From: Libor Peltan
Date: Thu, 7 Mar 2019 17:38:36 +0000 (+0100)
Subject: nsec3: cleanup code before re-designing it
X-Git-Tag: v2.9.0~279^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9ed938b28fa79053b49eb395db4898da8c62d58;p=thirdparty%2Fknot-dns.git
nsec3: cleanup code before re-designing it
---
diff --git a/src/knot/dnssec/nsec3-chain.c b/src/knot/dnssec/nsec3-chain.c
index 0e00633847..700bc710f9 100644
--- a/src/knot/dnssec/nsec3-chain.c
+++ b/src/knot/dnssec/nsec3-chain.c
@@ -441,10 +441,6 @@ static int connect_nsec3_nodes2(zone_node_t *a, zone_node_t *b,
 	// check if the NSEC3 rrset has not been updated in changeset
 	knot_rrset_t aorig = node_rrset(a, KNOT_RRTYPE_NSEC3);
-	const zone_node_t *ch_a = zone_contents_find_nsec3_node(data->changeset->add, a->owner);
-	if (node_rrtype_exists(ch_a, KNOT_RRTYPE_NSEC3)) {
-		aorig = node_rrset(ch_a, KNOT_RRTYPE_NSEC3);
-	}
 	// prepare a copy of NSEC3 rrsets in question
 	knot_rrset_t *acopy = knot_rrset_copy(&aorig, NULL);
@@ -460,9 +456,7 @@ static int connect_nsec3_nodes2(zone_node_t *a, zone_node_t *b,
 	}
 	// add the removed original and the updated copy to changeset
-	if (node_rrtype_exists(ch_a, KNOT_RRTYPE_NSEC3)) {
-		ret = changeset_remove_addition(data->changeset, &aorig);
-	} else {
+	if (1) {
 		ret = changeset_add_removal(data->changeset, &aorig, 0);
 	}
 	if (ret == KNOT_EOK) {
@@ -553,7 +547,7 @@ static int create_nsec3_nodes(const zone_contents_t *zone,
  * \return KNOT_EOK, KNOT_E* if any error.
  */
 static int fix_nsec3_for_node(zone_update_t *update, const dnssec_nsec3_params_t *params,
-                              uint32_t ttl, bool opt_out, changeset_t *chgset, const knot_dname_t *for_node)
+                              uint32_t ttl, bool opt_out, const knot_dname_t *for_node)
 {
 	// check if we need to do something
 	const zone_node_t *old_n = zone_contents_find_node(update->zone->contents, for_node);
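Review bot: The `if (1) {` that replaces the `ch_a` condition leaves `ret = changeset_add_removal(data->changeset, &aorig, 0);` nested under a constant, and the same placeholder appears in fix_nsec3_for_node at -588 and -625 and in knot_zone_fix_nsec_chain at -374. Given the commit title this is probably deliberate staging, but nothing in the code tells a later reader that the condition was dropped on purpose, and at -588 the `add_nsec3` flag the old condition consumed may now be unused in that function unless it is read elsewhere in the body, which is not visible here. Either flatten each site to the unconditional statement or mark each one, e.g. `if (1) { // TODO: condition dropped pending NSEC3 chain redesign`. connect_nsec3_nodes2 begins and ends outside this hunk.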
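Review bot: The Doxygen block above fix_nsec3_for_node ends in this hunk with `\return KNOT_EOK, KNOT_E* if any error.`, but its `\param` lines are outside the hunk; if one of them documents the removed `chgset` parameter it now describes an argument that no longer exists and should be deleted in this commit, which makes the same signature change to fix_nsec3_nodes at -640. The function's body continues past this hunk.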
@@ -588,16 +582,11 @@ static int fix_nsec3_for_node(zone_update_t *update, const dnssec_nsec3_params_t
 	knot_rrset_t rem_nsec3 = node_rrset(old_nsec3_n, KNOT_RRTYPE_NSEC3);
 	if (!knot_rrset_empty(&rem_nsec3)) {
 		knot_rrset_t rem_rrsig = node_rrset(old_nsec3_n, KNOT_RRTYPE_RRSIG);
-		if (!add_nsec3) {
+		if (1) {
 			ret = zone_update_remove(update, &rem_nsec3);
 			if (ret == KNOT_EOK && !knot_rrset_empty(&rem_rrsig)) {
 				ret = zone_update_remove(update, &rem_rrsig);
 			}
-		} else {
-			ret = changeset_add_removal(chgset, &rem_nsec3, CHANGESET_CHECK | CHANGESET_CHECK_CANCELOUT);
-			if (ret == KNOT_EOK && !knot_rrset_empty(&rem_rrsig)) {
-				ret = changeset_add_removal(chgset, &rem_rrsig, 0);
-			}
 		}
 		next_hash = (uint8_t *)knot_nsec3_next(rem_nsec3.rrs.rdata);
 		next_length = knot_nsec3_next_len(rem_nsec3.rrs.rdata);
@@ -625,10 +614,8 @@ static int fix_nsec3_for_node(zone_update_t *update, const dnssec_nsec3_params_t
 		}
 	}
 	if (ret == KNOT_EOK) {
-		if (next_hash == NULL) {
+		if (1) {
 			ret = zone_update_add(update, &nsec3);
-		} else {
-			ret = changeset_add_addition(chgset, &nsec3, CHANGESET_CHECK | CHANGESET_CHECK_CANCELOUT);
 		}
 	}
 	binode_unify(new_nsec3_n, false, NULL);
@@ -640,7 +627,7 @@ static int fix_nsec3_for_node(zone_update_t *update, const dnssec_nsec3_params_t
 }
 static int fix_nsec3_nodes(zone_update_t *update, const dnssec_nsec3_params_t *params,
-                           uint32_t ttl, bool opt_out, changeset_t *chgset)
+                           uint32_t ttl, bool opt_out)
 {
 	assert(update);
@@ -649,7 +636,7 @@ static int fix_nsec3_nodes(zone_update_t *update, const dnssec_nsec3_params_t *p
 	while (!zone_tree_it_finished(&it) && ret == KNOT_EOK) {
 		zone_node_t *n = zone_tree_it_val(&it);
-		ret = fix_nsec3_for_node(update, params, ttl, opt_out, chgset, n->owner);
+		ret = fix_nsec3_for_node(update, params, ttl, opt_out, n->owner);
 		zone_tree_it_next(&it);
 	}
@@ -660,9 +647,7 @@ static int fix_nsec3_nodes(zone_update_t *update, const dnssec_nsec3_params_t *p
 	while (!zone_tree_it_finished(&it) && ret == KNOT_EOK) {
 		zone_node_t *n = zone_tree_it_val(&it);
-		if (zone_tree_get(update->change.remove->nodes, n->owner) == NULL) {
-			ret = fix_nsec3_for_node(update, params, ttl, opt_out, chgset, n->owner);
-		}
+		ret = fix_nsec3_for_node(update, params, ttl, opt_out, n->owner);
 		zone_tree_it_next(&it);
 	}
 	zone_tree_it_free(&it);
@@ -811,7 +796,7 @@ int knot_nsec3_fix_chain(zone_update_t *update, changeset_t *changeset)
 {
-	int ret = fix_nsec3_nodes(update, params, ttl, opt_out, changeset);
+	int ret = fix_nsec3_nodes(update, params, ttl, opt_out);
 	if (ret != KNOT_EOK) {
 		return ret;
 	}
diff --git a/src/knot/dnssec/zone-nsec.c b/src/knot/dnssec/zone-nsec.c
index 47a681f78d..2c7212d6c4 100644
--- a/src/knot/dnssec/zone-nsec.c
+++ b/src/knot/dnssec/zone-nsec.c
@@ -374,8 +374,7 @@ int knot_zone_fix_nsec_chain(zone_update_t *update,
 		goto cleanup;
 	}
-	ret = knot_zone_sign_nsecs_in_changeset(zone_keys, ctx, &ch);
-	if (ret == KNOT_EOK) {
+	if (1) {
 		// Disable strict changeset application momentarily for the NSEC chain fix.
 		// This is important for NSEC3, since some nodes are removed from contents
 		// when fixing individual NSEC3 nodes and then the NSEC3 records from these nodes
@@ -385,6 +384,17 @@ int knot_zone_fix_nsec_chain(zone_update_t *update,
 		ret = zone_update_apply_changeset(update, &ch);
 		update->a_ctx->flags |= APPLY_STRICT;
 	}
+	if (ret == KNOT_EOK) {
+		changeset_t ch2;
+		ret = changeset_init(&ch2, update->new_cont->apex->owner);
+		if (ret == KNOT_EOK) {
+			ret = knot_zone_sign_nsecs_in_changeset(zone_keys, ctx, &update->change, &ch2);
+		}
+		if (ret == KNOT_EOK) {
+			ret = zone_update_apply_changeset(update, &ch2);
+		}
+		changeset_clear(&ch2);
+	}
 cleanup:
 	changeset_clear(&ch);
diff --git a/src/knot/dnssec/zone-sign.c b/src/knot/dnssec/zone-sign.c
index 371562598c..453f7e5369 100644
--- a/src/knot/dnssec/zone-sign.c
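Review bot: `changeset_clear(&ch2);` at the end of the new block is reached even when `changeset_init(&ch2, ...)` returned an error, so correctness depends on changeset_init leaving `ch2` in a state changeset_clear accepts on every failure path (fully zeroed, or with any partially allocated member already released); that cannot be confirmed from this hunk. If it is not guaranteed, move the clear into the branch taken only after a successful init, or jump to `cleanup` directly from the failed init. The second apply also runs after `update->a_ctx->flags |= APPLY_STRICT;` has been restored, so the generated RRSIGs are applied strictly while the chain fix itself was applied non-strictly, which looks intended but deserves a line such as `// RRSIGs for the fixed chain are applied with strict checking re-enabled`. knot_zone_fix_nsec_chain begins before this hunk.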
+++ b/src/knot/dnssec/zone-sign.c
@@ -1018,7 +1018,7 @@ static int sign_changeset(const zone_contents_t *zone,
 int knot_zone_sign_nsecs_in_changeset(const zone_keyset_t *zone_keys,
                                       const kdnssec_ctx_t *dnssec_ctx,
-                                      changeset_t *changeset)
+                                      changeset_t *changeset, changeset_t *ch_out)
 {
 	if (zone_keys == NULL || dnssec_ctx == NULL || changeset == NULL) {
 		return KNOT_EINVAL;
@@ -1038,7 +1038,7 @@ int knot_zone_sign_nsecs_in_changeset(const zone_keyset_t *zone_keys,
 		    rr.type == KNOT_RRTYPE_NSEC3 ||
 		    rr.type == KNOT_RRTYPE_NSEC3PARAM) {
 			int ret = add_missing_rrsigs(&rr, NULL, sign_ctx,
-			                             changeset, NULL);
+			                             ch_out, NULL);
 			if (ret != KNOT_EOK) {
 				changeset_iter_clear(&itt);
 				return ret;
diff --git a/src/knot/dnssec/zone-sign.h b/src/knot/dnssec/zone-sign.h
index 08d94443fb..470b4c250a 100644
--- a/src/knot/dnssec/zone-sign.h
+++ b/src/knot/dnssec/zone-sign.h
@@ -112,7 +112,7 @@ bool knot_zone_sign_soa_expired(const zone_contents_t *zone,
  */
 int knot_zone_sign_nsecs_in_changeset(const zone_keyset_t *zone_keys,
                                       const kdnssec_ctx_t *dnssec_ctx,
-                                      changeset_t *changeset);
+                                      changeset_t *changeset, changeset_t *ch_out);
 /*!
  * \brief Checks whether RRSet in a node has to be signed. Will not return
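Review bot: The new `ch_out` parameter is not covered by the argument guard on the line after the signature, which still reads `if (zone_keys == NULL || dnssec_ctx == NULL || changeset == NULL) {`, yet in the -1038 hunk `ch_out` is the changeset handed to add_missing_rrsigs for the generated RRSIGs, so a NULL `ch_out` is passed straight through instead of being rejected with KNOT_EINVAL like the other arguments. Extend the guard to `if (zone_keys == NULL || dnssec_ctx == NULL || changeset == NULL || ch_out == NULL) {`. The function's body continues past this hunk.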
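Review bot: The prototype gains `ch_out` while the Doxygen comment above it, of which only the closing ` */` is in the hunk, is untouched by this commit, so the split between the changeset that is scanned for NSEC/NSEC3/NSEC3PARAM records and the one that receives their RRSIGs is undocumented, and the new caller in knot_zone_fix_nsec_chain depends on exactly that distinction. Add a line `\param ch_out  Changeset to which the generated RRSIGs are added.`, and if the existing `\param changeset` entry says the changeset is modified, reword it to say it is only read.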