From: Kees Monshouwer Date: Mon, 23 Nov 2020 13:03:59 +0000 (+0100) Subject: auth: add zone and primary to all axfr logging X-Git-Tag: auth-4.5.0-alpha0^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=efe7948eea6696ccd408ff2a1f4d850e3866fafb;p=thirdparty%2Fpdns.git auth: add zone and primary to all axfr logging --- diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 31460c19b7..b3f47248f3 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -83,6 +83,8 @@ struct ZoneStatus void CommunicatorClass::ixfrSuck(const DNSName &domain, const TSIGTriplet& tt, const ComboAddress& laddr, const ComboAddress& remote, unique_ptr& pdl, ZoneStatus& zs, vector* axfr) { + string logPrefix="IXFR-in zone '"+domain.toLogString()+"', primary '"+remote.toString()+"', "; + UeberBackend B; // fresh UeberBackend DomainInfo di; 
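Review bot: The inbound prefix on the added `logPrefix` line in ixfrSuck renders the primary with `remote.toString()`, which drops the port, whereas the outbound prefixes this same commit adds in tcpreceiver.cc record the client with `toStringWithPort()`; if the same primary host can be reached on more than one port the inbound lines become ambiguous. Using the port-bearing form keeps both directions consistent: `string logPrefix="IXFR-in zone '"+domain.toLogString()+"', primary '"+remote.toStringWithPort()+"', ";`. The same applies to the `AXFR-in` prefix built from `raddr.toString()` in doAxfr. ixfrSuck's body continues past this hunk.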
@@ -95,9 +97,9 @@ void CommunicatorClass::ixfrSuck(const DNSName &domain, const TSIGTriplet& tt, c // this checks three error conditions, and sets wrongDomainKind if we hit the third & had an error if(!B.getDomainInfo(domain, di) || !di.backend || (wrongDomainKind = true, di.kind != DomainInfo::Slave)) { // di.backend and B are mostly identical if(wrongDomainKind) - g_log< doAxfr(const ComboAddress& raddr, const DNSName bool first=true; bool firstNSEC3{true}; bool soa_received {false}; + string logPrefix="AXFR-in zone '"+domain.toLogString()+"', primary '"+raddr.toString()+"', "; while(retriever.getChunk(recs, nullptr, axfr_timeout)) { if(first) { - g_log< doAxfr(const ComboAddress& raddr, const DNSName continue; if(!i->qname.isPartOf(domain)) { - g_log<qname<<"'|"<qtype.getName()<<" during AXFR of zone '"<qname<<"'|"<qtype.getName()<<", ignoring"< doAxfr(const ComboAddress& raddr, const DNSName for(DNSResourceRecord& rr : out) { if(!rr.qname.isPartOf(domain)) { - g_log<qname<<"'|"<qtype.getName()<<" during AXFR of zone '"<qname<<"'|"<qtype.getName()<<", ignoring"<(); pdl->loadFile(script); - g_log< meta; B.getDomainMetadata(domain, "IXFR", meta); if(!meta.empty() && meta[0]=="1") { + logPrefix = "I" + logPrefix; // XFR -> IXFR vector axfr; - g_log< AXFR bool firstNSEC3=true; rrs.reserve(axfr.size()); for(const auto& dr : axfr) { @@ -426,7 +433,7 @@ void CommunicatorClass::suck(const DNSName &domain, const ComboAddress& remote, } } else { - g_log< AXFR + g_log<startTransaction(domain, zs.domain_id); - g_log< maxent) { - g_log<setFresh(zs.domain_id); purgeAuthCaches(domain.toString()+"$"); - g_log<abortTransaction(); } } catch(const MOADNSException &mde) { - g_log<abortTransaction(); } } catch(std::exception &re) { - g_log<abortTransaction(); } } 
@@ -645,17 +653,17 @@ void CommunicatorClass::suck(const DNSName &domain, const ComboAddress& remote, newCount = d_failedSlaveRefresh[domain].first + 1; time_t nextCheck = now + std::min(newCount * d_tickinterval, (uint64_t)::arg().asNum("default-ttl")); d_failedSlaveRefresh[domain] = {newCount, nextCheck}; - g_log<abortTransaction(); } } catch(PDNSException &ae) { - g_log<abortTransaction(); } } diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index 8b84ca49fb..609d5ef3c7 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc @@ -388,11 +388,13 @@ void TCPNameserver::doConnection(int fd) // call this method with s_plock held! -bool TCPNameserver::canDoAXFR(std::unique_ptr& q) +bool TCPNameserver::canDoAXFR(std::unique_ptr& q, bool isAXFR) { if(::arg().mustDo("disable-axfr")) return false; + string logPrefix=string(isAXFR ? "A" : "I")+"XFR-out zone '"+q->qdomain.toLogString()+"', client '"+q->getRemote().toStringWithPort()+"', "; + if(q->d_havetsig) { // if you have one, it must be good TSIGRecordContent trc; DNSName keyname; 
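Review bot: In the canDoAXFR hunk the new `logPrefix` is built only after the `if(::arg().mustDo("disable-axfr")) return false;` early exit, so a transfer refused because AXFR is disabled is the one denial in this function that still leaves no line with the zone/client prefix the commit is adding everywhere else. Since canDoAXFR already logs every other "denied"/"allowed" outcome with the prefix, the disabled case is worth one Info line too; building the prefix first and logging before returning is a four-line change. canDoAXFR continues past the end of this hunk.
```cpp
string logPrefix=string(isAXFR ? "A" : "I")+"XFR-out zone '"+q->qdomain.toLogString()+"', client '"+q->getRemote().toStringWithPort()+"', ";
if(::arg().mustDo("disable-axfr")) {
  g_log<<Logger::Info<<logPrefix<<"denied: zone transfers are disabled (disable-axfr)"<<endl;
  return false;
}
// … unchanged: TSIG and ACL checks …
```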
@@ -405,18 +407,18 @@ bool TCPNameserver::canDoAXFR(std::unique_ptr& q) DNSSECKeeper dk(s_P->getBackend()); if(!dk.TSIGGrantsAccess(q->qdomain, keyname)) { - g_log<qdomain<<"' denied: key with name '"<d_tsig_algo)<<"' does not grant access to zone"<d_tsig_algo)<<"' does not grant access"<qdomain<<"' allowed: TSIG signed request with authorized key '"<d_tsig_algo)<<"'"<d_tsig_algo)<<"'"<d_remote )) { - g_log<qdomain<<"' allowed: client IP "<getRemote()<<" is in allow-axfr-ips"<& q) if(*k == q->getRemote().toString()) { // cerr<<"got AUTO-NS hit"<qdomain<<"' allowed: client IP "<getRemote()<<" is in NSset"<& q) Netmask nm = Netmask(*i); if(nm.match( (ComboAddress *) &q->d_remote )) { - g_log<qdomain<<"' allowed: client IP "<getRemote()<<" is in per-domain ACL"<& q) extern CommunicatorClass Communicator; if(Communicator.justNotified(q->qdomain, q->getRemote().toString())) { // we just notified this ip - g_log<qdomain<<"' from recently notified slave "<getRemote()<qdomain<<"' denied: client IP "<getRemote()<<" has no permission"<& q, int outsock) { + string logPrefix="AXFR-out zone '"+target.toLogString()+"', client '"+q->getRemote().toStringWithPort()+"', "; + std::unique_ptr outpacket= getFreshAXFRPacket(q); if(q->d_dnssecOk) outpacket->d_dnssecOk=true; // RFC 5936, 2.2.5 'SHOULD' - g_log<getRemote()< l(s_plock); - DLOG(g_log<<"Looking for SOA"<(); } // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first. - if (!canDoAXFR(q)) { - g_log<getRemote()<<" may not request AXFR"<setRcode(RCode::NotAuth); sendPacket(outpacket,outsock); return 0; } if(!s_P->getBackend()->getSOAUncached(target, sd)) { - g_log<setRcode(RCode::NotAuth); sendPacket(outpacket,outsock); return 0; @@ -533,7 +537,7 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, UeberBackend db; if(!db.getSOAUncached(target, sd)) { - g_log<setRcode(RCode::NotAuth); sendPacket(outpacket,outsock); return 0; 
@@ -550,7 +554,7 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, if(securedZone && dk.getNSEC3PARAM(target, &ns3pr, &narrow)) { NSEC3Zone=true; if(narrow) { - g_log<getRemote()<setRcode(RCode::Refused); sendPacket(outpacket,outsock); return 0; @@ -570,18 +574,18 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, algorithm = DNSName("hmac-md5"); if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { - g_log<addRecord(DNSZoneRecord(soa)); if(securedZone && !presignedZone) { @@ -697,7 +701,7 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, // now start list zone if(!(sd.db->list(target, sd.domain_id))) { - g_log<setRcode(RCode::ServFail); sendPacket(outpacket,outsock); return 0; @@ -723,7 +727,7 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, int ret1 = stubDoResolve(getRR(zrr.dr)->d_content, QType::A, ips); int ret2 = stubDoResolve(getRR(zrr.dr)->d_content, QType::AAAA, ips); if(ret1 != RCode::NoError || ret2 != RCode::NoError) { - g_log<getZoneRepresentation()<<", aborting AXFR"<getZoneRepresentation()<<", aborting AXFR"<setRcode(RCode::ServFail); sendPacket(outpacket,outsock); return 0; @@ -749,7 +753,7 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, zrrs.push_back(zrr); } else { if (zrr.dr.d_type) - g_log<& q, while(shorter != target && shorter.chopOff()) { if(!qnames.count(shorter) && !nonterm.count(shorter) && nsec3set.count(shorter)) { if(!(maxent)) { - g_log<setRcode(RCode::ServFail); + sendPacket(outpacket,outsock); return 0; } nonterm.insert(shorter); @@ -990,9 +996,9 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, udiff=dt.udiffNoReset(); if(securedZone) - g_log<addRecord(std::move(soa)); 
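Review bot: The `sendPacket(outpacket,outsock);` added in the `if(!(maxent))` branch of doAXFR is a behaviour fix, not a logging change: without it the ServFail set by `outpacket->setRcode(RCode::ServFail)` was never written to the socket, so a secondary that hit the NSEC3 empty-non-terminal cap saw only a closed connection and could not tell a refusal from a network failure. The addition is correct and matches every other error exit in this function, but the commit message ("add zone and primary to all axfr logging") does not mention it; either note it there, e.g. "also send the ServFail when the NSEC3 empty non-terminal limit is hit", or split it into its own commit so the change is discoverable. doAXFR starts and ends outside this hunk.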
@@ -1001,14 +1007,16 @@ int TCPNameserver::doAXFR(const DNSName &target, std::unique_ptr& q, sendPacket(outpacket, outsock); - DLOG(g_log<<"last packet - close"<getRemote()<<" finished"<& q, int outsock) { + string logPrefix="IXFR-out zone '"+q->qdomain.toLogString()+"', client '"+q->getRemote().toStringWithPort()+"', "; + std::unique_ptr outpacket=getFreshAXFRPacket(q); if(q->d_dnssecOk) outpacket->d_dnssecOk=true; // RFC 5936, 2.2.5 'SHOULD' @@ -1025,26 +1033,26 @@ int TCPNameserver::doIXFR(std::unique_ptr& q, int outsock) serial=pdns_stou(parts[2]); } catch(const std::out_of_range& oor) { - g_log<setRcode(RCode::FormErr); sendPacket(outpacket,outsock); return 0; } } else { - g_log<setRcode(RCode::FormErr); sendPacket(outpacket,outsock); return 0; } } else if (rr->d_type != QType::TSIG && rr->d_type != QType::OPT) { - g_log<d_type).getName()<d_type).getName()<setRcode(RCode::FormErr); sendPacket(outpacket,outsock); return 0; } } - g_log<qdomain<<"' initiated by "<getRemote()<<" with serial "<& q, int outsock) bool serialPermitsIXFR; { std::lock_guard l(s_plock); - DLOG(g_log<<"Looking for SOA"<(); } // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first. - if(!canDoAXFR(q) || !s_P->getBackend()->getSOAUncached(q->qdomain, sd)) { - g_log<qdomain<<"' failed: not authoritative"<getBackend()->getSOAUncached(q->qdomain, sd)) { + g_log<setRcode(RCode::NotAuth); sendPacket(outpacket,outsock); return 0; @@ -1072,7 +1080,7 @@ int TCPNameserver::doIXFR(std::unique_ptr& q, int outsock) securedZone = dk.isSecuredZone(q->qdomain); if(dk.getNSEC3PARAM(q->qdomain, nullptr, &narrow)) { if(narrow) { - g_log<qdomain<<"' for "<getRemote()<setRcode(RCode::Refused); sendPacket(outpacket,outsock); return 0; 
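Review bot: In the doIXFR hunk, `if(!canDoAXFR(q, false) || !s_P->getBackend()->getSOAUncached(q->qdomain, sd))` still folds an ACL denial and a zone we are not authoritative for into a single NotAuth exit, and the removed line shows the one message was "failed: not authoritative" — for a request canDoAXFR refused that wording is wrong, and with the new prefix it will sit right after canDoAXFR's own "denied" line for the same client. doAXFR in this same commit keeps the two checks separate (an ACL refusal exit, then a "not authoritative" exit on the SOA lookup); doing the same here, i.e. test `canDoAXFR(q, false)` first and return NotAuth without a second log line, then test `getSOAUncached` and log "failed: not authoritative", makes the IXFR log read like the AXFR log. doIXFR begins in this hunk's file but continues past the end of it.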
@@ -1099,17 +1107,17 @@ int TCPNameserver::doIXFR(std::unique_ptr& q, int outsock) if (algorithm == DNSName("hmac-md5.sig-alg.reg.int")) algorithm = DNSName("hmac-md5"); if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { - g_log<addRecord(std::move(soa)); if(securedZone && outpacket->d_dnssecOk) { @@ -1123,12 +1131,12 @@ int TCPNameserver::doIXFR(std::unique_ptr& q, int outsock) sendPacket(outpacket, outsock); - g_log<getRemote()<<" finished"<qdomain<<"' our serial "<qdomain, q, outsock); } diff --git a/pdns/tcpreceiver.hh b/pdns/tcpreceiver.hh index 5220d5b5f2..8d538a7237 100644 --- a/pdns/tcpreceiver.hh +++ b/pdns/tcpreceiver.hh @@ -53,7 +53,7 @@ private: static void getQuestion(int fd, char *mesg, int pktlen, const ComboAddress& remote, unsigned int totalTime); static int doAXFR(const DNSName &target, std::unique_ptr& q, int outsock); static int doIXFR(std::unique_ptr& q, int outsock); - static bool canDoAXFR(std::unique_ptr& q); + static bool canDoAXFR(std::unique_ptr& q, bool isAXFR); static void doConnection(int fd); static void decrementClientCount(const ComboAddress& remote); void thread(void);