resolved: log recognizably about DNSSEC downgrades
If we downgrade from DNSSEC to non-DNSSEC mode, let's log about this in a recognizable way (i.e. with a message ID); after all, this is of major importance.
This commit is contained in:
parent
dd0bc0f141
commit
1e02e182f1
@ -19,6 +19,8 @@
|
||||
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
***/
|
||||
|
||||
#include <sd-messages.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "resolved-dns-server.h"
|
||||
#include "resolved-resolv-conf.h"
|
||||
@ -547,6 +549,22 @@ bool dns_server_dnssec_supported(DnsServer *server) {
|
||||
return true;
|
||||
}
|
||||
|
||||
void dns_server_warn_downgrade(DnsServer *server) {
|
||||
assert(server);
|
||||
|
||||
if (server->warned_downgrade)
|
||||
return;
|
||||
|
||||
log_struct(LOG_NOTICE,
|
||||
LOG_MESSAGE_ID(SD_MESSAGE_DNSSEC_DOWNGRADE),
|
||||
LOG_MESSAGE("Server %s does not support DNSSEC, downgrading to non-DNSSEC mode.", dns_server_string(server)),
|
||||
"DNS_SERVER=%s", dns_server_string(server),
|
||||
"DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(server->possible_feature_level),
|
||||
NULL);
|
||||
|
||||
server->warned_downgrade = true;
|
||||
}
|
||||
|
||||
static void dns_server_hash_func(const void *p, struct siphash *state) {
|
||||
const DnsServer *s = p;
|
||||
|
||||
|
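Review bot: `warned_downgrade` is set on the last line of `dns_server_warn_downgrade()` but nothing in this hunk ever clears it, so if the server's feature level is later raised again (for instance after its features are reset and re-probed) a second downgrade on the same server would go unlogged; if the flag is not already cleared wherever the server's feature state is reset, that reset path should also do `s->warned_downgrade = false;`. Given the commit message calls the downgrade "of major importance", and it is exactly the event an on-path attacker stripping DNSSEC records would produce, `LOG_WARNING` looks like a better fit than `LOG_NOTICE` on the `log_struct(` line. A one-line comment above the function, `/* Emitted once per server: the first time we fall back to non-DNSSEC operation against it. */`, would document the once-only semantics for readers of the header.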
@ -82,6 +82,9 @@ struct DnsServer {
|
||||
usec_t verified_usec;
|
||||
usec_t features_grace_period_usec;
|
||||
|
||||
/* Whether we already warned about downgrading to non-DNSSEC mode for this server */
|
||||
bool warned_downgrade:1;
|
||||
|
||||
/* Used when GC'ing old DNS servers when configuration changes. */
|
||||
bool marked:1;
|
||||
|
||||
@ -119,6 +122,8 @@ const char *dns_server_string(DnsServer *server);
|
||||
|
||||
bool dns_server_dnssec_supported(DnsServer *server);
|
||||
|
||||
void dns_server_warn_downgrade(DnsServer *server);
|
||||
|
||||
DnsServer *dns_server_find(DnsServer *first, int family, const union in_addr_union *in_addr);
|
||||
|
||||
void dns_server_unlink_all(DnsServer *first);
|
||||
|
@ -296,6 +296,8 @@ void dns_transaction_complete(DnsTransaction *t, DnsTransactionState state) {
|
||||
"DNS_TRANSACTION=%" PRIu16, t->id,
|
||||
"DNS_QUESTION=%s", dns_transaction_key_string(t),
|
||||
"DNSSEC_RESULT=%s", dnssec_result_to_string(t->answer_dnssec_result),
|
||||
"DNS_SERVER=%s", dns_server_string(t->server),
|
||||
"DNS_SERVER_FEATURE_LEVEL=%s", dns_server_feature_level_to_string(t->server->possible_feature_level),
|
||||
NULL);
|
||||
|
||||
/* Note that this call might invalidate the query. Callers
|
||||
@ -708,6 +710,9 @@ static void dns_transaction_process_dnssec(DnsTransaction *t) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (t->answer_dnssec_result == DNSSEC_INCOMPATIBLE_SERVER)
|
||||
dns_server_warn_downgrade(t->server);
|
||||
|
||||
dns_transaction_cache_answer(t);
|
||||
|
||||
if (t->answer_rcode == DNS_RCODE_SUCCESS)
|
||||
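Review bot: The added `dns_server_warn_downgrade(t->server)` call announces a downgrade for any `DNSSEC_INCOMPATIBLE_SERVER` result, but nothing visible in the hunk ties it to the scope's DNSSEC mode; presumably the `return` just above is the strict-mode failure path so only the allow-downgrade configuration reaches this point, yet that invariant is not stated. A comment such as `/* Strict mode already bailed out above, so an incompatible server here means we really are downgrading. */` would make it explicit, or the condition could additionally test the scope's DNSSEC mode so the notice can never fire in a configuration that does not downgrade. It is also worth noting that the notice is emitted just before `dns_transaction_cache_answer(t)`, so the unvalidated answer is cached as usual; that appears to be the intended allow-downgrade behaviour, but the log line is the only trace of it. `dns_transaction_process_dnssec` starts and ends outside this hunk.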
@ -2568,7 +2573,7 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
|
||||
if (!dns_transaction_dnssec_supported_full(t)) {
|
||||
/* The server does not support DNSSEC, or doesn't augment responses with RRSIGs. */
|
||||
t->answer_dnssec_result = DNSSEC_INCOMPATIBLE_SERVER;
|
||||
log_debug("Not validating response, server lacks DNSSEC support.");
|
||||
log_debug("Not validating response for %" PRIu16 ", server lacks DNSSEC support.", t->id);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -88,6 +88,7 @@ _SD_BEGIN_DECLARATIONS;
|
||||
|
||||
#define SD_MESSAGE_DNSSEC_FAILURE SD_ID128_MAKE(16,75,d7,f1,72,17,40,98,b1,10,8b,f8,c7,dc,8f,5d)
|
||||
#define SD_MESSAGE_DNSSEC_TRUST_ANCHOR_REVOKED SD_ID128_MAKE(4d,44,08,cf,d0,d1,44,85,91,84,d1,e6,5d,7c,8a,65)
|
||||
#define SD_MESSAGE_DNSSEC_DOWNGRADE SD_ID128_MAKE(36,db,2d,fa,5a,90,45,e1,bd,4a,f5,f9,3e,1c,f0,57)
|
||||
|
||||
_SD_END_DECLARATIONS;
|
||||
|
||||
|
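Review bot: The new `SD_MESSAGE_DNSSEC_DOWNGRADE` id is declared here but no matching message-catalog entry appears in the visible hunks; if it is not added elsewhere in this commit, `journalctl -x` will show the downgrade notice without the explanation that belongs with it, namely that answers from this server are no longer DNSSEC-validated and that an on-path attacker could have provoked the fallback. The sibling `SD_MESSAGE_DNSSEC_*` ids immediately above presumably have catalog entries, so this one should follow suit and mention how to switch the resolver to strict mode if downgrades are unwanted.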