author | Lennart Poettering <lennart@poettering.net> | 2016-01-21 01:06:28 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2016-01-25 17:19:19 +0100 |
commit | 7aa8ce985537e7803e16d6f2adf5143df4537cf8 (patch) | |
tree | 253b80335c320513511e6169be8f88009dfd2062 /src | |
parent | 352af30838f130bf7aaa36dd6174945c11f39d29 (diff) |
resolved: also collect statistics about negative DNSSEC proofs
We already maintain statistics about positive DNSSEC proofs, and count them up by 1 for each validated RRset. Now,
update the same counters each time we validate a negative query, so that the statistics are the combined result of all
validation checks, both positive and negative.
Diffstat (limited to 'src')
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index d485cd917d..6b465abe48 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -2900,6 +2900,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 t->answer_dnssec_result = DNSSEC_VALIDATED;
 t->answer_rcode = DNS_RCODE_NXDOMAIN;
 t->answer_authenticated = authenticated;
+
+ if (authenticated)
+ t->scope->manager->n_dnssec_secure++;
+ else
+ t->scope->manager->n_dnssec_insecure++;
+
 break;
 case DNSSEC_NSEC_NODATA:
@@ -2908,6 +2914,12 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 t->answer_dnssec_result = DNSSEC_VALIDATED;
 t->answer_rcode = DNS_RCODE_SUCCESS;
 t->answer_authenticated = authenticated;
+
+ if (authenticated)
+ t->scope->manager->n_dnssec_secure++;
+ else
+ t->scope->manager->n_dnssec_insecure++;
+
 break;
 case DNSSEC_NSEC_OPTOUT:
@@ -2915,6 +2927,8 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 log_debug("Data is NSEC3 opt-out via NSEC/NSEC3 for transaction %u (%s)", t->id, dns_transaction_key_string(t));
 t->answer_dnssec_result = DNSSEC_UNSIGNED;
 t->answer_authenticated = false;
+
+ t->scope->manager->n_dnssec_insecure++;
 break;
 case DNSSEC_NSEC_NO_RR:
@@ -2923,11 +2937,13 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 r = dns_transaction_requires_nsec(t);
 if (r < 0)
 return r;
- if (r > 0)
+ if (r > 0) {
 t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
- else {
+ t->scope->manager->n_dnssec_indeterminate++;
+ } else {
 t->answer_dnssec_result = DNSSEC_UNSIGNED;
 t->answer_authenticated = false;
+ t->scope->manager->n_dnssec_insecure++;
 }
 break;
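Review bot: The secure/insecure counter update added under the NXDOMAIN case is repeated verbatim in the NODATA hunk (-2908,6 +2914,12), so the two copies can drift apart the next time the accounting changes. Both cases could call one small static helper, for example `dns_transaction_count_negative_proof(t, authenticated);` (a proposed name, not an existing function), which holds the `if (authenticated) ... else ...` increment. That helper is also the natural place for a comment saying that negative proofs are counted once per transaction while, per the commit message, positive proofs are counted once per validated RRset, so the totals mix two units. The body of dns_transaction_validate_dnssec() starts and ends outside this hunk.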
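Review bot: In the DNSSEC_NSEC_NO_RR case the `r > 0` branch, which presumably means NSEC data was required but none was found, is counted under `n_dnssec_indeterminate`, whereas RFC 4035 section 4.3 lists missing signatures among the reasons for a bogus verdict. An operator who watches `n_dnssec_bogus` to notice stripped DNSSEC records would not see this case, so the choice deserves a comment on that line, such as `/* NSEC required but absent: counted as indeterminate rather than bogus because ... */` with the reason supplied by the author. The same branch also leaves `t->answer_authenticated` untouched while the else branch clears it; whether the flag is reset before the switch is not visible in this hunk.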
@@ -2935,12 +2951,14 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
 case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
 /* We don't know the NSEC3 algorithm used? */
 t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
+ t->scope->manager->n_dnssec_indeterminate++;
 break;
 case DNSSEC_NSEC_FOUND:
 case DNSSEC_NSEC_CNAME:
 /* NSEC says it needs to be there, but we couldn't find it? Bummer! */
 t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
+ t->scope->manager->n_dnssec_bogus++;
 break;
 default: |