rec: Add counters for incoming AD and CD queries

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 28360e42b2c47b4a2f83f3756ce28adf022943fd..45a6e26a19b0fc7ea1cf51ed30f33d00b6267b25 100644 (file)
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1110,6 +1110,21 @@ static void startDoResolve(void *p)
         DNSSECOK=true;
         g_stats.dnssecQueries++;
       }
+      if (dc->d_mdp.d_header.cd) {
+        /* Per rfc6840 section 5.9, "When processing a request with
+           the Checking Disabled (CD) bit set, a resolver SHOULD attempt
+           to return all response data, even data that has failed DNSSEC
+           validation. */
+        ++g_stats.dnssecCheckDisabledQueries;
+      }
+      if (dc->d_mdp.d_header.ad) {
+        /* Per rfc6840 section 5.7, "the AD bit in a query as a signal
+           indicating that the requester understands and is interested in the
+           value of the AD bit in the response.  This allows a requester to
+           indicate that it understands the AD bit without also requesting
+           DNSSEC data via the DO bit. */
+        ++g_stats.dnssecAuthenticDataQueries;
+      }
     } else {
       // Ignore the client-set CD flag
       pw.getHeader()->cd=0;

diff --git a/pdns/rec-snmp.cc b/pdns/rec-snmp.cc
index ce7dd34bd090cce584c062da1ae9d09d3919e61d..930eca5300a8d2b265da5ced60f407d54fb75aad 100644 (file)
--- a/pdns/rec-snmp.cc
+++ b/pdns/rec-snmp.cc
@@ -110,6 +110,8 @@ static const oid policyResultCustomOID[] = { RECURSOR_STATS_OID, 91 };
 static const oid queryPipeFullDropsOID[] = { RECURSOR_STATS_OID, 92 };
 static const oid truncatedDropsOID[] = { RECURSOR_STATS_OID, 93 };
 static const oid emptyQueriesOID[] = { RECURSOR_STATS_OID, 94 };
+static const oid dnssecAuthenticDataQueriesOID[] = { RECURSOR_STATS_OID, 95 };
+static const oid dnssecCheckDisabledQueriesOID[] = { RECURSOR_STATS_OID, 96 };
 
 static std::unordered_map<oid, std::string> s_statsMap;
 
@@ -277,6 +279,8 @@ RecursorSNMPAgent::RecursorSNMPAgent(const std::string& name, const std::string&
   registerCounter64Stat("edns-ping-matches", ednsPingMatchesOID, OID_LENGTH(ednsPingMatchesOID));
   registerCounter64Stat("edns-ping-mismatches", ednsPingMismatchesOID, OID_LENGTH(ednsPingMismatchesOID));
   registerCounter64Stat("dnssec-queries", dnssecQueriesOID, OID_LENGTH(dnssecQueriesOID));
+  registerCounter64Stat("dnssec-authentic-data-queries", dnssecAuthenticDataQueriesOID, OID_LENGTH(dnssecAuthenticDataQueriesOID));
+  registerCounter64Stat("dnssec-check-disabled-queries", dnssecCheckDisabledQueriesOID, OID_LENGTH(dnssecCheckDisabledQueriesOID));
   registerCounter64Stat("noping-outqueries", nopingOutqueriesOID, OID_LENGTH(nopingOutqueriesOID));
   registerCounter64Stat("noedns-outqueries", noednsOutqueriesOID, OID_LENGTH(noednsOutqueriesOID));
   registerCounter64Stat("uptime", uptimeOID, OID_LENGTH(uptimeOID));

diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 53eebc3d8cd0cab91f5b1d0237a4c937c5314022..a6a5825cfddae3394e0c43bd40ea5e697800ee66 100644 (file)
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1013,6 +1013,8 @@ void registerAllStats()
   addGetStat("edns-ping-matches", &g_stats.ednsPingMatches);
   addGetStat("edns-ping-mismatches", &g_stats.ednsPingMismatches);
   addGetStat("dnssec-queries", &g_stats.dnssecQueries);
+  addGetStat("dnssec-authentic-data-queries", &g_stats.dnssecAuthenticDataQueries);
+  addGetStat("dnssec-check-disabled-queries", &g_stats.dnssecCheckDisabledQueries);
 
   addGetStat("noping-outqueries", &g_stats.noPingOutQueries);
   addGetStat("noedns-outqueries", &g_stats.noEdnsOutQueries);

diff --git a/pdns/recursordist/RECURSOR-MIB.txt b/pdns/recursordist/RECURSOR-MIB.txt
index 143d10d31e1389f35d8743d462e515b332996e63..c1d74c97e1663ef0211d6d84aba3240727f76904 100644 (file)
--- a/pdns/recursordist/RECURSOR-MIB.txt
+++ b/pdns/recursordist/RECURSOR-MIB.txt
@@ -15,7 +15,7 @@ IMPORTS
         FROM SNMPv2-CONF;
 
 rec MODULE-IDENTITY
-    LAST-UPDATED "201611290000Z"
+    LAST-UPDATED "201812240000Z"
     ORGANIZATION "PowerDNS BV"
     CONTACT-INFO "support@powerdns.com"
     DESCRIPTION
@@ -24,6 +24,9 @@ rec MODULE-IDENTITY
     REVISION "201611290000Z"
     DESCRIPTION "Initial revision."
 
+    REVISION "201812240000Z"
+    DESCRIPTION "Added the dnssecAuthenticDataQueries and dnssecCheckDisabledQueries stats."
+
     ::= { powerdns 2 }
 
 powerdns               OBJECT IDENTIFIER ::= { enterprises 43315 }
@@ -782,6 +785,22 @@ emptyQueries OBJECT-TYPE
         "Number of queries dropped because they had a QD count of 0"
     ::= { stats 94 }
 
+dnssecAuthenticDataQueries OBJECT-TYPE
+    SYNTAX Counter64
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "Number of queries received with the AD bit set"
+    ::= { stats 95 }
+
+dnssecCheckDisabledQueries OBJECT-TYPE
+    SYNTAX Counter64
+    MAX-ACCESS read-only
+    STATUS current
+    DESCRIPTION
+        "Number of queries received with the CD bit set"
+    ::= { stats 96 }
+
 ---
 --- Traps / Notifications
 ---
@@ -917,6 +936,9 @@ recGroup OBJECT-GROUP
         policyResultCustom,
         queryPipeFullDrops,
         truncatedDrops,
+        emptyQueries,
+        dnssecAuthenticDataQueries,
+        dnssecCheckDisabledQueries
         trapReason
     }
     STATUS current

diff --git a/pdns/recursordist/docs/metrics.rst b/pdns/recursordist/docs/metrics.rst
index 6bd2e45ab942d770a676206cfb4c1cc3e8c37634..569fcd4690bf9d1d40610748ecb7d46e6986d6a3 100644 (file)
--- a/pdns/recursordist/docs/metrics.rst
+++ b/pdns/recursordist/docs/metrics.rst
@@ -184,6 +184,18 @@ dlg-only-drops
 ^^^^^^^^^^^^^^
 number of records dropped because of :ref:`setting-delegation-only` setting
 
+dnssec-authentic-data-queries
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. versionadded:: 4.2
+
+number of queries received with the AD bit set
+
+dnssec-check-disabled-queries
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. versionadded:: 4.2
+
+number of queries received with the CD bit set
+
 dnssec-queries
 ^^^^^^^^^^^^^^
 number of queries received with the DO bit set

diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index cb2a448591e68a07eb02fe0f38e4c766533c0910..a9d632d560e48b98d519c6a08224d854fb8e3313 100644 (file)
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -933,6 +933,8 @@ struct RecursorStats
   std::atomic<uint64_t> emptyQueriesCount;
   time_t startupTime;
   std::atomic<uint64_t> dnssecQueries;
+  std::atomic<uint64_t> dnssecAuthenticDataQueries;
+  std::atomic<uint64_t> dnssecCheckDisabledQueries;
   unsigned int maxMThreadStackUsage;
   std::atomic<uint64_t> dnssecValidations; // should be the sum of all dnssecResult* stats
   std::map<vState, std::atomic<uint64_t> > dnssecResults;