]> git.proxmox.com Git - systemd.git/blob - src/resolve/resolved-dns-cache.c
projects / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Imported Upstream version 229
[systemd.git] / src / resolve / resolved-dns-cache.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2014 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 #include "alloc-util.h"
21 #include "dns-domain.h"
22 #include "resolved-dns-answer.h"
23 #include "resolved-dns-cache.h"
24 #include "resolved-dns-packet.h"
25 #include "string-util.h"
26
27 /* Never cache more than 4K entries. RFC 1536, Section 5 suggests to
28 * leave DNS caches unbounded, but that's crazy. */
29 #define CACHE_MAX 4096
30
31 /* We never keep any item longer than 2h in our cache */
32 #define CACHE_TTL_MAX_USEC (2 * USEC_PER_HOUR)
33
34 typedef enum DnsCacheItemType DnsCacheItemType;
35 typedef struct DnsCacheItem DnsCacheItem;
36
37 enum DnsCacheItemType {
38 DNS_CACHE_POSITIVE,
39 DNS_CACHE_NODATA,
40 DNS_CACHE_NXDOMAIN,
41 };
42
43 struct DnsCacheItem {
44 DnsCacheItemType type;
45 DnsResourceKey *key;
46 DnsResourceRecord *rr;
47
48 usec_t until;
49 bool authenticated:1;
50 bool shared_owner:1;
51
52 int ifindex;
53 int owner_family;
54 union in_addr_union owner_address;
55
56 unsigned prioq_idx;
57 LIST_FIELDS(DnsCacheItem, by_key);
58 };
59
60 static void dns_cache_item_free(DnsCacheItem *i) {
61 if (!i)
62 return;
63
64 dns_resource_record_unref(i->rr);
65 dns_resource_key_unref(i->key);
66 free(i);
67 }
68
69 DEFINE_TRIVIAL_CLEANUP_FUNC(DnsCacheItem*, dns_cache_item_free);
70
71 static void dns_cache_item_unlink_and_free(DnsCache *c, DnsCacheItem *i) {
72 DnsCacheItem *first;
73
74 assert(c);
75
76 if (!i)
77 return;
78
79 first = hashmap_get(c->by_key, i->key);
80 LIST_REMOVE(by_key, first, i);
81
82 if (first)
83 assert_se(hashmap_replace(c->by_key, first->key, first) >= 0);
84 else
85 hashmap_remove(c->by_key, i->key);
86
87 prioq_remove(c->by_expiry, i, &i->prioq_idx);
88
89 dns_cache_item_free(i);
90 }
91
92 static bool dns_cache_remove_by_rr(DnsCache *c, DnsResourceRecord *rr) {
93 DnsCacheItem *first, *i;
94 int r;
95
96 first = hashmap_get(c->by_key, rr->key);
97 LIST_FOREACH(by_key, i, first) {
98 r = dns_resource_record_equal(i->rr, rr);
99 if (r < 0)
100 return r;
101 if (r > 0) {
102 dns_cache_item_unlink_and_free(c, i);
103 return true;
104 }
105 }
106
107 return false;
108 }
109
110 static bool dns_cache_remove_by_key(DnsCache *c, DnsResourceKey *key) {
111 DnsCacheItem *first, *i, *n;
112
113 assert(c);
114 assert(key);
115
116 first = hashmap_remove(c->by_key, key);
117 if (!first)
118 return false;
119
120 LIST_FOREACH_SAFE(by_key, i, n, first) {
121 prioq_remove(c->by_expiry, i, &i->prioq_idx);
122 dns_cache_item_free(i);
123 }
124
125 return true;
126 }
127
128 void dns_cache_flush(DnsCache *c) {
129 DnsResourceKey *key;
130
131 assert(c);
132
133 while ((key = hashmap_first_key(c->by_key)))
134 dns_cache_remove_by_key(c, key);
135
136 assert(hashmap_size(c->by_key) == 0);
137 assert(prioq_size(c->by_expiry) == 0);
138
139 c->by_key = hashmap_free(c->by_key);
140 c->by_expiry = prioq_free(c->by_expiry);
141 }
142
143 static void dns_cache_make_space(DnsCache *c, unsigned add) {
144 assert(c);
145
146 if (add <= 0)
147 return;
148
149 /* Makes space for n new entries. Note that we actually allow
150 * the cache to grow beyond CACHE_MAX, but only when we shall
151 * add more RRs to the cache than CACHE_MAX at once. In that
152 * case the cache will be emptied completely otherwise. */
153
154 for (;;) {
155 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
156 DnsCacheItem *i;
157
158 if (prioq_size(c->by_expiry) <= 0)
159 break;
160
161 if (prioq_size(c->by_expiry) + add < CACHE_MAX)
162 break;
163
164 i = prioq_peek(c->by_expiry);
165 assert(i);
166
167 /* Take an extra reference to the key so that it
168 * doesn't go away in the middle of the remove call */
169 key = dns_resource_key_ref(i->key);
170 dns_cache_remove_by_key(c, key);
171 }
172 }
173
174 void dns_cache_prune(DnsCache *c) {
175 usec_t t = 0;
176
177 assert(c);
178
179 /* Remove all entries that are past their TTL */
180
181 for (;;) {
182 DnsCacheItem *i;
183
184 i = prioq_peek(c->by_expiry);
185 if (!i)
186 break;
187
188 if (t <= 0)
189 t = now(clock_boottime_or_monotonic());
190
191 if (i->until > t)
192 break;
193
194 /* Depending whether this is an mDNS shared entry
195 * either remove only this one RR or the whole
196 * RRset */
197 if (i->shared_owner)
198 dns_cache_item_unlink_and_free(c, i);
199 else {
200 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
201
202 /* Take an extra reference to the key so that it
203 * doesn't go away in the middle of the remove call */
204 key = dns_resource_key_ref(i->key);
205 dns_cache_remove_by_key(c, key);
206 }
207 }
208 }
209
210 static int dns_cache_item_prioq_compare_func(const void *a, const void *b) {
211 const DnsCacheItem *x = a, *y = b;
212
213 if (x->until < y->until)
214 return -1;
215 if (x->until > y->until)
216 return 1;
217 return 0;
218 }
219
220 static int dns_cache_init(DnsCache *c) {
221 int r;
222
223 assert(c);
224
225 r = prioq_ensure_allocated(&c->by_expiry, dns_cache_item_prioq_compare_func);
226 if (r < 0)
227 return r;
228
229 r = hashmap_ensure_allocated(&c->by_key, &dns_resource_key_hash_ops);
230 if (r < 0)
231 return r;
232
233 return r;
234 }
235
236 static int dns_cache_link_item(DnsCache *c, DnsCacheItem *i) {
237 DnsCacheItem *first;
238 int r;
239
240 assert(c);
241 assert(i);
242
243 r = prioq_put(c->by_expiry, i, &i->prioq_idx);
244 if (r < 0)
245 return r;
246
247 first = hashmap_get(c->by_key, i->key);
248 if (first) {
249 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *k = NULL;
250
251 /* Keep a reference to the original key, while we manipulate the list. */
252 k = dns_resource_key_ref(first->key);
253
254 /* Now, try to reduce the number of keys we keep */
255 dns_resource_key_reduce(&first->key, &i->key);
256
257 if (first->rr)
258 dns_resource_key_reduce(&first->rr->key, &i->key);
259 if (i->rr)
260 dns_resource_key_reduce(&i->rr->key, &i->key);
261
262 LIST_PREPEND(by_key, first, i);
263 assert_se(hashmap_replace(c->by_key, first->key, first) >= 0);
264 } else {
265 r = hashmap_put(c->by_key, i->key, i);
266 if (r < 0) {
267 prioq_remove(c->by_expiry, i, &i->prioq_idx);
268 return r;
269 }
270 }
271
272 return 0;
273 }
274
275 static DnsCacheItem* dns_cache_get(DnsCache *c, DnsResourceRecord *rr) {
276 DnsCacheItem *i;
277
278 assert(c);
279 assert(rr);
280
281 LIST_FOREACH(by_key, i, hashmap_get(c->by_key, rr->key))
282 if (i->rr && dns_resource_record_equal(i->rr, rr) > 0)
283 return i;
284
285 return NULL;
286 }
287
288 static usec_t calculate_until(DnsResourceRecord *rr, uint32_t nsec_ttl, usec_t timestamp, bool use_soa_minimum) {
289 uint32_t ttl;
290 usec_t u;
291
292 assert(rr);
293
294 ttl = MIN(rr->ttl, nsec_ttl);
295 if (rr->key->type == DNS_TYPE_SOA && use_soa_minimum) {
296 /* If this is a SOA RR, and it is requested, clamp to
297 * the SOA's minimum field. This is used when we do
298 * negative caching, to determine the TTL for the
299 * negative caching entry. See RFC 2308, Section
300 * 5. */
301
302 if (ttl > rr->soa.minimum)
303 ttl = rr->soa.minimum;
304 }
305
306 u = ttl * USEC_PER_SEC;
307 if (u > CACHE_TTL_MAX_USEC)
308 u = CACHE_TTL_MAX_USEC;
309
310 if (rr->expiry != USEC_INFINITY) {
311 usec_t left;
312
313 /* Make use of the DNSSEC RRSIG expiry info, if we
314 * have it */
315
316 left = LESS_BY(rr->expiry, now(CLOCK_REALTIME));
317 if (u > left)
318 u = left;
319 }
320
321 return timestamp + u;
322 }
323
324 static void dns_cache_item_update_positive(
325 DnsCache *c,
326 DnsCacheItem *i,
327 DnsResourceRecord *rr,
328 bool authenticated,
329 bool shared_owner,
330 usec_t timestamp,
331 int ifindex,
332 int owner_family,
333 const union in_addr_union *owner_address) {
334
335 assert(c);
336 assert(i);
337 assert(rr);
338 assert(owner_address);
339
340 i->type = DNS_CACHE_POSITIVE;
341
342 if (!i->by_key_prev)
343 /* We are the first item in the list, we need to
344 * update the key used in the hashmap */
345
346 assert_se(hashmap_replace(c->by_key, rr->key, i) >= 0);
347
348 dns_resource_record_ref(rr);
349 dns_resource_record_unref(i->rr);
350 i->rr = rr;
351
352 dns_resource_key_unref(i->key);
353 i->key = dns_resource_key_ref(rr->key);
354
355 i->until = calculate_until(rr, (uint32_t) -1, timestamp, false);
356 i->authenticated = authenticated;
357 i->shared_owner = shared_owner;
358
359 i->ifindex = ifindex;
360
361 i->owner_family = owner_family;
362 i->owner_address = *owner_address;
363
364 prioq_reshuffle(c->by_expiry, i, &i->prioq_idx);
365 }
366
367 static int dns_cache_put_positive(
368 DnsCache *c,
369 DnsResourceRecord *rr,
370 bool authenticated,
371 bool shared_owner,
372 usec_t timestamp,
373 int ifindex,
374 int owner_family,
375 const union in_addr_union *owner_address) {
376
377 _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL;
378 _cleanup_free_ char *key_str = NULL;
379 DnsCacheItem *existing;
380 int r, k;
381
382 assert(c);
383 assert(rr);
384 assert(owner_address);
385
386 /* Never cache pseudo RRs */
387 if (dns_class_is_pseudo(rr->key->class))
388 return 0;
389 if (dns_type_is_pseudo(rr->key->type))
390 return 0;
391
392 /* New TTL is 0? Delete this specific entry... */
393 if (rr->ttl <= 0) {
394 k = dns_cache_remove_by_rr(c, rr);
395
396 if (log_get_max_level() >= LOG_DEBUG) {
397 r = dns_resource_key_to_string(rr->key, &key_str);
398 if (r < 0)
399 return r;
400
401 if (k > 0)
402 log_debug("Removed zero TTL entry from cache: %s", key_str);
403 else
404 log_debug("Not caching zero TTL cache entry: %s", key_str);
405 }
406
407 return 0;
408 }
409
410 /* Entry exists already? Update TTL, timestamp and owner*/
411 existing = dns_cache_get(c, rr);
412 if (existing) {
413 dns_cache_item_update_positive(
414 c,
415 existing,
416 rr,
417 authenticated,
418 shared_owner,
419 timestamp,
420 ifindex,
421 owner_family,
422 owner_address);
423 return 0;
424 }
425
426 /* Otherwise, add the new RR */
427 r = dns_cache_init(c);
428 if (r < 0)
429 return r;
430
431 dns_cache_make_space(c, 1);
432
433 i = new0(DnsCacheItem, 1);
434 if (!i)
435 return -ENOMEM;
436
437 i->type = DNS_CACHE_POSITIVE;
438 i->key = dns_resource_key_ref(rr->key);
439 i->rr = dns_resource_record_ref(rr);
440 i->until = calculate_until(rr, (uint32_t) -1, timestamp, false);
441 i->authenticated = authenticated;
442 i->shared_owner = shared_owner;
443 i->ifindex = ifindex;
444 i->owner_family = owner_family;
445 i->owner_address = *owner_address;
446 i->prioq_idx = PRIOQ_IDX_NULL;
447
448 r = dns_cache_link_item(c, i);
449 if (r < 0)
450 return r;
451
452 if (log_get_max_level() >= LOG_DEBUG) {
453 r = dns_resource_key_to_string(i->key, &key_str);
454 if (r < 0)
455 return r;
456
457 log_debug("Added positive cache entry for %s", key_str);
458 }
459
460 i = NULL;
461 return 0;
462 }
463
464 static int dns_cache_put_negative(
465 DnsCache *c,
466 DnsResourceKey *key,
467 int rcode,
468 bool authenticated,
469 uint32_t nsec_ttl,
470 usec_t timestamp,
471 DnsResourceRecord *soa,
472 int owner_family,
473 const union in_addr_union *owner_address) {
474
475 _cleanup_(dns_cache_item_freep) DnsCacheItem *i = NULL;
476 _cleanup_free_ char *key_str = NULL;
477 int r;
478
479 assert(c);
480 assert(key);
481 assert(soa);
482 assert(owner_address);
483
484 /* Never cache pseudo RR keys. DNS_TYPE_ANY is particularly
485 * important to filter out as we use this as a pseudo-type for
486 * NXDOMAIN entries */
487 if (dns_class_is_pseudo(key->class))
488 return 0;
489 if (dns_type_is_pseudo(key->type))
490 return 0;
491
492 if (nsec_ttl <= 0 || soa->soa.minimum <= 0 || soa->ttl <= 0) {
493 if (log_get_max_level() >= LOG_DEBUG) {
494 r = dns_resource_key_to_string(key, &key_str);
495 if (r < 0)
496 return r;
497
498 log_debug("Not caching negative entry with zero SOA/NSEC/NSEC3 TTL: %s", key_str);
499 }
500
501 return 0;
502 }
503
504 if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
505 return 0;
506
507 r = dns_cache_init(c);
508 if (r < 0)
509 return r;
510
511 dns_cache_make_space(c, 1);
512
513 i = new0(DnsCacheItem, 1);
514 if (!i)
515 return -ENOMEM;
516
517 i->type = rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA : DNS_CACHE_NXDOMAIN;
518 i->until = calculate_until(soa, nsec_ttl, timestamp, true);
519 i->authenticated = authenticated;
520 i->owner_family = owner_family;
521 i->owner_address = *owner_address;
522 i->prioq_idx = PRIOQ_IDX_NULL;
523
524 if (i->type == DNS_CACHE_NXDOMAIN) {
525 /* NXDOMAIN entries should apply equally to all types, so we use ANY as
526 * a pseudo type for this purpose here. */
527 i->key = dns_resource_key_new(key->class, DNS_TYPE_ANY, DNS_RESOURCE_KEY_NAME(key));
528 if (!i->key)
529 return -ENOMEM;
530
531 /* Make sure to remove any previous entry for this
532 * specific ANY key. (For non-ANY keys the cache data
533 * is already cleared by the caller.) Note that we
534 * don't bother removing positive or NODATA cache
535 * items in this case, because it would either be slow
536 * or require explicit indexing by name */
537 dns_cache_remove_by_key(c, key);
538 } else
539 i->key = dns_resource_key_ref(key);
540
541 r = dns_cache_link_item(c, i);
542 if (r < 0)
543 return r;
544
545 if (log_get_max_level() >= LOG_DEBUG) {
546 r = dns_resource_key_to_string(i->key, &key_str);
547 if (r < 0)
548 return r;
549
550 log_debug("Added %s cache entry for %s", i->type == DNS_CACHE_NODATA ? "NODATA" : "NXDOMAIN", key_str);
551 }
552
553 i = NULL;
554 return 0;
555 }
556
557 static void dns_cache_remove_previous(
558 DnsCache *c,
559 DnsResourceKey *key,
560 DnsAnswer *answer) {
561
562 DnsResourceRecord *rr;
563 DnsAnswerFlags flags;
564
565 assert(c);
566
567 /* First, if we were passed a key (i.e. on LLMNR/DNS, but
568 * not on mDNS), delete all matching old RRs, so that we only
569 * keep complete by_key in place. */
570 if (key)
571 dns_cache_remove_by_key(c, key);
572
573 /* Second, flush all entries matching the answer, unless this
574 * is an RR that is explicitly marked to be "shared" between
575 * peers (i.e. mDNS RRs without the flush-cache bit set). */
576 DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) {
577 if ((flags & DNS_ANSWER_CACHEABLE) == 0)
578 continue;
579
580 if (flags & DNS_ANSWER_SHARED_OWNER)
581 continue;
582
583 dns_cache_remove_by_key(c, rr->key);
584 }
585 }
586
587 static bool rr_eligible(DnsResourceRecord *rr) {
588 assert(rr);
589
590 /* When we see an NSEC/NSEC3 RR, we'll only cache it if it is from the lower zone, not the upper zone, since
591 * that's where the interesting bits are (with exception of DS RRs). Of course, this way we cannot derive DS
592 * existence from any cached NSEC/NSEC3, but that should be fine. */
593
594 switch (rr->key->type) {
595
596 case DNS_TYPE_NSEC:
597 return !bitmap_isset(rr->nsec.types, DNS_TYPE_NS) ||
598 bitmap_isset(rr->nsec.types, DNS_TYPE_SOA);
599
600 case DNS_TYPE_NSEC3:
601 return !bitmap_isset(rr->nsec3.types, DNS_TYPE_NS) ||
602 bitmap_isset(rr->nsec3.types, DNS_TYPE_SOA);
603
604 default:
605 return true;
606 }
607 }
608
609 int dns_cache_put(
610 DnsCache *c,
611 DnsResourceKey *key,
612 int rcode,
613 DnsAnswer *answer,
614 bool authenticated,
615 uint32_t nsec_ttl,
616 usec_t timestamp,
617 int owner_family,
618 const union in_addr_union *owner_address) {
619
620 DnsResourceRecord *soa = NULL, *rr;
621 DnsAnswerFlags flags;
622 unsigned cache_keys;
623 int r, ifindex;
624
625 assert(c);
626 assert(owner_address);
627
628 dns_cache_remove_previous(c, key, answer);
629
630 if (dns_answer_size(answer) <= 0) {
631 if (log_get_max_level() >= LOG_DEBUG) {
632 _cleanup_free_ char *key_str = NULL;
633
634 r = dns_resource_key_to_string(key, &key_str);
635 if (r < 0)
636 return r;
637
638 log_debug("Not caching negative entry without a SOA record: %s", key_str);
639 }
640
641 return 0;
642 }
643
644 /* We only care for positive replies and NXDOMAINs, on all
645 * other replies we will simply flush the respective entries,
646 * and that's it */
647 if (!IN_SET(rcode, DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN))
648 return 0;
649
650 cache_keys = dns_answer_size(answer);
651 if (key)
652 cache_keys ++;
653
654 /* Make some space for our new entries */
655 dns_cache_make_space(c, cache_keys);
656
657 if (timestamp <= 0)
658 timestamp = now(clock_boottime_or_monotonic());
659
660 /* Second, add in positive entries for all contained RRs */
661 DNS_ANSWER_FOREACH_FULL(rr, ifindex, flags, answer) {
662 if ((flags & DNS_ANSWER_CACHEABLE) == 0)
663 continue;
664
665 r = rr_eligible(rr);
666 if (r < 0)
667 return r;
668 if (r == 0)
669 continue;
670
671 r = dns_cache_put_positive(
672 c,
673 rr,
674 flags & DNS_ANSWER_AUTHENTICATED,
675 flags & DNS_ANSWER_SHARED_OWNER,
676 timestamp,
677 ifindex,
678 owner_family, owner_address);
679 if (r < 0)
680 goto fail;
681 }
682
683 if (!key) /* mDNS doesn't know negative caching, really */
684 return 0;
685
686 /* Third, add in negative entries if the key has no RR */
687 r = dns_answer_match_key(answer, key, NULL);
688 if (r < 0)
689 goto fail;
690 if (r > 0)
691 return 0;
692
693 /* But not if it has a matching CNAME/DNAME (the negative
694 * caching will be done on the canonical name, not on the
695 * alias) */
696 r = dns_answer_find_cname_or_dname(answer, key, NULL, NULL);
697 if (r < 0)
698 goto fail;
699 if (r > 0)
700 return 0;
701
702 /* See https://tools.ietf.org/html/rfc2308, which say that a
703 * matching SOA record in the packet is used to to enable
704 * negative caching. */
705 r = dns_answer_find_soa(answer, key, &soa, &flags);
706 if (r < 0)
707 goto fail;
708 if (r == 0)
709 return 0;
710
711 /* Refuse using the SOA data if it is unsigned, but the key is
712 * signed */
713 if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0)
714 return 0;
715
716 r = dns_cache_put_negative(
717 c,
718 key,
719 rcode,
720 authenticated,
721 nsec_ttl,
722 timestamp,
723 soa,
724 owner_family, owner_address);
725 if (r < 0)
726 goto fail;
727
728 return 0;
729
730 fail:
731 /* Adding all RRs failed. Let's clean up what we already
732 * added, just in case */
733
734 if (key)
735 dns_cache_remove_by_key(c, key);
736
737 DNS_ANSWER_FOREACH_FLAGS(rr, flags, answer) {
738 if ((flags & DNS_ANSWER_CACHEABLE) == 0)
739 continue;
740
741 dns_cache_remove_by_key(c, rr->key);
742 }
743
744 return r;
745 }
746
747 static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, DnsResourceKey *k) {
748 DnsCacheItem *i;
749 const char *n;
750 int r;
751
752 assert(c);
753 assert(k);
754
755 /* If we hit some OOM error, or suchlike, we don't care too
756 * much, after all this is just a cache */
757
758 i = hashmap_get(c->by_key, k);
759 if (i)
760 return i;
761
762 n = DNS_RESOURCE_KEY_NAME(k);
763
764 /* Check if we have an NXDOMAIN cache item for the name, notice that we use
765 * the pseudo-type ANY for NXDOMAIN cache items. */
766 i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_ANY, n));
767 if (i && i->type == DNS_CACHE_NXDOMAIN)
768 return i;
769
770 if (dns_type_may_redirect(k->type)) {
771 /* Check if we have a CNAME record instead */
772 i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_CNAME, n));
773 if (i)
774 return i;
775
776 /* OK, let's look for cached DNAME records. */
777 for (;;) {
778 if (isempty(n))
779 return NULL;
780
781 i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_DNAME, n));
782 if (i)
783 return i;
784
785 /* Jump one label ahead */
786 r = dns_name_parent(&n);
787 if (r <= 0)
788 return NULL;
789 }
790 }
791
792 if (k->type != DNS_TYPE_NSEC) {
793 /* Check if we have an NSEC record instead for the name. */
794 i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_NSEC, n));
795 if (i)
796 return i;
797 }
798
799 return NULL;
800 }
801
802 int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **ret, bool *authenticated) {
803 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
804 unsigned n = 0;
805 int r;
806 bool nxdomain = false;
807 _cleanup_free_ char *key_str = NULL;
808 DnsCacheItem *j, *first, *nsec = NULL;
809 bool have_authenticated = false, have_non_authenticated = false;
810
811 assert(c);
812 assert(key);
813 assert(rcode);
814 assert(ret);
815 assert(authenticated);
816
817 if (key->type == DNS_TYPE_ANY ||
818 key->class == DNS_CLASS_ANY) {
819
820 /* If we have ANY lookups we don't use the cache, so
821 * that the caller refreshes via the network. */
822
823 if (log_get_max_level() >= LOG_DEBUG) {
824 r = dns_resource_key_to_string(key, &key_str);
825 if (r < 0)
826 return r;
827
828 log_debug("Ignoring cache for ANY lookup: %s", key_str);
829 }
830
831 c->n_miss++;
832
833 *ret = NULL;
834 *rcode = DNS_RCODE_SUCCESS;
835 return 0;
836 }
837
838 first = dns_cache_get_by_key_follow_cname_dname_nsec(c, key);
839 if (!first) {
840 /* If one question cannot be answered we need to refresh */
841
842 if (log_get_max_level() >= LOG_DEBUG) {
843 r = dns_resource_key_to_string(key, &key_str);
844 if (r < 0)
845 return r;
846
847 log_debug("Cache miss for %s", key_str);
848 }
849
850 c->n_miss++;
851
852 *ret = NULL;
853 *rcode = DNS_RCODE_SUCCESS;
854 return 0;
855 }
856
857 LIST_FOREACH(by_key, j, first) {
858 if (j->rr) {
859 if (j->rr->key->type == DNS_TYPE_NSEC)
860 nsec = j;
861
862 n++;
863 } else if (j->type == DNS_CACHE_NXDOMAIN)
864 nxdomain = true;
865
866 if (j->authenticated)
867 have_authenticated = true;
868 else
869 have_non_authenticated = true;
870 }
871
872 if (nsec && !IN_SET(key->type, DNS_TYPE_NSEC, DNS_TYPE_DS)) {
873 /* Note that we won't derive information for DS RRs from an NSEC, because we only cache NSEC RRs from
874 * the lower-zone of a zone cut, but the DS RRs are on the upper zone. */
875
876 if (log_get_max_level() >= LOG_DEBUG) {
877 r = dns_resource_key_to_string(key, &key_str);
878 if (r < 0)
879 return r;
880
881 log_debug("NSEC NODATA cache hit for %s", key_str);
882 }
883
884 /* We only found an NSEC record that matches our name.
885 * If it says the type doesn't exist report
886 * NODATA. Otherwise report a cache miss. */
887
888 *ret = NULL;
889 *rcode = DNS_RCODE_SUCCESS;
890 *authenticated = nsec->authenticated;
891
892 if (!bitmap_isset(nsec->rr->nsec.types, key->type) &&
893 !bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_CNAME) &&
894 !bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_DNAME)) {
895 c->n_hit++;
896 return 1;
897 }
898
899 c->n_miss++;
900 return 0;
901 }
902
903 if (log_get_max_level() >= LOG_DEBUG) {
904 r = dns_resource_key_to_string(key, &key_str);
905 if (r < 0)
906 return r;
907
908 log_debug("%s cache hit for %s",
909 n > 0 ? "Positive" :
910 nxdomain ? "NXDOMAIN" : "NODATA",
911 key_str);
912 }
913
914 if (n <= 0) {
915 c->n_hit++;
916
917 *ret = NULL;
918 *rcode = nxdomain ? DNS_RCODE_NXDOMAIN : DNS_RCODE_SUCCESS;
919 *authenticated = have_authenticated && !have_non_authenticated;
920 return 1;
921 }
922
923 answer = dns_answer_new(n);
924 if (!answer)
925 return -ENOMEM;
926
927 LIST_FOREACH(by_key, j, first) {
928 if (!j->rr)
929 continue;
930
931 r = dns_answer_add(answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0);
932 if (r < 0)
933 return r;
934 }
935
936 c->n_hit++;
937
938 *ret = answer;
939 *rcode = DNS_RCODE_SUCCESS;
940 *authenticated = have_authenticated && !have_non_authenticated;
941 answer = NULL;
942
943 return n;
944 }
945
946 int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address) {
947 DnsCacheItem *i, *first;
948 bool same_owner = true;
949
950 assert(cache);
951 assert(rr);
952
953 dns_cache_prune(cache);
954
955 /* See if there's a cache entry for the same key. If there
956 * isn't there's no conflict */
957 first = hashmap_get(cache->by_key, rr->key);
958 if (!first)
959 return 0;
960
961 /* See if the RR key is owned by the same owner, if so, there
962 * isn't a conflict either */
963 LIST_FOREACH(by_key, i, first) {
964 if (i->owner_family != owner_family ||
965 !in_addr_equal(owner_family, &i->owner_address, owner_address)) {
966 same_owner = false;
967 break;
968 }
969 }
970 if (same_owner)
971 return 0;
972
973 /* See if there's the exact same RR in the cache. If yes, then
974 * there's no conflict. */
975 if (dns_cache_get(cache, rr))
976 return 0;
977
978 /* There's a conflict */
979 return 1;
980 }
981
982 int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p) {
983 unsigned ancount = 0;
984 Iterator iterator;
985 DnsCacheItem *i;
986 int r;
987
988 assert(cache);
989 assert(p);
990
991 HASHMAP_FOREACH(i, cache->by_key, iterator) {
992 DnsCacheItem *j;
993
994 LIST_FOREACH(by_key, j, i) {
995 if (!j->rr)
996 continue;
997
998 if (!j->shared_owner)
999 continue;
1000
1001 r = dns_packet_append_rr(p, j->rr, NULL, NULL);
1002 if (r == -EMSGSIZE && p->protocol == DNS_PROTOCOL_MDNS) {
1003 /* For mDNS, if we're unable to stuff all known answers into the given packet,
1004 * allocate a new one, push the RR into that one and link it to the current one.
1005 */
1006
1007 DNS_PACKET_HEADER(p)->ancount = htobe16(ancount);
1008 ancount = 0;
1009
1010 r = dns_packet_new_query(&p->more, p->protocol, 0, true);
1011 if (r < 0)
1012 return r;
1013
1014 /* continue with new packet */
1015 p = p->more;
1016 r = dns_packet_append_rr(p, j->rr, NULL, NULL);
1017 }
1018
1019 if (r < 0)
1020 return r;
1021
1022 ancount ++;
1023 }
1024 }
1025
1026 DNS_PACKET_HEADER(p)->ancount = htobe16(ancount);
1027
1028 return 0;
1029 }
1030
1031 void dns_cache_dump(DnsCache *cache, FILE *f) {
1032 Iterator iterator;
1033 DnsCacheItem *i;
1034 int r;
1035
1036 if (!cache)
1037 return;
1038
1039 if (!f)
1040 f = stdout;
1041
1042 HASHMAP_FOREACH(i, cache->by_key, iterator) {
1043 DnsCacheItem *j;
1044
1045 LIST_FOREACH(by_key, j, i) {
1046
1047 fputc('\t', f);
1048
1049 if (j->rr) {
1050 const char *t;
1051 t = dns_resource_record_to_string(j->rr);
1052 if (!t) {
1053 log_oom();
1054 continue;
1055 }
1056
1057 fputs(t, f);
1058 fputc('\n', f);
1059 } else {
1060 _cleanup_free_ char *z = NULL;
1061 r = dns_resource_key_to_string(j->key, &z);
1062 if (r < 0) {
1063 log_oom();
1064 continue;
1065 }
1066
1067 fputs(z, f);
1068 fputs(" -- ", f);
1069 fputs(j->type == DNS_CACHE_NODATA ? "NODATA" : "NXDOMAIN", f);
1070 fputc('\n', f);
1071 }
1072 }
1073 }
1074 }
1075
1076 bool dns_cache_is_empty(DnsCache *cache) {
1077 if (!cache)
1078 return true;
1079
1080 return hashmap_isempty(cache->by_key);
1081 }
1082
1083 unsigned dns_cache_size(DnsCache *cache) {
1084 if (!cache)
1085 return 0;
1086
1087 return hashmap_size(cache->by_key);
1088 }
systemd for Proxmox projects