src/resolve/dns-type.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2 /***
   3   This file is part of systemd.
   4
   5   Copyright 2014 Zbigniew Jędrzejewski-Szmek
   6 ***/
   7
   8 #include <sys/socket.h>
   9 #include <errno.h>
  10
  11 #include "dns-type.h"
  12 #include "parse-util.h"
  13 #include "string-util.h"
  14
  15 typedef const struct {
  16         uint16_t type;
  17         const char *name;
  18 } dns_type;
  19
  20 static const struct dns_type_name *
  21 lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
  22
  23 #include "dns_type-from-name.h"
  24 #include "dns_type-to-name.h"
  25
  26 int dns_type_from_string(const char *s) {
  27         const struct dns_type_name *sc;
  28
  29         assert(s);
  30
  31         sc = lookup_dns_type(s, strlen(s));
  32         if (sc)
  33                 return sc->id;
  34
  35         s = startswith_no_case(s, "TYPE");
  36         if (s) {
  37                 unsigned x;
  38
  39                 if (safe_atou(s, &x) >= 0 &&
  40                     x <= UINT16_MAX)
  41                         return (int) x;
  42         }
  43
  44         return _DNS_TYPE_INVALID;
  45 }
  46
  47 bool dns_type_is_pseudo(uint16_t type) {
  48
  49         /* Checks whether the specified type is a "pseudo-type". What
  50          * a "pseudo-type" precisely is, is defined only very weakly,
  51          * but apparently entails all RR types that are not actually
  52          * stored as RRs on the server and should hence also not be
  53          * cached. We use this list primarily to validate NSEC type
  54          * bitfields, and to verify what to cache. */
  55
  56         return IN_SET(type,
  57                       0, /* A Pseudo RR type, according to RFC 2931 */
  58                       DNS_TYPE_ANY,
  59                       DNS_TYPE_AXFR,
  60                       DNS_TYPE_IXFR,
  61                       DNS_TYPE_OPT,
  62                       DNS_TYPE_TSIG,
  63                       DNS_TYPE_TKEY
  64         );
  65 }
  66
  67 bool dns_class_is_pseudo(uint16_t class) {
  68         return class == DNS_TYPE_ANY;
  69 }
  70
  71 bool dns_type_is_valid_query(uint16_t type) {
  72
  73         /* The types valid as questions in packets */
  74
  75         return !IN_SET(type,
  76                        0,
  77                        DNS_TYPE_OPT,
  78                        DNS_TYPE_TSIG,
  79                        DNS_TYPE_TKEY,
  80
  81                        /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
  82                         * they aren't really payload, but signatures for payload, and cannot be validated on their
  83                         * own. After all they are the signatures, and have no signatures of their own validating
  84                         * them. */
  85                        DNS_TYPE_RRSIG);
  86 }
  87
  88 bool dns_type_is_zone_transer(uint16_t type) {
  89
  90         /* Zone transfers, either normal or incremental */
  91
  92         return IN_SET(type,
  93                       DNS_TYPE_AXFR,
  94                       DNS_TYPE_IXFR);
  95 }
  96
  97 bool dns_type_is_valid_rr(uint16_t type) {
  98
  99         /* The types valid as RR in packets (but not necessarily
 100          * stored on servers). */
 101
 102         return !IN_SET(type,
 103                        DNS_TYPE_ANY,
 104                        DNS_TYPE_AXFR,
 105                        DNS_TYPE_IXFR);
 106 }
 107
 108 bool dns_class_is_valid_rr(uint16_t class) {
 109         return class != DNS_CLASS_ANY;
 110 }
 111
 112 bool dns_type_may_redirect(uint16_t type) {
 113         /* The following record types should never be redirected using
 114          * CNAME/DNAME RRs. See
 115          * <https://tools.ietf.org/html/rfc4035#section-2.5>. */
 116
 117         if (dns_type_is_pseudo(type))
 118                 return false;
 119
 120         return !IN_SET(type,
 121                        DNS_TYPE_CNAME,
 122                        DNS_TYPE_DNAME,
 123                        DNS_TYPE_NSEC3,
 124                        DNS_TYPE_NSEC,
 125                        DNS_TYPE_RRSIG,
 126                        DNS_TYPE_NXT,
 127                        DNS_TYPE_SIG,
 128                        DNS_TYPE_KEY);
 129 }
 130
 131 bool dns_type_may_wildcard(uint16_t type) {
 132
 133         /* The following records may not be expanded from wildcard RRsets */
 134
 135         if (dns_type_is_pseudo(type))
 136                 return false;
 137
 138         return !IN_SET(type,
 139                        DNS_TYPE_NSEC3,
 140                        DNS_TYPE_SOA,
 141
 142                        /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
 143                        DNS_TYPE_DNAME);
 144 }
 145
 146 bool dns_type_apex_only(uint16_t type) {
 147
 148         /* Returns true for all RR types that may only appear signed in a zone apex */
 149
 150         return IN_SET(type,
 151                       DNS_TYPE_SOA,
 152                       DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
 153                       DNS_TYPE_DNSKEY,
 154                       DNS_TYPE_NSEC3PARAM);
 155 }
 156
 157 bool dns_type_is_dnssec(uint16_t type) {
 158         return IN_SET(type,
 159                       DNS_TYPE_DS,
 160                       DNS_TYPE_DNSKEY,
 161                       DNS_TYPE_RRSIG,
 162                       DNS_TYPE_NSEC,
 163                       DNS_TYPE_NSEC3,
 164                       DNS_TYPE_NSEC3PARAM);
 165 }
 166
 167 bool dns_type_is_obsolete(uint16_t type) {
 168         return IN_SET(type,
 169                       /* Obsoleted by RFC 973 */
 170                       DNS_TYPE_MD,
 171                       DNS_TYPE_MF,
 172                       DNS_TYPE_MAILA,
 173
 174                       /* Kinda obsoleted by RFC 2505 */
 175                       DNS_TYPE_MB,
 176                       DNS_TYPE_MG,
 177                       DNS_TYPE_MR,
 178                       DNS_TYPE_MINFO,
 179                       DNS_TYPE_MAILB,
 180
 181                       /* RFC1127 kinda obsoleted this by recommending against its use */
 182                       DNS_TYPE_WKS,
 183
 184                       /* Declared historical by RFC 6563 */
 185                       DNS_TYPE_A6,
 186
 187                       /* Obsoleted by DNSSEC-bis */
 188                       DNS_TYPE_NXT,
 189
 190                       /* RFC 1035 removed support for concepts that needed this from RFC 883 */
 191                       DNS_TYPE_NULL);
 192 }
 193
 194 bool dns_type_needs_authentication(uint16_t type) {
 195
 196         /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
 197          * authenticated. I.e. everything that contains crypto keys. */
 198
 199         return IN_SET(type,
 200                       DNS_TYPE_CERT,
 201                       DNS_TYPE_SSHFP,
 202                       DNS_TYPE_IPSECKEY,
 203                       DNS_TYPE_DS,
 204                       DNS_TYPE_DNSKEY,
 205                       DNS_TYPE_TLSA,
 206                       DNS_TYPE_CDNSKEY,
 207                       DNS_TYPE_OPENPGPKEY,
 208                       DNS_TYPE_CAA);
 209 }
 210
 211 int dns_type_to_af(uint16_t t) {
 212         switch (t) {
 213
 214         case DNS_TYPE_A:
 215                 return AF_INET;
 216
 217         case DNS_TYPE_AAAA:
 218                 return AF_INET6;
 219
 220         case DNS_TYPE_ANY:
 221                 return AF_UNSPEC;
 222
 223         default:
 224                 return -EINVAL;
 225         }
 226 }
 227
 228 const char *dns_class_to_string(uint16_t class) {
 229
 230         switch (class) {
 231
 232         case DNS_CLASS_IN:
 233                 return "IN";
 234
 235         case DNS_CLASS_ANY:
 236                 return "ANY";
 237         }
 238
 239         return NULL;
 240 }
 241
 242 int dns_class_from_string(const char *s) {
 243
 244         if (!s)
 245                 return _DNS_CLASS_INVALID;
 246
 247         if (strcaseeq(s, "IN"))
 248                 return DNS_CLASS_IN;
 249         else if (strcaseeq(s, "ANY"))
 250                 return DNS_CLASS_ANY;
 251
 252         return _DNS_CLASS_INVALID;
 253 }
 254
 255 const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
 256
 257         switch (cert_usage) {
 258
 259         case 0:
 260                 return "CA constraint";
 261
 262         case 1:
 263                 return "Service certificate constraint";
 264
 265         case 2:
 266                 return "Trust anchor assertion";
 267
 268         case 3:
 269                 return "Domain-issued certificate";
 270
 271         case 4 ... 254:
 272                 return "Unassigned";
 273
 274         case 255:
 275                 return "Private use";
 276         }
 277
 278         return NULL;  /* clang cannot count that we covered everything */
 279 }
 280
 281 const char* tlsa_selector_to_string(uint8_t selector) {
 282         switch (selector) {
 283
 284         case 0:
 285                 return "Full Certificate";
 286
 287         case 1:
 288                 return "SubjectPublicKeyInfo";
 289
 290         case 2 ... 254:
 291                 return "Unassigned";
 292
 293         case 255:
 294                 return "Private use";
 295         }
 296
 297         return NULL;
 298 }
 299
 300 const char* tlsa_matching_type_to_string(uint8_t selector) {
 301
 302         switch (selector) {
 303
 304         case 0:
 305                 return "No hash used";
 306
 307         case 1:
 308                 return "SHA-256";
 309
 310         case 2:
 311                 return "SHA-512";
 312
 313         case 3 ... 254:
 314                 return "Unassigned";
 315
 316         case 255:
 317                 return "Private use";
 318         }
 319
 320         return NULL;
 321 }