}
-bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after)
+bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after, int mode)
{
bool ret;
if(narrow) { // nsec3-narrow
incrementHash(after);
}
else {
- if (decrement)
+ if (decrement || mode ==1)
before.clear();
else
before=' ';
return;
}
+ bool doNextcloser = false;
string unhashed, hashed, before, after;
string closest;
} else
closest=target;
- if (mode == 1) {
- DNSResourceRecord rr;
- while( chopOff( closest ) && (closest != sd.qname)) { // stop at SOA
- B.lookup(QType(QType::ANY), closest, p, sd.domain_id);
- if (B.get(rr)) {
- while(B.get(rr));
- break;
- }
- }
- }
-
// add matching NSEC3 RR
// we used to skip this one for mode 3, but old BIND needs it
// see https://github.com/PowerDNS/pdns/issues/814
if (mode != 3 || g_addSuperfluousNSEC3) {
- unhashed=(mode == 0 || mode == 5) ? target : closest;
-
+ unhashed=(mode == 0 || mode == 1 || mode == 5) ? target : closest;
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
- getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
+ getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after, mode);
+
+ if (mode == 1 && (hashed != before)) {
+ DLOG(L<<"No matching NSEC3 for DS, do closest (provable) encloser"<<endl);
+
+ DNSResourceRecord rr;
+ while( chopOff( closest ) && (closest != sd.qname)) { // stop at SOA
+ B.lookup(QType(QType::ANY), closest, p, sd.domain_id);
+ if (B.get(rr)) {
+ while(B.get(rr));
+ break;
+ }
+ }
+ doNextcloser = true;
+ unhashed=closest;
+ hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed)
+ DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
+
+ getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
+ }
+
DLOG(L<<"Done calling for matching, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
emitNSEC3(ns3rc, sd, unhashed, before, after, target, r, mode);
}
// add covering NSEC3 RR
- if (mode != 0 && mode != 5) {
+ if ((mode >= 2 && mode <= 4) || doNextcloser) {
string next(target);
do {
unhashed=next;
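Review bot: The added line `hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed)` in the new `mode == 1` fallback block has no terminating semicolon, so the statement runs into the `DLOG(...)` on the following line. Whether it still compiles depends on how DLOG expands in a given build, which is not visible here, so it should read `hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);`. The second `getNSEC3Hashes(...)` call in the same block omits `mode` and so takes the declared default of 0, which selects `before=' '` rather than `before.clear()` in the non-narrow branch. If that is intended, pass `0` explicitly or add `// mode 0 on purpose: ordinary lookup for the closest encloser`. The enclosing function and the `do` loop at the end of the hunk continue outside the visible lines.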
DNSSECKeeper d_dk; // same, might even share B?
};
void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOAData& sd, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
-bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after);
+bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after, int mode=0);
#endif /* PACKETHANDLER */
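Review bot: The new trailing parameter `int mode=0` is undocumented, and its default lets call sites omit it silently, which hides that `mode == 1` changes how `before` is initialised in the non-narrow branch of the definition. A comment above the declaration would make the contract visible, for example `// mode: NSEC3 proof mode of the caller; mode 1 clears 'before' like decrement does, 0 (default) keeps the previous behaviour`. Mode 1 appears to be the DS case, judging by the log message added in the .cc hunk, and saying so in the comment would help anyone auditing the denial-of-existence paths. The mode values are bare integers throughout these hunks, so named constants would make conditions such as `mode >= 2 && mode <= 4` easier to check, though that is a wider change than this commit.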
/nsd.*
/nsd-slave.*
/*.nsd
-/ixfr-slave.db
-/ixfr-slave.state
+/ixfr*.db
+/ixfr*.state
/*.signed
/*.bind
/dsset-*
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='b.host.test.dyndns.', qtype=ANY
1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns.
-1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ
-1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LMRSADK2BB62QPRUAULES5I5AP06CP56
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
+1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ NS
+1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
2 . IN OPT 32768
2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='b.b.host.test.dyndns.', qtype=ANY
1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns.
-1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ
-1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LMRSADK2BB62QPRUAULES5I5AP06CP56
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
+1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ NS
+1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
2 . IN OPT 32768
2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns.
1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FQU365VN7BR5CSV8CG6NE9V8HA6D008P NS
1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LRESBBP3LV8BLGJ9FSGTDMM4Q7VJ3D6J
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
2 . IN OPT 32768
2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns.
1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FQU365VN7BR5CSV8CG6NE9V8HA6D008P NS
1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LRESBBP3LV8BLGJ9FSGTDMM4Q7VJ3D6J
-1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ...
2 . IN OPT 32768
2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='usa.example.com.', qtype=DS
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 0 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO NS
1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='usa.example.com.', qtype=DS
-1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK
-1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK NS
+1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8V A NS SOA RRSIG DNSKEY NSEC3PARAM
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS
1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 0 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM
-1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1
-1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS
+1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
1 usa.example.com. IN NS 120 usa-ns1.usa.example.com.
1 usa.example.com. IN NS 120 usa-ns2.usa.example.com.
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
2 usa-ns1.usa.example.com. IN A 120 192.168.4.1
2 usa-ns2.usa.example.com. IN A 120 192.168.4.2
1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
1 usa.example.com. IN NS 120 usa-ns1.usa.example.com.
1 usa.example.com. IN NS 120 usa-ns2.usa.example.com.
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
2 usa-ns1.usa.example.com. IN A 120 192.168.4.1
2 usa-ns2.usa.example.com. IN A 120 192.168.4.2
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
1 blah.test.com. IN NS 3600 blah.test.com.
-1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC
-1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC NS
+1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
2 . IN OPT 32768
2 blah.test.com. IN A 3600 192.168.6.1
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 0 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
1 blah.test.com. IN NS 3600 blah.test.com.
1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN NSEC3 86400 1 0 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA NS
1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...