summaryrefslogtreecommitdiffstats
path: root/src/resolve
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2020-11-10 17:14:16 +0100
committerLennart Poettering <lennart@poettering.net>2021-02-16 10:03:43 +0100
commit6f055e43b817b66e6d4f6e4022f0a115dc35651b (patch)
treecf9268a61926b62a850abc7c8cbc418c9427b8f2 /src/resolve
parentMerge pull request #18611 from poettering/ifname-validate-tighter (diff)
downloadsystemd-6f055e43b817b66e6d4f6e4022f0a115dc35651b.tar.xz
systemd-6f055e43b817b66e6d4f6e4022f0a115dc35651b.zip
resolved: replace "answer_authenticated" bool by uint64_t query_flags field
Let's use the same flags type we use for client communication, i.e. instead of "bool answer_authenticated", let's use "uint64_t answer_query_flags", with the SD_RESOLVED_AUTHENTICATED flag. This is mostly just search/replace, i.e. a refactoring, no change in behaviour. This becomes useful once in a later commit SD_RESOLVED_CONFIDENTIAL is added to indicate resolution that either were encrypted (DNS-over-TLS) or never left the local system.
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-dns-cache.c62
-rw-r--r--src/resolve/resolved-dns-cache.h4
-rw-r--r--src/resolve/resolved-dns-query.c25
-rw-r--r--src/resolve/resolved-dns-query.h2
-rw-r--r--src/resolve/resolved-dns-transaction.c63
-rw-r--r--src/resolve/resolved-dns-transaction.h15
6 files changed, 87 insertions, 84 deletions
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index cf0e221621..78b858b8be 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -22,6 +22,8 @@
* now) */
#define CACHE_TTL_STRANGE_RCODE_USEC (10 * USEC_PER_SEC)
+#define CACHEABLE_QUERY_FLAGS (SD_RESOLVED_AUTHENTICATED)
+
typedef enum DnsCacheItemType DnsCacheItemType;
typedef struct DnsCacheItem DnsCacheItem;
@@ -41,8 +43,8 @@ struct DnsCacheItem {
int rcode;
usec_t until;
- bool authenticated:1;
bool shared_owner:1;
+ uint64_t query_flags; /* SD_RESOLVED_AUTHENTICATED */
DnssecResult dnssec_result;
int ifindex;
@@ -353,7 +355,7 @@ static void dns_cache_item_update_positive(
DnsResourceRecord *rr,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
bool shared_owner,
DnssecResult dnssec_result,
usec_t timestamp,
@@ -390,7 +392,7 @@ static void dns_cache_item_update_positive(
i->full_packet = full_packet;
i->until = calculate_until(rr, UINT32_MAX, timestamp, false);
- i->authenticated = authenticated;
+ i->query_flags = query_flags & CACHEABLE_QUERY_FLAGS;
i->shared_owner = shared_owner;
i->dnssec_result = dnssec_result;
@@ -407,7 +409,7 @@ static int dns_cache_put_positive(
DnsResourceRecord *rr,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
bool shared_owner,
DnssecResult dnssec_result,
usec_t timestamp,
@@ -448,7 +450,7 @@ static int dns_cache_put_positive(
rr,
answer,
full_packet,
- authenticated,
+ query_flags,
shared_owner,
dnssec_result,
timestamp,
@@ -476,7 +478,7 @@ static int dns_cache_put_positive(
.answer = dns_answer_ref(answer),
.full_packet = dns_packet_ref(full_packet),
.until = calculate_until(rr, (uint32_t) -1, timestamp, false),
- .authenticated = authenticated,
+ .query_flags = query_flags & CACHEABLE_QUERY_FLAGS,
.shared_owner = shared_owner,
.dnssec_result = dnssec_result,
.ifindex = ifindex,
@@ -496,7 +498,7 @@ static int dns_cache_put_positive(
(void) in_addr_to_string(i->owner_family, &i->owner_address, &t);
log_debug("Added positive %s%s cache entry for %s "USEC_FMT"s on %s/%s/%s",
- i->authenticated ? "authenticated" : "unauthenticated",
+ FLAGS_SET(i->query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unauthenticated",
i->shared_owner ? " shared" : "",
dns_resource_key_to_string(i->key, key_str, sizeof key_str),
(i->until - timestamp) / USEC_PER_SEC,
@@ -515,7 +517,7 @@ static int dns_cache_put_negative(
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
usec_t timestamp,
@@ -566,7 +568,7 @@ static int dns_cache_put_negative(
.type =
rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA :
rcode == DNS_RCODE_NXDOMAIN ? DNS_CACHE_NXDOMAIN : DNS_CACHE_RCODE,
- .authenticated = authenticated,
+ .query_flags = query_flags & CACHEABLE_QUERY_FLAGS,
.dnssec_result = dnssec_result,
.owner_family = owner_family,
.owner_address = *owner_address,
@@ -669,7 +671,7 @@ int dns_cache_put(
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
int owner_family,
@@ -761,7 +763,7 @@ int dns_cache_put(
item->rr,
primary ? answer : NULL,
primary ? full_packet : NULL,
- item->flags & DNS_ANSWER_AUTHENTICATED,
+ (item->flags & DNS_ANSWER_AUTHENTICATED) ? SD_RESOLVED_AUTHENTICATED : 0,
item->flags & DNS_ANSWER_SHARED_OWNER,
dnssec_result,
timestamp,
@@ -802,7 +804,8 @@ int dns_cache_put(
if (r > 0) {
/* Refuse using the SOA data if it is unsigned, but the key is
* signed */
- if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0)
+ if (FLAGS_SET(query_flags, SD_RESOLVED_AUTHENTICATED) &&
+ (flags & DNS_ANSWER_AUTHENTICATED) == 0)
return 0;
}
@@ -819,7 +822,7 @@ int dns_cache_put(
rcode,
answer,
full_packet,
- authenticated,
+ query_flags,
dnssec_result,
nsec_ttl,
timestamp,
@@ -951,7 +954,7 @@ int dns_cache_lookup(
int *ret_rcode,
DnsAnswer **ret_answer,
DnsPacket **ret_full_packet,
- bool *ret_authenticated,
+ uint64_t *ret_query_flags,
DnssecResult *ret_dnssec_result) {
_cleanup_(dns_packet_unrefp) DnsPacket *full_packet = NULL;
@@ -1013,7 +1016,7 @@ int dns_cache_lookup(
n++;
}
- if (j->authenticated)
+ if (FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED))
have_authenticated = true;
else
have_non_authenticated = true;
@@ -1049,7 +1052,14 @@ int dns_cache_lookup(
}
} else if (j->rr) {
- r = answer_add_clamp_ttl(&answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0, NULL, query_flags, j->until, current);
+ r = answer_add_clamp_ttl(&answer,
+ j->rr,
+ j->ifindex,
+ FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? DNS_ANSWER_AUTHENTICATED : 0,
+ NULL,
+ query_flags,
+ j->until,
+ current);
if (r < 0)
return r;
}
@@ -1072,8 +1082,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = false;
+ if (ret_query_flags)
+ *ret_query_flags = 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;
@@ -1097,8 +1107,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = nsec->authenticated;
+ if (ret_query_flags)
+ *ret_query_flags = nsec->query_flags;
if (ret_dnssec_result)
*ret_dnssec_result = nsec->dnssec_result;
@@ -1127,8 +1137,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = have_authenticated && !have_non_authenticated;
+ if (ret_query_flags)
+ *ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;
@@ -1143,8 +1153,8 @@ int dns_cache_lookup(
*ret_answer = TAKE_PTR(answer);
if (ret_full_packet)
*ret_full_packet = TAKE_PTR(full_packet);
- if (ret_authenticated)
- *ret_authenticated = have_authenticated && !have_non_authenticated;
+ if (ret_query_flags)
+ *ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0;
if (ret_dnssec_result)
*ret_dnssec_result = dnssec_result;
@@ -1157,8 +1167,8 @@ miss:
*ret_answer = NULL;
if (ret_full_packet)
*ret_full_packet = NULL;
- if (ret_authenticated)
- *ret_authenticated = false;
+ if (ret_query_flags)
+ *ret_query_flags = 0;
if (ret_dnssec_result)
*ret_dnssec_result = _DNSSEC_RESULT_INVALID;
diff --git a/src/resolve/resolved-dns-cache.h b/src/resolve/resolved-dns-cache.h
index cfae24fb71..621b52f892 100644
--- a/src/resolve/resolved-dns-cache.h
+++ b/src/resolve/resolved-dns-cache.h
@@ -30,7 +30,7 @@ int dns_cache_put(
int rcode,
DnsAnswer *answer,
DnsPacket *full_packet,
- bool authenticated,
+ uint64_t query_flags,
DnssecResult dnssec_result,
uint32_t nsec_ttl,
int owner_family,
@@ -43,7 +43,7 @@ int dns_cache_lookup(
int *ret_rcode,
DnsAnswer **ret_answer,
DnsPacket **ret_full_packet,
- bool *ret_authenticated,
+ uint64_t *ret_query_flags,
DnssecResult *ret_dnssec_result);
int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address);
diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index aa05844642..8137b4028b 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -346,7 +346,7 @@ static void dns_query_reset_answer(DnsQuery *q) {
q->answer_rcode = 0;
q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
q->answer_errno = 0;
- q->answer_authenticated = false;
+ q->answer_query_flags = 0;
q->answer_protocol = _DNS_PROTOCOL_INVALID;
q->answer_family = AF_UNSPEC;
q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain);
@@ -630,7 +630,7 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
q->answer_rcode = DNS_RCODE_NXDOMAIN;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
- q->answer_authenticated = true;
+ q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;
*state = DNS_TRANSACTION_RCODE_FAILURE;
return 0;
@@ -644,7 +644,7 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) {
q->answer_rcode = DNS_RCODE_SUCCESS;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
- q->answer_authenticated = true;
+ q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;
*state = DNS_TRANSACTION_SUCCESS;
@@ -676,7 +676,7 @@ static int dns_query_try_etc_hosts(DnsQuery *q) {
q->answer_rcode = DNS_RCODE_SUCCESS;
q->answer_protocol = dns_synthesize_protocol(q->flags);
q->answer_family = dns_synthesize_family(q->flags);
- q->answer_authenticated = true;
+ q->answer_query_flags = SD_RESOLVED_AUTHENTICATED;
return 1;
}
@@ -817,7 +817,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
q->answer = dns_answer_unref(q->answer);
q->answer_rcode = 0;
q->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
- q->answer_authenticated = false;
+ q->answer_query_flags = 0;
q->answer_errno = c->error_code;
q->answer_full_packet = dns_packet_unref(q->answer_full_packet);
}
@@ -845,7 +845,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
dns_packet_unref(q->answer_full_packet);
q->answer_full_packet = dns_packet_ref(t->received);
- if (t->answer_authenticated) {
+ if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) {
has_authenticated = true;
dnssec_result_authenticated = t->answer_dnssec_result;
} else {
@@ -870,14 +870,15 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
continue;
/* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */
- if (q->answer_authenticated && !t->answer_authenticated)
+ if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) &&
+ !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
continue;
dns_answer_unref(q->answer);
q->answer = dns_answer_ref(t->answer);
q->answer_rcode = t->answer_rcode;
q->answer_dnssec_result = t->answer_dnssec_result;
- q->answer_authenticated = t->answer_authenticated;
+ q->answer_query_flags = t->answer_query_flags;
q->answer_errno = t->answer_errno;
dns_packet_unref(q->answer_full_packet);
q->answer_full_packet = dns_packet_ref(t->received);
@@ -888,8 +889,8 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
}
if (state == DNS_TRANSACTION_SUCCESS) {
- q->answer_authenticated = has_authenticated && !has_non_authenticated;
- q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated;
+ SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated);
+ q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated;
}
q->answer_protocol = c->scope->protocol;
@@ -1049,7 +1050,7 @@ int dns_query_process_cname(DnsQuery *q) {
if (q->flags & SD_RESOLVED_NO_CNAME)
return -ELOOP;
- if (!q->answer_authenticated)
+ if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
q->previous_redirect_unauthenticated = true;
/* OK, let's actually follow the CNAME */
@@ -1119,5 +1120,5 @@ const char *dns_query_string(DnsQuery *q) {
bool dns_query_fully_authenticated(DnsQuery *q) {
assert(q);
- return q->answer_authenticated && !q->previous_redirect_unauthenticated;
+ return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated;
}
diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h
index a7916712c1..1a30433e8c 100644
--- a/src/resolve/resolved-dns-query.h
+++ b/src/resolve/resolved-dns-query.h
@@ -66,7 +66,7 @@ struct DnsQuery {
DnsAnswer *answer;
int answer_rcode;
DnssecResult answer_dnssec_result;
- bool answer_authenticated;
+ uint64_t answer_query_flags;
DnsProtocol answer_protocol;
int answer_family;
DnsSearchDomain *answer_search_domain;
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 55b9114f58..32f3f16a0d 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -29,7 +29,7 @@ static void dns_transaction_reset_answer(DnsTransaction *t) {
t->answer_rcode = 0;
t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
- t->answer_authenticated = false;
+ t->answer_query_flags = 0;
t->answer_nsec_ttl = (uint32_t) -1;
t->answer_errno = 0;
}
@@ -420,7 +420,7 @@ void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
st,
t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source),
FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" :
- (t->answer_authenticated ? "authenticated" : "unsigned"));
+ (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned"));
t->state = state;
@@ -793,7 +793,7 @@ static void dns_transaction_cache_answer(DnsTransaction *t) {
* since our usecase for caching them
* is "bypass" mode which is only
* enabled for CD packets. */
- t->answer_authenticated,
+ t->answer_query_flags,
t->answer_dnssec_result,
t->answer_nsec_ttl,
t->received->family,
@@ -1231,7 +1231,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
t->answer = dns_answer_ref(p->answer);
t->answer_rcode = DNS_PACKET_RCODE(p);
t->answer_dnssec_result = _DNSSEC_RESULT_INVALID;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
r = dns_transaction_fix_rcode(t);
if (r < 0)
@@ -1519,7 +1519,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
if (r > 0) {
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
return 0;
}
@@ -1538,7 +1538,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
} else
/* If we are not in downgrade mode, then fail the lookup, because we cannot
@@ -1559,7 +1559,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
if (r > 0) {
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_source = DNS_TRANSACTION_ZONE;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
return 0;
}
@@ -1582,7 +1582,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) {
&t->answer_rcode,
&t->answer,
&t->received,
- &t->answer_authenticated,
+ &t->answer_query_flags,
&t->answer_dnssec_result);
if (r < 0)
return r;
@@ -2566,7 +2566,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
* RRs we are looking at. If it discovered signed DS
* RRs, then we need to be signed, too. */
- if (!dt->answer_authenticated)
+ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
return false;
return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
@@ -2618,7 +2618,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
if (r == 0)
continue;
- return t->answer_authenticated;
+ return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}
return true;
@@ -2642,12 +2642,10 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
if (r == 0)
continue;
- /* We found the transaction that was supposed to find
- * the SOA RR for us. It was successful, but found no
- * RR for us. This means we are not at a zone cut. In
- * this case, we require authentication if the SOA
- * lookup was authenticated too. */
- return t->answer_authenticated;
+ /* We found the transaction that was supposed to find the SOA RR for us. It was
+ * successful, but found no RR for us. This means we are not at a zone cut. In this
+ * case, we require authentication if the SOA lookup was authenticated too. */
+ return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}
return true;
@@ -2788,7 +2786,7 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) {
if (r == 0)
continue;
- return dt->answer_authenticated;
+ return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
}
/* If in doubt, require NSEC/NSEC3 */
@@ -2832,11 +2830,10 @@ static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRe
if (r == 0)
continue;
- /* OK, we found an auxiliary DNSKEY
- * lookup. If that lookup is
- * authenticated, report this. */
+ /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated,
+ * report this. */
- if (dt->answer_authenticated)
+ if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
return true;
found = true;
@@ -2849,12 +2846,10 @@ static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRe
if (r == 0)
continue;
- /* OK, we found an auxiliary DS
- * lookup. If that lookup is
- * authenticated and non-zero, we
- * won! */
+ /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and
+ * non-zero, we won! */
- if (!dt->answer_authenticated)
+ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
return false;
return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL);
@@ -2942,7 +2937,7 @@ static int dns_transaction_copy_validated(DnsTransaction *t) {
if (DNS_TRANSACTION_IS_LIVE(dt->state))
continue;
- if (!dt->answer_authenticated)
+ if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED))
continue;
r = dns_answer_extend(&t->validated_keys, dt->answer);
@@ -3244,7 +3239,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
/* Our own stuff needs no validation */
if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) {
t->answer_dnssec_result = DNSSEC_VALIDATED;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
return 0;
}
@@ -3332,11 +3327,11 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
/* The answer is fully authenticated, yay. */
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_SUCCESS;
- t->answer_authenticated = true;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true);
} else {
/* The answer is not fully authenticated. */
t->answer_dnssec_result = DNSSEC_UNSIGNED;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
}
} else if (r == 0) {
@@ -3355,7 +3350,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_NXDOMAIN;
- t->answer_authenticated = authenticated;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
break;
@@ -3365,7 +3360,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_SUCCESS;
- t->answer_authenticated = authenticated;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated);
manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t));
break;
@@ -3374,7 +3369,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
/* NSEC3 says the data might not be signed */
log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str);
t->answer_dnssec_result = DNSSEC_UNSIGNED;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
break;
@@ -3390,7 +3385,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t));
} else {
t->answer_dnssec_result = DNSSEC_UNSIGNED;
- t->answer_authenticated = false;
+ SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false);
manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t));
}
diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h
index 9376d504bf..dab26d01fc 100644
--- a/src/resolve/resolved-dns-transaction.h
+++ b/src/resolve/resolved-dns-transaction.h
@@ -77,15 +77,12 @@ struct DnsTransaction {
uint32_t answer_nsec_ttl;
int answer_errno; /* if state is DNS_TRANSACTION_ERRNO */
- /* Indicates whether the primary answer is authenticated,
- * i.e. whether the RRs from answer which directly match the
- * question are authenticated, or, if there are none, whether
- * the NODATA or NXDOMAIN case is. It says nothing about
- * additional RRs listed in the answer, however they have
- * their own DNS_ANSWER_AUTHORIZED FLAGS. Note that this bit
- * is defined different than the AD bit in DNS packets, as
- * that covers more than just the actual primary answer. */
- bool answer_authenticated;
+ /* SD_RESOLVED_AUTHENTICATED here indicates whether the primary answer is authenticated, i.e. whether
+ * the RRs from answer which directly match the question are authenticated, or, if there are none,
+ * whether the NODATA or NXDOMAIN case is. It says nothing about additional RRs listed in the answer,
+ * however they have their own DNS_ANSWER_AUTHORIZED FLAGS. Note that this bit is defined different
+ * than the AD bit in DNS packets, as that covers more than just the actual primary answer. */
+ uint64_t answer_query_flags;
/* Contains DNSKEY, DS, SOA RRs we already verified and need
* to authenticate this reply */
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-03 09:30:05 +0100