#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "secpoll-auth.hh"

#include "logger.hh"
#include "arguments.hh"
#include "version.hh"
#include "dnsparser.hh"
#include "misc.hh"

#include "sstuff.hh"
#include "dnswriter.hh"
#include "dns_random.hh"
#include "namespaces.hh"
#include "statbag.hh"
#include "stubresolver.hh"
#include "secpoll.hh"
#include "dnsrecords.hh"
#include <stdint.h>
// The version string that is polled can be pinned at build time by defining
// PACKAGEVERSION; otherwise it falls back to the runtime getPDNSVersion().
#ifndef PACKAGEVERSION
#define PACKAGEVERSION getPDNSVersion()
#endif
24 | ||
// Human-readable message from the most recent successful security poll.
// Written by doSecPoll(); non-static, so presumably read elsewhere in the server.
string g_security_message;

// Process-wide statistics; doSecPoll() reads and writes its "security-status" entry.
extern StatBag S;
28 | ||
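/** Do an actual secpoll for the current version.
 *
 * Builds the query name "auth-<version>.security-status.<suffix>." from the
 * running version and the configured security-poll-suffix, resolves it as a
 * TXT record through the stub resolver and hands the answer to
 * processSecPoll(), which updates the numeric security status and the
 * human-readable message. The result is published through the
 * "security-status" StatBag entry and g_security_message; a status of 2 or 3
 * is logged as an error.
 *
 * @param first bool that tells if this is the first secpoll run since startup;
 *              it only decides whether a "no known issues" line is logged for status 1
 */
void doSecPoll(bool first)
{
  // Polling is disabled entirely when no suffix is configured.
  if(::arg()["security-poll-suffix"].empty())
    return;

  // Keep the version string around: it is needed for the query name, the
  // release-version check and the log lines below.
  string pkgv(PACKAGEVERSION);

  string version = "auth-" + pkgv;
  // A DNS label is at most 63 octets, so the version label is truncated to fit.
  string query = version.substr(0, 63) +".security-status."+::arg()["security-poll-suffix"];

  // Ensure a trailing dot so the name is absolute regardless of how the
  // suffix was configured.
  if(query.back()!='.')
    query+='.';

  // '+' and '~' occur in version strings but are not wanted in a hostname label.
  boost::replace_all(query, "+", "_");
  boost::replace_all(query, "~", "_");

  // NOTE(review): std::stoi throws if the stored value is not numeric; the
  // entry is only ever written with an int in this function, so that is
  // assumed not to happen.
  int security_status = std::stoi(S.getValueStr("security-status"));

  vector<DNSRecord> ret;
  int res = stubDoResolve(DNSName(query), QType::TXT, ret);

  // A non-release build is not expected to have a published status record;
  // leave the stored status untouched instead of treating NXDomain as an error.
  if (res == RCode::NXDomain && !isReleaseVersion(pkgv)) {
    g_log<<Logger::Warning<<"Not validating response for security status update, this is a non-release version"<<endl;
    return;
  }

  string security_message;

  try {
    processSecPoll(res, ret, security_status, security_message);
  } catch(const PDNSException &pe) {
    // processSecPoll may have adjusted security_status before throwing; store
    // whatever it left there and keep the previous message.
    S.set("security-status", security_status);
    g_log<<Logger::Warning<<"Could not retrieve security status update for '" + pkgv + "' on '"+ query + "': "<<pe.reason<<endl;
    return;
  }

  S.set("security-status", security_status);
  g_security_message = security_message;

  if(security_status == 1 && first) {
    g_log<<Logger::Warning << "Polled security status of version "<<pkgv<<" at startup, no known issues reported: " <<g_security_message<<endl;
  }
  if(security_status == 2) {
    g_log<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
  }
  if(security_status == 3) {
    g_log<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
  }
}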