
add security polling to 3.6.2

1 parent de04008 commit 42025be31eb9a3f22e2036fd3516101cfe1954f8 @ahupowerdns ahupowerdns committed Oct 28, 2014
Showing with 92 additions and 15 deletions.
  1. +1 −1 pdns/Makefile-recursor
  2. +2 −1 pdns/Makefile.am
  3. +2 −2 pdns/dist-recursor
  4. +15 −11 pdns/pdns_recursor.cc
  5. +61 −0 pdns/secpoll-recursor.cc
  6. +11 −0 pdns/secpoll-recursor.hh
@@ -24,7 +24,7 @@ dns_random.o ext/polarssl-1.3.2/library/aes.o ext/polarssl-1.3.2/library/padlock
lua-pdns.o lua-recursor.o randomhelper.o recpacketcache.o dns.o \
reczones.o base32.o nsecrecords.o json.o ws-recursor.o ws-api.o \
version.o responsestats.o webserver.o ext/yahttp/yahttp/reqresp.o ext/yahttp/yahttp/router.o \
-rec-carbon.o
+rec-carbon.o secpoll-recursor.o
REC_CONTROL_OBJECTS=rec_channel.o rec_control.o arguments.o misc.o \
unix_utility.o logger.o qtype.o
@@ -325,7 +325,8 @@ dns_random.cc \
lua-pdns.cc lua-pdns.hh lua-recursor.cc lua-recursor.hh randomhelper.cc \
recpacketcache.cc recpacketcache.hh dns.cc nsecrecords.cc base32.cc cachecleaner.hh \
ws-recursor.cc ws-recursor.hh ws-api.cc ws-api.hh webserver.cc webserver.hh \
-json.cc json.hh version.hh version.cc responsestats.cc rec-carbon.cc
+json.cc json.hh version.hh version.cc responsestats.cc rec-carbon.cc secpoll-recursor.cc \
+secpoll-recursor.hh
pdns_recursor_LDFLAGS= $(LUA_LIBS)
pdns_recursor_LDADD= $(POLARSSL_LIBS) $(YAHTTP_LIBS)
@@ -27,7 +27,7 @@ mplexer.hh \
dns_random.hh lua-pdns.hh lua-recursor.hh namespaces.hh \
recpacketcache.hh base32.hh cachecleaner.hh json.hh version.hh \
ws-recursor.hh ws-api.hh \
-responsestats.hh webserver.hh"
+responsestats.hh webserver.hh secpoll-recursor.hh"
CFILES="syncres.cc misc.cc unix_utility.cc qtype.cc \
logger.cc arguments.cc lwres.cc pdns_recursor.cc \
@@ -37,7 +37,7 @@ selectmplexer.cc epollmplexer.cc kqueuemplexer.cc portsmplexer.cc pdns_hw.cc \
sillyrecords.cc lua-pdns.cc lua-recursor.cc randomhelper.cc \
devpollmplexer.cc recpacketcache.cc dns.cc reczones.cc base32.cc nsecrecords.cc \
dnslabeltext.cc json.cc ws-recursor.cc ws-api.cc version.cc dns_random.cc \
-responsestats.cc webserver.cc rec-carbon.cc"
+responsestats.cc webserver.cc rec-carbon.cc secpoll-recursor.cc"
cd docs
make pdns_recursor.1 rec_control.1
@@ -66,7 +66,7 @@
#include "lua-recursor.hh"
#include "version.hh"
#include "responsestats.hh"
-
+#include "secpoll-recursor.hh"
#ifndef RECURSOR
#include "statbag.hh"
StatBag S;
@@ -1161,7 +1161,7 @@ void doStats(void)
static void houseKeeping(void *)
try
{
- static __thread time_t last_stat, last_rootupdate, last_prune;
+ static __thread time_t last_stat, last_rootupdate, last_prune, last_secpoll;
static __thread int cleanCounter=0;
struct timeval now;
Utility::gettimeofday(&now, 0);
@@ -1188,13 +1188,6 @@ try
last_prune=time(0);
}
- if(!t_id) {
- if(now.tv_sec - last_stat >= 1800) {
- doStats();
- last_stat=time(0);
- }
- }
-
if(now.tv_sec - last_rootupdate > 7200) {
SyncRes sr(now);
sr.setDoEDNS0(true);
@@ -1209,13 +1202,23 @@ try
else
L<<Logger::Error<<"Failed to update . records, RCODE="<<res<<endl;
}
+
+ if(!t_id) {
+ if(now.tv_sec - last_stat >= 1800) {
+ doStats();
+ last_stat=time(0);
+ }
+
+ if(now.tv_sec - last_secpoll >= 3600) {
+ doSecPoll(&last_secpoll);
+ }
+ }
}
catch(PDNSException& ae)
{
- L<<Logger::Error<<"Fatal error: "<<ae.reason<<endl;
+ L<<Logger::Error<<"Fatal error in housekeeping thread: "<<ae.reason<<endl;
throw;
}
-;
void makeThreadPipes()
{
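Review bot: The new `doSecPoll(&last_secpoll)` call sits inside houseKeeping's single try block, so any PDNSException raised while it resolves the poll name (it goes through SyncRes in secpoll-recursor.cc) is rethrown by the catch below and takes the whole housekeeping thread — cache pruning, stats and the root refresh — down with it. Since the poll is a best-effort check, consider isolating it: `try { doSecPoll(&last_secpoll); } catch(PDNSException& e) { L<<Logger::Warning<<"Security poll failed: "<<e.reason<<endl; }`. Whether beginResolve can actually throw is not visible in this hunk, so treat this as hardening rather than a known crash. houseKeeping begins outside this hunk. The help text for `security-poll-suffix` in the following hunk could also state that an empty value disables polling, which is exactly what secpoll-recursor.cc checks.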
@@ -2156,6 +2159,7 @@ int main(int argc, char **argv)
::arg().set("minimum-ttl-override", "Set under adverse conditions, a minimum TTL")="0";
::arg().set("include-dir","Include *.conf files from this directory")="";
+ ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
::arg().setCmd("help","Provide a helpful message");
::arg().setCmd("version","Print version string");
@@ -0,0 +1,61 @@
+#include "secpoll-recursor.hh"
+#include "syncres.hh"
+#include "logger.hh"
+#include "arguments.hh"
+#include "version.hh"
+#include "version_generated.h"
+#include <stdint.h>
+#ifndef PACKAGEVERSION
+#define PACKAGEVERSION PDNS_VERSION
+#endif
+
+uint32_t g_security_status;
+string g_security_message;
+
+void doSecPoll(time_t* last_secpoll)
+{
+ if(::arg()["security-poll-suffix"].empty())
+ return;
+
+ struct timeval now;
+ gettimeofday(&now, 0);
+ SyncRes sr(now);
+
+ vector<DNSResourceRecord> ret;
+
+ string query = "recursor-" PACKAGEVERSION ".security-status."+::arg()["security-poll-suffix"];
+
+ if(*query.rbegin()!='.')
+ query+='.';
+
+ boost::replace_all(query, "+", "_");
+
+ int res=sr.beginResolve(query, QType(QType::TXT), 1, ret);
+ if(!res && !ret.empty()) {
+ string content=ret.begin()->content;
+ if(!content.empty() && content[0]=='"' && content[content.size()-1]=='"') {
+ content=content.substr(1, content.length()-2);
+ }
+
+ pair<string, string> split = splitField(content, ' ');
+
+ g_security_status = atoi(split.first.c_str());
+ g_security_message = split.second;
+
+ *last_secpoll=now.tv_sec;
+ }
+ else {
+ L<<Logger::Warning<<"Could not retrieve security status update for '" PACKAGEVERSION "' on '"+query+"', RCODE = "<< RCode::to_s(res)<<endl;
+ if(g_security_status == 1) // it was ok, not it is unknown
+ g_security_status = 0;
+ if(res == RCode::NXDomain) // if we had servfail, keep on trying more more frequently
+ *last_secpoll=now.tv_sec;
+ }
+
+ if(g_security_status == 2) {
+ L<<Logger::Error<<"PowerDNS Security Update Recommended: "<<g_security_message<<endl;
+ }
+ else if(g_security_status == 3) {
+ L<<Logger::Error<<"PowerDNS Security Update Mandatory: "<<g_security_message<<endl;
+ }
+}
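Review bot: The TXT content is parsed with `atoi` and `split.second` is stored and logged verbatim, yet it is an ordinary unauthenticated DNS answer; `atoi` silently maps garbage to 0 and negative values wrap into the `uint32_t`, and a message containing newlines or control characters is written straight into the log. Restrict the status to the codes the code actually acts on (0–3) and keep the message printable before storing it; the rewrite below replaces the two assignment lines after `splitField`. The retry logic also keeps polling every housekeeping pass for any outcome other than success or NXDomain (including a NODATA answer where `res` is 0 but `ret` is empty), which is presumably intended but worth a comment on the `else` branch.
```cpp
    pair<string, string> split = splitField(content, ' ');

    // Only the known status codes are meaningful; anything else is "unknown".
    char* end = 0;
    unsigned long status = strtoul(split.first.c_str(), &end, 10);
    if(end == split.first.c_str() || *end != '\0' || status > 3) {
      L<<Logger::Warning<<"Ignoring malformed security status '"<<split.first<<"' from '"<<query<<"'"<<endl;
      g_security_status = 0;
    }
    else
      g_security_status = status;

    // Keep the message printable so a crafted record cannot inject log lines.
    string message;
    for(string::size_type i = 0; i < split.second.size(); ++i) {
      char c = split.second[i];
      message += (c >= 32 && c < 127) ? c : '?';
    }
    g_security_message = message;

    // … unchanged: *last_secpoll=now.tv_sec and the else/logging branches …
```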
@@ -0,0 +1,11 @@
+#ifndef PDNS_SECPOLL_RECURSOR_HH
+#define PDNS_SECPOLL_RECURSOR_HH
+#include <time.h>
+#include "namespaces.hh"
+#include <stdint.h>
+
+void doSecPoll(time_t* );
+extern uint32_t g_security_status;
+extern std::string g_security_message;
+
+#endif
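Review bot: The header declares `doSecPoll(time_t* )` and two globals without saying what they mean, and the status values are only discoverable by reading secpoll-recursor.cc. A short comment above the declarations would help: `// Polls the configured security-poll-suffix and updates the globals below; *last_secpoll is set to the poll time on success or NXDomain.` and `// g_security_status: 0 unknown, 1 ok, 2 update recommended, 3 update mandatory`. Naming the parameter (`time_t* last_secpoll`) would also make the prototype self-describing.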
