make us safe for serving a live-signed root (call us if you want to do this ;-))...

author Bert Hubert <bert.hubert@netherlabs.nl>

Thu, 8 Nov 2012 14:09:43 +0000 (14:09 +0000)

committer Bert Hubert <bert.hubert@netherlabs.nl>

Thu, 8 Nov 2012 14:09:43 +0000 (14:09 +0000)
author Bert Hubert <bert.hubert@netherlabs.nl>
Thu, 8 Nov 2012 14:09:43 +0000 (14:09 +0000)
committer Bert Hubert <bert.hubert@netherlabs.nl>
Thu, 8 Nov 2012 14:09:43 +0000 (14:09 +0000)
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc

index 055becda4bbdf43d1a5d2813e88f419d39bd8ef1..b6fa71fa59ffcaed693a20d9d393555396863b75 100644 (file)
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -37,12 +37,12 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
    rrc.d_originalttl=signTTL; 
    rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
    rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
-  rrc.d_signer = toLower(signer);
+  rrc.d_signer = signer.empty() ? "." : toLower(signer);
    rrc.d_tag = 0;
    
    // we sign the RRSET in toSign + the rrc w/o hash
    
-  DNSSECKeeper::keyset_t keys = dk.getKeys(rrc.d_signer);
+  DNSSECKeeper::keyset_t keys = dk.getKeys(signer); // we don't want the . for the root!
    vector<DNSSECPrivateKey> KSKs, ZSKs;
    vector<DNSSECPrivateKey>* signingKeys;
    
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc

index c12cc5a2426c608aaab3a7e19c82a0e5e2dde7eb..e4637c1f6afbfaf07a78c6c1fab62d3feb1bd7d2 100644 (file)
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -587,12 +587,12 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
      uint32_t theirserial = ssr.d_freshness[di.id].theirSerial, ourserial = di.serial;
      
      if(rfc1982LessThan(theirserial, ourserial)) {
-      L<<Logger::Error<<"Domain "<<di.zone<<" more recent than master, our serial " << ourserial << " > their serial "<< theirserial << endl;
+      L<<Logger::Error<<"Domain '"<<di.zone<<"' more recent than master, our serial " << ourserial << " > their serial "<< theirserial << endl;
        di.backend->setFresh(di.id);
      }
      else if(theirserial == ourserial) {
        if(!dk.isPresigned(di.zone)) {
-        L<<Logger::Warning<<"Domain "<< di.zone<<" is fresh (not presigned, no RRSIG check)"<<endl;
+        L<<Logger::Warning<<"Domain '"<< di.zone<<"' is fresh (not presigned, no RRSIG check)"<<endl;
          di.backend->setFresh(di.id);
        }
        else {
@@ -607,17 +607,17 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
            }
          }
          if(maxInception == ssr.d_freshness[di.id].theirInception && maxExpire == ssr.d_freshness[di.id].theirExpire) {
-          L<<Logger::Warning<<"Domain "<< di.zone<<" is fresh and apex RRSIGs match"<<endl;
+          L<<Logger::Warning<<"Domain '"<< di.zone<<"' is fresh and apex RRSIGs match"<<endl;
            di.backend->setFresh(di.id);
          }
          else {
-          L<<Logger::Warning<<"Domain "<< di.zone<<" is fresh, but RRSIGS differ, so DNSSEC stale"<<endl;
+          L<<Logger::Warning<<"Domain '"<< di.zone<<"' is fresh, but RRSIGS differ, so DNSSEC stale"<<endl;
            addSuckRequest(di.zone, *di.masters.begin());
          }
        }
      }
      else {
-      L<<Logger::Warning<<"Domain "<< di.zone<<" is stale, master serial "<<theirserial<<", our serial "<< ourserial <<endl;
+      L<<Logger::Warning<<"Domain '"<< di.zone<<"' is stale, master serial "<<theirserial<<", our serial "<< ourserial <<endl;
        addSuckRequest(di.zone, *di.masters.begin());
      }
    }
author	Bert Hubert <bert.hubert@netherlabs.nl>
	Thu, 8 Nov 2012 14:09:43 +0000 (14:09 +0000)
committer	Bert Hubert <bert.hubert@netherlabs.nl>
	Thu, 8 Nov 2012 14:09:43 +0000 (14:09 +0000)
pdns/dnssecsigner.cc		patch \| blob \| history
pdns/slavecommunicator.cc		patch \| blob \| history