From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 1 Sep 2016 16:28:28 +0000 (+0200)
Subject: Rec: warn on DNSSEC (N)TAs config without DNSSEC
X-Git-Tag: dnsdist-1.1.0-beta2~82^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e48c6b8ad3361cc3cbfa0b2b9e81959b78bf95ec;p=thirdparty%2Fpdns.git

Rec: warn on DNSSEC (N)TAs config without DNSSEC
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index c719bfe646..87d3713d98 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -2607,6 +2607,24 @@ int serviceMain(int argc, char*argv[])
     exit(99);
   }
 
+  // keep this ABOVE loadRecursorLuaConfig!
+  if(::arg()["dnssec"]=="off")
+    g_dnssecmode=DNSSECMode::Off;
+  else if(::arg()["dnssec"]=="process-no-validate")
+    g_dnssecmode=DNSSECMode::ProcessNoValidate;
+  else if(::arg()["dnssec"]=="process")
+    g_dnssecmode=DNSSECMode::Process;
+  else if(::arg()["dnssec"]=="validate")
+    g_dnssecmode=DNSSECMode::ValidateAll;
+  else if(::arg()["dnssec"]=="log-fail")
+    g_dnssecmode=DNSSECMode::ValidateForLog;
+  else {
+    L<<Logger::Error<<"Unknown DNSSEC mode "<<::arg()["dnssec"]<<endl;
+    exit(1);
+  }
+
+  g_dnssecLogBogus = ::arg().mustDo("dnssec-log-bogus");
+
   loadRecursorLuaConfig(::arg()["lua-config-file"]);
 
   parseACLs();
@@ -2639,23 +2657,6 @@ int serviceMain(int argc, char*argv[])
   setupDelegationOnly();
   g_outgoingEDNSBufsize=::arg().asNum("edns-outgoing-bufsize");
 
-  if(::arg()["dnssec"]=="off")
-    g_dnssecmode=DNSSECMode::Off;
-  else if(::arg()["dnssec"]=="process-no-validate")
-    g_dnssecmode=DNSSECMode::ProcessNoValidate;
-  else if(::arg()["dnssec"]=="process")
-    g_dnssecmode=DNSSECMode::Process;
-  else if(::arg()["dnssec"]=="validate")
-    g_dnssecmode=DNSSECMode::ValidateAll;
-  else if(::arg()["dnssec"]=="log-fail")
-    g_dnssecmode=DNSSECMode::ValidateForLog;
-  else {
-    L<<Logger::Error<<"Unknown DNSSEC mode "<<::arg()["dnssec"]<<endl;
-    exit(1);
-  }
-
-  g_dnssecLogBogus = ::arg().mustDo("dnssec-log-bogus");
-
   if(::arg()["trace"]=="fail") {
     SyncRes::setDefaultLogMode(SyncRes::Store);
   }
diff --git a/pdns/rec-lua-conf.cc b/pdns/rec-lua-conf.cc
index 26dfae684f..a499b8699b 100644
--- a/pdns/rec-lua-conf.cc
+++ b/pdns/rec-lua-conf.cc
@@ -15,6 +15,7 @@
 #include "base64.hh"
 #include "remote_logger.hh"
 #include "validate.hh"
+#include "validate-recursor.hh"
 #include "root-dnssec.hh"
 
 GlobalStateHolder<LuaConfigItems> g_luaconfs; 
@@ -233,12 +234,14 @@ void loadRecursorLuaConfig(const std::string& fname)
 		    });
 
   Lua.writeFunction("addDS", [&lci](const std::string& who, const std::string& what) {
+      warnIfDNSSECDisabled("Warning: adding Trust Anchor for DNSSEC (addDS), but dnssec is set to 'off'!");
       DNSName zone(who);
       auto ds = unique_ptr<DSRecordContent>(dynamic_cast<DSRecordContent*>(DSRecordContent::make(what)));
       lci.dsAnchors[zone].insert(*ds);
   });
 
   Lua.writeFunction("clearDS", [&lci](boost::optional<string> who) {
+      warnIfDNSSECDisabled("Warning: removing Trust Anchor for DNSSEC (clearDS), but dnssec is set to 'off'!");
       if(who)
         lci.dsAnchors.erase(DNSName(*who));
       else
@@ -246,6 +249,7 @@ void loadRecursorLuaConfig(const std::string& fname)
     });
 
   Lua.writeFunction("addNTA", [&lci](const std::string& who, const boost::optional<std::string> why) {
+      warnIfDNSSECDisabled("Warning: adding Negative Trust Anchor for DNSSEC (addNTA), but dnssec is set to 'off'!");
       if(why)
         lci.negAnchors[DNSName(who)] = static_cast<string>(*why);
       else
@@ -253,6 +257,7 @@ void loadRecursorLuaConfig(const std::string& fname)
     });
 
   Lua.writeFunction("clearNTA", [&lci](boost::optional<string> who) {
+      warnIfDNSSECDisabled("Warning: removing Negative Trust Anchor for DNSSEC (clearNTA), but dnssec is set to 'off'!");
       if(who)
         lci.negAnchors.erase(DNSName(*who));
       else
diff --git a/pdns/validate-recursor.cc b/pdns/validate-recursor.cc
index 5819cfe7a9..aef9379c5d 100644
--- a/pdns/validate-recursor.cc
+++ b/pdns/validate-recursor.cc
@@ -26,6 +26,11 @@ public:
   int d_queries{0};
 };
 
+void warnIfDNSSECDisabled(const string& msg) {
+  if(g_dnssecmode == DNSSECMode::Off)
+    L<<Logger::Warning<<msg<<endl;
+}
+
 inline vState increaseDNSSECStateCounter(const vState& state)
 {
   g_stats.dnssecResults[state]++;
diff --git a/pdns/validate-recursor.hh b/pdns/validate-recursor.hh
index 5604ac5338..2fa9850828 100644
--- a/pdns/validate-recursor.hh
+++ b/pdns/validate-recursor.hh
@@ -23,6 +23,7 @@
 #include "dnsparser.hh"
 #include "namespaces.hh"
 #include "validate.hh"
+#include "logger.hh"
 
 vState validateRecords(const vector<DNSRecord>& recs);
 
@@ -36,3 +37,5 @@ vState validateRecords(const vector<DNSRecord>& recs);
 enum class DNSSECMode { Off, Process, ProcessNoValidate, ValidateForLog, ValidateAll };
 extern DNSSECMode g_dnssecmode;
 extern bool g_dnssecLogBogus;
+
+void warnIfDNSSECDisabled(const string& msg);