Merge branch 'feature/monitor-tool' into release/1.4.0
87fec7f9b4
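--- a/Makefile.in
+++ b/Makefile.in
@@ -44,7 +44,7 @@ libdir = @libdir@
 srcdir = @srcdir@
 INSTALL = @INSTALL@
 
-all : default @GETDNS_QUERY@
+all : default @GETDNS_QUERY@ @GETDNS_SERVER_MON@
 
 everything: default
 	cd src/test && $(MAKE)
@@ -55,7 +55,7 @@ default:
 install-lib:
 	cd src && $(MAKE) install
 
-install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@
+install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@ @INSTALL_GETDNS_SERVER_MON@
 	$(INSTALL) -m 755 -d $(DESTDIR)$(docdir)
 	$(INSTALL) -m 644 $(srcdir)/AUTHORS $(DESTDIR)$(docdir)
 	$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(docdir)
@@ -93,7 +93,7 @@ install: getdns.pc getdns_ext_event.pc install-lib @INSTALL_GETDNS_QUERY@
 	@echo "*** trust anchor management keeping it up-to-date."
 	@echo "***"
 
-uninstall: @UNINSTALL_GETDNS_QUERY@
+uninstall: @UNINSTALL_GETDNS_QUERY@ @UNINSTALL_GETDNS_SERVER_MON@
 	rm -rf $(DESTDIR)$(docdir)
 	cd doc && $(MAKE) $@
 	cd src && $(MAKE) $@
@@ -110,6 +110,9 @@ test: default
 getdns_query: default
 	cd src/tools && $(MAKE) $@
 
+getdns_server_mon: default
+	cd src/tools && $(MAKE) $@
+
 stubby:
 	cd src && $(MAKE) $@
 
@@ -125,6 +128,12 @@ install-getdns_query: install-lib
 uninstall-getdns_query:
 	cd src/tools && $(MAKE) $@
 
+install-getdns_server_mon: install-lib
+	cd src/tools && $(MAKE) $@
+
+uninstall-getdns_server_mon:
+	cd src/tools && $(MAKE) $@
+
 install-stubby:
 	cd src && $(MAKE) $@
 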
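Review bot: The new `getdns_server_mon`, `install-getdns_server_mon` and `uninstall-getdns_server_mon` targets in the last two hunks are command targets rather than files, but no `.PHONY` entry for them is visible in this section; unless the file's `.PHONY` list (outside the hunks) is extended, a stray file or directory named `getdns_server_mon` in the top-level build directory would make `make getdns_server_mon` report it up to date instead of recursing into src/tools. The existing `getdns_query` targets have the same shape, so this may be established practice here, but `.PHONY: getdns_server_mon install-getdns_server_mon uninstall-getdns_server_mon` belongs next to whatever the file declares for getdns_query. The same applies to the `getdns_server_mon: default` target in the `@ -202,6 +202,9 @@ test: default` hunk of the src Makefile and to the install/uninstall targets in the src/tools Makefile hunks (the `getdns_server_mon: getdns_server_mon.lo` link target there is a real file and must not be phony).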
@ -87,10 +87,11 @@ If you are building from git, you need to do the following before building:
|
||||||
# autoreconf -fi
|
# autoreconf -fi
|
||||||
|
|
||||||
|
|
||||||
As well as building the getdns library two other tools may be installed:
|
As well as building the getdns library three other tools may be installed:
|
||||||
|
|
||||||
* getdns_query: a command line test script wrapper for getdns
|
* getdns_query: a command line test script wrapper for getdns
|
||||||
* stubby: an experimental DNS Privacy enabled client
|
* stubby: an experimental DNS Privacy enabled client
|
||||||
|
* getdns_server_mon: test DNS server function and capabilities
|
||||||
|
|
||||||
Note: If you only want to build stubby, then use the `--with-stubby` option when running 'configure'.
|
Note: If you only want to build stubby, then use the `--with-stubby` option when running 'configure'.
|
||||||
|
|
||||||
|
|
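--- a/configure.ac
+++ b/configure.ac
@@ -1227,6 +1227,22 @@ AC_SUBST(GETDNS_QUERY)
 AC_SUBST(INSTALL_GETDNS_QUERY)
 AC_SUBST(UNINSTALL_GETDNS_QUERY)
 
+AC_ARG_WITH(getdns_server_mon, AS_HELP_STRING([--without-getdns_server_mon],
+[Do not compile and install the getdns_server_mon tool]),
+[], [withval="yes"])
+if test x_$withval = x_no; then
+GETDNS_SERVER_MON=""
+INSTALL_GETDNS_SERVER_MON=""
+UNINSTALL_GETDNS_SERVER_MON=""
+else
+GETDNS_SERVER_MON="getdns_server_mon"
+INSTALL_GETDNS_SERVER_MON="install-getdns_server_mon"
+UNINSTALL_GETDNS_SERVER_MON="uninstall-getdns_server_mon"
+fi
+AC_SUBST(GETDNS_SERVER_MON)
+AC_SUBST(INSTALL_GETDNS_SERVER_MON)
+AC_SUBST(UNINSTALL_GETDNS_SERVER_MON)
+
 stubby_with_yaml=0
 AC_ARG_WITH(stubby, AS_HELP_STRING([--with-stubby],
 [Compile and install stubby, the (stub) resolver daemon]),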
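Review bot: The new `--without-getdns_server_mon` block enables the tool by default, but nothing in the hunk checks that what the tool needs is available before setting `GETDNS_SERVER_MON`; the tools README added in this commit describes TLS authentication, certificate-validity and TLS 1.3 checks, so a getdns configured without TLS support could fail to compile or link the tool unless its source guards that itself (the source is not shown on this page). If such a dependency exists, leave the three variables empty when the earlier TLS check in configure has failed, or at least `AC_MSG_WARN` that the tool will be skipped. Minor: `test x_$withval = x_no` only recognises an explicit `no`, so any other `--with-getdns_server_mon=<value>` counts as yes; a one-line comment saying so would save the next reader a check.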
@ -202,6 +202,9 @@ test: default
|
||||||
getdns_query: default
|
getdns_query: default
|
||||||
cd tools && $(MAKE) $@
|
cd tools && $(MAKE) $@
|
||||||
|
|
||||||
|
getdns_server_mon: default
|
||||||
|
cd tools && $(MAKE) $@
|
||||||
|
|
||||||
stubby.lo: $(stubbysrcdir)/src/stubby.c
|
stubby.lo: $(stubbysrcdir)/src/stubby.c
|
||||||
$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $< -o $@
|
$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WPEDANTICFLAG) -DSTUBBYCONFDIR=\"$(sysconfdir)/stubby\" -DRUNSTATEDIR=\"$(runstatedir)\" -c $< -o $@
|
||||||
|
|
||||||
|
|
|
@ -1048,6 +1048,7 @@ upstream_init(getdns_upstream *upstream,
|
||||||
upstream->responses_timeouts = 0;
|
upstream->responses_timeouts = 0;
|
||||||
upstream->keepalive_shutdown = 0;
|
upstream->keepalive_shutdown = 0;
|
||||||
upstream->keepalive_timeout = 0;
|
upstream->keepalive_timeout = 0;
|
||||||
|
upstream->server_keepalive_received = 0;
|
||||||
/* How is this upstream doing on UDP? */
|
/* How is this upstream doing on UDP? */
|
||||||
upstream->to_retry = 1;
|
upstream->to_retry = 1;
|
||||||
upstream->back_off = 1;
|
upstream->back_off = 1;
|
||||||
|
|
|
@ -193,6 +193,7 @@ typedef struct getdns_upstream {
|
||||||
size_t responses_timeouts;
|
size_t responses_timeouts;
|
||||||
size_t keepalive_shutdown;
|
size_t keepalive_shutdown;
|
||||||
uint64_t keepalive_timeout;
|
uint64_t keepalive_timeout;
|
||||||
|
int server_keepalive_received;
|
||||||
|
|
||||||
/* Management of outstanding requests on stateful transports */
|
/* Management of outstanding requests on stateful transports */
|
||||||
getdns_network_req *write_queue;
|
getdns_network_req *write_queue;
|
||||||
|
|
|
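Review bot: The new `server_keepalive_received` member of `getdns_upstream` carries no comment, and its neighbours (`keepalive_shutdown`, `keepalive_timeout`) are counters and timeouts rather than flags, so its meaning has to be reconstructed from the stub.c and util-internal.c hunks. A one-line comment such as `/* 1 once an EDNS0 keepalive option has been received from this upstream; exposed through call_reporting */` would make clear that it is a boolean, not a count, and why it is an `int` among `size_t`/`uint64_t` fields. The enclosing struct starts and ends outside the hunk.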
@ -211,6 +211,7 @@ network_req_init(getdns_network_req *net_req, getdns_dns_req *owner,
|
||||||
net_req->debug_tls_auth_status = GETDNS_AUTH_NONE;
|
net_req->debug_tls_auth_status = GETDNS_AUTH_NONE;
|
||||||
net_req->debug_tls_peer_cert.size = 0;
|
net_req->debug_tls_peer_cert.size = 0;
|
||||||
net_req->debug_tls_peer_cert.data = NULL;
|
net_req->debug_tls_peer_cert.data = NULL;
|
||||||
|
net_req->debug_tls_version = NULL;
|
||||||
net_req->debug_udp = 0;
|
net_req->debug_udp = 0;
|
||||||
|
|
||||||
/* Scheduling, touch only via _getdns_netreq_change_state!
|
/* Scheduling, touch only via _getdns_netreq_change_state!
|
||||||
|
|
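--- a/src/stub.c
+++ b/src/stub.c
@@ -344,6 +344,7 @@ process_keepalive(
 }
 return;
 }
+upstream->server_keepalive_received = 1;
 /* Use server sent value unless the client specified a shorter one.
 Convert to ms first (wire value has units of 100ms) */
 uint64_t server_keepalive = ((uint64_t)gldns_read_uint16(position))*100;
@@ -1863,12 +1864,14 @@ upstream_write_cb(void *userarg)
 remove_from_write_queue(upstream, netreq);
 
 if (netreq->owner->return_call_reporting &&
-netreq->upstream->tls_obj &&
-netreq->debug_tls_peer_cert.data == NULL &&
+netreq->upstream->tls_obj) {
+if (netreq->debug_tls_peer_cert.data == NULL &&
 (cert = SSL_get_peer_certificate(netreq->upstream->tls_obj))) {
 netreq->debug_tls_peer_cert.size = i2d_X509(
 cert, &netreq->debug_tls_peer_cert.data);
 X509_free(cert);
+}
+netreq->debug_tls_version = SSL_get_version(netreq->upstream->tls_obj);
 }
 /* Need this because auth status is reset on connection close */
 netreq->debug_tls_auth_status = netreq->upstream->tls_auth_state;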
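Review bot: `upstream->server_keepalive_received = 1` in the first hunk is only ever set; on this page the flag is cleared solely in `upstream_init` (the context.c hunk), so once an upstream has seen a single keepalive option it stays reported as 1 for every later request on that upstream, including after the connection is torn down and re-established to a server that no longer sends the option. If the value is meant to describe the current connection, as the neighbouring per-connection counters do, reset it where the connection is closed or reopened (outside these hunks); if it is meant as a sticky "ever seen" indicator, say so in a comment on the field. In the second hunk, keeping the result of `SSL_get_version()` in a bare `const char *` is lifetime-safe because OpenSSL returns a static string, which deserves a short comment since nothing frees the field. Both `process_keepalive` and `upstream_write_cb` start outside their hunks.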
@ -45,9 +45,9 @@ CFLAGS=-I$(srcdir)/.. -I$(srcdir) -I.. $(cflags) @CFLAGS@ @CPPFLAGS@ $(WPEDANTIC
|
||||||
LDFLAGS=-L.. @LDFLAGS@
|
LDFLAGS=-L.. @LDFLAGS@
|
||||||
LDLIBS=../libgetdns.la @LIBS@
|
LDLIBS=../libgetdns.la @LIBS@
|
||||||
|
|
||||||
ALL_OBJS=getdns_query.lo
|
ALL_OBJS=getdns_query.lo getdns_server_mon.lo
|
||||||
|
|
||||||
PROGRAMS=getdns_query
|
PROGRAMS=getdns_query getdns_server_mon
|
||||||
|
|
||||||
|
|
||||||
.SUFFIXES: .c .o .a .lo .h
|
.SUFFIXES: .c .o .a .lo .h
|
||||||
|
@ -68,6 +68,9 @@ $(ALL_OBJS):
|
||||||
getdns_query: getdns_query.lo
|
getdns_query: getdns_query.lo
|
||||||
$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_query.lo $(LDFLAGS) $(LDLIBS)
|
$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_query.lo $(LDFLAGS) $(LDLIBS)
|
||||||
|
|
||||||
|
getdns_server_mon: getdns_server_mon.lo
|
||||||
|
$(LIBTOOL) --tag=CC --mode=link $(CC) $(CFLAGS) -o $@ getdns_server_mon.lo $(LDFLAGS) $(LDLIBS)
|
||||||
|
|
||||||
stubby:
|
stubby:
|
||||||
cd .. && $(MAKE) $@
|
cd .. && $(MAKE) $@
|
||||||
|
|
||||||
|
@ -78,6 +81,13 @@ install-getdns_query: getdns_query
|
||||||
uninstall-getdns_query:
|
uninstall-getdns_query:
|
||||||
$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/getdns_query
|
$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/getdns_query
|
||||||
|
|
||||||
|
install-getdns_server_mon: getdns_server_mon
|
||||||
|
$(INSTALL) -m 755 -d $(DESTDIR)$(bindir)
|
||||||
|
$(LIBTOOL) --mode=install cp getdns_server_mon $(DESTDIR)$(bindir)
|
||||||
|
|
||||||
|
uninstall-getdns_server_mon:
|
||||||
|
$(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(bindir)/getdns_server_mon
|
||||||
|
|
||||||
install-stubby:
|
install-stubby:
|
||||||
cd .. && $(MAKE) $@
|
cd .. && $(MAKE) $@
|
||||||
|
|
||||||
|
@ -117,3 +127,10 @@ getdns_query.lo getdns_query.o: $(srcdir)/getdns_query.c \
|
||||||
$(srcdir)/../debug.h \
|
$(srcdir)/../debug.h \
|
||||||
../getdns/getdns.h \
|
../getdns/getdns.h \
|
||||||
../getdns/getdns_extra.h
|
../getdns/getdns_extra.h
|
||||||
|
|
||||||
|
# Dependencies for getdns_server_mon
|
||||||
|
getdns_server_mon.lo getdns_server_mon.o: $(srcdir)/getdns_server_mon.c \
|
||||||
|
../config.h \
|
||||||
|
$(srcdir)/../debug.h \
|
||||||
|
../getdns/getdns.h \
|
||||||
|
../getdns/getdns_extra.h
|
||||||
|
|
|
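Review bot: The hand-maintained dependency list for `getdns_server_mon.lo` in the last hunk names only `config.h`, `debug.h`, `getdns.h` and `getdns_extra.h`; the tool's source is not shown here (the page suppressed that file), but the README in this commit describes TLS certificate and TLS 1.3 checks, so it plausibly includes further headers whose edits would then not trigger a rebuild. Either complete the list from the actual includes or let the compiler produce it (`-MMD -MP` on the compile line plus `-include $(ALL_OBJS:.lo=.d)`), which would also keep the existing `getdns_query` list honest. Related: the link rule `getdns_server_mon: getdns_server_mon.lo` relies on `$(LDLIBS)` (`../libgetdns.la @LIBS@`) alone, so if the tool calls OpenSSL directly rather than only through libgetdns, the link depends on `@LIBS@` already carrying those libraries; worth confirming against the source.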
@ -0,0 +1,263 @@
|
||||||
|
= getdns tools
|
||||||
|
|
||||||
|
This directory contains some tools based on `getdns`.
|
||||||
|
|
||||||
|
* `getdns_query` - a command line wrapper for `getdns`.
|
||||||
|
* `getdns_server_mon` - test DNS server function and capabilities.
|
||||||
|
|
||||||
|
== `getdns_query`
|
||||||
|
|
||||||
|
`getdns_query` is a command line wrapper for `getdns` exposing the
|
||||||
|
features of this implementation (both in the official API and the
|
||||||
|
additional API functions).
|
||||||
|
|
||||||
|
=== Usage
|
||||||
|
|
||||||
|
----
|
||||||
|
usage: getdns_query [<option> ...] \
|
||||||
|
[@<upstream> ...] [+<extension> ...] ['{ <settings> }'] [<name>] [<type>]
|
||||||
|
|
||||||
|
default mode: recursive, synchronous resolution of NS record
|
||||||
|
using UDP with TCP fallback
|
||||||
|
|
||||||
|
upstreams: @<ip>[%<scope_id>][@<port>][#<tls port>][~<tls name>][^<tsig spec>]
|
||||||
|
<ip>@<port> may be given as <IPv4>:<port>
|
||||||
|
or '['<IPv6>[%<scope_id>]']':<port> too
|
||||||
|
|
||||||
|
tsig spec: [<algorithm>:]<name>:<secret in Base64>
|
||||||
|
|
||||||
|
extensions:
|
||||||
|
+add_warning_for_bad_dns
|
||||||
|
+dnssec_return_status
|
||||||
|
+dnssec_return_only_secure
|
||||||
|
+dnssec_return_all_statuses
|
||||||
|
+dnssec_return_validation_chain
|
||||||
|
+dnssec_return_full_validation_chain
|
||||||
|
+dnssec_roadblock_avoidance
|
||||||
|
+edns_cookies
|
||||||
|
+return_both_v4_and_v6
|
||||||
|
+return_call_reporting
|
||||||
|
+sit=<cookie> Send along cookie OPT with value <cookie>
|
||||||
|
+specify_class=<class>
|
||||||
|
+0 Clear all extensions
|
||||||
|
|
||||||
|
settings in json dict format (like outputted by -i option).
|
||||||
|
|
||||||
|
options:
|
||||||
|
-a Perform asynchronous resolution (default = synchronous)
|
||||||
|
-A address lookup (<type> is ignored)
|
||||||
|
-B Batch mode. Schedule all messages before processing responses.
|
||||||
|
-b <bufsize> Set edns0 max_udp_payload size
|
||||||
|
-c Send Client Subnet privacy request
|
||||||
|
-C <filename>
|
||||||
|
Read settings from config file <filename>
|
||||||
|
The getdns context will be configured with these settings
|
||||||
|
The file must be in YAML format (with extension of '.yml')
|
||||||
|
or JSON dict format (with extension '.conf')
|
||||||
|
-D Set edns0 do bit
|
||||||
|
-d clear edns0 do bit
|
||||||
|
-e <idle_timeout> Set idle timeout in milliseconds
|
||||||
|
-F <filename> read the queries from the specified file
|
||||||
|
-f <filename> Read DNSSEC trust anchors from <filename>
|
||||||
|
-G general lookup
|
||||||
|
-H hostname lookup. (<name> must be an IP address; <type> is ignored)
|
||||||
|
-h Print this help
|
||||||
|
-i Print api information
|
||||||
|
-I Interactive mode (> 1 queries on same context)
|
||||||
|
-j Output json response dict
|
||||||
|
-J Pretty print json response dict
|
||||||
|
-k Print root trust anchors
|
||||||
|
-K <pin> Pin a public key for TLS connections (can repeat)
|
||||||
|
(should look like 'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="')
|
||||||
|
-m Set TLS authentication mode to REQUIRED
|
||||||
|
-n Set TLS authentication mode to NONE (default)
|
||||||
|
-o <filename> Set resolver configuration file path
|
||||||
|
(default = /etc/resolv.conf)
|
||||||
|
-p Pretty print response dict (default)
|
||||||
|
-P <blocksize> Pad TLS queries to a multiple of blocksize
|
||||||
|
(special values: 0: no padding, 1: sensible default policy)
|
||||||
|
-q Quiet mode - don't print response
|
||||||
|
-r Set recursing resolution type
|
||||||
|
-R <filename> Read root hints from <filename>
|
||||||
|
-s Set stub resolution type(default = recursing)
|
||||||
|
-S service lookup (<type> is ignored)
|
||||||
|
-t <timeout> Set timeout in milliseconds
|
||||||
|
-v Print getdns release version
|
||||||
|
-V Increase verbosity (may be used more than once)
|
||||||
|
-x Do not follow redirects
|
||||||
|
-X Follow redirects (default)
|
||||||
|
-0 Append suffix to single label first (default)
|
||||||
|
-W Append suffix always
|
||||||
|
-1 Append suffix only to single label after failure
|
||||||
|
-M Append suffix only to multi label name after failure
|
||||||
|
-N Never append a suffix
|
||||||
|
-Z <suffixes> Set suffixes with the given comma separated list
|
||||||
|
-T Set transport to TCP only
|
||||||
|
-O Set transport to TCP only keep connections open
|
||||||
|
-L Set transport to TLS only keep connections open
|
||||||
|
-E Set transport to TLS with TCP fallback only keep connections open
|
||||||
|
-u Set transport to UDP with TCP fallback (default)
|
||||||
|
-U Set transport to UDP only
|
||||||
|
-l <transports> Set transport list. List can contain 1 of each of the characters
|
||||||
|
U T L for UDP, TCP or TLS e.g 'UT' or 'LTU'
|
||||||
|
-z <listen address>
|
||||||
|
Listen for DNS requests on the given IP address
|
||||||
|
<listen address> is in the same format as upstreams.
|
||||||
|
This option can be given more than once.
|
||||||
|
----
|
||||||
|
|
||||||
|
== `getdns_server_mon`
|
||||||
|
|
||||||
|
`getdns_server_mon` is a collection of DNS server tests. The tests examine
|
||||||
|
both server function and server capability.
|
||||||
|
|
||||||
|
`get_server_mon` can optionally be run in Monitoring mode. In this mode,
|
||||||
|
the tool output is modified to enable it to function as a plugin for
|
||||||
|
popular monitoring systems such as https://www.icinga.org[Icinga],
|
||||||
|
http://naemon.github.io/[Naemon], http://www.nagios.org[Nagios],
|
||||||
|
http://www.shinken-monitoring.org/[Shinken], http://sensuapp.org/[Sensu]
|
||||||
|
and others.
|
||||||
|
|
||||||
|
=== Usage
|
||||||
|
|
||||||
|
----
|
||||||
|
Usage: getdns_server_mon [-M] [-E] [(-u|-t|-T)] [-S] [-K <spki-pin>]
|
||||||
|
[-v [-v [-v]]] [-V] @upstream testname [<test args>]
|
||||||
|
-M|--monitoring Make output suitable for monitoring tools
|
||||||
|
-E|--fail-on-dns-errors Fail on DNS error (NXDOMAIN, SERVFAIL)
|
||||||
|
-u|--udp Use UDP transport
|
||||||
|
-t|--tcp Use TCP transport
|
||||||
|
-T|--tls Use TLS transport
|
||||||
|
-S|--strict-usage-profile Use strict profile (require authentication)
|
||||||
|
-K|--spki-pin <spki-pin> SPKI pin for TLS connections (can repeat)
|
||||||
|
-v|--verbose Increase output verbosity
|
||||||
|
-D|--debug Enable debugging output
|
||||||
|
-V|--version Report GetDNS version
|
||||||
|
|
||||||
|
spki-pin: Should look like 'pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="'
|
||||||
|
|
||||||
|
upstream: @<ip>[%<scope_id][@<port>][#<tls_port>][~tls name>][^<tsig spec>]
|
||||||
|
<ip>@<port> may be given as <IPv4>:<port> or
|
||||||
|
'['<IPv6>[%<scope_id>]']':<port>
|
||||||
|
|
||||||
|
tsig spec: [<algorithm>:]<name>:<secret in Base64>
|
||||||
|
|
||||||
|
Tests:
|
||||||
|
lookup [<name> [<type>]] Check lookup on server
|
||||||
|
keepalive <timeout-ms> [<name> [<type>]]
|
||||||
|
Check server support for EDNS0 keepalive in
|
||||||
|
TCP or TLS connections
|
||||||
|
Timeout of 0 is off.
|
||||||
|
OOOR Check whether server delivers responses out of
|
||||||
|
query order on a TCP or TLS connection
|
||||||
|
qname-min Check whether server supports QNAME minimisation
|
||||||
|
rtt [warn-ms,crit-ms] [<name> [<type>]]
|
||||||
|
Check if server round trip time exceeds
|
||||||
|
thresholds (default 250,500)
|
||||||
|
|
||||||
|
dnssec-validate Check whether server does DNSSEC validation
|
||||||
|
|
||||||
|
tls-auth [<name> [<type>]] Check authentication of TLS server
|
||||||
|
If both a SPKI pin and authentication name are
|
||||||
|
provided, both must authenticate for this test
|
||||||
|
to pass.
|
||||||
|
tls-cert-valid [warn-days,crit-days] [<name> [type]]
|
||||||
|
Check server certificate validity, report
|
||||||
|
warning or critical if days to expiry at
|
||||||
|
or below thresholds (default 14,7).
|
||||||
|
tls-padding <blocksize> [<name> [<type>]]
|
||||||
|
Check server support for EDNS0 padding in TLS
|
||||||
|
Special blocksize values are 0 = off,
|
||||||
|
1 = sensible default.
|
||||||
|
tls-1.3 Check whether server supports TLS 1.3
|
||||||
|
|
||||||
|
Enabling monitoring mode ensures output messages and exit statuses conform
|
||||||
|
to the requirements of monitoring plugins (www.monitoring-plugins.org).
|
||||||
|
----
|
||||||
|
|
||||||
|
Note that the server must currently be specified with an IPv4 or an IPv6 address.
|
||||||
|
|
||||||
|
=== The tests
|
||||||
|
|
||||||
|
Several tests take optional name and RR type parameters. If these are not supplied,
|
||||||
|
default values of `getdnsapi.net` and `AAAA` are used. If the lookup returns no
|
||||||
|
answering records, `getdns_server_mon` reports a status of WARNING.
|
||||||
|
|
||||||
|
[cols="1,3a,1" options="header"]
|
||||||
|
|===
|
||||||
|
| Test name | Test description | Default connection type
|
||||||
|
| `lookup`
|
||||||
|
| Check a name lookup succeeds.
|
||||||
|
| UDP with TCP fallback
|
||||||
|
|
||||||
|
| `keepalive`
|
||||||
|
| See if the server supports EDNS0 keepalive in TCP or TLS
|
||||||
|
connections. Specify a non-zero timeout to set the keepalive timeout
|
||||||
|
in milliseconds, or 0 to disable it.
|
||||||
|
| TCP
|
||||||
|
|
||||||
|
| `OOOR`
|
||||||
|
| Out Of Order Responses. See if the server will send responses to
|
||||||
|
multiple queries in a single TCP or TLS connection in a different
|
||||||
|
order to the order of queries.
|
||||||
|
|
||||||
|
This test is currently experimental, and may give false negative results.
|
||||||
|
| TCP
|
||||||
|
|
||||||
|
| `qname-min`
|
||||||
|
| Does the server support QNAME minimisation?
|
||||||
|
| UDP with TCP fallback
|
||||||
|
|
||||||
|
|`rtt`
|
||||||
|
| Check a lookup round trip time exceeds warning and critical levels in milliseconds.
|
||||||
|
If thresholds are not specified, defaults of 500ms (critical) and 250ms (warning) are used.
|
||||||
|
| UDP with TCP fallback
|
||||||
|
|
||||||
|
|`dnssec-validate`
|
||||||
|
| See if the server is doing DNSSEC validation.
|
||||||
|
| UDP with TCP fallback
|
||||||
|
|
||||||
|
|`tls-auth`
|
||||||
|
| Check if a TLS lookup authenticates successfully. You must specify
|
||||||
|
either a SPKI pin, an authentication name, or both. If you supply
|
||||||
|
both, both must authenticate for the test to succeed.
|
||||||
|
| TLS
|
||||||
|
|
||||||
|
|`tls-cert-valid`
|
||||||
|
| Check the server certificate against warning and critical days to
|
||||||
|
expiry. If thresholds are not specified, defaults of 7 days
|
||||||
|
(critical) and 14 days (warning) are used.
|
||||||
|
| TLS
|
||||||
|
|
||||||
|
|`tls-padding`
|
||||||
|
| Does the server support EDNS0 padding? Specify a non-zero blocksize to set
|
||||||
|
the padding. A padding size of 1 specifies padding of a sensible default size.
|
||||||
|
| TLS
|
||||||
|
|
||||||
|
|`tls-1.3`
|
||||||
|
| Does the server support TLS 1.3? To enable this test,
|
||||||
|
`getdns_server_mon` must be compiled with OpenSSL v1.1.1 or later.
|
||||||
|
|
||||||
|
This test is currently experimental, and may give false negative results.
|
||||||
|
| TLS
|
||||||
|
|===
|
||||||
|
=== Exit status
|
||||||
|
|
||||||
|
[cols="^1,^1,3a" options="header"]
|
||||||
|
|===
|
||||||
|
| Numeric value | Service Status | Status Description
|
||||||
|
| 0
|
||||||
|
| OK
|
||||||
|
| The service was functioning properly
|
||||||
|
|
||||||
|
| 1
|
||||||
|
| WARNING
|
||||||
|
| The service fell below a warning threshold
|
||||||
|
|
||||||
|
|2
|
||||||
|
| CRITICAL
|
||||||
|
| The service was not working or fell below a critical threshold
|
||||||
|
|
||||||
|
|3
|
||||||
|
| UNKNOWN | Invalid arguments or an internal low-level failure
|
||||||
|
|===
|
|
@ -242,6 +242,7 @@ typedef struct getdns_network_req
|
||||||
uint64_t debug_end_time;
|
uint64_t debug_end_time;
|
||||||
getdns_auth_state_t debug_tls_auth_status;
|
getdns_auth_state_t debug_tls_auth_status;
|
||||||
getdns_bindata debug_tls_peer_cert;
|
getdns_bindata debug_tls_peer_cert;
|
||||||
|
const char *debug_tls_version;
|
||||||
size_t debug_udp;
|
size_t debug_udp;
|
||||||
|
|
||||||
/* When more space is needed for the wire_data response than is
|
/* When more space is needed for the wire_data response than is
|
||||||
|
|
|
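Review bot: The new `debug_tls_version` member of `getdns_network_req` is a raw `const char *` with no comment on ownership, unlike the `debug_tls_peer_cert` bindata next to it, which the write callback allocates into. A reader has to find the stub.c hunk to learn it is only ever assigned from `SSL_get_version()`; a comment such as `/* Negotiated TLS version string from SSL_get_version(); points at OpenSSL's static table, NULL for non-TLS transports, never freed */` records that and explains why no cleanup exists. The enclosing struct starts and ends outside the hunk.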
@ -880,6 +880,10 @@ _getdns_create_call_reporting_dict(
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if (getdns_dict_set_int( netreq_debug, "server_keepalive_received", netreq->upstream->server_keepalive_received)) {
|
||||||
|
getdns_dict_destroy(netreq_debug);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
/* The running totals are only updated when a connection is closed.
|
/* The running totals are only updated when a connection is closed.
|
||||||
Since it is open as we have just used it, calcualte the value on the fly */
|
Since it is open as we have just used it, calcualte the value on the fly */
|
||||||
if (getdns_dict_set_int( netreq_debug, "responses_on_this_connection",
|
if (getdns_dict_set_int( netreq_debug, "responses_on_this_connection",
|
||||||
|
@ -916,6 +920,12 @@ _getdns_create_call_reporting_dict(
|
||||||
getdns_dict_destroy(netreq_debug);
|
getdns_dict_destroy(netreq_debug);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
if (getdns_dict_util_set_string(netreq_debug, "tls_version",
|
||||||
|
netreq->debug_tls_version)){
|
||||||
|
|
||||||
|
getdns_dict_destroy(netreq_debug);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
if (getdns_dict_set_bindata(netreq_debug, "tls_peer_cert",
|
if (getdns_dict_set_bindata(netreq_debug, "tls_peer_cert",
|
||||||
&netreq->debug_tls_peer_cert)) {
|
&netreq->debug_tls_peer_cert)) {
|
||||||
|
|
||||||
|
|
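Review bot: In the second hunk `getdns_dict_util_set_string(netreq_debug, "tls_version", netreq->debug_tls_version)` runs unconditionally, but `debug_tls_version` is initialised to NULL in `network_req_init` (the general.c hunk) and is assigned only in `upstream_write_cb` when the upstream has a `tls_obj`, so every UDP and TCP request reaches this call with a NULL string. What happens next depends on `getdns_dict_util_set_string`, which is not shown: if it rejects NULL, call reporting for all non-TLS requests is silently destroyed and `_getdns_create_call_reporting_dict` returns NULL; if it dereferences the pointer, it is a crash. Guarding the call, `if (netreq->debug_tls_version && getdns_dict_util_set_string(netreq_debug, "tls_version", netreq->debug_tls_version))`, or reporting an empty string for non-TLS transports, avoids both outcomes. The `tls_peer_cert` bindata set just below is also unconditional, but a zero-length bindata is a valid value, so that one is fine. The function starts outside the hunk.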