/*
- PowerDNS Versatile Database Driven Nameserver
- Copyright (C) 2001 - 2012 PowerDNS.COM BV
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License version 2 as
- published by the Free Software Foundation
-
- Additionally, the license of this program contains a special
- exception which allows to distribute the program in binary form when
- it is linked against OpenSSL.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-*/
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "dnssecinfra.hh"
#include "namespaces.hh"
-#include <boost/foreach.hpp>
+
#include "md5.hh"
#include "dnsseckeeper.hh"
#include "dns_random.hh"
rrc.d_sigexpire=startOfWeek + 14*86400;
rrc.d_signer = signer;
rrc.d_tag = 0;
-
- // we sign the RRSET in toSign + the rrc w/o hash
-
- DNSSECKeeper::keyset_t keys = dk.getKeys(signer); // we don't want the . for the root!
- set<int> algoHasKSK, algoHasZSK;
- vector<DNSSECPrivateKey> signingKeys;
-
- BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type& keymeta, keys) {
- if(keymeta.second.active) {
- if(keymeta.second.keyOrZone)
- algoHasKSK.insert(keymeta.first.d_algorithm);
- else
- algoHasZSK.insert(keymeta.first.d_algorithm);
- }
- }
- BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type& keymeta, keys) {
+ DNSSECKeeper::keyset_t keys = dk.getKeys(signer);
+
+ for(DNSSECKeeper::keyset_t::value_type& keymeta : keys) {
if(!keymeta.second.active)
continue;
- if(signQType == QType::DNSKEY) {
- // skip ZSK, if this algorithm has a KSK
- if(!keymeta.second.keyOrZone && algoHasKSK.count(keymeta.first.d_algorithm))
- continue;
- } else {
- // skip KSK, if this algorithm has a ZSK
- if(keymeta.second.keyOrZone && algoHasZSK.count(keymeta.first.d_algorithm))
- continue;
+ if((signQType == QType::DNSKEY && keymeta.second.keyType == DNSSECKeeper::ZSK) ||
+ (signQType != QType::DNSKEY && keymeta.second.keyType == DNSSECKeeper::KSK)) {
+ continue;
}
- signingKeys.push_back(keymeta.first);
- }
-
- BOOST_FOREACH(DNSSECPrivateKey& dpk, signingKeys) {
- fillOutRRSIG(dpk, signQName, rrc, toSign);
+ fillOutRRSIG(keymeta.first, signQName, rrc, toSign);
rrcs.push_back(rrc);
}
return 0;
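Review bot: The new skip test at `if((signQType == QType::DNSKEY && keymeta.second.keyType == DNSSECKeeper::ZSK) || ...)` drops the per-algorithm fallback that the removed algoHasKSK/algoHasZSK sets provided: before, a ZSK signed the DNSKEY RRset when its algorithm had no active KSK (and a KSK signed the other RRsets when its algorithm had no active ZSK), whereas now such keys are skipped unconditionally, so a zone whose only active key for an algorithm is a ZSK would hand out an unsigned DNSKEY RRset for that algorithm, which validating resolvers treat as bogus. Unless the keyType classification done elsewhere maps a lone key to a combined type that passes both tests (how keyType is assigned is not visible from this hunk), the single-role case should stay covered by rebuilding the per-algorithm inventory from keyType and only skipping a ZSK/KSK when the other role actually exists for that algorithm, as below. If the stricter behaviour is intended, a comment stating that every algorithm is expected to carry an active KSK or combined key, plus a log line when an RRset ends up with no signer, would turn the silent unsigned answer into a visible error. The enclosing function starts and ends outside this hunk.
```cpp
  DNSSECKeeper::keyset_t keys = dk.getKeys(signer);

  // per-algorithm role inventory: a lone ZSK must still sign DNSKEY and a
  // lone KSK must still sign the zone data, or that RRset goes out unsigned
  set<int> algoHasKSK, algoHasZSK;
  for(const auto& keymeta : keys) {
    if(!keymeta.second.active)
      continue;
    if(keymeta.second.keyType != DNSSECKeeper::ZSK)   // anything that may sign DNSKEY
      algoHasKSK.insert(keymeta.first.d_algorithm);
    if(keymeta.second.keyType != DNSSECKeeper::KSK)   // anything that may sign zone data
      algoHasZSK.insert(keymeta.first.d_algorithm);
  }

  for(DNSSECKeeper::keyset_t::value_type& keymeta : keys) {
    if(!keymeta.second.active)
      continue;
    if(signQType == QType::DNSKEY) {
      // skip the ZSK only when this algorithm has a key-signing key
      if(keymeta.second.keyType == DNSSECKeeper::ZSK && algoHasKSK.count(keymeta.first.d_algorithm))
        continue;
    } else {
      // skip the KSK only when this algorithm has a zone-signing key
      if(keymeta.second.keyType == DNSSECKeeper::KSK && algoHasZSK.count(keymeta.first.d_algorithm))
        continue;
    }
    fillOutRRSIG(keymeta.first, signQName, rrc, toSign);
    rrcs.push_back(rrc);
  }
```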
// this is the entrypoint from DNSPacket
void addSignature(DNSSECKeeper& dk, UeberBackend& db, const DNSName& signer, const DNSName signQName, const DNSName& wildcardname, uint16_t signQType,
- uint32_t signTTL, DNSPacketWriter::Place signPlace,
+ uint32_t signTTL, DNSResourceRecord::Place signPlace,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned, uint32_t origTTL)
{
//cerr<<"Asked to sign '"<<signQName<<"'|"<<DNSRecordContent::NumberToType(signQType)<<", "<<toSign.size()<<" records\n";
else
rr.ttl=signTTL;
rr.auth=false;
- rr.d_place = (DNSResourceRecord::Place) signPlace;
- BOOST_FOREACH(RRSIGRecordContent& rrc, rrcs) {
+ rr.d_place = signPlace;
+ for(RRSIGRecordContent& rrc : rrcs) {
rr.content = rrc.getZoneRepresentation();
outsigned.push_back(rr);
}
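Review bot: The new range loop `for(RRSIGRecordContent& rrc : rrcs)` binds a mutable reference although the body only calls `rrc.getZoneRepresentation()` and never modifies the element; `for(const RRSIGRecordContent& rrc : rrcs)` (or `const auto&`) states that intent, assuming getZoneRepresentation() is a const member as its name suggests, which cannot be confirmed from this hunk. The enclosing function starts outside this hunk.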
uint32_t signTTL=0;
uint32_t origTTL=0;
- DNSPacketWriter::Place signPlace=DNSPacketWriter::ANSWER;
+ DNSResourceRecord::Place signPlace=DNSResourceRecord::ANSWER;
vector<shared_ptr<DNSRecordContent> > toSign;
vector<DNSResourceRecord> signedRecords;
-
+ signedRecords.reserve(rrs.size()*1.5);
+ // cout<<rrs.size()<<", "<<sizeof(DNSResourceRecord)<<endl;
DNSName signer;
for(vector<DNSResourceRecord>::const_iterator pos = rrs.begin(); pos != rrs.end(); ++pos) {
if(pos != rrs.begin() && (signQType != pos->qtype.getCode() || signQName != pos->qname)) {
addSignature(dk, db, signer, signQName, wildcardQName, signQType, signTTL, signPlace, toSign, signedRecords, origTTL);
}
signedRecords.push_back(*pos);
- signQName= DNSName(toLower(pos->qname.toString()));
- wildcardQName = DNSName(toLower(pos->wildcardname.toString()));
+ signQName= pos->qname.makeLowerCase();
+ if(!pos->wildcardname.empty())
+ wildcardQName = pos->wildcardname.makeLowerCase();
+ else
+ wildcardQName.clear();
signQType = pos ->qtype.getCode();
if(pos->signttl)
signTTL = pos->signttl;
else
signTTL = pos->ttl;
origTTL = pos->ttl;
- signPlace = (DNSPacketWriter::Place) pos->d_place;
+ signPlace = pos->d_place;
if(pos->auth || pos->qtype.getCode() == QType::DS) {
string content = pos->content;
if(!pos->content.empty() && pos->qtype.getCode()==QType::TXT && pos->content[0]!='"') {
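Review bot: `signedRecords.reserve(rrs.size()*1.5);` multiplies a size_t by a double and passes the double to reserve(), an implicit floating-point narrowing that also leaves the 1.5 factor unexplained; integer arithmetic with a why-comment is clearer, e.g. `// room for the records plus roughly one RRSIG per RRset` and `signedRecords.reserve(rrs.size() + rrs.size()/2);`. The commented-out `// cout<<rrs.size()<<", "<<sizeof(DNSResourceRecord)<<endl;` line added right after it is leftover debugging and should not land. The new `if(!pos->wildcardname.empty()) ... else wildcardQName.clear();` branch presumably exists because makeLowerCase() is not wanted on an empty DNSName; a one-line comment stating that reason would keep a later cleanup from folding it back into the unconditional call the old code made. The enclosing function starts and ends outside this hunk.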