From: Peter van Dijk
Date: Sat, 8 May 2021 19:18:20 +0000 (+0200)
Subject: auth bindbackend: store nsec3 settings at zone load
X-Git-Tag: dnsdist-1.7.0-alpha1~110^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ccb6405fffaf3b13133ca6fbb4159369c3aed169;p=thirdparty%2Fpdns.git

auth bindbackend: store nsec3 settings at zone load

This keeps, inside the bindbackend, the nsec(3) settings consistent with the 'rectification' applied on zone load. This avoids crashes when nsec3 is enabled or disabled without reloading the zone in the bindbackend.

reported by Matt Nordhoff
---

diff --git a/modules/bindbackend/bindbackend2.cc b/modules/bindbackend/bindbackend2.cc
index f0f48ff48a..d6f2c1f1af 100644
--- a/modules/bindbackend/bindbackend2.cc
+++ b/modules/bindbackend/bindbackend2.cc
@@ -498,7 +498,7 @@ void Bind2Backend::parseZoneFile(BB2DomainInfo* bbd)
 nsec3zone = dk.getNSEC3PARAM(bbd->d_name, &ns3pr);
 }
 else
- nsec3zone = getNSEC3PARAM(bbd->d_name, &ns3pr);
+ nsec3zone = getNSEC3PARAMuncached(bbd->d_name, &ns3pr);
 auto records = std::make_shared();
 ZoneParserTNG zpt(bbd->d_filename, bbd->d_name, s_binddirectory, d_upgradeContent);
@@ -518,6 +518,8 @@ void Bind2Backend::parseZoneFile(BB2DomainInfo* bbd)
 bbd->d_checknow = false;
 bbd->d_status = "parsed into memory at " + nowTime();
 bbd->d_records = LookButDontTouch(records);
+ bbd->d_nsec3zone = nsec3zone;
+ bbd->d_nsec3param = ns3pr;
 }
 /** THIS IS AN INTERNAL FUNCTION! It does moadnsparser prio impedance matching
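Review bot: The two branches of this `if (d_hybrid)` now read NSEC3PARAM with different freshness: the native branch deliberately bypasses any cache via `getNSEC3PARAMuncached`, while the hybrid branch still goes through `dk.getNSEC3PARAM`, and if DNSSECKeeper serves that from its own metadata cache the snapshot stored for this load can still be the pre-`set-nsec3`/`unset-nsec3` value, which is the mismatch the commit sets out to remove. If DNSSECKeeper is known to read the current value here, say so next to the call, e.g. `// hybrid: DNSSECKeeper reads the current metadata, no cache bypass needed`; otherwise the hybrid branch needs the same uncached treatment. parseZoneFile begins before this hunk, so the declarations of `nsec3zone` and `ns3pr` are not visible here.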
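Review bot: The two new assignments at the end of parseZoneFile are the heart of the change yet carry no comment, and nothing tells a later maintainer why these must not be replaced by a live lookup. Suggest, above `bbd->d_nsec3zone = nsec3zone;`: `// Snapshot the NSEC(3) mode that was in effect while 'records' was built; lookups must use this, not the live metadata, so the flag and the ordering of d_records can never disagree (a pdnsutil change takes effect on the next reload).` Also note that `ns3pr` is only meaningful when `nsec3zone` is true; if `getNSEC3PARAMuncached` leaves it untouched on a false return, `d_nsec3param` holds whatever the local contained, which is fine as long as every reader gates on `d_nsec3zone` first.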
@@ -1102,18 +1104,8 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const DNSName& qn
 if (!safeGetBBDomainInfo(id, &bbd))
 return false;
- NSEC3PARAMRecordContent ns3pr;
-
- bool nsec3zone;
- if (d_hybrid) {
- DNSSECKeeper dk;
- nsec3zone = dk.getNSEC3PARAM(bbd.d_name, &ns3pr);
- }
- else
- nsec3zone = getNSEC3PARAM(bbd.d_name, &ns3pr);
-
 shared_ptr records = bbd.d_records.get();
- if (!nsec3zone) {
+ if (!bbd.d_nsec3zone) {
 return findBeforeAndAfterUnhashed(records, qname, unhashed, before, after);
 }
 else {
diff --git a/modules/bindbackend/bindbackend2.hh b/modules/bindbackend/bindbackend2.hh
index e5bd7cf9c7..fb4ed04672 100644
--- a/modules/bindbackend/bindbackend2.hh
+++ b/modules/bindbackend/bindbackend2.hh
@@ -167,6 +167,8 @@ public:
 mutable bool d_checknow; //!< if this domain has been flagged for a check
 bool d_loaded; //!< if a domain is loaded
 bool d_wasRejectedLastReload{false}; //!< if the domain was rejected during Bind2Backend::queueReloadAndStore
+ bool d_nsec3zone{false};
+ NSEC3PARAMRecordContent d_nsec3param;
 private:
 time_t getCtime();
@@ -253,6 +255,7 @@ private:
 shared_ptr d_dnssecdb;
 bool getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* ns3p);
 void setLastCheck(uint32_t domain_id, time_t lastcheck);
+ bool getNSEC3PARAMuncached(const DNSName& name, NSEC3PARAMRecordContent* ns3p);
 class handle {
 public:
diff --git a/modules/bindbackend/binddnssec.cc b/modules/bindbackend/binddnssec.cc
index b3dd4959b4..9710f38b56 100644
--- a/modules/bindbackend/binddnssec.cc
+++ b/modules/bindbackend/binddnssec.cc
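Review bot: The `else {` branch and the rest of getBeforeAndAfterNamesAbsolute lie outside this hunk, and the hunk deletes the `ns3pr` local, so any remaining use further down must now read `bbd.d_nsec3param` — presumably there is none or this would not build, but it is worth confirming on the full function. The new test takes the NSEC3 mode from the same `bbd` copy that `d_records` is read from, which is what actually removes the crash; a one-line comment would stop someone from "optimising" it back into a live lookup: `// use the NSEC3 mode captured when d_records was built; a live lookup could disagree with the record ordering`.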
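Review bot: The two new BB2DomainInfo members are undocumented while every neighbouring field carries a `//!<` description, and their semantics (a load-time snapshot, not the live setting) are exactly what a maintainer needs to know before touching them. Suggest `bool d_nsec3zone{false}; //!< NSEC3 mode captured when the zone was last parsed; stale until the next reload` and `NSEC3PARAMRecordContent d_nsec3param; //!< NSEC3PARAM captured at the same time; only meaningful when d_nsec3zone is true`. Note that this enlarges every BB2DomainInfo copy handed out by safeGetBBDomainInfo by one NSEC3PARAMRecordContent, which sits on the per-query path — probably negligible, but worth knowing.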
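Review bot: Two private members now differ only by the suffix `uncached`, and nothing at the declaration says which one a caller should pick. Suggest a comment on the new line, `//!< reads NSEC3PARAM straight from the DNSSEC db; only for (re)loading a zone — everything else uses getNSEC3PARAM(), which returns the load-time snapshot`, and declaring it directly after `getNSEC3PARAM` rather than after `setLastCheck` so the pair reads together.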
@@ -199,6 +199,19 @@ bool Bind2Backend::doesDNSSEC()
 }
 bool Bind2Backend::getNSEC3PARAM(const DNSName& name, NSEC3PARAMRecordContent* ns3p)
+{
+ BB2DomainInfo bbd;
+ if (!safeGetBBDomainInfo(name, &bbd))
+ return false;
+
+ if (ns3p) {
+ *ns3p = bbd.d_nsec3param;
+ }
+
+ return bbd.d_nsec3zone;
+}
+
+bool Bind2Backend::getNSEC3PARAMuncached(const DNSName& name, NSEC3PARAMRecordContent* ns3p)
 {
 if (!d_dnssecdb || d_hybrid)
 return false;
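Review bot: The rewritten `getNSEC3PARAM` answers "not NSEC3" for two cases a caller cannot distinguish from a genuine NSEC zone: a name `safeGetBBDomainInfo` knows but that has not been parsed yet (returns false after copying the default-constructed `d_nsec3param` into `*ns3p`) and a name it does not know at all (returns false without touching `*ns3p`). That is acceptable for the lookup path this commit targets, but it is a contract change from the old body, which went to the DNSSEC db, and should be written down. Suggest a header comment on `getNSEC3PARAM`: `// Returns the NSEC3 settings captured by parseZoneFile() for this zone. Deliberately does not consult the DNSSEC db: the answer must match how d_records was built. Unknown or not-yet-parsed zones report false.` and on the uncached variant: `// Live read from the DNSSEC db; only parseZoneFile() should call this.` The `d_hybrid`/`d_dnssecdb` guard now lives only in the uncached variant, which is consistent since the snapshot already reflects the hybrid choice; the body of getNSEC3PARAMuncached continues past the end of the hunk.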