From: Remi Gacogne Date: Mon, 24 Dec 2018 09:54:17 +0000 (+0100) Subject: rec: Add counters for incoming AD and CD queries X-Git-Tag: rec-4.2.0-alpha1~73^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=88c33dca92f68d3c4a0a9dc8cb3c9838f034b94b;p=thirdparty%2Fpdns.git rec: Add counters for incoming AD and CD queries
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 28360e42b2..45a6e26a19 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1110,6 +1110,21 @@ static void startDoResolve(void *p)
 DNSSECOK=true;
 g_stats.dnssecQueries++;
 }
+ if (dc->d_mdp.d_header.cd) {
+ /* Per rfc6840 section 5.9, "When processing a request with
+ the Checking Disabled (CD) bit set, a resolver SHOULD attempt
+ to return all response data, even data that has failed DNSSEC
+ validation. */
+ ++g_stats.dnssecCheckDisabledQueries;
+ }
+ if (dc->d_mdp.d_header.ad) {
+ /* Per rfc6840 section 5.7, "the AD bit in a query as a signal
+ indicating that the requester understands and is interested in the
+ value of the AD bit in the response. This allows a requester to
+ indicate that it understands the AD bit without also requesting
+ DNSSEC data via the DO bit. */
+ ++g_stats.dnssecAuthenticDataQueries;
+ }
 } else {
 // Ignore the client-set CD flag
 pw.getHeader()->cd=0;
diff --git a/pdns/rec-snmp.cc b/pdns/rec-snmp.cc
index ce7dd34bd0..930eca5300 100644
--- a/pdns/rec-snmp.cc
+++ b/pdns/rec-snmp.cc
@@ -110,6 +110,8 @@ static const oid policyResultCustomOID[] = { RECURSOR_STATS_OID, 91 };
 static const oid queryPipeFullDropsOID[] = { RECURSOR_STATS_OID, 92 };
 static const oid truncatedDropsOID[] = { RECURSOR_STATS_OID, 93 };
 static const oid emptyQueriesOID[] = { RECURSOR_STATS_OID, 94 };
+static const oid dnssecAuthenticDataQueriesOID[] = { RECURSOR_STATS_OID, 95 };
+static const oid dnssecCheckDisabledQueriesOID[] = { RECURSOR_STATS_OID, 96 };
 static std::unordered_map s_statsMap;
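Review bot: In `startDoResolve` (pdns/pdns_recursor.cc) the two new increments sit inside the branch whose `else` clears the client-set CD flag, so queries that take the `else` path are never counted, while the MIB and metrics.rst entries added in this same commit describe the counters as all queries received with the AD or CD bit set. The branch condition is outside the hunk (presumably the DNSSEC-mode check), so either move the two `if` blocks out of that branch or narrow the descriptions, e.g. `number of queries received with the CD bit set while DNSSEC processing is enabled`. The distinction matters for monitoring, since CD asks the resolver to return data that failed validation and an operator reading the counter will assume it covers all client traffic. Both new comments also open a `"` before the RFC quotation that is never closed.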
@@ -277,6 +279,8 @@ RecursorSNMPAgent::RecursorSNMPAgent(const std::string& name, const std::string&
 registerCounter64Stat("edns-ping-matches", ednsPingMatchesOID, OID_LENGTH(ednsPingMatchesOID));
 registerCounter64Stat("edns-ping-mismatches", ednsPingMismatchesOID, OID_LENGTH(ednsPingMismatchesOID));
 registerCounter64Stat("dnssec-queries", dnssecQueriesOID, OID_LENGTH(dnssecQueriesOID));
+ registerCounter64Stat("dnssec-authentic-data-queries", dnssecAuthenticDataQueriesOID, OID_LENGTH(dnssecAuthenticDataQueriesOID));
+ registerCounter64Stat("dnssec-check-disabled-queries", dnssecCheckDisabledQueriesOID, OID_LENGTH(dnssecCheckDisabledQueriesOID));
 registerCounter64Stat("noping-outqueries", nopingOutqueriesOID, OID_LENGTH(nopingOutqueriesOID));
 registerCounter64Stat("noedns-outqueries", noednsOutqueriesOID, OID_LENGTH(noednsOutqueriesOID));
 registerCounter64Stat("uptime", uptimeOID, OID_LENGTH(uptimeOID));
diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc
index 53eebc3d8c..a6a5825cfd 100644
--- a/pdns/rec_channel_rec.cc
+++ b/pdns/rec_channel_rec.cc
@@ -1013,6 +1013,8 @@ void registerAllStats()
 addGetStat("edns-ping-matches", &g_stats.ednsPingMatches);
 addGetStat("edns-ping-mismatches", &g_stats.ednsPingMismatches);
 addGetStat("dnssec-queries", &g_stats.dnssecQueries);
+ addGetStat("dnssec-authentic-data-queries", &g_stats.dnssecAuthenticDataQueries);
+ addGetStat("dnssec-check-disabled-queries", &g_stats.dnssecCheckDisabledQueries);
 addGetStat("noping-outqueries", &g_stats.noPingOutQueries);
 addGetStat("noedns-outqueries", &g_stats.noEdnsOutQueries);
diff --git a/pdns/recursordist/RECURSOR-MIB.txt b/pdns/recursordist/RECURSOR-MIB.txt
index 143d10d31e..c1d74c97e1 100644
--- a/pdns/recursordist/RECURSOR-MIB.txt
+++ b/pdns/recursordist/RECURSOR-MIB.txt
@@ -15,7 +15,7 @@ IMPORTS FROM SNMPv2-CONF;
 rec MODULE-IDENTITY
- LAST-UPDATED "201611290000Z"
+ LAST-UPDATED "201812240000Z"
 ORGANIZATION "PowerDNS BV"
 CONTACT-INFO "support@powerdns.com"
 DESCRIPTION
@@ -24,6 +24,9 @@ rec MODULE-IDENTITY
 REVISION "201611290000Z"
 DESCRIPTION "Initial revision."
+ REVISION "201812240000Z"
+ DESCRIPTION "Added the dnssecAuthenticDataQueries and dnssecCheckDisabledQueries stats."
+
 ::= { powerdns 2 }
 powerdns OBJECT IDENTIFIER ::= { enterprises 43315 }
@@ -782,6 +785,22 @@ emptyQueries OBJECT-TYPE
 "Number of queries dropped because they had a QD count of 0"
 ::= { stats 94 }
+dnssecAuthenticDataQueries OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries received with the AD bit set"
+ ::= { stats 95 }
+
+dnssecCheckDisabledQueries OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries received with the CD bit set"
+ ::= { stats 96 }
+
 ---
 --- Traps / Notifications
 ---
@@ -917,6 +936,9 @@ recGroup OBJECT-GROUP
 policyResultCustom,
 queryPipeFullDrops,
 truncatedDrops,
+ emptyQueries,
+ dnssecAuthenticDataQueries,
+ dnssecCheckDisabledQueries
 trapReason
 }
 STATUS current
diff --git a/pdns/recursordist/docs/metrics.rst b/pdns/recursordist/docs/metrics.rst
index 6bd2e45ab9..569fcd4690 100644
--- a/pdns/recursordist/docs/metrics.rst
+++ b/pdns/recursordist/docs/metrics.rst
@@ -184,6 +184,18 @@ dlg-only-drops
 ^^^^^^^^^^^^^^
 number of records dropped because of :ref:`setting-delegation-only` setting
+dnssec-authentic-data-queries
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. versionadded:: 4.2
+
+number of queries received with the AD bit set
+
+dnssec-check-disabled-queries
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+.. versionadded:: 4.2
+
+number of queries received with the CD bit set
+
 dnssec-queries
 ^^^^^^^^^^^^^^
 number of queries received with the DO bit set
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index cb2a448591..a9d632d560 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
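Review bot: In the `rec MODULE-IDENTITY` hunk of RECURSOR-MIB.txt the new `REVISION "201812240000Z"` clause is appended after the 2016 one, whereas SMIv2 asks for REVISION clauses in reverse chronological order, newest first, and MIB checkers warn about the ordering used here. The new `REVISION` line and its `DESCRIPTION` should be placed before `REVISION "201611290000Z"`.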
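Review bot: The added `dnssecCheckDisabledQueries` line in the `recGroup` OBJECTS list has no trailing comma although the next context line is `trapReason`, so the patched list reads `dnssecCheckDisabledQueries trapReason` and a strict MIB parser will likely reject it. The line should be `dnssecCheckDisabledQueries,`. If the module fails to load, SNMP monitoring would show the new OIDs unnamed, which undercuts the point of exposing these counters. The OBJECT-GROUP statement begins above the hunk, so the rest of the list is not visible here.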
@@ -933,6 +933,8 @@ struct RecursorStats
 std::atomic emptyQueriesCount;
 time_t startupTime;
 std::atomic dnssecQueries;
+ std::atomic dnssecAuthenticDataQueries;
+ std::atomic dnssecCheckDisabledQueries;
 unsigned int maxMThreadStackUsage;
 std::atomic dnssecValidations; // should be the sum of all dnssecResult* stats
 std::map > dnssecResults;