1 | #ifdef HAVE_CONFIG_H |
2 | #include "config.h" | |
3 | #endif | |
806c95f2 | 4 | #include "secpoll-recursor.hh" |
5 | #include "syncres.hh" | |
6 | #include "logger.hh" | |
7 | #include "arguments.hh" | |
6c85e51f | 8 | #include "version.hh" |
e6e0b487 | 9 | #include "validate-recursor.hh" |
77b9f5ff | 10 | |
d36904fb | 11 | #include <stdint.h> |
806c95f2 | 12 | #ifndef PACKAGEVERSION |
77b9f5ff | 13 | #define PACKAGEVERSION getPDNSVersion() |
806c95f2 | 14 | #endif |
// Result of the most recent security poll. doSecPoll() treats 1 as "OK",
// 2 as "update recommended", 3 as "update mandatory" and 0 as unknown;
// it resets 1 to 0 whenever a poll fails. Zero-initialised like any global.
uint32_t g_security_status{0};
// Free-text part of the last successfully parsed security-status record.
std::string g_security_message{};
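// Parse the status field of a security-status TXT record ("<status> <message>").
// Only a non-empty, all-digit field that fits in uint32_t is accepted, so a
// malformed or forged answer can neither throw (as std::stoi would, from the
// poll thread) nor wrap a negative number into a large unsigned status.
// Returns false on rejection and leaves 'status' untouched.
static bool parseSecurityStatus(const string& field, uint32_t& status)
{
  if (field.empty())
    return false;
  uint64_t value = 0;
  for (char c : field) {
    if (c < '0' || c > '9')
      return false;
    value = value * 10 + static_cast<uint64_t>(c - '0');
    if (value > UINT32_MAX)
      return false;
  }
  status = static_cast<uint32_t>(value);
  return true;
}

// Resolve the security-status TXT record for this recursor version under the
// configured 'security-poll-suffix' and update g_security_status and
// g_security_message from it. Does nothing when no suffix is configured.
// 'last_secpoll' is set to the current time when an answer was parsed or the
// name does not exist (NXDOMAIN); on other failures it is left alone,
// presumably so that the caller polls again sooner — confirm against the caller.
void doSecPoll(time_t* last_secpoll)
{
  if(::arg()["security-poll-suffix"].empty())
    return;

  string pkgv(PACKAGEVERSION);
  struct timeval now{};
  gettimeofday(&now, nullptr);
  SyncRes sr(now);
  if (g_dnssecmode != DNSSECMode::Off)
    sr.d_doDNSSEC=true;
  vector<DNSRecord> ret;

  // Query name: "recursor-<version>.security-status.<suffix>.", with the
  // version label truncated to the 63-octet DNS label limit and characters
  // that are not label-safe ('+', '~') mapped to '_'.
  string version = "recursor-" +pkgv;
  string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);

  if(qstring.back()!='.')
    qstring+='.';

  boost::replace_all(qstring, "+", "_");
  boost::replace_all(qstring, "~", "_");

  vState state = Indeterminate;
  DNSName query(qstring);
  int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);

  // With DNSSEC enabled, validate whatever records came back. This used to be
  // gated on res != 0, which skipped validation for exactly the NOERROR
  // answers whose content is consumed below, leaving an unvalidated (possibly
  // forged) record free to set the security status.
  if (g_dnssecmode != DNSSECMode::Off && !ret.empty())
    state = validateRecords(ret);

  if(state == Bogus) {
    L<<Logger::Error<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
    if(g_security_status == 1) // If we were OK, go to unknown
      g_security_status = 0;
    return;
  }

  if(!res && !ret.empty()) {
    string content=ret.begin()->d_content->getZoneRepresentation();
    // Strip the enclosing quotes of the TXT presentation format; a lone '"'
    // is left alone rather than being turned into an empty string.
    if(content.size() >= 2 && content.front()=='"' && content.back()=='"') {
      content=content.substr(1, content.length()-2);
    }

    pair<string, string> split = splitField(content, ' ');

    uint32_t status = 0;
    if (parseSecurityStatus(split.first, status)) {
      g_security_status = status;
      g_security_message = split.second;

      *last_secpoll=now.tv_sec;
    }
    else {
      // Answer did not carry a usable status: keep the previous state, but
      // like the other failure paths downgrade a known-OK status to unknown.
      L<<Logger::Error<<"Could not parse security status update for '" +pkgv+ "' on '"<<query<<"', unexpected status field '"<<split.first<<"'"<<endl;
      if(g_security_status == 1)
        g_security_status = 0;
    }
  }
  else {
    // A version starting with "0.0." is a non-release build (see the message
    // below); find() == 0 means that prefix is present.
    if(pkgv.find("0.0.") != 0)
      L<<Logger::Warning<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', RCODE = "<< RCode::to_s(res)<<endl;
    else
      L<<Logger::Warning<<"Ignoring response for security status update, this a non-release version."<<endl;

    if(g_security_status == 1) // it was ok, now it is unknown
      g_security_status = 0;
    // NXDOMAIN means no status record is published for this version; record
    // the poll time as for a completed poll. The original comment claimed
    // this makes the caller retry "more frequently" — verify against the
    // caller's scheduling before relying on that.
    if(res == RCode::NXDomain)
      *last_secpoll=now.tv_sec;
  }

  if(g_security_status == 2) {
    L<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
  }
  else if(g_security_status == 3) {
    L<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
  }
}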