From: bert hubert
Date: Mon, 20 Oct 2014 14:38:08 +0000 (+0200)
Subject: implement security polling according to docs/security-poll.md
X-Git-Tag: rec-3.7.0-rc1~201^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d67620e4520c72f5610ce521138157b254fb66fa;p=thirdparty%2Fpdns.git

implement security polling according to docs/security-poll.md
---
diff --git a/pdns/Makefile-recursor b/pdns/Makefile-recursor
index 9cff5e26f1..2a3654de05 100644
--- a/pdns/Makefile-recursor
+++ b/pdns/Makefile-recursor
@@ -24,7 +24,7 @@ dns_random.o ext/polarssl/library/aes.o dnslabeltext.o \
 lua-pdns.o lua-recursor.o randomhelper.o recpacketcache.o dns.o \
 reczones.o base32.o nsecrecords.o json.o ws-recursor.o ws-api.o \
 version.o responsestats.o webserver.o ext/yahttp/yahttp/reqresp.o ext/yahttp/yahttp/router.o \
-rec-carbon.o
+rec-carbon.o secpoll-recursor.o
 
 REC_CONTROL_OBJECTS=rec_channel.o rec_control.o arguments.o misc.o \
 unix_utility.o logger.o qtype.o
diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 0dfe883c1a..6ab9c7ae8c 100644
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -906,6 +906,8 @@ pdns_recursor_SOURCES = \
 	reczones.cc \
 	resolver.hh \
 	responsestats.cc \
+	secpoll-recursor.cc \
+	secpoll-recuersor.hh \
 	selectmplexer.cc \
 	sillyrecords.cc \
 	statbag.cc \
diff --git a/pdns/dist-recursor b/pdns/dist-recursor
index 449a4788d5..b61a032495 100755
--- a/pdns/dist-recursor
+++ b/pdns/dist-recursor
@@ -26,7 +26,7 @@ sstuff.hh mtasker.hh mtasker.cc lwres.hh logger.hh pdnsexception.hh \
 mplexer.hh \
 dns_random.hh lua-pdns.hh lua-recursor.hh namespaces.hh \
 recpacketcache.hh base32.hh cachecleaner.hh json.hh version.hh \
-ws-recursor.hh ws-api.hh \
+ws-recursor.hh ws-api.hh secpoll-recursor.hh \
 responsestats.hh webserver.hh"
 
 CFILES="syncres.cc misc.cc unix_utility.cc qtype.cc \
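Review bot: The second line added to pdns_recursor_SOURCES names `secpoll-recuersor.hh`, which does not exist; every other reference in this commit spells the header `secpoll-recursor.hh` (the dist-recursor HFILES list and the `#include` added to pdns_recursor.cc). Automake treats every entry in _SOURCES as a file to distribute, so the misspelled entry will most likely make `make dist`/`distcheck` fail with a missing-target error and, until then, silently leaves the real header out of the tarball. The line should read `	secpoll-recursor.hh \`. The pdns_recursor_SOURCES list continues outside the hunk.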
@@ -37,7 +37,7 @@ selectmplexer.cc epollmplexer.cc kqueuemplexer.cc portsmplexer.cc pdns_hw.cc \
 sillyrecords.cc lua-pdns.cc lua-recursor.cc randomhelper.cc \
 devpollmplexer.cc recpacketcache.cc dns.cc reczones.cc base32.cc nsecrecords.cc \
 dnslabeltext.cc json.cc ws-recursor.cc ws-api.cc version.cc dns_random.cc \
-responsestats.cc webserver.cc rec-carbon.cc"
+responsestats.cc webserver.cc rec-carbon.cc secpoll-recursor.cc"
 
 cd docs
 make pdns_recursor.1 rec_control.1
diff --git a/pdns/docs/security-poll.md b/pdns/docs/security-poll.md
index cf0f734c23..8e83aab78f 100644
--- a/pdns/docs/security-poll.md
+++ b/pdns/docs/security-poll.md
@@ -22,21 +22,21 @@ PowerDNS software periodically tries to resolve
 
 The data returned is in one of the following forms:
 
- * NXDOMAIN or resolution failure -> -1
- * "0 Ok" -> 0
- * "1 Upgrade recommended for security reasons, see http://powerdns.com/..." -> 1
- * "2 Upgrade mandatory for security reasons, see http://powerdns.com/..." -> 2
-
-In cases 1 or 2, periodic logging commences. The metric security-status is
-set to 1 or 2 respectively. If at a later date, resolution fails, the
-security-status is not reset to 0. It could be lowered however if we
+ * NXDOMAIN or resolution failure -> 0
+ * "1 Ok" -> 1
+ * "2 Upgrade recommended for security reasons, see http://powerdns.com/..." -> 2
+ * "3 Upgrade mandatory for security reasons, see http://powerdns.com/..." -> 3
+
+In cases 2 or 3, periodic logging commences. The metric security-status is
+set to 2 or 3 respectively. If at a later date, resolution fails, the
+security-status is not reset to 1. It could be lowered however if we
 discover the security status is less urgent than we thought.
 
-If resolution fails, and the previous security-status was 0, the new
-security-status becomes -1 ('no data'). If the security-status was higher
-than 0, it will remain that way, and not get set to -1.
+If resolution fails, and the previous security-status was 1, the new
+security-status becomes 0 ('no data'). If the security-status was higher
+than 1, it will remain that way, and not get set to 0.
 
-In this way, security-status of -1 really means 'no data', and can not mask
+In this way, security-status of 0 really means 'no data', and can not mask
 a known problem.
 
 ## Distributions
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index e0784af9ac..cbe2cf0fea 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -66,7 +66,7 @@
 #include "lua-recursor.hh"
 #include "version.hh"
 #include "responsestats.hh"
-
+#include "secpoll-recursor.hh"
 #ifndef RECURSOR
 #include "statbag.hh"
 StatBag S;
@@ -1175,7 +1175,7 @@ void doStats(void)
 static void houseKeeping(void *)
 try
 {
-  static __thread time_t last_stat, last_rootupdate, last_prune;
+  static __thread time_t last_stat, last_rootupdate, last_prune, last_secpoll;
   static __thread int cleanCounter=0;
   struct timeval now;
   Utility::gettimeofday(&now, 0);
@@ -1202,13 +1202,6 @@ try
     last_prune=time(0);
   }
 
-  if(!t_id) {
-    if(now.tv_sec - last_stat >= 1800) {
-      doStats();
-      last_stat=time(0);
-    }
-  }
-
   if(now.tv_sec - last_rootupdate > 7200) {
     SyncRes sr(now);
     sr.setDoEDNS0(true);
@@ -1223,6 +1216,19 @@ try
     else L<
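Review bot: `last_secpoll` is added as `static __thread`, so each worker thread keeps its own poll timer, and since these statics are zero-initialised the very first housekeeping pass of every thread will presumably see the poll as overdue. Unless the actual poll (in the part of houseKeeping outside this hunk) is gated on `!t_id` the way the stats call used to be, N worker threads will each send their own outbound query to the security-status zone on startup and again every interval; that is both needless external traffic and N times the log noise when the status is 2 or 3. Suggest a comment on the declaration making the intent explicit: `// per-thread timers; only thread 0 (!t_id) should perform the secpoll itself`. houseKeeping's body continues outside the hunk.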
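Review bot: The `if(!t_id)` gate removed here was the only thing in the visible part of houseKeeping that restricted doStats() to a single thread, and nothing in this hunk replaces it; the next hunk (starting at old line 1223) is cut off, so the relocated stats call cannot be checked from here. Please confirm that the moved block still wraps doStats() in `if(!t_id)` and still assigns `last_stat=time(0)`, otherwise either every worker thread logs the 30-minute statistics or the periodic stats log disappears entirely. A one-line comment at the new call site, `// stats and secpoll run from thread 0 only`, would make the gate obvious to the next reader. houseKeeping's body continues outside the hunk.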