logwatch/logwatch-named-dnssec.patch

Handle DNSSEC messages in named.

Author: Frank Crawford <frank@crawford.emu.id.au>
RH-Bugzilla: #666394
Backported-By: Jan Synacek <jsynacek@redhat.com>

--- logwatch-svn242/scripts/services/named	2014-09-09 18:08:00.000000000 +0200
+++ logwatch-svn242-new/scripts/services/named	2014-09-24 07:54:13.582370611 +0200
@@ -116,6 +116,7 @@
       ($ThisLine =~ /too many timeouts resolving '.*' .*: disabling EDNS/) or
       ($ThisLine =~ /too many timeouts resolving '.*' .*: reducing the advertised EDNS UDP packet size to .* octets/) or
       ($ThisLine =~ /reloading zones succeeded/) or
+      ($ThisLine =~ /generating session key/) or
       ($ThisLine =~ /success resolving '.*' \(in '.*'?\) after disabling EDNS/) or
       ($ThisLine =~ /success resolving '.*' \(in '.*'?\) after reducing the advertised EDNS UDP packet size to 512 octets/) or
       ($ThisLine =~ /the working directory is not writable/) or
@@ -137,6 +138,11 @@
       ($ThisLine =~ /refresh in progress, refresh check queued/) or
       ($ThisLine =~ /refresh: NODATA response from master/) or
       ($ThisLine =~ /update with no effect/) or
+      ($ThisLine =~ /reading built-in trusted keys from file/) or
+      ($ThisLine =~ /using built-in trusted-keys/) or
+      ($ThisLine =~ /set up managed keys zone/) or
+      # the following seems okay since it says "success"
+      ($ThisLine =~ /managed-keys-zone .*: No DNSKEY RRSIGs found for '.*': success/) or
       ($ThisLine =~ /validating \@0x[[:xdigit:]]+: .* no valid signature found/) or
       ($ThisLine =~ /^sizing zone task pool based on \d+ zones/) or
       ($ThisLine =~ /^BIND \d+ is maintained by Internet Systems Consortium/) or
@@ -169,7 +175,8 @@
       $ShutdownNamed++;
    } elsif ( $ThisLine =~ /named shutdown failed/ ) {
       $ShutdownNamedFail++;
-   } elsif ( ($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: zone transfer '(.+)' denied/ ) ) {
+   } elsif ( (($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: (?:view \w+: )?zone transfer '(.+)' denied/ )) or
+             (($Host, $Zone) = ( $ThisLine =~ /client ([^\#]+)#[^\:]+: (?:view \w+: )?bad zone transfer request: '(.+)':/ )) ) {
       $DeniedZoneTransfers{$Host}{$Zone}++;
    } elsif ( ($Zone) = ( $ThisLine =~ /zone (.+) zone transfer deferred due to quota/ ) ) {
       $DeferredZoneTransfers{$Zone}++;
@@ -195,14 +202,13 @@
       $ConnectionRefused{$Addr}{$Server}++;
    } elsif ( (undef,$Addr,undef,$Server) = ( $ThisLine =~ /ame server (on|resolving) '(.+)' \(in .+\):\s+(\[.+\]\.\d+)?\s*'?(.+)'?:?/ ) ) {
       $LameServer{$Addr}{$Server}++;
-   } elsif ( ($Zone) = ( $ThisLine =~ /Zone \"(.+)\" was removed/ ) ) {
+   } elsif ( (($Zone) = ( $ThisLine =~ /Zone \"(.+)\" was removed/ )) or
+             (($Zone) = ( $ThisLine =~ /zone (.+): \(.*\) removed/ )) ) {
       $ZoneRemoved{$Zone}++;
    } elsif ( ($Zone) = ( $ThisLine =~ /received notify for zone '(.*)'/ ) ) {
       $ZoneReceivedNotify{$Zone}++;
    } elsif ( ($Zone) = ( $ThisLine =~ /zone (.*): notify from .* up to date/ ) ) {
       $ZoneReceivedNotify{$Zone}++;
-   } elsif ( ($Zone) = ( $ThisLine =~ /zone (.*): notify from .* up to date/ ) ) {
-      $ZoneReceivedNotify{$Zone}++;
    } elsif ( ($Zone) = ( $ThisLine =~ /zone (.+)\/IN: refused notify from non-master/ ) ) {
       $ZoneRefusedNotify{$Zone}++;
 #   } elsif ( ($Rhost,$Ldom,$Reason) = ( $ThisLine =~ /client ([\d\.a-fA-F:]+) bad zone transfer request: '(.+)': (.+)$/ ) ) {
@@ -225,13 +231,13 @@
    } elsif ( ($Client) = ( $ThisLine =~ /warning: client (.*) no more TCP clients/ ) ) {
       $FullClient = LookupIP ($Client);
       $DeniedTCPClient{$FullClient}++;
-   } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: query \(cache\) denied/ ) ) {
+   } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: (?:view \w+: )?query \(cache\) denied/ ) ) {
       $FullClient = LookupIP ($Client);
       $DeniedQuery{$FullClient}++;
    } elsif ( ($Client) = ( $ThisLine =~ /client (.*)#\d+: query '.*\/IN' denied/ ) ) {
       $FullClient = LookupIP ($Client);
       $DeniedQueryNoCache{$FullClient}++;
-   } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+:(?: view ([^ ]+):)? update '(.*)' denied/)) {
+   } elsif ( ($Rhost, $ViewName, $Ldom) = ($ThisLine =~ /client ([\.0-9a-fA-F:]+)#\d+: (?:view \w+: )?update '(.*)' denied/)) {
       $ViewName = ($ViewName ? "/$ViewName" : "");
       $UpdateDenied{"$Rhost ($Ldom$ViewName)"}++;
    } elsif ( ($Rhost, $Ldom) = ($ThisLine =~ /client ([\d\.]+)#\d+: update forwarding '(.*)' denied/)) {
@@ -288,6 +294,18 @@
       $NoSOA{$Client}++;
    } elsif (($Hint) = ($ThisLine =~ /checkhints: (.*)/) ) {
       $Hints{$Hint}++;
+   } elsif (($Zone,$RR) = ($ThisLine =~ /^\s*validating \@0x[[:xdigit:]]+: (.*) (\w+): got insecure response; parent indicates it should be secure/)) {
+      $DNSSECInsec{'__Total__'}++;
+      $DNSSECInsec{$Zone}{$RR}++;
+   } elsif (($Zone,$RR) = ($ThisLine =~ /^\s*validating \@0x[[:xdigit:]]+: (.*) (\w+): no valid signature found/)) {
+      $DNSSECInvalid{'__Total__'}++;
+      $DNSSECInvalid{$Zone}{$RR}++;
+   } elsif (($Zone,$RR) = ($ThisLine =~ /^\s*validating \@0x[[:xdigit:]]+: (.*) (\w+): bad cache hit/)) {
+      $DNSSECBadCache{'__Total__'}++;
+      $DNSSECBadCache{$Zone}{$RR}++;
+   } elsif (($Error,$Host) = ($ThisLine =~ /error \((.*)\) resolving '([^']+)':/)) {
+      $DNSSECError{$Error}{'__Total__'}++;
+      $DNSSECError{$Error}{$Host}++;
    } elsif ($ThisLine =~ /^samba_dlz:/) {
       if ( ($Rhost, $Error) = ($ThisLine =~ /disallowing update of signer=.* name=(.*) type=.* error=(.*)/ )) {
             $UpdateDenied{"$Rhost ($Error)"}++;
@@ -648,6 +666,51 @@
    }
 }
 
+if (($Detail >= 5) and (keys %DNSSECInsec)) {
+   print "\n DNSSEC Insecure Responses: " . $DNSSECInsec{'__Total__'} . " Time(s)\n";
+   foreach $Zone (sort keys %DNSSECInsec) {
+      if (($Detail >= 10) and ($Zone =~ /.+/) and ($Zone ne '__Total__')) {
+        foreach $RR (sort keys %{$DNSSECInsec{$Zone}}) {
+           print "   " . "$Zone/$RR: " . $DNSSECInsec{$Zone}{$RR} . " Time(s)\n";
+        }
+      }
+   }
+}
+
+if (($Detail >= 5) and (keys %DNSSECInvalid)) {
+   print "\n DNSSEC No Valid Signature: " . $DNSSECInvalid{'__Total__'} . " Time(s)\n";
+   foreach $Zone (sort keys %DNSSECInvalid) {
+      if (($Detail >= 10) and ($Zone =~ /.+/) and ($Zone ne '__Total__')) {
+        foreach $RR (sort keys %{$DNSSECInvalid{$Zone}}) {
+           print "   " . "$Zone/$RR: " . $DNSSECInvalid{$Zone}{$RR} . " Time(s)\n";
+        }
+      }
+   }
+}
+
+if (($Detail >= 5) and (keys %DNSSECBadCache)) {
+   print "\n DNSSEC Bad Cache hit: " . $DNSSECBadCache{'__Total__'} . " Time(s)\n";
+   foreach $Zone (sort keys %DNSSECBadCache) {
+      if (($Detail >= 10) and ($Zone =~ /.+/) and ($Zone ne '__Total__')) {
+        foreach $RR (sort keys %{$DNSSECBadCache{$Zone}}) {
+           print "   " . "$Zone/$RR: " . $DNSSECBadCache{$Zone}{$RR} . " Time(s)\n";
+        }
+      }
+   }
+}
+
+if (($Detail >= 5) and (keys %DNSSECError)) {
+   print "\n DNS Errors:\n";
+   foreach $Error (sort keys %DNSSECError) {
+      print "   $Error: " . $DNSSECError{$Error}{'__Total__'} . " Time(s)\n";
+      if ($Detail >= 10) {
+         foreach $Host (sort keys %{$DNSSECError{$Error}}) {
+            print "     " . "$Host: " . $DNSSECError{$Error}{$Host} . " Time(s)\n" unless ($Host eq '__Total__');
+         }
+      }
+   }
+}
+
 if (keys %OtherList) {
    print "\n**Unmatched Entries**\n";
    foreach $line (sort {$a cmp $b} keys %OtherList) {