From: Miod Vallat Date: Fri, 4 Jul 2025 12:57:48 +0000 (+0200) Subject: Pass false to updateDNSSECOrderNameAndAuth if NSEC3 but narrow. X-Git-Tag: rec-5.3.0-alpha2^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03c013736aed2b5410c47e79455ef03cccdf5211;p=thirdparty%2Fpdns.git Pass false to updateDNSSECOrderNameAndAuth if NSEC3 but narrow. Signed-off-by: Miod Vallat
---
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 8659cfff15..f2c7f2c216 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -877,25 +877,25 @@ bool DNSSECKeeper::rectifyZone(const ZoneName& zone, string& error, string& info it = rss.find(qname); if(it == rss.end() || it->second.update || it->second.auth != auth || it->second.ordername != ordername) { - sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth, QType::ANY, haveNSEC3); + sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth, QType::ANY, haveNSEC3 && !narrow); ++updates; } if(realrr) { if (dsnames.count(qname)) { - sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS, haveNSEC3); + sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS, haveNSEC3 && !narrow); ++updates; } if (!auth || nsset.count(qname)) { ordername.clear(); if(isOptOut && !dsnames.count(qname)){ - sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS, haveNSEC3); + sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS, haveNSEC3 && !narrow); ++updates; } - sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A, haveNSEC3); + sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A, haveNSEC3 && !narrow); ++updates; - sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA, haveNSEC3); + sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA, haveNSEC3 && !narrow); ++updates; } diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index a77e764941..6579d1b3ff 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc 
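Review bot: The expression `haveNSEC3 && !narrow` is now spelled out at all five `updateDNSSECOrderNameAndAuth` call sites in this part of `rectifyZone`, so a call added later can easily pass plain `haveNSEC3` again and bring back the narrow-mode mismatch this commit removes. Computing it once before the first use, for example `const bool nsec3WithOrdername = haveNSEC3 && !narrow;`, with a one-line comment saying the flag is false for a narrow NSEC3 zone and why, would keep the call sites in step. The same expression recurs in the `increaseSerial` hunks in pdns/pdnsutil.cc and pdns/rfc2136handler.cc. The body of `rectifyZone` starts and ends outside this hunk, so the best place for the declaration cannot be seen here.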
@@ -1007,7 +1007,7 @@ static int increaseSerial(const ZoneName& zone, DNSSECKeeper &dsk) ordername=DNSName(""); if(g_verbose) cerr<<"'"< '"<< ordername <<"'"<updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true, QType::ANY, haveNSEC3); + sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true, QType::ANY, haveNSEC3 && !narrow); } sd.db->commitTransaction(); diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc index 379f19983a..72f1026f0d 100644 --- a/pdns/rfc2136handler.cc +++ b/pdns/rfc2136handler.cc @@ -234,15 +234,15 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name))); if (*narrow) { - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false); } else { di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true); } if(!auth || rrType == QType::DS) { - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true); - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true); - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !*narrow); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !*narrow); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !*narrow); } } else { // NSEC 
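Review bot: In the @@ -234 hunk of `performUpdate` the narrow decision is now written two ways within a few lines: the `QType::ANY` update keeps an `if (*narrow)` / `else` pair with literal `false` and `true`, while the NS, A and AAAA updates below it pass `!*narrow`. A single call, `di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, *narrow ? DNSName() : ordername, auth, QType::ANY, !*narrow);`, states the same thing once, much as the @@ -547 hunk does with one call and `!*narrow`. The same if/else pair remains in the @@ -305 and @@ -354 hunks. This is the RFC 2136 dynamic-update path and `performUpdate` continues outside the hunk; no test for an update against a narrow NSEC3 zone is visible in this patch, so one may be worth adding if none exists.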
@@ -305,22 +305,22 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name))); if (*narrow) { - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, false); } else { di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true); } if (fixDS) { - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, !*narrow); } if(!auth) { if (ns3pr->d_flags != 0) { - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, !*narrow); } - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true); - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, !*narrow); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, !*narrow); } } else { // NSEC 
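Review bot: The `fixDS` update passes `ordername` together with `!*narrow`, whereas the `QType::ANY` update just above it passes `DNSName()` whenever `*narrow` is set. If the assignment `ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));` at the top of the hunk is not itself guarded by `!*narrow` (the line before it is outside the hunk), a narrow zone would hand the backend a hashed ordername with the last argument false for the DS row. Passing `*narrow ? DNSName() : ordername` in that call, or adding a short comment stating that `ordername` is empty in narrow mode, would make the two calls visibly consistent.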
@@ -354,14 +354,14 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname))); if (*narrow) { - di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, false); } else { di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth, QType::ANY, true); } if (ns3pr->d_flags != 0) { - di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, !*narrow); } } else { // NSEC @@ -369,8 +369,8 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS, false); } - di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, *haveNSEC3); - di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, *haveNSEC3); + di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, *haveNSEC3 && !*narrow); + di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, *haveNSEC3 && !*narrow); } } } @@ -479,7 +479,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, else { // NSEC ordername=changeRec.makeRelative(di->zone); } - di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, *haveNSEC3); + di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, *haveNSEC3 && !*narrow); } } 
@@ -547,7 +547,7 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, if(! *narrow) { ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i))); } - di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, true); + di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, !*narrow); } } } @@ -1091,6 +1091,6 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di } else { // NSEC ordername = rr.qname.makeRelative(di->zone); } - di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3); + di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3 && !narrow); } }