From 98d365058e0dddb0492b11b058c681b38bcf76ad Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 17 Aug 2017 15:13:24 +0200
Subject: [PATCH] rec: Add `log-rpz-changes` to log RPZ additions and removals

---
 pdns/pdns_recursor.cc               | 4 ++++
 pdns/recursordist/docs/settings.rst | 9 +++++++++
 pdns/reczones.cc                    | 4 ++--
 pdns/rpzloader.hh                   | 2 ++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index afad36ca6..7f0896a9d 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -164,6 +164,7 @@ string s_programname="pdns_recursor";
 string s_pidfname;
 unsigned int g_numThreads;
 uint16_t g_outgoingEDNSBufsize;
+bool g_logRPZChanges{false};
 
 #define LOCAL_NETS "127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10"
 // Bad Nets taken from both:
@@ -2887,6 +2888,7 @@ static int serviceMain(int argc, char*argv[])
   g_latencyStatSize=::arg().asNum("latency-statistic-size");
 
   g_logCommonErrors=::arg().mustDo("log-common-errors");
+  g_logRPZChanges = ::arg().mustDo("log-rpz-changes");
 
   g_anyToTcp = ::arg().mustDo("any-to-tcp");
   g_udpTruncationThreshold = ::arg().asNum("udp-truncation-threshold");
@@ -3303,6 +3305,8 @@ int main(int argc, char **argv)
 
     ::arg().set("cpu-map", "Thread to CPU mapping, space separated thread-id=cpu1,cpu2..cpuN pairs")="";
 
+    ::arg().setSwitch("log-rpz-changes", "Log additions and removals to RPZ zones at Info level")="no";
+
     ::arg().setCmd("help","Provide a helpful message");
     ::arg().setCmd("version","Print version string");
     ::arg().setCmd("config","Output blank configuration");
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index 08263e544..0bf44e3df 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
@@ -553,6 +553,15 @@ It is recommended not to set this below 3.
 
 Some DNS errors occur rather frequently and are no cause for alarm.
 
+``log-rpz-changes``
+---------------------
+.. versionadded:: 4.1.0
+
+-  Boolean
+-  Default: no
+
+Log additions and removals to RPZ zones at Info (6) level instead of Debug (7).
+
 .. _setting-logging-facility:
 
 ``logging-facility``
diff --git a/pdns/reczones.cc b/pdns/reczones.cc
index 53c90edea..c0fcca6cd 100644
--- a/pdns/reczones.cc
+++ b/pdns/reczones.cc
@@ -367,7 +367,7 @@ void RPZIXFRTracker(const ComboAddress& master, const DNSName& zoneName, boost::
 	}
 	else {
           totremove++;
-	  L<<Logger::Debug<<"Had removal of "<<rr.d_name<<endl;
+	  L<<(g_logRPZChanges ? Logger::Info : Logger::Debug)<<"Had removal of "<<rr.d_name<<" from RPZ zone "<<zoneName.toStringNoDot()<<endl;
 	  RPZRecordToPolicy(rr, newZone, false, defpol, maxTTL);
 	}
       }
@@ -384,7 +384,7 @@ void RPZIXFRTracker(const ComboAddress& master, const DNSName& zoneName, boost::
 	}
 	else {
           totadd++;
-	  L<<Logger::Debug<<"Had addition of "<<rr.d_name<<endl;
+	  L<<(g_logRPZChanges ? Logger::Info : Logger::Debug)<<"Had addition of "<<rr.d_name<<" to RPZ zone "<<zoneName.toStringNoDot()<<endl;
 	  RPZRecordToPolicy(rr, newZone, true, defpol, maxTTL);
 	}
       }
diff --git a/pdns/rpzloader.hh b/pdns/rpzloader.hh
index 83a367275..37b79c5f5 100644
--- a/pdns/rpzloader.hh
+++ b/pdns/rpzloader.hh
@@ -24,6 +24,8 @@
 #include <string>
 #include "dnsrecords.hh"
 
+extern bool g_logRPZChanges;
+
 void loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
 std::shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress);
 void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zone> zone, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
-- 
2.40.0