From: Peter Thomassen
Date: Mon, 14 Jul 2025 15:06:15 +0000 (+0200)
Subject: auth: move pdnsutil setNSEC3 checks to DNSSECKeeper
X-Git-Tag: rec-5.4.0-alpha0~21^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0bd3190a3f9d85a2ec5882084bd980bc836f1bbe;p=thirdparty%2Fpdns.git

auth: move pdnsutil setNSEC3 checks to DNSSECKeeper
---
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index ed5e08e626..2e834fc4c4 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -395,6 +395,13 @@ bool DNSSECKeeper::checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string&
 bool DNSSECKeeper::setNSEC3PARAM(const ZoneName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
 {
+ if (auto wirelength = zname.operator const DNSName&().wirelength(); wirelength > 222) {
+ throw runtime_error("Cannot enable NSEC3 for zone '" + zname.toLogString() + "' as it is too long (" + std::to_string(wirelength) + " bytes, maximum is 222 bytes)");
+ }
+ if(ns3p.d_algorithm != 1) {
+ throw runtime_error("NSEC3PARAM algorithm set to '" + std::to_string(ns3p.d_algorithm) + "', but '1' is the only valid value");
+ }
+
 if (d_keymetadb->inTransaction()) {
 d_metaUpdate = true;
 }
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 8d5e91c394..abb2e1aa69 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -3595,16 +3595,14 @@ static int setNsec3(vector& cmds, const std::string_view synopsis)
 DNSSECKeeper dk; //NOLINT(readability-identifier-length)
 ZoneName zone(cmds.at(1));
- if (auto wirelength = zone.operator const DNSName&().wirelength(); wirelength > 222) {
- cerr<<"Cannot enable NSEC3 for " << zone << " as it is too long (" << wirelength << " bytes, maximum is 222 bytes)"<
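Review bot: The 222-byte limit in the new wirelength check at the top of setNSEC3PARAM is a bare magic number, repeated in the condition and in the error text, with nothing saying where it comes from. It presumably is 255 minus 33, the maximum DNS name length minus a 32-character base32 SHA-1 hash label plus its length byte, so that every NSEC3 owner name in the zone still fits on the wire; a comment such as `// 255-byte name limit minus the 33-byte NSEC3 hash label (32 base32 chars + length byte)` above the check, or a named constant used in both places, would make the invariant reviewable. The second check's `if(ns3p.d_algorithm != 1)` also lacks the space before the parenthesis that the surrounding code uses. checkNSEC3PARAM, whose signature appears in the hunk header, looks like the existing home for parameter validation; if it already rejects algorithms other than 1, the new check duplicates it and could call through instead. Both checks now throw from a function that returns bool, so callers that relied on a false return need to be checked; the body of setNSEC3PARAM continues past the end of the hunk.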