From 7aa8ce985537e7803e16d6f2adf5143df4537cf8 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 21 Jan 2016 01:06:28 +0100 Subject: [PATCH] resolved: also collect statistics about negative DNSSEC proofs We already maintain statistics about positive DNSSEC proofs, and count them up by 1 for each validated RRset. Now, update the same counters each time we validated a negative query, so that the statistics are the combined result of all validation checks, both positive and negative. --- src/resolve/resolved-dns-transaction.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index d485cd917d6..6b465abe487 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -2900,6 +2900,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_NXDOMAIN; t->answer_authenticated = authenticated; + + if (authenticated) + t->scope->manager->n_dnssec_secure++; + else + t->scope->manager->n_dnssec_insecure++; + break; case DNSSEC_NSEC_NODATA: @@ -2908,6 +2914,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { t->answer_dnssec_result = DNSSEC_VALIDATED; t->answer_rcode = DNS_RCODE_SUCCESS; t->answer_authenticated = authenticated; + + if (authenticated) + t->scope->manager->n_dnssec_secure++; + else + t->scope->manager->n_dnssec_insecure++; + break; case DNSSEC_NSEC_OPTOUT: @@ -2915,6 +2927,8 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t)); t->answer_dnssec_result = DNSSEC_UNSIGNED; t->answer_authenticated = false; + + t->scope->manager->n_dnssec_insecure++; break; case DNSSEC_NSEC_NO_RR: @@ -2923,11 +2937,13 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { r = dns_transaction_requires_nsec(t); if (r < 0) return r; - if (r > 0) + if (r > 0) { t->answer_dnssec_result = DNSSEC_NO_SIGNATURE; - else { + t->scope->manager->n_dnssec_indeterminate++; + } else { t->answer_dnssec_result = DNSSEC_UNSIGNED; t->answer_authenticated = false; + t->scope->manager->n_dnssec_insecure++; } break; @@ -2935,12 +2951,14 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) { case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM: /* We don't know the NSEC3 algorithm used? */ t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM; + t->scope->manager->n_dnssec_indeterminate++; break; case DNSSEC_NSEC_FOUND: case DNSSEC_NSEC_CNAME: /* NSEC says it needs to be there, but we couldn't find it? Bummer! */ t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH; + t->scope->manager->n_dnssec_bogus++; break; default: