if(nsec3zone) {
if(rr.qtype.getCode() != QType::NSEC3 && rr.qtype.getCode() != QType::RRSIG)
- hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname));
+ hashed=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname));
else
hashed="";
}
{
rr.qname=nt.first+bbd.d_name;
if(nsec3zone)
- hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname.toString()));
+ hashed=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname.toString()));
insertRecord(bbd, rr.qname, rr.qtype, rr.content, rr.ttl, hashed, &nt.second);
}
}
return true;
}
-bool RemoteBackend::feedEnts3(int domain_id, const DNSName& domain, map<DNSName,bool>& nonterm, unsigned int times, const string &salt, bool narrow) {
+bool RemoteBackend::feedEnts3(int domain_id, const DNSName& domain, map<DNSName,bool>& nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow) {
rapidjson::Document query,answer;
rapidjson::Value parameters;
rapidjson::Value nts;
parameters.SetObject();
JSON_ADD_MEMBER(parameters, "domain_id", domain_id, query.GetAllocator());
JSON_ADD_MEMBER_DNSNAME(parameters, "domain", domain, query.GetAllocator());
- JSON_ADD_MEMBER(parameters, "times", times, query.GetAllocator());
- JSON_ADD_MEMBER(parameters, "salt", salt.c_str(), query.GetAllocator());
+ JSON_ADD_MEMBER(parameters, "times", ns3prc.d_iterations, query.GetAllocator());
+ JSON_ADD_MEMBER(parameters, "salt", ns3prc.d_salt.c_str(), query.GetAllocator());
JSON_ADD_MEMBER(parameters, "narrow", narrow, query.GetAllocator());
JSON_ADD_MEMBER(parameters, "trxid", d_trxid, query.GetAllocator());
virtual bool replaceRRSet(uint32_t domain_id, const DNSName& qname, const QType& qt, const vector<DNSResourceRecord>& rrset);
virtual bool feedRecord(const DNSResourceRecord &r, string *ordername);
virtual bool feedEnts(int domain_id, map<DNSName,bool>& nonterm);
- virtual bool feedEnts3(int domain_id, const DNSName& domain, map<DNSName,bool>& nonterm, unsigned int times, const string &salt, bool narrow);
+ virtual bool feedEnts3(int domain_id, const DNSName& domain, map<DNSName,bool>& nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow);
virtual bool startTransaction(const DNSName& domain, int domain_id);
virtual bool commitTransaction();
virtual bool abortTransaction();
BOOST_AUTO_TEST_CASE(test_method_feedEnts3) {
BOOST_TEST_MESSAGE("Testing feedEnts3 method");
be->startTransaction(DNSName("example.com"),2);
+ NSEC3PARAMRecordContent ns3prc;
+ ns3prc.d_iterations=1;
+ ns3prc.d_salt="\u00aa\u00bb\u00cc\u00dd";
map<DNSName, bool> nonterm = boost::assign::map_list_of(DNSName("_udp"), true)(DNSName("_sip._udp"), true);
- BOOST_CHECK(be->feedEnts3(2, DNSName("example.com"), nonterm, 1, "\u00aa\u00bb\u00cc\u00dd", 0));
+ BOOST_CHECK(be->feedEnts3(2, DNSName("example.com"), nonterm, ns3prc, 0));
be->commitTransaction();
}
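Review bot: The salt literal `"\u00aa\u00bb\u00cc\u00dd"` on the new `ns3prc.d_salt=` line almost certainly does not produce the four bytes it looks like: universal-character-names in a narrow string literal are converted to the execution character set, so with a UTF-8 build each `\u00xx` becomes two bytes and the salt is eight bytes long. If a 4-byte salt aa bb cc dd is intended, write `ns3prc.d_salt="\xaa\xbb\xcc\xdd";` (the pre-change call used the same literal, so any expected value derived from it should be re-checked). The last argument of the `BOOST_CHECK(be->feedEnts3(...))` call is the `bool narrow` parameter; `false` rather than `0` reads as intended.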
return true;
}
-bool GSQLBackend::feedEnts3(int domain_id, const DNSName &domain, map<DNSName,bool> &nonterm, unsigned int times, const string &salt, bool narrow)
+bool GSQLBackend::feedEnts3(int domain_id, const DNSName &domain, map<DNSName,bool> &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow)
{
if(!d_dnssecQueries)
return false;
execute()->
reset();
} else {
- ordername=toBase32Hex(hashQNameWithSalt(times, salt, nt.first));
+ ordername=toBase32Hex(hashQNameWithSalt(ns3prc, nt.first));
d_InsertEntOrderQuery_stmt->
bind("domain_id",domain_id)->
bind("qname", nt.first)->
- bind("ordername",toLower(ordername))->
+ bind("ordername",ordername)->
bind("auth",nt.second)->
execute()->
reset();
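Review bot: Dropping `toLower()` on the `bind("ordername", ...)` line is a behavioural change that the signature refactor does not require, and nothing in the hunk shows that toBase32Hex already emits lower-case. The other ordername writers touched by this diff pass toBase32Hex output straight through, so the removal may simply be aligning this path with them; if so, a sentence in the commit message saying that toBase32Hex guarantees the stored case would settle it. If it does not, ordernames written by feedEnts3 would differ in case from those written elsewhere, and since the NSEC3 chain is derived by ordering on ordername in the database, mixed-case values would break the before/after lookups; keeping `bind("ordername",toLower(ordername))->` is the conservative choice. The feedEnts3 body continues outside the hunk.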
bool abortTransaction();
bool feedRecord(const DNSResourceRecord &r, string *ordername=0);
bool feedEnts(int domain_id, map<DNSName,bool>& nonterm);
- bool feedEnts3(int domain_id, const DNSName &domain, map<DNSName,bool> &nonterm, unsigned int times, const string &salt, bool narrow);
+ bool feedEnts3(int domain_id, const DNSName &domain, map<DNSName,bool> &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow);
bool createDomain(const DNSName &domain);
bool createSlaveDomain(const string &ip, const DNSName &domain, const string &nameserver, const string &account);
bool deleteDomain(const DNSName &domain);
#include "namespaces.hh"
#include "comment.hh"
#include "dnsname.hh"
+#include "dnsrecords.hh"
class DNSBackend;
struct DomainInfo
{
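Review bot: The new `#include "dnsrecords.hh"` pulls the full record-content header into dnsbackend.hh, which every backend includes, while the only new use visible in this file is the `const NSEC3PARAMRecordContent&` parameter of feedEnts3 (whose inline default body just returns false). A by-reference parameter needs only an incomplete type, so a forward declaration `class NSEC3PARAMRecordContent;` beside the existing `class DNSBackend;` would suffice, with the .cc files that read `d_iterations`/`d_salt` including dnsrecords.hh themselves. This assumes nothing else in the header needs the full definition, which I cannot see from here.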
return false;
}
- virtual bool feedEnts3(int domain_id, const DNSName &domain, map<DNSName,bool> &nonterm, unsigned int times, const string &salt, bool narrow)
+ virtual bool feedEnts3(int domain_id, const DNSName &domain, map<DNSName,bool> &nonterm, const NSEC3PARAMRecordContent& ns3prc, bool narrow)
{
return false;
}
return now;
}
-std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const DNSName& qname)
+string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname)
{
- string toHash;
- toHash.assign(qname.toDNSString());
- toHash.append(salt);
-
-// cerr<<makeHexDump(toHash)<<endl;
+ unsigned int times = ns3prc.d_iterations;
unsigned char hash[20];
+ string toHash(qname.toDNSString());
+
for(;;) {
+ toHash.append(ns3prc.d_salt);
sha1((unsigned char*)toHash.c_str(), toHash.length(), hash);
- if(!times--)
- break;
toHash.assign((char*)hash, sizeof(hash));
- toHash.append(salt);
+ if(!times--)
+ break;
}
- return string((char*)hash, sizeof(hash));
+ return toHash;
}
+
DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY() const
{
return makeDNSKEYFromDNSCryptoKeyEngine(getKey(), d_algorithm, d_flags);
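Review bot: The rewritten loop has a subtler shape than the old one — the salt is appended at the top of each pass and the running digest is moved into `toHash` before the `times` check — and nothing in the function says what it implements; a header comment such as `// RFC 5155 section 5: IH(0)=H(owner||salt), IH(k)=H(IH(k-1)||salt); returns IH(d_iterations) as the 20 raw SHA-1 bytes` at the definition (and on the declaration in the .hh hunk) would make the contract checkable against the loop, which does perform d_iterations+1 digests. The cost is linear in `d_iterations`, a value that comes straight from zone data; RFC 5155 section 10.3 bounds acceptable iteration counts by key size, so if no caller validates the count before it reaches this function, that expectation belongs in the same comment. Minor: `hash[20]` and `(unsigned char*)toHash.c_str()` could become a named SHA-1 digest-size constant (or `std::array<unsigned char, 20>`) and `reinterpret_cast<const unsigned char*>(toHash.data())`, so the C-style cast does not quietly accept a wrong buffer type later.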
int getRRSIGsForRRSET(DNSSECKeeper& dk, const DNSName& signer, const DNSName signQName, uint16_t signQType, uint32_t signTTL,
vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent> &rrc);
-std::string hashQNameWithSalt(unsigned int times, const std::string& salt, const DNSName& qname);
+string hashQNameWithSalt(const NSEC3PARAMRecordContent& ns3prc, const DNSName& qname);
void decodeDERIntegerSequence(const std::string& input, vector<string>& output);
class DNSPacket;
void addRRSigs(DNSSECKeeper& dk, UeberBackend& db, const std::set<DNSName>& authMap, vector<DNSResourceRecord>& rrs);
string nsec3Hash(const DNSName &qname, const string &salt, unsigned int iters)
{
- return toBase32Hex(hashQNameWithSalt(iters, salt, qname));
+ NSEC3PARAMRecordContent ns3prc;
+ ns3prc.d_iterations = iters;
+ ns3prc.d_salt = salt;
+ return toBase32Hex(hashQNameWithSalt(ns3prc, qname));
}
void proveOrDeny(const nsec3set &nsec3s, const DNSName &qname, const string &salt, unsigned int iters, set<DNSName> &proven, set<DNSName> &denied)
// add matching NSEC3 RR
if (mode != 3) {
unhashed=(mode == 0 || mode == 1 || mode == 5) ? target : closest;
- hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
+ hashed=hashQNameWithSalt(ns3rc, unhashed);
DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
// if(!B.getDirectNSECx(sd.domain_id, hashed, QType(QType::NSEC3), before, rr))
}
doNextcloser = true;
unhashed=closest;
- hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
+ hashed=hashQNameWithSalt(ns3rc, unhashed);
DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
// if(!B.getDirectNSECx(sd.domain_id, hashed, QType(QType::NSEC3), before, rr))
}
while( next.chopOff() && !pdns_iequals(next, closest));
- hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
+ hashed=hashQNameWithSalt(ns3rc, unhashed);
DLOG(L<<"2 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
// if(!B.getDirectNSECx(sd.domain_id, hashed, QType(QType::NSEC3), before, rr)) {
getNSEC3Hashes(narrow, sd.db,sd.domain_id, hashed, true, unhashed, before, after);
if (mode == 2 || mode == 4) {
unhashed=DNSName("*")+closest;
- hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
+ hashed=hashQNameWithSalt(ns3rc, unhashed);
DLOG(L<<"3 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
// if(!B.getDirectNSECx(sd.domain_id, hashed, QType(QType::NSEC3), before, rr)) {
if(haveNSEC3) // NSEC3
{
if(!narrow && (realrr || !isOptOut || nonterm.find(qname)->second))
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname))) + zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, qname))) + zone;
else if(!realrr)
auth=false;
}
DNSName ordername;
if(haveNSEC3) {
if(!narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, zone))) + zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr, zone))) + zone;
} else
ordername=zone;
if(g_verbose)
cerr<<"The '"<<zone.toString()<<"' zone uses narrow NSEC3, but calculating hash anyhow"<<endl;
}
- cout<<toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, record))<<endl;
+ cout<<toBase32Hex(hashQNameWithSalt(ns3pr, record))<<endl;
}
else if(cmds[0]=="unset-nsec3") {
if(cmds.size() < 2) {
++ddepth;
} while(shorter.chopOff());
- DNSName ordername = DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, qname))) + di->zone;
+ DNSName ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, qname))) + di->zone;
if (! *narrow && (ddepth == 0 || (ddepth == 1 && nssets.count(qname)))) {
di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, qname, ordername, (ddepth == 0 ));
if(*haveNSEC3) {
DNSName ordername;
if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rr->d_label)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_label)))+di->zone;
if (*narrow)
di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, rr->d_label, DNSName(), auth);
{
DNSName ordername;
if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, rr->d_label)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, rr->d_label)))+di->zone;
if (*narrow)
di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, rr->d_label, DNSName(), auth);
if(*haveNSEC3) {
DNSName ordername;
if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, *qname)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, *qname)))+di->zone;
if (*narrow)
di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, rr->d_label, DNSName(), auth); // FIXME400 no *qname here?
if(*haveNSEC3) {
DNSName ordername;
if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, changeRec)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, changeRec)))+di->zone;
di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, changeRec, ordername, true);
}
{
DNSName ordername;
if(! *narrow)
- ordername=DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, i)))+di->zone;
+ ordername=DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, i)))+di->zone;
di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, i, ordername, true);
}
}
else if (haveNSEC3) {
DNSName ordername;
if (!narrow)
- ordername = DNSName(toBase32Hex(hashQNameWithSalt(ns3pr->d_iterations, ns3pr->d_salt, newRec.qname)))+di->zone;
+ ordername = DNSName(toBase32Hex(hashQNameWithSalt(*ns3pr, newRec.qname)))+di->zone;
di->backend->updateDNSSECOrderNameAndAuth(di->id, di->zone, newRec.qname, ordername, true);
}
{
string hashed;
for(const auto &label: labels) {
- hashed=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, label));
+ hashed=toBase32Hex(hashQNameWithSalt(ns3pr, label));
hashes.insert(pair<string,DNSName>(hashed, label));
}
}
bool auth;
if (!rr.auth && rr.qtype.getCode() == QType::NS) {
if (isNSEC3)
- ordername=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname));
+ ordername=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname));
auth=(!isNSEC3 || !optOutFlag || secured.count(ordername));
} else
auth=rr.auth;
if (isDnssecZone && rr.qtype.getCode() != QType::RRSIG) {
if (isNSEC3) {
// NSEC3
- ordername=toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname));
+ ordername=toBase32Hex(hashQNameWithSalt(ns3pr, rr.qname));
if(!isNarrow && (rr.auth || (rr.qtype.getCode() == QType::NS && (!optOutFlag || secured.count(ordername))))) {
di.backend->feedRecord(rr, &ordername);
} else
// Insert empty non-terminals
if(doent && !nonterm.empty()) {
if (isNSEC3) {
- di.backend->feedEnts3(domain_id, domain, nonterm, ns3pr.d_iterations, ns3pr.d_salt, isNarrow);
+ di.backend->feedEnts3(domain_id, domain, nonterm, ns3pr, isNarrow);
} else
di.backend->feedEnts(domain_id, nonterm);
}
BOOST_FOREACH(const DNSSECKeeper::keyset_t::value_type& value, keys) {
rr.qtype = QType(QType::DNSKEY);
rr.content = value.first.getDNSKEY().getZoneRepresentation();
- string keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname.toString());
+ string keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr, rr.qname) : labelReverse(rr.qname.toString());
NSECXEntry& ne = nsecxrepo[keyname];
ne.d_set.insert(rr.qtype.getCode());
ns3pr.d_flags = 0;
rr.content = ns3pr.getZoneRepresentation();
ns3pr.d_flags = flags;
- string keyname = hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname);
+ string keyname = hashQNameWithSalt(ns3pr, rr.qname);
NSECXEntry& ne = nsecxrepo[keyname];
ne.d_set.insert(rr.qtype.getCode());
records++;
if(securedZone && (rr.auth || rr.qtype.getCode() == QType::NS)) {
if (NSEC3Zone || rr.qtype.getCode()) {
- keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname.toString());
+ keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr, rr.qname) : labelReverse(rr.qname.toString());
NSECXEntry& ne = nsecxrepo[keyname];
ne.d_ttl = sd.default_ttl;
ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && (!ns3pr.d_flags || (presignedZone && ns3pr.d_flags))));