From: Willem Toorop
Date: Mon, 16 May 2011 12:18:20 +0000 (+0000)
Subject: Clarify the operation of the ldns_dnssec_mark_glue() function and the meaning of...
X-Git-Tag: release-1.6.10rc1~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=15e5479ef9f33b1c791345f7bf60333179bc2637;p=thirdparty%2Fldns.git
Clarify the operation of the ldns_dnssec_mark_glue() function and the meaning of the is_glue data field in the ldns_dnssec_name structure. Reveal the existance of the ldns_dnssec_mark_glue() function (that was alleady in the ldns_symbols.def list) in the header file. Export ldns_dnssec_name_is_glue() with the library.
---
diff --git a/dnssec.c b/dnssec.c
index 7a6aaf9c..ae50996c 100644
--- a/dnssec.c
+++ b/dnssec.c
@@ -769,7 +769,8 @@ ldns_dnssec_rrsets_contains_type(ldns_dnssec_rrsets *rrsets,
 static int
 is_glue(ldns_dnssec_rrsets *cur_rrsets, ldns_dnssec_rrsets *orig_rrsets)
 {
- /* only glue if a or aaaa if there are no ns, unless there is soa */
+ /* only glue if a or aaaa with names that have an NS rrset and are not the
+ apex (do not have a soa rrset) */
 return (cur_rrsets->type == LDNS_RR_TYPE_A ||
 cur_rrsets->type == LDNS_RR_TYPE_AAAA) &&
 (ldns_dnssec_rrsets_contains_type(orig_rrsets,
diff --git a/dnssec_sign.c b/dnssec_sign.c
index 78b3ef6b..d28f87a4 100644
--- a/dnssec_sign.c
+++ b/dnssec_sign.c
@@ -538,6 +538,19 @@ ldns_dnssec_name_has_only_a(ldns_dnssec_name *cur_name)
 return 1;
 }
+/*
+ * Regardless of its name, this function does not mark the glue rrsets as glue,
+ * but only names that have ONLY glue rrsets.
+ *
+ * TODO
+ * Names with glue on the delegation are NOT marked! They are handled seperatly
+ * and specially within the is_glue() function in dnssec.c to exclude them
+ * from the NSEC and NSEC3 bitmaps; and in ldns_dnssec_zone_create_rrsigs_flg()
+ * in dnssec_sign.c to make sure those rrsets are not signed.
+ *
+ * Also, names that have other obscured rrsets besides A and AAAA types will NOT
+ * be marked. This is probably a mistake.
+ */
 ldns_status
 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
 {
@@ -550,7 +563,7 @@ ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
 cur_name = (ldns_dnssec_name *) cur_node->data;
 cur_node = ldns_rbtree_next(cur_node);
 if (ldns_dnssec_name_has_only_a(cur_name)) {
- /* assume glue XXX check for zone cur */
+ /* assume glue XXX check for zone cut */
 cur_owner = ldns_rdf_clone(ldns_rr_owner(
 cur_name->rrsets->rrs->rr));
 while (ldns_dname_label_count(cur_owner) >
diff --git a/ldns/dnssec_sign.h b/ldns/dnssec_sign.h
index 5b3921ab..1958cef5 100644
--- a/ldns/dnssec_sign.h
+++ b/ldns/dnssec_sign.h
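Review bot: The comment added above ldns_dnssec_zone_mark_glue() in dnssec_sign.c records a known gap ("This is probably a mistake") under a bare `TODO` heading, without saying what should change or what a caller risks in the meantime. If code outside this hunk relies on is_glue to decide what gets signed or listed in the NSEC/NSEC3 chain, occluded names carrying rrsets other than A/AAAA would be treated as authoritative data, and that consequence is worth stating here. Consider closing the block with `* TODO: mark every name below a zone cut, whatever rrset types it holds, so occluded data is never signed.` The same comment spells `seperatly`, and it says "obscured" where the ldns/dnssec_sign.h text in this commit says "occluded"; both ldns/dnssec_zone.h hunks use "obscured" as well. The function body continues outside the hunk.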
@@ -82,6 +82,20 @@ ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);
 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
 #endif /* HAVE_SSL */
+/**
+ * Marks the names in the zone that contain only glue, by setting the
+ * is_glue attribute of the ldns_dnssec_name structure to true.
+ * Names with glue on the delegation point and occluded names with other
+ * rrsets than only A and AAAA are not marked!
+ *
+ * \param[in] zone the zone in which to mark the names
+ * \return LDNS_STATUS_OK on succesful completion
+ */
+ldns_status
+ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)
+{
+}
+
 /**
 * Finds the first dnssec_name node in the rbtree that has not been marked
 * as glue, starting at the given node
diff --git a/ldns/dnssec_zone.h b/ldns/dnssec_zone.h
index bdb5a3c4..7751b419 100644
--- a/ldns/dnssec_zone.h
+++ b/ldns/dnssec_zone.h
@@ -70,8 +70,14 @@ struct ldns_struct_dnssec_name
 */
 ldns_dnssec_rrs *nsec_signatures;
 /**
- * Set to true if this name is glue
- * (as marked by ldns_dnssec_zone_mark_glue())
+ * Set to true if this name contains only glue rrsets.
+ * Names that contain other obscured rrsets and records with glue on the
+ * delegation point will NOT have this bool set to true.
+ * ldns_dnssec_zone_mark_glue() should have been called before using this
+ * field.
+ * This field should not be read directly, but only via the
+ * ldns_dnssec_name_is_glue() function.
+ *
 */
 bool is_glue;
 /**
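Review bot: In ldns/dnssec_sign.h the added `ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone)` is followed by `{` and `}`, which makes it a function definition with an empty body rather than a prototype. Any source file that includes this header would then carry its own external definition, which presumably conflicts with the real one in dnssec_sign.c. Where the empty body is the one that runs, it returns an indeterminate ldns_status and marks nothing, so glue-only names would stay unmarked for whatever consults is_glue afterwards. Replace the four lines from `ldns_status` through `}` with the declaration `ldns_status ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone);`.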
@@ -239,8 +245,11 @@ void ldns_dnssec_name_set_name(ldns_dnssec_name *name, ldns_rdf *dname);
 /**
 * Returns if dnssec_name structure is marked as glue.
- * Note that the ldns_dnssec_zone_mark_glue function has to be called
- * on a zone before using this function.
+ * The ldns_dnssec_zone_mark_glue() function has to be called on a zone before
+ * using this function.
+ * Only names that have only glue rrsets will be marked.
+ * Names that have other obscured rrsets and names containing glue on the
+ * delegation point will NOT be marked!
 *
 * \param[in] name the dnssec name to get the domain name from
 * \return true if the structure is marked as glue, false otherwise.
diff --git a/ldns_symbols.def b/ldns_symbols.def
index 7b80bf69..9158fe5a 100644
--- a/ldns_symbols.def
+++ b/ldns_symbols.def
@@ -85,6 +85,7 @@ ldns_dnssec_name_cmp
 ldns_dnssec_name_deep_free
 ldns_dnssec_name_find_rrset
 ldns_dnssec_name_free
+ldns_dnssec_name_is_glue
 ldns_dnssec_name_name
 ldns_dnssec_name_new
 ldns_dnssec_name_new_frm_rr