struct soatimes d_st;
};
+class NSECBitmap
+{
+public:
+ bool isSet(uint16_t type) const
+ {
+ if (d_bitset) {
+ return d_bitset->test(type);
+ }
+ return d_set.count(type);
+ }
+ void set(uint16_t type)
+ {
+ if (!d_bitset) {
+ if (d_set.size() >= 200) {
+ migrateToBitSet();
+ }
+ }
+ if (d_bitset) {
+ d_bitset->set(type);
+ }
+ else {
+ d_set.insert(type);
+ }
+ }
+ size_t count() const
+ {
+ if (d_bitset) {
+ return d_bitset->count();
+ }
+ else {
+ return d_set.size();
+ }
+ }
+
+ void fromPacket(PacketReader& pr);
+ void toPacket(DNSPacketWriter& pw);
+ std::string getZoneRepresentation() const;
+
+private:
+ void migrateToBitSet()
+ {
+ d_bitset = std::unique_ptr<std::bitset<65536>>(new std::bitset<65536>());
+ for (const auto& type : d_set) {
+ d_bitset->set(type);
+ }
+ d_set.clear();
+ }
+ /* using a dynamic set is very efficient for a small number of
+ types covered (~200), but uses a lot of memory (up to 3MB)
+ when there are a lot of them.
+ So we start with the set, but allocate and switch to a bitset
+ if the number of covered types increases a lot */
+ std::unique_ptr<std::bitset<65536>> d_bitset;
+ std::set<uint16_t> d_set;
+};
+
class NSECRecordContent : public DNSRecordContent
{
public:
{
return QType::NSEC;
}
+ bool isSet(uint16_t type) const
+ {
+ return d_bitmap.isSet(type);
+ }
+ void set(uint16_t type)
+ {
+ d_bitmap.set(type);
+ }
+ size_t numberOfTypesSet() const
+ {
+ return d_bitmap.count();
+ }
+
DNSName d_next;
- std::set<uint16_t> d_set;
private:
+ NSECBitmap d_bitmap;
};
class NSEC3RecordContent : public DNSRecordContent
uint16_t d_iterations{0};
string d_salt;
string d_nexthash;
- std::set<uint16_t> d_set;
uint16_t getType() const override
{
return QType::NSEC3;
}
-
+ bool isSet(uint16_t type) const
+ {
+ return d_bitmap.isSet(type);
+ }
+ void set(uint16_t type)
+ {
+ d_bitmap.set(type);
+ }
+ size_t numberOfTypesSet() const
+ {
+ return d_bitmap.count();
+ }
private:
+ NSECBitmap d_bitmap;
};
{
// cerr<<"got nsec3 ["<<i->first.d_name<<"]"<<endl;
// cerr<<i->first.d_content->getZoneRepresentation()<<endl;
- NSEC3RecordContent r = dynamic_cast<NSEC3RecordContent&> (*(i->first.d_content));
+ const auto r = std::dynamic_pointer_cast<NSEC3RecordContent>(i->first.d_content);
+ if (!r) {
+ continue;
+ }
// nsec3.insert(new nsec3()
// cerr<<toBase32Hex(r.d_nexthash)<<endl;
vector<string> parts;
string sname=i->first.d_name.toString();
boost::split(parts, sname /* FIXME400 */, boost::is_any_of("."));
- nsec3s.insert(make_pair(toLower(parts[0]), toBase32Hex(r.d_nexthash)));
- nsec3salt = r.d_salt;
- nsec3iters = r.d_iterations;
+ nsec3s.insert(make_pair(toLower(parts[0]), toBase32Hex(r->d_nexthash)));
+ nsec3salt = r->d_salt;
+ nsec3iters = r->d_iterations;
}
else
{
#endif
#include "dnsrecords.hh"
-void NSECRecordContent::report(void)
+class NSECBitmapGenerator
{
- regist(1, 47, &make, &make, "NSEC");
-}
-
-std::shared_ptr<DNSRecordContent> NSECRecordContent::make(const string& content)
-{
- return std::make_shared<NSECRecordContent>(content);
-}
-
-NSECRecordContent::NSECRecordContent(const string& content, const string& zone)
-{
- RecordTextReader rtr(content, DNSName(zone));
- rtr.xfrName(d_next);
-
- while(!rtr.eof()) {
- uint16_t type;
- rtr.xfrType(type);
- d_set.insert(type);
+public:
+ NSECBitmapGenerator(DNSPacketWriter& pw_): pw(pw_)
+ {
}
-}
-
-void NSECRecordContent::toPacket(DNSPacketWriter& pw)
-{
- pw.xfrName(d_next);
-
- uint8_t res[34];
- set<uint16_t>::const_iterator i;
- int oldWindow = -1;
- int window = 0;
- int len = 0;
- string tmp;
-
- for(i=d_set.begin(); i != d_set.end(); ++i){
- uint16_t bit = (*i)%256;
- window = static_cast<int>((*i) / 256);
+ void set(uint16_t type)
+ {
+ uint16_t bit = type % 256;
+ int window = static_cast<int>(type / 256);
if (window != oldWindow) {
if (oldWindow > -1) {
- res[0] = static_cast<unsigned char>(oldWindow);
- res[1] = static_cast<unsigned char>(len);
- tmp.assign(res, res+len+2);
- pw.xfrBlob(tmp);
+ res[0] = static_cast<unsigned char>(oldWindow);
+ res[1] = static_cast<unsigned char>(len);
+ tmp.assign(res, res+len+2);
+ pw.xfrBlob(tmp);
}
memset(res, 0, 34);
oldWindow = window;
len=1+bit/8;
}
- res[0] = static_cast<unsigned char>(window);
- res[1] = static_cast<unsigned char>(len);
- tmp.assign(res, res+len+2);
- pw.xfrBlob(tmp);
+ void finish()
+ {
+ res[0] = static_cast<unsigned char>(oldWindow);
+ res[1] = static_cast<unsigned char>(len);
+ if (len) {
+ tmp.assign(res, res+len+2);
+ pw.xfrBlob(tmp);
+ }
+ }
+
+private:
+ DNSPacketWriter& pw;
+ /* one byte for the window,
+ one for the length,
+ then the maximum of 32 bytes */
+ uint8_t res[34];
+ int oldWindow{-1};
+ int len{0};
+ string tmp;
+};
+
+void NSECBitmap::toPacket(DNSPacketWriter& pw)
+{
+ NSECBitmapGenerator nbg(pw);
+ if (d_bitset) {
+ size_t count = d_bitset->count();
+ size_t found = 0;
+ for(size_t idx = 0; idx < 65535 && found < count; ++idx){
+ if (!d_bitset->test(idx)) {
+ continue;
+ }
+ found++;
+ nbg.set(idx);
+ }
+ }
+ else {
+ for (const auto& type : d_set) {
+ nbg.set(type);
+ }
+ }
+
+ nbg.finish();
}
-std::shared_ptr<NSECRecordContent::DNSRecordContent> NSECRecordContent::make(const DNSRecord &dr, PacketReader& pr)
+void NSECBitmap::fromPacket(PacketReader& pr)
{
- auto ret=std::make_shared<NSECRecordContent>();
- pr.xfrName(ret->d_next);
string bitmap;
pr.xfrBlob(bitmap);
-
+
// 00 06 20 00 00 00 00 03 -> NS RRSIG NSEC ( 2, 46, 47 ) counts from left
- if(bitmap.empty())
- return ret;
+ if(bitmap.empty()) {
+ return;
+ }
- if(bitmap.size() < 2)
+ if(bitmap.size() < 2) {
throw MOADNSException("NSEC record with impossibly small bitmap");
+ }
for(unsigned int n = 0; n+1 < bitmap.size();) {
unsigned int window=static_cast<unsigned char>(bitmap[n++]);
unsigned int blen=static_cast<unsigned char>(bitmap[n++]);
// end if zero padding and ensure packet length
- if(window == 0 && blen == 0) break;
- if(n + blen > bitmap.size())
+ if(window == 0 && blen == 0) {
+ break;
+ }
+
+ if(n + blen > bitmap.size()) {
throw MOADNSException("NSEC record with bitmap length > packet length");
+ }
for(unsigned int k=0; k < blen; k++) {
uint8_t val=bitmap[n++];
- for(int bit = 0; bit < 8 ; ++bit , val>>=1)
+ for(int bit = 0; bit < 8 ; ++bit , val>>=1) {
if(val & 1) {
- ret->d_set.insert((7-bit) + 8*(k) + 256*window);
+ set((7-bit) + 8*(k) + 256*window);
}
}
+ }
+ }
+}
+
+string NSECBitmap::getZoneRepresentation() const
+{
+ string ret;
+
+ if (d_bitset) {
+ size_t count = d_bitset->count();
+ size_t found = 0;
+ for(size_t idx = 0; idx < 65535 && found < count; ++idx) {
+ if (!d_bitset->test(idx)) {
+ continue;
+ }
+ found++;
+
+ ret+=" ";
+ ret+=DNSRecordContent::NumberToType(idx);
+ }
+ }
+ else {
+ for(const auto& type : d_set) {
+ ret+=" ";
+ ret+=DNSRecordContent::NumberToType(type);
+ }
+ }
+
+ return ret;
+}
+
+void NSECRecordContent::report(void)
+{
+ regist(1, 47, &make, &make, "NSEC");
+}
+
+std::shared_ptr<DNSRecordContent> NSECRecordContent::make(const string& content)
+{
+ return std::make_shared<NSECRecordContent>(content);
+}
+
+NSECRecordContent::NSECRecordContent(const string& content, const string& zone)
+{
+ RecordTextReader rtr(content, DNSName(zone));
+ rtr.xfrName(d_next);
+
+ while(!rtr.eof()) {
+ uint16_t type;
+ rtr.xfrType(type);
+ set(type);
}
+}
+
+void NSECRecordContent::toPacket(DNSPacketWriter& pw)
+{
+ pw.xfrName(d_next);
+ d_bitmap.toPacket(pw);
+}
+
+std::shared_ptr<NSECRecordContent::DNSRecordContent> NSECRecordContent::make(const DNSRecord &dr, PacketReader& pr)
+{
+ auto ret=std::make_shared<NSECRecordContent>();
+ pr.xfrName(ret->d_next);
+
+ ret->d_bitmap.fromPacket(pr);
+
return ret;
}
string ret;
RecordTextWriter rtw(ret);
rtw.xfrName(d_next);
-
- for(set<uint16_t>::const_iterator i=d_set.begin(); i!=d_set.end(); ++i) {
- ret+=" ";
- ret+=NumberToType(*i);
- }
-
- return ret;
+
+ return ret + d_bitmap.getZoneRepresentation();
}
////// begin of NSEC3
while(!rtr.eof()) {
uint16_t type;
rtr.xfrType(type);
- d_set.insert(type);
+ set(type);
}
}
pw.xfr8BitInt(d_nexthash.length());
pw.xfrBlob(d_nexthash);
-
- uint8_t res[34];
- set<uint16_t>::const_iterator i;
- int oldWindow = -1;
- int window = 0;
- int len = 0;
- string tmp;
-
- for(i=d_set.begin(); i != d_set.end(); ++i){
- uint16_t bit = (*i)%256;
- window = static_cast<int>((*i) / 256);
- if (window != oldWindow) {
- if (oldWindow > -1) {
- res[0] = static_cast<unsigned char>(oldWindow);
- res[1] = static_cast<unsigned char>(len);
- tmp.assign(res, res+len+2);
- pw.xfrBlob(tmp);
- }
- memset(res, 0, 34);
- oldWindow = window;
- }
- res[2+bit/8] |= 1 << (7-(bit%8));
- len=1+bit/8;
- }
-
- res[0] = static_cast<unsigned char>(window);
- res[1] = static_cast<unsigned char>(len);
-
- if (len) {
- tmp.assign(res, res+len+2);
- pw.xfrBlob(tmp);
- }
+ d_bitmap.toPacket(pw);
}
std::shared_ptr<NSEC3RecordContent::DNSRecordContent> NSEC3RecordContent::make(const DNSRecord &dr, PacketReader& pr)
pr.xfr8BitInt(len);
pr.xfrBlob(ret->d_nexthash, len);
-
- string bitmap;
- pr.xfrBlob(bitmap);
-
- // 00 06 20 00 00 00 00 03 -> NS RRSIG NSEC ( 2, 46, 47 ) counts from left
-
- if(bitmap.empty())
- return ret;
-
- if(bitmap.size() < 2)
- throw MOADNSException("NSEC3 record with impossibly small bitmap");
-
- for(unsigned int n = 0; n+1 < bitmap.size();) {
- unsigned int window=static_cast<unsigned char>(bitmap[n++]);
- unsigned int innerlen=static_cast<unsigned char>(bitmap[n++]);
-
- // end if zero padding and ensure packet length
- if(window == 0&&innerlen == 0) break;
- if(n+innerlen>bitmap.size())
- throw MOADNSException("NSEC record with bitmap length > packet length");
- for(unsigned int k=0; k < innerlen; k++) {
- uint8_t val=bitmap[n++];
- for(int bit = 0; bit < 8 ; ++bit , val>>=1)
- if(val & 1) {
- ret->d_set.insert((7-bit) + 8*(k) + 256*window);
- }
- }
- }
+ ret->d_bitmap.fromPacket(pr);
return ret;
}
rtw.xfrHexBlob(d_salt);
rtw.xfrBase32HexBlob(d_nexthash);
- for(set<uint16_t>::const_iterator i=d_set.begin(); i!=d_set.end(); ++i) {
- ret+=" ";
- ret+=NumberToType(*i);
- }
-
- return ret;
+
+ return ret + d_bitmap.getZoneRepresentation();
}
NSECRecordContent nrc;
nrc.d_next = next;
- nrc.d_set.insert(QType::NSEC);
- nrc.d_set.insert(QType::RRSIG);
+ nrc.set(QType::NSEC);
+ nrc.set(QType::RRSIG);
if(sd.qname == name) {
- nrc.d_set.insert(QType::SOA); // 1dfd8ad SOA can live outside the records table
- nrc.d_set.insert(QType::DNSKEY);
+ nrc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
+ nrc.set(QType::DNSKEY);
string publishCDNSKEY;
d_dk.getFromMeta(name, "PUBLISH-CDNSKEY", publishCDNSKEY);
if (publishCDNSKEY == "1")
- nrc.d_set.insert(QType::CDNSKEY);
+ nrc.set(QType::CDNSKEY);
string publishCDS;
d_dk.getFromMeta(name, "PUBLISH-CDS", publishCDS);
if (! publishCDS.empty())
- nrc.d_set.insert(QType::CDS);
+ nrc.set(QType::CDS);
}
DNSZoneRecord rr;
while(B.get(rr)) {
#ifdef HAVE_LUA_RECORDS
if(rr.dr.d_type == QType::LUA)
- nrc.d_set.insert(getRR<LUARecordContent>(rr.dr)->d_type);
+ nrc.set(getRR<LUARecordContent>(rr.dr)->d_type);
else
#endif
if(rr.dr.d_type == QType::NS || rr.auth)
- nrc.d_set.insert(rr.dr.d_type);
+ nrc.set(rr.dr.d_type);
}
rr.dr.d_name = name;
rr.dr.d_ttl = sd.default_ttl;
rr.dr.d_type = QType::NSEC;
- rr.dr.d_content = std::make_shared<NSECRecordContent>(nrc);
+ rr.dr.d_content = std::make_shared<NSECRecordContent>(std::move(nrc));
rr.dr.d_place = (mode == 5 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
rr.auth = true;
if(!name.empty()) {
if (sd.qname == name) {
- n3rc.d_set.insert(QType::SOA); // 1dfd8ad SOA can live outside the records table
- n3rc.d_set.insert(QType::NSEC3PARAM);
- n3rc.d_set.insert(QType::DNSKEY);
+ n3rc.set(QType::SOA); // 1dfd8ad SOA can live outside the records table
+ n3rc.set(QType::NSEC3PARAM);
+ n3rc.set(QType::DNSKEY);
string publishCDNSKEY;
d_dk.getFromMeta(name, "PUBLISH-CDNSKEY", publishCDNSKEY);
if (publishCDNSKEY == "1")
- n3rc.d_set.insert(QType::CDNSKEY);
+ n3rc.set(QType::CDNSKEY);
string publishCDS;
d_dk.getFromMeta(name, "PUBLISH-CDS", publishCDS);
if (! publishCDS.empty())
- n3rc.d_set.insert(QType::CDS);
+ n3rc.set(QType::CDS);
}
B.lookup(QType(QType::ANY), name, NULL, sd.domain_id);
while(B.get(rr)) {
#ifdef HAVE_LUA_RECORDS
if(rr.dr.d_type == QType::LUA)
- n3rc.d_set.insert(getRR<LUARecordContent>(rr.dr)->d_type);
+ n3rc.set(getRR<LUARecordContent>(rr.dr)->d_type);
else
#endif
if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) // skip empty non-terminals
- n3rc.d_set.insert(rr.dr.d_type);
+ n3rc.set(rr.dr.d_type);
}
}
- if (n3rc.d_set.size() && !(n3rc.d_set.size() == 1 && n3rc.d_set.count(QType::NS)))
- n3rc.d_set.insert(QType::RRSIG);
+ const auto numberOfTypesSet = n3rc.numberOfTypesSet();
+ if (numberOfTypesSet != 0 && !(numberOfTypesSet == 1 && n3rc.isSet(QType::NS))) {
+ n3rc.set(QType::RRSIG);
+ }
rr.dr.d_name = DNSName(toBase32Hex(namehash))+sd.qname;
rr.dr.d_ttl = sd.default_ttl;
rr.dr.d_type=QType::NSEC3;
- rr.dr.d_content=std::make_shared<NSEC3RecordContent>(n3rc);
+ rr.dr.d_content=std::make_shared<NSEC3RecordContent>(std::move(n3rc));
rr.dr.d_place = (mode == 5 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
rr.auth = true;
{
NSECRecordContent nrc;
nrc.d_next = next;
- nrc.d_set = types;
+ for (const auto& type : types) {
+ nrc.set(type);
+ }
DNSRecord rec;
rec.d_name = domain;
rec.d_ttl = ttl;
rec.d_type = QType::NSEC;
- rec.d_content = std::make_shared<NSECRecordContent>(nrc);
+ rec.d_content = std::make_shared<NSECRecordContent>(std::move(nrc));
rec.d_place = DNSResourceRecord::AUTHORITY;
records.push_back(rec);
nrc.d_iterations = iterations;
nrc.d_salt = salt;
nrc.d_nexthash = hashedNext;
- nrc.d_set = types;
+ for (const auto& type : types) {
+ nrc.set(type);
+ }
DNSRecord rec;
rec.d_name = hashedName;
rec.d_ttl = ttl;
rec.d_type = QType::NSEC3;
- rec.d_content = std::make_shared<NSEC3RecordContent>(nrc);
+ rec.d_content = std::make_shared<NSEC3RecordContent>(std::move(nrc));
rec.d_place = DNSResourceRecord::AUTHORITY;
records.push_back(rec);
} else if (zs.optOutFlag != (ns3rc.d_flags & 1))
throw PDNSException("Zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs are not supported.");
zs.optOutFlag = ns3rc.d_flags & 1;
- if (ns3rc.d_set.count(QType::NS) && !(rr.qname==domain)) {
+ if (ns3rc.isSet(QType::NS) && !(rr.qname==domain)) {
DNSName hashPart = rr.qname.makeRelative(domain);
zs.secured.insert(hashPart);
}
for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) {
if(iter->second.d_auth) {
NSEC3RecordContent n3rc;
- n3rc.d_set = iter->second.d_set;
- if (n3rc.d_set.size() && (n3rc.d_set.size() != 1 || !n3rc.d_set.count(QType::NS)))
- n3rc.d_set.insert(QType::RRSIG);
- n3rc.d_salt=ns3pr.d_salt;
+ for (const auto type : iter->second.d_set) {
+ n3rc.set(type);
+ }
+ const auto numberOfTypesSet = n3rc.numberOfTypesSet();
+ if (numberOfTypesSet != 0 && (numberOfTypesSet != 1 || !n3rc.isSet(QType::NS))) {
+ n3rc.set(QType::RRSIG);
+ }
+ n3rc.d_salt = ns3pr.d_salt;
n3rc.d_flags = ns3pr.d_flags;
n3rc.d_iterations = ns3pr.d_iterations;
- n3rc.d_algorithm = 1; // SHA1, fixed in PowerDNS for now
+ n3rc.d_algorithm = DNSSECKeeper::SHA1; // SHA1, fixed in PowerDNS for now
nsecxrepo_t::const_iterator inext = iter;
inext++;
if(inext == nsecxrepo.end())
zrr.dr.d_name = iter->first+sd.qname;
zrr.dr.d_ttl = sd.default_ttl;
- zrr.dr.d_content = std::make_shared<NSEC3RecordContent>(n3rc);
+ zrr.dr.d_content = std::make_shared<NSEC3RecordContent>(std::move(n3rc));
zrr.dr.d_type = QType::NSEC3;
zrr.dr.d_place = DNSResourceRecord::ANSWER;
zrr.auth=true;
}
else for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) {
NSECRecordContent nrc;
- nrc.d_set = iter->second.d_set;
- nrc.d_set.insert(QType::RRSIG);
- nrc.d_set.insert(QType::NSEC);
+ for (const auto type : iter->second.d_set) {
+ nrc.set(type);
+ }
+ nrc.set(QType::RRSIG);
+ nrc.set(QType::NSEC);
if(boost::next(iter) != nsecxrepo.end())
nrc.d_next = boost::next(iter)->first;
zrr.dr.d_name = iter->first;
zrr.dr.d_ttl = sd.default_ttl;
- zrr.dr.d_content = std::make_shared<NSECRecordContent>(nrc);
+ zrr.dr.d_content = std::make_shared<NSECRecordContent>(std::move(nrc));
zrr.dr.d_type = QType::NSEC;
zrr.dr.d_place = DNSResourceRecord::ANSWER;
zrr.auth=true;
}
if (record.d_name == zone) {
- return !nsec->d_set.count(QType::NS);
+ return !nsec->isSet(QType::NS);
}
if (isCoveredByNSEC(zone, record.d_name, nsec->d_next)) {
const string beginHash = fromBase32Hex(record.d_name.getRawLabels()[0]);
if (beginHash == h) {
- return !nsec3->d_set.count(QType::NS);
+ return !nsec3->isSet(QType::NS);
}
if (isCoveredByNSEC3Hash(h, beginHash, nsec3->d_nexthash)) {
static bool isNSECAncestorDelegation(const DNSName& signer, const DNSName& owner, const std::shared_ptr<NSECRecordContent>& nsec)
{
- return nsec->d_set.count(QType::NS) &&
- !nsec->d_set.count(QType::SOA) &&
+ return nsec->isSet(QType::NS) &&
+ !nsec->isSet(QType::SOA) &&
signer.countLabels() < owner.countLabels();
}
static bool isNSEC3AncestorDelegation(const DNSName& signer, const DNSName& owner, const std::shared_ptr<NSEC3RecordContent>& nsec3)
{
- return nsec3->d_set.count(QType::NS) &&
- !nsec3->d_set.count(QType::SOA) &&
+ return nsec3->isSet(QType::NS) &&
+ !nsec3->isSet(QType::SOA) &&
signer.countLabels() < owner.countLabels();
}
if (qname.isPartOf(wildcard)) {
LOG("\tWildcard matches");
- if (qtype == 0 || !nsec->d_set.count(qtype)) {
+ if (qtype == 0 || !nsec->isSet(qtype)) {
LOG(" and proves that the type did not exist"<<endl);
return true;
}
if (wildcardExists) {
*wildcardExists = true;
}
- if (qtype == 0 || !nsec3->d_set.count(qtype)) {
+ if (qtype == 0 || !nsec3->isSet(qtype)) {
LOG(" and proves that the type did not exist"<<endl);
return true;
}
owner name regardless of type.
*/
if (qtype != QType::DS && (qname == owner || qname.isPartOf(owner)) && isNSECAncestorDelegation(signer, owner, nsec)) {
- LOG("type is "<<QType(qtype).getName()<<", NS is "<<std::to_string(nsec->d_set.count(QType::NS))<<", SOA is "<<std::to_string(nsec->d_set.count(QType::SOA))<<", signer is "<<signer<<", owner name is "<<owner<<endl);
+ LOG("type is "<<QType(qtype).getName()<<", NS is "<<std::to_string(nsec->isSet(QType::NS))<<", SOA is "<<std::to_string(nsec->isSet(QType::SOA))<<", signer is "<<signer<<", owner name is "<<owner<<endl);
/* this is an "ancestor delegation" NSEC RR */
LOG("An ancestor delegation NSEC RR can only deny the existence of a DS"<<endl);
return NODATA;
/* check if the type is denied */
if(qname == owner) {
- if (nsec->d_set.count(qtype)) {
+ if (nsec->isSet(qtype)) {
LOG("Does _not_ deny existence of type "<<QType(qtype).getName()<<endl);
return NODATA;
}
LOG("Denies existence of type "<<QType(qtype).getName()<<endl);
/* RFC 6840 section 4.3 */
- if (nsec->d_set.count(QType::CNAME)) {
+ if (nsec->isSet(QType::CNAME)) {
LOG("However a CNAME exists"<<endl);
return NODATA;
}
* attention. Bits corresponding to the delegation NS RRset and any
* RRsets for which the parent zone has authoritative data MUST be set
*/
- if (referralToUnsigned && qtype == QType::DS && !nsec->d_set.count(QType::NS)) {
+ if (referralToUnsigned && qtype == QType::DS && !nsec->isSet(QType::NS)) {
LOG("However, no NS record exists at this level!"<<endl);
return NODATA;
}
return NODATA;
}
- LOG("Did not deny existence of "<<QType(qtype).getName()<<", "<<owner<<"?="<<qname<<", "<<nsec->d_set.count(qtype)<<", next: "<<nsec->d_next<<endl);
+ LOG("Did not deny existence of "<<QType(qtype).getName()<<", "<<owner<<"?="<<qname<<", "<<nsec->isSet(qtype)<<", next: "<<nsec->d_next<<endl);
}
} else if(v.first.second==QType::NSEC3) {
for(const auto& r : v.second.records) {
owner name regardless of type.
*/
if (qtype != QType::DS && beginHash == h && isNSEC3AncestorDelegation(signer, v.first.first, nsec3)) {
- LOG("type is "<<QType(qtype).getName()<<", NS is "<<std::to_string(nsec3->d_set.count(QType::NS))<<", SOA is "<<std::to_string(nsec3->d_set.count(QType::SOA))<<", signer is "<<signer<<", owner name is "<<v.first.first<<endl);
+ LOG("type is "<<QType(qtype).getName()<<", NS is "<<std::to_string(nsec3->isSet(QType::NS))<<", SOA is "<<std::to_string(nsec3->isSet(QType::SOA))<<", signer is "<<signer<<", owner name is "<<v.first.first<<endl);
/* this is an "ancestor delegation" NSEC3 RR */
LOG("An ancestor delegation NSEC3 RR can only deny the existence of a DS"<<endl);
return NODATA;
// If the name exists, check if the qtype is denied
if(beginHash == h) {
- if (nsec3->d_set.count(qtype)) {
+ if (nsec3->isSet(qtype)) {
LOG("Does _not_ deny existence of type "<<QType(qtype).getName()<<" for name "<<qname<<" (not opt-out)."<<endl);
return NODATA;
}
LOG("Denies existence of type "<<QType(qtype).getName()<<" for name "<<qname<<" (not opt-out)."<<endl);
/* RFC 6840 section 4.3 */
- if (nsec3->d_set.count(QType::CNAME)) {
+ if (nsec3->isSet(QType::CNAME)) {
LOG("However a CNAME exists"<<endl);
return NODATA;
}
* set and that the DS bit is not set in the Type Bit Maps field of the
* NSEC3 RR.
*/
- if (referralToUnsigned && qtype == QType::DS && !nsec3->d_set.count(QType::NS)) {
+ if (referralToUnsigned && qtype == QType::DS && !nsec3->isSet(QType::NS)) {
LOG("However, no NS record exists at this level!"<<endl);
return NODATA;
}
projects / pdns / commitdiff