Pass false to updateDNSSECOrderNameAndAuth if NSEC3 but narrow.
authorMiod Vallat <miod.vallat@powerdns.com>
Fri, 4 Jul 2025 12:57:48 +0000 (14:57 +0200)
committerMiod Vallat <miod.vallat@powerdns.com>
Fri, 4 Jul 2025 15:07:41 +0000 (17:07 +0200)
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>
pdns/dbdnsseckeeper.cc
pdns/pdnsutil.cc
pdns/rfc2136handler.cc

index 8659cfff15d5b76d20eba7b95c299995d8c1e38f..f2c7f2c216ca7ab015ccce9618dce16ad153a1a8 100644 (file)
@@ -877,25 +877,25 @@ bool DNSSECKeeper::rectifyZone(const ZoneName& zone, string& error, string& info
 
     it = rss.find(qname);
     if(it == rss.end() || it->second.update || it->second.auth != auth || it->second.ordername != ordername) {
-      sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth, QType::ANY, haveNSEC3);
+      sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth, QType::ANY, haveNSEC3 && !narrow);
       ++updates;
     }
 
     if(realrr)
     {
       if (dsnames.count(qname)) {
-        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS, haveNSEC3);
+        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS, haveNSEC3 && !narrow);
         ++updates;
       }
       if (!auth || nsset.count(qname)) {
         ordername.clear();
         if(isOptOut && !dsnames.count(qname)){
-          sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS, haveNSEC3);
+          sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS, haveNSEC3 && !narrow);
           ++updates;
         }
-        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A, haveNSEC3);
+        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A, haveNSEC3 && !narrow);
         ++updates;
-        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA, haveNSEC3);
+        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA, haveNSEC3 && !narrow);
         ++updates;
       }
 
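Review bot: The expression `haveNSEC3 && !narrow` is now spelled out at all five call sites in this hunk, and nothing at the calls says why narrow zones must pass false. Computing it once before the loop, e.g. `const bool nsec3Ordered = haveNSEC3 && !narrow;`, with a comment such as `// narrow NSEC3 zones store no ordername, so the backend must not be asked to maintain NSEC3 ordering`, would keep the sites from drifting apart; the comment wording is inferred from the commit title and should be confirmed against the backend contract. A call that later gets the bare `haveNSEC3` again would presumably leave ordering data in the backend that narrow mode never uses, an inconsistency that is hard to spot in DNSSEC denial-of-existence answers. The same repetition appears in the pdnsutil.cc hunk and in the last rfc2136handler.cc hunk (`increaseSerial`). rectifyZone starts and ends outside the hunk, so the right place for the declaration is not visible here.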
index a77e7649414580de5c35aca8339f220fa401137e..6579d1b3ff193c01ec08db5db0b9f5a75edd6148 100644 (file)
@@ -1007,7 +1007,7 @@ static int increaseSerial(const ZoneName& zone, DNSSECKeeper &dsk)
       ordername=DNSName("");
     if(g_verbose)
       cerr<<"'"<<rr.qname<<"' -> '"<< ordername <<"'"<<endl;
-    sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true, QType::ANY, haveNSEC3);
+    sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true, QType::ANY, haveNSEC3 && !narrow);
   }
 
   sd.db->commitTransaction();
index 379f19983ab19652606c0935f7cc068083bfd7ae..72f1026f0de97ef69ad00651e2f42c49a7482917 100644 (file)
@@ -234,15 +234,15 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
             ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
 
           if (*narrow) {
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false);
          }
           else {
             di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);
          }
           if(!auth || rrType == QType::DS) {
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true);
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true);
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !*narrow);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !*narrow);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !*narrow);
           }
 
         } else { // NSEC
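Review bot: The `if (*narrow)` / `else` pair around the QType::ANY call now differs in two arguments that are both functions of `*narrow`, and across its hunks the function ends up spelling the same flag three ways (`false`, `!*narrow`, `*haveNSEC3 && !*narrow`). A single call states the rule once: `di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, *narrow ? DNSName() : ordername, auth, QType::ANY, !*narrow);`. The hunks at -305 and -354 have the same pair, and the hunk at -547 already uses a single call for both modes. performUpdate starts and ends outside this hunk.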
@@ -305,22 +305,22 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
           ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
 
         if (*narrow) {
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false);
        }
         else {
           di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);
        }
 
         if (fixDS) {
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, true);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, !*narrow);
        }
 
         if(!auth) {
           if (ns3pr->d_flags != 0) {
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !*narrow);
          }
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true);
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !*narrow);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !*narrow);
         }
       }
       else { // NSEC
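Review bot: In the `fixDS` call the flag becomes false for narrow zones but `ordername` is still passed, while the narrow branch just above passes `DNSName()` explicitly. Whether `ordername` is empty at that point depends on the assignment at the top of the hunk, whose guard is outside the hunk (its indentation suggests it is conditional). If it is guaranteed empty, a comment such as `// ordername is left empty for narrow zones` would make that visible; otherwise pass `*narrow ? DNSName() : ordername` so a hash is never stored with the flag off.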
@@ -354,14 +354,14 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
               ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));
 
             if (*narrow) {
-              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, true);
+              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, false);
            }
             else {
               di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth, QType::ANY, true);
            }
 
             if (ns3pr->d_flags != 0) {
-              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, true);
+              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, !*narrow);
            }
           }
           else { // NSEC
@@ -369,8 +369,8 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
             di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS, false);
           }
 
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, *haveNSEC3);
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, *haveNSEC3);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, *haveNSEC3 && !*narrow);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, *haveNSEC3 && !*narrow);
         }
       }
     }
@@ -479,7 +479,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
           else { // NSEC
             ordername=changeRec.makeRelative(di->zone);
           }
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, *haveNSEC3);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, *haveNSEC3 && !*narrow);
         }
       }
 
@@ -547,7 +547,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
         if(! *narrow) {
           ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));
        }
-        di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, true);
+        di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, !*narrow);
       }
     }
   }
@@ -1091,6 +1091,6 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di
     } else { // NSEC
       ordername = rr.qname.makeRelative(di->zone);
     }
-    di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3);
+    di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3 && !narrow);
   }
 }