From 6f055e43b817b66e6d4f6e4022f0a115dc35651b Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 10 Nov 2020 17:14:16 +0100 Subject: [PATCH] resolved: replace "answer_authenticated" bool by uint64_t query_flags field Let's use the same flags type we use for client communication, i.e. instead of "bool answer_authenticated", let's use "uint64_t answer_query_flags", with the SD_RESOLVED_AUTHENTICATED flag. This is mostly just search/replace, i.e. a refactoring, no change in behaviour. This becomes useful once in a later commit SD_RESOLVED_CONFIDENTIAL is added to indicate resolution that either were encrypted (DNS-over-TLS) or never left the local system. --- src/resolve/resolved-dns-cache.c | 62 ++++++++++++++----------- src/resolve/resolved-dns-cache.h | 4 +- src/resolve/resolved-dns-query.c | 25 +++++----- src/resolve/resolved-dns-query.h | 2 +- src/resolve/resolved-dns-transaction.c | 63 ++++++++++++-------------- src/resolve/resolved-dns-transaction.h | 15 +++--- 6 files changed, 87 insertions(+), 84 deletions(-) diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c index cf0e221621cfd..78b858b8bea11 100644 --- a/src/resolve/resolved-dns-cache.c +++ b/src/resolve/resolved-dns-cache.c @@ -22,6 +22,8 @@ * now) */ #define CACHE_TTL_STRANGE_RCODE_USEC (10 * USEC_PER_SEC) +#define CACHEABLE_QUERY_FLAGS (SD_RESOLVED_AUTHENTICATED) + typedef enum DnsCacheItemType DnsCacheItemType; typedef struct DnsCacheItem DnsCacheItem; @@ -41,8 +43,8 @@ struct DnsCacheItem { int rcode; usec_t until; - bool authenticated:1; bool shared_owner:1; + uint64_t query_flags; /* SD_RESOLVED_AUTHENTICATED */ DnssecResult dnssec_result; int ifindex; @@ -353,7 +355,7 @@ static void dns_cache_item_update_positive( DnsResourceRecord *rr, DnsAnswer *answer, DnsPacket *full_packet, - bool authenticated, + uint64_t query_flags, bool shared_owner, DnssecResult dnssec_result, usec_t timestamp, @@ -390,7 +392,7 @@ static void dns_cache_item_update_positive( i->full_packet = full_packet; i->until = calculate_until(rr, UINT32_MAX, timestamp, false); - i->authenticated = authenticated; + i->query_flags = query_flags & CACHEABLE_QUERY_FLAGS; i->shared_owner = shared_owner; i->dnssec_result = dnssec_result; @@ -407,7 +409,7 @@ static int dns_cache_put_positive( DnsResourceRecord *rr, DnsAnswer *answer, DnsPacket *full_packet, - bool authenticated, + uint64_t query_flags, bool shared_owner, DnssecResult dnssec_result, usec_t timestamp, @@ -448,7 +450,7 @@ static int dns_cache_put_positive( rr, answer, full_packet, - authenticated, + query_flags, shared_owner, dnssec_result, timestamp, @@ -476,7 +478,7 @@ static int dns_cache_put_positive( .answer = dns_answer_ref(answer), .full_packet = dns_packet_ref(full_packet), .until = calculate_until(rr, (uint32_t) -1, timestamp, false), - .authenticated = authenticated, + .query_flags = query_flags & CACHEABLE_QUERY_FLAGS, .shared_owner = shared_owner, .dnssec_result = dnssec_result, .ifindex = ifindex, @@ -496,7 +498,7 @@ static int dns_cache_put_positive( (void) in_addr_to_string(i->owner_family, &i->owner_address, &t); log_debug("Added positive %s%s cache entry for %s "USEC_FMT"s on %s/%s/%s", - i->authenticated ? "authenticated" : "unauthenticated", + FLAGS_SET(i->query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unauthenticated", i->shared_owner ? " shared" : "", dns_resource_key_to_string(i->key, key_str, sizeof key_str), (i->until - timestamp) / USEC_PER_SEC, @@ -515,7 +517,7 @@ static int dns_cache_put_negative( int rcode, DnsAnswer *answer, DnsPacket *full_packet, - bool authenticated, + uint64_t query_flags, DnssecResult dnssec_result, uint32_t nsec_ttl, usec_t timestamp, @@ -566,7 +568,7 @@ static int dns_cache_put_negative( .type = rcode == DNS_RCODE_SUCCESS ? DNS_CACHE_NODATA : rcode == DNS_RCODE_NXDOMAIN ? DNS_CACHE_NXDOMAIN : DNS_CACHE_RCODE, - .authenticated = authenticated, + .query_flags = query_flags & CACHEABLE_QUERY_FLAGS, .dnssec_result = dnssec_result, .owner_family = owner_family, .owner_address = *owner_address, @@ -669,7 +671,7 @@ int dns_cache_put( int rcode, DnsAnswer *answer, DnsPacket *full_packet, - bool authenticated, + uint64_t query_flags, DnssecResult dnssec_result, uint32_t nsec_ttl, int owner_family, @@ -761,7 +763,7 @@ int dns_cache_put( item->rr, primary ? answer : NULL, primary ? full_packet : NULL, - item->flags & DNS_ANSWER_AUTHENTICATED, + (item->flags & DNS_ANSWER_AUTHENTICATED) ? SD_RESOLVED_AUTHENTICATED : 0, item->flags & DNS_ANSWER_SHARED_OWNER, dnssec_result, timestamp, @@ -802,7 +804,8 @@ int dns_cache_put( if (r > 0) { /* Refuse using the SOA data if it is unsigned, but the key is * signed */ - if (authenticated && (flags & DNS_ANSWER_AUTHENTICATED) == 0) + if (FLAGS_SET(query_flags, SD_RESOLVED_AUTHENTICATED) && + (flags & DNS_ANSWER_AUTHENTICATED) == 0) return 0; } @@ -819,7 +822,7 @@ int dns_cache_put( rcode, answer, full_packet, - authenticated, + query_flags, dnssec_result, nsec_ttl, timestamp, @@ -951,7 +954,7 @@ int dns_cache_lookup( int *ret_rcode, DnsAnswer **ret_answer, DnsPacket **ret_full_packet, - bool *ret_authenticated, + uint64_t *ret_query_flags, DnssecResult *ret_dnssec_result) { _cleanup_(dns_packet_unrefp) DnsPacket *full_packet = NULL; @@ -1013,7 +1016,7 @@ int dns_cache_lookup( n++; } - if (j->authenticated) + if (FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED)) have_authenticated = true; else have_non_authenticated = true; @@ -1049,7 +1052,14 @@ int dns_cache_lookup( } } else if (j->rr) { - r = answer_add_clamp_ttl(&answer, j->rr, j->ifindex, j->authenticated ? DNS_ANSWER_AUTHENTICATED : 0, NULL, query_flags, j->until, current); + r = answer_add_clamp_ttl(&answer, + j->rr, + j->ifindex, + FLAGS_SET(j->query_flags, SD_RESOLVED_AUTHENTICATED) ? DNS_ANSWER_AUTHENTICATED : 0, + NULL, + query_flags, + j->until, + current); if (r < 0) return r; } @@ -1072,8 +1082,8 @@ int dns_cache_lookup( *ret_answer = TAKE_PTR(answer); if (ret_full_packet) *ret_full_packet = TAKE_PTR(full_packet); - if (ret_authenticated) - *ret_authenticated = false; + if (ret_query_flags) + *ret_query_flags = 0; if (ret_dnssec_result) *ret_dnssec_result = dnssec_result; @@ -1097,8 +1107,8 @@ int dns_cache_lookup( *ret_answer = TAKE_PTR(answer); if (ret_full_packet) *ret_full_packet = TAKE_PTR(full_packet); - if (ret_authenticated) - *ret_authenticated = nsec->authenticated; + if (ret_query_flags) + *ret_query_flags = nsec->query_flags; if (ret_dnssec_result) *ret_dnssec_result = nsec->dnssec_result; @@ -1127,8 +1137,8 @@ int dns_cache_lookup( *ret_answer = TAKE_PTR(answer); if (ret_full_packet) *ret_full_packet = TAKE_PTR(full_packet); - if (ret_authenticated) - *ret_authenticated = have_authenticated && !have_non_authenticated; + if (ret_query_flags) + *ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0; if (ret_dnssec_result) *ret_dnssec_result = dnssec_result; @@ -1143,8 +1153,8 @@ int dns_cache_lookup( *ret_answer = TAKE_PTR(answer); if (ret_full_packet) *ret_full_packet = TAKE_PTR(full_packet); - if (ret_authenticated) - *ret_authenticated = have_authenticated && !have_non_authenticated; + if (ret_query_flags) + *ret_query_flags = (have_authenticated && !have_non_authenticated) ? SD_RESOLVED_AUTHENTICATED : 0; if (ret_dnssec_result) *ret_dnssec_result = dnssec_result; @@ -1157,8 +1167,8 @@ int dns_cache_lookup( *ret_answer = NULL; if (ret_full_packet) *ret_full_packet = NULL; - if (ret_authenticated) - *ret_authenticated = false; + if (ret_query_flags) + *ret_query_flags = 0; if (ret_dnssec_result) *ret_dnssec_result = _DNSSEC_RESULT_INVALID; diff --git a/src/resolve/resolved-dns-cache.h b/src/resolve/resolved-dns-cache.h index cfae24fb71cc4..621b52f8926f8 100644 --- a/src/resolve/resolved-dns-cache.h +++ b/src/resolve/resolved-dns-cache.h @@ -30,7 +30,7 @@ int dns_cache_put( int rcode, DnsAnswer *answer, DnsPacket *full_packet, - bool authenticated, + uint64_t query_flags, DnssecResult dnssec_result, uint32_t nsec_ttl, int owner_family, @@ -43,7 +43,7 @@ int dns_cache_lookup( int *ret_rcode, DnsAnswer **ret_answer, DnsPacket **ret_full_packet, - bool *ret_authenticated, + uint64_t *ret_query_flags, DnssecResult *ret_dnssec_result); int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address); diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c index aa058446421d6..8137b4028b6cd 100644 --- a/src/resolve/resolved-dns-query.c +++ b/src/resolve/resolved-dns-query.c @@ -346,7 +346,7 @@ static void dns_query_reset_answer(DnsQuery *q) { q->answer_rcode = 0; q->answer_dnssec_result = _DNSSEC_RESULT_INVALID; q->answer_errno = 0; - q->answer_authenticated = false; + q->answer_query_flags = 0; q->answer_protocol = _DNS_PROTOCOL_INVALID; q->answer_family = AF_UNSPEC; q->answer_search_domain = dns_search_domain_unref(q->answer_search_domain); @@ -630,7 +630,7 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) { q->answer_rcode = DNS_RCODE_NXDOMAIN; q->answer_protocol = dns_synthesize_protocol(q->flags); q->answer_family = dns_synthesize_family(q->flags); - q->answer_authenticated = true; + q->answer_query_flags = SD_RESOLVED_AUTHENTICATED; *state = DNS_TRANSACTION_RCODE_FAILURE; return 0; @@ -644,7 +644,7 @@ static int dns_query_synthesize_reply(DnsQuery *q, DnsTransactionState *state) { q->answer_rcode = DNS_RCODE_SUCCESS; q->answer_protocol = dns_synthesize_protocol(q->flags); q->answer_family = dns_synthesize_family(q->flags); - q->answer_authenticated = true; + q->answer_query_flags = SD_RESOLVED_AUTHENTICATED; *state = DNS_TRANSACTION_SUCCESS; @@ -676,7 +676,7 @@ static int dns_query_try_etc_hosts(DnsQuery *q) { q->answer_rcode = DNS_RCODE_SUCCESS; q->answer_protocol = dns_synthesize_protocol(q->flags); q->answer_family = dns_synthesize_family(q->flags); - q->answer_authenticated = true; + q->answer_query_flags = SD_RESOLVED_AUTHENTICATED; return 1; } @@ -817,7 +817,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) { q->answer = dns_answer_unref(q->answer); q->answer_rcode = 0; q->answer_dnssec_result = _DNSSEC_RESULT_INVALID; - q->answer_authenticated = false; + q->answer_query_flags = 0; q->answer_errno = c->error_code; q->answer_full_packet = dns_packet_unref(q->answer_full_packet); } @@ -845,7 +845,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) { dns_packet_unref(q->answer_full_packet); q->answer_full_packet = dns_packet_ref(t->received); - if (t->answer_authenticated) { + if (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) { has_authenticated = true; dnssec_result_authenticated = t->answer_dnssec_result; } else { @@ -870,14 +870,15 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) { continue; /* If there's already an authenticated negative reply stored, then prefer that over any unauthenticated one */ - if (q->answer_authenticated && !t->answer_authenticated) + if (FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && + !FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) continue; dns_answer_unref(q->answer); q->answer = dns_answer_ref(t->answer); q->answer_rcode = t->answer_rcode; q->answer_dnssec_result = t->answer_dnssec_result; - q->answer_authenticated = t->answer_authenticated; + q->answer_query_flags = t->answer_query_flags; q->answer_errno = t->answer_errno; dns_packet_unref(q->answer_full_packet); q->answer_full_packet = dns_packet_ref(t->received); @@ -888,8 +889,8 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) { } if (state == DNS_TRANSACTION_SUCCESS) { - q->answer_authenticated = has_authenticated && !has_non_authenticated; - q->answer_dnssec_result = q->answer_authenticated ? dnssec_result_authenticated : dnssec_result_non_authenticated; + SET_FLAG(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED, has_authenticated && !has_non_authenticated); + q->answer_dnssec_result = FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? dnssec_result_authenticated : dnssec_result_non_authenticated; } q->answer_protocol = c->scope->protocol; @@ -1049,7 +1050,7 @@ int dns_query_process_cname(DnsQuery *q) { if (q->flags & SD_RESOLVED_NO_CNAME) return -ELOOP; - if (!q->answer_authenticated) + if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) q->previous_redirect_unauthenticated = true; /* OK, let's actually follow the CNAME */ @@ -1119,5 +1120,5 @@ const char *dns_query_string(DnsQuery *q) { bool dns_query_fully_authenticated(DnsQuery *q) { assert(q); - return q->answer_authenticated && !q->previous_redirect_unauthenticated; + return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED) && !q->previous_redirect_unauthenticated; } diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h index a7916712c11ec..1a30433e8cbef 100644 --- a/src/resolve/resolved-dns-query.h +++ b/src/resolve/resolved-dns-query.h @@ -66,7 +66,7 @@ struct DnsQuery { DnsAnswer *answer; int answer_rcode; DnssecResult answer_dnssec_result; - bool answer_authenticated; + uint64_t answer_query_flags; DnsProtocol answer_protocol; int answer_family; DnsSearchDomain *answer_search_domain; diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 55b9114f5839b..32f3f16a0dad1 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -29,7 +29,7 @@ static void dns_transaction_reset_answer(DnsTransaction *t) { t->answer_rcode = 0; t->answer_dnssec_result = _DNSSEC_RESULT_INVALID; t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID; - t->answer_authenticated = false; + t->answer_query_flags = 0; t->answer_nsec_ttl = (uint32_t) -1; t->answer_errno = 0; } @@ -420,7 +420,7 @@ void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) { st, t->answer_source < 0 ? "none" : dns_transaction_source_to_string(t->answer_source), FLAGS_SET(t->query_flags, SD_RESOLVED_NO_VALIDATE) ? "not validated" : - (t->answer_authenticated ? "authenticated" : "unsigned")); + (FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED) ? "authenticated" : "unsigned")); t->state = state; @@ -793,7 +793,7 @@ static void dns_transaction_cache_answer(DnsTransaction *t) { * since our usecase for caching them * is "bypass" mode which is only * enabled for CD packets. */ - t->answer_authenticated, + t->answer_query_flags, t->answer_dnssec_result, t->answer_nsec_ttl, t->received->family, @@ -1231,7 +1231,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { t->answer = dns_answer_ref(p->answer); t->answer_rcode = DNS_PACKET_RCODE(p); t->answer_dnssec_result = _DNSSEC_RESULT_INVALID; - t->answer_authenticated = false; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false); r = dns_transaction_fix_rcode(t); if (r < 0) @@ -1519,7 +1519,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) { if (r > 0) { t->answer_rcode = DNS_RCODE_SUCCESS; t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR; - t->answer_authenticated = true; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true); dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS); return 0; } @@ -1538,7 +1538,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) { t->answer_rcode = DNS_RCODE_SUCCESS; t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR; - t->answer_authenticated = false; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false); dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS); } else /* If we are not in downgrade mode, then fail the lookup, because we cannot @@ -1559,7 +1559,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) { if (r > 0) { t->answer_rcode = DNS_RCODE_SUCCESS; t->answer_source = DNS_TRANSACTION_ZONE; - t->answer_authenticated = true; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true); dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS); return 0; } @@ -1582,7 +1582,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) { &t->answer_rcode, &t->answer, &t->received, - &t->answer_authenticated, + &t->answer_query_flags, &t->answer_dnssec_result); if (r < 0) return r; @@ -2566,7 +2566,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * * RRs we are looking at. If it discovered signed DS * RRs, then we need to be signed, too. */ - if (!dt->answer_authenticated) + if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) return false; return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); @@ -2618,7 +2618,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * if (r == 0) continue; - return t->answer_authenticated; + return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED); } return true; @@ -2642,12 +2642,10 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord * if (r == 0) continue; - /* We found the transaction that was supposed to find - * the SOA RR for us. It was successful, but found no - * RR for us. This means we are not at a zone cut. In - * this case, we require authentication if the SOA - * lookup was authenticated too. */ - return t->answer_authenticated; + /* We found the transaction that was supposed to find the SOA RR for us. It was + * successful, but found no RR for us. This means we are not at a zone cut. In this + * case, we require authentication if the SOA lookup was authenticated too. */ + return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED); } return true; @@ -2788,7 +2786,7 @@ static int dns_transaction_requires_nsec(DnsTransaction *t) { if (r == 0) continue; - return dt->answer_authenticated; + return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED); } /* If in doubt, require NSEC/NSEC3 */ @@ -2832,11 +2830,10 @@ static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRe if (r == 0) continue; - /* OK, we found an auxiliary DNSKEY - * lookup. If that lookup is - * authenticated, report this. */ + /* OK, we found an auxiliary DNSKEY lookup. If that lookup is authenticated, + * report this. */ - if (dt->answer_authenticated) + if (FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) return true; found = true; @@ -2849,12 +2846,10 @@ static int dns_transaction_dnskey_authenticated(DnsTransaction *t, DnsResourceRe if (r == 0) continue; - /* OK, we found an auxiliary DS - * lookup. If that lookup is - * authenticated and non-zero, we - * won! */ + /* OK, we found an auxiliary DS lookup. If that lookup is authenticated and + * non-zero, we won! */ - if (!dt->answer_authenticated) + if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) return false; return dns_answer_match_key(dt->answer, dns_transaction_key(dt), NULL); @@ -2942,7 +2937,7 @@ static int dns_transaction_copy_validated(DnsTransaction *t) { if (DNS_TRANSACTION_IS_LIVE(dt->state)) continue; - if (!dt->answer_authenticated) + if (!FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)) continue; r = dns_answer_extend(&t->validated_keys, dt->answer); @@ -3244,7 +3239,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { /* Our own stuff needs no validation */ if (IN_SET(t->answer_source, DNS_TRANSACTION_ZONE, DNS_TRANSACTION_TRUST_ANCHOR)) { t->answer_dnssec_result = DNSSEC_VALIDATED; - t->answer_authenticated = true; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true); return 0; } @@ -3332,11 +3327,11 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { /* The answer is fully authenticated, yay. */ t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_SUCCESS; - t->answer_authenticated = true; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, true); } else { /* The answer is not fully authenticated. */ t->answer_dnssec_result = DNSSEC_UNSIGNED; - t->answer_authenticated = false; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false); } } else if (r == 0) { @@ -3355,7 +3350,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { log_debug("Proved NXDOMAIN via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str); t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_NXDOMAIN; - t->answer_authenticated = authenticated; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated); manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t)); break; @@ -3365,7 +3360,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { log_debug("Proved NODATA via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str); t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_SUCCESS; - t->answer_authenticated = authenticated; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, authenticated); manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, dns_transaction_key(t)); break; @@ -3374,7 +3369,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { /* NSEC3 says the data might not be signed */ log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, key_str); t->answer_dnssec_result = DNSSEC_UNSIGNED; - t->answer_authenticated = false; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false); manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t)); break; @@ -3390,7 +3385,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, dns_transaction_key(t)); } else { t->answer_dnssec_result = DNSSEC_UNSIGNED; - t->answer_authenticated = false; + SET_FLAG(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED, false); manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, dns_transaction_key(t)); } diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h index 9376d504bfee9..dab26d01fcaf9 100644 --- a/src/resolve/resolved-dns-transaction.h +++ b/src/resolve/resolved-dns-transaction.h @@ -77,15 +77,12 @@ struct DnsTransaction { uint32_t answer_nsec_ttl; int answer_errno; /* if state is DNS_TRANSACTION_ERRNO */ - /* Indicates whether the primary answer is authenticated, - * i.e. whether the RRs from answer which directly match the - * question are authenticated, or, if there are none, whether - * the NODATA or NXDOMAIN case is. It says nothing about - * additional RRs listed in the answer, however they have - * their own DNS_ANSWER_AUTHORIZED FLAGS. Note that this bit - * is defined different than the AD bit in DNS packets, as - * that covers more than just the actual primary answer. */ - bool answer_authenticated; + /* SD_RESOLVED_AUTHENTICATED here indicates whether the primary answer is authenticated, i.e. whether + * the RRs from answer which directly match the question are authenticated, or, if there are none, + * whether the NODATA or NXDOMAIN case is. It says nothing about additional RRs listed in the answer, + * however they have their own DNS_ANSWER_AUTHORIZED FLAGS. Note that this bit is defined different + * than the AD bit in DNS packets, as that covers more than just the actual primary answer. */ + uint64_t answer_query_flags; /* Contains DNSKEY, DS, SOA RRs we already verified and need * to authenticate this reply */