From: Kees Monshouwer Date: Fri, 30 May 2014 22:21:11 +0000 (+0200) Subject: get RRSIGs direct from backend and use it for lmdb-backend X-Git-Tag: auth-3.4.0-rc1~106^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=461a0401c7d63a580cdcfaed8b9ed83bcbf75c69;p=thirdparty%2Fpdns.git get RRSIGs direct from backend and use it for lmdb-backend --- diff --git a/modules/lmdbbackend/lmdbbackend.cc b/modules/lmdbbackend/lmdbbackend.cc index 68e9c8c5ef..141c05f577 100644 --- a/modules/lmdbbackend/lmdbbackend.cc +++ b/modules/lmdbbackend/lmdbbackend.cc @@ -145,7 +145,7 @@ bool LMDBBackend::getDirectNSECx(uint32_t id, const string &hashed, string &befo // is the key a full match or does the id part match our zone? // if it does we have a valid answer. - if (!key_str.compare(cur_key) || atoi(keyparts[0].c_str()) == (int) id) // FIXME need atoui + if (!key_str.compare(cur_key) || atoi(keyparts[0].c_str()) == (int) id) // FIXME we need atoui goto hasnsecx; } // no match, now we look for the last record in the NSECx chain. @@ -153,7 +153,7 @@ bool LMDBBackend::getDirectNSECx(uint32_t id, const string &hashed, string &befo key.mv_data = (char *)key_str.c_str(); key.mv_size = key_str.length(); - if(!mdb_cursor_get(nsecx_cursor, &key, &data, MDB_SET_RANGE)) { + if(!mdb_cursor_get(nsecx_cursor, &key, &data, MDB_NEXT_NODUP )) { cur_key.assign((const char *)key.mv_data, key.mv_size); cur_value.assign((const char *)data.mv_data, data.mv_size); stringtok(keyparts,cur_key,"\t"); 
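Review bot: With the cursor operation in the @@ -153 hunk changed from MDB_SET_RANGE to MDB_NEXT_NODUP, the two lines just above the call that load `key.mv_data`/`key.mv_size` from `key_str` look dead: as far as I know LMDB treats the key argument as output-only for MDB_NEXT_NODUP, so the lookup now depends entirely on where the preceding loop left the cursor rather than on `key_str`. If that is intended, drop the two assignments or add `// MDB_NEXT_NODUP ignores the supplied key; we continue from the cursor position left by the loop above` so the next reader does not assume `key_str` still drives the search. It is also worth confirming that the cursor is always positioned at this point; after an MDB_NOTFOUND in the loop it is not obvious that "next key" is the "last record in the NSECx chain" the comment promises. getDirectNSECx starts and ends outside the hunk.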
@@ -178,11 +178,51 @@ hasnsecx: rr.qtype=DNSRecordContent::TypeToNumber(valparts[2]); rr.content=valparts[3]; rr.d_place=DNSResourceRecord::AUTHORITY; + rr.domain_id=id; rr.auth=true; return true; } +bool LMDBBackend::getDirectRRSIGs(const string &signer, const string &qname, const QType &qtype, vector &rrsigs) +{ + int rc; + MDB_val key, data; + string key_str, cur_value; + vector valparts; + + key_str=signer+"\t"+makeRelative(qname, signer)+"\t"+qtype.getName(); + key.mv_data = (char *)key_str.c_str(); + key.mv_size = key_str.length(); + + if ((rc = mdb_cursor_get(rrsig_cursor, &key, &data, MDB_SET_KEY)) == 0) { + DNSResourceRecord rr; + rr.qname=qname; + rr.qtype=QType::RRSIG; + //rr.d_place = (DNSResourceRecord::Place) signPlace; + rr.auth=false; + + do { + cur_value.assign((const char *)data.mv_data, data.mv_size); + stringtok(valparts,cur_value,"\t"); + + if( valparts.size() != 2 ) { + throw PDNSException("Invalid record in rrsig table: qname: '" + qname + "'; value: "+ cur_value); + } + + rr.ttl=atoi(valparts[0].c_str()); + rr.content = valparts[1]; + rrsigs.push_back(rr); + + } while (mdb_cursor_get(rrsig_cursor, &key, &data, MDB_NEXT_DUP) == 0); + } + + if (rc == MDB_NOTFOUND) + DEBUGLOG("RRSIG records for qname: '"<& meta); bool getDirectNSECx(uint32_t id, const string &hashed, string &before, DNSResourceRecord &rr); + bool getDirectRRSIGs(const string &signer, const string &qname, const QType &qtype, vector &rrsigs); bool getAuthZone( string &rev_zone ); bool getAuthData( SOAData &, DNSPacket *); diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index b7eada4bf5..3ef4206852 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc 
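Review bot: In the new LMDBBackend::getDirectRRSIGs, `valparts` is declared once outside the `do { ... } while (MDB_NEXT_DUP)` loop and `stringtok(valparts,cur_value,"\t")` is called on every iteration; unless stringtok clears its container first (I do not believe the pdns version does), the second duplicate value for a key yields four parts and the `valparts.size() != 2` check throws "Invalid record in rrsig table" for any name that has more than one RRSIG of the same type, e.g. during a key rollover. Add `valparts.clear();` as the first statement of the loop body. Separately, `rr.ttl=atoi(valparts[0].c_str())` parses stored data with no range or error check (the @@ -145 hunk above already carries a FIXME about atoi); `rr.ttl = strtoul(valparts[0].c_str(), NULL, 10);` with an end-pointer check would at least keep a malformed or negative field from becoming a huge unsigned TTL. The function's tail (what is returned after the DEBUGLOG on MDB_NOTFOUND) is garbled in this rendering, so its return contract could not be reviewed here.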
@@ -355,10 +355,22 @@ bool DNSSECKeeper::secureZone(const std::string& name, int algorithm, int size) return addKey(name, true, algorithm, size); } -bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, - const std::string& wildcardname, const QType& qtype, +bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const std::string& qname, + const std::string& wildcardname, const QType& qtype, DNSPacketWriter::Place signPlace, vector& rrsigs, uint32_t signTTL) { + vector sigs; + if(db.getDirectRRSIGs(toLower(signer), toLower(wildcardname.empty() ? qname : wildcardname), qtype, sigs)) { + BOOST_FOREACH(DNSResourceRecord &rr, sigs) { + if (!wildcardname.empty()) + rr.qname = toLower(qname); + rr.d_place = (DNSResourceRecord::Place)signPlace; + rr.ttl = signTTL; + rrsigs.push_back(rr); + } + return true; + } + // cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<&rrs) + virtual bool getDirectRRSIGs(const string &signer, const string &qname, const QType &qtype, vector &rrsigs) { return false; } diff --git a/pdns/ueberbackend.cc b/pdns/ueberbackend.cc index 37098f2fe0..19b6e14801 100644 --- a/pdns/ueberbackend.cc +++ b/pdns/ueberbackend.cc @@ -244,10 +244,10 @@ bool UeberBackend::getDirectNSECx(uint32_t id, const string &hashed, string &bef return false; } -bool UeberBackend::getDirectRRSIGs(uint32_t id, const string &qname, const QType &qtype, const vector&rrs) +bool UeberBackend::getDirectRRSIGs(const string &signer, const string &qname, const QType &qtype, vector &rrsigs) { BOOST_FOREACH(DNSBackend* db, backends) { - if(db->getDirectRRSIGs(id, qname, qtype, rrs)) + if(db->getDirectRRSIGs(signer, qname, qtype, rrsigs)) return true; } return false; diff --git a/pdns/ueberbackend.hh b/pdns/ueberbackend.hh index 23bea196da..7039f22853 100644 --- a/pdns/ueberbackend.hh +++ b/pdns/ueberbackend.hh 
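Review bot: The new early-return in DNSSECKeeper::getPreRRSIGs trusts the backend's boolean alone: whenever `db.getDirectRRSIGs(...)` returns true the function returns true and the existing lookup below the hunk is skipped, even if `sigs` came back empty, which would leave a signed name answered without RRSIGs. Whether the lmdb implementation returns true on MDB_NOTFOUND cannot be seen from this rendering, and the base virtual in dnsbackend.hh (garbled later on this line) documents no contract; UeberBackend::getDirectRRSIGs on this same line returns on the first backend that says true, so the meaning of true has to be the same across backends. Suggest documenting the virtual with `// Returns true only when one or more RRSIGs for qname/qtype were appended to rrsigs; false means "not handled here" and lets the caller fall back to the generic lookup.` and, as a cheap guard, `if(db.getDirectRRSIGs(toLower(signer), toLower(wildcardname.empty() ? qname : wildcardname), qtype, sigs) && !sigs.empty()) {`. getPreRRSIGs continues past the hunk.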
@@ -145,7 +145,7 @@ public: bool deactivateDomainKey(const string& name, unsigned int id); bool getDirectNSECx(uint32_t id, const string &hashed, string &before, DNSResourceRecord &rr); - bool getDirectRRSIGs(uint32_t id, const string &qname, const QType &qtype, const vector&rrs); + bool getDirectRRSIGs(const string &signer, const string &qname, const QType &qtype, vector &rrsigs); bool getTSIGKey(const string& name, string* algorithm, string* content); bool setTSIGKey(const string& name, const string& algorithm, const string& content); diff --git a/pdns/zone2lmdb.cc b/pdns/zone2lmdb.cc index a7d84c4e4f..97684072fd 100644 --- a/pdns/zone2lmdb.cc +++ b/pdns/zone2lmdb.cc @@ -100,12 +100,14 @@ void emitData(string zone, ZoneParserTNG &zpt){ sd.ttl=rr.ttl; continue; } + if (rr.qtype == QType::NSEC3PARAM) + continue; // TODO set metadata string keyStr, dataStr; if (rr.qtype == QType::RRSIG) { RRSIGRecordContent rrc(rr.content); - keyStr=stripDot(rr.qname)+"\t"+DNSRecordContent::NumberToType(rrc.d_type)+"\t"+itoa(g_numZones+1); + keyStr=zone+"\t"+makeRelative(stripDot(rr.qname), zone)+"\t"+DNSRecordContent::NumberToType(rrc.d_type); dataStr=itoa(rr.ttl)+"\t"+rr.content; key.mv_data = (char*)keyStr.c_str(); @@ -122,7 +124,7 @@ void emitData(string zone, ZoneParserTNG &zpt){ keyStr=stripDot(rr.qname)+"\t"+itoa(g_numZones+1); else keyStr=itoa(g_numZones+1)+"\t"+toBase32Hex(bitFlip(fromBase32Hex(makeRelative(stripDot(rr.qname), zone)))); - dataStr=rr.qname+"\t"+itoa(rr.ttl)+"\t"+rr.qtype.getName()+"\t"+rr.content; + dataStr=stripDot(rr.qname)+"\t"+itoa(rr.ttl)+"\t"+rr.qtype.getName()+"\t"+rr.content; key.mv_data = (char*)keyStr.c_str(); key.mv_size = keyStr.length(); diff --git a/regression-tests/.gitignore b/regression-tests/.gitignore index 5e3f3e6470..2457641ce7 100644 --- a/regression-tests/.gitignore +++ b/regression-tests/.gitignore @@ -14,6 +14,7 @@ /pdns-*.conf /*.sqlite3* /named-slave.conf +/named-lmdb.conf /bulktest.results /recursor-bulktest/ /recursor.log 
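Review bot: The RRSIG key written by zone2lmdb in the @@ -100 hunk, `keyStr=zone+"\t"+makeRelative(stripDot(rr.qname), zone)+"\t"+...`, is not case-normalised, while the reader in dbdnsseckeeper.cc earlier on this page looks it up with `toLower(signer)` and `toLower(qname)`; LMDB compares keys byte-wise, so a zone file with mixed-case owner names, or a zone name written with capitals in named.conf, would silently miss its precomputed signatures at lookup time, unless `zone` and `rr.qname` are lower-cased before this point in emitData (its start is outside the hunk). Suggest `keyStr=toLower(zone)+"\t"+makeRelative(toLower(stripDot(rr.qname)), toLower(zone))+"\t"+DNSRecordContent::NumberToType(rrc.d_type);` or normalising `zone` once at the top of emitData. The new `if (rr.qtype == QType::NSEC3PARAM) continue; // TODO set metadata` drops the record without any trace; a one-line message to stderr naming the zone would make the gap visible to whoever imports an NSEC3 zone before metadata support lands. The same case question applies to the key built in the @@ -122 hunk below, which also uses `stripDot(rr.qname)` unnormalised.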
diff --git a/regression-tests/backends/lmdb-master b/regression-tests/backends/lmdb-master index fd15924032..f1183791d3 100644 --- a/regression-tests/backends/lmdb-master +++ b/regression-tests/backends/lmdb-master @@ -1,14 +1,11 @@ case $context in - lmdb-nodnssec | lmdb | lmdb-nsec3 | lmdb-nsec3-optout | lmdb-nodnssec-zone | lmdb-zone | lmdb-nsec3-zone | lmdb-nsec3-optout-zone) + lmdb-nodnssec | lmdb | lmdb-nsec3 | lmdb-nsec3-optout | lmdb-zone | lmdb-nsec3-zone | lmdb-nsec3-optout-zone) if [ "${context: -5}" = "-zone" ] then orgcontext=$context case $context in - lmdb-nodnssec-zone) - context=bind - ;; lmdb-zone) context=bind-dnssec ;; 
@@ -22,25 +19,66 @@ case $context in source ./backends/bind-master + rm -f named-lmdb.conf zones/*.signed + for zone in $(grep 'zone ' named.conf | cut -f2 -d\") do ../pdns/saxfr 127.0.0.1 $port $zone showdetails showflags > zones/$zone.signed + + echo "" >> named-lmdb.conf + echo "zone \"${zone}\" {" >> named-lmdb.conf + echo " type master;" >> named-lmdb.conf + echo " file \"zones/${zone}.signed\";" >> named-lmdb.conf + echo "};" >> named-lmdb.conf done - kill $(cat pdns*.pid) - sleep 2 + + pids=$(cat pdns*.pid) + + if [ -n "$pids" ] + then + kill $pids + set +e + loopcount=0 + done=0 + while [ $loopcount -lt 10 ] && [ $done -eq 0 ] + do + done=1 + for pid in $pids + do + kill -0 $pid > /dev/null 2>&1 + if [ $? -eq 0 ]; + then + done=0 + fi + done + let loopcount=loopcount+1 + sleep 1 + done + + kill -9 $pids + set -e + fi + rm pdns*.pid + context=${orgcontext%-zone} fi - ${MAKE} -C ../pdns zone2sql > /dev/null + ${MAKE} -C ../pdns zone2lmdb > /dev/null rm -f data.mdb lock.mdb - ../pdns/zone2lmdb --named-conf=./named.conf - $RUNWRAPPER $PDNS --daemon=no --local-port=$port --socket-dir=./ \ + if [ $context = lmdb-nodnssec ] + then + ../pdns/zone2lmdb --named-conf=./named.conf + else + ../pdns/zone2lmdb --named-conf=./named-lmdb.conf + fi + + $RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-name=lmdb --socket-dir=./ \ --no-shuffle --launch=lmdb \ --send-root-referral \ --cache-ttl=$cachettl --experimental-dname-processing --no-config \ --lmdb-datapath=./ & - + skipreasons="noent nodyndns nometa lmdb" if [ $context = lmdb-nsec3 ] diff --git a/regression-tests/tests/axfr/skip.lmdb b/regression-tests/tests/axfr/skip.lmdb new file mode 100644 index 0000000000..e69de29bb2 diff --git a/regression-tests/tests/ds-at-unsecure-zone-cut/skip.lmdb b/regression-tests/tests/ds-at-unsecure-zone-cut/skip.lmdb new file mode 100644 index 0000000000..e69de29bb2 
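Review bot: In the new shutdown loop, `kill -9 $pids` runs unconditionally after the wait loop, so every process that already exited on the plain `kill` gets a second, failing signal (masked only because `set +e` is in force), and the forced kill is sent even when the loop observed that all processes were gone. Guard it on the loop's outcome: `if [ $done -eq 0 ]; then kill -9 $pids; fi`. The `kill -0 $pid > /dev/null 2>&1` / `if [ $? -eq 0 ]` pair can be the single test `if kill -0 $pid 2>/dev/null`, and naming the flag `done` inside a `while ... do ... done` loop is legal but easy to misread; `alive` or `stopped` would be clearer. Note also that the `set -e` inside the branch leaves errexit enabled for the rest of the script whether or not it was on before, so the following `rm pdns*.pid` now aborts the run if no pid file is present.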
diff --git a/regression-tests/tests/verify-dnssec-zone/skip.lmdb b/regression-tests/tests/verify-dnssec-zone/skip.lmdb new file mode 100644 index 0000000000..e69de29bb2