From: Bert Hubert Date: Thu, 17 Feb 2011 09:59:21 +0000 (+0000) Subject: add ability to do TSIG signed AXFR requests by setting AXFR-MASTER-TSIG domainmetadat... X-Git-Tag: auth-3.0~213 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=29b92d6f2f93eee04cb0462598958595136a40a6;p=pdns add ability to do TSIG signed AXFR requests by setting AXFR-MASTER-TSIG domainmetadata setting to a TSIG keyname Does not yet verify responses! git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2035 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index 6122ab77e..8aa07c6ab 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc @@ -352,3 +352,18 @@ bool DNSSECKeeper::TSIGGrantsAccess(const string& zone, const string& keyname, c } return false; } + +bool DNSSECKeeper::getTSIGForAcces(const string& zone, const string& master, string* keyname) +{ + vector keynames; + d_keymetadb.getDomainMetadata(zone, "AXFR-MASTER-TSIG", keynames); + keyname->clear(); + + // XXX FIXME this should check for a specific master! + BOOST_FOREACH(const string& dbkey, keynames) { + *keyname=dbkey; + + return true; + } + return false; +} diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc index 4a28cab4e..0dfe9c9c3 100644 --- a/pdns/dnssecinfra.cc +++ b/pdns/dnssecinfra.cc @@ -442,9 +442,6 @@ string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigOff return message; } - - - void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const string& tsigkeyname, const string& tsigsecret, const string& tsigprevious, bool timersonly) { string toSign; diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh index d93c0f877..1c3c43a32 100644 --- a/pdns/dnsseckeeper.hh +++ b/pdns/dnsseckeeper.hh 
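Review bot: The `master` parameter of getTSIGForAcces is never read, so the first AXFR-MASTER-TSIG entry is handed back for every master of the zone; the XXX FIXME admits this, but the declaration should carry it too, e.g. `// NOTE: master is currently ignored; returns the zone's first AXFR-MASTER-TSIG key, if any`, so callers (the slavecommunicator.cc hunk reads the result as "the key for this remote") do not assume per-master selection. The BOOST_FOREACH that returns on its first iteration is really a front() check; `if(keynames.empty()) return false;` / `*keyname = keynames.front();` / `return true;` says the same thing without a loop a reader has to disprove. The name carries a typo (`getTSIGForAcces`), repeated in the dnsseckeeper.hh and slavecommunicator.cc hunks; since the function is new in this commit, renaming it to `getTSIGForAccess` now costs nothing.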
@@ -55,6 +55,7 @@ public: void unsetPresigned(const std::string& zname); bool TSIGGrantsAccess(const string& zone, const string& keyname, const string& algorithm); + bool getTSIGForAcces(const string& zone, const string& master, string* keyname); private: void getFromMeta(const std::string& zname, const std::string& key, std::string& value); diff --git a/pdns/resolver.cc b/pdns/resolver.cc index 55a782f91..28d69f48c 100644 --- a/pdns/resolver.cc +++ b/pdns/resolver.cc @@ -295,7 +295,7 @@ void Resolver::getSoaSerial(const string &ipport, const string &domain, uint32_t *serial=(uint32_t)atol(parts[2].c_str()); } -AXFRRetriever::AXFRRetriever(const ComboAddress& remote, const string& domain) +AXFRRetriever::AXFRRetriever(const ComboAddress& remote, const string& domain, const string& tsigkeyname, const string& tsigalgorithm, const string& tsigsecret) { ComboAddress local; if(remote.sin4.sin_family == AF_INET) @@ -315,6 +315,16 @@ AXFRRetriever::AXFRRetriever(const ComboAddress& remote, const string& domain) DNSPacketWriter pw(packet, domain, QType::AXFR); pw.getHeader()->id = dns_random(0xffff); + if(!tsigkeyname.empty()) { + TSIGRecordContent trc; + trc.d_algoName = tsigalgorithm + ".sig-alg.reg.int."; + trc.d_time = time(0); + trc.d_fudge = 300; + trc.d_origID=ntohs(pw.getHeader()->id); + trc.d_eRcode=0; + addTSIG(pw, &trc, tsigkeyname, tsigsecret, "", false); + } + uint16_t replen=htons(packet.size()); Utility::iovec iov[2]; iov[0].iov_base=(char*)&replen; diff --git a/pdns/resolver.hh b/pdns/resolver.hh index b5315cb74..1a2c34ee6 100644 --- a/pdns/resolver.hh +++ b/pdns/resolver.hh @@ -82,7 +82,7 @@ private: class AXFRRetriever : public boost::noncopyable { public: - AXFRRetriever(const ComboAddress& remote, const string& zone); + AXFRRetriever(const ComboAddress& remote, const string& zone, const string& tsigkeyname=string(), const string& tsigalgorithm=string(), const string& tsigsecret=string()); int getChunk(Resolver::res_t &res); private: 
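Review bot: The TSIG algorithm name in the AXFRRetriever constructor is built as `tsigalgorithm + ".sig-alg.reg.int."`, which is the RFC 2845 spelling for HMAC-MD5 only; the SHA-family algorithms of RFC 4635 (hmac-sha1, hmac-sha256, …) are named bare, so a backend-stored algorithm other than hmac-md5 would presumably yield a name the master does not recognise. I cannot see how the backend stores the algorithm, so either the suffix should be applied only when the stored value is hmac-md5, or a comment should state that only hmac-md5 keys are supported here, e.g. `// only "hmac-md5" is expected here: the .sig-alg.reg.int. suffix is specific to it`. The commit message says responses are not yet verified, and nothing in this hunk checks the AXFR reply's TSIG; a one-line comment at the signing block, `// signs the request only; the response TSIG is not verified yet`, keeps the next reader from crediting this path with mutual authentication. `trc.d_fudge = 300;` is a bare magic constant and deserves a name or a comment giving its unit (seconds of allowed clock skew).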
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 28cbc6736..baa07c35f 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -35,6 +35,7 @@ #include "packetcache.hh" #include #include +#include "base64.hh" #include "inflighter.cc" #include "namespaces.hh" @@ -69,9 +70,6 @@ void CommunicatorClass::suck(const string &domain,const string &remote) di.backend=0; bool first=true; try { - ComboAddress raddr(remote, 53); - AXFRRetriever retriever(raddr, domain.c_str()); - UeberBackend *B=dynamic_cast(P.getBackend()); NSEC3PARAMRecordContent ns3pr; bool narrow; @@ -100,6 +98,18 @@ void CommunicatorClass::suck(const string &domain,const string &remote) Resolver::res_t recs; set nsset, qnames; + + ComboAddress raddr(remote, 53); + + string tsigkeyname, tsigalgorithm, tsigsecret; + + if(dk.getTSIGForAcces(domain, remote, &tsigkeyname)) { + string tsigsecret64; + B->getTSIGKey(tsigkeyname, &tsigalgorithm, &tsigsecret64); + B64Decode(tsigsecret64, tsigsecret); + } + AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret); + while(retriever.getChunk(recs)) { if(first) { L<