
7ef863a7
LP		 513 log_debug("Retrying transaction %" PRIu16 ", after switching servers.", t->id);
514 else
515 log_debug("Retrying transaction %" PRIu16 ".", t->id);
8d10d620
LP		 516
517 /* Before we try again, switch to a new server. */
d001e0a3 518 if (next_server)
5e8bc852 519 dns_scope_next_dns_server(t->scope, t->server);
8d10d620
LP		 520
521 r = dns_transaction_go(t);
fd8a3017
LP		 522 if (r < 0)
523 dns_transaction_complete_errno(t, r);
8d10d620
LP		 524}
525
9147b591
LP		 526static bool dns_transaction_limited_retry(DnsTransaction *t) {
527 assert(t);
528
529 /* If we haven't tried all different servers yet, let's try again with a different server */
530
531 if (t->n_picked_servers >= dns_scope_get_n_dns_servers(t->scope))
532 return false;
533
534 dns_transaction_retry(t, /* next_server= */ true);
535 return true;
536}
537
c02cf2f4 538static int dns_transaction_maybe_restart(DnsTransaction *t) {
5278bbfe
LP		 539 int r;
540
c02cf2f4
LP		 541 assert(t);
542
9147b591
LP		 543 /* Restarts the transaction, under a new ID if the feature level of the server changed since we first
544 * tried, without changing DNS server. Returns > 0 if the transaction was restarted, 0 if not. */
5278bbfe 545
c02cf2f4
LP		 546 if (!t->server)
547 return 0;
548
549 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
550 return 0;
551
552 /* The server's current feature level is lower than when we sent the original query. We learnt something from
553 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
554 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
555 OPT RR or DO bit. One of these cases is documented here, for example:
556 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
557
4dd15077
LP		 558 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
559 dns_transaction_shuffle_id(t);
5278bbfe
LP		 560
561 r = dns_transaction_go(t);
562 if (r < 0)
563 return r;
564
565 return 1;
c02cf2f4
LP		 566}
567
98767d75
IT		 568static void on_transaction_stream_error(DnsTransaction *t, int error) {
569 assert(t);
ec2c5e43 570
80710ade 571 dns_transaction_close_connection(t, true);
ec2c5e43 572
a1a3f73a 573 if (ERRNO_IS_DISCONNECT(error)) {
0791110f
LP		 574 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
575 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
576 * question on this scope. */
577 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
daab72ea 578 return;
0791110f
LP		 579 }
580
d001e0a3 581 dns_transaction_retry(t, true);
daab72ea 582 return;
ac720200 583 }
fd8a3017
LP		 584 if (error != 0)
585 dns_transaction_complete_errno(t, error);
98767d75
IT		 586}
587
43fc4baa
LP		 588static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsStream *s, DnsPacket *p) {
589 bool encrypted;
590
98767d75 591 assert(t);
43fc4baa 592 assert(s);
98767d75
IT		 593 assert(p);
594
43fc4baa
LP		 595 encrypted = s->encrypted;
596
80710ade 597 dns_transaction_close_connection(t, true);
ec2c5e43 598
a4076574 599 if (dns_packet_validate_reply(p) <= 0) {
a20b9592 600 log_debug("Invalid TCP reply packet.");
a4076574
LP		 601 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
602 return 0;
603 }
604
605 dns_scope_check_conflicts(t->scope, p);
606
ec2c5e43 607 t->block_gc++;
43fc4baa 608 dns_transaction_process_reply(t, p, encrypted);
ec2c5e43
LP		 609 t->block_gc--;
610
519ef046
LP		 611 /* If the response wasn't useful, then complete the transition
612 * now. After all, we are the worst feature set now with TCP
613 * sockets, and there's really no point in retrying. */
ec2c5e43
LP		 614 if (t->state == DNS_TRANSACTION_PENDING)
615 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
598f44bd
LP		 616 else
617 dns_transaction_gc(t);
ec2c5e43
LP		 618
619 return 0;
620}
621
98767d75 622static int on_stream_complete(DnsStream *s, int error) {
7172e4ee 623 assert(s);
98767d75
IT		 624
625 if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
98767d75
IT		 626 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
627
628 if (s->transactions) {
97d5d905
LP		 629 DnsTransaction *t;
630
98767d75 631 t = s->transactions;
3da3cdd5 632 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
98767d75
IT		 633 }
634 }
635
03677889 636 if (error != 0)
80a226b2 637 LIST_FOREACH(transactions_by_stream, t, s->transactions)
98767d75 638 on_transaction_stream_error(t, error);
98767d75 639
97d5d905 640 return 0;
98767d75
IT		 641}
642
624f907e 643static int on_stream_packet(DnsStream *s, DnsPacket *p) {
98767d75
IT		 644 DnsTransaction *t;
645
aa337a5e 646 assert(s);
624f907e
YW		 647 assert(s->manager);
648 assert(p);
98767d75
IT		 649
650 t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
b52eac20
LP		 651 if (t && t->stream == s) /* Validate that the stream we got this on actually is the stream the
652 * transaction was using. */
43fc4baa 653 return dns_transaction_on_stream_packet(t, s, p);
98767d75 654
8227cfa1 655 /* Ignore incorrect transaction id as an old transaction can have been canceled. */
30f9e0bf 656 log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
aa337a5e 657 return 0;
98767d75
IT		 658}
659
da9de738 660static uint16_t dns_transaction_port(DnsTransaction *t) {
775ae354
LP		 661 assert(t);
662
da9de738
YW		 663 if (t->server->port > 0)
664 return t->server->port;
775ae354 665
da9de738 666 return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
ec962fba
LP		 667}
668
98767d75 669static int dns_transaction_emit_tcp(DnsTransaction *t) {
e1158539 670 usec_t stream_timeout_usec = DNS_STREAM_DEFAULT_TIMEOUT_USEC;
98767d75 671 _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
254d1313 672 _cleanup_close_ int fd = -EBADF;
91ccab1e 673 union sockaddr_union sa;
652ba568 674 DnsStreamType type;
ec2c5e43
LP		 675 int r;
676
677 assert(t);
775ae354 678 assert(t->sent);
ec2c5e43 679
80710ade 680 dns_transaction_close_connection(t, true);
ec2c5e43 681
106784eb 682 switch (t->scope->protocol) {
519ef046 683
106784eb 684 case DNS_PROTOCOL_DNS:
519ef046
LP		 685 r = dns_transaction_pick_server(t);
686 if (r < 0)
687 return r;
688
49ef064c
LP		 689 if (manager_server_is_stub(t->scope->manager, t->server))
690 return -ELOOP;
691
775ae354
LP		 692 if (!t->bypass) {
693 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
694 return -EOPNOTSUPP;
91adc4db 695
775ae354
LP		 696 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
697 if (r < 0)
698 return r;
699 }
519ef046 700
5d67a7ae 701 if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
98767d75
IT		 702 s = dns_stream_ref(t->server->stream);
703 else
da9de738 704 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_transaction_port(t), &sa);
98767d75 705
e1158539
LP		 706 /* Lower timeout in DNS-over-TLS opportunistic mode. In environments where DoT is blocked
707 * without ICMP response overly long delays when contacting DoT servers are nasty, in
708 * particular if multiple DNS servers are defined which we try in turn and all are
709 * blocked. Hence, substantially lower the timeout in that case. */
710 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) &&
711 dns_server_get_dns_over_tls_mode(t->server) == DNS_OVER_TLS_OPPORTUNISTIC)
712 stream_timeout_usec = DNS_STREAM_OPPORTUNISTIC_TLS_TIMEOUT_USEC;
713
652ba568 714 type = DNS_STREAM_LOOKUP;
106784eb 715 break;
ec2c5e43 716
106784eb 717 case DNS_PROTOCOL_LLMNR:
a8f6397f 718 /* When we already received a reply to this (but it was truncated), send to its sender address */
ec2c5e43 719 if (t->received)
91ccab1e 720 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
ec2c5e43
LP		 721 else {
722 union in_addr_union address;
a7f7d1bd 723 int family = AF_UNSPEC;
ec2c5e43
LP		 724
725 /* Otherwise, try to talk to the owner of a
726 * the IP address, in case this is a reverse
727 * PTR lookup */
f52e61da 728
42df9532 729 r = dns_name_address(dns_resource_key_name(dns_transaction_key(t)), &family, &address);
ec2c5e43
LP		 730 if (r < 0)
731 return r;
732 if (r == 0)
733 return -EINVAL;
9e08a6e0 734 if (family != t->scope->family)
9318cdd3 735 return -ESRCH;
ec2c5e43 736
91ccab1e 737 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
ec2c5e43 738 }
106784eb 739
652ba568 740 type = DNS_STREAM_LLMNR_SEND;
106784eb
DM		 741 break;
742
743 default:
ec2c5e43 744 return -EAFNOSUPPORT;
106784eb 745 }
ec2c5e43 746
98767d75
IT		 747 if (!s) {
748 if (fd < 0)
749 return fd;
ec2c5e43 750
18230451
YW		 751 r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa,
752 on_stream_packet, on_stream_complete, stream_timeout_usec);
98767d75
IT		 753 if (r < 0)
754 return r;
755
254d1313 756 fd = -EBADF;
98767d75 757
56ddbf10 758#if ENABLE_DNS_OVER_TLS
199dda9c
LP		 759 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
760 DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
761
b02a7e1a 762 assert(t->server);
6016fcb0 763 r = dnstls_stream_connect_tls(s, t->server);
5d67a7ae
IT		 764 if (r < 0)
765 return r;
766 }
767#endif
768
19feb28f 769 if (t->server) {
904dcaf9 770 dns_server_unref_stream(t->server);
19feb28f 771 s->server = dns_server_ref(t->server);
8227cfa1 772 t->server->stream = dns_stream_ref(s);
19feb28f
IT		 773 }
774
98767d75
IT		 775 /* The interface index is difficult to determine if we are
776 * connecting to the local host, hence fill this in right away
777 * instead of determining it from the socket */
778 s->ifindex = dns_scope_ifindex(t->scope);
779 }
780
781 t->stream = TAKE_PTR(s);
782 LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
ec2c5e43
LP		 783
784 r = dns_stream_write_packet(t->stream, t->sent);
785 if (r < 0) {
80710ade 786 dns_transaction_close_connection(t, /* use_graveyard= */ false);
ec2c5e43
LP		 787 return r;
788 }
789
519ef046
LP		 790 dns_transaction_reset_answer(t);
791
cbe4216d
LP		 792 t->tried_stream = true;
793
ec2c5e43
LP		 794 return 0;
795}
796
547973de 797static void dns_transaction_cache_answer(DnsTransaction *t) {
547973de
LP		 798 assert(t);
799
800 /* For mDNS we cache whenever we get the packet, rather than
801 * in each transaction. */
802 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
803 return;
804
ceeddf79 805 /* Caching disabled? */
37d7a7d9 806 if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO)
ceeddf79
MP		 807 return;
808
775ae354
LP		 809 /* If validation is turned off for this transaction, but DNSSEC is on, then let's not cache this */
810 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) && t->scope->dnssec_mode != DNSSEC_NO)
811 return;
812
6d8325f6
PS		 813 /* Packet from localhost? */
814 if (!t->scope->manager->cache_from_localhost &&
815 in_addr_is_localhost(t->received->family, &t->received->sender) != 0)
547973de
LP		 816 return;
817
547973de 818 dns_cache_put(&t->scope->cache,
37d7a7d9 819 t->scope->manager->enable_cache,
a78049fc 820 t->scope->protocol,
42df9532 821 dns_transaction_key(t),
547973de
LP		 822 t->answer_rcode,
823 t->answer,
775ae354
LP		 824 DNS_PACKET_CD(t->received) ? t->received : NULL, /* only cache full packets with CD on,
825 * since our usecase for caching them
826 * is "bypass" mode which is only
827 * enabled for CD packets. */
6f055e43 828 t->answer_query_flags,
775ae354 829 t->answer_dnssec_result,
d3760be0 830 t->answer_nsec_ttl,
547973de
LP		 831 t->received->family,
832 &t->received->sender);
833}
834
105e1512
LP		 835static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
836 DnsTransaction *dt;
105e1512
LP		 837
838 assert(t);
839
90e74a66 840 SET_FOREACH(dt, t->dnssec_transactions)
105e1512
LP		 841 if (DNS_TRANSACTION_IS_LIVE(dt->state))
842 return true;
843
844 return false;
845}
846
942eb2e7
LP		 847static int dns_transaction_dnssec_ready(DnsTransaction *t) {
848 DnsTransaction *dt;
e30a62bf 849 int r;
942eb2e7
LP		 850
851 assert(t);
852
853 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
854 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
855
90e74a66 856 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 857
858 switch (dt->state) {
859
860 case DNS_TRANSACTION_NULL:
861 case DNS_TRANSACTION_PENDING:
862 case DNS_TRANSACTION_VALIDATING:
863 /* Still ongoing */
864 return 0;
865
866 case DNS_TRANSACTION_RCODE_FAILURE:
b3c6b00a 867 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
0d609349 868 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", FORMAT_DNS_RCODE(dt->answer_rcode));
942eb2e7
LP		 869 goto fail;
870 }
871
b3c6b00a 872 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
5238e957 873 * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
b3c6b00a
LP		 874 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
875 * RRs to make unsigned proofs. */
942eb2e7
LP		 876
877 case DNS_TRANSACTION_SUCCESS:
878 /* All good. */
879 break;
880
881 case DNS_TRANSACTION_DNSSEC_FAILED:
882 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
e30a62bf 883 * validation result */
942eb2e7
LP		 884
885 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
886 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
887 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
888 return 0;
889
942eb2e7
LP		 890 default:
891 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
892 goto fail;
893 }
894 }
895
896 /* All is ready, we can go and validate */
897 return 1;
898
899fail:
e30a62bf
LP		 900 /* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
901 * server due to this failure, and the feature level is now different? Let's see and restart the
902 * transaction if so. If not, let's propagate the auxiliary failure.
903 *
904 * This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
905 * are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
906 r = dns_transaction_maybe_restart(t);
907 if (r < 0)
908 return r;
909 if (r > 0)
910 return 0; /* don't validate just yet, we restarted things */
911
942eb2e7
LP		 912 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
913 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
914 return 0;
915}
916
547973de
LP		 917static void dns_transaction_process_dnssec(DnsTransaction *t) {
918 int r;
919
920 assert(t);
921
922 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
942eb2e7 923 r = dns_transaction_dnssec_ready(t);
7cc6ed7b
LP		 924 if (r < 0)
925 goto fail;
942eb2e7 926 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
547973de
LP		 927 return;
928
c02cf2f4
LP		 929 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
930 * restart the lookup immediately. */
931 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 932 if (r < 0)
933 goto fail;
c02cf2f4
LP		 934 if (r > 0) /* Transaction got restarted... */
935 return;
936
547973de
LP		 937 /* All our auxiliary DNSSEC transactions are complete now. Try
938 * to validate our RRset now. */
939 r = dns_transaction_validate_dnssec(t);
fcfaff12
LP		 940 if (r == -EBADMSG) {
941 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
942 return;
943 }
7cc6ed7b
LP		 944 if (r < 0)
945 goto fail;
547973de 946
b652d4a2
LP		 947 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
948 t->scope->dnssec_mode == DNSSEC_YES) {
e82b1132
LP		 949
950 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
951 * that works. */
952
9147b591 953 if (dns_transaction_limited_retry(t))
e82b1132 954 return;
e82b1132
LP		 955
956 /* OK, let's give up, apparently all servers we tried didn't work. */
b652d4a2
LP		 957 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
958 return;
959 }
960
019036a4 961 if (!IN_SET(t->answer_dnssec_result,
b652d4a2
LP		 962 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
963 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
964 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
965 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
547973de
LP		 966 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
967 return;
968 }
969
1e02e182
LP		 970 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
971 dns_server_warn_downgrade(t->server);
972
547973de
LP		 973 dns_transaction_cache_answer(t);
974
975 if (t->answer_rcode == DNS_RCODE_SUCCESS)
976 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
977 else
3bbdc31d 978 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
7cc6ed7b
LP		 979
980 return;
981
982fail:
fd8a3017 983 dns_transaction_complete_errno(t, r);
547973de
LP		 984}
985
eac7cda2
LP		 986static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
987 int r;
988
989 assert(t);
990
991 /* Checks whether the answer is positive, i.e. either a direct
992 * answer to the question, or a CNAME/DNAME for it */
993
42df9532 994 r = dns_answer_match_key(t->answer, dns_transaction_key(t), flags);
eac7cda2
LP		 995 if (r != 0)
996 return r;
997
42df9532 998 r = dns_answer_find_cname_or_dname(t->answer, dns_transaction_key(t), NULL, flags);
eac7cda2
LP		 999 if (r != 0)
1000 return r;
1001
1002 return false;
1003}
1004
1005static int dns_transaction_fix_rcode(DnsTransaction *t) {
1006 int r;
1007
1008 assert(t);
1009
1010 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
1011 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
1012 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
1013 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
1014 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
1015 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
1016 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
1017 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
1018 * incomplete CNAME/DNAME chain.
1019 *
1020 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
1021 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
1022 * lookup. */
1023
1024 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
1025 return 0;
1026
1027 r = dns_transaction_has_positive_answer(t, NULL);
1028 if (r <= 0)
1029 return r;
1030
1031 t->answer_rcode = DNS_RCODE_SUCCESS;
1032 return 0;
1033}
1034
43fc4baa 1035void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypted) {
acbf761b 1036 bool retry_with_tcp = false;
ec2c5e43
LP		 1037 int r;
1038
1039 assert(t);
1040 assert(p);
9df3ba6c
TG		 1041 assert(t->scope);
1042 assert(t->scope->manager);
ec2c5e43 1043
5a7e41a3
LP		 1044 if (t->state != DNS_TRANSACTION_PENDING)
1045 return;
1046
ec2c5e43
LP		 1047 /* Note that this call might invalidate the query. Callers
1048 * should hence not attempt to access the query or transaction
1049 * after calling this function. */
1050
f7155840
LP		 1051 log_debug("Processing incoming packet of size %zu on transaction %" PRIu16" (rcode=%s).",
1052 p->size,
0d609349 1053 t->id, FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
b5efcf29 1054
106784eb 1055 switch (t->scope->protocol) {
b5efcf29 1056
106784eb 1057 case DNS_PROTOCOL_LLMNR:
97ebebbc 1058 /* For LLMNR we will not accept any packets from other interfaces */
ec2c5e43 1059
97ebebbc 1060 if (p->ifindex != dns_scope_ifindex(t->scope))
ec2c5e43
LP		 1061 return;
1062
1063 if (p->family != t->scope->family)
1064 return;
1065
1066 /* Tentative packets are not full responses but still
1067 * useful for identifying uniqueness conflicts during
1068 * probing. */
8b757a38 1069 if (DNS_PACKET_LLMNR_T(p)) {
ec2c5e43
LP		 1070 dns_transaction_tentative(t, p);
1071 return;
1072 }
106784eb
DM		 1073
1074 break;
1075
4e5bf5e1 1076 case DNS_PROTOCOL_MDNS:
4e5bf5e1 1077 /* For mDNS we will not accept any packets from other interfaces */
97ebebbc
LP		 1078
1079 if (p->ifindex != dns_scope_ifindex(t->scope))
4e5bf5e1
DM		 1080 return;
1081
1082 if (p->family != t->scope->family)
1083 return;
1084
1085 break;
1086
106784eb 1087 case DNS_PROTOCOL_DNS:
8ad182a1
LP		 1088 /* Note that we do not need to verify the
1089 * addresses/port numbers of incoming traffic, as we
1090 * invoked connect() on our UDP socket in which case
1091 * the kernel already does the needed verification for
1092 * us. */
106784eb
DM		 1093 break;
1094
1095 default:
04499a70 1096 assert_not_reached();
ec2c5e43
LP		 1097 }
1098
899e3cda
ZJS		 1099 if (t->received != p)
1100 DNS_PACKET_REPLACE(t->received, dns_packet_ref(p));
ec2c5e43 1101
c3bc53e6
LP		 1102 t->answer_source = DNS_TRANSACTION_NETWORK;
1103
ec2c5e43
LP		 1104 if (p->ipproto == IPPROTO_TCP) {
1105 if (DNS_PACKET_TC(p)) {
1106 /* Truncated via TCP? Somebody must be fucking with us */
1107 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1108 return;
1109 }
1110
1111 if (DNS_PACKET_ID(p) != t->id) {
1112 /* Not the reply to our query? Somebody must be fucking with us */
1113 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1114 return;
1115 }
1116 }
1117
9df3ba6c 1118 switch (t->scope->protocol) {
8af5b883 1119
9df3ba6c
TG		 1120 case DNS_PROTOCOL_DNS:
1121 assert(t->server);
1122
775ae354
LP		 1123 if (!t->bypass &&
1124 IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
4e0b8b17 1125
8af5b883 1126 /* Request failed, immediately try again with reduced features */
4e0b8b17 1127
7d581a65 1128 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
44db02d0 1129
7d581a65 1130 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
44db02d0
LP		 1131 * this transaction anymore, but let's see if it might make sense to send the request
1132 * to a different DNS server instead. If not let's process the response, and accept the
7d581a65
LP		 1133 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
1134 * packet loss, but is not going to give us better rcodes should we actually have
1135 * managed to get them already at UDP level. */
1136
9147b591 1137 if (dns_transaction_limited_retry(t))
44db02d0 1138 return;
44db02d0
LP		 1139
1140 /* Give up, accept the rcode */
0d609349 1141 log_debug("Server returned error: %s", FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
d001e0a3
LP		 1142 break;
1143 }
1144
8a33aa19
SS		 1145 /* SERVFAIL can happen for many reasons and may be transient.
1146 * To avoid unnecessary downgrades retry once with the initial level.
1147 * Check for clamp_feature_level_servfail having an invalid value as a sign that this is the
1148 * first attempt to downgrade. If so, clamp to the current value so that the transaction
1149 * is retried without actually downgrading. If the next try also fails we will downgrade by
1150 * hitting the else branch below. */
1151 if (DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL &&
1152 t->clamp_feature_level_servfail < 0) {
1153 t->clamp_feature_level_servfail = t->current_feature_level;
1154 log_debug("Server returned error %s, retrying transaction.",
0d609349 1155 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
8a33aa19
SS		 1156 } else {
1157 /* Reduce this feature level by one and try again. */
1158 switch (t->current_feature_level) {
1159 case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1160 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
1161 break;
1162 case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1163 /* Skip plain TLS when TLS is not supported */
1164 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
1165 break;
1166 default:
1167 t->clamp_feature_level_servfail = t->current_feature_level - 1;
1168 }
1169
1170 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
0d609349 1171 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
8a33aa19 1172 dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
5d67a7ae 1173 }
d001e0a3 1174
d001e0a3 1175 dns_transaction_retry(t, false /* use the same server */);
4e0b8b17 1176 return;
eb08640a
LP		 1177 }
1178
1179 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
1180 /* This server refused our request? If so, try again, use a different server */
1181 log_debug("Server returned REFUSED, switching servers, and retrying.");
9147b591
LP		 1182
1183 if (dns_transaction_limited_retry(t))
1184 return;
1185
1186 break;
eb08640a
LP		 1187 }
1188
1189 if (DNS_PACKET_TC(p))
274b8748 1190 dns_server_packet_truncated(t->server, t->current_feature_level);
9df3ba6c
TG		 1191
1192 break;
8af5b883 1193
9df3ba6c
TG		 1194 case DNS_PROTOCOL_LLMNR:
1195 case DNS_PROTOCOL_MDNS:
5777c613 1196 dns_scope_packet_received(t->scope, p->timestamp - t->start_usec);
9df3ba6c 1197 break;
8af5b883 1198
9df3ba6c 1199 default:
04499a70 1200 assert_not_reached();
9df3ba6c
TG		 1201 }
1202
ec2c5e43 1203 if (DNS_PACKET_TC(p)) {
547493c5
DM		 1204
1205 /* Truncated packets for mDNS are not allowed. Give up immediately. */
1206 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
1207 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1208 return;
1209 }
1210
acbf761b 1211 /* Response was truncated, let's try again with good old TCP */
f757cd85 1212 log_debug("Reply truncated, retrying via TCP.");
acbf761b 1213 retry_with_tcp = true;
f757cd85 1214
acbf761b
LP		 1215 } else if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1216 DNS_PACKET_IS_FRAGMENTED(p)) {
1217
1218 /* Report the fragment size, so that we downgrade from LARGE to regular EDNS0 if needed */
1219 if (t->server)
1220 dns_server_packet_udp_fragmented(t->server, dns_packet_size_unfragmented(p));
1221
1222 if (t->current_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
1223 /* Packet was fragmented. Let's retry with TCP to avoid fragmentation attack
1224 * issues. (We don't do that on the lowest feature level however, since crappy DNS
1225 * servers often do not implement TCP, hence falling back to TCP on fragmentation is
1226 * counter-productive there.) */
1227
f7155840
LP		 1228 log_debug("Reply fragmented, retrying via TCP. (Largest fragment size: %zu; Datagram size: %zu)",
1229 p->fragsize, p->size);
acbf761b
LP		 1230 retry_with_tcp = true;
1231 }
1232 }
1233
1234 if (retry_with_tcp) {
98767d75 1235 r = dns_transaction_emit_tcp(t);
ec2c5e43
LP		 1236 if (r == -ESRCH) {
1237 /* No servers found? Damn! */
1238 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1239 return;
1240 }
91adc4db
LP		 1241 if (r == -EOPNOTSUPP) {
1242 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1243 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1244 return;
1245 }
ec2c5e43 1246 if (r < 0) {
8af5b883 1247 /* On LLMNR, if we cannot connect to the host,
ec2c5e43 1248 * we immediately give up */
7cc6ed7b
LP		 1249 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1250 goto fail;
ec2c5e43
LP		 1251
1252 /* On DNS, couldn't send? Try immediately again, with a new server */
9147b591
LP		 1253 if (dns_transaction_limited_retry(t))
1254 return;
1255
1256 /* No new server to try, give up */
1257 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
ec2c5e43 1258 }
2a6658ef
LP		 1259
1260 return;
ec2c5e43
LP		 1261 }
1262
de54e62b 1263 /* After the superficial checks, actually parse the message. */
ec2c5e43
LP		 1264 r = dns_packet_extract(p);
1265 if (r < 0) {
2c42a217
LP		 1266 if (t->server) {
1267 dns_server_packet_invalid(t->server, t->current_feature_level);
1268
1269 r = dns_transaction_maybe_restart(t);
1270 if (r < 0)
1271 goto fail;
1272 if (r > 0) /* Transaction got restarted... */
1273 return;
1274 }
1275
ec2c5e43
LP		 1276 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1277 return;
1278 }
1279
1ed4e584
LP		 1280 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1281 !t->bypass &&
1282 DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN &&
1283 p->opt && !DNS_PACKET_DO(p) &&
1284 DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(t->current_feature_level) &&
1285 DNS_SERVER_FEATURE_LEVEL_IS_UDP(t->current_feature_level) &&
1286 t->scope->dnssec_mode != DNSSEC_YES) {
1287
1288 /* Some captive portals are special in that the Aruba/Datavalet hardware will miss
1289 * replacing the packets with the local server IP to point to the authenticated side
1290 * of the network if EDNS0 is enabled. Instead they return NXDOMAIN, with DO bit set
1291 * to zero... nothing to see here, yet respond with the captive portal IP, when using
1292 * the more simple UDP level.
1293 *
1294 * Common portal names that fail like so are:
1295 * secure.datavalet.io
1296 * securelogin.arubanetworks.com
1297 * securelogin.networks.mycompany.com
1298 *
1299 * Thus retry NXDOMAIN RCODES with a lower feature level.
1300 *
1301 * Do not lower the server's tracked feature level, as the captive portal should not
1302 * be lying for the wider internet (e.g. _other_ queries were observed fine with
1303 * EDNS0 on these networks, post auth), i.e. let's just lower the level transaction's
1304 * feature level.
1305 *
1306 * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
1307 */
1308
1309 t->clamp_feature_level_nxdomain = DNS_SERVER_FEATURE_LEVEL_UDP;
1310
1311 log_debug("Server returned error %s in EDNS0 mode, retrying transaction with reduced feature level %s (DVE-2018-0001 mitigation)",
0d609349 1312 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1ed4e584
LP		 1313 dns_server_feature_level_to_string(t->clamp_feature_level_nxdomain));
1314
1315 dns_transaction_retry(t, false /* use the same server */);
1316 return;
1317 }
1318
ed9717fc 1319 if (t->server) {
d001e0a3
LP		 1320 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1321 * rcode and subsequently downgraded the protocol */
1322
1323 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1ed4e584
LP		 1324 t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1325 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
d001e0a3
LP		 1326
1327 /* Report that the OPT RR was missing */
ed9717fc
LP		 1328 if (!p->opt)
1329 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1330
d96275d8
LP		 1331 /* Report that the server didn't copy our query DO bit from request to response */
1332 if (DNS_PACKET_DO(t->sent) && !DNS_PACKET_DO(t->received))
1333 dns_server_packet_do_off(t->server, t->current_feature_level);
1334
acbf761b
LP		 1335 /* Report that we successfully received a packet. We keep track of the largest packet
1336 * size/fragment size we got. Which is useful for announcing the EDNS(0) packet size we can
1337 * receive to our server. */
1338 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, dns_packet_size_unfragmented(p));
ed9717fc 1339 }
de54e62b 1340
c02cf2f4
LP		 1341 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1342 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 1343 if (r < 0)
1344 goto fail;
c02cf2f4
LP		 1345 if (r > 0) /* Transaction got restarted... */
1346 return;
1347
8facd1ce
LP		 1348 /* When dealing with protocols other than mDNS only consider responses with equivalent query section
1349 * to the request. For mDNS this check doesn't make sense, because the section 6 of RFC6762 states
1350 * that "Multicast DNS responses MUST NOT contain any questions in the Question Section". */
1351 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
42df9532 1352 r = dns_packet_is_reply_for(p, dns_transaction_key(t));
8facd1ce
LP		 1353 if (r < 0)
1354 goto fail;
1355 if (r == 0) {
1356 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1357 return;
547493c5 1358 }
8facd1ce 1359 }
29815b6c 1360
775ae354
LP		 1361 /* Install the answer as answer to the transaction. We ref the answer twice here: the main `answer`
1362 * field is later replaced by the DNSSEC validated subset. The 'answer_auxiliary' field carries the
1363 * original complete record set, including RRSIG and friends. We use this when passing data to
1364 * clients that ask for DNSSEC metadata. */
1117a960 1365 DNS_ANSWER_REPLACE(t->answer, dns_answer_ref(p->answer));
8facd1ce
LP		 1366 t->answer_rcode = DNS_PACKET_RCODE(p);
1367 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
6f055e43 1368 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1369 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, encrypted);
79e24931 1370
8facd1ce
LP		 1371 r = dns_transaction_fix_rcode(t);
1372 if (r < 0)
1373 goto fail;
eac7cda2 1374
8facd1ce
LP		 1375 /* Block GC while starting requests for additional DNSSEC RRs */
1376 t->block_gc++;
1377 r = dns_transaction_request_dnssec_keys(t);
1378 t->block_gc--;
51e399bc 1379
8facd1ce
LP		 1380 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1381 if (!dns_transaction_gc(t))
1382 return;
51e399bc 1383
8facd1ce
LP		 1384 /* Requesting additional keys might have resulted in this transaction to fail, since the auxiliary
1385 * request failed for some reason. If so, we are not in pending state anymore, and we should exit
1386 * quickly. */
1387 if (t->state != DNS_TRANSACTION_PENDING)
1388 return;
1389 if (r < 0)
1390 goto fail;
1391 if (r > 0) {
1392 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1393 t->state = DNS_TRANSACTION_VALIDATING;
80710ade 1394 dns_transaction_close_connection(t, true);
8facd1ce
LP		 1395 dns_transaction_stop_timeout(t);
1396 return;
547493c5 1397 }
ec2c5e43 1398
547973de 1399 dns_transaction_process_dnssec(t);
7cc6ed7b
LP		 1400 return;
1401
1402fail:
fd8a3017 1403 dns_transaction_complete_errno(t, r);
ec2c5e43
LP		 1404}
1405
c19ffd9f
TG		 1406static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1407 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
99534007 1408 DnsTransaction *t = ASSERT_PTR(userdata);
c19ffd9f
TG		 1409 int r;
1410
c19ffd9f
TG		 1411 assert(t->scope);
1412
1413 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
95d2155a 1414 if (ERRNO_IS_DISCONNECT(r)) {
7e1851e3 1415 usec_t usec;
c19ffd9f 1416
f731fd5b
ZJS		 1417 /* UDP connection failures get reported via ICMP and then are possibly delivered to us on the
1418 * next recvmsg(). Treat this like a lost packet. */
7e1851e3 1419
92ec902a 1420 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
ba4e0427 1421 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &usec) >= 0);
3da3cdd5 1422 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
7e1851e3 1423
d68dbb37
LP		 1424 dns_transaction_close_connection(t, /* use_graveyard = */ false);
1425
9147b591
LP		 1426 if (dns_transaction_limited_retry(t)) /* Try a different server */
1427 return 0;
1428
1429 dns_transaction_complete_errno(t, r);
7e1851e3
LP		 1430 return 0;
1431 }
1432 if (r < 0) {
fd8a3017 1433 dns_transaction_complete_errno(t, r);
7e1851e3
LP		 1434 return 0;
1435 }
f731fd5b
ZJS		 1436 if (r == 0)
1437 /* Spurious wakeup without any data */
1438 return 0;
7e1851e3
LP		 1439
1440 r = dns_packet_validate_reply(p);
1441 if (r < 0) {
1442 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1443 return 0;
1444 }
1445 if (r == 0) {
e09f605e 1446 log_debug("Received inappropriate DNS packet as response, ignoring.");
7e1851e3
LP		 1447 return 0;
1448 }
1449
1450 if (DNS_PACKET_ID(p) != t->id) {
e09f605e 1451 log_debug("Received packet with incorrect transaction ID, ignoring.");
7e1851e3
LP		 1452 return 0;
1453 }
c19ffd9f 1454
43fc4baa 1455 dns_transaction_process_reply(t, p, false);
c19ffd9f
TG		 1456 return 0;
1457}
1458
49cce12d 1459static int dns_transaction_emit_udp(DnsTransaction *t) {
c19ffd9f
TG		 1460 int r;
1461
1462 assert(t);
c19ffd9f 1463
519ef046 1464 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
c19ffd9f 1465
519ef046 1466 r = dns_transaction_pick_server(t);
471d40d9
TG		 1467 if (r < 0)
1468 return r;
c19ffd9f 1469
49ef064c
LP		 1470 if (manager_server_is_stub(t->scope->manager, t->server))
1471 return -ELOOP;
1472
5d67a7ae 1473 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
7d581a65 1474 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
519ef046 1475
775ae354 1476 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
91adc4db
LP		 1477 return -EOPNOTSUPP;
1478
519ef046
LP		 1479 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1480 int fd;
1481
80710ade
LP		 1482 dns_transaction_close_connection(t, true);
1483
1484 /* Before we allocate a new UDP socket, let's process the graveyard a bit to free some fds */
1485 manager_socket_graveyard_process(t->scope->manager);
c19ffd9f 1486
da9de738 1487 fd = dns_scope_socket_udp(t->scope, t->server);
519ef046
LP		 1488 if (fd < 0)
1489 return fd;
1490
1491 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1492 if (r < 0) {
1493 safe_close(fd);
1494 return r;
1495 }
1496
aa4a9deb 1497 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
519ef046
LP		 1498 t->dns_udp_fd = fd;
1499 }
1500
775ae354
LP		 1501 if (!t->bypass) {
1502 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1503 if (r < 0)
1504 return r;
1505 }
519ef046 1506 } else
80710ade 1507 dns_transaction_close_connection(t, true);
519ef046 1508
d79677ab 1509 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->server ? t->server->family : AF_UNSPEC, t->sent);
471d40d9
TG		 1510 if (r < 0)
1511 return r;
c19ffd9f 1512
519ef046 1513 dns_transaction_reset_answer(t);
be808ea0 1514
471d40d9 1515 return 0;
c19ffd9f
TG		 1516}
1517
ec2c5e43 1518static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
99534007 1519 DnsTransaction *t = ASSERT_PTR(userdata);
ec2c5e43
LP		 1520
1521 assert(s);
ec2c5e43 1522
213cb4f7
LP		 1523 if (t->initial_jitter_scheduled && !t->initial_jitter_elapsed) {
1524 log_debug("Initial jitter phase for transaction %" PRIu16 " elapsed.", t->id);
1525 t->initial_jitter_elapsed = true;
1526 } else {
ef7ce6df
DM		 1527 /* Timeout reached? Increase the timeout for the server used */
1528 switch (t->scope->protocol) {
49cce12d 1529
ef7ce6df
DM		 1530 case DNS_PROTOCOL_DNS:
1531 assert(t->server);
3da3cdd5 1532 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
ef7ce6df 1533 break;
49cce12d 1534
ef7ce6df
DM		 1535 case DNS_PROTOCOL_LLMNR:
1536 case DNS_PROTOCOL_MDNS:
1537 dns_scope_packet_lost(t->scope, usec - t->start_usec);
ef7ce6df 1538 break;
49cce12d 1539
ef7ce6df 1540 default:
04499a70 1541 assert_not_reached();
ef7ce6df
DM		 1542 }
1543
213cb4f7 1544 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
be808ea0
TG		 1545 }
1546
213cb4f7
LP		 1547 dns_transaction_retry(t, /* next_server= */ true); /* try a different server, but given this means
1548 * packet loss, let's do so even if we already
1549 * tried a bunch */
ec2c5e43
LP		 1550 return 0;
1551}
1552
87b91644
YW		 1553static int dns_transaction_setup_timeout(
1554 DnsTransaction *t,
1555 usec_t timeout_usec /* relative */,
1556 usec_t next_usec /* CLOCK_BOOTTIME */) {
1557
1558 int r;
1559
1560 assert(t);
1561
1562 dns_transaction_stop_timeout(t);
1563
1564 r = sd_event_add_time_relative(
1565 t->scope->manager->event,
1566 &t->timeout_event_source,
1567 CLOCK_BOOTTIME,
1568 timeout_usec, 0,
1569 on_transaction_timeout, t);
1570 if (r < 0)
1571 return r;
1572
1573 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1574
1575 t->next_attempt_after = next_usec;
1576 t->state = DNS_TRANSACTION_PENDING;
1577 return 0;
1578}
1579
9df3ba6c
TG		 1580static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1581 assert(t);
1582 assert(t->scope);
1583
1584 switch (t->scope->protocol) {
49cce12d 1585
9df3ba6c 1586 case DNS_PROTOCOL_DNS:
dc349f5f
LP		 1587
1588 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1589 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1590 * needlessly. */
1591 if (t->stream)
1592 return TRANSACTION_TCP_TIMEOUT_USEC;
1593
dbc4661a 1594 return DNS_TIMEOUT_USEC;
49cce12d 1595
9df3ba6c 1596 case DNS_PROTOCOL_MDNS:
53fda2bb
DR		 1597 if (t->probing)
1598 return MDNS_PROBING_INTERVAL_USEC;
4b2ceb8a
YW		 1599
1600 /* See RFC 6762 Section 5.1 suggests that timeout should be a few seconds. */
1601 assert(t->n_attempts > 0);
1602 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
49cce12d 1603
11a27c2e 1604 case DNS_PROTOCOL_LLMNR:
9df3ba6c 1605 return t->scope->resend_timeout;
49cce12d 1606
9df3ba6c 1607 default:
04499a70 1608 assert_not_reached();
9df3ba6c
TG		 1609 }
1610}
1611
3f0a7b3a
LP		 1612static void dns_transaction_randomize_answer(DnsTransaction *t) {
1613 int r;
1614
1615 assert(t);
1616
1617 /* Randomizes the order of the answer array. This is done for all cached responses, so that we return
1618 * a different order each time. We do this only for DNS traffic, in order to do some minimal, crappy
1619 * load balancing. We don't do this for LLMNR or mDNS, since the order (preferring link-local
1620 * addresses, and such like) might have meaning there, and load balancing is pointless. */
1621
1622 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1623 return;
1624
1625 /* No point in randomizing, if there's just one RR */
1626 if (dns_answer_size(t->answer) <= 1)
1627 return;
1628
1629 r = dns_answer_reserve_or_clone(&t->answer, 0);
1630 if (r < 0) /* If this fails, just don't randomize, this is non-essential stuff after all */
1631 return (void) log_debug_errno(r, "Failed to clone answer record, not randomizing RR order of answer: %m");
1632
1633 dns_answer_randomize(t->answer);
1634}
1635
c842ff24 1636static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
ec2c5e43
LP		 1637 int r;
1638
1639 assert(t);
1640
4ea8b443
ZJS		 1641 /* Returns 0 if dns_transaction_complete() has been called. In that case the transaction and query
1642 * candidate objects may have been invalidated and must not be accessed. Returns 1 if the transaction
1643 * has been prepared. */
1644
f535705a 1645 dns_transaction_stop_timeout(t);
ec2c5e43 1646
86b112a3 1647 if (!dns_scope_network_good(t->scope)) {
edbcc1fd
LP		 1648 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1649 return 0;
1650 }
1651
c3dbb132 1652 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
e53b8cc5
ZJS		 1653 DnsTransactionState result;
1654
1655 if (t->scope->protocol == DNS_PROTOCOL_LLMNR)
1656 /* If we didn't find anything on LLMNR, it's not an error, but a failure to resolve
1657 * the name. */
1658 result = DNS_TRANSACTION_NOT_FOUND;
1659 else
1660 result = DNS_TRANSACTION_ATTEMPTS_MAX_REACHED;
1661
1662 dns_transaction_complete(t, result);
ec2c5e43
LP		 1663 return 0;
1664 }
1665
cbe4216d 1666 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
ec2c5e43
LP		 1667 /* If we already tried via a stream, then we don't
1668 * retry on LLMNR. See RFC 4795, Section 2.7. */
1669 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1670 return 0;
1671 }
1672
1673 t->n_attempts++;
9df3ba6c 1674 t->start_usec = ts;
c61d2b44
LP		 1675
1676 dns_transaction_reset_answer(t);
c5b4f861 1677 dns_transaction_flush_dnssec_transactions(t);
ec2c5e43 1678
0d2cd476 1679 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
775ae354
LP		 1680 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1681 !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_TRUST_ANCHOR)) {
42df9532 1682 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, dns_transaction_key(t), &t->answer);
0d2cd476
LP		 1683 if (r < 0)
1684 return r;
1685 if (r > 0) {
1686 t->answer_rcode = DNS_RCODE_SUCCESS;
1687 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
43fc4baa 1688 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
0d2cd476
LP		 1689 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1690 return 0;
1691 }
b2b796b8 1692
42df9532
LP		 1693 if (dns_name_is_root(dns_resource_key_name(dns_transaction_key(t))) &&
1694 dns_transaction_key(t)->type == DNS_TYPE_DS) {
b2b796b8 1695
775ae354
LP		 1696 /* Hmm, this is a request for the root DS? A DS RR doesn't exist in the root zone,
1697 * and if our trust anchor didn't know it either, this means we cannot do any DNSSEC
1698 * logic anymore. */
b2b796b8 1699
1ed8c0fb 1700 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
775ae354
LP		 1701 /* We are in downgrade mode. In this case, synthesize an unsigned empty
1702 * response, so that the any lookup depending on this one can continue
1703 * assuming there was no DS, and hence the root zone was unsigned. */
b2b796b8
LP		 1704
1705 t->answer_rcode = DNS_RCODE_SUCCESS;
1706 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
6f055e43 1707 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1708 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, true);
b2b796b8
LP		 1709 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1710 } else
775ae354
LP		 1711 /* If we are not in downgrade mode, then fail the lookup, because we cannot
1712 * reasonably answer it. There might be DS RRs, but we don't know them, and
1713 * the DNS server won't tell them to us (and even if it would, we couldn't
1714 * validate and trust them. */
b2b796b8
LP		 1715 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1716
1717 return 0;
1718 }
0d2cd476
LP		 1719 }
1720
775ae354
LP		 1721 /* Check the zone. */
1722 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_ZONE)) {
42df9532 1723 r = dns_zone_lookup(&t->scope->zone, dns_transaction_key(t), dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
d746bb3e
LP		 1724 if (r < 0)
1725 return r;
1726 if (r > 0) {
ae6a4bbf 1727 t->answer_rcode = DNS_RCODE_SUCCESS;
c3bc53e6 1728 t->answer_source = DNS_TRANSACTION_ZONE;
43fc4baa 1729 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
d746bb3e
LP		 1730 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1731 return 0;
1732 }
1733 }
1734
775ae354
LP		 1735 /* Check the cache. */
1736 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_CACHE)) {
2c27fbca 1737
775ae354
LP		 1738 /* Before trying the cache, let's make sure we figured out a server to use. Should this cause
1739 * a change of server this might flush the cache. */
5cdb8930 1740 (void) dns_scope_get_dns_server(t->scope);
2c27fbca 1741
4d926a69
LP		 1742 /* Let's then prune all outdated entries */
1743 dns_cache_prune(&t->scope->cache);
1744
775ae354
LP		 1745 r = dns_cache_lookup(
1746 &t->scope->cache,
1747 dns_transaction_key(t),
1748 t->query_flags,
1749 &t->answer_rcode,
1750 &t->answer,
1751 &t->received,
6f055e43 1752 &t->answer_query_flags,
775ae354 1753 &t->answer_dnssec_result);
4d926a69
LP		 1754 if (r < 0)
1755 return r;
1756 if (r > 0) {
3f0a7b3a
LP		 1757 dns_transaction_randomize_answer(t);
1758
775ae354
LP		 1759 if (t->bypass && t->scope->protocol == DNS_PROTOCOL_DNS && !t->received)
1760 /* When bypass mode is on, do not use cached data unless it came with a full
1761 * packet. */
1762 dns_transaction_reset_answer(t);
1763 else {
1764 t->answer_source = DNS_TRANSACTION_CACHE;
1765 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1766 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1767 else
1768 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1769 return 0;
1770 }
4d926a69 1771 }
ec2c5e43
LP		 1772 }
1773
775ae354
LP		 1774 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_NETWORK)) {
1775 dns_transaction_complete(t, DNS_TRANSACTION_NO_SOURCE);
1776 return 0;
1777 }
1778
1effe965
DM		 1779 return 1;
1780}
1781
325513bc
YW		 1782static int dns_packet_append_zone(DnsPacket *p, DnsTransaction *t, DnsResourceKey *k, unsigned *nscount) {
1783 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1784 bool tentative;
1785 int r;
1786
1787 assert(p);
1788 assert(t);
1789 assert(k);
1790
1791 if (k->type != DNS_TYPE_ANY)
1792 return 0;
1793
1794 r = dns_zone_lookup(&t->scope->zone, k, t->scope->link->ifindex, &answer, NULL, &tentative);
1795 if (r < 0)
1796 return r;
1797
1798 return dns_packet_append_answer(p, answer, nscount);
1799}
1800
0afa57e2 1801static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
0afa57e2 1802 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
0d5ee47d 1803 _cleanup_set_free_ Set *keys = NULL;
325513bc
YW		 1804 unsigned qdcount, ancount = 0 /* avoid false maybe-uninitialized warning */, nscount;
1805 bool add_known_answers = false;
0afa57e2
DM		 1806 usec_t ts;
1807 int r;
1808
1809 assert(t);
1810 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1811
e5abebab 1812 /* Discard any previously prepared packet, so we can start over and coalesce again */
0afa57e2
DM		 1813 t->sent = dns_packet_unref(t->sent);
1814
325513bc 1815 /* First, create a dummy packet to calculate packet size. */
0afa57e2
DM		 1816 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1817 if (r < 0)
1818 return r;
1819
42df9532 1820 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
0afa57e2
DM		 1821 if (r < 0)
1822 return r;
1823
1824 qdcount = 1;
1825
42df9532 1826 if (dns_key_is_shared(dns_transaction_key(t)))
7778dfff
DM		 1827 add_known_answers = true;
1828
325513bc
YW		 1829 r = dns_packet_append_zone(p, t, dns_transaction_key(t), NULL);
1830 if (r < 0)
1831 return r;
1832
1833 /* Save appended keys */
1834 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(t));
1835 if (r < 0)
1836 return r;
0d5ee47d 1837
0afa57e2
DM		 1838 /*
1839 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1840 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
5238e957 1841 * in our current scope, and see whether their timing constraints allow them to be sent.
0afa57e2
DM		 1842 */
1843
ba4e0427 1844 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
0afa57e2 1845
325513bc
YW		 1846 for (bool restart = true; restart;) {
1847 restart = false;
1848 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1849 size_t saved_packet_size;
1850 bool append = false;
0afa57e2 1851
325513bc
YW		 1852 /* Skip ourselves */
1853 if (other == t)
1854 continue;
0afa57e2 1855
325513bc
YW		 1856 if (other->state != DNS_TRANSACTION_PENDING)
1857 continue;
0afa57e2 1858
325513bc
YW		 1859 if (other->next_attempt_after > ts)
1860 continue;
0afa57e2 1861
325513bc
YW		 1862 if (!set_contains(keys, dns_transaction_key(other))) {
1863 r = dns_packet_append_key(p, dns_transaction_key(other), 0, &saved_packet_size);
1864 /* If we can't stuff more questions into the packet, just give up.
1865 * One of the 'other' transactions will fire later and take care of the rest. */
1866 if (r == -EMSGSIZE)
1867 break;
1868 if (r < 0)
1869 return r;
0afa57e2 1870
325513bc
YW		 1871 r = dns_packet_append_zone(p, t, dns_transaction_key(other), NULL);
1872 if (r == -EMSGSIZE)
1873 break;
1874 if (r < 0)
1875 return r;
0afa57e2 1876
325513bc
YW		 1877 append = true;
1878 }
0afa57e2 1879
325513bc
YW		 1880 r = dns_transaction_prepare(other, ts);
1881 if (r < 0)
1882 return r;
1883 if (r == 0) {
1884 if (append)
1885 dns_packet_truncate(p, saved_packet_size);
0afa57e2 1886
325513bc
YW		 1887 /* In this case, not only this transaction, but multiple transactions may be
1888 * freed. Hence, we need to restart the loop. */
1889 restart = true;
1890 break;
1891 }
aa4a9deb 1892
325513bc
YW		 1893 usec_t timeout = transaction_get_resend_timeout(other);
1894 r = dns_transaction_setup_timeout(other, timeout, usec_add(ts, timeout));
1895 if (r < 0)
1896 return r;
0afa57e2 1897
325513bc
YW		 1898 if (dns_key_is_shared(dns_transaction_key(other)))
1899 add_known_answers = true;
7778dfff 1900
325513bc
YW		 1901 if (append) {
1902 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(other));
1903 if (r < 0)
1904 return r;
1905 }
0d5ee47d 1906
325513bc
YW		 1907 qdcount++;
1908 if (qdcount >= UINT16_MAX)
1909 break;
0d5ee47d 1910 }
0afa57e2
DM		 1911 }
1912
7778dfff
DM		 1913 /* Append known answer section if we're asking for any shared record */
1914 if (add_known_answers) {
325513bc 1915 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, 0);
7778dfff
DM		 1916 if (r < 0)
1917 return r;
325513bc
YW		 1918
1919 ancount = be16toh(DNS_PACKET_HEADER(p)->ancount);
7778dfff
DM		 1920 }
1921
5162b2a1 1922 /* Then, create actual packet. */
325513bc
YW		 1923 p = dns_packet_unref(p);
1924 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1925 if (r < 0)
1926 return r;
1927
1928 /* Questions */
1929 DnsResourceKey *k;
1930 SET_FOREACH(k, keys) {
1931 r = dns_packet_append_key(p, k, 0, NULL);
1932 if (r < 0)
1933 return r;
1934 }
1935 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
0d5ee47d 1936
325513bc
YW		 1937 /* Known answers */
1938 if (add_known_answers) {
1939 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, ancount);
0d5ee47d
DR		 1940 if (r < 0)
1941 return r;
325513bc 1942 }
0d5ee47d 1943
325513bc
YW		 1944 /* Authorities */
1945 nscount = 0;
1946 SET_FOREACH(k, keys) {
1947 r = dns_packet_append_zone(p, t, k, &nscount);
0d5ee47d
DR		 1948 if (r < 0)
1949 return r;
0d5ee47d
DR		 1950 }
1951 DNS_PACKET_HEADER(p)->nscount = htobe16(nscount);
1952
1cc6c93a 1953 t->sent = TAKE_PTR(p);
0afa57e2
DM		 1954 return 0;
1955}
1956
1957static int dns_transaction_make_packet(DnsTransaction *t) {
1958 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1959 int r;
1960
1961 assert(t);
1962
1963 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1964 return dns_transaction_make_packet_mdns(t);
1965
1966 if (t->sent)
1967 return 0;
1968
775ae354
LP		 1969 if (t->bypass && t->bypass->protocol == t->scope->protocol) {
1970 /* If bypass logic is enabled and the protocol if the original packet and our scope match,
1971 * take the original packet, copy it, and patch in our new ID */
1972 r = dns_packet_dup(&p, t->bypass);
1973 if (r < 0)
1974 return r;
1975 } else {
1976 r = dns_packet_new_query(
1977 &p, t->scope->protocol,
1978 /* min_alloc_dsize = */ 0,
1979 /* dnssec_cd = */ !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) &&
1980 t->scope->dnssec_mode != DNSSEC_NO);
1981 if (r < 0)
1982 return r;
0afa57e2 1983
775ae354
LP		 1984 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1985 if (r < 0)
1986 return r;
1987
1988 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1989 }
0afa57e2 1990
0afa57e2
DM		 1991 DNS_PACKET_HEADER(p)->id = t->id;
1992
1cc6c93a 1993 t->sent = TAKE_PTR(p);
0afa57e2
DM		 1994 return 0;
1995}
1996
1effe965
DM		 1997int dns_transaction_go(DnsTransaction *t) {
1998 usec_t ts;
1999 int r;
202b76ae 2000 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1effe965
DM		 2001
2002 assert(t);
2003
4ea8b443
ZJS		 2004 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has
2005 * finished now. In the latter case, the transaction and query candidate objects must not be accessed.
2006 */
5278bbfe 2007
ba4e0427 2008 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
547973de 2009
c842ff24 2010 r = dns_transaction_prepare(t, ts);
1effe965
DM		 2011 if (r <= 0)
2012 return r;
2013
213cb4f7
LP		 2014 log_debug("Firing %s transaction %" PRIu16 " for <%s> scope %s on %s/%s (validate=%s).",
2015 t->bypass ? "bypass" : "regular",
a5784c49 2016 t->id,
42df9532 2017 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
a5784c49 2018 dns_protocol_to_string(t->scope->protocol),
6ff79f76 2019 t->scope->link ? t->scope->link->ifname : "*",
775ae354
LP		 2020 af_to_name_short(t->scope->family),
2021 yes_no(!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE)));
1effe965 2022
ef7ce6df 2023 if (!t->initial_jitter_scheduled &&
3742095b 2024 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
765647ba 2025 usec_t jitter;
6e068472 2026
765647ba
YW		 2027 /* RFC 4795 Section 2.7 suggests all LLMNR queries should be delayed by a random time from 0 to
2028 * JITTER_INTERVAL.
2029 * RFC 6762 Section 8.1 suggests initial probe queries should be delayed by a random time from
2030 * 0 to 250ms. */
6e068472 2031
ef7ce6df 2032 t->initial_jitter_scheduled = true;
87b91644 2033 t->n_attempts = 0;
6e068472 2034
ea12bcc7 2035 switch (t->scope->protocol) {
519ef046 2036
ea12bcc7 2037 case DNS_PROTOCOL_LLMNR:
9ee18bf4 2038 jitter = random_u64_range(LLMNR_JITTER_INTERVAL_USEC);
ea12bcc7 2039 break;
519ef046 2040
ea12bcc7 2041 case DNS_PROTOCOL_MDNS:
765647ba
YW		 2042 if (t->probing)
2043 jitter = random_u64_range(MDNS_PROBING_INTERVAL_USEC);
2044 else
2045 jitter = 0;
ea12bcc7
DM		 2046 break;
2047 default:
04499a70 2048 assert_not_reached();
ea12bcc7 2049 }
6e068472 2050
87b91644 2051 r = dns_transaction_setup_timeout(t, jitter, ts);
6e068472
LP		 2052 if (r < 0)
2053 return r;
2054
2f9c3b2a
LP		 2055 log_debug("Delaying %s transaction %" PRIu16 " for " USEC_FMT "us.",
2056 dns_protocol_to_string(t->scope->protocol),
2057 t->id,
2058 jitter);
4ea8b443 2059 return 1;
6e068472
LP		 2060 }
2061
ec2c5e43
LP		 2062 /* Otherwise, we need to ask the network */
2063 r = dns_transaction_make_packet(t);
ec2c5e43
LP		 2064 if (r < 0)
2065 return r;
2066
2067 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
42df9532
LP		 2068 (dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "in-addr.arpa") > 0 ||
2069 dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "ip6.arpa") > 0)) {
ec2c5e43
LP		 2070
2071 /* RFC 4795, Section 2.4. says reverse lookups shall
2072 * always be made via TCP on LLMNR */
98767d75 2073 r = dns_transaction_emit_tcp(t);
ec2c5e43 2074 } else {
be808ea0
TG		 2075 /* Try via UDP, and if that fails due to large size or lack of
2076 * support try via TCP */
49cce12d 2077 r = dns_transaction_emit_udp(t);
29ab0552
LP		 2078 if (r == -EMSGSIZE)
2079 log_debug("Sending query via TCP since it is too large.");
dc349f5f 2080 else if (r == -EAGAIN)
6c0bacc1 2081 log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
4c701096 2082 if (IN_SET(r, -EMSGSIZE, -EAGAIN))
98767d75 2083 r = dns_transaction_emit_tcp(t);
ec2c5e43 2084 }
49ef064c
LP		 2085 if (r == -ELOOP) {
2086 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2087 return r;
2088
2089 /* One of our own stub listeners */
2090 log_debug_errno(r, "Detected that specified DNS server is our own extra listener, switching DNS servers.");
2091
5e8bc852 2092 dns_scope_next_dns_server(t->scope, t->server);
49ef064c
LP		 2093
2094 if (dns_scope_get_dns_server(t->scope) == t->server) {
2095 log_debug_errno(r, "Still pointing to extra listener after switching DNS servers, refusing operation.");
2096 dns_transaction_complete(t, DNS_TRANSACTION_STUB_LOOP);
2097 return 0;
2098 }
be808ea0 2099
49ef064c
LP		 2100 return dns_transaction_go(t);
2101 }
ec2c5e43
LP		 2102 if (r == -ESRCH) {
2103 /* No servers to send this to? */
2104 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
2105 return 0;
91adc4db
LP		 2106 }
2107 if (r == -EOPNOTSUPP) {
2108 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
2109 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
2110 return 0;
2111 }
95d2155a 2112 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_DISCONNECT(r)) {
e94968ba 2113 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
0791110f
LP		 2114 * answer this request with this protocol. */
2115 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
2116 return 0;
2117 }
91adc4db 2118 if (r < 0) {
7cc6ed7b
LP		 2119 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2120 return r;
13b551ac 2121
ec2c5e43 2122 /* Couldn't send? Try immediately again, with a new server */
5e8bc852 2123 dns_scope_next_dns_server(t->scope, t->server);
ec2c5e43
LP		 2124
2125 return dns_transaction_go(t);
2126 }
2127
87b91644
YW		 2128 usec_t timeout = transaction_get_resend_timeout(t);
2129 r = dns_transaction_setup_timeout(t, timeout, usec_add(ts, timeout));
ec2c5e43
LP		 2130 if (r < 0)
2131 return r;
2132
ec2c5e43
LP		 2133 return 1;
2134}
2135
f2992dc1
LP		 2136static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
2137 DnsTransaction *n;
f2992dc1
LP		 2138 int r;
2139
2140 assert(t);
2141 assert(aux);
2142
2143 /* Try to find cyclic dependencies between transaction objects */
2144
2145 if (t == aux)
2146 return 1;
2147
90e74a66 2148 SET_FOREACH(n, aux->dnssec_transactions) {
f2992dc1
LP		 2149 r = dns_transaction_find_cyclic(t, n);
2150 if (r != 0)
2151 return r;
2152 }
2153
3eb6aa00 2154 return 0;
f2992dc1
LP		 2155}
2156
547973de 2157static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
29bd6012 2158 _cleanup_(dns_transaction_gcp) DnsTransaction *aux = NULL;
547973de
LP		 2159 int r;
2160
2161 assert(t);
2162 assert(ret);
2163 assert(key);
2164
775ae354 2165 aux = dns_scope_find_transaction(t->scope, key, t->query_flags);
547973de 2166 if (!aux) {
775ae354 2167 r = dns_transaction_new(&aux, t->scope, key, NULL, t->query_flags);
547973de
LP		 2168 if (r < 0)
2169 return r;
2170 } else {
2171 if (set_contains(t->dnssec_transactions, aux)) {
2172 *ret = aux;
2173 return 0;
2174 }
f2992dc1
LP		 2175
2176 r = dns_transaction_find_cyclic(t, aux);
2177 if (r < 0)
2178 return r;
2179 if (r > 0) {
202b76ae
ZJS		 2180 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
2181
baaa35ad
ZJS		 2182 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
2183 "Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
2184 aux->id,
42df9532 2185 dns_resource_key_to_string(dns_transaction_key(t), s, sizeof s),
baaa35ad 2186 t->id,
42df9532 2187 dns_resource_key_to_string(dns_transaction_key(aux), saux, sizeof saux));
f2992dc1 2188 }
547973de
LP		 2189 }
2190
35aa04e9
LP		 2191 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
2192 if (r < 0)
29bd6012 2193 return r;
547973de 2194
de7fef4b 2195 r = set_ensure_put(&t->dnssec_transactions, NULL, aux);
547973de 2196 if (r < 0)
a75cb4e2 2197 return r;
547973de 2198
de7fef4b 2199 r = set_ensure_put(&aux->notify_transactions, NULL, t);
547973de
LP		 2200 if (r < 0) {
2201 (void) set_remove(t->dnssec_transactions, aux);
29bd6012 2202 return r;
547973de
LP		 2203 }
2204
29bd6012 2205 *ret = TAKE_PTR(aux);
547973de 2206 return 1;
547973de
LP		 2207}
2208
2209static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
2210 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
2211 DnsTransaction *aux;
2212 int r;
2213
2214 assert(t);
2215 assert(key);
2216
2217 /* Try to get the data from the trust anchor */
8e54f5d9 2218 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
547973de
LP		 2219 if (r < 0)
2220 return r;
2221 if (r > 0) {
2222 r = dns_answer_extend(&t->validated_keys, a);
2223 if (r < 0)
2224 return r;
2225
2226 return 0;
2227 }
2228
2229 /* This didn't work, ask for it via the network/cache then. */
2230 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
f2992dc1
LP		 2231 if (r == -ELOOP) /* This would result in a cyclic dependency */
2232 return 0;
547973de
LP		 2233 if (r < 0)
2234 return r;
2235
2236 if (aux->state == DNS_TRANSACTION_NULL) {
2237 r = dns_transaction_go(aux);
2238 if (r < 0)
2239 return r;
2240 }
2241
f2992dc1 2242 return 1;
547973de
LP		 2243}
2244
8a516214
LP		 2245static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
2246 int r;
2247
2248 assert(t);
2249
c629ff58 2250 /* Check whether the specified name is in the NTA
8a516214
LP		 2251 * database, either in the global one, or the link-local
2252 * one. */
2253
2254 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
2255 if (r != 0)
2256 return r;
2257
2258 if (!t->scope->link)
2259 return 0;
2260
7e8a93b7 2261 return link_negative_trust_anchor_lookup(t->scope->link, name);
8a516214
LP		 2262}
2263
26b23d11 2264static int dns_transaction_has_negative_answer(DnsTransaction *t) {
105e1512
LP		 2265 int r;
2266
2267 assert(t);
2268
2269 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
2270 * RRs to prove it */
2271
2272 r = dns_transaction_has_positive_answer(t, NULL);
2273 if (r < 0)
2274 return r;
2275 if (r > 0)
2276 return false;
2277
8e54f5d9
LP		 2278 /* Is this key explicitly listed as a negative trust anchor?
2279 * If so, it's nothing we need to care about */
42df9532 2280 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2281 if (r < 0)
2282 return r;
26b23d11 2283 return !r;
105e1512
LP		 2284}
2285
2286static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
2287 int r;
2288
2289 assert(t);
2290 assert(rr);
2291
2292 /* Check if the specified RR is the "primary" response,
2293 * i.e. either matches the question precisely or is a
4cb94977 2294 * CNAME/DNAME for it. */
105e1512 2295
42df9532 2296 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2297 if (r != 0)
2298 return r;
2299
42df9532 2300 return dns_resource_key_match_cname_or_dname(dns_transaction_key(t), rr->key, NULL);
105e1512
LP		 2301}
2302
92ec902a
LP		 2303static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
2304 assert(t);
2305
2306 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
2307 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
2308
2309 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2310 return false;
2311
2312 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
2313 * be supported, hence return true. */
2314 if (!t->server)
2315 return true;
2316
d001e0a3
LP		 2317 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
2318 * the server is known to support currently, as the transaction feature level might be lower than what the
2319 * server actually supports, since we might have downgraded this transaction's feature level because we got a
2320 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
92ec902a
LP		 2321
2322 return dns_server_dnssec_supported(t->server);
2323}
2324
2325static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
2326 DnsTransaction *dt;
92ec902a
LP		 2327
2328 assert(t);
2329
2330 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
2331
2332 if (!dns_transaction_dnssec_supported(t))
2333 return false;
2334
90e74a66 2335 SET_FOREACH(dt, t->dnssec_transactions)
92ec902a
LP		 2336 if (!dns_transaction_dnssec_supported(dt))
2337 return false;
2338
2339 return true;
2340}
2341
547973de
LP		 2342int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
2343 DnsResourceRecord *rr;
105e1512 2344
547973de
LP		 2345 int r;
2346
2347 assert(t);
2348
105e1512
LP		 2349 /*
2350 * Retrieve all auxiliary RRs for the answer we got, so that
2351 * we can verify signatures or prove that RRs are rightfully
2352 * unsigned. Specifically:
2353 *
2354 * - For RRSIG we get the matching DNSKEY
2355 * - For DNSKEY we get the matching DS
2356 * - For unsigned SOA/NS we get the matching DS
b63fca62 2357 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
105e1512 2358 * - For other unsigned RRs we get the matching SOA RR
4bbc06cc
LP		 2359 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
2360 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
105e1512
LP		 2361 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
2362 */
2363
775ae354 2364 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
547973de 2365 return 0;
92ec902a
LP		 2366 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2367 return 0; /* We only need to validate stuff from the network */
2368 if (!dns_transaction_dnssec_supported(t))
5238e957 2369 return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
b652d4a2 2370
547973de
LP		 2371 DNS_ANSWER_FOREACH(rr, t->answer) {
2372
105e1512
LP		 2373 if (dns_type_is_pseudo(rr->key->type))
2374 continue;
2375
8e54f5d9 2376 /* If this RR is in the negative trust anchor, we don't need to validate it. */
1c02e7ba 2377 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2378 if (r < 0)
2379 return r;
2380 if (r > 0)
2381 continue;
2382
547973de
LP		 2383 switch (rr->key->type) {
2384
2385 case DNS_TYPE_RRSIG: {
2386 /* For each RRSIG we request the matching DNSKEY */
2387 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
2388
2389 /* If this RRSIG is about a DNSKEY RR and the
2390 * signer is the same as the owner, then we
2391 * already have the DNSKEY, and we don't have
2392 * to look for more. */
2393 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
1c02e7ba 2394 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
547973de
LP		 2395 if (r < 0)
2396 return r;
2397 if (r > 0)
2398 continue;
2399 }
2400
105e1512
LP		 2401 /* If the signer is not a parent of our
2402 * original query, then this is about an
2403 * auxiliary RRset, but not anything we asked
2404 * for. In this case we aren't interested,
2405 * because we don't want to request additional
2406 * RRs for stuff we didn't really ask for, and
2407 * also to avoid request loops, where
2408 * additional RRs from one transaction result
5238e957 2409 * in another transaction whose additional RRs
105e1512
LP		 2410 * point back to the original transaction, and
2411 * we deadlock. */
42df9532 2412 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), rr->rrsig.signer);
547973de
LP		 2413 if (r < 0)
2414 return r;
2415 if (r == 0)
2416 continue;
2417
2418 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2419 if (!dnskey)
2420 return -ENOMEM;
2421
1c02e7ba
ZJS		 2422 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2423 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
547973de
LP		 2424 r = dns_transaction_request_dnssec_rr(t, dnskey);
2425 if (r < 0)
2426 return r;
2427 break;
2428 }
2429
2430 case DNS_TYPE_DNSKEY: {
2431 /* For each DNSKEY we request the matching DS */
2432 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2433
105e1512
LP		 2434 /* If the DNSKEY we are looking at is not for
2435 * zone we are interested in, nor any of its
2436 * parents, we aren't interested, and don't
2437 * request it. After all, we don't want to end
2438 * up in request loops, and want to keep
2439 * additional traffic down. */
2440
42df9532 2441 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
105e1512
LP		 2442 if (r < 0)
2443 return r;
2444 if (r == 0)
2445 continue;
2446
1c02e7ba 2447 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
547973de
LP		 2448 if (!ds)
2449 return -ENOMEM;
2450
1c02e7ba
ZJS		 2451 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2452 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
105e1512
LP		 2453 r = dns_transaction_request_dnssec_rr(t, ds);
2454 if (r < 0)
2455 return r;
547973de 2456
105e1512
LP		 2457 break;
2458 }
2459
105e1512
LP		 2460 case DNS_TYPE_SOA:
2461 case DNS_TYPE_NS: {
2462 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2463
2464 /* For an unsigned SOA or NS, try to acquire
2465 * the matching DS RR, as we are at a zone cut
2466 * then, and whether a DS exists tells us
2467 * whether the zone is signed. Do so only if
2468 * this RR matches our original question,
2469 * however. */
2470
42df9532 2471 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2472 if (r < 0)
2473 return r;
6993d264
LP		 2474 if (r == 0) {
2475 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
d51c4fca 2476 * a negative reply, and we need the SOA RR's TTL in order to cache a negative entry?
6993d264
LP		 2477 * If so, we need to validate it, too. */
2478
42df9532 2479 r = dns_answer_match_key(t->answer, dns_transaction_key(t), NULL);
6993d264
LP		 2480 if (r < 0)
2481 return r;
2482 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2483 * it. */
2484 continue;
d5acaa51
LP		 2485
2486 /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
2487 * what we are looking for, otherwise there's no value in it for us. */
42df9532 2488 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
d5acaa51
LP		 2489 if (r < 0)
2490 return r;
2491 if (r == 0)
2492 continue;
6993d264 2493 }
105e1512
LP		 2494
2495 r = dnssec_has_rrsig(t->answer, rr->key);
2496 if (r < 0)
2497 return r;
2498 if (r > 0)
2499 continue;
2500
1c02e7ba 2501 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
105e1512
LP		 2502 if (!ds)
2503 return -ENOMEM;
2504
1c02e7ba
ZJS		 2505 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2506 t->id, dns_resource_key_name(rr->key));
547973de
LP		 2507 r = dns_transaction_request_dnssec_rr(t, ds);
2508 if (r < 0)
2509 return r;
2510
2511 break;
105e1512
LP		 2512 }
2513
b63fca62 2514 case DNS_TYPE_DS:
105e1512
LP		 2515 case DNS_TYPE_CNAME:
2516 case DNS_TYPE_DNAME: {
2517 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2518 const char *name;
2519
2520 /* CNAMEs and DNAMEs cannot be located at a
2521 * zone apex, hence ask for the parent SOA for
2522 * unsigned CNAME/DNAME RRs, maybe that's the
2523 * apex. But do all that only if this is
2524 * actually a response to our original
b63fca62
LP		 2525 * question.
2526 *
2527 * Similar for DS RRs, which are signed when
2528 * the parent SOA is signed. */
105e1512
LP		 2529
2530 r = dns_transaction_is_primary_response(t, rr);
2531 if (r < 0)
2532 return r;
2533 if (r == 0)
2534 continue;
2535
2536 r = dnssec_has_rrsig(t->answer, rr->key);
2537 if (r < 0)
2538 return r;
2539 if (r > 0)
2540 continue;
2541
43e6779a
LP		 2542 r = dns_answer_has_dname_for_cname(t->answer, rr);
2543 if (r < 0)
2544 return r;
2545 if (r > 0)
2546 continue;
2547
1c02e7ba 2548 name = dns_resource_key_name(rr->key);
105e1512
LP		 2549 r = dns_name_parent(&name);
2550 if (r < 0)
2551 return r;
2552 if (r == 0)
2553 continue;
2554
2555 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2556 if (!soa)
2557 return -ENOMEM;
2558
1c02e7ba
ZJS		 2559 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2560 t->id, dns_resource_key_name(rr->key));
105e1512
LP		 2561 r = dns_transaction_request_dnssec_rr(t, soa);
2562 if (r < 0)
2563 return r;
2564
2565 break;
2566 }
2567
2568 default: {
2569 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2570
b63fca62
LP		 2571 /* For other unsigned RRsets (including
2572 * NSEC/NSEC3!), look for proof the zone is
2573 * unsigned, by requesting the SOA RR of the
2574 * zone. However, do so only if they are
2575 * directly relevant to our original
105e1512
LP		 2576 * question. */
2577
2578 r = dns_transaction_is_primary_response(t, rr);
2579 if (r < 0)
2580 return r;
2581 if (r == 0)
2582 continue;
2583
2584 r = dnssec_has_rrsig(t->answer, rr->key);
2585 if (r < 0)
2586 return r;
2587 if (r > 0)
2588 continue;
2589
1c02e7ba 2590 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
105e1512
LP		 2591 if (!soa)
2592 return -ENOMEM;
2593
1c02e7ba
ZJS		 2594 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2595 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
105e1512
LP		 2596 r = dns_transaction_request_dnssec_rr(t, soa);
2597 if (r < 0)
2598 return r;
2599 break;
547973de
LP		 2600 }}
2601 }
2602
105e1512
LP		 2603 /* Above, we requested everything necessary to validate what
2604 * we got. Now, let's request what we need to validate what we
2605 * didn't get... */
2606
26b23d11 2607 r = dns_transaction_has_negative_answer(t);
105e1512
LP		 2608 if (r < 0)
2609 return r;
2610 if (r > 0) {
26b23d11 2611 const char *name, *signed_status;
4bbc06cc 2612 uint16_t type = 0;
105e1512 2613
42df9532 2614 name = dns_resource_key_name(dns_transaction_key(t));
26b23d11 2615 signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned";
105e1512 2616
4bbc06cc
LP		 2617 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2618 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2619 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2620 * though they have further children. If this was a DS request, then it's signed when the parent zone
2621 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2622 * to see if that is signed. */
105e1512 2623
42df9532 2624 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2625 r = dns_name_parent(&name);
4bbc06cc
LP		 2626 if (r > 0) {
2627 type = DNS_TYPE_SOA;
e2341b6b
DT		 2628 log_debug("Requesting parent SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty DS response).",
2629 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id,
2630 dns_resource_key_name(dns_transaction_key(t)), signed_status);
4bbc06cc 2631 } else
105e1512 2632 name = NULL;
4bbc06cc 2633
42df9532 2634 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
4bbc06cc
LP		 2635
2636 type = DNS_TYPE_DS;
e2341b6b
DT		 2637 log_debug("Requesting DS (%s %s) to validate transaction %" PRIu16 " (%s, %s empty SOA/NS response).",
2638 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
4bbc06cc
LP		 2639
2640 } else {
2641 type = DNS_TYPE_SOA;
e2341b6b
DT		 2642 log_debug("Requesting SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty non-SOA/NS/DS response).",
2643 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
4bbc06cc 2644 }
105e1512
LP		 2645
2646 if (name) {
2647 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2648
42df9532 2649 soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name);
105e1512
LP		 2650 if (!soa)
2651 return -ENOMEM;
2652
2653 r = dns_transaction_request_dnssec_rr(t, soa);
2654 if (r < 0)
2655 return r;
2656 }
2657 }
2658
2659 return dns_transaction_dnssec_is_live(t);
547973de
LP		 2660}
2661
2662void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
547973de 2663 assert(t);
547973de
LP		 2664 assert(source);
2665
942eb2e7
LP		 2666 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2667 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2668 the state is VALIDATING however, we should check if we are complete now. */
105e1512 2669
942eb2e7
LP		 2670 if (t->state == DNS_TRANSACTION_VALIDATING)
2671 dns_transaction_process_dnssec(t);
547973de
LP		 2672}
2673
105e1512 2674static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
04617bf8
LP		 2675 DnsAnswerItem *item;
2676 int r;
105e1512
LP		 2677
2678 assert(t);
2679
2680 /* Add all DNSKEY RRs from the answer that are validated by DS
2681 * RRs from the list of validated keys to the list of
2682 * validated keys. */
2683
04617bf8 2684 DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
105e1512 2685
04617bf8 2686 r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
105e1512
LP		 2687 if (r < 0)
2688 return r;
2689 if (r == 0)
2690 continue;
2691
2692 /* If so, the DNSKEY is validated too. */
04617bf8 2693 r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
105e1512
LP		 2694 if (r < 0)
2695 return r;
2696 }
2697
2698 return 0;
2699}
2700
2701static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
56352fe9
LP		 2702 int r;
2703
2704 assert(t);
2705 assert(rr);
2706
105e1512
LP		 2707 /* Checks if the RR we are looking for must be signed with an
2708 * RRSIG. This is used for positive responses. */
24a5b982 2709
b652d4a2 2710 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2711 return false;
56352fe9 2712
105e1512
LP		 2713 if (dns_type_is_pseudo(rr->key->type))
2714 return -EINVAL;
56352fe9 2715
1c02e7ba 2716 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2717 if (r < 0)
2718 return r;
2719 if (r > 0)
2720 return false;
2721
105e1512 2722 switch (rr->key->type) {
56352fe9 2723
105e1512
LP		 2724 case DNS_TYPE_RRSIG:
2725 /* RRSIGs are the signatures themselves, they need no signing. */
2726 return false;
2727
2728 case DNS_TYPE_SOA:
2729 case DNS_TYPE_NS: {
2730 DnsTransaction *dt;
105e1512 2731
b63fca62 2732 /* For SOA or NS RRs we look for a matching DS transaction */
105e1512 2733
90e74a66 2734 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2735
42df9532 2736 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2737 continue;
42df9532 2738 if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
105e1512
LP		 2739 continue;
2740
42df9532 2741 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2742 if (r < 0)
2743 return r;
2744 if (r == 0)
2745 continue;
2746
2747 /* We found a DS transactions for the SOA/NS
2748 * RRs we are looking at. If it discovered signed DS
2749 * RRs, then we need to be signed, too. */
2750
6f055e43 2751 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
097a2517 2752 return false;
105e1512 2753
42df9532 2754 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
105e1512
LP		 2755 }
2756
2757 /* We found nothing that proves this is safe to leave
2758 * this unauthenticated, hence ask inist on
2759 * authentication. */
2760 return true;
2761 }
2762
b63fca62 2763 case DNS_TYPE_DS:
105e1512
LP		 2764 case DNS_TYPE_CNAME:
2765 case DNS_TYPE_DNAME: {
2766 const char *parent = NULL;
2767 DnsTransaction *dt;
105e1512 2768
b63fca62
LP		 2769 /*
2770 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2771 *
2772 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2773 */
105e1512 2774
90e74a66 2775 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2776
42df9532 2777 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2778 continue;
42df9532 2779 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2780 continue;
2781
2782 if (!parent) {
1c02e7ba 2783 parent = dns_resource_key_name(rr->key);
105e1512
LP		 2784 r = dns_name_parent(&parent);
2785 if (r < 0)
2786 return r;
2787 if (r == 0) {
b63fca62
LP		 2788 if (rr->key->type == DNS_TYPE_DS)
2789 return true;
2790
105e1512 2791 /* A CNAME/DNAME without a parent? That's sooo weird. */
baaa35ad
ZJS		 2792 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2793 "Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
105e1512
LP		 2794 }
2795 }
2796
42df9532 2797 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent);
105e1512
LP		 2798 if (r < 0)
2799 return r;
2800 if (r == 0)
2801 continue;
2802
6f055e43 2803 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2804 }
2805
2806 return true;
2807 }
2808
2809 default: {
2810 DnsTransaction *dt;
105e1512 2811
b63fca62 2812 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
105e1512 2813
90e74a66 2814 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2815
42df9532 2816 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2817 continue;
42df9532 2818 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2819 continue;
2820
42df9532 2821 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2822 if (r < 0)
2823 return r;
2824 if (r == 0)
2825 continue;
2826
6f055e43
LP		 2827 /* We found the transaction that was supposed to find the SOA RR for us. It was
2828 * successful, but found no RR for us. This means we are not at a zone cut. In this
2829 * case, we require authentication if the SOA lookup was authenticated too. */
2830 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2831 }
2832
2833 return true;
2834 }}
56352fe9
LP		 2835}
2836
d33b6cf3
LP		 2837static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2838 DnsTransaction *dt;
2839 const char *tld;
d33b6cf3
LP		 2840 int r;
2841
2842 /* If DNSSEC downgrade mode is on, checks whether the
2843 * specified RR is one level below a TLD we have proven not to
2844 * exist. In such a case we assume that this is a private
2845 * domain, and permit it.
2846 *
2847 * This detects cases like the Fritz!Box router networks. Each
2848 * Fritz!Box router serves a private "fritz.box" zone, in the
2849 * non-existing TLD "box". Requests for the "fritz.box" domain
2850 * are served by the router itself, while requests for the
2851 * "box" domain will result in NXDOMAIN.
2852 *
2853 * Note that this logic is unable to detect cases where a
2854 * router serves a private DNS zone directly under
2855 * non-existing TLD. In such a case we cannot detect whether
2856 * the TLD is supposed to exist or not, as all requests we
2857 * make for it will be answered by the router's zone, and not
2858 * by the root zone. */
2859
2860 assert(t);
2861
2862 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2863 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2864
1c02e7ba 2865 tld = dns_resource_key_name(key);
d33b6cf3
LP		 2866 r = dns_name_parent(&tld);
2867 if (r < 0)
2868 return r;
2869 if (r == 0)
2870 return false; /* Already the root domain */
2871
2872 if (!dns_name_is_single_label(tld))
2873 return false;
2874
90e74a66 2875 SET_FOREACH(dt, t->dnssec_transactions) {
d33b6cf3 2876
42df9532 2877 if (dns_transaction_key(dt)->class != key->class)
d33b6cf3
LP		 2878 continue;
2879
42df9532 2880 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), tld);
d33b6cf3
LP		 2881 if (r < 0)
2882 return r;
2883 if (r == 0)
2884 continue;
2885
2886 /* We found an auxiliary lookup we did for the TLD. If
2887 * that returned with NXDOMAIN, we know the TLD didn't
2888 * exist, and hence this might be a private zone. */
2889
2890 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2891 }
2892
2893 return false;
2894}
2895
105e1512 2896static int dns_transaction_requires_nsec(DnsTransaction *t) {
4bbc06cc 2897 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
105e1512
LP		 2898 DnsTransaction *dt;
2899 const char *name;
4bbc06cc 2900 uint16_t type = 0;
105e1512 2901 int r;
56352fe9
LP		 2902
2903 assert(t);
2904
105e1512
LP		 2905 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2906 * this negative reply */
56352fe9 2907
b652d4a2 2908 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2909 return false;
56352fe9 2910
42df9532 2911 if (dns_type_is_pseudo(dns_transaction_key(t)->type))
105e1512
LP		 2912 return -EINVAL;
2913
42df9532 2914 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2915 if (r < 0)
2916 return r;
2917 if (r > 0)
2918 return false;
2919
42df9532 2920 r = dns_transaction_in_private_tld(t, dns_transaction_key(t));
d33b6cf3
LP		 2921 if (r < 0)
2922 return r;
2923 if (r > 0) {
2924 /* The lookup is from a TLD that is proven not to
2925 * exist, and we are in downgrade mode, hence ignore
13e785f7 2926 * that fact that we didn't get any NSEC RRs. */
d33b6cf3 2927
202b76ae 2928 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
42df9532 2929 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
d33b6cf3
LP		 2930 return false;
2931 }
2932
42df9532 2933 name = dns_resource_key_name(dns_transaction_key(t));
105e1512 2934
42df9532 2935 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2936
4bbc06cc
LP		 2937 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
2938 * hence check the parent SOA in this case. */
105e1512
LP		 2939
2940 r = dns_name_parent(&name);
56352fe9
LP		 2941 if (r < 0)
2942 return r;
2943 if (r == 0)
105e1512 2944 return true;
4bbc06cc
LP		 2945
2946 type = DNS_TYPE_SOA;
2947
42df9532 2948 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS))
4bbc06cc
LP		 2949 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
2950 type = DNS_TYPE_DS;
2951 else
2952 /* For all other negative replies, check for the SOA lookup */
2953 type = DNS_TYPE_SOA;
105e1512
LP		 2954
2955 /* For all other RRs we check the SOA on the same level to see
2956 * if it's signed. */
2957
90e74a66 2958 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2959
42df9532 2960 if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class)
105e1512 2961 continue;
42df9532 2962 if (dns_transaction_key(dt)->type != type)
56352fe9
LP		 2963 continue;
2964
42df9532 2965 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name);
56352fe9
LP		 2966 if (r < 0)
2967 return r;
105e1512
LP		 2968 if (r == 0)
2969 continue;
2970
6f055e43 2971 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
56352fe9
LP		 2972 }
2973
105e1512
LP		 2974 /* If in doubt, require NSEC/NSEC3 */
2975 return true;
56352fe9
LP		 2976}
2977
94aa7071
LP		 2978static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2979 DnsResourceRecord *rrsig;
2980 bool found = false;
2981 int r;
2982
2983 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2984 * the specified RRset is authenticated (i.e. has a matching
2985 * DS RR). */
2986
1c02e7ba 2987 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2988 if (r < 0)
2989 return r;
2990 if (r > 0)
2991 return false;
2992
94aa7071
LP		 2993 DNS_ANSWER_FOREACH(rrsig, t->answer) {
2994 DnsTransaction *dt;
94aa7071
LP		 2995
2996 r = dnssec_key_match_rrsig(rr->key, rrsig);
2997 if (r < 0)
2998 return r;
2999 if (r == 0)
3000 continue;
3001
90e74a66 3002 SET_FOREACH(dt, t->dnssec_transactions) {
94aa7071 3003
42df9532 3004 if (dns_transaction_key(dt)->class != rr->key->class)
94aa7071
LP		 3005 continue;
3006
42df9532 3007 if (dns_transaction_key(dt)->type == DNS_TYPE_DNSKEY) {
94aa7071 3008
42df9532 3009 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 3010 if (r < 0)
3011 return r;
3012 if (r == 0)
3013 continue;
3014
6f055e43
LP		 3015 /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
3016 * report this. */
94aa7071 3017
6f055e43 3018 if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 3019 return true;
3020
3021 found = true;
3022
42df9532 3023 } else if (dns_transaction_key(dt)->type == DNS_TYPE_DS) {
94aa7071 3024
42df9532 3025 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 3026 if (r < 0)
3027 return r;
3028 if (r == 0)
3029 continue;
3030
6f055e43
LP		 3031 /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
3032 * non-zero, we won! */
94aa7071 3033
6f055e43 3034 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 3035 return false;
3036
42df9532 3037 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
94aa7071
LP		 3038 }
3039 }
3040 }
3041
3042 return found ? false : -ENXIO;
3043}
3044
b652d4a2
LP		 3045static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
3046 assert(t);
3047 assert(rr);
3048
3049 /* We know that the root domain is signed, hence if it appears
3050 * not to be signed, there's a problem with the DNS server */
3051
3052 return rr->key->class == DNS_CLASS_IN &&
1c02e7ba 3053 dns_name_is_root(dns_resource_key_name(rr->key));
b652d4a2
LP		 3054}
3055
0f87f3e8
LP		 3056static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
3057 DnsResourceRecord *rr;
3058 int r;
3059
3060 assert(t);
3061
3062 /* Maybe warn the user that we encountered a revoked DNSKEY
3063 * for a key from our trust anchor. Note that we don't care
3064 * whether the DNSKEY can be authenticated or not. It's
3065 * sufficient if it is self-signed. */
3066
3067 DNS_ANSWER_FOREACH(rr, t->answer) {
d424da2a 3068 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
0f87f3e8
LP		 3069 if (r < 0)
3070 return r;
3071 }
3072
3073 return 0;
3074}
3075
c9c72065
LP		 3076static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
3077 bool changed;
3078 int r;
3079
3080 assert(t);
3081
3082 /* Removes all DNSKEY/DS objects from t->validated_keys that
3083 * our trust anchors database considers revoked. */
3084
3085 do {
3086 DnsResourceRecord *rr;
3087
3088 changed = false;
3089
3090 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
3091 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
3092 if (r < 0)
3093 return r;
3094 if (r > 0) {
3095 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
3096 if (r < 0)
3097 return r;
3098
3099 assert(r > 0);
3100 changed = true;
3101 break;
3102 }
3103 }
3104 } while (changed);
3105
3106 return 0;
3107}
3108
942eb2e7
LP		 3109static int dns_transaction_copy_validated(DnsTransaction *t) {
3110 DnsTransaction *dt;
942eb2e7
LP		 3111 int r;
3112
3113 assert(t);
3114
3115 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
3116
90e74a66 3117 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 3118
3119 if (DNS_TRANSACTION_IS_LIVE(dt->state))
3120 continue;
3121
6f055e43 3122 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
942eb2e7
LP		 3123 continue;
3124
3125 r = dns_answer_extend(&t->validated_keys, dt->answer);
3126 if (r < 0)
3127 return r;
3128 }
3129
3130 return 0;
3131}
3132
c690b20a
ZJS		 3133typedef enum {
3134 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
3135 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
3136 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
3137} Phase;
3138
3139static int dnssec_validate_records(
3140 DnsTransaction *t,
3141 Phase phase,
3142 bool *have_nsec,
3143 DnsAnswer **validated) {
3144
547973de 3145 DnsResourceRecord *rr;
56352fe9 3146 int r;
547973de 3147
c690b20a 3148 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
547973de 3149
c690b20a 3150 DNS_ANSWER_FOREACH(rr, t->answer) {
71aee23d 3151 _unused_ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr_ref = dns_resource_record_ref(rr);
c690b20a
ZJS		 3152 DnsResourceRecord *rrsig = NULL;
3153 DnssecResult result;
547973de 3154
c690b20a
ZJS		 3155 switch (rr->key->type) {
3156 case DNS_TYPE_RRSIG:
3157 continue;
547973de 3158
c690b20a
ZJS		 3159 case DNS_TYPE_DNSKEY:
3160 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
3161 if (phase == DNSSEC_PHASE_NSEC)
3162 continue;
3163 break;
547973de 3164
c690b20a
ZJS		 3165 case DNS_TYPE_NSEC:
3166 case DNS_TYPE_NSEC3:
3167 *have_nsec = true;
547973de 3168
c690b20a
ZJS		 3169 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
3170 if (phase == DNSSEC_PHASE_DNSKEY)
3171 continue;
3172 break;
105e1512 3173
c690b20a
ZJS		 3174 default:
3175 /* We validate all other RRs only in the ALL phases */
3176 if (phase != DNSSEC_PHASE_ALL)
3177 continue;
3178 }
b652d4a2 3179
04617bf8
LP		 3180 r = dnssec_verify_rrset_search(
3181 t->answer,
3182 rr->key,
3183 t->validated_keys,
3184 USEC_INFINITY,
3185 &result,
3186 &rrsig);
c690b20a
ZJS		 3187 if (r < 0)
3188 return r;
547973de 3189
c690b20a 3190 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
0f87f3e8 3191
c690b20a 3192 if (result == DNSSEC_VALIDATED) {
04617bf8 3193 assert(rrsig);
942eb2e7 3194
c690b20a
ZJS		 3195 if (rr->key->type == DNS_TYPE_DNSKEY) {
3196 /* If we just validated a DNSKEY RRset, then let's add these keys to
3197 * the set of validated keys for this transaction. */
547973de 3198
04617bf8 3199 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
c690b20a
ZJS		 3200 if (r < 0)
3201 return r;
c9c72065 3202
c690b20a
ZJS		 3203 /* Some of the DNSKEYs we just added might already have been revoked,
3204 * remove them again in that case. */
3205 r = dns_transaction_invalidate_revoked_keys(t);
3206 if (r < 0)
3207 return r;
3208 }
547973de 3209
04617bf8
LP		 3210 /* Add the validated RRset to the new list of validated RRsets, and remove it from
3211 * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
3212 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
c690b20a
ZJS		 3213 if (r < 0)
3214 return r;
547973de 3215
c690b20a 3216 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
0c7bff0a 3217
c690b20a
ZJS		 3218 /* Exit the loop, we dropped something from the answer, start from the beginning */
3219 return 1;
3220 }
547973de 3221
c690b20a
ZJS		 3222 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
3223 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
3224 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
3225 if (phase != DNSSEC_PHASE_ALL)
3226 continue;
0c7bff0a 3227
c690b20a
ZJS		 3228 if (result == DNSSEC_VALIDATED_WILDCARD) {
3229 bool authenticated = false;
3230 const char *source;
0c7bff0a 3231
04617bf8
LP		 3232 assert(rrsig);
3233
c690b20a 3234 /* This RRset validated, but as a wildcard. This means we need
13e785f7 3235 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
0c7bff0a 3236
c690b20a
ZJS		 3237 /* First step, determine the source of synthesis */
3238 r = dns_resource_record_source(rrsig, &source);
3239 if (r < 0)
3240 return r;
0c7bff0a 3241
c690b20a 3242 r = dnssec_test_positive_wildcard(*validated,
1c02e7ba 3243 dns_resource_key_name(rr->key),
c690b20a
ZJS		 3244 source,
3245 rrsig->rrsig.signer,
3246 &authenticated);
0c7bff0a 3247
c690b20a
ZJS		 3248 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
3249 if (r == 0)
3250 result = DNSSEC_INVALID;
3251 else {
04617bf8
LP		 3252 r = dns_answer_move_by_key(
3253 validated,
3254 &t->answer,
3255 rr->key,
3256 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
3257 rrsig);
c690b20a
ZJS		 3258 if (r < 0)
3259 return r;
3260
3261 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
3262
3263 /* Exit the loop, we dropped something from the answer, start from the beginning */
3264 return 1;
0c7bff0a 3265 }
c690b20a 3266 }
0c7bff0a 3267
c690b20a
ZJS		 3268 if (result == DNSSEC_NO_SIGNATURE) {
3269 r = dns_transaction_requires_rrsig(t, rr);
547973de
LP		 3270 if (r < 0)
3271 return r;
c690b20a
ZJS		 3272 if (r == 0) {
3273 /* Data does not require signing. In that case, just copy it over,
13e785f7 3274 * but remember that this is by no means authenticated. */
04617bf8
LP		 3275 r = dns_answer_move_by_key(
3276 validated,
3277 &t->answer,
3278 rr->key,
3279 0,
3280 NULL);
c690b20a
ZJS		 3281 if (r < 0)
3282 return r;
3283
3284 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3285 return 1;
3286 }
547973de 3287
c690b20a
ZJS		 3288 r = dns_transaction_known_signed(t, rr);
3289 if (r < 0)
3290 return r;
3291 if (r > 0) {
3292 /* This is an RR we know has to be signed. If it isn't this means
3293 * the server is not attaching RRSIGs, hence complain. */
547973de 3294
c690b20a 3295 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
547973de 3296
c690b20a 3297 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
547973de 3298
c690b20a 3299 /* Downgrading is OK? If so, just consider the information unsigned */
c9c72065 3300
04617bf8 3301 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
c9c72065
LP		 3302 if (r < 0)
3303 return r;
547973de 3304
c690b20a
ZJS		 3305 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3306 return 1;
3307 }
a150ff5e 3308
c690b20a
ZJS		 3309 /* Otherwise, fail */
3310 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3311 return 0;
f3cf586d 3312 }
547973de 3313
c690b20a
ZJS		 3314 r = dns_transaction_in_private_tld(t, rr->key);
3315 if (r < 0)
3316 return r;
3317 if (r > 0) {
202b76ae 3318 char s[DNS_RESOURCE_KEY_STRING_MAX];
b652d4a2 3319
c690b20a
ZJS		 3320 /* The data is from a TLD that is proven not to exist, and we are in downgrade
3321 * mode, hence ignore the fact that this was not signed. */
0c7bff0a 3322
202b76ae
ZJS		 3323 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
3324 dns_resource_key_to_string(rr->key, s, sizeof s));
0c7bff0a 3325
04617bf8 3326 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
0c7bff0a
LP		 3327 if (r < 0)
3328 return r;
0c7bff0a 3329
c690b20a
ZJS		 3330 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3331 return 1;
3332 }
3333 }
0c7bff0a 3334
1ca36001
JM		 3335 /* https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 */
3336 if (result == DNSSEC_UNSUPPORTED_ALGORITHM) {
3337 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3338 if (r < 0)
3339 return r;
3340
3341 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3342 return 1;
3343 }
3344
c690b20a
ZJS		 3345 if (IN_SET(result,
3346 DNSSEC_MISSING_KEY,
1ca36001 3347 DNSSEC_SIGNATURE_EXPIRED)) {
0c7bff0a 3348
c690b20a
ZJS		 3349 r = dns_transaction_dnskey_authenticated(t, rr);
3350 if (r < 0 && r != -ENXIO)
3351 return r;
3352 if (r == 0) {
3353 /* The DNSKEY transaction was not authenticated, this means there's
3354 * no DS for this, which means it's OK if no keys are found for this signature. */
0c7bff0a 3355
04617bf8 3356 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
f3cf586d
LP		 3357 if (r < 0)
3358 return r;
b652d4a2 3359
c690b20a
ZJS		 3360 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3361 return 1;
3362 }
3363 }
b652d4a2 3364
c690b20a
ZJS		 3365 r = dns_transaction_is_primary_response(t, rr);
3366 if (r < 0)
3367 return r;
3368 if (r > 0) {
3369 /* Look for a matching DNAME for this CNAME */
3370 r = dns_answer_has_dname_for_cname(t->answer, rr);
3371 if (r < 0)
3372 return r;
3373 if (r == 0) {
3374 /* Also look among the stuff we already validated */
3375 r = dns_answer_has_dname_for_cname(*validated, rr);
f3cf586d
LP		 3376 if (r < 0)
3377 return r;
c690b20a 3378 }
d33b6cf3 3379
c690b20a
ZJS		 3380 if (r == 0) {
3381 if (IN_SET(result,
3382 DNSSEC_INVALID,
3383 DNSSEC_SIGNATURE_EXPIRED,
3384 DNSSEC_NO_SIGNATURE))
3385 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
3386 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
3387 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
3388
3389 /* This is a primary response to our question, and it failed validation.
3390 * That's fatal. */
3391 t->answer_dnssec_result = result;
3392 return 0;
3393 }
d33b6cf3 3394
c690b20a
ZJS		 3395 /* This is a primary response, but we do have a DNAME RR
3396 * in the RR that can replay this CNAME, hence rely on
3397 * that, and we can remove the CNAME in favour of it. */
3398 }
d33b6cf3 3399
c690b20a
ZJS		 3400 /* This is just some auxiliary data. Just remove the RRset and continue. */
3401 r = dns_answer_remove_by_key(&t->answer, rr->key);
3402 if (r < 0)
3403 return r;
d33b6cf3 3404
c690b20a
ZJS		 3405 /* We dropped something from the answer, start from the beginning. */
3406 return 1;
3407 }
f3cf586d 3408
c690b20a
ZJS		 3409 return 2; /* Finito. */
3410}
94aa7071 3411
c690b20a
ZJS		 3412int dns_transaction_validate_dnssec(DnsTransaction *t) {
3413 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
3414 Phase phase;
3415 DnsAnswerFlags flags;
3416 int r;
202b76ae 3417 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
94aa7071 3418
c690b20a 3419 assert(t);
94aa7071 3420
775ae354 3421 /* We have now collected all DS and DNSKEY RRs in t->validated_keys, let's see which RRs we can now
c690b20a 3422 * authenticate with that. */
94aa7071 3423
775ae354 3424 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
c690b20a 3425 return 0;
a150ff5e 3426
c690b20a
ZJS		 3427 /* Already validated */
3428 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3429 return 0;
105e1512 3430
c690b20a
ZJS		 3431 /* Our own stuff needs no validation */
3432 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3433 t->answer_dnssec_result = DNSSEC_VALIDATED;
6f055e43 3434 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
c690b20a
ZJS		 3435 return 0;
3436 }
a150ff5e 3437
c690b20a
ZJS		 3438 /* Cached stuff is not affected by validation. */
3439 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3440 return 0;
f3cf586d 3441
c690b20a
ZJS		 3442 if (!dns_transaction_dnssec_supported_full(t)) {
3443 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3444 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
d001e0a3 3445 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
c690b20a
ZJS		 3446 return 0;
3447 }
f3cf586d 3448
202b76ae
ZJS		 3449 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3450 t->id,
42df9532 3451 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
547973de 3452
c690b20a
ZJS		 3453 /* First, see if this response contains any revoked trust
3454 * anchors we care about */
3455 r = dns_transaction_check_revoked_trust_anchors(t);
3456 if (r < 0)
3457 return r;
43e6779a 3458
c690b20a
ZJS		 3459 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3460 r = dns_transaction_copy_validated(t);
3461 if (r < 0)
3462 return r;
43e6779a 3463
c690b20a
ZJS		 3464 /* Second, see if there are DNSKEYs we already know a
3465 * validated DS for. */
3466 r = dns_transaction_validate_dnskey_by_ds(t);
3467 if (r < 0)
3468 return r;
43e6779a 3469
c690b20a
ZJS		 3470 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3471 * anchor says are revoked. After all we might have marked
3472 * some keys revoked above, but they might still be lingering
3473 * in our validated_keys list. */
3474 r = dns_transaction_invalidate_revoked_keys(t);
3475 if (r < 0)
3476 return r;
f3cf586d 3477
c690b20a
ZJS		 3478 phase = DNSSEC_PHASE_DNSKEY;
3479 for (;;) {
3480 bool have_nsec = false;
f3cf586d 3481
c690b20a
ZJS		 3482 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3483 if (r <= 0)
3484 return r;
547973de 3485
c690b20a
ZJS		 3486 /* Try again as long as we managed to achieve something */
3487 if (r == 1)
547973de
LP		 3488 continue;
3489
c690b20a 3490 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
0c7bff0a 3491 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
c690b20a 3492 phase = DNSSEC_PHASE_NSEC;
0c7bff0a
LP		 3493 continue;
3494 }
3495
c690b20a
ZJS		 3496 if (phase != DNSSEC_PHASE_ALL) {
3497 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3498 * Note that in this third phase we start to remove RRs we couldn't validate. */
3499 phase = DNSSEC_PHASE_ALL;
56352fe9 3500 continue;
547973de
LP		 3501 }
3502
56352fe9 3503 /* We're done */
547973de
LP		 3504 break;
3505 }
3506
1117a960 3507 DNS_ANSWER_REPLACE(t->answer, TAKE_PTR(validated));
547973de 3508
72667f08
LP		 3509 /* At this point the answer only contains validated
3510 * RRsets. Now, let's see if it actually answers the question
3511 * we asked. If so, great! If it doesn't, then see if
3512 * NSEC/NSEC3 can prove this. */
105e1512 3513 r = dns_transaction_has_positive_answer(t, &flags);
72667f08 3514 if (r > 0) {
105e1512
LP		 3515 /* Yes, it answers the question! */
3516
3517 if (flags & DNS_ANSWER_AUTHENTICATED) {
3518 /* The answer is fully authenticated, yay. */
019036a4 3519 t->answer_dnssec_result = DNSSEC_VALIDATED;
105e1512 3520 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3521 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
105e1512
LP		 3522 } else {
3523 /* The answer is not fully authenticated. */
019036a4 3524 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3525 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
105e1512
LP		 3526 }
3527
72667f08
LP		 3528 } else if (r == 0) {
3529 DnssecNsecResult nr;
ed29bfdc 3530 bool authenticated = false;
72667f08
LP		 3531
3532 /* Bummer! Let's check NSEC/NSEC3 */
42df9532 3533 r = dnssec_nsec_test(t->answer, dns_transaction_key(t), &nr, &authenticated, &t->answer_nsec_ttl);
72667f08
LP		 3534 if (r < 0)
3535 return r;
3536
3537 switch (nr) {
3538
3539 case DNSSEC_NSEC_NXDOMAIN:
3540 /* NSEC proves the domain doesn't exist. Very good. */
202b76ae 3541 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3542 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3543 t->answer_rcode = DNS_RCODE_NXDOMAIN;
6f055e43 3544 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3545
42df9532 3546 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3547 break;
3548
3549 case DNSSEC_NSEC_NODATA:
3550 /* NSEC proves that there's no data here, very good. */
202b76ae 3551 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3552 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3553 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3554 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3555
42df9532 3556 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3557 break;
3558
105e1512
LP		 3559 case DNSSEC_NSEC_OPTOUT:
3560 /* NSEC3 says the data might not be signed */
202b76ae 3561 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3562 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3563 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
7aa8ce98 3564
42df9532 3565 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3566 break;
3567
72667f08
LP		 3568 case DNSSEC_NSEC_NO_RR:
3569 /* No NSEC data? Bummer! */
105e1512
LP		 3570
3571 r = dns_transaction_requires_nsec(t);
3572 if (r < 0)
3573 return r;
7aa8ce98 3574 if (r > 0) {
019036a4 3575 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
42df9532 3576 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
7aa8ce98 3577 } else {
019036a4 3578 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3579 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
42df9532 3580 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3581 }
3582
3583 break;
3584
3585 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3586 /* We don't know the NSEC3 algorithm used? */
019036a4 3587 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
42df9532 3588 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, dns_transaction_key(t));
72667f08
LP		 3589 break;
3590
3591 case DNSSEC_NSEC_FOUND:
146035b3 3592 case DNSSEC_NSEC_CNAME:
72667f08 3593 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
019036a4 3594 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
42df9532 3595 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
72667f08
LP		 3596 break;
3597
3598 default:
04499a70 3599 assert_not_reached();
72667f08
LP		 3600 }
3601 }
3602
547973de
LP		 3603 return 1;
3604}
3605
ec2c5e43 3606static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
e3e64a1a
ZJS		 3607 [DNS_TRANSACTION_NULL] = "null",
3608 [DNS_TRANSACTION_PENDING] = "pending",
3609 [DNS_TRANSACTION_VALIDATING] = "validating",
3610 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3611 [DNS_TRANSACTION_SUCCESS] = "success",
3612 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3613 [DNS_TRANSACTION_TIMEOUT] = "timeout",
ec2c5e43 3614 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
e3e64a1a
ZJS		 3615 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3616 [DNS_TRANSACTION_ERRNO] = "errno",
3617 [DNS_TRANSACTION_ABORTED] = "aborted",
3618 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3619 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3620 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3621 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3622 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3623 [DNS_TRANSACTION_NO_SOURCE] = "no-source",
3624 [DNS_TRANSACTION_STUB_LOOP] = "stub-loop",
ec2c5e43
LP		 3625};
3626DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
c3bc53e6
LP		 3627
3628static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
e3e64a1a
ZJS		 3629 [DNS_TRANSACTION_NETWORK] = "network",
3630 [DNS_TRANSACTION_CACHE] = "cache",
3631 [DNS_TRANSACTION_ZONE] = "zone",
0d2cd476 3632 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
c3bc53e6
LP		 3633};
3634DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.