From: Bert Hubert Date: Wed, 21 Apr 2010 09:33:32 +0000 (+0000) Subject: teach dnspacket.cc about dnssec, but #ifdef out the signing stuff for now X-Git-Tag: rec-3.3~142 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9c92ad4bee29bbb7b7738bef52e2b964455f9727;p=pdns teach dnspacket.cc about dnssec, but #ifdef out the signing stuff for now update Makefile to link in polarssl & compile the dnssecinfra and dnsseckeeper code git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1560 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 254e8d2ed..052d9502c 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -1,4 +1,4 @@ -AM_CXXFLAGS=-DSYSCONFDIR=\"@sysconfdir@\" -DLIBDIR=\"@libdir@\" -DLOCALSTATEDIR=\"@socketdir@\" -Ibackends/bind @THREADFLAGS@ -I/usr/include/lua5.1 +AM_CXXFLAGS=-DSYSCONFDIR=\"@sysconfdir@\" -DLIBDIR=\"@libdir@\" -DLOCALSTATEDIR=\"@socketdir@\" -Ibackends/bind @THREADFLAGS@ -I/usr/include/lua5.1 -I./polarssl-0.13.1/include AM_CPPFLAGS=-Ibackends/bind @THREADFLAGS@ EXTRA_DIST = docs/Makefile docs/expand \ @@ -42,10 +42,10 @@ base64.hh zoneparser-tng.cc dnsrecords.cc dnswriter.cc \ rcpgenerator.cc dnsparser.cc dns_random.hh aes/aescpp.h \ aes/aescrypt.c aes/aes.h aes/aeskey.c aes/aes_modes.c aes/aesopt.h \ aes/aestab.c aes/aestab.h aes/brg_endian.h aes/brg_types.h aes/dns_random.cc \ -randomhelper.cc namespaces.hh nsecrecords.cc base32.cc +randomhelper.cc namespaces.hh nsecrecords.cc base32.cc dnsseckeeper.cc dnssecinfra.cc # -pdns_server_LDFLAGS= @moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@ +pdns_server_LDFLAGS= @moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@ -Lpolarssl-0.13.1/library -lpolarssl -lboost_filesystem-mt sdig_SOURCES=sdig.cc sstuff.hh dnsparser.cc dnsparser.hh dnsrecords.cc dnswriter.cc dnswriter.hh \ misc.cc misc.hh rcpgenerator.cc rcpgenerator.hh base64.cc base64.hh unix_utility.cc \ diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc index 82c3dec07..cdc9b501c 100644 --- a/pdns/dnspacket.cc +++ b/pdns/dnspacket.cc @@ -1,6 +1,6 @@ /* PowerDNS Versatile Database Driven Nameserver - Copyright (C) 2001 - 2008 PowerDNS.COM BV + Copyright (C) 2001 - 2010 PowerDNS.COM BV This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as @@ -28,8 +28,10 @@ #include #include #include +#include #include - +#include +#include "dnsseckeeper.hh" #include "dns.hh" #include "dnsbackend.hh" #include "ahuexception.hh" @@ -39,6 +41,8 @@ #include "dnswriter.hh" #include "dnsparser.hh" #include "dnsrecords.hh" +#include +#include "dnssecinfra.hh" DNSPacket::DNSPacket() { @@ -46,6 +50,7 @@ DNSPacket::DNSPacket() d_compress=true; d_tcp=false; d_wantsnsid=false; + d_dnssecOk=false; } string DNSPacket::getString() @@ -92,7 +97,8 @@ DNSPacket::DNSPacket(const DNSPacket &orig) d_maxreplylen = orig.d_maxreplylen; d_ednsping = orig.d_ednsping; d_wantsnsid = orig.d_wantsnsid; - rrs=orig.rrs; + d_dnssecOk = orig.d_dnssecOk; + d_rrs=orig.d_rrs; d_wrapped=orig.d_wrapped; @@ -143,13 +149,13 @@ void DNSPacket::setOpcode(uint16_t opcode) void DNSPacket::clearRecords() { - rrs.clear(); + d_rrs.clear(); } void DNSPacket::addRecord(const DNSResourceRecord &rr) { if(d_compress) - for(vector::const_iterator i=rrs.begin();i!=rrs.end();++i) + for(vector::const_iterator i=d_rrs.begin();i!=d_rrs.end();++i) if(rr.qname==i->qname && rr.qtype==i->qtype && rr.content==i->content) { if(rr.qtype.getCode()!=QType::MX && rr.qtype.getCode()!=QType::SRV) return; @@ -157,7 +163,7 @@ void DNSPacket::addRecord(const DNSResourceRecord &rr) return; } - rrs.push_back(rr); + d_rrs.push_back(rr); } // the functions below update the 'arcount' and 'ancount', plus they serialize themselves to the stringbuffer @@ -244,8 +250,8 @@ vector DNSPacket::getAPRecords() { vector arrs; - for(vector::iterator i=rrs.begin(); - i!=rrs.end(); + for(vector::iterator i=d_rrs.begin(); + i!=d_rrs.end(); ++i) { if(i->d_place!=DNSResourceRecord::ADDITIONAL && @@ -260,11 +266,26 @@ vector DNSPacket::getAPRecords() } +vector DNSPacket::getAnswerRecords() +{ + vector arrs; + + for(vector::iterator i=d_rrs.begin(); + i!=d_rrs.end(); + ++i) + { + if(i->d_place!=DNSResourceRecord::ADDITIONAL) + arrs.push_back(&*i); + } + return arrs; +} + + void DNSPacket::setCompress(bool compress) { d_compress=compress; stringbuffer.reserve(65000); - rrs.reserve(200); + d_rrs.reserve(200); } bool DNSPacket::couldBeCached() @@ -287,19 +308,19 @@ void DNSPacket::wrapup(void) vector additional; - int ipos=rrs.size(); - rrs.resize(rrs.size()+additional.size()); - copy(additional.begin(), additional.end(), rrs.begin()+ipos); + int ipos=d_rrs.size(); + d_rrs.resize(d_rrs.size()+additional.size()); + copy(additional.begin(), additional.end(), d_rrs.begin()+ipos); // we now need to order rrs so that the different sections come at the right place // we want a stable sort, based on the d_place field - stable_sort(rrs.begin(),rrs.end(),rrcomp); + stable_sort(d_rrs.begin(),d_rrs.end(),rrcomp); static bool mustShuffle =::arg().mustDo("no-shuffle"); if(!d_tcp && !mustShuffle) { - shuffle(rrs); + shuffle(d_rrs); } d_wrapped=true; @@ -322,26 +343,69 @@ void DNSPacket::wrapup(void) opts.push_back(make_pair(4, d_ednsping)); } - if(!rrs.empty() || !opts.empty()) { + if(!d_rrs.empty() || !opts.empty()) { try { - for(pos=rrs.begin(); pos < rrs.end(); ++pos) { + string signQName, wildcardQName; + uint16_t signQType=0; + uint32_t signTTL=0; + DNSPacketWriter::Place signPlace=DNSPacketWriter::ANSWER; + vector > toSign; + + for(pos=d_rrs.begin(); pos < d_rrs.end(); ++pos) { // this needs to deal with the 'prio' mismatch! if(pos->qtype.getCode()==QType::MX || pos->qtype.getCode() == QType::SRV) { pos->content = lexical_cast(pos->priority) + " " + pos->content; } - pw.startRecord(pos->qname, pos->qtype.getCode(), pos->ttl, 1, (DNSPacketWriter::Place)pos->d_place); + if(!pos->content.empty() && pos->qtype.getCode()==QType::TXT && pos->content[0]!='"') { pos->content="\""+pos->content+"\""; } if(pos->content.empty()) // empty contents confuse the MOADNS setup pos->content="."; shared_ptr drc(DNSRecordContent::mastermake(pos->qtype.getCode(), 1, pos->content)); + +#if 0 + if(d_dnssecOk) { + if(pos != d_rrs.begin() && (signQType != pos->qtype.getCode() || signQName != pos->qname)) { + addSignature(::arg()["key-repository"], signQName, wildcardQName, signQType, signTTL, signPlace, toSign, pw); + } + signQName= pos->qname; + wildcardQName = pos->wildcardname; + signQType = pos ->qtype.getCode(); + signTTL = pos->ttl; + signPlace = (DNSPacketWriter::Place) pos->d_place; + if(pos->auth) + toSign.push_back(drc); + } +#endif + pw.startRecord(pos->qname, pos->qtype.getCode(), pos->ttl, 1, (DNSPacketWriter::Place)pos->d_place); + drc->toPacket(pw); + + if(!d_tcp && pw.size() + 20 > getMaxReplyLen()) { + cerr<<"Truncating!"<d_place == DNSResourceRecord::ANSWER) { + cerr<<"Set TC bit"<tc=1; } - if(!opts.empty()) - pw.addOpt(2800, 0, 0, opts); + goto noCommit; + + break; + } + } +#if 0 + if(d_dnssecOk && !(d_tcp && d_rrs.rbegin()->qtype.getCode() == QType::SOA && d_rrs.rbegin()->priority == 1234)) { + cerr<<"Last signature.. "<priority<<", "<qtype.getCode()<<", "<< d_rrs.size()<d_maxreplylen = d_maxreplylen; r->d_ednsping = d_ednsping; r->d_wantsnsid = d_wantsnsid; + r->d_dnssecOk = d_dnssecOk; return r; } @@ -456,10 +521,15 @@ try // ANY OPTION WHICH *MIGHT* BE SET DOWN BELOW SHOULD BE CLEARED FIRST! d_wantsnsid=false; + d_dnssecOk=false; d_ednsping.clear(); + if(getEDNSOpts(mdp, &edo)) { d_maxreplylen=max(edo.d_packetsize, (uint16_t)1280); + cerr< >::const_iterator iter = edo.d_options.begin(); iter != edo.d_options.end(); diff --git a/pdns/dnspacket.hh b/pdns/dnspacket.hh index e902c3ffa..662809195 100644 --- a/pdns/dnspacket.hh +++ b/pdns/dnspacket.hh @@ -133,6 +133,7 @@ public: void truncate(int new_length); // has documentation in source vector getAPRecords(); //!< get a vector with DNSResourceRecords that need additional processing + vector getAnswerRecords(); //!< get a vector with DNSResourceRecords that are answers void setCompress(bool compress); DNSPacket *replyPacket() const; //!< convenience function that creates a virgin answer packet to this question @@ -154,7 +155,7 @@ public: string qdomain; //!< qname of the question 4 - unsure how this is used bool d_tcp; - + bool d_dnssecOk; private: void pasteQ(const char *question, int length); //!< set the question of this packet, useful for crafting replies @@ -168,7 +169,8 @@ private: int d_maxreplylen; string d_ednsping; bool d_wantsnsid; - vector rrs; // 4 + + vector d_rrs; // 4 }; diff --git a/pdns/dnsparser.hh b/pdns/dnsparser.hh index 3f6cfa100..fdedb63c1 100644 --- a/pdns/dnsparser.hh +++ b/pdns/dnsparser.hh @@ -150,12 +150,14 @@ public: virtual std::string getZoneRepresentation() const = 0; virtual ~DNSRecordContent() {} virtual void toPacket(DNSPacketWriter& pw)=0; - virtual string serialize(const string& qname) // it would rock if this were const, but it is too hard + virtual string serialize(const string& qname, bool canonic=false) // it would rock if this were const, but it is too hard { vector packet; string empty; DNSPacketWriter pw(packet, empty, 1); - + if(canonic) + pw.setCanonic(true); + pw.startRecord(qname, d_qtype); this->toPacket(pw); pw.commit(); @@ -211,6 +213,17 @@ public: explicit DNSRecordContent(uint16_t type) : d_qtype(type) {} + + + DNSRecordContent& operator=(const DNSRecordContent& orig) + { + const_cast(d_qtype) = orig.d_qtype; // **COUGH** + label = orig.label; + header = orig.header; + return *this; + } + + const uint16_t d_qtype; protected: diff --git a/pdns/dnsrecords.hh b/pdns/dnsrecords.hh index 22273bc43..0369b845c 100644 --- a/pdns/dnsrecords.hh +++ b/pdns/dnsrecords.hh @@ -1,6 +1,6 @@ /* PowerDNS Versatile Database Driven Nameserver - Copyright (C) 2005 - 2009 PowerDNS.COM BV + Copyright (C) 2005 - 2010 PowerDNS.COM BV This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License version 2 as