1 #ifdef HAVE_CONFIG_H
2 #include "config.h"
3 #endif
4 #include "secpoll-recursor.hh"
5 #include "syncres.hh"
6 #include "logger.hh"
7 #include "arguments.hh"
8 #include "version.hh"
9 #include "validate-recursor.hh"
10 #include "secpoll.hh"
11
12 #include <stdint.h>
13 #ifndef PACKAGEVERSION
14 #define PACKAGEVERSION getPDNSVersion()
15 #endif
16
// Security status learned from the last successful poll in doSecPoll().
// Values as used by the log messages in doSecPoll(): 0 = unknown,
// 1 = no known issues, 2 = update recommended, 3 = update mandatory.
uint32_t g_security_status{0};
// Message text that accompanied the last successfully processed poll.
string g_security_message{};
19
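/** Poll the PowerDNS security status for this recursor version over DNS.
 *
 * Builds a query name of the form
 *   recursor-<version>.security-status.<security-poll-suffix>.
 * (first label truncated to 63 octets, '+' and '~' rewritten to '_'),
 * resolves its TXT record through SyncRes and hands the answer to
 * processSecPoll(), which derives the new status and message.
 *
 * @param last_secpoll  Set to the current time as soon as the poll starts,
 *        even if the poll then fails, so that a failure is not retried
 *        immediately against the poll server.
 *
 * Side effects: updates g_security_status and g_security_message and writes
 * to g_log. Returns without doing anything when "security-poll-suffix" is
 * empty.
 */
void doSecPoll(time_t* last_secpoll)
{
  if (::arg()["security-poll-suffix"].empty())
    return;

  const string pkgv(PACKAGEVERSION);
  struct timeval now;
  gettimeofday(&now, nullptr);

  /* update last_secpoll right now, even if it fails
     we don't want to retry right away and hammer the server */
  *last_secpoll = now.tv_sec;

  SyncRes sr(now);
  if (g_dnssecmode != DNSSECMode::Off) {
    sr.setDoDNSSEC(true);
    sr.setDNSSECValidationRequested(true);
  }

  vector<DNSRecord> ret;

  // A DNS label holds at most 63 octets, so the version label is truncated.
  const string version = "recursor-" + pkgv;
  string qstring(version.substr(0, 63) + ".security-status." + ::arg()["security-poll-suffix"]);

  // qstring always starts with "recursor-", so back() is safe here.
  if (qstring.back() != '.')
    qstring += '.';

  // '+' and '~' occur in pre-release / packaged version strings; they are
  // replaced so the name stays a plain hostname-style label.
  boost::replace_all(qstring, "+", "_");
  boost::replace_all(qstring, "~", "_");

  vState state = Indeterminate;
  const DNSName query(qstring);
  const int res = sr.beginResolve(query, QType(QType::TXT), 1, ret);

  // NOTE(review): the validation state is only consulted when res != 0
  // (i.e. the rcode is not NoError). Confirm beginResolve() never returns
  // NoError together with a Bogus validation state; if it can, such an
  // answer would skip the Bogus check below and reach processSecPoll().
  if (g_dnssecmode != DNSSECMode::Off && res) {
    state = sr.getValidationState();
  }

  if (state == Bogus) {
    g_log<<Logger::Error<<"Failed to retrieve security status update for '" +pkgv+ "' on '"<<query<<"', DNSSEC validation result was Bogus!"<<endl;
    if (g_security_status == 1) // If we were OK, go to unknown
      g_security_status = 0;
    return;
  }

  if (res == RCode::NXDomain && !isReleaseVersion(pkgv)) {
    g_log<<Logger::Warning<<"Not validating response for security status update, this is a non-release version"<<endl;
    return;
  }

  string security_message;
  int security_status = g_security_status;

  try {
    processSecPoll(res, ret, security_status, security_message);
  } catch (const PDNSException& pe) {
    // processSecPoll() may already have updated security_status before
    // throwing; that partial result is kept, as in the success path.
    g_security_status = security_status;
    g_log<<Logger::Warning<<"Failed to retrieve security status update for '" << pkgv << "' on '"<< query << "': "<<pe.reason<<endl;
    return;
  }

  // security_message is text received from the network (the TXT answer).
  // With DNSSEC off it is unauthenticated, and it is written to the log
  // below unchanged — any filtering of control characters has to happen in
  // processSecPoll() or the logger; confirm one of them does it.
  g_security_message = security_message;

  if (g_security_status != 1 && security_status == 1) {
    g_log<<Logger::Warning << "Polled security status of version "<<pkgv<<", no known issues reported: " <<g_security_message<<endl;
  }

  switch (security_status) {
  case 2:
    g_log<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
    break;
  case 3:
    g_log<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
    break;
  default:
    break;
  }

  g_security_status = security_status;
}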
92
93 g_security_status = security_status;
94 }