static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
bool has_authenticated = false, has_non_authenticated = false;
+ DnssecResult dnssec_result_authenticated = _DNSSEC_RESULT_INVALID, dnssec_result_non_authenticated = _DNSSEC_RESULT_INVALID;
DnsTransaction *t;
Iterator i;
int r;
dns_query_complete(q, DNS_TRANSACTION_RESOURCES);
return;
}
+
q->answer_rcode = t->answer_rcode;
- if (t->answer_authenticated)
+ if (t->answer_authenticated) {
has_authenticated = true;
- else
+ dnssec_result_authenticated = t->answer_dnssec_result;
+ } else {
has_non_authenticated = true;
+ dnssec_result_non_authenticated = t->answer_dnssec_result;
+ }
state = DNS_TRANSACTION_SUCCESS;
break;
/* Any kind of failure? Store the data away,
* if there's nothing stored yet. */
- if (state != DNS_TRANSACTION_SUCCESS) {
-
- dns_answer_unref(q->answer);
- q->answer = dns_answer_ref(t->answer);
- q->answer_rcode = t->answer_rcode;
+ if (state == DNS_TRANSACTION_SUCCESS)
+ continue;
- state = t->state;
- }
+ dns_answer_unref(q->answer);
+ q->answer = dns_answer_ref(t->answer);
+ q->answer_rcode = t->answer_rcode;
+ q->answer_dnssec_result = t->answer_dnssec_result;
+ state = t->state;
break;
}
}
+ if (state == DNS_TRANSACTION_SUCCESS) {
+ q->answer_authenticated = has_authenticated && !has_non_authenticated;
+ q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated;
+ }
+
q->answer_protocol = c->scope->protocol;
q->answer_family = c->scope->family;
- q->answer_authenticated = has_authenticated && !has_non_authenticated;
dns_search_domain_unref(q->answer_search_domain);
q->answer_search_domain = dns_search_domain_ref(c->search_domain);
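Review bot: With the unconditional `q->answer_authenticated = has_authenticated && !has_non_authenticated;` removed from the tail of dns_query_accept(), the flag is now written only inside the `if (state == DNS_TRANSACTION_SUCCESS)` block, so on the failure path (where `q->answer`, `q->answer_rcode` and `q->answer_dnssec_result` are copied from the failed transaction) it keeps whatever value it had before the call. Unless it is reset elsewhere before this function runs, a query that previously held an authenticated answer could report a failed, unauthenticated answer with the stale flag still set. The failure branch should clear it alongside the new `q->answer_dnssec_result = t->answer_dnssec_result;` line: `q->answer_authenticated = false;`. Note also that with several successful transactions the two `dnssec_result_*` locals are last-wins rather than merged, which is worth a short comment on the declaration, e.g. `/* last seen result of each kind; not merged across transactions */`. dns_query_accept() starts outside this hunk.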
t->dns_udp_fd = -1;
t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
- t->dnssec_result = _DNSSEC_RESULT_INVALID;
+ t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
t->key = dns_resource_key_ref(key);
/* Find a fresh, unused transaction id */
return;
}
- if (!IN_SET(t->dnssec_result,
+ if (!IN_SET(t->answer_dnssec_result,
_DNSSEC_RESULT_INVALID, /* No DNSSEC validation enabled */
DNSSEC_VALIDATED, /* Answer is signed and validated successfully */
DNSSEC_UNSIGNED)) { /* Answer is right-fully unsigned */
return;
fail:
- t->dnssec_result = DNSSEC_FAILED_AUXILIARY;
+ t->answer_dnssec_result = DNSSEC_FAILED_AUXILIARY;
dns_transaction_complete(t, DNS_TRANSACTION_DNSSEC_FAILED);
}
return 0;
/* Already validated */
- if (t->dnssec_result != _DNSSEC_RESULT_INVALID)
+ if (t->answer_dnssec_result != _DNSSEC_RESULT_INVALID)
return 0;
/* Our own stuff needs no validation */
if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
- t->dnssec_result = DNSSEC_VALIDATED;
+ t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_authenticated = true;
return 0;
}
* to our question, and it
* failed validation. That's
* fatal. */
- t->dnssec_result = result;
+ t->answer_dnssec_result = result;
return 0;
}
if (flags & DNS_ANSWER_AUTHENTICATED) {
/* The answer is fully authenticated, yay. */
- t->dnssec_result = DNSSEC_VALIDATED;
+ t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_authenticated = true;
} else {
/* The answer is not fully authenticated. */
- t->dnssec_result = DNSSEC_UNSIGNED;
+ t->answer_dnssec_result = DNSSEC_UNSIGNED;
t->answer_authenticated = false;
}
case DNSSEC_NSEC_NXDOMAIN:
/* NSEC proves the domain doesn't exist. Very good. */
log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
- t->dnssec_result = DNSSEC_VALIDATED;
+ t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_NXDOMAIN;
t->answer_authenticated = true;
break;
case DNSSEC_NSEC_NODATA:
/* NSEC proves that there's no data here, very good. */
log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
- t->dnssec_result = DNSSEC_VALIDATED;
+ t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_authenticated = true;
break;
case DNSSEC_NSEC_OPTOUT:
/* NSEC3 says the data might not be signed */
log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
- t->dnssec_result = DNSSEC_UNSIGNED;
+ t->answer_dnssec_result = DNSSEC_UNSIGNED;
t->answer_authenticated = false;
break;
if (r < 0)
return r;
if (r > 0)
- t->dnssec_result = DNSSEC_NO_SIGNATURE;
+ t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
else {
- t->dnssec_result = DNSSEC_UNSIGNED;
+ t->answer_dnssec_result = DNSSEC_UNSIGNED;
t->answer_authenticated = false;
}
case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
/* We don't know the NSEC3 algorithm used? */
- t->dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
+ t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
break;
case DNSSEC_NSEC_FOUND:
/* NSEC says it needs to be there, but we couldn't find it? Bummer! */
- t->dnssec_result = DNSSEC_NSEC_MISMATCH;
+ t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
break;
default: