[thirdparty/pdns.git] / pdns / secpoll-recursor.cc

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "secpoll-recursor.hh"
#include "syncres.hh"
#include "logger.hh"
#include "arguments.hh"
#include "version.hh"
#include "validate-recursor.hh"

#include <stdint.h>
#ifndef PACKAGEVERSION 
#define PACKAGEVERSION getPDNSVersion()
#endif

uint32_t g_security_status;
string g_security_message;

void doSecPoll(time_t* last_secpoll)
{
  if(::arg()["security-poll-suffix"].empty())
    return;

  string pkgv(PACKAGEVERSION);
  struct timeval now;
  gettimeofday(&now, 0);
  SyncRes sr(now);
  if (g_dnssecmode != DNSSECMode::Off)
    sr.d_doDNSSEC=true;
  vector<DNSRecord> ret;

  string version = "recursor-" +pkgv;
  string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);

  if(*qstring.rbegin()!='.')
    qstring+='.';

  boost::replace_all(qstring, "+", "_");
  boost::replace_all(qstring, "~", "_");

  vState state = Indeterminate;
  DNSName query(qstring);
  int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);

  if (g_dnssecmode != DNSSECMode::Off && res)
    state = validateRecords(ret);

  if(state == Bogus) {
    L<<Logger::Error<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
    if(g_security_status == 1) // If we were OK, go to unknown
      g_security_status = 0;
    return;
  }

  if(!res && !ret.empty()) {
    string content=ret.begin()->d_content->getZoneRepresentation();
    if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') {
      content=content.substr(1, content.length()-2);
    }
      
    pair<string, string> split = splitField(content, ' ');
    
    g_security_status = std::stoi(split.first);
    g_security_message = split.second;

    *last_secpoll=now.tv_sec;
  }
  else {
    if(pkgv.find("0.0."))
      L<<Logger::Warning<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', RCODE = "<< RCode::to_s(res)<<endl;
    else
      L<<Logger::Warning<<"Ignoring response for security status update, this a non-release version."<<endl;

    if(g_security_status == 1) // it was ok, now it is unknown
      g_security_status = 0;
    if(res == RCode::NXDomain) // if we had NXDOMAIN, keep on trying more more frequently
      *last_secpoll=now.tv_sec; 
  }

  if(g_security_status == 2) {
    L<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
  }
  else if(g_security_status == 3) {
    L<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
  }
}
Commit	Line	Data
870a0fe4 AT	1	#ifdef HAVE_CONFIG_H
	2	#include "config.h"
	3	#endif
806c95f2	4	#include "secpoll-recursor.hh"
	5	#include "syncres.hh"
	6	#include "logger.hh"
	7	#include "arguments.hh"
6c85e51f	8	#include "version.hh"
e6e0b487	9	#include "validate-recursor.hh"
77b9f5ff	10
d36904fb	11	#include <stdint.h>
806c95f2	12	#ifndef PACKAGEVERSION
77b9f5ff	13	#define PACKAGEVERSION getPDNSVersion()
806c95f2	14	#endif
	15
	16	uint32_t g_security_status;
	17	string g_security_message;
	18
	19	void doSecPoll(time_t* last_secpoll)
	20	{
	21	if(::arg()["security-poll-suffix"].empty())
	22	return;
	23
e6e0b487	24	string pkgv(PACKAGEVERSION);
806c95f2	25	struct timeval now;
	26	gettimeofday(&now, 0);
	27	SyncRes sr(now);
e6e0b487 PL	28	if (g_dnssecmode != DNSSECMode::Off)
e6e0b487 PL	29	sr.d_doDNSSEC=true;
e325f20c	30	vector<DNSRecord> ret;
806c95f2	31
e6e0b487	32	string version = "recursor-" +pkgv;
8171ab83	33	string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);
6c85e51f	34
8171ab83	35	if(*qstring.rbegin()!='.')
8171ab83	36	qstring+='.';
c0a074d7	37
8171ab83	38	boost::replace_all(qstring, "+", "_");
8171ab83	39	boost::replace_all(qstring, "~", "_");
c0a074d7	40
e6e0b487	41	vState state = Indeterminate;
8171ab83	42	DNSName query(qstring);
6c85e51f	43	int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);
e6e0b487 PL	44
	45	if (g_dnssecmode != DNSSECMode::Off && res)
	46	state = validateRecords(ret);
	47
	48	if(state == Bogus) {
	49	L<<Logger::Error<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
	50	if(g_security_status == 1) // If we were OK, go to unknown
	51	g_security_status = 0;
	52	return;
	53	}
	54
806c95f2	55	if(!res && !ret.empty()) {
e325f20c	56	string content=ret.begin()->d_content->getZoneRepresentation();
806c95f2	57	if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') {
	58	content=content.substr(1, content.length()-2);
	59	}
	60
	61	pair<string, string> split = splitField(content, ' ');
	62
335da0ba	63	g_security_status = std::stoi(split.first);
806c95f2	64	g_security_message = split.second;
	65
	66	*last_secpoll=now.tv_sec;
	67	}
	68	else {
a4e9add5	69	if(pkgv.find("0.0."))
8171ab83	70	L<<Logger::Warning<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', RCODE = "<< RCode::to_s(res)<<endl;
a4e9add5	71	else
e6e0b487	72	L<<Logger::Warning<<"Ignoring response for security status update, this a non-release version."<<endl;
a4e9add5	73
e6e0b487	74	if(g_security_status == 1) // it was ok, now it is unknown
806c95f2	75	g_security_status = 0;
e6e0b487	76	if(res == RCode::NXDomain) // if we had NXDOMAIN, keep on trying more more frequently
c0a074d7	77	*last_secpoll=now.tv_sec;
806c95f2	78	}
	79
	80	if(g_security_status == 2) {
	81	L<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
	82	}
	83	else if(g_security_status == 3) {
	84	L<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
	85	}
	86	}