picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/resolve/resolved-dns-cache.c

810 lines
24 KiB
C
Raw Normal View History

resolved: add DNS cache
2014-07-17 19:38:37 +02:00
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2014 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
util-lib: split out allocation calls into alloc-util.[ch]
2015-10-27 03:01:06 +01:00
#include "alloc-util.h"
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
#include "dns-domain.h"
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
#include "resolved-dns-cache.h"
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
#include "resolved-dns-packet.h"
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
#include "string-util.h"
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: various bad memory access fixes to the cache
2014-07-18 21:01:22 +02:00
/* Never cache more than 1K entries */
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
#define CACHE_MAX 1024
resolved: various bad memory access fixes to the cache
2014-07-18 21:01:22 +02:00
/* We never keep any item longer than 10min in our cache */
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
#define CACHE_TTL_MAX_USEC (10 * USEC_PER_MINUTE)
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
typedef enum DnsCacheItemType DnsCacheItemType;
typedef struct DnsCacheItem DnsCacheItem;
enum DnsCacheItemType {
DNS_CACHE_POSITIVE,
DNS_CACHE_NODATA,
DNS_CACHE_NXDOMAIN,
};
struct DnsCacheItem {
DnsResourceKey *key;
DnsResourceRecord *rr;
usec_t until;
DnsCacheItemType type;
unsigned prioq_idx;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
bool authenticated;
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
int owner_family;
union in_addr_union owner_address;
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
LIST_FIELDS(DnsCacheItem, by_key);
};
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
static void dns_cache_item_free(DnsCacheItem *i) {
if (!i)
return;
dns_resource_record_unref(i->rr);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
dns_resource_key_unref(i->key);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
free(i);
}
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsCacheItem*, dns_cache_item_free);
static void dns_cache_item_remove_and_free(DnsCache *c, DnsCacheItem *i) {
DnsCacheItem *first;
assert(c);
if (!i)
return;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
first = hashmap_get(c->by_key, i->key);
LIST_REMOVE(by_key, first, i);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
if (first)
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
assert_se(hashmap_replace(c->by_key, first->key, first) >= 0);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
else
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
hashmap_remove(c->by_key, i->key);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
prioq_remove(c->by_expiry, i, &i->prioq_idx);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
dns_cache_item_free(i);
}
void dns_cache_flush(DnsCache *c) {
DnsCacheItem *i;
assert(c);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
while ((i = hashmap_first(c->by_key)))
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
dns_cache_item_remove_and_free(c, i);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
assert(hashmap_size(c->by_key) == 0);
assert(prioq_size(c->by_expiry) == 0);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: fix crash when shutting down Reported by Cristian Rodríguez http://lists.freedesktop.org/archives/systemd-devel/2015-May/031626.html
2015-05-18 23:23:17 +02:00
c->by_key = hashmap_free(c->by_key);
c->by_expiry = prioq_free(c->by_expiry);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
static bool dns_cache_remove(DnsCache *c, DnsResourceKey *key) {
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
DnsCacheItem *i;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
bool exist = false;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
assert(c);
assert(key);
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
while ((i = hashmap_get(c->by_key, key))) {
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
dns_cache_item_remove_and_free(c, i);
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
exist = true;
}
return exist;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
static void dns_cache_make_space(DnsCache *c, unsigned add) {
assert(c);
if (add <= 0)
return;
/* Makes space for n new entries. Note that we actually allow
* the cache to grow beyond CACHE_MAX, but only when we shall
* add more RRs to the cache than CACHE_MAX at once. In that
* case the cache will be emptied completely otherwise. */
for (;;) {
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
DnsCacheItem *i;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (prioq_size(c->by_expiry) <= 0)
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
break;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (prioq_size(c->by_expiry) + add < CACHE_MAX)
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
break;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
i = prioq_peek(c->by_expiry);
resolved: various bad memory access fixes to the cache
2014-07-18 21:01:22 +02:00
assert(i);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
/* Take an extra reference to the key so that it
resolved: various bad memory access fixes to the cache
2014-07-18 21:01:22 +02:00
* doesn't go away in the middle of the remove call */
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
key = dns_resource_key_ref(i->key);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
dns_cache_remove(c, key);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
}
void dns_cache_prune(DnsCache *c) {
usec_t t = 0;
assert(c);
/* Remove all entries that are past their TTL */
for (;;) {
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
DnsCacheItem *i;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
i = prioq_peek(c->by_expiry);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
if (!i)
break;
if (t <= 0)
resolved: cache - use clock_boottime_or_monotonic() We cannot rely on CLOCK_BOOTTIME being supported by the kernel, so fallack to CLOCK_MONOTONIC if the former is not supported.
2015-07-28 02:45:04 +02:00
t = now(clock_boottime_or_monotonic());
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (i->until > t)
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
break;
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
/* Take an extra reference to the key so that it
resolved: various bad memory access fixes to the cache
2014-07-18 21:01:22 +02:00
* doesn't go away in the middle of the remove call */
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
key = dns_resource_key_ref(i->key);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
dns_cache_remove(c, key);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
}
static int dns_cache_item_prioq_compare_func(const void *a, const void *b) {
const DnsCacheItem *x = a, *y = b;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (x->until < y->until)
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return -1;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (x->until > y->until)
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return 1;
return 0;
}
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
static int dns_cache_init(DnsCache *c) {
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
int r;
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
assert(c);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
r = prioq_ensure_allocated(&c->by_expiry, dns_cache_item_prioq_compare_func);
if (r < 0)
return r;
hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.
2014-08-13 01:00:18 +02:00
r = hashmap_ensure_allocated(&c->by_key, &dns_resource_key_hash_ops);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (r < 0)
return r;
return r;
}
static int dns_cache_link_item(DnsCache *c, DnsCacheItem *i) {
DnsCacheItem *first;
int r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
assert(c);
assert(i);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
r = prioq_put(c->by_expiry, i, &i->prioq_idx);
if (r < 0)
return r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
first = hashmap_get(c->by_key, i->key);
if (first) {
LIST_PREPEND(by_key, first, i);
assert_se(hashmap_replace(c->by_key, first->key, first) >= 0);
} else {
r = hashmap_put(c->by_key, i->key, i);
if (r < 0) {
prioq_remove(c->by_expiry, i, &i->prioq_idx);
return r;
}
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
return 0;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
static DnsCacheItem* dns_cache_get(DnsCache *c, DnsResourceRecord *rr) {
DnsCacheItem *i;
assert(c);
assert(rr);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
LIST_FOREACH(by_key, i, hashmap_get(c->by_key, rr->key))
resolved: properly check return value of dns_resource_record_equal()
2014-08-06 16:14:53 +02:00
if (i->rr && dns_resource_record_equal(i->rr, rr) > 0)
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
return i;
return NULL;
}
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
static void dns_cache_item_update_positive(DnsCache *c, DnsCacheItem *i, DnsResourceRecord *rr, bool authenticated, usec_t timestamp) {
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
assert(c);
assert(i);
assert(rr);
i->type = DNS_CACHE_POSITIVE;
tree-wide: drop {} from one-line if blocks Patch via coccinelle.
2015-09-08 23:03:38 +02:00
if (!i->by_key_prev)
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
/* We are the first item in the list, we need to
* update the key used in the hashmap */
assert_se(hashmap_replace(c->by_key, rr->key, i) >= 0);
dns_resource_record_ref(rr);
dns_resource_record_unref(i->rr);
i->rr = rr;
dns_resource_key_unref(i->key);
i->key = dns_resource_key_ref(rr->key);
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
i->authenticated = authenticated;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
i->until = timestamp + MIN(rr->ttl * USEC_PER_SEC, CACHE_TTL_MAX_USEC);
prioq_reshuffle(c->by_expiry, i, &i->prioq_idx);
}
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
static int dns_cache_put_positive(
DnsCache *c,
DnsResourceRecord *rr,
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
bool authenticated,
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
usec_t timestamp,
int owner_family,
const union in_addr_union *owner_address) {
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
_cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
_cleanup_free_ char *key_str = NULL;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
DnsCacheItem *existing;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
int r;
assert(c);
assert(rr);
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
assert(owner_address);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
/* New TTL is 0? Delete the entry... */
if (rr->ttl <= 0) {
resolved: cache - clarify logging
2015-08-17 08:38:48 +02:00
r = dns_resource_key_to_string(rr->key, &key_str);
if (r < 0)
return r;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: cache - clarify logging
2015-08-17 08:38:48 +02:00
if (dns_cache_remove(c, rr->key))
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
log_debug("Removed zero TTL entry from cache: %s", key_str);
resolved: cache - clarify logging
2015-08-17 08:38:48 +02:00
else
log_debug("Not caching zero TTL cache entry: %s", key_str);
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return 0;
}
resolved: never cache ANY lookups
2014-07-30 11:26:49 +02:00
if (rr->key->class == DNS_CLASS_ANY)
return 0;
if (rr->key->type == DNS_TYPE_ANY)
return 0;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
/* Entry exists already? Update TTL and timestamp */
existing = dns_cache_get(c, rr);
if (existing) {
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
dns_cache_item_update_positive(c, existing, rr, authenticated, timestamp);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return 0;
}
/* Otherwise, add the new RR */
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
r = dns_cache_init(c);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
if (r < 0)
return r;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
dns_cache_make_space(c, 1);
i = new0(DnsCacheItem, 1);
if (!i)
return -ENOMEM;
i->type = DNS_CACHE_POSITIVE;
i->key = dns_resource_key_ref(rr->key);
i->rr = dns_resource_record_ref(rr);
i->until = timestamp + MIN(i->rr->ttl * USEC_PER_SEC, CACHE_TTL_MAX_USEC);
i->prioq_idx = PRIOQ_IDX_NULL;
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
i->owner_family = owner_family;
i->owner_address = *owner_address;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
i->authenticated = authenticated;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
r = dns_cache_link_item(c, i);
if (r < 0)
return r;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
r = dns_resource_key_to_string(i->key, &key_str);
if (r < 0)
return r;
log_debug("Added cache entry for %s", key_str);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
i = NULL;
return 0;
}
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
static int dns_cache_put_negative(
DnsCache *c,
DnsResourceKey *key,
int rcode,
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
bool authenticated,
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
usec_t timestamp,
uint32_t soa_ttl,
int owner_family,
const union in_addr_union *owner_address) {
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
_cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
_cleanup_free_ char *key_str = NULL;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
int r;
assert(c);
assert(key);
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
assert(owner_address);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
dns_cache_remove(c, key);
resolved: never cache ANY lookups
2014-07-30 11:26:49 +02:00
if (key->class == DNS_CLASS_ANY)
return 0;
if (key->type == DNS_TYPE_ANY)
return 0;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
if (soa_ttl <= 0) {
r = dns_resource_key_to_string(key, &key_str);
if (r < 0)
return r;
resolved: cache - clarify logging
2015-08-17 08:38:48 +02:00
log_debug("Not caching negative entry with zero SOA TTL: %s", key_str);
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: don't bother caching negative RRs when the SOA TTL is 0 anyway
2014-08-01 00:57:19 +02:00
return 0;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
}
resolved: never cache ANY lookups
2014-07-30 11:26:49 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
return 0;
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
r = dns_cache_init(c);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
if (r < 0)
return r;
dns_cache_make_space(c, 1);
i = new0(DnsCacheItem, 1);
if (!i)
return -ENOMEM;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
i->type = rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA : DNS_CACHE_NXDOMAIN;
i->key = dns_resource_key_ref(key);
i->until = timestamp + MIN(soa_ttl * USEC_PER_SEC, CACHE_TTL_MAX_USEC);
i->prioq_idx = PRIOQ_IDX_NULL;
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
i->owner_family = owner_family;
i->owner_address = *owner_address;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
i->authenticated = authenticated;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
r = dns_cache_link_item(c, i);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
if (r < 0)
return r;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
r = dns_resource_key_to_string(i->key, &key_str);
if (r < 0)
return r;
log_debug("Added %s cache entry for %s", i->type == DNS_CACHE_NODATA ? "NODATA" : "NXDOMAIN", key_str);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
i = NULL;
return 0;
}
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
int dns_cache_put(
DnsCache *c,
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
DnsResourceKey *key,
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
int rcode,
DnsAnswer *answer,
unsigned max_rrs,
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
bool authenticated,
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
usec_t timestamp,
int owner_family,
const union in_addr_union *owner_address) {
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
DnsResourceRecord *soa = NULL;
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
unsigned cache_keys, i;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
int r;
assert(c);
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
if (key) {
/* First, if we were passed a key, delete all matching old RRs,
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
* so that we only keep complete by_key in place. */
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
dns_cache_remove(c, key);
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
}
resolved: properly handle adding empty replies to cache
2014-07-30 14:21:18 +02:00
if (!answer)
return 0;
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
for (i = 0; i < answer->n_rrs; i++)
resolved: rework synthesizing logic With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-08-17 23:54:08 +02:00
dns_cache_remove(c, answer->items[i].rr->key);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
/* We only care for positive replies and NXDOMAINs, on all
* other replies we will simply flush the respective entries,
* and that's it */
if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
return 0;
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
cache_keys = answer->n_rrs;
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
if (key)
cache_keys ++;
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
/* Make some space for our new entries */
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
dns_cache_make_space(c, cache_keys);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (timestamp <= 0)
resolved: cache - use clock_boottime_or_monotonic() We cannot rely on CLOCK_BOOTTIME being supported by the kernel, so fallack to CLOCK_MONOTONIC if the former is not supported.
2015-07-28 02:45:04 +02:00
timestamp = now(clock_boottime_or_monotonic());
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
/* Second, add in positive entries for all contained RRs */
resolved: only cache answer RRs, never additional or authoritative RRs of responses
2014-07-30 01:46:27 +02:00
for (i = 0; i < MIN(max_rrs, answer->n_rrs); i++) {
resolved: flush keys when DNS_RESOURCE_KEY_CACHE_FLUSH is set In mDNS, DNS_RESOURCE_KEY_CACHE_FLUSH denotes whether other records with the same key should be flushed from the cache.
2015-08-04 14:12:46 +02:00
DnsResourceRecord *rr = answer->items[i].rr;
if (rr->key->cache_flush)
dns_cache_remove(c, rr->key);
r = dns_cache_put_positive(c, rr, authenticated, timestamp, owner_family, owner_address);
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (r < 0)
goto fail;
}
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
if (!key)
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
return 0;
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
/* Third, add in negative entries if the key has no RR */
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-09 18:13:16 +01:00
r = dns_answer_match_key(answer, key);
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
if (r < 0)
goto fail;
if (r > 0)
return 0;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled This adds initial support for validating RRSIG/DNSKEY/DS chains when doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not implemented yet. With this change DnsTransaction objects will generate additional DnsTransaction objects when looking for DNSKEY or DS RRs to validate an RRSIG on a response. DnsTransaction objects are thus created for three reasons now: 1) Because a user asked for something to be resolved, i.e. requested by a DnsQuery/DnsQueryCandidate object. 2) As result of LLMNR RR probing, requested by a DnsZoneItem. 3) Because another DnsTransaction requires the requested RRs for validation of its own response. DnsTransactions are shared between all these users, and are GC automatically as soon as all of these users don't need a specific transaction anymore. To unify the handling of these three reasons for existance for a DnsTransaction, a new common naming is introduced: each DnsTransaction now tracks its "owners" via a Set* object named "notify_xyz", containing all owners to notify on completion. A new DnsTransaction state is introduced called "VALIDATING" that is entered after a response has been receieved which needs to be validated, as long as we are still waiting for the DNSKEY/DS RRs from other DnsTransactions. This patch will request the DNSKEY/DS RRs bottom-up, and then validate them top-down. Caching of RRs is now only done after verification, so that the cache is not poisoned with known invalid data. The "DnsAnswer" object gained a substantial number of new calls, since we need to add/remove RRs to it dynamically now.
2015-12-09 18:13:16 +01:00
/* See https://tools.ietf.org/html/rfc2308, which say that a
* matching SOA record in the packet is used to to enable
* negative caching. */
resolved: add reference to negative caching RFC
2015-08-21 22:47:06 +02:00
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
r = dns_answer_find_soa(answer, key, &soa);
if (r < 0)
goto fail;
if (r == 0)
return 0;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
r = dns_cache_put_negative(c, key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
if (r < 0)
goto fail;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return 0;
fail:
/* Adding all RRs failed. Let's clean up what we already
* added, just in case */
resolved: cache - only allow putting a single question key at a time Only one key is allowed per transaction now, so let's simplify things and only allow putting one question key into the cache at a time.
2015-09-04 01:01:27 +02:00
if (key)
dns_cache_remove(c, key);
resolved: allow dns_cache_put() without a question Currently, dns_cache_put() does a number of things: 1) It unconditionally removes all keys contained in the passed question before adding keys from the newly arrived answers. 2) It puts positive entries into the cache for all RRs contained in the answer. 3) It creates negative entries in the cache for all keys in the question that are not answered. Allow passing q = NULL in the parameters and skip 1) and 3), so we can use that function for mDNS responses. In this case, the question is irrelevant, we are interested in all answers we got.
2015-08-04 13:53:02 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
for (i = 0; i < answer->n_rrs; i++)
resolved: rework synthesizing logic With this change we'll now also generate synthesized RRs for the local LLMNR hostname (first label of system hostname), the local mDNS hostname (first label of system hostname suffixed with .local), the "gateway" hostname and all the reverse PTRs. This hence takes over part of what nss-myhostname already implemented. Local hostnames resolve to the set of local IP addresses. Since the addresses are possibly on different interfaces it is necessary to change the internal DnsAnswer object to track per-RR interface indexes, and to change the bus API to always return the interface per-address rather than per-reply. This change also patches the existing clients for resolved accordingly (nss-resolve + systemd-resolve-host). This also changes the routing logic for queries slightly: we now ensure that the local hostname is never resolved via LLMNR, thus making it trustable on the local system.
2015-08-17 23:54:08 +02:00
dns_cache_remove(c, answer->items[i].rr->key);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
return r;
}
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, DnsResourceKey *k) {
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
DnsCacheItem *i;
const char *n;
int r;
resolved: cache - handle CNAME redirection CNAME records are special in the way they are treated by DNS servers, and our cache should mimic that behavior: In case a domain name has an alias, its CNAME record is returned in place of any other. Our cache was not doing this despite caching the CNAME records, this entailed needless lookups to re-resolve the CNAME.
2015-08-17 07:56:57 +02:00
assert(c);
assert(k);
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
/* If we hit some OOM error, or suchlike, we don't care too
* much, after all this is just a cache */
resolved: cache - handle CNAME redirection CNAME records are special in the way they are treated by DNS servers, and our cache should mimic that behavior: In case a domain name has an alias, its CNAME record is returned in place of any other. Our cache was not doing this despite caching the CNAME records, this entailed needless lookups to re-resolve the CNAME.
2015-08-17 07:56:57 +02:00
i = hashmap_get(c->by_key, k);
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
if (i || IN_SET(k->type, DNS_TYPE_CNAME, DNS_TYPE_DNAME, DNS_TYPE_NSEC))
return i;
n = DNS_RESOURCE_KEY_NAME(k);
/* Check if we have an NSEC record instead for the name. */
resolved: optionally, allocate DnsResourceKey objects on the stack Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03 17:27:13 +01:00
i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_NSEC, n));
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
if (i)
resolved: cache - handle CNAME redirection CNAME records are special in the way they are treated by DNS servers, and our cache should mimic that behavior: In case a domain name has an alias, its CNAME record is returned in place of any other. Our cache was not doing this despite caching the CNAME records, this entailed needless lookups to re-resolve the CNAME.
2015-08-17 07:56:57 +02:00
return i;
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
/* Check if we have a CNAME record instead */
resolved: optionally, allocate DnsResourceKey objects on the stack Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03 17:27:13 +01:00
i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_CNAME, n));
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
if (i)
return i;
/* OK, let's look for cached DNAME records. */
for (;;) {
char label[DNS_LABEL_MAX];
if (isempty(n))
return NULL;
resolved: cache - handle CNAME redirection CNAME records are special in the way they are treated by DNS servers, and our cache should mimic that behavior: In case a domain name has an alias, its CNAME record is returned in place of any other. Our cache was not doing this despite caching the CNAME records, this entailed needless lookups to re-resolve the CNAME.
2015-08-17 07:56:57 +02:00
resolved: optionally, allocate DnsResourceKey objects on the stack Sometimes when looking up entries in hashmaps indexed by a DnsResourceKey it is helpful not having to allocate a full DnsResourceKey dynamically just to use it as search key. Instead, optionally allow allocation of a DnsResourceKey on the stack. Resource keys allocated like that of course are subject to other lifetime cycles than the usual Resource keys, hence initialize the reference counter to to (unsigned) -1. While we are at it, remove the prototype for dns_resource_key_new_dname() which was never implemented.
2015-12-03 17:27:13 +01:00
i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_DNAME, n));
resolved: implement client-side DNAME resolution Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-24 00:18:49 +01:00
if (i)
return i;
/* Jump one label ahead */
r = dns_label_unescape(&n, label, sizeof(label));
if (r <= 0)
return NULL;
}
return NULL;
resolved: cache - handle CNAME redirection CNAME records are special in the way they are treated by DNS servers, and our cache should mimic that behavior: In case a domain name has an alias, its CNAME record is returned in place of any other. Our cache was not doing this despite caching the CNAME records, this entailed needless lookups to re-resolve the CNAME.
2015-08-17 07:56:57 +02:00
}
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **ret, bool *authenticated) {
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
_cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
unsigned n = 0;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
int r;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
bool nxdomain = false;
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
_cleanup_free_ char *key_str = NULL;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
DnsCacheItem *j, *first, *nsec = NULL;
bool have_authenticated = false, have_non_authenticated = false;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
assert(c);
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
assert(key);
resolve: add llmnr responder side for UDP and TCP Name defending is still missing.
2014-07-29 14:24:02 +02:00
assert(rcode);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
assert(ret);
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
assert(authenticated);
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
if (key->type == DNS_TYPE_ANY ||
key->class == DNS_CLASS_ANY) {
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
/* If we have ANY lookups we don't use the cache, so
* that the caller refreshes via the network. */
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
r = dns_resource_key_to_string(key, &key_str);
if (r < 0)
return r;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
log_debug("Ignoring cache for ANY lookup: %s", key_str);
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
*ret = NULL;
*rcode = DNS_RCODE_SUCCESS;
return 0;
}
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
first = dns_cache_get_by_key_follow_cname_dname_nsec(c, key);
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
if (!first) {
/* If one question cannot be answered we need to refresh */
resolved: never cache ANY lookups
2014-07-30 11:26:49 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
r = dns_resource_key_to_string(key, &key_str);
if (r < 0)
return r;
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
log_debug("Cache miss for %s", key_str);
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
*ret = NULL;
*rcode = DNS_RCODE_SUCCESS;
return 0;
}
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
LIST_FOREACH(by_key, j, first) {
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
if (j->rr) {
if (j->rr->key->type == DNS_TYPE_NSEC)
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
nsec = j;
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
n++;
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
} else if (j->type == DNS_CACHE_NXDOMAIN)
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
nxdomain = true;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
if (j->authenticated)
have_authenticated = true;
else
have_non_authenticated = true;
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
}
resolved: cache - add more detailed cache debug logging
2015-08-12 18:18:31 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
r = dns_resource_key_to_string(key, &key_str);
if (r < 0)
return r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
if (nsec && key->type != DNS_TYPE_NSEC) {
log_debug("NSEC NODATA cache hit for %s", key_str);
/* We only found an NSEC record that matches our name.
* If it says the type doesn't exit report
* NODATA. Otherwise report a cache miss. */
*ret = NULL;
*rcode = DNS_RCODE_SUCCESS;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
*authenticated = nsec->authenticated;
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
return !bitmap_isset(nsec->rr->nsec.types, key->type) &&
!bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_CNAME) &&
!bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_DNAME);
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
}
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
log_debug("%s cache hit for %s",
resolved: synthesize NODATA cache results when we find matching NSEC RRs If we have a precisely matching NSEC RR for a name, we can use its type bit field to synthesize NODATA cache lookup results for all types not mentioned in there. This is useful for mDNS where NSEC RRs are used to indicate missing RRs for a specific type, but is beneficial in other cases too. To test this, consider these two lines: systemd-resolve-host -t NSEC nasa.gov systemd-resolve-host -t SRV nasa.gov The second line will not result in traffic as the first line already cached the NSEC field.
2015-12-02 23:59:19 +01:00
n > 0 ? "Positive" :
nxdomain ? "NXDOMAIN" : "NODATA",
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
key_str);
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
if (n <= 0) {
*ret = NULL;
*rcode = nxdomain ? DNS_RCODE_NXDOMAIN : DNS_RCODE_SUCCESS;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
*authenticated = have_authenticated && !have_non_authenticated;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
return 1;
}
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
answer = dns_answer_new(n);
if (!answer)
return -ENOMEM;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
resolved: only maintain one question RR key per transaction Let's simplify things and only maintain a single RR key per transaction object, instead of a full DnsQuestion. Unicast DNS and LLMNR don't support multiple questions per packet anway, and Multicast DNS suggests coalescing questions beyond a single dns query, across the whole system.
2015-08-21 22:55:01 +02:00
LIST_FOREACH(by_key, j, first) {
if (!j->rr)
continue;
r = dns_answer_add(answer, j->rr, 0);
if (r < 0)
return r;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
*ret = answer;
resolved: implement negative caching
2014-07-23 00:57:25 +02:00
*rcode = DNS_RCODE_SUCCESS;
resolved: add a concept of "authenticated" responses This adds a new SD_RESOLVED_AUTHENTICATED flag for responses we return on the bus. When set, then the data has been authenticated. For now this mostly reflects the DNSSEC AD bit, if DNSSEC=trust is set. As soon as the client-side validation is complete it will be hooked up to this flag too. We also set this bit whenver we generated the data ourselves, for example, because it originates in our local LLMNR zone, or from the built-in trust anchor database. The "systemd-resolve-host" tool has been updated to show the flag state for the data it shows.
2015-12-03 21:04:52 +01:00
*authenticated = have_authenticated && !have_non_authenticated;
resolved: rework logic so that we can share transactions between queries of different clients
2014-07-22 21:48:41 +02:00
answer = NULL;
return n;
resolved: add DNS cache
2014-07-17 19:38:37 +02:00
}
resolved: implement full LLMNR conflict detection logic
2014-08-06 16:15:35 +02:00
int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address) {
DnsCacheItem *i, *first;
bool same_owner = true;
assert(cache);
assert(rr);
dns_cache_prune(cache);
/* See if there's a cache entry for the same key. If there
* isn't there's no conflict */
first = hashmap_get(cache->by_key, rr->key);
if (!first)
return 0;
/* See if the RR key is owned by the same owner, if so, there
* isn't a conflict either */
LIST_FOREACH(by_key, i, first) {
if (i->owner_family != owner_family ||
!in_addr_equal(owner_family, &i->owner_address, owner_address)) {
same_owner = false;
break;
}
}
if (same_owner)
return 0;
/* See if there's the exact same RR in the cache. If yes, then
* there's no conflict. */
if (dns_cache_get(cache, rr))
return 0;
/* There's a conflict */
return 1;
}
resolved: dump cache and zone contents to syslog on SIGUSR1
2015-08-26 09:41:45 +02:00
resolved: add dns_cache_export_to_packet() This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
2015-12-01 00:53:42 +01:00
int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p) {
unsigned ancount = 0;
Iterator iterator;
DnsCacheItem *i;
int r;
assert(cache);
resolved: add more linked packets for overlong known answers For mDNS, if we're unable to stuff all known answers into the given packet, allocate a new one, push the RR into that one and link it to the current one.
2015-12-09 13:09:35 +01:00
assert(p);
resolved: add dns_cache_export_to_packet() This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
2015-12-01 00:53:42 +01:00
HASHMAP_FOREACH(i, cache->by_key, iterator) {
DnsCacheItem *j;
LIST_FOREACH(by_key, j, i) {
_cleanup_free_ char *t = NULL;
if (!j->rr)
continue;
if (!dns_key_is_shared(j->rr->key))
continue;
r = dns_packet_append_rr(p, j->rr, NULL, NULL);
resolved: add more linked packets for overlong known answers For mDNS, if we're unable to stuff all known answers into the given packet, allocate a new one, push the RR into that one and link it to the current one.
2015-12-09 13:09:35 +01:00
if (r == -EMSGSIZE && p->protocol == DNS_PROTOCOL_MDNS) {
/* For mDNS, if we're unable to stuff all known answers into the given packet,
* allocate a new one, push the RR into that one and link it to the current one.
*/
DNS_PACKET_HEADER(p)->ancount = htobe16(ancount);
ancount = 0;
r = dns_packet_new_query(&p->more, p->protocol, 0, true);
if (r < 0)
return r;
/* continue with new packet */
p = p->more;
r = dns_packet_append_rr(p, j->rr, NULL, NULL);
}
resolved: add dns_cache_export_to_packet() This new functions exports cached records of type PTR, SRV and TXT into an existing DnsPacket. This is used in order to fill in known records to mDNS queries, for known answer supression.
2015-12-01 00:53:42 +01:00
if (r < 0)
return r;
ancount ++;
}
}
DNS_PACKET_HEADER(p)->ancount = htobe16(ancount);
return 0;
}
resolved: dump cache and zone contents to syslog on SIGUSR1
2015-08-26 09:41:45 +02:00
void dns_cache_dump(DnsCache *cache, FILE *f) {
Iterator iterator;
DnsCacheItem *i;
int r;
if (!cache)
return;
if (!f)
f = stdout;
HASHMAP_FOREACH(i, cache->by_key, iterator) {
DnsCacheItem *j;
LIST_FOREACH(by_key, j, i) {
_cleanup_free_ char *t = NULL;
fputc('\t', f);
if (j->rr) {
r = dns_resource_record_to_string(j->rr, &t);
if (r < 0) {
log_oom();
continue;
}
fputs(t, f);
fputc('\n', f);
} else {
r = dns_resource_key_to_string(j->key, &t);
if (r < 0) {
log_oom();
continue;
}
fputs(t, f);
fputs(" -- ", f);
fputs(j->type == DNS_CACHE_NODATA ? "NODATA" : "NXDOMAIN", f);
fputc('\n', f);
}
}
}
}
bool dns_cache_is_empty(DnsCache *cache) {
if (!cache)
return true;
return hashmap_isempty(cache->by_key);
}
Reference in a new issue Copy permalink