From: Remi Gacogne Date: Thu, 14 Apr 2022 15:20:15 +0000 (+0200) Subject: rec: DNSSEC counters track responses sent, not actual validations performed X-Git-Tag: auth-4.8.0-alpha0~136^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3aebcb3af2cea8f85502fe070ece1da6a531f85e;p=thirdparty%2Fpdns.git rec: DNSSEC counters track responses sent, not actual validations performed Since 4.1 these counters are updated for every response sent, even if the DNSSEC status was fetched from the records cache and did not involve any actual validation. --- diff --git a/pdns/recursordist/RECURSOR-MIB.txt b/pdns/recursordist/RECURSOR-MIB.txt index 2def016acb..15be9c21f3 100644 --- a/pdns/recursordist/RECURSOR-MIB.txt +++ b/pdns/recursordist/RECURSOR-MIB.txt @@ -691,7 +691,7 @@ dnssecValidations OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of DNSSEC validations" + "Number of responses sent, packet-cache hits excluded, for which a DNSSEC validation was requested by either the client or the configuration" ::= { stats 80 } dnssecResultInsecure OBJECT-TYPE @@ -699,7 +699,7 @@ dnssecResultInsecure OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of DNSSEC insecure results" + "Number of responses sent, excluding packet-cache hits, that were in the DNSSEC insecure state" ::= { stats 81 } dnssecResultSecure OBJECT-TYPE @@ -707,7 +707,7 @@ dnssecResultSecure OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of DNSSEC secure results" + "Number of responses sent, excluding packet-cache hits, that were in the DNSSEC secure state" ::= { stats 82 } dnssecResultBogus OBJECT-TYPE @@ -715,7 +715,7 @@ dnssecResultBogus OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of DNSSEC bogus results" + "Number of responses sent, excluding packet-cache hits, that were in the DNSSEC bogus state" ::= { stats 83 } dnssecResultIndeterminate OBJECT-TYPE 
@@ -723,7 +723,7 @@ dnssecResultIndeterminate OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of DNSSEC indeterminate results" + "Number of responses sent, excluding packet-cache hits, that were in the DNSSEC indeterminate state" ::= { stats 84 } dnssecResultNta OBJECT-TYPE @@ -731,7 +731,7 @@ dnssecResultNta OBJECT-TYPE MAX-ACCESS read-only STATUS current DESCRIPTION - "Number of DNSSEC NTA results" + "Number of responses sent, excluding packet-cache hits, that were in the DNSSEC NTA state" ::= { stats 85 } policyResultNoaction OBJECT-TYPE diff --git a/pdns/recursordist/docs/metrics.rst b/pdns/recursordist/docs/metrics.rst index 137e25e7fb..121dba2cdc 100644 --- a/pdns/recursordist/docs/metrics.rst +++ b/pdns/recursordist/docs/metrics.rst @@ -330,7 +330,7 @@ number of queries received with the DO bit set dnssec-result-bogus ^^^^^^^^^^^^^^^^^^^ -number of DNSSEC validations that had the Bogus state. Since 4.4.2 detailed counters are available, see below. +number of responses sent, packet-cache hits excluded, that were in the DNSSEC Bogus state. Since 4.4.2 detailed counters are available, see below. Since 4.5.0, if :ref:`setting-x-dnssec-names` is set, a separate set of ``x-dnssec-result-...`` metrics become available, counting the DNSSEC validation results for names suffix-matching a name in ``x-dnssec-names``. 
@@ -339,91 +339,91 @@ dnssec-result-bogus-no-valid-dnskey ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a valid DNSKEY could not be found. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because a valid DNSKEY could not be found. dnssec-result-bogus-invalid-denial ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a valid denial of existence proof could not be found. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because a valid denial of existence proof could not be found. dnssec-result-bogus-unable-to-get-dss ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a valid DS could not be retrieved. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because a valid DS could not be retrieved. dnssec-result-bogus-unable-to-get-dnskeys ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a valid DNSKEY could not be retrieved. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because a valid DNSKEY could not be retrieved. dnssec-result-bogus-self-signed-ds ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a DS record was signed by itself. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because a DS record was signed by itself. dnssec-result-bogus-no-rrsig ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because required RRSIG records were not present in an answer. 
+number of responses sent, packet-cache hits excluded, that were in the Bogus state because required RRSIG records were not present in an answer. dnssec-result-bogus-no-valid-rrsig ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because only invalid RRSIG records were present in an answer. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because only invalid RRSIG records were present in an answer. dnssec-result-bogus-missing-negative-indication ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a NODATA or NXDOMAIN answer lacked the required SOA and/or NSEC(3) records. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because a NODATA or NXDOMAIN answer lacked the required SOA and/or NSEC(3) records. dnssec-result-bogus-signature-no-yet-valid ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because the signature inception time in the RRSIG was not yet valid. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because the signature inception time in the RRSIG was not yet valid. dnssec-result-bogus-signature-expired ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because the signature expired time in the RRSIG was in the past. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because the signature expired time in the RRSIG was in the past. dnssec-result-bogus-unsupported-dnskey-algo ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a DNSKEY RRset contained only unsupported DNSSEC algorithms. 
+number of responses sent, packet-cache hits excluded, that were in the Bogus state because a DNSKEY RRset contained only unsupported DNSSEC algorithms. dnssec-result-bogus-unsupported-ds-digest-type ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because a DS RRset contained only unsupported digest types. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because a DS RRset contained only unsupported digest types. dnssec-result-bogus-no-zone-key-bit-set ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because no DNSKEY with the Zone Key bit set was found. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because no DNSKEY with the Zone Key bit set was found. dnssec-result-bogus-revoked-dnskey ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because all DNSKEYs were revoked. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because all DNSKEYs were revoked. dnssec-result-bogus-invalid-dnskey-protocol ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. versionadded:: 4.4.2 -number of DNSSEC validations that had the Bogus state because all DNSKEYs had invalid protocols. +number of responses sent, packet-cache hits excluded, that were in the Bogus state because all DNSKEYs had invalid protocols. dnssec-result-indeterminate ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -431,19 +431,19 @@ number of DNSSEC validations that had the Indeterminate state dnssec-result-insecure ^^^^^^^^^^^^^^^^^^^^^^ -number of DNSSEC validations that had the Insecure state +number of responses sent, packet-cache hits excluded, that were in the Insecure state dnssec-result-nta ^^^^^^^^^^^^^^^^^ -number of DNSSEC validations that had the NTA (negative trust anchor) state +number of responses sent, packet-cache hits excluded, that were in the NTA (negative trust anchor) state dnssec-result-secure ^^^^^^^^^^^^^^^^^^^^ -number of DNSSEC validations that had the Secure state +number of responses sent, packet-cache hits excluded, that were in the Secure state dnssec-validations ^^^^^^^^^^^^^^^^^^ -number of DNSSEC validations performed +number of responses sent, packet-cache hits excluded, for which a DNSSEC validation was requested by either the client or the configuration dont-outqueries ^^^^^^^^^^^^^^^
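Review bot: The wording for the packet-cache exclusion is inconsistent within RECURSOR-MIB.txt: the dnssecValidations description (hunk at -691) says "packet-cache hits excluded", while the five dnssecResult* descriptions that follow say "excluding packet-cache hits". Pick one phrasing for all six entries, preferably "packet-cache hits excluded", since that is what metrics.rst uses throughout.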
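Review bot: In the dnssec-result-bogus hunk of metrics.rst (at -330), the unchanged sentence right after the edited line still describes the ``x-dnssec-result-...`` metrics as "counting the DNSSEC validation results", which is the wording this patch replaces everywhere else. If those counters are updated on the same path, that sentence should say they count responses sent as well; if they are not, the difference deserves an explicit statement here.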
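Review bot: The new descriptions for the dnssec-result-bogus-* entries (metrics.rst hunk at -339) only state that packet-cache hits are excluded, while the commit message says the key point is that responses whose DNSSEC status was fetched from the records cache are counted even though no validation took place. None of the edited lines mention the records cache, so a reader of the docs alone cannot tell that; one sentence saying that record-cache answers are included would carry it. Minor: these entries say "the Bogus state" where the parent dnssec-result-bogus entry says "the DNSSEC Bogus state".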
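Review bot: dnssec-result-indeterminate is missed in metrics.rst. The header of the last hunk (at -431) shows its description still reading "number of DNSSEC validations that had the Indeterminate state", on the line that falls between the previous hunk and this one, whereas dnssecResultIndeterminate in the MIB is updated by this patch. Suggest changing it to "number of responses sent, packet-cache hits excluded, that were in the Indeterminate state" to match the neighbouring entries.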