]> git.ipfire.org Git - thirdparty/pdns.git/blame - pdns/secpoll-recursor.cc
projects / thirdparty / pdns.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge pull request #6620 from Habbie/nit
[thirdparty/pdns.git] / pdns / secpoll-recursor.cc
CommitLineData
870a0fe4
AT		 1#ifdef HAVE_CONFIG_H
2#include "config.h"
3#endif
806c95f2 4#include "secpoll-recursor.hh"
5#include "syncres.hh"
6#include "logger.hh"
7#include "arguments.hh"
6c85e51f 8#include "version.hh"
e6e0b487 9#include "validate-recursor.hh"
77b9f5ff 10
d36904fb 11#include <stdint.h>
806c95f2 12#ifndef PACKAGEVERSION
77b9f5ff 13#define PACKAGEVERSION getPDNSVersion()
806c95f2 14#endif
15
16uint32_t g_security_status;
17string g_security_message;
18
19void doSecPoll(time_t* last_secpoll)
20{
21 if(::arg()["security-poll-suffix"].empty())
22 return;
23
e6e0b487 24 string pkgv(PACKAGEVERSION);
806c95f2 25 struct timeval now;
26 gettimeofday(&now, 0);
491d5d97
RG		 27
28 /* update last_secpoll right now, even if it fails
29 we don't want to retry right away and hammer the server */
30 *last_secpoll=now.tv_sec;
31
806c95f2 32 SyncRes sr(now);
0c43f455 33 if (g_dnssecmode != DNSSECMode::Off) {
30ee601a 34 sr.setDoDNSSEC(true);
0c43f455
RG		 35 sr.setDNSSECValidationRequested(true);
36 }
37
e325f20c 38 vector<DNSRecord> ret;
581d4ea3 39
e6e0b487 40 string version = "recursor-" +pkgv;
8171ab83 41 string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);
6c85e51f 42
8171ab83 43 if(*qstring.rbegin()!='.')
44 qstring+='.';
c0a074d7 45
8171ab83 46 boost::replace_all(qstring, "+", "_");
47 boost::replace_all(qstring, "~", "_");
c0a074d7 48
e6e0b487 49 vState state = Indeterminate;
8171ab83 50 DNSName query(qstring);
6c85e51f 51 int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);
e6e0b487 52
4898a348 53 if (g_dnssecmode != DNSSECMode::Off && res) {
4d2be65d 54 state = sr.getValidationState();
4898a348 55 }
e6e0b487
PL		 56
57 if(state == Bogus) {
e6a9dde5 58 g_log<<Logger::Error<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
e6e0b487
PL		 59 if(g_security_status == 1) // If we were OK, go to unknown
60 g_security_status = 0;
61 return;
62 }
63
806c95f2 64 if(!res && !ret.empty()) {
581d4ea3 65 string content;
66 for(const auto&r : ret) {
67 if(r.d_type == QType::TXT)
68 content = r.d_content->getZoneRepresentation();
69 }
70
806c95f2 71 if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') {
72 content=content.substr(1, content.length()-2);
73 }
581d4ea3 74
806c95f2 75 pair<string, string> split = splitField(content, ' ');
76
335da0ba 77 g_security_status = std::stoi(split.first);
806c95f2 78 g_security_message = split.second;
806c95f2 79 }
80 else {
a350fc7a 81 if(pkgv.find("0.0.") != 0)
e6a9dde5 82 g_log<<Logger::Warning<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', RCODE = "<< RCode::to_s(res)<<endl;
a4e9add5 83 else
e6a9dde5 84 g_log<<Logger::Warning<<"Ignoring response for security status update, this is a non-release version."<<endl;
a4e9add5 85
e6e0b487 86 if(g_security_status == 1) // it was ok, now it is unknown
806c95f2 87 g_security_status = 0;
88 }
89
90 if(g_security_status == 2) {
e6a9dde5 91 g_log<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
806c95f2 92 }
93 else if(g_security_status == 3) {
e6a9dde5 94 g_log<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
806c95f2 95 }
96}
Unnamed repository; edit this file 'description' to name the repository.