d_pd.push_back({"validationstates", in_t{
{"Indeterminate", static_cast<unsigned int>(vState::Indeterminate) },
- {"Bogus", static_cast<unsigned int>(vState::Bogus) },
+ {"BogusNoValidDNSKEY", static_cast<unsigned int>(vState::BogusNoValidDNSKEY) },
+ {"BogusInvalidDenial", static_cast<unsigned int>(vState::BogusInvalidDenial) },
+ {"BogusUnableToGetDSs", static_cast<unsigned int>(vState::BogusUnableToGetDSs) },
+ {"BogusUnableToGetDNSKEYs", static_cast<unsigned int>(vState::BogusUnableToGetDNSKEYs) },
+ {"BogusSelfSignedDS", static_cast<unsigned int>(vState::BogusSelfSignedDS) },
+ {"BogusNoRRSIG", static_cast<unsigned int>(vState::BogusNoRRSIG) },
+ {"BogusNoValidRRSIG", static_cast<unsigned int>(vState::BogusNoValidRRSIG) },
+ {"BogusMissingNegativeIndication", static_cast<unsigned int>(vState::BogusMissingNegativeIndication) },
{"Insecure", static_cast<unsigned int>(vState::Insecure) },
{"Secure", static_cast<unsigned int>(vState::Secure) },
}});
}
}
- if (t_pdl || (g_dns64Prefix && dq.qtype == QType::AAAA && dq.validationState != vState::Bogus)) {
+ if (t_pdl || (g_dns64Prefix && dq.qtype == QType::AAAA && !vStateIsBogus(dq.validationState))) {
if (res == RCode::NoError) {
auto i = ret.cbegin();
for(; i!= ret.cend(); ++i) {
if (t_pdl && t_pdl->nodata(dq, res)) {
shouldNotValidate = true;
}
- else if (g_dns64Prefix && dq.qtype == QType::AAAA && dq.validationState != vState::Bogus) {
+ else if (g_dns64Prefix && dq.qtype == QType::AAAA && !vStateIsBogus(dq.validationState)) {
res = getFakeAAAARecords(dq.qname, *g_dns64Prefix, ret);
shouldNotValidate = true;
}
pw.getHeader()->ad=0;
}
- else if(state == vState::Bogus) {
+ else if (vStateIsBogus(state)) {
if(t_bogusremotes)
t_bogusremotes->push_back(dc->d_source);
if(t_bogusqueryring)
}
if (cacheHit) {
- if(valState == vState::Bogus) {
+ if (vStateIsBogus(valState)) {
if(t_bogusremotes)
t_bogusremotes->push_back(source);
if(t_bogusqueryring)
addGetStat("dnssec-validations", &g_stats.dnssecValidations);
addGetStat("dnssec-result-insecure", &g_stats.dnssecResults[vState::Insecure]);
addGetStat("dnssec-result-secure", &g_stats.dnssecResults[vState::Secure]);
- addGetStat("dnssec-result-bogus", &g_stats.dnssecResults[vState::Bogus]);
+ addGetStat("dnssec-result-bogus-no-valid-dnskey", &g_stats.dnssecResults[vState::BogusNoValidDNSKEY]);
+ addGetStat("dnssec-result-bogus-invalid-denial", &g_stats.dnssecResults[vState::BogusInvalidDenial]);
+ addGetStat("dnssec-result-bogus-unable-to-get-dss", &g_stats.dnssecResults[vState::BogusUnableToGetDSs]);
+ addGetStat("dnssec-result-bogus-unable-to-get-dnskeys", &g_stats.dnssecResults[vState::BogusUnableToGetDNSKEYs]);
+ addGetStat("dnssec-result-bogus-self-signed-ds", &g_stats.dnssecResults[vState::BogusSelfSignedDS]);
+ addGetStat("dnssec-result-bogus-no-rrsig", &g_stats.dnssecResults[vState::BogusNoRRSIG]);
+ addGetStat("dnssec-result-bogus-no-valid-rrsig", &g_stats.dnssecResults[vState::BogusNoValidRRSIG]);
+ addGetStat("dnssec-result-bogus-missing-negative-indication", &g_stats.dnssecResults[vState::BogusMissingNegativeIndication]);
addGetStat("dnssec-result-indeterminate", &g_stats.dnssecResults[vState::Indeterminate]);
addGetStat("dnssec-result-nta", &g_stats.dnssecResults[vState::NTA]);
else if (stateUpdate == vState::NTA) {
state = vState::Insecure;
}
- else if (stateUpdate == vState::Bogus) {
+ else if (vStateIsBogus(stateUpdate)) {
state = stateUpdate;
}
else if (stateUpdate == vState::Indeterminate) {
state = stateUpdate;
}
else if (stateUpdate == vState::Insecure) {
- if (*state != vState::Bogus && *state != vState::Indeterminate) {
+ if (!vStateIsBogus(*state) && *state != vState::Indeterminate) {
state = stateUpdate;
}
}
else if (stateUpdate == vState::Secure) {
- if (*state != vState::Bogus && *state != vState::Indeterminate) {
+ if (!vStateIsBogus(*state) && *state != vState::Indeterminate) {
state = stateUpdate;
}
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 5U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 5U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
BOOST_REQUIRE_EQUAL(ret.size(), 0U);
/* com|NS, powerdns.com|NS, powerdns.com|A */
BOOST_CHECK_EQUAL(queriesCount, 3U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
BOOST_REQUIRE_EQUAL(ret.size(), 0U);
/* we don't store empty results */
BOOST_CHECK_EQUAL(queriesCount, 4U);
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
/* 13 NS + 1 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
/* 13 NS + 1 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
/* 13 NS + 1 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
/* 13 NS + 1 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 4U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
/* 13 NS + 1 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
/* 13 NS + 0 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 13U);
/* no RRSIG so no query for DNSKEYs */
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 13U);
/* check that we capped the TTL to max-cache-bogus-ttl */
for (const auto& record : ret) {
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
/* 13 NS + 1 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
/* 13 NS + 1 RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
ret.clear();
res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 14U);
BOOST_CHECK_EQUAL(queriesCount, 2U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 3U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 3U);
ret.clear();
res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK_EQUAL(queriesCount, 3U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(DNSName("com."), QType(QType::DS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK_EQUAL(queriesCount, 1U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 9U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 9U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 8U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusSelfSignedDS);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 8U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 10U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoValidDNSKEY);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 10U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_CHECK_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 8U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 8U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_CHECK_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 8U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 8U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 11U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 11U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 11U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 11U);
}
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
/* no RRSIG to show */
BOOST_CHECK_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 10U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_CHECK_EQUAL(ret.size(), 2U);
BOOST_CHECK_EQUAL(queriesCount, 10U);
}
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
/* should be insecure but we have a TA for powerdns.com., but no RRSIG so Bogus */
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
/* No RRSIG */
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK(ret[0].d_type == QType::A);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
BOOST_CHECK(ret[0].d_type == QType::A);
BOOST_CHECK_EQUAL(queriesCount, 4U);
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
BOOST_REQUIRE_EQUAL(ret.size(), 0U);
/* com|NS, powerdns.com|NS, powerdns.com|A */
BOOST_CHECK_EQUAL(queriesCount, 3U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
BOOST_REQUIRE_EQUAL(ret.size(), 0U);
/* we don't store empty results */
BOOST_CHECK_EQUAL(queriesCount, 4U);
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
BOOST_REQUIRE_EQUAL(ret.size(), 0U);
/* com|NS, powerdns.com|NS, powerdns.com|A */
BOOST_CHECK_EQUAL(queriesCount, 3U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusMissingNegativeIndication);
BOOST_REQUIRE_EQUAL(ret.size(), 0U);
/* we don't store empty results */
BOOST_CHECK_EQUAL(queriesCount, 4U);
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 4U);
BOOST_CHECK_EQUAL(g_negCache->size(), 1U);
BOOST_REQUIRE_EQUAL(g_negCache->get(target, QType(QType::A), sr->getNow(), ne), true);
BOOST_CHECK_EQUAL(ne.d_ttd, fixedNow + SyncRes::s_maxbogusttl);
- BOOST_CHECK_EQUAL(ne.d_validationState, vState::Bogus);
+ BOOST_CHECK_EQUAL(ne.d_validationState, vState::BogusNoRRSIG);
BOOST_CHECK_EQUAL(ne.authoritySOA.records.size(), 1U);
BOOST_CHECK_EQUAL(ne.authoritySOA.signatures.size(), 1U);
BOOST_CHECK_EQUAL(ne.DNSSECRecords.records.size(), 1U);
ret.clear();
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 3U);
BOOST_CHECK_EQUAL(queriesCount, 4U);
}
sr->setDNSSECValidationRequested(true);
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
/* check that we correctly capped the TTD for a Bogus record after
just-in-time validation */
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
sr->setDNSSECValidationRequested(true);
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 1U);
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::A);
sr->setDNSSECValidationRequested(true);
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
/* check that we correctly capped the TTD for a Bogus record after
just-in-time validation */
sr->setDNSSECValidationRequested(true);
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusNoRRSIG);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
sr->setDNSSECValidationRequested(true);
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
for (const auto& record : ret) {
BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
}
BOOST_CHECK_EQUAL(queriesCount, 4U);
BOOST_REQUIRE_EQUAL(g_negCache->get(target, QType(QType::A), sr->getNow(), ne), true);
- BOOST_CHECK_EQUAL(ne.d_validationState, vState::Bogus);
+ BOOST_CHECK_EQUAL(ne.d_validationState, vState::BogusInvalidDenial);
BOOST_CHECK_EQUAL(ne.authoritySOA.records.size(), 1U);
BOOST_CHECK_EQUAL(ne.authoritySOA.signatures.size(), 1U);
BOOST_CHECK_EQUAL(ne.d_ttd, now + SyncRes::s_maxbogusttl);
sr->setDNSSECValidationRequested(false);
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Bogus);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), vState::BogusInvalidDenial);
BOOST_REQUIRE_EQUAL(ret.size(), 2U);
for (const auto& record : ret) {
BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
}
BOOST_CHECK_EQUAL(queriesCount, 4U);
BOOST_REQUIRE_EQUAL(g_negCache->get(target, QType(QType::A), sr->getNow(), ne), true);
- BOOST_CHECK_EQUAL(ne.d_validationState, vState::Bogus);
+ BOOST_CHECK_EQUAL(ne.d_validationState, vState::BogusInvalidDenial);
BOOST_CHECK_EQUAL(ne.authoritySOA.records.size(), 1U);
BOOST_CHECK_EQUAL(ne.authoritySOA.signatures.size(), 1U);
BOOST_CHECK_EQUAL(ne.d_ttd, now + SyncRes::s_maxbogusttl);
state = sr.getValidationState();
}
- if(state == vState::Bogus) {
+ if (vStateIsBogus(state)) {
g_log<<Logger::Error<<"Failed to retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
if(g_security_status == 1) // If we were OK, go to unknown
g_security_status = 0;
return;
}
- if (newState == vState::Bogus) {
+ if (vStateIsBogus(newState)) {
g_recCache->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, d_routingTag, aa, newState, s_maxbogusttl + d_now.tv_sec);
}
else {
state = SyncRes::validateRecordsWithSigs(depth, foundName, foundQT, foundName, cset, signatures);
if (state != vState::Indeterminate) {
LOG(prefix<<qname<<": got vState::Indeterminate state from the CNAME cache, new validation result is "<<state<<endl);
- if (state == vState::Bogus) {
+ if (vStateIsBogus(state)) {
capTTL = s_maxbogusttl;
}
updateValidationStatusInCache(foundName, foundQT, wasAuth, state);
if (state != vState::Indeterminate) {
/* validation succeeded, let's update the cache entry so we don't have to validate again */
boost::optional<time_t> capTTD = boost::none;
- if (state == vState::Bogus) {
+ if (vStateIsBogus(state)) {
capTTD = d_now.tv_sec + s_maxbogusttl;
}
g_negCache->updateValidationStatus(ne.d_name, ne.d_qtype, state, capTTD);
// And get the updated ne struct
//t_sstorage.negcache.get(negCacheName, QType(0), d_now, ne, true);
}
- if ((s_hardenNXD == HardenNXD::Yes && ne.d_validationState != vState::Bogus) || ne.d_validationState == vState::Secure) {
+ if ((s_hardenNXD == HardenNXD::Yes && !vStateIsBogus(ne.d_validationState)) || ne.d_validationState == vState::Secure) {
res = RCode::NXDomain;
sttl = ne.d_ttd - d_now.tv_sec;
giveNegative = true;
LOG(prefix<<qname<<": got vState::Indeterminate state for records retrieved from the negative cache, validating.."<<endl);
computeNegCacheValidationStatus(ne, qname, qtype, res, state, depth);
- if (state != cachedState && state == vState::Bogus) {
+ if (state != cachedState && vStateIsBogus(state)) {
sttl = std::min(sttl, s_maxbogusttl);
}
}
if (cachedState != vState::Indeterminate) {
LOG(prefix<<qname<<": got vState::Indeterminate state from the cache, validation result is "<<cachedState<<endl);
- if (cachedState == vState::Bogus) {
+ if (vStateIsBogus(cachedState)) {
capTTL = s_maxbogusttl;
}
if (sqt != QType::ANY && sqt != QType::ADDR) {
}
LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl);
- return vState::Bogus;
+ return vState::BogusUnableToGetDSs;
}
bool SyncRes::haveExactValidationStatus(const DNSName& domain)
{
bool foundCut = false;
dsmap_t ds;
- vState dsState = getDSRecords(qname, ds, newState == vState::Bogus || existingState == vState::Insecure || existingState == vState::Bogus, depth, false, &foundCut);
+ vState dsState = getDSRecords(qname, ds, vStateIsBogus(newState) || existingState == vState::Insecure || vStateIsBogus(existingState), depth, false, &foundCut);
if (dsState != vState::Indeterminate) {
newState = dsState;
/* no need to look for NS and DS if we are already insecure or bogus,
just look for (N)TA
*/
- if (cutState == vState::Insecure || cutState == vState::Bogus) {
+ if (cutState == vState::Insecure || vStateIsBogus(cutState)) {
dsmap_t cutDS;
vState newState = getDSRecords(qname, cutDS, true, depth);
if (newState == vState::Indeterminate) {
covering this set, this looks Bogus. */
if (validatedKeys.size() != tentativeKeys.size()) {
LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl);
- return vState::Bogus;
+ return vState::BogusNoValidDNSKEY;
}
return vState::Secure;
}
LOG(d_prefix<<"Returning Bogus state from "<<__func__<<"("<<signer<<")"<<endl);
- return vState::Bogus;
+ return vState::BogusUnableToGetDNSKEYs;
}
vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname, const QType& qtype, const DNSName& name, const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
DS (or a denial of a DS) signed by the DS itself, since we should be
requesting it from the parent zone. Something is very wrong */
LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself, going Bogus"<<endl);
- return vState::Bogus;
+ return vState::BogusSelfSignedDS;
}
return vState::Indeterminate;
}
}
} else {
LOG(d_prefix<<"Bogus!"<<endl);
- return vState::Bogus;
+ return vState::BogusNoRRSIG;
}
sortedRecords_t recordcontents;
}
LOG(d_prefix<<"Bogus!"<<endl);
- return vState::Bogus;
+ return vState::BogusNoValidRRSIG;
}
static bool allowAdditionalEntry(std::unordered_set<DNSName>& allowedAdditionals, const DNSRecord& rec)
LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl);
recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures);
/* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
- if (qtype == QType::NS && i->second.signatures.empty() && recordState == vState::Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == vState::Indeterminate) {
+ if (qtype == QType::NS && i->second.signatures.empty() && vStateIsBogus(recordState) && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == vState::Indeterminate) {
recordState = vState::Indeterminate;
}
}
}
}
- if (recordState == vState::Bogus) {
+ if (vStateIsBogus(recordState)) {
/* this is a TTD by now, be careful */
for(auto& record : i->second.records) {
record.d_ttl = std::min(record.d_ttl, static_cast<uint32_t>(s_maxbogusttl + d_now.tv_sec));
}
else {
LOG(d_prefix<<"Invalid denial found for "<<neName<<", returning Bogus, res="<<denialState<<", expectedState="<<expectedState<<endl);
- neValidationState = vState::Bogus;
+ neValidationState = vState::BogusInvalidDenial;
}
updateValidationState(state, neValidationState);
}
ne.d_validationState = state;
}
- if (ne.d_validationState == vState::Bogus) {
+ if (vStateIsBogus(ne.d_validationState)) {
lowestTTL = min(lowestTTL, s_maxbogusttl);
}
cspmap_t csp = harvestCSPFromNE(ne);
dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount);
if (res != dState::NXDOMAIN) {
- vState st = vState::Bogus;
+ vState st = vState::BogusInvalidDenial;
if (res == dState::INSECURE) {
/* Some part could not be validated, for example a NSEC3 record with a too large number of iterations,
this is not enough to warrant a Bogus, but go Insecure. */
ne.d_validationState = state;
}
- if (ne.d_validationState == vState::Bogus) {
+ if (vStateIsBogus(ne.d_validationState)) {
lowestTTL = min(lowestTTL, s_maxbogusttl);
rec.d_ttl = min(rec.d_ttl, s_maxbogusttl);
}
if (state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
LOG(prefix<<qname<<": NXDOMAIN without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
- updateValidationState(state, vState::Bogus);
+ updateValidationState(state, vState::BogusMissingNegativeIndication);
}
if(d_doDNSSEC)
if(state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
LOG(prefix<<qname<<": NODATA without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
- updateValidationState(state, vState::Bogus);
+ updateValidationState(state, vState::BogusMissingNegativeIndication);
}
if(d_doDNSSEC)
res=sr.beginResolve(g_rootdnsname, QType(QType::NS), 1, ret, depth + 1);
if (g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate) {
auto state = sr.getValidationState();
- if (state == vState::Bogus)
+ if (vStateIsBogus(state)) {
throw PDNSException("Got Bogus validation result for .|NS");
+ }
}
return res;
}
if(validkeys.empty())
{
LOG("ended up with zero valid DNSKEYs, going Bogus"<<endl);
- return vState::Bogus;
+ return vState::BogusNoValidDNSKEY;
}
LOG("situation: we have one or more valid DNSKEYs for ["<<*zoneCutIter<<"] (want ["<<zone<<"])"<<endl);
LOG("No DS for "<<*(zoneCutIter+1)<<", now look for a secure denial"<<endl);
dState res = getDenial(validrrsets, *(zoneCutIter+1), QType::DS, true, true);
if (res == dState::INSECURE || res == dState::NXDOMAIN)
- return vState::Bogus;
+ return vState::BogusInvalidDenial;
if (res == dState::NXQTYPE || res == dState::OPTOUT)
return vState::Insecure;
}
}
}
// There were no zone cuts (aka, we should never get here)
- return vState::Bogus;
+ return vState::BogusUnableToGetDNSKEYs;
}
bool isSupportedDS(const DSRecordContent& ds)
const std::string& vStateToString(vState state)
{
- static const std::vector<std::string> vStates = {"Indeterminate", "Bogus", "Insecure", "Secure", "NTA", "TA"};
+ static const std::vector<std::string> vStates = {"Indeterminate", "Insecure", "Secure", "NTA", "TA", "Bogus - No valid DNSKEY", "Bogus - Invalid denial", "Bogus - Unable to get DSs", "Bogus - Unable to get DNSKEYs", "Bogus - Self Signed DS", "Bogus - No RRSIG", "Bogus - No valid RRSIG", "Bogus - Missing negative indication" };
return vStates.at(static_cast<size_t>(state));
}
else if (stateUpdate == vState::NTA) {
state = vState::Insecure;
}
- else if (stateUpdate == vState::Bogus) {
- state = vState::Bogus;
+ else if (vStateIsBogus(stateUpdate)) {
+ state = stateUpdate;
}
else if (state == vState::Indeterminate) {
state = stateUpdate;
}
else if (stateUpdate == vState::Insecure) {
- if (state != vState::Bogus) {
+ if (!vStateIsBogus(state)) {
state = vState::Insecure;
}
}
extern uint16_t g_maxNSEC3Iterations;
// 4033 5
-enum class vState : uint8_t { Indeterminate, Bogus, Insecure, Secure, NTA, TA };
+enum class vState : uint8_t { Indeterminate, Insecure, Secure, NTA, TA, BogusNoValidDNSKEY, BogusInvalidDenial, BogusUnableToGetDSs, BogusUnableToGetDNSKEYs, BogusSelfSignedDS, BogusNoRRSIG, BogusNoValidRRSIG, BogusMissingNegativeIndication };
const std::string& vStateToString(vState state);
+inline bool vStateIsBogus(vState state)
+{
+ return state >= vState::BogusNoValidDNSKEY;
+}
// NSEC(3) results
enum class dState : uint8_t { NODENIAL, NXDOMAIN, NXQTYPE, ENT, INSECURE, OPTOUT};
projects / thirdparty / pdns.git / commitdiff
