exit 1
fi
+
write_centos()
{
OS=centos
VERSION=$1
PKG=$2
CMD=$3
+
cat <<EOF > Dockerfile.$RELEASE.$OS-$VERSION
FROM $OS:$VERSION
RUN yum install -y epel-release bind-utils
EOF
+
if [ "$VERSION" = "6" -o "$VERSION" = "7" ]; then
cat <<EOF >> Dockerfile.$RELEASE.$OS-$VERSION
RUN yum install -y yum-plugin-priorities
EOF
fi
+
cat <<EOF >> Dockerfile.$RELEASE.$OS-$VERSION
RUN curl -o /etc/yum.repos.d/powerdns-$RELEASE.repo https://repo.powerdns.com/repo-files/$OS-$RELEASE.repo
RUN yum install -y $PKG
+EOF
+
+ if [ "$RELEASE" = "rec-43" ]; then
+ cat <<EOF >> Dockerfile.$RELEASE.$OS-$VERSION
+
+RUN mkdir /var/run/pdns-recursor
+EOF
+ fi
+
+ cat <<EOF >> Dockerfile.$RELEASE.$OS-$VERSION
CMD $CMD --version
EOF
}
+
write_debian_or_ubuntu()
{
OS=$1
VERSION=$2
PKG=$3
CMD=$4
+
cat <<EOF > pdns.list.$RELEASE.$OS-$VERSION
deb [arch=amd64] http://repo.powerdns.com/$OS $VERSION-$RELEASE main
EOF
+
# if not exists
cat <<EOF > pdns.debian-and-ubuntu
Package: pdns-*
Pin: origin repo.powerdns.com
Pin-Priority: 600
EOF
+
cat <<EOF > Dockerfile.$RELEASE.$OS-$VERSION
FROM $OS:$VERSION
RUN curl https://repo.powerdns.com/FD380FBB-pub.asc | apt-key add -
RUN apt-get update
RUN apt-get install -y $PKG
+EOF
+
+ if [ "$RELEASE" = "rec-43" ]; then
+ cat <<EOF >> Dockerfile.$RELEASE.$OS-$VERSION
+
+RUN mkdir /var/run/pdns-recursor
+EOF
+ fi
+
+ cat <<EOF >> Dockerfile.$RELEASE.$OS-$VERSION
CMD $CMD --version
EOF
}
+
write_debian()
{
write_debian_or_ubuntu debian $1 $2 $3
}
+
write_ubuntu()
{
write_debian_or_ubuntu ubuntu $1 $2 $3
}
+
RELEASE=$1
if [ "$RELEASE" = "auth-40" ]; then
write_ubuntu trusty pdns-server pdns_server
write_ubuntu xenial pdns-server pdns_server
write_ubuntu bionic pdns-server pdns_server
-elif [ "$RELEASE" = "auth-42" ]; then
- write_centos 6 pdns pdns_server
- write_centos 7 pdns pdns_server
- write_centos 8 pdns pdns_server
- write_debian stretch pdns-server pdns_server
- write_debian buster pdns-server pdns_server
- write_ubuntu xenial pdns-server pdns_server
- write_ubuntu bionic pdns-server pdns_server
-elif [ "$RELEASE" = "auth-43" ]; then
+elif [ "$RELEASE" = "auth-42" -o "$RELEASE" = "auth-43" ]; then
write_centos 6 pdns pdns_server
write_centos 7 pdns pdns_server
write_centos 8 pdns pdns_server
write_ubuntu trusty pdns-recursor pdns_recursor
write_ubuntu xenial pdns-recursor pdns_recursor
write_ubuntu bionic pdns-recursor pdns_recursor
-elif [ "$RELEASE" = "rec-42" ]; then
- write_centos 6 pdns-recursor pdns_recursor
- write_centos 7 pdns-recursor pdns_recursor
- write_centos 8 pdns-recursor pdns_recursor
- write_debian stretch pdns-recursor pdns_recursor
- write_debian buster pdns-recursor pdns_recursor
- write_ubuntu xenial pdns-recursor pdns_recursor
- write_ubuntu bionic pdns-recursor pdns_recursor
-elif [ "$RELEASE" = "rec-43" ]; then
+elif [ "$RELEASE" = "rec-42" -o "$RELEASE" = "rec-43" ]; then
write_centos 6 pdns-recursor pdns_recursor
write_centos 7 pdns-recursor pdns_recursor
write_centos 8 pdns-recursor pdns_recursor
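Review bot: The added `RUN mkdir /var/run/pdns-recursor` (in both write_centos and write_debian_or_ubuntu) is not idempotent, so the image build fails if the directory already exists — for example if the recursor package's post-install creates it, which cannot be seen from here; `RUN mkdir -p /var/run/pdns-recursor` is safe in both cases. The same six-line block, with the release name hard-coded, now appears verbatim in both writer functions, so the next recursor release needs two edits; a small helper that appends the rec-43 lines to `Dockerfile.$RELEASE.$OS-$VERSION` and is called from both functions keeps it in one place. The new `[ "$RELEASE" = "auth-42" -o "$RELEASE" = "auth-43" ]` (and the rec-42/rec-43 twin) uses `-o`, which POSIX marks obsolescent; since the file uses `[` rather than `[[`, the portable form is `[ "$RELEASE" = "auth-42" ] || [ "$RELEASE" = "auth-43" ]`.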
.. note::
This does not add the zone to the :ref:`setting-bind-config` file.
-``bind-domain-status <domain> [domain]``
+``bind-domain-extended-status [domain ...]``
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 4.3.0
+
+Output an extended status of a domain or domains, containing much more information than
+the simple domain status, like the number of records currently loaded, whether pdns
+is master or slave for the domain, the list of masters, various timers, etc
+
+``bind-domain-status [domain ...]``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Output status of domain or domains. Can be one of:
Default Schema
--------------
-This is the 4.2 schema. Please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gmysqlbackend/schema.mysql.sql>`_.
+This is the 4.3 schema. Please find `the 4.2 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.2.x/modules/gmysqlbackend/schema.mysql.sql>`_ and `the 4.1 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gmysqlbackend/schema.mysql.sql>`_ on GitHub.
.. literalinclude:: ../../modules/gmysqlbackend/schema.mysql.sql
This schema can also be found in the PowerDNS source as
``modules/godbcbackend/schema.mssql.sql``).
-This is the schema for 4.2. For 4.1, please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/godbcbackend/schema.mssql.sql>`_.
+This is the schema for 4.3. Please find `the 4.2 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.2.x/modules/godbcbackend/schema.mssql.sql>`_ and `the 4.1 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/godbcbackend/schema.mssql.sql>`_ on GitHub.
.. literalinclude:: ../../modules/godbcbackend/schema.mssql.sql
:language: SQL
Default schema
--------------
-This is the 4.2 schema. Please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gpgsqlbackend/schema.pgsql.sql>`_.
+This is the 4.3 schema. Please find `the 4.2 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.2.x/modules/gpgsqlbackend/schema.pgsql.sql>`_ and the `the 4.1 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gpgsqlbackend/schema.pgsql.sql>`_ on GitHub.
.. literalinclude:: ../../modules/gpgsqlbackend/schema.pgsql.sql
:language: SQL
------------------------
Before you can use this backend you first have to set it up and fill it
-with data. The default setup conforms to the following schema in 4.2.
-If you have not upgraded to 4.2, please use `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gsqlite3backend/schema.sqlite3.sql>`_.
+with data. The default setup conforms to the following schema in 4.3.
+If you have not upgraded to 4.3, please use `the 4.2 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.2.x/modules/gsqlite3backend/schema.sqlite3.sql>`_ or `the 4.1 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gsqlite3backend/schema.sqlite3.sql>`_ on GitHub.
.. literalinclude:: ../../modules/gsqlite3backend/schema.sqlite3.sql
* ``nometasync``: flush system buffers to disk only once per transaction, omit the metadata flush. This maintains database integrity, but can potentially lose the last committed transaction if the operating system crashes.
* ``mapasync``: (default). Use asynchronous flushes to disk. As with nosync, a system crash can then corrupt the database or lose the last transactions.
+.. _setting-lmdb-schema-version:
+
+``lmdb-schema-version``
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Determines the maximum schema version LMDB is allowed to upgrade to. If the on disk LMDB database has a lower version that the current version of the LMDB schema the backend will not start, unless this setting allows it to upgrade the schema. If the version of the DB is already the same as the current schema version this setting is not checked and the backend starts normally.
+
+The default value for this setting is the highest supported schema version for the version of PowerDNS you are starting. if you want to prevent automatic schema upgrades, explicitly set this setting to the current default before upgrading PowerDNS.
LMDB Structure
--------------
Changelogs for 4.3.x
====================
+.. changelog::
+ :version: 4.3.0-beta1
+ :released: 31st of January 2020
+
+ This is the first beta for version 4.3.0 of the Authoritative Server.
+ Please see :doc:`the upgrade notes <../upgrading>` for some minor breaking changes.
+
+ Some minor fixes have been left out from the list below; some other bugs may have been fixed accidentally as a result of the tremendous amount of work that goes into each of our major releases.
+
+ As announced in `Backend removals in the upcoming Authoritative Server release <https://blog.powerdns.com/2019/10/17/backend-removals-in-the-upcoming-authoritative-server-release/>`_, we have removed five backends.
+
+ .. change::
+ :tags: Changes
+ :pullreq: 8754
+
+ remove the implicit 5->7 algorithm upgrade
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8749
+
+ allow local-ipv6 until 4.4.0
+
+ .. change::
+ :tags: New Features
+ :pullreq: 8594
+
+ add default-publish-{cds|cdnskey} options
+
+ .. change::
+ :tags: Changes
+ :pullreq: 8744
+
+ Make Lua mandatory for Auth (Chris Hofstaedtler)
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8681
+
+ Add metrics about the size of our in-memory rings
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8628
+
+ make sure records from LMDB backend end up in the right packet section (Kees Monshouwer)
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8627
+
+ gpgsqlbackend: stop using prepared statements (Chris Hofstaedtler)
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8713
+
+ Enforce a strict maximum size for the packet and records caches
+
+ .. change::
+ :tags: New Features
+ :pullreq: 8701, 8732
+
+ remotebackend: Support alsoNotifies, setFresh, getUnfreshSlaveInfos
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8649
+
+ Clear the TSIG algo between iterations in the API
+
+ .. change::
+ :tags: New Features
+ :pullreq: 8177
+
+ Add support for managing unpublished DNSSEC keys (Robin Geuze, TransIP)
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8668
+
+ HTTP API: Allow DNAME in apex with SOA and NS records
+
.. changelog::
:version: 4.3.0-alpha1
:released: 10th of December 2019
This is the first alpha for version 4.3.0 of the Authoritative Server.
Please see :doc:`the upgrade notes <../upgrading>` for some minor breaking changes.
- Some minor fixes have been left out from the list below; some other bugs may have been fixed accidentally as a result of the tremendous amount of work that goes into each of our major releases.
- As announced in `Backend removals in the upcoming Authoritative Server release <https://blog.powerdns.com/2019/10/17/backend-removals-in-the-upcoming-authoritative-server-release/>`_, we have removed five backends.
.. change::
:tags: Removed Features
PowerDNS Security Policy
------------------------
-If you have a security problem to report, please email us at both security@powerdns.com and ahu@ds9a.nl.
+If you have a security problem to report, please email us at both peter.van-dijk@powerdns.com and remi.gacogne@powerdns.com.
In case you want to encrypt your report using PGP, please use: https://www.powerdns.com/powerdns-keyblock.asc
Please do not mail security issues to public lists, nor file a ticket, unless we do not get back to you in a timely manner.
--------------------------
Connect to MySQL as a user with sufficient privileges and issue the
-following commands below if you are running the 4.2 or master version of PowerDNS:
+following commands below if you are running the 4.3 or master version of PowerDNS:
-Please find `the 4.1 schema on GitHub <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gmysqlbackend/schema.mysql.sql>`_.
+Please find `the 4.2 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.2.x/modules/gmysqlbackend/schema.mysql.sql>`_ and `the 4.1 schema <https://github.com/PowerDNS/pdns/blob/rel/auth-4.1.x/modules/gmysqlbackend/schema.mysql.sql>`_ on GitHub.
.. literalinclude:: ../../modules/gmysqlbackend/schema.mysql.sql
description: |
When set to the name of a specific statistic, only this value is returned.
If no statistic with that name exists, the response has a 422 status and an error message.
-
+ - name: includerings
+ in: query
+ required: false
+ type: boolean
+ default: true
+ description: '“true” (default) or “false”, whether to include the Ring items, which can contain thousands of log messages or queried domains. Setting this to ”false” may make the response a lot smaller.'
responses:
'200':
description: List of Statistic Items
and served immediately. Note that this does not add the zone to the
bind-config file. *FILENAME* must be an absolute path.
+bind-domain-extended-status [*DOMAIN*...]
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Output an extended status of all domains, containing much more information than
+the simple domain status, like the number of records currently loaded, whether pdns
+is master or slave for the domain, the list of masters, various timers, etc
+Optionally, append *DOMAIN*\ s to get the status of specific zones.
+
bind-domain-status [*DOMAIN*...]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020011600 10800 3600 604800 10800
+@ 86400 IN SOA pdns-public-ns1.powerdns.com. pieter\.lexis.powerdns.com. 2020020300 10800 3600 604800 10800
@ 3600 IN NS pdns-public-ns1.powerdns.com.
@ 3600 IN NS pdns-public-ns2.powerdns.com.
auth-4.2.0-rc3.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
auth-4.2.0.security-status 60 IN TXT "1 OK"
auth-4.2.1.security-status 60 IN TXT "1 OK"
-auth-4.3.0-alpha1.security-status 60 IN TXT "1 OK"
+auth-4.3.0-alpha1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
+auth-4.3.0-beta1.security-status 60 IN TXT "1 OK"
; Auth Debian
auth-3.4.1-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2015-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-03/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-04/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-05/"
recursor-4.3.0-alpha2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.3.0-alpha3.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
recursor-4.3.0-beta1.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
-recursor-4.3.0-beta2.security-status 60 IN TXT "1 OK"
+recursor-4.3.0-beta2.security-status 60 IN TXT "2 Unsupported pre-release (no known vulnerabilities)"
+recursor-4.3.0-rc1.security-status 60 IN TXT "1 OK"
; Recursor Debian
recursor-3.6.2-2.debian.security-status 60 IN TXT "3 Upgrade now, see https://doc.powerdns.com/3/security/powerdns-advisory-2015-01/ and https://doc.powerdns.com/3/security/powerdns-advisory-2016-02/"
----------------------------
.. versionchanged:: 4.3.0
- This setting has been removed, use :ref:`setting-localaddress-nonexist-fail`
+ This setting has been removed, use :ref:`setting-local-address-nonexist-fail`
- Boolean
- Default: no
- :ref:`setting-local-ipv6` has been deprecated, and will be removed in 4.4.0. IPv4 and IPv6 listen addresses can now be set with :ref:`setting-local-address`. The default for the latter has been changed to ``0.0.0.0, ::``.
+Schema changes
+^^^^^^^^^^^^^^
+- The new 'unpublished DNSSEC keys' feature comes with a mandatory schema change for all database backends (including BIND with a DNSSEC database). Please find files named "4.2.0_to_4.3.0_schema.X.sql" for your database backend in our Git repo, tarball, or distro-specific documentation path. For the LMDB backend, please review :ref:`setting-lmdb-schema-version`.
+
+Implicit 5->7 algorithm upgrades
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Since version 3.0 (the first version of the PowerDNS Authoritative Server that supported DNSSEC signing), we have automatically, silently, upgraded algorithm 5 (RSASHA1) keys to algorithm 7 (RSASHA1-NSEC3-SHA1) when the user enabled NSEC3. This has been a source of confusion, and because of that, we introduced warnings for users of this feature in 4.0 and 4.1. To see if you are affected, run ``pdnsutil check-all-zones`` from version 4.0 or up. In this release, the automatic upgrade is gone, and affected zones will break if no action is taken.
4.1.X to 4.2.0
--------------
string Bind2Backend::DLDomStatusHandler(const vector<string>&parts, Utility::pid_t ppid)
{
ostringstream ret;
-
+
if(parts.size() > 1) {
for(vector<string>::const_iterator i=parts.begin()+1;i<parts.end();++i) {
BB2DomainInfo bbd;
- if(safeGetBBDomainInfo(DNSName(*i), &bbd)) {
+ if(safeGetBBDomainInfo(DNSName(*i), &bbd)) {
ret<< *i << ": "<< (bbd.d_loaded ? "": "[rejected]") <<"\t"<<bbd.d_status<<"\n";
- }
- else
+ }
+ else {
ret<< *i << " no such domain\n";
- }
+ }
+ }
}
else {
ReadLock rl(&s_state_lock);
return ret.str();
}
+static void printDomainExtendedStatus(ostringstream& ret, const BB2DomainInfo& info)
+{
+ ret << info.d_name << ": " << std::endl;
+ ret << "\t Status: " << info.d_status << std::endl;
+ ret << "\t Internal ID: " << info.d_id << std::endl;
+ ret << "\t On-disk file: " << info.d_filename << " (" << info.d_ctime << ")" << std::endl;
+ ret << "\t Kind: ";
+ switch (info.d_kind) {
+ case DomainInfo::Master:
+ ret << "Master";
+ break;
+ case DomainInfo::Slave:
+ ret << "Slave";
+ break;
+ default:
+ ret << "Native";
+ }
+ ret << std::endl;
+ ret << "\t Masters: " << std::endl;
+ for (const auto& master : info.d_masters) {
+ ret << "\t\t - " << master.toStringWithPort() << std::endl;
+ }
+ ret << "\t Also Notify: " << std::endl;
+ for (const auto& also : info.d_also_notify) {
+ ret << "\t\t - " << also << std::endl;
+ }
+ ret << "\t Number of records: " << info.d_records.getEntriesCount() << std::endl;
+ ret << "\t Loaded: " << info.d_loaded << std::endl;
+ ret << "\t Check now: " << info.d_checknow << std::endl;
+ ret << "\t Check interval: " << info.getCheckInterval() << std::endl;
+ ret << "\t Last check: " << info.d_lastcheck << std::endl;
+ ret << "\t Last notified: " << info.d_lastnotified << std::endl;
+}
+
+string Bind2Backend::DLDomExtendedStatusHandler(const vector<string>&parts, Utility::pid_t ppid)
+{
+ ostringstream ret;
+
+ if (parts.size() > 1) {
+ for (const auto& part : parts) {
+ BB2DomainInfo bbd;
+ if (safeGetBBDomainInfo(DNSName(part), &bbd)) {
+ printDomainExtendedStatus(ret, bbd);
+ }
+ else {
+ ret << part << " no such domain" << std::endl;
+ }
+ }
+ }
+ else {
+ ReadLock rl(&s_state_lock);
+ for (const auto& state : s_state) {
+ printDomainExtendedStatus(ret, state);
+ }
+ }
+
+ if (ret.str().empty()) {
+ ret << "no domains passed" << std::endl;
+ }
+
+ return ret.str();
+}
+
string Bind2Backend::DLListRejectsHandler(const vector<string>&parts, Utility::pid_t ppid)
{
ostringstream ret;
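Review bot: `DLDomExtendedStatusHandler` loops `for (const auto& part : parts)` from `parts[0]`, which is the command word itself — the sibling `DLDomStatusHandler` above starts at `parts.begin()+1` — so every call that names domains also prints `bind-domain-extended-status no such domain`. Skip the first element, e.g. `for (auto it = parts.begin() + 1; it != parts.end(); ++it) {` and use `*it` where `part` is used. The trailing `no domains passed` message can only be reached from the else branch, where `ret` is empty because `s_state` holds no domains, so the wording is misleading; either say that or drop the check. `ppid` is unused, as in the existing handler.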
extern DynListener *dl;
dl->registerFunc("BIND-RELOAD-NOW", &DLReloadNowHandler, "bindbackend: reload domains", "<domains>");
dl->registerFunc("BIND-DOMAIN-STATUS", &DLDomStatusHandler, "bindbackend: list status of all domains", "[domains]");
+ dl->registerFunc("BIND-DOMAIN-EXTENDED-STATUS", &DLDomExtendedStatusHandler, "bindbackend: list the extended status of all domains", "[domains]");
dl->registerFunc("BIND-LIST-REJECTS", &DLListRejectsHandler, "bindbackend: list rejected domains");
dl->registerFunc("BIND-ADD-ZONE", &DLAddDomainHandler, "bindbackend: add zone", "<domain> <filename>");
}
return ret;
}
+ size_t getEntriesCount() const
+ {
+ std::lock_guard<std::mutex> lock(s_lock);
+ return d_records->size();
+ }
+
private:
static std::mutex s_lock;
shared_ptr<T> d_records;
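Review bot: `getEntriesCount()` has no documentation although neighbouring members carry `//!` comments, and it has a contract worth stating: it takes the class-wide static `s_lock`, a plain `std::mutex`, so calling it while that lock is already held deadlocks. Suggest `//! number of records currently loaded; takes s_lock, so must not be called with s_lock held`. Whether `d_records` can be null when this is called is not visible in the hunk; if it can, the dereference needs a guard.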
bool current();
//! configure how often this domain should be checked for changes (on disk)
void setCheckInterval(time_t seconds);
+ time_t getCheckInterval() const
+ {
+ return d_checkinterval;
+ }
DNSName d_name; //!< actual name of the domain
DomainInfo::DomainKind d_kind; //!< the kind of domain
static void insertRecord(std::shared_ptr<recordstorage_t>& records, const DNSName& zoneName, const DNSName &qname, const QType &qtype, const string &content, int ttl, const std::string& hashed=string(), bool *auth=nullptr);
void reload() override;
static string DLDomStatusHandler(const vector<string>&parts, Utility::pid_t ppid);
+ static string DLDomExtendedStatusHandler(const vector<string>&parts, Utility::pid_t ppid);
static string DLListRejectsHandler(const vector<string>&parts, Utility::pid_t ppid);
static string DLReloadNowHandler(const vector<string>&parts, Utility::pid_t ppid);
static string DLAddDomainHandler(const vector<string>&parts, Utility::pid_t ppid);
+++ /dev/null
-/*
- * This file is part of PowerDNS or dnsdist.
- * Copyright -- PowerDNS.COM B.V. and its contributors
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of version 2 of the GNU General Public License as
- * published by the Free Software Foundation.
- *
- * In addition, for the avoidance of any doubt, permission is granted to
- * link this program with OpenSSL and to (re)distribute the binaries
- * produced as the result of such linking.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
- */
-#ifdef HAVE_CONFIG_H
-#include "config.h"
-#endif
-#include "odbxbackend.hh"
-
-
-
-unsigned int odbx_host_index[2] = { 0, 0 };
-
-
-
-bool OdbxBackend::connectTo( const vector<string>& hosts, QueryType type )
-{
- int err;
- unsigned int h, i;
- int idx = odbx_host_index[type]++ % hosts.size();
-
-
- if( m_handle[type] != NULL )
- {
- odbx_unbind( m_handle[type] );
- odbx_finish( m_handle[type] );
- m_handle[type] = NULL;
- }
-
- if( type == WRITE && getArg( "backend" ) == "sqlite" )
- {
- g_log.log( m_myname + " Using same SQLite connection for reading and writing to '" + hosts[odbx_host_index[READ]] + "'", Logger::Notice );
- m_handle[WRITE] = m_handle[READ];
- return true;
- }
-
- for( i = 0; i < hosts.size(); i++ )
- {
- h = ( idx + i ) % hosts.size();
-
- if( ( err = odbx_init( &(m_handle[type]), getArg( "backend" ).c_str(), hosts[h].c_str(), getArg( "port" ).c_str() ) ) == ODBX_ERR_SUCCESS )
- {
- if( ( err = odbx_bind( m_handle[type], getArg( "database" ).c_str(), getArg( "username" ).c_str(), getArg( "password" ).c_str(), ODBX_BIND_SIMPLE ) ) == ODBX_ERR_SUCCESS )
- {
- g_log.log( m_myname + " Database connection (" + (type ? "write" : "read") + ") to '" + hosts[h] + "' succeeded", Logger::Notice );
- return true;
- }
-
- g_log.log( m_myname + " Unable to bind to database on host " + hosts[h] + " - " + string( odbx_error( m_handle[type], err ) ), Logger::Error );
- continue;
- }
-
- g_log.log( m_myname + " Unable to connect to server on host " + hosts[h] + " - " + string( odbx_error( m_handle[type], err ) ), Logger::Error );
- }
-
- m_handle[type] = NULL;
- return false;
-}
-
-
-
-bool OdbxBackend::execStmt( const char* stmt, unsigned long length, QueryType type )
-{
- int err;
-
-
- DLOG( g_log.log( m_myname + " execStmt()", Logger::Debug ) );
-
- if( m_qlog ) { g_log.log( m_myname + " Query: " + stmt, Logger::Info ); }
-
- if( ( err = odbx_query( m_handle[type], stmt, length ) ) < 0 )
- {
- g_log.log( m_myname + " execStmt: Unable to execute query - " + string( odbx_error( m_handle[type], err ) ), Logger::Error );
-
- if( err != -ODBX_ERR_PARAM && odbx_error_type( m_handle[type], err ) > 0 ) { return false; } // ODBX_ERR_PARAM workaround
- if( !connectTo( m_hosts[type], type ) ) { return false; }
- if( odbx_query( m_handle[type], stmt, length ) < 0 ) { return false; }
- }
-
- if( type == WRITE ) { while( getRecord( type ) ); }
-
- return true;
-}
-
-
-
-bool OdbxBackend::getRecord( QueryType type )
-{
- int err = 3;
-
-
- DLOG( g_log.log( m_myname + " getRecord()", Logger::Debug ) );
-
- do
- {
- if( err < 0 )
- {
- g_log.log( m_myname + " getRecord: Unable to get next result - " + string( odbx_error( m_handle[type], err ) ), Logger::Error );
- throw( PDNSException( "Error: odbx_result() failed" ) );
- }
-
- if( m_result != NULL )
- {
- if( err == 3 )
- {
- if( ( err = odbx_row_fetch( m_result ) ) < 0 )
- {
- g_log.log( m_myname + " getRecord: Unable to get next row - " + string( odbx_error( m_handle[type], err ) ), Logger::Error );
- throw( PDNSException( "Error: odbx_row_fetch() failed" ) );
- }
-
- if( err > 0 )
- {
-#ifdef VERBOSELOG
- unsigned int i;
- string fields;
-
- for( i = 0; i < odbx_column_count( m_result ); i++ )
- {
- fields += string( odbx_column_name( m_result, i ) );
-
- if( odbx_field_value( m_result, i ) != NULL )
- {
- fields += "=" + string( odbx_field_value( m_result, i ) ) + ", ";
- }
- else
- {
- fields += "=NULL, ";
- }
- }
-
- g_log.log( m_myname + " Values: " + fields, Logger::Error );
-#endif
- return true;
- }
-
- }
-
- odbx_result_free( m_result );
- m_result = NULL;
- }
- }
- while( ( err = odbx_result( m_handle[type], &m_result, NULL, 0 ) ) != 0 );
-
- m_result = NULL;
- return false;
-}
-
-
-
-string OdbxBackend::escape( const string& str, QueryType type )
-{
- int err;
- unsigned long len = sizeof( m_escbuf );
-
-
- DLOG( g_log.log( m_myname + " escape(string)", Logger::Debug ) );
-
- if( ( err = odbx_escape( m_handle[type], str.c_str(), str.size(), m_escbuf, &len ) ) < 0 )
- {
- g_log.log( m_myname + " escape(string): Unable to escape string - " + string( odbx_error( m_handle[type], err ) ), Logger::Error );
-
- if( err != -ODBX_ERR_PARAM && odbx_error_type( m_handle[type], err ) > 0 ) { throw( runtime_error( "odbx_escape() failed" ) ); } // ODBX_ERR_PARAM workaround
- if( !connectTo( m_hosts[type], type ) ) { throw( runtime_error( "odbx_escape() failed" ) ); }
- if( odbx_escape( m_handle[type], str.c_str(), str.size(), m_escbuf, &len ) < 0 ) { throw( runtime_error( "odbx_escape() failed" ) ); }
- }
-
- return string( m_escbuf, len );
-}
-
-
-
-bool OdbxBackend::getDomainList( const string& stmt, vector<DomainInfo>* domains, bool (*check_fcn)(uint32_t,uint32_t,SOAData*,DomainInfo*) )
-{
- const char* tmp;
- uint32_t nlast, nserial;
-
- SOAData sd;
-
- DLOG( g_log.log( m_myname + " getDomainList()", Logger::Debug ) );
-
- if( !execStmt( stmt.c_str(), stmt.size(), READ ) ) { return false; }
- if( !getRecord( READ ) ) { return false; }
-
- do
- {
- DomainInfo di;
- nlast = 0;
- nserial = 0;
- sd.serial = 0;
- sd.refresh = 0;
-
- if( ( tmp = odbx_field_value( m_result, 6 ) ) != NULL )
- {
- fillSOAData( string( tmp, odbx_field_length( m_result, 6 ) ), sd );
- }
-
- if( !sd.serial && ( tmp = odbx_field_value( m_result, 5 ) ) != NULL )
- {
- sd.serial = strtol( tmp, NULL, 10 );
- }
-
- if( ( tmp = odbx_field_value( m_result, 4 ) ) != NULL )
- {
- nserial = strtol( tmp, NULL, 10 );
- }
-
- if( ( tmp = odbx_field_value( m_result, 3 ) ) != NULL )
- {
- nlast = strtol( tmp, NULL, 10 );
- }
-
- if( (*check_fcn)( nlast, nserial, &sd, &di ) )
- {
- if( ( tmp = odbx_field_value( m_result, 2 ) ) != NULL )
- {
- vector<string> masters;
- stringtok(masters, string( tmp, odbx_field_length( m_result, 2 )), ", \t" );
- for(const auto& m : masters)
- {
- di.masters.emplace_back(m, 53);
- }
- }
-
- if( ( tmp = odbx_field_value( m_result, 1 ) ) != NULL )
- {
- di.zone = DNSName( string(tmp, odbx_field_length( m_result, 1 )) );
- }
-
- if( ( tmp = odbx_field_value( m_result, 0 ) ) != NULL )
- {
- di.id = strtol( tmp, NULL, 10 );
- }
-
- di.last_check = nlast;
- di.notified_serial = nserial;
- di.serial = sd.serial;
- di.backend = this;
-
- domains->push_back( di );
- }
- }
- while( getRecord( READ ) );
-
- return true;
-}
-
-
-
-bool checkSlave( uint32_t nlast, uint32_t nserial, SOAData* sd, DomainInfo* di )
-{
- if( nlast + sd->refresh < (uint32_t) time( 0 ) )
- {
- di->kind = DomainInfo::Slave;
- return true;
- }
-
- return false;
-}
-
-
-
-bool checkMaster( uint32_t nlast, uint32_t nserial, SOAData* sd, DomainInfo* di )
-{
- if( nserial != sd->serial )
- {
- di->kind = DomainInfo::Master;
- return true;
- }
-
- return false;
-}
dpk.d_flags = kd.flags;
dpk.d_algorithm = dkrc.d_algorithm;
- if(dpk.d_algorithm == DNSSECKeeper::RSASHA1 && getNSEC3PARAM(zname)) {
- dpk.d_algorithm = DNSSECKeeper::RSASHA1NSEC3SHA1;
- }
-
return dpk;
}
throw runtime_error("Can't find a key with id "+std::to_string(id)+" for zone '"+zname.toLogString()+"'");
dpk.d_flags = kd.flags;
dpk.d_algorithm = dkrc.d_algorithm;
- if(dpk.d_algorithm == DNSSECKeeper::RSASHA1 && getNSEC3PARAM(zone)) {
- g_log<<Logger::Warning<<"Zone '"<<zone<<"' has NSEC3 semantics, but the "<< (kd.active ? "" : "in" ) <<"active key with id "<<kd.id<<" has 'Algorithm: 5'. This should be corrected to 'Algorithm: 7' in the database (or NSEC3 should be disabled)."<<endl;
- dpk.d_algorithm = DNSSECKeeper::RSASHA1NSEC3SHA1;
- }
KeyMetaData kmd;
{
public:
DNSResourceRecord() : last_modified(0), ttl(0), signttl(0), domain_id(-1), qclass(1), scopeMask(0), auth(1), disabled(0) {};
- ~DNSResourceRecord(){};
static DNSResourceRecord fromWire(const DNSRecord& d);
enum Place : uint8_t {QUESTION=0, ANSWER=1, AUTHORITY=2, ADDITIONAL=3}; //!< Type describing the positioning within, say, a DNSPacket
}
#endif /* HAVE_NET_SNMP */
});
+
g_lua.registerFunction<void(DNSQuestion::*)(std::string, std::string)>("setTag", [](DNSQuestion& dq, const std::string& strLabel, const std::string& strValue) {
if(dq.qTag == nullptr) {
dq.qTag = std::make_shared<QTag>();
}
return true;
});
+
+ g_lua.registerFunction<void(DNSResponse::*)(std::string, std::string)>("setTag", [](DNSResponse& dr, const std::string& strLabel, const std::string& strValue) {
+ if(dr.qTag == nullptr) {
+ dr.qTag = std::make_shared<QTag>();
+ }
+ dr.qTag->insert({strLabel, strValue});
+ });
+
+ g_lua.registerFunction<void(DNSResponse::*)(vector<pair<string, string>>)>("setTagArray", [](DNSResponse& dr, const vector<pair<string, string>>&tags) {
+ if (!dr.qTag) {
+ dr.qTag = std::make_shared<QTag>();
+ }
+
+ for (const auto& tag : tags) {
+ dr.qTag->insert({tag.first, tag.second});
+ }
+ });
+ g_lua.registerFunction<string(DNSResponse::*)(std::string)>("getTag", [](const DNSResponse& dr, const std::string& strLabel) {
+ if (!dr.qTag) {
+ return string();
+ }
+
+ std::string strValue;
+ const auto it = dr.qTag->find(strLabel);
+ if (it == dr.qTag->cend()) {
+ return string();
+ }
+ return it->second;
+ });
+ g_lua.registerFunction<QTag(DNSResponse::*)(void)>("getTagArray", [](const DNSResponse& dr) {
+ if (!dr.qTag) {
+ QTag empty;
+ return empty;
+ }
+
+ return *dr.qTag;
+ });
+
g_lua.registerFunction<void(DNSResponse::*)(std::string)>("sendTrap", [](const DNSResponse& dr, boost::optional<std::string> reason) {
#ifdef HAVE_NET_SNMP
if (g_snmpAgent && g_snmpTrapsEnabled) {
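Review bot: The new `setTag` for `DNSResponse` uses `dr.qTag->insert({strLabel, strValue})`; if `QTag` is a `std::map`/`unordered_map` (it exposes `find`/`cend`), `insert` leaves an existing entry for the same label untouched, so a second `setTag` with the same label is a silent no-op — `(*dr.qTag)[strLabel] = strValue;` overwrites, and the same applies to `setTagArray`. The `DNSQuestion` version's body is split by the hunk boundary, so keep whichever semantics it has consistent between the two. In `getTag`, `std::string strValue;` is never used and can be removed, and a blank line between the `setTagArray` and `getTag` registrations would match the surrounding layout.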
auto states = g_dstates.getLocal();
const string statesbase = "dnsdist_server_";
+ output << "# HELP " << statesbase << "status " << "Whether this backend is up (1) or down (0)" << "\n";
+ output << "# TYPE " << statesbase << "status " << "gauge" << "\n";
output << "# HELP " << statesbase << "queries " << "Amount of queries relayed to server" << "\n";
output << "# TYPE " << statesbase << "queries " << "counter" << "\n";
output << "# HELP " << statesbase << "responses " << "Amount of responses received from this server" << "\n";
output << "# TYPE " << statesbase << "drops " << "counter" << "\n";
output << "# HELP " << statesbase << "latency " << "Server's latency when answering questions in milliseconds" << "\n";
output << "# TYPE " << statesbase << "latency " << "gauge" << "\n";
- output << "# HELP " << statesbase << "senderrors " << "Total number of OS send errors while relaying queries" << "\n";
+ output << "# HELP " << statesbase << "senderrors " << "Total number of OS send errors while relaying queries" << "\n";
output << "# TYPE " << statesbase << "senderrors " << "counter" << "\n";
output << "# HELP " << statesbase << "outstanding " << "Current number of queries that are waiting for a backend response" << "\n";
output << "# TYPE " << statesbase << "outstanding " << "gauge" << "\n";
const std::string label = boost::str(boost::format("{server=\"%1%\",address=\"%2%\"}")
% serverName % state->remote.toStringWithPort());
+ output << statesbase << "status" << label << " " << (state->isUp() ? "1" : "0") << "\n";
output << statesbase << "queries" << label << " " << state->queries.load() << "\n";
output << statesbase << "responses" << label << " " << state->responses.load() << "\n";
output << statesbase << "drops" << label << " " << state->reuseds.load() << "\n";
#include "libssl.hh"
+class OpenSSLFrontendContext
+{
+public:
+ OpenSSLFrontendContext(const ComboAddress& addr, const TLSConfig& tlsConfig): d_ticketKeys(tlsConfig.d_numberOfTicketsKeys)
+ {
+ registerOpenSSLUser();
+
+ d_tlsCtx = libssl_init_server_context(tlsConfig, d_ocspResponses);
+ if (!d_tlsCtx) {
+ ERR_print_errors_fp(stderr);
+ throw std::runtime_error("Error creating TLS context on " + addr.toStringWithPort());
+ }
+ }
+
+ void cleanup()
+ {
+ d_tlsCtx.reset();
+
+ unregisterOpenSSLUser();
+ }
+
+ OpenSSLTLSTicketKeysRing d_ticketKeys;
+ std::map<int, std::string> d_ocspResponses;
+ std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> d_tlsCtx{nullptr, SSL_CTX_free};
+};
+
class OpenSSLTLSConnection: public TLSConnection
{
public:
- OpenSSLTLSConnection(int socket, unsigned int timeout, SSL_CTX* tlsCtx): d_conn(std::unique_ptr<SSL, void(*)(SSL*)>(SSL_new(tlsCtx), SSL_free)), d_timeout(timeout)
+ OpenSSLTLSConnection(int socket, unsigned int timeout, std::shared_ptr<OpenSSLFrontendContext> feContext): d_feContext(feContext), d_conn(std::unique_ptr<SSL, void(*)(SSL*)>(SSL_new(d_feContext->d_tlsCtx.get()), SSL_free)), d_timeout(timeout)
{
d_socket = socket;
private:
static std::atomic_flag s_initTLSConnIndex;
+ std::shared_ptr<OpenSSLFrontendContext> d_feContext;
std::unique_ptr<SSL, void(*)(SSL*)> d_conn;
unsigned int d_timeout;
};
class OpenSSLTLSIOCtx: public TLSCtx
{
public:
- OpenSSLTLSIOCtx(TLSFrontend& fe): d_ticketKeys(fe.d_tlsConfig.d_numberOfTicketsKeys)
+ OpenSSLTLSIOCtx(TLSFrontend& fe)
{
- registerOpenSSLUser();
- d_ticketsKeyRotationDelay = fe.d_tlsConfig.d_ticketsKeyRotationDelay;
+ d_feContext = std::make_shared<OpenSSLFrontendContext>(fe.d_addr, fe.d_tlsConfig);
- d_tlsCtx = libssl_init_server_context(fe.d_tlsConfig, d_ocspResponses);
- if (!d_tlsCtx) {
- ERR_print_errors_fp(stderr);
- throw std::runtime_error("Error creating TLS context on " + fe.d_addr.toStringWithPort());
- }
+ d_ticketsKeyRotationDelay = fe.d_tlsConfig.d_ticketsKeyRotationDelay;
if (fe.d_tlsConfig.d_enableTickets && fe.d_tlsConfig.d_numberOfTicketsKeys > 0) {
/* use our own ticket keys handler so we can rotate them */
- SSL_CTX_set_tlsext_ticket_key_cb(d_tlsCtx.get(), &OpenSSLTLSIOCtx::ticketKeyCb);
- libssl_set_ticket_key_callback_data(d_tlsCtx.get(), this);
+ SSL_CTX_set_tlsext_ticket_key_cb(d_feContext->d_tlsCtx.get(), &OpenSSLTLSIOCtx::ticketKeyCb);
+ libssl_set_ticket_key_callback_data(d_feContext->d_tlsCtx.get(), d_feContext.get());
}
- if (!d_ocspResponses.empty()) {
- SSL_CTX_set_tlsext_status_cb(d_tlsCtx.get(), &OpenSSLTLSIOCtx::ocspStaplingCb);
- SSL_CTX_set_tlsext_status_arg(d_tlsCtx.get(), &d_ocspResponses);
+ if (!d_feContext->d_ocspResponses.empty()) {
+ SSL_CTX_set_tlsext_status_cb(d_feContext->d_tlsCtx.get(), &OpenSSLTLSIOCtx::ocspStaplingCb);
+ SSL_CTX_set_tlsext_status_arg(d_feContext->d_tlsCtx.get(), &d_feContext->d_ocspResponses);
}
- libssl_set_error_counters_callback(d_tlsCtx, &fe.d_tlsCounters);
+ libssl_set_error_counters_callback(d_feContext->d_tlsCtx, &fe.d_tlsCounters);
try {
if (fe.d_tlsConfig.d_ticketKeyFile.empty()) {
}
}
- virtual ~OpenSSLTLSIOCtx() override
+ ~OpenSSLTLSIOCtx() override
{
- d_tlsCtx.reset();
-
- unregisterOpenSSLUser();
}
static int ticketKeyCb(SSL *s, unsigned char keyName[TLS_TICKETS_KEY_NAME_SIZE], unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc)
{
- OpenSSLTLSIOCtx* ctx = reinterpret_cast<OpenSSLTLSIOCtx*>(libssl_get_ticket_key_callback_data(s));
+ OpenSSLFrontendContext* ctx = reinterpret_cast<OpenSSLFrontendContext*>(libssl_get_ticket_key_callback_data(s));
if (ctx == nullptr) {
return -1;
}
{
handleTicketsKeyRotation(now);
- return std::unique_ptr<OpenSSLTLSConnection>(new OpenSSLTLSConnection(socket, timeout, d_tlsCtx.get()));
+ return std::unique_ptr<OpenSSLTLSConnection>(new OpenSSLTLSConnection(socket, timeout, d_feContext));
}
void rotateTicketsKey(time_t now) override
{
- d_ticketKeys.rotateTicketsKey(now);
+ d_feContext->d_ticketKeys.rotateTicketsKey(now);
if (d_ticketsKeyRotationDelay > 0) {
d_ticketsKeyNextRotation = now + d_ticketsKeyRotationDelay;
void loadTicketsKeys(const std::string& keyFile) override final
{
- d_ticketKeys.loadTicketsKeys(keyFile);
+ d_feContext->d_ticketKeys.loadTicketsKeys(keyFile);
if (d_ticketsKeyRotationDelay > 0) {
d_ticketsKeyNextRotation = time(nullptr) + d_ticketsKeyRotationDelay;
size_t getTicketsKeysCount() override
{
- return d_ticketKeys.getKeysCount();
+ return d_feContext->d_ticketKeys.getKeysCount();
}
private:
- OpenSSLTLSTicketKeysRing d_ticketKeys;
- std::map<int, std::string> d_ocspResponses;
- std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> d_tlsCtx{nullptr, SSL_CTX_free};
+ std::shared_ptr<OpenSSLFrontendContext> d_feContext;
};
#endif /* HAVE_LIBSSL */
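Review bot: `OpenSSLFrontendContext` calls `registerOpenSSLUser()` in its constructor, but the matching `unregisterOpenSSLUser()` only runs in the separate `cleanup()` method, and nothing in these hunks calls it; the old `~OpenSSLTLSIOCtx` body that did this is removed and the new destructor is empty, so unless a caller outside this diff invokes `cleanup()`, the OpenSSL user registration now leaks when a frontend context goes away. Because `d_feContext` is a `shared_ptr` held by every `OpenSSLTLSConnection`, a destructor is the natural home for it, `~OpenSSLFrontendContext() { cleanup(); }`, which runs exactly once after the last connection has dropped its reference and after `d_tlsCtx` has been released. If `cleanup()` is instead meant to be called explicitly by the frontend, it should be made safe to call twice (it presumably is not, if the unregister decrements a counter) and documented with something like `/* must be called once, after every connection created from this context is gone; not invoked by the destructor */`. Pointing the ticket-key callback data at the frontend context instead of the IO context closes the dangling-pointer window for connections that outlive the IO context, which looks like the motivation for this refactor and is worth a one-line comment on the `libssl_set_ticket_key_callback_data` call. Several of the methods touched here start or end outside the visible hunks.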
shared_ptr<DNSCryptoKeyEngine>(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content));
if(dkrc.d_algorithm == DNSSECKeeper::RSASHA1) {
- cout<<"[Warning] zone '"<<zone<<"' has NSEC3 semantics, but the "<< (kd.active ? "" : "in" ) <<"active key with id "<<kd.id<<" has 'Algorithm: 5'. This should be corrected to 'Algorithm: 7' in the database (or NSEC3 should be disabled)."<<endl;
- numwarnings++;
+ cout<<"[Error] zone '"<<zone<<"' has NSEC3 semantics, but the "<< (kd.active ? "" : "in" ) <<"active key with id "<<kd.id<<" has 'Algorithm: 5'. This should be corrected to 'Algorithm: 7' in the database (or NSEC3 should be disabled)."<<endl;
+ numerrors++;
}
}
}
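Review bot: Raising the RSASHA1-with-NSEC3 case from warning to error is the right call, since RFC 5155 requires algorithm 7 for NSEC3 zones, but the check is still limited to algorithm 5; the same rule applies to DSA (algorithm 3), whose NSEC3-aware counterpart is algorithm 6, so an NSEC3 zone with a DSA key still passes this check silently. If the keeper exposes that enum value, the condition could become `if (dkrc.d_algorithm == DNSSECKeeper::RSASHA1 || dkrc.d_algorithm == DNSSECKeeper::DSA) {` with the message adjusted to name the actual algorithm and its NSEC3 replacement. The enclosing loop and function start before this hunk.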
Changelogs for 4.3.x
====================
+.. changelog::
+ :version: 4.3.0-rc1
+ :released: 3rd of February 2020
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8751
+
+ Update boost.m4.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8738
+
+ Explicitly enable dnstap for debian-stretch and buster.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8730
+
+ Make ``ComboAddress::setPort()`` update the current object.
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8728
+
+ EPEL 8 now has libfstrm-devel.
+
+ .. change::
+ :tags: Bug Fixes
+ :pullreq: 8727
+
+ Fix the evaluation order for filtering policies (RPZ).
+
+ .. change::
+ :tags: Improvements
+ :pullreq: 8726
+
+ Give an explicit messsage if something is wrong with socket-dir.
.. changelog::
:version: 4.3.0-beta2
Check if server is alive.
quit
- Request shutdown of the recursor.
+ Request shutdown of the recursor, exiting the process while
+ letting the OS clean up resources.
quit-nicely
- Request nice shutdown of the recursor.
+ Request nice shutdown of the recursor. This method allows all
+ threads to finish their current work and releases resources before
+ exiting. This is the preferred method to stop the recursor.
reload-acls
Reloads ACLs.
Threading and distribution of queries
-------------------------------------
-When running with several threads, you can either ask PowerDNS to start a special thread to dispatch the incoming queries to the workers by setting :ref:`setting-pdns-distributes-queries` to true, or let the worker threads handle the incoming queries themselves.
-The dispatch thread enabled by :ref:`setting-pdns-distributes-queries` tries to send the same queries to the same thread to maximize the cache-hit ratio, but it might become a bottleneck if the incoming queries rate is too high to be handled by a single thread.
+When running with several threads, you can either ask PowerDNS to start one or more special threads to dispatch the incoming queries to the workers by setting :ref:`setting-pdns-distributes-queries` to true, or let the worker threads handle the incoming queries themselves.
+
+The dispatch thread enabled by :ref:`setting-pdns-distributes-queries` tries to send the same queries to the same thread to maximize the cache-hit ratio.
+If the incoming query rate is so high that the dispatch thread becomes a bottleneck, you can increase :ref:`setting-distributor-threads` to use more than one.
If :ref:`setting-pdns-distributes-queries` is set to false and either ``SO_REUSEPORT`` support is not available or the :ref:`setting-reuseport` directive is set to false, all worker threads share the same listening sockets.
.. versionadded:: 4.1.0
The :ref:`setting-cpu-map` parameter can be used to pin worker threads to specific CPUs, in order to keep caches as warm as possible and optimize memory access on NUMA systems.
+.. versionadded:: 4.2.0
+ The :ref:`setting-distributor-threads` parameter can be used to run more than one distributor thread.
+
Performance tips
----------------
^^^^^^^^^^^^^^
The Recursor Cache contains all DNS knowledge gathered over time.
-This is also knows as a "record cache".
+This is also known as a "record cache".
Packet Cache
^^^^^^^^^^^^
zrr.auth = 1; // please sign!
string publishCDNSKEY, publishCDS;
- dk.getFromMeta(q->qdomain, "PUBLISH-CDNSKEY", publishCDNSKEY);
- dk.getFromMeta(q->qdomain, "PUBLISH-CDS", publishCDS);
+ dk.getPublishCDNSKEY(q->qdomain, publishCDNSKEY);
+ dk.getPublishCDS(q->qdomain, publishCDS);
vector<DNSZoneRecord> cds, cdnskey;
DNSSECKeeper::keyset_t entryPoints = dk.getEntryPoints(q->qdomain);
set<uint32_t> entryPointIds;
}
#ifndef RECURSOR
- for(const auto& ringName : S.listRings()) {
- Json::array values;
- const auto& ring = S.getRing(ringName);
- for(const auto& item : ring) {
- if (item.second == 0)
- continue;
-
- values.push_back(Json::object {
- { "name", item.first },
- { "value", std::to_string(item.second) },
+ if (!req->getvars.count("includerings") ||
+ req->getvars["includerings"] != "false") {
+ for(const auto& ringName : S.listRings()) {
+ Json::array values;
+ const auto& ring = S.getRing(ringName);
+ for(const auto& item : ring) {
+ if (item.second == 0)
+ continue;
+
+ values.push_back(Json::object {
+ { "name", item.first },
+ { "value", std::to_string(item.second) },
+ });
+ }
+
+ doc.push_back(Json::object {
+ { "type", "RingStatisticItem" },
+ { "name", ringName },
+ { "size", std::to_string(S.getRingSize(ringName)) },
+ { "value", values },
});
}
-
- doc.push_back(Json::object {
- { "type", "RingStatisticItem" },
- { "name", ringName },
- { "size", std::to_string(S.getRingSize(ringName)) },
- { "value", values },
- });
}
#endif
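Review bot: The new `includerings` check reads the parameter through `req->getvars["includerings"]`, which on a non-const map is the inserting `operator[]`; it only stays side-effect free because of the `count()` short-circuit in front of it, and the double lookup is easy to break in a later edit. A single lookup is clearer and cannot insert: `auto includerings = req->getvars.find("includerings");` then `if (includerings == req->getvars.end() || includerings->second != "false") {`. Note also that only the literal string `false` disables the ring statistics (`0` or `no` still include them), which is worth stating in the API documentation for this endpoint if it is not already. The enclosing handler starts before this hunk.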
bindwait
$SDIG 127.0.0.1 $port minimal.com CDS dnssec | LC_ALL=C sort
+$SAXFR 127.0.0.1 $port minimal.com dnssec | LC_ALL=C sort
$PDNSUTIL --config-dir=default-publish-cds set-publish-cds minimal.com 2
$SDIG 127.0.0.1 $port minimal.com CDS dnssec | LC_ALL=C sort
+$SAXFR 127.0.0.1 $port minimal.com dnssec | LC_ALL=C sort
$PDNSUTIL --config-dir=default-publish-cds set-publish-cds minimal.com ''
$SDIG 127.0.0.1 $port minimal.com CDS dnssec | LC_ALL=C sort
+$SAXFR 127.0.0.1 $port minimal.com dnssec | LC_ALL=C sort
$PDNSUTIL --config-dir=default-publish-cds unset-publish-cds minimal.com
$SDIG 127.0.0.1 $port minimal.com CDS dnssec | LC_ALL=C sort
+$SAXFR 127.0.0.1 $port minimal.com dnssec | LC_ALL=C sort
kill $(cat pdns*.pid)
rm pdns*.pid
2 . IN OPT 32768
Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='minimal.com.', qtype=CDS
+minimal.com. 120 IN NS ns1.example.com.
+minimal.com. 120 IN NS ns2.example.com.
+minimal.com. 120 IN RRSIG NS 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN RRSIG SOA 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 86400 IN CDS 54319 8 4 ff159f2cc251c9850b24bedb9158f33b292137d228a2a8686c2a178e29e1097f80210813beba035bb065bbe1ffbb2229
+minimal.com. 86400 IN DNSKEY 257 3 8 ...
+minimal.com. 86400 IN NSEC minimal.com. NS SOA RRSIG NSEC DNSKEY CDS
+minimal.com. 86400 IN RRSIG CDS 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 86400 IN RRSIG DNSKEY 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 86400 IN RRSIG NSEC 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
0 minimal.com. IN CDS 86400 54319 8 2 c5359d2a312ff6c28883b5d6404c76666262c26bd3dadfed63afb366e6f09c24
0 minimal.com. IN RRSIG 86400 CDS 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
2 . IN OPT 32768
Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='minimal.com.', qtype=CDS
+minimal.com. 120 IN NS ns1.example.com.
+minimal.com. 120 IN NS ns2.example.com.
+minimal.com. 120 IN RRSIG NS 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN RRSIG SOA 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 86400 IN CDS 54319 8 2 c5359d2a312ff6c28883b5d6404c76666262c26bd3dadfed63afb366e6f09c24
+minimal.com. 86400 IN DNSKEY 257 3 8 ...
+minimal.com. 86400 IN NSEC minimal.com. NS SOA RRSIG NSEC DNSKEY CDS
+minimal.com. 86400 IN RRSIG CDS 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 86400 IN RRSIG DNSKEY 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 86400 IN RRSIG NSEC 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
1 minimal.com. IN NSEC 86400 minimal.com. NS SOA RRSIG NSEC DNSKEY
1 minimal.com. IN RRSIG 120 SOA 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
1 minimal.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
2 . IN OPT 32768
Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='minimal.com.', qtype=CDS
+minimal.com. 120 IN NS ns1.example.com.
+minimal.com. 120 IN NS ns2.example.com.
+minimal.com. 120 IN RRSIG NS 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN RRSIG SOA 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 86400 IN DNSKEY 257 3 8 ...
+minimal.com. 86400 IN NSEC minimal.com. NS SOA RRSIG NSEC DNSKEY
+minimal.com. 86400 IN RRSIG DNSKEY 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 86400 IN RRSIG NSEC 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
0 minimal.com. IN CDS 86400 54319 8 4 ff159f2cc251c9850b24bedb9158f33b292137d228a2a8686c2a178e29e1097f80210813beba035bb065bbe1ffbb2229
0 minimal.com. IN RRSIG 86400 CDS 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
2 . IN OPT 32768
Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='minimal.com.', qtype=CDS
+minimal.com. 120 IN NS ns1.example.com.
+minimal.com. 120 IN NS ns2.example.com.
+minimal.com. 120 IN RRSIG NS 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN RRSIG SOA 8 2 120 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 120 IN SOA ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+minimal.com. 86400 IN CDS 54319 8 4 ff159f2cc251c9850b24bedb9158f33b292137d228a2a8686c2a178e29e1097f80210813beba035bb065bbe1ffbb2229
+minimal.com. 86400 IN DNSKEY 257 3 8 ...
+minimal.com. 86400 IN NSEC minimal.com. NS SOA RRSIG NSEC DNSKEY CDS
+minimal.com. 86400 IN RRSIG CDS 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 86400 IN RRSIG DNSKEY 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...
+minimal.com. 86400 IN RRSIG NSEC 8 2 86400 [expiry] [inception] [keytag] minimal.com. ...