Merge pull request #4097 from pieterlexis/DNSSEC-Log-Bogus
Recursor: Allow logging DNSSEC bogus in any mode
pieterlexis authored Jul 5, 2016
2 parents 5d59f52 + c87e187 commit 7f1a3cc
Showing 6 changed files with 52 additions and 2 deletions.
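--- a/docs/manpages/rec_control.1.md
+++ b/docs/manpages/rec_control.1.md
@@ -124,6 +124,10 @@ reload-zones
 : Reload authoritative and forward zones. Retains current configuration
 in case of errors.
 
+set-dnssec-log-bogus *SETTING*
+: Set dnssec-log-bogus setting to *SETTING*. Set to 'on' or 'yes' to log DNSSEC
+validation failures and to 'no' or 'off' to disable logging these failures.
+
 set-minimum-ttl *NUM*
 : Set minimum-ttl-override to *NUM*.
 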
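--- a/docs/markdown/recursor/settings.md
+++ b/docs/markdown/recursor/settings.md
@@ -203,6 +203,14 @@ responses.
 #### `validate`
 Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.
 
+## `dnssec-log-bogus`
+* Boolean
+* Default: no
+* Available since: 4.0.0
+
+Log every DNSSEC validation failure.
+**Note**: This is not logged per-query but every time records are validated as Bogus.
+
 ## `dont-query`
 * Netmasks, comma separated
 * Default: 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16,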
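--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -912,7 +912,7 @@ void startDoResolve(void *p)
 pw.getHeader()->ad=0;
 }
 else if(state == Bogus) {
-if(sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) {
+if(g_dnssecLogBogus || sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) {
 L<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<" validates as Bogus"<<endl;
 }
 
@@ -2527,6 +2527,8 @@ int serviceMain(int argc, char*argv[])
 exit(1);
 }
 
+g_dnssecLogBogus = ::arg().mustDo("dnssec-log-bogus");
+
 if(::arg()["trace"]=="fail") {
 SyncRes::setDefaultLogMode(SyncRes::Store);
 }
@@ -2852,6 +2854,7 @@ int main(int argc, char **argv)
 ::arg().setSwitch("non-local-bind", "Enable binding to non-local addresses by using FREEBIND / BINDANY socket options")="no";
 ::arg().set("trace","if we should output heaps of logging. set to 'fail' to only log failing domains")="off";
 ::arg().set("dnssec", "DNSSEC mode: off/process-no-validate (default)/process/log-fail/validate")="process-no-validate";
+::arg().set("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";
 ::arg().set("daemon","Operate as a daemon")="no";
 ::arg().setSwitch("write-pid","Write a PID file")="yes";
 ::arg().set("loglevel","Amount of logging. Higher is more. Do not set below 3")="4";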
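Review bot: The new setting is registered with `::arg().set("dnssec-log-bogus", ...)="no"` in `main` although it is a boolean that `serviceMain` reads with `mustDo`, while the neighbouring booleans `non-local-bind` and `write-pid` are registered with `setSwitch`; `::arg().setSwitch("dnssec-log-bogus", "Log DNSSEC bogus validations")="no";` would keep the boolean settings uniform (`daemon` also uses `set`, so this appears to be a pre-existing inconsistency rather than a new one, and I assume `mustDo` accepts either form). The help text could also state what the switch adds over the `dnssec` mode, which is the point of this change per the commit title: `"Log DNSSEC validation failures (Bogus) regardless of the dnssec mode"`. The bodies of `startDoResolve`, `serviceMain` and `main` all continue outside their hunks.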
35 changes: 34 additions & 1 deletion pdns/rec_channel_rec.cc
Expand Up @@ -30,6 +30,8 @@
#include "responsestats.hh"
#include "rec-lua-conf.hh"

#include "validate-recursor.hh"

#include "secpoll-recursor.hh"
#include "pubsuffix.hh"
#include "namespaces.hh"
Expand Down Expand Up @@ -342,6 +344,33 @@ string doSetCarbonServer(T begin, T end)
return ret;
}

template<typename T>
string doSetDnssecLogBogus(T begin, T end)
{
if (begin == end)
return "No DNSSEC Bogus logging setting specified\n";

if (pdns_iequals(*begin, "on") || pdns_iequals(*begin, "yes")) {
if (!g_dnssecLogBogus) {
L<<Logger::Warning<<"Enabeling DNSSEC Bogus logging, requested via control channel"<<endl;
g_dnssecLogBogus = true;
return "DNSSEC Bogus logging enabled\n";
}
return "DNSSEC Bogus logging was already enabled\n";
}

if (pdns_iequals(*begin, "off") || pdns_iequals(*begin, "no")) {
if (g_dnssecLogBogus) {
L<<Logger::Warning<<"Disabeling DNSSEC Bogus logging, requested via control channel"<<endl;
g_dnssecLogBogus = false;
return "DNSSEC Bogus logging disabled\n";
}
return "DNSSEC Bogus logging was already disabled\n";
}

return "Unknown DNSSEC Bogus setting: '" + *begin +"'\n";
}

template<typename T>
string doAddNTA(T begin, T end)
{
Expand Down Expand Up @@ -1107,6 +1136,7 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
"reload-zones reload all auth and forward zones\n"
"set-minimum-ttl value set minimum-ttl-override\n"
"set-carbon-server set a carbon server for telemetry\n"
"set-dnssec-log-bogus SETTING enable (SETTING=yes) or disable (SETTING=no) logging of DNSSEC validation failures\n"
"trace-regex [regex] emit resolution trace for matching queries (empty regex to clear trace)\n"
"top-largeanswer-remotes show top remotes receiving large answers\n"
"top-queries show top queries\n"
Expand Down Expand Up @@ -1276,6 +1306,9 @@ string RecursorControlParser::getAnswer(const string& question, RecursorControlP
if(cmd=="get-tas") {
return getTAs();
}


if (cmd=="set-dnssec-log-bogus")
return doSetDnssecLogBogus(begin, end);

return "Unknown command '"+cmd+"', try 'help'\n";
}
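Review bot: The two new log messages in `doSetDnssecLogBogus` misspell the verb: `L<<Logger::Warning<<"Enabling DNSSEC Bogus logging, requested via control channel"<<endl;` and `L<<Logger::Warning<<"Disabling DNSSEC Bogus logging, requested via control channel"<<endl;`. Separately, this function writes `g_dnssecLogBogus` from the control channel while `startDoResolve` in pdns_recursor.cc reads it; if those run on different threads (the hunk does not show the threading, so this is inferred), a plain `bool` is an unsynchronized read/write, and declaring it `std::atomic<bool> g_dnssecLogBogus{false};` in validate-recursor.cc with `extern std::atomic<bool> g_dnssecLogBogus;` (plus `#include <atomic>`) in validate-recursor.hh fixes that without changing any of the use sites shown here. The help line added to `getAnswer` mentions only `yes`/`no`, while the handler also accepts `on`/`off` as rec_control.1.md documents; listing both in the help text would avoid the mismatch. `getAnswer` starts and ends outside the hunks.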
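--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -4,6 +4,7 @@
 #include "logger.hh"
 
 DNSSECMode g_dnssecmode{DNSSECMode::ProcessNoValidate};
+bool g_dnssecLogBogus;
 
 #define LOG(x) if(g_dnssecLOG) { L <<Logger::Warning << x; }
 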
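Review bot: `bool g_dnssecLogBogus;` leaves the initial value to static zero-initialization, while the line directly above brace-initializes `g_dnssecmode`; `bool g_dnssecLogBogus{false};` makes the default explicit and matches that style. The value is overwritten from the `dnssec-log-bogus` setting in `serviceMain` before it is consulted, so this is a readability point rather than a behavioural one.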
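--- a/pdns/validate-recursor.hh
+++ b/pdns/validate-recursor.hh
@@ -14,3 +14,4 @@ vState validateRecords(const vector<DNSRecord>& recs);
 
 enum class DNSSECMode { Off, Process, ProcessNoValidate, ValidateForLog, ValidateAll };
 extern DNSSECMode g_dnssecmode;
+extern bool g_dnssecLogBogus;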