{"result":[{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}]}
+
+``getUpdatedMasters``
+~~~~~~~~~~~~~~~~~
+
+Used to find out any updates to master domains. This is used to trigger notifications in master mode.
+
+- Mandatory: no
+- Parameters: none
+- Reply: array of DomainInfo
+
+Example JSON/RPC
+''''''''''''''''
+
+Query:
+
+::
+
+ {"method": "getUpdatedMasters", "parameters": {}}
+
+Response:
+
+::
+
+ {"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"master"}]}
+
+Example HTTP/RPC
+''''''''''''''''
+
+Query:
+
+.. code-block:: http
+
+ GET /dnsapi/getUpdatedMasters HTTP/1.1
+
+Response:
+
+.. code-block:: http
+
+ HTTP/1.1 200 OK
+ Content-Type: text/javascript; charset=utf-8
+ Content-Length: 135
+ {"result":[{"id":1,"zone":"unit.test.","masters":["10.0.0.1"],"notified_serial":2,"serial":2,"last_check":1464693331,"kind":"master"}]}
+
+
+
Examples
--------
:tickets: 6028
Forbid label compression in ALIAS wire format.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 7359
+ :tickets: 7357
+
+ API: Add response-by-qtype and response-by-rcode on /statistics endpoint
Objects
-------
+
+The Statistics endpoint returns an array of objects that can be StatisticItem, MapStatisticItem or RingStatisticItem :
+
.. openapi:: swagger/authoritative-api-swagger.yaml
:definitions: StatisticItem
+.. openapi:: swagger/authoritative-api-swagger.yaml
+ :definitions: MapStatisticItem
+
+.. openapi:: swagger/authoritative-api-swagger.yaml
+ :definitions: RingStatisticItem
+
+Both MapStatisticItem and RingStatisticItem objects contains an array of SimpleStatisticItem
+
+.. openapi:: swagger/authoritative-api-swagger.yaml
+ :definitions: SimpleStatisticItem
\ No newline at end of file
'/servers/{server_id}/statistics':
get:
summary: 'Query statistics.'
- description: 'Query PowerDNS internal statistics. Returns a list of BaseStatisticItem derived elements.'
+ description: 'Query PowerDNS internal statistics.'
operationId: getStats
tags:
- stats
schema:
type: array
items:
- # these can be commented because the swagger code generator fails on them
- # and replaced with
- # type: string
- # or something like that
- $ref: '#/definitions/StatisticItem'
- $ref: '#/definitions/MapStatisticItem'
- $ref: '#/definitions/RingStatisticItem'
required: true
description: 'Maximum number of entries to return'
type: integer
+ - name: object_type
+ in: query
+ required: false
+ description: 'Type of data to search for, one of “all”, “zone”, “record”, “comment”'
+ type: string
responses:
'200':
description: Returns a JSON array with results
type: string
description: 'The value of setting name'
- BaseStatisticItem:
- title: BaseStatisticItem
+ SimpleStatisticItem:
+ title: SimpleStatisticItem
+ type: object
properties:
name:
- type: string
- description: 'The name of this item (e.g. ‘uptime’)'
+ type: string
+ description: 'Item name'
+ value:
+ type: string
+ description: 'Item value'
StatisticItem:
title: StatisticItem
- allOf:
- - $ref: "#/definitions/BaseStatisticItem"
- - properties:
- type:
- enum: [StatisticItem]
- description: 'set to "StatisticItem"'
- value:
- type: string
- description: 'The value of item'
+ properties:
+ name:
+ type: string
+ description: 'Item name'
+ type:
+ type: string
+ description: 'set to "StatisticItem"'
+ value:
+ type: string
+ description: 'Item value'
MapStatisticItem:
title: MapStatisticItem
- allOf:
- - $ref: "#/definitions/BaseStatisticItem"
- - properties:
- type:
- enum: [MapStatisticItem]
- description: 'set to "MapStatisticItem"'
- value:
- type: array
- description: 'named statistic values'
- items:
- type: array
- properties:
- name:
- type: string
- description: 'item name'
- value:
- type: string
- description: 'item value'
+ properties:
+ name:
+ type: string
+ description: 'Item name'
+ type:
+ type: string
+ description: 'Set to "MapStatisticItem"'
+ value:
+ type: array
+ description: 'Named values'
+ items:
+ $ref: '#/definitions/SimpleStatisticItem'
RingStatisticItem:
title: RingStatisticItem
- allOf:
- - $ref: "#/definitions/BaseStatisticItem"
- - properties:
- type:
- enum: [RingStatisticItem]
- description: 'set to "RingStatisticItem"'
- size:
- type: integer
- description: 'for RingStatisticItem objects, the size of the ring'
- value:
- type: array
- description: 'named ring statistic values'
- items:
- type: array
- properties:
- name:
- type: string
- description: 'item name'
- value:
- type: string
- description: 'item value'
+ properties:
+ name:
+ type: string
+ description: 'Item name'
+ type:
+ type: string
+ description: 'Set to "RingStatisticItem"'
+ size:
+ type: integer
+ description: 'Ring size'
+ value:
+ type: array
+ description: 'Named values'
+ items:
+ $ref: '#/definitions/SimpleStatisticItem'
SearchResultZone:
title: SearchResultZone
- ``backupSelector``: used to pick the IP address from list of all candidates if all addresses are down. Choices include 'pickclosest', 'random', 'hashed', 'all' (default to 'random').
- ``source``: Source IP address to check from
- ``stringmatch``: check ``url`` for this string, only declare 'up' if found
+ - ``useragent``: Set the HTTP "User-Agent" header in the requests. By default it is set to "PowerDNS Authoritative Server"
An example of IP address sets:
- `pdns.loglevels.Notice`
- `pdns.loglevels.Warning`
- `pdns.loglevels.Error`
+
+.. function:: pdnsrandom([maximum])
+
+ Get a random number.
+
+ :param int maximum: The largest number to return. This is 2^32-1 by default.
Entries without a netmask will be interpreted as a single address.
By default, the ACL is set is ``127.0.0.0/8`` and ``::1/128``.
+:axfr-max-records:
+ Maximum number of records allowed in an AXFR transaction requested by :program:`ixfrdist`.
+ This may prevent untrusted sources from using all the process memory.
+ By default, this setting is ``0``, which means "unlimited".
+
:axfr-timeout:
Timeout in seconds an AXFR transaction requested by :program:`ixfrdist` may take.
Increase this when the network to the authoritative servers is slow or the domains are very large and you experience timeouts.
}
}
+void RemoteBackend::getUpdatedMasters(vector<DomainInfo>* domains)
+{
+ Json query = Json::object{
+ { "method", "getUpdatedMasters" },
+ { "parameters", Json::object{ } },
+ };
+
+ Json answer;
+ if (this->send(query) == false || this->recv(answer) == false)
+ return;
+
+ if (answer["result"].is_array() == false)
+ return;
+
+ for(const auto& row: answer["result"].array_items()) {
+ DomainInfo di;
+ this->parseDomainInfo(row, di);
+ domains->push_back(di);
+ }
+}
+
DNSBackend *RemoteBackend::maker()
{
try {
bool searchRecords(const string &pattern, int maxResults, vector<DNSResourceRecord>& result) override;
bool searchComments(const string &pattern, int maxResults, vector<Comment>& result) override;
void getAllDomains(vector<DomainInfo> *domains, bool include_disabled=false) override;
+ void getUpdatedMasters(vector<DomainInfo>* domains) override;
static DNSBackend *maker();
BOOST_CHECK_EQUAL(be->directBackendCmd("PING 1234"), "PING 1234");
}
+BOOST_AUTO_TEST_CASE(test_method_getUpdatedMasters) {
+ DomainInfo di;
+ BOOST_TEST_MESSAGE("Testing getUpdatedMasters method");
+ vector<DomainInfo> result;
+
+ be->getUpdatedMasters(&result);
+
+ BOOST_CHECK(result.size() > 0);
+
+ di = result[0];
+ BOOST_CHECK_EQUAL(di.zone.toString(), "master.test.");
+ BOOST_CHECK_EQUAL(di.serial, 2);
+ BOOST_CHECK_EQUAL(di.notified_serial, 2);
+ BOOST_CHECK_EQUAL(di.kind, DomainInfo::Master);
+ BOOST_CHECK_EQUAL(di.backend, be);
+}
+
BOOST_AUTO_TEST_SUITE_END();
:kind => 'native'
}]
end
+ if args["name"] == "master.test."
+ return [{
+ :id => 2,
+ :zone => "master.test.",
+ :masters => ["10.0.0.1"],
+ :notified_serial => $notified_serial,
+ :serial => $notified_serial,
+ :last_check => Time.now.to_i,
+ :kind => 'master'
+ }]
+ end
[false]
end
def do_getalldomains(args)
[do_getdomaininfo({'name'=>'unit.test.'})]
end
+
+ def do_getupdatedmasters()
+ [do_getdomaininfo({'name'=>'master.test.'})]
+ end
end
S.declare("uptime", "Uptime of process in seconds", uptimeOfProcess);
S.declare("real-memory-usage", "Actual unique use of memory in bytes (approx)", getRealMemoryUsage);
+ S.declare("special-memory-usage", "Actual unique use of memory in bytes (approx)", getSpecialMemoryUsage);
S.declare("fd-usage", "Number of open filedescriptors", getOpenFileDescriptors);
#ifdef __linux__
S.declare("udp-recvbuf-errors", "UDP 'recvbuf' errors", udpErrorStats);
{ "DSTPortRule", true, "port", "matches questions received to the destination port specified" },
{ "dumpStats", true, "", "print all statistics we gather" },
{ "dynBlockRulesGroup", true, "", "return a new DynBlockRulesGroup object" },
+ { "EDNSVersionRule", true, "version", "matches queries with the specified EDNS version" },
{ "EDNSOptionRule", true, "optcode", "matches queries with the specified EDNS0 option present" },
+ { "ERCodeAction", true, "ercode", "Reply immediately by turning the query into a response with the specified EDNS extended rcode" },
{ "ERCodeRule", true, "rcode", "matches responses with the specified extended rcode (EDNS0)" },
{ "exceedNXDOMAINs", true, "rate, seconds", "get set of addresses that exceed `rate` NXDOMAIN/s over `seconds` seconds" },
{ "exceedQRate", true, "rate, seconds", "get set of address that exceed `rate` queries/s over `seconds` seconds" },
{ "QNameRule", true, "qname", "matches queries with the specified qname" },
{ "QNameWireLengthRule", true, "min, max", "matches if the qname's length on the wire is less than `min` or more than `max` bytes" },
{ "QTypeRule", true, "qtype", "matches queries with the specified qtype" },
+ { "RCodeAction", true, "rcode", "Reply immediately by turning the query into a response with the specified rcode" },
{ "RCodeRule", true, "rcode", "matches responses with the specified rcode" },
{ "RegexRule", true, "regex", "matches the query name against the supplied regex" },
{ "registerDynBPFFilter", true, "DynBPFFilter", "register this dynamic BPF filter into the web interface so that its counters are displayed" },
{ "sendCustomTrap", true, "str", "send a custom `SNMP` trap from Lua, containing the `str` string"},
{ "setACL", true, "{netmask, netmask}", "replace the ACL set with these netmasks. Use `setACL({})` to reset the list, meaning no one can use us" },
{ "setAddEDNSToSelfGeneratedResponses", true, "add", "set whether to add EDNS to self-generated responses, provided that the initial query had EDNS" },
+ { "setAllowEmptyResponse", true, "allow", "Set to true (defaults to false) to allow empty responses (qdcount=0) with a NoError or NXDomain rcode (default) from backends" },
{ "setAPIWritable", true, "bool, dir", "allow modifications via the API. if `dir` is set, it must be a valid directory where the configuration files will be written by the API" },
{ "setConsoleACL", true, "{netmask, netmask}", "replace the console ACL set with these netmasks" },
{ "setConsoleConnectionsLogging", true, "enabled", "whether to log the opening and closing of console connections" },
generateEDNSOption(EDNSOptionCode::ECS, payload, res);
}
-void generateOptRR(const std::string& optRData, string& res, uint16_t udpPayloadSize, bool dnssecOK)
+void generateOptRR(const std::string& optRData, string& res, uint16_t udpPayloadSize, uint8_t ednsrcode, bool dnssecOK)
{
const uint8_t name = 0;
dnsrecordheader dh;
EDNS0Record edns0;
- edns0.extRCode = 0;
+ edns0.extRCode = ednsrcode;
edns0.version = 0;
edns0.extFlags = dnssecOK ? htons(EDNS_HEADER_FLAG_DO) : 0;
/* we need to add a EDNS0 RR with one EDNS0 ECS option, fixing the AR count */
string EDNSRR;
struct dnsheader* dh = reinterpret_cast<struct dnsheader*>(packet);
- generateOptRR(newECSOption, EDNSRR, g_EdnsUDPPayloadSize, false);
+ generateOptRR(newECSOption, EDNSRR, g_EdnsUDPPayloadSize, 0, false);
/* does it fit in the existing buffer? */
if (packetSize - *len <= EDNSRR.size()) {
return 0;
}
-bool addEDNS(dnsheader* dh, uint16_t& len, const size_t size, bool dnssecOK, uint16_t payloadSize)
+bool addEDNS(dnsheader* dh, uint16_t& len, const size_t size, bool dnssecOK, uint16_t payloadSize, uint8_t ednsrcode)
{
if (dh->arcount != 0) {
return false;
}
std::string optRecord;
- generateOptRR(std::string(), optRecord, payloadSize, dnssecOK);
+ generateOptRR(std::string(), optRecord, payloadSize, ednsrcode, dnssecOK);
if (optRecord.size() >= size || (size - optRecord.size()) < len) {
return false;
if (g_addEDNSToSelfGeneratedResponses) {
/* now we need to add a new OPT record */
- return addEDNS(dq.dh, dq.len, dq.size, dnssecOK, g_PayloadSizeSelfGenAnswers);
+ return addEDNS(dq.dh, dq.len, dq.size, dnssecOK, g_PayloadSizeSelfGenAnswers, dq.ednsRCode);
}
/* otherwise we are just fine */
int rewriteResponseWithoutEDNS(const std::string& initialPacket, vector<uint8_t>& newContent);
int locateEDNSOptRR(const std::string& packet, uint16_t * optStart, size_t * optLen, bool * last);
-void generateOptRR(const std::string& optRData, string& res, uint16_t udpPayloadSize, bool dnssecOK);
+void generateOptRR(const std::string& optRData, string& res, uint16_t udpPayloadSize, uint8_t ednsrcode, bool dnssecOK);
void generateECSOption(const ComboAddress& source, string& res, uint16_t ECSPrefixLength);
int removeEDNSOptionFromOPT(char* optStart, size_t* optLen, const uint16_t optionCodeToRemove);
int rewriteResponseWithoutEDNSOption(const std::string& initialPacket, const uint16_t optionCodeToSkip, vector<uint8_t>& newContent);
int getEDNSOptionsStart(const char* packet, const size_t offset, const size_t len, uint16_t* optRDPosition, size_t * remaining);
bool isEDNSOptionInOpt(const std::string& packet, const size_t optStart, const size_t optLen, const uint16_t optionCodeToFind, size_t* optContentStart = nullptr, uint16_t* optContentLen = nullptr);
-bool addEDNS(dnsheader* dh, uint16_t& len, const size_t size, bool dnssecOK, uint16_t payloadSize);
+bool addEDNS(dnsheader* dh, uint16_t& len, const size_t size, bool dnssecOK, uint16_t payloadSize, uint8_t ednsrcode);
bool addEDNSToQueryTurnedResponse(DNSQuestion& dq);
bool handleEDNSClientSubnet(DNSQuestion& dq, bool* ednsAdded, bool* ecsAdded, bool preserveTrailingData);
uint8_t d_rcode;
};
+class ERCodeAction : public DNSAction
+{
+public:
+ ERCodeAction(uint8_t rcode) : d_rcode(rcode) {}
+ DNSAction::Action operator()(DNSQuestion* dq, string* ruleresult) const override
+ {
+ dq->dh->rcode = (d_rcode & 0xF);
+ dq->ednsRCode = ((d_rcode & 0xFFF0) >> 4);
+ dq->dh->qr = true; // for good measure
+ return Action::HeaderModify;
+ }
+ string toString() const override
+ {
+ return "set ercode "+ERCode::to_s(d_rcode);
+ }
+
+private:
+ uint8_t d_rcode;
+};
+
class TCAction : public DNSAction
{
public:
dq->dh->ancount = htons(dq->dh->ancount);
if (hadEDNS) {
- addEDNS(dq->dh, dq->len, dq->size, dnssecOK, g_PayloadSizeSelfGenAnswers);
+ addEDNS(dq->dh, dq->len, dq->size, dnssecOK, g_PayloadSizeSelfGenAnswers, 0);
}
return Action::HeaderModify;
generateEDNSOption(d_code, mac, optRData);
string res;
- generateOptRR(optRData, res, g_EdnsUDPPayloadSize, false);
+ generateOptRR(optRData, res, g_EdnsUDPPayloadSize, 0, false);
if ((dq->size - dq->len) < res.length())
return Action::None;
return std::shared_ptr<DNSAction>(new RCodeAction(rcode));
});
+ g_lua.writeFunction("ERCodeAction", [](uint8_t rcode) {
+ return std::shared_ptr<DNSAction>(new ERCodeAction(rcode));
+ });
+
g_lua.writeFunction("SkipCacheAction", []() {
return std::shared_ptr<DNSAction>(new SkipCacheAction);
});
return std::shared_ptr<DNSRule>(new ERCodeRule(rcode));
});
+ g_lua.writeFunction("EDNSVersionRule", [](uint8_t version) {
+ return std::shared_ptr<DNSRule>(new EDNSVersionRule(version));
+ });
+
g_lua.writeFunction("EDNSOptionRule", [](uint16_t optcode) {
return std::shared_ptr<DNSRule>(new EDNSOptionRule(optcode));
});
}
#endif
});
+
+ g_lua.writeFunction("setAllowEmptyResponse", [](bool allow) { g_allowEmptyResponse=allow; });
}
vector<std::function<void(void)>> setupLua(bool client, const std::string& config)
static const oid dynBlockedNMGSizeOID[] = { DNSDIST_STATS_OID, 36 };
static const oid ruleServFailOID[] = { DNSDIST_STATS_OID, 37 };
static const oid securityStatusOID[] = { DNSDIST_STATS_OID, 38 };
+static const oid specialMemoryUsageOID[] = { DNSDIST_STATS_OID, 39 };
static std::unordered_map<oid, DNSDistStats::entry_t> s_statsMap;
registerFloatStat("latencyAvg10000", latencyAvg10000OID, OID_LENGTH(latencyAvg10000OID), &g_stats.latencyAvg10000);
registerFloatStat("latencyAvg1000000", latencyAvg1000000OID, OID_LENGTH(latencyAvg1000000OID), &g_stats.latencyAvg1000000);
registerGauge64Stat("uptime", uptimeOID, OID_LENGTH(uptimeOID), &uptimeOfProcess);
- registerGauge64Stat("realMemoryUsage", realMemoryUsageOID, OID_LENGTH(realMemoryUsageOID), &getRealMemoryUsage);
+ registerGauge64Stat("specialMemoryUsage", specialMemoryUsageOID, OID_LENGTH(specialMemoryUsageOID), &getSpecialMemoryUsage);
registerGauge64Stat("cpuUserMSec", cpuUserMSecOID, OID_LENGTH(cpuUserMSecOID), &getCPUTimeUser);
registerGauge64Stat("cpuSysMSec", cpuSysMSecOID, OID_LENGTH(cpuSysMSecOID), &getCPUTimeSystem);
registerGauge64Stat("fdUsage", fdUsageOID, OID_LENGTH(fdUsageOID), &getOpenFileDescriptors);
registerGauge64Stat("dynBlockedNMGSize", dynBlockedNMGSizeOID, OID_LENGTH(dynBlockedNMGSizeOID), [](const std::string&) { return g_dynblockNMG.getLocal()->size(); });
registerGauge64Stat("securityStatus", securityStatusOID, OID_LENGTH(securityStatusOID), [](const std::string&) { return g_stats.securityStatus.load(); });
+ registerGauge64Stat("realMemoryUsage", realMemoryUsageOID, OID_LENGTH(realMemoryUsageOID), &getRealMemoryUsage);
netsnmp_table_registration_info* table_info = SNMP_MALLOC_TYPEDEF(netsnmp_table_registration_info);
};
for(const auto& e : g_stats.entries) {
+ if (e.first == "special-memory-usage")
+ continue; // Too expensive for get-all
if(const auto& val = boost::get<DNSDistStats::stat_t*>(&e.second))
obj.insert({e.first, (double)(*val)->load()});
else if (const auto& dval = boost::get<double*>(&e.second))
std::ostringstream output;
for (const auto& e : g_stats.entries) {
+ if (e.first == "special-memory-usage")
+ continue; // Too expensive for get-all
std::string metricName = std::get<0>(e);
// Prometheus suggest using '_' instead of '-'
Json::array doc;
for(const auto& item : g_stats.entries) {
+ if (item.first == "special-memory-usage")
+ continue; // Too expensive for get-all
+
if(const auto& val = boost::get<DNSDistStats::stat_t*>(&item.second)) {
doc.push_back(Json::object {
{ "type", "StatisticItem" },
typedef boost::variant<bool, double, std::string> configentry_t;
std::vector<std::pair<std::string, configentry_t> > configEntries {
{ "acl", g_ACL.getLocal()->toString() },
+ { "allow-empty-response", g_allowEmptyResponse },
{ "control-socket", g_serverControl.toStringWithPort() },
{ "ecs-override", g_ECSOverride },
{ "ecs-source-prefix-v4", (double) g_ECSSourcePrefixV4 },
bool g_verboseHealthChecks{false};
uint32_t g_staleCacheEntriesTTL{0};
bool g_syslog{true};
+bool g_allowEmptyResponse{false};
GlobalStateHolder<NetmaskGroup> g_ACL;
string g_outputBuffer;
dh->ancount = dh->arcount = dh->nscount = 0;
if (hadEDNS) {
- addEDNS(dh, *len, responseSize, z & EDNS_HEADER_FLAG_DO, payloadSize);
+ addEDNS(dh, *len, responseSize, z & EDNS_HEADER_FLAG_DO, payloadSize, 0);
}
}
catch(...)
}
if (dh->qdcount == 0) {
- if (dh->rcode != RCode::NoError && dh->rcode != RCode::NXDomain) {
+ if ((dh->rcode != RCode::NoError && dh->rcode != RCode::NXDomain) || g_allowEmptyResponse) {
return true;
}
else {
tcpBindsCount++;
}
else {
- delete cs;
errlog("Error while setting up TLS on local address '%s', exiting", cs->local.toStringWithPort());
+ delete cs;
_exit(EXIT_FAILURE);
}
}
unsigned int consumed{0};
uint16_t len;
uint16_t ecsPrefixLength;
+ uint8_t ednsRCode;
boost::optional<uint32_t> tempFailureTTL;
const bool tcp;
const struct timespec* queryTime;
{"latency-avg1000000", &latencyAvg1000000},
{"uptime", uptimeOfProcess},
{"real-memory-usage", getRealMemoryUsage},
+ {"special-memory-usage", getSpecialMemoryUsage},
{"noncompliant-queries", &nonCompliantQueries},
{"noncompliant-responses", &nonCompliantResponses},
{"rdqueries", &rdQueries},
extern std::atomic<uint16_t> g_downstreamTCPCleanupInterval;
extern size_t g_udpVectorSize;
extern bool g_preserveTrailingData;
+extern bool g_allowEmptyResponse;
#ifdef HAVE_EBPF
extern shared_ptr<BPFFilter> g_defaultBPFFilter;
"Number of ServFail responses returned because of a rule"
::= { stats 37 }
+specialMemoryUsage OBJECT-TYPE
+ SYNTAX CounterBasedGauge64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Memory usage (more precise but expensive to retrieve)"
+ ::= { stats 38 }
+
securityStatus OBJECT-TYPE
SYNTAX CounterBasedGauge64
MAX-ACCESS read-only
latencyAVG1000000,
uptime,
realMemoryUsage,
+ specialMemoryUsage,
nonCompliantQueries,
nonCompliantResponses,
rdQueries,
PDNS_WITH_LUA([mandatory])
PDNS_CHECK_LUA_HPP
+AM_CONDITIONAL([HAVE_GNUTLS], [false])
+AM_CONDITIONAL([HAVE_LIBSSL], [false])
DNSDIST_ENABLE_DNS_OVER_TLS
-DNSDIST_WITH_GNUTLS
-DNSDIST_WITH_LIBSSL
AS_IF([test "x$enable_dns_over_tls" != "xno"], [
+ DNSDIST_WITH_GNUTLS
+ DNSDIST_WITH_LIBSSL
AS_IF([test "$HAVE_LIBSSL" = "1"], [
# we need libcrypto if libssl is enabled
PDNS_CHECK_LIBCRYPTO
[AC_MSG_NOTICE([SNMP: yes])],
[AC_MSG_NOTICE([SNMP: no])]
)
-AS_IF([test "x$enable_dns_over_tls" != "xno"],
- [AC_MSG_NOTICE([DNS over TLS: yes])],
+AS_IF([test "x$enable_dns_over_tls" != "xno"], [
+ AC_MSG_NOTICE([DNS over TLS: yes])
+ AS_IF([test "x$GNUTLS_LIBS" != "x"],
+ [AC_MSG_NOTICE([GnuTLS: yes])],
+ [AC_MSG_NOTICE([GnuTLS: no])])
+ AS_IF([test "x$LIBSSL_LIBS" != "x"],
+ [AC_MSG_NOTICE([OpenSSL: yes])],
+ [AC_MSG_NOTICE([OpenSSL: no])])
+ ],
[AC_MSG_NOTICE([DNS over TLS: no])]
)
-AS_IF([test "x$GNUTLS_LIBS" != "x"],
- [AC_MSG_NOTICE([GnuTLS: yes])],
- [AC_MSG_NOTICE([GnuTLS: no])]
-)
-AS_IF([test "x$LIBSSL_LIBS" != "x"],
- [AC_MSG_NOTICE([OpenSSL: yes])],
- [AC_MSG_NOTICE([OpenSSL: no])]
-)
AC_MSG_NOTICE([])
uint8_t d_extrcode; // upper bits in EDNS0 record
};
+class EDNSVersionRule : public DNSRule
+{
+public:
+ EDNSVersionRule(uint8_t version) : d_version(version)
+ {
+ }
+ bool matches(const DNSQuestion* dq) const override
+ {
+ uint16_t optStart;
+ size_t optLen = 0;
+ bool last = false;
+ const char * packet = reinterpret_cast<const char*>(dq->dh);
+ std::string packetStr(packet, dq->len);
+ int res = locateEDNSOptRR(packetStr, &optStart, &optLen, &last);
+ if (res != 0) {
+ // no EDNS OPT RR
+ return false;
+ }
+
+ // root label (1), type (2), class (2), ttl (4) + rdlen (2)
+ if (optLen < 11) {
+ return false;
+ }
+
+ if (optStart < dq->len && packetStr.at(optStart) != 0) {
+ // OPT RR Name != '.'
+ return false;
+ }
+ EDNS0Record edns0;
+ static_assert(sizeof(EDNS0Record) == sizeof(uint32_t), "sizeof(EDNS0Record) must match sizeof(uint32_t) AKA RR TTL size");
+ // copy out 4-byte "ttl" (really the EDNS0 record), after root label (1) + type (2) + class (2).
+ memcpy(&edns0, packet + optStart + 5, sizeof edns0);
+
+ return d_version < edns0.version;
+ }
+ string toString() const override
+ {
+ return "ednsversion>"+std::to_string(d_version);
+ }
+private:
+ uint8_t d_version;
+};
+
class EDNSOptionRule : public DNSRule
{
public:
If this function exists, it is called every second to so regular tasks.
This can be used for e.g. :doc:`Dynamic Blocks <../guides/dynblocks>`.
+.. function: setAllowEmptyResponse()
+
+ .. versionadded:: 1.4.0
+
+ Set to true (defaults to false) to allow empty responses (qdcount=0) with a NoError or NXDomain rcode (default) from backends. dnsdist drops these responses by default because it can't match them against the initial query since they don't contain the qname, qtype and qclass, and therefore the risk of collision is much higher than with regular responses.
+
TLSContext
~~~~~~~~~~
Add a Rule and Action to the existing rules.
- :param DNSrule rule: A DNSRule, e.g. an :func:`allRule` or a compounded bunch of rules using e.g. :func:`AndRule`
+ :param DNSrule rule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
:param action: The action to take
:param table options: A table with key: value pairs with options.
Add a Rule and Action for responses to the existing rules.
- :param DNSRule: A DNSRule, e.g. an :func:`allRule` or a compounded bunch of rules using e.g. :func:`AndRule`
+ :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
:param action: The action to take
:param table options: A table with key: value pairs with options.
Add a Rule and ResponseAction for Cache Hits to the existing rules.
- :param DNSRule: A DNSRule, e.g. an :func:`allRule` or a compounded bunch of rules using e.g. :func:`AndRule`
+ :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
:param action: The action to take
:param table options: A table with key: value pairs with options.
Add a Rule and Action for Self-Answered queries to the existing rules.
- :param DNSRule: A DNSRule, e.g. an :func:`allRule` or a compounded bunch of rules using e.g. :func:`AndRule`
+ :param DNSRule: A DNSRule, e.g. an :func:`AllRule` or a compounded bunch of rules using e.g. :func:`AndRule`
:param action: The action to take
.. function:: mvSelfAnsweredResponseRule(from, to)
Matches queries with the DO flag set
+.. function:: DSTPortRule(port)
+
+ Matches questions received to the destination port.
+
+ :param int port: Match destination port.
+
+.. function:: EDNSOptionRule(optcode)
+
+ .. versionadded:: 1.4.0
+
+ Matches queries or responses with the specified EDNS option present.
+ ``optcode`` is specified as an integer, or a constant such as `EDNSOptionCode.ECS`.
+
+.. function:: EDNSVersionRule(version)
+
+ .. versionadded:: 1.4.0
+
+ Matches queries or responses with an OPT record whose EDNS version is greater than the specified EDNS version.
+
+ :param int version: The EDNS version to match on
+
+.. function:: ERCodeRule(rcode)
+
+ Matches queries or responses with the specified ``rcode``.
+ ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
+ The full 16bit RCode will be matched. If no EDNS OPT RR is present, the upper 12 bits are treated as 0.
+
+ :param int rcode: The RCODE to match on
+
.. function:: MaxQPSIPRule(qps[, v4Mask[, v6Mask[, burst[, expiration[, cleanupDelay[, scanFraction]]]]]])
.. versionchanged:: 1.3.1
Added the optional parameters ``expiration``, ``cleanupDelay`` and ``scanFraction``.
:param int rcode: The RCODE to match on
-.. function:: ERCodeRule(rcode)
-
- Matches queries or responses with the specified ``rcode``.
- ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
- The full 16bit RCode will be matched. If no EDNS OPT RR is present, the upper 12 bits are treated as 0.
-
- :param int rcode: The RCODE to match on
-
-.. function:: EDNSOptionRule(optcode)
-
- .. versionadded:: 1.3.3
-
- Matches queries or responses with the specified EDNS option present.
- ``optcode`` is specified as an integer, or a constant such as `EDNSOptionCode.ECS`.
-
.. function:: RDRule()
.. versionadded:: 1.2.0
:param bool tcp: Match TCP traffic. Default is true.
-.. function:: DSTPortRule(port)
-
- Matches questions received to the destination port.
-
- :param int port: Match destination port.
-
.. function:: TrailingDataRule()
Matches if the query has trailing data.
:param int v4: The IPv4 netmask length
:param int v6: The IPv6 netmask length
+
+.. function:: ERCodeAction(rcode)
+
+ .. versionadded:: 1.4.0
+
+ Reply immediately by turning the query into a response with the specified EDNS extended ``rcode``.
+ ``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
+
+ :param int rcode: The extended RCODE to respond with.
+
.. function:: LogAction([filename[, binary[, append[, buffered]]]])
Log a line for each query, to the specified ``file`` if any, to the console (require verbose) otherwise.
.. function:: RCodeAction(rcode)
- Reply immediatly by turning the query into a response with the specified ``rcode``.
+ Reply immediately by turning the query into a response with the specified ``rcode``.
``rcode`` can be specified as an integer or as one of the built-in :ref:`DNSRCode`.
:param int rcode: The RCODE to respond with.
shared_ptr<DNSCryptoKeyEngine> DNSCryptoKeyEngine::makeFromISCFile(DNSKEYRecordContent& drc, const char* fname)
{
string sline, isc;
- FILE *fp=fopen(fname, "r");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(fname, "r"), fclose);
if(!fp) {
throw runtime_error("Unable to read file '"+string(fname)+"' for generating DNS Private Key");
}
- while(stringfgets(fp, sline)) {
+ while(stringfgets(fp.get(), sline)) {
isc += sline;
}
- fclose(fp);
+ fp.reset();
+
shared_ptr<DNSCryptoKeyEngine> dke = makeFromISCString(drc, isc);
if(!dke->checkKey()) {
throw runtime_error("Invalid DNS Private Key in file '"+string(fname));
d_postpolAddr.insert(nm).second=std::move(pol);
}
-void DNSFilterEngine::Zone::addQNameTrigger(const DNSName& n, Policy&& pol)
+void DNSFilterEngine::Zone::addQNameTrigger(const DNSName& n, Policy&& pol, bool ignoreDuplicate)
{
auto it = d_qpolName.find(n);
if (it != d_qpolName.end()) {
auto& existingPol = it->second;
- if (pol.d_kind != PolicyKind::Custom) {
+ if (pol.d_kind != PolicyKind::Custom && !ignoreDuplicate) {
throw std::runtime_error("Adding a QName-based filter policy of kind " + getKindToString(pol.d_kind) + " but a policy of kind " + getKindToString(existingPol.d_kind) + " already exists for the following QName: " + n.toLogString());
}
- if (existingPol.d_kind != PolicyKind::Custom) {
+ if (existingPol.d_kind != PolicyKind::Custom && ignoreDuplicate) {
throw std::runtime_error("Adding a QName-based filter policy of kind " + getKindToString(existingPol.d_kind) + " but there was already an existing policy for the following QName: " + n.toLogString());
}
void dump(FILE * fp) const;
void addClientTrigger(const Netmask& nm, Policy&& pol);
- void addQNameTrigger(const DNSName& nm, Policy&& pol);
+ void addQNameTrigger(const DNSName& nm, Policy&& pol, bool ignoreDuplicate=false);
void addNSTrigger(const DNSName& dn, Policy&& pol);
void addNSIPTrigger(const Netmask& nm, Policy&& pol);
void addResponseTrigger(const Netmask& nm, Policy&& pol);
// the serial of this SOA record is the serial of the
// zone before the removals and updates of this sequence
if (sr->d_st.serial == masterSOA->d_st.serial) {
+ if (records.size() == 2) {
+ // if the entire update is two SOAs records with the same
+ // serial, this is actually an empty AXFR!
+ return {{remove, records}};
+ }
+
// if it's the final SOA, there is nothing for us to see
break;
}
// FIXME: also report zone size?
}
-void updateThread(const string& workdir, const uint16_t& keep, const uint16_t& axfrTimeout, const uint16_t& soaRetry) {
+void updateThread(const string& workdir, const uint16_t& keep, const uint16_t& axfrTimeout, const uint16_t& soaRetry, const uint32_t axfrMaxRecords) {
setThreadName("ixfrdist/update");
std::map<DNSName, time_t> lastCheck;
records_t records;
try {
AXFRRetriever axfr(master, domain, tt, &local);
- unsigned int nrecords=0;
+ uint32_t nrecords=0;
Resolver::res_t nop;
vector<DNSRecord> chunk;
time_t t_start = time(nullptr);
soaTTL = dr.d_ttl;
}
}
+ if (axfrMaxRecords != 0 && nrecords > axfrMaxRecords) {
+ throw PDNSException("Received more than " + std::to_string(axfrMaxRecords) + " records in AXFR, aborted");
+ }
axfr_now = time(nullptr);
if (axfr_now - t_start > axfrTimeout) {
g_stats.incrementAXFRFailures(domain);
config["keep"] = 20;
}
+ if (config["axfr-max-records"]) {
+ try {
+ config["axfr-max-records"].as<uint32_t>();
+ } catch (const runtime_error &e) {
+ g_log<<Logger::Error<<"Unable to read 'axfr-max-records' value: "<<e.what()<<endl;
+ }
+ } else {
+ config["axfr-max-records"] = 0;
+ }
+
if (config["axfr-timeout"]) {
try {
config["axfr-timeout"].as<uint16_t>();
config["work-dir"].as<string>(),
config["keep"].as<uint16_t>(),
config["axfr-timeout"].as<uint16_t>(),
- config["failed-soa-retry"].as<uint16_t>());
+ config["failed-soa-retry"].as<uint16_t>(),
+ config["axfr-max-records"].as<uint32_t>());
vector<std::thread> tcpHandlers;
tcpHandlers.reserve(config["tcp-in-threads"].as<uint16_t>());
- '127.0.0.0/8'
- '::1'
+# Maximum number of records allowed in a single zone. ixfrdist will abort the
+# zone transfer from the master when more than this number of records have been
+# received. A value of 0 (the default) means unlimited
+#
+axfr-max-records: 0
+
# Timeout in seconds an AXFR transaction requested by ixfrdist may take.
# Increase this when the network to the authoritative servers is slow or the
# domains are very large and you experience timeouts. Set to 20 by default or
if (val.is_number()) {
return val.int_value();
} else if (val.is_string()) {
- return std::stoi(val.string_value());
+ try {
+ return std::stoi(val.string_value());
+ } catch (std::out_of_range&) {
+ throw JsonException("Value for key '" + string(key) + "' is out of range");
+ }
} else {
// TODO: check if value really isn't present
return default_value;
if (val.is_number()) {
return val.number_value();
} else if (val.is_string()) {
- return std::stod(val.string_value());
+ try {
+ return std::stod(val.string_value());
+ } catch (std::out_of_range&) {
+ throw JsonException("Value for key '" + string(key) + "' is out of range");
+ }
} else {
throw JsonException("Key '" + string(key) + "' not an Integer or not present");
}
#include "namespaces.hh"
#include "ednssubnet.hh"
#include "lua-base4.hh"
+#include "dns_random.hh"
BaseLua4::BaseLua4() {
}
// pdnsload
d_lw->writeFunction("pdnslog", [](const std::string& msg, boost::optional<int> loglevel) { g_log << (Logger::Urgency)loglevel.get_value_or(Logger::Warning) << msg<<endl; });
+ d_lw->writeFunction("pdnsrandom", [](boost::optional<uint32_t> maximum) { return dns_random(maximum.get_value_or(0xffffffff)); });
// certain constants
d_pd.push_back({"PASS", (int)PolicyDecision::PASS});
+#include "version.hh"
#include "ext/luawrapper/include/LuaContext.hpp"
#include "lua-auth4.hh"
#include <thread>
setDown(rem, url, opts);
for(bool first=true;;first=false) {
try {
- MiniCurl mc;
+ string useragent = productName();
+ if (opts.count("useragent")) {
+ useragent = opts.at("useragent");
+ }
+ MiniCurl mc(useragent);
string content;
if(opts.count("source")) {
#include <curl/curl.h>
#include <stdexcept>
-MiniCurl::MiniCurl()
+MiniCurl::MiniCurl(const string& useragent)
{
d_curl = curl_easy_init();
+ if (d_curl != nullptr) {
+ curl_easy_setopt(d_curl, CURLOPT_USERAGENT, useragent.c_str());
+ }
}
MiniCurl::~MiniCurl()
class MiniCurl
{
public:
- MiniCurl();
+ MiniCurl(const string& useragent="MiniCurl/0.0");
~MiniCurl();
MiniCurl& operator=(const MiniCurl&) = delete;
std::string getURL(const std::string& str, const ComboAddress* rem=0, const ComboAddress* src=0);
bool readFileIfThere(const char* fname, std::string* line)
{
line->clear();
- FILE* fp = fopen(fname, "r");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(fname, "r"), fclose);
if(!fp)
return false;
- stringfgets(fp, *line);
- fclose(fp);
+ stringfgets(fp.get(), *line);
+ fp.reset();
+
return true;
}
uint64_t getRealMemoryUsage(const std::string&)
{
#ifdef __linux__
- ifstream ifs("/proc/"+std::to_string(getpid())+"/smaps");
+ ifstream ifs("/proc/self/statm");
+ if(!ifs)
+ return 0;
+
+ uint64_t size, resident, shared, text, lib, data;
+ ifs >> size >> resident >> shared >> text >> lib >> data;
+
+ return data * getpagesize();
+#else
+ struct rusage ru;
+ if (getrusage(RUSAGE_SELF, &ru) != 0)
+ return 0;
+ return ru.ru_maxrss * 1024;
+#endif
+}
+
+
+uint64_t getSpecialMemoryUsage(const std::string&)
+{
+#ifdef __linux__
+ ifstream ifs("/proc/self/smaps");
if(!ifs)
return 0;
string line;
uint64_t udpErrorStats(const std::string& str);
uint64_t getRealMemoryUsage(const std::string&);
+uint64_t getSpecialMemoryUsage(const std::string&);
uint64_t getOpenFileDescriptors(const std::string&);
uint64_t getCPUTimeUser(const std::string&);
uint64_t getCPUTimeSystem(const std::string&);
maxanswersize = min(static_cast<uint16_t>(edo.d_packetsize >= 512 ? edo.d_packetsize : 512), g_udpTruncationThreshold);
}
ednsOpts = edo.d_options;
- haveEDNS=true;
maxanswersize -= 11; // EDNS header size
for (const auto& o : edo.d_options) {
SyncRes::s_nopacketcache = ::arg().mustDo("disable-packetcache");
SyncRes::s_maxnegttl=::arg().asNum("max-negative-ttl");
+ SyncRes::s_maxbogusttl=::arg().asNum("max-cache-bogus-ttl");
SyncRes::s_maxcachettl=max(::arg().asNum("max-cache-ttl"), 15);
SyncRes::s_packetcachettl=::arg().asNum("packetcache-ttl");
// Cap the packetcache-servfail-ttl to the packetcache-ttl
::arg().set("hint-file", "If set, load root hints from this file")="";
::arg().set("max-cache-entries", "If set, maximum number of entries in the main cache")="1000000";
::arg().set("max-negative-ttl", "maximum number of seconds to keep a negative cached entry in memory")="3600";
+ ::arg().set("max-cache-bogus-ttl", "maximum number of seconds to keep a Bogus (positive or negative) cached entry in memory")="3600";
::arg().set("max-cache-ttl", "maximum number of seconds to keep a cached entry in memory")="86400";
::arg().set("packetcache-ttl", "maximum number of seconds to keep a cached entry in packetcache")="3600";
::arg().set("max-packetcache-entries", "maximum number of entries to keep in the packetcache")="500000";
return iter->second;
}
+typedef std::unordered_map<std::string, boost::variant<bool, uint32_t, std::string > > rpzOptions_t;
-static void parseRPZParameters(const std::unordered_map<string,boost::variant<uint32_t, string> >& have, std::string& polName, boost::optional<DNSFilterEngine::Policy>& defpol, uint32_t& maxTTL, size_t& zoneSizeHint)
+static void parseRPZParameters(rpzOptions_t& have, std::string& polName, boost::optional<DNSFilterEngine::Policy>& defpol, bool& defpolOverrideLocal, uint32_t& maxTTL, size_t& zoneSizeHint)
{
if(have.count("policyName")) {
- polName = boost::get<std::string>(constGet(have, "policyName"));
+ polName = boost::get<std::string>(have["policyName"]);
}
if(have.count("defpol")) {
defpol=DNSFilterEngine::Policy();
- defpol->d_kind = (DNSFilterEngine::PolicyKind)boost::get<uint32_t>(constGet(have, "defpol"));
+ defpol->d_kind = (DNSFilterEngine::PolicyKind)boost::get<uint32_t>(have["defpol"]);
defpol->d_name = std::make_shared<std::string>(polName);
if(defpol->d_kind == DNSFilterEngine::PolicyKind::Custom) {
defpol->d_custom.push_back(DNSRecordContent::mastermake(QType::CNAME, QClass::IN,
- boost::get<string>(constGet(have,"defcontent"))));
+ boost::get<string>(have["defcontent"])));
if(have.count("defttl"))
- defpol->d_ttl = static_cast<int32_t>(boost::get<uint32_t>(constGet(have, "defttl")));
+ defpol->d_ttl = static_cast<int32_t>(boost::get<uint32_t>(have["defttl"]));
else
defpol->d_ttl = -1; // get it from the zone
}
+
+ if (have.count("defpolOverrideLocalData")) {
+ defpolOverrideLocal = boost::get<bool>(have["defpolOverrideLocalData"]);
+ }
}
if(have.count("maxTTL")) {
- maxTTL = boost::get<uint32_t>(constGet(have, "maxTTL"));
+ maxTTL = boost::get<uint32_t>(have["maxTTL"]);
}
if(have.count("zoneSizeHint")) {
- zoneSizeHint = static_cast<size_t>(boost::get<uint32_t>(constGet(have, "zoneSizeHint")));
+ zoneSizeHint = static_cast<size_t>(boost::get<uint32_t>(have["zoneSizeHint"]));
}
}
};
Lua.writeVariable("Policy", pmap);
- Lua.writeFunction("rpzFile", [&lci](const string& filename, const boost::optional<std::unordered_map<string,boost::variant<uint32_t, string>>>& options) {
+ Lua.writeFunction("rpzFile", [&lci](const string& filename, boost::optional<rpzOptions_t> options) {
try {
boost::optional<DNSFilterEngine::Policy> defpol;
+ bool defpolOverrideLocal = true;
std::string polName("rpzFile");
std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
uint32_t maxTTL = std::numeric_limits<uint32_t>::max();
if(options) {
auto& have = *options;
size_t zoneSizeHint = 0;
- parseRPZParameters(have, polName, defpol, maxTTL, zoneSizeHint);
+ parseRPZParameters(have, polName, defpol, defpolOverrideLocal, maxTTL, zoneSizeHint);
if (zoneSizeHint > 0) {
zone->reserve(zoneSizeHint);
}
}
g_log<<Logger::Warning<<"Loading RPZ from file '"<<filename<<"'"<<endl;
zone->setName(polName);
- loadRPZFromFile(filename, zone, defpol, maxTTL);
+ loadRPZFromFile(filename, zone, defpol, defpolOverrideLocal, maxTTL);
lci.dfe.addZone(zone);
g_log<<Logger::Warning<<"Done loading RPZ from file '"<<filename<<"'"<<endl;
}
}
});
- Lua.writeFunction("rpzMaster", [&lci, &delayedThreads](const boost::variant<string, std::vector<std::pair<int, string> > >& masters_, const string& zoneName, const boost::optional<std::unordered_map<string,boost::variant<uint32_t, string>>>& options) {
+ Lua.writeFunction("rpzMaster", [&lci, &delayedThreads](const boost::variant<string, std::vector<std::pair<int, string> > >& masters_, const string& zoneName, boost::optional<rpzOptions_t> options) {
boost::optional<DNSFilterEngine::Policy> defpol;
+ bool defpolOverrideLocal = true;
std::shared_ptr<DNSFilterEngine::Zone> zone = std::make_shared<DNSFilterEngine::Zone>();
TSIGTriplet tt;
uint32_t refresh=0;
if (options) {
auto& have = *options;
size_t zoneSizeHint = 0;
- parseRPZParameters(have, polName, defpol, maxTTL, zoneSizeHint);
+ parseRPZParameters(have, polName, defpol, defpolOverrideLocal, maxTTL, zoneSizeHint);
if (zoneSizeHint > 0) {
zone->reserve(zoneSizeHint);
}
if(have.count("tsigname")) {
- tt.name=DNSName(toLower(boost::get<string>(constGet(have, "tsigname"))));
- tt.algo=DNSName(toLower(boost::get<string>(constGet(have, "tsigalgo"))));
- if(B64Decode(boost::get<string>(constGet(have, "tsigsecret")), tt.secret))
+ tt.name=DNSName(toLower(boost::get<string>(have["tsigname"])));
+ tt.algo=DNSName(toLower(boost::get<string>(have[ "tsigalgo"])));
+ if(B64Decode(boost::get<string>(have[ "tsigsecret"]), tt.secret))
throw std::runtime_error("TSIG secret is not valid Base-64 encoded");
}
if(have.count("refresh")) {
- refresh = boost::get<uint32_t>(constGet(have,"refresh"));
+ refresh = boost::get<uint32_t>(have["refresh"]);
}
if(have.count("maxReceivedMBytes")) {
- maxReceivedXFRMBytes = static_cast<size_t>(boost::get<uint32_t>(constGet(have,"maxReceivedMBytes")));
+ maxReceivedXFRMBytes = static_cast<size_t>(boost::get<uint32_t>(have["maxReceivedMBytes"]));
}
if(have.count("localAddress")) {
- localAddress = ComboAddress(boost::get<string>(constGet(have,"localAddress")));
+ localAddress = ComboAddress(boost::get<string>(have["localAddress"]));
}
if(have.count("axfrTimeout")) {
- axfrTimeout = static_cast<uint16_t>(boost::get<uint32_t>(constGet(have, "axfrTimeout")));
+ axfrTimeout = static_cast<uint16_t>(boost::get<uint32_t>(have["axfrTimeout"]));
}
if(have.count("seedFile")) {
- seedFile = boost::get<std::string>(constGet(have, "seedFile"));
+ seedFile = boost::get<std::string>(have["seedFile"]);
}
if(have.count("dumpFile")) {
- dumpFile = boost::get<std::string>(constGet(have, "dumpFile"));
+ dumpFile = boost::get<std::string>(have["dumpFile"]);
}
}
if (!seedFile.empty()) {
g_log<<Logger::Info<<"Pre-loading RPZ zone "<<zoneName<<" from seed file '"<<seedFile<<"'"<<endl;
try {
- sr = loadRPZFromFile(seedFile, zone, defpol, maxTTL);
+ sr = loadRPZFromFile(seedFile, zone, defpol, defpolOverrideLocal, maxTTL);
if (zone->getDomain() != domain) {
throw PDNSException("The RPZ zone " + zoneName + " loaded from the seed file (" + zone->getDomain().toString() + ") does not match the one passed in parameter (" + domain.toString() + ")");
exit(1); // FIXME proper exit code?
}
- delayedThreads.rpzMasterThreads.push_back(std::make_tuple(masters, defpol, maxTTL, zoneIdx, tt, maxReceivedXFRMBytes, localAddress, axfrTimeout, sr, dumpFile));
+ delayedThreads.rpzMasterThreads.push_back(std::make_tuple(masters, defpol, defpolOverrideLocal, maxTTL, zoneIdx, tt, maxReceivedXFRMBytes, localAddress, axfrTimeout, sr, dumpFile));
});
typedef vector<pair<int,boost::variant<string, vector<pair<int, string> > > > > argvec_t;
{
for (const auto& rpzMaster : delayedThreads.rpzMasterThreads) {
try {
- std::thread t(RPZIXFRTracker, std::get<0>(rpzMaster), std::get<1>(rpzMaster), std::get<2>(rpzMaster), std::get<3>(rpzMaster), std::get<4>(rpzMaster), std::get<5>(rpzMaster) * 1024 * 1024, std::get<6>(rpzMaster), std::get<7>(rpzMaster), std::get<8>(rpzMaster), std::get<9>(rpzMaster), generation);
+ std::thread t(RPZIXFRTracker, std::get<0>(rpzMaster), std::get<1>(rpzMaster), std::get<2>(rpzMaster), std::get<3>(rpzMaster), std::get<4>(rpzMaster), std::get<5>(rpzMaster), std::get<6>(rpzMaster) * 1024 * 1024, std::get<7>(rpzMaster), std::get<8>(rpzMaster), std::get<9>(rpzMaster), std::get<10>(rpzMaster), generation);
t.detach();
}
catch(const std::exception& e) {
struct luaConfigDelayedThreads
{
- std::vector<std::tuple<std::vector<ComboAddress>, boost::optional<DNSFilterEngine::Policy>, uint32_t, size_t, TSIGTriplet, size_t, ComboAddress, uint16_t, std::shared_ptr<SOARecordContent>, std::string> > rpzMasterThreads;
+ std::vector<std::tuple<std::vector<ComboAddress>, boost::optional<DNSFilterEngine::Policy>, bool, uint32_t, size_t, TSIGTriplet, size_t, ComboAddress, uint16_t, std::shared_ptr<SOARecordContent>, std::string> > rpzMasterThreads;
};
void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& delayedThreads);
static const oid dnssecAuthenticDataQueriesOID[] = { RECURSOR_STATS_OID, 95 };
static const oid dnssecCheckDisabledQueriesOID[] = { RECURSOR_STATS_OID, 96 };
static const oid variableResponsesOID[] = { RECURSOR_STATS_OID, 97 };
+static const oid specialMemoryUsageOID[] = { RECURSOR_STATS_OID, 98 };
static std::unordered_map<oid, std::string> s_statsMap;
registerCounter64Stat("policy-result-nodata", policyResultNodataOID, OID_LENGTH(policyResultNodataOID));
registerCounter64Stat("policy-result-truncate", policyResultTruncateOID, OID_LENGTH(policyResultTruncateOID));
registerCounter64Stat("policy-result-custom", policyResultCustomOID, OID_LENGTH(policyResultCustomOID));
+ registerCounter64Stat("special-memory-usage", specialMemoryUsageOID, OID_LENGTH(specialMemoryUsageOID));
#endif /* HAVE_NET_SNMP */
}
ret.insert(make_pair(atomic.first, std::to_string(atomic.second->load())));
}
- for(const auto& the64bitmembers : d_get64bitmembers) {
+ for(const auto& the64bitmembers : d_get64bitmembers) {
if(the64bitmembers.first == "cache-bytes" || the64bitmembers.first=="packetcache-bytes")
continue; // too slow for 'get-all'
+ if(the64bitmembers.first == "special-memory-usage")
+ continue; // too slow for 'get-all'
ret.insert(make_pair(the64bitmembers.first, std::to_string(the64bitmembers.second())));
}
Lock l(&d_dynmetricslock);
static uint64_t dumpNegCache(NegCache& negcache, int fd)
{
- FILE* fp=fdopen(dup(fd), "w");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose);
if(!fp) { // dup probably failed
return 0;
}
uint64_t ret;
- fprintf(fp, "; negcache dump from thread follows\n;\n");
- ret = negcache.dumpToFile(fp);
- fclose(fp);
+ fprintf(fp.get(), "; negcache dump from thread follows\n;\n");
+ ret = negcache.dumpToFile(fp.get());
return ret;
}
return "Error opening dump file for writing: "+string(strerror(errno))+"\n";
}
- FILE* fp = fdopen(fd, "w");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(fd, "w"), fclose);
if (!fp) {
close(fd);
return "Error converting file descriptor: "+string(strerror(errno))+"\n";
}
- zone->dump(fp);
- fclose(fp);
+ zone->dump(fp.get());
return "done\n";
}
addGetStat("uptime", calculateUptime);
addGetStat("real-memory-usage", boost::bind(getRealMemoryUsage, string()));
- addGetStat("fd-usage", boost::bind(getOpenFileDescriptors, string()));
+ addGetStat("special-memory-usage", boost::bind(getSpecialMemoryUsage, string()));
+ addGetStat("fd-usage", boost::bind(getOpenFileDescriptors, string()));
// addGetStat("query-rate", getQueryRate);
addGetStat("user-msec", getUserTimeMsec);
}
-void RecursorPacketCache::insertResponsePacket(unsigned int tag, uint32_t qhash, std::string&& query, const DNSName& qname, uint16_t qtype, uint16_t qclass, std::string&& responsePacket, time_t now, uint32_t ttl, uint16_t ecsBegin, uint16_t ecsEnd)
-{
- vState valState;
- boost::optional<RecProtoBufMessage> pb(boost::none);
- insertResponsePacket(tag, qhash, std::move(query), qname, qtype, qclass, std::move(responsePacket), now, ttl, valState, ecsBegin, ecsEnd, std::move(pb));
-}
-
void RecursorPacketCache::insertResponsePacket(unsigned int tag, uint32_t qhash, std::string&& query, const DNSName& qname, uint16_t qtype, uint16_t qclass, std::string&& responsePacket, time_t now, uint32_t ttl, const vState& valState, uint16_t ecsBegin, uint16_t ecsEnd, boost::optional<RecProtoBufMessage>&& protobufMessage)
{
auto& idx = d_packetCache.get<HashTag>();
uint64_t RecursorPacketCache::doDump(int fd)
{
- FILE* fp=fdopen(dup(fd), "w");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose);
if(!fp) { // dup probably failed
return 0;
}
- fprintf(fp, "; main packet cache dump from thread follows\n;\n");
+ fprintf(fp.get(), "; main packet cache dump from thread follows\n;\n");
const auto& sidx=d_packetCache.get<1>();
uint64_t count=0;
for(auto i=sidx.cbegin(); i != sidx.cend(); ++i) {
count++;
try {
- fprintf(fp, "%s %" PRId64 " %s ; tag %d\n", i->d_name.toString().c_str(), static_cast<int64_t>(i->d_ttd - now), DNSRecordContent::NumberToType(i->d_type).c_str(), i->d_tag);
+ fprintf(fp.get(), "%s %" PRId64 " %s ; tag %d\n", i->d_name.toString().c_str(), static_cast<int64_t>(i->d_ttd - now), DNSRecordContent::NumberToType(i->d_type).c_str(), i->d_tag);
}
catch(...) {
- fprintf(fp, "; error printing '%s'\n", i->d_name.empty() ? "EMPTY" : i->d_name.toString().c_str());
+ fprintf(fp.get(), "; error printing '%s'\n", i->d_name.empty() ? "EMPTY" : i->d_name.toString().c_str());
}
}
- fclose(fp);
return count;
}
bool getResponsePacket(unsigned int tag, const std::string& queryPacket, const DNSName& qname, uint16_t qtype, uint16_t qclass, time_t now, std::string* responsePacket, uint32_t* age, uint32_t* qhash);
bool getResponsePacket(unsigned int tag, const std::string& queryPacket, const DNSName& qname, uint16_t qtype, uint16_t qclass, time_t now, std::string* responsePacket, uint32_t* age, vState* valState, uint32_t* qhash, uint16_t* ecsBegin, uint16_t* ecsEnd, RecProtoBufMessage* protobufMessage);
bool getResponsePacket(unsigned int tag, const std::string& queryPacket, DNSName& qname, uint16_t* qtype, uint16_t* qclass, time_t now, std::string* responsePacket, uint32_t* age, vState* valState, uint32_t* qhash, uint16_t* ecsBegin, uint16_t* ecsEnd, RecProtoBufMessage* protobufMessage);
- void insertResponsePacket(unsigned int tag, uint32_t qhash, std::string&& query, const DNSName& qname, uint16_t qtype, uint16_t qclass, std::string&& responsePacket, time_t now, uint32_t ttl, uint16_t ecsBegin, uint16_t ecsEnd);
void insertResponsePacket(unsigned int tag, uint32_t qhash, std::string&& query, const DNSName& qname, uint16_t qtype, uint16_t qclass, std::string&& responsePacket, time_t now, uint32_t ttl, const vState& valState, uint16_t ecsBegin, uint16_t ecsEnd, boost::optional<RecProtoBufMessage>&& protobufMessage);
void doPruneTo(unsigned int maxSize=250000);
uint64_t doDump(int fd);
return false;
}
-bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState)
+bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState, boost::optional<time_t> capTTD)
{
bool updated = false;
uint16_t qtype = qt.getCode();
}
entry->d_state = newState;
+ if (capTTD) {
+ entry->d_ttd = std::min(entry->d_ttd, *capTTD);
+ }
return true;
}
continue;
i->d_state = newState;
+ if (capTTD) {
+ i->d_ttd = std::min(i->d_ttd, *capTTD);
+ }
updated = true;
if(qtype != QType::ANY && qtype != QType::ADDR) // normally if we have a hit, we are done
uint64_t MemRecursorCache::doDump(int fd)
{
- FILE* fp=fdopen(dup(fd), "w");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose);
if(!fp) { // dup probably failed
return 0;
}
- fprintf(fp, "; main record cache dump from thread follows\n;\n");
+ fprintf(fp.get(), "; main record cache dump from thread follows\n;\n");
const auto& sidx=d_cache.get<SequencedTag>();
uint64_t count=0;
for(const auto j : i.d_records) {
count++;
try {
- fprintf(fp, "%s %" PRId64 " IN %s %s ; (%s) auth=%i %s\n", i.d_qname.toString().c_str(), static_cast<int64_t>(i.d_ttd - now), DNSRecordContent::NumberToType(i.d_qtype).c_str(), j->getZoneRepresentation().c_str(), vStates[i.d_state], i.d_auth, i.d_netmask.empty() ? "" : i.d_netmask.toString().c_str());
+ fprintf(fp.get(), "%s %" PRId64 " IN %s %s ; (%s) auth=%i %s\n", i.d_qname.toString().c_str(), static_cast<int64_t>(i.d_ttd - now), DNSRecordContent::NumberToType(i.d_qtype).c_str(), j->getZoneRepresentation().c_str(), vStates[i.d_state], i.d_auth, i.d_netmask.empty() ? "" : i.d_netmask.toString().c_str());
}
catch(...) {
- fprintf(fp, "; error printing '%s'\n", i.d_qname.empty() ? "EMPTY" : i.d_qname.toString().c_str());
+ fprintf(fp.get(), "; error printing '%s'\n", i.d_qname.empty() ? "EMPTY" : i.d_qname.toString().c_str());
}
}
for(const auto &sig : i.d_signatures) {
count++;
try {
- fprintf(fp, "%s %" PRId64 " IN RRSIG %s ; %s\n", i.d_qname.toString().c_str(), static_cast<int64_t>(i.d_ttd - now), sig->getZoneRepresentation().c_str(), i.d_netmask.empty() ? "" : i.d_netmask.toString().c_str());
+ fprintf(fp.get(), "%s %" PRId64 " IN RRSIG %s ; %s\n", i.d_qname.toString().c_str(), static_cast<int64_t>(i.d_ttd - now), sig->getZoneRepresentation().c_str(), i.d_netmask.empty() ? "" : i.d_netmask.toString().c_str());
}
catch(...) {
- fprintf(fp, "; error printing '%s'\n", i.d_qname.empty() ? "EMPTY" : i.d_qname.toString().c_str());
+ fprintf(fp.get(), "; error printing '%s'\n", i.d_qname.empty() ? "EMPTY" : i.d_qname.toString().c_str());
}
}
}
- fclose(fp);
return count;
}
int doWipeCache(const DNSName& name, bool sub, uint16_t qtype=0xffff);
bool doAgeCache(time_t now, const DNSName& name, uint16_t qtype, uint32_t newTTL);
- bool updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState);
+ bool updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState, boost::optional<time_t> capTTD);
uint64_t cacheHits, cacheMisses;
DNSName d_qname;
Netmask d_netmask;
mutable vState d_state;
- time_t d_ttd;
+ mutable time_t d_ttd;
uint16_t d_qtype;
bool d_auth;
};
"Number of variable responses"
::= { stats 97 }
+specialMemoryUsage OBJECT-TYPE
+ SYNTAX CounterBasedGauge64
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Memory usage (more precise bbut expensive to retrieve)"
+ ::= { stats 98 }
+
---
--- Traps / Notifications
---
noednsOutqueries,
uptime,
realMemoryUsage,
+ specialMemoryUsage,
fdUsage,
userMsec,
sysMsec,
.. code-block:: Lua
- rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})
+ rpzFile("dblfilename")
To slave from a master and start IXFR to get updates, use for example:
.. code-block:: Lua
- rpzMaster("192.0.2.4", "policy.rpz", {defpol=Policy.Drop})
+ rpzMaster("192.0.2.4", "policy.rpz")
In this example, 'policy.rpz' denotes the name of the zone to query for.
+The action to be taken on a match is defined by the zone itself, but in some cases it might be interesting to be able to override it, and always apply the same action
+regardless of the one specified in the RPZ zone. To load from file and override the default action with a custom CNAME to badserver.example.com., use for example:
+
+.. code-block:: Lua
+
+ rpzFile("dblfilename", {defpol=Policy.Custom, defcontent="badserver.example.com"})
+
+To instead drop all queries matching a rule, while slaving from a master:
+
+.. code-block:: Lua
+
+ rpzMaster("192.0.2.4", "policy.rpz", {defpol=Policy.Drop})
+
+Note that since 4.2.0, it is possible for the override policy specified via 'defpol' to no longer be applied to local data entries present in the zone by setting the 'defpolOverrideLocalData' parameter to false.
+
As of version 4.2.0, the first parameter of :func:`rpzMaster` can be a list of addresses for failover:
rpzMaster({"192.0.2.4","192.0.2.5:5301"}, "policy.rpz", {defpol=Policy.Drop})
These options can be set in the ``settings`` of both :func:`rpzMaster` and :func:`rpzFile`.
+defcontent
+^^^^^^^^^^
+CNAME field to return in case of defpol=Policy.Custom
+
defpol
^^^^^^
Default policy: `Policy.Custom`_, `Policy.Drop`_, `Policy.NXDOMAIN`_, `Policy.NODATA`_, `Policy.Truncate`_, `Policy.NoAction`_.
-defcontent
-^^^^^^^^^^
-CNAME field to return in case of defpol=Policy.Custom
+defpolOverrideLocalData
+^^^^^^^^^^^^^^^^^^^^^^^
+.. versionadded:: 4.2.0
+ Before 4.2.0 local data entries are always overridden by the default policy.
+
+Whether local data entries should be overridden by the default policy. Default is true.
defttl
^^^^^^
:param int type: The type of record to add, can be ``pdns.AAAA`` etc.
:param str content: The content of the record, will be parsed into wireformat based on the ``type``
- :param int ttl: The TTL in seconds for this record
+ :param int ttl: The TTL in seconds for this record, defaults to 3600
+ :param DNSName name: The name of this record, defaults to :attr:`DNSQuestion.qname`
+
+ .. method:: DNSQuestion:addRecord(type, content, place, [ttl, name])
+
+ Add a record of ``type`` with ``content`` in section ``place``.
+
+ :param int type: The type of record to add, can be ``pdns.AAAA`` etc.
+ :param str content: The content of the record, will be parsed into wireformat based on the ``type``
+ :param int place: The section to place the record, see :attr:`DNSRecord.place`
+ :param int ttl: The TTL in seconds for this record, defaults to 3600
:param DNSName name: The name of this record, defaults to :attr:`DNSQuestion.qname`
.. method:: DNSQuestion:addPolicyTag(tag)
.. function:: getRecursorThreadId() -> int
returns an unsigned integer identifying the thread handling the current request.
+
+.. function:: pdnsrandom([maximum])
+
+ Get a random number.
+
+ :param int maximum: The largest number to return. This is 2^32 by default.
The interval between calls to the Lua user defined `maintenance()` function in seconds.
See :ref:`hooks-maintenance-callback`
+.. _setting-max-cache-bogus-ttl:
+
+``max-cache-bogus-ttl``
+-----------------------
+.. versionadded:: 4.2.0
+
+- Integer
+- Default: 3600
+
+Maximum number of seconds to cache an item in the DNS cache (negative or positive) if its DNSSEC validation failed, no matter what the original TTL specified, to reduce the impact of a broken domain.
+
.. _setting-max-cache-entries:
``max-cache-entries``
* \param qtype The type of the entry to replace
* \param newState The new validation state
*/
-void NegCache::updateValidationStatus(const DNSName& qname, const QType& qtype, const vState newState) {
+void NegCache::updateValidationStatus(const DNSName& qname, const QType& qtype, const vState newState, boost::optional<uint32_t> capTTD) {
auto range = d_negcache.equal_range(tie(qname, qtype));
if (range.first != range.second) {
range.first->d_validationState = newState;
+ if (capTTD) {
+ range.first->d_ttd = std::min(range.first->d_ttd, *capTTD);
+ }
}
}
DNSName d_name; // The denied name
QType d_qtype; // The denied type
DNSName d_auth; // The denying name (aka auth)
- uint32_t d_ttd; // Timestamp when this entry should die
+ mutable uint32_t d_ttd; // Timestamp when this entry should die
recordsAndSignatures authoritySOA; // The upstream SOA record and RRSIGs
recordsAndSignatures DNSSECRecords; // The upstream NSEC(3) and RRSIGs
mutable vState d_validationState{Indeterminate};
};
void add(const NegCacheEntry& ne);
- void updateValidationStatus(const DNSName& qname, const QType& qtype, const vState newState);
+ void updateValidationStatus(const DNSName& qname, const QType& qtype, const vState newState, boost::optional<uint32_t> capTTD);
bool get(const DNSName& qname, const QType& qtype, const struct timeval& now, const NegCacheEntry** ne, bool typeMustMatch=false);
bool getRootNXTrust(const DNSName& qname, const struct timeval& now, const NegCacheEntry** ne);
uint64_t count(const DNSName& qname) const;
SyncRes::s_maxtotusec = 1000*7000;
SyncRes::s_maxdepth = 40;
SyncRes::s_maxnegttl = 3600;
+ SyncRes::s_maxbogusttl = 3600;
SyncRes::s_maxcachettl = 86400;
SyncRes::s_packetcachettl = 3600;
SyncRes::s_packetcacheservfailttl = 60;
return 0;
});
+ SyncRes::s_maxnegttl = 3600;
+
vector<DNSRecord> ret;
int res = sr->beginResolve(target1, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
ret.clear();
res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NXDomain);
- BOOST_CHECK_EQUAL(ret.size(), 1);
+ BOOST_REQUIRE_EQUAL(ret.size(), 1);
+ BOOST_CHECK_LE(ret[0].d_ttl, SyncRes::s_maxnegttl);
/* one for target1 and one for the entire TLD */
BOOST_CHECK_EQUAL(SyncRes::getNegCacheSize(), 2);
res = sr->beginResolve(target2, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
- BOOST_REQUIRE(ret[0].d_type == QType::A);
BOOST_CHECK_EQUAL(ret[0].d_name, target2);
+ BOOST_REQUIRE(ret[0].d_type == QType::A);
BOOST_CHECK(getRR<ARecordContent>(ret[0])->getCA() == ComboAddress("192.0.2.2"));
BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
char addr[] = "a.root-servers.net.";
for (char idx = 'a'; idx <= 'm'; idx++) {
addr[0] = idx;
- addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 3600);
+ addRecordToLW(res, domain, QType::NS, std::string(addr), DNSResourceRecord::ANSWER, 86400);
}
/* No RRSIG */
return 0;
});
+ SyncRes::s_maxcachettl = 86400;
+ SyncRes::s_maxbogusttl = 3600;
+
vector<DNSRecord> ret;
int res = sr->beginResolve(target, QType(QType::NS), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
BOOST_REQUIRE_EQUAL(ret.size(), 13);
+ /* check that we capped the TTL to max-cache-bogus-ttl */
+ for (const auto& record : ret) {
+ BOOST_CHECK_LE(record.d_ttl, SyncRes::s_maxbogusttl);
+ }
BOOST_CHECK_EQUAL(queriesCount, 1);
}
BOOST_CHECK_EQUAL(queriesCount, 4);
}
+BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_negcache_bogus_validity) {
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+ const DNSName target("com.");
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys);
+ g_luaconfs.setState(luaconfsCopy);
+
+ size_t queriesCount = 0;
+ const time_t fixedNow = sr->getNow().tv_sec;
+
+ sr->setAsyncCallback([target,&queriesCount,keys,fixedNow](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, LWResult* res, bool* chained) {
+ queriesCount++;
+
+ DNSName auth = domain;
+ auth.chopOff();
+
+ if (type == QType::DS || type == QType::DNSKEY) {
+ return genericDSAndDNSKEYHandler(res, domain, auth, type, keys);
+ }
+ else {
+ setLWResult(res, RCode::NoError, true, false, true);
+ addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, domain, 86400);
+ addNSECRecordToLW(domain, DNSName("z."), { QType::NSEC, QType::RRSIG }, 86400, res->d_records);
+ /* no RRSIG */
+ return 1;
+ }
+
+ return 0;
+ });
+
+ SyncRes::s_maxnegttl = 3600;
+ SyncRes::s_maxbogusttl = 360;
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+ BOOST_REQUIRE_EQUAL(ret.size(), 3);
+ BOOST_CHECK_EQUAL(queriesCount, 4);
+
+ /* check that the entry has been negatively cached but not longer than s_maxbogusttl */
+ const NegCache::NegCacheEntry* ne = nullptr;
+ BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
+ BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+ BOOST_CHECK_EQUAL(ne->d_ttd, fixedNow + SyncRes::s_maxbogusttl);
+ BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
+ BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+ BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+ BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 1);
+ BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+
+ /* again, to test the cache */
+ ret.clear();
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+ BOOST_REQUIRE_EQUAL(ret.size(), 3);
+ BOOST_CHECK_EQUAL(queriesCount, 4);
+}
+
BOOST_AUTO_TEST_CASE(test_dnssec_rrsig_cache_validity) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);
Validation is optional, and the first query does not ask for it,
so the answer is cached as Indeterminate.
The second query asks for validation, answer should be marked as
- Secure.
+ Secure, after just-in-time validation.
*/
std::unique_ptr<SyncRes> sr;
initSR(sr, true);
else {
if (domain == target && type == QType::A) {
setLWResult(res, 0, true, false, true);
- addRecordToLW(res, target, QType::A, "192.0.2.1");
+ addRecordToLW(res, target, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
/* no RRSIG */
return 1;
}
return 0;
});
+ SyncRes::s_maxbogusttl = 3600;
+
vector<DNSRecord> ret;
/* first query does not require validation */
sr->setDNSSECValidationRequested(false);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::A);
+ BOOST_CHECK_EQUAL(record.d_ttl, 86400);
}
BOOST_CHECK_EQUAL(queriesCount, 1);
res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+ /* check that we correctly capped the TTD for a Bogus record after
+ just-in-time validation */
+ BOOST_REQUIRE_EQUAL(ret.size(), 1);
+ for (const auto& record : ret) {
+ BOOST_CHECK(record.d_type == QType::A);
+ BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+ }
+ BOOST_CHECK_EQUAL(queriesCount, 3);
+
+ ret.clear();
+ /* third time also _does_ require validation, so we
+ can check that the cache has been updated */
+ sr->setDNSSECValidationRequested(true);
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
BOOST_REQUIRE_EQUAL(ret.size(), 1);
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::A);
+ BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
}
BOOST_CHECK_EQUAL(queriesCount, 3);
}
else {
if (domain == target && type == QType::A) {
setLWResult(res, 0, true, false, true);
- addRecordToLW(res, target, QType::CNAME, cnameTarget.toString());
- addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+ addRecordToLW(res, target, QType::CNAME, cnameTarget.toString(), DNSResourceRecord::ANSWER, 86400);
+ addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
/* no RRSIG */
return 1;
} else if (domain == cnameTarget && type == QType::A) {
setLWResult(res, 0, true, false, true);
- addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1");
+ addRecordToLW(res, cnameTarget, QType::A, "192.0.2.1", DNSResourceRecord::ANSWER, 86400);
/* no RRSIG */
return 1;
}
return 0;
});
+ SyncRes::s_maxbogusttl = 60;
+ SyncRes::s_maxnegttl = 3600;
+
vector<DNSRecord> ret;
/* first query does not require validation */
sr->setDNSSECValidationRequested(false);
BOOST_REQUIRE_EQUAL(ret.size(), 2);
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+ BOOST_CHECK_EQUAL(record.d_ttl, 86400);
}
BOOST_CHECK_EQUAL(queriesCount, 2);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
BOOST_REQUIRE_EQUAL(ret.size(), 2);
+ /* check that we correctly capped the TTD for a Bogus record after
+ just-in-time validation */
+ for (const auto& record : ret) {
+ BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+ BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+ }
+ BOOST_CHECK_EQUAL(queriesCount, 5);
+
+ ret.clear();
+ /* and a third time to make sure that the validation status (and TTL!)
+ was properly updated in the cache */
+ sr->setDNSSECValidationRequested(true);
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+ BOOST_REQUIRE_EQUAL(ret.size(), 2);
for (const auto& record : ret) {
BOOST_CHECK(record.d_type == QType::CNAME || record.d_type == QType::A);
+ BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
}
BOOST_CHECK_EQUAL(queriesCount, 5);
}
}
else {
setLWResult(res, RCode::NoError, true, false, true);
- addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
- addRRSIG(keys, res->d_records, domain, 300);
+ addRecordToLW(res, domain, QType::SOA, "pdns-public-ns1.powerdns.com. pieter\\.lexis.powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, domain, 86400);
/* no denial */
return 1;
}
return 0;
});
+ SyncRes::s_maxbogusttl = 60;
+ SyncRes::s_maxnegttl = 3600;
+ const auto now = sr->getNow().tv_sec;
+
vector<DNSRecord> ret;
/* first query does not require validation */
sr->setDNSSECValidationRequested(false);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Indeterminate);
BOOST_REQUIRE_EQUAL(ret.size(), 2);
+ for (const auto& record : ret) {
+ if (record.d_type == QType::SOA) {
+ BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxnegttl);
+ }
+ }
BOOST_CHECK_EQUAL(queriesCount, 1);
const NegCache::NegCacheEntry* ne = nullptr;
BOOST_CHECK_EQUAL(SyncRes::t_sstorage.negcache.size(), 1);
BOOST_CHECK_EQUAL(ne->d_validationState, Indeterminate);
BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+ BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxnegttl);
BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
BOOST_CHECK_EQUAL(res, RCode::NoError);
BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
BOOST_REQUIRE_EQUAL(ret.size(), 2);
+ for (const auto& record : ret) {
+ BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+ }
+ BOOST_CHECK_EQUAL(queriesCount, 4);
+ BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
+ BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
+ BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
+ BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+ BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxbogusttl);
+ BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
+ BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
+
+ ret.clear();
+ /* third one _does_ not require validation, we just check that
+ the cache (status and TTL) has been correctly updated */
+ sr->setDNSSECValidationRequested(false);
+ res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Bogus);
+ BOOST_REQUIRE_EQUAL(ret.size(), 2);
+ for (const auto& record : ret) {
+ BOOST_CHECK_EQUAL(record.d_ttl, SyncRes::s_maxbogusttl);
+ }
BOOST_CHECK_EQUAL(queriesCount, 4);
BOOST_REQUIRE_EQUAL(SyncRes::t_sstorage.negcache.get(target, QType(QType::A), sr->getNow(), &ne), true);
BOOST_CHECK_EQUAL(ne->d_validationState, Bogus);
BOOST_CHECK_EQUAL(ne->authoritySOA.records.size(), 1);
BOOST_CHECK_EQUAL(ne->authoritySOA.signatures.size(), 1);
+ BOOST_CHECK_EQUAL(ne->d_ttd, now + SyncRes::s_maxbogusttl);
BOOST_CHECK_EQUAL(ne->DNSSECRecords.records.size(), 0);
BOOST_CHECK_EQUAL(ne->DNSSECRecords.signatures.size(), 0);
}
if(!::arg()["forward-zones-file"].empty()) {
g_log<<Logger::Warning<<"Reading zone forwarding information from '"<<::arg()["forward-zones-file"]<<"'"<<endl;
SyncRes::AuthDomain ad;
- FILE *rfp=fopen(::arg()["forward-zones-file"].c_str(), "r");
-
- if(!rfp) {
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fopen(::arg()["forward-zones-file"].c_str(), "r"), fclose);
+ if(!fp) {
throw PDNSException("Error opening forward-zones-file '"+::arg()["forward-zones-file"]+"': "+stringerror());
}
- shared_ptr<FILE> fp=shared_ptr<FILE>(rfp, fclose);
-
string line;
int linenum=0;
uint64_t before = newMap->size();
}
}
- submitResponse(p.qtype.getCode(), buf.length(), udpOrTCP);
+ submitResponse(p.qtype.getCode(), buf.length(), p.d.rcode, udpOrTCP);
}
#include "dnsparser.hh"
-ResponseStats::ResponseStats() : d_qtypecounters(new std::atomic<unsigned long>[65536])
+ResponseStats::ResponseStats() : d_qtypecounters(new std::atomic<unsigned long>[65536]), d_rcodecounters(new std::atomic<unsigned long>[256])
{
d_sizecounters.push_back(make_pair(20,0));
d_sizecounters.push_back(make_pair(40,0));
d_sizecounters.push_back(make_pair(std::numeric_limits<uint16_t>::max(),0));
for(unsigned int n =0 ; n < 65535; ++n)
d_qtypecounters[n] = 0;
+ for(unsigned int n =0 ; n < 256; ++n)
+ d_rcodecounters[n] = 0;
}
ResponseStats g_rs;
static bool pcomp(const pair<uint16_t, uint64_t>&a , const pair<uint16_t, uint64_t>&b)
{
return a.first < b.first;
-}
+}
+
+void ResponseStats::submitResponse(uint16_t qtype,uint16_t respsize, uint8_t rcode, bool udpOrTCP)
+{
+ d_rcodecounters[rcode]++;
+ submitResponse(qtype, respsize, udpOrTCP);
+}
-void ResponseStats::submitResponse(uint16_t qtype, uint16_t respsize, bool udpOrTCP)
+void ResponseStats::submitResponse(uint16_t qtype,uint16_t respsize, bool udpOrTCP)
{
d_qtypecounters[qtype]++;
pair<uint16_t, uint64_t> s(respsize, 0);
return ret;
}
+map<uint8_t, uint64_t> ResponseStats::getRCodeResponseCounts()
+{
+ map<uint8_t, uint64_t> ret;
+ uint64_t count;
+ for(unsigned int i = 0 ; i < 256 ; ++i) {
+ count= d_rcodecounters[i];
+ if(count)
+ ret[i]=count;
+ }
+ return ret;
+}
+
string ResponseStats::getQTypeReport()
{
typedef map<uint16_t, uint64_t> qtypenums_t;
}
return os.str();
}
-
void submitResponse(DNSPacket &p, bool udpOrTCP);
void submitResponse(uint16_t qtype, uint16_t respsize, bool udpOrTCP);
+ void submitResponse(uint16_t qtype, uint16_t respsize, uint8_t rcode, bool udpOrTCP);
map<uint16_t, uint64_t> getQTypeResponseCounts();
map<uint16_t, uint64_t> getSizeResponseCounts();
+ map<uint8_t, uint64_t> getRCodeResponseCounts();
string getQTypeReport();
private:
boost::scoped_array<std::atomic<unsigned long>> d_qtypecounters;
+ boost::scoped_array<std::atomic<unsigned long>> d_rcodecounters;
typedef vector<pair<uint16_t, uint64_t> > sizecounters_t;
sizecounters_t d_sizecounters;
};
return Netmask(v6);
}
-void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zone> zone, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL)
+static void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zone> zone, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, bool defpolOverrideLocal, uint32_t maxTTL)
{
static const DNSName drop("rpz-drop."), truncate("rpz-tcp-only."), noaction("rpz-passthru.");
static const DNSName rpzClientIP("rpz-client-ip"), rpzIP("rpz-ip"),
static const std::string rpzPrefix("rpz-");
DNSFilterEngine::Policy pol;
+ bool defpolApplied = false;
if(dr.d_class != QClass::IN) {
return;
auto crcTarget=crc->getTarget();
if(defpol) {
pol=*defpol;
+ defpolApplied = true;
}
else if(crcTarget.isRoot()) {
// cerr<<"Wants NXDOMAIN for "<<dr.d_name<<": ";
}
}
else {
- if (defpol) {
+ if (defpol && defpolOverrideLocal) {
pol=*defpol;
+ defpolApplied = true;
}
else {
pol.d_kind = DNSFilterEngine::PolicyKind::Custom;
}
}
- if (!defpol || defpol->d_ttl < 0) {
+ if (!defpolApplied || defpol->d_ttl < 0) {
pol.d_ttl = static_cast<int32_t>(std::min(maxTTL, dr.d_ttl));
} else {
pol.d_ttl = static_cast<int32_t>(std::min(maxTTL, static_cast<uint32_t>(pol.d_ttl)));
else
zone->rmNSIPTrigger(nm, std::move(pol));
} else {
- if(addOrRemove)
- zone->addQNameTrigger(dr.d_name, std::move(pol));
- else
+ if(addOrRemove) {
+ /* if we did override the existing policy with the default policy,
+ we might turn two A or AAAA into a CNAME, which would trigger
+ an exception. Let's just ignore it. */
+ zone->addQNameTrigger(dr.d_name, std::move(pol), defpolApplied);
+ }
+ else {
zone->rmQNameTrigger(dr.d_name, std::move(pol));
+ }
}
}
-static shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, uint16_t axfrTimeout)
+static shared_ptr<SOARecordContent> loadRPZFromServer(const ComboAddress& master, const DNSName& zoneName, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, bool defpolOverrideLocal, uint32_t maxTTL, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, uint16_t axfrTimeout)
{
g_log<<Logger::Warning<<"Loading RPZ zone '"<<zoneName<<"' from "<<master.toStringWithPort()<<endl;
if(!tt.name.empty())
continue;
}
- RPZRecordToPolicy(dr, zone, true, defpol, maxTTL);
+ RPZRecordToPolicy(dr, zone, true, defpol, defpolOverrideLocal, maxTTL);
nrecords++;
}
axfrNow = time(nullptr);
}
// this function is silent - you do the logging
-std::shared_ptr<SOARecordContent> loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL)
+std::shared_ptr<SOARecordContent> loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, bool defpolOverrideLocal, uint32_t maxTTL)
{
shared_ptr<SOARecordContent> sr = nullptr;
ZoneParserTNG zpt(fname);
}
else {
dr.d_name=dr.d_name.makeRelative(domain);
- RPZRecordToPolicy(dr, zone, true, defpol, maxTTL);
+ RPZRecordToPolicy(dr, zone, true, defpol, defpolOverrideLocal, maxTTL);
}
}
catch(const PDNSException& pe) {
return false;
}
- FILE * fp = fdopen(fd, "w+");
- if (fp == nullptr) {
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(fd, "w+"), fclose);
+ if (!fp) {
close(fd);
g_log<<Logger::Warning<<"Unable to open a file pointer to dump the content of the RPZ zone "<<zoneName.toLogString()<<endl;
return false;
}
-
fd = -1;
try {
- newZone->dump(fp);
+ newZone->dump(fp.get());
}
catch(const std::exception& e) {
g_log<<Logger::Warning<<"Error while dumping the content of the RPZ zone "<<zoneName.toLogString()<<": "<<e.what()<<endl;
- fclose(fp);
return false;
}
- if (fflush(fp) != 0) {
+ if (fflush(fp.get()) != 0) {
g_log<<Logger::Warning<<"Error while flushing the content of the RPZ zone "<<zoneName.toLogString()<<" to the dump file: "<<strerror(errno)<<endl;
return false;
}
- if (fsync(fileno(fp)) != 0) {
+ if (fsync(fileno(fp.get())) != 0) {
g_log<<Logger::Warning<<"Error while syncing the content of the RPZ zone "<<zoneName.toLogString()<<" to the dump file: "<<strerror(errno)<<endl;
return false;
}
- if (fclose(fp) != 0) {
+ if (fclose(fp.release()) != 0) {
g_log<<Logger::Warning<<"Error while writing the content of the RPZ zone "<<zoneName.toLogString()<<" to the dump file: "<<strerror(errno)<<endl;
return false;
}
return true;
}
-void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t zoneIdx, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, const uint16_t axfrTimeout, std::shared_ptr<SOARecordContent> sr, std::string dumpZoneFileName, uint64_t configGeneration)
+void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DNSFilterEngine::Policy> defpol, bool defpolOverrideLocal, uint32_t maxTTL, size_t zoneIdx, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, const uint16_t axfrTimeout, std::shared_ptr<SOARecordContent> sr, std::string dumpZoneFileName, uint64_t configGeneration)
{
setThreadName("pdns-r/RPZIXFR");
bool isPreloaded = sr != nullptr;
std::shared_ptr<DNSFilterEngine::Zone> newZone = std::make_shared<DNSFilterEngine::Zone>(*oldZone);
for (const auto& master : masters) {
try {
- sr = loadRPZFromServer(master, zoneName, newZone, defpol, maxTTL, tt, maxReceivedBytes, localAddress, axfrTimeout);
+ sr = loadRPZFromServer(master, zoneName, newZone, defpol, defpolOverrideLocal, maxTTL, tt, maxReceivedBytes, localAddress, axfrTimeout);
if(refresh == 0) {
refresh = sr->d_st.refresh;
}
else {
totremove++;
g_log<<(g_logRPZChanges ? Logger::Info : Logger::Debug)<<"Had removal of "<<rr.d_name<<" from RPZ zone "<<zoneName<<endl;
- RPZRecordToPolicy(rr, newZone, false, defpol, maxTTL);
+ RPZRecordToPolicy(rr, newZone, false, defpol, defpolOverrideLocal, maxTTL);
}
}
else {
totadd++;
g_log<<(g_logRPZChanges ? Logger::Info : Logger::Debug)<<"Had addition of "<<rr.d_name<<" to RPZ zone "<<zoneName<<endl;
- RPZRecordToPolicy(rr, newZone, true, defpol, maxTTL);
+ RPZRecordToPolicy(rr, newZone, true, defpol, defpolOverrideLocal, maxTTL);
}
}
}
extern bool g_logRPZChanges;
-std::shared_ptr<SOARecordContent> loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
-void RPZRecordToPolicy(const DNSRecord& dr, std::shared_ptr<DNSFilterEngine::Zone> zone, bool addOrRemove, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL);
-void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DNSFilterEngine::Policy> defpol, uint32_t maxTTL, size_t zoneIdx, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, const uint16_t axfrTimeout, shared_ptr<SOARecordContent> sr, std::string dumpZoneFileName, uint64_t configGeneration);
+std::shared_ptr<SOARecordContent> loadRPZFromFile(const std::string& fname, std::shared_ptr<DNSFilterEngine::Zone> zone, boost::optional<DNSFilterEngine::Policy> defpol, bool defpolOverrideLocal, uint32_t maxTTL);
+void RPZIXFRTracker(const std::vector<ComboAddress>& masters, boost::optional<DNSFilterEngine::Policy> defpol, bool defpolOverrideLocal, uint32_t maxTTL, size_t zoneIdx, const TSIGTriplet& tt, size_t maxReceivedBytes, const ComboAddress& localAddress, const uint16_t axfrTimeout, shared_ptr<SOARecordContent> sr, std::string dumpZoneFileName, uint64_t configGeneration);
struct rpzStats
{
struct TCacheComp
{
- bool operator()(const pair<string, QType>& a, const pair<string, QType>& b) const
+ bool operator()(const pair<DNSName, QType>& a, const pair<DNSName, QType>& b) const
{
- int cmp=strcasecmp(a.first.c_str(), b.first.c_str());
- if(cmp < 0)
+ if(a.first < b.first)
return true;
- if(cmp > 0)
+ if(b.first < a.first)
return false;
return a.second < b.second;
SyncRes::LogMode SyncRes::s_lm;
unsigned int SyncRes::s_maxnegttl;
+unsigned int SyncRes::s_maxbogusttl;
unsigned int SyncRes::s_maxcachettl;
unsigned int SyncRes::s_maxqperq;
unsigned int SyncRes::s_maxtotusec;
uint64_t SyncRes::doEDNSDump(int fd)
{
- FILE* fp=fdopen(dup(fd), "w");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose);
if (!fp) {
return 0;
}
uint64_t count = 0;
- fprintf(fp,"; edns from thread follows\n;\n");
+ fprintf(fp.get(),"; edns from thread follows\n;\n");
for(const auto& eds : t_sstorage.ednsstatus) {
count++;
- fprintf(fp, "%s\t%d\t%s", eds.first.toString().c_str(), (int)eds.second.mode, ctime(&eds.second.modeSetAt));
+ fprintf(fp.get(), "%s\t%d\t%s", eds.first.toString().c_str(), (int)eds.second.mode, ctime(&eds.second.modeSetAt));
}
- fclose(fp);
return count;
}
uint64_t SyncRes::doDumpNSSpeeds(int fd)
{
- FILE* fp=fdopen(dup(fd), "w");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose);
if(!fp)
return 0;
- fprintf(fp, "; nsspeed dump from thread follows\n;\n");
+ fprintf(fp.get(), "; nsspeed dump from thread follows\n;\n");
uint64_t count=0;
for(const auto& i : t_sstorage.nsSpeeds)
count++;
// an <empty> can appear hear in case of authoritative (hosted) zones
- fprintf(fp, "%s -> ", i.first.toLogString().c_str());
+ fprintf(fp.get(), "%s -> ", i.first.toLogString().c_str());
for(const auto& j : i.second.d_collection)
{
// typedef vector<pair<ComboAddress, DecayingEwma> > collection_t;
- fprintf(fp, "%s/%f ", j.first.toString().c_str(), j.second.peek());
+ fprintf(fp.get(), "%s/%f ", j.first.toString().c_str(), j.second.peek());
}
- fprintf(fp, "\n");
+ fprintf(fp.get(), "\n");
}
- fclose(fp);
return count;
}
uint64_t SyncRes::doDumpThrottleMap(int fd)
{
- FILE* fp=fdopen(dup(fd), "w");
+ auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose);
if(!fp)
return 0;
- fprintf(fp, "; throttle map dump follows\n");
- fprintf(fp, "; remote IP\tqname\tqtype\tcount\tttd\n");
+ fprintf(fp.get(), "; throttle map dump follows\n");
+ fprintf(fp.get(), "; remote IP\tqname\tqtype\tcount\tttd\n");
uint64_t count=0;
const auto& throttleMap = t_sstorage.throttle.getThrottleMap();
{
count++;
// remote IP, dns name, qtype, count, ttd
- fprintf(fp, "%s\t%s\t%d\t%u\t%s", i.first.get<0>().toString().c_str(), i.first.get<1>().toLogString().c_str(), i.first.get<2>(), i.second.count, ctime(&i.second.ttd));
+ fprintf(fp.get(), "%s\t%s\t%d\t%u\t%s", i.first.get<0>().toString().c_str(), i.first.get<1>().toLogString().c_str(), i.first.get<2>(), i.second.count, ctime(&i.second.ttd));
}
- fclose(fp);
+
return count;
}
return subdomain;
}
+void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const
+{
+ if (newState == Bogus) {
+ t_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, aa, newState, s_maxbogusttl + d_now.tv_sec);
+ }
+ else {
+ t_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, aa, newState, boost::none);
+ }
+}
+
bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res, vState& state, bool wasAuthZone, bool wasForwardRecurse)
{
string prefix;
vector<std::shared_ptr<RRSIGRecordContent>> signatures;
vector<std::shared_ptr<DNSRecord>> authorityRecs;
bool wasAuth;
+ uint32_t capTTL = std::numeric_limits<uint32_t>::max();
/* we don't require auth data for forward-recurse lookups */
if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
state = SyncRes::validateRecordsWithSigs(depth, qname, QType(QType::CNAME), qname, cset, signatures);
if (state != Indeterminate) {
LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, new validation result is "<<vStates[state]<<endl);
- t_RC->updateValidationStatus(d_now.tv_sec, qname, QType(QType::CNAME), d_cacheRemote, d_requireAuthData, state);
+ if (state == Bogus) {
+ capTTL = s_maxbogusttl;
+ }
+ updateValidationStatusInCache(qname, QType(QType::CNAME), wasAuth, state);
}
}
}
LOG(prefix<<qname<<": Found cache CNAME hit for '"<< qname << "|CNAME" <<"' to '"<<j->d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl);
DNSRecord dr=*j;
- dr.d_ttl-=d_now.tv_sec;
+ dr.d_ttl -= d_now.tv_sec;
+ dr.d_ttl = std::min(dr.d_ttl, capTTL);
+ const uint32_t ttl = dr.d_ttl;
ret.reserve(ret.size() + 1 + signatures.size() + authorityRecs.size());
ret.push_back(dr);
DNSRecord sigdr;
sigdr.d_type=QType::RRSIG;
sigdr.d_name=qname;
- sigdr.d_ttl=j->d_ttl - d_now.tv_sec;
+ sigdr.d_ttl=ttl;
sigdr.d_content=signature;
sigdr.d_place=DNSResourceRecord::ANSWER;
sigdr.d_class=QClass::IN;
for(const auto& rec : authorityRecs) {
DNSRecord authDR(*rec);
- authDR.d_ttl=j->d_ttl - d_now.tv_sec;
+ authDR.d_ttl=ttl;
ret.push_back(authDR);
}
}
if (state != Indeterminate) {
/* validation succeeded, let's update the cache entry so we don't have to validate again */
- t_sstorage.negcache.updateValidationStatus(ne->d_name, ne->d_qtype, state);
+ boost::optional<uint32_t> capTTD = boost::none;
+ if (state == Bogus) {
+ capTTD = d_now.tv_sec + s_maxbogusttl;
+ }
+ t_sstorage.negcache.updateValidationStatus(ne->d_name, ne->d_qtype, state, capTTD);
}
}
if (!wasAuthZone && shouldValidate() && state == Indeterminate) {
LOG(prefix<<qname<<": got Indeterminate state for records retrieved from the negative cache, validating.."<<endl);
computeNegCacheValidationStatus(ne, qname, qtype, res, state, depth);
+
+ if (state != cachedState && state == Bogus) {
+ sttl = std::min(sttl, s_maxbogusttl);
+ }
}
// Transplant SOA to the returned packet
vector<std::shared_ptr<RRSIGRecordContent>> signatures;
vector<std::shared_ptr<DNSRecord>> authorityRecs;
uint32_t ttl=0;
+ uint32_t capTTL = std::numeric_limits<uint32_t>::max();
bool wasCachedAuth;
if(t_RC->get(d_now.tv_sec, sqname, sqt, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth) > 0) {
if (cachedState != Indeterminate) {
LOG(prefix<<qname<<": got Indeterminate state from the cache, validation result is "<<vStates[cachedState]<<endl);
- t_RC->updateValidationStatus(d_now.tv_sec, sqname, sqt, d_cacheRemote, d_requireAuthData, cachedState);
+ if (cachedState == Bogus) {
+ capTTL = s_maxbogusttl;
+ }
+ updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
}
}
if(j->d_ttl>(unsigned int) d_now.tv_sec) {
DNSRecord dr=*j;
- ttl = (dr.d_ttl-=d_now.tv_sec);
+ dr.d_ttl -= d_now.tv_sec;
+ dr.d_ttl = std::min(dr.d_ttl, capTTL);
+ ttl = dr.d_ttl;
ret.push_back(dr);
LOG("[ttl="<<dr.d_ttl<<"] ");
found=true;
}
}
+ if (recordState == Bogus) {
+ /* this is a TTD by now, be careful */
+ for(auto& record : i->second.records) {
+ record.d_ttl = std::min(record.d_ttl, static_cast<uint32_t>(s_maxbogusttl + d_now.tv_sec));
+ }
+ }
+
/* We don't need to store NSEC3 records in the positive cache because:
- we don't allow direct NSEC3 queries
- denial of existence proofs in wildcard expanded positive responses are stored in authorityRecs
ne.d_qtype = QType(0); // this encodes 'whole record'
ne.d_auth = rec.d_name;
harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
- ne.d_ttd = d_now.tv_sec + lowestTTL;
if (state == Secure) {
dState denialState = getDenialValidationState(ne, state, NXDOMAIN, false);
ne.d_validationState = state;
}
+ if (ne.d_validationState == Bogus) {
+ lowestTTL = min(lowestTTL, s_maxbogusttl);
+ }
+
+ ne.d_ttd = d_now.tv_sec + lowestTTL;
/* if we get an NXDomain answer with a CNAME, let's not cache the
target, even the server was authoritative for it,
and do an additional query for the CNAME target.
LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZoneRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl);
done=true;
- ret.push_back(rec);
if (state == Secure && needWildcardProof) {
/* We have a positive answer synthetized from a wildcard, we need to check that we have
}
else {
LOG(d_prefix<<"Invalid denial in wildcard expanded positive response found for "<<qname<<", returning Bogus, res="<<res<<endl);
+ rec.d_ttl = std::min(rec.d_ttl, s_maxbogusttl);
}
updateValidationState(state, st);
/* we already stored the record with a different validation status, let's fix it */
- t_RC->updateValidationStatus(d_now.tv_sec, qname, qtype, d_cacheRemote, lwr.d_aabit, st);
+ updateValidationStatusInCache(qname, qtype, lwr.d_aabit, st);
}
}
+ ret.push_back(rec);
}
else if((rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::ANSWER) {
if(rec.d_type != QType::RRSIG || rec.d_name == qname)
}
else {
rec.d_ttl = min(s_maxnegttl, rec.d_ttl);
- ret.push_back(rec);
NegCache::NegCacheEntry ne;
ne.d_auth = rec.d_name;
ne.d_name = qname;
ne.d_qtype = qtype;
harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
- ne.d_ttd = d_now.tv_sec + lowestTTL;
if (state == Secure) {
dState denialState = getDenialValidationState(ne, state, NXQTYPE, false);
ne.d_validationState = state;
}
+ if (ne.d_validationState == Bogus) {
+ lowestTTL = min(lowestTTL, s_maxbogusttl);
+ rec.d_ttl = min(rec.d_ttl, s_maxbogusttl);
+ }
+ ne.d_ttd = d_now.tv_sec + lowestTTL;
+
if(!wasVariable()) {
if(qtype.getCode()) { // prevents us from blacking out a whole domain
t_sstorage.negcache.add(ne);
}
}
+
+ ret.push_back(rec);
negindic=true;
}
}
static unsigned int s_maxtotusec;
static unsigned int s_maxdepth;
static unsigned int s_maxnegttl;
+ static unsigned int s_maxbogusttl;
static unsigned int s_maxcachettl;
static unsigned int s_packetcachettl;
static unsigned int s_packetcacheservfailttl;
vState getTA(const DNSName& zone, dsmap_t& ds);
bool haveExactValidationStatus(const DNSName& domain);
vState getValidationStatus(const DNSName& subdomain, bool allowIndeterminate=true);
+ void updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const;
bool lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState);
void computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth);
bool found = locateEDNSOption(query, EDNSOptionCode::ECS, &optContentStart, &optContentLen);
BOOST_CHECK_EQUAL(found, true);
- BOOST_CHECK_EQUAL(optContentStart, optRDExpectedOffset + sizeof(uint16_t) /* RD len */ + /* option code */ 2 + /* option length */ 2);
- BOOST_CHECK_EQUAL(optContentLen, sizeOfECSContent);
+ if (found == true) {
+ BOOST_CHECK_EQUAL(optContentStart, optRDExpectedOffset + sizeof(uint16_t) /* RD len */ + /* option code */ 2 + /* option length */ 2);
+ BOOST_CHECK_EQUAL(optContentLen, sizeOfECSContent);
+ }
/* truncated packet */
query.resize(query.size() - 1);
bool found = locateEDNSOption(query, EDNSOptionCode::ECS, &optContentStart, &optContentLen);
BOOST_CHECK_EQUAL(found, true);
- BOOST_CHECK_EQUAL(optContentStart, optRDExpectedOffset + sizeof(uint16_t) /* RD len */ + sizeOfCookieOption + /* option code */ 2 + /* option length */ 2);
- BOOST_CHECK_EQUAL(optContentLen, sizeOfECSContent);
+ if (found == true) {
+ BOOST_CHECK_EQUAL(optContentStart, optRDExpectedOffset + sizeof(uint16_t) /* RD len */ + sizeOfCookieOption + /* option code */ 2 + /* option length */ 2);
+ BOOST_CHECK_EQUAL(optContentLen, sizeOfECSContent);
+ }
/* truncated packet */
query.resize(query.size() - 1);
auto ret = processIXFRRecords(master, zone, records, std::dynamic_pointer_cast<SOARecordContent>(masterSOA));
- BOOST_CHECK_EQUAL(ret.size(), 0);
+ // this is actually an empty AXFR
+ BOOST_CHECK_EQUAL(ret.size(), 1);
+ // nothing in the deletion part then
+ BOOST_CHECK_EQUAL(ret.at(0).first.size(), 0);
+ // and the two SOAs in the addition part
+ BOOST_CHECK_EQUAL(ret.at(0).second.size(), 2);
+ BOOST_CHECK_EQUAL(ret.at(0).second.at(0).d_type, QType(QType::SOA).getCode());
+ BOOST_CHECK_EQUAL(ret.at(0).second.at(1).d_type, QType(QType::SOA).getCode());
}
BOOST_AUTO_TEST_CASE(test_ixfr_invalid_no_records) {
pw.commit();
string rpacket((const char*)&packet[0], packet.size());
- rpc.insertResponsePacket(tag, qhash, string(qpacket), qname, QType::A, QClass::IN, string(rpacket), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag, qhash, string(qpacket), qname, QType::A, QClass::IN, string(rpacket), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 1);
rpc.doPruneTo(0);
BOOST_CHECK_EQUAL(rpc.size(), 0);
- rpc.insertResponsePacket(tag, qhash, string(qpacket), qname, QType::A, QClass::IN, string(rpacket), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag, qhash, string(qpacket), qname, QType::A, QClass::IN, string(rpacket), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 1);
rpc.doWipePacketCache(qname);
BOOST_CHECK_EQUAL(rpc.size(), 0);
- rpc.insertResponsePacket(tag, qhash, string(qpacket), qname, QType::A, QClass::IN, string(rpacket), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag, qhash, string(qpacket), qname, QType::A, QClass::IN, string(rpacket), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 1);
uint32_t qhash2 = 0;
bool found = rpc.getResponsePacket(tag, qpacket, time(nullptr), &fpacket, &age, &qhash2);
BOOST_CHECK(r1packet != r2packet);
/* inserting a response for tag1 */
- rpc.insertResponsePacket(tag1, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r1packet), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag1, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r1packet), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 1);
/* inserting a different response for tag2, should not override the first one */
- rpc.insertResponsePacket(tag2, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r2packet), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag2, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r2packet), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 2);
/* remove all responses from the cache */
BOOST_CHECK_EQUAL(rpc.size(), 0);
/* reinsert both */
- rpc.insertResponsePacket(tag1, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r1packet), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag1, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r1packet), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 1);
- rpc.insertResponsePacket(tag2, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r2packet), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag2, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r2packet), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 2);
/* remove the responses by qname, should remove both */
BOOST_CHECK_EQUAL(rpc.size(), 0);
/* insert the response for tag1 */
- rpc.insertResponsePacket(tag1, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r1packet), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag1, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r1packet), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 1);
/* we can retrieve it */
BOOST_CHECK_EQUAL(temphash, qhash);
/* adding a response for the second tag */
- rpc.insertResponsePacket(tag2, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r2packet), time(0), ttd, 0, 0);
+ rpc.insertResponsePacket(tag2, qhash, string(qpacket), qname, QType::A, QClass::IN, string(r2packet), time(0), ttd, Indeterminate, 0, 0, boost::none);
BOOST_CHECK_EQUAL(rpc.size(), 2);
/* We still get the correct response for the first tag */
auto resp_qtype_stats = g_rs.getQTypeResponseCounts();
auto resp_size_stats = g_rs.getSizeResponseCounts();
+ auto resp_rcode_stats = g_rs.getRCodeResponseCounts();
Json::array doc;
for(const auto& item : general_stats) {
doc.push_back(Json::object {
{ "type", "MapStatisticItem" },
- { "name", "queries-by-qtype" },
+ { "name", "response-by-qtype" },
{ "value", values },
});
}
});
}
+ {
+ Json::array values;
+ for(const auto& item : resp_rcode_stats) {
+ if (item.second == 0)
+ continue;
+ values.push_back(Json::object {
+ { "name", RCode::to_s(item.first) },
+ { "value", std::to_string(item.second) },
+ });
+ }
+
+ doc.push_back(Json::object {
+ { "type", "MapStatisticItem" },
+ { "name", "response-by-rcode" },
+ { "value", values },
+ });
+ }
+
#ifndef RECURSOR
for(const auto& ringName : S.listRings()) {
Json::array values;
}
static void updateDomainSettingsFromDocument(UeberBackend& B, const DomainInfo& di, const DNSName& zonename, const Json document) {
- string zonemaster;
+ vector<string> zonemaster;
bool shouldRectify = false;
for(auto value : document["masters"].array_items()) {
string master = value.string_value();
if (master.empty())
throw ApiException("Master can not be an empty string");
- zonemaster += master + " ";
+ zonemaster.push_back(master);
}
- if (zonemaster != "") {
- di.backend->setMaster(zonename, zonemaster);
+ if (zonemaster.size()) {
+ di.backend->setMaster(zonename, boost::join(zonemaster, ","));
}
if (document["kind"].is_string()) {
di.backend->setKind(zonename, DomainInfo::stringToKind(stringFromJson(document, "kind")));
string q = req->getvars["q"];
string sMax = req->getvars["max"];
+ string sObjectType = req->getvars["object_type"];
+
int maxEnts = 100;
int ents = 0;
+ // the following types of data can be searched for using the api
+ enum class ObjectType
+ {
+ ALL,
+ ZONE,
+ RECORD,
+ COMMENT
+ } objectType;
+
if (q.empty())
throw ApiException("Query q can't be blank");
if (!sMax.empty())
if (maxEnts < 1)
throw ApiException("Maximum entries must be larger than 0");
+ if (sObjectType.empty())
+ objectType = ObjectType::ALL;
+ else if (sObjectType == "all")
+ objectType = ObjectType::ALL;
+ else if (sObjectType == "zone")
+ objectType = ObjectType::ZONE;
+ else if (sObjectType == "record")
+ objectType = ObjectType::RECORD;
+ else if (sObjectType == "comment")
+ objectType = ObjectType::COMMENT;
+ else
+ throw ApiException("object_type must be one of the following options: all, zone, record, comment");
+
SimpleMatch sm(q,true);
UeberBackend B;
vector<DomainInfo> domains;
for(const DomainInfo di: domains)
{
- if (ents < maxEnts && sm.match(di.zone)) {
+ if ((objectType == ObjectType::ALL || objectType == ObjectType::ZONE) && ents < maxEnts && sm.match(di.zone)) {
doc.push_back(Json::object {
{ "object_type", "zone" },
{ "zone_id", apiZoneNameToId(di.zone) },
zoneIdZone[di.id] = di; // populate cache
}
- if (B.searchRecords(q, maxEnts, result_rr))
+ if ((objectType == ObjectType::ALL || objectType == ObjectType::RECORD) && B.searchRecords(q, maxEnts, result_rr))
{
for(const DNSResourceRecord& rr: result_rr)
{
}
}
- if (B.searchComments(q, maxEnts, result_c))
+ if ((objectType == ObjectType::ALL || objectType == ObjectType::COMMENT) && B.searchComments(q, maxEnts, result_c))
{
for(const Comment &c: result_c)
{
self.assertIn('uptime', [e['name'] for e in data])
if is_auth():
print(data)
- qtype_stats, respsize_stats, queries_stats = None, None, None
+ qtype_stats, respsize_stats, queries_stats, rcode_stats = None, None, None, None
for elem in data:
- if elem['type'] == 'MapStatisticItem' and elem['name'] == 'queries-by-qtype':
+ if elem['type'] == 'MapStatisticItem' and elem['name'] == 'response-by-qtype':
qtype_stats = elem['value']
elif elem['type'] == 'MapStatisticItem' and elem['name'] == 'response-sizes':
respsize_stats = elem['value']
elif elem['type'] == 'RingStatisticItem' and elem['name'] == 'queries':
queries_stats = elem['value']
+ elif elem['type'] == 'MapStatisticItem' and elem['name'] == 'response-by-rcode':
+ rcode_stats = elem['value']
self.assertIn('A', [e['name'] for e in qtype_stats])
self.assertIn('60', [e['name'] for e in respsize_stats])
self.assertIn('example.com/A', [e['name'] for e in queries_stats])
+ self.assertIn('No Error', [e['name'] for e in rcode_stats])
self.assertNotEquals(serverset['records'], [])
self.assertEquals(serverset['comments'], [])
+ def test_zone_comment_out_of_range_modified_at(self):
+ # Test if comments on an rrset stay intact if the rrset is replaced
+ name, payload, zone = self.create_zone()
+ rrset = {
+ 'changetype': 'replace',
+ 'name': name,
+ 'type': 'NS',
+ 'comments': [
+ {
+ 'account': 'test1',
+ 'content': 'oh hi there',
+ 'modified_at': '4294967297'
+ }
+ ]
+ }
+ payload = {'rrsets': [rrset]}
+ r = self.session.patch(
+ self.url("/api/v1/servers/localhost/zones/" + name),
+ data=json.dumps(payload),
+ headers={'content-type': 'application/json'})
+ self.assertEquals(r.status_code, 422)
+ self.assertIn("Value for key 'modified_at' is out of range", r.json()['error'])
+
def test_zone_comment_stay_intact(self):
# Test if comments on an rrset stay intact if the rrset is replaced
name, payload, zone = self.create_zone()
u'ttl': 3600, u'type': u'SOA', u'name': name},
])
+ def test_search_rr_exact_zone_filter_type_zone(self):
+ name = unique_zone_name()
+ data_type = "zone"
+ self.create_zone(name=name, serial=22, soa_edit_api='')
+ r = self.session.get(self.url("/api/v1/servers/localhost/search-data?q=" + name.rstrip('.') + "&object_type=" + data_type))
+ self.assert_success_json(r)
+ print(r.json())
+ self.assertEquals(r.json(), [
+ {u'object_type': u'zone', u'name': name, u'zone_id': name},
+ ])
+
+ def test_search_rr_exact_zone_filter_type_record(self):
+ name = unique_zone_name()
+ data_type = "record"
+ self.create_zone(name=name, serial=22, soa_edit_api='')
+ r = self.session.get(self.url("/api/v1/servers/localhost/search-data?q=" + name.rstrip('.') + "&object_type=" + data_type))
+ self.assert_success_json(r)
+ print(r.json())
+ self.assertEquals(r.json(), [
+ {u'content': u'ns1.example.com.',
+ u'zone_id': name, u'zone': name, u'object_type': u'record', u'disabled': False,
+ u'ttl': 3600, u'type': u'NS', u'name': name},
+ {u'content': u'ns2.example.com.',
+ u'zone_id': name, u'zone': name, u'object_type': u'record', u'disabled': False,
+ u'ttl': 3600, u'type': u'NS', u'name': name},
+ {u'content': u'a.misconfigured.powerdns.server. hostmaster.'+name+' 22 10800 3600 604800 3600',
+ u'zone_id': name, u'zone': name, u'object_type': u'record', u'disabled': False,
+ u'ttl': 3600, u'type': u'SOA', u'name': name},
+ ])
+
def test_search_rr_substring(self):
name = unique_zone_name()
search = name[5:-5]
/*.xml
/*.pid
/*.pyc
-dnsdist_*.conf
-DNSCryptResolver*
-.dnsdist_history
-.history
-dnsdist.log
+/DNSCryptResolver*
+/.dnsdist_history
+/.history
/*_pb2.py
/__pycache__/
-ca.key
-ca.pem
-ca.srl
-server.chain
-server.csr
-server.key
-server.pem
+/ca.key
+/ca.pem
+/ca.srl
+/server.chain
+/server.csr
+/server.key
+/server.pem
+/configs
\ No newline at end of file
_dnsdistStartupDelay = 2.0
_dnsdist = None
_responsesCounter = {}
- _shutUp = True
_config_template = """
"""
_config_params = ['_testServerPort']
cls._TCPResponder.start()
@classmethod
- def startDNSDist(cls, shutUp=True):
+ def startDNSDist(cls):
print("Launching dnsdist..")
- conffile = 'dnsdist_test.conf'
+ confFile = os.path.join('configs', 'dnsdist_%s.conf' % (cls.__name__))
params = tuple([getattr(cls, param) for param in cls._config_params])
print(params)
- with open(conffile, 'w') as conf:
+ with open(confFile, 'w') as conf:
conf.write("-- Autogenerated by dnsdisttests.py\n")
conf.write(cls._config_template % params)
- dnsdistcmd = [os.environ['DNSDISTBIN'], '-C', conffile,
+ dnsdistcmd = [os.environ['DNSDISTBIN'], '-C', confFile,
'-l', '%s:%d' % (cls._dnsDistListeningAddr, cls._dnsDistPort) ]
for acl in cls._acl:
dnsdistcmd.extend(['--acl', acl])
output = subprocess.check_output(testcmd, stderr=subprocess.STDOUT, close_fds=True)
except subprocess.CalledProcessError as exc:
raise AssertionError('dnsdist --check-config failed (%d): %s' % (exc.returncode, exc.output))
- if output != b'Configuration \'dnsdist_test.conf\' OK!\n':
+ expectedOutput = ('Configuration \'%s\' OK!\n' % (confFile)).encode()
+ if output != expectedOutput:
raise AssertionError('dnsdist --check-config failed: %s' % output)
- if shutUp:
- with open(os.devnull, 'w') as fdDevNull:
- cls._dnsdist = subprocess.Popen(dnsdistcmd, close_fds=True, stdout=fdDevNull)
- else:
- cls._dnsdist = subprocess.Popen(dnsdistcmd, close_fds=True)
+ logFile = os.path.join('configs', 'dnsdist_%s.log' % (cls.__name__))
+ with open(logFile, 'w') as fdLog:
+ cls._dnsdist = subprocess.Popen(dnsdistcmd, close_fds=True, stdout=fdLog, stderr=fdLog)
if 'DNSDIST_FAST_TESTS' in os.environ:
delay = 0.5
def setUpClass(cls):
cls.startResponders()
- cls.startDNSDist(cls._shutUp)
+ cls.startDNSDist()
cls.setUpSockets()
print("Launching tests..")
protoc -I=../pdns/ --python_out=. ../pdns/dnsmessage.proto
protoc -I=../pdns/ --python_out=. ../pdns/dnstap.proto
+mkdir -p configs
+
if [ -z "${DNSDISTBIN}" ]; then
DNSDISTBIN=$(ls ../pdns/dnsdistdist/dnsdist-*/dnsdist)
fi
# Generate a chain
cat server.pem ca.pem >> server.chain
-nosetests --with-xunit $@
+if ! nosetests --with-xunit $@; then
+ for log in configs/*.log; do
+ echo "=== ${log} ==="
+ cat "${log}"
+ done
+ false
+fi
rm ca.key ca.pem ca.srl server.csr server.key server.pem server.chain
receivedQuery.id = query.id
self.assertEquals(query, receivedQuery)
self.assertEquals(receivedResponse, response)
+
+class TestAdvancedAllowHeaderOnly(DNSDistTest):
+
+ _config_template = """
+ newServer{address="127.0.0.1:%s"}
+ setAllowEmptyResponse(true)
+ """
+
+ def testHeaderOnlyRefused(self):
+ """
+ Advanced: Header-only refused response
+ """
+ name = 'header-only-refused-response.advanced.tests.powerdns.com.'
+ query = dns.message.make_query(name, 'A', 'IN')
+ response = dns.message.make_response(query)
+ response.set_rcode(dns.rcode.REFUSED)
+ response.question = []
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (receivedQuery, receivedResponse) = sender(query, response)
+ self.assertTrue(receivedQuery)
+ receivedQuery.id = query.id
+ self.assertEquals(query, receivedQuery)
+ self.assertEquals(receivedResponse, response)
+
+ def testHeaderOnlyNoErrorResponse(self):
+ """
+ Advanced: Header-only NoError response should be allowed
+ """
+ name = 'header-only-noerror-response.advanced.tests.powerdns.com.'
+ query = dns.message.make_query(name, 'A', 'IN')
+ response = dns.message.make_response(query)
+ response.question = []
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (receivedQuery, receivedResponse) = sender(query, response)
+ self.assertTrue(receivedQuery)
+ receivedQuery.id = query.id
+ self.assertEquals(query, receivedQuery)
+ self.assertEquals(receivedResponse, response)
+
+ def testHeaderOnlyNXDResponse(self):
+ """
+ Advanced: Header-only NXD response should be allowed
+ """
+ name = 'header-only-nxd-response.advanced.tests.powerdns.com.'
+ query = dns.message.make_query(name, 'A', 'IN')
+ response = dns.message.make_response(query)
+ response.set_rcode(dns.rcode.NXDOMAIN)
+ response.question = []
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (receivedQuery, receivedResponse) = sender(query, response)
+ self.assertTrue(receivedQuery)
+ receivedQuery.id = query.id
+ self.assertEquals(query, receivedQuery)
+ self.assertEquals(receivedResponse, response)
+
+class TestAdvancedEDNSVersionnRule(DNSDistTest):
+
+ _config_template = """
+ newServer{address="127.0.0.1:%s"}
+ addAction(EDNSVersionRule(0), ERCodeAction(dnsdist.BADVERS))
+ """
+
+ def testDropped(self):
+ """
+ Advanced: A question with ECS version larger than 0 is dropped
+ """
+
+ name = 'ednsversionrule.advanced.tests.powerdns.com.'
+
+ query = dns.message.make_query(name, 'A', 'IN', use_edns=1)
+ expectedResponse = dns.message.make_response(query)
+ expectedResponse.set_rcode(dns.rcode.BADVERS)
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (_, receivedResponse) = sender(query, response=None)
+ self.assertEquals(receivedResponse, expectedResponse)
+
+ def testNoEDNS0Pass(self):
+ """
+ Advanced: A question with ECS version 0 goes through
+ """
+
+ name = 'ednsversionrule.advanced.tests.powerdns.com.'
+
+ query = dns.message.make_query(name, 'A', 'IN', use_edns=True)
+ response = dns.message.make_response(query)
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (receivedQuery, receivedResponse) = sender(query, response)
+ receivedQuery.id = query.id
+ self.assertEquals(query, receivedQuery)
+ self.assertEquals(receivedResponse, response)
+
+ def testReplied(self):
+ """
+ Advanced: A question without ECS goes through
+ """
+
+ name = 'ednsoptionrule.advanced.tests.powerdns.com.'
+
+ query = dns.message.make_query(name, 'A', 'IN', use_edns=False)
+ response = dns.message.make_response(query)
+
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ (receivedQuery, receivedResponse) = sender(query, response)
+ receivedQuery.id = query.id
+ self.assertEquals(query, receivedQuery)
+ self.assertEquals(receivedResponse, response)
$SDIG ::1 $port example.com SOA tcp >&2 >/dev/null
$PDNSCONTROL --config-name= --no-config --socket-dir=./ 'show *' | \
- tr ',' '\n'| grep -v -E '(user-msec|sys-msec|uptime|udp-noport-errors|udp-in-errors|real-memory-usage|udp-recvbuf-errors|udp-sndbuf-errors|-hit|-miss|fd-usage|latency)' | LC_ALL=C sort
+ tr ',' '\n'| grep -v -E '(user-msec|sys-msec|uptime|udp-noport-errors|udp-in-errors|real-memory-usage|special-memory-usage|udp-recvbuf-errors|udp-sndbuf-errors|-hit|-miss|fd-usage|latency)' | LC_ALL=C sort
kill $(cat pdns*.pid)
rm pdns*.pid
confdir = os.path.join('configs', cls._confdir)
cls.wipeRecursorCache(confdir)
- @classmethod
- def sendQuery(self, name, rdtype, useTCP=False):
- """Helper function that creates the query"""
- msg = dns.message.make_query(name, rdtype, want_dnssec=True)
- msg.flags |= dns.flags.AD
-
- if useTCP:
- return self.sendTCPQuery(msg)
- return self.sendUDPQuery(msg)
-
def testSecureAnswer(self):
res = self.sendQuery('ns.secure.example.', 'A')
expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.10'.format(prefix=self._PREFIX))
print(expectedResponse)
print(response)
self.assertEquals(response, expectedResponse)
+
+ @classmethod
+ def sendQuery(cls, name, rdtype, useTCP=False):
+ """Helper function that creates the query"""
+ msg = dns.message.make_query(name, rdtype, want_dnssec=True)
+ msg.flags |= dns.flags.AD
+
+ if useTCP:
+ return cls.sendTCPQuery(msg)
+ return cls.sendUDPQuery(msg)
+
+ def createQuery(self, name, rdtype, flags, ednsflags):
+ """Helper function that creates the query with the specified flags.
+ The flags need to be strings (no checking is performed atm)"""
+ msg = dns.message.make_query(name, rdtype)
+ msg.flags = dns.flags.from_text(flags)
+ msg.flags += dns.flags.from_text('RD')
+ msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text(ednsflags))
+ return msg
cls._recursor = recursor
cls.tearDownRecursor()
- def createQuery(self, name, rdtype, flags, ednsflags):
- """Helper function that creates the query with the specified flags.
- The flags need to be strings (no checking is performed atm)"""
- msg = dns.message.make_query(name, rdtype)
- msg.flags = dns.flags.from_text(flags)
- msg.flags += dns.flags.from_text('RD')
- msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text(ednsflags))
- return msg
-
def getQueryForSecure(self, flags='', ednsflags=''):
return self.createQuery('ns1.example.', 'A', flags, ednsflags)
self.assertEqual(len(res.answer), 2)
self.assertEqual(len(res.authority), 0)
self.assertResponseMatches(query, expected, res)
+
+
+class PDNSRandomTest(RecursorTest):
+ """Tests if pdnsrandom works"""
+
+ _confdir = 'pdnsrandom'
+ _config_template = """
+ """
+ _lua_dns_script_file = """
+ function preresolve (dq)
+ dq.rcode = pdns.NOERROR
+ dq:addAnswer(pdns.TXT, pdnsrandom())
+ return true
+ end
+ """
+
+ def testRandom(self):
+ query = dns.message.make_query('whatever.example.', 'TXT')
+
+ ans = set()
+
+ ret = self.sendUDPQuery(query)
+ ans.add(ret.answer[0])
+ ret = self.sendUDPQuery(query)
+ ans.add(ret.answer[0])
+
+ self.assertEqual(len(ans), 2)
dns.rrset.from_text('drop.example.zone.rpz.', 60, dns.rdataclass.IN, dns.rdatatype.CNAME, 'rpz-drop.'),
dns.rrset.from_text('zone.rpz.', 60, dns.rdataclass.IN, dns.rdatatype.SOA, 'ns.zone.rpz. hostmaster.zone.rpz. %d 3600 3600 3600 1' % newSerial)
]
+ elif newSerial == 8:
+ # this one is a bit special too, we are answering with a full AXFR and the new zone is empty
+ records = [
+ dns.rrset.from_text('zone.rpz.', 60, dns.rdataclass.IN, dns.rdatatype.SOA, 'ns.zone.rpz. hostmaster.zone.rpz. %d 3600 3600 3600 1' % newSerial),
+ dns.rrset.from_text('zone.rpz.', 60, dns.rdataclass.IN, dns.rdatatype.SOA, 'ns.zone.rpz. hostmaster.zone.rpz. %d 3600 3600 3600 1' % newSerial)
+ ]
response.answer = records
return (newSerial, response)
print('Error in RPZ socket: %s' % str(e))
sock.close()
-rpzServerPort = 4250
-rpzServer = RPZServer(rpzServerPort)
-
class RPZRecursorTest(RecursorTest):
- """
- This test makes sure that we correctly update RPZ zones via AXFR then IXFR
- """
-
- global rpzServerPort
- _lua_config_file = """
- -- The first server is a bogus one, to test that we correctly fail over to the second one
- rpzMaster({'127.0.0.1:9999', '127.0.0.1:%d'}, 'zone.rpz.', { refresh=1 })
- """ % (rpzServerPort)
_wsPort = 8042
_wsTimeout = 2
_wsPassword = 'secretpassword'
webserver-address=127.0.0.1
webserver-password=%s
api-key=%s
+log-rpz-changes=yes
""" % (_confdir, _wsPort, _wsPassword, _apiKey)
- _xfrDone = 0
-
- @classmethod
- def generateRecursorConfig(cls, confdir):
- authzonepath = os.path.join(confdir, 'example.zone')
- with open(authzonepath, 'w') as authzone:
- authzone.write("""$ORIGIN example.
-@ 3600 IN SOA {soa}
-a 3600 IN A 192.0.2.42
-b 3600 IN A 192.0.2.42
-c 3600 IN A 192.0.2.42
-d 3600 IN A 192.0.2.42
-e 3600 IN A 192.0.2.42
-""".format(soa=cls._SOA))
- super(RPZRecursorTest, cls).generateRecursorConfig(confdir)
@classmethod
def setUpClass(cls):
self.assertRcodeEqual(res, dns.rcode.NOERROR)
self.assertEqual(len(res.answer), 0)
+ def checkNXD(self, qname, qtype='A'):
+ query = dns.message.make_query(qname, qtype, want_dnssec=True)
+ query.flags |= dns.flags.CD
+ for method in ("sendUDPQuery", "sendTCPQuery"):
+ sender = getattr(self, method)
+ res = sender(query)
+ self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
+ self.assertEqual(len(res.answer), 0)
+ self.assertEqual(len(res.authority), 1)
+
def checkTruncated(self, qname, qtype='A'):
query = dns.message.make_query(qname, qtype, want_dnssec=True)
query.flags |= dns.flags.CD
res = sender(query)
self.assertEqual(res, None)
+ def checkRPZStats(self, serial, recordsCount, fullXFRCount, totalXFRCount):
+ headers = {'x-api-key': self._apiKey}
+ url = 'http://127.0.0.1:' + str(self._wsPort) + '/api/v1/servers/localhost/rpzstatistics'
+ r = requests.get(url, headers=headers, timeout=self._wsTimeout)
+ self.assertTrue(r)
+ self.assertEquals(r.status_code, 200)
+ self.assertTrue(r.json())
+ content = r.json()
+ self.assertIn('zone.rpz.', content)
+ zone = content['zone.rpz.']
+ for key in ['last_update', 'records', 'serial', 'transfers_failed', 'transfers_full', 'transfers_success']:
+ self.assertIn(key, zone)
+
+ self.assertEquals(zone['serial'], serial)
+ self.assertEquals(zone['records'], recordsCount)
+ self.assertEquals(zone['transfers_full'], fullXFRCount)
+ self.assertEquals(zone['transfers_success'], totalXFRCount)
+
+rpzServerPort = 4250
+rpzServer = RPZServer(rpzServerPort)
+
+class RPZXFRRecursorTest(RPZRecursorTest):
+ """
+ This test makes sure that we correctly update RPZ zones via AXFR then IXFR
+ """
+
+ global rpzServerPort
+ _lua_config_file = """
+ -- The first server is a bogus one, to test that we correctly fail over to the second one
+ rpzMaster({'127.0.0.1:9999', '127.0.0.1:%d'}, 'zone.rpz.', { refresh=1 })
+ """ % (rpzServerPort)
+ _confdir = 'RPZXFR'
+ _wsPort = 8042
+ _wsTimeout = 2
+ _wsPassword = 'secretpassword'
+ _apiKey = 'secretapikey'
+ _config_template = """
+auth-zones=example=configs/%s/example.zone
+webserver=yes
+webserver-port=%d
+webserver-address=127.0.0.1
+webserver-password=%s
+api-key=%s
+""" % (_confdir, _wsPort, _wsPassword, _apiKey)
+ _xfrDone = 0
+
+ @classmethod
+ def generateRecursorConfig(cls, confdir):
+ authzonepath = os.path.join(confdir, 'example.zone')
+ with open(authzonepath, 'w') as authzone:
+ authzone.write("""$ORIGIN example.
+@ 3600 IN SOA {soa}
+a 3600 IN A 192.0.2.42
+b 3600 IN A 192.0.2.42
+c 3600 IN A 192.0.2.42
+d 3600 IN A 192.0.2.42
+e 3600 IN A 192.0.2.42
+""".format(soa=cls._SOA))
+ super(RPZRecursorTest, cls).generateRecursorConfig(confdir)
+
def waitUntilCorrectSerialIsLoaded(self, serial, timeout=5):
global rpzServer
raise AssertionError("Waited %d seconds for the serial to be updated to %d but the serial is still %d" % (timeout, serial, currentSerial))
- def checkRPZStats(self, serial, recordsCount, fullXFRCount, totalXFRCount):
- headers = {'x-api-key': self._apiKey}
- url = 'http://127.0.0.1:' + str(self._wsPort) + '/api/v1/servers/localhost/rpzstatistics'
- r = requests.get(url, headers=headers, timeout=self._wsTimeout)
- self.assertTrue(r)
- self.assertEquals(r.status_code, 200)
- self.assertTrue(r.json())
- content = r.json()
- self.assertIn('zone.rpz.', content)
- zone = content['zone.rpz.']
- for key in ['last_update', 'records', 'serial', 'transfers_failed', 'transfers_full', 'transfers_success']:
- self.assertIn(key, zone)
-
- self.assertEquals(zone['serial'], serial)
- self.assertEquals(zone['records'], recordsCount)
- self.assertEquals(zone['transfers_full'], fullXFRCount)
- self.assertEquals(zone['transfers_success'], totalXFRCount)
-
def testRPZ(self):
# first zone, only a should be blocked
self.waitUntilCorrectSerialIsLoaded(1)
# check non-custom policies
self.checkTruncated('tc.example.')
self.checkDropped('drop.example.')
+
+ # eighth zone, all entries should be gone
+ self.waitUntilCorrectSerialIsLoaded(8)
+ self.checkRPZStats(8, 0, 3, self._xfrDone)
+ self.checkNotBlocked('a.example.')
+ self.checkNotBlocked('b.example.')
+ self.checkNotBlocked('c.example.')
+ self.checkNotBlocked('d.example.')
+ self.checkNotBlocked('e.example.')
+ self.checkNXD('f.example.')
+ self.checkNXD('tc.example.')
+ self.checkNXD('drop.example.')
+
+class RPZFileRecursorTest(RPZRecursorTest):
+ """
+ This test makes sure that we correctly load RPZ zones from a file
+ """
+
+ _confdir = 'RPZFile'
+ _wsPort = 8042
+ _wsTimeout = 2
+ _wsPassword = 'secretpassword'
+ _apiKey = 'secretapikey'
+ _lua_config_file = """
+ rpzFile('configs/%s/zone.rpz', { policyName="zone.rpz." })
+ """ % (_confdir)
+ _config_template = """
+auth-zones=example=configs/%s/example.zone
+webserver=yes
+webserver-port=%d
+webserver-address=127.0.0.1
+webserver-password=%s
+api-key=%s
+""" % (_confdir, _wsPort, _wsPassword, _apiKey)
+
+ @classmethod
+ def generateRecursorConfig(cls, confdir):
+ authzonepath = os.path.join(confdir, 'example.zone')
+ with open(authzonepath, 'w') as authzone:
+ authzone.write("""$ORIGIN example.
+@ 3600 IN SOA {soa}
+a 3600 IN A 192.0.2.42
+b 3600 IN A 192.0.2.42
+c 3600 IN A 192.0.2.42
+d 3600 IN A 192.0.2.42
+e 3600 IN A 192.0.2.42
+z 3600 IN A 192.0.2.42
+""".format(soa=cls._SOA))
+
+ rpzFilePath = os.path.join(confdir, 'zone.rpz')
+ with open(rpzFilePath, 'w') as rpzZone:
+ rpzZone.write("""$ORIGIN zone.rpz.
+@ 3600 IN SOA {soa}
+a.example.zone.rpz. 60 IN A 192.0.2.42
+a.example.zone.rpz. 60 IN A 192.0.2.43
+a.example.zone.rpz. 60 IN TXT "some text"
+drop.example.zone.rpz. 60 IN CNAME rpz-drop.
+z.example.zone.rpz. 60 IN A 192.0.2.1
+tc.example.zone.rpz. 60 IN CNAME rpz-tcp-only.
+""".format(soa=cls._SOA))
+ super(RPZFileRecursorTest, cls).generateRecursorConfig(confdir)
+
+ def testRPZ(self):
+ self.checkCustom('a.example.', 'A', dns.rrset.from_text('a.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.42', '192.0.2.43'))
+ self.checkCustom('a.example.', 'TXT', dns.rrset.from_text('a.example.', 0, dns.rdataclass.IN, 'TXT', '"some text"'))
+ self.checkBlocked('z.example.')
+ self.checkNotBlocked('b.example.')
+ self.checkNotBlocked('c.example.')
+ self.checkNotBlocked('d.example.')
+ self.checkNotBlocked('e.example.')
+ # check that the policy is disabled for AD=1 queries
+ self.checkNotBlocked('z.example.', True)
+ # check non-custom policies
+ self.checkTruncated('tc.example.')
+ self.checkDropped('drop.example.')
+
+class RPZFileDefaultPolRecursorTest(RPZRecursorTest):
+ """
+ This test makes sure that we correctly load RPZ zones from a file with a default policy
+ """
+
+ _confdir = 'RPZFileDefaultPolicy'
+ _wsPort = 8042
+ _wsTimeout = 2
+ _wsPassword = 'secretpassword'
+ _apiKey = 'secretapikey'
+ _lua_config_file = """
+ rpzFile('configs/%s/zone.rpz', { policyName="zone.rpz.", defpol=Policy.NoAction })
+ """ % (_confdir)
+ _config_template = """
+auth-zones=example=configs/%s/example.zone
+webserver=yes
+webserver-port=%d
+webserver-address=127.0.0.1
+webserver-password=%s
+api-key=%s
+""" % (_confdir, _wsPort, _wsPassword, _apiKey)
+
+ @classmethod
+ def generateRecursorConfig(cls, confdir):
+ authzonepath = os.path.join(confdir, 'example.zone')
+ with open(authzonepath, 'w') as authzone:
+ authzone.write("""$ORIGIN example.
+@ 3600 IN SOA {soa}
+a 3600 IN A 192.0.2.42
+b 3600 IN A 192.0.2.42
+c 3600 IN A 192.0.2.42
+d 3600 IN A 192.0.2.42
+drop 3600 IN A 192.0.2.42
+e 3600 IN A 192.0.2.42
+z 3600 IN A 192.0.2.42
+""".format(soa=cls._SOA))
+
+ rpzFilePath = os.path.join(confdir, 'zone.rpz')
+ with open(rpzFilePath, 'w') as rpzZone:
+ rpzZone.write("""$ORIGIN zone.rpz.
+@ 3600 IN SOA {soa}
+a.example.zone.rpz. 60 IN A 192.0.2.42
+drop.example.zone.rpz. 60 IN CNAME rpz-drop.
+z.example.zone.rpz. 60 IN A 192.0.2.1
+tc.example.zone.rpz. 60 IN CNAME rpz-tcp-only.
+""".format(soa=cls._SOA))
+ super(RPZFileDefaultPolRecursorTest, cls).generateRecursorConfig(confdir)
+
+ def testRPZ(self):
+ # local data entries are overridden by default
+ self.checkCustom('a.example.', 'A', dns.rrset.from_text('a.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.42'))
+ self.checkNoData('a.example.', 'TXT')
+ # will not be blocked because the default policy overrides local data entries by default
+ self.checkNotBlocked('z.example.')
+ self.checkNotBlocked('b.example.')
+ self.checkNotBlocked('c.example.')
+ self.checkNotBlocked('d.example.')
+ self.checkNotBlocked('e.example.')
+ # check non-local policies, they should be overridden by the default policy
+ self.checkNXD('tc.example.', 'A')
+ self.checkNotBlocked('drop.example.')
+
+class RPZFileDefaultPolNotOverrideLocalRecursorTest(RPZRecursorTest):
+ """
+ This test makes sure that we correctly load RPZ zones from a file with a default policy, not overriding local data entries
+ """
+
+ _confdir = 'RPZFileDefaultPolicyNotOverrideLocal'
+ _wsPort = 8042
+ _wsTimeout = 2
+ _wsPassword = 'secretpassword'
+ _apiKey = 'secretapikey'
+ _lua_config_file = """
+ rpzFile('configs/%s/zone.rpz', { policyName="zone.rpz.", defpol=Policy.NoAction, defpolOverrideLocalData=false })
+ """ % (_confdir)
+ _config_template = """
+auth-zones=example=configs/%s/example.zone
+webserver=yes
+webserver-port=%d
+webserver-address=127.0.0.1
+webserver-password=%s
+api-key=%s
+""" % (_confdir, _wsPort, _wsPassword, _apiKey)
+
+ @classmethod
+ def generateRecursorConfig(cls, confdir):
+ authzonepath = os.path.join(confdir, 'example.zone')
+ with open(authzonepath, 'w') as authzone:
+ authzone.write("""$ORIGIN example.
+@ 3600 IN SOA {soa}
+a 3600 IN A 192.0.2.42
+b 3600 IN A 192.0.2.42
+c 3600 IN A 192.0.2.42
+d 3600 IN A 192.0.2.42
+drop 3600 IN A 192.0.2.42
+e 3600 IN A 192.0.2.42
+z 3600 IN A 192.0.2.42
+""".format(soa=cls._SOA))
+
+ rpzFilePath = os.path.join(confdir, 'zone.rpz')
+ with open(rpzFilePath, 'w') as rpzZone:
+ rpzZone.write("""$ORIGIN zone.rpz.
+@ 3600 IN SOA {soa}
+a.example.zone.rpz. 60 IN A 192.0.2.42
+a.example.zone.rpz. 60 IN A 192.0.2.43
+a.example.zone.rpz. 60 IN TXT "some text"
+drop.example.zone.rpz. 60 IN CNAME rpz-drop.
+z.example.zone.rpz. 60 IN A 192.0.2.1
+tc.example.zone.rpz. 60 IN CNAME rpz-tcp-only.
+""".format(soa=cls._SOA))
+ super(RPZFileDefaultPolNotOverrideLocalRecursorTest, cls).generateRecursorConfig(confdir)
+
+ def testRPZ(self):
+ # local data entries will not be overridden by the default polic
+ self.checkCustom('a.example.', 'A', dns.rrset.from_text('a.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.42', '192.0.2.43'))
+ self.checkCustom('a.example.', 'TXT', dns.rrset.from_text('a.example.', 0, dns.rdataclass.IN, 'TXT', '"some text"'))
+ # will be blocked because the default policy does not override local data entries
+ self.checkBlocked('z.example.')
+ self.checkNotBlocked('b.example.')
+ self.checkNotBlocked('c.example.')
+ self.checkNotBlocked('d.example.')
+ self.checkNotBlocked('e.example.')
+ # check non-local policies, they should be overridden by the default policy
+ self.checkNXD('tc.example.', 'A')
+ self.checkNotBlocked('drop.example.')
--- /dev/null
+import dns
+import os
+from recursortests import RecursorTest
+
+class testBogusMaxTTL(RecursorTest):
+ _confdir = 'BogusMaxTTL'
+
+ _config_template = """dnssec=validate
+max-cache-bogus-ttl=5"""
+
+ @classmethod
+ def setUp(cls):
+ confdir = os.path.join('configs', cls._confdir)
+ cls.wipeRecursorCache(confdir)
+
+ def testBogusCheckDisabled(self):
+ # first query with CD=0, so we should get a ServFail
+ query = self.createQuery('ted.bogus.example.', 'A', 'AD', 'DO')
+ res = self.sendUDPQuery(query)
+ self.assertRcodeEqual(res, dns.rcode.SERVFAIL)
+
+ # then with CD=1 so we should get the A + RRSIG
+ # check that we correctly applied the maximum TTL when caching Bogus entries
+ query = self.createQuery('ted.bogus.example.', 'A', 'AD CD', 'DO')
+ res = self.sendUDPQuery(query)
+ self.assertMessageHasFlags(res, ['CD', 'QR', 'RA', 'RD'], ['DO'])
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertEquals(len(res.answer), 2)
+ for ans in res.answer:
+ self.assertLessEqual(ans.ttl, 5)
projects / thirdparty / pdns.git / commitdiff
