Patch for improved TSIG logging
Matt Larson
mlarson at verisign.com
Mon Jul 29 17:54:35 UTC 2002
Do you run a master server and wonder if your slaves are actually using
the TSIG key you so carefully configured for them? Or if you have
multiple keys configured in an allow-transfer ACL, do you wonder which
key your slaves are using? Then this patch is for you: if an outbound
zone transfer uses TSIG, the key name is printed. For example:
Jul 29 13:48:24 twister named[31318]: approved AXFR from [127.0.0.1].45158 for "foo.com" (TSIG key "sample.tsig.key")
I would appreciate it if the developers would incorporate this if it
passes muster.
Matt
--
Matt Larson <mlarson at verisign.com>
VeriSign Global Registry Services
*** src/bin/named/ns_req.c.orig Fri Jul 26 14:15:05 2002
--- src/bin/named/ns_req.c Mon Jul 29 10:46:32 2002
***************
*** 856,861 ****
--- 856,862 ----
DST_KEY *in_key = (in_tsig != NULL) ? in_tsig->key : NULL;
int access_class;
int adjustlen = 0;
+ char tsig_keyname_mesg[15+MAXDNAME] = "";
nameserIncr(from.sin_addr, nssRcvdQ);
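Review bot: the `15` in `char tsig_keyname_mesg[15+MAXDNAME] = "";` is an unexplained magic number that is coupled to a format string in a different hunk: it is the 14 fixed characters of ` (TSIG key ""` plus `")` plus the terminating NUL, and it silently becomes too small if anyone later edits that format string. Add a comment stating the derivation, or define the format string and its fixed length together as a named constant so both live in one place; either way the buffer is only large enough if `dk_key_name` is never longer than `MAXDNAME` bytes, which should be stated where the size is chosen.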
***************
*** 1303,1315 ****
return (Refuse);
}
if (type == ns_t_ixfr) {
! ns_info(ns_log_security, "approved %s from %s for \"%s\"",
(ixfr_found) ? p_type(type) : "IXFR/AXFR",
! sin_ntoa(from), *dname ? dname : ".");
} else
! ns_info(ns_log_security, "approved %s from %s for \"%s\"",
! p_type(type), sin_ntoa(from), *dname ? dname : ".");
}
/*
--- 1304,1322 ----
return (Refuse);
}
+ if (in_key)
+ sprintf(tsig_keyname_mesg, " (TSIG key \"%s\")",
+ in_key->dk_key_name);
+
if (type == ns_t_ixfr) {
! ns_info(ns_log_security, "approved %s from %s for \"%s\"%s",
(ixfr_found) ? p_type(type) : "IXFR/AXFR",
! sin_ntoa(from), *dname ? dname : ".",
! tsig_keyname_mesg);
} else
! ns_info(ns_log_security, "approved %s from %s for \"%s\"%s",
! p_type(type), sin_ntoa(from), *dname ? dname : ".",
! tsig_keyname_mesg);
}
/*
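Review bot: `sprintf(tsig_keyname_mesg, " (TSIG key \"%s\")", in_key->dk_key_name);` writes into a fixed-size stack buffer with no length check, so its safety rests entirely on the `15+MAXDNAME` sizing in the earlier hunk matching this format string and on the key name never exceeding `MAXDNAME`. Use `snprintf(tsig_keyname_mesg, sizeof tsig_keyname_mesg, " (TSIG key \"%s\")", in_key->dk_key_name);` so an over-long name is truncated in the log message rather than overrunning the buffer. Minor style point: the two-line body under `if (in_key)` would be clearer with braces, matching the `if (type == ns_t_ixfr) {` block just below it.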
More information about the bind-workers
mailing list
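The point of the patch is to let a master's operator see which key, if any, each slave is actually signing its transfers with. Below is an added example (not part of Matt's post or of the BIND source) of the check that log line makes possible: a small script that parses the extended "approved AXFR/IXFR" lines, counts transfers per TSIG key, and flags slaves that transferred unsigned or with a key other than the one assigned to them. The sample log lines, client addresses, and the `EXPECTED_KEYS` policy table are all constructed for this example; the only thing taken from the post is the message format.

```python
import re
from collections import Counter

# Log lines in the format the patch produces. These are constructed for this
# example; addresses, zones and key names are made up.
SAMPLE_LOG = """\
Jul 29 13:48:24 twister named[31318]: approved AXFR from [127.0.0.1].45158 for "foo.com" (TSIG key "sample.tsig.key")
Jul 29 13:49:01 twister named[31318]: approved IXFR from [192.0.2.10].33012 for "foo.com" (TSIG key "slave1.key")
Jul 29 13:49:30 twister named[31318]: approved AXFR from [192.0.2.11].40120 for "bar.com"
Jul 29 13:50:02 twister named[31318]: approved IXFR/AXFR from [192.0.2.10].33020 for "bar.com" (TSIG key "old.key")
Jul 29 13:50:40 twister named[31318]: unapproved AXFR from [198.51.100.7].5123 for "foo.com"
"""

# Which key each slave is supposed to sign with. This is an assumed policy
# table for the example; in practice it mirrors the allow-transfer ACL.
EXPECTED_KEYS = {
    "127.0.0.1": "sample.tsig.key",
    "192.0.2.10": "slave1.key",
    "192.0.2.11": "slave2.key",
}

# The "(TSIG key ...)" suffix is optional because the patch only appends it
# when in_key is set; an unsigned transfer is logged without it. The \b keeps
# "unapproved" lines from matching.
APPROVED_RE = re.compile(
    r'\bapproved (?P<type>IXFR/AXFR|AXFR|IXFR) from '
    r'\[(?P<addr>[0-9A-Fa-f.:]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]*)"'
    r'(?: \(TSIG key "(?P<key>[^"]*)"\))?'
)


def parse_transfer(line):
    """Return a dict for an approved-transfer line, or None for anything else."""
    m = APPROVED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def audit(lines, expected_keys):
    """Count key usage and flag transfers that are unsigned or use the wrong key.

    Returns (Counter of key name -> transfers, list of findings). Each finding
    is (kind, client address, zone, key seen), with kind "UNSIGNED" or
    "WRONG_KEY". Clients absent from expected_keys are counted but not judged.
    """
    usage = Counter()
    findings = []
    for line in lines:
        rec = parse_transfer(line)
        if rec is None:
            continue
        key = rec["key"]
        usage[key if key is not None else "<none>"] += 1
        if key is None:
            findings.append(("UNSIGNED", rec["addr"], rec["zone"], None))
            continue
        want = expected_keys.get(rec["addr"])
        if want is not None and key != want:
            findings.append(("WRONG_KEY", rec["addr"], rec["zone"], key))
    return usage, findings


if __name__ == "__main__":
    usage, findings = audit(SAMPLE_LOG.splitlines(), EXPECTED_KEYS)
    for key, n in usage.most_common():
        print(f"{n:4d}  {key}")
    for kind, addr, zone, key in findings:
        extra = f" with key {key!r}" if key else ""
        print(f"{kind}: {addr} transferred {zone!r}{extra}")
```

Run it against a real `named` security log by replacing `SAMPLE_LOG.splitlines()` with the file's lines; an unsigned transfer from a host that is supposed to hold a key usually means the slave's `server` or `key` clause is wrong on its side, and a wrong key usually means a rotation that was never finished.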