From: Otto Moerbeek Date: Tue, 17 Jan 2023 11:18:02 +0000 (+0100) Subject: const correctness and better macro defined in logger.hh instead of two spots X-Git-Tag: dnsdist-1.8.0-rc1~83^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8cd5db58805d8fc8fcfe0658e9643c6108b1e36;p=thirdparty%2Fpdns.git const correctness and better macro defined in logger.hh instead of two spots --- diff --git a/pdns/logger.hh b/pdns/logger.hh index 491d95a373..88e45eb6f7 100644 --- a/pdns/logger.hh +++ b/pdns/logger.hh @@ -167,9 +167,30 @@ Logger& getLogger(); #define DLOG(x) ((void)0) #endif +// The types below are used by rec, which can log to g_log (general logging) or a string stream +// (trace-regexp). We feed an OptLog object to the code that should not know anything about this +// That code shold then log using VLOG + struct LogVariant { string prefix; + // variant cannot hold references std::variant v; }; using OptLog = std::optional; + +#ifndef RECURSOR +// Originally there was a flag but is was never set from !RECURSOR +#define VLOG(log, x) #error VLOG only works in recursor +#else +#define VLOG(log, x) \ + if (log) { \ + if (std::holds_alternative((log)->v)) { \ + *std::get(log->v) << Logger::Warning << (log)->prefix << x; \ + } \ + else if (std::holds_alternative((log)->v)) { \ + *std::get((log)->v) << (log)->prefix << x; \ + } \ + } +#endif + diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc index d4b5c5c212..0cb551b66a 100644 --- a/pdns/recursordist/aggressive_nsec.cc +++ b/pdns/recursordist/aggressive_nsec.cc @@ -337,13 +337,6 @@ bool AggressiveNSECCache::getNSECBefore(time_t now, std::shared_ptrd_entries) { - LOG("- "< "< end of list, looking for the lower bound to "<d_entries.get(); auto it = idx.lower_bound(name); bool end = false; 
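Review bot: The non-RECURSOR definition `#define VLOG(log, x) #error VLOG only works in recursor` in the logger.hh hunk is ill-formed rather than a deferred error: in the replacement list of a function-like macro a `#` must be followed by a macro parameter, so as far as I can tell GCC and Clang reject the definition itself in every non-recursor translation unit that includes logger.hh, whether or not VLOG is ever expanded. If the intent is that any use outside the recursor fails to compile, leave VLOG undefined in that branch (keeping the comment), so a stray expansion fails at the call site while the header stays valid; if non-recursor targets still compile validate.cc, the removed `if (false)` form from the validate.cc hunk is the one to keep instead. In the RECURSOR branch the first stream expression reads `*std::get(log->v)` while every other use parenthesises `(log)->v`; making that consistent avoids a surprise should the argument ever be an expression rather than a name. The macro also expands to a bare `if` statement, so wrapping the body in `do { ... } while (0)` makes `VLOG(log, x);` behave as a single statement inside `if`/`else` chains at the call sites.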
@@ -467,17 +460,7 @@ static void addRecordToRRSet(time_t now, const DNSName& owner, const QType& type } } -#define LOG(x) \ - if (log) { \ - if (std::holds_alternative(log->v)) { \ - *std::get(log->v) << Logger::Warning << log->prefix << x; \ - } \ - else if (std::holds_alternative(log->v)) { \ - *std::get(log->v) << x << log->prefix; \ - } \ - } - -bool AggressiveNSECCache::synthesizeFromNSEC3Wildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nextCloser, const DNSName& wildcardName, OptLog& log) +bool AggressiveNSECCache::synthesizeFromNSEC3Wildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nextCloser, const DNSName& wildcardName, const OptLog& log) { vState cachedState; @@ -485,7 +468,7 @@ bool AggressiveNSECCache::synthesizeFromNSEC3Wildcard(time_t now, const DNSName& std::vector> wcSignatures; if (g_recCache->get(now, wildcardName, type, MemRecursorCache::RequireAuth, &wcSet, ComboAddress("127.0.0.1"), boost::none, doDNSSEC ? &wcSignatures : nullptr, nullptr, nullptr, &cachedState) <= 0 || cachedState != vState::Secure) { - LOG("Unfortunately we don't have a valid entry for " << wildcardName << ", so we cannot synthesize from that wildcard" << endl); + VLOG(log, "Unfortunately we don't have a valid entry for " << wildcardName << ", so we cannot synthesize from that wildcard" << endl); return false; } 
@@ -494,12 +477,12 @@ bool AggressiveNSECCache::synthesizeFromNSEC3Wildcard(time_t now, const DNSName& addRecordToRRSet(now, nextCloser.d_owner, QType::NSEC3, nextCloser.d_ttd - now, nextCloser.d_record, nextCloser.d_signatures, doDNSSEC, ret); /* and of course we won't deny the wildcard either */ - LOG("Synthesized valid answer from NSEC3s and wildcard!" << endl); + VLOG(log, "Synthesized valid answer from NSEC3s and wildcard!" << endl); ++d_nsec3WildcardHits; return true; } -bool AggressiveNSECCache::synthesizeFromNSECWildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nsec, const DNSName& wildcardName, OptLog& log) +bool AggressiveNSECCache::synthesizeFromNSECWildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nsec, const DNSName& wildcardName, const OptLog& log) { vState cachedState; 
@@ -507,19 +490,19 @@ bool AggressiveNSECCache::synthesizeFromNSECWildcard(time_t now, const DNSName& std::vector> wcSignatures; if (g_recCache->get(now, wildcardName, type, MemRecursorCache::RequireAuth, &wcSet, ComboAddress("127.0.0.1"), boost::none, doDNSSEC ? &wcSignatures : nullptr, nullptr, nullptr, &cachedState) <= 0 || cachedState != vState::Secure) { - LOG("Unfortunately we don't have a valid entry for " << wildcardName << ", so we cannot synthesize from that wildcard" << endl); + VLOG(log, "Unfortunately we don't have a valid entry for " << wildcardName << ", so we cannot synthesize from that wildcard" << endl); return false; } addToRRSet(now, wcSet, wcSignatures, name, doDNSSEC, ret, DNSResourceRecord::ANSWER); addRecordToRRSet(now, nsec.d_owner, QType::NSEC, nsec.d_ttd - now, nsec.d_record, nsec.d_signatures, doDNSSEC, ret); - LOG("Synthesized valid answer from NSECs and wildcard!" << endl); + VLOG(log, "Synthesized valid answer from NSECs and wildcard!" << endl); ++d_nsecWildcardHits; return true; } -bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr>& zoneEntry, std::vector& soaSet, std::vector>& soaSignatures, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, OptLog& log) +bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr>& zoneEntry, std::vector& soaSet, std::vector>& soaSignatures, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, const OptLog& log) { DNSName zone; std::string salt; 
@@ -539,15 +522,15 @@ bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr(exactNSEC3.d_record); if (!nsec3 || nsec3->d_iterations != iterations || nsec3->d_salt != salt) { - LOG(" but the content is not valid, or has a different salt or iterations count" << endl); + VLOG(log, " but the content is not valid, or has a different salt or iterations count" << endl); return false; } if (!isTypeDenied(nsec3, type)) { - LOG(" but the requested type (" << type.toString() << ") does exist" << endl); + VLOG(log, " but the requested type (" << type.toString() << ") does exist" << endl); return false; } @@ -561,16 +544,16 @@ bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr(closestNSEC3.d_record); if (!nsec3 || nsec3->d_iterations != iterations || nsec3->d_salt != salt) { - LOG(" but the content is not valid, or has a different salt or iterations count" << endl); + VLOG(log, " but the content is not valid, or has a different salt or iterations count" << endl); break; } @@ -604,12 +587,12 @@ bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr(nextCloserEntry.d_record); if (!nextCloserNsec3 || nextCloserNsec3->d_iterations != iterations || nextCloserNsec3->d_salt != salt) { - LOG("The NSEC3 covering the next closer is not valid, or has a different salt or iterations count, bailing out" << endl); + VLOG(log, "The NSEC3 covering the next closer is not valid, or has a different salt or iterations count, bailing out" << endl); return false; } const DNSName nextCloserSigner = getSigner(nextCloserEntry.d_signatures); if (type == QType::DS && !name.isRoot() && nextCloserSigner == name) { - LOG(" but this NSEC3 comes from the child zone and cannot be used to deny a DS"); + VLOG(log, " but this NSEC3 comes from the child zone and cannot be used to deny a DS"); return false; } 
@@ -661,20 +644,20 @@ bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr(wcEntry.d_record); if (!nsec3 || nsec3->d_iterations != iterations || nsec3->d_salt != salt) { - LOG(" but the content is not valid, or has a different salt or iterations count" << endl); + VLOG(log, " but the content is not valid, or has a different salt or iterations count" << endl); return false; } @@ -688,38 +671,38 @@ bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr(wcEntry.d_record); if (!nsec3 || nsec3->d_iterations != iterations || nsec3->d_salt != salt) { - LOG("The content of the NSEC3 covering the wildcard is not valid, or has a different salt or iterations count" << endl); + VLOG(log, "The content of the NSEC3 covering the wildcard is not valid, or has a different salt or iterations count" << endl); return false; } const DNSName wcSigner = getSigner(wcEntry.d_signatures); if (type == QType::DS && !name.isRoot() && wcSigner == name) { - LOG(" but this wildcard NSEC3 comes from the child zone and cannot be used to deny a DS"); + VLOG(log, " but this wildcard NSEC3 comes from the child zone and cannot be used to deny a DS"); return false; } @@ -739,12 +722,12 @@ bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr& ret, int& res, const ComboAddress& who, const boost::optional& routingTag, bool doDNSSEC, OptLog log) +bool AggressiveNSECCache::getDenial(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, const ComboAddress& who, const boost::optional& routingTag, bool doDNSSEC, const OptLog& log) { std::shared_ptr> zoneEntry; if (type == QType::DS) { 
@@ -779,7 +762,7 @@ bool AggressiveNSECCache::getDenial(time_t now, const DNSName& name, const QType std::vector> soaSignatures; /* we might not actually need the SOA if we find a matching wildcard, but let's not bother for now */ if (g_recCache->get(now, zone, QType::SOA, MemRecursorCache::RequireAuth, &soaSet, who, routingTag, doDNSSEC ? &soaSignatures : nullptr, nullptr, nullptr, &cachedState) <= 0 || cachedState != vState::Secure) { - LOG("No valid SOA found for " << zone << ", which is the best match for " << name << endl); + VLOG(log, "No valid SOA found for " << zone << ", which is the best match for " << name << endl); return false; } @@ -792,9 +775,9 @@ bool AggressiveNSECCache::getDenial(time_t now, const DNSName& name, const QType bool covered = false; bool needWildcard = false; - LOG("Looking for a NSEC before " << name); + VLOG(log, "Looking for a NSEC before " << name); if (!getNSECBefore(now, zoneEntry, name, entry)) { - LOG(": nothing found in the aggressive cache" << endl); + VLOG(log, ": nothing found in the aggressive cache" << endl); return false; } 
@@ -803,30 +786,30 @@ bool AggressiveNSECCache::getDenial(time_t now, const DNSName& name, const QType return false; } - LOG(": found a possible NSEC at " << entry.d_owner << " "); + VLOG(log, ": found a possible NSEC at " << entry.d_owner << " "); // note that matchesNSEC() takes care of ruling out ancestor NSECs for us auto denial = matchesNSEC(name, type.getCode(), entry.d_owner, content, entry.d_signatures, log); if (denial == dState::NODENIAL || denial == dState::INCONCLUSIVE) { - LOG(" but it does no cover us" << endl); + VLOG(log, " but it does no cover us" << endl); return false; } else if (denial == dState::NXQTYPE) { covered = true; - LOG(" and it proves that the type does not exist" << endl); + VLOG(log, " and it proves that the type does not exist" << endl); res = RCode::NoError; } else if (denial == dState::NXDOMAIN) { - LOG(" and it proves that the name does not exist" << endl); + VLOG(log, " and it proves that the name does not exist" << endl); DNSName closestEncloser = getClosestEncloserFromNSEC(name, entry.d_owner, entry.d_next); DNSName wc = g_wildcarddnsname + closestEncloser; - LOG("Now looking for a NSEC before the wildcard " << wc); + VLOG(log, "Now looking for a NSEC before the wildcard " << wc); if (!getNSECBefore(now, zoneEntry, wc, wcEntry)) { - LOG(": nothing found in the aggressive cache" << endl); + VLOG(log, ": nothing found in the aggressive cache" << endl); return false; } - LOG(": found a possible NSEC at " << wcEntry.d_owner << " "); + VLOG(log, ": found a possible NSEC at " << wcEntry.d_owner << " "); auto nsecContent = std::dynamic_pointer_cast(wcEntry.d_record); 
@@ -834,21 +817,21 @@ bool AggressiveNSECCache::getDenial(time_t now, const DNSName& name, const QType if (denial == dState::NODENIAL || denial == dState::INCONCLUSIVE) { if (wcEntry.d_owner == wc) { - LOG(" proving that the wildcard does exist" << endl); + VLOG(log, " proving that the wildcard does exist" << endl); return synthesizeFromNSECWildcard(now, name, type, ret, res, doDNSSEC, entry, wc, log); } - LOG(" but it does no cover us" << endl); + VLOG(log, " but it does no cover us" << endl); return false; } else if (denial == dState::NXQTYPE) { - LOG(" and it proves that there is a matching wildcard, but the type does not exist" << endl); + VLOG(log, " and it proves that there is a matching wildcard, but the type does not exist" << endl); covered = true; res = RCode::NoError; } else if (denial == dState::NXDOMAIN) { - LOG(" and it proves that there is no matching wildcard" << endl); + VLOG(log, " and it proves that there is no matching wildcard" << endl); covered = true; res = RCode::NXDomain; } @@ -871,7 +854,7 @@ bool AggressiveNSECCache::getDenial(time_t now, const DNSName& name, const QType addRecordToRRSet(now, wcEntry.d_owner, QType::NSEC, wcEntry.d_ttd - now, wcEntry.d_record, wcEntry.d_signatures, doDNSSEC, ret); } - LOG("Found valid NSECs covering the requested name and type!" << endl); + VLOG(log, "Found valid NSECs covering the requested name and type!" << endl); ++d_nsecHits; return true; } diff --git a/pdns/recursordist/aggressive_nsec.hh b/pdns/recursordist/aggressive_nsec.hh index f8276e0848..e8fe05a774 100644 --- a/pdns/recursordist/aggressive_nsec.hh +++ b/pdns/recursordist/aggressive_nsec.hh 
@@ -46,7 +46,7 @@ public: } void insertNSEC(const DNSName& zone, const DNSName& owner, const DNSRecord& record, const std::vector>& signatures, bool nsec3); - bool getDenial(time_t, const DNSName& name, const QType& type, std::vector& ret, int& res, const ComboAddress& who, const boost::optional& routingTag, bool doDNSSEC, OptLog log = std::nullopt); + bool getDenial(time_t, const DNSName& name, const QType& type, std::vector& ret, int& res, const ComboAddress& who, const boost::optional& routingTag, bool doDNSSEC, const OptLog& log = std::nullopt); void removeZoneInfo(const DNSName& zone, bool subzones); 
@@ -133,9 +133,9 @@ private: std::shared_ptr> getBestZone(const DNSName& zone); bool getNSECBefore(time_t now, std::shared_ptr>& zoneEntry, const DNSName& name, ZoneEntry::CacheEntry& entry); bool getNSEC3(time_t now, std::shared_ptr>& zoneEntry, const DNSName& name, ZoneEntry::CacheEntry& entry); - bool getNSEC3Denial(time_t now, std::shared_ptr>& zoneEntry, std::vector& soaSet, std::vector>& soaSignatures, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, OptLog&); - bool synthesizeFromNSEC3Wildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nextCloser, const DNSName& wildcardName, OptLog&); - bool synthesizeFromNSECWildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nsec, const DNSName& wildcardName, OptLog&); + bool getNSEC3Denial(time_t now, std::shared_ptr>& zoneEntry, std::vector& soaSet, std::vector>& soaSignatures, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, const OptLog&); + bool synthesizeFromNSEC3Wildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nextCloser, const DNSName& wildcardName, const OptLog&); + bool synthesizeFromNSECWildcard(time_t now, const DNSName& name, const QType& type, std::vector& ret, int& res, bool doDNSSEC, ZoneEntry::CacheEntry& nsec, const DNSName& wildcardName, const OptLog&); /* slowly updates d_entriesCount */ void updateEntriesCount(SuffixMatchTree>>& zones); diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc index 174a0de567..8f4b7b7390 100644 --- a/pdns/recursordist/syncres.cc +++ b/pdns/recursordist/syncres.cc 
@@ -479,14 +479,14 @@ bool SyncRes::s_addExtendedResolutionDNSErrors; OptLog SyncRes::LogObject(const string& prefix) { - OptLog ret; - if (d_lm == Log) { - ret = {prefix, &g_log}; - } - else if(d_lm == Store) { - ret = {prefix, &d_trace}; - } - return ret; + OptLog ret; + if (d_lm == Log) { + ret = {prefix, &g_log}; + } + else if(d_lm == Store) { + ret = {prefix, &d_trace}; + } + return ret; } // A helper function to print a double with specific printf format. diff --git a/pdns/recursordist/syncres.hh b/pdns/recursordist/syncres.hh index 85aee0cec6..fc08f21737 100644 --- a/pdns/recursordist/syncres.hh +++ b/pdns/recursordist/syncres.hh @@ -165,6 +165,7 @@ public: { s_lm = lm; } + OptLog LogObject(const string& prefix); static uint64_t doEDNSDump(int fd); diff --git a/pdns/validate.cc b/pdns/validate.cc index 2f68a833f0..b75071b576 100644 --- a/pdns/validate.cc +++ b/pdns/validate.cc @@ -9,21 +9,6 @@ time_t g_signatureInceptionSkew{0}; uint16_t g_maxNSEC3Iterations{0}; -#ifndef RECURSOR -// Originally there was a flag but is was never set from !RECURSOR -#define LOG(x) if (false) g_log <(log->v)) { \ - *std::get(log->v) << Logger::Warning << log->prefix << x; \ - } \ - else if (std::holds_alternative(log->v)) { \ - *std::get(log->v) << log->prefix << x; \ - } \ - } -#endif - static bool isAZoneKey(const DNSKEYRecordContent& key) { /* rfc4034 Section 2.1.1: @@ -45,18 +30,18 @@ static bool isRevokedKey(const DNSKEYRecordContent& key) return (key.d_flags & 128) != 0; } -static vector > getByTag(const skeyset_t& keys, uint16_t tag, uint8_t algorithm, OptLog& log) +static vector > getByTag(const skeyset_t& keys, uint16_t tag, uint8_t algorithm, const OptLog& log) { vector> ret; for (const auto& key : keys) { if (!isAZoneKey(*key)) { - LOG("Key for tag "<getZoneRepresentation()<getZoneRepresentation()<(r); if (!nsec) { continue; 
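Review bot: The new `OptLog LogObject(const string& prefix);` declaration in the syncres.hh hunk carries no comment, and the lifetime of what it returns is not obvious from the signature: the syncres.cc definition on this commit stores `&g_log` in Log mode or `&d_trace` in Store mode, so in Store mode the returned OptLog holds a non-owning pointer into this SyncRes and must not outlive it. Suggest a comment above the declaration: `// Logging target for VLOG: &g_log in Log mode, &d_trace in Store mode, nullopt otherwise. Holds a raw pointer to d_trace, so the result must not outlive this SyncRes.` The syncres.cc hunk itself only re-indents the body.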
@@ -276,12 +261,12 @@ static bool provesNoDataWildCard(const DNSName& qname, const uint16_t qtype, con continue; } - LOG("\tWildcard matches"); + VLOG(log, "\tWildcard matches"); if (qtype == 0 || isTypeDenied(nsec, QType(qtype))) { - LOG(" and proves that the type did not exist"<getZoneRepresentation()<getZoneRepresentation()<(r); if (!nsec) { continue; } const DNSName owner = getNSECOwnerName(v.first.first, v.second.signatures); - LOG("Comparing owner: "<isSet(QType::DNAME)) { /* rfc6672 section 5.3.2: DNAME Bit in NSEC Type Map @@ -331,12 +316,12 @@ static bool provesNoWildCard(const DNSName& qname, const uint16_t qtype, const D asserted, then DNAME substitution should have been done, but the substitution has not been done as specified. */ - LOG("\tThe qname is a subdomain of the NSEC and the DNAME bit is set"<d_next)) { - LOG("\tWildcard is covered"<getZoneRepresentation()<getZoneRepresentation()<(r); if (!nsec3) { continue; @@ -376,12 +361,12 @@ static bool provesNSEC3NoWildCard(const DNSName& closestEncloser, uint16_t const if (h.empty()) { return false; } - LOG("\tWildcard hash: "< "<d_nexthash)< "<d_nexthash)<d_nexthash)) { - LOG("\tWildcard hash is covered"<& nsec, const std::vector>& signatures, OptLog log) +dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner, const std::shared_ptr& nsec, const std::vector>& signatures, const OptLog& log) { const DNSName signer = getSigner(signatures); if (!name.isPartOf(signer) || !nsecOwner.isPartOf(signer)) { 
@@ -434,7 +419,7 @@ dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner if (name.isPartOf(owner) && isNSECAncestorDelegation(signer, owner, nsec)) { /* this is an "ancestor delegation" NSEC RR */ if (!(qtype == QType::DS && name == owner)) { - LOG("An ancestor delegation NSEC RR can only deny the existence of a DS"<d_next)) { - LOG(name<<" is covered by ("<d_next<<") "); + VLOG(log, name<<" is covered by ("<d_next<<") "); if (nsecProvesENT(name, owner, nsec->d_next)) { - LOG("Denies existence of type "<getZoneRepresentation()<getZoneRepresentation()<isSet(QType::NS) && nsec->isSet(QType::SOA)) { - LOG("However, that NSEC is not at the apex and has both the NS and the SOA bits set!"<isSet(QType::NS)) { - LOG("However, no NS record exists at this level!"<d_next)) { - LOG(qname<<" is covered by ("<d_next<<") "); + VLOG(log, qname<<" is covered by ("<d_next<<") "); if (nsecProvesENT(qname, owner, nsec->d_next)) { if (wantsNoDataProof) { /* if the name is an ENT and we received a NODATA answer, we are fine with a NSEC proving that the name does not exist. */ - LOG("Denies existence of type "<d_next); if (wantsNoDataProof) { - LOG("looking for NODATA proof"<isSet(qtype)<<", next: "<d_next<isSet(qtype)<<", next: "<d_next<getZoneRepresentation()<getZoneRepresentation()<(r); if (!nsec3) { continue; @@ -669,24 +654,24 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 const DNSName& hashedOwner = v.first.first; const DNSName signer = getSigner(v.second.signatures); if (!hashedOwner.isPartOf(signer)) { - LOG("Owner "<isSet(QType::NS) && nsec3->isSet(QType::SOA)) { - LOG("However, that NSEC3 is not at the apex and has both the NS and the SOA bits set!"<isSet(QType::NS)) { - LOG("However, no NS record exists at this level!"<getZoneRepresentation()<getZoneRepresentation()<(r); if (!nsec3) { continue; 
@@ -769,7 +754,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 const DNSName signer = getSigner(v.second.signatures); if (!v.first.first.isPartOf(signer)) { - LOG("Owner "<isSet(QType::DNAME)) { @@ -801,7 +786,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 asserted, then DNAME substitution should have been done, but the substitution has not been done as specified. */ - LOG("\tThe closest encloser NSEC3 has the DNAME bit is set"<= 1) { DNSName nextCloser(closestEncloser); nextCloser.prependRawLabel(qname.getRawLabel(labelIdx - 1)); - LOG("Looking for a NSEC3 covering the next closer name "<getZoneRepresentation()<getZoneRepresentation()<(r); if(!nsec3) continue; @@ -857,26 +842,26 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 const DNSName signer = getSigner(v.second.signatures); if (!v.first.first.isPartOf(signer)) { - LOG("Owner "< "<d_nexthash)< "<d_nexthash)<d_nexthash)) { - LOG("Denies existence of name "<isOptOut()) { - LOG(" but is opt-out!"); + VLOG(log, " but is opt-out!"); isOptOut = true; } - LOG(endl); + VLOG(log, endl); break; } - LOG("Did not cover us ("<& sig return sig->d_siginception - g_signatureInceptionSkew <= now; } -static bool checkSignatureWithKey(time_t now, const shared_ptr sig, const shared_ptr key, const std::string& msg, vState& ede, OptLog& log) +static bool checkSignatureWithKey(time_t now, const shared_ptr sig, const shared_ptr key, const std::string& msg, vState& ede, const OptLog& log) { bool result = false; try { 
@@ -969,24 +954,24 @@ static bool checkSignatureWithKey(time_t now, const shared_ptrd_algorithm, key->d_key); result = dke->verify(msg, sig->d_signature); - LOG("signature by key with tag "<d_tag<<" and algorithm "<d_algorithm)<<" was " << (result ? "" : "NOT ")<<"valid"<d_tag<<" and algorithm "<d_algorithm)<<" was " << (result ? "" : "NOT ")<<"valid"<d_siginception - g_signatureInceptionSkew) > now) ? vState::BogusSignatureNotYetValid : vState::BogusSignatureExpired; - LOG("Signature is "<<(ede == vState::BogusSignatureNotYetValid ? "not yet valid" : "expired")<<" (inception: "<d_siginception<<", inception skew: "<d_sigexpire<<", now: "<d_siginception<<", inception skew: "<d_sigexpire<<", now: "< >& signatures, const skeyset_t& keys, OptLog log, bool validateAllSigs) +vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t& toSign, const vector >& signatures, const skeyset_t& keys, const OptLog& log, bool validateAllSigs) { bool foundKey = false; bool isValid = false; @@ -996,14 +981,14 @@ vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t for(const auto& signature : signatures) { unsigned int labelCount = name.countLabels(); if (signature->d_labels > labelCount) { - LOG(name<<": Discarding invalid RRSIG whose label count is "<d_labels<<" while the RRset owner name has only "<d_labels<<" while the RRset owner name has only "<d_tag, signature->d_algorithm, log); if (keysMatchingTag.empty()) { - LOG("No key provided for "<d_tag<<" and algorithm "<d_algorithm)<d_tag<<" and algorithm "<d_algorithm)<d_type)<d_type)<first.first<<"/"<<)<first.first)<<"/"<first.second)<<" with "<second.signatures.size()<<" sigs"<first.first)<<"/"<first.second)<<" with "<second.signatures.size()<<" sigs"<first.first, i->second.records, i->second.signatures, keys, log, true) == vState::Secure) { validated[i->first] = i->second; } 
@@ -1120,7 +1105,7 @@ bool haveNegativeTrustAnchor(const map& negAnchors, const D return true; } -vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, OptLog log) +vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog& log) { /* * Check all DNSKEY records against all DS records and place all DNSKEY records @@ -1142,17 +1127,17 @@ vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& isValid = dsrc == dsrc2; } catch (const std::exception &e) { - LOG("Unable to make DS from DNSKey: "<dsAnchors; @@ -1281,7 +1266,7 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, skeyset_t& keyset, lowestNTA = negAnchor.first; if(!lowestNTA.empty()) { - LOG("Found a Negative Trust Anchor for "< "< "< (rec); if(rrc) { - LOG("Got signature: "<getZoneRepresentation()<<" with tag "<d_tag<<", for type "<d_type)<getZoneRepresentation()<<" with tag "<d_tag<<", for type "<d_type)<d_type != QType::DNSKEY) continue; sigs.push_back(rrc); 
@@ -1340,13 +1325,13 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, skeyset_t& keyset, auto drc=getRR (rec); if(drc) { tkeys.insert(drc); - LOG("Inserting key with tag "<getTag()<<" and algorithm "<d_algorithm)<<": "<getZoneRepresentation()<getTag()<<" and algorithm "<d_algorithm)<<": "<getZoneRepresentation()<, sharedDNSKeyRecordContentCompare > skeyset_t; -vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t& records, const vector >& signatures, const skeyset_t& keys, OptLog log, bool validateAllSigs=true); +vState validateWithKeySet(time_t now, const DNSName& name, const sortedRecords_t& records, const vector >& signatures, const skeyset_t& keys, const OptLog& log, bool validateAllSigs=true); bool isCoveredByNSEC(const DNSName& name, const DNSName& begin, const DNSName& next); bool isCoveredByNSEC3Hash(const std::string& h, const std::string& beginHash, const std::string& nextHash); bool isCoveredByNSEC3Hash(const DNSName& h, const DNSName& beginHash, const DNSName& nextHash); -void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const skeyset_t& keys, OptLog& log); +void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const skeyset_t& keys, const OptLog& log); cspmap_t harvestCSPFromRecs(const vector& recs); vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, skeyset_t& keyset); bool getTrustAnchor(const map& anchors, const DNSName& zone, dsmap_t &res); bool haveNegativeTrustAnchor(const map& negAnchors, const DNSName& zone, std::string& reason); -vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, OptLog); -dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, OptLog log = std::nullopt, bool needsWildcardProof=true, unsigned int wildcardLabelsCount=0); -bool 
isSupportedDS(const DSRecordContent& ds, OptLog); +vState validateDNSKeysAgainstDS(time_t now, const DNSName& zone, const dsmap_t& dsmap, const skeyset_t& tkeys, const sortedRecords_t& toSign, const vector >& sigs, skeyset_t& validkeys, const OptLog&); +dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16_t qtype, bool referralToUnsigned, bool wantsNoDataProof, const OptLog& log = std::nullopt, bool needsWildcardProof=true, unsigned int wildcardLabelsCount=0); +bool isSupportedDS(const DSRecordContent& ds, const OptLog&); DNSName getSigner(const std::vector >& signatures); bool denialProvesNoDelegation(const DNSName& zone, const std::vector& dsrecords); bool isRRSIGNotExpired(const time_t now, const std::shared_ptr& sig); @@ -93,7 +93,7 @@ bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr& sign); void updateDNSSECValidationState(vState& state, const vState stateUpdate); -dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner, const std::shared_ptr& nsec, const std::vector>& signatures, OptLog); +dState matchesNSEC(const DNSName& name, uint16_t qtype, const DNSName& nsecOwner, const std::shared_ptr& nsec, const std::vector>& signatures, const OptLog&); bool isNSEC3AncestorDelegation(const DNSName& signer, const DNSName& owner, const std::shared_ptr& nsec3); DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector >& signatures);