From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Thu, 13 May 2010 17:18:48 +0000 (+0000)
Subject: implement first ghetto nsec3 generation code - all wrong
X-Git-Tag: rec-3.3~87
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5c3bf2dbf241d5b8f3582a5a18e2425a9e8c1784;p=pdns

implement first ghetto nsec3 generation code - all wrong


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1615 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index c34cfe923..970c2a59d 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -244,20 +244,22 @@ GSQLBackend::GSQLBackend(const string &mode, const string &suffix)
 }
 
 bool GSQLBackend::updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth)
+{
+  string ins=toLower(labelReverse(makeRelative(qname, zonename)));
+  return this->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, ins, auth);
+}
+
+bool GSQLBackend::updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth)
 {
   char output[1024];
   // ordername='%s',auth=%d where name='%s' and domain_id='%d'
   
-  string ins=toLower(labelReverse(makeRelative(qname, zonename)));
-  snprintf(output, sizeof(output)-1, d_setOrderAuthQuery.c_str(), sqlEscape(ins).c_str(), auth, sqlEscape(qname).c_str(), domain_id);
+  snprintf(output, sizeof(output)-1, d_setOrderAuthQuery.c_str(), sqlEscape(ordername).c_str(), auth, sqlEscape(qname).c_str(), domain_id);
   cerr<<"sql: '"<<output<<"'\n";
   
   d_db->doCommand(output);
-
   return true;
 }
-
-
 bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& before, std::string& after)
 {
   cerr<<"gsql before/after called for id="<<id<<", qname="<<qname<<endl;
diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh
index 56b88c568..07224982e 100644
--- a/pdns/backends/gsql/gsqlbackend.hh
+++ b/pdns/backends/gsql/gsqlbackend.hh
@@ -41,6 +41,8 @@ public:
   void setNotified(uint32_t domain_id, uint32_t serial);
   virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& before, std::string& after);
   bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth);
+  virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth);
+
 
 private:
   string d_qname;
diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh
index d23637093..229b3be8c 100644
--- a/pdns/dnsbackend.hh
+++ b/pdns/dnsbackend.hh
@@ -87,6 +87,12 @@ public:
     return false;
   }
 
+  virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth)
+  {
+    return false;
+  }
+
+
   //! Initiates a list of the specified domain
   /** Once initiated, DNSResourceRecord objects can be retrieved using get(). Should return false
       if the backend does not consider itself responsible for the id passed.
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 8e772d10b..437c92153 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -464,6 +464,34 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c
   r->addRecord(rr);
 }
 
+void PacketHandler::emitNSEC3(NSEC3PARAMRecordContent *ns3rc, const std::string& auth, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode)
+{
+  cerr<<"We should emit NSEC3 '"<<toBase32Hex(begin)<<"' - ('"<<toNSEC3<<"') - '"<<toBase32Hex(end)<<"'"<<endl;
+  NSEC3RecordContent n3rc;
+  n3rc.d_set.insert(QType::RRSIG);
+  n3rc.d_set.insert(QType::NSEC3);
+  n3rc.d_salt=ns3rc->d_salt;
+  n3rc.d_iterations = ns3rc->d_iterations;
+  n3rc.d_algorithm = 1;
+
+  DNSResourceRecord rr;
+  B.lookup(QType(QType::ANY), begin);
+  while(B.get(rr)) {
+    n3rc.d_set.insert(rr.qtype.getCode());    
+  }
+  
+  n3rc.d_nexthash=end;
+
+  rr.qname=dotConcat(toBase32Hex(begin), auth);
+  rr.ttl=3600;
+  rr.qtype=QType::NSEC3;
+  rr.content=n3rc.getZoneRepresentation();
+  cerr<<"nsec3: '"<<rr.content<<"'"<<endl;
+  rr.d_place = (mode == 2 ) ? DNSResourceRecord::ANSWER: DNSResourceRecord::AUTHORITY;
+  rr.auth = true;
+  r->addRecord(rr);
+}
+
 
 
 
@@ -491,8 +519,21 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
   cerr<<"NSEC3 generator called!"<<endl;
   cerr<<nsec3param.content<<endl;
   NSEC3PARAMRecordContent *ns3rc=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, nsec3param.content));
-  cerr<<"NSEC3 hash, "<<ns3rc->d_iterations<<" iterations, salt '"<<makeHexDump(ns3rc->d_salt)<<"': "<<toBase32Hex(hashQNameWithSalt(ns3rc->d_iterations, ns3rc->d_salt, p->qdomain))<<endl;
-  
+  string hashed=toBase32Hex(hashQNameWithSalt(ns3rc->d_iterations, ns3rc->d_salt, p->qdomain));
+  cerr<<"NSEC3 hash, "<<ns3rc->d_iterations<<" iterations, salt '"<<makeHexDump(ns3rc->d_salt)<<"': "<<hashed<<endl;
+
+  SOAData sd;
+  sd.db = (DNSBackend*)-1;
+  if(!B.getSOA(auth, sd)) {
+    cerr<<"Could not get SOA for domain in NSEC3\n";
+    return;
+  }
+
+  string before,after;
+  cerr<<"Calling getBeforeandAfterAbsolute!"<<endl;
+  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, before, after); 
+  cerr<<"Done calling, before='"<<before<<"', after='"<<after<<"'"<<endl;
+  emitNSEC3( ns3rc, auth, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
 }
 
 void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode)
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index b7c1a4027..3c131cbc1 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -47,6 +47,7 @@ using namespace std;
     a complete reply.
 
 */
+class NSEC3PARAMRecordContent;
 
 class PacketHandler
 {
@@ -98,6 +99,8 @@ private:
   void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
   void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const DNSResourceRecord& nsec3param, int mode);
   void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, DNSPacket *r, int mode);
+  void emitNSEC3(NSEC3PARAMRecordContent *ns3rc, const std::string& auth, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
+
   void synthesiseRRSIGs(DNSPacket* p, DNSPacket* r);
   void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd);
   void makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd);
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index e7c4f23e8..b09ddae65 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -116,9 +116,10 @@ void orderZone(const std::string& zone)
   salt.assign(tmp, 2);
   BOOST_FOREACH(const string& qname, qnames)
   {
-    
-    cerr<<"'"<<qname<<"' -> '"<<toBase32Hex(hashQNameWithSalt(100, salt, qname)) <<"'"<<endl;
-    sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, true);
+    string hashed=toBase32Hex(hashQNameWithSalt(100, salt, qname));
+    cerr<<"'"<<qname<<"' -> '"<< hashed <<"'"<<endl;
+	sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, true);
+    // sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, true);
   }
   cerr<<"Done listing"<<endl;
 }