authorLennart Poettering <lennart@poettering.net>2016-01-21 01:06:28 +0100
committerLennart Poettering <lennart@poettering.net>2016-01-25 17:19:19 +0100
commit7aa8ce985537e7803e16d6f2adf5143df4537cf8 (patch)
tree253b80335c320513511e6169be8f88009dfd2062
parent352af30838f130bf7aaa36dd6174945c11f39d29 (diff)
resolved: also collect statistics about negative DNSSEC proofs
We already maintain statistics about positive DNSSEC proofs, and count them up by 1 for each validated RRset. Now, update the same counters each time we validate a negative query, so that the statistics are the combined result of all validation checks, both positive and negative.
-rw-r--r--src/resolve/resolved-dns-transaction.c22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index d485cd917d..6b465abe48 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2900,6 +2900,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_NXDOMAIN;
t->answer_authenticated = authenticated;
+
+ if (authenticated)
+ t->scope->manager->n_dnssec_secure++;
+ else
+ t->scope->manager->n_dnssec_insecure++;
+
break;
case DNSSEC_NSEC_NODATA:
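Review bot: The four-line `if (authenticated) ... n_dnssec_secure++ ... else ... n_dnssec_insecure++` block added in this NXDOMAIN branch is repeated verbatim in the NODATA hunk that follows, and the later hunks each open-code their own counter bump. A small static helper would keep the accounting in one place, so both branches read something like `dnssec_count_negative(t, authenticated);` (the name is only a suggestion). That helper is also the natural home for a comment such as `/* Negative proofs are counted once per transaction; positive proofs once per validated RRset */`, since per the commit message the same counters now mix both units. The enclosing switch starts and ends outside the hunk.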
@@ -2908,6 +2914,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
t->answer_dnssec_result = DNSSEC_VALIDATED;
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_authenticated = authenticated;
+
+ if (authenticated)
+ t->scope->manager->n_dnssec_secure++;
+ else
+ t->scope->manager->n_dnssec_insecure++;
+
break;
case DNSSEC_NSEC_OPTOUT:
@@ -2915,6 +2927,8 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
t->answer_dnssec_result = DNSSEC_UNSIGNED;
t->answer_authenticated = false;
+
+ t->scope->manager->n_dnssec_insecure++;
break;
case DNSSEC_NSEC_NO_RR:
@@ -2923,11 +2937,13 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
r = dns_transaction_requires_nsec(t);
if (r < 0)
return r;
- if (r > 0)
+ if (r > 0) {
t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
- else {
+ t->scope->manager->n_dnssec_indeterminate++;
+ } else {
t->answer_dnssec_result = DNSSEC_UNSIGNED;
t->answer_authenticated = false;
+ t->scope->manager->n_dnssec_insecure++;
}
break;
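Review bot: In the `r > 0` branch the transaction is marked `DNSSEC_NO_SIGNATURE`, a validation failure for a zone that was required to supply NSEC data, yet it is tallied under `n_dnssec_indeterminate`. The `DNSSEC_NSEC_MISMATCH` case in the next hunk is counted as bogus. How the positive path counts a missing signature is not visible here; if it counts it as bogus, this branch should match with `t->scope->manager->n_dnssec_bogus++;`. The distinction matters to anyone watching these statistics, because a reply whose denial-of-existence records are missing from a signed zone would otherwise never show up in the bogus counter. The rest of the switch lies outside the hunk.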
@@ -2935,12 +2951,14 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
/* We don't know the NSEC3 algorithm used? */
t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
+ t->scope->manager->n_dnssec_indeterminate++;
break;
case DNSSEC_NSEC_FOUND:
case DNSSEC_NSEC_CNAME:
/* NSEC says it needs to be there, but we couldn't find it? Bummer! */
t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
+ t->scope->manager->n_dnssec_bogus++;
break;
default: