From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Thu, 8 Nov 2012 14:09:43 +0000 (+0000)
Subject: make us safe for serving a live-signed root (call us if you want to do this ;-))... 
X-Git-Tag: auth-3.2-rc1~15
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=8e90e4284aa143433cd6d0c424b460c2406e108f;p=pdns

make us safe for serving a live-signed root (call us if you want to do this ;-)). Ticket 614 reports a crash, I observed an exception. The exception should go away by this patch.


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2867 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 055becda4..b6fa71fa5 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -37,12 +37,12 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
   rrc.d_originalttl=signTTL; 
   rrc.d_siginception=getCurrentInception(3600); // 1 hour safety margin, we start dishing out new week after an hour
   rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
-  rrc.d_signer = toLower(signer);
+  rrc.d_signer = signer.empty() ? "." : toLower(signer);
   rrc.d_tag = 0;
   
   // we sign the RRSET in toSign + the rrc w/o hash
   
-  DNSSECKeeper::keyset_t keys = dk.getKeys(rrc.d_signer);
+  DNSSECKeeper::keyset_t keys = dk.getKeys(signer); // we don't want the . for the root!
   vector<DNSSECPrivateKey> KSKs, ZSKs;
   vector<DNSSECPrivateKey>* signingKeys;
   
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index c12cc5a24..e4637c1f6 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -587,12 +587,12 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
     uint32_t theirserial = ssr.d_freshness[di.id].theirSerial, ourserial = di.serial;
     
     if(rfc1982LessThan(theirserial, ourserial)) {
-      L<<Logger::Error<<"Domain "<<di.zone<<" more recent than master, our serial " << ourserial << " > their serial "<< theirserial << endl;
+      L<<Logger::Error<<"Domain '"<<di.zone<<"' more recent than master, our serial " << ourserial << " > their serial "<< theirserial << endl;
       di.backend->setFresh(di.id);
     }
     else if(theirserial == ourserial) {
       if(!dk.isPresigned(di.zone)) {
-        L<<Logger::Warning<<"Domain "<< di.zone<<" is fresh (not presigned, no RRSIG check)"<<endl;
+        L<<Logger::Warning<<"Domain '"<< di.zone<<"' is fresh (not presigned, no RRSIG check)"<<endl;
         di.backend->setFresh(di.id);
       }
       else {
@@ -607,17 +607,17 @@ void CommunicatorClass::slaveRefresh(PacketHandler *P)
           }
         }
         if(maxInception == ssr.d_freshness[di.id].theirInception && maxExpire == ssr.d_freshness[di.id].theirExpire) {
-          L<<Logger::Warning<<"Domain "<< di.zone<<" is fresh and apex RRSIGs match"<<endl;
+          L<<Logger::Warning<<"Domain '"<< di.zone<<"' is fresh and apex RRSIGs match"<<endl;
           di.backend->setFresh(di.id);
         }
         else {
-          L<<Logger::Warning<<"Domain "<< di.zone<<" is fresh, but RRSIGS differ, so DNSSEC stale"<<endl;
+          L<<Logger::Warning<<"Domain '"<< di.zone<<"' is fresh, but RRSIGS differ, so DNSSEC stale"<<endl;
           addSuckRequest(di.zone, *di.masters.begin());
         }
       }
     }
     else {
-      L<<Logger::Warning<<"Domain "<< di.zone<<" is stale, master serial "<<theirserial<<", our serial "<< ourserial <<endl;
+      L<<Logger::Warning<<"Domain '"<< di.zone<<"' is stale, master serial "<<theirserial<<", our serial "<< ourserial <<endl;
       addSuckRequest(di.zone, *di.masters.begin());
     }
   }