Plumbing to let updateDNSSECOrderNameAndAuth tell NSEC apart from NSEC3.
authorMiod Vallat <miod.vallat@powerdns.com>
Thu, 3 Jul 2025 12:15:44 +0000 (14:15 +0200)
committerMiod Vallat <miod.vallat@powerdns.com>
Thu, 3 Jul 2025 13:28:13 +0000 (15:28 +0200)
Signed-off-by: Miod Vallat <miod.vallat@powerdns.com>
docs/appendices/backend-writers-guide.rst
modules/lmdbbackend/lmdbbackend.cc
modules/lmdbbackend/lmdbbackend.hh
pdns/backends/gsql/gsqlbackend.cc
pdns/backends/gsql/gsqlbackend.hh
pdns/dbdnsseckeeper.cc
pdns/dnsbackend.hh
pdns/pdnsutil.cc
pdns/rfc2136handler.cc

index 66e5ed5d98373e1f87fb5f594e8d969ddf8625cf..c0ec5dfdf3cc11c81a94930a8ebd773bc762efc9 100644 (file)
@@ -893,7 +893,7 @@ In order for a backend to support DNSSEC, quite a few number of additional opera
       virtual bool getBeforeAndAfterNamesAbsolute(domainid_t id, const DNSName& qname, DNSName& unhashed, DNSName& before, DNSName& after);
 
       /* update operations */
-      virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype=QType::ANY);
+      virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool isNsec3);
       virtual bool updateEmptyNonTerminals(domainid_t domain_id, set<DNSName>& insert, set<DNSName>& erase, bool remove);
       virtual bool feedEnts(domainid_t domain_id, map<DNSName,bool> &nonterm);
       virtual bool feedEnts3(domainid_t domain_id, const DNSName &domain, map<DNSName,bool> &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow);
@@ -918,7 +918,7 @@ contain `CAP_DNSSEC` if that backend supports DNSSEC.
   Asks the names before and after qname for NSEC and NSEC3. The qname will be hashed when using NSEC3. Care must be taken to handle wrap-around when qname is the first or last in the ordered list of zone names.
   Please note that in case the requested name is present in the zone, it should be returned as the "before" name.
 
-.. cpp:function:: virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype=QType::ANY)
+.. cpp:function:: virtual bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool isNsec3)
 
   Updates the ordername and auth fields.
 
index a895b7a8ab6dee3c88ff8e620f589d347715b9d0..8483355b64dba6f2951730393a20bc367a8d351f 100644 (file)
@@ -2624,7 +2624,7 @@ bool LMDBBackend::getBeforeAndAfterNames(domainid_t domainId, const ZoneName& zo
   return true;
 }
 
-bool LMDBBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype)
+bool LMDBBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool /* isNsec3 */)
 {
   //  cout << __PRETTY_FUNCTION__<< ": "<< domain_id <<", '"<<qname <<"', '"<<ordername<<"', "<<auth<< ", " << qtype << endl;
   shared_ptr<RecordsRWTransaction> txn;
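Review bot: The new isNsec3 argument is accepted but deliberately ignored in LMDBBackend::updateDNSSECOrderNameAndAuth (its name is commented out), and the same is true of GSQLBackend::updateDNSSECOrderNameAndAuth in pdns/backends/gsql/gsqlbackend.cc; nothing tells a later reader that this is intentional plumbing rather than a forgotten parameter. A one-line comment at the signature, such as `// isNsec3 is not needed here (yet): the ordername is stored as passed in.`, would make that explicit in both backends, assuming that is indeed how they treat the ordername. The commented-out debug trace on the next line also no longer mirrors the full argument list; either extend it with the new flag or drop it. The function body continues outside the hunk.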
index 612aa6a016b5f1fd20bb0ae7465da6100ed287c0..40887c3dec62216b4b42347fa1ab5e091e77ce13 100644 (file)
@@ -160,7 +160,7 @@ public:
 
   bool getBeforeAndAfterNames(domainid_t domainId, const ZoneName& zonename, const DNSName& qname, DNSName& before, DNSName& after) override;
 
-  bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype = QType::ANY) override;
+  bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool isNsec3) override;
 
   bool updateEmptyNonTerminals(domainid_t domain_id, set<DNSName>& insert, set<DNSName>& erase, bool remove) override;
 
index 8f531b557707a89dc7682cafbf025a8c1459786b..24cebbb6b1224e9e9fafa9b45f6977c9aaebed94 100644 (file)
@@ -732,7 +732,7 @@ bool GSQLBackend::getCatalogMembers(const ZoneName& catalog, vector<CatalogInfo>
   return true;
 }
 
-bool GSQLBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype)
+bool GSQLBackend::updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t qtype, bool /* isNsec3 */)
 {
   if(!d_dnssecQueries)
     return false;
index 6829f05ed5e8c64cce32e0288d5216b1b89fec26..44c36865d64941bd7c11b811a8b06edfef527fc2 100644 (file)
@@ -231,7 +231,7 @@ public:
   bool setAccount(const ZoneName &domain, const string &account) override;
 
   bool getBeforeAndAfterNamesAbsolute(domainid_t id, const DNSName& qname, DNSName& unhashed, DNSName& before, DNSName& after) override;
-  bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t=QType::ANY) override;
+  bool updateDNSSECOrderNameAndAuth(domainid_t domain_id, const DNSName& qname, const DNSName& ordername, bool auth, const uint16_t, bool isNsec3) override;
 
   bool updateEmptyNonTerminals(domainid_t domain_id, set<DNSName>& insert ,set<DNSName>& erase, bool remove) override;
 
index 0af76a5235645106725a139b0f98f0342b30a9c1..8659cfff15d5b76d20eba7b95c299995d8c1e38f 100644 (file)
@@ -877,25 +877,25 @@ bool DNSSECKeeper::rectifyZone(const ZoneName& zone, string& error, string& info
 
     it = rss.find(qname);
     if(it == rss.end() || it->second.update || it->second.auth != auth || it->second.ordername != ordername) {
-      sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth);
+      sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth, QType::ANY, haveNSEC3);
       ++updates;
     }
 
     if(realrr)
     {
       if (dsnames.count(qname)) {
-        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS);
+        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, true, QType::DS, haveNSEC3);
         ++updates;
       }
       if (!auth || nsset.count(qname)) {
         ordername.clear();
         if(isOptOut && !dsnames.count(qname)){
-          sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS);
+          sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::NS, haveNSEC3);
           ++updates;
         }
-        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A);
+        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::A, haveNSEC3);
         ++updates;
-        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA);
+        sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, false, QType::AAAA, haveNSEC3);
         ++updates;
       }
 
index 0a779c93c8e60f7606caca0629f34ea0e3c9ff2a..f87391e63cdb4ca31e4681a49a4c8559b0e8ee14 100644 (file)
@@ -256,7 +256,7 @@ public:
 
   virtual bool getBeforeAndAfterNames(domainid_t /* id */, const ZoneName& zonename, const DNSName& qname, DNSName& before, DNSName& after);
 
-  virtual bool updateDNSSECOrderNameAndAuth(domainid_t /* domain_id */, const DNSName& /* qname */, const DNSName& /* ordername */, bool /* auth */, const uint16_t /* qtype */ = QType::ANY)
+  virtual bool updateDNSSECOrderNameAndAuth(domainid_t /* domain_id */, const DNSName& /* qname */, const DNSName& /* ordername */, bool /* auth */, const uint16_t /* qtype */, bool /* isNsec3 */)
   {
     return false;
   }
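Review bot: The base-class declaration gains a `bool isNsec3` parameter but nothing in the header says what the flag means or how it relates to the ordername a caller supplies; the only place the meaning is visible is the call sites in pdns/rfc2136handler.cc, where the NSEC3 branch passes a base32hex hashed name (or an empty DNSName when narrow) with `true` and the NSEC branch passes the zone-relative name with `false`. A short comment above the virtual would save backend authors a trip through the callers, e.g. `// isNsec3: true when the zone uses NSEC3 (ordername is the hashed name, or empty for narrow mode), false for NSEC (ordername is qname relative to the zone).` Dropping the `= QType::ANY` default on a virtual is the right move, since default arguments on virtuals are bound to the static type; the note above would also be a good place to say that qtype is now always explicit.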
index aaed5bb3da392328c942b0ad2e5011e8c10feeb2..a77e7649414580de5c35aca8339f220fa401137e 100644 (file)
@@ -1007,7 +1007,7 @@ static int increaseSerial(const ZoneName& zone, DNSSECKeeper &dsk)
       ordername=DNSName("");
     if(g_verbose)
       cerr<<"'"<<rr.qname<<"' -> '"<< ordername <<"'"<<endl;
-    sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true);
+    sd.db->updateDNSSECOrderNameAndAuth(sd.domain_id, rr.qname, ordername, true, QType::ANY, haveNSEC3);
   }
 
   sd.db->commitTransaction();
index d6c52dd0a142b046593149642bae27c4a65b35df..379f19983ab19652606c0935f7cc068083bfd7ae 100644 (file)
@@ -233,21 +233,23 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
           if(! *narrow)
             ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
 
-          if (*narrow)
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
-          else
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
+          if (*narrow) {
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true);
+         }
+          else {
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);
+         }
           if(!auth || rrType == QType::DS) {
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true);
           }
 
         } else { // NSEC
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, rr->d_name.makeRelative(di->zone), auth, QType::ANY, false);
           if(!auth || rrType == QType::DS) {
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);
           }
         }
       }
@@ -302,32 +304,34 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
         if(! *narrow)
           ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_name)));
 
-        if (*narrow)
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth);
-        else
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
+        if (*narrow) {
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), auth, QType::ANY, true);
+       }
+        else {
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);
+       }
 
-        if (fixDS)
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
+        if (fixDS) {
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, true);
+       }
 
-        if(!auth)
-        {
-          if (ns3pr->d_flags)
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS);
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+        if(!auth) {
+          if (ns3pr->d_flags != 0) {
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::NS, true);
+         }
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, true);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, true);
         }
       }
-      else // NSEC
-      {
+      else { // NSEC
         DNSName ordername=rr->d_name.makeRelative(di->zone);
-        di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth);
+        di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, false);
         if (fixDS) {
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, true, QType::DS, false);
         }
         if(!auth) {
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A);
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::A, false);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, DNSName(), false, QType::AAAA, false);
         }
       }
 
@@ -349,21 +353,24 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
             if(! *narrow)
               ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname)));
 
-            if (*narrow)
-              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth);
-            else
-              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth);
+            if (*narrow) {
+              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), auth, QType::ANY, true);
+           }
+            else {
+              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, auth, QType::ANY, true);
+           }
 
-            if (ns3pr->d_flags)
-              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS);
+            if (ns3pr->d_flags != 0) {
+              di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::NS, true);
+           }
           }
           else { // NSEC
             DNSName ordername=DNSName(qname).makeRelative(di->zone);
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS);
+            di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, ordername, false, QType::NS, false);
           }
 
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A);
-          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::A, *haveNSEC3);
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, qname, DNSName(), false, QType::AAAA, *haveNSEC3);
         }
       }
     }
@@ -463,17 +470,16 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
         }
 
         for (const auto &changeRec:updateAuthFlag) {
+          DNSName ordername;
           if(*haveNSEC3)  {
-            DNSName ordername;
-            if(! *narrow)
+            if(! *narrow) {
               ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)));
-
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
+           }
           }
           else { // NSEC
-            DNSName ordername=changeRec.makeRelative(di->zone);
-            di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true);
+            ordername=changeRec.makeRelative(di->zone);
           }
+          di->backend->updateDNSSECOrderNameAndAuth(di->id, changeRec, ordername, true, QType::ANY, *haveNSEC3);
         }
       }
 
@@ -538,9 +544,10 @@ uint PacketHandler::performUpdate(const string &msgPrefix, const DNSRecord *rr,
       if(*haveNSEC3)
       {
         DNSName ordername;
-        if(! *narrow)
+        if(! *narrow) {
           ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)));
-        di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true);
+       }
+        di->backend->updateDNSSECOrderNameAndAuth(di->id, i, ordername, true, QType::ANY, true);
       }
     }
   }
@@ -1076,15 +1083,14 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di
     g_log << Logger::Notice << msgPrefix << "Increasing SOA serial (" << oldSerial << " -> " << sd.serial << ")" << endl;
 
     //Correct ordername + auth flag
+    DNSName ordername;
     if (haveNSEC3) {
-      DNSName ordername;
-      if (!narrow)
+      if (!narrow) {
         ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr.qname)));
-
-      di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
+      }
     } else { // NSEC
-      DNSName ordername = rr.qname.makeRelative(di->zone);
-      di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true);
+      ordername = rr.qname.makeRelative(di->zone);
     }
+    di->backend->updateDNSSECOrderNameAndAuth(di->id, rr.qname, ordername, true, QType::ANY, haveNSEC3);
   }
 }
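Review bot: The closing braces the commit adds to the single-statement `if`/`else` bodies are indented one column short of their opening `if` (the `}` at lines such as `         }` under `          if (*narrow) {` in the first three hunks, and likewise the braces added in the `updateAuthFlag` loop and in the `if(! *narrow)` block of the later hunk), which leaves the new blocks visually misaligned against the surrounding two-space style; re-indenting them to match their `if` is a one-column fix per brace. Separately, in the first three hunks the `if (*narrow) { ... DNSName() ... } else { ... ordername ... }` pairs call the same function with the same arguments apart from the ordername; if `ordername` is a freshly declared, empty DNSName just above each hunk (as it visibly is in the `if(*haveNSEC3)` block that declares `DNSName ordername;` before `if(! *narrow)`), both branches collapse into the single call `di->backend->updateDNSSECOrderNameAndAuth(di->id, rr->d_name, ordername, auth, QType::ANY, true);`, exactly the shape the commit already adopts for the `updateAuthFlag` loop and for PacketHandler::increaseSerial. That declaration is outside the hunk, so please confirm before collapsing. Each of these hunks sits inside PacketHandler::performUpdate, which starts and ends outside the hunk.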