From: bert hubert
Date: Wed, 18 Mar 2015 10:44:05 +0000 (+0100)
Subject: implement & document DNSSEC pool rules
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~88^2~39
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b4fd86c3a8c00f5604664a8a6f8c901417e5cb0b;p=thirdparty%2Fpdns.git
implement & document DNSSEC pool rules
---
diff --git a/pdns/README-dnsdist.md b/pdns/README-dnsdist.md
index ce1f128b7e..d001eefbfa 100644
--- a/pdns/README-dnsdist.md
+++ b/pdns/README-dnsdist.md
@@ -206,6 +206,19 @@ servers that lack this feature. Note that calling `addAnyTCRule()` achieves the same thing, without involving Lua.
+DNSSEC
+------
+To provide DNSSEC service from a separate pool, try:
+```
+newServer{address="2001:888:2000:1d::2", pool="dnssec"}
+newServer{address="2a01:4f8:110:4389::2", pool="dnssec"}
+setDNSSECPool("dnssec")
+topRule()
+```
+
+This routes all queries with a DNSSEC OK (DO) or CD bit set to on to the "dnssec" pool.
+The final `topRule()` command moves this rule to the top, so it gets evaluated first.
+
 Inspecting live traffic
 -----------------------
 This is still much in flux, but for now, try:
@@ -431,6 +444,9 @@ Here are all functions:
 * `rmRule(n)`: remove rule n
 * `mvRule(from, to)`: move rule 'from' to a position where it is in front of 'to'. 'to' can be one larger than the largest rule, in which case the rule will be moved to the last position.
+ * Specialist rule generators
+ * addAnyTCRule(): generate TC=1 answers to ANY queries, moving them to TCP
+ * setDNSSECPool(): move queries requesting DNSSEC processing to this pool
 * Pool related:
 * `addPoolRule(domain, pool)`: send queries to this domain to that pool
 * `addPoolRule({domain, domain}, pool)`: send queries to these domains to that pool
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 74a5ab6dec..fa6d926ac7 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -17,7 +17,7 @@ vector> setupLua(bool client)
 [client](boost::variant> pvars, boost::optional qps)
 {
 if(client) {
- return shared_ptr();
+ return std::make_shared(ComboAddress());
 }
 if(auto address = boost::get(&pvars)) {
 auto ret=std::make_shared(ComboAddress(*address, 53));
@@ -97,6 +97,15 @@ vector> setupLua(bool client)
 g_rulactions.setState(rules);
 });
+ g_lua.writeFunction("topRule", []() {
+ auto rules = g_rulactions.getCopy();
+ if(rules.empty())
+ return;
+ auto subject = *rules.rbegin();
+ rules.erase(std::prev(rules.end()));
+ rules.insert(rules.begin(), subject);
+ g_rulactions.setState(rules);
+ });
 g_lua.writeFunction("mvRule", [](unsigned int from, unsigned int to) {
 auto rules = g_rulactions.getCopy();
 if(from >= rules.size() || to > rules.size()) {
diff --git a/pdns/dnsdist.cc b/pdns/dnsdist.cc
index 8de15d2465..ad8498511d 100644
--- a/pdns/dnsdist.cc
+++ b/pdns/dnsdist.cc
@@ -980,7 +980,7 @@ char* my_generator(const char* text, int state)
 vector words{"showRules()", "shutdown()", "rmRule(", "mvRule(", "addACL(", "addLocal(", "setServerPolicy(", "setServerPolicyLua(", "newServer(", "rmServer(", "showServers()", "show(", "newDNSName(", "newSuffixMatchNode(", "controlSocket(", "topClients(", "showResponseLatency()", "newQPSLimiter(", "makeKey()", "setKey(", "testCrypto()", "addAnyTCRule()", "showServerPolicy()", "setACL(", "showACL()", "addDomainBlock(",
- "addPoolRule(", "addQPSLimit(", "topResponses(", "topQueries("};
+ "addPoolRule(", "addQPSLimit(", "topResponses(", "topQueries(", "topRule()", "setDNSSECPool("};
 static int s_counter=0;
 int counter=0;
 if(!state)
diff --git a/pdns/dnsdistconf.lua b/pdns/dnsdistconf.lua
index e844e6ee78..a444840157 100644
--- a/pdns/dnsdistconf.lua
+++ b/pdns/dnsdistconf.lua
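Review bot: In client mode the `newServer` handler now returns a live placeholder built from a default `ComboAddress()` instead of an empty shared_ptr, and nothing in the hunk records that this object is a dummy that must never receive traffic; the enclosing lambda and `setupLua` both begin outside the hunk. The change reads like a null-dereference fix for scripts that immediately call methods on the returned handle (the sample config does `xs:addPool(...)`), but whether the server object's constructor opens a socket towards the all-zero address for this throwaway instance is not visible here and is worth confirming. A one-line comment above the return would settle it for the next reader: `// client mode: detached placeholder so scripts can still call methods on it; it never serves queries`.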
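Review bot: `topRule()` promotes whichever rule is currently last, not the rule the operator believes they just created, so with two control-socket sessions appending rules the wrong one can end up evaluated first; since rule order decides which pool a query reaches (the README's DNSSEC pool example depends on it), that deserves a comment above the `writeFunction` call: `// moves the most recently added (last) rule to the front so it is evaluated first`. The `getCopy()` then `setState()` sequence also drops any rule added between the two calls; `mvRule` below has the same shape, so this is a pre-existing pattern, and whether `g_rulactions` serialises writers is not visible in this hunk. On style, `auto subject = *rules.rbegin(); rules.erase(std::prev(rules.end())); rules.insert(rules.begin(), subject);` is a rotation and reads better as `std::rotate(rules.begin(), std::prev(rules.end()), rules.end());` (needs `<algorithm>`, whose inclusion I cannot see from here); the `rules.empty()` guard stays.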
@@ -57,9 +57,9 @@ end
 xs=newServer{address="2001:888:2000:1d::2", pool="auth"}
 newServer{address="2a01:4f8:110:4389::2", pool="auth"}
- xs:addPool("dnssec")
 setDNSSECPool("dnssec")
+topRule()
 function splitSetup(servers, remote, qname, qtype, dh)
 if(dh:getRD() == false)
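Review bot: The single removed line in this hunk cannot be told apart in this rendering from a removed blank line versus `xs:addPool("dnssec")`; if it is the latter that was dropped, no server is a member of the "dnssec" pool any more, so every DO/CD query that `setDNSSECPool("dnssec")` now steers there lands in an empty pool, and what dnsdist does with a query for a pool without members is not visible here. Please confirm `xs` still joins the pool, or use `pool="dnssec"` on `newServer` as the README example does. Separately, `topRule()` acts on whatever rule is last in the list, so it must stay immediately after `setDNSSECPool("dnssec")`; a comment makes that coupling explicit: `-- topRule() promotes the rule just appended by setDNSSECPool(); keep the two calls adjacent`.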