]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #8656 from yuwata/random-fixes
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2 /***
3 This file is part of systemd.
4
5 Copyright 2014 Lennart Poettering
6
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
11
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
19 ***/
20
21 #include "sd-messages.h"
22
23 #include "af-list.h"
24 #include "alloc-util.h"
25 #include "dns-domain.h"
26 #include "errno-list.h"
27 #include "fd-util.h"
28 #include "random-util.h"
29 #include "resolved-dns-cache.h"
30 #include "resolved-dns-transaction.h"
31 #include "resolved-llmnr.h"
32 #include "string-table.h"
33
34 #define TRANSACTIONS_MAX 4096
35 #define TRANSACTION_TCP_TIMEOUT_USEC (10U*USEC_PER_SEC)
36
37 static void dns_transaction_reset_answer(DnsTransaction *t) {
38 assert(t);
39
40 t->received = dns_packet_unref(t->received);
41 t->answer = dns_answer_unref(t->answer);
42 t->answer_rcode = 0;
43 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
44 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
45 t->answer_authenticated = false;
46 t->answer_nsec_ttl = (uint32_t) -1;
47 t->answer_errno = 0;
48 }
49
50 static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
51 DnsTransaction *z;
52
53 assert(t);
54
55 while ((z = set_steal_first(t->dnssec_transactions))) {
56 set_remove(z->notify_transactions, t);
57 set_remove(z->notify_transactions_done, t);
58 dns_transaction_gc(z);
59 }
60 }
61
62 static void dns_transaction_close_connection(DnsTransaction *t) {
63 assert(t);
64
65 if (t->stream) {
66 /* Let's detach the stream from our transaction, in case something else keeps a reference to it. */
67 t->stream->complete = NULL;
68 t->stream->on_packet = NULL;
69 t->stream->transaction = NULL;
70 t->stream = dns_stream_unref(t->stream);
71 }
72
73 t->dns_udp_event_source = sd_event_source_unref(t->dns_udp_event_source);
74 t->dns_udp_fd = safe_close(t->dns_udp_fd);
75 }
76
77 static void dns_transaction_stop_timeout(DnsTransaction *t) {
78 assert(t);
79
80 t->timeout_event_source = sd_event_source_unref(t->timeout_event_source);
81 }
82
83 DnsTransaction* dns_transaction_free(DnsTransaction *t) {
84 DnsQueryCandidate *c;
85 DnsZoneItem *i;
86 DnsTransaction *z;
87
88 if (!t)
89 return NULL;
90
91 log_debug("Freeing transaction %" PRIu16 ".", t->id);
92
93 dns_transaction_close_connection(t);
94 dns_transaction_stop_timeout(t);
95
96 dns_packet_unref(t->sent);
97 dns_transaction_reset_answer(t);
98
99 dns_server_unref(t->server);
100
101 if (t->scope) {
102 hashmap_remove_value(t->scope->transactions_by_key, t->key, t);
103 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
104
105 if (t->id != 0)
106 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
107 }
108
109 while ((c = set_steal_first(t->notify_query_candidates)))
110 set_remove(c->transactions, t);
111 set_free(t->notify_query_candidates);
112
113 while ((c = set_steal_first(t->notify_query_candidates_done)))
114 set_remove(c->transactions, t);
115 set_free(t->notify_query_candidates_done);
116
117 while ((i = set_steal_first(t->notify_zone_items)))
118 i->probe_transaction = NULL;
119 set_free(t->notify_zone_items);
120
121 while ((i = set_steal_first(t->notify_zone_items_done)))
122 i->probe_transaction = NULL;
123 set_free(t->notify_zone_items_done);
124
125 while ((z = set_steal_first(t->notify_transactions)))
126 set_remove(z->dnssec_transactions, t);
127 set_free(t->notify_transactions);
128
129 while ((z = set_steal_first(t->notify_transactions_done)))
130 set_remove(z->dnssec_transactions, t);
131 set_free(t->notify_transactions_done);
132
133 dns_transaction_flush_dnssec_transactions(t);
134 set_free(t->dnssec_transactions);
135
136 dns_answer_unref(t->validated_keys);
137 dns_resource_key_unref(t->key);
138
139 return mfree(t);
140 }
141
142 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
143
144 bool dns_transaction_gc(DnsTransaction *t) {
145 assert(t);
146
147 if (t->block_gc > 0)
148 return true;
149
150 if (set_isempty(t->notify_query_candidates) &&
151 set_isempty(t->notify_query_candidates_done) &&
152 set_isempty(t->notify_zone_items) &&
153 set_isempty(t->notify_zone_items_done) &&
154 set_isempty(t->notify_transactions) &&
155 set_isempty(t->notify_transactions_done)) {
156 dns_transaction_free(t);
157 return false;
158 }
159
160 return true;
161 }
162
163 static uint16_t pick_new_id(Manager *m) {
164 uint16_t new_id;
165
166 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the number of
167 * transactions, and it's much lower than the space of IDs. */
168
169 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
170
171 do
172 random_bytes(&new_id, sizeof(new_id));
173 while (new_id == 0 ||
174 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
175
176 return new_id;
177 }
178
179 int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key) {
180 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
181 int r;
182
183 assert(ret);
184 assert(s);
185 assert(key);
186
187 /* Don't allow looking up invalid or pseudo RRs */
188 if (!dns_type_is_valid_query(key->type))
189 return -EINVAL;
190 if (dns_type_is_obsolete(key->type))
191 return -EOPNOTSUPP;
192
193 /* We only support the IN class */
194 if (!IN_SET(key->class, DNS_CLASS_IN, DNS_CLASS_ANY))
195 return -EOPNOTSUPP;
196
197 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
198 return -EBUSY;
199
200 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
201 if (r < 0)
202 return r;
203
204 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
205 if (r < 0)
206 return r;
207
208 t = new0(DnsTransaction, 1);
209 if (!t)
210 return -ENOMEM;
211
212 t->dns_udp_fd = -1;
213 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
214 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
215 t->answer_nsec_ttl = (uint32_t) -1;
216 t->key = dns_resource_key_ref(key);
217 t->current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
218 t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
219
220 t->id = pick_new_id(s->manager);
221
222 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
223 if (r < 0) {
224 t->id = 0;
225 return r;
226 }
227
228 r = hashmap_replace(s->transactions_by_key, t->key, t);
229 if (r < 0) {
230 hashmap_remove(s->manager->dns_transactions, UINT_TO_PTR(t->id));
231 return r;
232 }
233
234 LIST_PREPEND(transactions_by_scope, s->transactions, t);
235 t->scope = s;
236
237 s->manager->n_transactions_total++;
238
239 if (ret)
240 *ret = t;
241
242 t = NULL;
243
244 return 0;
245 }
246
247 static void dns_transaction_shuffle_id(DnsTransaction *t) {
248 uint16_t new_id;
249 assert(t);
250
251 /* Pick a new ID for this transaction. */
252
253 new_id = pick_new_id(t->scope->manager);
254 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
255
256 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
257 t->id = new_id;
258
259 /* Make sure we generate a new packet with the new ID */
260 t->sent = dns_packet_unref(t->sent);
261 }
262
263 static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
264 _cleanup_free_ char *pretty = NULL;
265 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
266 DnsZoneItem *z;
267
268 assert(t);
269 assert(p);
270
271 if (manager_our_packet(t->scope->manager, p) != 0)
272 return;
273
274 (void) in_addr_to_string(p->family, &p->sender, &pretty);
275
276 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
277 t->id,
278 dns_resource_key_to_string(t->key, key_str, sizeof key_str),
279 dns_protocol_to_string(t->scope->protocol),
280 t->scope->link ? t->scope->link->name : "*",
281 af_to_name_short(t->scope->family),
282 strnull(pretty));
283
284 /* RFC 4795, Section 4.1 says that the peer with the
285 * lexicographically smaller IP address loses */
286 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
287 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
288 return;
289 }
290
291 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
292
293 t->block_gc++;
294
295 while ((z = set_first(t->notify_zone_items))) {
296 /* First, make sure the zone item drops the reference
297 * to us */
298 dns_zone_item_probe_stop(z);
299
300 /* Secondly, report this as conflict, so that we might
301 * look for a different hostname */
302 dns_zone_item_conflict(z);
303 }
304 t->block_gc--;
305
306 dns_transaction_gc(t);
307 }
308
309 void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
310 DnsQueryCandidate *c;
311 DnsZoneItem *z;
312 DnsTransaction *d;
313 const char *st;
314 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
315
316 assert(t);
317 assert(!DNS_TRANSACTION_IS_LIVE(state));
318
319 if (state == DNS_TRANSACTION_DNSSEC_FAILED) {
320 dns_resource_key_to_string(t->key, key_str, sizeof key_str);
321
322 log_struct(LOG_NOTICE,
323 "MESSAGE_ID=" SD_MESSAGE_DNSSEC_FAILURE_STR,
324 LOG_MESSAGE("DNSSEC validation failed for question %s: %s", key_str, dnssec_result_to_string(t->answer_dnssec_result)),
325 "DNS_TRANSACTION=%" PRIu16, t->id,
326 "DNS_QUESTION=%s", key_str,
327 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
328 "DNS_SERVER=%s", dns_server_string(t->server),
329 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level),
330 NULL);
331 }
332
333 /* Note that this call might invalidate the query. Callers
334 * should hence not attempt to access the query or transaction
335 * after calling this function. */
336
337 if (state == DNS_TRANSACTION_ERRNO)
338 st = errno_to_name(t->answer_errno);
339 else
340 st = dns_transaction_state_to_string(state);
341
342 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s).",
343 t->id,
344 dns_resource_key_to_string(t->key, key_str, sizeof key_str),
345 dns_protocol_to_string(t->scope->protocol),
346 t->scope->link ? t->scope->link->name : "*",
347 af_to_name_short(t->scope->family),
348 st,
349 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
350 t->answer_authenticated ? "authenticated" : "unsigned");
351
352 t->state = state;
353
354 dns_transaction_close_connection(t);
355 dns_transaction_stop_timeout(t);
356
357 /* Notify all queries that are interested, but make sure the
358 * transaction isn't freed while we are still looking at it */
359 t->block_gc++;
360
361 SET_FOREACH_MOVE(c, t->notify_query_candidates_done, t->notify_query_candidates)
362 dns_query_candidate_notify(c);
363 SWAP_TWO(t->notify_query_candidates, t->notify_query_candidates_done);
364
365 SET_FOREACH_MOVE(z, t->notify_zone_items_done, t->notify_zone_items)
366 dns_zone_item_notify(z);
367 SWAP_TWO(t->notify_zone_items, t->notify_zone_items_done);
368 if (t->probing && t->state == DNS_TRANSACTION_ATTEMPTS_MAX_REACHED)
369 (void) dns_scope_announce(t->scope, false);
370
371 SET_FOREACH_MOVE(d, t->notify_transactions_done, t->notify_transactions)
372 dns_transaction_notify(d, t);
373 SWAP_TWO(t->notify_transactions, t->notify_transactions_done);
374
375 t->block_gc--;
376 dns_transaction_gc(t);
377 }
378
379 static int dns_transaction_pick_server(DnsTransaction *t) {
380 DnsServer *server;
381
382 assert(t);
383 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
384
385 /* Pick a DNS server and a feature level for it. */
386
387 server = dns_scope_get_dns_server(t->scope);
388 if (!server)
389 return -ESRCH;
390
391 /* If we changed the server invalidate the feature level clamping, as the new server might have completely
392 * different properties. */
393 if (server != t->server)
394 t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
395
396 t->current_feature_level = dns_server_possible_feature_level(server);
397
398 /* Clamp the feature level if that is requested. */
399 if (t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
400 t->current_feature_level > t->clamp_feature_level)
401 t->current_feature_level = t->clamp_feature_level;
402
403 log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
404
405 if (server == t->server)
406 return 0;
407
408 dns_server_unref(t->server);
409 t->server = dns_server_ref(server);
410
411 t->n_picked_servers ++;
412
413 log_debug("Using DNS server %s for transaction %u.", dns_server_string(t->server), t->id);
414
415 return 1;
416 }
417
418 static void dns_transaction_retry(DnsTransaction *t, bool next_server) {
419 int r;
420
421 assert(t);
422
423 log_debug("Retrying transaction %" PRIu16 ".", t->id);
424
425 /* Before we try again, switch to a new server. */
426 if (next_server)
427 dns_scope_next_dns_server(t->scope);
428
429 r = dns_transaction_go(t);
430 if (r < 0) {
431 t->answer_errno = -r;
432 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
433 }
434 }
435
436 static int dns_transaction_maybe_restart(DnsTransaction *t) {
437 int r;
438
439 assert(t);
440
441 /* Returns > 0 if the transaction was restarted, 0 if not */
442
443 if (!t->server)
444 return 0;
445
446 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
447 return 0;
448
449 /* The server's current feature level is lower than when we sent the original query. We learnt something from
450 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
451 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
452 OPT RR or DO bit. One of these cases is documented here, for example:
453 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
454
455 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
456 dns_transaction_shuffle_id(t);
457
458 r = dns_transaction_go(t);
459 if (r < 0)
460 return r;
461
462 return 1;
463 }
464
465 static int on_stream_complete(DnsStream *s, int error) {
466 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
467 DnsTransaction *t;
468
469 assert(s);
470 assert(s->transaction);
471
472 /* Copy the data we care about out of the stream before we
473 * destroy it. */
474 t = s->transaction;
475 p = dns_packet_ref(s->read_packet);
476
477 dns_transaction_close_connection(t);
478
479 if (ERRNO_IS_DISCONNECT(error)) {
480 usec_t usec;
481
482 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
483 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
484 * question on this scope. */
485 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
486 return 0;
487 }
488
489 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
490 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
491 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level, usec - t->start_usec);
492
493 dns_transaction_retry(t, true);
494 return 0;
495 }
496 if (error != 0) {
497 t->answer_errno = error;
498 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
499 return 0;
500 }
501
502 if (dns_packet_validate_reply(p) <= 0) {
503 log_debug("Invalid TCP reply packet.");
504 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
505 return 0;
506 }
507
508 dns_scope_check_conflicts(t->scope, p);
509
510 t->block_gc++;
511 dns_transaction_process_reply(t, p);
512 t->block_gc--;
513
514 /* If the response wasn't useful, then complete the transition
515 * now. After all, we are the worst feature set now with TCP
516 * sockets, and there's really no point in retrying. */
517 if (t->state == DNS_TRANSACTION_PENDING)
518 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
519 else
520 dns_transaction_gc(t);
521
522 return 0;
523 }
524
525 static int dns_transaction_open_tcp(DnsTransaction *t) {
526 _cleanup_close_ int fd = -1;
527 int r;
528
529 assert(t);
530
531 dns_transaction_close_connection(t);
532
533 switch (t->scope->protocol) {
534
535 case DNS_PROTOCOL_DNS:
536 r = dns_transaction_pick_server(t);
537 if (r < 0)
538 return r;
539
540 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type))
541 return -EOPNOTSUPP;
542
543 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
544 if (r < 0)
545 return r;
546
547 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, 53);
548 break;
549
550 case DNS_PROTOCOL_LLMNR:
551 /* When we already received a reply to this (but it was truncated), send to its sender address */
552 if (t->received)
553 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port);
554 else {
555 union in_addr_union address;
556 int family = AF_UNSPEC;
557
558 /* Otherwise, try to talk to the owner of a
559 * the IP address, in case this is a reverse
560 * PTR lookup */
561
562 r = dns_name_address(dns_resource_key_name(t->key), &family, &address);
563 if (r < 0)
564 return r;
565 if (r == 0)
566 return -EINVAL;
567 if (family != t->scope->family)
568 return -ESRCH;
569
570 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT);
571 }
572
573 break;
574
575 default:
576 return -EAFNOSUPPORT;
577 }
578
579 if (fd < 0)
580 return fd;
581
582 r = dns_stream_new(t->scope->manager, &t->stream, t->scope->protocol, fd);
583 if (r < 0)
584 return r;
585 fd = -1;
586
587 r = dns_stream_write_packet(t->stream, t->sent);
588 if (r < 0) {
589 t->stream = dns_stream_unref(t->stream);
590 return r;
591 }
592
593 t->stream->complete = on_stream_complete;
594 t->stream->transaction = t;
595
596 /* The interface index is difficult to determine if we are
597 * connecting to the local host, hence fill this in right away
598 * instead of determining it from the socket */
599 t->stream->ifindex = dns_scope_ifindex(t->scope);
600
601 dns_transaction_reset_answer(t);
602
603 t->tried_stream = true;
604
605 return 0;
606 }
607
608 static void dns_transaction_cache_answer(DnsTransaction *t) {
609 assert(t);
610
611 /* For mDNS we cache whenever we get the packet, rather than
612 * in each transaction. */
613 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
614 return;
615
616 /* Caching disabled? */
617 if (!t->scope->manager->enable_cache)
618 return;
619
620 /* We never cache if this packet is from the local host, under
621 * the assumption that a locally running DNS server would
622 * cache this anyway, and probably knows better when to flush
623 * the cache then we could. */
624 if (!DNS_PACKET_SHALL_CACHE(t->received))
625 return;
626
627 dns_cache_put(&t->scope->cache,
628 t->key,
629 t->answer_rcode,
630 t->answer,
631 t->answer_authenticated,
632 t->answer_nsec_ttl,
633 0,
634 t->received->family,
635 &t->received->sender);
636 }
637
638 static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
639 DnsTransaction *dt;
640 Iterator i;
641
642 assert(t);
643
644 SET_FOREACH(dt, t->dnssec_transactions, i)
645 if (DNS_TRANSACTION_IS_LIVE(dt->state))
646 return true;
647
648 return false;
649 }
650
651 static int dns_transaction_dnssec_ready(DnsTransaction *t) {
652 DnsTransaction *dt;
653 Iterator i;
654
655 assert(t);
656
657 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
658 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
659
660 SET_FOREACH(dt, t->dnssec_transactions, i) {
661
662 switch (dt->state) {
663
664 case DNS_TRANSACTION_NULL:
665 case DNS_TRANSACTION_PENDING:
666 case DNS_TRANSACTION_VALIDATING:
667 /* Still ongoing */
668 return 0;
669
670 case DNS_TRANSACTION_RCODE_FAILURE:
671 if (!IN_SET(dt->answer_rcode, DNS_RCODE_NXDOMAIN, DNS_RCODE_SERVFAIL)) {
672 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode));
673 goto fail;
674 }
675
676 /* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
677 * erronously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
678 * records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
679 * RRs to make unsigned proofs. */
680
681 case DNS_TRANSACTION_SUCCESS:
682 /* All good. */
683 break;
684
685 case DNS_TRANSACTION_DNSSEC_FAILED:
686 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
687 * validationr result */
688
689 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
690 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
691 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
692 return 0;
693
694
695 default:
696 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
697 goto fail;
698 }
699 }
700
701 /* All is ready, we can go and validate */
702 return 1;
703
704 fail:
705 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
706 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
707 return 0;
708 }
709
710 static void dns_transaction_process_dnssec(DnsTransaction *t) {
711 int r;
712
713 assert(t);
714
715 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
716 r = dns_transaction_dnssec_ready(t);
717 if (r < 0)
718 goto fail;
719 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
720 return;
721
722 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
723 * restart the lookup immediately. */
724 r = dns_transaction_maybe_restart(t);
725 if (r < 0)
726 goto fail;
727 if (r > 0) /* Transaction got restarted... */
728 return;
729
730 /* All our auxiliary DNSSEC transactions are complete now. Try
731 * to validate our RRset now. */
732 r = dns_transaction_validate_dnssec(t);
733 if (r == -EBADMSG) {
734 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
735 return;
736 }
737 if (r < 0)
738 goto fail;
739
740 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
741 t->scope->dnssec_mode == DNSSEC_YES) {
742
743 /* We are not in automatic downgrade mode, and the server is bad. Let's try a different server, maybe
744 * that works. */
745
746 if (t->n_picked_servers < dns_scope_get_n_dns_servers(t->scope)) {
747 /* We tried fewer servers on this transaction than we know, let's try another one then */
748 dns_transaction_retry(t, true);
749 return;
750 }
751
752 /* OK, let's give up, apparently all servers we tried didn't work. */
753 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
754 return;
755 }
756
757 if (!IN_SET(t->answer_dnssec_result,
758 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
759 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
760 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
761 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
762 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
763 return;
764 }
765
766 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
767 dns_server_warn_downgrade(t->server);
768
769 dns_transaction_cache_answer(t);
770
771 if (t->answer_rcode == DNS_RCODE_SUCCESS)
772 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
773 else
774 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
775
776 return;
777
778 fail:
779 t->answer_errno = -r;
780 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
781 }
782
783 static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
784 int r;
785
786 assert(t);
787
788 /* Checks whether the answer is positive, i.e. either a direct
789 * answer to the question, or a CNAME/DNAME for it */
790
791 r = dns_answer_match_key(t->answer, t->key, flags);
792 if (r != 0)
793 return r;
794
795 r = dns_answer_find_cname_or_dname(t->answer, t->key, NULL, flags);
796 if (r != 0)
797 return r;
798
799 return false;
800 }
801
802 static int dns_transaction_fix_rcode(DnsTransaction *t) {
803 int r;
804
805 assert(t);
806
807 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
808 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
809 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
810 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
811 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
812 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
813 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
814 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
815 * incomplete CNAME/DNAME chain.
816 *
817 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
818 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
819 * lookup. */
820
821 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
822 return 0;
823
824 r = dns_transaction_has_positive_answer(t, NULL);
825 if (r <= 0)
826 return r;
827
828 t->answer_rcode = DNS_RCODE_SUCCESS;
829 return 0;
830 }
831
832 void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
833 usec_t ts;
834 int r;
835
836 assert(t);
837 assert(p);
838 assert(t->scope);
839 assert(t->scope->manager);
840
841 if (t->state != DNS_TRANSACTION_PENDING)
842 return;
843
844 /* Note that this call might invalidate the query. Callers
845 * should hence not attempt to access the query or transaction
846 * after calling this function. */
847
848 log_debug("Processing incoming packet on transaction %" PRIu16". (rcode=%s)", t->id, dns_rcode_to_string(DNS_PACKET_RCODE(p)));
849
850 switch (t->scope->protocol) {
851
852 case DNS_PROTOCOL_LLMNR:
853 /* For LLMNR we will not accept any packets from other interfaces */
854
855 if (p->ifindex != dns_scope_ifindex(t->scope))
856 return;
857
858 if (p->family != t->scope->family)
859 return;
860
861 /* Tentative packets are not full responses but still
862 * useful for identifying uniqueness conflicts during
863 * probing. */
864 if (DNS_PACKET_LLMNR_T(p)) {
865 dns_transaction_tentative(t, p);
866 return;
867 }
868
869 break;
870
871 case DNS_PROTOCOL_MDNS:
872 /* For mDNS we will not accept any packets from other interfaces */
873
874 if (p->ifindex != dns_scope_ifindex(t->scope))
875 return;
876
877 if (p->family != t->scope->family)
878 return;
879
880 break;
881
882 case DNS_PROTOCOL_DNS:
883 /* Note that we do not need to verify the
884 * addresses/port numbers of incoming traffic, as we
885 * invoked connect() on our UDP socket in which case
886 * the kernel already does the needed verification for
887 * us. */
888 break;
889
890 default:
891 assert_not_reached("Invalid DNS protocol.");
892 }
893
894 if (t->received != p) {
895 dns_packet_unref(t->received);
896 t->received = dns_packet_ref(p);
897 }
898
899 t->answer_source = DNS_TRANSACTION_NETWORK;
900
901 if (p->ipproto == IPPROTO_TCP) {
902 if (DNS_PACKET_TC(p)) {
903 /* Truncated via TCP? Somebody must be fucking with us */
904 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
905 return;
906 }
907
908 if (DNS_PACKET_ID(p) != t->id) {
909 /* Not the reply to our query? Somebody must be fucking with us */
910 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
911 return;
912 }
913 }
914
915 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
916
917 switch (t->scope->protocol) {
918
919 case DNS_PROTOCOL_DNS:
920 assert(t->server);
921
922 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
923
924 /* Request failed, immediately try again with reduced features */
925
926 if (t->current_feature_level <= DNS_SERVER_FEATURE_LEVEL_UDP) {
927
928 /* This was already at UDP feature level? If so, it doesn't make sense to downgrade
929 * this transaction anymore, but let's see if it might make sense to send the request
930 * to a different DNS server instead. If not let's process the response, and accept the
931 * rcode. Note that we don't retry on TCP, since that's a suitable way to mitigate
932 * packet loss, but is not going to give us better rcodes should we actually have
933 * managed to get them already at UDP level. */
934
935 if (t->n_picked_servers < dns_scope_get_n_dns_servers(t->scope)) {
936 /* We tried fewer servers on this transaction than we know, let's try another one then */
937 dns_transaction_retry(t, true);
938 return;
939 }
940
941 /* Give up, accept the rcode */
942 log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p)));
943 break;
944 }
945
946 /* Reduce this feature level by one and try again. */
947 t->clamp_feature_level = t->current_feature_level - 1;
948
949 log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
950 dns_rcode_to_string(DNS_PACKET_RCODE(p)),
951 dns_server_feature_level_to_string(t->clamp_feature_level));
952
953 dns_transaction_retry(t, false /* use the same server */);
954 return;
955 }
956
957 if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) {
958 /* This server refused our request? If so, try again, use a different server */
959 log_debug("Server returned REFUSED, switching servers, and retrying.");
960 dns_transaction_retry(t, true /* pick a new server */);
961 return;
962 }
963
964 if (DNS_PACKET_TC(p))
965 dns_server_packet_truncated(t->server, t->current_feature_level);
966
967 break;
968
969 case DNS_PROTOCOL_LLMNR:
970 case DNS_PROTOCOL_MDNS:
971 dns_scope_packet_received(t->scope, ts - t->start_usec);
972 break;
973
974 default:
975 assert_not_reached("Invalid DNS protocol.");
976 }
977
978 if (DNS_PACKET_TC(p)) {
979
980 /* Truncated packets for mDNS are not allowed. Give up immediately. */
981 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
982 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
983 return;
984 }
985
986 log_debug("Reply truncated, retrying via TCP.");
987
988 /* Response was truncated, let's try again with good old TCP */
989 r = dns_transaction_open_tcp(t);
990 if (r == -ESRCH) {
991 /* No servers found? Damn! */
992 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
993 return;
994 }
995 if (r == -EOPNOTSUPP) {
996 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
997 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
998 return;
999 }
1000 if (r < 0) {
1001 /* On LLMNR, if we cannot connect to the host,
1002 * we immediately give up */
1003 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1004 goto fail;
1005
1006 /* On DNS, couldn't send? Try immediately again, with a new server */
1007 dns_transaction_retry(t, true);
1008 }
1009
1010 return;
1011 }
1012
1013 /* After the superficial checks, actually parse the message. */
1014 r = dns_packet_extract(p);
1015 if (r < 0) {
1016 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1017 return;
1018 }
1019
1020 if (t->server) {
1021 /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
1022 * rcode and subsequently downgraded the protocol */
1023
1024 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
1025 t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID)
1026 dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level);
1027
1028 /* Report that the OPT RR was missing */
1029 if (!p->opt)
1030 dns_server_packet_bad_opt(t->server, t->current_feature_level);
1031
1032 /* Report that we successfully received a packet */
1033 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, ts - t->start_usec, p->size);
1034 }
1035
1036 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
1037 r = dns_transaction_maybe_restart(t);
1038 if (r < 0)
1039 goto fail;
1040 if (r > 0) /* Transaction got restarted... */
1041 return;
1042
1043 if (IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
1044
1045 /* When dealing with protocols other than mDNS only consider responses with
1046 * equivalent query section to the request. For mDNS this check doesn't make
1047 * sense, because the section 6 of RFC6762 states that "Multicast DNS responses MUST NOT
1048 * contain any questions in the Question Section". */
1049 if (t->scope->protocol != DNS_PROTOCOL_MDNS) {
1050 r = dns_packet_is_reply_for(p, t->key);
1051 if (r < 0)
1052 goto fail;
1053 if (r == 0) {
1054 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
1055 return;
1056 }
1057 }
1058
1059 /* Install the answer as answer to the transaction */
1060 dns_answer_unref(t->answer);
1061 t->answer = dns_answer_ref(p->answer);
1062 t->answer_rcode = DNS_PACKET_RCODE(p);
1063 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
1064 t->answer_authenticated = false;
1065
1066 r = dns_transaction_fix_rcode(t);
1067 if (r < 0)
1068 goto fail;
1069
1070 /* Block GC while starting requests for additional DNSSEC RRs */
1071 t->block_gc++;
1072 r = dns_transaction_request_dnssec_keys(t);
1073 t->block_gc--;
1074
1075 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
1076 if (!dns_transaction_gc(t))
1077 return;
1078
1079 /* Requesting additional keys might have resulted in
1080 * this transaction to fail, since the auxiliary
1081 * request failed for some reason. If so, we are not
1082 * in pending state anymore, and we should exit
1083 * quickly. */
1084 if (t->state != DNS_TRANSACTION_PENDING)
1085 return;
1086 if (r < 0)
1087 goto fail;
1088 if (r > 0) {
1089 /* There are DNSSEC transactions pending now. Update the state accordingly. */
1090 t->state = DNS_TRANSACTION_VALIDATING;
1091 dns_transaction_close_connection(t);
1092 dns_transaction_stop_timeout(t);
1093 return;
1094 }
1095 }
1096
1097 dns_transaction_process_dnssec(t);
1098 return;
1099
1100 fail:
1101 t->answer_errno = -r;
1102 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
1103 }
1104
1105 static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1106 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1107 DnsTransaction *t = userdata;
1108 int r;
1109
1110 assert(t);
1111 assert(t->scope);
1112
1113 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
1114 if (ERRNO_IS_DISCONNECT(-r)) {
1115 usec_t usec;
1116
1117 /* UDP connection failure get reported via ICMP and then are possible delivered to us on the next
1118 * recvmsg(). Treat this like a lost packet. */
1119
1120 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
1121 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
1122 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level, usec - t->start_usec);
1123
1124 dns_transaction_retry(t, true);
1125 return 0;
1126 }
1127 if (r < 0) {
1128 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
1129 t->answer_errno = -r;
1130 return 0;
1131 }
1132
1133 r = dns_packet_validate_reply(p);
1134 if (r < 0) {
1135 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1136 return 0;
1137 }
1138 if (r == 0) {
1139 log_debug("Received inappropriate DNS packet as response, ignoring.");
1140 return 0;
1141 }
1142
1143 if (DNS_PACKET_ID(p) != t->id) {
1144 log_debug("Received packet with incorrect transaction ID, ignoring.");
1145 return 0;
1146 }
1147
1148 dns_transaction_process_reply(t, p);
1149 return 0;
1150 }
1151
1152 static int dns_transaction_emit_udp(DnsTransaction *t) {
1153 int r;
1154
1155 assert(t);
1156
1157 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
1158
1159 r = dns_transaction_pick_server(t);
1160 if (r < 0)
1161 return r;
1162
1163 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP)
1164 return -EAGAIN; /* Sorry, can't do UDP, try TCP! */
1165
1166 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type))
1167 return -EOPNOTSUPP;
1168
1169 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1170 int fd;
1171
1172 dns_transaction_close_connection(t);
1173
1174 fd = dns_scope_socket_udp(t->scope, t->server, 53);
1175 if (fd < 0)
1176 return fd;
1177
1178 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1179 if (r < 0) {
1180 safe_close(fd);
1181 return r;
1182 }
1183
1184 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
1185 t->dns_udp_fd = fd;
1186 }
1187
1188 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1189 if (r < 0)
1190 return r;
1191 } else
1192 dns_transaction_close_connection(t);
1193
1194 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->sent);
1195 if (r < 0)
1196 return r;
1197
1198 dns_transaction_reset_answer(t);
1199
1200 return 0;
1201 }
1202
1203 static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1204 DnsTransaction *t = userdata;
1205
1206 assert(s);
1207 assert(t);
1208
1209 if (!t->initial_jitter_scheduled || t->initial_jitter_elapsed) {
1210 /* Timeout reached? Increase the timeout for the server used */
1211 switch (t->scope->protocol) {
1212
1213 case DNS_PROTOCOL_DNS:
1214 assert(t->server);
1215 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level, usec - t->start_usec);
1216 break;
1217
1218 case DNS_PROTOCOL_LLMNR:
1219 case DNS_PROTOCOL_MDNS:
1220 dns_scope_packet_lost(t->scope, usec - t->start_usec);
1221 break;
1222
1223 default:
1224 assert_not_reached("Invalid DNS protocol.");
1225 }
1226
1227 if (t->initial_jitter_scheduled)
1228 t->initial_jitter_elapsed = true;
1229 }
1230
1231 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
1232
1233 dns_transaction_retry(t, true);
1234 return 0;
1235 }
1236
1237 static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1238 assert(t);
1239 assert(t->scope);
1240
1241
1242 switch (t->scope->protocol) {
1243
1244 case DNS_PROTOCOL_DNS:
1245
1246 /* When we do TCP, grant a much longer timeout, as in this case there's no need for us to quickly
1247 * resend, as the kernel does that anyway for us, and we really don't want to interrupt it in that
1248 * needlessly. */
1249 if (t->stream)
1250 return TRANSACTION_TCP_TIMEOUT_USEC;
1251
1252 assert(t->server);
1253 return t->server->resend_timeout;
1254
1255 case DNS_PROTOCOL_MDNS:
1256 assert(t->n_attempts > 0);
1257 if (t->probing)
1258 return MDNS_PROBING_INTERVAL_USEC;
1259 else
1260 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
1261
1262 case DNS_PROTOCOL_LLMNR:
1263 return t->scope->resend_timeout;
1264
1265 default:
1266 assert_not_reached("Invalid DNS protocol.");
1267 }
1268 }
1269
1270 static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
1271 int r;
1272
1273 assert(t);
1274
1275 dns_transaction_stop_timeout(t);
1276
1277 r = dns_scope_network_good(t->scope);
1278 if (r < 0)
1279 return r;
1280 if (r == 0) {
1281 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1282 return 0;
1283 }
1284
1285 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
1286 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1287 return 0;
1288 }
1289
1290 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
1291 /* If we already tried via a stream, then we don't
1292 * retry on LLMNR. See RFC 4795, Section 2.7. */
1293 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1294 return 0;
1295 }
1296
1297 t->n_attempts++;
1298 t->start_usec = ts;
1299
1300 dns_transaction_reset_answer(t);
1301 dns_transaction_flush_dnssec_transactions(t);
1302
1303 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
1304 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
1305 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, t->key, &t->answer);
1306 if (r < 0)
1307 return r;
1308 if (r > 0) {
1309 t->answer_rcode = DNS_RCODE_SUCCESS;
1310 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1311 t->answer_authenticated = true;
1312 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1313 return 0;
1314 }
1315
1316 if (dns_name_is_root(dns_resource_key_name(t->key)) &&
1317 t->key->type == DNS_TYPE_DS) {
1318
1319 /* Hmm, this is a request for the root DS? A
1320 * DS RR doesn't exist in the root zone, and
1321 * if our trust anchor didn't know it either,
1322 * this means we cannot do any DNSSEC logic
1323 * anymore. */
1324
1325 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
1326 /* We are in downgrade mode. In this
1327 * case, synthesize an unsigned empty
1328 * response, so that the any lookup
1329 * depending on this one can continue
1330 * assuming there was no DS, and hence
1331 * the root zone was unsigned. */
1332
1333 t->answer_rcode = DNS_RCODE_SUCCESS;
1334 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1335 t->answer_authenticated = false;
1336 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1337 } else
1338 /* If we are not in downgrade mode,
1339 * then fail the lookup, because we
1340 * cannot reasonably answer it. There
1341 * might be DS RRs, but we don't know
1342 * them, and the DNS server won't tell
1343 * them to us (and even if it would,
1344 * we couldn't validate and trust them. */
1345 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1346
1347 return 0;
1348 }
1349 }
1350
1351 /* Check the zone, but only if this transaction is not used
1352 * for probing or verifying a zone item. */
1353 if (set_isempty(t->notify_zone_items)) {
1354
1355 r = dns_zone_lookup(&t->scope->zone, t->key, dns_scope_ifindex(t->scope), &t->answer, NULL, NULL);
1356 if (r < 0)
1357 return r;
1358 if (r > 0) {
1359 t->answer_rcode = DNS_RCODE_SUCCESS;
1360 t->answer_source = DNS_TRANSACTION_ZONE;
1361 t->answer_authenticated = true;
1362 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1363 return 0;
1364 }
1365 }
1366
1367 /* Check the cache, but only if this transaction is not used
1368 * for probing or verifying a zone item. */
1369 if (set_isempty(t->notify_zone_items)) {
1370
1371 /* Before trying the cache, let's make sure we figured out a
1372 * server to use. Should this cause a change of server this
1373 * might flush the cache. */
1374 (void) dns_scope_get_dns_server(t->scope);
1375
1376 /* Let's then prune all outdated entries */
1377 dns_cache_prune(&t->scope->cache);
1378
1379 r = dns_cache_lookup(&t->scope->cache, t->key, t->clamp_ttl, &t->answer_rcode, &t->answer, &t->answer_authenticated);
1380 if (r < 0)
1381 return r;
1382 if (r > 0) {
1383 t->answer_source = DNS_TRANSACTION_CACHE;
1384 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1385 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1386 else
1387 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1388 return 0;
1389 }
1390 }
1391
1392 return 1;
1393 }
1394
1395 static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
1396
1397 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1398 bool add_known_answers = false;
1399 DnsTransaction *other;
1400 Iterator i;
1401 DnsResourceKey *tkey;
1402 _cleanup_set_free_ Set *keys = NULL;
1403 unsigned qdcount;
1404 unsigned nscount = 0;
1405 usec_t ts;
1406 int r;
1407
1408 assert(t);
1409 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1410
1411 /* Discard any previously prepared packet, so we can start over and coalesce again */
1412 t->sent = dns_packet_unref(t->sent);
1413
1414 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1415 if (r < 0)
1416 return r;
1417
1418 r = dns_packet_append_key(p, t->key, 0, NULL);
1419 if (r < 0)
1420 return r;
1421
1422 qdcount = 1;
1423
1424 if (dns_key_is_shared(t->key))
1425 add_known_answers = true;
1426
1427 if (t->key->type == DNS_TYPE_ANY) {
1428 r = set_ensure_allocated(&keys, &dns_resource_key_hash_ops);
1429 if (r < 0)
1430 return r;
1431
1432 r = set_put(keys, t->key);
1433 if (r < 0)
1434 return r;
1435 }
1436
1437 /*
1438 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1439 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
1440 * in our current scope, and see whether their timing contraints allow them to be sent.
1441 */
1442
1443 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1444
1445 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1446
1447 /* Skip ourselves */
1448 if (other == t)
1449 continue;
1450
1451 if (other->state != DNS_TRANSACTION_PENDING)
1452 continue;
1453
1454 if (other->next_attempt_after > ts)
1455 continue;
1456
1457 if (qdcount >= UINT16_MAX)
1458 break;
1459
1460 r = dns_packet_append_key(p, other->key, 0, NULL);
1461
1462 /*
1463 * If we can't stuff more questions into the packet, just give up.
1464 * One of the 'other' transactions will fire later and take care of the rest.
1465 */
1466 if (r == -EMSGSIZE)
1467 break;
1468
1469 if (r < 0)
1470 return r;
1471
1472 r = dns_transaction_prepare(other, ts);
1473 if (r <= 0)
1474 continue;
1475
1476 ts += transaction_get_resend_timeout(other);
1477
1478 r = sd_event_add_time(
1479 other->scope->manager->event,
1480 &other->timeout_event_source,
1481 clock_boottime_or_monotonic(),
1482 ts, 0,
1483 on_transaction_timeout, other);
1484 if (r < 0)
1485 return r;
1486
1487 (void) sd_event_source_set_description(other->timeout_event_source, "dns-transaction-timeout");
1488
1489 other->state = DNS_TRANSACTION_PENDING;
1490 other->next_attempt_after = ts;
1491
1492 qdcount++;
1493
1494 if (dns_key_is_shared(other->key))
1495 add_known_answers = true;
1496
1497 if (other->key->type == DNS_TYPE_ANY) {
1498 r = set_ensure_allocated(&keys, &dns_resource_key_hash_ops);
1499 if (r < 0)
1500 return r;
1501
1502 r = set_put(keys, other->key);
1503 if (r < 0)
1504 return r;
1505 }
1506 }
1507
1508 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
1509
1510 /* Append known answer section if we're asking for any shared record */
1511 if (add_known_answers) {
1512 r = dns_cache_export_shared_to_packet(&t->scope->cache, p);
1513 if (r < 0)
1514 return r;
1515 }
1516
1517 SET_FOREACH(tkey, keys, i) {
1518 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
1519 bool tentative;
1520
1521 r = dns_zone_lookup(&t->scope->zone, tkey, t->scope->link->ifindex, &answer, NULL, &tentative);
1522 if (r < 0)
1523 return r;
1524
1525 r = dns_packet_append_answer(p, answer);
1526 if (r < 0)
1527 return r;
1528
1529 nscount += dns_answer_size(answer);
1530 }
1531 DNS_PACKET_HEADER(p)->nscount = htobe16(nscount);
1532
1533 t->sent = TAKE_PTR(p);
1534
1535 return 0;
1536 }
1537
1538 static int dns_transaction_make_packet(DnsTransaction *t) {
1539 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1540 int r;
1541
1542 assert(t);
1543
1544 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1545 return dns_transaction_make_packet_mdns(t);
1546
1547 if (t->sent)
1548 return 0;
1549
1550 r = dns_packet_new_query(&p, t->scope->protocol, 0, t->scope->dnssec_mode != DNSSEC_NO);
1551 if (r < 0)
1552 return r;
1553
1554 r = dns_packet_append_key(p, t->key, 0, NULL);
1555 if (r < 0)
1556 return r;
1557
1558 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1559 DNS_PACKET_HEADER(p)->id = t->id;
1560
1561 t->sent = TAKE_PTR(p);
1562
1563 return 0;
1564 }
1565
1566 int dns_transaction_go(DnsTransaction *t) {
1567 usec_t ts;
1568 int r;
1569 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
1570
1571 assert(t);
1572
1573 /* Returns > 0 if the transaction is now pending, returns 0 if could be processed immediately and has finished
1574 * now. */
1575
1576 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1577
1578 r = dns_transaction_prepare(t, ts);
1579 if (r <= 0)
1580 return r;
1581
1582 log_debug("Transaction %" PRIu16 " for <%s> scope %s on %s/%s.",
1583 t->id,
1584 dns_resource_key_to_string(t->key, key_str, sizeof key_str),
1585 dns_protocol_to_string(t->scope->protocol),
1586 t->scope->link ? t->scope->link->name : "*",
1587 af_to_name_short(t->scope->family));
1588
1589 if (!t->initial_jitter_scheduled &&
1590 IN_SET(t->scope->protocol, DNS_PROTOCOL_LLMNR, DNS_PROTOCOL_MDNS)) {
1591 usec_t jitter, accuracy;
1592
1593 /* RFC 4795 Section 2.7 suggests all queries should be
1594 * delayed by a random time from 0 to JITTER_INTERVAL. */
1595
1596 t->initial_jitter_scheduled = true;
1597
1598 random_bytes(&jitter, sizeof(jitter));
1599
1600 switch (t->scope->protocol) {
1601
1602 case DNS_PROTOCOL_LLMNR:
1603 jitter %= LLMNR_JITTER_INTERVAL_USEC;
1604 accuracy = LLMNR_JITTER_INTERVAL_USEC;
1605 break;
1606
1607 case DNS_PROTOCOL_MDNS:
1608 jitter %= MDNS_JITTER_RANGE_USEC;
1609 jitter += MDNS_JITTER_MIN_USEC;
1610 accuracy = MDNS_JITTER_RANGE_USEC;
1611 break;
1612 default:
1613 assert_not_reached("bad protocol");
1614 }
1615
1616 r = sd_event_add_time(
1617 t->scope->manager->event,
1618 &t->timeout_event_source,
1619 clock_boottime_or_monotonic(),
1620 ts + jitter, accuracy,
1621 on_transaction_timeout, t);
1622 if (r < 0)
1623 return r;
1624
1625 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1626
1627 t->n_attempts = 0;
1628 t->next_attempt_after = ts;
1629 t->state = DNS_TRANSACTION_PENDING;
1630
1631 log_debug("Delaying %s transaction for " USEC_FMT "us.", dns_protocol_to_string(t->scope->protocol), jitter);
1632 return 0;
1633 }
1634
1635 /* Otherwise, we need to ask the network */
1636 r = dns_transaction_make_packet(t);
1637 if (r < 0)
1638 return r;
1639
1640 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
1641 (dns_name_endswith(dns_resource_key_name(t->key), "in-addr.arpa") > 0 ||
1642 dns_name_endswith(dns_resource_key_name(t->key), "ip6.arpa") > 0)) {
1643
1644 /* RFC 4795, Section 2.4. says reverse lookups shall
1645 * always be made via TCP on LLMNR */
1646 r = dns_transaction_open_tcp(t);
1647 } else {
1648 /* Try via UDP, and if that fails due to large size or lack of
1649 * support try via TCP */
1650 r = dns_transaction_emit_udp(t);
1651 if (r == -EMSGSIZE)
1652 log_debug("Sending query via TCP since it is too large.");
1653 else if (r == -EAGAIN)
1654 log_debug("Sending query via TCP since server doesn't support UDP.");
1655 if (IN_SET(r, -EMSGSIZE, -EAGAIN))
1656 r = dns_transaction_open_tcp(t);
1657 }
1658
1659 if (r == -ESRCH) {
1660 /* No servers to send this to? */
1661 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1662 return 0;
1663 }
1664 if (r == -EOPNOTSUPP) {
1665 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1666 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1667 return 0;
1668 }
1669 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_DISCONNECT(-r)) {
1670 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
1671 * answer this request with this protocol. */
1672 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
1673 return 0;
1674 }
1675 if (r < 0) {
1676 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1677 return r;
1678
1679 /* Couldn't send? Try immediately again, with a new server */
1680 dns_scope_next_dns_server(t->scope);
1681
1682 return dns_transaction_go(t);
1683 }
1684
1685 ts += transaction_get_resend_timeout(t);
1686
1687 r = sd_event_add_time(
1688 t->scope->manager->event,
1689 &t->timeout_event_source,
1690 clock_boottime_or_monotonic(),
1691 ts, 0,
1692 on_transaction_timeout, t);
1693 if (r < 0)
1694 return r;
1695
1696 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1697
1698 t->state = DNS_TRANSACTION_PENDING;
1699 t->next_attempt_after = ts;
1700
1701 return 1;
1702 }
1703
1704 static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
1705 DnsTransaction *n;
1706 Iterator i;
1707 int r;
1708
1709 assert(t);
1710 assert(aux);
1711
1712 /* Try to find cyclic dependencies between transaction objects */
1713
1714 if (t == aux)
1715 return 1;
1716
1717 SET_FOREACH(n, aux->dnssec_transactions, i) {
1718 r = dns_transaction_find_cyclic(t, n);
1719 if (r != 0)
1720 return r;
1721 }
1722
1723 return 0;
1724 }
1725
1726 static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
1727 DnsTransaction *aux;
1728 int r;
1729
1730 assert(t);
1731 assert(ret);
1732 assert(key);
1733
1734 aux = dns_scope_find_transaction(t->scope, key, true);
1735 if (!aux) {
1736 r = dns_transaction_new(&aux, t->scope, key);
1737 if (r < 0)
1738 return r;
1739 } else {
1740 if (set_contains(t->dnssec_transactions, aux)) {
1741 *ret = aux;
1742 return 0;
1743 }
1744
1745 r = dns_transaction_find_cyclic(t, aux);
1746 if (r < 0)
1747 return r;
1748 if (r > 0) {
1749 char s[DNS_RESOURCE_KEY_STRING_MAX], saux[DNS_RESOURCE_KEY_STRING_MAX];
1750
1751 log_debug("Potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
1752 aux->id,
1753 dns_resource_key_to_string(t->key, s, sizeof s),
1754 t->id,
1755 dns_resource_key_to_string(aux->key, saux, sizeof saux));
1756
1757 return -ELOOP;
1758 }
1759 }
1760
1761 r = set_ensure_allocated(&t->dnssec_transactions, NULL);
1762 if (r < 0)
1763 goto gc;
1764
1765 r = set_ensure_allocated(&aux->notify_transactions, NULL);
1766 if (r < 0)
1767 goto gc;
1768
1769 r = set_ensure_allocated(&aux->notify_transactions_done, NULL);
1770 if (r < 0)
1771 goto gc;
1772
1773 r = set_put(t->dnssec_transactions, aux);
1774 if (r < 0)
1775 goto gc;
1776
1777 r = set_put(aux->notify_transactions, t);
1778 if (r < 0) {
1779 (void) set_remove(t->dnssec_transactions, aux);
1780 goto gc;
1781 }
1782
1783 *ret = aux;
1784 return 1;
1785
1786 gc:
1787 dns_transaction_gc(aux);
1788 return r;
1789 }
1790
1791 static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
1792 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
1793 DnsTransaction *aux;
1794 int r;
1795
1796 assert(t);
1797 assert(key);
1798
1799 /* Try to get the data from the trust anchor */
1800 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
1801 if (r < 0)
1802 return r;
1803 if (r > 0) {
1804 r = dns_answer_extend(&t->validated_keys, a);
1805 if (r < 0)
1806 return r;
1807
1808 return 0;
1809 }
1810
1811 /* This didn't work, ask for it via the network/cache then. */
1812 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
1813 if (r == -ELOOP) /* This would result in a cyclic dependency */
1814 return 0;
1815 if (r < 0)
1816 return r;
1817
1818 if (aux->state == DNS_TRANSACTION_NULL) {
1819 r = dns_transaction_go(aux);
1820 if (r < 0)
1821 return r;
1822 }
1823
1824 return 1;
1825 }
1826
1827 static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
1828 int r;
1829
1830 assert(t);
1831
1832 /* Check whether the specified name is in the NTA
1833 * database, either in the global one, or the link-local
1834 * one. */
1835
1836 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
1837 if (r != 0)
1838 return r;
1839
1840 if (!t->scope->link)
1841 return 0;
1842
1843 return set_contains(t->scope->link->dnssec_negative_trust_anchors, name);
1844 }
1845
1846 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
1847 int r;
1848
1849 assert(t);
1850
1851 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
1852 * RRs to prove it */
1853
1854 r = dns_transaction_has_positive_answer(t, NULL);
1855 if (r < 0)
1856 return r;
1857 if (r > 0)
1858 return false;
1859
1860 /* Is this key explicitly listed as a negative trust anchor?
1861 * If so, it's nothing we need to care about */
1862 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(t->key));
1863 if (r < 0)
1864 return r;
1865 if (r > 0)
1866 return false;
1867
1868 /* The answer does not contain any RRs that match to the
1869 * question. If so, let's see if there are any NSEC/NSEC3 RRs
1870 * included. If not, the answer is unsigned. */
1871
1872 r = dns_answer_contains_nsec_or_nsec3(t->answer);
1873 if (r < 0)
1874 return r;
1875 if (r > 0)
1876 return false;
1877
1878 return true;
1879 }
1880
1881 static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
1882 int r;
1883
1884 assert(t);
1885 assert(rr);
1886
1887 /* Check if the specified RR is the "primary" response,
1888 * i.e. either matches the question precisely or is a
1889 * CNAME/DNAME for it. */
1890
1891 r = dns_resource_key_match_rr(t->key, rr, NULL);
1892 if (r != 0)
1893 return r;
1894
1895 return dns_resource_key_match_cname_or_dname(t->key, rr->key, NULL);
1896 }
1897
1898 static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
1899 assert(t);
1900
1901 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
1902 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
1903
1904 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1905 return false;
1906
1907 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
1908 * be supported, hence return true. */
1909 if (!t->server)
1910 return true;
1911
1912 /* Note that we do not check the feature level actually used for the transaction but instead the feature level
1913 * the server is known to support currently, as the transaction feature level might be lower than what the
1914 * server actually supports, since we might have downgraded this transaction's feature level because we got a
1915 * SERVFAIL earlier and wanted to check whether downgrading fixes it. */
1916
1917 return dns_server_dnssec_supported(t->server);
1918 }
1919
1920 static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
1921 DnsTransaction *dt;
1922 Iterator i;
1923
1924 assert(t);
1925
1926 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
1927
1928 if (!dns_transaction_dnssec_supported(t))
1929 return false;
1930
1931 SET_FOREACH(dt, t->dnssec_transactions, i)
1932 if (!dns_transaction_dnssec_supported(dt))
1933 return false;
1934
1935 return true;
1936 }
1937
1938 int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
1939 DnsResourceRecord *rr;
1940
1941 int r;
1942
1943 assert(t);
1944
1945 /*
1946 * Retrieve all auxiliary RRs for the answer we got, so that
1947 * we can verify signatures or prove that RRs are rightfully
1948 * unsigned. Specifically:
1949 *
1950 * - For RRSIG we get the matching DNSKEY
1951 * - For DNSKEY we get the matching DS
1952 * - For unsigned SOA/NS we get the matching DS
1953 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
1954 * - For other unsigned RRs we get the matching SOA RR
1955 * - For SOA/NS queries with no matching response RR, and no NSEC/NSEC3, the DS RR
1956 * - For DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
1957 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
1958 */
1959
1960 if (t->scope->dnssec_mode == DNSSEC_NO)
1961 return 0;
1962 if (t->answer_source != DNS_TRANSACTION_NETWORK)
1963 return 0; /* We only need to validate stuff from the network */
1964 if (!dns_transaction_dnssec_supported(t))
1965 return 0; /* If we can't do DNSSEC anyway there's no point in geting the auxiliary RRs */
1966
1967 DNS_ANSWER_FOREACH(rr, t->answer) {
1968
1969 if (dns_type_is_pseudo(rr->key->type))
1970 continue;
1971
1972 /* If this RR is in the negative trust anchor, we don't need to validate it. */
1973 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
1974 if (r < 0)
1975 return r;
1976 if (r > 0)
1977 continue;
1978
1979 switch (rr->key->type) {
1980
1981 case DNS_TYPE_RRSIG: {
1982 /* For each RRSIG we request the matching DNSKEY */
1983 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
1984
1985 /* If this RRSIG is about a DNSKEY RR and the
1986 * signer is the same as the owner, then we
1987 * already have the DNSKEY, and we don't have
1988 * to look for more. */
1989 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
1990 r = dns_name_equal(rr->rrsig.signer, dns_resource_key_name(rr->key));
1991 if (r < 0)
1992 return r;
1993 if (r > 0)
1994 continue;
1995 }
1996
1997 /* If the signer is not a parent of our
1998 * original query, then this is about an
1999 * auxiliary RRset, but not anything we asked
2000 * for. In this case we aren't interested,
2001 * because we don't want to request additional
2002 * RRs for stuff we didn't really ask for, and
2003 * also to avoid request loops, where
2004 * additional RRs from one transaction result
2005 * in another transaction whose additonal RRs
2006 * point back to the original transaction, and
2007 * we deadlock. */
2008 r = dns_name_endswith(dns_resource_key_name(t->key), rr->rrsig.signer);
2009 if (r < 0)
2010 return r;
2011 if (r == 0)
2012 continue;
2013
2014 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
2015 if (!dnskey)
2016 return -ENOMEM;
2017
2018 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").",
2019 t->id, dns_resource_key_name(rr->key), rr->rrsig.key_tag);
2020 r = dns_transaction_request_dnssec_rr(t, dnskey);
2021 if (r < 0)
2022 return r;
2023 break;
2024 }
2025
2026 case DNS_TYPE_DNSKEY: {
2027 /* For each DNSKEY we request the matching DS */
2028 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2029
2030 /* If the DNSKEY we are looking at is not for
2031 * zone we are interested in, nor any of its
2032 * parents, we aren't interested, and don't
2033 * request it. After all, we don't want to end
2034 * up in request loops, and want to keep
2035 * additional traffic down. */
2036
2037 r = dns_name_endswith(dns_resource_key_name(t->key), dns_resource_key_name(rr->key));
2038 if (r < 0)
2039 return r;
2040 if (r == 0)
2041 continue;
2042
2043 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2044 if (!ds)
2045 return -ENOMEM;
2046
2047 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").",
2048 t->id, dns_resource_key_name(rr->key), dnssec_keytag(rr, false));
2049 r = dns_transaction_request_dnssec_rr(t, ds);
2050 if (r < 0)
2051 return r;
2052
2053 break;
2054 }
2055
2056 case DNS_TYPE_SOA:
2057 case DNS_TYPE_NS: {
2058 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
2059
2060 /* For an unsigned SOA or NS, try to acquire
2061 * the matching DS RR, as we are at a zone cut
2062 * then, and whether a DS exists tells us
2063 * whether the zone is signed. Do so only if
2064 * this RR matches our original question,
2065 * however. */
2066
2067 r = dns_resource_key_match_rr(t->key, rr, NULL);
2068 if (r < 0)
2069 return r;
2070 if (r == 0) {
2071 /* Hmm, so this SOA RR doesn't match our original question. In this case, maybe this is
2072 * a negative reply, and we need the a SOA RR's TTL in order to cache a negative entry?
2073 * If so, we need to validate it, too. */
2074
2075 r = dns_answer_match_key(t->answer, t->key, NULL);
2076 if (r < 0)
2077 return r;
2078 if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
2079 * it. */
2080 continue;
2081 }
2082
2083 r = dnssec_has_rrsig(t->answer, rr->key);
2084 if (r < 0)
2085 return r;
2086 if (r > 0)
2087 continue;
2088
2089 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, dns_resource_key_name(rr->key));
2090 if (!ds)
2091 return -ENOMEM;
2092
2093 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).",
2094 t->id, dns_resource_key_name(rr->key));
2095 r = dns_transaction_request_dnssec_rr(t, ds);
2096 if (r < 0)
2097 return r;
2098
2099 break;
2100 }
2101
2102 case DNS_TYPE_DS:
2103 case DNS_TYPE_CNAME:
2104 case DNS_TYPE_DNAME: {
2105 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2106 const char *name;
2107
2108 /* CNAMEs and DNAMEs cannot be located at a
2109 * zone apex, hence ask for the parent SOA for
2110 * unsigned CNAME/DNAME RRs, maybe that's the
2111 * apex. But do all that only if this is
2112 * actually a response to our original
2113 * question.
2114 *
2115 * Similar for DS RRs, which are signed when
2116 * the parent SOA is signed. */
2117
2118 r = dns_transaction_is_primary_response(t, rr);
2119 if (r < 0)
2120 return r;
2121 if (r == 0)
2122 continue;
2123
2124 r = dnssec_has_rrsig(t->answer, rr->key);
2125 if (r < 0)
2126 return r;
2127 if (r > 0)
2128 continue;
2129
2130 r = dns_answer_has_dname_for_cname(t->answer, rr);
2131 if (r < 0)
2132 return r;
2133 if (r > 0)
2134 continue;
2135
2136 name = dns_resource_key_name(rr->key);
2137 r = dns_name_parent(&name);
2138 if (r < 0)
2139 return r;
2140 if (r == 0)
2141 continue;
2142
2143 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
2144 if (!soa)
2145 return -ENOMEM;
2146
2147 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).",
2148 t->id, dns_resource_key_name(rr->key));
2149 r = dns_transaction_request_dnssec_rr(t, soa);
2150 if (r < 0)
2151 return r;
2152
2153 break;
2154 }
2155
2156 default: {
2157 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2158
2159 /* For other unsigned RRsets (including
2160 * NSEC/NSEC3!), look for proof the zone is
2161 * unsigned, by requesting the SOA RR of the
2162 * zone. However, do so only if they are
2163 * directly relevant to our original
2164 * question. */
2165
2166 r = dns_transaction_is_primary_response(t, rr);
2167 if (r < 0)
2168 return r;
2169 if (r == 0)
2170 continue;
2171
2172 r = dnssec_has_rrsig(t->answer, rr->key);
2173 if (r < 0)
2174 return r;
2175 if (r > 0)
2176 continue;
2177
2178 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, dns_resource_key_name(rr->key));
2179 if (!soa)
2180 return -ENOMEM;
2181
2182 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).",
2183 t->id, dns_resource_key_name(rr->key), dns_resource_record_to_string(rr));
2184 r = dns_transaction_request_dnssec_rr(t, soa);
2185 if (r < 0)
2186 return r;
2187 break;
2188 }}
2189 }
2190
2191 /* Above, we requested everything necessary to validate what
2192 * we got. Now, let's request what we need to validate what we
2193 * didn't get... */
2194
2195 r = dns_transaction_has_unsigned_negative_answer(t);
2196 if (r < 0)
2197 return r;
2198 if (r > 0) {
2199 const char *name;
2200 uint16_t type = 0;
2201
2202 name = dns_resource_key_name(t->key);
2203
2204 /* If this was a SOA or NS request, then check if there's a DS RR for the same domain. Note that this
2205 * could also be used as indication that we are not at a zone apex, but in real world setups there are
2206 * too many broken DNS servers (Hello, incapdns.net!) where non-terminal zones return NXDOMAIN even
2207 * though they have further children. If this was a DS request, then it's signed when the parent zone
2208 * is signed, hence ask the parent SOA in that case. If this was any other RR then ask for the SOA RR,
2209 * to see if that is signed. */
2210
2211 if (t->key->type == DNS_TYPE_DS) {
2212 r = dns_name_parent(&name);
2213 if (r > 0) {
2214 type = DNS_TYPE_SOA;
2215 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
2216 t->id, dns_resource_key_name(t->key));
2217 } else
2218 name = NULL;
2219
2220 } else if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
2221
2222 type = DNS_TYPE_DS;
2223 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
2224 t->id, dns_resource_key_name(t->key));
2225
2226 } else {
2227 type = DNS_TYPE_SOA;
2228 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
2229 t->id, dns_resource_key_name(t->key));
2230 }
2231
2232 if (name) {
2233 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2234
2235 soa = dns_resource_key_new(t->key->class, type, name);
2236 if (!soa)
2237 return -ENOMEM;
2238
2239 r = dns_transaction_request_dnssec_rr(t, soa);
2240 if (r < 0)
2241 return r;
2242 }
2243 }
2244
2245 return dns_transaction_dnssec_is_live(t);
2246 }
2247
2248 void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
2249 assert(t);
2250 assert(source);
2251
2252 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2253 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2254 the state is VALIDATING however, we should check if we are complete now. */
2255
2256 if (t->state == DNS_TRANSACTION_VALIDATING)
2257 dns_transaction_process_dnssec(t);
2258 }
2259
2260 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
2261 DnsResourceRecord *rr;
2262 int ifindex, r;
2263
2264 assert(t);
2265
2266 /* Add all DNSKEY RRs from the answer that are validated by DS
2267 * RRs from the list of validated keys to the list of
2268 * validated keys. */
2269
2270 DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, t->answer) {
2271
2272 r = dnssec_verify_dnskey_by_ds_search(rr, t->validated_keys);
2273 if (r < 0)
2274 return r;
2275 if (r == 0)
2276 continue;
2277
2278 /* If so, the DNSKEY is validated too. */
2279 r = dns_answer_add_extend(&t->validated_keys, rr, ifindex, DNS_ANSWER_AUTHENTICATED);
2280 if (r < 0)
2281 return r;
2282 }
2283
2284 return 0;
2285 }
2286
2287 static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
2288 int r;
2289
2290 assert(t);
2291 assert(rr);
2292
2293 /* Checks if the RR we are looking for must be signed with an
2294 * RRSIG. This is used for positive responses. */
2295
2296 if (t->scope->dnssec_mode == DNSSEC_NO)
2297 return false;
2298
2299 if (dns_type_is_pseudo(rr->key->type))
2300 return -EINVAL;
2301
2302 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2303 if (r < 0)
2304 return r;
2305 if (r > 0)
2306 return false;
2307
2308 switch (rr->key->type) {
2309
2310 case DNS_TYPE_RRSIG:
2311 /* RRSIGs are the signatures themselves, they need no signing. */
2312 return false;
2313
2314 case DNS_TYPE_SOA:
2315 case DNS_TYPE_NS: {
2316 DnsTransaction *dt;
2317 Iterator i;
2318
2319 /* For SOA or NS RRs we look for a matching DS transaction */
2320
2321 SET_FOREACH(dt, t->dnssec_transactions, i) {
2322
2323 if (dt->key->class != rr->key->class)
2324 continue;
2325 if (dt->key->type != DNS_TYPE_DS)
2326 continue;
2327
2328 r = dns_name_equal(dns_resource_key_name(dt->key), dns_resource_key_name(rr->key));
2329 if (r < 0)
2330 return r;
2331 if (r == 0)
2332 continue;
2333
2334 /* We found a DS transactions for the SOA/NS
2335 * RRs we are looking at. If it discovered signed DS
2336 * RRs, then we need to be signed, too. */
2337
2338 if (!dt->answer_authenticated)
2339 return false;
2340
2341 return dns_answer_match_key(dt->answer, dt->key, NULL);
2342 }
2343
2344 /* We found nothing that proves this is safe to leave
2345 * this unauthenticated, hence ask inist on
2346 * authentication. */
2347 return true;
2348 }
2349
2350 case DNS_TYPE_DS:
2351 case DNS_TYPE_CNAME:
2352 case DNS_TYPE_DNAME: {
2353 const char *parent = NULL;
2354 DnsTransaction *dt;
2355 Iterator i;
2356
2357 /*
2358 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2359 *
2360 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2361 */
2362
2363 SET_FOREACH(dt, t->dnssec_transactions, i) {
2364
2365 if (dt->key->class != rr->key->class)
2366 continue;
2367 if (dt->key->type != DNS_TYPE_SOA)
2368 continue;
2369
2370 if (!parent) {
2371 parent = dns_resource_key_name(rr->key);
2372 r = dns_name_parent(&parent);
2373 if (r < 0)
2374 return r;
2375 if (r == 0) {
2376 if (rr->key->type == DNS_TYPE_DS)
2377 return true;
2378
2379 /* A CNAME/DNAME without a parent? That's sooo weird. */
2380 log_debug("Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
2381 return -EBADMSG;
2382 }
2383 }
2384
2385 r = dns_name_equal(dns_resource_key_name(dt->key), parent);
2386 if (r < 0)
2387 return r;
2388 if (r == 0)
2389 continue;
2390
2391 return t->answer_authenticated;
2392 }
2393
2394 return true;
2395 }
2396
2397 default: {
2398 DnsTransaction *dt;
2399 Iterator i;
2400
2401 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
2402
2403 SET_FOREACH(dt, t->dnssec_transactions, i) {
2404
2405 if (dt->key->class != rr->key->class)
2406 continue;
2407 if (dt->key->type != DNS_TYPE_SOA)
2408 continue;
2409
2410 r = dns_name_equal(dns_resource_key_name(dt->key), dns_resource_key_name(rr->key));
2411 if (r < 0)
2412 return r;
2413 if (r == 0)
2414 continue;
2415
2416 /* We found the transaction that was supposed to find
2417 * the SOA RR for us. It was successful, but found no
2418 * RR for us. This means we are not at a zone cut. In
2419 * this case, we require authentication if the SOA
2420 * lookup was authenticated too. */
2421 return t->answer_authenticated;
2422 }
2423
2424 return true;
2425 }}
2426 }
2427
2428 static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2429 DnsTransaction *dt;
2430 const char *tld;
2431 Iterator i;
2432 int r;
2433
2434 /* If DNSSEC downgrade mode is on, checks whether the
2435 * specified RR is one level below a TLD we have proven not to
2436 * exist. In such a case we assume that this is a private
2437 * domain, and permit it.
2438 *
2439 * This detects cases like the Fritz!Box router networks. Each
2440 * Fritz!Box router serves a private "fritz.box" zone, in the
2441 * non-existing TLD "box". Requests for the "fritz.box" domain
2442 * are served by the router itself, while requests for the
2443 * "box" domain will result in NXDOMAIN.
2444 *
2445 * Note that this logic is unable to detect cases where a
2446 * router serves a private DNS zone directly under
2447 * non-existing TLD. In such a case we cannot detect whether
2448 * the TLD is supposed to exist or not, as all requests we
2449 * make for it will be answered by the router's zone, and not
2450 * by the root zone. */
2451
2452 assert(t);
2453
2454 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2455 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2456
2457 tld = dns_resource_key_name(key);
2458 r = dns_name_parent(&tld);
2459 if (r < 0)
2460 return r;
2461 if (r == 0)
2462 return false; /* Already the root domain */
2463
2464 if (!dns_name_is_single_label(tld))
2465 return false;
2466
2467 SET_FOREACH(dt, t->dnssec_transactions, i) {
2468
2469 if (dt->key->class != key->class)
2470 continue;
2471
2472 r = dns_name_equal(dns_resource_key_name(dt->key), tld);
2473 if (r < 0)
2474 return r;
2475 if (r == 0)
2476 continue;
2477
2478 /* We found an auxiliary lookup we did for the TLD. If
2479 * that returned with NXDOMAIN, we know the TLD didn't
2480 * exist, and hence this might be a private zone. */
2481
2482 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2483 }
2484
2485 return false;
2486 }
2487
2488 static int dns_transaction_requires_nsec(DnsTransaction *t) {
2489 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
2490 DnsTransaction *dt;
2491 const char *name;
2492 uint16_t type = 0;
2493 Iterator i;
2494 int r;
2495
2496 assert(t);
2497
2498 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2499 * this negative reply */
2500
2501 if (t->scope->dnssec_mode == DNSSEC_NO)
2502 return false;
2503
2504 if (dns_type_is_pseudo(t->key->type))
2505 return -EINVAL;
2506
2507 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(t->key));
2508 if (r < 0)
2509 return r;
2510 if (r > 0)
2511 return false;
2512
2513 r = dns_transaction_in_private_tld(t, t->key);
2514 if (r < 0)
2515 return r;
2516 if (r > 0) {
2517 /* The lookup is from a TLD that is proven not to
2518 * exist, and we are in downgrade mode, hence ignore
2519 * that fact that we didn't get any NSEC RRs. */
2520
2521 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.",
2522 dns_resource_key_to_string(t->key, key_str, sizeof key_str));
2523 return false;
2524 }
2525
2526 name = dns_resource_key_name(t->key);
2527
2528 if (t->key->type == DNS_TYPE_DS) {
2529
2530 /* We got a negative reply for this DS lookup? DS RRs are signed when their parent zone is signed,
2531 * hence check the parent SOA in this case. */
2532
2533 r = dns_name_parent(&name);
2534 if (r < 0)
2535 return r;
2536 if (r == 0)
2537 return true;
2538
2539 type = DNS_TYPE_SOA;
2540
2541 } else if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS))
2542 /* We got a negative reply for this SOA/NS lookup? If so, check if there's a DS RR for this */
2543 type = DNS_TYPE_DS;
2544 else
2545 /* For all other negative replies, check for the SOA lookup */
2546 type = DNS_TYPE_SOA;
2547
2548 /* For all other RRs we check the SOA on the same level to see
2549 * if it's signed. */
2550
2551 SET_FOREACH(dt, t->dnssec_transactions, i) {
2552
2553 if (dt->key->class != t->key->class)
2554 continue;
2555 if (dt->key->type != type)
2556 continue;
2557
2558 r = dns_name_equal(dns_resource_key_name(dt->key), name);
2559 if (r < 0)
2560 return r;
2561 if (r == 0)
2562 continue;
2563
2564 return dt->answer_authenticated;
2565 }
2566
2567 /* If in doubt, require NSEC/NSEC3 */
2568 return true;
2569 }
2570
2571 static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2572 DnsResourceRecord *rrsig;
2573 bool found = false;
2574 int r;
2575
2576 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2577 * the specified RRset is authenticated (i.e. has a matching
2578 * DS RR). */
2579
2580 r = dns_transaction_negative_trust_anchor_lookup(t, dns_resource_key_name(rr->key));
2581 if (r < 0)
2582 return r;
2583 if (r > 0)
2584 return false;
2585
2586 DNS_ANSWER_FOREACH(rrsig, t->answer) {
2587 DnsTransaction *dt;
2588 Iterator i;
2589
2590 r = dnssec_key_match_rrsig(rr->key, rrsig);
2591 if (r < 0)
2592 return r;
2593 if (r == 0)
2594 continue;
2595
2596 SET_FOREACH(dt, t->dnssec_transactions, i) {
2597
2598 if (dt->key->class != rr->key->class)
2599 continue;
2600
2601 if (dt->key->type == DNS_TYPE_DNSKEY) {
2602
2603 r = dns_name_equal(dns_resource_key_name(dt->key), rrsig->rrsig.signer);
2604 if (r < 0)
2605 return r;
2606 if (r == 0)
2607 continue;
2608
2609 /* OK, we found an auxiliary DNSKEY
2610 * lookup. If that lookup is
2611 * authenticated, report this. */
2612
2613 if (dt->answer_authenticated)
2614 return true;
2615
2616 found = true;
2617
2618 } else if (dt->key->type == DNS_TYPE_DS) {
2619
2620 r = dns_name_equal(dns_resource_key_name(dt->key), rrsig->rrsig.signer);
2621 if (r < 0)
2622 return r;
2623 if (r == 0)
2624 continue;
2625
2626 /* OK, we found an auxiliary DS
2627 * lookup. If that lookup is
2628 * authenticated and non-zero, we
2629 * won! */
2630
2631 if (!dt->answer_authenticated)
2632 return false;
2633
2634 return dns_answer_match_key(dt->answer, dt->key, NULL);
2635 }
2636 }
2637 }
2638
2639 return found ? false : -ENXIO;
2640 }
2641
2642 static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
2643 assert(t);
2644 assert(rr);
2645
2646 /* We know that the root domain is signed, hence if it appears
2647 * not to be signed, there's a problem with the DNS server */
2648
2649 return rr->key->class == DNS_CLASS_IN &&
2650 dns_name_is_root(dns_resource_key_name(rr->key));
2651 }
2652
2653 static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
2654 DnsResourceRecord *rr;
2655 int r;
2656
2657 assert(t);
2658
2659 /* Maybe warn the user that we encountered a revoked DNSKEY
2660 * for a key from our trust anchor. Note that we don't care
2661 * whether the DNSKEY can be authenticated or not. It's
2662 * sufficient if it is self-signed. */
2663
2664 DNS_ANSWER_FOREACH(rr, t->answer) {
2665 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
2666 if (r < 0)
2667 return r;
2668 }
2669
2670 return 0;
2671 }
2672
2673 static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
2674 bool changed;
2675 int r;
2676
2677 assert(t);
2678
2679 /* Removes all DNSKEY/DS objects from t->validated_keys that
2680 * our trust anchors database considers revoked. */
2681
2682 do {
2683 DnsResourceRecord *rr;
2684
2685 changed = false;
2686
2687 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
2688 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
2689 if (r < 0)
2690 return r;
2691 if (r > 0) {
2692 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
2693 if (r < 0)
2694 return r;
2695
2696 assert(r > 0);
2697 changed = true;
2698 break;
2699 }
2700 }
2701 } while (changed);
2702
2703 return 0;
2704 }
2705
2706 static int dns_transaction_copy_validated(DnsTransaction *t) {
2707 DnsTransaction *dt;
2708 Iterator i;
2709 int r;
2710
2711 assert(t);
2712
2713 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
2714
2715 SET_FOREACH(dt, t->dnssec_transactions, i) {
2716
2717 if (DNS_TRANSACTION_IS_LIVE(dt->state))
2718 continue;
2719
2720 if (!dt->answer_authenticated)
2721 continue;
2722
2723 r = dns_answer_extend(&t->validated_keys, dt->answer);
2724 if (r < 0)
2725 return r;
2726 }
2727
2728 return 0;
2729 }
2730
2731 typedef enum {
2732 DNSSEC_PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
2733 DNSSEC_PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
2734 DNSSEC_PHASE_ALL, /* Phase #3, validate everything else */
2735 } Phase;
2736
2737 static int dnssec_validate_records(
2738 DnsTransaction *t,
2739 Phase phase,
2740 bool *have_nsec,
2741 DnsAnswer **validated) {
2742
2743 DnsResourceRecord *rr;
2744 int r;
2745
2746 /* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
2747
2748 DNS_ANSWER_FOREACH(rr, t->answer) {
2749 DnsResourceRecord *rrsig = NULL;
2750 DnssecResult result;
2751
2752 switch (rr->key->type) {
2753 case DNS_TYPE_RRSIG:
2754 continue;
2755
2756 case DNS_TYPE_DNSKEY:
2757 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
2758 if (phase == DNSSEC_PHASE_NSEC)
2759 continue;
2760 break;
2761
2762 case DNS_TYPE_NSEC:
2763 case DNS_TYPE_NSEC3:
2764 *have_nsec = true;
2765
2766 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
2767 if (phase == DNSSEC_PHASE_DNSKEY)
2768 continue;
2769 break;
2770
2771 default:
2772 /* We validate all other RRs only in the ALL phases */
2773 if (phase != DNSSEC_PHASE_ALL)
2774 continue;
2775 }
2776
2777 r = dnssec_verify_rrset_search(t->answer, rr->key, t->validated_keys, USEC_INFINITY, &result, &rrsig);
2778 if (r < 0)
2779 return r;
2780
2781 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
2782
2783 if (result == DNSSEC_VALIDATED) {
2784
2785 if (rr->key->type == DNS_TYPE_DNSKEY) {
2786 /* If we just validated a DNSKEY RRset, then let's add these keys to
2787 * the set of validated keys for this transaction. */
2788
2789 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED);
2790 if (r < 0)
2791 return r;
2792
2793 /* Some of the DNSKEYs we just added might already have been revoked,
2794 * remove them again in that case. */
2795 r = dns_transaction_invalidate_revoked_keys(t);
2796 if (r < 0)
2797 return r;
2798 }
2799
2800 /* Add the validated RRset to the new list of validated
2801 * RRsets, and remove it from the unvalidated RRsets.
2802 * We mark the RRset as authenticated and cacheable. */
2803 r = dns_answer_move_by_key(validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE);
2804 if (r < 0)
2805 return r;
2806
2807 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
2808
2809 /* Exit the loop, we dropped something from the answer, start from the beginning */
2810 return 1;
2811 }
2812
2813 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
2814 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet,
2815 * we cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
2816 if (phase != DNSSEC_PHASE_ALL)
2817 continue;
2818
2819 if (result == DNSSEC_VALIDATED_WILDCARD) {
2820 bool authenticated = false;
2821 const char *source;
2822
2823 /* This RRset validated, but as a wildcard. This means we need
2824 * to prove via NSEC/NSEC3 that no matching non-wildcard RR exists. */
2825
2826 /* First step, determine the source of synthesis */
2827 r = dns_resource_record_source(rrsig, &source);
2828 if (r < 0)
2829 return r;
2830
2831 r = dnssec_test_positive_wildcard(*validated,
2832 dns_resource_key_name(rr->key),
2833 source,
2834 rrsig->rrsig.signer,
2835 &authenticated);
2836
2837 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
2838 if (r == 0)
2839 result = DNSSEC_INVALID;
2840 else {
2841 r = dns_answer_move_by_key(validated, &t->answer, rr->key,
2842 authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0);
2843 if (r < 0)
2844 return r;
2845
2846 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
2847
2848 /* Exit the loop, we dropped something from the answer, start from the beginning */
2849 return 1;
2850 }
2851 }
2852
2853 if (result == DNSSEC_NO_SIGNATURE) {
2854 r = dns_transaction_requires_rrsig(t, rr);
2855 if (r < 0)
2856 return r;
2857 if (r == 0) {
2858 /* Data does not require signing. In that case, just copy it over,
2859 * but remember that this is by no means authenticated. */
2860 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
2861 if (r < 0)
2862 return r;
2863
2864 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2865 return 1;
2866 }
2867
2868 r = dns_transaction_known_signed(t, rr);
2869 if (r < 0)
2870 return r;
2871 if (r > 0) {
2872 /* This is an RR we know has to be signed. If it isn't this means
2873 * the server is not attaching RRSIGs, hence complain. */
2874
2875 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
2876
2877 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
2878
2879 /* Downgrading is OK? If so, just consider the information unsigned */
2880
2881 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
2882 if (r < 0)
2883 return r;
2884
2885 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2886 return 1;
2887 }
2888
2889 /* Otherwise, fail */
2890 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
2891 return 0;
2892 }
2893
2894 r = dns_transaction_in_private_tld(t, rr->key);
2895 if (r < 0)
2896 return r;
2897 if (r > 0) {
2898 char s[DNS_RESOURCE_KEY_STRING_MAX];
2899
2900 /* The data is from a TLD that is proven not to exist, and we are in downgrade
2901 * mode, hence ignore the fact that this was not signed. */
2902
2903 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.",
2904 dns_resource_key_to_string(rr->key, s, sizeof s));
2905
2906 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
2907 if (r < 0)
2908 return r;
2909
2910 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2911 return 1;
2912 }
2913 }
2914
2915 if (IN_SET(result,
2916 DNSSEC_MISSING_KEY,
2917 DNSSEC_SIGNATURE_EXPIRED,
2918 DNSSEC_UNSUPPORTED_ALGORITHM)) {
2919
2920 r = dns_transaction_dnskey_authenticated(t, rr);
2921 if (r < 0 && r != -ENXIO)
2922 return r;
2923 if (r == 0) {
2924 /* The DNSKEY transaction was not authenticated, this means there's
2925 * no DS for this, which means it's OK if no keys are found for this signature. */
2926
2927 r = dns_answer_move_by_key(validated, &t->answer, rr->key, 0);
2928 if (r < 0)
2929 return r;
2930
2931 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2932 return 1;
2933 }
2934 }
2935
2936 r = dns_transaction_is_primary_response(t, rr);
2937 if (r < 0)
2938 return r;
2939 if (r > 0) {
2940 /* Look for a matching DNAME for this CNAME */
2941 r = dns_answer_has_dname_for_cname(t->answer, rr);
2942 if (r < 0)
2943 return r;
2944 if (r == 0) {
2945 /* Also look among the stuff we already validated */
2946 r = dns_answer_has_dname_for_cname(*validated, rr);
2947 if (r < 0)
2948 return r;
2949 }
2950
2951 if (r == 0) {
2952 if (IN_SET(result,
2953 DNSSEC_INVALID,
2954 DNSSEC_SIGNATURE_EXPIRED,
2955 DNSSEC_NO_SIGNATURE))
2956 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
2957 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
2958 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
2959
2960 /* This is a primary response to our question, and it failed validation.
2961 * That's fatal. */
2962 t->answer_dnssec_result = result;
2963 return 0;
2964 }
2965
2966 /* This is a primary response, but we do have a DNAME RR
2967 * in the RR that can replay this CNAME, hence rely on
2968 * that, and we can remove the CNAME in favour of it. */
2969 }
2970
2971 /* This is just some auxiliary data. Just remove the RRset and continue. */
2972 r = dns_answer_remove_by_key(&t->answer, rr->key);
2973 if (r < 0)
2974 return r;
2975
2976 /* We dropped something from the answer, start from the beginning. */
2977 return 1;
2978 }
2979
2980 return 2; /* Finito. */
2981 }
2982
2983 int dns_transaction_validate_dnssec(DnsTransaction *t) {
2984 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
2985 Phase phase;
2986 DnsAnswerFlags flags;
2987 int r;
2988 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
2989
2990 assert(t);
2991
2992 /* We have now collected all DS and DNSKEY RRs in
2993 * t->validated_keys, let's see which RRs we can now
2994 * authenticate with that. */
2995
2996 if (t->scope->dnssec_mode == DNSSEC_NO)
2997 return 0;
2998
2999 /* Already validated */
3000 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
3001 return 0;
3002
3003 /* Our own stuff needs no validation */
3004 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
3005 t->answer_dnssec_result = DNSSEC_VALIDATED;
3006 t->answer_authenticated = true;
3007 return 0;
3008 }
3009
3010 /* Cached stuff is not affected by validation. */
3011 if (t->answer_source != DNS_TRANSACTION_NETWORK)
3012 return 0;
3013
3014 if (!dns_transaction_dnssec_supported_full(t)) {
3015 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
3016 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
3017 log_debug("Not validating response for %" PRIu16 ", used server feature level does not support DNSSEC.", t->id);
3018 return 0;
3019 }
3020
3021 log_debug("Validating response from transaction %" PRIu16 " (%s).",
3022 t->id,
3023 dns_resource_key_to_string(t->key, key_str, sizeof key_str));
3024
3025 /* First, see if this response contains any revoked trust
3026 * anchors we care about */
3027 r = dns_transaction_check_revoked_trust_anchors(t);
3028 if (r < 0)
3029 return r;
3030
3031 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
3032 r = dns_transaction_copy_validated(t);
3033 if (r < 0)
3034 return r;
3035
3036 /* Second, see if there are DNSKEYs we already know a
3037 * validated DS for. */
3038 r = dns_transaction_validate_dnskey_by_ds(t);
3039 if (r < 0)
3040 return r;
3041
3042 /* Fourth, remove all DNSKEY and DS RRs again that our trust
3043 * anchor says are revoked. After all we might have marked
3044 * some keys revoked above, but they might still be lingering
3045 * in our validated_keys list. */
3046 r = dns_transaction_invalidate_revoked_keys(t);
3047 if (r < 0)
3048 return r;
3049
3050 phase = DNSSEC_PHASE_DNSKEY;
3051 for (;;) {
3052 bool have_nsec = false;
3053
3054 r = dnssec_validate_records(t, phase, &have_nsec, &validated);
3055 if (r <= 0)
3056 return r;
3057
3058 /* Try again as long as we managed to achieve something */
3059 if (r == 1)
3060 continue;
3061
3062 if (phase == DNSSEC_PHASE_DNSKEY && have_nsec) {
3063 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
3064 phase = DNSSEC_PHASE_NSEC;
3065 continue;
3066 }
3067
3068 if (phase != DNSSEC_PHASE_ALL) {
3069 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now.
3070 * Note that in this third phase we start to remove RRs we couldn't validate. */
3071 phase = DNSSEC_PHASE_ALL;
3072 continue;
3073 }
3074
3075 /* We're done */
3076 break;
3077 }
3078
3079 dns_answer_unref(t->answer);
3080 t->answer = TAKE_PTR(validated);
3081
3082 /* At this point the answer only contains validated
3083 * RRsets. Now, let's see if it actually answers the question
3084 * we asked. If so, great! If it doesn't, then see if
3085 * NSEC/NSEC3 can prove this. */
3086 r = dns_transaction_has_positive_answer(t, &flags);
3087 if (r > 0) {
3088 /* Yes, it answers the question! */
3089
3090 if (flags & DNS_ANSWER_AUTHENTICATED) {
3091 /* The answer is fully authenticated, yay. */
3092 t->answer_dnssec_result = DNSSEC_VALIDATED;
3093 t->answer_rcode = DNS_RCODE_SUCCESS;
3094 t->answer_authenticated = true;
3095 } else {
3096 /* The answer is not fully authenticated. */
3097 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3098 t->answer_authenticated = false;
3099 }
3100
3101 } else if (r == 0) {
3102 DnssecNsecResult nr;
3103 bool authenticated = false;
3104
3105 /* Bummer! Let's check NSEC/NSEC3 */
3106 r = dnssec_nsec_test(t->answer, t->key, &nr, &authenticated, &t->answer_nsec_ttl);
3107 if (r < 0)
3108 return r;
3109
3110 switch (nr) {
3111
3112 case DNSSEC_NSEC_NXDOMAIN:
3113 /* NSEC proves the domain doesn't exist. Very good. */
3114 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3115 t->answer_dnssec_result = DNSSEC_VALIDATED;
3116 t->answer_rcode = DNS_RCODE_NXDOMAIN;
3117 t->answer_authenticated = authenticated;
3118
3119 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
3120 break;
3121
3122 case DNSSEC_NSEC_NODATA:
3123 /* NSEC proves that there's no data here, very good. */
3124 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3125 t->answer_dnssec_result = DNSSEC_VALIDATED;
3126 t->answer_rcode = DNS_RCODE_SUCCESS;
3127 t->answer_authenticated = authenticated;
3128
3129 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
3130 break;
3131
3132 case DNSSEC_NSEC_OPTOUT:
3133 /* NSEC3 says the data might not be signed */
3134 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
3135 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3136 t->answer_authenticated = false;
3137
3138 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
3139 break;
3140
3141 case DNSSEC_NSEC_NO_RR:
3142 /* No NSEC data? Bummer! */
3143
3144 r = dns_transaction_requires_nsec(t);
3145 if (r < 0)
3146 return r;
3147 if (r > 0) {
3148 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
3149 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
3150 } else {
3151 t->answer_dnssec_result = DNSSEC_UNSIGNED;
3152 t->answer_authenticated = false;
3153 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
3154 }
3155
3156 break;
3157
3158 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
3159 /* We don't know the NSEC3 algorithm used? */
3160 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
3161 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, t->key);
3162 break;
3163
3164 case DNSSEC_NSEC_FOUND:
3165 case DNSSEC_NSEC_CNAME:
3166 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
3167 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
3168 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
3169 break;
3170
3171 default:
3172 assert_not_reached("Unexpected NSEC result.");
3173 }
3174 }
3175
3176 return 1;
3177 }
3178
3179 static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
3180 [DNS_TRANSACTION_NULL] = "null",
3181 [DNS_TRANSACTION_PENDING] = "pending",
3182 [DNS_TRANSACTION_VALIDATING] = "validating",
3183 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3184 [DNS_TRANSACTION_SUCCESS] = "success",
3185 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3186 [DNS_TRANSACTION_TIMEOUT] = "timeout",
3187 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
3188 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3189 [DNS_TRANSACTION_ERRNO] = "errno",
3190 [DNS_TRANSACTION_ABORTED] = "aborted",
3191 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3192 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3193 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3194 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3195 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3196 };
3197 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
3198
3199 static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
3200 [DNS_TRANSACTION_NETWORK] = "network",
3201 [DNS_TRANSACTION_CACHE] = "cache",
3202 [DNS_TRANSACTION_ZONE] = "zone",
3203 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
3204 };
3205 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.