From: Bert Hubert Date: Wed, 12 Jan 2011 16:30:48 +0000 (+0000) Subject: don't interleave DNSBackend::lookup and ::getSOA! X-Git-Tag: auth-3.0~370 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0a791fc7b05737c261e15f6831f00a0fcea70532;p=pdns don't interleave DNSBackend::lookup and ::getSOA! Plus don't add NSEC to the RRSIG set for explicit RRSIG queries for NSEC3 zones. git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1877 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index fca25b115..ef6efbae7 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -602,14 +602,14 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after); - cerr<<"Done calling for closest encloser, before='"<qdomain; hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); getNSEC3Hashes(narrow, sd.db,sd.domain_id, hashed, true, unhashed, before, after); - cerr<<"Done calling for main, before='"<qdomain, p); - typedef map > > records_t; records_t records; @@ -943,6 +941,7 @@ void PacketHandler::synthesiseRRSIGs(DNSPacket* p, DNSPacket* r) getAuth(p, &sd, p->qdomain, 0); rr.ttl=sd.default_ttl; + B.lookup(QType(QType::ANY), p->qdomain, p); while(B.get(rr)) { if(!rr.auth) 
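Review bot: In the `@@ -943,6 +941,7 @@` hunk of synthesiseRRSIGs, `B.lookup(QType(QType::ANY), p->qdomain, p);` now has to run after `getAuth(p, &sd, p->qdomain, 0)`, but nothing at the call site records that ordering constraint. Going by the commit title, getAuth() presumably reaches DNSBackend::getSOA, and a lookup that is still open at that point can have its result set disturbed. A later reorder would then quietly change which records reach the signing loop. I would put a comment above the call, for example `// must follow getAuth(): the backend cannot keep a lookup() open while getSOA() runs`. The `while(B.get(rr))` loop continues past the end of the hunk.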
@@ -963,22 +962,27 @@ void PacketHandler::synthesiseRRSIGs(DNSPacket* p, DNSPacket* r) records[rr.qtype.getCode()].push_back(drc); nrc.d_set.insert(rr.qtype.getCode()); } - - // now get the NSEC too (since we must sign it!) - string before,after; - sd.db->getBeforeAndAfterNames(sd.domain_id, sd.qname, p->qdomain, before, after); - - nrc.d_next=after; - - rr.qname=p->qdomain; - // rr.ttl is already set.. we hope - rr.qtype=QType::NSEC; - rr.content=nrc.getZoneRepresentation(); - - records[QType::NSEC].push_back(shared_ptr(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content))); - - // ok, the NSEC is in.. - + bool narrow; + NSEC3PARAMRecordContent ns3pr; + bool doNSEC3= d_dk.getNSEC3PARAM(sd.qname, &ns3pr, &narrow); + if(doNSEC3) { + cerr<<"We don't yet add NSEC3 to explicit RRSIG queries correctly yet! (narrow="<getBeforeAndAfterNames(sd.domain_id, sd.qname, p->qdomain, before, after); + + nrc.d_next=after; + + rr.qname=p->qdomain; + // rr.ttl is already set.. we hope + rr.qtype=QType::NSEC; + rr.content=nrc.getZoneRepresentation(); + records[QType::NSEC].push_back(shared_ptr(DNSRecordContent::mastermake(rr.qtype.getCode(), 1, rr.content))); + + // ok, the NSEC is in.. + } cerr<<"Have "<qdomain;
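Review bot: The new `if(doNSEC3)` branch in the `@@ -963,22 +962,27 @@` hunk writes to `cerr` on every explicit RRSIG query for an NSEC3 zone, so any client that can query the server produces one stderr line per query. The same commit removes two comparable `cerr` debug lines from addNSEC3, so this one should go through the daemon's logger at a debug level or become a `// TODO: add NSEC3 for explicit RRSIG queries` comment. `bool narrow;` is declared uninitialized and then printed; unless getNSEC3PARAM always sets it when it returns true, which the hunk does not show, declare it as `bool narrow=false;`. The body of synthesiseRRSIGs continues outside the hunk.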