From 6a82ce4a43f89b4626d975363be5eb989e06231c Mon Sep 17 00:00:00 2001 From: Ruben d'Arco Date: Wed, 22 May 2013 19:40:31 +0200 Subject: [PATCH] Fix DS and NS add in different order --- pdns/rfc2136handler.cc | 35 ++++++++++++------- .../1dyndns-update-add-delete-ds/command | 30 +++++++++++++++- .../expected_result | 24 +++++++++++++ .../expected_result.dnssec | 24 +++++++++++++ .../expected_result.narrow | 24 +++++++++++++ .../expected_result.nsec3 | 24 +++++++++++++ .../expected_result.nsec3-optout | 24 +++++++++++++ 7 files changed, 171 insertions(+), 14 deletions(-) diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc index 72a8e5165c..83371ec8a7 100644 --- a/pdns/rfc2136handler.cc +++ b/pdns/rfc2136handler.cc @@ -261,19 +261,25 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord * // because we added a record, we need to fix DNSSEC data. string shorter(rrLabel); bool auth=newRec.auth; + bool fixDS = (rrType == QType::DS); - if ( ! pdns_iequals(di->zone, shorter)) { + if ( ! pdns_iequals(di->zone, shorter)) { // Everything at APEX is auth=1 && no ENT's do { + if (pdns_iequals(di->zone, shorter)) break; + bool foundShorter = false; di->backend->lookup(QType(QType::ANY), shorter); while (di->backend->get(rec)) { + if (pdns_iequals(rec.qname, rrLabel) && rec.qtype == QType::DS) + fixDS = true; if ( ! pdns_iequals(shorter, rrLabel) ) foundShorter = true; if (rec.qtype == QType::NS) // are we inserting below a delegate? auth=false; } + if (!foundShorter && auth && !pdns_iequals(shorter, rrLabel)) // haven't found any record at current level, insert ENT. insnonterm.insert(shorter); if (foundShorter) 
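Review bot: `fixDS` is declared in the `@@ -261,19 +261,25 @@` hunk without a comment, and the lookup loop that assigns it does not explain why a DS already stored at `rrLabel` needs its auth bit set again. I would add above the declaration something like `// A DS at rrLabel must stay auth=1 even when the name is a delegation; re-fix it whenever this update touches a name that already holds one.` The test `pdns_iequals(rec.qname, rrLabel) && rec.qtype == QType::DS` runs on every pass of the do-loop, although it can presumably match only while `shorter` still equals `rrLabel`. The loop continues past the end of this hunk, so confirm against the full body. If the flag is missed, the DS would presumably be left unsigned, and validating resolvers would then see the delegation as insecure or broken.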
@@ -292,8 +298,9 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord * else di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, rrLabel, hashed, auth); - if (rrType == QType::DS) - di->backend->setDNSSECAuthOnDsRecord(di->id, rrLabel); + if (fixDS) + di->backend->setDNSSECAuthOnDsRecord(di->id, rrLabel); + if(!auth) { if (ns3pr->d_flags) @@ -305,14 +312,12 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord * else // NSEC { di->backend->updateDNSSECOrderAndAuth(di->id, di->zone, rrLabel, auth); - if (rrType == QType::DS) + if (fixDS) { di->backend->setDNSSECAuthOnDsRecord(di->id, rrLabel); - else { - if(!auth) - { - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); - di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); - } + } + if(!auth) { + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A"); + di->backend->nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "AAAA"); } } @@ -321,11 +326,11 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord * // Auth can only be false when the rrLabel is not the zone if (auth == false && rrType == QType::NS) { DLOG(L< qnames; di->backend->listSubZone(rrLabel, di->id); while(di->backend->get(rec)) { - if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS) // Skip ENT and DS records. + if (rec.qtype.getCode() && rec.qtype.getCode() != QType::DS && !pdns_iequals(rrLabel, rec.qname)) // Skip ENT, DS and our already corrected record. qnames.push_back(rec.qname); } for(vector::const_iterator qname=qnames.begin(); qname != qnames.end(); ++qname) { 
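Review bot: In the NSEC branch of the `@@ -305,14 +312,12 @@` hunk, dropping the `else` changes more than the DS condition. A DS update with `auth` false now also runs the two `nullifyDNSSECOrderNameAndAuth(di->id, rrLabel, "A")` / `"AAAA"` calls, which the old code skipped whenever `rrType == QType::DS`. If that is intended, a short comment such as `// A/AAAA at a delegation point are glue: clear ordername and auth regardless of which record type triggered the update` would record it. The NSEC3 branch in the `@@ -292,8 +298,9 @@` hunk writes the same `if (fixDS)` call without braces, so the two branches could use one brace style.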
@@ -334,7 +339,11 @@ uint16_t PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord * if(! *narrow) hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *qname))); - di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *qname, hashed, auth); + if (*narrow) + di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, rrLabel, auth); + else + di->backend->updateDNSSECOrderAndAuthAbsolute(di->id, *qname, hashed, auth); + if (ns3pr->d_flags) di->backend->nullifyDNSSECOrderNameAndAuth(di->id, *qname, "NS"); } diff --git a/regression-tests/1dyndns-update-add-delete-ds/command b/regression-tests/1dyndns-update-add-delete-ds/command index 5641a2dd98..aac7a6dd12 100755 --- a/regression-tests/1dyndns-update-add-delete-ds/command +++ b/regression-tests/1dyndns-update-add-delete-ds/command @@ -28,4 +28,32 @@ answer ! # check if the record was deleted -mysqldiff 2 "Check if record is gone" \ No newline at end of file +mysqldiff 2 "Check if record is gone" + +# add a delegate + ds +cleannsupdate <>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check delegate and DS added correctly again (other way around) +--- Start: diff start step.3 --- +> del.test.dyndns DS 0 39274 8 2 8e8a8cfb40fd0c30bfa82e53752e1c257dafb7b6206d12b9eda43af3eab2157d 3600 +> del.test.dyndns NS 0 ns1.del.test.dyndns 3600 +> ns1.del.test.dyndns A 0 127.0.0.1 3600 +--- End: diff start step.3 --- + +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check if record is gone again +--- Start: diff start step.4 --- +no difference +--- End: diff start step.4 --- + 
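Review bot: The new narrow branch in the `@@ -334,7 +339,11 @@` hunk passes `rrLabel` to `nullifyDNSSECOrderNameAndUpdateAuth`, but the statement sits inside the loop over `qnames`, and both the non-narrow branch and the `"NS"` nullify just below act on `*qname`. Because the preceding hunk now excludes `rrLabel` from `qnames`, in narrow mode the names below the new delegation appear never to get their auth flag updated, while `rrLabel` is rewritten once per entry. Glue left at auth=1 would presumably still be treated, and signed, as authoritative zone data. I would change the line to `di->backend->nullifyDNSSECOrderNameAndUpdateAuth(di->id, *qname, auth);`. The loop starts before this hunk and ends after it, so check against the full body, and consider a narrow-mode regression case where records already exist below the name before the NS is added.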
diff --git a/regression-tests/1dyndns-update-add-delete-ds/expected_result.dnssec b/regression-tests/1dyndns-update-add-delete-ds/expected_result.dnssec index 30a2b13131..4caf743218 100644 --- a/regression-tests/1dyndns-update-add-delete-ds/expected_result.dnssec +++ b/regression-tests/1dyndns-update-add-delete-ds/expected_result.dnssec @@ -22,3 +22,27 @@ Check if record is gone no difference --- End: diff start step.2 --- +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check delegate and DS added correctly again (other way around) +--- Start: diff start step.3 --- +> del.test.dyndns DS 0 39274 8 2 8e8a8cfb40fd0c30bfa82e53752e1c257dafb7b6206d12b9eda43af3eab2157d 3600 'del' 1 +> del.test.dyndns NS 0 ns1.del.test.dyndns 3600 'del' 0 +> ns1.del.test.dyndns A 0 127.0.0.1 3600 NULL 0 +--- End: diff start step.3 --- + +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check if record is gone again +--- Start: diff start step.4 --- +no difference +--- End: diff start step.4 --- + diff --git a/regression-tests/1dyndns-update-add-delete-ds/expected_result.narrow b/regression-tests/1dyndns-update-add-delete-ds/expected_result.narrow index dcdceb5d50..24cfd29bd6 100644 --- a/regression-tests/1dyndns-update-add-delete-ds/expected_result.narrow +++ b/regression-tests/1dyndns-update-add-delete-ds/expected_result.narrow 
@@ -22,3 +22,27 @@ Check if record is gone no difference --- End: diff start step.2 --- +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check delegate and DS added correctly again (other way around) +--- Start: diff start step.3 --- +> del.test.dyndns DS 0 39274 8 2 8e8a8cfb40fd0c30bfa82e53752e1c257dafb7b6206d12b9eda43af3eab2157d 3600 NULL 1 +> del.test.dyndns NS 0 ns1.del.test.dyndns 3600 NULL 0 +> ns1.del.test.dyndns A 0 127.0.0.1 3600 NULL 0 +--- End: diff start step.3 --- + +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check if record is gone again +--- Start: diff start step.4 --- +no difference +--- End: diff start step.4 --- + diff --git a/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3 b/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3 index 488aad2c1e..b2a24e21b4 100644 --- a/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3 +++ b/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3 
@@ -22,3 +22,27 @@ Check if record is gone no difference --- End: diff start step.2 --- +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check delegate and DS added correctly again (other way around) +--- Start: diff start step.3 --- +> del.test.dyndns DS 0 39274 8 2 8e8a8cfb40fd0c30bfa82e53752e1c257dafb7b6206d12b9eda43af3eab2157d 3600 'ott41kituq4b2adjpf8gs59se6liu8vh' 1 +> del.test.dyndns NS 0 ns1.del.test.dyndns 3600 'ott41kituq4b2adjpf8gs59se6liu8vh' 0 +> ns1.del.test.dyndns A 0 127.0.0.1 3600 NULL 0 +--- End: diff start step.3 --- + +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check if record is gone again +--- Start: diff start step.4 --- +no difference +--- End: diff start step.4 --- + diff --git a/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3-optout b/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3-optout index 39087525cd..eacc20657c 100644 --- a/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3-optout +++ b/regression-tests/1dyndns-update-add-delete-ds/expected_result.nsec3-optout 
@@ -22,3 +22,27 @@ Check if record is gone no difference --- End: diff start step.2 --- +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check delegate and DS added correctly again (other way around) +--- Start: diff start step.3 --- +> del.test.dyndns DS 0 39274 8 2 8e8a8cfb40fd0c30bfa82e53752e1c257dafb7b6206d12b9eda43af3eab2157d 3600 'ott41kituq4b2adjpf8gs59se6liu8vh' 1 +> del.test.dyndns NS 0 ns1.del.test.dyndns 3600 NULL 0 +> ns1.del.test.dyndns A 0 127.0.0.1 3600 NULL 0 +--- End: diff start step.3 --- + +Answer: +;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: [id] +;; flags: qr aa; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 +;; ZONE SECTION: +;test.dyndns. IN SOA + +Check if record is gone again +--- Start: diff start step.4 --- +no difference +--- End: diff start step.4 --- + -- 2.47.3