Log option for bogus only.
git-svn-id: file:///svn/unbound/trunk@1734 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
parent
f73ce55c6e
commit
72aa0bad92
12 changed files with 1163 additions and 1095 deletions
@ -1,6 +1,8 @@
|
||||||
20 July 2009: Wouter
|
20 July 2009: Wouter
|
||||||
- Ignore transient sendto errors, no route to host, and host, net down.
|
- Ignore transient sendto errors, no route to host, and host, net down.
|
||||||
- contrib/update-anchor.sh has -r option for root-hints.
|
- contrib/update-anchor.sh has -r option for root-hints.
|
||||||
|
- feature val-log-level: 1 prints validation failures so you can
|
||||||
|
keep track of them during dnssec deployment.
|
||||||
|
|
||||||
16 July 2009: Wouter
|
16 July 2009: Wouter
|
||||||
- fix replacement malloc code. Used in crosscompile.
|
- fix replacement malloc code. Used in crosscompile.
|
||||||
|
|
|
||||||
|
|
@ -342,6 +342,10 @@ server:
|
||||||
# replies if the message is found secure. The default is off.
|
# replies if the message is found secure. The default is off.
|
||||||
# val-permissive-mode: no
|
# val-permissive-mode: no
|
||||||
|
|
||||||
|
# Have the validator log failed validations for your diagnosis.
|
||||||
|
# 0: off. 1: A line per failed user query.
|
||||||
|
# val-log-level: 0
|
||||||
|
|
||||||
# It is possible to configure NSEC3 maximum iteration counts per
|
# It is possible to configure NSEC3 maximum iteration counts per
|
||||||
# keysize. Keep this table very short, as linear search is done.
|
# keysize. Keep this table very short, as linear search is done.
|
||||||
# A message with an NSEC3 with larger count is marked insecure.
|
# A message with an NSEC3 with larger count is marked insecure.
|
||||||
|
|
|
||||||
|
|
@ -563,6 +563,13 @@ indeterminate or unchecked are not affected. Default is yes. Use this setting
|
||||||
to protect the users that rely on this validator for authentication from
|
to protect the users that rely on this validator for authentication from
|
||||||
protentially bad data in the additional section.
|
protentially bad data in the additional section.
|
||||||
.TP
|
.TP
|
||||||
|
.B val\-log\-level: \fI<number>
|
||||||
|
Have the validator print validation failures to the log. Regardless of the
|
||||||
|
verbosity setting. Default is 0, off. At 1, for every user query that fails
|
||||||
|
a line is printed to the logs. This way you can monitor what happens with
|
||||||
|
validation. Use a diagnosis tool, such as dig or drill, to find out why
|
||||||
|
validation is failing for these queries.
|
||||||
|
.TP
|
||||||
.B val\-permissive\-mode: \fI<yes or no>
|
.B val\-permissive\-mode: \fI<yes or no>
|
||||||
Instruct the validator to mark bogus messages as indeterminate. The security
|
Instruct the validator to mark bogus messages as indeterminate. The security
|
||||||
checks are performed, but if the result is bogus (failed security), the
|
checks are performed, but if the result is bogus (failed security), the
|
||||||
|
|
|
||||||
|
|
@ -175,6 +175,7 @@ print_option(struct config_file* cfg, const char* opt)
|
||||||
else O_STR(opt, "dlv-anchor-file", dlv_anchor_file)
|
else O_STR(opt, "dlv-anchor-file", dlv_anchor_file)
|
||||||
else O_DEC(opt, "val-bogus-ttl", bogus_ttl)
|
else O_DEC(opt, "val-bogus-ttl", bogus_ttl)
|
||||||
else O_YNO(opt, "val-clean-additional", val_clean_additional)
|
else O_YNO(opt, "val-clean-additional", val_clean_additional)
|
||||||
|
else O_DEC(opt, "val-log-level", val_log_level)
|
||||||
else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
|
else O_YNO(opt, "val-permissive-mode", val_permissive_mode)
|
||||||
else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
|
else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
|
||||||
else O_MEM(opt, "key-cache-size", key_cache_size)
|
else O_MEM(opt, "key-cache-size", key_cache_size)
|
||||||
|
|
|
||||||
|
|
@ -155,6 +155,7 @@ config_create()
|
||||||
cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
|
cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */
|
||||||
cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */
|
cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */
|
||||||
cfg->val_clean_additional = 1;
|
cfg->val_clean_additional = 1;
|
||||||
|
cfg->val_log_level = 0;
|
||||||
cfg->val_permissive_mode = 0;
|
cfg->val_permissive_mode = 0;
|
||||||
cfg->key_cache_size = 4 * 1024 * 1024;
|
cfg->key_cache_size = 4 * 1024 * 1024;
|
||||||
cfg->key_cache_slabs = 4;
|
cfg->key_cache_slabs = 4;
|
||||||
|
|
@ -375,6 +376,9 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||||
} else if(strcmp(opt, "val-clean-additional:") == 0) {
|
} else if(strcmp(opt, "val-clean-additional:") == 0) {
|
||||||
IS_YES_OR_NO;
|
IS_YES_OR_NO;
|
||||||
cfg->val_clean_additional = (strcmp(val, "yes") == 0);
|
cfg->val_clean_additional = (strcmp(val, "yes") == 0);
|
||||||
|
} else if(strcmp(opt, "val-log-level:") == 0) {
|
||||||
|
IS_NUMBER_OR_ZERO;
|
||||||
|
cfg->val_log_level = atoi(val);
|
||||||
} else if(strcmp(opt, "val-permissive-mode:") == 0) {
|
} else if(strcmp(opt, "val-permissive-mode:") == 0) {
|
||||||
IS_YES_OR_NO;
|
IS_YES_OR_NO;
|
||||||
cfg->val_permissive_mode = (strcmp(val, "yes") == 0);
|
cfg->val_permissive_mode = (strcmp(val, "yes") == 0);
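Review bot: The new `val-log-level:` branch in config_set_option stores `atoi(val)` straight after `IS_NUMBER_OR_ZERO`, so a negative value such as `-1` or a partially numeric string such as `1x` passes the check and is stored as-is. The only consumer visible in this commit compares the field with `>= 1`, so a negative value silently behaves as "off" instead of being reported as a configuration error. If IS_NUMBER_OR_ZERO (defined outside this hunk) only verifies that atoi returns non-zero or that the string is exactly "0", consider rejecting values below 0 in the same way this function rejects other invalid values, so a typo surfaces at load time. The default `cfg->val_log_level = 0;` added in config_create matches the documented default. Both config_create and config_set_option begin and end outside their hunks.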
|
||||||
|
|
|
||||||
|
|
@ -213,6 +213,8 @@ struct config_file {
|
||||||
int bogus_ttl;
|
int bogus_ttl;
|
||||||
/** should validator clean additional section for secure msgs */
|
/** should validator clean additional section for secure msgs */
|
||||||
int val_clean_additional;
|
int val_clean_additional;
|
||||||
|
/** log bogus messages by the validator */
|
||||||
|
int val_log_level;
|
||||||
/** should validator allow bogus messages to go through */
|
/** should validator allow bogus messages to go through */
|
||||||
int val_permissive_mode;
|
int val_permissive_mode;
|
||||||
/** nsec3 maximum iterations per key size, string */
|
/** nsec3 maximum iterations per key size, string */
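Review bot: The doc comment on the new `val_log_level` field, `/** log bogus messages by the validator */`, does not say what the integer values mean, unlike the yes/no fields around it whose type makes the meaning obvious. The example.conf and man page changes in this commit define the levels, so the header should carry the same contract, e.g. `/** validator logging of failed validations: 0 off, 1 a line per failed user query */`. This keeps the authoritative definition next to the field that config_set_option and the validator read.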
|
||||||
|
|
|
||||||
1558
util/configlexer.c
|
|
@ -199,6 +199,7 @@ val-sig-skew-max{COLON} { YDVAR(1, VAR_VAL_SIG_SKEW_MAX) }
|
||||||
val-bogus-ttl{COLON} { YDVAR(1, VAR_BOGUS_TTL) }
|
val-bogus-ttl{COLON} { YDVAR(1, VAR_BOGUS_TTL) }
|
||||||
val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
|
val-clean-additional{COLON} { YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) }
|
||||||
val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
|
val-permissive-mode{COLON} { YDVAR(1, VAR_VAL_PERMISSIVE_MODE) }
|
||||||
|
val-log-level{COLON} { YDVAR(1, VAR_VAL_LOG_LEVEL) }
|
||||||
key-cache-size{COLON} { YDVAR(1, VAR_KEY_CACHE_SIZE) }
|
key-cache-size{COLON} { YDVAR(1, VAR_KEY_CACHE_SIZE) }
|
||||||
key-cache-slabs{COLON} { YDVAR(1, VAR_KEY_CACHE_SLABS) }
|
key-cache-slabs{COLON} { YDVAR(1, VAR_KEY_CACHE_SLABS) }
|
||||||
neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) }
|
neg-cache-size{COLON} { YDVAR(1, VAR_NEG_CACHE_SIZE) }
|
||||||
|
|
|
||||||
|
|
@ -143,7 +143,8 @@
|
||||||
VAR_PYTHON_SCRIPT = 359,
|
VAR_PYTHON_SCRIPT = 359,
|
||||||
VAR_VAL_SIG_SKEW_MIN = 360,
|
VAR_VAL_SIG_SKEW_MIN = 360,
|
||||||
VAR_VAL_SIG_SKEW_MAX = 361,
|
VAR_VAL_SIG_SKEW_MAX = 361,
|
||||||
VAR_CACHE_MIN_TTL = 362
|
VAR_CACHE_MIN_TTL = 362,
|
||||||
|
VAR_VAL_LOG_LEVEL = 363
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
/* Tokens. */
|
/* Tokens. */
|
||||||
|
|
@ -252,6 +253,7 @@
|
||||||
#define VAR_VAL_SIG_SKEW_MIN 360
|
#define VAR_VAL_SIG_SKEW_MIN 360
|
||||||
#define VAR_VAL_SIG_SKEW_MAX 361
|
#define VAR_VAL_SIG_SKEW_MAX 361
|
||||||
#define VAR_CACHE_MIN_TTL 362
|
#define VAR_CACHE_MIN_TTL 362
|
||||||
|
#define VAR_VAL_LOG_LEVEL 363
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
@ -268,7 +270,7 @@ typedef union YYSTYPE
|
||||||
|
|
||||||
|
|
||||||
/* Line 1676 of yacc.c */
|
/* Line 1676 of yacc.c */
|
||||||
#line 272 "util/configparser.h"
|
#line 274 "util/configparser.h"
|
||||||
} YYSTYPE;
|
} YYSTYPE;
|
||||||
# define YYSTYPE_IS_TRIVIAL 1
|
# define YYSTYPE_IS_TRIVIAL 1
|
||||||
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
||||||
|
|
|
||||||
|
|
@ -98,7 +98,7 @@ extern struct config_parser_state* cfg_parser;
|
||||||
%token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT
|
%token VAR_EXTENDED_STATISTICS VAR_LOCAL_DATA_PTR VAR_JOSTLE_TIMEOUT
|
||||||
%token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII
|
%token VAR_STUB_PRIME VAR_UNWANTED_REPLY_THRESHOLD VAR_LOG_TIME_ASCII
|
||||||
%token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN
|
%token VAR_DOMAIN_INSECURE VAR_PYTHON VAR_PYTHON_SCRIPT VAR_VAL_SIG_SKEW_MIN
|
||||||
%token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL
|
%token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL
|
||||||
|
|
||||||
%%
|
%%
|
||||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||||
|
|
@ -148,7 +148,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||||
server_local_data_ptr | server_jostle_timeout |
|
server_local_data_ptr | server_jostle_timeout |
|
||||||
server_unwanted_reply_threshold | server_log_time_ascii |
|
server_unwanted_reply_threshold | server_log_time_ascii |
|
||||||
server_domain_insecure | server_val_sig_skew_min |
|
server_domain_insecure | server_val_sig_skew_min |
|
||||||
server_val_sig_skew_max | server_cache_min_ttl
|
server_val_sig_skew_max | server_cache_min_ttl | server_val_log_level
|
||||||
;
|
;
|
||||||
stubstart: VAR_STUB_ZONE
|
stubstart: VAR_STUB_ZONE
|
||||||
{
|
{
|
||||||
|
|
@ -846,6 +846,14 @@ server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG
|
||||||
free($2);
|
free($2);
|
||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
server_val_log_level: VAR_VAL_LOG_LEVEL STRING_ARG
|
||||||
|
{
|
||||||
|
OUTYY(("P(server_val_log_level:%s)\n", $2));
|
||||||
|
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||||
|
yyerror("number expected");
|
||||||
|
else cfg_parser->cfg->val_log_level = atoi($2);
|
||||||
|
}
|
||||||
|
;
|
||||||
server_val_nsec3_keysize_iterations: VAR_VAL_NSEC3_KEYSIZE_ITERATIONS STRING_ARG
|
server_val_nsec3_keysize_iterations: VAR_VAL_NSEC3_KEYSIZE_ITERATIONS STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", $2));
|
OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", $2));
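Review bot: The new `server_val_log_level` action never frees the `STRING_ARG` token, whereas the neighbouring `server_val_permissive_mode` rule shown as context ends its action with `free($2);`; as written the string leaks on every `val-log-level:` line parsed. Add `free($2);` as the last statement of the action, before the closing brace, matching the surrounding rules. The action also calls `atoi($2)` twice; storing the result once, `int v = atoi($2);`, would make the check and the assignment read the same value and is in line with how the rest of the grammar handles numeric options. The whole rule is inside this hunk.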
|
||||||
|
|
|
||||||
|
|
@ -1796,6 +1796,9 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
|
||||||
* endless bogus revalidation */
|
* endless bogus revalidation */
|
||||||
if(vq->orig_msg->rep->security == sec_status_bogus) {
|
if(vq->orig_msg->rep->security == sec_status_bogus) {
|
||||||
vq->orig_msg->rep->ttl = *qstate->env->now + ve->bogus_ttl;
|
vq->orig_msg->rep->ttl = *qstate->env->now + ve->bogus_ttl;
|
||||||
|
if(qstate->env->cfg->val_log_level >= 1) {
|
||||||
|
log_query_info(0, "validation failure", &qstate->qinfo);
|
||||||
|
}
|
||||||
/* If we are in permissive mode, bogus gets indeterminate */
|
/* If we are in permissive mode, bogus gets indeterminate */
|
||||||
if(ve->permissive_mode)
|
if(ve->permissive_mode)
|
||||||
vq->orig_msg->rep->security = sec_status_indeterminate;
|
vq->orig_msg->rep->security = sec_status_indeterminate;
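Review bot: The new check reads the option through `qstate->env->cfg->val_log_level`, while the two neighbouring settings in the same block, `ve->bogus_ttl` and `ve->permissive_mode`, are read from the validator environment. If those are copied from the config into `struct val_env` when the configuration is applied (not visible in this hunk), the new option should follow the same path, e.g. `if(ve->log_level >= 1)`, so all validator tunables are sourced consistently. The added statement is also the only braced single-statement `if` in this block; the following `if(ve->permissive_mode)` is unbraced, so one style should be picked. Since this emits one log line per failed user query regardless of verbosity and without any rate limiting, a short comment stating that this is intentional diagnostic output, e.g. `/* one line per bogus user query, at any verbosity, for dnssec deployment monitoring */`, would help the next reader. processFinished begins and ends outside the hunk.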
|
||||||
|
|
|
||||||