Also allow setting this at runtime.
: Reload authoritative and forward zones. Retains current configuration
in case of errors.
+set-dnssec-log-bogus *SETTING*
+: Set dnssec-log-bogus setting to *SETTING*. Set to 'on' or 'yes' to log DNSSEC
+ validation failures and to 'no' or 'off' to disable logging these failures.
+
set-minimum-ttl *NUM*
: Set minimum-ttl-override to *NUM*.
#### `validate`
Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.
+## `dnssec-log-bogus`
+* Boolean
+* Default: no
+* Available since: 4.0.0
+
+Log every DNSSEC validation failure.
+**Note**: This is not logged per-query but every time records are validated as Bogus.
+
## `dont-query`
* Netmasks, comma separated
* Default: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,
pw.getHeader()->ad=0;
}
else if(state == Bogus) {
- if(sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) {
+ if(g_dnssecLogBogus || sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) {
L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Bogus"<<endl;
}
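Review bot: The `g_dnssecLogBogus` read added on the Bogus branch is a plain `bool` that doSetDnssecLogBogus in rec_channel_rec.cc flips at runtime from the control channel, so if the control channel is serviced on a different thread from the ones running this answer path, which appears to be the case for a multi-threaded recursor, this is an unsynchronised read/write of a non-atomic object, i.e. a data race. Declaring it `std::atomic<bool> g_dnssecLogBogus{false};` in the validate-recursor.cc hunk (with `extern std::atomic<bool> g_dnssecLogBogus;` in the validate-recursor.hh hunk and `#include <atomic>`) keeps the reads and writes well-defined without touching the call sites, since the implicit conversions keep `if(g_dnssecLogBogus ...)` and `g_dnssecLogBogus = true` compiling. The same applies to the startup assignment in the next hunk and to the two assignments in doSetDnssecLogBogus. The enclosing function starts and ends outside this hunk.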
exit(1);
}
+ g_dnssecLogBogus = ::arg().mustDo("dnssec-log-bogus");
+
if(::arg()["trace"]=="fail") {
SyncRes::setDefaultLogMode(SyncRes::Store);
}
::arg().setSwitch("non-local-bind", "Enable binding to non-local addresses by using FREEBIND / BINDANY socket options")="no";
::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off";
::arg().set("dnssec", "DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate")="process-no-validate";
+ ::arg().set("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";
::arg().set("daemon","Operate as a daemon")="no";
::arg().setSwitch("write-pid","Write a PID file")="yes";
::arg().set("loglevel","Amount of logging. Higher is more. Do not set below 3")="4";
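Review bot: `dnssec-log-bogus` is a boolean that the startup hunk reads with `mustDo()`, but it is declared with `set(...)` rather than `setSwitch(...)`, which is what the neighbouring boolean options `non-local-bind` and `write-pid` in this hunk use. For consistency, and so the option is presented as a switch like those, declare it as `::arg().setSwitch("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";`. The enclosing function starts and ends outside this hunk.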
#include "responsestats.hh"
#include "rec-lua-conf.hh"
+#include "validate-recursor.hh"
+
#include "secpoll-recursor.hh"
#include "pubsuffix.hh"
#include "namespaces.hh"
return ret;
}
+template<typename T>
+string doSetDnssecLogBogus(T begin, T end)
+{
+ if (begin == end)
+ return "No DNSSEC Bogus logging setting specified\n";
+
+ if (pdns_iequals(*begin, "on") || pdns_iequals(*begin, "yes")) {
+ if (!g_dnssecLogBogus) {
+ L<<Logger::Warning<<"Enabeling DNSSEC Bogus logging, requested via control channel"<<endl;
+ g_dnssecLogBogus = true;
+ return "DNSSEC Bogus logging enabled\n";
+ }
+ return "DNSSEC Bogus logging was already enabled\n";
+ }
+
+ if (pdns_iequals(*begin, "off") || pdns_iequals(*begin, "no")) {
+ if (g_dnssecLogBogus) {
+ L<<Logger::Warning<<"Disabeling DNSSEC Bogus logging, requested via control channel"<<endl;
+ g_dnssecLogBogus = false;
+ return "DNSSEC Bogus logging disabled\n";
+ }
+ return "DNSSEC Bogus logging was already disabled\n";
+ }
+
+ return "Unknown DNSSEC Bogus setting: '" + *begin +"'\n";
+}
+
template<typename T>
string doAddNTA(T begin, T end)
{
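Review bot: Both control-channel log messages in doSetDnssecLogBogus carry a typo: "Enabeling" and "Disabeling" should read `L<<Logger::Warning<<"Enabling DNSSEC Bogus logging, requested via control channel"<<endl;` and `L<<Logger::Warning<<"Disabling DNSSEC Bogus logging, requested via control channel"<<endl;`, and since these strings are what operators grep for, they are worth fixing before they ship. Separately, the function accepts `on`/`yes` and `off`/`no` case-insensitively, and the manpage hunk documents all four, but the help-text hunk below (`set-dnssec-log-bogus SETTING ...`) mentions only `yes` and `no`; aligning it, e.g. `"set-dnssec-log-bogus SETTING enable (SETTING=yes|on) or disable (SETTING=no|off) logging of DNSSEC validation failures\n"`, avoids confusion. The `"Unknown DNSSEC Bogus setting"` reply echoes the caller's argument back verbatim, which is acceptable on a local control socket but worth a one-line comment noting that the string is operator-supplied.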
"reload-zones reload all auth and forward zones\n"
"set-minimum-ttl value set minimum-ttl-override\n"
"set-carbon-server set a carbon server for telemetry\n"
+"set-dnssec-log-bogus SETTING enable (SETTING=yes) or disable (SETTING=no) logging of DNSSEC validation failures\n"
"trace-regex [regex] emit resolution trace for matching queries (empty regex to clear trace)\n"
"top-largeanswer-remotes show top remotes receiving large answers\n"
"top-queries show top queries\n"
if(cmd=="get-tas") {
return getTAs();
}
-
+
+ if (cmd=="set-dnssec-log-bogus")
+ return doSetDnssecLogBogus(begin, end);
+
return "Unknown command '"+cmd+"', try 'help'\n";
}
#include "logger.hh"
DNSSECMode g_dnssecmode{DNSSECMode::ProcessNoValidate};
+bool g_dnssecLogBogus;
#define LOG(x) if(g_dnssecLOG) { L <<Logger::Warning << x; }
enum class DNSSECMode { Off, Process, ProcessNoValidate, ValidateForLog, ValidateAll };
extern DNSSECMode g_dnssecmode;
+extern bool g_dnssecLogBogus;