From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Thu, 6 Jan 2011 09:15:39 +0000 (+0000)
Subject: implement 'narrow' NSEC3 generation w/o consulting the database ordering, based on... 
X-Git-Tag: auth-3.0~437
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=22c5aa60dedb111bf9a65994f4e90ed3eff94006;p=pdns

implement 'narrow' NSEC3 generation w/o consulting the database ordering, based on an idea by Roy Arends & discussions with Dan Kaminsky.
This will probably have to be tuned further.


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1810 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 41aece34a..7e47cc4c4 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -99,10 +99,16 @@ void DNSSECKeeper::activateKey(const std::string& zname, unsigned int id)
   d_db.activateDomainKey(zname, id);
 }
 
-bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p)
+bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p, bool* narrow)
 {
-  
   vector<string> meta;
+  if(narrow) {
+    d_db.getDomainMetadata(zname, "NSEC3NARROW", meta);
+    *narrow=false;
+    if(!meta.empty() && meta[0]=="1")
+      *narrow=true;
+  }
+  meta.clear();
   d_db.getDomainMetadata(zname, "NSEC3PARAM", meta);
   
   if(meta.empty())
@@ -122,12 +128,17 @@ bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordConte
   return true;
 }
 
-void DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p)
+void DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
 {
   string descr = ns3p.getZoneRepresentation();
   vector<string> meta;
   meta.push_back(descr);
   d_db.setDomainMetadata(zname, "NSEC3PARAM", meta);
+  
+  meta.clear();
+  if(narrow)
+    meta.push_back("1");
+  d_db.setDomainMetadata(zname, "NSEC3NARROW", meta);
 }
 
 void DNSSECKeeper::unsetNSEC3PARAM(const std::string& zname)
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 00ec87752..1d117e662 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -116,8 +116,8 @@ public:
 
   void secureZone(const std::string& fname, int algorithm);
 
-  bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0);
-  void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p);
+  bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
+  void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
   void unsetNSEC3PARAM(const std::string& zname);
 };
 
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 00bcae353..b3fe3c43a 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -512,7 +512,7 @@ void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const std::
   rr.ttl=3600;
   rr.qtype=QType::NSEC3;
   rr.content=n3rc.getZoneRepresentation();
-  cerr<<"nsec3: '"<<rr.content<<"'"<<endl;
+  //cerr<<"nsec3: '"<<rr.content<<"'"<<endl;
   rr.d_place = (mode == 2 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
   rr.auth = true;
   r->addRecord(rr);
@@ -530,9 +530,10 @@ void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, c
 {
   NSEC3PARAMRecordContent ns3rc;
   cerr<<"Doing NSEC3PARAM lookup for '"<<auth<<"', "<<p->qdomain<<"|"<<p->qtype.getName()<<": ";
-  if(d_dk.getNSEC3PARAM(auth, &ns3rc))  {
-    cerr<<"Present"<<endl;
-    addNSEC3(p, r, target, auth, ns3rc, mode);
+  bool narrow;
+  if(d_dk.getNSEC3PARAM(auth, &ns3rc, &narrow))  {
+    cerr<<"Present, narrow="<<narrow<<endl;
+    addNSEC3(p, r, target, auth, ns3rc, narrow, mode);
   }
   else {
     cerr<<"Not present"<<endl;
@@ -540,7 +541,37 @@ void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, c
   }
 }
 
-void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const NSEC3PARAMRecordContent& ns3rc, int mode)
+static void incrementHash(std::string& hash) // I wonder if this is correct, cmouse? ;-)
+{
+  if(hash.empty())
+    return;
+  for(string::size_type pos=hash.size(); pos; ) {
+    --pos;
+    unsigned char c = (unsigned char)hash[pos];
+    ++c;
+    hash[pos] = (char) c;
+    if(c)
+      break;
+  }
+}
+
+bool PacketHandler::getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, string& unhashed, string& before, string& after)
+{
+  bool ret;
+  if(narrow) { // nsec3-narrow
+    ret=true;
+    before=hashed;
+    after=hashed;
+    incrementHash(after);
+  }
+  else {
+    ret=db->getBeforeAndAfterNamesAbsolute(id, hashed, unhashed, before, after);
+  }
+  // cerr<<"rgetNSEC3Hashes: "<<hashed<<", "<<unhashed<<", "<<before<<", "<<after<<endl;
+  return ret;
+}
+
+void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
 {
   string hashed;
   
@@ -550,25 +581,30 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     cerr<<"Could not get SOA for domain in NSEC3\n";
     return;
   }
-  cerr<<"salt in ph: '"<<makeHexDump(ns3rc.d_salt)<<"'"<<endl;
+  cerr<<"salt in ph: '"<<makeHexDump(ns3rc.d_salt)<<"', narrow="<<narrow<<endl;
   string unhashed, before,after;
   
   // now add the closest encloser
-  hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, auth)));
-  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, unhashed, before, after); 
+  unhashed=auth;
+  hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed)));
+  
+  getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, unhashed, before, after); 
   cerr<<"Done calling for closest encloser, before='"<<before<<"', after='"<<after<<"'"<<endl;
   emitNSEC3(ns3rc, auth, unhashed, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
   
   // now add the main nsec3
-  hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, p->qdomain)));
-  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, unhashed, before, after); 
+  unhashed = p->qdomain;
+  hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed)));
+  getNSEC3Hashes(narrow, sd.db,sd.domain_id,  hashed, unhashed, before, after); 
   cerr<<"Done calling for main, before='"<<before<<"', after='"<<after<<"'"<<endl;
   emitNSEC3( ns3rc, auth, unhashed, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
   
   
   // now add the *
-  hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, dotConcat("*", auth))));
-  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, unhashed, before, after); 
+  unhashed=dotConcat("*", auth);
+  hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed)));
+  
+  getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, unhashed, before, after); 
   cerr<<"Done calling for '*', before='"<<before<<"', after='"<<after<<"'"<<endl;
   emitNSEC3( ns3rc, auth, unhashed, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
 }
@@ -911,7 +947,7 @@ void PacketHandler::synthesiseRRSIGs(DNSPacket* p, DNSPacket* r)
     nrc.d_set.insert(rr.qtype.getCode());
   }
 
-  // now get the fucking NSEC too (since we must sign it!)
+  // now get the NSEC too (since we must sign it!)
 
   SOAData sd;
   sd.db=(DNSBackend *)-1; // force uncached answer
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 8197ee855..d48497e57 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -99,9 +99,10 @@ private:
   bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r);
   void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
   void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
-  void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, int mode);
+  void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
   void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, const std::string& auth, DNSPacket *r, int mode);
   void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const std::string& auth, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
+  bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, string& unhashed, string& before, string& after);
 
   void synthesiseRRSIGs(DNSPacket* p, DNSPacket* r);
   void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd);
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index cb882eebc..9c2b21125 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -218,12 +218,13 @@ try
     const string& zone=cmds[1];
 
     NSEC3PARAMRecordContent ns3pr;
-    dk.getNSEC3PARAM(zone, &ns3pr);
+    bool narrow;
+    dk.getNSEC3PARAM(zone, &ns3pr, &narrow);
     
     if(ns3pr.d_salt.empty()) 
       cerr<<"Zone has NSEC semantics"<<endl;
     else
-      cerr<<"Zone has hashed NSEC3 semantics, configuration: "<<ns3pr.getZoneRepresentation()<<endl;
+      cerr<<"Zone has " << (narrow ? "NARROW " : "") <<"hashed NSEC3 semantics, configuration: "<<ns3pr.getZoneRepresentation()<<endl;
     
     DNSSECKeeper::keyset_t keyset=dk.getKeys(zone);
 
@@ -309,9 +310,9 @@ try
   }
   else if(cmds[0]=="set-nsec3") {
     string nsec3params =  cmds.size() > 2 ? cmds[2] : "1 0 1 ab";
-      
+    bool narrow = cmds.size() > 3 && cmds[3]=="narrow";
     NSEC3PARAMRecordContent ns3pr(nsec3params);
-    dk.setNSEC3PARAM(cmds[1], ns3pr);
+    dk.setNSEC3PARAM(cmds[1], ns3pr, narrow);
   }
   else if(cmds[0]=="unset-nsec3") {
     dk.unsetNSEC3PARAM(cmds[1]);