]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tree-wide: drop space between variable and an increment/decrement
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
ec2c5e43 2
62cc1c55 3#include "sd-messages.h"
beef6a5f 4
ec2c5e43 5#include "af-list.h"
b5efdb8a 6#include "alloc-util.h"
f52e61da 7#include "dns-domain.h"
7cc6ed7b 8#include "errno-list.h"
c3fecddf 9#include "errno-util.h"
3ffd4af2 10#include "fd-util.h"
e2341b6b 11#include "glyph-util.h"
3ffd4af2 12#include "random-util.h"
7778dfff 13#include "resolved-dns-cache.h"
3ffd4af2 14#include "resolved-dns-transaction.h"
6016fcb0 15#include "resolved-dnstls.h"
aedf00a2 16#include "resolved-llmnr.h"
6016fcb0 17#include "string-table.h"
5d67a7ae 18
b214dc0f 19#define TRANSACTIONS_MAX 4096
dc349f5f 20#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
b214dc0f 21
dbc4661a
MCO		 22/* After how much time to repeat classic DNS requests */
23#define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
24
c61d2b44
LP		 25static void dns_transaction_reset_answer(DnsTransaction *t) {
26 assert(t);
27
28 t->received = dns_packet_unref(t->received);
29 t->answer = dns_answer_unref(t->answer);
30 t->answer_rcode = 0;
31 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
32 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
6f055e43 33 t->answer_query_flags = 0;
f5fbe71d 34 t->answer_nsec_ttl = UINT32_MAX;
7cc6ed7b 35 t->answer_errno = 0;
c61d2b44
LP		 36}
37
c5b4f861
LP		 38static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
39 DnsTransaction *z;
40
41 assert(t);
42
43 while ((z = set_steal_first(t->dnssec_transactions))) {
44 set_remove(z->notify_transactions, t);
35aa04e9 45 set_remove(z->notify_transactions_done, t);
c5b4f861
LP		 46 dns_transaction_gc(z);
47 }
48}
49
80710ade
LP		 50static void dns_transaction_close_connection(
51 DnsTransaction *t,
52 bool use_graveyard) { /* Set use_graveyard = false when you know the connection is already
53 * dead, for example because you got a connection error back from the
54 * kernel. In that case there's no point in keeping the fd around,
55 * hence don't. */
56 int r;
57
f32f0e57
LP		 58 assert(t);
59
b30bf55d
LP		 60 if (t->stream) {
61 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
98767d75
IT		 62 LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
63
64 /* Remove packet in case it's still in the queue */
65 dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
66
b30bf55d
LP		 67 t->stream = dns_stream_unref(t->stream);
68 }
69
97935302 70 t->dns_udp_event_source = sd_event_source_disable_unref(t->dns_udp_event_source);
80710ade 71
5bc9ea07 72 /* If we have a UDP socket where we sent a packet, but never received one, then add it to the socket
80710ade
LP		 73 * graveyard, instead of closing it right away. That way it will stick around for a moment longer,
74 * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP
75 * port unreachable error message. */
76
77 if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) {
78 r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd);
79 if (r < 0)
80 log_debug_errno(r, "Failed to add UDP socket to graveyard, closing immediately: %m");
81 else
82 TAKE_FD(t->dns_udp_fd);
83 }
84
f32f0e57
LP		 85 t->dns_udp_fd = safe_close(t->dns_udp_fd);
86}
87
f535705a 88static void dns_transaction_stop_timeout(DnsTransaction *t) {
97cc656c
LP		 89 assert(t);
90
97935302 91 t->timeout_event_source = sd_event_source_disable_unref(t->timeout_event_source);
97cc656c
LP		 92}
93
ec2c5e43 94DnsTransaction* dns_transaction_free(DnsTransaction *t) {
801ad6a6 95 DnsQueryCandidate *c;
ec2c5e43 96 DnsZoneItem *i;
547973de 97 DnsTransaction *z;
ec2c5e43
LP		 98
99 if (!t)
100 return NULL;
101
51e399bc
LP		 102 log_debug("Freeing transaction %" PRIu16 ".", t->id);
103
80710ade 104 dns_transaction_close_connection(t, true);
f535705a 105 dns_transaction_stop_timeout(t);
ec2c5e43 106
ec2c5e43 107 dns_packet_unref(t->sent);
c61d2b44 108 dns_transaction_reset_answer(t);
ec2c5e43 109
8300ba21 110 dns_server_unref(t->server);
ec2c5e43
LP		 111
112 if (t->scope) {
775ae354
LP		 113 if (t->key) {
114 DnsTransaction *first;
115
116 first = hashmap_get(t->scope->transactions_by_key, t->key);
117 LIST_REMOVE(transactions_by_key, first, t);
118 if (first)
119 hashmap_replace(t->scope->transactions_by_key, first->key, first);
120 else
121 hashmap_remove(t->scope->transactions_by_key, t->key);
122 }
ec2c5e43 123
775ae354 124 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
ec2c5e43 125
013668db
LP		 126 if (t->id != 0)
127 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
128 }
775ae354 129
547973de 130 while ((c = set_steal_first(t->notify_query_candidates)))
801ad6a6 131 set_remove(c->transactions, t);
547973de 132 set_free(t->notify_query_candidates);
801ad6a6 133
35aa04e9
LP		 134 while ((c = set_steal_first(t->notify_query_candidates_done)))
135 set_remove(c->transactions, t);
136 set_free(t->notify_query_candidates_done);
137
547973de 138 while ((i = set_steal_first(t->notify_zone_items)))
ec2c5e43 139 i->probe_transaction = NULL;
547973de
LP		 140 set_free(t->notify_zone_items);
141
35aa04e9
LP		 142 while ((i = set_steal_first(t->notify_zone_items_done)))
143 i->probe_transaction = NULL;
144 set_free(t->notify_zone_items_done);
145
547973de
LP		 146 while ((z = set_steal_first(t->notify_transactions)))
147 set_remove(z->dnssec_transactions, t);
148 set_free(t->notify_transactions);
149
35aa04e9
LP		 150 while ((z = set_steal_first(t->notify_transactions_done)))
151 set_remove(z->dnssec_transactions, t);
152 set_free(t->notify_transactions_done);
153
c5b4f861 154 dns_transaction_flush_dnssec_transactions(t);
547973de
LP		 155 set_free(t->dnssec_transactions);
156
157 dns_answer_unref(t->validated_keys);
97cc656c 158 dns_resource_key_unref(t->key);
775ae354 159 dns_packet_unref(t->bypass);
97cc656c 160
6b430fdb 161 return mfree(t);
ec2c5e43
LP		 162}
163
164DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
165
1f388301 166DnsTransaction* dns_transaction_gc(DnsTransaction *t) {
ec2c5e43
LP		 167 assert(t);
168
1f388301
ZJS		 169 /* Returns !NULL if we can't gc yet. */
170
ec2c5e43 171 if (t->block_gc > 0)
1f388301 172 return t;
ec2c5e43 173
547973de 174 if (set_isempty(t->notify_query_candidates) &&
35aa04e9 175 set_isempty(t->notify_query_candidates_done) &&
547973de 176 set_isempty(t->notify_zone_items) &&
35aa04e9
LP		 177 set_isempty(t->notify_zone_items_done) &&
178 set_isempty(t->notify_transactions) &&
1f388301
ZJS		 179 set_isempty(t->notify_transactions_done))
180 return dns_transaction_free(t);
51e399bc 181
1f388301 182 return t;
ec2c5e43
LP		 183}
184
4dd15077
LP		 185static uint16_t pick_new_id(Manager *m) {
186 uint16_t new_id;
187
4ea8b443
ZJS		 188 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the
189 * number of transactions, and it's much lower than the space of IDs. */
4dd15077
LP		 190
191 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
192
193 do
194 random_bytes(&new_id, sizeof(new_id));
195 while (new_id == 0 ||
196 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
197
198 return new_id;
199}
200
775ae354
LP		 201static int key_ok(
202 DnsScope *scope,
203 DnsResourceKey *key) {
ec2c5e43 204
9eae2bf3 205 /* Don't allow looking up invalid or pseudo RRs */
c463eb78 206 if (!dns_type_is_valid_query(key->type))
9eae2bf3 207 return -EINVAL;
d0129ddb
LP		 208 if (dns_type_is_obsolete(key->type))
209 return -EOPNOTSUPP;
9eae2bf3
LP		 210
211 /* We only support the IN class */
4c701096 212 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
9eae2bf3
LP		 213 return -EOPNOTSUPP;
214
775ae354
LP		 215 /* Don't allows DNSSEC RRs to be looked up via LLMNR/mDNS. They don't really make sense
216 * there, and it speeds up our queries if we refuse this early */
217 if (scope->protocol != DNS_PROTOCOL_DNS &&
218 dns_type_is_dnssec(key->type))
219 return -EOPNOTSUPP;
220
221 return 0;
222}
223
224int dns_transaction_new(
225 DnsTransaction **ret,
226 DnsScope *s,
227 DnsResourceKey *key,
228 DnsPacket *bypass,
229 uint64_t query_flags) {
230
231 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
232 int r;
233
234 assert(ret);
235 assert(s);
236
237 if (key) {
238 assert(!bypass);
239
240 r = key_ok(s, key);
241 if (r < 0)
242 return r;
243 } else {
244 DnsResourceKey *qk;
245 assert(bypass);
246
247 r = dns_packet_validate_query(bypass);
248 if (r < 0)
249 return r;
250
251 DNS_QUESTION_FOREACH(qk, bypass->question) {
252 r = key_ok(s, qk);
253 if (r < 0)
254 return r;
255 }
256 }
257
b214dc0f
LP		 258 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
259 return -EBUSY;
260
d5099efc 261 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
ec2c5e43
LP		 262 if (r < 0)
263 return r;
264
775ae354
LP		 265 if (key) {
266 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
267 if (r < 0)
268 return r;
269 }
da0c630e 270
1ed31408 271 t = new(DnsTransaction, 1);
ec2c5e43
LP		 272 if (!t)
273 return -ENOMEM;
274
1ed31408 275 *t = (DnsTransaction) {
254d1313 276 .dns_udp_fd = -EBADF,
1ed31408
LP		 277 .answer_source = _DNS_TRANSACTION_SOURCE_INVALID,
278 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
f5fbe71d 279 .answer_nsec_ttl = UINT32_MAX,
1ed31408 280 .key = dns_resource_key_ref(key),
775ae354
LP		 281 .query_flags = query_flags,
282 .bypass = dns_packet_ref(bypass),
1ed31408 283 .current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed4e584 284 .clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed31408
LP		 285 .id = pick_new_id(s->manager),
286 };
ec2c5e43
LP		 287
288 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
289 if (r < 0) {
290 t->id = 0;
291 return r;
292 }
293
775ae354
LP		 294 if (t->key) {
295 DnsTransaction *first;
296
297 first = hashmap_get(s->transactions_by_key, t->key);
298 LIST_PREPEND(transactions_by_key, first, t);
299
300 r = hashmap_replace(s->transactions_by_key, first->key, first);
301 if (r < 0) {
302 LIST_REMOVE(transactions_by_key, first, t);
303 return r;
304 }
da0c630e
LP		 305 }
306
f9ebb22a 307 LIST_PREPEND(transactions_by_scope, s->transactions, t);
ec2c5e43
LP		 308 t->scope = s;
309
313cefa1 310 s->manager->n_transactions_total++;
a150ff5e 311
ec2c5e43
LP		 312 if (ret)
313 *ret = t;
314
775ae354 315 TAKE_PTR(t);
ec2c5e43
LP		 316 return 0;
317}
318
4dd15077
LP		 319static void dns_transaction_shuffle_id(DnsTransaction *t) {
320 uint16_t new_id;
321 assert(t);
322
323 /* Pick a new ID for this transaction. */
324
325 new_id = pick_new_id(t->scope->manager);
326 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
327
328 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
329 t->id = new_id;
330
331 /* Make sure we generate a new packet with the new ID */
332 t->sent = dns_packet_unref(t->sent);
333}
334
ec2c5e43 335static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
202b76ae 336 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43 337 DnsZoneItem *z;
ec2c5e43
LP		 338
339 assert(t);
340 assert(p);
94378145 341 assert(t->scope->protocol == DNS_PROTOCOL_LLMNR);
ec2c5e43 342
94378145 343 if (manager_packet_from_local_address(t->scope->manager, p) != 0)
ec2c5e43
LP		 344 return;
345
a5784c49
LP		 346 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
347 t->id,
42df9532 348 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 349 dns_protocol_to_string(t->scope->protocol),
6ff79f76 350 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 351 af_to_name_short(t->scope->family),
84dbb3fd 352 IN_ADDR_TO_STRING(p->family, &p->sender));
ec2c5e43 353
a4076574
LP		 354 /* RFC 4795, Section 4.1 says that the peer with the
355 * lexicographically smaller IP address loses */
4d91eec4
LP		 356 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
357 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
a4076574
LP		 358 return;
359 }
360
4d91eec4 361 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
a4076574 362
ec2c5e43 363 t->block_gc++;
35aa04e9 364
547973de 365 while ((z = set_first(t->notify_zone_items))) {
3ef64445
LP		 366 /* First, make sure the zone item drops the reference
367 * to us */
368 dns_zone_item_probe_stop(z);
369
370 /* Secondly, report this as conflict, so that we might
371 * look for a different hostname */
ec2c5e43 372 dns_zone_item_conflict(z);
3ef64445 373 }
ec2c5e43
LP		 374 t->block_gc--;
375
376 dns_transaction_gc(t);
377}
378
379void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
801ad6a6 380 DnsQueryCandidate *c;
ec2c5e43 381 DnsZoneItem *z;
547973de 382 DnsTransaction *d;
7cc6ed7b 383 const char *st;
202b76ae 384 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43
LP		 385
386 assert(t);
547973de 387 assert(!DNS_TRANSACTION_IS_LIVE(state));
e56187ca 388
202b76ae 389 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
42df9532 390 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
202b76ae 391
f61dfddb 392 log_struct(LOG_NOTICE,
2b044526 393 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
92663a5e
ZJS		 394 LOG_MESSAGE("DNSSEC validation failed for question %s: %s",
395 key_str, dnssec_result_to_string(t->answer_dnssec_result)),
f61dfddb 396 "DNS_TRANSACTION=%" PRIu16, t->id,
202b76ae 397 "DNS_QUESTION=%s", key_str,
f61dfddb 398 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
8aa5afd2 399 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
a1230ff9 400 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
202b76ae 401 }
f61dfddb 402
ec2c5e43
LP		 403 /* Note that this call might invalidate the query. Callers
404 * should hence not attempt to access the query or transaction
405 * after calling this function. */
406
7cc6ed7b
LP		 407 if (state == DNS_TRANSACTION_ERRNO)
408 st = errno_to_name(t->answer_errno);
409 else
410 st = dns_transaction_state_to_string(state);
411
43fc4baa 412 log_debug("%s transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s; %s).",
775ae354 413 t->bypass ? "Bypass" : "Regular",
a5784c49 414 t->id,
42df9532 415 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 416 dns_protocol_to_string(t->scope->protocol),
6ff79f76 417 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 418 af_to_name_short(t->scope->family),
7cc6ed7b 419 st,
a5784c49 420 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
775ae354 421 FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
43fc4baa
LP		 422 (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"),
423 FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential");
ec2c5e43
LP		 424
425 t->state = state;
426
80710ade 427 dns_transaction_close_connection(t, true);
f535705a 428 dns_transaction_stop_timeout(t);
ec2c5e43
LP		 429
430 /* Notify all queries that are interested, but make sure the
431 * transaction isn't freed while we are still looking at it */
432 t->block_gc++;
f7014757 433
35aa04e9 434 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
547973de 435 dns_query_candidate_notify(c);
35aa04e9 436 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
ec2c5e43 437
35aa04e9
LP		 438 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
439 dns_zone_item_notify(z);
440 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
8d67e72c 441 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
1a63fc54 442 (void) dns_scope_announce(t->scope, false);
f7014757 443
35aa04e9
LP		 444 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
445 dns_transaction_notify(d, t);
446 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
f7014757
LP		 447
448 t->block_gc--;
ec2c5e43
LP		 449 dns_transaction_gc(t);
450}
451
fd8a3017
LP		 452static void dns_transaction_complete_errno(DnsTransaction *t, int error) {
453 assert(t);
454 assert(error != 0);
455
456 t->answer_errno = abs(error);
457 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
458}
459
519ef046
LP		 460static int dns_transaction_pick_server(DnsTransaction *t) {
461 DnsServer *server;
462
463 assert(t);
464 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
465
d001e0a3
LP		 466 /* Pick a DNS server and a feature level for it. */
467
519ef046
LP		 468 server = dns_scope_get_dns_server(t->scope);
469 if (!server)
470 return -ESRCH;
471
d001e0a3
LP		 472 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
473 * different properties. */
4aa37ad3 474 if (server != t->server)
1ed4e584 475 t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
d001e0a3 476
274b8748 477 t->current_feature_level = dns_server_possible_feature_level(server);
519ef046 478
d001e0a3 479 /* Clamp the feature level if that is requested. */
1ed4e584
LP		 480 if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
481 t->current_feature_level > t->clamp_feature_level_servfail)
482 t->current_feature_level = t->clamp_feature_level_servfail;
d001e0a3
LP		 483
484 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
485
519ef046
LP		 486 if (server == t->server)
487 return 0;
488
489 dns_server_unref(t->server);
490 t->server = dns_server_ref(server);
491
b3a9d980 492 t->n_picked_servers++;
44db02d0 493
8aa5afd2 494 log_debug("Using DNS server %s for transaction %u.", strna(dns_server_string_full(t->server)), t->id);
d001e0a3 495
519ef046
LP		 496 return 1;
497}
498
d001e0a3 499static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
8d10d620
LP		 500 int r;
501
502 assert(t);
503
7ef863a7
LP		 504 /* Retries the transaction as it is, possibly on a different server */
505
ca55fb88 506 if (next_server && t->scope->protocol == DNS_PROTOCOL_DNS)
7ef863a7
LP		 507 log_debug("Retrying transaction %" PRIu16 ", after switching servers.", t->id);
508 else
509 log_debug("Retrying transaction %" PRIu16 ".", t->id);
8d10d620
LP		 510
511 /* Before we try again, switch to a new server. */
d001e0a3 512 if (next_server)
5e8bc852 513 dns_scope_next_dns_server(t->scope, t->server);
8d10d620
LP		 514
515 r = dns_transaction_go(t);
fd8a3017
LP		 516 if (r < 0)
517 dns_transaction_complete_errno(t, r);
8d10d620
LP		 518}
519
9147b591
LP		 520static bool dns_transaction_limited_retry(DnsTransaction *t) {
521 assert(t);
522
523 /* If we haven't tried all different servers yet, let's try again with a different server */
524
525 if (t->n_picked_servers >= dns_scope_get_n_dns_servers(t->scope))
526 return false;
527
528 dns_transaction_retry(t, /* next_server= */ true);
529 return true;
530}
531
c02cf2f4 532static int dns_transaction_maybe_restart(DnsTransaction *t) {
5278bbfe
LP		 533 int r;
534
c02cf2f4
LP		 535 assert(t);
536
9147b591
LP		 537 /* Restarts the transaction, under a new ID if the feature level of the server changed since we first
538 * tried, without changing DNS server. Returns > 0 if the transaction was restarted, 0 if not. */
5278bbfe 539
c02cf2f4
LP		 540 if (!t->server)
541 return 0;
542
543 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
544 return 0;
545
546 /* The server's current feature level is lower than when we sent the original query. We learnt something from
547 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
548 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
549 OPT RR or DO bit. One of these cases is documented here, for example:
550 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
551
4dd15077
LP		 552 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
553 dns_transaction_shuffle_id(t);
5278bbfe
LP		 554
555 r = dns_transaction_go(t);
556 if (r < 0)
557 return r;
558
559 return 1;
c02cf2f4
LP		 560}
561
98767d75
IT		 562static void on_transaction_stream_error(DnsTransaction *t, int error) {
563 assert(t);
ec2c5e43 564
80710ade 565 dns_transaction_close_connection(t, true);
ec2c5e43 566
a1a3f73a 567 if (ERRNO_IS_DISCONNECT(error)) {
0791110f
LP		 568 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
569 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
570 * question on this scope. */
571 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
daab72ea 572 return;
0791110f
LP		 573 }
574
d001e0a3 575 dns_transaction_retry(t, true);
daab72ea 576 return;
ac720200 577 }
fd8a3017
LP		 578 if (error != 0)
579 dns_transaction_complete_errno(t, error);
98767d75
IT		 580}
581
43fc4baa
LP		 582static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsStream *s, DnsPacket *p) {
583 bool encrypted;
584
98767d75 585 assert(t);
43fc4baa 586 assert(s);
98767d75
IT		 587 assert(p);
588
43fc4baa
LP		 589 encrypted = s->encrypted;
590
80710ade 591 dns_transaction_close_connection(t, true);
ec2c5e43 592
a4076574 593 if (dns_packet_validate_reply(p) <= 0) {
a20b9592 594 log_debug("Invalid TCP reply packet.");
a4076574
LP		 595 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
596 return 0;
597 }
598
599 dns_scope_check_conflicts(t->scope, p);
600
ec2c5e43 601 t->block_gc++;
43fc4baa 602 dns_transaction_process_reply(t, p, encrypted);
ec2c5e43
LP		 603 t->block_gc--;
604
519ef046
LP		 605 /* If the response wasn't useful, then complete the transition
606 * now. After all, we are the worst feature set now with TCP
607 * sockets, and there's really no point in retrying. */
ec2c5e43
LP		 608 if (t->state == DNS_TRANSACTION_PENDING)
609 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
598f44bd
LP		 610 else
611 dns_transaction_gc(t);
ec2c5e43
LP		 612
613 return 0;
614}
615
98767d75 616static int on_stream_complete(DnsStream *s, int error) {
7172e4ee 617 assert(s);
98767d75
IT		 618
619 if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
98767d75
IT		 620 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
621
622 if (s->transactions) {
97d5d905
LP		 623 DnsTransaction *t;
624
98767d75 625 t = s->transactions;
3da3cdd5 626 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
98767d75
IT		 627 }
628 }
629
03677889 630 if (error != 0)
80a226b2 631 LIST_FOREACH(transactions_by_stream, t, s->transactions)
98767d75 632 on_transaction_stream_error(t, error);
98767d75 633
97d5d905 634 return 0;
98767d75
IT		 635}
636
624f907e 637static int on_stream_packet(DnsStream *s, DnsPacket *p) {
98767d75
IT		 638 DnsTransaction *t;
639
aa337a5e 640 assert(s);
624f907e
YW		 641 assert(s->manager);
642 assert(p);
98767d75
IT		 643
644 t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
b52eac20
LP		 645 if (t && t->stream == s) /* Validate that the stream we got this on actually is the stream the
646 * transaction was using. */
43fc4baa 647 return dns_transaction_on_stream_packet(t, s, p);
98767d75 648
8227cfa1 649 /* Ignore incorrect transaction id as an old transaction can have been canceled. */
30f9e0bf 650 log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
aa337a5e 651 return 0;
98767d75
IT		 652}
653
da9de738 654static uint16_t dns_transaction_port(DnsTransaction *t) {
775ae354
LP		 655 assert(t);
656
da9de738
YW		 657 if (t->server->port > 0)
658 return t->server->port;
775ae354 659
da9de738 660 return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
ec962fba
LP		 661}
662
98767d75 663static int dns_transaction_emit_tcp(DnsTransaction *t) {
e1158539 664 usec_t stream_timeout_usec = DNS_STREAM_DEFAULT_TIMEOUT_USEC;
98767d75 665 _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
254d1313 666 _cleanup_close_ int fd = -EBADF;
91ccab1e 667 union sockaddr_union sa;
652ba568 668 DnsStreamType type;
ec2c5e43
LP		 669 int r;
670
671 assert(t);
775ae354 672 assert(t->sent);
ec2c5e43 673
80710ade 674 dns_transaction_close_connection(t, true);
ec2c5e43 675
106784eb 676 switch (t->scope->protocol) {
519ef046 677
106784eb 678 case DNS_PROTOCOL_DNS:
519ef046
LP		 679 r = dns_transaction_pick_server(t);
680 if (r < 0)
681 return r;
682
49ef064c
LP		 683 if (manager_server_is_stub(t->scope->manager, t->server))
684 return -ELOOP;
685
775ae354
LP		 686 if (!t->bypass) {
687 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
688 return -EOPNOTSUPP;
91adc4db 689
775ae354
LP		 690 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
691 if (r < 0)
692 return r;
693 }
519ef046 694
5d67a7ae 695 if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
98767d75
IT		 696 s = dns_stream_ref(t->server->stream);
697 else
da9de738 698 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_transaction_port(t), &sa);
98767d75 699
e1158539
LP		 700 /* Lower timeout in DNS-over-TLS opportunistic mode. In environments where DoT is blocked
701 * without ICMP response overly long delays when contacting DoT servers are nasty, in
702 * particular if multiple DNS servers are defined which we try in turn and all are
703 * blocked. Hence, substantially lower the timeout in that case. */
704 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) &&
705 dns_server_get_dns_over_tls_mode(t->server) == DNS_OVER_TLS_OPPORTUNISTIC)
706 stream_timeout_usec = DNS_STREAM_OPPORTUNISTIC_TLS_TIMEOUT_USEC;
707
652ba568 708 type = DNS_STREAM_LOOKUP;
106784eb 709 break;
ec2c5e43 710
106784eb 711 case DNS_PROTOCOL_LLMNR:
a8f6397f 712 /* When we already received a reply to this (but it was truncated), send to its sender address */
ec2c5e43 713 if (t->received)
91ccab1e 714 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
ec2c5e43
LP		 715 else {
716 union in_addr_union address;
a7f7d1bd 717 int family = AF_UNSPEC;
ec2c5e43
LP		 718
719 /* Otherwise, try to talk to the owner of a
720 * the IP address, in case this is a reverse
721 * PTR lookup */
f52e61da 722
42df9532 723 r = dns_name_address(dns_resource_key_name(dns_transaction_key(t)), &family, &address);
ec2c5e43
LP		 724 if (r < 0)
725 return r;
726 if (r == 0)
727 return -EINVAL;
9e08a6e0 728 if (family != t->scope->family)
9318cdd3 729 return -ESRCH;
ec2c5e43 730
91ccab1e 731 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
ec2c5e43 732 }
106784eb 733
652ba568 734 type = DNS_STREAM_LLMNR_SEND;
106784eb
DM		 735 break;
736
737 default:
ec2c5e43 738 return -EAFNOSUPPORT;
106784eb 739 }
ec2c5e43 740
98767d75
IT		 741 if (!s) {
742 if (fd < 0)
743 return fd;
ec2c5e43 744
18230451
YW		 745 r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa,
746 on_stream_packet, on_stream_complete, stream_timeout_usec);
98767d75
IT		 747 if (r < 0)
748 return r;
749
254d1313 750 fd = -EBADF;
98767d75 751
56ddbf10 752#if ENABLE_DNS_OVER_TLS
199dda9c
LP		 753 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
754 DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
755
b02a7e1a 756 assert(t->server);
6016fcb0 757 r = dnstls_stream_connect_tls(s, t->server);
5d67a7ae
IT		 758 if (r < 0)
759 return r;
760 }
761#endif
762
19feb28f 763 if (t->server) {
904dcaf9 764 dns_server_unref_stream(t->server);
19feb28f 765 s->server = dns_server_ref(t->server);
8227cfa1 766 t->server->stream = dns_stream_ref(s);
19feb28f
IT		 767 }
768
98767d75
IT		 769 /* The interface index is difficult to determine if we are
770 * connecting to the local host, hence fill this in right away
771 * instead of determining it from the socket */
772 s->ifindex = dns_scope_ifindex(t->scope);
773 }
774
775 t->stream = TAKE_PTR(s);
776 LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
ec2c5e43
LP		 777
778 r = dns_stream_write_packet(t->stream, t->sent);
779 if (r < 0) {
80710ade 780 dns_transaction_close_connection(t, /* use_graveyard= */ false);
ec2c5e43
LP		 781 return r;
782 }
783
519ef046
LP		 784 dns_transaction_reset_answer(t);
785
cbe4216d
LP		 786 t->tried_stream = true;
787
ec2c5e43
LP		 788 return 0;
789}
790
547973de 791static void dns_transaction_cache_answer(DnsTransaction *t) {
547973de
LP		 792 assert(t);
793
794 /* For mDNS we cache whenever we get the packet, rather than
795 * in each transaction. */
796 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
797 return;
798
ceeddf79 799 /* Caching disabled? */
37d7a7d9 800 if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO)
ceeddf79
MP		 801 return;
802
775ae354
LP		 803 /* If validation is turned off for this transaction, but DNSSEC is on, then let's not cache this */
804 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) && t->scope->dnssec_mode != DNSSEC_NO)
805 return;
806
6d8325f6
PS		 807 /* Packet from localhost? */
808 if (!t->scope->manager->cache_from_localhost &&
809 in_addr_is_localhost(t->received->family, &t->received->sender) != 0)
547973de
LP		 810 return;
811
547973de 812 dns_cache_put(&t->scope->cache,
37d7a7d9 813 t->scope->manager->enable_cache,
a78049fc 814 t->scope->protocol,
42df9532 815 dns_transaction_key(t),
547973de
LP		 816 t->answer_rcode,
817 t->answer,
775ae354 818 DNS_PACKET_CD(t->received) ? t->received : NULL, /* only cache full packets with CD on,
7227dd81 819 * since our use case for caching them
775ae354
LP		 820 * is "bypass" mode which is only
821 * enabled for CD packets. */
6f055e43 822 t->answer_query_flags,
775ae354 823 t->answer_dnssec_result,
d3760be0 824 t->answer_nsec_ttl,
547973de 825 t->received->family,
5ed91481
KV		 826 &t->received->sender,
827 t->scope->manager->stale_retention_usec);
547973de
LP		 828}
829
105e1512
LP		 830static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
831 DnsTransaction *dt;
105e1512
LP		 832
833 assert(t);
834
90e74a66 835 SET_FOREACH(dt, t->dnssec_transactions)
105e1512
LP		 836 if (DNS_TRANSACTION_IS_LIVE(dt->state))
837 return true;
838
839 return false;
840}
841
942eb2e7
LP		 842static int dns_transaction_dnssec_ready(DnsTransaction *t) {
843 DnsTransaction *dt;
e30a62bf 844 int r;
942eb2e7
LP		 845
846 assert(t);
847
848 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
849 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
850
90e74a66 851 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 852
853 switch (dt->state) {
854
855 case DNS_TRANSACTION_NULL:
856 case DNS_TRANSACTION_PENDING:
857 case DNS_TRANSACTION_VALIDATING:
858 /* Still ongoing */
859 return 0;
860
861 case DNS_TRANSACTION_RCODE_FAILURE:
b3c6b00a 862 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
0d609349 863 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", FORMAT_DNS_RCODE(dt->answer_rcode));
942eb2e7
LP		 864 goto fail;
865 }
866
b3c6b00a 867 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
5238e957 868 * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
b3c6b00a
LP		 869 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
870 * RRs to make unsigned proofs. */
942eb2e7
LP		 871
872 case DNS_TRANSACTION_SUCCESS:
873 /* All good. */
874 break;
875
876 case DNS_TRANSACTION_DNSSEC_FAILED:
877 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
e30a62bf 878 * validation result */
942eb2e7
LP		 879
880 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
881 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
882 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
883 return 0;
884
942eb2e7
LP		 885 default:
886 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
887 goto fail;
888 }
889 }
890
891 /* All is ready, we can go and validate */
892 return 1;
893
894fail:
e30a62bf
LP		 895 /* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
896 * server due to this failure, and the feature level is now different? Let's see and restart the
897 * transaction if so. If not, let's propagate the auxiliary failure.
898 *
899 * This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
900 * are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
901 r = dns_transaction_maybe_restart(t);
902 if (r < 0)
903 return r;
904 if (r > 0)
905 return 0; /* don't validate just yet, we restarted things */
906
942eb2e7
LP		 907 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
908 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
909 return 0;
910}
911
547973de
LP		 912static void dns_transaction_process_dnssec(DnsTransaction *t) {
913 int r;
914
915 assert(t);
916
917 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
942eb2e7 918 r = dns_transaction_dnssec_ready(t);
7cc6ed7b
LP		 919 if (r < 0)
920 goto fail;
942eb2e7 921 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
547973de
LP		 922 return;
923
c02cf2f4
LP		 924 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
925 * restart the lookup immediately. */
926 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 927 if (r < 0)
928 goto fail;
c02cf2f4
LP		 929 if (r > 0) /* Transaction got restarted... */
930 return;
931
547973de
LP		 932 /* All our auxiliary DNSSEC transactions are complete now. Try
933 * to validate our RRset now. */
934 r = dns_transaction_validate_dnssec(t);
fcfaff12
LP		 935 if (r == -EBADMSG) {
936 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
937 return;
938 }
7cc6ed7b
LP		 939 if (r < 0)
940 goto fail;
547973de 941
b652d4a2
LP		 942 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
943 t->scope->dnssec_mode == DNSSEC_YES) {
e82b1132
LP		 944
945 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
946 * that works. */
947
9147b591 948 if (dns_transaction_limited_retry(t))
e82b1132 949 return;
e82b1132
LP		 950
951 /* OK, let's give up, apparently all servers we tried didn't work. */
b652d4a2
LP		 952 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
953 return;
954 }
955
019036a4 956 if (!IN_SET(t->answer_dnssec_result,
b652d4a2
LP		 957 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
958 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
959 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
960 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
547973de
LP		 961 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
962 return;
963 }
964
1e02e182
LP		 965 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
966 dns_server_warn_downgrade(t->server);
967
547973de
LP		 968 dns_transaction_cache_answer(t);
969
970 if (t->answer_rcode == DNS_RCODE_SUCCESS)
971 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
972 else
3bbdc31d 973 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
7cc6ed7b
LP		 974
975 return;
976
977fail:
fd8a3017 978 dns_transaction_complete_errno(t, r);
547973de
LP		 979}
980
eac7cda2
LP		 981static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
982 int r;
983
984 assert(t);
985
986 /* Checks whether the answer is positive, i.e. either a direct
987 * answer to the question, or a CNAME/DNAME for it */
988
42df9532 989 r = dns_answer_match_key(t->answer, dns_transaction_key(t), flags);
eac7cda2
LP		 990 if (r != 0)
991 return r;
992
42df9532 993 r = dns_answer_find_cname_or_dname(t->answer, dns_transaction_key(t), NULL, flags);
eac7cda2
LP		 994 if (r != 0)
995 return r;
996
997 return false;
998}
999
1000static int dns_transaction_fix_rcode(DnsTransaction *t) {
1001 int r;
1002
1003 assert(t);
1004
1005 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
1006 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
1007 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
1008 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
1009 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
1010 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
1011 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
1012 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
1013 * incomplete CNAME/DNAME chain.
1014 *
1015 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
1016 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
1017 * lookup. */
1018
1019 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
1020 return 0;
1021
1022 r = dns_transaction_has_positive_answer(t, NULL);
1023 if (r <= 0)
1024 return r;
1025
1026 t->answer_rcode = DNS_RCODE_SUCCESS;
1027 return 0;
1028}
1029
43fc4baa 1030void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypted) {
acbf761b 1031 bool retry_with_tcp = false;
ec2c5e43
LP		 1032 int r;
1033
1034 assert(t);
1035 assert(p);
9df3ba6c
TG		 1036 assert(t->scope);
1037 assert(t->scope->manager);
ec2c5e43 1038
5a7e41a3
LP		 1039 if (t->state != DNS_TRANSACTION_PENDING)
1040 return;
1041
bc837621
KV		 1042 /* Increment the total failure counter only when it is the first attempt at querying and the upstream
1043 * server returns a failure response code. This ensures a more accurate count of the number of queries
1044 * that received a failure response code, as it doesn't consider retries. */
1045
1046 if (t->n_attempts == 1 && !IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
1047 t->scope->manager->n_failure_responses_total++;
1048
ec2c5e43
LP		 1049 /* Note that this call might invalidate the query. Callers
1050 * should hence not attempt to access the query or transaction
1051 * after calling this function. */
1052
f7155840
LP		 1053 log_debug("Processing incoming packet of size %zu on transaction %" PRIu16" (rcode=%s).",
1054 p->size,
0d609349 1055 t->id, FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
b5efcf29 1056
106784eb 1057 switch (t->scope->protocol) {
b5efcf29 1058
106784eb 1059 case DNS_PROTOCOL_LLMNR:
97ebebbc 1060 /* For LLMNR we will not accept any packets from other interfaces */
ec2c5e43 1061
97ebebbc 1062 if (p->ifindex != dns_scope_ifindex(t->scope))
ec2c5e43
LP		 1063 return;
1064
1065 if (p->family != t->scope->family)
1066 return;
1067
1068 /* Tentative packets are not full responses but still
1069 * useful for identifying uniqueness conflicts during
1070 * probing. */
8b757a38 1071 if (DNS_PACKET_LLMNR_T(p)) {
ec2c5e43
LP		 1072 dns_transaction_tentative(t, p);
1073 return;
1074 }
106784eb
DM		 1075
1076 break;
1077
4e5bf5e1 1078 case DNS_PROTOCOL_MDNS:
4e5bf5e1 1079 /* For mDNS we will not accept any packets from other interfaces */
97ebebbc
LP		 1080
1081 if (p->ifindex != dns_scope_ifindex(t->scope))
4e5bf5e1
DM		 1082 return;
1083
1084 if (p->family != t->scope->family)
1085 return;
1086
1087 break;
1088
106784eb 1089 case DNS_PROTOCOL_DNS:
8ad182a1
LP		 1090 /* Note that we do not need to verify the
1091 * addresses/port numbers of incoming traffic, as we
1092 * invoked connect() on our UDP socket in which case
1093 * the kernel already does the needed verification for
1094 * us. */
106784eb
DM		 1095 break;
1096
1097 default:
04499a70 1098 assert_not_reached();
ec2c5e43
LP		 1099 }
1100
899e3cda
ZJS		 1101 if (t->received != p)
1102 DNS_PACKET_REPLACE(t->received, dns_packet_ref(p));
ec2c5e43 1103
c3bc53e6
LP		 1104 t->answer_source = DNS_TRANSACTION_NETWORK;
1105
ec2c5e43
LP		 1106 if (p->ipproto == IPPROTO_TCP) {
1107 if (DNS_PACKET_TC(p)) {
1108 /* Truncated via TCP? Somebody must be fucking with us */
1109 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1110 return;
1111 }
1112
1113 if (DNS_PACKET_ID(p) != t->id) {
1114 /* Not the reply to our query? Somebody must be fucking with us */
1115 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1116 return;
1117 }
1118 }
1119
9df3ba6c 1120 switch (t->scope->protocol) {
8af5b883 1121
9df3ba6c
TG		 1122 case DNS_PROTOCOL_DNS:
1123 assert(t->server);
1124
775ae354
LP		 1125 if (!t->bypass &&
1126 IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
4e0b8b17 1127
8af5b883 1128 /* Request failed, immediately try again with reduced features */
4e0b8b17 1129
7d581a65 1130 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
44db02d0 1131
7d581a65 1132 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
44db02d0
LP		 1133 * this transaction anymore, but let's see if it might make sense to send the request
1134 * to a different DNS server instead. If not let's process the response, and accept the
7d581a65
LP		 1135 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
1136 * packet loss, but is not going to give us better rcodes should we actually have
1137 * managed to get them already at UDP level. */
1138
9147b591 1139 if (dns_transaction_limited_retry(t))
44db02d0 1140 return;
44db02d0
LP		 1141
1142 /* Give up, accept the rcode */
0d609349 1143 log_debug("Server returned error: %s", FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
d001e0a3
LP		 1144 break;
1145 }
1146
8a33aa19
SS		 1147 /* SERVFAIL can happen for many reasons and may be transient.
1148 * To avoid unnecessary downgrades retry once with the initial level.
1149 * Check for clamp_feature_level_servfail having an invalid value as a sign that this is the
1150 * first attempt to downgrade. If so, clamp to the current value so that the transaction
1151 * is retried without actually downgrading. If the next try also fails we will downgrade by
1152 * hitting the else branch below. */
1153 if (DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL &&
1154 t->clamp_feature_level_servfail < 0) {
1155 t->clamp_feature_level_servfail = t->current_feature_level;
1156 log_debug("Server returned error %s, retrying transaction.",
0d609349 1157 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
8a33aa19
SS		 1158 } else {
1159 /* Reduce this feature level by one and try again. */
1160 switch (t->current_feature_level) {
1161 case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1162 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
1163 break;
1164 case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1165 /* Skip plain TLS when TLS is not supported */
1166 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
1167 break;
1168 default:
1169 t->clamp_feature_level_servfail = t->current_feature_level - 1;
1170 }
1171
1172 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
0d609349 1173 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
8a33aa19 1174 dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
5d67a7ae 1175 }
d001e0a3 1176
d001e0a3 1177 dns_transaction_retry(t, false /* use the same server */);
4e0b8b17 1178 return;
eb08640a
LP		 1179 }
1180
1181 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
1182 /* This server refused our request? If so, try again, use a different server */
1183 log_debug("Server returned REFUSED, switching servers, and retrying.");
9147b591
LP		 1184
1185 if (dns_transaction_limited_retry(t))
1186 return;
1187
1188 break;
eb08640a
LP		 1189 }
1190
1191 if (DNS_PACKET_TC(p))
274b8748 1192 dns_server_packet_truncated(t->server, t->current_feature_level);
9df3ba6c
TG		 1193
1194 break;
8af5b883 1195
9df3ba6c
TG		 1196 case DNS_PROTOCOL_LLMNR:
1197 case DNS_PROTOCOL_MDNS:
5777c613 1198 dns_scope_packet_received(t->scope, p->timestamp - t->start_usec);
9df3ba6c 1199 break;
8af5b883 1200
9df3ba6c 1201 default:
04499a70 1202 assert_not_reached();
9df3ba6c
TG		 1203 }
1204
ec2c5e43 1205 if (DNS_PACKET_TC(p)) {
547493c5
DM		 1206
1207 /* Truncated packets for mDNS are not allowed. Give up immediately. */
1208 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
1209 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1210 return;
1211 }
1212
acbf761b 1213 /* Response was truncated, let's try again with good old TCP */
f757cd85 1214 log_debug("Reply truncated, retrying via TCP.");
acbf761b 1215 retry_with_tcp = true;
f757cd85 1216
acbf761b
LP		 1217 } else if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1218 DNS_PACKET_IS_FRAGMENTED(p)) {
1219
1220 /* Report the fragment size, so that we downgrade from LARGE to regular EDNS0 if needed */
1221 if (t->server)
1222 dns_server_packet_udp_fragmented(t->server, dns_packet_size_unfragmented(p));
1223
1224 if (t->current_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
1225 /* Packet was fragmented. Let's retry with TCP to avoid fragmentation attack
1226 * issues. (We don't do that on the lowest feature level however, since crappy DNS
1227 * servers often do not implement TCP, hence falling back to TCP on fragmentation is
1228 * counter-productive there.) */
1229
f7155840
LP		 1230 log_debug("Reply fragmented, retrying via TCP. (Largest fragment size: %zu; Datagram size: %zu)",
1231 p->fragsize, p->size);
acbf761b
LP		 1232 retry_with_tcp = true;
1233 }
1234 }
1235
1236 if (retry_with_tcp) {
98767d75 1237 r = dns_transaction_emit_tcp(t);
ec2c5e43
LP		 1238 if (r == -ESRCH) {
1239 /* No servers found? Damn! */
1240 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1241 return;
1242 }
91adc4db
LP		 1243 if (r == -EOPNOTSUPP) {
1244 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1245 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1246 return;
1247 }
ec2c5e43 1248 if (r < 0) {
8af5b883 1249 /* On LLMNR, if we cannot connect to the host,
ec2c5e43 1250 * we immediately give up */
7cc6ed7b
LP		 1251 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1252 goto fail;
ec2c5e43
LP		 1253
1254 /* On DNS, couldn't send? Try immediately again, with a new server */
9147b591
LP		 1255 if (dns_transaction_limited_retry(t))
1256 return;
1257
1258 /* No new server to try, give up */
1259 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
ec2c5e43 1260 }
2a6658ef
LP		 1261
1262 return;
ec2c5e43
LP		 1263 }
1264
de54e62b 1265 /* After the superficial checks, actually parse the message. */
ec2c5e43
LP		 1266 r = dns_packet_extract(p);
1267 if (r < 0) {
2c42a217
LP		 1268 if (t->server) {
1269 dns_server_packet_invalid(t->server, t->current_feature_level);
1270
1271 r = dns_transaction_maybe_restart(t);
1272 if (r < 0)
1273 goto fail;
1274 if (r > 0) /* Transaction got restarted... */
1275 return;
1276 }
1277
ec2c5e43
LP		 1278 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1279 return;
1280 }
1281
ed9717fc 1282 if (t->server) {
d001e0a3
LP		 1283 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1284 * rcode and subsequently downgraded the protocol */
1285
1286 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1ed4e584
LP		 1287 t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1288 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
d001e0a3
LP		 1289
1290 /* Report that the OPT RR was missing */
ed9717fc
LP		 1291 if (!p->opt)
1292 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1293
d96275d8
LP		 1294 /* Report that the server didn't copy our query DO bit from request to response */
1295 if (DNS_PACKET_DO(t->sent) && !DNS_PACKET_DO(t->received))
1296 dns_server_packet_do_off(t->server, t->current_feature_level);
1297
acbf761b
LP		 1298 /* Report that we successfully received a packet. We keep track of the largest packet
1299 * size/fragment size we got. Which is useful for announcing the EDNS(0) packet size we can
1300 * receive to our server. */
1301 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, dns_packet_size_unfragmented(p));
ed9717fc 1302 }
de54e62b 1303
c02cf2f4
LP		 1304 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1305 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 1306 if (r < 0)
1307 goto fail;
c02cf2f4
LP		 1308 if (r > 0) /* Transaction got restarted... */
1309 return;
1310
8facd1ce
LP		 1311 /* When dealing with protocols other than mDNS only consider responses with equivalent query section
1312 * to the request. For mDNS this check doesn't make sense, because the section 6 of RFC6762 states
1313 * that "Multicast DNS responses MUST NOT contain any questions in the Question Section". */
1314 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
42df9532 1315 r = dns_packet_is_reply_for(p, dns_transaction_key(t));
8facd1ce
LP		 1316 if (r < 0)
1317 goto fail;
1318 if (r == 0) {
1319 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1320 return;
547493c5 1321 }
8facd1ce 1322 }
29815b6c 1323
775ae354
LP		 1324 /* Install the answer as answer to the transaction. We ref the answer twice here: the main `answer`
1325 * field is later replaced by the DNSSEC validated subset. The 'answer_auxiliary' field carries the
1326 * original complete record set, including RRSIG and friends. We use this when passing data to
1327 * clients that ask for DNSSEC metadata. */
1117a960 1328 DNS_ANSWER_REPLACE(t->answer, dns_answer_ref(p->answer));
8facd1ce
LP		 1329 t->answer_rcode = DNS_PACKET_RCODE(p);
1330 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
6f055e43 1331 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1332 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, encrypted);
79e24931 1333
8facd1ce
LP		 1334 r = dns_transaction_fix_rcode(t);
1335 if (r < 0)
1336 goto fail;
eac7cda2 1337
8facd1ce
LP		 1338 /* Block GC while starting requests for additional DNSSEC RRs */
1339 t->block_gc++;
1340 r = dns_transaction_request_dnssec_keys(t);
1341 t->block_gc--;
51e399bc 1342
8facd1ce
LP		 1343 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1344 if (!dns_transaction_gc(t))
1345 return;
51e399bc 1346
8facd1ce
LP		 1347 /* Requesting additional keys might have resulted in this transaction to fail, since the auxiliary
1348 * request failed for some reason. If so, we are not in pending state anymore, and we should exit
1349 * quickly. */
1350 if (t->state != DNS_TRANSACTION_PENDING)
1351 return;
1352 if (r < 0)
1353 goto fail;
1354 if (r > 0) {
1355 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1356 t->state = DNS_TRANSACTION_VALIDATING;
80710ade 1357 dns_transaction_close_connection(t, true);
8facd1ce
LP		 1358 dns_transaction_stop_timeout(t);
1359 return;
547493c5 1360 }
ec2c5e43 1361
547973de 1362 dns_transaction_process_dnssec(t);
7cc6ed7b
LP		 1363 return;
1364
1365fail:
fd8a3017 1366 dns_transaction_complete_errno(t, r);
ec2c5e43
LP		 1367}
1368
c19ffd9f
TG		 1369static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1370 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
99534007 1371 DnsTransaction *t = ASSERT_PTR(userdata);
c19ffd9f
TG		 1372 int r;
1373
c19ffd9f
TG		 1374 assert(t->scope);
1375
1376 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
0bdea17c
DL		 1377 if (r < 0) {
1378 if (ERRNO_IS_DISCONNECT(r)) {
1379 usec_t usec;
7e1851e3 1380
0bdea17c
DL		 1381 /* UDP connection failures get reported via ICMP and then are possibly delivered to us on the
1382 * next recvmsg(). Treat this like a lost packet. */
7e1851e3 1383
0bdea17c
DL		 1384 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
1385 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &usec) >= 0);
1386 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
d68dbb37 1387
0bdea17c 1388 dns_transaction_close_connection(t, /* use_graveyard = */ false);
9147b591 1389
0bdea17c
DL		 1390 if (dns_transaction_limited_retry(t)) /* Try a different server */
1391 return 0;
1392 }
fd8a3017 1393 dns_transaction_complete_errno(t, r);
7e1851e3
LP		 1394 return 0;
1395 }
f731fd5b
ZJS		 1396 if (r == 0)
1397 /* Spurious wakeup without any data */
1398 return 0;
7e1851e3
LP		 1399
1400 r = dns_packet_validate_reply(p);
1401 if (r < 0) {
1402 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1403 return 0;
1404 }
1405 if (r == 0) {
e09f605e 1406 log_debug("Received inappropriate DNS packet as response, ignoring.");
7e1851e3
LP		 1407 return 0;
1408 }
1409
1410 if (DNS_PACKET_ID(p) != t->id) {
e09f605e 1411 log_debug("Received packet with incorrect transaction ID, ignoring.");
7e1851e3
LP		 1412 return 0;
1413 }
c19ffd9f 1414
43fc4baa 1415 dns_transaction_process_reply(t, p, false);
c19ffd9f
TG		 1416 return 0;
1417}
1418
49cce12d 1419static int dns_transaction_emit_udp(DnsTransaction *t) {
c19ffd9f
TG		 1420 int r;
1421
1422 assert(t);
c19ffd9f 1423
519ef046 1424 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
c19ffd9f 1425
519ef046 1426 r = dns_transaction_pick_server(t);
471d40d9
TG		 1427 if (r < 0)
1428 return r;
c19ffd9f 1429
49ef064c
LP		 1430 if (manager_server_is_stub(t->scope->manager, t->server))
1431 return -ELOOP;
1432
5d67a7ae 1433 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
7d581a65 1434 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
519ef046 1435
775ae354 1436 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
91adc4db
LP		 1437 return -EOPNOTSUPP;
1438
519ef046
LP		 1439 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1440 int fd;
1441
80710ade
LP		 1442 dns_transaction_close_connection(t, true);
1443
1444 /* Before we allocate a new UDP socket, let's process the graveyard a bit to free some fds */
1445 manager_socket_graveyard_process(t->scope->manager);
c19ffd9f 1446
da9de738 1447 fd = dns_scope_socket_udp(t->scope, t->server);
519ef046
LP		 1448 if (fd < 0)
1449 return fd;
1450
1451 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1452 if (r < 0) {
1453 safe_close(fd);
1454 return r;
1455 }
1456
aa4a9deb 1457 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
519ef046
LP		 1458 t->dns_udp_fd = fd;
1459 }
1460
775ae354
LP		 1461 if (!t->bypass) {
1462 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1463 if (r < 0)
1464 return r;
1465 }
519ef046 1466 } else
80710ade 1467 dns_transaction_close_connection(t, true);
519ef046 1468
d79677ab 1469 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->server ? t->server->family : AF_UNSPEC, t->sent);
471d40d9
TG		 1470 if (r < 0)
1471 return r;
c19ffd9f 1472
519ef046 1473 dns_transaction_reset_answer(t);
be808ea0 1474
471d40d9 1475 return 0;
c19ffd9f
TG		 1476}
1477
ec2c5e43 1478static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
99534007 1479 DnsTransaction *t = ASSERT_PTR(userdata);
ec2c5e43
LP		 1480
1481 assert(s);
ec2c5e43 1482
bc837621
KV		 1483 t->seen_timeout = true;
1484
213cb4f7
LP		 1485 if (t->initial_jitter_scheduled && !t->initial_jitter_elapsed) {
1486 log_debug("Initial jitter phase for transaction %" PRIu16 " elapsed.", t->id);
1487 t->initial_jitter_elapsed = true;
1488 } else {
ef7ce6df
DM		 1489 /* Timeout reached? Increase the timeout for the server used */
1490 switch (t->scope->protocol) {
49cce12d 1491
ef7ce6df
DM		 1492 case DNS_PROTOCOL_DNS:
1493 assert(t->server);
3da3cdd5 1494 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
ef7ce6df 1495 break;
49cce12d 1496
ef7ce6df
DM		 1497 case DNS_PROTOCOL_LLMNR:
1498 case DNS_PROTOCOL_MDNS:
1499 dns_scope_packet_lost(t->scope, usec - t->start_usec);
ef7ce6df 1500 break;
49cce12d 1501
ef7ce6df 1502 default:
04499a70 1503 assert_not_reached();
ef7ce6df
DM		 1504 }
1505
213cb4f7 1506 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
be808ea0
TG		 1507 }
1508
213cb4f7
LP		 1509 dns_transaction_retry(t, /* next_server= */ true); /* try a different server, but given this means
1510 * packet loss, let's do so even if we already
1511 * tried a bunch */
ec2c5e43
LP		 1512 return 0;
1513}
1514
87b91644
YW		 1515static int dns_transaction_setup_timeout(
1516 DnsTransaction *t,
1517 usec_t timeout_usec /* relative */,
1518 usec_t next_usec /* CLOCK_BOOTTIME */) {
1519
1520 int r;
1521
1522 assert(t);
1523
1524 dns_transaction_stop_timeout(t);
1525
1526 r = sd_event_add_time_relative(
1527 t->scope->manager->event,
1528 &t->timeout_event_source,
1529 CLOCK_BOOTTIME,
1530 timeout_usec, 0,
1531 on_transaction_timeout, t);
1532 if (r < 0)
1533 return r;
1534
1535 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1536
1537 t->next_attempt_after = next_usec;
1538 t->state = DNS_TRANSACTION_PENDING;
1539 return 0;
1540}
1541
9df3ba6c
TG		 1542static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1543 assert(t);
1544 assert(t->scope);
1545
1546 switch (t->scope->protocol) {
49cce12d 1547
9df3ba6c 1548 case DNS_PROTOCOL_DNS:
dc349f5f
LP		 1549
1550 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1551 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1552 * needlessly. */
1553 if (t->stream)
1554 return TRANSACTION_TCP_TIMEOUT_USEC;
1555
dbc4661a 1556 return DNS_TIMEOUT_USEC;
49cce12d 1557
9df3ba6c 1558 case DNS_PROTOCOL_MDNS:
53fda2bb
DR		 1559 if (t->probing)
1560 return MDNS_PROBING_INTERVAL_USEC;
4b2ceb8a
YW		 1561
1562 /* See RFC 6762 Section 5.1 suggests that timeout should be a few seconds. */
1563 assert(t->n_attempts > 0);
1564 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
49cce12d 1565
11a27c2e 1566 case DNS_PROTOCOL_LLMNR:
9df3ba6c 1567 return t->scope->resend_timeout;
49cce12d 1568
9df3ba6c 1569 default:
04499a70 1570 assert_not_reached();
9df3ba6c
TG		 1571 }
1572}
1573
3f0a7b3a
LP		 1574static void dns_transaction_randomize_answer(DnsTransaction *t) {
1575 int r;
1576
1577 assert(t);
1578
1579 /* Randomizes the order of the answer array. This is done for all cached responses, so that we return
1580 * a different order each time. We do this only for DNS traffic, in order to do some minimal, crappy
1581 * load balancing. We don't do this for LLMNR or mDNS, since the order (preferring link-local
1582 * addresses, and such like) might have meaning there, and load balancing is pointless. */
1583
1584 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1585 return;
1586
1587 /* No point in randomizing, if there's just one RR */
1588 if (dns_answer_size(t->answer) <= 1)
1589 return;
1590
1591 r = dns_answer_reserve_or_clone(&t->answer, 0);
1592 if (r < 0) /* If this fails, just don't randomize, this is non-essential stuff after all */
1593 return (void) log_debug_errno(r, "Failed to clone answer record, not randomizing RR order of answer: %m");
1594
1595 dns_answer_randomize(t->answer);
1596}
1597
c842ff24 1598static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
ec2c5e43
LP		 1599 int r;
1600
1601 assert(t);
1602
4ea8b443
ZJS		 1603 /* Returns 0 if dns_transaction_complete() has been called. In that case the transaction and query
1604 * candidate objects may have been invalidated and must not be accessed. Returns 1 if the transaction
1605 * has been prepared. */
1606
f535705a 1607 dns_transaction_stop_timeout(t);
ec2c5e43 1608
bc837621
KV		 1609 if (t->n_attempts == 1 && t->seen_timeout)
1610 t->scope->manager->n_timeouts_total++;
1611
86b112a3 1612 if (!dns_scope_network_good(t->scope)) {
edbcc1fd
LP		 1613 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1614 return 0;
1615 }
1616
c3dbb132 1617 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
e53b8cc5
ZJS		 1618 DnsTransactionState result;
1619
1620 if (t->scope->protocol == DNS_PROTOCOL_LLMNR)
1621 /* If we didn't find anything on LLMNR, it's not an error, but a failure to resolve
1622 * the name. */
1623 result = DNS_TRANSACTION_NOT_FOUND;
1624 else
1625 result = DNS_TRANSACTION_ATTEMPTS_MAX_REACHED;
1626
1627 dns_transaction_complete(t, result);
ec2c5e43
LP		 1628 return 0;
1629 }
1630
cbe4216d 1631 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
ec2c5e43
LP		 1632 /* If we already tried via a stream, then we don't
1633 * retry on LLMNR. See RFC 4795, Section 2.7. */
1634 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1635 return 0;
1636 }
1637
1638 t->n_attempts++;
9df3ba6c 1639 t->start_usec = ts;
c61d2b44
LP		 1640
1641 dns_transaction_reset_answer(t);
c5b4f861 1642 dns_transaction_flush_dnssec_transactions(t);
ec2c5e43 1643
0d2cd476 1644 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
775ae354
LP		 1645 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1646 !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_TRUST_ANCHOR)) {
42df9532 1647 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, dns_transaction_key(t), &t->answer);
0d2cd476
LP		 1648 if (r < 0)
1649 return r;
1650 if (r > 0) {
1651 t->answer_rcode = DNS_RCODE_SUCCESS;
1652 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
43fc4baa 1653 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
0d2cd476
LP		 1654 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1655 return 0;
1656 }
b2b796b8 1657
42df9532
LP		 1658 if (dns_name_is_root(dns_resource_key_name(dns_transaction_key(t))) &&
1659 dns_transaction_key(t)->type == DNS_TYPE_DS) {
b2b796b8 1660
775ae354
LP		 1661 /* Hmm, this is a request for the root DS? A DS RR doesn't exist in the root zone,
1662 * and if our trust anchor didn't know it either, this means we cannot do any DNSSEC
1663 * logic anymore. */
b2b796b8 1664
1ed8c0fb 1665 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
775ae354
LP		 1666 /* We are in downgrade mode. In this case, synthesize an unsigned empty
1667 * response, so that the any lookup depending on this one can continue
1668 * assuming there was no DS, and hence the root zone was unsigned. */
b2b796b8
LP		 1669
1670 t->answer_rcode = DNS_RCODE_SUCCESS;
1671 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
6f055e43 1672 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1673 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, true);
b2b796b8
LP		 1674 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1675 } else
775ae354
LP		 1676 /* If we are not in downgrade mode, then fail the lookup, because we cannot
1677 * reasonably answer it. There might be DS RRs, but we don't know them, and
1678 * the DNS server won't tell them to us (and even if it would, we couldn't
1679 * validate and trust them. */
b2b796b8
LP		 1680 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1681
1682 return 0;
1683 }
0d2cd476
LP		 1684 }
1685
775ae354
LP		 1686 /* Check the zone. */
1687 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_ZONE)) {
42df9532 1688 r = dns_zone_lookup(&t->scope->zone, dns_transaction_key(t), dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
d746bb3e
LP		 1689 if (r < 0)
1690 return r;
1691 if (r > 0) {
ae6a4bbf 1692 t->answer_rcode = DNS_RCODE_SUCCESS;
c3bc53e6 1693 t->answer_source = DNS_TRANSACTION_ZONE;
43fc4baa 1694 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
d746bb3e
LP		 1695 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1696 return 0;
1697 }
1698 }
1699
775ae354
LP		 1700 /* Check the cache. */
1701 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_CACHE)) {
2c27fbca 1702
775ae354
LP		 1703 /* Before trying the cache, let's make sure we figured out a server to use. Should this cause
1704 * a change of server this might flush the cache. */
5cdb8930 1705 (void) dns_scope_get_dns_server(t->scope);
2c27fbca 1706
4d926a69
LP		 1707 /* Let's then prune all outdated entries */
1708 dns_cache_prune(&t->scope->cache);
1709
5ed91481
KV		 1710 /* For the initial attempt or when no stale data is requested, disable serve stale
1711 * and answer the question from the cache (honors ttl property).
1712 * On the second attempt, if StaleRetentionSec is greater than zero,
1713 * try to answer the question using stale date (honors until property) */
1714 uint64_t query_flags = t->query_flags;
1715 if (t->n_attempts == 1 || t->scope->manager->stale_retention_usec == 0)
1716 query_flags |= SD_RESOLVED_NO_STALE;
1717
775ae354
LP		 1718 r = dns_cache_lookup(
1719 &t->scope->cache,
1720 dns_transaction_key(t),
5ed91481 1721 query_flags,
775ae354
LP		 1722 &t->answer_rcode,
1723 &t->answer,
1724 &t->received,
6f055e43 1725 &t->answer_query_flags,
775ae354 1726 &t->answer_dnssec_result);
4d926a69
LP		 1727 if (r < 0)
1728 return r;
1729 if (r > 0) {
3f0a7b3a
LP		 1730 dns_transaction_randomize_answer(t);
1731
775ae354
LP		 1732 if (t->bypass && t->scope->protocol == DNS_PROTOCOL_DNS && !t->received)
1733 /* When bypass mode is on, do not use cached data unless it came with a full
1734 * packet. */
1735 dns_transaction_reset_answer(t);
1736 else {
5ed91481 1737 if (t->n_attempts > 1 && !FLAGS_SET(query_flags, SD_RESOLVED_NO_STALE)) {
bc837621
KV		 1738
1739 if (t->answer_rcode == DNS_RCODE_SUCCESS) {
1740 if (t->seen_timeout)
1741 t->scope->manager->n_timeouts_served_stale_total++;
1742 else
1743 t->scope->manager->n_failure_responses_served_stale_total++;
1744 }
1745
5ed91481
KV		 1746 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1747 log_debug("Serve Stale response rcode=%s for %s",
1748 FORMAT_DNS_RCODE(t->answer_rcode),
1749 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
1750 }
1751
775ae354
LP		 1752 t->answer_source = DNS_TRANSACTION_CACHE;
1753 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1754 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1755 else
1756 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1757 return 0;
1758 }
4d926a69 1759 }
ec2c5e43
LP		 1760 }
1761
775ae354
LP		 1762 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_NETWORK)) {
1763 dns_transaction_complete(t, DNS_TRANSACTION_NO_SOURCE);
1764 return 0;
1765 }
1766
1effe965
DM		 1767 return 1;
1768}
1769
325513bc
YW		 1770static int dns_packet_append_zone(DnsPacket *p, DnsTransaction *t, DnsResourceKey *k, unsigned *nscount) {
1771 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1772 bool tentative;
1773 int r;
1774
1775 assert(p);
1776 assert(t);
1777 assert(k);
1778
1779 if (k->type != DNS_TYPE_ANY)
1780 return 0;
1781
1782 r = dns_zone_lookup(&t->scope->zone, k, t->scope->link->ifindex, &answer, NULL, &tentative);
1783 if (r < 0)
1784 return r;
1785
1786 return dns_packet_append_answer(p, answer, nscount);
1787}
1788
7645e5a8 1789static int mdns_make_dummy_packet(DnsTransaction *t, DnsPacket **ret_packet, Set **ret_keys) {
0afa57e2 1790 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
0d5ee47d 1791 _cleanup_set_free_ Set *keys = NULL;
325513bc 1792 bool add_known_answers = false;
7645e5a8 1793 unsigned qdcount;
0afa57e2
DM		 1794 usec_t ts;
1795 int r;
1796
1797 assert(t);
7645e5a8 1798 assert(t->scope);
0afa57e2 1799 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
7645e5a8
YW		 1800 assert(ret_packet);
1801 assert(ret_keys);
0afa57e2 1802
0afa57e2
DM		 1803 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1804 if (r < 0)
1805 return r;
1806
42df9532 1807 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
0afa57e2
DM		 1808 if (r < 0)
1809 return r;
1810
1811 qdcount = 1;
1812
42df9532 1813 if (dns_key_is_shared(dns_transaction_key(t)))
7778dfff
DM		 1814 add_known_answers = true;
1815
325513bc
YW		 1816 r = dns_packet_append_zone(p, t, dns_transaction_key(t), NULL);
1817 if (r < 0)
1818 return r;
1819
1820 /* Save appended keys */
1821 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(t));
1822 if (r < 0)
1823 return r;
0d5ee47d 1824
ba4e0427 1825 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
0afa57e2 1826
7645e5a8 1827 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
0afa57e2 1828
7645e5a8
YW		 1829 /* Skip ourselves */
1830 if (other == t)
1831 continue;
0afa57e2 1832
7645e5a8
YW		 1833 if (other->state != DNS_TRANSACTION_PENDING)
1834 continue;
0afa57e2 1835
7645e5a8
YW		 1836 if (other->next_attempt_after > ts)
1837 continue;
0afa57e2 1838
7645e5a8
YW		 1839 if (!set_contains(keys, dns_transaction_key(other))) {
1840 size_t saved_packet_size;
0afa57e2 1841
7645e5a8
YW		 1842 r = dns_packet_append_key(p, dns_transaction_key(other), 0, &saved_packet_size);
1843 /* If we can't stuff more questions into the packet, just give up.
1844 * One of the 'other' transactions will fire later and take care of the rest. */
1845 if (r == -EMSGSIZE)
1846 break;
325513bc
YW		 1847 if (r < 0)
1848 return r;
0afa57e2 1849
7645e5a8
YW		 1850 r = dns_packet_append_zone(p, t, dns_transaction_key(other), NULL);
1851 if (r == -EMSGSIZE) {
1852 dns_packet_truncate(p, saved_packet_size);
325513bc
YW		 1853 break;
1854 }
7645e5a8
YW		 1855 if (r < 0)
1856 return r;
aa4a9deb 1857
7645e5a8 1858 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(other));
325513bc
YW		 1859 if (r < 0)
1860 return r;
7645e5a8
YW		 1861 }
1862
1863 r = dns_transaction_prepare(other, ts);
1864 if (r < 0)
1865 return r;
1866 if (r == 0)
1867 /* In this case, not only this transaction, but multiple transactions may be
1868 * freed. Hence, we need to restart the loop. */
1869 return -EAGAIN;
0afa57e2 1870
7645e5a8
YW		 1871 usec_t timeout = transaction_get_resend_timeout(other);
1872 r = dns_transaction_setup_timeout(other, timeout, usec_add(ts, timeout));
1873 if (r < 0)
1874 return r;
7778dfff 1875
7645e5a8
YW		 1876 if (dns_key_is_shared(dns_transaction_key(other)))
1877 add_known_answers = true;
0d5ee47d 1878
7645e5a8
YW		 1879 qdcount++;
1880 if (qdcount >= UINT16_MAX)
1881 break;
0afa57e2
DM		 1882 }
1883
7645e5a8
YW		 1884 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
1885
1886 /* Append known answers section if we're asking for any shared record */
7778dfff 1887 if (add_known_answers) {
325513bc 1888 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, 0);
7778dfff
DM		 1889 if (r < 0)
1890 return r;
7645e5a8 1891 }
325513bc 1892
7645e5a8
YW		 1893 *ret_packet = TAKE_PTR(p);
1894 *ret_keys = TAKE_PTR(keys);
1895 return add_known_answers;
1896}
1897
1898static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
1899 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL, *dummy = NULL;
1900 _cleanup_set_free_ Set *keys = NULL;
1901 bool add_known_answers;
1902 DnsResourceKey *k;
1903 unsigned c;
1904 int r;
1905
1906 assert(t);
1907 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1908
1909 /* Discard any previously prepared packet, so we can start over and coalesce again */
1910 t->sent = dns_packet_unref(t->sent);
1911
1912 /* First, create a dummy packet to calculate the number of known answers to be appended in the first packet. */
1913 for (;;) {
1914 r = mdns_make_dummy_packet(t, &dummy, &keys);
1915 if (r == -EAGAIN)
1916 continue;
1917 if (r < 0)
1918 return r;
1919
1920 add_known_answers = r;
1921 break;
7778dfff
DM		 1922 }
1923
5162b2a1 1924 /* Then, create actual packet. */
325513bc
YW		 1925 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1926 if (r < 0)
1927 return r;
1928
1929 /* Questions */
7645e5a8 1930 c = 0;
325513bc
YW		 1931 SET_FOREACH(k, keys) {
1932 r = dns_packet_append_key(p, k, 0, NULL);
1933 if (r < 0)
1934 return r;
7645e5a8 1935 c++;
325513bc 1936 }
7645e5a8 1937 DNS_PACKET_HEADER(p)->qdcount = htobe16(c);
0d5ee47d 1938
325513bc
YW		 1939 /* Known answers */
1940 if (add_known_answers) {
7645e5a8
YW		 1941 usec_t ts;
1942
1943 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
1944
1945 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, be16toh(DNS_PACKET_HEADER(dummy)->ancount));
0d5ee47d
DR		 1946 if (r < 0)
1947 return r;
325513bc 1948 }
0d5ee47d 1949
325513bc 1950 /* Authorities */
7645e5a8 1951 c = 0;
325513bc 1952 SET_FOREACH(k, keys) {
7645e5a8 1953 r = dns_packet_append_zone(p, t, k, &c);
0d5ee47d
DR		 1954 if (r < 0)
1955 return r;
0d5ee47d 1956 }
7645e5a8 1957 DNS_PACKET_HEADER(p)->nscount = htobe16(c);
0d5ee47d 1958
1cc6c93a 1959 t->sent = TAKE_PTR(p);
0afa57e2
DM		 1960 return 0;
1961}
1962
1963static int dns_transaction_make_packet(DnsTransaction *t) {
1964 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1965 int r;
1966
1967 assert(t);
1968
1969 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1970 return dns_transaction_make_packet_mdns(t);
1971
1972 if (t->sent)
1973 return 0;
1974
775ae354
LP		 1975 if (t->bypass && t->bypass->protocol == t->scope->protocol) {
1976 /* If bypass logic is enabled and the protocol if the original packet and our scope match,
1977 * take the original packet, copy it, and patch in our new ID */
1978 r = dns_packet_dup(&p, t->bypass);
1979 if (r < 0)
1980 return r;
1981 } else {
1982 r = dns_packet_new_query(
1983 &p, t->scope->protocol,
1984 /* min_alloc_dsize = */ 0,
1985 /* dnssec_cd = */ !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) &&
1986 t->scope->dnssec_mode != DNSSEC_NO);
1987 if (r < 0)
1988 return r;
0afa57e2 1989
775ae354
LP		 1990 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1991 if (r < 0)
1992 return r;
1993
1994 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1995 }
0afa57e2 1996
0afa57e2
DM		 1997 DNS_PACKET_HEADER(p)->id = t->id;
1998
1cc6c93a 1999 t->sent = TAKE_PTR(p);
0afa57e2
DM		 2000 return 0;
2001}
2002
1effe965
DM		 2003int dns_transaction_go(DnsTransaction *t) {
2004 usec_t ts;
2005 int r;
202b76ae 2006 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1effe965
DM		 2007
2008 assert(t);
2009
4ea8b443
ZJS		 2010 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has
2011 * finished now. In the latter case, the transaction and query candidate objects must not be accessed.
2012 */
5278bbfe 2013
ba4e0427 2014 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
547973de 2015
c842ff24 2016 r = dns_transaction_prepare(t, ts);
1effe965
DM		 2017 if (r <= 0)
2018 return r;
2019
213cb4f7
LP		 2020 log_debug("Firing %s transaction %" PRIu16 " for <%s> scope %s on %s/%s (validate=%s).",
2021 t->bypass ? "bypass" : "regular",
a5784c49 2022 t->id,
42df9532 2023 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
a5784c49 2024 dns_protocol_to_string(t->scope->protocol),
6ff79f76 2025 t->scope->link ? t->scope->link->ifname : "*",
775ae354
LP		 2026 af_to_name_short(t->scope->family),
2027 yes_no(!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE)));
1effe965 2028
ef7ce6df 2029 if (!t->initial_jitter_scheduled &&
3742095b 2030 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
765647ba 2031 usec_t jitter;
6e068472 2032
765647ba
YW		 2033 /* RFC 4795 Section 2.7 suggests all LLMNR queries should be delayed by a random time from 0 to
2034 * JITTER_INTERVAL.
2035 * RFC 6762 Section 8.1 suggests initial probe queries should be delayed by a random time from
2036 * 0 to 250ms. */
6e068472 2037
ef7ce6df 2038 t->initial_jitter_scheduled = true;
87b91644 2039 t->n_attempts = 0;
6e068472 2040
ea12bcc7 2041 switch (t->scope->protocol) {
519ef046 2042
ea12bcc7 2043 case DNS_PROTOCOL_LLMNR:
9ee18bf4 2044 jitter = random_u64_range(LLMNR_JITTER_INTERVAL_USEC);
ea12bcc7 2045 break;
519ef046 2046
ea12bcc7 2047 case DNS_PROTOCOL_MDNS:
765647ba
YW		 2048 if (t->probing)
2049 jitter = random_u64_range(MDNS_PROBING_INTERVAL_USEC);
2050 else
2051 jitter = 0;
ea12bcc7
DM		 2052 break;
2053 default:
04499a70 2054 assert_not_reached();
ea12bcc7 2055 }
6e068472 2056
87b91644 2057 r = dns_transaction_setup_timeout(t, jitter, ts);
6e068472
LP		 2058 if (r < 0)
2059 return r;
2060
2f9c3b2a
LP		 2061 log_debug("Delaying %s transaction %" PRIu16 " for " USEC_FMT "us.",
2062 dns_protocol_to_string(t->scope->protocol),
2063 t->id,
2064 jitter);
4ea8b443 2065 return 1;
6e068472
LP		 2066 }
2067
ec2c5e43
LP		 2068 /* Otherwise, we need to ask the network */
2069 r = dns_transaction_make_packet(t);
ec2c5e43
LP		 2070 if (r < 0)
2071 return r;
2072
2073 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
42df9532
LP		 2074 (dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "in-addr.arpa") > 0 ||
2075 dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "ip6.arpa") > 0)) {
ec2c5e43
LP		 2076
2077 /* RFC 4795, Section 2.4. says reverse lookups shall
2078 * always be made via TCP on LLMNR */
98767d75 2079 r = dns_transaction_emit_tcp(t);
ec2c5e43 2080 } else {
be808ea0
TG		 2081 /* Try via UDP, and if that fails due to large size or lack of
2082 * support try via TCP */
49cce12d 2083 r = dns_transaction_emit_udp(t);
29ab0552
LP		 2084 if (r == -EMSGSIZE)
2085 log_debug("Sending query via TCP since it is too large.");
dc349f5f 2086 else if (r == -EAGAIN)
6c0bacc1 2087 log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
3dd6336a
JB		 2088 else if (r == -EPERM)
2089 log_debug("Sending query via TCP since UDP is blocked.");
2090 if (IN_SET(r, -EMSGSIZE, -EAGAIN, -EPERM))
98767d75 2091 r = dns_transaction_emit_tcp(t);
ec2c5e43 2092 }
49ef064c
LP		 2093 if (r == -ELOOP) {
2094 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2095 return r;
2096
2097 /* One of our own stub listeners */
2098 log_debug_errno(r, "Detected that specified DNS server is our own extra listener, switching DNS servers.");
2099
5e8bc852 2100 dns_scope_next_dns_server(t->scope, t->server);
49ef064c
LP		 2101
2102 if (dns_scope_get_dns_server(t->scope) == t->server) {
2103 log_debug_errno(r, "Still pointing to extra listener after switching DNS servers, refusing operation.");
2104 dns_transaction_complete(t, DNS_TRANSACTION_STUB_LOOP);
2105 return 0;
2106 }
be808ea0 2107
49ef064c
LP		 2108 return dns_transaction_go(t);
2109 }
ec2c5e43
LP		 2110 if (r == -ESRCH) {
2111 /* No servers to send this to? */
2112 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
2113 return 0;
91adc4db
LP		 2114 }
2115 if (r == -EOPNOTSUPP) {
2116 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
2117 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
2118 return 0;
2119 }
13d84288 2120 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_NEG_DISCONNECT(r)) {
e94968ba 2121 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
0791110f
LP		 2122 * answer this request with this protocol. */
2123 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
2124 return 0;
2125 }
91adc4db 2126 if (r < 0) {
7cc6ed7b
LP		 2127 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2128 return r;
13b551ac 2129
ec2c5e43 2130 /* Couldn't send? Try immediately again, with a new server */
5e8bc852 2131 dns_scope_next_dns_server(t->scope, t->server);
ec2c5e43
LP		 2132
2133 return dns_transaction_go(t);
2134 }
2135
87b91644
YW		 2136 usec_t timeout = transaction_get_resend_timeout(t);
2137 r = dns_transaction_setup_timeout(t, timeout, usec_add(ts, timeout));
ec2c5e43
LP		 2138 if (r < 0)
2139 return r;
2140
ec2c5e43
LP		 2141 return 1;
2142}
2143
f2992dc1
LP		 2144static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
2145 DnsTransaction *n;
f2992dc1
LP		 2146 int r;
2147
2148 assert(t);
2149 assert(aux);
2150
2151 /* Try to find cyclic dependencies between transaction objects */
2152
2153 if (t == aux)
2154 return 1;
2155
90e74a66 2156 SET_FOREACH(n, aux->dnssec_transactions) {
f2992dc1
LP		 2157 r = dns_transaction_find_cyclic(t, n);
2158 if (r != 0)
2159 return r;
2160 }
2161
3eb6aa00 2162 return 0;
f2992dc1
LP		 2163}
2164
547973de 2165static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
29bd6012 2166 _cleanup_(dns_transaction_gcp) DnsTransaction *aux = NULL;
547973de
LP		 2167 int r;
2168
2169 assert(t);
2170 assert(ret);
2171 assert(key);
2172
775ae354 2173 aux = dns_scope_find_transaction(t->scope, key, t->query_flags);
547973de 2174 if (!aux) {
775ae354 2175 r = dns_transaction_new(&aux, t->scope, key, NULL, t->query_flags);
547973de
LP		 2176 if (r < 0)
2177 return r;
2178 } else {
2179 if (set_contains(t->dnssec_transactions, aux)) {
2180 *ret = aux;
2181 return 0;
2182 }
f2992dc1
LP		 2183
2184 r = dns_transaction_find_cyclic(t, aux);
2185 if (r < 0)
2186 return r;
2187 if (r > 0) {
202b76ae
ZJS		 2188 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
2189
baaa35ad
ZJS		 2190 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
2191 "Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
2192 aux->id,
42df9532 2193 dns_resource_key_to_string(dns_transaction_key(t), s, sizeof s),
baaa35ad 2194 t->id,
42df9532 2195 dns_resource_key_to_string(dns_transaction_key(aux), saux, sizeof saux));
f2992dc1 2196 }
547973de
LP		 2197 }
2198
35aa04e9
LP		 2199 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
2200 if (r < 0)
29bd6012 2201 return r;
547973de 2202
de7fef4b 2203 r = set_ensure_put(&t->dnssec_transactions, NULL, aux);
547973de 2204 if (r < 0)
a75cb4e2 2205 return r;
547973de 2206
de7fef4b 2207 r = set_ensure_put(&aux->notify_transactions, NULL, t);
547973de
LP		 2208 if (r < 0) {
2209 (void) set_remove(t->dnssec_transactions, aux);
29bd6012 2210 return r;
547973de
LP		 2211 }
2212
29bd6012 2213 *ret = TAKE_PTR(aux);
547973de 2214 return 1;
547973de
LP		 2215}
2216
2217static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
2218 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
2219 DnsTransaction *aux;
2220 int r;
2221
2222 assert(t);
2223 assert(key);
2224
2225 /* Try to get the data from the trust anchor */
8e54f5d9 2226 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
547973de
LP		 2227 if (r < 0)
2228 return r;
2229 if (r > 0) {
2230 r = dns_answer_extend(&t->validated_keys, a);
2231 if (r < 0)
2232 return r;
2233
2234 return 0;
2235 }
2236
2237 /* This didn't work, ask for it via the network/cache then. */
2238 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
f2992dc1
LP		 2239 if (r == -ELOOP) /* This would result in a cyclic dependency */
2240 return 0;
547973de
LP		 2241 if (r < 0)
2242 return r;
2243
2244 if (aux->state == DNS_TRANSACTION_NULL) {
2245 r = dns_transaction_go(aux);
2246 if (r < 0)
2247 return r;
2248 }
2249
f2992dc1 2250 return 1;
547973de
LP		 2251}
2252
8a516214
LP		 2253static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
2254 int r;
2255
2256 assert(t);
2257
c629ff58 2258 /* Check whether the specified name is in the NTA
8a516214
LP		 2259 * database, either in the global one, or the link-local
2260 * one. */
2261
2262 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
2263 if (r != 0)
2264 return r;
2265
2266 if (!t->scope->link)
2267 return 0;
2268
7e8a93b7 2269 return link_negative_trust_anchor_lookup(t->scope->link, name);
8a516214
LP		 2270}
2271
26b23d11 2272static int dns_transaction_has_negative_answer(DnsTransaction *t) {
105e1512
LP		 2273 int r;
2274
2275 assert(t);
2276
2277 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
2278 * RRs to prove it */
2279
2280 r = dns_transaction_has_positive_answer(t, NULL);
2281 if (r < 0)
2282 return r;
2283 if (r > 0)
2284 return false;
2285
8e54f5d9
LP		 2286 /* Is this key explicitly listed as a negative trust anchor?
2287 * If so, it's nothing we need to care about */
42df9532 2288 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2289 if (r < 0)
2290 return r;
26b23d11 2291 return !r;
105e1512
LP		 2292}
2293
2294static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
2295 int r;
2296
2297 assert(t);
2298 assert(rr);
2299
2300 /* Check if the specified RR is the "primary" response,
2301 * i.e. either matches the question precisely or is a
4cb94977 2302 * CNAME/DNAME for it. */
105e1512 2303
42df9532 2304 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2305 if (r != 0)
2306 return r;
2307
42df9532 2308 return dns_resource_key_match_cname_or_dname(dns_transaction_key(t), rr->key, NULL);
105e1512
LP		 2309}
2310
92ec902a
LP		 2311static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
2312 assert(t);
2313
2314 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
2315 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
2316
2317 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2318 return false;
2319
2320 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
2321 * be supported, hence return true. */
2322 if (!t->server)
2323 return true;
2324
d001e0a3
LP		 2325 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
2326 * the server is known to support currently, as the transaction feature level might be lower than what the
2327 * server actually supports, since we might have downgraded this transaction's feature level because we got a
2328 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
92ec902a
LP		 2329
2330 return dns_server_dnssec_supported(t->server);
2331}
2332
2333static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
2334 DnsTransaction *dt;
92ec902a
LP		 2335
2336 assert(t);
2337
2338 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
2339
2340 if (!dns_transaction_dnssec_supported(t))
2341 return false;
2342
90e74a66 2343 SET_FOREACH(dt, t->dnssec_transactions)
92ec902a
LP		 2344 if (!dns_transaction_dnssec_supported(dt))
2345 return false;
2346
2347 return true;
2348}
2349
547973de
LP		 2350int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
2351 DnsResourceRecord *rr;
105e1512 2352
547973de
LP		 2353 int r;
2354
2355 assert(t);
2356
105e1512
LP		 2357 /*
2358 * Retrieve all auxiliary RRs for the answer we got, so that
2359 * we can verify signatures or prove that RRs are rightfully
2360 * unsigned. Specifically:
2361 *
2362 * - For RRSIG we get the matching DNSKEY
2363 * - For DNSKEY we get the matching DS
2364 * - For unsigned SOA/NS we get the matching DS
b63fca62 2365 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
105e1512 2366 * - For other unsigned RRs we get the matching SOA RR
4bbc06cc
LP		 2367 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
2368 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
105e1512
LP		 2369 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
2370 */
2371
775ae354 2372 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
547973de 2373 return 0;
92ec902a
LP		 2374 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2375 return 0; /* We only need to validate stuff from the network */
2376 if (!dns_transaction_dnssec_supported(t))
5238e957 2377 return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
b652d4a2 2378
547973de
LP		 2379 DNS_ANSWER_FOREACH(rr, t->answer) {
2380
105e1512
LP		 2381 if (dns_type_is_pseudo(rr->key->type))
2382 continue;
2383
8e54f5d9 2384 /* If this RR is in the negative trust anchor, we don't need to validate it. */
1c02e7ba 2385 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2386 if (r < 0)
2387 return r;
2388 if (r > 0)
2389 continue;
2390
547973de
LP		 2391 switch (rr->key->type) {
2392
2393 case DNS_TYPE_RRSIG: {
2394 /* For each RRSIG we request the matching DNSKEY */
2395 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
2396
2397 /* If this RRSIG is about a DNSKEY RR and the
2398 * signer is the same as the owner, then we
2399 * already have the DNSKEY, and we don't have
2400 * to look for more. */
2401 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
1c02e7ba 2402 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
547973de
LP		 2403 if (r < 0)
2404 return r;
2405 if (r > 0)
2406 continue;
2407 }
2408
105e1512
LP		 2409 /* If the signer is not a parent of our
2410 * original query, then this is about an
2411 * auxiliary RRset, but not anything we asked
2412 * for. In this case we aren't interested,
2413 * because we don't want to request additional
2414 * RRs for stuff we didn't really ask for, and
2415 * also to avoid request loops, where
2416 * additional RRs from one transaction result
5238e957 2417 * in another transaction whose additional RRs
105e1512
LP		 2418 * point back to the original transaction, and
2419 * we deadlock. */
42df9532 2420 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), rr->rrsig.signer);
547973de
LP		 2421 if (r < 0)
2422 return r;
2423 if (r == 0)
2424 continue;
2425
2426 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2427 if (!dnskey)
2428 return -ENOMEM;
2429
1c02e7ba
ZJS		 2430 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2431 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
547973de
LP		 2432 r = dns_transaction_request_dnssec_rr(t, dnskey);
2433 if (r < 0)
2434 return r;
2435 break;
2436 }
2437
2438 case DNS_TYPE_DNSKEY: {
2439 /* For each DNSKEY we request the matching DS */
2440 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2441
105e1512
LP		 2442 /* If the DNSKEY we are looking at is not for
2443 * zone we are interested in, nor any of its
2444 * parents, we aren't interested, and don't
2445 * request it. After all, we don't want to end
2446 * up in request loops, and want to keep
2447 * additional traffic down. */
2448
42df9532 2449 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
105e1512
LP		 2450 if (r < 0)
2451 return r;
2452 if (r == 0)
2453 continue;
2454
1c02e7ba 2455 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
547973de
LP		 2456 if (!ds)
2457 return -ENOMEM;
2458
1c02e7ba
ZJS		 2459 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2460 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
105e1512
LP		 2461 r = dns_transaction_request_dnssec_rr(t, ds);
2462 if (r < 0)
2463 return r;
547973de 2464
105e1512
LP		 2465 break;
2466 }
2467
105e1512
LP		 2468 case DNS_TYPE_SOA:
2469 case DNS_TYPE_NS: {
2470 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2471
2472 /* For an unsigned SOA or NS, try to acquire
2473 * the matching DS RR, as we are at a zone cut
2474 * then, and whether a DS exists tells us
2475 * whether the zone is signed. Do so only if
2476 * this RR matches our original question,
2477 * however. */
2478
42df9532 2479 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2480 if (r < 0)
2481 return r;
6993d264
LP		 2482 if (r == 0) {
2483 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
d51c4fca 2484 * a negative reply, and we need the SOA RR's TTL in order to cache a negative entry?
6993d264
LP		 2485 * If so, we need to validate it, too. */
2486
42df9532 2487 r = dns_answer_match_key(t->answer, dns_transaction_key(t), NULL);
6993d264
LP		 2488 if (r < 0)
2489 return r;
2490 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2491 * it. */
2492 continue;
d5acaa51
LP		 2493
2494 /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
2495 * what we are looking for, otherwise there's no value in it for us. */
42df9532 2496 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
d5acaa51
LP		 2497 if (r < 0)
2498 return r;
2499 if (r == 0)
2500 continue;
6993d264 2501 }
105e1512
LP		 2502
2503 r = dnssec_has_rrsig(t->answer, rr->key);
2504 if (r < 0)
2505 return r;
2506 if (r > 0)
2507 continue;
2508
1c02e7ba 2509 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
105e1512
LP		 2510 if (!ds)
2511 return -ENOMEM;
2512
1c02e7ba
ZJS		 2513 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2514 t->id, dns_resource_key_name(rr->key));
547973de
LP		 2515 r = dns_transaction_request_dnssec_rr(t, ds);
2516 if (r < 0)
2517 return r;
2518
2519 break;
105e1512
LP		 2520 }
2521
b63fca62 2522 case DNS_TYPE_DS:
105e1512
LP		 2523 case DNS_TYPE_CNAME:
2524 case DNS_TYPE_DNAME: {
2525 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2526 const char *name;
2527
2528 /* CNAMEs and DNAMEs cannot be located at a
2529 * zone apex, hence ask for the parent SOA for
2530 * unsigned CNAME/DNAME RRs, maybe that's the
2531 * apex. But do all that only if this is
2532 * actually a response to our original
b63fca62
LP		 2533 * question.
2534 *
2535 * Similar for DS RRs, which are signed when
2536 * the parent SOA is signed. */
105e1512
LP		 2537
2538 r = dns_transaction_is_primary_response(t, rr);
2539 if (r < 0)
2540 return r;
2541 if (r == 0)
2542 continue;
2543
2544 r = dnssec_has_rrsig(t->answer, rr->key);
2545 if (r < 0)
2546 return r;
2547 if (r > 0)
2548 continue;
2549
43e6779a
LP		 2550 r = dns_answer_has_dname_for_cname(t->answer, rr);
2551 if (r < 0)
2552 return r;
2553 if (r > 0)
2554 continue;
2555
1c02e7ba 2556 name = dns_resource_key_name(rr->key);
105e1512
LP		 2557 r = dns_name_parent(&name);
2558 if (r < 0)
2559 return r;
2560 if (r == 0)
2561 continue;
2562
2563 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2564 if (!soa)
2565 return -ENOMEM;
2566
1c02e7ba
ZJS		 2567 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2568 t->id, dns_resource_key_name(rr->key));
105e1512
LP		 2569 r = dns_transaction_request_dnssec_rr(t, soa);
2570 if (r < 0)
2571 return r;
2572
2573 break;
2574 }
2575
2576 default: {
2577 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2578
b63fca62
LP		 2579 /* For other unsigned RRsets (including
2580 * NSEC/NSEC3!), look for proof the zone is
2581 * unsigned, by requesting the SOA RR of the
2582 * zone. However, do so only if they are
2583 * directly relevant to our original
105e1512
LP		 2584 * question. */
2585
2586 r = dns_transaction_is_primary_response(t, rr);
2587 if (r < 0)
2588 return r;
2589 if (r == 0)
2590 continue;
2591
2592 r = dnssec_has_rrsig(t->answer, rr->key);
2593 if (r < 0)
2594 return r;
2595 if (r > 0)
2596 continue;
2597
1c02e7ba 2598 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
105e1512
LP		 2599 if (!soa)
2600 return -ENOMEM;
2601
1c02e7ba
ZJS		 2602 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2603 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
105e1512
LP		 2604 r = dns_transaction_request_dnssec_rr(t, soa);
2605 if (r < 0)
2606 return r;
2607 break;
547973de
LP		 2608 }}
2609 }
2610
105e1512
LP		 2611 /* Above, we requested everything necessary to validate what
2612 * we got. Now, let's request what we need to validate what we
2613 * didn't get... */
2614
26b23d11 2615 r = dns_transaction_has_negative_answer(t);
105e1512
LP		 2616 if (r < 0)
2617 return r;
2618 if (r > 0) {
26b23d11 2619 const char *name, *signed_status;
4bbc06cc 2620 uint16_t type = 0;
105e1512 2621
42df9532 2622 name = dns_resource_key_name(dns_transaction_key(t));
26b23d11 2623 signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned";
105e1512 2624
4bbc06cc
LP		 2625 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2626 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2627 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2628 * though they have further children. If this was a DS request, then it's signed when the parent zone
2629 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2630 * to see if that is signed. */
105e1512 2631
42df9532 2632 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2633 r = dns_name_parent(&name);
4bbc06cc
LP		 2634 if (r > 0) {
2635 type = DNS_TYPE_SOA;
e2341b6b
DT		 2636 log_debug("Requesting parent SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty DS response).",
2637 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id,
2638 dns_resource_key_name(dns_transaction_key(t)), signed_status);
4bbc06cc 2639 } else
105e1512 2640 name = NULL;
4bbc06cc 2641
42df9532 2642 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
4bbc06cc
LP		 2643
2644 type = DNS_TYPE_DS;
e2341b6b
DT		 2645 log_debug("Requesting DS (%s %s) to validate transaction %" PRIu16 " (%s, %s empty SOA/NS response).",
2646 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
4bbc06cc
LP		 2647
2648 } else {
2649 type = DNS_TYPE_SOA;
e2341b6b
DT		 2650 log_debug("Requesting SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty non-SOA/NS/DS response).",
2651 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
4bbc06cc 2652 }
105e1512
LP		 2653
2654 if (name) {
2655 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2656
42df9532 2657 soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name);
105e1512
LP		 2658 if (!soa)
2659 return -ENOMEM;
2660
2661 r = dns_transaction_request_dnssec_rr(t, soa);
2662 if (r < 0)
2663 return r;
2664 }
2665 }
2666
2667 return dns_transaction_dnssec_is_live(t);
547973de
LP		 2668}
2669
2670void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
547973de 2671 assert(t);
547973de
LP		 2672 assert(source);
2673
942eb2e7
LP		 2674 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2675 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2676 the state is VALIDATING however, we should check if we are complete now. */
105e1512 2677
942eb2e7
LP		 2678 if (t->state == DNS_TRANSACTION_VALIDATING)
2679 dns_transaction_process_dnssec(t);
547973de
LP		 2680}
2681
105e1512 2682static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
04617bf8
LP		 2683 DnsAnswerItem *item;
2684 int r;
105e1512
LP		 2685
2686 assert(t);
2687
2688 /* Add all DNSKEY RRs from the answer that are validated by DS
2689 * RRs from the list of validated keys to the list of
2690 * validated keys. */
2691
04617bf8 2692 DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
105e1512 2693
04617bf8 2694 r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
105e1512
LP		 2695 if (r < 0)
2696 return r;
2697 if (r == 0)
2698 continue;
2699
2700 /* If so, the DNSKEY is validated too. */
04617bf8 2701 r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
105e1512
LP		 2702 if (r < 0)
2703 return r;
2704 }
2705
2706 return 0;
2707}
2708
2709static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
56352fe9
LP		 2710 int r;
2711
2712 assert(t);
2713 assert(rr);
2714
105e1512
LP		 2715 /* Checks if the RR we are looking for must be signed with an
2716 * RRSIG. This is used for positive responses. */
24a5b982 2717
b652d4a2 2718 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2719 return false;
56352fe9 2720
105e1512
LP		 2721 if (dns_type_is_pseudo(rr->key->type))
2722 return -EINVAL;
56352fe9 2723
1c02e7ba 2724 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2725 if (r < 0)
2726 return r;
2727 if (r > 0)
2728 return false;
2729
105e1512 2730 switch (rr->key->type) {
56352fe9 2731
105e1512
LP		 2732 case DNS_TYPE_RRSIG:
2733 /* RRSIGs are the signatures themselves, they need no signing. */
2734 return false;
2735
2736 case DNS_TYPE_SOA:
2737 case DNS_TYPE_NS: {
2738 DnsTransaction *dt;
105e1512 2739
b63fca62 2740 /* For SOA or NS RRs we look for a matching DS transaction */
105e1512 2741
90e74a66 2742 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2743
42df9532 2744 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2745 continue;
42df9532 2746 if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
105e1512
LP		 2747 continue;
2748
42df9532 2749 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2750 if (r < 0)
2751 return r;
2752 if (r == 0)
2753 continue;
2754
2755 /* We found a DS transactions for the SOA/NS
2756 * RRs we are looking at. If it discovered signed DS
2757 * RRs, then we need to be signed, too. */
2758
6f055e43 2759 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
097a2517 2760 return false;
105e1512 2761
42df9532 2762 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
105e1512
LP		 2763 }
2764
2765 /* We found nothing that proves this is safe to leave
2766 * this unauthenticated, hence ask inist on
2767 * authentication. */
2768 return true;
2769 }
2770
b63fca62 2771 case DNS_TYPE_DS:
105e1512
LP		 2772 case DNS_TYPE_CNAME:
2773 case DNS_TYPE_DNAME: {
2774 const char *parent = NULL;
2775 DnsTransaction *dt;
105e1512 2776
b63fca62
LP		 2777 /*
2778 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2779 *
2780 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2781 */
105e1512 2782
90e74a66 2783 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2784
42df9532 2785 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2786 continue;
42df9532 2787 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2788 continue;
2789
2790 if (!parent) {
1c02e7ba 2791 parent = dns_resource_key_name(rr->key);
105e1512
LP		 2792 r = dns_name_parent(&parent);
2793 if (r < 0)
2794 return r;
2795 if (r == 0) {
b63fca62
LP		 2796 if (rr->key->type == DNS_TYPE_DS)
2797 return true;
2798
105e1512 2799 /* A CNAME/DNAME without a parent? That's sooo weird. */
baaa35ad
ZJS		 2800 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2801 "Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
105e1512
LP		 2802 }
2803 }
2804
42df9532 2805 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent);
105e1512
LP		 2806 if (r < 0)
2807 return r;
2808 if (r == 0)
2809 continue;
2810
3b4cc143 2811 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2812 }
2813
2814 return true;
2815 }
2816
2817 default: {
2818 DnsTransaction *dt;
105e1512 2819
b63fca62 2820 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
105e1512 2821
90e74a66 2822 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2823
42df9532 2824 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2825 continue;
42df9532 2826 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2827 continue;
2828
42df9532 2829 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2830 if (r < 0)
2831 return r;
2832 if (r == 0)
2833 continue;
2834
6f055e43
LP		 2835 /* We found the transaction that was supposed to find the SOA RR for us. It was
2836 * successful, but found no RR for us. This means we are not at a zone cut. In this
2837 * case, we require authentication if the SOA lookup was authenticated too. */
3b4cc143 2838 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2839 }
2840
2841 return true;
2842 }}
56352fe9
LP		 2843}
2844
d33b6cf3
LP		 2845static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2846 DnsTransaction *dt;
2847 const char *tld;
d33b6cf3
LP		 2848 int r;
2849
2850 /* If DNSSEC downgrade mode is on, checks whether the
2851 * specified RR is one level below a TLD we have proven not to
2852 * exist. In such a case we assume that this is a private
2853 * domain, and permit it.
2854 *
2855 * This detects cases like the Fritz!Box router networks. Each
2856 * Fritz!Box router serves a private "fritz.box" zone, in the
2857 * non-existing TLD "box". Requests for the "fritz.box" domain
2858 * are served by the router itself, while requests for the
2859 * "box" domain will result in NXDOMAIN.
2860 *
2861 * Note that this logic is unable to detect cases where a
2862 * router serves a private DNS zone directly under
2863 * non-existing TLD. In such a case we cannot detect whether
2864 * the TLD is supposed to exist or not, as all requests we
2865 * make for it will be answered by the router's zone, and not
2866 * by the root zone. */
2867
2868 assert(t);
2869
2870 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2871 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2872
1c02e7ba 2873 tld = dns_resource_key_name(key);
d33b6cf3
LP		 2874 r = dns_name_parent(&tld);
2875 if (r < 0)
2876 return r;
2877 if (r == 0)
2878 return false; /* Already the root domain */
2879
2880 if (!dns_name_is_single_label(tld))
2881 return false;
2882
90e74a66 2883 SET_FOREACH(dt, t->dnssec_transactions) {
d33b6cf3 2884
42df9532 2885 if (dns_transaction_key(dt)->class != key->class)
d33b6cf3
LP		 2886 continue;
2887
42df9532 2888 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), tld);
d33b6cf3
LP		 2889 if (r < 0)
2890 return r;
2891 if (r == 0)
2892 continue;
2893
2894 /* We found an auxiliary lookup we did for the TLD. If
2895 * that returned with NXDOMAIN, we know the TLD didn't
2896 * exist, and hence this might be a private zone. */
2897
2898 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2899 }
2900
2901 return false;
2902}
2903
105e1512 2904static int dns_transaction_requires_nsec(DnsTransaction *t) {
4bbc06cc 2905 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
105e1512
LP		 2906 DnsTransaction *dt;
2907 const char *name;
4bbc06cc 2908 uint16_t type = 0;
105e1512 2909 int r;
56352fe9
LP		 2910
2911 assert(t);
2912
105e1512
LP		 2913 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2914 * this negative reply */
56352fe9 2915
b652d4a2 2916 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2917 return false;
56352fe9 2918
42df9532 2919 if (dns_type_is_pseudo(dns_transaction_key(t)->type))
105e1512
LP		 2920 return -EINVAL;
2921
42df9532 2922 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2923 if (r < 0)
2924 return r;
2925 if (r > 0)
2926 return false;
2927
42df9532 2928 r = dns_transaction_in_private_tld(t, dns_transaction_key(t));
d33b6cf3
LP		 2929 if (r < 0)
2930 return r;
2931 if (r > 0) {
2932 /* The lookup is from a TLD that is proven not to
2933 * exist, and we are in downgrade mode, hence ignore
13e785f7 2934 * that fact that we didn't get any NSEC RRs. */
d33b6cf3 2935
202b76ae 2936 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
42df9532 2937 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
d33b6cf3
LP		 2938 return false;
2939 }
2940
42df9532 2941 name = dns_resource_key_name(dns_transaction_key(t));
105e1512 2942
42df9532 2943 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2944
4bbc06cc
LP		 2945 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
2946 * hence check the parent SOA in this case. */
105e1512
LP		 2947
2948 r = dns_name_parent(&name);
56352fe9
LP		 2949 if (r < 0)
2950 return r;
2951 if (r == 0)
105e1512 2952 return true;
4bbc06cc
LP		 2953
2954 type = DNS_TYPE_SOA;
2955
42df9532 2956 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS))
4bbc06cc
LP		 2957 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
2958 type = DNS_TYPE_DS;
2959 else
2960 /* For all other negative replies, check for the SOA lookup */
2961 type = DNS_TYPE_SOA;
105e1512
LP		 2962
2963 /* For all other RRs we check the SOA on the same level to see
2964 * if it's signed. */
2965
90e74a66 2966 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2967
42df9532 2968 if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class)
105e1512 2969 continue;
42df9532 2970 if (dns_transaction_key(dt)->type != type)
56352fe9
LP		 2971 continue;
2972
42df9532 2973 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name);
56352fe9
LP		 2974 if (r < 0)
2975 return r;
105e1512
LP		 2976 if (r == 0)
2977 continue;
2978
6f055e43 2979 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
56352fe9
LP		 2980 }
2981
105e1512
LP		 2982 /* If in doubt, require NSEC/NSEC3 */
2983 return true;
56352fe9
LP		 2984}
2985
94aa7071
LP		 2986static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2987 DnsResourceRecord *rrsig;
2988 bool found = false;
2989 int r;
2990
2991 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2992 * the specified RRset is authenticated (i.e. has a matching
2993 * DS RR). */
2994
1c02e7ba 2995 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2996 if (r < 0)
2997 return r;
2998 if (r > 0)
2999 return false;
3000
94aa7071
LP		 3001 DNS_ANSWER_FOREACH(rrsig, t->answer) {
3002 DnsTransaction *dt;
94aa7071
LP		 3003
3004 r = dnssec_key_match_rrsig(rr->key, rrsig);
3005 if (r < 0)
3006 return r;
3007 if (r == 0)
3008 continue;
3009
90e74a66 3010 SET_FOREACH(dt, t->dnssec_transactions) {
94aa7071 3011
42df9532 3012 if (dns_transaction_key(dt)->class != rr->key->class)
94aa7071
LP		 3013 continue;
3014
42df9532 3015 if (dns_transaction_key(dt)->type == DNS_TYPE_DNSKEY) {
94aa7071 3016
42df9532 3017 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 3018 if (r < 0)
3019 return r;
3020 if (r == 0)
3021 continue;
3022
6f055e43
LP		 3023 /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
3024 * report this. */
94aa7071 3025
6f055e43 3026 if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 3027 return true;
3028
3029 found = true;
3030
42df9532 3031 } else if (dns_transaction_key(dt)->type == DNS_TYPE_DS) {
94aa7071 3032
42df9532 3033 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 3034 if (r < 0)
3035 return r;
3036 if (r == 0)
3037 continue;
3038
6f055e43
LP		 3039 /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
3040 * non-zero, we won! */
94aa7071 3041
6f055e43 3042 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 3043 return false;
3044
42df9532 3045 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
94aa7071
LP		 3046 }
3047 }
3048 }
3049
3050 return found ? false : -ENXIO;
3051}
3052
b652d4a2
LP		 3053static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
3054 assert(t);
3055 assert(rr);
3056
3057 /* We know that the root domain is signed, hence if it appears
3058 * not to be signed, there's a problem with the DNS server */
3059
3060 return rr->key->class == DNS_CLASS_IN &&
1c02e7ba 3061 dns_name_is_root(dns_resource_key_name(rr->key));
b652d4a2
LP		 3062}
3063
0f87f3e8
LP		 3064static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
3065 DnsResourceRecord *rr;
3066 int r;
3067
3068 assert(t);
3069
3070 /* Maybe warn the user that we encountered a revoked DNSKEY
3071 * for a key from our trust anchor. Note that we don't care
3072 * whether the DNSKEY can be authenticated or not. It's
3073 * sufficient if it is self-signed. */
3074
3075 DNS_ANSWER_FOREACH(rr, t->answer) {
d424da2a 3076 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
0f87f3e8
LP		 3077 if (r < 0)
3078 return r;
3079 }
3080
3081 return 0;
3082}
3083
c9c72065
LP		 3084static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
3085 bool changed;
3086 int r;
3087
3088 assert(t);
3089
3090 /* Removes all DNSKEY/DS objects from t->validated_keys that
3091 * our trust anchors database considers revoked. */
3092
3093 do {
3094 DnsResourceRecord *rr;
3095
3096 changed = false;
3097
3098 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
3099 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
3100 if (r < 0)
3101 return r;
3102 if (r > 0) {
3103 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
3104 if (r < 0)
3105 return r;
3106
3107 assert(r > 0);
3108 changed = true;
3109 break;
3110 }
3111 }
3112 } while (changed);
3113
3114 return 0;
3115}
3116
942eb2e7
LP		 3117static int dns_transaction_copy_validated(DnsTransaction *t) {
3118 DnsTransaction *dt;
942eb2e7
LP		 3119 int r;
3120
3121 assert(t);
3122
3123 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
3124
90e74a66 3125 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 3126
3127 if (DNS_TRANSACTION_IS_LIVE(dt->state))
3128 continue;
3129
6f055e43 3130 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
942eb2e7
LP		 3131 continue;
3132
3133 r = dns_answer_extend(&t->validated_keys, dt->answer);
3134 if (r < 0)
3135 return r;
3136 }
3137
3138 return 0;
3139}
3140
c690b20a
ZJS		 3141typedef enum {
3142 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
3143 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
3144 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
3145} Phase;
3146
3147static int dnssec_validate_records(
3148 DnsTransaction *t,
3149 Phase phase,
3150 bool *have_nsec,
3151 DnsAnswer **validated) {
3152
547973de 3153 DnsResourceRecord *rr;
56352fe9 3154 int r;
547973de 3155
c690b20a 3156 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
547973de 3157
c690b20a 3158 DNS_ANSWER_FOREACH(rr, t->answer) {
71aee23d 3159 _unused_ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr_ref = dns_resource_record_ref(rr);
c690b20a
ZJS		 3160 DnsResourceRecord *rrsig = NULL;
3161 DnssecResult result;
547973de 3162
c690b20a
ZJS		 3163 switch (rr->key->type) {
3164 case DNS_TYPE_RRSIG:
3165 continue;
547973de 3166
c690b20a
ZJS		 3167 case DNS_TYPE_DNSKEY:
3168 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
3169 if (phase == DNSSEC_PHASE_NSEC)
3170 continue;
3171 break;
547973de 3172
c690b20a
ZJS		 3173 case DNS_TYPE_NSEC:
3174 case DNS_TYPE_NSEC3:
3175 *have_nsec = true;
547973de 3176
c690b20a
ZJS		 3177 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
3178 if (phase == DNSSEC_PHASE_DNSKEY)
3179 continue;
3180 break;
105e1512 3181
c690b20a
ZJS		 3182 default:
3183 /* We validate all other RRs only in the ALL phases */
3184 if (phase != DNSSEC_PHASE_ALL)
3185 continue;
3186 }
b652d4a2 3187
04617bf8
LP		 3188 r = dnssec_verify_rrset_search(
3189 t->answer,
3190 rr->key,
3191 t->validated_keys,
3192 USEC_INFINITY,
3193 &result,
3194 &rrsig);
c690b20a
ZJS		 3195 if (r < 0)
3196 return r;
547973de 3197
c690b20a 3198 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
0f87f3e8 3199
c690b20a 3200 if (result == DNSSEC_VALIDATED) {
04617bf8 3201 assert(rrsig);
942eb2e7 3202
c690b20a
ZJS		 3203 if (rr->key->type == DNS_TYPE_DNSKEY) {
3204 /* If we just validated a DNSKEY RRset, then let's add these keys to
3205 * the set of validated keys for this transaction. */
547973de 3206
04617bf8 3207 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
c690b20a
ZJS		 3208 if (r < 0)
3209 return r;
c9c72065 3210
c690b20a
ZJS		 3211 /* Some of the DNSKEYs we just added might already have been revoked,
3212 * remove them again in that case. */
3213 r = dns_transaction_invalidate_revoked_keys(t);
3214 if (r < 0)
3215 return r;
3216 }
547973de 3217
04617bf8
LP		 3218 /* Add the validated RRset to the new list of validated RRsets, and remove it from
3219 * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
3220 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
c690b20a
ZJS		 3221 if (r < 0)
3222 return r;
547973de 3223
c690b20a 3224 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
0c7bff0a 3225
c690b20a
ZJS		 3226 /* Exit the loop, we dropped something from the answer, start from the beginning */
3227 return 1;
3228 }
547973de 3229
c690b20a
ZJS		 3230 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
3231 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
3232 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
3233 if (phase != DNSSEC_PHASE_ALL)
3234 continue;
0c7bff0a 3235
c690b20a
ZJS		 3236 if (result == DNSSEC_VALIDATED_WILDCARD) {
3237 bool authenticated = false;
3238 const char *source;
0c7bff0a 3239
04617bf8
LP		 3240 assert(rrsig);
3241
c690b20a 3242 /* This RRset validated, but as a wildcard. This means we need
13e785f7 3243 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
0c7bff0a 3244
c690b20a
ZJS		 3245 /* First step, determine the source of synthesis */
3246 r = dns_resource_record_source(rrsig, &source);
3247 if (r < 0)
3248 return r;
0c7bff0a 3249
c690b20a 3250 r = dnssec_test_positive_wildcard(*validated,
1c02e7ba 3251 dns_resource_key_name(rr->key),
c690b20a
ZJS		 3252 source,
3253 rrsig->rrsig.signer,
3254 &authenticated);
0c7bff0a 3255
c690b20a
ZJS		 3256 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
3257 if (r == 0)
3258 result = DNSSEC_INVALID;
3259 else {
04617bf8
LP		 3260 r = dns_answer_move_by_key(
3261 validated,
3262 &t->answer,
3263 rr->key,
3264 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
3265 rrsig);
c690b20a
ZJS		 3266 if (r < 0)
3267 return r;
3268
3269 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
3270
3271 /* Exit the loop, we dropped something from the answer, start from the beginning */
3272 return 1;
0c7bff0a 3273 }
c690b20a 3274 }
0c7bff0a 3275
c690b20a
ZJS		 3276 if (result == DNSSEC_NO_SIGNATURE) {
3277 r = dns_transaction_requires_rrsig(t, rr);
547973de
LP		 3278 if (r < 0)
3279 return r;
c690b20a
ZJS		 3280 if (r == 0) {
3281 /* Data does not require signing. In that case, just copy it over,
13e785f7 3282 * but remember that this is by no means authenticated. */
04617bf8
LP		 3283 r = dns_answer_move_by_key(
3284 validated,
3285 &t->answer,
3286 rr->key,
3287 0,
3288 NULL);
c690b20a
ZJS		 3289 if (r < 0)
3290 return r;
3291
3292 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3293 return 1;
3294 }
547973de 3295
c690b20a
ZJS		 3296 r = dns_transaction_known_signed(t, rr);
3297 if (r < 0)
3298 return r;
3299 if (r > 0) {
3300 /* This is an RR we know has to be signed. If it isn't this means
3301 * the server is not attaching RRSIGs, hence complain. */
547973de 3302
c690b20a 3303 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
547973de 3304
c690b20a 3305 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
547973de 3306
c690b20a 3307 /* Downgrading is OK? If so, just consider the information unsigned */
c9c72065 3308
04617bf8 3309 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
c9c72065
LP		 3310 if (r < 0)
3311 return r;
547973de 3312
c690b20a
ZJS		 3313 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3314 return 1;
3315 }
a150ff5e 3316
c690b20a
ZJS		 3317 /* Otherwise, fail */
3318 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3319 return 0;
f3cf586d 3320 }
547973de 3321
c690b20a
ZJS		 3322 r = dns_transaction_in_private_tld(t, rr->key);
3323 if (r < 0)
3324 return r;
3325 if (r > 0) {
202b76ae 3326 char s[DNS_RESOURCE_KEY_STRING_MAX];
b652d4a2 3327
c690b20a
ZJS		 3328 /* The data is from a TLD that is proven not to exist, and we are in downgrade
3329 * mode, hence ignore the fact that this was not signed. */
0c7bff0a 3330
202b76ae
ZJS		 3331 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
3332 dns_resource_key_to_string(rr->key, s, sizeof s));
0c7bff0a 3333
04617bf8 3334 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
0c7bff0a
LP		 3335 if (r < 0)
3336 return r;
0c7bff0a 3337
c690b20a
ZJS		 3338 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3339 return 1;
3340 }
3341 }
0c7bff0a 3342
1ca36001
JM		 3343 /* https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 */
3344 if (result == DNSSEC_UNSUPPORTED_ALGORITHM) {
3345 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3346 if (r < 0)
3347 return r;
3348
3349 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3350 return 1;
3351 }
3352
c690b20a
ZJS		 3353 if (IN_SET(result,
3354 DNSSEC_MISSING_KEY,
1ca36001 3355 DNSSEC_SIGNATURE_EXPIRED)) {
0c7bff0a 3356
c690b20a
ZJS		 3357 r = dns_transaction_dnskey_authenticated(t, rr);
3358 if (r < 0 && r != -ENXIO)
3359 return r;
3360 if (r == 0) {
3361 /* The DNSKEY transaction was not authenticated, this means there's
3362 * no DS for this, which means it's OK if no keys are found for this signature. */
0c7bff0a 3363
04617bf8 3364 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
f3cf586d
LP		 3365 if (r < 0)
3366 return r;
b652d4a2 3367
c690b20a
ZJS		 3368 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3369 return 1;
3370 }
3371 }
b652d4a2 3372
c690b20a
ZJS		 3373 r = dns_transaction_is_primary_response(t, rr);
3374 if (r < 0)
3375 return r;
3376 if (r > 0) {
3377 /* Look for a matching DNAME for this CNAME */
3378 r = dns_answer_has_dname_for_cname(t->answer, rr);
3379 if (r < 0)
3380 return r;
3381 if (r == 0) {
3382 /* Also look among the stuff we already validated */
3383 r = dns_answer_has_dname_for_cname(*validated, rr);
f3cf586d
LP		 3384 if (r < 0)
3385 return r;
c690b20a 3386 }
d33b6cf3 3387
c690b20a
ZJS		 3388 if (r == 0) {
3389 if (IN_SET(result,
3390 DNSSEC_INVALID,
3391 DNSSEC_SIGNATURE_EXPIRED,
3392 DNSSEC_NO_SIGNATURE))
3393 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
3394 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
3395 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
3396
3397 /* This is a primary response to our question, and it failed validation.
3398 * That's fatal. */
3399 t->answer_dnssec_result = result;
3400 return 0;
3401 }
d33b6cf3 3402
c690b20a
ZJS		 3403 /* This is a primary response, but we do have a DNAME RR
3404 * in the RR that can replay this CNAME, hence rely on
3405 * that, and we can remove the CNAME in favour of it. */
3406 }
d33b6cf3 3407
c690b20a
ZJS		 3408 /* This is just some auxiliary data. Just remove the RRset and continue. */
3409 r = dns_answer_remove_by_key(&t->answer, rr->key);
3410 if (r < 0)
3411 return r;
d33b6cf3 3412
c690b20a
ZJS		 3413 /* We dropped something from the answer, start from the beginning. */
3414 return 1;
3415 }
f3cf586d 3416
c690b20a
ZJS		 3417 return 2; /* Finito. */
3418}
94aa7071 3419
c690b20a
ZJS		 3420int dns_transaction_validate_dnssec(DnsTransaction *t) {
3421 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
3422 Phase phase;
3423 DnsAnswerFlags flags;
3424 int r;
202b76ae 3425 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
94aa7071 3426
c690b20a 3427 assert(t);
94aa7071 3428
775ae354 3429 /* We have now collected all DS and DNSKEY RRs in t->validated_keys, let's see which RRs we can now
c690b20a 3430 * authenticate with that. */
94aa7071 3431
775ae354 3432 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
c690b20a 3433 return 0;
a150ff5e 3434
c690b20a
ZJS		 3435 /* Already validated */
3436 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3437 return 0;
105e1512 3438
c690b20a
ZJS		 3439 /* Our own stuff needs no validation */
3440 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3441 t->answer_dnssec_result = DNSSEC_VALIDATED;
6f055e43 3442 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
c690b20a
ZJS		 3443 return 0;
3444 }
a150ff5e 3445
c690b20a
ZJS		 3446 /* Cached stuff is not affected by validation. */
3447 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3448 return 0;
f3cf586d 3449
c690b20a
ZJS		 3450 if (!dns_transaction_dnssec_supported_full(t)) {
3451 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3452 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
d001e0a3 3453 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
c690b20a
ZJS		 3454 return 0;
3455 }
f3cf586d 3456
202b76ae
ZJS		 3457 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3458 t->id,
42df9532 3459 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
547973de 3460
c690b20a
ZJS		 3461 /* First, see if this response contains any revoked trust
3462 * anchors we care about */
3463 r = dns_transaction_check_revoked_trust_anchors(t);
3464 if (r < 0)
3465 return r;
43e6779a 3466
c690b20a
ZJS		 3467 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3468 r = dns_transaction_copy_validated(t);
3469 if (r < 0)
3470 return r;
43e6779a 3471
c690b20a
ZJS		 3472 /* Second, see if there are DNSKEYs we already know a
3473 * validated DS for. */
3474 r = dns_transaction_validate_dnskey_by_ds(t);
3475 if (r < 0)
3476 return r;
43e6779a 3477
c690b20a
ZJS		 3478 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3479 * anchor says are revoked. After all we might have marked
3480 * some keys revoked above, but they might still be lingering
3481 * in our validated_keys list. */
3482 r = dns_transaction_invalidate_revoked_keys(t);
3483 if (r < 0)
3484 return r;
f3cf586d 3485
c690b20a
ZJS		 3486 phase = DNSSEC_PHASE_DNSKEY;
3487 for (;;) {
3488 bool have_nsec = false;
f3cf586d 3489
c690b20a
ZJS		 3490 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3491 if (r <= 0)
3492 return r;
547973de 3493
c690b20a
ZJS		 3494 /* Try again as long as we managed to achieve something */
3495 if (r == 1)
547973de
LP		 3496 continue;
3497
c690b20a 3498 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
0c7bff0a 3499 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
c690b20a 3500 phase = DNSSEC_PHASE_NSEC;
0c7bff0a
LP		 3501 continue;
3502 }
3503
c690b20a
ZJS		 3504 if (phase != DNSSEC_PHASE_ALL) {
3505 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3506 * Note that in this third phase we start to remove RRs we couldn't validate. */
3507 phase = DNSSEC_PHASE_ALL;
56352fe9 3508 continue;
547973de
LP		 3509 }
3510
56352fe9 3511 /* We're done */
547973de
LP		 3512 break;
3513 }
3514
1117a960 3515 DNS_ANSWER_REPLACE(t->answer, TAKE_PTR(validated));
547973de 3516
72667f08
LP		 3517 /* At this point the answer only contains validated
3518 * RRsets. Now, let's see if it actually answers the question
3519 * we asked. If so, great! If it doesn't, then see if
3520 * NSEC/NSEC3 can prove this. */
105e1512 3521 r = dns_transaction_has_positive_answer(t, &flags);
72667f08 3522 if (r > 0) {
105e1512
LP		 3523 /* Yes, it answers the question! */
3524
3525 if (flags & DNS_ANSWER_AUTHENTICATED) {
3526 /* The answer is fully authenticated, yay. */
019036a4 3527 t->answer_dnssec_result = DNSSEC_VALIDATED;
105e1512 3528 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3529 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
105e1512
LP		 3530 } else {
3531 /* The answer is not fully authenticated. */
019036a4 3532 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3533 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
105e1512
LP		 3534 }
3535
72667f08
LP		 3536 } else if (r == 0) {
3537 DnssecNsecResult nr;
ed29bfdc 3538 bool authenticated = false;
72667f08
LP		 3539
3540 /* Bummer! Let's check NSEC/NSEC3 */
42df9532 3541 r = dnssec_nsec_test(t->answer, dns_transaction_key(t), &nr, &authenticated, &t->answer_nsec_ttl);
72667f08
LP		 3542 if (r < 0)
3543 return r;
3544
3545 switch (nr) {
3546
3547 case DNSSEC_NSEC_NXDOMAIN:
3548 /* NSEC proves the domain doesn't exist. Very good. */
202b76ae 3549 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3550 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3551 t->answer_rcode = DNS_RCODE_NXDOMAIN;
6f055e43 3552 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3553
42df9532 3554 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3555 break;
3556
3557 case DNSSEC_NSEC_NODATA:
3558 /* NSEC proves that there's no data here, very good. */
202b76ae 3559 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3560 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3561 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3562 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3563
42df9532 3564 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3565 break;
3566
105e1512
LP		 3567 case DNSSEC_NSEC_OPTOUT:
3568 /* NSEC3 says the data might not be signed */
202b76ae 3569 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3570 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3571 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
7aa8ce98 3572
42df9532 3573 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3574 break;
3575
72667f08
LP		 3576 case DNSSEC_NSEC_NO_RR:
3577 /* No NSEC data? Bummer! */
105e1512
LP		 3578
3579 r = dns_transaction_requires_nsec(t);
3580 if (r < 0)
3581 return r;
7aa8ce98 3582 if (r > 0) {
019036a4 3583 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
42df9532 3584 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
7aa8ce98 3585 } else {
019036a4 3586 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3587 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
42df9532 3588 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3589 }
3590
3591 break;
3592
3593 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3594 /* We don't know the NSEC3 algorithm used? */
019036a4 3595 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
42df9532 3596 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, dns_transaction_key(t));
72667f08
LP		 3597 break;
3598
3599 case DNSSEC_NSEC_FOUND:
146035b3 3600 case DNSSEC_NSEC_CNAME:
72667f08 3601 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
019036a4 3602 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
42df9532 3603 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
72667f08
LP		 3604 break;
3605
3606 default:
04499a70 3607 assert_not_reached();
72667f08
LP		 3608 }
3609 }
3610
547973de
LP		 3611 return 1;
3612}
3613
ec2c5e43 3614static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
e3e64a1a
ZJS		 3615 [DNS_TRANSACTION_NULL] = "null",
3616 [DNS_TRANSACTION_PENDING] = "pending",
3617 [DNS_TRANSACTION_VALIDATING] = "validating",
3618 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3619 [DNS_TRANSACTION_SUCCESS] = "success",
3620 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3621 [DNS_TRANSACTION_TIMEOUT] = "timeout",
ec2c5e43 3622 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
e3e64a1a
ZJS		 3623 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3624 [DNS_TRANSACTION_ERRNO] = "errno",
3625 [DNS_TRANSACTION_ABORTED] = "aborted",
3626 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3627 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3628 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3629 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3630 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3631 [DNS_TRANSACTION_NO_SOURCE] = "no-source",
3632 [DNS_TRANSACTION_STUB_LOOP] = "stub-loop",
ec2c5e43
LP		 3633};
3634DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
c3bc53e6
LP		 3635
3636static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
e3e64a1a
ZJS		 3637 [DNS_TRANSACTION_NETWORK] = "network",
3638 [DNS_TRANSACTION_CACHE] = "cache",
3639 [DNS_TRANSACTION_ZONE] = "zone",
0d2cd476 3640 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
c3bc53e6
LP		 3641};
3642DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.