Patch for improved TSIG logging

Matt Larson mlarson at verisign.com
Mon Jul 29 17:54:35 UTC 2002


Do you run a master server and wonder if your slaves are actually using
the TSIG key you so carefully configured for them?  Or if you have
multiple keys configured in an allow-transfer ACL, do you wonder which
key your slaves are using?  Then this patch is for you: if an outbound
zone transfer uses TSIG, the key name is printed.  For example:

Jul 29 13:48:24 twister named[31318]: approved AXFR from
[127.0.0.1].45158 for "foo.com" (TSIG key "sample.tsig.key")

I would appreciate it if the developers would incorporate this if it
passes muster.

Matt
--
Matt Larson <mlarson at verisign.com>
VeriSign Global Registry Services


*** src/bin/named/ns_req.c.orig Fri Jul 26 14:15:05 2002
--- src/bin/named/ns_req.c Mon Jul 29 10:46:32 2002
***************
*** 856,861 ****
--- 856,862 ----
   DST_KEY *in_key = (in_tsig != NULL) ? in_tsig->key : NULL;
   int access_class;
   int adjustlen = 0;
+  char tsig_keyname_mesg[15+MAXDNAME] = "";

   nameserIncr(from.sin_addr, nssRcvdQ);

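Review bot: The 15 in the new tsig_keyname_mesg[15+MAXDNAME] declaration is a magic number that has to track the format string used further down: the literal " (TSIG key \"%s\")" contributes 14 characters plus the terminating NUL, so the buffer has no slack at all and is only large enough if the key name never exceeds MAXDNAME characters. Please either derive the size from the format literal with sizeof or add a comment stating where the 15 comes from and why dk_key_name is bounded by MAXDNAME, so a later change to the message text does not quietly turn this into an overflow.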
***************
*** 1303,1315 ****
     return (Refuse);
    }

    if (type == ns_t_ixfr) {
!       ns_info(ns_log_security, "approved %s from %s for \"%s\"",
         (ixfr_found) ? p_type(type) : "IXFR/AXFR",
!    sin_ntoa(from), *dname ? dname : ".");
    } else
!       ns_info(ns_log_security, "approved %s from %s for \"%s\"",
!        p_type(type), sin_ntoa(from), *dname ? dname : ".");
   }

   /*
--- 1304,1322 ----
     return (Refuse);
    }

+   if (in_key)
+       sprintf(tsig_keyname_mesg, " (TSIG key \"%s\")",
+    in_key->dk_key_name);
+
    if (type == ns_t_ixfr) {
!       ns_info(ns_log_security, "approved %s from %s for \"%s\"%s",
         (ixfr_found) ? p_type(type) : "IXFR/AXFR",
!    sin_ntoa(from), *dname ? dname : ".",
!    tsig_keyname_mesg);
    } else
!       ns_info(ns_log_security, "approved %s from %s for \"%s\"%s",
!        p_type(type), sin_ntoa(from), *dname ? dname : ".",
!                         tsig_keyname_mesg);
   }

   /*
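Review bot: The sprintf into tsig_keyname_mesg at new line 1307 is unbounded, and nothing in this hunk checks the length of in_key->dk_key_name against the fixed stack buffer, so the write is safe only by the exact-fit sizing in the declaration. Use a bounded write with sizeof(tsig_keyname_mesg) as the limit, or drop the intermediate buffer and pass the key name straight to ns_info as its own argument, choosing between two format strings depending on whether in_key is set. Separately, in_key is non-NULL whenever in_tsig is non-NULL (see the declaration in the first hunk), so it is worth confirming that by this point the signature has actually been verified; otherwise the "approved" line could name a key that did not authenticate the transfer. The continuation line before the final closing parenthesis is also indented differently from the rest of the call.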



