]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: use ASSERT_PTR more
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "sd-messages.h"
4
5 #include "af-list.h"
6 #include "alloc-util.h"
7 #include "dns-domain.h"
8 #include "errno-list.h"
9 #include "errno-util.h"
10 #include "fd-util.h"
11 #include "glyph-util.h"
12 #include "random-util.h"
13 #include "resolved-dns-cache.h"
14 #include "resolved-dns-transaction.h"
15 #include "resolved-dnstls.h"
16 #include "resolved-llmnr.h"
17 #include "string-table.h"
18
19 #define TRANSACTIONS_MAX 4096
20 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
21
22 /* After how much time to repeat classic DNS requests */
23 #define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
24
25 static void dns_transaction_reset_answer(DnsTransaction *t) {
26 assert(t);
27
28 t->received = dns_packet_unref(t->received);
29 t->answer = dns_answer_unref(t->answer);
30 t->answer_rcode = 0;
31 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
32 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
33 t->answer_query_flags = 0;
34 t->answer_nsec_ttl = UINT32_MAX;
35 t->answer_errno = 0;
36 }
37
38 static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
39 DnsTransaction *z;
40
41 assert(t);
42
43 while ((z = set_steal_first(t->dnssec_transactions))) {
44 set_remove(z->notify_transactions, t);
45 set_remove(z->notify_transactions_done, t);
46 dns_transaction_gc(z);
47 }
48 }
49
50 static void dns_transaction_close_connection(
51 DnsTransaction *t,
52 bool use_graveyard) { /* Set use_graveyard = false when you know the connection is already
53 * dead, for example because you got a connection error back from the
54 * kernel. In that case there's no point in keeping the fd around,
55 * hence don't. */
56 int r;
57
58 assert(t);
59
60 if (t->stream) {
61 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
62 LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
63
64 /* Remove packet in case it's still in the queue */
65 dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
66
67 t->stream = dns_stream_unref(t->stream);
68 }
69
70 t->dns_udp_event_source = sd_event_source_disable_unref(t->dns_udp_event_source);
71
72 /* If we have an UDP socket where we sent a packet, but never received one, then add it to the socket
73 * graveyard, instead of closing it right away. That way it will stick around for a moment longer,
74 * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP
75 * port unreachable error message. */
76
77 if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) {
78 r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd);
79 if (r < 0)
80 log_debug_errno(r, "Failed to add UDP socket to graveyard, closing immediately: %m");
81 else
82 TAKE_FD(t->dns_udp_fd);
83 }
84
85 t->dns_udp_fd = safe_close(t->dns_udp_fd);
86 }
87
88 static void dns_transaction_stop_timeout(DnsTransaction *t) {
89 assert(t);
90
91 t->timeout_event_source = sd_event_source_disable_unref(t->timeout_event_source);
92 }
93
94 DnsTransaction* dns_transaction_free(DnsTransaction *t) {
95 DnsQueryCandidate *c;
96 DnsZoneItem *i;
97 DnsTransaction *z;
98
99 if (!t)
100 return NULL;
101
102 log_debug("Freeing transaction %" PRIu16 ".", t->id);
103
104 dns_transaction_close_connection(t, true);
105 dns_transaction_stop_timeout(t);
106
107 dns_packet_unref(t->sent);
108 dns_transaction_reset_answer(t);
109
110 dns_server_unref(t->server);
111
112 if (t->scope) {
113 if (t->key) {
114 DnsTransaction *first;
115
116 first = hashmap_get(t->scope->transactions_by_key, t->key);
117 LIST_REMOVE(transactions_by_key, first, t);
118 if (first)
119 hashmap_replace(t->scope->transactions_by_key, first->key, first);
120 else
121 hashmap_remove(t->scope->transactions_by_key, t->key);
122 }
123
124 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
125
126 if (t->id != 0)
127 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
128 }
129
130 while ((c = set_steal_first(t->notify_query_candidates)))
131 set_remove(c->transactions, t);
132 set_free(t->notify_query_candidates);
133
134 while ((c = set_steal_first(t->notify_query_candidates_done)))
135 set_remove(c->transactions, t);
136 set_free(t->notify_query_candidates_done);
137
138 while ((i = set_steal_first(t->notify_zone_items)))
139 i->probe_transaction = NULL;
140 set_free(t->notify_zone_items);
141
142 while ((i = set_steal_first(t->notify_zone_items_done)))
143 i->probe_transaction = NULL;
144 set_free(t->notify_zone_items_done);
145
146 while ((z = set_steal_first(t->notify_transactions)))
147 set_remove(z->dnssec_transactions, t);
148 set_free(t->notify_transactions);
149
150 while ((z = set_steal_first(t->notify_transactions_done)))
151 set_remove(z->dnssec_transactions, t);
152 set_free(t->notify_transactions_done);
153
154 dns_transaction_flush_dnssec_transactions(t);
155 set_free(t->dnssec_transactions);
156
157 dns_answer_unref(t->validated_keys);
158 dns_resource_key_unref(t->key);
159 dns_packet_unref(t->bypass);
160
161 return mfree(t);
162 }
163
164 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
165
166 DnsTransaction* dns_transaction_gc(DnsTransaction *t) {
167 assert(t);
168
169 /* Returns !NULL if we can't gc yet. */
170
171 if (t->block_gc > 0)
172 return t;
173
174 if (set_isempty(t->notify_query_candidates) &&
175 set_isempty(t->notify_query_candidates_done) &&
176 set_isempty(t->notify_zone_items) &&
177 set_isempty(t->notify_zone_items_done) &&
178 set_isempty(t->notify_transactions) &&
179 set_isempty(t->notify_transactions_done))
180 return dns_transaction_free(t);
181
182 return t;
183 }
184
185 static uint16_t pick_new_id(Manager *m) {
186 uint16_t new_id;
187
188 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the
189 * number of transactions, and it's much lower than the space of IDs. */
190
191 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
192
193 do
194 random_bytes(&new_id, sizeof(new_id));
195 while (new_id == 0 ||
196 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
197
198 return new_id;
199 }
200
201 static int key_ok(
202 DnsScope *scope,
203 DnsResourceKey *key) {
204
205 /* Don't allow looking up invalid or pseudo RRs */
206 if (!dns_type_is_valid_query(key->type))
207 return -EINVAL;
208 if (dns_type_is_obsolete(key->type))
209 return -EOPNOTSUPP;
210
211 /* We only support the IN class */
212 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
213 return -EOPNOTSUPP;
214
215 /* Don't allows DNSSEC RRs to be looked up via LLMNR/mDNS. They don't really make sense
216 * there, and it speeds up our queries if we refuse this early */
217 if (scope->protocol != DNS_PROTOCOL_DNS &&
218 dns_type_is_dnssec(key->type))
219 return -EOPNOTSUPP;
220
221 return 0;
222 }
223
224 int dns_transaction_new(
225 DnsTransaction **ret,
226 DnsScope *s,
227 DnsResourceKey *key,
228 DnsPacket *bypass,
229 uint64_t query_flags) {
230
231 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
232 int r;
233
234 assert(ret);
235 assert(s);
236
237 if (key) {
238 assert(!bypass);
239
240 r = key_ok(s, key);
241 if (r < 0)
242 return r;
243 } else {
244 DnsResourceKey *qk;
245 assert(bypass);
246
247 r = dns_packet_validate_query(bypass);
248 if (r < 0)
249 return r;
250
251 DNS_QUESTION_FOREACH(qk, bypass->question) {
252 r = key_ok(s, qk);
253 if (r < 0)
254 return r;
255 }
256 }
257
258 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
259 return -EBUSY;
260
261 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
262 if (r < 0)
263 return r;
264
265 if (key) {
266 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
267 if (r < 0)
268 return r;
269 }
270
271 t = new(DnsTransaction, 1);
272 if (!t)
273 return -ENOMEM;
274
275 *t = (DnsTransaction) {
276 .dns_udp_fd = -1,
277 .answer_source = _DNS_TRANSACTION_SOURCE_INVALID,
278 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
279 .answer_nsec_ttl = UINT32_MAX,
280 .key = dns_resource_key_ref(key),
281 .query_flags = query_flags,
282 .bypass = dns_packet_ref(bypass),
283 .current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID,
284 .clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID,
285 .clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID,
286 .id = pick_new_id(s->manager),
287 };
288
289 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
290 if (r < 0) {
291 t->id = 0;
292 return r;
293 }
294
295 if (t->key) {
296 DnsTransaction *first;
297
298 first = hashmap_get(s->transactions_by_key, t->key);
299 LIST_PREPEND(transactions_by_key, first, t);
300
301 r = hashmap_replace(s->transactions_by_key, first->key, first);
302 if (r < 0) {
303 LIST_REMOVE(transactions_by_key, first, t);
304 return r;
305 }
306 }
307
308 LIST_PREPEND(transactions_by_scope, s->transactions, t);
309 t->scope = s;
310
311 s->manager->n_transactions_total++;
312
313 if (ret)
314 *ret = t;
315
316 TAKE_PTR(t);
317 return 0;
318 }
319
320 static void dns_transaction_shuffle_id(DnsTransaction *t) {
321 uint16_t new_id;
322 assert(t);
323
324 /* Pick a new ID for this transaction. */
325
326 new_id = pick_new_id(t->scope->manager);
327 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
328
329 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
330 t->id = new_id;
331
332 /* Make sure we generate a new packet with the new ID */
333 t->sent = dns_packet_unref(t->sent);
334 }
335
336 static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
337 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
338 DnsZoneItem *z;
339
340 assert(t);
341 assert(p);
342 assert(t->scope->protocol == DNS_PROTOCOL_LLMNR);
343
344 if (manager_packet_from_local_address(t->scope->manager, p) != 0)
345 return;
346
347 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
348 t->id,
349 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
350 dns_protocol_to_string(t->scope->protocol),
351 t->scope->link ? t->scope->link->ifname : "*",
352 af_to_name_short(t->scope->family),
353 IN_ADDR_TO_STRING(p->family, &p->sender));
354
355 /* RFC 4795, Section 4.1 says that the peer with the
356 * lexicographically smaller IP address loses */
357 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
358 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
359 return;
360 }
361
362 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
363
364 t->block_gc++;
365
366 while ((z = set_first(t->notify_zone_items))) {
367 /* First, make sure the zone item drops the reference
368 * to us */
369 dns_zone_item_probe_stop(z);
370
371 /* Secondly, report this as conflict, so that we might
372 * look for a different hostname */
373 dns_zone_item_conflict(z);
374 }
375 t->block_gc--;
376
377 dns_transaction_gc(t);
378 }
379
380 void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
381 DnsQueryCandidate *c;
382 DnsZoneItem *z;
383 DnsTransaction *d;
384 const char *st;
385 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
386
387 assert(t);
388 assert(!DNS_TRANSACTION_IS_LIVE(state));
389
390 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
391 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
392
393 log_struct(LOG_NOTICE,
394 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
395 LOG_MESSAGE("DNSSEC validation failed for question %s: %s",
396 key_str, dnssec_result_to_string(t->answer_dnssec_result)),
397 "DNS_TRANSACTION=%" PRIu16, t->id,
398 "DNS_QUESTION=%s", key_str,
399 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
400 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
401 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
402 }
403
404 /* Note that this call might invalidate the query. Callers
405 * should hence not attempt to access the query or transaction
406 * after calling this function. */
407
408 if (state == DNS_TRANSACTION_ERRNO)
409 st = errno_to_name(t->answer_errno);
410 else
411 st = dns_transaction_state_to_string(state);
412
413 log_debug("%s transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s; %s).",
414 t->bypass ? "Bypass" : "Regular",
415 t->id,
416 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
417 dns_protocol_to_string(t->scope->protocol),
418 t->scope->link ? t->scope->link->ifname : "*",
419 af_to_name_short(t->scope->family),
420 st,
421 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
422 FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
423 (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"),
424 FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential");
425
426 t->state = state;
427
428 dns_transaction_close_connection(t, true);
429 dns_transaction_stop_timeout(t);
430
431 /* Notify all queries that are interested, but make sure the
432 * transaction isn't freed while we are still looking at it */
433 t->block_gc++;
434
435 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
436 dns_query_candidate_notify(c);
437 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
438
439 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
440 dns_zone_item_notify(z);
441 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
442 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
443 (void) dns_scope_announce(t->scope, false);
444
445 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
446 dns_transaction_notify(d, t);
447 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
448
449 t->block_gc--;
450 dns_transaction_gc(t);
451 }
452
453 static void dns_transaction_complete_errno(DnsTransaction *t, int error) {
454 assert(t);
455 assert(error != 0);
456
457 t->answer_errno = abs(error);
458 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
459 }
460
461 static int dns_transaction_pick_server(DnsTransaction *t) {
462 DnsServer *server;
463
464 assert(t);
465 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
466
467 /* Pick a DNS server and a feature level for it. */
468
469 server = dns_scope_get_dns_server(t->scope);
470 if (!server)
471 return -ESRCH;
472
473 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
474 * different properties. */
475 if (server != t->server) {
476 t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
477 t->clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID;
478 }
479
480 t->current_feature_level = dns_server_possible_feature_level(server);
481
482 /* Clamp the feature level if that is requested. */
483 if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
484 t->current_feature_level > t->clamp_feature_level_servfail)
485 t->current_feature_level = t->clamp_feature_level_servfail;
486 if (t->clamp_feature_level_nxdomain != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
487 t->current_feature_level > t->clamp_feature_level_nxdomain)
488 t->current_feature_level = t->clamp_feature_level_nxdomain;
489
490 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
491
492 if (server == t->server)
493 return 0;
494
495 dns_server_unref(t->server);
496 t->server = dns_server_ref(server);
497
498 t->n_picked_servers ++;
499
500 log_debug("Using DNS server %s for transaction %u.", strna(dns_server_string_full(t->server)), t->id);
501
502 return 1;
503 }
504
505 static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
506 int r;
507
508 assert(t);
509
510 /* Retries the transaction as it is, possibly on a different server */
511
512 if (next_server && t->scope->protocol == DNS_PROTOCOL_DNS)
513 log_debug("Retrying transaction %" PRIu16 ", after switching servers.", t->id);
514 else
515 log_debug("Retrying transaction %" PRIu16 ".", t->id);
516
517 /* Before we try again, switch to a new server. */
518 if (next_server)
519 dns_scope_next_dns_server(t->scope, t->server);
520
521 r = dns_transaction_go(t);
522 if (r < 0)
523 dns_transaction_complete_errno(t, r);
524 }
525
526 static bool dns_transaction_limited_retry(DnsTransaction *t) {
527 assert(t);
528
529 /* If we haven't tried all different servers yet, let's try again with a different server */
530
531 if (t->n_picked_servers >= dns_scope_get_n_dns_servers(t->scope))
532 return false;
533
534 dns_transaction_retry(t, /* next_server= */ true);
535 return true;
536 }
537
538 static int dns_transaction_maybe_restart(DnsTransaction *t) {
539 int r;
540
541 assert(t);
542
543 /* Restarts the transaction, under a new ID if the feature level of the server changed since we first
544 * tried, without changing DNS server. Returns > 0 if the transaction was restarted, 0 if not. */
545
546 if (!t->server)
547 return 0;
548
549 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
550 return 0;
551
552 /* The server's current feature level is lower than when we sent the original query. We learnt something from
553 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
554 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
555 OPT RR or DO bit. One of these cases is documented here, for example:
556 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
557
558 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
559 dns_transaction_shuffle_id(t);
560
561 r = dns_transaction_go(t);
562 if (r < 0)
563 return r;
564
565 return 1;
566 }
567
568 static void on_transaction_stream_error(DnsTransaction *t, int error) {
569 assert(t);
570
571 dns_transaction_close_connection(t, true);
572
573 if (ERRNO_IS_DISCONNECT(error)) {
574 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
575 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
576 * question on this scope. */
577 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
578 return;
579 }
580
581 dns_transaction_retry(t, true);
582 return;
583 }
584 if (error != 0)
585 dns_transaction_complete_errno(t, error);
586 }
587
588 static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsStream *s, DnsPacket *p) {
589 bool encrypted;
590
591 assert(t);
592 assert(s);
593 assert(p);
594
595 encrypted = s->encrypted;
596
597 dns_transaction_close_connection(t, true);
598
599 if (dns_packet_validate_reply(p) <= 0) {
600 log_debug("Invalid TCP reply packet.");
601 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
602 return 0;
603 }
604
605 dns_scope_check_conflicts(t->scope, p);
606
607 t->block_gc++;
608 dns_transaction_process_reply(t, p, encrypted);
609 t->block_gc--;
610
611 /* If the response wasn't useful, then complete the transition
612 * now. After all, we are the worst feature set now with TCP
613 * sockets, and there's really no point in retrying. */
614 if (t->state == DNS_TRANSACTION_PENDING)
615 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
616 else
617 dns_transaction_gc(t);
618
619 return 0;
620 }
621
622 static int on_stream_complete(DnsStream *s, int error) {
623 assert(s);
624
625 if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
626 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
627
628 if (s->transactions) {
629 DnsTransaction *t;
630
631 t = s->transactions;
632 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
633 }
634 }
635
636 if (error != 0)
637 LIST_FOREACH(transactions_by_stream, t, s->transactions)
638 on_transaction_stream_error(t, error);
639
640 return 0;
641 }
642
643 static int on_stream_packet(DnsStream *s, DnsPacket *p) {
644 DnsTransaction *t;
645
646 assert(s);
647 assert(s->manager);
648 assert(p);
649
650 t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
651 if (t && t->stream == s) /* Validate that the stream we got this on actually is the stream the
652 * transaction was using. */
653 return dns_transaction_on_stream_packet(t, s, p);
654
655 /* Ignore incorrect transaction id as an old transaction can have been canceled. */
656 log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
657 return 0;
658 }
659
660 static uint16_t dns_transaction_port(DnsTransaction *t) {
661 assert(t);
662
663 if (t->server->port > 0)
664 return t->server->port;
665
666 return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
667 }
668
669 static int dns_transaction_emit_tcp(DnsTransaction *t) {
670 usec_t stream_timeout_usec = DNS_STREAM_DEFAULT_TIMEOUT_USEC;
671 _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
672 _cleanup_close_ int fd = -1;
673 union sockaddr_union sa;
674 DnsStreamType type;
675 int r;
676
677 assert(t);
678 assert(t->sent);
679
680 dns_transaction_close_connection(t, true);
681
682 switch (t->scope->protocol) {
683
684 case DNS_PROTOCOL_DNS:
685 r = dns_transaction_pick_server(t);
686 if (r < 0)
687 return r;
688
689 if (manager_server_is_stub(t->scope->manager, t->server))
690 return -ELOOP;
691
692 if (!t->bypass) {
693 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
694 return -EOPNOTSUPP;
695
696 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
697 if (r < 0)
698 return r;
699 }
700
701 if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
702 s = dns_stream_ref(t->server->stream);
703 else
704 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_transaction_port(t), &sa);
705
706 /* Lower timeout in DNS-over-TLS opportunistic mode. In environments where DoT is blocked
707 * without ICMP response overly long delays when contacting DoT servers are nasty, in
708 * particular if multiple DNS servers are defined which we try in turn and all are
709 * blocked. Hence, substantially lower the timeout in that case. */
710 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) &&
711 dns_server_get_dns_over_tls_mode(t->server) == DNS_OVER_TLS_OPPORTUNISTIC)
712 stream_timeout_usec = DNS_STREAM_OPPORTUNISTIC_TLS_TIMEOUT_USEC;
713
714 type = DNS_STREAM_LOOKUP;
715 break;
716
717 case DNS_PROTOCOL_LLMNR:
718 /* When we already received a reply to this (but it was truncated), send to its sender address */
719 if (t->received)
720 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
721 else {
722 union in_addr_union address;
723 int family = AF_UNSPEC;
724
725 /* Otherwise, try to talk to the owner of a
726 * the IP address, in case this is a reverse
727 * PTR lookup */
728
729 r = dns_name_address(dns_resource_key_name(dns_transaction_key(t)), &family, &address);
730 if (r < 0)
731 return r;
732 if (r == 0)
733 return -EINVAL;
734 if (family != t->scope->family)
735 return -ESRCH;
736
737 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
738 }
739
740 type = DNS_STREAM_LLMNR_SEND;
741 break;
742
743 default:
744 return -EAFNOSUPPORT;
745 }
746
747 if (!s) {
748 if (fd < 0)
749 return fd;
750
751 r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa,
752 on_stream_packet, on_stream_complete, stream_timeout_usec);
753 if (r < 0)
754 return r;
755
756 fd = -1;
757
758 #if ENABLE_DNS_OVER_TLS
759 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
760 DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
761
762 assert(t->server);
763 r = dnstls_stream_connect_tls(s, t->server);
764 if (r < 0)
765 return r;
766 }
767 #endif
768
769 if (t->server) {
770 dns_server_unref_stream(t->server);
771 s->server = dns_server_ref(t->server);
772 t->server->stream = dns_stream_ref(s);
773 }
774
775 /* The interface index is difficult to determine if we are
776 * connecting to the local host, hence fill this in right away
777 * instead of determining it from the socket */
778 s->ifindex = dns_scope_ifindex(t->scope);
779 }
780
781 t->stream = TAKE_PTR(s);
782 LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
783
784 r = dns_stream_write_packet(t->stream, t->sent);
785 if (r < 0) {
786 dns_transaction_close_connection(t, /* use_graveyard= */ false);
787 return r;
788 }
789
790 dns_transaction_reset_answer(t);
791
792 t->tried_stream = true;
793
794 return 0;
795 }
796
797 static void dns_transaction_cache_answer(DnsTransaction *t) {
798 assert(t);
799
800 /* For mDNS we cache whenever we get the packet, rather than
801 * in each transaction. */
802 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
803 return;
804
805 /* Caching disabled? */
806 if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO)
807 return;
808
809 /* If validation is turned off for this transaction, but DNSSEC is on, then let's not cache this */
810 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) && t->scope->dnssec_mode != DNSSEC_NO)
811 return;
812
813 /* Packet from localhost? */
814 if (!t->scope->manager->cache_from_localhost &&
815 in_addr_is_localhost(t->received->family, &t->received->sender) != 0)
816 return;
817
818 dns_cache_put(&t->scope->cache,
819 t->scope->manager->enable_cache,
820 dns_transaction_key(t),
821 t->answer_rcode,
822 t->answer,
823 DNS_PACKET_CD(t->received) ? t->received : NULL, /* only cache full packets with CD on,
824 * since our usecase for caching them
825 * is "bypass" mode which is only
826 * enabled for CD packets. */
827 t->answer_query_flags,
828 t->answer_dnssec_result,
829 t->answer_nsec_ttl,
830 t->received->family,
831 &t->received->sender);
832 }
833
834 static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
835 DnsTransaction *dt;
836
837 assert(t);
838
839 SET_FOREACH(dt, t->dnssec_transactions)
840 if (DNS_TRANSACTION_IS_LIVE(dt->state))
841 return true;
842
843 return false;
844 }
845
846 static int dns_transaction_dnssec_ready(DnsTransaction *t) {
847 DnsTransaction *dt;
848 int r;
849
850 assert(t);
851
852 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
853 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
854
855 SET_FOREACH(dt, t->dnssec_transactions) {
856
857 switch (dt->state) {
858
859 case DNS_TRANSACTION_NULL:
860 case DNS_TRANSACTION_PENDING:
861 case DNS_TRANSACTION_VALIDATING:
862 /* Still ongoing */
863 return 0;
864
865 case DNS_TRANSACTION_RCODE_FAILURE:
866 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
867 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", FORMAT_DNS_RCODE(dt->answer_rcode));
868 goto fail;
869 }
870
871 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
872 * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
873 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
874 * RRs to make unsigned proofs. */
875
876 case DNS_TRANSACTION_SUCCESS:
877 /* All good. */
878 break;
879
880 case DNS_TRANSACTION_DNSSEC_FAILED:
881 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
882 * validation result */
883
884 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
885 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
886 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
887 return 0;
888
889 default:
890 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
891 goto fail;
892 }
893 }
894
895 /* All is ready, we can go and validate */
896 return 1;
897
898 fail:
899 /* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
900 * server due to this failure, and the feature level is now different? Let's see and restart the
901 * transaction if so. If not, let's propagate the auxiliary failure.
902 *
903 * This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
904 * are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
905 r = dns_transaction_maybe_restart(t);
906 if (r < 0)
907 return r;
908 if (r > 0)
909 return 0; /* don't validate just yet, we restarted things */
910
911 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
912 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
913 return 0;
914 }
915
916 static void dns_transaction_process_dnssec(DnsTransaction *t) {
917 int r;
918
919 assert(t);
920
921 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
922 r = dns_transaction_dnssec_ready(t);
923 if (r < 0)
924 goto fail;
925 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
926 return;
927
928 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
929 * restart the lookup immediately. */
930 r = dns_transaction_maybe_restart(t);
931 if (r < 0)
932 goto fail;
933 if (r > 0) /* Transaction got restarted... */
934 return;
935
936 /* All our auxiliary DNSSEC transactions are complete now. Try
937 * to validate our RRset now. */
938 r = dns_transaction_validate_dnssec(t);
939 if (r == -EBADMSG) {
940 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
941 return;
942 }
943 if (r < 0)
944 goto fail;
945
946 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
947 t->scope->dnssec_mode == DNSSEC_YES) {
948
949 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
950 * that works. */
951
952 if (dns_transaction_limited_retry(t))
953 return;
954
955 /* OK, let's give up, apparently all servers we tried didn't work. */
956 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
957 return;
958 }
959
960 if (!IN_SET(t->answer_dnssec_result,
961 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
962 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
963 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
964 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
965 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
966 return;
967 }
968
969 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
970 dns_server_warn_downgrade(t->server);
971
972 dns_transaction_cache_answer(t);
973
974 if (t->answer_rcode == DNS_RCODE_SUCCESS)
975 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
976 else
977 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
978
979 return;
980
981 fail:
982 dns_transaction_complete_errno(t, r);
983 }
984
985 static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
986 int r;
987
988 assert(t);
989
990 /* Checks whether the answer is positive, i.e. either a direct
991 * answer to the question, or a CNAME/DNAME for it */
992
993 r = dns_answer_match_key(t->answer, dns_transaction_key(t), flags);
994 if (r != 0)
995 return r;
996
997 r = dns_answer_find_cname_or_dname(t->answer, dns_transaction_key(t), NULL, flags);
998 if (r != 0)
999 return r;
1000
1001 return false;
1002 }
1003
1004 static int dns_transaction_fix_rcode(DnsTransaction *t) {
1005 int r;
1006
1007 assert(t);
1008
1009 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
1010 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
1011 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
1012 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
1013 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
1014 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
1015 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
1016 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
1017 * incomplete CNAME/DNAME chain.
1018 *
1019 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
1020 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
1021 * lookup. */
1022
1023 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
1024 return 0;
1025
1026 r = dns_transaction_has_positive_answer(t, NULL);
1027 if (r <= 0)
1028 return r;
1029
1030 t->answer_rcode = DNS_RCODE_SUCCESS;
1031 return 0;
1032 }
1033
1034 void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypted) {
1035 bool retry_with_tcp = false;
1036 int r;
1037
1038 assert(t);
1039 assert(p);
1040 assert(t->scope);
1041 assert(t->scope->manager);
1042
1043 if (t->state != DNS_TRANSACTION_PENDING)
1044 return;
1045
1046 /* Note that this call might invalidate the query. Callers
1047 * should hence not attempt to access the query or transaction
1048 * after calling this function. */
1049
1050 log_debug("Processing incoming packet of size %zu on transaction %" PRIu16" (rcode=%s).",
1051 p->size,
1052 t->id, FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1053
1054 switch (t->scope->protocol) {
1055
1056 case DNS_PROTOCOL_LLMNR:
1057 /* For LLMNR we will not accept any packets from other interfaces */
1058
1059 if (p->ifindex != dns_scope_ifindex(t->scope))
1060 return;
1061
1062 if (p->family != t->scope->family)
1063 return;
1064
1065 /* Tentative packets are not full responses but still
1066 * useful for identifying uniqueness conflicts during
1067 * probing. */
1068 if (DNS_PACKET_LLMNR_T(p)) {
1069 dns_transaction_tentative(t, p);
1070 return;
1071 }
1072
1073 break;
1074
1075 case DNS_PROTOCOL_MDNS:
1076 /* For mDNS we will not accept any packets from other interfaces */
1077
1078 if (p->ifindex != dns_scope_ifindex(t->scope))
1079 return;
1080
1081 if (p->family != t->scope->family)
1082 return;
1083
1084 break;
1085
1086 case DNS_PROTOCOL_DNS:
1087 /* Note that we do not need to verify the
1088 * addresses/port numbers of incoming traffic, as we
1089 * invoked connect() on our UDP socket in which case
1090 * the kernel already does the needed verification for
1091 * us. */
1092 break;
1093
1094 default:
1095 assert_not_reached();
1096 }
1097
1098 if (t->received != p)
1099 DNS_PACKET_REPLACE(t->received, dns_packet_ref(p));
1100
1101 t->answer_source = DNS_TRANSACTION_NETWORK;
1102
1103 if (p->ipproto == IPPROTO_TCP) {
1104 if (DNS_PACKET_TC(p)) {
1105 /* Truncated via TCP? Somebody must be fucking with us */
1106 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1107 return;
1108 }
1109
1110 if (DNS_PACKET_ID(p) != t->id) {
1111 /* Not the reply to our query? Somebody must be fucking with us */
1112 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1113 return;
1114 }
1115 }
1116
1117 switch (t->scope->protocol) {
1118
1119 case DNS_PROTOCOL_DNS:
1120 assert(t->server);
1121
1122 if (!t->bypass &&
1123 IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
1124
1125 /* Request failed, immediately try again with reduced features */
1126
1127 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
1128
1129 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
1130 * this transaction anymore, but let's see if it might make sense to send the request
1131 * to a different DNS server instead. If not let's process the response, and accept the
1132 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
1133 * packet loss, but is not going to give us better rcodes should we actually have
1134 * managed to get them already at UDP level. */
1135
1136 if (dns_transaction_limited_retry(t))
1137 return;
1138
1139 /* Give up, accept the rcode */
1140 log_debug("Server returned error: %s", FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1141 break;
1142 }
1143
1144 /* SERVFAIL can happen for many reasons and may be transient.
1145 * To avoid unnecessary downgrades retry once with the initial level.
1146 * Check for clamp_feature_level_servfail having an invalid value as a sign that this is the
1147 * first attempt to downgrade. If so, clamp to the current value so that the transaction
1148 * is retried without actually downgrading. If the next try also fails we will downgrade by
1149 * hitting the else branch below. */
1150 if (DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL &&
1151 t->clamp_feature_level_servfail < 0) {
1152 t->clamp_feature_level_servfail = t->current_feature_level;
1153 log_debug("Server returned error %s, retrying transaction.",
1154 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1155 } else {
1156 /* Reduce this feature level by one and try again. */
1157 switch (t->current_feature_level) {
1158 case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1159 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
1160 break;
1161 case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1162 /* Skip plain TLS when TLS is not supported */
1163 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
1164 break;
1165 default:
1166 t->clamp_feature_level_servfail = t->current_feature_level - 1;
1167 }
1168
1169 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
1170 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1171 dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
1172 }
1173
1174 dns_transaction_retry(t, false /* use the same server */);
1175 return;
1176 }
1177
1178 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
1179 /* This server refused our request? If so, try again, use a different server */
1180 log_debug("Server returned REFUSED, switching servers, and retrying.");
1181
1182 if (dns_transaction_limited_retry(t))
1183 return;
1184
1185 break;
1186 }
1187
1188 if (DNS_PACKET_TC(p))
1189 dns_server_packet_truncated(t->server, t->current_feature_level);
1190
1191 break;
1192
1193 case DNS_PROTOCOL_LLMNR:
1194 case DNS_PROTOCOL_MDNS:
1195 dns_scope_packet_received(t->scope, p->timestamp - t->start_usec);
1196 break;
1197
1198 default:
1199 assert_not_reached();
1200 }
1201
1202 if (DNS_PACKET_TC(p)) {
1203
1204 /* Truncated packets for mDNS are not allowed. Give up immediately. */
1205 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
1206 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1207 return;
1208 }
1209
1210 /* Response was truncated, let's try again with good old TCP */
1211 log_debug("Reply truncated, retrying via TCP.");
1212 retry_with_tcp = true;
1213
1214 } else if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1215 DNS_PACKET_IS_FRAGMENTED(p)) {
1216
1217 /* Report the fragment size, so that we downgrade from LARGE to regular EDNS0 if needed */
1218 if (t->server)
1219 dns_server_packet_udp_fragmented(t->server, dns_packet_size_unfragmented(p));
1220
1221 if (t->current_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
1222 /* Packet was fragmented. Let's retry with TCP to avoid fragmentation attack
1223 * issues. (We don't do that on the lowest feature level however, since crappy DNS
1224 * servers often do not implement TCP, hence falling back to TCP on fragmentation is
1225 * counter-productive there.) */
1226
1227 log_debug("Reply fragmented, retrying via TCP. (Largest fragment size: %zu; Datagram size: %zu)",
1228 p->fragsize, p->size);
1229 retry_with_tcp = true;
1230 }
1231 }
1232
1233 if (retry_with_tcp) {
1234 r = dns_transaction_emit_tcp(t);
1235 if (r == -ESRCH) {
1236 /* No servers found? Damn! */
1237 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1238 return;
1239 }
1240 if (r == -EOPNOTSUPP) {
1241 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1242 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1243 return;
1244 }
1245 if (r < 0) {
1246 /* On LLMNR, if we cannot connect to the host,
1247 * we immediately give up */
1248 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1249 goto fail;
1250
1251 /* On DNS, couldn't send? Try immediately again, with a new server */
1252 if (dns_transaction_limited_retry(t))
1253 return;
1254
1255 /* No new server to try, give up */
1256 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1257 }
1258
1259 return;
1260 }
1261
1262 /* After the superficial checks, actually parse the message. */
1263 r = dns_packet_extract(p);
1264 if (r < 0) {
1265 if (t->server) {
1266 dns_server_packet_invalid(t->server, t->current_feature_level);
1267
1268 r = dns_transaction_maybe_restart(t);
1269 if (r < 0)
1270 goto fail;
1271 if (r > 0) /* Transaction got restarted... */
1272 return;
1273 }
1274
1275 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1276 return;
1277 }
1278
1279 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1280 !t->bypass &&
1281 DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN &&
1282 p->opt && !DNS_PACKET_DO(p) &&
1283 DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(t->current_feature_level) &&
1284 DNS_SERVER_FEATURE_LEVEL_IS_UDP(t->current_feature_level) &&
1285 t->scope->dnssec_mode != DNSSEC_YES) {
1286
1287 /* Some captive portals are special in that the Aruba/Datavalet hardware will miss
1288 * replacing the packets with the local server IP to point to the authenticated side
1289 * of the network if EDNS0 is enabled. Instead they return NXDOMAIN, with DO bit set
1290 * to zero... nothing to see here, yet respond with the captive portal IP, when using
1291 * the more simple UDP level.
1292 *
1293 * Common portal names that fail like so are:
1294 * secure.datavalet.io
1295 * securelogin.arubanetworks.com
1296 * securelogin.networks.mycompany.com
1297 *
1298 * Thus retry NXDOMAIN RCODES with a lower feature level.
1299 *
1300 * Do not lower the server's tracked feature level, as the captive portal should not
1301 * be lying for the wider internet (e.g. _other_ queries were observed fine with
1302 * EDNS0 on these networks, post auth), i.e. let's just lower the level transaction's
1303 * feature level.
1304 *
1305 * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
1306 */
1307
1308 t->clamp_feature_level_nxdomain = DNS_SERVER_FEATURE_LEVEL_UDP;
1309
1310 log_debug("Server returned error %s in EDNS0 mode, retrying transaction with reduced feature level %s (DVE-2018-0001 mitigation)",
1311 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1312 dns_server_feature_level_to_string(t->clamp_feature_level_nxdomain));
1313
1314 dns_transaction_retry(t, false /* use the same server */);
1315 return;
1316 }
1317
1318 if (t->server) {
1319 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1320 * rcode and subsequently downgraded the protocol */
1321
1322 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1323 t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1324 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
1325
1326 /* Report that the OPT RR was missing */
1327 if (!p->opt)
1328 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1329
1330 /* Report that the server didn't copy our query DO bit from request to response */
1331 if (DNS_PACKET_DO(t->sent) && !DNS_PACKET_DO(t->received))
1332 dns_server_packet_do_off(t->server, t->current_feature_level);
1333
1334 /* Report that we successfully received a packet. We keep track of the largest packet
1335 * size/fragment size we got. Which is useful for announcing the EDNS(0) packet size we can
1336 * receive to our server. */
1337 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, dns_packet_size_unfragmented(p));
1338 }
1339
1340 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1341 r = dns_transaction_maybe_restart(t);
1342 if (r < 0)
1343 goto fail;
1344 if (r > 0) /* Transaction got restarted... */
1345 return;
1346
1347 /* When dealing with protocols other than mDNS only consider responses with equivalent query section
1348 * to the request. For mDNS this check doesn't make sense, because the section 6 of RFC6762 states
1349 * that "Multicast DNS responses MUST NOT contain any questions in the Question Section". */
1350 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
1351 r = dns_packet_is_reply_for(p, dns_transaction_key(t));
1352 if (r < 0)
1353 goto fail;
1354 if (r == 0) {
1355 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1356 return;
1357 }
1358 }
1359
1360 /* Install the answer as answer to the transaction. We ref the answer twice here: the main `answer`
1361 * field is later replaced by the DNSSEC validated subset. The 'answer_auxiliary' field carries the
1362 * original complete record set, including RRSIG and friends. We use this when passing data to
1363 * clients that ask for DNSSEC metadata. */
1364 DNS_ANSWER_REPLACE(t->answer, dns_answer_ref(p->answer));
1365 t->answer_rcode = DNS_PACKET_RCODE(p);
1366 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
1367 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
1368 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, encrypted);
1369
1370 r = dns_transaction_fix_rcode(t);
1371 if (r < 0)
1372 goto fail;
1373
1374 /* Block GC while starting requests for additional DNSSEC RRs */
1375 t->block_gc++;
1376 r = dns_transaction_request_dnssec_keys(t);
1377 t->block_gc--;
1378
1379 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1380 if (!dns_transaction_gc(t))
1381 return;
1382
1383 /* Requesting additional keys might have resulted in this transaction to fail, since the auxiliary
1384 * request failed for some reason. If so, we are not in pending state anymore, and we should exit
1385 * quickly. */
1386 if (t->state != DNS_TRANSACTION_PENDING)
1387 return;
1388 if (r < 0)
1389 goto fail;
1390 if (r > 0) {
1391 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1392 t->state = DNS_TRANSACTION_VALIDATING;
1393 dns_transaction_close_connection(t, true);
1394 dns_transaction_stop_timeout(t);
1395 return;
1396 }
1397
1398 dns_transaction_process_dnssec(t);
1399 return;
1400
1401 fail:
1402 dns_transaction_complete_errno(t, r);
1403 }
1404
1405 static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1406 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1407 DnsTransaction *t = ASSERT_PTR(userdata);
1408 int r;
1409
1410 assert(t->scope);
1411
1412 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
1413 if (ERRNO_IS_DISCONNECT(r)) {
1414 usec_t usec;
1415
1416 /* UDP connection failures get reported via ICMP and then are possibly delivered to us on the
1417 * next recvmsg(). Treat this like a lost packet. */
1418
1419 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
1420 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &usec) >= 0);
1421 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
1422
1423 dns_transaction_close_connection(t, /* use_graveyard = */ false);
1424
1425 if (dns_transaction_limited_retry(t)) /* Try a different server */
1426 return 0;
1427
1428 dns_transaction_complete_errno(t, r);
1429 return 0;
1430 }
1431 if (r < 0) {
1432 dns_transaction_complete_errno(t, r);
1433 return 0;
1434 }
1435 if (r == 0)
1436 /* Spurious wakeup without any data */
1437 return 0;
1438
1439 r = dns_packet_validate_reply(p);
1440 if (r < 0) {
1441 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1442 return 0;
1443 }
1444 if (r == 0) {
1445 log_debug("Received inappropriate DNS packet as response, ignoring.");
1446 return 0;
1447 }
1448
1449 if (DNS_PACKET_ID(p) != t->id) {
1450 log_debug("Received packet with incorrect transaction ID, ignoring.");
1451 return 0;
1452 }
1453
1454 dns_transaction_process_reply(t, p, false);
1455 return 0;
1456 }
1457
1458 static int dns_transaction_emit_udp(DnsTransaction *t) {
1459 int r;
1460
1461 assert(t);
1462
1463 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
1464
1465 r = dns_transaction_pick_server(t);
1466 if (r < 0)
1467 return r;
1468
1469 if (manager_server_is_stub(t->scope->manager, t->server))
1470 return -ELOOP;
1471
1472 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
1473 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
1474
1475 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
1476 return -EOPNOTSUPP;
1477
1478 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1479 int fd;
1480
1481 dns_transaction_close_connection(t, true);
1482
1483 /* Before we allocate a new UDP socket, let's process the graveyard a bit to free some fds */
1484 manager_socket_graveyard_process(t->scope->manager);
1485
1486 fd = dns_scope_socket_udp(t->scope, t->server);
1487 if (fd < 0)
1488 return fd;
1489
1490 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1491 if (r < 0) {
1492 safe_close(fd);
1493 return r;
1494 }
1495
1496 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
1497 t->dns_udp_fd = fd;
1498 }
1499
1500 if (!t->bypass) {
1501 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1502 if (r < 0)
1503 return r;
1504 }
1505 } else
1506 dns_transaction_close_connection(t, true);
1507
1508 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->server ? t->server->family : AF_UNSPEC, t->sent);
1509 if (r < 0)
1510 return r;
1511
1512 dns_transaction_reset_answer(t);
1513
1514 return 0;
1515 }
1516
1517 static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1518 DnsTransaction *t = ASSERT_PTR(userdata);
1519
1520 assert(s);
1521
1522 if (t->initial_jitter_scheduled && !t->initial_jitter_elapsed) {
1523 log_debug("Initial jitter phase for transaction %" PRIu16 " elapsed.", t->id);
1524 t->initial_jitter_elapsed = true;
1525 } else {
1526 /* Timeout reached? Increase the timeout for the server used */
1527 switch (t->scope->protocol) {
1528
1529 case DNS_PROTOCOL_DNS:
1530 assert(t->server);
1531 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
1532 break;
1533
1534 case DNS_PROTOCOL_LLMNR:
1535 case DNS_PROTOCOL_MDNS:
1536 dns_scope_packet_lost(t->scope, usec - t->start_usec);
1537 break;
1538
1539 default:
1540 assert_not_reached();
1541 }
1542
1543 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
1544 }
1545
1546 dns_transaction_retry(t, /* next_server= */ true); /* try a different server, but given this means
1547 * packet loss, let's do so even if we already
1548 * tried a bunch */
1549 return 0;
1550 }
1551
1552 static int dns_transaction_setup_timeout(
1553 DnsTransaction *t,
1554 usec_t timeout_usec /* relative */,
1555 usec_t next_usec /* CLOCK_BOOTTIME */) {
1556
1557 int r;
1558
1559 assert(t);
1560
1561 dns_transaction_stop_timeout(t);
1562
1563 r = sd_event_add_time_relative(
1564 t->scope->manager->event,
1565 &t->timeout_event_source,
1566 CLOCK_BOOTTIME,
1567 timeout_usec, 0,
1568 on_transaction_timeout, t);
1569 if (r < 0)
1570 return r;
1571
1572 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1573
1574 t->next_attempt_after = next_usec;
1575 t->state = DNS_TRANSACTION_PENDING;
1576 return 0;
1577 }
1578
1579 static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1580 assert(t);
1581 assert(t->scope);
1582
1583 switch (t->scope->protocol) {
1584
1585 case DNS_PROTOCOL_DNS:
1586
1587 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1588 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1589 * needlessly. */
1590 if (t->stream)
1591 return TRANSACTION_TCP_TIMEOUT_USEC;
1592
1593 return DNS_TIMEOUT_USEC;
1594
1595 case DNS_PROTOCOL_MDNS:
1596 if (t->probing)
1597 return MDNS_PROBING_INTERVAL_USEC;
1598
1599 /* See RFC 6762 Section 5.1 suggests that timeout should be a few seconds. */
1600 assert(t->n_attempts > 0);
1601 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
1602
1603 case DNS_PROTOCOL_LLMNR:
1604 return t->scope->resend_timeout;
1605
1606 default:
1607 assert_not_reached();
1608 }
1609 }
1610
1611 static void dns_transaction_randomize_answer(DnsTransaction *t) {
1612 int r;
1613
1614 assert(t);
1615
1616 /* Randomizes the order of the answer array. This is done for all cached responses, so that we return
1617 * a different order each time. We do this only for DNS traffic, in order to do some minimal, crappy
1618 * load balancing. We don't do this for LLMNR or mDNS, since the order (preferring link-local
1619 * addresses, and such like) might have meaning there, and load balancing is pointless. */
1620
1621 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1622 return;
1623
1624 /* No point in randomizing, if there's just one RR */
1625 if (dns_answer_size(t->answer) <= 1)
1626 return;
1627
1628 r = dns_answer_reserve_or_clone(&t->answer, 0);
1629 if (r < 0) /* If this fails, just don't randomize, this is non-essential stuff after all */
1630 return (void) log_debug_errno(r, "Failed to clone answer record, not randomizing RR order of answer: %m");
1631
1632 dns_answer_randomize(t->answer);
1633 }
1634
1635 static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
1636 int r;
1637
1638 assert(t);
1639
1640 /* Returns 0 if dns_transaction_complete() has been called. In that case the transaction and query
1641 * candidate objects may have been invalidated and must not be accessed. Returns 1 if the transaction
1642 * has been prepared. */
1643
1644 dns_transaction_stop_timeout(t);
1645
1646 if (!dns_scope_network_good(t->scope)) {
1647 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1648 return 0;
1649 }
1650
1651 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
1652 DnsTransactionState result;
1653
1654 if (t->scope->protocol == DNS_PROTOCOL_LLMNR)
1655 /* If we didn't find anything on LLMNR, it's not an error, but a failure to resolve
1656 * the name. */
1657 result = DNS_TRANSACTION_NOT_FOUND;
1658 else
1659 result = DNS_TRANSACTION_ATTEMPTS_MAX_REACHED;
1660
1661 dns_transaction_complete(t, result);
1662 return 0;
1663 }
1664
1665 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
1666 /* If we already tried via a stream, then we don't
1667 * retry on LLMNR. See RFC 4795, Section 2.7. */
1668 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1669 return 0;
1670 }
1671
1672 t->n_attempts++;
1673 t->start_usec = ts;
1674
1675 dns_transaction_reset_answer(t);
1676 dns_transaction_flush_dnssec_transactions(t);
1677
1678 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
1679 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1680 !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_TRUST_ANCHOR)) {
1681 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, dns_transaction_key(t), &t->answer);
1682 if (r < 0)
1683 return r;
1684 if (r > 0) {
1685 t->answer_rcode = DNS_RCODE_SUCCESS;
1686 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1687 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
1688 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1689 return 0;
1690 }
1691
1692 if (dns_name_is_root(dns_resource_key_name(dns_transaction_key(t))) &&
1693 dns_transaction_key(t)->type == DNS_TYPE_DS) {
1694
1695 /* Hmm, this is a request for the root DS? A DS RR doesn't exist in the root zone,
1696 * and if our trust anchor didn't know it either, this means we cannot do any DNSSEC
1697 * logic anymore. */
1698
1699 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
1700 /* We are in downgrade mode. In this case, synthesize an unsigned empty
1701 * response, so that the any lookup depending on this one can continue
1702 * assuming there was no DS, and hence the root zone was unsigned. */
1703
1704 t->answer_rcode = DNS_RCODE_SUCCESS;
1705 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1706 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
1707 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, true);
1708 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1709 } else
1710 /* If we are not in downgrade mode, then fail the lookup, because we cannot
1711 * reasonably answer it. There might be DS RRs, but we don't know them, and
1712 * the DNS server won't tell them to us (and even if it would, we couldn't
1713 * validate and trust them. */
1714 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1715
1716 return 0;
1717 }
1718 }
1719
1720 /* Check the zone. */
1721 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_ZONE)) {
1722 r = dns_zone_lookup(&t->scope->zone, dns_transaction_key(t), dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
1723 if (r < 0)
1724 return r;
1725 if (r > 0) {
1726 t->answer_rcode = DNS_RCODE_SUCCESS;
1727 t->answer_source = DNS_TRANSACTION_ZONE;
1728 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
1729 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1730 return 0;
1731 }
1732 }
1733
1734 /* Check the cache. */
1735 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_CACHE)) {
1736
1737 /* Before trying the cache, let's make sure we figured out a server to use. Should this cause
1738 * a change of server this might flush the cache. */
1739 (void) dns_scope_get_dns_server(t->scope);
1740
1741 /* Let's then prune all outdated entries */
1742 dns_cache_prune(&t->scope->cache);
1743
1744 r = dns_cache_lookup(
1745 &t->scope->cache,
1746 dns_transaction_key(t),
1747 t->query_flags,
1748 &t->answer_rcode,
1749 &t->answer,
1750 &t->received,
1751 &t->answer_query_flags,
1752 &t->answer_dnssec_result);
1753 if (r < 0)
1754 return r;
1755 if (r > 0) {
1756 dns_transaction_randomize_answer(t);
1757
1758 if (t->bypass && t->scope->protocol == DNS_PROTOCOL_DNS && !t->received)
1759 /* When bypass mode is on, do not use cached data unless it came with a full
1760 * packet. */
1761 dns_transaction_reset_answer(t);
1762 else {
1763 t->answer_source = DNS_TRANSACTION_CACHE;
1764 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1765 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1766 else
1767 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1768 return 0;
1769 }
1770 }
1771 }
1772
1773 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_NETWORK)) {
1774 dns_transaction_complete(t, DNS_TRANSACTION_NO_SOURCE);
1775 return 0;
1776 }
1777
1778 return 1;
1779 }
1780
1781 static int dns_packet_append_zone(DnsPacket *p, DnsTransaction *t, DnsResourceKey *k, unsigned *nscount) {
1782 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1783 bool tentative;
1784 int r;
1785
1786 assert(p);
1787 assert(t);
1788 assert(k);
1789
1790 if (k->type != DNS_TYPE_ANY)
1791 return 0;
1792
1793 r = dns_zone_lookup(&t->scope->zone, k, t->scope->link->ifindex, &answer, NULL, &tentative);
1794 if (r < 0)
1795 return r;
1796
1797 return dns_packet_append_answer(p, answer, nscount);
1798 }
1799
1800 static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
1801 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1802 _cleanup_set_free_ Set *keys = NULL;
1803 unsigned qdcount, ancount = 0 /* avoid false maybe-uninitialized warning */, nscount;
1804 bool add_known_answers = false;
1805 usec_t ts;
1806 int r;
1807
1808 assert(t);
1809 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1810
1811 /* Discard any previously prepared packet, so we can start over and coalesce again */
1812 t->sent = dns_packet_unref(t->sent);
1813
1814 /* First, create a dummy packet to calculate packet size. */
1815 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1816 if (r < 0)
1817 return r;
1818
1819 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1820 if (r < 0)
1821 return r;
1822
1823 qdcount = 1;
1824
1825 if (dns_key_is_shared(dns_transaction_key(t)))
1826 add_known_answers = true;
1827
1828 r = dns_packet_append_zone(p, t, dns_transaction_key(t), NULL);
1829 if (r < 0)
1830 return r;
1831
1832 /* Save appended keys */
1833 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(t));
1834 if (r < 0)
1835 return r;
1836
1837 /*
1838 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1839 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
1840 * in our current scope, and see whether their timing constraints allow them to be sent.
1841 */
1842
1843 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
1844
1845 for (bool restart = true; restart;) {
1846 restart = false;
1847 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1848 size_t saved_packet_size;
1849 bool append = false;
1850
1851 /* Skip ourselves */
1852 if (other == t)
1853 continue;
1854
1855 if (other->state != DNS_TRANSACTION_PENDING)
1856 continue;
1857
1858 if (other->next_attempt_after > ts)
1859 continue;
1860
1861 if (!set_contains(keys, dns_transaction_key(other))) {
1862 r = dns_packet_append_key(p, dns_transaction_key(other), 0, &saved_packet_size);
1863 /* If we can't stuff more questions into the packet, just give up.
1864 * One of the 'other' transactions will fire later and take care of the rest. */
1865 if (r == -EMSGSIZE)
1866 break;
1867 if (r < 0)
1868 return r;
1869
1870 r = dns_packet_append_zone(p, t, dns_transaction_key(other), NULL);
1871 if (r == -EMSGSIZE)
1872 break;
1873 if (r < 0)
1874 return r;
1875
1876 append = true;
1877 }
1878
1879 r = dns_transaction_prepare(other, ts);
1880 if (r < 0)
1881 return r;
1882 if (r == 0) {
1883 if (append)
1884 dns_packet_truncate(p, saved_packet_size);
1885
1886 /* In this case, not only this transaction, but multiple transactions may be
1887 * freed. Hence, we need to restart the loop. */
1888 restart = true;
1889 break;
1890 }
1891
1892 usec_t timeout = transaction_get_resend_timeout(other);
1893 r = dns_transaction_setup_timeout(other, timeout, usec_add(ts, timeout));
1894 if (r < 0)
1895 return r;
1896
1897 if (dns_key_is_shared(dns_transaction_key(other)))
1898 add_known_answers = true;
1899
1900 if (append) {
1901 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(other));
1902 if (r < 0)
1903 return r;
1904 }
1905
1906 qdcount++;
1907 if (qdcount >= UINT16_MAX)
1908 break;
1909 }
1910 }
1911
1912 /* Append known answer section if we're asking for any shared record */
1913 if (add_known_answers) {
1914 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, 0);
1915 if (r < 0)
1916 return r;
1917
1918 ancount = be16toh(DNS_PACKET_HEADER(p)->ancount);
1919 }
1920
1921 /* Then, create actual packet. */
1922 p = dns_packet_unref(p);
1923 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1924 if (r < 0)
1925 return r;
1926
1927 /* Questions */
1928 DnsResourceKey *k;
1929 SET_FOREACH(k, keys) {
1930 r = dns_packet_append_key(p, k, 0, NULL);
1931 if (r < 0)
1932 return r;
1933 }
1934 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
1935
1936 /* Known answers */
1937 if (add_known_answers) {
1938 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, ancount);
1939 if (r < 0)
1940 return r;
1941 }
1942
1943 /* Authorities */
1944 nscount = 0;
1945 SET_FOREACH(k, keys) {
1946 r = dns_packet_append_zone(p, t, k, &nscount);
1947 if (r < 0)
1948 return r;
1949 }
1950 DNS_PACKET_HEADER(p)->nscount = htobe16(nscount);
1951
1952 t->sent = TAKE_PTR(p);
1953 return 0;
1954 }
1955
1956 static int dns_transaction_make_packet(DnsTransaction *t) {
1957 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1958 int r;
1959
1960 assert(t);
1961
1962 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1963 return dns_transaction_make_packet_mdns(t);
1964
1965 if (t->sent)
1966 return 0;
1967
1968 if (t->bypass && t->bypass->protocol == t->scope->protocol) {
1969 /* If bypass logic is enabled and the protocol if the original packet and our scope match,
1970 * take the original packet, copy it, and patch in our new ID */
1971 r = dns_packet_dup(&p, t->bypass);
1972 if (r < 0)
1973 return r;
1974 } else {
1975 r = dns_packet_new_query(
1976 &p, t->scope->protocol,
1977 /* min_alloc_dsize = */ 0,
1978 /* dnssec_cd = */ !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) &&
1979 t->scope->dnssec_mode != DNSSEC_NO);
1980 if (r < 0)
1981 return r;
1982
1983 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1984 if (r < 0)
1985 return r;
1986
1987 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1988 }
1989
1990 DNS_PACKET_HEADER(p)->id = t->id;
1991
1992 t->sent = TAKE_PTR(p);
1993 return 0;
1994 }
1995
1996 int dns_transaction_go(DnsTransaction *t) {
1997 usec_t ts;
1998 int r;
1999 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
2000
2001 assert(t);
2002
2003 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has
2004 * finished now. In the latter case, the transaction and query candidate objects must not be accessed.
2005 */
2006
2007 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
2008
2009 r = dns_transaction_prepare(t, ts);
2010 if (r <= 0)
2011 return r;
2012
2013 log_debug("Firing %s transaction %" PRIu16 " for <%s> scope %s on %s/%s (validate=%s).",
2014 t->bypass ? "bypass" : "regular",
2015 t->id,
2016 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
2017 dns_protocol_to_string(t->scope->protocol),
2018 t->scope->link ? t->scope->link->ifname : "*",
2019 af_to_name_short(t->scope->family),
2020 yes_no(!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE)));
2021
2022 if (!t->initial_jitter_scheduled &&
2023 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
2024 usec_t jitter;
2025
2026 /* RFC 4795 Section 2.7 suggests all LLMNR queries should be delayed by a random time from 0 to
2027 * JITTER_INTERVAL.
2028 * RFC 6762 Section 8.1 suggests initial probe queries should be delayed by a random time from
2029 * 0 to 250ms. */
2030
2031 t->initial_jitter_scheduled = true;
2032 t->n_attempts = 0;
2033
2034 switch (t->scope->protocol) {
2035
2036 case DNS_PROTOCOL_LLMNR:
2037 jitter = random_u64_range(LLMNR_JITTER_INTERVAL_USEC);
2038 break;
2039
2040 case DNS_PROTOCOL_MDNS:
2041 if (t->probing)
2042 jitter = random_u64_range(MDNS_PROBING_INTERVAL_USEC);
2043 else
2044 jitter = 0;
2045 break;
2046 default:
2047 assert_not_reached();
2048 }
2049
2050 r = dns_transaction_setup_timeout(t, jitter, ts);
2051 if (r < 0)
2052 return r;
2053
2054 log_debug("Delaying %s transaction %" PRIu16 " for " USEC_FMT "us.",
2055 dns_protocol_to_string(t->scope->protocol),
2056 t->id,
2057 jitter);
2058 return 1;
2059 }
2060
2061 /* Otherwise, we need to ask the network */
2062 r = dns_transaction_make_packet(t);
2063 if (r < 0)
2064 return r;
2065
2066 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
2067 (dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "in-addr.arpa") > 0 ||
2068 dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "ip6.arpa") > 0)) {
2069
2070 /* RFC 4795, Section 2.4. says reverse lookups shall
2071 * always be made via TCP on LLMNR */
2072 r = dns_transaction_emit_tcp(t);
2073 } else {
2074 /* Try via UDP, and if that fails due to large size or lack of
2075 * support try via TCP */
2076 r = dns_transaction_emit_udp(t);
2077 if (r == -EMSGSIZE)
2078 log_debug("Sending query via TCP since it is too large.");
2079 else if (r == -EAGAIN)
2080 log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
2081 if (IN_SET(r, -EMSGSIZE, -EAGAIN))
2082 r = dns_transaction_emit_tcp(t);
2083 }
2084 if (r == -ELOOP) {
2085 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2086 return r;
2087
2088 /* One of our own stub listeners */
2089 log_debug_errno(r, "Detected that specified DNS server is our own extra listener, switching DNS servers.");
2090
2091 dns_scope_next_dns_server(t->scope, t->server);
2092
2093 if (dns_scope_get_dns_server(t->scope) == t->server) {
2094 log_debug_errno(r, "Still pointing to extra listener after switching DNS servers, refusing operation.");
2095 dns_transaction_complete(t, DNS_TRANSACTION_STUB_LOOP);
2096 return 0;
2097 }
2098
2099 return dns_transaction_go(t);
2100 }
2101 if (r == -ESRCH) {
2102 /* No servers to send this to? */
2103 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
2104 return 0;
2105 }
2106 if (r == -EOPNOTSUPP) {
2107 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
2108 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
2109 return 0;
2110 }
2111 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_DISCONNECT(r)) {
2112 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
2113 * answer this request with this protocol. */
2114 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
2115 return 0;
2116 }
2117 if (r < 0) {
2118 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2119 return r;
2120
2121 /* Couldn't send? Try immediately again, with a new server */
2122 dns_scope_next_dns_server(t->scope, t->server);
2123
2124 return dns_transaction_go(t);
2125 }
2126
2127 usec_t timeout = transaction_get_resend_timeout(t);
2128 r = dns_transaction_setup_timeout(t, timeout, usec_add(ts, timeout));
2129 if (r < 0)
2130 return r;
2131
2132 return 1;
2133 }
2134
2135 static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
2136 DnsTransaction *n;
2137 int r;
2138
2139 assert(t);
2140 assert(aux);
2141
2142 /* Try to find cyclic dependencies between transaction objects */
2143
2144 if (t == aux)
2145 return 1;
2146
2147 SET_FOREACH(n, aux->dnssec_transactions) {
2148 r = dns_transaction_find_cyclic(t, n);
2149 if (r != 0)
2150 return r;
2151 }
2152
2153 return 0;
2154 }
2155
2156 static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
2157 _cleanup_(dns_transaction_gcp) DnsTransaction *aux = NULL;
2158 int r;
2159
2160 assert(t);
2161 assert(ret);
2162 assert(key);
2163
2164 aux = dns_scope_find_transaction(t->scope, key, t->query_flags);
2165 if (!aux) {
2166 r = dns_transaction_new(&aux, t->scope, key, NULL, t->query_flags);
2167 if (r < 0)
2168 return r;
2169 } else {
2170 if (set_contains(t->dnssec_transactions, aux)) {
2171 *ret = aux;
2172 return 0;
2173 }
2174
2175 r = dns_transaction_find_cyclic(t, aux);
2176 if (r < 0)
2177 return r;
2178 if (r > 0) {
2179 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
2180
2181 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
2182 "Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
2183 aux->id,
2184 dns_resource_key_to_string(dns_transaction_key(t), s, sizeof s),
2185 t->id,
2186 dns_resource_key_to_string(dns_transaction_key(aux), saux, sizeof saux));
2187 }
2188 }
2189
2190 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
2191 if (r < 0)
2192 return r;
2193
2194 r = set_ensure_put(&t->dnssec_transactions, NULL, aux);
2195 if (r < 0)
2196 return r;
2197
2198 r = set_ensure_put(&aux->notify_transactions, NULL, t);
2199 if (r < 0) {
2200 (void) set_remove(t->dnssec_transactions, aux);
2201 return r;
2202 }
2203
2204 *ret = TAKE_PTR(aux);
2205 return 1;
2206 }
2207
2208 static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
2209 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
2210 DnsTransaction *aux;
2211 int r;
2212
2213 assert(t);
2214 assert(key);
2215
2216 /* Try to get the data from the trust anchor */
2217 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
2218 if (r < 0)
2219 return r;
2220 if (r > 0) {
2221 r = dns_answer_extend(&t->validated_keys, a);
2222 if (r < 0)
2223 return r;
2224
2225 return 0;
2226 }
2227
2228 /* This didn't work, ask for it via the network/cache then. */
2229 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
2230 if (r == -ELOOP) /* This would result in a cyclic dependency */
2231 return 0;
2232 if (r < 0)
2233 return r;
2234
2235 if (aux->state == DNS_TRANSACTION_NULL) {
2236 r = dns_transaction_go(aux);
2237 if (r < 0)
2238 return r;
2239 }
2240
2241 return 1;
2242 }
2243
2244 static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
2245 int r;
2246
2247 assert(t);
2248
2249 /* Check whether the specified name is in the NTA
2250 * database, either in the global one, or the link-local
2251 * one. */
2252
2253 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
2254 if (r != 0)
2255 return r;
2256
2257 if (!t->scope->link)
2258 return 0;
2259
2260 return link_negative_trust_anchor_lookup(t->scope->link, name);
2261 }
2262
2263 static int dns_transaction_has_negative_answer(DnsTransaction *t) {
2264 int r;
2265
2266 assert(t);
2267
2268 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
2269 * RRs to prove it */
2270
2271 r = dns_transaction_has_positive_answer(t, NULL);
2272 if (r < 0)
2273 return r;
2274 if (r > 0)
2275 return false;
2276
2277 /* Is this key explicitly listed as a negative trust anchor?
2278 * If so, it's nothing we need to care about */
2279 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
2280 if (r < 0)
2281 return r;
2282 return !r;
2283 }
2284
2285 static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
2286 int r;
2287
2288 assert(t);
2289 assert(rr);
2290
2291 /* Check if the specified RR is the "primary" response,
2292 * i.e. either matches the question precisely or is a
2293 * CNAME/DNAME for it. */
2294
2295 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
2296 if (r != 0)
2297 return r;
2298
2299 return dns_resource_key_match_cname_or_dname(dns_transaction_key(t), rr->key, NULL);
2300 }
2301
2302 static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
2303 assert(t);
2304
2305 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
2306 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
2307
2308 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2309 return false;
2310
2311 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
2312 * be supported, hence return true. */
2313 if (!t->server)
2314 return true;
2315
2316 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
2317 * the server is known to support currently, as the transaction feature level might be lower than what the
2318 * server actually supports, since we might have downgraded this transaction's feature level because we got a
2319 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
2320
2321 return dns_server_dnssec_supported(t->server);
2322 }
2323
2324 static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
2325 DnsTransaction *dt;
2326
2327 assert(t);
2328
2329 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
2330
2331 if (!dns_transaction_dnssec_supported(t))
2332 return false;
2333
2334 SET_FOREACH(dt, t->dnssec_transactions)
2335 if (!dns_transaction_dnssec_supported(dt))
2336 return false;
2337
2338 return true;
2339 }
2340
2341 int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
2342 DnsResourceRecord *rr;
2343
2344 int r;
2345
2346 assert(t);
2347
2348 /*
2349 * Retrieve all auxiliary RRs for the answer we got, so that
2350 * we can verify signatures or prove that RRs are rightfully
2351 * unsigned. Specifically:
2352 *
2353 * - For RRSIG we get the matching DNSKEY
2354 * - For DNSKEY we get the matching DS
2355 * - For unsigned SOA/NS we get the matching DS
2356 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
2357 * - For other unsigned RRs we get the matching SOA RR
2358 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
2359 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
2360 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
2361 */
2362
2363 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
2364 return 0;
2365 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2366 return 0; /* We only need to validate stuff from the network */
2367 if (!dns_transaction_dnssec_supported(t))
2368 return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
2369
2370 DNS_ANSWER_FOREACH(rr, t->answer) {
2371
2372 if (dns_type_is_pseudo(rr->key->type))
2373 continue;
2374
2375 /* If this RR is in the negative trust anchor, we don't need to validate it. */
2376 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2377 if (r < 0)
2378 return r;
2379 if (r > 0)
2380 continue;
2381
2382 switch (rr->key->type) {
2383
2384 case DNS_TYPE_RRSIG: {
2385 /* For each RRSIG we request the matching DNSKEY */
2386 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
2387
2388 /* If this RRSIG is about a DNSKEY RR and the
2389 * signer is the same as the owner, then we
2390 * already have the DNSKEY, and we don't have
2391 * to look for more. */
2392 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
2393 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
2394 if (r < 0)
2395 return r;
2396 if (r > 0)
2397 continue;
2398 }
2399
2400 /* If the signer is not a parent of our
2401 * original query, then this is about an
2402 * auxiliary RRset, but not anything we asked
2403 * for. In this case we aren't interested,
2404 * because we don't want to request additional
2405 * RRs for stuff we didn't really ask for, and
2406 * also to avoid request loops, where
2407 * additional RRs from one transaction result
2408 * in another transaction whose additional RRs
2409 * point back to the original transaction, and
2410 * we deadlock. */
2411 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), rr->rrsig.signer);
2412 if (r < 0)
2413 return r;
2414 if (r == 0)
2415 continue;
2416
2417 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2418 if (!dnskey)
2419 return -ENOMEM;
2420
2421 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2422 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
2423 r = dns_transaction_request_dnssec_rr(t, dnskey);
2424 if (r < 0)
2425 return r;
2426 break;
2427 }
2428
2429 case DNS_TYPE_DNSKEY: {
2430 /* For each DNSKEY we request the matching DS */
2431 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2432
2433 /* If the DNSKEY we are looking at is not for
2434 * zone we are interested in, nor any of its
2435 * parents, we aren't interested, and don't
2436 * request it. After all, we don't want to end
2437 * up in request loops, and want to keep
2438 * additional traffic down. */
2439
2440 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
2441 if (r < 0)
2442 return r;
2443 if (r == 0)
2444 continue;
2445
2446 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2447 if (!ds)
2448 return -ENOMEM;
2449
2450 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2451 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
2452 r = dns_transaction_request_dnssec_rr(t, ds);
2453 if (r < 0)
2454 return r;
2455
2456 break;
2457 }
2458
2459 case DNS_TYPE_SOA:
2460 case DNS_TYPE_NS: {
2461 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2462
2463 /* For an unsigned SOA or NS, try to acquire
2464 * the matching DS RR, as we are at a zone cut
2465 * then, and whether a DS exists tells us
2466 * whether the zone is signed. Do so only if
2467 * this RR matches our original question,
2468 * however. */
2469
2470 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
2471 if (r < 0)
2472 return r;
2473 if (r == 0) {
2474 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
2475 * a negative reply, and we need the SOA RR's TTL in order to cache a negative entry?
2476 * If so, we need to validate it, too. */
2477
2478 r = dns_answer_match_key(t->answer, dns_transaction_key(t), NULL);
2479 if (r < 0)
2480 return r;
2481 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2482 * it. */
2483 continue;
2484
2485 /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
2486 * what we are looking for, otherwise there's no value in it for us. */
2487 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
2488 if (r < 0)
2489 return r;
2490 if (r == 0)
2491 continue;
2492 }
2493
2494 r = dnssec_has_rrsig(t->answer, rr->key);
2495 if (r < 0)
2496 return r;
2497 if (r > 0)
2498 continue;
2499
2500 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2501 if (!ds)
2502 return -ENOMEM;
2503
2504 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2505 t->id, dns_resource_key_name(rr->key));
2506 r = dns_transaction_request_dnssec_rr(t, ds);
2507 if (r < 0)
2508 return r;
2509
2510 break;
2511 }
2512
2513 case DNS_TYPE_DS:
2514 case DNS_TYPE_CNAME:
2515 case DNS_TYPE_DNAME: {
2516 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2517 const char *name;
2518
2519 /* CNAMEs and DNAMEs cannot be located at a
2520 * zone apex, hence ask for the parent SOA for
2521 * unsigned CNAME/DNAME RRs, maybe that's the
2522 * apex. But do all that only if this is
2523 * actually a response to our original
2524 * question.
2525 *
2526 * Similar for DS RRs, which are signed when
2527 * the parent SOA is signed. */
2528
2529 r = dns_transaction_is_primary_response(t, rr);
2530 if (r < 0)
2531 return r;
2532 if (r == 0)
2533 continue;
2534
2535 r = dnssec_has_rrsig(t->answer, rr->key);
2536 if (r < 0)
2537 return r;
2538 if (r > 0)
2539 continue;
2540
2541 r = dns_answer_has_dname_for_cname(t->answer, rr);
2542 if (r < 0)
2543 return r;
2544 if (r > 0)
2545 continue;
2546
2547 name = dns_resource_key_name(rr->key);
2548 r = dns_name_parent(&name);
2549 if (r < 0)
2550 return r;
2551 if (r == 0)
2552 continue;
2553
2554 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2555 if (!soa)
2556 return -ENOMEM;
2557
2558 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2559 t->id, dns_resource_key_name(rr->key));
2560 r = dns_transaction_request_dnssec_rr(t, soa);
2561 if (r < 0)
2562 return r;
2563
2564 break;
2565 }
2566
2567 default: {
2568 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2569
2570 /* For other unsigned RRsets (including
2571 * NSEC/NSEC3!), look for proof the zone is
2572 * unsigned, by requesting the SOA RR of the
2573 * zone. However, do so only if they are
2574 * directly relevant to our original
2575 * question. */
2576
2577 r = dns_transaction_is_primary_response(t, rr);
2578 if (r < 0)
2579 return r;
2580 if (r == 0)
2581 continue;
2582
2583 r = dnssec_has_rrsig(t->answer, rr->key);
2584 if (r < 0)
2585 return r;
2586 if (r > 0)
2587 continue;
2588
2589 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
2590 if (!soa)
2591 return -ENOMEM;
2592
2593 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2594 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
2595 r = dns_transaction_request_dnssec_rr(t, soa);
2596 if (r < 0)
2597 return r;
2598 break;
2599 }}
2600 }
2601
2602 /* Above, we requested everything necessary to validate what
2603 * we got. Now, let's request what we need to validate what we
2604 * didn't get... */
2605
2606 r = dns_transaction_has_negative_answer(t);
2607 if (r < 0)
2608 return r;
2609 if (r > 0) {
2610 const char *name, *signed_status;
2611 uint16_t type = 0;
2612
2613 name = dns_resource_key_name(dns_transaction_key(t));
2614 signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned";
2615
2616 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2617 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2618 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2619 * though they have further children. If this was a DS request, then it's signed when the parent zone
2620 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2621 * to see if that is signed. */
2622
2623 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
2624 r = dns_name_parent(&name);
2625 if (r > 0) {
2626 type = DNS_TYPE_SOA;
2627 log_debug("Requesting parent SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty DS response).",
2628 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id,
2629 dns_resource_key_name(dns_transaction_key(t)), signed_status);
2630 } else
2631 name = NULL;
2632
2633 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
2634
2635 type = DNS_TYPE_DS;
2636 log_debug("Requesting DS (%s %s) to validate transaction %" PRIu16 " (%s, %s empty SOA/NS response).",
2637 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
2638
2639 } else {
2640 type = DNS_TYPE_SOA;
2641 log_debug("Requesting SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty non-SOA/NS/DS response).",
2642 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
2643 }
2644
2645 if (name) {
2646 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2647
2648 soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name);
2649 if (!soa)
2650 return -ENOMEM;
2651
2652 r = dns_transaction_request_dnssec_rr(t, soa);
2653 if (r < 0)
2654 return r;
2655 }
2656 }
2657
2658 return dns_transaction_dnssec_is_live(t);
2659 }
2660
2661 void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
2662 assert(t);
2663 assert(source);
2664
2665 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2666 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2667 the state is VALIDATING however, we should check if we are complete now. */
2668
2669 if (t->state == DNS_TRANSACTION_VALIDATING)
2670 dns_transaction_process_dnssec(t);
2671 }
2672
2673 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
2674 DnsAnswerItem *item;
2675 int r;
2676
2677 assert(t);
2678
2679 /* Add all DNSKEY RRs from the answer that are validated by DS
2680 * RRs from the list of validated keys to the list of
2681 * validated keys. */
2682
2683 DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
2684
2685 r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
2686 if (r < 0)
2687 return r;
2688 if (r == 0)
2689 continue;
2690
2691 /* If so, the DNSKEY is validated too. */
2692 r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
2693 if (r < 0)
2694 return r;
2695 }
2696
2697 return 0;
2698 }
2699
2700 static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
2701 int r;
2702
2703 assert(t);
2704 assert(rr);
2705
2706 /* Checks if the RR we are looking for must be signed with an
2707 * RRSIG. This is used for positive responses. */
2708
2709 if (t->scope->dnssec_mode == DNSSEC_NO)
2710 return false;
2711
2712 if (dns_type_is_pseudo(rr->key->type))
2713 return -EINVAL;
2714
2715 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2716 if (r < 0)
2717 return r;
2718 if (r > 0)
2719 return false;
2720
2721 switch (rr->key->type) {
2722
2723 case DNS_TYPE_RRSIG:
2724 /* RRSIGs are the signatures themselves, they need no signing. */
2725 return false;
2726
2727 case DNS_TYPE_SOA:
2728 case DNS_TYPE_NS: {
2729 DnsTransaction *dt;
2730
2731 /* For SOA or NS RRs we look for a matching DS transaction */
2732
2733 SET_FOREACH(dt, t->dnssec_transactions) {
2734
2735 if (dns_transaction_key(dt)->class != rr->key->class)
2736 continue;
2737 if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
2738 continue;
2739
2740 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
2741 if (r < 0)
2742 return r;
2743 if (r == 0)
2744 continue;
2745
2746 /* We found a DS transactions for the SOA/NS
2747 * RRs we are looking at. If it discovered signed DS
2748 * RRs, then we need to be signed, too. */
2749
2750 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
2751 return false;
2752
2753 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
2754 }
2755
2756 /* We found nothing that proves this is safe to leave
2757 * this unauthenticated, hence ask inist on
2758 * authentication. */
2759 return true;
2760 }
2761
2762 case DNS_TYPE_DS:
2763 case DNS_TYPE_CNAME:
2764 case DNS_TYPE_DNAME: {
2765 const char *parent = NULL;
2766 DnsTransaction *dt;
2767
2768 /*
2769 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2770 *
2771 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2772 */
2773
2774 SET_FOREACH(dt, t->dnssec_transactions) {
2775
2776 if (dns_transaction_key(dt)->class != rr->key->class)
2777 continue;
2778 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
2779 continue;
2780
2781 if (!parent) {
2782 parent = dns_resource_key_name(rr->key);
2783 r = dns_name_parent(&parent);
2784 if (r < 0)
2785 return r;
2786 if (r == 0) {
2787 if (rr->key->type == DNS_TYPE_DS)
2788 return true;
2789
2790 /* A CNAME/DNAME without a parent? That's sooo weird. */
2791 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2792 "Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
2793 }
2794 }
2795
2796 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent);
2797 if (r < 0)
2798 return r;
2799 if (r == 0)
2800 continue;
2801
2802 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2803 }
2804
2805 return true;
2806 }
2807
2808 default: {
2809 DnsTransaction *dt;
2810
2811 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
2812
2813 SET_FOREACH(dt, t->dnssec_transactions) {
2814
2815 if (dns_transaction_key(dt)->class != rr->key->class)
2816 continue;
2817 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
2818 continue;
2819
2820 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
2821 if (r < 0)
2822 return r;
2823 if (r == 0)
2824 continue;
2825
2826 /* We found the transaction that was supposed to find the SOA RR for us. It was
2827 * successful, but found no RR for us. This means we are not at a zone cut. In this
2828 * case, we require authentication if the SOA lookup was authenticated too. */
2829 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2830 }
2831
2832 return true;
2833 }}
2834 }
2835
2836 static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2837 DnsTransaction *dt;
2838 const char *tld;
2839 int r;
2840
2841 /* If DNSSEC downgrade mode is on, checks whether the
2842 * specified RR is one level below a TLD we have proven not to
2843 * exist. In such a case we assume that this is a private
2844 * domain, and permit it.
2845 *
2846 * This detects cases like the Fritz!Box router networks. Each
2847 * Fritz!Box router serves a private "fritz.box" zone, in the
2848 * non-existing TLD "box". Requests for the "fritz.box" domain
2849 * are served by the router itself, while requests for the
2850 * "box" domain will result in NXDOMAIN.
2851 *
2852 * Note that this logic is unable to detect cases where a
2853 * router serves a private DNS zone directly under
2854 * non-existing TLD. In such a case we cannot detect whether
2855 * the TLD is supposed to exist or not, as all requests we
2856 * make for it will be answered by the router's zone, and not
2857 * by the root zone. */
2858
2859 assert(t);
2860
2861 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2862 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2863
2864 tld = dns_resource_key_name(key);
2865 r = dns_name_parent(&tld);
2866 if (r < 0)
2867 return r;
2868 if (r == 0)
2869 return false; /* Already the root domain */
2870
2871 if (!dns_name_is_single_label(tld))
2872 return false;
2873
2874 SET_FOREACH(dt, t->dnssec_transactions) {
2875
2876 if (dns_transaction_key(dt)->class != key->class)
2877 continue;
2878
2879 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), tld);
2880 if (r < 0)
2881 return r;
2882 if (r == 0)
2883 continue;
2884
2885 /* We found an auxiliary lookup we did for the TLD. If
2886 * that returned with NXDOMAIN, we know the TLD didn't
2887 * exist, and hence this might be a private zone. */
2888
2889 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2890 }
2891
2892 return false;
2893 }
2894
2895 static int dns_transaction_requires_nsec(DnsTransaction *t) {
2896 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
2897 DnsTransaction *dt;
2898 const char *name;
2899 uint16_t type = 0;
2900 int r;
2901
2902 assert(t);
2903
2904 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2905 * this negative reply */
2906
2907 if (t->scope->dnssec_mode == DNSSEC_NO)
2908 return false;
2909
2910 if (dns_type_is_pseudo(dns_transaction_key(t)->type))
2911 return -EINVAL;
2912
2913 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
2914 if (r < 0)
2915 return r;
2916 if (r > 0)
2917 return false;
2918
2919 r = dns_transaction_in_private_tld(t, dns_transaction_key(t));
2920 if (r < 0)
2921 return r;
2922 if (r > 0) {
2923 /* The lookup is from a TLD that is proven not to
2924 * exist, and we are in downgrade mode, hence ignore
2925 * that fact that we didn't get any NSEC RRs. */
2926
2927 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
2928 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
2929 return false;
2930 }
2931
2932 name = dns_resource_key_name(dns_transaction_key(t));
2933
2934 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
2935
2936 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
2937 * hence check the parent SOA in this case. */
2938
2939 r = dns_name_parent(&name);
2940 if (r < 0)
2941 return r;
2942 if (r == 0)
2943 return true;
2944
2945 type = DNS_TYPE_SOA;
2946
2947 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS))
2948 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
2949 type = DNS_TYPE_DS;
2950 else
2951 /* For all other negative replies, check for the SOA lookup */
2952 type = DNS_TYPE_SOA;
2953
2954 /* For all other RRs we check the SOA on the same level to see
2955 * if it's signed. */
2956
2957 SET_FOREACH(dt, t->dnssec_transactions) {
2958
2959 if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class)
2960 continue;
2961 if (dns_transaction_key(dt)->type != type)
2962 continue;
2963
2964 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name);
2965 if (r < 0)
2966 return r;
2967 if (r == 0)
2968 continue;
2969
2970 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2971 }
2972
2973 /* If in doubt, require NSEC/NSEC3 */
2974 return true;
2975 }
2976
2977 static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2978 DnsResourceRecord *rrsig;
2979 bool found = false;
2980 int r;
2981
2982 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2983 * the specified RRset is authenticated (i.e. has a matching
2984 * DS RR). */
2985
2986 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2987 if (r < 0)
2988 return r;
2989 if (r > 0)
2990 return false;
2991
2992 DNS_ANSWER_FOREACH(rrsig, t->answer) {
2993 DnsTransaction *dt;
2994
2995 r = dnssec_key_match_rrsig(rr->key, rrsig);
2996 if (r < 0)
2997 return r;
2998 if (r == 0)
2999 continue;
3000
3001 SET_FOREACH(dt, t->dnssec_transactions) {
3002
3003 if (dns_transaction_key(dt)->class != rr->key->class)
3004 continue;
3005
3006 if (dns_transaction_key(dt)->type == DNS_TYPE_DNSKEY) {
3007
3008 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
3009 if (r < 0)
3010 return r;
3011 if (r == 0)
3012 continue;
3013
3014 /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
3015 * report this. */
3016
3017 if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3018 return true;
3019
3020 found = true;
3021
3022 } else if (dns_transaction_key(dt)->type == DNS_TYPE_DS) {
3023
3024 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
3025 if (r < 0)
3026 return r;
3027 if (r == 0)
3028 continue;
3029
3030 /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
3031 * non-zero, we won! */
3032
3033 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3034 return false;
3035
3036 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
3037 }
3038 }
3039 }
3040
3041 return found ? false : -ENXIO;
3042 }
3043
3044 static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
3045 assert(t);
3046 assert(rr);
3047
3048 /* We know that the root domain is signed, hence if it appears
3049 * not to be signed, there's a problem with the DNS server */
3050
3051 return rr->key->class == DNS_CLASS_IN &&
3052 dns_name_is_root(dns_resource_key_name(rr->key));
3053 }
3054
3055 static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
3056 DnsResourceRecord *rr;
3057 int r;
3058
3059 assert(t);
3060
3061 /* Maybe warn the user that we encountered a revoked DNSKEY
3062 * for a key from our trust anchor. Note that we don't care
3063 * whether the DNSKEY can be authenticated or not. It's
3064 * sufficient if it is self-signed. */
3065
3066 DNS_ANSWER_FOREACH(rr, t->answer) {
3067 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
3068 if (r < 0)
3069 return r;
3070 }
3071
3072 return 0;
3073 }
3074
3075 static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
3076 bool changed;
3077 int r;
3078
3079 assert(t);
3080
3081 /* Removes all DNSKEY/DS objects from t->validated_keys that
3082 * our trust anchors database considers revoked. */
3083
3084 do {
3085 DnsResourceRecord *rr;
3086
3087 changed = false;
3088
3089 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
3090 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
3091 if (r < 0)
3092 return r;
3093 if (r > 0) {
3094 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
3095 if (r < 0)
3096 return r;
3097
3098 assert(r > 0);
3099 changed = true;
3100 break;
3101 }
3102 }
3103 } while (changed);
3104
3105 return 0;
3106 }
3107
3108 static int dns_transaction_copy_validated(DnsTransaction *t) {
3109 DnsTransaction *dt;
3110 int r;
3111
3112 assert(t);
3113
3114 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
3115
3116 SET_FOREACH(dt, t->dnssec_transactions) {
3117
3118 if (DNS_TRANSACTION_IS_LIVE(dt->state))
3119 continue;
3120
3121 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3122 continue;
3123
3124 r = dns_answer_extend(&t->validated_keys, dt->answer);
3125 if (r < 0)
3126 return r;
3127 }
3128
3129 return 0;
3130 }
3131
3132 typedef enum {
3133 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
3134 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
3135 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
3136 } Phase;
3137
3138 static int dnssec_validate_records(
3139 DnsTransaction *t,
3140 Phase phase,
3141 bool *have_nsec,
3142 DnsAnswer **validated) {
3143
3144 DnsResourceRecord *rr;
3145 int r;
3146
3147 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
3148
3149 DNS_ANSWER_FOREACH(rr, t->answer) {
3150 _unused_ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr_ref = dns_resource_record_ref(rr);
3151 DnsResourceRecord *rrsig = NULL;
3152 DnssecResult result;
3153
3154 switch (rr->key->type) {
3155 case DNS_TYPE_RRSIG:
3156 continue;
3157
3158 case DNS_TYPE_DNSKEY:
3159 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
3160 if (phase == DNSSEC_PHASE_NSEC)
3161 continue;
3162 break;
3163
3164 case DNS_TYPE_NSEC:
3165 case DNS_TYPE_NSEC3:
3166 *have_nsec = true;
3167
3168 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
3169 if (phase == DNSSEC_PHASE_DNSKEY)
3170 continue;
3171 break;
3172
3173 default:
3174 /* We validate all other RRs only in the ALL phases */
3175 if (phase != DNSSEC_PHASE_ALL)
3176 continue;
3177 }
3178
3179 r = dnssec_verify_rrset_search(
3180 t->answer,
3181 rr->key,
3182 t->validated_keys,
3183 USEC_INFINITY,
3184 &result,
3185 &rrsig);
3186 if (r < 0)
3187 return r;
3188
3189 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
3190
3191 if (result == DNSSEC_VALIDATED) {
3192 assert(rrsig);
3193
3194 if (rr->key->type == DNS_TYPE_DNSKEY) {
3195 /* If we just validated a DNSKEY RRset, then let's add these keys to
3196 * the set of validated keys for this transaction. */
3197
3198 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
3199 if (r < 0)
3200 return r;
3201
3202 /* Some of the DNSKEYs we just added might already have been revoked,
3203 * remove them again in that case. */
3204 r = dns_transaction_invalidate_revoked_keys(t);
3205 if (r < 0)
3206 return r;
3207 }
3208
3209 /* Add the validated RRset to the new list of validated RRsets, and remove it from
3210 * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
3211 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
3212 if (r < 0)
3213 return r;
3214
3215 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
3216
3217 /* Exit the loop, we dropped something from the answer, start from the beginning */
3218 return 1;
3219 }
3220
3221 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
3222 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
3223 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
3224 if (phase != DNSSEC_PHASE_ALL)
3225 continue;
3226
3227 if (result == DNSSEC_VALIDATED_WILDCARD) {
3228 bool authenticated = false;
3229 const char *source;
3230
3231 assert(rrsig);
3232
3233 /* This RRset validated, but as a wildcard. This means we need
3234 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
3235
3236 /* First step, determine the source of synthesis */
3237 r = dns_resource_record_source(rrsig, &source);
3238 if (r < 0)
3239 return r;
3240
3241 r = dnssec_test_positive_wildcard(*validated,
3242 dns_resource_key_name(rr->key),
3243 source,
3244 rrsig->rrsig.signer,
3245 &authenticated);
3246
3247 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
3248 if (r == 0)
3249 result = DNSSEC_INVALID;
3250 else {
3251 r = dns_answer_move_by_key(
3252 validated,
3253 &t->answer,
3254 rr->key,
3255 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
3256 rrsig);
3257 if (r < 0)
3258 return r;
3259
3260 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
3261
3262 /* Exit the loop, we dropped something from the answer, start from the beginning */
3263 return 1;
3264 }
3265 }
3266
3267 if (result == DNSSEC_NO_SIGNATURE) {
3268 r = dns_transaction_requires_rrsig(t, rr);
3269 if (r < 0)
3270 return r;
3271 if (r == 0) {
3272 /* Data does not require signing. In that case, just copy it over,
3273 * but remember that this is by no means authenticated. */
3274 r = dns_answer_move_by_key(
3275 validated,
3276 &t->answer,
3277 rr->key,
3278 0,
3279 NULL);
3280 if (r < 0)
3281 return r;
3282
3283 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3284 return 1;
3285 }
3286
3287 r = dns_transaction_known_signed(t, rr);
3288 if (r < 0)
3289 return r;
3290 if (r > 0) {
3291 /* This is an RR we know has to be signed. If it isn't this means
3292 * the server is not attaching RRSIGs, hence complain. */
3293
3294 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
3295
3296 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
3297
3298 /* Downgrading is OK? If so, just consider the information unsigned */
3299
3300 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3301 if (r < 0)
3302 return r;
3303
3304 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3305 return 1;
3306 }
3307
3308 /* Otherwise, fail */
3309 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3310 return 0;
3311 }
3312
3313 r = dns_transaction_in_private_tld(t, rr->key);
3314 if (r < 0)
3315 return r;
3316 if (r > 0) {
3317 char s[DNS_RESOURCE_KEY_STRING_MAX];
3318
3319 /* The data is from a TLD that is proven not to exist, and we are in downgrade
3320 * mode, hence ignore the fact that this was not signed. */
3321
3322 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
3323 dns_resource_key_to_string(rr->key, s, sizeof s));
3324
3325 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3326 if (r < 0)
3327 return r;
3328
3329 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3330 return 1;
3331 }
3332 }
3333
3334 if (IN_SET(result,
3335 DNSSEC_MISSING_KEY,
3336 DNSSEC_SIGNATURE_EXPIRED,
3337 DNSSEC_UNSUPPORTED_ALGORITHM)) {
3338
3339 r = dns_transaction_dnskey_authenticated(t, rr);
3340 if (r < 0 && r != -ENXIO)
3341 return r;
3342 if (r == 0) {
3343 /* The DNSKEY transaction was not authenticated, this means there's
3344 * no DS for this, which means it's OK if no keys are found for this signature. */
3345
3346 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3347 if (r < 0)
3348 return r;
3349
3350 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3351 return 1;
3352 }
3353 }
3354
3355 r = dns_transaction_is_primary_response(t, rr);
3356 if (r < 0)
3357 return r;
3358 if (r > 0) {
3359 /* Look for a matching DNAME for this CNAME */
3360 r = dns_answer_has_dname_for_cname(t->answer, rr);
3361 if (r < 0)
3362 return r;
3363 if (r == 0) {
3364 /* Also look among the stuff we already validated */
3365 r = dns_answer_has_dname_for_cname(*validated, rr);
3366 if (r < 0)
3367 return r;
3368 }
3369
3370 if (r == 0) {
3371 if (IN_SET(result,
3372 DNSSEC_INVALID,
3373 DNSSEC_SIGNATURE_EXPIRED,
3374 DNSSEC_NO_SIGNATURE))
3375 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
3376 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
3377 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
3378
3379 /* This is a primary response to our question, and it failed validation.
3380 * That's fatal. */
3381 t->answer_dnssec_result = result;
3382 return 0;
3383 }
3384
3385 /* This is a primary response, but we do have a DNAME RR
3386 * in the RR that can replay this CNAME, hence rely on
3387 * that, and we can remove the CNAME in favour of it. */
3388 }
3389
3390 /* This is just some auxiliary data. Just remove the RRset and continue. */
3391 r = dns_answer_remove_by_key(&t->answer, rr->key);
3392 if (r < 0)
3393 return r;
3394
3395 /* We dropped something from the answer, start from the beginning. */
3396 return 1;
3397 }
3398
3399 return 2; /* Finito. */
3400 }
3401
3402 int dns_transaction_validate_dnssec(DnsTransaction *t) {
3403 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
3404 Phase phase;
3405 DnsAnswerFlags flags;
3406 int r;
3407 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
3408
3409 assert(t);
3410
3411 /* We have now collected all DS and DNSKEY RRs in t->validated_keys, let's see which RRs we can now
3412 * authenticate with that. */
3413
3414 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
3415 return 0;
3416
3417 /* Already validated */
3418 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3419 return 0;
3420
3421 /* Our own stuff needs no validation */
3422 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3423 t->answer_dnssec_result = DNSSEC_VALIDATED;
3424 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
3425 return 0;
3426 }
3427
3428 /* Cached stuff is not affected by validation. */
3429 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3430 return 0;
3431
3432 if (!dns_transaction_dnssec_supported_full(t)) {
3433 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3434 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3435 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
3436 return 0;
3437 }
3438
3439 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3440 t->id,
3441 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
3442
3443 /* First, see if this response contains any revoked trust
3444 * anchors we care about */
3445 r = dns_transaction_check_revoked_trust_anchors(t);
3446 if (r < 0)
3447 return r;
3448
3449 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3450 r = dns_transaction_copy_validated(t);
3451 if (r < 0)
3452 return r;
3453
3454 /* Second, see if there are DNSKEYs we already know a
3455 * validated DS for. */
3456 r = dns_transaction_validate_dnskey_by_ds(t);
3457 if (r < 0)
3458 return r;
3459
3460 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3461 * anchor says are revoked. After all we might have marked
3462 * some keys revoked above, but they might still be lingering
3463 * in our validated_keys list. */
3464 r = dns_transaction_invalidate_revoked_keys(t);
3465 if (r < 0)
3466 return r;
3467
3468 phase = DNSSEC_PHASE_DNSKEY;
3469 for (;;) {
3470 bool have_nsec = false;
3471
3472 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3473 if (r <= 0)
3474 return r;
3475
3476 /* Try again as long as we managed to achieve something */
3477 if (r == 1)
3478 continue;
3479
3480 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
3481 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
3482 phase = DNSSEC_PHASE_NSEC;
3483 continue;
3484 }
3485
3486 if (phase != DNSSEC_PHASE_ALL) {
3487 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3488 * Note that in this third phase we start to remove RRs we couldn't validate. */
3489 phase = DNSSEC_PHASE_ALL;
3490 continue;
3491 }
3492
3493 /* We're done */
3494 break;
3495 }
3496
3497 DNS_ANSWER_REPLACE(t->answer, TAKE_PTR(validated));
3498
3499 /* At this point the answer only contains validated
3500 * RRsets. Now, let's see if it actually answers the question
3501 * we asked. If so, great! If it doesn't, then see if
3502 * NSEC/NSEC3 can prove this. */
3503 r = dns_transaction_has_positive_answer(t, &flags);
3504 if (r > 0) {
3505 /* Yes, it answers the question! */
3506
3507 if (flags & DNS_ANSWER_AUTHENTICATED) {
3508 /* The answer is fully authenticated, yay. */
3509 t->answer_dnssec_result = DNSSEC_VALIDATED;
3510 t->answer_rcode = DNS_RCODE_SUCCESS;
3511 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
3512 } else {
3513 /* The answer is not fully authenticated. */
3514 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3515 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3516 }
3517
3518 } else if (r == 0) {
3519 DnssecNsecResult nr;
3520 bool authenticated = false;
3521
3522 /* Bummer! Let's check NSEC/NSEC3 */
3523 r = dnssec_nsec_test(t->answer, dns_transaction_key(t), &nr, &authenticated, &t->answer_nsec_ttl);
3524 if (r < 0)
3525 return r;
3526
3527 switch (nr) {
3528
3529 case DNSSEC_NSEC_NXDOMAIN:
3530 /* NSEC proves the domain doesn't exist. Very good. */
3531 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3532 t->answer_dnssec_result = DNSSEC_VALIDATED;
3533 t->answer_rcode = DNS_RCODE_NXDOMAIN;
3534 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
3535
3536 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
3537 break;
3538
3539 case DNSSEC_NSEC_NODATA:
3540 /* NSEC proves that there's no data here, very good. */
3541 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3542 t->answer_dnssec_result = DNSSEC_VALIDATED;
3543 t->answer_rcode = DNS_RCODE_SUCCESS;
3544 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
3545
3546 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
3547 break;
3548
3549 case DNSSEC_NSEC_OPTOUT:
3550 /* NSEC3 says the data might not be signed */
3551 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3552 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3553 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3554
3555 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
3556 break;
3557
3558 case DNSSEC_NSEC_NO_RR:
3559 /* No NSEC data? Bummer! */
3560
3561 r = dns_transaction_requires_nsec(t);
3562 if (r < 0)
3563 return r;
3564 if (r > 0) {
3565 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
3566 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
3567 } else {
3568 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3569 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3570 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
3571 }
3572
3573 break;
3574
3575 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3576 /* We don't know the NSEC3 algorithm used? */
3577 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
3578 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, dns_transaction_key(t));
3579 break;
3580
3581 case DNSSEC_NSEC_FOUND:
3582 case DNSSEC_NSEC_CNAME:
3583 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
3584 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
3585 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
3586 break;
3587
3588 default:
3589 assert_not_reached();
3590 }
3591 }
3592
3593 return 1;
3594 }
3595
3596 static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
3597 [DNS_TRANSACTION_NULL] = "null",
3598 [DNS_TRANSACTION_PENDING] = "pending",
3599 [DNS_TRANSACTION_VALIDATING] = "validating",
3600 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3601 [DNS_TRANSACTION_SUCCESS] = "success",
3602 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3603 [DNS_TRANSACTION_TIMEOUT] = "timeout",
3604 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
3605 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3606 [DNS_TRANSACTION_ERRNO] = "errno",
3607 [DNS_TRANSACTION_ABORTED] = "aborted",
3608 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3609 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3610 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3611 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3612 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3613 [DNS_TRANSACTION_NO_SOURCE] = "no-source",
3614 [DNS_TRANSACTION_STUB_LOOP] = "stub-loop",
3615 };
3616 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
3617
3618 static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
3619 [DNS_TRANSACTION_NETWORK] = "network",
3620 [DNS_TRANSACTION_CACHE] = "cache",
3621 [DNS_TRANSACTION_ZONE] = "zone",
3622 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
3623 };
3624 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.