From: Otto
Date: Tue, 16 Feb 2021 13:41:03 +0000 (+0100)
Subject: Count DNSSEC stats for some names in a different set of counters
X-Git-Tag: dnsdist-1.6.0-alpha2~20^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2b20e91845c5194d1d75d383170c04d7e66e4dcb;p=thirdparty%2Fpdns.git

Count DNSSEC stats for some names in a different set of counters
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 440e898167..4a39535143 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -254,6 +254,8 @@ unsigned int g_numThreads;
 uint16_t g_outgoingEDNSBufsize;
 bool g_logRPZChanges{false};
+// Used in Syncres to counts DNSSEC stats for names in a different "universe"
+GlobalStateHolder g_xdnssec;
 // Used in the Syncres to not throttle certain servers
 GlobalStateHolder g_dontThrottleNames;
 GlobalStateHolder g_dontThrottleNetmasks;
@@ -4749,6 +4751,16 @@ static int serviceMain(int argc, char*argv[])
 g_dontThrottleNetmasks.setState(std::move(dontThrottleNetmasks));
 }
+ {
+ SuffixMatchNode xdnssecNames;
+ vector parts;
+ stringtok(parts, ::arg()["x-dnssec-names"], " ,");
+ for (const auto &p : parts) {
+ xdnssecNames.add(DNSName(p));
+ }
+ g_xdnssec.setState(std::move(xdnssecNames));
+ }
+
 s_balancingFactor = ::arg().asDouble("distribution-load-factor");
 if (s_balancingFactor != 0.0 && s_balancingFactor < 1.0) {
 s_balancingFactor = 0.0;
@@ -5476,6 +5488,8 @@ int main(int argc, char **argv)
 ::arg().set("record-cache-shards", "Number of shards in the record cache")="1024";
 ::arg().set("refresh-on-ttl-perc", "If a record is requested from the cache and only this % of original TTL remains, refetch") = "0";
+ ::arg().set("x-dnssec-names", "Collect DNSSEC statistics for names or suffixes in this list in separate x-dnssec counters")="";
+
 #ifdef NOD_ENABLED
 ::arg().set("new-domain-tracking", "Track newly observed domains (i.e. never seen before).")="no";
 ::arg().set("new-domain-log", "Log newly observed domains.")="yes";
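Review bot: In the new block in serviceMain, `xdnssecNames.add(DNSName(p))` passes each configured token through DNSName's string constructor, which rejects a malformed name by throwing, so a single typo in `x-dnssec-names` aborts startup with an exception that does not say which setting it came from. Catching around the loop and rethrowing with context, e.g. `throw std::runtime_error("Error parsing x-dnssec-names entry '" + p + "': " + e.what());`, would name the setting and the offending token; keep it consistent with the dont-throttle-names block just above if that one already has a convention (its start is outside this hunk). Separately, the comment added in the first hunk reads "to counts"; `// Used in Syncres to count DNSSEC stats for names in a different "universe"` fixes it. The new setting also needs an entry in the settings documentation, and no documentation file is part of this diff.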
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 0bcc47238e..56e5517fec 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1198,6 +1198,14 @@ static void registerAllStats1()
 }
 return total;
 });
+ addGetStat("x-dnssec-result-bogus", []() {
+ static std::set const bogusStates = { vState::BogusNoValidDNSKEY, vState::BogusInvalidDenial, vState::BogusUnableToGetDSs, vState::BogusUnableToGetDNSKEYs, vState::BogusSelfSignedDS, vState::BogusNoRRSIG, vState::BogusNoValidRRSIG, vState::BogusMissingNegativeIndication, vState::BogusSignatureNotYetValid, vState::BogusSignatureExpired, vState::BogusUnsupportedDNSKEYAlgo, vState::BogusUnsupportedDSDigestType, vState::BogusNoZoneKeyBitSet, vState::BogusRevokedDNSKEY, vState::BogusInvalidDNSKEYProtocol };
+ uint64_t total = 0;
+ for (const auto& state : bogusStates) {
+ total += g_stats.xdnssecResults[state];
+ }
+ return total;
+ });
 addGetStat("dnssec-result-bogus-no-valid-dnskey", &g_stats.dnssecResults[vState::BogusNoValidDNSKEY]);
 addGetStat("dnssec-result-bogus-invalid-denial", &g_stats.dnssecResults[vState::BogusInvalidDenial]);
 addGetStat("dnssec-result-bogus-unable-to-get-dss", &g_stats.dnssecResults[vState::BogusUnableToGetDSs]);
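Review bot: The `bogusStates` set inside the new `x-dnssec-result-bogus` lambda is a second copy of the Bogus-state list that the `dnssec-result-bogus` getter immediately above it appears to keep (only its closing `return total; });` lines are in this hunk), so every future vState::Bogus* value has to be added in two places or the two totals silently diverge. Hoist the set to one file-scope `static const` shared by both lambdas, or factor the summing loop into a small helper that takes the results map by const reference so each getter becomes a one-liner such as `return sumBogusResults(g_stats.xdnssecResults);`. A one-line comment above the set noting that `g_stats.xdnssecResults[state]` relies on every key already being present (the pointer registrations further down pre-create them) would also help, because operator[] on a missing key would otherwise insert into the shared map from whichever thread reads the stat. registerAllStats1 starts and ends outside this hunk.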
@@ -1216,6 +1224,25 @@ static void registerAllStats1()
 addGetStat("dnssec-result-indeterminate", &g_stats.dnssecResults[vState::Indeterminate]);
 addGetStat("dnssec-result-nta", &g_stats.dnssecResults[vState::NTA]);
+ addGetStat("x-dnssec-result-bogus-no-valid-dnskey", &g_stats.xdnssecResults[vState::BogusNoValidDNSKEY]);
+ addGetStat("x-dnssec-result-bogus-invalid-denial", &g_stats.xdnssecResults[vState::BogusInvalidDenial]);
+ addGetStat("x-dnssec-result-bogus-unable-to-get-dss", &g_stats.xdnssecResults[vState::BogusUnableToGetDSs]);
+ addGetStat("x-dnssec-result-bogus-unable-to-get-dnskeys", &g_stats.xdnssecResults[vState::BogusUnableToGetDNSKEYs]);
+ addGetStat("x-dnssec-result-bogus-self-signed-ds", &g_stats.xdnssecResults[vState::BogusSelfSignedDS]);
+ addGetStat("x-dnssec-result-bogus-no-rrsig", &g_stats.xdnssecResults[vState::BogusNoRRSIG]);
+ addGetStat("x-dnssec-result-bogus-no-valid-rrsig", &g_stats.xdnssecResults[vState::BogusNoValidRRSIG]);
+ addGetStat("x-dnssec-result-bogus-missing-negative-indication", &g_stats.xdnssecResults[vState::BogusMissingNegativeIndication]);
+ addGetStat("x-dnssec-result-bogus-signature-not-yet-valid", &g_stats.xdnssecResults[vState::BogusSignatureNotYetValid]);
+ addGetStat("x-dnssec-result-bogus-signature-expired", &g_stats.xdnssecResults[vState::BogusSignatureExpired]);
+ addGetStat("x-dnssec-result-bogus-unsupported-dnskey-algo", &g_stats.xdnssecResults[vState::BogusUnsupportedDNSKEYAlgo]);
+ addGetStat("x-dnssec-result-bogus-unsupported-ds-digest-type", &g_stats.xdnssecResults[vState::BogusUnsupportedDSDigestType]);
+ addGetStat("x-dnssec-result-bogus-no-zone-key-bit-set", &g_stats.xdnssecResults[vState::BogusNoZoneKeyBitSet]);
+ addGetStat("x-dnssec-result-bogus-revoked-dnskey", &g_stats.xdnssecResults[vState::BogusRevokedDNSKEY]);
+ addGetStat("x-dnssec-result-bogus-invalid-dnskey-protocol", &g_stats.xdnssecResults[vState::BogusInvalidDNSKEYProtocol]);
+ addGetStat("x-dnssec-result-indeterminate", &g_stats.xdnssecResults[vState::Indeterminate]);
+ addGetStat("x-dnssec-result-nta", &g_stats.xdnssecResults[vState::NTA]);
+
+
 addGetStat("policy-result-noaction", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NoAction]);
 addGetStat("policy-result-drop", &g_stats.policyResults[DNSFilterEngine::PolicyKind::Drop]);
 addGetStat("policy-result-nxdomain", &g_stats.policyResults[DNSFilterEngine::PolicyKind::NXDOMAIN]);
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 4ac5bb9679..58597e71f5 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -9,6 +9,7 @@ RecursorStats g_stats;
 GlobalStateHolder g_luaconfs;
+GlobalStateHolder g_xdnssec;
 GlobalStateHolder g_dontThrottleNames;
 GlobalStateHolder g_dontThrottleNetmasks;
 std::unique_ptr g_recCache{nullptr};
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index b9b12c218e..af48cf9372 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -167,7 +167,12 @@ int SyncRes::beginResolve(const DNSName &qname, const QType qtype, uint16_t qcla
 if (d_queryValidationState != vState::Indeterminate) {
 g_stats.dnssecValidations++;
 }
- increaseDNSSECStateCounter(d_queryValidationState);
+ auto xdnssec = g_xdnssec.getLocal();
+ if (xdnssec->check(qname)) {
+ increaseXDNSSECStateCounter(d_queryValidationState);
+ } else {
+ increaseDNSSECStateCounter(d_queryValidationState);
+ }
 }
 return res;
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index abf4eaf8bf..937c849806 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -61,6 +61,7 @@
 #include "fstrm_logger.hh"
 #endif /* HAVE_FSTRM */
+extern GlobalStateHolder g_xdnssec;
 extern GlobalStateHolder g_dontThrottleNames;
 extern GlobalStateHolder g_dontThrottleNetmasks;
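Review bot: The x-dnssec-result-* registrations cover the Bogus states, Indeterminate and NTA, but nothing in this commit registers `x-dnssec-result-secure` or `x-dnssec-result-insecure`, while beginResolve in syncres.cc now routes every validation state of a matched name into xdnssecResults; unless those two getters exist outside the visible hunks, Secure and Insecure results for x-dnssec names are counted but never exposed, and the first `xdnssecResults[state]++` for them inserts into the shared std::map from a resolver thread instead of hitting an entry pre-created by a registration here. Adding `addGetStat("x-dnssec-result-secure", &g_stats.xdnssecResults[vState::Secure]);` and the Insecure counterpart next to the bogus getter closes both gaps. As a matter of style, these seventeen lines mirror the dnssec-result-* registrations name for name; a single table of (suffix, vState) pairs iterated once per prefix would keep the two lists from drifting apart. registerAllStats1 starts and ends outside this hunk.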
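Review bot: `g_stats.dnssecValidations++` in the syncres.cc hunk still runs for every non-Indeterminate result, but the result itself now lands in either dnssecResults or xdnssecResults depending on `xdnssec->check(qname)`, so the field no longer matches the comment kept next to it in the syncres.hh hunk that it `should be the sum of all dnssecResult* stats`; after this change it is the sum of both maps. Either update that comment to `// should be the sum of all dnssecResult* and xdnssecResult* stats` or add a separate validations counter for the x-dnssec universe, depending on which metric semantics operators are meant to rely on. beginResolve's body continues outside the hunk.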
@@ -1017,6 +1018,7 @@ struct RecursorStats
 unsigned int maxMThreadStackUsage;
 std::atomic dnssecValidations; // should be the sum of all dnssecResult* stats
 std::map > dnssecResults;
+ std::map > xdnssecResults;
 std::map > policyResults;
 std::atomic rebalancedQueries{0};
 std::atomic proxyProtocolInvalidCount{0};
diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc
index 41adc3da48..c430d3d19e 100644
--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -29,6 +29,12 @@ vState increaseDNSSECStateCounter(const vState& state)
 return state;
 }
+vState increaseXDNSSECStateCounter(const vState& state)
+{
+ g_stats.xdnssecResults[state]++;
+ return state;
+}
+
 // Returns true if dsAnchors were modified
 bool updateTrustAnchorsFromFile(const std::string &fname, map &dsAnchors) {
 map newDSAnchors;
diff --git a/pdns/validate-recursor.hh b/pdns/validate-recursor.hh
index 88ed15e66c..f5e7a41373 100644
--- a/pdns/validate-recursor.hh
+++ b/pdns/validate-recursor.hh
@@ -38,4 +38,5 @@ extern bool g_dnssecLogBogus;
 bool checkDNSSECDisabled();
 bool warnIfDNSSECDisabled(const string& msg);
 vState increaseDNSSECStateCounter(const vState& state);
+vState increaseXDNSSECStateCounter(const vState& state);
 bool updateTrustAnchorsFromFile(const std::string &fname, map &dsAnchors);
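Review bot: `increaseXDNSSECStateCounter` in the validate-recursor.cc hunk is a line-for-line copy of `increaseDNSSECStateCounter` with only the map swapped, and neither the definition nor the declaration added to validate-recursor.hh says when a caller should pick it over the original. A short comment above the definition such as `// Same as increaseDNSSECStateCounter, but for names matched by x-dnssec-names (see g_xdnssec)` would make the split explicit; alternatively, one private helper taking the results map could back both names, which stay as thin wrappers for existing callers. The duplicated `xdnssecResults` member added in the syncres.hh hunk could carry the same one-line pointer to the setting so a reader of RecursorStats knows why there are two maps.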