auth: avoid an isane amount of new backend connections during an AXFR

author Kees Monshouwer <mind04@monshouwer.org>

Fri, 30 Mar 2018 14:57:43 +0000 (16:57 +0200)

committer Peter van Dijk <peter.van.dijk@powerdns.com>

Tue, 1 May 2018 14:45:41 +0000 (16:45 +0200)
author Kees Monshouwer <mind04@monshouwer.org>
Fri, 30 Mar 2018 14:57:43 +0000 (16:57 +0200)
committer Peter van Dijk <peter.van.dijk@powerdns.com>
Tue, 1 May 2018 14:45:41 +0000 (16:45 +0200)
diff --git a/pdns/signingpipe.cc b/pdns/signingpipe.cc

index 2f8a2acd6737ee33e3caaa2b16ef5576231c3242..0cc8def1b5643bb567fa575785772c58df2d9bf8 100644 (file)
--- a/pdns/signingpipe.cc
+++ b/pdns/signingpipe.cc
@@ -270,8 +270,8 @@ unsigned int ChunkedSigningPipe::getReady() const
  void ChunkedSigningPipe::worker(int fd)
  try
  {
-  DNSSECKeeper dk;
    UeberBackend db("key-only");
+  DNSSECKeeper dk(&db);
    
    chunk_t* chunk = nullptr;
    int res;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc

index eece6994ff90a3fe28a2ea3f3f6b072bffd47169..d2491f79f5557ced1001bf9cdb6378cfdb1cde97 100644 (file)
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -439,7 +439,7 @@ bool TCPNameserver::canDoAXFR(shared_ptr<DNSPacket> q)
        }
      }
  
-    DNSSECKeeper dk;
+    DNSSECKeeper dk(s_P->getBackend());
  
      if (q->d_tsig_algo == TSIG_GSS) {
        vector<string> princs;
@@ -577,6 +577,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int ou
        s_P=new PacketHandler;
      }
  
+    // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
      if (!canDoAXFR(q)) {
        L<<Logger::Error<<"AXFR of domain '"<<target<<"' failed: "<<q->getRemote()<<" cannot request AXFR"<<endl;
        outpacket->setRcode(RCode::NotAuth);
@@ -584,7 +585,6 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int ou
        return 0;
      }
  
-    // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
      if(!s_P->getBackend()->getSOAUncached(target, sd)) {
        L<<Logger::Error<<"AXFR of domain '"<<target<<"' failed: not authoritative"<<endl;
        outpacket->setRcode(RCode::NotAuth);
@@ -601,7 +601,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int ou
      return 0;
    }
  
-  DNSSECKeeper dk;
+  DNSSECKeeper dk(&db);
    dk.clearCaches(target);
    bool securedZone = dk.isSecuredZone(target);
    bool presignedZone = dk.isPresigned(target);
@@ -638,8 +638,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int ou
      if (algorithm == DNSName("hmac-md5.sig-alg.reg.int"))
        algorithm = DNSName("hmac-md5");
      if (algorithm != DNSName("gss-tsig")) {
-      Lock l(&s_plock);
-      if(!s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64)) {
+      if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) {
          L<<Logger::Error<<"TSIG key '"<<tsigkeyname<<"' for domain '"<<target<<"' not found"<<endl;
          return 0;
        }
@@ -651,8 +650,6 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int ou
    }
    
    
-  UeberBackend signatureDB; 
-  
    // SOA *must* go out first, our signing pipe might reorder
    DLOG(L<<"Sending out SOA"<<endl);
    DNSResourceRecord soa = makeDNSRRFromSOAData(sd);
@@ -668,7 +665,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int ou
    if(securedZone && !presignedZone) {
      set<DNSName> authSet;
      authSet.insert(target);
-    addRRSigs(dk, signatureDB, authSet, outpacket->getRRS());
+    addRRSigs(dk, db, authSet, outpacket->getRRS());
    }
    
    if(haveTSIGDetails && !tsigkeyname.empty())
author	Kees Monshouwer <mind04@monshouwer.org>
	Fri, 30 Mar 2018 14:57:43 +0000 (16:57 +0200)
committer	Peter van Dijk <peter.van.dijk@powerdns.com>
	Tue, 1 May 2018 14:45:41 +0000 (16:45 +0200)
pdns/signingpipe.cc		patch \| blob \| history
pdns/tcpreceiver.cc		patch \| blob \| history