From: Otto <otto.moerbeek@open-xchange.com>
Date: Wed, 17 Feb 2021 13:07:22 +0000 (+0100)
Subject: Add marker if name is in x-dnssec-names when logging validation status
X-Git-Tag: dnsdist-1.6.0-alpha2~20^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1b95336e19a7f6eecd598c8234008fbbc072d00;p=thirdparty%2Fpdns.git

Add marker if name is in x-dnssec-names when logging validation status
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 4a39535143..425e450f0f 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1837,26 +1837,34 @@ static void startDoResolve(void *p)
       // Does the validation mode or query demand validation?
       if(!shouldNotValidate && sr.isDNSSECValidationRequested()) {
         try {
-          if(sr.doLog()) {
-            g_log<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" for "<<dc->getRemote()<<endl;
+          auto state = sr.getValidationState();
+
+          string x_marker;
+          if (sr.doLog() || vStateIsBogus(state)) {
+            auto xdnssec = g_xdnssec.getLocal();
+            if (xdnssec->check(dc->d_mdp.d_qname)) {
+              x_marker = " [in x-dnssec-names]";
+            }
           }
 
-          auto state = sr.getValidationState();
+          if(sr.doLog()) {
+            g_log<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<x_marker<<" for "<<dc->getRemote()<<endl;
+          }
 
           if(state == vState::Secure) {
             if(sr.doLog()) {
-              g_log<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" for "<<dc->getRemote()<<" validates correctly"<<endl;
+              g_log<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<x_marker<<" for "<<dc->getRemote()<<" validates correctly"<<endl;
             }
-            
+
             // Is the query source interested in the value of the ad-bit?
             if (dc->d_mdp.d_header.ad || DNSSECOK)
               pw.getHeader()->ad=1;
           }
           else if(state == vState::Insecure) {
             if(sr.doLog()) {
-              g_log<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" for "<<dc->getRemote()<<" validates as Insecure"<<endl;
+              g_log<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<x_marker<<" for "<<dc->getRemote()<<" validates as Insecure"<<endl;
             }
-            
+
             pw.getHeader()->ad=0;
           }
           else if (vStateIsBogus(state)) {
@@ -1865,20 +1873,20 @@ static void startDoResolve(void *p)
             if(t_bogusqueryring)
               t_bogusqueryring->push_back(make_pair(dc->d_mdp.d_qname, dc->d_mdp.d_qtype));
             if(g_dnssecLogBogus || sr.doLog() || g_dnssecmode == DNSSECMode::ValidateForLog) {
-              g_log<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" for "<<dc->getRemote()<<" validates as "<<vStateToString(state)<<endl;
+               g_log<<Logger::Warning<<"Answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<x_marker<<" for "<<dc->getRemote()<<" validates as "<<vStateToString(state)<<endl;
             }
-            
+
             // Does the query or validation mode sending out a SERVFAIL on validation errors?
             if(!pw.getHeader()->cd && (g_dnssecmode == DNSSECMode::ValidateAll || dc->d_mdp.d_header.ad || DNSSECOK)) {
               if(sr.doLog()) {
                 g_log<<Logger::Warning<<"Sending out SERVFAIL for "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" because recursor or query demands it for Bogus results"<<endl;
               }
-              
+
               pw.getHeader()->rcode=RCode::ServFail;
               goto sendit;
             } else {
               if(sr.doLog()) {
-                g_log<<Logger::Warning<<"Not sending out SERVFAIL for "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" Bogus validation since neither config nor query demands this"<<endl;
+                g_log<<Logger::Warning<<"Not sending out SERVFAIL for "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<x_marker<<" Bogus validation since neither config nor query demands this"<<endl;
               }
             }
           }