From: Kees Monshouwer
Date: Fri, 30 Mar 2018 14:57:43 +0000 (+0200)
Subject: auth: avoid an isane amount of new backend connections during an AXFR
X-Git-Tag: auth-4.1.2~15^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a5fc844392c271d8bed580b613e1de1de1b4dd73;p=pdns

auth: avoid an isane amount of new backend connections during an AXFR

(cherry picked from commit ea99d4743de9184c0d9b173df09388ec981fe98a)
---

diff --git a/pdns/signingpipe.cc b/pdns/signingpipe.cc
index 2f8a2acd6..0cc8def1b 100644
--- a/pdns/signingpipe.cc
+++ b/pdns/signingpipe.cc
@@ -270,8 +270,8 @@ unsigned int ChunkedSigningPipe::getReady() const
 void ChunkedSigningPipe::worker(int fd)
 try {
- DNSSECKeeper dk;
 UeberBackend db("key-only");
+ DNSSECKeeper dk(&db);
 chunk_t* chunk = nullptr;
 int res;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index eece6994f..d2491f79f 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -439,7 +439,7 @@ bool TCPNameserver::canDoAXFR(shared_ptr q)
 }
 }
- DNSSECKeeper dk;
+ DNSSECKeeper dk(s_P->getBackend());
 if (q->d_tsig_algo == TSIG_GSS) {
 vector princs;
@@ -577,6 +577,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 s_P=new PacketHandler;
 }
+ // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
 if (!canDoAXFR(q)) {
 L<getRemote()<<" cannot request AXFR"<setRcode(RCode::NotAuth);
@@ -584,7 +585,6 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 return 0;
 }
- // canDoAXFR does all the ACL checks, and has the if(disable-axfr) shortcut, call it first.
 if(!s_P->getBackend()->getSOAUncached(target, sd)) {
 L<setRcode(RCode::NotAuth);
@@ -601,7 +601,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou
 return 0;
 }
- DNSSECKeeper dk;
+ DNSSECKeeper dk(&db);
 dk.clearCaches(target);
 bool securedZone = dk.isSecuredZone(target);
 bool presignedZone = dk.isPresigned(target);
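Review bot: `DNSSECKeeper dk(&db);` in ChunkedSigningPipe::worker now hands the keeper a pointer to the local `UeberBackend db("key-only")` declared on the line above, so the declaration order is the only thing keeping that pointer valid — db is destroyed after dk purely because it is constructed first. That ordering is easy to break in a later edit (moving db below dk, or letting dk escape the function), so a one-line comment would protect it: `// dk borrows db by pointer: db must be declared first so it outlives dk`. The same construction appears in the `@@ -601` hunk of pdns/tcpreceiver.cc, where `db` itself is declared outside the hunk — presumably an UeberBackend local of doAXFR; worth confirming it is declared before `dk` and is the same instance later passed to `getTSIGKey` and `addRRSigs`. worker's body continues outside the hunk.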
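Review bot: `DNSSECKeeper dk(s_P->getBackend());` in canDoAXFR dereferences the shared `s_P` with no lock visible in the hunk, whereas the `Lock l(&s_plock);` removed in the `@@ -638` hunk shows that other `s_P->getBackend()` accesses in doAXFR were taken under s_plock. canDoAXFR's body starts outside the hunk, so the lock may already be held by the caller (doAXFR calls canDoAXFR right after the `s_P=new PacketHandler;` block in the `@@ -577` hunk); if it is not, another thread replacing s_P would leave dk pointing at a backend being torn down while the ACL and TSIG checks that gate the zone transfer are still running. Either take the lock here, `Lock l(&s_plock);` immediately before the `DNSSECKeeper` line, or make the precondition explicit with `// precondition: caller holds s_plock; s_P is shared state` so the unlocked access is visibly intentional.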
@@ -638,8 +638,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr q, int ou if (algorithm == DNSName("hmac-md5.sig-alg.reg.int")) algorithm = DNSName("hmac-md5"); if (algorithm != DNSName("gss-tsig")) { - Lock l(&s_plock); - if(!s_P->getBackend()->getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { + if(!db.getTSIGKey(tsigkeyname, &algorithm, &tsig64)) { L< q, int ou } - UeberBackend signatureDB; - // SOA *must* go out first, our signing pipe might reorder DLOG(L<<"Sending out SOA"< q, int ou if(securedZone && !presignedZone) { set authSet; authSet.insert(target); - addRRSigs(dk, signatureDB, authSet, outpacket->getRRS()); + addRRSigs(dk, db, authSet, outpacket->getRRS()); } if(haveTSIGDetails && !tsigkeyname.empty())