}
vector<string> meta;
if (B.getDomainMetadata(p->qdomain,"AXFR-MASTER-TSIG",meta) && meta.size() > 0) {
- if (!pdns_iequals(meta[0], p->getTSIGKeyname().toStringNoDot())) {
- g_log<<Logger::Warning<<"Received secure NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": expected TSIG key '"<<meta[0]<<", got '"<<p->getTSIGKeyname()<<"' (Refused)"<<endl;
+ DNSName expected{meta[0]};
+ if (p->getTSIGKeyname() != expected) {
+ g_log<<Logger::Warning<<"Received secure NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": expected TSIG key '"<<expected<<"', got '"<<p->getTSIGKeyname()<<"' (Refused)"<<endl;
return RCode::Refused;
}
}
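Review bot: `DNSName expected{meta[0]};` now parses the AXFR-MASTER-TSIG metadata string, and if that value is not a well-formed name (empty, bad escape, over-long label) the DNSName constructor can throw — in this codebase that is a std::range_error, as far as I can tell — so a malformed metadata entry turns what the old string compare handled as a plain Refused into an exception escaping the NOTIFY handler, and it does so for every secure NOTIFY for that zone until the metadata is repaired. The metadata is operator-supplied rather than attacker-controlled, but a refused-with-log outcome is the safer failure mode for a listener-side check. I would construct the expected name inside a try and refuse on failure, keeping the rest of the hunk as is; the enclosing function starts and ends outside this hunk.
```cpp
  DNSName expected;
  try {
    expected = DNSName(meta[0]);
  }
  catch (const std::exception& e) {
    g_log<<Logger::Warning<<"Received secure NOTIFY for "<<p->qdomain<<" from "<<p->getRemote()<<": AXFR-MASTER-TSIG metadata '"<<meta[0]<<"' is not a valid name ("<<e.what()<<") (Refused)"<<endl;
    return RCode::Refused;
  }
  // … unchanged: key-name comparison and Refused return …
```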
}
-void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const DNSName& target, const DNSName& wildcard, SOAData& sd)
+void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const DNSName& target, const DNSName& wildcard, const SOAData& sd)
{
DNSZoneRecord rr;
- rr.dr.d_name=sd.qname;
- rr.dr.d_type=QType::SOA;
- rr.dr.d_content=makeSOAContent(sd);
+ rr=makeEditedDNSZRFromSOAData(d_dk, sd, DNSResourceRecord::AUTHORITY);
rr.dr.d_ttl=min(sd.ttl, sd.default_ttl);
- rr.signttl=sd.ttl;
- rr.domain_id=sd.domain_id;
- rr.dr.d_place=DNSResourceRecord::AUTHORITY;
- rr.auth = 1;
r->addRecord(rr);
if(d_dnssec) {
r->setRcode(RCode::NXDomain);
}
-void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const DNSName& target, const DNSName& wildcard, SOAData& sd, int mode)
+void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const DNSName& target, const DNSName& wildcard, const SOAData& sd, int mode)
{
DNSZoneRecord rr;
- rr.dr.d_name=sd.qname;
- rr.dr.d_type=QType::SOA;
- rr.dr.d_content=makeSOAContent(sd);
+ rr=makeEditedDNSZRFromSOAData(d_dk, sd, DNSResourceRecord::AUTHORITY);
rr.dr.d_ttl=min(sd.ttl, sd.default_ttl);
- rr.signttl=sd.ttl;
- rr.domain_id=sd.domain_id;
- rr.dr.d_place=DNSResourceRecord::AUTHORITY;
- rr.auth = 1;
r->addRecord(rr);
if(d_dnssec) {
if(!retargeted)
r->setA(false);
- if(d_dnssec && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name)) {
+ if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->dr.d_name) && d_dnssec) {
addNSECX(p, r, rrset.begin()->dr.d_name, DNSName(), sd.qname, 1);
}
set<DNSName> authSet;
vector<DNSZoneRecord> rrset;
- bool weDone=0, weRedirected=0, weHaveUnauth=0;
+ bool weDone=0, weRedirected=0, weHaveUnauth=0, doSigs=0;
DNSName haveAlias;
uint8_t aliasScopeMask;
- DNSPacket *r=0;
+ DNSPacket *r=nullptr;
bool noCache=false;
#ifdef HAVE_LUA_RECORDS
}
DLOG(g_log<<Logger::Error<<"We have authority, zone='"<<sd.qname<<"', id="<<sd.domain_id<<endl);
+ authSet.insert(sd.qname);
d_dnssec=(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname));
- if(d_dnssec) {
- authSet.insert(sd.qname);
- }
+ doSigs |= d_dnssec;
if(!retargetcount) r->qdomainzone=sd.qname;
}
if(p->qtype.getCode() == QType::SOA && sd.qname==p->qdomain) {
- rr.dr.d_name=sd.qname;
- rr.dr.d_type=QType::SOA;
- sd.serial = calculateEditSOA(sd.serial, d_dk, sd.qname);
- rr.dr.d_content=makeSOAContent(sd);
- rr.dr.d_ttl=sd.ttl;
- rr.domain_id=sd.domain_id;
- rr.dr.d_place=DNSResourceRecord::ANSWER;
- rr.auth = true;
+ rr=makeEditedDNSZRFromSOAData(d_dk, sd);
r->addRecord(rr);
goto sendit;
}
/* Add in SOA if required */
if(target==sd.qname) {
- rr.dr.d_name = sd.qname;
- rr.dr.d_type = QType::SOA;
- sd.serial = calculateEditSOA(sd.serial, d_dk, sd.qname);
- rr.dr.d_content = makeSOAContent(sd);
- rr.dr.d_ttl = sd.ttl;
- rr.domain_id = sd.domain_id;
- rr.auth = true;
+ rr=makeEditedDNSZRFromSOAData(d_dk, sd);
rrset.push_back(rr);
}
break;
}
}
- if(authSet.size())
+ if(doSigs)
addRRSigs(d_dk, B, authSet, r->getRRS());
- r->wrapup(); // needed for inserting in cache
- if(!noCache && p->couldBeCached())
+ if(PC.enabled() && !noCache && p->couldBeCached())
PC.insert(p, r, r->getMinTTL()); // in the packet cache
}
catch(DBException &e) {
}
catch(PDNSException &e) {
g_log<<Logger::Error<<"Backend reported permanent error which prevented lookup ("+e.reason+"), aborting"<<endl;
+ delete r;
throw; // we WANT to die at this point
}
catch(std::exception &e) {