From fee90af59a465544ff0aa26cf33636f4e46df935 Mon Sep 17 00:00:00 2001 From: Lubos Slovak <lubos.slovak@nic.cz> Date: Wed, 4 Sep 2013 15:52:39 +0200 Subject: [PATCH] Added DNSSEC debug messages. refs #4 --- configure.ac | 1 + src/knot/server/zones.c | 10 +++++++ src/libknot/dnssec/zone-events.c | 10 ++++++- src/libknot/dnssec/zone-nsec.c | 17 ++++++++++- src/libknot/dnssec/zone-sign.c | 11 ++++---- src/libknot/util/debug.h | 48 ++++++++++++++++++++++++++++++++ 6 files changed, 90 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 168de915b..7f86e2bdb 100644 --- a/configure.ac +++ b/configure.ac @@ -93,6 +93,7 @@ AC_ARG_ENABLE([debug], hash) AC_DEFINE([KNOT_HASH_DEBUG], [1], [Hashtable debug.]) ;; compiler) AC_DEFINE([KNOT_COMPILER_DEBUG], [1], [Zone compiler debug.]) ;; stash) AC_DEFINE([KNOT_STASH_DEBUG], [1], [Hash table stash debug.]) ;; + dnssec) AC_DEFINE([KNOT_DNSSEC_DEBUG], [1], [DNSSEC debug.]) ;; esac done ], []) diff --git a/src/knot/server/zones.c b/src/knot/server/zones.c index eeb68c293..31108411e 100644 --- a/src/knot/server/zones.c +++ b/src/knot/server/zones.c @@ -1005,6 +1005,8 @@ static int zones_journal_apply(knot_zone_t *zone) log_server_info("Zone '%s' serial %u -> %u.\n", zd->conf->name, serial, knot_zone_serial(contents)); + dbg_zones("Old zone contents: %p, new: %p\n", + zone->contents, contents); rcu_read_unlock(); apply_ret = xfrin_switch_zone(zone, contents, XFR_TYPE_IIN); @@ -1356,6 +1358,10 @@ static int zones_insert_zone(conf_zone_t *z, knot_zone_t **dst, /* Ensure both new and old have zone contents. */ knot_zone_contents_t *zc = knot_zone_get_contents(zone); knot_zone_contents_t *zc_old = knot_zone_get_contents(z_old); + + dbg_zones("Going to calculate diff. Old contents: %p, new: %p\n", + zc_old, zc); + knot_changesets_t *diff_chs = NULL; if (z->build_diffs && zc && zc_old && zone_changed) { diff_chs = knot_changesets_create(KNOT_CHANGESET_TYPE_IXFR); 
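Review bot: In src/knot/server/zones.c both added `dbg_zones` calls (zones_journal_apply in the -1005 hunk, zones_insert_zone in the -1356 hunk) pass `knot_zone_contents_t *` values to `%p` without a cast. `%p` is specified for `void *`, so the arguments should read `(void *)zone->contents, (void *)contents` and `(void *)zc_old, (void *)zc`. These messages also write raw heap addresses into the server log whenever the zones debug module is compiled in, which matters if debug logs are passed on outside the operating team. Both functions begin and end outside the hunks.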
@@ -1370,6 +1376,7 @@ static int zones_insert_zone(conf_zone_t *z, knot_zone_t **dst, rcu_read_unlock(); return KNOT_ENOMEM; } + dbg_zones(stderr, "Generating diff.\n"); int ret = zones_create_changeset(z_old, zone, diff_ch); if (ret == KNOT_ENODIFF) { @@ -1418,6 +1425,9 @@ static int zones_insert_zone(conf_zone_t *z, knot_zone_t **dst, knot_update_serial_t soa_up = zones_changesets_empty(diff_chs) ? KNOT_SOA_SERIAL_INC : KNOT_SOA_SERIAL_KEEP; + + dbg_zones(stderr, "Signing zone, serial policy: %d\n", + soa_up); int ret = knot_dnssec_zone_sign(zone, sec_ch, soa_up); if (ret != KNOT_EOK) { knot_changesets_free(&diff_chs); diff --git a/src/libknot/dnssec/zone-events.c b/src/libknot/dnssec/zone-events.c index 371479781..d3d06a39a 100644 --- a/src/libknot/dnssec/zone-events.c +++ b/src/libknot/dnssec/zone-events.c @@ -25,6 +25,7 @@ #include "libknot/dnssec/zone-keys.h" #include "libknot/dnssec/policy.h" #include "libknot/zone/zone.h" +#include "libknot/util/debug.h" static uint32_t time_now(void) { @@ -50,10 +51,13 @@ static void init_forced_policy(knot_dnssec_policy_t *p, static int zone_sign(knot_zone_t *zone, knot_changeset_t *out_ch, bool force, knot_update_serial_t soa_up) { - if (zone == NULL) { + if (zone == NULL) { return KNOT_EINVAL; } + dbg_dnssec_verb("Changeset emtpy before generating NSEC chain: %d\n", + knot_changeset_is_empty(out_ch)); + conf_zone_t *zone_config = ((zonedata_t *)knot_zone_data(zone))->conf; int result = KNOT_EOK; @@ -104,6 +108,8 @@ static int zone_sign(knot_zone_t *zone, knot_changeset_t *out_ch, bool force, free_zone_keys(&zone_keys); return result; } + dbg_dnssec_verb("Changeset emtpy after generating NSEC chain: %d\n", + knot_changeset_is_empty(out_ch)); // add missing signatures result = knot_zone_sign(zone->contents, &zone_keys, &policy, out_ch); 
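Review bot: `dbg_zones(stderr, "Generating diff.\n");` in the -1370 hunk and `dbg_zones(stderr, "Signing zone, serial policy: %d\n", soa_up);` in the -1418 hunk of zones_insert_zone pass `stderr` in the position of the format string. The definition of dbg_zones is not part of this patch, but if it follows the `log_msg(LOG_SERVER, LOG_DEBUG, msg)` pattern of the new dbg_dnssec macros, a build with zones debugging enabled hands a `FILE *` to the logger as its format. A default build hides the mistake because the macro expands to nothing. Drop the first argument: `dbg_zones("Generating diff.\n");` and `dbg_zones("Signing zone, serial policy: %d\n", soa_up);`.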
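Review bot: The first `dbg_dnssec_verb` call added to zone_sign() in src/libknot/dnssec/zone-events.c (-50 hunk) evaluates `knot_changeset_is_empty(out_ch)` right after a guard that only rejects `zone == NULL`, so in a DNSSEC-debug build `out_ch` reaches that helper unchecked. Whether the helper tolerates NULL is not visible here; either extend the guard to `if (zone == NULL || out_ch == NULL) {` or confirm the helper's contract. The message text also misspells "empty" as "emtpy", and the typo is repeated in the -104 and -116 hunks of this file and in connect_nsec_nodes() in zone-nsec.c, so a log search for the correct word will miss these lines. The removed and re-added `if (zone == NULL) {` line differs only in whitespace, which looks unintended.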
@@ -116,6 +122,8 @@ static int zone_sign(knot_zone_t *zone, knot_changeset_t *out_ch, bool force, free_zone_keys(&zone_keys); return result; } + dbg_dnssec_verb("Changeset emtpy after signing: %d\n", + knot_changeset_is_empty(out_ch)); // Check if only SOA changed if (knot_changeset_is_empty(out_ch) && diff --git a/src/libknot/dnssec/zone-nsec.c b/src/libknot/dnssec/zone-nsec.c index 805aff8dd..36481f6db 100644 --- a/src/libknot/dnssec/zone-nsec.c +++ b/src/libknot/dnssec/zone-nsec.c @@ -29,6 +29,7 @@ #include "libknot/util/utils.h" #include "libknot/zone/zone-contents.h" #include "libknot/zone/zone-diff.h" +#include "libknot/util/debug.h" /* - NSEC chain iteration -------------------------------------------------- */ @@ -195,6 +196,9 @@ static int connect_nsec_nodes(knot_node_t *a, knot_node_t *b, void *d) { nsec_chain_iterate_data_t *data = (nsec_chain_iterate_data_t *)d; + dbg_dnssec_detail("Changeset emtpy during generating NSEC chain: %d\n", + knot_changeset_is_empty(data->changeset)); + knot_rrset_t *old_nsec = knot_node_get_rrset(a, KNOT_RRTYPE_NSEC); int ret = 0; @@ -202,6 +206,12 @@ static int connect_nsec_nodes(knot_node_t *a, knot_node_t *b, void *d) // just remove the NSEC and its RRSIG, they are redundant if (old_nsec != NULL && knot_node_rrset_count(a) == KNOT_NODE_RRSET_COUNT_ONLY_NSEC) { + fprintf(stderr, "foobar\n"); +dbg_dnssec_exec_detail( + char *name = knot_dname_to_str(knot_rrset_owner(old_nsec)); + dbg_dnssec_detail("Removing NSEC at %s.\n", name); + free(name); +); ret = changeset_remove_nsec(old_nsec, data->changeset); return ret; } 
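Review bot: `fprintf(stderr, "foobar\n");` in the -202 hunk of connect_nsec_nodes() (src/libknot/dnssec/zone-nsec.c) is an unconditional placeholder print that runs in every build each time a redundant NSEC is removed. It should be deleted, since the `dbg_dnssec_exec_detail` block directly below already reports the removal with the owner name. Inside that block the result of `knot_dname_to_str()` is passed to `%s` without a NULL check; if that function can fail on allocation (its contract is not shown here), wrap the log call in `if (name != NULL)`. The function body continues outside the hunk.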
@@ -217,17 +227,21 @@ static int connect_nsec_nodes(knot_node_t *a, knot_node_t *b, void *d) knot_rrset_t *new_nsec = create_nsec_rrset(knot_node_owner(a), knot_node_owner(b), &rr_types, data->ttl); - if (!new_nsec) + if (!new_nsec) { + dbg_dnssec_detail("Failed to create new NSEC.\n"); return KNOT_ENOMEM; + } if (old_nsec != NULL) { // current NSEC is valid, do nothing if (knot_rrset_equal(new_nsec, old_nsec, KNOT_RRSET_COMPARE_WHOLE)) { + dbg_dnssec_detail("NSECs equal.\n"); knot_rrset_deep_free(&new_nsec, 1, 1); return KNOT_EOK; } + dbg_dnssec_detail("NSECs not equal, replacing.\n"); // current NSEC is invalid, replace it and drop RRSIG // mark the node, so later we know this NSEC needs new RRSIGs knot_node_set_replaced_nsec(a); @@ -238,6 +252,7 @@ static int connect_nsec_nodes(knot_node_t *a, knot_node_t *b, void *d) } } + dbg_dnssec_detail("Adding new NSEC to changeset.\n"); // Add new NSEC to the changeset (no matter if old was removed) return knot_changeset_add_rrset(data->changeset, new_nsec, KNOT_CHANGESET_ADD); diff --git a/src/libknot/dnssec/zone-sign.c b/src/libknot/dnssec/zone-sign.c index 801ac272f..444cd0cfa 100644 --- a/src/libknot/dnssec/zone-sign.c +++ b/src/libknot/dnssec/zone-sign.c @@ -574,8 +574,7 @@ static int add_rrsigs_for_nsec(knot_rrset_t *rrset, void *data) } if (res != KNOT_EOK) { - fprintf(stderr, "add_rrsigs_for_nsec() for NSEC" - "failed\n"); + dbg_dnssec_detail("add_rrsigs_for_nsec() for NSEC failed\n"); } return res; 
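Review bot: src/libknot/dnssec/zone-sign.c starts using `dbg_dnssec_detail` and `dbg_dnssec_verb` in the -574 hunk (add_rrsigs_for_nsec) and in the -617 and -656 hunks, but unlike zone-events.c and zone-nsec.c this patch adds no `#include "libknot/util/debug.h"` to it. Unless the header already arrives through another include, add that line next to the file's other libknot includes. Separately, replacing the `fprintf(stderr, ...)` failure reports with detail-level debug macros means a failed `zone_tree_sign()` or `sign_nsec()` leaves no message in a default build. The error code is still returned, so this is acceptable only if a caller logs it, which should be confirmed because a zone that silently stays unsigned is an operational problem.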
@@ -617,21 +616,21 @@ int knot_zone_sign(const knot_zone_contents_t *zone, result = zone_tree_sign(zone->nodes, zone_keys, policy, out_ch); if (result != KNOT_EOK) { - fprintf(stderr, "zone_tree_sign() on normal nodes failed\n"); + dbg_dnssec_detail("zone_tree_sign() on normal nodes failed\n"); return result; } result = zone_tree_sign(zone->nsec3_nodes, zone_keys, policy, out_ch); if (result != KNOT_EOK) { - fprintf(stderr, "zone_tree_sign() on nsec3 nodes failed\n"); + dbg_dnssec_detail("zone_tree_sign() on nsec3 nodes failed\n"); return result; } // sign all NSEC and NSEC3 RRs in changeset result = sign_nsec(zone_keys, policy, out_ch); if (result != KNOT_EOK) { - fprintf(stderr, "sign_nsec() failed\n"); + dbg_dnssec_detail("sign_nsec() failed\n"); return result; } @@ -656,6 +655,8 @@ int knot_zone_sign_update_soa(const knot_zone_contents_t *zone, const knot_dnssec_policy_t *policy, knot_changeset_t *changeset) { + dbg_dnssec_verb("Updating SOA...\n"); + knot_node_t *apex = knot_zone_contents_get_apex(zone); knot_rrset_t *soa = knot_node_get_rrset(apex, KNOT_RRTYPE_SOA); diff --git a/src/libknot/util/debug.h b/src/libknot/util/debug.h index 826260a10..f4a51a292 100644 --- a/src/libknot/util/debug.h +++ b/src/libknot/util/debug.h 
@@ -873,6 +873,54 @@ void knot_zone_contents_dump(knot_zone_contents_t *zone); #define dbg_rrset_exec_detail(cmds) #endif +#ifdef KNOT_DNSSEC_DEBUG + +/* Brief messages. */ +#ifdef DEBUG_ENABLE_BRIEF +#define dbg_dnssec(msg...) log_msg(LOG_SERVER, LOG_DEBUG, msg) +#define dbg_dnssec_hex(data, len) hex_log(LOG_SERVER, (data), (len)) +#define dbg_dnssec_exec(cmds) do { cmds } while (0) +#else +#define dbg_dnssec(msg...) +#define dbg_dnssec_hex(data, len) +#define dbg_dnssec_exec(cmds) +#endif + +/* Verbose messages. */ +#ifdef DEBUG_ENABLE_VERBOSE +#define dbg_dnssec_verb(msg...) log_msg(LOG_SERVER, LOG_DEBUG, msg) +#define dbg_dnssec_hex_verb(data, len) hex_log(LOG_SERVER, (data), (len)) +#define dbg_dnssec_exec_verb(cmds) do { cmds } while (0) +#else +#define dbg_dnssec_verb(msg...) +#define dbg_dnssec_hex_verb(data, len) +#define dbg_dnssec_exec_verb(cmds) +#endif + +/* Detail messages. */ +#ifdef DEBUG_ENABLE_DETAILS +#define dbg_dnssec_detail(msg...) log_msg(LOG_SERVER, LOG_DEBUG, msg) +#define dbg_dnssec_hex_detail(data, len) hex_log(LOG_SERVER, (data), (len)) +#define dbg_dnssec_exec_detail(cmds) do { cmds } while (0) +#else +#define dbg_dnssec_detail(msg...) +#define dbg_dnssec_hex_detail(data, len) +#define dbg_dnssec_exec_detail(cmds) +#endif + +/* No messages. */ +#else +#define dbg_dnssec(msg...) +#define dbg_dnssec_hex(data, len) +#define dbg_dnssec_exec(cmds) +#define dbg_dnssec_verb(msg...) +#define dbg_dnssec_hex_verb(data, len) +#define dbg_dnssec_exec_verb(cmds) +#define dbg_dnssec_detail(msg...) +#define dbg_dnssec_hex_detail(data, len) +#define dbg_dnssec_exec_detail(cmds) +#endif + /******************************************************************************/ #endif /* _KNOT_DEBUG_H_ */ -- GitLab
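Review bot: The new `KNOT_DNSSEC_DEBUG` block in src/libknot/util/debug.h has no comment saying how it is switched on or what may be passed to it. I would add a header comment above `#ifdef KNOT_DNSSEC_DEBUG`, for example `/* DNSSEC debug macros: enabled by the dnssec debug module in configure plus a DEBUG_ENABLE_* level; output goes to the server log at LOG_DEBUG. */`. A second comment on the `_hex` variants should note that they dump raw bytes into that log and must not be given private key material. Because every disabled variant expands to nothing, arguments are not compiled in a default build, so call sites should be built at least once with the module enabled before merging.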