This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



[PATCH] Silence resolver logging for DNAME records when DNSSEC is enabled


DNAME records are a convenient way to set up RRSIG for an entire
subtree of a domain name tree instead of signing each of those
records.  Querying such domains results in messages about a mismatch
in the query type and returned record type.  This patch disables the
logging of this message for DNAME records if the DO bit is set.

Tested on x86_64.

	* resolv/gethnamaddr.c (getanswer): Don't log about record
	type mismatch for DNAME if DNSSEC is requested.
	* resolv/nss_dns/dns-host.c (getanswer_r): Likewise.
---
 resolv/gethnamaddr.c      | 14 +++++++++++---
 resolv/nss_dns/dns-host.c | 11 ++++++++---
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/resolv/gethnamaddr.c b/resolv/gethnamaddr.c
index 9e0c498..ae55fac 100644
--- a/resolv/gethnamaddr.c
+++ b/resolv/gethnamaddr.c
@@ -349,10 +349,18 @@ getanswer (const querybuf *answer, int anslen, const char *qname, int qtype)
 			continue;
 		}
 		if (type != qtype) {
-			syslog(LOG_NOTICE|LOG_AUTH,
+			/* Skip logging if we received a DNAME when we have set
+			 * the DO bit.  DNAME records are a convenient way to
+			 * set up DNSSEC records and such setups can make this
+			 * log message needlessly noisy.
+			 */
+			if ((_res.options & RES_USE_DNSSEC) == 0
+			    || type != T_DNAME) {
+				syslog(LOG_NOTICE|LOG_AUTH,
 	       "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-			       qname, p_class(C_IN), p_type(qtype),
-			       p_type(type));
+					qname, p_class(C_IN), p_type(qtype),
+					p_type(type));
+			}
 			cp += n;
 			continue;		/* XXX - had_error++ ? */
 		}
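Review bot: The new guard `if ((_res.options & RES_USE_DNSSEC) == 0 || type != T_DNAME)` keys the suppression on a local resolver option rather than on anything in the response, so once the DO bit is requested every DNAME in an answer is dropped by `cp += n; continue;` without leaving a trace. This notice goes to LOG_AUTH and is one of the few signals an operator gets about unexpected records in a reply; nothing visible in the hunk checks that the DNAME's owner is an ancestor of `qname` or that the record was validated. I would either narrow the condition to DNAMEs that actually cover `qname`, or keep the message at a lower priority for this case (`LOG_DEBUG|LOG_AUTH`) instead of removing it. The comment should also say `The record itself is still skipped; only the notice is suppressed.` so the next reader does not assume the DNAME is followed. The same condition is duplicated in getanswer_r (resolv/nss_dns/dns-host.c), and getanswer's body continues outside this hunk.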
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index b10c94e..510d388 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -844,9 +844,14 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 	have_to_map = 1;
       else if (__glibc_unlikely (type != qtype))
 	{
-	  syslog (LOG_NOTICE | LOG_AUTH,
-	       "gethostby*.getanswer: asked for \"%s %s %s\", got type \"%s\"",
-		  qname, p_class (C_IN), p_type (qtype), p_type (type));
+	  /* Skip logging if we received a DNAME when we have set the DO bit.
+	     DNAME records are a convenient way to set up DNSSEC records and
+	     such setups can make this log message needlessly noisy.  */
+	  if ((_res.options & RES_USE_DNSSEC) == 0 || type != T_DNAME)
+	    syslog (LOG_NOTICE | LOG_AUTH,
+		    "gethostby*.getanswer: asked for \"%s %s %s\", "
+		    "got type \"%s\"",
+		    qname, p_class (C_IN), p_type (qtype), p_type (type));
 	  cp += n;
 	  continue;			/* XXX - had_error++ ? */
 	}
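Review bot: The syslog format in getanswer_r is now split into two adjacent literals (`"gethostby*.getanswer: asked for \"%s %s %s\", "` and `"got type \"%s\""`), so a grep for the text as it appears in the log no longer finds this call site, while getanswer in resolv/gethnamaddr.c keeps the message on one line. Log-monitoring rules and anyone tracing an alert back to source match on that string, so I would keep it as a single literal even if the line runs long. getanswer_r and the enclosing loop extend beyond this hunk.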
-- 
2.1.0

Attachment: pgpKTATLobH7M.pgp
Description: PGP signature

