]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #28428 from ldv-alt/ERRNO_IS
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include "sd-messages.h"
4
5 #include "af-list.h"
6 #include "alloc-util.h"
7 #include "dns-domain.h"
8 #include "errno-list.h"
9 #include "errno-util.h"
10 #include "fd-util.h"
11 #include "glyph-util.h"
12 #include "random-util.h"
13 #include "resolved-dns-cache.h"
14 #include "resolved-dns-transaction.h"
15 #include "resolved-dnstls.h"
16 #include "resolved-llmnr.h"
17 #include "string-table.h"
18
19 #define TRANSACTIONS_MAX 4096
20 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
21
22 /* After how much time to repeat classic DNS requests */
23 #define DNS_TIMEOUT_USEC (SD_RESOLVED_QUERY_TIMEOUT_USEC / DNS_TRANSACTION_ATTEMPTS_MAX)
24
25 static void dns_transaction_reset_answer(DnsTransaction *t) {
26 assert(t);
27
28 t->received = dns_packet_unref(t->received);
29 t->answer = dns_answer_unref(t->answer);
30 t->answer_rcode = 0;
31 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
32 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
33 t->answer_query_flags = 0;
34 t->answer_nsec_ttl = UINT32_MAX;
35 t->answer_errno = 0;
36 }
37
38 static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
39 DnsTransaction *z;
40
41 assert(t);
42
43 while ((z = set_steal_first(t->dnssec_transactions))) {
44 set_remove(z->notify_transactions, t);
45 set_remove(z->notify_transactions_done, t);
46 dns_transaction_gc(z);
47 }
48 }
49
50 static void dns_transaction_close_connection(
51 DnsTransaction *t,
52 bool use_graveyard) { /* Set use_graveyard = false when you know the connection is already
53 * dead, for example because you got a connection error back from the
54 * kernel. In that case there's no point in keeping the fd around,
55 * hence don't. */
56 int r;
57
58 assert(t);
59
60 if (t->stream) {
61 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
62 LIST_REMOVE(transactions_by_stream, t->stream->transactions, t);
63
64 /* Remove packet in case it's still in the queue */
65 dns_packet_unref(ordered_set_remove(t->stream->write_queue, t->sent));
66
67 t->stream = dns_stream_unref(t->stream);
68 }
69
70 t->dns_udp_event_source = sd_event_source_disable_unref(t->dns_udp_event_source);
71
72 /* If we have a UDP socket where we sent a packet, but never received one, then add it to the socket
73 * graveyard, instead of closing it right away. That way it will stick around for a moment longer,
74 * and the reply we might still get from the server will be eaten up instead of resulting in an ICMP
75 * port unreachable error message. */
76
77 if (use_graveyard && t->dns_udp_fd >= 0 && t->sent && !t->received) {
78 r = manager_add_socket_to_graveyard(t->scope->manager, t->dns_udp_fd);
79 if (r < 0)
80 log_debug_errno(r, "Failed to add UDP socket to graveyard, closing immediately: %m");
81 else
82 TAKE_FD(t->dns_udp_fd);
83 }
84
85 t->dns_udp_fd = safe_close(t->dns_udp_fd);
86 }
87
88 static void dns_transaction_stop_timeout(DnsTransaction *t) {
89 assert(t);
90
91 t->timeout_event_source = sd_event_source_disable_unref(t->timeout_event_source);
92 }
93
94 DnsTransaction* dns_transaction_free(DnsTransaction *t) {
95 DnsQueryCandidate *c;
96 DnsZoneItem *i;
97 DnsTransaction *z;
98
99 if (!t)
100 return NULL;
101
102 log_debug("Freeing transaction %" PRIu16 ".", t->id);
103
104 dns_transaction_close_connection(t, true);
105 dns_transaction_stop_timeout(t);
106
107 dns_packet_unref(t->sent);
108 dns_transaction_reset_answer(t);
109
110 dns_server_unref(t->server);
111
112 if (t->scope) {
113 if (t->key) {
114 DnsTransaction *first;
115
116 first = hashmap_get(t->scope->transactions_by_key, t->key);
117 LIST_REMOVE(transactions_by_key, first, t);
118 if (first)
119 hashmap_replace(t->scope->transactions_by_key, first->key, first);
120 else
121 hashmap_remove(t->scope->transactions_by_key, t->key);
122 }
123
124 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
125
126 if (t->id != 0)
127 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
128 }
129
130 while ((c = set_steal_first(t->notify_query_candidates)))
131 set_remove(c->transactions, t);
132 set_free(t->notify_query_candidates);
133
134 while ((c = set_steal_first(t->notify_query_candidates_done)))
135 set_remove(c->transactions, t);
136 set_free(t->notify_query_candidates_done);
137
138 while ((i = set_steal_first(t->notify_zone_items)))
139 i->probe_transaction = NULL;
140 set_free(t->notify_zone_items);
141
142 while ((i = set_steal_first(t->notify_zone_items_done)))
143 i->probe_transaction = NULL;
144 set_free(t->notify_zone_items_done);
145
146 while ((z = set_steal_first(t->notify_transactions)))
147 set_remove(z->dnssec_transactions, t);
148 set_free(t->notify_transactions);
149
150 while ((z = set_steal_first(t->notify_transactions_done)))
151 set_remove(z->dnssec_transactions, t);
152 set_free(t->notify_transactions_done);
153
154 dns_transaction_flush_dnssec_transactions(t);
155 set_free(t->dnssec_transactions);
156
157 dns_answer_unref(t->validated_keys);
158 dns_resource_key_unref(t->key);
159 dns_packet_unref(t->bypass);
160
161 return mfree(t);
162 }
163
164 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
165
166 DnsTransaction* dns_transaction_gc(DnsTransaction *t) {
167 assert(t);
168
169 /* Returns !NULL if we can't gc yet. */
170
171 if (t->block_gc > 0)
172 return t;
173
174 if (set_isempty(t->notify_query_candidates) &&
175 set_isempty(t->notify_query_candidates_done) &&
176 set_isempty(t->notify_zone_items) &&
177 set_isempty(t->notify_zone_items_done) &&
178 set_isempty(t->notify_transactions) &&
179 set_isempty(t->notify_transactions_done))
180 return dns_transaction_free(t);
181
182 return t;
183 }
184
185 static uint16_t pick_new_id(Manager *m) {
186 uint16_t new_id;
187
188 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the
189 * number of transactions, and it's much lower than the space of IDs. */
190
191 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
192
193 do
194 random_bytes(&new_id, sizeof(new_id));
195 while (new_id == 0 ||
196 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
197
198 return new_id;
199 }
200
201 static int key_ok(
202 DnsScope *scope,
203 DnsResourceKey *key) {
204
205 /* Don't allow looking up invalid or pseudo RRs */
206 if (!dns_type_is_valid_query(key->type))
207 return -EINVAL;
208 if (dns_type_is_obsolete(key->type))
209 return -EOPNOTSUPP;
210
211 /* We only support the IN class */
212 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
213 return -EOPNOTSUPP;
214
215 /* Don't allows DNSSEC RRs to be looked up via LLMNR/mDNS. They don't really make sense
216 * there, and it speeds up our queries if we refuse this early */
217 if (scope->protocol != DNS_PROTOCOL_DNS &&
218 dns_type_is_dnssec(key->type))
219 return -EOPNOTSUPP;
220
221 return 0;
222 }
223
224 int dns_transaction_new(
225 DnsTransaction **ret,
226 DnsScope *s,
227 DnsResourceKey *key,
228 DnsPacket *bypass,
229 uint64_t query_flags) {
230
231 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
232 int r;
233
234 assert(ret);
235 assert(s);
236
237 if (key) {
238 assert(!bypass);
239
240 r = key_ok(s, key);
241 if (r < 0)
242 return r;
243 } else {
244 DnsResourceKey *qk;
245 assert(bypass);
246
247 r = dns_packet_validate_query(bypass);
248 if (r < 0)
249 return r;
250
251 DNS_QUESTION_FOREACH(qk, bypass->question) {
252 r = key_ok(s, qk);
253 if (r < 0)
254 return r;
255 }
256 }
257
258 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
259 return -EBUSY;
260
261 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
262 if (r < 0)
263 return r;
264
265 if (key) {
266 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
267 if (r < 0)
268 return r;
269 }
270
271 t = new(DnsTransaction, 1);
272 if (!t)
273 return -ENOMEM;
274
275 *t = (DnsTransaction) {
276 .dns_udp_fd = -EBADF,
277 .answer_source = _DNS_TRANSACTION_SOURCE_INVALID,
278 .answer_dnssec_result = _DNSSEC_RESULT_INVALID,
279 .answer_nsec_ttl = UINT32_MAX,
280 .key = dns_resource_key_ref(key),
281 .query_flags = query_flags,
282 .bypass = dns_packet_ref(bypass),
283 .current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID,
284 .clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID,
285 .id = pick_new_id(s->manager),
286 };
287
288 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
289 if (r < 0) {
290 t->id = 0;
291 return r;
292 }
293
294 if (t->key) {
295 DnsTransaction *first;
296
297 first = hashmap_get(s->transactions_by_key, t->key);
298 LIST_PREPEND(transactions_by_key, first, t);
299
300 r = hashmap_replace(s->transactions_by_key, first->key, first);
301 if (r < 0) {
302 LIST_REMOVE(transactions_by_key, first, t);
303 return r;
304 }
305 }
306
307 LIST_PREPEND(transactions_by_scope, s->transactions, t);
308 t->scope = s;
309
310 s->manager->n_transactions_total++;
311
312 if (ret)
313 *ret = t;
314
315 TAKE_PTR(t);
316 return 0;
317 }
318
319 static void dns_transaction_shuffle_id(DnsTransaction *t) {
320 uint16_t new_id;
321 assert(t);
322
323 /* Pick a new ID for this transaction. */
324
325 new_id = pick_new_id(t->scope->manager);
326 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
327
328 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
329 t->id = new_id;
330
331 /* Make sure we generate a new packet with the new ID */
332 t->sent = dns_packet_unref(t->sent);
333 }
334
335 static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
336 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
337 DnsZoneItem *z;
338
339 assert(t);
340 assert(p);
341 assert(t->scope->protocol == DNS_PROTOCOL_LLMNR);
342
343 if (manager_packet_from_local_address(t->scope->manager, p) != 0)
344 return;
345
346 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
347 t->id,
348 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
349 dns_protocol_to_string(t->scope->protocol),
350 t->scope->link ? t->scope->link->ifname : "*",
351 af_to_name_short(t->scope->family),
352 IN_ADDR_TO_STRING(p->family, &p->sender));
353
354 /* RFC 4795, Section 4.1 says that the peer with the
355 * lexicographically smaller IP address loses */
356 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
357 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
358 return;
359 }
360
361 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
362
363 t->block_gc++;
364
365 while ((z = set_first(t->notify_zone_items))) {
366 /* First, make sure the zone item drops the reference
367 * to us */
368 dns_zone_item_probe_stop(z);
369
370 /* Secondly, report this as conflict, so that we might
371 * look for a different hostname */
372 dns_zone_item_conflict(z);
373 }
374 t->block_gc--;
375
376 dns_transaction_gc(t);
377 }
378
379 void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
380 DnsQueryCandidate *c;
381 DnsZoneItem *z;
382 DnsTransaction *d;
383 const char *st;
384 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
385
386 assert(t);
387 assert(!DNS_TRANSACTION_IS_LIVE(state));
388
389 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
390 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str);
391
392 log_struct(LOG_NOTICE,
393 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
394 LOG_MESSAGE("DNSSEC validation failed for question %s: %s",
395 key_str, dnssec_result_to_string(t->answer_dnssec_result)),
396 "DNS_TRANSACTION=%" PRIu16, t->id,
397 "DNS_QUESTION=%s", key_str,
398 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
399 "DNS_SERVER=%s", strna(dns_server_string_full(t->server)),
400 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level));
401 }
402
403 /* Note that this call might invalidate the query. Callers
404 * should hence not attempt to access the query or transaction
405 * after calling this function. */
406
407 if (state == DNS_TRANSACTION_ERRNO)
408 st = errno_to_name(t->answer_errno);
409 else
410 st = dns_transaction_state_to_string(state);
411
412 log_debug("%s transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s; %s).",
413 t->bypass ? "Bypass" : "Regular",
414 t->id,
415 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
416 dns_protocol_to_string(t->scope->protocol),
417 t->scope->link ? t->scope->link->ifname : "*",
418 af_to_name_short(t->scope->family),
419 st,
420 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
421 FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
422 (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"),
423 FLAGS_SET(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) ? "confidential" : "non-confidential");
424
425 t->state = state;
426
427 dns_transaction_close_connection(t, true);
428 dns_transaction_stop_timeout(t);
429
430 /* Notify all queries that are interested, but make sure the
431 * transaction isn't freed while we are still looking at it */
432 t->block_gc++;
433
434 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
435 dns_query_candidate_notify(c);
436 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
437
438 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
439 dns_zone_item_notify(z);
440 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
441 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
442 (void) dns_scope_announce(t->scope, false);
443
444 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
445 dns_transaction_notify(d, t);
446 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
447
448 t->block_gc--;
449 dns_transaction_gc(t);
450 }
451
452 static void dns_transaction_complete_errno(DnsTransaction *t, int error) {
453 assert(t);
454 assert(error != 0);
455
456 t->answer_errno = abs(error);
457 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
458 }
459
460 static int dns_transaction_pick_server(DnsTransaction *t) {
461 DnsServer *server;
462
463 assert(t);
464 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
465
466 /* Pick a DNS server and a feature level for it. */
467
468 server = dns_scope_get_dns_server(t->scope);
469 if (!server)
470 return -ESRCH;
471
472 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
473 * different properties. */
474 if (server != t->server)
475 t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
476
477 t->current_feature_level = dns_server_possible_feature_level(server);
478
479 /* Clamp the feature level if that is requested. */
480 if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
481 t->current_feature_level > t->clamp_feature_level_servfail)
482 t->current_feature_level = t->clamp_feature_level_servfail;
483
484 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
485
486 if (server == t->server)
487 return 0;
488
489 dns_server_unref(t->server);
490 t->server = dns_server_ref(server);
491
492 t->n_picked_servers ++;
493
494 log_debug("Using DNS server %s for transaction %u.", strna(dns_server_string_full(t->server)), t->id);
495
496 return 1;
497 }
498
499 static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
500 int r;
501
502 assert(t);
503
504 /* Retries the transaction as it is, possibly on a different server */
505
506 if (next_server && t->scope->protocol == DNS_PROTOCOL_DNS)
507 log_debug("Retrying transaction %" PRIu16 ", after switching servers.", t->id);
508 else
509 log_debug("Retrying transaction %" PRIu16 ".", t->id);
510
511 /* Before we try again, switch to a new server. */
512 if (next_server)
513 dns_scope_next_dns_server(t->scope, t->server);
514
515 r = dns_transaction_go(t);
516 if (r < 0)
517 dns_transaction_complete_errno(t, r);
518 }
519
520 static bool dns_transaction_limited_retry(DnsTransaction *t) {
521 assert(t);
522
523 /* If we haven't tried all different servers yet, let's try again with a different server */
524
525 if (t->n_picked_servers >= dns_scope_get_n_dns_servers(t->scope))
526 return false;
527
528 dns_transaction_retry(t, /* next_server= */ true);
529 return true;
530 }
531
532 static int dns_transaction_maybe_restart(DnsTransaction *t) {
533 int r;
534
535 assert(t);
536
537 /* Restarts the transaction, under a new ID if the feature level of the server changed since we first
538 * tried, without changing DNS server. Returns > 0 if the transaction was restarted, 0 if not. */
539
540 if (!t->server)
541 return 0;
542
543 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
544 return 0;
545
546 /* The server's current feature level is lower than when we sent the original query. We learnt something from
547 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
548 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
549 OPT RR or DO bit. One of these cases is documented here, for example:
550 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
551
552 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
553 dns_transaction_shuffle_id(t);
554
555 r = dns_transaction_go(t);
556 if (r < 0)
557 return r;
558
559 return 1;
560 }
561
562 static void on_transaction_stream_error(DnsTransaction *t, int error) {
563 assert(t);
564
565 dns_transaction_close_connection(t, true);
566
567 if (ERRNO_IS_DISCONNECT(error)) {
568 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
569 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
570 * question on this scope. */
571 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
572 return;
573 }
574
575 dns_transaction_retry(t, true);
576 return;
577 }
578 if (error != 0)
579 dns_transaction_complete_errno(t, error);
580 }
581
582 static int dns_transaction_on_stream_packet(DnsTransaction *t, DnsStream *s, DnsPacket *p) {
583 bool encrypted;
584
585 assert(t);
586 assert(s);
587 assert(p);
588
589 encrypted = s->encrypted;
590
591 dns_transaction_close_connection(t, true);
592
593 if (dns_packet_validate_reply(p) <= 0) {
594 log_debug("Invalid TCP reply packet.");
595 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
596 return 0;
597 }
598
599 dns_scope_check_conflicts(t->scope, p);
600
601 t->block_gc++;
602 dns_transaction_process_reply(t, p, encrypted);
603 t->block_gc--;
604
605 /* If the response wasn't useful, then complete the transition
606 * now. After all, we are the worst feature set now with TCP
607 * sockets, and there's really no point in retrying. */
608 if (t->state == DNS_TRANSACTION_PENDING)
609 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
610 else
611 dns_transaction_gc(t);
612
613 return 0;
614 }
615
616 static int on_stream_complete(DnsStream *s, int error) {
617 assert(s);
618
619 if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
620 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
621
622 if (s->transactions) {
623 DnsTransaction *t;
624
625 t = s->transactions;
626 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level);
627 }
628 }
629
630 if (error != 0)
631 LIST_FOREACH(transactions_by_stream, t, s->transactions)
632 on_transaction_stream_error(t, error);
633
634 return 0;
635 }
636
637 static int on_stream_packet(DnsStream *s, DnsPacket *p) {
638 DnsTransaction *t;
639
640 assert(s);
641 assert(s->manager);
642 assert(p);
643
644 t = hashmap_get(s->manager->dns_transactions, UINT_TO_PTR(DNS_PACKET_ID(p)));
645 if (t && t->stream == s) /* Validate that the stream we got this on actually is the stream the
646 * transaction was using. */
647 return dns_transaction_on_stream_packet(t, s, p);
648
649 /* Ignore incorrect transaction id as an old transaction can have been canceled. */
650 log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
651 return 0;
652 }
653
654 static uint16_t dns_transaction_port(DnsTransaction *t) {
655 assert(t);
656
657 if (t->server->port > 0)
658 return t->server->port;
659
660 return DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53;
661 }
662
663 static int dns_transaction_emit_tcp(DnsTransaction *t) {
664 usec_t stream_timeout_usec = DNS_STREAM_DEFAULT_TIMEOUT_USEC;
665 _cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
666 _cleanup_close_ int fd = -EBADF;
667 union sockaddr_union sa;
668 DnsStreamType type;
669 int r;
670
671 assert(t);
672 assert(t->sent);
673
674 dns_transaction_close_connection(t, true);
675
676 switch (t->scope->protocol) {
677
678 case DNS_PROTOCOL_DNS:
679 r = dns_transaction_pick_server(t);
680 if (r < 0)
681 return r;
682
683 if (manager_server_is_stub(t->scope->manager, t->server))
684 return -ELOOP;
685
686 if (!t->bypass) {
687 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
688 return -EOPNOTSUPP;
689
690 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
691 if (r < 0)
692 return r;
693 }
694
695 if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
696 s = dns_stream_ref(t->server->stream);
697 else
698 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_transaction_port(t), &sa);
699
700 /* Lower timeout in DNS-over-TLS opportunistic mode. In environments where DoT is blocked
701 * without ICMP response overly long delays when contacting DoT servers are nasty, in
702 * particular if multiple DNS servers are defined which we try in turn and all are
703 * blocked. Hence, substantially lower the timeout in that case. */
704 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) &&
705 dns_server_get_dns_over_tls_mode(t->server) == DNS_OVER_TLS_OPPORTUNISTIC)
706 stream_timeout_usec = DNS_STREAM_OPPORTUNISTIC_TLS_TIMEOUT_USEC;
707
708 type = DNS_STREAM_LOOKUP;
709 break;
710
711 case DNS_PROTOCOL_LLMNR:
712 /* When we already received a reply to this (but it was truncated), send to its sender address */
713 if (t->received)
714 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port, &sa);
715 else {
716 union in_addr_union address;
717 int family = AF_UNSPEC;
718
719 /* Otherwise, try to talk to the owner of a
720 * the IP address, in case this is a reverse
721 * PTR lookup */
722
723 r = dns_name_address(dns_resource_key_name(dns_transaction_key(t)), &family, &address);
724 if (r < 0)
725 return r;
726 if (r == 0)
727 return -EINVAL;
728 if (family != t->scope->family)
729 return -ESRCH;
730
731 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
732 }
733
734 type = DNS_STREAM_LLMNR_SEND;
735 break;
736
737 default:
738 return -EAFNOSUPPORT;
739 }
740
741 if (!s) {
742 if (fd < 0)
743 return fd;
744
745 r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa,
746 on_stream_packet, on_stream_complete, stream_timeout_usec);
747 if (r < 0)
748 return r;
749
750 fd = -EBADF;
751
752 #if ENABLE_DNS_OVER_TLS
753 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
754 DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
755
756 assert(t->server);
757 r = dnstls_stream_connect_tls(s, t->server);
758 if (r < 0)
759 return r;
760 }
761 #endif
762
763 if (t->server) {
764 dns_server_unref_stream(t->server);
765 s->server = dns_server_ref(t->server);
766 t->server->stream = dns_stream_ref(s);
767 }
768
769 /* The interface index is difficult to determine if we are
770 * connecting to the local host, hence fill this in right away
771 * instead of determining it from the socket */
772 s->ifindex = dns_scope_ifindex(t->scope);
773 }
774
775 t->stream = TAKE_PTR(s);
776 LIST_PREPEND(transactions_by_stream, t->stream->transactions, t);
777
778 r = dns_stream_write_packet(t->stream, t->sent);
779 if (r < 0) {
780 dns_transaction_close_connection(t, /* use_graveyard= */ false);
781 return r;
782 }
783
784 dns_transaction_reset_answer(t);
785
786 t->tried_stream = true;
787
788 return 0;
789 }
790
791 static void dns_transaction_cache_answer(DnsTransaction *t) {
792 assert(t);
793
794 /* For mDNS we cache whenever we get the packet, rather than
795 * in each transaction. */
796 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
797 return;
798
799 /* Caching disabled? */
800 if (t->scope->manager->enable_cache == DNS_CACHE_MODE_NO)
801 return;
802
803 /* If validation is turned off for this transaction, but DNSSEC is on, then let's not cache this */
804 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) && t->scope->dnssec_mode != DNSSEC_NO)
805 return;
806
807 /* Packet from localhost? */
808 if (!t->scope->manager->cache_from_localhost &&
809 in_addr_is_localhost(t->received->family, &t->received->sender) != 0)
810 return;
811
812 dns_cache_put(&t->scope->cache,
813 t->scope->manager->enable_cache,
814 t->scope->protocol,
815 dns_transaction_key(t),
816 t->answer_rcode,
817 t->answer,
818 DNS_PACKET_CD(t->received) ? t->received : NULL, /* only cache full packets with CD on,
819 * since our usecase for caching them
820 * is "bypass" mode which is only
821 * enabled for CD packets. */
822 t->answer_query_flags,
823 t->answer_dnssec_result,
824 t->answer_nsec_ttl,
825 t->received->family,
826 &t->received->sender,
827 t->scope->manager->stale_retention_usec);
828 }
829
830 static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
831 DnsTransaction *dt;
832
833 assert(t);
834
835 SET_FOREACH(dt, t->dnssec_transactions)
836 if (DNS_TRANSACTION_IS_LIVE(dt->state))
837 return true;
838
839 return false;
840 }
841
842 static int dns_transaction_dnssec_ready(DnsTransaction *t) {
843 DnsTransaction *dt;
844 int r;
845
846 assert(t);
847
848 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
849 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
850
851 SET_FOREACH(dt, t->dnssec_transactions) {
852
853 switch (dt->state) {
854
855 case DNS_TRANSACTION_NULL:
856 case DNS_TRANSACTION_PENDING:
857 case DNS_TRANSACTION_VALIDATING:
858 /* Still ongoing */
859 return 0;
860
861 case DNS_TRANSACTION_RCODE_FAILURE:
862 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
863 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", FORMAT_DNS_RCODE(dt->answer_rcode));
864 goto fail;
865 }
866
867 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
868 * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
869 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
870 * RRs to make unsigned proofs. */
871
872 case DNS_TRANSACTION_SUCCESS:
873 /* All good. */
874 break;
875
876 case DNS_TRANSACTION_DNSSEC_FAILED:
877 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
878 * validation result */
879
880 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
881 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
882 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
883 return 0;
884
885 default:
886 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
887 goto fail;
888 }
889 }
890
891 /* All is ready, we can go and validate */
892 return 1;
893
894 fail:
895 /* Some auxiliary DNSSEC transaction failed for some reason. Maybe we learned something about the
896 * server due to this failure, and the feature level is now different? Let's see and restart the
897 * transaction if so. If not, let's propagate the auxiliary failure.
898 *
899 * This is particularly relevant if an auxiliary request figured out that DNSSEC doesn't work, and we
900 * are in permissive DNSSEC mode, and thus should restart things without DNSSEC magic. */
901 r = dns_transaction_maybe_restart(t);
902 if (r < 0)
903 return r;
904 if (r > 0)
905 return 0; /* don't validate just yet, we restarted things */
906
907 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
908 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
909 return 0;
910 }
911
912 static void dns_transaction_process_dnssec(DnsTransaction *t) {
913 int r;
914
915 assert(t);
916
917 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
918 r = dns_transaction_dnssec_ready(t);
919 if (r < 0)
920 goto fail;
921 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
922 return;
923
924 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
925 * restart the lookup immediately. */
926 r = dns_transaction_maybe_restart(t);
927 if (r < 0)
928 goto fail;
929 if (r > 0) /* Transaction got restarted... */
930 return;
931
932 /* All our auxiliary DNSSEC transactions are complete now. Try
933 * to validate our RRset now. */
934 r = dns_transaction_validate_dnssec(t);
935 if (r == -EBADMSG) {
936 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
937 return;
938 }
939 if (r < 0)
940 goto fail;
941
942 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
943 t->scope->dnssec_mode == DNSSEC_YES) {
944
945 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
946 * that works. */
947
948 if (dns_transaction_limited_retry(t))
949 return;
950
951 /* OK, let's give up, apparently all servers we tried didn't work. */
952 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
953 return;
954 }
955
956 if (!IN_SET(t->answer_dnssec_result,
957 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
958 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
959 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
960 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
961 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
962 return;
963 }
964
965 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
966 dns_server_warn_downgrade(t->server);
967
968 dns_transaction_cache_answer(t);
969
970 if (t->answer_rcode == DNS_RCODE_SUCCESS)
971 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
972 else
973 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
974
975 return;
976
977 fail:
978 dns_transaction_complete_errno(t, r);
979 }
980
981 static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
982 int r;
983
984 assert(t);
985
986 /* Checks whether the answer is positive, i.e. either a direct
987 * answer to the question, or a CNAME/DNAME for it */
988
989 r = dns_answer_match_key(t->answer, dns_transaction_key(t), flags);
990 if (r != 0)
991 return r;
992
993 r = dns_answer_find_cname_or_dname(t->answer, dns_transaction_key(t), NULL, flags);
994 if (r != 0)
995 return r;
996
997 return false;
998 }
999
1000 static int dns_transaction_fix_rcode(DnsTransaction *t) {
1001 int r;
1002
1003 assert(t);
1004
1005 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
1006 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
1007 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
1008 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
1009 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
1010 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
1011 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
1012 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
1013 * incomplete CNAME/DNAME chain.
1014 *
1015 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
1016 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
1017 * lookup. */
1018
1019 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
1020 return 0;
1021
1022 r = dns_transaction_has_positive_answer(t, NULL);
1023 if (r <= 0)
1024 return r;
1025
1026 t->answer_rcode = DNS_RCODE_SUCCESS;
1027 return 0;
1028 }
1029
1030 void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypted) {
1031 bool retry_with_tcp = false;
1032 int r;
1033
1034 assert(t);
1035 assert(p);
1036 assert(t->scope);
1037 assert(t->scope->manager);
1038
1039 if (t->state != DNS_TRANSACTION_PENDING)
1040 return;
1041
1042 /* Note that this call might invalidate the query. Callers
1043 * should hence not attempt to access the query or transaction
1044 * after calling this function. */
1045
1046 log_debug("Processing incoming packet of size %zu on transaction %" PRIu16" (rcode=%s).",
1047 p->size,
1048 t->id, FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1049
1050 switch (t->scope->protocol) {
1051
1052 case DNS_PROTOCOL_LLMNR:
1053 /* For LLMNR we will not accept any packets from other interfaces */
1054
1055 if (p->ifindex != dns_scope_ifindex(t->scope))
1056 return;
1057
1058 if (p->family != t->scope->family)
1059 return;
1060
1061 /* Tentative packets are not full responses but still
1062 * useful for identifying uniqueness conflicts during
1063 * probing. */
1064 if (DNS_PACKET_LLMNR_T(p)) {
1065 dns_transaction_tentative(t, p);
1066 return;
1067 }
1068
1069 break;
1070
1071 case DNS_PROTOCOL_MDNS:
1072 /* For mDNS we will not accept any packets from other interfaces */
1073
1074 if (p->ifindex != dns_scope_ifindex(t->scope))
1075 return;
1076
1077 if (p->family != t->scope->family)
1078 return;
1079
1080 break;
1081
1082 case DNS_PROTOCOL_DNS:
1083 /* Note that we do not need to verify the
1084 * addresses/port numbers of incoming traffic, as we
1085 * invoked connect() on our UDP socket in which case
1086 * the kernel already does the needed verification for
1087 * us. */
1088 break;
1089
1090 default:
1091 assert_not_reached();
1092 }
1093
1094 if (t->received != p)
1095 DNS_PACKET_REPLACE(t->received, dns_packet_ref(p));
1096
1097 t->answer_source = DNS_TRANSACTION_NETWORK;
1098
1099 if (p->ipproto == IPPROTO_TCP) {
1100 if (DNS_PACKET_TC(p)) {
1101 /* Truncated via TCP? Somebody must be fucking with us */
1102 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1103 return;
1104 }
1105
1106 if (DNS_PACKET_ID(p) != t->id) {
1107 /* Not the reply to our query? Somebody must be fucking with us */
1108 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1109 return;
1110 }
1111 }
1112
1113 switch (t->scope->protocol) {
1114
1115 case DNS_PROTOCOL_DNS:
1116 assert(t->server);
1117
1118 if (!t->bypass &&
1119 IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
1120
1121 /* Request failed, immediately try again with reduced features */
1122
1123 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
1124
1125 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
1126 * this transaction anymore, but let's see if it might make sense to send the request
1127 * to a different DNS server instead. If not let's process the response, and accept the
1128 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
1129 * packet loss, but is not going to give us better rcodes should we actually have
1130 * managed to get them already at UDP level. */
1131
1132 if (dns_transaction_limited_retry(t))
1133 return;
1134
1135 /* Give up, accept the rcode */
1136 log_debug("Server returned error: %s", FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1137 break;
1138 }
1139
1140 /* SERVFAIL can happen for many reasons and may be transient.
1141 * To avoid unnecessary downgrades retry once with the initial level.
1142 * Check for clamp_feature_level_servfail having an invalid value as a sign that this is the
1143 * first attempt to downgrade. If so, clamp to the current value so that the transaction
1144 * is retried without actually downgrading. If the next try also fails we will downgrade by
1145 * hitting the else branch below. */
1146 if (DNS_PACKET_RCODE(p) == DNS_RCODE_SERVFAIL &&
1147 t->clamp_feature_level_servfail < 0) {
1148 t->clamp_feature_level_servfail = t->current_feature_level;
1149 log_debug("Server returned error %s, retrying transaction.",
1150 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)));
1151 } else {
1152 /* Reduce this feature level by one and try again. */
1153 switch (t->current_feature_level) {
1154 case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1155 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
1156 break;
1157 case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1158 /* Skip plain TLS when TLS is not supported */
1159 t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
1160 break;
1161 default:
1162 t->clamp_feature_level_servfail = t->current_feature_level - 1;
1163 }
1164
1165 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
1166 FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
1167 dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
1168 }
1169
1170 dns_transaction_retry(t, false /* use the same server */);
1171 return;
1172 }
1173
1174 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
1175 /* This server refused our request? If so, try again, use a different server */
1176 log_debug("Server returned REFUSED, switching servers, and retrying.");
1177
1178 if (dns_transaction_limited_retry(t))
1179 return;
1180
1181 break;
1182 }
1183
1184 if (DNS_PACKET_TC(p))
1185 dns_server_packet_truncated(t->server, t->current_feature_level);
1186
1187 break;
1188
1189 case DNS_PROTOCOL_LLMNR:
1190 case DNS_PROTOCOL_MDNS:
1191 dns_scope_packet_received(t->scope, p->timestamp - t->start_usec);
1192 break;
1193
1194 default:
1195 assert_not_reached();
1196 }
1197
1198 if (DNS_PACKET_TC(p)) {
1199
1200 /* Truncated packets for mDNS are not allowed. Give up immediately. */
1201 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
1202 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1203 return;
1204 }
1205
1206 /* Response was truncated, let's try again with good old TCP */
1207 log_debug("Reply truncated, retrying via TCP.");
1208 retry_with_tcp = true;
1209
1210 } else if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1211 DNS_PACKET_IS_FRAGMENTED(p)) {
1212
1213 /* Report the fragment size, so that we downgrade from LARGE to regular EDNS0 if needed */
1214 if (t->server)
1215 dns_server_packet_udp_fragmented(t->server, dns_packet_size_unfragmented(p));
1216
1217 if (t->current_feature_level > DNS_SERVER_FEATURE_LEVEL_UDP) {
1218 /* Packet was fragmented. Let's retry with TCP to avoid fragmentation attack
1219 * issues. (We don't do that on the lowest feature level however, since crappy DNS
1220 * servers often do not implement TCP, hence falling back to TCP on fragmentation is
1221 * counter-productive there.) */
1222
1223 log_debug("Reply fragmented, retrying via TCP. (Largest fragment size: %zu; Datagram size: %zu)",
1224 p->fragsize, p->size);
1225 retry_with_tcp = true;
1226 }
1227 }
1228
1229 if (retry_with_tcp) {
1230 r = dns_transaction_emit_tcp(t);
1231 if (r == -ESRCH) {
1232 /* No servers found? Damn! */
1233 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1234 return;
1235 }
1236 if (r == -EOPNOTSUPP) {
1237 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1238 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1239 return;
1240 }
1241 if (r < 0) {
1242 /* On LLMNR, if we cannot connect to the host,
1243 * we immediately give up */
1244 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1245 goto fail;
1246
1247 /* On DNS, couldn't send? Try immediately again, with a new server */
1248 if (dns_transaction_limited_retry(t))
1249 return;
1250
1251 /* No new server to try, give up */
1252 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1253 }
1254
1255 return;
1256 }
1257
1258 /* After the superficial checks, actually parse the message. */
1259 r = dns_packet_extract(p);
1260 if (r < 0) {
1261 if (t->server) {
1262 dns_server_packet_invalid(t->server, t->current_feature_level);
1263
1264 r = dns_transaction_maybe_restart(t);
1265 if (r < 0)
1266 goto fail;
1267 if (r > 0) /* Transaction got restarted... */
1268 return;
1269 }
1270
1271 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1272 return;
1273 }
1274
1275 if (t->server) {
1276 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1277 * rcode and subsequently downgraded the protocol */
1278
1279 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1280 t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1281 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
1282
1283 /* Report that the OPT RR was missing */
1284 if (!p->opt)
1285 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1286
1287 /* Report that the server didn't copy our query DO bit from request to response */
1288 if (DNS_PACKET_DO(t->sent) && !DNS_PACKET_DO(t->received))
1289 dns_server_packet_do_off(t->server, t->current_feature_level);
1290
1291 /* Report that we successfully received a packet. We keep track of the largest packet
1292 * size/fragment size we got. Which is useful for announcing the EDNS(0) packet size we can
1293 * receive to our server. */
1294 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, dns_packet_size_unfragmented(p));
1295 }
1296
1297 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1298 r = dns_transaction_maybe_restart(t);
1299 if (r < 0)
1300 goto fail;
1301 if (r > 0) /* Transaction got restarted... */
1302 return;
1303
1304 /* When dealing with protocols other than mDNS only consider responses with equivalent query section
1305 * to the request. For mDNS this check doesn't make sense, because the section 6 of RFC6762 states
1306 * that "Multicast DNS responses MUST NOT contain any questions in the Question Section". */
1307 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
1308 r = dns_packet_is_reply_for(p, dns_transaction_key(t));
1309 if (r < 0)
1310 goto fail;
1311 if (r == 0) {
1312 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1313 return;
1314 }
1315 }
1316
1317 /* Install the answer as answer to the transaction. We ref the answer twice here: the main `answer`
1318 * field is later replaced by the DNSSEC validated subset. The 'answer_auxiliary' field carries the
1319 * original complete record set, including RRSIG and friends. We use this when passing data to
1320 * clients that ask for DNSSEC metadata. */
1321 DNS_ANSWER_REPLACE(t->answer, dns_answer_ref(p->answer));
1322 t->answer_rcode = DNS_PACKET_RCODE(p);
1323 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
1324 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
1325 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, encrypted);
1326
1327 r = dns_transaction_fix_rcode(t);
1328 if (r < 0)
1329 goto fail;
1330
1331 /* Block GC while starting requests for additional DNSSEC RRs */
1332 t->block_gc++;
1333 r = dns_transaction_request_dnssec_keys(t);
1334 t->block_gc--;
1335
1336 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1337 if (!dns_transaction_gc(t))
1338 return;
1339
1340 /* Requesting additional keys might have resulted in this transaction to fail, since the auxiliary
1341 * request failed for some reason. If so, we are not in pending state anymore, and we should exit
1342 * quickly. */
1343 if (t->state != DNS_TRANSACTION_PENDING)
1344 return;
1345 if (r < 0)
1346 goto fail;
1347 if (r > 0) {
1348 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1349 t->state = DNS_TRANSACTION_VALIDATING;
1350 dns_transaction_close_connection(t, true);
1351 dns_transaction_stop_timeout(t);
1352 return;
1353 }
1354
1355 dns_transaction_process_dnssec(t);
1356 return;
1357
1358 fail:
1359 dns_transaction_complete_errno(t, r);
1360 }
1361
1362 static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1363 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1364 DnsTransaction *t = ASSERT_PTR(userdata);
1365 int r;
1366
1367 assert(t->scope);
1368
1369 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
1370 if (r < 0) {
1371 if (ERRNO_IS_DISCONNECT(r)) {
1372 usec_t usec;
1373
1374 /* UDP connection failures get reported via ICMP and then are possibly delivered to us on the
1375 * next recvmsg(). Treat this like a lost packet. */
1376
1377 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
1378 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &usec) >= 0);
1379 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level);
1380
1381 dns_transaction_close_connection(t, /* use_graveyard = */ false);
1382
1383 if (dns_transaction_limited_retry(t)) /* Try a different server */
1384 return 0;
1385 }
1386 dns_transaction_complete_errno(t, r);
1387 return 0;
1388 }
1389 if (r == 0)
1390 /* Spurious wakeup without any data */
1391 return 0;
1392
1393 r = dns_packet_validate_reply(p);
1394 if (r < 0) {
1395 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1396 return 0;
1397 }
1398 if (r == 0) {
1399 log_debug("Received inappropriate DNS packet as response, ignoring.");
1400 return 0;
1401 }
1402
1403 if (DNS_PACKET_ID(p) != t->id) {
1404 log_debug("Received packet with incorrect transaction ID, ignoring.");
1405 return 0;
1406 }
1407
1408 dns_transaction_process_reply(t, p, false);
1409 return 0;
1410 }
1411
1412 static int dns_transaction_emit_udp(DnsTransaction *t) {
1413 int r;
1414
1415 assert(t);
1416
1417 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
1418
1419 r = dns_transaction_pick_server(t);
1420 if (r < 0)
1421 return r;
1422
1423 if (manager_server_is_stub(t->scope->manager, t->server))
1424 return -ELOOP;
1425
1426 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP || DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level))
1427 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
1428
1429 if (!t->bypass && !dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(dns_transaction_key(t)->type))
1430 return -EOPNOTSUPP;
1431
1432 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1433 int fd;
1434
1435 dns_transaction_close_connection(t, true);
1436
1437 /* Before we allocate a new UDP socket, let's process the graveyard a bit to free some fds */
1438 manager_socket_graveyard_process(t->scope->manager);
1439
1440 fd = dns_scope_socket_udp(t->scope, t->server);
1441 if (fd < 0)
1442 return fd;
1443
1444 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1445 if (r < 0) {
1446 safe_close(fd);
1447 return r;
1448 }
1449
1450 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
1451 t->dns_udp_fd = fd;
1452 }
1453
1454 if (!t->bypass) {
1455 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1456 if (r < 0)
1457 return r;
1458 }
1459 } else
1460 dns_transaction_close_connection(t, true);
1461
1462 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->server ? t->server->family : AF_UNSPEC, t->sent);
1463 if (r < 0)
1464 return r;
1465
1466 dns_transaction_reset_answer(t);
1467
1468 return 0;
1469 }
1470
1471 static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1472 DnsTransaction *t = ASSERT_PTR(userdata);
1473
1474 assert(s);
1475
1476 if (t->initial_jitter_scheduled && !t->initial_jitter_elapsed) {
1477 log_debug("Initial jitter phase for transaction %" PRIu16 " elapsed.", t->id);
1478 t->initial_jitter_elapsed = true;
1479 } else {
1480 /* Timeout reached? Increase the timeout for the server used */
1481 switch (t->scope->protocol) {
1482
1483 case DNS_PROTOCOL_DNS:
1484 assert(t->server);
1485 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level);
1486 break;
1487
1488 case DNS_PROTOCOL_LLMNR:
1489 case DNS_PROTOCOL_MDNS:
1490 dns_scope_packet_lost(t->scope, usec - t->start_usec);
1491 break;
1492
1493 default:
1494 assert_not_reached();
1495 }
1496
1497 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
1498 }
1499
1500 dns_transaction_retry(t, /* next_server= */ true); /* try a different server, but given this means
1501 * packet loss, let's do so even if we already
1502 * tried a bunch */
1503 return 0;
1504 }
1505
1506 static int dns_transaction_setup_timeout(
1507 DnsTransaction *t,
1508 usec_t timeout_usec /* relative */,
1509 usec_t next_usec /* CLOCK_BOOTTIME */) {
1510
1511 int r;
1512
1513 assert(t);
1514
1515 dns_transaction_stop_timeout(t);
1516
1517 r = sd_event_add_time_relative(
1518 t->scope->manager->event,
1519 &t->timeout_event_source,
1520 CLOCK_BOOTTIME,
1521 timeout_usec, 0,
1522 on_transaction_timeout, t);
1523 if (r < 0)
1524 return r;
1525
1526 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1527
1528 t->next_attempt_after = next_usec;
1529 t->state = DNS_TRANSACTION_PENDING;
1530 return 0;
1531 }
1532
1533 static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1534 assert(t);
1535 assert(t->scope);
1536
1537 switch (t->scope->protocol) {
1538
1539 case DNS_PROTOCOL_DNS:
1540
1541 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1542 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1543 * needlessly. */
1544 if (t->stream)
1545 return TRANSACTION_TCP_TIMEOUT_USEC;
1546
1547 return DNS_TIMEOUT_USEC;
1548
1549 case DNS_PROTOCOL_MDNS:
1550 if (t->probing)
1551 return MDNS_PROBING_INTERVAL_USEC;
1552
1553 /* See RFC 6762 Section 5.1 suggests that timeout should be a few seconds. */
1554 assert(t->n_attempts > 0);
1555 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
1556
1557 case DNS_PROTOCOL_LLMNR:
1558 return t->scope->resend_timeout;
1559
1560 default:
1561 assert_not_reached();
1562 }
1563 }
1564
1565 static void dns_transaction_randomize_answer(DnsTransaction *t) {
1566 int r;
1567
1568 assert(t);
1569
1570 /* Randomizes the order of the answer array. This is done for all cached responses, so that we return
1571 * a different order each time. We do this only for DNS traffic, in order to do some minimal, crappy
1572 * load balancing. We don't do this for LLMNR or mDNS, since the order (preferring link-local
1573 * addresses, and such like) might have meaning there, and load balancing is pointless. */
1574
1575 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1576 return;
1577
1578 /* No point in randomizing, if there's just one RR */
1579 if (dns_answer_size(t->answer) <= 1)
1580 return;
1581
1582 r = dns_answer_reserve_or_clone(&t->answer, 0);
1583 if (r < 0) /* If this fails, just don't randomize, this is non-essential stuff after all */
1584 return (void) log_debug_errno(r, "Failed to clone answer record, not randomizing RR order of answer: %m");
1585
1586 dns_answer_randomize(t->answer);
1587 }
1588
1589 static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
1590 int r;
1591
1592 assert(t);
1593
1594 /* Returns 0 if dns_transaction_complete() has been called. In that case the transaction and query
1595 * candidate objects may have been invalidated and must not be accessed. Returns 1 if the transaction
1596 * has been prepared. */
1597
1598 dns_transaction_stop_timeout(t);
1599
1600 if (!dns_scope_network_good(t->scope)) {
1601 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1602 return 0;
1603 }
1604
1605 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
1606 DnsTransactionState result;
1607
1608 if (t->scope->protocol == DNS_PROTOCOL_LLMNR)
1609 /* If we didn't find anything on LLMNR, it's not an error, but a failure to resolve
1610 * the name. */
1611 result = DNS_TRANSACTION_NOT_FOUND;
1612 else
1613 result = DNS_TRANSACTION_ATTEMPTS_MAX_REACHED;
1614
1615 dns_transaction_complete(t, result);
1616 return 0;
1617 }
1618
1619 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
1620 /* If we already tried via a stream, then we don't
1621 * retry on LLMNR. See RFC 4795, Section 2.7. */
1622 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1623 return 0;
1624 }
1625
1626 t->n_attempts++;
1627 t->start_usec = ts;
1628
1629 dns_transaction_reset_answer(t);
1630 dns_transaction_flush_dnssec_transactions(t);
1631
1632 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
1633 if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1634 !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_TRUST_ANCHOR)) {
1635 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, dns_transaction_key(t), &t->answer);
1636 if (r < 0)
1637 return r;
1638 if (r > 0) {
1639 t->answer_rcode = DNS_RCODE_SUCCESS;
1640 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1641 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
1642 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1643 return 0;
1644 }
1645
1646 if (dns_name_is_root(dns_resource_key_name(dns_transaction_key(t))) &&
1647 dns_transaction_key(t)->type == DNS_TYPE_DS) {
1648
1649 /* Hmm, this is a request for the root DS? A DS RR doesn't exist in the root zone,
1650 * and if our trust anchor didn't know it either, this means we cannot do any DNSSEC
1651 * logic anymore. */
1652
1653 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
1654 /* We are in downgrade mode. In this case, synthesize an unsigned empty
1655 * response, so that the any lookup depending on this one can continue
1656 * assuming there was no DS, and hence the root zone was unsigned. */
1657
1658 t->answer_rcode = DNS_RCODE_SUCCESS;
1659 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1660 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
1661 SET_FLAG(t->answer_query_flags, SD_RESOLVED_CONFIDENTIAL, true);
1662 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1663 } else
1664 /* If we are not in downgrade mode, then fail the lookup, because we cannot
1665 * reasonably answer it. There might be DS RRs, but we don't know them, and
1666 * the DNS server won't tell them to us (and even if it would, we couldn't
1667 * validate and trust them. */
1668 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1669
1670 return 0;
1671 }
1672 }
1673
1674 /* Check the zone. */
1675 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_ZONE)) {
1676 r = dns_zone_lookup(&t->scope->zone, dns_transaction_key(t), dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
1677 if (r < 0)
1678 return r;
1679 if (r > 0) {
1680 t->answer_rcode = DNS_RCODE_SUCCESS;
1681 t->answer_source = DNS_TRANSACTION_ZONE;
1682 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL, true);
1683 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1684 return 0;
1685 }
1686 }
1687
1688 /* Check the cache. */
1689 if (!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_CACHE)) {
1690
1691 /* Before trying the cache, let's make sure we figured out a server to use. Should this cause
1692 * a change of server this might flush the cache. */
1693 (void) dns_scope_get_dns_server(t->scope);
1694
1695 /* Let's then prune all outdated entries */
1696 dns_cache_prune(&t->scope->cache);
1697
1698 /* For the initial attempt or when no stale data is requested, disable serve stale
1699 * and answer the question from the cache (honors ttl property).
1700 * On the second attempt, if StaleRetentionSec is greater than zero,
1701 * try to answer the question using stale date (honors until property) */
1702 uint64_t query_flags = t->query_flags;
1703 if (t->n_attempts == 1 || t->scope->manager->stale_retention_usec == 0)
1704 query_flags |= SD_RESOLVED_NO_STALE;
1705
1706 r = dns_cache_lookup(
1707 &t->scope->cache,
1708 dns_transaction_key(t),
1709 query_flags,
1710 &t->answer_rcode,
1711 &t->answer,
1712 &t->received,
1713 &t->answer_query_flags,
1714 &t->answer_dnssec_result);
1715 if (r < 0)
1716 return r;
1717 if (r > 0) {
1718 dns_transaction_randomize_answer(t);
1719
1720 if (t->bypass && t->scope->protocol == DNS_PROTOCOL_DNS && !t->received)
1721 /* When bypass mode is on, do not use cached data unless it came with a full
1722 * packet. */
1723 dns_transaction_reset_answer(t);
1724 else {
1725 if (t->n_attempts > 1 && !FLAGS_SET(query_flags, SD_RESOLVED_NO_STALE)) {
1726 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1727 log_debug("Serve Stale response rcode=%s for %s",
1728 FORMAT_DNS_RCODE(t->answer_rcode),
1729 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
1730 }
1731
1732 t->answer_source = DNS_TRANSACTION_CACHE;
1733 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1734 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1735 else
1736 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1737 return 0;
1738 }
1739 }
1740 }
1741
1742 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_NETWORK)) {
1743 dns_transaction_complete(t, DNS_TRANSACTION_NO_SOURCE);
1744 return 0;
1745 }
1746
1747 return 1;
1748 }
1749
1750 static int dns_packet_append_zone(DnsPacket *p, DnsTransaction *t, DnsResourceKey *k, unsigned *nscount) {
1751 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1752 bool tentative;
1753 int r;
1754
1755 assert(p);
1756 assert(t);
1757 assert(k);
1758
1759 if (k->type != DNS_TYPE_ANY)
1760 return 0;
1761
1762 r = dns_zone_lookup(&t->scope->zone, k, t->scope->link->ifindex, &answer, NULL, &tentative);
1763 if (r < 0)
1764 return r;
1765
1766 return dns_packet_append_answer(p, answer, nscount);
1767 }
1768
1769 static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
1770 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1771 _cleanup_set_free_ Set *keys = NULL;
1772 unsigned qdcount, ancount = 0 /* avoid false maybe-uninitialized warning */, nscount;
1773 bool add_known_answers = false;
1774 usec_t ts;
1775 int r;
1776
1777 assert(t);
1778 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1779
1780 /* Discard any previously prepared packet, so we can start over and coalesce again */
1781 t->sent = dns_packet_unref(t->sent);
1782
1783 /* First, create a dummy packet to calculate packet size. */
1784 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1785 if (r < 0)
1786 return r;
1787
1788 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1789 if (r < 0)
1790 return r;
1791
1792 qdcount = 1;
1793
1794 if (dns_key_is_shared(dns_transaction_key(t)))
1795 add_known_answers = true;
1796
1797 r = dns_packet_append_zone(p, t, dns_transaction_key(t), NULL);
1798 if (r < 0)
1799 return r;
1800
1801 /* Save appended keys */
1802 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(t));
1803 if (r < 0)
1804 return r;
1805
1806 /*
1807 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1808 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
1809 * in our current scope, and see whether their timing constraints allow them to be sent.
1810 */
1811
1812 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
1813
1814 for (bool restart = true; restart;) {
1815 restart = false;
1816 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1817 size_t saved_packet_size;
1818 bool append = false;
1819
1820 /* Skip ourselves */
1821 if (other == t)
1822 continue;
1823
1824 if (other->state != DNS_TRANSACTION_PENDING)
1825 continue;
1826
1827 if (other->next_attempt_after > ts)
1828 continue;
1829
1830 if (!set_contains(keys, dns_transaction_key(other))) {
1831 r = dns_packet_append_key(p, dns_transaction_key(other), 0, &saved_packet_size);
1832 /* If we can't stuff more questions into the packet, just give up.
1833 * One of the 'other' transactions will fire later and take care of the rest. */
1834 if (r == -EMSGSIZE)
1835 break;
1836 if (r < 0)
1837 return r;
1838
1839 r = dns_packet_append_zone(p, t, dns_transaction_key(other), NULL);
1840 if (r == -EMSGSIZE)
1841 break;
1842 if (r < 0)
1843 return r;
1844
1845 append = true;
1846 }
1847
1848 r = dns_transaction_prepare(other, ts);
1849 if (r < 0)
1850 return r;
1851 if (r == 0) {
1852 if (append)
1853 dns_packet_truncate(p, saved_packet_size);
1854
1855 /* In this case, not only this transaction, but multiple transactions may be
1856 * freed. Hence, we need to restart the loop. */
1857 restart = true;
1858 break;
1859 }
1860
1861 usec_t timeout = transaction_get_resend_timeout(other);
1862 r = dns_transaction_setup_timeout(other, timeout, usec_add(ts, timeout));
1863 if (r < 0)
1864 return r;
1865
1866 if (dns_key_is_shared(dns_transaction_key(other)))
1867 add_known_answers = true;
1868
1869 if (append) {
1870 r = set_ensure_put(&keys, &dns_resource_key_hash_ops, dns_transaction_key(other));
1871 if (r < 0)
1872 return r;
1873 }
1874
1875 qdcount++;
1876 if (qdcount >= UINT16_MAX)
1877 break;
1878 }
1879 }
1880
1881 /* Append known answer section if we're asking for any shared record */
1882 if (add_known_answers) {
1883 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, 0);
1884 if (r < 0)
1885 return r;
1886
1887 ancount = be16toh(DNS_PACKET_HEADER(p)->ancount);
1888 }
1889
1890 /* Then, create actual packet. */
1891 p = dns_packet_unref(p);
1892 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1893 if (r < 0)
1894 return r;
1895
1896 /* Questions */
1897 DnsResourceKey *k;
1898 SET_FOREACH(k, keys) {
1899 r = dns_packet_append_key(p, k, 0, NULL);
1900 if (r < 0)
1901 return r;
1902 }
1903 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
1904
1905 /* Known answers */
1906 if (add_known_answers) {
1907 r = dns_cache_export_shared_to_packet(&t->scope->cache, p, ts, ancount);
1908 if (r < 0)
1909 return r;
1910 }
1911
1912 /* Authorities */
1913 nscount = 0;
1914 SET_FOREACH(k, keys) {
1915 r = dns_packet_append_zone(p, t, k, &nscount);
1916 if (r < 0)
1917 return r;
1918 }
1919 DNS_PACKET_HEADER(p)->nscount = htobe16(nscount);
1920
1921 t->sent = TAKE_PTR(p);
1922 return 0;
1923 }
1924
1925 static int dns_transaction_make_packet(DnsTransaction *t) {
1926 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1927 int r;
1928
1929 assert(t);
1930
1931 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1932 return dns_transaction_make_packet_mdns(t);
1933
1934 if (t->sent)
1935 return 0;
1936
1937 if (t->bypass && t->bypass->protocol == t->scope->protocol) {
1938 /* If bypass logic is enabled and the protocol if the original packet and our scope match,
1939 * take the original packet, copy it, and patch in our new ID */
1940 r = dns_packet_dup(&p, t->bypass);
1941 if (r < 0)
1942 return r;
1943 } else {
1944 r = dns_packet_new_query(
1945 &p, t->scope->protocol,
1946 /* min_alloc_dsize = */ 0,
1947 /* dnssec_cd = */ !FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) &&
1948 t->scope->dnssec_mode != DNSSEC_NO);
1949 if (r < 0)
1950 return r;
1951
1952 r = dns_packet_append_key(p, dns_transaction_key(t), 0, NULL);
1953 if (r < 0)
1954 return r;
1955
1956 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1957 }
1958
1959 DNS_PACKET_HEADER(p)->id = t->id;
1960
1961 t->sent = TAKE_PTR(p);
1962 return 0;
1963 }
1964
1965 int dns_transaction_go(DnsTransaction *t) {
1966 usec_t ts;
1967 int r;
1968 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1969
1970 assert(t);
1971
1972 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has
1973 * finished now. In the latter case, the transaction and query candidate objects must not be accessed.
1974 */
1975
1976 assert_se(sd_event_now(t->scope->manager->event, CLOCK_BOOTTIME, &ts) >= 0);
1977
1978 r = dns_transaction_prepare(t, ts);
1979 if (r <= 0)
1980 return r;
1981
1982 log_debug("Firing %s transaction %" PRIu16 " for <%s> scope %s on %s/%s (validate=%s).",
1983 t->bypass ? "bypass" : "regular",
1984 t->id,
1985 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str),
1986 dns_protocol_to_string(t->scope->protocol),
1987 t->scope->link ? t->scope->link->ifname : "*",
1988 af_to_name_short(t->scope->family),
1989 yes_no(!FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE)));
1990
1991 if (!t->initial_jitter_scheduled &&
1992 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
1993 usec_t jitter;
1994
1995 /* RFC 4795 Section 2.7 suggests all LLMNR queries should be delayed by a random time from 0 to
1996 * JITTER_INTERVAL.
1997 * RFC 6762 Section 8.1 suggests initial probe queries should be delayed by a random time from
1998 * 0 to 250ms. */
1999
2000 t->initial_jitter_scheduled = true;
2001 t->n_attempts = 0;
2002
2003 switch (t->scope->protocol) {
2004
2005 case DNS_PROTOCOL_LLMNR:
2006 jitter = random_u64_range(LLMNR_JITTER_INTERVAL_USEC);
2007 break;
2008
2009 case DNS_PROTOCOL_MDNS:
2010 if (t->probing)
2011 jitter = random_u64_range(MDNS_PROBING_INTERVAL_USEC);
2012 else
2013 jitter = 0;
2014 break;
2015 default:
2016 assert_not_reached();
2017 }
2018
2019 r = dns_transaction_setup_timeout(t, jitter, ts);
2020 if (r < 0)
2021 return r;
2022
2023 log_debug("Delaying %s transaction %" PRIu16 " for " USEC_FMT "us.",
2024 dns_protocol_to_string(t->scope->protocol),
2025 t->id,
2026 jitter);
2027 return 1;
2028 }
2029
2030 /* Otherwise, we need to ask the network */
2031 r = dns_transaction_make_packet(t);
2032 if (r < 0)
2033 return r;
2034
2035 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
2036 (dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "in-addr.arpa") > 0 ||
2037 dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), "ip6.arpa") > 0)) {
2038
2039 /* RFC 4795, Section 2.4. says reverse lookups shall
2040 * always be made via TCP on LLMNR */
2041 r = dns_transaction_emit_tcp(t);
2042 } else {
2043 /* Try via UDP, and if that fails due to large size or lack of
2044 * support try via TCP */
2045 r = dns_transaction_emit_udp(t);
2046 if (r == -EMSGSIZE)
2047 log_debug("Sending query via TCP since it is too large.");
2048 else if (r == -EAGAIN)
2049 log_debug("Sending query via TCP since UDP isn't supported or DNS-over-TLS is selected.");
2050 else if (r == -EPERM)
2051 log_debug("Sending query via TCP since UDP is blocked.");
2052 if (IN_SET(r, -EMSGSIZE, -EAGAIN, -EPERM))
2053 r = dns_transaction_emit_tcp(t);
2054 }
2055 if (r == -ELOOP) {
2056 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2057 return r;
2058
2059 /* One of our own stub listeners */
2060 log_debug_errno(r, "Detected that specified DNS server is our own extra listener, switching DNS servers.");
2061
2062 dns_scope_next_dns_server(t->scope, t->server);
2063
2064 if (dns_scope_get_dns_server(t->scope) == t->server) {
2065 log_debug_errno(r, "Still pointing to extra listener after switching DNS servers, refusing operation.");
2066 dns_transaction_complete(t, DNS_TRANSACTION_STUB_LOOP);
2067 return 0;
2068 }
2069
2070 return dns_transaction_go(t);
2071 }
2072 if (r == -ESRCH) {
2073 /* No servers to send this to? */
2074 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
2075 return 0;
2076 }
2077 if (r == -EOPNOTSUPP) {
2078 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
2079 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
2080 return 0;
2081 }
2082 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && r < 0 && ERRNO_IS_DISCONNECT(r)) {
2083 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
2084 * answer this request with this protocol. */
2085 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
2086 return 0;
2087 }
2088 if (r < 0) {
2089 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2090 return r;
2091
2092 /* Couldn't send? Try immediately again, with a new server */
2093 dns_scope_next_dns_server(t->scope, t->server);
2094
2095 return dns_transaction_go(t);
2096 }
2097
2098 usec_t timeout = transaction_get_resend_timeout(t);
2099 r = dns_transaction_setup_timeout(t, timeout, usec_add(ts, timeout));
2100 if (r < 0)
2101 return r;
2102
2103 return 1;
2104 }
2105
2106 static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
2107 DnsTransaction *n;
2108 int r;
2109
2110 assert(t);
2111 assert(aux);
2112
2113 /* Try to find cyclic dependencies between transaction objects */
2114
2115 if (t == aux)
2116 return 1;
2117
2118 SET_FOREACH(n, aux->dnssec_transactions) {
2119 r = dns_transaction_find_cyclic(t, n);
2120 if (r != 0)
2121 return r;
2122 }
2123
2124 return 0;
2125 }
2126
2127 static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
2128 _cleanup_(dns_transaction_gcp) DnsTransaction *aux = NULL;
2129 int r;
2130
2131 assert(t);
2132 assert(ret);
2133 assert(key);
2134
2135 aux = dns_scope_find_transaction(t->scope, key, t->query_flags);
2136 if (!aux) {
2137 r = dns_transaction_new(&aux, t->scope, key, NULL, t->query_flags);
2138 if (r < 0)
2139 return r;
2140 } else {
2141 if (set_contains(t->dnssec_transactions, aux)) {
2142 *ret = aux;
2143 return 0;
2144 }
2145
2146 r = dns_transaction_find_cyclic(t, aux);
2147 if (r < 0)
2148 return r;
2149 if (r > 0) {
2150 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
2151
2152 return log_debug_errno(SYNTHETIC_ERRNO(ELOOP),
2153 "Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
2154 aux->id,
2155 dns_resource_key_to_string(dns_transaction_key(t), s, sizeof s),
2156 t->id,
2157 dns_resource_key_to_string(dns_transaction_key(aux), saux, sizeof saux));
2158 }
2159 }
2160
2161 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
2162 if (r < 0)
2163 return r;
2164
2165 r = set_ensure_put(&t->dnssec_transactions, NULL, aux);
2166 if (r < 0)
2167 return r;
2168
2169 r = set_ensure_put(&aux->notify_transactions, NULL, t);
2170 if (r < 0) {
2171 (void) set_remove(t->dnssec_transactions, aux);
2172 return r;
2173 }
2174
2175 *ret = TAKE_PTR(aux);
2176 return 1;
2177 }
2178
2179 static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
2180 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
2181 DnsTransaction *aux;
2182 int r;
2183
2184 assert(t);
2185 assert(key);
2186
2187 /* Try to get the data from the trust anchor */
2188 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
2189 if (r < 0)
2190 return r;
2191 if (r > 0) {
2192 r = dns_answer_extend(&t->validated_keys, a);
2193 if (r < 0)
2194 return r;
2195
2196 return 0;
2197 }
2198
2199 /* This didn't work, ask for it via the network/cache then. */
2200 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
2201 if (r == -ELOOP) /* This would result in a cyclic dependency */
2202 return 0;
2203 if (r < 0)
2204 return r;
2205
2206 if (aux->state == DNS_TRANSACTION_NULL) {
2207 r = dns_transaction_go(aux);
2208 if (r < 0)
2209 return r;
2210 }
2211
2212 return 1;
2213 }
2214
2215 static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
2216 int r;
2217
2218 assert(t);
2219
2220 /* Check whether the specified name is in the NTA
2221 * database, either in the global one, or the link-local
2222 * one. */
2223
2224 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
2225 if (r != 0)
2226 return r;
2227
2228 if (!t->scope->link)
2229 return 0;
2230
2231 return link_negative_trust_anchor_lookup(t->scope->link, name);
2232 }
2233
2234 static int dns_transaction_has_negative_answer(DnsTransaction *t) {
2235 int r;
2236
2237 assert(t);
2238
2239 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
2240 * RRs to prove it */
2241
2242 r = dns_transaction_has_positive_answer(t, NULL);
2243 if (r < 0)
2244 return r;
2245 if (r > 0)
2246 return false;
2247
2248 /* Is this key explicitly listed as a negative trust anchor?
2249 * If so, it's nothing we need to care about */
2250 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
2251 if (r < 0)
2252 return r;
2253 return !r;
2254 }
2255
2256 static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
2257 int r;
2258
2259 assert(t);
2260 assert(rr);
2261
2262 /* Check if the specified RR is the "primary" response,
2263 * i.e. either matches the question precisely or is a
2264 * CNAME/DNAME for it. */
2265
2266 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
2267 if (r != 0)
2268 return r;
2269
2270 return dns_resource_key_match_cname_or_dname(dns_transaction_key(t), rr->key, NULL);
2271 }
2272
2273 static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
2274 assert(t);
2275
2276 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
2277 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
2278
2279 if (t->scope->protocol != DNS_PROTOCOL_DNS)
2280 return false;
2281
2282 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
2283 * be supported, hence return true. */
2284 if (!t->server)
2285 return true;
2286
2287 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
2288 * the server is known to support currently, as the transaction feature level might be lower than what the
2289 * server actually supports, since we might have downgraded this transaction's feature level because we got a
2290 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
2291
2292 return dns_server_dnssec_supported(t->server);
2293 }
2294
2295 static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
2296 DnsTransaction *dt;
2297
2298 assert(t);
2299
2300 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
2301
2302 if (!dns_transaction_dnssec_supported(t))
2303 return false;
2304
2305 SET_FOREACH(dt, t->dnssec_transactions)
2306 if (!dns_transaction_dnssec_supported(dt))
2307 return false;
2308
2309 return true;
2310 }
2311
2312 int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
2313 DnsResourceRecord *rr;
2314
2315 int r;
2316
2317 assert(t);
2318
2319 /*
2320 * Retrieve all auxiliary RRs for the answer we got, so that
2321 * we can verify signatures or prove that RRs are rightfully
2322 * unsigned. Specifically:
2323 *
2324 * - For RRSIG we get the matching DNSKEY
2325 * - For DNSKEY we get the matching DS
2326 * - For unsigned SOA/NS we get the matching DS
2327 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
2328 * - For other unsigned RRs we get the matching SOA RR
2329 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
2330 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
2331 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
2332 */
2333
2334 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
2335 return 0;
2336 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2337 return 0; /* We only need to validate stuff from the network */
2338 if (!dns_transaction_dnssec_supported(t))
2339 return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
2340
2341 DNS_ANSWER_FOREACH(rr, t->answer) {
2342
2343 if (dns_type_is_pseudo(rr->key->type))
2344 continue;
2345
2346 /* If this RR is in the negative trust anchor, we don't need to validate it. */
2347 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2348 if (r < 0)
2349 return r;
2350 if (r > 0)
2351 continue;
2352
2353 switch (rr->key->type) {
2354
2355 case DNS_TYPE_RRSIG: {
2356 /* For each RRSIG we request the matching DNSKEY */
2357 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
2358
2359 /* If this RRSIG is about a DNSKEY RR and the
2360 * signer is the same as the owner, then we
2361 * already have the DNSKEY, and we don't have
2362 * to look for more. */
2363 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
2364 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
2365 if (r < 0)
2366 return r;
2367 if (r > 0)
2368 continue;
2369 }
2370
2371 /* If the signer is not a parent of our
2372 * original query, then this is about an
2373 * auxiliary RRset, but not anything we asked
2374 * for. In this case we aren't interested,
2375 * because we don't want to request additional
2376 * RRs for stuff we didn't really ask for, and
2377 * also to avoid request loops, where
2378 * additional RRs from one transaction result
2379 * in another transaction whose additional RRs
2380 * point back to the original transaction, and
2381 * we deadlock. */
2382 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), rr->rrsig.signer);
2383 if (r < 0)
2384 return r;
2385 if (r == 0)
2386 continue;
2387
2388 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2389 if (!dnskey)
2390 return -ENOMEM;
2391
2392 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2393 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
2394 r = dns_transaction_request_dnssec_rr(t, dnskey);
2395 if (r < 0)
2396 return r;
2397 break;
2398 }
2399
2400 case DNS_TYPE_DNSKEY: {
2401 /* For each DNSKEY we request the matching DS */
2402 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2403
2404 /* If the DNSKEY we are looking at is not for
2405 * zone we are interested in, nor any of its
2406 * parents, we aren't interested, and don't
2407 * request it. After all, we don't want to end
2408 * up in request loops, and want to keep
2409 * additional traffic down. */
2410
2411 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
2412 if (r < 0)
2413 return r;
2414 if (r == 0)
2415 continue;
2416
2417 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2418 if (!ds)
2419 return -ENOMEM;
2420
2421 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2422 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
2423 r = dns_transaction_request_dnssec_rr(t, ds);
2424 if (r < 0)
2425 return r;
2426
2427 break;
2428 }
2429
2430 case DNS_TYPE_SOA:
2431 case DNS_TYPE_NS: {
2432 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2433
2434 /* For an unsigned SOA or NS, try to acquire
2435 * the matching DS RR, as we are at a zone cut
2436 * then, and whether a DS exists tells us
2437 * whether the zone is signed. Do so only if
2438 * this RR matches our original question,
2439 * however. */
2440
2441 r = dns_resource_key_match_rr(dns_transaction_key(t), rr, NULL);
2442 if (r < 0)
2443 return r;
2444 if (r == 0) {
2445 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
2446 * a negative reply, and we need the SOA RR's TTL in order to cache a negative entry?
2447 * If so, we need to validate it, too. */
2448
2449 r = dns_answer_match_key(t->answer, dns_transaction_key(t), NULL);
2450 if (r < 0)
2451 return r;
2452 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2453 * it. */
2454 continue;
2455
2456 /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
2457 * what we are looking for, otherwise there's no value in it for us. */
2458 r = dns_name_endswith(dns_resource_key_name(dns_transaction_key(t)), dns_resource_key_name(rr->key));
2459 if (r < 0)
2460 return r;
2461 if (r == 0)
2462 continue;
2463 }
2464
2465 r = dnssec_has_rrsig(t->answer, rr->key);
2466 if (r < 0)
2467 return r;
2468 if (r > 0)
2469 continue;
2470
2471 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2472 if (!ds)
2473 return -ENOMEM;
2474
2475 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2476 t->id, dns_resource_key_name(rr->key));
2477 r = dns_transaction_request_dnssec_rr(t, ds);
2478 if (r < 0)
2479 return r;
2480
2481 break;
2482 }
2483
2484 case DNS_TYPE_DS:
2485 case DNS_TYPE_CNAME:
2486 case DNS_TYPE_DNAME: {
2487 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2488 const char *name;
2489
2490 /* CNAMEs and DNAMEs cannot be located at a
2491 * zone apex, hence ask for the parent SOA for
2492 * unsigned CNAME/DNAME RRs, maybe that's the
2493 * apex. But do all that only if this is
2494 * actually a response to our original
2495 * question.
2496 *
2497 * Similar for DS RRs, which are signed when
2498 * the parent SOA is signed. */
2499
2500 r = dns_transaction_is_primary_response(t, rr);
2501 if (r < 0)
2502 return r;
2503 if (r == 0)
2504 continue;
2505
2506 r = dnssec_has_rrsig(t->answer, rr->key);
2507 if (r < 0)
2508 return r;
2509 if (r > 0)
2510 continue;
2511
2512 r = dns_answer_has_dname_for_cname(t->answer, rr);
2513 if (r < 0)
2514 return r;
2515 if (r > 0)
2516 continue;
2517
2518 name = dns_resource_key_name(rr->key);
2519 r = dns_name_parent(&name);
2520 if (r < 0)
2521 return r;
2522 if (r == 0)
2523 continue;
2524
2525 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2526 if (!soa)
2527 return -ENOMEM;
2528
2529 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2530 t->id, dns_resource_key_name(rr->key));
2531 r = dns_transaction_request_dnssec_rr(t, soa);
2532 if (r < 0)
2533 return r;
2534
2535 break;
2536 }
2537
2538 default: {
2539 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2540
2541 /* For other unsigned RRsets (including
2542 * NSEC/NSEC3!), look for proof the zone is
2543 * unsigned, by requesting the SOA RR of the
2544 * zone. However, do so only if they are
2545 * directly relevant to our original
2546 * question. */
2547
2548 r = dns_transaction_is_primary_response(t, rr);
2549 if (r < 0)
2550 return r;
2551 if (r == 0)
2552 continue;
2553
2554 r = dnssec_has_rrsig(t->answer, rr->key);
2555 if (r < 0)
2556 return r;
2557 if (r > 0)
2558 continue;
2559
2560 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
2561 if (!soa)
2562 return -ENOMEM;
2563
2564 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2565 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
2566 r = dns_transaction_request_dnssec_rr(t, soa);
2567 if (r < 0)
2568 return r;
2569 break;
2570 }}
2571 }
2572
2573 /* Above, we requested everything necessary to validate what
2574 * we got. Now, let's request what we need to validate what we
2575 * didn't get... */
2576
2577 r = dns_transaction_has_negative_answer(t);
2578 if (r < 0)
2579 return r;
2580 if (r > 0) {
2581 const char *name, *signed_status;
2582 uint16_t type = 0;
2583
2584 name = dns_resource_key_name(dns_transaction_key(t));
2585 signed_status = dns_answer_contains_nsec_or_nsec3(t->answer) ? "signed" : "unsigned";
2586
2587 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2588 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2589 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2590 * though they have further children. If this was a DS request, then it's signed when the parent zone
2591 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2592 * to see if that is signed. */
2593
2594 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
2595 r = dns_name_parent(&name);
2596 if (r > 0) {
2597 type = DNS_TYPE_SOA;
2598 log_debug("Requesting parent SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty DS response).",
2599 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id,
2600 dns_resource_key_name(dns_transaction_key(t)), signed_status);
2601 } else
2602 name = NULL;
2603
2604 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
2605
2606 type = DNS_TYPE_DS;
2607 log_debug("Requesting DS (%s %s) to validate transaction %" PRIu16 " (%s, %s empty SOA/NS response).",
2608 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
2609
2610 } else {
2611 type = DNS_TYPE_SOA;
2612 log_debug("Requesting SOA (%s %s) to validate transaction %" PRIu16 " (%s, %s empty non-SOA/NS/DS response).",
2613 special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), name, t->id, name, signed_status);
2614 }
2615
2616 if (name) {
2617 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2618
2619 soa = dns_resource_key_new(dns_transaction_key(t)->class, type, name);
2620 if (!soa)
2621 return -ENOMEM;
2622
2623 r = dns_transaction_request_dnssec_rr(t, soa);
2624 if (r < 0)
2625 return r;
2626 }
2627 }
2628
2629 return dns_transaction_dnssec_is_live(t);
2630 }
2631
2632 void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
2633 assert(t);
2634 assert(source);
2635
2636 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2637 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2638 the state is VALIDATING however, we should check if we are complete now. */
2639
2640 if (t->state == DNS_TRANSACTION_VALIDATING)
2641 dns_transaction_process_dnssec(t);
2642 }
2643
2644 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
2645 DnsAnswerItem *item;
2646 int r;
2647
2648 assert(t);
2649
2650 /* Add all DNSKEY RRs from the answer that are validated by DS
2651 * RRs from the list of validated keys to the list of
2652 * validated keys. */
2653
2654 DNS_ANSWER_FOREACH_ITEM(item, t->answer) {
2655
2656 r = dnssec_verify_dnskey_by_ds_search(item->rr, t->validated_keys);
2657 if (r < 0)
2658 return r;
2659 if (r == 0)
2660 continue;
2661
2662 /* If so, the DNSKEY is validated too. */
2663 r = dns_answer_add_extend(&t->validated_keys, item->rr, item->ifindex, item->flags|DNS_ANSWER_AUTHENTICATED, item->rrsig);
2664 if (r < 0)
2665 return r;
2666 }
2667
2668 return 0;
2669 }
2670
2671 static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
2672 int r;
2673
2674 assert(t);
2675 assert(rr);
2676
2677 /* Checks if the RR we are looking for must be signed with an
2678 * RRSIG. This is used for positive responses. */
2679
2680 if (t->scope->dnssec_mode == DNSSEC_NO)
2681 return false;
2682
2683 if (dns_type_is_pseudo(rr->key->type))
2684 return -EINVAL;
2685
2686 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2687 if (r < 0)
2688 return r;
2689 if (r > 0)
2690 return false;
2691
2692 switch (rr->key->type) {
2693
2694 case DNS_TYPE_RRSIG:
2695 /* RRSIGs are the signatures themselves, they need no signing. */
2696 return false;
2697
2698 case DNS_TYPE_SOA:
2699 case DNS_TYPE_NS: {
2700 DnsTransaction *dt;
2701
2702 /* For SOA or NS RRs we look for a matching DS transaction */
2703
2704 SET_FOREACH(dt, t->dnssec_transactions) {
2705
2706 if (dns_transaction_key(dt)->class != rr->key->class)
2707 continue;
2708 if (dns_transaction_key(dt)->type != DNS_TYPE_DS)
2709 continue;
2710
2711 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
2712 if (r < 0)
2713 return r;
2714 if (r == 0)
2715 continue;
2716
2717 /* We found a DS transactions for the SOA/NS
2718 * RRs we are looking at. If it discovered signed DS
2719 * RRs, then we need to be signed, too. */
2720
2721 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
2722 return false;
2723
2724 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
2725 }
2726
2727 /* We found nothing that proves this is safe to leave
2728 * this unauthenticated, hence ask inist on
2729 * authentication. */
2730 return true;
2731 }
2732
2733 case DNS_TYPE_DS:
2734 case DNS_TYPE_CNAME:
2735 case DNS_TYPE_DNAME: {
2736 const char *parent = NULL;
2737 DnsTransaction *dt;
2738
2739 /*
2740 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2741 *
2742 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2743 */
2744
2745 SET_FOREACH(dt, t->dnssec_transactions) {
2746
2747 if (dns_transaction_key(dt)->class != rr->key->class)
2748 continue;
2749 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
2750 continue;
2751
2752 if (!parent) {
2753 parent = dns_resource_key_name(rr->key);
2754 r = dns_name_parent(&parent);
2755 if (r < 0)
2756 return r;
2757 if (r == 0) {
2758 if (rr->key->type == DNS_TYPE_DS)
2759 return true;
2760
2761 /* A CNAME/DNAME without a parent? That's sooo weird. */
2762 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2763 "Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
2764 }
2765 }
2766
2767 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), parent);
2768 if (r < 0)
2769 return r;
2770 if (r == 0)
2771 continue;
2772
2773 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2774 }
2775
2776 return true;
2777 }
2778
2779 default: {
2780 DnsTransaction *dt;
2781
2782 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
2783
2784 SET_FOREACH(dt, t->dnssec_transactions) {
2785
2786 if (dns_transaction_key(dt)->class != rr->key->class)
2787 continue;
2788 if (dns_transaction_key(dt)->type != DNS_TYPE_SOA)
2789 continue;
2790
2791 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), dns_resource_key_name(rr->key));
2792 if (r < 0)
2793 return r;
2794 if (r == 0)
2795 continue;
2796
2797 /* We found the transaction that was supposed to find the SOA RR for us. It was
2798 * successful, but found no RR for us. This means we are not at a zone cut. In this
2799 * case, we require authentication if the SOA lookup was authenticated too. */
2800 return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2801 }
2802
2803 return true;
2804 }}
2805 }
2806
2807 static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2808 DnsTransaction *dt;
2809 const char *tld;
2810 int r;
2811
2812 /* If DNSSEC downgrade mode is on, checks whether the
2813 * specified RR is one level below a TLD we have proven not to
2814 * exist. In such a case we assume that this is a private
2815 * domain, and permit it.
2816 *
2817 * This detects cases like the Fritz!Box router networks. Each
2818 * Fritz!Box router serves a private "fritz.box" zone, in the
2819 * non-existing TLD "box". Requests for the "fritz.box" domain
2820 * are served by the router itself, while requests for the
2821 * "box" domain will result in NXDOMAIN.
2822 *
2823 * Note that this logic is unable to detect cases where a
2824 * router serves a private DNS zone directly under
2825 * non-existing TLD. In such a case we cannot detect whether
2826 * the TLD is supposed to exist or not, as all requests we
2827 * make for it will be answered by the router's zone, and not
2828 * by the root zone. */
2829
2830 assert(t);
2831
2832 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2833 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2834
2835 tld = dns_resource_key_name(key);
2836 r = dns_name_parent(&tld);
2837 if (r < 0)
2838 return r;
2839 if (r == 0)
2840 return false; /* Already the root domain */
2841
2842 if (!dns_name_is_single_label(tld))
2843 return false;
2844
2845 SET_FOREACH(dt, t->dnssec_transactions) {
2846
2847 if (dns_transaction_key(dt)->class != key->class)
2848 continue;
2849
2850 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), tld);
2851 if (r < 0)
2852 return r;
2853 if (r == 0)
2854 continue;
2855
2856 /* We found an auxiliary lookup we did for the TLD. If
2857 * that returned with NXDOMAIN, we know the TLD didn't
2858 * exist, and hence this might be a private zone. */
2859
2860 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2861 }
2862
2863 return false;
2864 }
2865
2866 static int dns_transaction_requires_nsec(DnsTransaction *t) {
2867 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
2868 DnsTransaction *dt;
2869 const char *name;
2870 uint16_t type = 0;
2871 int r;
2872
2873 assert(t);
2874
2875 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2876 * this negative reply */
2877
2878 if (t->scope->dnssec_mode == DNSSEC_NO)
2879 return false;
2880
2881 if (dns_type_is_pseudo(dns_transaction_key(t)->type))
2882 return -EINVAL;
2883
2884 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(dns_transaction_key(t)));
2885 if (r < 0)
2886 return r;
2887 if (r > 0)
2888 return false;
2889
2890 r = dns_transaction_in_private_tld(t, dns_transaction_key(t));
2891 if (r < 0)
2892 return r;
2893 if (r > 0) {
2894 /* The lookup is from a TLD that is proven not to
2895 * exist, and we are in downgrade mode, hence ignore
2896 * that fact that we didn't get any NSEC RRs. */
2897
2898 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
2899 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
2900 return false;
2901 }
2902
2903 name = dns_resource_key_name(dns_transaction_key(t));
2904
2905 if (dns_transaction_key(t)->type == DNS_TYPE_DS) {
2906
2907 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
2908 * hence check the parent SOA in this case. */
2909
2910 r = dns_name_parent(&name);
2911 if (r < 0)
2912 return r;
2913 if (r == 0)
2914 return true;
2915
2916 type = DNS_TYPE_SOA;
2917
2918 } else if (IN_SET(dns_transaction_key(t)->type, DNS_TYPE_SOA, DNS_TYPE_NS))
2919 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
2920 type = DNS_TYPE_DS;
2921 else
2922 /* For all other negative replies, check for the SOA lookup */
2923 type = DNS_TYPE_SOA;
2924
2925 /* For all other RRs we check the SOA on the same level to see
2926 * if it's signed. */
2927
2928 SET_FOREACH(dt, t->dnssec_transactions) {
2929
2930 if (dns_transaction_key(dt)->class != dns_transaction_key(t)->class)
2931 continue;
2932 if (dns_transaction_key(dt)->type != type)
2933 continue;
2934
2935 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), name);
2936 if (r < 0)
2937 return r;
2938 if (r == 0)
2939 continue;
2940
2941 return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
2942 }
2943
2944 /* If in doubt, require NSEC/NSEC3 */
2945 return true;
2946 }
2947
2948 static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2949 DnsResourceRecord *rrsig;
2950 bool found = false;
2951 int r;
2952
2953 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2954 * the specified RRset is authenticated (i.e. has a matching
2955 * DS RR). */
2956
2957 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2958 if (r < 0)
2959 return r;
2960 if (r > 0)
2961 return false;
2962
2963 DNS_ANSWER_FOREACH(rrsig, t->answer) {
2964 DnsTransaction *dt;
2965
2966 r = dnssec_key_match_rrsig(rr->key, rrsig);
2967 if (r < 0)
2968 return r;
2969 if (r == 0)
2970 continue;
2971
2972 SET_FOREACH(dt, t->dnssec_transactions) {
2973
2974 if (dns_transaction_key(dt)->class != rr->key->class)
2975 continue;
2976
2977 if (dns_transaction_key(dt)->type == DNS_TYPE_DNSKEY) {
2978
2979 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
2980 if (r < 0)
2981 return r;
2982 if (r == 0)
2983 continue;
2984
2985 /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
2986 * report this. */
2987
2988 if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
2989 return true;
2990
2991 found = true;
2992
2993 } else if (dns_transaction_key(dt)->type == DNS_TYPE_DS) {
2994
2995 r = dns_name_equal(dns_resource_key_name(dns_transaction_key(dt)), rrsig->rrsig.signer);
2996 if (r < 0)
2997 return r;
2998 if (r == 0)
2999 continue;
3000
3001 /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
3002 * non-zero, we won! */
3003
3004 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3005 return false;
3006
3007 return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
3008 }
3009 }
3010 }
3011
3012 return found ? false : -ENXIO;
3013 }
3014
3015 static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
3016 assert(t);
3017 assert(rr);
3018
3019 /* We know that the root domain is signed, hence if it appears
3020 * not to be signed, there's a problem with the DNS server */
3021
3022 return rr->key->class == DNS_CLASS_IN &&
3023 dns_name_is_root(dns_resource_key_name(rr->key));
3024 }
3025
3026 static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
3027 DnsResourceRecord *rr;
3028 int r;
3029
3030 assert(t);
3031
3032 /* Maybe warn the user that we encountered a revoked DNSKEY
3033 * for a key from our trust anchor. Note that we don't care
3034 * whether the DNSKEY can be authenticated or not. It's
3035 * sufficient if it is self-signed. */
3036
3037 DNS_ANSWER_FOREACH(rr, t->answer) {
3038 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
3039 if (r < 0)
3040 return r;
3041 }
3042
3043 return 0;
3044 }
3045
3046 static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
3047 bool changed;
3048 int r;
3049
3050 assert(t);
3051
3052 /* Removes all DNSKEY/DS objects from t->validated_keys that
3053 * our trust anchors database considers revoked. */
3054
3055 do {
3056 DnsResourceRecord *rr;
3057
3058 changed = false;
3059
3060 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
3061 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
3062 if (r < 0)
3063 return r;
3064 if (r > 0) {
3065 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
3066 if (r < 0)
3067 return r;
3068
3069 assert(r > 0);
3070 changed = true;
3071 break;
3072 }
3073 }
3074 } while (changed);
3075
3076 return 0;
3077 }
3078
3079 static int dns_transaction_copy_validated(DnsTransaction *t) {
3080 DnsTransaction *dt;
3081 int r;
3082
3083 assert(t);
3084
3085 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
3086
3087 SET_FOREACH(dt, t->dnssec_transactions) {
3088
3089 if (DNS_TRANSACTION_IS_LIVE(dt->state))
3090 continue;
3091
3092 if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
3093 continue;
3094
3095 r = dns_answer_extend(&t->validated_keys, dt->answer);
3096 if (r < 0)
3097 return r;
3098 }
3099
3100 return 0;
3101 }
3102
3103 typedef enum {
3104 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
3105 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
3106 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
3107 } Phase;
3108
3109 static int dnssec_validate_records(
3110 DnsTransaction *t,
3111 Phase phase,
3112 bool *have_nsec,
3113 DnsAnswer **validated) {
3114
3115 DnsResourceRecord *rr;
3116 int r;
3117
3118 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
3119
3120 DNS_ANSWER_FOREACH(rr, t->answer) {
3121 _unused_ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr_ref = dns_resource_record_ref(rr);
3122 DnsResourceRecord *rrsig = NULL;
3123 DnssecResult result;
3124
3125 switch (rr->key->type) {
3126 case DNS_TYPE_RRSIG:
3127 continue;
3128
3129 case DNS_TYPE_DNSKEY:
3130 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
3131 if (phase == DNSSEC_PHASE_NSEC)
3132 continue;
3133 break;
3134
3135 case DNS_TYPE_NSEC:
3136 case DNS_TYPE_NSEC3:
3137 *have_nsec = true;
3138
3139 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
3140 if (phase == DNSSEC_PHASE_DNSKEY)
3141 continue;
3142 break;
3143
3144 default:
3145 /* We validate all other RRs only in the ALL phases */
3146 if (phase != DNSSEC_PHASE_ALL)
3147 continue;
3148 }
3149
3150 r = dnssec_verify_rrset_search(
3151 t->answer,
3152 rr->key,
3153 t->validated_keys,
3154 USEC_INFINITY,
3155 &result,
3156 &rrsig);
3157 if (r < 0)
3158 return r;
3159
3160 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
3161
3162 if (result == DNSSEC_VALIDATED) {
3163 assert(rrsig);
3164
3165 if (rr->key->type == DNS_TYPE_DNSKEY) {
3166 /* If we just validated a DNSKEY RRset, then let's add these keys to
3167 * the set of validated keys for this transaction. */
3168
3169 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED, rrsig);
3170 if (r < 0)
3171 return r;
3172
3173 /* Some of the DNSKEYs we just added might already have been revoked,
3174 * remove them again in that case. */
3175 r = dns_transaction_invalidate_revoked_keys(t);
3176 if (r < 0)
3177 return r;
3178 }
3179
3180 /* Add the validated RRset to the new list of validated RRsets, and remove it from
3181 * the unvalidated RRsets. We mark the RRset as authenticated and cacheable. */
3182 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE, rrsig);
3183 if (r < 0)
3184 return r;
3185
3186 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
3187
3188 /* Exit the loop, we dropped something from the answer, start from the beginning */
3189 return 1;
3190 }
3191
3192 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
3193 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
3194 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
3195 if (phase != DNSSEC_PHASE_ALL)
3196 continue;
3197
3198 if (result == DNSSEC_VALIDATED_WILDCARD) {
3199 bool authenticated = false;
3200 const char *source;
3201
3202 assert(rrsig);
3203
3204 /* This RRset validated, but as a wildcard. This means we need
3205 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
3206
3207 /* First step, determine the source of synthesis */
3208 r = dns_resource_record_source(rrsig, &source);
3209 if (r < 0)
3210 return r;
3211
3212 r = dnssec_test_positive_wildcard(*validated,
3213 dns_resource_key_name(rr->key),
3214 source,
3215 rrsig->rrsig.signer,
3216 &authenticated);
3217
3218 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
3219 if (r == 0)
3220 result = DNSSEC_INVALID;
3221 else {
3222 r = dns_answer_move_by_key(
3223 validated,
3224 &t->answer,
3225 rr->key,
3226 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0,
3227 rrsig);
3228 if (r < 0)
3229 return r;
3230
3231 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
3232
3233 /* Exit the loop, we dropped something from the answer, start from the beginning */
3234 return 1;
3235 }
3236 }
3237
3238 if (result == DNSSEC_NO_SIGNATURE) {
3239 r = dns_transaction_requires_rrsig(t, rr);
3240 if (r < 0)
3241 return r;
3242 if (r == 0) {
3243 /* Data does not require signing. In that case, just copy it over,
3244 * but remember that this is by no means authenticated. */
3245 r = dns_answer_move_by_key(
3246 validated,
3247 &t->answer,
3248 rr->key,
3249 0,
3250 NULL);
3251 if (r < 0)
3252 return r;
3253
3254 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3255 return 1;
3256 }
3257
3258 r = dns_transaction_known_signed(t, rr);
3259 if (r < 0)
3260 return r;
3261 if (r > 0) {
3262 /* This is an RR we know has to be signed. If it isn't this means
3263 * the server is not attaching RRSIGs, hence complain. */
3264
3265 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
3266
3267 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
3268
3269 /* Downgrading is OK? If so, just consider the information unsigned */
3270
3271 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3272 if (r < 0)
3273 return r;
3274
3275 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3276 return 1;
3277 }
3278
3279 /* Otherwise, fail */
3280 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3281 return 0;
3282 }
3283
3284 r = dns_transaction_in_private_tld(t, rr->key);
3285 if (r < 0)
3286 return r;
3287 if (r > 0) {
3288 char s[DNS_RESOURCE_KEY_STRING_MAX];
3289
3290 /* The data is from a TLD that is proven not to exist, and we are in downgrade
3291 * mode, hence ignore the fact that this was not signed. */
3292
3293 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
3294 dns_resource_key_to_string(rr->key, s, sizeof s));
3295
3296 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3297 if (r < 0)
3298 return r;
3299
3300 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3301 return 1;
3302 }
3303 }
3304
3305 /* https://datatracker.ietf.org/doc/html/rfc6840#section-5.2 */
3306 if (result == DNSSEC_UNSUPPORTED_ALGORITHM) {
3307 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3308 if (r < 0)
3309 return r;
3310
3311 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3312 return 1;
3313 }
3314
3315 if (IN_SET(result,
3316 DNSSEC_MISSING_KEY,
3317 DNSSEC_SIGNATURE_EXPIRED)) {
3318
3319 r = dns_transaction_dnskey_authenticated(t, rr);
3320 if (r < 0 && r != -ENXIO)
3321 return r;
3322 if (r == 0) {
3323 /* The DNSKEY transaction was not authenticated, this means there's
3324 * no DS for this, which means it's OK if no keys are found for this signature. */
3325
3326 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0, NULL);
3327 if (r < 0)
3328 return r;
3329
3330 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
3331 return 1;
3332 }
3333 }
3334
3335 r = dns_transaction_is_primary_response(t, rr);
3336 if (r < 0)
3337 return r;
3338 if (r > 0) {
3339 /* Look for a matching DNAME for this CNAME */
3340 r = dns_answer_has_dname_for_cname(t->answer, rr);
3341 if (r < 0)
3342 return r;
3343 if (r == 0) {
3344 /* Also look among the stuff we already validated */
3345 r = dns_answer_has_dname_for_cname(*validated, rr);
3346 if (r < 0)
3347 return r;
3348 }
3349
3350 if (r == 0) {
3351 if (IN_SET(result,
3352 DNSSEC_INVALID,
3353 DNSSEC_SIGNATURE_EXPIRED,
3354 DNSSEC_NO_SIGNATURE))
3355 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
3356 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
3357 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
3358
3359 /* This is a primary response to our question, and it failed validation.
3360 * That's fatal. */
3361 t->answer_dnssec_result = result;
3362 return 0;
3363 }
3364
3365 /* This is a primary response, but we do have a DNAME RR
3366 * in the RR that can replay this CNAME, hence rely on
3367 * that, and we can remove the CNAME in favour of it. */
3368 }
3369
3370 /* This is just some auxiliary data. Just remove the RRset and continue. */
3371 r = dns_answer_remove_by_key(&t->answer, rr->key);
3372 if (r < 0)
3373 return r;
3374
3375 /* We dropped something from the answer, start from the beginning. */
3376 return 1;
3377 }
3378
3379 return 2; /* Finito. */
3380 }
3381
3382 int dns_transaction_validate_dnssec(DnsTransaction *t) {
3383 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
3384 Phase phase;
3385 DnsAnswerFlags flags;
3386 int r;
3387 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
3388
3389 assert(t);
3390
3391 /* We have now collected all DS and DNSKEY RRs in t->validated_keys, let's see which RRs we can now
3392 * authenticate with that. */
3393
3394 if (FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) || t->scope->dnssec_mode == DNSSEC_NO)
3395 return 0;
3396
3397 /* Already validated */
3398 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3399 return 0;
3400
3401 /* Our own stuff needs no validation */
3402 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3403 t->answer_dnssec_result = DNSSEC_VALIDATED;
3404 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
3405 return 0;
3406 }
3407
3408 /* Cached stuff is not affected by validation. */
3409 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3410 return 0;
3411
3412 if (!dns_transaction_dnssec_supported_full(t)) {
3413 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3414 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3415 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
3416 return 0;
3417 }
3418
3419 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3420 t->id,
3421 dns_resource_key_to_string(dns_transaction_key(t), key_str, sizeof key_str));
3422
3423 /* First, see if this response contains any revoked trust
3424 * anchors we care about */
3425 r = dns_transaction_check_revoked_trust_anchors(t);
3426 if (r < 0)
3427 return r;
3428
3429 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3430 r = dns_transaction_copy_validated(t);
3431 if (r < 0)
3432 return r;
3433
3434 /* Second, see if there are DNSKEYs we already know a
3435 * validated DS for. */
3436 r = dns_transaction_validate_dnskey_by_ds(t);
3437 if (r < 0)
3438 return r;
3439
3440 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3441 * anchor says are revoked. After all we might have marked
3442 * some keys revoked above, but they might still be lingering
3443 * in our validated_keys list. */
3444 r = dns_transaction_invalidate_revoked_keys(t);
3445 if (r < 0)
3446 return r;
3447
3448 phase = DNSSEC_PHASE_DNSKEY;
3449 for (;;) {
3450 bool have_nsec = false;
3451
3452 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3453 if (r <= 0)
3454 return r;
3455
3456 /* Try again as long as we managed to achieve something */
3457 if (r == 1)
3458 continue;
3459
3460 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
3461 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
3462 phase = DNSSEC_PHASE_NSEC;
3463 continue;
3464 }
3465
3466 if (phase != DNSSEC_PHASE_ALL) {
3467 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3468 * Note that in this third phase we start to remove RRs we couldn't validate. */
3469 phase = DNSSEC_PHASE_ALL;
3470 continue;
3471 }
3472
3473 /* We're done */
3474 break;
3475 }
3476
3477 DNS_ANSWER_REPLACE(t->answer, TAKE_PTR(validated));
3478
3479 /* At this point the answer only contains validated
3480 * RRsets. Now, let's see if it actually answers the question
3481 * we asked. If so, great! If it doesn't, then see if
3482 * NSEC/NSEC3 can prove this. */
3483 r = dns_transaction_has_positive_answer(t, &flags);
3484 if (r > 0) {
3485 /* Yes, it answers the question! */
3486
3487 if (flags & DNS_ANSWER_AUTHENTICATED) {
3488 /* The answer is fully authenticated, yay. */
3489 t->answer_dnssec_result = DNSSEC_VALIDATED;
3490 t->answer_rcode = DNS_RCODE_SUCCESS;
3491 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
3492 } else {
3493 /* The answer is not fully authenticated. */
3494 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3495 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3496 }
3497
3498 } else if (r == 0) {
3499 DnssecNsecResult nr;
3500 bool authenticated = false;
3501
3502 /* Bummer! Let's check NSEC/NSEC3 */
3503 r = dnssec_nsec_test(t->answer, dns_transaction_key(t), &nr, &authenticated, &t->answer_nsec_ttl);
3504 if (r < 0)
3505 return r;
3506
3507 switch (nr) {
3508
3509 case DNSSEC_NSEC_NXDOMAIN:
3510 /* NSEC proves the domain doesn't exist. Very good. */
3511 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3512 t->answer_dnssec_result = DNSSEC_VALIDATED;
3513 t->answer_rcode = DNS_RCODE_NXDOMAIN;
3514 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
3515
3516 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
3517 break;
3518
3519 case DNSSEC_NSEC_NODATA:
3520 /* NSEC proves that there's no data here, very good. */
3521 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3522 t->answer_dnssec_result = DNSSEC_VALIDATED;
3523 t->answer_rcode = DNS_RCODE_SUCCESS;
3524 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
3525
3526 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
3527 break;
3528
3529 case DNSSEC_NSEC_OPTOUT:
3530 /* NSEC3 says the data might not be signed */
3531 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3532 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3533 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3534
3535 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
3536 break;
3537
3538 case DNSSEC_NSEC_NO_RR:
3539 /* No NSEC data? Bummer! */
3540
3541 r = dns_transaction_requires_nsec(t);
3542 if (r < 0)
3543 return r;
3544 if (r > 0) {
3545 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
3546 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
3547 } else {
3548 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3549 SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
3550 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
3551 }
3552
3553 break;
3554
3555 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3556 /* We don't know the NSEC3 algorithm used? */
3557 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
3558 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, dns_transaction_key(t));
3559 break;
3560
3561 case DNSSEC_NSEC_FOUND:
3562 case DNSSEC_NSEC_CNAME:
3563 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
3564 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
3565 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
3566 break;
3567
3568 default:
3569 assert_not_reached();
3570 }
3571 }
3572
3573 return 1;
3574 }
3575
3576 static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
3577 [DNS_TRANSACTION_NULL] = "null",
3578 [DNS_TRANSACTION_PENDING] = "pending",
3579 [DNS_TRANSACTION_VALIDATING] = "validating",
3580 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3581 [DNS_TRANSACTION_SUCCESS] = "success",
3582 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3583 [DNS_TRANSACTION_TIMEOUT] = "timeout",
3584 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
3585 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3586 [DNS_TRANSACTION_ERRNO] = "errno",
3587 [DNS_TRANSACTION_ABORTED] = "aborted",
3588 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3589 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3590 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3591 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3592 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3593 [DNS_TRANSACTION_NO_SOURCE] = "no-source",
3594 [DNS_TRANSACTION_STUB_LOOP] = "stub-loop",
3595 };
3596 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
3597
3598 static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
3599 [DNS_TRANSACTION_NETWORK] = "network",
3600 [DNS_TRANSACTION_CACHE] = "cache",
3601 [DNS_TRANSACTION_ZONE] = "zone",
3602 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
3603 };
3604 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.