]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-transaction.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
resolved: rework what ResolveHostname() with family == AF_UNSPEC means
[thirdparty/systemd.git] / src / resolve / resolved-dns-transaction.c
1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
2
3 /***
4 This file is part of systemd.
5
6 Copyright 2014 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 ***/
21
22 #include <sd-messages.h>
23
24 #include "af-list.h"
25 #include "alloc-util.h"
26 #include "dns-domain.h"
27 #include "errno-list.h"
28 #include "fd-util.h"
29 #include "random-util.h"
30 #include "resolved-dns-cache.h"
31 #include "resolved-dns-transaction.h"
32 #include "resolved-llmnr.h"
33 #include "string-table.h"
34
35 #define TRANSACTIONS_MAX 4096
36
37 static void dns_transaction_reset_answer(DnsTransaction *t) {
38 assert(t);
39
40 t->received = dns_packet_unref(t->received);
41 t->answer = dns_answer_unref(t->answer);
42 t->answer_rcode = 0;
43 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
44 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
45 t->answer_authenticated = false;
46 t->answer_nsec_ttl = (uint32_t) -1;
47 t->answer_errno = 0;
48 }
49
50 static void dns_transaction_flush_dnssec_transactions(DnsTransaction *t) {
51 DnsTransaction *z;
52
53 assert(t);
54
55 while ((z = set_steal_first(t->dnssec_transactions))) {
56 set_remove(z->notify_transactions, t);
57 dns_transaction_gc(z);
58 }
59 }
60
61 static void dns_transaction_close_connection(DnsTransaction *t) {
62 assert(t);
63
64 t->stream = dns_stream_free(t->stream);
65 t->dns_udp_event_source = sd_event_source_unref(t->dns_udp_event_source);
66 t->dns_udp_fd = safe_close(t->dns_udp_fd);
67 }
68
69 static void dns_transaction_stop_timeout(DnsTransaction *t) {
70 assert(t);
71
72 t->timeout_event_source = sd_event_source_unref(t->timeout_event_source);
73 }
74
75 DnsTransaction* dns_transaction_free(DnsTransaction *t) {
76 DnsQueryCandidate *c;
77 DnsZoneItem *i;
78 DnsTransaction *z;
79
80 if (!t)
81 return NULL;
82
83 log_debug("Freeing transaction %" PRIu16 ".", t->id);
84
85 dns_transaction_close_connection(t);
86 dns_transaction_stop_timeout(t);
87
88 dns_packet_unref(t->sent);
89 dns_transaction_reset_answer(t);
90
91 dns_server_unref(t->server);
92
93 if (t->scope) {
94 hashmap_remove_value(t->scope->transactions_by_key, t->key, t);
95 LIST_REMOVE(transactions_by_scope, t->scope->transactions, t);
96
97 if (t->id != 0)
98 hashmap_remove(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id));
99 }
100
101 while ((c = set_steal_first(t->notify_query_candidates)))
102 set_remove(c->transactions, t);
103 set_free(t->notify_query_candidates);
104
105 while ((i = set_steal_first(t->notify_zone_items)))
106 i->probe_transaction = NULL;
107 set_free(t->notify_zone_items);
108
109 while ((z = set_steal_first(t->notify_transactions)))
110 set_remove(z->dnssec_transactions, t);
111 set_free(t->notify_transactions);
112
113 dns_transaction_flush_dnssec_transactions(t);
114 set_free(t->dnssec_transactions);
115
116 dns_answer_unref(t->validated_keys);
117 dns_resource_key_unref(t->key);
118 free(t->key_string);
119
120 free(t);
121 return NULL;
122 }
123
124 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsTransaction*, dns_transaction_free);
125
126 bool dns_transaction_gc(DnsTransaction *t) {
127 assert(t);
128
129 if (t->block_gc > 0)
130 return true;
131
132 if (set_isempty(t->notify_query_candidates) &&
133 set_isempty(t->notify_zone_items) &&
134 set_isempty(t->notify_transactions)) {
135 dns_transaction_free(t);
136 return false;
137 }
138
139 return true;
140 }
141
142 static uint16_t pick_new_id(Manager *m) {
143 uint16_t new_id;
144
145 /* Find a fresh, unused transaction id. Note that this loop is bounded because there's a limit on the number of
146 * transactions, and it's much lower than the space of IDs. */
147
148 assert_cc(TRANSACTIONS_MAX < 0xFFFF);
149
150 do
151 random_bytes(&new_id, sizeof(new_id));
152 while (new_id == 0 ||
153 hashmap_get(m->dns_transactions, UINT_TO_PTR(new_id)));
154
155 return new_id;
156 }
157
158 int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key) {
159 _cleanup_(dns_transaction_freep) DnsTransaction *t = NULL;
160 int r;
161
162 assert(ret);
163 assert(s);
164 assert(key);
165
166 /* Don't allow looking up invalid or pseudo RRs */
167 if (!dns_type_is_valid_query(key->type))
168 return -EINVAL;
169 if (dns_type_is_obsolete(key->type))
170 return -EOPNOTSUPP;
171
172 /* We only support the IN class */
173 if (key->class != DNS_CLASS_IN && key->class != DNS_CLASS_ANY)
174 return -EOPNOTSUPP;
175
176 if (hashmap_size(s->manager->dns_transactions) >= TRANSACTIONS_MAX)
177 return -EBUSY;
178
179 r = hashmap_ensure_allocated(&s->manager->dns_transactions, NULL);
180 if (r < 0)
181 return r;
182
183 r = hashmap_ensure_allocated(&s->transactions_by_key, &dns_resource_key_hash_ops);
184 if (r < 0)
185 return r;
186
187 t = new0(DnsTransaction, 1);
188 if (!t)
189 return -ENOMEM;
190
191 t->dns_udp_fd = -1;
192 t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
193 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
194 t->answer_nsec_ttl = (uint32_t) -1;
195 t->key = dns_resource_key_ref(key);
196 t->current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
197
198 t->id = pick_new_id(s->manager);
199
200 r = hashmap_put(s->manager->dns_transactions, UINT_TO_PTR(t->id), t);
201 if (r < 0) {
202 t->id = 0;
203 return r;
204 }
205
206 r = hashmap_replace(s->transactions_by_key, t->key, t);
207 if (r < 0) {
208 hashmap_remove(s->manager->dns_transactions, UINT_TO_PTR(t->id));
209 return r;
210 }
211
212 LIST_PREPEND(transactions_by_scope, s->transactions, t);
213 t->scope = s;
214
215 s->manager->n_transactions_total ++;
216
217 if (ret)
218 *ret = t;
219
220 t = NULL;
221
222 return 0;
223 }
224
225 static void dns_transaction_shuffle_id(DnsTransaction *t) {
226 uint16_t new_id;
227 assert(t);
228
229 /* Pick a new ID for this transaction. */
230
231 new_id = pick_new_id(t->scope->manager);
232 assert_se(hashmap_remove_and_put(t->scope->manager->dns_transactions, UINT_TO_PTR(t->id), UINT_TO_PTR(new_id), t) >= 0);
233
234 log_debug("Transaction %" PRIu16 " is now %" PRIu16 ".", t->id, new_id);
235 t->id = new_id;
236
237 /* Make sure we generate a new packet with the new ID */
238 t->sent = dns_packet_unref(t->sent);
239 }
240
241 static void dns_transaction_tentative(DnsTransaction *t, DnsPacket *p) {
242 _cleanup_free_ char *pretty = NULL;
243 DnsZoneItem *z;
244
245 assert(t);
246 assert(p);
247
248 if (manager_our_packet(t->scope->manager, p) != 0)
249 return;
250
251 in_addr_to_string(p->family, &p->sender, &pretty);
252
253 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s got tentative packet from %s.",
254 t->id,
255 dns_transaction_key_string(t),
256 dns_protocol_to_string(t->scope->protocol),
257 t->scope->link ? t->scope->link->name : "*",
258 t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family),
259 pretty);
260
261 /* RFC 4795, Section 4.1 says that the peer with the
262 * lexicographically smaller IP address loses */
263 if (memcmp(&p->sender, &p->destination, FAMILY_ADDRESS_SIZE(p->family)) >= 0) {
264 log_debug("Peer has lexicographically larger IP address and thus lost in the conflict.");
265 return;
266 }
267
268 log_debug("We have the lexicographically larger IP address and thus lost in the conflict.");
269
270 t->block_gc++;
271 while ((z = set_first(t->notify_zone_items))) {
272 /* First, make sure the zone item drops the reference
273 * to us */
274 dns_zone_item_probe_stop(z);
275
276 /* Secondly, report this as conflict, so that we might
277 * look for a different hostname */
278 dns_zone_item_conflict(z);
279 }
280 t->block_gc--;
281
282 dns_transaction_gc(t);
283 }
284
285 void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
286 DnsQueryCandidate *c;
287 DnsZoneItem *z;
288 DnsTransaction *d;
289 Iterator i;
290 const char *st;
291
292 assert(t);
293 assert(!DNS_TRANSACTION_IS_LIVE(state));
294
295 if (state == DNS_TRANSACTION_DNSSEC_FAILED)
296 log_struct(LOG_NOTICE,
297 LOG_MESSAGE_ID(SD_MESSAGE_DNSSEC_FAILURE),
298 LOG_MESSAGE("DNSSEC validation failed for question %s: %s", dns_transaction_key_string(t), dnssec_result_to_string(t->answer_dnssec_result)),
299 "DNS_TRANSACTION=%" PRIu16, t->id,
300 "DNS_QUESTION=%s", dns_transaction_key_string(t),
301 "DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
302 "DNS_SERVER=%s", dns_server_string(t->server),
303 "DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level),
304 NULL);
305
306 /* Note that this call might invalidate the query. Callers
307 * should hence not attempt to access the query or transaction
308 * after calling this function. */
309
310 if (state == DNS_TRANSACTION_ERRNO)
311 st = errno_to_name(t->answer_errno);
312 else
313 st = dns_transaction_state_to_string(state);
314
315 log_debug("Transaction %" PRIu16 " for <%s> on scope %s on %s/%s now complete with <%s> from %s (%s).",
316 t->id,
317 dns_transaction_key_string(t),
318 dns_protocol_to_string(t->scope->protocol),
319 t->scope->link ? t->scope->link->name : "*",
320 t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family),
321 st,
322 t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
323 t->answer_authenticated ? "authenticated" : "unsigned");
324
325 t->state = state;
326
327 dns_transaction_close_connection(t);
328 dns_transaction_stop_timeout(t);
329
330 /* Notify all queries that are interested, but make sure the
331 * transaction isn't freed while we are still looking at it */
332 t->block_gc++;
333
334 SET_FOREACH(c, t->notify_query_candidates, i)
335 dns_query_candidate_notify(c);
336 SET_FOREACH(z, t->notify_zone_items, i)
337 dns_zone_item_notify(z);
338
339 if (!set_isempty(t->notify_transactions)) {
340 DnsTransaction **nt;
341 unsigned j, n = 0;
342
343 /* We need to be careful when notifying other
344 * transactions, as that might destroy other
345 * transactions in our list. Hence, in order to be
346 * able to safely iterate through the list of
347 * transactions, take a GC lock on all of them
348 * first. Then, in a second loop, notify them, but
349 * first unlock that specific transaction. */
350
351 nt = newa(DnsTransaction*, set_size(t->notify_transactions));
352 SET_FOREACH(d, t->notify_transactions, i) {
353 nt[n++] = d;
354 d->block_gc++;
355 }
356
357 assert(n == set_size(t->notify_transactions));
358
359 for (j = 0; j < n; j++) {
360 if (set_contains(t->notify_transactions, nt[j]))
361 dns_transaction_notify(nt[j], t);
362
363 nt[j]->block_gc--;
364 dns_transaction_gc(nt[j]);
365 }
366 }
367
368 t->block_gc--;
369 dns_transaction_gc(t);
370 }
371
372 static int dns_transaction_pick_server(DnsTransaction *t) {
373 DnsServer *server;
374
375 assert(t);
376 assert(t->scope->protocol == DNS_PROTOCOL_DNS);
377
378 server = dns_scope_get_dns_server(t->scope);
379 if (!server)
380 return -ESRCH;
381
382 t->current_feature_level = dns_server_possible_feature_level(server);
383
384 if (server == t->server)
385 return 0;
386
387 dns_server_unref(t->server);
388 t->server = dns_server_ref(server);
389
390 return 1;
391 }
392
393 static void dns_transaction_retry(DnsTransaction *t) {
394 int r;
395
396 assert(t);
397
398 log_debug("Retrying transaction %" PRIu16 ".", t->id);
399
400 /* Before we try again, switch to a new server. */
401 dns_scope_next_dns_server(t->scope);
402
403 r = dns_transaction_go(t);
404 if (r < 0) {
405 t->answer_errno = -r;
406 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
407 }
408 }
409
410 static int dns_transaction_maybe_restart(DnsTransaction *t) {
411 assert(t);
412
413 if (!t->server)
414 return 0;
415
416 if (t->current_feature_level <= dns_server_possible_feature_level(t->server))
417 return 0;
418
419 /* The server's current feature level is lower than when we sent the original query. We learnt something from
420 the response or possibly an auxiliary DNSSEC response that we didn't know before. We take that as reason to
421 restart the whole transaction. This is a good idea to deal with servers that respond rubbish if we include
422 OPT RR or DO bit. One of these cases is documented here, for example:
423 https://open.nlnetlabs.nl/pipermail/dnssec-trigger/2014-November/000376.html */
424
425 log_debug("Server feature level is now lower than when we began our transaction. Restarting with new ID.");
426 dns_transaction_shuffle_id(t);
427 return dns_transaction_go(t);
428 }
429
430 static int on_stream_complete(DnsStream *s, int error) {
431 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
432 DnsTransaction *t;
433
434 assert(s);
435 assert(s->transaction);
436
437 /* Copy the data we care about out of the stream before we
438 * destroy it. */
439 t = s->transaction;
440 p = dns_packet_ref(s->read_packet);
441
442 t->stream = dns_stream_free(t->stream);
443
444 if (ERRNO_IS_DISCONNECT(error)) {
445 usec_t usec;
446
447 if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
448 /* If the LLMNR/TCP connection failed, the host doesn't support LLMNR, and we cannot answer the
449 * question on this scope. */
450 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
451 return 0;
452 }
453
454 log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
455 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
456 dns_server_packet_lost(t->server, IPPROTO_TCP, t->current_feature_level, usec - t->start_usec);
457
458 dns_transaction_retry(t);
459 return 0;
460 }
461 if (error != 0) {
462 t->answer_errno = error;
463 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
464 return 0;
465 }
466
467 if (dns_packet_validate_reply(p) <= 0) {
468 log_debug("Invalid TCP reply packet.");
469 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
470 return 0;
471 }
472
473 dns_scope_check_conflicts(t->scope, p);
474
475 t->block_gc++;
476 dns_transaction_process_reply(t, p);
477 t->block_gc--;
478
479 /* If the response wasn't useful, then complete the transition
480 * now. After all, we are the worst feature set now with TCP
481 * sockets, and there's really no point in retrying. */
482 if (t->state == DNS_TRANSACTION_PENDING)
483 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
484 else
485 dns_transaction_gc(t);
486
487 return 0;
488 }
489
490 static int dns_transaction_open_tcp(DnsTransaction *t) {
491 _cleanup_close_ int fd = -1;
492 int r;
493
494 assert(t);
495
496 dns_transaction_close_connection(t);
497
498 switch (t->scope->protocol) {
499
500 case DNS_PROTOCOL_DNS:
501 r = dns_transaction_pick_server(t);
502 if (r < 0)
503 return r;
504
505 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type))
506 return -EOPNOTSUPP;
507
508 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
509 if (r < 0)
510 return r;
511
512 fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, 53);
513 break;
514
515 case DNS_PROTOCOL_LLMNR:
516 /* When we already received a reply to this (but it was truncated), send to its sender address */
517 if (t->received)
518 fd = dns_scope_socket_tcp(t->scope, t->received->family, &t->received->sender, NULL, t->received->sender_port);
519 else {
520 union in_addr_union address;
521 int family = AF_UNSPEC;
522
523 /* Otherwise, try to talk to the owner of a
524 * the IP address, in case this is a reverse
525 * PTR lookup */
526
527 r = dns_name_address(DNS_RESOURCE_KEY_NAME(t->key), &family, &address);
528 if (r < 0)
529 return r;
530 if (r == 0)
531 return -EINVAL;
532 if (family != t->scope->family)
533 return -ESRCH;
534
535 fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT);
536 }
537
538 break;
539
540 default:
541 return -EAFNOSUPPORT;
542 }
543
544 if (fd < 0)
545 return fd;
546
547 r = dns_stream_new(t->scope->manager, &t->stream, t->scope->protocol, fd);
548 if (r < 0)
549 return r;
550 fd = -1;
551
552 r = dns_stream_write_packet(t->stream, t->sent);
553 if (r < 0) {
554 t->stream = dns_stream_free(t->stream);
555 return r;
556 }
557
558 t->stream->complete = on_stream_complete;
559 t->stream->transaction = t;
560
561 /* The interface index is difficult to determine if we are
562 * connecting to the local host, hence fill this in right away
563 * instead of determining it from the socket */
564 if (t->scope->link)
565 t->stream->ifindex = t->scope->link->ifindex;
566
567 dns_transaction_reset_answer(t);
568
569 t->tried_stream = true;
570
571 return 0;
572 }
573
574 static void dns_transaction_cache_answer(DnsTransaction *t) {
575 assert(t);
576
577 /* For mDNS we cache whenever we get the packet, rather than
578 * in each transaction. */
579 if (!IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR))
580 return;
581
582 /* We never cache if this packet is from the local host, under
583 * the assumption that a locally running DNS server would
584 * cache this anyway, and probably knows better when to flush
585 * the cache then we could. */
586 if (!DNS_PACKET_SHALL_CACHE(t->received))
587 return;
588
589 dns_cache_put(&t->scope->cache,
590 t->key,
591 t->answer_rcode,
592 t->answer,
593 t->answer_authenticated,
594 t->answer_nsec_ttl,
595 0,
596 t->received->family,
597 &t->received->sender);
598 }
599
600 static bool dns_transaction_dnssec_is_live(DnsTransaction *t) {
601 DnsTransaction *dt;
602 Iterator i;
603
604 assert(t);
605
606 SET_FOREACH(dt, t->dnssec_transactions, i)
607 if (DNS_TRANSACTION_IS_LIVE(dt->state))
608 return true;
609
610 return false;
611 }
612
613 static int dns_transaction_dnssec_ready(DnsTransaction *t) {
614 DnsTransaction *dt;
615 Iterator i;
616
617 assert(t);
618
619 /* Checks whether the auxiliary DNSSEC transactions of our transaction have completed, or are still
620 * ongoing. Returns 0, if we aren't ready for the DNSSEC validation, positive if we are. */
621
622 SET_FOREACH(dt, t->dnssec_transactions, i) {
623
624 switch (dt->state) {
625
626 case DNS_TRANSACTION_NULL:
627 case DNS_TRANSACTION_PENDING:
628 case DNS_TRANSACTION_VALIDATING:
629 /* Still ongoing */
630 return 0;
631
632 case DNS_TRANSACTION_RCODE_FAILURE:
633 if (dt->answer_rcode != DNS_RCODE_NXDOMAIN) {
634 log_debug("Auxiliary DNSSEC RR query failed with rcode=%s.", dns_rcode_to_string(dt->answer_rcode));
635 goto fail;
636 }
637
638 /* Fall-through: NXDOMAIN is good enough for us. This is because some DNS servers erronously
639 * return NXDOMAIN for empty non-terminals (Akamai...), and we need to handle that nicely, when
640 * asking for parent SOA or similar RRs to make unsigned proofs. */
641
642 case DNS_TRANSACTION_SUCCESS:
643 /* All good. */
644 break;
645
646 case DNS_TRANSACTION_DNSSEC_FAILED:
647 /* We handle DNSSEC failures different from other errors, as we care about the DNSSEC
648 * validationr result */
649
650 log_debug("Auxiliary DNSSEC RR query failed validation: %s", dnssec_result_to_string(dt->answer_dnssec_result));
651 t->answer_dnssec_result = dt->answer_dnssec_result; /* Copy error code over */
652 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
653 return 0;
654
655
656 default:
657 log_debug("Auxiliary DNSSEC RR query failed with %s", dns_transaction_state_to_string(dt->state));
658 goto fail;
659 }
660 }
661
662 /* All is ready, we can go and validate */
663 return 1;
664
665 fail:
666 t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
667 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
668 return 0;
669 }
670
671 static void dns_transaction_process_dnssec(DnsTransaction *t) {
672 int r;
673
674 assert(t);
675
676 /* Are there ongoing DNSSEC transactions? If so, let's wait for them. */
677 r = dns_transaction_dnssec_ready(t);
678 if (r < 0)
679 goto fail;
680 if (r == 0) /* We aren't ready yet (or one of our auxiliary transactions failed, and we shouldn't validate now */
681 return;
682
683 /* See if we learnt things from the additional DNSSEC transactions, that we didn't know before, and better
684 * restart the lookup immediately. */
685 r = dns_transaction_maybe_restart(t);
686 if (r < 0)
687 goto fail;
688 if (r > 0) /* Transaction got restarted... */
689 return;
690
691 /* All our auxiliary DNSSEC transactions are complete now. Try
692 * to validate our RRset now. */
693 r = dns_transaction_validate_dnssec(t);
694 if (r == -EBADMSG) {
695 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
696 return;
697 }
698 if (r < 0)
699 goto fail;
700
701 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER &&
702 t->scope->dnssec_mode == DNSSEC_YES) {
703 /* We are not in automatic downgrade mode, and the
704 * server is bad, refuse operation. */
705 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
706 return;
707 }
708
709 if (!IN_SET(t->answer_dnssec_result,
710 _DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
711 DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
712 DNSSEC_UNSIGNED, /* Answer is right-fully unsigned */
713 DNSSEC_INCOMPATIBLE_SERVER)) { /* Server does not do DNSSEC (Yay, we are downgrade attack vulnerable!) */
714 dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
715 return;
716 }
717
718 if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
719 dns_server_warn_downgrade(t->server);
720
721 dns_transaction_cache_answer(t);
722
723 if (t->answer_rcode == DNS_RCODE_SUCCESS)
724 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
725 else
726 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
727
728 return;
729
730 fail:
731 t->answer_errno = -r;
732 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
733 }
734
735 static int dns_transaction_has_positive_answer(DnsTransaction *t, DnsAnswerFlags *flags) {
736 int r;
737
738 assert(t);
739
740 /* Checks whether the answer is positive, i.e. either a direct
741 * answer to the question, or a CNAME/DNAME for it */
742
743 r = dns_answer_match_key(t->answer, t->key, flags);
744 if (r != 0)
745 return r;
746
747 r = dns_answer_find_cname_or_dname(t->answer, t->key, NULL, flags);
748 if (r != 0)
749 return r;
750
751 return false;
752 }
753
754 static int dns_transaction_fix_rcode(DnsTransaction *t) {
755 int r;
756
757 assert(t);
758
759 /* Fix up the RCODE to SUCCESS if we get at least one matching RR in a response. Note that this contradicts the
760 * DNS RFCs a bit. Specifically, RFC 6604 Section 3 clarifies that the RCODE shall say something about a
761 * CNAME/DNAME chain element coming after the last chain element contained in the message, and not the first
762 * one included. However, it also indicates that not all DNS servers implement this correctly. Moreover, when
763 * using DNSSEC we usually only can prove the first element of a CNAME/DNAME chain anyway, hence let's settle
764 * on always processing the RCODE as referring to the immediate look-up we do, i.e. the first element of a
765 * CNAME/DNAME chain. This way, we uniformly handle CNAME/DNAME chains, regardless if the DNS server
766 * incorrectly implements RCODE, whether DNSSEC is in use, or whether the DNS server only supplied us with an
767 * incomplete CNAME/DNAME chain.
768 *
769 * Or in other words: if we get at least one positive reply in a message we patch NXDOMAIN to become SUCCESS,
770 * and then rely on the CNAME chasing logic to figure out that there's actually a CNAME error with a new
771 * lookup. */
772
773 if (t->answer_rcode != DNS_RCODE_NXDOMAIN)
774 return 0;
775
776 r = dns_transaction_has_positive_answer(t, NULL);
777 if (r <= 0)
778 return r;
779
780 t->answer_rcode = DNS_RCODE_SUCCESS;
781 return 0;
782 }
783
784 void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
785 usec_t ts;
786 int r;
787
788 assert(t);
789 assert(p);
790 assert(t->scope);
791 assert(t->scope->manager);
792
793 if (t->state != DNS_TRANSACTION_PENDING)
794 return;
795
796 /* Note that this call might invalidate the query. Callers
797 * should hence not attempt to access the query or transaction
798 * after calling this function. */
799
800 log_debug("Processing incoming packet on transaction %" PRIu16".", t->id);
801
802 switch (t->scope->protocol) {
803
804 case DNS_PROTOCOL_LLMNR:
805 assert(t->scope->link);
806
807 /* For LLMNR we will not accept any packets from other
808 * interfaces */
809
810 if (p->ifindex != t->scope->link->ifindex)
811 return;
812
813 if (p->family != t->scope->family)
814 return;
815
816 /* Tentative packets are not full responses but still
817 * useful for identifying uniqueness conflicts during
818 * probing. */
819 if (DNS_PACKET_LLMNR_T(p)) {
820 dns_transaction_tentative(t, p);
821 return;
822 }
823
824 break;
825
826 case DNS_PROTOCOL_MDNS:
827 assert(t->scope->link);
828
829 /* For mDNS we will not accept any packets from other interfaces */
830 if (p->ifindex != t->scope->link->ifindex)
831 return;
832
833 if (p->family != t->scope->family)
834 return;
835
836 break;
837
838 case DNS_PROTOCOL_DNS:
839 /* Note that we do not need to verify the
840 * addresses/port numbers of incoming traffic, as we
841 * invoked connect() on our UDP socket in which case
842 * the kernel already does the needed verification for
843 * us. */
844 break;
845
846 default:
847 assert_not_reached("Invalid DNS protocol.");
848 }
849
850 if (t->received != p) {
851 dns_packet_unref(t->received);
852 t->received = dns_packet_ref(p);
853 }
854
855 t->answer_source = DNS_TRANSACTION_NETWORK;
856
857 if (p->ipproto == IPPROTO_TCP) {
858 if (DNS_PACKET_TC(p)) {
859 /* Truncated via TCP? Somebody must be fucking with us */
860 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
861 return;
862 }
863
864 if (DNS_PACKET_ID(p) != t->id) {
865 /* Not the reply to our query? Somebody must be fucking with us */
866 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
867 return;
868 }
869 }
870
871 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
872
873 switch (t->scope->protocol) {
874
875 case DNS_PROTOCOL_DNS:
876 assert(t->server);
877
878 if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_FORMERR, DNS_RCODE_SERVFAIL, DNS_RCODE_NOTIMP)) {
879
880 /* Request failed, immediately try again with reduced features */
881 log_debug("Server returned error: %s", dns_rcode_to_string(DNS_PACKET_RCODE(p)));
882
883 dns_server_packet_failed(t->server, t->current_feature_level);
884 dns_transaction_retry(t);
885 return;
886 } else if (DNS_PACKET_TC(p))
887 dns_server_packet_truncated(t->server, t->current_feature_level);
888
889 break;
890
891 case DNS_PROTOCOL_LLMNR:
892 case DNS_PROTOCOL_MDNS:
893 dns_scope_packet_received(t->scope, ts - t->start_usec);
894 break;
895
896 default:
897 assert_not_reached("Invalid DNS protocol.");
898 }
899
900 if (DNS_PACKET_TC(p)) {
901
902 /* Truncated packets for mDNS are not allowed. Give up immediately. */
903 if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
904 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
905 return;
906 }
907
908 log_debug("Reply truncated, retrying via TCP.");
909
910 /* Response was truncated, let's try again with good old TCP */
911 r = dns_transaction_open_tcp(t);
912 if (r == -ESRCH) {
913 /* No servers found? Damn! */
914 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
915 return;
916 }
917 if (r == -EOPNOTSUPP) {
918 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
919 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
920 return;
921 }
922 if (r < 0) {
923 /* On LLMNR, if we cannot connect to the host,
924 * we immediately give up */
925 if (t->scope->protocol != DNS_PROTOCOL_DNS)
926 goto fail;
927
928 /* On DNS, couldn't send? Try immediately again, with a new server */
929 dns_transaction_retry(t);
930 }
931
932 return;
933 }
934
935 /* After the superficial checks, actually parse the message. */
936 r = dns_packet_extract(p);
937 if (r < 0) {
938 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
939 return;
940 }
941
942 /* Report that the OPT RR was missing */
943 if (t->server) {
944 if (!p->opt)
945 dns_server_packet_bad_opt(t->server, t->current_feature_level);
946
947 dns_server_packet_received(t->server, p->ipproto, t->current_feature_level, ts - t->start_usec, p->size);
948 }
949
950 /* See if we know things we didn't know before that indicate we better restart the lookup immediately. */
951 r = dns_transaction_maybe_restart(t);
952 if (r < 0)
953 goto fail;
954 if (r > 0) /* Transaction got restarted... */
955 return;
956
957 if (IN_SET(t->scope->protocol, DNS_PROTOCOL_DNS, DNS_PROTOCOL_LLMNR)) {
958
959 /* Only consider responses with equivalent query section to the request */
960 r = dns_packet_is_reply_for(p, t->key);
961 if (r < 0)
962 goto fail;
963 if (r == 0) {
964 dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
965 return;
966 }
967
968 /* Install the answer as answer to the transaction */
969 dns_answer_unref(t->answer);
970 t->answer = dns_answer_ref(p->answer);
971 t->answer_rcode = DNS_PACKET_RCODE(p);
972 t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
973 t->answer_authenticated = false;
974
975 r = dns_transaction_fix_rcode(t);
976 if (r < 0)
977 goto fail;
978
979 /* Block GC while starting requests for additional DNSSEC RRs */
980 t->block_gc++;
981 r = dns_transaction_request_dnssec_keys(t);
982 t->block_gc--;
983
984 /* Maybe the transaction is ready for GC'ing now? If so, free it and return. */
985 if (!dns_transaction_gc(t))
986 return;
987
988 /* Requesting additional keys might have resulted in
989 * this transaction to fail, since the auxiliary
990 * request failed for some reason. If so, we are not
991 * in pending state anymore, and we should exit
992 * quickly. */
993 if (t->state != DNS_TRANSACTION_PENDING)
994 return;
995 if (r < 0)
996 goto fail;
997 if (r > 0) {
998 /* There are DNSSEC transactions pending now. Update the state accordingly. */
999 t->state = DNS_TRANSACTION_VALIDATING;
1000 dns_transaction_close_connection(t);
1001 dns_transaction_stop_timeout(t);
1002 return;
1003 }
1004 }
1005
1006 dns_transaction_process_dnssec(t);
1007 return;
1008
1009 fail:
1010 t->answer_errno = -r;
1011 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
1012 }
1013
1014 static int on_dns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
1015 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1016 DnsTransaction *t = userdata;
1017 int r;
1018
1019 assert(t);
1020 assert(t->scope);
1021
1022 r = manager_recv(t->scope->manager, fd, DNS_PROTOCOL_DNS, &p);
1023 if (ERRNO_IS_DISCONNECT(-r)) {
1024 usec_t usec;
1025
1026 /* UDP connection failure get reported via ICMP and then are possible delivered to us on the next
1027 * recvmsg(). Treat this like a lost packet. */
1028
1029 log_debug_errno(r, "Connection failure for DNS UDP packet: %m");
1030 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &usec) >= 0);
1031 dns_server_packet_lost(t->server, IPPROTO_UDP, t->current_feature_level, usec - t->start_usec);
1032
1033 dns_transaction_retry(t);
1034 return 0;
1035 }
1036 if (r < 0) {
1037 dns_transaction_complete(t, DNS_TRANSACTION_ERRNO);
1038 t->answer_errno = -r;
1039 return 0;
1040 }
1041
1042 r = dns_packet_validate_reply(p);
1043 if (r < 0) {
1044 log_debug_errno(r, "Received invalid DNS packet as response, ignoring: %m");
1045 return 0;
1046 }
1047 if (r == 0) {
1048 log_debug("Received inappropriate DNS packet as response, ignoring.");
1049 return 0;
1050 }
1051
1052 if (DNS_PACKET_ID(p) != t->id) {
1053 log_debug("Received packet with incorrect transaction ID, ignoring.");
1054 return 0;
1055 }
1056
1057 dns_transaction_process_reply(t, p);
1058 return 0;
1059 }
1060
1061 static int dns_transaction_emit_udp(DnsTransaction *t) {
1062 int r;
1063
1064 assert(t);
1065
1066 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
1067
1068 r = dns_transaction_pick_server(t);
1069 if (r < 0)
1070 return r;
1071
1072 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_UDP)
1073 return -EAGAIN;
1074
1075 if (!dns_server_dnssec_supported(t->server) && dns_type_is_dnssec(t->key->type))
1076 return -EOPNOTSUPP;
1077
1078 if (r > 0 || t->dns_udp_fd < 0) { /* Server changed, or no connection yet. */
1079 int fd;
1080
1081 dns_transaction_close_connection(t);
1082
1083 fd = dns_scope_socket_udp(t->scope, t->server, 53);
1084 if (fd < 0)
1085 return fd;
1086
1087 r = sd_event_add_io(t->scope->manager->event, &t->dns_udp_event_source, fd, EPOLLIN, on_dns_packet, t);
1088 if (r < 0) {
1089 safe_close(fd);
1090 return r;
1091 }
1092
1093 (void) sd_event_source_set_description(t->dns_udp_event_source, "dns-transaction-udp");
1094 t->dns_udp_fd = fd;
1095 }
1096
1097 r = dns_server_adjust_opt(t->server, t->sent, t->current_feature_level);
1098 if (r < 0)
1099 return r;
1100 } else
1101 dns_transaction_close_connection(t);
1102
1103 r = dns_scope_emit_udp(t->scope, t->dns_udp_fd, t->sent);
1104 if (r < 0)
1105 return r;
1106
1107 dns_transaction_reset_answer(t);
1108
1109 return 0;
1110 }
1111
1112 static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdata) {
1113 DnsTransaction *t = userdata;
1114
1115 assert(s);
1116 assert(t);
1117
1118 if (!t->initial_jitter_scheduled || t->initial_jitter_elapsed) {
1119 /* Timeout reached? Increase the timeout for the server used */
1120 switch (t->scope->protocol) {
1121
1122 case DNS_PROTOCOL_DNS:
1123 assert(t->server);
1124 dns_server_packet_lost(t->server, t->stream ? IPPROTO_TCP : IPPROTO_UDP, t->current_feature_level, usec - t->start_usec);
1125 break;
1126
1127 case DNS_PROTOCOL_LLMNR:
1128 case DNS_PROTOCOL_MDNS:
1129 dns_scope_packet_lost(t->scope, usec - t->start_usec);
1130 break;
1131
1132 default:
1133 assert_not_reached("Invalid DNS protocol.");
1134 }
1135
1136 if (t->initial_jitter_scheduled)
1137 t->initial_jitter_elapsed = true;
1138 }
1139
1140 log_debug("Timeout reached on transaction %" PRIu16 ".", t->id);
1141
1142 dns_transaction_retry(t);
1143 return 0;
1144 }
1145
1146 static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
1147 assert(t);
1148 assert(t->scope);
1149
1150 switch (t->scope->protocol) {
1151
1152 case DNS_PROTOCOL_DNS:
1153 assert(t->server);
1154 return t->server->resend_timeout;
1155
1156 case DNS_PROTOCOL_MDNS:
1157 assert(t->n_attempts > 0);
1158 return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
1159
1160 case DNS_PROTOCOL_LLMNR:
1161 return t->scope->resend_timeout;
1162
1163 default:
1164 assert_not_reached("Invalid DNS protocol.");
1165 }
1166 }
1167
1168 static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
1169 int r;
1170
1171 assert(t);
1172
1173 dns_transaction_stop_timeout(t);
1174
1175 r = dns_scope_network_good(t->scope);
1176 if (r < 0)
1177 return r;
1178 if (r == 0) {
1179 dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN);
1180 return 0;
1181 }
1182
1183 if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
1184 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1185 return 0;
1186 }
1187
1188 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && t->tried_stream) {
1189 /* If we already tried via a stream, then we don't
1190 * retry on LLMNR. See RFC 4795, Section 2.7. */
1191 dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
1192 return 0;
1193 }
1194
1195 t->n_attempts++;
1196 t->start_usec = ts;
1197
1198 dns_transaction_reset_answer(t);
1199 dns_transaction_flush_dnssec_transactions(t);
1200
1201 /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
1202 if (t->scope->protocol == DNS_PROTOCOL_DNS) {
1203 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, t->key, &t->answer);
1204 if (r < 0)
1205 return r;
1206 if (r > 0) {
1207 t->answer_rcode = DNS_RCODE_SUCCESS;
1208 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1209 t->answer_authenticated = true;
1210 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1211 return 0;
1212 }
1213
1214 if (dns_name_is_root(DNS_RESOURCE_KEY_NAME(t->key)) &&
1215 t->key->type == DNS_TYPE_DS) {
1216
1217 /* Hmm, this is a request for the root DS? A
1218 * DS RR doesn't exist in the root zone, and
1219 * if our trust anchor didn't know it either,
1220 * this means we cannot do any DNSSEC logic
1221 * anymore. */
1222
1223 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
1224 /* We are in downgrade mode. In this
1225 * case, synthesize an unsigned empty
1226 * response, so that the any lookup
1227 * depending on this one can continue
1228 * assuming there was no DS, and hence
1229 * the root zone was unsigned. */
1230
1231 t->answer_rcode = DNS_RCODE_SUCCESS;
1232 t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
1233 t->answer_authenticated = false;
1234 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1235 } else
1236 /* If we are not in downgrade mode,
1237 * then fail the lookup, because we
1238 * cannot reasonably answer it. There
1239 * might be DS RRs, but we don't know
1240 * them, and the DNS server won't tell
1241 * them to us (and even if it would,
1242 * we couldn't validate it and trust
1243 * it). */
1244 dns_transaction_complete(t, DNS_TRANSACTION_NO_TRUST_ANCHOR);
1245
1246 return 0;
1247 }
1248 }
1249
1250 /* Check the zone, but only if this transaction is not used
1251 * for probing or verifying a zone item. */
1252 if (set_isempty(t->notify_zone_items)) {
1253
1254 r = dns_zone_lookup(&t->scope->zone, t->key, &t->answer, NULL, NULL);
1255 if (r < 0)
1256 return r;
1257 if (r > 0) {
1258 t->answer_rcode = DNS_RCODE_SUCCESS;
1259 t->answer_source = DNS_TRANSACTION_ZONE;
1260 t->answer_authenticated = true;
1261 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1262 return 0;
1263 }
1264 }
1265
1266 /* Check the cache, but only if this transaction is not used
1267 * for probing or verifying a zone item. */
1268 if (set_isempty(t->notify_zone_items)) {
1269
1270 /* Before trying the cache, let's make sure we figured out a
1271 * server to use. Should this cause a change of server this
1272 * might flush the cache. */
1273 dns_scope_get_dns_server(t->scope);
1274
1275 /* Let's then prune all outdated entries */
1276 dns_cache_prune(&t->scope->cache);
1277
1278 r = dns_cache_lookup(&t->scope->cache, t->key, &t->answer_rcode, &t->answer, &t->answer_authenticated);
1279 if (r < 0)
1280 return r;
1281 if (r > 0) {
1282 t->answer_source = DNS_TRANSACTION_CACHE;
1283 if (t->answer_rcode == DNS_RCODE_SUCCESS)
1284 dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
1285 else
1286 dns_transaction_complete(t, DNS_TRANSACTION_RCODE_FAILURE);
1287 return 0;
1288 }
1289 }
1290
1291 return 1;
1292 }
1293
1294 static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
1295
1296 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1297 bool add_known_answers = false;
1298 DnsTransaction *other;
1299 unsigned qdcount;
1300 usec_t ts;
1301 int r;
1302
1303 assert(t);
1304 assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
1305
1306 /* Discard any previously prepared packet, so we can start over and coalesce again */
1307 t->sent = dns_packet_unref(t->sent);
1308
1309 r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
1310 if (r < 0)
1311 return r;
1312
1313 r = dns_packet_append_key(p, t->key, NULL);
1314 if (r < 0)
1315 return r;
1316
1317 qdcount = 1;
1318
1319 if (dns_key_is_shared(t->key))
1320 add_known_answers = true;
1321
1322 /*
1323 * For mDNS, we want to coalesce as many open queries in pending transactions into one single
1324 * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
1325 * in our current scope, and see whether their timing contraints allow them to be sent.
1326 */
1327
1328 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1329
1330 LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
1331
1332 /* Skip ourselves */
1333 if (other == t)
1334 continue;
1335
1336 if (other->state != DNS_TRANSACTION_PENDING)
1337 continue;
1338
1339 if (other->next_attempt_after > ts)
1340 continue;
1341
1342 if (qdcount >= UINT16_MAX)
1343 break;
1344
1345 r = dns_packet_append_key(p, other->key, NULL);
1346
1347 /*
1348 * If we can't stuff more questions into the packet, just give up.
1349 * One of the 'other' transactions will fire later and take care of the rest.
1350 */
1351 if (r == -EMSGSIZE)
1352 break;
1353
1354 if (r < 0)
1355 return r;
1356
1357 r = dns_transaction_prepare(other, ts);
1358 if (r <= 0)
1359 continue;
1360
1361 ts += transaction_get_resend_timeout(other);
1362
1363 r = sd_event_add_time(
1364 other->scope->manager->event,
1365 &other->timeout_event_source,
1366 clock_boottime_or_monotonic(),
1367 ts, 0,
1368 on_transaction_timeout, other);
1369 if (r < 0)
1370 return r;
1371
1372 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1373
1374 other->state = DNS_TRANSACTION_PENDING;
1375 other->next_attempt_after = ts;
1376
1377 qdcount ++;
1378
1379 if (dns_key_is_shared(other->key))
1380 add_known_answers = true;
1381 }
1382
1383 DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
1384
1385 /* Append known answer section if we're asking for any shared record */
1386 if (add_known_answers) {
1387 r = dns_cache_export_shared_to_packet(&t->scope->cache, p);
1388 if (r < 0)
1389 return r;
1390 }
1391
1392 t->sent = p;
1393 p = NULL;
1394
1395 return 0;
1396 }
1397
1398 static int dns_transaction_make_packet(DnsTransaction *t) {
1399 _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
1400 int r;
1401
1402 assert(t);
1403
1404 if (t->scope->protocol == DNS_PROTOCOL_MDNS)
1405 return dns_transaction_make_packet_mdns(t);
1406
1407 if (t->sent)
1408 return 0;
1409
1410 r = dns_packet_new_query(&p, t->scope->protocol, 0, t->scope->dnssec_mode != DNSSEC_NO);
1411 if (r < 0)
1412 return r;
1413
1414 r = dns_packet_append_key(p, t->key, NULL);
1415 if (r < 0)
1416 return r;
1417
1418 DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
1419 DNS_PACKET_HEADER(p)->id = t->id;
1420
1421 t->sent = p;
1422 p = NULL;
1423
1424 return 0;
1425 }
1426
1427 int dns_transaction_go(DnsTransaction *t) {
1428 usec_t ts;
1429 int r;
1430
1431 assert(t);
1432
1433 assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
1434
1435 r = dns_transaction_prepare(t, ts);
1436 if (r <= 0)
1437 return r;
1438
1439 log_debug("Excercising transaction %" PRIu16 " for <%s> on scope %s on %s/%s.",
1440 t->id,
1441 dns_transaction_key_string(t),
1442 dns_protocol_to_string(t->scope->protocol),
1443 t->scope->link ? t->scope->link->name : "*",
1444 t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family));
1445
1446 if (!t->initial_jitter_scheduled &&
1447 (t->scope->protocol == DNS_PROTOCOL_LLMNR ||
1448 t->scope->protocol == DNS_PROTOCOL_MDNS)) {
1449 usec_t jitter, accuracy;
1450
1451 /* RFC 4795 Section 2.7 suggests all queries should be
1452 * delayed by a random time from 0 to JITTER_INTERVAL. */
1453
1454 t->initial_jitter_scheduled = true;
1455
1456 random_bytes(&jitter, sizeof(jitter));
1457
1458 switch (t->scope->protocol) {
1459
1460 case DNS_PROTOCOL_LLMNR:
1461 jitter %= LLMNR_JITTER_INTERVAL_USEC;
1462 accuracy = LLMNR_JITTER_INTERVAL_USEC;
1463 break;
1464
1465 case DNS_PROTOCOL_MDNS:
1466 jitter %= MDNS_JITTER_RANGE_USEC;
1467 jitter += MDNS_JITTER_MIN_USEC;
1468 accuracy = MDNS_JITTER_RANGE_USEC;
1469 break;
1470 default:
1471 assert_not_reached("bad protocol");
1472 }
1473
1474 r = sd_event_add_time(
1475 t->scope->manager->event,
1476 &t->timeout_event_source,
1477 clock_boottime_or_monotonic(),
1478 ts + jitter, accuracy,
1479 on_transaction_timeout, t);
1480 if (r < 0)
1481 return r;
1482
1483 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1484
1485 t->n_attempts = 0;
1486 t->next_attempt_after = ts;
1487 t->state = DNS_TRANSACTION_PENDING;
1488
1489 log_debug("Delaying %s transaction for " USEC_FMT "us.", dns_protocol_to_string(t->scope->protocol), jitter);
1490 return 0;
1491 }
1492
1493 /* Otherwise, we need to ask the network */
1494 r = dns_transaction_make_packet(t);
1495 if (r < 0)
1496 return r;
1497
1498 if (t->scope->protocol == DNS_PROTOCOL_LLMNR &&
1499 (dns_name_endswith(DNS_RESOURCE_KEY_NAME(t->key), "in-addr.arpa") > 0 ||
1500 dns_name_endswith(DNS_RESOURCE_KEY_NAME(t->key), "ip6.arpa") > 0)) {
1501
1502 /* RFC 4795, Section 2.4. says reverse lookups shall
1503 * always be made via TCP on LLMNR */
1504 r = dns_transaction_open_tcp(t);
1505 } else {
1506 /* Try via UDP, and if that fails due to large size or lack of
1507 * support try via TCP */
1508 r = dns_transaction_emit_udp(t);
1509 if (r == -EMSGSIZE)
1510 log_debug("Sending query via TCP since it is too large.");
1511 if (r == -EAGAIN)
1512 log_debug("Sending query via TCP since server doesn't support UDP.");
1513 if (r == -EMSGSIZE || r == -EAGAIN)
1514 r = dns_transaction_open_tcp(t);
1515 }
1516
1517 if (r == -ESRCH) {
1518 /* No servers to send this to? */
1519 dns_transaction_complete(t, DNS_TRANSACTION_NO_SERVERS);
1520 return 0;
1521 }
1522 if (r == -EOPNOTSUPP) {
1523 /* Tried to ask for DNSSEC RRs, on a server that doesn't do DNSSEC */
1524 dns_transaction_complete(t, DNS_TRANSACTION_RR_TYPE_UNSUPPORTED);
1525 return 0;
1526 }
1527 if (t->scope->protocol == DNS_PROTOCOL_LLMNR && ERRNO_IS_DISCONNECT(-r)) {
1528 /* On LLMNR, if we cannot connect to a host via TCP when doing reverse lookups. This means we cannot
1529 * answer this request with this protocol. */
1530 dns_transaction_complete(t, DNS_TRANSACTION_NOT_FOUND);
1531 return 0;
1532 }
1533 if (r < 0) {
1534 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1535 return r;
1536
1537 /* Couldn't send? Try immediately again, with a new server */
1538 dns_scope_next_dns_server(t->scope);
1539
1540 return dns_transaction_go(t);
1541 }
1542
1543 ts += transaction_get_resend_timeout(t);
1544
1545 r = sd_event_add_time(
1546 t->scope->manager->event,
1547 &t->timeout_event_source,
1548 clock_boottime_or_monotonic(),
1549 ts, 0,
1550 on_transaction_timeout, t);
1551 if (r < 0)
1552 return r;
1553
1554 (void) sd_event_source_set_description(t->timeout_event_source, "dns-transaction-timeout");
1555
1556 t->state = DNS_TRANSACTION_PENDING;
1557 t->next_attempt_after = ts;
1558
1559 return 1;
1560 }
1561
1562 static int dns_transaction_find_cyclic(DnsTransaction *t, DnsTransaction *aux) {
1563 DnsTransaction *n;
1564 Iterator i;
1565 int r;
1566
1567 assert(t);
1568 assert(aux);
1569
1570 /* Try to find cyclic dependencies between transaction objects */
1571
1572 if (t == aux)
1573 return 1;
1574
1575 SET_FOREACH(n, aux->dnssec_transactions, i) {
1576 r = dns_transaction_find_cyclic(t, n);
1577 if (r != 0)
1578 return r;
1579 }
1580
1581 return 0;
1582 }
1583
1584 static int dns_transaction_add_dnssec_transaction(DnsTransaction *t, DnsResourceKey *key, DnsTransaction **ret) {
1585 DnsTransaction *aux;
1586 int r;
1587
1588 assert(t);
1589 assert(ret);
1590 assert(key);
1591
1592 aux = dns_scope_find_transaction(t->scope, key, true);
1593 if (!aux) {
1594 r = dns_transaction_new(&aux, t->scope, key);
1595 if (r < 0)
1596 return r;
1597 } else {
1598 if (set_contains(t->dnssec_transactions, aux)) {
1599 *ret = aux;
1600 return 0;
1601 }
1602
1603 r = dns_transaction_find_cyclic(t, aux);
1604 if (r < 0)
1605 return r;
1606 if (r > 0) {
1607 log_debug("Detected potential cyclic dependency, refusing to add transaction %" PRIu16 " (%s) as dependency for %" PRIu16 " (%s).",
1608 aux->id,
1609 strna(dns_transaction_key_string(aux)),
1610 t->id,
1611 strna(dns_transaction_key_string(t)));
1612 return -ELOOP;
1613 }
1614 }
1615
1616 r = set_ensure_allocated(&t->dnssec_transactions, NULL);
1617 if (r < 0)
1618 goto gc;
1619
1620 r = set_ensure_allocated(&aux->notify_transactions, NULL);
1621 if (r < 0)
1622 goto gc;
1623
1624 r = set_put(t->dnssec_transactions, aux);
1625 if (r < 0)
1626 goto gc;
1627
1628 r = set_put(aux->notify_transactions, t);
1629 if (r < 0) {
1630 (void) set_remove(t->dnssec_transactions, aux);
1631 goto gc;
1632 }
1633
1634 *ret = aux;
1635 return 1;
1636
1637 gc:
1638 dns_transaction_gc(aux);
1639 return r;
1640 }
1641
1642 static int dns_transaction_request_dnssec_rr(DnsTransaction *t, DnsResourceKey *key) {
1643 _cleanup_(dns_answer_unrefp) DnsAnswer *a = NULL;
1644 DnsTransaction *aux;
1645 int r;
1646
1647 assert(t);
1648 assert(key);
1649
1650 /* Try to get the data from the trust anchor */
1651 r = dns_trust_anchor_lookup_positive(&t->scope->manager->trust_anchor, key, &a);
1652 if (r < 0)
1653 return r;
1654 if (r > 0) {
1655 r = dns_answer_extend(&t->validated_keys, a);
1656 if (r < 0)
1657 return r;
1658
1659 return 0;
1660 }
1661
1662 /* This didn't work, ask for it via the network/cache then. */
1663 r = dns_transaction_add_dnssec_transaction(t, key, &aux);
1664 if (r == -ELOOP) /* This would result in a cyclic dependency */
1665 return 0;
1666 if (r < 0)
1667 return r;
1668
1669 if (aux->state == DNS_TRANSACTION_NULL) {
1670 r = dns_transaction_go(aux);
1671 if (r < 0)
1672 return r;
1673 }
1674
1675 return 1;
1676 }
1677
1678 static int dns_transaction_negative_trust_anchor_lookup(DnsTransaction *t, const char *name) {
1679 int r;
1680
1681 assert(t);
1682
1683 /* Check whether the specified name is in the the NTA
1684 * database, either in the global one, or the link-local
1685 * one. */
1686
1687 r = dns_trust_anchor_lookup_negative(&t->scope->manager->trust_anchor, name);
1688 if (r != 0)
1689 return r;
1690
1691 if (!t->scope->link)
1692 return 0;
1693
1694 return set_contains(t->scope->link->dnssec_negative_trust_anchors, name);
1695 }
1696
1697 static int dns_transaction_has_unsigned_negative_answer(DnsTransaction *t) {
1698 int r;
1699
1700 assert(t);
1701
1702 /* Checks whether the answer is negative, and lacks NSEC/NSEC3
1703 * RRs to prove it */
1704
1705 r = dns_transaction_has_positive_answer(t, NULL);
1706 if (r < 0)
1707 return r;
1708 if (r > 0)
1709 return false;
1710
1711 /* Is this key explicitly listed as a negative trust anchor?
1712 * If so, it's nothing we need to care about */
1713 r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(t->key));
1714 if (r < 0)
1715 return r;
1716 if (r > 0)
1717 return false;
1718
1719 /* The answer does not contain any RRs that match to the
1720 * question. If so, let's see if there are any NSEC/NSEC3 RRs
1721 * included. If not, the answer is unsigned. */
1722
1723 r = dns_answer_contains_nsec_or_nsec3(t->answer);
1724 if (r < 0)
1725 return r;
1726 if (r > 0)
1727 return false;
1728
1729 return true;
1730 }
1731
1732 static int dns_transaction_is_primary_response(DnsTransaction *t, DnsResourceRecord *rr) {
1733 int r;
1734
1735 assert(t);
1736 assert(rr);
1737
1738 /* Check if the specified RR is the "primary" response,
1739 * i.e. either matches the question precisely or is a
1740 * CNAME/DNAME for it. */
1741
1742 r = dns_resource_key_match_rr(t->key, rr, NULL);
1743 if (r != 0)
1744 return r;
1745
1746 return dns_resource_key_match_cname_or_dname(t->key, rr->key, NULL);
1747 }
1748
1749 static bool dns_transaction_dnssec_supported(DnsTransaction *t) {
1750 assert(t);
1751
1752 /* Checks whether our transaction's DNS server is assumed to be compatible with DNSSEC. Returns false as soon
1753 * as we changed our mind about a server, and now believe it is incompatible with DNSSEC. */
1754
1755 if (t->scope->protocol != DNS_PROTOCOL_DNS)
1756 return false;
1757
1758 /* If we have picked no server, then we are working from the cache or some other source, and DNSSEC might well
1759 * be supported, hence return true. */
1760 if (!t->server)
1761 return true;
1762
1763 if (t->current_feature_level < DNS_SERVER_FEATURE_LEVEL_DO)
1764 return false;
1765
1766 return dns_server_dnssec_supported(t->server);
1767 }
1768
1769 static bool dns_transaction_dnssec_supported_full(DnsTransaction *t) {
1770 DnsTransaction *dt;
1771 Iterator i;
1772
1773 assert(t);
1774
1775 /* Checks whether our transaction our any of the auxiliary transactions couldn't do DNSSEC. */
1776
1777 if (!dns_transaction_dnssec_supported(t))
1778 return false;
1779
1780 SET_FOREACH(dt, t->dnssec_transactions, i)
1781 if (!dns_transaction_dnssec_supported(dt))
1782 return false;
1783
1784 return true;
1785 }
1786
1787 int dns_transaction_request_dnssec_keys(DnsTransaction *t) {
1788 DnsResourceRecord *rr;
1789
1790 int r;
1791
1792 assert(t);
1793
1794 /*
1795 * Retrieve all auxiliary RRs for the answer we got, so that
1796 * we can verify signatures or prove that RRs are rightfully
1797 * unsigned. Specifically:
1798 *
1799 * - For RRSIG we get the matching DNSKEY
1800 * - For DNSKEY we get the matching DS
1801 * - For unsigned SOA/NS we get the matching DS
1802 * - For unsigned CNAME/DNAME/DS we get the parent SOA RR
1803 * - For other unsigned RRs we get the matching SOA RR
1804 * - For SOA/NS/DS queries with no matching response RRs, and no NSEC/NSEC3, the parent's SOA RR
1805 * - For other queries with no matching response RRs, and no NSEC/NSEC3, the SOA RR
1806 */
1807
1808 if (t->scope->dnssec_mode == DNSSEC_NO)
1809 return 0;
1810 if (t->answer_source != DNS_TRANSACTION_NETWORK)
1811 return 0; /* We only need to validate stuff from the network */
1812 if (!dns_transaction_dnssec_supported(t))
1813 return 0; /* If we can't do DNSSEC anyway there's no point in geting the auxiliary RRs */
1814
1815 DNS_ANSWER_FOREACH(rr, t->answer) {
1816
1817 if (dns_type_is_pseudo(rr->key->type))
1818 continue;
1819
1820 /* If this RR is in the negative trust anchor, we don't need to validate it. */
1821 r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(rr->key));
1822 if (r < 0)
1823 return r;
1824 if (r > 0)
1825 continue;
1826
1827 switch (rr->key->type) {
1828
1829 case DNS_TYPE_RRSIG: {
1830 /* For each RRSIG we request the matching DNSKEY */
1831 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dnskey = NULL;
1832
1833 /* If this RRSIG is about a DNSKEY RR and the
1834 * signer is the same as the owner, then we
1835 * already have the DNSKEY, and we don't have
1836 * to look for more. */
1837 if (rr->rrsig.type_covered == DNS_TYPE_DNSKEY) {
1838 r = dns_name_equal(rr->rrsig.signer, DNS_RESOURCE_KEY_NAME(rr->key));
1839 if (r < 0)
1840 return r;
1841 if (r > 0)
1842 continue;
1843 }
1844
1845 /* If the signer is not a parent of our
1846 * original query, then this is about an
1847 * auxiliary RRset, but not anything we asked
1848 * for. In this case we aren't interested,
1849 * because we don't want to request additional
1850 * RRs for stuff we didn't really ask for, and
1851 * also to avoid request loops, where
1852 * additional RRs from one transaction result
1853 * in another transaction whose additonal RRs
1854 * point back to the original transaction, and
1855 * we deadlock. */
1856 r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(t->key), rr->rrsig.signer);
1857 if (r < 0)
1858 return r;
1859 if (r == 0)
1860 continue;
1861
1862 dnskey = dns_resource_key_new(rr->key->class, DNS_TYPE_DNSKEY, rr->rrsig.signer);
1863 if (!dnskey)
1864 return -ENOMEM;
1865
1866 log_debug("Requesting DNSKEY to validate transaction %" PRIu16" (%s, RRSIG with key tag: %" PRIu16 ").", t->id, DNS_RESOURCE_KEY_NAME(rr->key), rr->rrsig.key_tag);
1867 r = dns_transaction_request_dnssec_rr(t, dnskey);
1868 if (r < 0)
1869 return r;
1870 break;
1871 }
1872
1873 case DNS_TYPE_DNSKEY: {
1874 /* For each DNSKEY we request the matching DS */
1875 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
1876
1877 /* If the DNSKEY we are looking at is not for
1878 * zone we are interested in, nor any of its
1879 * parents, we aren't interested, and don't
1880 * request it. After all, we don't want to end
1881 * up in request loops, and want to keep
1882 * additional traffic down. */
1883
1884 r = dns_name_endswith(DNS_RESOURCE_KEY_NAME(t->key), DNS_RESOURCE_KEY_NAME(rr->key));
1885 if (r < 0)
1886 return r;
1887 if (r == 0)
1888 continue;
1889
1890 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, DNS_RESOURCE_KEY_NAME(rr->key));
1891 if (!ds)
1892 return -ENOMEM;
1893
1894 log_debug("Requesting DS to validate transaction %" PRIu16" (%s, DNSKEY with key tag: %" PRIu16 ").", t->id, DNS_RESOURCE_KEY_NAME(rr->key), dnssec_keytag(rr, false));
1895 r = dns_transaction_request_dnssec_rr(t, ds);
1896 if (r < 0)
1897 return r;
1898
1899 break;
1900 }
1901
1902 case DNS_TYPE_SOA:
1903 case DNS_TYPE_NS: {
1904 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *ds = NULL;
1905
1906 /* For an unsigned SOA or NS, try to acquire
1907 * the matching DS RR, as we are at a zone cut
1908 * then, and whether a DS exists tells us
1909 * whether the zone is signed. Do so only if
1910 * this RR matches our original question,
1911 * however. */
1912
1913 r = dns_resource_key_match_rr(t->key, rr, NULL);
1914 if (r < 0)
1915 return r;
1916 if (r == 0)
1917 continue;
1918
1919 r = dnssec_has_rrsig(t->answer, rr->key);
1920 if (r < 0)
1921 return r;
1922 if (r > 0)
1923 continue;
1924
1925 ds = dns_resource_key_new(rr->key->class, DNS_TYPE_DS, DNS_RESOURCE_KEY_NAME(rr->key));
1926 if (!ds)
1927 return -ENOMEM;
1928
1929 log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned SOA/NS RRset).", t->id, DNS_RESOURCE_KEY_NAME(rr->key));
1930 r = dns_transaction_request_dnssec_rr(t, ds);
1931 if (r < 0)
1932 return r;
1933
1934 break;
1935 }
1936
1937 case DNS_TYPE_DS:
1938 case DNS_TYPE_CNAME:
1939 case DNS_TYPE_DNAME: {
1940 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
1941 const char *name;
1942
1943 /* CNAMEs and DNAMEs cannot be located at a
1944 * zone apex, hence ask for the parent SOA for
1945 * unsigned CNAME/DNAME RRs, maybe that's the
1946 * apex. But do all that only if this is
1947 * actually a response to our original
1948 * question.
1949 *
1950 * Similar for DS RRs, which are signed when
1951 * the parent SOA is signed. */
1952
1953 r = dns_transaction_is_primary_response(t, rr);
1954 if (r < 0)
1955 return r;
1956 if (r == 0)
1957 continue;
1958
1959 r = dnssec_has_rrsig(t->answer, rr->key);
1960 if (r < 0)
1961 return r;
1962 if (r > 0)
1963 continue;
1964
1965 r = dns_answer_has_dname_for_cname(t->answer, rr);
1966 if (r < 0)
1967 return r;
1968 if (r > 0)
1969 continue;
1970
1971 name = DNS_RESOURCE_KEY_NAME(rr->key);
1972 r = dns_name_parent(&name);
1973 if (r < 0)
1974 return r;
1975 if (r == 0)
1976 continue;
1977
1978 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, name);
1979 if (!soa)
1980 return -ENOMEM;
1981
1982 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned CNAME/DNAME/DS RRset).", t->id, DNS_RESOURCE_KEY_NAME(rr->key));
1983 r = dns_transaction_request_dnssec_rr(t, soa);
1984 if (r < 0)
1985 return r;
1986
1987 break;
1988 }
1989
1990 default: {
1991 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
1992
1993 /* For other unsigned RRsets (including
1994 * NSEC/NSEC3!), look for proof the zone is
1995 * unsigned, by requesting the SOA RR of the
1996 * zone. However, do so only if they are
1997 * directly relevant to our original
1998 * question. */
1999
2000 r = dns_transaction_is_primary_response(t, rr);
2001 if (r < 0)
2002 return r;
2003 if (r == 0)
2004 continue;
2005
2006 r = dnssec_has_rrsig(t->answer, rr->key);
2007 if (r < 0)
2008 return r;
2009 if (r > 0)
2010 continue;
2011
2012 soa = dns_resource_key_new(rr->key->class, DNS_TYPE_SOA, DNS_RESOURCE_KEY_NAME(rr->key));
2013 if (!soa)
2014 return -ENOMEM;
2015
2016 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned non-SOA/NS RRset <%s>).", t->id, DNS_RESOURCE_KEY_NAME(rr->key), dns_resource_record_to_string(rr));
2017 r = dns_transaction_request_dnssec_rr(t, soa);
2018 if (r < 0)
2019 return r;
2020 break;
2021 }}
2022 }
2023
2024 /* Above, we requested everything necessary to validate what
2025 * we got. Now, let's request what we need to validate what we
2026 * didn't get... */
2027
2028 r = dns_transaction_has_unsigned_negative_answer(t);
2029 if (r < 0)
2030 return r;
2031 if (r > 0) {
2032 const char *name;
2033
2034 name = DNS_RESOURCE_KEY_NAME(t->key);
2035
2036 /* If this was a SOA or NS request, then this
2037 * indicates that we are not at a zone apex, hence ask
2038 * the parent name instead. If this was a DS request,
2039 * then it's signed when the parent zone is signed,
2040 * hence ask the parent in that case, too. */
2041
2042 if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) {
2043 r = dns_name_parent(&name);
2044 if (r < 0)
2045 return r;
2046 if (r > 0)
2047 log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS/DS response).", t->id, DNS_RESOURCE_KEY_NAME(t->key));
2048 else
2049 name = NULL;
2050 } else
2051 log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).", t->id, DNS_RESOURCE_KEY_NAME(t->key));
2052
2053 if (name) {
2054 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *soa = NULL;
2055
2056 soa = dns_resource_key_new(t->key->class, DNS_TYPE_SOA, name);
2057 if (!soa)
2058 return -ENOMEM;
2059
2060 r = dns_transaction_request_dnssec_rr(t, soa);
2061 if (r < 0)
2062 return r;
2063 }
2064 }
2065
2066 return dns_transaction_dnssec_is_live(t);
2067 }
2068
2069 void dns_transaction_notify(DnsTransaction *t, DnsTransaction *source) {
2070 assert(t);
2071 assert(source);
2072
2073 /* Invoked whenever any of our auxiliary DNSSEC transactions completed its work. If the state is still PENDING,
2074 we are still in the loop that adds further DNSSEC transactions, hence don't check if we are ready yet. If
2075 the state is VALIDATING however, we should check if we are complete now. */
2076
2077 if (t->state == DNS_TRANSACTION_VALIDATING)
2078 dns_transaction_process_dnssec(t);
2079 }
2080
2081 static int dns_transaction_validate_dnskey_by_ds(DnsTransaction *t) {
2082 DnsResourceRecord *rr;
2083 int ifindex, r;
2084
2085 assert(t);
2086
2087 /* Add all DNSKEY RRs from the answer that are validated by DS
2088 * RRs from the list of validated keys to the list of
2089 * validated keys. */
2090
2091 DNS_ANSWER_FOREACH_IFINDEX(rr, ifindex, t->answer) {
2092
2093 r = dnssec_verify_dnskey_by_ds_search(rr, t->validated_keys);
2094 if (r < 0)
2095 return r;
2096 if (r == 0)
2097 continue;
2098
2099 /* If so, the DNSKEY is validated too. */
2100 r = dns_answer_add_extend(&t->validated_keys, rr, ifindex, DNS_ANSWER_AUTHENTICATED);
2101 if (r < 0)
2102 return r;
2103 }
2104
2105 return 0;
2106 }
2107
2108 static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *rr) {
2109 int r;
2110
2111 assert(t);
2112 assert(rr);
2113
2114 /* Checks if the RR we are looking for must be signed with an
2115 * RRSIG. This is used for positive responses. */
2116
2117 if (t->scope->dnssec_mode == DNSSEC_NO)
2118 return false;
2119
2120 if (dns_type_is_pseudo(rr->key->type))
2121 return -EINVAL;
2122
2123 r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(rr->key));
2124 if (r < 0)
2125 return r;
2126 if (r > 0)
2127 return false;
2128
2129 switch (rr->key->type) {
2130
2131 case DNS_TYPE_RRSIG:
2132 /* RRSIGs are the signatures themselves, they need no signing. */
2133 return false;
2134
2135 case DNS_TYPE_SOA:
2136 case DNS_TYPE_NS: {
2137 DnsTransaction *dt;
2138 Iterator i;
2139
2140 /* For SOA or NS RRs we look for a matching DS transaction */
2141
2142 SET_FOREACH(dt, t->dnssec_transactions, i) {
2143
2144 if (dt->key->class != rr->key->class)
2145 continue;
2146 if (dt->key->type != DNS_TYPE_DS)
2147 continue;
2148
2149 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), DNS_RESOURCE_KEY_NAME(rr->key));
2150 if (r < 0)
2151 return r;
2152 if (r == 0)
2153 continue;
2154
2155 /* We found a DS transactions for the SOA/NS
2156 * RRs we are looking at. If it discovered signed DS
2157 * RRs, then we need to be signed, too. */
2158
2159 if (!dt->answer_authenticated)
2160 return false;
2161
2162 return dns_answer_match_key(dt->answer, dt->key, NULL);
2163 }
2164
2165 /* We found nothing that proves this is safe to leave
2166 * this unauthenticated, hence ask inist on
2167 * authentication. */
2168 return true;
2169 }
2170
2171 case DNS_TYPE_DS:
2172 case DNS_TYPE_CNAME:
2173 case DNS_TYPE_DNAME: {
2174 const char *parent = NULL;
2175 DnsTransaction *dt;
2176 Iterator i;
2177
2178 /*
2179 * CNAME/DNAME RRs cannot be located at a zone apex, hence look directly for the parent SOA.
2180 *
2181 * DS RRs are signed if the parent is signed, hence also look at the parent SOA
2182 */
2183
2184 SET_FOREACH(dt, t->dnssec_transactions, i) {
2185
2186 if (dt->key->class != rr->key->class)
2187 continue;
2188 if (dt->key->type != DNS_TYPE_SOA)
2189 continue;
2190
2191 if (!parent) {
2192 parent = DNS_RESOURCE_KEY_NAME(rr->key);
2193 r = dns_name_parent(&parent);
2194 if (r < 0)
2195 return r;
2196 if (r == 0) {
2197 if (rr->key->type == DNS_TYPE_DS)
2198 return true;
2199
2200 /* A CNAME/DNAME without a parent? That's sooo weird. */
2201 log_debug("Transaction %" PRIu16 " claims CNAME/DNAME at root. Refusing.", t->id);
2202 return -EBADMSG;
2203 }
2204 }
2205
2206 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), parent);
2207 if (r < 0)
2208 return r;
2209 if (r == 0)
2210 continue;
2211
2212 return t->answer_authenticated;
2213 }
2214
2215 return true;
2216 }
2217
2218 default: {
2219 DnsTransaction *dt;
2220 Iterator i;
2221
2222 /* Any other kind of RR (including DNSKEY/NSEC/NSEC3). Let's see if our SOA lookup was authenticated */
2223
2224 SET_FOREACH(dt, t->dnssec_transactions, i) {
2225
2226 if (dt->key->class != rr->key->class)
2227 continue;
2228 if (dt->key->type != DNS_TYPE_SOA)
2229 continue;
2230
2231 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), DNS_RESOURCE_KEY_NAME(rr->key));
2232 if (r < 0)
2233 return r;
2234 if (r == 0)
2235 continue;
2236
2237 /* We found the transaction that was supposed to find
2238 * the SOA RR for us. It was successful, but found no
2239 * RR for us. This means we are not at a zone cut. In
2240 * this case, we require authentication if the SOA
2241 * lookup was authenticated too. */
2242 return t->answer_authenticated;
2243 }
2244
2245 return true;
2246 }}
2247 }
2248
2249 static int dns_transaction_in_private_tld(DnsTransaction *t, const DnsResourceKey *key) {
2250 DnsTransaction *dt;
2251 const char *tld;
2252 Iterator i;
2253 int r;
2254
2255 /* If DNSSEC downgrade mode is on, checks whether the
2256 * specified RR is one level below a TLD we have proven not to
2257 * exist. In such a case we assume that this is a private
2258 * domain, and permit it.
2259 *
2260 * This detects cases like the Fritz!Box router networks. Each
2261 * Fritz!Box router serves a private "fritz.box" zone, in the
2262 * non-existing TLD "box". Requests for the "fritz.box" domain
2263 * are served by the router itself, while requests for the
2264 * "box" domain will result in NXDOMAIN.
2265 *
2266 * Note that this logic is unable to detect cases where a
2267 * router serves a private DNS zone directly under
2268 * non-existing TLD. In such a case we cannot detect whether
2269 * the TLD is supposed to exist or not, as all requests we
2270 * make for it will be answered by the router's zone, and not
2271 * by the root zone. */
2272
2273 assert(t);
2274
2275 if (t->scope->dnssec_mode != DNSSEC_ALLOW_DOWNGRADE)
2276 return false; /* In strict DNSSEC mode what doesn't exist, doesn't exist */
2277
2278 tld = DNS_RESOURCE_KEY_NAME(key);
2279 r = dns_name_parent(&tld);
2280 if (r < 0)
2281 return r;
2282 if (r == 0)
2283 return false; /* Already the root domain */
2284
2285 if (!dns_name_is_single_label(tld))
2286 return false;
2287
2288 SET_FOREACH(dt, t->dnssec_transactions, i) {
2289
2290 if (dt->key->class != key->class)
2291 continue;
2292
2293 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), tld);
2294 if (r < 0)
2295 return r;
2296 if (r == 0)
2297 continue;
2298
2299 /* We found an auxiliary lookup we did for the TLD. If
2300 * that returned with NXDOMAIN, we know the TLD didn't
2301 * exist, and hence this might be a private zone. */
2302
2303 return dt->answer_rcode == DNS_RCODE_NXDOMAIN;
2304 }
2305
2306 return false;
2307 }
2308
2309 static int dns_transaction_requires_nsec(DnsTransaction *t) {
2310 DnsTransaction *dt;
2311 const char *name;
2312 Iterator i;
2313 int r;
2314
2315 assert(t);
2316
2317 /* Checks if we need to insist on NSEC/NSEC3 RRs for proving
2318 * this negative reply */
2319
2320 if (t->scope->dnssec_mode == DNSSEC_NO)
2321 return false;
2322
2323 if (dns_type_is_pseudo(t->key->type))
2324 return -EINVAL;
2325
2326 r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(t->key));
2327 if (r < 0)
2328 return r;
2329 if (r > 0)
2330 return false;
2331
2332 r = dns_transaction_in_private_tld(t, t->key);
2333 if (r < 0)
2334 return r;
2335 if (r > 0) {
2336 /* The lookup is from a TLD that is proven not to
2337 * exist, and we are in downgrade mode, hence ignore
2338 * that fact that we didn't get any NSEC RRs.*/
2339
2340 log_info("Detected a negative query %s in a private DNS zone, permitting unsigned response.", dns_transaction_key_string(t));
2341 return false;
2342 }
2343
2344 name = DNS_RESOURCE_KEY_NAME(t->key);
2345
2346 if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS, DNS_TYPE_DS)) {
2347
2348 /* We got a negative reply for this SOA/NS lookup? If
2349 * so, then we are not at a zone apex, and thus should
2350 * look at the result of the parent SOA lookup.
2351 *
2352 * We got a negative reply for this DS lookup? DS RRs
2353 * are signed when their parent zone is signed, hence
2354 * also check the parent SOA in this case. */
2355
2356 r = dns_name_parent(&name);
2357 if (r < 0)
2358 return r;
2359 if (r == 0)
2360 return true;
2361 }
2362
2363 /* For all other RRs we check the SOA on the same level to see
2364 * if it's signed. */
2365
2366 SET_FOREACH(dt, t->dnssec_transactions, i) {
2367
2368 if (dt->key->class != t->key->class)
2369 continue;
2370 if (dt->key->type != DNS_TYPE_SOA)
2371 continue;
2372
2373 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), name);
2374 if (r < 0)
2375 return r;
2376 if (r == 0)
2377 continue;
2378
2379 return dt->answer_authenticated;
2380 }
2381
2382 /* If in doubt, require NSEC/NSEC3 */
2383 return true;
2384 }
2385
2386 static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRecord *rr) {
2387 DnsResourceRecord *rrsig;
2388 bool found = false;
2389 int r;
2390
2391 /* Checks whether any of the DNSKEYs used for the RRSIGs for
2392 * the specified RRset is authenticated (i.e. has a matching
2393 * DS RR). */
2394
2395 r = dns_transaction_negative_trust_anchor_lookup(t, DNS_RESOURCE_KEY_NAME(rr->key));
2396 if (r < 0)
2397 return r;
2398 if (r > 0)
2399 return false;
2400
2401 DNS_ANSWER_FOREACH(rrsig, t->answer) {
2402 DnsTransaction *dt;
2403 Iterator i;
2404
2405 r = dnssec_key_match_rrsig(rr->key, rrsig);
2406 if (r < 0)
2407 return r;
2408 if (r == 0)
2409 continue;
2410
2411 SET_FOREACH(dt, t->dnssec_transactions, i) {
2412
2413 if (dt->key->class != rr->key->class)
2414 continue;
2415
2416 if (dt->key->type == DNS_TYPE_DNSKEY) {
2417
2418 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), rrsig->rrsig.signer);
2419 if (r < 0)
2420 return r;
2421 if (r == 0)
2422 continue;
2423
2424 /* OK, we found an auxiliary DNSKEY
2425 * lookup. If that lookup is
2426 * authenticated, report this. */
2427
2428 if (dt->answer_authenticated)
2429 return true;
2430
2431 found = true;
2432
2433 } else if (dt->key->type == DNS_TYPE_DS) {
2434
2435 r = dns_name_equal(DNS_RESOURCE_KEY_NAME(dt->key), rrsig->rrsig.signer);
2436 if (r < 0)
2437 return r;
2438 if (r == 0)
2439 continue;
2440
2441 /* OK, we found an auxiliary DS
2442 * lookup. If that lookup is
2443 * authenticated and non-zero, we
2444 * won! */
2445
2446 if (!dt->answer_authenticated)
2447 return false;
2448
2449 return dns_answer_match_key(dt->answer, dt->key, NULL);
2450 }
2451 }
2452 }
2453
2454 return found ? false : -ENXIO;
2455 }
2456
2457 static int dns_transaction_known_signed(DnsTransaction *t, DnsResourceRecord *rr) {
2458 assert(t);
2459 assert(rr);
2460
2461 /* We know that the root domain is signed, hence if it appears
2462 * not to be signed, there's a problem with the DNS server */
2463
2464 return rr->key->class == DNS_CLASS_IN &&
2465 dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr->key));
2466 }
2467
2468 static int dns_transaction_check_revoked_trust_anchors(DnsTransaction *t) {
2469 DnsResourceRecord *rr;
2470 int r;
2471
2472 assert(t);
2473
2474 /* Maybe warn the user that we encountered a revoked DNSKEY
2475 * for a key from our trust anchor. Note that we don't care
2476 * whether the DNSKEY can be authenticated or not. It's
2477 * sufficient if it is self-signed. */
2478
2479 DNS_ANSWER_FOREACH(rr, t->answer) {
2480 r = dns_trust_anchor_check_revoked(&t->scope->manager->trust_anchor, rr, t->answer);
2481 if (r < 0)
2482 return r;
2483 }
2484
2485 return 0;
2486 }
2487
2488 static int dns_transaction_invalidate_revoked_keys(DnsTransaction *t) {
2489 bool changed;
2490 int r;
2491
2492 assert(t);
2493
2494 /* Removes all DNSKEY/DS objects from t->validated_keys that
2495 * our trust anchors database considers revoked. */
2496
2497 do {
2498 DnsResourceRecord *rr;
2499
2500 changed = false;
2501
2502 DNS_ANSWER_FOREACH(rr, t->validated_keys) {
2503 r = dns_trust_anchor_is_revoked(&t->scope->manager->trust_anchor, rr);
2504 if (r < 0)
2505 return r;
2506 if (r > 0) {
2507 r = dns_answer_remove_by_rr(&t->validated_keys, rr);
2508 if (r < 0)
2509 return r;
2510
2511 assert(r > 0);
2512 changed = true;
2513 break;
2514 }
2515 }
2516 } while (changed);
2517
2518 return 0;
2519 }
2520
2521 static int dns_transaction_copy_validated(DnsTransaction *t) {
2522 DnsTransaction *dt;
2523 Iterator i;
2524 int r;
2525
2526 assert(t);
2527
2528 /* Copy all validated RRs from the auxiliary DNSSEC transactions into our set of validated RRs */
2529
2530 SET_FOREACH(dt, t->dnssec_transactions, i) {
2531
2532 if (DNS_TRANSACTION_IS_LIVE(dt->state))
2533 continue;
2534
2535 if (!dt->answer_authenticated)
2536 continue;
2537
2538 r = dns_answer_extend(&t->validated_keys, dt->answer);
2539 if (r < 0)
2540 return r;
2541 }
2542
2543 return 0;
2544 }
2545
2546 int dns_transaction_validate_dnssec(DnsTransaction *t) {
2547 _cleanup_(dns_answer_unrefp) DnsAnswer *validated = NULL;
2548 enum {
2549 PHASE_DNSKEY, /* Phase #1, only validate DNSKEYs */
2550 PHASE_NSEC, /* Phase #2, only validate NSEC+NSEC3 */
2551 PHASE_ALL, /* Phase #3, validate everything else */
2552 } phase;
2553 DnsResourceRecord *rr;
2554 DnsAnswerFlags flags;
2555 int r;
2556
2557 assert(t);
2558
2559 /* We have now collected all DS and DNSKEY RRs in
2560 * t->validated_keys, let's see which RRs we can now
2561 * authenticate with that. */
2562
2563 if (t->scope->dnssec_mode == DNSSEC_NO)
2564 return 0;
2565
2566 /* Already validated */
2567 if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
2568 return 0;
2569
2570 /* Our own stuff needs no validation */
2571 if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
2572 t->answer_dnssec_result = DNSSEC_VALIDATED;
2573 t->answer_authenticated = true;
2574 return 0;
2575 }
2576
2577 /* Cached stuff is not affected by validation. */
2578 if (t->answer_source != DNS_TRANSACTION_NETWORK)
2579 return 0;
2580
2581 if (!dns_transaction_dnssec_supported_full(t)) {
2582 /* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
2583 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
2584 log_debug("Not validating response for %" PRIu16 ", server lacks DNSSEC support.", t->id);
2585 return 0;
2586 }
2587
2588 log_debug("Validating response from transaction %" PRIu16 " (%s).", t->id, dns_transaction_key_string(t));
2589
2590 /* First, see if this response contains any revoked trust
2591 * anchors we care about */
2592 r = dns_transaction_check_revoked_trust_anchors(t);
2593 if (r < 0)
2594 return r;
2595
2596 /* Third, copy all RRs we acquired successfully from auxiliary RRs over. */
2597 r = dns_transaction_copy_validated(t);
2598 if (r < 0)
2599 return r;
2600
2601 /* Second, see if there are DNSKEYs we already know a
2602 * validated DS for. */
2603 r = dns_transaction_validate_dnskey_by_ds(t);
2604 if (r < 0)
2605 return r;
2606
2607 /* Fourth, remove all DNSKEY and DS RRs again that our trust
2608 * anchor says are revoked. After all we might have marked
2609 * some keys revoked above, but they might still be lingering
2610 * in our validated_keys list. */
2611 r = dns_transaction_invalidate_revoked_keys(t);
2612 if (r < 0)
2613 return r;
2614
2615 phase = PHASE_DNSKEY;
2616 for (;;) {
2617 bool changed = false, have_nsec = false;
2618
2619 DNS_ANSWER_FOREACH(rr, t->answer) {
2620 DnsResourceRecord *rrsig = NULL;
2621 DnssecResult result;
2622
2623 switch (rr->key->type) {
2624
2625 case DNS_TYPE_RRSIG:
2626 continue;
2627
2628 case DNS_TYPE_DNSKEY:
2629 /* We validate DNSKEYs only in the DNSKEY and ALL phases */
2630 if (phase == PHASE_NSEC)
2631 continue;
2632 break;
2633
2634 case DNS_TYPE_NSEC:
2635 case DNS_TYPE_NSEC3:
2636 have_nsec = true;
2637
2638 /* We validate NSEC/NSEC3 only in the NSEC and ALL phases */
2639 if (phase == PHASE_DNSKEY)
2640 continue;
2641
2642 break;
2643
2644 default:
2645 /* We validate all other RRs only in the ALL phases */
2646 if (phase != PHASE_ALL)
2647 continue;
2648
2649 break;
2650 }
2651
2652 r = dnssec_verify_rrset_search(t->answer, rr->key, t->validated_keys, USEC_INFINITY, &result, &rrsig);
2653 if (r < 0)
2654 return r;
2655
2656 log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
2657
2658 if (result == DNSSEC_VALIDATED) {
2659
2660 if (rr->key->type == DNS_TYPE_DNSKEY) {
2661 /* If we just validated a
2662 * DNSKEY RRset, then let's
2663 * add these keys to the set
2664 * of validated keys for this
2665 * transaction. */
2666
2667 r = dns_answer_copy_by_key(&t->validated_keys, t->answer, rr->key, DNS_ANSWER_AUTHENTICATED);
2668 if (r < 0)
2669 return r;
2670
2671 /* some of the DNSKEYs we just
2672 * added might already have
2673 * been revoked, remove them
2674 * again in that case. */
2675 r = dns_transaction_invalidate_revoked_keys(t);
2676 if (r < 0)
2677 return r;
2678 }
2679
2680 /* Add the validated RRset to the new
2681 * list of validated RRsets, and
2682 * remove it from the unvalidated
2683 * RRsets. We mark the RRset as
2684 * authenticated and cacheable. */
2685 r = dns_answer_move_by_key(&validated, &t->answer, rr->key, DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE);
2686 if (r < 0)
2687 return r;
2688
2689 manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
2690
2691 /* Exit the loop, we dropped something from the answer, start from the beginning */
2692 changed = true;
2693 break;
2694 }
2695
2696 /* If we haven't read all DNSKEYs yet a negative result of the validation is irrelevant, as
2697 * there might be more DNSKEYs coming. Similar, if we haven't read all NSEC/NSEC3 RRs yet, we
2698 * cannot do positive wildcard proofs yet, as those require the NSEC/NSEC3 RRs. */
2699 if (phase != PHASE_ALL)
2700 continue;
2701
2702 if (result == DNSSEC_VALIDATED_WILDCARD) {
2703 bool authenticated = false;
2704 const char *source;
2705
2706 /* This RRset validated, but as a wildcard. This means we need to prove via NSEC/NSEC3
2707 * that no matching non-wildcard RR exists.*/
2708
2709 /* First step, determine the source of synthesis */
2710 r = dns_resource_record_source(rrsig, &source);
2711 if (r < 0)
2712 return r;
2713
2714 r = dnssec_test_positive_wildcard(
2715 validated,
2716 DNS_RESOURCE_KEY_NAME(rr->key),
2717 source,
2718 rrsig->rrsig.signer,
2719 &authenticated);
2720
2721 /* Unless the NSEC proof showed that the key really doesn't exist something is off. */
2722 if (r == 0)
2723 result = DNSSEC_INVALID;
2724 else {
2725 r = dns_answer_move_by_key(&validated, &t->answer, rr->key, authenticated ? (DNS_ANSWER_AUTHENTICATED|DNS_ANSWER_CACHEABLE) : 0);
2726 if (r < 0)
2727 return r;
2728
2729 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
2730
2731 /* Exit the loop, we dropped something from the answer, start from the beginning */
2732 changed = true;
2733 break;
2734 }
2735 }
2736
2737 if (result == DNSSEC_NO_SIGNATURE) {
2738 r = dns_transaction_requires_rrsig(t, rr);
2739 if (r < 0)
2740 return r;
2741 if (r == 0) {
2742 /* Data does not require signing. In that case, just copy it over,
2743 * but remember that this is by no means authenticated.*/
2744 r = dns_answer_move_by_key(&validated, &t->answer, rr->key, 0);
2745 if (r < 0)
2746 return r;
2747
2748 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2749 changed = true;
2750 break;
2751 }
2752
2753 r = dns_transaction_known_signed(t, rr);
2754 if (r < 0)
2755 return r;
2756 if (r > 0) {
2757 /* This is an RR we know has to be signed. If it isn't this means
2758 * the server is not attaching RRSIGs, hence complain. */
2759
2760 dns_server_packet_rrsig_missing(t->server, t->current_feature_level);
2761
2762 if (t->scope->dnssec_mode == DNSSEC_ALLOW_DOWNGRADE) {
2763
2764 /* Downgrading is OK? If so, just consider the information unsigned */
2765
2766 r = dns_answer_move_by_key(&validated, &t->answer, rr->key, 0);
2767 if (r < 0)
2768 return r;
2769
2770 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2771 changed = true;
2772 break;
2773 }
2774
2775 /* Otherwise, fail */
2776 t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
2777 return 0;
2778 }
2779
2780 r = dns_transaction_in_private_tld(t, rr->key);
2781 if (r < 0)
2782 return r;
2783 if (r > 0) {
2784 _cleanup_free_ char *s = NULL;
2785
2786 /* The data is from a TLD that is proven not to exist, and we are in downgrade
2787 * mode, hence ignore the fact that this was not signed. */
2788
2789 (void) dns_resource_key_to_string(rr->key, &s);
2790 log_info("Detected RRset %s is in a private DNS zone, permitting unsigned RRs.", strna(s ? strstrip(s) : NULL));
2791
2792 r = dns_answer_move_by_key(&validated, &t->answer, rr->key, 0);
2793 if (r < 0)
2794 return r;
2795
2796 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2797 changed = true;
2798 break;
2799 }
2800 }
2801
2802 if (IN_SET(result,
2803 DNSSEC_MISSING_KEY,
2804 DNSSEC_SIGNATURE_EXPIRED,
2805 DNSSEC_UNSUPPORTED_ALGORITHM)) {
2806
2807 r = dns_transaction_dnskey_authenticated(t, rr);
2808 if (r < 0 && r != -ENXIO)
2809 return r;
2810 if (r == 0) {
2811 /* The DNSKEY transaction was not authenticated, this means there's
2812 * no DS for this, which means it's OK if no keys are found for this signature. */
2813
2814 r = dns_answer_move_by_key(&validated, &t->answer, rr->key, 0);
2815 if (r < 0)
2816 return r;
2817
2818 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
2819 changed = true;
2820 break;
2821 }
2822 }
2823
2824 r = dns_transaction_is_primary_response(t, rr);
2825 if (r < 0)
2826 return r;
2827 if (r > 0) {
2828
2829 /* Look for a matching DNAME for this CNAME */
2830 r = dns_answer_has_dname_for_cname(t->answer, rr);
2831 if (r < 0)
2832 return r;
2833 if (r == 0) {
2834 /* Also look among the stuff we already validated */
2835 r = dns_answer_has_dname_for_cname(validated, rr);
2836 if (r < 0)
2837 return r;
2838 }
2839
2840 if (r == 0) {
2841 if (IN_SET(result,
2842 DNSSEC_INVALID,
2843 DNSSEC_SIGNATURE_EXPIRED,
2844 DNSSEC_NO_SIGNATURE))
2845 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
2846 else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
2847 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
2848
2849 /* This is a primary response to our question, and it failed validation. That's
2850 * fatal. */
2851 t->answer_dnssec_result = result;
2852 return 0;
2853 }
2854
2855 /* This is a primary response, but we do have a DNAME RR in the RR that can replay this
2856 * CNAME, hence rely on that, and we can remove the CNAME in favour of it. */
2857 }
2858
2859 /* This is just some auxiliary data. Just remove the RRset and continue. */
2860 r = dns_answer_remove_by_key(&t->answer, rr->key);
2861 if (r < 0)
2862 return r;
2863
2864 /* Exit the loop, we dropped something from the answer, start from the beginning */
2865 changed = true;
2866 break;
2867 }
2868
2869 /* Restart the inner loop as long as we managed to achieve something */
2870 if (changed)
2871 continue;
2872
2873 if (phase == PHASE_DNSKEY && have_nsec) {
2874 /* OK, we processed all DNSKEYs, and there are NSEC/NSEC3 RRs, look at those now. */
2875 phase = PHASE_NSEC;
2876 continue;
2877 }
2878
2879 if (phase != PHASE_ALL) {
2880 /* OK, we processed all DNSKEYs and NSEC/NSEC3 RRs, look at all the rest now. Note that in this
2881 * third phase we start to remove RRs we couldn't validate. */
2882 phase = PHASE_ALL;
2883 continue;
2884 }
2885
2886 /* We're done */
2887 break;
2888 }
2889
2890 dns_answer_unref(t->answer);
2891 t->answer = validated;
2892 validated = NULL;
2893
2894 /* At this point the answer only contains validated
2895 * RRsets. Now, let's see if it actually answers the question
2896 * we asked. If so, great! If it doesn't, then see if
2897 * NSEC/NSEC3 can prove this. */
2898 r = dns_transaction_has_positive_answer(t, &flags);
2899 if (r > 0) {
2900 /* Yes, it answers the question! */
2901
2902 if (flags & DNS_ANSWER_AUTHENTICATED) {
2903 /* The answer is fully authenticated, yay. */
2904 t->answer_dnssec_result = DNSSEC_VALIDATED;
2905 t->answer_rcode = DNS_RCODE_SUCCESS;
2906 t->answer_authenticated = true;
2907 } else {
2908 /* The answer is not fully authenticated. */
2909 t->answer_dnssec_result = DNSSEC_UNSIGNED;
2910 t->answer_authenticated = false;
2911 }
2912
2913 } else if (r == 0) {
2914 DnssecNsecResult nr;
2915 bool authenticated = false;
2916
2917 /* Bummer! Let's check NSEC/NSEC3 */
2918 r = dnssec_nsec_test(t->answer, t->key, &nr, &authenticated, &t->answer_nsec_ttl);
2919 if (r < 0)
2920 return r;
2921
2922 switch (nr) {
2923
2924 case DNSSEC_NSEC_NXDOMAIN:
2925 /* NSEC proves the domain doesn't exist. Very good. */
2926 log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
2927 t->answer_dnssec_result = DNSSEC_VALIDATED;
2928 t->answer_rcode = DNS_RCODE_NXDOMAIN;
2929 t->answer_authenticated = authenticated;
2930
2931 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
2932 break;
2933
2934 case DNSSEC_NSEC_NODATA:
2935 /* NSEC proves that there's no data here, very good. */
2936 log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
2937 t->answer_dnssec_result = DNSSEC_VALIDATED;
2938 t->answer_rcode = DNS_RCODE_SUCCESS;
2939 t->answer_authenticated = authenticated;
2940
2941 manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
2942 break;
2943
2944 case DNSSEC_NSEC_OPTOUT:
2945 /* NSEC3 says the data might not be signed */
2946 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
2947 t->answer_dnssec_result = DNSSEC_UNSIGNED;
2948 t->answer_authenticated = false;
2949
2950 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
2951 break;
2952
2953 case DNSSEC_NSEC_NO_RR:
2954 /* No NSEC data? Bummer! */
2955
2956 r = dns_transaction_requires_nsec(t);
2957 if (r < 0)
2958 return r;
2959 if (r > 0) {
2960 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
2961 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
2962 } else {
2963 t->answer_dnssec_result = DNSSEC_UNSIGNED;
2964 t->answer_authenticated = false;
2965 manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
2966 }
2967
2968 break;
2969
2970 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
2971 /* We don't know the NSEC3 algorithm used? */
2972 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
2973 manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, t->key);
2974 break;
2975
2976 case DNSSEC_NSEC_FOUND:
2977 case DNSSEC_NSEC_CNAME:
2978 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
2979 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
2980 manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
2981 break;
2982
2983 default:
2984 assert_not_reached("Unexpected NSEC result.");
2985 }
2986 }
2987
2988 return 1;
2989 }
2990
2991 const char *dns_transaction_key_string(DnsTransaction *t) {
2992 assert(t);
2993
2994 if (!t->key_string) {
2995 if (dns_resource_key_to_string(t->key, &t->key_string) < 0)
2996 return "n/a";
2997 }
2998
2999 return strstrip(t->key_string);
3000 }
3001
3002 static const char* const dns_transaction_state_table[_DNS_TRANSACTION_STATE_MAX] = {
3003 [DNS_TRANSACTION_NULL] = "null",
3004 [DNS_TRANSACTION_PENDING] = "pending",
3005 [DNS_TRANSACTION_VALIDATING] = "validating",
3006 [DNS_TRANSACTION_RCODE_FAILURE] = "rcode-failure",
3007 [DNS_TRANSACTION_SUCCESS] = "success",
3008 [DNS_TRANSACTION_NO_SERVERS] = "no-servers",
3009 [DNS_TRANSACTION_TIMEOUT] = "timeout",
3010 [DNS_TRANSACTION_ATTEMPTS_MAX_REACHED] = "attempts-max-reached",
3011 [DNS_TRANSACTION_INVALID_REPLY] = "invalid-reply",
3012 [DNS_TRANSACTION_ERRNO] = "errno",
3013 [DNS_TRANSACTION_ABORTED] = "aborted",
3014 [DNS_TRANSACTION_DNSSEC_FAILED] = "dnssec-failed",
3015 [DNS_TRANSACTION_NO_TRUST_ANCHOR] = "no-trust-anchor",
3016 [DNS_TRANSACTION_RR_TYPE_UNSUPPORTED] = "rr-type-unsupported",
3017 [DNS_TRANSACTION_NETWORK_DOWN] = "network-down",
3018 [DNS_TRANSACTION_NOT_FOUND] = "not-found",
3019 };
3020 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_state, DnsTransactionState);
3021
3022 static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MAX] = {
3023 [DNS_TRANSACTION_NETWORK] = "network",
3024 [DNS_TRANSACTION_CACHE] = "cache",
3025 [DNS_TRANSACTION_ZONE] = "zone",
3026 [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
3027 };
3028 DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
Unnamed repository; edit this file 'description' to name the repository.