]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #30513 from rpigott/resolved-ede
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "sd-messages.h"
4
5 #include "af-list.h"
6 #include "alloc-util.h"
7 #include "dns-domain.h"
8 #include "errno-list.h"
9 #include "errno-util.h"
10 #include "fd-util.h"
11 #include "glyph-util.h"
12 #include "random-util.h"
13 #include "resolved-dns-cache.h"
14 #include "resolved-dns-transaction.h"
15 #include "resolved-dnstls.h"
16 #include "resolved-llmnr.h"
17 #include "string-table.h"
18
19 #define TRANSACTIONS_MAX 4096
20 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
21
22 /* After how much time to repeat classic DNS requests */
23 #define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
24
25 static void dns_transaction_reset_answer(DnsTransaction *t) {
26 assert(t);
27
28 t->received = dns_packet_unref(t->received);
29 t->answer = dns_answer_unref(t->answer);
30 t->answer_rcode = 0;
31 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
32 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
33 t->answer_query_flags = 0;
34 t->answer_nsec_ttl = UINT32_MAX;
35 t->answer_errno = 0;
36 }
37
38 static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
39 DnsTransaction *z;
40
41 assert(t);
42
43 while ((z = set_steal_first(t->dnssec_transactions))) {
44 set_remove(z->notify_transactions, t);
45 set_remove(z->notify_transactions_done, t);
46 dns_transaction_gc(z);
47 }
48 }
49
50 static void dns_transaction_close_connection(
51 DnsTransaction *t,
52 bool use_graveyard) { /* Set use_graveyard = false when you know the connection is already
53 * dead, for example because you got a connection error back from the
54 * kernel. In that case there's no point in keeping the fd around,
55 * hence don't. */
56 int r;
57
58 assert(t);
59
60 if (t->stream) {
61 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
62 LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
63
64 /* Remove packet in case it's still in the queue */
65 dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
66
67 t->stream = dns_stream_unref(t->stream);
68 }
69
70 t->dns_udp_event_source = sd_event_source_disable_unref(t->dns_udp_event_source);
71
72 /* If we have a UDP socket where we sent a packet, but never received one, then add it to the socket
73 * graveyard, instead of closing it right away. That way it will stick around for a moment longer,
74 * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP
75 * port unreachable error message. */
76
77 /* Skip the graveyard stuff when we're shutting down, since that requires running event loop.
78 * Note that this is also called from dns_transaction_free(). In that case, scope may be NULL. */
79 if (!t->scope ||
80 !t->scope->manager ||
81 !t->scope->manager->event ||
82 sd_event_get_state(t->scope->manager->event) == SD_EVENT_FINISHED)
83 use_graveyard = false;
84
85 if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) {
86 r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd);
87 if (r < 0)
88 log_debug_errno(r, "Failed to add UDP socket to graveyard, closing immediately: %m");
89 else
90 TAKE_FD(t->dns_udp_fd);
91 }
92
93 t->dns_udp_fd = safe_close(t->dns_udp_fd);
94 }
95
96 static void dns_transaction_stop_timeout(DnsTransaction *t) {
97 assert(t);
98
99 t->timeout_event_source = sd_event_source_disable_unref(t->timeout_event_source);
100 }
101
102 DnsTransaction* dns_transaction_free(DnsTransaction *t) {
103 DnsQueryCandidate *c;
104 DnsZoneItem *i;
105 DnsTransaction *z;
106
107 if (!t)
108 return NULL;
109
110 log_debug("Freeing transaction %" PRIu16 ".", t->id);
111
112 dns_transaction_close_connection(t, true);
113 dns_transaction_stop_timeout(t);
114
115 dns_packet_unref(t->sent);
116 dns_transaction_reset_answer(t);
117
118 dns_server_unref(t->server);
119
120 if (t->scope) {
121 if (t->key) {
122 DnsTransaction *first;
123
124 first = hashmap_get(t->scope->transactions_by_key, t->key);
125 LIST_REMOVE(transactions_by_key, first, t);
126 if (first)
127 hashmap_replace(t->scope->transactions_by_key, first->key, first);
128 else
129 hashmap_remove(t->scope->transactions_by_key, t->key);
130 }
131
132 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
133
134 if (t->id != 0)
135 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
136 }
137
138 while ((c = set_steal_first(t->notify_query_candidates)))
139 set_remove(c->transactions, t);
140 set_free(t->notify_query_candidates);
141
142 while ((c = set_steal_first(t->notify_query_candidates_done)))
143 set_remove(c->transactions, t);
144 set_free(t->notify_query_candidates_done);
145
146 while ((i = set_steal_first(t->notify_zone_items)))
147 i->probe_transaction = NULL;
148 set_free(t->notify_zone_items);
149
150 while ((i = set_steal_first(t->notify_zone_items_done)))
151 i->probe_transaction = NULL;
152 set_free(t->notify_zone_items_done);
153
154 while ((z = set_steal_first(t->notify_transactions)))
155 set_remove(z->dnssec_transactions, t);
156 set_free(t->notify_transactions);
157
158 while ((z = set_steal_first(t->notify_transactions_done)))
159 set_remove(z->dnssec_transactions, t);
160 set_free(t->notify_transactions_done);
161
162 dns_transaction_flush_dnssec_transactions(t);
163 set_free(t->dnssec_transactions);
164
165 dns_answer_unref(t->validated_keys);
166 dns_resource_key_unref(t->key);
167 dns_packet_unref(t->bypass);
168
169 free(t->answer_ede_msg);
170
171 return mfree(t);
172 }
173
174 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
175
176 DnsTransaction* dns_transaction_gc(DnsTransaction *t) {
177 assert(t);
178
179 /* Returns !NULL if we can't gc yet. */
180
181 if (t->block_gc > 0)
182 return t;
183
184 if (set_isempty(t->notify_query_candidates) &&
185 set_isempty(t->notify_query_candidates_done) &&
186 set_isempty(t->notify_zone_items) &&
187 set_isempty(t->notify_zone_items_done) &&
188 set_isempty(t->notify_transactions) &&
189 set_isempty(t->notify_transactions_done))
190 return dns_transaction_free(t);
191
192 return t;
193 }
194
195 static uint16_t pick_new_id(Manager *m) {
196 uint16_t new_id;
197
198 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the
199 * number of transactions, and it's much lower than the space of IDs. */
200
201 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
202
203 do
204 random_bytes(&new_id, sizeof(new_id));
205 while (new_id == 0 ||
206 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
207
208 return new_id;
209 }
210
211 static int key_ok(
212 DnsScope *scope,
213 DnsResourceKey *key) {
214
215 /* Don't allow looking up invalid or pseudo RRs */
216 if (!dns_type_is_valid_query(key->type))
217 return -EINVAL;
218 if (dns_type_is_obsolete(key->type))
219 return -EOPNOTSUPP;
220
221 /* We only support the IN class */
222 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
223 return -EOPNOTSUPP;
224
225 /* Don't allows DNSSEC RRs to be looked up via LLMNR/mDNS. They don't really make sense
226 * there, and it speeds up our queries if we refuse this early */
227 if (scope->protocol != DNS_PROTOCOL_DNS &&
228 dns_type_is_dnssec(key->type))
229 return -EOPNOTSUPP;
230
231 return 0;
232 }
233
234 int dns_transaction_new(
235 DnsTransaction **ret,
236 DnsScope *s,
237 DnsResourceKey *key,
238 DnsPacket *bypass,
239 uint64_t query_flags) {
240
241 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
242 int r;
243
244 assert(ret);
245 assert(s);
246
247 if (key) {
248 assert(!bypass);
249
250 r = key_ok(s, key);
251 if (r < 0)
252 return r;
253 } else {
254 DnsResourceKey *qk;
255 assert(bypass);
256
257 r = dns_packet_validate_query(bypass);
258 if (r < 0)
259 return r;
260
261 DNS_QUESTION_FOREACH(qk, bypass->question) {
262 r = key_ok(s, qk);
263 if (r < 0)
264 return r;
265 }
266 }
267
268 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
269 return -EBUSY;
270
271 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
272 if (r < 0)
273 return r;
274
275 if (key) {
276 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
277 if (r < 0)
278 return r;
279 }
280
281 t = new(DnsTransaction, 1);
282 if (!t)
283 return -ENOMEM;
284
285 *t = (DnsTransaction) {
286 .dns_udp_fd = -EBADF,
287 .answer_source = _DNS_TRANSACTION_SOURCE_INVALID,
288 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
289 .answer_ede_rcode = _DNS_EDE_RCODE_INVALID,
290 .answer_nsec_ttl = UINT32_MAX,
291 .key = dns_resource_key_ref(key),
292 .query_flags = query_flags,
293 .bypass = dns_packet_ref(bypass),
294 .current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID,
295 .clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID,
296 .id = pick_new_id(s->manager),
297 };
298
299 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
300 if (r < 0) {
301 t->id = 0;
302 return r;
303 }
304
305 if (t->key) {
306 DnsTransaction *first;
307
308 first = hashmap_get(s->transactions_by_key, t->key);
309 LIST_PREPEND(transactions_by_key, first, t);
310
311 r = hashmap_replace(s->transactions_by_key, first->key, first);
312 if (r < 0) {
313 LIST_REMOVE(transactions_by_key, first, t);
314 return r;
315 }
316 }
317
318 LIST_PREPEND(transactions_by_scope, s->transactions, t);
319 t->scope = s;
320
321 s->manager->n_transactions_total++;
322
323 if (ret)
324 *ret = t;
325
326 TAKE_PTR(t);
327 return 0;
328 }
329
330 static void dns_transaction_shuffle_id(DnsTransaction *t) {
331 uint16_t new_id;
332 assert(t);
333
334 /* Pick a new ID for this transaction. */
335
336 new_id = pick_new_id(t->scope->manager);
337 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
338
339 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
340 t->id = new_id;
341
342 /* Make sure we generate a new packet with the new ID */
343 t->sent = dns_packet_unref(t->sent);
344 }
345
346 static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
347 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
348 DnsZoneItem *z;
349
350 assert(t);
351 assert(p);
352 assert(t->scope->protocol == DNS_PROTOCOL_LLMNR);
353
354 if (manager_packet_from_local_address(t->scope->manager, p) != 0)
355 return;
356
357 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
358 t->id,
359 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
360 dns_protocol_to_string(t->scope->protocol),
361 t->scope->link ? t->scope->link->ifname : "*",
362 af_to_name_short(t->scope->family),
363 IN_ADDR_TO_STRING(p->family, &p->sender));
364
365 /* RFC 4795, Section 4.1 says that the peer with the
366 * lexicographically smaller IP address loses */
367 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
368 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
369 return;
370 }
371
372 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
373
374 t->block_gc++;
375
376 while ((z = set_first(t->notify_zone_items))) {
377 /* First, make sure the zone item drops the reference
378 * to us */
379 dns_zone_item_probe_stop(z);
380
381 /* Secondly, report this as conflict, so that we might
382 * look for a different hostname */
383 dns_zone_item_conflict(z);
384 }
385 t->block_gc--;
386
387 dns_transaction_gc(t);
388 }
389
390 void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
391 DnsQueryCandidate *c;
392 DnsZoneItem *z;
393 DnsTransaction *d;
394 const char *st;
395 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
396
397 assert(t);
398 assert(!DNS_TRANSACTION_IS_LIVE(state));
399
400 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
401 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
402
403 log_struct(LOG_NOTICE,
404 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
405 LOG_MESSAGE("DNSSEC validation failed for question %s: %s",
406 key_str, dnssec_result_to_string(t->answer_dnssec_result)),
407 "DNS_TRANSACTION=%" PRIu16, t->id,
408 "DNS_QUESTION=%s", key_str,
409 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
410 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
411 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
412 }
413
414 if (state == DNS_TRANSACTION_UPSTREAM_DNSSEC_FAILURE) {
415 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
416
417 log_struct(LOG_NOTICE,
418 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
419 LOG_MESSAGE("Upstream resolver reported failure for question %s: %s%s%s",
420 key_str, dns_ede_rcode_to_string(t->answer_ede_rcode),
421 isempty(t->answer_ede_msg) ? "" : ": ", t->answer_ede_msg),
422 "DNS_TRANSACTION=%" PRIu16, t->id,
423 "DNS_QUESTION=%s", key_str,
424 "DNS_EDE_RCODE=%s", dns_ede_rcode_to_string(t->answer_ede_rcode),
425 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
426 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
427 }
428
429 /* Note that this call might invalidate the query. Callers
430 * should hence not attempt to access the query or transaction
431 * after calling this function. */
432
433 if (state == DNS_TRANSACTION_ERRNO)
434 st = errno_to_name(t->answer_errno);
435 else
436 st = dns_transaction_state_to_string(state);
437
438 log_debug("%s transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s; %s).",
439 t->bypass ? "Bypass" : "Regular",
440 t->id,
441 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
442 dns_protocol_to_string(t->scope->protocol),
443 t->scope->link ? t->scope->link->ifname : "*",
444 af_to_name_short(t->scope->family),
445 st,
446 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
447 FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
448 (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"),
449 FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential");
450
451 t->state = state;
452
453 dns_transaction_close_connection(t, true);
454 dns_transaction_stop_timeout(t);
455
456 /* Notify all queries that are interested, but make sure the
457 * transaction isn't freed while we are still looking at it */
458 t->block_gc++;
459
460 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
461 dns_query_candidate_notify(c);
462 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
463
464 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
465 dns_zone_item_notify(z);
466 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
467 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
468 (void) dns_scope_announce(t->scope, false);
469
470 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
471 dns_transaction_notify(d, t);
472 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
473
474 t->block_gc--;
475 dns_transaction_gc(t);
476 }
477
478 static void dns_transaction_complete_errno(DnsTransaction *t, int error) {
479 assert(t);
480 assert(error != 0);
481
482 t->answer_errno = abs(error);
483 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
484 }
485
486 static int dns_transaction_pick_server(DnsTransaction *t) {
487 DnsServer *server;
488
489 assert(t);
490 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
491
492 /* Pick a DNS server and a feature level for it. */
493
494 server = dns_scope_get_dns_server(t->scope);
495 if (!server)
496 return -ESRCH;
497
498 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
499 * different properties. */
500 if (server != t->server)
501 t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
502
503 t->current_feature_level = dns_server_possible_feature_level(server);
504
505 /* Clamp the feature level if that is requested. */
506 if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
507 t->current_feature_level > t->clamp_feature_level_servfail)
508 t->current_feature_level = t->clamp_feature_level_servfail;
509
510 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
511
512 if (server == t->server)
513 return 0;
514
515 dns_server_unref(t->server);
516 t->server = dns_server_ref(server);
517
518 t->n_picked_servers++;
519
520 log_debug("Using DNS server %s for transaction %u.", strna(dns_server_string_full(t->server)), t->id);
521
522 return 1;
523 }
524
525 static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
526 int r;
527
528 assert(t);
529
530 /* Retries the transaction as it is, possibly on a different server */
531
532 if (next_server && t->scope->protocol == DNS_PROTOCOL_DNS)
533 log_debug("Retrying transaction %" PRIu16 ", after switching servers.", t->id);
534 else
535 log_debug("Retrying transaction %" PRIu16 ".", t->id);
536
537 /* Before we try again, switch to a new server. */
538 if (next_server)
539 dns_scope_next_dns_server(t->scope, t->server);
540
541 r = dns_transaction_go(t);
542 if (r < 0)
543 dns_transaction_complete_errno(t, r);
544 }
545
546 static bool dns_transaction_limited_retry(DnsTransaction *t) {
547 assert(t);
548
549 /* If we haven't tried all different servers yet, let's try again with a different server */
550
551 if (t->n_picked_servers >= dns_scope_get_n_dns_servers(t->scope))
552 return false;
553
554 dns_transaction_retry(t, /* next_server= */ true);
555 return true;
556 }
557
558 static int dns_transaction_maybe_restart(DnsTransaction *t) {
559 int r;
560
561 assert(t);
562
563 /* Restarts the transaction, under a new ID if the feature level of the server changed since we first
564 * tried, without changing DNS server. Returns > 0 if the transaction was restarted, 0 if not. */
565
566 if (!t->server)
567 return 0;
568
569 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
570 return 0;
571
572 /* The server's current feature level is lower than when we sent the original query. We learnt something from
573 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
574 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
575 OPT RR or DO bit. One of these cases is documented here, for example:
576 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
577
578 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
579 dns_transaction_shuffle_id(t);
580
581 r = dns_transaction_go(t);
582 if (r < 0)
583 return r;
584
585 return 1;
586 }
587
588 static void on_transaction_stream_error(DnsTransaction *t, int error) {
589 assert(t);
590
591 dns_transaction_close_connection(t, true);
592
593 if (ERRNO_IS_DISCONNECT(error)) {
594 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
595 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
596 * question on this scope. */
597 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
598 return;
599 }
600
601 dns_transaction_retry(t, true);
602 return;
603 }
604 if (error != 0)
605 dns_transaction_complete_errno(t, error);
606 }
607
608 static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsStream *s, DnsPacket *p) {
609 bool encrypted;
610
611 assert(t);
612 assert(s);
613 assert(p);
614
615 encrypted = s->encrypted;
616
617 dns_transaction_close_connection(t, true);
618
619 if (dns_packet_validate_reply(p) <= 0) {
620 log_debug("Invalid TCP reply packet.");
621 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
622 return 0;
623 }
624
625 dns_scope_check_conflicts(t->scope, p);
626
627 t->block_gc++;
628 dns_transaction_process_reply(t, p, encrypted);
629 t->block_gc--;
630
631 /* If the response wasn't useful, then complete the transition
632 * now. After all, we are the worst feature set now with TCP
633 * sockets, and there's really no point in retrying. */
634 if (t->state == DNS_TRANSACTION_PENDING)
635 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
636 else
637 dns_transaction_gc(t);
638
639 return 0;
640 }
641
642 static int on_stream_complete(DnsStream *s, int error) {
643 assert(s);
644
645 if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
646 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
647
648 if (s->transactions) {
649 DnsTransaction *t;
650
651 t = s->transactions;
652 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
653 }
654 }
655
656 if (error != 0)
657 LIST_FOREACH(transactions_by_stream, t, s->transactions)
658 on_transaction_stream_error(t, error);
659
660 return 0;
661 }
662
663 static int on_stream_packet(DnsStream *s, DnsPacket *p) {
664 DnsTransaction *t;
665
666 assert(s);
667 assert(s->manager);
668 assert(p);
669
670 t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
671 if (t && t->stream == s) /* Validate that the stream we got this on actually is the stream the
672 * transaction was using. */
673 return dns_transaction_on_stream_packet(t, s, p);
674
675 /* Ignore incorrect transaction id as an old transaction can have been canceled. */
676 log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
677 return 0;
678 }
679
680 static uint16_t dns_transaction_port(DnsTransaction *t) {
681 assert(t);
682
683 if (t->server->port > 0)
684 return t->server->port;
685
686 return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
687 }
688
689 static int dns_transaction_emit_tcp(DnsTransaction *t) {
690 usec_t stream_timeout_usec = DNS_STREAM_DEFAULT_TIMEOUT_USEC;
691 _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
692 _cleanup_close_ int fd = -EBADF;
693 union sockaddr_union sa;
694 DnsStreamType type;
695 int r;
696
697 assert(t);
698 assert(t->sent);
699
700 dns_transaction_close_connection(t, true);
701
702 switch (t->scope->protocol) {
703
704 case DNS_PROTOCOL_DNS:
705 r = dns_transaction_pick_server(t);
706 if (r < 0)
707 return r;
708
709 if (manager_server_is_stub(t->scope->manager, t->server))
710 return -ELOOP;
711
712 if (!t->bypass) {
713 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
714 return -EOPNOTSUPP;
715
716 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
717 if (r < 0)
718 return r;
719 }
720
721 if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
722 s = dns_stream_ref(t->server->stream);
723 else
724 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_transaction_port(t), &sa);
725
726 /* Lower timeout in DNS-over-TLS opportunistic mode. In environments where DoT is blocked
727 * without ICMP response overly long delays when contacting DoT servers are nasty, in
728 * particular if multiple DNS servers are defined which we try in turn and all are
729 * blocked. Hence, substantially lower the timeout in that case. */
730 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) &&
731 dns_server_get_dns_over_tls_mode(t->server) == DNS_OVER_TLS_OPPORTUNISTIC)
732 stream_timeout_usec = DNS_STREAM_OPPORTUNISTIC_TLS_TIMEOUT_USEC;
733
734 type = DNS_STREAM_LOOKUP;
735 break;
736
737 case DNS_PROTOCOL_LLMNR:
738 /* When we already received a reply to this (but it was truncated), send to its sender address */
739 if (t->received)
740 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
741 else {
742 union in_addr_union address;
743 int family = AF_UNSPEC;
744
745 /* Otherwise, try to talk to the owner of a
746 * the IP address, in case this is a reverse
747 * PTR lookup */
748
749 r = dns_name_address(dns_resource_key_name(dns_transaction_key(t)), &family, &address);
750 if (r < 0)
751 return r;
752 if (r == 0)
753 return -EINVAL;
754 if (family != t->scope->family)
755 return -ESRCH;
756
757 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
758 }
759
760 type = DNS_STREAM_LLMNR_SEND;
761 break;
762
763 default:
764 return -EAFNOSUPPORT;
765 }
766
767 if (!s) {
768 if (fd < 0)
769 return fd;
770
771 r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa,
772 on_stream_packet, on_stream_complete, stream_timeout_usec);
773 if (r < 0)
774 return r;
775
776 fd = -EBADF;
777
778 #if ENABLE_DNS_OVER_TLS
779 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
780 DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
781
782 assert(t->server);
783 r = dnstls_stream_connect_tls(s, t->server);
784 if (r < 0)
785 return r;
786 }
787 #endif
788
789 if (t->server) {
790 dns_server_unref_stream(t->server);
791 s->server = dns_server_ref(t->server);
792 t->server->stream = dns_stream_ref(s);
793 }
794
795 /* The interface index is difficult to determine if we are
796 * connecting to the local host, hence fill this in right away
797 * instead of determining it from the socket */
798 s->ifindex = dns_scope_ifindex(t->scope);
799 }
800
801 t->stream = TAKE_PTR(s);
802 LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
803
804 r = dns_stream_write_packet(t->stream, t->sent);
805 if (r < 0) {
806 dns_transaction_close_connection(t, /* use_graveyard= */ false);
807 return r;
808 }
809
810 dns_transaction_reset_answer(t);
811
812 t->tried_stream = true;
813
814 return 0;
815 }
816
817 static void dns_transaction_cache_answer(DnsTransaction *t) {
818 assert(t);
819
820 /* For mDNS we cache whenever we get the packet, rather than
821 * in each transaction. */
822 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
823 return;
824
825 /* Caching disabled? */
826 if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO)
827 return;
828
829 /* If validation is turned off for this transaction, but DNSSEC is on, then let's not cache this */
830 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) && t->scope->dnssec_mode != DNSSEC_NO)
831 return;
832
833 /* Packet from localhost? */
834 if (!t->scope->manager->cache_from_localhost &&
835 in_addr_is_localhost(t->received->family, &t->received->sender) != 0)
836 return;
837
838 dns_cache_put(&t->scope->cache,
839 t->scope->manager->enable_cache,
840 t->scope->protocol,
841 dns_transaction_key(t),
842 t->answer_rcode,
843 t->answer,
844 DNS_PACKET_CD(t->received) ? t->received : NULL, /* only cache full packets with CD on,
845 * since our use case for caching them
846 * is "bypass" mode which is only
847 * enabled for CD packets. */
848 t->answer_query_flags,
849 t->answer_dnssec_result,
850 t->answer_nsec_ttl,
851 t->received->family,
852 &t->received->sender,
853 t->scope->manager->stale_retention_usec);
854 }
855
856 static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
857 DnsTransaction *dt;
858
859 assert(t);
860
861 SET_FOREACH(dt, t->dnssec_transactions)
862 if (DNS_TRANSACTION_IS_LIVE(dt->state))
863 return true;
864
865 return false;
866 }
867
868 static int dns_transaction_dnssec_ready(DnsTransaction *t) {
869 DnsTransaction *dt;
870 int r;
871
872 assert(t);
873
874 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
875 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
876
877 SET_FOREACH(dt, t->dnssec_transactions) {
878
879 switch (dt->state) {
880
881 case DNS_TRANSACTION_NULL:
882 case DNS_TRANSACTION_PENDING:
883 case DNS_TRANSACTION_VALIDATING:
884 /* Still ongoing */
885 return 0;
886
887 case DNS_TRANSACTION_RCODE_FAILURE:
888 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
889 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", FORMAT_DNS_RCODE(dt->answer_rcode));
890 goto fail;
891 }
892
893 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
894 * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
895 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
896 * RRs to make unsigned proofs. */
897
898 case DNS_TRANSACTION_SUCCESS:
899 /* All good. */
900 break;
901
902 case DNS_TRANSACTION_DNSSEC_FAILED:
903 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
904 * validation result */
905
906 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
907 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
908 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
909 return 0;
910
911 default:
912 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
913 goto fail;
914 }
915 }
916
917 /* All is ready, we can go and validate */
918 return 1;
919
920 fail:
921 /* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
922 * server due to this failure, and the feature level is now different? Let's see and restart the
923 * transaction if so. If not, let's propagate the auxiliary failure.
924 *
925 * This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
926 * are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
927 r = dns_transaction_maybe_restart(t);
928 if (r < 0)
929 return r;
930 if (r > 0)
931 return 0; /* don't validate just yet, we restarted things */
932
933 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
934 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
935 return 0;
936 }
937
938 static void dns_transaction_process_dnssec(DnsTransaction *t) {
939 int r;
940
941 assert(t);
942
943 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
944 r = dns_transaction_dnssec_ready(t);
945 if (r < 0)
946 goto fail;
947 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
948 return;
949
950 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
951 * restart the lookup immediately. */
952 r = dns_transaction_maybe_restart(t);
953 if (r < 0)
954 goto fail;
955 if (r > 0) /* Transaction got restarted... */
956 return;
957
958 /* All our auxiliary DNSSEC transactions are complete now. Try
959 * to validate our RRset now. */
960 r = dns_transaction_validate_dnssec(t);
961 if (r == -EBADMSG) {
962 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
963 return;
964 }
965 if (r < 0)
966 goto fail;
967
968 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
969 t->scope->dnssec_mode == DNSSEC_YES) {
970
971 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
972 * that works. */
973
974 if (dns_transaction_limited_retry(t))
975 return;
976
977 /* OK, let's give up, apparently all servers we tried didn't work. */
978 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
979 return;
980 }
981
982 if (!IN_SET(t->answer_dnssec_result,
983 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
984 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
985 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
986 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
987 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
988 return;
989 }
990
991 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
992 dns_server_warn_downgrade(t->server);
993
994 dns_transaction_cache_answer(t);
995
996 if (t->answer_rcode == DNS_RCODE_SUCCESS)
997 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
998 else
999 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1000
1001 return;
1002
1003 fail:
1004 dns_transaction_complete_errno(t, r);
1005 }
1006
1007 static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
1008 int r;
1009
1010 assert(t);
1011
1012 /* Checks whether the answer is positive, i.e. either a direct
1013 * answer to the question, or a CNAME/DNAME for it */
1014
1015 r = dns_answer_match_key(t->answer, dns_transaction_key(t), flags);
1016 if (r != 0)
1017 return r;
1018
1019 r = dns_answer_find_cname_or_dname(t->answer, dns_transaction_key(t), NULL, flags);
1020 if (r != 0)
1021 return r;
1022
1023 return false;
1024 }
1025
1026 static int dns_transaction_fix_rcode(DnsTransaction *t) {
1027 int r;
1028
1029 assert(t);
1030
1031 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
1032 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
1033 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
1034 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
1035 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
1036 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
1037 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
1038 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
1039 * incomplete CNAME/DNAME chain.
1040 *
1041 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
1042 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
1043 * lookup. */
1044
1045 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
1046 return 0;
1047
1048 r = dns_transaction_has_positive_answer(t, NULL);
1049 if (r <= 0)
1050 return r;
1051
1052 t->answer_rcode = DNS_RCODE_SUCCESS;
1053 return 0;
1054 }
1055
1056 void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypted) {
1057 bool retry_with_tcp = false;
1058 int r;
1059
1060 assert(t);
1061 assert(p);
1062 assert(t->scope);
1063 assert(t->scope->manager);
1064
1065 if (t->state != DNS_TRANSACTION_PENDING)
1066 return;
1067
1068 /* Increment the total failure counter only when it is the first attempt at querying and the upstream
1069 * server returns a failure response code. This ensures a more accurate count of the number of queries
1070 * that received a failure response code, as it doesn't consider retries. */
1071
1072 if (t->n_attempts == 1 && !IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
1073 t->scope->manager->n_failure_responses_total++;
1074
1075 /* Note that this call might invalidate the query. Callers
1076 * should hence not attempt to access the query or transaction
1077 * after calling this function. */
1078
1079 log_debug("Processing incoming packet of size %zu on transaction %" PRIu16" (rcode=%s).",
1080 p->size,
1081 t->id, FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1082
1083 switch (t->scope->protocol) {
1084
1085 case DNS_PROTOCOL_LLMNR:
1086 /* For LLMNR we will not accept any packets from other interfaces */
1087
1088 if (p->ifindex != dns_scope_ifindex(t->scope))
1089 return;
1090
1091 if (p->family != t->scope->family)
1092 return;
1093
1094 /* Tentative packets are not full responses but still
1095 * useful for identifying uniqueness conflicts during
1096 * probing. */
1097 if (DNS_PACKET_LLMNR_T(p)) {
1098 dns_transaction_tentative(t, p);
1099 return;
1100 }
1101
1102 break;
1103
1104 case DNS_PROTOCOL_MDNS:
1105 /* For mDNS we will not accept any packets from other interfaces */
1106
1107 if (p->ifindex != dns_scope_ifindex(t->scope))
1108 return;
1109
1110 if (p->family != t->scope->family)
1111 return;
1112
1113 break;
1114
1115 case DNS_PROTOCOL_DNS:
1116 /* Note that we do not need to verify the
1117 * addresses/port numbers of incoming traffic, as we
1118 * invoked connect() on our UDP socket in which case
1119 * the kernel already does the needed verification for
1120 * us. */
1121 break;
1122
1123 default:
1124 assert_not_reached();
1125 }
1126
1127 if (t->received != p)
1128 DNS_PACKET_REPLACE(t->received, dns_packet_ref(p));
1129
1130 t->answer_source = DNS_TRANSACTION_NETWORK;
1131
1132 if (p->ipproto == IPPROTO_TCP) {
1133 if (DNS_PACKET_TC(p)) {
1134 /* Truncated via TCP? Somebody must be fucking with us */
1135 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1136 return;
1137 }
1138
1139 if (DNS_PACKET_ID(p) != t->id) {
1140 /* Not the reply to our query? Somebody must be fucking with us */
1141 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1142 return;
1143 }
1144 }
1145
1146 if (DNS_PACKET_TC(p)) {
1147
1148 /* Truncated packets for mDNS are not allowed. Give up immediately. */
1149 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
1150 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1151 return;
1152 }
1153
1154 /* Response was truncated, let's try again with good old TCP */
1155 log_debug("Reply truncated, retrying via TCP.");
1156 retry_with_tcp = true;
1157
1158 } else if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1159 DNS_PACKET_IS_FRAGMENTED(p)) {
1160
1161 /* Report the fragment size, so that we downgrade from LARGE to regular EDNS0 if needed */
1162 if (t->server)
1163 dns_server_packet_udp_fragmented(t->server, dns_packet_size_unfragmented(p));
1164
1165 if (t->current_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
1166 /* Packet was fragmented. Let's retry with TCP to avoid fragmentation attack
1167 * issues. (We don't do that on the lowest feature level however, since crappy DNS
1168 * servers often do not implement TCP, hence falling back to TCP on fragmentation is
1169 * counter-productive there.) */
1170
1171 log_debug("Reply fragmented, retrying via TCP. (Largest fragment size: %zu; Datagram size: %zu)",
1172 p->fragsize, p->size);
1173 retry_with_tcp = true;
1174 }
1175 }
1176
1177 if (retry_with_tcp) {
1178 r = dns_transaction_emit_tcp(t);
1179 if (r == -ESRCH) {
1180 /* No servers found? Damn! */
1181 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1182 return;
1183 }
1184 if (r == -EOPNOTSUPP) {
1185 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1186 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1187 return;
1188 }
1189 if (r < 0) {
1190 /* On LLMNR, if we cannot connect to the host,
1191 * we immediately give up */
1192 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1193 goto fail;
1194
1195 /* On DNS, couldn't send? Try immediately again, with a new server */
1196 if (dns_transaction_limited_retry(t))
1197 return;
1198
1199 /* No new server to try, give up */
1200 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1201 }
1202
1203 return;
1204 }
1205
1206 /* After the superficial checks, actually parse the message. */
1207 r = dns_packet_extract(p);
1208 if (r < 0) {
1209 if (t->server) {
1210 dns_server_packet_invalid(t->server, t->current_feature_level);
1211
1212 r = dns_transaction_maybe_restart(t);
1213 if (r < 0)
1214 goto fail;
1215 if (r > 0) /* Transaction got restarted... */
1216 return;
1217 }
1218
1219 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1220 return;
1221 }
1222
1223 switch (t->scope->protocol) {
1224
1225 case DNS_PROTOCOL_DNS: {
1226 int ede_rcode;
1227 _cleanup_free_ char *ede_msg = NULL;
1228
1229 assert(t->server);
1230
1231 ede_rcode = dns_packet_ede_rcode(p, &ede_msg);
1232 if (ede_rcode < 0 && ede_rcode != -EINVAL)
1233 log_debug_errno(ede_rcode, "Unable to extract EDE error code from packet, ignoring: %m");
1234 else {
1235 t->answer_ede_rcode = ede_rcode;
1236 t->answer_ede_msg = TAKE_PTR(ede_msg);
1237 }
1238
1239 if (!t->bypass &&
1240 IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
1241 /* If the server has replied with detailed error data, using a degraded feature set
1242 * will likely not help anyone. Examine the detailed error to determine the best
1243 * course of action. */
1244 if (ede_rcode >= 0 && DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL) {
1245 /* These codes are related to DNSSEC configuration errors. If accurate,
1246 * this is the domain operator's problem, and retrying won't help. */
1247 if (dns_ede_rcode_is_dnssec(ede_rcode)) {
1248 log_debug("Server returned error: %s (%s%s%s). Lookup failed.",
1249 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1250 FORMAT_DNS_EDE_RCODE(ede_rcode),
1251 isempty(t->answer_ede_msg) ? "" : ": ",
1252 t->answer_ede_msg);
1253 dns_transaction_complete(t, DNS_TRANSACTION_UPSTREAM_DNSSEC_FAILURE);
1254 return;
1255 }
1256
1257 /* These codes probably indicate a transient error. Let's try again. */
1258 if (IN_SET(ede_rcode, DNS_EDE_RCODE_NOT_READY, DNS_EDE_RCODE_NET_ERROR)) {
1259 log_debug("Server returned error: %s (%s%s%s), retrying transaction.",
1260 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1261 FORMAT_DNS_EDE_RCODE(ede_rcode),
1262 isempty(t->answer_ede_msg) ? "" : ": ",
1263 t->answer_ede_msg);
1264 dns_transaction_retry(t, false);
1265 return;
1266 }
1267
1268 /* OK, the query failed, but we still shouldn't degrade the feature set for
1269 * this server. */
1270 log_debug("Server returned error: %s (%s%s%s)",
1271 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1272 FORMAT_DNS_EDE_RCODE(ede_rcode),
1273 isempty(t->answer_ede_msg) ? "" : ": ", t->answer_ede_msg);
1274 break;
1275 } /* No EDE rcode, or EDE rcode we don't understand */
1276
1277 /* Request failed, immediately try again with reduced features */
1278
1279 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
1280
1281 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
1282 * this transaction anymore, but let's see if it might make sense to send the request
1283 * to a different DNS server instead. If not let's process the response, and accept the
1284 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
1285 * packet loss, but is not going to give us better rcodes should we actually have
1286 * managed to get them already at UDP level. */
1287
1288 if (dns_transaction_limited_retry(t))
1289 return;
1290
1291 /* Give up, accept the rcode */
1292 log_debug("Server returned error: %s", FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1293 break;
1294 }
1295
1296 /* SERVFAIL can happen for many reasons and may be transient.
1297 * To avoid unnecessary downgrades retry once with the initial level.
1298 * Check for clamp_feature_level_servfail having an invalid value as a sign that this is the
1299 * first attempt to downgrade. If so, clamp to the current value so that the transaction
1300 * is retried without actually downgrading. If the next try also fails we will downgrade by
1301 * hitting the else branch below. */
1302 if (DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL &&
1303 t->clamp_feature_level_servfail < 0) {
1304 t->clamp_feature_level_servfail = t->current_feature_level;
1305 log_debug("Server returned error %s, retrying transaction.",
1306 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1307 } else {
1308 /* Reduce this feature level by one and try again. */
1309 switch (t->current_feature_level) {
1310 case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1311 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
1312 break;
1313 case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1314 /* Skip plain TLS when TLS is not supported */
1315 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
1316 break;
1317 default:
1318 t->clamp_feature_level_servfail = t->current_feature_level - 1;
1319 }
1320
1321 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
1322 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1323 dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
1324 }
1325
1326 dns_transaction_retry(t, false /* use the same server */);
1327 return;
1328 }
1329
1330 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
1331 /* This server refused our request? If so, try again, use a different server */
1332 if (ede_rcode > 0)
1333 log_debug("Server returned REFUSED (%s), switching servers, and retrying.",
1334 FORMAT_DNS_EDE_RCODE(ede_rcode));
1335 else
1336 log_debug("Server returned REFUSED, switching servers, and retrying.");
1337
1338 if (dns_transaction_limited_retry(t))
1339 return;
1340
1341 break;
1342 }
1343
1344 if (DNS_PACKET_TC(p))
1345 dns_server_packet_truncated(t->server, t->current_feature_level);
1346
1347 break;
1348 }
1349
1350 case DNS_PROTOCOL_LLMNR:
1351 case DNS_PROTOCOL_MDNS:
1352 dns_scope_packet_received(t->scope, p->timestamp - t->start_usec);
1353 break;
1354
1355 default:
1356 assert_not_reached();
1357 }
1358
1359 if (t->server) {
1360 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1361 * rcode and subsequently downgraded the protocol */
1362
1363 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1364 t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1365 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
1366
1367 /* Report that the OPT RR was missing */
1368 if (!p->opt)
1369 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1370
1371 /* Report that the server didn't copy our query DO bit from request to response */
1372 if (DNS_PACKET_DO(t->sent) && !DNS_PACKET_DO(t->received))
1373 dns_server_packet_do_off(t->server, t->current_feature_level);
1374
1375 /* Report that we successfully received a packet. We keep track of the largest packet
1376 * size/fragment size we got. Which is useful for announcing the EDNS(0) packet size we can
1377 * receive to our server. */
1378 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, dns_packet_size_unfragmented(p));
1379 }
1380
1381 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1382 r = dns_transaction_maybe_restart(t);
1383 if (r < 0)
1384 goto fail;
1385 if (r > 0) /* Transaction got restarted... */
1386 return;
1387
1388 /* When dealing with protocols other than mDNS only consider responses with equivalent query section
1389 * to the request. For mDNS this check doesn't make sense, because the section 6 of RFC6762 states
1390 * that "Multicast DNS responses MUST NOT contain any questions in the Question Section". */
1391 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
1392 r = dns_packet_is_reply_for(p, dns_transaction_key(t));
1393 if (r < 0)
1394 goto fail;
1395 if (r == 0) {
1396 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1397 return;
1398 }
1399 }
1400
1401 /* Install the answer as answer to the transaction. We ref the answer twice here: the main `answer`
1402 * field is later replaced by the DNSSEC validated subset. The 'answer_auxiliary' field carries the
1403 * original complete record set, including RRSIG and friends. We use this when passing data to
1404 * clients that ask for DNSSEC metadata. */
1405 DNS_ANSWER_REPLACE(t->answer, dns_answer_ref(p->answer));
1406 t->answer_rcode = DNS_PACKET_RCODE(p);
1407 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
1408 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
1409 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, encrypted);
1410
1411 r = dns_transaction_fix_rcode(t);
1412 if (r < 0)
1413 goto fail;
1414
1415 /* Block GC while starting requests for additional DNSSEC RRs */
1416 t->block_gc++;
1417 r = dns_transaction_request_dnssec_keys(t);
1418 t->block_gc--;
1419
1420 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1421 if (!dns_transaction_gc(t))
1422 return;
1423
1424 /* Requesting additional keys might have resulted in this transaction to fail, since the auxiliary
1425 * request failed for some reason. If so, we are not in pending state anymore, and we should exit
1426 * quickly. */
1427 if (t->state != DNS_TRANSACTION_PENDING)
1428 return;
1429 if (r < 0)
1430 goto fail;
1431 if (r > 0) {
1432 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1433 t->state = DNS_TRANSACTION_VALIDATING;
1434 dns_transaction_close_connection(t, true);
1435 dns_transaction_stop_timeout(t);
1436 return;
1437 }
1438
1439 dns_transaction_process_dnssec(t);
1440 return;
1441
1442 fail:
1443 dns_transaction_complete_errno(t, r);
1444 }
1445
1446 static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1447 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1448 DnsTransaction *t = ASSERT_PTR(userdata);
1449 int r;
1450
1451 assert(t->scope);
1452
1453 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
1454 if (r < 0) {
1455 if (ERRNO_IS_DISCONNECT(r)) {
1456 usec_t usec;
1457
1458 /* UDP connection failures get reported via ICMP and then are possibly delivered to us on the
1459 * next recvmsg(). Treat this like a lost packet. */
1460
1461 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
1462 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &usec) >= 0);
1463 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
1464
1465 dns_transaction_close_connection(t, /* use_graveyard = */ false);
1466
1467 if (dns_transaction_limited_retry(t)) /* Try a different server */
1468 return 0;
1469 }
1470 dns_transaction_complete_errno(t, r);
1471 return 0;
1472 }
1473 if (r == 0)
1474 /* Spurious wakeup without any data */
1475 return 0;
1476
1477 r = dns_packet_validate_reply(p);
1478 if (r < 0) {
1479 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1480 return 0;
1481 }
1482 if (r == 0) {
1483 log_debug("Received inappropriate DNS packet as response, ignoring.");
1484 return 0;
1485 }
1486
1487 if (DNS_PACKET_ID(p) != t->id) {
1488 log_debug("Received packet with incorrect transaction ID, ignoring.");
1489 return 0;
1490 }
1491
1492 dns_transaction_process_reply(t, p, false);
1493 return 0;
1494 }
1495
1496 static int dns_transaction_emit_udp(DnsTransaction *t) {
1497 int r;
1498
1499 assert(t);
1500
1501 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
1502
1503 r = dns_transaction_pick_server(t);
1504 if (r < 0)
1505 return r;
1506
1507 if (manager_server_is_stub(t->scope->manager, t->server))
1508 return -ELOOP;
1509
1510 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
1511 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
1512
1513 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
1514 return -EOPNOTSUPP;
1515
1516 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1517 int fd;
1518
1519 dns_transaction_close_connection(t, true);
1520
1521 /* Before we allocate a new UDP socket, let's process the graveyard a bit to free some fds */
1522 manager_socket_graveyard_process(t->scope->manager);
1523
1524 fd = dns_scope_socket_udp(t->scope, t->server);
1525 if (fd < 0)
1526 return fd;
1527
1528 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1529 if (r < 0) {
1530 safe_close(fd);
1531 return r;
1532 }
1533
1534 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
1535 t->dns_udp_fd = fd;
1536 }
1537
1538 if (!t->bypass) {
1539 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1540 if (r < 0)
1541 return r;
1542 }
1543 } else
1544 dns_transaction_close_connection(t, true);
1545
1546 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->server ? t->server->family : AF_UNSPEC, t->sent);
1547 if (r < 0)
1548 return r;
1549
1550 dns_transaction_reset_answer(t);
1551
1552 return 0;
1553 }
1554
1555 static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1556 DnsTransaction *t = ASSERT_PTR(userdata);
1557
1558 assert(s);
1559
1560 t->seen_timeout = true;
1561
1562 if (t->initial_jitter_scheduled && !t->initial_jitter_elapsed) {
1563 log_debug("Initial jitter phase for transaction %" PRIu16 " elapsed.", t->id);
1564 t->initial_jitter_elapsed = true;
1565 } else {
1566 /* Timeout reached? Increase the timeout for the server used */
1567 switch (t->scope->protocol) {
1568
1569 case DNS_PROTOCOL_DNS:
1570 assert(t->server);
1571 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
1572 break;
1573
1574 case DNS_PROTOCOL_LLMNR:
1575 case DNS_PROTOCOL_MDNS:
1576 dns_scope_packet_lost(t->scope, usec - t->start_usec);
1577 break;
1578
1579 default:
1580 assert_not_reached();
1581 }
1582
1583 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
1584 }
1585
1586 dns_transaction_retry(t, /* next_server= */ true); /* try a different server, but given this means
1587 * packet loss, let's do so even if we already
1588 * tried a bunch */
1589 return 0;
1590 }
1591
1592 static int dns_transaction_setup_timeout(
1593 DnsTransaction *t,
1594 usec_t timeout_usec /* relative */,
1595 usec_t next_usec /* CLOCK_BOOTTIME */) {
1596
1597 int r;
1598
1599 assert(t);
1600
1601 dns_transaction_stop_timeout(t);
1602
1603 r = sd_event_add_time_relative(
1604 t->scope->manager->event,
1605 &t->timeout_event_source,
1606 CLOCK_BOOTTIME,
1607 timeout_usec, 0,
1608 on_transaction_timeout, t);
1609 if (r < 0)
1610 return r;
1611
1612 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1613
1614 t->next_attempt_after = next_usec;
1615 t->state = DNS_TRANSACTION_PENDING;
1616 return 0;
1617 }
1618
1619 static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1620 assert(t);
1621 assert(t->scope);
1622
1623 switch (t->scope->protocol) {
1624
1625 case DNS_PROTOCOL_DNS:
1626
1627 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1628 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1629 * needlessly. */
1630 if (t->stream)
1631 return TRANSACTION_TCP_TIMEOUT_USEC;
1632
1633 return DNS_TIMEOUT_USEC;
1634
1635 case DNS_PROTOCOL_MDNS:
1636 if (t->probing)
1637 return MDNS_PROBING_INTERVAL_USEC;
1638
1639 /* See RFC 6762 Section 5.1 suggests that timeout should be a few seconds. */
1640 assert(t->n_attempts > 0);
1641 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
1642
1643 case DNS_PROTOCOL_LLMNR:
1644 return t->scope->resend_timeout;
1645
1646 default:
1647 assert_not_reached();
1648 }
1649 }
1650
1651 static void dns_transaction_randomize_answer(DnsTransaction *t) {
1652 int r;
1653
1654 assert(t);
1655
1656 /* Randomizes the order of the answer array. This is done for all cached responses, so that we return
1657 * a different order each time. We do this only for DNS traffic, in order to do some minimal, crappy
1658 * load balancing. We don't do this for LLMNR or mDNS, since the order (preferring link-local
1659 * addresses, and such like) might have meaning there, and load balancing is pointless. */
1660
1661 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1662 return;
1663
1664 /* No point in randomizing, if there's just one RR */
1665 if (dns_answer_size(t->answer) <= 1)
1666 return;
1667
1668 r = dns_answer_reserve_or_clone(&t->answer, 0);
1669 if (r < 0) /* If this fails, just don't randomize, this is non-essential stuff after all */
1670 return (void) log_debug_errno(r, "Failed to clone answer record, not randomizing RR order of answer: %m");
1671
1672 dns_answer_randomize(t->answer);
1673 }
1674
1675 static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
1676 int r;
1677
1678 assert(t);
1679
1680 /* Returns 0 if dns_transaction_complete() has been called. In that case the transaction and query
1681 * candidate objects may have been invalidated and must not be accessed. Returns 1 if the transaction
1682 * has been prepared. */
1683
1684 dns_transaction_stop_timeout(t);
1685
1686 if (t->n_attempts == 1 && t->seen_timeout)
1687 t->scope->manager->n_timeouts_total++;
1688
1689 if (!dns_scope_network_good(t->scope)) {
1690 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1691 return 0;
1692 }
1693
1694 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
1695 DnsTransactionState result;
1696
1697 if (t->scope->protocol == DNS_PROTOCOL_LLMNR)
1698 /* If we didn't find anything on LLMNR, it's not an error, but a failure to resolve
1699 * the name. */
1700 result = DNS_TRANSACTION_NOT_FOUND;
1701 else
1702 result = DNS_TRANSACTION_ATTEMPTS_MAX_REACHED;
1703
1704 dns_transaction_complete(t, result);
1705 return 0;
1706 }
1707
1708 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
1709 /* If we already tried via a stream, then we don't
1710 * retry on LLMNR. See RFC 4795, Section 2.7. */
1711 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1712 return 0;
1713 }
1714
1715 t->n_attempts++;
1716 t->start_usec = ts;
1717
1718 dns_transaction_reset_answer(t);
1719 dns_transaction_flush_dnssec_transactions(t);
1720
1721 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
1722 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1723 !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_TRUST_ANCHOR)) {
1724 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, dns_transaction_key(t), &t->answer);
1725 if (r < 0)
1726 return r;
1727 if (r > 0) {
1728 t->answer_rcode = DNS_RCODE_SUCCESS;
1729 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1730 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
1731 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1732 return 0;
1733 }
1734
1735 if (dns_name_is_root(dns_resource_key_name(dns_transaction_key(t))) &&
1736 dns_transaction_key(t)->type == DNS_TYPE_DS) {
1737
1738 /* Hmm, this is a request for the root DS? A DS RR doesn't exist in the root zone,
1739 * and if our trust anchor didn't know it either, this means we cannot do any DNSSEC
1740 * logic anymore. */
1741
1742 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
1743 /* We are in downgrade mode. In this case, synthesize an unsigned empty
1744 * response, so that the any lookup depending on this one can continue
1745 * assuming there was no DS, and hence the root zone was unsigned. */
1746
1747 t->answer_rcode = DNS_RCODE_SUCCESS;
1748 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1749 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
1750 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, true);
1751 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1752 } else
1753 /* If we are not in downgrade mode, then fail the lookup, because we cannot
1754 * reasonably answer it. There might be DS RRs, but we don't know them, and
1755 * the DNS server won't tell them to us (and even if it would, we couldn't
1756 * validate and trust them. */
1757 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1758
1759 return 0;
1760 }
1761 }
1762
1763 /* Check the zone. */
1764 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_ZONE)) {
1765 r = dns_zone_lookup(&t->scope->zone, dns_transaction_key(t), dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
1766 if (r < 0)
1767 return r;
1768 if (r > 0) {
1769 t->answer_rcode = DNS_RCODE_SUCCESS;
1770 t->answer_source = DNS_TRANSACTION_ZONE;
1771 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
1772 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1773 return 0;
1774 }
1775 }
1776
1777 /* Check the cache. */
1778 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_CACHE)) {
1779
1780 /* Before trying the cache, let's make sure we figured out a server to use. Should this cause
1781 * a change of server this might flush the cache. */
1782 (void) dns_scope_get_dns_server(t->scope);
1783
1784 /* Let's then prune all outdated entries */
1785 dns_cache_prune(&t->scope->cache);
1786
1787 /* For the initial attempt or when no stale data is requested, disable serve stale
1788 * and answer the question from the cache (honors ttl property).
1789 * On the second attempt, if StaleRetentionSec is greater than zero,
1790 * try to answer the question using stale date (honors until property) */
1791 uint64_t query_flags = t->query_flags;
1792 if (t->n_attempts == 1 || t->scope->manager->stale_retention_usec == 0)
1793 query_flags |= SD_RESOLVED_NO_STALE;
1794
1795 r = dns_cache_lookup(
1796 &t->scope->cache,
1797 dns_transaction_key(t),
1798 query_flags,
1799 &t->answer_rcode,
1800 &t->answer,
1801 &t->received,
1802 &t->answer_query_flags,
1803 &t->answer_dnssec_result);
1804 if (r < 0)
1805 return r;
1806 if (r > 0) {
1807 dns_transaction_randomize_answer(t);
1808
1809 if (t->bypass && t->scope->protocol == DNS_PROTOCOL_DNS && !t->received)
1810 /* When bypass mode is on, do not use cached data unless it came with a full
1811 * packet. */
1812 dns_transaction_reset_answer(t);
1813 else {
1814 if (t->n_attempts > 1 && !FLAGS_SET(query_flags, SD_RESOLVED_NO_STALE)) {
1815
1816 if (t->answer_rcode == DNS_RCODE_SUCCESS) {
1817 if (t->seen_timeout)
1818 t->scope->manager->n_timeouts_served_stale_total++;
1819 else
1820 t->scope->manager->n_failure_responses_served_stale_total++;
1821 }
1822
1823 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1824 log_debug("Serve Stale response rcode=%s for %s",
1825 FORMAT_DNS_RCODE(t->answer_rcode),
1826 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
1827 }
1828
1829 t->answer_source = DNS_TRANSACTION_CACHE;
1830 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1831 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1832 else
1833 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1834 return 0;
1835 }
1836 }
1837 }
1838
1839 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_NETWORK)) {
1840 dns_transaction_complete(t, DNS_TRANSACTION_NO_SOURCE);
1841 return 0;
1842 }
1843
1844 return 1;
1845 }
1846
1847 static int dns_packet_append_zone(DnsPacket *p, DnsTransaction *t, DnsResourceKey *k, unsigned *nscount) {
1848 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1849 bool tentative;
1850 int r;
1851
1852 assert(p);
1853 assert(t);
1854 assert(k);
1855
1856 if (k->type != DNS_TYPE_ANY)
1857 return 0;
1858
1859 r = dns_zone_lookup(&t->scope->zone, k, t->scope->link->ifindex, &answer, NULL, &tentative);
1860 if (r < 0)
1861 return r;
1862
1863 return dns_packet_append_answer(p, answer, nscount);
1864 }
1865
1866 static int mdns_make_dummy_packet(DnsTransaction *t, DnsPacket **ret_packet, Set **ret_keys) {
1867 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1868 _cleanup_set_free_ Set *keys = NULL;
1869 bool add_known_answers = false;
1870 unsigned qdcount;
1871 usec_t ts;
1872 int r;
1873
1874 assert(t);
1875 assert(t->scope);
1876 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1877 assert(ret_packet);
1878 assert(ret_keys);
1879
1880 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1881 if (r < 0)
1882 return r;
1883
1884 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1885 if (r < 0)
1886 return r;
1887
1888 qdcount = 1;
1889
1890 if (dns_key_is_shared(dns_transaction_key(t)))
1891 add_known_answers = true;
1892
1893 r = dns_packet_append_zone(p, t, dns_transaction_key(t), NULL);
1894 if (r < 0)
1895 return r;
1896
1897 /* Save appended keys */
1898 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(t));
1899 if (r < 0)
1900 return r;
1901
1902 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
1903
1904 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1905
1906 /* Skip ourselves */
1907 if (other == t)
1908 continue;
1909
1910 if (other->state != DNS_TRANSACTION_PENDING)
1911 continue;
1912
1913 if (other->next_attempt_after > ts)
1914 continue;
1915
1916 if (!set_contains(keys, dns_transaction_key(other))) {
1917 size_t saved_packet_size;
1918
1919 r = dns_packet_append_key(p, dns_transaction_key(other), 0, &saved_packet_size);
1920 /* If we can't stuff more questions into the packet, just give up.
1921 * One of the 'other' transactions will fire later and take care of the rest. */
1922 if (r == -EMSGSIZE)
1923 break;
1924 if (r < 0)
1925 return r;
1926
1927 r = dns_packet_append_zone(p, t, dns_transaction_key(other), NULL);
1928 if (r == -EMSGSIZE) {
1929 dns_packet_truncate(p, saved_packet_size);
1930 break;
1931 }
1932 if (r < 0)
1933 return r;
1934
1935 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(other));
1936 if (r < 0)
1937 return r;
1938 }
1939
1940 r = dns_transaction_prepare(other, ts);
1941 if (r < 0)
1942 return r;
1943 if (r == 0)
1944 /* In this case, not only this transaction, but multiple transactions may be
1945 * freed. Hence, we need to restart the loop. */
1946 return -EAGAIN;
1947
1948 usec_t timeout = transaction_get_resend_timeout(other);
1949 r = dns_transaction_setup_timeout(other, timeout, usec_add(ts, timeout));
1950 if (r < 0)
1951 return r;
1952
1953 if (dns_key_is_shared(dns_transaction_key(other)))
1954 add_known_answers = true;
1955
1956 qdcount++;
1957 if (qdcount >= UINT16_MAX)
1958 break;
1959 }
1960
1961 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
1962
1963 /* Append known answers section if we're asking for any shared record */
1964 if (add_known_answers) {
1965 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, 0);
1966 if (r < 0)
1967 return r;
1968 }
1969
1970 *ret_packet = TAKE_PTR(p);
1971 *ret_keys = TAKE_PTR(keys);
1972 return add_known_answers;
1973 }
1974
1975 static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
1976 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL, *dummy = NULL;
1977 _cleanup_set_free_ Set *keys = NULL;
1978 bool add_known_answers;
1979 DnsResourceKey *k;
1980 unsigned c;
1981 int r;
1982
1983 assert(t);
1984 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1985
1986 /* Discard any previously prepared packet, so we can start over and coalesce again */
1987 t->sent = dns_packet_unref(t->sent);
1988
1989 /* First, create a dummy packet to calculate the number of known answers to be appended in the first packet. */
1990 for (;;) {
1991 r = mdns_make_dummy_packet(t, &dummy, &keys);
1992 if (r == -EAGAIN)
1993 continue;
1994 if (r < 0)
1995 return r;
1996
1997 add_known_answers = r;
1998 break;
1999 }
2000
2001 /* Then, create actual packet. */
2002 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
2003 if (r < 0)
2004 return r;
2005
2006 /* Questions */
2007 c = 0;
2008 SET_FOREACH(k, keys) {
2009 r = dns_packet_append_key(p, k, 0, NULL);
2010 if (r < 0)
2011 return r;
2012 c++;
2013 }
2014 DNS_PACKET_HEADER(p)->qdcount = htobe16(c);
2015
2016 /* Known answers */
2017 if (add_known_answers) {
2018 usec_t ts;
2019
2020 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
2021
2022 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, be16toh(DNS_PACKET_HEADER(dummy)->ancount));
2023 if (r < 0)
2024 return r;
2025 }
2026
2027 /* Authorities */
2028 c = 0;
2029 SET_FOREACH(k, keys) {
2030 r = dns_packet_append_zone(p, t, k, &c);
2031 if (r < 0)
2032 return r;
2033 }
2034 DNS_PACKET_HEADER(p)->nscount = htobe16(c);
2035
2036 t->sent = TAKE_PTR(p);
2037 return 0;
2038 }
2039
2040 static int dns_transaction_make_packet(DnsTransaction *t) {
2041 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
2042 int r;
2043
2044 assert(t);
2045
2046 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
2047 return dns_transaction_make_packet_mdns(t);
2048
2049 if (t->sent)
2050 return 0;
2051
2052 if (t->bypass && t->bypass->protocol == t->scope->protocol) {
2053 /* If bypass logic is enabled and the protocol if the original packet and our scope match,
2054 * take the original packet, copy it, and patch in our new ID */
2055 r = dns_packet_dup(&p, t->bypass);
2056 if (r < 0)
2057 return r;
2058 } else {
2059 r = dns_packet_new_query(
2060 &p, t->scope->protocol,
2061 /* min_alloc_dsize = */ 0,
2062 /* dnssec_cd = */ !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) &&
2063 t->scope->dnssec_mode != DNSSEC_NO);
2064 if (r < 0)
2065 return r;
2066
2067 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
2068 if (r < 0)
2069 return r;
2070
2071 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
2072 }
2073
2074 DNS_PACKET_HEADER(p)->id = t->id;
2075
2076 t->sent = TAKE_PTR(p);
2077 return 0;
2078 }
2079
2080 int dns_transaction_go(DnsTransaction *t) {
2081 usec_t ts;
2082 int r;
2083 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
2084
2085 assert(t);
2086
2087 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has
2088 * finished now. In the latter case, the transaction and query candidate objects must not be accessed.
2089 */
2090
2091 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
2092
2093 r = dns_transaction_prepare(t, ts);
2094 if (r <= 0)
2095 return r;
2096
2097 log_debug("Firing %s transaction %" PRIu16 " for <%s> scope %s on %s/%s (validate=%s).",
2098 t->bypass ? "bypass" : "regular",
2099 t->id,
2100 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
2101 dns_protocol_to_string(t->scope->protocol),
2102 t->scope->link ? t->scope->link->ifname : "*",
2103 af_to_name_short(t->scope->family),
2104 yes_no(!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE)));
2105
2106 if (!t->initial_jitter_scheduled &&
2107 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
2108 usec_t jitter;
2109
2110 /* RFC 4795 Section 2.7 suggests all LLMNR queries should be delayed by a random time from 0 to
2111 * JITTER_INTERVAL.
2112 * RFC 6762 Section 8.1 suggests initial probe queries should be delayed by a random time from
2113 * 0 to 250ms. */
2114
2115 t->initial_jitter_scheduled = true;
2116 t->n_attempts = 0;
2117
2118 switch (t->scope->protocol) {
2119
2120 case DNS_PROTOCOL_LLMNR:
2121 jitter = random_u64_range(LLMNR_JITTER_INTERVAL_USEC);
2122 break;
2123
2124 case DNS_PROTOCOL_MDNS:
2125 if (t->probing)
2126 jitter = random_u64_range(MDNS_PROBING_INTERVAL_USEC);
2127 else
2128 jitter = 0;
2129 break;
2130 default:
2131 assert_not_reached();
2132 }
2133
2134 r = dns_transaction_setup_timeout(t, jitter, ts);
2135 if (r < 0)
2136 return r;
2137
2138 log_debug("Delaying %s transaction %" PRIu16 " for " USEC_FMT "us.",
2139 dns_protocol_to_string(t->scope->protocol),
2140 t->id,
2141 jitter);
2142 return 1;
2143 }
2144
2145 /* Otherwise, we need to ask the network */
2146 r = dns_transaction_make_packet(t);
2147 if (r < 0)
2148 return r;
2149
2150 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
2151 (dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "in-addr.arpa") > 0 ||
2152 dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "ip6.arpa") > 0)) {
2153
2154 /* RFC 4795, Section 2.4. says reverse lookups shall
2155 * always be made via TCP on LLMNR */
2156 r = dns_transaction_emit_tcp(t);
2157 } else {
2158 /* Try via UDP, and if that fails due to large size or lack of
2159 * support try via TCP */
2160 r = dns_transaction_emit_udp(t);
2161 if (r == -EMSGSIZE)
2162 log_debug("Sending query via TCP since it is too large.");
2163 else if (r == -EAGAIN)
2164 log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
2165 else if (r == -EPERM)
2166 log_debug("Sending query via TCP since UDP is blocked.");
2167 if (IN_SET(r, -EMSGSIZE, -EAGAIN, -EPERM))
2168 r = dns_transaction_emit_tcp(t);
2169 }
2170 if (r == -ELOOP) {
2171 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2172 return r;
2173
2174 /* One of our own stub listeners */
2175 log_debug_errno(r, "Detected that specified DNS server is our own extra listener, switching DNS servers.");
2176
2177 dns_scope_next_dns_server(t->scope, t->server);
2178
2179 if (dns_scope_get_dns_server(t->scope) == t->server) {
2180 log_debug_errno(r, "Still pointing to extra listener after switching DNS servers, refusing operation.");
2181 dns_transaction_complete(t, DNS_TRANSACTION_STUB_LOOP);
2182 return 0;
2183 }
2184
2185 return dns_transaction_go(t);
2186 }
2187 if (r == -ESRCH) {
2188 /* No servers to send this to? */
2189 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
2190 return 0;
2191 }
2192 if (r == -EOPNOTSUPP) {
2193 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
2194 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
2195 return 0;
2196 }
2197 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_NEG_DISCONNECT(r)) {
2198 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
2199 * answer this request with this protocol. */
2200 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
2201 return 0;
2202 }
2203 if (r < 0) {
2204 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2205 return r;
2206
2207 /* Couldn't send? Try immediately again, with a new server */
2208 dns_scope_next_dns_server(t->scope, t->server);
2209
2210 return dns_transaction_go(t);
2211 }
2212
2213 usec_t timeout = transaction_get_resend_timeout(t);
2214 r = dns_transaction_setup_timeout(t, timeout, usec_add(ts, timeout));
2215 if (r < 0)
2216 return r;
2217
2218 return 1;
2219 }
2220
2221 static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
2222 DnsTransaction *n;
2223 int r;
2224
2225 assert(t);
2226 assert(aux);
2227
2228 /* Try to find cyclic dependencies between transaction objects */
2229
2230 if (t == aux)
2231 return 1;
2232
2233 SET_FOREACH(n, aux->dnssec_transactions) {
2234 r = dns_transaction_find_cyclic(t, n);
2235 if (r != 0)
2236 return r;
2237 }
2238
2239 return 0;
2240 }
2241
2242 static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
2243 _cleanup_(dns_transaction_gcp) DnsTransaction *aux = NULL;
2244 int r;
2245
2246 assert(t);
2247 assert(ret);
2248 assert(key);
2249
2250 aux = dns_scope_find_transaction(t->scope, key, t->query_flags);
2251 if (!aux) {
2252 r = dns_transaction_new(&aux, t->scope, key, NULL, t->query_flags);
2253 if (r < 0)
2254 return r;
2255 } else {
2256 if (set_contains(t->dnssec_transactions, aux)) {
2257 *ret = aux;
2258 return 0;
2259 }
2260
2261 r = dns_transaction_find_cyclic(t, aux);
2262 if (r < 0)
2263 return r;
2264 if (r > 0) {
2265 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
2266
2267 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
2268 "Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
2269 aux->id,
2270 dns_resource_key_to_string(dns_transaction_key(t), s, sizeof s),
2271 t->id,
2272 dns_resource_key_to_string(dns_transaction_key(aux), saux, sizeof saux));
2273 }
2274 }
2275
2276 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
2277 if (r < 0)
2278 return r;
2279
2280 r = set_ensure_put(&t->dnssec_transactions, NULL, aux);
2281 if (r < 0)
2282 return r;
2283
2284 r = set_ensure_put(&aux->notify_transactions, NULL, t);
2285 if (r < 0) {
2286 (void) set_remove(t->dnssec_transactions, aux);
2287 return r;
2288 }
2289
2290 *ret = TAKE_PTR(aux);
2291 return 1;
2292 }
2293
2294 static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
2295 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
2296 DnsTransaction *aux;
2297 int r;
2298
2299 assert(t);
2300 assert(key);
2301
2302 /* Try to get the data from the trust anchor */
2303 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
2304 if (r < 0)
2305 return r;
2306 if (r > 0) {
2307 r = dns_answer_extend(&t->validated_keys, a);
2308 if (r < 0)
2309 return r;
2310
2311 return 0;
2312 }
2313
2314 /* This didn't work, ask for it via the network/cache then. */
2315 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
2316 if (r == -ELOOP) /* This would result in a cyclic dependency */
2317 return 0;
2318 if (r < 0)
2319 return r;
2320
2321 if (aux->state == DNS_TRANSACTION_NULL) {
2322 r = dns_transaction_go(aux);
2323 if (r < 0)
2324 return r;
2325 }
2326
2327 return 1;
2328 }
2329
2330 static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
2331 int r;
2332
2333 assert(t);
2334
2335 /* Check whether the specified name is in the NTA
2336 * database, either in the global one, or the link-local
2337 * one. */
2338
2339 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
2340 if (r != 0)
2341 return r;
2342
2343 if (!t->scope->link)
2344 return 0;
2345
2346 return link_negative_trust_anchor_lookup(t->scope->link, name);
2347 }
2348
2349 static int dns_transaction_has_negative_answer(DnsTransaction *t) {
2350 int r;
2351
2352 assert(t);
2353
2354 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
2355 * RRs to prove it */
2356
2357 r = dns_transaction_has_positive_answer(t, NULL);
2358 if (r < 0)
2359 return r;
2360 if (r > 0)
2361 return false;
2362
2363 /* Is this key explicitly listed as a negative trust anchor?
2364 * If so, it's nothing we need to care about */
2365 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
2366 if (r < 0)
2367 return r;
2368 return !r;
2369 }
2370
2371 static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
2372 int r;
2373
2374 assert(t);
2375 assert(rr);
2376
2377 /* Check if the specified RR is the "primary" response,
2378 * i.e. either matches the question precisely or is a
2379 * CNAME/DNAME for it. */
2380
2381 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
2382 if (r != 0)
2383 return r;
2384
2385 return dns_resource_key_match_cname_or_dname(dns_transaction_key(t), rr->key, NULL);
2386 }
2387
2388 static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
2389 assert(t);
2390
2391 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
2392 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
2393
2394 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2395 return false;
2396
2397 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
2398 * be supported, hence return true. */
2399 if (!t->server)
2400 return true;
2401
2402 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
2403 * the server is known to support currently, as the transaction feature level might be lower than what the
2404 * server actually supports, since we might have downgraded this transaction's feature level because we got a
2405 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
2406
2407 return dns_server_dnssec_supported(t->server);
2408 }
2409
2410 static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
2411 DnsTransaction *dt;
2412
2413 assert(t);
2414
2415 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
2416
2417 if (!dns_transaction_dnssec_supported(t))
2418 return false;
2419
2420 SET_FOREACH(dt, t->dnssec_transactions)
2421 if (!dns_transaction_dnssec_supported(dt))
2422 return false;
2423
2424 return true;
2425 }
2426
2427 int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
2428 DnsResourceRecord *rr;
2429
2430 int r;
2431
2432 assert(t);
2433
2434 /*
2435 * Retrieve all auxiliary RRs for the answer we got, so that
2436 * we can verify signatures or prove that RRs are rightfully
2437 * unsigned. Specifically:
2438 *
2439 * - For RRSIG we get the matching DNSKEY
2440 * - For DNSKEY we get the matching DS
2441 * - For unsigned SOA/NS we get the matching DS
2442 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
2443 * - For other unsigned RRs we get the matching SOA RR
2444 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
2445 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
2446 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
2447 */
2448
2449 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
2450 return 0;
2451 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2452 return 0; /* We only need to validate stuff from the network */
2453 if (!dns_transaction_dnssec_supported(t))
2454 return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
2455
2456 DNS_ANSWER_FOREACH(rr, t->answer) {
2457
2458 if (dns_type_is_pseudo(rr->key->type))
2459 continue;
2460
2461 /* If this RR is in the negative trust anchor, we don't need to validate it. */
2462 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2463 if (r < 0)
2464 return r;
2465 if (r > 0)
2466 continue;
2467
2468 switch (rr->key->type) {
2469
2470 case DNS_TYPE_RRSIG: {
2471 /* For each RRSIG we request the matching DNSKEY */
2472 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
2473
2474 /* If this RRSIG is about a DNSKEY RR and the
2475 * signer is the same as the owner, then we
2476 * already have the DNSKEY, and we don't have
2477 * to look for more. */
2478 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
2479 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
2480 if (r < 0)
2481 return r;
2482 if (r > 0)
2483 continue;
2484 }
2485
2486 /* If the signer is not a parent of our
2487 * original query, then this is about an
2488 * auxiliary RRset, but not anything we asked
2489 * for. In this case we aren't interested,
2490 * because we don't want to request additional
2491 * RRs for stuff we didn't really ask for, and
2492 * also to avoid request loops, where
2493 * additional RRs from one transaction result
2494 * in another transaction whose additional RRs
2495 * point back to the original transaction, and
2496 * we deadlock. */
2497 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), rr->rrsig.signer);
2498 if (r < 0)
2499 return r;
2500 if (r == 0)
2501 continue;
2502
2503 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2504 if (!dnskey)
2505 return -ENOMEM;
2506
2507 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2508 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
2509 r = dns_transaction_request_dnssec_rr(t, dnskey);
2510 if (r < 0)
2511 return r;
2512 break;
2513 }
2514
2515 case DNS_TYPE_DNSKEY: {
2516 /* For each DNSKEY we request the matching DS */
2517 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2518
2519 /* If the DNSKEY we are looking at is not for
2520 * zone we are interested in, nor any of its
2521 * parents, we aren't interested, and don't
2522 * request it. After all, we don't want to end
2523 * up in request loops, and want to keep
2524 * additional traffic down. */
2525
2526 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
2527 if (r < 0)
2528 return r;
2529 if (r == 0)
2530 continue;
2531
2532 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2533 if (!ds)
2534 return -ENOMEM;
2535
2536 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2537 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
2538 r = dns_transaction_request_dnssec_rr(t, ds);
2539 if (r < 0)
2540 return r;
2541
2542 break;
2543 }
2544
2545 case DNS_TYPE_SOA:
2546 case DNS_TYPE_NS: {
2547 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2548
2549 /* For an unsigned SOA or NS, try to acquire
2550 * the matching DS RR, as we are at a zone cut
2551 * then, and whether a DS exists tells us
2552 * whether the zone is signed. Do so only if
2553 * this RR matches our original question,
2554 * however. */
2555
2556 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
2557 if (r < 0)
2558 return r;
2559 if (r == 0) {
2560 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
2561 * a negative reply, and we need the SOA RR's TTL in order to cache a negative entry?
2562 * If so, we need to validate it, too. */
2563
2564 r = dns_answer_match_key(t->answer, dns_transaction_key(t), NULL);
2565 if (r < 0)
2566 return r;
2567 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2568 * it. */
2569 continue;
2570
2571 /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
2572 * what we are looking for, otherwise there's no value in it for us. */
2573 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
2574 if (r < 0)
2575 return r;
2576 if (r == 0)
2577 continue;
2578 }
2579
2580 r = dnssec_has_rrsig(t->answer, rr->key);
2581 if (r < 0)
2582 return r;
2583 if (r > 0)
2584 continue;
2585
2586 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2587 if (!ds)
2588 return -ENOMEM;
2589
2590 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2591 t->id, dns_resource_key_name(rr->key));
2592 r = dns_transaction_request_dnssec_rr(t, ds);
2593 if (r < 0)
2594 return r;
2595
2596 break;
2597 }
2598
2599 case DNS_TYPE_DS:
2600 case DNS_TYPE_CNAME:
2601 case DNS_TYPE_DNAME: {
2602 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2603 const char *name;
2604
2605 /* CNAMEs and DNAMEs cannot be located at a
2606 * zone apex, hence ask for the parent SOA for
2607 * unsigned CNAME/DNAME RRs, maybe that's the
2608 * apex. But do all that only if this is
2609 * actually a response to our original
2610 * question.
2611 *
2612 * Similar for DS RRs, which are signed when
2613 * the parent SOA is signed. */
2614
2615 r = dns_transaction_is_primary_response(t, rr);
2616 if (r < 0)
2617 return r;
2618 if (r == 0)
2619 continue;
2620
2621 r = dnssec_has_rrsig(t->answer, rr->key);
2622 if (r < 0)
2623 return r;
2624 if (r > 0)
2625 continue;
2626
2627 r = dns_answer_has_dname_for_cname(t->answer, rr);
2628 if (r < 0)
2629 return r;
2630 if (r > 0)
2631 continue;
2632
2633 name = dns_resource_key_name(rr->key);
2634 r = dns_name_parent(&name);
2635 if (r < 0)
2636 return r;
2637 if (r == 0)
2638 continue;
2639
2640 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2641 if (!soa)
2642 return -ENOMEM;
2643
2644 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2645 t->id, dns_resource_key_name(rr->key));
2646 r = dns_transaction_request_dnssec_rr(t, soa);
2647 if (r < 0)
2648 return r;
2649
2650 break;
2651 }
2652
2653 default: {
2654 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2655
2656 /* For other unsigned RRsets (including
2657 * NSEC/NSEC3!), look for proof the zone is
2658 * unsigned, by requesting the SOA RR of the
2659 * zone. However, do so only if they are
2660 * directly relevant to our original
2661 * question. */
2662
2663 r = dns_transaction_is_primary_response(t, rr);
2664 if (r < 0)
2665 return r;
2666 if (r == 0)
2667 continue;
2668
2669 r = dnssec_has_rrsig(t->answer, rr->key);
2670 if (r < 0)
2671 return r;
2672 if (r > 0)
2673 continue;
2674
2675 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
2676 if (!soa)
2677 return -ENOMEM;
2678
2679 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2680 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
2681 r = dns_transaction_request_dnssec_rr(t, soa);
2682 if (r < 0)
2683 return r;
2684 break;
2685 }}
2686 }
2687
2688 /* Above, we requested everything necessary to validate what
2689 * we got. Now, let's request what we need to validate what we
2690 * didn't get... */
2691
2692 r = dns_transaction_has_negative_answer(t);
2693 if (r < 0)
2694 return r;
2695 if (r > 0) {
2696 const char *name, *signed_status;
2697 uint16_t type = 0;
2698
2699 name = dns_resource_key_name(dns_transaction_key(t));
2700 signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned";
2701
2702 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2703 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2704 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2705 * though they have further children. If this was a DS request, then it's signed when the parent zone
2706 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2707 * to see if that is signed. */
2708
2709 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
2710 r = dns_name_parent(&name);
2711 if (r > 0) {
2712 type = DNS_TYPE_SOA;
2713 log_debug("Requesting parent SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty DS response).",
2714 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id,
2715 dns_resource_key_name(dns_transaction_key(t)), signed_status);
2716 } else
2717 name = NULL;
2718
2719 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
2720
2721 type = DNS_TYPE_DS;
2722 log_debug("Requesting DS (%s %s) to validate transaction %" PRIu16 " (%s, %s empty SOA/NS response).",
2723 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
2724
2725 } else {
2726 type = DNS_TYPE_SOA;
2727 log_debug("Requesting SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty non-SOA/NS/DS response).",
2728 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
2729 }
2730
2731 if (name) {
2732 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2733
2734 soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name);
2735 if (!soa)
2736 return -ENOMEM;
2737
2738 r = dns_transaction_request_dnssec_rr(t, soa);
2739 if (r < 0)
2740 return r;
2741 }
2742 }
2743
2744 return dns_transaction_dnssec_is_live(t);
2745 }
2746
2747 void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
2748 assert(t);
2749 assert(source);
2750
2751 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2752 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2753 the state is VALIDATING however, we should check if we are complete now. */
2754
2755 if (t->state == DNS_TRANSACTION_VALIDATING)
2756 dns_transaction_process_dnssec(t);
2757 }
2758
2759 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
2760 DnsAnswerItem *item;
2761 int r;
2762
2763 assert(t);
2764
2765 /* Add all DNSKEY RRs from the answer that are validated by DS
2766 * RRs from the list of validated keys to the list of
2767 * validated keys. */
2768
2769 DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
2770
2771 r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
2772 if (r < 0)
2773 return r;
2774 if (r == 0)
2775 continue;
2776
2777 /* If so, the DNSKEY is validated too. */
2778 r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
2779 if (r < 0)
2780 return r;
2781 }
2782
2783 return 0;
2784 }
2785
2786 static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
2787 int r;
2788
2789 assert(t);
2790 assert(rr);
2791
2792 /* Checks if the RR we are looking for must be signed with an
2793 * RRSIG. This is used for positive responses. */
2794
2795 if (t->scope->dnssec_mode == DNSSEC_NO)
2796 return false;
2797
2798 if (dns_type_is_pseudo(rr->key->type))
2799 return -EINVAL;
2800
2801 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2802 if (r < 0)
2803 return r;
2804 if (r > 0)
2805 return false;
2806
2807 switch (rr->key->type) {
2808
2809 case DNS_TYPE_RRSIG:
2810 /* RRSIGs are the signatures themselves, they need no signing. */
2811 return false;
2812
2813 case DNS_TYPE_SOA:
2814 case DNS_TYPE_NS: {
2815 DnsTransaction *dt;
2816
2817 /* For SOA or NS RRs we look for a matching DS transaction */
2818
2819 SET_FOREACH(dt, t->dnssec_transactions) {
2820
2821 if (dns_transaction_key(dt)->class != rr->key->class)
2822 continue;
2823 if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
2824 continue;
2825
2826 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
2827 if (r < 0)
2828 return r;
2829 if (r == 0)
2830 continue;
2831
2832 /* We found a DS transactions for the SOA/NS
2833 * RRs we are looking at. If it discovered signed DS
2834 * RRs, then we need to be signed, too. */
2835
2836 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
2837 return false;
2838
2839 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
2840 }
2841
2842 /* We found nothing that proves this is safe to leave
2843 * this unauthenticated, hence ask inist on
2844 * authentication. */
2845 return true;
2846 }
2847
2848 case DNS_TYPE_DS:
2849 case DNS_TYPE_CNAME:
2850 case DNS_TYPE_DNAME: {
2851 const char *parent = NULL;
2852 DnsTransaction *dt;
2853
2854 /*
2855 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2856 *
2857 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2858 */
2859
2860 SET_FOREACH(dt, t->dnssec_transactions) {
2861
2862 if (dns_transaction_key(dt)->class != rr->key->class)
2863 continue;
2864 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
2865 continue;
2866
2867 if (!parent) {
2868 parent = dns_resource_key_name(rr->key);
2869 r = dns_name_parent(&parent);
2870 if (r < 0)
2871 return r;
2872 if (r == 0) {
2873 if (rr->key->type == DNS_TYPE_DS)
2874 return true;
2875
2876 /* A CNAME/DNAME without a parent? That's sooo weird. */
2877 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2878 "Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
2879 }
2880 }
2881
2882 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent);
2883 if (r < 0)
2884 return r;
2885 if (r == 0)
2886 continue;
2887
2888 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2889 }
2890
2891 return true;
2892 }
2893
2894 default: {
2895 DnsTransaction *dt;
2896
2897 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
2898
2899 SET_FOREACH(dt, t->dnssec_transactions) {
2900
2901 if (dns_transaction_key(dt)->class != rr->key->class)
2902 continue;
2903 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
2904 continue;
2905
2906 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
2907 if (r < 0)
2908 return r;
2909 if (r == 0)
2910 continue;
2911
2912 /* We found the transaction that was supposed to find the SOA RR for us. It was
2913 * successful, but found no RR for us. This means we are not at a zone cut. In this
2914 * case, we require authentication if the SOA lookup was authenticated too. */
2915 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2916 }
2917
2918 return true;
2919 }}
2920 }
2921
2922 static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2923 DnsTransaction *dt;
2924 const char *tld;
2925 int r;
2926
2927 /* If DNSSEC downgrade mode is on, checks whether the
2928 * specified RR is one level below a TLD we have proven not to
2929 * exist. In such a case we assume that this is a private
2930 * domain, and permit it.
2931 *
2932 * This detects cases like the Fritz!Box router networks. Each
2933 * Fritz!Box router serves a private "fritz.box" zone, in the
2934 * non-existing TLD "box". Requests for the "fritz.box" domain
2935 * are served by the router itself, while requests for the
2936 * "box" domain will result in NXDOMAIN.
2937 *
2938 * Note that this logic is unable to detect cases where a
2939 * router serves a private DNS zone directly under
2940 * non-existing TLD. In such a case we cannot detect whether
2941 * the TLD is supposed to exist or not, as all requests we
2942 * make for it will be answered by the router's zone, and not
2943 * by the root zone. */
2944
2945 assert(t);
2946
2947 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2948 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2949
2950 tld = dns_resource_key_name(key);
2951 r = dns_name_parent(&tld);
2952 if (r < 0)
2953 return r;
2954 if (r == 0)
2955 return false; /* Already the root domain */
2956
2957 if (!dns_name_is_single_label(tld))
2958 return false;
2959
2960 SET_FOREACH(dt, t->dnssec_transactions) {
2961
2962 if (dns_transaction_key(dt)->class != key->class)
2963 continue;
2964
2965 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), tld);
2966 if (r < 0)
2967 return r;
2968 if (r == 0)
2969 continue;
2970
2971 /* We found an auxiliary lookup we did for the TLD. If
2972 * that returned with NXDOMAIN, we know the TLD didn't
2973 * exist, and hence this might be a private zone. */
2974
2975 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2976 }
2977
2978 return false;
2979 }
2980
2981 static int dns_transaction_requires_nsec(DnsTransaction *t) {
2982 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
2983 DnsTransaction *dt;
2984 const char *name;
2985 uint16_t type = 0;
2986 int r;
2987
2988 assert(t);
2989
2990 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2991 * this negative reply */
2992
2993 if (t->scope->dnssec_mode == DNSSEC_NO)
2994 return false;
2995
2996 if (dns_type_is_pseudo(dns_transaction_key(t)->type))
2997 return -EINVAL;
2998
2999 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
3000 if (r < 0)
3001 return r;
3002 if (r > 0)
3003 return false;
3004
3005 r = dns_transaction_in_private_tld(t, dns_transaction_key(t));
3006 if (r < 0)
3007 return r;
3008 if (r > 0) {
3009 /* The lookup is from a TLD that is proven not to
3010 * exist, and we are in downgrade mode, hence ignore
3011 * that fact that we didn't get any NSEC RRs. */
3012
3013 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
3014 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
3015 return false;
3016 }
3017
3018 name = dns_resource_key_name(dns_transaction_key(t));
3019
3020 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
3021
3022 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
3023 * hence check the parent SOA in this case. */
3024
3025 r = dns_name_parent(&name);
3026 if (r < 0)
3027 return r;
3028 if (r == 0)
3029 return true;
3030
3031 type = DNS_TYPE_SOA;
3032
3033 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS))
3034 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
3035 type = DNS_TYPE_DS;
3036 else
3037 /* For all other negative replies, check for the SOA lookup */
3038 type = DNS_TYPE_SOA;
3039
3040 /* For all other RRs we check the SOA on the same level to see
3041 * if it's signed. */
3042
3043 SET_FOREACH(dt, t->dnssec_transactions) {
3044
3045 if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class)
3046 continue;
3047 if (dns_transaction_key(dt)->type != type)
3048 continue;
3049
3050 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name);
3051 if (r < 0)
3052 return r;
3053 if (r == 0)
3054 continue;
3055
3056 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
3057 }
3058
3059 /* If in doubt, require NSEC/NSEC3 */
3060 return true;
3061 }
3062
3063 static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
3064 DnsResourceRecord *rrsig;
3065 bool found = false;
3066 int r;
3067
3068 /* Checks whether any of the DNSKEYs used for the RRSIGs for
3069 * the specified RRset is authenticated (i.e. has a matching
3070 * DS RR). */
3071
3072 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
3073 if (r < 0)
3074 return r;
3075 if (r > 0)
3076 return false;
3077
3078 DNS_ANSWER_FOREACH(rrsig, t->answer) {
3079 DnsTransaction *dt;
3080
3081 r = dnssec_key_match_rrsig(rr->key, rrsig);
3082 if (r < 0)
3083 return r;
3084 if (r == 0)
3085 continue;
3086
3087 SET_FOREACH(dt, t->dnssec_transactions) {
3088
3089 if (dns_transaction_key(dt)->class != rr->key->class)
3090 continue;
3091
3092 if (dns_transaction_key(dt)->type == DNS_TYPE_DNSKEY) {
3093
3094 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
3095 if (r < 0)
3096 return r;
3097 if (r == 0)
3098 continue;
3099
3100 /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
3101 * report this. */
3102
3103 if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3104 return true;
3105
3106 found = true;
3107
3108 } else if (dns_transaction_key(dt)->type == DNS_TYPE_DS) {
3109
3110 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
3111 if (r < 0)
3112 return r;
3113 if (r == 0)
3114 continue;
3115
3116 /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
3117 * non-zero, we won! */
3118
3119 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3120 return false;
3121
3122 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
3123 }
3124 }
3125 }
3126
3127 return found ? false : -ENXIO;
3128 }
3129
3130 static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
3131 assert(t);
3132 assert(rr);
3133
3134 /* We know that the root domain is signed, hence if it appears
3135 * not to be signed, there's a problem with the DNS server */
3136
3137 return rr->key->class == DNS_CLASS_IN &&
3138 dns_name_is_root(dns_resource_key_name(rr->key));
3139 }
3140
3141 static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
3142 DnsResourceRecord *rr;
3143 int r;
3144
3145 assert(t);
3146
3147 /* Maybe warn the user that we encountered a revoked DNSKEY
3148 * for a key from our trust anchor. Note that we don't care
3149 * whether the DNSKEY can be authenticated or not. It's
3150 * sufficient if it is self-signed. */
3151
3152 DNS_ANSWER_FOREACH(rr, t->answer) {
3153 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
3154 if (r < 0)
3155 return r;
3156 }
3157
3158 return 0;
3159 }
3160
3161 static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
3162 bool changed;
3163 int r;
3164
3165 assert(t);
3166
3167 /* Removes all DNSKEY/DS objects from t->validated_keys that
3168 * our trust anchors database considers revoked. */
3169
3170 do {
3171 DnsResourceRecord *rr;
3172
3173 changed = false;
3174
3175 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
3176 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
3177 if (r < 0)
3178 return r;
3179 if (r > 0) {
3180 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
3181 if (r < 0)
3182 return r;
3183
3184 assert(r > 0);
3185 changed = true;
3186 break;
3187 }
3188 }
3189 } while (changed);
3190
3191 return 0;
3192 }
3193
3194 static int dns_transaction_copy_validated(DnsTransaction *t) {
3195 DnsTransaction *dt;
3196 int r;
3197
3198 assert(t);
3199
3200 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
3201
3202 SET_FOREACH(dt, t->dnssec_transactions) {
3203
3204 if (DNS_TRANSACTION_IS_LIVE(dt->state))
3205 continue;
3206
3207 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3208 continue;
3209
3210 r = dns_answer_extend(&t->validated_keys, dt->answer);
3211 if (r < 0)
3212 return r;
3213 }
3214
3215 return 0;
3216 }
3217
3218 typedef enum {
3219 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
3220 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
3221 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
3222 } Phase;
3223
3224 static int dnssec_validate_records(
3225 DnsTransaction *t,
3226 Phase phase,
3227 bool *have_nsec,
3228 DnsAnswer **validated) {
3229
3230 DnsResourceRecord *rr;
3231 int r;
3232
3233 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
3234
3235 DNS_ANSWER_FOREACH(rr, t->answer) {
3236 _unused_ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr_ref = dns_resource_record_ref(rr);
3237 DnsResourceRecord *rrsig = NULL;
3238 DnssecResult result;
3239
3240 switch (rr->key->type) {
3241 case DNS_TYPE_RRSIG:
3242 continue;
3243
3244 case DNS_TYPE_DNSKEY:
3245 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
3246 if (phase == DNSSEC_PHASE_NSEC)
3247 continue;
3248 break;
3249
3250 case DNS_TYPE_NSEC:
3251 case DNS_TYPE_NSEC3:
3252 *have_nsec = true;
3253
3254 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
3255 if (phase == DNSSEC_PHASE_DNSKEY)
3256 continue;
3257 break;
3258
3259 default:
3260 /* We validate all other RRs only in the ALL phases */
3261 if (phase != DNSSEC_PHASE_ALL)
3262 continue;
3263 }
3264
3265 r = dnssec_verify_rrset_search(
3266 t->answer,
3267 rr->key,
3268 t->validated_keys,
3269 USEC_INFINITY,
3270 &result,
3271 &rrsig);
3272 if (r < 0)
3273 return r;
3274
3275 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
3276
3277 if (result == DNSSEC_VALIDATED) {
3278 assert(rrsig);
3279
3280 if (rr->key->type == DNS_TYPE_DNSKEY) {
3281 /* If we just validated a DNSKEY RRset, then let's add these keys to
3282 * the set of validated keys for this transaction. */
3283
3284 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
3285 if (r < 0)
3286 return r;
3287
3288 /* Some of the DNSKEYs we just added might already have been revoked,
3289 * remove them again in that case. */
3290 r = dns_transaction_invalidate_revoked_keys(t);
3291 if (r < 0)
3292 return r;
3293 }
3294
3295 /* Add the validated RRset to the new list of validated RRsets, and remove it from
3296 * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
3297 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
3298 if (r < 0)
3299 return r;
3300
3301 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
3302
3303 /* Exit the loop, we dropped something from the answer, start from the beginning */
3304 return 1;
3305 }
3306
3307 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
3308 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
3309 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
3310 if (phase != DNSSEC_PHASE_ALL)
3311 continue;
3312
3313 if (result == DNSSEC_VALIDATED_WILDCARD) {
3314 bool authenticated = false;
3315 const char *source;
3316
3317 assert(rrsig);
3318
3319 /* This RRset validated, but as a wildcard. This means we need
3320 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
3321
3322 /* First step, determine the source of synthesis */
3323 r = dns_resource_record_source(rrsig, &source);
3324 if (r < 0)
3325 return r;
3326
3327 r = dnssec_test_positive_wildcard(*validated,
3328 dns_resource_key_name(rr->key),
3329 source,
3330 rrsig->rrsig.signer,
3331 &authenticated);
3332
3333 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
3334 if (r == 0)
3335 result = DNSSEC_INVALID;
3336 else {
3337 r = dns_answer_move_by_key(
3338 validated,
3339 &t->answer,
3340 rr->key,
3341 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
3342 rrsig);
3343 if (r < 0)
3344 return r;
3345
3346 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
3347
3348 /* Exit the loop, we dropped something from the answer, start from the beginning */
3349 return 1;
3350 }
3351 }
3352
3353 if (result == DNSSEC_NO_SIGNATURE) {
3354 r = dns_transaction_requires_rrsig(t, rr);
3355 if (r < 0)
3356 return r;
3357 if (r == 0) {
3358 /* Data does not require signing. In that case, just copy it over,
3359 * but remember that this is by no means authenticated. */
3360 r = dns_answer_move_by_key(
3361 validated,
3362 &t->answer,
3363 rr->key,
3364 0,
3365 NULL);
3366 if (r < 0)
3367 return r;
3368
3369 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3370 return 1;
3371 }
3372
3373 r = dns_transaction_known_signed(t, rr);
3374 if (r < 0)
3375 return r;
3376 if (r > 0) {
3377 /* This is an RR we know has to be signed. If it isn't this means
3378 * the server is not attaching RRSIGs, hence complain. */
3379
3380 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
3381
3382 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
3383
3384 /* Downgrading is OK? If so, just consider the information unsigned */
3385
3386 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3387 if (r < 0)
3388 return r;
3389
3390 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3391 return 1;
3392 }
3393
3394 /* Otherwise, fail */
3395 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3396 return 0;
3397 }
3398
3399 r = dns_transaction_in_private_tld(t, rr->key);
3400 if (r < 0)
3401 return r;
3402 if (r > 0) {
3403 char s[DNS_RESOURCE_KEY_STRING_MAX];
3404
3405 /* The data is from a TLD that is proven not to exist, and we are in downgrade
3406 * mode, hence ignore the fact that this was not signed. */
3407
3408 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
3409 dns_resource_key_to_string(rr->key, s, sizeof s));
3410
3411 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3412 if (r < 0)
3413 return r;
3414
3415 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3416 return 1;
3417 }
3418 }
3419
3420 /* https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 */
3421 if (result == DNSSEC_UNSUPPORTED_ALGORITHM) {
3422 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3423 if (r < 0)
3424 return r;
3425
3426 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3427 return 1;
3428 }
3429
3430 if (IN_SET(result,
3431 DNSSEC_MISSING_KEY,
3432 DNSSEC_SIGNATURE_EXPIRED)) {
3433
3434 r = dns_transaction_dnskey_authenticated(t, rr);
3435 if (r < 0 && r != -ENXIO)
3436 return r;
3437 if (r == 0) {
3438 /* The DNSKEY transaction was not authenticated, this means there's
3439 * no DS for this, which means it's OK if no keys are found for this signature. */
3440
3441 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3442 if (r < 0)
3443 return r;
3444
3445 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3446 return 1;
3447 }
3448 }
3449
3450 r = dns_transaction_is_primary_response(t, rr);
3451 if (r < 0)
3452 return r;
3453 if (r > 0) {
3454 /* Look for a matching DNAME for this CNAME */
3455 r = dns_answer_has_dname_for_cname(t->answer, rr);
3456 if (r < 0)
3457 return r;
3458 if (r == 0) {
3459 /* Also look among the stuff we already validated */
3460 r = dns_answer_has_dname_for_cname(*validated, rr);
3461 if (r < 0)
3462 return r;
3463 }
3464
3465 if (r == 0) {
3466 if (IN_SET(result,
3467 DNSSEC_INVALID,
3468 DNSSEC_SIGNATURE_EXPIRED,
3469 DNSSEC_NO_SIGNATURE))
3470 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
3471 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
3472 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
3473
3474 /* This is a primary response to our question, and it failed validation.
3475 * That's fatal. */
3476 t->answer_dnssec_result = result;
3477 return 0;
3478 }
3479
3480 /* This is a primary response, but we do have a DNAME RR
3481 * in the RR that can replay this CNAME, hence rely on
3482 * that, and we can remove the CNAME in favour of it. */
3483 }
3484
3485 /* This is just some auxiliary data. Just remove the RRset and continue. */
3486 r = dns_answer_remove_by_key(&t->answer, rr->key);
3487 if (r < 0)
3488 return r;
3489
3490 /* We dropped something from the answer, start from the beginning. */
3491 return 1;
3492 }
3493
3494 return 2; /* Finito. */
3495 }
3496
3497 int dns_transaction_validate_dnssec(DnsTransaction *t) {
3498 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
3499 Phase phase;
3500 DnsAnswerFlags flags;
3501 int r;
3502 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
3503
3504 assert(t);
3505
3506 /* We have now collected all DS and DNSKEY RRs in t->validated_keys, let's see which RRs we can now
3507 * authenticate with that. */
3508
3509 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
3510 return 0;
3511
3512 /* Already validated */
3513 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3514 return 0;
3515
3516 /* Our own stuff needs no validation */
3517 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3518 t->answer_dnssec_result = DNSSEC_VALIDATED;
3519 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
3520 return 0;
3521 }
3522
3523 /* Cached stuff is not affected by validation. */
3524 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3525 return 0;
3526
3527 if (!dns_transaction_dnssec_supported_full(t)) {
3528 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3529 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3530 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
3531 return 0;
3532 }
3533
3534 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3535 t->id,
3536 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
3537
3538 /* First, see if this response contains any revoked trust
3539 * anchors we care about */
3540 r = dns_transaction_check_revoked_trust_anchors(t);
3541 if (r < 0)
3542 return r;
3543
3544 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3545 r = dns_transaction_copy_validated(t);
3546 if (r < 0)
3547 return r;
3548
3549 /* Second, see if there are DNSKEYs we already know a
3550 * validated DS for. */
3551 r = dns_transaction_validate_dnskey_by_ds(t);
3552 if (r < 0)
3553 return r;
3554
3555 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3556 * anchor says are revoked. After all we might have marked
3557 * some keys revoked above, but they might still be lingering
3558 * in our validated_keys list. */
3559 r = dns_transaction_invalidate_revoked_keys(t);
3560 if (r < 0)
3561 return r;
3562
3563 phase = DNSSEC_PHASE_DNSKEY;
3564 for (;;) {
3565 bool have_nsec = false;
3566
3567 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3568 if (r <= 0)
3569 return r;
3570
3571 /* Try again as long as we managed to achieve something */
3572 if (r == 1)
3573 continue;
3574
3575 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
3576 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
3577 phase = DNSSEC_PHASE_NSEC;
3578 continue;
3579 }
3580
3581 if (phase != DNSSEC_PHASE_ALL) {
3582 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3583 * Note that in this third phase we start to remove RRs we couldn't validate. */
3584 phase = DNSSEC_PHASE_ALL;
3585 continue;
3586 }
3587
3588 /* We're done */
3589 break;
3590 }
3591
3592 DNS_ANSWER_REPLACE(t->answer, TAKE_PTR(validated));
3593
3594 /* At this point the answer only contains validated
3595 * RRsets. Now, let's see if it actually answers the question
3596 * we asked. If so, great! If it doesn't, then see if
3597 * NSEC/NSEC3 can prove this. */
3598 r = dns_transaction_has_positive_answer(t, &flags);
3599 if (r > 0) {
3600 /* Yes, it answers the question! */
3601
3602 if (flags & DNS_ANSWER_AUTHENTICATED) {
3603 /* The answer is fully authenticated, yay. */
3604 t->answer_dnssec_result = DNSSEC_VALIDATED;
3605 t->answer_rcode = DNS_RCODE_SUCCESS;
3606 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
3607 } else {
3608 /* The answer is not fully authenticated. */
3609 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3610 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3611 }
3612
3613 } else if (r == 0) {
3614 DnssecNsecResult nr;
3615 bool authenticated = false;
3616
3617 /* Bummer! Let's check NSEC/NSEC3 */
3618 r = dnssec_nsec_test(t->answer, dns_transaction_key(t), &nr, &authenticated, &t->answer_nsec_ttl);
3619 if (r < 0)
3620 return r;
3621
3622 switch (nr) {
3623
3624 case DNSSEC_NSEC_NXDOMAIN:
3625 /* NSEC proves the domain doesn't exist. Very good. */
3626 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3627 t->answer_dnssec_result = DNSSEC_VALIDATED;
3628 t->answer_rcode = DNS_RCODE_NXDOMAIN;
3629 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
3630
3631 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
3632 break;
3633
3634 case DNSSEC_NSEC_NODATA:
3635 /* NSEC proves that there's no data here, very good. */
3636 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3637 t->answer_dnssec_result = DNSSEC_VALIDATED;
3638 t->answer_rcode = DNS_RCODE_SUCCESS;
3639 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
3640
3641 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
3642 break;
3643
3644 case DNSSEC_NSEC_OPTOUT:
3645 /* NSEC3 says the data might not be signed */
3646 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3647 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3648 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3649
3650 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
3651 break;
3652
3653 case DNSSEC_NSEC_NO_RR:
3654 /* No NSEC data? Bummer! */
3655
3656 r = dns_transaction_requires_nsec(t);
3657 if (r < 0)
3658 return r;
3659 if (r > 0) {
3660 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
3661 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
3662 } else {
3663 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3664 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3665 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
3666 }
3667
3668 break;
3669
3670 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3671 /* We don't know the NSEC3 algorithm used? */
3672 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
3673 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, dns_transaction_key(t));
3674 break;
3675
3676 case DNSSEC_NSEC_FOUND:
3677 case DNSSEC_NSEC_CNAME:
3678 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
3679 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
3680 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
3681 break;
3682
3683 default:
3684 assert_not_reached();
3685 }
3686 }
3687
3688 return 1;
3689 }
3690
3691 static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
3692 [DNS_TRANSACTION_NULL] = "null",
3693 [DNS_TRANSACTION_PENDING] = "pending",
3694 [DNS_TRANSACTION_VALIDATING] = "validating",
3695 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3696 [DNS_TRANSACTION_SUCCESS] = "success",
3697 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3698 [DNS_TRANSACTION_TIMEOUT] = "timeout",
3699 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
3700 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3701 [DNS_TRANSACTION_ERRNO] = "errno",
3702 [DNS_TRANSACTION_ABORTED] = "aborted",
3703 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3704 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3705 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3706 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3707 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3708 [DNS_TRANSACTION_NO_SOURCE] = "no-source",
3709 [DNS_TRANSACTION_STUB_LOOP] = "stub-loop",
3710 };
3711 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
3712
3713 static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
3714 [DNS_TRANSACTION_NETWORK] = "network",
3715 [DNS_TRANSACTION_CACHE] = "cache",
3716 [DNS_TRANSACTION_ZONE] = "zone",
3717 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
3718 };
3719 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.