isc_mem_t *mctx = dns_zone_getmctx(zone);
bool autoddns = false;
isc_result_t result = ISC_R_SUCCESS;
+ char debug[1024];
+ isc_buffer_t dbuf;
+
+ isc_buffer_init(&dbuf, debug, sizeof(debug));
+ isc_buffer_setmctx(&dbuf, mctx);
(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
isc_buffer_t b;
dns_ssuruletype_t *types;
unsigned int i, n;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ isc_buffer_clear(&dbuf);
str = cfg_obj_asstring(mode);
if (strcasecmp(str, "grant") == 0) {
grant = true;
} else {
UNREACHABLE();
}
-
- str = cfg_obj_asstring(matchtype);
- CHECK(dns_ssu_mtypefromstring(str, &mtype));
- if (mtype == dns_ssumatchtype_subdomain &&
- strcasecmp(str, "zonesub") == 0)
- {
- usezone = true;
- }
+ isc_buffer_putstr(&dbuf, str);
dns_fixedname_init(&fident);
str = cfg_obj_asstring(identity);
"'%s' is not a valid name", str);
goto cleanup;
}
+ dns_name_format(dns_fixedname_name(&fident), namebuf,
+ sizeof(namebuf));
+ isc_buffer_putstr(&dbuf, " ");
+ isc_buffer_putstr(&dbuf, namebuf);
+
+ str = cfg_obj_asstring(matchtype);
+ CHECK(dns_ssu_mtypefromstring(str, &mtype));
+ if (mtype == dns_ssumatchtype_subdomain &&
+ strcasecmp(str, "zonesub") == 0)
+ {
+ usezone = true;
+ }
+ isc_buffer_putstr(&dbuf, " ");
+ isc_buffer_putstr(&dbuf, str);
dns_fixedname_init(&fname);
if (usezone) {
"'%s' is not a valid name", str);
goto cleanup;
}
+ dns_name_format(dns_fixedname_name(&fname), namebuf,
+ sizeof(namebuf));
+ isc_buffer_putstr(&dbuf, " ");
+ isc_buffer_putstr(&dbuf, namebuf);
}
n = named_config_listcount(typelist);
typeobj = cfg_listelt_value(element2);
str = cfg_obj_asstring(typeobj);
r.base = UNCONST(str);
+ isc_buffer_putstr(&dbuf, " ");
+ isc_buffer_putstr(&dbuf, str);
bracket = strchr(str, '(' /*)*/);
if (bracket != NULL) {
}
INSIST(i == n);
+ isc_buffer_putuint8(&dbuf, '\0');
dns_ssutable_addrule(table, grant, dns_fixedname_name(&fident),
mtype, dns_fixedname_name(&fname), n,
- types);
+ types, isc_buffer_base(&dbuf));
if (types != NULL) {
isc_mem_cput(mctx, types, n, sizeof(*types));
}
goto cleanup;
}
- dns_ssutable_addrule(table, true,
- named_g_server->session_keyname,
- dns_ssumatchtype_local,
- dns_zone_getorigin(zone), 1, &any);
+ dns_ssutable_addrule(
+ table, true, named_g_server->session_keyname,
+ dns_ssumatchtype_local, dns_zone_getorigin(zone), 1,
+ &any, "local");
}
dns_zone_setssutable(zone, table);
cleanup:
+ isc_buffer_clearmctx(&dbuf);
dns_ssutable_detach(&table);
return (result);
}
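Review bot: The lifetime of `dbuf` deserves a comment where it is initialised, because pairing a 1024-byte stack array with `isc_buffer_setmctx()` is easy to misread as a hard cap on the rule text. As I read the isc_buffer API, setting a memory context lets `isc_buffer_putstr()` grow the buffer onto the heap for a long type list, and the `isc_buffer_clearmctx(&dbuf)` added at `cleanup:` is what releases that growth, so it has to stay reachable from every exit path. Something like `/* debug[] is only the initial storage; dbuf may grow via mctx and is released by isc_buffer_clearmctx() at cleanup */` next to the `isc_buffer_init()` call would do. The initialisation sits in an earlier hunk and the function begins outside the visible lines.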
dns_ssuruletype_t *types; /*%< the data types. Can include */
/* ANY. if NULL, defaults to all */
/* types except SIG, SOA, and NS */
+ char *debug; /*%< text version for debugging */
ISC_LINK(dns_ssurule_t) link;
};
isc_mem_cput(mctx, rule->types, rule->ntypes,
sizeof(*rule->types));
}
+ if (rule->debug != NULL) {
+ isc_mem_free(mctx, rule->debug);
+ }
ISC_LIST_UNLINK(table->rules, rule, link);
rule->magic = 0;
isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
}
}
+static const char *
+mtypetostring(dns_ssumatchtype_t matchtype) {
+ switch (matchtype) {
+ case dns_ssumatchtype_name:
+ return ("name");
+ case dns_ssumatchtype_wildcard:
+ return ("wildcard");
+ case dns_ssumatchtype_self:
+ return ("self");
+ case dns_ssumatchtype_selfsub:
+ return ("selfsub");
+ case dns_ssumatchtype_selfwild:
+ return ("selfwild");
+ case dns_ssumatchtype_selfms:
+ return ("ms-self");
+ case dns_ssumatchtype_selfsubms:
+ return ("ms-selfsub");
+ case dns_ssumatchtype_selfkrb5:
+ return ("krb5-self");
+ case dns_ssumatchtype_selfsubkrb5:
+ return ("krb5-selfsub");
+ case dns_ssumatchtype_subdomainms:
+ return ("ms-subdomain");
+ case dns_ssumatchtype_subdomainselfmsrhs:
+ return ("ms-subdomain-self-rhs");
+ case dns_ssumatchtype_subdomainkrb5:
+ return ("krb5-subdomain");
+ case dns_ssumatchtype_subdomainselfkrb5rhs:
+ return ("krb5-subdomain-self-rhs");
+ case dns_ssumatchtype_tcpself:
+ return ("tcp-self");
+ case dns_ssumatchtype_6to4self:
+ return ("6to4-self");
+ case dns_ssumatchtype_subdomain:
+ return ("subdomain");
+ case dns_ssumatchtype_external:
+ return ("external");
+ case dns_ssumatchtype_local:
+ return ("local");
+ case dns_ssumatchtype_dlz:
+ return ("dlz");
+ }
+ return ("UnknownMatchType");
+}
+
void
dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
const dns_name_t *identity, dns_ssumatchtype_t matchtype,
const dns_name_t *name, unsigned int ntypes,
- dns_ssuruletype_t *types) {
+ dns_ssuruletype_t *types, const char *debug) {
dns_ssurule_t *rule;
isc_mem_t *mctx;
if (ntypes > 0) {
REQUIRE(types != NULL);
}
+ REQUIRE(debug != NULL);
mctx = table->mctx;
rule = isc_mem_get(mctx, sizeof(*rule));
+ *rule = (dns_ssurule_t){
+ .grant = grant,
+ .matchtype = matchtype,
+ .identity = isc_mem_get(mctx, sizeof(*rule->identity)),
+ .name = isc_mem_get(mctx, sizeof(*rule->name)),
+ .ntypes = ntypes,
+ .types = ntypes == 0 ? NULL
+ : isc_mem_cget(mctx, ntypes,
+ sizeof(*rule->types)),
+ .link = ISC_LINK_INITIALIZER,
+ .magic = SSURULEMAGIC,
+ };
- rule->identity = NULL;
- rule->name = NULL;
- rule->types = NULL;
-
- rule->grant = grant;
-
- rule->identity = isc_mem_get(mctx, sizeof(*rule->identity));
dns_name_init(rule->identity, NULL);
dns_name_dup(identity, mctx, rule->identity);
-
- rule->name = isc_mem_get(mctx, sizeof(*rule->name));
dns_name_init(rule->name, NULL);
dns_name_dup(name, mctx, rule->name);
- rule->matchtype = matchtype;
-
- rule->ntypes = ntypes;
if (ntypes > 0) {
- rule->types = isc_mem_cget(mctx, ntypes, sizeof(*rule->types));
memmove(rule->types, types, ntypes * sizeof(*rule->types));
- } else {
- rule->types = NULL;
}
- rule->magic = SSURULEMAGIC;
+ rule->debug = isc_mem_strdup(mctx, debug);
+
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
}
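Review bot: The new `debug` parameter of `dns_ssutable_addrule()` has no documented contract. `REQUIRE(debug != NULL)` turns a NULL into an assertion failure, yet the free path and the log calls elsewhere in this change still test `rule->debug != NULL`, so a reader cannot tell whether NULL is ever legal. I would state it in the function comment, for example `/* 'debug' is a NUL-terminated text form of the rule, used only for debug logging; it must be non-NULL and is copied with isc_mem_strdup(), so the caller keeps its buffer. */`. The prototype's header documentation is not in view here; if it exists it needs the same sentence.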
int match;
isc_result_t result;
unsigned int i;
+ bool logit = isc_log_wouldlog(99);
REQUIRE(VALID_SSUTABLE(table));
REQUIRE(signer == NULL || dns_name_isabsolute(signer));
REQUIRE(dns_name_isabsolute(name));
REQUIRE(addr == NULL || env != NULL);
+ if (logit) {
+ char signerbuf[DNS_NAME_FORMATSIZE] = { 0 };
+ char namebuf[DNS_NAME_FORMATSIZE] = { 0 };
+ char targetbuf[DNS_NAME_FORMATSIZE] = { 0 };
+ char addrbuf[ISC_NETADDR_FORMATSIZE] = { 0 };
+ char typebuf[DNS_RDATATYPE_FORMATSIZE] = { 0 };
+
+ if (signer != NULL) {
+ dns_name_format(signer, signerbuf, sizeof(signerbuf));
+ }
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ if (target != NULL) {
+ dns_name_format(target, targetbuf, sizeof(targetbuf));
+ }
+ dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+ if (addr != NULL) {
+ isc_netaddr_format(addr, addrbuf, sizeof(addrbuf));
+ }
+
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: using: signer=%s name=%s addr=%s "
+ "tcp=%u type=%s target=%s",
+ signerbuf, namebuf, addrbuf, tcp, typebuf,
+ targetbuf);
+ }
+
if (signer == NULL && addr == NULL) {
return (false);
}
for (rule = ISC_LIST_HEAD(table->rules); rule != NULL;
rule = ISC_LIST_NEXT(rule, link))
{
+ if (logit) {
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
+ "update-policy: trying: %s",
+ rule->debug != NULL ? rule->debug
+ : "not available");
+
+ if (tcp && addr != NULL) {
+ char namebuf[DNS_NAME_FORMATSIZE] = { 0 };
+ switch (rule->matchtype) {
+ case dns_ssumatchtype_tcpself:
+ tcpself =
+ dns_fixedname_initname(&fixed);
+ reverse_from_address(tcpself, addr);
+ dns_name_format(tcpself, namebuf,
+ sizeof(namebuf));
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: %s=%s",
+ mtypetostring(rule->matchtype),
+ namebuf);
+ break;
+ case dns_ssumatchtype_6to4self:
+ stfself =
+ dns_fixedname_initname(&fixed);
+ stf_from_address(stfself, addr);
+ dns_name_format(stfself, namebuf,
+ sizeof(namebuf));
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: %s=%s",
+ mtypetostring(rule->matchtype),
+ namebuf);
+ break;
+ default:
+ break;
+ }
+ }
+ }
switch (rule->matchtype) {
case dns_ssumatchtype_local:
case dns_ssumatchtype_name:
case dns_ssumatchtype_subdomain:
case dns_ssumatchtype_wildcard:
if (signer == NULL) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: no signer");
+ }
continue;
}
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(signer,
rule->identity))
{
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: signer does not "
+ "match wildcard "
+ "identity");
+ }
continue;
}
} else {
if (!dns_name_equal(signer, rule->identity)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: signer does not "
+ "match identity");
+ }
continue;
}
}
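Review bot: The trace block under `if (tcp && addr != NULL)` writes into `fixed`, `tcpself` and `stfself`, the same objects the matching code uses later, so the state of this authorization function now depends on whether debug level 99 is enabled. The later `tcpself = dns_fixedname_initname(&fixed);` in the tcp-self case appears to rebuild the name, so the decision is probably unaffected today, but that is an invariant nothing enforces. I would give the trace its own storage, `dns_fixedname_t logfixed;` and `dns_name_t *logname = dns_fixedname_initname(&logfixed);`, and pass `logname` to `reverse_from_address()` / `stf_from_address()`. Both cases could then share one `dns_name_format()` and one `isc_log_write()` after the inner switch. The declarations of `fixed`, `tcpself` and `stfself` are outside this hunk.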
case dns_ssumatchtype_subdomainselfkrb5rhs:
case dns_ssumatchtype_subdomainselfmsrhs:
if (signer == NULL) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: no signer");
+ }
continue;
}
break;
case dns_ssumatchtype_tcpself:
case dns_ssumatchtype_6to4self:
if (!tcp || addr == NULL) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: %s",
+ tcp ? "no address" : "not TCP");
+ }
continue;
}
break;
switch (rule->matchtype) {
case dns_ssumatchtype_name:
if (!dns_name_equal(name, rule->name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: name mismatch");
+ }
continue;
}
break;
case dns_ssumatchtype_subdomain:
if (!dns_name_issubdomain(name, rule->name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "name/subdomain mismatch");
+ }
continue;
}
break;
case dns_ssumatchtype_local:
if (addr == NULL) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: no address");
+ }
continue;
}
if (!dns_name_issubdomain(name, rule->name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "name/subdomain mismatch");
+ }
continue;
}
rcu_read_lock();
"key not from "
"localhost");
}
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "address not local");
+ }
continue;
}
break;
case dns_ssumatchtype_wildcard:
if (!dns_name_matcheswildcard(name, rule->name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: record name does "
+ "not match wilcard name");
+ }
continue;
}
break;
case dns_ssumatchtype_self:
if (!dns_name_equal(signer, name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: record named not "
+ "equal signer");
+ }
continue;
}
break;
case dns_ssumatchtype_selfsub:
if (!dns_name_issubdomain(name, signer)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: record name not "
+ "subdomain of signer");
+ }
continue;
}
break;
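Review bot: Two of the new trace messages in this hunk are misspelled, and since operators will grep these strings when debugging an update-policy denial they should read cleanly. The wildcard case logs "not match wilcard name", which should be `"not match wildcard name"`. The self case logs "record named not equal signer", which I would change to `"rule: record name not "` `"equal to signer"`. The same "wilcard" spelling recurs in the next hunk's "wilcard, signer concatenation failed" message.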
result = dns_name_concatenate(dns_wildcardname, signer,
wildcard, NULL);
if (result != ISC_R_SUCCESS) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: wilcard, signer "
+ "concatenation failed");
+ }
continue;
}
if (!dns_name_matcheswildcard(name, wildcard)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "record name does not match "
+ "wildcarded signer");
+ }
continue;
}
break;
{
break;
}
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
+ "update-policy: next rule: krb5 signer "
+ "doesn't map to record name");
+ }
continue;
case dns_ssumatchtype_selfms:
if (dst_gssapi_identitymatchesrealmms(
{
break;
}
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
+ "update-policy: next rule: MS Windows "
+ "signer doesn't map to record name");
+ }
continue;
case dns_ssumatchtype_selfsubkrb5:
if (dst_gssapi_identitymatchesrealmkrb5(
{
break;
}
+ if (logit) {
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "record name not a subdomain of "
+ "krb5 signer mapped name");
+ }
continue;
case dns_ssumatchtype_selfsubms:
if (dst_gssapi_identitymatchesrealmms(
{
break;
}
+ if (logit) {
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "record name not a subdomain of "
+ "MS Windows signer mapped name");
+ }
continue;
case dns_ssumatchtype_subdomainkrb5:
case dns_ssumatchtype_subdomainselfkrb5rhs:
if (!dns_name_issubdomain(name, rule->name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: record name not a "
+ "subdomain of rule name");
+ }
continue;
}
tname = NULL;
{
break;
}
+ if (logit) {
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: rdata "
+ "name does not match krb5 signer "
+ "mapped name");
+ }
continue;
case dns_ssumatchtype_subdomainms:
case dns_ssumatchtype_subdomainselfmsrhs:
if (!dns_name_issubdomain(name, rule->name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: record name not a "
+ "subdomain of rule name");
+ }
continue;
}
tname = NULL;
{
break;
}
+ if (logit) {
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: rdata "
+ "name does not match MS Windows "
+ "signer mapped name");
+ }
continue;
case dns_ssumatchtype_tcpself:
tcpself = dns_fixedname_initname(&fixed);
if (!dns_name_matcheswildcard(tcpself,
rule->identity))
{
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: tcp-self name "
+ "does not match "
+ "wildcard identity");
+ }
continue;
}
} else {
if (!dns_name_equal(tcpself, rule->identity)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: tcp-self name "
+ "does not match "
+ "identity");
+ }
continue;
}
}
if (!dns_name_equal(tcpself, name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "tcp-self name does not match "
+ "record name");
+ }
continue;
}
break;
if (!dns_name_matcheswildcard(stfself,
rule->identity))
{
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: %s name "
+ "does not match "
+ "wildcard identity",
+ mtypetostring(
+ rule->matchtype));
+ }
continue;
}
} else {
if (!dns_name_equal(stfself, rule->identity)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: %s name does "
+ "not match identity",
+ mtypetostring(
+ rule->matchtype));
+ }
continue;
}
}
if (!dns_name_equal(stfself, name)) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: %s name does not "
+ "match record name",
+ mtypetostring(rule->matchtype));
+ }
continue;
}
break;
name, addr, type, key,
table->mctx))
{
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "external match failed");
+ }
continue;
}
break;
if (!dns_dlz_ssumatch(table->dlzdatabase, signer, name,
addr, type, key))
{
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: dlz match failed");
+ }
continue;
}
break;
if (rule->matchtype != dns_ssumatchtype_dlz &&
!isusertype(type))
{
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next "
+ "rule: not user type");
+ }
continue;
}
} else {
}
}
if (i == rule->ntypes) {
+ if (logit) {
+ isc_log_write(
+ DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: next rule: "
+ "type not in type list");
+ }
continue;
}
}
if (rule->grant && rulep != NULL) {
*rulep = rule;
}
+ if (logit) {
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
+ DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
+ "update-policy: matched: %s",
+ rule->debug != NULL ? rule->debug
+ : "not available");
+ }
return (rule->grant);
}
+ if (logit) {
+ isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, DNS_LOGMODULE_SSU,
+ ISC_LOG_DEBUG(99),
+ "update-policy: no match found");
+ }
return (false);
}
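Review bot: The four-line `if (logit) { isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99), ...); }` wrapper is repeated before nearly every `continue` in this function, which greatly lengthens it and buries the grant/deny logic that a reviewer most needs to audit. A small file-local macro would reduce each trace to one line and keep the category, module and level in a single place. The function starts outside this hunk, and the same applies to every earlier hunk that adds a trace. The macro name below is only a suggestion.
```c
#define SSU_TRACE(...)                                                  \
	do {                                                            \
		if (logit) {                                            \
			isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,    \
				      DNS_LOGMODULE_SSU,                \
				      ISC_LOG_DEBUG(99), __VA_ARGS__);  \
		}                                                       \
	} while (0)

/* … unchanged: rule loop, with each trace written as SSU_TRACE("…") … */
	SSU_TRACE("update-policy: no match found");
	return (false);
```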
rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
- rule->identity = NULL;
- rule->name = NULL;
- rule->grant = true;
- rule->matchtype = dns_ssumatchtype_dlz;
- rule->ntypes = 0;
- rule->types = NULL;
- rule->magic = SSURULEMAGIC;
+ *rule = (dns_ssurule_t){
+ .grant = true,
+ .matchtype = dns_ssumatchtype_dlz,
+ .magic = SSURULEMAGIC,
+ };
+
+ rule->debug = isc_mem_strdup(mctx, "grant dlz");
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
*tablep = table;