From: Bert Hubert
Date: Thu, 6 Jan 2011 12:38:31 +0000 (+0000)
Subject: Thanks to Roy Arends, actually make nsec3-narrow work, enable with 'pdnssec set-nsec3...
X-Git-Tag: auth-3.0~436
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=af3ffdf1a75d548ad9c9e95840d701b649dc3acd;p=pdns
Thanks to Roy Arends, actually make nsec3-narrow work, enable with 'pdnssec set-nsec3 "1 0 1 ab" narrow'. Another mode could be 'nsec3-narrow-empty-non-terminal', also appears to work
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1811 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index b3fe3c43a..d95daa68e 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -555,12 +555,29 @@ static void incrementHash(std::string& hash) // I wonder if this is correct, cmo
 }
 }
 
-bool PacketHandler::getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, string& unhashed, string& before, string& after)
+static void decrementHash(std::string& hash) // I wonder if this is correct, cmouse? ;-)
+{
+ if(hash.empty())
+ return;
+ for(string::size_type pos=hash.size(); pos; ) {
+ --pos;
+ unsigned char c = (unsigned char)hash[pos];
+ --c;
+ hash[pos] = (char) c;
+ if(c != 0xff)
+ break;
+ }
+}
+
+
+bool PacketHandler::getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after)
 {
 bool ret;
 if(narrow) { // nsec3-narrow
 ret=true;
 before=hashed;
+ if(decrement)
+ decrementHash(before);
 after=hashed;
 incrementHash(after);
 }
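Review bot: In the narrow branch of getNSEC3Hashes, `decrementHash(before)` does its arithmetic on the base32hex text of the hash rather than on the digest bytes, because the caller in addNSEC3 (next hunk) passes `hashed=toLower(toBase32Hex(...))`. A final character of `0` therefore becomes `/` and `a` becomes a backtick, neither of which is in the base32hex alphabet, and the existing `incrementHash(after)` has the same problem at `9` and `v`. If emitNSEC3 decodes these strings back to bytes (not visible in this diff), the synthesised NSEC3 for such names would carry an invalid or wrong interval and validating resolvers would treat the denial as bogus. I would decode first, apply the step to the raw bytes where the borrow and carry loops are meaningful, and re-encode, as sketched below on the assumption that fromBase32Hex is available next to toBase32Hex. The new `decrement` parameter also deserves a one-line comment, since the bare `true` at the addNSEC3 call site does not say what it selects; getNSEC3Hashes continues past the end of this hunk.

```cpp
  if(narrow) { // nsec3-narrow
    ret=true;
    // step the raw digest, not its base32hex text, so the result stays decodable
    string raw=fromBase32Hex(hashed);
    before=raw;
    if(decrement)
      decrementHash(before);
    before=toLower(toBase32Hex(before));
    after=raw;
    incrementHash(after);
    after=toLower(toBase32Hex(after));
    // … unchanged: closing brace and the non-narrow branch …
```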
@@ -583,28 +600,29 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c } cerr<<"salt in ph: '"<qdomain; hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed))); - getNSEC3Hashes(narrow, sd.db,sd.domain_id, hashed, unhashed, before, after); + getNSEC3Hashes(narrow, sd.db,sd.domain_id, hashed, true, unhashed, before, after); cerr<<"Done calling for main, before='"<d_dnssecOk) addNSECX(p, r, target, sd.qname, 1); - r->setRcode(RCode::NXDomain); + + r->setRcode(RCode::NXDomain); S.ringAccount("nxdomain-queries",p->qdomain+"/"+p->qtype.getName()); } diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh index d48497e57..97868db2e 100644 --- a/pdns/packethandler.hh +++ b/pdns/packethandler.hh @@ -102,7 +102,7 @@ private: void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode); void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, const std::string& auth, DNSPacket *r, int mode); void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const std::string& auth, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode); - bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, string& unhashed, string& before, string& after); + bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after); void synthesiseRRSIGs(DNSPacket* p, DNSPacket* r); void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd);