[systemd.git] / src / resolve / dns-type.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <sys/socket.h>
#include <errno.h>

#include "dns-type.h"
#include "parse-util.h"
#include "string-util.h"

typedef const struct {
        uint16_t type;
        const char *name;
} dns_type;

static const struct dns_type_name *
lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);

#include "dns_type-from-name.h"
#include "dns_type-to-name.h"

int dns_type_from_string(const char *s) {
        const struct dns_type_name *sc;

        assert(s);

        sc = lookup_dns_type(s, strlen(s));
        if (sc)
                return sc->id;

        s = startswith_no_case(s, "TYPE");
        if (s) {
                unsigned x;

                if (safe_atou(s, &x) >= 0 &&
                    x <= UINT16_MAX)
                        return (int) x;
        }

        return _DNS_TYPE_INVALID;
}

bool dns_type_is_pseudo(uint16_t type) {

        /* Checks whether the specified type is a "pseudo-type". What
         * a "pseudo-type" precisely is, is defined only very weakly,
         * but apparently entails all RR types that are not actually
         * stored as RRs on the server and should hence also not be
         * cached. We use this list primarily to validate NSEC type
         * bitfields, and to verify what to cache. */

        return IN_SET(type,
                      0, /* A Pseudo RR type, according to RFC 2931 */
                      DNS_TYPE_ANY,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR,
                      DNS_TYPE_OPT,
                      DNS_TYPE_TSIG,
                      DNS_TYPE_TKEY
        );
}

bool dns_class_is_pseudo(uint16_t class) {
        return class == DNS_CLASS_ANY;
}

bool dns_type_is_valid_query(uint16_t type) {

        /* The types valid as questions in packets */

        return !IN_SET(type,
                       0,
                       DNS_TYPE_OPT,
                       DNS_TYPE_TSIG,
                       DNS_TYPE_TKEY,

                       /* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
                        * they aren't really payload, but signatures for payload, and cannot be validated on their
                        * own. After all they are the signatures, and have no signatures of their own validating
                        * them. */
                       DNS_TYPE_RRSIG);
}

bool dns_type_is_zone_transer(uint16_t type) {

        /* Zone transfers, either normal or incremental */

        return IN_SET(type,
                      DNS_TYPE_AXFR,
                      DNS_TYPE_IXFR);
}

bool dns_type_is_valid_rr(uint16_t type) {

        /* The types valid as RR in packets (but not necessarily
         * stored on servers). */

        return !IN_SET(type,
                       DNS_TYPE_ANY,
                       DNS_TYPE_AXFR,
                       DNS_TYPE_IXFR);
}

bool dns_class_is_valid_rr(uint16_t class) {
        return class != DNS_CLASS_ANY;
}

bool dns_type_may_redirect(uint16_t type) {
        /* The following record types should never be redirected using
         * CNAME/DNAME RRs. See
         * <https://tools.ietf.org/html/rfc4035#section-2.5>. */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_CNAME,
                       DNS_TYPE_DNAME,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_NSEC,
                       DNS_TYPE_RRSIG,
                       DNS_TYPE_NXT,
                       DNS_TYPE_SIG,
                       DNS_TYPE_KEY);
}

bool dns_type_may_wildcard(uint16_t type) {

        /* The following records may not be expanded from wildcard RRsets */

        if (dns_type_is_pseudo(type))
                return false;

        return !IN_SET(type,
                       DNS_TYPE_NSEC3,
                       DNS_TYPE_SOA,

                       /* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
                       DNS_TYPE_DNAME);
}

bool dns_type_apex_only(uint16_t type) {

        /* Returns true for all RR types that may only appear signed in a zone apex */

        return IN_SET(type,
                      DNS_TYPE_SOA,
                      DNS_TYPE_NS,            /* this one can appear elsewhere, too, but not signed */
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_dnssec(uint16_t type) {
        return IN_SET(type,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_RRSIG,
                      DNS_TYPE_NSEC,
                      DNS_TYPE_NSEC3,
                      DNS_TYPE_NSEC3PARAM);
}

bool dns_type_is_obsolete(uint16_t type) {
        return IN_SET(type,
                      /* Obsoleted by RFC 973 */
                      DNS_TYPE_MD,
                      DNS_TYPE_MF,
                      DNS_TYPE_MAILA,

                      /* Kinda obsoleted by RFC 2505 */
                      DNS_TYPE_MB,
                      DNS_TYPE_MG,
                      DNS_TYPE_MR,
                      DNS_TYPE_MINFO,
                      DNS_TYPE_MAILB,

                      /* RFC1127 kinda obsoleted this by recommending against its use */
                      DNS_TYPE_WKS,

                      /* Declared historical by RFC 6563 */
                      DNS_TYPE_A6,

                      /* Obsoleted by DNSSEC-bis */
                      DNS_TYPE_NXT,

                      /* RFC 1035 removed support for concepts that needed this from RFC 883 */
                      DNS_TYPE_NULL);
}

bool dns_type_needs_authentication(uint16_t type) {

        /* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
         * authenticated. I.e. everything that contains crypto keys. */

        return IN_SET(type,
                      DNS_TYPE_CERT,
                      DNS_TYPE_SSHFP,
                      DNS_TYPE_IPSECKEY,
                      DNS_TYPE_DS,
                      DNS_TYPE_DNSKEY,
                      DNS_TYPE_TLSA,
                      DNS_TYPE_CDNSKEY,
                      DNS_TYPE_OPENPGPKEY,
                      DNS_TYPE_CAA);
}

int dns_type_to_af(uint16_t t) {
        switch (t) {

        case DNS_TYPE_A:
                return AF_INET;

        case DNS_TYPE_AAAA:
                return AF_INET6;

        case DNS_TYPE_ANY:
                return AF_UNSPEC;

        default:
                return -EINVAL;
        }
}

const char *dns_class_to_string(uint16_t class) {

        switch (class) {

        case DNS_CLASS_IN:
                return "IN";

        case DNS_CLASS_ANY:
                return "ANY";
        }

        return NULL;
}

int dns_class_from_string(const char *s) {

        if (!s)
                return _DNS_CLASS_INVALID;

        if (strcaseeq(s, "IN"))
                return DNS_CLASS_IN;
        else if (strcaseeq(s, "ANY"))
                return DNS_CLASS_ANY;

        return _DNS_CLASS_INVALID;
}

const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {

        switch (cert_usage) {

        case 0:
                return "CA constraint";

        case 1:
                return "Service certificate constraint";

        case 2:
                return "Trust anchor assertion";

        case 3:
                return "Domain-issued certificate";

        case 4 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;  /* clang cannot count that we covered everything */
}

const char* tlsa_selector_to_string(uint8_t selector) {
        switch (selector) {

        case 0:
                return "Full Certificate";

        case 1:
                return "SubjectPublicKeyInfo";

        case 2 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}

const char* tlsa_matching_type_to_string(uint8_t selector) {

        switch (selector) {

        case 0:
                return "No hash used";

        case 1:
                return "SHA-256";

        case 2:
                return "SHA-512";

        case 3 ... 254:
                return "Unassigned";

        case 255:
                return "Private use";
        }

        return NULL;
}
Commit	Line	Data
a032b68d	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
663996b3	2
4c89c718	3	#include <sys/socket.h>
1d42b86d	4	#include <errno.h>
4c89c718	5
5eef597e	6	#include "dns-type.h"
4c89c718 MP	7	#include "parse-util.h"
4c89c718 MP	8	#include "string-util.h"
60f067b4	9
5eef597e MP	10	typedef const struct {
	11	uint16_t type;
	12	const char *name;
	13	} dns_type;
60f067b4	14
5eef597e	15	static const struct dns_type_name *
2897b343	16	lookup_dns_type (register const char *str, register GPERF_LEN_TYPE len);
663996b3	17
5eef597e MP	18	#include "dns_type-from-name.h"
5eef597e MP	19	#include "dns_type-to-name.h"
663996b3	20
5eef597e MP	21	int dns_type_from_string(const char *s) {
5eef597e MP	22	const struct dns_type_name *sc;
663996b3	23
5eef597e MP	24	assert(s);
	25
	26	sc = lookup_dns_type(s, strlen(s));
4c89c718 MP	27	if (sc)
	28	return sc->id;
	29
	30	s = startswith_no_case(s, "TYPE");
	31	if (s) {
	32	unsigned x;
	33
	34	if (safe_atou(s, &x) >= 0 &&
	35	x <= UINT16_MAX)
	36	return (int) x;
	37	}
	38
	39	return _DNS_TYPE_INVALID;
	40	}
	41
	42	bool dns_type_is_pseudo(uint16_t type) {
	43
	44	/* Checks whether the specified type is a "pseudo-type". What
	45	* a "pseudo-type" precisely is, is defined only very weakly,
	46	* but apparently entails all RR types that are not actually
	47	* stored as RRs on the server and should hence also not be
	48	* cached. We use this list primarily to validate NSEC type
	49	* bitfields, and to verify what to cache. */
	50
	51	return IN_SET(type,
	52	0, /* A Pseudo RR type, according to RFC 2931 */
	53	DNS_TYPE_ANY,
	54	DNS_TYPE_AXFR,
	55	DNS_TYPE_IXFR,
	56	DNS_TYPE_OPT,
	57	DNS_TYPE_TSIG,
	58	DNS_TYPE_TKEY
	59	);
	60	}
	61
	62	bool dns_class_is_pseudo(uint16_t class) {
8f232108	63	return class == DNS_CLASS_ANY;
4c89c718 MP	64	}
	65
	66	bool dns_type_is_valid_query(uint16_t type) {
	67
	68	/* The types valid as questions in packets */
5eef597e	69
4c89c718 MP	70	return !IN_SET(type,
	71	0,
	72	DNS_TYPE_OPT,
	73	DNS_TYPE_TSIG,
	74	DNS_TYPE_TKEY,
	75
	76	/* RRSIG are technically valid as questions, but we refuse doing explicit queries for them, as
	77	* they aren't really payload, but signatures for payload, and cannot be validated on their
	78	* own. After all they are the signatures, and have no signatures of their own validating
	79	* them. */
	80	DNS_TYPE_RRSIG);
60f067b4	81	}
7035cd9e	82
5a920b42 MP	83	bool dns_type_is_zone_transer(uint16_t type) {
	84
	85	/* Zone transfers, either normal or incremental */
	86
	87	return IN_SET(type,
	88	DNS_TYPE_AXFR,
	89	DNS_TYPE_IXFR);
	90	}
	91
4c89c718 MP	92	bool dns_type_is_valid_rr(uint16_t type) {
	93
	94	/* The types valid as RR in packets (but not necessarily
	95	* stored on servers). */
	96
	97	return !IN_SET(type,
	98	DNS_TYPE_ANY,
	99	DNS_TYPE_AXFR,
	100	DNS_TYPE_IXFR);
	101	}
	102
	103	bool dns_class_is_valid_rr(uint16_t class) {
	104	return class != DNS_CLASS_ANY;
	105	}
	106
	107	bool dns_type_may_redirect(uint16_t type) {
	108	/* The following record types should never be redirected using
	109	* CNAME/DNAME RRs. See
	110	* <https://tools.ietf.org/html/rfc4035#section-2.5>. */
	111
	112	if (dns_type_is_pseudo(type))
	113	return false;
	114
	115	return !IN_SET(type,
	116	DNS_TYPE_CNAME,
	117	DNS_TYPE_DNAME,
	118	DNS_TYPE_NSEC3,
	119	DNS_TYPE_NSEC,
	120	DNS_TYPE_RRSIG,
	121	DNS_TYPE_NXT,
	122	DNS_TYPE_SIG,
	123	DNS_TYPE_KEY);
	124	}
	125
	126	bool dns_type_may_wildcard(uint16_t type) {
	127
	128	/* The following records may not be expanded from wildcard RRsets */
	129
	130	if (dns_type_is_pseudo(type))
	131	return false;
	132
	133	return !IN_SET(type,
	134	DNS_TYPE_NSEC3,
	135	DNS_TYPE_SOA,
	136
	137	/* Prohibited by https://tools.ietf.org/html/rfc4592#section-4.4 */
	138	DNS_TYPE_DNAME);
	139	}
	140
	141	bool dns_type_apex_only(uint16_t type) {
	142
	143	/* Returns true for all RR types that may only appear signed in a zone apex */
	144
	145	return IN_SET(type,
	146	DNS_TYPE_SOA,
	147	DNS_TYPE_NS, /* this one can appear elsewhere, too, but not signed */
	148	DNS_TYPE_DNSKEY,
	149	DNS_TYPE_NSEC3PARAM);
	150	}
	151
	152	bool dns_type_is_dnssec(uint16_t type) {
	153	return IN_SET(type,
	154	DNS_TYPE_DS,
	155	DNS_TYPE_DNSKEY,
156	DNS_TYPE_RRSIG,
157	DNS_TYPE_NSEC,
158	DNS_TYPE_NSEC3,
159	DNS_TYPE_NSEC3PARAM);
160	}
161
162	bool dns_type_is_obsolete(uint16_t type) {
163	return IN_SET(type,
164	/* Obsoleted by RFC 973 */
165	DNS_TYPE_MD,
166	DNS_TYPE_MF,
167	DNS_TYPE_MAILA,
168
169	/* Kinda obsoleted by RFC 2505 */
170	DNS_TYPE_MB,
171	DNS_TYPE_MG,
172	DNS_TYPE_MR,
173	DNS_TYPE_MINFO,
174	DNS_TYPE_MAILB,
175
176	/* RFC1127 kinda obsoleted this by recommending against its use */
177	DNS_TYPE_WKS,
178
179	/* Declared historical by RFC 6563 */
180	DNS_TYPE_A6,
181
182	/* Obsoleted by DNSSEC-bis */
183	DNS_TYPE_NXT,
184
185	/* RFC 1035 removed support for concepts that needed this from RFC 883 */
186	DNS_TYPE_NULL);
187	}
188
aa27b158 MP	189	bool dns_type_needs_authentication(uint16_t type) {
	190
	191	/* Returns true for all (non-obsolete) RR types where records are not useful if they aren't
	192	* authenticated. I.e. everything that contains crypto keys. */
	193
	194	return IN_SET(type,
	195	DNS_TYPE_CERT,
	196	DNS_TYPE_SSHFP,
	197	DNS_TYPE_IPSECKEY,
	198	DNS_TYPE_DS,
	199	DNS_TYPE_DNSKEY,
	200	DNS_TYPE_TLSA,
	201	DNS_TYPE_CDNSKEY,
	202	DNS_TYPE_OPENPGPKEY,
	203	DNS_TYPE_CAA);
	204	}
	205
4c89c718 MP	206	int dns_type_to_af(uint16_t t) {
	207	switch (t) {
	208
	209	case DNS_TYPE_A:
	210	return AF_INET;
	211
	212	case DNS_TYPE_AAAA:
	213	return AF_INET6;
	214
	215	case DNS_TYPE_ANY:
	216	return AF_UNSPEC;
	217
	218	default:
	219	return -EINVAL;
	220	}
	221	}
	222
	223	const char *dns_class_to_string(uint16_t class) {
	224
	225	switch (class) {
	226
	227	case DNS_CLASS_IN:
	228	return "IN";
	229
	230	case DNS_CLASS_ANY:
	231	return "ANY";
	232	}
	233
	234	return NULL;
	235	}
	236
	237	int dns_class_from_string(const char *s) {
	238
	239	if (!s)
	240	return _DNS_CLASS_INVALID;
	241
	242	if (strcaseeq(s, "IN"))
	243	return DNS_CLASS_IN;
	244	else if (strcaseeq(s, "ANY"))
	245	return DNS_CLASS_ANY;
	246
	247	return _DNS_CLASS_INVALID;
	248	}
	249
	250	const char* tlsa_cert_usage_to_string(uint8_t cert_usage) {
	251
	252	switch (cert_usage) {
	253
	254	case 0:
	255	return "CA constraint";
	256
	257	case 1:
	258	return "Service certificate constraint";
	259
	260	case 2:
	261	return "Trust anchor assertion";
	262
	263	case 3:
	264	return "Domain-issued certificate";
	265
	266	case 4 ... 254:
	267	return "Unassigned";
	268
	269	case 255:
270	return "Private use";
271	}
272
273	return NULL; /* clang cannot count that we covered everything */
274	}
275
276	const char* tlsa_selector_to_string(uint8_t selector) {
277	switch (selector) {
278
279	case 0:
280	return "Full Certificate";
281
282	case 1:
283	return "SubjectPublicKeyInfo";
284
285	case 2 ... 254:
286	return "Unassigned";
287
288	case 255:
289	return "Private use";
290	}
291
292	return NULL;
293	}
294
295	const char* tlsa_matching_type_to_string(uint8_t selector) {
296
297	switch (selector) {
298
299	case 0:
300	return "No hash used";
301
302	case 1:
303	return "SHA-256";
304
305	case 2:
306	return "SHA-512";
307
308	case 3 ... 254:
309	return "Unassigned";
310
311	case 255:
312	return "Private use";
313	}
314
315	return NULL;
7035cd9e	316	}