]> git.ipfire.org Git - thirdparty/pdns.git/commitdiff
projects / thirdparty / pdns.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: cb3a2ff)
auth: add SIGNALING-ZONE metadata setting
authorPeter Thomassen <peter@desec.io>
Mon, 15 Apr 2024 14:58:46 +0000 (16:58 +0200)
committerPeter Thomassen <peter@desec.io>
Wed, 16 Jul 2025 13:05:45 +0000 (15:05 +0200)
pdns/dbdnsseckeeper.cc patch | blob | blame | history
pdns/dnsseckeeper.hh patch | blob | blame | history
pdns/packethandler.cc patch | blob | blame | history
pdns/ws-auth.cc patch | blob | blame | history

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index f2c7f2c216ca7ab015ccce9618dce16ad153a1a8..ed5e08e626e47642560024e7fb5a98564016af41 100644 (file)
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -85,6 +85,17 @@ bool DNSSECKeeper::isPresigned(const ZoneName& name, bool useCache)
   return meta=="1";
 }
 
+bool DNSSECKeeper::isSignalingZone(const ZoneName& name, bool useCache)
+{
+  string meta;
+  if (useCache) {
+    getFromMeta(name, "SIGNALING-ZONE", meta);
+  }
+  else {
+    getFromMetaNoCache(name, "SIGNALING-ZONE", meta);
+  }
+  return meta=="1";
+}
 
 bool DNSSECKeeper::addKey(const ZoneName& name, bool setSEPBit, int algorithm, int64_t& keyId, int bits, bool active, bool published)
 {
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 7b5614f792f9b03f68e451f901ffd30bb0edf92d..f0ee85bbb7610ff8afe8ad1db80603e8ce34fef1 100644 (file)
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -213,6 +213,7 @@ public:
   bool isPresigned(const ZoneName& zname, bool useCache=true);
   bool setPresigned(const ZoneName& zname);
   bool unsetPresigned(const ZoneName& zname);
+  bool isSignalingZone(const ZoneName& zname, bool useCache=true);
   bool setPublishCDNSKEY(const ZoneName& zname, bool deleteAlg);
   void getPublishCDNSKEY(const ZoneName& zname, std::string& value);
   bool unsetPublishCDNSKEY(const ZoneName& zname);
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 518b10e523b4b8dcc2f5d0e4ddc8db172b19fe07..733b05fdb05641bcb50b7a966711a53a53ab7b2b 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1342,6 +1342,9 @@ void PacketHandler::completeANYRecords(DNSPacket& p, std::unique_ptr<DNSPacket>&
 
 bool PacketHandler::tryAuthSignal(DNSPacket& p, std::unique_ptr<DNSPacket>& r, DNSName &target) {
   DLOG(g_log<<Logger::Warning<<"Let's try authenticated DNSSEC bootstrapping (RFC 9615) ..."<<endl);
+  if(d_sd.zonename.operator const DNSName&().getRawLabel(0) != "_signal" || !d_dk.isSignalingZone(d_sd.zonename)) {
+    return false;
+  }
 
   // Check that we're doing online signing in narrow mode (as we don't know next owner names)
   if(!d_dk.isSecuredZone(d_sd.zonename) || d_dk.isPresigned(d_sd.zonename)) {
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index a1a6247f94a0f76868b75516baed8bfff0494cb8..a72e5c057a117ad2422067ddf5d643ccc900b0ad 100644 (file)
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -969,6 +969,7 @@ static bool isValidMetadataKind(const string& kind, bool readonly)
     {"PRESIGNED", true},
     {"PUBLISH-CDNSKEY", false},
     {"PUBLISH-CDS", false},
+    {"SIGNALING-ZONE", false},
     {"SLAVE-RENOTIFY", false},
     {"SOA-EDIT", true},
     {"SOA-EDIT-DNSUPDATE", false},
Unnamed repository; edit this file 'description' to name the repository.