Commit d7a905d7 authored by Petr Špaček's avatar Petr Špaček

new module: bogus_log to log DNSSEC bogus queries

parent 9a2bf9bf
Pipeline #37436 passed with stages
in 7 minutes and 41 seconds
......@@ -24,6 +24,7 @@ Knot DNS Resolver modules
.. include:: ../modules/renumber/README.rst
.. include:: ../modules/cookies/README.rst
.. include:: ../modules/version/README.rst
.. include:: ../modules/bogus_log/README.rst
.. include:: ../modules/workarounds/README.rst
.. include:: ../modules/dnstap/README.rst
.. include:: ../modules/ta_signal_query/README.rst
.. _mod-bogus_log:
DNSSEC validation failure logging
This module adds error message for each DNSSEC validation failure.
It is meant to provide hint to operators which queries should be
investigated using diagnostic tools like DNSViz_.
Add following line to your configuration file to enable it:
.. code-block:: lua
Example of error message logged by this module:
.. code-block:: none
DNSSEC validation failure DNSKEY
.. _DNSViz:
Please note that in future this module might be replaced
with some other way to log this information.
/* Copyright (C) Knot Resolver contributors. Licensed under GNU GPLv3 or
* (at your option) any later version. See COPYING for text of the license.
* This module logs (query name, type) pairs which failed DNSSEC validation. */
#include <libknot/packet/pkt.h>
#include <contrib/cleanup.h>
#include "daemon/engine.h"
#include "lib/layer.h"
static int consume(kr_layer_t *ctx, knot_pkt_t *pkt)
if (!(ctx->state & KR_STATE_FAIL)
|| !ctx->req
|| !ctx->req->current_query
|| !ctx->req->current_query->flags.DNSSEC_BOGUS
|| knot_wire_get_qdcount(pkt->wire) != 1)
return ctx->state;
auto_free char *qname_text = kr_dname_text(knot_pkt_qname(pkt));
auto_free char *qtype_text = kr_rrtype_text(knot_pkt_qtype(pkt));
kr_log_error("DNSSEC validation failure %s %s\n", qname_text, qtype_text);
return ctx->state;
const kr_layer_api_t *bogus_log_layer(struct kr_module *module)
static kr_layer_api_t _layer = {
.consume = &consume,
}; = module;
return &_layer;
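Review bot: The two strings passed to `kr_log_error()` in `consume()` are used without a NULL check; both are heap allocations (they are released via `auto_free`), so presumably either helper can return NULL under memory pressure, and passing NULL to `%s` is undefined behaviour. A guard such as `if (!qname_text || !qtype_text) return ctx->state;` before the log call would cover it. Separately, one error-level line is written per bogus answer with no rate limit, and clients choose which names get resolved, so log volume here is client-influenced; a throttle, or a README sentence saying so, would help operators size their logging. The braces of both functions are missing from the page as rendered, so this is based on the visible statements only.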
bogus_log_CFLAGS := -fPIC
# We use a symbol that's not in libkres but the daemon.
# On darwin this isn't accepted by default.
bogus_log_LDFLAGS := -Wl,-undefined -Wl,dynamic_lookup
bogus_log_SOURCES := modules/bogus_log/bogus_log.c
bogus_log_DEPEND := $(libkres)
bogus_log_LIBS := $(contrib_TARGET) $(libkres_TARGET) $(libkres_LIBS)
$(call make_c_module,bogus_log)
......@@ -22,7 +22,8 @@ endif
# List of Lua modules
ifeq ($(HAS_lua),yes)
modules_TARGETS += etcd \
modules_TARGETS += bogus_log \
etcd \
ta_sentinel \
graphite \
policy \
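Review bot: `bogus_log` is appended to the list headed `# List of Lua modules` inside `ifeq ($(HAS_lua),yes)`, yet its own makefile builds it with `make_c_module` from a C source. If tying it to Lua is intentional (its makefile notes that it uses a symbol from the daemon rather than libkres), a comment such as `# bogus_log is a C module but needs the daemon's symbols` above the entry would make that clear; otherwise it belongs in the list of C modules, which is outside this hunk. As placed, a build with `HAS_lua` unset would presumably drop validation-failure logging without any notice.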