void Bind2Backend::parseZoneFile(BB2DomainInfo *bbd)
{
NSEC3PARAMRecordContent ns3pr;
- bool nsec3zone=getNSEC3PARAM(bbd->d_name, &ns3pr);
+ bool nsec3zone;
+ if (d_hybrid) {
+ DNSSECKeeper dk;
+ nsec3zone=dk.getNSEC3PARAM(bbd->d_name, &ns3pr);
+ } else
+ nsec3zone=getNSEC3PARAM(bbd->d_name, &ns3pr);
bbd->d_records = shared_ptr<recordstorage_t>(new recordstorage_t());
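Review bot: The hybrid dispatch added at L6–L10 (`if (d_hybrid) { DNSSECKeeper dk; nsec3zone=dk.getNSEC3PARAM(...); } else nsec3zone=getNSEC3PARAM(...);`) is duplicated verbatim in getBeforeAndAfterAbsolute in the same commit, so the decision about where NSEC3 metadata comes from now lives in two places that must be kept in sync. A small private helper makes both call sites one line and gives the hybrid rule a single home and a single comment. The local `bool nsec3zone;` is also left uninitialised and only assigned inside the branches; initialising it to `false` is free and guards against a future third branch. parseZoneFile's body continues past the end of the hunk.
```cpp
// Returns the zone's NSEC3PARAM from wherever this backend keeps DNSSEC
// metadata: the DNSSECKeeper (another backend) in hybrid mode, the local
// dnssec-db otherwise. False means "not an NSEC3 zone" in both cases.
bool Bind2Backend::getNSEC3PARAMForZone(const string& zone, NSEC3PARAMRecordContent* ns3p)
{
  if (d_hybrid) {
    DNSSECKeeper dk;
    return dk.getNSEC3PARAM(zone, ns3p);
  }
  return getNSEC3PARAM(zone, ns3p);
}

void Bind2Backend::parseZoneFile(BB2DomainInfo *bbd)
{
  NSEC3PARAMRecordContent ns3pr;
  bool nsec3zone = getNSEC3PARAMForZone(bbd->d_name, &ns3pr);
  // … unchanged: record storage allocation and zone file parsing …
```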
{
setArgPrefix("bind"+suffix);
d_logprefix="[bind"+suffix+"backend]";
+ d_hybrid=mustDo("hybrid");
s_ignore_broken_records=mustDo("ignore-broken-records");
+ if (!loadZones && d_hybrid)
+ return;
+
Lock l(&s_startup_lock);
d_transaction_id=0;
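Review bot: The early return added at L17–L18 leaves the constructor before `d_transaction_id=0;` on L21 (and before everything that follows the hunk), so a hybrid-mode instance constructed with loadZones=false ends up with an indeterminate d_transaction_id unless the member has an initializer that is not visible here. Moving the plain member initialisation above the guard removes the dependency: `d_transaction_id=0;` followed by `if (!loadZones && d_hybrid) return;`. The return also deserves a why-comment, since its purpose is not obvious from the condition alone — presumably a key-only instance created on behalf of a DNSSECKeeper in hybrid mode must not load zones, e.g. `// hybrid: metadata lives in another backend, a key-only instance has nothing to load`. The constructor body continues outside the hunk.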
NSEC3PARAMRecordContent ns3pr;
string auth=bbd.d_name;
- if(!getNSEC3PARAM(auth, &ns3pr)) {
+ bool nsec3zone;
+ if (d_hybrid) {
+ DNSSECKeeper dk;
+ nsec3zone=dk.getNSEC3PARAM(auth, &ns3pr);
+ } else
+ nsec3zone=getNSEC3PARAM(auth, &ns3pr);
+
+ if(!nsec3zone) {
//cerr<<"in bind2backend::getBeforeAndAfterAbsolute: no nsec3 for "<<auth<<endl;
return findBeforeAndAfterUnhashed(bbd, qname, unhashed, before, after);
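Review bot: The new branch at L26–L28 constructs a fresh `DNSSECKeeper dk;` on every call to getBeforeAndAfterAbsolute, which runs on the negative-answer path for each NSEC3 lookup; what that constructor costs is not visible here, but if it sets up its own backend access it will now dominate every such query, so it is worth either keeping one keeper per backend instance or documenting why per-call construction is acceptable. The same `if (d_hybrid) { DNSSECKeeper dk; ... } else ...` block appears in parseZoneFile in this commit; a private helper such as `bool getNSEC3PARAMForZone(const string& zone, NSEC3PARAMRecordContent* ns3p)` would collapse both sites to `bool nsec3zone=getNSEC3PARAMForZone(auth, &ns3pr);`. getBeforeAndAfterAbsolute starts before the hunk and continues after it.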
declare(suffix,"supermasters","List of IP-addresses of supermasters","");
declare(suffix,"supermaster-destdir","Destination directory for newly added slave zones",::arg()["config-dir"]);
declare(suffix,"dnssec-db","Filename to store & access our DNSSEC metadatabase, empty for none", "");
+ declare(suffix,"hybrid","Store DNSSEC metadata in other backend","no");
}
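Review bot: The help text for the new `hybrid` option at L38 does not tell the operator its most important side effect: when it is set, setupDNSSEC returns without opening `dnssec-db` and every local key/metadata/TSIG accessor answers false, so a configured bind-dnssec-db is silently ignored. The one-line description is the only place most users will read, so state that: `declare(suffix,"hybrid","Store DNSSEC keys and metadata in another launched backend; bind-dnssec-db is ignored when set","no");`.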
DNSBackend *make(const string &suffix="")
}
bool Bind2Backend::doesDNSSEC()
-{ return false; }
+{ return d_hybrid; }
bool Bind2Backend::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p)
{ return false; }
{ return false; }
int Bind2Backend::addDomainKey(const string& name, const KeyData& key)
-{ return false; }
+{ return -1; }
bool Bind2Backend::activateDomainKey(const string& name, unsigned int id)
{ return false; }
void Bind2Backend::setupDNSSEC()
{
// cerr<<"Settting up dnssec db.. "<<getArg("dnssec-db") <<endl;
- if(getArg("dnssec-db").empty())
+ if(getArg("dnssec-db").empty() || d_hybrid)
return;
try {
d_dnssecdb = shared_ptr<SSQLite3>(new SSQLite3(getArg("dnssec-db")));
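Review bot: With the guard at L57 a configuration that sets both `dnssec-db` and `hybrid` returns silently, leaving the operator with a dnssec-db that is never opened and no indication of which setting won; a misconfiguration that drops keys or TSIG secrets out of view should be visible in the log. Split the condition: return quietly when `dnssec-db` is empty, but when d_hybrid is set and `getArg("dnssec-db")` is non-empty emit one warning through the backend's logger (d_logprefix is already available) such as `" hybrid mode enabled, ignoring dnssec-db"` before returning. setupDNSSEC's body continues past the hunk.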
bool Bind2Backend::doesDNSSEC()
{
- return true;
+ return d_dnssecdb || d_hybrid;
}
bool Bind2Backend::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p)
{
+ if(!d_dnssecdb || d_hybrid)
+ return false;
+
string value;
vector<string> meta;
getDomainMetadata(zname, "NSEC3PARAM", meta);
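Review bot: The guard `if(!d_dnssecdb || d_hybrid) return false;` introduced at L68–L69 is repeated, by hand, in fourteen more accessors in this commit, which is the kind of duplication that drifts the next time the rule changes (the addDomainKey variant already differs by returning -1). A single private predicate expresses the rule once: `bool haveLocalDNSSECDB() const { return d_dnssecdb && !d_hybrid; }` with each accessor reduced to `if(!haveLocalDNSSECDB()) return false;`. A one-line comment on the predicate should say that hybrid mode deliberately hides the local database so the DNSSECKeeper is routed to the other backend. getNSEC3PARAM's body continues outside the hunk.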
bool Bind2Backend::getAllDomainMetadata(const string& name, std::map<std::string, std::vector<std::string> >& meta)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
// cerr<<"Asked to get metadata for zone '"<<name<<"'|"<<kind<<"\n";
bool Bind2Backend::getDomainMetadata(const string& name, const std::string& kind, std::vector<std::string>& meta)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
// cerr<<"Asked to get metadata for zone '"<<name<<"'|"<<kind<<"\n";
bool Bind2Backend::setDomainMetadata(const string& name, const std::string& kind, const std::vector<std::string>& meta)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
boost::format fmt("delete from domainmetadata where domain='%s' and kind='%s'");
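Review bot: The statement at L91 interpolates `name` and `kind` straight into SQL with `%s`, and the new hybrid guard above it does nothing to change that for the non-hybrid path that still runs this code; unless the values are escaped before the `fmt % ...` substitution below the hunk, a zone name containing a quote reaches SQLite as SQL. This is pre-existing rather than introduced here, but since the commit touches every one of these accessors it is the natural moment to either switch to bound parameters or to document at each site where escaping is guaranteed to have happened. setDomainMetadata's body continues outside the hunk.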
bool Bind2Backend::getDomainKeys(const string& name, unsigned int kind, std::vector<KeyData>& keys)
{
// cerr<<"Asked to get keys for zone '"<<name<<"'\n";
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
boost::format fmt("select id,flags, active, content from cryptokeys where domain='%s'");
try {
bool Bind2Backend::removeDomainKey(const string& name, unsigned int id)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
// cerr<<"Asked to remove key "<<id<<" in zone '"<<name<<"'\n";
int Bind2Backend::addDomainKey(const string& name, const KeyData& key)
{
- if(!d_dnssecdb)
- return false;
+ if(!d_dnssecdb || d_hybrid)
+ return -1;
//cerr<<"Asked to add a key to zone '"<<name<<"'\n";
bool Bind2Backend::activateDomainKey(const string& name, unsigned int id)
{
// cerr<<"Asked to activate key "<<id<<" inzone '"<<name<<"'\n";
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
boost::format fmt("update cryptokeys set active=1 where domain='%s' and id=%d");
bool Bind2Backend::deactivateDomainKey(const string& name, unsigned int id)
{
// cerr<<"Asked to deactivate key "<<id<<" inzone '"<<name<<"'\n";
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
boost::format fmt("update cryptokeys set active=0 where domain='%s' and id=%d");
bool Bind2Backend::getTSIGKey(const string& name, string* algorithm, string* content)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
boost::format fmt("select algorithm, secret from tsigkeys where name='%s'");
bool Bind2Backend::setTSIGKey(const string& name, const string& algorithm, const string& content)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
boost::format fmt("replace into tsigkeys (name,algorithm,secret) values('%s', '%s', '%s')");
try {
bool Bind2Backend::deleteTSIGKey(const string& name)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
boost::format fmt("delete from tsigkeys where name='%s'");
bool Bind2Backend::getTSIGKeys(std::vector< struct TSIGKey > &keys)
{
- if(!d_dnssecdb)
+ if(!d_dnssecdb || d_hybrid)
return false;
try {
<section id="dnssec-bind-hybrid"><title>PowerDNSSEC hybrid BIND-mode operation</title>
<warning>
<para>
- This mode is only supported in 3.0 and 3.0.1! In 3.1 and up, the bindbackend
- always does its own key storage.
+ This mode is only supported in 3.0, 3.0.1 and 3.4 and up! In 3.1 to 3.3.1, the bindbackend
+ always did its own key storage.
+ In 3.4 and up hybrid bind mode operation is optional and enabled with the bindbackend <command>hybrid</command> config option.
</para>
</warning>
<para>
<row><entry>Slave</entry><entry>Yes</entry></row>
<row><entry>Superslave</entry><entry>Experimental</entry></row>
<row><entry>Autoserial</entry><entry>No</entry></row>
- <row><entry>DNSSEC</entry><entry>Yes, but no key storage</entry></row>
+ <row><entry>DNSSEC</entry><entry>Yes</entry></row>
<row><entry>Disabled data</entry><entry>No</entry></row>
<row><entry>Comments</entry><entry>No</entry></row>
- <row><entry>Module name</entry><entry>none (built in)</entry></row>
+ <row><entry>Module name</entry><entry>bind</entry></row>
<row><entry>Launch</entry><entry>bind</entry></row>
</tbody>
</tgroup>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>bind-dnssec-db=</term>
+ <listitem>
+ <para>
+ Filename to store and access our DNSSEC metadatabase, empty for none.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>bind-hybrid=</term>
+ <listitem>
+ <para>
+ Store DNSSEC keys and metadata storage in an other backend.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</para>
<sect2>