From: Remi Gacogne Date: Wed, 8 Nov 2017 10:07:48 +0000 (+0100) Subject: auth: Add back missing output details to rectifyZone X-Git-Tag: auth-4.1.0-rc3~14^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=591026081de473cb8483ad380b62b78a9c9f4498;p=pdns auth: Add back missing output details to rectifyZone --- diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc index 063de10fb..c8369b21e 100644 --- a/pdns/dbdnsseckeeper.cc +++ b/pdns/dbdnsseckeeper.cc @@ -593,9 +593,10 @@ bool DNSSECKeeper::getTSIGForAccess(const DNSName& zone, const string& master, D * * \param zone The zone to rectify * \param error& A string where error messages are added + * \param info& A string where informational messages are added * \param doTransaction Whether or not to wrap the rectify in a transaction */ -bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, bool doTransaction) { +bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, string& info, bool doTransaction) { if (isPresigned(zone)) { error = "Rectify presigned zone '"+zone.toLogString()+"' is not allowed/necessary."; return false; @@ -620,6 +621,7 @@ bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, bool doTransa sd.db->list(zone, sd.domain_id); + ostringstream infostream; DNSResourceRecord rr; set qnames, nsset, dsnames, insnonterm, delnonterm; map nonterm; @@ -645,6 +647,25 @@ bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, bool doTransa bool haveNSEC3 = getNSEC3PARAM(zone, &ns3pr, &narrow); bool isOptOut = (haveNSEC3 && ns3pr.d_flags); + if(isSecuredZone(zone)) { + if(!haveNSEC3) { + infostream<<"Adding NSEC ordering information "; + } + else if(!narrow) { + if(!isOptOut) { + infostream<<"Adding NSEC3 hashed ordering information for '"< nsec3set; if (haveNSEC3 && !narrow) { for (auto &loopRR: rrs) { 
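Review bot: The new `\param info&` line in the rectifyZone doc comment says messages "are added", but the presigned branch visible in this hunk returns false without touching `info`, and the later hunk at the commit point does `info = infostream.str();`, which replaces whatever the caller passed in. The comment should state that contract, for example `* \param info& Overwritten with the informational messages when the rectify succeeds; not modified on failure`. Whether every failing path leaves it unmodified cannot be confirmed from here, because most of rectifyZone's body lies outside the hunks. If callers are meant to see the messages for a rectify that fails part-way, the assignment would also have to happen before each `return false`.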
@@ -707,10 +728,6 @@ bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, bool doTransa else if (realrr) // NSEC ordername=qname.makeRelative(zone); - /* - if(g_verbose) - cerr<<"'"< '"<< ordername <<"'"<updateDNSSECOrderNameAndAuth(sd.domain_id, qname, ordername, auth); if(realrr) @@ -778,6 +795,7 @@ bool DNSSECKeeper::rectifyZone(const DNSName& zone, string& error, bool doTransa if (doTransaction) sd.db->commitTransaction(); + info = infostream.str(); return true; } diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh index f6e7b678a..2a3f878dc 100644 --- a/pdns/dnsseckeeper.hh +++ b/pdns/dnsseckeeper.hh @@ -210,7 +210,7 @@ public: void getFromMeta(const DNSName& zname, const std::string& key, std::string& value); void getSoaEdit(const DNSName& zname, std::string& value); - bool rectifyZone(const DNSName& zone, std::string& error, bool doTransaction); + bool rectifyZone(const DNSName& zone, std::string& error, std::string& info, bool doTransaction); private: diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index 51fa742f0..3cc79e9e8 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc @@ -137,9 +137,13 @@ void loadMainConfig(const std::string& configdir) bool rectifyZone(DNSSECKeeper& dk, const DNSName& zone) { + string output; string error; - bool ret = dk.rectifyZone(zone, error, true); - if (!ret) { + bool ret = dk.rectifyZone(zone, error, output, true); + if (!output.empty()) { + cerr<getDomainMetadataOne(zonename, "API-RECTIFY", api_rectify); if (shouldRectify && dk.isSecuredZone(zonename) && !dk.isPresigned(zonename) && api_rectify == "1") { + string info; string error_msg = ""; - if (!dk.rectifyZone(zonename, error_msg, true)) + if (!dk.rectifyZone(zonename, error_msg, info, true)) throw ApiException("Failed to rectify '" + zonename.toString() + "' " + error_msg); } } 
@@ -1469,7 +1470,8 @@ static void apiServerZoneRectify(HttpRequest* req, HttpResponse* resp) {
 throw ApiException("Zone '" + zonename.toString() + "' is a slave zone, not rectifying.");
 string error_msg = "";
- if (!dk.rectifyZone(zonename, error_msg, true))
+ string info;
+ if (!dk.rectifyZone(zonename, error_msg, info, true))
 throw ApiException("Failed to rectify '" + zonename.toString() + "' " + error_msg);
 resp->setSuccessResult("Rectified");
@@ -1695,7 +1697,8 @@ static void patchZone(HttpRequest* req, HttpResponse* resp) {
 di.backend->getDomainMetadataOne(zonename, "API-RECTIFY", api_rectify);
 if (dk.isSecuredZone(zonename) && !dk.isPresigned(zonename) && api_rectify == "1") {
 string error_msg = "";
- if (!dk.rectifyZone(zonename, error_msg, false))
+ string info;
+ if (!dk.rectifyZone(zonename, error_msg, info, false))
 throw ApiException("Failed to rectify '" + zonename.toString() + "' " + error_msg);
 }
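Review bot: The `info` string filled by `dk.rectifyZone(zonename, error_msg, info, true)` in apiServerZoneRectify is never read afterwards, and the same holds for the `false` call in the patchZone hunk that follows, so the API paths discard the record of which ordering information (NSEC, NSEC3, opt-out) was written. For a request-triggered operation that rewrites DNSSEC ordering data, that detail is worth keeping in the server log next to the zone name, so that a later review of zone changes can see what was applied. If dropping it is intentional, a comment such as `// informational output is only shown by pdnsutil; the API neither returns nor logs it` beside `string info;` would make that clear. Both functions continue outside their hunks, so any later use of `info` there is not visible here.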