]> granicus.if.org Git - pdns/commitdiff
projects / pdns / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 01cb2fe)
add ability to do TSIG signed AXFR requests by setting AXFR-MASTER-TSIG domainmetadat...
authorBert Hubert <bert.hubert@netherlabs.nl>
Thu, 17 Feb 2011 09:59:21 +0000 (09:59 +0000)
committerBert Hubert <bert.hubert@netherlabs.nl>
Thu, 17 Feb 2011 09:59:21 +0000 (09:59 +0000)
Does not yet verify responses!

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2035 d19b8d6e-7fed-0310-83ef-9ca221ded41b

pdns/dbdnsseckeeper.cc patch | blob | history
pdns/dnssecinfra.cc patch | blob | history
pdns/dnsseckeeper.hh patch | blob | history
pdns/resolver.cc patch | blob | history
pdns/resolver.hh patch | blob | history
pdns/slavecommunicator.cc patch | blob | history

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 6122ab77ee42a817392ba734fc2bb8cb62319d71..8aa07c6ab1b0d28686357e6cc58afa692e47c31b 100644 (file)
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -352,3 +352,18 @@ bool DNSSECKeeper::TSIGGrantsAccess(const string& zone, const string& keyname, c
   }
   return false;
 }
+
+bool DNSSECKeeper::getTSIGForAcces(const string& zone, const string& master, string* keyname)
+{
+  vector<string> keynames;
+  d_keymetadb.getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames);
+  keyname->clear();
+  
+  // XXX FIXME this should check for a specific master!
+  BOOST_FOREACH(const string& dbkey, keynames) {
+    *keyname=dbkey;
+  
+    return true;
+  }
+  return false;
+}
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 4a28cab4e070cde39f05e36ba0a6841786578bdb..0dfe9c9c3f1afbdd821d41972a82661d6283fd87 100644 (file)
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -442,9 +442,6 @@ string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigOff
   return message;
 }
 
-
-
-
 void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const string& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly)
 {
   string toSign;
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index d93c0f87787e45305e887e63fdd6542f5dc5e261..1c3c43a32e05d83f2cf16f487706264960c40c1e 100644 (file)
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -55,6 +55,7 @@ public:
   void unsetPresigned(const std::string& zname);
   
   bool TSIGGrantsAccess(const string& zone, const string& keyname, const string& algorithm);
+  bool getTSIGForAcces(const string& zone, const string& master, string* keyname);
 private:
   void getFromMeta(const std::string& zname, const std::string& key, std::string& value);
   
diff --git a/pdns/resolver.cc b/pdns/resolver.cc
index 55a782f91b08acf4eeef798f79fccce46c50de66..28d69f48c48777e20b9a9d5b117b8d93c78827dc 100644 (file)
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -295,7 +295,7 @@ void Resolver::getSoaSerial(const string &ipport, const string &domain, uint32_t
   *serial=(uint32_t)atol(parts[2].c_str());
 }
 
-AXFRRetriever::AXFRRetriever(const ComboAddress& remote, const string& domain)
+AXFRRetriever::AXFRRetriever(const ComboAddress& remote, const string& domain, const string& tsigkeyname, const string& tsigalgorithm, const string& tsigsecret)
 {
   ComboAddress local;
   if(remote.sin4.sin_family == AF_INET)
@@ -315,6 +315,16 @@ AXFRRetriever::AXFRRetriever(const ComboAddress& remote, const string& domain)
   DNSPacketWriter pw(packet, domain, QType::AXFR);
   pw.getHeader()->id = dns_random(0xffff);
 
+  if(!tsigkeyname.empty()) {
+    TSIGRecordContent trc;
+    trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int.";
+    trc.d_time = time(0);
+    trc.d_fudge = 300;
+    trc.d_origID=ntohs(pw.getHeader()->id);
+    trc.d_eRcode=0;
+    addTSIG(pw, &trc, tsigkeyname, tsigsecret, "", false);
+  }
+
   uint16_t replen=htons(packet.size());
   Utility::iovec iov[2];
   iov[0].iov_base=(char*)&replen;
diff --git a/pdns/resolver.hh b/pdns/resolver.hh
index b5315cb7416f576222109e16d714e71507d39afb..1a2c34ee68e8dd7587dd330f0d04d487f744d7f8 100644 (file)
--- a/pdns/resolver.hh
+++ b/pdns/resolver.hh
@@ -82,7 +82,7 @@ private:
 class AXFRRetriever : public boost::noncopyable
 {
   public:
-    AXFRRetriever(const ComboAddress& remote, const string& zone);
+    AXFRRetriever(const ComboAddress& remote, const string& zone, const string& tsigkeyname=string(), const string& tsigalgorithm=string(), const string& tsigsecret=string());
     int getChunk(Resolver::res_t &res);  
   
   private:
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index 28cbc6736b928259cecbfe8e57a4f1c6ccebb68e..baa07c35ff93ab2827f1a6e3c2ccc0269fe74ecc 100644 (file)
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -35,6 +35,7 @@
 #include "packetcache.hh"
 #include <boost/foreach.hpp>
 #include <boost/lexical_cast.hpp>
+#include "base64.hh"
 #include "inflighter.cc"
 
 #include "namespaces.hh"
@@ -69,9 +70,6 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
   di.backend=0;
   bool first=true;    
   try {
-    ComboAddress raddr(remote, 53);
-    AXFRRetriever retriever(raddr, domain.c_str());
-
     UeberBackend *B=dynamic_cast<UeberBackend *>(P.getBackend());
     NSEC3PARAMRecordContent ns3pr;
     bool narrow;
@@ -100,6 +98,18 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
 
     Resolver::res_t recs;
     set<string> nsset, qnames;
+    
+    ComboAddress raddr(remote, 53);
+    
+    string tsigkeyname, tsigalgorithm, tsigsecret;
+    
+    if(dk.getTSIGForAcces(domain, remote, &tsigkeyname)) {
+      string tsigsecret64;
+      B->getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64);
+      B64Decode(tsigsecret64, tsigsecret);
+    }
+    AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret);
+    
     while(retriever.getChunk(recs)) {
       if(first) {
         L<<Logger::Error<<"AXFR started for '"<<domain<<"', transaction started"<<endl;
Unnamed repository; edit this file 'description' to name the repository.