From bfe0517fdcbe1dc62fee18e460ecf467dd491d9b Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Sun, 1 Mar 2009 02:45:38 +0000 Subject: [PATCH] Clarify logged message when an insecure DNSSEC response arrives from a zone thought to be secure: "insecurity proof failed" instead of "not insecure". [RT #19400] --- CHANGES | 5 +++++ bin/named/builtin.c | 3 ++- lib/dns/resolver.c | 16 ++++++---------- lib/dns/result.c | 4 ++-- lib/dns/validator.c | 16 ++++++++++------ 5 files changed, 25 insertions(+), 19 deletions(-) diff --git a/CHANGES b/CHANGES index 1d81d5eb5c4..552b9875181 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2566. [cleanup] Clarify logged message when an insecure DNSSEC + response arrives from a zone thought to be secure: + "insecurity proof failed" instead of "not + insecure". [RT #19400] + 2565. [func] Add support for HIP record. Includes new functions dns_rdata_hip_first(), dns_rdata_hip_next() and dns_rdata_hip_current(). [RT #19384] diff --git a/bin/named/builtin.c b/bin/named/builtin.c index 8cf5b233489..b4a4b1aca11 100644 --- a/bin/named/builtin.c +++ b/bin/named/builtin.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: builtin.c,v 1.14 2009/02/18 23:47:48 tbox Exp $ */ +/* $Id: builtin.c,v 1.15 2009/03/01 02:45:38 each Exp $ */ /*! \file * \brief @@ -132,6 +132,7 @@ do_authors_lookup(dns_sdblookup_t *lookup) { "Michael Graff", "Andreas Gustafsson", "Bob Halley", + "Evan Hunt", "David Lawrence", "Danny Mayer", "Damien Neil", diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index df79dc79d95..f0b0236def9 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.393 2009/02/27 23:01:48 marka Exp $ */ +/* $Id: resolver.c,v 1.394 2009/03/01 02:45:38 each Exp $ */ /*! \file */ 
@@ -2126,7 +2126,7 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason, char code[64]; isc_buffer_t b; isc_sockaddr_t *sa; - const char *sep1, *sep2; + const char *spc = ""; isc_sockaddr_t *address = &addrinfo->sockaddr; if (reason == DNS_R_LAME) @@ -2172,18 +2172,14 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason, isc_buffer_init(&b, code, sizeof(code) - 1); dns_rcode_totext(fctx->rmessage->rcode, &b); code[isc_buffer_usedlength(&b)] = '\0'; - sep1 = "("; - sep2 = ") "; + spc = " "; } else if (reason == DNS_R_UNEXPECTEDOPCODE) { isc_buffer_init(&b, code, sizeof(code) - 1); dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b); code[isc_buffer_usedlength(&b)] = '\0'; - sep1 = "("; - sep2 = ") "; + spc = " "; } else { code[0] = '\0'; - sep1 = ""; - sep2 = ""; } dns_name_format(&fctx->name, namebuf, sizeof(namebuf)); dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf)); @@ -2191,8 +2187,8 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason, isc_sockaddr_format(address, addrbuf, sizeof(addrbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, - "%s %s%s%sresolving '%s/%s/%s': %s", - dns_result_totext(reason), sep1, code, sep2, + "error (%s%s%s) resolving '%s/%s/%s': %s", + dns_result_totext(reason), spc, code, namebuf, typebuf, classbuf, addrbuf); } diff --git a/lib/dns/result.c b/lib/dns/result.c index 54c70e0e908..7265d28d48f 100644 --- a/lib/dns/result.c +++ b/lib/dns/result.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: result.c,v 1.125 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: result.c,v 1.126 2009/03/01 02:45:38 each Exp $ */ /*! \file */ 
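Review bot: `spc` in add_bad() is set to " " in two of the three branches and silently keeps its "" initializer in the else branch, but the declaration does not say what it separates, which makes the new `"error (%s%s%s) resolving ..."` format harder to read than the old sep1/sep2 pair was; a one-line comment at the declaration would fix that, e.g. `/* separator between the result text and an rcode/opcode name; empty when there is none */`. The same point applies to the two later hunks of this function that assign `spc`. add_bad() begins before this hunk.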
@@ -105,7 +105,7 @@ static const char *text[DNS_R_NRESULTS] = { "no valid RRSIG", /*%< 59 DNS_R_NOVALIDSIG */ "no valid NSEC", /*%< 60 DNS_R_NOVALIDNSEC */ - "not insecure", /*%< 61 DNS_R_NOTINSECURE */ + "insecurity proof failed", /*%< 61 DNS_R_NOTINSECURE */ "unknown service", /*%< 62 DNS_R_UNKNOWNSERVICE */ "recoverable error occurred", /*%< 63 DNS_R_RECOVERABLE */ "unknown opt attribute record", /*%< 64 DNS_R_UNKNOWNOPT */ diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 5874750dd19..0c9477de7d7 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.169 2009/02/15 23:46:23 marka Exp $ */ +/* $Id: validator.c,v 1.170 2009/03/01 02:45:38 each Exp $ */ #include @@ -3222,7 +3222,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) /* * If we have a DS rdataset and it is secure then check if * the DS rdataset has a supported algorithm combination. - * If not this is a insecure delegation as far as this + * If not this is an insecure delegation as far as this * resolver is concerned. Fall back to DLV if available. */ if (have_ds && val->frdataset.trust >= dns_trust_secure && @@ -3276,7 +3276,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { /* * There is no DS. If this is a delegation, - * we maybe done. + * we may be done. */ if (val->frdataset.trust == dns_trust_pending) { result = create_fetch(val, tname, @@ -3394,9 +3394,9 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume) return (nsecvalidate(val, ISC_FALSE)); } */ - + /* Couldn't complete insecurity proof */ validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed"); - return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */ + return (DNS_R_NOTINSECURE); out: if (dns_rdataset_isassociated(&val->frdataset)) 
@@ -3435,7 +3435,7 @@ dlv_validator_start(dns_validator_t *val) { * \li 3. a negative answer (secure or unsecure). * * Note a answer that appears to be a secure positive answer may actually - * be a unsecure positive answer. + * be an unsecure positive answer. */ static void validator_start(isc_task_t *task, isc_event_t *event) { @@ -3500,6 +3500,10 @@ validator_start(isc_task_t *task, isc_event_t *event) { val->attributes |= VALATTR_INSECURITY; result = proveunsecure(val, ISC_FALSE, ISC_FALSE); + if (result != DNS_R_NOTINSECURE) + validator_log(val, ISC_LOG_INFO, + "got insecure response; " + "could not prove it was valid"); } else if (val->event->rdataset == NULL && val->event->sigrdataset == NULL) { -- 2.47.3
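Review bot: The new test after proveunsecure() in validator_start() looks inverted: `if (result != DNS_R_NOTINSECURE)` emits "got insecure response; could not prove it was valid" on every outcome except the failed proof, whereas the earlier hunk in proveunsecure() shows DNS_R_NOTINSECURE is exactly the value it returns when the insecurity proof fails. As written the INFO-level message fires on the successful proof and, presumably, on any deferred-fetch result too, so routine queries into unsigned delegations would flood the log with a misleading message while the genuine failure stays silent. The line should read `if (result == DNS_R_NOTINSECURE)`. validator_start() continues outside this hunk.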