From: Vladimír Čunát Date: Tue, 13 Jul 2021 10:06:28 +0000 (+0200) Subject: validate: add kr_rrset_validation_ctx_t::log_qry X-Git-Tag: v5.4.0~2^2~25 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1cf935135a3518f2ea49808bbf6ad3ee96a81ae4;p=thirdparty%2Fknot-resolver.git validate: add kr_rrset_validation_ctx_t::log_qry ... so we can use it for more precise logging. Some calls get simpler. In particular, without the associated request, we can't produce anything into trace-logs, which could be confusing. Normal logs will benefit, too. (more precise replacement of WITH_VERBOSE will come in a subsequent commit) --- diff --git a/lib/dnssec.c b/lib/dnssec.c index e11e1b0d3..65e932085 100644 --- a/lib/dnssec.c +++ b/lib/dnssec.c @@ -255,7 +255,7 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx, auto_free char *name_str = kr_dname_text(covered->owner), *type_str = kr_rrtype_text(covered->type); - QRVERBOSE(NULL, VALIDATOR, + QRVERBOSE(vctx->log_qry, VALIDATOR, "trimming TTL of %s %s: %d -> %d\n", name_str, type_str, (int)covered->ttl, (int)ttl_max); diff --git a/lib/dnssec.h b/lib/dnssec.h index d9601eaa9..6e71f62a6 100644 --- a/lib/dnssec.h +++ b/lib/dnssec.h @@ -47,6 +47,7 @@ struct kr_rrset_validation_ctx { uint32_t err_cnt; /*!< Output - Number of validation failures. */ uint32_t cname_norrsig_cnt; /*!< Output - Number of CNAMEs missing RRSIGs. */ int result; /*!< Output - 0 or error code. */ + const struct kr_query *log_qry; /*!< The query; just for logging purposes. */ struct { unsigned int matching_name_type; /*!< Name + type matches */ unsigned int expired; diff --git a/lib/layer/validate.c b/lib/layer/validate.c index 5c22d5b9a..5e3050eb1 100644 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c 
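Review bot: `vctx->log_qry` is passed to `QRVERBOSE` in kr_rrset_validate_with_key (lib/dnssec.c hunk) with nothing in the diff establishing that every validation context sets it. The two initializers updated in lib/layer/validate.c are designated initializers, so an omitted member would be NULL there, but a context declared elsewhere without an initializer would carry an indeterminate pointer into the logging path; whether such callers exist is not visible here. The removed line passed NULL to `QRVERBOSE`, so NULL is presumably tolerated by that macro, though the hunks do not show whether `WITH_VERBOSE`/`VERBOSE_MSG` in log_bogus_rrsig accept it too. The field comment in lib/dnssec.h should state the contract and carry the Input/Output tag its neighbours use, e.g. `const struct kr_query *log_qry; /*!< Input - query used only for logging; may be NULL (confirm for all logging macros). */`. The body of kr_rrset_validate_with_key starts and ends outside the hunk.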
@@ -66,12 +66,12 @@ static bool pkt_has_type(const knot_pkt_t *pkt, uint16_t type) return section_has_type(knot_pkt_section(pkt, KNOT_ADDITIONAL), type); } -static void log_bogus_rrsig(kr_rrset_validation_ctx_t *vctx, const struct kr_query *qry, +static void log_bogus_rrsig(kr_rrset_validation_ctx_t *vctx, const knot_rrset_t *rr, const char *msg) { - WITH_VERBOSE(qry) { + WITH_VERBOSE(vctx->log_qry) { auto_free char *name_text = kr_dname_text(rr->owner); auto_free char *type_text = kr_rrtype_text(rr->type); - VERBOSE_MSG(qry, ">< %s: %s %s " + VERBOSE_MSG(vctx->log_qry, ">< %s: %s %s " "(%u matching RRSIGs, %u expired, %u not yet valid, " "%u invalid signer, %u invalid label count, %u invalid key, " "%u invalid crypto, %u invalid NSEC)\n", @@ -222,7 +222,7 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, struct kr_query *qr * NS RRsets that appear at delegation points (...) * MUST NOT be signed */ if (vctx->rrs_counters.matching_name_type > 0) - log_bogus_rrsig(vctx, qry, rr, + log_bogus_rrsig(vctx, rr, "found unexpected signatures for non-authoritative data which failed to validate, continuing"); vctx->result = kr_ok(); kr_rank_set(&entry->rank, KR_RANK_TRY); @@ -235,11 +235,11 @@ static int validate_section(kr_rrset_validation_ctx_t *vctx, struct kr_query *qr /* no RRSIGs found */ kr_rank_set(&entry->rank, KR_RANK_MISSING); vctx->err_cnt += 1; - log_bogus_rrsig(vctx, qry, rr, "no valid RRSIGs found"); + log_bogus_rrsig(vctx, rr, "no valid RRSIGs found"); } else { kr_rank_set(&entry->rank, KR_RANK_BOGUS); vctx->err_cnt += 1; - log_bogus_rrsig(vctx, qry, rr, "bogus signatures"); + log_bogus_rrsig(vctx, rr, "bogus signatures"); } } return kr_ok(); @@ -265,7 +265,8 @@ static int validate_records(struct kr_request *req, knot_pkt_t *answer, knot_mm_ .flags = 0, .err_cnt = 0, .cname_norrsig_cnt = 0, - .result = 0 + .result = 0, + .log_qry = qry, }; int ret = validate_section(&vctx, qry, pool); 
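Review bot: log_bogus_rrsig only reads through `vctx` in the lines shown (`vctx->log_qry`; the format arguments lie outside the hunk), so the parameter could be declared `const kr_rrset_validation_ctx_t *vctx`, matching the `const` already on `rr` and `msg`. With the explicit `qry` argument gone, a short comment above the function would tell readers where the message ends up, e.g. `/* Log why rr failed validation; the message is attributed to vctx->log_qry. */`. In the validate_records hunk the same query is still passed separately as `validate_section(&vctx, qry, pool)`, so the query being validated and the query the bogus-signature lines are attributed to are kept in step only by the caller; a brief comment on `.log_qry = qry,` saying so would help anyone tracing DNSSEC failures back to a request.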
@@ -350,13 +351,14 @@ static int validate_keyset(struct kr_request *req, knot_pkt_t *answer, bool has_ .qry_uid = qry->uid, .has_nsec3 = has_nsec3, .flags = 0, - .result = 0 + .result = 0, + .log_qry = qry, }; int ret = kr_dnskeys_trusted(&vctx, qry->zone_cut.trust_anchor); if (ret != 0) { if (ret != kr_error(DNSSEC_INVALID_DS_ALGORITHM) && ret != kr_error(EAGAIN)) { - log_bogus_rrsig(&vctx, qry, qry->zone_cut.key, "bogus key"); + log_bogus_rrsig(&vctx, qry->zone_cut.key, "bogus key"); } knot_rrset_free(qry->zone_cut.key, qry->zone_cut.pool); qry->zone_cut.key = NULL;
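Review bot: The condition guarding `log_bogus_rrsig(&vctx, qry->zone_cut.key, "bogus key");` skips two error codes with no comment explaining why, so someone auditing which DNSKEY trust failures leave a log line cannot tell whether those outcomes are reported elsewhere or dropped. A comment above the inner `if` would settle it, e.g. `/* DNSSEC_INVALID_DS_ALGORITHM and EAGAIN are not reported as a bogus key here (TODO: say where they are handled). */`. The call also relies on `qry->zone_cut.key` being non-NULL, because log_bogus_rrsig reads `rr->owner` and `rr->type`. That is presumably guaranteed earlier in validate_keyset, whose body starts and ends outside the hunk.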