Add extra statistic to track the number of signature validation operations

daemon/remote.c

@@ -1148,6 +1148,8 @@ print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero)
 		(unsigned long)s->svr.ans_bogus)) return 0;
 	if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n",
 		(unsigned long)s->svr.rrset_bogus)) return 0;
+	if(!ssl_printf(ssl, "num.valops"SQ"%lu\n",
+		(unsigned long)s->svr.val_ops)) return 0;
 	if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n",
 		(unsigned long)s->svr.num_neg_cache_noerror)) return 0;
 	if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n",

daemon/stats.c

@@ -202,6 +202,24 @@ get_rrset_bogus(struct worker* worker, int reset)
 	return r;
 }
 
+/** get number of validation operations from validator */
+static size_t
+get_val_ops(struct worker* worker, int reset)
+{
+	int m = modstack_find(&worker->env.mesh->mods, "validator");
+	struct val_env* ve;
+	size_t r;
+	if(m == -1)
+		return 0;
+	ve = (struct val_env*)worker->env.modinfo[m];
+	lock_basic_lock(&ve->valops_lock);
+	r = ve->num_val_ops;
+	if(reset && !worker->env.cfg->stat_cumulative)
+		ve->num_val_ops = 0;
+	lock_basic_unlock(&ve->valops_lock);
+	return r;
+}
+
 /** get number of ratelimited queries from iterator */
 static size_t
 get_queries_ratelimit(struct worker* worker, int reset)
@@ -295,6 +313,9 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	/* get and reset validator rrset bogus number */
 	s->svr.rrset_bogus = (long long)get_rrset_bogus(worker, reset);
 
+	/* get and reset validator number of validation operations */
+	s->svr.val_ops = (long long)get_val_ops(worker, reset);
+
 	/* get and reset iterator query ratelimit number */
 	s->svr.queries_ratelimited = (long long)get_queries_ratelimit(worker, reset);
 
@@ -495,6 +516,7 @@ void server_stats_add(struct ub_stats_info* total, struct ub_stats_info* a)
 		total->svr.ans_rcode_nodata += a->svr.ans_rcode_nodata;
 		total->svr.ans_secure += a->svr.ans_secure;
 		total->svr.ans_bogus += a->svr.ans_bogus;
+		total->svr.val_ops += a->svr.val_ops;
 		total->svr.unwanted_replies += a->svr.unwanted_replies;
 		total->svr.unwanted_queries += a->svr.unwanted_queries;
 		total->svr.tcp_accept_usage += a->svr.tcp_accept_usage;

libunbound/unbound.h

@@ -772,6 +772,8 @@ struct ub_server_stats {
 	long long ans_bogus;
 	/** rrsets marked bogus by validator */
 	long long rrset_bogus;
+	/** number of signature validation operations performed by validator */
+	long long val_ops;
 	/** number of queries that have been ratelimited by domain recursion. */
 	long long queries_ratelimited;
 	/** unwanted traffic received on server-facing ports */

smallapp/unbound-control.c

@@ -409,6 +409,7 @@ static void print_extended(struct ub_stats_info* s, int inhibit_zero)
 	PR_UL("num.answer.secure", s->svr.ans_secure);
 	PR_UL("num.answer.bogus", s->svr.ans_bogus);
 	PR_UL("num.rrset.bogus", s->svr.rrset_bogus);
+	PR_UL("num.valops", s->svr.val_ops);
 	PR_UL("num.query.aggressive.NOERROR", s->svr.num_neg_cache_noerror);
 	PR_UL("num.query.aggressive.NXDOMAIN", s->svr.num_neg_cache_nxdomain);
 	/* threat detection */

validator/val_sigcrypt.c

@@ -1677,6 +1677,10 @@ dnskey_verify_rrset_sig(struct regional* region, sldns_buffer* buf,
 	/* verify */
 	sec = verify_canonrrset(buf, (int)sig[2+2],
 		sigblock, sigblock_len, key, keylen, reason);
+
+	lock_basic_lock(&ve->valops_lock);
+	ve->num_val_ops++;
+	lock_basic_unlock(&ve->valops_lock);
 
 	if(sec == sec_status_secure) {
 		/* check if TTL is too high - reduce if so */

validator/validator.c

@@ -237,6 +237,9 @@ val_init(struct module_env* env, int id)
 	lock_basic_init(&val_env->bogus_lock);
 	lock_protect(&val_env->bogus_lock, &val_env->num_rrset_bogus,
 		sizeof(val_env->num_rrset_bogus));
+	lock_basic_init(&val_env->valops_lock);
+	lock_protect(&val_env->valops_lock, &val_env->num_val_ops,
+		sizeof(val_env->num_val_ops));
 #ifdef USE_ECDSA_EVP_WORKAROUND
 	ecdsa_evp_workaround_init();
 #endif
@@ -267,6 +270,7 @@ val_deinit(struct module_env* env, int id)
 		return;
 	val_env = (struct val_env*)env->modinfo[id];
 	lock_basic_destroy(&val_env->bogus_lock);
+	lock_basic_destroy(&val_env->valops_lock);
 	anchors_delete(env->anchors);
 	env->anchors = NULL;
 	key_cache_delete(val_env->kcache);

validator/validator.h

@@ -126,6 +126,11 @@ struct val_env {
 	lock_basic_type bogus_lock;
 	/** number of times rrsets marked bogus */
 	size_t num_rrset_bogus;
+
+	/** lock on validation operations counter */
+	lock_basic_type valops_lock;
+	/** number of times a validation operation was performed */
+	size_t num_val_ops;
 };
 
 /**