
Merge branch '570-extend-dnstap-update' into 'master'

Resolve "Extend dnstap option to support update messages"

Closes #570

See merge request isc-projects/bind9!829
This commit is contained in:
Evan Hunt
2018-10-03 12:32:37 -04:00
18 changed files with 263 additions and 62 deletions


@@ -1,3 +1,7 @@
5040. [func] Extended dnstap so that it can log UPDATE requests
and responses as separate message types. Thanks
to Greg Rabil. [GL #570]
5039. [bug] Named could fail to preserve owner name case of new
RRset. [GL #420]


@@ -13,7 +13,7 @@
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.named.conf">
<info>
<date>2018-06-21</date>
<date>2018-09-04</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
@@ -192,6 +192,7 @@ options {
] [ dscp <replaceable>integer</replaceable> ];
alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
* ) ] [ dscp <replaceable>integer</replaceable> ];
answer-cookie <replaceable>boolean</replaceable>;
attach-cache <replaceable>string</replaceable>;
auth-nxdomain <replaceable>boolean</replaceable>; // default changed
auto-dnssec ( allow | maintain | off );
@@ -257,8 +258,8 @@ options {
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; ... };
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; ... };
dnstap-identity ( <replaceable>quoted_string</replaceable> | none | hostname );
dnstap-output ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
<replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (
@@ -340,6 +341,7 @@ options {
min-retry-time <replaceable>integer</replaceable>;
minimal-any <replaceable>boolean</replaceable>;
minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
new-zones-directory <replaceable>quoted_string</replaceable>;
no-case-compress { <replaceable>address_match_element</replaceable>; ... };
@@ -609,8 +611,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder | resolver ) [ ( query |
response ) ]; ... };
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; ... };
dual-stack-servers [ port <replaceable>integer</replaceable> ] { ( <replaceable>quoted_string</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] [ dscp <replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port
@@ -671,6 +673,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
min-retry-time <replaceable>integer</replaceable>;
minimal-any <replaceable>boolean</replaceable>;
minimal-responses ( no-auth | no-auth-recursive | <replaceable>boolean</replaceable> );
mirror <replaceable>boolean</replaceable>;
multi-master <replaceable>boolean</replaceable>;
new-zones-directory <replaceable>quoted_string</replaceable>;
no-case-compress { <replaceable>address_match_element</replaceable>; ... };
@@ -893,10 +896,10 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
static-stub | stub );
update-check-ksk <replaceable>boolean</replaceable>;
update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> (
6to4-self | external | krb5-self | krb5-subdomain |
ms-self | ms-subdomain | name | self | selfsub |
selfwild | subdomain | tcp-self | wildcard | zonesub )
[ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
6to4-self | external | krb5-self | krb5-selfsub |
krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
name | self | selfsub | selfwild | subdomain | tcp-self
| wildcard | zonesub ) [ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
use-alt-transfer-source <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );
@@ -996,9 +999,10 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
forward | hint | redirect | static-stub | stub );
update-check-ksk <replaceable>boolean</replaceable>;
update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> ( 6to4-self |
external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
| name | self | selfsub | selfwild | subdomain | tcp-self |
wildcard | zonesub ) [ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
| ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
| subdomain | tcp-self | wildcard | zonesub ) [ <replaceable>string</replaceable> ]
<replaceable>rrtypelist</replaceable>; ... };
use-alt-transfer-source <replaceable>boolean</replaceable>;
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zone-statistics ( full | terse | none | <replaceable>boolean</replaceable> );


@@ -3412,11 +3412,14 @@ configure_dnstap(const cfg_obj_t **maps, dns_view_t *view) {
dt |= DNS_DTTYPE_RQ|DNS_DTTYPE_RR;
} else if (strcasecmp(str, "forwarder") == 0) {
dt |= DNS_DTTYPE_FQ|DNS_DTTYPE_FR;
} else if (strcasecmp(str, "update") == 0) {
dt |= DNS_DTTYPE_UQ|DNS_DTTYPE_UR;
} else if (strcasecmp(str, "all") == 0) {
dt |= DNS_DTTYPE_CQ|DNS_DTTYPE_CR|
DNS_DTTYPE_AQ|DNS_DTTYPE_AR|
DNS_DTTYPE_RQ|DNS_DTTYPE_RR|
DNS_DTTYPE_FQ|DNS_DTTYPE_FR;
DNS_DTTYPE_FQ|DNS_DTTYPE_FR|
DNS_DTTYPE_UQ|DNS_DTTYPE_UR;
}
obj2 = cfg_tuple_get(obj, "mode");
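Review bot: The `all` branch at L120-L126 now hand-enumerates CQ/CR, AQ/AR, RQ/RR, FQ/FR and UQ/UR, which is a different set from the DNS_DTTYPE_ALL macro in dnstap.h — that one also pulls in SQ/SR and TQ/TR through DNS_DTTYPE_QUERY/DNS_DTTYPE_RESPONSE — so a reader comparing the two will suspect one of them is wrong. A comment on the branch would settle it: `/* Config "all" is deliberately narrower than DNS_DTTYPE_ALL: the stub (SQ/SR) and tool (TQ/TR) types are not included. */`. The strcasecmp() chain also has no final `else`, so a name accepted by the dnstap_types[] table in the parser but not matched here would be silently ignored; if that is the intent, a one-line comment saying the parser table is the gatekeeper would help. The chain starts before the hunk and configure_dnstap() continues after it.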


@@ -23,3 +23,4 @@ rm -f ns*/dnstap.out.save.?
rm -f ns*/named.lock
rm -f ydump.out
rm -f ns*/managed-keys.bind*
rm -f ns2/example.db ns2/example.db.jnl


@@ -17,3 +17,5 @@ copy_setports ns1/named.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
cp ns2/example.db.in ns2/example.db


@@ -55,6 +55,14 @@ $RNDCCMD -s 10.53.0.4 dnstap -reopen | sed 's/^/ns4 /' | cat_i
$DIG $DIGOPTS @10.53.0.3 a.example > dig.out
# send an UPDATE to ns2
$NSUPDATE <<- EOF
server 10.53.0.2 ${PORT}
zone example
update add b.example 3600 in a 10.10.10.10
send
EOF
# XXX: file output should be flushed once a second according
# to the libfstrm source, but it doesn't seem to happen until
# enough data has accumulated. to get all the output, we stop
@@ -75,6 +83,8 @@ cq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CQ " | wc -l`
cr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "CR " | wc -l`
rq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RQ " | wc -l`
rr1=`$DNSTAPREAD ns1/dnstap.out.save | grep "RR " | wc -l`
uq1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UQ " | wc -l`
ur1=`$DNSTAPREAD ns1/dnstap.out.save | grep "UR " | wc -l`
udp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UDP " | wc -l`
tcp2=`$DNSTAPREAD ns2/dnstap.out.save | grep "TCP " | wc -l`
@@ -84,6 +94,8 @@ cq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CQ " | wc -l`
cr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "CR " | wc -l`
rq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RQ " | wc -l`
rr2=`$DNSTAPREAD ns2/dnstap.out.save | grep "RR " | wc -l`
uq2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UQ " | wc -l`
ur2=`$DNSTAPREAD ns2/dnstap.out.save | grep "UR " | wc -l`
mv ns3/dnstap.out.0 ns3/dnstap.out.save
udp3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UDP " | wc -l`
@@ -94,6 +106,8 @@ cq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CQ " | wc -l`
cr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "CR " | wc -l`
rq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RQ " | wc -l`
rr3=`$DNSTAPREAD ns3/dnstap.out.save | grep "RR " | wc -l`
uq3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UQ " | wc -l`
ur3=`$DNSTAPREAD ns3/dnstap.out.save | grep "UR " | wc -l`
echo_i "checking UDP message counts"
ret=0
@@ -231,6 +245,40 @@ ret=0
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking UPDATE_QUERY message counts"
ret=0
[ $uq1 -eq 0 ] || {
echo_i "ns1 $uq1 expected 0"
ret=1
}
[ $uq2 -eq 0 ] || {
echo_i "ns2 $uq2 expected 0"
ret=1
}
[ $uq3 -eq 0 ] || {
echo_i "ns3 $uq3 expected 0"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking UPDATE_RESPONSE message counts"
ret=0
[ $ur1 -eq 0 ] || {
echo_i "ns1 $ur1 expected 0"
ret=1
}
[ $ur2 -eq 0 ] || {
echo_i "ns2 $ur2 expected 0"
ret=1
}
[ $ur3 -eq 0 ] || {
echo_i "ns3 $ur3 expected 0"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking reopened message counts"
udp1=`$DNSTAPREAD ns1/dnstap.out | grep "UDP " | wc -l`
@@ -241,6 +289,8 @@ cq1=`$DNSTAPREAD ns1/dnstap.out | grep "CQ " | wc -l`
cr1=`$DNSTAPREAD ns1/dnstap.out | grep "CR " | wc -l`
rq1=`$DNSTAPREAD ns1/dnstap.out | grep "RQ " | wc -l`
rr1=`$DNSTAPREAD ns1/dnstap.out | grep "RR " | wc -l`
uq1=`$DNSTAPREAD ns1/dnstap.out | grep "UQ " | wc -l`
ur1=`$DNSTAPREAD ns1/dnstap.out | grep "UR " | wc -l`
udp2=`$DNSTAPREAD ns2/dnstap.out | grep "UDP " | wc -l`
tcp2=`$DNSTAPREAD ns2/dnstap.out | grep "TCP " | wc -l`
@@ -250,6 +300,8 @@ cq2=`$DNSTAPREAD ns2/dnstap.out | grep "CQ " | wc -l`
cr2=`$DNSTAPREAD ns2/dnstap.out | grep "CR " | wc -l`
rq2=`$DNSTAPREAD ns2/dnstap.out | grep "RQ " | wc -l`
rr2=`$DNSTAPREAD ns2/dnstap.out | grep "RR " | wc -l`
uq2=`$DNSTAPREAD ns2/dnstap.out | grep "UQ " | wc -l`
ur2=`$DNSTAPREAD ns2/dnstap.out | grep "UR " | wc -l`
udp3=`$DNSTAPREAD ns3/dnstap.out | grep "UDP " | wc -l`
tcp3=`$DNSTAPREAD ns3/dnstap.out | grep "TCP " | wc -l`
@@ -259,6 +311,8 @@ cq3=`$DNSTAPREAD ns3/dnstap.out | grep "CQ " | wc -l`
cr3=`$DNSTAPREAD ns3/dnstap.out | grep "CR " | wc -l`
rq3=`$DNSTAPREAD ns3/dnstap.out | grep "RQ " | wc -l`
rr3=`$DNSTAPREAD ns3/dnstap.out | grep "RR " | wc -l`
uq3=`$DNSTAPREAD ns3/dnstap.out | grep "UQ " | wc -l`
ur3=`$DNSTAPREAD ns3/dnstap.out | grep "UR " | wc -l`
echo_i "checking UDP message counts"
ret=0
@@ -266,8 +320,8 @@ ret=0
echo_i "ns1 $udp1 expected 0"
ret=1
}
[ $udp2 -eq 0 ] || {
echo_i "ns2 $udp2 expected 0"
[ $udp2 -eq 2 ] || {
echo_i "ns2 $udp2 expected 2"
ret=1
}
[ $udp3 -eq 2 ] || {
@@ -396,6 +450,41 @@ ret=0
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking UPDATE_QUERY message counts"
ret=0
[ $uq1 -eq 0 ] || {
echo_i "ns1 $uq1 expected 0"
ret=1
}
[ $uq2 -eq 1 ] || {
echo_i "ns2 $uq2 expected 1"
ret=1
}
[ $uq3 -eq 0 ] || {
echo_i "ns3 $uq3 expected 0"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking UPDATE_RESPONSE message counts"
ret=0
[ $ur1 -eq 0 ] || {
echo_i "ns1 $ur1 expected 0"
ret=1
}
[ $ur2 -eq 1 ] || {
echo_i "ns2 $ur2 expected 1"
ret=1
}
[ $ur3 -eq 0 ] || {
echo_i "ns3 $ur3 expected 0"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
HAS_PYYAML=0
if [ -n "$PYTHON" ] ; then
$PYTHON -c "import yaml" 2> /dev/null && HAS_PYYAML=1
@@ -423,6 +512,15 @@ status=`expr $status + $ret`
if [ -n "$FSTRM_CAPTURE" ] ; then
$DIG $DIGOPTS @10.53.0.4 a.example > dig.out
# send an UPDATE to ns4
$NSUPDATE <<- EOF > nsupdate.out 2>&1
server 10.53.0.4 ${PORT}
zone example
update add b.example 3600 in a 10.10.10.10
send
EOF
grep "update failed: NOTAUTH" nsupdate.out > /dev/null || ret=1
echo_i "checking unix socket message counts"
sleep 2
kill $fstrm_capture_pid
@@ -435,11 +533,13 @@ if [ -n "$FSTRM_CAPTURE" ] ; then
cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l`
rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l`
rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l`
uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l`
ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l`
echo_i "checking UDP message counts"
ret=0
[ $udp4 -eq 2 ] || {
echo_i "ns4 $udp4 expected 2"
[ $udp4 -eq 4 ] || {
echo_i "ns4 $udp4 expected 4"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
@@ -505,7 +605,27 @@ if [ -n "$FSTRM_CAPTURE" ] ; then
echo_i "ns4 $rr4 expected 0"
ret=1
}
echo_i "checking UPDATE_QUERY message counts"
ret=0
[ $uq4 -eq 1 ] || {
echo_i "ns4 $uq4 expected 1"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking UPDATE_RESPONSE message counts"
ret=0
[ $ur4 -eq 1 ] || {
echo_i "ns4 $ur4 expected 1"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
mv dnstap.out dnstap.out.save
$FSTRM_CAPTURE -t protobuf:dnstap.Dnstap -u ns4/dnstap.out \
-w dnstap.out > fstrm_capture.out 2>&1 &
fstrm_capture_pid=$!
@@ -524,6 +644,8 @@ if [ -n "$FSTRM_CAPTURE" ] ; then
cr4=`$DNSTAPREAD dnstap.out | grep "CR " | wc -l`
rq4=`$DNSTAPREAD dnstap.out | grep "RQ " | wc -l`
rr4=`$DNSTAPREAD dnstap.out | grep "RR " | wc -l`
uq4=`$DNSTAPREAD dnstap.out | grep "UQ " | wc -l`
ur4=`$DNSTAPREAD dnstap.out | grep "UR " | wc -l`
echo_i "checking UDP message counts"
ret=0
@@ -594,6 +716,24 @@ if [ -n "$FSTRM_CAPTURE" ] ; then
echo_i "ns4 $rr4 expected 0"
ret=1
}
echo_i "checking UPDATE_QUERY message counts"
ret=0
[ $uq4 -eq 0 ] || {
echo_i "ns4 $uq4 expected 0"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking UPDATE_RESPONSE message counts"
ret=0
[ $ur4 -eq 0 ] || {
echo_i "ns4 $ur4 expected 0"
ret=1
}
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
fi
echo_i "exit status: $status"
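Review bot: The `|| ret=1` at L304 records a missing "update failed: NOTAUTH", but the next visible statement touching ret is `ret=0` at L315, and no `status=` line or `ret=0` appears around L296-L304 in this hunk; unless the lines hidden between the two hunks fold ret into status, a failed or unexpectedly successful UPDATE to ns4 is never reported, and ret may also carry a stale value into the grep. Adding `if [ $ret != 0 ]; then echo_i "failed"; fi` and `status=\`expr $status + $ret\`` directly after L304 (with `ret=0` before the nsupdate) would make the check count. The nsupdate to ns2 at L151-L156 has no result check at all, so the uq2/ur2 expectations at L265 and L281 are the only evidence the update was processed; capturing its output and grepping for the expected outcome would make a failure there easier to diagnose.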


@@ -4366,10 +4366,11 @@ badresp:1,adberr:0,findfail:0,valfail:0]
The <command>dnstap</command> option is a bracketed list
of message types to be logged. These may be set differently
for each view. Supported types are <literal>client</literal>,
<literal>auth</literal>, <literal>resolver</literal>, and
<literal>forwarder</literal>. Specifying type
<literal>all</literal> will cause all <command>dnstap</command>
messages to be logged, regardless of type.
<literal>auth</literal>, <literal>resolver</literal>,
<literal>forwarder</literal>, and <literal>update</literal>.
Specifying type <literal>all</literal> will cause all
<command>dnstap</command> messages to be logged, regardless of
type.
</para>
<para>
Each type may take an additional argument to indicate whether


@@ -63,7 +63,7 @@
<command>sig-signing-type</command> <replaceable>integer</replaceable>;
<command>sig-validity-interval</command> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
<command>update-policy</command> ( local | { ( deny | grant ) <replaceable>string</replaceable> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
<command>update-policy</command> ( local | { ( deny | grant ) <replaceable>string</replaceable> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <replaceable>string</replaceable> ] <replaceable>rrtypelist</replaceable>; ... };
<command>zero-no-soa-ttl</command> <replaceable>boolean</replaceable>;
<command>zone-statistics</command> ( full | terse | none | <replaceable>boolean</replaceable> );
};


@@ -31,6 +31,7 @@
] [ dscp <replaceable>integer</replaceable> ];
<command>alt-transfer-source-v6</command> ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> |
* ) ] [ dscp <replaceable>integer</replaceable> ];
<command>answer-cookie</command> <replaceable>boolean</replaceable>;
<command>attach-cache</command> <replaceable>string</replaceable>;
<command>auth-nxdomain</command> <replaceable>boolean</replaceable>; // default changed
<command>auto-dnssec</command> ( allow | maintain | off );
@@ -96,8 +97,8 @@
<command>dnssec-secure-to-insecure</command> <replaceable>boolean</replaceable>;
<command>dnssec-update-mode</command> ( maintain | no-resign );
<command>dnssec-validation</command> ( yes | no | auto );
<command>dnstap</command> { ( all | auth | client | forwarder | resolver ) [ ( query |
<command>response</command> ) ]; ... };
<command>dnstap</command> { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; ... };
<command>dnstap-identity</command> ( <replaceable>quoted_string</replaceable> | none | hostname );
<command>dnstap-output</command> ( file | unix ) <replaceable>quoted_string</replaceable> [ size ( unlimited |
<replaceable>size</replaceable> ) ] [ versions ( unlimited | <replaceable>integer</replaceable> ) ] [ suffix (


@@ -51,7 +51,7 @@ zone <string> [ <class> ] {
sig-signing-type <integer>;
sig-validity-interval <integer> [ <integer> ];
update-check-ksk <boolean>;
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-subdomain | ms-self | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self | external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self | ms-selfsub | ms-subdomain | name | self | selfsub | selfwild | subdomain | tcp-self | wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
zero-no-soa-ttl <boolean>;
zone-statistics ( full | terse | none | <boolean> );
};


@@ -146,15 +146,13 @@ options {
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver ) [ ( query | response ) ]; ... }; // not configured
dnstap-identity ( <quoted_string> | none |
hostname ); // not configured
dnstap-output ( file | unix ) <quoted_string> [
size ( unlimited | <size> ) ] [ versions (
unlimited | <integer> ) ] [ suffix ( increment
| timestamp ) ]; // not configured
dnstap-version ( <quoted_string> | none ); // not configured
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; ... };
dnstap-identity ( <quoted_string> | none | hostname );
dnstap-output ( file | unix ) <quoted_string> [ size ( unlimited |
<size> ) ] [ versions ( unlimited | <integer> ) ] [ suffix (
increment | timestamp ) ];
dnstap-version ( <quoted_string> | none );
dscp <integer>;
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
@@ -178,14 +176,14 @@ options {
forward ( first | only );
forwarders [ port <integer> ] [ dscp <integer> ] { ( <ipv4_address>
| <ipv6_address> ) [ port <integer> ] [ dscp <integer> ]; ... };
fstrm-set-buffer-hint <integer>; // not configured
fstrm-set-flush-timeout <integer>; // not configured
fstrm-set-input-queue-size <integer>; // not configured
fstrm-set-output-notify-threshold <integer>; // not configured
fstrm-set-output-queue-model ( mpsc | spsc ); // not configured
fstrm-set-output-queue-size <integer>; // not configured
fstrm-set-reopen-interval <ttlval>; // not configured
geoip-directory ( <quoted_string> | none ); // not configured
fstrm-set-buffer-hint <integer>;
fstrm-set-flush-timeout <integer>;
fstrm-set-input-queue-size <integer>;
fstrm-set-output-notify-threshold <integer>;
fstrm-set-output-queue-model ( mpsc | spsc );
fstrm-set-output-queue-size <integer>;
fstrm-set-reopen-interval <ttlval>;
geoip-directory ( <quoted_string> | none );
geoip-use-ecs <boolean>; // obsolete
glue-cache <boolean>;
has-old-clients <boolean>; // obsolete
@@ -206,7 +204,7 @@ options {
listen-on-v6 [ port <integer> ] [ dscp
<integer> ] {
<address_match_element>; ... }; // may occur multiple times
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
lock-file ( <quoted_string> | none );
maintain-ixfr-base <boolean>; // obsolete
managed-keys-directory <quoted_string>;
@@ -515,8 +513,8 @@ view <string> [ <class> ] {
dnssec-secure-to-insecure <boolean>;
dnssec-update-mode ( maintain | no-resign );
dnssec-validation ( yes | no | auto );
dnstap { ( all | auth | client | forwarder |
resolver ) [ ( query | response ) ]; ... }; // not configured
dnstap { ( all | auth | client | forwarder | resolver | update ) [
( query | response ) ]; ... };
dual-stack-servers [ port <integer> ] { ( <quoted_string> [ port
<integer> ] [ dscp <integer> ] | <ipv4_address> [ port
<integer> ] [ dscp <integer> ] | <ipv6_address> [ port
@@ -547,7 +545,7 @@ view <string> [ <class> ] {
}; // may occur multiple times
key-directory <quoted_string>;
lame-ttl <ttlval>;
lmdb-mapsize <sizeval>; // non-operational
lmdb-mapsize <sizeval>;
maintain-ixfr-base <boolean>; // obsolete
managed-keys { <string> <string>
<integer> <integer> <integer>
@@ -822,10 +820,10 @@ view <string> [ <class> ] {
static-stub | stub );
update-check-ksk <boolean>;
update-policy ( local | { ( deny | grant ) <string> (
6to4-self | external | krb5-self | krb5-subdomain |
ms-self | ms-subdomain | name | self | selfsub |
selfwild | subdomain | tcp-self | wildcard | zonesub )
[ <string> ] <rrtypelist>; ... };
6to4-self | external | krb5-self | krb5-selfsub |
krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
name | self | selfsub | selfwild | subdomain | tcp-self
| wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
use-alt-transfer-source <boolean>;
zero-no-soa-ttl <boolean>;
zone-statistics ( full | terse | none | <boolean> );
@@ -926,9 +924,10 @@ zone <string> [ <class> ] {
forward | hint | redirect | static-stub | stub );
update-check-ksk <boolean>;
update-policy ( local | { ( deny | grant ) <string> ( 6to4-self |
external | krb5-self | krb5-subdomain | ms-self | ms-subdomain
| name | self | selfsub | selfwild | subdomain | tcp-self |
wildcard | zonesub ) [ <string> ] <rrtypelist>; ... };
external | krb5-self | krb5-selfsub | krb5-subdomain | ms-self
| ms-selfsub | ms-subdomain | name | self | selfsub | selfwild
| subdomain | tcp-self | wildcard | zonesub ) [ <string> ]
<rrtypelist>; ... };
use-alt-transfer-source <boolean>;
zero-no-soa-ttl <boolean>;
zone-statistics ( full | terse | none | <boolean> );


@@ -694,6 +694,10 @@ dnstap_type(dns_dtmsgtype_t msgtype) {
return (DNSTAP__MESSAGE__TYPE__TOOL_QUERY);
case DNS_DTTYPE_TR:
return (DNSTAP__MESSAGE__TYPE__TOOL_RESPONSE);
case DNS_DTTYPE_UQ:
return (DNSTAP__MESSAGE__TYPE__UPDATE_QUERY);
case DNS_DTTYPE_UR:
return (DNSTAP__MESSAGE__TYPE__UPDATE_RESPONSE);
default:
INSIST(0);
}
@@ -860,6 +864,7 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype,
case DNS_DTTYPE_FR:
case DNS_DTTYPE_SR:
case DNS_DTTYPE_TR:
case DNS_DTTYPE_UR:
if (rtime != NULL)
t = rtime;
@@ -881,6 +886,7 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype,
case DNS_DTTYPE_RQ:
case DNS_DTTYPE_SQ:
case DNS_DTTYPE_TQ:
case DNS_DTTYPE_UQ:
if (qtime != NULL)
t = qtime;
@@ -1160,6 +1166,12 @@ dns_dt_parse(isc_mem_t *mctx, isc_region_t *src, dns_dtdata_t **destp) {
case DNSTAP__MESSAGE__TYPE__TOOL_RESPONSE:
d->type = DNS_DTTYPE_TR;
break;
case DNSTAP__MESSAGE__TYPE__UPDATE_QUERY:
d->type = DNS_DTTYPE_UQ;
break;
case DNSTAP__MESSAGE__TYPE__UPDATE_RESPONSE:
d->type = DNS_DTTYPE_UR;
break;
default:
CHECK(DNS_R_BADDNSTAP);
}
@@ -1316,6 +1328,12 @@ dns_dt_datatotext(dns_dtdata_t *d, isc_buffer_t **dest) {
case DNS_DTTYPE_TR:
CHECK(putstr(dest, "TR "));
break;
case DNS_DTTYPE_UQ:
CHECK(putstr(dest, "UQ "));
break;
case DNS_DTTYPE_UR:
CHECK(putstr(dest, "UR "));
break;
default:
return (DNS_R_BADDNSTAP);
}
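Review bot: The UQ/UR additions land in five parallel switch statements across this file (dnstap_type at L556-L559, the two response/query classifiers in dns_dt_send at L567 and L574, dns_dt_parse at L581-L586 and dns_dt_datatotext at L594-L599), all encoding the same DNS_DTTYPE_* ↔ protobuf-type ↔ text mapping, and the same type also has to be added to DNS_DTTYPE_QUERY/RESPONSE in dnstap.h. That is six places to keep in step for every new message type; a single static table of (dtype, protobuf type, two-letter text, is-response) consulted by all five functions would reduce the next addition to one line. If the switches stay, a comment at dnstap_type pointing at the other four would at least make the coupling visible, e.g. `/* Any new DNS_DTTYPE_* must also be handled in dns_dt_send(), dns_dt_parse() and dns_dt_datatotext(). */`. The `"UQ "`/`"UR "` strings at L595 and L598 are also what the system test greps for, which is worth noting in the same comment.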


@@ -165,6 +165,16 @@ message Message {
// TOOL_RESPONSE is a DNS response message received by a DNS software
// tool from a DNS server, from the perspective of the tool.
TOOL_RESPONSE = 12;
// UPDATE_QUERY is a DNS update query message received from a resolver
// by an authoritative name server, from the perspective of the
// authoritative name server.
UPDATE_QUERY = 13;
// UPDATE_RESPONSE is a DNS update response message sent from an
// authoritative name server to a resolver, from the perspective of the
// authoritative name server.
UPDATE_RESPONSE = 14;
}
// One of the Type values described above.


@@ -73,13 +73,17 @@ struct fstrm_iothr_options;
#define DNS_DTTYPE_FR 0x0200
#define DNS_DTTYPE_TQ 0x0400
#define DNS_DTTYPE_TR 0x0800
#define DNS_DTTYPE_UQ 0x1000
#define DNS_DTTYPE_UR 0x2000
#define DNS_DTTYPE_QUERY \
(DNS_DTTYPE_SQ|DNS_DTTYPE_CQ|DNS_DTTYPE_AQ|\
DNS_DTTYPE_RQ|DNS_DTTYPE_FQ|DNS_DTTYPE_TQ)
DNS_DTTYPE_RQ|DNS_DTTYPE_FQ|DNS_DTTYPE_TQ|\
DNS_DTTYPE_UQ)
#define DNS_DTTYPE_RESPONSE \
(DNS_DTTYPE_SR|DNS_DTTYPE_CR|DNS_DTTYPE_AR|\
DNS_DTTYPE_RR|DNS_DTTYPE_FR|DNS_DTTYPE_TR)
DNS_DTTYPE_RR|DNS_DTTYPE_FR|DNS_DTTYPE_TR|\
DNS_DTTYPE_UR)
#define DNS_DTTYPE_ALL \
(DNS_DTTYPE_QUERY|DNS_DTTYPE_RESPONSE)


@@ -1276,10 +1276,11 @@ static cfg_type_t cfg_type_resppadding = {
* ...
* }
*
* ... where message type is one of: client, resolver, auth, forwarder, all
* ... where message type is one of: client, resolver, auth, forwarder,
* update, all
*/
static const char *dnstap_types[] = {
"all", "auth", "client", "forwarder", "resolver", NULL
"all", "auth", "client", "forwarder", "resolver", "update", NULL
};
static const char *dnstap_modes[] = { "query", "response", NULL };
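Review bot: `dnstap_types[]` at L652-L655 is the parser-side list of accepted type names, and each entry has to be matched by a strcasecmp() branch in configure_dnstap() or the option is accepted and then silently does nothing; this commit updates both sides, but nothing in the file records that coupling. A comment above the array would: `/* Keep in sync with the strcasecmp() chain in configure_dnstap(). */`. The block comment at L649-L650 also lists the types in a different order from the array; using the array's alphabetical order in both makes the comparison a glance.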


@@ -1225,10 +1225,13 @@ client_send(ns_client_t *client) {
isc_buffer_usedregion(&b, &zr);
}
if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0)
if (client->message->opcode == dns_opcode_update) {
dtmsgtype = DNS_DTTYPE_UR;
} else if ((client->message->flags & DNS_MESSAGEFLAG_RD) != 0) {
dtmsgtype = DNS_DTTYPE_CR;
else
} else {
dtmsgtype = DNS_DTTYPE_AR;
}
#endif /* HAVE_DNSTAP */
if (cleanup_cctx) {
@@ -1269,9 +1272,11 @@ client_send(ns_client_t *client) {
break;
}
} else {
respsize = isc_buffer_usedlength(&buffer);
result = client_sendpkg(client, &buffer);
#ifdef HAVE_DNSTAP
/*
* Log dnstap data first, because client_sendpkg() may
* leave client->view set to NULL.
*/
if (client->view != NULL) {
dns_dt_send(client->view, dtmsgtype,
&client->peeraddr,
@@ -1281,6 +1286,9 @@ client_send(ns_client_t *client) {
}
#endif /* HAVE_DNSTAP */
respsize = isc_buffer_usedlength(&buffer);
result = client_sendpkg(client, &buffer);
switch (isc_sockaddr_pf(&client->peeraddr)) {
case AF_INET:
isc_stats_increment(client->sctx->udpoutstats4,
@@ -2847,6 +2855,11 @@ ns__client_request(isc_task_t *task, isc_event_t *event) {
break;
case dns_opcode_update:
CTRACE("update");
#ifdef HAVE_DNSTAP
dns_dt_send(client->view, DNS_DTTYPE_UQ, &client->peeraddr,
&client->destsockaddr, TCP_CLIENT(client), NULL,
&client->requesttime, NULL, buffer);
#endif /* HAVE_DNSTAP */
ns_client_settimeout(client, 60);
ns_update_start(client, sigresult);
break;
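Review bot: The UQ record at L700-L704 is emitted before ns_update_start(), so the zone argument is necessarily NULL and the request is logged regardless of whether it is later authorized — the ns4 test in this commit relies on exactly that (a NOTAUTH response still yields uq4 = 1 and ur4 = 1). That is the useful behaviour for an audit trail of rejected UPDATE attempts, but it is not obvious from the call, so a comment would help: `/* Log before ns_update_start(): the zone is not yet known and rejected updates are recorded too. */`. Unlike the UR path in client_send() at L685, this call passes `client->view` without a NULL check; if the opcode switch can only be reached after a view has been attached, as the query path presumably assumes as well, a short note saying so would spare the next reader the trace. ns__client_request() starts and ends outside the hunk.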


@@ -1091,7 +1091,7 @@
./bin/tests/system/dnstap/good-size-version.conf CONF-C 2017,2018
./bin/tests/system/dnstap/ns1/named.conf.in CONF-C 2015,2016,2017,2018
./bin/tests/system/dnstap/ns1/root.db ZONE 2015,2016,2018
./bin/tests/system/dnstap/ns2/example.db ZONE 2015,2016,2018
./bin/tests/system/dnstap/ns2/example.db.in ZONE 2015,2016,2018
./bin/tests/system/dnstap/ns2/named.conf.in CONF-C 2015,2016,2017,2018
./bin/tests/system/dnstap/ns3/named.conf.in CONF-C 2015,2016,2017,2018
./bin/tests/system/dnstap/ns4/named.conf.in CONF-C 2016,2018