From: Bert Hubert <bert.hubert@netherlabs.nl>
Date: Tue, 18 Jan 2011 14:55:39 +0000 (+0000)
Subject: implement 'pdnssec set-presigned', allowing PowerDNSSEC to serve pre-signed zones... 
X-Git-Tag: auth-3.0~354
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d3e7090cfbad8b9b1bda9468fcb4d2e48c74c8f8;p=pdns

implement 'pdnssec set-presigned', allowing PowerDNSSEC to serve pre-signed zones. Rather experimental, but does appear to work


git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1893 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 04344315c..88138ccdd 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -40,8 +40,11 @@ DNSSECKeeper::nseccache_t DNSSECKeeper::s_nseccache;
 pthread_mutex_t DNSSECKeeper::s_nseccachelock = PTHREAD_MUTEX_INITIALIZER;
 pthread_mutex_t DNSSECKeeper::s_keycachelock = PTHREAD_MUTEX_INITIALIZER;
 
-bool DNSSECKeeper::haveActiveKSKFor(const std::string& zone) 
+bool DNSSECKeeper::isSecuredZone(const std::string& zone) 
 {
+  if(isPresigned(zone))
+	return true;
+	
   {
     Lock l(&s_keycachelock);
     keycache_t::const_iterator iter = s_keycache.find(zone);
@@ -64,6 +67,14 @@ bool DNSSECKeeper::haveActiveKSKFor(const std::string& zone)
   return false;
 }
 
+bool DNSSECKeeper::isPresigned(const std::string& name)
+{
+  vector<string> meta;
+  d_db.getDomainMetadata(name, "PRESIGNED", meta);
+  if(meta.empty())
+	return false;
+  return meta[0]=="1";
+}
 
 void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, int algorithm, int bits, bool active)
 {
@@ -228,6 +239,21 @@ void DNSSECKeeper::unsetNSEC3PARAM(const std::string& zname)
 }
 
 
+void DNSSECKeeper::setPresigned(const std::string& zname)
+{
+  clearCaches(zname);
+  vector<string> meta;
+  meta.push_back("1");
+  d_db.setDomainMetadata(zname, "PRESIGNED", meta);
+}
+
+void DNSSECKeeper::unsetPresigned(const std::string& zname)
+{
+  clearCaches(zname);
+  d_db.setDomainMetadata(zname, "PRESIGNED", vector<string>());
+}
+
+
 DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const std::string& zone, boost::tribool allOrKeyOrZone) 
 {
   unsigned int now = time(0);
@@ -288,3 +314,20 @@ void DNSSECKeeper::secureZone(const std::string& name, int algorithm)
   clearCaches(name); // just to be sure ;)
   addKey(name, true, algorithm);
 }
+
+bool DNSSECKeeper::getPreRRSIGs(const std::string& signer, const std::string& qname, const QType& qtype, 
+	DNSPacketWriter::Place signPlace, vector<DNSResourceRecord>& rrsigs)
+{
+	d_db.lookup(QType(QType::RRSIG), qname);
+	DNSResourceRecord rr;
+	while(d_db.get(rr)) { 
+		cerr<<"Considering for '"<<qtype.getName()<<"' RRSIG '"<<rr.content<<"'\n";
+		if(boost::starts_with(rr.content, qtype.getName()+" ")) {
+			cerr<<"Got it"<<endl;
+			rr.d_place = (DNSResourceRecord::Place)signPlace;
+			rrsigs.push_back(rr);
+		}
+		else cerr<<"Skipping!"<<endl;
+	}
+	return true;
+}
diff --git a/pdns/dnsseckeeper.hh b/pdns/dnsseckeeper.hh
index 40c6ba758..2e3bf8b84 100644
--- a/pdns/dnsseckeeper.hh
+++ b/pdns/dnsseckeeper.hh
@@ -127,7 +127,7 @@ private:
   UeberBackend d_db;
 public:
   DNSSECKeeper() : d_db("key-only"){}
-  bool haveActiveKSKFor(const std::string& zone);
+  bool isSecuredZone(const std::string& zone);
   
   keyset_t getKeys(const std::string& zone, boost::tribool allOrKeyOrZone = boost::indeterminate);
   DNSSECPrivateKey getKeyById(const std::string& zone, unsigned int id);
@@ -143,6 +143,10 @@ public:
   void setNSEC3PARAM(const std::string& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
   void unsetNSEC3PARAM(const std::string& zname);
   void clearCaches(const std::string& name);
+  bool getPreRRSIGs(const std::string& signer, const std::string& qname, const QType& qtype, DNSPacketWriter::Place, vector<DNSResourceRecord>& rrsigs);
+  bool isPresigned(const std::string& zname);
+  void setPresigned(const std::string& zname);
+  void unsetPresigned(const std::string& zname);
 private:  
   struct KeyCacheEntry
   {
diff --git a/pdns/dnssecsigner.cc b/pdns/dnssecsigner.cc
index 115347992..31295ffd8 100644
--- a/pdns/dnssecsigner.cc
+++ b/pdns/dnssecsigner.cc
@@ -21,7 +21,7 @@
 #include "dnsseckeeper.hh"
 #include "lock.hh"
 
-/* this is where the RRSIGs begin, key apex *name* gets found, keys are retrieved,
+/* this is where the RRSIGs begin, keys are retrieved,
    but the actual signing happens in fillOutRRSIG */
 int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::string signQName, uint16_t signQType, uint32_t signTTL, 
 		     vector<shared_ptr<DNSRecordContent> >& toSign, vector<RRSIGRecordContent>& rrcs, bool ksk)
@@ -31,7 +31,6 @@ int getRRSIGsForRRSET(DNSSECKeeper& dk, const std::string& signer, const std::st
   RRSIGRecordContent rrc;
   rrc.d_type=signQType;
 
-  
   rrc.d_labels=countLabels(signQName); 
   rrc.d_originalttl=signTTL; 
   rrc.d_siginception=getCurrentInception();;
@@ -79,15 +78,17 @@ void addSignature(DNSSECKeeper& dk, const std::string& signer, const std::string
   vector<shared_ptr<DNSRecordContent> >& toSign, vector<DNSResourceRecord>& outsigned)
 {
   // cerr<<"Asked to sign '"<<signQName<<"'|"<<DNSRecordContent::NumberToType(signQType)<<", "<<toSign.size()<<" records\n";
-
-  vector<RRSIGRecordContent> rrcs;
   if(toSign.empty())
     return;
-
-  if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0) {
+  vector<RRSIGRecordContent> rrcs;
+  if(dk.isPresigned(signer)) {
+	dk.getPreRRSIGs(signer, signQName, QType(signQType), signPlace, outsigned);
+  }
+  else if(getRRSIGsForRRSET(dk, signer, wildcardname.empty() ? signQName : wildcardname, signQType, signTTL, toSign, rrcs, signQType == QType::DNSKEY) < 0) {
     // cerr<<"Error signing a record!"<<endl;
     return;
   }
+  
   DNSResourceRecord rr;
   rr.qname=signQName;
   rr.qtype=QType::RRSIG;
diff --git a/pdns/htimer.cc b/pdns/htimer.cc
index c5ee839bb..393a83367 100644
--- a/pdns/htimer.cc
+++ b/pdns/htimer.cc
@@ -35,10 +35,6 @@ using namespace std;
    Waiting for packets
 */
 
-  
-
-
-
 #define RDTSC(qp) \
 do { \
   unsigned long lowPart, highPart;        				\
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 785d52cdb..d5eb543e7 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1,6 +1,6 @@
 /*
     PowerDNS Versatile Database Driven Nameserver
-    Copyright (C) 2002-2010  PowerDNS.COM BV
+    Copyright (C) 2002-2011  PowerDNS.COM BV
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License version 2 as 
@@ -1017,7 +1017,7 @@ void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string&
   rr.auth = 1;
   r->addRecord(rr);
   
-  if(p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname))
+  if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
     addNSECX(p, r, target, sd.qname, 1);
   
   r->setRcode(RCode::NXDomain);  
@@ -1036,7 +1036,7 @@ void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& t
   rr.auth = 1;
   r->addRecord(rr);
 
-  if(p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname))
+  if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
     addNSECX(p, r, target, sd.qname, 0);
 
   S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName());
@@ -1070,7 +1070,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const st
   }
   r->setA(false);
 
-  if(p->d_dnssecOk && d_dk.haveActiveKSKFor(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname))
+  if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname))
     addNSECX(p, r, rrset.begin()->qname, sd.qname, 0);
   
   return true;
@@ -1082,7 +1082,7 @@ void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, c
     cerr<<"Need to add all the RRSIGs too for '"<<target<<"', should do this manually since DNSSEC was not requested"<<endl;
   //  cerr<<"Need to add all the NSEC too.."<<endl; /// XXX FIXME THE ABOVE IF IS WEIRD
   
-  if(!d_dk.haveActiveKSKFor(sd.qname))
+  if(!d_dk.isSecuredZone(sd.qname))
     return;
     
   addNSECX(p, r, target, sd.qname, 2); 
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 32f0e8508..0f0991467 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -55,8 +55,6 @@ void loadMainConfig(const std::string& configdir)
 
   string configname=::arg()["config-dir"]+"/"+s_programname+".conf";
   cleanSlashes(configname);
-
-  cerr<<"configname: '"<<configname<<"'\n";
   
   ::arg().laxFile(configname.c_str());
   ::arg().set("module-dir","Default directory for modules")=LIBDIR;
@@ -178,6 +176,10 @@ void checkZone(DNSSECKeeper& dk, const std::string& zone)
 
 void showZone(DNSSECKeeper& dk, const std::string& zone)
 {
+  if(!dk.isSecuredZone(zone)) {
+	cerr<<"Zone is not secured\n";
+	return;
+  }
   NSEC3PARAMRecordContent ns3pr;
   bool narrow;
   bool haveNSEC3=dk.getNSEC3PARAM(zone, &ns3pr, &narrow);
@@ -187,6 +189,8 @@ void showZone(DNSSECKeeper& dk, const std::string& zone)
   else
     cout<<"Zone has " << (narrow ? "NARROW " : "") <<"hashed NSEC3 semantics, configuration: "<<ns3pr.getZoneRepresentation()<<endl;
   
+  cout <<"Zone is " << (dk.isPresigned(zone) ? "" : "not ") << "presigned\n";
+  
   DNSSECKeeper::keyset_t keyset=dk.getKeys(zone);
 
   if(keyset.empty())  {
@@ -334,14 +338,14 @@ try
     const string& zone=cmds[1];
     DNSSECPrivateKey dpk;
     
-    if(dk.haveActiveKSKFor(zone)) {
-      cerr << "There is a KSK already for zone '"<<zone<<"', remove with pdnssec remove-zone-key if needed"<<endl;
+    if(dk.isSecuredZone(zone)) {
+      cerr << "Zone '"<<zone<<"' already secure, remove with pdnssec remove-zone-key if needed"<<endl;
       return 0;
     }
       
     dk.secureZone(zone, 8);
 
-    if(!dk.haveActiveKSKFor(zone)) {
+    if(!dk.isSecuredZone(zone)) {
       cerr << "This should not happen, still no key!" << endl;
       return 0;
     }
@@ -364,6 +368,18 @@ try
     NSEC3PARAMRecordContent ns3pr(nsec3params);
     dk.setNSEC3PARAM(cmds[1], ns3pr, narrow);
   }
+  else if(cmds[0]=="set-presigned") {
+	if(cmds.size() < 2) {
+		cerr<<"Wrong number of arguments, syntax: set-presigned DOMAIN"<<endl;
+	}
+    dk.setPresigned(cmds[1]);
+  }
+  else if(cmds[0]=="unset-presigned") {
+	if(cmds.size() < 2) {
+		cerr<<"Wrong number of arguments, syntax: unset-presigned DOMAIN"<<endl;
+	}
+    dk.unsetPresigned(cmds[1]);
+  }
   else if(cmds[0]=="hash-zone-record") {
     if(cmds.size() < 3) {
       cerr<<"Wrong number of arguments, syntax: hash-zone-record ZONE RECORD"<<endl;
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index e722762ff..f271a1d53 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -78,7 +78,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
     DNSSECKeeper dk;
     bool dnssecZone = false;
     bool haveNSEC3=false;
-    if(dk.haveActiveKSKFor(domain)) {
+    if(dk.isSecuredZone(domain)) {
       dnssecZone=true;
       haveNSEC3=dk.getNSEC3PARAM(domain, &ns3pr, &narrow);
       string hashed;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index 724676813..2277246d8 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -542,7 +542,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
     }
   }
   
-  if(dk.haveActiveKSKFor(target)) {
+  if(dk.isSecuredZone(target)) {
    
     if(NSEC3Zone) {
       for(nsecxrepo_t::const_iterator iter = nsecxrepo.begin(); iter != nsecxrepo.end(); ++iter) {