1 #ifdef HAVE_CONFIG_H
2 #include "config.h"
3 #endif
4 #include "secpoll-recursor.hh"
5 #include "syncres.hh"
6 #include "logger.hh"
7 #include "arguments.hh"
8 #include "version.hh"
9 #include "validate-recursor.hh"
10
11 #include <stdint.h>
12 #ifndef PACKAGEVERSION
13 #define PACKAGEVERSION getPDNSVersion()
14 #endif
15
// Outcome of the most recent security poll. The values this file acts upon
// are 0 (unknown), 1 (OK), 2 (update recommended) and 3 (update mandatory).
uint32_t g_security_status{};
// Free-text message that accompanied the status code in the TXT answer.
std::string g_security_message{};
18
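/** Poll the upstream security-status TXT record for this recursor version.
 *
 *  Resolves "recursor-<version>.security-status.<security-poll-suffix>" (TXT)
 *  through a SyncRes instance, requesting DNSSEC validation when it is not
 *  switched off, and stores the answer in g_security_status /
 *  g_security_message. The expected answer is "<status> <message>", where
 *  this file treats status 1 as OK, 0 as unknown, 2 as "update recommended"
 *  and 3 as "update mandatory".
 *
 *  The TXT content is network input: a status field that is not a
 *  non-negative integer is logged and handled like a failed poll instead of
 *  letting std::stoi throw out of this function.
 *
 *  @param last_secpoll  Set to the current time when a poll yields a usable
 *                       answer, or when the answer was NXDOMAIN (the caller's
 *                       retry schedule is not tightened for that case).
 */
void doSecPoll(time_t* last_secpoll)
{
  if(::arg()["security-poll-suffix"].empty())
    return;

  string pkgv(PACKAGEVERSION);
  struct timeval now;
  gettimeofday(&now, nullptr);
  SyncRes sr(now);
  if (g_dnssecmode != DNSSECMode::Off) {
    sr.setDoDNSSEC(true);
    sr.setDNSSECValidationRequested(true);
  }

  vector<DNSRecord> ret;

  // The version label is cut at 63 octets, the maximum length of a DNS label.
  string version = "recursor-" +pkgv;
  string qstring(version.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);

  // qstring always contains ".security-status.", so rbegin() is valid here.
  if(*qstring.rbegin()!='.')
    qstring+='.';

  // '+' and '~' occur in package version strings but are not hostname characters.
  boost::replace_all(qstring, "+", "_");
  boost::replace_all(qstring, "~", "_");

  vState state = Indeterminate;
  DNSName query(qstring);
  int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);

  // NOTE(review): the validation state is only consulted when the rcode is
  // non-zero; confirm that a Bogus answer with rcode 0 cannot reach the
  // acceptance branch below.
  if (g_dnssecmode != DNSSECMode::Off && res) {
    state = sr.getValidationState();
  }

  if(state == Bogus) {
    L<<Logger::Error<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
    if(g_security_status == 1) // If we were OK, go to unknown
      g_security_status = 0;
    return;
  }

  bool gotAnswer = false;
  if(!res && !ret.empty()) {
    string content=ret.begin()->d_content->getZoneRepresentation();
    // Strip the quotes of the TXT zone representation.
    if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') {
      content=content.substr(1, content.length()-2);
    }

    pair<string, string> split = splitField(content, ' ');

    // The status field comes from the DNS answer: require a non-negative
    // integer that consumes the whole field (no partial parse, no wrap-around
    // of a negative value into the unsigned status), and never let the
    // std::stoi exceptions escape this function.
    try {
      size_t consumed = 0;
      int status = std::stoi(split.first, &consumed);
      if(status >= 0 && consumed == split.first.size()) {
        g_security_status = static_cast<uint32_t>(status);
        g_security_message = split.second;
        *last_secpoll=now.tv_sec;
        gotAnswer = true;
      }
    }
    catch(const std::exception&) {
      // std::invalid_argument / std::out_of_range: handled as a malformed answer below
    }
  }

  if(!gotAnswer) {
    if(!res && !ret.empty())
      L<<Logger::Warning<<"Could not parse security status update for '" +pkgv+ "' on '"<<query<<"', ignoring malformed answer"<<endl;
    else if(pkgv.find("0.0.") != 0)
      L<<Logger::Warning<<"Could not retrieve security status update for '" +pkgv+ "' on '"<<query<<"', RCODE = "<< RCode::to_s(res)<<endl;
    else
      L<<Logger::Warning<<"Ignoring response for security status update, this is a non-release version."<<endl;

    if(g_security_status == 1) // it was ok, now it is unknown
      g_security_status = 0;
    if(res == RCode::NXDomain) // if we had NXDOMAIN, keep on trying more more frequently
      *last_secpoll=now.tv_sec;
  }

  if(g_security_status == 2) {
    L<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
  }
  else if(g_security_status == 3) {
    L<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
  }
}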