Correct deletion of NSEC3PARAM
authorRuben d'Arco <cyclops@prof-x.net>
Mon, 13 May 2013 07:31:34 +0000 (09:31 +0200)
committermind04 <mind04@monshouwer.org>
Fri, 12 Jul 2013 15:26:19 +0000 (17:26 +0200)
modules/gmysqlbackend/gmysqlbackend.cc
modules/gpgsqlbackend/gpgsqlbackend.cc
modules/gsqlite3backend/gsqlite3backend.cc
pdns/backends/gsql/gsqlbackend.cc
pdns/backends/gsql/gsqlbackend.hh
pdns/rfc2136handler.cc

index ce270b712dbea32c8d611522e735fadca63e36c9..6473cef62b56ff1eb90ecf0b7033eda4728f486a 100644 (file)
@@ -102,6 +102,7 @@ public:
     declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'");
     declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
     declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
+    declare(suffix,"nullify-ordername-and-auth-ent-query", "DNSSEC nullify ordername and auth for ENT records with name.", "update records set ordername=NULL, auth=NULL where name='%s' AND type IS NULL and domain_id='%d'");
     declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");
 
     declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
index 49f432122ff5eeda46918ba8274e0aa142a90df1..0e45a421b088ccda74c2acce25f2b00ad0af3c30 100644 (file)
@@ -104,6 +104,7 @@ public:
 
     declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=(%d = 1) where domain_id='%d' and name='%s'");
     declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=false where name=E'%s' and type=E'%s' and domain_id='%d'");
+    declare(suffix,"nullify-ordername-and-auth-ent-query", "DNSSEC nullify ordername and auth for ENT records with name.", "update records set ordername=NULL, auth=NULL where name=E'%s' AND type IS NULL and domain_id='%d'");
     
     declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
     declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d");
index 02dc4fee100081c4f796ad7d5c0de9304dab4117..8585a7e11803ce9a159b5a5124e7a645617cef15 100644 (file)
@@ -97,6 +97,7 @@ public:
 
     declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
     declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
+    declare(suffix,"nullify-ordername-and-auth-ent-query", "DNSSEC nullify ordername and auth for ENT records with name.", "update records set ordername=NULL, auth=NULL where name='%s' AND type IS NULL and domain_id='%d'");
     declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");
     
     declare( suffix, "master-zone-query", "Data", "select master from domains where name='%s' and type='SLAVE'");
index 1eeaaf2fe1c584843961a513d7a32f6dccde22f9..eb97579c2c5f63867437970d9fd648fbfc84f3ef 100644 (file)
@@ -300,6 +300,7 @@ GSQLBackend::GSQLBackend(const string &mode, const string &suffix)
     d_setOrderAuthQuery = getArg("set-order-and-auth-query");
     d_nullifyOrderNameAndUpdateAuthQuery = getArg("nullify-ordername-and-update-auth-query");
     d_nullifyOrderNameAndAuthQuery = getArg("nullify-ordername-and-auth-query");
+    d_nullifyOrderNameAndAuthENTQuery = getArg("nullify-ordername-and-auth-ent-query");
     d_setAuthOnDsRecordQuery = getArg("set-auth-on-ds-record-query");
     
     d_AddDomainKeyQuery = getArg("add-domain-key-query");
@@ -346,7 +347,6 @@ bool GSQLBackend::nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const
   if(!d_dnssecQueries)
     return false;
   char output[1024];
-
   snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndUpdateAuthQuery.c_str(), auth, domain_id, sqlEscape(qname).c_str());
   try {
     d_db->doCommand(output);
@@ -362,8 +362,10 @@ bool GSQLBackend::nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::s
   if(!d_dnssecQueries)
     return false;
   char output[1024];
-
-  snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndAuthQuery.c_str(), sqlEscape(qname).c_str(), sqlEscape(type).c_str(), domain_id);
+  if (type == "TYPE0")
+    snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndAuthENTQuery.c_str(), sqlEscape(qname).c_str(), domain_id);
+  else
+    snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndAuthQuery.c_str(), sqlEscape(qname).c_str(), sqlEscape(type).c_str(), domain_id);
   try {
     d_db->doCommand(output);
   }
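Review bot: The new `TYPE0` branch repeats the unchecked `snprintf` into the 1024-byte `output`, so a statement that does not fit is silently truncated and still handed to `d_db->doCommand`. Because both templates end with `and domain_id='%d'`, a truncation (for example a long operator-supplied query template combined with an escaped name) could drop part of the WHERE clause instead of simply failing. I would capture the return value in both branches, e.g. `int len = snprintf(output, sizeof(output), ...);` followed by `if (len < 0 || (size_t)len >= sizeof(output)) return false;`. The `"TYPE0"` literal also deserves a comment saying it is presumably what `getName()` yields for the ENT pseudo-type (code 0), since the caller in rfc2136handler.cc passes `i->qtype.getName()`. The function body continues outside the hunk.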
index fc3c689b316ca2d207a9f39c2c68564d0325ee6a..2348ce5433c2c201e281ac2f51623909602babb3 100644 (file)
@@ -106,6 +106,7 @@ private:
   string d_setOrderAuthQuery;
   string d_nullifyOrderNameAndUpdateAuthQuery;
   string d_nullifyOrderNameAndAuthQuery;
+  string d_nullifyOrderNameAndAuthENTQuery;
   string d_setAuthOnDsRecordQuery;
   string d_removeEmptyNonTerminalsFromZoneQuery;
   string d_insertEmptyNonTerminalQuery;
index 899a32faf0a761f71604637d033a2e572af5af49..8a43f4bed946d780142d25555621e105ca7c0f59 100755 (executable)
@@ -117,22 +117,25 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *
     DLOG(L<<msgPrefix<<"Add/Update record (QClass == IN) "<<rrLabel<<"|"<<rrType.getName()<<endl);
 
     if (rrType == QType::NSEC3PARAM) {
-      L<<Logger::Notice<<msgPrefix<<"Setting NSEC3PARAM for zone, resetting ordernames and auth flags."<<endl;  
+      L<<Logger::Notice<<msgPrefix<<"Adding NSEC3PARAM for zone, resetting ordernames."<<endl;  
       NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone);
       d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
       *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
       di->backend->list(di->zone, di->id);
       vector<DNSResourceRecord> rrs;
       while (di->backend->get(rec)) {
-        rrs.push_back(rec);
+        if (rec.qtype.getCode())
+          rrs.push_back(rec);
       }
       for (vector<DNSResourceRecord>::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
-        if (*narrow) {
+        string hashed;
+
+        if (*haveNSEC3)        
+          hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
+        di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
+       
+        if (*narrow)
           di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
-        } else {
-          string hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
-          di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
-        }
       }
       return 1;
     }
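Review bot: When `getNSEC3PARAM` leaves `*haveNSEC3` false (for instance if the preceding `setNSEC3PARAM` did not take effect), the loop still calls `updateDNSSECOrderAndAuthAbsolute` with an empty `hashed` for every record and the function returns 1, so a failed parameter change looks the same as a successful one. Neither the result of `setNSEC3PARAM` nor the per-record backend results are checked in this hunk. I would guard the loop, e.g. `if (!*haveNSEC3) { L<<Logger::Error<<msgPrefix<<"NSEC3PARAM not set, leaving ordernames untouched."<<endl; return 0; }`, or add a comment stating that an empty ordername is intended. In narrow mode each record is now hashed and written and then immediately nullified, which spends `d_iterations` hash rounds per record on a discarded value; hashing only when `!*narrow` would avoid that work on a path driven by DNS UPDATE messages. performUpdate starts and ends outside the hunk.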
@@ -321,14 +324,20 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *
       } else 
         return 0;
 
-      *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); // still update, as other records in this update packet need to use it as well.
+      // We retrieve new values, other RR's in this update package might need it as well.
+      *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
+
+      // Remove the Order and Aath field
       di->backend->list(di->zone, di->id);
       vector<DNSResourceRecord> rrs;
-      while (di->backend->get(rec)) {
+      while (di->backend->get(rec))
         rrs.push_back(rec);
-      }
       for (vector<DNSResourceRecord>::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
-        di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, i->qname, i->auth);
+        if (!i->qtype.getCode()) {// for ENT records, we want to reset things as they have ordername=NULL and auth=NULL
+          di->backend->nullifyDNSSECOrderNameAndAuth(di->id, i->qname, i->qtype.getName());
+          di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
+        } else // all other records are simply updated.
+          di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, i->qname, i->auth);
       }
       return 1;
     }
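Review bot: For ENT rows the second call, `nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth)`, seems to undo part of the first. The default `nullify-ordername-and-update-auth-query` shown in the backend hunks matches on `domain_id` and `name` only and sets `auth` to the passed value, so the row just set to `auth=NULL` by the ENT query has `auth` written again. If the inline comment states the intent (ordername=NULL and auth=NULL), keeping only `di->backend->nullifyDNSSECOrderNameAndAuth(di->id, i->qname, i->qtype.getName());` in that branch would match it; otherwise a comment explaining why both calls are needed would help. The first call also depends on `getName()` returning exactly the string gsqlbackend.cc compares against (`"TYPE0"`), which is worth stating next to the call, and the comment `// Remove the Order and Aath field` should read `Auth`. performUpdate starts and ends outside the hunk.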