#include <boost/algorithm/string.hpp>
#include "auth-packetcache.hh"
#include "utility.hh"
+#include "threadname.hh"
#include "dnssecinfra.hh"
#include "dnsseckeeper.hh"
#include <cstdio>
void *TCPNameserver::doConnection(void *data)
{
+ setThreadName("pdns/tcpConnect");
shared_ptr<DNSPacket> packet;
// Fix gcc-4.0 error (on AMD64)
int fd=(int)(long)data; // gotta love C (generates a harmless warning on opteron)
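Review bot: The new thread name `"pdns/tcpConnect"` is exactly 15 characters, which is the most the Linux kernel keeps for a thread name (PR_SET_NAME and pthread_setname_np store 16 bytes including the terminator; longer names are truncated or rejected with ERANGE), and the same holds for `"pdns/tcpnameser"` added in the thread() hunk further down. Whether setThreadName ends up in one of those calls cannot be seen in this diff, but the two names look deliberately sized, and a later edit that lengthens one would silently lose the tail. A one-line comment on the call would protect both: `// 15 chars max: Linux keeps only 15 bytes of a thread name`. doConnection's body continues past the end of the hunk.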
}
}
- DNSSECKeeper dk;
+ DNSSECKeeper dk(s_P->getBackend());
if (q->d_tsig_algo == TSIG_GSS) {
vector<string> princs;
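Review bot: `DNSSECKeeper dk(s_P->getBackend());` hands the keeper a pointer to the backend owned by s_P, the PacketHandler shared by every TCP connection thread, while elsewhere in this diff access to s_P is serialized through s_plock (the `Lock l(&s_plock);` removed in the TSIG-key hunk guarded exactly such a `s_P->getBackend()` call). Unless the enclosing block already holds s_plock — its start is outside the hunk, so this cannot be confirmed here — the keeper's backend queries on the GSS path can run concurrently with other threads using the same backend through s_P. If all this block needs is a short-lived keeper, a function-local `UeberBackend` as the AXFR path now does (`DNSSECKeeper dk(&db);`) avoids sharing the handler's backend at all.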
namespace {
struct NSECXEntry
{
- set<uint16_t> d_set;
+ NSECBitmap d_set;
unsigned int d_ttl;
bool d_auth;
};
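Review bot: `d_ttl` and `d_auth` still have no initializer after the switch to NSECBitmap, so an NSECXEntry is only well-defined when it comes out of `nsecxrepo[keyname]`, which value-initializes (zeroes) the mapped entry if nsecxrepo_t is a std::map; the rectify loop later in the diff reads `ne.d_auth` before writing it (`ne.d_auth = (ne.d_auth || loopZRR.auth || …)`) and relies on exactly that. Since the struct is being touched anyway, making the invariant explicit costs almost nothing: `unsigned int d_ttl{0};` and `bool d_auth{false};`.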
s_P=new PacketHandler;
}
+ // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
if (!canDoAXFR(q)) {
g_log<<Logger::Error<<"AXFR of domain '"<<target<<"' failed: "<<q->getRemote()<<" may not request AXFR"<<endl;
outpacket->setRcode(RCode::NotAuth);
return 0;
}
- // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
if(!s_P->getBackend()->getSOAUncached(target, sd)) {
g_log<<Logger::Error<<"AXFR of domain '"<<target<<"' failed: not authoritative"<<endl;
outpacket->setRcode(RCode::NotAuth);
return 0;
}
- DNSSECKeeper dk;
+ DNSSECKeeper dk(&db);
dk.clearCaches(target);
bool securedZone = dk.isSecuredZone(target);
bool presignedZone = dk.isPresigned(target);
if (algorithm == DNSName("hmac-md5.sig-alg.reg.int"))
algorithm = DNSName("hmac-md5");
if (algorithm != DNSName("gss-tsig")) {
- Lock l(&s_plock);
- if(!s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64)) {
+ if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) {
g_log<<Logger::Error<<"TSIG key '"<<tsigkeyname<<"' for domain '"<<target<<"' not found"<<endl;
return 0;
}
}
- UeberBackend signatureDB;
-
// SOA *must* go out first, our signing pipe might reorder
DLOG(g_log<<"Sending out SOA"<<endl);
DNSZoneRecord soa = makeEditedDNSZRFromSOAData(dk, sd);
if(securedZone && !presignedZone) {
set<DNSName> authSet;
authSet.insert(target);
- addRRSigs(dk, signatureDB, authSet, outpacket->getRRS());
+ addRRSigs(dk, db, authSet, outpacket->getRRS());
}
if(haveTSIGDetails && !tsigkeyname.empty())
DNSName keyname = NSEC3Zone ? DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zrr.dr.d_name))) : zrr.dr.d_name;
NSECXEntry& ne = nsecxrepo[keyname];
- ne.d_set.insert(zrr.dr.d_type);
+ ne.d_set.set(zrr.dr.d_type);
ne.d_ttl = sd.default_ttl;
csp.submit(zrr);
DNSName keyname = DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zrr.dr.d_name)));
NSECXEntry& ne = nsecxrepo[keyname];
- ne.d_set.insert(zrr.dr.d_type);
+ ne.d_set.set(zrr.dr.d_type);
csp.submit(zrr);
}
}
// Group records by name and type, signpipe stumbles over interrupted rrsets
- sort(zrrs.begin(), zrrs.end(), [](const DNSZoneRecord& a, const DNSZoneRecord& b) {
- return tie(a.dr.d_name, a.dr.d_type) < tie(b.dr.d_name, b.dr.d_type);
- });
+ if(securedZone && !presignedZone) {
+ sort(zrrs.begin(), zrrs.end(), [](const DNSZoneRecord& a, const DNSZoneRecord& b) {
+ return tie(a.dr.d_name, a.dr.d_type) < tie(b.dr.d_name, b.dr.d_type);
+ });
+ }
if(rectify) {
// set auth
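Review bot: The sort is now skipped for unsigned and presigned zones, but the comment above it (`// Group records by name and type, signpipe stumbles over interrupted rrsets`) still reads as if grouping were always done, and a reader cannot tell from the hunk whether anything after this point (the rectify and NSEC/NSEC3 loops, or the order records leave the AXFR) was also counting on sorted input. If nothing else does, the comment should say so, e.g. `// Only when we sign ourselves: group records by name and type, the signing pipe stumbles over interrupted rrsets; other zones are left unsorted`. The enclosing function continues on both sides of the hunk.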
ne.d_ttl = sd.default_ttl;
ne.d_auth = (ne.d_auth || loopZRR.auth || (NSEC3Zone && (!ns3pr.d_flags)));
if (loopZRR.dr.d_type && loopZRR.dr.d_type != QType::RRSIG) {
- ne.d_set.insert(loopZRR.dr.d_type);
+ ne.d_set.set(loopZRR.dr.d_type);
}
}
}
for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) {
if(iter->second.d_auth) {
NSEC3RecordContent n3rc;
- n3rc.d_set = iter->second.d_set;
- if (n3rc.d_set.size() && (n3rc.d_set.size() != 1 || !n3rc.d_set.count(QType::NS)))
- n3rc.d_set.insert(QType::RRSIG);
- n3rc.d_salt=ns3pr.d_salt;
+ n3rc.set(iter->second.d_set);
+ const auto numberOfTypesSet = n3rc.numberOfTypesSet();
+ if (numberOfTypesSet != 0 && (numberOfTypesSet != 1 || !n3rc.isSet(QType::NS))) {
+ n3rc.set(QType::RRSIG);
+ }
+ n3rc.d_salt = ns3pr.d_salt;
n3rc.d_flags = ns3pr.d_flags;
n3rc.d_iterations = ns3pr.d_iterations;
- n3rc.d_algorithm = 1; // SHA1, fixed in PowerDNS for now
+ n3rc.d_algorithm = DNSSECKeeper::SHA1; // SHA1, fixed in PowerDNS for now
nsecxrepo_t::const_iterator inext = iter;
- inext++;
+ ++inext;
if(inext == nsecxrepo.end())
inext = nsecxrepo.begin();
while(!inext->second.d_auth && inext != iter)
{
- inext++;
+ ++inext;
if(inext == nsecxrepo.end())
inext = nsecxrepo.begin();
}
zrr.dr.d_name = iter->first+sd.qname;
zrr.dr.d_ttl = sd.default_ttl;
- zrr.dr.d_content = std::make_shared<NSEC3RecordContent>(n3rc);
+ zrr.dr.d_content = std::make_shared<NSEC3RecordContent>(std::move(n3rc));
zrr.dr.d_type = QType::NSEC3;
zrr.dr.d_place = DNSResourceRecord::ANSWER;
zrr.auth=true;
}
else for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) {
NSECRecordContent nrc;
- nrc.d_set = iter->second.d_set;
- nrc.d_set.insert(QType::RRSIG);
- nrc.d_set.insert(QType::NSEC);
+ nrc.set(iter->second.d_set);
+ nrc.set(QType::RRSIG);
+ nrc.set(QType::NSEC);
if(boost::next(iter) != nsecxrepo.end())
nrc.d_next = boost::next(iter)->first;
zrr.dr.d_name = iter->first;
zrr.dr.d_ttl = sd.default_ttl;
- zrr.dr.d_content = std::make_shared<NSECRecordContent>(nrc);
+ zrr.dr.d_content = std::make_shared<NSECRecordContent>(std::move(nrc));
zrr.dr.d_type = QType::NSEC;
zrr.dr.d_place = DNSResourceRecord::ANSWER;
zrr.auth=true;
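Review bot: The condition `numberOfTypesSet != 0 && (numberOfTypesSet != 1 || !n3rc.isSet(QType::NS))` preserves the old behaviour but still does not say why an NS-only name is the one exception, which is the kind of DNSSEC rule a later reader is tempted to "fix"; a comment would settle it: `// RRSIG bit only where signatures exist: an unsigned delegation (NS alone, no DS) carries none at this name, everything else does`. The NSEC branch below sets RRSIG unconditionally, which is consistent because the NSEC RR at a delegation is itself signed, and that contrast is worth a word there too. The enclosing loops and function continue outside the hunk on both sides.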
//! Start of TCP operations thread, we launch a new thread for each incoming TCP question
void TCPNameserver::thread()
{
+ setThreadName("pdns/tcpnameser");
try {
for(;;) {
int fd;
int sock=-1;
for(const pollfd& pfd : d_prfds) {
- if(pfd.revents == POLLIN) {
+ if(pfd.revents & POLLIN) {
sock = pfd.fd;
remote.sin4.sin_family = AF_INET6;
addrlen=remote.getSocklen();