auth bindbackend: store nsec3 settings at zone load

This keeps, inside the bindbackend, the nsec(3) settings consistent
with the 'rectification' applied on zone load. This avoids crashes
when nsec3 is enabled or disabled without reloading the zone in the
bindbackend.

reported by Matt Nordhoff

diff --git a/modules/bindbackend/bindbackend2.cc b/modules/bindbackend/bindbackend2.cc
index f0f48ff48ae92c13c3f1ba253587beee3df97308..d6f2c1f1af48e7728979604437579b5beb9c7b26 100644 (file)
--- a/modules/bindbackend/bindbackend2.cc
+++ b/modules/bindbackend/bindbackend2.cc
@@ -498,7 +498,7 @@ void Bind2Backend::parseZoneFile(BB2DomainInfo* bbd)
     nsec3zone = dk.getNSEC3PARAM(bbd->d_name, &ns3pr);
   }
   else
-    nsec3zone = getNSEC3PARAM(bbd->d_name, &ns3pr);
+    nsec3zone = getNSEC3PARAMuncached(bbd->d_name, &ns3pr);
 
   auto records = std::make_shared<recordstorage_t>();
   ZoneParserTNG zpt(bbd->d_filename, bbd->d_name, s_binddirectory, d_upgradeContent);
@@ -518,6 +518,8 @@ void Bind2Backend::parseZoneFile(BB2DomainInfo* bbd)
   bbd->d_checknow = false;
   bbd->d_status = "parsed into memory at " + nowTime();
   bbd->d_records = LookButDontTouch<recordstorage_t>(records);
+  bbd->d_nsec3zone = nsec3zone;
+  bbd->d_nsec3param = ns3pr;
 }
 
 /** THIS IS AN INTERNAL FUNCTION! It does moadnsparser prio impedance matching
@@ -1102,18 +1104,8 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const DNSName& qn
   if (!safeGetBBDomainInfo(id, &bbd))
     return false;
 
-  NSEC3PARAMRecordContent ns3pr;
-
-  bool nsec3zone;
-  if (d_hybrid) {
-    DNSSECKeeper dk;
-    nsec3zone = dk.getNSEC3PARAM(bbd.d_name, &ns3pr);
-  }
-  else
-    nsec3zone = getNSEC3PARAM(bbd.d_name, &ns3pr);
-
   shared_ptr<const recordstorage_t> records = bbd.d_records.get();
-  if (!nsec3zone) {
+  if (!bbd.d_nsec3zone) {
     return findBeforeAndAfterUnhashed(records, qname, unhashed, before, after);
   }
   else {

diff --git a/modules/bindbackend/bindbackend2.hh b/modules/bindbackend/bindbackend2.hh
index e5bd7cf9c7e43bcb7eeab2cbcc921fca72dca9c3..fb4ed0467265fd05d0fe10a306b2a9b9f3dbed46 100644 (file)
--- a/modules/bindbackend/bindbackend2.hh
+++ b/modules/bindbackend/bindbackend2.hh
@@ -167,6 +167,8 @@ public:
   mutable bool d_checknow; //!< if this domain has been flagged for a check
   bool d_loaded; //!< if a domain is loaded
   bool d_wasRejectedLastReload{false}; //!< if the domain was rejected during Bind2Backend::queueReloadAndStore
+  bool d_nsec3zone{false};
+  NSEC3PARAMRecordContent d_nsec3param;
 
 private:
   time_t getCtime();
@@ -253,6 +255,7 @@ private:
   shared_ptr<SSQLite3> d_dnssecdb;
   bool getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* ns3p);
   void setLastCheck(uint32_t domain_id, time_t lastcheck);
+  bool getNSEC3PARAMuncached(const DNSName& name, NSEC3PARAMRecordContent* ns3p);
   class handle
   {
   public:

diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc
index b3dd4959b46b98da7b2b2d9339d25a3978b801ed..9710f38b56e2d26b21fb13d8101e50630f4eb976 100644 (file)
--- a/modules/bindbackend/binddnssec.cc
+++ b/modules/bindbackend/binddnssec.cc
@@ -199,6 +199,19 @@ bool Bind2Backend::doesDNSSEC()
 }
 
 bool Bind2Backend::getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* ns3p)
+{
+  BB2DomainInfo bbd;
+  if (!safeGetBBDomainInfo(name, &bbd))
+    return false;
+
+  if (ns3p) {
+    *ns3p = bbd.d_nsec3param;
+  }
+
+  return bbd.d_nsec3zone;
+}
+
+bool Bind2Backend::getNSEC3PARAMuncached(const DNSName& name, NSEC3PARAMRecordContent* ns3p)
 {
   if (!d_dnssecdb || d_hybrid)
     return false;