trust_anchors: add .summary() and use it for logging

Previous logging was a bit confusing because it logged also intermediate
states during TA changes.

diff --git a/NEWS b/NEWS
index 270b59f48f5a9a6fb00187291977dba0c793eead..d906e79e9c2a4ec64ab914cc1b3657be2fa6b266 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,12 @@ Bugfixes
 --------
 - policy.TLS_FORWARD: fix problems with gnutls 3.3 (#438)
 
+Improvements
+------------
+- dnssec validation failures contain more verbose reasoning (!735)
+- new function trust_anchors.summary() describes state of DNSSEC TAs (!737),
+  and logs new state of trust anchors after start up and automatic changes
+
 
 Knot Resolver 3.2.0 (2018-12-17)
 ================================

diff --git a/daemon/README.rst b/daemon/README.rst
index a55ec43a246e4c0ff1ff3d7d530276a45578b2bc..51f95febec4f7e23684895d6cf4a24d05560015d 100644 (file)
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -728,6 +728,10 @@ Trust anchors and DNSSEC
 
       > trust_anchors.add('. 3600 IN DS 19036 8 2 49AAC11...')
 
+.. function:: trust_anchors.summary()
+
+   Return string with summary of configured DNSSEC trust anchors, including negative TAs.
+
 Modules configuration
 ^^^^^^^^^^^^^^^^^^^^^
 

diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in
index 29e3e30ea115cb2d2a38e7565cc856f93eef24a5..3f2c5b6078fa868b6f61fc121dd72304eeaec239 100644 (file)
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -476,6 +476,9 @@ update = function (keyset, new_keys, is_initial)
        if keyset_publish(keyset) == 0 then
                -- TODO: try to rebootstrap if for root?
                return false
+       elseif verbose() then
+               log('[ ta ] refreshed trust anchors for domain ' .. kres.dname2str(keyset.owner) .. ' are:\n'
+                   .. trust_anchors.summary(keyset.owner))
        end
 
        return true
@@ -544,10 +547,36 @@ local add_file = function (path, unmanaged)
        -- Parse new keys, refresh eventually
        if keyset_publish(keyset) == 0 then
                -- TODO: try to rebootstrap if for root?
+       elseif verbose() then
+               log('[ ta ] installed trust anchors for domain ' .. owner_str .. ' are:\n'
+                   .. trust_anchors.summary(owner))
        end
        refresh_plan(keyset, 10 * sec, false)
 end
 
+local function ta_str(owner)
+       local owner_str = kres.dname2str(owner) .. ' '
+       local msg = ''
+       for _, nta in pairs(trust_anchors.insecure) do
+               if owner == kres.str2dname(nta) then
+                       msg = owner_str .. 'is negative trust anchor\n'
+               end
+       end
+       if not trust_anchors.keysets[owner] then
+               if #msg > 0 then  -- it is normal that NTA does not have explicit TA
+                       return msg
+               else
+                       return owner_str .. 'has no explicit trust anchors\n'
+               end
+       end
+       if #msg > 0 then
+               msg = msg .. 'WARNING! negative trust anchor also has an explicit TA\n'
+       end
+       for idx, ta in ipairs(trust_anchors.keysets[owner]) do
+               msg = msg .. kres.rr2str(ta) .. '\n'
+       end
+       return msg
+end
 
 -- TA store management, for user docs see ../README.rst
 trust_anchors = {
@@ -578,7 +607,9 @@ trust_anchors = {
 
        -- Add DS/DNSKEY record(s) (unmanaged)
        add = function (keystr)
-               return trustanchor(keystr)
+               local ret = trustanchor(keystr)
+               if verbose() then log(trust_anchors.summary()) end
+               return ret
        end,
        -- Negative TA management
        set_insecure = function (list)
@@ -591,6 +622,31 @@ trust_anchors = {
                end
                trust_anchors.insecure = list
        end,
+       summary = function (owner)
+               if owner then  -- single domain
+                       return ta_str(owner)
+               end
+
+               -- all domains
+               local msg = ''
+               local ta_count = 0
+               local seen = {}
+               for _, nta_str in pairs(trust_anchors.insecure) do
+                       owner = kres.str2dname(nta_str)
+                       seen[owner] = true
+                       msg = msg .. ta_str(owner)
+               end
+               for owner, _ in pairs(trust_anchors.keysets) do
+                       if not seen[owner] then
+                               ta_count = ta_count + 1
+                               msg = msg .. ta_str(owner)
+                       end
+               end
+               if ta_count == 0 then
+                       msg = msg .. 'No valid trust anchors, DNSSEC validation is disabled\n'
+               end
+               return msg
+       end,
 }
 
 -- Syntactic sugar for TA store

diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c
index 323d89b478cffa52d1d14ae21757adccd37fee5f..d4c98e224336aefbc8534ec83994d29d8a69378d 100644 (file)
--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -91,10 +91,6 @@ static int insert_ta(map_t *trust_anchors, const knot_dname_t *name,
                knot_rrset_free(ta_rr, NULL);
                return kr_error(ENOMEM);
        }
-       if(VERBOSE_STATUS) {
-               auto_free char *rr_text = kr_rrset_text(ta_rr);
-               kr_log_verbose("[ ta ] new state of trust anchors for a domain: %s\n", rr_text);
-       }
        if (is_new_key) {
                return map_set(trust_anchors, (const char *)name, ta_rr);
        }