src/resolve/dns-type.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2 /***
   3   Copyright © 2014 Zbigniew Jędrzejewski-Szmek
   4 ***/
   5
   6 #include <sys/socket.h>
   7 #include <errno.h>
   8
   9 #include "dns-type.h"
  10 #include "parse-util.h"
  11 #include "string-util.h"
  12
  13 typedef const struct {
  14         uint16_t type;
  15         const char *name;
  16 } dns_type;
  17
  18 static const struct dns_type_name *
  19 lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
  20
  21 #include "dns_type-from-name.h"
  22 #include "dns_type-to-name.h"
  23
  24 int dns_type_from_string(const char *s) {
  25         const struct dns_type_name *sc;
  26
  27         assert(s);
  28
  29         sc = lookup_dns_type(s, strlen(s));
  30         if (sc)
  31                 return sc->id;
  32
  33         s = startswith_no_case(s, "TYPE");
  34         if (s) {
  35                 unsigned x;
  36
  37                 if (safe_atou(s, &x) >= 0 &&
  38                     x <= UINT16_MAX)
  39                         return (int) x;
  40         }
  41
  42         return _DNS_TYPE_INVALID;
  43 }
  44
  45 bool dns_type_is_pseudo(uint16_t type) {
  46
  47         /* Checks whether the specified type is a "pseudo-type". What
  48          * a "pseudo-type" precisely is, is defined only very weakly,
  49          * but apparently entails all RR types that are not actually
  50          * stored as RRs on the server and should hence also not be
  51          * cached. We use this list primarily to validate NSEC type
  52          * bitfields, and to verify what to cache. */
  53
  54         return IN_SET(type,
  55                       0, /* A Pseudo RR type, according to RFC 2931 */
  56                       DNS_TYPE_ANY,
  57                       DNS_TYPE_AXFR,
  58                       DNS_TYPE_IXFR,
  59                       DNS_TYPE_OPT,
  60                       DNS_TYPE_TSIG,
  61                       DNS_TYPE_TKEY
  62         );
  63 }
  64
  65 bool dns_class_is_pseudo(uint16_t class) {
  66         return class == DNS_TYPE_ANY;
  67 }
  68
  69 bool dns_type_is_valid_query(uint16_t type) {
  70
  71         /* The types valid as questions in packets */
  72
  73         return !IN_SET(type,
  74                        0,
  75                        DNS_TYPE_OPT,
  76                        DNS_TYPE_TSIG,
  77                        DNS_TYPE_TKEY,
  78
  79                        /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
  80                         * they aren't really payload, but signatures for payload, and cannot be validated on their
  81                         * own. After all they are the signatures, and have no signatures of their own validating
  82                         * them. */
  83                        DNS_TYPE_RRSIG);
  84 }
  85
  86 bool dns_type_is_zone_transer(uint16_t type) {
  87
  88         /* Zone transfers, either normal or incremental */
  89
  90         return IN_SET(type,
  91                       DNS_TYPE_AXFR,
  92                       DNS_TYPE_IXFR);
  93 }
  94
  95 bool dns_type_is_valid_rr(uint16_t type) {
  96
  97         /* The types valid as RR in packets (but not necessarily
  98          * stored on servers). */
  99
 100         return !IN_SET(type,
 101                        DNS_TYPE_ANY,
 102                        DNS_TYPE_AXFR,
 103                        DNS_TYPE_IXFR);
 104 }
 105
 106 bool dns_class_is_valid_rr(uint16_t class) {
 107         return class != DNS_CLASS_ANY;
 108 }
 109
 110 bool dns_type_may_redirect(uint16_t type) {
 111         /* The following record types should never be redirected using
 112          * CNAME/DNAME RRs. See
 113          * <https://tools.ietf.org/html/rfc4035#section-2.5>. */
 114
 115         if (dns_type_is_pseudo(type))
 116                 return false;
 117
 118         return !IN_SET(type,
 119                        DNS_TYPE_CNAME,
 120                        DNS_TYPE_DNAME,
 121                        DNS_TYPE_NSEC3,
 122                        DNS_TYPE_NSEC,
 123                        DNS_TYPE_RRSIG,
 124                        DNS_TYPE_NXT,
 125                        DNS_TYPE_SIG,
 126                        DNS_TYPE_KEY);
 127 }
 128
 129 bool dns_type_may_wildcard(uint16_t type) {
 130
 131         /* The following records may not be expanded from wildcard RRsets */
 132
 133         if (dns_type_is_pseudo(type))
 134                 return false;
 135
 136         return !IN_SET(type,
 137                        DNS_TYPE_NSEC3,
 138                        DNS_TYPE_SOA,
 139
 140                        /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
 141                        DNS_TYPE_DNAME);
 142 }
 143
 144 bool dns_type_apex_only(uint16_t type) {
 145
 146         /* Returns true for all RR types that may only appear signed in a zone apex */
 147
 148         return IN_SET(type,
 149                       DNS_TYPE_SOA,
 150                       DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
 151                       DNS_TYPE_DNSKEY,
 152                       DNS_TYPE_NSEC3PARAM);
 153 }
 154
 155 bool dns_type_is_dnssec(uint16_t type) {
 156         return IN_SET(type,
 157                       DNS_TYPE_DS,
 158                       DNS_TYPE_DNSKEY,
 159                       DNS_TYPE_RRSIG,
 160                       DNS_TYPE_NSEC,
 161                       DNS_TYPE_NSEC3,
 162                       DNS_TYPE_NSEC3PARAM);
 163 }
 164
 165 bool dns_type_is_obsolete(uint16_t type) {
 166         return IN_SET(type,
 167                       /* Obsoleted by RFC 973 */
 168                       DNS_TYPE_MD,
 169                       DNS_TYPE_MF,
 170                       DNS_TYPE_MAILA,
 171
 172                       /* Kinda obsoleted by RFC 2505 */
 173                       DNS_TYPE_MB,
 174                       DNS_TYPE_MG,
 175                       DNS_TYPE_MR,
 176                       DNS_TYPE_MINFO,
 177                       DNS_TYPE_MAILB,
 178
 179                       /* RFC1127 kinda obsoleted this by recommending against its use */
 180                       DNS_TYPE_WKS,
 181
 182                       /* Declared historical by RFC 6563 */
 183                       DNS_TYPE_A6,
 184
 185                       /* Obsoleted by DNSSEC-bis */
 186                       DNS_TYPE_NXT,
 187
 188                       /* RFC 1035 removed support for concepts that needed this from RFC 883 */
 189                       DNS_TYPE_NULL);
 190 }
 191
 192 bool dns_type_needs_authentication(uint16_t type) {
 193
 194         /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
 195          * authenticated. I.e. everything that contains crypto keys. */
 196
 197         return IN_SET(type,
 198                       DNS_TYPE_CERT,
 199                       DNS_TYPE_SSHFP,
 200                       DNS_TYPE_IPSECKEY,
 201                       DNS_TYPE_DS,
 202                       DNS_TYPE_DNSKEY,
 203                       DNS_TYPE_TLSA,
 204                       DNS_TYPE_CDNSKEY,
 205                       DNS_TYPE_OPENPGPKEY,
 206                       DNS_TYPE_CAA);
 207 }
 208
 209 int dns_type_to_af(uint16_t t) {
 210         switch (t) {
 211
 212         case DNS_TYPE_A:
 213                 return AF_INET;
 214
 215         case DNS_TYPE_AAAA:
 216                 return AF_INET6;
 217
 218         case DNS_TYPE_ANY:
 219                 return AF_UNSPEC;
 220
 221         default:
 222                 return -EINVAL;
 223         }
 224 }
 225
 226 const char *dns_class_to_string(uint16_t class) {
 227
 228         switch (class) {
 229
 230         case DNS_CLASS_IN:
 231                 return "IN";
 232
 233         case DNS_CLASS_ANY:
 234                 return "ANY";
 235         }
 236
 237         return NULL;
 238 }
 239
 240 int dns_class_from_string(const char *s) {
 241
 242         if (!s)
 243                 return _DNS_CLASS_INVALID;
 244
 245         if (strcaseeq(s, "IN"))
 246                 return DNS_CLASS_IN;
 247         else if (strcaseeq(s, "ANY"))
 248                 return DNS_CLASS_ANY;
 249
 250         return _DNS_CLASS_INVALID;
 251 }
 252
 253 const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
 254
 255         switch (cert_usage) {
 256
 257         case 0:
 258                 return "CA constraint";
 259
 260         case 1:
 261                 return "Service certificate constraint";
 262
 263         case 2:
 264                 return "Trust anchor assertion";
 265
 266         case 3:
 267                 return "Domain-issued certificate";
 268
 269         case 4 ... 254:
 270                 return "Unassigned";
 271
 272         case 255:
 273                 return "Private use";
 274         }
 275
 276         return NULL;  /* clang cannot count that we covered everything */
 277 }
 278
 279 const char* tlsa_selector_to_string(uint8_t selector) {
 280         switch (selector) {
 281
 282         case 0:
 283                 return "Full Certificate";
 284
 285         case 1:
 286                 return "SubjectPublicKeyInfo";
 287
 288         case 2 ... 254:
 289                 return "Unassigned";
 290
 291         case 255:
 292                 return "Private use";
 293         }
 294
 295         return NULL;
 296 }
 297
 298 const char* tlsa_matching_type_to_string(uint8_t selector) {
 299
 300         switch (selector) {
 301
 302         case 0:
 303                 return "No hash used";
 304
 305         case 1:
 306                 return "SHA-256";
 307
 308         case 2:
 309                 return "SHA-512";
 310
 311         case 3 ... 254:
 312                 return "Unassigned";
 313
 314         case 255:
 315                 return "Private use";
 316         }
 317
 318         return NULL;
 319 }