1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include "alloc-util.h"
7 #include "dns-domain.h"
8 #include "format-util.h"
9 #include "resolved-dns-answer.h"
10 #include "resolved-dns-cache.h"
11 #include "resolved-dns-packet.h"
12 #include "string-util.h"
14 /* Never cache more than 4K entries. RFC 1536, Section 5 suggests to
15 * leave DNS caches unbounded, but that's crazy. */
16 #define CACHE_MAX 4096
18 /* We never keep any item longer than 2h in our cache unless StaleRetentionSec is greater than zero. */
19 #define CACHE_TTL_MAX_USEC (2 * USEC_PER_HOUR)
21 /* The max TTL for stale data is set to 30 seconds. See RFC 8767, Section 6. */
22 #define CACHE_STALE_TTL_MAX_USEC (30 * USEC_PER_SEC)
24 /* How long to cache strange rcodes, i.e. rcodes != SUCCESS and != NXDOMAIN (specifically: that's only SERVFAIL for
26 #define CACHE_TTL_STRANGE_RCODE_USEC (10 * USEC_PER_SEC)
28 #define CACHEABLE_QUERY_FLAGS (SD_RESOLVED_AUTHENTICATED|SD_RESOLVED_CONFIDENTIAL)
30 typedef enum DnsCacheItemType DnsCacheItemType
;
31 typedef struct DnsCacheItem DnsCacheItem
;
33 enum DnsCacheItemType
{
37 DNS_CACHE_RCODE
, /* "strange" RCODE (effective only SERVFAIL for now) */
41 DnsCacheItemType type
;
43 DnsResourceKey
*key
; /* The key for this item, i.e. the lookup key */
44 DnsResourceRecord
*rr
; /* The RR for this item, i.e. the lookup value for positive queries */
45 DnsAnswer
*answer
; /* The full validated answer, if this is an RRset acquired via a "primary" lookup */
46 DnsPacket
*full_packet
; /* The full packet this information was acquired with */
48 usec_t until
; /* If StaleRetentionSec is greater than zero, until is set to a duration of StaleRetentionSec from the time of TTL expiry. If StaleRetentionSec is zero, both until and until_valid will be set to ttl. */
49 usec_t until_valid
; /* The key is for storing the time when the TTL set to expire. */
50 uint64_t query_flags
; /* SD_RESOLVED_AUTHENTICATED and/or SD_RESOLVED_CONFIDENTIAL */
51 DnssecResult dnssec_result
;
55 union in_addr_union owner_address
;
58 LIST_FIELDS(DnsCacheItem
, by_key
);
63 /* Returns true if this is a cache item created as result of an explicit lookup, or created as "side-effect"
64 * of another request. "Primary" entries will carry the full answer data (with NSEC, …) that can aso prove
65 * wildcard expansion, non-existence and such, while entries that were created as "side-effect" just contain
66 * immediate RR data for the specified RR key, but nothing else. */
67 #define DNS_CACHE_ITEM_IS_PRIMARY(item) (!!(item)->answer)
69 static const char *dns_cache_item_type_to_string(DnsCacheItem
*item
) {
74 case DNS_CACHE_POSITIVE
:
77 case DNS_CACHE_NODATA
:
80 case DNS_CACHE_NXDOMAIN
:
84 return dns_rcode_to_string(item
->rcode
);
90 static DnsCacheItem
* dns_cache_item_free(DnsCacheItem
*i
) {
94 dns_resource_record_unref(i
->rr
);
95 dns_resource_key_unref(i
->key
);
96 dns_answer_unref(i
->answer
);
97 dns_packet_unref(i
->full_packet
);
100 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsCacheItem
*, dns_cache_item_free
);
102 static void dns_cache_item_unlink_and_free(DnsCache
*c
, DnsCacheItem
*i
) {
110 first
= hashmap_get(c
->by_key
, i
->key
);
111 LIST_REMOVE(by_key
, first
, i
);
114 assert_se(hashmap_replace(c
->by_key
, first
->key
, first
) >= 0);
116 hashmap_remove(c
->by_key
, i
->key
);
118 prioq_remove(c
->by_expiry
, i
, &i
->prioq_idx
);
120 dns_cache_item_free(i
);
123 static bool dns_cache_remove_by_rr(DnsCache
*c
, DnsResourceRecord
*rr
) {
127 first
= hashmap_get(c
->by_key
, rr
->key
);
128 LIST_FOREACH(by_key
, i
, first
) {
129 r
= dns_resource_record_equal(i
->rr
, rr
);
133 dns_cache_item_unlink_and_free(c
, i
);
141 static bool dns_cache_remove_by_key(DnsCache
*c
, DnsResourceKey
*key
) {
147 first
= hashmap_remove(c
->by_key
, key
);
151 LIST_FOREACH(by_key
, i
, first
) {
152 prioq_remove(c
->by_expiry
, i
, &i
->prioq_idx
);
153 dns_cache_item_free(i
);
159 void dns_cache_flush(DnsCache
*c
) {
164 while ((key
= hashmap_first_key(c
->by_key
)))
165 dns_cache_remove_by_key(c
, key
);
167 assert(hashmap_isempty(c
->by_key
));
168 assert(prioq_isempty(c
->by_expiry
));
170 c
->by_key
= hashmap_free(c
->by_key
);
171 c
->by_expiry
= prioq_free(c
->by_expiry
);
174 static void dns_cache_make_space(DnsCache
*c
, unsigned add
) {
180 /* Makes space for n new entries. Note that we actually allow
181 * the cache to grow beyond CACHE_MAX, but only when we shall
182 * add more RRs to the cache than CACHE_MAX at once. In that
183 * case the cache will be emptied completely otherwise. */
186 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
189 if (prioq_isempty(c
->by_expiry
))
192 if (prioq_size(c
->by_expiry
) + add
< CACHE_MAX
)
195 i
= prioq_peek(c
->by_expiry
);
198 /* Take an extra reference to the key so that it
199 * doesn't go away in the middle of the remove call */
200 key
= dns_resource_key_ref(i
->key
);
201 dns_cache_remove_by_key(c
, key
);
205 void dns_cache_prune(DnsCache
*c
) {
210 /* Remove all entries that are past their TTL */
214 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
216 i
= prioq_peek(c
->by_expiry
);
221 t
= now(CLOCK_BOOTTIME
);
226 /* Depending whether this is an mDNS shared entry
227 * either remove only this one RR or the whole RRset */
228 log_debug("Removing %scache entry for %s (expired "USEC_FMT
"s ago)",
229 i
->shared_owner
? "shared " : "",
230 dns_resource_key_to_string(i
->key
, key_str
, sizeof key_str
),
231 (t
- i
->until
) / USEC_PER_SEC
);
234 dns_cache_item_unlink_and_free(c
, i
);
236 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
238 /* Take an extra reference to the key so that it
239 * doesn't go away in the middle of the remove call */
240 key
= dns_resource_key_ref(i
->key
);
241 dns_cache_remove_by_key(c
, key
);
246 bool dns_cache_expiry_in_one_second(DnsCache
*c
, usec_t t
) {
251 /* Check if any items expire within the next second */
252 i
= prioq_peek(c
->by_expiry
);
256 if (i
->until
<= usec_add(t
, USEC_PER_SEC
))
262 static int dns_cache_item_prioq_compare_func(const void *a
, const void *b
) {
263 const DnsCacheItem
*x
= a
, *y
= b
;
265 return CMP(x
->until
, y
->until
);
268 static int dns_cache_init(DnsCache
*c
) {
273 r
= prioq_ensure_allocated(&c
->by_expiry
, dns_cache_item_prioq_compare_func
);
277 r
= hashmap_ensure_allocated(&c
->by_key
, &dns_resource_key_hash_ops
);
284 static int dns_cache_link_item(DnsCache
*c
, DnsCacheItem
*i
) {
291 r
= prioq_put(c
->by_expiry
, i
, &i
->prioq_idx
);
295 first
= hashmap_get(c
->by_key
, i
->key
);
297 _unused_
_cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*k
= NULL
;
299 /* Keep a reference to the original key, while we manipulate the list. */
300 k
= dns_resource_key_ref(first
->key
);
302 /* Now, try to reduce the number of keys we keep */
303 dns_resource_key_reduce(&first
->key
, &i
->key
);
306 dns_resource_key_reduce(&first
->rr
->key
, &i
->key
);
308 dns_resource_key_reduce(&i
->rr
->key
, &i
->key
);
310 LIST_PREPEND(by_key
, first
, i
);
311 assert_se(hashmap_replace(c
->by_key
, first
->key
, first
) >= 0);
313 r
= hashmap_put(c
->by_key
, i
->key
, i
);
315 prioq_remove(c
->by_expiry
, i
, &i
->prioq_idx
);
323 static DnsCacheItem
* dns_cache_get(DnsCache
*c
, DnsResourceRecord
*rr
) {
327 LIST_FOREACH(by_key
, i
, (DnsCacheItem
*) hashmap_get(c
->by_key
, rr
->key
))
328 if (i
->rr
&& dns_resource_record_equal(i
->rr
, rr
) > 0)
334 static usec_t
calculate_until_valid(
335 DnsResourceRecord
*rr
,
339 bool use_soa_minimum
) {
346 ttl
= MIN(min_ttl
, nsec_ttl
);
347 if (rr
->key
->type
== DNS_TYPE_SOA
&& use_soa_minimum
) {
348 /* If this is a SOA RR, and it is requested, clamp to the SOA's minimum field. This is used
349 * when we do negative caching, to determine the TTL for the negative caching entry. See RFC
350 * 2308, Section 5. */
352 if (ttl
> rr
->soa
.minimum
)
353 ttl
= rr
->soa
.minimum
;
356 u
= ttl
* USEC_PER_SEC
;
357 if (u
> CACHE_TTL_MAX_USEC
)
358 u
= CACHE_TTL_MAX_USEC
;
360 if (rr
->expiry
!= USEC_INFINITY
) {
363 /* Make use of the DNSSEC RRSIG expiry info, if we have it */
365 left
= LESS_BY(rr
->expiry
, now(CLOCK_REALTIME
));
370 return timestamp
+ u
;
373 static usec_t
calculate_until(
375 usec_t stale_retention_usec
) {
377 return stale_retention_usec
> 0 ? usec_add(until_valid
, stale_retention_usec
) : until_valid
;
380 static void dns_cache_item_update_positive(
383 DnsResourceRecord
*rr
,
385 DnsPacket
*full_packet
,
387 uint64_t query_flags
,
389 DnssecResult dnssec_result
,
393 const union in_addr_union
*owner_address
,
394 usec_t stale_retention_usec
) {
399 assert(owner_address
);
401 i
->type
= DNS_CACHE_POSITIVE
;
404 /* We are the first item in the list, we need to
405 * update the key used in the hashmap */
407 assert_se(hashmap_replace(c
->by_key
, rr
->key
, i
) >= 0);
409 DNS_RR_REPLACE(i
->rr
, dns_resource_record_ref(rr
));
411 DNS_RESOURCE_KEY_REPLACE(i
->key
, dns_resource_key_ref(rr
->key
));
413 DNS_ANSWER_REPLACE(i
->answer
, dns_answer_ref(answer
));
415 DNS_PACKET_REPLACE(i
->full_packet
, dns_packet_ref(full_packet
));
417 i
->until_valid
= calculate_until_valid(rr
, min_ttl
, UINT32_MAX
, timestamp
, false);
418 i
->until
= calculate_until(i
->until_valid
, stale_retention_usec
);
419 i
->query_flags
= query_flags
& CACHEABLE_QUERY_FLAGS
;
420 i
->shared_owner
= shared_owner
;
421 i
->dnssec_result
= dnssec_result
;
423 i
->ifindex
= ifindex
;
425 i
->owner_family
= owner_family
;
426 i
->owner_address
= *owner_address
;
428 prioq_reshuffle(c
->by_expiry
, i
, &i
->prioq_idx
);
431 static int dns_cache_put_positive(
433 DnsProtocol protocol
,
434 DnsResourceRecord
*rr
,
436 DnsPacket
*full_packet
,
437 uint64_t query_flags
,
439 DnssecResult dnssec_result
,
443 const union in_addr_union
*owner_address
,
444 usec_t stale_retention_usec
) {
446 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
447 DnsCacheItem
*existing
;
453 assert(owner_address
);
455 /* Never cache pseudo RRs */
456 if (dns_class_is_pseudo(rr
->key
->class))
458 if (dns_type_is_pseudo(rr
->key
->type
))
461 /* Determine the minimal TTL of all RRs in the answer plus the one by the main RR we are supposed to
462 * cache. Since we cache whole answers to questions we should never return answers where only some
463 * RRs are still valid, hence find the lowest here */
464 min_ttl
= MIN(dns_answer_min_ttl(answer
), rr
->ttl
);
466 /* New TTL is 0? Delete this specific entry... */
468 r
= dns_cache_remove_by_rr(c
, rr
);
470 r
> 0 ? "Removed zero TTL entry from cache" : "Not caching zero TTL cache entry",
471 dns_resource_key_to_string(rr
->key
, key_str
, sizeof key_str
));
475 /* Entry exists already? Update TTL, timestamp and owner */
476 existing
= dns_cache_get(c
, rr
);
478 dns_cache_item_update_positive(
492 stale_retention_usec
);
496 /* Do not cache mDNS goodbye packet. */
497 if (protocol
== DNS_PROTOCOL_MDNS
&& rr
->ttl
<= 1)
500 /* Otherwise, add the new RR */
501 r
= dns_cache_init(c
);
505 dns_cache_make_space(c
, 1);
507 _cleanup_(dns_cache_item_freep
) DnsCacheItem
*i
= new(DnsCacheItem
, 1);
511 /* If StaleRetentionSec is greater than zero, the 'until' property is set to a duration
512 * of StaleRetentionSec from the time of TTL expiry.
513 * If StaleRetentionSec is zero, both the 'until' and 'until_valid' are set to the TTL duration,
514 * leading to the eviction of the record once the TTL expires.*/
515 usec_t until_valid
= calculate_until_valid(rr
, min_ttl
, UINT32_MAX
, timestamp
, false);
516 *i
= (DnsCacheItem
) {
517 .type
= DNS_CACHE_POSITIVE
,
518 .key
= dns_resource_key_ref(rr
->key
),
519 .rr
= dns_resource_record_ref(rr
),
520 .answer
= dns_answer_ref(answer
),
521 .full_packet
= dns_packet_ref(full_packet
),
522 .until
= calculate_until(until_valid
, stale_retention_usec
),
523 .until_valid
= until_valid
,
524 .query_flags
= query_flags
& CACHEABLE_QUERY_FLAGS
,
525 .shared_owner
= shared_owner
,
526 .dnssec_result
= dnssec_result
,
528 .owner_family
= owner_family
,
529 .owner_address
= *owner_address
,
530 .prioq_idx
= PRIOQ_IDX_NULL
,
533 r
= dns_cache_link_item(c
, i
);
537 log_debug("Added positive %s %s%s cache entry for %s "USEC_FMT
"s on %s/%s/%s",
538 FLAGS_SET(i
->query_flags
, SD_RESOLVED_AUTHENTICATED
) ? "authenticated" : "unauthenticated",
539 FLAGS_SET(i
->query_flags
, SD_RESOLVED_CONFIDENTIAL
) ? "confidential" : "non-confidential",
540 i
->shared_owner
? " shared" : "",
541 dns_resource_key_to_string(i
->key
, key_str
, sizeof key_str
),
542 (i
->until
- timestamp
) / USEC_PER_SEC
,
543 i
->ifindex
== 0 ? "*" : FORMAT_IFNAME(i
->ifindex
),
544 af_to_name_short(i
->owner_family
),
545 IN_ADDR_TO_STRING(i
->owner_family
, &i
->owner_address
));
550 /* https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml */
551 /* https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml#transport-independent */
552 static bool dns_special_use_domain_invalid_answer(DnsResourceKey
*key
, int rcode
) {
553 /* Sometimes we know a domain exists, even if broken nameservers say otherwise. Make sure not to
554 * cache any answers we know are wrong. */
556 /* RFC9462 § 6.4: resolvers SHOULD respond to queries of any type other than SVCB for
557 * _dns.resolver.arpa. with NODATA and queries of any type for any domain name under resolver.arpa
559 if (dns_name_endswith(dns_resource_key_name(key
), "resolver.arpa") > 0 && rcode
== DNS_RCODE_NXDOMAIN
)
565 static int dns_cache_put_negative(
570 DnsPacket
*full_packet
,
571 uint64_t query_flags
,
572 DnssecResult dnssec_result
,
575 DnsResourceRecord
*soa
,
577 const union in_addr_union
*owner_address
) {
579 _cleanup_(dns_cache_item_freep
) DnsCacheItem
*i
= NULL
;
580 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
585 assert(owner_address
);
587 /* Never cache pseudo RR keys. DNS_TYPE_ANY is particularly
588 * important to filter out as we use this as a pseudo-type for
589 * NXDOMAIN entries */
590 if (dns_class_is_pseudo(key
->class))
592 if (dns_type_is_pseudo(key
->type
))
594 if (dns_special_use_domain_invalid_answer(key
, rcode
))
597 if (IN_SET(rcode
, DNS_RCODE_SUCCESS
, DNS_RCODE_NXDOMAIN
)) {
601 /* For negative replies, check if we have a TTL of a SOA */
602 if (nsec_ttl
<= 0 || soa
->soa
.minimum
<= 0 || soa
->ttl
<= 0) {
603 log_debug("Not caching negative entry with zero SOA/NSEC/NSEC3 TTL: %s",
604 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
607 } else if (rcode
!= DNS_RCODE_SERVFAIL
)
610 r
= dns_cache_init(c
);
614 dns_cache_make_space(c
, 1);
616 i
= new(DnsCacheItem
, 1);
620 *i
= (DnsCacheItem
) {
622 rcode
== DNS_RCODE_SUCCESS
? DNS_CACHE_NODATA
:
623 rcode
== DNS_RCODE_NXDOMAIN
? DNS_CACHE_NXDOMAIN
: DNS_CACHE_RCODE
,
624 .query_flags
= query_flags
& CACHEABLE_QUERY_FLAGS
,
625 .dnssec_result
= dnssec_result
,
626 .owner_family
= owner_family
,
627 .owner_address
= *owner_address
,
628 .prioq_idx
= PRIOQ_IDX_NULL
,
630 .answer
= dns_answer_ref(answer
),
631 .full_packet
= dns_packet_ref(full_packet
),
634 /* Determine how long to cache this entry. In case we have some RRs in the answer use the lowest TTL
635 * of any of them. Typically that's the SOA's TTL, which is OK, but could possibly be lower because
636 * of some other RR. Let's better take the lowest option here than a needlessly high one */
637 i
->until
= i
->until_valid
=
638 i
->type
== DNS_CACHE_RCODE
? timestamp
+ CACHE_TTL_STRANGE_RCODE_USEC
:
639 calculate_until_valid(soa
, dns_answer_min_ttl(answer
), nsec_ttl
, timestamp
, true);
641 if (i
->type
== DNS_CACHE_NXDOMAIN
) {
642 /* NXDOMAIN entries should apply equally to all types, so we use ANY as
643 * a pseudo type for this purpose here. */
644 i
->key
= dns_resource_key_new(key
->class, DNS_TYPE_ANY
, dns_resource_key_name(key
));
648 /* Make sure to remove any previous entry for this
649 * specific ANY key. (For non-ANY keys the cache data
650 * is already cleared by the caller.) Note that we
651 * don't bother removing positive or NODATA cache
652 * items in this case, because it would either be slow
653 * or require explicit indexing by name */
654 dns_cache_remove_by_key(c
, key
);
656 i
->key
= dns_resource_key_ref(key
);
658 r
= dns_cache_link_item(c
, i
);
662 log_debug("Added %s cache entry for %s "USEC_FMT
"s",
663 dns_cache_item_type_to_string(i
),
664 dns_resource_key_to_string(i
->key
, key_str
, sizeof key_str
),
665 (i
->until
- timestamp
) / USEC_PER_SEC
);
671 static void dns_cache_remove_previous(
676 DnsResourceRecord
*rr
;
677 DnsAnswerFlags flags
;
681 /* First, if we were passed a key (i.e. on LLMNR/DNS, but
682 * not on mDNS), delete all matching old RRs, so that we only
683 * keep complete by_key in place. */
685 dns_cache_remove_by_key(c
, key
);
687 /* Second, flush all entries matching the answer, unless this
688 * is an RR that is explicitly marked to be "shared" between
689 * peers (i.e. mDNS RRs without the flush-cache bit set). */
690 DNS_ANSWER_FOREACH_FLAGS(rr
, flags
, answer
) {
691 if ((flags
& DNS_ANSWER_CACHEABLE
) == 0)
694 if (flags
& DNS_ANSWER_SHARED_OWNER
)
697 dns_cache_remove_by_key(c
, rr
->key
);
701 static bool rr_eligible(DnsResourceRecord
*rr
) {
704 /* When we see an NSEC/NSEC3 RR, we'll only cache it if it is from the lower zone, not the upper zone, since
705 * that's where the interesting bits are (with exception of DS RRs). Of course, this way we cannot derive DS
706 * existence from any cached NSEC/NSEC3, but that should be fine. */
708 switch (rr
->key
->type
) {
711 return !bitmap_isset(rr
->nsec
.types
, DNS_TYPE_NS
) ||
712 bitmap_isset(rr
->nsec
.types
, DNS_TYPE_SOA
);
715 return !bitmap_isset(rr
->nsec3
.types
, DNS_TYPE_NS
) ||
716 bitmap_isset(rr
->nsec3
.types
, DNS_TYPE_SOA
);
725 DnsCacheMode cache_mode
,
726 DnsProtocol protocol
,
730 DnsPacket
*full_packet
,
731 uint64_t query_flags
,
732 DnssecResult dnssec_result
,
735 const union in_addr_union
*owner_address
,
736 usec_t stale_retention_usec
) {
738 DnsResourceRecord
*soa
= NULL
;
739 bool weird_rcode
= false;
741 DnsAnswerFlags flags
;
747 assert(owner_address
);
749 dns_cache_remove_previous(c
, key
, answer
);
751 /* We only care for positive replies and NXDOMAINs, on all other replies we will simply flush the respective
752 * entries, and that's it. (Well, with one further exception: since some DNS zones (akamai!) return SERVFAIL
753 * consistently for some lookups, and forwarders tend to propagate that we'll cache that too, but only for a
756 if (IN_SET(rcode
, DNS_RCODE_SUCCESS
, DNS_RCODE_NXDOMAIN
)) {
757 if (dns_answer_isempty(answer
)) {
759 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
761 log_debug("Not caching negative entry without a SOA record: %s",
762 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
769 /* Only cache SERVFAIL as "weird" rcode for now. We can add more later, should that turn out to be
771 if (rcode
!= DNS_RCODE_SERVFAIL
)
777 cache_keys
= dns_answer_size(answer
);
781 /* Make some space for our new entries */
782 dns_cache_make_space(c
, cache_keys
);
784 timestamp
= now(CLOCK_BOOTTIME
);
786 /* Second, add in positive entries for all contained RRs */
787 DNS_ANSWER_FOREACH_ITEM(item
, answer
) {
790 if (!FLAGS_SET(item
->flags
, DNS_ANSWER_CACHEABLE
) ||
791 !rr_eligible(item
->rr
))
795 /* We store the auxiliary RRs and packet data in the cache only if they were in
796 * direct response to the original query. If we cache an RR we also received, and
797 * that is just auxiliary information we can't use the data, hence don't. */
799 primary
= dns_resource_key_match_rr(key
, item
->rr
, NULL
);
803 primary
= dns_resource_key_match_cname_or_dname(key
, item
->rr
->key
, NULL
);
812 /* Do not replace existing cache items for primary lookups with non-primary
813 * data. After all the primary lookup data is a lot more useful. */
814 first
= hashmap_get(c
->by_key
, item
->rr
->key
);
815 if (first
&& DNS_CACHE_ITEM_IS_PRIMARY(first
))
819 r
= dns_cache_put_positive(
823 primary
? answer
: NULL
,
824 primary
? full_packet
: NULL
,
825 ((item
->flags
& DNS_ANSWER_AUTHENTICATED
) ? SD_RESOLVED_AUTHENTICATED
: 0) |
826 (query_flags
& SD_RESOLVED_CONFIDENTIAL
),
827 item
->flags
& DNS_ANSWER_SHARED_OWNER
,
833 stale_retention_usec
);
838 if (!key
) /* mDNS doesn't know negative caching, really */
841 /* Third, add in negative entries if the key has no RR */
842 r
= dns_answer_match_key(answer
, key
, NULL
);
848 /* But not if it has a matching CNAME/DNAME (the negative caching will be done on the canonical name,
849 * not on the alias) */
850 r
= dns_answer_find_cname_or_dname(answer
, key
, NULL
, NULL
);
856 /* See https://tools.ietf.org/html/rfc2308, which say that a matching SOA record in the packet is used to
857 * enable negative caching. We apply one exception though: if we are about to cache a weird rcode we do so
858 * regardless of a SOA. */
859 r
= dns_answer_find_soa(answer
, key
, &soa
, &flags
);
862 if (r
== 0 && !weird_rcode
)
865 /* Refuse using the SOA data if it is unsigned, but the key is signed */
866 if (FLAGS_SET(query_flags
, SD_RESOLVED_AUTHENTICATED
) &&
867 (flags
& DNS_ANSWER_AUTHENTICATED
) == 0)
871 if (cache_mode
== DNS_CACHE_MODE_NO_NEGATIVE
) {
872 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
873 log_debug("Not caching negative entry for: %s, cache mode set to no-negative",
874 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
878 r
= dns_cache_put_negative(
897 /* Adding all RRs failed. Let's clean up what we already
898 * added, just in case */
901 dns_cache_remove_by_key(c
, key
);
903 DNS_ANSWER_FOREACH_ITEM(item
, answer
) {
904 if ((item
->flags
& DNS_ANSWER_CACHEABLE
) == 0)
907 dns_cache_remove_by_key(c
, item
->rr
->key
);
913 static DnsCacheItem
*dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache
*c
, DnsResourceKey
*k
) {
921 /* If we hit some OOM error, or suchlike, we don't care too
922 * much, after all this is just a cache */
924 i
= hashmap_get(c
->by_key
, k
);
928 n
= dns_resource_key_name(k
);
930 /* Check if we have an NXDOMAIN cache item for the name, notice that we use
931 * the pseudo-type ANY for NXDOMAIN cache items. */
932 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_ANY
, n
));
933 if (i
&& i
->type
== DNS_CACHE_NXDOMAIN
)
936 if (dns_type_may_redirect(k
->type
)) {
937 /* Check if we have a CNAME record instead */
938 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_CNAME
, n
));
939 if (i
&& i
->type
!= DNS_CACHE_NODATA
)
942 /* OK, let's look for cached DNAME records. */
947 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_DNAME
, n
));
948 if (i
&& i
->type
!= DNS_CACHE_NODATA
)
951 /* Jump one label ahead */
952 r
= dns_name_parent(&n
);
958 if (k
->type
!= DNS_TYPE_NSEC
) {
959 /* Check if we have an NSEC record instead for the name. */
960 i
= hashmap_get(c
->by_key
, &DNS_RESOURCE_KEY_CONST(k
->class, DNS_TYPE_NSEC
, n
));
968 static int answer_add_clamp_ttl(
970 DnsResourceRecord
*rr
,
972 DnsAnswerFlags answer_flags
,
973 DnsResourceRecord
*rrsig
,
974 uint64_t query_flags
,
978 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*patched
= NULL
, *patched_rrsig
= NULL
;
984 if (FLAGS_SET(query_flags
, SD_RESOLVED_CLAMP_TTL
)) {
989 /* Let's determine how much time is left for this cache entry. Note that we round down, but
990 * clamp this to be 1s at minimum, since we usually want records to remain cached better too
991 * short a time than too long a time, but otoh don't want to return 0 ever, since that has
992 * special semantics in various contexts — in particular in mDNS */
994 left_ttl
= MAX(1U, LESS_BY(until
, current
) / USEC_PER_SEC
);
996 patched
= dns_resource_record_ref(rr
);
998 r
= dns_resource_record_clamp_ttl(&patched
, left_ttl
);
1005 patched_rrsig
= dns_resource_record_ref(rrsig
);
1006 r
= dns_resource_record_clamp_ttl(&patched_rrsig
, left_ttl
);
1010 rrsig
= patched_rrsig
;
1014 r
= dns_answer_add_extend(answer
, rr
, ifindex
, answer_flags
, rrsig
);
1021 int dns_cache_lookup(
1023 DnsResourceKey
*key
,
1024 uint64_t query_flags
,
1026 DnsAnswer
**ret_answer
,
1027 DnsPacket
**ret_full_packet
,
1028 uint64_t *ret_query_flags
,
1029 DnssecResult
*ret_dnssec_result
) {
1031 _cleanup_(dns_packet_unrefp
) DnsPacket
*full_packet
= NULL
;
1032 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
1033 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
1036 bool nxdomain
= false;
1037 DnsCacheItem
*first
, *nsec
= NULL
;
1038 bool have_authenticated
= false, have_non_authenticated
= false, have_confidential
= false, have_non_confidential
= false;
1040 int found_rcode
= -1;
1041 DnssecResult dnssec_result
= -1;
1042 int have_dnssec_result
= -1;
1047 if (key
->type
== DNS_TYPE_ANY
|| key
->class == DNS_CLASS_ANY
) {
1048 /* If we have ANY lookups we don't use the cache, so that the caller refreshes via the
1051 log_debug("Ignoring cache for ANY lookup: %s",
1052 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
1056 first
= dns_cache_get_by_key_follow_cname_dname_nsec(c
, key
);
1058 /* If one question cannot be answered we need to refresh */
1060 log_debug("Cache miss for %s",
1061 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
1065 if ((query_flags
& (SD_RESOLVED_CLAMP_TTL
| SD_RESOLVED_NO_STALE
)) != 0) {
1066 /* 'current' is always passed to answer_add_clamp_ttl(), but is only used conditionally.
1067 * We'll do the same assert there to make sure that it was initialized properly.
1068 * 'current' is also used below when SD_RESOLVED_NO_STALE is set. */
1069 current
= now(CLOCK_BOOTTIME
);
1070 assert(current
> 0);
1073 LIST_FOREACH(by_key
, j
, first
) {
1074 /* If the caller doesn't allow us to answer questions from cache data learned from
1075 * "side-effect", skip this entry. */
1076 if (FLAGS_SET(query_flags
, SD_RESOLVED_REQUIRE_PRIMARY
) &&
1077 !DNS_CACHE_ITEM_IS_PRIMARY(j
)) {
1078 log_debug("Primary answer was requested for cache lookup for %s, which we don't have.",
1079 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
1084 /* Skip the next part if ttl is expired and requested with no stale flag. */
1085 if (FLAGS_SET(query_flags
, SD_RESOLVED_NO_STALE
) && j
->until_valid
< current
) {
1086 log_debug("Requested with no stale and TTL expired for %s",
1087 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
1092 if (j
->type
== DNS_CACHE_NXDOMAIN
)
1094 else if (j
->type
== DNS_CACHE_RCODE
)
1095 found_rcode
= j
->rcode
;
1097 if (j
->rr
->key
->type
== DNS_TYPE_NSEC
)
1103 if (FLAGS_SET(j
->query_flags
, SD_RESOLVED_AUTHENTICATED
))
1104 have_authenticated
= true;
1106 have_non_authenticated
= true;
1108 if (FLAGS_SET(j
->query_flags
, SD_RESOLVED_CONFIDENTIAL
))
1109 have_confidential
= true;
1111 have_non_confidential
= true;
1113 if (j
->dnssec_result
< 0) {
1114 have_dnssec_result
= false; /* an entry without dnssec result? then invalidate things for good */
1115 dnssec_result
= _DNSSEC_RESULT_INVALID
;
1116 } else if (have_dnssec_result
< 0) {
1117 have_dnssec_result
= true; /* So far no result seen, let's pick this one up */
1118 dnssec_result
= j
->dnssec_result
;
1119 } else if (have_dnssec_result
> 0 && j
->dnssec_result
!= dnssec_result
) {
1120 have_dnssec_result
= false; /* conflicting result seen? then invalidate for good */
1121 dnssec_result
= _DNSSEC_RESULT_INVALID
;
1124 /* If the question is being resolved using stale data, the clamp TTL will be set to CACHE_STALE_TTL_MAX_USEC. */
1125 usec_t until
= FLAGS_SET(query_flags
, SD_RESOLVED_NO_STALE
) ? j
->until_valid
1126 : usec_add(current
, CACHE_STALE_TTL_MAX_USEC
);
1128 /* Append the answer RRs to our answer. Ideally we have the answer object, which we
1129 * preferably use. But if the cached entry was generated as "side-effect" of a reply,
1130 * i.e. from validated auxiliary records rather than from the main reply, then we use the
1131 * individual RRs only instead. */
1134 /* Minor optimization, if the full answer object of this and the previous RR is the
1135 * same, don't bother adding it again. Typically we store a full RRset here, hence
1136 * that should be the case. */
1137 if (!j
->by_key_prev
|| j
->answer
!= j
->by_key_prev
->answer
) {
1138 DnsAnswerItem
*item
;
1140 DNS_ANSWER_FOREACH_ITEM(item
, j
->answer
) {
1141 r
= answer_add_clamp_ttl(
1156 r
= answer_add_clamp_ttl(
1160 FLAGS_SET(j
->query_flags
, SD_RESOLVED_AUTHENTICATED
) ? DNS_ANSWER_AUTHENTICATED
: 0,
1169 /* We'll return any packet we have for this. Typically all cache entries for the same key
1170 * should come from the same packet anyway, hence it doesn't really matter which packet we
1171 * return here, they should all resolve to the same anyway. */
1172 if (!full_packet
&& j
->full_packet
)
1173 full_packet
= dns_packet_ref(j
->full_packet
);
1176 if (found_rcode
>= 0) {
1177 log_debug("RCODE %s cache hit for %s",
1178 FORMAT_DNS_RCODE(found_rcode
),
1179 dns_resource_key_to_string(key
, key_str
, sizeof(key_str
)));
1182 *ret_rcode
= found_rcode
;
1184 *ret_answer
= TAKE_PTR(answer
);
1185 if (ret_full_packet
)
1186 *ret_full_packet
= TAKE_PTR(full_packet
);
1187 if (ret_query_flags
)
1188 *ret_query_flags
= 0;
1189 if (ret_dnssec_result
)
1190 *ret_dnssec_result
= dnssec_result
;
1196 if (nsec
&& !IN_SET(key
->type
, DNS_TYPE_NSEC
, DNS_TYPE_DS
)) {
1197 /* Note that we won't derive information for DS RRs from an NSEC, because we only cache NSEC
1198 * RRs from the lower-zone of a zone cut, but the DS RRs are on the upper zone. */
1200 log_debug("NSEC NODATA cache hit for %s",
1201 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
1203 /* We only found an NSEC record that matches our name. If it says the type doesn't exist
1204 * report NODATA. Otherwise report a cache miss. */
1207 *ret_rcode
= DNS_RCODE_SUCCESS
;
1209 *ret_answer
= TAKE_PTR(answer
);
1210 if (ret_full_packet
)
1211 *ret_full_packet
= TAKE_PTR(full_packet
);
1212 if (ret_query_flags
)
1213 *ret_query_flags
= nsec
->query_flags
;
1214 if (ret_dnssec_result
)
1215 *ret_dnssec_result
= nsec
->dnssec_result
;
1217 if (!bitmap_isset(nsec
->rr
->nsec
.types
, key
->type
) &&
1218 !bitmap_isset(nsec
->rr
->nsec
.types
, DNS_TYPE_CNAME
) &&
1219 !bitmap_isset(nsec
->rr
->nsec
.types
, DNS_TYPE_DNAME
)) {
1228 log_debug("%s cache hit for %s",
1229 n
> 0 ? "Positive" :
1230 nxdomain
? "NXDOMAIN" : "NODATA",
1231 dns_resource_key_to_string(key
, key_str
, sizeof key_str
));
1237 *ret_rcode
= nxdomain
? DNS_RCODE_NXDOMAIN
: DNS_RCODE_SUCCESS
;
1239 *ret_answer
= TAKE_PTR(answer
);
1240 if (ret_full_packet
)
1241 *ret_full_packet
= TAKE_PTR(full_packet
);
1242 if (ret_query_flags
)
1244 ((have_authenticated
&& !have_non_authenticated
) ? SD_RESOLVED_AUTHENTICATED
: 0) |
1245 ((have_confidential
&& !have_non_confidential
) ? SD_RESOLVED_CONFIDENTIAL
: 0);
1246 if (ret_dnssec_result
)
1247 *ret_dnssec_result
= dnssec_result
;
1255 *ret_rcode
= DNS_RCODE_SUCCESS
;
1257 *ret_answer
= TAKE_PTR(answer
);
1258 if (ret_full_packet
)
1259 *ret_full_packet
= TAKE_PTR(full_packet
);
1260 if (ret_query_flags
)
1262 ((have_authenticated
&& !have_non_authenticated
) ? SD_RESOLVED_AUTHENTICATED
: 0) |
1263 ((have_confidential
&& !have_non_confidential
) ? SD_RESOLVED_CONFIDENTIAL
: 0);
1264 if (ret_dnssec_result
)
1265 *ret_dnssec_result
= dnssec_result
;
1271 *ret_rcode
= DNS_RCODE_SUCCESS
;
1274 if (ret_full_packet
)
1275 *ret_full_packet
= NULL
;
1276 if (ret_query_flags
)
1277 *ret_query_flags
= 0;
1278 if (ret_dnssec_result
)
1279 *ret_dnssec_result
= _DNSSEC_RESULT_INVALID
;
1285 int dns_cache_check_conflicts(DnsCache
*cache
, DnsResourceRecord
*rr
, int owner_family
, const union in_addr_union
*owner_address
) {
1286 DnsCacheItem
*first
;
1287 bool same_owner
= true;
1292 dns_cache_prune(cache
);
1294 /* See if there's a cache entry for the same key. If there
1295 * isn't there's no conflict */
1296 first
= hashmap_get(cache
->by_key
, rr
->key
);
1300 /* See if the RR key is owned by the same owner, if so, there
1301 * isn't a conflict either */
1302 LIST_FOREACH(by_key
, i
, first
) {
1303 if (i
->owner_family
!= owner_family
||
1304 !in_addr_equal(owner_family
, &i
->owner_address
, owner_address
)) {
1312 /* See if there's the exact same RR in the cache. If yes, then
1313 * there's no conflict. */
1314 if (dns_cache_get(cache
, rr
))
1317 /* There's a conflict */
1321 int dns_cache_export_shared_to_packet(DnsCache
*cache
, DnsPacket
*p
, usec_t ts
, unsigned max_rr
) {
1322 unsigned ancount
= 0;
1328 assert(p
->protocol
== DNS_PROTOCOL_MDNS
);
1330 HASHMAP_FOREACH(i
, cache
->by_key
)
1331 LIST_FOREACH(by_key
, j
, i
) {
1335 if (!j
->shared_owner
)
1338 /* Ignore cached goodby packet. See on_mdns_packet() and RFC 6762 section 10.1. */
1339 if (j
->rr
->ttl
<= 1)
1342 /* RFC6762 7.1: Don't append records with less than half the TTL remaining
1343 * as known answers. */
1344 if (usec_sub_unsigned(j
->until
, ts
) < j
->rr
->ttl
* USEC_PER_SEC
/ 2)
1347 if (max_rr
> 0 && ancount
>= max_rr
) {
1348 DNS_PACKET_HEADER(p
)->ancount
= htobe16(ancount
);
1351 r
= dns_packet_new_query(&p
->more
, p
->protocol
, 0, true);
1360 r
= dns_packet_append_rr(p
, j
->rr
, 0, NULL
, NULL
);
1361 if (r
== -EMSGSIZE
) {
1363 /* If max_rr == 0, do not allocate more packets. */
1366 /* If we're unable to stuff all known answers into the given packet, allocate
1367 * a new one, push the RR into that one and link it to the current one. */
1369 DNS_PACKET_HEADER(p
)->ancount
= htobe16(ancount
);
1372 r
= dns_packet_new_query(&p
->more
, p
->protocol
, 0, true);
1376 /* continue with new packet */
1378 r
= dns_packet_append_rr(p
, j
->rr
, 0, NULL
, NULL
);
1388 DNS_PACKET_HEADER(p
)->ancount
= htobe16(ancount
);
1393 void dns_cache_dump(DnsCache
*cache
, FILE *f
) {
1402 HASHMAP_FOREACH(i
, cache
->by_key
)
1403 LIST_FOREACH(by_key
, j
, i
) {
1409 t
= dns_resource_record_to_string(j
->rr
);
1418 char key_str
[DNS_RESOURCE_KEY_STRING_MAX
];
1420 fputs(dns_resource_key_to_string(j
->key
, key_str
, sizeof key_str
), f
);
1422 fputs(dns_cache_item_type_to_string(j
), f
);
1428 int dns_cache_dump_to_json(DnsCache
*cache
, JsonVariant
**ret
) {
1429 _cleanup_(json_variant_unrefp
) JsonVariant
*c
= NULL
;
1436 HASHMAP_FOREACH(i
, cache
->by_key
) {
1437 _cleanup_(json_variant_unrefp
) JsonVariant
*d
= NULL
, *k
= NULL
;
1439 r
= dns_resource_key_to_json(i
->key
, &k
);
1444 _cleanup_(json_variant_unrefp
) JsonVariant
*l
= NULL
;
1446 LIST_FOREACH(by_key
, j
, i
) {
1447 _cleanup_(json_variant_unrefp
) JsonVariant
*rj
= NULL
;
1451 r
= dns_resource_record_to_json(j
->rr
, &rj
);
1455 r
= dns_resource_record_to_wire_format(j
->rr
, /* canonical= */ false); /* don't use DNSSEC canonical format, since it removes casing, but we want that for DNS_SD compat */
1459 r
= json_variant_append_arrayb(
1462 JSON_BUILD_PAIR_VARIANT("rr", rj
),
1463 JSON_BUILD_PAIR_BASE64("raw", j
->rr
->wire_format
, j
->rr
->wire_format_size
)));
1469 r
= json_variant_new_array(&l
, NULL
, 0);
1476 JSON_BUILD_PAIR_VARIANT("key", k
),
1477 JSON_BUILD_PAIR_VARIANT("rrs", l
),
1478 JSON_BUILD_PAIR_UNSIGNED("until", i
->until
)));
1479 } else if (i
->type
== DNS_CACHE_NODATA
) {
1482 JSON_BUILD_PAIR_VARIANT("key", k
),
1483 JSON_BUILD_PAIR_EMPTY_ARRAY("rrs"),
1484 JSON_BUILD_PAIR_UNSIGNED("until", i
->until
)));
1488 JSON_BUILD_PAIR_VARIANT("key", k
),
1489 JSON_BUILD_PAIR_STRING("type", dns_cache_item_type_to_string(i
)),
1490 JSON_BUILD_PAIR_UNSIGNED("until", i
->until
)));
1494 r
= json_variant_append_array(&c
, d
);
1500 return json_variant_new_array(ret
, NULL
, 0);
1506 bool dns_cache_is_empty(DnsCache
*cache
) {
1510 return hashmap_isempty(cache
->by_key
);
1513 unsigned dns_cache_size(DnsCache
*cache
) {
1517 return hashmap_size(cache
->by_key
);