1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 #include <sd-messages.h>
25 #include "alloc-util.h"
26 #include "dns-domain.h"
28 #include "random-util.h"
29 #include "resolved-dns-cache.h"
30 #include "resolved-dns-transaction.h"
31 #include "resolved-llmnr.h"
32 #include "string-table.h"
34 static void dns_transaction_reset_answer(DnsTransaction
*t
) {
37 t
->received
= dns_packet_unref(t
->received
);
38 t
->answer
= dns_answer_unref(t
->answer
);
40 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
41 t
->answer_source
= _DNS_TRANSACTION_SOURCE_INVALID
;
42 t
->answer_authenticated
= false;
43 t
->answer_nsec_ttl
= (uint32_t) -1;
46 static void dns_transaction_close_connection(DnsTransaction
*t
) {
49 t
->stream
= dns_stream_free(t
->stream
);
50 t
->dns_udp_event_source
= sd_event_source_unref(t
->dns_udp_event_source
);
51 t
->dns_udp_fd
= safe_close(t
->dns_udp_fd
);
54 static void dns_transaction_stop_timeout(DnsTransaction
*t
) {
57 t
->timeout_event_source
= sd_event_source_unref(t
->timeout_event_source
);
60 DnsTransaction
* dns_transaction_free(DnsTransaction
*t
) {
68 log_debug("Freeing transaction %" PRIu16
".", t
->id
);
70 dns_transaction_close_connection(t
);
71 dns_transaction_stop_timeout(t
);
73 dns_packet_unref(t
->sent
);
74 dns_transaction_reset_answer(t
);
76 dns_server_unref(t
->server
);
79 hashmap_remove_value(t
->scope
->transactions_by_key
, t
->key
, t
);
80 LIST_REMOVE(transactions_by_scope
, t
->scope
->transactions
, t
);
83 hashmap_remove(t
->scope
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
));
86 while ((c
= set_steal_first(t
->notify_query_candidates
)))
87 set_remove(c
->transactions
, t
);
88 set_free(t
->notify_query_candidates
);
90 while ((i
= set_steal_first(t
->notify_zone_items
)))
91 i
->probe_transaction
= NULL
;
92 set_free(t
->notify_zone_items
);
94 while ((z
= set_steal_first(t
->notify_transactions
)))
95 set_remove(z
->dnssec_transactions
, t
);
96 set_free(t
->notify_transactions
);
98 while ((z
= set_steal_first(t
->dnssec_transactions
))) {
99 set_remove(z
->notify_transactions
, t
);
100 dns_transaction_gc(z
);
102 set_free(t
->dnssec_transactions
);
104 dns_answer_unref(t
->validated_keys
);
105 dns_resource_key_unref(t
->key
);
112 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction
*, dns_transaction_free
);
114 bool dns_transaction_gc(DnsTransaction
*t
) {
120 if (set_isempty(t
->notify_query_candidates
) &&
121 set_isempty(t
->notify_zone_items
) &&
122 set_isempty(t
->notify_transactions
)) {
123 dns_transaction_free(t
);
130 int dns_transaction_new(DnsTransaction
**ret
, DnsScope
*s
, DnsResourceKey
*key
) {
131 _cleanup_(dns_transaction_freep
) DnsTransaction
*t
= NULL
;
138 /* Don't allow looking up invalid or pseudo RRs */
139 if (!dns_type_is_valid_query(key
->type
))
142 /* We only support the IN class */
143 if (key
->class != DNS_CLASS_IN
&& key
->class != DNS_CLASS_ANY
)
146 r
= hashmap_ensure_allocated(&s
->manager
->dns_transactions
, NULL
);
150 r
= hashmap_ensure_allocated(&s
->transactions_by_key
, &dns_resource_key_hash_ops
);
154 t
= new0(DnsTransaction
, 1);
159 t
->answer_source
= _DNS_TRANSACTION_SOURCE_INVALID
;
160 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
161 t
->answer_nsec_ttl
= (uint32_t) -1;
162 t
->key
= dns_resource_key_ref(key
);
164 /* Find a fresh, unused transaction id */
166 random_bytes(&t
->id
, sizeof(t
->id
));
168 hashmap_get(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
)));
170 r
= hashmap_put(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
), t
);
176 r
= hashmap_replace(s
->transactions_by_key
, t
->key
, t
);
178 hashmap_remove(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
));
182 LIST_PREPEND(transactions_by_scope
, s
->transactions
, t
);
185 s
->manager
->n_transactions_total
++;
195 static void dns_transaction_tentative(DnsTransaction
*t
, DnsPacket
*p
) {
196 _cleanup_free_
char *pretty
= NULL
;
202 if (manager_our_packet(t
->scope
->manager
, p
) != 0)
205 in_addr_to_string(p
->family
, &p
->sender
, &pretty
);
207 log_debug("Transaction %" PRIu16
" for <%s> on scope %s on %s/%s got tentative packet from %s.",
209 dns_transaction_key_string(t
),
210 dns_protocol_to_string(t
->scope
->protocol
),
211 t
->scope
->link
? t
->scope
->link
->name
: "*",
212 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
),
215 /* RFC 4795, Section 4.1 says that the peer with the
216 * lexicographically smaller IP address loses */
217 if (memcmp(&p
->sender
, &p
->destination
, FAMILY_ADDRESS_SIZE(p
->family
)) >= 0) {
218 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
222 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
225 while ((z
= set_first(t
->notify_zone_items
))) {
226 /* First, make sure the zone item drops the reference
228 dns_zone_item_probe_stop(z
);
230 /* Secondly, report this as conflict, so that we might
231 * look for a different hostname */
232 dns_zone_item_conflict(z
);
236 dns_transaction_gc(t
);
239 void dns_transaction_complete(DnsTransaction
*t
, DnsTransactionState state
) {
240 DnsQueryCandidate
*c
;
246 assert(!DNS_TRANSACTION_IS_LIVE(state
));
248 if (state
== DNS_TRANSACTION_DNSSEC_FAILED
)
249 log_struct(LOG_NOTICE
,
250 LOG_MESSAGE_ID(SD_MESSAGE_DNSSEC_FAILURE
),
251 LOG_MESSAGE("DNSSEC validation failed for question %s: %s", dns_transaction_key_string(t
), dnssec_result_to_string(t
->answer_dnssec_result
)),
252 "DNS_TRANSACTION=%" PRIu16
, t
->id
,
253 "DNS_QUESTION=%s", dns_transaction_key_string(t
),
254 "DNSSEC_RESULT=%s", dnssec_result_to_string(t
->answer_dnssec_result
),
257 /* Note that this call might invalidate the query. Callers
258 * should hence not attempt to access the query or transaction
259 * after calling this function. */
261 log_debug("Transaction %" PRIu16
" for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s).",
263 dns_transaction_key_string(t
),
264 dns_protocol_to_string(t
->scope
->protocol
),
265 t
->scope
->link
? t
->scope
->link
->name
: "*",
266 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
),
267 dns_transaction_state_to_string(state
),
268 t
->answer_source
< 0 ? "none" : dns_transaction_source_to_string(t
->answer_source
),
269 t
->answer_authenticated
? "authenticated" : "unsigned");
273 dns_transaction_close_connection(t
);
274 dns_transaction_stop_timeout(t
);
276 /* Notify all queries that are interested, but make sure the
277 * transaction isn't freed while we are still looking at it */
280 SET_FOREACH(c
, t
->notify_query_candidates
, i
)
281 dns_query_candidate_notify(c
);
282 SET_FOREACH(z
, t
->notify_zone_items
, i
)
283 dns_zone_item_notify(z
);
285 if (!set_isempty(t
->notify_transactions
)) {
289 /* We need to be careful when notifying other
290 * transactions, as that might destroy other
291 * transactions in our list. Hence, in order to be
292 * able to safely iterate through the list of
293 * transactions, take a GC lock on all of them
294 * first. Then, in a second loop, notify them, but
295 * first unlock that specific transaction. */
297 nt
= newa(DnsTransaction
*, set_size(t
->notify_transactions
));
298 SET_FOREACH(d
, t
->notify_transactions
, i
) {
303 assert(n
== set_size(t
->notify_transactions
));
305 for (j
= 0; j
< n
; j
++) {
306 if (set_contains(t
->notify_transactions
, nt
[j
]))
307 dns_transaction_notify(nt
[j
], t
);
310 dns_transaction_gc(nt
[j
]);
315 dns_transaction_gc(t
);
318 static int dns_transaction_pick_server(DnsTransaction
*t
) {
322 assert(t
->scope
->protocol
== DNS_PROTOCOL_DNS
);
324 server
= dns_scope_get_dns_server(t
->scope
);
328 t
->current_features
= dns_server_possible_feature_level(server
);
330 if (server
== t
->server
)
333 dns_server_unref(t
->server
);
334 t
->server
= dns_server_ref(server
);
339 static int on_stream_complete(DnsStream
*s
, int error
) {
340 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
344 assert(s
->transaction
);
346 /* Copy the data we care about out of the stream before we
349 p
= dns_packet_ref(s
->read_packet
);
351 t
->stream
= dns_stream_free(t
->stream
);
353 if (IN_SET(error
, ENOTCONN
, ECONNRESET
, ECONNREFUSED
, ECONNABORTED
, EPIPE
)) {
354 dns_transaction_complete(t
, DNS_TRANSACTION_CONNECTION_FAILURE
);
359 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
363 if (dns_packet_validate_reply(p
) <= 0) {
364 log_debug("Invalid TCP reply packet.");
365 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
369 dns_scope_check_conflicts(t
->scope
, p
);
372 dns_transaction_process_reply(t
, p
);
375 /* If the response wasn't useful, then complete the transition
376 * now. After all, we are the worst feature set now with TCP
377 * sockets, and there's really no point in retrying. */
378 if (t
->state
== DNS_TRANSACTION_PENDING
)
379 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
381 dns_transaction_gc(t
);
386 static int dns_transaction_open_tcp(DnsTransaction
*t
) {
387 _cleanup_close_
int fd
= -1;
392 dns_transaction_close_connection(t
);
394 switch (t
->scope
->protocol
) {
396 case DNS_PROTOCOL_DNS
:
397 r
= dns_transaction_pick_server(t
);
401 r
= dns_server_adjust_opt(t
->server
, t
->sent
, t
->current_features
);
405 fd
= dns_scope_socket_tcp(t
->scope
, AF_UNSPEC
, NULL
, t
->server
, 53);
408 case DNS_PROTOCOL_LLMNR
:
409 /* When we already received a reply to this (but it was truncated), send to its sender address */
411 fd
= dns_scope_socket_tcp(t
->scope
, t
->received
->family
, &t
->received
->sender
, NULL
, t
->received
->sender_port
);
413 union in_addr_union address
;
414 int family
= AF_UNSPEC
;
416 /* Otherwise, try to talk to the owner of a
417 * the IP address, in case this is a reverse
420 r
= dns_name_address(DNS_RESOURCE_KEY_NAME(t
->key
), &family
, &address
);
425 if (family
!= t
->scope
->family
)
428 fd
= dns_scope_socket_tcp(t
->scope
, family
, &address
, NULL
, LLMNR_PORT
);
434 return -EAFNOSUPPORT
;
440 r
= dns_stream_new(t
->scope
->manager
, &t
->stream
, t
->scope
->protocol
, fd
);
445 r
= dns_stream_write_packet(t
->stream
, t
->sent
);
447 t
->stream
= dns_stream_free(t
->stream
);
451 t
->stream
->complete
= on_stream_complete
;
452 t
->stream
->transaction
= t
;
454 /* The interface index is difficult to determine if we are
455 * connecting to the local host, hence fill this in right away
456 * instead of determining it from the socket */
458 t
->stream
->ifindex
= t
->scope
->link
->ifindex
;
460 dns_transaction_reset_answer(t
);
462 t
->tried_stream
= true;
467 static void dns_transaction_cache_answer(DnsTransaction
*t
) {
470 /* For mDNS we cache whenever we get the packet, rather than
471 * in each transaction. */
472 if (!IN_SET(t
->scope
->protocol
, DNS_PROTOCOL_DNS
, DNS_PROTOCOL_LLMNR
))
475 /* We never cache if this packet is from the local host, under
476 * the assumption that a locally running DNS server would
477 * cache this anyway, and probably knows better when to flush
478 * the cache then we could. */
479 if (!DNS_PACKET_SHALL_CACHE(t
->received
))
482 dns_cache_put(&t
->scope
->cache
,
486 t
->answer_authenticated
,
490 &t
->received
->sender
);
493 static bool dns_transaction_dnssec_is_live(DnsTransaction
*t
) {
499 SET_FOREACH(dt
, t
->dnssec_transactions
, i
)
500 if (DNS_TRANSACTION_IS_LIVE(dt
->state
))
506 static void dns_transaction_process_dnssec(DnsTransaction
*t
) {
511 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
512 if (dns_transaction_dnssec_is_live(t
))
515 /* All our auxiliary DNSSEC transactions are complete now. Try
516 * to validate our RRset now. */
517 r
= dns_transaction_validate_dnssec(t
);
519 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
523 if (t
->answer_dnssec_result
== DNSSEC_INCOMPATIBLE_SERVER
&&
524 t
->scope
->dnssec_mode
== DNSSEC_YES
) {
525 /* We are not in automatic downgrade mode, and the
526 * server is bad, refuse operation. */
527 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
531 if (!IN_SET(t
->answer_dnssec_result
,
532 _DNSSEC_RESULT_INVALID
, /* No DNSSEC validation enabled */
533 DNSSEC_VALIDATED
, /* Answer is signed and validated successfully */
534 DNSSEC_UNSIGNED
, /* Answer is right-fully unsigned */
535 DNSSEC_INCOMPATIBLE_SERVER
)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
536 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
540 dns_transaction_cache_answer(t
);
542 if (t
->answer_rcode
== DNS_RCODE_SUCCESS
)
543 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
545 dns_transaction_complete(t
, DNS_TRANSACTION_RCODE_FAILURE
);
548 void dns_transaction_process_reply(DnsTransaction
*t
, DnsPacket
*p
) {
555 assert(t
->scope
->manager
);
557 if (t
->state
!= DNS_TRANSACTION_PENDING
)
560 /* Note that this call might invalidate the query. Callers
561 * should hence not attempt to access the query or transaction
562 * after calling this function. */
564 log_debug("Processing incoming packet on transaction %" PRIu16
".", t
->id
);
566 switch (t
->scope
->protocol
) {
568 case DNS_PROTOCOL_LLMNR
:
569 assert(t
->scope
->link
);
571 /* For LLMNR we will not accept any packets from other
574 if (p
->ifindex
!= t
->scope
->link
->ifindex
)
577 if (p
->family
!= t
->scope
->family
)
580 /* Tentative packets are not full responses but still
581 * useful for identifying uniqueness conflicts during
583 if (DNS_PACKET_LLMNR_T(p
)) {
584 dns_transaction_tentative(t
, p
);
590 case DNS_PROTOCOL_MDNS
:
591 assert(t
->scope
->link
);
593 /* For mDNS we will not accept any packets from other interfaces */
594 if (p
->ifindex
!= t
->scope
->link
->ifindex
)
597 if (p
->family
!= t
->scope
->family
)
602 case DNS_PROTOCOL_DNS
:
603 /* Note that we do not need to verify the
604 * addresses/port numbers of incoming traffic, as we
605 * invoked connect() on our UDP socket in which case
606 * the kernel already does the needed verification for
611 assert_not_reached("Invalid DNS protocol.");
614 if (t
->received
!= p
) {
615 dns_packet_unref(t
->received
);
616 t
->received
= dns_packet_ref(p
);
619 t
->answer_source
= DNS_TRANSACTION_NETWORK
;
621 if (p
->ipproto
== IPPROTO_TCP
) {
622 if (DNS_PACKET_TC(p
)) {
623 /* Truncated via TCP? Somebody must be fucking with us */
624 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
628 if (DNS_PACKET_ID(p
) != t
->id
) {
629 /* Not the reply to our query? Somebody must be fucking with us */
630 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
635 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
637 switch (t
->scope
->protocol
) {
639 case DNS_PROTOCOL_DNS
:
642 if (IN_SET(DNS_PACKET_RCODE(p
), DNS_RCODE_FORMERR
, DNS_RCODE_SERVFAIL
, DNS_RCODE_NOTIMP
)) {
644 /* Request failed, immediately try again with reduced features */
645 log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p
)));
647 dns_server_packet_failed(t
->server
, t
->current_features
);
649 r
= dns_transaction_go(t
);
651 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
657 dns_server_packet_received(t
->server
, t
->current_features
, ts
- t
->start_usec
, p
->size
);
661 case DNS_PROTOCOL_LLMNR
:
662 case DNS_PROTOCOL_MDNS
:
663 dns_scope_packet_received(t
->scope
, ts
- t
->start_usec
);
667 assert_not_reached("Invalid DNS protocol.");
670 if (DNS_PACKET_TC(p
)) {
672 /* Truncated packets for mDNS are not allowed. Give up immediately. */
673 if (t
->scope
->protocol
== DNS_PROTOCOL_MDNS
) {
674 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
678 /* Response was truncated, let's try again with good old TCP */
679 r
= dns_transaction_open_tcp(t
);
681 /* No servers found? Damn! */
682 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
686 /* On LLMNR, if we cannot connect to the host,
687 * we immediately give up */
688 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
) {
689 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
693 /* On DNS, couldn't send? Try immediately again, with a new server */
694 dns_scope_next_dns_server(t
->scope
);
696 r
= dns_transaction_go(t
);
698 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
706 /* Parse message, if it isn't parsed yet. */
707 r
= dns_packet_extract(p
);
709 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
713 if (IN_SET(t
->scope
->protocol
, DNS_PROTOCOL_DNS
, DNS_PROTOCOL_LLMNR
)) {
715 /* Only consider responses with equivalent query section to the request */
716 r
= dns_packet_is_reply_for(p
, t
->key
);
718 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
722 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
726 /* Install the answer as answer to the transaction */
727 dns_answer_unref(t
->answer
);
728 t
->answer
= dns_answer_ref(p
->answer
);
729 t
->answer_rcode
= DNS_PACKET_RCODE(p
);
730 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
731 t
->answer_authenticated
= false;
733 /* Block GC while starting requests for additional DNSSEC RRs */
735 r
= dns_transaction_request_dnssec_keys(t
);
738 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
739 if (!dns_transaction_gc(t
))
742 /* Requesting additional keys might have resulted in
743 * this transaction to fail, since the auxiliary
744 * request failed for some reason. If so, we are not
745 * in pending state anymore, and we should exit
747 if (t
->state
!= DNS_TRANSACTION_PENDING
)
750 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
754 /* There are DNSSEC transactions pending now. Update the state accordingly. */
755 t
->state
= DNS_TRANSACTION_VALIDATING
;
756 dns_transaction_close_connection(t
);
757 dns_transaction_stop_timeout(t
);
762 dns_transaction_process_dnssec(t
);
765 static int on_dns_packet(sd_event_source
*s
, int fd
, uint32_t revents
, void *userdata
) {
766 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
767 DnsTransaction
*t
= userdata
;
773 r
= manager_recv(t
->scope
->manager
, fd
, DNS_PROTOCOL_DNS
, &p
);
777 if (dns_packet_validate_reply(p
) > 0 &&
778 DNS_PACKET_ID(p
) == t
->id
)
779 dns_transaction_process_reply(t
, p
);
781 log_debug("Invalid DNS UDP packet, ignoring.");
786 static int dns_transaction_emit_udp(DnsTransaction
*t
) {
791 if (t
->scope
->protocol
== DNS_PROTOCOL_DNS
) {
793 r
= dns_transaction_pick_server(t
);
797 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_UDP
)
800 if (r
> 0 || t
->dns_udp_fd
< 0) { /* Server changed, or no connection yet. */
803 dns_transaction_close_connection(t
);
805 fd
= dns_scope_socket_udp(t
->scope
, t
->server
, 53);
809 r
= sd_event_add_io(t
->scope
->manager
->event
, &t
->dns_udp_event_source
, fd
, EPOLLIN
, on_dns_packet
, t
);
818 r
= dns_server_adjust_opt(t
->server
, t
->sent
, t
->current_features
);
822 dns_transaction_close_connection(t
);
824 r
= dns_scope_emit_udp(t
->scope
, t
->dns_udp_fd
, t
->sent
);
828 dns_transaction_reset_answer(t
);
833 static int on_transaction_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
834 DnsTransaction
*t
= userdata
;
840 if (!t
->initial_jitter_scheduled
|| t
->initial_jitter_elapsed
) {
841 /* Timeout reached? Increase the timeout for the server used */
842 switch (t
->scope
->protocol
) {
844 case DNS_PROTOCOL_DNS
:
846 dns_server_packet_lost(t
->server
, t
->current_features
, usec
- t
->start_usec
);
849 case DNS_PROTOCOL_LLMNR
:
850 case DNS_PROTOCOL_MDNS
:
851 dns_scope_packet_lost(t
->scope
, usec
- t
->start_usec
);
855 assert_not_reached("Invalid DNS protocol.");
858 if (t
->initial_jitter_scheduled
)
859 t
->initial_jitter_elapsed
= true;
862 log_debug("Timeout reached on transaction %" PRIu16
".", t
->id
);
864 /* ...and try again with a new server */
865 dns_scope_next_dns_server(t
->scope
);
867 r
= dns_transaction_go(t
);
869 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
874 static usec_t
transaction_get_resend_timeout(DnsTransaction
*t
) {
878 switch (t
->scope
->protocol
) {
880 case DNS_PROTOCOL_DNS
:
882 return t
->server
->resend_timeout
;
884 case DNS_PROTOCOL_MDNS
:
885 assert(t
->n_attempts
> 0);
886 return (1 << (t
->n_attempts
- 1)) * USEC_PER_SEC
;
888 case DNS_PROTOCOL_LLMNR
:
889 return t
->scope
->resend_timeout
;
892 assert_not_reached("Invalid DNS protocol.");
896 static int dns_transaction_prepare(DnsTransaction
*t
, usec_t ts
) {
901 dns_transaction_stop_timeout(t
);
903 if (t
->n_attempts
>= TRANSACTION_ATTEMPTS_MAX(t
->scope
->protocol
)) {
904 dns_transaction_complete(t
, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
);
908 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
&& t
->tried_stream
) {
909 /* If we already tried via a stream, then we don't
910 * retry on LLMNR. See RFC 4795, Section 2.7. */
911 dns_transaction_complete(t
, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
);
918 dns_transaction_reset_answer(t
);
920 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
921 if (t
->scope
->protocol
== DNS_PROTOCOL_DNS
) {
922 r
= dns_trust_anchor_lookup_positive(&t
->scope
->manager
->trust_anchor
, t
->key
, &t
->answer
);
926 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
927 t
->answer_source
= DNS_TRANSACTION_TRUST_ANCHOR
;
928 t
->answer_authenticated
= true;
929 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
933 if (dns_name_is_root(DNS_RESOURCE_KEY_NAME(t
->key
)) &&
934 t
->key
->type
== DNS_TYPE_DS
) {
936 /* Hmm, this is a request for the root DS? A
937 * DS RR doesn't exist in the root zone, and
938 * if our trust anchor didn't know it either,
939 * this means we cannot do any DNSSEC logic
942 if (t
->scope
->dnssec_mode
== DNSSEC_ALLOW_DOWNGRADE
) {
943 /* We are in downgrade mode. In this
944 * case, synthesize an unsigned empty
945 * response, so that the any lookup
946 * depending on this one can continue
947 * assuming there was no DS, and hence
948 * the root zone was unsigned. */
950 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
951 t
->answer_source
= DNS_TRANSACTION_TRUST_ANCHOR
;
952 t
->answer_authenticated
= false;
953 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
955 /* If we are not in downgrade mode,
956 * then fail the lookup, because we
957 * cannot reasonably answer it. There
958 * might be DS RRs, but we don't know
959 * them, and the DNS server won't tell
960 * them to us (and even if it would,
961 * we couldn't validate it and trust
963 dns_transaction_complete(t
, DNS_TRANSACTION_NO_TRUST_ANCHOR
);
969 /* Check the zone, but only if this transaction is not used
970 * for probing or verifying a zone item. */
971 if (set_isempty(t
->notify_zone_items
)) {
973 r
= dns_zone_lookup(&t
->scope
->zone
, t
->key
, &t
->answer
, NULL
, NULL
);
977 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
978 t
->answer_source
= DNS_TRANSACTION_ZONE
;
979 t
->answer_authenticated
= true;
980 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
985 /* Check the cache, but only if this transaction is not used
986 * for probing or verifying a zone item. */
987 if (set_isempty(t
->notify_zone_items
)) {
989 /* Before trying the cache, let's make sure we figured out a
990 * server to use. Should this cause a change of server this
991 * might flush the cache. */
992 dns_scope_get_dns_server(t
->scope
);
994 /* Let's then prune all outdated entries */
995 dns_cache_prune(&t
->scope
->cache
);
997 r
= dns_cache_lookup(&t
->scope
->cache
, t
->key
, &t
->answer_rcode
, &t
->answer
, &t
->answer_authenticated
);
1001 t
->answer_source
= DNS_TRANSACTION_CACHE
;
1002 if (t
->answer_rcode
== DNS_RCODE_SUCCESS
)
1003 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
1005 dns_transaction_complete(t
, DNS_TRANSACTION_RCODE_FAILURE
);
1013 static int dns_transaction_make_packet_mdns(DnsTransaction
*t
) {
1015 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1016 bool add_known_answers
= false;
1017 DnsTransaction
*other
;
1023 assert(t
->scope
->protocol
== DNS_PROTOCOL_MDNS
);
1025 /* Discard any previously prepared packet, so we can start over and coalesce again */
1026 t
->sent
= dns_packet_unref(t
->sent
);
1028 r
= dns_packet_new_query(&p
, t
->scope
->protocol
, 0, false);
1032 r
= dns_packet_append_key(p
, t
->key
, NULL
);
1038 if (dns_key_is_shared(t
->key
))
1039 add_known_answers
= true;
1042 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1043 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
1044 * in our current scope, and see whether their timing contraints allow them to be sent.
1047 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1049 LIST_FOREACH(transactions_by_scope
, other
, t
->scope
->transactions
) {
1051 /* Skip ourselves */
1055 if (other
->state
!= DNS_TRANSACTION_PENDING
)
1058 if (other
->next_attempt_after
> ts
)
1061 if (qdcount
>= UINT16_MAX
)
1064 r
= dns_packet_append_key(p
, other
->key
, NULL
);
1067 * If we can't stuff more questions into the packet, just give up.
1068 * One of the 'other' transactions will fire later and take care of the rest.
1076 r
= dns_transaction_prepare(other
, ts
);
1080 ts
+= transaction_get_resend_timeout(other
);
1082 r
= sd_event_add_time(
1083 other
->scope
->manager
->event
,
1084 &other
->timeout_event_source
,
1085 clock_boottime_or_monotonic(),
1087 on_transaction_timeout
, other
);
1091 other
->state
= DNS_TRANSACTION_PENDING
;
1092 other
->next_attempt_after
= ts
;
1096 if (dns_key_is_shared(other
->key
))
1097 add_known_answers
= true;
1100 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(qdcount
);
1102 /* Append known answer section if we're asking for any shared record */
1103 if (add_known_answers
) {
1104 r
= dns_cache_export_shared_to_packet(&t
->scope
->cache
, p
);
1115 static int dns_transaction_make_packet(DnsTransaction
*t
) {
1116 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1121 if (t
->scope
->protocol
== DNS_PROTOCOL_MDNS
)
1122 return dns_transaction_make_packet_mdns(t
);
1127 r
= dns_packet_new_query(&p
, t
->scope
->protocol
, 0, t
->scope
->dnssec_mode
!= DNSSEC_NO
);
1131 r
= dns_scope_good_key(t
->scope
, t
->key
);
1137 r
= dns_packet_append_key(p
, t
->key
, NULL
);
1141 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
1142 DNS_PACKET_HEADER(p
)->id
= t
->id
;
1150 int dns_transaction_go(DnsTransaction
*t
) {
1156 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1158 r
= dns_transaction_prepare(t
, ts
);
1162 log_debug("Excercising transaction %" PRIu16
" for <%s> on scope %s on %s/%s.",
1164 dns_transaction_key_string(t
),
1165 dns_protocol_to_string(t
->scope
->protocol
),
1166 t
->scope
->link
? t
->scope
->link
->name
: "*",
1167 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
));
1169 if (!t
->initial_jitter_scheduled
&&
1170 (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
||
1171 t
->scope
->protocol
== DNS_PROTOCOL_MDNS
)) {
1172 usec_t jitter
, accuracy
;
1174 /* RFC 4795 Section 2.7 suggests all queries should be
1175 * delayed by a random time from 0 to JITTER_INTERVAL. */
1177 t
->initial_jitter_scheduled
= true;
1179 random_bytes(&jitter
, sizeof(jitter
));
1181 switch (t
->scope
->protocol
) {
1183 case DNS_PROTOCOL_LLMNR
:
1184 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
1185 accuracy
= LLMNR_JITTER_INTERVAL_USEC
;
1188 case DNS_PROTOCOL_MDNS
:
1189 jitter
%= MDNS_JITTER_RANGE_USEC
;
1190 jitter
+= MDNS_JITTER_MIN_USEC
;
1191 accuracy
= MDNS_JITTER_RANGE_USEC
;
1194 assert_not_reached("bad protocol");
1197 r
= sd_event_add_time(
1198 t
->scope
->manager
->event
,
1199 &t
->timeout_event_source
,
1200 clock_boottime_or_monotonic(),
1201 ts
+ jitter
, accuracy
,
1202 on_transaction_timeout
, t
);
1207 t
->next_attempt_after
= ts
;
1208 t
->state
= DNS_TRANSACTION_PENDING
;
1210 log_debug("Delaying %s transaction for " USEC_FMT
"us.", dns_protocol_to_string(t
->scope
->protocol
), jitter
);
1214 /* Otherwise, we need to ask the network */
1215 r
= dns_transaction_make_packet(t
);
1217 /* Not the right request to make on this network?
1218 * (i.e. an A request made on IPv6 or an AAAA request
1219 * made on IPv4, on LLMNR or mDNS.) */
1220 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
1226 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
&&
1227 (dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), "in-addr.arpa") > 0 ||
1228 dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), "ip6.arpa") > 0)) {
1230 /* RFC 4795, Section 2.4. says reverse lookups shall
1231 * always be made via TCP on LLMNR */
1232 r
= dns_transaction_open_tcp(t
);
1234 /* Try via UDP, and if that fails due to large size or lack of
1235 * support try via TCP */
1236 r
= dns_transaction_emit_udp(t
);
1237 if (r
== -EMSGSIZE
|| r
== -EAGAIN
)
1238 r
= dns_transaction_open_tcp(t
);
1242 /* No servers to send this to? */
1243 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
1246 if (t
->scope
->protocol
!= DNS_PROTOCOL_DNS
) {
1247 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
1251 /* Couldn't send? Try immediately again, with a new server */
1252 dns_scope_next_dns_server(t
->scope
);
1254 return dns_transaction_go(t
);
1257 ts
+= transaction_get_resend_timeout(t
);
1259 r
= sd_event_add_time(
1260 t
->scope
->manager
->event
,
1261 &t
->timeout_event_source
,
1262 clock_boottime_or_monotonic(),
1264 on_transaction_timeout
, t
);
1268 t
->state
= DNS_TRANSACTION_PENDING
;
1269 t
->next_attempt_after
= ts
;
1274 static int dns_transaction_find_cyclic(DnsTransaction
*t
, DnsTransaction
*aux
) {
1282 /* Try to find cyclic dependencies between transaction objects */
1287 SET_FOREACH(n
, aux
->notify_transactions
, i
) {
1288 r
= dns_transaction_find_cyclic(t
, n
);
1296 static int dns_transaction_add_dnssec_transaction(DnsTransaction
*t
, DnsResourceKey
*key
, DnsTransaction
**ret
) {
1297 DnsTransaction
*aux
;
1304 aux
= dns_scope_find_transaction(t
->scope
, key
, true);
1306 r
= dns_transaction_new(&aux
, t
->scope
, key
);
1310 if (set_contains(t
->dnssec_transactions
, aux
)) {
1315 r
= dns_transaction_find_cyclic(t
, aux
);
1319 log_debug("Detected potential cyclic dependency, refusing to add transaction %" PRIu16
" (%s) as dependency for %" PRIu16
" (%s).",
1321 strna(dns_transaction_key_string(aux
)),
1323 strna(dns_transaction_key_string(t
)));
1328 r
= set_ensure_allocated(&t
->dnssec_transactions
, NULL
);
1332 r
= set_ensure_allocated(&aux
->notify_transactions
, NULL
);
1336 r
= set_put(t
->dnssec_transactions
, aux
);
1340 r
= set_put(aux
->notify_transactions
, t
);
1342 (void) set_remove(t
->dnssec_transactions
, aux
);
1350 dns_transaction_gc(aux
);
1354 static int dns_transaction_request_dnssec_rr(DnsTransaction
*t
, DnsResourceKey
*key
) {
1355 _cleanup_(dns_answer_unrefp
) DnsAnswer
*a
= NULL
;
1356 DnsTransaction
*aux
;
1362 /* Try to get the data from the trust anchor */
1363 r
= dns_trust_anchor_lookup_positive(&t
->scope
->manager
->trust_anchor
, key
, &a
);
1367 r
= dns_answer_extend(&t
->validated_keys
, a
);
1374 /* This didn't work, ask for it via the network/cache then. */
1375 r
= dns_transaction_add_dnssec_transaction(t
, key
, &aux
);
1376 if (r
== -ELOOP
) /* This would result in a cyclic dependency */
1381 if (aux
->state
== DNS_TRANSACTION_NULL
) {
1382 r
= dns_transaction_go(aux
);
1390 static int dns_transaction_has_positive_answer(DnsTransaction
*t
, DnsAnswerFlags
*flags
) {
1395 /* Checks whether the answer is positive, i.e. either a direct
1396 * answer to the question, or a CNAME/DNAME for it */
1398 r
= dns_answer_match_key(t
->answer
, t
->key
, flags
);
1402 r
= dns_answer_find_cname_or_dname(t
->answer
, t
->key
, NULL
, flags
);
1409 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction
*t
) {
1414 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
1415 * RRs to prove it */
1417 r
= dns_transaction_has_positive_answer(t
, NULL
);
1423 /* Is this key explicitly listed as a negative trust anchor?
1424 * If so, it's nothing we need to care about */
1425 r
= dns_trust_anchor_lookup_negative(&t
->scope
->manager
->trust_anchor
, DNS_RESOURCE_KEY_NAME(t
->key
));
1431 /* The answer does not contain any RRs that match to the
1432 * question. If so, let's see if there are any NSEC/NSEC3 RRs
1433 * included. If not, the answer is unsigned. */
1435 r
= dns_answer_contains_nsec_or_nsec3(t
->answer
);
1444 static int dns_transaction_is_primary_response(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1450 /* Check if the specified RR is the "primary" response,
1451 * i.e. either matches the question precisely or is a
1452 * CNAME/DNAME for it, or is any kind of NSEC/NSEC3 RR */
1454 r
= dns_resource_key_match_rr(t
->key
, rr
, NULL
);
1458 r
= dns_resource_key_match_cname_or_dname(t
->key
, rr
->key
, NULL
);
1462 if (rr
->key
->type
== DNS_TYPE_NSEC3
) {
1465 p
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1466 r
= dns_name_parent(&p
);
1470 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), p
);
1478 return rr
->key
->type
== DNS_TYPE_NSEC
;
1481 int dns_transaction_request_dnssec_keys(DnsTransaction
*t
) {
1482 DnsResourceRecord
*rr
;
1489 * Retrieve all auxiliary RRs for the answer we got, so that
1490 * we can verify signatures or prove that RRs are rightfully
1491 * unsigned. Specifically:
1493 * - For RRSIG we get the matching DNSKEY
1494 * - For DNSKEY we get the matching DS
1495 * - For unsigned SOA/NS we get the matching DS
1496 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
1497 * - For other unsigned RRs we get the matching SOA RR
1498 * - For SOA/NS/DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
1499 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
1502 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1505 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_DO
)
1506 return 0; /* Server doesn't do DNSSEC, there's no point in requesting any RRs then. */
1507 if (t
->server
&& t
->server
->rrsig_missing
)
1508 return 0; /* Server handles DNSSEC requests, but isn't augmenting responses with RRSIGs. No point in trying DNSSEC then. */
1510 DNS_ANSWER_FOREACH(rr
, t
->answer
) {
1512 if (dns_type_is_pseudo(rr
->key
->type
))
1515 /* If this RR is in the negative trust anchor, we don't need to validate it. */
1516 r
= dns_trust_anchor_lookup_negative(&t
->scope
->manager
->trust_anchor
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1522 switch (rr
->key
->type
) {
1524 case DNS_TYPE_RRSIG
: {
1525 /* For each RRSIG we request the matching DNSKEY */
1526 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*dnskey
= NULL
;
1528 /* If this RRSIG is about a DNSKEY RR and the
1529 * signer is the same as the owner, then we
1530 * already have the DNSKEY, and we don't have
1531 * to look for more. */
1532 if (rr
->rrsig
.type_covered
== DNS_TYPE_DNSKEY
) {
1533 r
= dns_name_equal(rr
->rrsig
.signer
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1540 /* If the signer is not a parent of our
1541 * original query, then this is about an
1542 * auxiliary RRset, but not anything we asked
1543 * for. In this case we aren't interested,
1544 * because we don't want to request additional
1545 * RRs for stuff we didn't really ask for, and
1546 * also to avoid request loops, where
1547 * additional RRs from one transaction result
1548 * in another transaction whose additonal RRs
1549 * point back to the original transaction, and
1551 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), rr
->rrsig
.signer
);
1557 dnskey
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DNSKEY
, rr
->rrsig
.signer
);
1561 log_debug("Requesting DNSKEY to validate transaction %" PRIu16
" (%s, RRSIG with key tag: %" PRIu16
").", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), rr
->rrsig
.key_tag
);
1562 r
= dns_transaction_request_dnssec_rr(t
, dnskey
);
1568 case DNS_TYPE_DNSKEY
: {
1569 /* For each DNSKEY we request the matching DS */
1570 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*ds
= NULL
;
1572 /* If the DNSKEY we are looking at is not for
1573 * zone we are interested in, nor any of its
1574 * parents, we aren't interested, and don't
1575 * request it. After all, we don't want to end
1576 * up in request loops, and want to keep
1577 * additional traffic down. */
1579 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1585 ds
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DS
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1589 log_debug("Requesting DS to validate transaction %" PRIu16
" (%s, DNSKEY with key tag: %" PRIu16
").", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), dnssec_keytag(rr
, false));
1590 r
= dns_transaction_request_dnssec_rr(t
, ds
);
1599 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*ds
= NULL
;
1601 /* For an unsigned SOA or NS, try to acquire
1602 * the matching DS RR, as we are at a zone cut
1603 * then, and whether a DS exists tells us
1604 * whether the zone is signed. Do so only if
1605 * this RR matches our original question,
1608 r
= dns_resource_key_match_rr(t
->key
, rr
, NULL
);
1614 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1620 ds
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DS
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1624 log_debug("Requesting DS to validate transaction %" PRIu16
" (%s, unsigned SOA/NS RRset).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1625 r
= dns_transaction_request_dnssec_rr(t
, ds
);
1633 case DNS_TYPE_CNAME
:
1634 case DNS_TYPE_DNAME
: {
1635 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1638 /* CNAMEs and DNAMEs cannot be located at a
1639 * zone apex, hence ask for the parent SOA for
1640 * unsigned CNAME/DNAME RRs, maybe that's the
1641 * apex. But do all that only if this is
1642 * actually a response to our original
1645 * Similar for DS RRs, which are signed when
1646 * the parent SOA is signed. */
1648 r
= dns_transaction_is_primary_response(t
, rr
);
1654 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1660 name
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1661 r
= dns_name_parent(&name
);
1667 soa
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_SOA
, name
);
1671 log_debug("Requesting parent SOA to validate transaction %" PRIu16
" (%s, unsigned CNAME/DNAME/DS RRset).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1672 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1680 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1682 /* For other unsigned RRsets (including
1683 * NSEC/NSEC3!), look for proof the zone is
1684 * unsigned, by requesting the SOA RR of the
1685 * zone. However, do so only if they are
1686 * directly relevant to our original
1689 r
= dns_transaction_is_primary_response(t
, rr
);
1695 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1701 soa
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_SOA
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1705 log_debug("Requesting SOA to validate transaction %" PRIu16
" (%s, unsigned non-SOA/NS RRset <%s>).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), dns_resource_record_to_string(rr
));
1706 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1713 /* Above, we requested everything necessary to validate what
1714 * we got. Now, let's request what we need to validate what we
1717 r
= dns_transaction_has_unsigned_negative_answer(t
);
1723 name
= DNS_RESOURCE_KEY_NAME(t
->key
);
1725 /* If this was a SOA or NS request, then this
1726 * indicates that we are not at a zone apex, hence ask
1727 * the parent name instead. If this was a DS request,
1728 * then it's signed when the parent zone is signed,
1729 * hence ask the parent in that case, too. */
1731 if (IN_SET(t
->key
->type
, DNS_TYPE_SOA
, DNS_TYPE_NS
, DNS_TYPE_DS
)) {
1732 r
= dns_name_parent(&name
);
1736 log_debug("Requesting parent SOA to validate transaction %" PRIu16
" (%s, unsigned empty SOA/NS/DS response).", t
->id
, DNS_RESOURCE_KEY_NAME(t
->key
));
1740 log_debug("Requesting SOA to validate transaction %" PRIu16
" (%s, unsigned empty non-SOA/NS/DS response).", t
->id
, DNS_RESOURCE_KEY_NAME(t
->key
));
1743 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1745 soa
= dns_resource_key_new(t
->key
->class, DNS_TYPE_SOA
, name
);
1749 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1755 return dns_transaction_dnssec_is_live(t
);
1758 void dns_transaction_notify(DnsTransaction
*t
, DnsTransaction
*source
) {
1764 if (!IN_SET(t
->state
, DNS_TRANSACTION_PENDING
, DNS_TRANSACTION_VALIDATING
))
1767 /* Invoked whenever any of our auxiliary DNSSEC transactions
1768 completed its work. We copy any RRs from that transaction
1769 over into our list of validated keys -- but only if the
1770 answer is authenticated.
1772 Note that we fail our transaction if the auxiliary
1773 transaction failed, except on NXDOMAIN. This is because
1774 some broken DNS servers (Akamai...) will return NXDOMAIN
1775 for empty non-terminals. */
1777 switch (source
->state
) {
1779 case DNS_TRANSACTION_DNSSEC_FAILED
:
1781 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(source
->answer_dnssec_result
));
1782 t
->answer_dnssec_result
= source
->answer_dnssec_result
; /* Copy error code over */
1783 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
1786 case DNS_TRANSACTION_RCODE_FAILURE
:
1788 if (source
->answer_rcode
!= DNS_RCODE_NXDOMAIN
) {
1789 log_debug("Auxiliary DNSSEC RR query failed with rcode=%i.", source
->answer_rcode
);
1793 /* fall-through: NXDOMAIN is good enough for us */
1795 case DNS_TRANSACTION_SUCCESS
:
1796 if (source
->answer_authenticated
) {
1797 r
= dns_answer_extend(&t
->validated_keys
, source
->answer
);
1799 log_error_errno(r
, "Failed to merge validated DNSSEC key data: %m");
1804 /* If the state is still PENDING, we are still in the loop
1805 * that adds further DNSSEC transactions, hence don't check if
1806 * we are ready yet. If the state is VALIDATING however, we
1807 * should check if we are complete now. */
1808 if (t
->state
== DNS_TRANSACTION_VALIDATING
)
1809 dns_transaction_process_dnssec(t
);
1813 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(source
->state
));
1820 t
->answer_dnssec_result
= DNSSEC_FAILED_AUXILIARY
;
1821 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
1824 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction
*t
) {
1825 DnsResourceRecord
*rr
;
1830 /* Add all DNSKEY RRs from the answer that are validated by DS
1831 * RRs from the list of validated keys to the list of
1832 * validated keys. */
1834 DNS_ANSWER_FOREACH_IFINDEX(rr
, ifindex
, t
->answer
) {
1836 r
= dnssec_verify_dnskey_search(rr
, t
->validated_keys
);
1842 /* If so, the DNSKEY is validated too. */
1843 r
= dns_answer_add_extend(&t
->validated_keys
, rr
, ifindex
, DNS_ANSWER_AUTHENTICATED
);
1851 static int dns_transaction_requires_rrsig(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1857 /* Checks if the RR we are looking for must be signed with an
1858 * RRSIG. This is used for positive responses. */
1860 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1863 if (dns_type_is_pseudo(rr
->key
->type
))
1866 r
= dns_trust_anchor_lookup_negative(&t
->scope
->manager
->trust_anchor
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1872 switch (rr
->key
->type
) {
1874 case DNS_TYPE_RRSIG
:
1875 /* RRSIGs are the signatures themselves, they need no signing. */
1883 /* For SOA or NS RRs we look for a matching DS transaction */
1885 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1887 if (dt
->key
->class != rr
->key
->class)
1889 if (dt
->key
->type
!= DNS_TYPE_DS
)
1892 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1898 /* We found a DS transactions for the SOA/NS
1899 * RRs we are looking at. If it discovered signed DS
1900 * RRs, then we need to be signed, too. */
1902 if (!dt
->answer_authenticated
)
1905 return dns_answer_match_key(dt
->answer
, dt
->key
, NULL
);
1908 /* We found nothing that proves this is safe to leave
1909 * this unauthenticated, hence ask inist on
1910 * authentication. */
1915 case DNS_TYPE_CNAME
:
1916 case DNS_TYPE_DNAME
: {
1917 const char *parent
= NULL
;
1922 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
1924 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
1927 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1929 if (dt
->key
->class != rr
->key
->class)
1931 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1935 parent
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1936 r
= dns_name_parent(&parent
);
1940 if (rr
->key
->type
== DNS_TYPE_DS
)
1943 /* A CNAME/DNAME without a parent? That's sooo weird. */
1944 log_debug("Transaction %" PRIu16
" claims CNAME/DNAME at root. Refusing.", t
->id
);
1949 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), parent
);
1955 return t
->answer_authenticated
;
1965 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
1967 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1969 if (dt
->key
->class != rr
->key
->class)
1971 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1974 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1980 /* We found the transaction that was supposed to find
1981 * the SOA RR for us. It was successful, but found no
1982 * RR for us. This means we are not at a zone cut. In
1983 * this case, we require authentication if the SOA
1984 * lookup was authenticated too. */
1985 return t
->answer_authenticated
;
1992 static int dns_transaction_requires_nsec(DnsTransaction
*t
) {
2000 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2001 * this negative reply */
2003 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
2006 if (dns_type_is_pseudo(t
->key
->type
))
2009 r
= dns_trust_anchor_lookup_negative(&t
->scope
->manager
->trust_anchor
, DNS_RESOURCE_KEY_NAME(t
->key
));
2015 name
= DNS_RESOURCE_KEY_NAME(t
->key
);
2017 if (IN_SET(t
->key
->type
, DNS_TYPE_SOA
, DNS_TYPE_NS
, DNS_TYPE_DS
)) {
2019 /* We got a negative reply for this SOA/NS lookup? If
2020 * so, then we are not at a zone apex, and thus should
2021 * look at the result of the parent SOA lookup.
2023 * We got a negative reply for this DS lookup? DS RRs
2024 * are signed when their parent zone is signed, hence
2025 * also check the parent SOA in this case. */
2027 r
= dns_name_parent(&name
);
2034 /* For all other RRs we check the SOA on the same level to see
2035 * if it's signed. */
2037 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
2039 if (dt
->key
->class != t
->key
->class)
2041 if (dt
->key
->type
!= DNS_TYPE_SOA
)
2044 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), name
);
2050 return dt
->answer_authenticated
;
2053 /* If in doubt, require NSEC/NSEC3 */
2057 static int dns_transaction_dnskey_authenticated(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
2058 DnsResourceRecord
*rrsig
;
2062 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2063 * the specified RRset is authenticated (i.e. has a matching
2066 r
= dns_trust_anchor_lookup_negative(&t
->scope
->manager
->trust_anchor
, DNS_RESOURCE_KEY_NAME(rr
->key
));
2072 DNS_ANSWER_FOREACH(rrsig
, t
->answer
) {
2076 r
= dnssec_key_match_rrsig(rr
->key
, rrsig
);
2082 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
2084 if (dt
->key
->class != rr
->key
->class)
2087 if (dt
->key
->type
== DNS_TYPE_DNSKEY
) {
2089 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), rrsig
->rrsig
.signer
);
2095 /* OK, we found an auxiliary DNSKEY
2096 * lookup. If that lookup is
2097 * authenticated, report this. */
2099 if (dt
->answer_authenticated
)
2104 } else if (dt
->key
->type
== DNS_TYPE_DS
) {
2106 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), rrsig
->rrsig
.signer
);
2112 /* OK, we found an auxiliary DS
2113 * lookup. If that lookup is
2114 * authenticated and non-zero, we
2117 if (!dt
->answer_authenticated
)
2120 return dns_answer_match_key(dt
->answer
, dt
->key
, NULL
);
2125 return found
? false : -ENXIO
;
2128 static int dns_transaction_known_signed(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
2132 /* We know that the root domain is signed, hence if it appears
2133 * not to be signed, there's a problem with the DNS server */
2135 return rr
->key
->class == DNS_CLASS_IN
&&
2136 dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr
->key
));
2139 int dns_transaction_validate_dnssec(DnsTransaction
*t
) {
2140 _cleanup_(dns_answer_unrefp
) DnsAnswer
*validated
= NULL
;
2141 bool dnskeys_finalized
= false;
2142 DnsResourceRecord
*rr
;
2143 DnsAnswerFlags flags
;
2148 /* We have now collected all DS and DNSKEY RRs in
2149 * t->validated_keys, let's see which RRs we can now
2150 * authenticate with that. */
2152 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
2155 /* Already validated */
2156 if (t
->answer_dnssec_result
!= _DNSSEC_RESULT_INVALID
)
2159 /* Our own stuff needs no validation */
2160 if (IN_SET(t
->answer_source
, DNS_TRANSACTION_ZONE
, DNS_TRANSACTION_TRUST_ANCHOR
)) {
2161 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2162 t
->answer_authenticated
= true;
2166 /* Cached stuff is not affected by validation. */
2167 if (t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
2170 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_DO
||
2171 (t
->server
&& t
->server
->rrsig_missing
)) {
2172 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
2173 t
->answer_dnssec_result
= DNSSEC_INCOMPATIBLE_SERVER
;
2177 log_debug("Validating response from transaction %" PRIu16
" (%s).", t
->id
, dns_transaction_key_string(t
));
2179 /* First see if there are DNSKEYs we already known a validated DS for. */
2180 r
= dns_transaction_validate_dnskey_by_ds(t
);
2185 bool changed
= false;
2187 DNS_ANSWER_FOREACH(rr
, t
->answer
) {
2188 DnssecResult result
;
2190 if (rr
->key
->type
== DNS_TYPE_RRSIG
)
2193 r
= dnssec_verify_rrset_search(t
->answer
, rr
->key
, t
->validated_keys
, USEC_INFINITY
, &result
);
2197 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr
)), dnssec_result_to_string(result
));
2199 if (result
== DNSSEC_VALIDATED
) {
2201 if (rr
->key
->type
== DNS_TYPE_DNSKEY
) {
2202 /* If we just validated a
2203 * DNSKEY RRset, then let's
2204 * add these keys to the set
2205 * of validated keys for this
2208 r
= dns_answer_copy_by_key(&t
->validated_keys
, t
->answer
, rr
->key
, DNS_ANSWER_AUTHENTICATED
);
2212 /* Maybe warn the user that we
2213 * encountered a revoked
2214 * DNSKEY for a key from our
2216 r
= dns_trust_anchor_check_revoked(&t
->scope
->manager
->trust_anchor
, t
->answer
, rr
->key
);
2221 /* Add the validated RRset to the new
2222 * list of validated RRsets, and
2223 * remove it from the unvalidated
2224 * RRsets. We mark the RRset as
2225 * authenticated and cacheable. */
2226 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, DNS_ANSWER_AUTHENTICATED
|DNS_ANSWER_CACHEABLE
);
2230 t
->scope
->manager
->n_dnssec_secure
++;
2232 /* Exit the loop, we dropped something from the answer, start from the beginning */
2236 } else if (dnskeys_finalized
) {
2238 /* If we haven't read all DNSKEYs yet
2239 * a negative result of the validation
2240 * is irrelevant, as there might be
2241 * more DNSKEYs coming. */
2243 if (result
== DNSSEC_NO_SIGNATURE
) {
2244 r
= dns_transaction_requires_rrsig(t
, rr
);
2248 /* Data does not require signing. In that case, just copy it over,
2249 * but remember that this is by no means authenticated.*/
2250 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2254 t
->scope
->manager
->n_dnssec_insecure
++;
2260 r
= dns_transaction_known_signed(t
, rr
);
2264 /* This is an RR we know has to be signed. If it isn't this means
2265 * the server is not attaching RRSIGs, hence complain. */
2267 dns_server_packet_rrsig_missing(t
->server
);
2269 if (t
->scope
->dnssec_mode
== DNSSEC_ALLOW_DOWNGRADE
) {
2271 /* Downgrading is OK? If so, just consider the information unsigned */
2273 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2277 t
->scope
->manager
->n_dnssec_insecure
++;
2282 /* Otherwise, fail */
2283 t
->answer_dnssec_result
= DNSSEC_INCOMPATIBLE_SERVER
;
2290 DNSSEC_SIGNATURE_EXPIRED
,
2291 DNSSEC_UNSUPPORTED_ALGORITHM
)) {
2293 r
= dns_transaction_dnskey_authenticated(t
, rr
);
2294 if (r
< 0 && r
!= -ENXIO
)
2297 /* The DNSKEY transaction was not authenticated, this means there's
2298 * no DS for this, which means it's OK if no keys are found for this signature. */
2300 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2304 t
->scope
->manager
->n_dnssec_insecure
++;
2313 DNSSEC_SIGNATURE_EXPIRED
,
2314 DNSSEC_NO_SIGNATURE
,
2315 DNSSEC_UNSUPPORTED_ALGORITHM
))
2316 t
->scope
->manager
->n_dnssec_bogus
++;
2318 t
->scope
->manager
->n_dnssec_indeterminate
++;
2320 r
= dns_transaction_is_primary_response(t
, rr
);
2324 /* This is a primary response
2325 * to our question, and it
2326 * failed validation. That's
2328 t
->answer_dnssec_result
= result
;
2332 /* This is just some auxiliary
2333 * data. Just remove the RRset and
2335 r
= dns_answer_remove_by_key(&t
->answer
, rr
->key
);
2339 /* Exit the loop, we dropped something from the answer, start from the beginning */
2348 if (!dnskeys_finalized
) {
2349 /* OK, now we know we have added all DNSKEYs
2350 * we possibly could to our validated
2351 * list. Now run the whole thing once more,
2352 * and strip everything we still cannot
2355 dnskeys_finalized
= true;
2363 dns_answer_unref(t
->answer
);
2364 t
->answer
= validated
;
2367 /* At this point the answer only contains validated
2368 * RRsets. Now, let's see if it actually answers the question
2369 * we asked. If so, great! If it doesn't, then see if
2370 * NSEC/NSEC3 can prove this. */
2371 r
= dns_transaction_has_positive_answer(t
, &flags
);
2373 /* Yes, it answers the question! */
2375 if (flags
& DNS_ANSWER_AUTHENTICATED
) {
2376 /* The answer is fully authenticated, yay. */
2377 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2378 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
2379 t
->answer_authenticated
= true;
2381 /* The answer is not fully authenticated. */
2382 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2383 t
->answer_authenticated
= false;
2386 } else if (r
== 0) {
2387 DnssecNsecResult nr
;
2388 bool authenticated
= false;
2390 /* Bummer! Let's check NSEC/NSEC3 */
2391 r
= dnssec_test_nsec(t
->answer
, t
->key
, &nr
, &authenticated
, &t
->answer_nsec_ttl
);
2397 case DNSSEC_NSEC_NXDOMAIN
:
2398 /* NSEC proves the domain doesn't exist. Very good. */
2399 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2400 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2401 t
->answer_rcode
= DNS_RCODE_NXDOMAIN
;
2402 t
->answer_authenticated
= authenticated
;
2405 case DNSSEC_NSEC_NODATA
:
2406 /* NSEC proves that there's no data here, very good. */
2407 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2408 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2409 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
2410 t
->answer_authenticated
= authenticated
;
2413 case DNSSEC_NSEC_OPTOUT
:
2414 /* NSEC3 says the data might not be signed */
2415 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2416 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2417 t
->answer_authenticated
= false;
2420 case DNSSEC_NSEC_NO_RR
:
2421 /* No NSEC data? Bummer! */
2423 r
= dns_transaction_requires_nsec(t
);
2427 t
->answer_dnssec_result
= DNSSEC_NO_SIGNATURE
;
2429 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2430 t
->answer_authenticated
= false;
2435 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM
:
2436 /* We don't know the NSEC3 algorithm used? */
2437 t
->answer_dnssec_result
= DNSSEC_UNSUPPORTED_ALGORITHM
;
2440 case DNSSEC_NSEC_FOUND
:
2441 case DNSSEC_NSEC_CNAME
:
2442 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
2443 t
->answer_dnssec_result
= DNSSEC_NSEC_MISMATCH
;
2447 assert_not_reached("Unexpected NSEC result.");
2454 const char *dns_transaction_key_string(DnsTransaction
*t
) {
2457 if (!t
->key_string
) {
2458 if (dns_resource_key_to_string(t
->key
, &t
->key_string
) < 0)
2462 return strstrip(t
->key_string
);
2465 static const char* const dns_transaction_state_table
[_DNS_TRANSACTION_STATE_MAX
] = {
2466 [DNS_TRANSACTION_NULL
] = "null",
2467 [DNS_TRANSACTION_PENDING
] = "pending",
2468 [DNS_TRANSACTION_VALIDATING
] = "validating",
2469 [DNS_TRANSACTION_RCODE_FAILURE
] = "rcode-failure",
2470 [DNS_TRANSACTION_SUCCESS
] = "success",
2471 [DNS_TRANSACTION_NO_SERVERS
] = "no-servers",
2472 [DNS_TRANSACTION_TIMEOUT
] = "timeout",
2473 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
] = "attempts-max-reached",
2474 [DNS_TRANSACTION_INVALID_REPLY
] = "invalid-reply",
2475 [DNS_TRANSACTION_RESOURCES
] = "resources",
2476 [DNS_TRANSACTION_CONNECTION_FAILURE
] = "connection-failure",
2477 [DNS_TRANSACTION_ABORTED
] = "aborted",
2478 [DNS_TRANSACTION_DNSSEC_FAILED
] = "dnssec-failed",
2479 [DNS_TRANSACTION_NO_TRUST_ANCHOR
] = "no-trust-anchor",
2481 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state
, DnsTransactionState
);
2483 static const char* const dns_transaction_source_table
[_DNS_TRANSACTION_SOURCE_MAX
] = {
2484 [DNS_TRANSACTION_NETWORK
] = "network",
2485 [DNS_TRANSACTION_CACHE
] = "cache",
2486 [DNS_TRANSACTION_ZONE
] = "zone",
2487 [DNS_TRANSACTION_TRUST_ANCHOR
] = "trust-anchor",
2489 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source
, DnsTransactionSource
);