From: Pieter Lexis Date: Fri, 6 Oct 2017 12:24:45 +0000 (+0200) Subject: Add checkNSEC3PARAM function X-Git-Tag: rec-4.1.0-rc2~36^2~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=68fd1167cda241453d6cfcb9a805c4c3d9977242;p=pdns Add checkNSEC3PARAM function
---
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 514043216..76088ba8a 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -291,14 +291,37 @@ bool DNSSECKeeper::getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent*
 return true;
 }
 
-bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
+/*
+ * Check is the provided NSEC3PARAM record is something we can work with
+ *
+ * \param ns3p NSEC3PARAMRecordContent to check
+ * \param msg string to fill with an error message
+ * \return true on valid, false otherwise
+ */
+bool DNSSECKeeper::checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg)
 {
 static int maxNSEC3Iterations=::arg().asNum("max-nsec3-iterations");
- if (ns3p.d_iterations > maxNSEC3Iterations)
- throw runtime_error("Can't set NSEC3PARAM for zone '"+zname.toString()+"': number of NSEC3 iterations is above 'max-nsec3-iterations'");
+ bool ret = true;
+ if (ns3p.d_iterations > maxNSEC3Iterations) {
+ msg += "Number of NSEC3 iterations is above 'max-nsec3-iterations'.";
+ ret = false;
+ }
+
+ if (ns3p.d_algorithm != 1) {
+ if (!ret)
+ msg += ' ';
+ msg += "Invalid hash algorithm for NSEC3: '"+std::to_string(ns3p.d_algorithm)+"', the only valid value is '1'.";
+ ret = false;
+ }
+
+ return ret;
+}
 
- if (ns3p.d_algorithm != 1)
- throw runtime_error("Invalid hash algorithm for NSEC3: '"+std::to_string(ns3p.d_algorithm)+"' for zone '"+zname.toString()+"'. The only valid value is '1'");
+bool DNSSECKeeper::setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& ns3p, const bool& narrow)
+{
+ string error_msg = "";
+ if (!checkNSEC3PARAM(ns3p, error_msg))
+ throw runtime_error("NSEC3PARAMs provided for zone '"+zname.toString()+"' are invalid: " + error_msg);
 
 clearCaches(zname);
 string descr = ns3p.getZoneRepresentation();
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 12ba75480..2cecc5557 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
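Review bot: checkNSEC3PARAM reads only its two arguments and a function-local static, never instance state, so it could be declared `static bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);` in the dnsseckeeper.hh hunk, which would let callers validate a record before a DNSSECKeeper exists. The header comment should also say that the function appends to msg rather than overwriting it (the added `if (!ret) msg += ' ';` relies on that, and setNSEC3PARAM passes a fresh empty string), and "Check is the provided" reads as "Check if the provided". Because max-nsec3-iterations is the cap that bounds the hashing work a zone's NSEC3 settings can impose on the server, any other path that stores an NSEC3PARAM should be routed through this validator too, not only setNSEC3PARAM. Note that maxNSEC3Iterations is read from ::arg() once on first call, so a later change to that setting would not be seen; that behaviour is pre-existing, and the comparison's signedness depends on the declared type of d_iterations, which is not visible here.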
@@ -181,6 +181,7 @@ public:
 bool checkKeys(const DNSName& zname);
 bool getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
+ bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
 bool setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
 bool unsetNSEC3PARAM(const DNSName& zname);
 void clearAllCaches();