From: Kees Monshouwer
Date: Sun, 1 Jun 2014 22:40:43 +0000 (+0200)
Subject: fix NSEC in lmdb-backend
X-Git-Tag: auth-3.4.0-rc1~106^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=996df94690020e42c0b0d2d3d155295220371b8c;p=thirdparty%2Fpdns.git
fix NSEC in lmdb-backend
---
diff --git a/modules/lmdbbackend/lmdbbackend.cc b/modules/lmdbbackend/lmdbbackend.cc
index 2ba43530a3..04cfbd5354 100644
--- a/modules/lmdbbackend/lmdbbackend.cc
+++ b/modules/lmdbbackend/lmdbbackend.cc
@@ -131,7 +131,7 @@ bool LMDBBackend::getDomainMetadata(const string& name, const std::string& kind,
 if (valparts.size() == 4) {
 if (kind == "PRESIGNED")
 meta.push_back("1");
- else
+ else if (valparts[3] != "1")
 meta.push_back(valparts[3]);
 }
 }
@@ -143,13 +143,16 @@ bool LMDBBackend::getDomainMetadata(const string& name, const std::string& kind,
 return true;
 }
-bool LMDBBackend::getDirectNSECx(uint32_t id, const string &hashed, string &before, DNSResourceRecord &rr)
+bool LMDBBackend::getDirectNSECx(uint32_t id, const string &hashed, const QType &qtype, string &before, DNSResourceRecord &rr)
 {
 MDB_val key, data;
 string key_str, cur_key, cur_value;
 vector keyparts, valparts;
- key_str=itoa(id)+"\t"+toBase32Hex(bitFlip(hashed));
+ if (qtype == QType::NSEC)
+ key_str=itoa(id)+"\t"+bitFlip(hashed)+"\xff";
+ else
+ key_str=itoa(id)+"\t"+toBase32Hex(bitFlip(hashed));
 key.mv_data = (char *)key_str.c_str();
 key.mv_size = key_str.length();
@@ -192,8 +195,10 @@ bool LMDBBackend::getDirectNSECx(uint32_t id, const string &hashed, string &befo
 return true;
 hasnsecx:
-
- before=bitFlip(fromBase32Hex(keyparts[1]));
+ if (qtype == QType::NSEC)
+ before=bitFlip(keyparts[1]).c_str();
+ else
+ before=bitFlip(fromBase32Hex(keyparts[1]));
 rr.qname=valparts[0];
 rr.ttl=atoi(valparts[1].c_str());
 rr.qtype=DNSRecordContent::TypeToNumber(valparts[2]);
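Review bot: The new `else if (valparts[3] != "1")` filters a sentinel value that nothing in this function explains; from this diff, `"1"` is the default `metaData` that zone2lmdb.cc's emitData() writes when a zone has no NSEC3PARAM (that file's hunk @@ -87), so a reader here cannot tell a real value from the placeholder. A one-line comment makes the contract explicit: `else if (valparts[3] != "1") // "1" is zone2lmdb's "no NSEC3PARAM" placeholder, not real metadata`. The writer side in pdns/zone2lmdb.cc (`string metaData="1", qname;`) should carry the matching comment. getDomainMetadata's body continues outside the hunk on both sides.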
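Review bot: The NSEC key layout `itoa(id)+"\t"+bitFlip(hashed)+"\xff"` must byte-match what pdns/zone2lmdb.cc emitData() writes in its hunk @@ -125 (`itoa(g_numZones+1)+"\t"+bitFlip(labelReverse(makeRelative(qname,zone)))+"\xff"`), yet neither side references the other, so a later edit to one silently breaks every NSEC lookup; the same holds for the NSEC3 form on the else branch. Add a comment on both sides, e.g. here `// key layout (NSEC: <id>\t<bitflipped reversed name>\xff, NSEC3: <id>\t<base32hex(bitflip(hash))>) must match emitData() in pdns/zone2lmdb.cc`. The else branch also treats every qtype other than NSEC as NSEC3, which is fine for the two callers this commit adds but worth stating in that comment. The rest of getDirectNSECx lies outside this hunk.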
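Review bot: `before=bitFlip(keyparts[1]).c_str();` reads like a stray `.c_str()`, but it appears to be load-bearing: if `keyparts[1]` still carries the `\xff` trailer the NSEC key is written with, bitFlip turns that byte into NUL and the const char* assignment silently truncates there, which is presumably how the trailer gets stripped. That relies on std::string-from-char* semantics and would also cut at any other NUL, so make the intent explicit: `before=bitFlip(keyparts[1]);` followed by `string::size_type nul=before.find('\0'); if (nul != string::npos) before.erase(nul); // drop the flipped "\xff" key trailer`. Whether keyparts[1] includes the trailer depends on how the key is split earlier in this function, which is outside the hunk.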
@@ -239,7 +244,7 @@ bool LMDBBackend::getDirectRRSIGs(const string &signer, const string &qname, con
 }
 if (rc == MDB_NOTFOUND)
- DEBUGLOG("RRSIG records for qname: '"<& meta);
- bool getDirectNSECx(uint32_t id, const string &hashed, string &before, DNSResourceRecord &rr);
+ bool getDirectNSECx(uint32_t id, const string &hashed, const QType &qtype, string &before, DNSResourceRecord &rr);
 bool getDirectRRSIGs(const string &signer, const string &qname, const QType &qtype, vector &rrsigs);
 bool getAuthZone( string &rev_zone );
diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh
index 8b46204a03..794e38ac24 100644
--- a/pdns/dnsbackend.hh
+++ b/pdns/dnsbackend.hh
@@ -364,7 +364,7 @@ public:
 }
 //! called to get a NSECx record from backend
- virtual bool getDirectNSECx(uint32_t id, const string &hashed, string &before, DNSResourceRecord &rr)
+ virtual bool getDirectNSECx(uint32_t id, const string &hashed, const QType &qtype, string &before, DNSResourceRecord &rr)
 {
 return false;
 }
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index d08b90fbc9..001d7d0b71 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -649,7 +649,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
 hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
 DLOG(L<<"1 hash: "<getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
- emitNSEC(before, after, target, sd, r, mode);
+ DNSResourceRecord rr;
+
+ rr.auth=false;
+ if(!B.getDirectNSECx(sd.domain_id, toLower(labelReverse(makeRelative(target, auth))), QType(QType::NSEC), before, rr)) {
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
+ emitNSEC(before, after, target, sd, r, mode);
+ } else if(rr.auth) {
+ if (mode == 5)
+ rr.d_place=DNSResourceRecord::ANSWER;
+ r->addRecord(rr);
+ }
 if (mode == 2 || mode == 4) { // wildcard NO-DATA or wildcard denial
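Review bot: The Doxygen line `//! called to get a NSECx record from backend` no longer describes the signature: nothing says that `qtype` selects NSEC versus NSEC3, that `hashed` is a label-reversed lower-cased relative owner name in the NSEC case and appears to be the raw (un-encoded) NSEC3 hash in the other (the lmdb implementation applies `toBase32Hex(bitFlip(hashed))` to it), or what `before` and `rr` hold when the call returns true. The comment should spell out both `hashed` encodings and the out-parameters as the lmdb implementation in this commit fills them (`before` receives the owner name or hash, `rr` the NSECx record), and say that the base returns false to signal no direct-NSECx support. The callers in pdns/packethandler.cc pass `toLower(labelReverse(makeRelative(target, auth)))` for NSEC, which is the convention worth pinning down here.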
@@ -738,8 +747,12 @@ void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, co
 (void) chopOff(closest);
 closest=dotConcat("*", closest);
 }
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, closest, before, after);
- emitNSEC(before, after, target, sd, r, mode);
+ rr.auth=false;
+ if(!B.getDirectNSECx(sd.domain_id, toLower(labelReverse(makeRelative(closest, auth))), QType(QType::NSEC), before, rr)) {
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, closest, before, after);
+ emitNSEC(before, after, target, sd, r, mode);
+ } else if(rr.auth)
+ r->addRecord(rr);
 }
 return;
 }
diff --git a/pdns/ueberbackend.cc b/pdns/ueberbackend.cc
index 19b6e14801..2eeb480389 100644
--- a/pdns/ueberbackend.cc
+++ b/pdns/ueberbackend.cc
@@ -235,10 +235,10 @@ bool UeberBackend::getTSIGKeys(std::vector< struct TSIGKey > &keys)
 return true;
 }
-bool UeberBackend::getDirectNSECx(uint32_t id, const string &hashed, string &before, DNSResourceRecord &rr)
+bool UeberBackend::getDirectNSECx(uint32_t id, const string &hashed, const QType &qtype, string &before, DNSResourceRecord &rr)
 {
 BOOST_FOREACH(DNSBackend* db, backends) {
- if(db->getDirectNSECx(id, hashed, before, rr))
+ if(db->getDirectNSECx(id, hashed, qtype, before, rr))
 return true;
 }
 return false;
diff --git a/pdns/ueberbackend.hh b/pdns/ueberbackend.hh
index 7039f22853..f153b03104 100644
--- a/pdns/ueberbackend.hh
+++ b/pdns/ueberbackend.hh
@@ -144,7 +144,7 @@ public:
 bool activateDomainKey(const string& name, unsigned int id);
 bool deactivateDomainKey(const string& name, unsigned int id);
- bool getDirectNSECx(uint32_t id, const string &hashed, string &before, DNSResourceRecord &rr);
+ bool getDirectNSECx(uint32_t id, const string &hashed, const QType &qtype, string &before, DNSResourceRecord &rr);
 bool getDirectRRSIGs(const string &signer, const string &qname, const QType &qtype, vector &rrsigs);
 bool getTSIGKey(const string& name, string* algorithm, string* content);
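Review bot: When `B.getDirectNSECx(...)` returns true but leaves `rr.auth` false, the new `else if(rr.auth)` emits nothing and the old `getBeforeAndAfterNames`/`emitNSEC` path is skipped as well, so the response carries no NSEC for `closest` at all and a validating resolver would likely reject the denial. If dropping a non-authoritative direct hit is intended, a comment on the `else if` should say so; otherwise fold it into the fallback condition: `if(!B.getDirectNSECx(sd.domain_id, toLower(labelReverse(makeRelative(closest, auth))), QType(QType::NSEC), before, rr) || !rr.auth) {` and `} else` / `r->addRecord(rr);`. The preceding addNSEC hunk in this file (its @@ header is lost in this rendering) has the same shape around `target` and needs the same decision; `rr` is declared there, and addNSEC's body starts and ends outside this hunk.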
diff --git a/pdns/zone2lmdb.cc b/pdns/zone2lmdb.cc
index b073022f08..52aa9a43d5 100644
--- a/pdns/zone2lmdb.cc
+++ b/pdns/zone2lmdb.cc
@@ -79,7 +79,7 @@ void closeDB(){
 }
 string reverse(const string &name) {
- return toLower(string(name.rbegin(), name.rend()));
+ return string(name.rbegin(), name.rend());
 }
 void emitData(string zone, ZoneParserTNG &zpt){
@@ -87,14 +87,16 @@ void emitData(string zone, ZoneParserTNG &zpt){
 bool hasSOA=false, isPresigned=false;
 int numRefs=g_numRefs;
 int numRecords=g_numRecords;
- string metaData;
+ string metaData="1", qname;
 SOAData sd;
 DNSResourceRecord rr;
 MDB_val key, data, keyExt, dataExt;
+ zone=toLower(zone);
 mdb_txn_begin(env, txn, 0, &txn_zone);
 while(zpt.get(rr)) {
 numRecords++;
+ qname=toLower(stripDot(rr.qname));
 if (rr.qtype == QType::SOA) {
 hasSOA=true;
 fillSOAData(rr.content, sd);
@@ -103,7 +105,7 @@ void emitData(string zone, ZoneParserTNG &zpt){
 }
 if (rr.qtype == QType::NSEC3PARAM) {
 metaData=rr.content;
- continue; // TODO set metadata
+ continue;
 }
 string keyStr, dataStr;
@@ -111,7 +113,7 @@ void emitData(string zone, ZoneParserTNG &zpt){
 if (rr.qtype == QType::RRSIG) {
 isPresigned=true;
 RRSIGRecordContent rrc(rr.content);
- keyStr=zone+"\t"+makeRelative(stripDot(rr.qname), zone)+"\t"+DNSRecordContent::NumberToType(rrc.d_type);
+ keyStr=zone+"\t"+makeRelative(qname, zone)+"\t"+DNSRecordContent::NumberToType(rrc.d_type);
 dataStr=itoa(rr.ttl)+"\t"+rr.content;
 key.mv_data = (char*)keyStr.c_str();
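Review bot: `reverse()` drops its `toLower()` with nothing at the definition saying that lower-casing now happens in the caller (`qname=toLower(stripDot(rr.qname))` in emitData, hunk @@ -87), so the next reader has no way to know that mixed-case input is no longer normalised here. A one-line comment at the definition carries that contract: `// byte-wise reversal only; callers must pass an already lower-cased name (see emitData)`.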
@@ -125,10 +127,10 @@ void emitData(string zone, ZoneParserTNG &zpt){
 if (rr.qtype == QType::NSEC || rr.qtype == QType::NSEC3) {
 if (rr.qtype == QType::NSEC)
- keyStr=stripDot(rr.qname)+"\t"+itoa(g_numZones+1);
+ keyStr=itoa(g_numZones+1)+"\t"+bitFlip(labelReverse(makeRelative(qname,zone)))+"\xff";
 else
- keyStr=itoa(g_numZones+1)+"\t"+toBase32Hex(bitFlip(fromBase32Hex(makeRelative(stripDot(rr.qname), zone))));
- dataStr=stripDot(rr.qname)+"\t"+itoa(rr.ttl)+"\t"+rr.qtype.getName()+"\t"+rr.content;
+ keyStr=itoa(g_numZones+1)+"\t"+toBase32Hex(bitFlip(fromBase32Hex(makeRelative(qname, zone))));
+ dataStr=qname+"\t"+itoa(rr.ttl)+"\t"+rr.qtype.getName()+"\t"+rr.content;
 key.mv_data = (char*)keyStr.c_str();
 key.mv_size = keyStr.length();
@@ -139,7 +141,7 @@ void emitData(string zone, ZoneParserTNG &zpt){
 continue;
 }
- keyStr=reverse(stripDot(rr.qname))+"\t"+rr.qtype.getName();
+ keyStr=reverse(qname)+"\t"+rr.qtype.getName();
 dataStr=itoa(g_numZones+1)+"\t"+itoa(rr.ttl)+"\t"+rr.content;
 key.mv_data = (char*)keyStr.c_str();