uint16_t g_outgoingEDNSBufsize;
bool g_logRPZChanges{false};
+// Used in Syncres to counts DNSSEC stats for names in a different "universe"
+GlobalStateHolder<SuffixMatchNode> g_xdnssec;
// Used in the Syncres to not throttle certain servers
GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
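Review bot: The comment on the new `g_xdnssec` global has a grammar slip ("to counts") and does not say what the match means for the reader of this file, where the setting is never used. Suggest `// Suffixes from x-dnssec-names; validation results for matching names are counted in the x-dnssec-* stats instead of dnssec-*`, which mirrors the style of the `g_dontThrottleNames` comment just below it.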
g_dontThrottleNetmasks.setState(std::move(dontThrottleNetmasks));
}
+ {
+ SuffixMatchNode xdnssecNames;
+ vector<string> parts;
+ stringtok(parts, ::arg()["x-dnssec-names"], " ,");
+ for (const auto &p : parts) {
+ xdnssecNames.add(DNSName(p));
+ }
+ g_xdnssec.setState(std::move(xdnssecNames));
+ }
+
s_balancingFactor = ::arg().asDouble("distribution-load-factor");
if (s_balancingFactor != 0.0 && s_balancingFactor < 1.0) {
s_balancingFactor = 0.0;
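Review bot: A malformed entry in `x-dnssec-names` is not reported by name: `xdnssecNames.add(DNSName(p))` will throw from the `DNSName` constructor on an unparsable label (assuming it validates as elsewhere in the tree), and with no catch here the daemon aborts startup with a message that does not identify the offending token or the setting. The sibling dont-throttle-names block above appears to have the same behaviour, so a shared fix is reasonable, but at minimum this new block should wrap the add: `try { xdnssecNames.add(DNSName(p)); } catch (const std::exception& e) { throw std::runtime_error("Unable to parse x-dnssec-names entry '" + p + "': " + e.what()); }`. An empty setting yields no tokens and therefore an empty `SuffixMatchNode`, which is the intended "feature off" state; a one-line comment saying so would help. The enclosing function starts before this hunk.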
::arg().set("record-cache-shards", "Number of shards in the record cache")="1024";
::arg().set("refresh-on-ttl-perc", "If a record is requested from the cache and only this % of original TTL remains, refetch") = "0";
+ ::arg().set("x-dnssec-names", "Collect DNSSEC statistics for names or suffixes in this list in separate x-dnssec counters")="";
+
#ifdef NOD_ENABLED
::arg().set("new-domain-tracking", "Track newly observed domains (i.e. never seen before).")="no";
::arg().set("new-domain-log", "Log newly observed domains.")="yes";
}
return total;
});
+ addGetStat("x-dnssec-result-bogus", []() {
+ static std::set<vState> const bogusStates = { vState::BogusNoValidDNSKEY, vState::BogusInvalidDenial, vState::BogusUnableToGetDSs, vState::BogusUnableToGetDNSKEYs, vState::BogusSelfSignedDS, vState::BogusNoRRSIG, vState::BogusNoValidRRSIG, vState::BogusMissingNegativeIndication, vState::BogusSignatureNotYetValid, vState::BogusSignatureExpired, vState::BogusUnsupportedDNSKEYAlgo, vState::BogusUnsupportedDSDigestType, vState::BogusNoZoneKeyBitSet, vState::BogusRevokedDNSKEY, vState::BogusInvalidDNSKEYProtocol };
+ uint64_t total = 0;
+ for (const auto& state : bogusStates) {
+ total += g_stats.xdnssecResults[state];
+ }
+ return total;
+ });
addGetStat("dnssec-result-bogus-no-valid-dnskey", &g_stats.dnssecResults[vState::BogusNoValidDNSKEY]);
addGetStat("dnssec-result-bogus-invalid-denial", &g_stats.dnssecResults[vState::BogusInvalidDenial]);
addGetStat("dnssec-result-bogus-unable-to-get-dss", &g_stats.dnssecResults[vState::BogusUnableToGetDSs]);
addGetStat("dnssec-result-indeterminate", &g_stats.dnssecResults[vState::Indeterminate]);
addGetStat("dnssec-result-nta", &g_stats.dnssecResults[vState::NTA]);
+ addGetStat("x-dnssec-result-bogus-no-valid-dnskey", &g_stats.xdnssecResults[vState::BogusNoValidDNSKEY]);
+ addGetStat("x-dnssec-result-bogus-invalid-denial", &g_stats.xdnssecResults[vState::BogusInvalidDenial]);
+ addGetStat("x-dnssec-result-bogus-unable-to-get-dss", &g_stats.xdnssecResults[vState::BogusUnableToGetDSs]);
+ addGetStat("x-dnssec-result-bogus-unable-to-get-dnskeys", &g_stats.xdnssecResults[vState::BogusUnableToGetDNSKEYs]);
+ addGetStat("x-dnssec-result-bogus-self-signed-ds", &g_stats.xdnssecResults[vState::BogusSelfSignedDS]);
+ addGetStat("x-dnssec-result-bogus-no-rrsig", &g_stats.xdnssecResults[vState::BogusNoRRSIG]);
+ addGetStat("x-dnssec-result-bogus-no-valid-rrsig", &g_stats.xdnssecResults[vState::BogusNoValidRRSIG]);
+ addGetStat("x-dnssec-result-bogus-missing-negative-indication", &g_stats.xdnssecResults[vState::BogusMissingNegativeIndication]);
+ addGetStat("x-dnssec-result-bogus-signature-not-yet-valid", &g_stats.xdnssecResults[vState::BogusSignatureNotYetValid]);
+ addGetStat("x-dnssec-result-bogus-signature-expired", &g_stats.xdnssecResults[vState::BogusSignatureExpired]);
+ addGetStat("x-dnssec-result-bogus-unsupported-dnskey-algo", &g_stats.xdnssecResults[vState::BogusUnsupportedDNSKEYAlgo]);
+ addGetStat("x-dnssec-result-bogus-unsupported-ds-digest-type", &g_stats.xdnssecResults[vState::BogusUnsupportedDSDigestType]);
+ addGetStat("x-dnssec-result-bogus-no-zone-key-bit-set", &g_stats.xdnssecResults[vState::BogusNoZoneKeyBitSet]);
+ addGetStat("x-dnssec-result-bogus-revoked-dnskey", &g_stats.xdnssecResults[vState::BogusRevokedDNSKEY]);
+ addGetStat("x-dnssec-result-bogus-invalid-dnskey-protocol", &g_stats.xdnssecResults[vState::BogusInvalidDNSKEYProtocol]);
+ addGetStat("x-dnssec-result-indeterminate", &g_stats.xdnssecResults[vState::Indeterminate]);
+ addGetStat("x-dnssec-result-nta", &g_stats.xdnssecResults[vState::NTA]);
+
+
addGetStat("policy-result-noaction", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NoAction]);
addGetStat("policy-result-drop", &g_stats.policyResults[DNSFilterEngine::PolicyKind::Drop]);
addGetStat("policy-result-nxdomain", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NXDOMAIN]);
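Review bot: The `x-dnssec-result-bogus` lambda carries its own fifteen-entry `bogusStates` set, duplicating the list the `dnssec-result-bogus` lambda above it (whose start lies outside this hunk) must already hold; the next `vState::Bogus*` added to the enum has to be added in two places, and a miss silently under-reports bogus validations on one of the two aggregate counters. Hoist the list once to file scope, e.g. `static const std::set<vState> s_bogusStates = { vState::BogusNoValidDNSKEY, /* … */ vState::BogusInvalidDNSKEYProtocol };`, and have both lambdas iterate `s_bogusStates`. The fifteen `x-dnssec-result-bogus-*` per-state registrations below match the set one-for-one as written, so no counter is currently missing from the aggregate.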
RecursorStats g_stats;
GlobalStateHolder<LuaConfigItems> g_luaconfs;
+GlobalStateHolder<SuffixMatchNode> g_xdnssec;
GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
std::unique_ptr<MemRecursorCache> g_recCache{nullptr};
if (d_queryValidationState != vState::Indeterminate) {
g_stats.dnssecValidations++;
}
- increaseDNSSECStateCounter(d_queryValidationState);
+ auto xdnssec = g_xdnssec.getLocal();
+ if (xdnssec->check(qname)) {
+ increaseXDNSSECStateCounter(d_queryValidationState);
+ } else {
+ increaseDNSSECStateCounter(d_queryValidationState);
+ }
}
return res;
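Review bot: The new `if/else` records each validation outcome in exactly one of the two result maps, while `dnssecValidations` two lines above still increments for both, and nothing at the call site says so; a maintainer reading only this spot could assume the x-dnssec counters are a copy rather than a split. Suggest a why-comment above the `getLocal()` call: `// Outcomes for names under an x-dnssec-names suffix go only to the x-dnssec-* counters; dnssecValidations above counts both groups`. `g_xdnssec.getLocal()` is now called per validated query; presumably `GlobalStateHolder::getLocal` is the cheap thread-local view used elsewhere in Syncres, but if it is not, the view should be cached as the other holders are. The enclosing method starts before this hunk.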
#include "fstrm_logger.hh"
#endif /* HAVE_FSTRM */
+extern GlobalStateHolder<SuffixMatchNode> g_xdnssec;
extern GlobalStateHolder<SuffixMatchNode> g_dontThrottleNames;
extern GlobalStateHolder<NetmaskGroup> g_dontThrottleNetmasks;
unsigned int maxMThreadStackUsage;
std::atomic<uint64_t> dnssecValidations; // should be the sum of all dnssecResult* stats
std::map<vState, std::atomic<uint64_t> > dnssecResults;
+ std::map<vState, std::atomic<uint64_t> > xdnssecResults;
std::map<DNSFilterEngine::PolicyKind, std::atomic<uint64_t> > policyResults;
std::atomic<uint64_t> rebalancedQueries{0};
std::atomic<uint64_t> proxyProtocolInvalidCount{0};
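Review bot: The comment on `dnssecValidations` ("should be the sum of all dnssecResult* stats") is no longer true once outcomes for x-dnssec names are routed to `xdnssecResults` instead of `dnssecResults`, and the new member has no comment at all. Suggest `std::atomic<uint64_t> dnssecValidations; // should be the sum of all dnssecResults and xdnssecResults entries` and `std::map<vState, std::atomic<uint64_t> > xdnssecResults; // validation results for names matching x-dnssec-names; these are NOT also counted in dnssecResults`. The enclosing struct starts and ends outside this hunk.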
return state;
}
+vState increaseXDNSSECStateCounter(const vState& state)
+{
+ g_stats.xdnssecResults[state]++;
+ return state;
+}
+
// Returns true if dsAnchors were modified
bool updateTrustAnchorsFromFile(const std::string &fname, map<DNSName, dsmap_t> &dsAnchors) {
map<DNSName,dsmap_t> newDSAnchors;
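Review bot: `g_stats.xdnssecResults[state]++` uses `std::map::operator[]`, which inserts a node on first use of a key; if a `vState` is ever reached here that was not pre-registered via `addGetStat` at startup, the first insertion happens on a resolver thread and concurrent `operator[]` calls on the same `std::map` are a data race. This mirrors the existing `increaseDNSSECStateCounter`, and the registrations in this commit pre-create the Bogus*, Indeterminate and NTA entries (the Secure/Insecure registrations are not visible in this diff), so the risk is only a missed registration — worth a comment rather than a code change: `// Relies on every vState having been registered with addGetStat at startup, so no insertion happens here`. The function also has no purpose comment; suggest `// Counterpart of increaseDNSSECStateCounter for names matched by x-dnssec-names; returns state unchanged`.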
bool checkDNSSECDisabled();
bool warnIfDNSSECDisabled(const string& msg);
vState increaseDNSSECStateCounter(const vState& state);
+vState increaseXDNSSECStateCounter(const vState& state);
bool updateTrustAnchorsFromFile(const std::string &fname, map<DNSName, dsmap_t> &dsAnchors);