From 6c1fcbfe13a0a67e2a3e8759710656e69a28d684 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Tue, 5 Jan 2021 15:49:24 +0100 Subject: [PATCH] rec: Add metrics for Aggressive NSEC caching --- pdns/rec-snmp.cc | 10 ++++++ pdns/rec_channel_rec.cc | 9 ++++- pdns/recursordist/RECURSOR-MIB.txt | 50 +++++++++++++++++++++++++++- pdns/recursordist/aggressive_nsec.cc | 8 +++++ pdns/recursordist/aggressive_nsec.hh | 31 ++++++++++++++++- pdns/recursordist/docs/metrics.rst | 24 +++++++++++++ 6 files changed, 129 insertions(+), 3 deletions(-) diff --git a/pdns/rec-snmp.cc b/pdns/rec-snmp.cc index 03c64193f7..c4a1b2fdc8 100644 --- a/pdns/rec-snmp.cc +++ b/pdns/rec-snmp.cc @@ -125,6 +125,11 @@ static const oid nodLookupsDroppedOversizeOID[] = { RECURSOR_STATS_OID, 104 }; static const oid taskQueuePushedOID[] = { RECURSOR_STATS_OID, 105 }; static const oid taskQueueExpiredOID[] = { RECURSOR_STATS_OID, 106 }; static const oid taskQueueSizeOID[] = { RECURSOR_STATS_OID, 107 }; +static const oid aggressiveNSECCacheEntriesOID[] = { RECURSOR_STATS_OID, 108 }; +static const oid aggressiveNSECCacheNSECHitsOID[] = { RECURSOR_STATS_OID, 109 }; +static const oid aggressiveNSECCacheNSEC3HitsOID[] = { RECURSOR_STATS_OID, 110 }; +static const oid aggressiveNSECCacheNSECWCHitsOID[] = { RECURSOR_STATS_OID, 111 }; +static const oid aggressiveNSECCacheNSEC3WCHitsOID[] = { RECURSOR_STATS_OID, 112 }; static std::unordered_map s_statsMap; 
@@ -341,5 +346,10 @@ RecursorSNMPAgent::RecursorSNMPAgent(const std::string& name, const std::string& registerCounter64Stat("tasqueue-pushed", taskQueuePushedOID, OID_LENGTH(taskQueuePushedOID)); registerCounter64Stat("taskqueue-expired", taskQueueExpiredOID, OID_LENGTH(taskQueueExpiredOID)); registerCounter64Stat("taskqueue-size", taskQueueSizeOID, OID_LENGTH(taskQueueSizeOID)); + registerCounter64Stat("aggressive-nsec-cache-entries", aggressiveNSECCacheEntriesOID, OID_LENGTH(aggressiveNSECCacheEntriesOID)); + registerCounter64Stat("aggressive-nsec-cache-nsec-hits", aggressiveNSECCacheNSECHitsOID, OID_LENGTH(aggressiveNSECCacheNSECHitsOID)); + registerCounter64Stat("aggressive-nsec-cache-nsec3-hits", aggressiveNSECCacheNSEC3HitsOID, OID_LENGTH(aggressiveNSECCacheNSEC3HitsOID)); + registerCounter64Stat("aggressive-nsec-cache-nsec-wc-hits", aggressiveNSECCacheNSECWCHitsOID, OID_LENGTH(aggressiveNSECCacheNSECWCHitsOID)); + registerCounter64Stat("aggressive-nsec-cache-nsec-wc3-hits", aggressiveNSECCacheNSEC3WCHitsOID, OID_LENGTH(aggressiveNSECCacheNSEC3WCHitsOID)); #endif /* HAVE_NET_SNMP */ } diff --git a/pdns/rec_channel_rec.cc b/pdns/rec_channel_rec.cc index 84ac0f8ea0..e13a421062 100644 --- a/pdns/rec_channel_rec.cc +++ b/pdns/rec_channel_rec.cc @@ -31,6 +31,7 @@ #include "responsestats.hh" #include "rec-lua-conf.hh" +#include "aggressive_nsec.hh" #include "validate-recursor.hh" #include "filterpo.hh" 
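Review bot: The last added registration uses the name `"aggressive-nsec-cache-nsec-wc3-hits"`, while rec_channel_rec.cc registers the statistic as `"aggressive-nsec-cache-nsec3-wc-hits"`, so the SNMP object at OID 112 will presumably not resolve to the NSEC3 wildcard counter. The line should read `registerCounter64Stat("aggressive-nsec-cache-nsec3-wc-hits", aggressiveNSECCacheNSEC3WCHitsOID, OID_LENGTH(aggressiveNSECCacheNSEC3WCHitsOID));`. The metrics.rst hunk has a related naming slip: the heading `aggressive-nsec-cache-nsec3-wc-hits` appears twice (the first presumably meant `aggressive-nsec-cache-nsec-wc-hits`), and `aggressive-nsec-cache-nsec3-hits` has no entry. The constructor body starts outside the hunk.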
@@ -1047,7 +1048,13 @@ static void registerAllStats1() addGetStat("packetcache-misses", doGetPacketCacheMisses); addGetStat("packetcache-entries", doGetPacketCacheSize); addGetStat("packetcache-bytes", doGetPacketCacheBytes); - + + addGetStat("aggressive-nsec-cache-entries", [](){ return g_aggressiveNSECCache ? g_aggressiveNSECCache->getEntriesCount() : 0; }); + addGetStat("aggressive-nsec-cache-nsec-hits", [](){ return g_aggressiveNSECCache ? g_aggressiveNSECCache->getNSECHits() : 0; }); + addGetStat("aggressive-nsec-cache-nsec3-hits", [](){ return g_aggressiveNSECCache ? g_aggressiveNSECCache->getNSEC3Hits() : 0; }); + addGetStat("aggressive-nsec-cache-nsec-wc-hits", [](){ return g_aggressiveNSECCache ? g_aggressiveNSECCache->getNSECWildcardHits() : 0; }); + addGetStat("aggressive-nsec-cache-nsec3-wc-hits", [](){ return g_aggressiveNSECCache ? g_aggressiveNSECCache->getNSEC3WildcardHits() : 0; }); + addGetStat("malloc-bytes", doGetMallocated); addGetStat("servfail-answers", &g_stats.servFails); diff --git a/pdns/recursordist/RECURSOR-MIB.txt b/pdns/recursordist/RECURSOR-MIB.txt index 10e7c30a36..666da877d4 100644 --- a/pdns/recursordist/RECURSOR-MIB.txt +++ b/pdns/recursordist/RECURSOR-MIB.txt @@ -33,6 +33,9 @@ rec MODULE-IDENTITY REVISION "202002170000Z" DESCRIPTION "Added proxyProtocolInvalid metric." + REVISION "202101050000Z" + DESCRIPTION "Added Aggressive NSEC cache metrics." + ::= { powerdns 2 } powerdns OBJECT IDENTIFIER ::= { enterprises 43315 } 
@@ -895,6 +898,46 @@ taskQueueSize OBJECT-TYPE "Number of tasks currenlty in the taskqueues" ::= { stats 107 } +aggressiveNSECCacheEntries OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of entries in the aggressive NSEC cache" + ::= { stats 108 } + +aggressiveNSECCacheNSECHits OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of NSEC-related hits from the aggressive NSEC cache" + ::= { stats 109 } + +aggressiveNSECCacheNSEC3Hits OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of NSEC3-related hits from the aggressive NSEC cache" + ::= { stats 110 } + +aggressiveNSECCacheNSECWcHits OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of answers synthesized from the NSEC aggressive cache" + ::= { stats 111 } + +aggressiveNSECCacheNSEC3WcHits OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of answers synthesized from the NSEC3 aggressive cache" + ::= { stats 112 } + --- --- Traps / Notifications --- @@ -1045,7 +1088,12 @@ recGroup OBJECT-GROUP nodLookupsDroppedOversize, taskQueuePushed, taskQueueExpired, - taskQueueSize + taskQueueSize, + aggressiveNSECCacheEntries, + aggressiveNSECCacheNSECHits, + aggressiveNSECCacheNSEC3Hits, + aggressiveNSECCacheNSECWcHits, + aggressiveNSECCacheNSEC3WcHits } STATUS current DESCRIPTION "Objects conformance group for PowerDNS Recursor" diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc index 44228eaf42..014bcb955b 100644 --- a/pdns/recursordist/aggressive_nsec.cc +++ b/pdns/recursordist/aggressive_nsec.cc 
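Review bot: `aggressiveNSECCacheEntries` is declared `SYNTAX Counter64`, but the value it exposes can go down as well as up, because the same commit decrements `d_entriesCount` when expired entries are erased. SMIv2 counters are defined as monotonically increasing until they wrap, so a poller that computes rates may read a decrease as a wrap. The existing `taskQueueSize` object follows the same pattern, so this may be an accepted convention in this MIB. If it is, the DESCRIPTION should at least state that the value is a current size, e.g. `"Current number of entries in the aggressive NSEC cache (not a cumulative count)"`.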
@@ -172,6 +172,7 @@ void AggressiveNSECCache::insertNSEC(const DNSName& zone, const DNSName& owner, entry->d_entries.insert({record.d_content, signatures, owner, std::move(next), record.d_ttl}); } } + ++d_entriesCount; } bool AggressiveNSECCache::getNSECBefore(time_t now, std::shared_ptr& zoneEntry, const DNSName& name, ZoneEntry::CacheEntry& entry) { @@ -219,6 +220,7 @@ bool AggressiveNSECCache::getNSECBefore(time_t now, std::shared_ptrd_ttd <= now) { idx.erase(it); + --d_entriesCount; return false; } @@ -245,6 +247,7 @@ bool AggressiveNSECCache::getNSEC3(time_t now, std::shared_ptrd_ttd <= now) { idx.erase(it); + --d_entriesCount; return false; } @@ -332,6 +335,7 @@ bool AggressiveNSECCache::synthesizeFromNSEC3Wildcard(time_t now, const DNSName& /* and of course we won't deny the wildcard either */ LOG("Synthesized valid answer from NSEC3s and wildcard!"<d_zone, doDNSSEC, ret); addRecordToRRSet(now, exactNSEC3.d_owner, QType::NSEC3, exactNSEC3.d_ttd - now, exactNSEC3.d_record, exactNSEC3.d_signatures, doDNSSEC, ret); @@ -477,6 +483,7 @@ bool AggressiveNSECCache::getNSEC3Denial(time_t now, std::shared_ptr>& signatures, bool nsec3); bool getDenial(time_t, const DNSName& name, const QType& type, std::vector& ret, int& res, const ComboAddress& who, const boost::optional& routingTag, bool doDNSSEC); - //bool getBestZoneInfo(DNSName& lookup, bool& nsec3, std::string& salt, uint16_t& iterations); //void removeZoneInfo(const DNSName& zone); + uint64_t getEntriesCount() const + { + return d_entriesCount; + } + + uint64_t getNSECHits() const + { + return d_nsecHits; + } + + uint64_t getNSEC3Hits() const + { + return d_nsec3Hits; + } + + uint64_t getNSECWildcardHits() const + { + return d_nsecWildcardHits; + } + + uint64_t getNSEC3WildcardHits() const + { + return d_nsec3WildcardHits; + } + private: struct ZoneEntry 
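Review bot: `++d_entriesCount;` in insertNSEC sits after the closing braces of the insert branches, so it appears to run on every call, including calls where `entry->d_entries.insert(...)` added no new element because an equivalent entry was already cached. The only decrements visible in this patch are the `--d_entriesCount;` lines next to `idx.erase(it)` for expired entries, so the `aggressive-nsec-cache-entries` metric can drift above the real cache size. Assuming the container's insert returns the usual iterator/bool pair, increment only on success, e.g. `if (entry->d_entries.insert({...}).second) { ++d_entriesCount; }`. Any other removal path (pruning, zone removal) also needs a matching decrement. insertNSEC's body starts outside the hunk, so the branches above are only partly visible.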
@@ -102,6 +126,11 @@ private: SuffixMatchTree> d_zones; ReadWriteLock d_lock; + std::atomic d_entriesCount{0}; + std::atomic d_nsecHits{0}; + std::atomic d_nsec3Hits{0}; + std::atomic d_nsecWildcardHits{0}; + std::atomic d_nsec3WildcardHits{0}; }; diff --git a/pdns/recursordist/docs/metrics.rst b/pdns/recursordist/docs/metrics.rst index fd954b780f..149564867a 100644 --- a/pdns/recursordist/docs/metrics.rst +++ b/pdns/recursordist/docs/metrics.rst @@ -88,6 +88,30 @@ It should be noted that answers0-1 + answers1-10 + answers10-100 + answers100-10 Also note that unauthorized-tcp and unauthorized-udp packets do not end up in the 'questions' count. +aggressive-nsec-cache-entries +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +.. versionadded:: 4.5 + +number of entries in the aggressive NSEC cache + +aggressive-nsec-cache-nsec-hits +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +.. versionadded:: 4.5 + +number of negative answers generated from NSEC entries by the aggressive NSEC cache + +aggressive-nsec-cache-nsec3-wc-hits +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +.. versionadded:: 4.5 + +number of answers synthesized from NSEC entries and wildcards by the NSEC aggressive cache + +aggressive-nsec-cache-nsec3-wc-hits +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +.. versionadded:: 4.5 + +number of answers synthesized from NSEC entries and wildcards by the NSEC3 aggressive cache + all-outqueries ^^^^^^^^^^^^^^ counts the number of outgoing UDP queries since starting -- 2.47.2