Commit e789c969 authored by Petr Špaček's avatar Petr Špaček Committed by Vladimír Čunát

trust_anchors: add .summary() and use it for logging

Previous logging was a bit confusing because it also logged intermediate
states during TA changes.
parent 8d2b2a45
......@@ -5,6 +5,12 @@ Bugfixes
--------
- policy.TLS_FORWARD: fix problems with gnutls 3.3 (#438)
Improvements
------------
- dnssec validation failures contain more verbose reasoning (!735)
- new function trust_anchors.summary() describes state of DNSSEC TAs (!737),
and logs new state of trust anchors after start up and automatic changes
Knot Resolver 3.2.0 (2018-12-17)
================================
......
......@@ -728,6 +728,10 @@ Trust anchors and DNSSEC
> trust_anchors.add('. 3600 IN DS 19036 8 2 49AAC11...')
.. function:: trust_anchors.summary()
Return string with summary of configured DNSSEC trust anchors, including negative TAs.
Modules configuration
^^^^^^^^^^^^^^^^^^^^^
......
......@@ -476,6 +476,9 @@ update = function (keyset, new_keys, is_initial)
if keyset_publish(keyset) == 0 then
-- TODO: try to rebootstrap if for root?
return false
elseif verbose() then
log('[ ta ] refreshed trust anchors for domain ' .. kres.dname2str(keyset.owner) .. ' are:\n'
.. trust_anchors.summary(keyset.owner))
end
return true
......@@ -544,10 +547,36 @@ local add_file = function (path, unmanaged)
-- Parse new keys, refresh eventually
if keyset_publish(keyset) == 0 then
-- TODO: try to rebootstrap if for root?
elseif verbose() then
log('[ ta ] installed trust anchors for domain ' .. owner_str .. ' are:\n'
.. trust_anchors.summary(owner))
end
refresh_plan(keyset, 10 * sec, false)
end
local function ta_str(owner)
local owner_str = kres.dname2str(owner) .. ' '
local msg = ''
for _, nta in pairs(trust_anchors.insecure) do
if owner == kres.str2dname(nta) then
msg = owner_str .. 'is negative trust anchor\n'
end
end
if not trust_anchors.keysets[owner] then
if #msg > 0 then -- it is normal that NTA does not have explicit TA
return msg
else
return owner_str .. 'has no explicit trust anchors\n'
end
end
if #msg > 0 then
msg = msg .. 'WARNING! negative trust anchor also has an explicit TA\n'
end
for idx, ta in ipairs(trust_anchors.keysets[owner]) do
msg = msg .. kres.rr2str(ta) .. '\n'
end
return msg
end
-- TA store management, for user docs see ../README.rst
trust_anchors = {
......@@ -578,7 +607,9 @@ trust_anchors = {
-- Add DS/DNSKEY record(s) (unmanaged)
add = function (keystr)
return trustanchor(keystr)
local ret = trustanchor(keystr)
if verbose() then log(trust_anchors.summary()) end
return ret
end,
-- Negative TA management
set_insecure = function (list)
......@@ -591,6 +622,31 @@ trust_anchors = {
end
trust_anchors.insecure = list
end,
summary = function (owner)
if owner then -- single domain
return ta_str(owner)
end
-- all domains
local msg = ''
local ta_count = 0
local seen = {}
for _, nta_str in pairs(trust_anchors.insecure) do
owner = kres.str2dname(nta_str)
seen[owner] = true
msg = msg .. ta_str(owner)
end
for owner, _ in pairs(trust_anchors.keysets) do
if not seen[owner] then
ta_count = ta_count + 1
msg = msg .. ta_str(owner)
end
end
if ta_count == 0 then
msg = msg .. 'No valid trust anchors, DNSSEC validation is disabled\n'
end
return msg
end,
}
-- Syntactic sugar for TA store
......
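Review bot: `summary` reuses its own `owner` parameter as the loop variable in the negative-TA loop (`owner = kres.str2dname(nta_str)` in the @@ -591 hunk) and then introduces another `owner` through the following `for owner, _ in pairs(...)`; this only works because `owner` is known to be nil at that point, so `local owner = kres.str2dname(nta_str)` would state the intent and keep luacheck quiet. In `ta_str` (the @@ -544 hunk) the loop index `idx` in `for idx, ta in ipairs(...)` is unused and should be `_`. The `log(trust_anchors.summary())` added to `add` also drops the `[ ta ]` prefix that the `update` and `add_file` messages in the other hunks carry, which makes the post-add state harder to find in the log; `log('[ ta ] trust anchors after add are:\n' .. trust_anchors.summary())` would be consistent. The closing `'No valid trust anchors, DNSSEC validation is disabled'` line is driven by a count of entries in `trust_anchors.keysets` rather than by any validity check visible here, so its wording presumably relies on every keyset having been validated before insertion — worth confirming, since an operator reading the log will take it literally.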
......@@ -91,10 +91,6 @@ static int insert_ta(map_t *trust_anchors, const knot_dname_t *name,
knot_rrset_free(ta_rr, NULL);
return kr_error(ENOMEM);
}
if(VERBOSE_STATUS) {
auto_free char *rr_text = kr_rrset_text(ta_rr);
kr_log_verbose("[ ta ] new state of trust anchors for a domain: %s\n", rr_text);
}
if (is_new_key) {
return map_set(trust_anchors, (const char *)name, ta_rr);
}
......