#include "alloc-util.h"
#include "dns-domain.h"
#include "errno-list.h"
+#include "errno-util.h"
#include "fd-util.h"
#include "random-util.h"
#include "resolved-dns-cache.h"
t->id,
dns_resource_key_to_string(t->key, key_str, sizeof key_str),
dns_protocol_to_string(t->scope->protocol),
- t->scope->link ? t->scope->link->name : "*",
+ t->scope->link ? t->scope->link->ifname : "*",
af_to_name_short(t->scope->family),
strnull(pretty));
t->id,
dns_resource_key_to_string(t->key, key_str, sizeof key_str),
dns_protocol_to_string(t->scope->protocol),
- t->scope->link ? t->scope->link->name : "*",
+ t->scope->link ? t->scope->link->ifname : "*",
af_to_name_short(t->scope->family),
st,
t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
}
static int on_stream_complete(DnsStream *s, int error) {
- _cleanup_(dns_stream_unrefp) DnsStream *p = NULL;
-
- /* Do not let new transactions use this stream */
- if (s->server && s->server->stream == s)
- p = TAKE_PTR(s->server->stream);
+ assert(s);
if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
if (t)
return dns_transaction_on_stream_packet(t, p);
- /* Ignore incorrect transaction id as transaction can have been canceled */
- if (dns_packet_validate_reply(p) <= 0) {
- log_debug("Invalid TCP reply packet.");
- on_stream_complete(s, 0);
- }
-
+ /* Ignore incorrect transaction id as an old transaction can have been canceled. */
+ log_debug("Received unexpected TCP reply packet with id %" PRIu16 ", ignoring.", DNS_PACKET_ID(p));
return 0;
}
+static uint16_t dns_port_for_feature_level(DnsServerFeatureLevel level) {
+ return DNS_SERVER_FEATURE_LEVEL_IS_TLS(level) ? 853 : 53;
+}
+
static int dns_transaction_emit_tcp(DnsTransaction *t) {
- _cleanup_close_ int fd = -1;
_cleanup_(dns_stream_unrefp) DnsStream *s = NULL;
+ _cleanup_close_ int fd = -1;
union sockaddr_union sa;
+ DnsStreamType type;
int r;
assert(t);
if (t->server->stream && (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) == t->server->stream->encrypted))
s = dns_stream_ref(t->server->stream);
else
- fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level) ? 853 : 53, &sa);
+ fd = dns_scope_socket_tcp(t->scope, AF_UNSPEC, NULL, t->server, dns_port_for_feature_level(t->current_feature_level), &sa);
+ type = DNS_STREAM_LOOKUP;
break;
case DNS_PROTOCOL_LLMNR:
fd = dns_scope_socket_tcp(t->scope, family, &address, NULL, LLMNR_PORT, &sa);
}
+ type = DNS_STREAM_LLMNR_SEND;
break;
default:
if (fd < 0)
return fd;
- r = dns_stream_new(t->scope->manager, &s, t->scope->protocol, fd, &sa);
+ r = dns_stream_new(t->scope->manager, &s, type, t->scope->protocol, fd, &sa);
if (r < 0)
return r;
fd = -1;
#if ENABLE_DNS_OVER_TLS
- if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
+ if (t->scope->protocol == DNS_PROTOCOL_DNS &&
+ DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
+
assert(t->server);
r = dnstls_stream_connect_tls(s, t->server);
if (r < 0)
#endif
if (t->server) {
- dns_stream_unref(t->server->stream);
- t->server->stream = dns_stream_ref(s);
+ dns_server_unref_stream(t->server);
s->server = dns_server_ref(t->server);
+ t->server->stream = dns_stream_ref(s);
}
s->complete = on_stream_complete;
}
/* Fall-through: NXDOMAIN/SERVFAIL is good enough for us. This is because some DNS servers
- * erronously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
+ * erroneously return NXDOMAIN/SERVFAIL for empty non-terminals (Akamai...) or missing DS
* records (Facebook), and we need to handle that nicely, when asking for parent SOA or similar
* RRs to make unsigned proofs. */
/*
* For mDNS, we want to coalesce as many open queries in pending transactions into one single
* query packet on the wire as possible. To achieve that, we iterate through all pending transactions
- * in our current scope, and see whether their timing contraints allow them to be sent.
+ * in our current scope, and see whether their timing constraints allow them to be sent.
*/
assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
t->id,
dns_resource_key_to_string(t->key, key_str, sizeof key_str),
dns_protocol_to_string(t->scope->protocol),
- t->scope->link ? t->scope->link->name : "*",
+ t->scope->link ? t->scope->link->ifname : "*",
af_to_name_short(t->scope->family));
if (!t->initial_jitter_scheduled &&
if (t->answer_source != DNS_TRANSACTION_NETWORK)
return 0; /* We only need to validate stuff from the network */
if (!dns_transaction_dnssec_supported(t))
- return 0; /* If we can't do DNSSEC anyway there's no point in geting the auxiliary RRs */
+ return 0; /* If we can't do DNSSEC anyway there's no point in getting the auxiliary RRs */
DNS_ANSWER_FOREACH(rr, t->answer) {
* RRs for stuff we didn't really ask for, and
* also to avoid request loops, where
* additional RRs from one transaction result
- * in another transaction whose additonal RRs
+ * in another transaction whose additional RRs
* point back to the original transaction, and
* we deadlock. */
r = dns_name_endswith(dns_resource_key_name(t->key), rr->rrsig.signer);
if (r > 0) /* positive reply, we won't need the SOA and hence don't need to validate
* it. */
continue;
+
+ /* Only bother with this if the SOA/NS RR we are looking at is actually a parent of
+ * what we are looking for, otherwise there's no value in it for us. */
+ r = dns_name_endswith(dns_resource_key_name(t->key), dns_resource_key_name(rr->key));
+ if (r < 0)
+ return r;
+ if (r == 0)
+ continue;
}
r = dnssec_has_rrsig(t->answer, rr->key);
r = dns_name_parent(&name);
if (r > 0) {
type = DNS_TYPE_SOA;
- log_debug("Requesting parent SOA to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
- t->id, dns_resource_key_name(t->key));
+ log_debug("Requesting parent SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty DS response).",
+ name, t->id, dns_resource_key_name(t->key));
} else
name = NULL;
} else if (IN_SET(t->key->type, DNS_TYPE_SOA, DNS_TYPE_NS)) {
type = DNS_TYPE_DS;
- log_debug("Requesting DS to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
- t->id, dns_resource_key_name(t->key));
+ log_debug("Requesting DS (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty SOA/NS response).",
+ name, t->id, name);
} else {
type = DNS_TYPE_SOA;
- log_debug("Requesting SOA to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
- t->id, dns_resource_key_name(t->key));
+ log_debug("Requesting SOA (→ %s) to validate transaction %" PRIu16 " (%s, unsigned empty non-SOA/NS/DS response).",
+ name, t->id, name);
}
if (name) {
projects / thirdparty / systemd.git / blobdiff