[1390] log bad requests

3ff33cfe · Jelte Jansen · cf297878 · 3ff33cfe · 3ff33cfe
Commit 3ff33cfe authored Nov 21, 2011 by Jelte Jansen
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 11 deletions

src/bin/xfrout/xfrout.py.in src/bin/xfrout/xfrout.py.in +17 -11

src/bin/xfrout/xfrout_messages.mes src/bin/xfrout/xfrout_messages.mes +14 -0

No files found.
--- a/src/bin/xfrout/xfrout.py.in
+++ b/src/bin/xfrout/xfrout.py.in
@@ -39,6 +39,7 @@ from isc.log_messages.xfrout_messages import *

 isc.log.init("b10-xfrout")
 logger = isc.log.Logger("xfrout")
+DBG_XFROUT_TRACE = logger.DBGLVL_TRACE_BASIC

 try:
    from libutil_io_python import *
@@ -224,39 +225,44 @@ class XfroutSession():
        # the auth server, but since it's far from our xfrout itself,
        # we check it by ourselves.
        if msg.get_rr_count(Message.SECTION_QUESTION) != 1:
-            # TODO: Log?
+            logger.debug(DBG_XFROUT_TRACE, XFROUT_XFR_REQUEST_MISSING_QUESTION,
+                         format_addrinfo(self._remote))
            return Rcode.FORMERR(), msg

        request_type = msg.get_question()[0].get_type()
+        zone_name = msg.get_question()[0].get_name()
+        zone_class = msg.get_question()[0].get_class()

        # If it is an IXFR query, there should be a SOA in the authority
        # section too
        if request_type == RRType.IXFR():
            if msg.get_rr_count(Message.SECTION_AUTHORITY) != 1:
-                # TODO: Log?
+                logger.debug(DBG_XFROUT_TRACE, XFROUT_IXFR_REQUEST_MISSING_SOA,
+                             format_addrinfo(self._remote),
+                             format_zone_str(zone_name, zone_class))
                return Rcode.FORMERR(), msg
            self._request_type = 'IXFR'
        elif request_type == RRType.AXFR():
            self._request_type = 'AXFR'
        else:
-            # TODO: Log?
+            logger.error(XFROUT_XFR_REQUEST_BAD_TYPE,
+                         format_zone_str(zone_name, zone_class),
+                         format_addrinfo(self._remote))
            return Rcode.FORMERR(), msg

        # ACL checks
-        zone_name = msg.get_question()[0].get_name()
-        zone_class = msg.get_question()[0].get_class()
        acl = self._get_transfer_acl(zone_name, zone_class)
        acl_result = acl.execute(
            isc.acl.dns.RequestContext(self._remote[2], msg.get_tsig_record()))
        if acl_result == DROP:
-            logger.info(XFROUT_QUERY_DROPPED, self._request_type,
-                        format_addrinfo(self._remote),
-                        format_zone_str(zone_name, zone_class))
+            logger.debug(DBG_XFROUT_TRACE, XFROUT_QUERY_DROPPED,
+                         self._request_type, format_addrinfo(self._remote),
+                         format_zone_str(zone_name, zone_class))
            return None, None
        elif acl_result == REJECT:
-            logger.info(XFROUT_QUERY_REJECTED, self._request_type,
-                        format_addrinfo(self._remote),
-                        format_zone_str(zone_name, zone_class))
+            logger.debug(DBG_XFROUT_TRACE, XFROUT_QUERY_REJECTED,
+                         self._request_type, format_addrinfo(self._remote),
+                         format_zone_str(zone_name, zone_class))
            return Rcode.REFUSED(), msg

        return rcode, msg

--- a/src/bin/xfrout/xfrout_messages.mes
+++ b/src/bin/xfrout/xfrout_messages.mes
@@ -56,6 +56,10 @@ are missing on the system, or the PYTHONPATH variable is not correct.
 The specific place where this library needs to be depends on your
 system and your specific installation.

+% XFROUT_IXFR_REQUEST_MISSING_SOA IXFR client %1: request packet for %2 did not contain SOA RR
+An IXFR request arrived, but it did not contain a SOA RR in its authority
+section. The xfrout daemon will respond with a FORMERR.
+
 % XFROUT_IXFR_TRANSFER_STARTED %1 client %2: IXFR transfer of zone %3 has started
 An incremental transfer out of the given zone has started.

@@ -150,6 +154,16 @@ on, but the file is in use. The most likely cause is that another
 xfrout daemon process is still running. This xfrout daemon (the one
 printing this message) will not start.

+% XFROUT_XFR_REQUEST_BAD_TYPE bad question type in transfer request for %1 from %2
+A transfer request for the given zone arrived, but the RR in the question
+section was not of type AXFR or IXFR. This request should not even have
+reached the xfrout daemon, and there appears to be a problem in the module
+that passed it on, please file a bug report if this error is encountered.
+
+% XFROUT_XFR_REQUEST_MISSING_QUESTION empty question section in transfer request from %1
+A transfer request from the given client did not contain a question section.
+The xfrout daemon will respond with a FORMERR.
+
 % XFROUT_XFR_TRANSFER_DONE %1 client %2: transfer of %3 complete
 The transfer of the given zone has been completed successfully, or was
 aborted due to a shutdown event.