1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2014 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
23 #include "alloc-util.h"
24 #include "dns-domain.h"
26 #include "random-util.h"
27 #include "resolved-dns-cache.h"
28 #include "resolved-dns-transaction.h"
29 #include "resolved-llmnr.h"
30 #include "string-table.h"
32 static void dns_transaction_reset_answer(DnsTransaction
*t
) {
35 t
->received
= dns_packet_unref(t
->received
);
36 t
->answer
= dns_answer_unref(t
->answer
);
38 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
39 t
->answer_source
= _DNS_TRANSACTION_SOURCE_INVALID
;
40 t
->answer_authenticated
= false;
43 static void dns_transaction_close_connection(DnsTransaction
*t
) {
46 t
->stream
= dns_stream_free(t
->stream
);
47 t
->dns_udp_event_source
= sd_event_source_unref(t
->dns_udp_event_source
);
48 t
->dns_udp_fd
= safe_close(t
->dns_udp_fd
);
51 static void dns_transaction_stop(DnsTransaction
*t
) {
54 t
->timeout_event_source
= sd_event_source_unref(t
->timeout_event_source
);
55 t
->stream
= dns_stream_free(t
->stream
);
57 /* Note that we do not drop the UDP socket here, as we want to
58 * reuse it to repeat the interaction. */
61 DnsTransaction
* dns_transaction_free(DnsTransaction
*t
) {
69 dns_transaction_close_connection(t
);
70 dns_transaction_stop(t
);
72 dns_packet_unref(t
->sent
);
73 dns_transaction_reset_answer(t
);
75 dns_server_unref(t
->server
);
78 hashmap_remove_value(t
->scope
->transactions_by_key
, t
->key
, t
);
79 LIST_REMOVE(transactions_by_scope
, t
->scope
->transactions
, t
);
82 hashmap_remove(t
->scope
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
));
85 while ((c
= set_steal_first(t
->notify_query_candidates
)))
86 set_remove(c
->transactions
, t
);
87 set_free(t
->notify_query_candidates
);
89 while ((i
= set_steal_first(t
->notify_zone_items
)))
90 i
->probe_transaction
= NULL
;
91 set_free(t
->notify_zone_items
);
93 while ((z
= set_steal_first(t
->notify_transactions
)))
94 set_remove(z
->dnssec_transactions
, t
);
95 set_free(t
->notify_transactions
);
97 while ((z
= set_steal_first(t
->dnssec_transactions
))) {
98 set_remove(z
->notify_transactions
, t
);
99 dns_transaction_gc(z
);
101 set_free(t
->dnssec_transactions
);
103 dns_answer_unref(t
->validated_keys
);
104 dns_resource_key_unref(t
->key
);
111 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction
*, dns_transaction_free
);
113 void dns_transaction_gc(DnsTransaction
*t
) {
119 if (set_isempty(t
->notify_query_candidates
) &&
120 set_isempty(t
->notify_zone_items
) &&
121 set_isempty(t
->notify_transactions
))
122 dns_transaction_free(t
);
125 int dns_transaction_new(DnsTransaction
**ret
, DnsScope
*s
, DnsResourceKey
*key
) {
126 _cleanup_(dns_transaction_freep
) DnsTransaction
*t
= NULL
;
133 /* Don't allow looking up invalid or pseudo RRs */
134 if (!dns_type_is_valid_query(key
->type
))
137 /* We only support the IN class */
138 if (key
->class != DNS_CLASS_IN
&& key
->class != DNS_CLASS_ANY
)
141 r
= hashmap_ensure_allocated(&s
->manager
->dns_transactions
, NULL
);
145 r
= hashmap_ensure_allocated(&s
->transactions_by_key
, &dns_resource_key_hash_ops
);
149 t
= new0(DnsTransaction
, 1);
154 t
->answer_source
= _DNS_TRANSACTION_SOURCE_INVALID
;
155 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
156 t
->key
= dns_resource_key_ref(key
);
158 /* Find a fresh, unused transaction id */
160 random_bytes(&t
->id
, sizeof(t
->id
));
162 hashmap_get(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
)));
164 r
= hashmap_put(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
), t
);
170 r
= hashmap_replace(s
->transactions_by_key
, t
->key
, t
);
172 hashmap_remove(s
->manager
->dns_transactions
, UINT_TO_PTR(t
->id
));
176 LIST_PREPEND(transactions_by_scope
, s
->transactions
, t
);
179 s
->manager
->n_transactions_total
++;
189 static void dns_transaction_tentative(DnsTransaction
*t
, DnsPacket
*p
) {
190 _cleanup_free_
char *pretty
= NULL
;
196 if (manager_our_packet(t
->scope
->manager
, p
) != 0)
199 in_addr_to_string(p
->family
, &p
->sender
, &pretty
);
201 log_debug("Transaction %" PRIu16
" for <%s> on scope %s on %s/%s got tentative packet from %s.",
203 dns_transaction_key_string(t
),
204 dns_protocol_to_string(t
->scope
->protocol
),
205 t
->scope
->link
? t
->scope
->link
->name
: "*",
206 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
),
209 /* RFC 4795, Section 4.1 says that the peer with the
210 * lexicographically smaller IP address loses */
211 if (memcmp(&p
->sender
, &p
->destination
, FAMILY_ADDRESS_SIZE(p
->family
)) >= 0) {
212 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
216 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
219 while ((z
= set_first(t
->notify_zone_items
))) {
220 /* First, make sure the zone item drops the reference
222 dns_zone_item_probe_stop(z
);
224 /* Secondly, report this as conflict, so that we might
225 * look for a different hostname */
226 dns_zone_item_conflict(z
);
230 dns_transaction_gc(t
);
233 void dns_transaction_complete(DnsTransaction
*t
, DnsTransactionState state
) {
234 DnsQueryCandidate
*c
;
240 assert(!DNS_TRANSACTION_IS_LIVE(state
));
242 if (state
== DNS_TRANSACTION_DNSSEC_FAILED
)
243 log_struct(LOG_NOTICE
,
244 LOG_MESSAGE("DNSSEC validation failed for question %s: %s", dns_transaction_key_string(t
), dnssec_result_to_string(t
->answer_dnssec_result
)),
245 "DNS_TRANSACTION=%" PRIu16
, t
->id
,
246 "DNS_QUESTION=%s", dns_transaction_key_string(t
),
247 "DNSSEC_RESULT=%s", dnssec_result_to_string(t
->answer_dnssec_result
),
250 /* Note that this call might invalidate the query. Callers
251 * should hence not attempt to access the query or transaction
252 * after calling this function. */
254 log_debug("Transaction %" PRIu16
" for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s).",
256 dns_transaction_key_string(t
),
257 dns_protocol_to_string(t
->scope
->protocol
),
258 t
->scope
->link
? t
->scope
->link
->name
: "*",
259 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
),
260 dns_transaction_state_to_string(state
),
261 t
->answer_source
< 0 ? "none" : dns_transaction_source_to_string(t
->answer_source
),
262 t
->answer_authenticated
? "authenticated" : "unsigned");
266 dns_transaction_close_connection(t
);
267 dns_transaction_stop(t
);
269 /* Notify all queries that are interested, but make sure the
270 * transaction isn't freed while we are still looking at it */
273 SET_FOREACH(c
, t
->notify_query_candidates
, i
)
274 dns_query_candidate_notify(c
);
275 SET_FOREACH(z
, t
->notify_zone_items
, i
)
276 dns_zone_item_notify(z
);
278 if (!set_isempty(t
->notify_transactions
)) {
282 /* We need to be careful when notifying other
283 * transactions, as that might destroy other
284 * transactions in our list. Hence, in order to be
285 * able to safely iterate through the list of
286 * transactions, take a GC lock on all of them
287 * first. Then, in a second loop, notify them, but
288 * first unlock that specific transaction. */
290 nt
= newa(DnsTransaction
*, set_size(t
->notify_transactions
));
291 SET_FOREACH(d
, t
->notify_transactions
, i
) {
296 assert(n
== set_size(t
->notify_transactions
));
298 for (j
= 0; j
< n
; j
++) {
299 if (set_contains(t
->notify_transactions
, nt
[j
]))
300 dns_transaction_notify(nt
[j
], t
);
303 dns_transaction_gc(nt
[j
]);
308 dns_transaction_gc(t
);
311 static int dns_transaction_pick_server(DnsTransaction
*t
) {
315 assert(t
->scope
->protocol
== DNS_PROTOCOL_DNS
);
317 server
= dns_scope_get_dns_server(t
->scope
);
321 t
->current_features
= dns_server_possible_features(server
);
323 if (server
== t
->server
)
326 dns_server_unref(t
->server
);
327 t
->server
= dns_server_ref(server
);
332 static int on_stream_complete(DnsStream
*s
, int error
) {
333 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
337 assert(s
->transaction
);
339 /* Copy the data we care about out of the stream before we
342 p
= dns_packet_ref(s
->read_packet
);
344 t
->stream
= dns_stream_free(t
->stream
);
346 if (IN_SET(error
, ENOTCONN
, ECONNRESET
, ECONNREFUSED
, ECONNABORTED
, EPIPE
)) {
347 dns_transaction_complete(t
, DNS_TRANSACTION_CONNECTION_FAILURE
);
352 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
356 if (dns_packet_validate_reply(p
) <= 0) {
357 log_debug("Invalid TCP reply packet.");
358 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
362 dns_scope_check_conflicts(t
->scope
, p
);
365 dns_transaction_process_reply(t
, p
);
368 /* If the response wasn't useful, then complete the transition
369 * now. After all, we are the worst feature set now with TCP
370 * sockets, and there's really no point in retrying. */
371 if (t
->state
== DNS_TRANSACTION_PENDING
)
372 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
374 dns_transaction_gc(t
);
379 static int dns_transaction_open_tcp(DnsTransaction
*t
) {
380 _cleanup_close_
int fd
= -1;
385 dns_transaction_close_connection(t
);
387 switch (t
->scope
->protocol
) {
389 case DNS_PROTOCOL_DNS
:
390 r
= dns_transaction_pick_server(t
);
394 r
= dns_server_adjust_opt(t
->server
, t
->sent
, t
->current_features
);
398 fd
= dns_scope_socket_tcp(t
->scope
, AF_UNSPEC
, NULL
, t
->server
, 53);
401 case DNS_PROTOCOL_LLMNR
:
402 /* When we already received a reply to this (but it was truncated), send to its sender address */
404 fd
= dns_scope_socket_tcp(t
->scope
, t
->received
->family
, &t
->received
->sender
, NULL
, t
->received
->sender_port
);
406 union in_addr_union address
;
407 int family
= AF_UNSPEC
;
409 /* Otherwise, try to talk to the owner of a
410 * the IP address, in case this is a reverse
413 r
= dns_name_address(DNS_RESOURCE_KEY_NAME(t
->key
), &family
, &address
);
418 if (family
!= t
->scope
->family
)
421 fd
= dns_scope_socket_tcp(t
->scope
, family
, &address
, NULL
, LLMNR_PORT
);
427 return -EAFNOSUPPORT
;
433 r
= dns_stream_new(t
->scope
->manager
, &t
->stream
, t
->scope
->protocol
, fd
);
438 r
= dns_stream_write_packet(t
->stream
, t
->sent
);
440 t
->stream
= dns_stream_free(t
->stream
);
444 t
->stream
->complete
= on_stream_complete
;
445 t
->stream
->transaction
= t
;
447 /* The interface index is difficult to determine if we are
448 * connecting to the local host, hence fill this in right away
449 * instead of determining it from the socket */
451 t
->stream
->ifindex
= t
->scope
->link
->ifindex
;
453 dns_transaction_reset_answer(t
);
455 t
->tried_stream
= true;
460 static void dns_transaction_cache_answer(DnsTransaction
*t
) {
463 /* For mDNS we cache whenever we get the packet, rather than
464 * in each transaction. */
465 if (!IN_SET(t
->scope
->protocol
, DNS_PROTOCOL_DNS
, DNS_PROTOCOL_LLMNR
))
468 /* We never cache if this packet is from the local host, under
469 * the assumption that a locally running DNS server would
470 * cache this anyway, and probably knows better when to flush
471 * the cache then we could. */
472 if (!DNS_PACKET_SHALL_CACHE(t
->received
))
475 dns_cache_put(&t
->scope
->cache
,
479 t
->answer_authenticated
,
482 &t
->received
->sender
);
485 static bool dns_transaction_dnssec_is_live(DnsTransaction
*t
) {
491 SET_FOREACH(dt
, t
->dnssec_transactions
, i
)
492 if (DNS_TRANSACTION_IS_LIVE(dt
->state
))
498 static void dns_transaction_process_dnssec(DnsTransaction
*t
) {
503 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
504 if (dns_transaction_dnssec_is_live(t
))
507 /* All our auxiliary DNSSEC transactions are complete now. Try
508 * to validate our RRset now. */
509 r
= dns_transaction_validate_dnssec(t
);
511 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
515 if (t
->answer_dnssec_result
== DNSSEC_INCOMPATIBLE_SERVER
&&
516 t
->scope
->dnssec_mode
== DNSSEC_YES
) {
517 /* We are not in automatic downgrade mode, and the
518 * server is bad, refuse operation. */
519 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
523 if (!IN_SET(t
->answer_dnssec_result
,
524 _DNSSEC_RESULT_INVALID
, /* No DNSSEC validation enabled */
525 DNSSEC_VALIDATED
, /* Answer is signed and validated successfully */
526 DNSSEC_UNSIGNED
, /* Answer is right-fully unsigned */
527 DNSSEC_INCOMPATIBLE_SERVER
)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
528 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
532 dns_transaction_cache_answer(t
);
534 if (t
->answer_rcode
== DNS_RCODE_SUCCESS
)
535 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
537 dns_transaction_complete(t
, DNS_TRANSACTION_RCODE_FAILURE
);
540 void dns_transaction_process_reply(DnsTransaction
*t
, DnsPacket
*p
) {
547 assert(t
->scope
->manager
);
549 if (t
->state
!= DNS_TRANSACTION_PENDING
)
552 /* Note that this call might invalidate the query. Callers
553 * should hence not attempt to access the query or transaction
554 * after calling this function. */
556 log_debug("Processing incoming packet on transaction %" PRIu16
".", t
->id
);
558 switch (t
->scope
->protocol
) {
560 case DNS_PROTOCOL_LLMNR
:
561 assert(t
->scope
->link
);
563 /* For LLMNR we will not accept any packets from other
566 if (p
->ifindex
!= t
->scope
->link
->ifindex
)
569 if (p
->family
!= t
->scope
->family
)
572 /* Tentative packets are not full responses but still
573 * useful for identifying uniqueness conflicts during
575 if (DNS_PACKET_LLMNR_T(p
)) {
576 dns_transaction_tentative(t
, p
);
582 case DNS_PROTOCOL_MDNS
:
583 assert(t
->scope
->link
);
585 /* For mDNS we will not accept any packets from other interfaces */
586 if (p
->ifindex
!= t
->scope
->link
->ifindex
)
589 if (p
->family
!= t
->scope
->family
)
594 case DNS_PROTOCOL_DNS
:
598 assert_not_reached("Invalid DNS protocol.");
601 if (t
->received
!= p
) {
602 dns_packet_unref(t
->received
);
603 t
->received
= dns_packet_ref(p
);
606 t
->answer_source
= DNS_TRANSACTION_NETWORK
;
608 if (p
->ipproto
== IPPROTO_TCP
) {
609 if (DNS_PACKET_TC(p
)) {
610 /* Truncated via TCP? Somebody must be fucking with us */
611 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
615 if (DNS_PACKET_ID(p
) != t
->id
) {
616 /* Not the reply to our query? Somebody must be fucking with us */
617 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
622 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
624 switch (t
->scope
->protocol
) {
626 case DNS_PROTOCOL_DNS
:
629 if (IN_SET(DNS_PACKET_RCODE(p
), DNS_RCODE_FORMERR
, DNS_RCODE_SERVFAIL
, DNS_RCODE_NOTIMP
)) {
631 /* Request failed, immediately try again with reduced features */
632 log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p
)));
634 dns_server_packet_failed(t
->server
, t
->current_features
);
636 r
= dns_transaction_go(t
);
638 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
644 dns_server_packet_received(t
->server
, t
->current_features
, ts
- t
->start_usec
, p
->size
);
648 case DNS_PROTOCOL_LLMNR
:
649 case DNS_PROTOCOL_MDNS
:
650 dns_scope_packet_received(t
->scope
, ts
- t
->start_usec
);
654 assert_not_reached("Invalid DNS protocol.");
657 if (DNS_PACKET_TC(p
)) {
659 /* Truncated packets for mDNS are not allowed. Give up immediately. */
660 if (t
->scope
->protocol
== DNS_PROTOCOL_MDNS
) {
661 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
665 /* Response was truncated, let's try again with good old TCP */
666 r
= dns_transaction_open_tcp(t
);
668 /* No servers found? Damn! */
669 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
673 /* On LLMNR, if we cannot connect to the host,
674 * we immediately give up */
675 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
) {
676 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
680 /* On DNS, couldn't send? Try immediately again, with a new server */
681 dns_scope_next_dns_server(t
->scope
);
683 r
= dns_transaction_go(t
);
685 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
693 /* Parse message, if it isn't parsed yet. */
694 r
= dns_packet_extract(p
);
696 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
700 if (IN_SET(t
->scope
->protocol
, DNS_PROTOCOL_DNS
, DNS_PROTOCOL_LLMNR
)) {
702 /* Only consider responses with equivalent query section to the request */
703 r
= dns_packet_is_reply_for(p
, t
->key
);
705 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
709 dns_transaction_complete(t
, DNS_TRANSACTION_INVALID_REPLY
);
713 /* Install the answer as answer to the transaction */
714 dns_answer_unref(t
->answer
);
715 t
->answer
= dns_answer_ref(p
->answer
);
716 t
->answer_rcode
= DNS_PACKET_RCODE(p
);
717 t
->answer_dnssec_result
= _DNSSEC_RESULT_INVALID
;
718 t
->answer_authenticated
= false;
720 r
= dns_transaction_request_dnssec_keys(t
);
722 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
726 /* There are DNSSEC transactions pending now. Update the state accordingly. */
727 t
->state
= DNS_TRANSACTION_VALIDATING
;
728 dns_transaction_stop(t
);
733 dns_transaction_process_dnssec(t
);
736 static int on_dns_packet(sd_event_source
*s
, int fd
, uint32_t revents
, void *userdata
) {
737 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
738 DnsTransaction
*t
= userdata
;
744 r
= manager_recv(t
->scope
->manager
, fd
, DNS_PROTOCOL_DNS
, &p
);
748 if (dns_packet_validate_reply(p
) > 0 &&
749 DNS_PACKET_ID(p
) == t
->id
)
750 dns_transaction_process_reply(t
, p
);
752 log_debug("Invalid DNS UDP packet, ignoring.");
757 static int dns_transaction_emit_udp(DnsTransaction
*t
) {
762 if (t
->scope
->protocol
== DNS_PROTOCOL_DNS
) {
764 r
= dns_transaction_pick_server(t
);
768 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_UDP
)
771 if (r
> 0 || t
->dns_udp_fd
< 0) { /* Server changed, or no connection yet. */
774 dns_transaction_close_connection(t
);
776 fd
= dns_scope_socket_udp(t
->scope
, t
->server
, 53);
780 r
= sd_event_add_io(t
->scope
->manager
->event
, &t
->dns_udp_event_source
, fd
, EPOLLIN
, on_dns_packet
, t
);
789 r
= dns_server_adjust_opt(t
->server
, t
->sent
, t
->current_features
);
793 dns_transaction_close_connection(t
);
795 r
= dns_scope_emit_udp(t
->scope
, t
->dns_udp_fd
, t
->sent
);
799 dns_transaction_reset_answer(t
);
804 static int on_transaction_timeout(sd_event_source
*s
, usec_t usec
, void *userdata
) {
805 DnsTransaction
*t
= userdata
;
811 if (!t
->initial_jitter_scheduled
|| t
->initial_jitter_elapsed
) {
812 /* Timeout reached? Increase the timeout for the server used */
813 switch (t
->scope
->protocol
) {
815 case DNS_PROTOCOL_DNS
:
817 dns_server_packet_lost(t
->server
, t
->current_features
, usec
- t
->start_usec
);
820 case DNS_PROTOCOL_LLMNR
:
821 case DNS_PROTOCOL_MDNS
:
822 dns_scope_packet_lost(t
->scope
, usec
- t
->start_usec
);
826 assert_not_reached("Invalid DNS protocol.");
829 if (t
->initial_jitter_scheduled
)
830 t
->initial_jitter_elapsed
= true;
833 log_debug("Timeout reached on transaction %" PRIu16
".", t
->id
);
835 /* ...and try again with a new server */
836 dns_scope_next_dns_server(t
->scope
);
838 r
= dns_transaction_go(t
);
840 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
845 static usec_t
transaction_get_resend_timeout(DnsTransaction
*t
) {
849 switch (t
->scope
->protocol
) {
851 case DNS_PROTOCOL_DNS
:
853 return t
->server
->resend_timeout
;
855 case DNS_PROTOCOL_MDNS
:
856 assert(t
->n_attempts
> 0);
857 return (1 << (t
->n_attempts
- 1)) * USEC_PER_SEC
;
859 case DNS_PROTOCOL_LLMNR
:
860 return t
->scope
->resend_timeout
;
863 assert_not_reached("Invalid DNS protocol.");
867 static int dns_transaction_prepare(DnsTransaction
*t
, usec_t ts
) {
872 dns_transaction_stop(t
);
874 if (t
->n_attempts
>= TRANSACTION_ATTEMPTS_MAX(t
->scope
->protocol
)) {
875 dns_transaction_complete(t
, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
);
879 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
&& t
->tried_stream
) {
880 /* If we already tried via a stream, then we don't
881 * retry on LLMNR. See RFC 4795, Section 2.7. */
882 dns_transaction_complete(t
, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
);
889 dns_transaction_reset_answer(t
);
891 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
892 if (t
->scope
->protocol
== DNS_PROTOCOL_DNS
) {
893 r
= dns_trust_anchor_lookup(&t
->scope
->manager
->trust_anchor
, t
->key
, &t
->answer
);
897 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
898 t
->answer_source
= DNS_TRANSACTION_TRUST_ANCHOR
;
899 t
->answer_authenticated
= true;
900 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
905 /* Check the zone, but only if this transaction is not used
906 * for probing or verifying a zone item. */
907 if (set_isempty(t
->notify_zone_items
)) {
909 r
= dns_zone_lookup(&t
->scope
->zone
, t
->key
, &t
->answer
, NULL
, NULL
);
913 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
914 t
->answer_source
= DNS_TRANSACTION_ZONE
;
915 t
->answer_authenticated
= true;
916 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
921 /* Check the cache, but only if this transaction is not used
922 * for probing or verifying a zone item. */
923 if (set_isempty(t
->notify_zone_items
)) {
925 /* Before trying the cache, let's make sure we figured out a
926 * server to use. Should this cause a change of server this
927 * might flush the cache. */
928 dns_scope_get_dns_server(t
->scope
);
930 /* Let's then prune all outdated entries */
931 dns_cache_prune(&t
->scope
->cache
);
933 r
= dns_cache_lookup(&t
->scope
->cache
, t
->key
, &t
->answer_rcode
, &t
->answer
, &t
->answer_authenticated
);
937 t
->answer_source
= DNS_TRANSACTION_CACHE
;
938 if (t
->answer_rcode
== DNS_RCODE_SUCCESS
)
939 dns_transaction_complete(t
, DNS_TRANSACTION_SUCCESS
);
941 dns_transaction_complete(t
, DNS_TRANSACTION_RCODE_FAILURE
);
949 static int dns_transaction_make_packet_mdns(DnsTransaction
*t
) {
951 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
952 bool add_known_answers
= false;
953 DnsTransaction
*other
;
959 assert(t
->scope
->protocol
== DNS_PROTOCOL_MDNS
);
961 /* Discard any previously prepared packet, so we can start over and coalesce again */
962 t
->sent
= dns_packet_unref(t
->sent
);
964 r
= dns_packet_new_query(&p
, t
->scope
->protocol
, 0, false);
968 r
= dns_packet_append_key(p
, t
->key
, NULL
);
974 if (dns_key_is_shared(t
->key
))
975 add_known_answers
= true;
978 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
979 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
980 * in our current scope, and see whether their timing contraints allow them to be sent.
983 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
985 LIST_FOREACH(transactions_by_scope
, other
, t
->scope
->transactions
) {
991 if (other
->state
!= DNS_TRANSACTION_PENDING
)
994 if (other
->next_attempt_after
> ts
)
997 if (qdcount
>= UINT16_MAX
)
1000 r
= dns_packet_append_key(p
, other
->key
, NULL
);
1003 * If we can't stuff more questions into the packet, just give up.
1004 * One of the 'other' transactions will fire later and take care of the rest.
1012 r
= dns_transaction_prepare(other
, ts
);
1016 ts
+= transaction_get_resend_timeout(other
);
1018 r
= sd_event_add_time(
1019 other
->scope
->manager
->event
,
1020 &other
->timeout_event_source
,
1021 clock_boottime_or_monotonic(),
1023 on_transaction_timeout
, other
);
1027 other
->state
= DNS_TRANSACTION_PENDING
;
1028 other
->next_attempt_after
= ts
;
1032 if (dns_key_is_shared(other
->key
))
1033 add_known_answers
= true;
1036 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(qdcount
);
1038 /* Append known answer section if we're asking for any shared record */
1039 if (add_known_answers
) {
1040 r
= dns_cache_export_shared_to_packet(&t
->scope
->cache
, p
);
1051 static int dns_transaction_make_packet(DnsTransaction
*t
) {
1052 _cleanup_(dns_packet_unrefp
) DnsPacket
*p
= NULL
;
1057 if (t
->scope
->protocol
== DNS_PROTOCOL_MDNS
)
1058 return dns_transaction_make_packet_mdns(t
);
1063 r
= dns_packet_new_query(&p
, t
->scope
->protocol
, 0, t
->scope
->dnssec_mode
!= DNSSEC_NO
);
1067 r
= dns_scope_good_key(t
->scope
, t
->key
);
1073 r
= dns_packet_append_key(p
, t
->key
, NULL
);
1077 DNS_PACKET_HEADER(p
)->qdcount
= htobe16(1);
1078 DNS_PACKET_HEADER(p
)->id
= t
->id
;
1086 int dns_transaction_go(DnsTransaction
*t
) {
1092 assert_se(sd_event_now(t
->scope
->manager
->event
, clock_boottime_or_monotonic(), &ts
) >= 0);
1094 r
= dns_transaction_prepare(t
, ts
);
1098 log_debug("Excercising transaction %" PRIu16
" for <%s> on scope %s on %s/%s.",
1100 dns_transaction_key_string(t
),
1101 dns_protocol_to_string(t
->scope
->protocol
),
1102 t
->scope
->link
? t
->scope
->link
->name
: "*",
1103 t
->scope
->family
== AF_UNSPEC
? "*" : af_to_name(t
->scope
->family
));
1105 if (!t
->initial_jitter_scheduled
&&
1106 (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
||
1107 t
->scope
->protocol
== DNS_PROTOCOL_MDNS
)) {
1108 usec_t jitter
, accuracy
;
1110 /* RFC 4795 Section 2.7 suggests all queries should be
1111 * delayed by a random time from 0 to JITTER_INTERVAL. */
1113 t
->initial_jitter_scheduled
= true;
1115 random_bytes(&jitter
, sizeof(jitter
));
1117 switch (t
->scope
->protocol
) {
1119 case DNS_PROTOCOL_LLMNR
:
1120 jitter
%= LLMNR_JITTER_INTERVAL_USEC
;
1121 accuracy
= LLMNR_JITTER_INTERVAL_USEC
;
1124 case DNS_PROTOCOL_MDNS
:
1125 jitter
%= MDNS_JITTER_RANGE_USEC
;
1126 jitter
+= MDNS_JITTER_MIN_USEC
;
1127 accuracy
= MDNS_JITTER_RANGE_USEC
;
1130 assert_not_reached("bad protocol");
1133 r
= sd_event_add_time(
1134 t
->scope
->manager
->event
,
1135 &t
->timeout_event_source
,
1136 clock_boottime_or_monotonic(),
1137 ts
+ jitter
, accuracy
,
1138 on_transaction_timeout
, t
);
1143 t
->next_attempt_after
= ts
;
1144 t
->state
= DNS_TRANSACTION_PENDING
;
1146 log_debug("Delaying %s transaction for " USEC_FMT
"us.", dns_protocol_to_string(t
->scope
->protocol
), jitter
);
1150 /* Otherwise, we need to ask the network */
1151 r
= dns_transaction_make_packet(t
);
1153 /* Not the right request to make on this network?
1154 * (i.e. an A request made on IPv6 or an AAAA request
1155 * made on IPv4, on LLMNR or mDNS.) */
1156 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
1162 if (t
->scope
->protocol
== DNS_PROTOCOL_LLMNR
&&
1163 (dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), "in-addr.arpa") > 0 ||
1164 dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), "ip6.arpa") > 0)) {
1166 /* RFC 4795, Section 2.4. says reverse lookups shall
1167 * always be made via TCP on LLMNR */
1168 r
= dns_transaction_open_tcp(t
);
1170 /* Try via UDP, and if that fails due to large size or lack of
1171 * support try via TCP */
1172 r
= dns_transaction_emit_udp(t
);
1173 if (r
== -EMSGSIZE
|| r
== -EAGAIN
)
1174 r
= dns_transaction_open_tcp(t
);
1178 /* No servers to send this to? */
1179 dns_transaction_complete(t
, DNS_TRANSACTION_NO_SERVERS
);
1182 if (t
->scope
->protocol
!= DNS_PROTOCOL_DNS
) {
1183 dns_transaction_complete(t
, DNS_TRANSACTION_RESOURCES
);
1187 /* Couldn't send? Try immediately again, with a new server */
1188 dns_scope_next_dns_server(t
->scope
);
1190 return dns_transaction_go(t
);
1193 ts
+= transaction_get_resend_timeout(t
);
1195 r
= sd_event_add_time(
1196 t
->scope
->manager
->event
,
1197 &t
->timeout_event_source
,
1198 clock_boottime_or_monotonic(),
1200 on_transaction_timeout
, t
);
1204 t
->state
= DNS_TRANSACTION_PENDING
;
1205 t
->next_attempt_after
= ts
;
1210 static int dns_transaction_add_dnssec_transaction(DnsTransaction
*t
, DnsResourceKey
*key
, DnsTransaction
**ret
) {
1211 DnsTransaction
*aux
;
1218 aux
= dns_scope_find_transaction(t
->scope
, key
, true);
1220 r
= dns_transaction_new(&aux
, t
->scope
, key
);
1224 if (set_contains(t
->dnssec_transactions
, aux
)) {
1230 r
= set_ensure_allocated(&t
->dnssec_transactions
, NULL
);
1234 r
= set_ensure_allocated(&aux
->notify_transactions
, NULL
);
1238 r
= set_put(t
->dnssec_transactions
, aux
);
1242 r
= set_put(aux
->notify_transactions
, t
);
1244 (void) set_remove(t
->dnssec_transactions
, aux
);
1252 dns_transaction_gc(aux
);
1256 static int dns_transaction_request_dnssec_rr(DnsTransaction
*t
, DnsResourceKey
*key
) {
1257 _cleanup_(dns_answer_unrefp
) DnsAnswer
*a
= NULL
;
1258 DnsTransaction
*aux
;
1264 r
= dns_resource_key_equal(t
->key
, key
);
1267 if (r
> 0) /* Don't go in circles */
1270 /* Try to get the data from the trust anchor */
1271 r
= dns_trust_anchor_lookup(&t
->scope
->manager
->trust_anchor
, key
, &a
);
1275 r
= dns_answer_extend(&t
->validated_keys
, a
);
1282 /* This didn't work, ask for it via the network/cache then. */
1283 r
= dns_transaction_add_dnssec_transaction(t
, key
, &aux
);
1287 if (aux
->state
== DNS_TRANSACTION_NULL
) {
1288 r
= dns_transaction_go(aux
);
1296 static int dns_transaction_has_positive_answer(DnsTransaction
*t
, DnsAnswerFlags
*flags
) {
1301 /* Checks whether the answer is positive, i.e. either a direct
1302 * answer to the question, or a CNAME/DNAME for it */
1304 r
= dns_answer_match_key(t
->answer
, t
->key
, flags
);
1308 r
= dns_answer_find_cname_or_dname(t
->answer
, t
->key
, NULL
, flags
);
1315 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction
*t
) {
1320 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
1321 * RRs to prove it */
1323 r
= dns_transaction_has_positive_answer(t
, NULL
);
1329 /* The answer does not contain any RRs that match to the
1330 * question. If so, let's see if there are any NSEC/NSEC3 RRs
1331 * included. If not, the answer is unsigned. */
1333 r
= dns_answer_contains_nsec_or_nsec3(t
->answer
);
1342 static int dns_transaction_is_primary_response(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1348 /* Check if the specified RR is the "primary" response,
1349 * i.e. either matches the question precisely or is a
1350 * CNAME/DNAME for it, or is any kind of NSEC/NSEC3 RR */
1352 r
= dns_resource_key_match_rr(t
->key
, rr
, NULL
);
1356 r
= dns_resource_key_match_cname_or_dname(t
->key
, rr
->key
, NULL
);
1360 if (rr
->key
->type
== DNS_TYPE_NSEC3
) {
1363 p
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1364 r
= dns_name_parent(&p
);
1368 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), p
);
1376 return rr
->key
->type
== DNS_TYPE_NSEC
;
1379 int dns_transaction_request_dnssec_keys(DnsTransaction
*t
) {
1380 DnsResourceRecord
*rr
;
1387 * Retrieve all auxiliary RRs for the answer we got, so that
1388 * we can verify signatures or prove that RRs are rightfully
1389 * unsigned. Specifically:
1391 * - For RRSIG we get the matching DNSKEY
1392 * - For DNSKEY we get the matching DS
1393 * - For unsigned SOA/NS we get the matching DS
1394 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
1395 * - For other unsigned RRs we get the matching SOA RR
1396 * - For SOA/NS/DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
1397 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
1400 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1403 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_DO
)
1404 return 0; /* Server doesn't do DNSSEC, there's no point in requesting any RRs then. */
1405 if (t
->server
&& t
->server
->rrsig_missing
)
1406 return 0; /* Server handles DNSSEC requests, but isn't augmenting responses with RRSIGs. No point in trying DNSSEC then. */
1408 DNS_ANSWER_FOREACH(rr
, t
->answer
) {
1410 if (dns_type_is_pseudo(rr
->key
->type
))
1413 switch (rr
->key
->type
) {
1415 case DNS_TYPE_RRSIG
: {
1416 /* For each RRSIG we request the matching DNSKEY */
1417 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*dnskey
= NULL
;
1419 /* If this RRSIG is about a DNSKEY RR and the
1420 * signer is the same as the owner, then we
1421 * already have the DNSKEY, and we don't have
1422 * to look for more. */
1423 if (rr
->rrsig
.type_covered
== DNS_TYPE_DNSKEY
) {
1424 r
= dns_name_equal(rr
->rrsig
.signer
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1431 /* If the signer is not a parent of our
1432 * original query, then this is about an
1433 * auxiliary RRset, but not anything we asked
1434 * for. In this case we aren't interested,
1435 * because we don't want to request additional
1436 * RRs for stuff we didn't really ask for, and
1437 * also to avoid request loops, where
1438 * additional RRs from one transaction result
1439 * in another transaction whose additonal RRs
1440 * point back to the original transaction, and
1442 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), rr
->rrsig
.signer
);
1448 dnskey
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DNSKEY
, rr
->rrsig
.signer
);
1452 log_debug("Requesting DNSKEY to validate transaction %" PRIu16
" (%s, RRSIG with key tag: %" PRIu16
").", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), rr
->rrsig
.key_tag
);
1453 r
= dns_transaction_request_dnssec_rr(t
, dnskey
);
1459 case DNS_TYPE_DNSKEY
: {
1460 /* For each DNSKEY we request the matching DS */
1461 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*ds
= NULL
;
1463 /* If the DNSKEY we are looking at is not for
1464 * zone we are interested in, nor any of its
1465 * parents, we aren't interested, and don't
1466 * request it. After all, we don't want to end
1467 * up in request loops, and want to keep
1468 * additional traffic down. */
1470 r
= dns_name_endswith(DNS_RESOURCE_KEY_NAME(t
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1476 ds
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DS
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1480 log_debug("Requesting DS to validate transaction %" PRIu16
" (%s, DNSKEY with key tag: %" PRIu16
").", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), dnssec_keytag(rr
));
1481 r
= dns_transaction_request_dnssec_rr(t
, ds
);
1490 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*ds
= NULL
;
1492 /* For an unsigned SOA or NS, try to acquire
1493 * the matching DS RR, as we are at a zone cut
1494 * then, and whether a DS exists tells us
1495 * whether the zone is signed. Do so only if
1496 * this RR matches our original question,
1499 r
= dns_resource_key_match_rr(t
->key
, rr
, NULL
);
1505 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1511 ds
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_DS
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1515 log_debug("Requesting DS to validate transaction %" PRIu16
" (%s, unsigned SOA/NS RRset).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1516 r
= dns_transaction_request_dnssec_rr(t
, ds
);
1524 case DNS_TYPE_CNAME
:
1525 case DNS_TYPE_DNAME
: {
1526 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1529 /* CNAMEs and DNAMEs cannot be located at a
1530 * zone apex, hence ask for the parent SOA for
1531 * unsigned CNAME/DNAME RRs, maybe that's the
1532 * apex. But do all that only if this is
1533 * actually a response to our original
1536 * Similar for DS RRs, which are signed when
1537 * the parent SOA is signed. */
1539 r
= dns_transaction_is_primary_response(t
, rr
);
1545 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1551 name
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1552 r
= dns_name_parent(&name
);
1558 soa
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_SOA
, name
);
1562 log_debug("Requesting parent SOA to validate transaction %" PRIu16
" (%s, unsigned CNAME/DNAME/DS RRset).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1563 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1571 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1573 /* For other unsigned RRsets (including
1574 * NSEC/NSEC3!), look for proof the zone is
1575 * unsigned, by requesting the SOA RR of the
1576 * zone. However, do so only if they are
1577 * directly relevant to our original
1580 r
= dns_transaction_is_primary_response(t
, rr
);
1586 r
= dnssec_has_rrsig(t
->answer
, rr
->key
);
1592 soa
= dns_resource_key_new(rr
->key
->class, DNS_TYPE_SOA
, DNS_RESOURCE_KEY_NAME(rr
->key
));
1596 log_debug("Requesting SOA to validate transaction %" PRIu16
" (%s, unsigned non-SOA/NS RRset <%s>).", t
->id
, DNS_RESOURCE_KEY_NAME(rr
->key
), dns_resource_record_to_string(rr
));
1597 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1604 /* Above, we requested everything necessary to validate what
1605 * we got. Now, let's request what we need to validate what we
1608 r
= dns_transaction_has_unsigned_negative_answer(t
);
1614 name
= DNS_RESOURCE_KEY_NAME(t
->key
);
1616 /* If this was a SOA or NS request, then this
1617 * indicates that we are not at a zone apex, hence ask
1618 * the parent name instead. If this was a DS request,
1619 * then it's signed when the parent zone is signed,
1620 * hence ask the parent in that case, too. */
1622 if (IN_SET(t
->key
->type
, DNS_TYPE_SOA
, DNS_TYPE_NS
, DNS_TYPE_DS
)) {
1623 r
= dns_name_parent(&name
);
1627 log_debug("Requesting parent SOA to validate transaction %" PRIu16
" (%s, unsigned empty SOA/NS/DS response).", t
->id
, DNS_RESOURCE_KEY_NAME(t
->key
));
1631 log_debug("Requesting SOA to validate transaction %" PRIu16
" (%s, unsigned empty non-SOA/NS/DS response).", t
->id
, DNS_RESOURCE_KEY_NAME(t
->key
));
1634 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*soa
= NULL
;
1636 soa
= dns_resource_key_new(t
->key
->class, DNS_TYPE_SOA
, name
);
1640 r
= dns_transaction_request_dnssec_rr(t
, soa
);
1646 return dns_transaction_dnssec_is_live(t
);
1649 void dns_transaction_notify(DnsTransaction
*t
, DnsTransaction
*source
) {
1655 if (!IN_SET(t
->state
, DNS_TRANSACTION_PENDING
, DNS_TRANSACTION_VALIDATING
))
1658 /* Invoked whenever any of our auxiliary DNSSEC transactions
1659 completed its work. We copy any RRs from that transaction
1660 over into our list of validated keys -- but only if the
1661 answer is authenticated.
1663 Note that we fail our transaction if the auxiliary
1664 transaction failed, except on NXDOMAIN. This is because
1665 some broken DNS servers (Akamai...) will return NXDOMAIN
1666 for empty non-terminals. */
1668 switch (source
->state
) {
1670 case DNS_TRANSACTION_DNSSEC_FAILED
:
1672 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(source
->answer_dnssec_result
));
1673 t
->answer_dnssec_result
= source
->answer_dnssec_result
; /* Copy error code over */
1674 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
1677 case DNS_TRANSACTION_RCODE_FAILURE
:
1679 if (source
->answer_rcode
!= DNS_RCODE_NXDOMAIN
) {
1680 log_debug("Auxiliary DNSSEC RR query failed with rcode=%i.", source
->answer_rcode
);
1684 /* fall-through: NXDOMAIN is good enough for us */
1686 case DNS_TRANSACTION_SUCCESS
:
1687 if (source
->answer_authenticated
) {
1688 r
= dns_answer_extend(&t
->validated_keys
, source
->answer
);
1690 log_error_errno(r
, "Failed to merge validated DNSSEC key data: %m");
1695 /* If the state is still PENDING, we are still in the loop
1696 * that adds further DNSSEC transactions, hence don't check if
1697 * we are ready yet. If the state is VALIDATING however, we
1698 * should check if we are complete now. */
1699 if (t
->state
== DNS_TRANSACTION_VALIDATING
)
1700 dns_transaction_process_dnssec(t
);
1704 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(source
->state
));
1711 t
->answer_dnssec_result
= DNSSEC_FAILED_AUXILIARY
;
1712 dns_transaction_complete(t
, DNS_TRANSACTION_DNSSEC_FAILED
);
1715 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction
*t
) {
1716 DnsResourceRecord
*rr
;
1721 /* Add all DNSKEY RRs from the answer that are validated by DS
1722 * RRs from the list of validated keys to the list of
1723 * validated keys. */
1725 DNS_ANSWER_FOREACH_IFINDEX(rr
, ifindex
, t
->answer
) {
1727 r
= dnssec_verify_dnskey_search(rr
, t
->validated_keys
);
1733 /* If so, the DNSKEY is validated too. */
1734 r
= dns_answer_add_extend(&t
->validated_keys
, rr
, ifindex
, DNS_ANSWER_AUTHENTICATED
);
1742 static int dns_transaction_requires_rrsig(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1748 /* Checks if the RR we are looking for must be signed with an
1749 * RRSIG. This is used for positive responses. */
1751 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1754 if (dns_type_is_pseudo(rr
->key
->type
))
1757 switch (rr
->key
->type
) {
1759 case DNS_TYPE_RRSIG
:
1760 /* RRSIGs are the signatures themselves, they need no signing. */
1768 /* For SOA or NS RRs we look for a matching DS transaction */
1770 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1772 if (dt
->key
->class != rr
->key
->class)
1774 if (dt
->key
->type
!= DNS_TYPE_DS
)
1777 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1783 /* We found a DS transactions for the SOA/NS
1784 * RRs we are looking at. If it discovered signed DS
1785 * RRs, then we need to be signed, too. */
1787 if (!dt
->answer_authenticated
)
1790 return dns_answer_match_key(dt
->answer
, dt
->key
, NULL
);
1793 /* We found nothing that proves this is safe to leave
1794 * this unauthenticated, hence ask inist on
1795 * authentication. */
1800 case DNS_TYPE_CNAME
:
1801 case DNS_TYPE_DNAME
: {
1802 const char *parent
= NULL
;
1807 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
1809 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
1812 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1814 if (dt
->key
->class != rr
->key
->class)
1816 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1820 parent
= DNS_RESOURCE_KEY_NAME(rr
->key
);
1821 r
= dns_name_parent(&parent
);
1825 if (rr
->key
->type
== DNS_TYPE_DS
)
1828 /* A CNAME/DNAME without a parent? That's sooo weird. */
1829 log_debug("Transaction %" PRIu16
" claims CNAME/DNAME at root. Refusing.", t
->id
);
1834 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), parent
);
1840 return t
->answer_authenticated
;
1850 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
1852 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1854 if (dt
->key
->class != rr
->key
->class)
1856 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1859 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), DNS_RESOURCE_KEY_NAME(rr
->key
));
1865 /* We found the transaction that was supposed to find
1866 * the SOA RR for us. It was successful, but found no
1867 * RR for us. This means we are not at a zone cut. In
1868 * this case, we require authentication if the SOA
1869 * lookup was authenticated too. */
1870 return t
->answer_authenticated
;
1877 static int dns_transaction_requires_nsec(DnsTransaction
*t
) {
1885 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
1886 * this negative reply */
1888 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
1891 if (dns_type_is_pseudo(t
->key
->type
))
1894 name
= DNS_RESOURCE_KEY_NAME(t
->key
);
1896 if (IN_SET(t
->key
->type
, DNS_TYPE_SOA
, DNS_TYPE_NS
, DNS_TYPE_DS
)) {
1898 /* We got a negative reply for this SOA/NS lookup? If
1899 * so, then we are not at a zone apex, and thus should
1900 * look at the result of the parent SOA lookup.
1902 * We got a negative reply for this DS lookup? DS RRs
1903 * are signed when their parent zone is signed, hence
1904 * also check the parent SOA in this case. */
1906 r
= dns_name_parent(&name
);
1913 /* For all other RRs we check the SOA on the same level to see
1914 * if it's signed. */
1916 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1918 if (dt
->key
->class != t
->key
->class)
1920 if (dt
->key
->type
!= DNS_TYPE_SOA
)
1923 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), name
);
1929 return dt
->answer_authenticated
;
1932 /* If in doubt, require NSEC/NSEC3 */
1936 static int dns_transaction_dnskey_authenticated(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
1937 DnsResourceRecord
*rrsig
;
1941 /* Checks whether any of the DNSKEYs used for the RRSIGs for
1942 * the specified RRset is authenticated (i.e. has a matching
1945 DNS_ANSWER_FOREACH(rrsig
, t
->answer
) {
1949 r
= dnssec_key_match_rrsig(rr
->key
, rrsig
);
1955 SET_FOREACH(dt
, t
->dnssec_transactions
, i
) {
1957 if (dt
->key
->class != rr
->key
->class)
1960 if (dt
->key
->type
== DNS_TYPE_DNSKEY
) {
1962 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), rrsig
->rrsig
.signer
);
1968 /* OK, we found an auxiliary DNSKEY
1969 * lookup. If that lookup is
1970 * authenticated, report this. */
1972 if (dt
->answer_authenticated
)
1977 } else if (dt
->key
->type
== DNS_TYPE_DS
) {
1979 r
= dns_name_equal(DNS_RESOURCE_KEY_NAME(dt
->key
), rrsig
->rrsig
.signer
);
1985 /* OK, we found an auxiliary DS
1986 * lookup. If that lookup is
1987 * authenticated and non-zero, we
1990 if (!dt
->answer_authenticated
)
1993 return dns_answer_match_key(dt
->answer
, dt
->key
, NULL
);
1998 return found
? false : -ENXIO
;
2001 static int dns_transaction_known_signed(DnsTransaction
*t
, DnsResourceRecord
*rr
) {
2005 /* We know that the root domain is signed, hence if it appears
2006 * not to be signed, there's a problem with the DNS server */
2008 return rr
->key
->class == DNS_CLASS_IN
&&
2009 dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr
->key
));
2012 int dns_transaction_validate_dnssec(DnsTransaction
*t
) {
2013 _cleanup_(dns_answer_unrefp
) DnsAnswer
*validated
= NULL
;
2014 bool dnskeys_finalized
= false;
2015 DnsResourceRecord
*rr
;
2016 DnsAnswerFlags flags
;
2021 /* We have now collected all DS and DNSKEY RRs in
2022 * t->validated_keys, let's see which RRs we can now
2023 * authenticate with that. */
2025 if (t
->scope
->dnssec_mode
== DNSSEC_NO
)
2028 /* Already validated */
2029 if (t
->answer_dnssec_result
!= _DNSSEC_RESULT_INVALID
)
2032 /* Our own stuff needs no validation */
2033 if (IN_SET(t
->answer_source
, DNS_TRANSACTION_ZONE
, DNS_TRANSACTION_TRUST_ANCHOR
)) {
2034 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2035 t
->answer_authenticated
= true;
2039 /* Cached stuff is not affected by validation. */
2040 if (t
->answer_source
!= DNS_TRANSACTION_NETWORK
)
2043 if (t
->current_features
< DNS_SERVER_FEATURE_LEVEL_DO
||
2044 (t
->server
&& t
->server
->rrsig_missing
)) {
2045 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
2046 t
->answer_dnssec_result
= DNSSEC_INCOMPATIBLE_SERVER
;
2050 log_debug("Validating response from transaction %" PRIu16
" (%s).", t
->id
, dns_transaction_key_string(t
));
2052 /* First see if there are DNSKEYs we already known a validated DS for. */
2053 r
= dns_transaction_validate_dnskey_by_ds(t
);
2058 bool changed
= false;
2060 DNS_ANSWER_FOREACH(rr
, t
->answer
) {
2061 DnssecResult result
;
2063 if (rr
->key
->type
== DNS_TYPE_RRSIG
)
2066 r
= dnssec_verify_rrset_search(t
->answer
, rr
->key
, t
->validated_keys
, USEC_INFINITY
, &result
);
2070 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr
)), dnssec_result_to_string(result
));
2072 if (result
== DNSSEC_VALIDATED
) {
2074 if (rr
->key
->type
== DNS_TYPE_DNSKEY
) {
2075 /* If we just validated a
2076 * DNSKEY RRset, then let's
2077 * add these keys to the set
2078 * of validated keys for this
2081 r
= dns_answer_copy_by_key(&t
->validated_keys
, t
->answer
, rr
->key
, DNS_ANSWER_AUTHENTICATED
);
2086 /* Add the validated RRset to the new
2087 * list of validated RRsets, and
2088 * remove it from the unvalidated
2089 * RRsets. We mark the RRset as
2090 * authenticated and cacheable. */
2091 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, DNS_ANSWER_AUTHENTICATED
|DNS_ANSWER_CACHEABLE
);
2095 t
->scope
->manager
->n_dnssec_secure
++;
2097 /* Exit the loop, we dropped something from the answer, start from the beginning */
2101 } else if (dnskeys_finalized
) {
2103 /* If we haven't read all DNSKEYs yet
2104 * a negative result of the validation
2105 * is irrelevant, as there might be
2106 * more DNSKEYs coming. */
2108 if (result
== DNSSEC_NO_SIGNATURE
) {
2109 r
= dns_transaction_requires_rrsig(t
, rr
);
2113 /* Data does not require signing. In that case, just copy it over,
2114 * but remember that this is by no means authenticated.*/
2115 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2119 t
->scope
->manager
->n_dnssec_insecure
++;
2125 r
= dns_transaction_known_signed(t
, rr
);
2129 /* This is an RR we know has to be signed. If it isn't this means
2130 * the server is not attaching RRSIGs, hence complain. */
2132 dns_server_packet_rrsig_missing(t
->server
);
2134 if (t
->scope
->dnssec_mode
== DNSSEC_DOWNGRADE_OK
) {
2136 /* Downgrading is OK? If so, just consider the information unsigned */
2138 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2142 t
->scope
->manager
->n_dnssec_insecure
++;
2147 /* Otherwise, fail */
2148 t
->answer_dnssec_result
= DNSSEC_INCOMPATIBLE_SERVER
;
2155 DNSSEC_SIGNATURE_EXPIRED
,
2156 DNSSEC_UNSUPPORTED_ALGORITHM
)) {
2158 r
= dns_transaction_dnskey_authenticated(t
, rr
);
2159 if (r
< 0 && r
!= -ENXIO
)
2162 /* The DNSKEY transaction was not authenticated, this means there's
2163 * no DS for this, which means it's OK if no keys are found for this signature. */
2165 r
= dns_answer_move_by_key(&validated
, &t
->answer
, rr
->key
, 0);
2169 t
->scope
->manager
->n_dnssec_insecure
++;
2178 DNSSEC_SIGNATURE_EXPIRED
,
2179 DNSSEC_NO_SIGNATURE
,
2180 DNSSEC_UNSUPPORTED_ALGORITHM
))
2181 t
->scope
->manager
->n_dnssec_bogus
++;
2183 t
->scope
->manager
->n_dnssec_indeterminate
++;
2185 r
= dns_transaction_is_primary_response(t
, rr
);
2189 /* This is a primary response
2190 * to our question, and it
2191 * failed validation. That's
2193 t
->answer_dnssec_result
= result
;
2197 /* This is just some auxiliary
2198 * data. Just remove the RRset and
2200 r
= dns_answer_remove_by_key(&t
->answer
, rr
->key
);
2204 /* Exit the loop, we dropped something from the answer, start from the beginning */
2213 if (!dnskeys_finalized
) {
2214 /* OK, now we know we have added all DNSKEYs
2215 * we possibly could to our validated
2216 * list. Now run the whole thing once more,
2217 * and strip everything we still cannot
2220 dnskeys_finalized
= true;
2228 dns_answer_unref(t
->answer
);
2229 t
->answer
= validated
;
2232 /* At this point the answer only contains validated
2233 * RRsets. Now, let's see if it actually answers the question
2234 * we asked. If so, great! If it doesn't, then see if
2235 * NSEC/NSEC3 can prove this. */
2236 r
= dns_transaction_has_positive_answer(t
, &flags
);
2238 /* Yes, it answers the question! */
2240 if (flags
& DNS_ANSWER_AUTHENTICATED
) {
2241 /* The answer is fully authenticated, yay. */
2242 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2243 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
2244 t
->answer_authenticated
= true;
2246 /* The answer is not fully authenticated. */
2247 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2248 t
->answer_authenticated
= false;
2251 } else if (r
== 0) {
2252 DnssecNsecResult nr
;
2253 bool authenticated
= false;
2255 /* Bummer! Let's check NSEC/NSEC3 */
2256 r
= dnssec_test_nsec(t
->answer
, t
->key
, &nr
, &authenticated
);
2262 case DNSSEC_NSEC_NXDOMAIN
:
2263 /* NSEC proves the domain doesn't exist. Very good. */
2264 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2265 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2266 t
->answer_rcode
= DNS_RCODE_NXDOMAIN
;
2267 t
->answer_authenticated
= authenticated
;
2270 case DNSSEC_NSEC_NODATA
:
2271 /* NSEC proves that there's no data here, very good. */
2272 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2273 t
->answer_dnssec_result
= DNSSEC_VALIDATED
;
2274 t
->answer_rcode
= DNS_RCODE_SUCCESS
;
2275 t
->answer_authenticated
= authenticated
;
2278 case DNSSEC_NSEC_OPTOUT
:
2279 /* NSEC3 says the data might not be signed */
2280 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t
->id
, dns_transaction_key_string(t
));
2281 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2282 t
->answer_authenticated
= false;
2285 case DNSSEC_NSEC_NO_RR
:
2286 /* No NSEC data? Bummer! */
2288 r
= dns_transaction_requires_nsec(t
);
2292 t
->answer_dnssec_result
= DNSSEC_NO_SIGNATURE
;
2294 t
->answer_dnssec_result
= DNSSEC_UNSIGNED
;
2295 t
->answer_authenticated
= false;
2300 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM
:
2301 /* We don't know the NSEC3 algorithm used? */
2302 t
->answer_dnssec_result
= DNSSEC_UNSUPPORTED_ALGORITHM
;
2305 case DNSSEC_NSEC_FOUND
:
2306 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
2307 t
->answer_dnssec_result
= DNSSEC_NSEC_MISMATCH
;
2311 assert_not_reached("Unexpected NSEC result.");
2318 const char *dns_transaction_key_string(DnsTransaction
*t
) {
2321 if (!t
->key_string
) {
2322 if (dns_resource_key_to_string(t
->key
, &t
->key_string
) < 0)
2326 return strstrip(t
->key_string
);
2329 static const char* const dns_transaction_state_table
[_DNS_TRANSACTION_STATE_MAX
] = {
2330 [DNS_TRANSACTION_NULL
] = "null",
2331 [DNS_TRANSACTION_PENDING
] = "pending",
2332 [DNS_TRANSACTION_VALIDATING
] = "validating",
2333 [DNS_TRANSACTION_RCODE_FAILURE
] = "rcode-failure",
2334 [DNS_TRANSACTION_SUCCESS
] = "success",
2335 [DNS_TRANSACTION_NO_SERVERS
] = "no-servers",
2336 [DNS_TRANSACTION_TIMEOUT
] = "timeout",
2337 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED
] = "attempts-max-reached",
2338 [DNS_TRANSACTION_INVALID_REPLY
] = "invalid-reply",
2339 [DNS_TRANSACTION_RESOURCES
] = "resources",
2340 [DNS_TRANSACTION_CONNECTION_FAILURE
] = "connection-failure",
2341 [DNS_TRANSACTION_ABORTED
] = "aborted",
2342 [DNS_TRANSACTION_DNSSEC_FAILED
] = "dnssec-failed",
2344 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state
, DnsTransactionState
);
2346 static const char* const dns_transaction_source_table
[_DNS_TRANSACTION_SOURCE_MAX
] = {
2347 [DNS_TRANSACTION_NETWORK
] = "network",
2348 [DNS_TRANSACTION_CACHE
] = "cache",
2349 [DNS_TRANSACTION_ZONE
] = "zone",
2350 [DNS_TRANSACTION_TRUST_ANCHOR
] = "trust-anchor",
2352 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source
, DnsTransactionSource
);