From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Sun, 16 May 2010 21:00:34 +0000 (+0000)
Subject: implement 'NSEC3', and enable it for NXDOMAIN responses - other cases have yet to... 
X-Git-Tag: rec-3.3~86
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c3c893617c977a81b93b5ef90614930187d25279;p=pdns

implement 'NSEC3', and enable it for NXDOMAIN responses - other cases have yet to be hooked up.
Only works for generic mysql right now. To test, run 'echo 1 0 100 ABCD > ./keys/yourdomain/nsec3param'
And then run pdnssec order-zone yourdomain


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1616 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/modules/gmysqlbackend/gmysqlbackend.cc b/modules/gmysqlbackend/gmysqlbackend.cc
index 911d03f09..c52186231 100644
--- a/modules/gmysqlbackend/gmysqlbackend.cc
+++ b/modules/gmysqlbackend/gmysqlbackend.cc
@@ -88,7 +88,7 @@ public:
     declare(suffix,"insert-slave-query","", "insert into domains (type,name,master,account) values('SLAVE','%s','%s','%s')");
     declare(suffix,"insert-record-query","", "insert into records (content,ttl,prio,type,domain_id,name) values ('%s',%d,%d,'%s',%d,'%s')");
     
-    declare(suffix,"get-order-before-query","DNSSEC Ordering Query, before", "select max(ordername) from records where ordername < '%s' and auth=1 and domain_id=%d");
+    declare(suffix,"get-order-before-query","DNSSEC Ordering Query, before", "select ordername, name from records where ordername <= '%s' and auth=1 and domain_id=%d order by 1 desc limit 1");
     declare(suffix,"get-order-after-query","DNSSEC Ordering Query, afer", "select min(ordername) from records where ordername > '%s' and auth=1 and domain_id=%d");
     declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'");
     
diff --git a/pdns/backends/gsql/gsqlbackend.cc b/pdns/backends/gsql/gsqlbackend.cc
index 970c2a59d..8f2f1c605 100644
--- a/pdns/backends/gsql/gsqlbackend.cc
+++ b/pdns/backends/gsql/gsqlbackend.cc
@@ -260,25 +260,44 @@ bool GSQLBackend::updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std
   d_db->doCommand(output);
   return true;
 }
-bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& before, std::string& after)
+bool GSQLBackend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after)
 {
   cerr<<"gsql before/after called for id="<<id<<", qname="<<qname<<endl;
+  unhashed.clear(); before.clear(); after.clear();
   string lcqname=toLower(qname);
-
+  
   SSql::row_t row;
 
   char output[1024];
-  snprintf(output, sizeof(output)-1, d_afterOrderQuery.c_str(), sqlEscape(lcqname).c_str(), id);
+  string tmp=lcqname;
+
+retryAfter:
+  snprintf(output, sizeof(output)-1, d_afterOrderQuery.c_str(), sqlEscape(tmp).c_str(), id);
   
   d_db->doQuery(output);
   while(d_db->getRow(row)) {
     after=row[0];
   }
 
+  if(after.empty() && !tmp.empty()) {
+    cerr<<"Oops, have to pick the first, there as no last!"<<endl;
+    tmp.clear();
+    goto retryAfter;
+  }
+
+retryBefore:
+
   snprintf(output, sizeof(output)-1, d_beforeOrderQuery.c_str(), sqlEscape(lcqname).c_str(), id);
   d_db->doQuery(output);
   while(d_db->getRow(row)) {
     before=row[0];
+    unhashed=row[1];
+  }
+  
+  if(before.empty() && lcqname!="{") {
+    cerr<<"Oops, have to pick the last!"<<endl;
+    lcqname="{";
+    goto retryBefore;
   }
 
   return true;
diff --git a/pdns/backends/gsql/gsqlbackend.hh b/pdns/backends/gsql/gsqlbackend.hh
index 07224982e..51b9cec91 100644
--- a/pdns/backends/gsql/gsqlbackend.hh
+++ b/pdns/backends/gsql/gsqlbackend.hh
@@ -39,7 +39,7 @@ public:
   void getUpdatedMasters(vector<DomainInfo> *updatedDomains);
   bool getDomainInfo(const string &domain, DomainInfo &di);
   void setNotified(uint32_t domain_id, uint32_t serial);
-  virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& before, std::string& after);
+  virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after);
   bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth);
   virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth);
 
diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc
index ad2cdc4c7..9143d1b32 100644
--- a/pdns/dnsbackend.cc
+++ b/pdns/dnsbackend.cc
@@ -260,7 +260,8 @@ bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const std::string& zonename
   lcqname=makeRelative(qname, zonename);
   
   lcqname=labelReverse(lcqname);
-  bool ret = this->getBeforeAndAfterNamesAbsolute(id, lcqname, before, after);
+  string dnc;
+  bool ret = this->getBeforeAndAfterNamesAbsolute(id, lcqname, dnc, before, after);
   
   before=dotConcat(labelReverse(before), zonename);
   after=dotConcat(labelReverse(after), zonename);
diff --git a/pdns/dnsbackend.hh b/pdns/dnsbackend.hh
index 229b3be8c..eb30b06d4 100644
--- a/pdns/dnsbackend.hh
+++ b/pdns/dnsbackend.hh
@@ -74,7 +74,7 @@ public:
   virtual void lookup(const QType &qtype, const string &qdomain, DNSPacket *pkt_p=0, int zoneId=-1)=0; 
   virtual bool get(DNSResourceRecord &)=0; //!< retrieves one DNSResource record, returns false if no more were available
 
-  virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& before, std::string& after)
+  virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after)
   {
     std::cerr<<"Default beforeAndAfterAbsolute called!"<<std::endl;
     return false;
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index c1db21fe0..51e26a1f4 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -82,7 +82,7 @@ DNSKEYRecordContent getRSAKeyFromISC(rsa_context* rsa, const char* fname)
   drc.d_key.append(exponent);
   drc.d_key.append(modulus);
   drc.d_protocol=3;
-  drc.d_algorithm = 5;
+  drc.d_algorithm = 0; // should not be filled out here..
   fclose(fp);
   return drc;
 }
@@ -145,14 +145,14 @@ DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordCon
     sha2((unsigned char*)toHash.c_str(), toHash.length(), hash, 0);
 
   DSRecordContent dsrc;
-  dsrc.d_algorithm=5;
+  dsrc.d_algorithm= drc.d_algorithm;
   dsrc.d_digesttype=digest;
   dsrc.d_tag=const_cast<DNSKEYRecordContent&>(drc).getTag();
   dsrc.d_digest.assign((const char*)hash, digest == 1 ? 20 : 32);
   return dsrc;
 }
 
-DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc)
+DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc, uint8_t algorithm)
 {
   DNSKEYRecordContent drc;
   char tmp[256];
@@ -176,7 +176,7 @@ DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc)
   drc.d_key.append(modulus);
 
   drc.d_protocol=3;
-  drc.d_algorithm = 5;
+  drc.d_algorithm = algorithm;
 
   drc.d_flags=256 + (modulus.length()>128);  // oops, I just made this up..
 
@@ -246,6 +246,7 @@ void fillOutRRSIG(const std::string& keyrepodir, const std::string& signQName, R
 
   DNSKEYRecordContent drc =getDNSKEYFor(keyrepodir, rrc.d_signer, withKSK, &rc);
   rrc.d_tag = drc.getTag();
+  rrc.d_algorithm = drc.d_algorithm;
   
   if(g_rrsigs.count(make_pair(hash, rrc.d_tag))) {
     cerr<<"RRSIG cache hit !"<<endl;
@@ -285,7 +286,8 @@ int getRRSIGForRRSET(const std::string& keyrepodir, const std::string signQName,
     return -1;
 
   rrc.d_type=signQType;
-  rrc.d_algorithm=5;      // rsasha1
+
+  // d_algorithm gets filled out by fillOutRRSIG, since it  gets the key
   rrc.d_labels=countLabels(signQName); 
   rrc.d_originalttl=signTTL; 
   rrc.d_siginception=getCurrentInception();;
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 484865f59..6f33ad39d 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh
@@ -28,7 +28,7 @@ DNSKEYRecordContent getRSAKeyFromISC(rsa_context* rsa, const char* fname);
 void makeRSAPublicKeyFromDNS(rsa_context* rc, const DNSKEYRecordContent& dkrc);
 bool sharedDNSSECCompare(const boost::shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b);
 string getSHA1HashForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, std::vector<boost::shared_ptr<DNSRecordContent> >& signRecords);
-DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc);
+DNSKEYRecordContent makeDNSKEYFromRSAKey(rsa_context* rc, uint8_t algorithm);
 DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest=1);
 
 bool getSignerFor(const std::string& keyrepodir, const std::string& qname, std::string &signer);
diff --git a/pdns/dnsseckeeper.cc b/pdns/dnsseckeeper.cc
index 5e75ae88f..996767047 100644
--- a/pdns/dnsseckeeper.cc
+++ b/pdns/dnsseckeeper.cc
@@ -141,6 +141,53 @@ void DNSSECKeeper::deleteZSKFor(const std::string& zname, const std::string& fna
   unlink((d_dirname +"/"+ zname +"/zsks/"+fname).c_str());
 }
 
+bool DNSSECKeeper::getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* ns3p)
+{
+  fs::path full_path = fs::system_complete( fs::path(d_dirname + "/" + zname + "/nsec3param" ) );
+  ifstream ifs(full_path.external_directory_string().c_str());
+  cerr<<"called for nsec3param..."<<endl;
+  if(!ifs)
+    return false;
+    
+  if(ns3p) {
+    string descr;
+    getline(ifs, descr);
+    NSEC3PARAMRecordContent* tmp=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, descr));
+    if(!tmp) {
+      cerr<<"Could not parse "<< full_path.external_directory_string() <<endl;
+      cerr<<"descr: '"<<descr<<"'\n";
+    }
+    *ns3p = *tmp;
+    delete tmp;
+    
+    cerr<<"hmm salt: "<<makeHexDump(ns3p->d_salt)<<endl;
+/*
+    ns3p->d_algorithm=1;
+    ns3p->d_iterations= 100;
+    ns3p->d_salt.assign("\xab\xcd", 2);
+    ns3p->d_saltlength=2;
+    ns3p->d_flags=0;
+    */
+  }
+  return true;
+}
+
+void DNSSECKeeper::setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent* ns3p)
+{
+  fs::path full_path = fs::system_complete( fs::path(d_dirname + "/" + zname + "/nsec3param" ) );
+  if(ns3p) {
+    string descr = ns3p->getZoneRepresentation();
+    
+    
+    ofstream of(full_path.external_directory_string().c_str());
+    of << descr;
+  }
+  else {
+    unlink(full_path.external_directory_string().c_str());
+  }
+}
+
+
 DNSSECKeeper::zskset_t DNSSECKeeper::getZSKsFor(const std::string& zone, bool all)
 {
   zskset_t zskset;
@@ -160,6 +207,13 @@ DNSSECKeeper::zskset_t DNSSECKeeper::getZSKsFor(const std::string& zone, bool al
       //cerr<<"Hit!"<<endl;
       DNSSECPrivateKey dpk;
       getRSAKeyFromISC(&dpk.d_key.getContext(), dir_itr->path().file_string().c_str());
+
+      if(getNSEC3PARAM(zone)) {
+        dpk.d_algorithm = 7;
+      }
+      else {
+        dpk.d_algorithm = 5;
+      }
       
       struct tm ts1, ts2;
       
@@ -194,7 +248,7 @@ DNSSECKeeper::zskset_t DNSSECKeeper::getZSKsFor(const std::string& zone, bool al
 
 DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY()
 {
-  return makeDNSKEYFromRSAKey(&d_key.getContext());
+  return makeDNSKEYFromRSAKey(&d_key.getContext(), d_algorithm);
 }
 
 
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index f2b027218..3ac5b372c 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -76,6 +76,7 @@ struct DNSSECPrivateKey
   
   RSAContext d_key;
   DNSKEYRecordContent getDNSKEY();
+  uint8_t d_algorithm;
 };
 
 class DNSSECKeeper
@@ -97,8 +98,8 @@ public:
   void deleteZSKFor(const std::string& zname, const std::string& fname);
 
   void addZone(const std::string& fname);
-
-  
+  bool getNSEC3PARAM(const std::string& zname, NSEC3PARAMRecordContent* n3p=0);
+  void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent* n3p);
 
 private:
   std::string d_dirname;
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 437c92153..15792f55e 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -197,19 +197,19 @@ int PacketHandler::doFancyRecords(DNSPacket *p, DNSPacket *r, string &target)
   return 0;
 }
 
-/** This catches version requests. Returns 1 if it was handled, 0 if it wasn't */
+/** This catches DNSKEY requests. Returns 1 if it was handled, 0 if it wasn't */
 int PacketHandler::doDNSKEYRequest(DNSPacket *p, DNSPacket *r)
 {
+  if(p->qtype.getCode()!=QType::DNSKEY) 
+    return false;
+    
   DNSResourceRecord rr;
   DNSSECKeeper dk(::arg()["key-repository"]);
 
-  if(p->qtype.getCode()!=QType::DNSKEY) 
-    return false;
 
   bool haveOne=false;
   DNSSECPrivateKey dpk;
 
-
   if(dk.haveKSKFor(p->qdomain, &dpk)) {
     rr.qtype=QType::DNSKEY;
     rr.ttl=3600;
@@ -236,6 +236,29 @@ int PacketHandler::doDNSKEYRequest(DNSPacket *p, DNSPacket *r)
 }
 
 
+/** This catches DNSKEY requests. Returns 1 if it was handled, 0 if it wasn't */
+int PacketHandler::doNSEC3PARAMRequest(DNSPacket *p, DNSPacket *r)
+{
+  if(p->qtype.getCode()!=QType::NSEC3PARAM) 
+    return false;
+
+  DNSResourceRecord rr;
+  DNSSECKeeper dk(::arg()["key-repository"]);
+
+  NSEC3PARAMRecordContent ns3prc;
+  if(dk.getNSEC3PARAM(p->qdomain, &ns3prc)) {
+    rr.qtype=QType::NSEC3PARAM;
+    rr.ttl=3600;
+    rr.qname=p->qdomain;
+    rr.content=ns3prc.getZoneRepresentation(); 
+    rr.auth = true;
+    r->addRecord(rr);
+    return true;
+  }
+  return false;
+}
+
+
 /** This catches version requests. Returns 1 if it was handled, 0 if it wasn't */
 int PacketHandler::doVersionRequest(DNSPacket *p, DNSPacket *r, string &target)
 {
@@ -464,21 +487,25 @@ void PacketHandler::emitNSEC(const std::string& begin, const std::string& end, c
   r->addRecord(rr);
 }
 
-void PacketHandler::emitNSEC3(NSEC3PARAMRecordContent *ns3rc, const std::string& auth, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode)
+void PacketHandler::emitNSEC3(const NSEC3PARAMRecordContent& ns3prc, const std::string& auth, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode)
 {
   cerr<<"We should emit NSEC3 '"<<toBase32Hex(begin)<<"' - ('"<<toNSEC3<<"') - '"<<toBase32Hex(end)<<"'"<<endl;
   NSEC3RecordContent n3rc;
   n3rc.d_set.insert(QType::RRSIG);
-  n3rc.d_set.insert(QType::NSEC3);
-  n3rc.d_salt=ns3rc->d_salt;
-  n3rc.d_iterations = ns3rc->d_iterations;
-  n3rc.d_algorithm = 1;
+  n3rc.d_salt=ns3prc.d_salt;
+  n3rc.d_flags = 0;
+  n3rc.d_iterations = ns3prc.d_iterations;
+  n3rc.d_algorithm = 1; // ?
 
   DNSResourceRecord rr;
-  B.lookup(QType(QType::ANY), begin);
+  B.lookup(QType(QType::ANY), unhashed);
   while(B.get(rr)) {
     n3rc.d_set.insert(rr.qtype.getCode());    
   }
+
+  if(unhashed == auth) {
+    n3rc.d_set.insert(QType::NSEC3PARAM);
+  }
   
   n3rc.d_nexthash=end;
 
@@ -502,38 +529,46 @@ void PacketHandler::emitNSEC3(NSEC3PARAMRecordContent *ns3rc, const std::string&
 */
 void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode)
 {
+  DNSSECKeeper dk(::arg()["key-repository"]);
+  NSEC3PARAMRecordContent ns3rc;
   cerr<<"Doing NSEC3PARAM lookup for '"<<auth<<"'"<<endl;
-  B.lookup(QType(QType::NSEC3PARAM), auth, p);
-  DNSResourceRecord rr, nsec3param;
-  while(B.get(rr)) {
-    nsec3param = rr;
-  }
-  if(!nsec3param.qname.empty())
-    addNSEC3(p, r, target, auth, nsec3param, mode);
+  if(dk.getNSEC3PARAM(auth, &ns3rc)) 
+    addNSEC3(p, r, target, auth, ns3rc, mode);
   else
     addNSEC(p, r, target, auth, mode);
 }
 
-void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const DNSResourceRecord& nsec3param, int mode)
+void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const NSEC3PARAMRecordContent& ns3rc, int mode)
 {
-  cerr<<"NSEC3 generator called!"<<endl;
-  cerr<<nsec3param.content<<endl;
-  NSEC3PARAMRecordContent *ns3rc=dynamic_cast<NSEC3PARAMRecordContent*>(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, nsec3param.content));
-  string hashed=toBase32Hex(hashQNameWithSalt(ns3rc->d_iterations, ns3rc->d_salt, p->qdomain));
-  cerr<<"NSEC3 hash, "<<ns3rc->d_iterations<<" iterations, salt '"<<makeHexDump(ns3rc->d_salt)<<"': "<<hashed<<endl;
-
+  string hashed;
+  
   SOAData sd;
   sd.db = (DNSBackend*)-1;
   if(!B.getSOA(auth, sd)) {
     cerr<<"Could not get SOA for domain in NSEC3\n";
     return;
   }
-
-  string before,after;
-  cerr<<"Calling getBeforeandAfterAbsolute!"<<endl;
-  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, before, after); 
-  cerr<<"Done calling, before='"<<before<<"', after='"<<after<<"'"<<endl;
-  emitNSEC3( ns3rc, auth, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
+  cerr<<"salt in ph: '"<<makeHexDump(ns3rc.d_salt)<<"'"<<endl;
+  string unhashed, before,after;
+  
+  // now add the closest encloser
+  hashed=toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, auth));
+  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, unhashed, before, after); 
+  cerr<<"Done calling for closest encloser, before='"<<before<<"', after='"<<after<<"'"<<endl;
+  emitNSEC3(ns3rc, auth, unhashed, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
+  
+  // now add the main nsec3
+  hashed=toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, p->qdomain));
+  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, unhashed, before, after); 
+  cerr<<"Done calling for main, before='"<<before<<"', after='"<<after<<"'"<<endl;
+  emitNSEC3( ns3rc, auth, unhashed, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
+  
+  
+  // now add the *
+  hashed=toBase32Hex(hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, dotConcat("*", auth)));
+  sd.db->getBeforeAndAfterNamesAbsolute(sd.domain_id,  hashed, unhashed, before, after); 
+  cerr<<"Done calling for '*', before='"<<before<<"', after='"<<after<<"'"<<endl;
+  emitNSEC3( ns3rc, auth, unhashed, fromBase32Hex(before), fromBase32Hex(after), target, r, mode);
 }
 
 void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode)
@@ -1103,6 +1138,9 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     if(doDNSKEYRequest(p,r)) 
       goto sendit;
 
+    if(doNSEC3PARAMRequest(p,r)) 
+      goto sendit;
+
     if(doVersionRequest(p,r,target)) // catch version.bind requests
       goto sendit;
 
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
index 3c131cbc1..aa83882ba 100644
--- a/pdns/packethandler.hh
+++ b/pdns/packethandler.hh
@@ -91,15 +91,16 @@ private:
   int doFancyRecords(DNSPacket *p, DNSPacket *r, string &target);
   int doVersionRequest(DNSPacket *p, DNSPacket *r, string &target);
   int doDNSKEYRequest(DNSPacket *p, DNSPacket *r);
+  int doNSEC3PARAMRequest(DNSPacket *p, DNSPacket *r);
   bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
   bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
   int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r);
   bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r);
   void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
   void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
-  void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const DNSResourceRecord& nsec3param, int mode);
+  void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, int mode);
   void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, DNSPacket *r, int mode);
-  void emitNSEC3(NSEC3PARAMRecordContent *ns3rc, const std::string& auth, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
+  void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const std::string& auth, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
 
   void synthesiseRRSIGs(DNSPacket* p, DNSPacket* r);
   void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd);
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index b09ddae65..c71a8b902 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -89,10 +89,10 @@ void loadMainConfig()
   UeberBackend::go();
 }
 
-void orderZone(const std::string& zone)
+void orderZone(DNSSECKeeper& dk, const std::string& zone)
 {
   loadMainConfig();
-    
+  reportAllTypes();  
   UeberBackend* B = new UeberBackend("default");
   SOAData sd;
   
@@ -114,12 +114,19 @@ void orderZone(const std::string& zone)
   string salt;
   char tmp[]={0xab, 0xcd};
   salt.assign(tmp, 2);
+  
+  NSEC3PARAMRecordContent ns3pr;
+  dk.getNSEC3PARAM(zone, &ns3pr);
+  string hashed;
   BOOST_FOREACH(const string& qname, qnames)
   {
-    string hashed=toBase32Hex(hashQNameWithSalt(100, salt, qname));
-    cerr<<"'"<<qname<<"' -> '"<< hashed <<"'"<<endl;
-	sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, true);
-    // sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, true);
+    if(ns3pr.d_salt.empty()) // NSEC
+      sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, true);
+    else {
+      hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
+      cerr<<"'"<<qname<<"' -> '"<< hashed <<"'"<<endl;
+      sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, true);
+    }
   }
   cerr<<"Done listing"<<endl;
 }
@@ -146,7 +153,7 @@ try
     cmds = g_vm["commands"].as<vector<string> >();
 
   if(cmds.empty() || g_vm.count("help")) {
-    cerr<<"Usage: \npdnssec [options] [show-zone] [sign-zone] [update-zone-keys]\n";
+    cerr<<"Usage: \npdnssec [options] [show-zone] [secure-zone] [alter-zone] [order-zone] [update-zone-keys]\n";
     cerr<<desc<<endl;
     return 0;
   }
@@ -158,7 +165,7 @@ try
       cerr << "Error: "<<cmds[0]<<" takes exactly 1 parameter"<<endl;
       return 0;
     }
-    orderZone(cmds[1]);
+    orderZone(dk, cmds[1]);
   }
   else if(cmds[0] == "update-zone-keys") {
     if(cmds.size() != 2) {
@@ -244,7 +251,7 @@ try
       }
     }
   }
-  else if(cmds[0] == "sign-zone") {
+  else if(cmds[0] == "secure-zone") {
     if(cmds.size() != 2) {
       cerr << "Error: "<<cmds[0]<<" takes exactly 1 parameter"<<endl;
       return 0;