From: Kees Monshouwer
Date: Thu, 1 Oct 2020 06:57:21 +0000 (+0200)
Subject: auth: Speedup presigned signature lookups.
X-Git-Tag: auth-4.4.0-alpha2~25^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F9568%2Fhead;p=thirdparty%2Fpdns.git
auth: Speedup presigned signature lookups.
There was an unnecessary soa lookup which resulted in a large number of extra backend queries.
---
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 14e1cd253f..de27cd0176 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -605,29 +605,30 @@ bool DNSSECKeeper::checkKeys(const DNSName& zone, vector* errorMessages)
 return retval;
 }
-bool DNSSECKeeper::getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname,
- const DNSName& wildcardname, const QType& qtype,
- DNSResourceRecord::Place signPlace, vector& rrsigs, uint32_t signTTL)
-{
- // cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<(rr.dr);
- if(rrsig->d_type == qtype.getCode() && rrsig->d_signer==signer) {
- if (wildcardname.countLabels())
- rr.dr.d_name = qname;
- rr.dr.d_place = signPlace;
- rr.dr.d_ttl = signTTL;
- rrsigs.push_back(rr);
- }
- }
- return true;
+void DNSSECKeeper::getPreRRSIGs(UeberBackend& db, vector& rrs, uint32_t signTTL)
+{
+ if(rrs.empty()) {
+ return;
+ }
+
+ const auto& rr = *rrs.rbegin();
+
+ DNSZoneRecord dzr;
+ std::shared_ptr rrsig;
+
+ db.lookup(QType(QType::RRSIG), !rr.wildcardname.empty() ? rr.wildcardname : rr.dr.d_name, rr.domain_id);
+ while(db.get(dzr)) {
+ rrsig = std::move(getRR(dzr.dr));
+ if(rrsig->d_type == rr.dr.d_type) {
+ if(!rr.wildcardname.empty()) {
+ dzr.dr.d_name = rr.dr.d_name;
+ }
+ dzr.dr.d_place = rr.dr.d_place;
+ dzr.dr.d_ttl = signTTL;
+
+ rrs.emplace_back(std::move(dzr));
+ }
+ }
 }
 bool DNSSECKeeper::TSIGGrantsAccess(const DNSName& zone, const DNSName& keyname)
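Review bot: In the new `getPreRRSIGs`, `const auto& rr = *rrs.rbegin();` keeps a reference into `rrs`, and the loop then calls `rrs.emplace_back(std::move(dzr))`, which may reallocate the vector and leave `rr` dangling. Any later iteration reads `rr.dr.d_type`, `rr.wildcardname`, `rr.dr.d_name` and `rr.dr.d_place` through that reference, so a name for which the backend returns more than one RRSIG record can read freed memory while a response is being built. Taking a copy before the loop avoids this: `const auto rr = rrs.back();`. Separately, `rrsig->d_type` is dereferenced without checking the result of `getRR(dzr.dr)`; if that helper can return an empty pointer for content that is not an RRSIG, guard it with `if(rrsig && rrsig->d_type == rr.dr.d_type)`. The commit also drops the old `rrsig->d_signer==signer` comparison, so signature selection now appears to rest on the `rr.domain_id` passed to `db.lookup`, which deserves a comment stating that assumption.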
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 56ddc226d8..9f758cf7f5 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -209,7 +209,7 @@ public:
 bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
 bool setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
 bool unsetNSEC3PARAM(const DNSName& zname);
- bool getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname, const DNSName& wildcardname, const QType& qtype, DNSResourceRecord::Place, vector& rrsigs, uint32_t signTTL);
+ void getPreRRSIGs(UeberBackend& db, vector& rrs, uint32_t signTTL);
 bool isPresigned(const DNSName& zname, bool useCache=true);
 bool setPresigned(const DNSName& zname);
 bool unsetPresigned(const DNSName& zname);
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 3bb27930c8..2a9eb764d7 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -142,7 +142,7 @@ static void addSignature(DNSSECKeeper& dk, UeberBackend& db, const DNSName& sign
 vector rrcs;
 if(dk.isPresigned(signer)) {
 //cerr<<"Doing presignatures"<