From ea99d4743de9184c0d9b173df09388ec981fe98a Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Fri, 30 Mar 2018 16:57:43 +0200
Subject: [PATCH] auth: avoid an isane amount of new backend connections during an AXFR

---
 pdns/signingpipe.cc | 2 +-
 pdns/tcpreceiver.cc | 13 +++++-------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/pdns/signingpipe.cc b/pdns/signingpipe.cc
index 44e246cbe4..6c98dd54c6 100644
--- a/pdns/signingpipe.cc
+++ b/pdns/signingpipe.cc
@@ -270,8 +270,8 @@ unsigned int ChunkedSigningPipe::getReady() const
 void ChunkedSigningPipe::worker(int fd)
 try {
- DNSSECKeeper dk;
 UeberBackend db("key-only");
+ DNSSECKeeper dk(&db);
 chunk_t* chunk = nullptr;
 int res;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 409b095588..e1dfd2e55f 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -439,7 +439,7 @@ bool TCPNameserver::canDoAXFR(shared_ptr q)
 }
 }
- DNSSECKeeper dk;
+ DNSSECKeeper dk(s_P->getBackend());
 if (q->d_tsig_algo == TSIG_GSS) {
 vector princs;
@@ -584,6 +584,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 s_P=new PacketHandler;
 }
+ // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
 if (!canDoAXFR(q)) {
 g_log<getRemote()<<" may not request AXFR"<setRcode(RCode::NotAuth);
@@ -591,7 +592,6 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 return 0;
 }
- // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
 if(!s_P->getBackend()->getSOAUncached(target, sd)) {
 g_log<setRcode(RCode::NotAuth);
@@ -608,7 +608,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 return 0;
 }
- DNSSECKeeper dk;
+ DNSSECKeeper dk(&db);
 dk.clearCaches(target);
 bool securedZone = dk.isSecuredZone(target);
 bool presignedZone = dk.isPresigned(target);
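Review bot: `DNSSECKeeper dk(&db);` in ChunkedSigningPipe::worker now holds a non-owning pointer to the `UeberBackend db("key-only")` declared on the line above it, so the swapped declaration order is the only thing guaranteeing that `dk` is destroyed before the backend it borrows. That dependency is invisible at the use sites further down `worker`, which continues outside the hunk, and a later cleanup could easily swap the two lines back; a comment above the pair, `// db must be declared before dk: dk only borrows it and must go out of scope first`, would pin it. Whether a "key-only" backend serves everything DNSSECKeeper reads through it (keys and domain metadata) is not visible in this hunk and is worth confirming.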
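Review bot: `DNSSECKeeper dk(s_P->getBackend());` in canDoAXFR dereferences the static `s_P` and makes `dk` share its backend, yet nothing in the hunk shows `s_P` being non-null or `s_plock` being held, so the safety of this line now rests entirely on every caller having taken the lock first. Before the change `dk` had its own backend and canDoAXFR's DNSSEC/TSIG queries could not race with other threads using `s_P`; the hunk at -645 drops its `Lock l(&s_plock);` only because it switches from `s_P->getBackend()` to the local `db`, which suggests the author still intends `s_P` accesses to stay lock-protected. A precondition comment such as `// Requires: caller holds s_plock and s_P is set; dk borrows s_P's backend and must not be used after the lock is released` would make that contract explicit for the ACL/TSIG checks that follow. canDoAXFR starts and ends outside the hunk.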
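Review bot: `DNSSECKeeper dk(&db);` in doAXFR borrows a backend named `db` that is not declared in this hunk; presumably it is the `UeberBackend` local of doAXFR that the later hunks also pass to `getTSIGKey` and `addRRSigs` in place of `signatureDB`, so one connection now serves zone lookup, TSIG key retrieval and RRSIG generation for the whole transfer. That is the point of the commit, but it also means `db` must remain alive, and must not be shared with another thread, until `dk` is destroyed at the end of doAXFR; a comment at the `db` declaration, `// single backend for this AXFR: dk, the TSIG key lookup and signing all borrow it`, would document that. doAXFR starts and ends outside the hunk.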
@@ -645,8 +645,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou if (algorithm == DNSName("hmac-md5.sig-alg.reg.int")) algorithm = DNSName("hmac-md5"); if (algorithm != DNSName("gss-tsig")) { - Lock l(&s_plock); - if(!s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { + if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { g_log< q, int ou } - UeberBackend signatureDB; - // SOA *must* go out first, our signing pipe might reorder DLOG(g_log<<"Sending out SOA"< q, int ou if(securedZone && !presignedZone) { set authSet; authSet.insert(target); - addRRSigs(dk, signatureDB, authSet, outpacket->getRRS()); + addRRSigs(dk, db, authSet, outpacket->getRRS()); } if(haveTSIGDetails && !tsigkeyname.empty()) -- 2.47.2
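Review bot: Dropping `Lock l(&s_plock);` together with the switch to `if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) {` is only correct if `db` is a function-local backend that is not reachable through `s_P`; its declaration lies outside the hunk, so that should be confirmed rather than inferred from the name. The key fetched here is what signs the outgoing transfer, so the failure branch must still bail out before any record is sent; the branch body is garbled in this copy of the patch and cannot be checked from here. The same `db` replaces the dedicated `UeberBackend signatureDB;` in the `addRRSigs(dk, db, authSet, outpacket->getRRS());` call of the last hunk, so that removal shares the same lifetime dependency on `db`.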