From c87e18768266795b50ca7eb370921aee999b29be Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Mon, 4 Jul 2016 15:15:41 +0200 Subject: [PATCH] Recursor: Allow logging DNSSEC bogus in any mode Also allow setting this at runtime. --- docs/manpages/rec_control.1.md | 4 ++++ docs/markdown/recursor/settings.md | 8 +++++++ pdns/pdns_recursor.cc | 5 ++++- pdns/rec_channel_rec.cc | 35 +++++++++++++++++++++++++++++- pdns/validate-recursor.cc | 1 + pdns/validate-recursor.hh | 1 + 6 files changed, 52 insertions(+), 2 deletions(-) diff --git a/docs/manpages/rec_control.1.md b/docs/manpages/rec_control.1.md index da0b383dc..4aa0abe8d 100644 --- a/docs/manpages/rec_control.1.md +++ b/docs/manpages/rec_control.1.md @@ -116,6 +116,10 @@ reload-zones : Reload authoritative and forward zones. Retains current configuration in case of errors. +set-dnssec-log-bogus *SETTING* +: Set dnssec-log-bogus setting to *SETTING*. Set to 'on' or 'yes' to log DNSSEC + validation failures and to 'no' or 'off' to disable logging these failures. + set-minimum-ttl *NUM* : Set minimum-ttl-override to *NUM*. diff --git a/docs/markdown/recursor/settings.md b/docs/markdown/recursor/settings.md index ac267eef9..7a6ae17d4 100644 --- a/docs/markdown/recursor/settings.md +++ b/docs/markdown/recursor/settings.md @@ -203,6 +203,14 @@ responses. #### `validate` Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses. +## `dnssec-log-bogus` +* Boolean +* Default: no +* Available since: 4.0.0 + +Log every DNSSEC validation failure. +**Note**: This is not logged per-query but every time records are validated as Bogus. + ## `dont-query` * Netmasks, comma separated * Default: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index 33c9364a8..c629f1213 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc 
@@ -975,7 +975,7 @@ void startDoResolve(void *p) pw.getHeader()->ad=0; } else if(state == Bogus) { - if(sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) { + if(g_dnssecLogBogus || sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) { L<d_mdp.d_qname<<" for "<d_remote.toStringWithPort()<<" validates as Bogus"< +string doSetDnssecLogBogus(T begin, T end) +{ + if (begin == end) + return "No DNSSEC Bogus logging setting specified\n"; + + if (pdns_iequals(*begin, "on") || pdns_iequals(*begin, "yes")) { + if (!g_dnssecLogBogus) { + L< string doAddNTA(T begin, T end) { @@ -1106,6 +1135,7 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP "reload-zones reload all auth and forward zones\n" "set-minimum-ttl value set minimum-ttl-override\n" "set-carbon-server set a carbon server for telemetry\n" +"set-dnssec-log-bogus SETTING enable (SETTING=yes) or disable (SETTING=no) logging of DNSSEC validation failures\n" "trace-regex [regex] emit resolution trace for matching queries (empty regex to clear trace)\n" "top-largeanswer-remotes show top remotes receiving large answers\n" "top-queries show top queries\n" @@ -1258,6 +1288,9 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP if(cmd=="get-tas") { return getTAs(); } - + + if (cmd=="set-dnssec-log-bogus") + return doSetDnssecLogBogus(begin, end); + return "Unknown command '"+cmd+"', try 'help'\n"; } diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc index eae00a61d..898fb97be 100644 --- a/pdns/validate-recursor.cc +++ b/pdns/validate-recursor.cc @@ -4,6 +4,7 @@ #include "logger.hh" DNSSECMode g_dnssecmode{DNSSECMode::ProcessNoValidate}; +bool g_dnssecLogBogus; #define LOG(x) if(g_dnssecLOG) { L <& recs); enum class DNSSECMode { Off, Process, ProcessNoValidate, ValidateForLog, ValidateAll }; extern DNSSECMode g_dnssecmode; +extern bool g_dnssecLogBogus; -- 2.40.0
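Review bot: `g_dnssecLogBogus` is declared as a plain `bool` (validate-recursor.hh/.cc in this patch) yet is written at runtime by `doSetDnssecLogBogus` in rec_channel_rec.cc and read here on the resolve path in `startDoResolve`; if the control channel and resolution run on different threads, which the recursor's threaded design suggests, that write/read pair is an unsynchronized data race with no defined ordering. Declaring it `std::atomic<bool>` and using `g_dnssecLogBogus.load(std::memory_order_relaxed)` here and a matching `store` in the setter keeps the check cheap while making the access well-defined. The same applies to the `if (!g_dnssecLogBogus)` read inside `doSetDnssecLogBogus`. Separately, this line logs once per client query (it prints `d_remote`), whereas settings.md in the same patch states the failure is "not logged per-query"; the two should be reconciled so operators can judge the log volume an untrusted client can produce by querying a bogus name. The enclosing `else if(state == Bogus)` branch and the body of `startDoResolve` extend outside the hunk.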
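Review bot: The new help line `set-dnssec-log-bogus SETTING enable (SETTING=yes) or disable (SETTING=no) ...` documents only `yes`/`no`, while the visible prefix of `doSetDnssecLogBogus` in the preceding hunk accepts `pdns_iequals(*begin, "on") || pdns_iequals(*begin, "yes")` and the rec_control.1.md hunk advertises `on`/`yes` and `no`/`off`. Change it to `"set-dnssec-log-bogus SETTING enable (SETTING=yes|on) or disable (SETTING=no|off) logging of DNSSEC validation failures\n"` so the three places agree. The body of `doSetDnssecLogBogus` after the `on`/`yes` branch is not legible on this page, so the `off`/`no` branch and the response for an unrecognised value could not be reviewed here; a caller passing anything else should receive an explicit error string rather than silently leaving the flag unchanged.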
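Review bot: `bool g_dnssecLogBogus;` relies on zero-initialisation of static storage to start as `false`, while the adjacent `DNSSECMode g_dnssecmode{DNSSECMode::ProcessNoValidate};` carries an explicit brace initializer; for consistency and so the default is visible at the definition, write `bool g_dnssecLogBogus{false};`. The settings.md hunk documents the default as `no`, so an explicit initializer also ties the code to the documented default. If the flag is made atomic to fix the cross-thread access, the same line becomes `std::atomic<bool> g_dnssecLogBogus{false};` with the matching `extern` in validate-recursor.hh.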