From: Bert Hubert
Date: Thu, 6 Jan 2011 18:57:57 +0000 (+0000)
Subject: make sure that we dnssec-rectify dnssec enabled zones that are slaved from a remote...
X-Git-Tag: auth-3.0~428
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d7652f3a24fa8d27f7f6215d4dd5417c5a9cafd0;p=pdns
make sure that we dnssec-rectify dnssec enabled zones that are slaved from a remote master. Idea by Mathew Hennessy.
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1819 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index b095f887e..b977dc304 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -1,6 +1,6 @@
 /*
 PowerDNS Versatile Database Driven Nameserver
- Copyright (C) 2002-2009 PowerDNS.COM BV
+ Copyright (C) 2002-2011 PowerDNS.COM BV
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License version 2 as
@@ -17,6 +17,9 @@
 */
 #include "packetcache.hh"
 #include "utility.hh"
+#include "dnssecinfra.hh"
+#include "dnsseckeeper.hh"
+#include "base32.hh"
 #include 
 #include "communicator.hh"
 #include 
@@ -69,6 +72,21 @@ void CommunicatorClass::suck(const string &domain,const string &remote) resolver.axfr(remote, domain.c_str()); UeberBackend *B=dynamic_cast(P.getBackend()); + NSEC3PARAMRecordContent ns3pr; + bool narrow; + DNSSECKeeper dk; + bool dnssecZone = false; + if(dk.haveActiveKSKFor(domain)) { + dnssecZone=true; + dk.getNSEC3PARAM(domain, &ns3pr, &narrow); + string hashed; + if(ns3pr.d_salt.empty()) + cerr<<"Adding NSEC ordering information"<getDomainInfo(domain, di) || !di.backend) { L< nsset, qnames; while(resolver.axfrChunk(recs)) { if(first) { L<startTransaction(domain, domain_id); first=false; } + for(Resolver::res_t::iterator i=recs.begin();i!=recs.end();++i) { if(!endsOn(i->qname, domain)) { L<qname<<"' during AXFR of zone '"<qtype.getCode() == QType::NS && !pdns_iequals(i->qname, domain)) + nsset.insert(i->qname); + qnames.insert(i->qname); + } i->domain_id=domain_id; if(i->qtype.getCode()>=1024) throw DBException("Database can't store unknown record type "+lexical_cast(i->qtype.getCode()-1024)); @@ -96,6 +120,31 @@ void CommunicatorClass::suck(const string &domain,const string &remote) di.backend->feedRecord(*i); } } + if(dnssecZone) { + string hashed; + BOOST_FOREACH(const string& qname, qnames) + { + string shorter(qname); + bool auth=true; + do { + if(nsset.count(shorter)) { + auth=false; + break; + } + }while(chopOff(shorter)); + + if(ns3pr.d_salt.empty()) // NSEC + di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth); + else { + if(!narrow) { + hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname))); + cerr<<"'"< '"<< hashed <<"'"<updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth); + } + } + } + di.backend->commitTransaction(); di.backend->setFresh(domain_id); L<
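Review bot: The NSEC-versus-NSEC3 decision on the new `if(ns3pr.d_salt.empty())` line (repeated in the last hunk at `if(ns3pr.d_salt.empty()) // NSEC`) keys off an empty salt, yet RFC 5155 permits an NSEC3PARAM with an empty salt, so such a slaved zone would receive plain NSEC ordering and no hashed ordernames, and its negative answers would not validate. If `dk.getNSEC3PARAM()` reports whether an NSEC3PARAM exists, that is the right discriminator and it is currently discarded: `bool haveNSEC3 = dk.getNSEC3PARAM(domain, &ns3pr, &narrow);` and branch on `haveNSEC3` in both places. `bool narrow;` is only assigned inside the `haveActiveKSKFor` branch; `bool narrow=false;` makes the later read in the rectify loop defined regardless of how the keeper behaves. The three informational lines go to `cerr` rather than the `L<<Logger::` stream the rest of suck() uses, and the `string hashed;` declared in this block is never used. suck() begins before this hunk and ends after the last one.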
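Review bot: In the NSEC3 branch of the last hunk the narrow case computes `auth` but stores nothing, because the only backend call sits under `if(!narrow)`, so delegation names in a narrow zone keep whatever auth flag the feed produced and the server's negative answers for them can be wrong. The narrow path needs its own update, for instance `di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, "", auth);` if the backend tolerates an empty ordername (to confirm). The auth decision is made once per name, so at a delegation point a DS record, which must remain authoritative, is flagged non-auth together with the NS set if the backend stores the flag per name. The lookup `nsset.count(shorter)` is an exact string match while the apex test in the previous hunk uses `pdns_iequals`, so names whose case differs from the NS owner name are treated as authoritative. The `cerr` line printing each qname and its hash runs once per name on every AXFR and should move under a debug level of the `L<<Logger::` stream or be removed; suck() continues past the hunk.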