From: Kees Monshouwer
Date: Thu, 11 Apr 2013 21:26:33 +0000 (+0200)
Subject: return NOTIMP for direct RRSIG request
X-Git-Tag: rec-3.6.0~19^2~2^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec62f3c0a26ee4cc3f4302ecbb3400f992555344;p=thirdparty%2Fpdns.git
return NOTIMP for direct RRSIG request
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 9cea755e77..4f260df928 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -880,138 +880,6 @@ DNSPacket *PacketHandler::question(DNSPacket *p) return ret; } -void PacketHandler::synthesiseRRSIGs(DNSPacket* p, DNSPacket* r) -{ - DLOG(L<<"Need to synthesise the RRSIGs if someone asked for them explicitly"< > > records_t; - typedef map ttls_t; - records_t records; - ttls_t ttls; - - NSECRecordContent nrc; - NSEC3RecordContent n3rc; - nrc.d_set.insert(QType::RRSIG); - - DNSResourceRecord rr; - - SOAData sd; - sd.db=(DNSBackend *)-1; // force uncached answer - B.getAuth(p, &sd, p->qdomain, 0); - - bool narrow; - NSEC3PARAMRecordContent ns3pr; - bool doNSEC3= d_dk.getNSEC3PARAM(sd.qname, &ns3pr, &narrow); - - B.lookup(QType(QType::ANY), p->qdomain, p); - - bool haveone=false; - while(B.get(rr)) { - haveone=true; - if(!((rr.auth && rr.qtype.getCode()) || (!(doNSEC3 && ns3pr.d_flags) && rr.qtype.getCode() == QType::NS))) - continue; - - // make sure all fields are present in the SOA content - if(rr.qtype.getCode() == QType::SOA) { - rr.content = serializeSOAData(sd); - } - - // this deals with the 'prio' mismatch! 
- if(rr.qtype.getCode()==QType::MX || rr.qtype.getCode() == QType::SRV) {
- rr.content = lexical_cast(rr.priority) + " " + rr.content;
- }
-
- // fix direct DNSKEY ttl
- if(::arg().mustDo("direct-dnskey") && rr.qtype.getCode() == QType::DNSKEY) {
- rr.ttl = sd.default_ttl;
- }
-
- if(!rr.content.empty() && rr.qtype.getCode()==QType::TXT && rr.content[0]!='"') {
- rr.content="\""+rr.content+"\"";
- }
- if(rr.content.empty()) // empty contents confuse the MOADNS setup
- rr.content=".";
- shared_ptr drc(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content));
-
- records[rr.qtype.getCode()].push_back(drc);
- ttls[rr.qtype.getCode()]=rr.ttl;
- nrc.d_set.insert(rr.qtype.getCode());
- }
-
- if(records.empty()) {
- if (haveone)
- makeNOError(p, r, p->qdomain, "", sd, 0);
- return;
- }
-
- if(pdns_iequals(p->qdomain, sd.qname)) { // Add DNSKEYs at apex
- DNSSECPrivateKey dpk;
-
- DNSSECKeeper::keyset_t keyset = d_dk.getKeys(p->qdomain);
- BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type value, keyset) {
-
- records[QType::DNSKEY].push_back(shared_ptr(DNSRecordContent::mastermake(QType::DNSKEY, 1, value.first.getDNSKEY().getZoneRepresentation())));
- ttls[QType::DNSKEY]=sd.default_ttl;
- nrc.d_set.insert(QType::DNSKEY);
- }
- }
-
- string before,after;
- string unhashed(p->qdomain);
-
- if(doNSEC3) {
- // now get the NSEC3 and NSEC3PARAM
- string hashed=hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, unhashed);
- getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
- unhashed=dotConcat(toBase32Hex(before), sd.qname);
-
- n3rc.d_set=nrc.d_set; // Copy d_set from NSEC
- n3rc.d_algorithm=ns3pr.d_algorithm;
- n3rc.d_flags=ns3pr.d_flags;
- n3rc.d_iterations=ns3pr.d_iterations;
- n3rc.d_salt=ns3pr.d_salt;
- n3rc.d_nexthash=after;
-
- if(pdns_iequals(p->qdomain, sd.qname)) {
- ns3pr.d_flags = 0; // the NSEC3PARAM 'flag' is defined to always be zero in RFC5155.
- - records[QType::NSEC3PARAM].push_back(shared_ptr(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, ns3pr.getZoneRepresentation()))); - ttls[QType::NSEC3PARAM]=sd.default_ttl; - n3rc.d_set.insert(QType::NSEC3PARAM); - } - - // ok, the NSEC3PARAM is in.. - } - else { - // now get the NSEC too (since we must sign it!) - sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, p->qdomain, before, after); - - nrc.d_set.insert(QType::NSEC); - nrc.d_next=after; - - records[QType::NSEC].push_back(shared_ptr(DNSRecordContent::mastermake(QType::NSEC, 1, nrc.getZoneRepresentation()))); - ttls[QType::NSEC]=sd.default_ttl; - - // ok, the NSEC is in.. - } - DLOG(L<<"Have "< rrsigs; - - BOOST_FOREACH(records_t::value_type& iter, records) { - rr.qname=(doNSEC3 && iter.first == QType::NSEC3) ? unhashed : p->qdomain; - rr.ttl=ttls[iter.first]; - - addSignature(d_dk, B, sd.qname, rr.qname, rr.qname, iter.first, rr.ttl, DNSPacketWriter::ANSWER, iter.second, rrsigs, rr.ttl); - } - - BOOST_FOREACH(DNSResourceRecord& rr, rrsigs) - r->addRecord(rr); -} - void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd) { DNSResourceRecord rr; @@ -1262,8 +1130,8 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) return r; } - // send TC for udp ANY or RRSIG query if any-to-tcp is enabled. - if(g_anyToTcp && !p->d_tcp && ((p->qtype.getCode() == QType::ANY || p->qtype.getCode() == QType::RRSIG))) { + // send TC for udp ANY query if any-to-tcp is enabled. + if(p->qtype.getCode() == QType::ANY && !p->d_tcp && g_anyToTcp) { r->d.tc = 1; r->commitD(); return r; @@ -1344,8 +1212,9 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) } // this TRUMPS a cname! - if(p->qtype.getCode() == QType::RRSIG && d_dk.isSecuredZone(sd.qname)) { - synthesiseRRSIGs(p, r); + if(p->qtype.getCode() == QType::RRSIG) { + L<getRemote()<setRcode(RCode::NotImp); goto sendit; } 
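Review bot: The new RRSIG branch writes one log line per query that includes `p->getRemote()`, and the urgency it uses is not recoverable from this rendering of the patch; because any client can send direct RRSIG queries at line rate, this maps unauthenticated traffic one-to-one onto log volume. Consider wrapping it in `DLOG(...)` as the removed synthesiseRRSIGs did, using a lower urgency, or replacing it with a counter, while leaving `r->setRcode(RCode::NotImp); goto sendit;` as it is. The `d_dk.isSecuredZone(sd.qname)` guard is gone, so unsigned zones now also get NOTIMP — the updated expected_result (Rcode 4) confirms that is intended, but a comment such as `// direct RRSIG queries are answered NOTIMP for every zone, signed or not; the UDP ANY-to-TCP path above no longer covers RRSIG` would save the next reader a trip to the earlier hunk. questionOrRecurse starts and ends outside this hunk.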
diff --git a/regression-tests/tests/direct-rrsig/expected_result b/regression-tests/tests/direct-rrsig/expected_result
index 04adefd9cb..d4ccd691dc 100644
--- a/regression-tests/tests/direct-rrsig/expected_result
+++ b/regression-tests/tests/direct-rrsig/expected_result
@@ -1,4 +1,3 @@
-1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
 2 . IN OPT 32768
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Rcode: 4, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='example.com.', qtype=RRSIG
diff --git a/regression-tests/tests/direct-rrsig/expected_result.dnssec b/regression-tests/tests/direct-rrsig/expected_result.dnssec
deleted file mode 100644
index 840b7fdd16..0000000000
--- a/regression-tests/tests/direct-rrsig/expected_result.dnssec
+++ /dev/null
@@ -1,8 +0,0 @@
-0 example.com. IN RRSIG 100000 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 120 MX 8 2 120 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 120 NS 8 2 120 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 86400 DNSKEY 8 2 86400 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
-2 . IN OPT 32768
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=RRSIG
diff --git a/regression-tests/tests/direct-rrsig/expected_result.narrow b/regression-tests/tests/direct-rrsig/expected_result.narrow
deleted file mode 100644
index 73e3aa98ef..0000000000
--- a/regression-tests/tests/direct-rrsig/expected_result.narrow
+++ /dev/null
@@ -1,8 +0,0 @@
-0 example.com. IN RRSIG 100000 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 120 MX 8 2 120 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 120 NS 8 2 120 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 86400 DNSKEY 8 2 86400 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 86400 NSEC3PARAM 8 2 86400 [expiry] [inception] [keytag] example.com. ...
-2 . IN OPT 32768
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=RRSIG
diff --git a/regression-tests/tests/direct-rrsig/expected_result.nsec3 b/regression-tests/tests/direct-rrsig/expected_result.nsec3
deleted file mode 100644
index 73e3aa98ef..0000000000
--- a/regression-tests/tests/direct-rrsig/expected_result.nsec3
+++ /dev/null
@@ -1,8 +0,0 @@
-0 example.com. IN RRSIG 100000 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 120 MX 8 2 120 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 120 NS 8 2 120 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 86400 DNSKEY 8 2 86400 [expiry] [inception] [keytag] example.com. ...
-0 example.com. IN RRSIG 86400 NSEC3PARAM 8 2 86400 [expiry] [inception] [keytag] example.com. ...
-2 . IN OPT 32768
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=RRSIG