diff options
| author | Lennart Poettering <lennart@poettering.net> | 2020-11-05 11:01:52 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2021-02-09 17:58:25 +0100 |
| commit | 775ae35403f8f3c01b7ac13387fe8aac1759993f (patch) | |
| tree | 4d2a693ea94e2a611c133d0678630d6ff0014e6b /src/resolve/resolved-dns-transaction.h | |
| parent | resolved: DNS_CLASS_ANY lookups are OK too (diff) | |
| download | systemd-775ae35403f8f3c01b7ac13387fe8aac1759993f.tar.xz systemd-775ae35403f8f3c01b7ac13387fe8aac1759993f.zip | |
resolved: add support for answering DNSSEC questions on the stub
This substantially beefs up the local DNS stub feature set in order to
allow local clients to do DNSSEC validation through the stub.
Previously we'd return NOTIMP if we'd get a DO or DO+CD lookup. With
this change we'll instead:
1. If we get DO+CD requests (i.e. DNSSEC with no local checking) we'll
proxy DNS queries and response mostly unmodified to/from upstream DNS
servers if possible (this is called "bypass" mode). We will patch in
new request IDs, (and patch them back out on reply), so that we can
sanely keep track of things. We'll also maintain a minimal local
cache for such lookups, always keeping the whole DNS packets in it
(if we reply from cache we'll patch the TTLs of all included RRs).
2. If we get DO requests without CD (i.e. DNSSEC with local checking)
we'll resolve and validate locally. In this mode we will not proxy
packets, but generate our own. We will however cache the combination
of answer RRs (along with their packet section assignments) we got
back in the cache, and use this information to generate reply packets
from the DNS stub.
In both cases: if we determine a lookup is to be answered from LLMNR or
mDNS we'll always revert to non-DNSSEC, non-proxy operation as before.
Answers will lack the DO bit then, since the data cannot be validated
via DNSSEC by the clients.
To make this logic more debuggable, this also adds query flags for
turning off RR sources. i.e. cache/network/zone/trust anchor/local
synthesis may now be disabled individually for each lookup.
The cache is substantially updated to make all this work: in addition to
caching simple RRs for lookup RR keys, we'll now cache the whole packets
and the whole combination of RRs, so that we can answer DO and DO+CD
replies sensibly according to the rules described above. This sounds
wasteful, but given that the
DnsResourceRecord/DnsResourceKey/DnsAnswer/DnsPacket
objects are all ref-counted and we try to merge references the actual
additional memory used should be limited (but this might be something to
optimize further later on).
To implement classic RR key lookups and new-style packet proxy lookups
(i.e. the ones necessary for DO+CD packet proxying, as described above)
DnsTransaction and DnsQuery objects now always maintain either a
DnsResourceKey/DnsQuestion as lookup key or a DnsPacket for "bypass"
mode.
Fixes: #4621 #17218
Diffstat (limited to 'src/resolve/resolved-dns-transaction.h')
| -rw-r--r-- | src/resolve/resolved-dns-transaction.h | 25 |
1 files changed, 20 insertions, 5 deletions
diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h index 9a3b54061c..93ff6b3d58 100644 --- a/src/resolve/resolved-dns-transaction.h +++ b/src/resolve/resolved-dns-transaction.h @@ -5,6 +5,7 @@ #include "in-addr-util.h" typedef struct DnsTransaction DnsTransaction; +typedef struct DnsTransactionFinder DnsTransactionFinder; typedef enum DnsTransactionState DnsTransactionState; typedef enum DnsTransactionSource DnsTransactionSource; @@ -31,6 +32,7 @@ enum DnsTransactionState { DNS_TRANSACTION_RR_TYPE_UNSUPPORTED, DNS_TRANSACTION_NETWORK_DOWN, DNS_TRANSACTION_NOT_FOUND, /* like NXDOMAIN, but when LLMNR/TCP connections fail */ + DNS_TRANSACTION_NO_SOURCE, /* All suitable DnsTransactionSource turned off */ _DNS_TRANSACTION_STATE_MAX, _DNS_TRANSACTION_STATE_INVALID = -1 }; @@ -49,7 +51,10 @@ enum DnsTransactionSource { struct DnsTransaction { DnsScope *scope; - DnsResourceKey *key; + DnsResourceKey *key; /* For regular lookups the RR key to look for */ + DnsPacket *bypass; /* For bypass lookups the full original request packet */ + + uint64_t query_flags; DnsTransactionState state; @@ -60,8 +65,6 @@ struct DnsTransaction { bool initial_jitter_scheduled:1; bool initial_jitter_elapsed:1; - bool clamp_ttl:1; - bool probing:1; DnsPacket *sent, *received; @@ -133,9 +136,10 @@ struct DnsTransaction { LIST_FIELDS(DnsTransaction, transactions_by_scope); LIST_FIELDS(DnsTransaction, transactions_by_stream); + LIST_FIELDS(DnsTransaction, transactions_by_key); }; -int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key); +int dns_transaction_new(DnsTransaction **ret, DnsScope *s, DnsResourceKey *key, DnsPacket *bypass, uint64_t flags); DnsTransaction* dns_transaction_free(DnsTransaction *t); bool dns_transaction_gc(DnsTransaction *t); @@ -153,7 +157,18 @@ int dns_transaction_request_dnssec_keys(DnsTransaction *t); static inline DnsResourceKey *dns_transaction_key(DnsTransaction *t) { assert(t); - return t->key; + /* Return the lookup key of this transaction. Either takes the lookup key from the bypass packet if + * we are a bypass transaction. Or take the configured key for regular transactions. */ + + if (t->key) + return t->key; + + assert(t->bypass); + + if (dns_question_isempty(t->bypass->question)) + return NULL; + + return t->bypass->question->keys[0]; } const char* dns_transaction_state_to_string(DnsTransactionState p) _const_; |