From: phonedph1 <20867105+phonedph1@users.noreply.github.com>
Date: Thu, 15 Apr 2021 16:57:15 +0000 (-0600)
Subject: rec: print the covering NSEC
X-Git-Tag: dnsdist-1.6.0-rc1^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a651118120d441c1cf20daa9d495d2795ac0b5e8;p=thirdparty%2Fpdns.git

rec: print the covering NSEC

It would be nice to log not only that a name is covered, but what entry actually covers it. This is useful in debugging crazy setups.
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index 901b085d40..d559969c91 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -452,7 +452,7 @@ dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner
   }
 
   if (isCoveredByNSEC(name, owner, nsec->d_next)) {
-    LOG(name<<" is covered ");
+    LOG(name<<" is covered by ("<<owner<<" to "<<nsec->d_next<<") ");
 
     if (nsecProvesENT(name, owner, nsec->d_next)) {
       LOG("Denies existence of type "<<name<<"/"<<QType(qtype).getName()<<" by proving that "<<name<<" is an ENT"<<endl);
@@ -577,7 +577,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
 
         /* check if the whole NAME is denied existing */
         if (isCoveredByNSEC(qname, owner, nsec->d_next)) {
-          LOG(qname<<" is covered ");
+          LOG(name<<" is covered by ("<<owner<<" to "<<nsec->d_next<<") ");
 
           if (nsecProvesENT(qname, owner, nsec->d_next)) {
             if (wantsNoDataProof) {