From: Kees Monshouwer Date: Tue, 13 Oct 2015 19:17:33 +0000 (+0200) Subject: add global soa-edit settings X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4192773a2f2fc76fe0356684c2d25cdd68f706e5;p=pdns add global soa-edit settings
---
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 89d45d471..54142fce2 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -144,6 +144,8 @@ void declareArguments()
 ::arg().set("soa-refresh-default","Default SOA refresh")="10800";
 ::arg().set("soa-retry-default","Default SOA retry")="3600";
 ::arg().set("soa-expire-default","Default SOA expire")="604800";
+ ::arg().set("default-soa-edit","Default SOA-EDIT value")="";
+ ::arg().set("default-soa-edit-signed","Default SOA-EDIT value for signed zones")="";
 ::arg().set("trusted-notification-proxy", "IP address of incoming notification proxy")="";
 ::arg().set("slave-renotify", "If we should send out notifications for slaved updates")="no";
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 1ea6e6172..d56f27108 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -215,6 +215,23 @@ void DNSSECKeeper::getFromMeta(const DNSName& zname, const std::string& key, std
 }
 }
+void DNSSECKeeper::getSoaEdit(const DNSName& zname, std::string& value)
+{
+ static const string soaEdit(::arg()["default-soa-edit"]);
+ static const string soaEditSigned(::arg()["default-soa-edit-signed"]);
+
+ getFromMeta(zname, "SOA-EDIT", value);
+
+ if ((!soaEdit.empty() || !soaEditSigned.empty()) && value.empty() && !isPresigned(zname)) {
+ if (!soaEditSigned.empty() && isSecuredZone(zname))
+ value=soaEditSigned;
+ if (value.empty())
+ value=soaEdit;
+ }
+
+ return;
+}
+
 uint64_t DNSSECKeeper::dbdnssecCacheSizes(const std::string& str)
 {
 if(str=="meta-cache-size") {
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index b5bb66c88..7225fbbac 100644
--- a/pdns/dnsseckeeper.hh
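Review bot: `DNSSECKeeper::getSoaEdit` in pdns/dbdnsseckeeper.cc copies `default-soa-edit` and `default-soa-edit-signed` into function-local `static const string`s, so the values are fixed at the first call, and nothing in the visible hunks checks them against the SOA-EDIT kinds the serial code accepts. A mistyped default would then be handed to every zone that has no SOA-EDIT metadata of its own; how `calculateEditSOA` treats an unknown kind is not visible on this page, so it would be safer to validate both settings once at startup, next to the new `::arg().set(...)` lines in `declareArguments()`, and refuse an unrecognised value. The function also deserves a comment stating the precedence it implements, for example `// per-zone SOA-EDIT metadata wins; otherwise default-soa-edit-signed for secured zones, then default-soa-edit; presigned zones never receive a default`. The trailing `return;` is redundant and can be dropped.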
+++ b/pdns/dnsseckeeper.hh @@ -109,6 +109,7 @@ public: } void getFromMeta(const DNSName& zname, const std::string& key, std::string& value); + void getSoaEdit(const DNSName& zname, std::string& value); private: diff --git a/pdns/pdns.conf-dist b/pdns/pdns.conf-dist index 4640c1573..962b705bb 100644 --- a/pdns/pdns.conf-dist +++ b/pdns/pdns.conf-dist @@ -84,6 +84,16 @@ # # default-ksk-size=0 +################################# +# default-soa-edit Default SOA-EDIT value +# +# default-soa-edit= + +################################# +# default-soa-edit-signed Default SOA-EDIT value for signed zones +# +# default-soa-edit-signed= + ################################# # default-soa-mail mail address to insert in the SOA record if none set in the backend # diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc index 5d07969fd..b13b97832 100644 --- a/pdns/pdnssec.cc +++ b/pdns/pdnssec.cc @@ -141,6 +141,8 @@ void loadMainConfig(const std::string& configdir) ::arg().set("default-ksk-size","Default KSK size (0 means default)")="0"; ::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256"; ::arg().set("default-zsk-size","Default ZSK size (0 means default)")="0"; + ::arg().set("default-soa-edit","Default SOA-EDIT value")=""; + ::arg().set("default-soa-edit-signed","Default SOA-EDIT value for signed zones")=""; ::arg().set("max-ent-entries", "Maximum number of empty non-terminals in a zone")="100000"; ::arg().set("module-dir","Default directory for modules")=PKGLIBDIR; ::arg().set("entropy-source", "If set, read entropy from this file")="/dev/urandom"; @@ -686,9 +688,14 @@ int increaseSerial(const DNSName& zone, DNSSECKeeper &dk) cout<<"No SOA for zone '"<lookup(QType(QType::SOA), zone); vector rrs; diff --git a/pdns/rfc2136handler.cc b/pdns/rfc2136handler.cc index 093b8f46b..0214c9f2a 100644 --- a/pdns/rfc2136handler.cc +++ b/pdns/rfc2136handler.cc 
@@ -971,13 +971,13 @@ void PacketHandler::increaseSerial(const string &msgPrefix, const DomainInfo *di if (!soaEdit2136Setting.empty()) { soaEdit2136 = soaEdit2136Setting[0]; if (pdns_iequals(soaEdit2136, "SOA-EDIT") || pdns_iequals(soaEdit2136,"SOA-EDIT-INCREASE") ){ - vector soaEditSetting; - B.getDomainMetadata(di->zone, "SOA-EDIT", soaEditSetting); + string soaEditSetting; + d_dk.getSoaEdit(di->zone, soaEditSetting); if (soaEditSetting.empty()) { L<zone.toString() <<"\". Using DEFAULT for SOA-EDIT-DNSUPDATE"< q, int outsock) } string soaedit; - dk.getFromMeta(target, "SOA-EDIT", soaedit); + dk.getSoaEdit(target, soaedit); if (!rfc1982LessThan(serial, calculateEditSOA(sd, soaedit))) { TSIGRecordContent trc; DNSName tsigkeyname;