From: Bert Hubert Date: Thu, 13 May 2010 11:08:24 +0000 (+0000) Subject: infrastructure in packethandler.cc & pdnssec to start to do something with NSEC3... X-Git-Tag: rec-3.3~89 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=01fde57ce65025b23b479559efc288bee267b9dd;p=pdns infrastructure in packethandler.cc & pdnssec to start to do something with NSEC3(PARAM) git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1613 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 605207101..8e772d10b 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -17,6 +17,7 @@ */ #include "packetcache.hh" #include "utility.hh" +#include "base32.hh" #include #include #include @@ -463,11 +464,36 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c r->addRecord(rr); } + + + /* mode 0 = no error -> an NSEC that starts with 'target', in authority section mode 1 = NXDOMAIN -> an NSEC from auth to first + a covering NSEC mode 2 = ANY or direct NSEC request -> an NSEC that starts with 'target' mode 3 = a covering NSEC in the authority section (like 1, except for first) */ +void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode) +{ + cerr<<"Doing NSEC3PARAM lookup for '"<(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, nsec3param.content)); + cerr<<"NSEC3 hash, "<d_iterations<<" iterations, salt '"<d_salt)<<"': "<d_iterations, ns3rc->d_salt, p->qdomain))<qtype.getCode() == QType::NS && p->d_dnssecOk && rfound) { - addNSEC(p, r, p->qdomain, "", 2); // make it 'official' that we have no DS + addNSECX(p, r, p->qdomain, "", 2); // make it 'official' that we have no DS } if(hits && !relevantNS && !found && !rfound && shortcut ) { // XXX FIXME !numloops. we found matching qnames but not a qtype 
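Review bot: In the new `addNSECX`, the call `hashQNameWithSalt(ns3rc->d_iterations, ns3rc->d_salt, p->qdomain)` takes the iteration count straight from the zone's NSEC3PARAM record with no upper bound, so a zone carrying a very large iteration value turns every DNSSEC-OK answer into a long hashing loop; clamp or reject `ns3rc->d_iterations` against a configured maximum before hashing (RFC 5155 §10.3 lists the iteration limits an authoritative server should accept), and treat a `mastermake` failure on malformed NSEC3PARAM content as "no NSEC3" rather than letting it escape into the answer path. The two `cerr<<` lines ("Doing NSEC3PARAM lookup for" and the computed hash) run per query and should be removed or moved to the debug logger before this lands. Since the makeNXDomain, makeNOError, tryReferral and completeANYRecords hunks now route every DNSSEC-OK response through this function, the NSEC3PARAM lookup becomes one extra backend query per such response; fetching it once per zone alongside the SOA (or caching it) would avoid that. The context lines after the new function belong to a function whose start and end lie outside this hunk, and parts of the hunk are garbled in this rendering, so the exact cast and lookup code could not be checked.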
@@ -858,8 +884,8 @@ void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& rr.d_place=DNSResourceRecord::AUTHORITY; r->addRecord(rr); - if(p->d_dnssecOk) - addNSEC(p, r, target, sd.qname, 1); + if(p->d_dnssecOk) + addNSECX(p, r, target, sd.qname, 1); r->setRcode(RCode::NXDomain); S.ringAccount("nxdomain-queries",p->qdomain+"/"+p->qtype.getName()); } @@ -876,7 +902,7 @@ void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& t r->addRecord(rr); if(p->d_dnssecOk) - addNSEC(p, r, target, sd.qname, 0); + addNSECX(p, r, target, sd.qname, 0); S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName()); } @@ -910,7 +936,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const st r->setA(false); if(!addDSforNS(p, r, sd, rrset.begin()->qname)) - addNSEC(p, r, rrset.begin()->qname, sd.qname, 0); + addNSECX(p, r, rrset.begin()->qname, sd.qname, 0); return true; } @@ -920,7 +946,7 @@ void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, c if(!p->d_dnssecOk) cerr<<"Need to add all the RRSIGs too for '"<d_dnssecOk) { - addNSEC(p, r, p->qdomain, sd.qname, 3); + addNSECX(p, r, p->qdomain, sd.qname, 3); } return true; } diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh index 9f141db3f..b7c1a4027 100644 --- a/pdns/packethandler.hh +++ b/pdns/packethandler.hh 
@@ -94,7 +94,9 @@ private: bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId); int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r); bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r); + void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode); void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode); + void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const DNSResourceRecord& nsec3param, int mode); void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, DNSPacket *r, int mode); void synthesiseRRSIGs(DNSPacket* p, DNSPacket* r); void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd); diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc index 97f05aa79..e7c4f23e8 100644 --- a/pdns/pdnssec.cc +++ b/pdns/pdnssec.cc @@ -1,6 +1,7 @@ #include "dnsseckeeper.hh" #include "dnssecinfra.hh" #include "statbag.hh" +#include "base32.hh" #include #include #include "dnsbackend.hh" @@ -97,6 +98,7 @@ void orderZone(const std::string& zone) if(!B->getSOA(zone, sd)) { cerr<<"No SOA!"<list(zone, sd.domain_id); @@ -109,8 +111,13 @@ void orderZone(const std::string& zone) qnames.insert(rr.qname); } + string salt; + char tmp[]={0xab, 0xcd}; + salt.assign(tmp, 2); BOOST_FOREACH(const string& qname, qnames) { + + cerr<<"'"< '"<updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, true); } cerr<<"Done listing"<
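Review bot: The new `addNSECX` and `addNSEC3` declarations, like the existing `addNSEC`, leave the `mode` argument unexplained in the header; its meaning is given only in a block comment in packethandler.cc. A short comment above the three declarations, e.g. `// mode: 0 = NOERROR (NSEC starting at target), 1 = NXDOMAIN (NSEC from auth plus covering NSEC), 2 = ANY/direct NSEC request, 3 = covering NSEC in authority section`, saves callers a trip to the definition. For `addNSEC3`, the same comment should state that `nsec3param` must be the zone's own NSEC3PARAM record, since the hash parameters used here have to match what the zone publishes.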
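Review bot: In `orderZone`, `char tmp[]={0xab, 0xcd};` initializes a `char` array from values outside the range of a signed `char`, which is a narrowing conversion (a warning today, ill-formed with brace-init under C++11 where `char` is signed); `string salt("\xab\xcd", 2);` produces the same two bytes without the temporary array. The salt is also a hard-coded constant, while the packethandler.cc hunk in this commit derives both salt and iterations from the zone's NSEC3PARAM record; ordering a zone with a salt or iteration count that differs from the served NSEC3PARAM yields hashes that will not match the NSEC3 chain, so `orderZone` should read the same record (the hash call inside the loop is garbled in this rendering, so which parameters it uses could not be confirmed). The `cerr` line inside the `BOOST_FOREACH` loop prints one line per name in the zone; acceptable for a one-off tool run, but it belongs behind a verbose flag before this path is relied on.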