X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=pdns%2Ftcpreceiver.cc;h=9c0a7b80c11256ca94fd0f56833d20e51f7b64b0;hb=c1ee10a6c29d2eede49bf214b80a08d29ae05fc8;hp=409b095588d7a2403b53d722f088a889c754e3ca;hpb=e74a9be9fc8f7da45873112af22fda57478d4257;p=thirdparty%2Fpdns.git diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index 409b095588..9c0a7b80c1 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc @@ -25,6 +25,7 @@ #include #include "auth-packetcache.hh" #include "utility.hh" +#include "threadname.hh" #include "dnssecinfra.hh" #include "dnsseckeeper.hh" #include @@ -252,6 +253,7 @@ void TCPNameserver::decrementClientCount(const ComboAddress& remote) void *TCPNameserver::doConnection(void *data) { + setThreadName("pdns/tcpConnect"); shared_ptr packet; // Fix gcc-4.0 error (on AMD64) int fd=(int)(long)data; // gotta love C (generates a harmless warning on opteron) @@ -439,7 +441,7 @@ bool TCPNameserver::canDoAXFR(shared_ptr q) } } - DNSSECKeeper dk; + DNSSECKeeper dk(s_P->getBackend()); if (q->d_tsig_algo == TSIG_GSS) { vector princs; @@ -530,7 +532,7 @@ bool TCPNameserver::canDoAXFR(shared_ptr q) namespace { struct NSECXEntry { - set d_set; + NSECBitmap d_set; unsigned int d_ttl; bool d_auth; }; @@ -584,6 +586,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou s_P=new PacketHandler; } + // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first. if (!canDoAXFR(q)) { g_log<getRemote()<<" may not request AXFR"<setRcode(RCode::NotAuth); @@ -591,7 +594,6 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou return 0; } - // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first. if(!s_P->getBackend()->getSOAUncached(target, sd)) { g_log<setRcode(RCode::NotAuth); 
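Review bot: In the `@@ -439` hunk, `DNSSECKeeper dk(s_P->getBackend());` hands the keeper a pointer into the shared `s_P` packet handler, which is only safe while the caller holds `s_plock` for the whole of `canDoAXFR`; the lock is not visible here, and the `@@ -584` hunk shows the call site but not the lock either, so this is inferred from the surrounding code. A one-line comment at the construction, `// s_P is shared between connections: the caller must hold s_plock for the lifetime of dk`, would make the requirement explicit for the next change. `canDoAXFR` begins and ends outside the hunk.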
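Review bot: The `@@ -530` hunk turns `NSECXEntry` into a non-trivial struct (`NSECBitmap d_set;`) while `d_ttl` and `d_auth` still carry no initializer; the entries are created through `nsecxrepo[keyname]`, which value-initializes them, so they come out zeroed today, but the `ne.d_auth = (ne.d_auth || …)` read in the `@@ -913` hunk silently depends on that construction path. Giving the fields default member initializers, `unsigned int d_ttl{0};` and `bool d_auth{false};`, removes the dependency on how an entry happens to be created.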
@@ -608,7 +610,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou return 0; } - DNSSECKeeper dk; + DNSSECKeeper dk(&db); dk.clearCaches(target); bool securedZone = dk.isSecuredZone(target); bool presignedZone = dk.isPresigned(target); @@ -645,8 +647,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou if (algorithm == DNSName("hmac-md5.sig-alg.reg.int")) algorithm = DNSName("hmac-md5"); if (algorithm != DNSName("gss-tsig")) { - Lock l(&s_plock); - if(!s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { + if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { g_log< q, int ou } - UeberBackend signatureDB; - // SOA *must* go out first, our signing pipe might reorder DLOG(g_log<<"Sending out SOA"< q, int ou if(securedZone && !presignedZone) { set authSet; authSet.insert(target); - addRRSigs(dk, signatureDB, authSet, outpacket->getRRS()); + addRRSigs(dk, db, authSet, outpacket->getRRS()); } if(haveTSIGDetails && !tsigkeyname.empty()) @@ -708,7 +707,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou DNSName keyname = NSEC3Zone ? DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zrr.dr.d_name))) : zrr.dr.d_name; NSECXEntry& ne = nsecxrepo[keyname]; - ne.d_set.insert(zrr.dr.d_type); + ne.d_set.set(zrr.dr.d_type); ne.d_ttl = sd.default_ttl; csp.submit(zrr); @@ -751,7 +750,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou DNSName keyname = DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zrr.dr.d_name))); NSECXEntry& ne = nsecxrepo[keyname]; - ne.d_set.insert(zrr.dr.d_type); + ne.d_set.set(zrr.dr.d_type); csp.submit(zrr); } 
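Review bot: In the `@@ -645` hunk, dropping `Lock l(&s_plock);` around the TSIG key lookup is correct only if `db` is a `UeberBackend` private to this `doAXFR` call rather than the shared `s_P` backend; `db` is declared outside the hunk, so that cannot be confirmed here, and the same assumption underlies `DNSSECKeeper dk(&db);` in the `@@ -608` hunk and `addRRSigs(dk, db, …)` in the hunk that removes the dedicated `UeberBackend signatureDB;`. Since `getTSIGKey` now runs unlocked, a comment at the declaration of `db`, `// per-AXFR backend instance: not shared, so no s_plock is needed for lookups`, would record the invariant the change relies on. Reusing `db` for the SOA signatures also presumes no `list()`/`get()` iteration on the same backend is in flight at that point, which the visible context does not show either way. `doAXFR` starts and ends outside the hunk.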
@@ -814,9 +813,11 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou } // Group records by name and type, signpipe stumbles over interrupted rrsets - sort(zrrs.begin(), zrrs.end(), [](const DNSZoneRecord& a, const DNSZoneRecord& b) { - return tie(a.dr.d_name, a.dr.d_type) < tie(b.dr.d_name, b.dr.d_type); - }); + if(securedZone && !presignedZone) { + sort(zrrs.begin(), zrrs.end(), [](const DNSZoneRecord& a, const DNSZoneRecord& b) { + return tie(a.dr.d_name, a.dr.d_type) < tie(b.dr.d_name, b.dr.d_type); + }); + } if(rectify) { // set auth @@ -913,7 +914,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou ne.d_ttl = sd.default_ttl; ne.d_auth = (ne.d_auth || loopZRR.auth || (NSEC3Zone && (!ns3pr.d_flags))); if (loopZRR.dr.d_type && loopZRR.dr.d_type != QType::RRSIG) { - ne.d_set.insert(loopZRR.dr.d_type); + ne.d_set.set(loopZRR.dr.d_type); } } } 
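Review bot: In the `@@ -814` hunk the sort is now skipped for unsigned and presigned zones, but the comment above it, `// Group records by name and type, signpipe stumbles over interrupted rrsets`, still reads as if the grouping were unconditional; rewording it to `// Only the signing pipe needs contiguous rrsets; unsigned and presigned zones go out in backend order` would match the new condition. Anything after this point that happened to rely on sorted `zrrs` for those zone kinds (the `rectify` block begins here but continues past the hunk, as does the NSEC/NSEC3 emission) would now see backend order, which is worth confirming before merge. `doAXFR` starts and ends outside the hunk.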
@@ -950,20 +951,22 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) { if(iter->second.d_auth) { NSEC3RecordContent n3rc; - n3rc.d_set = iter->second.d_set; - if (n3rc.d_set.size() && (n3rc.d_set.size() != 1 || !n3rc.d_set.count(QType::NS))) - n3rc.d_set.insert(QType::RRSIG); - n3rc.d_salt=ns3pr.d_salt; + n3rc.set(iter->second.d_set); + const auto numberOfTypesSet = n3rc.numberOfTypesSet(); + if (numberOfTypesSet != 0 && (numberOfTypesSet != 1 || !n3rc.isSet(QType::NS))) { + n3rc.set(QType::RRSIG); + } + n3rc.d_salt = ns3pr.d_salt; n3rc.d_flags = ns3pr.d_flags; n3rc.d_iterations = ns3pr.d_iterations; - n3rc.d_algorithm = 1; // SHA1, fixed in PowerDNS for now + n3rc.d_algorithm = DNSSECKeeper::SHA1; // SHA1, fixed in PowerDNS for now nsecxrepo_t::const_iterator inext = iter; - inext++; + ++inext; if(inext == nsecxrepo.end()) inext = nsecxrepo.begin(); while(!inext->second.d_auth && inext != iter) { - inext++; + ++inext; if(inext == nsecxrepo.end()) inext = nsecxrepo.begin(); } @@ -971,7 +974,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou zrr.dr.d_name = iter->first+sd.qname; zrr.dr.d_ttl = sd.default_ttl; - zrr.dr.d_content = std::make_shared(n3rc); + zrr.dr.d_content = std::make_shared(std::move(n3rc)); zrr.dr.d_type = QType::NSEC3; zrr.dr.d_place = DNSResourceRecord::ANSWER; zrr.auth=true; @@ -994,9 +997,9 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou } else for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) { NSECRecordContent nrc; - nrc.d_set = iter->second.d_set; - nrc.d_set.insert(QType::RRSIG); - nrc.d_set.insert(QType::NSEC); + nrc.set(iter->second.d_set); + nrc.set(QType::RRSIG); + nrc.set(QType::NSEC); if(boost::next(iter) != nsecxrepo.end()) nrc.d_next = boost::next(iter)->first; 
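Review bot: In the `@@ -950` hunk the wrap-around search `while(!inext->second.d_auth && inext != iter)` terminates only because it sits inside `if(iter->second.d_auth)`, which guarantees an authoritative element is reached; that invariant is easy to lose in a refactor and deserves a comment such as `// find the next authoritative name, wrapping at the end; iter itself is auth, so this terminates`. The `n3rc.d_algorithm = DNSSECKeeper::SHA1;` line keeps the `fixed in PowerDNS for now` remark, which could add that SHA-1 is the only NSEC3 hash algorithm RFC 5155 defines, so the constant is a protocol fact rather than a local limitation. `doAXFR` starts and ends outside the hunk.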
@@ -1005,7 +1008,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou zrr.dr.d_name = iter->first; zrr.dr.d_ttl = sd.default_ttl; - zrr.dr.d_content = std::make_shared(nrc); + zrr.dr.d_content = std::make_shared(std::move(nrc)); zrr.dr.d_type = QType::NSEC; zrr.dr.d_place = DNSResourceRecord::ANSWER; zrr.auth=true; @@ -1336,6 +1339,7 @@ TCPNameserver::TCPNameserver() //! Start of TCP operations thread, we launch a new thread for each incoming TCP question void TCPNameserver::thread() { + setThreadName("pdns/tcpnameser"); try { for(;;) { int fd; @@ -1348,7 +1352,7 @@ void TCPNameserver::thread() int sock=-1; for(const pollfd& pfd : d_prfds) { - if(pfd.revents == POLLIN) { + if(pfd.revents & POLLIN) { sock = pfd.fd; remote.sin4.sin_family = AF_INET6; addrlen=remote.getSocklen();
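Review bot: In the `@@ -1348` hunk, `if(pfd.revents & POLLIN)` correctly accepts a readiness report that carries extra bits, but a descriptor reporting only `POLLERR`, `POLLHUP` or `POLLNVAL` is still skipped silently, and if `d_prfds` is the array handed to `poll()` just above (not visible here) such a broken listener would make the enclosing `for(;;)` loop spin without any log line. Checking the error bits in the same loop, e.g. `if(pfd.revents & (POLLERR | POLLNVAL)) { g_log<<Logger::Error<<"TCP listener fd "<<pfd.fd<<" reported an error"<<endl; }` before the `POLLIN` test, makes the failure visible to operators; whether the loop should also drop the descriptor depends on code outside the hunk. `thread()` starts and ends outside the hunk.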