Let's use the same flags type we use for client communication, i.e.
instead of "bool answer_authenticated", let's use "uint64_t
answer_query_flags", with the SD_RESOLVED_AUTHENTICATED flag.
This is mostly just search/replace, i.e. a refactoring, no change in
behaviour.
This becomes useful once in a later commit SD_RESOLVED_CONFIDENTIAL is
added to indicate resolution that either were encrypted (DNS-over-TLS)
or never left the local system.
* now) */
#define CACHE_TTL_STRANGE_RCODE_USEC (10 * USEC_PER_SEC)
+#define CACHEABLE_QUERY_FLAGS (SD_RESOLVED_AUTHENTICATED)
+
typedef enum DnsCacheItemType DnsCacheItemType;
typedef struct DnsCacheItem DnsCacheItem;
int rcode;
usec_t until;
- bool authenticated:1;
bool shared_owner:1;
+ uint64_t query_flags; /* SD_RESOLVED_AUTHENTICATED */
DnssecResult dnssec_result;
int ifindex;
DnsResourceRecord *rr,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
bool shared_owner,
DnssecResult dnssec_result,
usec_t timestamp,
i->full_packet = full_packet;
i->until = calculate_until(rr, UINT32_MAX, timestamp, false);
- i->authenticated = authenticated;
+ i->query_flags = query_flags & CACHEABLE_QUERY_FLAGS;
i->shared_owner = shared_owner;
i->dnssec_result = dnssec_result;
DnsResourceRecord *rr,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
bool shared_owner,
DnssecResult dnssec_result,
usec_t timestamp,
rr,
answer,
full_packet,
- authenticated,
+ query_flags,
shared_owner,
dnssec_result,
timestamp,
.answer = dns_answer_ref(answer),
.full_packet = dns_packet_ref(full_packet),
.until = calculate_until(rr, (uint32_t) -1, timestamp, false),
- .authenticated = authenticated,
+ .query_flags = query_flags & CACHEABLE_QUERY_FLAGS,
.shared_owner = shared_owner,
.dnssec_result = dnssec_result,
.ifindex = ifindex,
(void) in_addr_to_string(i->owner_family, &i->owner_address, &t);
log_debug("Added positive %s%s cache entry for %s "USEC_FMT"s on %s/%s/%s",
- i->authenticated ? "authenticated" : "unauthenticated",
+ FLAGS_SET(i->query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unauthenticated",
i->shared_owner ? " shared" : "",
dns_resource_key_to_string(i->key, key_str, sizeof key_str),
(i->until - timestamp) / USEC_PER_SEC,
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
usec_t timestamp,
.type =
rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA :
rcode == DNS_RCODE_NXDOMAIN ? DNS_CACHE_NXDOMAIN : DNS_CACHE_RCODE,
- .authenticated = authenticated,
+ .query_flags = query_flags & CACHEABLE_QUERY_FLAGS,
.dnssec_result = dnssec_result,
.owner_family = owner_family,
.owner_address = *owner_address,
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
int owner_family,
item->rr,
primary ? answer : NULL,
primary ? full_packet : NULL,
- item->flags & DNS_ANSWER_AUTHENTICATED,
+ (item->flags & DNS_ANSWER_AUTHENTICATED) ? SD_RESOLVED_AUTHENTICATED : 0,
item->flags & DNS_ANSWER_SHARED_OWNER,
dnssec_result,
timestamp,
if (r > 0) {
/* Refuse using the SOA data if it is unsigned, but the key is
* signed */
- if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0)
+ if (FLAGS_SET(query_flags, SD_RESOLVED_AUTHENTICATED) &&
+ (flags & DNS_ANSWER_AUTHENTICATED) == 0)
return 0;
}
rcode,
answer,
full_packet,
- authenticated,
+ query_flags,
dnssec_result,
nsec_ttl,
timestamp,
int *ret_rcode,
DnsAnswer **ret_answer,
DnsPacket **ret_full_packet,
- bool *ret_authenticated,
+ uint64_t *ret_query_flags,
DnssecResult *ret_dnssec_result) {
_cleanup_(dns_packet_unrefp) DnsPacket *full_packet = NULL;
n++;
}
- if (j->authenticated)
+ if (FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED))
have_authenticated = true;
else
have_non_authenticated = true;
}
} else if (j->rr) {
- r = answer_add_clamp_ttl(&answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0, NULL, query_flags, j->until, current);
+ r = answer_add_clamp_ttl(&answer,
+ j->rr,
+ j->ifindex,
+ FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? DNS_ANSWER_AUTHENTICATED : 0,
+ NULL,
+ query_flags,
+ j->until,
+ current);
if (r < 0)
return r;
}
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = false;
+ if (ret_query_flags)
+ *ret_query_flags = 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = nsec->authenticated;
+ if (ret_query_flags)
+ *ret_query_flags = nsec->query_flags;
if (ret_dnssec_result)
*ret_dnssec_result = nsec->dnssec_result;
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = have_authenticated && !have_non_authenticated;
+ if (ret_query_flags)
+ *ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = have_authenticated && !have_non_authenticated;
+ if (ret_query_flags)
+ *ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;
*ret_answer = NULL;
if (ret_full_packet)
*ret_full_packet = NULL;
- if (ret_authenticated)
- *ret_authenticated = false;
+ if (ret_query_flags)
+ *ret_query_flags = 0;
if (ret_dnssec_result)
*ret_dnssec_result = _DNSSEC_RESULT_INVALID;
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
int owner_family,
int *ret_rcode,
DnsAnswer **ret_answer,
DnsPacket **ret_full_packet,
- bool *ret_authenticated,
+ uint64_t *ret_query_flags,
DnssecResult *ret_dnssec_result);
int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address);
q->answer_rcode = 0;
q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
q->answer_errno = 0;
- q->answer_authenticated = false;
+ q->answer_query_flags = 0;
q->answer_protocol = _DNS_PROTOCOL_INVALID;
q->answer_family = AF_UNSPEC;
q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
q->answer_rcode = DNS_RCODE_NXDOMAIN;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
- q->answer_authenticated = true;
+ q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;
*state = DNS_TRANSACTION_RCODE_FAILURE;
return 0;
q->answer_rcode = DNS_RCODE_SUCCESS;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
- q->answer_authenticated = true;
+ q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;
*state = DNS_TRANSACTION_SUCCESS;
q->answer_rcode = DNS_RCODE_SUCCESS;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
- q->answer_authenticated = true;
+ q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;
return 1;
}
q->answer = dns_answer_unref(q->answer);
q->answer_rcode = 0;
q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
- q->answer_authenticated = false;
+ q->answer_query_flags = 0;
q->answer_errno = c->error_code;
q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
}
dns_packet_unref(q->answer_full_packet);
q->answer_full_packet = dns_packet_ref(t->received);
- if (t->answer_authenticated) {
+ if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) {
has_authenticated = true;
dnssec_result_authenticated = t->answer_dnssec_result;
} else {
continue;
/* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
- if (q->answer_authenticated && !t->answer_authenticated)
+ if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) &&
+ !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
continue;
dns_answer_unref(q->answer);
q->answer = dns_answer_ref(t->answer);
q->answer_rcode = t->answer_rcode;
q->answer_dnssec_result = t->answer_dnssec_result;
- q->answer_authenticated = t->answer_authenticated;
+ q->answer_query_flags = t->answer_query_flags;
q->answer_errno = t->answer_errno;
dns_packet_unref(q->answer_full_packet);
q->answer_full_packet = dns_packet_ref(t->received);
}
if (state == DNS_TRANSACTION_SUCCESS) {
- q->answer_authenticated = has_authenticated && !has_non_authenticated;
- q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated;
+ SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated);
+ q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated;
}
q->answer_protocol = c->scope->protocol;
if (q->flags & SD_RESOLVED_NO_CNAME)
return -ELOOP;
- if (!q->answer_authenticated)
+ if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
q->previous_redirect_unauthenticated = true;
/* OK, let's actually follow the CNAME */
bool dns_query_fully_authenticated(DnsQuery *q) {
assert(q);
- return q->answer_authenticated && !q->previous_redirect_unauthenticated;
+ return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated;
}
DnsAnswer *answer;
int answer_rcode;
DnssecResult answer_dnssec_result;
- bool answer_authenticated;
+ uint64_t answer_query_flags;
DnsProtocol answer_protocol;
int answer_family;
DnsSearchDomain *answer_search_domain;
t->answer_rcode = 0;
t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
- t->answer_authenticated = false;
+ t->answer_query_flags = 0;
t->answer_nsec_ttl = (uint32_t) -1;
t->answer_errno = 0;
}
st,
t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
- (t->answer_authenticated ? "authenticated" : "unsigned"));
+ (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"));
t->state = state;
* since our usecase for caching them
* is "bypass" mode which is only
* enabled for CD packets. */
- t->answer_authenticated,
+ t->answer_query_flags,
t->answer_dnssec_result,
t->answer_nsec_ttl,
t->received->family,
t->answer = dns_answer_ref(p->answer);
t->answer_rcode = DNS_PACKET_RCODE(p);
t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
r = dns_transaction_fix_rcode(t);
if (r < 0)
if (r > 0) {
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
return 0;
}
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
} else
/* If we are not in downgrade mode, then fail the lookup, because we cannot
if (r > 0) {
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_source = DNS_TRANSACTION_ZONE;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
return 0;
}
&t->answer_rcode,
&t->answer,
&t->received,
- &t->answer_authenticated,
+ &t->answer_query_flags,
&t->answer_dnssec_result);
if (r < 0)
return r;
* RRs we are looking at. If it discovered signed DS
* RRs, then we need to be signed, too. */
- if (!dt->answer_authenticated)
+ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
return false;
return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
if (r == 0)
continue;
- return t->answer_authenticated;
+ return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}
return true;
if (r == 0)
continue;
- /* We found the transaction that was supposed to find
- * the SOA RR for us. It was successful, but found no
- * RR for us. This means we are not at a zone cut. In
- * this case, we require authentication if the SOA
- * lookup was authenticated too. */
- return t->answer_authenticated;
+ /* We found the transaction that was supposed to find the SOA RR for us. It was
+ * successful, but found no RR for us. This means we are not at a zone cut. In this
+ * case, we require authentication if the SOA lookup was authenticated too. */
+ return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}
return true;
if (r == 0)
continue;
- return dt->answer_authenticated;
+ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}
/* If in doubt, require NSEC/NSEC3 */
if (r == 0)
continue;
- /* OK, we found an auxiliary DNSKEY
- * lookup. If that lookup is
- * authenticated, report this. */
+ /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
+ * report this. */
- if (dt->answer_authenticated)
+ if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
return true;
found = true;
if (r == 0)
continue;
- /* OK, we found an auxiliary DS
- * lookup. If that lookup is
- * authenticated and non-zero, we
- * won! */
+ /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
+ * non-zero, we won! */
- if (!dt->answer_authenticated)
+ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
return false;
return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
if (DNS_TRANSACTION_IS_LIVE(dt->state))
continue;
- if (!dt->answer_authenticated)
+ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
continue;
r = dns_answer_extend(&t->validated_keys, dt->answer);
/* Our own stuff needs no validation */
if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
t->answer_dnssec_result = DNSSEC_VALIDATED;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
return 0;
}
/* The answer is fully authenticated, yay. */
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_SUCCESS;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
} else {
/* The answer is not fully authenticated. */
t->answer_dnssec_result = DNSSEC_UNSIGNED;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
}
} else if (r == 0) {
log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_NXDOMAIN;
- t->answer_authenticated = authenticated;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
break;
log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_SUCCESS;
- t->answer_authenticated = authenticated;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
break;
/* NSEC3 says the data might not be signed */
log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
t->answer_dnssec_result = DNSSEC_UNSIGNED;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
break;
manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
} else {
t->answer_dnssec_result = DNSSEC_UNSIGNED;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
}
uint32_t answer_nsec_ttl;
int answer_errno; /* if state is DNS_TRANSACTION_ERRNO */
- /* Indicates whether the primary answer is authenticated,
- * i.e. whether the RRs from answer which directly match the
- * question are authenticated, or, if there are none, whether
- * the NODATA or NXDOMAIN case is. It says nothing about
- * additional RRs listed in the answer, however they have
- * their own DNS_ANSWER_AUTHORIZED FLAGS. Note that this bit
- * is defined different than the AD bit in DNS packets, as
- * that covers more than just the actual primary answer. */
- bool answer_authenticated;
+ /* SD_RESOLVED_AUTHENTICATED here indicates whether the primary answer is authenticated, i.e. whether
+ * the RRs from answer which directly match the question are authenticated, or, if there are none,
+ * whether the NODATA or NXDOMAIN case is. It says nothing about additional RRs listed in the answer,
+ * however they have their own DNS_ANSWER_AUTHORIZED FLAGS. Note that this bit is defined different
+ * than the AD bit in DNS packets, as that covers more than just the actual primary answer. */
+ uint64_t answer_query_flags;
/* Contains DNSKEY, DS, SOA RRs we already verified and need
* to authenticate this reply */
projects / thirdparty / systemd.git / commitdiff
