new module: bogus_log to log DNSSEC bogus queries
authorPetr Špaček <petr.spacek@nic.cz>
Wed, 27 Jun 2018 13:09:00 +0000 (15:09 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Thu, 28 Jun 2018 10:26:43 +0000 (12:26 +0200)
doc/modules.rst
modules/bogus_log/README.rst [new file with mode: 0644]
modules/bogus_log/bogus_log.c [new file with mode: 0644]
modules/bogus_log/bogus_log.mk [new file with mode: 0644]
modules/modules.mk

index 0d2566f693005378af9d30febe9fe6e6e484e151..9480b9c8139f464eb84e9a2f63fb63754ec8a136 100644 (file)
@@ -24,6 +24,7 @@ Knot DNS Resolver modules
 .. include:: ../modules/renumber/README.rst
 .. include:: ../modules/cookies/README.rst
 .. include:: ../modules/version/README.rst
+.. include:: ../modules/bogus_log/README.rst
 .. include:: ../modules/workarounds/README.rst
 .. include:: ../modules/dnstap/README.rst
 .. include:: ../modules/ta_signal_query/README.rst
diff --git a/modules/bogus_log/README.rst b/modules/bogus_log/README.rst
new file mode 100644 (file)
index 0000000..dc42ba0
--- /dev/null
@@ -0,0 +1,25 @@
+.. _mod-bogus_log:
+
+DNSSEC validation failure logging
+---------------------------------
+
+This module adds error message for each DNSSEC validation failure.
+It is meant to provide hint to operators which queries should be
+investigated using diagnostic tools like DNSViz_.
+
+Add following line to your configuration file to enable it:
+
+.. code-block:: lua
+
+        modules.load('bogus_log')
+
+Example of error message logged by this module:
+
+.. code-block:: none
+
+        DNSSEC validation failure dnssec-failed.org. DNSKEY
+
+.. _DNSViz: http://dnsviz.net/
+
+Please note that in future this module might be replaced
+with some other way to log this information.
diff --git a/modules/bogus_log/bogus_log.c b/modules/bogus_log/bogus_log.c
new file mode 100644 (file)
index 0000000..7e88baa
--- /dev/null
@@ -0,0 +1,38 @@
+/* Copyright (C) Knot Resolver contributors. Licensed under GNU GPLv3 or
+ * (at your option) any later version. See COPYING for text of the license.
+ *
+ * This module logs (query name, type) pairs which failed DNSSEC validation. */
+
+#include <libknot/packet/pkt.h>
+#include <contrib/cleanup.h>
+
+#include "daemon/engine.h"
+#include "lib/layer.h"
+
+static int consume(kr_layer_t *ctx, knot_pkt_t *pkt)
+{
+       if (!(ctx->state & KR_STATE_FAIL)
+           || !ctx->req
+           || !ctx->req->current_query
+           || !ctx->req->current_query->flags.DNSSEC_BOGUS
+           || knot_wire_get_qdcount(pkt->wire) != 1)
+               return ctx->state;
+
+       auto_free char *qname_text = kr_dname_text(knot_pkt_qname(pkt));
+       auto_free char *qtype_text = kr_rrtype_text(knot_pkt_qtype(pkt));
+
+       kr_log_error("DNSSEC validation failure %s %s\n", qname_text, qtype_text);
+       return ctx->state;
+}
+
+KR_EXPORT
+const kr_layer_api_t *bogus_log_layer(struct kr_module *module)
+{
+       static kr_layer_api_t _layer = {
+               .consume = &consume,
+       };
+       _layer.data = module;
+       return &_layer;
+}
+
+KR_MODULE_EXPORT(bogus_log);
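Review bot: `qname_text` and `qtype_text` are handed to `%s` in the kr_log_error() call with no NULL check; if kr_dname_text() or kr_rrtype_text() return NULL on allocation failure (their allocating contract suggests so — worth confirming), the format call is undefined behaviour. A guard before the log line, `if (!qname_text || !qtype_text) return ctx->state;`, keeps the auto_free cleanup intact and skips only the message. The early-return condition also dereferences `pkt->wire` without checking `pkt`; if the layer API guarantees a non-NULL packet on consume, a one-line comment stating that assumption would help the next reader. The file header could state the trigger precisely — a line is logged only when the request is in KR_STATE_FAIL, the current query carries DNSSEC_BOGUS and the packet has exactly one question — and note that, since consume runs per received packet, one failing resolution may produce several lines, which matters for log volume on a resolver serving untrusted clients and argues for rate limiting if that becomes a problem.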
diff --git a/modules/bogus_log/bogus_log.mk b/modules/bogus_log/bogus_log.mk
new file mode 100644 (file)
index 0000000..7431b19
--- /dev/null
@@ -0,0 +1,8 @@
+bogus_log_CFLAGS := -fPIC
+# We use a symbol that's not in libkres but the daemon.
+# On darwin this isn't accepted by default.
+bogus_log_LDFLAGS := -Wl,-undefined -Wl,dynamic_lookup
+bogus_log_SOURCES := modules/bogus_log/bogus_log.c
+bogus_log_DEPEND := $(libkres)
+bogus_log_LIBS := $(contrib_TARGET) $(libkres_TARGET) $(libkres_LIBS)
+$(call make_c_module,bogus_log)
index 3c6cbc65af7bea70ddc0787534ba3dd019b73d2c..1764f2658be5e63b4e663c9d23dd22eb97974d56 100644 (file)
@@ -22,7 +22,8 @@ endif
 
 # List of Lua modules
 ifeq ($(HAS_lua),yes)
-modules_TARGETS += etcd \
+modules_TARGETS += bogus_log \
+                  etcd \
                    ta_sentinel \
                    graphite \
                    policy \