From: Kees Monshouwer
Date: Sun, 7 Jun 2015 09:02:24 +0000 (+0200)
Subject: pdnssec: rectify-zone
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~58^2~21^2~5^2~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fcd7e9b5f5c7fb73fdd62c449503a03c6dcf5a4;p=thirdparty%2Fpdns.git
pdnssec: rectify-zone
---
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 6c60354d1e..a19ce01a92 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -203,7 +203,7 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
 if (rr.qtype.getCode()) {
 qnames.insert(rr.qname);
- if(rr.qtype.getCode() == QType::NS && rr.qname!=zone)
+ if(rr.qtype.getCode() == QType::NS && rr.qname != zone)
 nsset.insert(rr.qname);
 if(rr.qtype.getCode() == QType::DS)
 dsnames.insert(rr.qname);
@@ -236,15 +236,14 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
 sd.db->startTransaction("", -1);
 bool realrr=true;
- string hashed;
- uint32_t maxent = ::arg().asNum("max-ent-entries");
 dononterm:;
- BOOST_FOREACH(const DNSName& qname, qnames)
+ for (const auto& qname: qnames)
 {
 bool auth=true;
- DNSName shorter(qname);
+ DNSName ordername;
+ auto shorter(qname);
 if(realrr) {
 do {
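Review bot: The removed `uint32_t maxent = ::arg().asNum("max-ent-entries");` drops the only visible reference to the configured empty-non-terminal cap; if the ENT accumulation further down (outside this hunk) still used `maxent` the build would fail, so it was presumably dropped there too, and it is worth confirming the cap is still enforced somewhere, since it is what bounds the number of rows a rectify pass inserts for a zone with many empty non-terminals. `auto shorter(qname);` also deserves a glance: `qname` is a `const DNSName&`, so `auto` deduces a mutable `DNSName` copy, which is what the `chopOff()` loop below needs, but `DNSName shorter(qname);` states that intent explicitly. The body of rectifyZone continues outside the hunk.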
@@ -255,36 +254,30 @@ bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone)
 } while(shorter.chopOff());
 }
- if(haveNSEC3)
- {
- if(!narrow && (realrr || !isOptOut || nonterm.find(qname)->second)) {
- hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname));
- if(g_verbose)
- cerr<<"'"< '"<< hashed <<"'"<updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, auth);
- }
- else {
- if(!realrr)
- auth=false;
- sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
- }
- }
- else // NSEC
+ if(haveNSEC3) // NSEC3
 {
- sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
- if (!realrr)
- sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
+ if(!narrow && (realrr || !isOptOut || nonterm.find(qname)->second))
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname))) + zone;
+ else if(!realrr)
+ auth=false;
 }
+ else if (realrr) // NSEC
+ ordername=qname;
+
+ if(g_verbose)
+ cerr<<"'"< '"<< ordername.toString() <<"'"<updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, auth);
 if(realrr)
 {
 if (dsnames.count(qname))
- sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, true, QType::DS);
 if (!auth || nsset.count(qname))
 {
+ ordername.clear();
 if(isOptOut)
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
- sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::NS);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::A);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, zone, qname, ordername, false, QType::AAAA);
 }
 if(doent)
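Review bot: The rewritten NSEC3 condition still dereferences `nonterm.find(qname)->second` without an `end()` check; on the `dononterm` pass `qnames` is presumably rebuilt from `nonterm` so the lookup always hits, but a miss is undefined behaviour rather than a diagnostic, and `auto nt = nonterm.find(qname);` with `(nt != nonterm.end() && nt->second)` costs nothing. The new code also relies on an empty `ordername` meaning "store NULL" in `updateDNSSECOrderNameAndAuth` for the narrow-NSEC3, second-pass and glue cases that previously went through the `nullify*` calls; if a backend stored the empty name literally, glue and opt-out delegations would keep a position in the NSEC3 chain, so that contract deserves a comment at the `ordername.clear();` line, e.g. `// empty ordername: backend stores NULL, record leaves the NSEC/NSEC3 chain`. The loop this code belongs to starts before the hunk.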
@@ -713,20 +706,15 @@ int increaseSerial(const DNSName& zone, DNSSECKeeper &dk)
 bool narrow;
 bool haveNSEC3=dk.getNSEC3PARAM(zone, &ns3pr, &narrow);
- if(haveNSEC3)
- {
- if(!narrow) {
- string hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rrs[0].qname));
- if(g_verbose)
- cerr<<"'"< '"<< hashed <<"'"<updateDNSSECOrderAndAuthAbsolute(sd.domain_id, rrs[0].qname, hashed, 1);
- }
- else {
- sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, rrs[0].qname, 1);
- }
- } else {
- sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, rrs[0].qname, 1);
- }
+ DNSName ordername;
+ if(haveNSEC3) {
+ if(!narrow)
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, zone))) + zone;
+ } else
+ ordername=zone;
+ if(g_verbose)
+ cerr<<"'"< '"<< ordername.toString() <<"'"<updateDNSSECOrderNameAndAuth(sd.domain_id, zone, rrs[0].qname, ordername, true);
 }
 sd.db->commitTransaction();
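Review bot: The NSEC3 ordername is now hashed from `zone` while the row being updated is `rrs[0].qname`, whereas the removed code hashed `rrs[0].qname` itself; the two agree only when `rrs[0]` is the apex SOA, which the surrounding code presumably guarantees but the hunk does not show. Hashing the record's own name, `ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rrs[0].qname))) + zone;`, keeps the ordername tied to the row it orders, and the NSEC branch `ordername=zone;` would likewise read `ordername=rrs[0].qname;` to match what rectifyZone stores (`ordername=qname`). A mismatch here would not fail loudly: the SOA would simply sit at the wrong position in the chain and denial-of-existence proofs around the apex would be wrong. increaseSerial's body starts before the hunk.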