From: Miod Vallat
Date: Thu, 3 Jul 2025 12:15:44 +0000 (+0200)
Subject: Plumbing to let updateDNSSECOrderNameAndAuth tell NSEC apart from NSEC3.
X-Git-Tag: rec-5.3.0-alpha2~10^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb3e5c77b64611314630da12c9646d92e9067854;p=thirdparty%2Fpdns.git
Plumbing to let updateDNSSECOrderNameAndAuth tell NSEC apart from NSEC3.
Signed-off-by: Miod Vallat
---
diff --git a/docs/appendices/backend-writers-guide.rst b/docs/appendices/backend-writers-guide.rst
index 66e5ed5d98..c0ec5dfdf3 100644
--- a/docs/appendices/backend-writers-guide.rst
+++ b/docs/appendices/backend-writers-guide.rst
@@ -893,7 +893,7 @@ In order for a backend to support DNSSEC, quite a few number of additional opera
 virtual bool getBeforeAndAfterNamesAbsolute(domainid_t id, const DNSName& qname, DNSName& unhashed, DNSName& before, DNSName& after);
 /* update operations */
- virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype=QType::ANY);
+ virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool isNsec3);
 virtual bool updateEmptyNonTerminals(domainid_t domain_id, set& insert, set& erase, bool remove);
 virtual bool feedEnts(domainid_t domain_id, map &nonterm);
 virtual bool feedEnts3(domainid_t domain_id, const DNSName &domain, map &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow);
@@ -918,7 +918,7 @@ contain `CAP_DNSSEC` if that backend supports DNSSEC.
 Asks the names before and after qname for NSEC and NSEC3. The qname will be hashed when using NSEC3. Care must be taken to handle wrap-around when qname is the first or last in the ordered list of zone names. Please note that in case the requested name is present in the zone, it should be returned as the "before" name.
-.. cpp:function:: virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype=QType::ANY)
+.. cpp:function:: virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool isNsec3)
 Updates the ordername and auth fields.
diff --git a/modules/lmdbbackend/lmdbbackend.cc b/modules/lmdbbackend/lmdbbackend.cc
index a895b7a8ab..8483355b64 100644
--- a/modules/lmdbbackend/lmdbbackend.cc
+++ b/modules/lmdbbackend/lmdbbackend.cc
@@ -2624,7 +2624,7 @@ bool LMDBBackend::getBeforeAndAfterNames(domainid_t domainId, const ZoneName& zo
 return true;
 }
-bool LMDBBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype)
+bool LMDBBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool /* isNsec3 */)
 {
 // cout << __PRETTY_FUNCTION__<< ": "<< domain_id <<", '"< txn;
diff --git a/modules/lmdbbackend/lmdbbackend.hh b/modules/lmdbbackend/lmdbbackend.hh
index 612aa6a016..40887c3dec 100644
--- a/modules/lmdbbackend/lmdbbackend.hh
+++ b/modules/lmdbbackend/lmdbbackend.hh
@@ -160,7 +160,7 @@ public:
 bool getBeforeAndAfterNames(domainid_t domainId, const ZoneName& zonename, const DNSName& qname, DNSName& before, DNSName& after) override;
- bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype = QType::ANY) override;
+ bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool isNsec3) override;
 bool updateEmptyNonTerminals(domainid_t domain_id, set& insert, set& erase, bool remove) override;
diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 8f531b5577..24cebbb6b1 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -732,7 +732,7 @@ bool GSQLBackend::getCatalogMembers(const ZoneName& catalog, vector
 return true;
 }
-bool GSQLBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype)
+bool GSQLBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool /* isNsec3 */)
 {
 if(!d_dnssecQueries)
 return false;
diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh
index 6829f05ed5..44c36865d6 100644
--- a/pdns/backends/gsql/gsqlbackend.hh
+++ b/pdns/backends/gsql/gsqlbackend.hh
@@ -231,7 +231,7 @@ public:
 bool setAccount(const ZoneName &domain, const string &account) override;
 bool getBeforeAndAfterNamesAbsolute(domainid_t id, const DNSName& qname, DNSName& unhashed, DNSName& before, DNSName& after) override;
- bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t=QType::ANY) override;
+ bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t, bool isNsec3) override;
 bool updateEmptyNonTerminals(domainid_t domain_id, set& insert ,set& erase, bool remove) override;
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 0af76a5235..8659cfff15 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
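Review bot: The GSQLBackend declaration leaves the qtype parameter unnamed (`const uint16_t, bool isNsec3`) while naming the new flag, whereas the lmdbbackend.hh and dnsbackend.hh declarations in this commit name both. Naming it here keeps the override readable next to the base class and lets tooling match parameters by name: `bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool isNsec3) override;`. This is a point of style only; the signature is otherwise identical to the base class.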
@@ -877,25 +877,25 @@ bool DNSSECKeeper::rectifyZone(const ZoneName& zone, string& error, string& info
 it = rss.find(qname);
 if(it == rss.end() || it->second.update || it->second.auth != auth || it->second.ordername != ordername) {
- sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth, QType::ANY, haveNSEC3);
 ++updates;
 }
 if(realrr) {
 if (dsnames.count(qname)) {
- sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS, haveNSEC3);
 ++updates;
 }
 if (!auth || nsset.count(qname)) {
 ordername.clear();
 if(isOptOut && !dsnames.count(qname)){
- sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS, haveNSEC3);
 ++updates;
 }
- sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A, haveNSEC3);
 ++updates;
- sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA, haveNSEC3);
 ++updates;
 }
diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh
index 0a779c93c8..f87391e63c 100644
--- a/pdns/dnsbackend.hh
+++ b/pdns/dnsbackend.hh
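Review bot: Every call in this hunk discards the bool returned by updateDNSSECOrderNameAndAuth while `++updates` is counted unconditionally, so a backend that declines the write (GSQLBackend returns false when `d_dnssecQueries` is unset, and the DNSBackend default body in this commit returns false) is still reported as a successful update. Since the commit already rewrites each of these lines, it is a cheap moment to count only accepted writes, e.g. `if (sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth, QType::ANY, haveNSEC3)) { ++updates; }`, or to report a refused write through the `error` string. An unnoticed refusal leaves ordername/auth stale, which is the data NSEC and NSEC3 denial-of-existence answers are built from. Whether `updates` feeds anything beyond the info string is not visible here; rectifyZone begins and ends outside the hunk.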
@@ -256,7 +256,7 @@ public:
 virtual bool getBeforeAndAfterNames(domainid_t /* id */, const ZoneName& zonename, const DNSName& qname, DNSName& before, DNSName& after);
- virtual bool updateDNSSECOrderNameAndAuth(domainid_t /* domain_id */, const DNSName& /* qname */, const DNSName& /* ordername */, bool /* auth */, const uint16_t /* qtype */ = QType::ANY)
+ virtual bool updateDNSSECOrderNameAndAuth(domainid_t /* domain_id */, const DNSName& /* qname */, const DNSName& /* ordername */, bool /* auth */, const uint16_t /* qtype */, bool /* isNsec3 */)
 {
 return false;
 }
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index aaed5bb3da..a77e764941 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -1007,7 +1007,7 @@ static int increaseSerial(const ZoneName& zone, DNSSECKeeper &dsk)
 ordername=DNSName("");
 if(g_verbose) cerr<<"'"< '"<< ordername <<"'"<updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true);
+ sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true, QType::ANY, haveNSEC3);
 }
 sd.db->commitTransaction();
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index d6c52dd0a1..379f19983a 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
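Review bot: The base-class declaration in dnsbackend.hh gains `bool isNsec3` with no comment on what it conveys, and it sits positionally next to `bool auth`, so a caller that swaps the two compiles silently. A short comment above the declaration would pin the contract, e.g. `// isNsec3: ordername is an NSEC3 hash (base32hex, or empty for narrow zones) rather than a zone-relative NSEC name; qtype no longer defaults to QType::ANY, so callers pass it explicitly.` That split is exactly what the rfc2136handler.cc callers in this commit compute before calling (toBase32Hex of the salted hash vs makeRelative). Longer term a two-value enum class in place of the bool would let the compiler reject the swapped-argument case; the same comment could also go on the docs entry, which currently only says "Updates the ordername and auth fields."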
@@ -233,21 +233,23 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
 if(! *narrow)
 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
- if (*narrow)
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
- else
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
+ if (*narrow) {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true);
+ }
+ else {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);
+ }
 if(!auth || rrType == QType::DS) {
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true);
 }
 }
 else { // NSEC
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth, QType::ANY, false);
 if(!auth || rrType == QType::DS) {
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);
 }
 }
 }
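Review bot: Inside the `if(*haveNSEC3)` and NSEC branches the new last argument is spelled as the literals `true`/`false`, while the A/AAAA calls in the @@ -349 hunk and the single call in the @@ -463 hunk pass `*haveNSEC3`, and the @@ -538 hunk goes back to a literal `true`. Passing `*haveNSEC3` in every call ties the flag to the branch condition so the two cannot drift apart once a backend starts acting on isNsec3, and it reads better next to the unlabelled `auth` bool, e.g. `di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, *haveNSEC3);`. The same applies to the @@ -302 hunk. This is a point of style; the values passed are correct for each branch as written. performUpdate begins before this hunk and continues after it.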
@@ -302,32 +304,34 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
 if(! *narrow)
 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
- if (*narrow)
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
- else
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
+ if (*narrow) {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true);
+ }
+ else {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);
+ }
- if (fixDS)
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
+ if (fixDS) {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, true);
+ }
- if(!auth)
- {
- if (ns3pr->d_flags)
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+ if(!auth) {
+ if (ns3pr->d_flags != 0) {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true);
+ }
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true);
 }
 }
- else // NSEC
- {
+ else { // NSEC
 DNSName ordername=rr->d_name.makeRelative(di->zone);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, false);
 if (fixDS) {
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, false);
 }
 if(!auth) {
-
di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);
 }
 }
@@ -349,21 +353,24 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
 if(! *narrow)
 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));
- if (*narrow)
- di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth);
- else
- di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth);
+ if (*narrow) {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, true);
+ }
+ else {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth, QType::ANY, true);
+ }
- if (ns3pr->d_flags)
- di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS);
+ if (ns3pr->d_flags != 0) {
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, true);
+ }
 }
 else { // NSEC
 DNSName ordername=DNSName(qname).makeRelative(di->zone);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS, false);
 }
- di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, *haveNSEC3);
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, *haveNSEC3);
 }
 }
 }
@@ -463,17 +470,16 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
 }
 for (const auto &changeRec:updateAuthFlag) {
+ DNSName ordername;
 if(*haveNSEC3) {
- DNSName ordername;
- if(! *narrow)
+ if(! *narrow) {
 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)));
-
- di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
+ }
 }
 else { // NSEC
- DNSName ordername=changeRec.makeRelative(di->zone);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
+ ordername=changeRec.makeRelative(di->zone);
 }
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, *haveNSEC3);
 }
 }
@@ -538,9 +544,10 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
 if(*haveNSEC3) {
 DNSName ordername;
- if(! *narrow)
+ if(! *narrow) {
 ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));
- di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true);
+ }
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, true);
 }
 }
 }
@@ -1076,15 +1083,14 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di
 g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl;
 //Correct ordername + auth flag
+ DNSName ordername;
 if (haveNSEC3) {
- DNSName ordername;
- if (!narrow)
+ if (!narrow) {
 ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname)));
-
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
+ }
 }
 else { // NSEC
- DNSName ordername = rr.qname.makeRelative(di->zone);
- di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
+ ordername = rr.qname.makeRelative(di->zone);
 }
+ di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3);
 }
 }