]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-query.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
license: LGPL-2.1+ -> LGPL-2.1-or-later
[thirdparty/systemd.git] / src / resolve / resolved-dns-query.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "alloc-util.h"
4 #include "dns-domain.h"
5 #include "dns-type.h"
6 #include "hostname-util.h"
7 #include "local-addresses.h"
8 #include "resolved-dns-query.h"
9 #include "resolved-dns-synthesize.h"
10 #include "resolved-etc-hosts.h"
11 #include "string-util.h"
12
13 #define CNAME_MAX 8
14 #define QUERIES_MAX 2048
15 #define AUXILIARY_QUERIES_MAX 64
16
17 static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
18 DnsQueryCandidate *c;
19
20 assert(ret);
21 assert(q);
22 assert(s);
23
24 c = new(DnsQueryCandidate, 1);
25 if (!c)
26 return -ENOMEM;
27
28 *c = (DnsQueryCandidate) {
29 .query = q,
30 .scope = s,
31 };
32
33 LIST_PREPEND(candidates_by_query, q->candidates, c);
34 LIST_PREPEND(candidates_by_scope, s->query_candidates, c);
35
36 *ret = c;
37 return 0;
38 }
39
40 static void dns_query_candidate_stop(DnsQueryCandidate *c) {
41 DnsTransaction *t;
42
43 assert(c);
44
45 while ((t = set_steal_first(c->transactions))) {
46 set_remove(t->notify_query_candidates, c);
47 set_remove(t->notify_query_candidates_done, c);
48 dns_transaction_gc(t);
49 }
50 }
51
52 DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
53
54 if (!c)
55 return NULL;
56
57 dns_query_candidate_stop(c);
58
59 set_free(c->transactions);
60 dns_search_domain_unref(c->search_domain);
61
62 if (c->query)
63 LIST_REMOVE(candidates_by_query, c->query->candidates, c);
64
65 if (c->scope)
66 LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c);
67
68 return mfree(c);
69 }
70
71 static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
72 DnsSearchDomain *next = NULL;
73
74 assert(c);
75
76 if (c->search_domain && c->search_domain->linked)
77 next = c->search_domain->domains_next;
78 else
79 next = dns_scope_get_search_domains(c->scope);
80
81 for (;;) {
82 if (!next) /* We hit the end of the list */
83 return 0;
84
85 if (!next->route_only)
86 break;
87
88 /* Skip over route-only domains */
89 next = next->domains_next;
90 }
91
92 dns_search_domain_unref(c->search_domain);
93 c->search_domain = dns_search_domain_ref(next);
94
95 return 1;
96 }
97
98 static int dns_query_candidate_add_transaction(DnsQueryCandidate *c, DnsResourceKey *key) {
99 _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL;
100 int r;
101
102 assert(c);
103 assert(key);
104
105 t = dns_scope_find_transaction(c->scope, key, true);
106 if (!t) {
107 r = dns_transaction_new(&t, c->scope, key);
108 if (r < 0)
109 return r;
110 } else if (set_contains(c->transactions, t))
111 return 0;
112
113 r = set_ensure_allocated(&t->notify_query_candidates_done, NULL);
114 if (r < 0)
115 return r;
116
117 r = set_ensure_put(&t->notify_query_candidates, NULL, c);
118 if (r < 0)
119 return r;
120
121 r = set_ensure_put(&c->transactions, NULL, t);
122 if (r < 0) {
123 (void) set_remove(t->notify_query_candidates, c);
124 return r;
125 }
126
127 t->clamp_ttl = c->query->clamp_ttl;
128 TAKE_PTR(t);
129 return 1;
130 }
131
132 static int dns_query_candidate_go(DnsQueryCandidate *c) {
133 DnsTransaction *t;
134 int r;
135 unsigned n = 0;
136
137 assert(c);
138
139 /* Start the transactions that are not started yet */
140 SET_FOREACH(t, c->transactions) {
141 if (t->state != DNS_TRANSACTION_NULL)
142 continue;
143
144 r = dns_transaction_go(t);
145 if (r < 0)
146 return r;
147
148 n++;
149 }
150
151 /* If there was nothing to start, then let's proceed immediately */
152 if (n == 0)
153 dns_query_candidate_notify(c);
154
155 return 0;
156 }
157
158 static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {
159 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
160 DnsTransaction *t;
161
162 assert(c);
163
164 if (c->error_code != 0)
165 return DNS_TRANSACTION_ERRNO;
166
167 SET_FOREACH(t, c->transactions) {
168
169 switch (t->state) {
170
171 case DNS_TRANSACTION_NULL:
172 /* If there's a NULL transaction pending, then
173 * this means not all transactions where
174 * started yet, and we were called from within
175 * the stackframe that is supposed to start
176 * remaining transactions. In this case,
177 * simply claim the candidate is pending. */
178
179 case DNS_TRANSACTION_PENDING:
180 case DNS_TRANSACTION_VALIDATING:
181 /* If there's one transaction currently in
182 * VALIDATING state, then this means there's
183 * also one in PENDING state, hence we can
184 * return PENDING immediately. */
185 return DNS_TRANSACTION_PENDING;
186
187 case DNS_TRANSACTION_SUCCESS:
188 state = t->state;
189 break;
190
191 default:
192 if (state != DNS_TRANSACTION_SUCCESS)
193 state = t->state;
194
195 break;
196 }
197 }
198
199 return state;
200 }
201
202 static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) {
203 DnsQuestion *question;
204 DnsResourceKey *key;
205 int n = 0, r;
206
207 assert(c);
208
209 dns_query_candidate_stop(c);
210
211 question = dns_query_question_for_protocol(c->query, c->scope->protocol);
212
213 /* Create one transaction per question key */
214 DNS_QUESTION_FOREACH(key, question) {
215 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL;
216 DnsResourceKey *qkey;
217
218 if (c->search_domain) {
219 r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name);
220 if (r < 0)
221 goto fail;
222
223 qkey = new_key;
224 } else
225 qkey = key;
226
227 if (!dns_scope_good_key(c->scope, qkey))
228 continue;
229
230 r = dns_query_candidate_add_transaction(c, qkey);
231 if (r < 0)
232 goto fail;
233
234 n++;
235 }
236
237 return n;
238
239 fail:
240 dns_query_candidate_stop(c);
241 return r;
242 }
243
244 void dns_query_candidate_notify(DnsQueryCandidate *c) {
245 DnsTransactionState state;
246 int r;
247
248 assert(c);
249
250 state = dns_query_candidate_state(c);
251
252 if (DNS_TRANSACTION_IS_LIVE(state))
253 return;
254
255 if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
256
257 r = dns_query_candidate_next_search_domain(c);
258 if (r < 0)
259 goto fail;
260
261 if (r > 0) {
262 /* OK, there's another search domain to try, let's do so. */
263
264 r = dns_query_candidate_setup_transactions(c);
265 if (r < 0)
266 goto fail;
267
268 if (r > 0) {
269 /* New transactions where queued. Start them and wait */
270
271 r = dns_query_candidate_go(c);
272 if (r < 0)
273 goto fail;
274
275 return;
276 }
277 }
278
279 }
280
281 dns_query_ready(c->query);
282 return;
283
284 fail:
285 log_warning_errno(r, "Failed to follow search domains: %m");
286 c->error_code = r;
287 dns_query_ready(c->query);
288 }
289
290 static void dns_query_stop(DnsQuery *q) {
291 DnsQueryCandidate *c;
292
293 assert(q);
294
295 q->timeout_event_source = sd_event_source_unref(q->timeout_event_source);
296
297 LIST_FOREACH(candidates_by_query, c, q->candidates)
298 dns_query_candidate_stop(c);
299 }
300
301 static void dns_query_free_candidates(DnsQuery *q) {
302 assert(q);
303
304 while (q->candidates)
305 dns_query_candidate_free(q->candidates);
306 }
307
308 static void dns_query_reset_answer(DnsQuery *q) {
309 assert(q);
310
311 q->answer = dns_answer_unref(q->answer);
312 q->answer_rcode = 0;
313 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
314 q->answer_errno = 0;
315 q->answer_authenticated = false;
316 q->answer_protocol = _DNS_PROTOCOL_INVALID;
317 q->answer_family = AF_UNSPEC;
318 q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
319 }
320
321 DnsQuery *dns_query_free(DnsQuery *q) {
322 if (!q)
323 return NULL;
324
325 while (q->auxiliary_queries)
326 dns_query_free(q->auxiliary_queries);
327
328 if (q->auxiliary_for) {
329 assert(q->auxiliary_for->n_auxiliary_queries > 0);
330 q->auxiliary_for->n_auxiliary_queries--;
331 LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q);
332 }
333
334 dns_query_free_candidates(q);
335
336 dns_question_unref(q->question_idna);
337 dns_question_unref(q->question_utf8);
338
339 dns_query_reset_answer(q);
340
341 sd_bus_message_unref(q->bus_request);
342 sd_bus_track_unref(q->bus_track);
343
344 if (q->varlink_request) {
345 varlink_set_userdata(q->varlink_request, NULL);
346 varlink_unref(q->varlink_request);
347 }
348
349 dns_packet_unref(q->request_dns_packet);
350 dns_packet_unref(q->reply_dns_packet);
351
352 if (q->request_dns_stream) {
353 /* Detach the stream from our query, in case something else keeps a reference to it. */
354 (void) set_remove(q->request_dns_stream->queries, q);
355 q->request_dns_stream = dns_stream_unref(q->request_dns_stream);
356 }
357
358 free(q->request_address_string);
359
360 if (q->manager) {
361 LIST_REMOVE(queries, q->manager->dns_queries, q);
362 q->manager->n_dns_queries--;
363 }
364
365 return mfree(q);
366 }
367
368 int dns_query_new(
369 Manager *m,
370 DnsQuery **ret,
371 DnsQuestion *question_utf8,
372 DnsQuestion *question_idna,
373 int ifindex,
374 uint64_t flags) {
375
376 _cleanup_(dns_query_freep) DnsQuery *q = NULL;
377 DnsResourceKey *key;
378 bool good = false;
379 int r;
380 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
381
382 assert(m);
383
384 if (dns_question_size(question_utf8) > 0) {
385 r = dns_question_is_valid_for_query(question_utf8);
386 if (r < 0)
387 return r;
388 if (r == 0)
389 return -EINVAL;
390
391 good = true;
392 }
393
394 /* If the IDNA and UTF8 questions are the same, merge their references */
395 r = dns_question_is_equal(question_idna, question_utf8);
396 if (r < 0)
397 return r;
398 if (r > 0)
399 question_idna = question_utf8;
400 else {
401 if (dns_question_size(question_idna) > 0) {
402 r = dns_question_is_valid_for_query(question_idna);
403 if (r < 0)
404 return r;
405 if (r == 0)
406 return -EINVAL;
407
408 good = true;
409 }
410 }
411
412 if (!good) /* don't allow empty queries */
413 return -EINVAL;
414
415 if (m->n_dns_queries >= QUERIES_MAX)
416 return -EBUSY;
417
418 q = new(DnsQuery, 1);
419 if (!q)
420 return -ENOMEM;
421
422 *q = (DnsQuery) {
423 .question_utf8 = dns_question_ref(question_utf8),
424 .question_idna = dns_question_ref(question_idna),
425 .ifindex = ifindex,
426 .flags = flags,
427 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
428 .answer_protocol = _DNS_PROTOCOL_INVALID,
429 .answer_family = AF_UNSPEC,
430 };
431
432 /* First dump UTF8 question */
433 DNS_QUESTION_FOREACH(key, question_utf8)
434 log_debug("Looking up RR for %s.",
435 dns_resource_key_to_string(key, key_str, sizeof key_str));
436
437 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
438 DNS_QUESTION_FOREACH(key, question_idna) {
439 r = dns_question_contains(question_utf8, key);
440 if (r < 0)
441 return r;
442 if (r > 0)
443 continue;
444
445 log_debug("Looking up IDNA RR for %s.",
446 dns_resource_key_to_string(key, key_str, sizeof key_str));
447 }
448
449 LIST_PREPEND(queries, m->dns_queries, q);
450 m->n_dns_queries++;
451 q->manager = m;
452
453 if (ret)
454 *ret = q;
455 q = NULL;
456
457 return 0;
458 }
459
460 int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {
461 assert(q);
462 assert(auxiliary_for);
463
464 /* Ensure that the query is not auxiliary yet, and
465 * nothing else is auxiliary to it either */
466 assert(!q->auxiliary_for);
467 assert(!q->auxiliary_queries);
468
469 /* Ensure that the unit we shall be made auxiliary for isn't
470 * auxiliary itself */
471 assert(!auxiliary_for->auxiliary_for);
472
473 if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX)
474 return -EAGAIN;
475
476 LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q);
477 q->auxiliary_for = auxiliary_for;
478
479 auxiliary_for->n_auxiliary_queries++;
480 return 0;
481 }
482
483 void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
484 assert(q);
485 assert(!DNS_TRANSACTION_IS_LIVE(state));
486 assert(DNS_TRANSACTION_IS_LIVE(q->state));
487
488 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
489 * query or transaction after calling this function. */
490
491 q->state = state;
492
493 dns_query_stop(q);
494 if (q->complete)
495 q->complete(q);
496 }
497
498 static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) {
499 DnsQuery *q = userdata;
500
501 assert(s);
502 assert(q);
503
504 dns_query_complete(q, DNS_TRANSACTION_TIMEOUT);
505 return 0;
506 }
507
508 static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
509 _cleanup_(dns_query_candidate_freep) DnsQueryCandidate *c = NULL;
510 int r;
511
512 assert(q);
513 assert(s);
514
515 r = dns_query_candidate_new(&c, q, s);
516 if (r < 0)
517 return r;
518
519 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
520 if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) &&
521 dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) {
522 /* OK, we want a search domain now. Let's find one for this scope */
523
524 r = dns_query_candidate_next_search_domain(c);
525 if (r < 0)
526 return r;
527 }
528
529 r = dns_query_candidate_setup_transactions(c);
530 if (r < 0)
531 return r;
532
533 TAKE_PTR(c);
534 return 0;
535 }
536
537 static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
538 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
539 int r;
540
541 assert(q);
542 assert(state);
543
544 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
545 * the normal lookup finished. The data from the network hence takes precedence over the data we
546 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
547
548 if (!IN_SET(*state,
549 DNS_TRANSACTION_RCODE_FAILURE,
550 DNS_TRANSACTION_NO_SERVERS,
551 DNS_TRANSACTION_TIMEOUT,
552 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED,
553 DNS_TRANSACTION_NETWORK_DOWN,
554 DNS_TRANSACTION_NOT_FOUND))
555 return 0;
556
557 r = dns_synthesize_answer(
558 q->manager,
559 q->question_utf8,
560 q->ifindex,
561 &answer);
562 if (r == -ENXIO) {
563 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
564
565 dns_query_reset_answer(q);
566 q->answer_rcode = DNS_RCODE_NXDOMAIN;
567 q->answer_protocol = dns_synthesize_protocol(q->flags);
568 q->answer_family = dns_synthesize_family(q->flags);
569 q->answer_authenticated = true;
570 *state = DNS_TRANSACTION_RCODE_FAILURE;
571
572 return 0;
573 }
574 if (r <= 0)
575 return r;
576
577 dns_query_reset_answer(q);
578
579 q->answer = TAKE_PTR(answer);
580 q->answer_rcode = DNS_RCODE_SUCCESS;
581 q->answer_protocol = dns_synthesize_protocol(q->flags);
582 q->answer_family = dns_synthesize_family(q->flags);
583 q->answer_authenticated = true;
584
585 *state = DNS_TRANSACTION_SUCCESS;
586
587 return 1;
588 }
589
590 static int dns_query_try_etc_hosts(DnsQuery *q) {
591 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
592 int r;
593
594 assert(q);
595
596 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is done. The
597 * data from /etc/hosts hence takes precedence over the network. */
598
599 r = manager_etc_hosts_lookup(
600 q->manager,
601 q->question_utf8,
602 &answer);
603 if (r <= 0)
604 return r;
605
606 dns_query_reset_answer(q);
607
608 q->answer = TAKE_PTR(answer);
609 q->answer_rcode = DNS_RCODE_SUCCESS;
610 q->answer_protocol = dns_synthesize_protocol(q->flags);
611 q->answer_family = dns_synthesize_family(q->flags);
612 q->answer_authenticated = true;
613
614 return 1;
615 }
616
617 int dns_query_go(DnsQuery *q) {
618 DnsScopeMatch found = DNS_SCOPE_NO;
619 DnsScope *s, *first = NULL;
620 DnsQueryCandidate *c;
621 int r;
622
623 assert(q);
624
625 if (q->state != DNS_TRANSACTION_NULL)
626 return 0;
627
628 r = dns_query_try_etc_hosts(q);
629 if (r < 0)
630 return r;
631 if (r > 0) {
632 dns_query_complete(q, DNS_TRANSACTION_SUCCESS);
633 return 1;
634 }
635
636 LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
637 DnsScopeMatch match;
638 const char *name;
639
640 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
641 if (!name)
642 continue;
643
644 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
645 if (match < 0) {
646 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
647 continue;
648 }
649
650 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
651 * that matches this well */
652 found = match;
653 first = s;
654 }
655 }
656
657 if (found == DNS_SCOPE_NO) {
658 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
659
660 r = dns_query_synthesize_reply(q, &state);
661 if (r < 0)
662 return r;
663
664 dns_query_complete(q, state);
665 return 1;
666 }
667
668 r = dns_query_add_candidate(q, first);
669 if (r < 0)
670 goto fail;
671
672 LIST_FOREACH(scopes, s, first->scopes_next) {
673 DnsScopeMatch match;
674 const char *name;
675
676 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
677 if (!name)
678 continue;
679
680 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
681 if (match < 0) {
682 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
683 continue;
684 }
685
686 if (match < found)
687 continue;
688
689 r = dns_query_add_candidate(q, s);
690 if (r < 0)
691 goto fail;
692 }
693
694 dns_query_reset_answer(q);
695
696 r = sd_event_add_time_relative(
697 q->manager->event,
698 &q->timeout_event_source,
699 clock_boottime_or_monotonic(),
700 SD_RESOLVED_QUERY_TIMEOUT_USEC,
701 0, on_query_timeout, q);
702 if (r < 0)
703 goto fail;
704
705 (void) sd_event_source_set_description(q->timeout_event_source, "query-timeout");
706
707 q->state = DNS_TRANSACTION_PENDING;
708 q->block_ready++;
709
710 /* Start the transactions */
711 LIST_FOREACH(candidates_by_query, c, q->candidates) {
712 r = dns_query_candidate_go(c);
713 if (r < 0) {
714 q->block_ready--;
715 goto fail;
716 }
717 }
718
719 q->block_ready--;
720 dns_query_ready(q);
721
722 return 1;
723
724 fail:
725 dns_query_stop(q);
726 return r;
727 }
728
729 static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
730 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
731 bool has_authenticated = false, has_non_authenticated = false;
732 DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
733 DnsTransaction *t;
734 int r;
735
736 assert(q);
737
738 if (!c) {
739 r = dns_query_synthesize_reply(q, &state);
740 if (r < 0)
741 goto fail;
742
743 dns_query_complete(q, state);
744 return;
745 }
746
747 if (c->error_code != 0) {
748 /* If the candidate had an error condition of its own, start with that. */
749 state = DNS_TRANSACTION_ERRNO;
750 q->answer = dns_answer_unref(q->answer);
751 q->answer_rcode = 0;
752 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
753 q->answer_authenticated = false;
754 q->answer_errno = c->error_code;
755 }
756
757 SET_FOREACH(t, c->transactions) {
758
759 switch (t->state) {
760
761 case DNS_TRANSACTION_SUCCESS: {
762 /* We found a successfully reply, merge it into the answer */
763 r = dns_answer_extend(&q->answer, t->answer);
764 if (r < 0)
765 goto fail;
766
767 q->answer_rcode = t->answer_rcode;
768 q->answer_errno = 0;
769
770 if (t->answer_authenticated) {
771 has_authenticated = true;
772 dnssec_result_authenticated = t->answer_dnssec_result;
773 } else {
774 has_non_authenticated = true;
775 dnssec_result_non_authenticated = t->answer_dnssec_result;
776 }
777
778 state = DNS_TRANSACTION_SUCCESS;
779 break;
780 }
781
782 case DNS_TRANSACTION_NULL:
783 case DNS_TRANSACTION_PENDING:
784 case DNS_TRANSACTION_VALIDATING:
785 case DNS_TRANSACTION_ABORTED:
786 /* Ignore transactions that didn't complete */
787 continue;
788
789 default:
790 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
791 if (state == DNS_TRANSACTION_SUCCESS)
792 continue;
793
794 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
795 if (q->answer_authenticated && !t->answer_authenticated)
796 continue;
797
798 q->answer = dns_answer_unref(q->answer);
799 q->answer_rcode = t->answer_rcode;
800 q->answer_dnssec_result = t->answer_dnssec_result;
801 q->answer_authenticated = t->answer_authenticated;
802 q->answer_errno = t->answer_errno;
803
804 state = t->state;
805 break;
806 }
807 }
808
809 if (state == DNS_TRANSACTION_SUCCESS) {
810 q->answer_authenticated = has_authenticated && !has_non_authenticated;
811 q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated;
812 }
813
814 q->answer_protocol = c->scope->protocol;
815 q->answer_family = c->scope->family;
816
817 dns_search_domain_unref(q->answer_search_domain);
818 q->answer_search_domain = dns_search_domain_ref(c->search_domain);
819
820 r = dns_query_synthesize_reply(q, &state);
821 if (r < 0)
822 goto fail;
823
824 dns_query_complete(q, state);
825 return;
826
827 fail:
828 q->answer_errno = -r;
829 dns_query_complete(q, DNS_TRANSACTION_ERRNO);
830 }
831
832 void dns_query_ready(DnsQuery *q) {
833
834 DnsQueryCandidate *bad = NULL, *c;
835 bool pending = false;
836
837 assert(q);
838 assert(DNS_TRANSACTION_IS_LIVE(q->state));
839
840 /* Note that this call might invalidate the query. Callers
841 * should hence not attempt to access the query or transaction
842 * after calling this function, unless the block_ready
843 * counter was explicitly bumped before doing so. */
844
845 if (q->block_ready > 0)
846 return;
847
848 LIST_FOREACH(candidates_by_query, c, q->candidates) {
849 DnsTransactionState state;
850
851 state = dns_query_candidate_state(c);
852 switch (state) {
853
854 case DNS_TRANSACTION_SUCCESS:
855 /* One of the candidates is successful,
856 * let's use it, and copy its data out */
857 dns_query_accept(q, c);
858 return;
859
860 case DNS_TRANSACTION_NULL:
861 case DNS_TRANSACTION_PENDING:
862 case DNS_TRANSACTION_VALIDATING:
863 /* One of the candidates is still going on,
864 * let's maybe wait for it */
865 pending = true;
866 break;
867
868 default:
869 /* Any kind of failure */
870 bad = c;
871 break;
872 }
873 }
874
875 if (pending)
876 return;
877
878 dns_query_accept(q, bad);
879 }
880
881 static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) {
882 _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL;
883 int r, k;
884
885 assert(q);
886
887 q->n_cname_redirects++;
888 if (q->n_cname_redirects > CNAME_MAX)
889 return -ELOOP;
890
891 r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
892 if (r < 0)
893 return r;
894 else if (r > 0)
895 log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna));
896
897 k = dns_question_is_equal(q->question_idna, q->question_utf8);
898 if (k < 0)
899 return r;
900 if (k > 0) {
901 /* Same question? Shortcut new question generation */
902 nq_utf8 = dns_question_ref(nq_idna);
903 k = r;
904 } else {
905 k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8);
906 if (k < 0)
907 return k;
908 else if (k > 0)
909 log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8));
910 }
911
912 if (r == 0 && k == 0) /* No actual cname happened? */
913 return -ELOOP;
914
915 if (q->answer_protocol == DNS_PROTOCOL_DNS)
916 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
917 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
918 * ones. */
919 q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
920
921 /* Turn off searching for the new name */
922 q->flags |= SD_RESOLVED_NO_SEARCH;
923
924 dns_question_unref(q->question_idna);
925 q->question_idna = TAKE_PTR(nq_idna);
926
927 dns_question_unref(q->question_utf8);
928 q->question_utf8 = TAKE_PTR(nq_utf8);
929
930 dns_query_free_candidates(q);
931 dns_query_reset_answer(q);
932
933 q->state = DNS_TRANSACTION_NULL;
934
935 return 0;
936 }
937
938 int dns_query_process_cname(DnsQuery *q) {
939 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL;
940 DnsQuestion *question;
941 DnsResourceRecord *rr;
942 int r;
943
944 assert(q);
945
946 if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL))
947 return DNS_QUERY_NOMATCH;
948
949 question = dns_query_question_for_protocol(q, q->answer_protocol);
950
951 DNS_ANSWER_FOREACH(rr, q->answer) {
952 r = dns_question_matches_rr(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
953 if (r < 0)
954 return r;
955 if (r > 0)
956 return DNS_QUERY_MATCH; /* The answer matches directly, no need to follow cnames */
957
958 r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
959 if (r < 0)
960 return r;
961 if (r > 0 && !cname)
962 cname = dns_resource_record_ref(rr);
963 }
964
965 if (!cname)
966 return DNS_QUERY_NOMATCH; /* No match and no cname to follow */
967
968 if (q->flags & SD_RESOLVED_NO_CNAME)
969 return -ELOOP;
970
971 if (!q->answer_authenticated)
972 q->previous_redirect_unauthenticated = true;
973
974 /* OK, let's actually follow the CNAME */
975 r = dns_query_cname_redirect(q, cname);
976 if (r < 0)
977 return r;
978
979 /* Let's see if the answer can already answer the new
980 * redirected question */
981 r = dns_query_process_cname(q);
982 if (r != DNS_QUERY_NOMATCH)
983 return r;
984
985 /* OK, it cannot, let's begin with the new query */
986 r = dns_query_go(q);
987 if (r < 0)
988 return r;
989
990 return DNS_QUERY_RESTARTED; /* We restarted the query for a new cname */
991 }
992
993 DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) {
994 assert(q);
995
996 switch (protocol) {
997
998 case DNS_PROTOCOL_DNS:
999 return q->question_idna;
1000
1001 case DNS_PROTOCOL_MDNS:
1002 case DNS_PROTOCOL_LLMNR:
1003 return q->question_utf8;
1004
1005 default:
1006 return NULL;
1007 }
1008 }
1009
1010 const char *dns_query_string(DnsQuery *q) {
1011 const char *name;
1012 int r;
1013
1014 /* Returns a somewhat useful human-readable lookup key string for this query */
1015
1016 if (q->request_address_string)
1017 return q->request_address_string;
1018
1019 if (q->request_address_valid) {
1020 r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string);
1021 if (r >= 0)
1022 return q->request_address_string;
1023 }
1024
1025 name = dns_question_first_name(q->question_utf8);
1026 if (name)
1027 return name;
1028
1029 return dns_question_first_name(q->question_idna);
1030 }
1031
1032 bool dns_query_fully_authenticated(DnsQuery *q) {
1033 assert(q);
1034
1035 return q->answer_authenticated && !q->previous_redirect_unauthenticated;
1036 }
Unnamed repository; edit this file 'description' to name the repository.