]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-query.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
networkctl: use and print full hardware address
[thirdparty/systemd.git] / src / resolve / resolved-dns-query.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #include "alloc-util.h"
4 #include "dns-domain.h"
5 #include "dns-type.h"
6 #include "hostname-util.h"
7 #include "local-addresses.h"
8 #include "resolved-dns-query.h"
9 #include "resolved-dns-synthesize.h"
10 #include "resolved-etc-hosts.h"
11 #include "string-util.h"
12
13 #define CNAME_MAX 8
14 #define QUERIES_MAX 2048
15 #define AUXILIARY_QUERIES_MAX 64
16
17 static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
18 DnsQueryCandidate *c;
19
20 assert(ret);
21 assert(q);
22 assert(s);
23
24 c = new0(DnsQueryCandidate, 1);
25 if (!c)
26 return -ENOMEM;
27
28 c->query = q;
29 c->scope = s;
30
31 LIST_PREPEND(candidates_by_query, q->candidates, c);
32 LIST_PREPEND(candidates_by_scope, s->query_candidates, c);
33
34 *ret = c;
35 return 0;
36 }
37
38 static void dns_query_candidate_stop(DnsQueryCandidate *c) {
39 DnsTransaction *t;
40
41 assert(c);
42
43 while ((t = set_steal_first(c->transactions))) {
44 set_remove(t->notify_query_candidates, c);
45 set_remove(t->notify_query_candidates_done, c);
46 dns_transaction_gc(t);
47 }
48 }
49
50 DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
51
52 if (!c)
53 return NULL;
54
55 dns_query_candidate_stop(c);
56
57 set_free(c->transactions);
58 dns_search_domain_unref(c->search_domain);
59
60 if (c->query)
61 LIST_REMOVE(candidates_by_query, c->query->candidates, c);
62
63 if (c->scope)
64 LIST_REMOVE(candidates_by_scope, c->scope->query_candidates, c);
65
66 return mfree(c);
67 }
68
69 static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
70 DnsSearchDomain *next = NULL;
71
72 assert(c);
73
74 if (c->search_domain && c->search_domain->linked)
75 next = c->search_domain->domains_next;
76 else
77 next = dns_scope_get_search_domains(c->scope);
78
79 for (;;) {
80 if (!next) /* We hit the end of the list */
81 return 0;
82
83 if (!next->route_only)
84 break;
85
86 /* Skip over route-only domains */
87 next = next->domains_next;
88 }
89
90 dns_search_domain_unref(c->search_domain);
91 c->search_domain = dns_search_domain_ref(next);
92
93 return 1;
94 }
95
96 static int dns_query_candidate_add_transaction(DnsQueryCandidate *c, DnsResourceKey *key) {
97 _cleanup_(dns_transaction_gcp) DnsTransaction *t = NULL;
98 int r;
99
100 assert(c);
101 assert(key);
102
103 t = dns_scope_find_transaction(c->scope, key, true);
104 if (!t) {
105 r = dns_transaction_new(&t, c->scope, key);
106 if (r < 0)
107 return r;
108 } else if (set_contains(c->transactions, t))
109 return 0;
110
111 r = set_ensure_allocated(&t->notify_query_candidates_done, NULL);
112 if (r < 0)
113 return r;
114
115 r = set_ensure_put(&t->notify_query_candidates, NULL, c);
116 if (r < 0)
117 return r;
118
119 r = set_ensure_put(&c->transactions, NULL, t);
120 if (r < 0) {
121 (void) set_remove(t->notify_query_candidates, c);
122 return r;
123 }
124
125 t->clamp_ttl = c->query->clamp_ttl;
126 TAKE_PTR(t);
127 return 1;
128 }
129
130 static int dns_query_candidate_go(DnsQueryCandidate *c) {
131 DnsTransaction *t;
132 int r;
133 unsigned n = 0;
134
135 assert(c);
136
137 /* Start the transactions that are not started yet */
138 SET_FOREACH(t, c->transactions) {
139 if (t->state != DNS_TRANSACTION_NULL)
140 continue;
141
142 r = dns_transaction_go(t);
143 if (r < 0)
144 return r;
145
146 n++;
147 }
148
149 /* If there was nothing to start, then let's proceed immediately */
150 if (n == 0)
151 dns_query_candidate_notify(c);
152
153 return 0;
154 }
155
156 static DnsTransactionState dns_query_candidate_state(DnsQueryCandidate *c) {
157 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
158 DnsTransaction *t;
159
160 assert(c);
161
162 if (c->error_code != 0)
163 return DNS_TRANSACTION_ERRNO;
164
165 SET_FOREACH(t, c->transactions) {
166
167 switch (t->state) {
168
169 case DNS_TRANSACTION_NULL:
170 /* If there's a NULL transaction pending, then
171 * this means not all transactions where
172 * started yet, and we were called from within
173 * the stackframe that is supposed to start
174 * remaining transactions. In this case,
175 * simply claim the candidate is pending. */
176
177 case DNS_TRANSACTION_PENDING:
178 case DNS_TRANSACTION_VALIDATING:
179 /* If there's one transaction currently in
180 * VALIDATING state, then this means there's
181 * also one in PENDING state, hence we can
182 * return PENDING immediately. */
183 return DNS_TRANSACTION_PENDING;
184
185 case DNS_TRANSACTION_SUCCESS:
186 state = t->state;
187 break;
188
189 default:
190 if (state != DNS_TRANSACTION_SUCCESS)
191 state = t->state;
192
193 break;
194 }
195 }
196
197 return state;
198 }
199
200 static int dns_query_candidate_setup_transactions(DnsQueryCandidate *c) {
201 DnsQuestion *question;
202 DnsResourceKey *key;
203 int n = 0, r;
204
205 assert(c);
206
207 dns_query_candidate_stop(c);
208
209 question = dns_query_question_for_protocol(c->query, c->scope->protocol);
210
211 /* Create one transaction per question key */
212 DNS_QUESTION_FOREACH(key, question) {
213 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *new_key = NULL;
214 DnsResourceKey *qkey;
215
216 if (c->search_domain) {
217 r = dns_resource_key_new_append_suffix(&new_key, key, c->search_domain->name);
218 if (r < 0)
219 goto fail;
220
221 qkey = new_key;
222 } else
223 qkey = key;
224
225 if (!dns_scope_good_key(c->scope, qkey))
226 continue;
227
228 r = dns_query_candidate_add_transaction(c, qkey);
229 if (r < 0)
230 goto fail;
231
232 n++;
233 }
234
235 return n;
236
237 fail:
238 dns_query_candidate_stop(c);
239 return r;
240 }
241
242 void dns_query_candidate_notify(DnsQueryCandidate *c) {
243 DnsTransactionState state;
244 int r;
245
246 assert(c);
247
248 state = dns_query_candidate_state(c);
249
250 if (DNS_TRANSACTION_IS_LIVE(state))
251 return;
252
253 if (state != DNS_TRANSACTION_SUCCESS && c->search_domain) {
254
255 r = dns_query_candidate_next_search_domain(c);
256 if (r < 0)
257 goto fail;
258
259 if (r > 0) {
260 /* OK, there's another search domain to try, let's do so. */
261
262 r = dns_query_candidate_setup_transactions(c);
263 if (r < 0)
264 goto fail;
265
266 if (r > 0) {
267 /* New transactions where queued. Start them and wait */
268
269 r = dns_query_candidate_go(c);
270 if (r < 0)
271 goto fail;
272
273 return;
274 }
275 }
276
277 }
278
279 dns_query_ready(c->query);
280 return;
281
282 fail:
283 log_warning_errno(r, "Failed to follow search domains: %m");
284 c->error_code = r;
285 dns_query_ready(c->query);
286 }
287
288 static void dns_query_stop(DnsQuery *q) {
289 DnsQueryCandidate *c;
290
291 assert(q);
292
293 q->timeout_event_source = sd_event_source_unref(q->timeout_event_source);
294
295 LIST_FOREACH(candidates_by_query, c, q->candidates)
296 dns_query_candidate_stop(c);
297 }
298
299 static void dns_query_free_candidates(DnsQuery *q) {
300 assert(q);
301
302 while (q->candidates)
303 dns_query_candidate_free(q->candidates);
304 }
305
306 static void dns_query_reset_answer(DnsQuery *q) {
307 assert(q);
308
309 q->answer = dns_answer_unref(q->answer);
310 q->answer_rcode = 0;
311 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
312 q->answer_errno = 0;
313 q->answer_authenticated = false;
314 q->answer_protocol = _DNS_PROTOCOL_INVALID;
315 q->answer_family = AF_UNSPEC;
316 q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
317 }
318
319 DnsQuery *dns_query_free(DnsQuery *q) {
320 if (!q)
321 return NULL;
322
323 while (q->auxiliary_queries)
324 dns_query_free(q->auxiliary_queries);
325
326 if (q->auxiliary_for) {
327 assert(q->auxiliary_for->n_auxiliary_queries > 0);
328 q->auxiliary_for->n_auxiliary_queries--;
329 LIST_REMOVE(auxiliary_queries, q->auxiliary_for->auxiliary_queries, q);
330 }
331
332 dns_query_free_candidates(q);
333
334 dns_question_unref(q->question_idna);
335 dns_question_unref(q->question_utf8);
336
337 dns_query_reset_answer(q);
338
339 sd_bus_message_unref(q->bus_request);
340 sd_bus_track_unref(q->bus_track);
341
342 if (q->varlink_request) {
343 varlink_set_userdata(q->varlink_request, NULL);
344 varlink_unref(q->varlink_request);
345 }
346
347 dns_packet_unref(q->request_dns_packet);
348 dns_packet_unref(q->reply_dns_packet);
349
350 if (q->request_dns_stream) {
351 /* Detach the stream from our query, in case something else keeps a reference to it. */
352 (void) set_remove(q->request_dns_stream->queries, q);
353 q->request_dns_stream = dns_stream_unref(q->request_dns_stream);
354 }
355
356 free(q->request_address_string);
357
358 if (q->manager) {
359 LIST_REMOVE(queries, q->manager->dns_queries, q);
360 q->manager->n_dns_queries--;
361 }
362
363 return mfree(q);
364 }
365
366 int dns_query_new(
367 Manager *m,
368 DnsQuery **ret,
369 DnsQuestion *question_utf8,
370 DnsQuestion *question_idna,
371 int ifindex,
372 uint64_t flags) {
373
374 _cleanup_(dns_query_freep) DnsQuery *q = NULL;
375 DnsResourceKey *key;
376 bool good = false;
377 int r;
378 char key_str[DNS_RESOURCE_KEY_STRING_MAX];
379
380 assert(m);
381
382 if (dns_question_size(question_utf8) > 0) {
383 r = dns_question_is_valid_for_query(question_utf8);
384 if (r < 0)
385 return r;
386 if (r == 0)
387 return -EINVAL;
388
389 good = true;
390 }
391
392 /* If the IDNA and UTF8 questions are the same, merge their references */
393 r = dns_question_is_equal(question_idna, question_utf8);
394 if (r < 0)
395 return r;
396 if (r > 0)
397 question_idna = question_utf8;
398 else {
399 if (dns_question_size(question_idna) > 0) {
400 r = dns_question_is_valid_for_query(question_idna);
401 if (r < 0)
402 return r;
403 if (r == 0)
404 return -EINVAL;
405
406 good = true;
407 }
408 }
409
410 if (!good) /* don't allow empty queries */
411 return -EINVAL;
412
413 if (m->n_dns_queries >= QUERIES_MAX)
414 return -EBUSY;
415
416 q = new0(DnsQuery, 1);
417 if (!q)
418 return -ENOMEM;
419
420 q->question_utf8 = dns_question_ref(question_utf8);
421 q->question_idna = dns_question_ref(question_idna);
422 q->ifindex = ifindex;
423 q->flags = flags;
424 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
425 q->answer_protocol = _DNS_PROTOCOL_INVALID;
426 q->answer_family = AF_UNSPEC;
427
428 /* First dump UTF8 question */
429 DNS_QUESTION_FOREACH(key, question_utf8)
430 log_debug("Looking up RR for %s.",
431 dns_resource_key_to_string(key, key_str, sizeof key_str));
432
433 /* And then dump the IDNA question, but only what hasn't been dumped already through the UTF8 question. */
434 DNS_QUESTION_FOREACH(key, question_idna) {
435 r = dns_question_contains(question_utf8, key);
436 if (r < 0)
437 return r;
438 if (r > 0)
439 continue;
440
441 log_debug("Looking up IDNA RR for %s.",
442 dns_resource_key_to_string(key, key_str, sizeof key_str));
443 }
444
445 LIST_PREPEND(queries, m->dns_queries, q);
446 m->n_dns_queries++;
447 q->manager = m;
448
449 if (ret)
450 *ret = q;
451 q = NULL;
452
453 return 0;
454 }
455
456 int dns_query_make_auxiliary(DnsQuery *q, DnsQuery *auxiliary_for) {
457 assert(q);
458 assert(auxiliary_for);
459
460 /* Ensure that the query is not auxiliary yet, and
461 * nothing else is auxiliary to it either */
462 assert(!q->auxiliary_for);
463 assert(!q->auxiliary_queries);
464
465 /* Ensure that the unit we shall be made auxiliary for isn't
466 * auxiliary itself */
467 assert(!auxiliary_for->auxiliary_for);
468
469 if (auxiliary_for->n_auxiliary_queries >= AUXILIARY_QUERIES_MAX)
470 return -EAGAIN;
471
472 LIST_PREPEND(auxiliary_queries, auxiliary_for->auxiliary_queries, q);
473 q->auxiliary_for = auxiliary_for;
474
475 auxiliary_for->n_auxiliary_queries++;
476 return 0;
477 }
478
479 void dns_query_complete(DnsQuery *q, DnsTransactionState state) {
480 assert(q);
481 assert(!DNS_TRANSACTION_IS_LIVE(state));
482 assert(DNS_TRANSACTION_IS_LIVE(q->state));
483
484 /* Note that this call might invalidate the query. Callers should hence not attempt to access the
485 * query or transaction after calling this function. */
486
487 q->state = state;
488
489 dns_query_stop(q);
490 if (q->complete)
491 q->complete(q);
492 }
493
494 static int on_query_timeout(sd_event_source *s, usec_t usec, void *userdata) {
495 DnsQuery *q = userdata;
496
497 assert(s);
498 assert(q);
499
500 dns_query_complete(q, DNS_TRANSACTION_TIMEOUT);
501 return 0;
502 }
503
504 static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
505 _cleanup_(dns_query_candidate_freep) DnsQueryCandidate *c = NULL;
506 int r;
507
508 assert(q);
509 assert(s);
510
511 r = dns_query_candidate_new(&c, q, s);
512 if (r < 0)
513 return r;
514
515 /* If this a single-label domain on DNS, we might append a suitable search domain first. */
516 if (!FLAGS_SET(q->flags, SD_RESOLVED_NO_SEARCH) &&
517 dns_scope_name_wants_search_domain(s, dns_question_first_name(q->question_idna))) {
518 /* OK, we want a search domain now. Let's find one for this scope */
519
520 r = dns_query_candidate_next_search_domain(c);
521 if (r < 0)
522 return r;
523 }
524
525 r = dns_query_candidate_setup_transactions(c);
526 if (r < 0)
527 return r;
528
529 TAKE_PTR(c);
530 return 0;
531 }
532
533 static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
534 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
535 int r;
536
537 assert(q);
538 assert(state);
539
540 /* Tries to synthesize localhost RR replies (and others) where appropriate. Note that this is done *after* the
541 * the normal lookup finished. The data from the network hence takes precedence over the data we
542 * synthesize. (But note that many scopes refuse to resolve certain domain names) */
543
544 if (!IN_SET(*state,
545 DNS_TRANSACTION_RCODE_FAILURE,
546 DNS_TRANSACTION_NO_SERVERS,
547 DNS_TRANSACTION_TIMEOUT,
548 DNS_TRANSACTION_ATTEMPTS_MAX_REACHED,
549 DNS_TRANSACTION_NETWORK_DOWN,
550 DNS_TRANSACTION_NOT_FOUND))
551 return 0;
552
553 r = dns_synthesize_answer(
554 q->manager,
555 q->question_utf8,
556 q->ifindex,
557 &answer);
558 if (r == -ENXIO) {
559 /* If we get ENXIO this tells us to generate NXDOMAIN unconditionally. */
560
561 dns_query_reset_answer(q);
562 q->answer_rcode = DNS_RCODE_NXDOMAIN;
563 q->answer_protocol = dns_synthesize_protocol(q->flags);
564 q->answer_family = dns_synthesize_family(q->flags);
565 q->answer_authenticated = true;
566 *state = DNS_TRANSACTION_RCODE_FAILURE;
567
568 return 0;
569 }
570 if (r <= 0)
571 return r;
572
573 dns_query_reset_answer(q);
574
575 q->answer = TAKE_PTR(answer);
576 q->answer_rcode = DNS_RCODE_SUCCESS;
577 q->answer_protocol = dns_synthesize_protocol(q->flags);
578 q->answer_family = dns_synthesize_family(q->flags);
579 q->answer_authenticated = true;
580
581 *state = DNS_TRANSACTION_SUCCESS;
582
583 return 1;
584 }
585
586 static int dns_query_try_etc_hosts(DnsQuery *q) {
587 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
588 int r;
589
590 assert(q);
591
592 /* Looks in /etc/hosts for matching entries. Note that this is done *before* the normal lookup is done. The
593 * data from /etc/hosts hence takes precedence over the network. */
594
595 r = manager_etc_hosts_lookup(
596 q->manager,
597 q->question_utf8,
598 &answer);
599 if (r <= 0)
600 return r;
601
602 dns_query_reset_answer(q);
603
604 q->answer = TAKE_PTR(answer);
605 q->answer_rcode = DNS_RCODE_SUCCESS;
606 q->answer_protocol = dns_synthesize_protocol(q->flags);
607 q->answer_family = dns_synthesize_family(q->flags);
608 q->answer_authenticated = true;
609
610 return 1;
611 }
612
613 int dns_query_go(DnsQuery *q) {
614 DnsScopeMatch found = DNS_SCOPE_NO;
615 DnsScope *s, *first = NULL;
616 DnsQueryCandidate *c;
617 int r;
618
619 assert(q);
620
621 if (q->state != DNS_TRANSACTION_NULL)
622 return 0;
623
624 r = dns_query_try_etc_hosts(q);
625 if (r < 0)
626 return r;
627 if (r > 0) {
628 dns_query_complete(q, DNS_TRANSACTION_SUCCESS);
629 return 1;
630 }
631
632 LIST_FOREACH(scopes, s, q->manager->dns_scopes) {
633 DnsScopeMatch match;
634 const char *name;
635
636 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
637 if (!name)
638 continue;
639
640 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
641 if (match < 0) {
642 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
643 continue;
644 }
645
646 if (match > found) { /* Does this match better? If so, remember how well it matched, and the first one
647 * that matches this well */
648 found = match;
649 first = s;
650 }
651 }
652
653 if (found == DNS_SCOPE_NO) {
654 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
655
656 r = dns_query_synthesize_reply(q, &state);
657 if (r < 0)
658 return r;
659
660 dns_query_complete(q, state);
661 return 1;
662 }
663
664 r = dns_query_add_candidate(q, first);
665 if (r < 0)
666 goto fail;
667
668 LIST_FOREACH(scopes, s, first->scopes_next) {
669 DnsScopeMatch match;
670 const char *name;
671
672 name = dns_question_first_name(dns_query_question_for_protocol(q, s->protocol));
673 if (!name)
674 continue;
675
676 match = dns_scope_good_domain(s, q->ifindex, q->flags, name);
677 if (match < 0) {
678 log_debug("Couldn't check if '%s' matches against scope, ignoring.", name);
679 continue;
680 }
681
682 if (match < found)
683 continue;
684
685 r = dns_query_add_candidate(q, s);
686 if (r < 0)
687 goto fail;
688 }
689
690 dns_query_reset_answer(q);
691
692 r = sd_event_add_time_relative(
693 q->manager->event,
694 &q->timeout_event_source,
695 clock_boottime_or_monotonic(),
696 SD_RESOLVED_QUERY_TIMEOUT_USEC,
697 0, on_query_timeout, q);
698 if (r < 0)
699 goto fail;
700
701 (void) sd_event_source_set_description(q->timeout_event_source, "query-timeout");
702
703 q->state = DNS_TRANSACTION_PENDING;
704 q->block_ready++;
705
706 /* Start the transactions */
707 LIST_FOREACH(candidates_by_query, c, q->candidates) {
708 r = dns_query_candidate_go(c);
709 if (r < 0) {
710 q->block_ready--;
711 goto fail;
712 }
713 }
714
715 q->block_ready--;
716 dns_query_ready(q);
717
718 return 1;
719
720 fail:
721 dns_query_stop(q);
722 return r;
723 }
724
725 static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
726 DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
727 bool has_authenticated = false, has_non_authenticated = false;
728 DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
729 DnsTransaction *t;
730 int r;
731
732 assert(q);
733
734 if (!c) {
735 r = dns_query_synthesize_reply(q, &state);
736 if (r < 0)
737 goto fail;
738
739 dns_query_complete(q, state);
740 return;
741 }
742
743 if (c->error_code != 0) {
744 /* If the candidate had an error condition of its own, start with that. */
745 state = DNS_TRANSACTION_ERRNO;
746 q->answer = dns_answer_unref(q->answer);
747 q->answer_rcode = 0;
748 q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
749 q->answer_authenticated = false;
750 q->answer_errno = c->error_code;
751 }
752
753 SET_FOREACH(t, c->transactions) {
754
755 switch (t->state) {
756
757 case DNS_TRANSACTION_SUCCESS: {
758 /* We found a successfully reply, merge it into the answer */
759 r = dns_answer_extend(&q->answer, t->answer);
760 if (r < 0)
761 goto fail;
762
763 q->answer_rcode = t->answer_rcode;
764 q->answer_errno = 0;
765
766 if (t->answer_authenticated) {
767 has_authenticated = true;
768 dnssec_result_authenticated = t->answer_dnssec_result;
769 } else {
770 has_non_authenticated = true;
771 dnssec_result_non_authenticated = t->answer_dnssec_result;
772 }
773
774 state = DNS_TRANSACTION_SUCCESS;
775 break;
776 }
777
778 case DNS_TRANSACTION_NULL:
779 case DNS_TRANSACTION_PENDING:
780 case DNS_TRANSACTION_VALIDATING:
781 case DNS_TRANSACTION_ABORTED:
782 /* Ignore transactions that didn't complete */
783 continue;
784
785 default:
786 /* Any kind of failure? Store the data away, if there's nothing stored yet. */
787 if (state == DNS_TRANSACTION_SUCCESS)
788 continue;
789
790 /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
791 if (q->answer_authenticated && !t->answer_authenticated)
792 continue;
793
794 q->answer = dns_answer_unref(q->answer);
795 q->answer_rcode = t->answer_rcode;
796 q->answer_dnssec_result = t->answer_dnssec_result;
797 q->answer_authenticated = t->answer_authenticated;
798 q->answer_errno = t->answer_errno;
799
800 state = t->state;
801 break;
802 }
803 }
804
805 if (state == DNS_TRANSACTION_SUCCESS) {
806 q->answer_authenticated = has_authenticated && !has_non_authenticated;
807 q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated;
808 }
809
810 q->answer_protocol = c->scope->protocol;
811 q->answer_family = c->scope->family;
812
813 dns_search_domain_unref(q->answer_search_domain);
814 q->answer_search_domain = dns_search_domain_ref(c->search_domain);
815
816 r = dns_query_synthesize_reply(q, &state);
817 if (r < 0)
818 goto fail;
819
820 dns_query_complete(q, state);
821 return;
822
823 fail:
824 q->answer_errno = -r;
825 dns_query_complete(q, DNS_TRANSACTION_ERRNO);
826 }
827
828 void dns_query_ready(DnsQuery *q) {
829
830 DnsQueryCandidate *bad = NULL, *c;
831 bool pending = false;
832
833 assert(q);
834 assert(DNS_TRANSACTION_IS_LIVE(q->state));
835
836 /* Note that this call might invalidate the query. Callers
837 * should hence not attempt to access the query or transaction
838 * after calling this function, unless the block_ready
839 * counter was explicitly bumped before doing so. */
840
841 if (q->block_ready > 0)
842 return;
843
844 LIST_FOREACH(candidates_by_query, c, q->candidates) {
845 DnsTransactionState state;
846
847 state = dns_query_candidate_state(c);
848 switch (state) {
849
850 case DNS_TRANSACTION_SUCCESS:
851 /* One of the candidates is successful,
852 * let's use it, and copy its data out */
853 dns_query_accept(q, c);
854 return;
855
856 case DNS_TRANSACTION_NULL:
857 case DNS_TRANSACTION_PENDING:
858 case DNS_TRANSACTION_VALIDATING:
859 /* One of the candidates is still going on,
860 * let's maybe wait for it */
861 pending = true;
862 break;
863
864 default:
865 /* Any kind of failure */
866 bad = c;
867 break;
868 }
869 }
870
871 if (pending)
872 return;
873
874 dns_query_accept(q, bad);
875 }
876
877 static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname) {
878 _cleanup_(dns_question_unrefp) DnsQuestion *nq_idna = NULL, *nq_utf8 = NULL;
879 int r, k;
880
881 assert(q);
882
883 q->n_cname_redirects++;
884 if (q->n_cname_redirects > CNAME_MAX)
885 return -ELOOP;
886
887 r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
888 if (r < 0)
889 return r;
890 else if (r > 0)
891 log_debug("Following CNAME/DNAME %s → %s.", dns_question_first_name(q->question_idna), dns_question_first_name(nq_idna));
892
893 k = dns_question_is_equal(q->question_idna, q->question_utf8);
894 if (k < 0)
895 return r;
896 if (k > 0) {
897 /* Same question? Shortcut new question generation */
898 nq_utf8 = dns_question_ref(nq_idna);
899 k = r;
900 } else {
901 k = dns_question_cname_redirect(q->question_utf8, cname, &nq_utf8);
902 if (k < 0)
903 return k;
904 else if (k > 0)
905 log_debug("Following UTF8 CNAME/DNAME %s → %s.", dns_question_first_name(q->question_utf8), dns_question_first_name(nq_utf8));
906 }
907
908 if (r == 0 && k == 0) /* No actual cname happened? */
909 return -ELOOP;
910
911 if (q->answer_protocol == DNS_PROTOCOL_DNS)
912 /* Don't permit CNAME redirects from unicast DNS to LLMNR or MulticastDNS, so that global resources
913 * cannot invade the local namespace. The opposite way we permit: local names may redirect to global
914 * ones. */
915 q->flags &= ~(SD_RESOLVED_LLMNR|SD_RESOLVED_MDNS); /* mask away the local protocols */
916
917 /* Turn off searching for the new name */
918 q->flags |= SD_RESOLVED_NO_SEARCH;
919
920 dns_question_unref(q->question_idna);
921 q->question_idna = TAKE_PTR(nq_idna);
922
923 dns_question_unref(q->question_utf8);
924 q->question_utf8 = TAKE_PTR(nq_utf8);
925
926 dns_query_free_candidates(q);
927 dns_query_reset_answer(q);
928
929 q->state = DNS_TRANSACTION_NULL;
930
931 return 0;
932 }
933
934 int dns_query_process_cname(DnsQuery *q) {
935 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *cname = NULL;
936 DnsQuestion *question;
937 DnsResourceRecord *rr;
938 int r;
939
940 assert(q);
941
942 if (!IN_SET(q->state, DNS_TRANSACTION_SUCCESS, DNS_TRANSACTION_NULL))
943 return DNS_QUERY_NOMATCH;
944
945 question = dns_query_question_for_protocol(q, q->answer_protocol);
946
947 DNS_ANSWER_FOREACH(rr, q->answer) {
948 r = dns_question_matches_rr(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
949 if (r < 0)
950 return r;
951 if (r > 0)
952 return DNS_QUERY_MATCH; /* The answer matches directly, no need to follow cnames */
953
954 r = dns_question_matches_cname_or_dname(question, rr, DNS_SEARCH_DOMAIN_NAME(q->answer_search_domain));
955 if (r < 0)
956 return r;
957 if (r > 0 && !cname)
958 cname = dns_resource_record_ref(rr);
959 }
960
961 if (!cname)
962 return DNS_QUERY_NOMATCH; /* No match and no cname to follow */
963
964 if (q->flags & SD_RESOLVED_NO_CNAME)
965 return -ELOOP;
966
967 if (!q->answer_authenticated)
968 q->previous_redirect_unauthenticated = true;
969
970 /* OK, let's actually follow the CNAME */
971 r = dns_query_cname_redirect(q, cname);
972 if (r < 0)
973 return r;
974
975 /* Let's see if the answer can already answer the new
976 * redirected question */
977 r = dns_query_process_cname(q);
978 if (r != DNS_QUERY_NOMATCH)
979 return r;
980
981 /* OK, it cannot, let's begin with the new query */
982 r = dns_query_go(q);
983 if (r < 0)
984 return r;
985
986 return DNS_QUERY_RESTARTED; /* We restarted the query for a new cname */
987 }
988
989 DnsQuestion* dns_query_question_for_protocol(DnsQuery *q, DnsProtocol protocol) {
990 assert(q);
991
992 switch (protocol) {
993
994 case DNS_PROTOCOL_DNS:
995 return q->question_idna;
996
997 case DNS_PROTOCOL_MDNS:
998 case DNS_PROTOCOL_LLMNR:
999 return q->question_utf8;
1000
1001 default:
1002 return NULL;
1003 }
1004 }
1005
1006 const char *dns_query_string(DnsQuery *q) {
1007 const char *name;
1008 int r;
1009
1010 /* Returns a somewhat useful human-readable lookup key string for this query */
1011
1012 if (q->request_address_string)
1013 return q->request_address_string;
1014
1015 if (q->request_address_valid) {
1016 r = in_addr_to_string(q->request_family, &q->request_address, &q->request_address_string);
1017 if (r >= 0)
1018 return q->request_address_string;
1019 }
1020
1021 name = dns_question_first_name(q->question_utf8);
1022 if (name)
1023 return name;
1024
1025 return dns_question_first_name(q->question_idna);
1026 }
1027
1028 bool dns_query_fully_authenticated(DnsQuery *q) {
1029 assert(q);
1030
1031 return q->answer_authenticated && !q->previous_redirect_unauthenticated;
1032 }
Unnamed repository; edit this file 'description' to name the repository.