daemon/zimport: better failure logging
authorVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 22 Dec 2021 12:50:46 +0000 (13:50 +0100)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Wed, 22 Dec 2021 12:50:46 +0000 (13:50 +0100)
The typical DNSSEC problems should happen already when trying to
validate the DNSKEY set, so it's better to be more verbose there.

In the end I gave up on deduplicating with the log_bogus_rrsig() code,
as it uses a different logging group and logging level, has no kr_query, etc.

daemon/zimport.c
lib/dnssec.c
lib/dnssec.h

index 5c2a6281521565e02ec7a7003748cadf2459c098..418fb5a8158359b220754acb3d13e2f6fe5d9bed 100644 (file)
@@ -680,14 +680,25 @@ int zi_zone_import(const zi_config_t config)
                goto fail;
        }
 
+       kr_rrset_validation_ctx_t err_ctx;
        z_import->svldr = kr_svldr_new_ctx(ds, dnskey, &dnskey_sigs->rrs,
-                                               z_import->timestamp_rr);
+                                               z_import->timestamp_rr, &err_ctx);
        if (!z_import->svldr) {
-               kr_log_error(PREFILL, "failed to validate DNSKEY for `%s`\n", zone_name_str);
+               // log RRSIG stats; very similar to log_bogus_rrsig()
+               kr_log_error(PREFILL, "failed to validate DNSKEY for `%s` "
+                       "(%u matching RRSIGs, %u expired, %u not yet valid, "
+                       "%u invalid signer, %u invalid label count, %u invalid key, "
+                       "%u invalid crypto, %u invalid NSEC)\n",
+                       zone_name_str,
+                       err_ctx.rrs_counters.matching_name_type,
+                       err_ctx.rrs_counters.expired, err_ctx.rrs_counters.notyet,
+                       err_ctx.rrs_counters.signer_invalid,
+                       err_ctx.rrs_counters.labels_invalid,
+                       err_ctx.rrs_counters.key_invalid,
+                       err_ctx.rrs_counters.crypto_invalid,
+                       err_ctx.rrs_counters.nsec_invalid);
                ret = kr_error(ENOENT);
                goto fail;
-               /* TODO: more details about why validation failed.
-                * Perhaps extend the SVLDR API to somehow return EDE code. */
        }
 
    //// Do all ZONEMD processing, if desired.
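Review bot: `err_ctx` on line 22 is declared without an initializer and, judging by the lib/dnssec.c hunk, is only written by kr_svldr_new_ctx on its `fail:` path, so the counters printed on lines 34-40 are indeterminate if any NULL return in kr_svldr_new_ctx bypasses that label — the `calloc` directly after its signature looks like a candidate, though its handling is not visible here. Zero-initialising the struct, `kr_rrset_validation_ctx_t err_ctx = {0};`, makes the message show all-zero counters rather than stack garbage in that case, at no cost. zi_zone_import begins and ends outside the hunk.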
index 2c5d19763586b893e13fed7ba459c2e9fb1cff1c..f56ab759f955fc5b275b6a89ca24573198eb8ce4 100644 (file)
@@ -197,7 +197,8 @@ void kr_svldr_free_ctx(struct kr_svldr_ctx *ctx)
        free(ctx);
 }
 struct kr_svldr_ctx * kr_svldr_new_ctx(const knot_rrset_t *ds, knot_rrset_t *dnskey,
-               const knot_rdataset_t *dnskey_sigs, uint32_t timestamp)
+               const knot_rdataset_t *dnskey_sigs, uint32_t timestamp,
+               kr_rrset_validation_ctx_t *err_ctx)
 {
        // Basic init.
        struct kr_svldr_ctx *ctx = calloc(1, sizeof(*ctx));
@@ -225,6 +226,8 @@ struct kr_svldr_ctx * kr_svldr_new_ctx(const knot_rrset_t *ds, knot_rrset_t *dns
        }
        return ctx;
 fail:
+       if (err_ctx)
+               memcpy(err_ctx, &ctx->vctx, sizeof(*err_ctx));
        kr_svldr_free_ctx(ctx);
        return NULL;
 }
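Review bot: The copy on line 64 dereferences `ctx` under the `fail:` label, so it is only safe if every `goto fail` happens after the `calloc` on line 58 succeeded; whether the allocation-failure path reaches this label is outside the hunk, so either confirm it returns NULL directly or make the guard `if (err_ctx && ctx)`. The copy is also shallow and the context is freed on the very next line, which deserves a comment above the memcpy such as `/* Shallow copy: pointer members of *err_ctx dangle once ctx is freed below; callers should read only the counters. */`. The part of kr_svldr_new_ctx between the two hunks is not visible.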
index 0ba3621d98c1fcc558172195e74ec52e4baefe70..97c8831d4323d07536fa4f3539b148eaf10c0783 100644 (file)
@@ -166,10 +166,12 @@ struct kr_svldr_ctx;
  * - `ds` is assumed to be trusted, and it's used to validate `dnskey+dnskey_sigs`.
  * - The TTL of `dnskey` may get trimmed.
  * - The insides are placed on malloc heap (use _free_ctx).
+ * - `err_ctx` is optional, for use when error happens (but avoid the inside pointers)
  */
 KR_EXPORT
 struct kr_svldr_ctx * kr_svldr_new_ctx(const knot_rrset_t *ds, knot_rrset_t *dnskey,
-               const knot_rdataset_t *dnskey_sigs, uint32_t timestamp);
+               const knot_rdataset_t *dnskey_sigs, uint32_t timestamp,
+               kr_rrset_validation_ctx_t *err_ctx);
 /** Free the context.  Passing NULL is OK. */
 KR_EXPORT
 void kr_svldr_free_ctx(struct kr_svldr_ctx *ctx);
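Review bot: The new bullet on line 73 is too vague to be a contract — "for use when error happens (but avoid the inside pointers)" does not say what the caller receives, when, or why the pointers must be avoided. Based on the lib/dnssec.c hunk, where the copy happens only at `fail:` and is followed by freeing the context, I would phrase it as ` * - `err_ctx` is optional; if non-NULL and the call fails, it receives a shallow copy of the internal validation context (read only the counters: its pointer members refer to memory freed before return). It is not written on success.` The last sentence should be confirmed against the part of kr_svldr_new_ctx that is not shown in the diff.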