4 #include "secpoll-recursor.hh"
7 #include "arguments.hh"
9 #include "validate-recursor.hh"
12 #ifndef PACKAGEVERSION
13 #define PACKAGEVERSION getPDNSVersion()
// Most recent outcome of the security-status poll run by doSecPoll().
// It is assigned from the first space-separated field of the
// "<version>.security-status.<security-poll-suffix>" TXT answer via std::stoi,
// so any non-numeric first field makes that std::stoi throw — the caller of
// doSecPoll() must be prepared for that. Values this file distinguishes:
//   0 = unknown (a previous 1 is demoted to 0 when a poll fails or the
//       DNSSEC validation result is Bogus)
//   1 = OK
//   2 = security update recommended (logged at Error level)
//   3 = security update mandatory   (logged at Error level)
// NOTE(review): no synchronisation is visible here; if other threads read this
// while the poll runs, confirm a plain non-atomic uint32_t is acceptable.
uint32_t g_security_status;
// Free-text remainder of the same TXT record (everything after the first space).
// It is attacker/operator-influenced remote data and is only ever logged, never
// interpreted, alongside status values 2 and 3.
string g_security_message;
19 void doSecPoll(time_t* last_secpoll
)
21 if(::arg()["security-poll-suffix"].empty())
24 string
pkgv(PACKAGEVERSION
);
26 gettimeofday(&now
, 0);
28 /* update last_secpoll right now, even if it fails
29 we don't want to retry right away and hammer the server */
30 *last_secpoll
=now
.tv_sec
;
33 if (g_dnssecmode
!= DNSSECMode::Off
) {
35 sr
.setDNSSECValidationRequested(true);
38 vector
<DNSRecord
> ret
;
40 string version
= "recursor-" +pkgv
;
41 string
qstring(version
.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);
43 if(*qstring
.rbegin()!='.')
46 boost::replace_all(qstring
, "+", "_");
47 boost::replace_all(qstring
, "~", "_");
49 vState state
= Indeterminate
;
50 DNSName
query(qstring
);
51 int res
=sr
.beginResolve(query
, QType(QType::TXT
), 1, ret
);
53 if (g_dnssecmode
!= DNSSECMode::Off
&& res
) {
54 state
= sr
.getValidationState();
58 g_log
<<Logger::Error
<<"Could not retrieve security status update for '" +pkgv
+ "' on '"<<query
<<"', DNSSEC validation result was Bogus!"<<endl
;
59 if(g_security_status
== 1) // If we were OK, go to unknown
60 g_security_status
= 0;
64 if(!res
&& !ret
.empty()) {
66 for(const auto&r
: ret
) {
67 if(r
.d_type
== QType::TXT
)
68 content
= r
.d_content
->getZoneRepresentation();
71 if(!content
.empty() && content
[0]=='"' && content
[content
.size()-1]=='"') {
72 content
=content
.substr(1, content
.length()-2);
75 pair
<string
, string
> split
= splitField(content
, ' ');
77 g_security_status
= std::stoi(split
.first
);
78 g_security_message
= split
.second
;
81 if(pkgv
.find("0.0.") != 0)
82 g_log
<<Logger::Warning
<<"Could not retrieve security status update for '" +pkgv
+ "' on '"<<query
<<"', RCODE = "<< RCode::to_s(res
)<<endl
;
84 g_log
<<Logger::Warning
<<"Ignoring response for security status update, this is a non-release version."<<endl
;
86 if(g_security_status
== 1) // it was ok, now it is unknown
87 g_security_status
= 0;
90 if(g_security_status
== 2) {
91 g_log
<<Logger::Error
<<"PowerDNS Security Update Recommended: "<<g_security_message
<<endl
;
93 else if(g_security_status
== 3) {
94 g_log
<<Logger::Error
<<"PowerDNS Security Update Mandatory: "<<g_security_message
<<endl
;