trust anchors: improve logging of failures

engine_cmd() doesn't print the error() exceptions thrown from lua; it only leaves the message on lua stack. (cherry picked from commit a316b9f7)

trust anchors: improve logging of failures
engine_cmd() doesn't print the error() exceptions thrown from lua; it only leaves the message on lua stack. (cherry picked from commit a316b9f7)
6aad8c0f · Vladimír Čunát · Ondřej Surý · dd7ba9e7 · 6aad8c0f · 6aad8c0f
Commit 6aad8c0f authored 8 years ago by Vladimír Čunát Committed by Ondřej Surý 8 years ago
--- a/daemon/engine.h
+++ b/daemon/engine.h
@@ -65,8 +65,17 @@ struct engine {

 int engine_init(struct engine *engine, knot_mm_t *pool);
 void engine_deinit(struct engine *engine);
-/** @warning This function leaves 1 string result on stack. */
+
+/** Perform a lua command within the sandbox.
+ *
+ *  @return zero on success.
+ *  The result will be returned on the lua stack - an error message in case of failure.
+ *  http://www.lua.org/manual/5.1/manual.html#lua_pcall */
 int engine_cmd(struct lua_State *L, const char *str, bool raw);
+
+/** Execute current chunk in the sandbox */
+int engine_pcall(struct lua_State *L, int argc);
+
 int engine_ipc(struct engine *engine, const char *expr);
 int engine_start(struct engine *engine, const char *config_path);
 void engine_stop(struct engine *engine);
@@ -74,9 +83,6 @@ int engine_register(struct engine *engine, const char *module, const char *prece
 int engine_unregister(struct engine *engine, const char *module);
 void engine_lualib(struct engine *engine, const char *name, int (*lib_cb) (struct lua_State *));

-/** Execute current chunk in the sandbox */
-int engine_pcall(struct lua_State *L, int argc);
-
 /** Return engine light userdata. */
 struct engine *engine_luaget(struct lua_State *L);


--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -17,7 +17,8 @@ local function https_fetch(url, ca)
 	return resp[1]
 end

-- Fetch root anchors in XML over HTTPS, returning a zone-file-style string.
+-- Fetch root anchors in XML over HTTPS, returning a zone-file-style string
+-- or false in case of error, and a message.
 local function bootstrap(url, ca)
 	-- RFC 7958, sec. 2, but we don't do precise XML parsing.
 	-- @todo ICANN certificate is verified against current CA
@@ -35,10 +36,13 @@ local function bootstrap(url, ca)
 		rr = rr .. '\n' .. string.format('. 0 IN DS %s %s %s %s',
 			fields.KeyTag, fields.Algorithm, fields.DigestType, fields.Digest)
 	end)
-	-- Add to key set, create an empty keyset file to be filled
-	print('[ ta ] warning: root anchor bootstrapped, you SHOULD check the key manually, see: '..
-	      'https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html#sigs')
-	return rr
+	if rr == '' then
+		return false, string.format('[ ta ] failed to get any record from "%s"', url)
+	end
+	local msg = '[ ta ] Root trust anchors bootstrapped over https with pinned certificate.\n'
+			 .. '       You may want to verify them manually, as described on:\n'
+			 .. '       https://data.iana.org/root-anchors/old/draft-icann-dnssec-trust-anchor.html#sigs'
+	return rr, msg
 end

 -- Load the module
@@ -289,10 +293,12 @@ local trust_anchors = {
 			if not io.open(path, 'r') then
 				local rr, msg = bootstrap(trust_anchors.bootstrap_url, trust_anchors.bootstrap_ca)
 				if not rr then
-					error(msg..
-					      ': you MUST obtain the root TA manually, see: '..
-					      'https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec')
+					msg = msg .. '\n'
+						.. '[ ta ] Failed to bootstrap root trust anchors; see:\n'
+					    .. '       https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec'
+					error(msg)
 				end
+				print(msg)
 				trustanchor(rr)
 				-- Fetch DNSKEY immediately
 				trust_anchors.file_current = path

--- a/daemon/main.c
+++ b/daemon/main.c
@@ -681,9 +681,14 @@ int main(int argc, char **argv)
 			ret =  EXIT_FAILURE;
 			goto cleanup;
 		}
-		int lua_ret = 0;
-		if ((lua_ret = engine_cmd(engine.L, cmd, false)) != 0) {
-			kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n", keyfile_path, lua_strerror(lua_ret));
+		int lua_ret = engine_cmd(engine.L, cmd, false);
+		if (lua_ret != 0) {
+			if (lua_gettop(engine.L) > 0) {
+				kr_log_error("%s", lua_tostring(engine.L, -1));
+			} else {
+				kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n",
+						keyfile_path, lua_strerror(lua_ret));
+			}
 			ret = EXIT_FAILURE;
 			goto cleanup;
 		}

--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -76,7 +76,7 @@ static int insert_ta(map_t *trust_anchors, const knot_dname_t *name,
 		return kr_error(ENOMEM);
 	}
 	WITH_VERBOSE {
-		kr_rrset_print(ta_rr, "[ ta ]: new trust anchor state:\n");
+		kr_rrset_print(ta_rr, "[ ta ] new state of root trust anchors:\n");
 	}
 	if (is_new_key) {
 		return map_set(trust_anchors, (const char *)name, ta_rr);