From: Ruben d'Arco Date: Sat, 18 May 2013 10:14:50 +0000 (+0200) Subject: Correctly add NSEC3PARAM X-Git-Tag: rec-3.6.0-rc1~556^2~3^2~25 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f858f843eba161064788004a323735f586304193;p=thirdparty%2Fpdns.git Correctly add NSEC3PARAM
---
diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc
index 562348403f..d6e10a4fa2 100644
--- a/pdns/rfc2136handler.cc
+++ b/pdns/rfc2136handler.cc
@@ -117,28 +117,46 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord * DLOG(L<d_content->getZoneRepresentation(), di->zone);
+ *narrow = false; // adding a NSEC3 will cause narrow mode to be dropped, as you cannot specify that in a NSEC3PARAM record
 d_dk.setNSEC3PARAM(di->zone, nsec3param, (*narrow));
- *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
- di->backend->list(di->zone, di->id);
+
+ vector rrs;
+ vector delegates;
+ di->backend->list(di->zone, di->id);
 while (di->backend->get(rec)) {
 rrs.push_back(rec);
+ if (rec.qtype == QType::NS && rec.qname != di->zone)
+ delegates.push_back(rec.qname);
 }
+
+ *haveNSEC3 = d_dk.getNSEC3PARAM(di->zone, ns3pr, narrow);
+
 for (vector::const_iterator i = rrs.begin(); i != rrs.end(); i++) {
- string hashed;
+ bool resetOrdernameAndAuth = false;
+ for (vector::const_iterator delegate = delegates.begin(); delegate != delegates.end(); delegate++) {
+ if ((i->qtype.getCode() != QType::NS && endsOn(i->qname, *delegate)) || (i->qtype.getCode() == QType::NS && *delegate == i->qname && ns3pr->d_flags)) {
+ resetOrdernameAndAuth = true;
+ break;
+ }
+ }
- if (*haveNSEC3)
- hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
- di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
-
- if (*narrow)
- di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, i->auth);
+ // always use hashed, as we do nsec3
+ string hashed = toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));
+ if (resetOrdernameAndAuth) {
+ di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, i->qname, false);
+ } else {
+ di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, i->qname, hashed, i->auth);
+ }
 }
 return 1;
 }
+
+
 bool foundRecord = false;
 di->backend->lookup(rrType, rrLabel);
 while (di->backend->get(rec)) {
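Review bot: The rewrite loop now reads `ns3pr->d_flags`, `ns3pr->d_iterations` and `ns3pr->d_salt` unconditionally, but the old `if (*haveNSEC3)` guard is gone and neither the result of `d_dk.setNSEC3PARAM(...)` nor the freshly assigned `*haveNSEC3` is checked, so if the parameter was not actually persisted, `ns3pr` may not hold the values just written and every record in the zone gets an ordername derived from whatever it does hold; the loop should be preceded by a check of `*haveNSEC3` that logs and bails out instead of rewriting the zone. Computing `hashed` before the branch also spends one `hashQNameWithSalt` call (whose cost presumably scales with `d_iterations`) on every record that is only going to be nullified; moving `string hashed = toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i->qname)));` into the `else` branch removes that for free. The iteration count and salt appear to come from the NSEC3PARAM record carried in the update itself (the `nsec3param` built from `d_content->getZoneRepresentation()` in the cut-off context), and nothing in the hunk bounds `d_iterations` before the whole zone is rehashed, so validating the parameter before `setNSEC3PARAM` would keep a single update from forcing an arbitrarily expensive full-zone rewrite. The enclosing `performUpdate` begins and ends outside the hunk.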