assert(m);
return sd_bus_message_append(reply, "(tttt)",
- (uint64_t) m->n_dnssec_secure,
- (uint64_t) m->n_dnssec_insecure,
- (uint64_t) m->n_dnssec_bogus,
- (uint64_t) m->n_dnssec_indeterminate);
+ (uint64_t) m->n_dnssec_verdict[DNSSEC_SECURE],
+ (uint64_t) m->n_dnssec_verdict[DNSSEC_INSECURE],
+ (uint64_t) m->n_dnssec_verdict[DNSSEC_BOGUS],
+ (uint64_t) m->n_dnssec_verdict[DNSSEC_INDETERMINATE]);
}
static int bus_property_get_dnssec_supported(
s->cache.n_hit = s->cache.n_miss = 0;
m->n_transactions_total = 0;
- m->n_dnssec_secure = m->n_dnssec_insecure = m->n_dnssec_bogus = m->n_dnssec_indeterminate = 0;
+ zero(m->n_dnssec_verdict);
return sd_bus_reply_method_return(message, NULL);
}
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-typedef enum DnssecMode DnssecMode;
typedef enum DnssecResult DnssecResult;
+typedef enum DnssecVerdict DnssecVerdict;
#include "dns-domain.h"
#include "resolved-dns-answer.h"
_DNSSEC_RESULT_INVALID = -1
};
+enum DnssecVerdict {
+ DNSSEC_SECURE,
+ DNSSEC_INSECURE,
+ DNSSEC_BOGUS,
+ DNSSEC_INDETERMINATE,
+
+ _DNSSEC_VERDICT_MAX,
+ _DNSSEC_VERDICT_INVALID = -1
+};
+
#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
/* The longest digest we'll ever generate, of all digest algorithms we support */
const char* dnssec_result_to_string(DnssecResult m) _const_;
DnssecResult dnssec_result_from_string(const char *s) _pure_;
+
+const char* dnssec_verdict_to_string(DnssecVerdict m) _const_;
+DnssecVerdict dnssec_verdict_from_string(const char *s) _pure_;
if (r < 0)
return r;
- t->scope->manager->n_dnssec_secure++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_SECURE, rr->key);
/* Exit the loop, we dropped something from the answer, start from the beginning */
changed = true;
if (r < 0)
return r;
- if (authenticated)
- t->scope->manager->n_dnssec_secure++;
- else
- t->scope->manager->n_dnssec_insecure++;
+ manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, rr->key);
/* Exit the loop, we dropped something from the answer, start from the beginning */
changed = true;
if (r < 0)
return r;
- t->scope->manager->n_dnssec_insecure++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
changed = true;
break;
}
if (r < 0)
return r;
- t->scope->manager->n_dnssec_insecure++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
changed = true;
break;
}
if (r < 0)
return r;
- t->scope->manager->n_dnssec_insecure++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
changed = true;
break;
}
if (r < 0)
return r;
- t->scope->manager->n_dnssec_insecure++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, rr->key);
changed = true;
break;
}
}
- if (IN_SET(result,
- DNSSEC_INVALID,
- DNSSEC_SIGNATURE_EXPIRED,
- DNSSEC_NO_SIGNATURE))
- t->scope->manager->n_dnssec_bogus++;
- else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
- t->scope->manager->n_dnssec_indeterminate++;
-
r = dns_transaction_is_primary_response(t, rr);
if (r < 0)
return r;
}
if (r == 0) {
+ if (IN_SET(result,
+ DNSSEC_INVALID,
+ DNSSEC_SIGNATURE_EXPIRED,
+ DNSSEC_NO_SIGNATURE))
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
+ else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
+
/* This is a primary response to our question, and it failed validation. That's
* fatal. */
t->answer_dnssec_result = result;
t->answer_rcode = DNS_RCODE_NXDOMAIN;
t->answer_authenticated = authenticated;
- if (authenticated)
- t->scope->manager->n_dnssec_secure++;
- else
- t->scope->manager->n_dnssec_insecure++;
-
+ manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
break;
case DNSSEC_NSEC_NODATA:
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_authenticated = authenticated;
- if (authenticated)
- t->scope->manager->n_dnssec_secure++;
- else
- t->scope->manager->n_dnssec_insecure++;
-
+ manager_dnssec_verdict(t->scope->manager, authenticated ? DNSSEC_SECURE : DNSSEC_INSECURE, t->key);
break;
case DNSSEC_NSEC_OPTOUT:
t->answer_dnssec_result = DNSSEC_UNSIGNED;
t->answer_authenticated = false;
- t->scope->manager->n_dnssec_insecure++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
break;
case DNSSEC_NSEC_NO_RR:
return r;
if (r > 0) {
t->answer_dnssec_result = DNSSEC_NO_SIGNATURE;
- t->scope->manager->n_dnssec_indeterminate++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
} else {
t->answer_dnssec_result = DNSSEC_UNSIGNED;
t->answer_authenticated = false;
- t->scope->manager->n_dnssec_insecure++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INSECURE, t->key);
}
break;
case DNSSEC_NSEC_UNSUPPORTED_ALGORITHM:
/* We don't know the NSEC3 algorithm used? */
t->answer_dnssec_result = DNSSEC_UNSUPPORTED_ALGORITHM;
- t->scope->manager->n_dnssec_indeterminate++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, t->key);
break;
case DNSSEC_NSEC_FOUND:
case DNSSEC_NSEC_CNAME:
/* NSEC says it needs to be there, but we couldn't find it? Bummer! */
t->answer_dnssec_result = DNSSEC_NSEC_MISMATCH;
- t->scope->manager->n_dnssec_bogus++;
+ manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, t->key);
break;
default:
projects / platform / upstream / systemd.git / commitdiff