From 0bd3190a3f9d85a2ec5882084bd980bc836f1bbe Mon Sep 17 00:00:00 2001
From: Peter Thomassen
Date: Mon, 14 Jul 2025 17:06:15 +0200
Subject: [PATCH] auth: move pdnsutil setNSEC3 checks to DNSSECKeeper
---
 pdns/dbdnsseckeeper.cc | 7 +++++++
 pdns/pdnsutil.cc | 16 +++++++---------
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index ed5e08e626..2e834fc4c4 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -395,6 +395,13 @@ bool DNSSECKeeper::checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string&
 bool DNSSECKeeper::setNSEC3PARAM(const ZoneName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
 {
+ if (auto wirelength = zname.operator const DNSName&().wirelength(); wirelength > 222) {
+ throw runtime_error("Cannot enable NSEC3 for zone '" + zname.toLogString() + "' as it is too long (" + std::to_string(wirelength) + " bytes, maximum is 222 bytes)");
+ }
+ if(ns3p.d_algorithm != 1) {
+ throw runtime_error("NSEC3PARAM algorithm set to '" + std::to_string(ns3p.d_algorithm) + "', but '1' is the only valid value");
+ }
+
 if (d_keymetadb->inTransaction()) {
 d_metaUpdate = true;
 }
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 8d5e91c394..abb2e1aa69 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -3595,16 +3595,14 @@ static int setNsec3(vector& cmds, const std::string_view synopsis)
 DNSSECKeeper dk; //NOLINT(readability-identifier-length)
 ZoneName zone(cmds.at(1));
- if (auto wirelength = zone.operator const DNSName&().wirelength(); wirelength > 222) {
- cerr<<"Cannot enable NSEC3 for " << zone << " as it is too long (" << wirelength << " bytes, maximum is 222 bytes)"<
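Review bot: The two guards added at the top of DNSSECKeeper::setNSEC3PARAM (pdns/dbdnsseckeeper.cc) report failure by throwing `runtime_error` from a function declared to return `bool`, so a caller that only tests the return value would now receive an exception instead; the call sites are not visible in this hunk and should each be checked for a handler. I would state the contract above the function, e.g. `// Throws std::runtime_error if the zone name exceeds 222 wire-format bytes or ns3p.d_algorithm != 1.` The limit 222 is also written twice as a bare literal, once in the condition and once in the message; a named constant with a comment on where the limit comes from (presumably the 255-byte name limit minus the 33-byte hashed owner label) would keep the two in step. The function body continues past the end of the hunk.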