]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/resolve/resolved-dns-query.c
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
resolved: add missing error code check when initializing DNS-over-TLS
[thirdparty/systemd.git] / src / resolve / resolved-dns-query.c
CommitLineData
53e1b683 1/* SPDX-License-Identifier: LGPL-2.1+ */
74b2466e 2
b5efdb8a 3#include "alloc-util.h"
2a1037af 4#include "dns-domain.h"
011696f7 5#include "dns-type.h"
b5efdb8a 6#include "hostname-util.h"
78c6a153 7#include "local-addresses.h"
74b2466e 8#include "resolved-dns-query.h"
839a4a20 9#include "resolved-dns-synthesize.h"
dd0bc0f1 10#include "resolved-etc-hosts.h"
23b298bc 11#include "string-util.h"
74b2466e 12
8ba9fd9c 13#define CNAME_MAX 8
39762fdf 14#define QUERIES_MAX 2048
45ec7efb 15#define AUXILIARY_QUERIES_MAX 64
8ba9fd9c 16
801ad6a6
LP		 17static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
18 DnsQueryCandidate *c;
74b2466e 19
801ad6a6 20 assert(ret);
faa133f3 21 assert(q);
801ad6a6 22 assert(s);
74b2466e 23
801ad6a6
LP		 24 c = new0(DnsQueryCandidate, 1);
25 if (!c)
26 return -ENOMEM;
27
28 c->query = q;
29 c->scope = s;
30
31 LIST_PREPEND(candidates_by_query, q->candidates, c);
32 LIST_PREPEND(candidates_by_scope, s->query_candidates, c);
33
34 *ret = c;
35 return 0;
36}
37
38static void dns_query_candidate_stop(DnsQueryCandidate *c) {
39 DnsTransaction *t;
74b2466e 40
801ad6a6
LP		 41 assert(c);
42
43 while ((t = set_steal_first(c->transactions))) {
547973de 44 set_remove(t->notify_query_candidates, c);
35aa04e9 45 set_remove(t->notify_query_candidates_done, c);
ec2c5e43 46 dns_transaction_gc(t);
74b2466e 47 }
74b2466e
LP		 48}
49
801ad6a6
LP		 50DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
51
52 if (!c)
53 return NULL;
54
55 dns_query_candidate_stop(c);
56
57 set_free(c->transactions);
58 dns_search_domain_unref(c->search_domain);
59
60 if (c->query)
61 LIST_REMOVE(candidates_by_query, c->query->candidates, c);
62
63 if (c->scope)
64 LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c);
65
6b430fdb 66 return mfree(c);
801ad6a6
LP		 67}
68
69static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
801ad6a6
LP		 70 DnsSearchDomain *next = NULL;
71
72 assert(c);
73
ad44b56b 74 if (c->search_domain && c->search_domain->linked)
801ad6a6 75 next = c->search_domain->domains_next;
ad44b56b
LP		 76 else
77 next = dns_scope_get_search_domains(c->scope);
801ad6a6 78
ad44b56b 79 for (;;) {
6627b7e2
LP		 80 if (!next) /* We hit the end of the list */
81 return 0;
801ad6a6 82
ad44b56b
LP		 83 if (!next->route_only)
84 break;
801ad6a6 85
ad44b56b
LP		 86 /* Skip over route-only domains */
87 next = next->domains_next;
801ad6a6
LP		 88 }
89
90 dns_search_domain_unref(c->search_domain);
91 c->search_domain = dns_search_domain_ref(next);
6627b7e2 92
801ad6a6
LP		 93 return 1;
94}
95
96static int dns_query_candidate_add_transaction(DnsQueryCandidate *c, DnsResourceKey *key) {
97 DnsTransaction *t;
98 int r;
99
100 assert(c);
101 assert(key);
102
801ad6a6
LP		 103 t = dns_scope_find_transaction(c->scope, key, true);
104 if (!t) {
105 r = dns_transaction_new(&t, c->scope, key);
106 if (r < 0)
107 return r;
547973de
LP		 108 } else {
109 if (set_contains(c->transactions, t))
110 return 0;
801ad6a6
LP		 111 }
112
547973de
LP		 113 r = set_ensure_allocated(&c->transactions, NULL);
114 if (r < 0)
115 goto gc;
116
117 r = set_ensure_allocated(&t->notify_query_candidates, NULL);
801ad6a6
LP		 118 if (r < 0)
119 goto gc;
120
35aa04e9
LP		 121 r = set_ensure_allocated(&t->notify_query_candidates_done, NULL);
122 if (r < 0)
123 goto gc;
124
547973de 125 r = set_put(t->notify_query_candidates, c);
801ad6a6
LP		 126 if (r < 0)
127 goto gc;
128
129 r = set_put(c->transactions, t);
130 if (r < 0) {
547973de 131 (void) set_remove(t->notify_query_candidates, c);
801ad6a6
LP		 132 goto gc;
133 }
134
17c8de63 135 t->clamp_ttl = c->query->clamp_ttl;
547973de 136 return 1;
801ad6a6
LP		 137
138gc:
139 dns_transaction_gc(t);
140 return r;
141}
142
143static int dns_query_candidate_go(DnsQueryCandidate *c) {
144 DnsTransaction *t;
145 Iterator i;
146 int r;
011696f7 147 unsigned n = 0;
801ad6a6
LP		 148
149 assert(c);
150
151 /* Start the transactions that are not started yet */
152 SET_FOREACH(t, c->transactions, i) {
153 if (t->state != DNS_TRANSACTION_NULL)
154 continue;
155
156 r = dns_transaction_go(t);
157 if (r < 0)
158 return r;
011696f7
LP		 159
160 n++;
801ad6a6
LP		 161 }
162
011696f7
LP		 163 /* If there was nothing to start, then let's proceed immediately */
164 if (n == 0)
165 dns_query_candidate_notify(c);
166
801ad6a6
LP		 167 return 0;
168}
169
170static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {
171 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
172 DnsTransaction *t;
173 Iterator i;
174
175 assert(c);
176
177 if (c->error_code != 0)
7cc6ed7b 178 return DNS_TRANSACTION_ERRNO;
801ad6a6
LP		 179
180 SET_FOREACH(t, c->transactions, i) {
181
182 switch (t->state) {
183
5264131a
LP		 184 case DNS_TRANSACTION_NULL:
185 /* If there's a NULL transaction pending, then
186 * this means not all transactions where
187 * started yet, and we were called from within
188 * the stackframe that is supposed to start
189 * remaining transactions. In this case,
190 * simply claim the candidate is pending. */
191
801ad6a6 192 case DNS_TRANSACTION_PENDING:
547973de
LP		 193 case DNS_TRANSACTION_VALIDATING:
194 /* If there's one transaction currently in
195 * VALIDATING state, then this means there's
196 * also one in PENDING state, hence we can
197 * return PENDING immediately. */
198 return DNS_TRANSACTION_PENDING;
801ad6a6
LP		 199
200 case DNS_TRANSACTION_SUCCESS:
201 state = t->state;
202 break;
203
204 default:
205 if (state != DNS_TRANSACTION_SUCCESS)
206 state = t->state;
207
208 break;
209 }
210 }
211
212 return state;
213}
214
011696f7
LP		 215static bool dns_query_candidate_is_routable(DnsQueryCandidate *c, uint16_t type) {
216 int family;
217
218 assert(c);
219
220 /* Checks whether the specified RR type matches an address family that is routable on the link(s) the scope of
221 * this candidate belongs to. Specifically, whether there's a routable IPv4 address on it if we query an A RR,
222 * or a routable IPv6 address if we query an AAAA RR. */
223
224 if (!c->query->suppress_unroutable_family)
225 return true;
226
227 if (c->scope->protocol != DNS_PROTOCOL_DNS)
228 return true;
229
230 family = dns_type_to_af(type);
231 if (family < 0)
232 return true;
233
234 if (c->scope->link)
235 return link_relevant(c->scope->link, family, false);
236 else
237 return manager_routable(c->scope->manager, family);
238}
239
801ad6a6 240static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) {
23b298bc 241 DnsQuestion *question;
801ad6a6
LP		 242 DnsResourceKey *key;
243 int n = 0, r;
244
245 assert(c);
246
247 dns_query_candidate_stop(c);
248
23b298bc
LP		 249 question = dns_query_question_for_protocol(c->query, c->scope->protocol);
250
801ad6a6 251 /* Create one transaction per question key */
23b298bc 252 DNS_QUESTION_FOREACH(key, question) {
801ad6a6 253 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL;
011696f7
LP		 254 DnsResourceKey *qkey;
255
256 if (!dns_query_candidate_is_routable(c, key->type))
257 continue;
801ad6a6
LP		 258
259 if (c->search_domain) {
260 r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name);
261 if (r < 0)
262 goto fail;
801ad6a6 263
011696f7
LP		 264 qkey = new_key;
265 } else
266 qkey = key;
267
268 if (!dns_scope_good_key(c->scope, qkey))
269 continue;
270
271 r = dns_query_candidate_add_transaction(c, qkey);
801ad6a6
LP		 272 if (r < 0)
273 goto fail;
274
275 n++;
276 }
277
278 return n;
279
280fail:
281 dns_query_candidate_stop(c);
282 return r;
283}
284
547973de 285void dns_query_candidate_notify(DnsQueryCandidate *c) {
801ad6a6
LP		 286 DnsTransactionState state;
287 int r;
288
289 assert(c);
290
291 state = dns_query_candidate_state(c);
292
547973de 293 if (DNS_TRANSACTION_IS_LIVE(state))
801ad6a6
LP		 294 return;
295
296 if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
297
298 r = dns_query_candidate_next_search_domain(c);
299 if (r < 0)
300 goto fail;
301
302 if (r > 0) {
303 /* OK, there's another search domain to try, let's do so. */
304
305 r = dns_query_candidate_setup_transactions(c);
306 if (r < 0)
307 goto fail;
308
309 if (r > 0) {
310 /* New transactions where queued. Start them and wait */
311
312 r = dns_query_candidate_go(c);
313 if (r < 0)
314 goto fail;
315
316 return;
317 }
318 }
319
320 }
321
322 dns_query_ready(c->query);
323 return;
324
325fail:
326 log_warning_errno(r, "Failed to follow search domains: %m");
327 c->error_code = r;
328 dns_query_ready(c->query);
329}
330
331static void dns_query_stop(DnsQuery *q) {
332 DnsQueryCandidate *c;
333
334 assert(q);
335
336 q->timeout_event_source = sd_event_source_unref(q->timeout_event_source);
337
338 LIST_FOREACH(candidates_by_query, c, q->candidates)
339 dns_query_candidate_stop(c);
340}
341
7820b320
LP		 342static void dns_query_free_candidates(DnsQuery *q) {
343 assert(q);
344
345 while (q->candidates)
346 dns_query_candidate_free(q->candidates);
347}
348
349static void dns_query_reset_answer(DnsQuery *q) {
350 assert(q);
351
352 q->answer = dns_answer_unref(q->answer);
353 q->answer_rcode = 0;
354 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
7cc6ed7b 355 q->answer_errno = 0;
7820b320
LP		 356 q->answer_authenticated = false;
357 q->answer_protocol = _DNS_PROTOCOL_INVALID;
358 q->answer_family = AF_UNSPEC;
359 q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
360}
361
74b2466e 362DnsQuery *dns_query_free(DnsQuery *q) {
74b2466e
LP		 363 if (!q)
364 return NULL;
365
45ec7efb
LP		 366 while (q->auxiliary_queries)
367 dns_query_free(q->auxiliary_queries);
368
369 if (q->auxiliary_for) {
370 assert(q->auxiliary_for->n_auxiliary_queries > 0);
371 q->auxiliary_for->n_auxiliary_queries--;
372 LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q);
373 }
374
7820b320 375 dns_query_free_candidates(q);
322345fd 376
23b298bc
LP		 377 dns_question_unref(q->question_idna);
378 dns_question_unref(q->question_utf8);
7820b320
LP		 379
380 dns_query_reset_answer(q);
322345fd 381
ec2c5e43 382 sd_bus_message_unref(q->request);
82bd6ddd 383 sd_bus_track_unref(q->bus_track);
74b2466e 384
b30bf55d 385 dns_packet_unref(q->request_dns_packet);
e8d23f92 386 dns_packet_unref(q->reply_dns_packet);
b30bf55d
LP		 387
388 if (q->request_dns_stream) {
389 /* Detach the stream from our query, in case something else keeps a reference to it. */
b412af57
LP		 390 (void) set_remove(q->request_dns_stream->queries, q);
391 q->request_dns_stream = dns_stream_unref(q->request_dns_stream);
b30bf55d
LP		 392 }
393
23b298bc
LP		 394 free(q->request_address_string);
395
39762fdf 396 if (q->manager) {
74b2466e 397 LIST_REMOVE(queries, q->manager->dns_queries, q);
39762fdf
LP		 398 q->manager->n_dns_queries--;
399 }
74b2466e 400
6b430fdb 401 return mfree(q);
74b2466e
LP		 402}
403
23b298bc
LP		 404int dns_query_new(
405 Manager *m,
406 DnsQuery **ret,
407 DnsQuestion *question_utf8,
408 DnsQuestion *question_idna,
17c8de63
LP		 409 int ifindex,
410 uint64_t flags) {
23b298bc 411
74b2466e 412 _cleanup_(dns_query_freep) DnsQuery *q = NULL;
23b298bc
LP		 413 DnsResourceKey *key;
414 bool good = false;
faa133f3 415 int r;
202b76ae 416 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
74b2466e
LP		 417
418 assert(m);
419
23b298bc
LP		 420 if (dns_question_size(question_utf8) > 0) {
421 r = dns_question_is_valid_for_query(question_utf8);
422 if (r < 0)
423 return r;
424 if (r == 0)
425 return -EINVAL;
426
427 good = true;
428 }
429
430 /* If the IDNA and UTF8 questions are the same, merge their references */
431 r = dns_question_is_equal(question_idna, question_utf8);
faa133f3
LP		 432 if (r < 0)
433 return r;
23b298bc
LP		 434 if (r > 0)
435 question_idna = question_utf8;
436 else {
437 if (dns_question_size(question_idna) > 0) {
438 r = dns_question_is_valid_for_query(question_idna);
439 if (r < 0)
440 return r;
441 if (r == 0)
442 return -EINVAL;
443
444 good = true;
445 }
446 }
447
448 if (!good) /* don't allow empty queries */
449 return -EINVAL;
74b2466e 450
39762fdf
LP		 451 if (m->n_dns_queries >= QUERIES_MAX)
452 return -EBUSY;
453
74b2466e
LP		 454 q = new0(DnsQuery, 1);
455 if (!q)
456 return -ENOMEM;
457
23b298bc
LP		 458 q->question_utf8 = dns_question_ref(question_utf8);
459 q->question_idna = dns_question_ref(question_idna);
51323288
LP		 460 q->ifindex = ifindex;
461 q->flags = flags;
7820b320 462 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
801ad6a6 463 q->answer_protocol = _DNS_PROTOCOL_INVALID;
7820b320 464 q->answer_family = AF_UNSPEC;
322345fd 465
23b298bc 466 /* First dump UTF8 question */
202b76ae
ZJS		 467 DNS_QUESTION_FOREACH(key, question_utf8)
468 log_debug("Looking up RR for %s.",
469 dns_resource_key_to_string(key, key_str, sizeof key_str));
23b298bc
LP		 470
471 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
472 DNS_QUESTION_FOREACH(key, question_idna) {
23b298bc
LP		 473 r = dns_question_contains(question_utf8, key);
474 if (r < 0)
475 return r;
476 if (r > 0)
477 continue;
478
202b76ae
ZJS		 479 log_debug("Looking up IDNA RR for %s.",
480 dns_resource_key_to_string(key, key_str, sizeof key_str));
74b2466e
LP		 481 }
482
483 LIST_PREPEND(queries, m->dns_queries, q);
39762fdf 484 m->n_dns_queries++;
74b2466e
LP		 485 q->manager = m;
486
8ba9fd9c
LP		 487 if (ret)
488 *ret = q;
489 q = NULL;
490
491 return 0;
492}
493
45ec7efb
LP		 494int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {
495 assert(q);
496 assert(auxiliary_for);
497
61233823 498 /* Ensure that the query is not auxiliary yet, and
45ec7efb
LP		 499 * nothing else is auxiliary to it either */
500 assert(!q->auxiliary_for);
501 assert(!q->auxiliary_queries);
502
503 /* Ensure that the unit we shall be made auxiliary for isn't
504 * auxiliary itself */
505 assert(!auxiliary_for->auxiliary_for);
506
507 if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX)
508 return -EAGAIN;
509
510 LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q);
511 q->auxiliary_for = auxiliary_for;
512
513 auxiliary_for->n_auxiliary_queries++;
514 return 0;
515}
516
ec2c5e43 517static void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
8ba9fd9c 518 assert(q);
547973de
LP		 519 assert(!DNS_TRANSACTION_IS_LIVE(state));
520 assert(DNS_TRANSACTION_IS_LIVE(q->state));
8ba9fd9c 521
322345fd
LP		 522 /* Note that this call might invalidate the query. Callers
523 * should hence not attempt to access the query or transaction
524 * after calling this function. */
8ba9fd9c 525
8ba9fd9c
LP		 526 q->state = state;
527
322345fd
LP		 528 dns_query_stop(q);
529 if (q->complete)
530 q->complete(q);
8ba9fd9c
LP		 531}
532
533static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) {
534 DnsQuery *q = userdata;
535
536 assert(s);
537 assert(q);
538
ec2c5e43 539 dns_query_complete(q, DNS_TRANSACTION_TIMEOUT);
8ba9fd9c
LP		 540 return 0;
541}
542
801ad6a6
LP		 543static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
544 DnsQueryCandidate *c;
faa133f3
LP		 545 int r;
546
547 assert(q);
ec2c5e43 548 assert(s);
faa133f3 549
801ad6a6 550 r = dns_query_candidate_new(&c, q, s);
faa133f3
LP		 551 if (r < 0)
552 return r;
553
801ad6a6 554 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
6da95857
YW		 555 if ((q->flags & SD_RESOLVED_NO_SEARCH) == 0 &&
556 dns_scope_name_needs_search_domain(s, dns_question_first_name(q->question_idna))) {
557 /* OK, we need a search domain now. Let's find one for this scope */
22f711bb 558
6da95857
YW		 559 r = dns_query_candidate_next_search_domain(c);
560 if (r <= 0) /* if there's no search domain, then we won't add any transaction. */
561 goto fail;
faa133f3
LP		 562 }
563
801ad6a6
LP		 564 r = dns_query_candidate_setup_transactions(c);
565 if (r < 0)
566 goto fail;
567
faa133f3
LP		 568 return 0;
569
801ad6a6
LP		 570fail:
571 dns_query_candidate_free(c);
faa133f3
LP		 572 return r;
573}
574
78c6a153 575static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
2a1037af 576 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
dd0bc0f1 577 int r;
2a1037af
LP		 578
579 assert(q);
580 assert(state);
581
dd0bc0f1
LP		 582 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
583 * the normal lookup finished. The data from the network hence takes precedence over the data we
584 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
2a1037af
LP		 585
586 if (!IN_SET(*state,
3bbdc31d 587 DNS_TRANSACTION_RCODE_FAILURE,
2a1037af
LP		 588 DNS_TRANSACTION_NO_SERVERS,
589 DNS_TRANSACTION_TIMEOUT,
edbcc1fd 590 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED,
0791110f
LP		 591 DNS_TRANSACTION_NETWORK_DOWN,
592 DNS_TRANSACTION_NOT_FOUND))
78c6a153 593 return 0;
2a1037af 594
839a4a20
LP		 595 r = dns_synthesize_answer(
596 q->manager,
597 q->question_utf8,
598 q->ifindex,
dd0bc0f1 599 &answer);
acf06088
LP		 600 if (r == -ENXIO) {
601 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
2a1037af 602
acf06088
LP		 603 dns_query_reset_answer(q);
604 q->answer_rcode = DNS_RCODE_NXDOMAIN;
605 q->answer_protocol = dns_synthesize_protocol(q->flags);
606 q->answer_family = dns_synthesize_family(q->flags);
607 q->answer_authenticated = true;
608 *state = DNS_TRANSACTION_RCODE_FAILURE;
609
610 return 0;
611 }
839a4a20
LP		 612 if (r <= 0)
613 return r;
2a1037af 614
839a4a20 615 dns_query_reset_answer(q);
2a1037af 616
1cc6c93a 617 q->answer = TAKE_PTR(answer);
2a1037af 618 q->answer_rcode = DNS_RCODE_SUCCESS;
dd0bc0f1
LP		 619 q->answer_protocol = dns_synthesize_protocol(q->flags);
620 q->answer_family = dns_synthesize_family(q->flags);
839a4a20 621 q->answer_authenticated = true;
2a1037af
LP		 622
623 *state = DNS_TRANSACTION_SUCCESS;
78c6a153
LP		 624
625 return 1;
2a1037af
LP		 626}
627
dd0bc0f1
LP		 628static int dns_query_try_etc_hosts(DnsQuery *q) {
629 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
630 int r;
631
632 assert(q);
633
634 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is done. The
635 * data from /etc/hosts hence takes precedence over the network. */
636
637 r = manager_etc_hosts_lookup(
638 q->manager,
639 q->question_utf8,
640 &answer);
641 if (r <= 0)
642 return r;
643
644 dns_query_reset_answer(q);
645
1cc6c93a 646 q->answer = TAKE_PTR(answer);
dd0bc0f1
LP		 647 q->answer_rcode = DNS_RCODE_SUCCESS;
648 q->answer_protocol = dns_synthesize_protocol(q->flags);
649 q->answer_family = dns_synthesize_family(q->flags);
650 q->answer_authenticated = true;
651
652 return 1;
653}
654
322345fd 655int dns_query_go(DnsQuery *q) {
8ba9fd9c
LP		 656 DnsScopeMatch found = DNS_SCOPE_NO;
657 DnsScope *s, *first = NULL;
801ad6a6 658 DnsQueryCandidate *c;
8ba9fd9c
LP		 659 int r;
660
661 assert(q);
662
ec2c5e43 663 if (q->state != DNS_TRANSACTION_NULL)
8ba9fd9c
LP		 664 return 0;
665
dd0bc0f1
LP		 666 r = dns_query_try_etc_hosts(q);
667 if (r < 0)
668 return r;
669 if (r > 0) {
670 dns_query_complete(q, DNS_TRANSACTION_SUCCESS);
671 return 1;
672 }
673
8ba9fd9c 674 LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
74b2466e 675 DnsScopeMatch match;
23b298bc
LP		 676 const char *name;
677
678 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
679 if (!name)
680 continue;
74b2466e 681
51323288 682 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
a97a3b25
LP		 683 if (match < 0) {
684 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
74b2466e 685 continue;
a97a3b25 686 }
74b2466e 687
a97a3b25
LP		 688 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
689 * that matches this well */
690 found = match;
74b2466e 691 first = s;
74b2466e
LP		 692 }
693 }
694
2a1037af
LP		 695 if (found == DNS_SCOPE_NO) {
696 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
697
7cc6ed7b
LP		 698 r = dns_query_synthesize_reply(q, &state);
699 if (r < 0)
700 return r;
701
d634711b
LP		 702 dns_query_complete(q, state);
703 return 1;
2a1037af 704 }
74b2466e 705
801ad6a6 706 r = dns_query_add_candidate(q, first);
74b2466e 707 if (r < 0)
ec2c5e43 708 goto fail;
74b2466e 709
74b2466e
LP		 710 LIST_FOREACH(scopes, s, first->scopes_next) {
711 DnsScopeMatch match;
23b298bc
LP		 712 const char *name;
713
714 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
715 if (!name)
716 continue;
74b2466e 717
51323288 718 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
a97a3b25 719 if (match < 0) {
4605de11 720 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
a97a3b25
LP		 721 continue;
722 }
74b2466e 723
a97a3b25 724 if (match < found)
74b2466e
LP		 725 continue;
726
801ad6a6 727 r = dns_query_add_candidate(q, s);
74b2466e 728 if (r < 0)
ec2c5e43 729 goto fail;
74b2466e
LP		 730 }
731
ab88b6d0 732 dns_query_reset_answer(q);
74b2466e 733
9a015429
LP		 734 r = sd_event_add_time(
735 q->manager->event,
736 &q->timeout_event_source,
737 clock_boottime_or_monotonic(),
4cbfd62b
MCO		 738 now(clock_boottime_or_monotonic()) + SD_RESOLVED_QUERY_TIMEOUT_USEC,
739 0, on_query_timeout, q);
74b2466e
LP		 740 if (r < 0)
741 goto fail;
742
aa4a9deb
LP		 743 (void) sd_event_source_set_description(q->timeout_event_source, "query-timeout");
744
ec2c5e43 745 q->state = DNS_TRANSACTION_PENDING;
faa133f3 746 q->block_ready++;
74b2466e 747
801ad6a6
LP		 748 /* Start the transactions */
749 LIST_FOREACH(candidates_by_query, c, q->candidates) {
750 r = dns_query_candidate_go(c);
751 if (r < 0) {
752 q->block_ready--;
ec2c5e43 753 goto fail;
801ad6a6 754 }
74b2466e
LP		 755 }
756
faa133f3
LP		 757 q->block_ready--;
758 dns_query_ready(q);
322345fd 759
8ba9fd9c 760 return 1;
74b2466e
LP		 761
762fail:
8ba9fd9c 763 dns_query_stop(q);
74b2466e
LP		 764 return r;
765}
766
801ad6a6 767static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
ec2c5e43 768 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
547973de 769 bool has_authenticated = false, has_non_authenticated = false;
019036a4 770 DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
801ad6a6 771 DnsTransaction *t;
faa133f3 772 Iterator i;
547973de 773 int r;
74b2466e
LP		 774
775 assert(q);
776
801ad6a6 777 if (!c) {
7cc6ed7b
LP		 778 r = dns_query_synthesize_reply(q, &state);
779 if (r < 0)
780 goto fail;
781
801ad6a6 782 dns_query_complete(q, state);
74b2466e 783 return;
801ad6a6 784 }
74b2466e 785
a7bf2ada
LP		 786 if (c->error_code != 0) {
787 /* If the candidate had an error condition of its own, start with that. */
788 state = DNS_TRANSACTION_ERRNO;
789 q->answer = dns_answer_unref(q->answer);
790 q->answer_rcode = 0;
791 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
cbb1aabb 792 q->answer_authenticated = false;
a7bf2ada
LP		 793 q->answer_errno = c->error_code;
794 }
795
801ad6a6 796 SET_FOREACH(t, c->transactions, i) {
74b2466e 797
801ad6a6 798 switch (t->state) {
934e9b10 799
801ad6a6 800 case DNS_TRANSACTION_SUCCESS: {
f8e2f4d6 801 /* We found a successfully reply, merge it into the answer */
547973de 802 r = dns_answer_extend(&q->answer, t->answer);
7cc6ed7b
LP		 803 if (r < 0)
804 goto fail;
019036a4 805
ae6a4bbf 806 q->answer_rcode = t->answer_rcode;
7cc6ed7b 807 q->answer_errno = 0;
801ad6a6 808
019036a4 809 if (t->answer_authenticated) {
931851e8 810 has_authenticated = true;
019036a4
LP		 811 dnssec_result_authenticated = t->answer_dnssec_result;
812 } else {
931851e8 813 has_non_authenticated = true;
019036a4
LP		 814 dnssec_result_non_authenticated = t->answer_dnssec_result;
815 }
931851e8 816
801ad6a6
LP		 817 state = DNS_TRANSACTION_SUCCESS;
818 break;
819 }
820
801ad6a6 821 case DNS_TRANSACTION_NULL:
547973de
LP		 822 case DNS_TRANSACTION_PENDING:
823 case DNS_TRANSACTION_VALIDATING:
801ad6a6
LP		 824 case DNS_TRANSACTION_ABORTED:
825 /* Ignore transactions that didn't complete */
826 continue;
827
828 default:
cbb1aabb 829 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
019036a4
LP		 830 if (state == DNS_TRANSACTION_SUCCESS)
831 continue;
934e9b10 832
cbb1aabb
LP		 833 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
834 if (q->answer_authenticated && !t->answer_authenticated)
835 continue;
836
d38d5ca6 837 q->answer = dns_answer_unref(q->answer);
019036a4
LP		 838 q->answer_rcode = t->answer_rcode;
839 q->answer_dnssec_result = t->answer_dnssec_result;
cbb1aabb 840 q->answer_authenticated = t->answer_authenticated;
7cc6ed7b 841 q->answer_errno = t->answer_errno;
934e9b10 842
019036a4 843 state = t->state;
801ad6a6 844 break;
74b2466e 845 }
801ad6a6 846 }
74b2466e 847
019036a4
LP		 848 if (state == DNS_TRANSACTION_SUCCESS) {
849 q->answer_authenticated = has_authenticated && !has_non_authenticated;
850 q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated;
851 }
852
801ad6a6
LP		 853 q->answer_protocol = c->scope->protocol;
854 q->answer_family = c->scope->family;
934e9b10 855
801ad6a6
LP		 856 dns_search_domain_unref(q->answer_search_domain);
857 q->answer_search_domain = dns_search_domain_ref(c->search_domain);
7e8e0422 858
7cc6ed7b
LP		 859 r = dns_query_synthesize_reply(q, &state);
860 if (r < 0)
861 goto fail;
862
801ad6a6 863 dns_query_complete(q, state);
7cc6ed7b
LP		 864 return;
865
866fail:
867 q->answer_errno = -r;
868 dns_query_complete(q, DNS_TRANSACTION_ERRNO);
801ad6a6 869}
934e9b10 870
801ad6a6 871void dns_query_ready(DnsQuery *q) {
74b2466e 872
801ad6a6
LP		 873 DnsQueryCandidate *bad = NULL, *c;
874 bool pending = false;
74b2466e 875
801ad6a6 876 assert(q);
547973de 877 assert(DNS_TRANSACTION_IS_LIVE(q->state));
e4501ed4 878
801ad6a6
LP		 879 /* Note that this call might invalidate the query. Callers
880 * should hence not attempt to access the query or transaction
881 * after calling this function, unless the block_ready
882 * counter was explicitly bumped before doing so. */
883
884 if (q->block_ready > 0)
885 return;
886
887 LIST_FOREACH(candidates_by_query, c, q->candidates) {
888 DnsTransactionState state;
889
890 state = dns_query_candidate_state(c);
891 switch (state) {
892
893 case DNS_TRANSACTION_SUCCESS:
547973de 894 /* One of the candidates is successful,
801ad6a6
LP		 895 * let's use it, and copy its data out */
896 dns_query_accept(q, c);
e4501ed4
LP		 897 return;
898
801ad6a6 899 case DNS_TRANSACTION_NULL:
547973de
LP		 900 case DNS_TRANSACTION_PENDING:
901 case DNS_TRANSACTION_VALIDATING:
902 /* One of the candidates is still going on,
903 * let's maybe wait for it */
801ad6a6
LP		 904 pending = true;
905 break;
e4501ed4 906
801ad6a6
LP		 907 default:
908 /* Any kind of failure */
909 bad = c;
910 break;
911 }
faa133f3 912 }
74b2466e 913
801ad6a6
LP		 914 if (pending)
915 return;
2a1037af 916
801ad6a6 917 dns_query_accept(q, bad);
74b2466e 918}
8ba9fd9c 919
45ec7efb 920static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) {
23b298bc
LP		 921 _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL;
922 int r, k;
8ba9fd9c
LP		 923
924 assert(q);
925
313cefa1 926 q->n_cname_redirects++;
faa133f3 927 if (q->n_cname_redirects > CNAME_MAX)
8ba9fd9c
LP		 928 return -ELOOP;
929
23b298bc 930 r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
faa133f3
LP		 931 if (r < 0)
932 return r;
23b298bc 933 else if (r > 0)
8ec76e6a 934 log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna));
23b298bc
LP		 935
936 k = dns_question_is_equal(q->question_idna, q->question_utf8);
937 if (k < 0)
938 return r;
939 if (k > 0) {
940 /* Same question? Shortcut new question generation */
941 nq_utf8 = dns_question_ref(nq_idna);
942 k = r;
943 } else {
944 k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8);
945 if (k < 0)
946 return k;
947 else if (k > 0)
8ec76e6a 948 log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8));
23b298bc 949 }
8ba9fd9c 950
23b298bc
LP		 951 if (r == 0 && k == 0) /* No actual cname happened? */
952 return -ELOOP;
953
8e5de09f
LP		 954 if (q->answer_protocol == DNS_PROTOCOL_DNS) {
955 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
956 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
957 * ones. */
958
959 q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
960 }
961
962 /* Turn off searching for the new name */
963 q->flags |= SD_RESOLVED_NO_SEARCH;
964
23b298bc 965 dns_question_unref(q->question_idna);
1cc6c93a 966 q->question_idna = TAKE_PTR(nq_idna);
bc7669cf 967
23b298bc 968 dns_question_unref(q->question_utf8);
1cc6c93a 969 q->question_utf8 = TAKE_PTR(nq_utf8);
8ba9fd9c 970
7820b320
LP		 971 dns_query_free_candidates(q);
972 dns_query_reset_answer(q);
322345fd 973
8e5de09f 974 q->state = DNS_TRANSACTION_NULL;
59a89990 975
8ba9fd9c
LP		 976 return 0;
977}
82bd6ddd 978
45ec7efb
LP		 979int dns_query_process_cname(DnsQuery *q) {
980 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL;
23b298bc 981 DnsQuestion *question;
45ec7efb
LP		 982 DnsResourceRecord *rr;
983 int r;
984
985 assert(q);
986
7588460a
TG		 987 if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL))
988 return DNS_QUERY_NOMATCH;
45ec7efb 989
23b298bc 990 question = dns_query_question_for_protocol(q, q->answer_protocol);
45ec7efb 991
23b298bc
LP		 992 DNS_ANSWER_FOREACH(rr, q->answer) {
993 r = dns_question_matches_rr(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
45ec7efb
LP		 994 if (r < 0)
995 return r;
996 if (r > 0)
7588460a 997 return DNS_QUERY_MATCH; /* The answer matches directly, no need to follow cnames */
45ec7efb 998
542e0c84 999 r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
45ec7efb
LP		 1000 if (r < 0)
1001 return r;
1002 if (r > 0 && !cname)
1003 cname = dns_resource_record_ref(rr);
1004 }
1005
1006 if (!cname)
7588460a 1007 return DNS_QUERY_NOMATCH; /* No match and no cname to follow */
45ec7efb
LP		 1008
1009 if (q->flags & SD_RESOLVED_NO_CNAME)
1010 return -ELOOP;
1011
28830a64
LP		 1012 if (!q->answer_authenticated)
1013 q->previous_redirect_unauthenticated = true;
1014
45ec7efb
LP		 1015 /* OK, let's actually follow the CNAME */
1016 r = dns_query_cname_redirect(q, cname);
1017 if (r < 0)
1018 return r;
1019
1020 /* Let's see if the answer can already answer the new
1021 * redirected question */
7588460a
TG		 1022 r = dns_query_process_cname(q);
1023 if (r != DNS_QUERY_NOMATCH)
1024 return r;
45ec7efb
LP		 1025
1026 /* OK, it cannot, let's begin with the new query */
1027 r = dns_query_go(q);
1028 if (r < 0)
1029 return r;
1030
7588460a 1031 return DNS_QUERY_RESTARTED; /* We restarted the query for a new cname */
45ec7efb
LP		 1032}
1033
82bd6ddd
LP		 1034static int on_bus_track(sd_bus_track *t, void *userdata) {
1035 DnsQuery *q = userdata;
1036
1037 assert(t);
1038 assert(q);
1039
1040 log_debug("Client of active query vanished, aborting query.");
1041 dns_query_complete(q, DNS_TRANSACTION_ABORTED);
1042 return 0;
1043}
1044
966c66e3 1045int dns_query_bus_track(DnsQuery *q, sd_bus_message *m) {
82bd6ddd
LP		 1046 int r;
1047
1048 assert(q);
1049 assert(m);
1050
1051 if (!q->bus_track) {
966c66e3 1052 r = sd_bus_track_new(sd_bus_message_get_bus(m), &q->bus_track, on_bus_track, q);
82bd6ddd
LP		 1053 if (r < 0)
1054 return r;
1055 }
1056
1057 r = sd_bus_track_add_sender(q->bus_track, m);
1058 if (r < 0)
1059 return r;
1060
1061 return 0;
1062}
23b298bc
LP		 1063
1064DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) {
1065 assert(q);
1066
1067 switch (protocol) {
1068
1069 case DNS_PROTOCOL_DNS:
1070 return q->question_idna;
1071
1072 case DNS_PROTOCOL_MDNS:
1073 case DNS_PROTOCOL_LLMNR:
1074 return q->question_utf8;
1075
1076 default:
1077 return NULL;
1078 }
1079}
1080
1081const char *dns_query_string(DnsQuery *q) {
1082 const char *name;
1083 int r;
1084
1085 /* Returns a somewhat useful human-readable lookup key string for this query */
1086
1087 if (q->request_address_string)
1088 return q->request_address_string;
1089
1090 if (q->request_address_valid) {
1091 r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string);
1092 if (r >= 0)
1093 return q->request_address_string;
1094 }
1095
1096 name = dns_question_first_name(q->question_utf8);
1097 if (name)
1098 return name;
1099
1100 return dns_question_first_name(q->question_idna);
1101}
28830a64
LP		 1102
1103bool dns_query_fully_authenticated(DnsQuery *q) {
1104 assert(q);
1105
1106 return q->answer_authenticated && !q->previous_redirect_unauthenticated;
1107}
Unnamed repository; edit this file 'description' to name the repository.