From 4ad017cda57b04b9d65e7da962806cfcc50b5f0c Mon Sep 17 00:00:00 2001
From: Sergey Bugaev
Date: Sat, 13 Feb 2021 17:09:09 +0300
Subject: [PATCH 1/2] resolved: set the AA bit for synthetic answers

The stub DNS server is authoritative for the RRs we synthesize, such as localhost, _gateway, and entries from /etc/hosts, and also for trust anchors.

Partially fixes https://github.com/systemd/systemd/issues/17972
---
 src/resolve/resolved-dns-query.c | 7 +++++++
 src/resolve/resolved-dns-query.h | 1 +
 src/resolve/resolved-dns-stub.c | 5 ++++-
 3 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 1413afe3b9..7fb2e110e0 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -1140,3 +1140,10 @@ bool dns_query_fully_confidential(DnsQuery *q) {
         return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) &&
                 !q->previous_redirect_non_confidential;
 }
+
+bool dns_query_fully_synthetic(DnsQuery *q) {
+        assert(q);
+
+        return (q->answer_query_flags & (SD_RESOLVED_SYNTHETIC | SD_RESOLVED_FROM_TRUST_ANCHOR)) &&
+                !(q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~SD_RESOLVED_FROM_TRUST_ANCHOR);
+}
diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h
index 4874aa0c17..ea296167b6 100644
--- a/src/resolve/resolved-dns-query.h
+++ b/src/resolve/resolved-dns-query.h
@@ -134,6 +134,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuery*, dns_query_free);
 
 bool dns_query_fully_authenticated(DnsQuery *q);
 bool dns_query_fully_confidential(DnsQuery *q);
+bool dns_query_fully_synthetic(DnsQuery *q);
 
 static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
         assert(q);
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
index a40eeea655..02ac29dbb9 100644
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
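Review bot: `dns_query_fully_synthetic` is the predicate that decides whether a stub reply carries the AA bit, yet nothing states the contract it encodes, and the two-clause `&` expression is noticeably harder to read than the `FLAGS_SET` form used by its siblings `dns_query_fully_authenticated` and `dns_query_fully_confidential` just above it. The second clause is the important one for correctness: it refuses AA as soon as any RR came from a source in SD_RESOLVED_FROM_MASK other than the trust anchor, so a partially cached or forwarded answer is never presented as authoritative. Add a header comment above the definition such as `/* True if the whole answer came from data we are authoritative for: synthesized RRs (localhost, _gateway, /etc/hosts) or the trust anchor, with no RR from any other SD_RESOLVED_FROM_* source. Drives the AA bit in stub replies. */` and a short why-comment on the second clause, `/* no other source contributed to the answer */`. The matching declaration in resolved-dns-query.h would benefit from the same one-line summary.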
@@ -428,6 +428,7 @@ static int dns_stub_finish_reply_packet(
                 uint16_t id,
                 int rcode,
                 bool tc, /* set the Truncated bit? */
+                bool aa, /* set the Authoritative Answer bit? */
                 bool add_opt, /* add an OPT RR to this packet? */
                 bool edns0_do, /* set the EDNS0 DNSSEC OK bit? */
                 bool ad, /* set the DNSSEC authenticated data bit? */
@@ -466,7 +467,7 @@ static int dns_stub_finish_reply_packet(
         DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
                                                               1 /* qr */,
                                                               0 /* opcode */,
-                                                              0 /* aa */,
+                                                              aa /* aa */,
                                                               tc /* tc */,
                                                               1 /* rd */,
                                                               1 /* ra */,
@@ -556,6 +557,7 @@ static int dns_stub_send_reply(
                         DNS_PACKET_ID(q->request_packet),
                         rcode,
                         truncated,
+                        dns_query_fully_synthetic(q),
                         !!q->request_packet->opt,
                         edns0_do,
                         DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),
@@ -596,6 +598,7 @@ static int dns_stub_send_failure(
                         DNS_PACKET_ID(p),
                         rcode,
                         truncated,
+                        false,
                         !!p->opt,
                         DNS_PACKET_DO(p),
                         DNS_PACKET_AD(p) && authenticated,

From bb4e030fcb5aa8e6c60615ae5189a3b0e89a0670 Mon Sep 17 00:00:00 2001
From: Sergey Bugaev
Date: Sat, 13 Feb 2021 17:16:56 +0300
Subject: [PATCH 2/2] resolved: set the AA bit for mDNS responses

This is required by RFC 6762.

Fixes https://github.com/systemd/systemd/issues/17972
---
 src/resolve/resolved-dns-scope.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index 2d24b5d101..2a8680aa91 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -883,6 +883,7 @@ int dns_scope_make_reply_packet(
         _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
         unsigned n_answer = 0, n_soa = 0;
         int r;
+        bool c_or_aa;
 
         assert(s);
         assert(ret);
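Review bot: In the `dns_stub_send_reply` and `dns_stub_send_failure` hunks the new argument is inserted positionally into a run of unlabeled bools (`truncated, dns_query_fully_synthetic(q), !!q->request_packet->opt, ...`), so a reader cannot tell from the call site which header bit is being set without opening `dns_stub_finish_reply_packet`, and a future reordering of that parameter list would silently swap flag meanings. Annotating the new argument at both call sites, `/* aa= */ dns_query_fully_synthetic(q),` and `/* aa= */ false,`, keeps the bit identifiable in the diff and at the call site at no runtime cost. Passing `false` on the failure path looks right, since an error reply carries no answer data the stub is authoritative for. Both call sites sit in functions that begin and end outside these hunks.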
@@ -896,11 +897,14 @@ int dns_scope_make_reply_packet(
         if (r < 0)
                 return r;
 
+        /* mDNS answers must have the Authoritative Answer bit set, see RFC 6762, section 18.4. */
+        c_or_aa = s->protocol == DNS_PROTOCOL_MDNS;
+
         DNS_PACKET_HEADER(p)->id = id;
         DNS_PACKET_HEADER(p)->flags = htobe16(DNS_PACKET_MAKE_FLAGS(
                                                               1 /* qr */,
                                                               0 /* opcode */,
-                                                              0 /* c */,
+                                                              c_or_aa,
                                                               0 /* tc */,
                                                               tentative,
                                                               0 /* (ra) */,
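Review bot: `c_or_aa,` drops the positional label that every neighbouring argument of DNS_PACKET_MAKE_FLAGS still carries (`0 /* tc */`, `0 /* (ra) */`), and the new comment explains only the mDNS half of the variable's name. The replaced line was labelled `/* c */`, which together with the `tentative` argument suggests this function presumably also builds LLMNR replies, where the same header bit is the C (conflict) flag and stays clear exactly as before this change. Keeping both meanings visible at the use site, `c_or_aa /* c (LLMNR) / aa (mDNS) */,`, and extending the comment with `For LLMNR the same bit is the C (conflict) flag and is left clear here.` would make the dual role explicit. `dns_scope_make_reply_packet` begins before and continues after this hunk, and the `c_or_aa` declaration lives in the file's earlier hunk.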