teach pdnssec check-zone about direct-dnskey

author Peter van Dijk <peter.van.dijk@netherlabs.nl>

Mon, 26 Nov 2012 15:11:52 +0000 (15:11 +0000)

committer Peter van Dijk <peter.van.dijk@netherlabs.nl>

Mon, 26 Nov 2012 15:11:52 +0000 (15:11 +0000)
author Peter van Dijk <peter.van.dijk@netherlabs.nl>
Mon, 26 Nov 2012 15:11:52 +0000 (15:11 +0000)
committer Peter van Dijk <peter.van.dijk@netherlabs.nl>
Mon, 26 Nov 2012 15:11:52 +0000 (15:11 +0000)
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc

index 480e6a9c8d312efb6c7793fe465aec4e2239fb32..787c723f824bdd0f87d3a458e860f522634f4a53 100644 (file)
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -68,6 +68,8 @@ void loadMainConfig(const std::string& configdir)
    ::arg().laxFile(configname.c_str());
    ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000";
    ::arg().set("module-dir","Default directory for modules")=LIBDIR;
+  ::arg().setSwitch("direct-dnskey","EXPERIMENTAL: fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+
    BackendMakers().launch(::arg()["launch"]); // vrooooom!
    ::arg().laxFile(configname.c_str());    
    //cerr<<"Backend: "<<::arg()["launch"]<<", '" << ::arg()["gmysql-dbname"] <<"'" <<endl;
@@ -91,7 +93,7 @@ void loadMainConfig(const std::string& configdir)
    ::arg().set("soa-expire-default","Default SOA expire")="604800";
    ::arg().setSwitch("query-logging","Hint backends that queries should be logged")="no";
    ::arg().set("soa-minimum-ttl","Default SOA minimum ttl")="3600";    
-  
+
    UeberBackend::go();
  }
  
@@ -263,7 +265,7 @@ void rectifyAllZones(DNSSECKeeper &dk)
    cout<<"Rectified "<<domainInfo.size()<<" zones."<<endl;
  }
  
-int checkZone(UeberBackend *B, const std::string& zone)
+int checkZone(DNSSECKeeper &dk, UeberBackend *B, const std::string& zone)
  {
    SOAData sd;
    sd.db=(DNSBackend*)-1;
@@ -292,6 +294,26 @@ int checkZone(UeberBackend *B, const std::string& zone)
        continue;
      }
  
+    if(rr.qtype.getCode() == QType::DNSKEY)
+    {
+      if(!dk.isPresigned(zone))
+      {
+        if(::arg().mustDo("direct-dnskey"))
+        {
+          if(rr.ttl != sd.default_ttl)
+          {
+            cout<<"[Warning] DNSKEY TTL of "<<rr.ttl<<" at '"<<rr.qname<<"' differs from SOA minimum of "<<sd.default_ttl<<endl;
+            numwarnings++;
+          }
+        }
+        else
+        {
+          cout<<"[Error] DNSKEY in non-presigned zone will mostly be ignored and can cause problems."<<endl;
+          numerrors++;
+        }
+      }
+    }
+
      if(rr.qtype.getCode() == QType::SOA)
      {
        fillSOAData(rr.content, sd);
@@ -343,7 +365,7 @@ int checkZone(UeberBackend *B, const std::string& zone)
    return numerrors;
  }
  
-int checkAllZones() 
+int checkAllZones(DNSSECKeeper &dk) 
  {
    scoped_ptr<UeberBackend> B(new UeberBackend("default"));
    vector<DomainInfo> domainInfo;
@@ -351,7 +373,7 @@ int checkAllZones()
    B->getAllDomains(&domainInfo);
    int errors=0;
    BOOST_FOREACH(DomainInfo di, domainInfo) {
-    if (checkZone(B.get(), di.zone) > 0) 
+    if (checkZone(dk, B.get(), di.zone) > 0) 
         errors++;
    }
    cout<<"Checked "<<domainInfo.size()<<" zones, "<<errors<<" had errors."<<endl;
@@ -793,10 +815,10 @@ try
        return 0;
      }
      scoped_ptr<UeberBackend> B(new UeberBackend("default"));
-    exit(checkZone(B.get(), cmds[1]));
+    exit(checkZone(dk, B.get(), cmds[1]));
    }
    else if (cmds[0] == "check-all-zones") {
-    exit(checkAllZones());
+    exit(checkAllZones(dk));
    }
    else if (cmds[0] == "test-zone") {
      cerr << "Did you mean check-zone?"<<endl;
author	Peter van Dijk <peter.van.dijk@netherlabs.nl>
	Mon, 26 Nov 2012 15:11:52 +0000 (15:11 +0000)
committer	Peter van Dijk <peter.van.dijk@netherlabs.nl>
	Mon, 26 Nov 2012 15:11:52 +0000 (15:11 +0000)