hook up ECDSA in git pdns_recursor build, not yet in separate tarball. Fix up CNAME...
authorbert hubert <bert.hubert@netherlabs.nl>
Sat, 28 Nov 2015 10:05:07 +0000 (11:05 +0100)
committerbert hubert <bert.hubert@netherlabs.nl>
Sat, 28 Nov 2015 10:05:07 +0000 (11:05 +0100)
pdns/Makefile.am
pdns/pdns_recursor.cc
pdns/validate-recursor.cc
pdns/validate-recursor.hh

index 14880cfd4c7606078349cb0917bc10b7f2f67fe5..315e84a42796b98ff05cdfbe9d3189b95f1e2510 100644 (file)
@@ -1158,6 +1158,12 @@ pdns_recursor_SOURCES += pkcs11signers.cc pkcs11signers.hh
 pdns_recursor_LDADD += $(P11KIT1_LIBS)
 endif
 
+if BOTAN110
+pdns_recursor_SOURCES += botan110signers.cc botansigners.cc
+pdns_recursor_LDADD += $(BOTAN110_LIBS)
+endif
+
+
 pdns_recursor_LDFLAGS = $(AM_LDFLAGS)
 
 if MALLOC_TRACE
index dc0ba748f7a1b36ca144351e66e6ad74bc93f56a..8346d56693b19f97f72bac1615c816c56ccd981b 100644 (file)
@@ -801,9 +801,14 @@ void startDoResolve(void *p)
       pw.getHeader()->rcode=res;
 
       if(edo.d_Z & EDNSOpts::DNSSECOK) {
-       if(validateRecords(ret))
+       auto state=validateRecords(ret);
+       if(state == Secure) {
          pw.getHeader()->ad=1;
-       else {
+       }
+       else if(state == Insecure) {
+         pw.getHeader()->ad=0;
+       }
+       else if(state == Bogus && !pw.getHeader()->cd) {
          pw.getHeader()->rcode=RCode::ServFail;
          goto sendit;
        }
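Review bot: The `ad` bit is set or cleared only for Secure and Insecure; a Bogus answer that is returned because CD is set, and any other vState value the enum may hold, falls through with `ad` left at whatever the header contained, and nothing in the hunk shows it was zeroed. A Bogus answer must never carry AD, so I would derive the bit once from the state and keep only the ServFail branch: `pw.getHeader()->ad = (state == Secure);` followed by `if(state == Bogus && !pw.getHeader()->cd) { pw.getHeader()->rcode=RCode::ServFail; goto sendit; }`. If the packet writer already zero-initialises the header this is merely defensive, but it also removes the now-redundant Insecure branch and keeps future states from inheriting a stale AD. startDoResolve begins and ends outside the hunk.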
index 89fd1de85b44daa823a9a384629f2e603549b089..df1b549d612575ad0661e9c80f8c6ca84763ade5 100644 (file)
@@ -12,9 +12,8 @@ public:
     SyncRes sr(tv);
 
     vector<DNSRecord> ret;
-    int res;
     sr.d_doDNSSEC=true;
-    res=sr.beginResolve(qname, QType(qtype), 1, ret);
+    sr.beginResolve(qname, QType(qtype), 1, ret);
     d_queries += sr.d_outqueries;
     return ret;
   }
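Review bot: Dropping `res` discards the rcode that `sr.beginResolve` returns, so a DS or DNSKEY sub-lookup that fails (ServFail, timeout) is now indistinguishable from one that legitimately returned no records; whether getKeysFor then reads the empty vector as Insecure rather than as an indeterminate failure cannot be seen from here. I would keep the result and record it alongside the query counter, e.g. `int res=sr.beginResolve(qname, QType(qtype), 1, ret);` with a comment `// res != 0: sub-lookup failed, caller must not treat an empty ret as a proven absence`, and expose it to the validator so a failed lookup cannot silently become a clean Insecure verdict. The enclosing method's signature and the class it belongs to lie above the hunk.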
@@ -22,14 +21,14 @@ public:
 };
 
 
-bool validateRecords(const vector<DNSRecord>& recs)
+vState validateRecords(const vector<DNSRecord>& recs)
 {
   g_rootDS =  "19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5";
   cspmap_t cspmap=harvestCSPFromRecs(recs);
   //  cerr<<"Got "<<cspmap.size()<<" RRSETs: ";
   int numsigs=0;
   for(const auto& csp : cspmap) {
-    //    cerr<<" "<<csp.first.first<<'/'<<DNSRecordContent::NumberToType(csp.first.second)<<": "<<csp.second.signatures.size()<<" sigs for "<<csp.second.records.size()<<" records"<<endl;
+    //    cerr<<"Going to validate: "<<csp.first.first<<'/'<<DNSRecordContent::NumberToType(csp.first.second)<<": "<<csp.second.signatures.size()<<" sigs for "<<csp.second.records.size()<<" records"<<endl;
     numsigs+= csp.second.signatures.size();
   }
    
@@ -41,10 +40,8 @@ bool validateRecords(const vector<DNSRecord>& recs)
   if(numsigs) {
     for(const auto& csp : cspmap) {
       for(const auto& sig : csp.second.signatures) {
-       //      cerr<<"got rrsig "<<sig->d_signer<<"/"<<sig->d_tag<<endl;
        vState state = getKeysFor(sro, sig->d_signer, keys);
        //      cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys"<<endl;
-        // dsmap.insert(make_pair(dsrc.d_tag, dsrc));
       }
     }
 
@@ -54,7 +51,9 @@ bool validateRecords(const vector<DNSRecord>& recs)
     //    cerr<<"no sigs, hoping for Insecure"<<endl;
     vState state = getKeysFor(sro, recs.begin()->d_name, keys); // um WHAT DOES THIS MEAN - try first qname??
     //    cerr<<"! state = "<<vStates[state]<<", now have "<<keys.size()<<" keys "<<endl;
+    return state;
   }
+  
   //  cerr<<"! validated "<<validrrsets.size()<<" RRsets out of "<<cspmap.size()<<endl;
 
   //  cerr<<"% validated RRs:"<<endl;
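Review bot: The new `return state;` in the no-signature branch hands back whatever getKeysFor reports for the first owner name, so if that call yields Secure for a name inside a signed zone, an answer whose RRSIGs were stripped in transit would be reported Secure and get AD set, which is the opposite of what the branch's own comment ("hoping for Insecure") intends. Unsigned data from a zone the chain of trust proves to be signed is Bogus, so I would guard the return: `if(state == Secure) return Bogus; // signed zone but no RRSIGs: treat as stripped` before `return state;`. Whether getKeysFor can actually return Secure on this path depends on its implementation, which is outside the hunk; the `recs.begin()->d_name` dereference on the preceding line also assumes `recs` is non-empty, and nothing visible here checks that. validateRecords begins and ends outside the hunk.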
@@ -65,5 +64,7 @@ bool validateRecords(const vector<DNSRecord>& recs)
     }
   }
   //  cerr<<"Took "<<sro.d_queries<<" queries"<<endl;
-  return validrrsets.size() == cspmap.size();
+  if(validrrsets.size() == cspmap.size())
+    return Secure;
+  return Insecure;
 }
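Review bot: Returning Insecure when `validrrsets.size() != cspmap.size()` turns a failed signature check into an answer the caller serves with AD cleared and no ServFail, because after the early return added in the no-signature branch this line is only reached when RRSIGs were present in the response. Signed data whose signatures do not verify is Bogus, not Insecure, so the fallback should be `return Bogus; // signatures present but not all RRsets verified`; if a response can legitimately mix unsigned RRsets with signed ones, that case needs to be told apart from a verification failure rather than folded into Insecure. validateRecords begins outside the hunk.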
index e3fd3999ec9565c8428e18e7f2545954b7216247..1952061444b735870bfdf6000e75749c161a7758 100644 (file)
@@ -1,5 +1,6 @@
 #pragma once
 #include "dnsparser.hh"
 #include "namespaces.hh"
+#include "validate.hh"
 
-bool validateRecords(const vector<DNSRecord>& recs);
+vState validateRecords(const vector<DNSRecord>& recs);
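Review bot: The declaration now returns a vState but nothing states which values callers must handle, and the caller in pdns_recursor.cc already branches on three of them, so a contract comment here would prevent silent fall-through when the enum changes. I would add above the declaration: `// Validates the RRsets in recs against the DNSSEC chain of trust. Returns Secure only when every RRset verified, Insecure when the data is provably unsigned, Bogus when signatures are missing or invalid; callers must treat any other value as untrusted.`, worded to match whatever validate.hh actually defines, which is outside this diff.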