mirror of
https://github.com/isc-projects/bind9.git
synced 2026-04-28 09:37:10 -04:00
4759. [func] Add logging channel "trust-anchor-telementry" to
record trust-anchor-telementry in incoming requests.
Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
are logged. [RT #46124]
This commit is contained in:
Mark Andrews
parent
99e0079380
commit
b41c1aacbc
10 changed files with 137 additions and 6 deletions
5
CHANGES
5
CHANGES
|
|
@ -1,3 +1,8 @@
|
|||
4759. [func] Add logging channel "trust-anchor-telementry" to
|
||||
record trust-anchor-telementry in incoming requests.
|
||||
Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
|
||||
are logged. [RT #46124]
|
||||
|
||||
4758. [doc] Remove documentation of unimplemented "topology".
|
||||
[RT #46161]
|
||||
|
||||
|
|
|
|||
|
|
@ -302,6 +302,7 @@ init_desc(void) {
|
|||
"successful uses of stale cache data after lookup failure",
|
||||
"QryUsedStale");
|
||||
SET_NSSTATDESC(prefetch, "queries triggered prefetch", "Prefetch");
|
||||
SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt");
|
||||
INSIST(i == ns_statscounter_max);
|
||||
|
||||
/* Initialize resolver statistics */
|
||||
|
|
|
|||
|
|
@ -3315,16 +3315,24 @@ n=`expr $n + 1`
|
|||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that trust-anchor-telemetry queries are received ($n)"
|
||||
echo "I:check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)"
|
||||
ret=0
|
||||
grep "query '_ta-[0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1
|
||||
grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that trust-anchor-telemetry are not sent when disabled ($n)"
|
||||
echo "I:check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)"
|
||||
ret=0
|
||||
grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns1/named.run > /dev/null && ret=1
|
||||
grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
|
||||
grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
|
|
|||
|
|
@ -324,6 +324,16 @@
|
|||
</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row rowsep="0">
|
||||
<entry colname="1">
|
||||
<para><command>trust-anchor-telemetry</command></para>
|
||||
</entry>
|
||||
<entry colname="2">
|
||||
<para>
|
||||
Logs trust-anchor-telemetry requests received by named.
|
||||
</para>
|
||||
</entry>
|
||||
</row>
|
||||
<row rowsep="0">
|
||||
<entry colname="1">
|
||||
<para><command>unmatched</command></para>
|
||||
|
|
|
|||
|
|
@ -544,6 +544,12 @@ exit_check(ns_client_t *client) {
|
|||
client->mortal = ISC_FALSE;
|
||||
client->sendcb = NULL;
|
||||
|
||||
if (client->keytag != NULL) {
|
||||
isc_mem_put(client->mctx, client->keytag,
|
||||
client->keytag_len);
|
||||
client->keytag_len = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Put the client on the inactive list. If we are aiming for
|
||||
* the "freed" state, it will be removed from the inactive
|
||||
|
|
@ -612,6 +618,11 @@ exit_check(ns_client_t *client) {
|
|||
dns_message_puttemprdataset(client->message,
|
||||
&client->opt);
|
||||
}
|
||||
if (client->keytag != NULL) {
|
||||
isc_mem_put(client->mctx, client->keytag,
|
||||
client->keytag_len);
|
||||
client->keytag_len = 0;
|
||||
}
|
||||
|
||||
dns_message_destroy(&client->message);
|
||||
|
||||
|
|
@ -2094,6 +2105,23 @@ process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
|
|||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
|
||||
|
||||
if (optlen == 0 || (optlen % 2) != 0) {
|
||||
isc_buffer_forward(buf, (unsigned int)optlen);
|
||||
return (DNS_R_OPTERR);
|
||||
}
|
||||
|
||||
client->keytag = isc_mem_get(client->mctx, optlen);
|
||||
if (client->keytag != NULL) {
|
||||
client->keytag_len = optlen;
|
||||
memmove(client->keytag, isc_buffer_current(buf), optlen);
|
||||
}
|
||||
isc_buffer_forward(buf, (unsigned int)optlen);
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
static isc_result_t
|
||||
process_opt(ns_client_t *client, dns_rdataset_t *opt) {
|
||||
dns_rdata_t rdata;
|
||||
|
|
@ -2190,6 +2218,16 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
|
|||
ns_statscounter_padopt);
|
||||
isc_buffer_forward(&optbuf, optlen);
|
||||
break;
|
||||
case DNS_OPT_KEY_TAG:
|
||||
result = process_keytag(client, &optbuf,
|
||||
optlen);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
ns_client_error(client, result);
|
||||
return (result);
|
||||
}
|
||||
ns_stats_increment(client->sctx->nsstats,
|
||||
ns_statscounter_keytagopt);
|
||||
break;
|
||||
default:
|
||||
ns_stats_increment(client->sctx->nsstats,
|
||||
ns_statscounter_otheropt);
|
||||
|
|
@ -3014,6 +3052,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
|
|||
ISC_LINK_INIT(client, link);
|
||||
ISC_LINK_INIT(client, rlink);
|
||||
ISC_QLINK_INIT(client, ilink);
|
||||
client->keytag = NULL;
|
||||
client->keytag_len = 0;
|
||||
|
||||
/*
|
||||
* We call the init routines for the various kinds of client here,
|
||||
|
|
|
|||
|
|
@ -164,6 +164,8 @@ struct ns_client {
|
|||
ISC_QLINK(ns_client_t) ilink;
|
||||
unsigned char cookie[8];
|
||||
isc_uint32_t expire;
|
||||
unsigned char *keytag;
|
||||
isc_uint16_t keytag_len;
|
||||
};
|
||||
|
||||
typedef ISC_QUEUE(ns_client_t) client_queue_t;
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ LIBNS_EXTERNAL_DATA extern isc_logmodule_t ns_modules[];
|
|||
#define NS_LOGCATEGORY_QUERIES (&ns_categories[3])
|
||||
#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_categories[4])
|
||||
#define NS_LOGCATEGORY_QUERY_ERRORS (&ns_categories[5])
|
||||
#define NS_LOGCATEGORY_TAT (&ns_categories[6])
|
||||
|
||||
/*
|
||||
* Backwards compatibility.
|
||||
|
|
|
|||
|
|
@ -97,8 +97,9 @@ enum {
|
|||
ns_statscounter_usedstale = 62,
|
||||
|
||||
ns_statscounter_prefetch = 63,
|
||||
ns_statscounter_keytagopt = 64,
|
||||
|
||||
ns_statscounter_max = 64
|
||||
ns_statscounter_max = 65
|
||||
};
|
||||
|
||||
void
|
||||
|
|
|
|||
|
|
@ -31,6 +31,7 @@ LIBNS_EXTERNAL_DATA isc_logcategory_t ns_categories[] = {
|
|||
{ "unmatched", 0 },
|
||||
{ "update-security", 0 },
|
||||
{ "query-errors", 0 },
|
||||
{ "trust-anchor-telemetry", 0 },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -4027,7 +4027,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
|
|||
zbits &= allowed;
|
||||
if (zbits != 0) {
|
||||
isc_netaddr_fromsockaddr(&netaddr,
|
||||
&client->peeraddr);
|
||||
&client->peeraddr);
|
||||
result = rpz_rewrite_ip(client, &netaddr, qtype,
|
||||
DNS_RPZ_TYPE_CLIENT_IP,
|
||||
zbits, &rdataset);
|
||||
|
|
@ -10478,6 +10478,66 @@ query_done(query_ctx_t *qctx) {
|
|||
return (qctx->result);
|
||||
}
|
||||
|
||||
static inline void
|
||||
log_tat(ns_client_t *client) {
|
||||
char namebuf[DNS_NAME_FORMATSIZE];
|
||||
char clientbuf[ISC_NETADDR_FORMATSIZE];
|
||||
char classname[DNS_RDATACLASS_FORMATSIZE];
|
||||
isc_netaddr_t netaddr;
|
||||
char *tags = NULL;
|
||||
size_t taglen = 0;
|
||||
|
||||
if (!isc_log_wouldlog(ns_lctx, ISC_LOG_INFO)) {
|
||||
return;
|
||||
}
|
||||
|
||||
if ((client->query.qtype != dns_rdatatype_null ||
|
||||
!dns_name_istat(client->query.qname)) &&
|
||||
(client->keytag == NULL ||
|
||||
client->query.qtype != dns_rdatatype_dnskey))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
|
||||
dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
|
||||
isc_netaddr_format(&client->destaddr, clientbuf, sizeof(clientbuf));
|
||||
dns_rdataclass_format(client->view->rdclass, classname,
|
||||
sizeof(classname));
|
||||
|
||||
if (client->query.qtype == dns_rdatatype_dnskey) {
|
||||
isc_uint16_t keytags = client->keytag_len / 2;
|
||||
size_t len = taglen = sizeof("65000") * keytags + 1;
|
||||
char *cp = tags = isc_mem_get(client->mctx, taglen);
|
||||
int i = 0;
|
||||
|
||||
INSIST(client->keytag != NULL);
|
||||
if (tags != NULL) {
|
||||
while (keytags-- > 0U) {
|
||||
int n;
|
||||
isc_uint16_t keytag;
|
||||
keytag = (client->keytag[i * 2] << 8) |
|
||||
client->keytag[i * 2 + 1];
|
||||
n = snprintf(cp, len, " %u", keytag);
|
||||
if (n > 0 && (size_t)n <= len) {
|
||||
cp += n;
|
||||
len -= n;
|
||||
i++;
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
isc_log_write(ns_lctx, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY,
|
||||
ISC_LOG_INFO, "trust-anchor-telemetry '%s/%s' from %s%s",
|
||||
namebuf, classname, clientbuf, tags != NULL? tags : "");
|
||||
if (tags != NULL) {
|
||||
isc_mem_put(client->mctx, tags, taglen);
|
||||
}
|
||||
}
|
||||
|
||||
static inline void
|
||||
log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
|
||||
char namebuf[DNS_NAME_FORMATSIZE];
|
||||
|
|
@ -10691,6 +10751,8 @@ ns_query_start(ns_client_t *client) {
|
|||
client->query.qtype = qtype = rdataset->type;
|
||||
dns_rdatatypestats_increment(client->sctx->rcvquerystats, qtype);
|
||||
|
||||
log_tat(client);
|
||||
|
||||
if (dns_rdatatype_ismeta(qtype)) {
|
||||
switch (qtype) {
|
||||
case dns_rdatatype_any:
|
||||
|
|
|
|||
Loading…
Reference in a new issue