From: Kees Monshouwer Date: Thu, 11 Apr 2013 21:26:33 +0000 (+0200) Subject: return NOTIMP for direct RRSIG request X-Git-Tag: auth-3.3.2~2^2~20 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0b3b248ac6dd4b35aa72ca8fe8ed1e0093bae3c;p=thirdparty%2Fpdns.git return NOTIMP for direct RRSIG request
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f131dfb04f..3b2dbe08b4 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -839,138 +839,6 @@ DNSPacket *PacketHandler::question(DNSPacket *p) return ret; } -void PacketHandler::synthesiseRRSIGs(DNSPacket* p, DNSPacket* r) -{ - DLOG(L<<"Need to synthesise the RRSIGs if someone asked for them explicitly"< > > records_t; - typedef map ttls_t; - records_t records; - ttls_t ttls; - - NSECRecordContent nrc; - NSEC3RecordContent n3rc; - nrc.d_set.insert(QType::RRSIG); - - DNSResourceRecord rr; - - SOAData sd; - sd.db=(DNSBackend *)-1; // force uncached answer - getAuth(p, &sd, p->qdomain, 0); - - bool narrow; - NSEC3PARAMRecordContent ns3pr; - bool doNSEC3= d_dk.getNSEC3PARAM(sd.qname, &ns3pr, &narrow); - - B.lookup(QType(QType::ANY), p->qdomain, p); - - bool haveone=false; - while(B.get(rr)) { - haveone=true; - if(!((rr.auth && rr.qtype.getCode()) || (!(doNSEC3 && ns3pr.d_flags) && rr.qtype.getCode() == QType::NS))) - continue; - - // make sure all fields are present in the SOA content - if(rr.qtype.getCode() == QType::SOA) { - rr.content = serializeSOAData(sd); - } - - // this deals with the 'prio' mismatch! 
- if(rr.qtype.getCode()==QType::MX || rr.qtype.getCode() == QType::SRV) { - rr.content = lexical_cast(rr.priority) + " " + rr.content; - } - - // fix direct DNSKEY ttl - if(::arg().mustDo("direct-dnskey") && rr.qtype.getCode() == QType::DNSKEY) { - rr.ttl = sd.default_ttl; - } - - if(!rr.content.empty() && rr.qtype.getCode()==QType::TXT && rr.content[0]!='"') { - rr.content="\""+rr.content+"\""; - } - if(rr.content.empty()) // empty contents confuse the MOADNS setup - rr.content="."; - shared_ptr drc(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content)); - - records[rr.qtype.getCode()].push_back(drc); - ttls[rr.qtype.getCode()]=rr.ttl; - nrc.d_set.insert(rr.qtype.getCode()); - } - - if(records.empty()) { - if (haveone) - makeNOError(p, r, p->qdomain, "", sd, 0); - return; - } - - if(pdns_iequals(p->qdomain, sd.qname)) { // Add DNSKEYs at apex - DNSSECPrivateKey dpk; - - DNSSECKeeper::keyset_t keyset = d_dk.getKeys(p->qdomain); - BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type value, keyset) { - - records[QType::DNSKEY].push_back(shared_ptr(DNSRecordContent::mastermake(QType::DNSKEY, 1, value.first.getDNSKEY().getZoneRepresentation()))); - ttls[QType::DNSKEY]=sd.default_ttl; - nrc.d_set.insert(QType::DNSKEY); - } - } - - string before,after; - string unhashed(p->qdomain); - - if(doNSEC3) { - // now get the NSEC3 and NSEC3PARAM - string hashed=hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, unhashed); - getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after); - unhashed=dotConcat(toLower(toBase32Hex(before)), sd.qname); - - n3rc.d_set=nrc.d_set; // Copy d_set from NSEC - n3rc.d_algorithm=ns3pr.d_algorithm; - n3rc.d_flags=ns3pr.d_flags; - n3rc.d_iterations=ns3pr.d_iterations; - n3rc.d_salt=ns3pr.d_salt; - n3rc.d_nexthash=after; - - if(pdns_iequals(p->qdomain, sd.qname)) { - ns3pr.d_flags = 0; // the NSEC3PARAM 'flag' is defined to always be zero in RFC5155. 
- - records[QType::NSEC3PARAM].push_back(shared_ptr(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, ns3pr.getZoneRepresentation()))); - ttls[QType::NSEC3PARAM]=sd.default_ttl; - n3rc.d_set.insert(QType::NSEC3PARAM); - } - - // ok, the NSEC3PARAM is in.. - } - else { - // now get the NSEC too (since we must sign it!) - sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, p->qdomain, before, after); - - nrc.d_set.insert(QType::NSEC); - nrc.d_next=after; - - records[QType::NSEC].push_back(shared_ptr(DNSRecordContent::mastermake(QType::NSEC, 1, nrc.getZoneRepresentation()))); - ttls[QType::NSEC]=sd.default_ttl; - - // ok, the NSEC is in.. - } - DLOG(L<<"Have "< rrsigs; - - BOOST_FOREACH(records_t::value_type& iter, records) { - rr.qname=(doNSEC3 && iter.first == QType::NSEC3) ? unhashed : p->qdomain; - rr.ttl=ttls[iter.first]; - - addSignature(d_dk, B, sd.qname, rr.qname, rr.qname, iter.first, rr.ttl, DNSPacketWriter::ANSWER, iter.second, rrsigs, rr.ttl); - } - - BOOST_FOREACH(DNSResourceRecord& rr, rrsigs) - r->addRecord(rr); -} - void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd) { DNSResourceRecord rr; @@ -1193,7 +1061,8 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) if(doVersionRequest(p,r,target)) // catch version.bind requests goto sendit; - if((p->qtype.getCode() == QType::ANY || p->qtype.getCode() == QType::RRSIG) && !p->d_tcp && g_anyToTcp) { + // send TC for udp ANY query if any-to-tcp is enabled. + if(p->qtype.getCode() == QType::ANY && !p->d_tcp && g_anyToTcp) { r->d.tc = 1; r->commitD(); return r; @@ -1268,8 +1137,9 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) } // this TRUMPS a cname! - if(p->qtype.getCode() == QType::RRSIG && d_dk.isSecuredZone(sd.qname)) { - synthesiseRRSIGs(p, r); + if(p->qtype.getCode() == QType::RRSIG) { + L<getRemote()<setRcode(RCode::NotImp); goto sendit; }
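Review bot: The new comment on the TC branch explains the ANY case but not why RRSIG was dropped from the condition, which is the non-obvious part of this hunk: a UDP RRSIG query is no longer forced onto TCP, and whether that is still safe against amplification depends on the NOTIMP rejection added later in the same function, outside this hunk, which presumably yields a response no larger than the query. I'd extend the comment to `// send TC for udp ANY query if any-to-tcp is enabled; direct RRSIG queries are rejected with NOTIMP further down, so they never need the TCP round trip` so the coupling between the two branches survives future edits. The enclosing questionOrRecurse starts and ends outside the hunk.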
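Review bot: The added `L<<...<<p->getRemote()` line emits one log entry per direct RRSIG query from an unauthenticated, spoofable UDP source, and since the ANY-to-TCP guard earlier in this function no longer intercepts RRSIG, nothing throttles that path; if the line is at Logger::Warning as the garbled text suggests, a trivial packet flood fills the auth log and buries real warnings. I'd log it at a lower severity or count it in a metric rather than recording the remote for every packet, e.g. `L<<Logger::Info<<"Not answering direct RRSIG query from "<<p->getRemote()<<endl;`. Rejecting before the lookup is otherwise the right call against resource exhaustion — the removed synthesiseRRSIGs did an ANY lookup plus on-line signing of every RRset per query and returned all resulting RRSIGs — but the surviving `// this TRUMPS a cname!` comment now sits above a rejection and no longer explains it; something like `// Direct RRSIG queries are refused (NOTIMP) before any CNAME processing: answering them meant an ANY lookup and signing per query` would. Note the NOTIMP now also applies to unsigned zones, where a direct RRSIG query previously fell through to the normal lookup, which is a visible behaviour change worth a sentence in the commit message; questionOrRecurse continues outside the hunk.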