From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Wed, 20 Jul 2016 10:22:32 +0000 (+0200)
Subject: Rec: validate DNSSEC for secpoll.powerdns.com
X-Git-Tag: auth-4.0.1~14^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e6e0b487c55a886798a197e1b951e06f82e743a2;p=pdns

Rec: validate DNSSEC for secpoll.powerdns.com
---

diff --git a/pdns/secpoll-recursor.cc b/pdns/secpoll-recursor.cc
index bccfd4a8f..426644564 100644
--- a/pdns/secpoll-recursor.cc
+++ b/pdns/secpoll-recursor.cc
@@ -6,6 +6,7 @@
 #include "logger.hh"
 #include "arguments.hh"
 #include "version.hh"
+#include "validate-recursor.hh"
 
 #include <stdint.h>
 #ifndef PACKAGEVERSION 
@@ -20,13 +21,15 @@ void doSecPoll(time_t* last_secpoll)
   if(::arg()["security-poll-suffix"].empty())
     return;
 
+  string pkgv(PACKAGEVERSION);
   struct timeval now;
   gettimeofday(&now, 0);
   SyncRes sr(now);
-  sr.d_doDNSSEC=true;
+  if (g_dnssecmode != DNSSECMode::Off)
+    sr.d_doDNSSEC=true;
   vector<DNSRecord> ret;
 
-  string version = "recursor-" +string(PACKAGEVERSION);
+  string version = "recursor-" +pkgv;
   string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);
 
   if(*qstring.rbegin()!='.')
@@ -35,8 +38,20 @@ void doSecPoll(time_t* last_secpoll)
   boost::replace_all(qstring, "+", "_");
   boost::replace_all(qstring, "~", "_");
 
+  vState state = Indeterminate;
   DNSName query(qstring);
   int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);
+
+  if (g_dnssecmode != DNSSECMode::Off && res)
+    state = validateRecords(ret);
+
+  if(state == Bogus) {
+    L<<Logger::Error<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
+    if(g_security_status == 1) // If we were OK, go to unknown
+      g_security_status = 0;
+    return;
+  }
+
   if(!res && !ret.empty()) {
     string content=ret.begin()->d_content->getZoneRepresentation();
     if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') {
@@ -51,15 +66,14 @@ void doSecPoll(time_t* last_secpoll)
     *last_secpoll=now.tv_sec;
   }
   else {
-    string pkgv(PACKAGEVERSION);
     if(pkgv.find("0.0."))
       L<<Logger::Warning<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', RCODE = "<< RCode::to_s(res)<<endl;
     else
-      L<<Logger::Warning<<"Not validating response for security status update, this a non-release version."<<endl;
+      L<<Logger::Warning<<"Ignoring response for security status update, this a non-release version."<<endl;
 
-    if(g_security_status == 1) // it was ok, not it is unknown
+    if(g_security_status == 1) // it was ok, now it is unknown
       g_security_status = 0;
-    if(res == RCode::NXDomain) // if we had servfail, keep on trying more more frequently
+    if(res == RCode::NXDomain) // if we had NXDOMAIN, keep on trying more more frequently
       *last_secpoll=now.tv_sec; 
   }