4 #include "secpoll-recursor.hh"
7 #include "arguments.hh"
9 #include "validate-recursor.hh"
// Fallback for builds that do not define PACKAGEVERSION themselves: the
// version string is then taken from getPDNSVersion(). doSecPoll() embeds this
// value in the DNS name it queries.
13 #ifndef PACKAGEVERSION
14 #define PACKAGEVERSION getPDNSVersion()
// Result of the most recent security poll. Values as used by doSecPoll() in
// this file: 0 = unknown, 1 = OK (no known issues), 2 = security update
// recommended, 3 = security update mandatory.
17 uint32_t g_security_status;
// Message stored by the last poll that was processed without an exception;
// doSecPoll() writes it to the log as-is.
18 string g_security_message;
// Poll the security-status DNS name for this recursor version and publish the
// outcome in g_security_status / g_security_message.
//
// last_secpoll: out-parameter; set to the current time before the lookup is
//               attempted, so a failing poll is not retried immediately.
//
// NOTE(review): this listing shows only part of the function. The leading
// numbers are the original source line numbers; gaps mark lines that are not
// visible here (braces, early exits, the declarations of `now` and `sr`, the
// opening `try`, the condition guarding the "Bogus" log line). Comments below
// describe only what the visible lines establish; anything else is hedged.
20 void doSecPoll(time_t* last_secpoll)
     // Polling is keyed on the "security-poll-suffix" setting; the statement
     // run when it is empty (line 23) is not shown - presumably an early exit.
22   if(::arg()["security-poll-suffix"].empty())
25   string pkgv(PACKAGEVERSION);
27   gettimeofday(&now, 0);
29   /* update last_secpoll right now, even if it fails
30      we don't want to retry right away and hammer the server */
31   *last_secpoll=now.tv_sec;
     // Validation is requested only when the DNSSEC mode is not Off. With
     // DNSSEC off, whatever the lookup below returns is used without any
     // authentication of the answer.
34   if (g_dnssecmode != DNSSECMode::Off) {
36     sr.setDNSSECValidationRequested(true);
     // Receives the records of the answer.
39   vector<DNSRecord> ret;
     // Query name: "recursor-<version>" cut to 63 characters (the DNS label
     // length limit), then ".security-status." and the configured suffix.
41   string version = "recursor-" +pkgv;
42   string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);
     // Trailing-dot check; the statement it guards (line 45) is not shown -
     // presumably it appends the missing '.'.
44   if(*qstring.rbegin()!='.')
     // '+' and '~' are mapped to '_'. The replacement runs over the whole
     // name, so it also rewrites those characters in the configured suffix.
47   boost::replace_all(qstring, "+", "_");
48   boost::replace_all(qstring, "~", "_");
50   vState state = Indeterminate;
51   DNSName query(qstring);
     // TXT lookup through the resolver object `sr`. The literal 1 is
     // presumably the query class (IN) - confirm against beginResolve().
52   int res = sr.beginResolve(query, QType(QType::TXT), 1, ret);
     // The validation state is read only when DNSSEC is enabled AND res is
     // non-zero; for res == 0 `state` stays Indeterminate.
     // NOTE(review): confirm that an answer failing validation can never come
     // back with res == 0, otherwise the Bogus handling below is bypassed.
54   if (g_dnssecmode != DNSSECMode::Off && res) {
55     state = sr.getValidationState();
     // Bogus-result path (the guarding condition on line 58 is not shown).
     // Only an "OK" status is downgraded to "unknown"; a previously recorded
     // 2 or 3 is left in place, so a failed validation neither confirms nor
     // clears an earlier warning.
59     g_log<<Logger::Error<<"Could not retrieve security status update for '" +pkgv + "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
60     if(g_security_status == 1) // If we were OK, go to unknown
61       g_security_status = 0;
     // NXDomain for a version that isReleaseVersion() rejects: only a warning
     // is logged here; what follows it (line 67) is not shown.
65   if (res == RCode::NXDomain && !isReleaseVersion(pkgv)) {
66     g_log<<Logger::Warning<<"Not validating response for security status update, this is a non-release version"<<endl;
     // Work on local copies; the status starts from the current global value.
70   string security_message;
71   int security_status = g_security_status;
     // Presumably fills security_status / security_message from the answer
     // records (processSecPoll is defined elsewhere); it can throw
     // PDNSException.
74     processSecPoll(res, ret, security_status, security_message);
75   } catch(const PDNSException &pe) {
       // On failure the local status is written back and the reason logged.
       // Whether processSecPoll changed security_status before throwing
       // cannot be seen from this file.
76     g_security_status = security_status;
77     g_log<<Logger::Warning<<"Could not retrieve security status update for '" << pkgv << "' on '"<< query << "': "<<pe.reason<<endl;
     // Publish the message, then log according to the new status. The message
     // text is written to the log unmodified; presumably it originates from
     // the TXT answer, so with DNSSEC off it is unauthenticated remote data.
81   g_security_message = security_message;
     // Logged only on a transition into "OK" from any other status.
83   if(g_security_status != 1 && security_status == 1) {
84     g_log<<Logger::Warning << "Polled security status of version "<<pkgv<<", no known issues reported: " <<g_security_message<<endl;
86   if(security_status == 2) {
87     g_log<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
89   if(security_status == 3) {
90     g_log<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
     // Publish the new status last, after the transition check above has
     // compared it with the previous value.
93   g_security_status = security_status;