From: Petr Špaček Date: Fri, 5 Aug 2022 12:03:30 +0000 (+0200) Subject: Log reason why recursion is not available X-Git-Tag: v9.19.6~60^2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=95fc05c45468d023f302dc0d1ea8ab1a2f1d1c84;p=thirdparty%2Fbind9.git Log reason why recursion is not available Log which ACL caused RA=0 condition. Expected performance impact is negligible. --- diff --git a/lib/ns/client.c b/lib/ns/client.c index 6c491afa596..70e091a45b7 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -1713,6 +1713,24 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult, #ifdef HAVE_DNSTAP dns_dtmsgtype_t dtmsgtype; #endif /* ifdef HAVE_DNSTAP */ + static const char *ra_reasons[] = { + "ACLs not processed yet", + "no resolver in view", + "recursion not enabled for view", + "allow-recursion did not match", + "allow-query-cache did not match", + "allow-recursion-on did not match", + "allow-query-cache-on did not match", + }; + enum refusal_reasons { + INVALID, + NO_RESOLVER, + RECURSION_DISABLED, + ALLOW_RECURSION, + ALLOW_QUERY_CACHE, + ALLOW_RECURSION_ON, + ALLOW_QUERY_CACHE_ON + } ra_refusal_reason = INVALID; if (eresult != ISC_R_SUCCESS) { return; @@ -2152,28 +2170,42 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult, * cache there is no point in setting RA. */ ra = false; - if (client->view->resolver != NULL && client->view->recursion && - ns_client_checkaclsilent(client, NULL, client->view->recursionacl, - true) == ISC_R_SUCCESS && - ns_client_checkaclsilent(client, NULL, client->view->cacheacl, - true) == ISC_R_SUCCESS && - ns_client_checkaclsilent(client, &client->destaddr, - client->view->recursiononacl, - true) == ISC_R_SUCCESS && - ns_client_checkaclsilent(client, &client->destaddr, - client->view->cacheonacl, - true) == ISC_R_SUCCESS) + + /* must be initialized before ns_client_log uses it as index */ + if (client->view->resolver == NULL) { + ra_refusal_reason = NO_RESOLVER; + } else if (!client->view->recursion) { + ra_refusal_reason = RECURSION_DISABLED; + } else if (ns_client_checkaclsilent(client, NULL, + client->view->recursionacl, + true) != ISC_R_SUCCESS) + { + ra_refusal_reason = ALLOW_RECURSION; + } else if (ns_client_checkaclsilent(client, NULL, + client->view->cacheacl, + true) != ISC_R_SUCCESS) + { + ra_refusal_reason = ALLOW_QUERY_CACHE; + } else if (ns_client_checkaclsilent(client, &client->destaddr, + client->view->recursiononacl, + true) != ISC_R_SUCCESS) + { + ra_refusal_reason = ALLOW_RECURSION_ON; + } else if (ns_client_checkaclsilent(client, &client->destaddr, + client->view->cacheonacl, + true) != ISC_R_SUCCESS) { + ra_refusal_reason = ALLOW_QUERY_CACHE_ON; + } else { ra = true; - } - - if (ra) { client->attributes |= NS_CLIENTATTR_RA; } ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), - ra ? "recursion available" : "recursion not available"); + ra ? "recursion available" + : "recursion not available (%s)", + ra_reasons[ra_refusal_reason]); /* * Adjust maximum UDP response size for this client.