Commit d7a905d7 authored by Petr Špaček

new module: bogus_log to log DNSSEC bogus queries

parent 9a2bf9bf
......@@ -24,6 +24,7 @@ Knot DNS Resolver modules
.. include:: ../modules/renumber/README.rst
.. include:: ../modules/cookies/README.rst
.. include:: ../modules/version/README.rst
.. include:: ../modules/bogus_log/README.rst
.. include:: ../modules/workarounds/README.rst
.. include:: ../modules/dnstap/README.rst
.. include:: ../modules/ta_signal_query/README.rst
......
.. _mod-bogus_log:
DNSSEC validation failure logging
---------------------------------
This module adds error message for each DNSSEC validation failure.
It is meant to provide hint to operators which queries should be
investigated using diagnostic tools like DNSViz_.
Add following line to your configuration file to enable it:
.. code-block:: lua
modules.load('bogus_log')
Example of error message logged by this module:
.. code-block:: none
DNSSEC validation failure dnssec-failed.org. DNSKEY
.. _DNSViz: http://dnsviz.net/
Please note that in future this module might be replaced
with some other way to log this information.
/* Copyright (C) Knot Resolver contributors. Licensed under GNU GPLv3 or
* (at your option) any later version. See COPYING for text of the license.
*
* This module logs (query name, type) pairs which failed DNSSEC validation. */
#include <libknot/packet/pkt.h>
#include <contrib/cleanup.h>
#include "daemon/engine.h"
#include "lib/layer.h"
static int consume(kr_layer_t *ctx, knot_pkt_t *pkt)
{
if (!(ctx->state & KR_STATE_FAIL)
|| !ctx->req
|| !ctx->req->current_query
|| !ctx->req->current_query->flags.DNSSEC_BOGUS
|| knot_wire_get_qdcount(pkt->wire) != 1)
return ctx->state;
auto_free char *qname_text = kr_dname_text(knot_pkt_qname(pkt));
auto_free char *qtype_text = kr_rrtype_text(knot_pkt_qtype(pkt));
kr_log_error("DNSSEC validation failure %s %s\n", qname_text, qtype_text);
return ctx->state;
}
KR_EXPORT
const kr_layer_api_t *bogus_log_layer(struct kr_module *module)
{
static kr_layer_api_t _layer = {
.consume = &consume,
};
_layer.data = module;
return &_layer;
}
KR_MODULE_EXPORT(bogus_log);
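Review bot: In consume(), `qname_text` and `qtype_text` are passed to the `%s` arguments of `kr_log_error()` without a NULL check; if `kr_dname_text()` or `kr_rrtype_text()` can return NULL on allocation or conversion failure (their definitions are not on this page), that call has undefined behaviour. A guard such as `if (!qname_text || !qtype_text) return ctx->state;` before the log call would cover it. Separately, the module writes one error-level line per failed validation and takes the name from the packet's question section, so log volume is driven by remote query traffic. The README should state this, or the module should cap or deduplicate repeated names.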
bogus_log_CFLAGS := -fPIC
# We use a symbol that's not in libkres but the daemon.
# On darwin this isn't accepted by default.
bogus_log_LDFLAGS := -Wl,-undefined -Wl,dynamic_lookup
bogus_log_SOURCES := modules/bogus_log/bogus_log.c
bogus_log_DEPEND := $(libkres)
bogus_log_LIBS := $(contrib_TARGET) $(libkres_TARGET) $(libkres_LIBS)
$(call make_c_module,bogus_log)
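Review bot: The comment above `bogus_log_LDFLAGS` says the module uses a symbol provided by the daemon rather than libkres, but it does not name the symbol, and none of the calls visible in bogus_log.c on this page looks daemon-only. On darwin, where the comment says these flags matter, `-Wl,-undefined -Wl,dynamic_lookup` defers unresolved symbols to load time, so a misspelled or missing symbol would no longer fail the build. If the flags are needed, name the symbol in the comment, e.g. `# <symbol> is provided by the daemon, not libkres.` (placeholder). If they were carried over from another module, consider dropping them together with the `daemon/engine.h` include.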
......@@ -22,7 +22,8 @@ endif
# List of Lua modules
ifeq ($(HAS_lua),yes)
modules_TARGETS += etcd \
modules_TARGETS += bogus_log \
etcd \
ta_sentinel \
graphite \
policy \
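Review bot: `bogus_log` is added to the `modules_TARGETS` list under `# List of Lua modules` inside `ifeq ($(HAS_lua),yes)`, although bogus_log.mk in this commit builds it with `$(call make_c_module,bogus_log)`. As written, the module is only built when `HAS_lua` is `yes`, and the comment no longer describes the list. It would fit better as a `bogus_log \` entry in the list of C modules, which is outside this hunk.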
......