mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

Update dnskey sign operations statistics

Browse Source 
Update per key tag the stats counter when it creates a new signature.
This can happen upon a dynamic update, or when doing DNSSEC
maintenance.
This commit is contained in:
Matthijs Mekking
2019-06-20 13:06:04 +02:00
committed by Matthijs Mekking
parent d8cf7aedfa
commit 312fa7f65e
2 changed files with 46 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/dns/update.c
View File

@@ -48,6 +48,7 @@
#include <dns/result.h> #include <dns/result.h>
#include <dns/soa.h> #include <dns/soa.h>
#include <dns/ssu.h> #include <dns/ssu.h>
#include <dns/stats.h>
#include <dns/tsig.h> #include <dns/tsig.h>
#include <dns/update.h> #include <dns/update.h>
#include <dns/view.h> #include <dns/view.h>
@@ -1076,6 +1077,7 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_dbnode_t *node = NULL; dns_dbnode_t *node = NULL;
dns_rdataset_t rdataset; dns_rdataset_t rdataset;
dns_rdata_t sig_rdata = DNS_RDATA_INIT; dns_rdata_t sig_rdata = DNS_RDATA_INIT;
dns_stats_t* dnssecsignstats = dns_zone_getdnssecsignstats(zone);
isc_buffer_t buffer; isc_buffer_t buffer;
unsigned char data[1024]; /* XXX */ unsigned char data[1024]; /* XXX */
unsigned int i, j; unsigned int i, j;
@@ -1181,6 +1183,11 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
dns_rdata_reset(&sig_rdata); dns_rdata_reset(&sig_rdata);
isc_buffer_init(&buffer, data, sizeof(data)); isc_buffer_init(&buffer, data, sizeof(data));
added_sig = true; added_sig = true;
/* Update DNSSEC sign statistics. */
if (dnssecsignstats != NULL) {
dns_dnssecsignstats_increment(dnssecsignstats,
dst_key_id(keys[i]));
}
} }
if (!added_sig) { if (!added_sig) {
update_log(log, zone, ISC_LOG_ERROR, update_log(log, zone, ISC_LOG_ERROR,

61
lib/dns/zone.c
View File

@@ -6516,13 +6516,14 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
static isc_result_t static isc_result_t
add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name, add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys, dns_zone_t* zone, dns_rdatatype_t type, dns_diff_t *diff,
unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception, dst_key_t **keys, unsigned int nkeys, isc_mem_t *mctx,
isc_stdtime_t expire, bool check_ksk, isc_stdtime_t inception, isc_stdtime_t expire,
bool keyset_kskonly) bool check_ksk, bool keyset_kskonly)
{ {
isc_result_t result; isc_result_t result;
dns_dbnode_t *node = NULL; dns_dbnode_t *node = NULL;
dns_stats_t* dnssecsignstats = dns_zone_getdnssecsignstats(zone);
dns_rdataset_t rdataset; dns_rdataset_t rdataset;
dns_rdata_t sig_rdata = DNS_RDATA_INIT; dns_rdata_t sig_rdata = DNS_RDATA_INIT;
unsigned char data[1024]; /* XXX */ unsigned char data[1024]; /* XXX */
@@ -6624,13 +6625,19 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
CHECK(dns_dnssec_sign(name, &rdataset, keys[i], CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
&inception, &expire, &inception, &expire,
mctx, &buffer, &sig_rdata)); mctx, &buffer, &sig_rdata));
/* Update the database and journal with the RRSIG. */ /* Update the database and journal with the RRSIG. */
/* XXX inefficient - will cause dataset merging */ /* XXX inefficient - will cause dataset merging */
CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
name, rdataset.ttl, &sig_rdata)); name, rdataset.ttl, &sig_rdata));
dns_rdata_reset(&sig_rdata); dns_rdata_reset(&sig_rdata);
isc_buffer_init(&buffer, data, sizeof(data)); isc_buffer_init(&buffer, data, sizeof(data));
/* Update DNSSEC sign statistics. */
if (dnssecsignstats != NULL) {
dns_dnssecsignstats_increment(dnssecsignstats,
dst_key_id(keys[i]));
}
} }
failure: failure:
@@ -6757,9 +6764,9 @@ zone_resigninc(dns_zone_t *zone) {
break; break;
} }
result = add_sigs(db, version, name, covers, zonediff.diff, result = add_sigs(db, version, name, zone, covers,
zone_keys, nkeys, zone->mctx, inception, zonediff.diff, zone_keys, nkeys, zone->mctx,
expire, check_ksk, keyset_kskonly); inception, expire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR, dns_zone_log(zone, ISC_LOG_ERROR,
"zone_resigninc:add_sigs -> %s", "zone_resigninc:add_sigs -> %s",
@@ -6815,7 +6822,7 @@ zone_resigninc(dns_zone_t *zone) {
* Generate maximum life time signatures so that the above loop * Generate maximum life time signatures so that the above loop
* termination is sensible. * termination is sensible.
*/ */
result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa, result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
zonediff.diff, zone_keys, nkeys, zone->mctx, zonediff.diff, zone_keys, nkeys, zone->mctx,
inception, soaexpire, check_ksk, keyset_kskonly); inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
@@ -7004,9 +7011,9 @@ check_if_bottom_of_zone(dns_db_t *db, dns_dbnode_t *node,
} }
static isc_result_t static isc_result_t
sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node, sign_a_node(dns_db_t *db, dns_zone_t *zone, dns_name_t *name,
dns_dbversion_t *version, bool build_nsec3, dns_dbnode_t *node, dns_dbversion_t *version,
bool build_nsec, dst_key_t *key, bool build_nsec3, bool build_nsec, dst_key_t *key,
isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t inception, isc_stdtime_t expire,
unsigned int minimum, bool is_ksk, unsigned int minimum, bool is_ksk,
bool keyset_kskonly, bool is_bottom_of_zone, bool keyset_kskonly, bool is_bottom_of_zone,
@@ -7016,6 +7023,8 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
dns_rdatasetiter_t *iterator = NULL; dns_rdatasetiter_t *iterator = NULL;
dns_rdataset_t rdataset; dns_rdataset_t rdataset;
dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t rdata = DNS_RDATA_INIT;
dns_stats_t* dnssecsignstats = dns_zone_getdnssecsignstats(zone);
isc_buffer_t buffer; isc_buffer_t buffer;
unsigned char data[1024]; unsigned char data[1024];
bool seen_soa, seen_ns, seen_rr, seen_nsec, seen_nsec3, seen_ds; bool seen_soa, seen_ns, seen_rr, seen_nsec, seen_nsec3, seen_ds;
@@ -7117,6 +7126,13 @@ sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN, CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
name, rdataset.ttl, &rdata)); name, rdataset.ttl, &rdata));
dns_rdata_reset(&rdata); dns_rdata_reset(&rdata);
/* Update DNSSEC sign statistics. */
if (dnssecsignstats != NULL) {
dns_dnssecsignstats_increment(dnssecsignstats,
dst_key_id(key));
}
(*signatures)--; (*signatures)--;
next_rdataset: next_rdataset:
dns_rdataset_disassociate(&rdataset); dns_rdataset_disassociate(&rdataset);
@@ -7650,7 +7666,7 @@ dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
dns_result_totext(result)); dns_result_totext(result));
return (result); return (result);
} }
result = add_sigs(db, version, &tuple->name, result = add_sigs(db, version, &tuple->name, zone,
tuple->rdata.type, zonediff->diff, tuple->rdata.type, zonediff->diff,
zone_keys, nkeys, zone->mctx, inception, zone_keys, nkeys, zone->mctx, inception,
exp, check_ksk, keyset_kskonly); exp, check_ksk, keyset_kskonly);
@@ -8415,7 +8431,7 @@ zone_nsec3chain(dns_zone_t *zone) {
goto failure; goto failure;
} }
result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa, result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
zonediff.diff, zone_keys, nkeys, zone->mctx, zonediff.diff, zone_keys, nkeys, zone->mctx,
inception, soaexpire, check_ksk, keyset_kskonly); inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
@@ -8977,9 +8993,10 @@ zone_sign(dns_zone_t *zone) {
continue; continue;
} }
CHECK(sign_a_node(db, name, node, version, build_nsec3, CHECK(sign_a_node(db, zone, name, node, version,
build_nsec, zone_keys[i], inception, build_nsec3, build_nsec,
expire, zone->minimum, is_ksk, zone_keys[i], inception, expire,
zone->minimum, is_ksk,
(both && keyset_kskonly), (both && keyset_kskonly),
is_bottom_of_zone, zonediff.diff, is_bottom_of_zone, zonediff.diff,
&signatures, zone->mctx)); &signatures, zone->mctx));
@@ -9117,7 +9134,7 @@ zone_sign(dns_zone_t *zone) {
* Generate maximum life time signatures so that the above loop * Generate maximum life time signatures so that the above loop
* termination is sensible. * termination is sensible.
*/ */
result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa, result = add_sigs(db, version, &zone->origin, zone, dns_rdatatype_soa,
zonediff.diff, zone_keys, nkeys, zone->mctx, zonediff.diff, zone_keys, nkeys, zone->mctx,
inception, soaexpire, check_ksk, keyset_kskonly); inception, soaexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
@@ -18172,10 +18189,10 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
dns_result_totext(result)); dns_result_totext(result));
goto failure; goto failure;
} }
result = add_sigs(db, ver, &zone->origin, dns_rdatatype_dnskey, result = add_sigs(db, ver, &zone->origin, zone,
zonediff->diff, zone_keys, nkeys, zone->mctx, dns_rdatatype_dnskey, zonediff->diff,
inception, keyexpire, check_ksk, zone_keys, nkeys, zone->mctx, inception,
keyset_kskonly); keyexpire, check_ksk, keyset_kskonly);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
dnssec_log(zone, ISC_LOG_ERROR, dnssec_log(zone, ISC_LOG_ERROR,
"sign_apex:add_sigs -> %s", "sign_apex:add_sigs -> %s",