Commit 6aad8c0f authored by Vladimír Čunát's avatar Vladimír Čunát Committed by Ondřej Surý

trust anchors: improve logging of failures

engine_cmd() doesn't print the error() exceptions thrown from lua;
it only leaves the message on the lua stack.

(cherry picked from commit a316b9f7)
parent dd7ba9e7
......@@ -65,8 +65,17 @@ struct engine {
int engine_init(struct engine *engine, knot_mm_t *pool);
void engine_deinit(struct engine *engine);
/** @warning This function leaves 1 string result on stack. */
/** Perform a lua command within the sandbox.
*
* @return zero on success.
* The result will be returned on the lua stack - an error message in case of failure.
* http://www.lua.org/manual/5.1/manual.html#lua_pcall */
int engine_cmd(struct lua_State *L, const char *str, bool raw);
/** Execute current chunk in the sandbox */
int engine_pcall(struct lua_State *L, int argc);
int engine_ipc(struct engine *engine, const char *expr);
int engine_start(struct engine *engine, const char *config_path);
void engine_stop(struct engine *engine);
......@@ -74,9 +83,6 @@ int engine_register(struct engine *engine, const char *module, const char *prece
int engine_unregister(struct engine *engine, const char *module);
void engine_lualib(struct engine *engine, const char *name, int (*lib_cb) (struct lua_State *));
/** Execute current chunk in the sandbox */
int engine_pcall(struct lua_State *L, int argc);
/** Return engine light userdata. */
struct engine *engine_luaget(struct lua_State *L);
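Review bot: The rewritten doc comment for engine_cmd() drops the stack-discipline statement that the removed `@warning` carried: it now says the result is returned on the lua stack, but no longer tells the caller that a value is left there and must be popped, nor whether that is true on success as well as on failure. The main.c hunk in this commit guards the read with `lua_gettop(engine.L) > 0`, which suggests a top-of-stack message is not guaranteed on every failure path; the comment should state the contract the callers can rely on. Suggested wording for the comment: ` * On failure an error message may be left on top of the lua stack; the caller owns it and should lua_pop() it.` and ` * @return 0 on success, otherwise a lua_pcall() status code.`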
......@@ -17,7 +17,8 @@ local function https_fetch(url, ca)
return resp[1]
end
-- Fetch root anchors in XML over HTTPS, returning a zone-file-style string.
-- Fetch root anchors in XML over HTTPS, returning a zone-file-style string
-- or false in case of error, and a message.
local function bootstrap(url, ca)
-- RFC 7958, sec. 2, but we don't do precise XML parsing.
-- @todo ICANN certificate is verified against current CA
......@@ -35,10 +36,13 @@ local function bootstrap(url, ca)
rr = rr .. '\n' .. string.format('. 0 IN DS %s %s %s %s',
fields.KeyTag, fields.Algorithm, fields.DigestType, fields.Digest)
end)
-- Add to key set, create an empty keyset file to be filled
print('[ ta ] warning: root anchor bootstrapped, you SHOULD check the key manually, see: '..
'https://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html#sigs')
return rr
if rr == '' then
return false, string.format('[ ta ] failed to get any record from "%s"', url)
end
local msg = '[ ta ] Root trust anchors bootstrapped over https with pinned certificate.\n'
.. ' You may want to verify them manually, as described on:\n'
.. ' https://data.iana.org/root-anchors/old/draft-icann-dnssec-trust-anchor.html#sigs'
return rr, msg
end
-- Load the module
......@@ -289,10 +293,12 @@ local trust_anchors = {
if not io.open(path, 'r') then
local rr, msg = bootstrap(trust_anchors.bootstrap_url, trust_anchors.bootstrap_ca)
if not rr then
error(msg..
': you MUST obtain the root TA manually, see: '..
'https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec')
msg = msg .. '\n'
.. '[ ta ] Failed to bootstrap root trust anchors; see:\n'
.. ' https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec'
error(msg)
end
print(msg)
trustanchor(rr)
-- Fetch DNSKEY immediately
trust_anchors.file_current = path
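Review bot: `error(msg)` in the bootstrap-failure branch uses the default level 1, so Lua prepends position information ("chunkname:line:") to the string message that main.c now logs verbatim through lua_tostring(); since this text is written for the operator, `error(msg, 0)` keeps it exactly as composed. The concatenation `msg = msg .. '\n'` also assumes bootstrap() always returns a string as its second value; the two visible returns (`false, string.format(...)` and `rr, msg`) do, but bootstrap's body between the shown hunks is not visible, so any earlier falsy return without a message would surface as "attempt to concatenate a nil value" and hide the real cause. A defensive form is `msg = (msg or '[ ta ] bootstrap failed (no details)') .. '\n'`. The function enclosing the third hunk starts outside it.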
......@@ -681,9 +681,14 @@ int main(int argc, char **argv)
ret = EXIT_FAILURE;
goto cleanup;
}
int lua_ret = 0;
if ((lua_ret = engine_cmd(engine.L, cmd, false)) != 0) {
kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n", keyfile_path, lua_strerror(lua_ret));
int lua_ret = engine_cmd(engine.L, cmd, false);
if (lua_ret != 0) {
if (lua_gettop(engine.L) > 0) {
kr_log_error("%s", lua_tostring(engine.L, -1));
} else {
kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n",
keyfile_path, lua_strerror(lua_ret));
}
ret = EXIT_FAILURE;
goto cleanup;
}
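Review bot: `kr_log_error("%s", lua_tostring(engine.L, -1))` passes whatever lua_tostring() returns straight to a printf-style format, and lua_tostring() returns NULL when the top value is neither a string nor a number (for instance a table thrown with error()), which makes the "%s" undefined behaviour; the non-empty-stack check does not cover that case. The same branch also drops the trailing newline that the lua_strerror() branch keeps, and the lua messages in this commit end without one, so the log line is left unterminated. Checking the pointer and falling through to the generic branch keeps the intent while closing both gaps.
```c
int lua_ret = engine_cmd(engine.L, cmd, false);
if (lua_ret != 0) {
	/* lua_tostring() is NULL for non-string error values; fall back to the generic message then. */
	const char *lua_msg = lua_gettop(engine.L) > 0 ? lua_tostring(engine.L, -1) : NULL;
	if (lua_msg != NULL) {
		kr_log_error("%s\n", lua_msg);
	} else {
		kr_log_error("[ ta ] keyfile '%s': failed to load (%s)\n",
			keyfile_path, lua_strerror(lua_ret));
	}
	// … unchanged: ret = EXIT_FAILURE; goto cleanup; …
```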
......@@ -76,7 +76,7 @@ static int insert_ta(map_t *trust_anchors, const knot_dname_t *name,
return kr_error(ENOMEM);
}
WITH_VERBOSE {
kr_rrset_print(ta_rr, "[ ta ]: new trust anchor state:\n");
kr_rrset_print(ta_rr, "[ ta ] new state of root trust anchors:\n");
}
if (is_new_key) {
return map_set(trust_anchors, (const char *)name, ta_rr);