From 554b580e970275d5a869cb4fbfb2716f92b2f664 Mon Sep 17 00:00:00 2001
From: Simon Kelley
Date: Fri, 17 Apr 2015 22:50:20 +0100
Subject: Log domain when reporting DNSSEC validation failure.
---
 src/forward.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index 3f6b9a2..1c7da3f 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1014,7 +1014,7 @@ void reply_query(int fd, int family, time_t now)
  header->hb3 |= HB3_TC;
  else
  {
- char *result;
+ char *result, *domain = "result";
  if (forward->work_counter == 0)
  {
@@ -1024,7 +1024,10 @@ void reply_query(int fd, int family, time_t now)
  else
  result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+ if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
  }
  if (status == STAT_SECURE)
@@ -1975,7 +1978,7 @@ unsigned char *tcp_request(int confd, time_t now,
  {
  int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
  int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
- char *result;
+ char *result, *domain = "result";
  if (status == STAT_INSECURE_DS)
  {
@@ -1993,8 +1996,10 @@ unsigned char *tcp_request(int confd, time_t now,
  }
  else
  result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
-
- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+ if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
  if (status == STAT_BOGUS)
  {
-- cgit v1.2.1
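Review bot: In the reply_query hunk at `@@ -1024,7 +1024,10 @@`, the name logged for a BOGUS result is parsed out of the upstream reply into the shared `daemon->namebuff`, and the hunk gives no sign that the buffer is free to overwrite at this point or that the name is fit to log as-is. The reply has just failed validation, so its question name should be treated as untrusted text by anything that consumes these log lines; whether `extract_request` or `log_query` escape non-printable bytes is not visible here. I would state both assumptions at the call, e.g. `/* namebuff is scratch here; name is taken from the unvalidated reply */`, and confirm that nothing after the hunk still reads the previous contents of `daemon->namebuff`. The same lines are added in tcp_request at `@@ -1993,8 +1996,10 @@` (with `m` as the length); both function bodies continue outside their hunks.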
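Review bot: The block added in tcp_request at `@@ -1993,8 +1996,10 @@` is a copy of the one added to reply_query, differing only in the length argument (`m` instead of `n`), so the UDP and TCP paths can drift apart the next time this logging changes. A small static helper that takes the header, the packet length and the status, and returns either `daemon->namebuff` or the `"result"` placeholder, would keep the two log lines identical and leave a single place to adjust. The placeholder also deserves a one-line comment where `domain` is declared, such as `/* "result" is logged in the name field when no domain is extracted */`, because SECURE and INSECURE lines still carry the literal `result` while BOGUS lines now carry a domain, which matters to anyone parsing these logs.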