Correctly add NSEC3PARAM
authorRuben d'Arco <cyclops@prof-x.net>
Sat, 18 May 2013 10:14:50 +0000 (12:14 +0200)
committermind04 <mind04@monshouwer.org>
Fri, 12 Jul 2013 15:26:19 +0000 (17:26 +0200)
pdns/rfc2136handler.cc

index 562348403f7b6b6f38a51c2d9b33619625f695aa..d6e10a4fa26851316e8bf8515030d8721011c10f 100644 (file)
@@ -117,28 +117,46 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *
     DLOG(L<<msgPrefix<<"Add/Update record (QClass == IN) "<<rrLabel<<"|"<<rrType.getName()<<endl);
 
     if (rrType == QType::NSEC3PARAM) {
-      L<<Logger::Notice<<msgPrefix<<"Adding NSEC3PARAM for zone, resetting ordernames."<<endl;  
+      L<<Logger::Notice<<msgPrefix<<"Adding/updating NSEC3PARAM for zone, resetting ordernames."<<endl;  
+
       NSEC3PARAMRecordContent nsec3param(rr->d_content->getZoneRepresentation(), di->zone);
+      *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record
       d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
-      *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
-      di->backend->list(di->zone, di->id);
+      
+
       vector<DNSResourceRecord> rrs;
+      vector<string> delegates;
+      di->backend->list(di->zone, di->id);
       while (di->backend->get(rec)) {
         rrs.push_back(rec);
+        if (rec.qtype == QType::NS && rec.qname != di->zone)
+          delegates.push_back(rec.qname);
       }
+
+      *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
+
       for (vector<DNSResourceRecord>::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
-        string hashed;
+        bool resetOrdernameAndAuth = false;
+        for (vector<string>::const_iterator delegate = delegates.begin(); delegate != delegates.end(); delegate++) {
+          if ((i->qtype.getCode() != QType::NS && endsOn(i->qname, *delegate)) || (i->qtype.getCode() == QType::NS && *delegate == i->qname && ns3pr->d_flags)) {
+            resetOrdernameAndAuth = true;
+            break;
+          }
+        }
 
-        if (*haveNSEC3)        
-          hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
-        di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
-       
-        if (*narrow)
-          di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
+        // always use hashed, as we do nsec3
+        string hashed = toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
+        if (resetOrdernameAndAuth) {
+          di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, false);
+        } else {
+          di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);  
+        }
       }
       return 1;
     }
 
+
+
     bool foundRecord = false;
     di->backend->lookup(rrType, rrLabel);
     while (di->backend->get(rec)) {
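Review bot: The result of `getNSEC3PARAM` on the new line after the list loop is stored in `*haveNSEC3` but never checked before `ns3pr->d_flags`, `d_iterations` and `d_salt` are read in the loop that follows, so a failed read-back after `setNSEC3PARAM` would rewrite every ordername in the zone from whatever `ns3pr` held before; a guard such as `if (!*haveNSEC3) { L<<Logger::Error<<msgPrefix<<"could not read back NSEC3PARAM, not resetting ordernames"<<endl; return /* the function's failure code */; }` should precede the loop. The hash on the `string hashed = ...` line is also computed for records that are then nullified; computing it only in the `else` branch avoids iterations-times-records work, which is worth having since `d_iterations` comes straight from the client-supplied NSEC3PARAM and nothing in this hunk bounds it. Separately, `endsOn(i->qname, *delegate)` presumably matches the delegation name itself, so a non-NS record at that name (a DS in particular) would also be marked non-authoritative, and the opt-out branch applies to every delegation whether or not a DS exists; please confirm this matches the zone-rectify logic used elsewhere. The enclosing `performUpdate` starts and ends outside the hunk.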