From: Ruben d'Arco
Date: Mon, 13 May 2013 07:31:34 +0000 (+0200)
Subject: Correct deletion of NSEC3PARAM
X-Git-Tag: rec-3.6.0-rc1~556^2~3^2~34
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e3dc2b564fd93b7b269338a4833f50ae52282ae2;p=thirdparty%2Fpdns.git
Correct deletion of NSEC3PARAM
---
diff --git a/modules/gmysqlbackend/gmysqlbackend.cc b/modules/gmysqlbackend/gmysqlbackend.cc
index ce270b712d..6473cef62b 100644
--- a/modules/gmysqlbackend/gmysqlbackend.cc
+++ b/modules/gmysqlbackend/gmysqlbackend.cc
@@ -102,6 +102,7 @@ public:
 declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'");
 declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
 declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
+ declare(suffix,"nullify-ordername-and-auth-ent-query", "DNSSEC nullify ordername and auth for ENT records with name.", "update records set ordername=NULL, auth=NULL where name='%s' AND type IS NULL and domain_id='%d'");
 declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");
 declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
diff --git a/modules/gpgsqlbackend/gpgsqlbackend.cc b/modules/gpgsqlbackend/gpgsqlbackend.cc
index 49f432122f..0e45a421b0 100644
--- a/modules/gpgsqlbackend/gpgsqlbackend.cc
+++ b/modules/gpgsqlbackend/gpgsqlbackend.cc
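Review bot: The new `nullify-ordername-and-auth-ent-query` default writes `auth=NULL`, whereas every sibling nullify query on these lines writes `auth=0` (gmysql, gsqlite3) or `auth=false` (gpgsql); if the records schema declares `auth` NOT NULL the statement fails at runtime, and otherwise every reader of that column now has to treat a NULL auth as a third state. The schema files are not in this diff, so please confirm the column is nullable in all three backends or use the same 0/false value as the neighbouring queries. The identical default is added in the gpgsql and gsqlite3 hunks below. Minor style: the new statement mixes upper-case `AND`/`IS NULL` with the lower-case `and` used by the surrounding defaults, and its description ends with a period unlike the others.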
@@ -104,6 +104,7 @@ public:
 declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=(%d = 1) where domain_id='%d' and name='%s'");
 declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=false where name=E'%s' and type=E'%s' and domain_id='%d'");
+ declare(suffix,"nullify-ordername-and-auth-ent-query", "DNSSEC nullify ordername and auth for ENT records with name.", "update records set ordername=NULL, auth=NULL where name=E'%s' AND type IS NULL and domain_id='%d'");
 declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
 declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d");
diff --git a/modules/gsqlite3backend/gsqlite3backend.cc b/modules/gsqlite3backend/gsqlite3backend.cc
index 02dc4fee10..8585a7e118 100644
--- a/modules/gsqlite3backend/gsqlite3backend.cc
+++ b/modules/gsqlite3backend/gsqlite3backend.cc
@@ -97,6 +97,7 @@ public:
 declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
 declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
+ declare(suffix,"nullify-ordername-and-auth-ent-query", "DNSSEC nullify ordername and auth for ENT records with name.", "update records set ordername=NULL, auth=NULL where name='%s' AND type IS NULL and domain_id='%d'");
 declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");
 declare( suffix, "master-zone-query", "Data", "select master from domains where name='%s' and type='SLAVE'");
diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 1eeaaf2fe1..eb97579c2c 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -300,6 +300,7 @@ GSQLBackend::GSQLBackend(const string &mode, const string &suffix)
 d_setOrderAuthQuery = getArg("set-order-and-auth-query");
 d_nullifyOrderNameAndUpdateAuthQuery = getArg("nullify-ordername-and-update-auth-query");
 d_nullifyOrderNameAndAuthQuery = getArg("nullify-ordername-and-auth-query");
+ d_nullifyOrderNameAndAuthENTQuery = getArg("nullify-ordername-and-auth-ent-query");
 d_setAuthOnDsRecordQuery = getArg("set-auth-on-ds-record-query");
 d_AddDomainKeyQuery = getArg("add-domain-key-query");
@@ -346,7 +347,6 @@ bool GSQLBackend::nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const
 if(!d_dnssecQueries) return false;
 char output[1024];
-
 snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndUpdateAuthQuery.c_str(), auth, domain_id, sqlEscape(qname).c_str());
 try {
 d_db->doCommand(output);
@@ -362,8 +362,10 @@ bool GSQLBackend::nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::s
 if(!d_dnssecQueries) return false;
 char output[1024];
-
- snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndAuthQuery.c_str(), sqlEscape(qname).c_str(), sqlEscape(type).c_str(), domain_id);
+ if (type == "TYPE0") snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndAuthENTQuery.c_str(), sqlEscape(qname).c_str(), domain_id);
+ else snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndAuthQuery.c_str(), sqlEscape(qname).c_str(), sqlEscape(type).c_str(), domain_id);
 try {
 d_db->doCommand(output);
 }
diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh
index fc3c689b31..2348ce5433 100644
--- a/pdns/backends/gsql/gsqlbackend.hh
+++ b/pdns/backends/gsql/gsqlbackend.hh
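Review bot: In the `nullifyDNSSECOrderNameAndAuth` hunk the ENT branch is selected by the string comparison `type == "TYPE0"`, which couples this backend to the exact text the caller obtains from `qtype.getName()` for code 0 (the rfc2136handler.cc hunk passes exactly that) and is invisible in the `type` parameter's contract. A comment on that line would help, e.g. `// "TYPE0" is the name QType gives code 0; ENT rows have type IS NULL in SQL, so they need their own query`, and a boolean or enum parameter would let the caller state the intent directly instead of relying on a sentinel string. Both new `snprintf` calls also inherit the existing pattern of ignoring the return value, so a statement that does not fit in `output` would be sent to the database truncated; checking the result before `doCommand` would make the new branch fail closed. The function's closing lines are outside the hunk.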
@@ -106,6 +106,7 @@ private:
 string d_setOrderAuthQuery;
 string d_nullifyOrderNameAndUpdateAuthQuery;
 string d_nullifyOrderNameAndAuthQuery;
+ string d_nullifyOrderNameAndAuthENTQuery;
 string d_setAuthOnDsRecordQuery;
 string d_removeEmptyNonTerminalsFromZoneQuery;
 string d_insertEmptyNonTerminalQuery;
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 899a32faf0..8a43f4bed9 100755
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -117,22 +117,25 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *
 DLOG(L<d_content->getZoneRepresentation(), di->zone);
 d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
 *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
 di->backend->list(di->zone, di->id);
 vector rrs;
 while (di->backend->get(rec)) {
- rrs.push_back(rec);
+ if (rec.qtype.getCode()) rrs.push_back(rec);
 }
 for (vector::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
- if (*narrow) {
+ string hashed;
+
+ if (*haveNSEC3) hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname))); di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
+
+ if (*narrow) di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
- } else {
- string hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
- di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
- }
 }
 return 1;
 }
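Review bot: In the rewritten loop of the rfc2136handler.cc hunk the hash is computed and written through `updateDNSSECOrderAndAuthAbsolute` whenever `*haveNSEC3` is set, and then, when `*narrow` is also set, immediately overwritten by `nullifyDNSSECOrderNameAndUpdateAuth`, so narrow zones pay a hash and two UPDATEs per record only to end with a NULL ordername, where the old code did one or the other. Testing `*narrow` first, as below, removes the redundant work and also stops `hashed` being written as an empty string should `*haveNSEC3` come back false right after `setNSEC3PARAM`. The new filter `if (rec.qtype.getCode())` drops empty-non-terminal rows from this pass; if non-narrow NSEC3 relies on ENT ordernames (handled elsewhere in the codebase, not visible here), those rows keep whatever ordername and auth they had before the NSEC3PARAM change, which is worth confirming. `performUpdate` starts and ends outside this hunk.
```cpp
    // … unchanged: collect rrs from di->backend, for-header over rrs …
      if (*narrow) {
        di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
      } else if (*haveNSEC3) {
        string hashed = toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
        di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
      }
    // … unchanged: end of for loop, return 1 …
```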
@@ -321,14 +324,20 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *
 } else return 0;
- *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow); // still update, as other records in this update packet need to use it as well.
+ // We retrieve new values, other RR's in this update package might need it as well.
+ *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
+
+ // Remove the Order and Aath field
 di->backend->list(di->zone, di->id);
 vector rrs;
- while (di->backend->get(rec)) {
+ while (di->backend->get(rec)) rrs.push_back(rec);
- }
 for (vector::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
- di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, i->qname, i->auth);
+ if (!i->qtype.getCode()) {// for ENT records, we want to reset things as they have ordername=NULL and auth=NULL
+ di->backend->nullifyDNSSECOrderNameAndAuth(di->id, i->qname, i->qtype.getName());
+ di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
+ } else // all other records are simply updated.
+ di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, i->qname, i->auth);
 }
 return 1;
 }
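Review bot: For ENT rows the new code calls `nullifyDNSSECOrderNameAndAuth` (whose ENT query in the backend hunks sets `ordername=NULL, auth=NULL`) and then `nullifyDNSSECOrderNameAndUpdateAuth`, whose query sets `auth=%d` from `i->auth` for every row with that name, so the NULL auth the comment promises is overwritten by the very next statement and only the second call's effect survives; either the comment is wrong or one of the two calls is redundant, so please drop one call or reword the comment to `// ENT rows: clear ordername, then write back auth`. Passing `i->qtype.getName()` so that gsqlbackend.cc can match the string `"TYPE0"` is an indirect contract between the two files; a comment here naming it would spare the next reader a search. Minor: the added comment `// Remove the Order and Aath field` has a typo (Auth), and the braces were dropped from the `while` and the `else` branch while the `if` branch directly above keeps them. `performUpdate` starts and ends outside this hunk.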