From: Kees Monshouwer
Date: Wed, 26 Aug 2020 15:03:10 +0000 (+0200)
Subject: auth: avoid metadata cache polution in the dnsupdate code
X-Git-Tag: auth-4.4.0-alpha1~9^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b163cc0e1a6bbaa861bcc92d8d116cf293985f7f;p=thirdparty%2Fpdns.git
auth: avoid metadata cache polution in the dnsupdate code
---
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index b196d984da..c4c38018c1 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -85,7 +85,7 @@ private:
 uint performUpdate(const string &msgPrefix, const DNSRecord *rr, DomainInfo *di, bool isPresigned, bool* narrow, bool* haveNSEC3, NSEC3PARAMRecordContent *ns3pr, bool *updatedSerial);
 int checkUpdatePrescan(const DNSRecord *rr);
 int checkUpdatePrerequisites(const DNSRecord *rr, DomainInfo *di);
- void increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr);
+ void increaseSerial(const string &msgPrefix, const DomainInfo *di, const string& soaEditSetting, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr);
 void makeNXDomain(DNSPacket& p, std::unique_ptr& r, const DNSName& target, const DNSName& wildcard, const SOAData& sd);
 void makeNOError(DNSPacket& p, std::unique_ptr& r, const DNSName& target, const DNSName& wildcard, const SOAData& sd, int mode);
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 15902766d4..1d8cf6750b 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -122,11 +122,10 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr, if (rrType == QType::NSEC3PARAM) { g_log<d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */); + *ns3pr = NSEC3PARAMRecordContent(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */); *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record - d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow)); - - *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); + d_dk.setNSEC3PARAM(di->zone, *ns3pr, (*narrow)); + *haveNSEC3 = true; vector rrs; set qnames, nssets, dssets;
@@ -401,15 +400,16 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
 d_dk.unsetNSEC3PARAM(rr->d_name);
 else if (rr->d_class == QClass::NONE) {
 NSEC3PARAMRecordContent nsec3rr(rr->d_content->getZoneRepresentation(), di->zone.toString() /* FIXME400 huh */);
- if (ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())
+ if (*haveNSEC3 && ns3pr->getZoneRepresentation() == nsec3rr.getZoneRepresentation())
 d_dk.unsetNSEC3PARAM(rr->d_name);
 else
 return 0;
 } else
 return 0;
- // We retrieve new values, other RR's in this update package might need it as well.
- *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
+ // Update NSEC3 variables, other RR's in this update package might need them as well.
+ *haveNSEC3 = false;
+ *narrow = false;
 vector rrs;
 set qnames, nssets, dssets, ents;
@@ -910,6 +910,8 @@ int PacketHandler::processUpdate(DNSPacket& p) {
 bool narrow=false;
 bool haveNSEC3 = d_dk.getNSEC3PARAM(di.zone, &ns3pr, &narrow);
 bool isPresigned = d_dk.isPresigned(di.zone);
+ string soaEditSetting;
+ d_dk.getSoaEdit(di.zone, soaEditSetting);
 // 3.4.2 - Perform the updates.
 // There's a special condition where deleting the last NS record at zone apex is never deleted (3.4.2.4)
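Review bot: In the NSEC3PARAM add branch of performUpdate (hunk at -122), `*haveNSEC3 = true;` is now set unconditionally and the result of `d_dk.setNSEC3PARAM(di->zone, *ns3pr, (*narrow));` is discarded, so the remaining records of this update are processed with parameters taken straight from the UPDATE message whether or not they were stored. The removed re-read through `d_dk.getNSEC3PARAM` reflected what the keeper actually held; if that path also bounded or rejected values such as the iteration count (not visible here), that check no longer applies to the in-memory copy. Assuming setNSEC3PARAM returns a success flag, consider building the record in a local (illustrative name `newParams`) and assigning `*ns3pr` and `*haveNSEC3` only after `if (!d_dk.setNSEC3PARAM(di->zone, newParams, false)) return 0;`. The delete branch (hunk at -401) has the same pattern: `*haveNSEC3 = false;` follows `d_dk.unsetNSEC3PARAM(rr->d_name);` without looking at its result. performUpdate's body starts and ends outside both hunks.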
@@ -1012,7 +1014,7 @@ int PacketHandler::processUpdate(DNSPacket& p) {
 // Section 3.6 - Update the SOA serial - outside of performUpdate because we do a SOA update for the complete update message
 if (changedRecords > 0 && !updatedSerial) {
- increaseSerial(msgPrefix, &di, haveNSEC3, narrow, &ns3pr);
+ increaseSerial(msgPrefix, &di, soaEditSetting, haveNSEC3, narrow, &ns3pr);
 changedRecords++;
 }
@@ -1024,6 +1026,7 @@ int PacketHandler::processUpdate(DNSPacket& p) {
 S.deposit("dnsupdate-changes", changedRecords);
+ d_dk.clearMetaCache(di.zone);
 // Purge the records!
 string zone(di.zone.toString());
 zone.append("$");
@@ -1073,7 +1076,7 @@ int PacketHandler::processUpdate(DNSPacket& p) {
 }
 }
-void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {
+void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di, const string& soaEditSetting, bool haveNSEC3, bool narrow, const NSEC3PARAMRecordContent *ns3pr) {
 SOAData sd;
 if (!di->backend->getSOA(di->zone, sd)) {
 throw PDNSException("SOA-Serial update failed because there was no SOA. Wowie.");
@@ -1088,8 +1091,6 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di
 if (!soaEdit2136Setting.empty()) {
 soaEdit2136 = soaEdit2136Setting[0];
 if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){
- string soaEditSetting;
- d_dk.getSoaEdit(di->zone, soaEditSetting);
 if (soaEditSetting.empty()) {
 g_log<zone <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"<
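Review bot: The `d_dk.clearMetaCache(di.zone);` added in processUpdate (hunk at -1024) carries no comment saying why the metadata cache is dropped at this point, and the hunk does not show which paths reach it. Since performUpdate now keeps its own copy of the NSEC3 state instead of re-reading it, this purge looks like the only place where cached metadata is brought back in line with the stored values; it is worth confirming that the early-return and exception paths of processUpdate, which lie outside the hunk, cannot leave values cached that differ from what was committed or rolled back. Suggested comment: `// NSEC3PARAM metadata may have changed in this update; drop cached values so they are re-read from the backend`.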