From f368990ef0b3873f641b079f08537bea80b9d0e3 Mon Sep 17 00:00:00 2001 From: Otto Moerbeek Date: Thu, 8 May 2025 12:25:36 +0200 Subject: [PATCH] Add setting and metric --- pdns/recursordist/RECURSOR-MIB.txt | 11 ++++++++++- pdns/recursordist/lwres.cc | 2 +- pdns/recursordist/metrics_table.py | 6 ++++++ pdns/recursordist/rec-main.cc | 1 + pdns/recursordist/rec-rust-lib/table.py | 12 ++++++++++++ regression-tests.recursor-dnssec/test_SNMP.py | 2 +- 6 files changed, 31 insertions(+), 3 deletions(-) diff --git a/pdns/recursordist/RECURSOR-MIB.txt b/pdns/recursordist/RECURSOR-MIB.txt index 2f95b69bf5..c9b83836d3 100644 --- a/pdns/recursordist/RECURSOR-MIB.txt +++ b/pdns/recursordist/RECURSOR-MIB.txt @@ -1291,6 +1291,14 @@ tcpOverflow OBJECT-TYPE "Incoming TCP limits reached" ::= { stats 152 } +ecsMissing OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current + DESCRIPTION + "Number of answers where ECS info was missing" + ::= { stats 153 } + --- --- Traps / Notifications --- @@ -1489,7 +1497,8 @@ recGroup OBJECT-GROUP maxChainLength, maxChainWeight, chainLimits, - tcpOverflow + tcpOverflow, + ecsMissing } STATUS current DESCRIPTION "Objects conformance group for PowerDNS Recursor" diff --git a/pdns/recursordist/lwres.cc b/pdns/recursordist/lwres.cc index 5923fb1c10..f00fa48908 100644 --- a/pdns/recursordist/lwres.cc +++ b/pdns/recursordist/lwres.cc @@ -58,7 +58,7 @@ thread_local TCPOutConnectionManager t_tcp_manager; std::shared_ptr g_slogout; bool g_paddingOutgoing; -bool g_ECSHardening{false}; +bool g_ECSHardening; void remoteLoggerQueueData(RemoteLoggerInterface& rli, const std::string& data) { diff --git a/pdns/recursordist/metrics_table.py b/pdns/recursordist/metrics_table.py index f1ef6eb608..9bd117049a 100644 --- a/pdns/recursordist/metrics_table.py +++ b/pdns/recursordist/metrics_table.py 
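Review bot: In pdns/recursordist/lwres.cc the new `bool g_ECSHardening;` carries no comment saying where its value comes from, and with the `{false}` initializer dropped the default is no longer visible at the definition. It appears to be a namespace-scope variable, so it is still zero-initialized and stays false until the assignment this patch adds in serviceMain() runs. I would add a comment such as `// ECS hardening, off until serviceMain() reads edns-subnet-harden`, so a reader of this file can see that the check is opt-in.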
@@ -1401,4 +1401,10 @@ 'pname': 'proxy-mapping-total-n-0', # For multicounters, state the first # No SNMP }, + { + 'name': 'ecs-missing', + 'lambda': '[] { return g_Counters.sum(rec::Counter::ecsMissingCount); }', + 'desc': 'Number of answers where ECS info was missing', + 'snmp': 153, + }, ] diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc index 73f111a17e..2f4540b20f 100644 --- a/pdns/recursordist/rec-main.cc +++ b/pdns/recursordist/rec-main.cc @@ -2310,6 +2310,7 @@ static int serviceMain(Logr::log_t log) } g_paddingTag = ::arg().asNum("edns-padding-tag"); g_paddingOutgoing = ::arg().mustDo("edns-padding-out"); + g_ECSHardening = ::arg().mustDo("edns-subnet-harden"); RecThreadInfo::setNumDistributorThreads(::arg().asNum("distributor-threads")); RecThreadInfo::setNumUDPWorkerThreads(::arg().asNum("threads")); diff --git a/pdns/recursordist/rec-rust-lib/table.py b/pdns/recursordist/rec-rust-lib/table.py index 71f67bde9b..3be6609cbb 100644 --- a/pdns/recursordist/rec-rust-lib/table.py +++ b/pdns/recursordist/rec-rust-lib/table.py @@ -951,6 +951,18 @@ By default, this option is empty, meaning no EDNS Client Subnet information is s ''', 'versionadded': '4.5.0' }, + { + 'name' : 'edns_subnet_harden', + 'section' : 'outgoing', + 'type' : LType.Bool, + 'default' : 'false', + 'help' : 'Do more strict checking or EDNS Client Subnet information returned by authoritative servers', + 'doc' : ''' +Do more strict checking or EDNS Client Subnet information returned by authoritative servers. +Answers missing ECS information will be ignored and followed up by an ECS-less query. + ''', + 'versionadded': ['5.2.x', '5.1.x', '5.0.x'] + }, { 'name' : 'enable_old_settings', 'section' : 'recursor', diff --git a/regression-tests.recursor-dnssec/test_SNMP.py b/regression-tests.recursor-dnssec/test_SNMP.py index 40907ad3ab..c55c5818ef 100644 --- a/regression-tests.recursor-dnssec/test_SNMP.py +++ b/regression-tests.recursor-dnssec/test_SNMP.py 
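Review bot: In pdns/recursordist/metrics_table.py the 'desc' of the new ecs-missing entry does not say which answers are counted, which matters to anyone alerting on this counter. The code that increments rec::Counter::ecsMissingCount is not part of this patch, so the exact condition has to be confirmed there. If it only counts answers to queries that carried ECS, the text could read `'desc': 'Number of answers from authoritative servers that lacked the expected ECS information'`. The same sentence is used as the DESCRIPTION of ecsMissing in RECURSOR-MIB.txt, so the two should be changed together.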
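Review bot: In pdns/recursordist/rec-rust-lib/table.py both 'help' and 'doc' of edns_subnet_harden say "Do more strict checking or EDNS Client Subnet information", where "or" should be "of": `'help' : 'Do more strict checking of EDNS Client Subnet information returned by authoritative servers',`. The doc text explains the follow-up ECS-less query but not what the stricter check protects against. Because the default is 'false', the hardening only takes effect when an operator knows to enable it, so a sentence on when to turn it on would help. The 'versionadded' values '5.2.x', '5.1.x' and '5.0.x' look like placeholders and would need the real release numbers before this ships.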
@@ -21,7 +21,7 @@ class SNMPTest(RecursorTest): """ def _checkStatsValues(self, results): - count = 152 + count = 153 for i in list(range(1, count)): oid = self._snmpOID + '.1.' + str(i) + '.0' self.assertTrue(oid in results) -- 2.47.2
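Review bot: In regression-tests.recursor-dnssec/test_SNMP.py, `for i in list(range(1, count))` stops at count - 1, so with `count = 153` the loop asserts stats 1 through 152 and the newly added stat 153 (ecsMissing) is never checked. If count is meant to be the number of stats, the loop should be `for i in range(1, count + 1):`. _checkStatsValues continues outside the hunk, so count may be used again further down; that use needs checking before the bound is changed.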