resolved: tweak how we signal authoritative answers

let's make sure we set the "aa" bit in the stub only if we answer with fully authoritative data. For this ensure: 1. Either all data is synthetic, including all CNAME/DNAME redirects 2. Or all data comes from the local trust anchor or the local zones (i.e. not the network or the cache) Follow-up for 4ad017cda57b04b9d65e7da962806cfcc50b5f0c
2025-03-19 22:50:17 +03:00 · 2021-02-24 17:04:55 +01:00 · 2021-02-24 17:04:55 +01:00 · 9ddf099f30
commit 9ddf099f30
parent cb6c4f37dc
3 changed files with 16 additions and 5 deletions
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@ -1122,6 +1122,8 @@ int dns_query_process_cname_one(DnsQuery *q) {
                q->previous_redirect_unauthenticated = true;
        if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL))
                q->previous_redirect_non_confidential = true;
+        if (!FLAGS_SET(q->answer_query_flags, SD_RESOLVED_SYNTHETIC))
+                q->previous_redirect_non_synthetic = true;

        /* OK, let's actually follow the CNAME */
        r = dns_query_cname_redirect(q, cname);
@ -1244,9 +1246,17 @@ bool dns_query_fully_confidential(DnsQuery *q) {
        return FLAGS_SET(q->answer_query_flags, SD_RESOLVED_CONFIDENTIAL) && !q->previous_redirect_non_confidential;
 }

-bool dns_query_fully_synthetic(DnsQuery *q) {
+bool dns_query_fully_authoritative(DnsQuery *q) {
        assert(q);

-        return (q->answer_query_flags & (SD_RESOLVED_SYNTHETIC | SD_RESOLVED_FROM_TRUST_ANCHOR)) &&
-                !(q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~SD_RESOLVED_FROM_TRUST_ANCHOR);
+        /* We are authoritative for everything synthetic (except if a previous CNAME/DNAME) wasn't
+         * synthetic. (Note: SD_RESOLVED_SYNTHETIC is reset on each CNAME/DNAME, hence the explicit check for
+         * previous synthetic DNAME/CNAME redirections.)*/
+        if ((q->answer_query_flags & SD_RESOLVED_SYNTHETIC) && !q->previous_redirect_non_synthetic)
+                return true;
+
+        /* We are also authoritative for everything coming only from the trust anchor and the local
+         * zones. (Note: the SD_RESOLVED_FROM_xyz flags we merge on each redirect, hence no need to
+         * explicitly check previous redirects here.)*/
+        return (q->answer_query_flags & SD_RESOLVED_FROM_MASK & ~(SD_RESOLVED_FROM_TRUST_ANCHOR | SD_RESOLVED_FROM_ZONE)) == 0;
 }
--- a/src/resolve/resolved-dns-query.h
+++ b/src/resolve/resolved-dns-query.h
@ -80,6 +80,7 @@ struct DnsQuery {
        int answer_errno; /* if state is DNS_TRANSACTION_ERRNO */
        bool previous_redirect_unauthenticated;
        bool previous_redirect_non_confidential;
+        bool previous_redirect_non_synthetic;
        DnsPacket *answer_full_packet;

        /* Bus + Varlink client information */
@ -142,7 +143,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuery*, dns_query_free);

 bool dns_query_fully_authenticated(DnsQuery *q);
 bool dns_query_fully_confidential(DnsQuery *q);
-bool dns_query_fully_synthetic(DnsQuery *q);
+bool dns_query_fully_authoritative(DnsQuery *q);

 static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
        assert(q);
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@ -580,7 +580,7 @@ static int dns_stub_send_reply(
                        DNS_PACKET_ID(q->request_packet),
                        rcode,
                        truncated,
-                        dns_query_fully_synthetic(q),
+                        dns_query_fully_authoritative(q),
                        !!q->request_packet->opt,
                        edns0_do,
                        DNS_PACKET_AD(q->request_packet) && dns_query_fully_authenticated(q),