From: Otto Moerbeek Date: Wed, 19 Jan 2022 14:07:57 +0000 (+0100) Subject: Rework config to be better understandable: two separate config values for zonemd... X-Git-Tag: auth-4.7.0-alpha1~42^2~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=574447ad3c6e13237ad762286c6d633236ba01c4;p=thirdparty%2Fpdns.git Rework config to be better understandable: two separate config values for zonemd and zonemdDNSSEC validation, both having values: "ignore", "process", "required"
---
diff --git a/pdns/rec-lua-conf.cc b/pdns/rec-lua-conf.cc
index d0b73955d9..6bd0603d21 100644
--- a/pdns/rec-lua-conf.cc
+++ b/pdns/rec-lua-conf.cc
@@ -444,16 +444,13 @@ void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& de
 if (have.count("retryOnErrorPeriod")) {
 conf.d_retryOnError = boost::get(have.at("retryOnErrorPeriod"));
 }
- if (have.count("zonemdValidation")) {
- string zonemdValidation = boost::get(have.at("zonemdValidation"));
- const map nameToVal = {
- {"ignore", pdns::ZoneMD::Config::Ignore},
- {"process", pdns::ZoneMD::Config::Process},
- {"logonly", pdns::ZoneMD::Config::LogOnly},
- {"required", pdns::ZoneMD::Config::Required},
- {"requiredWithDNSSEC", pdns::ZoneMD::Config::RequiredWithDNSSEC},
- {"requiredButIgnoreDNSSEC", pdns::ZoneMD::Config::RequiredButIgnoreDNSSEC},
- };
+ const map nameToVal = {
+ {"ignore", pdns::ZoneMD::Config::Ignore},
+ {"process", pdns::ZoneMD::Config::Process},
+ {"required", pdns::ZoneMD::Config::Required},
+ };
+ if (have.count("zonemd")) {
+ string zonemdValidation = boost::get(have.at("zonemd"));
 auto it = nameToVal.find(zonemdValidation);
 if (it == nameToVal.end()) {
 throw std::runtime_error(zonemdValidation + " is not a valid value for `zonemdValidation`");
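Review bot: The error message on the hunk's last context line still names the option that this commit renames: a bad value for the new `zonemd` key is reported as "is not a valid value for `zonemdValidation`", which sends an operator looking for a key that no longer exists. Replace the option name inside that string with `zonemd`, and for symmetry with the `dnssec` local in the next hunk consider renaming the `zonemdValidation` local to `zonemd` as well. The `nameToVal` table is now built on every invocation whether or not either key is present; a `static const` would avoid that, though at config-load time the cost is negligible. loadRecursorLuaConfig begins and ends outside the hunk.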
@@ -462,6 +459,16 @@ void loadRecursorLuaConfig(const std::string& fname, luaConfigDelayedThreads& de
 conf.d_zonemd = it->second;
 }
 }
+ if (have.count("zonemdDNSSEC")) {
+ string dnssec = boost::get(have.at("zonemdDNSSEC"));
+ auto it = nameToVal.find(dnssec);
+ if (it == nameToVal.end()) {
+ throw std::runtime_error(dnssec + " is not a valid value for `zonemdDNSSEC`");
+ }
+ else {
+ conf.d_dnssec = it->second;
+ }
+ }
 }
 
 lci.ztcConfigs[validZoneName] = conf;
diff --git a/pdns/recursordist/rec-zonetocache.cc b/pdns/recursordist/rec-zonetocache.cc
index a059500bdd..67b1fa58f5 100644
--- a/pdns/recursordist/rec-zonetocache.cc
+++ b/pdns/recursordist/rec-zonetocache.cc
@@ -29,7 +29,6 @@
 #include "axfr-retriever.hh"
 #include "validate-recursor.hh"
 #include "logging.hh"
-#include "threadname.hh"
 #include "rec-lua-conf.hh"
 #include "zonemd.hh"
 #include "validate.hh"
@@ -162,6 +161,8 @@ pdns::ZoneMD::Result ZoneData::getByAXFR(const RecZoneToCache::Config& config, p
 if (config.d_zonemd != pdns::ZoneMD::Config::Ignore) {
 bool validationDone, validationSuccess;
 zonemd.verify(validationDone, validationSuccess);
+ d_log->info("ZONEMD digest validation", "validationDone", Logging::Loggable(validationDone),
+ "validationSuccess", Logging::Loggable(validationSuccess));
 if (!validationDone) {
 return pdns::ZoneMD::Result::NoValidationDone;
 }
@@ -226,6 +227,8 @@ pdns::ZoneMD::Result ZoneData::processLines(const vector& lines, const R
 if (config.d_zonemd != pdns::ZoneMD::Config::Ignore) {
 bool validationDone, validationSuccess;
 zonemd.verify(validationDone, validationSuccess);
+ d_log->info("ZONEMD digest validation", "validationDone", Logging::Loggable(validationDone),
+ "validationSuccess", Logging::Loggable(validationSuccess));
 if (!validationDone) {
 return pdns::ZoneMD::Result::NoValidationDone;
 }
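Review bot: The new `zonemdDNSSEC` block repeats the lookup-or-throw sequence of the `zonemd` block in the previous hunk line for line, differing only in the key name and the target field, so the two error messages and any future tightening of the parsing have to be kept in sync by hand. A small lambda that takes the key name and returns the `Config` value keeps both paths identical and makes a third option a one-liner; a sketch follows, with the `boost::get` template argument restored as it is presumably `string` (the page shows it stripped). loadRecursorLuaConfig begins and ends outside the hunk.
```cpp
auto parseZoneMDOption = [&have, &nameToVal](const string& key) {
  string value = boost::get<string>(have.at(key));
  auto it = nameToVal.find(value);
  if (it == nameToVal.end()) {
    throw std::runtime_error(value + " is not a valid value for `" + key + "`");
  }
  return it->second;
};
if (have.count("zonemd")) {
  conf.d_zonemd = parseZoneMDOption("zonemd");
}
if (have.count("zonemdDNSSEC")) {
  conf.d_dnssec = parseZoneMDOption("zonemdDNSSEC");
}
// … unchanged: lci.ztcConfigs[validZoneName] = conf; …
```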
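Review bot: The two added `d_log->info("ZONEMD digest validation", ...)` lines are byte-identical in getByAXFR here and in processLines in the next hunk, and in both places they sit between `zonemd.verify(...)` and the same `!validationDone` early return; folding the verify-plus-log into one private helper would remove the duplication and keep the log keys consistent. If `d_log` is not already a per-zone logger (not visible here), the zone name should be added as a key to this event so a digest failure can be attributed to a zone in log pipelines, which is the main reason to emit it at all. getByAXFR begins and ends outside the hunk.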
@@ -247,8 +250,7 @@ vState ZoneData::dnssecValidate(pdns::ZoneMD& zonemd, size_t& zonemdCount) const
 dsmap_t dsmap; // Actually a set
 vState dsState = sr.getDSRecords(d_zone, dsmap, false, 0);
 if (dsState != vState::Secure) {
- cerr << "getDSRecords says" << dsState << endl;
- return vState::Insecure;
+ return dsState;
 }
 
 skeyset_t dnsKeys;
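Review bot: Returning `dsState` instead of a flat `vState::Insecure` is the right direction, since a Bogus DS lookup was previously reported as Insecure and slipped through the caller's Secure-or-Insecure check, but the line deserves a comment saying so because ZoneToCache now decides between "load as Insecure" and "reject" purely on this value, e.g. `// propagate the DS state unchanged: a Bogus result must not be downgraded to Insecure`. One point to confirm: if `getDSRecords` can return a state outside Secure/Insecure/Bogus*, such as the `vState::NTA` value used for negative trust anchors, the caller's `validationStatus != vState::Secure && validationStatus != vState::Insecure` check would now throw for such zones even in the default `process` mode, whereas the old code accepted them; mapping that case explicitly here would keep the behaviour intentional. dnssecValidate begins and continues outside the hunk.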
@@ -316,27 +318,25 @@ void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)
 result = processLines(lines, config, zonemd);
 }
 
- if (config.d_zonemd == pdns::ZoneMD::Config::RequiredWithDNSSEC && g_dnssecmode == DNSSECMode::Off) {
+ if (config.d_dnssec == pdns::ZoneMD::Config::Required && g_dnssecmode == DNSSECMode::Off) {
 throw PDNSException("ZONEMD DNSSEC validation failure: dnssec is switched of but required by ZoneToCache");
 }
 
 // Validate DNSKEYs and ZONEMD, rest of records are validated on-demand by SyncRes
- if (config.d_zonemd == pdns::ZoneMD::Config::RequiredWithDNSSEC || (g_dnssecmode != DNSSECMode::Off && config.d_zonemd != pdns::ZoneMD::Config::RequiredButIgnoreDNSSEC)) {
+ if (config.d_dnssec == pdns::ZoneMD::Config::Required || (g_dnssecmode != DNSSECMode::Off && config.d_dnssec != pdns::ZoneMD::Config::Ignore)) {
 size_t zonemdCount;
 auto validationStatus = dnssecValidate(zonemd, zonemdCount);
- d_log->info("ZONEMD record related DNSSEC validation done", "validationStatus", Logging::Loggable(validationStatus),
+ d_log->info("ZONEMD record related DNSSEC validation", "validationStatus", Logging::Loggable(validationStatus),
 "zonemdCount", Logging::Loggable(zonemdCount));
- if (config.d_zonemd == pdns::ZoneMD::Config::RequiredWithDNSSEC || g_dnssecmode == DNSSECMode::ValidateAll) {
- if (validationStatus != vState::Secure) {
- throw PDNSException("ZONEMD required DNSSEC validation failed");
- }
+ if (config.d_dnssec == pdns::ZoneMD::Config::Required && validationStatus != vState::Secure) {
+ throw PDNSException("ZONEMD required DNSSEC validation failed");
 }
 if (validationStatus != vState::Secure && validationStatus != vState::Insecure) {
 throw PDNSException("ZONEMD record DNSSEC Validation failed");
 }
 }
 
- if (pdns::ZoneMD::validationRequired(config.d_zonemd) && result != pdns::ZoneMD::Result::OK) {
+ if (config.d_zonemd == pdns::ZoneMD::Config::Required && result != pdns::ZoneMD::Result::OK) {
 // We do not accept NoValidationDone in this case
 throw PDNSException("ZONEMD digest validation failure");
 return;
@@ -346,20 +346,6 @@ void ZoneData::ZoneToCache(const RecZoneToCache::Config& config)
 return;
 }
 
- if (config.d_zonemd == pdns::ZoneMD::Config::LogOnly) {
- switch (result) {
- case pdns::ZoneMD::Result::ValidationFailure:
- d_log->info("ZONEMD digest failure (ignored)");
- break;
- case pdns::ZoneMD::Result::NoValidationDone:
- d_log->info("No ZONEMD digest validation done");
- break;
- case pdns::ZoneMD::Result::OK:
- d_log->info("ZONEMD digest validation succeeded");
- break;
- }
- }
-
 // Rerun, now inserting the rrsets into the cache with associated sigs
 d_now = time(nullptr);
 for (const auto& [key, v] : d_all) {
diff --git a/pdns/recursordist/rec-zonetocache.hh b/pdns/recursordist/rec-zonetocache.hh
index 7284895eb3..e1162bf4d9 100644
--- a/pdns/recursordist/rec-zonetocache.hh
+++ b/pdns/recursordist/rec-zonetocache.hh
@@ -42,6 +42,7 @@ public:
 time_t d_refreshPeriod{24 * 3600}; // Time between refetch
 uint32_t d_timeout{20}; // timeout in seconds
 pdns::ZoneMD::Config d_zonemd{pdns::ZoneMD::Config::Process};
+ pdns::ZoneMD::Config d_dnssec{pdns::ZoneMD::Config::Process};
 };
 
 struct State
diff --git a/pdns/zonemd.hh b/pdns/zonemd.hh
index 962b99a314..7aad46f0a0 100644
--- a/pdns/zonemd.hh
+++ b/pdns/zonemd.hh
@@ -40,10 +40,7 @@ public:
 {
 Ignore,
 Process,
- LogOnly,
- Required,
- RequiredWithDNSSEC,
- RequiredButIgnoreDNSSEC,
+ Required
 };
 enum class Result : uint8_t
 {
@@ -60,11 +57,6 @@ public:
 void readRecord(const DNSRecord& record);
 void verify(bool& validationDone, bool& validationOK);
 
- static bool validationRequired(Config config)
- {
- return config == Config::Required || config == Config::RequiredWithDNSSEC || config == Config::RequiredButIgnoreDNSSEC;
- }
-
 // Return the zone's apex DNSKEYs
 const std::set>& getDNSKEYs() const
 {
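Review bot: With `zonemdDNSSEC` left at its `process` default, the rewritten inner check now accepts an Insecure `validationStatus` even when `g_dnssecmode == DNSSECMode::ValidateAll`, where the removed `|| g_dnssecmode == DNSSECMode::ValidateAll` branch used to throw; the commit message does not mention this relaxation, so if it is intended it should be stated in a comment above the outer `if`, e.g. `// zonemdDNSSEC: Required -> must validate Secure regardless of dnssec mode; Process -> validate when dnssec is on, Secure and Insecure both load the zone; Ignore -> no DNSSEC check here`. Two small things on the surrounding context lines that are now the new side: the exception text reads "dnssec is switched of" (should be "off"), and the `return;` after `throw PDNSException("ZONEMD digest validation failure");` is unreachable. ZoneToCache begins before and continues after the hunk.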
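Review bot: The new `d_dnssec` member, and the `d_zonemd` member next to it, lack the trailing comment that `d_refreshPeriod` and `d_timeout` carry, and since both share the `pdns::ZoneMD::Config` type a reader cannot tell from the declaration which Lua option each holds or what the `Process` default means for it. Suggest `pdns::ZoneMD::Config d_dnssec{pdns::ZoneMD::Config::Process}; // "zonemdDNSSEC": ignore/process/require DNSSEC validation of the ZONEMD-related records` and the matching `// "zonemd": ignore/process/require ZONEMD digest validation` on the line above it. The enclosing struct begins outside the hunk.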
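Review bot: `Config` is now the type of two independent settings (the digest check and the DNSSEC check) and nothing at the enum says what its three values mean for either, so each caller has to be read to find out; a short comment above it, e.g. `// Ignore: skip the check; Process: run it and log, never reject the zone on it; Required: reject the zone unless the check succeeds`, would pin that down at the one place both fields point to. Dropping the trailing comma after `Required` also means the next value added shows up as a two-line diff; keeping `Required,` is the usual style. The removal of `validationRequired` in the following hunk is fine provided no other translation unit still calls it, which cannot be checked from here. The class begins before and continues after the hunk.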