resolved: log each time we increase the DNSSEC verdict counters

Also, don't consider RRs that aren't primary to the lookups we do as relevant to the lookups.
2016-01-21 02:21:58 +01:00 · 2016-01-21 02:21:58 +01:00 · 59c5b5974d
parent f6618dcd96
commit 59c5b5974d
6 changed files with 67 additions and 39 deletions
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@ -1292,10 +1292,10 @@ static int bus_property_get_dnssec_statistics(
        assert(m);

        return sd_bus_message_append(reply, "(tttt)",
-                                     (uint64_t) m->n_dnssec_secure,
-                                     (uint64_t) m->n_dnssec_insecure,
-                                     (uint64_t) m->n_dnssec_bogus,
-                                     (uint64_t) m->n_dnssec_indeterminate);
+                                     (uint64_t) m->n_dnssec_verdict[DNSSEC_SECURE],
+                                     (uint64_t) m->n_dnssec_verdict[DNSSEC_INSECURE],
+                                     (uint64_t) m->n_dnssec_verdict[DNSSEC_BOGUS],
+                                     (uint64_t) m->n_dnssec_verdict[DNSSEC_INDETERMINATE]);
 }

 static int bus_property_get_dnssec_supported(
@ -1326,7 +1326,7 @@ static int bus_method_reset_statistics(sd_bus_message *message, void *userdata,
                s->cache.n_hit = s->cache.n_miss = 0;

        m->n_transactions_total = 0;
-        m->n_dnssec_secure = m->n_dnssec_insecure = m->n_dnssec_bogus = m->n_dnssec_indeterminate = 0;
+        zero(m->n_dnssec_verdict);

        return sd_bus_reply_method_return(message, NULL);
 }
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@ -2142,3 +2142,11 @@ static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = {
        [DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server",
 };
 DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult);
+
+static const char* const dnssec_verdict_table[_DNSSEC_VERDICT_MAX] = {
+        [DNSSEC_SECURE] = "secure",
+        [DNSSEC_INSECURE] = "insecure",
+        [DNSSEC_BOGUS] = "bogus",
+        [DNSSEC_INDETERMINATE] = "indeterminate",
+};
+DEFINE_STRING_TABLE_LOOKUP(dnssec_verdict, DnssecVerdict);
--- a/src/resolve/resolved-dns-dnssec.h
+++ b/src/resolve/resolved-dns-dnssec.h
@ -21,8 +21,8 @@
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
 ***/

-typedef enum DnssecMode DnssecMode;
 typedef enum DnssecResult DnssecResult;
+typedef enum DnssecVerdict DnssecVerdict;

 #include "dns-domain.h"
 #include "resolved-dns-answer.h"
@ -50,6 +50,16 @@ enum DnssecResult {
        _DNSSEC_RESULT_INVALID = -1
 };

+enum DnssecVerdict {
+        DNSSEC_SECURE,
+        DNSSEC_INSECURE,
+        DNSSEC_BOGUS,
+        DNSSEC_INDETERMINATE,
+
+        _DNSSEC_VERDICT_MAX,
+        _DNSSEC_VERDICT_INVALID = -1
+};
+
 #define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)

 /* The longest digest we'll ever generate, of all digest algorithms we support */
@ -90,3 +100,6 @@ int dnssec_test_positive_wildcard(DnsAnswer *a, const char *name, const char *so

 const char* dnssec_result_to_string(DnssecResult m) _const_;
 DnssecResult dnssec_result_from_string(const char *s) _pure_;
+
+const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
+DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@ -2660,7 +2660,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                if (r < 0)
                                        return r;

-                                t->scope->manager->n_dnssec_secure++;
+                                manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);

                                /* Exit the loop, we dropped something from the answer, start from the beginning */
                                changed = true;
@ -2700,10 +2700,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                        if (r < 0)
                                                return r;

-                                        if (authenticated)
-                                                t->scope->manager->n_dnssec_secure++;
-                                        else
-                                                t->scope->manager->n_dnssec_insecure++;
+                                        manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);

                                        /* Exit the loop, we dropped something from the answer, start from the beginning */
                                        changed = true;
@ -2722,7 +2719,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                        if (r < 0)
                                                return r;

-                                        t->scope->manager->n_dnssec_insecure++;
+                                        manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
                                        changed = true;
                                        break;
                                }
@ -2744,7 +2741,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                                if (r < 0)
                                                        return r;

-                                                t->scope->manager->n_dnssec_insecure++;
+                                                manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
                                                changed = true;
                                                break;
                                        }
@ -2770,7 +2767,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                        if (r < 0)
                                                return r;

-                                        t->scope->manager->n_dnssec_insecure++;
+                                        manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
                                        changed = true;
                                        break;
                                }
@ -2792,20 +2789,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                        if (r < 0)
                                                return r;

-                                        t->scope->manager->n_dnssec_insecure++;
+                                        manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
                                        changed = true;
                                        break;
                                }
                        }

-                        if (IN_SET(result,
-                                   DNSSEC_INVALID,
-                                   DNSSEC_SIGNATURE_EXPIRED,
-                                   DNSSEC_NO_SIGNATURE))
-                                t->scope->manager->n_dnssec_bogus++;
-                        else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
-                                t->scope->manager->n_dnssec_indeterminate++;
-
                        r = dns_transaction_is_primary_response(t, rr);
                        if (r < 0)
                                return r;
@ -2823,6 +2812,14 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                }

                                if (r == 0) {
+                                        if (IN_SET(result,
+                                                   DNSSEC_INVALID,
+                                                   DNSSEC_SIGNATURE_EXPIRED,
+                                                   DNSSEC_NO_SIGNATURE))
+                                                manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
+                                        else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
+                                                manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
+
                                        /* This is a primary response to our question, and it failed validation. That's
                                         * fatal. */
                                        t->answer_dnssec_result = result;
@ -2905,11 +2902,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                        t->answer_rcode = DNS_RCODE_NXDOMAIN;
                        t->answer_authenticated = authenticated;

-                        if (authenticated)
-                                t->scope->manager->n_dnssec_secure++;
-                        else
-                                t->scope->manager->n_dnssec_insecure++;
-
+                        manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
                        break;

                case DNSSEC_NSEC_NODATA:
@ -2919,11 +2912,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                        t->answer_rcode = DNS_RCODE_SUCCESS;
                        t->answer_authenticated = authenticated;

-                        if (authenticated)
-                                t->scope->manager->n_dnssec_secure++;
-                        else
-                                t->scope->manager->n_dnssec_insecure++;
-
+                        manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
                        break;

                case DNSSEC_NSEC_OPTOUT:
@ -2932,7 +2921,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                        t->answer_dnssec_result = DNSSEC_UNSIGNED;
                        t->answer_authenticated = false;

-                        t->scope->manager->n_dnssec_insecure++;
+                        manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
                        break;

                case DNSSEC_NSEC_NO_RR:
@ -2943,11 +2932,11 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                                return r;
                        if (r > 0) {
                                t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
-                                t->scope->manager->n_dnssec_indeterminate++;
+                                manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
                        } else {
                                t->answer_dnssec_result = DNSSEC_UNSIGNED;
                                t->answer_authenticated = false;
-                                t->scope->manager->n_dnssec_insecure++;
+                                manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
                        }

                        break;
@ -2955,14 +2944,14 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
                case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
                        /* We don't know the NSEC3 algorithm used? */
                        t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
-                        t->scope->manager->n_dnssec_indeterminate++;
+                        manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, t->key);
                        break;

                case DNSSEC_NSEC_FOUND:
                case DNSSEC_NSEC_CNAME:
                        /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
                        t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
-                        t->scope->manager->n_dnssec_bogus++;
+                        manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
                        break;

                default:
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@ -1203,3 +1203,19 @@ bool manager_dnssec_supported(Manager *m) {

        return true;
 }
+
+void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key) {
+
+        assert(verdict >= 0);
+        assert(verdict < _DNSSEC_VERDICT_MAX);
+
+        if (log_get_max_level() >= LOG_DEBUG) {
+                _cleanup_free_ char *s = NULL;
+
+                (void) dns_resource_key_to_string(key, &s);
+
+                log_debug("Found verdict for lookup %s: %s", s ? strstrip(s) : "n/a", dnssec_verdict_to_string(verdict));
+        }
+
+        m->n_dnssec_verdict[verdict]++;
+}
--- a/src/resolve/resolved-manager.h
+++ b/src/resolve/resolved-manager.h
@ -123,7 +123,7 @@ struct Manager {
        sd_event_source *sigusr1_event_source;

        unsigned n_transactions_total;
-        unsigned n_dnssec_secure, n_dnssec_insecure, n_dnssec_bogus, n_dnssec_indeterminate;
+        unsigned n_dnssec_verdict[_DNSSEC_VERDICT_MAX];
 };

 /* Manager */
@ -161,3 +161,5 @@ int manager_compile_search_domains(Manager *m, OrderedSet **domains);

 DnssecMode manager_get_dnssec_mode(Manager *m);
 bool manager_dnssec_supported(Manager *m);
+
+void manager_dnssec_verdict(Manager *m, DnssecVerdict verdict, const DnsResourceKey *key);