]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #18679 from keszybz/rfkill-size-leniency
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
CommitLineData
db9ecf05 1/* SPDX-License-Identifier: LGPL-2.1-or-later */
ec2c5e43 2
62cc1c55 3#include "sd-messages.h"
beef6a5f 4
ec2c5e43 5#include "af-list.h"
b5efdb8a 6#include "alloc-util.h"
f52e61da 7#include "dns-domain.h"
7cc6ed7b 8#include "errno-list.h"
c3fecddf 9#include "errno-util.h"
3ffd4af2
LP		 10#include "fd-util.h"
11#include "random-util.h"
7778dfff 12#include "resolved-dns-cache.h"
3ffd4af2 13#include "resolved-dns-transaction.h"
6016fcb0 14#include "resolved-dnstls.h"
aedf00a2 15#include "resolved-llmnr.h"
6016fcb0 16#include "string-table.h"
5d67a7ae 17
b214dc0f 18#define TRANSACTIONS_MAX 4096
dc349f5f 19#define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
b214dc0f 20
dbc4661a
MCO		 21/* After how much time to repeat classic DNS requests */
22#define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
23
c61d2b44
LP		 24static void dns_transaction_reset_answer(DnsTransaction *t) {
25 assert(t);
26
27 t->received = dns_packet_unref(t->received);
28 t->answer = dns_answer_unref(t->answer);
29 t->answer_rcode = 0;
30 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
31 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
6f055e43 32 t->answer_query_flags = 0;
d3760be0 33 t->answer_nsec_ttl = (uint32_t) -1;
7cc6ed7b 34 t->answer_errno = 0;
c61d2b44
LP		 35}
36
c5b4f861
LP		 37static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
38 DnsTransaction *z;
39
40 assert(t);
41
42 while ((z = set_steal_first(t->dnssec_transactions))) {
43 set_remove(z->notify_transactions, t);
35aa04e9 44 set_remove(z->notify_transactions_done, t);
c5b4f861
LP		 45 dns_transaction_gc(z);
46 }
47}
48
80710ade
LP		 49static void dns_transaction_close_connection(
50 DnsTransaction *t,
51 bool use_graveyard) { /* Set use_graveyard = false when you know the connection is already
52 * dead, for example because you got a connection error back from the
53 * kernel. In that case there's no point in keeping the fd around,
54 * hence don't. */
55 int r;
56
f32f0e57
LP		 57 assert(t);
58
b30bf55d
LP		 59 if (t->stream) {
60 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
98767d75
IT		 61 LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
62
63 /* Remove packet in case it's still in the queue */
64 dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
65
b30bf55d
LP		 66 t->stream = dns_stream_unref(t->stream);
67 }
68
f32f0e57 69 t->dns_udp_event_source = sd_event_source_unref(t->dns_udp_event_source);
80710ade
LP		 70
71 /* If we have an UDP socket where we sent a packet, but never received one, then add it to the socket
72 * graveyard, instead of closing it right away. That way it will stick around for a moment longer,
73 * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP
74 * port unreachable error message. */
75
76 if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) {
77 r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd);
78 if (r < 0)
79 log_debug_errno(r, "Failed to add UDP socket to graveyard, closing immediately: %m");
80 else
81 TAKE_FD(t->dns_udp_fd);
82 }
83
f32f0e57
LP		 84 t->dns_udp_fd = safe_close(t->dns_udp_fd);
85}
86
f535705a 87static void dns_transaction_stop_timeout(DnsTransaction *t) {
97cc656c
LP		 88 assert(t);
89
90 t->timeout_event_source = sd_event_source_unref(t->timeout_event_source);
97cc656c
LP		 91}
92
ec2c5e43 93DnsTransaction* dns_transaction_free(DnsTransaction *t) {
801ad6a6 94 DnsQueryCandidate *c;
ec2c5e43 95 DnsZoneItem *i;
547973de 96 DnsTransaction *z;
ec2c5e43
LP		 97
98 if (!t)
99 return NULL;
100
51e399bc
LP		 101 log_debug("Freeing transaction %" PRIu16 ".", t->id);
102
80710ade 103 dns_transaction_close_connection(t, true);
f535705a 104 dns_transaction_stop_timeout(t);
ec2c5e43 105
ec2c5e43 106 dns_packet_unref(t->sent);
c61d2b44 107 dns_transaction_reset_answer(t);
ec2c5e43 108
8300ba21 109 dns_server_unref(t->server);
ec2c5e43
LP		 110
111 if (t->scope) {
775ae354
LP		 112 if (t->key) {
113 DnsTransaction *first;
114
115 first = hashmap_get(t->scope->transactions_by_key, t->key);
116 LIST_REMOVE(transactions_by_key, first, t);
117 if (first)
118 hashmap_replace(t->scope->transactions_by_key, first->key, first);
119 else
120 hashmap_remove(t->scope->transactions_by_key, t->key);
121 }
ec2c5e43 122
775ae354 123 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
ec2c5e43
LP		 124 }
125
775ae354
LP		 126 if (t->id != 0)
127 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
128
547973de 129 while ((c = set_steal_first(t->notify_query_candidates)))
801ad6a6 130 set_remove(c->transactions, t);
547973de 131 set_free(t->notify_query_candidates);
801ad6a6 132
35aa04e9
LP		 133 while ((c = set_steal_first(t->notify_query_candidates_done)))
134 set_remove(c->transactions, t);
135 set_free(t->notify_query_candidates_done);
136
547973de 137 while ((i = set_steal_first(t->notify_zone_items)))
ec2c5e43 138 i->probe_transaction = NULL;
547973de
LP		 139 set_free(t->notify_zone_items);
140
35aa04e9
LP		 141 while ((i = set_steal_first(t->notify_zone_items_done)))
142 i->probe_transaction = NULL;
143 set_free(t->notify_zone_items_done);
144
547973de
LP		 145 while ((z = set_steal_first(t->notify_transactions)))
146 set_remove(z->dnssec_transactions, t);
147 set_free(t->notify_transactions);
148
35aa04e9
LP		 149 while ((z = set_steal_first(t->notify_transactions_done)))
150 set_remove(z->dnssec_transactions, t);
151 set_free(t->notify_transactions_done);
152
c5b4f861 153 dns_transaction_flush_dnssec_transactions(t);
547973de
LP		 154 set_free(t->dnssec_transactions);
155
156 dns_answer_unref(t->validated_keys);
97cc656c 157 dns_resource_key_unref(t->key);
775ae354 158 dns_packet_unref(t->bypass);
97cc656c 159
6b430fdb 160 return mfree(t);
ec2c5e43
LP		 161}
162
163DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
164
1f388301 165DnsTransaction* dns_transaction_gc(DnsTransaction *t) {
ec2c5e43
LP		 166 assert(t);
167
1f388301
ZJS		 168 /* Returns !NULL if we can't gc yet. */
169
ec2c5e43 170 if (t->block_gc > 0)
1f388301 171 return t;
ec2c5e43 172
547973de 173 if (set_isempty(t->notify_query_candidates) &&
35aa04e9 174 set_isempty(t->notify_query_candidates_done) &&
547973de 175 set_isempty(t->notify_zone_items) &&
35aa04e9
LP		 176 set_isempty(t->notify_zone_items_done) &&
177 set_isempty(t->notify_transactions) &&
1f388301
ZJS		 178 set_isempty(t->notify_transactions_done))
179 return dns_transaction_free(t);
51e399bc 180
1f388301 181 return t;
ec2c5e43
LP		 182}
183
4dd15077
LP		 184static uint16_t pick_new_id(Manager *m) {
185 uint16_t new_id;
186
4ea8b443
ZJS		 187 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the
188 * number of transactions, and it's much lower than the space of IDs. */
4dd15077
LP		 189
190 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
191
192 do
193 random_bytes(&new_id, sizeof(new_id));
194 while (new_id == 0 ||
195 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
196
197 return new_id;
198}
199
775ae354
LP		 200static int key_ok(
201 DnsScope *scope,
202 DnsResourceKey *key) {
ec2c5e43 203
9eae2bf3 204 /* Don't allow looking up invalid or pseudo RRs */
c463eb78 205 if (!dns_type_is_valid_query(key->type))
9eae2bf3 206 return -EINVAL;
d0129ddb
LP		 207 if (dns_type_is_obsolete(key->type))
208 return -EOPNOTSUPP;
9eae2bf3
LP		 209
210 /* We only support the IN class */
4c701096 211 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
9eae2bf3
LP		 212 return -EOPNOTSUPP;
213
775ae354
LP		 214 /* Don't allows DNSSEC RRs to be looked up via LLMNR/mDNS. They don't really make sense
215 * there, and it speeds up our queries if we refuse this early */
216 if (scope->protocol != DNS_PROTOCOL_DNS &&
217 dns_type_is_dnssec(key->type))
218 return -EOPNOTSUPP;
219
220 return 0;
221}
222
223int dns_transaction_new(
224 DnsTransaction **ret,
225 DnsScope *s,
226 DnsResourceKey *key,
227 DnsPacket *bypass,
228 uint64_t query_flags) {
229
230 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
231 int r;
232
233 assert(ret);
234 assert(s);
235
236 if (key) {
237 assert(!bypass);
238
239 r = key_ok(s, key);
240 if (r < 0)
241 return r;
242 } else {
243 DnsResourceKey *qk;
244 assert(bypass);
245
246 r = dns_packet_validate_query(bypass);
247 if (r < 0)
248 return r;
249
250 DNS_QUESTION_FOREACH(qk, bypass->question) {
251 r = key_ok(s, qk);
252 if (r < 0)
253 return r;
254 }
255 }
256
b214dc0f
LP		 257 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
258 return -EBUSY;
259
d5099efc 260 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
ec2c5e43
LP		 261 if (r < 0)
262 return r;
263
775ae354
LP		 264 if (key) {
265 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
266 if (r < 0)
267 return r;
268 }
da0c630e 269
1ed31408 270 t = new(DnsTransaction, 1);
ec2c5e43
LP		 271 if (!t)
272 return -ENOMEM;
273
1ed31408
LP		 274 *t = (DnsTransaction) {
275 .dns_udp_fd = -1,
276 .answer_source = _DNS_TRANSACTION_SOURCE_INVALID,
277 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
278 .answer_nsec_ttl = (uint32_t) -1,
279 .key = dns_resource_key_ref(key),
775ae354
LP		 280 .query_flags = query_flags,
281 .bypass = dns_packet_ref(bypass),
1ed31408 282 .current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed4e584
LP		 283 .clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID,
284 .clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID,
1ed31408
LP		 285 .id = pick_new_id(s->manager),
286 };
ec2c5e43
LP		 287
288 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
289 if (r < 0) {
290 t->id = 0;
291 return r;
292 }
293
775ae354
LP		 294 if (t->key) {
295 DnsTransaction *first;
296
297 first = hashmap_get(s->transactions_by_key, t->key);
298 LIST_PREPEND(transactions_by_key, first, t);
299
300 r = hashmap_replace(s->transactions_by_key, first->key, first);
301 if (r < 0) {
302 LIST_REMOVE(transactions_by_key, first, t);
303 return r;
304 }
da0c630e
LP		 305 }
306
f9ebb22a 307 LIST_PREPEND(transactions_by_scope, s->transactions, t);
ec2c5e43
LP		 308 t->scope = s;
309
313cefa1 310 s->manager->n_transactions_total++;
a150ff5e 311
ec2c5e43
LP		 312 if (ret)
313 *ret = t;
314
775ae354 315 TAKE_PTR(t);
ec2c5e43
LP		 316 return 0;
317}
318
4dd15077
LP		 319static void dns_transaction_shuffle_id(DnsTransaction *t) {
320 uint16_t new_id;
321 assert(t);
322
323 /* Pick a new ID for this transaction. */
324
325 new_id = pick_new_id(t->scope->manager);
326 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
327
328 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
329 t->id = new_id;
330
331 /* Make sure we generate a new packet with the new ID */
332 t->sent = dns_packet_unref(t->sent);
333}
334
ec2c5e43 335static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
2fb3034c 336 _cleanup_free_ char *pretty = NULL;
202b76ae 337 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43 338 DnsZoneItem *z;
ec2c5e43
LP		 339
340 assert(t);
341 assert(p);
94378145 342 assert(t->scope->protocol == DNS_PROTOCOL_LLMNR);
ec2c5e43 343
94378145 344 if (manager_packet_from_local_address(t->scope->manager, p) != 0)
ec2c5e43
LP		 345 return;
346
164d025d 347 (void) in_addr_to_string(p->family, &p->sender, &pretty);
2fb3034c 348
a5784c49
LP		 349 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
350 t->id,
42df9532 351 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 352 dns_protocol_to_string(t->scope->protocol),
6ff79f76 353 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 354 af_to_name_short(t->scope->family),
164d025d 355 strnull(pretty));
ec2c5e43 356
a4076574
LP		 357 /* RFC 4795, Section 4.1 says that the peer with the
358 * lexicographically smaller IP address loses */
4d91eec4
LP		 359 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
360 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
a4076574
LP		 361 return;
362 }
363
4d91eec4 364 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
a4076574 365
ec2c5e43 366 t->block_gc++;
35aa04e9 367
547973de 368 while ((z = set_first(t->notify_zone_items))) {
3ef64445
LP		 369 /* First, make sure the zone item drops the reference
370 * to us */
371 dns_zone_item_probe_stop(z);
372
373 /* Secondly, report this as conflict, so that we might
374 * look for a different hostname */
ec2c5e43 375 dns_zone_item_conflict(z);
3ef64445 376 }
ec2c5e43
LP		 377 t->block_gc--;
378
379 dns_transaction_gc(t);
380}
381
382void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
801ad6a6 383 DnsQueryCandidate *c;
ec2c5e43 384 DnsZoneItem *z;
547973de 385 DnsTransaction *d;
7cc6ed7b 386 const char *st;
202b76ae 387 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
ec2c5e43
LP		 388
389 assert(t);
547973de 390 assert(!DNS_TRANSACTION_IS_LIVE(state));
e56187ca 391
202b76ae 392 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
42df9532 393 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
202b76ae 394
f61dfddb 395 log_struct(LOG_NOTICE,
2b044526 396 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
202b76ae 397 LOG_MESSAGE("DNSSEC validation failed for question %s: %s", key_str, dnssec_result_to_string(t->answer_dnssec_result)),
f61dfddb 398 "DNS_TRANSACTION=%" PRIu16, t->id,
202b76ae 399 "DNS_QUESTION=%s", key_str,
f61dfddb 400 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
8aa5afd2 401 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
a1230ff9 402 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
202b76ae 403 }
f61dfddb 404
ec2c5e43
LP		 405 /* Note that this call might invalidate the query. Callers
406 * should hence not attempt to access the query or transaction
407 * after calling this function. */
408
7cc6ed7b
LP		 409 if (state == DNS_TRANSACTION_ERRNO)
410 st = errno_to_name(t->answer_errno);
411 else
412 st = dns_transaction_state_to_string(state);
413
43fc4baa 414 log_debug("%s transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s; %s).",
775ae354 415 t->bypass ? "Bypass" : "Regular",
a5784c49 416 t->id,
42df9532 417 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
ec2c5e43 418 dns_protocol_to_string(t->scope->protocol),
6ff79f76 419 t->scope->link ? t->scope->link->ifname : "*",
202b76ae 420 af_to_name_short(t->scope->family),
7cc6ed7b 421 st,
a5784c49 422 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
775ae354 423 FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
43fc4baa
LP		 424 (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"),
425 FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential");
ec2c5e43
LP		 426
427 t->state = state;
428
80710ade 429 dns_transaction_close_connection(t, true);
f535705a 430 dns_transaction_stop_timeout(t);
ec2c5e43
LP		 431
432 /* Notify all queries that are interested, but make sure the
433 * transaction isn't freed while we are still looking at it */
434 t->block_gc++;
f7014757 435
35aa04e9 436 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
547973de 437 dns_query_candidate_notify(c);
35aa04e9 438 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
ec2c5e43 439
35aa04e9
LP		 440 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
441 dns_zone_item_notify(z);
442 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
8d67e72c 443 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
1a63fc54 444 (void) dns_scope_announce(t->scope, false);
f7014757 445
35aa04e9
LP		 446 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
447 dns_transaction_notify(d, t);
448 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
f7014757
LP		 449
450 t->block_gc--;
ec2c5e43
LP		 451 dns_transaction_gc(t);
452}
453
fd8a3017
LP		 454static void dns_transaction_complete_errno(DnsTransaction *t, int error) {
455 assert(t);
456 assert(error != 0);
457
458 t->answer_errno = abs(error);
459 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
460}
461
519ef046
LP		 462static int dns_transaction_pick_server(DnsTransaction *t) {
463 DnsServer *server;
464
465 assert(t);
466 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
467
d001e0a3
LP		 468 /* Pick a DNS server and a feature level for it. */
469
519ef046
LP		 470 server = dns_scope_get_dns_server(t->scope);
471 if (!server)
472 return -ESRCH;
473
d001e0a3
LP		 474 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
475 * different properties. */
1ed4e584
LP		 476 if (server != t->server) {
477 t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
478 t->clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID;
479 }
d001e0a3 480
274b8748 481 t->current_feature_level = dns_server_possible_feature_level(server);
519ef046 482
d001e0a3 483 /* Clamp the feature level if that is requested. */
1ed4e584
LP		 484 if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
485 t->current_feature_level > t->clamp_feature_level_servfail)
486 t->current_feature_level = t->clamp_feature_level_servfail;
487 if (t->clamp_feature_level_nxdomain != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
488 t->current_feature_level > t->clamp_feature_level_nxdomain)
489 t->current_feature_level = t->clamp_feature_level_nxdomain;
d001e0a3
LP		 490
491 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
492
519ef046
LP		 493 if (server == t->server)
494 return 0;
495
496 dns_server_unref(t->server);
497 t->server = dns_server_ref(server);
498
44db02d0
LP		 499 t->n_picked_servers ++;
500
8aa5afd2 501 log_debug("Using DNS server %s for transaction %u.", strna(dns_server_string_full(t->server)), t->id);
d001e0a3 502
519ef046
LP		 503 return 1;
504}
505
d001e0a3 506static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
8d10d620
LP		 507 int r;
508
509 assert(t);
510
7ef863a7
LP		 511 /* Retries the transaction as it is, possibly on a different server */
512
513 if (next_server)
514 log_debug("Retrying transaction %" PRIu16 ", after switching servers.", t->id);
515 else
516 log_debug("Retrying transaction %" PRIu16 ".", t->id);
8d10d620
LP		 517
518 /* Before we try again, switch to a new server. */
d001e0a3 519 if (next_server)
5e8bc852 520 dns_scope_next_dns_server(t->scope, t->server);
8d10d620
LP		 521
522 r = dns_transaction_go(t);
fd8a3017
LP		 523 if (r < 0)
524 dns_transaction_complete_errno(t, r);
8d10d620
LP		 525}
526
9147b591
LP		 527static bool dns_transaction_limited_retry(DnsTransaction *t) {
528 assert(t);
529
530 /* If we haven't tried all different servers yet, let's try again with a different server */
531
532 if (t->n_picked_servers >= dns_scope_get_n_dns_servers(t->scope))
533 return false;
534
535 dns_transaction_retry(t, /* next_server= */ true);
536 return true;
537}
538
c02cf2f4 539static int dns_transaction_maybe_restart(DnsTransaction *t) {
5278bbfe
LP		 540 int r;
541
c02cf2f4
LP		 542 assert(t);
543
9147b591
LP		 544 /* Restarts the transaction, under a new ID if the feature level of the server changed since we first
545 * tried, without changing DNS server. Returns > 0 if the transaction was restarted, 0 if not. */
5278bbfe 546
c02cf2f4
LP		 547 if (!t->server)
548 return 0;
549
550 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
551 return 0;
552
553 /* The server's current feature level is lower than when we sent the original query. We learnt something from
554 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
555 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
556 OPT RR or DO bit. One of these cases is documented here, for example:
557 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
558
4dd15077
LP		 559 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
560 dns_transaction_shuffle_id(t);
5278bbfe
LP		 561
562 r = dns_transaction_go(t);
563 if (r < 0)
564 return r;
565
566 return 1;
c02cf2f4
LP		 567}
568
98767d75
IT		 569static void on_transaction_stream_error(DnsTransaction *t, int error) {
570 assert(t);
ec2c5e43 571
80710ade 572 dns_transaction_close_connection(t, true);
ec2c5e43 573
a1a3f73a 574 if (ERRNO_IS_DISCONNECT(error)) {
0791110f
LP		 575 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
576 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
577 * question on this scope. */
578 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
daab72ea 579 return;
0791110f
LP		 580 }
581
d001e0a3 582 dns_transaction_retry(t, true);
daab72ea 583 return;
ac720200 584 }
fd8a3017
LP		 585 if (error != 0)
586 dns_transaction_complete_errno(t, error);
98767d75
IT		 587}
588
43fc4baa
LP		 589static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsStream *s, DnsPacket *p) {
590 bool encrypted;
591
98767d75 592 assert(t);
43fc4baa 593 assert(s);
98767d75
IT		 594 assert(p);
595
43fc4baa
LP		 596 encrypted = s->encrypted;
597
80710ade 598 dns_transaction_close_connection(t, true);
ec2c5e43 599
a4076574 600 if (dns_packet_validate_reply(p) <= 0) {
a20b9592 601 log_debug("Invalid TCP reply packet.");
a4076574
LP		 602 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
603 return 0;
604 }
605
606 dns_scope_check_conflicts(t->scope, p);
607
ec2c5e43 608 t->block_gc++;
43fc4baa 609 dns_transaction_process_reply(t, p, encrypted);
ec2c5e43
LP		 610 t->block_gc--;
611
519ef046
LP		 612 /* If the response wasn't useful, then complete the transition
613 * now. After all, we are the worst feature set now with TCP
614 * sockets, and there's really no point in retrying. */
ec2c5e43
LP		 615 if (t->state == DNS_TRANSACTION_PENDING)
616 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
598f44bd
LP		 617 else
618 dns_transaction_gc(t);
ec2c5e43
LP		 619
620 return 0;
621}
622
98767d75 623static int on_stream_complete(DnsStream *s, int error) {
7172e4ee 624 assert(s);
98767d75
IT		 625
626 if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
98767d75
IT		 627 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
628
629 if (s->transactions) {
97d5d905
LP		 630 DnsTransaction *t;
631
98767d75 632 t = s->transactions;
3da3cdd5 633 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
98767d75
IT		 634 }
635 }
636
97d5d905
LP		 637 if (error != 0) {
638 DnsTransaction *t, *n;
639
640 LIST_FOREACH_SAFE(transactions_by_stream, t, n, s->transactions)
98767d75 641 on_transaction_stream_error(t, error);
97d5d905 642 }
98767d75 643
97d5d905 644 return 0;
98767d75
IT		 645}
646
747a8a74 647static int on_stream_packet(DnsStream *s) {
98767d75 648 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
98767d75
IT		 649 DnsTransaction *t;
650
aa337a5e
LP		 651 assert(s);
652
98767d75 653 /* Take ownership of packet to be able to receive new packets */
43fc4baa 654 assert_se(p = dns_stream_take_read_packet(s));
98767d75
IT		 655
656 t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
b52eac20
LP		 657 if (t && t->stream == s) /* Validate that the stream we got this on actually is the stream the
658 * transaction was using. */
43fc4baa 659 return dns_transaction_on_stream_packet(t, s, p);
98767d75 660
8227cfa1 661 /* Ignore incorrect transaction id as an old transaction can have been canceled. */
30f9e0bf 662 log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
aa337a5e 663 return 0;
98767d75
IT		 664}
665
da9de738 666static uint16_t dns_transaction_port(DnsTransaction *t) {
775ae354
LP		 667 assert(t);
668
da9de738
YW		 669 if (t->server->port > 0)
670 return t->server->port;
775ae354 671
da9de738 672 return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
ec962fba
LP		 673}
674
98767d75 675static int dns_transaction_emit_tcp(DnsTransaction *t) {
98767d75 676 _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
652ba568 677 _cleanup_close_ int fd = -1;
91ccab1e 678 union sockaddr_union sa;
652ba568 679 DnsStreamType type;
ec2c5e43
LP		 680 int r;
681
682 assert(t);
775ae354 683 assert(t->sent);
ec2c5e43 684
80710ade 685 dns_transaction_close_connection(t, true);
ec2c5e43 686
106784eb 687 switch (t->scope->protocol) {
519ef046 688
106784eb 689 case DNS_PROTOCOL_DNS:
519ef046
LP		 690 r = dns_transaction_pick_server(t);
691 if (r < 0)
692 return r;
693
49ef064c
LP		 694 if (manager_server_is_stub(t->scope->manager, t->server))
695 return -ELOOP;
696
775ae354
LP		 697 if (!t->bypass) {
698 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
699 return -EOPNOTSUPP;
91adc4db 700
775ae354
LP		 701 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
702 if (r < 0)
703 return r;
704 }
519ef046 705
5d67a7ae 706 if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
98767d75
IT		 707 s = dns_stream_ref(t->server->stream);
708 else
da9de738 709 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_transaction_port(t), &sa);
98767d75 710
652ba568 711 type = DNS_STREAM_LOOKUP;
106784eb 712 break;
ec2c5e43 713
106784eb 714 case DNS_PROTOCOL_LLMNR:
a8f6397f 715 /* When we already received a reply to this (but it was truncated), send to its sender address */
ec2c5e43 716 if (t->received)
91ccab1e 717 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
ec2c5e43
LP		 718 else {
719 union in_addr_union address;
a7f7d1bd 720 int family = AF_UNSPEC;
ec2c5e43
LP		 721
722 /* Otherwise, try to talk to the owner of a
723 * the IP address, in case this is a reverse
724 * PTR lookup */
f52e61da 725
42df9532 726 r = dns_name_address(dns_resource_key_name(dns_transaction_key(t)), &family, &address);
ec2c5e43
LP		 727 if (r < 0)
728 return r;
729 if (r == 0)
730 return -EINVAL;
9e08a6e0 731 if (family != t->scope->family)
9318cdd3 732 return -ESRCH;
ec2c5e43 733
91ccab1e 734 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
ec2c5e43 735 }
106784eb 736
652ba568 737 type = DNS_STREAM_LLMNR_SEND;
106784eb
DM		 738 break;
739
740 default:
ec2c5e43 741 return -EAFNOSUPPORT;
106784eb 742 }
ec2c5e43 743
98767d75
IT		 744 if (!s) {
745 if (fd < 0)
746 return fd;
ec2c5e43 747
652ba568 748 r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa);
98767d75
IT		 749 if (r < 0)
750 return r;
751
752 fd = -1;
753
56ddbf10 754#if ENABLE_DNS_OVER_TLS
199dda9c
LP		 755 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
756 DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
757
b02a7e1a 758 assert(t->server);
6016fcb0 759 r = dnstls_stream_connect_tls(s, t->server);
5d67a7ae
IT		 760 if (r < 0)
761 return r;
762 }
763#endif
764
19feb28f 765 if (t->server) {
904dcaf9 766 dns_server_unref_stream(t->server);
19feb28f 767 s->server = dns_server_ref(t->server);
8227cfa1 768 t->server->stream = dns_stream_ref(s);
19feb28f
IT		 769 }
770
98767d75 771 s->complete = on_stream_complete;
747a8a74 772 s->on_packet = on_stream_packet;
98767d75
IT		 773
774 /* The interface index is difficult to determine if we are
775 * connecting to the local host, hence fill this in right away
776 * instead of determining it from the socket */
777 s->ifindex = dns_scope_ifindex(t->scope);
778 }
779
780 t->stream = TAKE_PTR(s);
781 LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
ec2c5e43
LP		 782
783 r = dns_stream_write_packet(t->stream, t->sent);
784 if (r < 0) {
80710ade 785 dns_transaction_close_connection(t, /* use_graveyard= */ false);
ec2c5e43
LP		 786 return r;
787 }
788
519ef046
LP		 789 dns_transaction_reset_answer(t);
790
cbe4216d
LP		 791 t->tried_stream = true;
792
ec2c5e43
LP		 793 return 0;
794}
795
547973de 796static void dns_transaction_cache_answer(DnsTransaction *t) {
547973de
LP		 797 assert(t);
798
799 /* For mDNS we cache whenever we get the packet, rather than
800 * in each transaction. */
801 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
802 return;
803
ceeddf79 804 /* Caching disabled? */
37d7a7d9 805 if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO)
ceeddf79
MP		 806 return;
807
775ae354
LP		 808 /* If validation is turned off for this transaction, but DNSSEC is on, then let's not cache this */
809 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) && t->scope->dnssec_mode != DNSSEC_NO)
810 return;
811
6d8325f6
PS		 812 /* Packet from localhost? */
813 if (!t->scope->manager->cache_from_localhost &&
814 in_addr_is_localhost(t->received->family, &t->received->sender) != 0)
547973de
LP		 815 return;
816
547973de 817 dns_cache_put(&t->scope->cache,
37d7a7d9 818 t->scope->manager->enable_cache,
42df9532 819 dns_transaction_key(t),
547973de
LP		 820 t->answer_rcode,
821 t->answer,
775ae354
LP		 822 DNS_PACKET_CD(t->received) ? t->received : NULL, /* only cache full packets with CD on,
823 * since our usecase for caching them
824 * is "bypass" mode which is only
825 * enabled for CD packets. */
6f055e43 826 t->answer_query_flags,
775ae354 827 t->answer_dnssec_result,
d3760be0 828 t->answer_nsec_ttl,
547973de
LP		 829 t->received->family,
830 &t->received->sender);
831}
832
105e1512
LP		 833static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
834 DnsTransaction *dt;
105e1512
LP		 835
836 assert(t);
837
90e74a66 838 SET_FOREACH(dt, t->dnssec_transactions)
105e1512
LP		 839 if (DNS_TRANSACTION_IS_LIVE(dt->state))
840 return true;
841
842 return false;
843}
844
942eb2e7
LP		 845static int dns_transaction_dnssec_ready(DnsTransaction *t) {
846 DnsTransaction *dt;
e30a62bf 847 int r;
942eb2e7
LP		 848
849 assert(t);
850
851 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
852 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
853
90e74a66 854 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 855
856 switch (dt->state) {
857
858 case DNS_TRANSACTION_NULL:
859 case DNS_TRANSACTION_PENDING:
860 case DNS_TRANSACTION_VALIDATING:
861 /* Still ongoing */
862 return 0;
863
864 case DNS_TRANSACTION_RCODE_FAILURE:
b3c6b00a 865 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
942eb2e7
LP		 866 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode));
867 goto fail;
868 }
869
b3c6b00a 870 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
5238e957 871 * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
b3c6b00a
LP		 872 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
873 * RRs to make unsigned proofs. */
942eb2e7
LP		 874
875 case DNS_TRANSACTION_SUCCESS:
876 /* All good. */
877 break;
878
879 case DNS_TRANSACTION_DNSSEC_FAILED:
880 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
e30a62bf 881 * validation result */
942eb2e7
LP		 882
883 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
884 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
885 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
886 return 0;
887
942eb2e7
LP		 888 default:
889 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
890 goto fail;
891 }
892 }
893
894 /* All is ready, we can go and validate */
895 return 1;
896
897fail:
e30a62bf
LP		 898 /* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
899 * server due to this failure, and the feature level is now different? Let's see and restart the
900 * transaction if so. If not, let's propagate the auxiliary failure.
901 *
902 * This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
903 * are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
904 r = dns_transaction_maybe_restart(t);
905 if (r < 0)
906 return r;
907 if (r > 0)
908 return 0; /* don't validate just yet, we restarted things */
909
942eb2e7
LP		 910 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
911 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
912 return 0;
913}
914
547973de
LP		 915static void dns_transaction_process_dnssec(DnsTransaction *t) {
916 int r;
917
918 assert(t);
919
920 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
942eb2e7 921 r = dns_transaction_dnssec_ready(t);
7cc6ed7b
LP		 922 if (r < 0)
923 goto fail;
942eb2e7 924 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
547973de
LP		 925 return;
926
c02cf2f4
LP		 927 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
928 * restart the lookup immediately. */
929 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 930 if (r < 0)
931 goto fail;
c02cf2f4
LP		 932 if (r > 0) /* Transaction got restarted... */
933 return;
934
547973de
LP		 935 /* All our auxiliary DNSSEC transactions are complete now. Try
936 * to validate our RRset now. */
937 r = dns_transaction_validate_dnssec(t);
fcfaff12
LP		 938 if (r == -EBADMSG) {
939 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
940 return;
941 }
7cc6ed7b
LP		 942 if (r < 0)
943 goto fail;
547973de 944
b652d4a2
LP		 945 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
946 t->scope->dnssec_mode == DNSSEC_YES) {
e82b1132
LP		 947
948 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
949 * that works. */
950
9147b591 951 if (dns_transaction_limited_retry(t))
e82b1132 952 return;
e82b1132
LP		 953
954 /* OK, let's give up, apparently all servers we tried didn't work. */
b652d4a2
LP		 955 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
956 return;
957 }
958
019036a4 959 if (!IN_SET(t->answer_dnssec_result,
b652d4a2
LP		 960 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
961 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
962 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
963 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
547973de
LP		 964 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
965 return;
966 }
967
1e02e182
LP		 968 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
969 dns_server_warn_downgrade(t->server);
970
547973de
LP		 971 dns_transaction_cache_answer(t);
972
973 if (t->answer_rcode == DNS_RCODE_SUCCESS)
974 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
975 else
3bbdc31d 976 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
7cc6ed7b
LP		 977
978 return;
979
980fail:
fd8a3017 981 dns_transaction_complete_errno(t, r);
547973de
LP		 982}
983
eac7cda2
LP		 984static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
985 int r;
986
987 assert(t);
988
989 /* Checks whether the answer is positive, i.e. either a direct
990 * answer to the question, or a CNAME/DNAME for it */
991
42df9532 992 r = dns_answer_match_key(t->answer, dns_transaction_key(t), flags);
eac7cda2
LP		 993 if (r != 0)
994 return r;
995
42df9532 996 r = dns_answer_find_cname_or_dname(t->answer, dns_transaction_key(t), NULL, flags);
eac7cda2
LP		 997 if (r != 0)
998 return r;
999
1000 return false;
1001}
1002
1003static int dns_transaction_fix_rcode(DnsTransaction *t) {
1004 int r;
1005
1006 assert(t);
1007
1008 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
1009 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
1010 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
1011 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
1012 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
1013 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
1014 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
1015 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
1016 * incomplete CNAME/DNAME chain.
1017 *
1018 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
1019 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
1020 * lookup. */
1021
1022 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
1023 return 0;
1024
1025 r = dns_transaction_has_positive_answer(t, NULL);
1026 if (r <= 0)
1027 return r;
1028
1029 t->answer_rcode = DNS_RCODE_SUCCESS;
1030 return 0;
1031}
1032
43fc4baa 1033void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypted) {
acbf761b 1034 bool retry_with_tcp = false;
ec2c5e43
LP		 1035 int r;
1036
1037 assert(t);
1038 assert(p);
9df3ba6c
TG		 1039 assert(t->scope);
1040 assert(t->scope->manager);
ec2c5e43 1041
5a7e41a3
LP		 1042 if (t->state != DNS_TRANSACTION_PENDING)
1043 return;
1044
ec2c5e43
LP		 1045 /* Note that this call might invalidate the query. Callers
1046 * should hence not attempt to access the query or transaction
1047 * after calling this function. */
1048
11833205
ZJS		 1049 log_debug("Processing incoming packet on transaction %" PRIu16" (rcode=%s).",
1050 t->id, dns_rcode_to_string(DNS_PACKET_RCODE(p)));
b5efcf29 1051
106784eb 1052 switch (t->scope->protocol) {
b5efcf29 1053
106784eb 1054 case DNS_PROTOCOL_LLMNR:
97ebebbc 1055 /* For LLMNR we will not accept any packets from other interfaces */
ec2c5e43 1056
97ebebbc 1057 if (p->ifindex != dns_scope_ifindex(t->scope))
ec2c5e43
LP		 1058 return;
1059
1060 if (p->family != t->scope->family)
1061 return;
1062
1063 /* Tentative packets are not full responses but still
1064 * useful for identifying uniqueness conflicts during
1065 * probing. */
8b757a38 1066 if (DNS_PACKET_LLMNR_T(p)) {
ec2c5e43
LP		 1067 dns_transaction_tentative(t, p);
1068 return;
1069 }
106784eb
DM		 1070
1071 break;
1072
4e5bf5e1 1073 case DNS_PROTOCOL_MDNS:
4e5bf5e1 1074 /* For mDNS we will not accept any packets from other interfaces */
97ebebbc
LP		 1075
1076 if (p->ifindex != dns_scope_ifindex(t->scope))
4e5bf5e1
DM		 1077 return;
1078
1079 if (p->family != t->scope->family)
1080 return;
1081
1082 break;
1083
106784eb 1084 case DNS_PROTOCOL_DNS:
8ad182a1
LP		 1085 /* Note that we do not need to verify the
1086 * addresses/port numbers of incoming traffic, as we
1087 * invoked connect() on our UDP socket in which case
1088 * the kernel already does the needed verification for
1089 * us. */
106784eb
DM		 1090 break;
1091
1092 default:
9c56a6f3 1093 assert_not_reached("Invalid DNS protocol.");
ec2c5e43
LP		 1094 }
1095
ec2c5e43
LP		 1096 if (t->received != p) {
1097 dns_packet_unref(t->received);
1098 t->received = dns_packet_ref(p);
1099 }
1100
c3bc53e6
LP		 1101 t->answer_source = DNS_TRANSACTION_NETWORK;
1102
ec2c5e43
LP		 1103 if (p->ipproto == IPPROTO_TCP) {
1104 if (DNS_PACKET_TC(p)) {
1105 /* Truncated via TCP? Somebody must be fucking with us */
1106 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1107 return;
1108 }
1109
1110 if (DNS_PACKET_ID(p) != t->id) {
1111 /* Not the reply to our query? Somebody must be fucking with us */
1112 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1113 return;
1114 }
1115 }
1116
9df3ba6c 1117 switch (t->scope->protocol) {
8af5b883 1118
9df3ba6c
TG		 1119 case DNS_PROTOCOL_DNS:
1120 assert(t->server);
1121
775ae354
LP		 1122 if (!t->bypass &&
1123 IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
4e0b8b17 1124
8af5b883 1125 /* Request failed, immediately try again with reduced features */
4e0b8b17 1126
7d581a65 1127 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
44db02d0 1128
7d581a65 1129 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
44db02d0
LP		 1130 * this transaction anymore, but let's see if it might make sense to send the request
1131 * to a different DNS server instead. If not let's process the response, and accept the
7d581a65
LP		 1132 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
1133 * packet loss, but is not going to give us better rcodes should we actually have
1134 * managed to get them already at UDP level. */
1135
9147b591 1136 if (dns_transaction_limited_retry(t))
44db02d0 1137 return;
44db02d0
LP		 1138
1139 /* Give up, accept the rcode */
d001e0a3
LP		 1140 log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p)));
1141 break;
1142 }
1143
1144 /* Reduce this feature level by one and try again. */
5d67a7ae
IT		 1145 switch (t->current_feature_level) {
1146 case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1ed4e584 1147 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
5d67a7ae
IT		 1148 break;
1149 case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1150 /* Skip plain TLS when TLS is not supported */
1ed4e584 1151 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
5d67a7ae
IT		 1152 break;
1153 default:
1ed4e584 1154 t->clamp_feature_level_servfail = t->current_feature_level - 1;
5d67a7ae 1155 }
d001e0a3
LP		 1156
1157 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
1158 dns_rcode_to_string(DNS_PACKET_RCODE(p)),
1ed4e584 1159 dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
d001e0a3
LP		 1160
1161 dns_transaction_retry(t, false /* use the same server */);
4e0b8b17 1162 return;
eb08640a
LP		 1163 }
1164
1165 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
1166 /* This server refused our request? If so, try again, use a different server */
1167 log_debug("Server returned REFUSED, switching servers, and retrying.");
9147b591
LP		 1168
1169 if (dns_transaction_limited_retry(t))
1170 return;
1171
1172 break;
eb08640a
LP		 1173 }
1174
1175 if (DNS_PACKET_TC(p))
274b8748 1176 dns_server_packet_truncated(t->server, t->current_feature_level);
9df3ba6c
TG		 1177
1178 break;
8af5b883 1179
9df3ba6c
TG		 1180 case DNS_PROTOCOL_LLMNR:
1181 case DNS_PROTOCOL_MDNS:
5777c613 1182 dns_scope_packet_received(t->scope, p->timestamp - t->start_usec);
9df3ba6c 1183 break;
8af5b883 1184
9df3ba6c 1185 default:
8af5b883 1186 assert_not_reached("Invalid DNS protocol.");
9df3ba6c
TG		 1187 }
1188
ec2c5e43 1189 if (DNS_PACKET_TC(p)) {
547493c5
DM		 1190
1191 /* Truncated packets for mDNS are not allowed. Give up immediately. */
1192 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
1193 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1194 return;
1195 }
1196
acbf761b 1197 /* Response was truncated, let's try again with good old TCP */
f757cd85 1198 log_debug("Reply truncated, retrying via TCP.");
acbf761b 1199 retry_with_tcp = true;
f757cd85 1200
acbf761b
LP		 1201 } else if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1202 DNS_PACKET_IS_FRAGMENTED(p)) {
1203
1204 /* Report the fragment size, so that we downgrade from LARGE to regular EDNS0 if needed */
1205 if (t->server)
1206 dns_server_packet_udp_fragmented(t->server, dns_packet_size_unfragmented(p));
1207
1208 if (t->current_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
1209 /* Packet was fragmented. Let's retry with TCP to avoid fragmentation attack
1210 * issues. (We don't do that on the lowest feature level however, since crappy DNS
1211 * servers often do not implement TCP, hence falling back to TCP on fragmentation is
1212 * counter-productive there.) */
1213
1214 log_debug("Reply fragmented, retrying via TCP.");
1215 retry_with_tcp = true;
1216 }
1217 }
1218
1219 if (retry_with_tcp) {
98767d75 1220 r = dns_transaction_emit_tcp(t);
ec2c5e43
LP		 1221 if (r == -ESRCH) {
1222 /* No servers found? Damn! */
1223 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1224 return;
1225 }
91adc4db
LP		 1226 if (r == -EOPNOTSUPP) {
1227 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1228 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1229 return;
1230 }
ec2c5e43 1231 if (r < 0) {
8af5b883 1232 /* On LLMNR, if we cannot connect to the host,
ec2c5e43 1233 * we immediately give up */
7cc6ed7b
LP		 1234 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1235 goto fail;
ec2c5e43
LP		 1236
1237 /* On DNS, couldn't send? Try immediately again, with a new server */
9147b591
LP		 1238 if (dns_transaction_limited_retry(t))
1239 return;
1240
1241 /* No new server to try, give up */
1242 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
ec2c5e43 1243 }
2a6658ef
LP		 1244
1245 return;
ec2c5e43
LP		 1246 }
1247
de54e62b 1248 /* After the superficial checks, actually parse the message. */
ec2c5e43
LP		 1249 r = dns_packet_extract(p);
1250 if (r < 0) {
2c42a217
LP		 1251 if (t->server) {
1252 dns_server_packet_invalid(t->server, t->current_feature_level);
1253
1254 r = dns_transaction_maybe_restart(t);
1255 if (r < 0)
1256 goto fail;
1257 if (r > 0) /* Transaction got restarted... */
1258 return;
1259 }
1260
ec2c5e43
LP		 1261 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1262 return;
1263 }
1264
1ed4e584
LP		 1265 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1266 !t->bypass &&
1267 DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN &&
1268 p->opt && !DNS_PACKET_DO(p) &&
1269 DNS_SERVER_FEATURE_LEVEL_IS_EDNS0(t->current_feature_level) &&
1270 DNS_SERVER_FEATURE_LEVEL_IS_UDP(t->current_feature_level) &&
1271 t->scope->dnssec_mode != DNSSEC_YES) {
1272
1273 /* Some captive portals are special in that the Aruba/Datavalet hardware will miss
1274 * replacing the packets with the local server IP to point to the authenticated side
1275 * of the network if EDNS0 is enabled. Instead they return NXDOMAIN, with DO bit set
1276 * to zero... nothing to see here, yet respond with the captive portal IP, when using
1277 * the more simple UDP level.
1278 *
1279 * Common portal names that fail like so are:
1280 * secure.datavalet.io
1281 * securelogin.arubanetworks.com
1282 * securelogin.networks.mycompany.com
1283 *
1284 * Thus retry NXDOMAIN RCODES with a lower feature level.
1285 *
1286 * Do not lower the server's tracked feature level, as the captive portal should not
1287 * be lying for the wider internet (e.g. _other_ queries were observed fine with
1288 * EDNS0 on these networks, post auth), i.e. let's just lower the level transaction's
1289 * feature level.
1290 *
1291 * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
1292 */
1293
1294 t->clamp_feature_level_nxdomain = DNS_SERVER_FEATURE_LEVEL_UDP;
1295
1296 log_debug("Server returned error %s in EDNS0 mode, retrying transaction with reduced feature level %s (DVE-2018-0001 mitigation)",
1297 dns_rcode_to_string(DNS_PACKET_RCODE(p)),
1298 dns_server_feature_level_to_string(t->clamp_feature_level_nxdomain));
1299
1300 dns_transaction_retry(t, false /* use the same server */);
1301 return;
1302 }
1303
ed9717fc 1304 if (t->server) {
d001e0a3
LP		 1305 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1306 * rcode and subsequently downgraded the protocol */
1307
1308 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1ed4e584
LP		 1309 t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1310 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
d001e0a3
LP		 1311
1312 /* Report that the OPT RR was missing */
ed9717fc
LP		 1313 if (!p->opt)
1314 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1315
d96275d8
LP		 1316 /* Report that the server didn't copy our query DO bit from request to response */
1317 if (DNS_PACKET_DO(t->sent) && !DNS_PACKET_DO(t->received))
1318 dns_server_packet_do_off(t->server, t->current_feature_level);
1319
acbf761b
LP		 1320 /* Report that we successfully received a packet. We keep track of the largest packet
1321 * size/fragment size we got. Which is useful for announcing the EDNS(0) packet size we can
1322 * receive to our server. */
1323 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, dns_packet_size_unfragmented(p));
ed9717fc 1324 }
de54e62b 1325
c02cf2f4
LP		 1326 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1327 r = dns_transaction_maybe_restart(t);
7cc6ed7b
LP		 1328 if (r < 0)
1329 goto fail;
c02cf2f4
LP		 1330 if (r > 0) /* Transaction got restarted... */
1331 return;
1332
8facd1ce
LP		 1333 /* When dealing with protocols other than mDNS only consider responses with equivalent query section
1334 * to the request. For mDNS this check doesn't make sense, because the section 6 of RFC6762 states
1335 * that "Multicast DNS responses MUST NOT contain any questions in the Question Section". */
1336 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
42df9532 1337 r = dns_packet_is_reply_for(p, dns_transaction_key(t));
8facd1ce
LP		 1338 if (r < 0)
1339 goto fail;
1340 if (r == 0) {
1341 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1342 return;
547493c5 1343 }
8facd1ce 1344 }
29815b6c 1345
775ae354
LP		 1346 /* Install the answer as answer to the transaction. We ref the answer twice here: the main `answer`
1347 * field is later replaced by the DNSSEC validated subset. The 'answer_auxiliary' field carries the
1348 * original complete record set, including RRSIG and friends. We use this when passing data to
1349 * clients that ask for DNSSEC metadata. */
8facd1ce
LP		 1350 dns_answer_unref(t->answer);
1351 t->answer = dns_answer_ref(p->answer);
1352 t->answer_rcode = DNS_PACKET_RCODE(p);
1353 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
6f055e43 1354 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1355 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, encrypted);
79e24931 1356
8facd1ce
LP		 1357 r = dns_transaction_fix_rcode(t);
1358 if (r < 0)
1359 goto fail;
eac7cda2 1360
8facd1ce
LP		 1361 /* Block GC while starting requests for additional DNSSEC RRs */
1362 t->block_gc++;
1363 r = dns_transaction_request_dnssec_keys(t);
1364 t->block_gc--;
51e399bc 1365
8facd1ce
LP		 1366 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1367 if (!dns_transaction_gc(t))
1368 return;
51e399bc 1369
8facd1ce
LP		 1370 /* Requesting additional keys might have resulted in this transaction to fail, since the auxiliary
1371 * request failed for some reason. If so, we are not in pending state anymore, and we should exit
1372 * quickly. */
1373 if (t->state != DNS_TRANSACTION_PENDING)
1374 return;
1375 if (r < 0)
1376 goto fail;
1377 if (r > 0) {
1378 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1379 t->state = DNS_TRANSACTION_VALIDATING;
80710ade 1380 dns_transaction_close_connection(t, true);
8facd1ce
LP		 1381 dns_transaction_stop_timeout(t);
1382 return;
547493c5 1383 }
ec2c5e43 1384
547973de 1385 dns_transaction_process_dnssec(t);
7cc6ed7b
LP		 1386 return;
1387
1388fail:
fd8a3017 1389 dns_transaction_complete_errno(t, r);
ec2c5e43
LP		 1390}
1391
c19ffd9f
TG		 1392static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1393 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1394 DnsTransaction *t = userdata;
1395 int r;
1396
1397 assert(t);
1398 assert(t->scope);
1399
1400 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
95d2155a 1401 if (ERRNO_IS_DISCONNECT(r)) {
7e1851e3 1402 usec_t usec;
c19ffd9f 1403
f731fd5b
ZJS		 1404 /* UDP connection failures get reported via ICMP and then are possibly delivered to us on the
1405 * next recvmsg(). Treat this like a lost packet. */
7e1851e3 1406
92ec902a 1407 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
7e1851e3 1408 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
3da3cdd5 1409 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
7e1851e3 1410
d68dbb37
LP		 1411 dns_transaction_close_connection(t, /* use_graveyard = */ false);
1412
9147b591
LP		 1413 if (dns_transaction_limited_retry(t)) /* Try a different server */
1414 return 0;
1415
1416 dns_transaction_complete_errno(t, r);
7e1851e3
LP		 1417 return 0;
1418 }
1419 if (r < 0) {
fd8a3017 1420 dns_transaction_complete_errno(t, r);
7e1851e3
LP		 1421 return 0;
1422 }
f731fd5b
ZJS		 1423 if (r == 0)
1424 /* Spurious wakeup without any data */
1425 return 0;
7e1851e3
LP		 1426
1427 r = dns_packet_validate_reply(p);
1428 if (r < 0) {
1429 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1430 return 0;
1431 }
1432 if (r == 0) {
e09f605e 1433 log_debug("Received inappropriate DNS packet as response, ignoring.");
7e1851e3
LP		 1434 return 0;
1435 }
1436
1437 if (DNS_PACKET_ID(p) != t->id) {
e09f605e 1438 log_debug("Received packet with incorrect transaction ID, ignoring.");
7e1851e3
LP		 1439 return 0;
1440 }
c19ffd9f 1441
43fc4baa 1442 dns_transaction_process_reply(t, p, false);
c19ffd9f
TG		 1443 return 0;
1444}
1445
49cce12d 1446static int dns_transaction_emit_udp(DnsTransaction *t) {
c19ffd9f
TG		 1447 int r;
1448
1449 assert(t);
c19ffd9f 1450
519ef046 1451 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
c19ffd9f 1452
519ef046 1453 r = dns_transaction_pick_server(t);
471d40d9
TG		 1454 if (r < 0)
1455 return r;
c19ffd9f 1456
49ef064c
LP		 1457 if (manager_server_is_stub(t->scope->manager, t->server))
1458 return -ELOOP;
1459
5d67a7ae 1460 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
7d581a65 1461 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
519ef046 1462
775ae354 1463 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
91adc4db
LP		 1464 return -EOPNOTSUPP;
1465
519ef046
LP		 1466 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1467 int fd;
1468
80710ade
LP		 1469 dns_transaction_close_connection(t, true);
1470
1471 /* Before we allocate a new UDP socket, let's process the graveyard a bit to free some fds */
1472 manager_socket_graveyard_process(t->scope->manager);
c19ffd9f 1473
da9de738 1474 fd = dns_scope_socket_udp(t->scope, t->server);
519ef046
LP		 1475 if (fd < 0)
1476 return fd;
1477
1478 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1479 if (r < 0) {
1480 safe_close(fd);
1481 return r;
1482 }
1483
aa4a9deb 1484 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
519ef046
LP		 1485 t->dns_udp_fd = fd;
1486 }
1487
775ae354
LP		 1488 if (!t->bypass) {
1489 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1490 if (r < 0)
1491 return r;
1492 }
519ef046 1493 } else
80710ade 1494 dns_transaction_close_connection(t, true);
519ef046 1495
d79677ab 1496 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->server ? t->server->family : AF_UNSPEC, t->sent);
471d40d9
TG		 1497 if (r < 0)
1498 return r;
c19ffd9f 1499
519ef046 1500 dns_transaction_reset_answer(t);
be808ea0 1501
471d40d9 1502 return 0;
c19ffd9f
TG		 1503}
1504
ec2c5e43
LP		 1505static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1506 DnsTransaction *t = userdata;
ec2c5e43
LP		 1507
1508 assert(s);
1509 assert(t);
1510
ef7ce6df
DM		 1511 if (!t->initial_jitter_scheduled || t->initial_jitter_elapsed) {
1512 /* Timeout reached? Increase the timeout for the server used */
1513 switch (t->scope->protocol) {
49cce12d 1514
ef7ce6df
DM		 1515 case DNS_PROTOCOL_DNS:
1516 assert(t->server);
3da3cdd5 1517 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
ef7ce6df 1518 break;
49cce12d 1519
ef7ce6df
DM		 1520 case DNS_PROTOCOL_LLMNR:
1521 case DNS_PROTOCOL_MDNS:
1522 dns_scope_packet_lost(t->scope, usec - t->start_usec);
ef7ce6df 1523 break;
49cce12d 1524
ef7ce6df
DM		 1525 default:
1526 assert_not_reached("Invalid DNS protocol.");
1527 }
1528
1529 if (t->initial_jitter_scheduled)
1530 t->initial_jitter_elapsed = true;
be808ea0
TG		 1531 }
1532
423659ab
LP		 1533 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
1534
9147b591
LP		 1535 dns_transaction_retry(t, true); /* try a different server, but given this means packet loss, let's do
1536 * so even if we already tried a bunch */
ec2c5e43
LP		 1537 return 0;
1538}
1539
9df3ba6c
TG		 1540static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1541 assert(t);
1542 assert(t->scope);
1543
1544 switch (t->scope->protocol) {
49cce12d 1545
9df3ba6c 1546 case DNS_PROTOCOL_DNS:
dc349f5f
LP		 1547
1548 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1549 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1550 * needlessly. */
1551 if (t->stream)
1552 return TRANSACTION_TCP_TIMEOUT_USEC;
1553
dbc4661a 1554 return DNS_TIMEOUT_USEC;
49cce12d 1555
9df3ba6c 1556 case DNS_PROTOCOL_MDNS:
11a27c2e 1557 assert(t->n_attempts > 0);
53fda2bb
DR		 1558 if (t->probing)
1559 return MDNS_PROBING_INTERVAL_USEC;
1560 else
1561 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
49cce12d 1562
11a27c2e 1563 case DNS_PROTOCOL_LLMNR:
9df3ba6c 1564 return t->scope->resend_timeout;
49cce12d 1565
9df3ba6c
TG		 1566 default:
1567 assert_not_reached("Invalid DNS protocol.");
1568 }
1569}
1570
3f0a7b3a
LP		 1571static void dns_transaction_randomize_answer(DnsTransaction *t) {
1572 int r;
1573
1574 assert(t);
1575
1576 /* Randomizes the order of the answer array. This is done for all cached responses, so that we return
1577 * a different order each time. We do this only for DNS traffic, in order to do some minimal, crappy
1578 * load balancing. We don't do this for LLMNR or mDNS, since the order (preferring link-local
1579 * addresses, and such like) might have meaning there, and load balancing is pointless. */
1580
1581 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1582 return;
1583
1584 /* No point in randomizing, if there's just one RR */
1585 if (dns_answer_size(t->answer) <= 1)
1586 return;
1587
1588 r = dns_answer_reserve_or_clone(&t->answer, 0);
1589 if (r < 0) /* If this fails, just don't randomize, this is non-essential stuff after all */
1590 return (void) log_debug_errno(r, "Failed to clone answer record, not randomizing RR order of answer: %m");
1591
1592 dns_answer_randomize(t->answer);
1593}
1594
c842ff24 1595static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
ec2c5e43
LP		 1596 int r;
1597
1598 assert(t);
1599
4ea8b443
ZJS		 1600 /* Returns 0 if dns_transaction_complete() has been called. In that case the transaction and query
1601 * candidate objects may have been invalidated and must not be accessed. Returns 1 if the transaction
1602 * has been prepared. */
1603
f535705a 1604 dns_transaction_stop_timeout(t);
ec2c5e43 1605
86b112a3 1606 if (!dns_scope_network_good(t->scope)) {
edbcc1fd
LP		 1607 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1608 return 0;
1609 }
1610
ec2c5e43 1611 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
e53b8cc5
ZJS		 1612 DnsTransactionState result;
1613
1614 if (t->scope->protocol == DNS_PROTOCOL_LLMNR)
1615 /* If we didn't find anything on LLMNR, it's not an error, but a failure to resolve
1616 * the name. */
1617 result = DNS_TRANSACTION_NOT_FOUND;
1618 else
1619 result = DNS_TRANSACTION_ATTEMPTS_MAX_REACHED;
1620
1621 dns_transaction_complete(t, result);
ec2c5e43
LP		 1622 return 0;
1623 }
1624
cbe4216d 1625 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
ec2c5e43
LP		 1626 /* If we already tried via a stream, then we don't
1627 * retry on LLMNR. See RFC 4795, Section 2.7. */
1628 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1629 return 0;
1630 }
1631
1632 t->n_attempts++;
9df3ba6c 1633 t->start_usec = ts;
c61d2b44
LP		 1634
1635 dns_transaction_reset_answer(t);
c5b4f861 1636 dns_transaction_flush_dnssec_transactions(t);
ec2c5e43 1637
0d2cd476 1638 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
775ae354
LP		 1639 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1640 !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_TRUST_ANCHOR)) {
42df9532 1641 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, dns_transaction_key(t), &t->answer);
0d2cd476
LP		 1642 if (r < 0)
1643 return r;
1644 if (r > 0) {
1645 t->answer_rcode = DNS_RCODE_SUCCESS;
1646 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
43fc4baa 1647 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
0d2cd476
LP		 1648 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1649 return 0;
1650 }
b2b796b8 1651
42df9532
LP		 1652 if (dns_name_is_root(dns_resource_key_name(dns_transaction_key(t))) &&
1653 dns_transaction_key(t)->type == DNS_TYPE_DS) {
b2b796b8 1654
775ae354
LP		 1655 /* Hmm, this is a request for the root DS? A DS RR doesn't exist in the root zone,
1656 * and if our trust anchor didn't know it either, this means we cannot do any DNSSEC
1657 * logic anymore. */
b2b796b8 1658
1ed8c0fb 1659 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
775ae354
LP		 1660 /* We are in downgrade mode. In this case, synthesize an unsigned empty
1661 * response, so that the any lookup depending on this one can continue
1662 * assuming there was no DS, and hence the root zone was unsigned. */
b2b796b8
LP		 1663
1664 t->answer_rcode = DNS_RCODE_SUCCESS;
1665 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
6f055e43 1666 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
43fc4baa 1667 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, true);
b2b796b8
LP		 1668 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1669 } else
775ae354
LP		 1670 /* If we are not in downgrade mode, then fail the lookup, because we cannot
1671 * reasonably answer it. There might be DS RRs, but we don't know them, and
1672 * the DNS server won't tell them to us (and even if it would, we couldn't
1673 * validate and trust them. */
b2b796b8
LP		 1674 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1675
1676 return 0;
1677 }
0d2cd476
LP		 1678 }
1679
775ae354
LP		 1680 /* Check the zone. */
1681 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_ZONE)) {
42df9532 1682 r = dns_zone_lookup(&t->scope->zone, dns_transaction_key(t), dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
d746bb3e
LP		 1683 if (r < 0)
1684 return r;
1685 if (r > 0) {
ae6a4bbf 1686 t->answer_rcode = DNS_RCODE_SUCCESS;
c3bc53e6 1687 t->answer_source = DNS_TRANSACTION_ZONE;
43fc4baa 1688 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
d746bb3e
LP		 1689 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1690 return 0;
1691 }
1692 }
1693
775ae354
LP		 1694 /* Check the cache. */
1695 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_CACHE)) {
2c27fbca 1696
775ae354
LP		 1697 /* Before trying the cache, let's make sure we figured out a server to use. Should this cause
1698 * a change of server this might flush the cache. */
5cdb8930 1699 (void) dns_scope_get_dns_server(t->scope);
2c27fbca 1700
4d926a69
LP		 1701 /* Let's then prune all outdated entries */
1702 dns_cache_prune(&t->scope->cache);
1703
775ae354
LP		 1704 r = dns_cache_lookup(
1705 &t->scope->cache,
1706 dns_transaction_key(t),
1707 t->query_flags,
1708 &t->answer_rcode,
1709 &t->answer,
1710 &t->received,
6f055e43 1711 &t->answer_query_flags,
775ae354 1712 &t->answer_dnssec_result);
4d926a69
LP		 1713 if (r < 0)
1714 return r;
1715 if (r > 0) {
3f0a7b3a
LP		 1716 dns_transaction_randomize_answer(t);
1717
775ae354
LP		 1718 if (t->bypass && t->scope->protocol == DNS_PROTOCOL_DNS && !t->received)
1719 /* When bypass mode is on, do not use cached data unless it came with a full
1720 * packet. */
1721 dns_transaction_reset_answer(t);
1722 else {
1723 t->answer_source = DNS_TRANSACTION_CACHE;
1724 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1725 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1726 else
1727 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1728 return 0;
1729 }
4d926a69 1730 }
ec2c5e43
LP		 1731 }
1732
775ae354
LP		 1733 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_NETWORK)) {
1734 dns_transaction_complete(t, DNS_TRANSACTION_NO_SOURCE);
1735 return 0;
1736 }
1737
1effe965
DM		 1738 return 1;
1739}
1740
0afa57e2 1741static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
0afa57e2 1742 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
7778dfff 1743 bool add_known_answers = false;
0afa57e2 1744 DnsTransaction *other;
0d5ee47d
DR		 1745 DnsResourceKey *tkey;
1746 _cleanup_set_free_ Set *keys = NULL;
0afa57e2 1747 unsigned qdcount;
0d5ee47d 1748 unsigned nscount = 0;
0afa57e2
DM		 1749 usec_t ts;
1750 int r;
1751
1752 assert(t);
1753 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1754
e5abebab 1755 /* Discard any previously prepared packet, so we can start over and coalesce again */
0afa57e2
DM		 1756 t->sent = dns_packet_unref(t->sent);
1757
1758 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1759 if (r < 0)
1760 return r;
1761
42df9532 1762 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
0afa57e2
DM		 1763 if (r < 0)
1764 return r;
1765
1766 qdcount = 1;
1767
42df9532 1768 if (dns_key_is_shared(dns_transaction_key(t)))
7778dfff
DM		 1769 add_known_answers = true;
1770
42df9532
LP		 1771 if (dns_transaction_key(t)->type == DNS_TYPE_ANY) {
1772 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(t));
0d5ee47d
DR		 1773 if (r < 0)
1774 return r;
1775 }
1776
0afa57e2
DM		 1777 /*
1778 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1779 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
5238e957 1780 * in our current scope, and see whether their timing constraints allow them to be sent.
0afa57e2
DM		 1781 */
1782
1783 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1784
1785 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1786
1787 /* Skip ourselves */
1788 if (other == t)
1789 continue;
1790
1791 if (other->state != DNS_TRANSACTION_PENDING)
1792 continue;
1793
1794 if (other->next_attempt_after > ts)
1795 continue;
1796
1797 if (qdcount >= UINT16_MAX)
1798 break;
1799
42df9532 1800 r = dns_packet_append_key(p, dns_transaction_key(other), 0, NULL);
0afa57e2
DM		 1801
1802 /*
1803 * If we can't stuff more questions into the packet, just give up.
1804 * One of the 'other' transactions will fire later and take care of the rest.
1805 */
1806 if (r == -EMSGSIZE)
1807 break;
1808
1809 if (r < 0)
1810 return r;
1811
c842ff24 1812 r = dns_transaction_prepare(other, ts);
0afa57e2
DM		 1813 if (r <= 0)
1814 continue;
1815
1816 ts += transaction_get_resend_timeout(other);
1817
1818 r = sd_event_add_time(
1819 other->scope->manager->event,
1820 &other->timeout_event_source,
1821 clock_boottime_or_monotonic(),
1822 ts, 0,
1823 on_transaction_timeout, other);
1824 if (r < 0)
1825 return r;
1826
ff537038 1827 (void) sd_event_source_set_description(other->timeout_event_source, "dns-transaction-timeout");
aa4a9deb 1828
0afa57e2
DM		 1829 other->state = DNS_TRANSACTION_PENDING;
1830 other->next_attempt_after = ts;
1831
313cefa1 1832 qdcount++;
7778dfff 1833
42df9532 1834 if (dns_key_is_shared(dns_transaction_key(other)))
7778dfff 1835 add_known_answers = true;
0d5ee47d 1836
42df9532
LP		 1837 if (dns_transaction_key(other)->type == DNS_TYPE_ANY) {
1838 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(other));
0d5ee47d
DR		 1839 if (r < 0)
1840 return r;
1841 }
0afa57e2
DM		 1842 }
1843
1844 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
0afa57e2 1845
7778dfff
DM		 1846 /* Append known answer section if we're asking for any shared record */
1847 if (add_known_answers) {
1848 r = dns_cache_export_shared_to_packet(&t->scope->cache, p);
1849 if (r < 0)
1850 return r;
1851 }
1852
90e74a66 1853 SET_FOREACH(tkey, keys) {
0d5ee47d
DR		 1854 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1855 bool tentative;
1856
1857 r = dns_zone_lookup(&t->scope->zone, tkey, t->scope->link->ifindex, &answer, NULL, &tentative);
1858 if (r < 0)
1859 return r;
1860
6f76e68a 1861 r = dns_packet_append_answer(p, answer, &nscount);
0d5ee47d
DR		 1862 if (r < 0)
1863 return r;
0d5ee47d
DR		 1864 }
1865 DNS_PACKET_HEADER(p)->nscount = htobe16(nscount);
1866
1cc6c93a 1867 t->sent = TAKE_PTR(p);
0afa57e2
DM		 1868
1869 return 0;
1870}
1871
1872static int dns_transaction_make_packet(DnsTransaction *t) {
1873 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1874 int r;
1875
1876 assert(t);
1877
1878 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1879 return dns_transaction_make_packet_mdns(t);
1880
1881 if (t->sent)
1882 return 0;
1883
775ae354
LP		 1884 if (t->bypass && t->bypass->protocol == t->scope->protocol) {
1885 /* If bypass logic is enabled and the protocol if the original packet and our scope match,
1886 * take the original packet, copy it, and patch in our new ID */
1887 r = dns_packet_dup(&p, t->bypass);
1888 if (r < 0)
1889 return r;
1890 } else {
1891 r = dns_packet_new_query(
1892 &p, t->scope->protocol,
1893 /* min_alloc_dsize = */ 0,
1894 /* dnssec_cd = */ !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) &&
1895 t->scope->dnssec_mode != DNSSEC_NO);
1896 if (r < 0)
1897 return r;
0afa57e2 1898
775ae354
LP		 1899 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1900 if (r < 0)
1901 return r;
1902
1903 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1904 }
0afa57e2 1905
0afa57e2
DM		 1906 DNS_PACKET_HEADER(p)->id = t->id;
1907
1cc6c93a 1908 t->sent = TAKE_PTR(p);
0afa57e2
DM		 1909 return 0;
1910}
1911
1effe965
DM		 1912int dns_transaction_go(DnsTransaction *t) {
1913 usec_t ts;
1914 int r;
202b76ae 1915 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1effe965
DM		 1916
1917 assert(t);
1918
4ea8b443
ZJS		 1919 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has
1920 * finished now. In the latter case, the transaction and query candidate objects must not be accessed.
1921 */
5278bbfe 1922
1effe965 1923 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
547973de 1924
c842ff24 1925 r = dns_transaction_prepare(t, ts);
1effe965
DM		 1926 if (r <= 0)
1927 return r;
1928
775ae354
LP		 1929 log_debug("%s transaction %" PRIu16 " for <%s> scope %s on %s/%s (validate=%s).",
1930 t->bypass ? "Bypass" : "Regular",
a5784c49 1931 t->id,
42df9532 1932 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
a5784c49 1933 dns_protocol_to_string(t->scope->protocol),
6ff79f76 1934 t->scope->link ? t->scope->link->ifname : "*",
775ae354
LP		 1935 af_to_name_short(t->scope->family),
1936 yes_no(!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE)));
1effe965 1937
ef7ce6df 1938 if (!t->initial_jitter_scheduled &&
3742095b 1939 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
ea12bcc7 1940 usec_t jitter, accuracy;
6e068472
LP		 1941
1942 /* RFC 4795 Section 2.7 suggests all queries should be
1943 * delayed by a random time from 0 to JITTER_INTERVAL. */
1944
ef7ce6df 1945 t->initial_jitter_scheduled = true;
6e068472
LP		 1946
1947 random_bytes(&jitter, sizeof(jitter));
ea12bcc7
DM		 1948
1949 switch (t->scope->protocol) {
519ef046 1950
ea12bcc7
DM		 1951 case DNS_PROTOCOL_LLMNR:
1952 jitter %= LLMNR_JITTER_INTERVAL_USEC;
1953 accuracy = LLMNR_JITTER_INTERVAL_USEC;
1954 break;
519ef046 1955
ea12bcc7
DM		 1956 case DNS_PROTOCOL_MDNS:
1957 jitter %= MDNS_JITTER_RANGE_USEC;
1958 jitter += MDNS_JITTER_MIN_USEC;
1959 accuracy = MDNS_JITTER_RANGE_USEC;
1960 break;
1961 default:
1962 assert_not_reached("bad protocol");
1963 }
6e068472
LP		 1964
1965 r = sd_event_add_time(
1966 t->scope->manager->event,
1967 &t->timeout_event_source,
1968 clock_boottime_or_monotonic(),
ea12bcc7 1969 ts + jitter, accuracy,
6e068472
LP		 1970 on_transaction_timeout, t);
1971 if (r < 0)
1972 return r;
1973
aa4a9deb
LP		 1974 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1975
6e068472 1976 t->n_attempts = 0;
a9da14e1 1977 t->next_attempt_after = ts;
6e068472
LP		 1978 t->state = DNS_TRANSACTION_PENDING;
1979
ea12bcc7 1980 log_debug("Delaying %s transaction for " USEC_FMT "us.", dns_protocol_to_string(t->scope->protocol), jitter);
4ea8b443 1981 return 1;
6e068472
LP		 1982 }
1983
ec2c5e43
LP		 1984 /* Otherwise, we need to ask the network */
1985 r = dns_transaction_make_packet(t);
ec2c5e43
LP		 1986 if (r < 0)
1987 return r;
1988
1989 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
42df9532
LP		 1990 (dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "in-addr.arpa") > 0 ||
1991 dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "ip6.arpa") > 0)) {
ec2c5e43
LP		 1992
1993 /* RFC 4795, Section 2.4. says reverse lookups shall
1994 * always be made via TCP on LLMNR */
98767d75 1995 r = dns_transaction_emit_tcp(t);
ec2c5e43 1996 } else {
be808ea0
TG		 1997 /* Try via UDP, and if that fails due to large size or lack of
1998 * support try via TCP */
49cce12d 1999 r = dns_transaction_emit_udp(t);
29ab0552
LP		 2000 if (r == -EMSGSIZE)
2001 log_debug("Sending query via TCP since it is too large.");
dc349f5f 2002 else if (r == -EAGAIN)
6c0bacc1 2003 log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
4c701096 2004 if (IN_SET(r, -EMSGSIZE, -EAGAIN))
98767d75 2005 r = dns_transaction_emit_tcp(t);
ec2c5e43 2006 }
49ef064c
LP		 2007 if (r == -ELOOP) {
2008 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2009 return r;
2010
2011 /* One of our own stub listeners */
2012 log_debug_errno(r, "Detected that specified DNS server is our own extra listener, switching DNS servers.");
2013
5e8bc852 2014 dns_scope_next_dns_server(t->scope, t->server);
49ef064c
LP		 2015
2016 if (dns_scope_get_dns_server(t->scope) == t->server) {
2017 log_debug_errno(r, "Still pointing to extra listener after switching DNS servers, refusing operation.");
2018 dns_transaction_complete(t, DNS_TRANSACTION_STUB_LOOP);
2019 return 0;
2020 }
be808ea0 2021
49ef064c
LP		 2022 return dns_transaction_go(t);
2023 }
ec2c5e43
LP		 2024 if (r == -ESRCH) {
2025 /* No servers to send this to? */
2026 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
2027 return 0;
91adc4db
LP		 2028 }
2029 if (r == -EOPNOTSUPP) {
2030 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
2031 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
2032 return 0;
2033 }
95d2155a 2034 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_DISCONNECT(r)) {
e94968ba 2035 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
0791110f
LP		 2036 * answer this request with this protocol. */
2037 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
2038 return 0;
2039 }
91adc4db 2040 if (r < 0) {
7cc6ed7b
LP		 2041 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2042 return r;
13b551ac 2043
ec2c5e43 2044 /* Couldn't send? Try immediately again, with a new server */
5e8bc852 2045 dns_scope_next_dns_server(t->scope, t->server);
ec2c5e43
LP		 2046
2047 return dns_transaction_go(t);
2048 }
2049
a9da14e1
DM		 2050 ts += transaction_get_resend_timeout(t);
2051
9a015429
LP		 2052 r = sd_event_add_time(
2053 t->scope->manager->event,
2054 &t->timeout_event_source,
2055 clock_boottime_or_monotonic(),
a9da14e1 2056 ts, 0,
9a015429 2057 on_transaction_timeout, t);
ec2c5e43
LP		 2058 if (r < 0)
2059 return r;
2060
aa4a9deb
LP		 2061 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
2062
ec2c5e43 2063 t->state = DNS_TRANSACTION_PENDING;
a9da14e1
DM		 2064 t->next_attempt_after = ts;
2065
ec2c5e43
LP		 2066 return 1;
2067}
2068
f2992dc1
LP		 2069static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
2070 DnsTransaction *n;
f2992dc1
LP		 2071 int r;
2072
2073 assert(t);
2074 assert(aux);
2075
2076 /* Try to find cyclic dependencies between transaction objects */
2077
2078 if (t == aux)
2079 return 1;
2080
90e74a66 2081 SET_FOREACH(n, aux->dnssec_transactions) {
f2992dc1
LP		 2082 r = dns_transaction_find_cyclic(t, n);
2083 if (r != 0)
2084 return r;
2085 }
2086
3eb6aa00 2087 return 0;
f2992dc1
LP		 2088}
2089
547973de 2090static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
29bd6012 2091 _cleanup_(dns_transaction_gcp) DnsTransaction *aux = NULL;
547973de
LP		 2092 int r;
2093
2094 assert(t);
2095 assert(ret);
2096 assert(key);
2097
775ae354 2098 aux = dns_scope_find_transaction(t->scope, key, t->query_flags);
547973de 2099 if (!aux) {
775ae354 2100 r = dns_transaction_new(&aux, t->scope, key, NULL, t->query_flags);
547973de
LP		 2101 if (r < 0)
2102 return r;
2103 } else {
2104 if (set_contains(t->dnssec_transactions, aux)) {
2105 *ret = aux;
2106 return 0;
2107 }
f2992dc1
LP		 2108
2109 r = dns_transaction_find_cyclic(t, aux);
2110 if (r < 0)
2111 return r;
2112 if (r > 0) {
202b76ae
ZJS		 2113 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
2114
baaa35ad
ZJS		 2115 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
2116 "Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
2117 aux->id,
42df9532 2118 dns_resource_key_to_string(dns_transaction_key(t), s, sizeof s),
baaa35ad 2119 t->id,
42df9532 2120 dns_resource_key_to_string(dns_transaction_key(aux), saux, sizeof saux));
f2992dc1 2121 }
547973de
LP		 2122 }
2123
35aa04e9
LP		 2124 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
2125 if (r < 0)
29bd6012 2126 return r;
547973de 2127
de7fef4b 2128 r = set_ensure_put(&t->dnssec_transactions, NULL, aux);
547973de 2129 if (r < 0)
a75cb4e2 2130 return r;
547973de 2131
de7fef4b 2132 r = set_ensure_put(&aux->notify_transactions, NULL, t);
547973de
LP		 2133 if (r < 0) {
2134 (void) set_remove(t->dnssec_transactions, aux);
29bd6012 2135 return r;
547973de
LP		 2136 }
2137
29bd6012 2138 *ret = TAKE_PTR(aux);
547973de 2139 return 1;
547973de
LP		 2140}
2141
2142static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
2143 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
2144 DnsTransaction *aux;
2145 int r;
2146
2147 assert(t);
2148 assert(key);
2149
2150 /* Try to get the data from the trust anchor */
8e54f5d9 2151 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
547973de
LP		 2152 if (r < 0)
2153 return r;
2154 if (r > 0) {
2155 r = dns_answer_extend(&t->validated_keys, a);
2156 if (r < 0)
2157 return r;
2158
2159 return 0;
2160 }
2161
2162 /* This didn't work, ask for it via the network/cache then. */
2163 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
f2992dc1
LP		 2164 if (r == -ELOOP) /* This would result in a cyclic dependency */
2165 return 0;
547973de
LP		 2166 if (r < 0)
2167 return r;
2168
2169 if (aux->state == DNS_TRANSACTION_NULL) {
2170 r = dns_transaction_go(aux);
2171 if (r < 0)
2172 return r;
2173 }
2174
f2992dc1 2175 return 1;
547973de
LP		 2176}
2177
8a516214
LP		 2178static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
2179 int r;
2180
2181 assert(t);
2182
c629ff58 2183 /* Check whether the specified name is in the NTA
8a516214
LP		 2184 * database, either in the global one, or the link-local
2185 * one. */
2186
2187 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
2188 if (r != 0)
2189 return r;
2190
2191 if (!t->scope->link)
2192 return 0;
2193
7e8a93b7 2194 return link_negative_trust_anchor_lookup(t->scope->link, name);
8a516214
LP		 2195}
2196
105e1512
LP		 2197static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
2198 int r;
2199
2200 assert(t);
2201
2202 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
2203 * RRs to prove it */
2204
2205 r = dns_transaction_has_positive_answer(t, NULL);
2206 if (r < 0)
2207 return r;
2208 if (r > 0)
2209 return false;
2210
8e54f5d9
LP		 2211 /* Is this key explicitly listed as a negative trust anchor?
2212 * If so, it's nothing we need to care about */
42df9532 2213 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2214 if (r < 0)
2215 return r;
2216 if (r > 0)
2217 return false;
2218
105e1512
LP		 2219 /* The answer does not contain any RRs that match to the
2220 * question. If so, let's see if there are any NSEC/NSEC3 RRs
2221 * included. If not, the answer is unsigned. */
2222
2223 r = dns_answer_contains_nsec_or_nsec3(t->answer);
2224 if (r < 0)
2225 return r;
2226 if (r > 0)
2227 return false;
2228
2229 return true;
2230}
2231
2232static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
2233 int r;
2234
2235 assert(t);
2236 assert(rr);
2237
2238 /* Check if the specified RR is the "primary" response,
2239 * i.e. either matches the question precisely or is a
4cb94977 2240 * CNAME/DNAME for it. */
105e1512 2241
42df9532 2242 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2243 if (r != 0)
2244 return r;
2245
42df9532 2246 return dns_resource_key_match_cname_or_dname(dns_transaction_key(t), rr->key, NULL);
105e1512
LP		 2247}
2248
92ec902a
LP		 2249static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
2250 assert(t);
2251
2252 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
2253 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
2254
2255 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2256 return false;
2257
2258 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
2259 * be supported, hence return true. */
2260 if (!t->server)
2261 return true;
2262
d001e0a3
LP		 2263 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
2264 * the server is known to support currently, as the transaction feature level might be lower than what the
2265 * server actually supports, since we might have downgraded this transaction's feature level because we got a
2266 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
92ec902a
LP		 2267
2268 return dns_server_dnssec_supported(t->server);
2269}
2270
2271static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
2272 DnsTransaction *dt;
92ec902a
LP		 2273
2274 assert(t);
2275
2276 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
2277
2278 if (!dns_transaction_dnssec_supported(t))
2279 return false;
2280
90e74a66 2281 SET_FOREACH(dt, t->dnssec_transactions)
92ec902a
LP		 2282 if (!dns_transaction_dnssec_supported(dt))
2283 return false;
2284
2285 return true;
2286}
2287
547973de
LP		 2288int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
2289 DnsResourceRecord *rr;
105e1512 2290
547973de
LP		 2291 int r;
2292
2293 assert(t);
2294
105e1512
LP		 2295 /*
2296 * Retrieve all auxiliary RRs for the answer we got, so that
2297 * we can verify signatures or prove that RRs are rightfully
2298 * unsigned. Specifically:
2299 *
2300 * - For RRSIG we get the matching DNSKEY
2301 * - For DNSKEY we get the matching DS
2302 * - For unsigned SOA/NS we get the matching DS
b63fca62 2303 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
105e1512 2304 * - For other unsigned RRs we get the matching SOA RR
4bbc06cc
LP		 2305 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
2306 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
105e1512
LP		 2307 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
2308 */
2309
775ae354 2310 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
547973de 2311 return 0;
92ec902a
LP		 2312 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2313 return 0; /* We only need to validate stuff from the network */
2314 if (!dns_transaction_dnssec_supported(t))
5238e957 2315 return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
b652d4a2 2316
547973de
LP		 2317 DNS_ANSWER_FOREACH(rr, t->answer) {
2318
105e1512
LP		 2319 if (dns_type_is_pseudo(rr->key->type))
2320 continue;
2321
8e54f5d9 2322 /* If this RR is in the negative trust anchor, we don't need to validate it. */
1c02e7ba 2323 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2324 if (r < 0)
2325 return r;
2326 if (r > 0)
2327 continue;
2328
547973de
LP		 2329 switch (rr->key->type) {
2330
2331 case DNS_TYPE_RRSIG: {
2332 /* For each RRSIG we request the matching DNSKEY */
2333 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
2334
2335 /* If this RRSIG is about a DNSKEY RR and the
2336 * signer is the same as the owner, then we
2337 * already have the DNSKEY, and we don't have
2338 * to look for more. */
2339 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
1c02e7ba 2340 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
547973de
LP		 2341 if (r < 0)
2342 return r;
2343 if (r > 0)
2344 continue;
2345 }
2346
105e1512
LP		 2347 /* If the signer is not a parent of our
2348 * original query, then this is about an
2349 * auxiliary RRset, but not anything we asked
2350 * for. In this case we aren't interested,
2351 * because we don't want to request additional
2352 * RRs for stuff we didn't really ask for, and
2353 * also to avoid request loops, where
2354 * additional RRs from one transaction result
5238e957 2355 * in another transaction whose additional RRs
105e1512
LP		 2356 * point back to the original transaction, and
2357 * we deadlock. */
42df9532 2358 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), rr->rrsig.signer);
547973de
LP		 2359 if (r < 0)
2360 return r;
2361 if (r == 0)
2362 continue;
2363
2364 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2365 if (!dnskey)
2366 return -ENOMEM;
2367
1c02e7ba
ZJS		 2368 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2369 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
547973de
LP		 2370 r = dns_transaction_request_dnssec_rr(t, dnskey);
2371 if (r < 0)
2372 return r;
2373 break;
2374 }
2375
2376 case DNS_TYPE_DNSKEY: {
2377 /* For each DNSKEY we request the matching DS */
2378 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2379
105e1512
LP		 2380 /* If the DNSKEY we are looking at is not for
2381 * zone we are interested in, nor any of its
2382 * parents, we aren't interested, and don't
2383 * request it. After all, we don't want to end
2384 * up in request loops, and want to keep
2385 * additional traffic down. */
2386
42df9532 2387 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
105e1512
LP		 2388 if (r < 0)
2389 return r;
2390 if (r == 0)
2391 continue;
2392
1c02e7ba 2393 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
547973de
LP		 2394 if (!ds)
2395 return -ENOMEM;
2396
1c02e7ba
ZJS		 2397 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2398 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
105e1512
LP		 2399 r = dns_transaction_request_dnssec_rr(t, ds);
2400 if (r < 0)
2401 return r;
547973de 2402
105e1512
LP		 2403 break;
2404 }
2405
105e1512
LP		 2406 case DNS_TYPE_SOA:
2407 case DNS_TYPE_NS: {
2408 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2409
2410 /* For an unsigned SOA or NS, try to acquire
2411 * the matching DS RR, as we are at a zone cut
2412 * then, and whether a DS exists tells us
2413 * whether the zone is signed. Do so only if
2414 * this RR matches our original question,
2415 * however. */
2416
42df9532 2417 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
105e1512
LP		 2418 if (r < 0)
2419 return r;
6993d264
LP		 2420 if (r == 0) {
2421 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
d51c4fca 2422 * a negative reply, and we need the SOA RR's TTL in order to cache a negative entry?
6993d264
LP		 2423 * If so, we need to validate it, too. */
2424
42df9532 2425 r = dns_answer_match_key(t->answer, dns_transaction_key(t), NULL);
6993d264
LP		 2426 if (r < 0)
2427 return r;
2428 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2429 * it. */
2430 continue;
d5acaa51
LP		 2431
2432 /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
2433 * what we are looking for, otherwise there's no value in it for us. */
42df9532 2434 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
d5acaa51
LP		 2435 if (r < 0)
2436 return r;
2437 if (r == 0)
2438 continue;
6993d264 2439 }
105e1512
LP		 2440
2441 r = dnssec_has_rrsig(t->answer, rr->key);
2442 if (r < 0)
2443 return r;
2444 if (r > 0)
2445 continue;
2446
1c02e7ba 2447 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
105e1512
LP		 2448 if (!ds)
2449 return -ENOMEM;
2450
1c02e7ba
ZJS		 2451 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2452 t->id, dns_resource_key_name(rr->key));
547973de
LP		 2453 r = dns_transaction_request_dnssec_rr(t, ds);
2454 if (r < 0)
2455 return r;
2456
2457 break;
105e1512
LP		 2458 }
2459
b63fca62 2460 case DNS_TYPE_DS:
105e1512
LP		 2461 case DNS_TYPE_CNAME:
2462 case DNS_TYPE_DNAME: {
2463 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2464 const char *name;
2465
2466 /* CNAMEs and DNAMEs cannot be located at a
2467 * zone apex, hence ask for the parent SOA for
2468 * unsigned CNAME/DNAME RRs, maybe that's the
2469 * apex. But do all that only if this is
2470 * actually a response to our original
b63fca62
LP		 2471 * question.
2472 *
2473 * Similar for DS RRs, which are signed when
2474 * the parent SOA is signed. */
105e1512
LP		 2475
2476 r = dns_transaction_is_primary_response(t, rr);
2477 if (r < 0)
2478 return r;
2479 if (r == 0)
2480 continue;
2481
2482 r = dnssec_has_rrsig(t->answer, rr->key);
2483 if (r < 0)
2484 return r;
2485 if (r > 0)
2486 continue;
2487
43e6779a
LP		 2488 r = dns_answer_has_dname_for_cname(t->answer, rr);
2489 if (r < 0)
2490 return r;
2491 if (r > 0)
2492 continue;
2493
1c02e7ba 2494 name = dns_resource_key_name(rr->key);
105e1512
LP		 2495 r = dns_name_parent(&name);
2496 if (r < 0)
2497 return r;
2498 if (r == 0)
2499 continue;
2500
2501 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2502 if (!soa)
2503 return -ENOMEM;
2504
1c02e7ba
ZJS		 2505 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2506 t->id, dns_resource_key_name(rr->key));
105e1512
LP		 2507 r = dns_transaction_request_dnssec_rr(t, soa);
2508 if (r < 0)
2509 return r;
2510
2511 break;
2512 }
2513
2514 default: {
2515 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2516
b63fca62
LP		 2517 /* For other unsigned RRsets (including
2518 * NSEC/NSEC3!), look for proof the zone is
2519 * unsigned, by requesting the SOA RR of the
2520 * zone. However, do so only if they are
2521 * directly relevant to our original
105e1512
LP		 2522 * question. */
2523
2524 r = dns_transaction_is_primary_response(t, rr);
2525 if (r < 0)
2526 return r;
2527 if (r == 0)
2528 continue;
2529
2530 r = dnssec_has_rrsig(t->answer, rr->key);
2531 if (r < 0)
2532 return r;
2533 if (r > 0)
2534 continue;
2535
1c02e7ba 2536 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
105e1512
LP		 2537 if (!soa)
2538 return -ENOMEM;
2539
1c02e7ba
ZJS		 2540 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2541 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
105e1512
LP		 2542 r = dns_transaction_request_dnssec_rr(t, soa);
2543 if (r < 0)
2544 return r;
2545 break;
547973de
LP		 2546 }}
2547 }
2548
105e1512
LP		 2549 /* Above, we requested everything necessary to validate what
2550 * we got. Now, let's request what we need to validate what we
2551 * didn't get... */
2552
2553 r = dns_transaction_has_unsigned_negative_answer(t);
2554 if (r < 0)
2555 return r;
2556 if (r > 0) {
2557 const char *name;
4bbc06cc 2558 uint16_t type = 0;
105e1512 2559
42df9532 2560 name = dns_resource_key_name(dns_transaction_key(t));
105e1512 2561
4bbc06cc
LP		 2562 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2563 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2564 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2565 * though they have further children. If this was a DS request, then it's signed when the parent zone
2566 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2567 * to see if that is signed. */
105e1512 2568
42df9532 2569 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2570 r = dns_name_parent(&name);
4bbc06cc
LP		 2571 if (r > 0) {
2572 type = DNS_TYPE_SOA;
6d72da2f 2573 log_debug("Requesting parent SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
42df9532 2574 name, t->id, dns_resource_key_name(dns_transaction_key(t)));
4bbc06cc 2575 } else
105e1512 2576 name = NULL;
4bbc06cc 2577
42df9532 2578 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
4bbc06cc
LP		 2579
2580 type = DNS_TYPE_DS;
6d72da2f
LP		 2581 log_debug("Requesting DS (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
2582 name, t->id, name);
4bbc06cc
LP		 2583
2584 } else {
2585 type = DNS_TYPE_SOA;
6d72da2f
LP		 2586 log_debug("Requesting SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
2587 name, t->id, name);
4bbc06cc 2588 }
105e1512
LP		 2589
2590 if (name) {
2591 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2592
42df9532 2593 soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name);
105e1512
LP		 2594 if (!soa)
2595 return -ENOMEM;
2596
2597 r = dns_transaction_request_dnssec_rr(t, soa);
2598 if (r < 0)
2599 return r;
2600 }
2601 }
2602
2603 return dns_transaction_dnssec_is_live(t);
547973de
LP		 2604}
2605
2606void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
547973de 2607 assert(t);
547973de
LP		 2608 assert(source);
2609
942eb2e7
LP		 2610 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2611 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2612 the state is VALIDATING however, we should check if we are complete now. */
105e1512 2613
942eb2e7
LP		 2614 if (t->state == DNS_TRANSACTION_VALIDATING)
2615 dns_transaction_process_dnssec(t);
547973de
LP		 2616}
2617
105e1512 2618static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
04617bf8
LP		 2619 DnsAnswerItem *item;
2620 int r;
105e1512
LP		 2621
2622 assert(t);
2623
2624 /* Add all DNSKEY RRs from the answer that are validated by DS
2625 * RRs from the list of validated keys to the list of
2626 * validated keys. */
2627
04617bf8 2628 DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
105e1512 2629
04617bf8 2630 r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
105e1512
LP		 2631 if (r < 0)
2632 return r;
2633 if (r == 0)
2634 continue;
2635
2636 /* If so, the DNSKEY is validated too. */
04617bf8 2637 r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
105e1512
LP		 2638 if (r < 0)
2639 return r;
2640 }
2641
2642 return 0;
2643}
2644
2645static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
56352fe9
LP		 2646 int r;
2647
2648 assert(t);
2649 assert(rr);
2650
105e1512
LP		 2651 /* Checks if the RR we are looking for must be signed with an
2652 * RRSIG. This is used for positive responses. */
24a5b982 2653
b652d4a2 2654 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2655 return false;
56352fe9 2656
105e1512
LP		 2657 if (dns_type_is_pseudo(rr->key->type))
2658 return -EINVAL;
56352fe9 2659
1c02e7ba 2660 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2661 if (r < 0)
2662 return r;
2663 if (r > 0)
2664 return false;
2665
105e1512 2666 switch (rr->key->type) {
56352fe9 2667
105e1512
LP		 2668 case DNS_TYPE_RRSIG:
2669 /* RRSIGs are the signatures themselves, they need no signing. */
2670 return false;
2671
2672 case DNS_TYPE_SOA:
2673 case DNS_TYPE_NS: {
2674 DnsTransaction *dt;
105e1512 2675
b63fca62 2676 /* For SOA or NS RRs we look for a matching DS transaction */
105e1512 2677
90e74a66 2678 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2679
42df9532 2680 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2681 continue;
42df9532 2682 if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
105e1512
LP		 2683 continue;
2684
42df9532 2685 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2686 if (r < 0)
2687 return r;
2688 if (r == 0)
2689 continue;
2690
2691 /* We found a DS transactions for the SOA/NS
2692 * RRs we are looking at. If it discovered signed DS
2693 * RRs, then we need to be signed, too. */
2694
6f055e43 2695 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
097a2517 2696 return false;
105e1512 2697
42df9532 2698 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
105e1512
LP		 2699 }
2700
2701 /* We found nothing that proves this is safe to leave
2702 * this unauthenticated, hence ask inist on
2703 * authentication. */
2704 return true;
2705 }
2706
b63fca62 2707 case DNS_TYPE_DS:
105e1512
LP		 2708 case DNS_TYPE_CNAME:
2709 case DNS_TYPE_DNAME: {
2710 const char *parent = NULL;
2711 DnsTransaction *dt;
105e1512 2712
b63fca62
LP		 2713 /*
2714 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2715 *
2716 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2717 */
105e1512 2718
90e74a66 2719 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2720
42df9532 2721 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2722 continue;
42df9532 2723 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2724 continue;
2725
2726 if (!parent) {
1c02e7ba 2727 parent = dns_resource_key_name(rr->key);
105e1512
LP		 2728 r = dns_name_parent(&parent);
2729 if (r < 0)
2730 return r;
2731 if (r == 0) {
b63fca62
LP		 2732 if (rr->key->type == DNS_TYPE_DS)
2733 return true;
2734
105e1512 2735 /* A CNAME/DNAME without a parent? That's sooo weird. */
baaa35ad
ZJS		 2736 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2737 "Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
105e1512
LP		 2738 }
2739 }
2740
42df9532 2741 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent);
105e1512
LP		 2742 if (r < 0)
2743 return r;
2744 if (r == 0)
2745 continue;
2746
6f055e43 2747 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2748 }
2749
2750 return true;
2751 }
2752
2753 default: {
2754 DnsTransaction *dt;
105e1512 2755
b63fca62 2756 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
105e1512 2757
90e74a66 2758 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2759
42df9532 2760 if (dns_transaction_key(dt)->class != rr->key->class)
105e1512 2761 continue;
42df9532 2762 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
105e1512
LP		 2763 continue;
2764
42df9532 2765 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
105e1512
LP		 2766 if (r < 0)
2767 return r;
2768 if (r == 0)
2769 continue;
2770
6f055e43
LP		 2771 /* We found the transaction that was supposed to find the SOA RR for us. It was
2772 * successful, but found no RR for us. This means we are not at a zone cut. In this
2773 * case, we require authentication if the SOA lookup was authenticated too. */
2774 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
105e1512
LP		 2775 }
2776
2777 return true;
2778 }}
56352fe9
LP		 2779}
2780
d33b6cf3
LP		 2781static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2782 DnsTransaction *dt;
2783 const char *tld;
d33b6cf3
LP		 2784 int r;
2785
2786 /* If DNSSEC downgrade mode is on, checks whether the
2787 * specified RR is one level below a TLD we have proven not to
2788 * exist. In such a case we assume that this is a private
2789 * domain, and permit it.
2790 *
2791 * This detects cases like the Fritz!Box router networks. Each
2792 * Fritz!Box router serves a private "fritz.box" zone, in the
2793 * non-existing TLD "box". Requests for the "fritz.box" domain
2794 * are served by the router itself, while requests for the
2795 * "box" domain will result in NXDOMAIN.
2796 *
2797 * Note that this logic is unable to detect cases where a
2798 * router serves a private DNS zone directly under
2799 * non-existing TLD. In such a case we cannot detect whether
2800 * the TLD is supposed to exist or not, as all requests we
2801 * make for it will be answered by the router's zone, and not
2802 * by the root zone. */
2803
2804 assert(t);
2805
2806 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2807 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2808
1c02e7ba 2809 tld = dns_resource_key_name(key);
d33b6cf3
LP		 2810 r = dns_name_parent(&tld);
2811 if (r < 0)
2812 return r;
2813 if (r == 0)
2814 return false; /* Already the root domain */
2815
2816 if (!dns_name_is_single_label(tld))
2817 return false;
2818
90e74a66 2819 SET_FOREACH(dt, t->dnssec_transactions) {
d33b6cf3 2820
42df9532 2821 if (dns_transaction_key(dt)->class != key->class)
d33b6cf3
LP		 2822 continue;
2823
42df9532 2824 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), tld);
d33b6cf3
LP		 2825 if (r < 0)
2826 return r;
2827 if (r == 0)
2828 continue;
2829
2830 /* We found an auxiliary lookup we did for the TLD. If
2831 * that returned with NXDOMAIN, we know the TLD didn't
2832 * exist, and hence this might be a private zone. */
2833
2834 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2835 }
2836
2837 return false;
2838}
2839
105e1512 2840static int dns_transaction_requires_nsec(DnsTransaction *t) {
4bbc06cc 2841 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
105e1512
LP		 2842 DnsTransaction *dt;
2843 const char *name;
4bbc06cc 2844 uint16_t type = 0;
105e1512 2845 int r;
56352fe9
LP		 2846
2847 assert(t);
2848
105e1512
LP		 2849 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2850 * this negative reply */
56352fe9 2851
b652d4a2 2852 if (t->scope->dnssec_mode == DNSSEC_NO)
105e1512 2853 return false;
56352fe9 2854
42df9532 2855 if (dns_type_is_pseudo(dns_transaction_key(t)->type))
105e1512
LP		 2856 return -EINVAL;
2857
42df9532 2858 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
8e54f5d9
LP		 2859 if (r < 0)
2860 return r;
2861 if (r > 0)
2862 return false;
2863
42df9532 2864 r = dns_transaction_in_private_tld(t, dns_transaction_key(t));
d33b6cf3
LP		 2865 if (r < 0)
2866 return r;
2867 if (r > 0) {
2868 /* The lookup is from a TLD that is proven not to
2869 * exist, and we are in downgrade mode, hence ignore
13e785f7 2870 * that fact that we didn't get any NSEC RRs. */
d33b6cf3 2871
202b76ae 2872 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
42df9532 2873 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
d33b6cf3
LP		 2874 return false;
2875 }
2876
42df9532 2877 name = dns_resource_key_name(dns_transaction_key(t));
105e1512 2878
42df9532 2879 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
105e1512 2880
4bbc06cc
LP		 2881 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
2882 * hence check the parent SOA in this case. */
105e1512
LP		 2883
2884 r = dns_name_parent(&name);
56352fe9
LP		 2885 if (r < 0)
2886 return r;
2887 if (r == 0)
105e1512 2888 return true;
4bbc06cc
LP		 2889
2890 type = DNS_TYPE_SOA;
2891
42df9532 2892 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS))
4bbc06cc
LP		 2893 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
2894 type = DNS_TYPE_DS;
2895 else
2896 /* For all other negative replies, check for the SOA lookup */
2897 type = DNS_TYPE_SOA;
105e1512
LP		 2898
2899 /* For all other RRs we check the SOA on the same level to see
2900 * if it's signed. */
2901
90e74a66 2902 SET_FOREACH(dt, t->dnssec_transactions) {
105e1512 2903
42df9532 2904 if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class)
105e1512 2905 continue;
42df9532 2906 if (dns_transaction_key(dt)->type != type)
56352fe9
LP		 2907 continue;
2908
42df9532 2909 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name);
56352fe9
LP		 2910 if (r < 0)
2911 return r;
105e1512
LP		 2912 if (r == 0)
2913 continue;
2914
6f055e43 2915 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
56352fe9
LP		 2916 }
2917
105e1512
LP		 2918 /* If in doubt, require NSEC/NSEC3 */
2919 return true;
56352fe9
LP		 2920}
2921
94aa7071
LP		 2922static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2923 DnsResourceRecord *rrsig;
2924 bool found = false;
2925 int r;
2926
2927 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2928 * the specified RRset is authenticated (i.e. has a matching
2929 * DS RR). */
2930
1c02e7ba 2931 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
8e54f5d9
LP		 2932 if (r < 0)
2933 return r;
2934 if (r > 0)
2935 return false;
2936
94aa7071
LP		 2937 DNS_ANSWER_FOREACH(rrsig, t->answer) {
2938 DnsTransaction *dt;
94aa7071
LP		 2939
2940 r = dnssec_key_match_rrsig(rr->key, rrsig);
2941 if (r < 0)
2942 return r;
2943 if (r == 0)
2944 continue;
2945
90e74a66 2946 SET_FOREACH(dt, t->dnssec_transactions) {
94aa7071 2947
42df9532 2948 if (dns_transaction_key(dt)->class != rr->key->class)
94aa7071
LP		 2949 continue;
2950
42df9532 2951 if (dns_transaction_key(dt)->type == DNS_TYPE_DNSKEY) {
94aa7071 2952
42df9532 2953 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 2954 if (r < 0)
2955 return r;
2956 if (r == 0)
2957 continue;
2958
6f055e43
LP		 2959 /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
2960 * report this. */
94aa7071 2961
6f055e43 2962 if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 2963 return true;
2964
2965 found = true;
2966
42df9532 2967 } else if (dns_transaction_key(dt)->type == DNS_TYPE_DS) {
94aa7071 2968
42df9532 2969 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
94aa7071
LP		 2970 if (r < 0)
2971 return r;
2972 if (r == 0)
2973 continue;
2974
6f055e43
LP		 2975 /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
2976 * non-zero, we won! */
94aa7071 2977
6f055e43 2978 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
94aa7071
LP		 2979 return false;
2980
42df9532 2981 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
94aa7071
LP		 2982 }
2983 }
2984 }
2985
2986 return found ? false : -ENXIO;
2987}
2988
b652d4a2
LP		 2989static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
2990 assert(t);
2991 assert(rr);
2992
2993 /* We know that the root domain is signed, hence if it appears
2994 * not to be signed, there's a problem with the DNS server */
2995
2996 return rr->key->class == DNS_CLASS_IN &&
1c02e7ba 2997 dns_name_is_root(dns_resource_key_name(rr->key));
b652d4a2
LP		 2998}
2999
0f87f3e8
LP		 3000static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
3001 DnsResourceRecord *rr;
3002 int r;
3003
3004 assert(t);
3005
3006 /* Maybe warn the user that we encountered a revoked DNSKEY
3007 * for a key from our trust anchor. Note that we don't care
3008 * whether the DNSKEY can be authenticated or not. It's
3009 * sufficient if it is self-signed. */
3010
3011 DNS_ANSWER_FOREACH(rr, t->answer) {
d424da2a 3012 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
0f87f3e8
LP		 3013 if (r < 0)
3014 return r;
3015 }
3016
3017 return 0;
3018}
3019
c9c72065
LP		 3020static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
3021 bool changed;
3022 int r;
3023
3024 assert(t);
3025
3026 /* Removes all DNSKEY/DS objects from t->validated_keys that
3027 * our trust anchors database considers revoked. */
3028
3029 do {
3030 DnsResourceRecord *rr;
3031
3032 changed = false;
3033
3034 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
3035 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
3036 if (r < 0)
3037 return r;
3038 if (r > 0) {
3039 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
3040 if (r < 0)
3041 return r;
3042
3043 assert(r > 0);
3044 changed = true;
3045 break;
3046 }
3047 }
3048 } while (changed);
3049
3050 return 0;
3051}
3052
942eb2e7
LP		 3053static int dns_transaction_copy_validated(DnsTransaction *t) {
3054 DnsTransaction *dt;
942eb2e7
LP		 3055 int r;
3056
3057 assert(t);
3058
3059 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
3060
90e74a66 3061 SET_FOREACH(dt, t->dnssec_transactions) {
942eb2e7
LP		 3062
3063 if (DNS_TRANSACTION_IS_LIVE(dt->state))
3064 continue;
3065
6f055e43 3066 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
942eb2e7
LP		 3067 continue;
3068
3069 r = dns_answer_extend(&t->validated_keys, dt->answer);
3070 if (r < 0)
3071 return r;
3072 }
3073
3074 return 0;
3075}
3076
c690b20a
ZJS		 3077typedef enum {
3078 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
3079 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
3080 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
3081} Phase;
3082
3083static int dnssec_validate_records(
3084 DnsTransaction *t,
3085 Phase phase,
3086 bool *have_nsec,
3087 DnsAnswer **validated) {
3088
547973de 3089 DnsResourceRecord *rr;
56352fe9 3090 int r;
547973de 3091
c690b20a 3092 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
547973de 3093
c690b20a
ZJS		 3094 DNS_ANSWER_FOREACH(rr, t->answer) {
3095 DnsResourceRecord *rrsig = NULL;
3096 DnssecResult result;
547973de 3097
c690b20a
ZJS		 3098 switch (rr->key->type) {
3099 case DNS_TYPE_RRSIG:
3100 continue;
547973de 3101
c690b20a
ZJS		 3102 case DNS_TYPE_DNSKEY:
3103 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
3104 if (phase == DNSSEC_PHASE_NSEC)
3105 continue;
3106 break;
547973de 3107
c690b20a
ZJS		 3108 case DNS_TYPE_NSEC:
3109 case DNS_TYPE_NSEC3:
3110 *have_nsec = true;
547973de 3111
c690b20a
ZJS		 3112 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
3113 if (phase == DNSSEC_PHASE_DNSKEY)
3114 continue;
3115 break;
105e1512 3116
c690b20a
ZJS		 3117 default:
3118 /* We validate all other RRs only in the ALL phases */
3119 if (phase != DNSSEC_PHASE_ALL)
3120 continue;
3121 }
b652d4a2 3122
04617bf8
LP		 3123 r = dnssec_verify_rrset_search(
3124 t->answer,
3125 rr->key,
3126 t->validated_keys,
3127 USEC_INFINITY,
3128 &result,
3129 &rrsig);
c690b20a
ZJS		 3130 if (r < 0)
3131 return r;
547973de 3132
c690b20a 3133 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
0f87f3e8 3134
c690b20a 3135 if (result == DNSSEC_VALIDATED) {
04617bf8 3136 assert(rrsig);
942eb2e7 3137
c690b20a
ZJS		 3138 if (rr->key->type == DNS_TYPE_DNSKEY) {
3139 /* If we just validated a DNSKEY RRset, then let's add these keys to
3140 * the set of validated keys for this transaction. */
547973de 3141
04617bf8 3142 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
c690b20a
ZJS		 3143 if (r < 0)
3144 return r;
c9c72065 3145
c690b20a
ZJS		 3146 /* Some of the DNSKEYs we just added might already have been revoked,
3147 * remove them again in that case. */
3148 r = dns_transaction_invalidate_revoked_keys(t);
3149 if (r < 0)
3150 return r;
3151 }
547973de 3152
04617bf8
LP		 3153 /* Add the validated RRset to the new list of validated RRsets, and remove it from
3154 * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
3155 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
c690b20a
ZJS		 3156 if (r < 0)
3157 return r;
547973de 3158
c690b20a 3159 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
0c7bff0a 3160
c690b20a
ZJS		 3161 /* Exit the loop, we dropped something from the answer, start from the beginning */
3162 return 1;
3163 }
547973de 3164
c690b20a
ZJS		 3165 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
3166 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
3167 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
3168 if (phase != DNSSEC_PHASE_ALL)
3169 continue;
0c7bff0a 3170
c690b20a
ZJS		 3171 if (result == DNSSEC_VALIDATED_WILDCARD) {
3172 bool authenticated = false;
3173 const char *source;
0c7bff0a 3174
04617bf8
LP		 3175 assert(rrsig);
3176
c690b20a 3177 /* This RRset validated, but as a wildcard. This means we need
13e785f7 3178 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
0c7bff0a 3179
c690b20a
ZJS		 3180 /* First step, determine the source of synthesis */
3181 r = dns_resource_record_source(rrsig, &source);
3182 if (r < 0)
3183 return r;
0c7bff0a 3184
c690b20a 3185 r = dnssec_test_positive_wildcard(*validated,
1c02e7ba 3186 dns_resource_key_name(rr->key),
c690b20a
ZJS		 3187 source,
3188 rrsig->rrsig.signer,
3189 &authenticated);
0c7bff0a 3190
c690b20a
ZJS		 3191 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
3192 if (r == 0)
3193 result = DNSSEC_INVALID;
3194 else {
04617bf8
LP		 3195 r = dns_answer_move_by_key(
3196 validated,
3197 &t->answer,
3198 rr->key,
3199 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
3200 rrsig);
c690b20a
ZJS		 3201 if (r < 0)
3202 return r;
3203
3204 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
3205
3206 /* Exit the loop, we dropped something from the answer, start from the beginning */
3207 return 1;
0c7bff0a 3208 }
c690b20a 3209 }
0c7bff0a 3210
c690b20a
ZJS		 3211 if (result == DNSSEC_NO_SIGNATURE) {
3212 r = dns_transaction_requires_rrsig(t, rr);
547973de
LP		 3213 if (r < 0)
3214 return r;
c690b20a
ZJS		 3215 if (r == 0) {
3216 /* Data does not require signing. In that case, just copy it over,
13e785f7 3217 * but remember that this is by no means authenticated. */
04617bf8
LP		 3218 r = dns_answer_move_by_key(
3219 validated,
3220 &t->answer,
3221 rr->key,
3222 0,
3223 NULL);
c690b20a
ZJS		 3224 if (r < 0)
3225 return r;
3226
3227 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3228 return 1;
3229 }
547973de 3230
c690b20a
ZJS		 3231 r = dns_transaction_known_signed(t, rr);
3232 if (r < 0)
3233 return r;
3234 if (r > 0) {
3235 /* This is an RR we know has to be signed. If it isn't this means
3236 * the server is not attaching RRSIGs, hence complain. */
547973de 3237
c690b20a 3238 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
547973de 3239
c690b20a 3240 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
547973de 3241
c690b20a 3242 /* Downgrading is OK? If so, just consider the information unsigned */
c9c72065 3243
04617bf8 3244 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
c9c72065
LP		 3245 if (r < 0)
3246 return r;
547973de 3247
c690b20a
ZJS		 3248 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3249 return 1;
3250 }
a150ff5e 3251
c690b20a
ZJS		 3252 /* Otherwise, fail */
3253 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3254 return 0;
f3cf586d 3255 }
547973de 3256
c690b20a
ZJS		 3257 r = dns_transaction_in_private_tld(t, rr->key);
3258 if (r < 0)
3259 return r;
3260 if (r > 0) {
202b76ae 3261 char s[DNS_RESOURCE_KEY_STRING_MAX];
b652d4a2 3262
c690b20a
ZJS		 3263 /* The data is from a TLD that is proven not to exist, and we are in downgrade
3264 * mode, hence ignore the fact that this was not signed. */
0c7bff0a 3265
202b76ae
ZJS		 3266 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
3267 dns_resource_key_to_string(rr->key, s, sizeof s));
0c7bff0a 3268
04617bf8 3269 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
0c7bff0a
LP		 3270 if (r < 0)
3271 return r;
0c7bff0a 3272
c690b20a
ZJS		 3273 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3274 return 1;
3275 }
3276 }
0c7bff0a 3277
c690b20a
ZJS		 3278 if (IN_SET(result,
3279 DNSSEC_MISSING_KEY,
3280 DNSSEC_SIGNATURE_EXPIRED,
3281 DNSSEC_UNSUPPORTED_ALGORITHM)) {
0c7bff0a 3282
c690b20a
ZJS		 3283 r = dns_transaction_dnskey_authenticated(t, rr);
3284 if (r < 0 && r != -ENXIO)
3285 return r;
3286 if (r == 0) {
3287 /* The DNSKEY transaction was not authenticated, this means there's
3288 * no DS for this, which means it's OK if no keys are found for this signature. */
0c7bff0a 3289
04617bf8 3290 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
f3cf586d
LP		 3291 if (r < 0)
3292 return r;
b652d4a2 3293
c690b20a
ZJS		 3294 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3295 return 1;
3296 }
3297 }
b652d4a2 3298
c690b20a
ZJS		 3299 r = dns_transaction_is_primary_response(t, rr);
3300 if (r < 0)
3301 return r;
3302 if (r > 0) {
3303 /* Look for a matching DNAME for this CNAME */
3304 r = dns_answer_has_dname_for_cname(t->answer, rr);
3305 if (r < 0)
3306 return r;
3307 if (r == 0) {
3308 /* Also look among the stuff we already validated */
3309 r = dns_answer_has_dname_for_cname(*validated, rr);
f3cf586d
LP		 3310 if (r < 0)
3311 return r;
c690b20a 3312 }
d33b6cf3 3313
c690b20a
ZJS		 3314 if (r == 0) {
3315 if (IN_SET(result,
3316 DNSSEC_INVALID,
3317 DNSSEC_SIGNATURE_EXPIRED,
3318 DNSSEC_NO_SIGNATURE))
3319 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
3320 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
3321 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
3322
3323 /* This is a primary response to our question, and it failed validation.
3324 * That's fatal. */
3325 t->answer_dnssec_result = result;
3326 return 0;
3327 }
d33b6cf3 3328
c690b20a
ZJS		 3329 /* This is a primary response, but we do have a DNAME RR
3330 * in the RR that can replay this CNAME, hence rely on
3331 * that, and we can remove the CNAME in favour of it. */
3332 }
d33b6cf3 3333
c690b20a
ZJS		 3334 /* This is just some auxiliary data. Just remove the RRset and continue. */
3335 r = dns_answer_remove_by_key(&t->answer, rr->key);
3336 if (r < 0)
3337 return r;
d33b6cf3 3338
c690b20a
ZJS		 3339 /* We dropped something from the answer, start from the beginning. */
3340 return 1;
3341 }
f3cf586d 3342
c690b20a
ZJS		 3343 return 2; /* Finito. */
3344}
94aa7071 3345
c690b20a
ZJS		 3346int dns_transaction_validate_dnssec(DnsTransaction *t) {
3347 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
3348 Phase phase;
3349 DnsAnswerFlags flags;
3350 int r;
202b76ae 3351 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
94aa7071 3352
c690b20a 3353 assert(t);
94aa7071 3354
775ae354 3355 /* We have now collected all DS and DNSKEY RRs in t->validated_keys, let's see which RRs we can now
c690b20a 3356 * authenticate with that. */
94aa7071 3357
775ae354 3358 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
c690b20a 3359 return 0;
a150ff5e 3360
c690b20a
ZJS		 3361 /* Already validated */
3362 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3363 return 0;
105e1512 3364
c690b20a
ZJS		 3365 /* Our own stuff needs no validation */
3366 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3367 t->answer_dnssec_result = DNSSEC_VALIDATED;
6f055e43 3368 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
c690b20a
ZJS		 3369 return 0;
3370 }
a150ff5e 3371
c690b20a
ZJS		 3372 /* Cached stuff is not affected by validation. */
3373 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3374 return 0;
f3cf586d 3375
c690b20a
ZJS		 3376 if (!dns_transaction_dnssec_supported_full(t)) {
3377 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3378 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
d001e0a3 3379 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
c690b20a
ZJS		 3380 return 0;
3381 }
f3cf586d 3382
202b76ae
ZJS		 3383 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3384 t->id,
42df9532 3385 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
547973de 3386
c690b20a
ZJS		 3387 /* First, see if this response contains any revoked trust
3388 * anchors we care about */
3389 r = dns_transaction_check_revoked_trust_anchors(t);
3390 if (r < 0)
3391 return r;
43e6779a 3392
c690b20a
ZJS		 3393 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3394 r = dns_transaction_copy_validated(t);
3395 if (r < 0)
3396 return r;
43e6779a 3397
c690b20a
ZJS		 3398 /* Second, see if there are DNSKEYs we already know a
3399 * validated DS for. */
3400 r = dns_transaction_validate_dnskey_by_ds(t);
3401 if (r < 0)
3402 return r;
43e6779a 3403
c690b20a
ZJS		 3404 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3405 * anchor says are revoked. After all we might have marked
3406 * some keys revoked above, but they might still be lingering
3407 * in our validated_keys list. */
3408 r = dns_transaction_invalidate_revoked_keys(t);
3409 if (r < 0)
3410 return r;
f3cf586d 3411
c690b20a
ZJS		 3412 phase = DNSSEC_PHASE_DNSKEY;
3413 for (;;) {
3414 bool have_nsec = false;
f3cf586d 3415
c690b20a
ZJS		 3416 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3417 if (r <= 0)
3418 return r;
547973de 3419
c690b20a
ZJS		 3420 /* Try again as long as we managed to achieve something */
3421 if (r == 1)
547973de
LP		 3422 continue;
3423
c690b20a 3424 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
0c7bff0a 3425 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
c690b20a 3426 phase = DNSSEC_PHASE_NSEC;
0c7bff0a
LP		 3427 continue;
3428 }
3429
c690b20a
ZJS		 3430 if (phase != DNSSEC_PHASE_ALL) {
3431 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3432 * Note that in this third phase we start to remove RRs we couldn't validate. */
3433 phase = DNSSEC_PHASE_ALL;
56352fe9 3434 continue;
547973de
LP		 3435 }
3436
56352fe9 3437 /* We're done */
547973de
LP		 3438 break;
3439 }
3440
3441 dns_answer_unref(t->answer);
1cc6c93a 3442 t->answer = TAKE_PTR(validated);
547973de 3443
72667f08
LP		 3444 /* At this point the answer only contains validated
3445 * RRsets. Now, let's see if it actually answers the question
3446 * we asked. If so, great! If it doesn't, then see if
3447 * NSEC/NSEC3 can prove this. */
105e1512 3448 r = dns_transaction_has_positive_answer(t, &flags);
72667f08 3449 if (r > 0) {
105e1512
LP		 3450 /* Yes, it answers the question! */
3451
3452 if (flags & DNS_ANSWER_AUTHENTICATED) {
3453 /* The answer is fully authenticated, yay. */
019036a4 3454 t->answer_dnssec_result = DNSSEC_VALIDATED;
105e1512 3455 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3456 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
105e1512
LP		 3457 } else {
3458 /* The answer is not fully authenticated. */
019036a4 3459 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3460 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
105e1512
LP		 3461 }
3462
72667f08
LP		 3463 } else if (r == 0) {
3464 DnssecNsecResult nr;
ed29bfdc 3465 bool authenticated = false;
72667f08
LP		 3466
3467 /* Bummer! Let's check NSEC/NSEC3 */
42df9532 3468 r = dnssec_nsec_test(t->answer, dns_transaction_key(t), &nr, &authenticated, &t->answer_nsec_ttl);
72667f08
LP		 3469 if (r < 0)
3470 return r;
3471
3472 switch (nr) {
3473
3474 case DNSSEC_NSEC_NXDOMAIN:
3475 /* NSEC proves the domain doesn't exist. Very good. */
202b76ae 3476 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3477 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3478 t->answer_rcode = DNS_RCODE_NXDOMAIN;
6f055e43 3479 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3480
42df9532 3481 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3482 break;
3483
3484 case DNSSEC_NSEC_NODATA:
3485 /* NSEC proves that there's no data here, very good. */
202b76ae 3486 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3487 t->answer_dnssec_result = DNSSEC_VALIDATED;
72667f08 3488 t->answer_rcode = DNS_RCODE_SUCCESS;
6f055e43 3489 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
7aa8ce98 3490
42df9532 3491 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
72667f08
LP		 3492 break;
3493
105e1512
LP		 3494 case DNSSEC_NSEC_OPTOUT:
3495 /* NSEC3 says the data might not be signed */
202b76ae 3496 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
019036a4 3497 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3498 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
7aa8ce98 3499
42df9532 3500 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3501 break;
3502
72667f08
LP		 3503 case DNSSEC_NSEC_NO_RR:
3504 /* No NSEC data? Bummer! */
105e1512
LP		 3505
3506 r = dns_transaction_requires_nsec(t);
3507 if (r < 0)
3508 return r;
7aa8ce98 3509 if (r > 0) {
019036a4 3510 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
42df9532 3511 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
7aa8ce98 3512 } else {
019036a4 3513 t->answer_dnssec_result = DNSSEC_UNSIGNED;
6f055e43 3514 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
42df9532 3515 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
105e1512
LP		 3516 }
3517
3518 break;
3519
3520 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3521 /* We don't know the NSEC3 algorithm used? */
019036a4 3522 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
42df9532 3523 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, dns_transaction_key(t));
72667f08
LP		 3524 break;
3525
3526 case DNSSEC_NSEC_FOUND:
146035b3 3527 case DNSSEC_NSEC_CNAME:
72667f08 3528 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
019036a4 3529 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
42df9532 3530 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
72667f08
LP		 3531 break;
3532
3533 default:
3534 assert_not_reached("Unexpected NSEC result.");
3535 }
3536 }
3537
547973de
LP		 3538 return 1;
3539}
3540
ec2c5e43
LP		 3541static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
3542 [DNS_TRANSACTION_NULL] = "null",
3543 [DNS_TRANSACTION_PENDING] = "pending",
547973de 3544 [DNS_TRANSACTION_VALIDATING] = "validating",
3bbdc31d 3545 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
ec2c5e43
LP		 3546 [DNS_TRANSACTION_SUCCESS] = "success",
3547 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3548 [DNS_TRANSACTION_TIMEOUT] = "timeout",
3549 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
3550 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
7cc6ed7b 3551 [DNS_TRANSACTION_ERRNO] = "errno",
ec2c5e43 3552 [DNS_TRANSACTION_ABORTED] = "aborted",
547973de 3553 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
b2b796b8 3554 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
91adc4db 3555 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
edbcc1fd 3556 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
0791110f 3557 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
775ae354 3558 [DNS_TRANSACTION_NO_SOURCE] = "no-source",
49ef064c 3559 [DNS_TRANSACTION_STUB_LOOP] = "stub-loop",
ec2c5e43
LP		 3560};
3561DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
c3bc53e6
LP		 3562
3563static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
3564 [DNS_TRANSACTION_NETWORK] = "network",
3565 [DNS_TRANSACTION_CACHE] = "cache",
3566 [DNS_TRANSACTION_ZONE] = "zone",
0d2cd476 3567 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
c3bc53e6
LP		 3568};
3569DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.