4 #include "secpoll-recursor.hh"
7 #include "arguments.hh"
9 #include "validate-recursor.hh"
12 #ifndef PACKAGEVERSION
13 #define PACKAGEVERSION getPDNSVersion()
// Process-wide result of the most recent security poll. Written only by
// doSecPoll(), which parses it with std::stoi from the first field of the
// polled "...security-status..." TXT record (fields separated by ' ' via
// splitField). Values used in this file: 1 = OK, 0 = unknown (a poll that
// fails or validates Bogus resets 1 to 0), 2 = update recommended,
// 3 = update mandatory (the latter two are logged at Logger::Error).
// NOTE(review): the value originates in a DNS answer; doSecPoll only asks
// for DNSSEC validation when g_dnssecmode != DNSSECMode::Off, so consumers
// should treat it as externally supplied input.
uint32_t g_security_status{0};

// Remainder of the same TXT record after the status field, stored verbatim
// by doSecPoll() and echoed into the log when the status is 2 or 3.
string g_security_message{};
19 void doSecPoll(time_t* last_secpoll
)
21 if(::arg()["security-poll-suffix"].empty())
24 string
pkgv(PACKAGEVERSION
);
26 gettimeofday(&now
, 0);
28 if (g_dnssecmode
!= DNSSECMode::Off
) {
30 sr
.setDNSSECValidationRequested(true);
33 vector
<DNSRecord
> ret
;
35 string version
= "recursor-" +pkgv
;
36 string
qstring(version
.substr(0, 63)+ ".security-status."+::arg()["security-poll-suffix"]);
38 if(*qstring
.rbegin()!='.')
41 boost::replace_all(qstring
, "+", "_");
42 boost::replace_all(qstring
, "~", "_");
44 vState state
= Indeterminate
;
45 DNSName
query(qstring
);
46 int res
=sr
.beginResolve(query
, QType(QType::TXT
), 1, ret
);
48 if (g_dnssecmode
!= DNSSECMode::Off
&& res
) {
49 state
= sr
.getValidationState();
53 L
<<Logger::Error
<<"Could not retrieve security status update for '" +pkgv
+ "' on '"<<query
<<"', DNSSEC validation result was Bogus!"<<endl
;
54 if(g_security_status
== 1) // If we were OK, go to unknown
55 g_security_status
= 0;
59 if(!res
&& !ret
.empty()) {
60 string content
=ret
.begin()->d_content
->getZoneRepresentation();
61 if(!content
.empty() && content
[0]=='"' && content
[content
.size()-1]=='"') {
62 content
=content
.substr(1, content
.length()-2);
65 pair
<string
, string
> split
= splitField(content
, ' ');
67 g_security_status
= std::stoi(split
.first
);
68 g_security_message
= split
.second
;
70 *last_secpoll
=now
.tv_sec
;
73 if(pkgv
.find("0.0.") != 0)
74 L
<<Logger::Warning
<<"Could not retrieve security status update for '" +pkgv
+ "' on '"<<query
<<"', RCODE = "<< RCode::to_s(res
)<<endl
;
76 L
<<Logger::Warning
<<"Ignoring response for security status update, this is a non-release version."<<endl
;
78 if(g_security_status
== 1) // it was ok, now it is unknown
79 g_security_status
= 0;
80 if(res
== RCode::NXDomain
) // if we had NXDOMAIN, keep on trying more more frequently
81 *last_secpoll
=now
.tv_sec
;
84 if(g_security_status
== 2) {
85 L
<<Logger::Error
<<"PowerDNS Security Update Recommended: "<<g_security_message
<<endl
;
87 else if(g_security_status
== 3) {
88 L
<<Logger::Error
<<"PowerDNS Security Update Mandatory: "<<g_security_message
<<endl
;