break;
}
catch (const pdns::validation::TooManySEC3IterationsException& e) {
- if (g_logCommonErrors) {
+ if (g_logCommonErrors || (g_dnssecLogBogus && resolver.getDNSSECLimitHit())) {
SLOG(g_log << Logger::Notice << "Sending SERVFAIL to " << comboWriter->getRemote() << " during resolve of the custom filter policy '" << appliedPolicy.getName() << "' while resolving '" << comboWriter->d_mdp.d_qname << "' because: " << e.what() << endl,
resolver.d_slog->error(Logr::Notice, e.what(), "Sending SERVFAIL during resolve of the custom filter policy",
- "policyName", Logging::Loggable(appliedPolicy.getName()), "exception", Logging::Loggable("TooManySEC3IterationsException")));
+ "policyName", Logging::Loggable(appliedPolicy.getName()), "exception", Logging::Loggable("TooManySEC3IterationsException"), "dnsseclimithit", Logging::Loggable(resolver.getDNSSECLimitHit())));
}
res = RCode::ServFail;
break;
catch (const pdns::validation::TooManySEC3IterationsException& e) {
if (g_logCommonErrors) {
SLOG(g_log << Logger::Notice << "Sending SERVFAIL to " << comboWriter->getRemote() << " during resolve of '" << comboWriter->d_mdp.d_qname << "' because: " << e.what() << endl,
- resolver.d_slog->error(Logr::Notice, e.what(), "Sending SERVFAIL during resolve"));
+ resolver.d_slog->error(Logr::Notice, e.what(), "Sending SERVFAIL during resolve", "dnsseclimithit", Logging::Loggable(true)));
}
res = RCode::ServFail;
}
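Review bot: This catch site still logs only under `g_logCommonErrors` and hard-codes `"dnsseclimithit", Logging::Loggable(true)`, while the two sibling catch blocks for the same exception (the policy one above and the validation one below) were changed to `if (g_logCommonErrors || (g_dnssecLogBogus && resolver.getDNSSECLimitHit())) {` and log `Logging::Loggable(resolver.getDNSSECLimitHit())`. Unless this path is deliberately excluded, the same condition and the queried value should be used here so the field means the same thing at every site; whether the iteration-quota throw path sets `d_limitHit` is not visible in this diff, and if it does not, the sibling sites will log false for the very same exception while this one logs true. Operators who use this field to spot queries that trip the DNSSEC work caps will rely on the three sites agreeing. The enclosing function starts outside the hunk.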
if (resolver.doLog() || vStateIsBogus(state)) {
// Only create logging object if needed below, beware if you change the logging logic!
log = resolver.d_slog->withValues("vstate", Logging::Loggable(state));
+ if (resolver.getDNSSECLimitHit()) {
+ log = log->withValues("dnsseclimithit", Logging::Loggable(true));
+ }
auto xdnssec = g_xdnssec.getLocal();
if (xdnssec->check(comboWriter->d_mdp.d_qname)) {
log = log->withValues("in-x-dnssec-names", Logging::Loggable(1));
goto sendit; // NOLINT(cppcoreguidelines-avoid-goto)
}
catch (const pdns::validation::TooManySEC3IterationsException& e) {
- if (g_logCommonErrors) {
+ if (g_logCommonErrors || (g_dnssecLogBogus && resolver.getDNSSECLimitHit())) {
SLOG(g_log << Logger::Notice << "Sending SERVFAIL to " << comboWriter->getRemote() << " during validation of '" << comboWriter->d_mdp.d_qname << "|" << QType(comboWriter->d_mdp.d_qtype) << "' because: " << e.what() << endl,
- resolver.d_slog->error(Logr::Notice, e.what(), "Sending SERVFAIL during validation", "exception", Logging::Loggable("TooManySEC3IterationsException")));
+ resolver.d_slog->error(Logr::Notice, e.what(), "Sending SERVFAIL during validation", "exception", Logging::Loggable("TooManySEC3IterationsException"), "dnsseclimithit", Logging::Loggable(resolver.getDNSSECLimitHit())));
}
goto sendit; // NOLINT(cppcoreguidelines-avoid-goto)
}
return d_queryValidationState;
}
+ [[nodiscard]] bool getDNSSECLimitHit() const
+ {
+ return d_validationContext.d_limitHit;
+ }
+
void setQueryReceivedOverTCP(bool tcp)
{
d_queryReceivedOverTCP = tcp;
}
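Review bot: `getDNSSECLimitHit()` is added without a comment saying which "limit" it reports, and the field it reads, `d_limitHit` (declared in the context struct further down in this diff), is likewise undocumented. From the validate.cc hunks the flag is set when the NSEC3, RRSIG or DNSKEY per-record caps stop work early, so a one-line doc such as `/// True if a DNSSEC work cap (NSEC3, RRSIG or DNSKEY count) cut validation short during this resolution; reported as "dnsseclimithit" in logs` on the getter, and a matching trailing comment on the field, would make the new log field interpretable. The flag is only ever set to true in the visible hunks; if `d_validationContext` can outlive a single query it would need resetting, which I cannot confirm from here. The enclosing class starts outside the hunk.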
if (g_maxNSEC3sPerRecordToConsider > 0 && nsec3sConsidered >= g_maxNSEC3sPerRecordToConsider) {
+ context.d_limitHit = true;
return false;
}
nsec3sConsidered++;
if (g_maxNSEC3sPerRecordToConsider > 0 && nsec3sConsidered >= g_maxNSEC3sPerRecordToConsider) {
VLOG(log, qname << ": Too many NSEC3s for this record"<<endl);
+ context.d_limitHit = true;
return dState::NODENIAL;
}
nsec3sConsidered++;
if (g_maxNSEC3sPerRecordToConsider > 0 && nsec3sConsidered >= g_maxNSEC3sPerRecordToConsider) {
VLOG(log, qname << ": Too many NSEC3s for this record"<<endl);
+ context.d_limitHit = true;
return dState::NODENIAL;
}
nsec3sConsidered++;
if (g_maxNSEC3sPerRecordToConsider > 0 && nsec3sConsidered >= g_maxNSEC3sPerRecordToConsider) {
VLOG(log, qname << ": Too many NSEC3s for this record"<<endl);
+ context.d_limitHit = true;
return dState::NODENIAL;
}
nsec3sConsidered++;
if (g_maxRRSIGsPerRecordToConsider > 0 && signaturesConsidered >= g_maxRRSIGsPerRecordToConsider) {
VLOG(log, name<<": We have already considered "<<std::to_string(signaturesConsidered)<<" RRSIG"<<addS(signaturesConsidered)<<" for this record, stopping now"<<endl;);
// possibly going Bogus, the RRSIGs have not been validated so Insecure would be wrong
+ context.d_limitHit = true;
break;
}
signaturesConsidered++;
for (const auto& key : keysMatchingTag) {
if (g_maxDNSKEYsToConsider > 0 && dnskeysConsidered >= g_maxDNSKEYsToConsider) {
VLOG(log, name << ": We have already considered "<<std::to_string(dnskeysConsidered)<<" DNSKEY"<<addS(dnskeysConsidered)<<" for tag "<<std::to_string(signature->d_tag)<<" and algorithm "<<std::to_string(signature->d_algorithm)<<", not considering the remaining ones for this signature"<<endl;);
+ if (!isValid) {
+ context.d_limitHit = true;
+ }
return isValid ? vState::Secure : vState::BogusNoValidRRSIG;
}
dnskeysConsidered++;
// we need to break because we can have a partially validated set
// where the KSK signs the ZSK(s), and even if we don't
// we are going to try to get the correct EDE status (revoked, expired, ...)
+ context.d_limitHit = true;
break;
}
dnskeysConsidered++;
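Review bot: `context.d_limitHit = true;` before this `break` is unconditional, whereas the other DNSKEY-cap site above (`if (!isValid) { context.d_limitHit = true; }` before `return isValid ? vState::Secure : vState::BogusNoValidRRSIG;`) flags the limit only when the answer is going Bogus. The comment above says the set may be partially validated, so the code after the loop (outside this hunk, as is the cap check guarding the break) may still return Secure, in which case a Secure answer would log `dnsseclimithit`. If that is intended, a short comment such as `// flag the cap even if the partial set validates, so the log shows work was skipped` would keep it from being read as an oversight; otherwise the same `!isValid`-style guard should be applied once the outcome is known.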
if (g_maxRRSIGsPerRecordToConsider > 0 && signaturesConsidered >= g_maxRRSIGsPerRecordToConsider) {
VLOG(log, zone << ": We have already considered "<<std::to_string(signaturesConsidered)<<" RRSIG"<<addS(signaturesConsidered)<<" for this record, stopping now"<<endl;);
// possibly going Bogus, the RRSIGs have not been validated so Insecure would be wrong
+ context.d_limitHit = true;
return vState::BogusNoValidDNSKEY;
}
for (const auto& key : bytag) {
if (g_maxDNSKEYsToConsider > 0 && dnskeysConsidered >= g_maxDNSKEYsToConsider) {
VLOG(log, zone << ": We have already considered "<<std::to_string(dnskeysConsidered)<<" DNSKEY"<<addS(dnskeysConsidered)<<" for tag "<<std::to_string(sig->d_tag)<<" and algorithm "<<std::to_string(sig->d_algorithm)<<", not considering the remaining ones for this signature"<<endl;);
+ context.d_limitHit = true;
return vState::BogusNoValidDNSKEY;
}
dnskeysConsidered++;
if (g_maxRRSIGsPerRecordToConsider > 0 && signaturesConsidered >= g_maxRRSIGsPerRecordToConsider) {
VLOG(log, zone << ": We have already considered "<<std::to_string(signaturesConsidered)<<" RRSIG"<<addS(signaturesConsidered)<<" for this record, stopping now"<<endl;);
// possibly going Bogus, the RRSIGs have not been validated so Insecure would be wrong
+ context.d_limitHit = true;
return vState::BogusNoValidDNSKEY;
}
// cerr<<"validating : ";
Nsec3HashesCache d_nsec3Cache;
unsigned int d_validationsCounter{0};
unsigned int d_nsec3IterationsRemainingQuota{0};
+ bool d_limitHit{false};
};
class TooManySEC3IterationsException : public std::runtime_error