From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Fri, 19 Oct 2012 07:09:13 +0000 (+0000)
Subject: add bind presigned tests and fixes for them; most fixes by Kees Monshouwer
X-Git-Tag: auth-3.2-rc1~67
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b563f71b3352b62f4fc3c8f25638be54c8e01f25;p=pdns

add bind presigned tests and fixes for them; most fixes by Kees Monshouwer

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2815 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/backends/bind/bindbackend2.cc b/pdns/backends/bind/bindbackend2.cc
index adafd5792..5e95595fd 100644
--- a/pdns/backends/bind/bindbackend2.cc
+++ b/pdns/backends/bind/bindbackend2.cc
@@ -441,6 +441,7 @@ void Bind2Backend::insert(shared_ptr<State> stage, int id, const string &qnameu,
   bdr.qtype=qtype.getCode();
   bdr.content=content; 
   bdr.nsec3hash = hashed;
+  // cerr<<"qname '"<<bdr.qname<<"' nsec3hash '"<<hashed<<"' qtype '"<<qtype.getName()<<"'"<<endl;
   
   if (!qtype.getCode()) // Set auth on empty non-terminals
     bdr.auth=true;
@@ -620,7 +621,7 @@ void Bind2Backend::doEmptyNonTerminals(shared_ptr<State> stage, int id, bool nse
   uint32_t maxent = ::arg().asNum("max-ent-entries");
 
   BOOST_FOREACH(const Bind2DNSRecord& bdr, *bb2.d_records)
-    if (bdr.auth)
+    if (bdr.auth && (bdr.qtype != QType::RRSIG))
       qnames.insert(labelReverse(bdr.qname));
 
   BOOST_FOREACH(const string& qname, qnames)
@@ -646,7 +647,7 @@ void Bind2Backend::doEmptyNonTerminals(shared_ptr<State> stage, int id, bool nse
   }
 
   DNSResourceRecord rr;
-  rr.qtype="0";
+  rr.qtype="#0";
   rr.content="";
   rr.ttl=0;
   rr.priority=0;
@@ -752,8 +753,12 @@ void Bind2Backend::loadConfig(string* status)
             DNSResourceRecord rr;
             string hashed;
             while(zpt.get(rr)) {
-              if(nsec3zone)
-                hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+              if(nsec3zone) {
+                if(rr.qtype.getCode() != QType::NSEC3 && rr.qtype.getCode() != QType::RRSIG)
+                  hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+                else
+                  hashed="";
+              }
               insert(staging, bbd->d_id, rr.qname, rr.qtype, rr.content, rr.ttl, rr.priority, hashed);
             }
         
@@ -875,8 +880,12 @@ void Bind2Backend::queueReload(BB2DomainInfo *bbd)
     NSEC3PARAMRecordContent ns3pr;
     bool nsec3zone=getNSEC3PARAM(bbd->d_name, &ns3pr);
     while(zpt.get(rr)) {
-      if(nsec3zone)
-        hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+      if(nsec3zone) {
+        if(rr.qtype.getCode() != QType::NSEC3 && rr.qtype.getCode() != QType::RRSIG)
+          hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+        else
+          hashed="";
+      }
       insert(staging, bbd->d_id, rr.qname, rr.qtype, rr.content, rr.ttl, rr.priority, hashed);
     }
     // cerr<<"Start sort of "<<staging->id_zone_map[bbd->d_id].d_records->size()<<" records"<<endl;        
@@ -982,7 +991,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
       iter = hashindex.end();
     }
 
-    while(iter == hashindex.end() || !(iter->auth))
+    while(iter == hashindex.end() || !(iter->auth) || iter->nsec3hash.empty())
     {
       iter--;
       if(iter == hashindex.begin())
@@ -1000,7 +1009,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
       iter = hashindex.begin();
     }
 
-    while(!(iter->auth))
+    while(!(iter->auth) || iter->nsec3hash.empty())
     {
       iter++;
       if(iter == hashindex.end())
@@ -1030,8 +1039,9 @@ void Bind2Backend::lookup(const QType &qtype, const string &qname, DNSPacket *pk
   shared_ptr<State> state = s_state;
 
   name_id_map_t::const_iterator iditer;
-  while((iditer=state->name_id_map.find(domain)) == state->name_id_map.end() && chopOff(domain))
-    ;
+  do {
+    iditer=state->name_id_map.find(domain);
+  } while ((iditer == state->name_id_map.end() || (zoneId != iditer->second && zoneId != -1)) && chopOff(domain));
 
   if(iditer==state->name_id_map.end()) {
     if(mustlog)
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 040728757..d6611837b 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -358,7 +358,13 @@ bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const
 	DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL)
 {
   // cerr<<"Doing DB lookup for precomputed RRSIGs for '"<<(wildcardname.empty() ? qname : wildcardname)<<"'"<<endl;
-	db.lookup(QType(QType::RRSIG), wildcardname.empty() ? qname : wildcardname);
+	SOAData sd;
+	sd.db=(DNSBackend *)-1; // force uncached answer
+	if(!db.getSOA(signer, sd)) {
+		DLOG(L<<"Could not get SOA for domain"<<endl);
+		return false;
+	}
+	db.lookup(QType(QType::RRSIG), wildcardname.empty() ? qname : wildcardname, NULL, sd.domain_id);
 	DNSResourceRecord rr;
 	while(db.get(rr)) { 
 		// cerr<<"Considering for '"<<qtype.getName()<<"' RRSIG '"<<rr.content<<"'\n";
@@ -369,7 +375,7 @@ bool DNSSECKeeper::getPreRRSIGs(DNSBackend& db, const std::string& signer, const
 			if (!wildcardname.empty())
 				rr.qname = qname;
 			rr.d_place = (DNSResourceRecord::Place)signPlace;
-      rr.ttl = signTTL;
+			rr.ttl = signTTL;
 			rrsigs.push_back(rr);
 		}
 		else ; // cerr<<"Skipping!"<<endl;
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index d8a989c19..05237c6df 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -416,9 +416,9 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c
     nrc.d_set.insert(QType::DNSKEY);
 
   DNSResourceRecord rr;
-  B.lookup(QType(QType::ANY), begin);
+  B.lookup(QType(QType::ANY), begin, NULL, sd.domain_id);
   while(B.get(rr)) {
-    if(rr.domain_id == sd.domain_id && (rr.qtype.getCode() == QType::NS || rr.auth))
+    if(rr.qtype.getCode() == QType::NS || rr.auth)
       nrc.d_set.insert(rr.qtype.getCode());    
   }
   
diff --git a/regression-tests/ds-at-unsecure-zone-cut/skip.bind-dnssec b/regression-tests/ds-at-unsecure-zone-cut/skip.bind-dnssec
deleted file mode 100644
index e69de29bb..000000000
diff --git a/regression-tests/start-test-stop b/regression-tests/start-test-stop
index 2a3b60a14..8aa880d79 100755
--- a/regression-tests/start-test-stop
+++ b/regression-tests/start-test-stop
@@ -9,10 +9,11 @@ tosql ()
 
 bindwait ()
 {
+	configname=$1
 	domcount=$(grep -c zone named.conf)
 	while sleep 10
 	do
-		done=$( (../pdns/pdns_control --socket-dir=. --no-config bind-domain-status || true) | grep -c 'parsed into memory' || true )
+		done=$( (../pdns/pdns_control --config-name=$configname --socket-dir=. --no-config bind-domain-status || true) | grep -c 'parsed into memory' || true )
 		if [ $done = $domcount ]
 		then
 			return
@@ -89,7 +90,7 @@ case $context in
 			$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
 				--no-shuffle --launch=bind --bind-config=./named.conf       \
 				--bind-dnssec-db=./dnssec.sqlite3 \
-			 --send-root-referral    \
+			    --send-root-referral    \
 				--cache-ttl=0 --no-config &
 			bindwait
 			;;
@@ -409,50 +410,78 @@ export extracontexts
 export skipreasons
 export testsdir
 
-if [ $presigned = yes ] && [ ${context:0:6} = gmysql ]
+if [ $presigned = yes ]
 then
-	context=${context}-presigned
-	[ -z "$GMYSQL2DB" ] && GMYSQL2DB=pdnstest2
-	[ -z "$GMYSQL2USER" ] && GMYSQL2USER=root
-	[ -z "$GMYSQL2HOST" ] && GMYSQL2HOST=localhost
-	[ -z "$GMYSQL2PASSWD" ] && GMYSQL2PASSWD=''
-
-	mysqladmin --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" --force drop "$GMYSQL2DB" \
-		|| echo ignoring mysqladmin drop failure
-	mysqladmin --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" create "$GMYSQL2DB"
-	mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
-		"$GMYSQL2DB" < ../pdns/no-dnssec.schema.mysql.sql
-	mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
-		"$GMYSQL2DB" < ../pdns/dnssec.schema.mysql.sql
-
-	for zone in $(grep zone named.conf  | cut -f2 -d\")
-	do
+	if [ ${context:0:6} = gmysql ]
+	then
+		context=${context}-presigned
+		[ -z "$GMYSQL2DB" ] && GMYSQL2DB=pdnstest2
+		[ -z "$GMYSQL2USER" ] && GMYSQL2USER=root
+		[ -z "$GMYSQL2HOST" ] && GMYSQL2HOST=localhost
+		[ -z "$GMYSQL2PASSWD" ] && GMYSQL2PASSWD=''
+
+		mysqladmin --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" --force drop "$GMYSQL2DB" \
+			|| echo ignoring mysqladmin drop failure
+		mysqladmin --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" create "$GMYSQL2DB"
 		mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
-		"$GMYSQL2DB" \
-		-e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
-	done
-
-	port=$((port+100))
-
-	$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
-		--no-shuffle --launch=gmysql --gmysql-dnssec \
-		--fancy-records --send-root-referral \
-		--cache-ttl=0 --query-cache-ttl=0 --no-config --slave --retrieval-threads=1 \
-		--gmysql-dbname="$GMYSQL2DB" \
-		--gmysql-user="$GMYSQL2USER" \
-		--gmysql-host="$GMYSQL2HOST" \
-		--gmysql-password="$GMYSQL2PASSWD" \
-		--config-name=gmysql2 |& egrep -v "update records set ordername|insert into records" &
-	echo 'waiting for zones to be slaved'
-	while sleep 10
-	do
-		todo=$(mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQl2HOST" \
-			   "$GMYSQL2DB" -ss -e 'SELECT COUNT(id) FROM domains WHERE last_check IS NULL')
-		if [ $todo = 0 ]
-		then
-			break
-		fi
-	done
+			"$GMYSQL2DB" < ../pdns/no-dnssec.schema.mysql.sql
+		mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
+			"$GMYSQL2DB" < ../pdns/dnssec.schema.mysql.sql
+
+		for zone in $(grep zone named.conf  | cut -f2 -d\" | tac)
+		do
+			mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQL2HOST" \
+			"$GMYSQL2DB" \
+			-e "INSERT INTO domains (name, type, master) VALUES('$zone','SLAVE','127.0.0.1:$port')"
+		done
+
+		port=$((port+100))
+
+		$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
+			--no-shuffle --launch=gmysql --gmysql-dnssec \
+			--fancy-records --send-root-referral \
+			--cache-ttl=0 --query-cache-ttl=0 --no-config --slave --retrieval-threads=1 \
+			--gmysql-dbname="$GMYSQL2DB" \
+			--gmysql-user="$GMYSQL2USER" \
+			--gmysql-host="$GMYSQL2HOST" \
+			--gmysql-password="$GMYSQL2PASSWD" \
+			--config-name=gmysql2 |& egrep -v "update records set ordername|insert into records" &
+		echo 'waiting for zones to be slaved'
+		while sleep 10
+		do
+			todo=$(mysql --user="$GMYSQL2USER" --password="$GMYSQL2PASSWD" --host="$GMYSQl2HOST" \
+				   "$GMYSQL2DB" -ss -e 'SELECT COUNT(id) FROM domains WHERE last_check IS NULL')
+			if [ $todo = 0 ]
+			then
+				break
+			fi
+		done
+	elif [ ${context:0:4} = bind ]
+	then
+		context=${context}-presigned
+		sed -e 's/type master;/type slave;\n\tmasters { 127.0.0.1:'$port'; };/' -e 's/file "\([^"]\+\)/file "\1-slave/' < named.conf > named-slave.conf
+
+		for zone in $(grep zone named.conf  | cut -f2 -d\")
+		do
+			rm -rf $zone-slave
+		done
+		
+		rm -f dnssec-slave.sqlite3
+		../pdns/pdnssec --config-dir=. create-bind-db dnssec-slave.sqlite3
+		port=$((port+100))
+
+		$RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
+			--no-shuffle --launch=bind --bind-config=./named-slave.conf --slave         \
+			--send-root-referral --retrieval-threads=1  --config-name=bind-slave \
+			--cache-ttl=0 --no-config --bind-dnssec-db=./dnssec-slave.sqlite3 &
+		echo 'waiting for zones to be loaded'
+		bindwait bind-slave
+		echo 'reloading zones to work around metadata bug'
+		for zone in $(grep zone named.conf  | cut -f2 -d\")
+		do
+			../pdns/pdns_control --no-config --socket-dir=. --config-name=bind-slave bind-reload-now $zone
+		done
+	fi
 fi
 
 ## TODO: give pdns a few seconds to startup or fail, then check if it did not fail