4759. [func] Add logging channel "trust-anchor-telementry" to

record trust-anchor-telementry in incoming requests. Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options are logged. [RT #46124]

4759. [func] Add logging channel "trust-anchor-telementry" to
record trust-anchor-telementry in incoming requests. Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options are logged. [RT #46124]
b41c1aac · Mark Andrews · 99e00793 · b41c1aac · b41c1aac · b41c1aac
Commit b41c1aac authored Oct 06, 2017 by Mark Andrews
10 changed files
--- a/CHANGES
+++ b/CHANGES
+4759.	[func]		Add logging channel "trust-anchor-telementry" to
+			record trust-anchor-telementry in incoming requests.
+			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
+			are logged.  [RT #46124]
+
 4758.	[doc]		Remove documentation of unimplemented "topology".
 			[RT #46161]


--- a/bin/named/statschannel.c
+++ b/bin/named/statschannel.c
@@ -302,6 +302,7 @@ init_desc(void) {
 		       "successful uses of stale cache data after lookup failure",
 		       "QryUsedStale");
 	SET_NSSTATDESC(prefetch, "queries triggered prefetch", "Prefetch");
+	SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt");
 	INSIST(i == ns_statscounter_max);

 	/* Initialize resolver statistics */

--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3315,16 +3315,24 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

-echo "I:check that trust-anchor-telemetry queries are received ($n)"
+echo "I:check that _ta-XXXX trust-anchor-telemetry queries are logged ($n)"
 ret=0
-grep "query '_ta-[0-9a-f]*/NULL/IN' approved" ns1/named.run > /dev/null || ret=1
+grep "trust-anchor-telemetry '_ta-[0-9a-f]*/IN' from" ns1/named.run > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

-echo "I:check that trust-anchor-telemetry are not sent when disabled ($n)"
+echo "I:check that _ta-AAAA trust-anchor-telemetry are not sent when disabled ($n)"
 ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns1/named.run > /dev/null && ret=1
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/IN" ns1/named.run > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
+ret=0
+$DIG $DIGOPTS . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

--- a/doc/arm/logging-categories.xml
+++ b/doc/arm/logging-categories.xml
@@ -324,6 +324,16 @@
 	  </para>
 	</entry>
      </row>
+      <row rowsep="0">
+	<entry colname="1">
+	  <para><command>trust-anchor-telemetry</command></para>
+	</entry>
+	<entry colname="2">
+	  <para>
+	    Logs trust-anchor-telemetry requests received by named.
+	  </para>
+	</entry>
+      </row>
      <row rowsep="0">
 	<entry colname="1">
 	  <para><command>unmatched</command></para>

--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -544,6 +544,12 @@ exit_check(ns_client_t *client) {
 		client->mortal = ISC_FALSE;
 		client->sendcb = NULL;

+		if (client->keytag != NULL) {
+			isc_mem_put(client->mctx, client->keytag,
+				    client->keytag_len);
+			client->keytag_len = 0;
+		}
+
 		/*
 		 * Put the client on the inactive list.  If we are aiming for
 		 * the "freed" state, it will be removed from the inactive
@@ -612,6 +618,11 @@ exit_check(ns_client_t *client) {
 			dns_message_puttemprdataset(client->message,
 						    &client->opt);
 		}
+		if (client->keytag != NULL) {
+			isc_mem_put(client->mctx, client->keytag,
+				    client->keytag_len);
+			client->keytag_len = 0;
+		}

 		dns_message_destroy(&client->message);

@@ -2094,6 +2105,23 @@ process_ecs(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 	return (ISC_R_SUCCESS);
 }

+static isc_result_t
+process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+
+	if (optlen == 0 || (optlen % 2) != 0) {
+		isc_buffer_forward(buf, (unsigned int)optlen);
+		return (DNS_R_OPTERR);
+	}
+
+	client->keytag = isc_mem_get(client->mctx, optlen);
+	if (client->keytag != NULL) {
+		client->keytag_len = optlen;
+		memmove(client->keytag, isc_buffer_current(buf), optlen);
+	}
+	isc_buffer_forward(buf, (unsigned int)optlen);
+	return (ISC_R_SUCCESS);
+}
+
 static isc_result_t
 process_opt(ns_client_t *client, dns_rdataset_t *opt) {
 	dns_rdata_t rdata;
@@ -2190,6 +2218,16 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
 						   ns_statscounter_padopt);
 				isc_buffer_forward(&optbuf, optlen);
 				break;
+			case DNS_OPT_KEY_TAG:
+				result = process_keytag(client, &optbuf,
+							optlen);
+				if (result != ISC_R_SUCCESS) {
+					ns_client_error(client, result);
+					return (result);
+				}
+				ns_stats_increment(client->sctx->nsstats,
+						   ns_statscounter_keytagopt);
+				break;
 			default:
 				ns_stats_increment(client->sctx->nsstats,
 						   ns_statscounter_otheropt);
@@ -3014,6 +3052,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	ISC_LINK_INIT(client, link);
 	ISC_LINK_INIT(client, rlink);
 	ISC_QLINK_INIT(client, ilink);
+	client->keytag = NULL;
+	client->keytag_len = 0;

 	/*
 	 * We call the init routines for the various kinds of client here,

--- a/lib/ns/include/ns/client.h
+++ b/lib/ns/include/ns/client.h
@@ -164,6 +164,8 @@ struct ns_client {
 	ISC_QLINK(ns_client_t)	ilink;
 	unsigned char		cookie[8];
 	isc_uint32_t		expire;
+	unsigned char		*keytag;
+	isc_uint16_t		keytag_len;
 };

 typedef ISC_QUEUE(ns_client_t) client_queue_t;

--- a/lib/ns/include/ns/log.h
+++ b/lib/ns/include/ns/log.h
@@ -24,6 +24,7 @@ LIBNS_EXTERNAL_DATA extern isc_logmodule_t ns_modules[];
 #define NS_LOGCATEGORY_QUERIES		(&ns_categories[3])
 #define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_categories[4])
 #define NS_LOGCATEGORY_QUERY_ERRORS	(&ns_categories[5])
+#define NS_LOGCATEGORY_TAT		(&ns_categories[6])

 /*
 * Backwards compatibility.

--- a/lib/ns/include/ns/stats.h
+++ b/lib/ns/include/ns/stats.h
@@ -97,8 +97,9 @@ enum {
 	ns_statscounter_usedstale = 62,

 	ns_statscounter_prefetch = 63,
+	ns_statscounter_keytagopt = 64,

-	ns_statscounter_max = 64
+	ns_statscounter_max = 65
 };

 void

--- a/lib/ns/log.c
+++ b/lib/ns/log.c
@@ -31,6 +31,7 @@ LIBNS_EXTERNAL_DATA isc_logcategory_t ns_categories[] = {
 	{ "unmatched",                  0 },
 	{ "update-security",            0 },
 	{ "query-errors",               0 },
+	{ "trust-anchor-telemetry",     0 },
 	{ NULL, 			0 }
 };


--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -4027,7 +4027,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
 			zbits &= allowed;
 			if (zbits != 0) {
 				isc_netaddr_fromsockaddr(&netaddr,
-							&client->peeraddr);
+							 &client->peeraddr);
 				result = rpz_rewrite_ip(client, &netaddr, qtype,
 							DNS_RPZ_TYPE_CLIENT_IP,
 							zbits, &rdataset);
@@ -10478,6 +10478,66 @@ query_done(query_ctx_t *qctx) {
 	return (qctx->result);
 }

+static inline void
+log_tat(ns_client_t *client) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char clientbuf[ISC_NETADDR_FORMATSIZE];
+	char classname[DNS_RDATACLASS_FORMATSIZE];
+	isc_netaddr_t netaddr;
+	char *tags = NULL;
+	size_t taglen = 0;
+
+	if (!isc_log_wouldlog(ns_lctx, ISC_LOG_INFO)) {
+		return;
+	}
+
+	if ((client->query.qtype != dns_rdatatype_null ||
+	     !dns_name_istat(client->query.qname)) &&
+	    (client->keytag == NULL ||
+	     client->query.qtype != dns_rdatatype_dnskey))
+	{
+		return;
+	}
+
+	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+	dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+	isc_netaddr_format(&client->destaddr, clientbuf, sizeof(clientbuf));
+	dns_rdataclass_format(client->view->rdclass, classname,
+			      sizeof(classname));
+
+	if (client->query.qtype == dns_rdatatype_dnskey) {
+		isc_uint16_t keytags = client->keytag_len / 2;
+		size_t len = taglen = sizeof("65000") * keytags + 1;
+		char *cp = tags = isc_mem_get(client->mctx, taglen);
+		int i = 0;
+
+		INSIST(client->keytag != NULL);
+		if (tags != NULL) {
+			while (keytags-- > 0U) {
+				int n;
+				isc_uint16_t keytag;
+				keytag = (client->keytag[i * 2] << 8) |
+					 client->keytag[i * 2 + 1];
+				n = snprintf(cp, len, " %u", keytag);
+				if (n > 0 && (size_t)n <= len) {
+					cp += n;
+					len -= n;
+					i++;
+				} else {
+					break;
+				}
+			}
+		}
+	}
+
+	isc_log_write(ns_lctx, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY,
+		      ISC_LOG_INFO, "trust-anchor-telemetry '%s/%s' from %s%s",
+		      namebuf, classname, clientbuf, tags != NULL? tags : "");
+	if (tags != NULL) {
+		isc_mem_put(client->mctx, tags, taglen);
+	}
+}
+
 static inline void
 log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
 	char namebuf[DNS_NAME_FORMATSIZE];
@@ -10691,6 +10751,8 @@ ns_query_start(ns_client_t *client) {
 	client->query.qtype = qtype = rdataset->type;
 	dns_rdatatypestats_increment(client->sctx->rcvquerystats, qtype);

+	log_tat(client);
+
 	if (dns_rdatatype_ismeta(qtype)) {
 		switch (qtype) {
 		case dns_rdatatype_any: