From: Kees Monshouwer Date: Sun, 27 Jan 2019 21:36:00 +0000 (+0100) Subject: auth: lmdb-backend avoid duplicate NSEC3 records in presigned zones X-Git-Tag: auth-4.2.0-beta1~29^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F7470%2Fhead;p=thirdparty%2Fpdns.git auth: lmdb-backend avoid duplicate NSEC3 records in presigned zones --- diff --git a/modules/bindbackend/bindbackend2.cc b/modules/bindbackend/bindbackend2.cc index 0f4e70f919..69d0450fc9 100644 --- a/modules/bindbackend/bindbackend2.cc +++ b/modules/bindbackend/bindbackend2.cc @@ -251,7 +251,7 @@ bool Bind2Backend::abortTransaction() return true; } -bool Bind2Backend::feedRecord(const DNSResourceRecord &rr, const DNSName &ordername) +bool Bind2Backend::feedRecord(const DNSResourceRecord &rr, const DNSName &ordername, bool ordernameIsNSEC3) { BB2DomainInfo bbd; if (!safeGetBBDomainInfo(d_transaction_id, &bbd)) diff --git a/modules/bindbackend/bindbackend2.hh b/modules/bindbackend/bindbackend2.hh index 76ce499089..424c5683b0 100644 --- a/modules/bindbackend/bindbackend2.hh +++ b/modules/bindbackend/bindbackend2.hh @@ -206,7 +206,7 @@ public: void setFresh(uint32_t domain_id) override; void setNotified(uint32_t id, uint32_t serial) override; bool startTransaction(const DNSName &qname, int id) override; - bool feedRecord(const DNSResourceRecord &rr, const DNSName &ordername) override; + bool feedRecord(const DNSResourceRecord &rr, const DNSName &ordername, bool ordernameIsNSEC3=false) override; bool commitTransaction() override; bool abortTransaction() override; void alsoNotifies(const DNSName &domain, set *ips) override; diff --git a/modules/lmdbbackend/lmdbbackend.cc b/modules/lmdbbackend/lmdbbackend.cc index 9ca3e29e62..8b9ca2bc67 100644 --- a/modules/lmdbbackend/lmdbbackend.cc +++ b/modules/lmdbbackend/lmdbbackend.cc 
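Review bot: The `=false` default for `ordernameIsNSEC3` is repeated on every override declaration in this commit (bindbackend2.hh here, and lmdbbackend.hh, luabackend.hh, odbxbackend.hh, remotebackend.hh, gsqlbackend.hh) in addition to the base declaration in dnsbackend.hh; default arguments on virtual functions are bound by the static type of the call expression, so the copies must stay identical and can drift silently. Declaring the default only on the base `virtual bool feedRecord(const DNSResourceRecord &rr, const DNSName &ordername, bool ordernameIsNSEC3=false)` and dropping it from the overrides removes that risk, since callers go through `DNSBackend*`. In the Bind2Backend::feedRecord definition the new parameter is not used in the visible lines; if the rest of the body (outside the hunk) does not use it either, leaving it unnamed, `const DNSName &ordername, bool /*ordernameIsNSEC3*/)`, documents that it is accepted for interface compatibility only. The same applies to the LUABackend, OdbxBackend and GSQLBackend definitions later in the diff.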
@@ -182,6 +182,7 @@ std::string serToString(const DNSResourceRecord& rr) ret += rr.content; ret.append((const char*)&rr.ttl, 4); ret.append(1, (char)rr.auth); + ret.append(1, (char)false); ret.append(1, (char)rr.disabled); return ret; } @@ -193,7 +194,7 @@ void serFromString(const string_view& str, DNSResourceRecord& rr) memcpy(&len, &str[0], 2); rr.content.assign(&str[2], len); // len bytes memcpy(&rr.ttl, &str[2] + len, 4); - rr.auth = str[str.size()-2]; + rr.auth = str[str.size()-3]; rr.disabled = str[str.size()-1]; rr.wildcardname.clear(); } @@ -302,19 +303,22 @@ bool LMDBBackend::abortTransaction() } // d_rwtxn must be set here -bool LMDBBackend::feedRecord(const DNSResourceRecord &r, const DNSName &ordername) +bool LMDBBackend::feedRecord(const DNSResourceRecord &r, const DNSName &ordername, bool ordernameIsNSEC3) { DNSResourceRecord rr(r); rr.qname.makeUsRelative(d_transactiondomain); rr.content = serializeContent(rr.qtype.getCode(), r.qname, rr.content); + rr.disabled = false; compoundOrdername co; d_rwtxn->txn.put(d_rwtxn->db->dbi, co(r.domain_id, rr.qname, rr.qtype.getCode()), serToString(rr)); - if(!ordername.empty()) { + if(ordernameIsNSEC3 && !ordername.empty()) { + MDBOutVal val; + if(d_rwtxn->txn.get(d_rwtxn->db->dbi, co(r.domain_id, rr.qname, QType::NSEC3), val)) { rr.ttl = 0; - rr.auth = 0; rr.content=rr.qname.toDNSStringLC(); + rr.auth = 0; string ser = serToString(rr); d_rwtxn->txn.put(d_rwtxn->db->dbi, co(r.domain_id, ordername, QType::NSEC3), ser); @@ -322,6 +326,7 @@ bool LMDBBackend::feedRecord(const DNSResourceRecord &r, const DNSName &ordernam rr.content = ordername.toDNSString(); ser = serToString(rr); d_rwtxn->txn.put(d_rwtxn->db->dbi, co(r.domain_id, rr.qname, QType::NSEC3), ser); + } } return true; } 
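Review bot: serToString now emits an extra `(char)false` byte between `auth` and `disabled`, and serFromString moves the `auth` read from `str[str.size()-2]` to `str[str.size()-3]`, but nothing in these hunks marks the stored layout as a new version, so a database written with the previous layout decodes `auth` from the last byte of `ttl`; unless a schema-version check exists elsewhere in the backend this needs a version bump or a documented migration. The inserted byte is never read back, so its purpose cannot be seen from the code; a layout comment above serToString, derived from the visible appends, `// layout: [len:2][content:len][ttl:4][auth:1][reserved:1][disabled:1]`, would make the fixed offsets checkable. serFromString also indexes `str.size()-3` without confirming the value is long enough; `if (str.size() < 2u + len + 7u) throw std::runtime_error("serFromString: record too short");` before the ttl memcpy turns a truncated value into a clean failure instead of an out-of-bounds read.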
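Review bot: The new guard `if(d_rwtxn->txn.get(d_rwtxn->db->dbi, co(r.domain_id, rr.qname, QType::NSEC3), val))` reads as "if an NSEC3 record exists" but, assuming the wrapper returns the mdb_get return code, it is true only when the lookup fails with MDB_NOTFOUND, i.e. the NSEC3 pair is written only when none is stored yet, and `val` is a sink that is never read. Comparing explicitly, `if(d_rwtxn->txn.get(d_rwtxn->db->dbi, co(r.domain_id, rr.qname, QType::NSEC3), val) == MDB_NOTFOUND) { // first NSEC3 for this name wins`, states the intent and avoids treating any other non-zero code the same way should the wrapper ever return one. `rr.disabled = false;` now overrides the flag of every fed record, and together with `rr.disabled = true` in feedEnts and `rr.disabled = false` in feedEnts3 (the next hunks) it looks like `disabled` is being repurposed as the stored empty-non-terminal marker; if so, a comment at the assignment, `// disabled doubles as the ENT marker in the LMDB record; fed records are never disabled`, is needed, otherwise the stored flag should come from `r`. feedRecord continues past this hunk and closes in the following @@ -322 hunk.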
@@ -334,8 +339,9 @@ bool LMDBBackend::feedEnts(int domain_id, map& nonterm) for(const auto& nt: nonterm) { rr.qname = nt.first.makeRelative(d_transactiondomain); rr.auth = nt.second; - std::string ser = serToString(rr); + rr.disabled = true; + std::string ser = serToString(rr); d_rwtxn->txn.put(d_rwtxn->db->dbi, co(domain_id, rr.qname, 0), ser); } return true; @@ -343,6 +349,7 @@ bool LMDBBackend::feedEnts(int domain_id, map& nonterm) bool LMDBBackend::feedEnts3(int domain_id, const DNSName &domain, map &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow) { + string ser; DNSName ordername; DNSResourceRecord rr; compoundOrdername co; @@ -350,14 +357,14 @@ bool LMDBBackend::feedEnts3(int domain_id, const DNSName &domain, maptxn.put(d_rwtxn->db->dbi, co(domain_id, rr.qname, 0), ser); if(!narrow && rr.auth) { - rr.auth=0; - rr.content=rr.qname.toDNSString(); + rr.content = rr.qname.toDNSString(); + rr.auth = false; + rr.disabled = false; ser = serToString(rr); ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3prc, nt.first))); diff --git a/modules/lmdbbackend/lmdbbackend.hh b/modules/lmdbbackend/lmdbbackend.hh index 14cd5499a8..fa51d0d83f 100644 --- a/modules/lmdbbackend/lmdbbackend.hh +++ b/modules/lmdbbackend/lmdbbackend.hh @@ -45,7 +45,7 @@ public: bool startTransaction(const DNSName &domain, int domain_id=-1) override; bool commitTransaction() override; bool abortTransaction() override; - bool feedRecord(const DNSResourceRecord &r, const DNSName &ordername) override; + bool feedRecord(const DNSResourceRecord &r, const DNSName &ordername, bool ordernameIsNSEC3=false) override; bool feedEnts(int domain_id, map& nonterm) override; bool feedEnts3(int domain_id, const DNSName &domain, map &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow) override; bool replaceRRSet(uint32_t domain_id, const DNSName& qname, const QType& qt, const vector& rrset) override; 
diff --git a/modules/luabackend/luabackend.hh b/modules/luabackend/luabackend.hh index 2d7c4d2ff2..38971a4f54 100644 --- a/modules/luabackend/luabackend.hh +++ b/modules/luabackend/luabackend.hh @@ -75,7 +75,7 @@ public: bool startTransaction(const DNSName &qname, int id) override; bool commitTransaction() override; bool abortTransaction() override; - bool feedRecord(const DNSResourceRecord &rr, const DNSName &ordername) override; + bool feedRecord(const DNSResourceRecord &rr, const DNSName &ordername, bool ordernameIsNSEC3=false) override; // SUPERMASTER BACKEND diff --git a/modules/luabackend/slave.cc b/modules/luabackend/slave.cc index 1d61fff00a..ff90067c7c 100644 --- a/modules/luabackend/slave.cc +++ b/modules/luabackend/slave.cc @@ -33,7 +33,7 @@ virtual bool startTransaction(const string &qname, int id); virtual bool commitTransaction(); virtual bool abortTransaction(); - virtual bool feedRecord(const DNSResourceRecord &rr, DNSName &ordername); + virtual bool feedRecord(const DNSResourceRecord &rr, DNSName &ordername, bool ordernameIsNSEC3); virtual bool getDomainInfo(const string &domain, DomainInfo &di); virtual void getUnfreshSlaveInfos(vector* domains); @@ -135,7 +135,7 @@ bool LUABackend::abortTransaction() { return ok; } -bool LUABackend::feedRecord(const DNSResourceRecord &rr, const DNSName &ordername) { +bool LUABackend::feedRecord(const DNSResourceRecord &rr, const DNSName &ordername, bool ordernameIsNSEC3) { if (f_lua_feedrecord == 0) return false; diff --git a/modules/opendbxbackend/odbxbackend.cc b/modules/opendbxbackend/odbxbackend.cc index 2ffd7cebe9..d9d8a5c03e 100644 --- a/modules/opendbxbackend/odbxbackend.cc +++ b/modules/opendbxbackend/odbxbackend.cc 
@@ -629,7 +629,7 @@ bool OdbxBackend::createSlaveDomain( const string& ip, const DNSName& domain, co -bool OdbxBackend::feedRecord( const DNSResourceRecord& rr, const DNSName& ordername ) +bool OdbxBackend::feedRecord( const DNSResourceRecord& rr, const DNSName& ordername, bool ordernameIsNSEC3 ) { try { diff --git a/modules/opendbxbackend/odbxbackend.hh b/modules/opendbxbackend/odbxbackend.hh index bcf115019e..4a8b910aa1 100644 --- a/modules/opendbxbackend/odbxbackend.hh +++ b/modules/opendbxbackend/odbxbackend.hh @@ -86,7 +86,7 @@ public: bool abortTransaction() override; bool getDomainInfo( const DNSName& domain, DomainInfo& di, bool getSerial=true ) override; - bool feedRecord( const DNSResourceRecord& rr, const DNSName& ordername ) override; + bool feedRecord( const DNSResourceRecord& rr, const DNSName& ordername, bool ordernameIsNSEC3=false ) override; bool createSlaveDomain( const string& ip, const DNSName& domain, const string &nameserver, const string& account ) override; bool superMasterBackend( const string& ip, const DNSName& domain, const vector& nsset, string *nameserver, string* account, DNSBackend** ddb ) override; diff --git a/modules/remotebackend/remotebackend.cc b/modules/remotebackend/remotebackend.cc index 068562e624..e90ac21f07 100644 --- a/modules/remotebackend/remotebackend.cc +++ b/modules/remotebackend/remotebackend.cc @@ -699,7 +699,7 @@ bool RemoteBackend::replaceRRSet(uint32_t domain_id, const DNSName& qname, const return true; } -bool RemoteBackend::feedRecord(const DNSResourceRecord &rr, const DNSName &ordername) { +bool RemoteBackend::feedRecord(const DNSResourceRecord &rr, const DNSName &ordername, bool ordernameIsNSEC3) { Json query = Json::object{ { "method", "feedRecord" }, { "parameters", Json::object{ diff --git a/modules/remotebackend/remotebackend.hh b/modules/remotebackend/remotebackend.hh index 5747ef2989..7972e1ced6 100644 --- a/modules/remotebackend/remotebackend.hh +++ b/modules/remotebackend/remotebackend.hh 
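Review bot: RemoteBackend::feedRecord now accepts `ordernameIsNSEC3`, but the visible start of the JSON `parameters` object does not carry it; the object continues outside the hunk, so if it is not added there the remote side has no way to tell an NSEC3 ordername from an NSEC one, while the C++ backends receive the flag through the signature. Adding a key such as `{ "ordernameIsNSEC3", ordernameIsNSEC3 },` alongside the existing parameters (and documenting it in the remote backend protocol description) keeps the wire API in step with the C++ one. If the flag is intentionally not forwarded, a one-line comment in the function saying so would spare the next reader the same question.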
@@ -173,7 +173,7 @@ class RemoteBackend : public DNSBackend bool superMasterBackend(const string &ip, const DNSName& domain, const vector&nsset, string *nameserver, string *account, DNSBackend **ddb) override; bool createSlaveDomain(const string &ip, const DNSName& domain, const string& nameserver, const string &account) override; bool replaceRRSet(uint32_t domain_id, const DNSName& qname, const QType& qt, const vector& rrset) override; - bool feedRecord(const DNSResourceRecord &r, const DNSName &ordername) override; + bool feedRecord(const DNSResourceRecord &r, const DNSName &ordername, bool ordernameIsNSEC3=false) override; bool feedEnts(int domain_id, map& nonterm) override; bool feedEnts3(int domain_id, const DNSName& domain, map& nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow) override; bool startTransaction(const DNSName& domain, int domain_id) override; diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc index 74864b0047..f010a1728b 100644 --- a/pdns/backends/gsql/gsqlbackend.cc +++ b/pdns/backends/gsql/gsqlbackend.cc @@ -1334,7 +1334,7 @@ bool GSQLBackend::replaceRRSet(uint32_t domain_id, const DNSName& qname, const Q return true; } -bool GSQLBackend::feedRecord(const DNSResourceRecord &r, const DNSName &ordername) +bool GSQLBackend::feedRecord(const DNSResourceRecord &r, const DNSName &ordername, bool ordernameIsNSEC3) { int prio=0; string content(r.content); diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh index 7f27100fc9..be25db1c15 100644 --- a/pdns/backends/gsql/gsqlbackend.hh +++ b/pdns/backends/gsql/gsqlbackend.hh 
@@ -187,7 +187,7 @@ public: bool startTransaction(const DNSName &domain, int domain_id=-1) override; bool commitTransaction() override; bool abortTransaction() override; - bool feedRecord(const DNSResourceRecord &r, const DNSName &ordername) override; + bool feedRecord(const DNSResourceRecord &r, const DNSName &ordername, bool ordernameIsNSEC3=false) override; bool feedEnts(int domain_id, map& nonterm) override; bool feedEnts3(int domain_id, const DNSName &domain, map &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow) override; bool createDomain(const DNSName &domain) override { diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh index d5f26945ed..4fe4208b62 100644 --- a/pdns/dnsbackend.hh +++ b/pdns/dnsbackend.hh @@ -270,7 +270,7 @@ public: } //! feeds a record to a zone, needs a call to startTransaction first - virtual bool feedRecord(const DNSResourceRecord &rr, const DNSName &ordername) + virtual bool feedRecord(const DNSResourceRecord &rr, const DNSName &ordername, bool ordernameIsNSEC3=false) { return false; // no problem! } diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 43c074362f..190488faf5 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -560,7 +560,7 @@ void CommunicatorClass::suck(const DNSName &domain, const ComboAddress& remote) // NSEC3 ordername=DNSName(toBase32Hex(hashQNameWithSalt(zs.ns3pr, rr.qname))); if(!zs.isNarrow && (rr.auth || (rr.qtype.getCode() == QType::NS && (!zs.optOutFlag || zs.secured.count(ordername))))) { - di.backend->feedRecord(rr, ordername); + di.backend->feedRecord(rr, ordername, true); } else di.backend->feedRecord(rr, DNSName()); } else {
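Review bot: The base declaration gains `bool ordernameIsNSEC3=false`, but the doc comment above it still only says `//! feeds a record to a zone, needs a call to startTransaction first`, so a backend author cannot tell what the flag means or when the caller sets it. From the slavecommunicator hunk it is set to true only in the non-narrow NSEC3 branch where `ordername` was computed with hashQNameWithSalt, and the narrow branch passes `DNSName()` with the default; the NSEC branch is outside the hunk. The comment should state that contract: `//! feeds a record to a zone, needs a call to startTransaction first; ordernameIsNSEC3 is true when ordername is the NSEC3 hash of rr.qname, false for NSEC ordernames and for narrow zones`.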