Rework config to be better understandable: two separate config values for zonemd...
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Wed, 19 Jan 2022 14:07:57 +0000 (15:07 +0100)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Fri, 21 Jan 2022 11:06:01 +0000 (12:06 +0100)
both having values: "ignore", "process", "required"

pdns/rec-lua-conf.cc
pdns/recursordist/rec-zonetocache.cc
pdns/recursordist/rec-zonetocache.hh
pdns/zonemd.hh

index d0b73955d9c84b8982c1c5ee3bb290263d0be9e7..6bd0603d21a51570e9712e59b56a2e36632c3471 100644 (file)
@@ -444,16 +444,13 @@ void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& de
         if (have.count("retryOnErrorPeriod")) {
           conf.d_retryOnError = boost::get<uint32_t>(have.at("retryOnErrorPeriod"));
         }
-        if (have.count("zonemdValidation")) {
-          string zonemdValidation = boost::get<string>(have.at("zonemdValidation"));
-          const map<string, pdns::ZoneMD::Config> nameToVal = {
-            {"ignore", pdns::ZoneMD::Config::Ignore},
-            {"process", pdns::ZoneMD::Config::Process},
-            {"logonly", pdns::ZoneMD::Config::LogOnly},
-            {"required", pdns::ZoneMD::Config::Required},
-            {"requiredWithDNSSEC", pdns::ZoneMD::Config::RequiredWithDNSSEC},
-            {"requiredButIgnoreDNSSEC", pdns::ZoneMD::Config::RequiredButIgnoreDNSSEC},
-          };
+        const map<string, pdns::ZoneMD::Config> nameToVal = {
+          {"ignore", pdns::ZoneMD::Config::Ignore},
+          {"process", pdns::ZoneMD::Config::Process},
+          {"required", pdns::ZoneMD::Config::Required},
+        };
+        if (have.count("zonemd")) {
+          string zonemdValidation = boost::get<string>(have.at("zonemd"));
           auto it = nameToVal.find(zonemdValidation);
           if (it == nameToVal.end()) {
             throw std::runtime_error(zonemdValidation + " is not a valid value for `zonemdValidation`");
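Review bot: The error text on the last line of the hunk still names the old key: the lookup now reads `have.at("zonemd")`, yet a bad value is reported as not valid for `zonemdValidation`, a key that no longer exists, so the operator is pointed at the wrong setting; replace `zonemdValidation` inside that string literal with `zonemd` (and ideally rename the local to match). Hoisting `nameToVal` out of the `if` also means the map is rebuilt for every zone entry of the loop; `static const` would build it once. A config that still uses the old `zonemdValidation` key is now simply not looked up — unless the Lua config layer rejects unknown keys elsewhere (not visible here), such a zone silently runs with the default `Process` instead of the `required` the operator configured, so a deprecation error for the old name would be the safer migration. The enclosing function continues on both sides of the hunk.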
@@ -462,6 +459,16 @@ void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& de
             conf.d_zonemd = it->second;
           }
         }
+        if (have.count("zonemdDNSSEC")) {
+          string dnssec = boost::get<string>(have.at("zonemdDNSSEC"));
+          auto it = nameToVal.find(dnssec);
+          if (it == nameToVal.end()) {
+            throw std::runtime_error(dnssec + " is not a valid value for `zonemdDNSSEC`");
+          }
+          else {
+            conf.d_dnssec = it->second;
+          }
+        }
       }
 
       lci.ztcConfigs[validZoneName] = conf;
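Review bot: The new `zonemdDNSSEC` branch accepts the same three names as `zonemd`, but nothing here says what they mean for this key, and judging from rec-zonetocache.cc they are not symmetric: `Required` refuses the zone unless the resolver validates and the ZONEMD/DNSKEY RRsets come back Secure, `Process` validates only when DNSSEC is enabled and still rejects Bogus while accepting Insecure, and `Ignore` skips the check. A one-line comment above `if (have.count("zonemdDNSSEC"))` stating that would let an operator choose deliberately, e.g. `// zonemdDNSSEC: ignore | process (validate when DNSSEC is on, Insecure accepted) | required (Secure or the zone is rejected)`. The `else` after the `throw` is redundant; `conf.d_dnssec = it->second;` can follow the `if` directly, as early-exit style elsewhere in the file does. The enclosing function continues past the hunk.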
index a059500bdd29b1bf247bc56a8578c859cd837919..67b1fa58f5541ea22e953529cbea1f61a340cc72 100644 (file)
@@ -29,7 +29,6 @@
 #include "axfr-retriever.hh"
 #include "validate-recursor.hh"
 #include "logging.hh"
-#include "threadname.hh"
 #include "rec-lua-conf.hh"
 #include "zonemd.hh"
 #include "validate.hh"
@@ -162,6 +161,8 @@ pdns::ZoneMD::Result ZoneData::getByAXFR(const RecZoneToCache::Config& config, p
   if (config.d_zonemd != pdns::ZoneMD::Config::Ignore) {
     bool validationDone, validationSuccess;
     zonemd.verify(validationDone, validationSuccess);
+    d_log->info("ZONEMD digest validation", "validationDone", Logging::Loggable(validationDone),
+                "validationSuccess", Logging::Loggable(validationSuccess));
     if (!validationDone) {
       return pdns::ZoneMD::Result::NoValidationDone;
     }
@@ -226,6 +227,8 @@ pdns::ZoneMD::Result ZoneData::processLines(const vector<string>& lines, const R
   if (config.d_zonemd != pdns::ZoneMD::Config::Ignore) {
     bool validationDone, validationSuccess;
     zonemd.verify(validationDone, validationSuccess);
+    d_log->info("ZONEMD digest validation", "validationDone", Logging::Loggable(validationDone),
+                "validationSuccess", Logging::Loggable(validationSuccess));
     if (!validationDone) {
       return pdns::ZoneMD::Result::NoValidationDone;
     }
@@ -247,8 +250,7 @@ vState ZoneData::dnssecValidate(pdns::ZoneMD& zonemd, size_t& zonemdCount) const
   dsmap_t dsmap; // Actually a set
   vState dsState = sr.getDSRecords(d_zone, dsmap, false, 0);
   if (dsState != vState::Secure) {
-    cerr << "getDSRecords says" << dsState << endl;
-    return vState::Insecure;
+    return dsState;
   }
 
   skeyset_t dnsKeys;
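Review bot: Returning `dsState` instead of a flat `Insecure` is the right hardening — a Bogus DS chain no longer degrades to "unsigned" and now trips the caller's Secure/Insecure check — but the removed `cerr` line was the only place the reason was surfaced, and the caller logs only the final vState. Assuming `d_log` is usable here as it is in getByAXFR, keep a structured record on this path, e.g. `d_log->info("ZONEMD DNSSEC validation: DS lookup not Secure", "dsState", Logging::Loggable(dsState));` before the return, so an operator can tell an unsigned parent from a broken chain or a failed lookup. dnssecValidate continues below the hunk.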
@@ -316,27 +318,25 @@ void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)
     result = processLines(lines, config, zonemd);
   }
 
-  if (config.d_zonemd == pdns::ZoneMD::Config::RequiredWithDNSSEC && g_dnssecmode == DNSSECMode::Off) {
+  if (config.d_dnssec == pdns::ZoneMD::Config::Required && g_dnssecmode == DNSSECMode::Off) {
     throw PDNSException("ZONEMD DNSSEC validation failure: dnssec is switched of but required by ZoneToCache");
   }
 
   // Validate DNSKEYs and ZONEMD, rest of records are validated on-demand by SyncRes
-  if (config.d_zonemd == pdns::ZoneMD::Config::RequiredWithDNSSEC || (g_dnssecmode != DNSSECMode::Off && config.d_zonemd != pdns::ZoneMD::Config::RequiredButIgnoreDNSSEC)) {
+  if (config.d_dnssec == pdns::ZoneMD::Config::Required || (g_dnssecmode != DNSSECMode::Off && config.d_dnssec != pdns::ZoneMD::Config::Ignore)) {
     size_t zonemdCount;
     auto validationStatus = dnssecValidate(zonemd, zonemdCount);
-    d_log->info("ZONEMD record related DNSSEC validation done", "validationStatus", Logging::Loggable(validationStatus),
+    d_log->info("ZONEMD record related DNSSEC validation", "validationStatus", Logging::Loggable(validationStatus),
                 "zonemdCount", Logging::Loggable(zonemdCount));
-    if (config.d_zonemd == pdns::ZoneMD::Config::RequiredWithDNSSEC || g_dnssecmode == DNSSECMode::ValidateAll) {
-      if (validationStatus != vState::Secure) {
-        throw PDNSException("ZONEMD required DNSSEC validation failed");
-      }
+    if (config.d_dnssec == pdns::ZoneMD::Config::Required && validationStatus != vState::Secure) {
+      throw PDNSException("ZONEMD required DNSSEC validation failed");
     }
     if (validationStatus != vState::Secure && validationStatus != vState::Insecure) {
       throw PDNSException("ZONEMD record DNSSEC Validation failed");
     }
   }
 
-  if (pdns::ZoneMD::validationRequired(config.d_zonemd) && result != pdns::ZoneMD::Result::OK) {
+  if (config.d_zonemd == pdns::ZoneMD::Config::Required && result != pdns::ZoneMD::Result::OK) {
     // We do not accept NoValidationDone in this case
     throw PDNSException("ZONEMD digest validation failure");
     return;
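Review bot: With `zonemd = "ignore"` and `zonemdDNSSEC = "required"` the ZONEMD RRset is DNSSEC-validated but its digest is never computed (`zonemd.verify()` runs only when `d_zonemd != Ignore` in the two hunks above) and a mismatch is fatal only when `d_zonemd == Required` on the line before the throw, so a "required" DNSSEC setting authenticates a record whose content is never checked against the zone; either reject that combination at config load or document that the digest check is governed solely by `zonemd`. The second condition can also be simplified: once `Required && Off` has thrown, `d_dnssec == Required` already implies the parenthesised clause, so `if (g_dnssecmode != DNSSECMode::Off && config.d_dnssec != pdns::ZoneMD::Config::Ignore)` is equivalent and easier to audit. The `return;` after the throw is unreachable and can go. ZoneToCache continues on both sides of the hunk.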
@@ -346,20 +346,6 @@ void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)
     return;
   }
 
-  if (config.d_zonemd == pdns::ZoneMD::Config::LogOnly) {
-    switch (result) {
-    case pdns::ZoneMD::Result::ValidationFailure:
-      d_log->info("ZONEMD digest failure (ignored)");
-      break;
-    case pdns::ZoneMD::Result::NoValidationDone:
-      d_log->info("No ZONEMD digest validation done");
-      break;
-    case pdns::ZoneMD::Result::OK:
-      d_log->info("ZONEMD digest validation succeeded");
-      break;
-    }
-  }
-
   // Rerun, now inserting the rrsets into the cache with associated sigs
   d_now = time(nullptr);
   for (const auto& [key, v] : d_all) {
index 7284895eb34eb92432fe5312543146ddeb72b223..e1162bf4d98d0016dab637e9e0b5921beb81210f 100644 (file)
@@ -42,6 +42,7 @@ public:
     time_t d_refreshPeriod{24 * 3600}; // Time between refetch
     uint32_t d_timeout{20}; // timeout in seconds
     pdns::ZoneMD::Config d_zonemd{pdns::ZoneMD::Config::Process};
+    pdns::ZoneMD::Config d_dnssec{pdns::ZoneMD::Config::Process};
   };
 
   struct State
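Review bot: The new `d_dnssec` member is the only field in this struct without a trailing comment, and its default of `Process` is a security-relevant choice: per rec-zonetocache.cc it means the ZONEMD/DNSKEY RRsets are validated only when the resolver has DNSSEC enabled, Bogus is rejected and Insecure is accepted. Suggest `pdns::ZoneMD::Config d_dnssec{pdns::ZoneMD::Config::Process}; // DNSSEC validation of ZONEMD/DNSKEY: ignore, process (only if dnssec is on; Insecure accepted) or required (must be Secure)`, and a matching comment on `d_zonemd` above it noting that it governs the digest check. The enclosing `Config` struct starts outside the hunk.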
index 962b99a3148960ab1d4572aa199f13527e9ba496..7aad46f0a09ab4b973e7c0140ad6e28209e1cf5b 100644 (file)
@@ -40,10 +40,7 @@ public:
   {
     Ignore,
     Process,
-    LogOnly,
-    Required,
-    RequiredWithDNSSEC,
-    RequiredButIgnoreDNSSEC,
+    Required
   };
   enum class Result : uint8_t
   {
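Review bot: The rewritten enumerator list drops the trailing comma after `Required`, so the next value added will show up as a two-line diff; keeping `Required,` costs nothing. The three values also carry no comments even though they are now reused for two different settings (digest check via `d_zonemd`, DNSSEC validation via `d_dnssec`); a short note per enumerator — `Ignore` skips the check, `Process` performs it when possible, `Required` refuses the zone unless it succeeds — would pin the contract that rec-zonetocache.cc appears to implement. The `enum class Config` declaration line is outside the hunk.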
@@ -60,11 +57,6 @@ public:
   void readRecord(const DNSRecord& record);
   void verify(bool& validationDone, bool& validationOK);
 
-  static bool validationRequired(Config config)
-  {
-    return config == Config::Required || config == Config::RequiredWithDNSSEC || config == Config::RequiredButIgnoreDNSSEC;
-  }
-
   // Return the zone's apex DNSKEYs
   const std::set<shared_ptr<DNSKEYRecordContent>>& getDNSKEYs() const
   {