* `client-parse-errors`: counts number of client packets that could not be parsed
* `concurrent-queries`: shows the number of MThreads currently running
* `dlg-only-drops`: number of records dropped because of delegation only setting
+* `dnssec-queries`: number of queries received with the DO and/or AD bit set
+* `dnssec-result-bogus`: number of DNSSEC validations that had the Bogus state
+* `dnssec-result-indeterminate`: number of DNSSEC validations that had the Indeterminate state
+* `dnssec-result-insecure`: number of DNSSEC validations that had the Insecure state
+* `dnssec-result-nta`: number of DNSSEC validations that had the NTA (negative trust anchor) state
+* `dnssec-result-secure`: number of DNSSEC validations that had the Secure state
+* `dnssec-validations`: number of DNSSEC validations performed
* `dont-outqueries`: number of outgoing queries dropped because of 'dont-query' setting (since 3.3)
* `edns-ping-matches`: number of servers that sent a valid EDNS PING response
* `edns-ping-mismatches`: number of servers that sent an invalid EDNS PING response
addGetStat("memory-alloc-flux", boost::bind(&MallocTracer::getAllocFlux, g_mtracer, string()));
addGetStat("memory-allocated", boost::bind(&MallocTracer::getTotAllocated, g_mtracer, string()));
#endif
+
+ addGetStat("dnssec-validations", &g_stats.dnssecValidations);
+ addGetStat("dnssec-result-insecure", &g_stats.dnssecResults[Insecure]);
+ addGetStat("dnssec-result-secure", &g_stats.dnssecResults[Secure]);
+ addGetStat("dnssec-result-bogus", &g_stats.dnssecResults[Bogus]);
+ addGetStat("dnssec-result-indeterminate", &g_stats.dnssecResults[Indeterminate]);
+ addGetStat("dnssec-result-nta", &g_stats.dnssecResults[NTA]);
}
static void doExitGeneric(bool nicely)
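Review bot: The five `addGetStat` registrations at the end of the hunk are also what creates the map entries, because `g_stats.dnssecResults[...]` default-inserts a missing key; the stored pointers stay valid only because std::map nodes have stable addresses and nothing ever erases them. That makes this registration load-bearing for every later `dnssecResults[state]++` done in the resolver threads, which presumably run after startup, so the dependency deserves a comment: `// operator[] creates the per-state counters here; must run before worker threads start so later increments only look up existing nodes.` If vState has enumerators beyond these five, a result in one of them would be inserted at runtime from a worker thread instead — worth checking against the enum. The enclosing registration function starts before this hunk.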
#include <boost/tuple/tuple_comparison.hpp>
#include "mtasker.hh"
#include "iputils.hh"
+#include "validate.hh"
#include "filterpo.hh"
time_t startupTime;
std::atomic<uint64_t> dnssecQueries;
unsigned int maxMThreadStackUsage;
+ std::atomic<uint64_t> dnssecValidations; // should be the sum of all dnssecResult* stats
+ std::map<vState, std::atomic<uint64_t> > dnssecResults;
};
//! represents a running TCP/IP client session
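Review bot: `dnssecResults` is a `std::map` of atomics, so the increments are atomic but the container is not: `operator[]` on a key that is not yet present inserts a node and may rebalance the tree, and `g_stats` is shared by all threads. Whether that can happen depends on every vState value having been created at registration time, which nothing in this type enforces. If vState is a small dense enum, a fixed-size array indexed by state (e.g. `std::array<std::atomic<uint64_t>, N> dnssecResults;` with `N` the enumerator count) removes both the insertion race and the per-validation tree walk; otherwise pre-populate the map in a constructor. The `should be the sum` comment would also benefit from a caveat that a validation returning early before any counter is touched (an empty record set) contributes to neither side.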
int d_queries{0};
};
+inline vState increaseDNSSECStateCounter(const vState& state)
+{
+ g_stats.dnssecResults[state]++;
+ return state;
+}
vState validateRecords(const vector<DNSRecord>& recs)
{
if(recs.empty())
return Insecure; // can't secure nothing
+ g_stats.dnssecValidations++;
+
cspmap_t cspmap=harvestCSPFromRecs(recs);
LOG("Got "<<cspmap.size()<<" RRSETs: "<<endl);
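Review bot: `increaseDNSSECStateCounter` has no comment, and its two non-obvious properties — it returns its argument so it can sit in a `return` expression, and `operator[]` would insert a missing key rather than fail — are exactly what a later caller needs to know; suggest `// Bumps the result counter for `state` and returns it unchanged so callers can write `return increaseDNSSECStateCounter(x);`. Relies on every vState key already existing in g_stats.dnssecResults.` Note also that `dnssecValidations++` is placed after the `recs.empty()` early return, so an empty set is neither counted as a validation nor as an Insecure result; that keeps the sum invariant but is worth a one-line comment next to the increment. validateRecords continues past the end of this hunk.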
int numsigs=0;
for(const auto& csp : cspmap) {
for(const auto& sig : csp.second.signatures) {
state = getKeysFor(sro, sig->d_signer, keys); // XXX check validity here
- if(state == NTA)
+ if(state == NTA) {
+ increaseDNSSECStateCounter(state);
return Insecure;
+ }
LOG("! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys"<<endl);
for(const auto& k : keys) {
LOG("Key: "<<k.getZoneRepresentation()<< " {tag="<<k.getTag()<<"}"<<endl);
// maybe not the right idea
}
}
- if(state == Bogus) {
- return state;
- }
+ if(state == Bogus)
+ return increaseDNSSECStateCounter(state);
validateWithKeySet(cspmap, validrrsets, keys);
}
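Review bot: The Bogus counter added at `if(state == Bogus) return increaseDNSSECStateCounter(state);` only sees the state of the last signature visited, because `state` is overwritten on every iteration of the `for(const auto& sig ...)` loop above it; a Bogus key lookup for an earlier signer is silently replaced by a later Secure/Insecure one, so `dnssec-result-bogus` undercounts and validation proceeds into validateWithKeySet. This predates the commit, but the new counter inherits it and operators will read the metric as a measure of failed validations. The conservative fix is to check inside the loop, right after the NTA test: `if(state == Bogus) return increaseDNSSECStateCounter(state);`; if continuing past a Bogus signer is intentional, at least latch it (`bool sawBogus = true;`) so the counter reflects it. validateRecords starts before and ends after this hunk.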
else {
state = getKeysFor(sro, recs.begin()->d_name, keys); // um WHAT DOES THIS MEAN - try first qname??
LOG("! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys "<<endl);
- return state;
+
+ return increaseDNSSECStateCounter(state);
}
LOG("Took "<<sro.d_queries<<" queries"<<endl);
- if(validrrsets.size() == cspmap.size()) // shortcut - everything was ok
- return Secure;
+ if(validrrsets.size() == cspmap.size())// shortcut - everything was ok
+ return increaseDNSSECStateCounter(Secure);
- if(keys.empty()) {
- return Insecure;
- }
+ if(keys.empty())
+ return increaseDNSSECStateCounter(Insecure);
#if 0
cerr<<"! validated "<<validrrsets.size()<<" RRsets out of "<<cspmap.size()<<endl;
LOG(csp.first.first<<"|"<<DNSRecordContent::NumberToType(csp.first.second)<<" with "<<csp.second.signatures.size()<<" signatures"<<endl);
if(!csp.second.signatures.empty() && !validrrsets.count(csp.first)) {
LOG("Lacks signature, must have one, signatures: "<<csp.second.signatures.size()<<", valid rrsets: "<<validrrsets.count(csp.first)<<endl);
- return Bogus;
+ return increaseDNSSECStateCounter(Bogus);
}
}
- return Insecure;
+ return increaseDNSSECStateCounter(Insecure);
}