1 /* SPDX-License-Identifier: LGPL-2.1+ */
6 #include "alloc-util.h"
7 #include "dns-domain.h"
8 #include "format-util.h"
9 #include "resolved-dns-answer.h"
10 #include "resolved-dns-cache.h"
11 #include "resolved-dns-packet.h"
12 #include "string-util.h"
14 /* Never cache more than 4K entries. RFC 1536, Section 5 suggests to
15 * leave DNS caches unbounded, but that's crazy. */
16 #define CACHE_MAX 4096
18 /* We never keep any item longer than 2h in our cache */
19 #define CACHE_TTL_MAX_USEC (2 * USEC_PER_HOUR)
21 /* How long to cache strange rcodes, i.e. rcodes != SUCCESS and != NXDOMAIN (specifically: that's only SERVFAIL for
23 #define CACHE_TTL_STRANGE_RCODE_USEC (30 * USEC_PER_SEC)
25 typedef enum DnsCacheItemType DnsCacheItemType
;
26 typedef struct DnsCacheItem DnsCacheItem
;
28 enum DnsCacheItemType
{
32 DNS_CACHE_RCODE
, /* "strange" RCODE (effective only SERVFAIL for now) */
36 DnsCacheItemType type
;
38 DnsResourceRecord
*rr
;
47 union in_addr_union owner_address
;
50 LIST_FIELDS(DnsCacheItem
, by_key
);
53 static const char *dns_cache_item_type_to_string(DnsCacheItem
*item
) {
58 case DNS_CACHE_POSITIVE
:
61 case DNS_CACHE_NODATA
:
64 case DNS_CACHE_NXDOMAIN
:
68 return dns_rcode_to_string(item
->rcode
);
74 static void dns_cache_item_free(DnsCacheItem
*i
) {
78 dns_resource_record_unref(i
->rr
);
79 dns_resource_key_unref(i
->key
);
83 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsCacheItem
*, dns_cache_item_free
);
85 static void dns_cache_item_unlink_and_free(DnsCache
*c
, DnsCacheItem
*i
) {
93 first
= hashmap_get(c
->by_key
, i
->key
);
94 LIST_REMOVE(by_key
, first
, i
);
97 assert_se(hashmap_replace(c
->by_key
, first
->key
, first
) >= 0);
99 hashmap_remove(c
->by_key
, i
->key
);
101 prioq_remove(c
->by_expiry
, i
, &i
->prioq_idx
);
103 dns_cache_item_free(i
);
106 static bool dns_cache_remove_by_rr(DnsCache
*c
, DnsResourceRecord
*rr
) {
107 DnsCacheItem
*first
, *i
;
110 first
= hashmap_get(c
->by_key
, rr
->key
);
111 LIST_FOREACH(by_key
, i
, first
) {
112 r
= dns_resource_record_equal(i
->rr
, rr
);
116 dns_cache_item_unlink_and_free(c
, i
);
124 static bool dns_cache_remove_by_key(DnsCache
*c
, DnsResourceKey
*key
) {
125 DnsCacheItem
*first
, *i
, *n
;
130 first
= hashmap_remove(c
->by_key
, key
);
134 LIST_FOREACH_SAFE(by_key
, i
, n
, first
) {
135 prioq_remove(c
->by_expiry
, i
, &i
->prioq_idx
);
136 dns_cache_item_free(i
);
142 void dns_cache_flush(DnsCache
*c
) {
147 while ((key
= hashmap_first_key(c
->by_key
)))
148 dns_cache_remove_by_key(c
, key
);
150 assert(hashmap_size(c
->by_key
) == 0);
151 assert(prioq_size(c
->by_expiry
) == 0);
153 c
->by_key
= hashmap_free(c
->by_key
);
154 c
->by_expiry
= prioq_free(c
->by_expiry
);
157 static void dns_cache_make_space(DnsCache
*c
, unsigned add
) {
163 /* Makes space for n new entries. Note that we actually allow
164 * the cache to grow beyond CACHE_MAX, but only when we shall
165 * add more RRs to the cache than CACHE_MAX at once. In that
166 * case the cache will be emptied completely otherwise. */
169 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
172 if (prioq_size(c
->by_expiry
) <= 0)
175 if (prioq_size(c
->by_expiry
) + add
< CACHE_MAX
)
178 i
= prioq_peek(c
->by_expiry
);
181 /* Take an extra reference to the key so that it
182 * doesn't go away in the middle of the remove call */
183 key
= dns_resource_key_ref(i
->key
);
184 dns_cache_remove_by_key(c
, key
);
188 void dns_cache_prune(DnsCache
*c
) {
193 /* Remove all entries that are past their TTL */
197 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
199 i
= prioq_peek(c
->by_expiry
);
204 t
= now(clock_boottime_or_monotonic());
209 /* Depending whether this is an mDNS shared entry
210 * either remove only this one RR or the whole RRset */
211 log_debug("Removing %scache entry for %s (expired "USEC_FMT
"s ago)",
212 i
->shared_owner
? "shared " : "",
213 dns_resource_key_to_string(i
->key
, key_str
, sizeof key_str
),
214 (t
- i
->until
) / USEC_PER_SEC
);
217 dns_cache_item_unlink_and_free(c
, i
);
219 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
221 /* Take an extra reference to the key so that it
222 * doesn't go away in the middle of the remove call */
223 key
= dns_resource_key_ref(i
->key
);
224 dns_cache_remove_by_key(c
, key
);
229 static int dns_cache_item_prioq_compare_func(const void *a
, const void *b
) {
230 const DnsCacheItem
*x
= a
, *y
= b
;
232 return CMP(x
->until
, y
->until
);
235 static int dns_cache_init(DnsCache
*c
) {
240 r
= prioq_ensure_allocated(&c
->by_expiry
, dns_cache_item_prioq_compare_func
);
244 r
= hashmap_ensure_allocated(&c
->by_key
, &dns_resource_key_hash_ops
);
251 static int dns_cache_link_item(DnsCache
*c
, DnsCacheItem
*i
) {
258 r
= prioq_put(c
->by_expiry
, i
, &i
->prioq_idx
);
262 first
= hashmap_get(c
->by_key
, i
->key
);
264 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*k
= NULL
;
266 /* Keep a reference to the original key, while we manipulate the list. */
267 k
= dns_resource_key_ref(first
->key
);
269 /* Now, try to reduce the number of keys we keep */
270 dns_resource_key_reduce(&first
->key
, &i
->key
);
273 dns_resource_key_reduce(&first
->rr
->key
, &i
->key
);
275 dns_resource_key_reduce(&i
->rr
->key
, &i
->key
);
277 LIST_PREPEND(by_key
, first
, i
);
278 assert_se(hashmap_replace(c
->by_key
, first
->key
, first
) >= 0);
280 r
= hashmap_put(c
->by_key
, i
->key
, i
);
282 prioq_remove(c
->by_expiry
, i
, &i
->prioq_idx
);
290 static DnsCacheItem
* dns_cache_get(DnsCache
*c
, DnsResourceRecord
*rr
) {
296 LIST_FOREACH(by_key
, i
, hashmap_get(c
->by_key
, rr
->key
))
297 if (i
->rr
&& dns_resource_record_equal(i
->rr
, rr
) > 0)
303 static usec_t
calculate_until(DnsResourceRecord
*rr
, uint32_t nsec_ttl
, usec_t timestamp
, bool use_soa_minimum
) {
309 ttl
= MIN(rr
->ttl
, nsec_ttl
);
310 if (rr
->key
->type
== DNS_TYPE_SOA
&& use_soa_minimum
) {
311 /* If this is a SOA RR, and it is requested, clamp to
312 * the SOA's minimum field. This is used when we do
313 * negative caching, to determine the TTL for the
314 * negative caching entry. See RFC 2308, Section
317 if (ttl
> rr
->soa
.minimum
)
318 ttl
= rr
->soa
.minimum
;
321 u
= ttl
* USEC_PER_SEC
;
322 if (u
> CACHE_TTL_MAX_USEC
)
323 u
= CACHE_TTL_MAX_USEC
;
325 if (rr
->expiry
!= USEC_INFINITY
) {
328 /* Make use of the DNSSEC RRSIG expiry info, if we
331 left
= LESS_BY(rr
->expiry
, now(CLOCK_REALTIME
));
336 return timestamp
+ u
;
339 static void dns_cache_item_update_positive(
342 DnsResourceRecord
*rr
,
348 const union in_addr_union
*owner_address
) {
353 assert(owner_address
);
355 i
->type
= DNS_CACHE_POSITIVE
;
358 /* We are the first item in the list, we need to
359 * update the key used in the hashmap */
361 assert_se(hashmap_replace(c
->by_key
, rr
->key
, i
) >= 0);
363 dns_resource_record_ref(rr
);
364 dns_resource_record_unref(i
->rr
);
367 dns_resource_key_unref(i
->key
);
368 i
->key
= dns_resource_key_ref(rr
->key
);
370 i
->until
= calculate_until(rr
, (uint32_t) -1, timestamp
, false);
371 i
->authenticated
= authenticated
;
372 i
->shared_owner
= shared_owner
;
374 i
->ifindex
= ifindex
;
376 i
->owner_family
= owner_family
;
377 i
->owner_address
= *owner_address
;
379 prioq_reshuffle(c
->by_expiry
, i
, &i
->prioq_idx
);
382 static int dns_cache_put_positive(
384 DnsResourceRecord
*rr
,
390 const union in_addr_union
*owner_address
) {
392 _cleanup_(dns_cache_item_freep
) DnsCacheItem
*i
= NULL
;
393 DnsCacheItem
*existing
;
394 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
399 assert(owner_address
);
401 /* Never cache pseudo RRs */
402 if (dns_class_is_pseudo(rr
->key
->class))
404 if (dns_type_is_pseudo(rr
->key
->type
))
407 /* New TTL is 0? Delete this specific entry... */
409 k
= dns_cache_remove_by_rr(c
, rr
);
411 k
> 0 ? "Removed zero TTL entry from cache" : "Not caching zero TTL cache entry",
412 dns_resource_key_to_string(rr
->key
, key_str
, sizeof key_str
));
416 /* Entry exists already? Update TTL, timestamp and owner */
417 existing
= dns_cache_get(c
, rr
);
419 dns_cache_item_update_positive(
432 /* Otherwise, add the new RR */
433 r
= dns_cache_init(c
);
437 dns_cache_make_space(c
, 1);
439 i
= new0(DnsCacheItem
, 1);
443 i
->type
= DNS_CACHE_POSITIVE
;
444 i
->key
= dns_resource_key_ref(rr
->key
);
445 i
->rr
= dns_resource_record_ref(rr
);
446 i
->until
= calculate_until(rr
, (uint32_t) -1, timestamp
, false);
447 i
->authenticated
= authenticated
;
448 i
->shared_owner
= shared_owner
;
449 i
->ifindex
= ifindex
;
450 i
->owner_family
= owner_family
;
451 i
->owner_address
= *owner_address
;
452 i
->prioq_idx
= PRIOQ_IDX_NULL
;
454 r
= dns_cache_link_item(c
, i
);
459 _cleanup_free_
char *t
= NULL
;
460 char ifname
[IF_NAMESIZE
+ 1];
462 (void) in_addr_to_string(i
->owner_family
, &i
->owner_address
, &t
);
464 log_debug("Added positive %s%s cache entry for %s "USEC_FMT
"s on %s/%s/%s",
465 i
->authenticated
? "authenticated" : "unauthenticated",
466 i
->shared_owner
? " shared" : "",
467 dns_resource_key_to_string(i
->key
, key_str
, sizeof key_str
),
468 (i
->until
- timestamp
) / USEC_PER_SEC
,
469 i
->ifindex
== 0 ? "*" : strna(format_ifname(i
->ifindex
, ifname
)),
470 af_to_name_short(i
->owner_family
),
478 static int dns_cache_put_negative(
485 DnsResourceRecord
*soa
,
487 const union in_addr_union
*owner_address
) {
489 _cleanup_(dns_cache_item_freep
) DnsCacheItem
*i
= NULL
;
490 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
495 assert(owner_address
);
497 /* Never cache pseudo RR keys. DNS_TYPE_ANY is particularly
498 * important to filter out as we use this as a pseudo-type for
499 * NXDOMAIN entries */
500 if (dns_class_is_pseudo(key
->class))
502 if (dns_type_is_pseudo(key
->type
))
505 if (IN_SET(rcode
, DNS_RCODE_SUCCESS
, DNS_RCODE_NXDOMAIN
)) {
509 /* For negative replies, check if we have a TTL of a SOA */
510 if (nsec_ttl
<= 0 || soa
->soa
.minimum
<= 0 || soa
->ttl
<= 0) {
511 log_debug("Not caching negative entry with zero SOA/NSEC/NSEC3 TTL: %s",
512 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
515 } else if (rcode
!= DNS_RCODE_SERVFAIL
)
518 r
= dns_cache_init(c
);
522 dns_cache_make_space(c
, 1);
524 i
= new0(DnsCacheItem
, 1);
529 rcode
== DNS_RCODE_SUCCESS
? DNS_CACHE_NODATA
:
530 rcode
== DNS_RCODE_NXDOMAIN
? DNS_CACHE_NXDOMAIN
: DNS_CACHE_RCODE
;
532 i
->type
== DNS_CACHE_RCODE
? timestamp
+ CACHE_TTL_STRANGE_RCODE_USEC
:
533 calculate_until(soa
, nsec_ttl
, timestamp
, true);
534 i
->authenticated
= authenticated
;
535 i
->owner_family
= owner_family
;
536 i
->owner_address
= *owner_address
;
537 i
->prioq_idx
= PRIOQ_IDX_NULL
;
540 if (i
->type
== DNS_CACHE_NXDOMAIN
) {
541 /* NXDOMAIN entries should apply equally to all types, so we use ANY as
542 * a pseudo type for this purpose here. */
543 i
->key
= dns_resource_key_new(key
->class, DNS_TYPE_ANY
, dns_resource_key_name(key
));
547 /* Make sure to remove any previous entry for this
548 * specific ANY key. (For non-ANY keys the cache data
549 * is already cleared by the caller.) Note that we
550 * don't bother removing positive or NODATA cache
551 * items in this case, because it would either be slow
552 * or require explicit indexing by name */
553 dns_cache_remove_by_key(c
, key
);
555 i
->key
= dns_resource_key_ref(key
);
557 r
= dns_cache_link_item(c
, i
);
561 log_debug("Added %s cache entry for %s "USEC_FMT
"s",
562 dns_cache_item_type_to_string(i
),
563 dns_resource_key_to_string(i
->key
, key_str
, sizeof key_str
),
564 (i
->until
- timestamp
) / USEC_PER_SEC
);
570 static void dns_cache_remove_previous(
575 DnsResourceRecord
*rr
;
576 DnsAnswerFlags flags
;
580 /* First, if we were passed a key (i.e. on LLMNR/DNS, but
581 * not on mDNS), delete all matching old RRs, so that we only
582 * keep complete by_key in place. */
584 dns_cache_remove_by_key(c
, key
);
586 /* Second, flush all entries matching the answer, unless this
587 * is an RR that is explicitly marked to be "shared" between
588 * peers (i.e. mDNS RRs without the flush-cache bit set). */
589 DNS_ANSWER_FOREACH_FLAGS(rr
, flags
, answer
) {
590 if ((flags
& DNS_ANSWER_CACHEABLE
) == 0)
593 if (flags
& DNS_ANSWER_SHARED_OWNER
)
596 dns_cache_remove_by_key(c
, rr
->key
);
600 static bool rr_eligible(DnsResourceRecord
*rr
) {
603 /* When we see an NSEC/NSEC3 RR, we'll only cache it if it is from the lower zone, not the upper zone, since
604 * that's where the interesting bits are (with exception of DS RRs). Of course, this way we cannot derive DS
605 * existence from any cached NSEC/NSEC3, but that should be fine. */
607 switch (rr
->key
->type
) {
610 return !bitmap_isset(rr
->nsec
.types
, DNS_TYPE_NS
) ||
611 bitmap_isset(rr
->nsec
.types
, DNS_TYPE_SOA
);
614 return !bitmap_isset(rr
->nsec3
.types
, DNS_TYPE_NS
) ||
615 bitmap_isset(rr
->nsec3
.types
, DNS_TYPE_SOA
);
624 DnsCacheMode cache_mode
,
632 const union in_addr_union
*owner_address
) {
634 DnsResourceRecord
*soa
= NULL
, *rr
;
635 bool weird_rcode
= false;
636 DnsAnswerFlags flags
;
641 assert(owner_address
);
643 dns_cache_remove_previous(c
, key
, answer
);
645 /* We only care for positive replies and NXDOMAINs, on all other replies we will simply flush the respective
646 * entries, and that's it. (Well, with one further exception: since some DNS zones (akamai!) return SERVFAIL
647 * consistently for some lookups, and forwarders tend to propagate that we'll cache that too, but only for a
650 if (IN_SET(rcode
, DNS_RCODE_SUCCESS
, DNS_RCODE_NXDOMAIN
)) {
651 if (dns_answer_size(answer
) <= 0) {
653 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
655 log_debug("Not caching negative entry without a SOA record: %s",
656 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
662 /* Only cache SERVFAIL as "weird" rcode for now. We can add more later, should that turn out to be
664 if (rcode
!= DNS_RCODE_SERVFAIL
)
670 cache_keys
= dns_answer_size(answer
);
674 /* Make some space for our new entries */
675 dns_cache_make_space(c
, cache_keys
);
678 timestamp
= now(clock_boottime_or_monotonic());
680 /* Second, add in positive entries for all contained RRs */
681 DNS_ANSWER_FOREACH_FULL(rr
, ifindex
, flags
, answer
) {
682 if ((flags
& DNS_ANSWER_CACHEABLE
) == 0 ||
686 r
= dns_cache_put_positive(
689 flags
& DNS_ANSWER_AUTHENTICATED
,
690 flags
& DNS_ANSWER_SHARED_OWNER
,
693 owner_family
, owner_address
);
698 if (!key
) /* mDNS doesn't know negative caching, really */
701 /* Third, add in negative entries if the key has no RR */
702 r
= dns_answer_match_key(answer
, key
, NULL
);
708 /* But not if it has a matching CNAME/DNAME (the negative
709 * caching will be done on the canonical name, not on the
711 r
= dns_answer_find_cname_or_dname(answer
, key
, NULL
, NULL
);
717 /* See https://tools.ietf.org/html/rfc2308, which say that a matching SOA record in the packet is used to
718 * enable negative caching. We apply one exception though: if we are about to cache a weird rcode we do so
719 * regardless of a SOA. */
720 r
= dns_answer_find_soa(answer
, key
, &soa
, &flags
);
723 if (r
== 0 && !weird_rcode
)
726 /* Refuse using the SOA data if it is unsigned, but the key is
728 if (authenticated
&& (flags
& DNS_ANSWER_AUTHENTICATED
) == 0)
732 if (cache_mode
== DNS_CACHE_MODE_NO_NEGATIVE
) {
733 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
734 log_debug("Not caching negative entry for: %s, cache mode set to no-negative",
735 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
739 r
= dns_cache_put_negative(
747 owner_family
, owner_address
);
754 /* Adding all RRs failed. Let's clean up what we already
755 * added, just in case */
758 dns_cache_remove_by_key(c
, key
);
760 DNS_ANSWER_FOREACH_FLAGS(rr
, flags
, answer
) {
761 if ((flags
& DNS_ANSWER_CACHEABLE
) == 0)
764 dns_cache_remove_by_key(c
, rr
->key
);
770 static DnsCacheItem
*dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache
*c
, DnsResourceKey
*k
) {
778 /* If we hit some OOM error, or suchlike, we don't care too
779 * much, after all this is just a cache */
781 i
= hashmap_get(c
->by_key
, k
);
785 n
= dns_resource_key_name(k
);
787 /* Check if we have an NXDOMAIN cache item for the name, notice that we use
788 * the pseudo-type ANY for NXDOMAIN cache items. */
789 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_ANY
, n
));
790 if (i
&& i
->type
== DNS_CACHE_NXDOMAIN
)
793 if (dns_type_may_redirect(k
->type
)) {
794 /* Check if we have a CNAME record instead */
795 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_CNAME
, n
));
796 if (i
&& i
->type
!= DNS_CACHE_NODATA
)
799 /* OK, let's look for cached DNAME records. */
804 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_DNAME
, n
));
805 if (i
&& i
->type
!= DNS_CACHE_NODATA
)
808 /* Jump one label ahead */
809 r
= dns_name_parent(&n
);
815 if (k
->type
!= DNS_TYPE_NSEC
) {
816 /* Check if we have an NSEC record instead for the name. */
817 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_NSEC
, n
));
825 int dns_cache_lookup(DnsCache
*c
, DnsResourceKey
*key
, bool clamp_ttl
, int *rcode
, DnsAnswer
**ret
, bool *authenticated
) {
826 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
827 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
830 bool nxdomain
= false;
831 DnsCacheItem
*j
, *first
, *nsec
= NULL
;
832 bool have_authenticated
= false, have_non_authenticated
= false;
834 int found_rcode
= -1;
840 assert(authenticated
);
842 if (key
->type
== DNS_TYPE_ANY
|| key
->class == DNS_CLASS_ANY
) {
843 /* If we have ANY lookups we don't use the cache, so
844 * that the caller refreshes via the network. */
846 log_debug("Ignoring cache for ANY lookup: %s",
847 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
852 *rcode
= DNS_RCODE_SUCCESS
;
853 *authenticated
= false;
858 first
= dns_cache_get_by_key_follow_cname_dname_nsec(c
, key
);
860 /* If one question cannot be answered we need to refresh */
862 log_debug("Cache miss for %s",
863 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
868 *rcode
= DNS_RCODE_SUCCESS
;
869 *authenticated
= false;
874 LIST_FOREACH(by_key
, j
, first
) {
876 if (j
->rr
->key
->type
== DNS_TYPE_NSEC
)
880 } else if (j
->type
== DNS_CACHE_NXDOMAIN
)
882 else if (j
->type
== DNS_CACHE_RCODE
)
883 found_rcode
= j
->rcode
;
885 if (j
->authenticated
)
886 have_authenticated
= true;
888 have_non_authenticated
= true;
891 if (found_rcode
>= 0) {
892 log_debug("RCODE %s cache hit for %s",
893 dns_rcode_to_string(found_rcode
),
894 dns_resource_key_to_string(key
, key_str
, sizeof(key_str
)));
897 *rcode
= found_rcode
;
898 *authenticated
= false;
904 if (nsec
&& !IN_SET(key
->type
, DNS_TYPE_NSEC
, DNS_TYPE_DS
)) {
905 /* Note that we won't derive information for DS RRs from an NSEC, because we only cache NSEC RRs from
906 * the lower-zone of a zone cut, but the DS RRs are on the upper zone. */
908 log_debug("NSEC NODATA cache hit for %s",
909 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
911 /* We only found an NSEC record that matches our name.
912 * If it says the type doesn't exist report
913 * NODATA. Otherwise report a cache miss. */
916 *rcode
= DNS_RCODE_SUCCESS
;
917 *authenticated
= nsec
->authenticated
;
919 if (!bitmap_isset(nsec
->rr
->nsec
.types
, key
->type
) &&
920 !bitmap_isset(nsec
->rr
->nsec
.types
, DNS_TYPE_CNAME
) &&
921 !bitmap_isset(nsec
->rr
->nsec
.types
, DNS_TYPE_DNAME
)) {
930 log_debug("%s cache hit for %s",
932 nxdomain
? "NXDOMAIN" : "NODATA",
933 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
939 *rcode
= nxdomain
? DNS_RCODE_NXDOMAIN
: DNS_RCODE_SUCCESS
;
940 *authenticated
= have_authenticated
&& !have_non_authenticated
;
944 answer
= dns_answer_new(n
);
949 current
= now(clock_boottime_or_monotonic());
951 LIST_FOREACH(by_key
, j
, first
) {
952 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
958 rr
= dns_resource_record_ref(j
->rr
);
960 r
= dns_resource_record_clamp_ttl(&rr
, LESS_BY(j
->until
, current
) / USEC_PER_SEC
);
965 r
= dns_answer_add(answer
, rr
?: j
->rr
, j
->ifindex
, j
->authenticated
? DNS_ANSWER_AUTHENTICATED
: 0);
973 *rcode
= DNS_RCODE_SUCCESS
;
974 *authenticated
= have_authenticated
&& !have_non_authenticated
;
980 int dns_cache_check_conflicts(DnsCache
*cache
, DnsResourceRecord
*rr
, int owner_family
, const union in_addr_union
*owner_address
) {
981 DnsCacheItem
*i
, *first
;
982 bool same_owner
= true;
987 dns_cache_prune(cache
);
989 /* See if there's a cache entry for the same key. If there
990 * isn't there's no conflict */
991 first
= hashmap_get(cache
->by_key
, rr
->key
);
995 /* See if the RR key is owned by the same owner, if so, there
996 * isn't a conflict either */
997 LIST_FOREACH(by_key
, i
, first
) {
998 if (i
->owner_family
!= owner_family
||
999 !in_addr_equal(owner_family
, &i
->owner_address
, owner_address
)) {
1007 /* See if there's the exact same RR in the cache. If yes, then
1008 * there's no conflict. */
1009 if (dns_cache_get(cache
, rr
))
1012 /* There's a conflict */
1016 int dns_cache_export_shared_to_packet(DnsCache
*cache
, DnsPacket
*p
) {
1017 unsigned ancount
= 0;
1025 HASHMAP_FOREACH(i
, cache
->by_key
, iterator
) {
1028 LIST_FOREACH(by_key
, j
, i
) {
1032 if (!j
->shared_owner
)
1035 r
= dns_packet_append_rr(p
, j
->rr
, 0, NULL
, NULL
);
1036 if (r
== -EMSGSIZE
&& p
->protocol
== DNS_PROTOCOL_MDNS
) {
1037 /* For mDNS, if we're unable to stuff all known answers into the given packet,
1038 * allocate a new one, push the RR into that one and link it to the current one.
1041 DNS_PACKET_HEADER(p
)->ancount
= htobe16(ancount
);
1044 r
= dns_packet_new_query(&p
->more
, p
->protocol
, 0, true);
1048 /* continue with new packet */
1050 r
= dns_packet_append_rr(p
, j
->rr
, 0, NULL
, NULL
);
1060 DNS_PACKET_HEADER(p
)->ancount
= htobe16(ancount
);
1065 void dns_cache_dump(DnsCache
*cache
, FILE *f
) {
1075 HASHMAP_FOREACH(i
, cache
->by_key
, iterator
) {
1078 LIST_FOREACH(by_key
, j
, i
) {
1084 t
= dns_resource_record_to_string(j
->rr
);
1093 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
1095 fputs(dns_resource_key_to_string(j
->key
, key_str
, sizeof key_str
), f
);
1097 fputs(dns_cache_item_type_to_string(j
), f
);
1104 bool dns_cache_is_empty(DnsCache
*cache
) {
1108 return hashmap_isempty(cache
->by_key
);
1111 unsigned dns_cache_size(DnsCache
*cache
) {
1115 return hashmap_size(cache
->by_key
);