From: Otto Date: Wed, 17 Feb 2021 12:43:18 +0000 (+0100) Subject: Documentation plus Prometheus table update. X-Git-Tag: dnsdist-1.6.0-alpha2~20^2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=268baebe523d4969c7367b523b97f31819be75f6;p=thirdparty%2Fpdns.git Documentation plus Prometheus table update. Also, only list the x-dnssec-result-.... metrics if the corresponding setting is non-empty. --- diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc index 56e5517fec..a8333918fc 100644 --- a/pdns/rec_channel_rec.cc +++ b/pdns/rec_channel_rec.cc 
@@ -1191,21 +1191,14 @@ static void registerAllStats1() addGetStat("dnssec-result-insecure", &g_stats.dnssecResults[vState::Insecure]); addGetStat("dnssec-result-secure", &g_stats.dnssecResults[vState::Secure]); addGetStat("dnssec-result-bogus", []() { - static std::set const bogusStates = { vState::BogusNoValidDNSKEY, vState::BogusInvalidDenial, vState::BogusUnableToGetDSs, vState::BogusUnableToGetDNSKEYs, vState::BogusSelfSignedDS, vState::BogusNoRRSIG, vState::BogusNoValidRRSIG, vState::BogusMissingNegativeIndication, vState::BogusSignatureNotYetValid, vState::BogusSignatureExpired, vState::BogusUnsupportedDNSKEYAlgo, vState::BogusUnsupportedDSDigestType, vState::BogusNoZoneKeyBitSet, vState::BogusRevokedDNSKEY, vState::BogusInvalidDNSKEYProtocol }; + std::set const bogusStates = { vState::BogusNoValidDNSKEY, vState::BogusInvalidDenial, vState::BogusUnableToGetDSs, vState::BogusUnableToGetDNSKEYs, vState::BogusSelfSignedDS, vState::BogusNoRRSIG, vState::BogusNoValidRRSIG, vState::BogusMissingNegativeIndication, vState::BogusSignatureNotYetValid, vState::BogusSignatureExpired, vState::BogusUnsupportedDNSKEYAlgo, vState::BogusUnsupportedDSDigestType, vState::BogusNoZoneKeyBitSet, vState::BogusRevokedDNSKEY, vState::BogusInvalidDNSKEYProtocol }; uint64_t total = 0; for (const auto& state : bogusStates) { total += g_stats.dnssecResults[state]; } return total; }); - addGetStat("x-dnssec-result-bogus", []() { - static std::set const bogusStates = { vState::BogusNoValidDNSKEY, vState::BogusInvalidDenial, vState::BogusUnableToGetDSs, vState::BogusUnableToGetDNSKEYs, vState::BogusSelfSignedDS, vState::BogusNoRRSIG, vState::BogusNoValidRRSIG, vState::BogusMissingNegativeIndication, vState::BogusSignatureNotYetValid, vState::BogusSignatureExpired, vState::BogusUnsupportedDNSKEYAlgo, vState::BogusUnsupportedDSDigestType, vState::BogusNoZoneKeyBitSet, vState::BogusRevokedDNSKEY, vState::BogusInvalidDNSKEYProtocol }; - uint64_t total = 0; - for (const auto& state : 
bogusStates) { - total += g_stats.xdnssecResults[state]; - } - return total; - }); + addGetStat("dnssec-result-bogus-no-valid-dnskey", &g_stats.dnssecResults[vState::BogusNoValidDNSKEY]); addGetStat("dnssec-result-bogus-invalid-denial", &g_stats.dnssecResults[vState::BogusInvalidDenial]); addGetStat("dnssec-result-bogus-unable-to-get-dss", &g_stats.dnssecResults[vState::BogusUnableToGetDSs]); 
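Review bot: Dropping `static` from `bogusStates` in the `dnssec-result-bogus` lambda means the fifteen-element `std::set` is built and torn down on every read of this stat, and the commit message does not say why the static was removed. The identical list appears again in the `x-dnssec-result-bogus` lambda that the @@ -1224 hunk re-adds, so a Bogus state added later can end up summed in one total and missed in the other. One file-scope list shared by both lambdas avoids both problems; only iteration is needed, so each body reduces to `for (const auto& state : s_bogusStates) { total += g_stats.dnssecResults[state]; }` (with `xdnssecResults` in the second, and `s_bogusStates` being a proposed name). registerAllStats1 starts and ends outside the hunk.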
@@ -1224,25 +1217,36 @@ static void registerAllStats1() addGetStat("dnssec-result-indeterminate", &g_stats.dnssecResults[vState::Indeterminate]); addGetStat("dnssec-result-nta", &g_stats.dnssecResults[vState::NTA]); - addGetStat("x-dnssec-result-bogus-no-valid-dnskey", &g_stats.xdnssecResults[vState::BogusNoValidDNSKEY]); - addGetStat("x-dnssec-result-bogus-invalid-denial", &g_stats.xdnssecResults[vState::BogusInvalidDenial]); - addGetStat("x-dnssec-result-bogus-unable-to-get-dss", &g_stats.xdnssecResults[vState::BogusUnableToGetDSs]); - addGetStat("x-dnssec-result-bogus-unable-to-get-dnskeys", &g_stats.xdnssecResults[vState::BogusUnableToGetDNSKEYs]); - addGetStat("x-dnssec-result-bogus-self-signed-ds", &g_stats.xdnssecResults[vState::BogusSelfSignedDS]); - addGetStat("x-dnssec-result-bogus-no-rrsig", &g_stats.xdnssecResults[vState::BogusNoRRSIG]); - addGetStat("x-dnssec-result-bogus-no-valid-rrsig", &g_stats.xdnssecResults[vState::BogusNoValidRRSIG]); - addGetStat("x-dnssec-result-bogus-missing-negative-indication", &g_stats.xdnssecResults[vState::BogusMissingNegativeIndication]); - addGetStat("x-dnssec-result-bogus-signature-not-yet-valid", &g_stats.xdnssecResults[vState::BogusSignatureNotYetValid]); - addGetStat("x-dnssec-result-bogus-signature-expired", &g_stats.xdnssecResults[vState::BogusSignatureExpired]); - addGetStat("x-dnssec-result-bogus-unsupported-dnskey-algo", &g_stats.xdnssecResults[vState::BogusUnsupportedDNSKEYAlgo]); - addGetStat("x-dnssec-result-bogus-unsupported-ds-digest-type", &g_stats.xdnssecResults[vState::BogusUnsupportedDSDigestType]); - addGetStat("x-dnssec-result-bogus-no-zone-key-bit-set", &g_stats.xdnssecResults[vState::BogusNoZoneKeyBitSet]); - addGetStat("x-dnssec-result-bogus-revoked-dnskey", &g_stats.xdnssecResults[vState::BogusRevokedDNSKEY]); - addGetStat("x-dnssec-result-bogus-invalid-dnskey-protocol", &g_stats.xdnssecResults[vState::BogusInvalidDNSKEYProtocol]); - addGetStat("x-dnssec-result-indeterminate", 
&g_stats.xdnssecResults[vState::Indeterminate]); - addGetStat("x-dnssec-result-nta", &g_stats.xdnssecResults[vState::NTA]); + if (::arg()["x-dnssec-names"].length() > 0) { + addGetStat("x-dnssec-result-bogus", []() { + std::set const bogusStates = { vState::BogusNoValidDNSKEY, vState::BogusInvalidDenial, vState::BogusUnableToGetDSs, vState::BogusUnableToGetDNSKEYs, vState::BogusSelfSignedDS, vState::BogusNoRRSIG, vState::BogusNoValidRRSIG, vState::BogusMissingNegativeIndication, vState::BogusSignatureNotYetValid, vState::BogusSignatureExpired, vState::BogusUnsupportedDNSKEYAlgo, vState::BogusUnsupportedDSDigestType, vState::BogusNoZoneKeyBitSet, vState::BogusRevokedDNSKEY, vState::BogusInvalidDNSKEYProtocol }; + uint64_t total = 0; + for (const auto& state : bogusStates) { + total += g_stats.xdnssecResults[state]; + } + return total; + }); + addGetStat("x-dnssec-result-bogus-no-valid-dnskey", &g_stats.xdnssecResults[vState::BogusNoValidDNSKEY]); + addGetStat("x-dnssec-result-bogus-invalid-denial", &g_stats.xdnssecResults[vState::BogusInvalidDenial]); + addGetStat("x-dnssec-result-bogus-unable-to-get-dss", &g_stats.xdnssecResults[vState::BogusUnableToGetDSs]); + addGetStat("x-dnssec-result-bogus-unable-to-get-dnskeys", &g_stats.xdnssecResults[vState::BogusUnableToGetDNSKEYs]); + addGetStat("x-dnssec-result-bogus-self-signed-ds", &g_stats.xdnssecResults[vState::BogusSelfSignedDS]); + addGetStat("x-dnssec-result-bogus-no-rrsig", &g_stats.xdnssecResults[vState::BogusNoRRSIG]); + addGetStat("x-dnssec-result-bogus-no-valid-rrsig", &g_stats.xdnssecResults[vState::BogusNoValidRRSIG]); + addGetStat("x-dnssec-result-bogus-missing-negative-indication", &g_stats.xdnssecResults[vState::BogusMissingNegativeIndication]); + addGetStat("x-dnssec-result-bogus-signature-not-yet-valid", &g_stats.xdnssecResults[vState::BogusSignatureNotYetValid]); + addGetStat("x-dnssec-result-bogus-signature-expired", &g_stats.xdnssecResults[vState::BogusSignatureExpired]); + 
addGetStat("x-dnssec-result-bogus-unsupported-dnskey-algo", &g_stats.xdnssecResults[vState::BogusUnsupportedDNSKEYAlgo]); + addGetStat("x-dnssec-result-bogus-unsupported-ds-digest-type", &g_stats.xdnssecResults[vState::BogusUnsupportedDSDigestType]); + addGetStat("x-dnssec-result-bogus-no-zone-key-bit-set", &g_stats.xdnssecResults[vState::BogusNoZoneKeyBitSet]); + addGetStat("x-dnssec-result-bogus-revoked-dnskey", &g_stats.xdnssecResults[vState::BogusRevokedDNSKEY]); + addGetStat("x-dnssec-result-bogus-invalid-dnskey-protocol", &g_stats.xdnssecResults[vState::BogusInvalidDNSKEYProtocol]); + addGetStat("x-dnssec-result-indeterminate", &g_stats.xdnssecResults[vState::Indeterminate]); + addGetStat("x-dnssec-result-nta", &g_stats.xdnssecResults[vState::NTA]); + addGetStat("x-dnssec-result-insecure", &g_stats.xdnssecResults[vState::Insecure]); + addGetStat("x-dnssec-result-secure", &g_stats.xdnssecResults[vState::Secure]); + } - addGetStat("policy-result-noaction", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NoAction]); addGetStat("policy-result-drop", &g_stats.policyResults[DNSFilterEngine::PolicyKind::Drop]); addGetStat("policy-result-nxdomain", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NXDOMAIN]); diff --git a/pdns/recursordist/docs/metrics.rst b/pdns/recursordist/docs/metrics.rst index fd954b780f..1b712c6d27 100644 --- a/pdns/recursordist/docs/metrics.rst +++ b/pdns/recursordist/docs/metrics.rst 
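Review bot: The guard `if (::arg()["x-dnssec-names"].length() > 0)` is evaluated once, when registerAllStats1 runs, so the `x-dnssec-result-*` stats are listed or hidden for the whole lifetime of the process. If the setting can be changed without a restart (not visible in this hunk), the listing would not follow it. I would add a comment above the `if` such as `// x-dnssec-result-* are only listed when x-dnssec-names is non-empty at registration time`, and write the test as `!::arg()["x-dnssec-names"].empty()`. For anyone scraping these, the series will be absent rather than zero when the setting is empty, which is worth stating in metrics.rst as well.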
@@ -224,9 +224,14 @@ dnssec-queries ^^^^^^^^^^^^^^ number of queries received with the DO bit set +.. _stat-dnssec-result-bogus: + dnssec-result-bogus ^^^^^^^^^^^^^^^^^^^ number of DNSSEC validations that had the Bogus state. Since 4.4.2 detailed counters are available, see below. +Since 4.5.0, if :ref:`setting-x-dnssec-names` is set, a separate set of ``x-dnssec-result-...`` metrics become available, counting +the DNSSEC validation results for names suffix-matching a name in ``x-dnssec-names``. + dnssec-result-bogus-no-valid-dnskey ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -727,3 +732,9 @@ x-ourtime-slow Counts responses where more than 32 milliseconds was spent within the Recursor. See :ref:`stat-x-our-latency` for further details. + +x-dnssec-result-... +^^^^^^^^^^^^^^^^^^^ +.. versionadded:: 4.5.0 + +See :ref:`stat-dnssec-result-bogus`. diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 64fa3f2628..9c6342f785 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -2086,3 +2086,18 @@ should be done on the proxy. This option sets the resource record code to use for XPF records, as long as an official code has not been assigned to it. 0 means that XPF is disabled. + +.. _setting-x-dnssec-names: + +``x-dnssec-names`` +------------------ +.. versionadded:: 4.5.0 + +- Comma separated list of domain-names +- Default: (empty) + +List of names whose DNSSEC validation metrics will be counted in a separate set of metrics that start +with ``x-dnssec-result-``. +The names are suffix-matched. +This can be used to not count known failing (test) name validations in the ordinary DNSSEC metrics. + diff --git a/pdns/ws-recursor.cc b/pdns/ws-recursor.cc index 7193ffc956..bc6662e57f 100644 --- a/pdns/ws-recursor.cc +++ b/pdns/ws-recursor.cc 
@@ -618,6 +618,21 @@ const std::map MetricDefinitionStorage::metrics = {"dnssec-result-secure", MetricDefinition(PrometheusMetricType::counter, "Number of DNSSEC validations that had the Secure state")}, + {"x-dnssec-result-bogus", + MetricDefinition(PrometheusMetricType::counter, + "Number of DNSSEC validations that had the Bogus state")}, + {"x-dnssec-result-indeterminate", + MetricDefinition(PrometheusMetricType::counter, + "Number of DNSSEC validations that had the Indeterminate state")}, + {"x-dnssec-result-insecure", + MetricDefinition(PrometheusMetricType::counter, + "Number of DNSSEC validations that had the Insecure state")}, + {"x-dnssec-result-nta", + MetricDefinition(PrometheusMetricType::counter, + "Number of DNSSEC validations that had the (negative trust anchor) state")}, + {"x-dnssec-result-secure", + MetricDefinition(PrometheusMetricType::counter, + "Number of DNSSEC validations that had the Secure state")}, {"dnssec-validations", MetricDefinition(PrometheusMetricType::counter, 
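Review bot: The help strings for the new `x-dnssec-result-*` entries are copied verbatim from their `dnssec-result-*` counterparts, so the Prometheus HELP output does not say that these counters cover only names suffix-matching `x-dnssec-names`. Someone building alerts on DNSSEC failures could read `x-dnssec-result-bogus` as the overall Bogus count, or overlook that names listed in the setting are kept out of the ordinary counters, as the settings.rst text in this commit describes. I would qualify each description, e.g. `"Number of DNSSEC validations for names in x-dnssec-names that had the Bogus state"`; the same applies to the fifteen `x-dnssec-result-bogus-*` entries added in the @@ -930 hunk. The `x-dnssec-result-nta` text would also read better as `"... that had the NTA (negative trust anchor) state"`.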
@@ -930,6 +945,64 @@ const std::map MetricDefinitionStorage::metrics = { "dnssec-result-bogus-unsupported-ds-digest-type", MetricDefinition(PrometheusMetricType::counter, "number of DNSSEC validations that had the Bogus state because a DS RRset contained only unsupported digest types")}, + { "x-dnssec-result-bogus-invalid-denial", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a valid denial of existence proof could not be found")}, + + { "x-dnssec-result-bogus-invalid-dnskey-protocol", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because all DNSKEYs had invalid protocols")}, + + { "x-dnssec-result-bogus-missing-negative-indication", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a NODATA or NXDOMAIN answer lacked the required SOA and/or NSEC(3) records")}, + + { "x-dnssec-result-bogus-no-rrsig", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because required RRSIG records were not present in an answer")}, + + { "x-dnssec-result-bogus-no-valid-dnskey", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a valid DNSKEY could not be found")}, + + { "x-dnssec-result-bogus-no-valid-rrsig", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because only invalid RRSIG records were present in an answer")}, + + { "x-dnssec-result-bogus-no-zone-key-bit-set", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because no DNSKEY with the Zone Key bit set was found")}, + + { "x-dnssec-result-bogus-revoked-dnskey", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because all DNSKEYs were 
revoked")}, + + { "x-dnssec-result-bogus-self-signed-ds", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a DS record was signed by itself")}, + + { "x-dnssec-result-bogus-signature-expired", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because the signature expired time in the RRSIG was in the past")}, + + { "x-dnssec-result-bogus-signature-not-yet-valid", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because the signature inception time in the RRSIG was not yet valid")}, + + { "x-dnssec-result-bogus-unable-to-get-dnskeys", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a valid DNSKEY could not be retrieved")}, + + { "x-dnssec-result-bogus-unable-to-get-dss", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a valid DS could not be retrieved")}, + { "x-dnssec-result-bogus-unsupported-dnskey-algo", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a DNSKEY RRset contained only unsupported DNSSEC algorithms")}, + + { "x-dnssec-result-bogus-unsupported-ds-digest-type", + MetricDefinition(PrometheusMetricType::counter, + "number of DNSSEC validations that had the Bogus state because a DS RRset contained only unsupported digest types")}, { "proxy-protocol-invalid", MetricDefinition(PrometheusMetricType::counter, @@ -950,7 +1023,7 @@ const std::map MetricDefinitionStorage::metrics = { "taskqueue-pushed", MetricDefinition(PrometheusMetricType::counter, "number of tasks pushed to the taskqueues")}, - + { "taskqueue-size", MetricDefinition(PrometheusMetricType::gauge, "number of tasks currenlty in the taskqueue")},